infra/ansible
4
5
Fork 5
Code Issues 6 Pull Requests 1 Activity

Compare commits

base: infra:master
Branches Tags
infra:master
infra:pizza
noby:cc-dhcp-leases-keller
noby:homeassistant
noby:cc-dhcp-leases-workshop
noby:cc-dhcp-leases-wled
noby:cc-dhcp-leases-wohnzimmer-audio
noby:php-requirements
noby:cc-dhcp-leases
noby:upgrade_20241222
noby:doorbot
noby:freepbx
noby:upgrade_20240315
noby:upgrade_20230123
noby:upgrade_20220721
noby:xrdp
noby:workadventure
noby:master
noby:pizza
..
compare: noby:workadventure
Branches Tags
noby:cc-dhcp-leases-keller
noby:homeassistant
noby:cc-dhcp-leases-workshop
noby:cc-dhcp-leases-wled
noby:cc-dhcp-leases-wohnzimmer-audio
noby:php-requirements
noby:cc-dhcp-leases
noby:upgrade_20241222
noby:doorbot
noby:freepbx
noby:upgrade_20240315
noby:upgrade_20230123
noby:upgrade_20220721
noby:xrdp
noby:workadventure
noby:master
noby:pizza
infra:master
infra:pizza

No commits in common. "master" and "workadventure" have entirely different histories.
master ... workadvent

259 changed files with 3045 additions and 9125 deletions
Show Stats Expand all files Collapse all files

67
README.md
View File

@ -1,68 +1,11 @@
# Binary Kitchen Ansible Playbooks
This repository contains the roles to setup most of the infrastructure related to the hackspace Binary Kitchen.
This repository contains the roles to setup most of the infrastructure related to the hackerspace Binary Kitchen.
## Usage
## Using
To apply the current set of roles to a single host you can type: `ansible-playbook site.yml -l $hostname`
TBA
It is recommenced to alway run in check mode (`--check`) first and use `--diff` to see what has been (or would be) changed
## Style / Contributing
## Current setup
Currently the following hosts are installed:
### Internal Servers
| Hostname | OS | Purpose |
| --------------------------- | --------- | ----------------------- |
| wurst.binary.kitchen | Proxmox 8 | VM Host |
| salat.binary.kitchen | Proxmox 8 | VM Host |
| weizen.binary.kitchen | Proxmox 8 | VM Host |
| bacon.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| aveta.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| aeron.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| sulis.binary.kitchen | Debian 12 | Shell |
| nabia.binary.kitchen | Debian 12 | Monitoring |
| epona.binary.kitchen | Debian 12 | NetBox |
| pizza.binary.kitchen | Debian 11 | OpenHAB * |
| pancake.binary.kitchen | Debian 12 | XRDP |
| knoedel.binary.kitchen | Debian 12 | SIP-DECT OMM |
| schweinshaxn.binary.kitchen | Debian 12 | FreePBX |
| bob.binary.kitchen | Debian 12 | Gitea Actions |
| lasagne.binary.kitchen | Debian 12 | Home Assistant * |
| tschunk.binary.kitchen | Debian 12 | Strichliste |
| bowle.binary.kitchen | Debian 12 | Files |
| lock-auweg.binary.kitchen | Debian 12 | Doorlock |
\*: The main application is not managed by ansible but manually installed
### External Servers
| Hostname | OS | Purpose |
| ----------------------------- | --------- | ----------------------- |
| helium.binary-kitchen.net | Debian 12 | LDAP Master |
| lithium.binary-kitchen.net | Debian 12 | Mail |
| beryllium.binary-kitchen.net | Debian 12 | Web * |
| boron.binary-kitchen.net | Debian 12 | Gitea |
| carbon.binary-kitchen.net | Debian 12 | Jabber |
| nitrogen.binary-kitchen.net | Debian 12 | NextCloud |
| oxygen.binary-kitchen.net | Debian 12 | Shell |
| fluorine.binary-kitchen.net | Debian 12 | Web (div. via Docker) |
| neon.binary-kitchen.net | Debian 12 | Auth. DNS |
| sodium.binary-kitchen.net | Debian 12 | Mattrix |
| magnesium.binary-kitchen.net | Debian 12 | TURN |
| aluminium.binary-kitchen.net | Debian 12 | Web (div. via Docker) |
| krypton.binary-kitchen.net | Debian 12 | PartDB * |
| yttrium.binary-kitchen.net | Debian 12 | Hintervvoidler * |
| zirconium.binary-kitchen.net | Debian 12 | Jitsi |
| molybdenum.binary-kitchen.net | Debian 12 | Telefonzelle * |
| technetium.binary-kitchen.net | Debian 12 | Event CTFd * |
| ruthenium.binary-kitchen.net | Debian 12 | Minecraft * |
| rhodium.binary-kitchen.net | Debian 12 | Event pretix |
| palladium.binary-kitchen.net | Debian 12 | Event pretalx |
| argentum.binary-kitchen.net | Debian 12 | Event Web * |
| cadmium.binary-kitchen.net | Debian 12 | Event NetBox * |
\*: The main application is not managed by ansible but manually installed
TBA/TBD

73
group_vars/all/vars.yml
View File

@ -5,14 +5,6 @@ acertmgr_mode: webdir
acme_dnskey_file: /etc/acertmgr/nsupdate.key
acme_dnskey_server: neon.binary-kitchen.net
authentik_domain: auth.binary-kitchen.de
authentik_dbname: authentik
authentik_dbuser: authentik
authentik_dbpass: "{{ vault_authentik_dbpass }}"
authentik_secret: "{{ vault_authentik_secret }}"
bk23b_domain: 23b.binary-kitchen.de
coturn_realm: turn.binary-kitchen.de
coturn_secret: "{{ vault_coturn_secret }}"
@ -22,12 +14,19 @@ dns_axfr_ips:
dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
drone_admin: moepman
drone_domain: drone.binary-kitchen.de
drone_dbname: drone
drone_dbuser: drone
drone_dbpass: "{{ vault_drone_dbpass }}"
drone_uipass: "{{ vault_drone_uipass }}"
drone_secret: "{{ vault_drone_secret }}"
drone_gitea_client: "{{ vault_drone_gitea_client }}"
drone_gitea_secret: "{{ vault_drone_gitea_secret }}"
dss_domain: dss.binary-kitchen.de
dss_secret: "{{ vault_dss_secret }}"
fpm_status_user: admin
fpm_status_pass: "{{ vault_fpm_status_pass }}"
gitea_domain: git.binary-kitchen.de
gitea_dbname: gogs
gitea_dbuser: gogs
@ -36,8 +35,8 @@ gitea_secret: "{{ vault_gitea_secret }}"
gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
hedgedoc_domain: pad.binary-kitchen.de
hedgedoc_dbname: hedgedoc
hedgedoc_dbuser: hedgedoc
hedgedoc_dbname: hackmd
hedgedoc_dbuser: hackmd
hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
@ -45,7 +44,6 @@ icinga_domain: icinga.binary.kitchen
icinga_dbname: icinga
icinga_dbuser: icinga
icinga_dbpass: "{{ vault_icinga_dbpass }}"
icinga_server: nabia.binary.kitchen
icingaweb_dbname: icingaweb
icingaweb_dbuser: icingaweb
icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
@ -68,7 +66,6 @@ mail_domain: binary-kitchen.de
mail_domains:
- ccc-r.de
- ccc-regensburg.de
- eh21.easterhegg.eu
- makerspace-regensburg.de
mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
mail_server: mail.binary-kitchen.de
@ -76,18 +73,12 @@ mailman_domain: lists.binary-kitchen.de
mail_trusted:
- 213.166.246.0/28
- 213.166.246.37/32
- 213.166.246.45/32
- 213.166.246.46/32
- 213.166.246.47/32
- 213.166.246.250/32
- 2a02:958:0:f6::/124
- 2a02:958:0:f6::37/128
- 2a02:958:0:f6::45/128
- 2a02:958:0:f6::46/128
- 2a02:958:0:f6::47/128
mail_aliases:
- "auweg@binary-kitchen.de venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
- "bbb@binary-kitchen.de boehm.johannes@gmail.com"
- "bbb@binary-kitchen.de timo.schindler@binary-kitchen.de"
- "dasfilament@binary-kitchen.de taxx@binary-kitchen.de"
- "epvpn@binary-kitchen.de noby@binary-kitchen.de"
- "google@binary-kitchen.de vorstand@binary-kitchen.de"
@ -100,14 +91,10 @@ mail_aliases:
- "orga@ccc-regensburg.de anti@binary-kitchen.de"
- "paypal@binary-kitchen.de ralf@binary-kitchen.de"
- "post@makerspace-regensburg.de vorstand@binary-kitchen.de"
- "pretalx@binary-kitchen.de moepman@binary-kitchen.de"
- "pretix@binary-kitchen.de moepman@binary-kitchen.de"
- "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de"
- "seife@binary-kitchen.de anke@binary-kitchen.de"
- "siebdruck@binary-kitchen.de anke@binary-kitchen.de"
- "therapy-jetzt@binary-kitchen.de darthrain@binary-kitchen.de"
- "toepferwerkstatt@binary-kitchen.de anke@binary-kitchen.de,meet_judith@binary-kitchen.de"
- "vorstand@binary-kitchen.de anke@binary-kitchen.de,christoph@schindlbeck.eu,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
- "vorstand@binary-kitchen.de anti@binary-kitchen.de,avarrish@binary-kitchen.de,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
- "voucher1@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher2@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher3@binary-kitchen.de exxess@binary-kitchen.de"
@ -120,12 +107,7 @@ mail_aliases:
- "voucher10@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher11@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher12@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher13@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher14@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher15@binary-kitchen.de exxess@binary-kitchen.de"
- "workshops@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
- "tickets@eh21.easterhegg.eu orga@eh21.easterhegg.eu"
- "hackzuck@eh21.easterhegg.eu kekskruemml@binary-kitchen.de"
matrix_domain: matrix.binary-kitchen.de
matrix_dbname: matrix
@ -145,14 +127,15 @@ nextcloud_dbname: owncloud
nextcloud_dbuser: owncloud
nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
omm_domain: omm.binary.kitchen
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
pretix_domain: pretix.events.binary-kitchen.de
pretix_domainx: tickets.eh21.easterhegg.eu
pretix_domain: pretix.rc3.binary-kitchen.de
pretix_dbname: pretix
pretix_dbuser: pretix
pretix_dbpass: "{{ vault_pretix_dbpass }}"
pretix_mail: pretix@binary-kitchen.de
pretix_mail: rc3@binary-kitchen.de
prometheus_pve_user: prometheus@pve
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
@ -174,20 +157,4 @@ slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
slapd_root_pass: "{{ vault_slapd_root_pass }}"
slapd_san: ldap.binary.kitchen
sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
sssd_base_user: ou=people,dc=binary-kitchen,dc=de
strichliste_domain: tschunk.binary.kitchen
strichliste_dbname: strichliste
strichliste_dbuser: strichliste
strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
therapy_domain: therapy.jetzt
therapy_secret: "{{ vault_therapy_secret }}"
vaultwarden_domain: vault.binary-kitchen.de
vaultwarden_dbname: vaultwarden
vaultwarden_dbuser: vaultwarden
vaultwarden_dbpass: "{{ vault_vaultwarden_dbpass }}"
vaultwarden_token: "{{ vault_vaultwarden_token }}"
vaultwarden_yubico_secret: "{{ vault_vaultwarden_yubico_secret }}"
workadventure_domain: wa.binary-kitchen.de

