infra
/
ansible
4
5
Fork 5
Code Issues 6 Pull Requests Activity

Compare commits

base: infra:master
Branches Tags
infra:master
infra:kea
infra:pizza
noby:upgrade_20240315
noby:upgrade_20230123
noby:upgrade_20220721
noby:xrdp
noby:workadventure
noby:master
noby:pizza
..
compare: noby:master
Branches Tags
noby:upgrade_20240315
noby:upgrade_20230123
noby:upgrade_20220721
noby:xrdp
noby:workadventure
noby:master
noby:pizza
infra:master
infra:kea
infra:pizza

No commits in common. "master" and "master" have entirely different histories.
master ... master

231 changed files with 3164 additions and 7864 deletions
Show Stats Expand all files Collapse all files

67
README.md
View File

@ -1,68 +1,11 @@
# Binary Kitchen Ansible Playbooks
This repository contains the roles to setup most of the infrastructure related to the hackspace Binary Kitchen.
This repository contains the roles to setup most of the infrastructure related to the hackerspace Binary Kitchen.
## Usage
## Using
To apply the current set of roles to a single host you can type: `ansible-playbook site.yml -l $hostname`
TBA
It is recommenced to alway run in check mode (`--check`) first and use `--diff` to see what has been (or would be) changed
## Style / Contributing
## Current setup
Currently the following hosts are installed:
### Internal Servers
| Hostname | OS | Purpose |
| ------------------------- | --------- | ----------------------- |
| wurst.binary.kitchen | Proxmox 8 | VM Host |
| salat.binary.kitchen | Proxmox 8 | VM Host |
| weizen.binary.kitchen | Proxmox 8 | VM Host |
| bacon.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| aveta.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| aeron.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| sulis.binary.kitchen | Debian 12 | Shell |
| nabia.binary.kitchen | Debian 12 | Monitoring |
| epona.binary.kitchen | Debian 12 | NetBox |
| pizza.binary.kitchen | Debian 11 | OpenHAB * |
| pancake.binary.kitchen | Debian 12 | XRDP |
| knoedel.binary.kitchen | Debian 12 | SIP-DECT OMM |
| bob.binary.kitchen | Debian 12 | Gitea Actions |
| lasagne.binary.kitchen | Debian 12 | Home Assistant * |
| tschunk.binary.kitchen | Debian 11 | Strichliste |
| bowle.binary.kitchen | Debian 12 | Files |
| lock-auweg.binary.kitchen | Debian 11 | Doorlock |
\*: The main application is not managed by ansible but manually installed
### External Servers
| Hostname | OS | Purpose |
| ----------------------------- | --------- | ----------------------- |
| helium.binary-kitchen.net | Debian 12 | LDAP Master |
| lithium.binary-kitchen.net | Debian 12 | Mail |
| beryllium.binary-kitchen.net | Debian 12 | Web * |
| boron.binary-kitchen.net | Debian 12 | Gitea |
| carbon.binary-kitchen.net | Debian 12 | Jabber |
| nitrogen.binary-kitchen.net | Debian 12 | NextCloud |
| oxygen.binary-kitchen.net | Debian 12 | Shell |
| fluorine.binary-kitchen.net | Debian 12 | Web (div. via Docker) |
| neon.binary-kitchen.net | Debian 12 | Auth. DNS |
| sodium.binary-kitchen.net | Debian 12 | Mattrix |
| magnesium.binary-kitchen.net | Debian 12 | TURN |
| aluminium.binary-kitchen.net | Debian 12 | Zammad |
| krypton.binary-kitchen.net | Debian 12 | PartDB * |
| yttrium.binary-kitchen.net | Debian 12 | Hintervvoidler * |
| zirconium.binary-kitchen.net | Debian 12 | Jitsi |
| molybdenum.binary-kitchen.net | Debian 12 | Telefonzelle * |
| technetium.binary-kitchen.net | Debian 12 | Event CTFd * |
| ruthenium.binary-kitchen.net | Debian 12 | Minecraft * |
| rhodium.binary-kitchen.net | Debian 12 | Event pretix |
| palladium.binary-kitchen.net | Debian 12 | Event pretalx |
| argentum.binary-kitchen.net | Debian 12 | Event Web * |
| cadmium.binary-kitchen.neti | Debian 12 | Event NetBox * |
| barium.binary-kitchen.net | Debian 12 | Workadventure |
\*: The main application is not managed by ansible but manually installed
TBA/TBD

72
group_vars/all/vars.yml
View File

@ -5,14 +5,6 @@ acertmgr_mode: webdir
acme_dnskey_file: /etc/acertmgr/nsupdate.key
acme_dnskey_server: neon.binary-kitchen.net
authentik_domain: auth.binary-kitchen.de
authentik_dbname: authentik
authentik_dbuser: authentik
authentik_dbpass: "{{ vault_authentik_dbpass }}"
authentik_secret: "{{ vault_authentik_secret }}"
bk23b_domain: 23b.binary-kitchen.de
coturn_realm: turn.binary-kitchen.de
coturn_secret: "{{ vault_coturn_secret }}"
@ -22,6 +14,16 @@ dns_axfr_ips:
dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
drone_admin: moepman
drone_domain: drone.binary-kitchen.de
drone_dbname: drone
drone_dbuser: drone
drone_dbpass: "{{ vault_drone_dbpass }}"
drone_uipass: "{{ vault_drone_uipass }}"
drone_secret: "{{ vault_drone_secret }}"
drone_gitea_client: "{{ vault_drone_gitea_client }}"
drone_gitea_secret: "{{ vault_drone_gitea_secret }}"
dss_domain: dss.binary-kitchen.de
dss_secret: "{{ vault_dss_secret }}"
@ -33,8 +35,8 @@ gitea_secret: "{{ vault_gitea_secret }}"
gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
hedgedoc_domain: pad.binary-kitchen.de
hedgedoc_dbname: hedgedoc
hedgedoc_dbuser: hedgedoc
hedgedoc_dbname: hackmd
hedgedoc_dbuser: hackmd
hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
@ -42,7 +44,6 @@ icinga_domain: icinga.binary.kitchen
icinga_dbname: icinga
icinga_dbuser: icinga
icinga_dbpass: "{{ vault_icinga_dbpass }}"
icinga_server: nabia.binary.kitchen
icingaweb_dbname: icingaweb
icingaweb_dbuser: icingaweb
icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
@ -65,27 +66,18 @@ mail_domain: binary-kitchen.de
mail_domains:
- ccc-r.de
- ccc-regensburg.de
- eh21.easterhegg.eu
- makerspace-regensburg.de
mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
mail_server: mail.binary-kitchen.de
mailman_domain: lists.binary-kitchen.de
mail_trusted:
- 213.166.246.0/28
- 213.166.246.37/32
- 213.166.246.45/32
- 213.166.246.46/32
- 213.166.246.47/32
- 213.166.246.250/32
- 2a02:958:0:f6::/124
- 2a02:958:0:f6::37/128
- 2a02:958:0:f6::45/128
- 2a02:958:0:f6::46/128
- 2a02:958:0:f6::47/128
mail_aliases:
- "auweg@binary-kitchen.de venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
- "bbb@binary-kitchen.de boehm.johannes@gmail.com"
- "dasfilament@binary-kitchen.de taxx@binary-kitchen.de"
- "epvpn@binary-kitchen.de noby@binary-kitchen.de"
- "google@binary-kitchen.de vorstand@binary-kitchen.de"
- "info@binary-kitchen.de vorstand@binary-kitchen.de"
@ -95,14 +87,12 @@ mail_aliases:
- "openhab@binary-kitchen.de noby@binary-kitchen.de"
- "orga@ccc-r.de orga@ccc-regensburg.de"
- "orga@ccc-regensburg.de anti@binary-kitchen.de"
- "paypal@binary-kitchen.de ralf@binary-kitchen.de"
- "paypal@binary-kitchen.de timo.schindler@binary-kitchen.de"
- "post@makerspace-regensburg.de vorstand@binary-kitchen.de"
- "pretalx@binary-kitchen.de moepman@binary-kitchen.de"
- "pretix@binary-kitchen.de moepman@binary-kitchen.de"
- "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de"
- "seife@binary-kitchen.de anke@binary-kitchen.de"
- "siebdruck@binary-kitchen.de anke@binary-kitchen.de"
- "vorstand@binary-kitchen.de anke@binary-kitchen.de,christoph@schindlbeck.eu,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
- "vorstand@binary-kitchen.de anti@binary-kitchen.de,avarrish@binary-kitchen.de,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
- "voucher1@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher2@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher3@binary-kitchen.de exxess@binary-kitchen.de"
@ -116,8 +106,6 @@ mail_aliases:
- "voucher11@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher12@binary-kitchen.de exxess@binary-kitchen.de"
- "workshops@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
- "tickets@eh21.easterhegg.eu orga@eh21.easterhegg.eu"
- "hackzuck@eh21.easterhegg.eu kekskruemml@binary-kitchen.de"
matrix_domain: matrix.binary-kitchen.de
matrix_dbname: matrix
@ -137,20 +125,15 @@ nextcloud_dbname: owncloud
nextcloud_dbuser: owncloud
nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
omm_domain: omm.binary.kitchen
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
pretalx_domain: fahrplan.eh21.easterhegg.eu
pretalx_dbname: pretalx
pretalx_dbuser: pretalx
pretalx_dbpass: "{{ vault_pretalx_dbpass }}"
pretalx_mail: pretalx@binary-kitchen.de
pretix_domain: pretix.events.binary-kitchen.de
pretix_domainx: tickets.eh21.easterhegg.eu
pretix_domain: pretix.rc3.binary-kitchen.de
pretix_dbname: pretix
pretix_dbuser: pretix
pretix_dbpass: "{{ vault_pretix_dbpass }}"
pretix_mail: pretix@binary-kitchen.de
pretix_mail: rc3@binary-kitchen.de
prometheus_pve_user: prometheus@pve
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
@ -172,21 +155,4 @@ slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
slapd_root_pass: "{{ vault_slapd_root_pass }}"
slapd_san: ldap.binary.kitchen
sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
sssd_base_user: ou=people,dc=binary-kitchen,dc=de
strichliste_domain: tschunk.binary.kitchen
strichliste_dbname: strichliste
strichliste_dbuser: strichliste
strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
vaultwarden_domain: vault.binary-kitchen.de
vaultwarden_dbname: vaultwarden
vaultwarden_dbuser: vaultwarden
vaultwarden_dbpass: "{{ vault_vaultwarden_dbpass }}"
vaultwarden_token: "{{ vault_vaultwarden_token }}"
vaultwarden_yubico_secret: "{{ vault_vaultwarden_yubico_secret }}"
workadventure_domain: wa.binary-kitchen.de
zammad_domain: requests.binary-kitchen.de

