infra/ansible
4
5
Fork 5
Code Issues 6 Pull Requests 1 Activity

Compare commits

base: infra:master
Branches Tags
infra:master
infra:pizza
noby:cc-dhcp-leases-keller
noby:homeassistant
noby:cc-dhcp-leases-workshop
noby:cc-dhcp-leases-wled
noby:cc-dhcp-leases-wohnzimmer-audio
noby:php-requirements
noby:cc-dhcp-leases
noby:upgrade_20241222
noby:doorbot
noby:freepbx
noby:upgrade_20240315
noby:upgrade_20230123
noby:upgrade_20220721
noby:xrdp
noby:workadventure
noby:master
noby:pizza
..
compare: noby:master
Branches Tags
noby:cc-dhcp-leases-keller
noby:homeassistant
noby:cc-dhcp-leases-workshop
noby:cc-dhcp-leases-wled
noby:cc-dhcp-leases-wohnzimmer-audio
noby:php-requirements
noby:cc-dhcp-leases
noby:upgrade_20241222
noby:doorbot
noby:freepbx
noby:upgrade_20240315
noby:upgrade_20230123
noby:upgrade_20220721
noby:xrdp
noby:workadventure
noby:master
noby:pizza
infra:master
infra:pizza

No commits in common. "master" and "master" have entirely different histories.
master ... master

267 changed files with 3646 additions and 9883 deletions
Show Stats Expand all files Collapse all files

67
README.md
View File

@ -1,68 +1,11 @@
# Binary Kitchen Ansible Playbooks
This repository contains the roles to setup most of the infrastructure related to the hackspace Binary Kitchen.
This repository contains the roles to setup most of the infrastructure related to the hackerspace Binary Kitchen.
## Usage
## Using
To apply the current set of roles to a single host you can type: `ansible-playbook site.yml -l $hostname`
TBA
It is recommenced to alway run in check mode (`--check`) first and use `--diff` to see what has been (or would be) changed
## Style / Contributing
## Current setup
Currently the following hosts are installed:
### Internal Servers
| Hostname | OS | Purpose |
| --------------------------- | --------- | ----------------------- |
| wurst.binary.kitchen | Proxmox 8 | VM Host |
| salat.binary.kitchen | Proxmox 8 | VM Host |
| weizen.binary.kitchen | Proxmox 8 | VM Host |
| bacon.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| aveta.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| aeron.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| sulis.binary.kitchen | Debian 12 | Shell |
| nabia.binary.kitchen | Debian 12 | Monitoring |
| epona.binary.kitchen | Debian 12 | NetBox |
| pizza.binary.kitchen | Debian 11 | OpenHAB * |
| pancake.binary.kitchen | Debian 12 | XRDP |
| knoedel.binary.kitchen | Debian 12 | SIP-DECT OMM |
| schweinshaxn.binary.kitchen | Debian 12 | FreePBX |
| bob.binary.kitchen | Debian 12 | Gitea Actions |
| lasagne.binary.kitchen | Debian 12 | Home Assistant * |
| tschunk.binary.kitchen | Debian 12 | Strichliste |
| bowle.binary.kitchen | Debian 12 | Files |
| lock-auweg.binary.kitchen | Debian 12 | Doorlock |
\*: The main application is not managed by ansible but manually installed
### External Servers
| Hostname | OS | Purpose |
| ----------------------------- | --------- | ----------------------- |
| helium.binary-kitchen.net | Debian 12 | LDAP Master |
| lithium.binary-kitchen.net | Debian 12 | Mail |
| beryllium.binary-kitchen.net | Debian 12 | Web * |
| boron.binary-kitchen.net | Debian 12 | Gitea |
| carbon.binary-kitchen.net | Debian 12 | Jabber |
| nitrogen.binary-kitchen.net | Debian 12 | NextCloud |
| oxygen.binary-kitchen.net | Debian 12 | Shell |
| fluorine.binary-kitchen.net | Debian 12 | Web (div. via Docker) |
| neon.binary-kitchen.net | Debian 12 | Auth. DNS |
| sodium.binary-kitchen.net | Debian 12 | Mattrix |
| magnesium.binary-kitchen.net | Debian 12 | TURN |
| aluminium.binary-kitchen.net | Debian 12 | Web (div. via Docker) |
| krypton.binary-kitchen.net | Debian 12 | PartDB * |
| yttrium.binary-kitchen.net | Debian 12 | Hintervvoidler * |
| zirconium.binary-kitchen.net | Debian 12 | Jitsi |
| molybdenum.binary-kitchen.net | Debian 12 | Telefonzelle * |
| technetium.binary-kitchen.net | Debian 12 | Event CTFd * |
| ruthenium.binary-kitchen.net | Debian 12 | Minecraft * |
| rhodium.binary-kitchen.net | Debian 12 | Event pretix |
| palladium.binary-kitchen.net | Debian 12 | Event pretalx |
| argentum.binary-kitchen.net | Debian 12 | Event Web * |
| cadmium.binary-kitchen.net | Debian 12 | Event NetBox * |
\*: The main application is not managed by ansible but manually installed
TBA/TBD

75
group_vars/all/vars.yml
View File

@ -5,14 +5,6 @@ acertmgr_mode: webdir
acme_dnskey_file: /etc/acertmgr/nsupdate.key
acme_dnskey_server: neon.binary-kitchen.net
authentik_domain: auth.binary-kitchen.de
authentik_dbname: authentik
authentik_dbuser: authentik
authentik_dbpass: "{{ vault_authentik_dbpass }}"
authentik_secret: "{{ vault_authentik_secret }}"
bk23b_domain: 23b.binary-kitchen.de
coturn_realm: turn.binary-kitchen.de
coturn_secret: "{{ vault_coturn_secret }}"
@ -22,12 +14,19 @@ dns_axfr_ips:
dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
drone_admin: moepman
drone_domain: drone.binary-kitchen.de
drone_dbname: drone
drone_dbuser: drone
drone_dbpass: "{{ vault_drone_dbpass }}"
drone_uipass: "{{ vault_drone_uipass }}"
drone_secret: "{{ vault_drone_secret }}"
drone_gitea_client: "{{ vault_drone_gitea_client }}"
drone_gitea_secret: "{{ vault_drone_gitea_secret }}"
dss_domain: dss.binary-kitchen.de
dss_secret: "{{ vault_dss_secret }}"
fpm_status_user: admin
fpm_status_pass: "{{ vault_fpm_status_pass }}"
gitea_domain: git.binary-kitchen.de
gitea_dbname: gogs
gitea_dbuser: gogs
@ -36,8 +35,8 @@ gitea_secret: "{{ vault_gitea_secret }}"
gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
hedgedoc_domain: pad.binary-kitchen.de
hedgedoc_dbname: hedgedoc
hedgedoc_dbuser: hedgedoc
hedgedoc_dbname: hackmd
hedgedoc_dbuser: hackmd
hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
@ -45,7 +44,6 @@ icinga_domain: icinga.binary.kitchen
icinga_dbname: icinga
icinga_dbuser: icinga
icinga_dbpass: "{{ vault_icinga_dbpass }}"
icinga_server: nabia.binary.kitchen
icingaweb_dbname: icingaweb
icingaweb_dbuser: icingaweb
icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
@ -68,27 +66,18 @@ mail_domain: binary-kitchen.de
mail_domains:
- ccc-r.de
- ccc-regensburg.de
- eh21.easterhegg.eu
- makerspace-regensburg.de
mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
mail_server: mail.binary-kitchen.de
mailman_domain: lists.binary-kitchen.de
mail_trusted:
- 213.166.246.0/28
- 213.166.246.37/32
- 213.166.246.45/32
- 213.166.246.46/32
- 213.166.246.47/32
- 213.166.246.250/32
- 2a02:958:0:f6::/124
- 2a02:958:0:f6::37/128
- 2a02:958:0:f6::45/128
- 2a02:958:0:f6::46/128
- 2a02:958:0:f6::47/128
mail_aliases:
- "auweg@binary-kitchen.de venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
- "bbb@binary-kitchen.de boehm.johannes@gmail.com"
- "dasfilament@binary-kitchen.de taxx@binary-kitchen.de"
- "epvpn@binary-kitchen.de noby@binary-kitchen.de"
- "google@binary-kitchen.de vorstand@binary-kitchen.de"
- "info@binary-kitchen.de vorstand@binary-kitchen.de"
@ -98,16 +87,12 @@ mail_aliases:
- "openhab@binary-kitchen.de noby@binary-kitchen.de"
- "orga@ccc-r.de orga@ccc-regensburg.de"
- "orga@ccc-regensburg.de anti@binary-kitchen.de"
- "paypal@binary-kitchen.de ralf@binary-kitchen.de"
- "paypal@binary-kitchen.de timo.schindler@binary-kitchen.de"
- "post@makerspace-regensburg.de vorstand@binary-kitchen.de"
- "pretalx@binary-kitchen.de moepman@binary-kitchen.de"
- "pretix@binary-kitchen.de moepman@binary-kitchen.de"
- "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de"
- "seife@binary-kitchen.de anke@binary-kitchen.de"
- "siebdruck@binary-kitchen.de anke@binary-kitchen.de"
- "therapy-jetzt@binary-kitchen.de darthrain@binary-kitchen.de"
- "toepferwerkstatt@binary-kitchen.de anke@binary-kitchen.de,meet_judith@binary-kitchen.de"
- "vorstand@binary-kitchen.de anke@binary-kitchen.de,christoph@schindlbeck.eu,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
- "vorstand@binary-kitchen.de anti@binary-kitchen.de,avarrish@binary-kitchen.de,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
- "voucher1@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher2@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher3@binary-kitchen.de exxess@binary-kitchen.de"
@ -120,12 +105,7 @@ mail_aliases:
- "voucher10@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher11@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher12@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher13@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher14@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher15@binary-kitchen.de exxess@binary-kitchen.de"
- "workshops@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
- "tickets@eh21.easterhegg.eu orga@eh21.easterhegg.eu"
- "hackzuck@eh21.easterhegg.eu kekskruemml@binary-kitchen.de"
matrix_domain: matrix.binary-kitchen.de
matrix_dbname: matrix
@ -145,14 +125,15 @@ nextcloud_dbname: owncloud
nextcloud_dbuser: owncloud
nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
omm_domain: omm.binary.kitchen
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
pretix_domain: pretix.events.binary-kitchen.de
pretix_domainx: tickets.eh21.easterhegg.eu
pretix_domain: pretix.rc3.binary-kitchen.de
pretix_dbname: pretix
pretix_dbuser: pretix
pretix_dbpass: "{{ vault_pretix_dbpass }}"
pretix_mail: pretix@binary-kitchen.de
pretix_mail: rc3@binary-kitchen.de
prometheus_pve_user: prometheus@pve
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
@ -174,20 +155,4 @@ slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
slapd_root_pass: "{{ vault_slapd_root_pass }}"
slapd_san: ldap.binary.kitchen
sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
sssd_base_user: ou=people,dc=binary-kitchen,dc=de
strichliste_domain: tschunk.binary.kitchen
strichliste_dbname: strichliste
strichliste_dbuser: strichliste
strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
therapy_domain: therapy.jetzt
therapy_secret: "{{ vault_therapy_secret }}"
vaultwarden_domain: vault.binary-kitchen.de
vaultwarden_dbname: vaultwarden
vaultwarden_dbuser: vaultwarden
vaultwarden_dbpass: "{{ vault_vaultwarden_dbpass }}"
vaultwarden_token: "{{ vault_vaultwarden_token }}"
vaultwarden_yubico_secret: "{{ vault_vaultwarden_yubico_secret }}"
workadventure_domain: wa.binary-kitchen.de