191
group_vars/all/vault.yml
View File

@ -1,109 +1,84 @@
$ANSIBLE_VAULT;1.1;AES256
38306162656631353365313637393663316134623036643364383033613731356230663464376264
3335653933643733613462636638396664363762636561300a376538626636303765613633646633
63333534656163663834303039646639646530333532313732643261356262323764616463393832
3137306637306565610a653637626438353766323031336665326231626538323637313763373934
30303332656263623938666235643866343363363139653861343533313431396235333539333432
65613236386434333635636431356236643335316362636530303834353235646337643639333538
31643330393433323739343762323937643064313661643265376330633264316137373363303935
66346134643432666463383333653735626437666137386135353532393638363834346164643335
38393232623130346363636335313866623239373366613864356561636661343537383364373164
66643232393262393536623130653332323663363263323036663662316163326466306334363363
66306365366566326239346537656562363762373165613063376139383363313038373235303062
65326531653635333034653439613563313539633834393562343164613661386532306665663433
32663432656664333063376263346439316265646435623533623337333162656138636139303931
31333561623838393239313761383665663733366461623830343165336538393362353132306335
37396565616435343732626331373735313165333061346435646664376339636438373764643731
66356464316336383834646333656164363535373065643665393435393266363432346239663161
36393336346433326130303264626234613135626538313938663039386133336233373262363566
33386163393936663165643530663865663436663066333231316334306435623966666636633638
38616338316137393831303436653562386265373064373163306133346434616238393966623330
39396237326461643865336364343263343230626362646162623136353235366431626362313030
64633137306231346561353630636533353239373562396665376139303936323836633764616434
35376135656338616139376261366637343433333063343864343362613135343364623265313861
36303565333830323933333864613534626466373033666235626365346531323631386365323835
61613564386466333933613162326431613963333864393362376163313161643165356134343438
38396533363565343233643863343432313165386465303336626337333331646664626262643333
64343438653335663234653466663239616633653162383630666639613738323734646431623264
65343535336637323063366536663433366363626632383536653765373830666235326530636362
35303432333832353366363731643863366134626139623435613336626238303837316433623238
32313930396432333836346364346436613934316136646533633339323736366135316631363132
36623931313137333932313731343936313966653163666261623937363335613035333335356533
34633838333635323464633763383765653266663233643836383135336434376364396164333233
37616438643234336337313965663034646166373436373530386463663961313362326362353437
31313837643535313039653531323765366339373130636565333939643564643533343534376638
63616431643531663765366239326135343531333037366264353961346162633633353237613430
66666433356530633835666139653932383362376334383762373530666630393764643632363331
35316134623064626439633236343938346134383938333832336533373838633466613364653563
64626631303435653339356631323137336538633233393962306531626266353766386162363031
39363961623033323661643136326435643466303332646234396339653833653937666532336138
37646336383963616630333566633537303736656666663635316631383537303035323131393862
33343335386235333632656436356465646235313638313634353631393365366166383133636665
66363463363339646133353831666631366439646364393239346166343062663866373938396637
31386237393065306134653636313933653062353636323963323437663163346366363263313665
32306331623637396664636165663434653630636130306133343736313262303635353661373533
61313466376365303031376336316431636365633736616535623934653562336636363866356266
36336266663562623961396164316266373633383431613564646232643766663733353338623936
38663731363262646334653761666562646433353230613838353233373662313938303533303864
39316630636637343163643637356634383862363330353233653361646261623038303962613561
63373832366661373036383036623563366364636530613063366364323635323937376165376236
39663962643939386561623430623031366632646235366463656533643233613138363461656637
63323236356438303732653834626138623838323764633639373436666635363834303835366466
61306430303831303934316436373136353637373535373664666265313034646630666237636231
39376161653134356365363666633634313065323331633261623961633763313734313735633966
62643031376566343832343638613939333132353466613163386537386239363337323463396135
61393930633138333739626233663432643837643563656662646631306566663437346362613939
31363639323335623038356566323836653865653136383161666461656436313933333032336639
32333166663935656663643461303466343835303732616263626462316133306239383264353263
61313231386262376234316335383334336663326331643733643432366636326561353730623730
37313431623561353266303134313064376236626462316339656339353131363765303734356464
32336435363932353666336132363333303336323135363535666436646233366335376333383531
65363832333534623931326438616237356235626666333934373638373665613738636466383735
30333137303630366661343833663437343664303961313831336461393064643331386336663739
62623838633936323834653965326161343161356334333030616137343637353138353731363762
64623065636336643634333937323636356131373939623130306330313937656566363832663663
66313036393135306437353061303438303761303563633566656131653433663030396235323435
32346663316636373431663530393435313931663535396564363466353431343633613634383332
31326665303563316664356564356535646665653737613038636236323562616231613233633039
37643530653639313466313838343630656363653833613161656466376631653266613439626331
35363930626534346164353033323039636365363234303435636535623265393635313436666234
66623264306430306662303866303735316137383830646136666662346265613662333765656266
64613161316162616133316165623863353431376633366262386239346335306634346333316566
34396265376130306361343862383631653561616333643665353938666565306335653665373736
63626630383232363961393435646334396366663532303132666235646464393662376331333361
34663138336365633131633365336664393633376333316161336138393539333564396539343332
36626664616263353931616362633638323038356230613937386339653633626465326538383265
31646236323435323861666233656437343732343066306562363462363664386234333061396263
61316636323234633631306434363665393938323631363563346166333139633436623230353436
31303831636638666630376231303130343363393339666230363162383266616135336333386334
64313838356466306361383464623037663931353664323336666532316536316362663639353238
34616536613730343834633935646330306564643036306330626636653365653361396461316637
62636264343737333539646332316562316136343734393063313439663939663935313930333061
30343263626638353331336666373964343338343434633639326338633966396131623933346236
37373564623238363935313736313165303862356530613164653562653530316630306365646165
31326630303038396666343065356261616133373832383661393666383664323161633337376665
63393938373830343761326562303730303237393661383561386633383561386437373061396462
65376230643131353462613436316561646562356666376462386136336630636165333236636630
35653164333437383565396637343762646665333734303764623638323532363164653139333937
39313834303531636434366663386435396266663930623733366261656634666531626234386239
62613466313636326238303164666332633632333364636331396264396164646639653761373863
66653761393734643362306538356263353265616330393635343737363666623962346261366134
30393937376265626163376565343364323366383330613832366434313034316164636331653063
65356630663634616465363231666163376437353038303934356561666363333663333239313031
34356463613963633331646364336431333630633737623766623361336432646339373364303661
37656630376137613232306163656430323236306632353837363536376161656365366531313363
32623537303439343438656461363233353931356566323963363662303838666465363464353833
39386230653962373333643135353533323737343265343334316234613736616639613435616165
61373431353463643936613631393461393637356264366665383538653336353535613330376465
65616261666463623236313437656232306164643538653562376539613736303761636531613862
30323532343339343135356431303866333537346233336266363630346562646237646563313331
35393039383436633230653030623637663030393539363163393930616330373166313161346336
38373963393834396133363966636638336161666234346564623761303262366336363061343866
38356238323366613066323264366337393232343331636532666462613263626332376561616334
63373433663562353466353062643965623635643464393238363965636532643439383764626566
33646437333365653563393337343537316437323038313339316135303564376161323863303665
62373564343036333564646565393738306231646537393636356234613639663466636335393031
35623562343566386261376163303939653861623364373433383363316134303236663361613062
37346664386162333130323134616264373237393639376533383036323131633963363665633531
62663533383666613464386638383965346331643837356331326661303034376163373362386134
38353461343233626365
35323963326634353430373361636231303663373264616131356530663738306563303332363762
3436613664633530623163353436323035346463623737390a383665663266313338356361626161
39643939393939333361663434353237633861303032323730336661633663373636326432663135
3430313238313836610a343432396536316462313230656236366363343034383732646163626231
30643132316365613664333834356630666336633635373037326162646538333062363237363465
30303632303339616166323932303865313766316436623232633335613263323437633331346133
64633161383236346536616231333634626466373232366265333062306635663631663565666531
30653633643430356164386364386336323162383164663639323430343239333366306161336365
39663663343037396566366363353461656330353636306162626639663137666136306235656165
66613338623232316336323830303830383364396537633161373032323739316131336431313035
63346662366562656638363961613263363134646131623436316463326265646138323238303437
31363734376333343961356137373764656534363437316633656665616430323231383563633766
30653565373563376664303133653665356264363735333939646339653735633765306261633836
31313465323238316263343166646132356333373033616361333532623564336338373838303536
65333962636161633038353135303466353839663833626530616635666337346161623635383963
66636230393331316239616434613265343139636632396630656630623662306464633162366139
35646332623137643130373738336265623930376165343238626233356235613434636564313939
34636266383536383936313263373538666165633163396635313365616339303264663566316234
65353262313062653061326239363266333637316362366539616136373062313764316330663138
64343337356133643163383864343962623237316230343763653838613738393739343131323835
38623063626531613764356265376230336530326364643635383438363463333931333461393563
37343231366165616666376664653633616332346661383935393435653934336562343531323664
38396233306266623361636566663262393336343434383532393336343533653364666264306463
66393234376137643761396635626337656465383066303863383535636363336463343234363361
61626365633639643237336464653666396131343535636431636438343265663138346631316335
63343136656131653039396539323231663730316134306432613034363635343230353361616338
34303931343866343831623333386533313733613663363565313666353139356265333461336237
34643265623739376565663039343638343839633362303035386562333264333438313835393039
39376266643831343561653832353266313461363738663533383935376234636338343734353731
36396634316561336363633339653566323134306430373536613763303763653764336237633465
39313562373062666566663437386538663733643261656361346364393935613638393464663062
31643035356630363630363532353137626431643366383437663437333761613062363663633832
30663331333036653362646164313134316136663839386464353731303065376634313138656337
34306234303233613136353661643436666538623634323137343861346165333730303430386237
39313762313339356430303934343837336230303231613266643231376634333739353366333139
39393436366339616166393530313862303961353131646163306633386637376634363534363461
31363634653638633334346334613061333234633061343732363330363636656333316366383838
39343234616461656432653836623233343965636432616630313037366535366131393033383063
31343038646162616666613264363738366434613939333536656534336339326537366435383263
66376638376133303136346663386561336239643465376336633665656563666133666165323633
30613032343735653231356663333033653436393331653133646162333531613930316635356533
38663830383463663366393034656638643136383261373332383636333331396639346361376334
32333633316433616664643662636634323038306664663538386330356261323461396264323635
66376133666434363932353762663461333861376139323439653431663638343362326166336133
37396532306135386661353665356562363135656338333261386437376431363663383662303339
30343534393965646231303037366435333238343931393036616364643631333163336331396364
39303766363938383831316531303265383236646334616365613732643134366338366438623266
61346132623333343933373666363937376332653766313463333132626466373763346330613433
37383631656662386164633566376235366465663531383134613139656330313561633030643139
31646264316533303638303939656539663936306465656366303761343335383562366238316332
36623265383739376332393565386436653934316438313631626333343234656564623335386133
64363538396631363538653361373138393637326533386239353532316531376166313265303463
66306637383237303236306264373831636636643766383565326230313165356337633662663832
39666464646365313536633539366330333938643431633136643166336566343137653066343735
38653037346332373139356439656436366339323431626331636538346639303034323231663034
36626536343236326439653665323563326431386462666331386163623232333661613437313865
65363237643266393866363761316534666537616633393863366562666539633761613465616436
30346435363431393261336361333564313537353564333136633866643466353261666430376130
66333765306162666361393133636661393766333733363033663739646633303561623662316231
61653332346361363565343466363339323064313537343537396637343730653563653734313337
38316334376136636365373338313362313836613666643034343964353236313433303330366332
66356562643636353465343133323462313465653434383835636535666135363438653833623836
32636638313635326537336633656162346166303262386232613366366639326338316638656230
65613763353031386537333332363736636236623561323036623864313830316661633362613164
64356161376234666535393961376138656632653266306434343335373734663265383537326234
35636131303133666366326434323832633865626538333864653236343135383636373437303864
38663339666262373063643162343037343537383235326633623165396539633161303862623938
32663433396637643765363837316439363863386162316363633136633232643635363166646534
61366665356238653764623237613861323139366638633432343137336438316237333030613431
37323463636162333231303234383831333138306163643630633335383465313737383832646161
33643637373037666562366536383662663737373962373937633839633933323738366236323361
63663330346436343232616364353261613635646339333062643038363634623561623163643932
65306466363464376336353965633535356437333237666161383465393631333963393030316663
62343564383838383938646338383466383533646539336239323064383565333834396535396634
30616131643463663235636334613165343133646562656537396334623234383734396131643930
66373765333538643661386435666166633438383035663563333339663536663137393162343865
39326463316133343331633137363365653366643439613062633665633132633036333337323935
31393665623938316230653936353966396539353730353364346434646434616636663563336666
32623861363864383430356236396366616361326334656639613061636239306663626435636435
36316135633739313364336634376635303131616239666262613230666165636533613935643664
35356538613062646635336332613635643135396665376439323331386163356631383531376230
36386661326362633833333133356366633264353061356665353131323737303339396333613763
386531643264353562356563663961626139