174
group_vars/all/vault.yml
View File

@ -1,106 +1,70 @@
$ANSIBLE_VAULT;1.1;AES256
61333062333563653966393334326633643564313063346266663461633538366662623937373738
3732396164303638643362316564393236353737346235380a666361396631656563303733343032
66396531313139343062363639636334373836306237363733393635346261313832366330303436
6362383638363931380a323066343834363138356662656439343131353330366532626538653434
64663834333563333263356532326262333938613432356233656238313365663661636334333066
63653561316239356638653834646261643564316535306133633832666365383238303364346466
63393164646330623061633039316638656566346663616661633464303237386261316262623533
63306266333063373333323030666264323564663032333637343134306231373964666630333538
63626363383836363639663830643530376361613466613666303933363563663763636635363132
36666432646233313663613563663565313537316164313964656461666336326331303035343062
35323363373130333935373035663635626666613236376261623934366235633738323430666330
33323130363839386331613334636531396665316336376265333231343763656637396437653733
64366565336132333131346463356236343934663332633830373939616434613561613564313837
34333039363962643333343961636165323766343531336465306438306365636137636662303165
35346530313134346432303862643735376331376432616136306537653266333434336663373931
35373235333937646165663238636232656336393330386161636435666637356632333832646137
30333233636266623165663538303639663466363337323330383962383139643532623462663564
63313262366236623232303732373136393139323562313733623763363864646432653037316465
34306261303035306436396262333131366562643166333130393438393636623034656163653131
65363530613064633462633238343834336538353766353766336132303333383164326363316365
31303532363838306338626662313234343134306531353765333237303962303339366233366632
35643565353766353962386135323765356130393731363633373238626332356637363339356437
30386361363837373434363939373361343862393364316537633463653862666164613730306565
36343762326337333235643862626566346235333934656631306461633934306230333365343731
64643835323061613230336234343438383938653761393133656137626434653532636466313439
31363362306539643635386237353466343733616334303762343964636533636662333661653839
34663264613033373965336635663131396334616432653462346634626535393761666237623936
31666439356261303134343938333433323538653337653937333830656163633965353235653539
65353937333463343236636237313736313565613833653530333135623233363564393266353363
33323236643634616263303133663631386638356561373730653930646265616634356364366361
37666362363230313664343633343464383334386539616132636562626465326364353436356338
61383736663733643132656266633837646366343637303264363465633536633962353235303336
38376430343733386631623334386564616264386234613664366631313334626436313865356565
33663433663963653835376666303664656438623337663536376234356465396534306362346162
62323262323933336232376636353831633834656536633666643961396365306464303730626463
36363631336236353730393035613333666465653861373766393731373863353330656366306263
62316636333230366563623836316232323831393233366539363662646564373436623230343761
61626235656438373566646365353761376139383962353635393439666365333332313035653433
64316638363061613561306534616465646661326637633332333734626562353664666432616137
32643636356261613430376535633837646437626132373735323366313738633134303962306163
30366230333533663433616664343862346232363733623239353035656134366437313662353933
32663261663937663437643233383562656537333364643435356639616136623036306231633839
38386631643264636535323766643661626566323661313831326530636532383330633066336130
39306631636433376361636637633135316662306636306137366531333662303238613434333534
35633162316363333934623663303839343366376263343536333563663833323734356566623663
64646437343935306230333034636431396439366237643839363035313164393666616235393034
33323333626537633730303961613263363835343030363331633165663035336633613831326632
35363738336534663934616338363764353562306139613464663533323863326331646464333533
36363962653830613864393565623561646233313135386163623932363865343861313534663234
32313466656532616638376238363937613264346265316135336137363961386161376364343063
33316662343066336438336137353262646264656434333364343334373762303062386165663530
63313666356633633936366162366332333163656164306533356530666166353635616364643830
66336339663737616664616430373162386238636134303137386331393837353462623336663335
34303038323037363165613935376262376464383265323462373638313530396537633031653530
63613135373639623138333635343035303734383932336333303063666662333164643430393637
64393262363235616666303366346137633132313066613731333064346139646361363832343730
39666338303339663665363033653735346130313431306131306261636430396465323937623062
32343433376438623965363338633639383738326561376665623461653539383666636535656663
37353665363663356464366331313236653430313034613733363665633239656361623931646432
30653632643062366333663830326663623766646535666534613933663333366466333033383165
33373039303564656562636432303934383132666665656161323535333930346265623639316366
38393764346265653734373136636538346361363966393732323362323733386631623762313366
63313733653730336536393335623138383365303934303730343136613734663062326166316461
35313363656335643531343561336662663434353031623733353035633063396366376664303364
36643262633832363362306263376135346632386631346432333137623631343234333337643536
35353135303330626663663963366139363265666434363364303266613564373337616564366566
30646635633834616536333361303361313934316434393330333231613038346466306531646537
39303131396562656334303536613964363936643435613035623065323963633764623432373235
37393564626239333761626131643366306131346339356364373061353865653966326362613164
62366562326234303865323934353734613364653161316131363964666439636561663361396239
30353266303764396265656635616462653563613630616537353530613835656333353364333632
39663939376633613133623839353133613066633333633135316132636435363330393966396431
30656638653662356164393038323538643661333734623937653430643931623061666330633631
63323834313733353635363535613666643361356363386465383961626331303435333363396230
37313835633136323134623261626432653965366230656266356333653437386463396563613563
62656562626131336230383965303962383464643832333361343838393338353365663766373031
31633265653262356139323564663834616164313439346133386135333563323264313261336336
39393166613865353164376130303536373931643436633133313361356166393432363631666361
36366537363630333830333432333466363266666636643932636565613738346239383736306533
32333838396638656134643538313033336137316638326232303837386537393737316237356237
62646561333430303765656537373738316131306664626533646461333261306665626336376537
35633736303262656236303230653564386130666362303132646166306432393962306366663432
64353366353839643366376433646661376434313266326665343063653534343531623033316461
37306439373366303236666338616364343163663165626665613761333838333366336238343633
38663066623532353464653164616237353464363539313762396162653139393133323438643331
66306562346136346363396235356264303164636662386166666436316338323462656537386335
36373763313935666539643834653237336130336530653834643263373264353233643938393965
30313637366236383433313161386531623936356161333462636566633036383635616638316434
66313434393365333633336231656536353138303235616439643535376338326262663632313564
65306534356531303835373231623234356337623234366137386437303864643764613731326137
65376337386133353739376661353766343931383135363038353839376666306337323835613935
33303730623132613462363538666638313533333564656164363731323463613230366230373664
31303331396264353162383138643063313737366635333664343836346338353537366362613937
35623934646239356339343339653337656330616565616232633232373036383562393362343332
39316661623563333234656633666365303964366338303862333730656366626533326334613038
39663332623862626230373135623235363064636163373737316262613233663031383366363563
34613730343564373230306237656662636130333736393136366138333864313636343362613631
64636266626637366530363763323930643336313339613930623835326431643663356365353865
35653238333131363262346565653066383834633131303466636232653234363366646635656338
31386163616237316361643134396230386338643339633562376436333238346665363938323462
32336435663138393230366632633132333834303539303439313764623163383661396536383461
31636365633765346262616235336666363932336366373438643531663539333431663231326362
32326230363965356434343833383662393430333535636536323066373439653330373937636565
61306565663734636630633730383736653736383765326638656433646637393033356665633831
66353338633833346436666134343465623236626339613363623834333261313531
34303237313431646264363034353637613836633432633638333963363037663435626166663630
6338393164366434386334313664386166373031326538350a396639373163646666376462373662
36623863356436356635303263643239666162333863613831326630303363346137653234323838
3639623464303131350a653162336338626665393534623063623330323162373935353939303631
64333363373563343336643764306563376461393430643631366133353836646363363166653233
38323331386165366334656630626138383131323664333266353164323164373364303161653365
30333339646139626434636365653666636534346266636262613938656665343634363563663366
32306663653930613762663534613635616663613130613933626331663861643439323664353739
31316531653562646363376233636464396262313132343234303933343066373862633235383333
31313431336464663163343835646430323664373166363465343037333130343636646363393231
34613162386637306539663431636137353039383037333937613035393332353933333134346335
31616561636533383639366634316164343466613634643130353437393664336332316132363934
61333961613530333536613034386332646136313939356339633334353333326661393231343261
62653463316662376134663965383030636639356637393237653362616561616238653637623039
65653139373633323766356362613239316165393966623932346561363363393138653032366439
64303463306132363261333936653763353833386337303763316362666134306264306464306362
30343364393539636565633861386261373661623061333733353635336133373162636465376137
61316465306534623337383631663538336632383832343132333862316336323961623637383838
65363832646138376233653264373535633437376162326361313863333839343236343966393839
32323361666264373466396130666465303032393364633134343264643731323438646562333361
63376266616430643135326430366266633332633333646134313736316139386232333965346331
61663964653931333730643435303637666563316133373831336566303361383736666139626562
38623031303533396632613361323533313334333631316434646232383136393433323466383330
65666530616466623933393936613963663766653361643733326330643162346635613835633736
64393064326233313035316130353563623639303665623064303831376332353264633930363364
33623137353130353962323964396130646230393335386434346130663064613434643136656466
63623666376165653961666539383335356163316131353966613036643530663835313766366533
31656633633331636535316234653561326465623562393632623062383935336530383133626236
66323366306366623631373861346635303063376264613734643039363137613837333534616362
37633462373538313562666639613031343866383234633438373936623437333666343731633735
33386666313531613734643431333332346439386465303531306365386537613933623636643237
35653434303433633533356662623965383133383838613361303832326130343938393561393935
38313533643830633432303464306561643233303866316130616531623230393366323264626165
33653230366138376533376166393466656233353061343338393433386332333361353063323634
66366561646466616566336265363037616433616231353739613538633765343235323637303535
34373739306130313536633338353130656632666536356535636265333335303730333031323436
39633466353139663361646265656334633461346564616633643030383662353762643237333761
31326435313361366163353836633535303462623533373363376433613139373135393566333937
64313838373366383432376430643236633030623736643435363038616261333364366139666435
66623661643032633931623539383136373138636333323737323165333831333764363137393562
62663335353265353535643666356632663736343039333965653639653764646261323736313430
39656366356130326363363133383062333530316165643430383161306135346663623861313030
65346430353230363561633239623330623265666336616133326263323063333132323764343735
63346230373339343062393035356565376265643463326366326535313130663163366435323339
62363339313332663333653336633331343161363432393639316630633365643037653739613132
63316662336630626366363662333061353539333133653732646330643065333430316333316131
33363662653465306531666435363932663432373932353466383364383634643634313736303931
63353632353836663263616137353031643238663632363563656137313961656534663137613061
37636530306334613639326363383665373061383634326630653366386632636634653638653330
32366438623635363833343566353365373762646162393637326433656438663066663766333761
65363136666238623439663764363266363731613261326566653035303265623736353331376562
36646435353134613363316236383938613032626562646237366337376433326334386330646266
66333365323133616466646164353262653830313764376562636164326163623463373863373630
31623264373330386136396130626133323762363262336337396562613166646132386362383635
61333637373462316463303962396162383039373265303939306132323533393236343965613835
32646361383938383337653264323766363130613264613463386432306238316531653437323939
39353866313834393933623630303539633334663239343865313264616664656464646631623934
33623230643633353361343965396236393939343765653161643530626133663236383135343934
37353231626339323866613237663463656239326335643035313730363133616538613866386162
65623335393462633130353965343533616261636261656162626639323231623934663765386166
37353665643363386662646538306530326161653461393236616531343935393639386432633437
63643561646337616138633063646261323937333262333535626235373561336339346661353365
30396365376566616538353866383266666436636131656535363062633237313266366639373536
64316435316234313365306332383637636263376563393464303566313566636238626434393364
62316263353733636136393034616362643764346536373533363937633938383037376261656330
30333738616232616566643335353161636466643830393464643263653633373662623437643332
61396430636631396134393064633131636233653664373363386638366138343435613438303330
61366234663461333331623961393834643233623862323861346163343934303838666232626639
6139

