infra
/
ansible
4
5
Fork 5
Code Issues 6 Pull Requests Activity

Compare commits

base: infra:master
Branches Tags
infra:master
infra:kea
infra:pizza
..
compare: infra:pizza
Branches Tags
infra:master
infra:kea
infra:pizza

1 Commits
master ... pizza

Author SHA1 Message Date
Markus a9899061d8 [WIP] role for pizza 2020-11-21 22:14:53 +01:00
302 changed files with 3709 additions and 11797 deletions
Show Stats Expand all files Collapse all files

67
README.md
View File

@ -1,68 +1,11 @@
# Binary Kitchen Ansible Playbooks
This repository contains the roles to setup most of the infrastructure related to the hackspace Binary Kitchen.
This repository contains the roles to setup most of the infrastructure related to the hackerspace Binary Kitchen.
## Usage
## Using
To apply the current set of roles to a single host you can type: `ansible-playbook site.yml -l $hostname`
TBA
It is recommenced to alway run in check mode (`--check`) first and use `--diff` to see what has been (or would be) changed
## Style / Contributing
## Current setup
Currently the following hosts are installed:
### Internal Servers
| Hostname | OS | Purpose |
| ------------------------- | --------- | ----------------------- |
| wurst.binary.kitchen | Proxmox 8 | VM Host |
| salat.binary.kitchen | Proxmox 8 | VM Host |
| weizen.binary.kitchen | Proxmox 8 | VM Host |
| bacon.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| aveta.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| aeron.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| sulis.binary.kitchen | Debian 12 | Shell |
| nabia.binary.kitchen | Debian 12 | Monitoring |
| epona.binary.kitchen | Debian 12 | NetBox |
| pizza.binary.kitchen | Debian 11 | OpenHAB * |
| pancake.binary.kitchen | Debian 12 | XRDP |
| knoedel.binary.kitchen | Debian 12 | SIP-DECT OMM |
| bob.binary.kitchen | Debian 12 | Gitea Actions |
| lasagne.binary.kitchen | Debian 12 | Home Assistant * |
| tschunk.binary.kitchen | Debian 11 | Strichliste |
| bowle.binary.kitchen | Debian 12 | Files |
| lock-auweg.binary.kitchen | Debian 11 | Doorlock |
\*: The main application is not managed by ansible but manually installed
### External Servers
| Hostname | OS | Purpose |
| ----------------------------- | --------- | ----------------------- |
| helium.binary-kitchen.net | Debian 12 | LDAP Master |
| lithium.binary-kitchen.net | Debian 12 | Mail |
| beryllium.binary-kitchen.net | Debian 12 | Web * |
| boron.binary-kitchen.net | Debian 12 | Gitea |
| carbon.binary-kitchen.net | Debian 12 | Jabber |
| nitrogen.binary-kitchen.net | Debian 12 | NextCloud |
| oxygen.binary-kitchen.net | Debian 12 | Shell |
| fluorine.binary-kitchen.net | Debian 12 | Web (div. via Docker) |
| neon.binary-kitchen.net | Debian 12 | Auth. DNS |
| sodium.binary-kitchen.net | Debian 12 | Mattrix |
| magnesium.binary-kitchen.net | Debian 12 | TURN |
| aluminium.binary-kitchen.net | Debian 12 | Zammad |
| krypton.binary-kitchen.net | Debian 12 | PartDB * |
| yttrium.binary-kitchen.net | Debian 12 | Hintervvoidler * |
| zirconium.binary-kitchen.net | Debian 12 | Jitsi |
| molybdenum.binary-kitchen.net | Debian 12 | Telefonzelle * |
| technetium.binary-kitchen.net | Debian 12 | Event CTFd * |
| ruthenium.binary-kitchen.net | Debian 12 | Minecraft * |
| rhodium.binary-kitchen.net | Debian 12 | Event pretix |
| palladium.binary-kitchen.net | Debian 12 | Event pretalx |
| argentum.binary-kitchen.net | Debian 12 | Event Web * |
| cadmium.binary-kitchen.neti | Debian 12 | Event NetBox * |
| barium.binary-kitchen.net | Debian 12 | Workadventure |
\*: The main application is not managed by ansible but manually installed
TBA/TBD

1
ansible.cfg
View File

@ -1,6 +1,5 @@
[defaults]
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
interpreter_python = auto
inventory = ./hosts
nocows = 1
remote_user = root

110
group_vars/all/vars.yml
View File

@ -5,14 +5,6 @@ acertmgr_mode: webdir
acme_dnskey_file: /etc/acertmgr/nsupdate.key
acme_dnskey_server: neon.binary-kitchen.net
authentik_domain: auth.binary-kitchen.de
authentik_dbname: authentik
authentik_dbuser: authentik
authentik_dbpass: "{{ vault_authentik_dbpass }}"
authentik_secret: "{{ vault_authentik_secret }}"
bk23b_domain: 23b.binary-kitchen.de
coturn_realm: turn.binary-kitchen.de
coturn_secret: "{{ vault_coturn_secret }}"
@ -22,12 +14,19 @@ dns_axfr_ips:
dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
drone_admin: moepman
drone_domain: drone.binary-kitchen.de
drone_dbname: drone
drone_dbuser: drone
drone_dbpass: "{{ vault_drone_dbpass }}"
drone_uipass: "{{ vault_drone_uipass }}"
drone_secret: "{{ vault_drone_secret }}"
drone_gitea_client: "{{ vault_drone_gitea_client }}"
drone_gitea_secret: "{{ vault_drone_gitea_secret }}"
dss_domain: dss.binary-kitchen.de
dss_secret: "{{ vault_dss_secret }}"
fpm_status_user: admin
fpm_status_pass: "{{ vault_fpm_status_pass }}"
gitea_domain: git.binary-kitchen.de
gitea_dbname: gogs
gitea_dbuser: gogs
@ -35,20 +34,11 @@ gitea_dbpass: "{{ vault_gitea_dbpass }}"
gitea_secret: "{{ vault_gitea_secret }}"
gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
hedgedoc_domain: pad.binary-kitchen.de
hedgedoc_dbname: hedgedoc
hedgedoc_dbuser: hedgedoc
hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
icinga_domain: icinga.binary.kitchen
icinga_dbname: icinga
icinga_dbuser: icinga
icinga_dbpass: "{{ vault_icinga_dbpass }}"
icinga_server: nabia.binary.kitchen
icingaweb_dbname: icingaweb
icingaweb_dbuser: icingaweb
icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
hackmd_domain: pad.binary-kitchen.de
hackmd_dbname: hackmd
hackmd_dbuser: hackmd
hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
hackmd_secret: "{{ vault_hackmd_secret }}"
jitsi_domain: jitsi.binary-kitchen.de
jitsi_admin_email: exxess@binary-kitchen.de
@ -68,29 +58,16 @@ mail_domain: binary-kitchen.de
mail_domains:
- ccc-r.de
- ccc-regensburg.de
- eh21.easterhegg.eu
- makerspace-regensburg.de
mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
mail_server: mail.binary-kitchen.de
mailman_domain: lists.binary-kitchen.de
mail_trusted:
- 213.166.246.0/28
- 213.166.246.37/32
- 213.166.246.45/32
- 213.166.246.46/32
- 213.166.246.47/32
- 213.166.246.250/32
- 2a02:958:0:f6::/124
- 2a02:958:0:f6::37/128
- 2a02:958:0:f6::45/128
- 2a02:958:0:f6::46/128
- 2a02:958:0:f6::47/128
mail_aliases:
- "auweg@binary-kitchen.de venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
- "bbb@binary-kitchen.de boehm.johannes@gmail.com"
- "dasfilament@binary-kitchen.de taxx@binary-kitchen.de"
- "epvpn@binary-kitchen.de noby@binary-kitchen.de"
- "google@binary-kitchen.de vorstand@binary-kitchen.de"
- "info@binary-kitchen.de vorstand@binary-kitchen.de"
- "lebercast@binary-kitchen.de anti@binary-kitchen.de,dragonchaser@binary-kitchen.de,moepman@binary-kitchen.de,philmacfly@binary-kitchen.de,ralf@binary-kitchen.de"
- "loetworkshop@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
@ -98,14 +75,12 @@ mail_aliases:
- "openhab@binary-kitchen.de noby@binary-kitchen.de"
- "orga@ccc-r.de orga@ccc-regensburg.de"
- "orga@ccc-regensburg.de anti@binary-kitchen.de"
- "paypal@binary-kitchen.de ralf@binary-kitchen.de"
- "paypal@binary-kitchen.de timo.schindler@binary-kitchen.de"
- "post@makerspace-regensburg.de vorstand@binary-kitchen.de"
- "pretalx@binary-kitchen.de moepman@binary-kitchen.de"
- "pretix@binary-kitchen.de moepman@binary-kitchen.de"
- "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de"
- "seife@binary-kitchen.de anke@binary-kitchen.de"
- "siebdruck@binary-kitchen.de anke@binary-kitchen.de"
- "vorstand@binary-kitchen.de anke@binary-kitchen.de,christoph@schindlbeck.eu,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
- "vorstand@binary-kitchen.de anti@binary-kitchen.de,avarrish@binary-kitchen.de,timo.schindler@binary-kitchen.de,zaesa@binary-kitchen.de"
- "voucher1@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher2@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher3@binary-kitchen.de exxess@binary-kitchen.de"
@ -119,41 +94,25 @@ mail_aliases:
- "voucher11@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher12@binary-kitchen.de exxess@binary-kitchen.de"
- "workshops@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
- "tickets@eh21.easterhegg.eu orga@eh21.easterhegg.eu"
- "hackzuck@eh21.easterhegg.eu kekskruemml@binary-kitchen.de"
matrix_domain: matrix.binary-kitchen.de
matrix_dbname: matrix
matrix_dbuser: matrix
matrix_dbpass: "{{ vault_matrix_dbpass }}"
mc_domain: minecraft.binary-kitchen.de
netbox_domain: netbox.binary.kitchen
netbox_dbname: netbox
netbox_dbuser: netbox
netbox_dbpass: "{{ vault_netbox_dbpass }}"
netbox_secret: "{{ vault_netbox_secret }}"
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
nextcloud_domain: oc.binary-kitchen.de
nextcloud_dbname: owncloud
nextcloud_dbuser: owncloud
nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
omm_domain: omm.binary.kitchen
pretalx_domain: fahrplan.eh21.easterhegg.eu
pretalx_dbname: pretalx
pretalx_dbuser: pretalx
pretalx_dbpass: "{{ vault_pretalx_dbpass }}"
pretalx_mail: pretalx@binary-kitchen.de
pretix_domain: pretix.events.binary-kitchen.de
pretix_domainx: tickets.eh21.easterhegg.eu
pretix_dbname: pretix
pretix_dbuser: pretix
pretix_dbpass: "{{ vault_pretix_dbpass }}"
pretix_mail: pretix@binary-kitchen.de
plk_domain: plk-regensburg.de
plk_dbuser: plkdbuser
plk_dbname: plkdb
plk_dbpass: "{{ vault_plk_dbpass }}"
prometheus_pve_user: prometheus@pve
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
@ -167,6 +126,8 @@ pve_targets:
radius_secret: "{{ vault_radius_secret }}"
rocketchat_domain: chat.binary-kitchen.de
root_keys:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBmZnJLG1WRppbLtOAJw3E4LgLRK0NirfCgpovhhU6h moepman"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd kishi"
@ -174,22 +135,3 @@ root_keys:
slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
slapd_root_pass: "{{ vault_slapd_root_pass }}"
slapd_san: ldap.binary.kitchen
sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
sssd_base_user: ou=people,dc=binary-kitchen,dc=de
strichliste_domain: tschunk.binary.kitchen
strichliste_dbname: strichliste
strichliste_dbuser: strichliste
strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
vaultwarden_domain: vault.binary-kitchen.de
vaultwarden_dbname: vaultwarden
vaultwarden_dbuser: vaultwarden
vaultwarden_dbpass: "{{ vault_vaultwarden_dbpass }}"
vaultwarden_token: "{{ vault_vaultwarden_token }}"
vaultwarden_yubico_secret: "{{ vault_vaultwarden_yubico_secret }}"
workadventure_domain: wa.binary-kitchen.de
zammad_domain: requests.binary-kitchen.de

