Compare commits
13 Commits
master
...
homeassist
Author | SHA1 | Date | |
---|---|---|---|
bd7d256004 | |||
6e55e4ff78 | |||
3e87601013 | |||
838d881480 | |||
6bfff16a4b | |||
552c9d71b3 | |||
3b8cc7d1ea | |||
b629b62974 | |||
389331e59a | |||
c7c56f212e | |||
a9c66ab0e3 | |||
42538dc019 | |||
79af417b4f |
1
.gitignore
vendored
1
.gitignore
vendored
@ -2,3 +2,4 @@
|
||||
site.retry
|
||||
ansible.log
|
||||
*.swp
|
||||
*.pyc
|
||||
|
@ -31,9 +31,9 @@ Currently the following hosts are installed:
|
||||
| knoedel.binary.kitchen | Debian 12 | SIP-DECT OMM |
|
||||
| bob.binary.kitchen | Debian 12 | Gitea Actions |
|
||||
| lasagne.binary.kitchen | Debian 12 | Home Assistant * |
|
||||
| tschunk.binary.kitchen | Debian 12 | Strichliste |
|
||||
| tschunk.binary.kitchen | Debian 11 | Strichliste |
|
||||
| bowle.binary.kitchen | Debian 12 | Files |
|
||||
| lock-auweg.binary.kitchen | Debian 12 | Doorlock |
|
||||
| lock-auweg.binary.kitchen | Debian 11 | Doorlock |
|
||||
|
||||
\*: The main application is not managed by ansible but manually installed
|
||||
|
||||
|
@ -5,5 +5,3 @@ radius_hostname: radius3.binary.kitchen
|
||||
slapd_hostname: ldap3.binary.kitchen
|
||||
slapd_replica_id: 3
|
||||
slapd_role: slave
|
||||
|
||||
uau_reboot: "false"
|
||||
|
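Review bot: If the two lines this hunk drops are the blank line and `uau_reboot: "false"` (L90-L92; the `+5,3` count says two lines go, and the hunk at L96-L113 shows the same shape for a second host), both LDAP replicas fall back to the role default for `uau_reboot`, while the host in the hunk at L114 keeps the explicit `"false"`. For `slapd_role: slave` hosts an unattended reboot is behaviour worth keeping explicit in host_vars; if the default is now `"false"` everywhere, a short commit note saying so would make the intent visible.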
@ -15,5 +15,3 @@ radius_hostname: radius1.binary.kitchen
|
||||
slapd_hostname: ldap1.binary.kitchen
|
||||
slapd_replica_id: 1
|
||||
slapd_role: slave
|
||||
|
||||
uau_reboot: "false"
|
||||
|
@ -9,3 +9,40 @@ root_keys_host:
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
||||
|
||||
uau_reboot: "false"
|
||||
|
||||
mosquitto_listeners:
|
||||
# Listeners for Mosquitto MQTT Broker
|
||||
- name: "default"
|
||||
listener: "1883"
|
||||
protocol: "mqtt"
|
||||
use_username_as_clientid: "false"
|
||||
allow_zero_length_clientid: "true"
|
||||
allow_anonymous: "false"
|
||||
users:
|
||||
- username: admin
|
||||
password: "{{ vault_mosquitto_arwen_admin_passwd }}"
|
||||
acl:
|
||||
- permissions: readwrite
|
||||
topic: "#"
|
||||
|
||||
- username: homeassistant
|
||||
password: "{{ vault_mosquitto_arwen_homeassistant_passwd }}"
|
||||
acl:
|
||||
- permissions: readwrite
|
||||
topic: "#"
|
||||
|
||||
mosquitto_bridges:
|
||||
- connection: pizza
|
||||
address: 172.23.4.6:1883
|
||||
topics:
|
||||
- topic: "# out 0"
|
||||
- topic: "# in 0"
|
||||
|
||||
ha_pg_db_pass: "{{ vault_ha_pg_db_pass }}"
|
||||
pgadmin4_db_password: "{{ vault_pgadmin4_db_password }}"
|
||||
pgadmin4_initial_user_email: noby@binary-kitchen.de
|
||||
pgadmin4_initial_user_password: "{{ vault_pgadmin4_initial_user_password }}"
|
||||
ha_pg_grafana_db_pass: "{{ vault_ha_pg_grafana_db_pass }}"
|
||||
|
||||
ha_domains:
|
||||
- lasagne.binary.kitchen
|
||||
|
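Review bot: Both the `admin` and the `homeassistant` MQTT user get `readwrite` on `#` (L163-L166, L180-L183), so the Home Assistant credential is as powerful as the admin one; a least-privilege ACL for `homeassistant` would list the topic trees it actually publishes and subscribes to. The `pizza` bridge (L191-L203) mirrors every topic in both directions (`"# out 0"`, `"# in 0"`) and the hunk shows no bridge credentials while the local listener has `allow_anonymous: "false"`; if the role supports Mosquitto's `remote_username`/`remote_password` bridge options they belong here, otherwise whatever the remote side serves anonymously flows into this broker as trusted data. Booleans are written as quoted strings (`"false"`, `"true"`, L142-L148), which is fine if the mosquitto template expects text, but a one-line comment would stop someone "fixing" them into YAML booleans. `uau_reboot: "false"` (L122) is context here, while the hunks at L78 and L96 drop the same line from two other hosts.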
@ -1,8 +1,9 @@
|
||||
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
|
||||
|
||||
# This is the sshd server system-wide configuration file. See
|
||||
# sshd_config(5) for more information.
|
||||
|
||||
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
|
||||
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
|
||||
|
||||
# The strategy used for options in the default sshd_config shipped with
|
||||
# OpenSSH is to specify options with their default value where
|
||||
@ -68,7 +69,7 @@ PasswordAuthentication {{ sshd_password_authentication }}
|
||||
|
||||
# Change to yes to enable challenge-response passwords (beware issues with
|
||||
# some PAM modules and threads)
|
||||
KbdInteractiveAuthentication no
|
||||
ChallengeResponseAuthentication no
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
@ -84,13 +85,13 @@ KbdInteractiveAuthentication no
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
# be allowed through the KbdInteractiveAuthentication and
|
||||
# be allowed through the ChallengeResponseAuthentication and
|
||||
# PasswordAuthentication. Depending on your PAM configuration,
|
||||
# PAM authentication via KbdInteractiveAuthentication may bypass
|
||||
# the setting of "PermitRootLogin prohibit-password".
|
||||
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||||
# the setting of "PermitRootLogin without-password".
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and KbdInteractiveAuthentication to 'no'.
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
UsePAM yes
|
||||
|
||||
#AllowAgentForwarding yes
|
||||
@ -108,7 +109,7 @@ PrintMotd no
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
#UseDNS no
|
||||
#PidFile /run/sshd.pid
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10:30:100
|
||||
#PermitTunnel no
|
||||
#ChrootDirectory none
|
||||
|
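--- a/roles/dhcpd/handlers/main.yml
+++ b/roles/dhcpd/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: Restart isc-dhcp-server
+  service: name=isc-dhcp-server state=restarted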
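Review bot: The dhcpd role uses short module names with `key=value` argument strings (`service: name=isc-dhcp-server state=restarted`, L384; likewise `apt:`, `template:` and `service:` in roles/dhcpd/tasks/main.yml at L403, L411 and L431), whereas the homeassistant role added in the same change uses FQCNs with block arguments. Write the handler as `ansible.builtin.service:` with `name: isc-dhcp-server` and `state: restarted` on their own lines, and in the tasks file `enabled=yes` becomes `enabled: true`. Consistent style across the two roles also keeps ansible-lint quiet on the whole repository.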
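--- a/roles/dhcpd/tasks/main.yml
+++ b/roles/dhcpd/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+
+- name: Install dhcp server
+  apt: name=isc-dhcp-server
+
+- name: Configure dhcp server
+  template: src={{ item }}.j2 dest=/etc/{{ item }}
+  with_items:
+    - default/isc-dhcp-server
+    - dhcp/dhcpd.conf
+  notify: Restart isc-dhcp-server
+
+- name: Start the dhcp server
+  service: name=isc-dhcp-server state=started enabled=yes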
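Review bot: The template task (L408-L423) renders dhcpd.conf, which carries the OMAPI secret `{{ dhcp_omapi_key }}`, with no `mode`, so the file keeps whatever permissions the copy ends up with, and it has no `validate`, so a syntax error only surfaces when the handler restarts the server and leaves it down. Because the loop covers a shell fragment and a dhcpd config, one `validate` cannot fit both; splitting the task lets dhcpd.conf get `validate: dhcpd -t -cf %s` and a restrictive mode (e.g. `"0640"` — confirm against how the Debian service reads the file before dropping privileges) while the defaults file keeps `"0644"`. The split also replaces `with_items` with the two explicit tasks below.
```yaml
- name: Configure dhcp server defaults
  ansible.builtin.template:
    src: default/isc-dhcp-server.j2
    dest: /etc/default/isc-dhcp-server
    mode: "0644"
  notify: Restart isc-dhcp-server

- name: Configure dhcp server
  ansible.builtin.template:
    src: dhcp/dhcpd.conf.j2
    dest: /etc/dhcp/dhcpd.conf
    mode: "0640"
    validate: dhcpd -t -cf %s
  notify: Restart isc-dhcp-server

# … unchanged: install and start tasks …
```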
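--- a/roles/dhcpd/templates/default/isc-dhcp-server.j2
+++ b/roles/dhcpd/templates/default/isc-dhcp-server.j2
@@ -0,0 +1,21 @@
+#
+# This is a POSIX shell fragment
+#
+
+# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
+#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
+#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
+
+# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
+#DHCPDv4_PID=/var/run/dhcpd.pid
+#DHCPDv6_PID=/var/run/dhcpd6.pid
+
+# Additional options to start dhcpd with.
+# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
+#OPTIONS=""
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACESv4="{{ ansible_default_ipv4['interface'] }}"
+INTERFACESv6=""
+INTERFACES="{{ ansible_default_ipv4['interface'] }}"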
319
roles/dhcpd/templates/dhcp/dhcpd.conf.j2
Normal file
319
roles/dhcpd/templates/dhcp/dhcpd.conf.j2
Normal file
@ -0,0 +1,319 @@
|
||||
# dhcpd.conf
|
||||
|
||||
# option definitions common to all supported networks...
|
||||
option domain-name "binary.kitchen";
|
||||
option domain-name-servers {{ name_servers | join(', ') }};
|
||||
option domain-search "binary.kitchen";
|
||||
option ntp-servers 172.23.1.60, 172.23.2.3;
|
||||
|
||||
# options related to Mitel SIP-DECT
|
||||
option space sipdect;
|
||||
option local-encapsulation code 43 = encapsulate sipdect;
|
||||
option sipdect.ommip1 code 10 = ip-address;
|
||||
option sipdect.ommip2 code 19 = ip-address;
|
||||
option sipdect.syslogip code 14 = ip-address;
|
||||
option sipdect.syslogport code 15 = integer 16;
|
||||
option magic_str code 224 = text;
|
||||
|
||||
default-lease-time 7200;
|
||||
max-lease-time 28800;
|
||||
|
||||
# Use this to enble / disable dynamic dns updates globally.
|
||||
ddns-update-style interim;
|
||||
ddns-updates on;
|
||||
|
||||
# If this DHCP server is the official DHCP server for the local
|
||||
# network, the authoritative directive should be uncommented.
|
||||
authoritative;
|
||||
|
||||
# Use this to send dhcp log messages to a different log file (you also
|
||||
# have to hack syslog.conf to complete the redirection).
|
||||
log-facility local7;
|
||||
|
||||
{% if dhcpd_failover == true %}
|
||||
|
||||
# Failover
|
||||
|
||||
failover peer "failover-partner" {
|
||||
{% if ansible_default_ipv4.address == dhcpd_primary %}
|
||||
primary;
|
||||
address {{ dhcpd_primary }};
|
||||
peer address {{ dhcpd_secondary }};
|
||||
{% elif ansible_default_ipv4.address == dhcpd_secondary %}
|
||||
secondary;
|
||||
address {{ dhcpd_secondary }};
|
||||
peer address {{ dhcpd_primary }};
|
||||
{% endif %}
|
||||
port 520;
|
||||
peer port 520;
|
||||
max-response-delay 60;
|
||||
max-unacked-updates 10;
|
||||
{% if ansible_default_ipv4.address == dhcpd_primary %}
|
||||
mclt 600;
|
||||
split 255;
|
||||
{% endif %}
|
||||
load balance max seconds 3;
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
# Binary Kitchen subnets
|
||||
|
||||
# Management
|
||||
subnet 172.23.1.0 netmask 255.255.255.0 {
|
||||
option routers 172.23.1.1;
|
||||
}
|
||||
|
||||
# Services
|
||||
subnet 172.23.2.0 netmask 255.255.255.0 {
|
||||
allow bootp;
|
||||
option routers 172.23.2.1;
|
||||
}
|
||||
|
||||
# Users
|
||||
subnet 172.23.3.0 netmask 255.255.255.0 {
|
||||
option routers 172.23.3.1;
|
||||
ddns-domainname "users.binary.kitchen";
|
||||
option domain-search "binary.kitchen", "users.binary.kitchen";
|
||||
pool {
|
||||
{% if dhcpd_failover == true %}
|
||||
failover peer "failover-partner";
|
||||
{% endif %}
|
||||
range 172.23.3.10 172.23.3.230;
|
||||
}
|
||||
}
|
||||
|
||||
# MQTT
|
||||
subnet 172.23.4.0 netmask 255.255.255.0 {
|
||||
option routers 172.23.4.1;
|
||||
pool {
|
||||
{% if dhcpd_failover == true %}
|
||||
failover peer "failover-partner";
|
||||
{% endif %}
|
||||
range 172.23.4.10 172.23.4.240;
|
||||
}
|
||||
}
|
||||
|
||||
# Management Auweg
|
||||
subnet 172.23.12.0 netmask 255.255.255.0 {
|
||||
option routers 172.23.12.1;
|
||||
}
|
||||
|
||||
# Services Auweg
|
||||
subnet 172.23.13.0 netmask 255.255.255.0 {
|
||||
allow bootp;
|
||||
option routers 172.23.13.1;
|
||||
}
|
||||
|
||||
# Users Auweg
|
||||
subnet 172.23.14.0 netmask 255.255.255.0 {
|
||||
option routers 172.23.14.1;
|
||||
option domain-search "binary.kitchen", "users.binary.kitchen";
|
||||
pool {
|
||||
{% if dhcpd_failover == true %}
|
||||
failover peer "failover-partner";
|
||||
{% endif %}
|
||||
range 172.23.14.10 172.23.14.230;
|
||||
}
|
||||
}
|
||||
|
||||
# MQTT Auweg
|
||||
subnet 172.23.15.0 netmask 255.255.255.0 {
|
||||
option routers 172.23.15.1;
|
||||
pool {
|
||||
{% if dhcpd_failover == true %}
|
||||
failover peer "failover-partner";
|
||||
{% endif %}
|
||||
range 172.23.15.10 172.23.15.240;
|
||||
}
|
||||
}
|
||||
|
||||
# DDNS zones
|
||||
|
||||
zone users.binary.kitchen {
|
||||
primary {{ dns_primary }};
|
||||
}
|
||||
|
||||
|
||||
# Fixed IPs
|
||||
|
||||
host ap01 {
|
||||
hardware ethernet 44:48:c1:ce:a9:00;
|
||||
fixed-address ap01.binary.kitchen;
|
||||
}
|
||||
|
||||
host ap04 {
|
||||
hardware ethernet 74:9e:75:ce:93:54;
|
||||
fixed-address ap04.binary.kitchen;
|
||||
}
|
||||
|
||||
host ap05 {
|
||||
hardware ethernet bc:9f:e4:c3:6f:aa;
|
||||
fixed-address ap05.binary.kitchen;
|
||||
}
|
||||
|
||||
host ap06 {
|
||||
hardware ethernet 94:b4:0f:c0:1d:a0;
|
||||
fixed-address ap06.binary.kitchen;
|
||||
}
|
||||
|
||||
host ap11 {
|
||||
hardware ethernet 18:64:72:c6:c2:0c;
|
||||
fixed-address ap11.binary.kitchen;
|
||||
}
|
||||
|
||||
host ap12 {
|
||||
hardware ethernet 18:64:72:c6:c4:98;
|
||||
fixed-address ap12.binary.kitchen;
|
||||
}
|
||||
|
||||
host bowle {
|
||||
hardware ethernet ac:1f:6b:25:16:b6;
|
||||
fixed-address bowle.binary.kitchen;
|
||||
}
|
||||
|
||||
host cannelloni {
|
||||
hardware ethernet b8:27:eb:18:5c:11;
|
||||
fixed-address cannelloni.binary.kitchen;
|
||||
}
|
||||
|
||||
host fusilli {
|
||||
hardware ethernet b8:27:eb:1d:b9:bf;
|
||||
fixed-address fusilli.binary.kitchen;
|
||||
}
|
||||
|
||||
host habdisplay1 {
|
||||
hardware ethernet b8:27:eb:b6:62:be;
|
||||
fixed-address habdisplay1.mqtt.binary.kitchen;
|
||||
}
|
||||
|
||||
host habdisplay2 {
|
||||
hardware ethernet b8:27:eb:df:0b:7b;
|
||||
fixed-address habdisplay2.mqtt.binary.kitchen;
|
||||
}
|
||||
|
||||
host klopi {
|
||||
hardware ethernet 74:da:38:6e:e6:9d;
|
||||
fixed-address klopi.binary.kitchen;
|
||||
}
|
||||
|
||||
host lock {
|
||||
hardware ethernet b8:27:eb:d8:b9:ad;
|
||||
fixed-address lock.binary.kitchen;
|
||||
}
|
||||
|
||||
host maccaroni {
|
||||
hardware ethernet b8:27:eb:f5:9e:a1;
|
||||
fixed-address maccaroni.binary.kitchen;
|
||||
}
|
||||
|
||||
host matrix {
|
||||
hardware ethernet b8:27:eb:ed:22:58;
|
||||
fixed-address matrix.binary.kitchen;
|
||||
}
|
||||
|
||||
host mirror {
|
||||
hardware ethernet 74:da:38:7d:ed:84;
|
||||
fixed-address mirror.binary.kitchen;
|
||||
}
|
||||
|
||||
host mpcnc {
|
||||
hardware ethernet b8:27:eb:0f:d3:8b;
|
||||
fixed-address mpcnc.binary.kitchen;
|
||||
}
|
||||
|
||||
host noodlehub {
|
||||
hardware ethernet b8:27:eb:56:2b:7c;
|
||||
fixed-address noodlehub.binary.kitchen;
|
||||
}
|
||||
|
||||
host openhabgw1 {
|
||||
hardware ethernet dc:a6:32:bf:e2:3e;
|
||||
fixed-address openhabgw1.mqtt.binary.kitchen;
|
||||
}
|
||||
|
||||
host pizza {
|
||||
hardware ethernet 52:54:00:17:02:21;
|
||||
fixed-address pizza.binary.kitchen;
|
||||
}
|
||||
|
||||
host spaghetti {
|
||||
hardware ethernet b8:27:eb:eb:e5:88;
|
||||
fixed-address spaghetti.binary.kitchen;
|
||||
}
|
||||
|
||||
host schweinshaxn {
|
||||
hardware ethernet 52:54:00:17:02:24;
|
||||
fixed-address schweinshaxn.binary.kitchen;
|
||||
}
|
||||
|
||||
host strammermax {
|
||||
hardware ethernet 08:00:37:B8:55:44;
|
||||
fixed-address strammermax.binary.kitchen;
|
||||
}
|
||||
|
||||
host obatzda {
|
||||
hardware ethernet ec:9a:74:35:35:cf;
|
||||
fixed-address obatzda.binary.kitchen;
|
||||
}
|
||||
|
||||
|
||||
# VoIP Phones
|
||||
|
||||
host voip01 {
|
||||
hardware ethernet 00:1D:45:B6:99:2F;
|
||||
option tftp-server-name "172.23.2.36";
|
||||
}
|
||||
|
||||
host voip02 {
|
||||
hardware ethernet 00:1D:A2:66:B8:3E;
|
||||
option tftp-server-name "172.23.2.36";
|
||||
}
|
||||
|
||||
host voip03 {
|
||||
hardware ethernet 00:1E:BE:90:FB:DB;
|
||||
option tftp-server-name "172.23.2.36";
|
||||
}
|
||||
|
||||
host voip04 {
|
||||
hardware ethernet 00:1E:BE:90:FF:06;
|
||||
option tftp-server-name "172.23.2.36";
|
||||
}
|
||||
|
||||
|
||||
# Mitel SIP-DECT
|
||||
|
||||
host rfp01 {
|
||||
hardware ethernet 00:30:42:1B:73:5A;
|
||||
fixed-address 172.23.1.111;
|
||||
option host-name "rfp01";
|
||||
option sipdect.ommip1 172.23.2.35;
|
||||
option magic_str = "OpenMobilitySIP-DECT";
|
||||
}
|
||||
|
||||
host rfp02 {
|
||||
hardware ethernet 00:30:42:21:D4:D5;
|
||||
fixed-address 172.23.1.112;
|
||||
option host-name "rfp02";
|
||||
option sipdect.ommip1 172.23.2.35;
|
||||
option magic_str = "OpenMobilitySIP-DECT";
|
||||
}
|
||||
|
||||
host rfp11 {
|
||||
hardware ethernet 00:30:42:1B:8B:9B;
|
||||
fixed-address 172.23.12.111;
|
||||
option host-name "rfp11";
|
||||
option sipdect.ommip1 172.23.2.35;
|
||||
option magic_str = "OpenMobilitySIP-DECT";
|
||||
}
|
||||
|
||||
|
||||
|
||||
# OMAPI
|
||||
|
||||
omapi-port 7911;
|
||||
omapi-key omapi_key;
|
||||
|
||||
key omapi_key {
|
||||
algorithm hmac-md5;
|
||||
secret {{ dhcp_omapi_key }};
|
||||
}
|
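Review bot: The OMAPI control channel is enabled at `omapi-port 7911;` (L1384) with an `hmac-md5` key (L1395) whose secret is rendered into dhcpd.conf by a template task that sets no file mode, so the secret's exposure depends on the package default permissions of /etc/dhcp/dhcpd.conf; OMAPI can create and delete leases and host entries, so the port should be reachable only from the management hosts that need it (a host firewall rule is the usual way) and the rendered file should not be world-readable. `ddns-update-style interim;` (L568) is the deprecated style in ISC DHCP 4.x; `ddns-update-style standard;` is the current one. The `zone users.binary.kitchen` stanza (L882-L888) carries no `key`, so the DDNS updates are unsigned and the DNS primary must be accepting them by source address — worth confirming that is intended. The `dhcpd_failover == true` comparisons (L598 and each pool stanza) only match a real boolean; a string `"true"` from host_vars would silently disable failover, so `dhcpd_failover | bool` is safer.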
@ -1,7 +1,7 @@
|
||||
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
|
||||
$TTL 1h ; default time-to-live
|
||||
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
|
||||
2024100600; serial
|
||||
2024051300; serial
|
||||
1d; refresh
|
||||
2h; retry
|
||||
4w; expire
|
||||
@ -13,7 +13,7 @@ $TTL 1h ; default time-to-live
|
||||
1.0 IN PTR core.binary.kitchen.
|
||||
2.0 IN PTR rt-w13b.binary.kitchen.
|
||||
3.0 IN PTR erx-rz.binary.kitchen.
|
||||
4.0 IN PTR rt-auweg.binary.kitchen.
|
||||
4.0 IN PTR erx-auweg.binary.kitchen.
|
||||
; Management
|
||||
1.1 IN PTR v2301.core.binary.kitchen.
|
||||
11.1 IN PTR ups1.binary.kitchen.
|
||||
@ -87,26 +87,22 @@ $GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
|
||||
1.10 IN PTR wg0.erx-rz.binary.kitchen.
|
||||
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
|
||||
; Management Auweg
|
||||
1.12 IN PTR v2312.rt-auweg.binary.kitchen.
|
||||
31.12 IN PTR sw-auweg.binary.kitchen.
|
||||
41.12 IN PTR ap11.binary.kitchen.
|
||||
42.12 IN PTR ap12.binary.kitchen.
|
||||
61.12 IN PTR weizen.binary.kitchen.
|
||||
111.12 IN PTR rfp11.binary.kitchen.
|
||||
; Services Auweg
|
||||
1.13 IN PTR v2313.rt-auweg.binary.kitchen.
|
||||
3.13 IN PTR aeron.binary.kitchen.
|
||||
12.13 IN PTR lock-auweg.binary.kitchen.
|
||||
; Clients Auweg
|
||||
1.14 IN PTR v2314.rt-auweg.binary.kitchen.
|
||||
$GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen.
|
||||
; MQTT
|
||||
1.15 IN PTR v2315.rt-auweg.binary.kitchen.
|
||||
$GENERATE 10-240 $.15 IN PTR dhcp-${0,3,d}-15.binary.kitchen.
|
||||
; Point-to-Point
|
||||
1.96 IN PTR v400.rt-w13b.binary.kitchen.
|
||||
1.96 IN PTR v400.erx-bk.binary.kitchen.
|
||||
2.96 IN PTR v400.core.binary.kitchen.
|
||||
1.97 IN PTR wg1.erx-rz.binary.kitchen.
|
||||
2.97 IN PTR wg1.rt-w13b.binary.kitchen.
|
||||
2.97 IN PTR wg1.erx-bk.binary.kitchen.
|
||||
5.97 IN PTR wg2.erx-rz.binary.kitchen.
|
||||
6.97 IN PTR wg2.rt-auweg.binary.kitchen.
|
||||
6.97 IN PTR wg2.erx-auweg.binary.kitchen.
|
||||
|
@ -1,7 +1,7 @@
|
||||
$ORIGIN binary.kitchen ; base for unqualified names
|
||||
$TTL 1h ; default time-to-live
|
||||
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
|
||||
2024100600; serial
|
||||
2024051300; serial
|
||||
1d; refresh
|
||||
2h; retry
|
||||
4w; expire
|
||||
@ -36,7 +36,7 @@ radius IN A 172.23.2.4
|
||||
core IN A 172.23.0.1
|
||||
rt-w13b IN A 172.23.0.2
|
||||
erx-rz IN A 172.23.0.3
|
||||
rt-auweg IN A 172.23.0.4
|
||||
erx-auweg IN A 172.23.0.4
|
||||
; Management
|
||||
v2301.core IN A 172.23.1.1
|
||||
ups1 IN A 172.23.1.11
|
||||
@ -107,29 +107,25 @@ salat IN A 172.23.9.61
|
||||
salat-bmc IN A 172.23.9.81
|
||||
; Services RZ
|
||||
; Management Auweg
|
||||
v2312.rt-auweg IN A 172.23.12.1
|
||||
sw-auweg IN A 172.23.12.31
|
||||
ap11 IN A 172.23.12.41
|
||||
ap12 IN A 172.23.12.42
|
||||
weizen IN A 172.23.12.61
|
||||
rfp11 IN A 172.23.12.111
|
||||
; Services Auweg
|
||||
v2313.rt-auweg IN A 172.23.13.1
|
||||
aeron IN A 172.23.13.3
|
||||
lock-auweg IN A 172.23.13.12
|
||||
; Clients Auweg
|
||||
v2314.rt-auweg IN A 172.23.14.1
|
||||
$GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$
|
||||
; MQTT Auweg
|
||||
v2315.rt-auweg IN A 172.23.15.1
|
||||
$GENERATE 10-240 dhcp-${0,3,d}-15 IN A 172.23.15.$
|
||||
; VPN RZ (ER-X)
|
||||
wg0.erx-rz IN A 172.23.10.1
|
||||
$GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$
|
||||
; Point-to-Point
|
||||
v400.rt-w13b IN A 172.23.96.1
|
||||
v400.erx-bk IN A 172.23.96.1
|
||||
v400.core IN A 172.23.96.2
|
||||
wg1.erx-rz IN A 172.23.97.1
|
||||
wg1.rt-w13b IN A 172.23.97.2
|
||||
wg1.erx-bk IN A 172.23.97.2
|
||||
wg2.erx-rz IN A 172.23.97.5
|
||||
wg2.rt-auweg IN A 172.23.97.6
|
||||
wg2.erx-auweg IN A 172.23.97.6
|
||||
|
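--- a/roles/homeassistant/defaults/main.yml
+++ b/roles/homeassistant/defaults/main.yml
@@ -0,0 +1,22 @@
+---
+
+# Python version required for home assistant
+ha_python_version: '3.12'
+
+# The location of the config directory
+ha_conf_dir: /etc/homeassistant
+
+# The location of the installatin directory
+ha_venv_dir: "/opt/homeassistant"
+
+# The default user
+ha_user: homeassistant
+
+ha_pg_db_version: 15
+ha_pg_db_name: homeassistant
+ha_pg_db_user: homeassistant
+ha_pg_db_pass: xxxxx
+
+ha_pg_grafana_db_name: grafana
+ha_pg_grafana_db_user: grafana
+ha_pg_grafana_db_pass: xxxxx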
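Review bot: `ha_pg_db_pass: xxxxx` and `ha_pg_grafana_db_pass: xxxxx` (L1757, L1768) are live defaults, not placeholders: a host that forgets to set them in host_vars gets database users whose password is literally `xxxxx`, and postgres.yml opens pg_hba to every source address. Drop the two keys from defaults so the play fails on an undefined variable, or add an `ansible.builtin.assert` at the start of tasks/main.yml that both differ from the placeholder. Small documentation nit: "installatin" in the comment at L1732 should read "installation".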
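--- a/roles/homeassistant/handlers/main.yml
+++ b/roles/homeassistant/handlers/main.yml
@@ -0,0 +1,21 @@
+---
+
+- name: Restart postgresql
+  ansible.builtin.service:
+    name: postgresql
+    state: restarted
+
+- name: Restart homeassistant
+  ansible.builtin.service:
+    name: home-assistant
+    state: restarted
+
+- name: Restart grafana
+  ansible.builtin.service:
+    name: grafana-server
+    state: restarted
+
+- name: Restart nginx
+  ansible.builtin.service:
+    name: nginx
+    state: restarted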
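--- a/roles/homeassistant/meta/main.yml
+++ b/roles/homeassistant/meta/main.yml
@@ -0,0 +1,14 @@
+---
+
+galaxy_info:
+  author: Thomas Basler
+  description: Install HomeAssistant environment
+  license: None
+  platforms:
+    - name: Debian
+  min_ansible_version: "2.4"
+
+dependencies:
+  - { role: mosquitto }
+  - { role: pgadmin4 }
+  - { role: nginx, nginx_ssl: false }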
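Review bot: `min_ansible_version: "2.4"` (L1869) understates the requirement: the role's tasks use `ansible.builtin.*` and `community.*` FQCNs and `loop`, which need ansible 2.10 and 2.5 respectively, so `min_ansible_version: "2.10"` is the honest floor. `license: None` (L1860) is parsed as the string `None`; Galaxy expects a licence identifier here, so name the actual licence. The `dependencies` entries use flow mappings (L1877-L1883); block style (`- role: nginx` with `nginx_ssl: false` indented beneath it) reads and diffs line by line.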
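--- a/roles/homeassistant/tasks/grafana.yml
+++ b/roles/homeassistant/tasks/grafana.yml
@@ -0,0 +1,77 @@
+---
+
+- name: Grafana | add GPG signing key
+  become: true
+  ansible.builtin.apt_key:
+    url: "https://apt.grafana.com/gpg.key"
+    state: present
+    validate_certs: true
+
+- name: Grafana | add official repository
+  become: true
+  ansible.builtin.apt_repository:
+    repo: "deb https://apt.grafana.com stable main"
+    state: present
+    filename: grafana
+    update_cache: true
+  tags: install
+
+- name: Grafana | establish dependencies
+  become: true
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+  loop: ["grafana"]
+  tags: install
+
+- name: Grafana | Configure PostgreSQL database
+  community.general.postgresql_db:
+    name: "{{ ha_pg_grafana_db_name }}"
+    template: template0
+    encoding: utf8
+  become: true
+  become_user: postgres
+
+- name: Grafana | Configure PostgreSQL user
+  community.general.postgresql_user:
+    db: "{{ ha_pg_grafana_db_name }}"
+    name: "{{ ha_pg_grafana_db_user }}"
+    password: "{{ ha_pg_grafana_db_pass }}"
+  become: true
+  become_user: postgres
+
+- name: Grafana | GRANT ALL PRIVILEGES ON SCHEMA public TO {{ pgadmin4_db_user }}
+  community.postgresql.postgresql_privs:
+    db: "{{ ha_pg_grafana_db_name }}"
+    privs: ALL
+    type: schema
+    objs: public
+    role: "{{ ha_pg_grafana_db_user }}"
+  become: true
+  become_user: postgres
+
+- name: GRANT SELECT PRIVILEGES ON DATABASE {{ ha_pg_db_name }} TO {{ ha_pg_grafana_db_user }}
+  community.general.postgresql_privs:
+    db: "{{ ha_pg_db_name }}"
+    privs: SELECT
+    type: table
+    objs: statistics,statistics_meta
+    role: "{{ ha_pg_grafana_db_user }}"
+  become: true
+  become_user: postgres
+  ignore_errors: true
+
+- name: Grafana | install config file
+  ansible.builtin.template:
+    src: grafana.ini.j2
+    dest: "/etc/grafana/grafana.ini"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart grafana
+
+- name: Grafana | Start service
+  ansible.builtin.service:
+    name: grafana-server
+    state: started
+    enabled: true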
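Review bot: The task name at L2014 says the grant goes to `{{ pgadmin4_db_user }}` while its `role:` is `ha_pg_grafana_db_user` (L2032); rename it to `- name: Grafana | GRANT ALL PRIVILEGES ON SCHEMA public TO {{ ha_pg_grafana_db_user }}` so the play log does not misreport which role gained privileges. `ignore_errors: true` at L2070 hides every failure of the SELECT grant, not only the expected one: Home Assistant creates `statistics`/`statistics_meta` on its first start, which the handler triggers at the end of the play, so on a fresh host the grant fails and is silently skipped until someone re-runs the play — register the result and fail on anything other than a missing-table error, or run the grant in a later play. The file mixes `community.general.postgresql_*` (L1971, L1994, L2046) with `community.postgresql.postgresql_privs` (L2017); use the `community.postgresql` collection throughout, matching postgres.yml. `/etc/grafana/grafana.ini` is written `root:root` with `mode: "0644"` (L2087-L2093); if grafana.ini.j2 renders `ha_pg_grafana_db_pass` into it (that template's diff is suppressed on this page), the database password becomes world-readable and `group: grafana` with `mode: "0640"` is the usual fix.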
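--- a/roles/homeassistant/tasks/installation.yml
+++ b/roles/homeassistant/tasks/installation.yml
@@ -0,0 +1,33 @@
+---
+
+- name: Install defined version of Home Assistant
+  ansible.builtin.pip:
+    name:
+      - wheel
+      - psycopg2
+      - packaging
+      - uv
+      - netifaces
+      - homeassistant=={{ ha_version }}
+    virtualenv: '{{ ha_venv_dir }}'
+    virtualenv_command: 'python{{ ha_python_version }} -m venv'
+  when: ha_version is defined
+  become: true
+  become_user: "{{ ha_user }}"
+  notify: Restart homeassistant
+
+- name: Install latest version of Home Assistant
+  ansible.builtin.pip:
+    name:
+      - wheel
+      - psycopg2
+      - packaging
+      - uv
+      - homeassistant
+    extra_args: "--upgrade"
+    virtualenv: "{{ ha_venv_dir }}"
+    virtualenv_command: 'python{{ ha_python_version }} -m venv'
+  when: ha_version is undefined
+  become: true
+  become_user: "{{ ha_user }}"
+  notify: Restart homeassistant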
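Review bot: The two pip tasks have drifted: the pinned variant installs `netifaces` (L2150) and the "latest" variant does not (L2185-L2197), so a host without `ha_version` comes up without that package. A single list variable in defaults (e.g. `ha_pip_packages`) consumed by both `name:` lists, with the `homeassistant` entry appended per task, removes the duplication and the drift. `extra_args: "--upgrade"` with an unpinned `homeassistant` pulls whatever is current on PyPI at play time, so every run can change the deployed version without any record in the repository; defaulting `ha_version` and making the unpinned path an explicit opt-in keeps upgrades reviewable.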
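--- a/roles/homeassistant/tasks/main.yml
+++ b/roles/homeassistant/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Install python if required
+  ansible.builtin.include_tasks: python_312.yml
+  when: ha_python_version == '3.12'
+
+- name: Include sub-tasks
+  ansible.builtin.include_tasks: '{{ item }}'
+  loop:
+    - preparation.yml
+    - postgres.yml
+    - systemd.yml
+    - installation.yml
+    - grafana.yml
+    - nginx.yml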
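--- a/roles/homeassistant/tasks/nginx.yml
+++ b/roles/homeassistant/tasks/nginx.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Configure vhost
+  ansible.builtin.template:
+    src: vhost.j2
+    dest: /etc/nginx/sites-available/homeassistant
+    mode: "0644"
+  notify: Restart nginx
+
+- name: Enable vhost
+  ansible.builtin.file:
+    src: /etc/nginx/sites-available/homeassistant
+    dest: /etc/nginx/sites-enabled/homeassistant
+    state: link
+  notify: Restart nginx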
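--- a/roles/homeassistant/tasks/postgres.yml
+++ b/roles/homeassistant/tasks/postgres.yml
@@ -0,0 +1,54 @@
+---
+
+- name: Postgres | establish dependencies
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - postgresql-{{ ha_pg_db_version }}
+    - libpq-dev
+    - python3-psycopg2
+
+- name: Postgres | Configure PostgreSQL database
+  community.general.postgresql_db:
+    name: "{{ ha_pg_db_name }}"
+    template: template0
+    encoding: utf8
+  become: true
+  become_user: postgres
+
+- name: Postgres | Configure PostgreSQL user
+  community.general.postgresql_user:
+    db: "{{ ha_pg_db_name }}"
+    name: "{{ ha_pg_db_user }}"
+    password: "{{ ha_pg_db_pass }}"
+  become: true
+  become_user: postgres
+
+- name: Postgres | GRANT ALL PRIVILEGES ON SCHEMA public TO {{ ha_pg_db_user }}
+  community.postgresql.postgresql_privs:
+    db: "{{ ha_pg_db_user }}"
+    privs: ALL
+    type: schema
+    objs: public
+    role: "{{ ha_pg_db_user }}"
+  become: true
+  become_user: postgres
+
+- name: Postgres | Grant all users access to all dbs
+  community.general.postgresql_pg_hba:
+    dest: /etc/postgresql/{{ ha_pg_db_version }}/main/pg_hba.conf
+    contype: host
+    users: all
+    databases: all
+    method: scram-sha-256
+    source: 0.0.0.0/0
+  notify: Restart postgresql
+
+- name: Postgres | Listen to external interfaces
+  community.general.postgresql_set:
+    name: listen_addresses
+    value: "*"
+  become: true
+  become_user: postgres
+  notify: Restart postgresql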
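Review bot: `db: "{{ ha_pg_db_user }}"` at L2414 selects the database by the user variable; it only works because both default to `homeassistant`, and the schema grant lands on the wrong database as soon as `ha_pg_db_name` is overridden — change it to `db: "{{ ha_pg_db_name }}"`, as grafana.yml does at L2020. The pg_hba rule `host all all 0.0.0.0/0 scram-sha-256` (L2446-L2458) together with `listen_addresses = "*"` (L2472-L2475) makes every database reachable from any address that can reach the host, while every client visible in this change (Home Assistant, Grafana, pgAdmin) runs locally; unless a remote client exists, keep the default `listen_addresses`, or restrict `source:` to the one network that needs it and add an IPv6 rule deliberately if one is wanted. The pg_hba task (L2437-L2461) is the only one in the file without `become: true`; it writes under /etc/postgresql, so it depends on a play-level become that is not visible here. A pg_hba change only needs a reload, so a `state: reloaded` handler would avoid dropping Home Assistant's connections on every rule change.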
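--- a/roles/homeassistant/tasks/preparation.yml
+++ b/roles/homeassistant/tasks/preparation.yml
@@ -0,0 +1,41 @@
+---
+
+- name: Install commonly-named packages
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - python3
+    - python3-dev
+    - python3-venv
+    - python3-pip
+    - libffi-dev
+    - libssl-dev
+    - libjpeg-dev
+    - zlib1g-dev
+    - autoconf
+    - build-essential
+    - libopenjp2-7
+    - libtiff6
+    - libturbojpeg0
+    - tzdata
+    - git
+    - ffmpeg
+
+- name: Create user
+  ansible.builtin.user:
+    name: "{{ ha_user }}"
+    comment: "Home Assistant"
+    system: true
+    shell: "/sbin/nologin"
+
+- name: Create directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "02775"
+    owner: "{{ ha_user }}"
+    group: "{{ ha_user }}"
+  loop:
+    - "{{ ha_conf_dir }}"
+    - "{{ ha_venv_dir }}"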
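Review bot: `mode: "02775"` (L2597) is applied to both directories, which makes `ha_conf_dir` readable and traversable by every local account; that directory holds Home Assistant's `secrets.yaml` and its `.storage` auth state, so unless each file inside is itself restricted, `"0750"` (or `"02750"` if the setgid bit is wanted) is the safer default for the config dir while the venv dir can stay world-readable. The single `ansible.builtin.file` loop cannot express two modes, so either split it or carry the mode in the loop items (`- { path: "{{ ha_conf_dir }}", mode: "0750" }`). `shell: "/sbin/nologin"` (L2580) resolves on Debian 12 only through the merged-/usr symlink; `/usr/sbin/nologin` is the canonical path.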
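--- a/roles/homeassistant/tasks/python_312.yml
+++ b/roles/homeassistant/tasks/python_312.yml
@@ -0,0 +1,26 @@
+---
+
+- name: Python 3.12 | add GPG signing key
+  become: true
+  ansible.builtin.apt_key:
+    url: "https://pascalroeleven.nl/deb-pascalroeleven.gpg"
+    state: present
+    validate_certs: true
+  tags: install
+
+- name: Python 3.12 | add official repository
+  become: true
+  ansible.builtin.apt_repository:
+    repo: "deb http://deb.pascalroeleven.nl/python3.12 bookworm-backports main"
+    state: present
+    filename: python312
+    update_cache: true
+  tags: install
+
+- name: Python 3.12 | establish dependencies
+  become: true
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+  loop: "{{ python312_dependencies }}"
+  tags: install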
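Review bot: `ansible.builtin.apt_key` without `keyring:` (L2634-L2643) imports the key into apt's global trust store, so a key fetched from a personal site to install python3.12 can sign packages for every repository on the host; give `apt_key` a `keyring: /etc/apt/keyrings/<keyring-name>.gpg` and reference that file with `[signed-by=/etc/apt/keyrings/<keyring-name>.gpg]` in the `repo:` line, which scopes the trust to this one repository (the Grafana key in grafana.yml has the same shape). The repo line is plain `http://` (L2660); apt still verifies signatures, so integrity holds, but the package set and update timing are observable on the wire — use https if the mirror offers it. This third-party backport supplies the interpreter the whole Home Assistant install runs on, so the role README should record why it is trusted and what replaces it once Debian ships a native 3.12.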
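--- a/roles/homeassistant/tasks/systemd.yml
+++ b/roles/homeassistant/tasks/systemd.yml
@@ -0,0 +1,17 @@
+---
+
+- name: Install systemd unit file
+  ansible.builtin.template:
+    src: home-assistant.service.j2
+    dest: "/etc/systemd/system/home-assistant.service"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart homeassistant
+
+- name: Enable home assistant service
+  ansible.builtin.systemd:
+    name: home-assistant
+    daemon_reload: true
+    enabled: true
+  notify: Restart homeassistant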
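Review bot: The enable task (L2737-L2752) sets `enabled: true` but no `state`, so the service is only ever started through the `Restart homeassistant` handler, i.e. when the unit file or a pip task changed; on a host where nothing changed and the service is stopped, the play leaves it down. Add `state: started` to the `ansible.builtin.systemd:` block so a play run is a guarantee the service is up. Note that main.yml includes this file before installation.yml, so on a fresh host the start would run before `hass` exists; with `state: started` the include order should become installation.yml then systemd.yml.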
1082
roles/homeassistant/templates/grafana.ini.j2
Normal file
1082
roles/homeassistant/templates/grafana.ini.j2
Normal file
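--- a/roles/homeassistant/templates/home-assistant.service.j2
+++ b/roles/homeassistant/templates/home-assistant.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=Home Assistant
+After=network.target postgresql.service
+
+[Service]
+Type=simple
+User={{ ha_user }}
+Environment="PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:{{ ha_venv_dir }}/bin"
+ExecStart={{ ha_venv_dir }}/bin/hass --config {{ ha_conf_dir }}
+Restart=always
+RestartSec=3
+
+[Install]
+WantedBy=multi-user.target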
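Review bot: The unit runs hass as `{{ ha_user }}` (L2788) but applies no sandboxing; for a network-facing service `NoNewPrivileges=true` and `PrivateTmp=true` in `[Service]` are low-risk additions, and `ProtectSystem=full` can follow once it is confirmed that hass only writes under `{{ ha_conf_dir }}`. `After=network.target` (L2777) does not wait for addresses to be configured; `After=network-online.target` paired with `Wants=network-online.target` is the usual ordering for a service that binds and opens database connections at start.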
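--- a/roles/homeassistant/templates/vhost.j2
+++ b/roles/homeassistant/templates/vhost.j2
@@ -0,0 +1,41 @@
+{{ ansible_managed | comment }}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ ha_domains | join(' ') }};
+
+    proxy_buffering off;
+
+    location / {
+        proxy_pass http://127.0.0.1:8123;
+        proxy_set_header Host $host;
+        proxy_redirect http:// https://;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+
+    location /api/websocket {
+        proxy_pass http://127.0.0.1:8123;
+        proxy_set_header Host $host;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+
+    location /grafana {
+        client_max_body_size 1024M;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $http_host;
+        proxy_pass http://localhost:3000;
+    }
+
+    location = /pgadmin4 { rewrite ^ /pgadmin4/; }
+    location /pgadmin4 { try_files $uri @pgadmin4; }
+    location @pgadmin4 {
+        include uwsgi_params;
+        uwsgi_pass unix:/run/pgadmin4/pgadmin4.sock;
+    }
+}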
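Review bot: The vhost listens on plain HTTP only (`listen 80;` / `listen [::]:80;`, L2827-L2830) and meta/main.yml pulls nginx in with `nginx_ssl: false`, so Home Assistant logins and long-lived tokens, the Grafana session and the pgAdmin login all cross the network in cleartext unless a TLS terminator sits in front; `proxy_redirect http:// https://;` (L2852) suggests one does, in which case the terminator's `X-Forwarded-Proto` should be passed through and Home Assistant's `http:` configuration needs `use_x_forwarded_for: true` with the proxy address in `trusted_proxies`, otherwise HA refuses the forwarded requests. `location /api/websocket` (L2872-L2890) duplicates what `location /` already does with its Upgrade headers and can be dropped. The `/grafana` block (L2895-L2910) lacks the `Upgrade`/`Connection` headers that Grafana Live needs, and `client_max_body_size 1024M;` is far beyond what a dashboard UI uploads — set the size actually needed. Because the whole vhost answers for `server_name {{ ha_domains }}`, pgAdmin (L2915-L2930) is reachable from everywhere the HA UI is; confirm that exposure is intended.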
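--- a/roles/homeassistant/vars/main.yml
+++ b/roles/homeassistant/vars/main.yml
@@ -0,0 +1,6 @@
+---
+
+python312_dependencies:
+  - python3.12
+  - python3.12-venv
+  - python3.12-dev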
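Review bot: The package list pins `python3.12`, `python3.12-venv` and `python3.12-dev`, which Debian 12 (bookworm) does not ship in its own archive, so an `apt` task consuming this list will fail there unless a backports or third-party source is configured by tasks outside this chunk. A one-line comment naming where these packages are expected to come from, e.g. `# provided by <repository placeholder>, added in tasks/main.yml`, would document that dependency; otherwise consider the distro's `python3`/`python3-venv`/`python3-dev`.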
@ -1,10 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Restart kea-dhcp4-server
|
||||
service: name=kea-dhcp4-server state=restarted
|
||||
|
||||
- name: Restart kea-dhcp-ddns-server
|
||||
service: name=kea-dhcp-ddns-server state=restarted
|
||||
|
||||
- name: Restart kea-ctrl-agent
|
||||
service: name=kea-ctrl-agent state=restarted
|
@ -1,38 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Install the kea dhcp server
|
||||
apt:
|
||||
name:
|
||||
- kea-ctrl-agent
|
||||
- kea-dhcp4-server
|
||||
- kea-dhcp-ddns-server
|
||||
|
||||
- name: Configure the kea dhcp4 server
|
||||
template:
|
||||
src: kea/kea-dhcp4.conf.j2
|
||||
dest: /etc/kea/kea-dhcp4.conf
|
||||
# validate: kea-dhcp4 -t %s
|
||||
notify: Restart kea-dhcp4-server
|
||||
|
||||
- name: Start the kea dhcp4 server
|
||||
service: name=kea-dhcp4-server state=started enabled=yes
|
||||
|
||||
- name: Configure the kea dhcp-ddns server
|
||||
template:
|
||||
src: kea/kea-dhcp-ddns.conf.j2
|
||||
dest: /etc/kea/kea-dhcp-ddns.conf
|
||||
# validate: kea-dhcp-ddns -t %s
|
||||
notify: Restart kea-dhcp-ddns-server
|
||||
|
||||
- name: Start the kea dhcp-ddns server
|
||||
service: name=kea-dhcp-ddns-server state=started enabled=yes
|
||||
|
||||
- name: Configure the kea control agent
|
||||
template:
|
||||
src: kea/kea-ctrl-agent.conf.j2
|
||||
dest: /etc/kea/kea-ctrl-agent.conf
|
||||
# validate: kea-ctrl-agent -t %s
|
||||
notify: Restart kea-ctrl-agent
|
||||
|
||||
- name: Start the kea control agent
|
||||
service: name=kea-ctrl-agent state=started enabled=yes
|
@ -1,37 +0,0 @@
|
||||
{
|
||||
"Control-agent":
|
||||
{
|
||||
"http-host": "0.0.0.0",
|
||||
"http-port": 8000,
|
||||
"control-sockets":
|
||||
{
|
||||
"dhcp4":
|
||||
{
|
||||
"comment": "socket to DHCP4 server",
|
||||
"socket-type": "unix",
|
||||
"socket-name": "/run/kea/kea4-ctrl-socket"
|
||||
},
|
||||
|
||||
"d2":
|
||||
{
|
||||
"socket-type": "unix",
|
||||
"socket-name": "/run/kea/kea-ddns-ctrl-socket",
|
||||
"user-context": { "in-use": false }
|
||||
}
|
||||
},
|
||||
|
||||
"loggers": [
|
||||
{
|
||||
"name": "kea-ctrl-agent",
|
||||
"output_options": [
|
||||
{
|
||||
"output": "stdout",
|
||||
"pattern": "%-5p %m\n"
|
||||
}
|
||||
],
|
||||
"severity": "INFO",
|
||||
"debuglevel": 0
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
@ -1,38 +0,0 @@
|
||||
{
|
||||
"DhcpDdns": {
|
||||
"ip-address": "127.0.0.1",
|
||||
"port": 53001,
|
||||
"control-socket": {
|
||||
"socket-type": "unix",
|
||||
"socket-name": "/run/kea/kea-ddns-ctrl-socket"
|
||||
},
|
||||
|
||||
"forward-ddns": {
|
||||
"ddns-domains": [
|
||||
{
|
||||
"name": "users.binary.kitchen.",
|
||||
"dns-servers": [
|
||||
{ "ip-address": "{{ dns_primary }}" }
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
|
||||
"reverse-ddns": {
|
||||
},
|
||||
|
||||
"loggers": [
|
||||
{
|
||||
"name": "kea-dhcp4",
|
||||
"output_options": [
|
||||
{
|
||||
"output": "stdout",
|
||||
"pattern": "%-5p %m\n"
|
||||
}
|
||||
],
|
||||
"severity": "INFO",
|
||||
"debuglevel": 0
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
@ -1,470 +0,0 @@
|
||||
{
|
||||
|
||||
"Dhcp4": {
|
||||
"interfaces-config": {
|
||||
"interfaces": [ "{{ ansible_default_ipv4['interface'] }}" ]
|
||||
},
|
||||
|
||||
"control-socket": {
|
||||
"socket-type": "unix",
|
||||
"socket-name": "/run/kea/kea4-ctrl-socket"
|
||||
},
|
||||
|
||||
"dhcp-ddns": {
|
||||
"enable-updates": true,
|
||||
"server-ip": "127.0.0.1",
|
||||
"server-port": 53001,
|
||||
"sender-ip": "",
|
||||
"sender-port": 0,
|
||||
"max-queue-size": 1024,
|
||||
"ncr-protocol": "UDP",
|
||||
"ncr-format": "JSON"
|
||||
},
|
||||
|
||||
"hooks-libraries": [
|
||||
{
|
||||
"library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_lease_cmds.so"
|
||||
{% if dhcpd_failover %}
|
||||
},
|
||||
|
||||
{
|
||||
"library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_ha.so",
|
||||
"parameters": {
|
||||
"high-availability": [ {
|
||||
"this-server-name": "{{ inventory_hostname.split('.')[0] }}",
|
||||
"mode": "hot-standby",
|
||||
"heartbeat-delay": 10000,
|
||||
"max-response-delay": 60000,
|
||||
"max-ack-delay": 5000,
|
||||
"max-unacked-clients": 5,
|
||||
"sync-timeout": 60000,
|
||||
"peers": [
|
||||
{
|
||||
"name": "{{ lookup('dig', dhcpd_primary+'/PTR', '@'+dns_primary).split('.')[0] }}",
|
||||
"url": "http://{{ dhcpd_primary }}:8000/",
|
||||
"role": "primary"
|
||||
},
|
||||
{
|
||||
"name": "{{ lookup('dig', dhcpd_secondary+'/PTR', '@'+dns_primary).split('.')[0] }}",
|
||||
"url": "http://{{ dhcpd_secondary }}:8000/",
|
||||
"role": "standby"
|
||||
}
|
||||
]
|
||||
} ]
|
||||
}
|
||||
{% endif %}
|
||||
}
|
||||
],
|
||||
|
||||
"lease-database": {
|
||||
"type": "memfile",
|
||||
"lfc-interval": 3600
|
||||
},
|
||||
|
||||
"expired-leases-processing": {
|
||||
"reclaim-timer-wait-time": 10,
|
||||
"flush-reclaimed-timer-wait-time": 25,
|
||||
"hold-reclaimed-time": 3600,
|
||||
"max-reclaim-leases": 100,
|
||||
"max-reclaim-time": 250,
|
||||
"unwarned-reclaim-cycles": 5
|
||||
},
|
||||
|
||||
"renew-timer": 900,
|
||||
"rebind-timer": 1800,
|
||||
"valid-lifetime": 3600,
|
||||
|
||||
"option-def": [
|
||||
{
|
||||
"code": 43,
|
||||
"encapsulate": "sipdect",
|
||||
"name": "vendor-encapsulated-options",
|
||||
"space": "dhcp4",
|
||||
"type": "empty"
|
||||
},
|
||||
{
|
||||
"code": 10,
|
||||
"name": "ommip1",
|
||||
"space": "sipdect",
|
||||
"type": "ipv4-address"
|
||||
},
|
||||
{
|
||||
"code": 19,
|
||||
"name": "ommip2",
|
||||
"space": "sipdect",
|
||||
"type": "ipv4-address"
|
||||
},
|
||||
{
|
||||
"code": 14,
|
||||
"name": "syslogip",
|
||||
"space": "sipdect",
|
||||
"type": "ipv4-address"
|
||||
},
|
||||
{
|
||||
"code": 15,
|
||||
"name": "syslogport",
|
||||
"space": "sipdect",
|
||||
"type": "int16"
|
||||
},
|
||||
{
|
||||
"code": 224,
|
||||
"name": "magic_str",
|
||||
"space": "dhcp4",
|
||||
"type": "string"
|
||||
}
|
||||
],
|
||||
|
||||
"option-data": [
|
||||
{
|
||||
"name": "domain-name-servers",
|
||||
"data": "{{ name_servers | join(', ') }}"
|
||||
},
|
||||
|
||||
{
|
||||
"name": "domain-name",
|
||||
"data": "binary.kitchen"
|
||||
},
|
||||
|
||||
{
|
||||
"name": "domain-search",
|
||||
"data": "binary.kitchen"
|
||||
}
|
||||
],
|
||||
|
||||
"client-classes": [
|
||||
{
|
||||
"name": "voip-phone",
|
||||
"option-data": [
|
||||
{
|
||||
"name": "tftp-server-name",
|
||||
"data": "172.23.2.36"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
||||
{
|
||||
"name": "dect-rfp",
|
||||
"option-data": [
|
||||
{
|
||||
"name": "vendor-encapsulated-options"
|
||||
},
|
||||
{
|
||||
"data": "172.23.2.35",
|
||||
"name": "ommip1",
|
||||
"space": "sipdect"
|
||||
},
|
||||
{
|
||||
"data": "OpenMobilitySIP-DECT",
|
||||
"name": "magic_str"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
|
||||
"subnet4": [
|
||||
{
|
||||
"subnet": "172.23.1.0/24",
|
||||
|
||||
"option-data": [
|
||||
{
|
||||
"name": "routers",
|
||||
"data": "172.23.1.1"
|
||||
}
|
||||
],
|
||||
|
||||
"reservations": [
|
||||
{
|
||||
"hw-address": "44:48:c1:ce:a9:00",
|
||||
"ip-address": "172.23.1.41",
|
||||
"hostname": "ap01"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "74:9e:75:ce:93:54",
|
||||
"ip-address": "172.23.1.44",
|
||||
"hostname": "ap04"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "bc:9f:e4:c3:6f:aa",
|
||||
"ip-address": "172.23.1.45",
|
||||
"hostname": "ap05"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "94:b4:0f:c0:1d:a0",
|
||||
"ip-address": "172.23.1.46",
|
||||
"hostname": "ap06"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "00:30:42:1B:73:5A",
|
||||
"ip-address": "172.23.1.111",
|
||||
"client-classes": [ "dect-rfp" ],
|
||||
"hostname": "rfp01"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "00:30:42:21:D4:D5",
|
||||
"ip-address": "172.23.1.112",
|
||||
"client-classes": [ "dect-rfp" ],
|
||||
"hostname": "rfp02"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
||||
{
|
||||
"subnet": "172.23.2.0/24",
|
||||
|
||||
"option-data": [
|
||||
{
|
||||
"name": "routers",
|
||||
"data": "172.23.2.1"
|
||||
}
|
||||
],
|
||||
|
||||
"reservations": [
|
||||
{
|
||||
"hw-address": "b8:27:eb:d8:b9:ad",
|
||||
"ip-address": "172.23.2.12",
|
||||
"hostname": "lock"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "b8:27:eb:ed:22:58",
|
||||
"ip-address": "172.23.2.13",
|
||||
"hostname": "matrix"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "08:00:37:B8:55:44",
|
||||
"ip-address": "172.23.2.91",
|
||||
"hostname": "strammermax"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "ec:9a:74:35:35:cf",
|
||||
"ip-address": "172.23.2.92",
|
||||
"hostname": "obatzda"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
||||
{
|
||||
"subnet": "172.23.3.0/24",
|
||||
|
||||
"pools": [ { "pool": "172.23.3.10 - 172.23.3.230" } ],
|
||||
|
||||
"option-data": [
|
||||
{
|
||||
"name": "routers",
|
||||
"data": "172.23.3.1"
|
||||
},
|
||||
|
||||
{
|
||||
"name": "domain-search",
|
||||
"data": "binary.kitchen, users.binary.kitchen"
|
||||
}
|
||||
],
|
||||
|
||||
"ddns-send-updates": true,
|
||||
"ddns-override-client-update": true,
|
||||
"ddns-override-no-update": true,
|
||||
"ddns-qualifying-suffix": "users.binary.kitchen",
|
||||
"ddns-generated-prefix": "dhcp",
|
||||
"ddns-replace-client-name": "when-not-present",
|
||||
"ddns-update-on-renew": true,
|
||||
|
||||
"reservations": [
|
||||
{
|
||||
"hw-address": "b8:27:eb:18:5c:11",
|
||||
"ip-address": "172.23.3.250",
|
||||
"hostname": "cannelloni"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "b8:27:eb:1d:b9:bf",
|
||||
"ip-address": "172.23.3.240",
|
||||
"hostname": "fusilli"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "74:da:38:6e:e6:9d",
|
||||
"ip-address": "172.23.3.241",
|
||||
"hostname": "klopi"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "b8:27:eb:f5:9e:a1",
|
||||
"ip-address": "172.23.3.246",
|
||||
"hostname": "maccaroni"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "74:da:38:7d:ed:84",
|
||||
"ip-address": "172.23.3.244",
|
||||
"hostname": "mirror"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "b8:27:eb:0f:d3:8b",
|
||||
"ip-address": "172.23.3.242",
|
||||
"hostname": "mpcnc"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "b8:27:eb:56:2b:7c",
|
||||
"ip-address": "172.23.3.251",
|
||||
"hostname": "noodlehub"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "b8:27:eb:eb:e5:88",
|
||||
"ip-address": "172.23.3.245",
|
||||
"hostname": "spaghetti"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "00:1D:45:B6:99:2F",
|
||||
"hostname": "voip01",
|
||||
"client-classes": [ "voip-phone" ]
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "00:1D:A2:66:B8:3E",
|
||||
"hostname": "voip02",
|
||||
"client-classes": [ "voip-phone" ]
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "00:1E:BE:90:FB:DB",
|
||||
"hostname": "voip03",
|
||||
"client-classes": [ "voip-phone" ]
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "00:1E:BE:90:FF:06",
|
||||
"hostname": "voip04",
|
||||
"client-classes": [ "voip-phone" ]
|
||||
}
|
||||
]
|
||||
},
|
||||
|
||||
{
|
||||
"subnet": "172.23.4.0/24",
|
||||
|
||||
"pools": [ { "pool": "172.23.4.10 - 172.23.4.240" } ],
|
||||
|
||||
"option-data": [
|
||||
{
|
||||
"name": "routers",
|
||||
"data": "172.23.4.1"
|
||||
}
|
||||
],
|
||||
|
||||
"reservations": [
|
||||
{
|
||||
"hw-address": "b8:27:eb:b6:62:be",
|
||||
"ip-address": "172.23.4.241",
|
||||
"hostname": "habdisplay1"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "b8:27:eb:df:0b:7b",
|
||||
"ip-address": "172.23.4.242",
|
||||
"hostname": "habdisplay2"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "dc:a6:32:bf:e2:3e",
|
||||
"ip-address": "172.23.4.251",
|
||||
"hostname": "openhabgw1"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
||||
{
|
||||
"subnet": "172.23.12.0/24",
|
||||
|
||||
"option-data": [
|
||||
{
|
||||
"name": "routers",
|
||||
"data": "172.23.12.1"
|
||||
}
|
||||
],
|
||||
|
||||
"reservations": [
|
||||
{
|
||||
"hw-address": "18:64:72:c6:c2:0c",
|
||||
"ip-address": "172.23.12.41",
|
||||
"hostname": "ap11"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "18:64:72:c6:c4:98",
|
||||
"ip-address": "172.23.12.42",
|
||||
"hostname": "ap12"
|
||||
},
|
||||
|
||||
{
|
||||
"hw-address": "00:30:42:1B:8B:9B",
|
||||
"ip-address": "172.23.12.111",
|
||||
"client-classes": [ "dect-rfp" ],
|
||||
"hostname": "rfp11"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
||||
{
|
||||
"subnet": "172.23.13.0/24",
|
||||
|
||||
"option-data": [
|
||||
{
|
||||
"name": "routers",
|
||||
"data": "172.23.13.1"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
||||
{
|
||||
"subnet": "172.23.14.0/24",
|
||||
|
||||
"pools": [ { "pool": "172.23.14.10 - 172.23.14.240" } ],
|
||||
|
||||
"option-data": [
|
||||
{
|
||||
"name": "routers",
|
||||
"data": "172.23.14.1"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
||||
{
|
||||
"subnet": "172.23.15.0/24",
|
||||
|
||||
"pools": [ { "pool": "172.23.15.10 - 172.23.15.240" } ],
|
||||
|
||||
"option-data": [
|
||||
{
|
||||
"name": "routers",
|
||||
"data": "172.23.15.1"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
|
||||
"loggers": [
|
||||
{
|
||||
"name": "kea-dhcp4",
|
||||
"output_options": [
|
||||
{
|
||||
"output": "stdout",
|
||||
"pattern": "%-5p %m\n"
|
||||
}
|
||||
],
|
||||
"severity": "INFO",
|
||||
"debuglevel": 0
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
@ -2793,7 +2793,7 @@ background_updates:
|
||||
# marked as protected from quarantine will not be deleted.
|
||||
#
|
||||
media_retention:
|
||||
local_media_lifetime: 180d
|
||||
local_media_lifetime: 90d
|
||||
remote_media_lifetime: 14d
|
||||
|
||||
|
||||
|
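--- a/roles/mosquitto/README.md
+++ b/roles/mosquitto/README.md
@@ -0,0 +1,4 @@
+Ansible Role: Mosquitto
+=========
+
+Install and configure [Mosquitto](https://mosquitto.org/) MQTT message broker.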
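--- a/roles/mosquitto/defaults/main.yml
+++ b/roles/mosquitto/defaults/main.yml
@@ -0,0 +1,46 @@
+---
+
+mosquitto_packages:
+  - mosquitto
+  - mosquitto-clients
+
+mosquitto_listeners:
+  # Listeners for Mosquitto MQTT Broker
+  - name: "default"
+    listener: "1883 localhost"
+    protocol: "mqtt"
+    use_username_as_clientid: "true"
+    allow_zero_length_clientid: "true"
+    allow_anonymous: "false"
+    users: []
+    # Users for Mosquitto MQTT Broker
+    # Type: Arrays of Objects with following parameters defined:
+    # - username: <string>
+    #   password: <string>
+    #   acl: <Array> of Objects as follows:
+    #     - permissions: <string> Acceptable Value: either `read`, `readwrite`, `write`, `deny`
+    #     - topic: <string> Acceptable Value: your/mqtt/topic (wildcards `+`, and `*` allowed)
+    auth_anonymous: []
+    # Topics which are accessable with anonymous access
+    # Example
+    # - "topic read topic_name"
+    auth_patterns: []
+    # %c to match the client id of the client
+    # %u to match the username of the client
+    # Example
+    # - "pattern write $SYS/broker/connection/%c/state"
+
+mosquitto_bridges: []
+  # Bridges for Mosquitto MQTT Broker
+  # Type: Arrays of Objects with following parameters defined:
+  # - connection: <string>
+  #   address: <string>
+  #   bridge_insecure: <boolean>
+  #   bridge_capath: <string>
+  #   remote_password: <string>
+  #   remote_username: <string>
+  #   remote_clientid: <string>
+  #   try_private: <boolean>
+  #   topics:
+  #     - topic: # in 0 down/ to-level/02/line/
+  #     - topic: # out 0 up/ from-level/02/line/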
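Review bot: The comment under `users` says topic wildcards `+` and `*` are allowed, but Mosquitto's multi-level wildcard is `#`, so a reader copying `*` gets a literal topic that matches nothing; the comment should read `(wildcards `+` and `#` allowed)`. The quoted `"true"`/`"false"` values are presumably deliberate, because the template writes them verbatim into mosquitto.conf where a real YAML boolean would render as `True`; that is worth a one-line comment such as `# keep these as strings: they are copied verbatim into mosquitto.conf`, and the same note would explain why `listener` is a string. Minor: "accessable" should be "accessible".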
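--- a/roles/mosquitto/filter_plugins/mosquitto_passwd.py
+++ b/roles/mosquitto/filter_plugins/mosquitto_passwd.py
@@ -0,0 +1,34 @@
+# mosquitto_passwd.py: Custom Jinja2 filter plugin to generate valid PBKDF2_SHA512
+#                      hash digests for plain-text passwords in `users` file for
+#                      Eclipse Mosquitto Broker
+
+
+from ansible.errors import AnsibleError
+
+
+def mosquitto_passwd(passwd):
+    try:
+        import passlib.hash
+    except Exception as e:
+        raise AnsibleError(
+            'mosquitto_passlib custom filter requires the passlib pip package installed')
+
+    SALT_SIZE = 12
+    ITERATIONS = 101
+    salt = passwd[:SALT_SIZE]
+    salt = bytes(salt, 'utf-8')
+    salt += b"0" * (SALT_SIZE - len(salt))
+
+    digest = passlib.hash.pbkdf2_sha512.using(salt_size=SALT_SIZE, rounds=ITERATIONS, salt=salt) \
+        .hash(passwd) \
+        .replace("pbkdf2-sha512", "7") \
+        .replace(".", "+")
+
+    return digest + "=="
+
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            'mosquitto_passwd': mosquitto_passwd,
+        }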
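Review bot: The salt is the first 12 bytes of the password itself (`salt = passwd[:SALT_SIZE]`, zero-padded), and PBKDF2 stores the salt base64-encoded in the `$7$101$<salt>$<hash>` line, so anyone who can read the generated users file recovers up to the first 12 characters of every password by decoding the salt field — the hashing is defeated for short passwords. The deterministic salt is presumably there so repeated runs stay idempotent; that can be kept without leaking password material by deriving the salt with a keyed hash over the password (key from a vault-stored variable passed as an optional second filter argument), falling back to `os.urandom` when no key is given, as sketched below (needs `import hashlib, hmac, os` at the top). Two smaller points: `except Exception as e` never uses `e`, and the error text names `mosquitto_passlib` while the filter is registered as `mosquitto_passwd`. Note also that `passwd[:SALT_SIZE]` is sliced in characters but padded in bytes, so a non-ASCII prefix can exceed 12 bytes and `b"0" * (negative)` silently pads nothing.
```python
def mosquitto_passwd(passwd, salt_secret=None):
    # … unchanged: passlib import guard …
    SALT_SIZE = 12
    ITERATIONS = 101
    # Keyed derivation keeps runs idempotent without writing password
    # material into the (public) salt field of the digest.
    if salt_secret is None:
        salt = os.urandom(SALT_SIZE)
    else:
        salt = hmac.new(bytes(salt_secret, 'utf-8'), bytes(passwd, 'utf-8'),
                        hashlib.sha256).digest()[:SALT_SIZE]
    # … unchanged: digest construction and return …
```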
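--- a/roles/mosquitto/handlers/main.yml
+++ b/roles/mosquitto/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Restart Mosquitto
+  ansible.builtin.service:
+    name: mosquitto
+    state: restarted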
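--- a/roles/mosquitto/meta/main.yml
+++ b/roles/mosquitto/meta/main.yml
@@ -0,0 +1,11 @@
+---
+
+galaxy_info:
+  author: Thomas Basler
+  description: Install Mosquitto
+  license: None
+  platforms:
+    - name: Debian
+  min_ansible_version: "2.4"
+
+dependencies: []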
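Review bot: `min_ansible_version: "2.4"` understates what the role needs: its tasks use fully-qualified module names (`ansible.builtin.apt`, `ansible.builtin.template`), which I believe only resolve on ansible-base/ansible-core 2.10 and later, so `"2.10"` is the honest minimum. The same applies to roles/pgadmin4/meta/main.yml, whose tasks additionally pull in the `community.general` and `community.postgresql` collections. `license: None` is also just the string "None"; if the repository has a licence, name it here, otherwise an explicit comment saying it is unlicensed would be clearer.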
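--- a/roles/mosquitto/tasks/main.yml
+++ b/roles/mosquitto/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+
+- name: Mosquitto | Install Mosquitto packages
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ mosquitto_packages }}"
+  notify: Restart Mosquitto
+
+- name: Mosquitto | Generating Configuration File
+  ansible.builtin.template:
+    src: mosquitto.conf.j2
+    dest: /etc/mosquitto/conf.d/mosquitto.conf
+    mode: "0755"
+  notify: Restart Mosquitto
+
+- name: Mosquitto | Generating Authentication Users File
+  ansible.builtin.template:
+    src: users.j2
+    dest: "/etc/mosquitto/users_{{ item.name }}"
+    mode: "0755"
+  vars:
+    mosquitto_users: "{{ item.users }}"
+  with_items: "{{ mosquitto_listeners }}"
+  notify: Restart Mosquitto
+
+- name: Mosquitto | Generating Access Control List File
+  ansible.builtin.template:
+    src: acl.j2
+    dest: "{{ '/etc/mosquitto/acl_' }}{{ item.name }}"
+    mode: "0755"
+  vars:
+    listener: "{{ item }}"
+  with_items: "{{ mosquitto_listeners }}"
+  notify: Restart Mosquitto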
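Review bot: The users file (password hashes) and mosquitto.conf (which can carry bridge `remote_password` values) are installed with `mode: "0755"`, i.e. world-readable and marked executable, so every local account can read the credential material; for all three template tasks use `owner: root`, `group: mosquitto`, `mode: "0640"` (the Debian package runs the broker as the `mosquitto` user, which reads the files via the group). The two `with_items: "{{ mosquitto_listeners }}"` loops also print each `item` — including every user's plaintext `password` — in the play output and log unless the task sets `no_log: true` or at least `loop_control: label: "{{ item.name }}"`. Stylistically, `loop:` is the current spelling of `with_items:`, and the `notify: Restart Mosquitto` on the package-install task restarts the broker on first install only, which is harmless but worth a comment.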
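--- a/roles/mosquitto/templates/acl.j2
+++ b/roles/mosquitto/templates/acl.j2
@@ -0,0 +1,28 @@
+{{ ansible_managed | comment }}
+
+{% for entry in listener.auth_anonymous | default([]) %}
+{% if loop.first %}
+# Anonymous access
+{% endif %}
+{{ entry }}
+{% endfor %}
+
+{% for user in listener.users %}
+{% if loop.first %}
+# User access
+{% endif %}
+user {{ user.username }}
+{% for access_list in user.acl | default([]) %}
+topic {{ access_list.permissions }} {{ access_list.topic }}
+{% if loop.last %}
+
+{% endif %}
+{% endfor %}
+{% endfor %}
+
+{% for entry in listener.auth_patterns | default([]) %}
+{% if loop.first %}
+# Global patterns
+{% endif %}
+{{ entry }}
+{% endfor %}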
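Review bot: `listener.users` is iterated without the `| default([])` that `auth_anonymous` and `auth_patterns` get, so a listener entry that omits `users` fails the template (and the `item.users` lookup in tasks/main.yml) instead of producing an empty "User access" block; `{% for user in listener.users | default([]) %}` makes the three loops consistent. A header comment stating that a `user` line with no following `topic` lines grants that user no access at all would help readers, since that is what Mosquitto does with an empty per-user ACL.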
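--- a/roles/mosquitto/templates/mosquitto.conf.j2
+++ b/roles/mosquitto/templates/mosquitto.conf.j2
@@ -0,0 +1,36 @@
+{{ ansible_managed | comment }}
+
+# Logging Configuration
+log_timestamp true
+log_type all
+
+# Listener
+per_listener_settings true
+
+{% for elem in mosquitto_listeners %}
+### Listener '{{ elem.name }}'
+listener {{ elem.listener }}
+{% for key, value in elem | dictsort %}
+{% if key not in ["listener", "name", "users", "auth_anonymous", "auth_patterns"] %}
+{{ key }} {{ value }}
+{% endif %}
+{% endfor %}
+password_file /etc/mosquitto/users_{{ elem.name }}
+acl_file /etc/mosquitto/acl_{{ elem.name }}
+
+{% endfor %}
+
+{% for elem in mosquitto_bridges %}
+{% if loop.first %}
+# Bridges
+{% endif %}
+connection {{ elem.connection }}
+{% for key, value in elem | dictsort %}
+{% if key not in ["connection", "topics"] %}
+{{ key }} {{ value }}
+{% endif %}
+{% endfor %}
+{% for topic in elem.topics %}
+topic {{ topic.topic }}
+{% endfor %}
+{% endfor %}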
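Review bot: `log_type all` turns on Mosquitto's debug and subscribe logging, which records every client id, username and topic subscription to the journal on a broker that is also configured with password authentication; `log_type error`, `log_type warning` and `log_type notice` are the usual production set, with `all` left for troubleshooting. The `dictsort` pass-through of every remaining key means a misspelled key in `mosquitto_listeners` becomes an unknown directive and the broker refuses to start at the handler's restart; a comment such as `{# every other key/value is emitted verbatim as a mosquitto.conf directive #}` above the inner loop would make that contract explicit.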
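--- a/roles/mosquitto/templates/users.j2
+++ b/roles/mosquitto/templates/users.j2
@@ -0,0 +1,5 @@
+{{ ansible_managed | comment }}
+
+{% for user in mosquitto_users %}
+{{ user.username }}:{{ user.password | mosquitto_passwd }}
+{% endfor %}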
@ -2,4 +2,4 @@
|
||||
|
||||
netbox_group: netbox
|
||||
netbox_user: netbox
|
||||
netbox_version: 4.1.4
|
||||
netbox_version: 4.1.3
|
||||
|
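--- a/roles/pgadmin4/defaults/main.yml
+++ b/roles/pgadmin4/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+
+pgadmin4_user: pgadmin4
+pgadmin4_db_database: pgadmin4
+pgadmin4_db_user: pgadmin4
+pgadmin4_db_password: xxxxx
+pgadmin4_conf_dir: /etc/pgadmin
+
+pgadmin4_initial_user_email: admin@admin.com
+pgadmin4_initial_user_password: admin42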
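Review bot: `pgadmin4_initial_user_password: admin42` and `pgadmin4_db_password: xxxxx` are working defaults, so a host that forgets to override them ends up with a pgAdmin login of admin@admin.com / admin42 reachable through the `/pgadmin4` location of the Home Assistant vhost. Role defaults should not contain usable secrets: drop the two password keys (an undefined variable then fails the play early), or guard them with an `ansible.builtin.assert` in tasks/main.yml, and note in a comment that they are expected to come from vault, e.g. `# pgadmin4_db_password and pgadmin4_initial_user_password: set per host from vault, no default`.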
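--- a/roles/pgadmin4/handlers/main.yml
+++ b/roles/pgadmin4/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Restart pgadmin4
+  ansible.builtin.service:
+    name: pgadmin4
+    state: restarted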
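--- a/roles/pgadmin4/meta/main.yml
+++ b/roles/pgadmin4/meta/main.yml
@@ -0,0 +1,11 @@
+---
+
+galaxy_info:
+  author: Thomas Basler
+  description: Install PgAdmin4
+  license: None
+  platforms:
+    - name: Debian
+  min_ansible_version: "2.4"
+
+dependencies: []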
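--- a/roles/pgadmin4/tasks/main.yml
+++ b/roles/pgadmin4/tasks/main.yml
@@ -0,0 +1,119 @@
+---
+
+- name: PgAdmin 4 | add GPG signing key
+  become: true
+  ansible.builtin.apt_key:
+    url: "https://www.pgadmin.org/static/packages_pgadmin_org.pub"
+    state: present
+    validate_certs: true
+  tags: install
+
+- name: PgAdmin 4 | add official repository
+  become: true
+  ansible.builtin.apt_repository:
+    repo: "deb https://ftp.postgresql.org/pub/pgadmin/pgadmin4/apt/bookworm pgadmin4 main"
+    state: present
+    filename: pgadmin4
+    update_cache: true
+  tags: install
+
+- name: PgAdmin 4 | establish dependencies
+  become: true
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+  tags: install
+  loop: ["pgadmin4-server", "uwsgi-core", "uwsgi-plugin-python3", "python3-pexpect"]
+
+- name: PgAdmin 4 | Configure PostgreSQL database
+  community.general.postgresql_db:
+    name: "{{ pgadmin4_db_database }}"
+    template: template0
+    encoding: utf8
+  become: true
+  become_user: postgres
+  register: pgadmin4_db
+
+- name: PgAdmin 4 | Configure PostgreSQL user
+  community.general.postgresql_user:
+    db: "{{ pgadmin4_db_database }}"
+    name: "{{ pgadmin4_db_user }}"
+    password: "{{ pgadmin4_db_password }}"
+  become: true
+  become_user: postgres
+
+- name: PgAdmin 4 | Configure PostgreSQL user privileges
+  community.postgresql.postgresql_privs:
+    database: "{{ pgadmin4_db_database }}"
+    state: present
+    privs: ALL
+    type: database
+    role: "{{ pgadmin4_db_user }}"
+  become: true
+  become_user: postgres
+
+- name: PgAdmin 4 | GRANT ALL PRIVILEGES ON SCHEMA public TO {{ pgadmin4_db_user }}
+  community.postgresql.postgresql_privs:
+    db: "{{ pgadmin4_db_database }}"
+    privs: ALL
+    type: schema
+    objs: public
+    role: "{{ pgadmin4_db_user }}"
+  become: true
+  become_user: postgres
+
+- name: Create user
+  ansible.builtin.user:
+    name: "{{ pgadmin4_user }}"
+    comment: "pgAdmin 4"
+    createhome: false
+    system: true
+    shell: "/sbin/nologin"
+
+- name: PgAdmin 4 | create config directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "02775"
+    owner: "root"
+    group: "root"
+  with_items:
+    - "{{ pgadmin4_conf_dir }}"
+
+- name: PgAdmin 4 | install config file
+  ansible.builtin.template:
+    src: config_system.py.j2
+    dest: "{{ pgadmin4_conf_dir }}/config_system.py"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart pgadmin4
+
+- name: PgAdmin 4 | install systemd unit file
+  ansible.builtin.template:
+    src: pgadmin4.service.j2
+    dest: "/etc/systemd/system/pgadmin4.service"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart pgadmin4
+
+- name: PgAdmin 4 | enable service
+  ansible.builtin.service:
+    name: pgadmin4
+    enabled: true
+
+- name: PgAdmin 4 | setup pgadmin # noqa: no-handler
+  ansible.builtin.expect:
+    command: /bin/bash -c "/usr/pgadmin4/venv/bin/python3 /usr/pgadmin4/web/setup.py setup-db"
+    chdir: /usr/pgadmin4/web/
+    echo: true
+    timeout: 300
+    responses:
+      'Email\ address:': "{{ pgadmin4_initial_user_email | trim }}"
+      'Password:': "{{ pgadmin4_initial_user_password | trim }}"
+      'Retype\ password:': "{{ pgadmin4_initial_user_password | trim }}"
+      'Do\ you\ wish\ to\ continue\ \(y/n\)\?': "y"
+      'Would\ you\ like\ to\ continue\ \(y/n\)\?': "y"
+  when: pgadmin4_db.changed
+  notify: Restart pgadmin4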
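Review bot: "install config file" writes config_system.py — which carries `pgadmin4_db_password` in CONFIG_DATABASE_URI — as root:root `mode: "0644"`, so any local account can read the database password; the service only needs it readable by `{{ pgadmin4_user }}`, so use `group: "{{ pgadmin4_user }}"` and `mode: "0640"` (the `02775` setgid directory above it is also wider than needed for a single config file). The `setup pgadmin` expect task runs with `echo: true` and sends `pgadmin4_initial_user_password` as a response, so the initial admin password ends up in the captured stdout, the play output and any `ansible.log`; add `no_log: true` to that task (and to "Configure PostgreSQL user", whose `password:` argument the module already masks but whose changed-state diff does not). Separately, the pgAdmin apt source is hard-wired to `bookworm` while the key is added with the deprecated `apt_key` module into the global trusted keyring; `{{ ansible_distribution_release }}` plus a `signed-by=` keyring path in the `repo:` line would keep the role portable and scope the key to that repository.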
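--- a/roles/pgadmin4/templates/config_system.py.j2
+++ b/roles/pgadmin4/templates/config_system.py.j2
@@ -0,0 +1,4 @@
+LOG_FILE = '/var/log/pgadmin/pgadmin4.log'
+CONFIG_DATABASE_URI = 'postgresql://{{ pgadmin4_db_user }}:{{ pgadmin4_db_password }}@localhost:5432/{{ pgadmin4_db_database }}'
+SESSION_DB_PATH = '/var/lib/pgadmin/sessions'
+STORAGE_DIR = '/var/lib/pgadmin/storage'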
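Review bot: `pgadmin4_db_password` is interpolated straight into a URI, so a password containing `@`, `:`, `/`, `?` or `%` (exactly the characters a generated secret is likely to have) breaks the parse of CONFIG_DATABASE_URI and the service fails to start, or worse, connects to the wrong host; use `{{ pgadmin4_db_password | urlencode }}` (and the same for the user and database names). A header comment such as `# Rendered by Ansible; the DB password is URL-encoded because it is embedded in a connection URI` would document why the filter is there.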
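--- a/roles/pgadmin4/templates/pgadmin4.service.j2
+++ b/roles/pgadmin4/templates/pgadmin4.service.j2
@@ -0,0 +1,29 @@
+[Unit]
+Description = PgAdmin4 uwsgi Service
+After = network.target network-online.target
+Wants = network-online.target
+
+[Service]
+User={{ pgadmin4_user }}
+StateDirectory=pgadmin
+RuntimeDirectory=pgadmin4
+LogsDirectory=pgadmin
+ExecStart=uwsgi \
+    --socket /run/pgadmin4/pgadmin4.sock --chmod-socket=666 \
+    --plugin python3 \
+    -H /usr/pgadmin4/venv \
+    --processes 1 \
+    --threads 25 \
+    --chdir /usr/pgadmin4/web/ \
+    --manage-script-name \
+    --mount /pgadmin4=pgAdmin4:app
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStop=/bin/kill -INT $MAINPID
+Restart=always
+Type=notify
+StandardError=syslog
+NotifyAccess=all
+KillSignal=SIGQUIT
+
+[Install]
+WantedBy = multi-user.target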
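Review bot: `--chmod-socket=666` makes the uwsgi socket writable by every local user, so anyone on the host can talk to pgAdmin directly, bypassing nginx; only the web server needs access, so `--chown-socket={{ pgadmin4_user }}:www-data --chmod-socket=660` is the least-privilege form. `ExecStart=uwsgi` is a bare command name; older systemd releases require an absolute path here (`/usr/bin/uwsgi`), and `StandardError=syslog` is deprecated in favour of `journal` — both are worth fixing while the unit is new. The mixed `Key = Value` / `Key=Value` spelling is valid but inconsistent within one file.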
@ -3,21 +3,28 @@
|
||||
- name: Request nsupdate key for certificate
|
||||
include_role: name=acme-dnskey-generate
|
||||
|
||||
- name: Enable sury php apt-key
|
||||
apt_key: url="https://packages.sury.org/php/apt.gpg"
|
||||
|
||||
- name: Enable sury php repository
|
||||
apt_repository: repo="deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
|
||||
|
||||
- name: Install packages
|
||||
apt:
|
||||
name:
|
||||
- php
|
||||
- php-common
|
||||
- php-curl
|
||||
- php-mysql
|
||||
- php-mbstring
|
||||
- php-cli
|
||||
- php-opcache
|
||||
- php-xml
|
||||
- php-fpm
|
||||
- php-readline
|
||||
- php8.1
|
||||
- php8.1-common
|
||||
- php8.1-curl
|
||||
- php8.1-mysql
|
||||
- php8.1-mbstring
|
||||
- php8.1-cli
|
||||
- php8.1-opcache
|
||||
- php8.1-xml
|
||||
- php8.1-fpm
|
||||
- php8.1-readline
|
||||
- mariadb-server
|
||||
- python3-mysqldb
|
||||
- python3-psycopg2
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ strichliste_domain }}.key -out /etc/nginx/ssl/{{ strichliste_domain }}.crt -days 730 -subj "/CN={{ strichliste_domain }}" creates=/etc/nginx/ssl/{{ strichliste_domain }}.crt
|
||||
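Review bot: The sury key is added with `apt_key: url="https://packages.sury.org/php/apt.gpg"` into the global trusted keyring, which lets that third-party key sign any repository on the host; fetching it into a dedicated keyring under /etc/apt/keyrings and referencing it with `signed-by=` in the `apt_repository` line scopes the trust to the sury source (the pgadmin4 role in this compare has the same pattern). From the 21→28 line counts these sury and `php8.1-*` lines appear to be the new side, but I cannot tell from the rendering which of the mariadb/psycopg lines is new, and the second hunk adds a separate "Install Mariadb" task carrying `mariadb-server` and `python3-mysqldb` again — one of the two package lists should own them. The task list continues outside this hunk.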
@ -30,6 +37,12 @@
|
||||
- name: Create vhost directory
|
||||
file: path=/var/www/strichliste state=directory owner=www-data group=www-data
|
||||
|
||||
- name: Install Mariadb
|
||||
apt:
|
||||
name:
|
||||
- mariadb-server
|
||||
- python3-mysqldb
|
||||
|
||||
- name: Configure Mariadb database
|
||||
community.mysql.mysql_db: name={{ strichliste_dbname }}
|
||||
become: true
|
||||
@ -64,5 +77,5 @@
|
||||
file: src=/etc/nginx/sites-available/strichliste dest=/etc/nginx/sites-enabled/strichliste state=link
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Start php8.2-fpm
|
||||
service: name=php8.2-fpm state=started enabled=yes
|
||||
- name: Start php8.1-fpm
|
||||
service: name=php8.1-fpm state=started enabled=yes
|
||||
|
@ -2,7 +2,7 @@
|
||||
// Unattended-Upgrade::Origins-Pattern controls which packages are
|
||||
// upgraded.
|
||||
//
|
||||
// Lines below have the format "keyword=value,...". A
|
||||
// Lines below have the format format is "keyword=value,...". A
|
||||
// package will be upgraded only if the values in its metadata match
|
||||
// all the supplied keywords in a line. (In other words, omitted
|
||||
// keywords are wild cards.) The keywords originate from the Release
|
||||
@ -31,7 +31,6 @@ Unattended-Upgrade::Origins-Pattern {
|
||||
// "origin=Debian,codename=${distro_codename}-proposed-updates";
|
||||
"origin=Debian,codename=${distro_codename},label=Debian";
|
||||
"origin=Debian,codename=${distro_codename},label=Debian-Security";
|
||||
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
|
||||
|
||||
// Archive or Suite based matching:
|
||||
// Note that this will silently match a different release after
|
||||
@ -66,7 +65,7 @@ Unattended-Upgrade::Package-Blacklist {
|
||||
};
|
||||
|
||||
// This option allows you to control if on a unclean dpkg exit
|
||||
// unattended-upgrades will automatically run
|
||||
// unattended-upgrades will automatically run
|
||||
// dpkg --force-confold --configure -a
|
||||
// The default is true, to ensure updates keep getting installed
|
||||
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
|
||||
@ -94,11 +93,9 @@ Unattended-Upgrade::Package-Blacklist {
|
||||
// 'mailx' must be installed. E.g. "user@example.com"
|
||||
Unattended-Upgrade::Mail "root";
|
||||
|
||||
// Set this value to one of:
|
||||
// "always", "only-on-error" or "on-change"
|
||||
// If this is not set, then any legacy MailOnlyOnError (boolean) value
|
||||
// is used to chose between "only-on-error" and "on-change"
|
||||
Unattended-Upgrade::MailReport "only-on-error";
|
||||
// Set this value to "true" to get emails only on errors. Default
|
||||
// is to always send a mail if Unattended-Upgrade::Mail is set
|
||||
Unattended-Upgrade::MailOnlyOnError "true";
|
||||
|
||||
// Remove unused automatically installed kernel-related packages
|
||||
// (kernel images, kernel headers and kernel version locked tools).
|
||||
@ -148,18 +145,3 @@ Unattended-Upgrade::Automatic-Reboot "{{ uau_reboot }}";
|
||||
// Print debugging information both in unattended-upgrades and
|
||||
// in unattended-upgrade-shutdown
|
||||
// Unattended-Upgrade::Debug "false";
|
||||
|
||||
// Allow package downgrade if Pin-Priority exceeds 1000
|
||||
// Unattended-Upgrade::Allow-downgrade "false";
|
||||
|
||||
// When APT fails to mark a package to be upgraded or installed try adjusting
|
||||
// candidates of related packages to help APT's resolver in finding a solution
|
||||
// where the package can be upgraded or installed.
|
||||
// This is a workaround until APT's resolver is fixed to always find a
|
||||
// solution if it exists. (See Debian bug #711128.)
|
||||
// The fallback is enabled by default, except on Debian's sid release because
|
||||
// uninstallable packages are frequent there.
|
||||
// Disabling the fallback speeds up unattended-upgrades when there are
|
||||
// uninstallable packages at the expense of rarely keeping back packages which
|
||||
// could be upgraded or installed.
|
||||
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
|
||||
|
7
site.yml
7
site.yml
@ -20,7 +20,7 @@
|
||||
hosts: [bacon.binary.kitchen, aveta.binary.kitchen, aeron.binary.kitchen]
|
||||
roles:
|
||||
- dns_intern
|
||||
- kea
|
||||
- dhcpd
|
||||
- slapd
|
||||
- radius
|
||||
|
||||
@ -172,3 +172,8 @@
|
||||
hosts: barium.binary-kitchen.net
|
||||
roles:
|
||||
- workadventure
|
||||
|
||||
- name: Setup HomeAssistant server
|
||||
hosts: lasagne.binary.kitchen
|
||||
roles:
|
||||
- homeassistant
|
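Review bot: The first hunk swaps `- kea` for `- dhcpd` in the DNS/DHCP play, and the same compare deletes the kea handlers, tasks and templates further up; if the homeassist branch simply predates the kea migration on master (the README, netbox version and php-fpm hunks point the same way), merging it as-is would revert that migration rather than add Home Assistant. Rebasing the branch onto master so this compare contains only the homeassistant, mosquitto and pgadmin4 additions would make the intent reviewable. The new "Setup HomeAssistant server" play itself looks consistent with the others in this file.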