2
group_vars/auweg
View File

@ -5,8 +5,6 @@ dhcpd_primary: 172.23.13.3
dns_primary: 172.23.13.3
doorlock_domain: lock-auweg.binary.kitchen
name_servers:
- 172.23.13.3

1
host_vars/aeron.binary.kitchen
View File

@ -3,5 +3,4 @@
radius_hostname: radius3.binary.kitchen
slapd_hostname: ldap3.binary.kitchen
slapd_replica_id: 3
slapd_role: slave

6
host_vars/argentum.binary-kitchen.net
View File

@ -1,6 +0,0 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyGAePGA47K+VNFcKdvcQG3xM3ywcnrVtUD7wPrIin1 christoph"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINIhrQu5sf9LYoQ6ll1ShqDMX8xpsV9RUiaSw95JGafH flo@io3"

1
host_vars/aveta.binary.kitchen
View File

@ -3,5 +3,4 @@
radius_hostname: radius2.binary.kitchen
slapd_hostname: ldap2.binary.kitchen
slapd_replica_id: 2
slapd_role: slave

1
host_vars/bacon.binary.kitchen
View File

@ -13,5 +13,4 @@ ntp_peers:
radius_hostname: radius1.binary.kitchen
slapd_hostname: ldap1.binary.kitchen
slapd_replica_id: 1
slapd_role: slave

4
host_vars/fluorine.binary-kitchen.net
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"

4
host_vars/knoedel.binary.kitchen
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

1
host_vars/krypton.binary-kitchen.net
View File

@ -2,4 +2,3 @@
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

11
host_vars/lasagne.binary.kitchen
View File

@ -1,11 +0,0 @@
---
root_keys_host:
- "# Thomas Basler"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
- "# Ralf Ramsauer"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
uau_reboot: "false"

5
host_vars/lock-auweg.binary.kitchen
View File

@ -1,5 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAkXY3fQFMG7LkTBWtBNY7q7RCwb/R4Z8Y96e3pToddfXbtmtVxMZfd6hC+3kGt3NnPYDFmZf/RXblNBPwL/n8bEjA0bmfU60LMjFT0mG99bLU+5CgDxaSf34jzgtzLbHKqeSYxNpXNebbDZRw+cxuDjxJ+lYbc/hNQTy6hqKXUSQ25LAqplKVYbxlPWPxxKnJCvWj2pCdJGj1EK/Y+saafNOhA7uEPNt8HtWWNMhxNi+P9OkkLpYqRM8V0miR7aAYOY+RllMn+H5DIJg2gk319AHhlBDP7NXd/tmWg+bI7xYPDe9Q6gMrV8OnQmuNjWsLNhp8ktwQxpsv71t6ztXLpceIkV9yfDSeBpZG5QnsMOy/ua91S6hmMg4bIEBsqkPUYEwEIDFaV0TrlKeXMkU+ovthZnw0CWgV5KEWDHtuGu8nBBpks/geclh+0yqeFEaacnlTTNEhvCcp7vOsqDJnZSn1L4O6C+u/A4NJGRH7XQMWrXBdeTVIT9KLsdZJsoPIH8BRaw/qOYPY6wZzHcLvrsayUBBiiLDIN1lE/3OV70dKX7F0Q7hyl8o9EoGdEYnGBonWGC58hroiAE4FTVdWLKtHzHSG2AdTWf53sJzGVEh5swm44KD/Dh52bE4YjUxC0b68Twb3/L1QpH8KZNUVEcRNmiRshefMPSXbPv3bNzc= 20170818Tobias@Teubl.de"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

3
host_vars/magnesium.binary-kitchen.net
View File

@ -1,3 +0,0 @@
---
acertmgr_mode: standalone

1
host_vars/molybdenum.binary-kitchen.net
View File

@ -4,4 +4,3 @@ grafana_domain: zelle.binary-kitchen.de
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

3
host_vars/oxygen.binary-kitchen.net
View File

@ -1,4 +1,3 @@
---
sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
sshd_password_authentication: "yes"
uau_reboot: "false"

4
host_vars/pancake.binary.kitchen
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

3
host_vars/pizza.binary.kitchen
View File

@ -4,7 +4,8 @@ root_keys_host:
- "# Thomas Basler"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
- "# Ralf Ramsauer"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2bKOm2jd2QsPaJPE4V3bHBLjXB3pnpggkdEhf03aFvB08C72vKQcHpIYNhp8DLBr4N5epA0JP1cXdRSdKhQgzYbqL8CQgOJoNwf0OeOhFyXdThu1OqmaRMrRGlB/Q+sqBEXaknHqcXzq+24zkR+ID7sGkq7WaIKPln0qNY5RxWYrPE98ZhU5fZh1Qorcv34UBHYhVP4y8vM43LHcbkLgr0gg9tb2vItF6YvyIxgtz6KCODObzBZfkLLnVhVcb9VWbDh72rIz4OXI1fl+mCCH2l7XlqKP1vhF5LVsUjPcGY3Go0fw2vHIyxWe479OJ/9elFnKRIUY/f1Xz+YikLTmj ralf@YUBIKEY"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

4
host_vars/rhodium.binary-kitchen.net
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

2
host_vars/ruthenium.binary-kitchen.net
View File

@ -2,6 +2,6 @@
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
uau_reboot: "false"

4
host_vars/strontium.binary-kitchen.net Normal file
View File

@ -0,0 +1,4 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkN1eqP1Mv29z0npVznVJ4Cumyf4EoqS44xHKl0ms0e timo@charon"

4
host_vars/sulis.binary.kitchen
View File

@ -1,4 +0,0 @@
---
sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
sshd_password_authentication: "yes"

3
host_vars/technetium.binary-kitchen.net
View File

@ -1,5 +1,4 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBMLLlnlzbf5GTes2QrxuOTAR0BWTtbqQS80yPfI0mbh timo@styx"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7oyUa65KoSuv9l8tH/zVgZZ5mg5P45RIhlRZSt/amL x70b1"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcoIXTF0RtzM2vDir8axegFpLKNxGJyYNLj2triQm59GIvNRPHG/nBoaDcUwRT5b6Ew91KMw6iT1eI0n9oKbTMHZHvdSLLUmNmZT4z4JQOQm0n415ZW9m1r3R3S8sAxiLQ+5U91xnbHlzfuBKvpI56RLZNbkhAcqw9kS/UasO0UAFpdGL5CBnbJt0KPb4C9cYUM6H4clZFpWVDdK3+6gh+/Jx9QPmpPv0wfWI7z0fvQYUcXDFLjPh8CFK7BOcPZcv4V4bl5Tq1dTURMLaueTD0F5Ygn7cxKaDNvql4EIPDZaRCEz3cIvFB7435emRgZC54YmhWIYC+oJrLTlMCrYKhISLtWg92EcE/aCUNL0V+n1EK5dkds+AY/eDiyP58ArAHNsopXmcHiko3goyZyEK5Y0tJ5sA9L4Q0mgLz/rW1CsZHcpiYU9yKpDRscbf3DDlFMzMYG8O9JufgcyF+GFhxIhXesfjJ4gDNepaYhd/qutwThip027cKtoczLAMR2xbT6bUYr7KKmxvXVlP7Epkfi3N2cj/Wx9gAm1qIs1yjcWCe71k1QMC+dTNTV+T9Ch5d1lji7lGOKDl70rB/WytdISVlEJr8TviBk27oldCuC1WCPGjRxWeGv5uVxE9O7nQh0dxox+HFssa7ENuDR9LEd9O6Zvuf09pzDASB0PjFyw== bedah@binary-kitchen.de"

7
host_vars/tschunk.binary.kitchen
View File

@ -1,7 +0,0 @@
---
root_keys_host:
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
uau_reboot: "true"