177
group_vars/all/vault.yml
View File

@ -1,109 +1,70 @@
$ANSIBLE_VAULT;1.1;AES256
38306162656631353365313637393663316134623036643364383033613731356230663464376264
3335653933643733613462636638396664363762636561300a376538626636303765613633646633
63333534656163663834303039646639646530333532313732643261356262323764616463393832
3137306637306565610a653637626438353766323031336665326231626538323637313763373934
30303332656263623938666235643866343363363139653861343533313431396235333539333432
65613236386434333635636431356236643335316362636530303834353235646337643639333538
31643330393433323739343762323937643064313661643265376330633264316137373363303935
66346134643432666463383333653735626437666137386135353532393638363834346164643335
38393232623130346363636335313866623239373366613864356561636661343537383364373164
66643232393262393536623130653332323663363263323036663662316163326466306334363363
66306365366566326239346537656562363762373165613063376139383363313038373235303062
65326531653635333034653439613563313539633834393562343164613661386532306665663433
32663432656664333063376263346439316265646435623533623337333162656138636139303931
31333561623838393239313761383665663733366461623830343165336538393362353132306335
37396565616435343732626331373735313165333061346435646664376339636438373764643731
66356464316336383834646333656164363535373065643665393435393266363432346239663161
36393336346433326130303264626234613135626538313938663039386133336233373262363566
33386163393936663165643530663865663436663066333231316334306435623966666636633638
38616338316137393831303436653562386265373064373163306133346434616238393966623330
39396237326461643865336364343263343230626362646162623136353235366431626362313030
64633137306231346561353630636533353239373562396665376139303936323836633764616434
35376135656338616139376261366637343433333063343864343362613135343364623265313861
36303565333830323933333864613534626466373033666235626365346531323631386365323835
61613564386466333933613162326431613963333864393362376163313161643165356134343438
38396533363565343233643863343432313165386465303336626337333331646664626262643333
64343438653335663234653466663239616633653162383630666639613738323734646431623264
65343535336637323063366536663433366363626632383536653765373830666235326530636362
35303432333832353366363731643863366134626139623435613336626238303837316433623238
32313930396432333836346364346436613934316136646533633339323736366135316631363132
36623931313137333932313731343936313966653163666261623937363335613035333335356533
34633838333635323464633763383765653266663233643836383135336434376364396164333233
37616438643234336337313965663034646166373436373530386463663961313362326362353437
31313837643535313039653531323765366339373130636565333939643564643533343534376638
63616431643531663765366239326135343531333037366264353961346162633633353237613430
66666433356530633835666139653932383362376334383762373530666630393764643632363331
35316134623064626439633236343938346134383938333832336533373838633466613364653563
64626631303435653339356631323137336538633233393962306531626266353766386162363031
39363961623033323661643136326435643466303332646234396339653833653937666532336138
37646336383963616630333566633537303736656666663635316631383537303035323131393862
33343335386235333632656436356465646235313638313634353631393365366166383133636665
66363463363339646133353831666631366439646364393239346166343062663866373938396637
31386237393065306134653636313933653062353636323963323437663163346366363263313665
32306331623637396664636165663434653630636130306133343736313262303635353661373533
61313466376365303031376336316431636365633736616535623934653562336636363866356266
36336266663562623961396164316266373633383431613564646232643766663733353338623936
38663731363262646334653761666562646433353230613838353233373662313938303533303864
39316630636637343163643637356634383862363330353233653361646261623038303962613561
63373832366661373036383036623563366364636530613063366364323635323937376165376236
39663962643939386561623430623031366632646235366463656533643233613138363461656637
63323236356438303732653834626138623838323764633639373436666635363834303835366466
61306430303831303934316436373136353637373535373664666265313034646630666237636231
39376161653134356365363666633634313065323331633261623961633763313734313735633966
62643031376566343832343638613939333132353466613163386537386239363337323463396135
61393930633138333739626233663432643837643563656662646631306566663437346362613939
31363639323335623038356566323836653865653136383161666461656436313933333032336639
32333166663935656663643461303466343835303732616263626462316133306239383264353263
61313231386262376234316335383334336663326331643733643432366636326561353730623730
37313431623561353266303134313064376236626462316339656339353131363765303734356464
32336435363932353666336132363333303336323135363535666436646233366335376333383531
65363832333534623931326438616237356235626666333934373638373665613738636466383735
30333137303630366661343833663437343664303961313831336461393064643331386336663739
62623838633936323834653965326161343161356334333030616137343637353138353731363762
64623065636336643634333937323636356131373939623130306330313937656566363832663663
66313036393135306437353061303438303761303563633566656131653433663030396235323435
32346663316636373431663530393435313931663535396564363466353431343633613634383332
31326665303563316664356564356535646665653737613038636236323562616231613233633039
37643530653639313466313838343630656363653833613161656466376631653266613439626331
35363930626534346164353033323039636365363234303435636535623265393635313436666234
66623264306430306662303866303735316137383830646136666662346265613662333765656266
64613161316162616133316165623863353431376633366262386239346335306634346333316566
34396265376130306361343862383631653561616333643665353938666565306335653665373736
63626630383232363961393435646334396366663532303132666235646464393662376331333361
34663138336365633131633365336664393633376333316161336138393539333564396539343332
36626664616263353931616362633638323038356230613937386339653633626465326538383265
31646236323435323861666233656437343732343066306562363462363664386234333061396263
61316636323234633631306434363665393938323631363563346166333139633436623230353436
31303831636638666630376231303130343363393339666230363162383266616135336333386334
64313838356466306361383464623037663931353664323336666532316536316362663639353238
34616536613730343834633935646330306564643036306330626636653365653361396461316637
62636264343737333539646332316562316136343734393063313439663939663935313930333061
30343263626638353331336666373964343338343434633639326338633966396131623933346236
37373564623238363935313736313165303862356530613164653562653530316630306365646165
31326630303038396666343065356261616133373832383661393666383664323161633337376665
63393938373830343761326562303730303237393661383561386633383561386437373061396462
65376230643131353462613436316561646562356666376462386136336630636165333236636630
35653164333437383565396637343762646665333734303764623638323532363164653139333937
39313834303531636434366663386435396266663930623733366261656634666531626234386239
62613466313636326238303164666332633632333364636331396264396164646639653761373863
66653761393734643362306538356263353265616330393635343737363666623962346261366134
30393937376265626163376565343364323366383330613832366434313034316164636331653063
65356630663634616465363231666163376437353038303934356561666363333663333239313031
34356463613963633331646364336431333630633737623766623361336432646339373364303661
37656630376137613232306163656430323236306632353837363536376161656365366531313363
32623537303439343438656461363233353931356566323963363662303838666465363464353833
39386230653962373333643135353533323737343265343334316234613736616639613435616165
61373431353463643936613631393461393637356264366665383538653336353535613330376465
65616261666463623236313437656232306164643538653562376539613736303761636531613862
30323532343339343135356431303866333537346233336266363630346562646237646563313331
35393039383436633230653030623637663030393539363163393930616330373166313161346336
38373963393834396133363966636638336161666234346564623761303262366336363061343866
38356238323366613066323264366337393232343331636532666462613263626332376561616334
63373433663562353466353062643965623635643464393238363965636532643439383764626566
33646437333365653563393337343537316437323038313339316135303564376161323863303665
62373564343036333564646565393738306231646537393636356234613639663466636335393031
35623562343566386261376163303939653861623364373433383363316134303236663361613062
37346664386162333130323134616264373237393639376533383036323131633963363665633531
62663533383666613464386638383965346331643837356331326661303034376163373362386134
38353461343233626365
34303237313431646264363034353637613836633432633638333963363037663435626166663630
6338393164366434386334313664386166373031326538350a396639373163646666376462373662
36623863356436356635303263643239666162333863613831326630303363346137653234323838
3639623464303131350a653162336338626665393534623063623330323162373935353939303631
64333363373563343336643764306563376461393430643631366133353836646363363166653233
38323331386165366334656630626138383131323664333266353164323164373364303161653365
30333339646139626434636365653666636534346266636262613938656665343634363563663366
32306663653930613762663534613635616663613130613933626331663861643439323664353739
31316531653562646363376233636464396262313132343234303933343066373862633235383333
31313431336464663163343835646430323664373166363465343037333130343636646363393231
34613162386637306539663431636137353039383037333937613035393332353933333134346335
31616561636533383639366634316164343466613634643130353437393664336332316132363934
61333961613530333536613034386332646136313939356339633334353333326661393231343261
62653463316662376134663965383030636639356637393237653362616561616238653637623039
65653139373633323766356362613239316165393966623932346561363363393138653032366439
64303463306132363261333936653763353833386337303763316362666134306264306464306362
30343364393539636565633861386261373661623061333733353635336133373162636465376137
61316465306534623337383631663538336632383832343132333862316336323961623637383838
65363832646138376233653264373535633437376162326361313863333839343236343966393839
32323361666264373466396130666465303032393364633134343264643731323438646562333361
63376266616430643135326430366266633332633333646134313736316139386232333965346331
61663964653931333730643435303637666563316133373831336566303361383736666139626562
38623031303533396632613361323533313334333631316434646232383136393433323466383330
65666530616466623933393936613963663766653361643733326330643162346635613835633736
64393064326233313035316130353563623639303665623064303831376332353264633930363364
33623137353130353962323964396130646230393335386434346130663064613434643136656466
63623666376165653961666539383335356163316131353966613036643530663835313766366533
31656633633331636535316234653561326465623562393632623062383935336530383133626236
66323366306366623631373861346635303063376264613734643039363137613837333534616362
37633462373538313562666639613031343866383234633438373936623437333666343731633735
33386666313531613734643431333332346439386465303531306365386537613933623636643237
35653434303433633533356662623965383133383838613361303832326130343938393561393935
38313533643830633432303464306561643233303866316130616531623230393366323264626165
33653230366138376533376166393466656233353061343338393433386332333361353063323634
66366561646466616566336265363037616433616231353739613538633765343235323637303535
34373739306130313536633338353130656632666536356535636265333335303730333031323436
39633466353139663361646265656334633461346564616633643030383662353762643237333761
31326435313361366163353836633535303462623533373363376433613139373135393566333937
64313838373366383432376430643236633030623736643435363038616261333364366139666435
66623661643032633931623539383136373138636333323737323165333831333764363137393562
62663335353265353535643666356632663736343039333965653639653764646261323736313430
39656366356130326363363133383062333530316165643430383161306135346663623861313030
65346430353230363561633239623330623265666336616133326263323063333132323764343735
63346230373339343062393035356565376265643463326366326535313130663163366435323339
62363339313332663333653336633331343161363432393639316630633365643037653739613132
63316662336630626366363662333061353539333133653732646330643065333430316333316131
33363662653465306531666435363932663432373932353466383364383634643634313736303931
63353632353836663263616137353031643238663632363563656137313961656534663137613061
37636530306334613639326363383665373061383634326630653366386632636634653638653330
32366438623635363833343566353365373762646162393637326433656438663066663766333761
65363136666238623439663764363266363731613261326566653035303265623736353331376562
36646435353134613363316236383938613032626562646237366337376433326334386330646266
66333365323133616466646164353262653830313764376562636164326163623463373863373630
31623264373330386136396130626133323762363262336337396562613166646132386362383635
61333637373462316463303962396162383039373265303939306132323533393236343965613835
32646361383938383337653264323766363130613264613463386432306238316531653437323939
39353866313834393933623630303539633334663239343865313264616664656464646631623934
33623230643633353361343965396236393939343765653161643530626133663236383135343934
37353231626339323866613237663463656239326335643035313730363133616538613866386162
65623335393462633130353965343533616261636261656162626639323231623934663765386166
37353665643363386662646538306530326161653461393236616531343935393639386432633437
63643561646337616138633063646261323937333262333535626235373561336339346661353365
30396365376566616538353866383266666436636131656535363062633237313266366639373536
64316435316234313365306332383637636263376563393464303566313566636238626434393364
62316263353733636136393034616362643764346536373533363937633938383037376261656330
30333738616232616566643335353161636466643830393464643263653633373662623437643332
61396430636631396134393064633131636233653664373363386638366138343435613438303330
61366234663461333331623961393834643233623862323861346163343934303838666232626639
6139