166
group_vars/all/vault.yml
View File

@ -1,109 +1,59 @@
$ANSIBLE_VAULT;1.1;AES256
63626562396631623335303064393137396262393239366236373634323333343264343335306330
3861326430303265376564306139323064356339653039330a613335323233356361303066663139
34386465306537666464643736656230356632633239363865386166373834653030363736613834
6339303364363166620a626134303835346130386238653232316663346633313631653164336336
34653639363635663537356639646333616438336438333463656537326134343531393435663266
64366333346130653730613865346134356161373237343539373965623036656231653939303365
62326638666431333265343639326461313433656639393839396366633431616435393263336231
66303634656536636165636462396637656331666336623734333139316533636664306262326566
36616366663933613561336164386463393635636264613737316464666535366361613065363362
30316566323663623133346130393032646237353934363531326530396263363130326638393032
30633832663134613964323733623230363831636664373661633966366264373766326161623862
39396331313231633237313735636261653531313961616230626565623633636638643936326237
62333066366439643163336233353361343662326237376332396461393663623761613962333237
65633039363636323235356632326563376163386161373362383466346339356463636437646262
38313164393036393661336633373265303536316165623330643236313936666139376237366164
31373364663136356139356433386132343630396531373961616131343333663463616262373439
34393161323334333732383866653463656265393761346533663530613530313062626330356535
65393037636665303564316536376531386561366466643961666439326462353864643635353934
66616432303966643731386133613430313737356539386331623832656132663461393538363962
64313935613063373832343862373734316634663333313835323836386466336663643661656436
61353663646165623165663035383461376331373439666433386433376234613163396234373632
61646230363163366338653332373834386534333436373737383463363335356436313463626333
63393166316663323066323863373830393937353864376366313535663565613031643932383364
62623633353662323965393563363261623564396632643662663032613032666162616132336130
39376430663833303264306135643832383231623336613734373964653736376235653334333639
63376661636561383236633365303031326630356661633062663564396133313633323738333539
66303235613562313636343766356263383132643962393232396263393665666334633438383632
38646635643030303464396634356161333836376364333361356461346664303563346463333838
34356139373233313631653533356633643730663438646630373331313065363136663938306439
38336563363966653632613436356530316234326365666438326635313537343665663233363731
36646565393937326336626333383863656565323832303937323536346366303839633236663566
32373632646463363634363031626635383233656361336532636366653434623562623937656137
66303663316165633932643365623732323430376334303036303961396264303664616433356361
64366135376232313265376563633163373933343066653939313433366539396163656163346663
30626331333034316131343361636364653936373235623562336366336237353966613536316637
61343530326139636365613434386263383430626663333932386431313164346532666562346537
32623538353365383030396332386133343464643732653038623337353135663964643566396439
64633435623763666461356331306539373638383034343735373765373333656562326338613763
63633732373765316238633539316665623431616333363364316531306630343735393335616630
36613362336566393866623566666430336639376662633233656130653837313161653462346335
63396532663633393363626136373161303235613761373235633831393736343630353031613364
32353463383934313961313638613533623638383062343936616336646431383935393938623138
31383032326365333136666165633832333836346231636332353830336264636235383162356630
38316137623935633863363162376239623932373233663663323830363162313665613830623763
63656237343662616130326339386231376564613164666163393232653762613932343561343031
66386431343139373734626430656139353635636233336236653438353066393732663637323435
63303434376634366262646662616162343664666365373934346530343239653330356234373065
31373934363731373136346665623334306631626134613334633135666461636462303164653662
36323132376532613431653063643965636233373165333639323966663333633563303438396466
64633761376164383835613038633630623439643364323232633437386334346138343361306638
38626632326137303839306531633536643161656231636662383461373964646333303936343733
36333863316162393134646563316235663164613062303734346662386466656461346364356564
35326234336439623961383938316136633037343863363933616663366536613866666165376664
30306438666365333333636632643832303463356533343033623938653365663732336164303033
65653936363839323239306463366533653439663437343536393564336163313962313935636534
34346330393637343834323931353762613839366166353139303535376230356466646261363464
33386337616230623537376665663835373766316332363433313234326461313935636666363261
30653433333436306564653461303165656163363331643536323535623062396561643662323334
35626565616538396566363433363732656538313531636632643163633637303339656431346466
61353030666638393361613833353532656130643866636135643434366562386363656434323366
36343764316136316630353338363735646533346362386266643136626366356331656363393133
35636633353662393435346365663432656166646136346331363563363539326162633166393164
34303164353632373437613564336266373934396236383962376530613631633932626431333864
64623439336638613337383763353531376133343436346330373362313034616166616537636366
30306132613333633261326630323038323431643163373365376662623339396136313531366332
66663037643036303836376632646132383563316262393438636432666661333836376663666130
31316135366562633134306633333834636132623739373131626161633636313737646334376434
33376337393630663338643366316465353266346365333830613533393139333235366237323339
66346465313462373334316535383633343165373733313230373461366336353664306537306538
32653538366565663764353031303763613835366461666163336665656436333563613835653438
65376265303131376239616536353933346633393438643466343439643039313236373033323034
64316364663139353664653564393262323565646235356431326331343433373639316234363938
65633034666532306137353431613732663166323936356433323733376261386161383265663264
35643038663565646135343233623530396165336263303931653037393934343833623337343834
31343631343563626561393763356463393930616338623861363835343635376238653337653133
31393834343536396536363533363739306639646333313836393331306566393534383265613234
31623238306531383936343836336466343336396530633033323063346261366633343936316637
30343165333861346635623934363537383531323637313461663964353338653639366562306236
30363265393038633564626463393166333665396538663639346665353736336134643862663630
62393037363963613263313939613865393066323830656362656464643730636535623639636131
63343263333134336364323236656639613635323165383164636465353438653134646334643962
35306463626336626664383638323865633631346437613139623239663538666363313237323663
39323734353363643334343538303635366637373530383832393861346164666666306631643563
63306565306337383539636330623933666266353635396238656435373563383830666636616335
39386134383938626439366437383138303062333236306436336163393832613532303332303833
39323539396235383765613234303765303136653064336361333035643365386232613766356362
30656437376537623165626530623365393463626337383139663734396331396363396162383330
31663636383037613563346330323063393637616334356439666263623662383666376265313732
63343837306336313264313934653836363665616264396662633761363237366437653962626664
