Compare commits


13 Commits

52 changed files with 2316 additions and 662 deletions

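--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 site.retry
 ansible.log
 *.swp
+*.pyc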


@ -31,9 +31,9 @@ Currently the following hosts are installed:
| knoedel.binary.kitchen | Debian 12 | SIP-DECT OMM | | knoedel.binary.kitchen | Debian 12 | SIP-DECT OMM |
| bob.binary.kitchen | Debian 12 | Gitea Actions | | bob.binary.kitchen | Debian 12 | Gitea Actions |
| lasagne.binary.kitchen | Debian 12 | Home Assistant * | | lasagne.binary.kitchen | Debian 12 | Home Assistant * |
| tschunk.binary.kitchen | Debian 12 | Strichliste | | tschunk.binary.kitchen | Debian 11 | Strichliste |
| bowle.binary.kitchen | Debian 12 | Files | | bowle.binary.kitchen | Debian 12 | Files |
| lock-auweg.binary.kitchen | Debian 12 | Doorlock | | lock-auweg.binary.kitchen | Debian 11 | Doorlock |
\*: The main application is not managed by ansible but manually installed \*: The main application is not managed by ansible but manually installed


@ -5,5 +5,3 @@ radius_hostname: radius3.binary.kitchen
slapd_hostname: ldap3.binary.kitchen slapd_hostname: ldap3.binary.kitchen
slapd_replica_id: 3 slapd_replica_id: 3
slapd_role: slave slapd_role: slave
uau_reboot: "false"


@ -15,5 +15,3 @@ radius_hostname: radius1.binary.kitchen
slapd_hostname: ldap1.binary.kitchen slapd_hostname: ldap1.binary.kitchen
slapd_replica_id: 1 slapd_replica_id: 1
slapd_role: slave slapd_role: slave
uau_reboot: "false"


@ -9,3 +9,40 @@ root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
uau_reboot: "false" uau_reboot: "false"
mosquitto_listeners:
# Listeners for Mosquitto MQTT Broker
- name: "default"
listener: "1883"
protocol: "mqtt"
use_username_as_clientid: "false"
allow_zero_length_clientid: "true"
allow_anonymous: "false"
users:
- username: admin
password: "{{ vault_mosquitto_arwen_admin_passwd }}"
acl:
- permissions: readwrite
topic: "#"
- username: homeassistant
password: "{{ vault_mosquitto_arwen_homeassistant_passwd }}"
acl:
- permissions: readwrite
topic: "#"
mosquitto_bridges:
- connection: pizza
address: 172.23.4.6:1883
topics:
- topic: "# out 0"
- topic: "# in 0"
ha_pg_db_pass: "{{ vault_ha_pg_db_pass }}"
pgadmin4_db_password: "{{ vault_pgadmin4_db_password }}"
pgadmin4_initial_user_email: noby@binary-kitchen.de
pgadmin4_initial_user_password: "{{ vault_pgadmin4_initial_user_password }}"
ha_pg_grafana_db_pass: "{{ vault_ha_pg_grafana_db_pass }}"
ha_domains:
- lasagne.binary.kitchen
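Review bot: The bridge entry under `mosquitto_bridges` (connection `pizza`, `address: 172.23.4.6:1883`) carries no credentials and no TLS keys, while both local listeners set `allow_anonymous: "false"`; unless the peer broker accepts anonymous connections the bridge will not come up, and if it does, everything matched by `"# out 0"` / `"# in 0"` is mirrored in both directions in cleartext (no `bridge_cafile` or similar is set). If the mosquitto role's template exposes them, add `remote_username` / `remote_password` (from the vault, like the listener users) to the bridge entry, and consider narrowing the bridged topics from `#` to the prefixes Home Assistant actually needs. Whether the `default` listener binds to all interfaces cannot be seen here — the entry only sets `listener: "1883"` — so that is worth confirming against the rendered mosquitto.conf.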


@ -1,8 +1,9 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See # This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information. # sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with # The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where # OpenSSH is to specify options with their default value where
@ -68,7 +69,7 @@ PasswordAuthentication {{ sshd_password_authentication }}
# Change to yes to enable challenge-response passwords (beware issues with # Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads) # some PAM modules and threads)
KbdInteractiveAuthentication no ChallengeResponseAuthentication no
# Kerberos options # Kerberos options
#KerberosAuthentication no #KerberosAuthentication no
@ -84,13 +85,13 @@ KbdInteractiveAuthentication no
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and # be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration, # PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass # PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password". # the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'. # and ChallengeResponseAuthentication to 'no'.
UsePAM yes UsePAM yes
#AllowAgentForwarding yes #AllowAgentForwarding yes
@ -108,7 +109,7 @@ PrintMotd no
#ClientAliveInterval 0 #ClientAliveInterval 0
#ClientAliveCountMax 3 #ClientAliveCountMax 3
#UseDNS no #UseDNS no
#PidFile /run/sshd.pid #PidFile /var/run/sshd.pid
#MaxStartups 10:30:100 #MaxStartups 10:30:100
#PermitTunnel no #PermitTunnel no
#ChrootDirectory none #ChrootDirectory none
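Review bot: The rename to `KbdInteractiveAuthentication no` follows the OpenSSH 8.7+ keyword, which is consistent with the README table in this compare now listing every host on Debian 12; if any host still runs an older OpenSSH, confirm it accepts the keyword before rolling the template out, because sshd refuses to start on an unknown directive. The remaining three hunks only update comments copied from the stock Debian file. Since the template is a verbatim copy of the distro default with substitutions (`PasswordAuthentication {{ sshd_password_authentication }}` is visible in the hunk context), the task that deploys it should run `validate: /usr/sbin/sshd -t -f %s` so a bad render cannot lock out remote access; that task is outside this compare, so I cannot tell whether it already does.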


@ -0,0 +1,4 @@
---
- name: Restart isc-dhcp-server
service: name=isc-dhcp-server state=restarted
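Review bot: `service: name=isc-dhcp-server state=restarted` uses the `key=value` argument string, whereas the new homeassistant handlers in this same compare use the block form `ansible.builtin.service:` with `name:` / `state:` keys; the two new roles should agree on one style. Suggested replacement: `ansible.builtin.service:` / `  name: isc-dhcp-server` / `  state: restarted`.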


@ -0,0 +1,14 @@
---
- name: Install dhcp server
apt: name=isc-dhcp-server
- name: Configure dhcp server
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:
- default/isc-dhcp-server
- dhcp/dhcpd.conf
notify: Restart isc-dhcp-server
- name: Start the dhcp server
service: name=isc-dhcp-server state=started enabled=yes
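Review bot: The `Configure dhcp server` task renders `/etc/dhcp/dhcpd.conf`, which the template in this compare fills with the OMAPI secret (`secret {{ dhcp_omapi_key }};`), without setting owner or mode, so the file gets default umask permissions and the key is readable by every local account. Set `owner: root`, `group: root`, `mode: "0640"` on the task — dhcpd is started by root on Debian as far as I know, so it should still read the file, but verify on the target — and move the module arguments out of the `key=value` string into block form, as the sibling handler file should also do. A `validate:` command would catch a broken render before the handler restarts the server, but because the loop also renders the shell fragment under `/etc/default`, validation needs the `dhcp/dhcpd.conf` item split into its own task.
```yaml
- name: Configure dhcp server
  ansible.builtin.template:
    src: "{{ item }}.j2"
    dest: "/etc/{{ item }}"
    owner: root
    group: root
    mode: "0640"
  loop:
    - default/isc-dhcp-server
    - dhcp/dhcpd.conf
  notify: Restart isc-dhcp-server
```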


@ -0,0 +1,21 @@
#
# This is a POSIX shell fragment
#
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="{{ ansible_default_ipv4['interface'] }}"
INTERFACESv6=""
INTERFACES="{{ ansible_default_ipv4['interface'] }}"


@ -0,0 +1,319 @@
# dhcpd.conf
# option definitions common to all supported networks...
option domain-name "binary.kitchen";
option domain-name-servers {{ name_servers | join(', ') }};
option domain-search "binary.kitchen";
option ntp-servers 172.23.1.60, 172.23.2.3;
# options related to Mitel SIP-DECT
option space sipdect;
option local-encapsulation code 43 = encapsulate sipdect;
option sipdect.ommip1 code 10 = ip-address;
option sipdect.ommip2 code 19 = ip-address;
option sipdect.syslogip code 14 = ip-address;
option sipdect.syslogport code 15 = integer 16;
option magic_str code 224 = text;
default-lease-time 7200;
max-lease-time 28800;
# Use this to enble / disable dynamic dns updates globally.
ddns-update-style interim;
ddns-updates on;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
{% if dhcpd_failover == true %}
# Failover
failover peer "failover-partner" {
{% if ansible_default_ipv4.address == dhcpd_primary %}
primary;
address {{ dhcpd_primary }};
peer address {{ dhcpd_secondary }};
{% elif ansible_default_ipv4.address == dhcpd_secondary %}
secondary;
address {{ dhcpd_secondary }};
peer address {{ dhcpd_primary }};
{% endif %}
port 520;
peer port 520;
max-response-delay 60;
max-unacked-updates 10;
{% if ansible_default_ipv4.address == dhcpd_primary %}
mclt 600;
split 255;
{% endif %}
load balance max seconds 3;
}
{% endif %}
# Binary Kitchen subnets
# Management
subnet 172.23.1.0 netmask 255.255.255.0 {
option routers 172.23.1.1;
}
# Services
subnet 172.23.2.0 netmask 255.255.255.0 {
allow bootp;
option routers 172.23.2.1;
}
# Users
subnet 172.23.3.0 netmask 255.255.255.0 {
option routers 172.23.3.1;
ddns-domainname "users.binary.kitchen";
option domain-search "binary.kitchen", "users.binary.kitchen";
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.3.10 172.23.3.230;
}
}
# MQTT
subnet 172.23.4.0 netmask 255.255.255.0 {
option routers 172.23.4.1;
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.4.10 172.23.4.240;
}
}
# Management Auweg
subnet 172.23.12.0 netmask 255.255.255.0 {
option routers 172.23.12.1;
}
# Services Auweg
subnet 172.23.13.0 netmask 255.255.255.0 {
allow bootp;
option routers 172.23.13.1;
}
# Users Auweg
subnet 172.23.14.0 netmask 255.255.255.0 {
option routers 172.23.14.1;
option domain-search "binary.kitchen", "users.binary.kitchen";
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.14.10 172.23.14.230;
}
}
# MQTT Auweg
subnet 172.23.15.0 netmask 255.255.255.0 {
option routers 172.23.15.1;
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.15.10 172.23.15.240;
}
}
# DDNS zones
zone users.binary.kitchen {
primary {{ dns_primary }};
}
# Fixed IPs
host ap01 {
hardware ethernet 44:48:c1:ce:a9:00;
fixed-address ap01.binary.kitchen;
}
host ap04 {
hardware ethernet 74:9e:75:ce:93:54;
fixed-address ap04.binary.kitchen;
}
host ap05 {
hardware ethernet bc:9f:e4:c3:6f:aa;
fixed-address ap05.binary.kitchen;
}
host ap06 {
hardware ethernet 94:b4:0f:c0:1d:a0;
fixed-address ap06.binary.kitchen;
}
host ap11 {
hardware ethernet 18:64:72:c6:c2:0c;
fixed-address ap11.binary.kitchen;
}
host ap12 {
hardware ethernet 18:64:72:c6:c4:98;
fixed-address ap12.binary.kitchen;
}
host bowle {
hardware ethernet ac:1f:6b:25:16:b6;
fixed-address bowle.binary.kitchen;
}
host cannelloni {
hardware ethernet b8:27:eb:18:5c:11;
fixed-address cannelloni.binary.kitchen;
}
host fusilli {
hardware ethernet b8:27:eb:1d:b9:bf;
fixed-address fusilli.binary.kitchen;
}
host habdisplay1 {
hardware ethernet b8:27:eb:b6:62:be;
fixed-address habdisplay1.mqtt.binary.kitchen;
}
host habdisplay2 {
hardware ethernet b8:27:eb:df:0b:7b;
fixed-address habdisplay2.mqtt.binary.kitchen;
}
host klopi {
hardware ethernet 74:da:38:6e:e6:9d;
fixed-address klopi.binary.kitchen;
}
host lock {
hardware ethernet b8:27:eb:d8:b9:ad;
fixed-address lock.binary.kitchen;
}
host maccaroni {
hardware ethernet b8:27:eb:f5:9e:a1;
fixed-address maccaroni.binary.kitchen;
}
host matrix {
hardware ethernet b8:27:eb:ed:22:58;
fixed-address matrix.binary.kitchen;
}
host mirror {
hardware ethernet 74:da:38:7d:ed:84;
fixed-address mirror.binary.kitchen;
}
host mpcnc {
hardware ethernet b8:27:eb:0f:d3:8b;
fixed-address mpcnc.binary.kitchen;
}
host noodlehub {
hardware ethernet b8:27:eb:56:2b:7c;
fixed-address noodlehub.binary.kitchen;
}
host openhabgw1 {
hardware ethernet dc:a6:32:bf:e2:3e;
fixed-address openhabgw1.mqtt.binary.kitchen;
}
host pizza {
hardware ethernet 52:54:00:17:02:21;
fixed-address pizza.binary.kitchen;
}
host spaghetti {
hardware ethernet b8:27:eb:eb:e5:88;
fixed-address spaghetti.binary.kitchen;
}
host schweinshaxn {
hardware ethernet 52:54:00:17:02:24;
fixed-address schweinshaxn.binary.kitchen;
}
host strammermax {
hardware ethernet 08:00:37:B8:55:44;
fixed-address strammermax.binary.kitchen;
}
host obatzda {
hardware ethernet ec:9a:74:35:35:cf;
fixed-address obatzda.binary.kitchen;
}
# VoIP Phones
host voip01 {
hardware ethernet 00:1D:45:B6:99:2F;
option tftp-server-name "172.23.2.36";
}
host voip02 {
hardware ethernet 00:1D:A2:66:B8:3E;
option tftp-server-name "172.23.2.36";
}
host voip03 {
hardware ethernet 00:1E:BE:90:FB:DB;
option tftp-server-name "172.23.2.36";
}
host voip04 {
hardware ethernet 00:1E:BE:90:FF:06;
option tftp-server-name "172.23.2.36";
}
# Mitel SIP-DECT
host rfp01 {
hardware ethernet 00:30:42:1B:73:5A;
fixed-address 172.23.1.111;
option host-name "rfp01";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
host rfp02 {
hardware ethernet 00:30:42:21:D4:D5;
fixed-address 172.23.1.112;
option host-name "rfp02";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
host rfp11 {
hardware ethernet 00:30:42:1B:8B:9B;
fixed-address 172.23.12.111;
option host-name "rfp11";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
# OMAPI
omapi-port 7911;
omapi-key omapi_key;
key omapi_key {
algorithm hmac-md5;
secret {{ dhcp_omapi_key }};
}
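Review bot: The `zone users.binary.kitchen { primary {{ dns_primary }}; }` stanza has no `key` clause, so with `ddns-updates on;` every dynamic update is sent unsigned and the name server has to accept updates purely by source address; a TSIG key declared with a `key` block and referenced as `key <name>;` inside the zone stanza, matched by the zone's `allow-update` on the DNS side, would let the server reject forged updates. `omapi-port 7911;` with an `hmac-md5` key opens the OMAPI control channel on every interface (dhcpd.conf(5) offers no listen-address restriction for it, as far as I know), so the port should be filtered to the hosts that need it, and the interpolated `{{ dhcp_omapi_key }}` must be the base64 form OMAPI expects since it is inserted unquoted. `ddns-update-style interim;` is the deprecated style; `standard` is the one ISC recommends for 4.3+, with the caveat that it records DHCID instead of TXT, so switching needs the existing records cleaned up. Finally, the `Users Auweg` subnet (172.23.14.0/24) sets the same `domain-search` as `Users` but lacks its `ddns-domainname "users.binary.kitchen";`, so its clients would be registered under the global `binary.kitchen` name, for which no zone is declared.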


@ -1,7 +1,7 @@
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names $ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
$TTL 1h ; default time-to-live $TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. ( @ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2024100600; serial 2024051300; serial
1d; refresh 1d; refresh
2h; retry 2h; retry
4w; expire 4w; expire
@ -13,7 +13,7 @@ $TTL 1h ; default time-to-live
1.0 IN PTR core.binary.kitchen. 1.0 IN PTR core.binary.kitchen.
2.0 IN PTR rt-w13b.binary.kitchen. 2.0 IN PTR rt-w13b.binary.kitchen.
3.0 IN PTR erx-rz.binary.kitchen. 3.0 IN PTR erx-rz.binary.kitchen.
4.0 IN PTR rt-auweg.binary.kitchen. 4.0 IN PTR erx-auweg.binary.kitchen.
; Management ; Management
1.1 IN PTR v2301.core.binary.kitchen. 1.1 IN PTR v2301.core.binary.kitchen.
11.1 IN PTR ups1.binary.kitchen. 11.1 IN PTR ups1.binary.kitchen.
@ -87,26 +87,22 @@ $GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
1.10 IN PTR wg0.erx-rz.binary.kitchen. 1.10 IN PTR wg0.erx-rz.binary.kitchen.
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen. $GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
; Management Auweg ; Management Auweg
1.12 IN PTR v2312.rt-auweg.binary.kitchen.
31.12 IN PTR sw-auweg.binary.kitchen. 31.12 IN PTR sw-auweg.binary.kitchen.
41.12 IN PTR ap11.binary.kitchen. 41.12 IN PTR ap11.binary.kitchen.
42.12 IN PTR ap12.binary.kitchen. 42.12 IN PTR ap12.binary.kitchen.
61.12 IN PTR weizen.binary.kitchen. 61.12 IN PTR weizen.binary.kitchen.
111.12 IN PTR rfp11.binary.kitchen. 111.12 IN PTR rfp11.binary.kitchen.
; Services Auweg ; Services Auweg
1.13 IN PTR v2313.rt-auweg.binary.kitchen.
3.13 IN PTR aeron.binary.kitchen. 3.13 IN PTR aeron.binary.kitchen.
12.13 IN PTR lock-auweg.binary.kitchen. 12.13 IN PTR lock-auweg.binary.kitchen.
; Clients Auweg ; Clients Auweg
1.14 IN PTR v2314.rt-auweg.binary.kitchen.
$GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen. $GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen.
; MQTT ; MQTT
1.15 IN PTR v2315.rt-auweg.binary.kitchen.
$GENERATE 10-240 $.15 IN PTR dhcp-${0,3,d}-15.binary.kitchen. $GENERATE 10-240 $.15 IN PTR dhcp-${0,3,d}-15.binary.kitchen.
; Point-to-Point ; Point-to-Point
1.96 IN PTR v400.rt-w13b.binary.kitchen. 1.96 IN PTR v400.erx-bk.binary.kitchen.
2.96 IN PTR v400.core.binary.kitchen. 2.96 IN PTR v400.core.binary.kitchen.
1.97 IN PTR wg1.erx-rz.binary.kitchen. 1.97 IN PTR wg1.erx-rz.binary.kitchen.
2.97 IN PTR wg1.rt-w13b.binary.kitchen. 2.97 IN PTR wg1.erx-bk.binary.kitchen.
5.97 IN PTR wg2.erx-rz.binary.kitchen. 5.97 IN PTR wg2.erx-rz.binary.kitchen.
6.97 IN PTR wg2.rt-auweg.binary.kitchen. 6.97 IN PTR wg2.erx-auweg.binary.kitchen.


@ -1,7 +1,7 @@
$ORIGIN binary.kitchen ; base for unqualified names $ORIGIN binary.kitchen ; base for unqualified names
$TTL 1h ; default time-to-live $TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. ( @ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2024100600; serial 2024051300; serial
1d; refresh 1d; refresh
2h; retry 2h; retry
4w; expire 4w; expire
@ -36,7 +36,7 @@ radius IN A 172.23.2.4
core IN A 172.23.0.1 core IN A 172.23.0.1
rt-w13b IN A 172.23.0.2 rt-w13b IN A 172.23.0.2
erx-rz IN A 172.23.0.3 erx-rz IN A 172.23.0.3
rt-auweg IN A 172.23.0.4 erx-auweg IN A 172.23.0.4
; Management ; Management
v2301.core IN A 172.23.1.1 v2301.core IN A 172.23.1.1
ups1 IN A 172.23.1.11 ups1 IN A 172.23.1.11
@ -107,29 +107,25 @@ salat IN A 172.23.9.61
salat-bmc IN A 172.23.9.81 salat-bmc IN A 172.23.9.81
; Services RZ ; Services RZ
; Management Auweg ; Management Auweg
v2312.rt-auweg IN A 172.23.12.1
sw-auweg IN A 172.23.12.31 sw-auweg IN A 172.23.12.31
ap11 IN A 172.23.12.41 ap11 IN A 172.23.12.41
ap12 IN A 172.23.12.42 ap12 IN A 172.23.12.42
weizen IN A 172.23.12.61 weizen IN A 172.23.12.61
rfp11 IN A 172.23.12.111 rfp11 IN A 172.23.12.111
; Services Auweg ; Services Auweg
v2313.rt-auweg IN A 172.23.13.1
aeron IN A 172.23.13.3 aeron IN A 172.23.13.3
lock-auweg IN A 172.23.13.12 lock-auweg IN A 172.23.13.12
; Clients Auweg ; Clients Auweg
v2314.rt-auweg IN A 172.23.14.1
$GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$ $GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$
; MQTT Auweg ; MQTT Auweg
v2315.rt-auweg IN A 172.23.15.1
$GENERATE 10-240 dhcp-${0,3,d}-15 IN A 172.23.15.$ $GENERATE 10-240 dhcp-${0,3,d}-15 IN A 172.23.15.$
; VPN RZ (ER-X) ; VPN RZ (ER-X)
wg0.erx-rz IN A 172.23.10.1 wg0.erx-rz IN A 172.23.10.1
$GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$ $GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$
; Point-to-Point ; Point-to-Point
v400.rt-w13b IN A 172.23.96.1 v400.erx-bk IN A 172.23.96.1
v400.core IN A 172.23.96.2 v400.core IN A 172.23.96.2
wg1.erx-rz IN A 172.23.97.1 wg1.erx-rz IN A 172.23.97.1
wg1.rt-w13b IN A 172.23.97.2 wg1.erx-bk IN A 172.23.97.2
wg2.erx-rz IN A 172.23.97.5 wg2.erx-rz IN A 172.23.97.5
wg2.rt-auweg IN A 172.23.97.6 wg2.erx-auweg IN A 172.23.97.6


@ -0,0 +1,22 @@
---
# Python version required for home assistant
ha_python_version: '3.12'
# The location of the config directory
ha_conf_dir: /etc/homeassistant
# The location of the installatin directory
ha_venv_dir: "/opt/homeassistant"
# The default user
ha_user: homeassistant
ha_pg_db_version: 15
ha_pg_db_name: homeassistant
ha_pg_db_user: homeassistant
ha_pg_db_pass: xxxxx
ha_pg_grafana_db_name: grafana
ha_pg_grafana_db_user: grafana
ha_pg_grafana_db_pass: xxxxx
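Review bot: `ha_pg_db_pass: xxxxx` and `ha_pg_grafana_db_pass: xxxxx` are placeholder secrets in role defaults, so a host whose host_vars forgets the vault override (the host_vars file in this compare sets both from `vault_*`) silently gets database users with the literal password `xxxxx` — the `postgresql_user` tasks in `postgres.yml` and `grafana.yml` apply whatever value they receive. Drop the two keys from defaults so the role fails with an undefined-variable error instead, or keep them and add an early `ansible.builtin.assert` with `that: ha_pg_db_pass != 'xxxxx'` (and the same for the Grafana password). Minor: the comment above `ha_venv_dir` reads `installatin`; it should say `installation`.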


@ -0,0 +1,21 @@
---
- name: Restart postgresql
ansible.builtin.service:
name: postgresql
state: restarted
- name: Restart homeassistant
ansible.builtin.service:
name: home-assistant
state: restarted
- name: Restart grafana
ansible.builtin.service:
name: grafana-server
state: restarted
- name: Restart nginx
ansible.builtin.service:
name: nginx
state: restarted


@ -0,0 +1,14 @@
---
galaxy_info:
author: Thomas Basler
description: Install HomeAssistant environment
license: None
platforms:
- name: Debian
min_ansible_version: "2.4"
dependencies:
- { role: mosquitto }
- { role: pgadmin4 }
- { role: nginx, nginx_ssl: false }


@ -0,0 +1,77 @@
---
- name: Grafana | add GPG signing key
become: true
ansible.builtin.apt_key:
url: "https://apt.grafana.com/gpg.key"
state: present
validate_certs: true
- name: Grafana | add official repository
become: true
ansible.builtin.apt_repository:
repo: "deb https://apt.grafana.com stable main"
state: present
filename: grafana
update_cache: true
tags: install
- name: Grafana | establish dependencies
become: true
ansible.builtin.apt:
name: "{{ item }}"
state: present
loop: ["grafana"]
tags: install
- name: Grafana | Configure PostgreSQL database
community.general.postgresql_db:
name: "{{ ha_pg_grafana_db_name }}"
template: template0
encoding: utf8
become: true
become_user: postgres
- name: Grafana | Configure PostgreSQL user
community.general.postgresql_user:
db: "{{ ha_pg_grafana_db_name }}"
name: "{{ ha_pg_grafana_db_user }}"
password: "{{ ha_pg_grafana_db_pass }}"
become: true
become_user: postgres
- name: Grafana | GRANT ALL PRIVILEGES ON SCHEMA public TO {{ pgadmin4_db_user }}
community.postgresql.postgresql_privs:
db: "{{ ha_pg_grafana_db_name }}"
privs: ALL
type: schema
objs: public
role: "{{ ha_pg_grafana_db_user }}"
become: true
become_user: postgres
- name: GRANT SELECT PRIVILEGES ON DATABASE {{ ha_pg_db_name }} TO {{ ha_pg_grafana_db_user }}
community.general.postgresql_privs:
db: "{{ ha_pg_db_name }}"
privs: SELECT
type: table
objs: statistics,statistics_meta
role: "{{ ha_pg_grafana_db_user }}"
become: true
become_user: postgres
ignore_errors: true
- name: Grafana | install config file
ansible.builtin.template:
src: grafana.ini.j2
dest: "/etc/grafana/grafana.ini"
owner: root
group: root
mode: "0644"
notify: Restart grafana
- name: Grafana | Start service
ansible.builtin.service:
name: grafana-server
state: started
enabled: true
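Review bot: The task name `Grafana | GRANT ALL PRIVILEGES ON SCHEMA public TO {{ pgadmin4_db_user }}` references `pgadmin4_db_user` while the task grants to `ha_pg_grafana_db_user`; this looks copied from the pgadmin4 role, and the name should read `{{ ha_pg_grafana_db_user }}`. The SELECT grant on `statistics,statistics_meta` has `ignore_errors: true`, which hides the failure that is expected on a fresh host — Home Assistant creates those tables on first start, and the handler that starts it has not fired when this file runs — so Grafana can end up without read access and nothing reports it; register the result and fail unless the error is a missing relation, or move the grant to a later play. `ansible.builtin.apt_key` adds the Grafana key to the global trusted keyring, where it can sign any repository on the host; download it to `/etc/apt/keyrings/grafana.gpg` and reference it with `[signed-by=/etc/apt/keyrings/grafana.gpg]` in the `repo:` line instead — the same applies to `python_312.yml` in this compare. The file also mixes `community.general.postgresql_*` with `community.postgresql.postgresql_privs`; pick `community.postgresql` throughout.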


@ -0,0 +1,33 @@
---
- name: Install defined version of Home Assistant
ansible.builtin.pip:
name:
- wheel
- psycopg2
- packaging
- uv
- netifaces
- homeassistant=={{ ha_version }}
virtualenv: '{{ ha_venv_dir }}'
virtualenv_command: 'python{{ ha_python_version }} -m venv'
when: ha_version is defined
become: true
become_user: "{{ ha_user }}"
notify: Restart homeassistant
- name: Install latest version of Home Assistant
ansible.builtin.pip:
name:
- wheel
- psycopg2
- packaging
- uv
- homeassistant
extra_args: "--upgrade"
virtualenv: "{{ ha_venv_dir }}"
virtualenv_command: 'python{{ ha_python_version }} -m venv'
when: ha_version is undefined
become: true
become_user: "{{ ha_user }}"
notify: Restart homeassistant
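Review bot: The two package lists differ — `netifaces` is installed only by the pinned task and not by `Install latest version of Home Assistant` — and nothing in the hunk suggests that is intentional, so either add it to the second list or drop it from the first. The unpinned branch runs `extra_args: "--upgrade"` on every play, so each run can pull whatever `homeassistant` (and `uv`, `psycopg2`, …) is newest on PyPI and, via `notify: Restart homeassistant`, restart the service in the middle of an ordinary configuration run; for a host that controls door locks that is both a reproducibility and a supply-chain concern, and requiring `ha_version` (failing with `ansible.builtin.assert` when it is undefined) is the simpler contract. If the latest branch is kept, align the quoting of `virtualenv: '{{ ha_venv_dir }}'` and `virtualenv: "{{ ha_venv_dir }}"` between the two tasks.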


@ -0,0 +1,15 @@
---
- name: Install python if required
ansible.builtin.include_tasks: python_312.yml
when: ha_python_version == '3.12'
- name: Include sub-tasks
ansible.builtin.include_tasks: '{{ item }}'
loop:
- preparation.yml
- postgres.yml
- systemd.yml
- installation.yml
- grafana.yml
- nginx.yml


@ -0,0 +1,15 @@
---
- name: Configure vhost
ansible.builtin.template:
src: vhost.j2
dest: /etc/nginx/sites-available/homeassistant
mode: "0644"
notify: Restart nginx
- name: Enable vhost
ansible.builtin.file:
src: /etc/nginx/sites-available/homeassistant
dest: /etc/nginx/sites-enabled/homeassistant
state: link
notify: Restart nginx


@ -0,0 +1,54 @@
---
- name: Postgres | establish dependencies
ansible.builtin.package:
name: "{{ item }}"
state: present
loop:
- postgresql-{{ ha_pg_db_version }}
- libpq-dev
- python3-psycopg2
- name: Postgres | Configure PostgreSQL database
community.general.postgresql_db:
name: "{{ ha_pg_db_name }}"
template: template0
encoding: utf8
become: true
become_user: postgres
- name: Postgres | Configure PostgreSQL user
community.general.postgresql_user:
db: "{{ ha_pg_db_name }}"
name: "{{ ha_pg_db_user }}"
password: "{{ ha_pg_db_pass }}"
become: true
become_user: postgres
- name: Postgres | GRANT ALL PRIVILEGES ON SCHEMA public TO {{ ha_pg_db_user }}
community.postgresql.postgresql_privs:
db: "{{ ha_pg_db_user }}"
privs: ALL
type: schema
objs: public
role: "{{ ha_pg_db_user }}"
become: true
become_user: postgres
- name: Postgres | Grant all users access to all dbs
community.general.postgresql_pg_hba:
dest: /etc/postgresql/{{ ha_pg_db_version }}/main/pg_hba.conf
contype: host
users: all
databases: all
method: scram-sha-256
source: 0.0.0.0/0
notify: Restart postgresql
- name: Postgres | Listen to external interfaces
community.general.postgresql_set:
name: listen_addresses
value: "*"
become: true
become_user: postgres
notify: Restart postgresql
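Review bot: `db: "{{ ha_pg_db_user }}"` in `Postgres | GRANT ALL PRIVILEGES ON SCHEMA public` names the database after the user variable; the sibling `postgresql_db` / `postgresql_user` tasks and the matching Grafana task use `ha_pg_db_name`, and this only works today because both default to `homeassistant`. Change it to `db: "{{ ha_pg_db_name }}"`. The `Grant all users access to all dbs` task writes a `host all all 0.0.0.0/0 scram-sha-256` rule and the next task sets `listen_addresses = "*"`, so PostgreSQL becomes reachable from any address for every database, while the only consumers visible in this compare (Home Assistant, Grafana, pgadmin4 behind nginx) run on the same host; narrow `source:` to the subnet that genuinely needs remote access, or drop both tasks and keep the default loopback listener. The same `community.general` vs `community.postgresql` module mix as in `grafana.yml` appears here, and the pg_hba task is the only one without `become: true` (whether the play already runs as root is not visible here).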


@ -0,0 +1,41 @@
---
- name: Install commonly-named packages
ansible.builtin.package:
name: "{{ item }}"
state: present
loop:
- python3
- python3-dev
- python3-venv
- python3-pip
- libffi-dev
- libssl-dev
- libjpeg-dev
- zlib1g-dev
- autoconf
- build-essential
- libopenjp2-7
- libtiff6
- libturbojpeg0
- tzdata
- git
- ffmpeg
- name: Create user
ansible.builtin.user:
name: "{{ ha_user }}"
comment: "Home Assistant"
system: true
shell: "/sbin/nologin"
- name: Create directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "02775"
owner: "{{ ha_user }}"
group: "{{ ha_user }}"
loop:
- "{{ ha_conf_dir }}"
- "{{ ha_venv_dir }}"
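Review bot: `shell: "/sbin/nologin"` — on Debian the binary lives at `/usr/sbin/nologin`, and `/sbin/nologin` only resolves through the merged-`/usr` symlink, so prefer the canonical path (the later `become_user` works independently of the login shell). The directories are created with `mode: "02775"`, i.e. group-writable plus setgid; since `{{ ha_venv_dir }}` is where `pip` installs the code that later runs as `{{ ha_user }}`, any account in the `{{ ha_user }}` group can modify that code, and `"0755"` is sufficient unless another account is meant to manage the venv.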


@ -0,0 +1,26 @@
---
- name: Python 3.12 | add GPG signing key
become: true
ansible.builtin.apt_key:
url: "https://pascalroeleven.nl/deb-pascalroeleven.gpg"
state: present
validate_certs: true
tags: install
- name: Python 3.12 | add official repository
become: true
ansible.builtin.apt_repository:
repo: "deb http://deb.pascalroeleven.nl/python3.12 bookworm-backports main"
state: present
filename: python312
update_cache: true
tags: install
- name: Python 3.12 | establish dependencies
become: true
ansible.builtin.apt:
name: "{{ item }}"
state: present
loop: "{{ python312_dependencies }}"
tags: install
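Review bot: The task is named `Python 3.12 | add official repository`, but `deb.pascalroeleven.nl` is a third-party backport of the interpreter that will run Home Assistant, so the name overstates the trust level; call it `add pascalroeleven python3.12 backports repository` and note in a comment why that source is trusted. The repository line is plain `http://` with the key fetched over HTTPS from the same site; integrity is fine as long as the key only applies to this repository, which is the `signed-by` remark made on `grafana.yml` and applies here as well. Because the interpreter comes from outside Debian, the `when: ha_python_version == '3.12'` guard in `main.yml` means a future bump of `ha_python_version` silently skips this file; an `ansible.builtin.assert` that the chosen version is one the role knows how to install would make that explicit.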


@ -0,0 +1,17 @@
---
- name: Install systemd unit file
ansible.builtin.template:
src: home-assistant.service.j2
dest: "/etc/systemd/system/home-assistant.service"
owner: root
group: root
mode: "0644"
notify: Restart homeassistant
- name: Enable home assistant service
ansible.builtin.systemd:
name: home-assistant
daemon_reload: true
enabled: true
notify: Restart homeassistant



@ -0,0 +1,14 @@
[Unit]
Description=Home Assistant
After=network.target postgresql.service
[Service]
Type=simple
User={{ ha_user }}
Environment="PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:{{ ha_venv_dir }}/bin"
ExecStart={{ ha_venv_dir }}/bin/hass --config {{ ha_conf_dir }}
Restart=always
RestartSec=3
[Install]
WantedBy=multi-user.target
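Review bot: The unit runs `hass` as `{{ ha_user }}` with `Restart=always` but without any sandboxing, so a compromised integration has the whole filesystem in view and can escalate through setuid binaries. The directives below are the usual minimum; `ProtectSystem=strict` needs `ReadWritePaths` for both the config directory and the venv, because Home Assistant installs integration requirements into the venv at runtime (as far as I know — verify on the host), and `PrivateDevices` is deliberately left out so USB/serial adapters stay reachable. `Environment="PATH=…"` lists `{{ ha_venv_dir }}/bin` last; `ExecStart` already uses the absolute venv path, so this is harmless, but putting the venv first documents the intent.
```ini
[Service]
# … unchanged: Type, User, Environment, ExecStart, Restart, RestartSec …
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ReadWritePaths={{ ha_conf_dir }} {{ ha_venv_dir }}
```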


@ -0,0 +1,41 @@
{{ ansible_managed | comment }}
server {
listen 80;
listen [::]:80;
server_name {{ ha_domains | join(' ') }};
proxy_buffering off;
location / {
proxy_pass http://127.0.0.1:8123;
proxy_set_header Host $host;
proxy_redirect http:// https://;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /api/websocket {
proxy_pass http://127.0.0.1:8123;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /grafana {
client_max_body_size 1024M;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://localhost:3000;
}
location = /pgadmin4 { rewrite ^ /pgadmin4/; }
location /pgadmin4 { try_files $uri @pgadmin4; }
location @pgadmin4 {
include uwsgi_params;
uwsgi_pass unix:/run/pgadmin4/pgadmin4.sock;
}
}
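Review bot: The vhost listens only on `80`, and `meta/main.yml` pulls in the nginx role with `nginx_ssl: false`, so Home Assistant's login form and long-lived tokens travel in cleartext unless a TLS-terminating proxy sits in front of this host; `proxy_redirect http:// https://;` suggests one is expected, in which case `proxy_set_header X-Forwarded-Proto https;` should be added so Home Assistant builds correct URLs, and Home Assistant needs this nginx listed under `trusted_proxies` in its `http:` configuration — recent releases answer proxied requests with 400 when `X-Forwarded-For` arrives from an unlisted proxy. The `location /api/websocket` block is a subset of `location /` (same upstream, same `Upgrade` / `Connection` headers) and can be dropped. `location /grafana` proxies to `localhost:3000` without the `Upgrade` / `Connection` headers the other blocks set, so Grafana's websocket-based live features will not work through it, and it relies on `serve_from_sub_path` / `root_url` being set in the `grafana.ini.j2` that this compare does not show.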


@ -0,0 +1,6 @@
---
python312_dependencies:
- python3.12
- python3.12-venv
- python3.12-dev


@ -1,10 +0,0 @@
---
- name: Restart kea-dhcp4-server
service: name=kea-dhcp4-server state=restarted
- name: Restart kea-dhcp-ddns-server
service: name=kea-dhcp-ddns-server state=restarted
- name: Restart kea-ctrl-agent
service: name=kea-ctrl-agent state=restarted


@ -1,38 +0,0 @@
---
- name: Install the kea dhcp server
apt:
name:
- kea-ctrl-agent
- kea-dhcp4-server
- kea-dhcp-ddns-server
- name: Configure the kea dhcp4 server
template:
src: kea/kea-dhcp4.conf.j2
dest: /etc/kea/kea-dhcp4.conf
# validate: kea-dhcp4 -t %s
notify: Restart kea-dhcp4-server
- name: Start the kea dhcp4 server
service: name=kea-dhcp4-server state=started enabled=yes
- name: Configure the kea dhcp-ddns server
template:
src: kea/kea-dhcp-ddns.conf.j2
dest: /etc/kea/kea-dhcp-ddns.conf
# validate: kea-dhcp-ddns -t %s
notify: Restart kea-dhcp-ddns-server
- name: Start the kea dhcp-ddns server
service: name=kea-dhcp-ddns-server state=started enabled=yes
- name: Configure the kea control agent
template:
src: kea/kea-ctrl-agent.conf.j2
dest: /etc/kea/kea-ctrl-agent.conf
# validate: kea-ctrl-agent -t %s
notify: Restart kea-ctrl-agent
- name: Start the kea control agent
service: name=kea-ctrl-agent state=started enabled=yes


@ -1,37 +0,0 @@
{
"Control-agent":
{
"http-host": "0.0.0.0",
"http-port": 8000,
"control-sockets":
{
"dhcp4":
{
"comment": "socket to DHCP4 server",
"socket-type": "unix",
"socket-name": "/run/kea/kea4-ctrl-socket"
},
"d2":
{
"socket-type": "unix",
"socket-name": "/run/kea/kea-ddns-ctrl-socket",
"user-context": { "in-use": false }
}
},
"loggers": [
{
"name": "kea-ctrl-agent",
"output_options": [
{
"output": "stdout",
"pattern": "%-5p %m\n"
}
],
"severity": "INFO",
"debuglevel": 0
}
]
}
}


@ -1,38 +0,0 @@
{
"DhcpDdns": {
"ip-address": "127.0.0.1",
"port": 53001,
"control-socket": {
"socket-type": "unix",
"socket-name": "/run/kea/kea-ddns-ctrl-socket"
},
"forward-ddns": {
"ddns-domains": [
{
"name": "users.binary.kitchen.",
"dns-servers": [
{ "ip-address": "{{ dns_primary }}" }
]
}
]
},
"reverse-ddns": {
},
"loggers": [
{
"name": "kea-dhcp4",
"output_options": [
{
"output": "stdout",
"pattern": "%-5p %m\n"
}
],
"severity": "INFO",
"debuglevel": 0
}
]
}
}


@ -1,470 +0,0 @@
{
"Dhcp4": {
"interfaces-config": {
"interfaces": [ "{{ ansible_default_ipv4['interface'] }}" ]
},
"control-socket": {
"socket-type": "unix",
"socket-name": "/run/kea/kea4-ctrl-socket"
},
"dhcp-ddns": {
"enable-updates": true,
"server-ip": "127.0.0.1",
"server-port": 53001,
"sender-ip": "",
"sender-port": 0,
"max-queue-size": 1024,
"ncr-protocol": "UDP",
"ncr-format": "JSON"
},
"hooks-libraries": [
{
"library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_lease_cmds.so"
{% if dhcpd_failover %}
},
{
"library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_ha.so",
"parameters": {
"high-availability": [ {
"this-server-name": "{{ inventory_hostname.split('.')[0] }}",
"mode": "hot-standby",
"heartbeat-delay": 10000,
"max-response-delay": 60000,
"max-ack-delay": 5000,
"max-unacked-clients": 5,
"sync-timeout": 60000,
"peers": [
{
"name": "{{ lookup('dig', dhcpd_primary+'/PTR', '@'+dns_primary).split('.')[0] }}",
"url": "http://{{ dhcpd_primary }}:8000/",
"role": "primary"
},
{
"name": "{{ lookup('dig', dhcpd_secondary+'/PTR', '@'+dns_primary).split('.')[0] }}",
"url": "http://{{ dhcpd_secondary }}:8000/",
"role": "standby"
}
]
} ]
}
{% endif %}
}
],
"lease-database": {
"type": "memfile",
"lfc-interval": 3600
},
"expired-leases-processing": {
"reclaim-timer-wait-time": 10,
"flush-reclaimed-timer-wait-time": 25,
"hold-reclaimed-time": 3600,
"max-reclaim-leases": 100,
"max-reclaim-time": 250,
"unwarned-reclaim-cycles": 5
},
"renew-timer": 900,
"rebind-timer": 1800,
"valid-lifetime": 3600,
"option-def": [
{
"code": 43,
"encapsulate": "sipdect",
"name": "vendor-encapsulated-options",
"space": "dhcp4",
"type": "empty"
},
{
"code": 10,
"name": "ommip1",
"space": "sipdect",
"type": "ipv4-address"
},
{
"code": 19,
"name": "ommip2",
"space": "sipdect",
"type": "ipv4-address"
},
{
"code": 14,
"name": "syslogip",
"space": "sipdect",
"type": "ipv4-address"
},
{
"code": 15,
"name": "syslogport",
"space": "sipdect",
"type": "int16"
},
{
"code": 224,
"name": "magic_str",
"space": "dhcp4",
"type": "string"
}
],
"option-data": [
{
"name": "domain-name-servers",
"data": "{{ name_servers | join(', ') }}"
},
{
"name": "domain-name",
"data": "binary.kitchen"
},
{
"name": "domain-search",
"data": "binary.kitchen"
}
],
"client-classes": [
{
"name": "voip-phone",
"option-data": [
{
"name": "tftp-server-name",
"data": "172.23.2.36"
}
]
},
{
"name": "dect-rfp",
"option-data": [
{
"name": "vendor-encapsulated-options"
},
{
"data": "172.23.2.35",
"name": "ommip1",
"space": "sipdect"
},
{
"data": "OpenMobilitySIP-DECT",
"name": "magic_str"
}
]
}
],
"subnet4": [
{
"subnet": "172.23.1.0/24",
"option-data": [
{
"name": "routers",
"data": "172.23.1.1"
}
],
"reservations": [
{
"hw-address": "44:48:c1:ce:a9:00",
"ip-address": "172.23.1.41",
"hostname": "ap01"
},
{
"hw-address": "74:9e:75:ce:93:54",
"ip-address": "172.23.1.44",
"hostname": "ap04"
},
{
"hw-address": "bc:9f:e4:c3:6f:aa",
"ip-address": "172.23.1.45",
"hostname": "ap05"
},
{
"hw-address": "94:b4:0f:c0:1d:a0",
"ip-address": "172.23.1.46",
"hostname": "ap06"
},
{
"hw-address": "00:30:42:1B:73:5A",
"ip-address": "172.23.1.111",
"client-classes": [ "dect-rfp" ],
"hostname": "rfp01"
},
{
"hw-address": "00:30:42:21:D4:D5",
"ip-address": "172.23.1.112",
"client-classes": [ "dect-rfp" ],
"hostname": "rfp02"
}
]
},
{
"subnet": "172.23.2.0/24",
"option-data": [
{
"name": "routers",
"data": "172.23.2.1"
}
],
"reservations": [
{
"hw-address": "b8:27:eb:d8:b9:ad",
"ip-address": "172.23.2.12",
"hostname": "lock"
},
{
"hw-address": "b8:27:eb:ed:22:58",
"ip-address": "172.23.2.13",
"hostname": "matrix"
},
{
"hw-address": "08:00:37:B8:55:44",
"ip-address": "172.23.2.91",
"hostname": "strammermax"
},
{
"hw-address": "ec:9a:74:35:35:cf",
"ip-address": "172.23.2.92",
"hostname": "obatzda"
}
]
},
{
"subnet": "172.23.3.0/24",
"pools": [ { "pool": "172.23.3.10 - 172.23.3.230" } ],
"option-data": [
{
"name": "routers",
"data": "172.23.3.1"
},
{
"name": "domain-search",
"data": "binary.kitchen, users.binary.kitchen"
}
],
"ddns-send-updates": true,
"ddns-override-client-update": true,
"ddns-override-no-update": true,
"ddns-qualifying-suffix": "users.binary.kitchen",
"ddns-generated-prefix": "dhcp",
"ddns-replace-client-name": "when-not-present",
"ddns-update-on-renew": true,
"reservations": [
{
"hw-address": "b8:27:eb:18:5c:11",
"ip-address": "172.23.3.250",
"hostname": "cannelloni"
},
{
"hw-address": "b8:27:eb:1d:b9:bf",
"ip-address": "172.23.3.240",
"hostname": "fusilli"
},
{
"hw-address": "74:da:38:6e:e6:9d",
"ip-address": "172.23.3.241",
"hostname": "klopi"
},
{
"hw-address": "b8:27:eb:f5:9e:a1",
"ip-address": "172.23.3.246",
"hostname": "maccaroni"
},
{
"hw-address": "74:da:38:7d:ed:84",
"ip-address": "172.23.3.244",
"hostname": "mirror"
},
{
"hw-address": "b8:27:eb:0f:d3:8b",
"ip-address": "172.23.3.242",
"hostname": "mpcnc"
},
{
"hw-address": "b8:27:eb:56:2b:7c",
"ip-address": "172.23.3.251",
"hostname": "noodlehub"
},
{
"hw-address": "b8:27:eb:eb:e5:88",
"ip-address": "172.23.3.245",
"hostname": "spaghetti"
},
{
"hw-address": "00:1D:45:B6:99:2F",
"hostname": "voip01",
"client-classes": [ "voip-phone" ]
},
{
"hw-address": "00:1D:A2:66:B8:3E",
"hostname": "voip02",
"client-classes": [ "voip-phone" ]
},
{
"hw-address": "00:1E:BE:90:FB:DB",
"hostname": "voip03",
"client-classes": [ "voip-phone" ]
},
{
"hw-address": "00:1E:BE:90:FF:06",
"hostname": "voip04",
"client-classes": [ "voip-phone" ]
}
]
},
{
"subnet": "172.23.4.0/24",
"pools": [ { "pool": "172.23.4.10 - 172.23.4.240" } ],
"option-data": [
{
"name": "routers",
"data": "172.23.4.1"
}
],
"reservations": [
{
"hw-address": "b8:27:eb:b6:62:be",
"ip-address": "172.23.4.241",
"hostname": "habdisplay1"
},
{
"hw-address": "b8:27:eb:df:0b:7b",
"ip-address": "172.23.4.242",
"hostname": "habdisplay2"
},
{
"hw-address": "dc:a6:32:bf:e2:3e",
"ip-address": "172.23.4.251",
"hostname": "openhabgw1"
}
]
},
{
"subnet": "172.23.12.0/24",
"option-data": [
{
"name": "routers",
"data": "172.23.12.1"
}
],
"reservations": [
{
"hw-address": "18:64:72:c6:c2:0c",
"ip-address": "172.23.12.41",
"hostname": "ap11"
},
{
"hw-address": "18:64:72:c6:c4:98",
"ip-address": "172.23.12.42",
"hostname": "ap12"
},
{
"hw-address": "00:30:42:1B:8B:9B",
"ip-address": "172.23.12.111",
"client-classes": [ "dect-rfp" ],
"hostname": "rfp11"
}
]
},
{
"subnet": "172.23.13.0/24",
"option-data": [
{
"name": "routers",
"data": "172.23.13.1"
}
]
},
{
"subnet": "172.23.14.0/24",
"pools": [ { "pool": "172.23.14.10 - 172.23.14.240" } ],
"option-data": [
{
"name": "routers",
"data": "172.23.14.1"
}
]
},
{
"subnet": "172.23.15.0/24",
"pools": [ { "pool": "172.23.15.10 - 172.23.15.240" } ],
"option-data": [
{
"name": "routers",
"data": "172.23.15.1"
}
]
}
],
"loggers": [
{
"name": "kea-dhcp4",
"output_options": [
{
"output": "stdout",
"pattern": "%-5p %m\n"
}
],
"severity": "INFO",
"debuglevel": 0
}
]
}
}


@ -2793,7 +2793,7 @@ background_updates:
# marked as protected from quarantine will not be deleted. # marked as protected from quarantine will not be deleted.
# #
media_retention: media_retention:
local_media_lifetime: 180d local_media_lifetime: 90d
remote_media_lifetime: 14d remote_media_lifetime: 14d


@ -0,0 +1,4 @@
Ansible Role: Mosquitto
=========
Install and configure [Mosquitto](https://mosquitto.org/) MQTT message broker.


@ -0,0 +1,46 @@
---
mosquitto_packages:
- mosquitto
- mosquitto-clients
mosquitto_listeners:
# Listeners for Mosquitto MQTT Broker
- name: "default"
listener: "1883 localhost"
protocol: "mqtt"
use_username_as_clientid: "true"
allow_zero_length_clientid: "true"
allow_anonymous: "false"
users: []
# Users for Mosquitto MQTT Broker
# Type: Arrays of Objects with following parameters defined:
# - username: <string>
# password: <string>
# acl: <Array> of Objects as follows:
# - permissions: <string> Acceptable Value: either `read`, `readwrite`, `write`, `deny`
# - topic: <string> Acceptable Value: your/mqtt/topic (wildcards `+`, and `*` allowed)
auth_anonymous: []
# Topics which are accessable with anonymous access
# Example
# - "topic read topic_name"
auth_patterns: []
# %c to match the client id of the client
# %u to match the username of the client
# Example
# - "pattern write $SYS/broker/connection/%c/state"
mosquitto_bridges: []
# Bridges for Mosquitto MQTT Broker
# Type: Arrays of Objects with following parameters defined:
# - connection: <string>
# address: <string>
# bridge_insecure: <boolean>
# bridge_capath: <string>
# remote_password: <string>
# remote_username: <string>
# remote_clientid: <string>
# try_private: <boolean>
# topics:
# - topic: # in 0 down/ to-level/02/line/
# - topic: # out 0 up/ from-level/02/line/
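Review bot: The shipped default listener entry has no `users` key, but both tasks/main.yml (`mosquitto_users: "{{ item.users }}"`) and templates/acl.j2 (`{% for user in listener.users %}`) read it per listener without a `default`, so the role aborts on an undefined attribute unless every inventory listener defines `users`; the top-level `users: []` here is not read by any template in this change as far as visible, so the comment block beneath it documents the wrong level. Add `users: []` to the default listener entry and move the `# Users for Mosquitto MQTT Broker` comment block under that key, or give the two consumers `| default([])`. The wildcard remark should say that `+` and `#` are the allowed wildcards, since `#` is the MQTT multi-level wildcard and `*` has no meaning in a Mosquitto ACL topic.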


@ -0,0 +1,34 @@
# mosquitto_passwd.py: Custom Jinja2 filter plugin to generate valid PBKDF2_SHA512
# hash digests for plain-text passwords in `users` file for
# Eclipse Mosquitto Broker
from ansible.errors import AnsibleError
def mosquitto_passwd(passwd):
try:
import passlib.hash
except Exception as e:
raise AnsibleError(
'mosquitto_passlib custom filter requires the passlib pip package installed')
SALT_SIZE = 12
ITERATIONS = 101
salt = passwd[:SALT_SIZE]
salt = bytes(salt, 'utf-8')
salt += b"0" * (SALT_SIZE - len(salt))
digest = passlib.hash.pbkdf2_sha512.using(salt_size=SALT_SIZE, rounds=ITERATIONS, salt=salt) \
.hash(passwd) \
.replace("pbkdf2-sha512", "7") \
.replace(".", "+")
return digest + "=="
class FilterModule(object):
def filters(self):
return {
'mosquitto_passwd': mosquitto_passwd,
}
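Review bot: The salt is the first 12 characters of the password itself (`salt = passwd[:SALT_SIZE]`, zero-padded), and a PBKDF2 hash stores its salt in clear, so whoever can read the generated users file recovers the first 12 characters of every password directly from the `$7$101$<salt>$...` prefix. The password-derived salt is presumably there to keep the rendered file stable between runs; a deterministic salt that does not expose plaintext keeps that property, e.g. `salt = hashlib.sha512(passwd.encode("utf-8")).digest()[:SALT_SIZE]` (with `import hashlib` at the top) in place of the three salt lines, and a keyed derivation (HMAC with a per-deployment secret) would be stronger still because it also stops equal passwords from yielding equal hashes. Two smaller points: `except Exception as e` binds an unused `e`, and the error message names `mosquitto_passlib` while the filter is registered as `mosquitto_passwd`.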


@ -0,0 +1,6 @@
---
- name: Restart Mosquitto
ansible.builtin.service:
name: mosquitto
state: restarted


@ -0,0 +1,11 @@
---
galaxy_info:
author: Thomas Basler
description: Install Mosquitto
license: None
platforms:
- name: Debian
min_ansible_version: "2.4"
dependencies: []


@ -0,0 +1,35 @@
---
- name: Mosquitto | Install Mosquitto packages
ansible.builtin.apt:
name: "{{ item }}"
state: present
with_items: "{{ mosquitto_packages }}"
notify: Restart Mosquitto
- name: Mosquitto | Generating Configuration File
ansible.builtin.template:
src: mosquitto.conf.j2
dest: /etc/mosquitto/conf.d/mosquitto.conf
mode: "0755"
notify: Restart Mosquitto
- name: Mosquitto | Generating Authentication Users File
ansible.builtin.template:
src: users.j2
dest: "/etc/mosquitto/users_{{ item.name }}"
mode: "0755"
vars:
mosquitto_users: "{{ item.users }}"
with_items: "{{ mosquitto_listeners }}"
notify: Restart Mosquitto
- name: Mosquitto | Generating Access Control List File
ansible.builtin.template:
src: acl.j2
dest: "/etc/mosquitto/acl_{{ item.name }}"
mode: "0755"
vars:
listener: "{{ item }}"
with_items: "{{ mosquitto_listeners }}"
notify: Restart Mosquitto
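Review bot: The generated password file (`/etc/mosquitto/users_*`) and the broker config, which carries any bridge `remote_password`, are written with `mode: "0755"`, so every local user can read the credential material and the files carry a pointless execute bit. Debian's mosquitto package runs the broker as the `mosquitto` user (confirm for the target hosts), so `owner: root`, `group: mosquitto`, `mode: "0640"` on the three template tasks keeps the files readable by the broker only. `notify: Restart Mosquitto` on the apt task restarts the broker whenever a package is newly installed, which the handlers on the three config tasks already cover.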


@ -0,0 +1,28 @@
{{ ansible_managed | comment }}
{% for entry in listener.auth_anonymous | default([]) %}
{% if loop.first %}
# Anonymous access
{% endif %}
{{ entry }}
{% endfor %}
{% for user in listener.users %}
{% if loop.first %}
# User access
{% endif %}
user {{ user.username }}
{% for access_list in user.acl | default([]) %}
topic {{ access_list.permissions }} {{ access_list.topic }}
{% if loop.last %}
{% endif %}
{% endfor %}
{% endfor %}
{% for entry in listener.auth_patterns | default([]) %}
{% if loop.first %}
# Global patterns
{% endif %}
{{ entry }}
{% endfor %}
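Review bot: The `{% if loop.last %}{% endif %}` pair inside the per-user ACL loop is an empty block that renders nothing and can be removed. If a separating blank line between users was intended, the block needs a literal empty line inside it rather than nothing.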


@ -0,0 +1,36 @@
{{ ansible_managed | comment }}
# Logging Configuration
log_timestamp true
log_type all
# Listener
per_listener_settings true
{% for elem in mosquitto_listeners %}
### Listener '{{ elem.name }}'
listener {{ elem.listener }}
{% for key, value in elem | dictsort %}
{% if key not in ["listener", "name", "users", "auth_anonymous", "auth_patterns"] %}
{{ key }} {{ value }}
{% endif %}
{% endfor %}
password_file /etc/mosquitto/users_{{ elem.name }}
acl_file /etc/mosquitto/acl_{{ elem.name }}
{% endfor %}
{% for elem in mosquitto_bridges %}
{% if loop.first %}
# Bridges
{% endif %}
connection {{ elem.connection }}
{% for key, value in elem | dictsort %}
{% if key not in ["connection", "topics"] %}
{{ key }} {{ value }}
{% endif %}
{% endfor %}
{% for topic in elem.topics %}
topic {{ topic.topic }}
{% endfor %}
{% endfor %}
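Review bot: `{% for topic in elem.topics %}` in the bridge loop has no `| default([])`, unlike the loops in acl.j2, so a bridge entry without `topics` aborts the template; `{% for topic in elem.topics | default([]) %}` keeps the two templates consistent. Every other key of a listener or bridge mapping is emitted verbatim as `key value`, so a misspelled variable name silently becomes an unknown directive that only surfaces when the broker refuses to start after the restart handler runs; worth a comment in defaults/main.yml stating that listener and bridge keys map one-to-one to mosquitto.conf directives.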


@ -0,0 +1,5 @@
{{ ansible_managed | comment }}
{% for user in mosquitto_users %}
{{ user.username }}:{{ user.password | mosquitto_passwd }}
{% endfor %}


@ -2,4 +2,4 @@
netbox_group: netbox netbox_group: netbox
netbox_user: netbox netbox_user: netbox
netbox_version: 4.1.4 netbox_version: 4.1.3


@ -0,0 +1,10 @@
---
pgadmin4_user: pgadmin4
pgadmin4_db_database: pgadmin4
pgadmin4_db_user: pgadmin4
pgadmin4_db_password: xxxxx
pgadmin4_conf_dir: /etc/pgadmin
pgadmin4_initial_user_email: admin@admin.com
pgadmin4_initial_user_password: admin42
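Review bot: `pgadmin4_db_password: xxxxx` and `pgadmin4_initial_user_password: admin42` are real defaults, so any host that does not override them comes up with a known pgAdmin login (`admin@admin.com` / `admin42`) and a known database password, and nothing in the role checks that they were replaced. Drop the two password lines so an unset value fails at template time, or keep them and add an `ansible.builtin.assert` in tasks/main.yml that both differ from these placeholders; the real values belong in host_vars, ideally vault-encrypted.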


@ -0,0 +1,6 @@
---
- name: Restart pgadmin4
ansible.builtin.service:
name: pgadmin4
state: restarted


@ -0,0 +1,11 @@
---
galaxy_info:
author: Thomas Basler
description: Install PgAdmin4
license: None
platforms:
- name: Debian
min_ansible_version: "2.4"
dependencies: []


@ -0,0 +1,119 @@
---
- name: PgAdmin 4 | add GPG signing key
become: true
ansible.builtin.apt_key:
url: "https://www.pgadmin.org/static/packages_pgadmin_org.pub"
state: present
validate_certs: true
tags: install
- name: PgAdmin 4 | add official repository
become: true
ansible.builtin.apt_repository:
repo: "deb https://ftp.postgresql.org/pub/pgadmin/pgadmin4/apt/bookworm pgadmin4 main"
state: present
filename: pgadmin4
update_cache: true
tags: install
- name: PgAdmin 4 | establish dependencies
become: true
ansible.builtin.apt:
name: "{{ item }}"
state: present
tags: install
loop: ["pgadmin4-server", "uwsgi-core", "uwsgi-plugin-python3", "python3-pexpect"]
- name: PgAdmin 4 | Configure PostgreSQL database
community.general.postgresql_db:
name: "{{ pgadmin4_db_database }}"
template: template0
encoding: utf8
become: true
become_user: postgres
register: pgadmin4_db
- name: PgAdmin 4 | Configure PostgreSQL user
community.general.postgresql_user:
db: "{{ pgadmin4_db_database }}"
name: "{{ pgadmin4_db_user }}"
password: "{{ pgadmin4_db_password }}"
become: true
become_user: postgres
- name: PgAdmin 4 | Configure PostgreSQL user privileges
community.postgresql.postgresql_privs:
database: "{{ pgadmin4_db_database }}"
state: present
privs: ALL
type: database
role: "{{ pgadmin4_db_user }}"
become: true
become_user: postgres
- name: PgAdmin 4 | GRANT ALL PRIVILEGES ON SCHEMA public TO {{ pgadmin4_db_user }}
community.postgresql.postgresql_privs:
db: "{{ pgadmin4_db_database }}"
privs: ALL
type: schema
objs: public
role: "{{ pgadmin4_db_user }}"
become: true
become_user: postgres
- name: Create user
ansible.builtin.user:
name: "{{ pgadmin4_user }}"
comment: "pgAdmin 4"
createhome: false
system: true
shell: "/sbin/nologin"
- name: PgAdmin 4 | create config directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "02775"
owner: "root"
group: "root"
with_items:
- "{{ pgadmin4_conf_dir }}"
- name: PgAdmin 4 | install config file
ansible.builtin.template:
src: config_system.py.j2
dest: "{{ pgadmin4_conf_dir }}/config_system.py"
owner: root
group: root
mode: "0644"
notify: Restart pgadmin4
- name: PgAdmin 4 | install systemd unit file
ansible.builtin.template:
src: pgadmin4.service.j2
dest: "/etc/systemd/system/pgadmin4.service"
owner: root
group: root
mode: "0644"
notify: Restart pgadmin4
- name: PgAdmin 4 | enable service
ansible.builtin.service:
name: pgadmin4
enabled: true
- name: PgAdmin 4 | setup pgadmin # noqa: no-handler
ansible.builtin.expect:
command: /bin/bash -c "/usr/pgadmin4/venv/bin/python3 /usr/pgadmin4/web/setup.py setup-db"
chdir: /usr/pgadmin4/web/
echo: true
timeout: 300
responses:
'Email\ address:': "{{ pgadmin4_initial_user_email | trim }}"
'Password:': "{{ pgadmin4_initial_user_password | trim }}"
'Retype\ password:': "{{ pgadmin4_initial_user_password | trim }}"
'Do\ you\ wish\ to\ continue\ \(y/n\)\?': "y"
'Would\ you\ like\ to\ continue\ \(y/n\)\?': "y"
when: pgadmin4_db.changed
notify: Restart pgadmin4
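Review bot: The `setup-db` expect task answers the password prompts with `pgadmin4_initial_user_password` and has `echo: true`, so the plaintext admin password is written to the play output and to ansible.log, and it lacks `no_log: true`, the usual guard for tasks whose arguments contain secrets. Set `echo: false` and `no_log: true` on that task. `config_system.py`, which carries the database password, is installed `root:root` with `mode: "0644"` and is therefore world-readable; since the service runs as `{{ pgadmin4_user }}`, `group: "{{ pgadmin4_user }}"` with `mode: "0640"` keeps it readable by the service only. `ansible.builtin.apt_key` puts the pgAdmin key into the global trusted keyring where it can sign any repository (and the module is deprecated); a `signed-by=` keyring in the repo line scopes it to that repository, and `bookworm` could be `{{ ansible_distribution_release }}` as the strichliste tasks in this change do. The role mixes `community.general.postgresql_db`/`postgresql_user` with `community.postgresql.postgresql_privs`; the postgresql modules live in `community.postgresql` now, so the collection prefix should be the same on all four tasks.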


@ -0,0 +1,4 @@
LOG_FILE = '/var/log/pgadmin/pgadmin4.log'
CONFIG_DATABASE_URI = 'postgresql://{{ pgadmin4_db_user }}:{{ pgadmin4_db_password }}@localhost:5432/{{ pgadmin4_db_database }}'
SESSION_DB_PATH = '/var/lib/pgadmin/sessions'
STORAGE_DIR = '/var/lib/pgadmin/storage'
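Review bot: `CONFIG_DATABASE_URI` interpolates `pgadmin4_db_password` (and the user name) straight into a URL, so a password containing `@`, `/`, `:`, `#` or `%` produces a URI that parses to the wrong host or credentials; `{{ pgadmin4_db_password | urlencode }}` (and likewise for `pgadmin4_db_user`) makes any host_vars value work. The other templates in this change start with `{{ ansible_managed | comment }}`; this one should too, so the file is recognisable as generated and as holding the database credential.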


@ -0,0 +1,29 @@
[Unit]
Description = PgAdmin4 uwsgi Service
After = network.target network-online.target
Wants = network-online.target
[Service]
User={{ pgadmin4_user }}
StateDirectory=pgadmin
RuntimeDirectory=pgadmin4
LogsDirectory=pgadmin
ExecStart=uwsgi \
--socket /run/pgadmin4/pgadmin4.sock --chmod-socket=666 \
--plugin python3 \
-H /usr/pgadmin4/venv \
--processes 1 \
--threads 25 \
--chdir /usr/pgadmin4/web/ \
--manage-script-name \
--mount /pgadmin4=pgAdmin4:app
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill -INT $MAINPID
Restart=always
Type=notify
StandardError=syslog
NotifyAccess=all
KillSignal=SIGQUIT
[Install]
WantedBy = multi-user.target
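Review bot: `--chmod-socket=666` makes the uwsgi socket under /run/pgadmin4 writable by every local user, so anyone on the host can talk to the pgAdmin application directly, bypassing whatever the front-end web server enforces. Only the web server needs the socket, so `--chown-socket {{ pgadmin4_user }}:www-data --chmod-socket=660 \` restricts it to the service user and the web server's group (www-data is an assumption about the front end — confirm). `StandardError=syslog` is deprecated in current systemd and treated as `journal`; drop it or write `journal`. The unit has no sandboxing (`NoNewPrivileges=true`, `ProtectSystem=strict`, `PrivateTmp=true`), which should be compatible with the State/Runtime/LogsDirectory directives that already declare the writable paths — worth verifying on one host.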


@ -3,21 +3,28 @@
- name: Request nsupdate key for certificate - name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate include_role: name=acme-dnskey-generate
- name: Enable sury php apt-key
apt_key: url="https://packages.sury.org/php/apt.gpg"
- name: Enable sury php repository
apt_repository: repo="deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
- name: Install packages - name: Install packages
apt: apt:
name: name:
- php - php8.1
- php-common - php8.1-common
- php-curl - php8.1-curl
- php-mysql - php8.1-mysql
- php-mbstring - php8.1-mbstring
- php-cli - php8.1-cli
- php-opcache - php8.1-opcache
- php-xml - php8.1-xml
- php-fpm - php8.1-fpm
- php-readline - php8.1-readline
- mariadb-server - mariadb-server
- python3-mysqldb - python3-mysqldb
- python3-psycopg2
- name: Ensure certificates are available - name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ strichliste_domain }}.key -out /etc/nginx/ssl/{{ strichliste_domain }}.crt -days 730 -subj "/CN={{ strichliste_domain }}" creates=/etc/nginx/ssl/{{ strichliste_domain }}.crt command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ strichliste_domain }}.key -out /etc/nginx/ssl/{{ strichliste_domain }}.crt -days 730 -subj "/CN={{ strichliste_domain }}" creates=/etc/nginx/ssl/{{ strichliste_domain }}.crt
@ -30,6 +37,12 @@
- name: Create vhost directory - name: Create vhost directory
file: path=/var/www/strichliste state=directory owner=www-data group=www-data file: path=/var/www/strichliste state=directory owner=www-data group=www-data
- name: Install Mariadb
apt:
name:
- mariadb-server
- python3-mysqldb
- name: Configure Mariadb database - name: Configure Mariadb database
community.mysql.mysql_db: name={{ strichliste_dbname }} community.mysql.mysql_db: name={{ strichliste_dbname }}
become: true become: true
@ -64,5 +77,5 @@
file: src=/etc/nginx/sites-available/strichliste dest=/etc/nginx/sites-enabled/strichliste state=link file: src=/etc/nginx/sites-available/strichliste dest=/etc/nginx/sites-enabled/strichliste state=link
notify: Restart nginx notify: Restart nginx
- name: Start php8.2-fpm - name: Start php8.1-fpm
service: name=php8.2-fpm state=started enabled=yes service: name=php8.1-fpm state=started enabled=yes
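Review bot: `apt_key: url="https://packages.sury.org/php/apt.gpg"` in the first hunk installs the third-party key into the global trusted keyring, where it can sign any repository, and the module is deprecated on current Debian; a `signed-by=` keyring scopes the key to the sury repository alone. A `get_url` download of the same key into `/etc/apt/keyrings` plus `[signed-by=...]` in the repo line achieves that with built-in modules only (creating the directory first for hosts whose apt does not ship it). The second hunk's `Install Mariadb` task re-installs `mariadb-server` and `python3-mysqldb`, which the first hunk's package list already contains, so one of the two should go. The enclosing play starts before the first hunk.
```yaml
- name: Create apt keyring directory
  file: path=/etc/apt/keyrings state=directory mode=0755
- name: Download sury php signing key
  get_url:
    url: https://packages.sury.org/php/apt.gpg
    dest: /etc/apt/keyrings/sury-php.gpg
    mode: "0644"
- name: Enable sury php repository
  apt_repository: repo="deb [signed-by=/etc/apt/keyrings/sury-php.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
# … unchanged: Install packages task and the rest of the play …
```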


@ -2,7 +2,7 @@
// Unattended-Upgrade::Origins-Pattern controls which packages are // Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded. // upgraded.
// //
// Lines below have the format "keyword=value,...". A // Lines below have the format format is "keyword=value,...". A
// package will be upgraded only if the values in its metadata match // package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted // all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release // keywords are wild cards.) The keywords originate from the Release
@ -31,7 +31,6 @@ Unattended-Upgrade::Origins-Pattern {
// "origin=Debian,codename=${distro_codename}-proposed-updates"; // "origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian"; "origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security"; "origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
// Archive or Suite based matching: // Archive or Suite based matching:
// Note that this will silently match a different release after // Note that this will silently match a different release after
@ -94,11 +93,9 @@ Unattended-Upgrade::Package-Blacklist {
// 'mailx' must be installed. E.g. "user@example.com" // 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "root"; Unattended-Upgrade::Mail "root";
// Set this value to one of: // Set this value to "true" to get emails only on errors. Default
// "always", "only-on-error" or "on-change" // is to always send a mail if Unattended-Upgrade::Mail is set
// If this is not set, then any legacy MailOnlyOnError (boolean) value Unattended-Upgrade::MailOnlyOnError "true";
// is used to chose between "only-on-error" and "on-change"
Unattended-Upgrade::MailReport "only-on-error";
// Remove unused automatically installed kernel-related packages // Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools). // (kernel images, kernel headers and kernel version locked tools).
@ -148,18 +145,3 @@ Unattended-Upgrade::Automatic-Reboot "{{ uau_reboot }}";
// Print debugging information both in unattended-upgrades and // Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown // in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false"; // Unattended-Upgrade::Debug "false";
// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";
// When APT fails to mark a package to be upgraded or installed try adjusting
// candidates of related packages to help APT's resolver in finding a solution
// where the package can be upgraded or installed.
// This is a workaround until APT's resolver is fixed to always find a
// solution if it exists. (See Debian bug #711128.)
// The fallback is enabled by default, except on Debian's sid release because
// uninstallable packages are frequent there.
// Disabling the fallback speeds up unattended-upgrades when there are
// uninstallable packages at the expense of rarely keeping back packages which
// could be upgraded or installed.
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
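Review bot: The new side drops `"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";` from `Origins-Pattern` in the second hunk, and on Debian 11 and 12 the security archive identifies itself with codename `${distro_codename}-security`, so the remaining `codename=${distro_codename},label=Debian-Security` line does not match it and security updates would no longer be installed unattended — the updates this template exists for. Keep both lines. The `MailReport` → `MailOnlyOnError` swap in the third hunk is a version-dependent option name; the removed comment itself says newer versions still honour the legacy `MailOnlyOnError` value, so if hosts on different releases share this template the older key is the one both accept. The `Origins-Pattern` block and the rest of the file continue outside the hunks.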


@ -20,7 +20,7 @@
hosts: [bacon.binary.kitchen, aveta.binary.kitchen, aeron.binary.kitchen] hosts: [bacon.binary.kitchen, aveta.binary.kitchen, aeron.binary.kitchen]
roles: roles:
- dns_intern - dns_intern
- kea - dhcpd
- slapd - slapd
- radius - radius
@ -172,3 +172,8 @@
hosts: barium.binary-kitchen.net hosts: barium.binary-kitchen.net
roles: roles:
- workadventure - workadventure
- name: Setup HomeAssistant server
hosts: lasagne.binary.kitchen
roles:
- homeassistant