2
group_vars/auweg
View File

@ -5,8 +5,6 @@ dhcpd_primary: 172.23.13.3
dns_primary: 172.23.13.3
doorlock_domain: lock-auweg.binary.kitchen
name_servers:
- 172.23.13.3

3
host_vars/aeron.binary.kitchen
View File

@ -3,7 +3,4 @@
radius_hostname: radius3.binary.kitchen
slapd_hostname: ldap3.binary.kitchen
slapd_replica_id: 3
slapd_role: slave
unattended_reboot: "false"

6
host_vars/argentum.binary-kitchen.net
View File

@ -1,6 +0,0 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyGAePGA47K+VNFcKdvcQG3xM3ywcnrVtUD7wPrIin1 christoph"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINIhrQu5sf9LYoQ6ll1ShqDMX8xpsV9RUiaSw95JGafH flo@io3"

1
host_vars/aveta.binary.kitchen
View File

@ -3,5 +3,4 @@
radius_hostname: radius2.binary.kitchen
slapd_hostname: ldap2.binary.kitchen
slapd_replica_id: 2
slapd_role: slave

3
host_vars/bacon.binary.kitchen
View File

@ -13,7 +13,4 @@ ntp_peers:
radius_hostname: radius1.binary.kitchen
slapd_hostname: ldap1.binary.kitchen
slapd_replica_id: 1
slapd_role: slave
unattended_reboot: "false"

2
host_vars/beryllium.binary-kitchen.net
View File

@ -1,5 +1,5 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB+wC+Lik9TNbRo40+e2BmJzJY8EuwRiJzKKvGCHlMmagOmZVf+zUmjc1uMvrgoA4UPJyKlkW1HqRhKLmsoccD2wg1JLlnjx6KBhiPGjPt833eWv0CyfJVqoHVPUs14BwCRGzuFZPXh8LC1XWiDlo23RC0RgPpk+wcOzf79ZivYSL4UNMcBIMIKmPlRwBLRUUXjYU2jgv1mWvIQVdKRbwmLk7FajREANKiLj+Tk+D4VmkDq6gUqXZHYbyUauwrtpYSv2JM6YQYhWz+eNXIID1NmlopAf66RwFxAaane6qMUMSCQw3HUBL2BjFGgmmdJPvsEfrj+S1CYh61iC1NHmPhP6DDnQO7aiP6dWLnRXLg4qcUaN0XGNZmhScls/jNbN4U+w6gIlR12KyoCJOK4pXiifBiuqmFGucyETex1jdKoaLPeB8Smu4HkFksmRgTZHbiYVvkgI/iW9KjBBzxCc8cwehabUpQ0DVN4chpFiFNHb3SfCh6W/3IKFcu4ou4lbvVowq+v/M7aDhjSqGEBMS/HRMQ8KteNTngFBcpTzMPBz1RQIOqlWUGp8yqu1SwZ/ZG1nMyUehchfkw/n+ML676UYMCZX2m7hqWXVccCnJLzFApv+0Lzqf3TNSbeLS1N/MDdjg+uejtj1889/leIF1/CnaHIs7WJN1qmdeVGw== anti"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

2
host_vars/bowle.binary.kitchen
View File

@ -5,4 +5,4 @@ nfs_exports:
- /exports/backup/rz 172.23.9.61(rw,sync,no_subtree_check)
- /exports/tank 172.23.0.0/22(rw,sync,no_subtree_check)
unattended_reboot: "false"
uau_reboot: "false"

4
host_vars/fluorine.binary-kitchen.net
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"

5
host_vars/indium.binary-kitchen.net
View File

@ -1,5 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCNBY95YcFFBeiHM3IDzqKT/X/U09bpAWXwkCWIg6KlZumZg891apx6a0HLDannoBt7YCyYFgl3c1eJ36D08tRcy5c5k/+8Xhq0hq/HWo3EV5sd6Y+8xeTRST6Um8nyxHoSI7xw79yRoteOUDIzPnmDtbLQ2z3vWkA/H1EZQ4IjeQgFhl9vl4EyuAJ47Cdlv1D870BDspgAEoxSbipQEEnPsIctdyySp1R/sNC5tuP6qaoQ6nIDFdgv5rcY8SmgJQ2otlGex18RSBObBjdfyepV71mluqfs6HtVsM9zDvRUwY/FX4wmVc4QPdPLh/2kzEZi0YzefB10tpsuvhaOFI8JqXBDuSFZh3xCzRmKRlmqn50jrvGkYGUWg/GNYNF2rLCltCzg3BJHGaFh9sOtjaKLW+hTJwDtz4LIqNZb6w/2586hzjGCrrZgN24eLEcdp7iTPnkCul+kgOZaa62ytdKjza6/tgKCeUaEwmJTBuKMp/hor/LdLeibYgTtqUoFB7j1Ti2ey7oHly1oiSaKcR/hChgx0sniltRmzJI7KLuUiF+xkpv5Kf4rGl7UjvVxyf3glNh5DL87CfeWkGF3dgsjJdfYIHVJz/Bf6x0aB2TyybF8Exm0R05dhMT6ahZqMqa5d/aUZN+S3MaXw2amHWbMe8VcFpu/AztqrQM8sM+Mw== sprinterfreak"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

4
host_vars/knoedel.binary.kitchen
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

1
host_vars/krypton.binary-kitchen.net
View File

@ -2,4 +2,3 @@
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

11
host_vars/lasagne.binary.kitchen
View File

@ -1,11 +0,0 @@
---
root_keys_host:
- "# Thomas Basler"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
- "# Ralf Ramsauer"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
unattended_reboot: "false"

5
host_vars/lock-auweg.binary.kitchen
View File

@ -1,5 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAkXY3fQFMG7LkTBWtBNY7q7RCwb/R4Z8Y96e3pToddfXbtmtVxMZfd6hC+3kGt3NnPYDFmZf/RXblNBPwL/n8bEjA0bmfU60LMjFT0mG99bLU+5CgDxaSf34jzgtzLbHKqeSYxNpXNebbDZRw+cxuDjxJ+lYbc/hNQTy6hqKXUSQ25LAqplKVYbxlPWPxxKnJCvWj2pCdJGj1EK/Y+saafNOhA7uEPNt8HtWWNMhxNi+P9OkkLpYqRM8V0miR7aAYOY+RllMn+H5DIJg2gk319AHhlBDP7NXd/tmWg+bI7xYPDe9Q6gMrV8OnQmuNjWsLNhp8ktwQxpsv71t6ztXLpceIkV9yfDSeBpZG5QnsMOy/ua91S6hmMg4bIEBsqkPUYEwEIDFaV0TrlKeXMkU+ovthZnw0CWgV5KEWDHtuGu8nBBpks/geclh+0yqeFEaacnlTTNEhvCcp7vOsqDJnZSn1L4O6C+u/A4NJGRH7XQMWrXBdeTVIT9KLsdZJsoPIH8BRaw/qOYPY6wZzHcLvrsayUBBiiLDIN1lE/3OV70dKX7F0Q7hyl8o9EoGdEYnGBonWGC58hroiAE4FTVdWLKtHzHSG2AdTWf53sJzGVEh5swm44KD/Dh52bE4YjUxC0b68Twb3/L1QpH8KZNUVEcRNmiRshefMPSXbPv3bNzc= 20170818Tobias@Teubl.de"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

3
host_vars/magnesium.binary-kitchen.net
View File

@ -1,3 +0,0 @@
---
acertmgr_mode: standalone

1
host_vars/molybdenum.binary-kitchen.net
View File

@ -4,4 +4,3 @@ grafana_domain: zelle.binary-kitchen.de
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

3
host_vars/oxygen.binary-kitchen.net
View File

@ -1,4 +1,3 @@
---
sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
sshd_password_authentication: "yes"
uau_reboot: "false"

4
host_vars/pancake.binary.kitchen
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

5
host_vars/pizza.binary.kitchen
View File

@ -4,8 +4,9 @@ root_keys_host:
- "# Thomas Basler"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
- "# Ralf Ramsauer"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2bKOm2jd2QsPaJPE4V3bHBLjXB3pnpggkdEhf03aFvB08C72vKQcHpIYNhp8DLBr4N5epA0JP1cXdRSdKhQgzYbqL8CQgOJoNwf0OeOhFyXdThu1OqmaRMrRGlB/Q+sqBEXaknHqcXzq+24zkR+ID7sGkq7WaIKPln0qNY5RxWYrPE98ZhU5fZh1Qorcv34UBHYhVP4y8vM43LHcbkLgr0gg9tb2vItF6YvyIxgtz6KCODObzBZfkLLnVhVcb9VWbDh72rIz4OXI1fl+mCCH2l7XlqKP1vhF5LVsUjPcGY3Go0fw2vHIyxWe479OJ/9elFnKRIUY/f1Xz+YikLTmj ralf@YUBIKEY"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
unattended_reboot: "false"
uau_reboot: "false"

4
host_vars/rhodium.binary-kitchen.net
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

4
host_vars/ruthenium.binary-kitchen.net
View File

@ -2,6 +2,6 @@
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
unattended_reboot: "false"
uau_reboot: "false"

4
host_vars/schweinshaxn.binary.kitchen
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

4
host_vars/strontium.binary-kitchen.net Normal file
View File

@ -0,0 +1,4 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkN1eqP1Mv29z0npVznVJ4Cumyf4EoqS44xHKl0ms0e timo@charon"

4
host_vars/sulis.binary.kitchen
View File

@ -1,4 +0,0 @@
---
sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
sshd_password_authentication: "yes"

3
host_vars/technetium.binary-kitchen.net
View File

@ -1,5 +1,4 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBMLLlnlzbf5GTes2QrxuOTAR0BWTtbqQS80yPfI0mbh timo@styx"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7oyUa65KoSuv9l8tH/zVgZZ5mg5P45RIhlRZSt/amL x70b1"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcoIXTF0RtzM2vDir8axegFpLKNxGJyYNLj2triQm59GIvNRPHG/nBoaDcUwRT5b6Ew91KMw6iT1eI0n9oKbTMHZHvdSLLUmNmZT4z4JQOQm0n415ZW9m1r3R3S8sAxiLQ+5U91xnbHlzfuBKvpI56RLZNbkhAcqw9kS/UasO0UAFpdGL5CBnbJt0KPb4C9cYUM6H4clZFpWVDdK3+6gh+/Jx9QPmpPv0wfWI7z0fvQYUcXDFLjPh8CFK7BOcPZcv4V4bl5Tq1dTURMLaueTD0F5Ygn7cxKaDNvql4EIPDZaRCEz3cIvFB7435emRgZC54YmhWIYC+oJrLTlMCrYKhISLtWg92EcE/aCUNL0V+n1EK5dkds+AY/eDiyP58ArAHNsopXmcHiko3goyZyEK5Y0tJ5sA9L4Q0mgLz/rW1CsZHcpiYU9yKpDRscbf3DDlFMzMYG8O9JufgcyF+GFhxIhXesfjJ4gDNepaYhd/qutwThip027cKtoczLAMR2xbT6bUYr7KKmxvXVlP7Epkfi3N2cj/Wx9gAm1qIs1yjcWCe71k1QMC+dTNTV+T9Ch5d1lji7lGOKDl70rB/WytdISVlEJr8TviBk27oldCuC1WCPGjRxWeGv5uVxE9O7nQh0dxox+HFssa7ENuDR9LEd9O6Zvuf09pzDASB0PjFyw== bedah@binary-kitchen.de"