38383462313435383133613465656435363563373765313361623565636564616236313666633264
37393165386163393666376636343963333932346463303661373339303765303938636135323363
35663731656431656330336366383330616163353934333564356633613165396463393066396533
32396264653265333865643365346233633863333335383735396134663062343166656233613931
35633133336337343531313266323663363830353236323035313031646434303761343737633139
30343439323330353531633337353365363031666635653364326235316435383835663139376136
39343361636662346166363432366162666631366431623563363936336164323836376232326162
39316337343436386363643064653337613131346266353636333664373262326563386264303831
65343534616464633232373532313865363732663235376534396436333531633261393066313263
38316437643232336234343663666536353134626139623138636234396661613261326437303065
36383331323061643632323339383530626430343132613039393434333939383065623464646362
65303135313962613564666261356533313961323464623535393631613337663366626136343364
61363035333636366439313961326462633463616237343133356437303234323363306337343237
61376138323336663839623539633866313133346338313165623039336335663666313532636261
36383332346636373936366632393364323331303866623533643062666361613133383262383538
64343665333761326134303566656638633362643031306535333661623437636139353565623435
39323631393132336636653731636264356637373031633037653466383163663865626339323731
34623137386338343038373464613832363761643362623434373136376638663537623762646266
63306439363039303461
37303932343462623335393066643531373533636435356462326537373532613534353266396435
3636666364306637306266393933383963633032383265650a656563303332303134323135353239
34633863333930316564633632313939643664373163373833636139366537646530383736343130
6239373931306234620a353966346262646538306631656461613431636230333430663931643933
31316362353439393838363666613932313635313864333135636530653238653162353033356437
33353063363639346266313631393463623864636133623264613865336536613536343365386230
65396263393862626139396430623134316632313637623631623762656139623664356331623066
30323430613963313162616135303164663364336634326533346438373635366238356531613461
30333736633965333163616437303566666239313962353531393530613265363833396136646262
62633662666532396535316361303934613138373365633161393664313234663533363736323335
38613762376234663564333333386265633138613839636132346638313430653639636339336239
38633564333831326331326166666362353364303933393532643936313564386565643162623435
36356437356631666137323039316430656566613436623062656562666139383635653039636463
35393438323765303431333737356339343730303531333834306239366533393537626239376163
31663332343136323264376234363264343136623365383833666638656531306362663462383033
31633838643562613762363634653865353361303666363139636337386439626235336462653036
30376461643839313665383430386534656265626139313034646438323861653530383637316139
35313539636137303561646564616362313435666262343137616263396465356434363862323137
38626464383039386139343665363538326539613837366437623362336639336133323463666235
36346333356434363838363634343233323363333762653264333062656133623434666162356433
37623862653862643335333931663063623166353534636430323230663838653532356335306632
33646265343834363839653565326538353930663061376461646534386637376234646264343933
65653763343236653630396238333232633461663333646531323337626235396231383931663264
34363564366134663036643332346238373639646336396261316133326235636265323636663335
35363537346466396432396162383131306438396431336138666663633132646662316165643333
64633434623166343262623038623431343631333962663566303566393761653536303638643037
63363963306139336235363537396432383131303763643966313937353537333739393031616439
35343361646234663062633631323238656137373464386561656439313636613630323632616332
39346239666266623038363066643865373762633532323431373431373165643662663661633365
35353361383339623535336362313430616139396561623934346264323462663663383566393165
35366637313861386465333530613530623832643333616538336436356134313832306139336361
32393162373235356236343332363038393631626534643237383232323735633265333562633231
61613164363962323236666365353830346664643263393532343562383736336535353364343638
62386465323331653565306234646664393164666334383765336630346438633636353264636138
31316231326236313839353465353230353935363330393035373234393039386134366534653636
63323730383931353763383739393330316335373563393039366166313031373664636335363363
38363131363565326431636361316562313037373664306333313366646336333162663664306539
64636530363561393037373766383937616435313333653836363835383231633130396133663635
36613531323732623264646666656139333766656562623430313964366236373663626135383437
31643663663637613762313465656636396264623362643538323166356636303430613133383664
66383332326437333638663562376665386237313533303437623765353661393561373338636130
30383665333366643331366536646330633133643566393962633164643563613536363434393234
66323931316535353632356432373262623962616264383430623436303637616165386433326231
38633730636633643634343833313964653530663034333063313334636134646634363437346161
32613061363032383732323263303830363532326239316538393739313730383530633862313039
37653865303932313635656332663039376331393161623731623039653865623436363061626538
32383934613335363534666461343135303235373262343634306130633536323839393139346662
31623265323138353963623938616665383765366230656461383835346230346261623866366630
65303965353432386136373562306434623739666262356663656266346439356435613362333563
34366539353366346636376662363837303332373866323434366261326164633033353930383038
36666433656365366663326163343034306439653262353733323232373133386436333637346563
32626533336530633731336631333334353366306538663936643637346335303965626631316562
33333061656234393661363766663630316662613764333231326434383465666234653238393965
31636561396665383063613433653837363634623337623330666466353532633434383864343464
38303436306165353433356536326466306530373635616531393462666336666435633235613937
37343832333864643636366632623062363234633365326635386663376439383332306333653161
34353830396165366534313334616161323461613066383561343563393330613464373862623062
3536303066343262636636393861313539616636643339353562

16
group_vars/auweg
View File

@ -1,16 +0,0 @@
---
dhcpd_failover: false
dhcpd_primary: 172.23.13.3
dns_primary: 172.23.13.3
doorlock_domain: lock-auweg.binary.kitchen
name_servers:
- 172.23.13.3
ntp_servers:
- 172.23.12.61
radius_cn: radius.binary.kitchen

3
group_vars/kitchen
View File

@ -4,9 +4,6 @@ dhcpd_failover: true
dhcpd_primary: 172.23.2.3
dhcpd_secondary: 172.23.2.4
dns_primary: 172.23.2.3
dns_secondary: 172.23.2.4
name_servers:
- 172.23.2.3
- 172.23.2.4

7
host_vars/aeron.binary.kitchen
View File

@ -1,7 +0,0 @@
---
radius_hostname: radius3.binary.kitchen
slapd_hostname: ldap3.binary.kitchen
slapd_replica_id: 3
slapd_role: slave

6
host_vars/argentum.binary-kitchen.net
View File

@ -1,6 +0,0 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyGAePGA47K+VNFcKdvcQG3xM3ywcnrVtUD7wPrIin1 christoph"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINIhrQu5sf9LYoQ6ll1ShqDMX8xpsV9RUiaSw95JGafH flo@io3"

1
host_vars/aveta.binary.kitchen
View File

@ -3,5 +3,4 @@
radius_hostname: radius2.binary.kitchen
slapd_hostname: ldap2.binary.kitchen
slapd_replica_id: 2
slapd_role: slave