2
group_vars/auweg
View File

@ -5,8 +5,6 @@ dhcpd_primary: 172.23.13.3
dns_primary: 172.23.13.3
doorlock_domain: lock-auweg.binary.kitchen
name_servers:
- 172.23.13.3

3
host_vars/aeron.binary.kitchen
View File

@ -3,7 +3,4 @@
radius_hostname: radius3.binary.kitchen
slapd_hostname: ldap3.binary.kitchen
slapd_replica_id: 3
slapd_role: slave
unattended_reboot: "false"

6
host_vars/argentum.binary-kitchen.net
View File

@ -1,6 +0,0 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyGAePGA47K+VNFcKdvcQG3xM3ywcnrVtUD7wPrIin1 christoph"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINIhrQu5sf9LYoQ6ll1ShqDMX8xpsV9RUiaSw95JGafH flo@io3"

1
host_vars/aveta.binary.kitchen
View File

@ -3,5 +3,4 @@
radius_hostname: radius2.binary.kitchen
slapd_hostname: ldap2.binary.kitchen
slapd_replica_id: 2
slapd_role: slave

3
host_vars/bacon.binary.kitchen
View File

@ -13,7 +13,4 @@ ntp_peers:
radius_hostname: radius1.binary.kitchen
slapd_hostname: ldap1.binary.kitchen
slapd_replica_id: 1
slapd_role: slave
unattended_reboot: "false"

2
host_vars/beryllium.binary-kitchen.net
View File

@ -1,5 +1,5 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB+wC+Lik9TNbRo40+e2BmJzJY8EuwRiJzKKvGCHlMmagOmZVf+zUmjc1uMvrgoA4UPJyKlkW1HqRhKLmsoccD2wg1JLlnjx6KBhiPGjPt833eWv0CyfJVqoHVPUs14BwCRGzuFZPXh8LC1XWiDlo23RC0RgPpk+wcOzf79ZivYSL4UNMcBIMIKmPlRwBLRUUXjYU2jgv1mWvIQVdKRbwmLk7FajREANKiLj+Tk+D4VmkDq6gUqXZHYbyUauwrtpYSv2JM6YQYhWz+eNXIID1NmlopAf66RwFxAaane6qMUMSCQw3HUBL2BjFGgmmdJPvsEfrj+S1CYh61iC1NHmPhP6DDnQO7aiP6dWLnRXLg4qcUaN0XGNZmhScls/jNbN4U+w6gIlR12KyoCJOK4pXiifBiuqmFGucyETex1jdKoaLPeB8Smu4HkFksmRgTZHbiYVvkgI/iW9KjBBzxCc8cwehabUpQ0DVN4chpFiFNHb3SfCh6W/3IKFcu4ou4lbvVowq+v/M7aDhjSqGEBMS/HRMQ8KteNTngFBcpTzMPBz1RQIOqlWUGp8yqu1SwZ/ZG1nMyUehchfkw/n+ML676UYMCZX2m7hqWXVccCnJLzFApv+0Lzqf3TNSbeLS1N/MDdjg+uejtj1889/leIF1/CnaHIs7WJN1qmdeVGw== anti"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

2
host_vars/bowle.binary.kitchen
View File

@ -5,4 +5,4 @@ nfs_exports:
- /exports/backup/rz 172.23.9.61(rw,sync,no_subtree_check)
- /exports/tank 172.23.0.0/22(rw,sync,no_subtree_check)
unattended_reboot: "false"
uau_reboot: "false"

4
host_vars/fluorine.binary-kitchen.net
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"

5
host_vars/indium.binary-kitchen.net
View File

@ -1,5 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCNBY95YcFFBeiHM3IDzqKT/X/U09bpAWXwkCWIg6KlZumZg891apx6a0HLDannoBt7YCyYFgl3c1eJ36D08tRcy5c5k/+8Xhq0hq/HWo3EV5sd6Y+8xeTRST6Um8nyxHoSI7xw79yRoteOUDIzPnmDtbLQ2z3vWkA/H1EZQ4IjeQgFhl9vl4EyuAJ47Cdlv1D870BDspgAEoxSbipQEEnPsIctdyySp1R/sNC5tuP6qaoQ6nIDFdgv5rcY8SmgJQ2otlGex18RSBObBjdfyepV71mluqfs6HtVsM9zDvRUwY/FX4wmVc4QPdPLh/2kzEZi0YzefB10tpsuvhaOFI8JqXBDuSFZh3xCzRmKRlmqn50jrvGkYGUWg/GNYNF2rLCltCzg3BJHGaFh9sOtjaKLW+hTJwDtz4LIqNZb6w/2586hzjGCrrZgN24eLEcdp7iTPnkCul+kgOZaa62ytdKjza6/tgKCeUaEwmJTBuKMp/hor/LdLeibYgTtqUoFB7j1Ti2ey7oHly1oiSaKcR/hChgx0sniltRmzJI7KLuUiF+xkpv5Kf4rGl7UjvVxyf3glNh5DL87CfeWkGF3dgsjJdfYIHVJz/Bf6x0aB2TyybF8Exm0R05dhMT6ahZqMqa5d/aUZN+S3MaXw2amHWbMe8VcFpu/AztqrQM8sM+Mw== sprinterfreak"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

1
host_vars/krypton.binary-kitchen.net
View File

@ -2,4 +2,3 @@
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

11
host_vars/lasagne.binary.kitchen
View File

@ -1,11 +0,0 @@
---
root_keys_host:
- "# Thomas Basler"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
- "# Ralf Ramsauer"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
unattended_reboot: "false"

5
host_vars/lock-auweg.binary.kitchen
View File

@ -1,5 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAkXY3fQFMG7LkTBWtBNY7q7RCwb/R4Z8Y96e3pToddfXbtmtVxMZfd6hC+3kGt3NnPYDFmZf/RXblNBPwL/n8bEjA0bmfU60LMjFT0mG99bLU+5CgDxaSf34jzgtzLbHKqeSYxNpXNebbDZRw+cxuDjxJ+lYbc/hNQTy6hqKXUSQ25LAqplKVYbxlPWPxxKnJCvWj2pCdJGj1EK/Y+saafNOhA7uEPNt8HtWWNMhxNi+P9OkkLpYqRM8V0miR7aAYOY+RllMn+H5DIJg2gk319AHhlBDP7NXd/tmWg+bI7xYPDe9Q6gMrV8OnQmuNjWsLNhp8ktwQxpsv71t6ztXLpceIkV9yfDSeBpZG5QnsMOy/ua91S6hmMg4bIEBsqkPUYEwEIDFaV0TrlKeXMkU+ovthZnw0CWgV5KEWDHtuGu8nBBpks/geclh+0yqeFEaacnlTTNEhvCcp7vOsqDJnZSn1L4O6C+u/A4NJGRH7XQMWrXBdeTVIT9KLsdZJsoPIH8BRaw/qOYPY6wZzHcLvrsayUBBiiLDIN1lE/3OV70dKX7F0Q7hyl8o9EoGdEYnGBonWGC58hroiAE4FTVdWLKtHzHSG2AdTWf53sJzGVEh5swm44KD/Dh52bE4YjUxC0b68Twb3/L1QpH8KZNUVEcRNmiRshefMPSXbPv3bNzc= 20170818Tobias@Teubl.de"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

3
host_vars/magnesium.binary-kitchen.net
View File

@ -1,3 +0,0 @@
---
acertmgr_mode: standalone

1
host_vars/molybdenum.binary-kitchen.net
View File

@ -4,4 +4,3 @@ grafana_domain: zelle.binary-kitchen.de
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

3
host_vars/oxygen.binary-kitchen.net
View File

@ -1,4 +1,3 @@
---
sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
sshd_password_authentication: "yes"
uau_reboot: "false"

4
host_vars/pancake.binary.kitchen
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

5
host_vars/pizza.binary.kitchen
View File

@ -4,8 +4,9 @@ root_keys_host:
- "# Thomas Basler"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
- "# Ralf Ramsauer"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2bKOm2jd2QsPaJPE4V3bHBLjXB3pnpggkdEhf03aFvB08C72vKQcHpIYNhp8DLBr4N5epA0JP1cXdRSdKhQgzYbqL8CQgOJoNwf0OeOhFyXdThu1OqmaRMrRGlB/Q+sqBEXaknHqcXzq+24zkR+ID7sGkq7WaIKPln0qNY5RxWYrPE98ZhU5fZh1Qorcv34UBHYhVP4y8vM43LHcbkLgr0gg9tb2vItF6YvyIxgtz6KCODObzBZfkLLnVhVcb9VWbDh72rIz4OXI1fl+mCCH2l7XlqKP1vhF5LVsUjPcGY3Go0fw2vHIyxWe479OJ/9elFnKRIUY/f1Xz+YikLTmj ralf@YUBIKEY"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
unattended_reboot: "false"
uau_reboot: "false"

4
host_vars/rhodium.binary-kitchen.net
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

4
host_vars/ruthenium.binary-kitchen.net
View File

@ -2,6 +2,6 @@
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
unattended_reboot: "false"
uau_reboot: "false"

4
host_vars/schweinshaxn.binary.kitchen
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

4
host_vars/strontium.binary-kitchen.net Normal file
View File

@ -0,0 +1,4 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkN1eqP1Mv29z0npVznVJ4Cumyf4EoqS44xHKl0ms0e timo@charon"

4
host_vars/sulis.binary.kitchen
View File

@ -1,4 +0,0 @@
---
sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
sshd_password_authentication: "yes"