7
host_vars/tschunk.binary.kitchen
View File

@ -1,7 +0,0 @@
---
root_keys_host:
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
unattended_reboot: "true"

5
host_vars/yttrium.binary-kitchen.net
View File

@ -1,6 +1,5 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDetxImx0c/Fald9Y2wIHNJCi356rfskVUBT/SGH64N1HVZGBZhlWkeKJkCCufm3jLXdjJrlFDFlP0EjbohR6SP3VVf8Z7zAoazCtxWq0dyjPDvOjUrIuBeILbXZu0Q+qmFHPwvp5vR2wWFUwNLl1Te3CNSzQnn2KxOXfeZ56cDogzonlxh5JXDd0JWpINAuLp7uR6IshfmEMKsyCGjqzMUJ9YCztzkI9TJYDc4xitmQTvea44hRhyeIRf2ip8YlHnEIpJ9i712CQ5UEHBZUfy2gZwoLW0yYy9HJucF2A5gzvoUQ1wjA9/irlGiabKq6rOyT4ezBSoZZLEBIa6GU4qKMc1rE4Hnifi0AUnQ+4MqrCCu2QTJGNvyYzNt2XtkjakN3gtlz5xCsYV08PEB4VjAFVIa1yku66UblAW5KqixfE4mU7Z29b8faF5Ld7XO1tlNgiuHih7+JoQiwJ+auULYwRX1C2v6fAEU3PGU73VT3TZJTa5IS+fkTWzn643atxklP6Lmo8hrZIS0NXIr22OP1zYuCZm5/JLDhe0qOCYd8YQU2dNww4OUZ1uMLNOM+0UJvCHbWdjw8amR58yO5W83xp0qLHGUFjDpgvuP4ius4gvwjlhFdSVYRGwr2intLitXvOf3btjBJKUDIN0VM4MFzkvyUyCOgBgEkdCBvI7g4w== philmacfly"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8MB80WTE9ZW/mGRdPWjkpiupvoSGVnmK9wvOqm6xpwDwZkD52RGfiWQW2IbJObCLGJxoigSi4lVvrJD6MWjXAsj5Foq1H3Ok+xJET2zfWMf4s/0uStSS9kaJ/gI6Qd5jMsnz1xATTInWAHIK7u3I4trt81FWkXQdfRSNC0mPh/PYBsXzwgx/m5s3o1nUtcIBXFZUeGNnhSSf1As0Wi0Bsv3GXIIDH4b4cIi7aGHqGuaes2cTUW1r0RspUVI139Gx2O4mgv4JE/n61t/4AzfYGoaszoqPCHQt5LR8Wd/XIaPLwnM1kzo4QVqNgqkY/awryt9IPoAFqJBbIvP0Bt3irGOPrdl7e7KcV55a9gPpCmz+bVaQO2oBmQ34AsZFg9tCP26OmViQu0Lx14vWWYDFkxzCxCDDngo6+f+e5AsyAjO2pHz/ZKv/VE5P3y8CnadHG88cO0qeoI6VH4jjGk5GYYrVD4BHf8StlvAg8unwMlYchuvaKLtQyQXFW40ww4VDdPo6KSv5T5a6SozEzRtN2QKRLyxIz68xVnKYq4TanR2lsm6wecUSriV48qscglokcTKJspWD29DQ62dMt5xFDtM8i9dE8W3SUePB8qPTBK9LUrO8PkGjb0X/RgMZB5bCWBmz4I1G1X+9Y8OLpr4NKGP9UFntYtJ3tpMCHtPgf4Q== philmacfly"

13
hosts
View File

@ -6,18 +6,12 @@ sulis.binary.kitchen ansible_host=172.23.2.5
nabia.binary.kitchen ansible_host=172.23.2.6
epona.binary.kitchen ansible_host=172.23.2.7
pizza.binary.kitchen ansible_host=172.23.2.33
pancake.binary.kitchen ansible_host=172.23.2.34
knoedel.binary.kitchen ansible_host=172.23.2.35
schweinshaxn.binary.kitchen ansible_host=172.23.2.36
bob.binary.kitchen ansible_host=172.23.2.37
lasagne.binary.kitchen ansible_host=172.23.2.38
tschunk.binary.kitchen ansible_host=172.23.2.39
bowle.binary.kitchen ansible_host=172.23.2.62
salat.binary.kitchen ansible_host=172.23.9.61
[auweg]
weizen.binary.kitchen ansible_host=172.23.12.61
aeron.binary.kitchen ansible_host=172.23.13.3
lock-auweg.binary.kitchen ansible_host=172.23.13.12
weizen.binary.kitchen ansible_host=172.23.12.61
[fan_rz]
helium.binary-kitchen.net
lithium.binary-kitchen.net
@ -29,13 +23,10 @@ oxygen.binary-kitchen.net
fluorine.binary-kitchen.net
neon.binary-kitchen.net
sodium.binary-kitchen.net
magnesium.binary-kitchen.net
aluminium.binary-kitchen.net
krypton.binary-kitchen.net
yttrium.binary-kitchen.net
zirconium.binary-kitchen.net
molybdenum.binary-kitchen.net
ruthenium.binary-kitchen.net
rhodium.binary-kitchen.net
argentum.binary-kitchen.net
cadmium.binary-kitchen.net
barium.binary-kitchen.net

49
roles/23b/tasks/main.yml
View File

@ -1,49 +0,0 @@
---
- name: Install packages
apt:
name:
- docker-compose
- name: Create 23b group
group: name=23b
- name: Create 23b user
user:
name: 23b
home: /opt/23b
shell: /bin/bash
group: 23b
groups: docker
# docker-compolse.yml is managed outside ansible
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ bk23b_domain }}.key -out /etc/nginx/ssl/{{ bk23b_domain }}.crt -days 730 -subj "/CN={{ bk23b_domain }}" creates=/etc/nginx/ssl/{{ bk23b_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for 23b
template: src=certs.j2 dest=/etc/acertmgr/{{ bk23b_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/23b
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/23b dest=/etc/nginx/sites-enabled/23b state=link
notify: Restart nginx
- name: Systemd unit for 23b
template: src=23b.service.j2 dest=/etc/systemd/system/23b.service
notify:
- Reload systemd
- Restart 23b
- name: Start the 23b service
service: name=23b state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ bk23b_domain }}"

28
roles/23b/templates/23b.service.j2
View File

@ -1,28 +0,0 @@
[Unit]
Description=23b service using docker compose
Requires=docker.service
After=docker.service
Before=nginx.service
[Service]
Type=simple
User=23b
Group=23b
Restart=always
TimeoutStartSec=1200
WorkingDirectory=/opt/23b/23b/23b
# Make sure no old containers are running
ExecStartPre=/usr/bin/docker-compose down -v
# Compose up
ExecStart=/usr/bin/docker-compose up
# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker-compose down -v
[Install]
WantedBy=multi-user.target

36
roles/23b/templates/vhost.j2
View File

@ -1,36 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name {{ bk23b_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ bk23b_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ bk23b_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ bk23b_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ bk23b_domain }}.crt;
# set max upload size
client_max_body_size 8M;
location / {
proxy_pass http://localhost:5000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

7
roles/act_runner/defaults/main.yml
View File

@ -1,7 +0,0 @@
---
actrunner_user: act_runner
actrunner_group: act_runner
actrunner_version: 0.2.10
actrunner_url: https://gitea.com/gitea/act_runner/releases/download/v{{ actrunner_version }}/act_runner-{{ actrunner_version }}-linux-amd64

7
roles/act_runner/handlers/main.yml
View File

@ -1,7 +0,0 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart act_runner
service: name=act_runner state=restarted

35
roles/act_runner/tasks/main.yml
View File

@ -1,35 +0,0 @@
---
- name: Create group
group: name={{ actrunner_group }}
- name: Create user
user: name={{ actrunner_user }} home=/var/lib/act_runner group={{ actrunner_group }} groups=docker
- name: Create directories
file: path={{ item }} state=directory owner={{ actrunner_user }} group={{ actrunner_group }}
with_items:
- /etc/act_runner
- /var/lib/act_runner
- name: Download act_runner binary
get_url: url={{ actrunner_url }} dest=/usr/local/bin/act_runner-{{ actrunner_version }} mode=0755
register: runner_download
- name: Symlink act_runner binary
file: src=/usr/local/bin/act_runner-{{ actrunner_version }} dest=/usr/local/bin/act_runner state=link
when: runner_download.changed
notify: Restart act_runner
- name: Configure act_runner
template: src=config.yaml.j2 dest=/etc/act_runner/config.yaml owner={{ actrunner_user }} group={{ actrunner_group }}
notify: Restart act_runner
- name: Install systemd unit
template: src=act_runner.service.j2 dest=/lib/systemd/system/act_runner.service
notify:
- Reload systemd
- Restart act_runner
- name: Enable act_runner
service: name=act_runner state=started enabled=yes

16
roles/act_runner/templates/act_runner.service.j2
View File

@ -1,16 +0,0 @@
[Unit]
Description=Gitea Actions runner
Documentation=https://gitea.com/gitea/act_runner
After=docker.service
[Service]
ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
ExecReload=/bin/kill -s HUP $MAINPID
WorkingDirectory=/var/lib/act_runner
TimeoutSec=0
RestartSec=10
Restart=always
User={{ actrunner_user }}
[Install]
WantedBy=multi-user.target

86
roles/act_runner/templates/config.yaml.j2
View File

@ -1,86 +0,0 @@
log:
# The level of logging, can be trace, debug, info, warn, error, fatal
level: warn
runner:
# Where to store the registration result.
file: .runner
# Execute how many tasks concurrently at the same time.
capacity: 4
# Extra environment variables to run jobs.
envs:
# Extra environment variables to run jobs from a file.
# It will be ignored if it's empty or the file doesn't exist.
env_file: .env
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 3h
# Whether skip verifying the TLS certificate of the Gitea instance.
insecure: false
# The timeout for fetching the job from the Gitea instance.
fetch_timeout: 5s
# The interval for fetching the job from the Gitea instance.
fetch_interval: 2s
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
# Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
# If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `deamon`, will use labels in `.runner` file.
labels: [
"ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest",
"ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04",
"ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04",
]
cache:
# Enable cache server to use actions/cache.
enabled: true
# The directory to store the cache data.
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
dir: ""
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
host: ""
# The port of the cache server.
# 0 means to use a random available port.
port: 0
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
external_server: ""
container:
# Specifies the network to which the container will connect.
# Could be host, bridge or the name of a custom network.
# If it's empty, act_runner will create a network automatically.
network: ""
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: false
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options:
# The parent directory of a job's working directory.
# If it's empty, /workspace will be used.
workdir_parent:
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes: []
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: ""
# Pull docker image(s) even if already present
force_pull: false
host:
# The parent directory of a job's working directory.
# If it's empty, $HOME/.cache/act/ will be used.
workdir_parent:

3
roles/authentik/defaults/main.yml
View File

@ -1,3 +0,0 @@
---
authentik_version: 2024.12.1

16
roles/authentik/handlers/main.yml
View File

@ -1,16 +0,0 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart authentik
service: name=authentik state=restarted
- name: Restart authentik-reload
service: name=authentik-reload state=restarted
- name: Restart nginx
service: name=nginx state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

63
roles/authentik/tasks/main.yml
View File

@ -1,63 +0,0 @@
---
- name: Install packages
apt:
name:
- docker-compose
- name: Create authentik group
group: name=authentik
- name: Create authentik user
user:
name: authentik
home: /opt/authentik
shell: /bin/bash
group: authentik
groups: docker
- name: Configure authentik container
template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml
notify: Restart authentik
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ authentik_domain }}.key -out /etc/nginx/ssl/{{ authentik_domain }}.crt -days 730 -subj "/CN={{ authentik_domain }}" creates=/etc/nginx/ssl/{{ authentik_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for authentik
template: src=certs.j2 dest=/etc/acertmgr/{{ authentik_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/authentik
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/authentik dest=/etc/nginx/sites-enabled/authentik state=link
notify: Restart nginx
- name: Systemd unit for authentik
template: src=authentik.service.j2 dest=/etc/systemd/system/authentik.service
notify:
- Reload systemd
- Restart authentik
- name: Systemd unit for authentik-reload
template: src=authentik-reload.{{ item }}.j2 dest=/etc/systemd/system/authentik-reload.{{ item }}
with_items:
- "service"
- "timer"
notify:
- Reload systemd
- Restart authentik-reload
- name: Start the authentik service
service: name=authentik state=started enabled=yes
- name: Enable auto update timer
service: name=authentik-reload.timer state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ authentik_domain }}"

7
roles/authentik/templates/authentik-reload.service.j2
View File

@ -1,7 +0,0 @@
[Unit]
Description=Refresh authentik images
[Service]
Type=oneshot
ExecStart=/bin/systemctl reload-or-restart authentik.service

10
roles/authentik/templates/authentik-reload.timer.j2
View File

@ -1,10 +0,0 @@
[Unit]
Description=Refresh authentik images
Requires=authentik.service
After=authentik.service
[Timer]
OnCalendar=*:0/15
[Install]
WantedBy=timers.target

32
roles/authentik/templates/authentik.service.j2
View File

@ -1,32 +0,0 @@
[Unit]
Description=authentik service using docker compose
Requires=docker.service
After=docker.service
Before=nginx.service
[Service]
Type=simple
User=authentik
Group=authentik
Restart=always
TimeoutStartSec=1200
WorkingDirectory=/opt/authentik
# Update images
ExecStartPre=-/usr/bin/docker-compose pull --quiet
# Compose up
ExecStart=/usr/bin/docker-compose up
# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker-compose down -v
# Refresh on reload
ExecReload=-/usr/bin/docker-compose pull --quiet
ExecReload=/usr/bin/docker-compose up -d
[Install]
WantedBy=multi-user.target

15
roles/authentik/templates/certs.j2
View File

@ -1,15 +0,0 @@
---
{{ authentik_domain }}:
- path: /etc/nginx/ssl/{{ authentik_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ authentik_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'

79
roles/authentik/templates/docker-compose.yml.j2
View File

@ -1,79 +0,0 @@
---
version: "3.4"
services:
postgresql:
image: docker.io/library/postgres:16-alpine
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- ./database:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: {{ authentik_dbpass }}
POSTGRES_USER: {{ authentik_dbuser }}
POSTGRES_DB: {{ authentik_dbname }}
redis:
image: docker.io/library/redis:alpine
command: --save 60 1 --loglevel warning
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
- ./redis:/data
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:{{ authentik_version }}
restart: unless-stopped
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
volumes:
- ./media:/media
- ./custom-templates:/templates
ports:
- "127.0.0.1:9000:9000"
depends_on:
postgresql:
condition: service_healthy
redis:
condition: service_healthy
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:{{ authentik_version }}
restart: unless-stopped
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
# `user: root` and the docker socket volume are optional.
# See more for the docker socket integration here:
# https://goauthentik.io/docs/outposts/integrations/docker
# Removing `user: root` also prevents the worker from fixing the permissions
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
# (1000:1000 by default)
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./media:/media
- ./certs:/certs
- ./custom-templates:/templates
depends_on:
postgresql:
condition: service_healthy
redis:
condition: service_healthy

41
roles/authentik/templates/vhost.j2
View File

@ -1,41 +0,0 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
server_name {{ authentik_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ authentik_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ authentik_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ authentik_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ authentik_domain }}.crt;
location / {
proxy_pass http://localhost:9000;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}

2
roles/bk_dss/defaults/main.yml
View File

@ -1,4 +1,4 @@
---
dss_uwsgi_port: 5001
dss_version: 0.8.5
dss_version: 0.8.4

5
roles/bk_dss/tasks/main.yml
View File

@ -44,8 +44,3 @@
- name: Enable vhosts
file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
notify: Restart nginx
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ dss_domain }}"

6
roles/bk_dss/templates/config.cfg.j2
View File

@ -1,14 +1,12 @@
DEBUG = True
REMEMBER_COOKIE_SECURE = True
SECRET_KEY = "{{ dss_secret }}"
SESSION_COOKIE_SECURE = True
SESSION_TIMEOUT = 3600
LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
LDAP_URI = "{{ ldap_uri }}"
LDAP_BASE = "{{ ldap_base }}"
ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=anke,ou=people,dc=binary-kitchen,dc=de", "cn=toffy,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=marove,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
@ -30,7 +28,7 @@ USER_ATTRS = {
'userPassword' : '{pass}'
}
GROUP_FILTER = "(objectClass=posixGroup)"
GROUP_DN = 'cn=members,ou=groups,dc=binary-kitchen,dc=de'
REDIS_HOST = "127.0.0.1"
REDIS_PASSWD = None

5
roles/common/defaults/main.yml
View File

@ -6,8 +6,3 @@ logrotate_excludes:
- "/etc/logrotate.d/dbconfig-common"
- "/etc/logrotate.d/btmp"
- "/etc/logrotate.d/wtmp"
sshd_password_authentication: "no"
sshd_permit_root_login: "prohibit-password"
unattended_reboot: "true"

4261
roles/common/files/.zshrc
View File

File diff suppressed because it is too large Load Diff

3
roles/common/handlers/main.yml
View File

@ -6,9 +6,6 @@
- name: Restart journald
service: name=systemd-journald state=restarted
- name: Restart sshd
service: name=sshd state=restarted
- name: update-grub
command: update-grub

35
roles/common/tasks/Debian.yml
View File

@ -4,9 +4,7 @@
apt:
name:
- apt-transport-https
- debian-goodies
- dnsutils
- fdisk
- gnupg2
- htop
- less
@ -16,9 +14,7 @@
- pydf
- rsync
- sudo
- unattended-upgrades
- vim-nox
- wget
- zsh
- name: Install software on KVM VMs
@ -28,20 +24,14 @@
- qemu-guest-agent
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
- name: Configure unattended upgrades
template: src={{ item }}.j2 dest=/etc/apt/apt.conf.d/{{ item }}
with_items:
- 02periodic
- 50unattended-upgrades
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- { src: '.zshrc', dest: '/root/.zshrc' }
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
- { src: 'motd', dest: '/etc/motd' }
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
- name: Set shell for root user
user: name=root shell=/bin/zsh
@ -62,8 +52,8 @@
- name: Prevent normal users from running su
lineinfile:
path: /etc/pam.d/su
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
line: "auth required pam_wheel.so"
regexp: '^.*auth\s+required\s+pam_wheel.so$'
line: 'auth required pam_wheel.so'
- name: Configure journald retention
lineinfile:
@ -98,25 +88,16 @@
set_fact:
logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
- name: "Set logrotate.d/* to daily"
- name: 'Set logrotate.d/* to daily'
replace:
path: "{{ item }}"
regexp: "(?:weekly|monthly)"
replace: "daily"
loop: "{{ logrotateconfigpaths }}"
- name: "Set /etc/logrotate.d/* rotation to 7"
- name: 'Set /etc/logrotate.d/* rotation to 7'
replace:
path: "{{ item }}"
regexp: "rotate [0-9]+"
replace: "rotate 7"
loop: "{{ logrotateconfigpaths }}"
- name: Configure sshd
template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: '0644'
notify: Restart sshd

9
roles/common/tasks/Proxmox.yml
View File

@ -9,17 +9,16 @@
- less
- rsync
- vim-nox
- wget
- zsh
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- { src: '.zshrc', dest: '/root/.zshrc' }
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
- { src: 'motd', dest: '/etc/motd' }
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
- name: Set shell for root user
user: name=root shell=/bin/zsh

3
roles/common/tasks/chrony.yml
View File

@ -6,6 +6,3 @@
- name: Configure chrony
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
notify: Restart chrony
- name: Start chrony
service: name=chrony state=started enabled=yes

8
roles/common/tasks/main.yml
View File

@ -2,20 +2,20 @@
- name: Cleanup
apt: autoclean=yes
when: ansible_os_family == "Debian"
when: ansible_os_family == 'Debian'
- name: Gather package facts
package_facts:
manager: apt
when: ansible_os_family == "Debian"
when: ansible_os_family == 'Debian'
- name: Proxmox
include: Proxmox.yml
when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages
when: ansible_os_family == 'Debian' and 'pve-manager' in ansible_facts.packages
- name: Debian
include: Debian.yml
when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
when: ansible_os_family == 'Debian' and 'pve-manager' not in ansible_facts.packages
- name: Setup chrony
include: chrony.yml

8
roles/common/templates/chrony.conf.j2
View File

@ -1,9 +1,6 @@
# Welcome to the chrony configuration file. See chrony.conf(5) for more
# information about usable directives.
# Include configuration files found in /etc/chrony/conf.d.
confdir /etc/chrony/conf.d
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
@ -26,9 +23,6 @@ keyfile /etc/chrony/chrony.keys
# information.
driftfile /var/lib/chrony/chrony.drift
# Save NTS keys and cookies.
ntsdumpdir /var/lib/chrony
# Uncomment the following line to turn logging on.
#log tracking measurements statistics
@ -39,7 +33,7 @@ logdir /var/log/chrony
maxupdateskew 100.0
# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
# real-time clock. Note that it cant be used along with the 'rtcfile' directive.
rtcsync
# Step the system clock instead of slewing it if the adjustment is larger than

131
roles/common/templates/sshd_config.j2
View File

@ -1,131 +0,0 @@
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin {{ sshd_permit_root_login }}
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
{% if sshd_authkeys_command is defined and sshd_authkeys_command %}
AuthorizedKeysCommand {{ sshd_authkeys_command }}
{% if sshd_authkeys_user is defined and sshd_authkeys_user %}
AuthorizedKeysCommandUser {{ sshd_authkeys_user }}
{% else %}
AuthorizedKeysCommandUser nobody
{% endif %}
{% else %}
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
{% endif %}
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication {{ sshd_password_authentication }}
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

6
roles/coturn/handlers/main.yml
View File

@ -1,10 +1,4 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart coturn
service: name=coturn state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

4
roles/coturn/meta/main.yml
View File

@ -1,4 +0,0 @@
---
dependencies:
- { role: acertmgr }

22
roles/coturn/tasks/main.yml
View File

@ -3,28 +3,6 @@
- name: Install coturn
apt: name=coturn
- name: Create coturn service override directory
file: path=/etc/systemd/system/coturn.service.d state=directory
- name: Configure coturn service override
template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
notify:
- Reload systemd
- Restart coturn
- name: Create gitea directories
file: path={{ item }} state=directory owner=turnserver
with_items:
- /etc/turnserver
- /etc/turnserver/certs
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
notify: Run acertmgr
- name: Configure coturn
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:

15
roles/coturn/templates/certs.j2
View File

@ -1,15 +0,0 @@
---
{{ coturn_realm }}:
- path: /etc/turnserver/certs/{{ coturn_realm }}.key
user: turnserver
group: turnserver
perm: '400'
format: key
action: '/usr/sbin/service coturn restart'
- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
user: turnserver
group: turnserver
perm: '400'
format: crt,ca
action: '/usr/sbin/service coturn restart'

2
roles/coturn/templates/coturn.override.j2
View File

@ -1,2 +0,0 @@
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE

21
roles/coturn/templates/turnserver.conf.j2
View File

@ -15,7 +15,7 @@
# Note: actually, TLS & DTLS sessions can connect to the
# "plain" TCP & UDP port(s), too - if allowed by configuration.
#
listening-port=443
#listening-port=3478
# TURN listener port for TLS (Default: 5349).
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
@ -27,7 +27,7 @@ listening-port=443
# TLS version 1.0, 1.1 and 1.2.
# For secure UDP connections, Coturn supports DTLS version 1.
#
tls-listening-port=443
#tls-listening-port=5349
# Alternative listening port for UDP and TCP listeners;
# default (or zero) value means "listening port plus one".
@ -125,10 +125,7 @@ tls-listening-port=443
#
# By default, this value is empty, and no address mapping is used.
#
external-ip={{ ansible_default_ipv4.address }}
{% if ansible_default_ipv6.address is defined %}
external-ip={{ ansible_default_ipv6.address }}
{% endif %}
#external-ip=60.70.80.91
#
#OR:
#
@ -402,17 +399,17 @@ realm={{ coturn_realm }}
# Uncomment if no TCP client listener is desired.
# By default TCP client listener is always started.
#
#no-tcp
no-tcp
# Uncomment if no TLS client listener is desired.
# By default TLS client listener is always started.
#
#no-tls
no-tls
# Uncomment if no DTLS client listener is desired.
# By default DTLS client listener is always started.
#
#no-dtls
no-dtls
# Uncomment if no UDP relay endpoints are allowed.
# By default UDP relay endpoints are enabled (like in RFC 5766).
@ -749,6 +746,6 @@ mobility
# Do not allow an TLS/DTLS version of protocol
#
#no-tlsv1
#no-tlsv1_1
#no-tlsv1_2
no-tlsv1
no-tlsv1_1
no-tlsv1_2

4
roles/dhcpd/handlers/main.yml Normal file
View File

@ -0,0 +1,4 @@
---
- name: Restart isc-dhcp-server
service: name=isc-dhcp-server state=restarted

14
roles/dhcpd/tasks/main.yml Normal file
View File

@ -0,0 +1,14 @@
---
- name: Install dhcp server
apt: name=isc-dhcp-server
- name: Configure dhcp server
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:
- default/isc-dhcp-server
- dhcp/dhcpd.conf
notify: Restart isc-dhcp-server
- name: Start the dhcp server
service: name=isc-dhcp-server state=started enabled=yes

21
roles/dhcpd/templates/default/isc-dhcp-server.j2 Normal file
View File

@ -0,0 +1,21 @@
#
# This is a POSIX shell fragment
#
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="{{ ansible_default_ipv4['interface'] }}"
INTERFACESv6=""
INTERFACES="{{ ansible_default_ipv4['interface'] }}"

278
roles/dhcpd/templates/dhcp/dhcpd.conf.j2 Normal file
View File

@ -0,0 +1,278 @@
# dhcpd.conf
# option definitions common to all supported networks...
option domain-name "binary.kitchen";
option domain-name-servers {{ name_servers | join(', ') }};
option domain-search "binary.kitchen";
option ntp-servers 172.23.1.60, 172.23.2.3;
default-lease-time 7200;
max-lease-time 28800;
# Use this to enble / disable dynamic dns updates globally.
ddns-update-style interim;
ddns-updates on;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
{% if dhcpd_failover == true %}
# Failover
failover peer "failover-partner" {
{% if ansible_default_ipv4.address == dhcpd_primary %}
primary;
address {{ dhcpd_primary }};
peer address {{ dhcpd_secondary }};
{% elif ansible_default_ipv4.address == dhcpd_secondary %}
secondary;
address {{ dhcpd_secondary }};
peer address {{ dhcpd_primary }};
{% endif %}
port 520;
peer port 520;
max-response-delay 60;
max-unacked-updates 10;
{% if ansible_default_ipv4.address == dhcpd_primary %}
mclt 600;
split 255;
{% endif %}
load balance max seconds 3;
}
{% endif %}
# Binary Kitchen subnets
# Management
subnet 172.23.1.0 netmask 255.255.255.0 {
option routers 172.23.1.1;
}
# Services
subnet 172.23.2.0 netmask 255.255.255.0 {
allow bootp;
option routers 172.23.2.1;
}
# Users
subnet 172.23.3.0 netmask 255.255.255.0 {
option routers 172.23.3.1;
ddns-domainname "users.binary.kitchen";
option domain-search "binary.kitchen", "users.binary.kitchen";
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.3.10 172.23.3.230;
}
}
# MQTT
subnet 172.23.4.0 netmask 255.255.255.0 {
option routers 172.23.4.1;
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.4.10 172.23.4.240;
}
}
# Management Auweg
subnet 172.23.12.0 netmask 255.255.255.0 {
option routers 172.23.12.1;
}
# Services Auweg
subnet 172.23.13.0 netmask 255.255.255.0 {
allow bootp;
option routers 172.23.13.1;
}
# Users Auweg
subnet 172.23.14.0 netmask 255.255.255.0 {
option routers 172.23.3.1;
ddns-domainname "users.binary.kitchen";
option domain-search "binary.kitchen", "users.binary.kitchen";
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.14.10 172.23.14.230;
}
}
# MQTT Auweg
subnet 172.23.15.0 netmask 255.255.255.0 {
option routers 172.23.4.1;
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.15.10 172.23.15.240;
}
}
# DDNS zones
zone users.binary.kitchen {
primary {{ dns_primary }};
}
# Fixed IPs
host ap01 {
hardware ethernet 44:48:c1:ce:a9:00;
fixed-address ap01.binary.kitchen;
}
host ap04 {
hardware ethernet 44:48:c1:ce:90:06;
fixed-address ap04.binary.kitchen;
}
host ap05 {
hardware ethernet bc:9f:e4:c3:6f:aa;
fixed-address ap05.binary.kitchen;
}
host ap06 {
hardware ethernet 94:b4:0f:c0:1d:a0;
fixed-address ap06.binary.kitchen;
}
host bowle {
hardware ethernet ac:1f:6b:25:16:b6;
fixed-address bowle.binary.kitchen;
}
host cannelloni {
hardware ethernet 00:10:f3:15:88:ac;
fixed-address cannelloni.binary.kitchen;
}
host fusilli {
hardware ethernet b8:27:eb:1d:b9:bf;
fixed-address fusilli.binary.kitchen;
}
host garlic {
hardware ethernet b8:27:eb:56:2b:7c;
fixed-address garlic.binary.kitchen;
}
host habdisplay1 {
hardware ethernet b8:27:eb:b6:62:be;
fixed-address habdisplay1.mqtt.binary.kitchen;
}
host habdisplay2 {
hardware ethernet b8:27:eb:df:0b:7b;
fixed-address habdisplay2.mqtt.binary.kitchen;
}
host klopi {
hardware ethernet 74:da:38:6e:e6:9d;
fixed-address klopi.binary.kitchen;
}
host lock {
hardware ethernet b8:27:eb:d8:b9:ad;
fixed-address lock.binary.kitchen;
}
host maccaroni {
hardware ethernet b8:27:eb:18:5c:11;
fixed-address maccaroni.binary.kitchen;
}
host matrix {
hardware ethernet b8:27:eb:ed:22:58;
fixed-address matrix.binary.kitchen;
}
host mirror {
hardware ethernet 74:da:38:7d:ed:84;
fixed-address mirror.binary.kitchen;
}
host mpcnc {
hardware ethernet b8:27:eb:0f:d3:8b;
fixed-address mpcnc.binary.kitchen;
}
host noodlehub {
hardware ethernet b8:27:eb:eb:e5:88;
fixed-address noodlehub.binary.kitchen;
}
host openhabgw1 {
hardware ethernet dc:a6:32:bf:e2:3e;
fixed-address openhabgw1.mqtt.binary.kitchen;
}
host pizza {
hardware ethernet 52:54:00:17:02:21;
fixed-address pizza.binary.kitchen;
}
host spaghetti {
hardware ethernet b8:27:eb:e3:e9:f1;
fixed-address spaghetti.binary.kitchen;
}
host schweinshaxn {
hardware ethernet 52:54:00:17:02:24;
fixed-address schweinshaxn.binary.kitchen;
}
host strammermax {
hardware ethernet 08:00:37:B8:55:44;
fixed-address strammermax.binary.kitchen;
}
host obatzda {
hardware ethernet ec:9a:74:35:35:cf;
fixed-address obatzda.binary.kitchen;
}
# VoIP Phones
host voip01 {
hardware ethernet 00:1D:45:B6:99:2F;
option tftp-server-name "172.23.2.36";
}
host voip02 {
hardware ethernet 00:1D:A2:66:B8:3E;
option tftp-server-name "172.23.2.36";
}
host voip03 {
hardware ethernet 00:1E:BE:90:FB:DB;
option tftp-server-name "172.23.2.36";
}
host voip04 {
hardware ethernet 00:1E:BE:90:FF:06;
option tftp-server-name "172.23.2.36";
}
# OMAPI
omapi-port 7911;
omapi-key omapi_key;
key omapi_key {
algorithm hmac-md5;
secret {{ dhcp_omapi_key }};
}

3
roles/dns_extern/templates/pdns.conf.j2
View File

@ -1,4 +1,5 @@
local-address=0.0.0.0, ::
local-address=0.0.0.0
local-ipv6=::
launch=gsqlite3
gsqlite3-dnssec
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3

