No commits in common. "master" and "master" have entirely different histories.
67
README.md
|
@ -1,68 +1,11 @@
|
||||||
# Binary Kitchen Ansible Playbooks
|
# Binary Kitchen Ansible Playbooks
|
||||||
|
|
||||||
This repository contains the roles to setup most of the infrastructure related to the hackspace Binary Kitchen.
|
This repository contains the roles to setup most of the infrastructure related to the hackerspace Binary Kitchen.
|
||||||
|
|
||||||
## Usage
|
## Using
|
||||||
|
|
||||||
To apply the current set of roles to a single host you can type: `ansible-playbook site.yml -l $hostname`
|
TBA
|
||||||
|
|
||||||
It is recommenced to alway run in check mode (`--check`) first and use `--diff` to see what has been (or would be) changed
|
## Style / Contributing
|
||||||
|
|
||||||
|
TBA/TBD
|
||||||
## Current setup
|
|
||||||
|
|
||||||
Currently the following hosts are installed:
|
|
||||||
|
|
||||||
### Internal Servers
|
|
||||||
|
|
||||||
| Hostname | OS | Purpose |
|
|
||||||
| ------------------------- | --------- | ----------------------- |
|
|
||||||
| wurst.binary.kitchen | Proxmox 8 | VM Host |
|
|
||||||
| salat.binary.kitchen | Proxmox 8 | VM Host |
|
|
||||||
| weizen.binary.kitchen | Proxmox 8 | VM Host |
|
|
||||||
| bacon.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
|
|
||||||
| aveta.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
|
|
||||||
| aeron.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
|
|
||||||
| sulis.binary.kitchen | Debian 12 | Shell |
|
|
||||||
| nabia.binary.kitchen | Debian 12 | Monitoring |
|
|
||||||
| epona.binary.kitchen | Debian 12 | NetBox |
|
|
||||||
| pizza.binary.kitchen | Debian 11 | OpenHAB * |
|
|
||||||
| pancake.binary.kitchen | Debian 12 | XRDP |
|
|
||||||
| knoedel.binary.kitchen | Debian 12 | SIP-DECT OMM |
|
|
||||||
| bob.binary.kitchen | Debian 12 | Gitea Actions |
|
|
||||||
| lasagne.binary.kitchen | Debian 12 | Home Assistant * |
|
|
||||||
| tschunk.binary.kitchen | Debian 11 | Strichliste |
|
|
||||||
| bowle.binary.kitchen | Debian 12 | Files |
|
|
||||||
| lock-auweg.binary.kitchen | Debian 11 | Doorlock |
|
|
||||||
|
|
||||||
\*: The main application is not managed by ansible but manually installed
|
|
||||||
|
|
||||||
### External Servers
|
|
||||||
|
|
||||||
| Hostname | OS | Purpose |
|
|
||||||
| ----------------------------- | --------- | ----------------------- |
|
|
||||||
| helium.binary-kitchen.net | Debian 12 | LDAP Master |
|
|
||||||
| lithium.binary-kitchen.net | Debian 12 | Mail |
|
|
||||||
| beryllium.binary-kitchen.net | Debian 12 | Web * |
|
|
||||||
| boron.binary-kitchen.net | Debian 12 | Gitea |
|
|
||||||
| carbon.binary-kitchen.net | Debian 12 | Jabber |
|
|
||||||
| nitrogen.binary-kitchen.net | Debian 12 | NextCloud |
|
|
||||||
| oxygen.binary-kitchen.net | Debian 12 | Shell |
|
|
||||||
| fluorine.binary-kitchen.net | Debian 12 | Web (div. via Docker) |
|
|
||||||
| neon.binary-kitchen.net | Debian 12 | Auth. DNS |
|
|
||||||
| sodium.binary-kitchen.net | Debian 12 | Mattrix |
|
|
||||||
| magnesium.binary-kitchen.net | Debian 12 | TURN |
|
|
||||||
| aluminium.binary-kitchen.net | Debian 12 | Zammad |
|
|
||||||
| krypton.binary-kitchen.net | Debian 12 | PartDB * |
|
|
||||||
| yttrium.binary-kitchen.net | Debian 12 | Hintervvoidler * |
|
|
||||||
| zirconium.binary-kitchen.net | Debian 12 | Jitsi |
|
|
||||||
| molybdenum.binary-kitchen.net | Debian 12 | Telefonzelle * |
|
|
||||||
| technetium.binary-kitchen.net | Debian 12 | Event CTFd * |
|
|
||||||
| ruthenium.binary-kitchen.net | Debian 12 | Minecraft * |
|
|
||||||
| rhodium.binary-kitchen.net | Debian 12 | Event pretix |
|
|
||||||
| palladium.binary-kitchen.net | Debian 12 | Event pretalx |
|
|
||||||
| argentum.binary-kitchen.net | Debian 12 | Event Web * |
|
|
||||||
| cadmium.binary-kitchen.neti | Debian 12 | Event NetBox * |
|
|
||||||
| barium.binary-kitchen.net | Debian 12 | Workadventure |
|
|
||||||
|
|
||||||
\*: The main application is not managed by ansible but manually installed
|
|
||||||
|
|
|
@ -5,14 +5,6 @@ acertmgr_mode: webdir
|
||||||
acme_dnskey_file: /etc/acertmgr/nsupdate.key
|
acme_dnskey_file: /etc/acertmgr/nsupdate.key
|
||||||
acme_dnskey_server: neon.binary-kitchen.net
|
acme_dnskey_server: neon.binary-kitchen.net
|
||||||
|
|
||||||
authentik_domain: auth.binary-kitchen.de
|
|
||||||
authentik_dbname: authentik
|
|
||||||
authentik_dbuser: authentik
|
|
||||||
authentik_dbpass: "{{ vault_authentik_dbpass }}"
|
|
||||||
authentik_secret: "{{ vault_authentik_secret }}"
|
|
||||||
|
|
||||||
bk23b_domain: 23b.binary-kitchen.de
|
|
||||||
|
|
||||||
coturn_realm: turn.binary-kitchen.de
|
coturn_realm: turn.binary-kitchen.de
|
||||||
coturn_secret: "{{ vault_coturn_secret }}"
|
coturn_secret: "{{ vault_coturn_secret }}"
|
||||||
|
|
||||||
|
@ -22,12 +14,19 @@ dns_axfr_ips:
|
||||||
|
|
||||||
dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
|
dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
|
||||||
|
|
||||||
|
drone_admin: moepman
|
||||||
|
drone_domain: drone.binary-kitchen.de
|
||||||
|
drone_dbname: drone
|
||||||
|
drone_dbuser: drone
|
||||||
|
drone_dbpass: "{{ vault_drone_dbpass }}"
|
||||||
|
drone_uipass: "{{ vault_drone_uipass }}"
|
||||||
|
drone_secret: "{{ vault_drone_secret }}"
|
||||||
|
drone_gitea_client: "{{ vault_drone_gitea_client }}"
|
||||||
|
drone_gitea_secret: "{{ vault_drone_gitea_secret }}"
|
||||||
|
|
||||||
dss_domain: dss.binary-kitchen.de
|
dss_domain: dss.binary-kitchen.de
|
||||||
dss_secret: "{{ vault_dss_secret }}"
|
dss_secret: "{{ vault_dss_secret }}"
|
||||||
|
|
||||||
fpm_status_user: admin
|
|
||||||
fpm_status_pass: "{{ vault_fpm_status_pass }}"
|
|
||||||
|
|
||||||
gitea_domain: git.binary-kitchen.de
|
gitea_domain: git.binary-kitchen.de
|
||||||
gitea_dbname: gogs
|
gitea_dbname: gogs
|
||||||
gitea_dbuser: gogs
|
gitea_dbuser: gogs
|
||||||
|
@ -36,8 +35,8 @@ gitea_secret: "{{ vault_gitea_secret }}"
|
||||||
gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
|
gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
|
||||||
|
|
||||||
hedgedoc_domain: pad.binary-kitchen.de
|
hedgedoc_domain: pad.binary-kitchen.de
|
||||||
hedgedoc_dbname: hedgedoc
|
hedgedoc_dbname: hackmd
|
||||||
hedgedoc_dbuser: hedgedoc
|
hedgedoc_dbuser: hackmd
|
||||||
hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
|
hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
|
||||||
hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
|
hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
|
||||||
|
|
||||||
|
@ -45,7 +44,6 @@ icinga_domain: icinga.binary.kitchen
|
||||||
icinga_dbname: icinga
|
icinga_dbname: icinga
|
||||||
icinga_dbuser: icinga
|
icinga_dbuser: icinga
|
||||||
icinga_dbpass: "{{ vault_icinga_dbpass }}"
|
icinga_dbpass: "{{ vault_icinga_dbpass }}"
|
||||||
icinga_server: nabia.binary.kitchen
|
|
||||||
icingaweb_dbname: icingaweb
|
icingaweb_dbname: icingaweb
|
||||||
icingaweb_dbuser: icingaweb
|
icingaweb_dbuser: icingaweb
|
||||||
icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
|
icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
|
||||||
|
@ -68,27 +66,18 @@ mail_domain: binary-kitchen.de
|
||||||
mail_domains:
|
mail_domains:
|
||||||
- ccc-r.de
|
- ccc-r.de
|
||||||
- ccc-regensburg.de
|
- ccc-regensburg.de
|
||||||
- eh21.easterhegg.eu
|
|
||||||
- makerspace-regensburg.de
|
- makerspace-regensburg.de
|
||||||
mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
|
mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
|
||||||
mail_server: mail.binary-kitchen.de
|
mail_server: mail.binary-kitchen.de
|
||||||
mailman_domain: lists.binary-kitchen.de
|
mailman_domain: lists.binary-kitchen.de
|
||||||
mail_trusted:
|
mail_trusted:
|
||||||
- 213.166.246.0/28
|
- 213.166.246.0/28
|
||||||
- 213.166.246.37/32
|
|
||||||
- 213.166.246.45/32
|
- 213.166.246.45/32
|
||||||
- 213.166.246.46/32
|
|
||||||
- 213.166.246.47/32
|
|
||||||
- 213.166.246.250/32
|
- 213.166.246.250/32
|
||||||
- 2a02:958:0:f6::/124
|
- 2a02:958:0:f6::/124
|
||||||
- 2a02:958:0:f6::37/128
|
|
||||||
- 2a02:958:0:f6::45/128
|
- 2a02:958:0:f6::45/128
|
||||||
- 2a02:958:0:f6::46/128
|
|
||||||
- 2a02:958:0:f6::47/128
|
|
||||||
mail_aliases:
|
mail_aliases:
|
||||||
- "auweg@binary-kitchen.de venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
|
- "auweg@binary-kitchen.de venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
|
||||||
- "bbb@binary-kitchen.de boehm.johannes@gmail.com"
|
|
||||||
- "dasfilament@binary-kitchen.de taxx@binary-kitchen.de"
|
|
||||||
- "epvpn@binary-kitchen.de noby@binary-kitchen.de"
|
- "epvpn@binary-kitchen.de noby@binary-kitchen.de"
|
||||||
- "google@binary-kitchen.de vorstand@binary-kitchen.de"
|
- "google@binary-kitchen.de vorstand@binary-kitchen.de"
|
||||||
- "info@binary-kitchen.de vorstand@binary-kitchen.de"
|
- "info@binary-kitchen.de vorstand@binary-kitchen.de"
|
||||||
|
@ -98,14 +87,12 @@ mail_aliases:
|
||||||
- "openhab@binary-kitchen.de noby@binary-kitchen.de"
|
- "openhab@binary-kitchen.de noby@binary-kitchen.de"
|
||||||
- "orga@ccc-r.de orga@ccc-regensburg.de"
|
- "orga@ccc-r.de orga@ccc-regensburg.de"
|
||||||
- "orga@ccc-regensburg.de anti@binary-kitchen.de"
|
- "orga@ccc-regensburg.de anti@binary-kitchen.de"
|
||||||
- "paypal@binary-kitchen.de ralf@binary-kitchen.de"
|
- "paypal@binary-kitchen.de timo.schindler@binary-kitchen.de"
|
||||||
- "post@makerspace-regensburg.de vorstand@binary-kitchen.de"
|
- "post@makerspace-regensburg.de vorstand@binary-kitchen.de"
|
||||||
- "pretalx@binary-kitchen.de moepman@binary-kitchen.de"
|
|
||||||
- "pretix@binary-kitchen.de moepman@binary-kitchen.de"
|
|
||||||
- "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de"
|
- "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de"
|
||||||
- "seife@binary-kitchen.de anke@binary-kitchen.de"
|
- "seife@binary-kitchen.de anke@binary-kitchen.de"
|
||||||
- "siebdruck@binary-kitchen.de anke@binary-kitchen.de"
|
- "siebdruck@binary-kitchen.de anke@binary-kitchen.de"
|
||||||
- "vorstand@binary-kitchen.de anke@binary-kitchen.de,christoph@schindlbeck.eu,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
|
- "vorstand@binary-kitchen.de anti@binary-kitchen.de,avarrish@binary-kitchen.de,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
|
||||||
- "voucher1@binary-kitchen.de exxess@binary-kitchen.de"
|
- "voucher1@binary-kitchen.de exxess@binary-kitchen.de"
|
||||||
- "voucher2@binary-kitchen.de exxess@binary-kitchen.de"
|
- "voucher2@binary-kitchen.de exxess@binary-kitchen.de"
|
||||||
- "voucher3@binary-kitchen.de exxess@binary-kitchen.de"
|
- "voucher3@binary-kitchen.de exxess@binary-kitchen.de"
|
||||||
|
@ -119,8 +106,6 @@ mail_aliases:
|
||||||
- "voucher11@binary-kitchen.de exxess@binary-kitchen.de"
|
- "voucher11@binary-kitchen.de exxess@binary-kitchen.de"
|
||||||
- "voucher12@binary-kitchen.de exxess@binary-kitchen.de"
|
- "voucher12@binary-kitchen.de exxess@binary-kitchen.de"
|
||||||
- "workshops@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
|
- "workshops@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
|
||||||
- "tickets@eh21.easterhegg.eu orga@eh21.easterhegg.eu"
|
|
||||||
- "hackzuck@eh21.easterhegg.eu kekskruemml@binary-kitchen.de"
|
|
||||||
|
|
||||||
matrix_domain: matrix.binary-kitchen.de
|
matrix_domain: matrix.binary-kitchen.de
|
||||||
matrix_dbname: matrix
|
matrix_dbname: matrix
|
||||||
|
@ -140,20 +125,15 @@ nextcloud_dbname: owncloud
|
||||||
nextcloud_dbuser: owncloud
|
nextcloud_dbuser: owncloud
|
||||||
nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
|
nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
|
||||||
|
|
||||||
omm_domain: omm.binary.kitchen
|
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
|
||||||
|
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
|
||||||
|
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
|
||||||
|
|
||||||
pretalx_domain: fahrplan.eh21.easterhegg.eu
|
pretix_domain: pretix.rc3.binary-kitchen.de
|
||||||
pretalx_dbname: pretalx
|
|
||||||
pretalx_dbuser: pretalx
|
|
||||||
pretalx_dbpass: "{{ vault_pretalx_dbpass }}"
|
|
||||||
pretalx_mail: pretalx@binary-kitchen.de
|
|
||||||
|
|
||||||
pretix_domain: pretix.events.binary-kitchen.de
|
|
||||||
pretix_domainx: tickets.eh21.easterhegg.eu
|
|
||||||
pretix_dbname: pretix
|
pretix_dbname: pretix
|
||||||
pretix_dbuser: pretix
|
pretix_dbuser: pretix
|
||||||
pretix_dbpass: "{{ vault_pretix_dbpass }}"
|
pretix_dbpass: "{{ vault_pretix_dbpass }}"
|
||||||
pretix_mail: pretix@binary-kitchen.de
|
pretix_mail: rc3@binary-kitchen.de
|
||||||
|
|
||||||
prometheus_pve_user: prometheus@pve
|
prometheus_pve_user: prometheus@pve
|
||||||
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
|
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
|
||||||
|
@ -175,21 +155,4 @@ slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
|
||||||
slapd_root_pass: "{{ vault_slapd_root_pass }}"
|
slapd_root_pass: "{{ vault_slapd_root_pass }}"
|
||||||
slapd_san: ldap.binary.kitchen
|
slapd_san: ldap.binary.kitchen
|
||||||
|
|
||||||
sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
|
|
||||||
sssd_base_user: ou=people,dc=binary-kitchen,dc=de
|
|
||||||
|
|
||||||
strichliste_domain: tschunk.binary.kitchen
|
|
||||||
strichliste_dbname: strichliste
|
|
||||||
strichliste_dbuser: strichliste
|
|
||||||
strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
|
|
||||||
|
|
||||||
vaultwarden_domain: vault.binary-kitchen.de
|
|
||||||
vaultwarden_dbname: vaultwarden
|
|
||||||
vaultwarden_dbuser: vaultwarden
|
|
||||||
vaultwarden_dbpass: "{{ vault_vaultwarden_dbpass }}"
|
|
||||||
vaultwarden_token: "{{ vault_vaultwarden_token }}"
|
|
||||||
vaultwarden_yubico_secret: "{{ vault_vaultwarden_yubico_secret }}"
|
|
||||||
|
|
||||||
workadventure_domain: wa.binary-kitchen.de
|
workadventure_domain: wa.binary-kitchen.de
|
||||||
|
|
||||||
zammad_domain: requests.binary-kitchen.de
|
|
||||||
|
|
|
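Review bot: `slapd_root_hash: "{SSHA}…"` in the context line of the last hunk (header `@ -175,21 +155,4 @@`) keeps the LDAP rootdn password hash in cleartext inside the repository, while the neighbouring `slapd_root_pass` is already pulled from the vault. A salted SHA-1 hash that has been committed to git history can be attacked offline at leisure, and this compare leaves the value untouched on both sides. Move it into the vault the same way as the password, `slapd_root_hash: "{{ vault_slapd_root_hash }}"`, and rotate the rootdn password so the hash already in history stops mattering. The file itself is not named in this view, so the vault variable name above is a placeholder to match to the project's convention.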
@ -1,109 +1,70 @@
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
63626562396631623335303064393137396262393239366236373634323333343264343335306330
|
34303237313431646264363034353637613836633432633638333963363037663435626166663630
|
||||||
3861326430303265376564306139323064356339653039330a613335323233356361303066663139
|
6338393164366434386334313664386166373031326538350a396639373163646666376462373662
|
||||||
34386465306537666464643736656230356632633239363865386166373834653030363736613834
|
36623863356436356635303263643239666162333863613831326630303363346137653234323838
|
||||||
6339303364363166620a626134303835346130386238653232316663346633313631653164336336
|
3639623464303131350a653162336338626665393534623063623330323162373935353939303631
|
||||||
34653639363635663537356639646333616438336438333463656537326134343531393435663266
|
64333363373563343336643764306563376461393430643631366133353836646363363166653233
|
||||||
64366333346130653730613865346134356161373237343539373965623036656231653939303365
|
38323331386165366334656630626138383131323664333266353164323164373364303161653365
|
||||||
62326638666431333265343639326461313433656639393839396366633431616435393263336231
|
30333339646139626434636365653666636534346266636262613938656665343634363563663366
|
||||||
66303634656536636165636462396637656331666336623734333139316533636664306262326566
|
32306663653930613762663534613635616663613130613933626331663861643439323664353739
|
||||||
36616366663933613561336164386463393635636264613737316464666535366361613065363362
|
31316531653562646363376233636464396262313132343234303933343066373862633235383333
|
||||||
30316566323663623133346130393032646237353934363531326530396263363130326638393032
|
31313431336464663163343835646430323664373166363465343037333130343636646363393231
|
||||||
30633832663134613964323733623230363831636664373661633966366264373766326161623862
|
34613162386637306539663431636137353039383037333937613035393332353933333134346335
|
||||||
39396331313231633237313735636261653531313961616230626565623633636638643936326237
|
31616561636533383639366634316164343466613634643130353437393664336332316132363934
|
||||||
62333066366439643163336233353361343662326237376332396461393663623761613962333237
|
61333961613530333536613034386332646136313939356339633334353333326661393231343261
|
||||||
65633039363636323235356632326563376163386161373362383466346339356463636437646262
|
62653463316662376134663965383030636639356637393237653362616561616238653637623039
|
||||||
38313164393036393661336633373265303536316165623330643236313936666139376237366164
|
65653139373633323766356362613239316165393966623932346561363363393138653032366439
|
||||||
31373364663136356139356433386132343630396531373961616131343333663463616262373439
|
64303463306132363261333936653763353833386337303763316362666134306264306464306362
|
||||||
34393161323334333732383866653463656265393761346533663530613530313062626330356535
|
30343364393539636565633861386261373661623061333733353635336133373162636465376137
|
||||||
65393037636665303564316536376531386561366466643961666439326462353864643635353934
|
61316465306534623337383631663538336632383832343132333862316336323961623637383838
|
||||||
66616432303966643731386133613430313737356539386331623832656132663461393538363962
|
65363832646138376233653264373535633437376162326361313863333839343236343966393839
|
||||||
64313935613063373832343862373734316634663333313835323836386466336663643661656436
|
32323361666264373466396130666465303032393364633134343264643731323438646562333361
|
||||||
61353663646165623165663035383461376331373439666433386433376234613163396234373632
|
63376266616430643135326430366266633332633333646134313736316139386232333965346331
|
||||||
61646230363163366338653332373834386534333436373737383463363335356436313463626333
|
61663964653931333730643435303637666563316133373831336566303361383736666139626562
|
||||||
63393166316663323066323863373830393937353864376366313535663565613031643932383364
|
38623031303533396632613361323533313334333631316434646232383136393433323466383330
|
||||||
62623633353662323965393563363261623564396632643662663032613032666162616132336130
|
65666530616466623933393936613963663766653361643733326330643162346635613835633736
|
||||||
39376430663833303264306135643832383231623336613734373964653736376235653334333639
|
64393064326233313035316130353563623639303665623064303831376332353264633930363364
|
||||||
63376661636561383236633365303031326630356661633062663564396133313633323738333539
|
33623137353130353962323964396130646230393335386434346130663064613434643136656466
|
||||||
66303235613562313636343766356263383132643962393232396263393665666334633438383632
|
63623666376165653961666539383335356163316131353966613036643530663835313766366533
|
||||||
38646635643030303464396634356161333836376364333361356461346664303563346463333838
|
31656633633331636535316234653561326465623562393632623062383935336530383133626236
|
||||||
34356139373233313631653533356633643730663438646630373331313065363136663938306439
|
66323366306366623631373861346635303063376264613734643039363137613837333534616362
|
||||||
38336563363966653632613436356530316234326365666438326635313537343665663233363731
|
37633462373538313562666639613031343866383234633438373936623437333666343731633735
|
||||||
36646565393937326336626333383863656565323832303937323536346366303839633236663566
|
33386666313531613734643431333332346439386465303531306365386537613933623636643237
|
||||||
32373632646463363634363031626635383233656361336532636366653434623562623937656137
|
35653434303433633533356662623965383133383838613361303832326130343938393561393935
|
||||||
66303663316165633932643365623732323430376334303036303961396264303664616433356361
|
38313533643830633432303464306561643233303866316130616531623230393366323264626165
|
||||||
64366135376232313265376563633163373933343066653939313433366539396163656163346663
|
33653230366138376533376166393466656233353061343338393433386332333361353063323634
|
||||||
30626331333034316131343361636364653936373235623562336366336237353966613536316637
|
66366561646466616566336265363037616433616231353739613538633765343235323637303535
|
||||||
61343530326139636365613434386263383430626663333932386431313164346532666562346537
|
34373739306130313536633338353130656632666536356535636265333335303730333031323436
|
||||||
32623538353365383030396332386133343464643732653038623337353135663964643566396439
|
39633466353139663361646265656334633461346564616633643030383662353762643237333761
|
||||||
64633435623763666461356331306539373638383034343735373765373333656562326338613763
|
31326435313361366163353836633535303462623533373363376433613139373135393566333937
|
||||||
63633732373765316238633539316665623431616333363364316531306630343735393335616630
|
64313838373366383432376430643236633030623736643435363038616261333364366139666435
|
||||||
36613362336566393866623566666430336639376662633233656130653837313161653462346335
|
66623661643032633931623539383136373138636333323737323165333831333764363137393562
|
||||||
63396532663633393363626136373161303235613761373235633831393736343630353031613364
|
62663335353265353535643666356632663736343039333965653639653764646261323736313430
|
||||||
32353463383934313961313638613533623638383062343936616336646431383935393938623138
|
39656366356130326363363133383062333530316165643430383161306135346663623861313030
|
||||||
31383032326365333136666165633832333836346231636332353830336264636235383162356630
|
65346430353230363561633239623330623265666336616133326263323063333132323764343735
|
||||||
38316137623935633863363162376239623932373233663663323830363162313665613830623763
|
63346230373339343062393035356565376265643463326366326535313130663163366435323339
|
||||||
63656237343662616130326339386231376564613164666163393232653762613932343561343031
|
62363339313332663333653336633331343161363432393639316630633365643037653739613132
|
||||||
66386431343139373734626430656139353635636233336236653438353066393732663637323435
|
63316662336630626366363662333061353539333133653732646330643065333430316333316131
|
||||||
63303434376634366262646662616162343664666365373934346530343239653330356234373065
|
33363662653465306531666435363932663432373932353466383364383634643634313736303931
|
||||||
31373934363731373136346665623334306631626134613334633135666461636462303164653662
|
63353632353836663263616137353031643238663632363563656137313961656534663137613061
|
||||||
36323132376532613431653063643965636233373165333639323966663333633563303438396466
|
37636530306334613639326363383665373061383634326630653366386632636634653638653330
|
||||||
64633761376164383835613038633630623439643364323232633437386334346138343361306638
|
32366438623635363833343566353365373762646162393637326433656438663066663766333761
|
||||||
38626632326137303839306531633536643161656231636662383461373964646333303936343733
|
65363136666238623439663764363266363731613261326566653035303265623736353331376562
|
||||||
36333863316162393134646563316235663164613062303734346662386466656461346364356564
|
36646435353134613363316236383938613032626562646237366337376433326334386330646266
|
||||||
35326234336439623961383938316136633037343863363933616663366536613866666165376664
|
66333365323133616466646164353262653830313764376562636164326163623463373863373630
|
||||||
30306438666365333333636632643832303463356533343033623938653365663732336164303033
|
31623264373330386136396130626133323762363262336337396562613166646132386362383635
|
||||||
65653936363839323239306463366533653439663437343536393564336163313962313935636534
|
61333637373462316463303962396162383039373265303939306132323533393236343965613835
|
||||||
34346330393637343834323931353762613839366166353139303535376230356466646261363464
|
32646361383938383337653264323766363130613264613463386432306238316531653437323939
|
||||||
33386337616230623537376665663835373766316332363433313234326461313935636666363261
|
39353866313834393933623630303539633334663239343865313264616664656464646631623934
|
||||||
30653433333436306564653461303165656163363331643536323535623062396561643662323334
|
33623230643633353361343965396236393939343765653161643530626133663236383135343934
|
||||||
35626565616538396566363433363732656538313531636632643163633637303339656431346466
|
37353231626339323866613237663463656239326335643035313730363133616538613866386162
|
||||||
61353030666638393361613833353532656130643866636135643434366562386363656434323366
|
65623335393462633130353965343533616261636261656162626639323231623934663765386166
|
||||||
36343764316136316630353338363735646533346362386266643136626366356331656363393133
|
37353665643363386662646538306530326161653461393236616531343935393639386432633437
|
||||||
35636633353662393435346365663432656166646136346331363563363539326162633166393164
|
63643561646337616138633063646261323937333262333535626235373561336339346661353365
|
||||||
34303164353632373437613564336266373934396236383962376530613631633932626431333864
|
30396365376566616538353866383266666436636131656535363062633237313266366639373536
|
||||||
64623439336638613337383763353531376133343436346330373362313034616166616537636366
|
64316435316234313365306332383637636263376563393464303566313566636238626434393364
|
||||||
30306132613333633261326630323038323431643163373365376662623339396136313531366332
|
62316263353733636136393034616362643764346536373533363937633938383037376261656330
|
||||||
66663037643036303836376632646132383563316262393438636432666661333836376663666130
|
30333738616232616566643335353161636466643830393464643263653633373662623437643332
|
||||||
31316135366562633134306633333834636132623739373131626161633636313737646334376434
|
61396430636631396134393064633131636233653664373363386638366138343435613438303330
|
||||||
33376337393630663338643366316465353266346365333830613533393139333235366237323339
|
61366234663461333331623961393834643233623862323861346163343934303838666232626639
|
||||||
66346465313462373334316535383633343165373733313230373461366336353664306537306538
|
6139
|
||||||
32653538366565663764353031303763613835366461666163336665656436333563613835653438
|
|
||||||
65376265303131376239616536353933346633393438643466343439643039313236373033323034
|
|
||||||
64316364663139353664653564393262323565646235356431326331343433373639316234363938
|
|
||||||
65633034666532306137353431613732663166323936356433323733376261386161383265663264
|
|
||||||
35643038663565646135343233623530396165336263303931653037393934343833623337343834
|
|
||||||
31343631343563626561393763356463393930616338623861363835343635376238653337653133
|
|
||||||
31393834343536396536363533363739306639646333313836393331306566393534383265613234
|
|
||||||
31623238306531383936343836336466343336396530633033323063346261366633343936316637
|
|
||||||
30343165333861346635623934363537383531323637313461663964353338653639366562306236
|
|
||||||
30363265393038633564626463393166333665396538663639346665353736336134643862663630
|
|
||||||
62393037363963613263313939613865393066323830656362656464643730636535623639636131
|
|
||||||
63343263333134336364323236656639613635323165383164636465353438653134646334643962
|
|
||||||
35306463626336626664383638323865633631346437613139623239663538666363313237323663
|
|
||||||
39323734353363643334343538303635366637373530383832393861346164666666306631643563
|
|
||||||
63306565306337383539636330623933666266353635396238656435373563383830666636616335
|
|
||||||
39386134383938626439366437383138303062333236306436336163393832613532303332303833
|
|
||||||
39323539396235383765613234303765303136653064336361333035643365386232613766356362
|
|
||||||
30656437376537623165626530623365393463626337383139663734396331396363396162383330
|
|
||||||
31663636383037613563346330323063393637616334356439666263623662383666376265313732
|
|
||||||
63343837306336313264313934653836363665616264396662633761363237366437653962626664
|
|
||||||
38383462313435383133613465656435363563373765313361623565636564616236313666633264
|
|
||||||
37393165386163393666376636343963333932346463303661373339303765303938636135323363
|
|
||||||
35663731656431656330336366383330616163353934333564356633613165396463393066396533
|
|
||||||
32396264653265333865643365346233633863333335383735396134663062343166656233613931
|
|
||||||
35633133336337343531313266323663363830353236323035313031646434303761343737633139
|
|
||||||
30343439323330353531633337353365363031666635653364326235316435383835663139376136
|
|
||||||
39343361636662346166363432366162666631366431623563363936336164323836376232326162
|
|
||||||
39316337343436386363643064653337613131346266353636333664373262326563386264303831
|
|
||||||
65343534616464633232373532313865363732663235376534396436333531633261393066313263
|
|
||||||
38316437643232336234343663666536353134626139623138636234396661613261326437303065
|
|
||||||
36383331323061643632323339383530626430343132613039393434333939383065623464646362
|
|
||||||
65303135313962613564666261356533313961323464623535393631613337663366626136343364
|
|
||||||
61363035333636366439313961326462633463616237343133356437303234323363306337343237
|
|
||||||
61376138323336663839623539633866313133346338313165623039336335663666313532636261
|
|
||||||
36383332346636373936366632393364323331303866623533643062666361613133383262383538
|
|
||||||
64343665333761326134303566656638633362643031306535333661623437636139353565623435
|
|
||||||
39323631393132336636653731636264356637373031633037653466383163663865626339323731
|
|
||||||
34623137386338343038373464613832363761643362623434373136376638663537623762646266
|
|
||||||
63306439363039303461
|
|
||||||
|
|
|
@ -5,8 +5,6 @@ dhcpd_primary: 172.23.13.3
|
||||||
|
|
||||||
dns_primary: 172.23.13.3
|
dns_primary: 172.23.13.3
|
||||||
|
|
||||||
doorlock_domain: lock-auweg.binary.kitchen
|
|
||||||
|
|
||||||
name_servers:
|
name_servers:
|
||||||
- 172.23.13.3
|
- 172.23.13.3
|
||||||
|
|
||||||
|
|
|
@ -3,5 +3,4 @@
|
||||||
radius_hostname: radius3.binary.kitchen
|
radius_hostname: radius3.binary.kitchen
|
||||||
|
|
||||||
slapd_hostname: ldap3.binary.kitchen
|
slapd_hostname: ldap3.binary.kitchen
|
||||||
slapd_replica_id: 3
|
|
||||||
slapd_role: slave
|
slapd_role: slave
|
||||||
|
|
|
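Review bot: `slapd_replica_id: 3` is dropped on the new side while `slapd_role: slave` and `slapd_hostname: ldap3.binary.kitchen` remain, and the same removal appears in the sections headed `@ -3,5 +3,4 @@` (ldap2) and `@ -13,5 +13,4 @@` (ldap1). The role that consumes these variables is not visible here, so I cannot tell whether the id is now taken from a role default; if the template still renders it, all three replicas either fail at template time or end up sharing one value where they previously had distinct ones. Please confirm the role no longer reads `slapd_replica_id` before the per-host values go, or keep the three distinct ids. The rest of each host file lies outside these hunks.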
@ -1,6 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
root_keys_host:
|
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyGAePGA47K+VNFcKdvcQG3xM3ywcnrVtUD7wPrIin1 christoph"
|
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
|
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINIhrQu5sf9LYoQ6ll1ShqDMX8xpsV9RUiaSw95JGafH flo@io3"
|
|
|
@ -3,5 +3,4 @@
|
||||||
radius_hostname: radius2.binary.kitchen
|
radius_hostname: radius2.binary.kitchen
|
||||||
|
|
||||||
slapd_hostname: ldap2.binary.kitchen
|
slapd_hostname: ldap2.binary.kitchen
|
||||||
slapd_replica_id: 2
|
|
||||||
slapd_role: slave
|
slapd_role: slave
|
||||||
|
|
|
@ -13,5 +13,4 @@ ntp_peers:
|
||||||
radius_hostname: radius1.binary.kitchen
|
radius_hostname: radius1.binary.kitchen
|
||||||
|
|
||||||
slapd_hostname: ldap1.binary.kitchen
|
slapd_hostname: ldap1.binary.kitchen
|
||||||
slapd_replica_id: 1
|
|
||||||
slapd_role: slave
|
slapd_role: slave
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
root_keys_host:
|
root_keys_host:
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
|
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB+wC+Lik9TNbRo40+e2BmJzJY8EuwRiJzKKvGCHlMmagOmZVf+zUmjc1uMvrgoA4UPJyKlkW1HqRhKLmsoccD2wg1JLlnjx6KBhiPGjPt833eWv0CyfJVqoHVPUs14BwCRGzuFZPXh8LC1XWiDlo23RC0RgPpk+wcOzf79ZivYSL4UNMcBIMIKmPlRwBLRUUXjYU2jgv1mWvIQVdKRbwmLk7FajREANKiLj+Tk+D4VmkDq6gUqXZHYbyUauwrtpYSv2JM6YQYhWz+eNXIID1NmlopAf66RwFxAaane6qMUMSCQw3HUBL2BjFGgmmdJPvsEfrj+S1CYh61iC1NHmPhP6DDnQO7aiP6dWLnRXLg4qcUaN0XGNZmhScls/jNbN4U+w6gIlR12KyoCJOK4pXiifBiuqmFGucyETex1jdKoaLPeB8Smu4HkFksmRgTZHbiYVvkgI/iW9KjBBzxCc8cwehabUpQ0DVN4chpFiFNHb3SfCh6W/3IKFcu4ou4lbvVowq+v/M7aDhjSqGEBMS/HRMQ8KteNTngFBcpTzMPBz1RQIOqlWUGp8yqu1SwZ/ZG1nMyUehchfkw/n+ML676UYMCZX2m7hqWXVccCnJLzFApv+0Lzqf3TNSbeLS1N/MDdjg+uejtj1889/leIF1/CnaHIs7WJN1qmdeVGw== anti"
|
||||||
- "ssh-rsa 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 noby"
|
- "ssh-rsa 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 noby"
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
root_keys_host:
|
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
|
|
|
@ -1,4 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
root_keys_host:
|
|
||||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
|
|
|
@ -2,4 +2,3 @@
|
||||||
|
|
||||||
root_keys_host:
|
root_keys_host:
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
||||||
- "ssh-rsa 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 noby"
|
|
||||||
|
|
|
@ -1,11 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
root_keys_host:
|
|
||||||
- "# Thomas Basler"
|
|
||||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
|
|
||||||
- "# Ralf Ramsauer"
|
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
|
|
||||||
- "# Thomas Schmid"
|
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
|
||||||
|
|
||||||
uau_reboot: "false"
|
|
|
@ -1,5 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
root_keys_host:
|
|
||||||
- "ssh-rsa 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 20170818Tobias@Teubl.de"
|
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"
|
|
|
@ -1,3 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
acertmgr_mode: standalone
|
|
|
@ -4,4 +4,3 @@ grafana_domain: zelle.binary-kitchen.de
|
||||||
|
|
||||||
root_keys_host:
|
root_keys_host:
|
||||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
|
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"
|
|
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
|
uau_reboot: "false"
|
||||||
sshd_password_authentication: "yes"
|
|
||||||
|
|
|
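Review bot: `uau_reboot: "false"` is the YAML string `"false"`, not a boolean, and a bare `when: uau_reboot` in the consuming role would evaluate it as true; this is only safe if that role casts it with `| bool`, which is not visible here. Writing it unquoted (`uau_reboot: false`) removes the ambiguity, and the same applies to the other host_vars files in this compare that use the quoted form. Note also that this host's explicit `sshd_password_authentication: "yes"` override is gone on the new side, so its effective setting now depends entirely on the sshd role's defaults.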
@ -1,4 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
root_keys_host:
|
|
||||||
- "ssh-rsa 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 noby"
|
|
|
@ -4,7 +4,8 @@ root_keys_host:
|
||||||
- "# Thomas Basler"
|
- "# Thomas Basler"
|
||||||
- "ssh-rsa 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"
|
- "ssh-rsa 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"
|
||||||
- "# Ralf Ramsauer"
|
- "# Ralf Ramsauer"
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
|
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2bKOm2jd2QsPaJPE4V3bHBLjXB3pnpggkdEhf03aFvB08C72vKQcHpIYNhp8DLBr4N5epA0JP1cXdRSdKhQgzYbqL8CQgOJoNwf0OeOhFyXdThu1OqmaRMrRGlB/Q+sqBEXaknHqcXzq+24zkR+ID7sGkq7WaIKPln0qNY5RxWYrPE98ZhU5fZh1Qorcv34UBHYhVP4y8vM43LHcbkLgr0gg9tb2vItF6YvyIxgtz6KCODObzBZfkLLnVhVcb9VWbDh72rIz4OXI1fl+mCCH2l7XlqKP1vhF5LVsUjPcGY3Go0fw2vHIyxWe479OJ/9elFnKRIUY/f1Xz+YikLTmj ralf@YUBIKEY"
|
||||||
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
|
||||||
- "# Thomas Schmid"
|
- "# Thomas Schmid"
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
||||||
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
root_keys_host:
|
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
|
|
@ -2,6 +2,6 @@
|
||||||
|
|
||||||
root_keys_host:
|
root_keys_host:
|
||||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
|
- "ssh-rsa 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 exxess"
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
|
||||||
|
|
||||||
uau_reboot: "false"
|
uau_reboot: "false"
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
root_keys_host:
|
||||||
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkN1eqP1Mv29z0npVznVJ4Cumyf4EoqS44xHKl0ms0e timo@charon"
|
|
@ -1,4 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
|
|
||||||
sshd_password_authentication: "yes"
|
|
|
@ -1,5 +1,4 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
root_keys_host:
|
root_keys_host:
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBMLLlnlzbf5GTes2QrxuOTAR0BWTtbqQS80yPfI0mbh timo@styx"
|
- "ssh-rsa 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 bedah@binary-kitchen.de"
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7oyUa65KoSuv9l8tH/zVgZZ5mg5P45RIhlRZSt/amL x70b1"
|
|
||||||
|
|
|
@ -1,7 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
root_keys_host:
|
|
||||||
- "# Thomas Schmid"
|
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
|
||||||
|
|
||||||
uau_reboot: "true"
|
|
|
@ -1,6 +1,5 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
root_keys_host:
|
root_keys_host:
|
||||||
- "ssh-rsa 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 exxess"
|
- "ssh-rsa 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 philmacfly"
|
||||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
|
- "ssh-rsa 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 philmacfly"
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
|
||||||
|
|
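Review bot: The new `root_keys_host` lists two `ssh-rsa` entries that both carry the comment `philmacfly`; the key material is elided in this view, so I cannot tell whether this is one key pasted twice or two different devices. If it is a duplicate, drop one; if they are distinct keys, give each a distinguishing comment (e.g. `philmacfly@laptop`) so a later revocation removes the right one. Several other host_vars files in this tree put a `# Name` line above each owner's keys, which would help here as well since these keys grant root login.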
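--- a/hosts
+++ b/hosts
@@ -6,17 +6,12 @@ sulis.binary.kitchen ansible_host=172.23.2.5
 nabia.binary.kitchen ansible_host=172.23.2.6
 epona.binary.kitchen ansible_host=172.23.2.7
 pizza.binary.kitchen ansible_host=172.23.2.33
-pancake.binary.kitchen ansible_host=172.23.2.34
-knoedel.binary.kitchen ansible_host=172.23.2.35
 bob.binary.kitchen ansible_host=172.23.2.37
-lasagne.binary.kitchen ansible_host=172.23.2.38
-tschunk.binary.kitchen ansible_host=172.23.2.39
 bowle.binary.kitchen ansible_host=172.23.2.62
 salat.binary.kitchen ansible_host=172.23.9.61
 [auweg]
-weizen.binary.kitchen ansible_host=172.23.12.61
 aeron.binary.kitchen ansible_host=172.23.13.3
-lock-auweg.binary.kitchen ansible_host=172.23.13.12
+weizen.binary.kitchen ansible_host=172.23.12.61
 [fan_rz]
 helium.binary-kitchen.net
 lithium.binary-kitchen.net
@@ -28,16 +23,10 @@ oxygen.binary-kitchen.net
 fluorine.binary-kitchen.net
 neon.binary-kitchen.net
 sodium.binary-kitchen.net
-magnesium.binary-kitchen.net
-aluminium.binary-kitchen.net
 krypton.binary-kitchen.net
 yttrium.binary-kitchen.net
 zirconium.binary-kitchen.net
 molybdenum.binary-kitchen.net
-technetium.binary-kitchen.net
 ruthenium.binary-kitchen.net
 rhodium.binary-kitchen.net
-palladium.binary-kitchen.net
-argentum.binary-kitchen.net
-cadmium.binary-kitchen.net
 barium.binary-kitchen.net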
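Review bot: Dropping a host from the inventory does not decommission it: pancake, knoedel, lasagne, tschunk, lock-auweg and the fan_rz nodes magnesium, aluminium, technetium, palladium, argentum and cadmium stop receiving the baseline applied by `site.yml` (root key list, reboot policy and whatever else the common role enforces), while, if still powered on, they stay reachable with whatever keys and sshd configuration they last received. If these machines are retired, a one-line comment or a note in the commit saying so would make that clear; if they are still running, they should remain in the inventory or move to an explicitly excluded group so their access lists keep getting updated. lock-auweg, judging by its name a door-lock controller, is the one I would confirm first.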
@ -1,49 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Install packages
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- docker-compose
|
|
||||||
|
|
||||||
- name: Create 23b group
|
|
||||||
group: name=23b
|
|
||||||
|
|
||||||
- name: Create 23b user
|
|
||||||
user:
|
|
||||||
name: 23b
|
|
||||||
home: /opt/23b
|
|
||||||
shell: /bin/bash
|
|
||||||
group: 23b
|
|
||||||
groups: docker
|
|
||||||
|
|
||||||
# docker-compolse.yml is managed outside ansible
|
|
||||||
|
|
||||||
- name: Ensure certificates are available
|
|
||||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ bk23b_domain }}.key -out /etc/nginx/ssl/{{ bk23b_domain }}.crt -days 730 -subj "/CN={{ bk23b_domain }}" creates=/etc/nginx/ssl/{{ bk23b_domain }}.crt
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Configure certificate manager for 23b
|
|
||||||
template: src=certs.j2 dest=/etc/acertmgr/{{ bk23b_domain }}.conf
|
|
||||||
notify: Run acertmgr
|
|
||||||
|
|
||||||
- name: Configure vhost
|
|
||||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/23b
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Enable vhost
|
|
||||||
file: src=/etc/nginx/sites-available/23b dest=/etc/nginx/sites-enabled/23b state=link
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Systemd unit for 23b
|
|
||||||
template: src=23b.service.j2 dest=/etc/systemd/system/23b.service
|
|
||||||
notify:
|
|
||||||
- Reload systemd
|
|
||||||
- Restart 23b
|
|
||||||
|
|
||||||
- name: Start the 23b service
|
|
||||||
service: name=23b state=started enabled=yes
|
|
||||||
|
|
||||||
- name: Enable monitoring
|
|
||||||
include_role: name=icinga-monitor tasks_from=http
|
|
||||||
vars:
|
|
||||||
vhost: "{{ bk23b_domain }}"
|
|
|
@ -1,28 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=23b service using docker compose
|
|
||||||
Requires=docker.service
|
|
||||||
After=docker.service
|
|
||||||
Before=nginx.service
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=simple
|
|
||||||
|
|
||||||
User=23b
|
|
||||||
Group=23b
|
|
||||||
|
|
||||||
Restart=always
|
|
||||||
TimeoutStartSec=1200
|
|
||||||
|
|
||||||
WorkingDirectory=/opt/23b/23b/23b
|
|
||||||
|
|
||||||
# Make sure no old containers are running
|
|
||||||
ExecStartPre=/usr/bin/docker-compose down -v
|
|
||||||
|
|
||||||
# Compose up
|
|
||||||
ExecStart=/usr/bin/docker-compose up
|
|
||||||
|
|
||||||
# Compose down, remove containers and volumes
|
|
||||||
ExecStop=/usr/bin/docker-compose down -v
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
|
@ -1,36 +0,0 @@
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
|
|
||||||
server_name {{ bk23b_domain }};
|
|
||||||
|
|
||||||
location /.well-known/acme-challenge {
|
|
||||||
default_type "text/plain";
|
|
||||||
alias /var/www/acme-challenge;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 301 https://{{ bk23b_domain }}$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name {{ bk23b_domain }};
|
|
||||||
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/{{ bk23b_domain }}.key;
|
|
||||||
ssl_certificate /etc/nginx/ssl/{{ bk23b_domain }}.crt;
|
|
||||||
|
|
||||||
# set max upload size
|
|
||||||
client_max_body_size 8M;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://localhost:5000;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,7 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
actrunner_user: act_runner
|
|
||||||
actrunner_group: act_runner
|
|
||||||
|
|
||||||
actrunner_version: 0.2.10
|
|
||||||
actrunner_url: https://gitea.com/gitea/act_runner/releases/download/v{{ actrunner_version }}/act_runner-{{ actrunner_version }}-linux-amd64
|
|
|
@ -1,7 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Reload systemd
|
|
||||||
systemd: daemon_reload=yes
|
|
||||||
|
|
||||||
- name: Restart act_runner
|
|
||||||
service: name=act_runner state=restarted
|
|
|
@ -1,35 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Create group
|
|
||||||
group: name={{ actrunner_group }}
|
|
||||||
|
|
||||||
- name: Create user
|
|
||||||
user: name={{ actrunner_user }} home=/var/lib/act_runner group={{ actrunner_group }} groups=docker
|
|
||||||
|
|
||||||
- name: Create directories
|
|
||||||
file: path={{ item }} state=directory owner={{ actrunner_user }} group={{ actrunner_group }}
|
|
||||||
with_items:
|
|
||||||
- /etc/act_runner
|
|
||||||
- /var/lib/act_runner
|
|
||||||
|
|
||||||
- name: Download act_runner binary
|
|
||||||
get_url: url={{ actrunner_url }} dest=/usr/local/bin/act_runner-{{ actrunner_version }} mode=0755
|
|
||||||
register: runner_download
|
|
||||||
|
|
||||||
- name: Symlink act_runner binary
|
|
||||||
file: src=/usr/local/bin/act_runner-{{ actrunner_version }} dest=/usr/local/bin/act_runner state=link
|
|
||||||
when: runner_download.changed
|
|
||||||
notify: Restart act_runner
|
|
||||||
|
|
||||||
- name: Configure act_runner
|
|
||||||
template: src=config.yaml.j2 dest=/etc/act_runner/config.yaml owner={{ actrunner_user }} group={{ actrunner_group }}
|
|
||||||
notify: Restart act_runner
|
|
||||||
|
|
||||||
- name: Install systemd unit
|
|
||||||
template: src=act_runner.service.j2 dest=/lib/systemd/system/act_runner.service
|
|
||||||
notify:
|
|
||||||
- Reload systemd
|
|
||||||
- Restart act_runner
|
|
||||||
|
|
||||||
- name: Enable act_runner
|
|
||||||
service: name=act_runner state=started enabled=yes
|
|
|
@ -1,16 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=Gitea Actions runner
|
|
||||||
Documentation=https://gitea.com/gitea/act_runner
|
|
||||||
After=docker.service
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
|
|
||||||
ExecReload=/bin/kill -s HUP $MAINPID
|
|
||||||
WorkingDirectory=/var/lib/act_runner
|
|
||||||
TimeoutSec=0
|
|
||||||
RestartSec=10
|
|
||||||
Restart=always
|
|
||||||
User={{ actrunner_user }}
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
|
@ -1,86 +0,0 @@
|
||||||
log:
|
|
||||||
# The level of logging, can be trace, debug, info, warn, error, fatal
|
|
||||||
level: warn
|
|
||||||
|
|
||||||
runner:
|
|
||||||
# Where to store the registration result.
|
|
||||||
file: .runner
|
|
||||||
# Execute how many tasks concurrently at the same time.
|
|
||||||
capacity: 4
|
|
||||||
# Extra environment variables to run jobs.
|
|
||||||
envs:
|
|
||||||
# Extra environment variables to run jobs from a file.
|
|
||||||
# It will be ignored if it's empty or the file doesn't exist.
|
|
||||||
env_file: .env
|
|
||||||
# The timeout for a job to be finished.
|
|
||||||
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
|
|
||||||
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
|
|
||||||
timeout: 3h
|
|
||||||
# Whether skip verifying the TLS certificate of the Gitea instance.
|
|
||||||
insecure: false
|
|
||||||
# The timeout for fetching the job from the Gitea instance.
|
|
||||||
fetch_timeout: 5s
|
|
||||||
# The interval for fetching the job from the Gitea instance.
|
|
||||||
fetch_interval: 2s
|
|
||||||
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
|
|
||||||
# Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
|
|
||||||
# If it's empty when registering, it will ask for inputting labels.
|
|
||||||
# If it's empty when execute `deamon`, will use labels in `.runner` file.
|
|
||||||
labels: [
|
|
||||||
"ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest",
|
|
||||||
"ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04",
|
|
||||||
"ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04",
|
|
||||||
]
|
|
||||||
|
|
||||||
cache:
|
|
||||||
# Enable cache server to use actions/cache.
|
|
||||||
enabled: true
|
|
||||||
# The directory to store the cache data.
|
|
||||||
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
|
|
||||||
dir: ""
|
|
||||||
# The host of the cache server.
|
|
||||||
# It's not for the address to listen, but the address to connect from job containers.
|
|
||||||
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
|
|
||||||
host: ""
|
|
||||||
# The port of the cache server.
|
|
||||||
# 0 means to use a random available port.
|
|
||||||
port: 0
|
|
||||||
# The external cache server URL. Valid only when enable is true.
|
|
||||||
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
|
|
||||||
# The URL should generally end with "/".
|
|
||||||
external_server: ""
|
|
||||||
|
|
||||||
container:
|
|
||||||
# Specifies the network to which the container will connect.
|
|
||||||
# Could be host, bridge or the name of a custom network.
|
|
||||||
# If it's empty, act_runner will create a network automatically.
|
|
||||||
network: ""
|
|
||||||
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
|
|
||||||
privileged: false
|
|
||||||
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
|
|
||||||
options:
|
|
||||||
# The parent directory of a job's working directory.
|
|
||||||
# If it's empty, /workspace will be used.
|
|
||||||
workdir_parent:
|
|
||||||
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
|
|
||||||
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
|
|
||||||
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
|
|
||||||
# valid_volumes:
|
|
||||||
# - data
|
|
||||||
# - /src/*.json
|
|
||||||
# If you want to allow any volume, please use the following configuration:
|
|
||||||
# valid_volumes:
|
|
||||||
# - '**'
|
|
||||||
valid_volumes: []
|
|
||||||
# overrides the docker client host with the specified one.
|
|
||||||
# If it's empty, act_runner will find an available docker host automatically.
|
|
||||||
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
|
|
||||||
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
|
|
||||||
docker_host: ""
|
|
||||||
# Pull docker image(s) even if already present
|
|
||||||
force_pull: false
|
|
||||||
|
|
||||||
host:
|
|
||||||
# The parent directory of a job's working directory.
|
|
||||||
# If it's empty, $HOME/.cache/act/ will be used.
|
|
||||||
workdir_parent:
|
|
|
@ -1,13 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Reload systemd
|
|
||||||
systemd: daemon_reload=yes
|
|
||||||
|
|
||||||
- name: Restart authentik
|
|
||||||
service: name=authentik state=restarted
|
|
||||||
|
|
||||||
- name: Restart nginx
|
|
||||||
service: name=nginx state=restarted
|
|
||||||
|
|
||||||
- name: Run acertmgr
|
|
||||||
command: /usr/bin/acertmgr
|
|
|
@ -1,51 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Install packages
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- docker-compose
|
|
||||||
|
|
||||||
- name: Create authentik group
|
|
||||||
group: name=authentik
|
|
||||||
|
|
||||||
- name: Create authentik user
|
|
||||||
user:
|
|
||||||
name: authentik
|
|
||||||
home: /opt/authentik
|
|
||||||
shell: /bin/bash
|
|
||||||
group: authentik
|
|
||||||
groups: docker
|
|
||||||
|
|
||||||
- name: Configure authentik container
|
|
||||||
template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml
|
|
||||||
notify: Restart authentik
|
|
||||||
|
|
||||||
- name: Ensure certificates are available
|
|
||||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ authentik_domain }}.key -out /etc/nginx/ssl/{{ authentik_domain }}.crt -days 730 -subj "/CN={{ authentik_domain }}" creates=/etc/nginx/ssl/{{ authentik_domain }}.crt
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Configure certificate manager for authentik
|
|
||||||
template: src=certs.j2 dest=/etc/acertmgr/{{ authentik_domain }}.conf
|
|
||||||
notify: Run acertmgr
|
|
||||||
|
|
||||||
- name: Configure vhost
|
|
||||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/authentik
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Enable vhost
|
|
||||||
file: src=/etc/nginx/sites-available/authentik dest=/etc/nginx/sites-enabled/authentik state=link
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Systemd unit for authentik
|
|
||||||
template: src=authentik.service.j2 dest=/etc/systemd/system/authentik.service
|
|
||||||
notify:
|
|
||||||
- Reload systemd
|
|
||||||
- Restart authentik
|
|
||||||
|
|
||||||
- name: Start the authentik service
|
|
||||||
service: name=authentik state=started enabled=yes
|
|
||||||
|
|
||||||
- name: Enable monitoring
|
|
||||||
include_role: name=icinga-monitor tasks_from=http
|
|
||||||
vars:
|
|
||||||
vhost: "{{ authentik_domain }}"
|
|
|
@ -1,28 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=authentik service using docker compose
|
|
||||||
Requires=docker.service
|
|
||||||
After=docker.service
|
|
||||||
Before=nginx.service
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=simple
|
|
||||||
|
|
||||||
User=authentik
|
|
||||||
Group=authentik
|
|
||||||
|
|
||||||
Restart=always
|
|
||||||
TimeoutStartSec=1200
|
|
||||||
|
|
||||||
WorkingDirectory=/opt/authentik
|
|
||||||
|
|
||||||
# Make sure no old containers are running
|
|
||||||
ExecStartPre=/usr/bin/docker-compose down -v
|
|
||||||
|
|
||||||
# Compose up
|
|
||||||
ExecStart=/usr/bin/docker-compose up
|
|
||||||
|
|
||||||
# Compose down, remove containers and volumes
|
|
||||||
ExecStop=/usr/bin/docker-compose down -v
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
|
@ -1,15 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
{{ authentik_domain }}:
|
|
||||||
- path: /etc/nginx/ssl/{{ authentik_domain }}.key
|
|
||||||
user: root
|
|
||||||
group: root
|
|
||||||
perm: '400'
|
|
||||||
format: key
|
|
||||||
action: '/usr/sbin/service nginx restart'
|
|
||||||
- path: /etc/nginx/ssl/{{ authentik_domain }}.crt
|
|
||||||
user: root
|
|
||||||
group: root
|
|
||||||
perm: '400'
|
|
||||||
format: crt,ca
|
|
||||||
action: '/usr/sbin/service nginx restart'
|
|
|
@ -1,75 +0,0 @@
|
||||||
---
|
|
||||||
version: "3.4"
|
|
||||||
services:
|
|
||||||
postgresql:
|
|
||||||
image: docker.io/library/postgres:12-alpine
|
|
||||||
restart: unless-stopped
|
|
||||||
healthcheck:
|
|
||||||
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
|
|
||||||
start_period: 20s
|
|
||||||
interval: 30s
|
|
||||||
retries: 5
|
|
||||||
timeout: 5s
|
|
||||||
volumes:
|
|
||||||
- ./database:/var/lib/postgresql/data
|
|
||||||
environment:
|
|
||||||
POSTGRES_PASSWORD: {{ authentik_dbpass }}
|
|
||||||
POSTGRES_USER: {{ authentik_dbuser }}
|
|
||||||
POSTGRES_DB: {{ authentik_dbname }}
|
|
||||||
redis:
|
|
||||||
image: docker.io/library/redis:alpine
|
|
||||||
command: --save 60 1 --loglevel warning
|
|
||||||
restart: unless-stopped
|
|
||||||
healthcheck:
|
|
||||||
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
|
|
||||||
start_period: 20s
|
|
||||||
interval: 30s
|
|
||||||
retries: 5
|
|
||||||
timeout: 3s
|
|
||||||
volumes:
|
|
||||||
- ./redis:/data
|
|
||||||
server:
|
|
||||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
|
|
||||||
restart: unless-stopped
|
|
||||||
command: server
|
|
||||||
environment:
|
|
||||||
AUTHENTIK_REDIS__HOST: redis
|
|
||||||
AUTHENTIK_POSTGRESQL__HOST: postgresql
|
|
||||||
AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
|
|
||||||
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
|
|
||||||
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
|
|
||||||
AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
|
|
||||||
volumes:
|
|
||||||
- ./media:/media
|
|
||||||
- ./custom-templates:/templates
|
|
||||||
ports:
|
|
||||||
- "127.0.0.1:9000:9000"
|
|
||||||
depends_on:
|
|
||||||
- postgresql
|
|
||||||
- redis
|
|
||||||
worker:
|
|
||||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
|
|
||||||
restart: unless-stopped
|
|
||||||
command: worker
|
|
||||||
environment:
|
|
||||||
AUTHENTIK_REDIS__HOST: redis
|
|
||||||
AUTHENTIK_POSTGRESQL__HOST: postgresql
|
|
||||||
AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
|
|
||||||
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
|
|
||||||
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
|
|
||||||
AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
|
|
||||||
# `user: root` and the docker socket volume are optional.
|
|
||||||
# See more for the docker socket integration here:
|
|
||||||
# https://goauthentik.io/docs/outposts/integrations/docker
|
|
||||||
# Removing `user: root` also prevents the worker from fixing the permissions
|
|
||||||
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
|
|
||||||
# (1000:1000 by default)
|
|
||||||
user: root
|
|
||||||
volumes:
|
|
||||||
- /var/run/docker.sock:/var/run/docker.sock
|
|
||||||
- ./media:/media
|
|
||||||
- ./certs:/certs
|
|
||||||
- ./custom-templates:/templates
|
|
||||||
depends_on:
|
|
||||||
- postgresql
|
|
||||||
- redis
|
|
|
@ -1,41 +0,0 @@
|
||||||
map $http_upgrade $connection_upgrade {
|
|
||||||
default upgrade;
|
|
||||||
'' close;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
|
|
||||||
server_name {{ authentik_domain }};
|
|
||||||
|
|
||||||
location /.well-known/acme-challenge {
|
|
||||||
default_type "text/plain";
|
|
||||||
alias /var/www/acme-challenge;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 301 https://{{ authentik_domain }}$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name {{ authentik_domain }};
|
|
||||||
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/{{ authentik_domain }}.key;
|
|
||||||
ssl_certificate /etc/nginx/ssl/{{ authentik_domain }}.crt;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://localhost:9000;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection $connection_upgrade;
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,4 +1,4 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
dss_uwsgi_port: 5001
|
dss_uwsgi_port: 5001
|
||||||
dss_version: 0.8.5
|
dss_version: 0.8.4
|
||||||
|
|
|
@ -44,8 +44,3 @@
|
||||||
- name: Enable vhosts
|
- name: Enable vhosts
|
||||||
file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
|
file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
|
||||||
- name: Enable monitoring
|
|
||||||
include_role: name=icinga-monitor tasks_from=http
|
|
||||||
vars:
|
|
||||||
vhost: "{{ dss_domain }}"
|
|
||||||
|
|
|
@ -1,14 +1,12 @@
|
||||||
DEBUG = True
|
DEBUG = True
|
||||||
REMEMBER_COOKIE_SECURE = True
|
|
||||||
SECRET_KEY = "{{ dss_secret }}"
|
SECRET_KEY = "{{ dss_secret }}"
|
||||||
SESSION_COOKIE_SECURE = True
|
|
||||||
SESSION_TIMEOUT = 3600
|
SESSION_TIMEOUT = 3600
|
||||||
|
|
||||||
LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
|
LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
|
||||||
LDAP_URI = "{{ ldap_uri }}"
|
LDAP_URI = "{{ ldap_uri }}"
|
||||||
LDAP_BASE = "{{ ldap_base }}"
|
LDAP_BASE = "{{ ldap_base }}"
|
||||||
|
|
||||||
ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=anke,ou=people,dc=binary-kitchen,dc=de", "cn=toffy,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
|
ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=marove,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
|
||||||
|
|
||||||
USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
|
USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
|
||||||
|
|
||||||
|
@ -30,7 +28,7 @@ USER_ATTRS = {
|
||||||
'userPassword' : '{pass}'
|
'userPassword' : '{pass}'
|
||||||
}
|
}
|
||||||
|
|
||||||
GROUP_FILTER = "(objectClass=posixGroup)"
|
GROUP_DN = 'cn=members,ou=groups,dc=binary-kitchen,dc=de'
|
||||||
|
|
||||||
REDIS_HOST = "127.0.0.1"
|
REDIS_HOST = "127.0.0.1"
|
||||||
REDIS_PASSWD = None
|
REDIS_PASSWD = None
|
||||||
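Review bot: The new side keeps `DEBUG = True` but no longer sets `SESSION_COOKIE_SECURE = True` and `REMEMBER_COOKIE_SECURE = True` (first hunk, `@ -1,14 +1,12 @@`), so the Flask session and remember-me cookies are issued without the Secure flag and a browser will attach them to any plain-HTTP request for the host, while the Werkzeug debugger stays reachable in a deployed config. The nginx hunk at the top of this compare forwards `X-Forwarded-Proto`, which suggests TLS is terminated in front of the app, so the flags cost nothing to keep. I'd restore `SESSION_COOKIE_SECURE = True` and `REMEMBER_COOKIE_SECURE = True` and set `DEBUG = False`, driving it from a role variable if a debug deployment is ever needed.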
|
|
|
@ -6,6 +6,3 @@ logrotate_excludes:
|
||||||
- "/etc/logrotate.d/dbconfig-common"
|
- "/etc/logrotate.d/dbconfig-common"
|
||||||
- "/etc/logrotate.d/btmp"
|
- "/etc/logrotate.d/btmp"
|
||||||
- "/etc/logrotate.d/wtmp"
|
- "/etc/logrotate.d/wtmp"
|
||||||
|
|
||||||
sshd_password_authentication: "no"
|
|
||||||
sshd_permit_root_login: "prohibit-password"
|
|
||||||
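Review bot: The new side removes `sshd_password_authentication: "no"` and `sshd_permit_root_login: "prohibit-password"`, and the matching `Configure sshd` task (hunk `@ -90,25 +88,16 @@` of the tasks file), the `Restart sshd` handler and the whole `sshd_config.j2` template are gone as well, so no sshd setting is managed on the new side at all. OpenSSH's own default for `PasswordAuthentication` is `yes`, so every host the role previously forced to key-only login silently accepts password logins again and is exposed to credential guessing, while `PermitRootLogin` merely falls back to the same `prohibit-password` default. If a full `sshd_config` template is not wanted, a drop-in is enough: a file under `/etc/ssh/sshd_config.d/` containing `PasswordAuthentication no`, which the `Include /etc/ssh/sshd_config.d/*.conf` line seen in the removed template picks up on Debian.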
|
|
|
@ -6,9 +6,6 @@
|
||||||
- name: Restart journald
|
- name: Restart journald
|
||||||
service: name=systemd-journald state=restarted
|
service: name=systemd-journald state=restarted
|
||||||
|
|
||||||
- name: Restart sshd
|
|
||||||
service: name=sshd state=restarted
|
|
||||||
|
|
||||||
- name: update-grub
|
- name: update-grub
|
||||||
command: update-grub
|
command: update-grub
|
||||||
|
|
||||||
|
|
|
@ -5,7 +5,6 @@
|
||||||
name:
|
name:
|
||||||
- apt-transport-https
|
- apt-transport-https
|
||||||
- dnsutils
|
- dnsutils
|
||||||
- fdisk
|
|
||||||
- gnupg2
|
- gnupg2
|
||||||
- htop
|
- htop
|
||||||
- less
|
- less
|
||||||
|
@ -16,7 +15,6 @@
|
||||||
- rsync
|
- rsync
|
||||||
- sudo
|
- sudo
|
||||||
- vim-nox
|
- vim-nox
|
||||||
- wget
|
|
||||||
- zsh
|
- zsh
|
||||||
|
|
||||||
- name: Install software on KVM VMs
|
- name: Install software on KVM VMs
|
||||||
|
@ -30,10 +28,10 @@
|
||||||
copy: src={{ item.src }} dest={{ item.dest }}
|
copy: src={{ item.src }} dest={{ item.dest }}
|
||||||
diff: no
|
diff: no
|
||||||
with_items:
|
with_items:
|
||||||
- { src: ".zshrc", dest: "/root/.zshrc" }
|
- { src: '.zshrc', dest: '/root/.zshrc' }
|
||||||
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
|
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
||||||
- { src: "motd", dest: "/etc/motd" }
|
- { src: 'motd', dest: '/etc/motd' }
|
||||||
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
|
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
|
||||||
|
|
||||||
- name: Set shell for root user
|
- name: Set shell for root user
|
||||||
user: name=root shell=/bin/zsh
|
user: name=root shell=/bin/zsh
|
||||||
|
@ -54,8 +52,8 @@
|
||||||
- name: Prevent normal users from running su
|
- name: Prevent normal users from running su
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/pam.d/su
|
path: /etc/pam.d/su
|
||||||
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
|
regexp: '^.*auth\s+required\s+pam_wheel.so$'
|
||||||
line: "auth required pam_wheel.so"
|
line: 'auth required pam_wheel.so'
|
||||||
|
|
||||||
- name: Configure journald retention
|
- name: Configure journald retention
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
@ -90,25 +88,16 @@
|
||||||
set_fact:
|
set_fact:
|
||||||
logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
|
logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
|
||||||
|
|
||||||
- name: "Set logrotate.d/* to daily"
|
- name: 'Set logrotate.d/* to daily'
|
||||||
replace:
|
replace:
|
||||||
path: "{{ item }}"
|
path: "{{ item }}"
|
||||||
regexp: "(?:weekly|monthly)"
|
regexp: "(?:weekly|monthly)"
|
||||||
replace: "daily"
|
replace: "daily"
|
||||||
loop: "{{ logrotateconfigpaths }}"
|
loop: "{{ logrotateconfigpaths }}"
|
||||||
|
|
||||||
- name: "Set /etc/logrotate.d/* rotation to 7"
|
- name: 'Set /etc/logrotate.d/* rotation to 7'
|
||||||
replace:
|
replace:
|
||||||
path: "{{ item }}"
|
path: "{{ item }}"
|
||||||
regexp: "rotate [0-9]+"
|
regexp: "rotate [0-9]+"
|
||||||
replace: "rotate 7"
|
replace: "rotate 7"
|
||||||
loop: "{{ logrotateconfigpaths }}"
|
loop: "{{ logrotateconfigpaths }}"
|
||||||
|
|
||||||
- name: Configure sshd
|
|
||||||
template:
|
|
||||||
src: sshd_config.j2
|
|
||||||
dest: /etc/ssh/sshd_config
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '0644'
|
|
||||||
notify: Restart sshd
|
|
||||||
|
|
|
@ -15,10 +15,10 @@
|
||||||
copy: src={{ item.src }} dest={{ item.dest }}
|
copy: src={{ item.src }} dest={{ item.dest }}
|
||||||
diff: no
|
diff: no
|
||||||
with_items:
|
with_items:
|
||||||
- { src: ".zshrc", dest: "/root/.zshrc" }
|
- { src: '.zshrc', dest: '/root/.zshrc' }
|
||||||
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
|
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
||||||
- { src: "motd", dest: "/etc/motd" }
|
- { src: 'motd', dest: '/etc/motd' }
|
||||||
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
|
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
|
||||||
|
|
||||||
- name: Set shell for root user
|
- name: Set shell for root user
|
||||||
user: name=root shell=/bin/zsh
|
user: name=root shell=/bin/zsh
|
||||||
|
|
|
@ -2,20 +2,20 @@
|
||||||
|
|
||||||
- name: Cleanup
|
- name: Cleanup
|
||||||
apt: autoclean=yes
|
apt: autoclean=yes
|
||||||
when: ansible_os_family == "Debian"
|
when: ansible_os_family == 'Debian'
|
||||||
|
|
||||||
- name: Gather package facts
|
- name: Gather package facts
|
||||||
package_facts:
|
package_facts:
|
||||||
manager: apt
|
manager: apt
|
||||||
when: ansible_os_family == "Debian"
|
when: ansible_os_family == 'Debian'
|
||||||
|
|
||||||
- name: Proxmox
|
- name: Proxmox
|
||||||
include: Proxmox.yml
|
include: Proxmox.yml
|
||||||
when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages
|
when: ansible_os_family == 'Debian' and 'pve-manager' in ansible_facts.packages
|
||||||
|
|
||||||
- name: Debian
|
- name: Debian
|
||||||
include: Debian.yml
|
include: Debian.yml
|
||||||
when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
|
when: ansible_os_family == 'Debian' and 'pve-manager' not in ansible_facts.packages
|
||||||
|
|
||||||
- name: Setup chrony
|
- name: Setup chrony
|
||||||
include: chrony.yml
|
include: chrony.yml
|
||||||
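Review bot: `include: Proxmox.yml`, `include: Debian.yml` and `include: chrony.yml` still use the bare `include` action on the new side; it has long been deprecated in favour of `import_tasks`/`include_tasks` and has been removed from current ansible-core, so this file stops parsing on a fresh controller. Replacing the three lines with `import_tasks: Proxmox.yml` (and likewise for the other two) keeps the `when:` conditions working unchanged, since they are applied to each imported task.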
|
|
|
@ -1,9 +1,6 @@
|
||||||
# Welcome to the chrony configuration file. See chrony.conf(5) for more
|
# Welcome to the chrony configuration file. See chrony.conf(5) for more
|
||||||
# information about usable directives.
|
# information about usable directives.
|
||||||
|
|
||||||
# Include configuration files found in /etc/chrony/conf.d.
|
|
||||||
confdir /etc/chrony/conf.d
|
|
||||||
|
|
||||||
{% for srv in ntp_servers %}
|
{% for srv in ntp_servers %}
|
||||||
server {{ srv }} iburst
|
server {{ srv }} iburst
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
@ -26,9 +23,6 @@ keyfile /etc/chrony/chrony.keys
|
||||||
# information.
|
# information.
|
||||||
driftfile /var/lib/chrony/chrony.drift
|
driftfile /var/lib/chrony/chrony.drift
|
||||||
|
|
||||||
# Save NTS keys and cookies.
|
|
||||||
ntsdumpdir /var/lib/chrony
|
|
||||||
|
|
||||||
# Uncomment the following line to turn logging on.
|
# Uncomment the following line to turn logging on.
|
||||||
#log tracking measurements statistics
|
#log tracking measurements statistics
|
||||||
|
|
||||||
|
@ -39,7 +33,7 @@ logdir /var/log/chrony
|
||||||
maxupdateskew 100.0
|
maxupdateskew 100.0
|
||||||
|
|
||||||
# This directive enables kernel synchronisation (every 11 minutes) of the
|
# This directive enables kernel synchronisation (every 11 minutes) of the
|
||||||
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
|
# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
|
||||||
rtcsync
|
rtcsync
|
||||||
|
|
||||||
# Step the system clock instead of slewing it if the adjustment is larger than
|
# Step the system clock instead of slewing it if the adjustment is larger than
|
||||||
|
|
|
@ -1,132 +0,0 @@
|
||||||
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
|
|
||||||
|
|
||||||
# This is the sshd server system-wide configuration file. See
|
|
||||||
# sshd_config(5) for more information.
|
|
||||||
|
|
||||||
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
|
|
||||||
|
|
||||||
# The strategy used for options in the default sshd_config shipped with
|
|
||||||
# OpenSSH is to specify options with their default value where
|
|
||||||
# possible, but leave them commented. Uncommented options override the
|
|
||||||
# default value.
|
|
||||||
|
|
||||||
Include /etc/ssh/sshd_config.d/*.conf
|
|
||||||
|
|
||||||
#Port 22
|
|
||||||
#AddressFamily any
|
|
||||||
#ListenAddress 0.0.0.0
|
|
||||||
#ListenAddress ::
|
|
||||||
|
|
||||||
#HostKey /etc/ssh/ssh_host_rsa_key
|
|
||||||
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
||||||
#HostKey /etc/ssh/ssh_host_ed25519_key
|
|
||||||
|
|
||||||
# Ciphers and keying
|
|
||||||
#RekeyLimit default none
|
|
||||||
|
|
||||||
# Logging
|
|
||||||
#SyslogFacility AUTH
|
|
||||||
#LogLevel INFO
|
|
||||||
|
|
||||||
# Authentication:
|
|
||||||
|
|
||||||
#LoginGraceTime 2m
|
|
||||||
PermitRootLogin {{ sshd_permit_root_login }}
|
|
||||||
#StrictModes yes
|
|
||||||
#MaxAuthTries 6
|
|
||||||
#MaxSessions 10
|
|
||||||
|
|
||||||
#PubkeyAuthentication yes
|
|
||||||
|
|
||||||
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
|
|
||||||
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
|
|
||||||
|
|
||||||
#AuthorizedPrincipalsFile none
|
|
||||||
|
|
||||||
{% if sshd_authkeys_command is defined and sshd_authkeys_command %}
|
|
||||||
AuthorizedKeysCommand {{ sshd_authkeys_command }}
|
|
||||||
{% if sshd_authkeys_user is defined and sshd_authkeys_user %}
|
|
||||||
AuthorizedKeysCommandUser {{ sshd_authkeys_user }}
|
|
||||||
{% else %}
|
|
||||||
AuthorizedKeysCommandUser nobody
|
|
||||||
{% endif %}
|
|
||||||
{% else %}
|
|
||||||
#AuthorizedKeysCommand none
|
|
||||||
#AuthorizedKeysCommandUser nobody
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
|
||||||
#HostbasedAuthentication no
|
|
||||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
|
||||||
# HostbasedAuthentication
|
|
||||||
#IgnoreUserKnownHosts no
|
|
||||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
|
||||||
#IgnoreRhosts yes
|
|
||||||
|
|
||||||
# To disable tunneled clear text passwords, change to no here!
|
|
||||||
PasswordAuthentication {{ sshd_password_authentication }}
|
|
||||||
#PermitEmptyPasswords no
|
|
||||||
|
|
||||||
# Change to yes to enable challenge-response passwords (beware issues with
|
|
||||||
# some PAM modules and threads)
|
|
||||||
ChallengeResponseAuthentication no
|
|
||||||
|
|
||||||
# Kerberos options
|
|
||||||
#KerberosAuthentication no
|
|
||||||
#KerberosOrLocalPasswd yes
|
|
||||||
#KerberosTicketCleanup yes
|
|
||||||
#KerberosGetAFSToken no
|
|
||||||
|
|
||||||
# GSSAPI options
|
|
||||||
#GSSAPIAuthentication no
|
|
||||||
#GSSAPICleanupCredentials yes
|
|
||||||
#GSSAPIStrictAcceptorCheck yes
|
|
||||||
#GSSAPIKeyExchange no
|
|
||||||
|
|
||||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
|
||||||
# and session processing. If this is enabled, PAM authentication will
|
|
||||||
# be allowed through the ChallengeResponseAuthentication and
|
|
||||||
# PasswordAuthentication. Depending on your PAM configuration,
|
|
||||||
# PAM authentication via ChallengeResponseAuthentication may bypass
|
|
||||||
# the setting of "PermitRootLogin without-password".
|
|
||||||
# If you just want the PAM account and session checks to run without
|
|
||||||
# PAM authentication, then enable this but set PasswordAuthentication
|
|
||||||
# and ChallengeResponseAuthentication to 'no'.
|
|
||||||
UsePAM yes
|
|
||||||
|
|
||||||
#AllowAgentForwarding yes
|
|
||||||
#AllowTcpForwarding yes
|
|
||||||
#GatewayPorts no
|
|
||||||
X11Forwarding yes
|
|
||||||
#X11DisplayOffset 10
|
|
||||||
#X11UseLocalhost yes
|
|
||||||
#PermitTTY yes
|
|
||||||
PrintMotd no
|
|
||||||
#PrintLastLog yes
|
|
||||||
#TCPKeepAlive yes
|
|
||||||
#PermitUserEnvironment no
|
|
||||||
#Compression delayed
|
|
||||||
#ClientAliveInterval 0
|
|
||||||
#ClientAliveCountMax 3
|
|
||||||
#UseDNS no
|
|
||||||
#PidFile /var/run/sshd.pid
|
|
||||||
#MaxStartups 10:30:100
|
|
||||||
#PermitTunnel no
|
|
||||||
#ChrootDirectory none
|
|
||||||
#VersionAddendum none
|
|
||||||
|
|
||||||
# no default banner path
|
|
||||||
#Banner none
|
|
||||||
|
|
||||||
# Allow client to pass locale environment variables
|
|
||||||
AcceptEnv LANG LC_*
|
|
||||||
|
|
||||||
# override default of no subsystems
|
|
||||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
|
||||||
|
|
||||||
# Example of overriding settings on a per-user basis
|
|
||||||
#Match User anoncvs
|
|
||||||
# X11Forwarding no
|
|
||||||
# AllowTcpForwarding no
|
|
||||||
# PermitTTY no
|
|
||||||
# ForceCommand cvs server
|
|
|
@ -1,10 +1,4 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Reload systemd
|
|
||||||
systemd: daemon_reload=yes
|
|
||||||
|
|
||||||
- name: Restart coturn
|
- name: Restart coturn
|
||||||
service: name=coturn state=restarted
|
service: name=coturn state=restarted
|
||||||
|
|
||||||
- name: Run acertmgr
|
|
||||||
command: /usr/bin/acertmgr
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
dependencies:
|
|
||||||
- { role: acertmgr }
|
|
|
@ -3,28 +3,6 @@
|
||||||
- name: Install coturn
|
- name: Install coturn
|
||||||
apt: name=coturn
|
apt: name=coturn
|
||||||
|
|
||||||
- name: Create coturn service override directory
|
|
||||||
file: path=/etc/systemd/system/coturn.service.d state=directory
|
|
||||||
|
|
||||||
- name: Configure coturn service override
|
|
||||||
template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
|
|
||||||
notify:
|
|
||||||
- Reload systemd
|
|
||||||
- Restart coturn
|
|
||||||
|
|
||||||
- name: Create gitea directories
|
|
||||||
file: path={{ item }} state=directory owner=turnserver
|
|
||||||
with_items:
|
|
||||||
- /etc/turnserver
|
|
||||||
- /etc/turnserver/certs
|
|
||||||
|
|
||||||
- name: Ensure certificates are available
|
|
||||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
|
|
||||||
|
|
||||||
- name: Configure certificate manager
|
|
||||||
template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
|
|
||||||
notify: Run acertmgr
|
|
||||||
|
|
||||||
- name: Configure coturn
|
- name: Configure coturn
|
||||||
template: src={{ item }}.j2 dest=/etc/{{ item }}
|
template: src={{ item }}.j2 dest=/etc/{{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
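Review bot: `template: src={{ item }}.j2 dest=/etc/{{ item }}` in the `Configure coturn` task sets no `mode`, `owner` or `group`, so each rendered file keeps whatever the umask gives it (normally world-readable); the `with_items` list is cut off at the end of the hunk, but if `turnserver.conf` is among the items and carries a `static-auth-secret` or `user=` entries, every local account can read the TURN credentials. I'd add `group: turnserver` and `mode: '0640'` to the task, which is what the removed `certs.j2` already did for the key material. The rest of the task list on the new side is only the `apt: name=coturn` install, so nothing else narrows this.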
|
|
|
@ -1,15 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
{{ coturn_realm }}:
|
|
||||||
- path: /etc/turnserver/certs/{{ coturn_realm }}.key
|
|
||||||
user: turnserver
|
|
||||||
group: turnserver
|
|
||||||
perm: '400'
|
|
||||||
format: key
|
|
||||||
action: '/usr/sbin/service coturn restart'
|
|
||||||
- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
|
|
||||||
user: turnserver
|
|
||||||
group: turnserver
|
|
||||||
perm: '400'
|
|
||||||
format: crt,ca
|
|
||||||
action: '/usr/sbin/service coturn restart'
|
|
|
@ -1,2 +0,0 @@
|
||||||
[Service]
|
|
||||||
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
|
@ -15,7 +15,7 @@
|
||||||
# Note: actually, TLS & DTLS sessions can connect to the
|
# Note: actually, TLS & DTLS sessions can connect to the
|
||||||
# "plain" TCP & UDP port(s), too - if allowed by configuration.
|
# "plain" TCP & UDP port(s), too - if allowed by configuration.
|
||||||
#
|
#
|
||||||
listening-port=443
|
#listening-port=3478
|
||||||
|
|
||||||
# TURN listener port for TLS (Default: 5349).
|
# TURN listener port for TLS (Default: 5349).
|
||||||
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
|
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
|
||||||
|
@ -27,7 +27,7 @@ listening-port=443
|
||||||
# TLS version 1.0, 1.1 and 1.2.
|
# TLS version 1.0, 1.1 and 1.2.
|
||||||
# For secure UDP connections, Coturn supports DTLS version 1.
|
# For secure UDP connections, Coturn supports DTLS version 1.
|
||||||
#
|
#
|
||||||
tls-listening-port=443
|
#tls-listening-port=5349
|
||||||
|
|
||||||
# Alternative listening port for UDP and TCP listeners;
|
# Alternative listening port for UDP and TCP listeners;
|
||||||
# default (or zero) value means "listening port plus one".
|
# default (or zero) value means "listening port plus one".
|
||||||
|
@ -125,10 +125,7 @@ tls-listening-port=443
|
||||||
#
|
#
|
||||||
# By default, this value is empty, and no address mapping is used.
|
# By default, this value is empty, and no address mapping is used.
|
||||||
#
|
#
|
||||||
external-ip={{ ansible_default_ipv4.address }}
|
#external-ip=60.70.80.91
|
||||||
{% if ansible_default_ipv6.address is defined %}
|
|
||||||
external-ip={{ ansible_default_ipv6.address }}
|
|
||||||
{% endif %}
|
|
||||||
#
|
#
|
||||||
#OR:
|
#OR:
|
||||||
#
|
#
|
||||||
|
@ -402,17 +399,17 @@ realm={{ coturn_realm }}
|
||||||
# Uncomment if no TCP client listener is desired.
|
# Uncomment if no TCP client listener is desired.
|
||||||
# By default TCP client listener is always started.
|
# By default TCP client listener is always started.
|
||||||
#
|
#
|
||||||
#no-tcp
|
no-tcp
|
||||||
|
|
||||||
# Uncomment if no TLS client listener is desired.
|
# Uncomment if no TLS client listener is desired.
|
||||||
# By default TLS client listener is always started.
|
# By default TLS client listener is always started.
|
||||||
#
|
#
|
||||||
#no-tls
|
no-tls
|
||||||
|
|
||||||
# Uncomment if no DTLS client listener is desired.
|
# Uncomment if no DTLS client listener is desired.
|
||||||
# By default DTLS client listener is always started.
|
# By default DTLS client listener is always started.
|
||||||
#
|
#
|
||||||
#no-dtls
|
no-dtls
|
||||||
|
|
||||||
# Uncomment if no UDP relay endpoints are allowed.
|
# Uncomment if no UDP relay endpoints are allowed.
|
||||||
# By default UDP relay endpoints are enabled (like in RFC 5766).
|
# By default UDP relay endpoints are enabled (like in RFC 5766).
|
||||||
|
@ -749,6 +746,6 @@ mobility
|
||||||
|
|
||||||
# Do not allow an TLS/DTLS version of protocol
|
# Do not allow an TLS/DTLS version of protocol
|
||||||
#
|
#
|
||||||
#no-tlsv1
|
no-tlsv1
|
||||||
#no-tlsv1_1
|
no-tlsv1_1
|
||||||
#no-tlsv1_2
|
no-tlsv1_2
|
||||||
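Review bot: On the new side `no-tls`, `no-dtls`, `no-tlsv1`, `no-tlsv1_1` and `no-tlsv1_2` are all uncommented (hunks `@ -402,17 +399,17 @@` and `@ -749,6 +746,6 @@`), which disables every TLS/DTLS listener and, on top of that, every TLS version, so the server cannot offer TURNS even if `no-tls` is later commented out again; `no-tlsv1_2` at least should stay commented. With `no-tcp` also set, plain UDP on the default 3478 is the only transport left, so the TURN authentication exchange and relay setup travel unencrypted and clients behind firewalls that only pass TCP/443 cannot reach the relay; if that trade-off is deliberate, a comment at the head of the template saying so would save the next reader a search. The `external-ip` line is commented out on the new side too (`@ -125,10 +125,7 @@`), which presumably only works while the host carries its public address directly on the interface.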
|
|
|
@ -6,15 +6,6 @@ option domain-name-servers {{ name_servers | join(', ') }};
|
||||||
option domain-search "binary.kitchen";
|
option domain-search "binary.kitchen";
|
||||||
option ntp-servers 172.23.1.60, 172.23.2.3;
|
option ntp-servers 172.23.1.60, 172.23.2.3;
|
||||||
|
|
||||||
# options related to Mitel SIP-DECT
|
|
||||||
option space sipdect;
|
|
||||||
option local-encapsulation code 43 = encapsulate sipdect;
|
|
||||||
option sipdect.ommip1 code 10 = ip-address;
|
|
||||||
option sipdect.ommip2 code 19 = ip-address;
|
|
||||||
option sipdect.syslogip code 14 = ip-address;
|
|
||||||
option sipdect.syslogport code 15 = integer 16;
|
|
||||||
option magic_str code 224 = text;
|
|
||||||
|
|
||||||
default-lease-time 7200;
|
default-lease-time 7200;
|
||||||
max-lease-time 28800;
|
max-lease-time 28800;
|
||||||
|
|
||||||
|
@ -106,7 +97,8 @@ subnet 172.23.13.0 netmask 255.255.255.0 {
|
||||||
|
|
||||||
# Users Auweg
|
# Users Auweg
|
||||||
subnet 172.23.14.0 netmask 255.255.255.0 {
|
subnet 172.23.14.0 netmask 255.255.255.0 {
|
||||||
option routers 172.23.14.1;
|
option routers 172.23.3.1;
|
||||||
|
ddns-domainname "users.binary.kitchen";
|
||||||
option domain-search "binary.kitchen", "users.binary.kitchen";
|
option domain-search "binary.kitchen", "users.binary.kitchen";
|
||||||
pool {
|
pool {
|
||||||
{% if dhcpd_failover == true %}
|
{% if dhcpd_failover == true %}
|
||||||
|
@ -118,7 +110,7 @@ subnet 172.23.14.0 netmask 255.255.255.0 {
|
||||||
|
|
||||||
# MQTT Auweg
|
# MQTT Auweg
|
||||||
subnet 172.23.15.0 netmask 255.255.255.0 {
|
subnet 172.23.15.0 netmask 255.255.255.0 {
|
||||||
option routers 172.23.15.1;
|
option routers 172.23.4.1;
|
||||||
pool {
|
pool {
|
||||||
{% if dhcpd_failover == true %}
|
{% if dhcpd_failover == true %}
|
||||||
failover peer "failover-partner";
|
failover peer "failover-partner";
|
||||||
|
@ -142,7 +134,7 @@ host ap01 {
|
||||||
}
|
}
|
||||||
|
|
||||||
host ap04 {
|
host ap04 {
|
||||||
hardware ethernet 74:9e:75:ce:93:54;
|
hardware ethernet 44:48:c1:ce:90:06;
|
||||||
fixed-address ap04.binary.kitchen;
|
fixed-address ap04.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -156,23 +148,13 @@ host ap06 {
|
||||||
fixed-address ap06.binary.kitchen;
|
fixed-address ap06.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
host ap11 {
|
|
||||||
hardware ethernet 18:64:72:c6:c2:0c;
|
|
||||||
fixed-address ap11.binary.kitchen;
|
|
||||||
}
|
|
||||||
|
|
||||||
host ap12 {
|
|
||||||
hardware ethernet 18:64:72:c6:c4:98;
|
|
||||||
fixed-address ap12.binary.kitchen;
|
|
||||||
}
|
|
||||||
|
|
||||||
host bowle {
|
host bowle {
|
||||||
hardware ethernet ac:1f:6b:25:16:b6;
|
hardware ethernet ac:1f:6b:25:16:b6;
|
||||||
fixed-address bowle.binary.kitchen;
|
fixed-address bowle.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
host cannelloni {
|
host cannelloni {
|
||||||
hardware ethernet b8:27:eb:18:5c:11;
|
hardware ethernet 00:10:f3:15:88:ac;
|
||||||
fixed-address cannelloni.binary.kitchen;
|
fixed-address cannelloni.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -181,6 +163,11 @@ host fusilli {
|
||||||
fixed-address fusilli.binary.kitchen;
|
fixed-address fusilli.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
host garlic {
|
||||||
|
hardware ethernet b8:27:eb:56:2b:7c;
|
||||||
|
fixed-address garlic.binary.kitchen;
|
||||||
|
}
|
||||||
|
|
||||||
host habdisplay1 {
|
host habdisplay1 {
|
||||||
hardware ethernet b8:27:eb:b6:62:be;
|
hardware ethernet b8:27:eb:b6:62:be;
|
||||||
fixed-address habdisplay1.mqtt.binary.kitchen;
|
fixed-address habdisplay1.mqtt.binary.kitchen;
|
||||||
|
@ -202,7 +189,7 @@ host lock {
|
||||||
}
|
}
|
||||||
|
|
||||||
host maccaroni {
|
host maccaroni {
|
||||||
hardware ethernet b8:27:eb:f5:9e:a1;
|
hardware ethernet b8:27:eb:18:5c:11;
|
||||||
fixed-address maccaroni.binary.kitchen;
|
fixed-address maccaroni.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -222,7 +209,7 @@ host mpcnc {
|
||||||
}
|
}
|
||||||
|
|
||||||
host noodlehub {
|
host noodlehub {
|
||||||
hardware ethernet b8:27:eb:56:2b:7c;
|
hardware ethernet b8:27:eb:eb:e5:88;
|
||||||
fixed-address noodlehub.binary.kitchen;
|
fixed-address noodlehub.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -237,7 +224,7 @@ host pizza {
|
||||||
}
|
}
|
||||||
|
|
||||||
host spaghetti {
|
host spaghetti {
|
||||||
hardware ethernet b8:27:eb:eb:e5:88;
|
hardware ethernet b8:27:eb:e3:e9:f1;
|
||||||
fixed-address spaghetti.binary.kitchen;
|
fixed-address spaghetti.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -280,34 +267,6 @@ host voip04 {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# Mitel SIP-DECT
|
|
||||||
|
|
||||||
host rfp01 {
|
|
||||||
hardware ethernet 00:30:42:1B:73:5A;
|
|
||||||
fixed-address 172.23.1.111;
|
|
||||||
option host-name "rfp01";
|
|
||||||
option sipdect.ommip1 172.23.2.35;
|
|
||||||
option magic_str = "OpenMobilitySIP-DECT";
|
|
||||||
}
|
|
||||||
|
|
||||||
host rfp02 {
|
|
||||||
hardware ethernet 00:30:42:21:D4:D5;
|
|
||||||
fixed-address 172.23.1.112;
|
|
||||||
option host-name "rfp02";
|
|
||||||
option sipdect.ommip1 172.23.2.35;
|
|
||||||
option magic_str = "OpenMobilitySIP-DECT";
|
|
||||||
}
|
|
||||||
|
|
||||||
host rfp11 {
|
|
||||||
hardware ethernet 00:30:42:1B:8B:9B;
|
|
||||||
fixed-address 172.23.12.111;
|
|
||||||
option host-name "rfp11";
|
|
||||||
option sipdect.ommip1 172.23.2.35;
|
|
||||||
option magic_str = "OpenMobilitySIP-DECT";
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# OMAPI
|
# OMAPI
|
||||||
|
|
||||||
omapi-port 7911;
|
omapi-port 7911;
|
||||||
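Review bot: On the new side `subnet 172.23.14.0 netmask 255.255.255.0` hands out `option routers 172.23.3.1;` and `subnet 172.23.15.0 netmask 255.255.255.0` hands out `option routers 172.23.4.1;` (hunks `@ -106,7 +97,8 @@` and `@ -118,7 +110,7 @@`); neither gateway lies inside the subnet it is offered for, so clients on those networks cannot reach their default route. The in-subnet values on the other side, `172.23.14.1` and `172.23.15.1`, look like what was meant. Separately, `omapi-port 7911;` is enabled at the end of the section on both sides; unless an `omapi-key` statement follows outside the hunk, anyone who can reach TCP 7911 can alter leases and host entries without authentication, so either add a key (and limit who can reach the port) or drop the line if nothing uses OMAPI.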
|
|
|
@ -1,4 +1,5 @@
|
||||||
local-address=0.0.0.0, ::
|
local-address=0.0.0.0
|
||||||
|
local-ipv6=::
|
||||||
launch=gsqlite3
|
launch=gsqlite3
|
||||||
gsqlite3-dnssec
|
gsqlite3-dnssec
|
||||||
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
|
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
|
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
|
||||||
$TTL 1h ; default time-to-live
|
$TTL 1h ; default time-to-live
|
||||||
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
|
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
|
||||||
2024051300; serial
|
2021091301; serial
|
||||||
1d; refresh
|
1d; refresh
|
||||||
2h; retry
|
2h; retry
|
||||||
4w; expire
|
4w; expire
|
||||||
|
@ -11,7 +11,7 @@ $TTL 1h ; default time-to-live
|
||||||
IN NS ns2.binary.kitchen.
|
IN NS ns2.binary.kitchen.
|
||||||
; Loopback
|
; Loopback
|
||||||
1.0 IN PTR core.binary.kitchen.
|
1.0 IN PTR core.binary.kitchen.
|
||||||
2.0 IN PTR rt-w13b.binary.kitchen.
|
2.0 IN PTR erx-bk.binary.kitchen.
|
||||||
3.0 IN PTR erx-rz.binary.kitchen.
|
3.0 IN PTR erx-rz.binary.kitchen.
|
||||||
4.0 IN PTR erx-auweg.binary.kitchen.
|
4.0 IN PTR erx-auweg.binary.kitchen.
|
||||||
; Management
|
; Management
|
||||||
|
@ -20,11 +20,12 @@ $TTL 1h ; default time-to-live
|
||||||
21.1 IN PTR pdu1.binary.kitchen.
|
21.1 IN PTR pdu1.binary.kitchen.
|
||||||
22.1 IN PTR pdu2.binary.kitchen.
|
22.1 IN PTR pdu2.binary.kitchen.
|
||||||
23.1 IN PTR pdu3.binary.kitchen.
|
23.1 IN PTR pdu3.binary.kitchen.
|
||||||
31.1 IN PTR sw-butchery.binary.kitchen.
|
31.1 IN PTR sw01.binary.kitchen.
|
||||||
32.1 IN PTR sw-mini.binary.kitchen.
|
32.1 IN PTR sw02.binary.kitchen.
|
||||||
33.1 IN PTR sw-rack.binary.kitchen.
|
33.1 IN PTR sw03.binary.kitchen.
|
||||||
41.1 IN PTR ap01.binary.kitchen.
|
41.1 IN PTR ap01.binary.kitchen.
|
||||||
42.1 IN PTR ap02.binary.kitchen.
|
42.1 IN PTR ap02.binary.kitchen.
|
||||||
|
43.1 IN PTR ap03.binary.kitchen.
|
||||||
44.1 IN PTR ap04.binary.kitchen.
|
44.1 IN PTR ap04.binary.kitchen.
|
||||||
45.1 IN PTR ap05.binary.kitchen.
|
45.1 IN PTR ap05.binary.kitchen.
|
||||||
46.1 IN PTR ap06.binary.kitchen.
|
46.1 IN PTR ap06.binary.kitchen.
|
||||||
|
@ -34,8 +35,6 @@ $TTL 1h ; default time-to-live
|
||||||
82.1 IN PTR bowle-bmc.binary.kitchen.
|
82.1 IN PTR bowle-bmc.binary.kitchen.
|
||||||
101.1 IN PTR nbe-w13b.binary.kitchen.
|
101.1 IN PTR nbe-w13b.binary.kitchen.
|
||||||
102.1 IN PTR nbe-tr8.binary.kitchen.
|
102.1 IN PTR nbe-tr8.binary.kitchen.
|
||||||
111.1 IN PTR rfp01.binary.kitchen.
|
|
||||||
112.1 IN PTR rfp02.binary.kitchen.
|
|
||||||
; Services
|
; Services
|
||||||
1.2 IN PTR v2302.core.binary.kitchen.
|
1.2 IN PTR v2302.core.binary.kitchen.
|
||||||
3.2 IN PTR bacon.binary.kitchen.
|
3.2 IN PTR bacon.binary.kitchen.
|
||||||
|
@ -46,12 +45,8 @@ $TTL 1h ; default time-to-live
|
||||||
12.2 IN PTR lock.binary.kitchen.
|
12.2 IN PTR lock.binary.kitchen.
|
||||||
13.2 IN PTR matrix.binary.kitchen.
|
13.2 IN PTR matrix.binary.kitchen.
|
||||||
33.2 IN PTR pizza.binary.kitchen.
|
33.2 IN PTR pizza.binary.kitchen.
|
||||||
34.2 IN PTR pancake.binary.kitchen.
|
|
||||||
35.2 IN PTR knoedel.binary.kitchen.
|
|
||||||
36.2 IN PTR schweinshaxn.binary.kitchen.
|
36.2 IN PTR schweinshaxn.binary.kitchen.
|
||||||
37.2 IN PTR bob.binary.kitchen.
|
37.2 IN PTR bob.binary.kitchen.
|
||||||
38.2 IN PTR lasagne.binary.kitchen.
|
|
||||||
39.2 IN PTR tschunk.binary.kitchen.
|
|
||||||
62.2 IN PTR bowle.binary.kitchen.
|
62.2 IN PTR bowle.binary.kitchen.
|
||||||
91.2 IN PTR strammermax.binary.kitchen.
|
91.2 IN PTR strammermax.binary.kitchen.
|
||||||
92.2 IN PTR obatzda.binary.kitchen.
|
92.2 IN PTR obatzda.binary.kitchen.
|
||||||
|
@ -61,6 +56,7 @@ $GENERATE 10-230 $.3 IN PTR dhcp-${0,3,d}-03.binary.kitchen.
|
||||||
240.3 IN PTR fusilli.binary.kitchen.
|
240.3 IN PTR fusilli.binary.kitchen.
|
||||||
241.3 IN PTR klopi.binary.kitchen.
|
241.3 IN PTR klopi.binary.kitchen.
|
||||||
242.3 IN PTR mpcnc.binary.kitchen.
|
242.3 IN PTR mpcnc.binary.kitchen.
|
||||||
|
243.3 IN PTR garlic.binary.kitchen.
|
||||||
244.3 IN PTR mirror.binary.kitchen.
|
244.3 IN PTR mirror.binary.kitchen.
|
||||||
245.3 IN PTR spaghetti.binary.kitchen.
|
245.3 IN PTR spaghetti.binary.kitchen.
|
||||||
246.3 IN PTR maccaroni.binary.kitchen.
|
246.3 IN PTR maccaroni.binary.kitchen.
|
||||||
|
@ -69,7 +65,6 @@ $GENERATE 10-230 $.3 IN PTR dhcp-${0,3,d}-03.binary.kitchen.
|
||||||
; MQTT
|
; MQTT
|
||||||
1.4 IN PTR v2304.core.binary.kitchen.
|
1.4 IN PTR v2304.core.binary.kitchen.
|
||||||
6.4 IN PTR pizza.mqtt.binary.kitchen.
|
6.4 IN PTR pizza.mqtt.binary.kitchen.
|
||||||
7.4 IN PTR lasagne.mqtt.binary.kitchen.
|
|
||||||
$GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
|
$GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
|
||||||
241.4 IN PTR habdisplay1.mqtt.binary.kitchen.
|
241.4 IN PTR habdisplay1.mqtt.binary.kitchen.
|
||||||
242.4 IN PTR habdisplay2.mqtt.binary.kitchen.
|
242.4 IN PTR habdisplay2.mqtt.binary.kitchen.
|
||||||
|
@ -87,14 +82,9 @@ $GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
|
||||||
1.10 IN PTR wg0.erx-rz.binary.kitchen.
|
1.10 IN PTR wg0.erx-rz.binary.kitchen.
|
||||||
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
|
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
|
||||||
; Management Auweg
|
; Management Auweg
|
||||||
31.12 IN PTR sw-auweg.binary.kitchen.
|
|
||||||
41.12 IN PTR ap11.binary.kitchen.
|
|
||||||
42.12 IN PTR ap12.binary.kitchen.
|
|
||||||
61.12 IN PTR weizen.binary.kitchen.
|
61.12 IN PTR weizen.binary.kitchen.
|
||||||
111.12 IN PTR rfp11.binary.kitchen.
|
|
||||||
; Services Auweg
|
; Services Auweg
|
||||||
3.13 IN PTR aeron.binary.kitchen.
|
3.13 IN PTR aeron.binary.kitchen.
|
||||||
12.13 IN PTR lock-auweg.binary.kitchen.
|
|
||||||
; Clients Auweg
|
; Clients Auweg
|
||||||
$GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen.
|
$GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen.
|
||||||
; MQTT
|
; MQTT
|
||||||
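Review bot: The SOA serial on the new side is `2021091301`, lower than the `2024051300` on the other side (first hunk of this section, and the same pattern in the forward `binary.kitchen` zone whose section follows). A secondary such as the `ns2` listed in the NS records that already holds the higher serial treats the lower one as older and keeps serving the stale zone, so the PTRs dropped here (`rfp*`, `ap11`/`ap12`, `pancake`, `knoedel`, `lasagne`, `tschunk` and friends) would linger on it until the serial is raised again. Bump the serial above `2024051300` whenever this file is deployed over a zone that already carries that value.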
|
|
|
@ -1,7 +1,7 @@
|
||||||
$ORIGIN binary.kitchen ; base for unqualified names
|
$ORIGIN binary.kitchen ; base for unqualified names
|
||||||
$TTL 1h ; default time-to-live
|
$TTL 1h ; default time-to-live
|
||||||
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
|
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
|
||||||
2024051300; serial
|
2021091301; serial
|
||||||
1d; refresh
|
1d; refresh
|
||||||
2h; retry
|
2h; retry
|
||||||
4w; expire
|
4w; expire
|
||||||
|
@ -29,12 +29,12 @@ librenms IN A 172.23.2.6
|
||||||
netbox IN A 172.23.2.7
|
netbox IN A 172.23.2.7
|
||||||
ns1 IN A 172.23.2.3
|
ns1 IN A 172.23.2.3
|
||||||
ns2 IN A 172.23.2.4
|
ns2 IN A 172.23.2.4
|
||||||
omm IN A 172.23.2.35
|
racktables IN A 172.23.2.6
|
||||||
radius IN A 172.23.2.3
|
radius IN A 172.23.2.3
|
||||||
radius IN A 172.23.2.4
|
radius IN A 172.23.2.4
|
||||||
; Loopback
|
; Loopback
|
||||||
core IN A 172.23.0.1
|
core IN A 172.23.0.1
|
||||||
rt-w13b IN A 172.23.0.2
|
erx-bk IN A 172.23.0.2
|
||||||
erx-rz IN A 172.23.0.3
|
erx-rz IN A 172.23.0.3
|
||||||
erx-auweg IN A 172.23.0.4
|
erx-auweg IN A 172.23.0.4
|
||||||
; Management
|
; Management
|
||||||
|
@ -43,11 +43,12 @@ ups1 IN A 172.23.1.11
|
||||||
pdu1 IN A 172.23.1.21
|
pdu1 IN A 172.23.1.21
|
||||||
pdu2 IN A 172.23.1.22
|
pdu2 IN A 172.23.1.22
|
||||||
pdu3 IN A 172.23.1.23
|
pdu3 IN A 172.23.1.23
|
||||||
sw-butchery IN A 172.23.1.31
|
sw01 IN A 172.23.1.31
|
||||||
sw-mini IN A 172.23.1.32
|
sw02 IN A 172.23.1.32
|
||||||
sw-rack IN A 172.23.1.33
|
sw03 IN A 172.23.1.33
|
||||||
ap01 IN A 172.23.1.41
|
ap01 IN A 172.23.1.41
|
||||||
ap02 IN A 172.23.1.42
|
ap02 IN A 172.23.1.42
|
||||||
|
ap03 IN A 172.23.1.43
|
||||||
ap04 IN A 172.23.1.44
|
ap04 IN A 172.23.1.44
|
||||||
ap05 IN A 172.23.1.45
|
ap05 IN A 172.23.1.45
|
||||||
ap06 IN A 172.23.1.46
|
ap06 IN A 172.23.1.46
|
||||||
|
@ -57,8 +58,6 @@ wurst-bmc IN A 172.23.1.80
|
||||||
bowle-bmc IN A 172.23.1.82
|
bowle-bmc IN A 172.23.1.82
|
||||||
nbe-w13b IN A 172.23.1.101
|
nbe-w13b IN A 172.23.1.101
|
||||||
nbe-tr8 IN A 172.23.1.102
|
nbe-tr8 IN A 172.23.1.102
|
||||||
rfp01 IN A 172.23.1.111
|
|
||||||
rfp02 IN A 172.23.1.112
|
|
||||||
; Services
|
; Services
|
||||||
v2302.core IN A 172.23.2.1
|
v2302.core IN A 172.23.2.1
|
||||||
bacon IN A 172.23.2.3
|
bacon IN A 172.23.2.3
|
||||||
|
@ -69,12 +68,8 @@ epona IN A 172.23.2.7
|
||||||
lock IN A 172.23.2.12
|
lock IN A 172.23.2.12
|
||||||
matrix IN A 172.23.2.13
|
matrix IN A 172.23.2.13
|
||||||
pizza IN A 172.23.2.33
|
pizza IN A 172.23.2.33
|
||||||
pancake IN A 172.23.2.34
|
|
||||||
knoedel IN A 172.23.2.35
|
|
||||||
schweinshaxn IN A 172.23.2.36
|
schweinshaxn IN A 172.23.2.36
|
||||||
bob IN A 172.23.2.37
|
bob IN A 172.23.2.37
|
||||||
lasagne IN A 172.23.2.38
|
|
||||||
tschunk IN A 172.23.2.39
|
|
||||||
bowle IN A 172.23.2.62
|
bowle IN A 172.23.2.62
|
||||||
strammermax IN A 172.23.2.91
|
strammermax IN A 172.23.2.91
|
||||||
obatzda IN A 172.23.2.92
|
obatzda IN A 172.23.2.92
|
||||||
|
@ -84,6 +79,7 @@ $GENERATE 10-230 dhcp-${0,3,d}-03 IN A 172.23.3.$
|
||||||
fusilli IN A 172.23.3.240
|
fusilli IN A 172.23.3.240
|
||||||
klopi IN A 172.23.3.241
|
klopi IN A 172.23.3.241
|
||||||
mpcnc IN A 172.23.3.242
|
mpcnc IN A 172.23.3.242
|
||||||
|
garlic IN A 172.23.3.243
|
||||||
mirror IN A 172.23.3.244
|
mirror IN A 172.23.3.244
|
||||||
spaghetti IN A 172.23.3.245
|
spaghetti IN A 172.23.3.245
|
||||||
maccaroni IN A 172.23.3.246
|
maccaroni IN A 172.23.3.246
|
||||||
|
@ -92,7 +88,6 @@ noodlehub IN A 172.23.3.251
|
||||||
; MQTT
|
; MQTT
|
||||||
v2304.core IN A 172.23.4.1
|
v2304.core IN A 172.23.4.1
|
||||||
pizza.mqtt IN A 172.23.4.6
|
pizza.mqtt IN A 172.23.4.6
|
||||||
lasagne.mqtt IN A 172.23.4.7
|
|
||||||
$GENERATE 10-240 dhcp-${0,3,d}-04 IN A 172.23.4.$
|
$GENERATE 10-240 dhcp-${0,3,d}-04 IN A 172.23.4.$
|
||||||
habdisplay1.mqtt IN A 172.23.4.241
|
habdisplay1.mqtt IN A 172.23.4.241
|
||||||
habdisplay2.mqtt IN A 172.23.4.242
|
habdisplay2.mqtt IN A 172.23.4.242
|
||||||
|
@ -107,14 +102,9 @@ salat IN A 172.23.9.61
|
||||||
salat-bmc IN A 172.23.9.81
|
salat-bmc IN A 172.23.9.81
|
||||||
; Services RZ
|
; Services RZ
|
||||||
; Management Auweg
|
; Management Auweg
|
||||||
sw-auweg IN A 172.23.12.31
|
|
||||||
ap11 IN A 172.23.12.41
|
|
||||||
ap12 IN A 172.23.12.42
|
|
||||||
weizen IN A 172.23.12.61
|
weizen IN A 172.23.12.61
|
||||||
rfp11 IN A 172.23.12.111
|
|
||||||
; Services Auweg
|
; Services Auweg
|
||||||
aeron IN A 172.23.13.3
|
aeron IN A 172.23.13.3
|
||||||
lock-auweg IN A 172.23.13.12
|
|
||||||
; Clients Auweg
|
; Clients Auweg
|
||||||
$GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$
|
$GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$
|
||||||
; MQTT Auweg
|
; MQTT Auweg
|
||||||
|
|
|
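Review bot: The SOA serial on the new side (`2021091301; serial`) is lower than the one it replaces (`2024051300`), so secondaries that already hold the higher serial will not transfer this zone and keep serving the old records, including the `omm`, `pancake`, `knoedel`, `lasagne` and `tschunk` entries this change drops. Serial comparison wraps per RFC 1982, but the difference here is far below 2^31, so the new value simply compares as older. Bump it past the current value (for example `2024051301; serial`) and add a comment beside the SOA that the serial must increase on every edit. Every later hunk in this file (the A-record changes) depends on this serial reaching the secondaries, so none of them take effect until it is fixed.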
@ -10,11 +10,11 @@ newServer({address='127.0.0.1:5353', pool='resolve'})
|
||||||
|
|
||||||
{% if dns_secondary is defined %}
|
{% if dns_secondary is defined %}
|
||||||
-- allow AXFR/IXFR only from slaves
|
-- allow AXFR/IXFR only from slaves
|
||||||
addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
|
addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
-- allow NOTIFY only from master
|
-- allow NOTIFY only from master
|
||||||
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
|
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
|
||||||
|
|
||||||
-- use auth servers for own zones
|
-- use auth servers for own zones
|
||||||
addAction('binary.kitchen', PoolAction('authdns'))
|
addAction('binary.kitchen', PoolAction('authdns'))
|
||||||
|
|
|
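Review bot: The AXFR/IXFR rule on the new side mixes the legacy `dnsdist.AXFR`/`dnsdist.IXFR`/`dnsdist.REFUSED` constants with the namespaced `DNSOpcode.Notify` used on the NOTIFY rule below it; the `DNSQType.`/`DNSRCode.` spellings from the left column are the ones current dnsdist releases document, and as far as I recall the bare `dnsdist.` names are deprecated there, so this may warn or break on upgrade. Also, when `dns_secondary` is undefined the whole transfer rule is omitted rather than refusing transfers outright, leaving the backend's own AXFR ACL as the only control; a comment such as `-- without dns_secondary no transfer filtering happens here; the authoritative backend must restrict AXFR itself` would make that explicit. The `newServer`/pool setup this depends on starts outside the hunk.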
@ -26,6 +26,12 @@ launch=bind,gsqlite3
|
||||||
# local-address=0.0.0.0
|
# local-address=0.0.0.0
|
||||||
local-address=127.0.0.1
|
local-address=127.0.0.1
|
||||||
|
|
||||||
|
#################################
|
||||||
|
# local-ipv6 Local IP address to which we bind
|
||||||
|
#
|
||||||
|
# local-ipv6=::
|
||||||
|
local-ipv6=
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# local-port The port on which we listen
|
# local-port The port on which we listen
|
||||||
#
|
#
|
||||||
|
|
|
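Review bot: `local-ipv6=` with an empty value reads like an unfinished placeholder next to `local-address=127.0.0.1`; if the intent is to bind no IPv6 socket, comment it out like the other unused options and say why, e.g. `# local-ipv6=` followed by `# no IPv6 listener: presumably the dnsdist instance in front owns the client-facing sockets — confirm`. As far as I know newer Authoritative Server releases fold IPv6 addresses into `local-address` and warn about `local-ipv6`, so the line is also a candidate for removal on the next upgrade.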
@ -11,9 +11,9 @@
|
||||||
config-dir=/etc/powerdns
|
config-dir=/etc/powerdns
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# dnssec DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate
|
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
|
||||||
#
|
#
|
||||||
# dnssec=process
|
# dnssec=process-no-validate
|
||||||
dnssec=off
|
dnssec=off
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
|
|
|
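Review bot: The hunk only rewrites the comment above `dnssec=off` while the effective setting stays `off`, which makes the recursor strip DNSSEC data entirely so no client behind it can validate. `dnssec=process` passes RRSIGs through to clients that ask for them without the recursor validating anything, and `validate` enforces answers; if `off` is a deliberate workaround, record the reason next to it, e.g. `# DNSSEC disabled on purpose: <reason> — revisit`. Which value is the default (`process` in the left column's comment, `process-no-validate` in the right) depends on the Recursor version, so the comment should name the version it describes rather than assert one default.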
@ -1,10 +1,17 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- name: Enable docker apt-key
|
||||||
|
apt_key: url='https://download.docker.com/linux/debian/gpg'
|
||||||
|
|
||||||
|
- name: Enable docker repository
|
||||||
|
apt_repository:
|
||||||
|
repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
|
||||||
|
filename: docker
|
||||||
|
|
||||||
- name: Install docker
|
- name: Install docker
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
- docker.io
|
- docker-ce
|
||||||
|
- docker-ce-cli
|
||||||
|
- containerd.io
|
||||||
- python3-docker
|
- python3-docker
|
||||||
|
|
||||||
- name: Enable docker
|
|
||||||
service: name=docker state=started enabled=yes
|
|
||||||
|
|
|
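Review bot: `apt_key: url='https://download.docker.com/linux/debian/gpg'` without `keyring=` adds Docker's key to the global apt trust store, where it can sign any repository on the host, and the `apt_repository` line carries no `[signed-by=...]` to scope it back. The left column's grafana task shows the scoped pattern this repo already uses; here that would be `apt_key: url='https://download.docker.com/linux/debian/gpg' keyring=/etc/apt/keyrings/docker.gpg` and `repo: 'deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'`. The same unscoped `apt_key` form appears in the grafana tasks and in the hedgedoc tasks (nodesource and yarnpkg keys). Dropping the `Enable docker` task presumably relies on the package enabling the unit on install; a comment saying so would stop someone re-adding it.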
@ -1,7 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Run acertmgr
|
|
||||||
command: /usr/bin/acertmgr
|
|
||||||
|
|
||||||
- name: Restart nginx
|
|
||||||
service: name=nginx state=restarted
|
|
|
@ -1,5 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
dependencies:
|
|
||||||
- { role: acertmgr }
|
|
||||||
- { role: nginx, nginx_ssl: True }
|
|
|
@ -1,20 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Ensure certificates are available
|
|
||||||
command:
|
|
||||||
cmd: >
|
|
||||||
openssl req -x509 -nodes -newkey rsa:2048
|
|
||||||
-keyout /etc/nginx/ssl/{{ doorlock_domain }}.key -out /etc/nginx/ssl/{{ doorlock_domain }}.crt
|
|
||||||
-days 730 -subj "/CN={{ doorlock_domain }}"
|
|
||||||
creates: /etc/nginx/ssl/{{ doorlock_domain }}.crt
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Request nsupdate key for certificate
|
|
||||||
include_role: name=acme-dnskey-generate
|
|
||||||
vars:
|
|
||||||
acme_dnskey_san_domains:
|
|
||||||
- "{{ doorlock_domain }}"
|
|
||||||
|
|
||||||
- name: Configure certificate manager for doorlock
|
|
||||||
template: src=certs.j2 dest=/etc/acertmgr/{{ doorlock_domain }}.conf
|
|
||||||
notify: Run acertmgr
|
|
|
@ -1,18 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
{{ doorlock_domain }}:
|
|
||||||
- mode: dns.nsupdate
|
|
||||||
nsupdate_server: {{ acme_dnskey_server }}
|
|
||||||
nsupdate_keyfile: {{ acme_dnskey_file }}
|
|
||||||
- path: /etc/nginx/ssl/{{ doorlock_domain }}.key
|
|
||||||
user: root
|
|
||||||
group: root
|
|
||||||
perm: '400'
|
|
||||||
format: key
|
|
||||||
action: '/usr/sbin/service nginx restart'
|
|
||||||
- path: /etc/nginx/ssl/{{ doorlock_domain }}.crt
|
|
||||||
user: root
|
|
||||||
group: root
|
|
||||||
perm: '400'
|
|
||||||
format: crt,ca
|
|
||||||
action: '/usr/sbin/service nginx restart'
|
|
|
@ -0,0 +1,14 @@
|
||||||
|
[Unit]
|
||||||
|
Description=drone.io server
|
||||||
|
After=network-online.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=simple
|
||||||
|
User=drone
|
||||||
|
EnvironmentFile=/etc/default/drone
|
||||||
|
ExecStart=/opt/drone/bin/drone-server
|
||||||
|
Restart=always
|
||||||
|
RestartSec=5s
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
|
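Review bot: `After=network-online.target` orders the unit after a target nothing pulls in, so it has no effect unless `Wants=network-online.target` is added beside it. The server also talks to a database on `127.0.0.1:5432` (per the `DRONE_DATABASE_DATASOURCE` template in this change), so ordering after PostgreSQL the way the gitea unit in this repo does (`Requires=postgresql.service`) avoids a restart loop at boot. Concretely: `After=network-online.target postgresql.service`, `Wants=network-online.target` and `Requires=postgresql.service`.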
@ -3,11 +3,11 @@
|
||||||
- name: Reload systemd
|
- name: Reload systemd
|
||||||
systemd: daemon_reload=yes
|
systemd: daemon_reload=yes
|
||||||
|
|
||||||
- name: Restart 23b
|
- name: Run acertmgr
|
||||||
service: name=23b state=restarted
|
command: /usr/bin/acertmgr
|
||||||
|
|
||||||
|
- name: Restart drone
|
||||||
|
service: name=drone state=restarted
|
||||||
|
|
||||||
- name: Restart nginx
|
- name: Restart nginx
|
||||||
service: name=nginx state=restarted
|
service: name=nginx state=restarted
|
||||||
|
|
||||||
- name: Run acertmgr
|
|
||||||
command: /usr/bin/acertmgr
|
|
|
@ -0,0 +1,52 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Create user
|
||||||
|
user: name=drone
|
||||||
|
|
||||||
|
# TODO install drone to /opt/drone/bin
|
||||||
|
# currently it is manually compiled
|
||||||
|
|
||||||
|
- name: Configure drone
|
||||||
|
template: src=drone.j2 dest=/etc/default/drone
|
||||||
|
notify: Restart drone
|
||||||
|
|
||||||
|
- name: Install PostgreSQL
|
||||||
|
apt:
|
||||||
|
name:
|
||||||
|
- postgresql
|
||||||
|
- python3-psycopg2
|
||||||
|
|
||||||
|
- name: Configure PostgreSQL database
|
||||||
|
postgresql_db: name={{ drone_dbname }}
|
||||||
|
become: true
|
||||||
|
become_user: postgres
|
||||||
|
|
||||||
|
- name: Configure PostgreSQL user
|
||||||
|
postgresql_user: db={{ drone_dbname }} name={{ drone_dbuser }} password={{ drone_dbpass }} priv=ALL state=present
|
||||||
|
become: true
|
||||||
|
become_user: postgres
|
||||||
|
|
||||||
|
- name: Ensure certificates are available
|
||||||
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ drone_domain }}.key -out /etc/nginx/ssl/{{ drone_domain }}.crt -days 730 -subj "/CN={{ drone_domain }}" creates=/etc/nginx/ssl/{{ drone_domain }}.crt
|
||||||
|
notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Configure certificate manager for drone
|
||||||
|
template: src=certs.j2 dest=/etc/acertmgr/{{ drone_domain }}.conf
|
||||||
|
notify: Run acertmgr
|
||||||
|
|
||||||
|
- name: Configure vhost
|
||||||
|
template: src=vhost.j2 dest=/etc/nginx/sites-available/drone
|
||||||
|
notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Enable vhost
|
||||||
|
file: src=/etc/nginx/sites-available/drone dest=/etc/nginx/sites-enabled/drone state=link
|
||||||
|
notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Install systemd unit
|
||||||
|
copy: src=drone.service dest=/lib/systemd/system/drone.service
|
||||||
|
notify:
|
||||||
|
- Reload systemd
|
||||||
|
- Restart drone
|
||||||
|
|
||||||
|
- name: Enable drone
|
||||||
|
service: name=drone enabled=yes
|
|
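Review bot: `template: src=drone.j2 dest=/etc/default/drone` sets no owner or mode, and the rendered file carries `DRONE_RPC_SECRET`, the PostgreSQL password and the Gitea OAuth client secret, so under the default umask it lands readable by every local account; `template: src=drone.j2 dest=/etc/default/drone owner=root group=drone mode=0640` keeps it readable only by the user the unit runs as. The `TODO install drone to /opt/drone/bin` comment means the binary the unit executes is not provisioned by this role at all, so its version and integrity are untracked; until that is automated, the comment should at least state which version is expected on the host. The `Run runner container` task for the docker runner lives in a separate file, so the two halves of the secret (`drone_secret` here and there) have to be kept in sync by hand — worth a note in defaults.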
@ -1,13 +1,13 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
{{ bk23b_domain }}:
|
{{ drone_domain }}:
|
||||||
- path: /etc/nginx/ssl/{{ bk23b_domain }}.key
|
- path: /etc/nginx/ssl/{{ drone_domain }}.key
|
||||||
user: root
|
user: root
|
||||||
group: root
|
group: root
|
||||||
perm: '400'
|
perm: '400'
|
||||||
format: key
|
format: key
|
||||||
action: '/usr/sbin/service nginx restart'
|
action: '/usr/sbin/service nginx restart'
|
||||||
- path: /etc/nginx/ssl/{{ bk23b_domain }}.crt
|
- path: /etc/nginx/ssl/{{ drone_domain }}.crt
|
||||||
user: root
|
user: root
|
||||||
group: root
|
group: root
|
||||||
perm: '400'
|
perm: '400'
|
|
@ -0,0 +1,10 @@
|
||||||
|
DRONE_AGENTS_ENABLED=true
|
||||||
|
DRONE_DATABASE_DATASOURCE=postgres://{{ drone_dbuser }}:{{ drone_dbpass }}@127.0.0.1:5432/{{ drone_dbname }}
|
||||||
|
DRONE_DATABASE_DRIVER=postgres
|
||||||
|
DRONE_GITEA_SERVER=https://{{ gitea_domain }}
|
||||||
|
DRONE_GITEA_CLIENT_ID={{ drone_gitea_client }}
|
||||||
|
DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_secret }}
|
||||||
|
DRONE_RPC_SECRET={{ drone_secret }}
|
||||||
|
DRONE_SERVER_HOST={{ drone_domain }}
|
||||||
|
DRONE_SERVER_PROTO=https
|
||||||
|
DRONE_USER_CREATE=username:{{ drone_admin }},admin:true
|
|
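Review bot: The `DRONE_DATABASE_DATASOURCE` line splices `{{ drone_dbpass }}` raw into a URL, so a password containing `@`, `/`, `:` or `#` silently breaks the DSN or changes the host part; `postgres://{{ drone_dbuser }}:{{ drone_dbpass | urlencode }}@127.0.0.1:5432/{{ drone_dbname }}` keeps the value intact. Since every line of this file is a credential, the task that renders it should give it a restrictive owner and mode rather than the template default.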
@ -0,0 +1,31 @@
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
|
||||||
|
server_name {{ drone_domain }};
|
||||||
|
|
||||||
|
location /.well-known/acme-challenge {
|
||||||
|
default_type "text/plain";
|
||||||
|
alias /var/www/acme-challenge;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://{{ drone_domain }}$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
server_name {{ drone_domain }};
|
||||||
|
|
||||||
|
ssl_certificate_key /etc/nginx/ssl/{{ drone_domain }}.key;
|
||||||
|
ssl_certificate /etc/nginx/ssl/{{ drone_domain }}.crt;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
client_max_body_size 128M;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_pass http://localhost:8080;
|
||||||
|
}
|
||||||
|
}
|
|
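Review bot: The HTTPS `location /` passes only `X-Real-IP` to the upstream, so drone sees `Host: localhost:8080` and a plain-HTTP request; the left column's grafana vhost in this repo forwards `proxy_set_header Host $http_host;`, and adding that plus `proxy_set_header X-Forwarded-Proto https;` lets the application build correct absolute URLs if it derives them from request headers. Drone can take host and scheme from `DRONE_SERVER_HOST`/`DRONE_SERVER_PROTO` instead, so this may be harmless here — a one-line comment stating which the deployment relies on would settle it. Drone also streams build logs over long-lived responses, so `proxy_buffering off;` on this location is the usual companion; confirm against the upstream's documentation.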
@ -0,0 +1,21 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Run runner container
|
||||||
|
docker_container:
|
||||||
|
name: runner
|
||||||
|
image: drone/drone-runner-docker:1
|
||||||
|
env:
|
||||||
|
DRONE_RPC_PROTO: "https"
|
||||||
|
DRONE_RPC_HOST: "{{ drone_domain }}"
|
||||||
|
DRONE_RPC_SECRET: "{{ drone_secret }}"
|
||||||
|
DRONE_RUNNER_CAPACITY: "2"
|
||||||
|
DRONE_RUNNER_NAME: "{{ ansible_fqdn }}"
|
||||||
|
DRONE_UI_USERNAME: "admin"
|
||||||
|
DRONE_UI_PASSWORD: "{{ drone_uipass }}"
|
||||||
|
ports:
|
||||||
|
- "3000:3000"
|
||||||
|
pull: yes
|
||||||
|
restart_policy: unless-stopped
|
||||||
|
state: started
|
||||||
|
volumes:
|
||||||
|
- "/var/run/docker.sock:/var/run/docker.sock"
|
|
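Review bot: `ports: - "3000:3000"` publishes the runner's dashboard on every interface of the host while nothing in the task suggests it is needed from outside; `- "127.0.0.1:3000:3000"` keeps it local and reachable via SSH forwarding. The bind-mounted `/var/run/docker.sock` hands the container control of the host's Docker daemon, so every pipeline this runner executes is effectively root on this host — a comment such as `# docker.sock mount: pipelines get full control of this host; keep it dedicated to CI` documents the accepted risk. `image: drone/drone-runner-docker:1` with `pull: yes` re-resolves a floating major tag on every play, so pin a specific version or digest for reproducible deployments. The `env` block also contains `DRONE_RPC_SECRET` and `DRONE_UI_PASSWORD`, so the task should carry `no_log: true`.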
@ -1,15 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
eh21.easterhegg.eu engel.eh21.easterhegg.eu:
|
|
||||||
- path: /etc/nginx/ssl/eh21.easterhegg.eu.crt
|
|
||||||
user: root
|
|
||||||
group: root
|
|
||||||
perm: '400'
|
|
||||||
format: crt,ca
|
|
||||||
action: '/usr/sbin/service nginx restart'
|
|
||||||
- path: /etc/nginx/ssl/eh21.easterhegg.eu.key
|
|
||||||
user: root
|
|
||||||
group: root
|
|
||||||
perm: '400'
|
|
||||||
format: key
|
|
||||||
action: '/usr/sbin/service nginx restart'
|
|
|
@ -1,68 +0,0 @@
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
|
|
||||||
server_name eh21.easterhegg.eu;
|
|
||||||
|
|
||||||
location /.well-known/acme-challenge {
|
|
||||||
default_type "text/plain";
|
|
||||||
alias /var/www/acme-challenge;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 301 https://eh21.easterhegg.eu$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name eh21.easterhegg.eu;
|
|
||||||
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
|
|
||||||
ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
|
|
||||||
|
|
||||||
root /var/www/eh21;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
|
|
||||||
server_name engel.eh21.easterhegg.eu;
|
|
||||||
|
|
||||||
location /.well-known/acme-challenge {
|
|
||||||
default_type "text/plain";
|
|
||||||
alias /var/www/acme-challenge;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 301 https://engel.eh21.easterhegg.eu$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name engel.eh21.easterhegg.eu;
|
|
||||||
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
|
|
||||||
ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
|
|
||||||
|
|
||||||
root /var/www/engel/public;
|
|
||||||
|
|
||||||
index index.php;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/ /index.php?$args;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ \.php$ {
|
|
||||||
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
|
|
||||||
fastcgi_index index.php;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
||||||
include fastcgi_params;
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,7 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Restart nginx
|
|
||||||
service: name=nginx state=restarted
|
|
||||||
|
|
||||||
- name: Run acertmgr
|
|
||||||
command: /usr/bin/acertmgr
|
|
|
@ -1,5 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
dependencies:
|
|
||||||
- { role: acertmgr }
|
|
||||||
- { role: nginx, nginx_ssl: True }
|
|
|
@ -1,31 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Install dependencies
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- php-fpm
|
|
||||||
|
|
||||||
- name: Create vhost directory
|
|
||||||
file: path=/var/www/eh21 state=directory owner=www-data group=www-data
|
|
||||||
|
|
||||||
- name: Create vhost directory
|
|
||||||
file: path=/var/www/engel state=directory owner=www-data group=www-data
|
|
||||||
|
|
||||||
- name: Ensure certificates are available
|
|
||||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/eh21.easterhegg.eu.key -out /etc/nginx/ssl/eh21.easterhegg.eu.crt -days 730 -subj "/CN=eh21.easterhegg.eu" creates=/etc/nginx/ssl/eh21.easterhegg.eu.crt
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Configure certificate manager
|
|
||||||
copy: src=certs dest=/etc/acertmgr/eh21.easterhegg.eu.conf
|
|
||||||
notify: Run acertmgr
|
|
||||||
|
|
||||||
- name: Configure vhosts
|
|
||||||
copy: src=vhost dest=/etc/nginx/sites-available/www
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Enable vhosts
|
|
||||||
file: src=/etc/nginx/sites-available/www dest=/etc/nginx/sites-enabled/www state=link
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Start php8.2-fpm
|
|
||||||
service: name=php8.2-fpm state=started enabled=yes
|
|
|
@ -42,7 +42,7 @@
|
||||||
# option cannot handle dynamic or non-broadcast interfaces correctly.
|
# option cannot handle dynamic or non-broadcast interfaces correctly.
|
||||||
; bind interfaces only = yes
|
; bind interfaces only = yes
|
||||||
|
|
||||||
min protocol = NT1
|
|
||||||
|
|
||||||
#### Debugging/Accounting ####
|
#### Debugging/Accounting ####
|
||||||
|
|
||||||
|
@ -213,7 +213,7 @@
|
||||||
;[printers]
|
;[printers]
|
||||||
; comment = All Printers
|
; comment = All Printers
|
||||||
; browseable = no
|
; browseable = no
|
||||||
; path = /var/tmp
|
; path = /var/spool/samba
|
||||||
; printable = yes
|
; printable = yes
|
||||||
; guest ok = no
|
; guest ok = no
|
||||||
; read only = yes
|
; read only = yes
|
||||||
|
@ -240,5 +240,5 @@
|
||||||
browseable = yes
|
browseable = yes
|
||||||
read only = no
|
read only = no
|
||||||
guest ok = yes
|
guest ok = yes
|
||||||
create mask = 0660
|
create mask = 0600
|
||||||
directory mask = 0770
|
directory mask = 0700
|
||||||
|
|
|
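Review bot: `create mask = 0600` / `directory mask = 0700` on a share that is `read only = no` and `guest ok = yes` means files written by one authenticated account are unreadable by every other account on the share; that only works if all writers map to the same user (e.g. guest), which I cannot verify from the hunk, so if this is a shared folder the left column's `0660`/`0770` together with a `force group` is what makes it usable — state the intent in a comment either way. The first hunk drops `min protocol = NT1`, which lets Samba's default minimum (SMB2 on current releases) apply and locks out SMB1-only clients; a line such as `; SMB1 (NT1) intentionally not enabled` would keep the next reader from re-adding it. The share header itself is outside the last hunk.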
@ -3,5 +3,6 @@
|
||||||
gitea_user: gogs
|
gitea_user: gogs
|
||||||
gitea_group: gogs
|
gitea_group: gogs
|
||||||
|
|
||||||
gitea_version: 1.21.11
|
gitea_checksum: sha256:1b7473b5993e07b33fec58edbc1a90f15f040759ca4647e97317c33d5dfe58be
|
||||||
gitea_url: https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
|
gitea_version: 1.15.6
|
||||||
|
gitea_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
|
||||||
|
|
|
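Review bot: `gitea_checksum` disappears from the defaults while `gitea_url` still points at a release binary that is installed straight into the service's exec path, so the download is trusted on TLS alone; the gitea tasks hunk in this change drops the matching `checksum=` from `get_url` as well. Keep a `gitea_checksum: sha256:<digest from the release's checksum file>` entry next to `gitea_version` and pass it to `get_url` so a tampered or truncated binary is refused. `1.15.6` is also several major releases behind the `1.21.11` on the left, so if the downgrade is intentional it deserves a comment.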
@ -6,24 +6,19 @@
|
||||||
- name: Create user
|
- name: Create user
|
||||||
user: name={{ gitea_user }} home=/home/{{ gitea_user }} group={{ gitea_group }}
|
user: name={{ gitea_user }} home=/home/{{ gitea_user }} group={{ gitea_group }}
|
||||||
|
|
||||||
- name: Create directories
|
- name: Create gitea directories
|
||||||
file: path={{ item }} state=directory owner={{ gitea_user }} group={{ gitea_group }}
|
file: path={{ item }} state=directory owner={{ gitea_user }}
|
||||||
with_items:
|
with_items:
|
||||||
- /opt/gitea
|
- /opt/gitea
|
||||||
- /opt/gitea/custom
|
- /opt/gitea/custom
|
||||||
- /opt/gitea/custom/conf
|
- /opt/gitea/custom/conf
|
||||||
|
|
||||||
- name: Download gitea binary
|
- name: Download gitea binary
|
||||||
get_url: url={{ gitea_url }} dest=/opt/gitea/gitea-{{ gitea_version }} mode=0755
|
get_url: url={{ gitea_url }} dest=/opt/gitea/gitea checksum={{ gitea_checksum }} mode=0755
|
||||||
register: gitea_download
|
|
||||||
|
|
||||||
- name: Symlink gitea binary
|
|
||||||
file: src=/opt/gitea/gitea-{{ gitea_version }} dest=/opt/gitea/gitea state=link
|
|
||||||
when: gitea_download.changed
|
|
||||||
notify: Restart gitea
|
notify: Restart gitea
|
||||||
|
|
||||||
- name: Configure gitea
|
- name: Configure gitea
|
||||||
template: src=app.ini.j2 dest=/opt/gitea/custom/conf/app.ini force=no owner={{ gitea_user }} group={{ gitea_group }}
|
template: src=app.ini.j2 dest=/opt/gitea/custom/conf/app.ini force=no owner={{ gitea_user }}
|
||||||
|
|
||||||
- name: Install systemd unit
|
- name: Install systemd unit
|
||||||
template: src=gitea.service.j2 dest=/lib/systemd/system/gitea.service
|
template: src=gitea.service.j2 dest=/lib/systemd/system/gitea.service
|
||||||
|
@ -55,9 +50,6 @@
|
||||||
template: src=certs.j2 dest=/etc/acertmgr/{{ gitea_domain }}.conf
|
template: src=certs.j2 dest=/etc/acertmgr/{{ gitea_domain }}.conf
|
||||||
notify: Run acertmgr
|
notify: Run acertmgr
|
||||||
|
|
||||||
- name: Configure robots.txt for gitea
|
|
||||||
template: src=robots.txt.j2 dest=/opt/gitea/custom/robots.txt owner={{ gitea_user }}
|
|
||||||
|
|
||||||
- name: Configure vhost
|
- name: Configure vhost
|
||||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/gitea
|
template: src=vhost.j2 dest=/etc/nginx/sites-available/gitea
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
@ -67,9 +59,4 @@
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
|
||||||
- name: Enable gitea
|
- name: Enable gitea
|
||||||
service: name=gitea state=started enabled=yes
|
service: name=gitea enabled=yes
|
||||||
|
|
||||||
- name: Enable monitoring
|
|
||||||
include_role: name=icinga-monitor tasks_from=http
|
|
||||||
vars:
|
|
||||||
vhost: "{{ gitea_domain }}"
|
|
||||||
|
|
|
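Review bot: `service: name=gitea enabled=yes` no longer starts the service, so a host where gitea is stopped but the binary and unit are unchanged (no handler fires) stays down after a play; keep `service: name=gitea state=started enabled=yes` as the left column has it and as the grafana task in this repo does. The `Create gitea directories` and `Configure gitea` tasks drop `group={{ gitea_group }}`, which only works because the `Create user` task sets that group as primary — fine, but a comment would make the dependency visible. The last hunk also removes the icinga monitoring include; if gitea is no longer monitored that is a change in coverage worth naming in the commit message.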
@ -43,10 +43,3 @@ LEVEL = warn
|
||||||
|
|
||||||
[oauth2]
|
[oauth2]
|
||||||
JWT_SECRET = {{ gitea_jwt_secret }}
|
JWT_SECRET = {{ gitea_jwt_secret }}
|
||||||
|
|
||||||
[cron]
|
|
||||||
ENABLED = true
|
|
||||||
|
|
||||||
[cron.archive_cleanup]
|
|
||||||
SCHEDULE = @midnight
|
|
||||||
OLDER_THAN = 168h
|
|
||||||
|
|
|
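Review bot: Removing `[cron]` / `[cron.archive_cleanup]` means repository archives Gitea generates on download are never purged, so `/opt/gitea` grows until the disk fills. If cleanup is handled elsewhere, a comment in the template saying so would help; otherwise keep `SCHEDULE = @midnight` and `OLDER_THAN = 168h`. The `[oauth2]` section this hunk touches starts outside the hunk.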
@ -8,7 +8,7 @@ Requires=postgresql.service
|
||||||
RestartSec=2s
|
RestartSec=2s
|
||||||
Type=simple
|
Type=simple
|
||||||
User={{ gitea_user }}
|
User={{ gitea_user }}
|
||||||
Group={{ gitea_group }}
|
Group={{ gitea_user }}
|
||||||
WorkingDirectory=/opt/gitea/
|
WorkingDirectory=/opt/gitea/
|
||||||
ExecStart=/opt/gitea/gitea web
|
ExecStart=/opt/gitea/gitea web
|
||||||
Restart=always
|
Restart=always
|
||||||
|
|
|
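Review bot: `Group={{ gitea_user }}` uses the user variable where the defaults define a separate `gitea_group` and the `Create user` task uses `group={{ gitea_group }}`; the unit should read `Group={{ gitea_group }}`. With both defaulting to `gogs` this works today, but overriding `gitea_group` in inventory would run the process under one group while files are created under the other. The `[Unit]` section with `Requires=postgresql.service` sits outside the hunk.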
@ -1,4 +0,0 @@
|
||||||
User-agent: *
|
|
||||||
Disallow: /*/*/archive/*.bundle$
|
|
||||||
Disallow: /*/*/archive/*.tar.gz$
|
|
||||||
Disallow: /*/*/archive/*.zip$
|
|
|
@ -23,10 +23,6 @@ server {
|
||||||
ssl_certificate_key /etc/nginx/ssl/{{ gitea_domain }}.key;
|
ssl_certificate_key /etc/nginx/ssl/{{ gitea_domain }}.key;
|
||||||
ssl_certificate /etc/nginx/ssl/{{ gitea_domain }}.crt;
|
ssl_certificate /etc/nginx/ssl/{{ gitea_domain }}.crt;
|
||||||
|
|
||||||
location /robots.txt {
|
|
||||||
alias /opt/gitea/custom/robots.txt;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
client_max_body_size 1024M;
|
client_max_body_size 1024M;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Enable grafana apt-key
|
- name: Enable grafana apt-key
|
||||||
apt_key: url="https://apt.grafana.com/gpg.key" keyring="/etc/apt/trusted.gpg.d/grafana.gpg"
|
apt_key: url='https://packages.grafana.com/gpg.key'
|
||||||
|
|
||||||
- name: Enable grafana repository
|
- name: Enable grafana repository
|
||||||
apt_repository: repo="deb https://apt.grafana.com stable main"
|
apt_repository: repo='deb https://packages.grafana.com/oss/deb stable main'
|
||||||
|
|
||||||
- name: Install grafana
|
- name: Install grafana
|
||||||
apt: name=grafana
|
apt: name=grafana
|
||||||
|
@ -34,8 +34,3 @@
|
||||||
|
|
||||||
- name: Start grafana
|
- name: Start grafana
|
||||||
service: name=grafana-server state=started enabled=yes
|
service: name=grafana-server state=started enabled=yes
|
||||||
|
|
||||||
- name: Enable monitoring
|
|
||||||
include_role: name=icinga-monitor tasks_from=http
|
|
||||||
vars:
|
|
||||||
vhost: "{{ grafana_domain }}"
|
|
||||||
|
|
|
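Review bot: The new side reverts the repository to `packages.grafana.com/oss/deb` and its key to `packages.grafana.com/gpg.key`, while the left column already uses `apt.grafana.com` with a scoped `keyring=`; as far as I know Grafana moved its packages to the new host and rotated the signing key, so the old URL is at best a redirect and may stop resolving. Keep the `apt.grafana.com` form: `apt_key: url="https://apt.grafana.com/gpg.key" keyring="/etc/apt/trusted.gpg.d/grafana.gpg"` and `apt_repository: repo="deb https://apt.grafana.com stable main"`. The second hunk removes the icinga monitoring include; if grafana is no longer monitored that is a change in coverage worth stating.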
@ -25,8 +25,7 @@ server {
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
client_max_body_size 1024M;
|
client_max_body_size 1024M;
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_pass http://localhost:3000;
|
proxy_pass http://localhost:3000;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
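Review bot: Dropping `proxy_set_header Host $http_host;` makes nginx forward `Host: localhost:3000` to Grafana, which breaks anything that builds absolute URLs or redirect targets from the request host (OAuth callbacks, for instance) unless `root_url` in grafana.ini is set explicitly — confirm before removing it. Switching `X-Forwarded-For` to `X-Real-IP` only changes which header carries the client address; check that Grafana's proxy settings honour the new name, since as far as I recall `X-Forwarded-For` is the one it reads by default. The enclosing `server` block starts outside the hunk.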
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
hedgedoc_version: 1.8.2
|
||||||
|
hedgedoc_archive: https://github.com/hedgedoc/hedgedoc/archive/{{ hedgedoc_version }}.tar.gz
|
|
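Review bot: `hedgedoc_archive` points at GitHub's auto-generated source tarball for `1.8.2`, and the tasks hunk in this change unpacks it with `unarchive remote_src=yes`, which has no integrity check, so the code that ends up running as `hackmd` is trusted on TLS alone. Download it first with `get_url` and a pinned `checksum: sha256:<digest recorded when the version was chosen>`, then `unarchive` the local file. Auto-generated archives are also not release artefacts and have changed bytes in the past, so a published release asset is the better source if one exists.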
@ -0,0 +1,105 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Create user
|
||||||
|
user: name=hackmd
|
||||||
|
|
||||||
|
- name: Enable nodesource apt-key
|
||||||
|
apt_key: url="https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
|
||||||
|
|
||||||
|
- name: Enable nodesource repository
|
||||||
|
apt_repository: repo="deb https://deb.nodesource.com/node_14.x/ {{ ansible_distribution_release }} main"
|
||||||
|
|
||||||
|
- name: Enable yarnpkg apt-key
|
||||||
|
apt_key: url="https://dl.yarnpkg.com/debian/pubkey.gpg"
|
||||||
|
|
||||||
|
- name: Enable yarnpkg repository
|
||||||
|
apt_repository: repo="deb https://dl.yarnpkg.com/debian/ stable main"
|
||||||
|
|
||||||
|
- name: Pin nodejs repository
|
||||||
|
blockinfile:
|
||||||
|
path: /etc/apt/preferences.d/nodejs
|
||||||
|
create: yes
|
||||||
|
block: |
|
||||||
|
Package: *
|
||||||
|
Pin: origin deb.nodesource.com
|
||||||
|
Pin-Priority: 600
|
||||||
|
|
||||||
|
- name: Install packages
|
||||||
|
apt:
|
||||||
|
name:
|
||||||
|
- build-essential
|
||||||
|
- git
|
||||||
|
- nodejs
|
||||||
|
- postgresql
|
||||||
|
- python3-psycopg2
|
||||||
|
- yarn
|
||||||
|
|
||||||
|
- name: Unpack hedgedoc
|
||||||
|
unarchive: src={{ hedgedoc_archive }} dest=/opt owner=hackmd group=hackmd remote_src=yes creates=/opt/hedgedoc-{{ hedgedoc_version }}
|
||||||
|
register: hedgedoc_unarchive
|
||||||
|
|
||||||
|
- name: Create hedgedoc upload path
|
||||||
|
file: path=/opt/hedgedoc/uploads state=directory recurse=yes owner=hackmd group=hackmd
|
||||||
|
|
||||||
|
- name: Remove old hedgedoc upload path
|
||||||
|
file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads state=absent force=yes
|
||||||
|
|
||||||
|
- name: Link hedgedoc upload path
|
||||||
|
file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads src=/opt/hedgedoc/uploads state=link owner=hackmd group=hackmd
|
||||||
|
|
||||||
|
- name: Setup hedgedoc
|
||||||
|
command: bin/setup chdir=/opt/hedgedoc-{{ hedgedoc_version }} creates=/opt/hedgedoc-{{ hedgedoc_version }}/config.json
|
||||||
|
become: true
|
||||||
|
become_user: hackmd
|
||||||
|
|
||||||
|
- name: Configure hedgedoc
|
||||||
|
template: src=config.json.j2 dest=/opt/hedgedoc-{{ hedgedoc_version }}/config.json owner=hackmd
|
||||||
|
register: hedgedoc_config
|
||||||
|
notify: Restart hedgedoc
|
||||||
|
|
||||||
|
- name: Install hedgedoc frontend deps
|
||||||
|
command: /usr/bin/yarn install chdir=/opt/hedgedoc-{{ hedgedoc_version }}
|
||||||
|
become: true
|
||||||
|
become_user: hackmd
|
||||||
|
when: hedgedoc_unarchive.changed or hedgedoc_config.changed
|
||||||
|
|
||||||
|
- name: Build hedgedoc frontend
|
||||||
|
command: /usr/bin/yarn build chdir=/opt/hedgedoc-{{ hedgedoc_version }}
|
||||||
|
become: true
|
||||||
|
become_user: hackmd
|
||||||
|
when: hedgedoc_unarchive.changed or hedgedoc_config.changed
|
||||||
|
|
||||||
|
- name: Configure PostgreSQL database
|
||||||
|
postgresql_db: name={{ hedgedoc_dbname }}
|
||||||
|
become: true
|
||||||
|
become_user: postgres
|
||||||
|
|
||||||
|
- name: Configure PostgreSQL user
|
||||||
|
postgresql_user: db={{ hedgedoc_dbname }} name={{ hedgedoc_dbuser }} password={{ hedgedoc_dbpass }} priv=ALL state=present
|
||||||
|
become: true
|
||||||
|
become_user: postgres
|
||||||
|
|
||||||
|
- name: Ensure certificates are available
|
||||||
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hedgedoc_domain }}.key -out /etc/nginx/ssl/{{ hedgedoc_domain }}.crt -days 730 -subj "/CN={{ hedgedoc_domain }}" creates=/etc/nginx/ssl/{{ hedgedoc_domain }}.crt
|
||||||
|
notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Configure certificate manager for hedgedoc
|
||||||
|
template: src=certs.j2 dest=/etc/acertmgr/{{ hedgedoc_domain }}.conf
|
||||||
|
notify: Run acertmgr
|
||||||
|
|
||||||
|
- name: Configure vhost
|
||||||
|
template: src=vhost.j2 dest=/etc/nginx/sites-available/hedgedoc
|
||||||
|
notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Enable vhost
|
||||||
|
file: src=/etc/nginx/sites-available/hedgedoc dest=/etc/nginx/sites-enabled/hedgedoc state=link
|
||||||
|
notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Systemd unit for hedgedoc
|
||||||
|
template: src=hedgedoc.service.j2 dest=/etc/systemd/system/hedgedoc.service
|
||||||
|
notify:
|
||||||
|
- Reload systemd
|
||||||
|
- Restart hedgedoc
|
||||||
|
|
||||||
|
- name: Start the hedgedoc service
|
||||||
|
service: name=hedgedoc state=started enabled=yes
|
|
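Review bot: `template: src=config.json.j2 dest=/opt/hedgedoc-{{ hedgedoc_version }}/config.json owner=hackmd` sets no mode, and the rendered file contains the session secret, the database password and the LDAP bind password, so under the default umask it is readable by every local account; add `mode=0600`. `deb https://deb.nodesource.com/node_14.x/` tracks a Node.js line that has reached end of life as far as I know, so the version should be a variable with a comment on when it was last reviewed. `Unpack hedgedoc` installs an unverified tarball and `Install hedgedoc frontend deps` runs the packages' lifecycle scripts via `yarn install` as `hackmd`; a `# supply chain: tarball and npm dependencies are not verified beyond TLS` comment would at least record the accepted risk.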
@ -0,0 +1,45 @@
|
||||||
|
{
|
||||||
|
"production": {
|
||||||
|
"domain": "{{ hedgedoc_domain }}",
|
||||||
|
"protocolUseSSL": true,
|
||||||
|
"allowAnonymous": false,
|
||||||
|
"allowAnonymousEdits": true,
|
||||||
|
"allowFreeURL": true,
|
||||||
|
"sessionSecret": "{{ hedgedoc_secret }}",
|
||||||
|
"hsts": {
|
||||||
|
"enable": true,
|
||||||
|
"maxAgeSeconds": 2592000,
|
||||||
|
"includeSubdomains": true,
|
||||||
|
"preload": true
|
||||||
|
},
|
||||||
|
"csp": {
|
||||||
|
"enable": true,
|
||||||
|
"directives": {
|
||||||
|
},
|
||||||
|
"upgradeInsecureRequests": "auto",
|
||||||
|
"addDefaults": true,
|
||||||
|
"addDisqus": true,
|
||||||
|
"addGoogleAnalytics": true
|
||||||
|
},
|
||||||
|
"db": {
|
||||||
|
"username": "{{ hedgedoc_dbuser }}",
|
||||||
|
"password": "{{ hedgedoc_dbpass }}",
|
||||||
|
"database": "{{ hedgedoc_dbname }}",
|
||||||
|
"host": "localhost",
|
||||||
|
"port": "5432",
|
||||||
|
"dialect": "postgres"
|
||||||
|
},
|
||||||
|
"ldap": {
|
||||||
|
"url": "{{ ldap_uri }}",
|
||||||
|
"bindDn": "{{ ldap_binddn }}",
|
||||||
|
"bindCredentials": "{{ ldap_bindpw }}",
|
||||||
|
"searchBase": "{{ ldap_base }}",
|
||||||
|
"searchFilter": "(uid={{ '{{' }}username{{ '}}' }})",
|
||||||
|
"searchAttributes": ["cn", "uid"],
|
||||||
|
"usernameField": "cn",
|
||||||
|
"useridField": "uid",
|
||||||
|
"tlsca": "/etc/ssl/certs/ca-certificates.crt"
|
||||||
|
},
|
||||||
|
"email": false
|
||||||
|
}
|
||||||
|
}
|
|
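Review bot: The `csp` block sets `addDisqus` and `addGoogleAnalytics` to `true` although nothing in this config enables Disqus or Google Analytics, which widens the generated Content-Security-Policy to those third-party script origins for no benefit; set both to `false` unless they are actually used. `"preload": true` together with `"includeSubdomains": true` asserts that every subdomain of `{{ hedgedoc_domain }}` is HTTPS-only, and once submitted to the preload list that is hard to undo — confirm that is wanted, or set `preload` to `false`. This file also embeds `sessionSecret`, the DB password and `bindCredentials`, so the task rendering it should not leave it world-readable.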
@ -0,0 +1,14 @@
|
||||||
|
[Unit]
|
||||||
|
Description=HedgeDoc
|
||||||
|
After=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Environment=NODE_ENV=production
|
||||||
|
WorkingDirectory=/opt/hedgedoc-{{ hedgedoc_version }}
|
||||||
|
Type=simple
|
||||||
|
User=hackmd
|
||||||
|
ExecStart=/usr/bin/yarn start
|
||||||
|
Restart=on-failure
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
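Review bot: The unit has only `After=network.target`, yet the app connects to PostgreSQL on `localhost` (per `config.json.j2` in this change), so at boot it can start before the database and fail until `Restart=on-failure` catches up; the gitea unit in this repo declares `Requires=postgresql.service`, so `After=network.target postgresql.service` plus `Requires=postgresql.service` keeps the two consistent. `ExecStart=/usr/bin/yarn start` also leaves a package-manager process wrapping node for the unit's lifetime; documenting why, or calling the node entry point directly, would help the next maintainer.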