5
host_vars/yttrium.binary-kitchen.net
View File

@ -1,6 +1,5 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDetxImx0c/Fald9Y2wIHNJCi356rfskVUBT/SGH64N1HVZGBZhlWkeKJkCCufm3jLXdjJrlFDFlP0EjbohR6SP3VVf8Z7zAoazCtxWq0dyjPDvOjUrIuBeILbXZu0Q+qmFHPwvp5vR2wWFUwNLl1Te3CNSzQnn2KxOXfeZ56cDogzonlxh5JXDd0JWpINAuLp7uR6IshfmEMKsyCGjqzMUJ9YCztzkI9TJYDc4xitmQTvea44hRhyeIRf2ip8YlHnEIpJ9i712CQ5UEHBZUfy2gZwoLW0yYy9HJucF2A5gzvoUQ1wjA9/irlGiabKq6rOyT4ezBSoZZLEBIa6GU4qKMc1rE4Hnifi0AUnQ+4MqrCCu2QTJGNvyYzNt2XtkjakN3gtlz5xCsYV08PEB4VjAFVIa1yku66UblAW5KqixfE4mU7Z29b8faF5Ld7XO1tlNgiuHih7+JoQiwJ+auULYwRX1C2v6fAEU3PGU73VT3TZJTa5IS+fkTWzn643atxklP6Lmo8hrZIS0NXIr22OP1zYuCZm5/JLDhe0qOCYd8YQU2dNww4OUZ1uMLNOM+0UJvCHbWdjw8amR58yO5W83xp0qLHGUFjDpgvuP4ius4gvwjlhFdSVYRGwr2intLitXvOf3btjBJKUDIN0VM4MFzkvyUyCOgBgEkdCBvI7g4w== philmacfly"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8MB80WTE9ZW/mGRdPWjkpiupvoSGVnmK9wvOqm6xpwDwZkD52RGfiWQW2IbJObCLGJxoigSi4lVvrJD6MWjXAsj5Foq1H3Ok+xJET2zfWMf4s/0uStSS9kaJ/gI6Qd5jMsnz1xATTInWAHIK7u3I4trt81FWkXQdfRSNC0mPh/PYBsXzwgx/m5s3o1nUtcIBXFZUeGNnhSSf1As0Wi0Bsv3GXIIDH4b4cIi7aGHqGuaes2cTUW1r0RspUVI139Gx2O4mgv4JE/n61t/4AzfYGoaszoqPCHQt5LR8Wd/XIaPLwnM1kzo4QVqNgqkY/awryt9IPoAFqJBbIvP0Bt3irGOPrdl7e7KcV55a9gPpCmz+bVaQO2oBmQ34AsZFg9tCP26OmViQu0Lx14vWWYDFkxzCxCDDngo6+f+e5AsyAjO2pHz/ZKv/VE5P3y8CnadHG88cO0qeoI6VH4jjGk5GYYrVD4BHf8StlvAg8unwMlYchuvaKLtQyQXFW40ww4VDdPo6KSv5T5a6SozEzRtN2QKRLyxIz68xVnKYq4TanR2lsm6wecUSriV48qscglokcTKJspWD29DQ62dMt5xFDtM8i9dE8W3SUePB8qPTBK9LUrO8PkGjb0X/RgMZB5bCWBmz4I1G1X+9Y8OLpr4NKGP9UFntYtJ3tpMCHtPgf4Q== philmacfly"

13
hosts
View File

@ -6,17 +6,12 @@ sulis.binary.kitchen ansible_host=172.23.2.5
nabia.binary.kitchen ansible_host=172.23.2.6
epona.binary.kitchen ansible_host=172.23.2.7
pizza.binary.kitchen ansible_host=172.23.2.33
pancake.binary.kitchen ansible_host=172.23.2.34
knoedel.binary.kitchen ansible_host=172.23.2.35
bob.binary.kitchen ansible_host=172.23.2.37
lasagne.binary.kitchen ansible_host=172.23.2.38
tschunk.binary.kitchen ansible_host=172.23.2.39
bowle.binary.kitchen ansible_host=172.23.2.62
salat.binary.kitchen ansible_host=172.23.9.61
[auweg]
weizen.binary.kitchen ansible_host=172.23.12.61
aeron.binary.kitchen ansible_host=172.23.13.3
lock-auweg.binary.kitchen ansible_host=172.23.13.12
weizen.binary.kitchen ansible_host=172.23.12.61
[fan_rz]
helium.binary-kitchen.net
lithium.binary-kitchen.net
@ -28,16 +23,10 @@ oxygen.binary-kitchen.net
fluorine.binary-kitchen.net
neon.binary-kitchen.net
sodium.binary-kitchen.net
magnesium.binary-kitchen.net
aluminium.binary-kitchen.net
krypton.binary-kitchen.net
yttrium.binary-kitchen.net
zirconium.binary-kitchen.net
molybdenum.binary-kitchen.net
technetium.binary-kitchen.net
ruthenium.binary-kitchen.net
rhodium.binary-kitchen.net
palladium.binary-kitchen.net
argentum.binary-kitchen.net
cadmium.binary-kitchen.net
barium.binary-kitchen.net

49
roles/23b/tasks/main.yml
View File

@ -1,49 +0,0 @@
---
- name: Install packages
apt:
name:
- docker-compose
- name: Create 23b group
group: name=23b
- name: Create 23b user
user:
name: 23b
home: /opt/23b
shell: /bin/bash
group: 23b
groups: docker
# docker-compolse.yml is managed outside ansible
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ bk23b_domain }}.key -out /etc/nginx/ssl/{{ bk23b_domain }}.crt -days 730 -subj "/CN={{ bk23b_domain }}" creates=/etc/nginx/ssl/{{ bk23b_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for 23b
template: src=certs.j2 dest=/etc/acertmgr/{{ bk23b_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/23b
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/23b dest=/etc/nginx/sites-enabled/23b state=link
notify: Restart nginx
- name: Systemd unit for 23b
template: src=23b.service.j2 dest=/etc/systemd/system/23b.service
notify:
- Reload systemd
- Restart 23b
- name: Start the 23b service
service: name=23b state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ bk23b_domain }}"

28
roles/23b/templates/23b.service.j2
View File

@ -1,28 +0,0 @@
[Unit]
Description=23b service using docker compose
Requires=docker.service
After=docker.service
Before=nginx.service
[Service]
Type=simple
User=23b
Group=23b
Restart=always
TimeoutStartSec=1200
WorkingDirectory=/opt/23b/23b/23b
# Make sure no old containers are running
ExecStartPre=/usr/bin/docker-compose down -v
# Compose up
ExecStart=/usr/bin/docker-compose up
# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker-compose down -v
[Install]
WantedBy=multi-user.target

36
roles/23b/templates/vhost.j2
View File

@ -1,36 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name {{ bk23b_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ bk23b_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ bk23b_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ bk23b_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ bk23b_domain }}.crt;
# set max upload size
client_max_body_size 8M;
location / {
proxy_pass http://localhost:5000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

7
roles/act_runner/defaults/main.yml
View File

@ -1,7 +0,0 @@
---
actrunner_user: act_runner
actrunner_group: act_runner
actrunner_version: 0.2.10
actrunner_url: https://gitea.com/gitea/act_runner/releases/download/v{{ actrunner_version }}/act_runner-{{ actrunner_version }}-linux-amd64

7
roles/act_runner/handlers/main.yml
View File

@ -1,7 +0,0 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart act_runner
service: name=act_runner state=restarted

35
roles/act_runner/tasks/main.yml
View File

@ -1,35 +0,0 @@
---
- name: Create group
group: name={{ actrunner_group }}
- name: Create user
user: name={{ actrunner_user }} home=/var/lib/act_runner group={{ actrunner_group }} groups=docker
- name: Create directories
file: path={{ item }} state=directory owner={{ actrunner_user }} group={{ actrunner_group }}
with_items:
- /etc/act_runner
- /var/lib/act_runner
- name: Download act_runner binary
get_url: url={{ actrunner_url }} dest=/usr/local/bin/act_runner-{{ actrunner_version }} mode=0755
register: runner_download
- name: Symlink act_runner binary
file: src=/usr/local/bin/act_runner-{{ actrunner_version }} dest=/usr/local/bin/act_runner state=link
when: runner_download.changed
notify: Restart act_runner
- name: Configure act_runner
template: src=config.yaml.j2 dest=/etc/act_runner/config.yaml owner={{ actrunner_user }} group={{ actrunner_group }}
notify: Restart act_runner
- name: Install systemd unit
template: src=act_runner.service.j2 dest=/lib/systemd/system/act_runner.service
notify:
- Reload systemd
- Restart act_runner
- name: Enable act_runner
service: name=act_runner state=started enabled=yes

16
roles/act_runner/templates/act_runner.service.j2
View File

@ -1,16 +0,0 @@
[Unit]
Description=Gitea Actions runner
Documentation=https://gitea.com/gitea/act_runner
After=docker.service
[Service]
ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
ExecReload=/bin/kill -s HUP $MAINPID
WorkingDirectory=/var/lib/act_runner
TimeoutSec=0
RestartSec=10
Restart=always
User={{ actrunner_user }}
[Install]
WantedBy=multi-user.target

86
roles/act_runner/templates/config.yaml.j2
View File

@ -1,86 +0,0 @@
log:
# The level of logging, can be trace, debug, info, warn, error, fatal
level: warn
runner:
# Where to store the registration result.
file: .runner
# Execute how many tasks concurrently at the same time.
capacity: 4
# Extra environment variables to run jobs.
envs:
# Extra environment variables to run jobs from a file.
# It will be ignored if it's empty or the file doesn't exist.
env_file: .env
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 3h
# Whether skip verifying the TLS certificate of the Gitea instance.
insecure: false
# The timeout for fetching the job from the Gitea instance.
fetch_timeout: 5s
# The interval for fetching the job from the Gitea instance.
fetch_interval: 2s
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
# Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
# If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `deamon`, will use labels in `.runner` file.
labels: [
"ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest",
"ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04",
"ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04",
]
cache:
# Enable cache server to use actions/cache.
enabled: true
# The directory to store the cache data.
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
dir: ""
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
host: ""
# The port of the cache server.
# 0 means to use a random available port.
port: 0
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
external_server: ""
container:
# Specifies the network to which the container will connect.
# Could be host, bridge or the name of a custom network.
# If it's empty, act_runner will create a network automatically.
network: ""
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: false
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options:
# The parent directory of a job's working directory.
# If it's empty, /workspace will be used.
workdir_parent:
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes: []
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: ""
# Pull docker image(s) even if already present
force_pull: false
host:
# The parent directory of a job's working directory.
# If it's empty, $HOME/.cache/act/ will be used.
workdir_parent:

13
roles/authentik/handlers/main.yml
View File

@ -1,13 +0,0 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart authentik
service: name=authentik state=restarted
- name: Restart nginx
service: name=nginx state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

51
roles/authentik/tasks/main.yml
View File

@ -1,51 +0,0 @@
---
- name: Install packages
apt:
name:
- docker-compose
- name: Create authentik group
group: name=authentik
- name: Create authentik user
user:
name: authentik
home: /opt/authentik
shell: /bin/bash
group: authentik
groups: docker
- name: Configure authentik container
template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml
notify: Restart authentik
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ authentik_domain }}.key -out /etc/nginx/ssl/{{ authentik_domain }}.crt -days 730 -subj "/CN={{ authentik_domain }}" creates=/etc/nginx/ssl/{{ authentik_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for authentik
template: src=certs.j2 dest=/etc/acertmgr/{{ authentik_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/authentik
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/authentik dest=/etc/nginx/sites-enabled/authentik state=link
notify: Restart nginx
- name: Systemd unit for authentik
template: src=authentik.service.j2 dest=/etc/systemd/system/authentik.service
notify:
- Reload systemd
- Restart authentik
- name: Start the authentik service
service: name=authentik state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ authentik_domain }}"

28
roles/authentik/templates/authentik.service.j2
View File

@ -1,28 +0,0 @@
[Unit]
Description=authentik service using docker compose
Requires=docker.service
After=docker.service
Before=nginx.service
[Service]
Type=simple
User=authentik
Group=authentik
Restart=always
TimeoutStartSec=1200
WorkingDirectory=/opt/authentik
# Make sure no old containers are running
ExecStartPre=/usr/bin/docker-compose down -v
# Compose up
ExecStart=/usr/bin/docker-compose up
# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker-compose down -v
[Install]
WantedBy=multi-user.target