36
roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2
View File

@ -1,7 +1,7 @@
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2024100600; serial
2021091301; serial
1d; refresh
2h; retry
4w; expire
@ -11,20 +11,21 @@ $TTL 1h ; default time-to-live
IN NS ns2.binary.kitchen.
; Loopback
1.0 IN PTR core.binary.kitchen.
2.0 IN PTR rt-w13b.binary.kitchen.
2.0 IN PTR erx-bk.binary.kitchen.
3.0 IN PTR erx-rz.binary.kitchen.
4.0 IN PTR rt-auweg.binary.kitchen.
4.0 IN PTR erx-auweg.binary.kitchen.
; Management
1.1 IN PTR v2301.core.binary.kitchen.
11.1 IN PTR ups1.binary.kitchen.
21.1 IN PTR pdu1.binary.kitchen.
22.1 IN PTR pdu2.binary.kitchen.
23.1 IN PTR pdu3.binary.kitchen.
31.1 IN PTR sw-butchery.binary.kitchen.
32.1 IN PTR sw-mini.binary.kitchen.
33.1 IN PTR sw-rack.binary.kitchen.
31.1 IN PTR sw01.binary.kitchen.
32.1 IN PTR sw02.binary.kitchen.
33.1 IN PTR sw03.binary.kitchen.
41.1 IN PTR ap01.binary.kitchen.
42.1 IN PTR ap02.binary.kitchen.
43.1 IN PTR ap03.binary.kitchen.
44.1 IN PTR ap04.binary.kitchen.
45.1 IN PTR ap05.binary.kitchen.
46.1 IN PTR ap06.binary.kitchen.
@ -34,8 +35,6 @@ $TTL 1h ; default time-to-live
82.1 IN PTR bowle-bmc.binary.kitchen.
101.1 IN PTR nbe-w13b.binary.kitchen.
102.1 IN PTR nbe-tr8.binary.kitchen.
111.1 IN PTR rfp01.binary.kitchen.
112.1 IN PTR rfp02.binary.kitchen.
; Services
1.2 IN PTR v2302.core.binary.kitchen.
3.2 IN PTR bacon.binary.kitchen.
@ -46,12 +45,8 @@ $TTL 1h ; default time-to-live
12.2 IN PTR lock.binary.kitchen.
13.2 IN PTR matrix.binary.kitchen.
33.2 IN PTR pizza.binary.kitchen.
34.2 IN PTR pancake.binary.kitchen.
35.2 IN PTR knoedel.binary.kitchen.
36.2 IN PTR schweinshaxn.binary.kitchen.
37.2 IN PTR bob.binary.kitchen.
38.2 IN PTR lasagne.binary.kitchen.
39.2 IN PTR tschunk.binary.kitchen.
62.2 IN PTR bowle.binary.kitchen.
91.2 IN PTR strammermax.binary.kitchen.
92.2 IN PTR obatzda.binary.kitchen.
@ -61,6 +56,7 @@ $GENERATE 10-230 $.3 IN PTR dhcp-${0,3,d}-03.binary.kitchen.
240.3 IN PTR fusilli.binary.kitchen.
241.3 IN PTR klopi.binary.kitchen.
242.3 IN PTR mpcnc.binary.kitchen.
243.3 IN PTR garlic.binary.kitchen.
244.3 IN PTR mirror.binary.kitchen.
245.3 IN PTR spaghetti.binary.kitchen.
246.3 IN PTR maccaroni.binary.kitchen.
@ -69,7 +65,6 @@ $GENERATE 10-230 $.3 IN PTR dhcp-${0,3,d}-03.binary.kitchen.
; MQTT
1.4 IN PTR v2304.core.binary.kitchen.
6.4 IN PTR pizza.mqtt.binary.kitchen.
7.4 IN PTR lasagne.mqtt.binary.kitchen.
$GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
241.4 IN PTR habdisplay1.mqtt.binary.kitchen.
242.4 IN PTR habdisplay2.mqtt.binary.kitchen.
@ -87,26 +82,17 @@ $GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
1.10 IN PTR wg0.erx-rz.binary.kitchen.
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
; Management Auweg
1.12 IN PTR v2312.rt-auweg.binary.kitchen.
31.12 IN PTR sw-auweg.binary.kitchen.
41.12 IN PTR ap11.binary.kitchen.
42.12 IN PTR ap12.binary.kitchen.
61.12 IN PTR weizen.binary.kitchen.
111.12 IN PTR rfp11.binary.kitchen.
; Services Auweg
1.13 IN PTR v2313.rt-auweg.binary.kitchen.
3.13 IN PTR aeron.binary.kitchen.
12.13 IN PTR lock-auweg.binary.kitchen.
; Clients Auweg
1.14 IN PTR v2314.rt-auweg.binary.kitchen.
$GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen.
; MQTT
1.15 IN PTR v2315.rt-auweg.binary.kitchen.
$GENERATE 10-240 $.15 IN PTR dhcp-${0,3,d}-15.binary.kitchen.
; Point-to-Point
1.96 IN PTR v400.rt-w13b.binary.kitchen.
1.96 IN PTR v400.erx-bk.binary.kitchen.
2.96 IN PTR v400.core.binary.kitchen.
1.97 IN PTR wg1.erx-rz.binary.kitchen.
2.97 IN PTR wg1.rt-w13b.binary.kitchen.
2.97 IN PTR wg1.erx-bk.binary.kitchen.
5.97 IN PTR wg2.erx-rz.binary.kitchen.
6.97 IN PTR wg2.rt-auweg.binary.kitchen.
6.97 IN PTR wg2.erx-auweg.binary.kitchen.

44
roles/dns_intern/templates/bind/binary.kitchen.zone.j2
View File

@ -1,19 +1,19 @@
$ORIGIN binary.kitchen ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2024111500; serial
2021091301; serial
1d; refresh
2h; retry
4w; expire
1h; minimum time-to-live
)
@ IN NS ns1.binary.kitchen.
@ IN NS ns2.binary.kitchen.
IN NS ns1.binary.kitchen.
IN NS ns2.binary.kitchen.
; Subdomains
users IN NS ns1.binary.kitchen.
users IN NS ns2.binary.kitchen.
; External
@ IN A 213.166.246.4
IN A 213.166.246.4
www IN A 213.166.246.4
; Aliases
3dprinter IN A 172.23.3.251
@ -29,25 +29,26 @@ librenms IN A 172.23.2.6
netbox IN A 172.23.2.7
ns1 IN A 172.23.2.3
ns2 IN A 172.23.2.4
omm IN A 172.23.2.35
racktables IN A 172.23.2.6
radius IN A 172.23.2.3
radius IN A 172.23.2.4
; Loopback
core IN A 172.23.0.1
rt-w13b IN A 172.23.0.2
erx-bk IN A 172.23.0.2
erx-rz IN A 172.23.0.3
rt-auweg IN A 172.23.0.4
erx-auweg IN A 172.23.0.4
; Management
v2301.core IN A 172.23.1.1
ups1 IN A 172.23.1.11
pdu1 IN A 172.23.1.21
pdu2 IN A 172.23.1.22
pdu3 IN A 172.23.1.23
sw-butchery IN A 172.23.1.31
sw-mini IN A 172.23.1.32
sw-rack IN A 172.23.1.33
sw01 IN A 172.23.1.31
sw02 IN A 172.23.1.32
sw03 IN A 172.23.1.33
ap01 IN A 172.23.1.41
ap02 IN A 172.23.1.42
ap03 IN A 172.23.1.43
ap04 IN A 172.23.1.44
ap05 IN A 172.23.1.45
ap06 IN A 172.23.1.46
@ -57,8 +58,6 @@ wurst-bmc IN A 172.23.1.80
bowle-bmc IN A 172.23.1.82
nbe-w13b IN A 172.23.1.101
nbe-tr8 IN A 172.23.1.102
rfp01 IN A 172.23.1.111
rfp02 IN A 172.23.1.112
; Services
v2302.core IN A 172.23.2.1
bacon IN A 172.23.2.3
@ -69,12 +68,8 @@ epona IN A 172.23.2.7
lock IN A 172.23.2.12
matrix IN A 172.23.2.13
pizza IN A 172.23.2.33
pancake IN A 172.23.2.34
knoedel IN A 172.23.2.35
schweinshaxn IN A 172.23.2.36
bob IN A 172.23.2.37
lasagne IN A 172.23.2.38
tschunk IN A 172.23.2.39
bowle IN A 172.23.2.62
strammermax IN A 172.23.2.91
obatzda IN A 172.23.2.92
@ -84,6 +79,7 @@ $GENERATE 10-230 dhcp-${0,3,d}-03 IN A 172.23.3.$
fusilli IN A 172.23.3.240
klopi IN A 172.23.3.241
mpcnc IN A 172.23.3.242
garlic IN A 172.23.3.243
mirror IN A 172.23.3.244
spaghetti IN A 172.23.3.245
maccaroni IN A 172.23.3.246
@ -92,7 +88,6 @@ noodlehub IN A 172.23.3.251
; MQTT
v2304.core IN A 172.23.4.1
pizza.mqtt IN A 172.23.4.6
lasagne.mqtt IN A 172.23.4.7
$GENERATE 10-240 dhcp-${0,3,d}-04 IN A 172.23.4.$
habdisplay1.mqtt IN A 172.23.4.241
habdisplay2.mqtt IN A 172.23.4.242
@ -107,29 +102,20 @@ salat IN A 172.23.9.61
salat-bmc IN A 172.23.9.81
; Services RZ
; Management Auweg
v2312.rt-auweg IN A 172.23.12.1
sw-auweg IN A 172.23.12.31
ap11 IN A 172.23.12.41
ap12 IN A 172.23.12.42
weizen IN A 172.23.12.61
rfp11 IN A 172.23.12.111
; Services Auweg
v2313.rt-auweg IN A 172.23.13.1
aeron IN A 172.23.13.3
lock-auweg IN A 172.23.13.12
; Clients Auweg
v2314.rt-auweg IN A 172.23.14.1
$GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$
; MQTT Auweg
v2315.rt-auweg IN A 172.23.15.1
$GENERATE 10-240 dhcp-${0,3,d}-15 IN A 172.23.15.$
; VPN RZ (ER-X)
wg0.erx-rz IN A 172.23.10.1
$GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$
; Point-to-Point
v400.rt-w13b IN A 172.23.96.1
v400.erx-bk IN A 172.23.96.1
v400.core IN A 172.23.96.2
wg1.erx-rz IN A 172.23.97.1
wg1.rt-w13b IN A 172.23.97.2
wg1.erx-bk IN A 172.23.97.2
wg2.erx-rz IN A 172.23.97.5
wg2.rt-auweg IN A 172.23.97.6
wg2.erx-auweg IN A 172.23.97.6

18
roles/dns_intern/templates/dnsdist.conf.j2
View File

@ -9,27 +9,17 @@ newServer({address='127.0.0.1:5300', pool='authdns'})
newServer({address='127.0.0.1:5353', pool='resolve'})
{% if dns_secondary is defined %}
-- allow AXFR/IXFR only from secondary
addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
-- allow AXFR/IXFR only from slaves
addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
{% endif %}
-- allow NOTIFY only from primary
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
-- allow NOTIFY only from master
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
-- use auth servers for own zones
addAction('binary.kitchen', PoolAction('authdns'))
addAction('23.172.in-addr.arpa', PoolAction('authdns'))
-- function to set RA flag
function setRA(dq)
dq.dh:setRA(true)
return DNSResponseAction.None
end
-- set RA flag for queries to own zones
addResponseAction('binary.kitchen', LuaResponseAction(setRA))
addResponseAction('23.172.in-addr.arpa', LuaResponseAction(setRA))
-- use resolver for anything else
addAction(AllRule(), PoolAction('resolve'))

6
roles/dns_intern/templates/pdns.conf.j2
View File

@ -26,6 +26,12 @@ launch=bind,gsqlite3
# local-address=0.0.0.0
local-address=127.0.0.1
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=::
local-ipv6=
#################################
# local-port The port on which we listen
#

4
roles/dns_intern/templates/recursor.conf.j2
View File

@ -11,9 +11,9 @@
config-dir=/etc/powerdns
#################################
# dnssec DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
#
# dnssec=process
# dnssec=process-no-validate
dnssec=off
#################################

15
roles/docker/tasks/main.yml
View File

@ -1,10 +1,17 @@
---
- name: Enable docker apt-key
apt_key: url='https://download.docker.com/linux/debian/gpg'
- name: Enable docker repository
apt_repository:
repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
filename: docker
- name: Install docker
apt:
name:
- docker.io
- docker-ce
- docker-ce-cli
- containerd.io
- python3-docker
- name: Enable docker
service: name=docker state=started enabled=yes

7
roles/doorlock/handlers/main.yml
View File

@ -1,7 +0,0 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart nginx
service: name=nginx state=restarted