5
host_vars/bacon.binary.kitchen
View File

@ -1,11 +1,9 @@
---
ntp_server: true
ntp_servers:
- ptbtime2.ptb.de
- ntp1.rrze.uni-erlangen.de
- rustime01.rus.uni-stuttgart.de
- ntps1-0.cs.tu-berlin.de
ntp_peers:
- 172.23.1.60
@ -13,5 +11,4 @@ ntp_peers:
radius_hostname: radius1.binary.kitchen
slapd_hostname: ldap1.binary.kitchen
slapd_replica_id: 1
slapd_role: slave

2
host_vars/barium.binary-kitchen.net
View File

@ -1,2 +0,0 @@
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

2
host_vars/beryllium.binary-kitchen.net
View File

@ -1,5 +1,5 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB+wC+Lik9TNbRo40+e2BmJzJY8EuwRiJzKKvGCHlMmagOmZVf+zUmjc1uMvrgoA4UPJyKlkW1HqRhKLmsoccD2wg1JLlnjx6KBhiPGjPt833eWv0CyfJVqoHVPUs14BwCRGzuFZPXh8LC1XWiDlo23RC0RgPpk+wcOzf79ZivYSL4UNMcBIMIKmPlRwBLRUUXjYU2jgv1mWvIQVdKRbwmLk7FajREANKiLj+Tk+D4VmkDq6gUqXZHYbyUauwrtpYSv2JM6YQYhWz+eNXIID1NmlopAf66RwFxAaane6qMUMSCQw3HUBL2BjFGgmmdJPvsEfrj+S1CYh61iC1NHmPhP6DDnQO7aiP6dWLnRXLg4qcUaN0XGNZmhScls/jNbN4U+w6gIlR12KyoCJOK4pXiifBiuqmFGucyETex1jdKoaLPeB8Smu4HkFksmRgTZHbiYVvkgI/iW9KjBBzxCc8cwehabUpQ0DVN4chpFiFNHb3SfCh6W/3IKFcu4ou4lbvVowq+v/M7aDhjSqGEBMS/HRMQ8KteNTngFBcpTzMPBz1RQIOqlWUGp8yqu1SwZ/ZG1nMyUehchfkw/n+ML676UYMCZX2m7hqWXVccCnJLzFApv+0Lzqf3TNSbeLS1N/MDdjg+uejtj1889/leIF1/CnaHIs7WJN1qmdeVGw== anti"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

8
host_vars/bowle.binary.kitchen
View File

@ -1,8 +0,0 @@
---
nfs_exports:
- /exports/backup/bk 172.23.1.60(rw,sync,no_subtree_check)
- /exports/backup/rz 172.23.9.61(rw,sync,no_subtree_check)
- /exports/tank 172.23.0.0/22(rw,sync,no_subtree_check)
uau_reboot: "false"

4
host_vars/fluorine.binary-kitchen.net
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"

4
host_vars/knoedel.binary.kitchen
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

1
host_vars/krypton.binary-kitchen.net
View File

@ -2,4 +2,3 @@
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

11
host_vars/lasagne.binary.kitchen
View File

@ -1,11 +0,0 @@
---
root_keys_host:
- "# Thomas Basler"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
- "# Ralf Ramsauer"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
uau_reboot: "false"

5
host_vars/lock-auweg.binary.kitchen
View File

@ -1,5 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAkXY3fQFMG7LkTBWtBNY7q7RCwb/R4Z8Y96e3pToddfXbtmtVxMZfd6hC+3kGt3NnPYDFmZf/RXblNBPwL/n8bEjA0bmfU60LMjFT0mG99bLU+5CgDxaSf34jzgtzLbHKqeSYxNpXNebbDZRw+cxuDjxJ+lYbc/hNQTy6hqKXUSQ25LAqplKVYbxlPWPxxKnJCvWj2pCdJGj1EK/Y+saafNOhA7uEPNt8HtWWNMhxNi+P9OkkLpYqRM8V0miR7aAYOY+RllMn+H5DIJg2gk319AHhlBDP7NXd/tmWg+bI7xYPDe9Q6gMrV8OnQmuNjWsLNhp8ktwQxpsv71t6ztXLpceIkV9yfDSeBpZG5QnsMOy/ua91S6hmMg4bIEBsqkPUYEwEIDFaV0TrlKeXMkU+ovthZnw0CWgV5KEWDHtuGu8nBBpks/geclh+0yqeFEaacnlTTNEhvCcp7vOsqDJnZSn1L4O6C+u/A4NJGRH7XQMWrXBdeTVIT9KLsdZJsoPIH8BRaw/qOYPY6wZzHcLvrsayUBBiiLDIN1lE/3OV70dKX7F0Q7hyl8o9EoGdEYnGBonWGC58hroiAE4FTVdWLKtHzHSG2AdTWf53sJzGVEh5swm44KD/Dh52bE4YjUxC0b68Twb3/L1QpH8KZNUVEcRNmiRshefMPSXbPv3bNzc= 20170818Tobias@Teubl.de"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

3
host_vars/magnesium.binary-kitchen.net
View File

@ -1,3 +0,0 @@
---
acertmgr_mode: standalone

1
host_vars/molybdenum.binary-kitchen.net
View File

@ -4,4 +4,3 @@ grafana_domain: zelle.binary-kitchen.de
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

2
host_vars/nitrogen.binary-kitchen.net
View File

@ -3,5 +3,3 @@
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4xYKnnAhXf2Fe+cI+U4EVkePw3cbPbSR4iPhY2fQf xaver@xm.1drop.de"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGC1Cn/tEqpZKEgLzT3bGrhYibQy0bc21rtoDqm4+elZ xaver@home"
nginx_anonymize: True

3
host_vars/oxygen.binary-kitchen.net
View File

@ -1,4 +1,3 @@
---
sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
sshd_password_authentication: "yes"
uau_reboot: "false"

4
host_vars/pancake.binary.kitchen
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

3
host_vars/pizza.binary.kitchen
View File

@ -4,7 +4,8 @@ root_keys_host:
- "# Thomas Basler"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
- "# Ralf Ramsauer"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2bKOm2jd2QsPaJPE4V3bHBLjXB3pnpggkdEhf03aFvB08C72vKQcHpIYNhp8DLBr4N5epA0JP1cXdRSdKhQgzYbqL8CQgOJoNwf0OeOhFyXdThu1OqmaRMrRGlB/Q+sqBEXaknHqcXzq+24zkR+ID7sGkq7WaIKPln0qNY5RxWYrPE98ZhU5fZh1Qorcv34UBHYhVP4y8vM43LHcbkLgr0gg9tb2vItF6YvyIxgtz6KCODObzBZfkLLnVhVcb9VWbDh72rIz4OXI1fl+mCCH2l7XlqKP1vhF5LVsUjPcGY3Go0fw2vHIyxWe479OJ/9elFnKRIUY/f1Xz+YikLTmj ralf@YUBIKEY"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

4
host_vars/rhodium.binary-kitchen.net
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

2
host_vars/ruthenium.binary-kitchen.net
View File

@ -2,6 +2,6 @@
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
uau_reboot: "false"

4
host_vars/strontium.binary-kitchen.net Normal file
View File

@ -0,0 +1,4 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkN1eqP1Mv29z0npVznVJ4Cumyf4EoqS44xHKl0ms0e timo@charon"

4
host_vars/sulis.binary.kitchen
View File

@ -1,4 +0,0 @@
---
sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
sshd_password_authentication: "yes"