3
host_vars/technetium.binary-kitchen.net
View File

@ -1,5 +1,4 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBMLLlnlzbf5GTes2QrxuOTAR0BWTtbqQS80yPfI0mbh timo@styx"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7oyUa65KoSuv9l8tH/zVgZZ5mg5P45RIhlRZSt/amL x70b1"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcoIXTF0RtzM2vDir8axegFpLKNxGJyYNLj2triQm59GIvNRPHG/nBoaDcUwRT5b6Ew91KMw6iT1eI0n9oKbTMHZHvdSLLUmNmZT4z4JQOQm0n415ZW9m1r3R3S8sAxiLQ+5U91xnbHlzfuBKvpI56RLZNbkhAcqw9kS/UasO0UAFpdGL5CBnbJt0KPb4C9cYUM6H4clZFpWVDdK3+6gh+/Jx9QPmpPv0wfWI7z0fvQYUcXDFLjPh8CFK7BOcPZcv4V4bl5Tq1dTURMLaueTD0F5Ygn7cxKaDNvql4EIPDZaRCEz3cIvFB7435emRgZC54YmhWIYC+oJrLTlMCrYKhISLtWg92EcE/aCUNL0V+n1EK5dkds+AY/eDiyP58ArAHNsopXmcHiko3goyZyEK5Y0tJ5sA9L4Q0mgLz/rW1CsZHcpiYU9yKpDRscbf3DDlFMzMYG8O9JufgcyF+GFhxIhXesfjJ4gDNepaYhd/qutwThip027cKtoczLAMR2xbT6bUYr7KKmxvXVlP7Epkfi3N2cj/Wx9gAm1qIs1yjcWCe71k1QMC+dTNTV+T9Ch5d1lji7lGOKDl70rB/WytdISVlEJr8TviBk27oldCuC1WCPGjRxWeGv5uVxE9O7nQh0dxox+HFssa7ENuDR9LEd9O6Zvuf09pzDASB0PjFyw== bedah@binary-kitchen.de"

7
host_vars/tschunk.binary.kitchen
View File

@ -1,7 +0,0 @@
---
root_keys_host:
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
unattended_reboot: "true"

5
host_vars/yttrium.binary-kitchen.net
View File

@ -1,6 +1,5 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDetxImx0c/Fald9Y2wIHNJCi356rfskVUBT/SGH64N1HVZGBZhlWkeKJkCCufm3jLXdjJrlFDFlP0EjbohR6SP3VVf8Z7zAoazCtxWq0dyjPDvOjUrIuBeILbXZu0Q+qmFHPwvp5vR2wWFUwNLl1Te3CNSzQnn2KxOXfeZ56cDogzonlxh5JXDd0JWpINAuLp7uR6IshfmEMKsyCGjqzMUJ9YCztzkI9TJYDc4xitmQTvea44hRhyeIRf2ip8YlHnEIpJ9i712CQ5UEHBZUfy2gZwoLW0yYy9HJucF2A5gzvoUQ1wjA9/irlGiabKq6rOyT4ezBSoZZLEBIa6GU4qKMc1rE4Hnifi0AUnQ+4MqrCCu2QTJGNvyYzNt2XtkjakN3gtlz5xCsYV08PEB4VjAFVIa1yku66UblAW5KqixfE4mU7Z29b8faF5Ld7XO1tlNgiuHih7+JoQiwJ+auULYwRX1C2v6fAEU3PGU73VT3TZJTa5IS+fkTWzn643atxklP6Lmo8hrZIS0NXIr22OP1zYuCZm5/JLDhe0qOCYd8YQU2dNww4OUZ1uMLNOM+0UJvCHbWdjw8amR58yO5W83xp0qLHGUFjDpgvuP4ius4gvwjlhFdSVYRGwr2intLitXvOf3btjBJKUDIN0VM4MFzkvyUyCOgBgEkdCBvI7g4w== philmacfly"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8MB80WTE9ZW/mGRdPWjkpiupvoSGVnmK9wvOqm6xpwDwZkD52RGfiWQW2IbJObCLGJxoigSi4lVvrJD6MWjXAsj5Foq1H3Ok+xJET2zfWMf4s/0uStSS9kaJ/gI6Qd5jMsnz1xATTInWAHIK7u3I4trt81FWkXQdfRSNC0mPh/PYBsXzwgx/m5s3o1nUtcIBXFZUeGNnhSSf1As0Wi0Bsv3GXIIDH4b4cIi7aGHqGuaes2cTUW1r0RspUVI139Gx2O4mgv4JE/n61t/4AzfYGoaszoqPCHQt5LR8Wd/XIaPLwnM1kzo4QVqNgqkY/awryt9IPoAFqJBbIvP0Bt3irGOPrdl7e7KcV55a9gPpCmz+bVaQO2oBmQ34AsZFg9tCP26OmViQu0Lx14vWWYDFkxzCxCDDngo6+f+e5AsyAjO2pHz/ZKv/VE5P3y8CnadHG88cO0qeoI6VH4jjGk5GYYrVD4BHf8StlvAg8unwMlYchuvaKLtQyQXFW40ww4VDdPo6KSv5T5a6SozEzRtN2QKRLyxIz68xVnKYq4TanR2lsm6wecUSriV48qscglokcTKJspWD29DQ62dMt5xFDtM8i9dE8W3SUePB8qPTBK9LUrO8PkGjb0X/RgMZB5bCWBmz4I1G1X+9Y8OLpr4NKGP9UFntYtJ3tpMCHtPgf4Q== philmacfly"

11
hosts
View File

@ -8,16 +8,12 @@ epona.binary.kitchen ansible_host=172.23.2.7
pizza.binary.kitchen ansible_host=172.23.2.33
pancake.binary.kitchen ansible_host=172.23.2.34
knoedel.binary.kitchen ansible_host=172.23.2.35
schweinshaxn.binary.kitchen ansible_host=172.23.2.36
bob.binary.kitchen ansible_host=172.23.2.37
lasagne.binary.kitchen ansible_host=172.23.2.38
tschunk.binary.kitchen ansible_host=172.23.2.39
bowle.binary.kitchen ansible_host=172.23.2.62
salat.binary.kitchen ansible_host=172.23.9.61
[auweg]
weizen.binary.kitchen ansible_host=172.23.12.61
aeron.binary.kitchen ansible_host=172.23.13.3
lock-auweg.binary.kitchen ansible_host=172.23.13.12
weizen.binary.kitchen ansible_host=172.23.12.61
[fan_rz]
helium.binary-kitchen.net
lithium.binary-kitchen.net
@ -29,13 +25,10 @@ oxygen.binary-kitchen.net
fluorine.binary-kitchen.net
neon.binary-kitchen.net
sodium.binary-kitchen.net
magnesium.binary-kitchen.net
aluminium.binary-kitchen.net
krypton.binary-kitchen.net
yttrium.binary-kitchen.net
zirconium.binary-kitchen.net
molybdenum.binary-kitchen.net
ruthenium.binary-kitchen.net
rhodium.binary-kitchen.net
argentum.binary-kitchen.net
cadmium.binary-kitchen.net
barium.binary-kitchen.net

49
roles/23b/tasks/main.yml
View File

@ -1,49 +0,0 @@
---
- name: Install packages
apt:
name:
- docker-compose
- name: Create 23b group
group: name=23b
- name: Create 23b user
user:
name: 23b
home: /opt/23b
shell: /bin/bash
group: 23b
groups: docker
# docker-compolse.yml is managed outside ansible
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ bk23b_domain }}.key -out /etc/nginx/ssl/{{ bk23b_domain }}.crt -days 730 -subj "/CN={{ bk23b_domain }}" creates=/etc/nginx/ssl/{{ bk23b_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for 23b
template: src=certs.j2 dest=/etc/acertmgr/{{ bk23b_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/23b
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/23b dest=/etc/nginx/sites-enabled/23b state=link
notify: Restart nginx
- name: Systemd unit for 23b
template: src=23b.service.j2 dest=/etc/systemd/system/23b.service
notify:
- Reload systemd
- Restart 23b
- name: Start the 23b service
service: name=23b state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ bk23b_domain }}"

36
roles/23b/templates/vhost.j2
View File

@ -1,36 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name {{ bk23b_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ bk23b_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ bk23b_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ bk23b_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ bk23b_domain }}.crt;
# set max upload size
client_max_body_size 8M;
location / {
proxy_pass http://localhost:5000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

7
roles/act_runner/defaults/main.yml
View File

@ -1,7 +0,0 @@
---
actrunner_user: act_runner
actrunner_group: act_runner
actrunner_version: 0.2.10
actrunner_url: https://gitea.com/gitea/act_runner/releases/download/v{{ actrunner_version }}/act_runner-{{ actrunner_version }}-linux-amd64

7
roles/act_runner/handlers/main.yml
View File

@ -1,7 +0,0 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart act_runner
service: name=act_runner state=restarted

35
roles/act_runner/tasks/main.yml
View File

@ -1,35 +0,0 @@
---
- name: Create group
group: name={{ actrunner_group }}
- name: Create user
user: name={{ actrunner_user }} home=/var/lib/act_runner group={{ actrunner_group }} groups=docker
- name: Create directories
file: path={{ item }} state=directory owner={{ actrunner_user }} group={{ actrunner_group }}
with_items:
- /etc/act_runner
- /var/lib/act_runner
- name: Download act_runner binary
get_url: url={{ actrunner_url }} dest=/usr/local/bin/act_runner-{{ actrunner_version }} mode=0755
register: runner_download
- name: Symlink act_runner binary
file: src=/usr/local/bin/act_runner-{{ actrunner_version }} dest=/usr/local/bin/act_runner state=link
when: runner_download.changed
notify: Restart act_runner
- name: Configure act_runner
template: src=config.yaml.j2 dest=/etc/act_runner/config.yaml owner={{ actrunner_user }} group={{ actrunner_group }}
notify: Restart act_runner
- name: Install systemd unit
template: src=act_runner.service.j2 dest=/lib/systemd/system/act_runner.service
notify:
- Reload systemd
- Restart act_runner
- name: Enable act_runner
service: name=act_runner state=started enabled=yes

16
roles/act_runner/templates/act_runner.service.j2
View File

@ -1,16 +0,0 @@
[Unit]
Description=Gitea Actions runner
Documentation=https://gitea.com/gitea/act_runner
After=docker.service
[Service]
ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
ExecReload=/bin/kill -s HUP $MAINPID
WorkingDirectory=/var/lib/act_runner
TimeoutSec=0
RestartSec=10
Restart=always
User={{ actrunner_user }}
[Install]
WantedBy=multi-user.target

86
roles/act_runner/templates/config.yaml.j2
View File

@ -1,86 +0,0 @@
log:
# The level of logging, can be trace, debug, info, warn, error, fatal
level: warn
runner:
# Where to store the registration result.
file: .runner
# Execute how many tasks concurrently at the same time.
capacity: 4
# Extra environment variables to run jobs.
envs:
# Extra environment variables to run jobs from a file.
# It will be ignored if it's empty or the file doesn't exist.
env_file: .env
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 3h
# Whether skip verifying the TLS certificate of the Gitea instance.
insecure: false
# The timeout for fetching the job from the Gitea instance.
fetch_timeout: 5s
# The interval for fetching the job from the Gitea instance.
fetch_interval: 2s
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
# Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
# If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `deamon`, will use labels in `.runner` file.
labels: [
"ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest",
"ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04",
"ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04",
]
cache:
# Enable cache server to use actions/cache.
enabled: true
# The directory to store the cache data.
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
dir: ""
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
host: ""
# The port of the cache server.
# 0 means to use a random available port.
port: 0
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
external_server: ""
container:
# Specifies the network to which the container will connect.
# Could be host, bridge or the name of a custom network.
# If it's empty, act_runner will create a network automatically.
network: ""
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: false
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options:
# The parent directory of a job's working directory.
# If it's empty, /workspace will be used.
workdir_parent:
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes: []
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: ""
# Pull docker image(s) even if already present
force_pull: false
host:
# The parent directory of a job's working directory.
# If it's empty, $HOME/.cache/act/ will be used.
workdir_parent:

3
roles/authentik/defaults/main.yml
View File

@ -1,3 +0,0 @@
---
authentik_version: 2024.12.1

16
roles/authentik/handlers/main.yml
View File

@ -1,16 +0,0 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart authentik
service: name=authentik state=restarted
- name: Restart authentik-reload
service: name=authentik-reload state=restarted
- name: Restart nginx
service: name=nginx state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

63
roles/authentik/tasks/main.yml
View File

@ -1,63 +0,0 @@
---
- name: Install packages
apt:
name:
- docker-compose
- name: Create authentik group
group: name=authentik
- name: Create authentik user
user:
name: authentik
home: /opt/authentik
shell: /bin/bash
group: authentik
groups: docker
- name: Configure authentik container
template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml
notify: Restart authentik
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ authentik_domain }}.key -out /etc/nginx/ssl/{{ authentik_domain }}.crt -days 730 -subj "/CN={{ authentik_domain }}" creates=/etc/nginx/ssl/{{ authentik_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for authentik
template: src=certs.j2 dest=/etc/acertmgr/{{ authentik_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/authentik
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/authentik dest=/etc/nginx/sites-enabled/authentik state=link
notify: Restart nginx
- name: Systemd unit for authentik
template: src=authentik.service.j2 dest=/etc/systemd/system/authentik.service
notify:
- Reload systemd
- Restart authentik
- name: Systemd unit for authentik-reload
template: src=authentik-reload.{{ item }}.j2 dest=/etc/systemd/system/authentik-reload.{{ item }}
with_items:
- "service"
- "timer"
notify:
- Reload systemd
- Restart authentik-reload
- name: Start the authentik service
service: name=authentik state=started enabled=yes
- name: Enable auto update timer
service: name=authentik-reload.timer state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ authentik_domain }}"

7
roles/authentik/templates/authentik-reload.service.j2
View File

@ -1,7 +0,0 @@
[Unit]
Description=Refresh authentik images
[Service]
Type=oneshot
ExecStart=/bin/systemctl reload-or-restart authentik.service

10
roles/authentik/templates/authentik-reload.timer.j2
View File

@ -1,10 +0,0 @@
[Unit]
Description=Refresh authentik images
Requires=authentik.service
After=authentik.service
[Timer]
OnCalendar=*:0/15
[Install]
WantedBy=timers.target

32
roles/authentik/templates/authentik.service.j2
View File

@ -1,32 +0,0 @@
[Unit]
Description=authentik service using docker compose
Requires=docker.service
After=docker.service
Before=nginx.service
[Service]
Type=simple
User=authentik
Group=authentik
Restart=always
TimeoutStartSec=1200
WorkingDirectory=/opt/authentik
# Update images
ExecStartPre=-/usr/bin/docker-compose pull --quiet
# Compose up
ExecStart=/usr/bin/docker-compose up
# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker-compose down -v
# Refresh on reload
ExecReload=-/usr/bin/docker-compose pull --quiet
ExecReload=/usr/bin/docker-compose up -d
[Install]
WantedBy=multi-user.target

15
roles/authentik/templates/certs.j2
View File

@ -1,15 +0,0 @@
---
{{ authentik_domain }}:
- path: /etc/nginx/ssl/{{ authentik_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ authentik_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'

79
roles/authentik/templates/docker-compose.yml.j2
View File

@ -1,79 +0,0 @@
---
version: "3.4"
services:
postgresql:
image: docker.io/library/postgres:16-alpine
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- ./database:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: {{ authentik_dbpass }}
POSTGRES_USER: {{ authentik_dbuser }}
POSTGRES_DB: {{ authentik_dbname }}
redis:
image: docker.io/library/redis:alpine
command: --save 60 1 --loglevel warning
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
- ./redis:/data
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:{{ authentik_version }}
restart: unless-stopped
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
volumes:
- ./media:/media
- ./custom-templates:/templates
ports:
- "127.0.0.1:9000:9000"
depends_on:
postgresql:
condition: service_healthy
redis:
condition: service_healthy
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:{{ authentik_version }}
restart: unless-stopped
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
# `user: root` and the docker socket volume are optional.
# See more for the docker socket integration here:
# https://goauthentik.io/docs/outposts/integrations/docker
# Removing `user: root` also prevents the worker from fixing the permissions
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
# (1000:1000 by default)
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./media:/media
- ./certs:/certs
- ./custom-templates:/templates
depends_on:
postgresql:
condition: service_healthy
redis:
condition: service_healthy

41
roles/authentik/templates/vhost.j2
View File

@ -1,41 +0,0 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
server_name {{ authentik_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ authentik_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ authentik_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ authentik_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ authentik_domain }}.crt;
location / {
proxy_pass http://localhost:9000;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}

2
roles/bk_dss/defaults/main.yml
View File

@ -1,4 +1,4 @@
---
dss_uwsgi_port: 5001
dss_version: 0.8.5
dss_version: 0.8.4

5
roles/bk_dss/tasks/main.yml
View File

@ -44,8 +44,3 @@
- name: Enable vhosts
file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
notify: Restart nginx
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ dss_domain }}"

6
roles/bk_dss/templates/config.cfg.j2
View File

@ -1,14 +1,12 @@
DEBUG = True
REMEMBER_COOKIE_SECURE = True
SECRET_KEY = "{{ dss_secret }}"
SESSION_COOKIE_SECURE = True
SESSION_TIMEOUT = 3600
LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
LDAP_URI = "{{ ldap_uri }}"
LDAP_BASE = "{{ ldap_base }}"
ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=anke,ou=people,dc=binary-kitchen,dc=de", "cn=toffy,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=marove,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
@ -30,7 +28,7 @@ USER_ATTRS = {
'userPassword' : '{pass}'
}
GROUP_FILTER = "(objectClass=posixGroup)"
GROUP_DN = 'cn=members,ou=groups,dc=binary-kitchen,dc=de'
REDIS_HOST = "127.0.0.1"
REDIS_PASSWD = None

5
roles/common/defaults/main.yml
View File

@ -6,8 +6,3 @@ logrotate_excludes:
- "/etc/logrotate.d/dbconfig-common"
- "/etc/logrotate.d/btmp"
- "/etc/logrotate.d/wtmp"
sshd_password_authentication: "no"
sshd_permit_root_login: "prohibit-password"
unattended_reboot: "true"

4261
roles/common/files/.zshrc
View File

File diff suppressed because it is too large Load Diff

3
roles/common/handlers/main.yml
View File

@ -6,9 +6,6 @@
- name: Restart journald
service: name=systemd-journald state=restarted
- name: Restart sshd
service: name=sshd state=restarted
- name: update-grub
command: update-grub

19
roles/common/tasks/Debian.yml
View File

@ -4,9 +4,7 @@
apt:
name:
- apt-transport-https
- debian-goodies
- dnsutils
- fdisk
- gnupg2
- htop
- less
@ -16,9 +14,7 @@
- pydf
- rsync
- sudo
- unattended-upgrades
- vim-nox
- wget
- zsh
- name: Install software on KVM VMs
@ -28,12 +24,6 @@
- qemu-guest-agent
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
- name: Configure unattended upgrades
template: src={{ item }}.j2 dest=/etc/apt/apt.conf.d/{{ item }}
with_items:
- 02periodic
- 50unattended-upgrades
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
@ -111,12 +101,3 @@
regexp: "rotate [0-9]+"
replace: "rotate 7"
loop: "{{ logrotateconfigpaths }}"
- name: Configure sshd
template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: '0644'
notify: Restart sshd

1
roles/common/tasks/Proxmox.yml
View File

@ -9,7 +9,6 @@
- less
- rsync
- vim-nox
- wget
- zsh
- name: Configure misc software

3
roles/common/tasks/chrony.yml
View File

@ -6,6 +6,3 @@
- name: Configure chrony
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
notify: Restart chrony
- name: Start chrony
service: name=chrony state=started enabled=yes

8
roles/common/templates/chrony.conf.j2
View File

@ -1,9 +1,6 @@
# Welcome to the chrony configuration file. See chrony.conf(5) for more
# information about usable directives.
# Include configuration files found in /etc/chrony/conf.d.
confdir /etc/chrony/conf.d
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
@ -26,9 +23,6 @@ keyfile /etc/chrony/chrony.keys
# information.
driftfile /var/lib/chrony/chrony.drift
# Save NTS keys and cookies.
ntsdumpdir /var/lib/chrony
# Uncomment the following line to turn logging on.
#log tracking measurements statistics
@ -39,7 +33,7 @@ logdir /var/log/chrony
maxupdateskew 100.0
# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
# real-time clock. Note that it cant be used along with the 'rtcfile' directive.
rtcsync
# Step the system clock instead of slewing it if the adjustment is larger than

131
roles/common/templates/sshd_config.j2
View File

@ -1,131 +0,0 @@
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin {{ sshd_permit_root_login }}
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
{% if sshd_authkeys_command is defined and sshd_authkeys_command %}
AuthorizedKeysCommand {{ sshd_authkeys_command }}
{% if sshd_authkeys_user is defined and sshd_authkeys_user %}
AuthorizedKeysCommandUser {{ sshd_authkeys_user }}
{% else %}
AuthorizedKeysCommandUser nobody
{% endif %}
{% else %}
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
{% endif %}
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication {{ sshd_password_authentication }}
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

6
roles/coturn/handlers/main.yml
View File

@ -1,10 +1,4 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart coturn
service: name=coturn state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

4
roles/coturn/meta/main.yml
View File

@ -1,4 +0,0 @@
---
dependencies:
- { role: acertmgr }

22
roles/coturn/tasks/main.yml
View File

@ -3,28 +3,6 @@
- name: Install coturn
apt: name=coturn
- name: Create coturn service override directory
file: path=/etc/systemd/system/coturn.service.d state=directory
- name: Configure coturn service override
template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
notify:
- Reload systemd
- Restart coturn
- name: Create gitea directories
file: path={{ item }} state=directory owner=turnserver
with_items:
- /etc/turnserver
- /etc/turnserver/certs
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
notify: Run acertmgr
- name: Configure coturn
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:

15
roles/coturn/templates/certs.j2
View File

@ -1,15 +0,0 @@
---
{{ coturn_realm }}:
- path: /etc/turnserver/certs/{{ coturn_realm }}.key
user: turnserver
group: turnserver
perm: '400'
format: key
action: '/usr/sbin/service coturn restart'
- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
user: turnserver
group: turnserver
perm: '400'
format: crt,ca
action: '/usr/sbin/service coturn restart'