15
roles/authentik/templates/certs.j2
View File

@ -1,15 +0,0 @@
---
{{ authentik_domain }}:
- path: /etc/nginx/ssl/{{ authentik_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ authentik_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'

75
roles/authentik/templates/docker-compose.yml.j2
View File

@ -1,75 +0,0 @@
---
version: "3.4"
services:
postgresql:
image: docker.io/library/postgres:12-alpine
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- ./database:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: {{ authentik_dbpass }}
POSTGRES_USER: {{ authentik_dbuser }}
POSTGRES_DB: {{ authentik_dbname }}
redis:
image: docker.io/library/redis:alpine
command: --save 60 1 --loglevel warning
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
- ./redis:/data
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.7}
restart: unless-stopped
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
volumes:
- ./media:/media
- ./custom-templates:/templates
ports:
- "127.0.0.1:9000:9000"
depends_on:
- postgresql
- redis
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.7}
restart: unless-stopped
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
# `user: root` and the docker socket volume are optional.
# See more for the docker socket integration here:
# https://goauthentik.io/docs/outposts/integrations/docker
# Removing `user: root` also prevents the worker from fixing the permissions
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
# (1000:1000 by default)
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./media:/media
- ./certs:/certs
- ./custom-templates:/templates
depends_on:
- postgresql
- redis

41
roles/authentik/templates/vhost.j2
View File

@ -1,41 +0,0 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
server_name {{ authentik_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ authentik_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ authentik_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ authentik_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ authentik_domain }}.crt;
location / {
proxy_pass http://localhost:9000;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}

2
roles/bk_dss/defaults/main.yml
View File

@ -1,4 +1,4 @@
---
dss_uwsgi_port: 5001
dss_version: 0.8.5
dss_version: 0.8.4

5
roles/bk_dss/tasks/main.yml
View File

@ -44,8 +44,3 @@
- name: Enable vhosts
file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
notify: Restart nginx
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ dss_domain }}"

6
roles/bk_dss/templates/config.cfg.j2
View File

@ -1,14 +1,12 @@
DEBUG = True
REMEMBER_COOKIE_SECURE = True
SECRET_KEY = "{{ dss_secret }}"
SESSION_COOKIE_SECURE = True
SESSION_TIMEOUT = 3600
LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
LDAP_URI = "{{ ldap_uri }}"
LDAP_BASE = "{{ ldap_base }}"
ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=anke,ou=people,dc=binary-kitchen,dc=de", "cn=toffy,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=marove,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
@ -30,7 +28,7 @@ USER_ATTRS = {
'userPassword' : '{pass}'
}
GROUP_FILTER = "(objectClass=posixGroup)"
GROUP_DN = 'cn=members,ou=groups,dc=binary-kitchen,dc=de'
REDIS_HOST = "127.0.0.1"
REDIS_PASSWD = None

3
roles/common/defaults/main.yml
View File

@ -6,6 +6,3 @@ logrotate_excludes:
- "/etc/logrotate.d/dbconfig-common"
- "/etc/logrotate.d/btmp"
- "/etc/logrotate.d/wtmp"
sshd_password_authentication: "no"
sshd_permit_root_login: "prohibit-password"

4261
roles/common/files/.zshrc
View File

File diff suppressed because it is too large Load Diff

3
roles/common/handlers/main.yml
View File

@ -6,9 +6,6 @@
- name: Restart journald
service: name=systemd-journald state=restarted
- name: Restart sshd
service: name=sshd state=restarted
- name: update-grub
command: update-grub

27
roles/common/tasks/Debian.yml
View File

@ -5,7 +5,6 @@
name:
- apt-transport-https
- dnsutils
- fdisk
- gnupg2
- htop
- less
@ -16,7 +15,6 @@
- rsync
- sudo
- vim-nox
- wget
- zsh
- name: Install software on KVM VMs
@ -30,10 +28,10 @@
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- { src: '.zshrc', dest: '/root/.zshrc' }
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
- { src: 'motd', dest: '/etc/motd' }
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
- name: Set shell for root user
user: name=root shell=/bin/zsh
@ -54,8 +52,8 @@
- name: Prevent normal users from running su
lineinfile:
path: /etc/pam.d/su
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
line: "auth required pam_wheel.so"
regexp: '^.*auth\s+required\s+pam_wheel.so$'
line: 'auth required pam_wheel.so'
- name: Configure journald retention
lineinfile:
@ -90,25 +88,16 @@
set_fact:
logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
- name: "Set logrotate.d/* to daily"
- name: 'Set logrotate.d/* to daily'
replace:
path: "{{ item }}"
regexp: "(?:weekly|monthly)"
replace: "daily"
loop: "{{ logrotateconfigpaths }}"
- name: "Set /etc/logrotate.d/* rotation to 7"
- name: 'Set /etc/logrotate.d/* rotation to 7'
replace:
path: "{{ item }}"
regexp: "rotate [0-9]+"
replace: "rotate 7"
loop: "{{ logrotateconfigpaths }}"
- name: Configure sshd
template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: '0644'
notify: Restart sshd

8
roles/common/tasks/Proxmox.yml
View File

@ -15,10 +15,10 @@
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- { src: '.zshrc', dest: '/root/.zshrc' }
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
- { src: 'motd', dest: '/etc/motd' }
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
- name: Set shell for root user
user: name=root shell=/bin/zsh

8
roles/common/tasks/main.yml
View File

@ -2,20 +2,20 @@
- name: Cleanup
apt: autoclean=yes
when: ansible_os_family == "Debian"
when: ansible_os_family == 'Debian'
- name: Gather package facts
package_facts:
manager: apt
when: ansible_os_family == "Debian"
when: ansible_os_family == 'Debian'
- name: Proxmox
include: Proxmox.yml
when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages
when: ansible_os_family == 'Debian' and 'pve-manager' in ansible_facts.packages
- name: Debian
include: Debian.yml
when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
when: ansible_os_family == 'Debian' and 'pve-manager' not in ansible_facts.packages
- name: Setup chrony
include: chrony.yml

8
roles/common/templates/chrony.conf.j2
View File

@ -1,9 +1,6 @@
# Welcome to the chrony configuration file. See chrony.conf(5) for more
# information about usable directives.
# Include configuration files found in /etc/chrony/conf.d.
confdir /etc/chrony/conf.d
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
@ -26,9 +23,6 @@ keyfile /etc/chrony/chrony.keys
# information.
driftfile /var/lib/chrony/chrony.drift
# Save NTS keys and cookies.
ntsdumpdir /var/lib/chrony
# Uncomment the following line to turn logging on.
#log tracking measurements statistics
@ -39,7 +33,7 @@ logdir /var/log/chrony
maxupdateskew 100.0
# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
# real-time clock. Note that it cant be used along with the 'rtcfile' directive.
rtcsync
# Step the system clock instead of slewing it if the adjustment is larger than

132
roles/common/templates/sshd_config.j2
View File

@ -1,132 +0,0 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin {{ sshd_permit_root_login }}
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
{% if sshd_authkeys_command is defined and sshd_authkeys_command %}
AuthorizedKeysCommand {{ sshd_authkeys_command }}
{% if sshd_authkeys_user is defined and sshd_authkeys_user %}
AuthorizedKeysCommandUser {{ sshd_authkeys_user }}
{% else %}
AuthorizedKeysCommandUser nobody
{% endif %}
{% else %}
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
{% endif %}
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication {{ sshd_password_authentication }}
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

6
roles/coturn/handlers/main.yml
View File

@ -1,10 +1,4 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart coturn
service: name=coturn state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

4
roles/coturn/meta/main.yml
View File

@ -1,4 +0,0 @@
---
dependencies:
- { role: acertmgr }

22
roles/coturn/tasks/main.yml
View File

@ -3,28 +3,6 @@
- name: Install coturn
apt: name=coturn
- name: Create coturn service override directory
file: path=/etc/systemd/system/coturn.service.d state=directory
- name: Configure coturn service override
template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
notify:
- Reload systemd
- Restart coturn
- name: Create gitea directories
file: path={{ item }} state=directory owner=turnserver
with_items:
- /etc/turnserver
- /etc/turnserver/certs
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
notify: Run acertmgr
- name: Configure coturn
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:

15
roles/coturn/templates/certs.j2
View File

@ -1,15 +0,0 @@
---
{{ coturn_realm }}:
- path: /etc/turnserver/certs/{{ coturn_realm }}.key
user: turnserver
group: turnserver
perm: '400'
format: key
action: '/usr/sbin/service coturn restart'
- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
user: turnserver
group: turnserver
perm: '400'
format: crt,ca
action: '/usr/sbin/service coturn restart'

2
roles/coturn/templates/coturn.override.j2
View File

@ -1,2 +0,0 @@
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE

21
roles/coturn/templates/turnserver.conf.j2
View File

@ -15,7 +15,7 @@
# Note: actually, TLS & DTLS sessions can connect to the
# "plain" TCP & UDP port(s), too - if allowed by configuration.
#
listening-port=443
#listening-port=3478
# TURN listener port for TLS (Default: 5349).
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
@ -27,7 +27,7 @@ listening-port=443
# TLS version 1.0, 1.1 and 1.2.
# For secure UDP connections, Coturn supports DTLS version 1.
#
tls-listening-port=443
#tls-listening-port=5349
# Alternative listening port for UDP and TCP listeners;
# default (or zero) value means "listening port plus one".
@ -125,10 +125,7 @@ tls-listening-port=443
#
# By default, this value is empty, and no address mapping is used.
#
external-ip={{ ansible_default_ipv4.address }}
{% if ansible_default_ipv6.address is defined %}
external-ip={{ ansible_default_ipv6.address }}
{% endif %}
#external-ip=60.70.80.91
#
#OR:
#
@ -402,17 +399,17 @@ realm={{ coturn_realm }}
# Uncomment if no TCP client listener is desired.
# By default TCP client listener is always started.
#
#no-tcp
no-tcp
# Uncomment if no TLS client listener is desired.
# By default TLS client listener is always started.
#
#no-tls
no-tls
# Uncomment if no DTLS client listener is desired.
# By default DTLS client listener is always started.
#
#no-dtls
no-dtls
# Uncomment if no UDP relay endpoints are allowed.
# By default UDP relay endpoints are enabled (like in RFC 5766).
@ -749,6 +746,6 @@ mobility
# Do not allow an TLS/DTLS version of protocol
#
#no-tlsv1
#no-tlsv1_1
#no-tlsv1_2
no-tlsv1
no-tlsv1_1
no-tlsv1_2