3
host_vars/technetium.binary-kitchen.net
View File

@ -1,5 +1,4 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBMLLlnlzbf5GTes2QrxuOTAR0BWTtbqQS80yPfI0mbh timo@styx"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7oyUa65KoSuv9l8tH/zVgZZ5mg5P45RIhlRZSt/amL x70b1"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcoIXTF0RtzM2vDir8axegFpLKNxGJyYNLj2triQm59GIvNRPHG/nBoaDcUwRT5b6Ew91KMw6iT1eI0n9oKbTMHZHvdSLLUmNmZT4z4JQOQm0n415ZW9m1r3R3S8sAxiLQ+5U91xnbHlzfuBKvpI56RLZNbkhAcqw9kS/UasO0UAFpdGL5CBnbJt0KPb4C9cYUM6H4clZFpWVDdK3+6gh+/Jx9QPmpPv0wfWI7z0fvQYUcXDFLjPh8CFK7BOcPZcv4V4bl5Tq1dTURMLaueTD0F5Ygn7cxKaDNvql4EIPDZaRCEz3cIvFB7435emRgZC54YmhWIYC+oJrLTlMCrYKhISLtWg92EcE/aCUNL0V+n1EK5dkds+AY/eDiyP58ArAHNsopXmcHiko3goyZyEK5Y0tJ5sA9L4Q0mgLz/rW1CsZHcpiYU9yKpDRscbf3DDlFMzMYG8O9JufgcyF+GFhxIhXesfjJ4gDNepaYhd/qutwThip027cKtoczLAMR2xbT6bUYr7KKmxvXVlP7Epkfi3N2cj/Wx9gAm1qIs1yjcWCe71k1QMC+dTNTV+T9Ch5d1lji7lGOKDl70rB/WytdISVlEJr8TviBk27oldCuC1WCPGjRxWeGv5uVxE9O7nQh0dxox+HFssa7ENuDR9LEd9O6Zvuf09pzDASB0PjFyw== bedah@binary-kitchen.de"

7
host_vars/tschunk.binary.kitchen
View File

@ -1,7 +0,0 @@
---
root_keys_host:
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
uau_reboot: "true"

8
host_vars/weizen.binary.kitchen
View File

@ -1,8 +0,0 @@
---
ntp_server: true
ntp_servers:
- ptbtime1.ptb.de
- ntp1.rrze.uni-erlangen.de
- rustime01.rus.uni-stuttgart.de

4
host_vars/wurst.binary.kitchen
View File

@ -1,11 +1,9 @@
---
ntp_server: true
ntp_servers:
- ptbtime1.ptb.de
- ntp1.rrze.uni-erlangen.de
- rustime01.rus.uni-stuttgart.de
- ntps1-0.cs.tu-berlin.de
ntp_peers:
- 172.23.2.3

5
host_vars/yttrium.binary-kitchen.net
View File

@ -1,6 +1,5 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDetxImx0c/Fald9Y2wIHNJCi356rfskVUBT/SGH64N1HVZGBZhlWkeKJkCCufm3jLXdjJrlFDFlP0EjbohR6SP3VVf8Z7zAoazCtxWq0dyjPDvOjUrIuBeILbXZu0Q+qmFHPwvp5vR2wWFUwNLl1Te3CNSzQnn2KxOXfeZ56cDogzonlxh5JXDd0JWpINAuLp7uR6IshfmEMKsyCGjqzMUJ9YCztzkI9TJYDc4xitmQTvea44hRhyeIRf2ip8YlHnEIpJ9i712CQ5UEHBZUfy2gZwoLW0yYy9HJucF2A5gzvoUQ1wjA9/irlGiabKq6rOyT4ezBSoZZLEBIa6GU4qKMc1rE4Hnifi0AUnQ+4MqrCCu2QTJGNvyYzNt2XtkjakN3gtlz5xCsYV08PEB4VjAFVIa1yku66UblAW5KqixfE4mU7Z29b8faF5Ld7XO1tlNgiuHih7+JoQiwJ+auULYwRX1C2v6fAEU3PGU73VT3TZJTa5IS+fkTWzn643atxklP6Lmo8hrZIS0NXIr22OP1zYuCZm5/JLDhe0qOCYd8YQU2dNww4OUZ1uMLNOM+0UJvCHbWdjw8amR58yO5W83xp0qLHGUFjDpgvuP4ius4gvwjlhFdSVYRGwr2intLitXvOf3btjBJKUDIN0VM4MFzkvyUyCOgBgEkdCBvI7g4w== philmacfly"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8MB80WTE9ZW/mGRdPWjkpiupvoSGVnmK9wvOqm6xpwDwZkD52RGfiWQW2IbJObCLGJxoigSi4lVvrJD6MWjXAsj5Foq1H3Ok+xJET2zfWMf4s/0uStSS9kaJ/gI6Qd5jMsnz1xATTInWAHIK7u3I4trt81FWkXQdfRSNC0mPh/PYBsXzwgx/m5s3o1nUtcIBXFZUeGNnhSSf1As0Wi0Bsv3GXIIDH4b4cIi7aGHqGuaes2cTUW1r0RspUVI139Gx2O4mgv4JE/n61t/4AzfYGoaszoqPCHQt5LR8Wd/XIaPLwnM1kzo4QVqNgqkY/awryt9IPoAFqJBbIvP0Bt3irGOPrdl7e7KcV55a9gPpCmz+bVaQO2oBmQ34AsZFg9tCP26OmViQu0Lx14vWWYDFkxzCxCDDngo6+f+e5AsyAjO2pHz/ZKv/VE5P3y8CnadHG88cO0qeoI6VH4jjGk5GYYrVD4BHf8StlvAg8unwMlYchuvaKLtQyQXFW40ww4VDdPo6KSv5T5a6SozEzRtN2QKRLyxIz68xVnKYq4TanR2lsm6wecUSriV48qscglokcTKJspWD29DQ62dMt5xFDtM8i9dE8W3SUePB8qPTBK9LUrO8PkGjb0X/RgMZB5bCWBmz4I1G1X+9Y8OLpr4NKGP9UFntYtJ3tpMCHtPgf4Q== philmacfly"

18
hosts
View File

@ -4,19 +4,10 @@ bacon.binary.kitchen ansible_host=172.23.2.3
aveta.binary.kitchen ansible_host=172.23.2.4
sulis.binary.kitchen ansible_host=172.23.2.5
nabia.binary.kitchen ansible_host=172.23.2.6
epona.binary.kitchen ansible_host=172.23.2.7
pizza.binary.kitchen ansible_host=172.23.2.33
pancake.binary.kitchen ansible_host=172.23.2.34
knoedel.binary.kitchen ansible_host=172.23.2.35
bob.binary.kitchen ansible_host=172.23.2.37
lasagne.binary.kitchen ansible_host=172.23.2.38
tschunk.binary.kitchen ansible_host=172.23.2.39
bowle.binary.kitchen ansible_host=172.23.2.62
bowle.binary.kitchen ansible_host=172.23.2.62 ansible_python_interpreter=/usr/local/bin/python2.7
salat.binary.kitchen ansible_host=172.23.9.61
[auweg]
weizen.binary.kitchen ansible_host=172.23.12.61
aeron.binary.kitchen ansible_host=172.23.13.3
lock-auweg.binary.kitchen ansible_host=172.23.13.12
[fan_rz]
helium.binary-kitchen.net
lithium.binary-kitchen.net
@ -28,16 +19,9 @@ oxygen.binary-kitchen.net
fluorine.binary-kitchen.net
neon.binary-kitchen.net
sodium.binary-kitchen.net
magnesium.binary-kitchen.net
aluminium.binary-kitchen.net
krypton.binary-kitchen.net
yttrium.binary-kitchen.net
zirconium.binary-kitchen.net
molybdenum.binary-kitchen.net
technetium.binary-kitchen.net
ruthenium.binary-kitchen.net
rhodium.binary-kitchen.net
palladium.binary-kitchen.net
argentum.binary-kitchen.net
cadmium.binary-kitchen.net
barium.binary-kitchen.net

49
roles/23b/tasks/main.yml
View File

@ -1,49 +0,0 @@
---
- name: Install packages
apt:
name:
- docker-compose
- name: Create 23b group
group: name=23b
- name: Create 23b user
user:
name: 23b
home: /opt/23b
shell: /bin/bash
group: 23b
groups: docker
# docker-compolse.yml is managed outside ansible
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ bk23b_domain }}.key -out /etc/nginx/ssl/{{ bk23b_domain }}.crt -days 730 -subj "/CN={{ bk23b_domain }}" creates=/etc/nginx/ssl/{{ bk23b_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for 23b
template: src=certs.j2 dest=/etc/acertmgr/{{ bk23b_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/23b
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/23b dest=/etc/nginx/sites-enabled/23b state=link
notify: Restart nginx
- name: Systemd unit for 23b
template: src=23b.service.j2 dest=/etc/systemd/system/23b.service
notify:
- Reload systemd
- Restart 23b
- name: Start the 23b service
service: name=23b state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ bk23b_domain }}"

28
roles/23b/templates/23b.service.j2
View File

@ -1,28 +0,0 @@
[Unit]
Description=23b service using docker compose
Requires=docker.service
After=docker.service
Before=nginx.service
[Service]
Type=simple
User=23b
Group=23b
Restart=always
TimeoutStartSec=1200
WorkingDirectory=/opt/23b/23b/23b
# Make sure no old containers are running
ExecStartPre=/usr/bin/docker-compose down -v
# Compose up
ExecStart=/usr/bin/docker-compose up
# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker-compose down -v
[Install]
WantedBy=multi-user.target