2
roles/coturn/templates/coturn.override.j2
View File

@ -1,2 +0,0 @@
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE

21
roles/coturn/templates/turnserver.conf.j2
View File

@ -15,7 +15,7 @@
# Note: actually, TLS & DTLS sessions can connect to the
# "plain" TCP & UDP port(s), too - if allowed by configuration.
#
listening-port=443
#listening-port=3478
# TURN listener port for TLS (Default: 5349).
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
@ -27,7 +27,7 @@ listening-port=443
# TLS version 1.0, 1.1 and 1.2.
# For secure UDP connections, Coturn supports DTLS version 1.
#
tls-listening-port=443
#tls-listening-port=5349
# Alternative listening port for UDP and TCP listeners;
# default (or zero) value means "listening port plus one".
@ -125,10 +125,7 @@ tls-listening-port=443
#
# By default, this value is empty, and no address mapping is used.
#
external-ip={{ ansible_default_ipv4.address }}
{% if ansible_default_ipv6.address is defined %}
external-ip={{ ansible_default_ipv6.address }}
{% endif %}
#external-ip=60.70.80.91
#
#OR:
#
@ -402,17 +399,17 @@ realm={{ coturn_realm }}
# Uncomment if no TCP client listener is desired.
# By default TCP client listener is always started.
#
#no-tcp
no-tcp
# Uncomment if no TLS client listener is desired.
# By default TLS client listener is always started.
#
#no-tls
no-tls
# Uncomment if no DTLS client listener is desired.
# By default DTLS client listener is always started.
#
#no-dtls
no-dtls
# Uncomment if no UDP relay endpoints are allowed.
# By default UDP relay endpoints are enabled (like in RFC 5766).
@ -749,6 +746,6 @@ mobility
# Do not allow an TLS/DTLS version of protocol
#
#no-tlsv1
#no-tlsv1_1
#no-tlsv1_2
no-tlsv1
no-tlsv1_1
no-tlsv1_2

4
roles/dhcpd/handlers/main.yml Normal file
View File

@ -0,0 +1,4 @@
---
- name: Restart isc-dhcp-server
service: name=isc-dhcp-server state=restarted

14
roles/dhcpd/tasks/main.yml Normal file
View File

@ -0,0 +1,14 @@
---
- name: Install dhcp server
apt: name=isc-dhcp-server
- name: Configure dhcp server
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:
- default/isc-dhcp-server
- dhcp/dhcpd.conf
notify: Restart isc-dhcp-server
- name: Start the dhcp server
service: name=isc-dhcp-server state=started enabled=yes

21
roles/dhcpd/templates/default/isc-dhcp-server.j2 Normal file
View File

@ -0,0 +1,21 @@
#
# This is a POSIX shell fragment
#
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="{{ ansible_default_ipv4['interface'] }}"
INTERFACESv6=""
INTERFACES="{{ ansible_default_ipv4['interface'] }}"

320
roles/dhcpd/templates/dhcp/dhcpd.conf.j2 Normal file
View File

@ -0,0 +1,320 @@
# dhcpd.conf
# option definitions common to all supported networks...
option domain-name "binary.kitchen";
option domain-name-servers {{ name_servers | join(', ') }};
option domain-search "binary.kitchen";
option ntp-servers 172.23.1.60, 172.23.2.3;
# options related to Mitel SIP-DECT
option space sipdect;
option local-encapsulation code 43 = encapsulate sipdect;
option sipdect.ommip1 code 10 = ip-address;
option sipdect.ommip2 code 19 = ip-address;
option sipdect.syslogip code 14 = ip-address;
option sipdect.syslogport code 15 = integer 16;
option magic_str code 224 = text;
default-lease-time 7200;
max-lease-time 28800;
# Use this to enble / disable dynamic dns updates globally.
ddns-update-style interim;
ddns-updates on;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
{% if dhcpd_failover == true %}
# Failover
failover peer "failover-partner" {
{% if ansible_default_ipv4.address == dhcpd_primary %}
primary;
address {{ dhcpd_primary }};
peer address {{ dhcpd_secondary }};
{% elif ansible_default_ipv4.address == dhcpd_secondary %}
secondary;
address {{ dhcpd_secondary }};
peer address {{ dhcpd_primary }};
{% endif %}
port 520;
peer port 520;
max-response-delay 60;
max-unacked-updates 10;
{% if ansible_default_ipv4.address == dhcpd_primary %}
mclt 600;
split 255;
{% endif %}
load balance max seconds 3;
}
{% endif %}
# Binary Kitchen subnets
# Management
subnet 172.23.1.0 netmask 255.255.255.0 {
option routers 172.23.1.1;
}
# Services
subnet 172.23.2.0 netmask 255.255.255.0 {
allow bootp;
option routers 172.23.2.1;
}
# Users
subnet 172.23.3.0 netmask 255.255.255.0 {
option routers 172.23.3.1;
ddns-domainname "users.binary.kitchen";
option domain-search "binary.kitchen", "users.binary.kitchen";
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.3.10 172.23.3.230;
}
}
# MQTT
subnet 172.23.4.0 netmask 255.255.255.0 {
option routers 172.23.4.1;
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.4.10 172.23.4.240;
}
}
# Management Auweg
subnet 172.23.12.0 netmask 255.255.255.0 {
option routers 172.23.12.1;
}
# Services Auweg
subnet 172.23.13.0 netmask 255.255.255.0 {
allow bootp;
option routers 172.23.13.1;
}
# Users Auweg
subnet 172.23.14.0 netmask 255.255.255.0 {
option routers 172.23.14.1;
ddns-domainname "users.binary.kitchen";
option domain-search "binary.kitchen", "users.binary.kitchen";
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.14.10 172.23.14.230;
}
}
# MQTT Auweg
subnet 172.23.15.0 netmask 255.255.255.0 {
option routers 172.23.4.1;
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.15.10 172.23.15.240;
}
}
# DDNS zones
zone users.binary.kitchen {
primary {{ dns_primary }};
}
# Fixed IPs
host ap01 {
hardware ethernet 44:48:c1:ce:a9:00;
fixed-address ap01.binary.kitchen;
}
host ap04 {
hardware ethernet 44:48:c1:ce:90:06;
fixed-address ap04.binary.kitchen;
}
host ap05 {
hardware ethernet bc:9f:e4:c3:6f:aa;
fixed-address ap05.binary.kitchen;
}
host ap06 {
hardware ethernet 94:b4:0f:c0:1d:a0;
fixed-address ap06.binary.kitchen;
}
host ap11 {
hardware ethernet 18:64:72:c6:c2:0c;
fixed-address ap11.binary.kitchen;
}
host ap12 {
hardware ethernet 18:64:72:c6:c4:98;
fixed-address ap12.binary.kitchen;
}
host bowle {
hardware ethernet ac:1f:6b:25:16:b6;
fixed-address bowle.binary.kitchen;
}
host cannelloni {
hardware ethernet b8:27:eb:18:5c:11;
fixed-address cannelloni.binary.kitchen;
}
host fusilli {
hardware ethernet b8:27:eb:1d:b9:bf;
fixed-address fusilli.binary.kitchen;
}
host habdisplay1 {
hardware ethernet b8:27:eb:b6:62:be;
fixed-address habdisplay1.mqtt.binary.kitchen;
}
host habdisplay2 {
hardware ethernet b8:27:eb:df:0b:7b;
fixed-address habdisplay2.mqtt.binary.kitchen;
}
host klopi {
hardware ethernet 74:da:38:6e:e6:9d;
fixed-address klopi.binary.kitchen;
}
host lock {
hardware ethernet b8:27:eb:d8:b9:ad;
fixed-address lock.binary.kitchen;
}
host maccaroni {
hardware ethernet b8:27:eb:f5:9e:a1;
fixed-address maccaroni.binary.kitchen;
}
host matrix {
hardware ethernet b8:27:eb:ed:22:58;
fixed-address matrix.binary.kitchen;
}
host mirror {
hardware ethernet 74:da:38:7d:ed:84;
fixed-address mirror.binary.kitchen;
}
host mpcnc {
hardware ethernet b8:27:eb:0f:d3:8b;
fixed-address mpcnc.binary.kitchen;
}
host noodlehub {
hardware ethernet b8:27:eb:56:2b:7c;
fixed-address noodlehub.binary.kitchen;
}
host openhabgw1 {
hardware ethernet dc:a6:32:bf:e2:3e;
fixed-address openhabgw1.mqtt.binary.kitchen;
}
host pizza {
hardware ethernet 52:54:00:17:02:21;
fixed-address pizza.binary.kitchen;
}
host spaghetti {
hardware ethernet b8:27:eb:eb:e5:88;
fixed-address spaghetti.binary.kitchen;
}
host schweinshaxn {
hardware ethernet 52:54:00:17:02:24;
fixed-address schweinshaxn.binary.kitchen;
}
host strammermax {
hardware ethernet 08:00:37:B8:55:44;
fixed-address strammermax.binary.kitchen;
}
host obatzda {
hardware ethernet ec:9a:74:35:35:cf;
fixed-address obatzda.binary.kitchen;
}
# VoIP Phones
host voip01 {
hardware ethernet 00:1D:45:B6:99:2F;
option tftp-server-name "172.23.2.36";
}
host voip02 {
hardware ethernet 00:1D:A2:66:B8:3E;
option tftp-server-name "172.23.2.36";
}
host voip03 {
hardware ethernet 00:1E:BE:90:FB:DB;
option tftp-server-name "172.23.2.36";
}
host voip04 {
hardware ethernet 00:1E:BE:90:FF:06;
option tftp-server-name "172.23.2.36";
}
# Mitel SIP-DECT
host rfp01 {
hardware ethernet 00:30:42:1B:73:5A;
fixed-address 172.23.1.111;
option host-name "rfp01";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
host rfp02 {
hardware ethernet 00:30:42:21:D4:D5;
fixed-address 172.23.1.112;
option host-name "rfp02";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
host rfp11 {
hardware ethernet 00:30:42:1B:8B:9B;
fixed-address 172.23.12.111;
option host-name "rfp11";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
# OMAPI
omapi-port 7911;
omapi-key omapi_key;
key omapi_key {
algorithm hmac-md5;
secret {{ dhcp_omapi_key }};
}

3
roles/dns_extern/templates/pdns.conf.j2
View File

@ -1,4 +1,5 @@
local-address=0.0.0.0, ::
local-address=0.0.0.0
local-ipv6=::
launch=gsqlite3
gsqlite3-dnssec
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3