67
roles/dhcpd/templates/dhcp/dhcpd.conf.j2
View File

@ -6,15 +6,6 @@ option domain-name-servers {{ name_servers | join(', ') }};
option domain-search "binary.kitchen";
option ntp-servers 172.23.1.60, 172.23.2.3;
# options related to Mitel SIP-DECT
option space sipdect;
option local-encapsulation code 43 = encapsulate sipdect;
option sipdect.ommip1 code 10 = ip-address;
option sipdect.ommip2 code 19 = ip-address;
option sipdect.syslogip code 14 = ip-address;
option sipdect.syslogport code 15 = integer 16;
option magic_str code 224 = text;
default-lease-time 7200;
max-lease-time 28800;
@ -106,7 +97,8 @@ subnet 172.23.13.0 netmask 255.255.255.0 {
# Users Auweg
subnet 172.23.14.0 netmask 255.255.255.0 {
option routers 172.23.14.1;
option routers 172.23.3.1;
ddns-domainname "users.binary.kitchen";
option domain-search "binary.kitchen", "users.binary.kitchen";
pool {
{% if dhcpd_failover == true %}
@ -118,7 +110,7 @@ subnet 172.23.14.0 netmask 255.255.255.0 {
# MQTT Auweg
subnet 172.23.15.0 netmask 255.255.255.0 {
option routers 172.23.15.1;
option routers 172.23.4.1;
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
@ -142,7 +134,7 @@ host ap01 {
}
host ap04 {
hardware ethernet 74:9e:75:ce:93:54;
hardware ethernet 44:48:c1:ce:90:06;
fixed-address ap04.binary.kitchen;
}
@ -156,23 +148,13 @@ host ap06 {
fixed-address ap06.binary.kitchen;
}
host ap11 {
hardware ethernet 18:64:72:c6:c2:0c;
fixed-address ap11.binary.kitchen;
}
host ap12 {
hardware ethernet 18:64:72:c6:c4:98;
fixed-address ap12.binary.kitchen;
}
host bowle {
hardware ethernet ac:1f:6b:25:16:b6;
fixed-address bowle.binary.kitchen;
}
host cannelloni {
hardware ethernet b8:27:eb:18:5c:11;
hardware ethernet 00:10:f3:15:88:ac;
fixed-address cannelloni.binary.kitchen;
}
@ -181,6 +163,11 @@ host fusilli {
fixed-address fusilli.binary.kitchen;
}
host garlic {
hardware ethernet b8:27:eb:56:2b:7c;
fixed-address garlic.binary.kitchen;
}
host habdisplay1 {
hardware ethernet b8:27:eb:b6:62:be;
fixed-address habdisplay1.mqtt.binary.kitchen;
@ -202,7 +189,7 @@ host lock {
}
host maccaroni {
hardware ethernet b8:27:eb:f5:9e:a1;
hardware ethernet b8:27:eb:18:5c:11;
fixed-address maccaroni.binary.kitchen;
}
@ -222,7 +209,7 @@ host mpcnc {
}
host noodlehub {
hardware ethernet b8:27:eb:56:2b:7c;
hardware ethernet b8:27:eb:eb:e5:88;
fixed-address noodlehub.binary.kitchen;
}
@ -237,7 +224,7 @@ host pizza {
}
host spaghetti {
hardware ethernet b8:27:eb:eb:e5:88;
hardware ethernet b8:27:eb:e3:e9:f1;
fixed-address spaghetti.binary.kitchen;
}
@ -280,34 +267,6 @@ host voip04 {
}
# Mitel SIP-DECT
host rfp01 {
hardware ethernet 00:30:42:1B:73:5A;
fixed-address 172.23.1.111;
option host-name "rfp01";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
host rfp02 {
hardware ethernet 00:30:42:21:D4:D5;
fixed-address 172.23.1.112;
option host-name "rfp02";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
host rfp11 {
hardware ethernet 00:30:42:1B:8B:9B;
fixed-address 172.23.12.111;
option host-name "rfp11";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
# OMAPI
omapi-port 7911;

3
roles/dns_extern/templates/pdns.conf.j2
View File

@ -1,4 +1,5 @@
local-address=0.0.0.0, ::
local-address=0.0.0.0
local-ipv6=::
launch=gsqlite3
gsqlite3-dnssec
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3

22
roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2
View File

@ -1,7 +1,7 @@
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2024030100; serial
2021091301; serial
1d; refresh
2h; retry
4w; expire
@ -20,11 +20,12 @@ $TTL 1h ; default time-to-live
21.1 IN PTR pdu1.binary.kitchen.
22.1 IN PTR pdu2.binary.kitchen.
23.1 IN PTR pdu3.binary.kitchen.
31.1 IN PTR sw-butchery.binary.kitchen.
32.1 IN PTR sw-mini.binary.kitchen.
33.1 IN PTR sw-rack.binary.kitchen.
31.1 IN PTR sw01.binary.kitchen.
32.1 IN PTR sw02.binary.kitchen.
33.1 IN PTR sw03.binary.kitchen.
41.1 IN PTR ap01.binary.kitchen.
42.1 IN PTR ap02.binary.kitchen.
43.1 IN PTR ap03.binary.kitchen.
44.1 IN PTR ap04.binary.kitchen.
45.1 IN PTR ap05.binary.kitchen.
46.1 IN PTR ap06.binary.kitchen.
@ -34,8 +35,6 @@ $TTL 1h ; default time-to-live
82.1 IN PTR bowle-bmc.binary.kitchen.
101.1 IN PTR nbe-w13b.binary.kitchen.
102.1 IN PTR nbe-tr8.binary.kitchen.
111.1 IN PTR rfp01.binary.kitchen.
112.1 IN PTR rfp02.binary.kitchen.
; Services
1.2 IN PTR v2302.core.binary.kitchen.
3.2 IN PTR bacon.binary.kitchen.
@ -46,12 +45,8 @@ $TTL 1h ; default time-to-live
12.2 IN PTR lock.binary.kitchen.
13.2 IN PTR matrix.binary.kitchen.
33.2 IN PTR pizza.binary.kitchen.
34.2 IN PTR pancake.binary.kitchen.
35.2 IN PTR knoedel.binary.kitchen.
36.2 IN PTR schweinshaxn.binary.kitchen.
37.2 IN PTR bob.binary.kitchen.
38.2 IN PTR lasagne.binary.kitchen.
39.2 IN PTR tschunk.binary.kitchen.
62.2 IN PTR bowle.binary.kitchen.
91.2 IN PTR strammermax.binary.kitchen.
92.2 IN PTR obatzda.binary.kitchen.
@ -61,6 +56,7 @@ $GENERATE 10-230 $.3 IN PTR dhcp-${0,3,d}-03.binary.kitchen.
240.3 IN PTR fusilli.binary.kitchen.
241.3 IN PTR klopi.binary.kitchen.
242.3 IN PTR mpcnc.binary.kitchen.
243.3 IN PTR garlic.binary.kitchen.
244.3 IN PTR mirror.binary.kitchen.
245.3 IN PTR spaghetti.binary.kitchen.
246.3 IN PTR maccaroni.binary.kitchen.
@ -69,7 +65,6 @@ $GENERATE 10-230 $.3 IN PTR dhcp-${0,3,d}-03.binary.kitchen.
; MQTT
1.4 IN PTR v2304.core.binary.kitchen.
6.4 IN PTR pizza.mqtt.binary.kitchen.
7.4 IN PTR lasagne.mqtt.binary.kitchen.
$GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
241.4 IN PTR habdisplay1.mqtt.binary.kitchen.
242.4 IN PTR habdisplay2.mqtt.binary.kitchen.
@ -87,14 +82,9 @@ $GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
1.10 IN PTR wg0.erx-rz.binary.kitchen.
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
; Management Auweg
31.12 IN PTR sw-auweg.binary.kitchen.
41.12 IN PTR ap11.binary.kitchen.
42.12 IN PTR ap12.binary.kitchen.
61.12 IN PTR weizen.binary.kitchen.
111.12 IN PTR rfp11.binary.kitchen.
; Services Auweg
3.13 IN PTR aeron.binary.kitchen.
12.13 IN PTR lock-auweg.binary.kitchen.
; Clients Auweg
$GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen.
; MQTT

24
roles/dns_intern/templates/bind/binary.kitchen.zone.j2
View File

@ -1,7 +1,7 @@
$ORIGIN binary.kitchen ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2024030100; serial
2021091301; serial
1d; refresh
2h; retry
4w; expire
@ -29,7 +29,7 @@ librenms IN A 172.23.2.6
netbox IN A 172.23.2.7
ns1 IN A 172.23.2.3
ns2 IN A 172.23.2.4
omm IN A 172.23.2.35
racktables IN A 172.23.2.6
radius IN A 172.23.2.3
radius IN A 172.23.2.4
; Loopback
@ -43,11 +43,12 @@ ups1 IN A 172.23.1.11
pdu1 IN A 172.23.1.21
pdu2 IN A 172.23.1.22
pdu3 IN A 172.23.1.23
sw-butchery IN A 172.23.1.31
sw-mini IN A 172.23.1.32
sw-rack IN A 172.23.1.33
sw01 IN A 172.23.1.31
sw02 IN A 172.23.1.32
sw03 IN A 172.23.1.33
ap01 IN A 172.23.1.41
ap02 IN A 172.23.1.42
ap03 IN A 172.23.1.43
ap04 IN A 172.23.1.44
ap05 IN A 172.23.1.45
ap06 IN A 172.23.1.46
@ -57,8 +58,6 @@ wurst-bmc IN A 172.23.1.80
bowle-bmc IN A 172.23.1.82
nbe-w13b IN A 172.23.1.101
nbe-tr8 IN A 172.23.1.102
rfp01 IN A 172.23.1.111
rfp02 IN A 172.23.1.112
; Services
v2302.core IN A 172.23.2.1
bacon IN A 172.23.2.3
@ -69,12 +68,8 @@ epona IN A 172.23.2.7
lock IN A 172.23.2.12
matrix IN A 172.23.2.13
pizza IN A 172.23.2.33
pancake IN A 172.23.2.34
knoedel IN A 172.23.2.35
schweinshaxn IN A 172.23.2.36
bob IN A 172.23.2.37
lasagne IN A 172.23.2.38
tschunk IN A 172.23.2.39
bowle IN A 172.23.2.62
strammermax IN A 172.23.2.91
obatzda IN A 172.23.2.92
@ -84,6 +79,7 @@ $GENERATE 10-230 dhcp-${0,3,d}-03 IN A 172.23.3.$
fusilli IN A 172.23.3.240
klopi IN A 172.23.3.241
mpcnc IN A 172.23.3.242
garlic IN A 172.23.3.243
mirror IN A 172.23.3.244
spaghetti IN A 172.23.3.245
maccaroni IN A 172.23.3.246
@ -92,7 +88,6 @@ noodlehub IN A 172.23.3.251
; MQTT
v2304.core IN A 172.23.4.1
pizza.mqtt IN A 172.23.4.6
lasagne.mqtt IN A 172.23.4.7
$GENERATE 10-240 dhcp-${0,3,d}-04 IN A 172.23.4.$
habdisplay1.mqtt IN A 172.23.4.241
habdisplay2.mqtt IN A 172.23.4.242
@ -107,14 +102,9 @@ salat IN A 172.23.9.61
salat-bmc IN A 172.23.9.81
; Services RZ
; Management Auweg
sw-auweg IN A 172.23.12.31
ap11 IN A 172.23.12.41
ap12 IN A 172.23.12.42
weizen IN A 172.23.12.61
rfp11 IN A 172.23.12.111
; Services Auweg
aeron IN A 172.23.13.3
lock-auweg IN A 172.23.13.12
; Clients Auweg
$GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$
; MQTT Auweg