7
roles/act_runner/defaults/main.yml
View File

@ -1,7 +0,0 @@
---
actrunner_user: act_runner
actrunner_group: act_runner
actrunner_version: 0.2.10
actrunner_url: https://gitea.com/gitea/act_runner/releases/download/v{{ actrunner_version }}/act_runner-{{ actrunner_version }}-linux-amd64

7
roles/act_runner/handlers/main.yml
View File

@ -1,7 +0,0 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart act_runner
service: name=act_runner state=restarted

35
roles/act_runner/tasks/main.yml
View File

@ -1,35 +0,0 @@
---
- name: Create group
group: name={{ actrunner_group }}
- name: Create user
user: name={{ actrunner_user }} home=/var/lib/act_runner group={{ actrunner_group }} groups=docker
- name: Create directories
file: path={{ item }} state=directory owner={{ actrunner_user }} group={{ actrunner_group }}
with_items:
- /etc/act_runner
- /var/lib/act_runner
- name: Download act_runner binary
get_url: url={{ actrunner_url }} dest=/usr/local/bin/act_runner-{{ actrunner_version }} mode=0755
register: runner_download
- name: Symlink act_runner binary
file: src=/usr/local/bin/act_runner-{{ actrunner_version }} dest=/usr/local/bin/act_runner state=link
when: runner_download.changed
notify: Restart act_runner
- name: Configure act_runner
template: src=config.yaml.j2 dest=/etc/act_runner/config.yaml owner={{ actrunner_user }} group={{ actrunner_group }}
notify: Restart act_runner
- name: Install systemd unit
template: src=act_runner.service.j2 dest=/lib/systemd/system/act_runner.service
notify:
- Reload systemd
- Restart act_runner
- name: Enable act_runner
service: name=act_runner state=started enabled=yes

16
roles/act_runner/templates/act_runner.service.j2
View File

@ -1,16 +0,0 @@
[Unit]
Description=Gitea Actions runner
Documentation=https://gitea.com/gitea/act_runner
After=docker.service
[Service]
ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
ExecReload=/bin/kill -s HUP $MAINPID
WorkingDirectory=/var/lib/act_runner
TimeoutSec=0
RestartSec=10
Restart=always
User={{ actrunner_user }}
[Install]
WantedBy=multi-user.target

86
roles/act_runner/templates/config.yaml.j2
View File

@ -1,86 +0,0 @@
log:
# The level of logging, can be trace, debug, info, warn, error, fatal
level: warn
runner:
# Where to store the registration result.
file: .runner
# Execute how many tasks concurrently at the same time.
capacity: 4
# Extra environment variables to run jobs.
envs:
# Extra environment variables to run jobs from a file.
# It will be ignored if it's empty or the file doesn't exist.
env_file: .env
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 3h
# Whether skip verifying the TLS certificate of the Gitea instance.
insecure: false
# The timeout for fetching the job from the Gitea instance.
fetch_timeout: 5s
# The interval for fetching the job from the Gitea instance.
fetch_interval: 2s
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
# Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
# If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `deamon`, will use labels in `.runner` file.
labels: [
"ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest",
"ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04",
"ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04",
]
cache:
# Enable cache server to use actions/cache.
enabled: true
# The directory to store the cache data.
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
dir: ""
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
host: ""
# The port of the cache server.
# 0 means to use a random available port.
port: 0
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
external_server: ""
container:
# Specifies the network to which the container will connect.
# Could be host, bridge or the name of a custom network.
# If it's empty, act_runner will create a network automatically.
network: ""
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: false
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options:
# The parent directory of a job's working directory.
# If it's empty, /workspace will be used.
workdir_parent:
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes: []
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: ""
# Pull docker image(s) even if already present
force_pull: false
host:
# The parent directory of a job's working directory.
# If it's empty, $HOME/.cache/act/ will be used.
workdir_parent:

13
roles/authentik/handlers/main.yml
View File

@ -1,13 +0,0 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart authentik
service: name=authentik state=restarted
- name: Restart nginx
service: name=nginx state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

51
roles/authentik/tasks/main.yml
View File

@ -1,51 +0,0 @@
---
- name: Install packages
apt:
name:
- docker-compose
- name: Create authentik group
group: name=authentik
- name: Create authentik user
user:
name: authentik
home: /opt/authentik
shell: /bin/bash
group: authentik
groups: docker
- name: Configure authentik container
template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml
notify: Restart authentik
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ authentik_domain }}.key -out /etc/nginx/ssl/{{ authentik_domain }}.crt -days 730 -subj "/CN={{ authentik_domain }}" creates=/etc/nginx/ssl/{{ authentik_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for authentik
template: src=certs.j2 dest=/etc/acertmgr/{{ authentik_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/authentik
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/authentik dest=/etc/nginx/sites-enabled/authentik state=link
notify: Restart nginx
- name: Systemd unit for authentik
template: src=authentik.service.j2 dest=/etc/systemd/system/authentik.service
notify:
- Reload systemd
- Restart authentik
- name: Start the authentik service
service: name=authentik state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ authentik_domain }}"

28
roles/authentik/templates/authentik.service.j2
View File

@ -1,28 +0,0 @@
[Unit]
Description=authentik service using docker compose
Requires=docker.service
After=docker.service
Before=nginx.service
[Service]
Type=simple
User=authentik
Group=authentik
Restart=always
TimeoutStartSec=1200
WorkingDirectory=/opt/authentik
# Make sure no old containers are running
ExecStartPre=/usr/bin/docker-compose down -v
# Compose up
ExecStart=/usr/bin/docker-compose up
# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker-compose down -v
[Install]
WantedBy=multi-user.target

75
roles/authentik/templates/docker-compose.yml.j2
View File

@ -1,75 +0,0 @@
---
version: "3.4"
services:
postgresql:
image: docker.io/library/postgres:12-alpine
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- ./database:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: {{ authentik_dbpass }}
POSTGRES_USER: {{ authentik_dbuser }}
POSTGRES_DB: {{ authentik_dbname }}
redis:
image: docker.io/library/redis:alpine
command: --save 60 1 --loglevel warning
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
- ./redis:/data
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
restart: unless-stopped
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
volumes:
- ./media:/media
- ./custom-templates:/templates
ports:
- "127.0.0.1:9000:9000"
depends_on:
- postgresql
- redis
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
restart: unless-stopped
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
# `user: root` and the docker socket volume are optional.
# See more for the docker socket integration here:
# https://goauthentik.io/docs/outposts/integrations/docker
# Removing `user: root` also prevents the worker from fixing the permissions
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
# (1000:1000 by default)
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./media:/media
- ./certs:/certs
- ./custom-templates:/templates
depends_on:
- postgresql
- redis

41
roles/authentik/templates/vhost.j2
View File

@ -1,41 +0,0 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
server_name {{ authentik_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ authentik_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ authentik_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ authentik_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ authentik_domain }}.crt;
location / {
proxy_pass http://localhost:9000;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}

2
roles/bk_dss/defaults/main.yml
View File

@ -1,4 +1,4 @@
---
dss_uwsgi_port: 5001
dss_version: 0.8.5
dss_version: 0.8.4

5
roles/bk_dss/tasks/main.yml
View File

@ -44,8 +44,3 @@
- name: Enable vhosts
file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
notify: Restart nginx
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ dss_domain }}"

6
roles/bk_dss/templates/config.cfg.j2
View File

@ -1,14 +1,12 @@
DEBUG = True
REMEMBER_COOKIE_SECURE = True
SECRET_KEY = "{{ dss_secret }}"
SESSION_COOKIE_SECURE = True
SESSION_TIMEOUT = 3600
LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
LDAP_URI = "{{ ldap_uri }}"
LDAP_BASE = "{{ ldap_base }}"
ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=anke,ou=people,dc=binary-kitchen,dc=de", "cn=toffy,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=marove,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
@ -30,7 +28,7 @@ USER_ATTRS = {
'userPassword' : '{pass}'
}
GROUP_FILTER = "(objectClass=posixGroup)"
GROUP_DN = 'cn=members,ou=groups,dc=binary-kitchen,dc=de'
REDIS_HOST = "127.0.0.1"
REDIS_PASSWD = None

3
roles/common/defaults/main.yml
View File

@ -6,6 +6,3 @@ logrotate_excludes:
- "/etc/logrotate.d/dbconfig-common"
- "/etc/logrotate.d/btmp"
- "/etc/logrotate.d/wtmp"
sshd_password_authentication: "no"
sshd_permit_root_login: "prohibit-password"

4261
roles/common/files/.zshrc
View File

File diff suppressed because it is too large Load Diff

10
roles/common/files/50-virtio-kernel-names.link Normal file
View File

@ -0,0 +1,10 @@
# udev 226 introduced predictable interface names for virtio;
# disable this for upgrades. You can remove this file if you update your
# network configuration to move to the ens* names instead.
# See /usr/share/doc/udev/README.Debian.gz for details about predictable
# network interface names.
[Match]
Driver=virtio_net
[Link]
NamePolicy=onboard kernel

6
roles/common/files/99-default.link Normal file
View File

@ -0,0 +1,6 @@
# This machine is most likely a virtualized guest, where the old persistent
# network interface mechanism (75-persistent-net-generator.rules) did not work.
# This file disables /lib/systemd/network/99-default.link to avoid
# changing network interface names on upgrade. Please read
# /usr/share/doc/udev/README.Debian.gz about how to migrate to the currently
# supported mechanism.