20
roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2
View File

@ -1,7 +1,7 @@
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2024100600; serial
2021120101; serial
1d; refresh
2h; retry
4w; expire
@ -11,9 +11,9 @@ $TTL 1h ; default time-to-live
IN NS ns2.binary.kitchen.
; Loopback
1.0 IN PTR core.binary.kitchen.
2.0 IN PTR rt-w13b.binary.kitchen.
2.0 IN PTR erx-bk.binary.kitchen.
3.0 IN PTR erx-rz.binary.kitchen.
4.0 IN PTR rt-auweg.binary.kitchen.
4.0 IN PTR erx-auweg.binary.kitchen.
; Management
1.1 IN PTR v2301.core.binary.kitchen.
11.1 IN PTR ups1.binary.kitchen.
@ -50,8 +50,6 @@ $TTL 1h ; default time-to-live
35.2 IN PTR knoedel.binary.kitchen.
36.2 IN PTR schweinshaxn.binary.kitchen.
37.2 IN PTR bob.binary.kitchen.
38.2 IN PTR lasagne.binary.kitchen.
39.2 IN PTR tschunk.binary.kitchen.
62.2 IN PTR bowle.binary.kitchen.
91.2 IN PTR strammermax.binary.kitchen.
92.2 IN PTR obatzda.binary.kitchen.
@ -69,7 +67,6 @@ $GENERATE 10-230 $.3 IN PTR dhcp-${0,3,d}-03.binary.kitchen.
; MQTT
1.4 IN PTR v2304.core.binary.kitchen.
6.4 IN PTR pizza.mqtt.binary.kitchen.
7.4 IN PTR lasagne.mqtt.binary.kitchen.
$GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
241.4 IN PTR habdisplay1.mqtt.binary.kitchen.
242.4 IN PTR habdisplay2.mqtt.binary.kitchen.
@ -87,26 +84,21 @@ $GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
1.10 IN PTR wg0.erx-rz.binary.kitchen.
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
; Management Auweg
1.12 IN PTR v2312.rt-auweg.binary.kitchen.
31.12 IN PTR sw-auweg.binary.kitchen.
41.12 IN PTR ap11.binary.kitchen.
42.12 IN PTR ap12.binary.kitchen.
61.12 IN PTR weizen.binary.kitchen.
111.12 IN PTR rfp11.binary.kitchen.
; Services Auweg
1.13 IN PTR v2313.rt-auweg.binary.kitchen.
3.13 IN PTR aeron.binary.kitchen.
12.13 IN PTR lock-auweg.binary.kitchen.
; Clients Auweg
1.14 IN PTR v2314.rt-auweg.binary.kitchen.
$GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen.
; MQTT
1.15 IN PTR v2315.rt-auweg.binary.kitchen.
$GENERATE 10-240 $.15 IN PTR dhcp-${0,3,d}-15.binary.kitchen.
; Point-to-Point
1.96 IN PTR v400.rt-w13b.binary.kitchen.
1.96 IN PTR v400.erx-bk.binary.kitchen.
2.96 IN PTR v400.core.binary.kitchen.
1.97 IN PTR wg1.erx-rz.binary.kitchen.
2.97 IN PTR wg1.rt-w13b.binary.kitchen.
2.97 IN PTR wg1.erx-bk.binary.kitchen.
5.97 IN PTR wg2.erx-rz.binary.kitchen.
6.97 IN PTR wg2.rt-auweg.binary.kitchen.
6.97 IN PTR wg2.erx-auweg.binary.kitchen.

27
roles/dns_intern/templates/bind/binary.kitchen.zone.j2
View File

@ -1,19 +1,19 @@
$ORIGIN binary.kitchen ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2024111500; serial
2021120101; serial
1d; refresh
2h; retry
4w; expire
1h; minimum time-to-live
)
@ IN NS ns1.binary.kitchen.
@ IN NS ns2.binary.kitchen.
IN NS ns1.binary.kitchen.
IN NS ns2.binary.kitchen.
; Subdomains
users IN NS ns1.binary.kitchen.
users IN NS ns2.binary.kitchen.
; External
@ IN A 213.166.246.4
IN A 213.166.246.4
www IN A 213.166.246.4
; Aliases
3dprinter IN A 172.23.3.251
@ -30,13 +30,14 @@ netbox IN A 172.23.2.7
ns1 IN A 172.23.2.3
ns2 IN A 172.23.2.4
omm IN A 172.23.2.35
racktables IN A 172.23.2.6
radius IN A 172.23.2.3
radius IN A 172.23.2.4
; Loopback
core IN A 172.23.0.1
rt-w13b IN A 172.23.0.2
erx-bk IN A 172.23.0.2
erx-rz IN A 172.23.0.3
rt-auweg IN A 172.23.0.4
erx-auweg IN A 172.23.0.4
; Management
v2301.core IN A 172.23.1.1
ups1 IN A 172.23.1.11
@ -73,8 +74,6 @@ pancake IN A 172.23.2.34
knoedel IN A 172.23.2.35
schweinshaxn IN A 172.23.2.36
bob IN A 172.23.2.37
lasagne IN A 172.23.2.38
tschunk IN A 172.23.2.39
bowle IN A 172.23.2.62
strammermax IN A 172.23.2.91
obatzda IN A 172.23.2.92
@ -92,7 +91,6 @@ noodlehub IN A 172.23.3.251
; MQTT
v2304.core IN A 172.23.4.1
pizza.mqtt IN A 172.23.4.6
lasagne.mqtt IN A 172.23.4.7
$GENERATE 10-240 dhcp-${0,3,d}-04 IN A 172.23.4.$
habdisplay1.mqtt IN A 172.23.4.241
habdisplay2.mqtt IN A 172.23.4.242
@ -107,29 +105,24 @@ salat IN A 172.23.9.61
salat-bmc IN A 172.23.9.81
; Services RZ
; Management Auweg
v2312.rt-auweg IN A 172.23.12.1
sw-auweg IN A 172.23.12.31
ap11 IN A 172.23.12.41
ap12 IN A 172.23.12.42
weizen IN A 172.23.12.61
rfp11 IN A 172.23.12.111
; Services Auweg
v2313.rt-auweg IN A 172.23.13.1
aeron IN A 172.23.13.3
lock-auweg IN A 172.23.13.12
; Clients Auweg
v2314.rt-auweg IN A 172.23.14.1
$GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$
; MQTT Auweg
v2315.rt-auweg IN A 172.23.15.1
$GENERATE 10-240 dhcp-${0,3,d}-15 IN A 172.23.15.$
; VPN RZ (ER-X)
wg0.erx-rz IN A 172.23.10.1
$GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$
; Point-to-Point
v400.rt-w13b IN A 172.23.96.1
v400.erx-bk IN A 172.23.96.1
v400.core IN A 172.23.96.2
wg1.erx-rz IN A 172.23.97.1
wg1.rt-w13b IN A 172.23.97.2
wg1.erx-bk IN A 172.23.97.2
wg2.erx-rz IN A 172.23.97.5
wg2.rt-auweg IN A 172.23.97.6
wg2.erx-auweg IN A 172.23.97.6

18
roles/dns_intern/templates/dnsdist.conf.j2
View File

@ -9,27 +9,17 @@ newServer({address='127.0.0.1:5300', pool='authdns'})
newServer({address='127.0.0.1:5353', pool='resolve'})
{% if dns_secondary is defined %}
-- allow AXFR/IXFR only from secondary
addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
-- allow AXFR/IXFR only from slaves
addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
{% endif %}
-- allow NOTIFY only from primary
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
-- allow NOTIFY only from master
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
-- use auth servers for own zones
addAction('binary.kitchen', PoolAction('authdns'))
addAction('23.172.in-addr.arpa', PoolAction('authdns'))
-- function to set RA flag
function setRA(dq)
dq.dh:setRA(true)
return DNSResponseAction.None
end
-- set RA flag for queries to own zones
addResponseAction('binary.kitchen', LuaResponseAction(setRA))
addResponseAction('23.172.in-addr.arpa', LuaResponseAction(setRA))
-- use resolver for anything else
addAction(AllRule(), PoolAction('resolve'))

6
roles/dns_intern/templates/pdns.conf.j2
View File

@ -26,6 +26,12 @@ launch=bind,gsqlite3
# local-address=0.0.0.0
local-address=127.0.0.1
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=::
local-ipv6=
#################################
# local-port The port on which we listen
#

4
roles/dns_intern/templates/recursor.conf.j2
View File

@ -11,9 +11,9 @@
config-dir=/etc/powerdns
#################################
# dnssec DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
#
# dnssec=process
# dnssec=process-no-validate
dnssec=off
#################################

15
roles/docker/tasks/main.yml
View File

@ -1,10 +1,17 @@
---
- name: Enable docker apt-key
apt_key: url='https://download.docker.com/linux/debian/gpg'
- name: Enable docker repository
apt_repository:
repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
filename: docker
- name: Install docker
apt:
name:
- docker.io
- docker-ce
- docker-ce-cli
- containerd.io
- python3-docker
- name: Enable docker
service: name=docker state=started enabled=yes

7
roles/doorlock/handlers/main.yml
View File

@ -1,7 +0,0 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart nginx
service: name=nginx state=restarted

20
roles/doorlock/tasks/main.yml
View File

@ -1,20 +0,0 @@
---
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ doorlock_domain }}.key -out /etc/nginx/ssl/{{ doorlock_domain }}.crt
-days 730 -subj "/CN={{ doorlock_domain }}"
creates: /etc/nginx/ssl/{{ doorlock_domain }}.crt
notify: Restart nginx
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ doorlock_domain }}"
- name: Configure certificate manager for doorlock
template: src=certs.j2 dest=/etc/acertmgr/{{ doorlock_domain }}.conf
notify: Run acertmgr

18
roles/doorlock/templates/certs.j2
View File

@ -1,18 +0,0 @@
---
{{ doorlock_domain }}:
- mode: dns.nsupdate
nsupdate_server: {{ acme_dnskey_server }}
nsupdate_keyfile: {{ acme_dnskey_file }}
- path: /etc/nginx/ssl/{{ doorlock_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ doorlock_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'

14
roles/drone/files/drone.service Normal file
View File

@ -0,0 +1,14 @@
[Unit]
Description=drone.io server
After=network-online.target
[Service]
Type=simple
User=drone
EnvironmentFile=/etc/default/drone
ExecStart=/opt/drone/bin/drone-server
Restart=always
RestartSec=5s
[Install]
WantedBy=multi-user.target

10
roles/23b/handlers/main.yml → roles/drone/handlers/main.yml
View File

@ -3,11 +3,11 @@
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart 23b
service: name=23b state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart drone
service: name=drone state=restarted
- name: Restart nginx
service: name=nginx state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

0
roles/23b/meta/main.yml → roles/drone/meta/main.yml
View File

52
roles/drone/tasks/main.yml Normal file
View File

@ -0,0 +1,52 @@
---
- name: Create user
user: name=drone
# TODO install drone to /opt/drone/bin
# currently it is manually compiled
- name: Configure drone
template: src=drone.j2 dest=/etc/default/drone
notify: Restart drone
- name: Install PostgreSQL
apt:
name:
- postgresql
- python3-psycopg2
- name: Configure PostgreSQL database
postgresql_db: name={{ drone_dbname }}
become: true
become_user: postgres
- name: Configure PostgreSQL user
postgresql_user: db={{ drone_dbname }} name={{ drone_dbuser }} password={{ drone_dbpass }} priv=ALL state=present
become: true
become_user: postgres
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ drone_domain }}.key -out /etc/nginx/ssl/{{ drone_domain }}.crt -days 730 -subj "/CN={{ drone_domain }}" creates=/etc/nginx/ssl/{{ drone_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for drone
template: src=certs.j2 dest=/etc/acertmgr/{{ drone_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/drone
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/drone dest=/etc/nginx/sites-enabled/drone state=link
notify: Restart nginx
- name: Install systemd unit
copy: src=drone.service dest=/lib/systemd/system/drone.service
notify:
- Reload systemd
- Restart drone
- name: Enable drone
service: name=drone enabled=yes

6
roles/23b/templates/certs.j2 → roles/drone/templates/certs.j2
View File

@ -1,13 +1,13 @@
---
{{ bk23b_domain }}:
- path: /etc/nginx/ssl/{{ bk23b_domain }}.key
{{ drone_domain }}:
- path: /etc/nginx/ssl/{{ drone_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ bk23b_domain }}.crt
- path: /etc/nginx/ssl/{{ drone_domain }}.crt
user: root
group: root
perm: '400'