4
roles/dns_intern/templates/dnsdist.conf.j2
View File

@ -10,11 +10,11 @@ newServer({address='127.0.0.1:5353', pool='resolve'})
{% if dns_secondary is defined %}
-- allow AXFR/IXFR only from slaves
addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
{% endif %}
-- allow NOTIFY only from master
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
-- use auth servers for own zones
addAction('binary.kitchen', PoolAction('authdns'))

6
roles/dns_intern/templates/pdns.conf.j2
View File

@ -26,6 +26,12 @@ launch=bind,gsqlite3
# local-address=0.0.0.0
local-address=127.0.0.1
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=::
local-ipv6=
#################################
# local-port The port on which we listen
#

4
roles/dns_intern/templates/recursor.conf.j2
View File

@ -11,9 +11,9 @@
config-dir=/etc/powerdns
#################################
# dnssec DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
#
# dnssec=process
# dnssec=process-no-validate
dnssec=off
#################################

15
roles/docker/tasks/main.yml
View File

@ -1,10 +1,17 @@
---
- name: Enable docker apt-key
apt_key: url='https://download.docker.com/linux/debian/gpg'
- name: Enable docker repository
apt_repository:
repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
filename: docker
- name: Install docker
apt:
name:
- docker.io
- docker-ce
- docker-ce-cli
- containerd.io
- python3-docker
- name: Enable docker
service: name=docker state=started enabled=yes

7
roles/doorlock/handlers/main.yml
View File

@ -1,7 +0,0 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart nginx
service: name=nginx state=restarted

5
roles/doorlock/meta/main.yml
View File

@ -1,5 +0,0 @@
---
dependencies:
- { role: acertmgr }
- { role: nginx, nginx_ssl: True }

20
roles/doorlock/tasks/main.yml
View File

@ -1,20 +0,0 @@
---
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ doorlock_domain }}.key -out /etc/nginx/ssl/{{ doorlock_domain }}.crt
-days 730 -subj "/CN={{ doorlock_domain }}"
creates: /etc/nginx/ssl/{{ doorlock_domain }}.crt
notify: Restart nginx
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ doorlock_domain }}"
- name: Configure certificate manager for doorlock
template: src=certs.j2 dest=/etc/acertmgr/{{ doorlock_domain }}.conf
notify: Run acertmgr

18
roles/doorlock/templates/certs.j2
View File

@ -1,18 +0,0 @@
---
{{ doorlock_domain }}:
- mode: dns.nsupdate
nsupdate_server: {{ acme_dnskey_server }}
nsupdate_keyfile: {{ acme_dnskey_file }}
- path: /etc/nginx/ssl/{{ doorlock_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ doorlock_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'

14
roles/drone/files/drone.service Normal file
View File

@ -0,0 +1,14 @@
[Unit]
Description=drone.io server
After=network-online.target
[Service]
Type=simple
User=drone
EnvironmentFile=/etc/default/drone
ExecStart=/opt/drone/bin/drone-server
Restart=always
RestartSec=5s
[Install]
WantedBy=multi-user.target

10
roles/23b/handlers/main.yml → roles/drone/handlers/main.yml
View File

@ -3,11 +3,11 @@
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart 23b
service: name=23b state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart drone
service: name=drone state=restarted
- name: Restart nginx
service: name=nginx state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

0
roles/23b/meta/main.yml → roles/drone/meta/main.yml
View File

52
roles/drone/tasks/main.yml Normal file
View File

@ -0,0 +1,52 @@
---
- name: Create user
user: name=drone
# TODO install drone to /opt/drone/bin
# currently it is manually compiled
- name: Configure drone
template: src=drone.j2 dest=/etc/default/drone
notify: Restart drone
- name: Install PostgreSQL
apt:
name:
- postgresql
- python3-psycopg2
- name: Configure PostgreSQL database
postgresql_db: name={{ drone_dbname }}
become: true
become_user: postgres
- name: Configure PostgreSQL user
postgresql_user: db={{ drone_dbname }} name={{ drone_dbuser }} password={{ drone_dbpass }} priv=ALL state=present
become: true
become_user: postgres
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ drone_domain }}.key -out /etc/nginx/ssl/{{ drone_domain }}.crt -days 730 -subj "/CN={{ drone_domain }}" creates=/etc/nginx/ssl/{{ drone_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for drone
template: src=certs.j2 dest=/etc/acertmgr/{{ drone_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/drone
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/drone dest=/etc/nginx/sites-enabled/drone state=link
notify: Restart nginx
- name: Install systemd unit
copy: src=drone.service dest=/lib/systemd/system/drone.service
notify:
- Reload systemd
- Restart drone
- name: Enable drone
service: name=drone enabled=yes

6
roles/23b/templates/certs.j2 → roles/drone/templates/certs.j2
View File

@ -1,13 +1,13 @@
---
{{ bk23b_domain }}:
- path: /etc/nginx/ssl/{{ bk23b_domain }}.key
{{ drone_domain }}:
- path: /etc/nginx/ssl/{{ drone_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ bk23b_domain }}.crt
- path: /etc/nginx/ssl/{{ drone_domain }}.crt
user: root
group: root
perm: '400'

10
roles/drone/templates/drone.j2 Normal file
View File

@ -0,0 +1,10 @@
DRONE_AGENTS_ENABLED=true
DRONE_DATABASE_DATASOURCE=postgres://{{ drone_dbuser }}:{{ drone_dbpass }}@127.0.0.1:5432/{{ drone_dbname }}
DRONE_DATABASE_DRIVER=postgres
DRONE_GITEA_SERVER=https://{{ gitea_domain }}
DRONE_GITEA_CLIENT_ID={{ drone_gitea_client }}
DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_secret }}
DRONE_RPC_SECRET={{ drone_secret }}
DRONE_SERVER_HOST={{ drone_domain }}
DRONE_SERVER_PROTO=https
DRONE_USER_CREATE=username:{{ drone_admin }},admin:true

31
roles/drone/templates/vhost.j2 Normal file
View File

@ -0,0 +1,31 @@
server {
listen 80;
listen [::]:80;
server_name {{ drone_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ drone_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ drone_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ drone_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ drone_domain }}.crt;
location / {
client_max_body_size 128M;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:8080;
}
}

0
roles/act_runner/meta/main.yml → roles/drone_runner/meta/main.yml
View File

21
roles/drone_runner/tasks/main.yml Normal file
View File

@ -0,0 +1,21 @@
---
- name: Run runner container
docker_container:
name: runner
image: drone/drone-runner-docker:1
env:
DRONE_RPC_PROTO: "https"
DRONE_RPC_HOST: "{{ drone_domain }}"
DRONE_RPC_SECRET: "{{ drone_secret }}"
DRONE_RUNNER_CAPACITY: "2"
DRONE_RUNNER_NAME: "{{ ansible_fqdn }}"
DRONE_UI_USERNAME: "admin"
DRONE_UI_PASSWORD: "{{ drone_uipass }}"
ports:
- "3000:3000"
pull: yes
restart_policy: unless-stopped
state: started
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"

15
roles/event_web/files/certs
View File

@ -1,15 +0,0 @@
---
eh21.easterhegg.eu engel.eh21.easterhegg.eu:
- path: /etc/nginx/ssl/eh21.easterhegg.eu.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/eh21.easterhegg.eu.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'

68
roles/event_web/files/vhost
View File

@ -1,68 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name eh21.easterhegg.eu;
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://eh21.easterhegg.eu$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name eh21.easterhegg.eu;
ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
root /var/www/eh21;
}
server {
listen 80;
listen [::]:80;
server_name engel.eh21.easterhegg.eu;
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://engel.eh21.easterhegg.eu$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name engel.eh21.easterhegg.eu;
ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
root /var/www/engel/public;
index index.php;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}

7
roles/event_web/handlers/main.yml
View File

@ -1,7 +0,0 @@
---
- name: Restart nginx
service: name=nginx state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

5
roles/event_web/meta/main.yml
View File

@ -1,5 +0,0 @@
---
dependencies:
- { role: acertmgr }
- { role: nginx, nginx_ssl: True }

31
roles/event_web/tasks/main.yml
View File

@ -1,31 +0,0 @@
---
- name: Install dependencies
apt:
name:
- php-fpm
- name: Create vhost directory
file: path=/var/www/eh21 state=directory owner=www-data group=www-data
- name: Create vhost directory
file: path=/var/www/engel state=directory owner=www-data group=www-data
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/eh21.easterhegg.eu.key -out /etc/nginx/ssl/eh21.easterhegg.eu.crt -days 730 -subj "/CN=eh21.easterhegg.eu" creates=/etc/nginx/ssl/eh21.easterhegg.eu.crt
notify: Restart nginx
- name: Configure certificate manager
copy: src=certs dest=/etc/acertmgr/eh21.easterhegg.eu.conf
notify: Run acertmgr
- name: Configure vhosts
copy: src=vhost dest=/etc/nginx/sites-available/www
notify: Restart nginx
- name: Enable vhosts
file: src=/etc/nginx/sites-available/www dest=/etc/nginx/sites-enabled/www state=link
notify: Restart nginx
- name: Start php8.2-fpm
service: name=php8.2-fpm state=started enabled=yes

8
roles/fileserver/templates/smb.conf.j2
View File

@ -42,7 +42,7 @@
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
min protocol = NT1
#### Debugging/Accounting ####
@ -213,7 +213,7 @@
;[printers]
; comment = All Printers
; browseable = no
; path = /var/tmp
; path = /var/spool/samba
; printable = yes
; guest ok = no
; read only = yes
@ -240,5 +240,5 @@
browseable = yes
read only = no
guest ok = yes
create mask = 0660
directory mask = 0770
create mask = 0600
directory mask = 0700