9
roles/common/handlers/main.yml
View File

@ -1,16 +1,7 @@
---
- name: Restart chrony
service: name=chrony state=restarted
- name: Restart journald
service: name=systemd-journald state=restarted
- name: Restart sshd
service: name=sshd state=restarted
- name: update-grub
command: update-grub
- name: update-initramfs
command: update-initramfs -u -k all

48
roles/common/tasks/Debian.yml
View File

@ -3,10 +3,7 @@
- name: Install misc software
apt:
name:
- apt-transport-https
- dnsutils
- fdisk
- gnupg2
- htop
- less
- net-tools
@ -16,7 +13,6 @@
- rsync
- sudo
- vim-nox
- wget
- zsh
- name: Install software on KVM VMs
@ -30,32 +26,35 @@
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- { src: '.zshrc', dest: '/root/.zshrc' }
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
- { src: 'motd', dest: '/etc/motd' }
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
- name: Set shell for root user
user: name=root shell=/bin/zsh
- name: Create LDAP client config
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
- name: Disable hibernation/resume
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
notify: update-initramfs
- name: Enable serial console on KVM VMs
lineinfile:
path: "/etc/default/grub"
state: "present"
regexp: "^#?GRUB_CMDLINE_LINUX=.*"
line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
notify: update-grub
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
# TODO template /etc/network/interfaces
- name: Fix network interface names
copy: src={{ item }} dest=/etc/systemd/network/{{ item }}
with_items:
- 50-virtio-kernel-names.link
- 99-default.link
notify: update-initramfs
- name: Prevent normal users from running su
lineinfile:
path: /etc/pam.d/su
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
line: "auth required pam_wheel.so"
regexp: '^.*auth\s+required\s+pam_wheel.so$'
line: 'auth required pam_wheel.so'
- name: Configure journald retention
lineinfile:
@ -90,25 +89,16 @@
set_fact:
logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
- name: "Set logrotate.d/* to daily"
- name: 'Set logrotate.d/* to daily'
replace:
path: "{{ item }}"
regexp: "(?:weekly|monthly)"
replace: "daily"
loop: "{{ logrotateconfigpaths }}"
- name: "Set /etc/logrotate.d/* rotation to 7"
- name: 'Set /etc/logrotate.d/* rotation to 7'
replace:
path: "{{ item }}"
regexp: "rotate [0-9]+"
replace: "rotate 7"
loop: "{{ logrotateconfigpaths }}"
- name: Configure sshd
template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: '0644'
notify: Restart sshd

14
roles/common/tasks/FreeBSD.yml Normal file
View File

@ -0,0 +1,14 @@
---
- name: Install misc software
pkgng:
name:
- vim-lite
- htop
- zsh
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
with_items:
- { src: '.zshrc', dest: '/root/.zshrc' }
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }

9
roles/common/tasks/Proxmox.yml
View File

@ -13,12 +13,11 @@
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- { src: '.zshrc', dest: '/root/.zshrc' }
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
- { src: 'motd', dest: '/etc/motd' }
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
- name: Set shell for root user
user: name=root shell=/bin/zsh

8
roles/common/tasks/chrony.yml
View File

@ -1,8 +0,0 @@
---
- name: Install chrony
apt: name=chrony
- name: Configure chrony
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
notify: Restart chrony

13
roles/common/tasks/main.yml
View File

@ -2,20 +2,21 @@
- name: Cleanup
apt: autoclean=yes
when: ansible_os_family == "Debian"
when: ansible_os_family == 'Debian'
- name: Gather package facts
package_facts:
manager: apt
when: ansible_os_family == "Debian"
when: ansible_os_family == 'Debian'
- name: Proxmox
include: Proxmox.yml
when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages
when: ansible_os_family == 'Debian' and 'pve-manager' in ansible_facts.packages
- name: Debian
include: Debian.yml
when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
when: ansible_os_family == 'Debian' and 'pve-manager' not in ansible_facts.packages
- name: Setup chrony
include: chrony.yml
- name: FreeBSD
include: FreeBSD.yml
when: ansible_distribution == 'FreeBSD'

52
roles/common/templates/chrony.conf.j2
View File

@ -1,52 +0,0 @@
# Welcome to the chrony configuration file. See chrony.conf(5) for more
# information about usable directives.
# Include configuration files found in /etc/chrony/conf.d.
confdir /etc/chrony/conf.d
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
{% if ntp_peers is defined %}
{% for peer in ntp_peers %}
peer {{ peer }}
{% endfor %}
{% endif %}
{% if ntp_server is defined and ntp_server is true %}
allow 172.23.0.0/16
{% endif -%}
# This directive specify the location of the file containing ID/key pairs for
# NTP authentication.
keyfile /etc/chrony/chrony.keys
# This directive specify the file into which chronyd will store the rate
# information.
driftfile /var/lib/chrony/chrony.drift
# Save NTS keys and cookies.
ntsdumpdir /var/lib/chrony
# Uncomment the following line to turn logging on.
#log tracking measurements statistics
# Log files location.
logdir /var/log/chrony
# Stop bad estimates upsetting machine clock.
maxupdateskew 100.0
# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
rtcsync
# Step the system clock instead of slewing it if the adjustment is larger than
# one second, but only in the first three clock updates.
makestep 1 3
# Get TAI-UTC offset and leap seconds from the system tz database.
# This directive must be commented out when using time sources serving
# leap-smeared time.
leapsectz right/UTC

19
roles/common/templates/ldap.conf.j2 Normal file
View File

@ -0,0 +1,19 @@
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE {{ ldap_base }}
URI {{ ldap_uri }}
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_REQCERT demand
TLS_CACERTDIR /etc/ssl/certs
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

132
roles/common/templates/sshd_config.j2
View File

@ -1,132 +0,0 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin {{ sshd_permit_root_login }}
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
{% if sshd_authkeys_command is defined and sshd_authkeys_command %}
AuthorizedKeysCommand {{ sshd_authkeys_command }}
{% if sshd_authkeys_user is defined and sshd_authkeys_user %}
AuthorizedKeysCommandUser {{ sshd_authkeys_user }}
{% else %}
AuthorizedKeysCommandUser nobody
{% endif %}
{% else %}
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
{% endif %}
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication {{ sshd_password_authentication }}
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

6
roles/coturn/handlers/main.yml
View File

@ -1,10 +1,4 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart coturn
service: name=coturn state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

22
roles/coturn/tasks/main.yml
View File

@ -3,28 +3,6 @@
- name: Install coturn
apt: name=coturn
- name: Create coturn service override directory
file: path=/etc/systemd/system/coturn.service.d state=directory
- name: Configure coturn service override
template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
notify:
- Reload systemd
- Restart coturn
- name: Create gitea directories
file: path={{ item }} state=directory owner=turnserver
with_items:
- /etc/turnserver
- /etc/turnserver/certs
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
notify: Run acertmgr
- name: Configure coturn
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:

15
roles/coturn/templates/certs.j2
View File

@ -1,15 +0,0 @@
---
{{ coturn_realm }}:
- path: /etc/turnserver/certs/{{ coturn_realm }}.key
user: turnserver
group: turnserver
perm: '400'
format: key
action: '/usr/sbin/service coturn restart'
- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
user: turnserver
group: turnserver
perm: '400'
format: crt,ca
action: '/usr/sbin/service coturn restart'