10
roles/drone/templates/drone.j2 Normal file
View File

@ -0,0 +1,10 @@
DRONE_AGENTS_ENABLED=true
DRONE_DATABASE_DATASOURCE=postgres://{{ drone_dbuser }}:{{ drone_dbpass }}@127.0.0.1:5432/{{ drone_dbname }}
DRONE_DATABASE_DRIVER=postgres
DRONE_GITEA_SERVER=https://{{ gitea_domain }}
DRONE_GITEA_CLIENT_ID={{ drone_gitea_client }}
DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_secret }}
DRONE_RPC_SECRET={{ drone_secret }}
DRONE_SERVER_HOST={{ drone_domain }}
DRONE_SERVER_PROTO=https
DRONE_USER_CREATE=username:{{ drone_admin }},admin:true

31
roles/drone/templates/vhost.j2 Normal file
View File

@ -0,0 +1,31 @@
server {
listen 80;
listen [::]:80;
server_name {{ drone_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ drone_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ drone_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ drone_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ drone_domain }}.crt;
location / {
client_max_body_size 128M;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:8080;
}
}

0
roles/act_runner/meta/main.yml → roles/drone_runner/meta/main.yml
View File

21
roles/drone_runner/tasks/main.yml Normal file
View File

@ -0,0 +1,21 @@
---
- name: Run runner container
docker_container:
name: runner
image: drone/drone-runner-docker:1
env:
DRONE_RPC_PROTO: "https"
DRONE_RPC_HOST: "{{ drone_domain }}"
DRONE_RPC_SECRET: "{{ drone_secret }}"
DRONE_RUNNER_CAPACITY: "2"
DRONE_RUNNER_NAME: "{{ ansible_fqdn }}"
DRONE_UI_USERNAME: "admin"
DRONE_UI_PASSWORD: "{{ drone_uipass }}"
ports:
- "3000:3000"
pull: yes
restart_policy: unless-stopped
state: started
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"

15
roles/event_web/files/certs
View File

@ -1,15 +0,0 @@
---
eh21.easterhegg.eu engel.eh21.easterhegg.eu:
- path: /etc/nginx/ssl/eh21.easterhegg.eu.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/eh21.easterhegg.eu.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'

68
roles/event_web/files/vhost
View File

@ -1,68 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name eh21.easterhegg.eu;
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://eh21.easterhegg.eu$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name eh21.easterhegg.eu;
ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
root /var/www/eh21;
}
server {
listen 80;
listen [::]:80;
server_name engel.eh21.easterhegg.eu;
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://engel.eh21.easterhegg.eu$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name engel.eh21.easterhegg.eu;
ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
root /var/www/engel/public;
index index.php;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}

7
roles/event_web/handlers/main.yml
View File

@ -1,7 +0,0 @@
---
- name: Restart nginx
service: name=nginx state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

5
roles/event_web/meta/main.yml
View File

@ -1,5 +0,0 @@
---
dependencies:
- { role: acertmgr }
- { role: nginx, nginx_ssl: True }

31
roles/event_web/tasks/main.yml
View File

@ -1,31 +0,0 @@
---
- name: Install dependencies
apt:
name:
- php-fpm
- name: Create vhost directory
file: path=/var/www/eh21 state=directory owner=www-data group=www-data
- name: Create vhost directory
file: path=/var/www/engel state=directory owner=www-data group=www-data
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/eh21.easterhegg.eu.key -out /etc/nginx/ssl/eh21.easterhegg.eu.crt -days 730 -subj "/CN=eh21.easterhegg.eu" creates=/etc/nginx/ssl/eh21.easterhegg.eu.crt
notify: Restart nginx
- name: Configure certificate manager
copy: src=certs dest=/etc/acertmgr/eh21.easterhegg.eu.conf
notify: Run acertmgr
- name: Configure vhosts
copy: src=vhost dest=/etc/nginx/sites-available/www
notify: Restart nginx
- name: Enable vhosts
file: src=/etc/nginx/sites-available/www dest=/etc/nginx/sites-enabled/www state=link
notify: Restart nginx
- name: Start php8.2-fpm
service: name=php8.2-fpm state=started enabled=yes

8
roles/fileserver/templates/smb.conf.j2
View File

@ -42,7 +42,7 @@
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
min protocol = NT1
#### Debugging/Accounting ####
@ -213,7 +213,7 @@
;[printers]
; comment = All Printers
; browseable = no
; path = /var/tmp
; path = /var/spool/samba
; printable = yes
; guest ok = no
; read only = yes
@ -240,5 +240,5 @@
browseable = yes
read only = no
guest ok = yes
create mask = 0660
directory mask = 0770
create mask = 0600
directory mask = 0700

12
roles/freepbx/defaults/main.yml
View File

@ -1,12 +0,0 @@
---
deploy_key_file: /root/.ssh/id_git_deploy_rsa
asterisk_user: asterisk
asterisk_group: asterisk
repo_provisioning: gogs@git.binary-kitchen.de:noby/voip-yealink-provisioning.git
repo_utilities: gogs@git.binary-kitchen.de:noby/voip-yealink-xml-browser.git
path_yealink_provisioning: /tftpboot/yealink
path_yealink_utilities: /opt/yealink_utilities

10
roles/freepbx/handlers/main.yml
View File

@ -1,10 +0,0 @@
---
- name: Reload systemd
ansible.builtin.systemd:
daemon_reload: true
- name: Restart yealink-utilities
ansible.builtin.service:
name: yealink-utilities
state: restarted

8
roles/freepbx/meta/main.yml
View File

@ -1,8 +0,0 @@
---
galaxy_info:
author: Thomas Basler
description: Install FreePBX extensions
license: None
platforms:
- name: Debian
min_ansible_version: "2.4"

20
roles/freepbx/tasks/main.yml
View File

@ -1,20 +0,0 @@
---
- name: Generate an OpenSSH keypair for gitea deploy usage
community.crypto.openssh_keypair:
path: "{{ deploy_key_file }}"
- name: Wait for confirmation
ansible.builtin.pause:
prompt: Please confirm that you've distributed the public key to all repositories! Press return to continue. Press Ctrl+c and then "a" to abort
- name: Install required packages
ansible.builtin.apt:
name:
- php-ldap
- name: Include provisioning tasks
ansible.builtin.include_tasks: yealink_provisioning.yml
- name: Include XML-Utilities tasks
ansible.builtin.include_tasks: yealink_utilities.yml

9
roles/freepbx/tasks/yealink_provisioning.yml
View File

@ -1,9 +0,0 @@
---
- name: Clone Yealink Provisioning data
ansible.builtin.git: # noqa: latest
repo: "{{ repo_provisioning }}"
dest: "{{ path_yealink_provisioning }}"
force: true
accept_hostkey: true
key_file: "{{ deploy_key_file }}"

53
roles/freepbx/tasks/yealink_utilities.yml
View File

@ -1,53 +0,0 @@
---
- name: Install dependencies
ansible.builtin.package:
name: "python3-venv"
state: present
- name: Check if .gitignore contains "{{ path_yealink_utilities }}"
ansible.builtin.command: grep "directory = {{ path_yealink_utilities }}" /root/.gitconfig
register: gitignore_check
ignore_errors: true
- name: "Patch /root/.gitconfig"
ansible.builtin.command: |-
git config --global --add safe.directory {{ path_yealink_utilities }}
when: gitignore_check.rc != 0
- name: Clone Yealink Utilities
ansible.builtin.git: # noqa: latest
repo: "{{ repo_utilities }}"
dest: "{{ path_yealink_utilities }}"
force: true
accept_hostkey: true
key_file: "{{ deploy_key_file }}"
- name: Ensure directory permissions
ansible.builtin.file:
path: "{{ path_yealink_utilities }}"
state: directory
recurse: true
owner: "{{ asterisk_user }}"
group: "{{ asterisk_group }}"
- name: Install specified python requirements in indicated (virtualenv)
ansible.builtin.pip:
requirements: "{{ path_yealink_utilities }}/requirements.txt"
virtualenv: "{{ path_yealink_utilities }}/.venv"
virtualenv_command: 'python3 -m venv'
- name: Install systemd unit
ansible.builtin.template:
src: yealink-utilities.service.j2
dest: /etc/systemd/system/yealink-utilities.service
mode: "0644"
notify:
- Reload systemd
- Restart yealink-utilities
- name: Enable yealink-utilities
ansible.builtin.service:
name: yealink-utilities
state: started
enabled: true

17
roles/freepbx/templates/yealink-utilities.service.j2
View File

@ -1,17 +0,0 @@
[Unit]
Description=Yealink XML-Browser
After=syslog.target
After=network.target
[Service]
RestartSec=2s
Type=simple
User={{ asterisk_user }}
Group={{ asterisk_group }}
Environment="PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:{{ path_yealink_utilities }}/.venv/bin"
WorkingDirectory={{ path_yealink_utilities }}
ExecStart={{ path_yealink_utilities }}/.venv/bin/python3 {{ path_yealink_utilities }}/run.py
Restart=always
[Install]
WantedBy=multi-user.target

3
roles/gitea/defaults/main.yml
View File

@ -3,5 +3,6 @@
gitea_user: gogs
gitea_group: gogs
gitea_version: 1.22.6
gitea_checksum: sha256:8dfab91bde02a27fba0248ba1d0175b2e4ff57ba3ef7a9da3e68cbb11d15178a
gitea_version: 1.15.10
gitea_url: https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64

23
roles/gitea/tasks/main.yml
View File

@ -6,24 +6,19 @@
- name: Create user
user: name={{ gitea_user }} home=/home/{{ gitea_user }} group={{ gitea_group }}
- name: Create directories
file: path={{ item }} state=directory owner={{ gitea_user }} group={{ gitea_group }}
- name: Create gitea directories
file: path={{ item }} state=directory owner={{ gitea_user }}
with_items:
- /opt/gitea
- /opt/gitea/custom
- /opt/gitea/custom/conf
- name: Download gitea binary
get_url: url={{ gitea_url }} dest=/opt/gitea/gitea-{{ gitea_version }} mode=0755
register: gitea_download
- name: Symlink gitea binary
file: src=/opt/gitea/gitea-{{ gitea_version }} dest=/opt/gitea/gitea state=link
when: gitea_download.changed
get_url: url={{ gitea_url }} dest=/opt/gitea/gitea checksum={{ gitea_checksum }} mode=0755
notify: Restart gitea
- name: Configure gitea
template: src=app.ini.j2 dest=/opt/gitea/custom/conf/app.ini force=no owner={{ gitea_user }} group={{ gitea_group }}
template: src=app.ini.j2 dest=/opt/gitea/custom/conf/app.ini force=no owner={{ gitea_user }}
- name: Install systemd unit
template: src=gitea.service.j2 dest=/lib/systemd/system/gitea.service
@ -55,9 +50,6 @@
template: src=certs.j2 dest=/etc/acertmgr/{{ gitea_domain }}.conf
notify: Run acertmgr
- name: Configure robots.txt for gitea
template: src=robots.txt.j2 dest=/opt/gitea/custom/robots.txt owner={{ gitea_user }}
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/gitea
notify: Restart nginx
@ -67,9 +59,4 @@
notify: Restart nginx
- name: Enable gitea
service: name=gitea state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ gitea_domain }}"
service: name=gitea enabled=yes

Some files were not shown because too many files have changed in this diff Show More