5
roles/gitea/defaults/main.yml
View File

@ -3,5 +3,6 @@
gitea_user: gogs
gitea_group: gogs
gitea_version: 1.21.11
gitea_url: https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
gitea_checksum: sha256:1b7473b5993e07b33fec58edbc1a90f15f040759ca4647e97317c33d5dfe58be
gitea_version: 1.15.6
gitea_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64

23
roles/gitea/tasks/main.yml
View File

@ -6,24 +6,19 @@
- name: Create user
user: name={{ gitea_user }} home=/home/{{ gitea_user }} group={{ gitea_group }}
- name: Create directories
file: path={{ item }} state=directory owner={{ gitea_user }} group={{ gitea_group }}
- name: Create gitea directories
file: path={{ item }} state=directory owner={{ gitea_user }}
with_items:
- /opt/gitea
- /opt/gitea/custom
- /opt/gitea/custom/conf
- name: Download gitea binary
get_url: url={{ gitea_url }} dest=/opt/gitea/gitea-{{ gitea_version }} mode=0755
register: gitea_download
- name: Symlink gitea binary
file: src=/opt/gitea/gitea-{{ gitea_version }} dest=/opt/gitea/gitea state=link
when: gitea_download.changed
get_url: url={{ gitea_url }} dest=/opt/gitea/gitea checksum={{ gitea_checksum }} mode=0755
notify: Restart gitea
- name: Configure gitea
template: src=app.ini.j2 dest=/opt/gitea/custom/conf/app.ini force=no owner={{ gitea_user }} group={{ gitea_group }}
template: src=app.ini.j2 dest=/opt/gitea/custom/conf/app.ini force=no owner={{ gitea_user }}
- name: Install systemd unit
template: src=gitea.service.j2 dest=/lib/systemd/system/gitea.service
@ -55,9 +50,6 @@
template: src=certs.j2 dest=/etc/acertmgr/{{ gitea_domain }}.conf
notify: Run acertmgr
- name: Configure robots.txt for gitea
template: src=robots.txt.j2 dest=/opt/gitea/custom/robots.txt owner={{ gitea_user }}
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/gitea
notify: Restart nginx
@ -67,9 +59,4 @@
notify: Restart nginx
- name: Enable gitea
service: name=gitea state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ gitea_domain }}"
service: name=gitea enabled=yes

7
roles/gitea/templates/app.ini.j2
View File

@ -43,10 +43,3 @@ LEVEL = warn
[oauth2]
JWT_SECRET = {{ gitea_jwt_secret }}
[cron]
ENABLED = true
[cron.archive_cleanup]
SCHEDULE = @midnight
OLDER_THAN = 168h

2
roles/gitea/templates/gitea.service.j2
View File

@ -8,7 +8,7 @@ Requires=postgresql.service
RestartSec=2s
Type=simple
User={{ gitea_user }}
Group={{ gitea_group }}
Group={{ gitea_user }}
WorkingDirectory=/opt/gitea/
ExecStart=/opt/gitea/gitea web
Restart=always

4
roles/gitea/templates/robots.txt.j2
View File

@ -1,4 +0,0 @@
User-agent: *
Disallow: /*/*/archive/*.bundle$
Disallow: /*/*/archive/*.tar.gz$
Disallow: /*/*/archive/*.zip$

4
roles/gitea/templates/vhost.j2
View File

@ -23,10 +23,6 @@ server {
ssl_certificate_key /etc/nginx/ssl/{{ gitea_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ gitea_domain }}.crt;
location /robots.txt {
alias /opt/gitea/custom/robots.txt;
}
location / {
client_max_body_size 1024M;
proxy_set_header X-Real-IP $remote_addr;

9
roles/grafana/tasks/main.yml
View File

@ -1,10 +1,10 @@
---
- name: Enable grafana apt-key
apt_key: url="https://apt.grafana.com/gpg.key" keyring="/etc/apt/trusted.gpg.d/grafana.gpg"
apt_key: url='https://packages.grafana.com/gpg.key'
- name: Enable grafana repository
apt_repository: repo="deb https://apt.grafana.com stable main"
apt_repository: repo='deb https://packages.grafana.com/oss/deb stable main'
- name: Install grafana
apt: name=grafana
@ -34,8 +34,3 @@
- name: Start grafana
service: name=grafana-server state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ grafana_domain }}"

3
roles/grafana/templates/vhost.j2
View File

@ -25,8 +25,7 @@ server {
location / {
client_max_body_size 1024M;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:3000;
}
}

4
roles/hackmd/defaults/main.yml Normal file
View File

@ -0,0 +1,4 @@
---
hedgedoc_version: 1.8.2
hedgedoc_archive: https://github.com/hedgedoc/hedgedoc/archive/{{ hedgedoc_version }}.tar.gz

0
roles/hedgedoc/handlers/main.yml → roles/hackmd/handlers/main.yml
View File

0
roles/authentik/meta/main.yml → roles/hackmd/meta/main.yml
View File

105
roles/hackmd/tasks/main.yml Normal file
View File

@ -0,0 +1,105 @@
---
- name: Create user
user: name=hackmd
- name: Enable nodesource apt-key
apt_key: url="https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
- name: Enable nodesource repository
apt_repository: repo="deb https://deb.nodesource.com/node_14.x/ {{ ansible_distribution_release }} main"
- name: Enable yarnpkg apt-key
apt_key: url="https://dl.yarnpkg.com/debian/pubkey.gpg"
- name: Enable yarnpkg repository
apt_repository: repo="deb https://dl.yarnpkg.com/debian/ stable main"
- name: Pin nodejs repository
blockinfile:
path: /etc/apt/preferences.d/nodejs
create: yes
block: |
Package: *
Pin: origin deb.nodesource.com
Pin-Priority: 600
- name: Install packages
apt:
name:
- build-essential
- git
- nodejs
- postgresql
- python3-psycopg2
- yarn
- name: Unpack hedgedoc
unarchive: src={{ hedgedoc_archive }} dest=/opt owner=hackmd group=hackmd remote_src=yes creates=/opt/hedgedoc-{{ hedgedoc_version }}
register: hedgedoc_unarchive
- name: Create hedgedoc upload path
file: path=/opt/hedgedoc/uploads state=directory recurse=yes owner=hackmd group=hackmd
- name: Remove old hedgedoc upload path
file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads state=absent force=yes
- name: Link hedgedoc upload path
file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads src=/opt/hedgedoc/uploads state=link owner=hackmd group=hackmd
- name: Setup hedgedoc
command: bin/setup chdir=/opt/hedgedoc-{{ hedgedoc_version }} creates=/opt/hedgedoc-{{ hedgedoc_version }}/config.json
become: true
become_user: hackmd
- name: Configure hedgedoc
template: src=config.json.j2 dest=/opt/hedgedoc-{{ hedgedoc_version }}/config.json owner=hackmd
register: hedgedoc_config
notify: Restart hedgedoc
- name: Install hedgedoc frontend deps
command: /usr/bin/yarn install chdir=/opt/hedgedoc-{{ hedgedoc_version }}
become: true
become_user: hackmd
when: hedgedoc_unarchive.changed or hedgedoc_config.changed
- name: Build hedgedoc frontend
command: /usr/bin/yarn build chdir=/opt/hedgedoc-{{ hedgedoc_version }}
become: true
become_user: hackmd
when: hedgedoc_unarchive.changed or hedgedoc_config.changed
- name: Configure PostgreSQL database
postgresql_db: name={{ hedgedoc_dbname }}
become: true
become_user: postgres
- name: Configure PostgreSQL user
postgresql_user: db={{ hedgedoc_dbname }} name={{ hedgedoc_dbuser }} password={{ hedgedoc_dbpass }} priv=ALL state=present
become: true
become_user: postgres
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hedgedoc_domain }}.key -out /etc/nginx/ssl/{{ hedgedoc_domain }}.crt -days 730 -subj "/CN={{ hedgedoc_domain }}" creates=/etc/nginx/ssl/{{ hedgedoc_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for hedgedoc
template: src=certs.j2 dest=/etc/acertmgr/{{ hedgedoc_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/hedgedoc
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/hedgedoc dest=/etc/nginx/sites-enabled/hedgedoc state=link
notify: Restart nginx
- name: Systemd unit for hedgedoc
template: src=hedgedoc.service.j2 dest=/etc/systemd/system/hedgedoc.service
notify:
- Reload systemd
- Restart hedgedoc
- name: Start the hedgedoc service
service: name=hedgedoc state=started enabled=yes

0
roles/hedgedoc/templates/certs.j2 → roles/hackmd/templates/certs.j2
View File

45
roles/hackmd/templates/config.json.j2 Normal file
View File

@ -0,0 +1,45 @@
{
"production": {
"domain": "{{ hedgedoc_domain }}",
"protocolUseSSL": true,
"allowAnonymous": false,
"allowAnonymousEdits": true,
"allowFreeURL": true,
"sessionSecret": "{{ hedgedoc_secret }}",
"hsts": {
"enable": true,
"maxAgeSeconds": 2592000,
"includeSubdomains": true,
"preload": true
},
"csp": {
"enable": true,
"directives": {
},
"upgradeInsecureRequests": "auto",
"addDefaults": true,
"addDisqus": true,
"addGoogleAnalytics": true
},
"db": {
"username": "{{ hedgedoc_dbuser }}",
"password": "{{ hedgedoc_dbpass }}",
"database": "{{ hedgedoc_dbname }}",
"host": "localhost",
"port": "5432",
"dialect": "postgres"
},
"ldap": {
"url": "{{ ldap_uri }}",
"bindDn": "{{ ldap_binddn }}",
"bindCredentials": "{{ ldap_bindpw }}",
"searchBase": "{{ ldap_base }}",
"searchFilter": "(uid={{ '{{' }}username{{ '}}' }})",
"searchAttributes": ["cn", "uid"],
"usernameField": "cn",
"useridField": "uid",
"tlsca": "/etc/ssl/certs/ca-certificates.crt"
},
"email": false
}
}

14
roles/hackmd/templates/hedgedoc.service.j2 Normal file
View File

@ -0,0 +1,14 @@
[Unit]
Description=HedgeDoc
After=network.target
[Service]
Environment=NODE_ENV=production
WorkingDirectory=/opt/hedgedoc-{{ hedgedoc_version }}
Type=simple
User=hackmd
ExecStart=/usr/bin/yarn start
Restart=on-failure
[Install]
WantedBy=multi-user.target

0
roles/hedgedoc/templates/vhost.j2 → roles/hackmd/templates/vhost.j2
View File

Some files were not shown because too many files have changed in this diff Show More