20
roles/doorlock/tasks/main.yml
View File

@ -1,20 +0,0 @@
---
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ doorlock_domain }}.key -out /etc/nginx/ssl/{{ doorlock_domain }}.crt
-days 730 -subj "/CN={{ doorlock_domain }}"
creates: /etc/nginx/ssl/{{ doorlock_domain }}.crt
notify: Restart nginx
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ doorlock_domain }}"
- name: Configure certificate manager for doorlock
template: src=certs.j2 dest=/etc/acertmgr/{{ doorlock_domain }}.conf
notify: Run acertmgr

18
roles/doorlock/templates/certs.j2
View File

@ -1,18 +0,0 @@
---
{{ doorlock_domain }}:
- mode: dns.nsupdate
nsupdate_server: {{ acme_dnskey_server }}
nsupdate_keyfile: {{ acme_dnskey_file }}
- path: /etc/nginx/ssl/{{ doorlock_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ doorlock_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'

14
roles/drone/files/drone.service Normal file
View File

@ -0,0 +1,14 @@
[Unit]
Description=drone.io server
After=network-online.target
[Service]
Type=simple
User=drone
EnvironmentFile=/etc/default/drone
ExecStart=/opt/drone/bin/drone-server
Restart=always
RestartSec=5s
[Install]
WantedBy=multi-user.target

10
roles/23b/handlers/main.yml → roles/drone/handlers/main.yml
View File

@ -3,11 +3,11 @@
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart 23b
service: name=23b state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart drone
service: name=drone state=restarted
- name: Restart nginx
service: name=nginx state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

0
roles/23b/meta/main.yml → roles/drone/meta/main.yml
View File

52
roles/drone/tasks/main.yml Normal file
View File

@ -0,0 +1,52 @@
---
- name: Create user
user: name=drone
# TODO install drone to /opt/drone/bin
# currently it is manually compiled
- name: Configure drone
template: src=drone.j2 dest=/etc/default/drone
notify: Restart drone
- name: Install PostgreSQL
apt:
name:
- postgresql
- python3-psycopg2
- name: Configure PostgreSQL database
postgresql_db: name={{ drone_dbname }}
become: true
become_user: postgres
- name: Configure PostgreSQL user
postgresql_user: db={{ drone_dbname }} name={{ drone_dbuser }} password={{ drone_dbpass }} priv=ALL state=present
become: true
become_user: postgres
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ drone_domain }}.key -out /etc/nginx/ssl/{{ drone_domain }}.crt -days 730 -subj "/CN={{ drone_domain }}" creates=/etc/nginx/ssl/{{ drone_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for drone
template: src=certs.j2 dest=/etc/acertmgr/{{ drone_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/drone
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/drone dest=/etc/nginx/sites-enabled/drone state=link
notify: Restart nginx
- name: Install systemd unit
copy: src=drone.service dest=/lib/systemd/system/drone.service
notify:
- Reload systemd
- Restart drone
- name: Enable drone
service: name=drone enabled=yes

6
roles/23b/templates/certs.j2 → roles/drone/templates/certs.j2
View File

@ -1,13 +1,13 @@
---
{{ bk23b_domain }}:
- path: /etc/nginx/ssl/{{ bk23b_domain }}.key
{{ drone_domain }}:
- path: /etc/nginx/ssl/{{ drone_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ bk23b_domain }}.crt
- path: /etc/nginx/ssl/{{ drone_domain }}.crt
user: root
group: root
perm: '400'

10
roles/drone/templates/drone.j2 Normal file
View File

@ -0,0 +1,10 @@
DRONE_AGENTS_ENABLED=true
DRONE_DATABASE_DATASOURCE=postgres://{{ drone_dbuser }}:{{ drone_dbpass }}@127.0.0.1:5432/{{ drone_dbname }}
DRONE_DATABASE_DRIVER=postgres
DRONE_GITEA_SERVER=https://{{ gitea_domain }}
DRONE_GITEA_CLIENT_ID={{ drone_gitea_client }}
DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_secret }}
DRONE_RPC_SECRET={{ drone_secret }}
DRONE_SERVER_HOST={{ drone_domain }}
DRONE_SERVER_PROTO=https
DRONE_USER_CREATE=username:{{ drone_admin }},admin:true

31
roles/drone/templates/vhost.j2 Normal file
View File

@ -0,0 +1,31 @@
server {
listen 80;
listen [::]:80;
server_name {{ drone_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ drone_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ drone_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ drone_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ drone_domain }}.crt;
location / {
client_max_body_size 128M;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:8080;
}
}

0
roles/act_runner/meta/main.yml → roles/drone_runner/meta/main.yml
View File

21
roles/drone_runner/tasks/main.yml Normal file
View File

@ -0,0 +1,21 @@
---
- name: Run runner container
docker_container:
name: runner
image: drone/drone-runner-docker:1
env:
DRONE_RPC_PROTO: "https"
DRONE_RPC_HOST: "{{ drone_domain }}"
DRONE_RPC_SECRET: "{{ drone_secret }}"
DRONE_RUNNER_CAPACITY: "2"
DRONE_RUNNER_NAME: "{{ ansible_fqdn }}"
DRONE_UI_USERNAME: "admin"
DRONE_UI_PASSWORD: "{{ drone_uipass }}"
ports:
- "3000:3000"
pull: yes
restart_policy: unless-stopped
state: started
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"

15
roles/event_web/files/certs
View File

@ -1,15 +0,0 @@
---
eh21.easterhegg.eu engel.eh21.easterhegg.eu:
- path: /etc/nginx/ssl/eh21.easterhegg.eu.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/eh21.easterhegg.eu.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'

68
roles/event_web/files/vhost
View File

@ -1,68 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name eh21.easterhegg.eu;
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://eh21.easterhegg.eu$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name eh21.easterhegg.eu;
ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
root /var/www/eh21;
}
server {
listen 80;
listen [::]:80;
server_name engel.eh21.easterhegg.eu;
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://engel.eh21.easterhegg.eu$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name engel.eh21.easterhegg.eu;
ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
root /var/www/engel/public;
index index.php;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}

7
roles/event_web/handlers/main.yml
View File

@ -1,7 +0,0 @@
---
- name: Restart nginx
service: name=nginx state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

5
roles/event_web/meta/main.yml
View File

@ -1,5 +0,0 @@
---
dependencies:
- { role: acertmgr }
- { role: nginx, nginx_ssl: True }

31
roles/event_web/tasks/main.yml
View File

@ -1,31 +0,0 @@
---
- name: Install dependencies
apt:
name:
- php-fpm
- name: Create vhost directory
file: path=/var/www/eh21 state=directory owner=www-data group=www-data
- name: Create vhost directory
file: path=/var/www/engel state=directory owner=www-data group=www-data
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/eh21.easterhegg.eu.key -out /etc/nginx/ssl/eh21.easterhegg.eu.crt -days 730 -subj "/CN=eh21.easterhegg.eu" creates=/etc/nginx/ssl/eh21.easterhegg.eu.crt
notify: Restart nginx
- name: Configure certificate manager
copy: src=certs dest=/etc/acertmgr/eh21.easterhegg.eu.conf
notify: Run acertmgr
- name: Configure vhosts
copy: src=vhost dest=/etc/nginx/sites-available/www
notify: Restart nginx
- name: Enable vhosts
file: src=/etc/nginx/sites-available/www dest=/etc/nginx/sites-enabled/www state=link
notify: Restart nginx
- name: Start php8.2-fpm
service: name=php8.2-fpm state=started enabled=yes

8
roles/fileserver/templates/smb.conf.j2
View File

@ -42,7 +42,7 @@
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
min protocol = NT1
#### Debugging/Accounting ####
@ -213,7 +213,7 @@
;[printers]
; comment = All Printers
; browseable = no
; path = /var/tmp
; path = /var/spool/samba
; printable = yes
; guest ok = no
; read only = yes
@ -240,5 +240,5 @@
browseable = yes
read only = no
guest ok = yes
create mask = 0660
directory mask = 0770
create mask = 0600
directory mask = 0700

12
roles/freepbx/defaults/main.yml
View File

@ -1,12 +0,0 @@
---
deploy_key_file: /root/.ssh/id_git_deploy_rsa
asterisk_user: asterisk
asterisk_group: asterisk
repo_provisioning: gogs@git.binary-kitchen.de:noby/voip-yealink-provisioning.git
repo_utilities: gogs@git.binary-kitchen.de:noby/voip-yealink-xml-browser.git
path_yealink_provisioning: /tftpboot/yealink
path_yealink_utilities: /opt/yealink_utilities

10
roles/freepbx/handlers/main.yml
View File

@ -1,10 +0,0 @@
---
- name: Reload systemd
ansible.builtin.systemd:
daemon_reload: true
- name: Restart yealink-utilities
ansible.builtin.service:
name: yealink-utilities
state: restarted

8
roles/freepbx/meta/main.yml
View File

@ -1,8 +0,0 @@
---
galaxy_info:
author: Thomas Basler
description: Install FreePBX extensions
license: None
platforms:
- name: Debian
min_ansible_version: "2.4"

20
roles/freepbx/tasks/main.yml
View File

@ -1,20 +0,0 @@
---
- name: Generate an OpenSSH keypair for gitea deploy usage
community.crypto.openssh_keypair:
path: "{{ deploy_key_file }}"
- name: Wait for confirmation
ansible.builtin.pause:
prompt: Please confirm that you've distributed the public key to all repositories! Press return to continue. Press Ctrl+c and then "a" to abort
- name: Install required packages
ansible.builtin.apt:
name:
- php-ldap
- name: Include provisioning tasks
ansible.builtin.include_tasks: yealink_provisioning.yml
- name: Include XML-Utilities tasks
ansible.builtin.include_tasks: yealink_utilities.yml

9
roles/freepbx/tasks/yealink_provisioning.yml
View File

@ -1,9 +0,0 @@
---
- name: Clone Yealink Provisioning data
ansible.builtin.git: # noqa: latest
repo: "{{ repo_provisioning }}"
dest: "{{ path_yealink_provisioning }}"
force: true
accept_hostkey: true
key_file: "{{ deploy_key_file }}"

53
roles/freepbx/tasks/yealink_utilities.yml
View File

@ -1,53 +0,0 @@
---
- name: Install dependencies
ansible.builtin.package:
name: "python3-venv"
state: present
- name: Check if .gitignore contains "{{ path_yealink_utilities }}"
ansible.builtin.command: grep "directory = {{ path_yealink_utilities }}" /root/.gitconfig
register: gitignore_check
ignore_errors: true
- name: "Patch /root/.gitconfig"
ansible.builtin.command: |-
git config --global --add safe.directory {{ path_yealink_utilities }}
when: gitignore_check.rc != 0
- name: Clone Yealink Utilities
ansible.builtin.git: # noqa: latest
repo: "{{ repo_utilities }}"
dest: "{{ path_yealink_utilities }}"
force: true
accept_hostkey: true
key_file: "{{ deploy_key_file }}"
- name: Ensure directory permissions
ansible.builtin.file:
path: "{{ path_yealink_utilities }}"
state: directory
recurse: true
owner: "{{ asterisk_user }}"
group: "{{ asterisk_group }}"
- name: Install specified python requirements in indicated (virtualenv)
ansible.builtin.pip:
requirements: "{{ path_yealink_utilities }}/requirements.txt"
virtualenv: "{{ path_yealink_utilities }}/.venv"
virtualenv_command: 'python3 -m venv'
- name: Install systemd unit
ansible.builtin.template:
src: yealink-utilities.service.j2
dest: /etc/systemd/system/yealink-utilities.service
mode: "0644"
notify:
- Reload systemd
- Restart yealink-utilities
- name: Enable yealink-utilities
ansible.builtin.service:
name: yealink-utilities
state: started
enabled: true

Some files were not shown because too many files have changed in this diff Show More