2
roles/coturn/templates/coturn.override.j2
View File

@ -1,2 +0,0 @@
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE

216
roles/coturn/templates/turnserver.conf.j2
View File

@ -1,9 +1,9 @@
# Coturn TURN SERVER configuration file
#
# Boolean values note: where a boolean value is supposed to be used,
# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
# If the value is missing, then it means 'true' by default.
# Boolean values note: where boolean value is supposed to be used,
# you can use '0', 'off', 'no', 'false', 'f' as 'false,
# and you can use '1', 'on', 'yes', 'true', 't' as 'true'
# If the value is missed, then it means 'true'.
#
# Listener interface device (optional, Linux only).
@ -15,19 +15,19 @@
# Note: actually, TLS & DTLS sessions can connect to the
# "plain" TCP & UDP port(s), too - if allowed by configuration.
#
listening-port=443
#listening-port=3478
# TURN listener port for TLS (Default: 5349).
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
# port(s), too - if allowed by configuration. The TURN server
# "automatically" recognizes the type of traffic. Actually, two listening
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
# For secure TCP connections, Coturn currently supports
# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
# For secure TCP connections, we currently support SSL version 3 and
# TLS version 1.0, 1.1 and 1.2.
# For secure UDP connections, Coturn supports DTLS version 1.
# For secure UDP connections, we support DTLS version 1.
#
tls-listening-port=443
#tls-listening-port=5349
# Alternative listening port for UDP and TCP listeners;
# default (or zero) value means "listening port plus one".
@ -45,14 +45,6 @@ tls-listening-port=443
#
#alt-tls-listening-port=0
# Some network setups will require using a TCP reverse proxy in front
# of the STUN server. If the proxy port option is set a single listener
# is started on the given port that accepts connections using the
# haproxy proxy protocol v2.
# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
#
#tcp-proxy-port=5555
# Listener IP address of relay server. Multiple listeners can be specified.
# If no IP(s) specified in the config file or in the command line options,
# then all IPv4 and IPv6 system IPs will be used for listening.
@ -125,10 +117,7 @@ tls-listening-port=443
#
# By default, this value is empty, and no address mapping is used.
#
external-ip={{ ansible_default_ipv4.address }}
{% if ansible_default_ipv6.address is defined %}
external-ip={{ ansible_default_ipv6.address }}
{% endif %}
#external-ip=60.70.80.91
#
#OR:
#
@ -144,8 +133,8 @@ external-ip={{ ansible_default_ipv6.address }}
#
# If this parameter is not set, then the default OS-dependent
# thread pattern algorithm will be employed. Usually the default
# algorithm is optimal, so you have to change this option
# if you want to make some fine tweaks.
# algorithm is the most optimal, so you have to change this option
# only if you want to make some fine tweaks.
#
# In the older systems (Linux kernel before 3.9),
# the number of UDP threads is always one thread per network listening
@ -166,7 +155,7 @@ external-ip={{ ansible_default_ipv6.address }}
# Uncomment to run TURN server in 'extra' verbose mode.
# This mode is very annoying and produces lots of output.
# Not recommended under normal circumstances.
# Not recommended under any normal circumstances.
#
#Verbose
@ -180,27 +169,15 @@ fingerprint
#
#lt-cred-mech
# This option is the opposite of lt-cred-mech.
# This option is opposite to lt-cred-mech.
# (TURN Server with no-auth option allows anonymous access).
# If neither option is defined, and no users are defined,
# then no-auth is default. If at least one user is defined,
# in this file, in command line or in usersdb file, then
# in this file or in command line or in usersdb file, then
# lt-cred-mech is default.
#
#no-auth
# Enable prometheus exporter
# If enabled the turnserver will expose an endpoint with stats on a prometheus format
# this endpoint is listening on a different port to not conflict with other configurations.
#
# You can simply run the turnserver and access the port 9641 and path /metrics
#
# For mor info on the prometheus exporter and metrics
# https://prometheus.io/docs/introduction/overview/
# https://prometheus.io/docs/concepts/data_model/
#
#prometheus
# TURN REST API flag.
# (Time Limited Long Term Credential)
# Flag that sets a special authorization option that is based upon authentication secret.
@ -216,33 +193,34 @@ fingerprint
# turn password -> base64(hmac(secret key, usercombo))
#
# This allows TURN credentials to be accounted for a specific user id.
# If you don't have a suitable id, then the timestamp alone can be used.
# This option is enabled by turning on secret-based authentication.
# The actual value of the secret is defined either by the option static-auth-secret,
# If you don't have a suitable id, the timestamp alone can be used.
# This option is just turning on secret-based authentication.
# The actual value of the secret is defined either by option static-auth-secret,
# or can be found in the turn_secret table in the database (see below).
#
# Read more about it:
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
#
# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
# this option then it automatically enables lt-cred-mech internally
# as if you had enabled both.
# Be aware that use-auth-secret overrides some part of lt-cred-mech.
# Notice that this feature depends internally on lt-cred-mech, so if you set
# use-auth-secret then it enables internally automatically lt-cred-mech option
# like if you enable both.
#
# Note that you can use only one auth mechanism at the same time! This is because,
# both mechanisms conduct username and password validation in different ways.
# You can use only one of the to auth mechanisms in the same time because,
# both mechanism use the username and password validation in different way.
#
# Use either lt-cred-mech or use-auth-secret in the conf
# This way be aware that you can't use both auth mechnaism in the same time!
# Use in config either the lt-cred-mech or the use-auth-secret
# to avoid any confusion.
#
use-auth-secret
# 'Static' authentication secret value (a string) for TURN REST API only.
# If not set, then the turn server
# will try to use the 'dynamic' value in the turn_secret table
# in the user database (if present). The database-stored value can be changed on-the-fly
# by a separate program, so this is why that mode is considered 'dynamic'.
# will try to use the 'dynamic' value in turn_secret table
# in user database (if present). The database-stored value can be changed on-the-fly
# by a separate program, so this is why that other mode is 'dynamic'.
#
static-auth-secret={{ coturn_secret }}
@ -256,10 +234,10 @@ static-auth-secret={{ coturn_secret }}
#
#oauth
# 'Static' user accounts for the long term credentials mechanism, only.
# 'Static' user accounts for long term credentials mechanism, only.
# This option cannot be used with TURN REST API.
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
# so they can NOT be changed while the turnserver is running.
# so that they can NOT be changed while the turnserver is running.
#
#user=username1:key1
#user=username2:key2
@ -285,15 +263,15 @@ static-auth-secret={{ coturn_secret }}
# SQLite database file name.
#
# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
# Default file name is /var/db/turndb or /usr/local/var/db/turndb or
# /var/lib/turn/turndb.
#
#userdb=/var/db/turndb
# PostgreSQL database connection string in the case that you are using PostgreSQL
# PostgreSQL database connection string in the case that we are using PostgreSQL
# as the user database.
# This database can be used for the long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
# versions connection string format, see
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
@ -301,43 +279,43 @@ static-auth-secret={{ coturn_secret }}
#
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
# MySQL database connection string in the case that you are using MySQL
# MySQL database connection string in the case that we are using MySQL
# as the user database.
# This database can be used for the long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
#
# Optional connection string parameters for the secure communications (SSL):
# ca, capath, cert, key, cipher
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
# command options description).
#
# Use the string format below (space separated parameters, all optional):
# Use string format as below (space separated parameters, all optional):
#
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
# If you want to use an encrypted password in the MySQL connection string,
# then set the MySQL password encryption secret key file with this option.
# If you want to use in the MySQL connection string the password in encrypted format,
# then set in this option the MySQL password encryption secret key file.
#
# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
# If you want to use a cleartext password then do not set this option!
# Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format!
# If you want to use cleartext password then do not set this option!
#
# This is the file path for the aes encrypted secret key used for password encryption.
# This is the file path which contain secret key of aes encryption while using password encryption.
#
#secret-key-file=/path/
# MongoDB database connection string in the case that you are using MongoDB
# MongoDB database connection string in the case that we are using MongoDB
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
#
#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
# Redis database connection string in the case that you are using Redis
# Redis database connection string in the case that we are using Redis
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# Use the string format below (space separated parameters, all optional):
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
# Use string format as below (space separated parameters, all optional):
#
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
@ -345,23 +323,23 @@ static-auth-secret={{ coturn_secret }}
# This database keeps allocations status information, and it can be also used for publishing
# and delivering traffic and allocation event notifications.
# The connection string has the same parameters as redis-userdb connection string.
# Use the string format below (space separated parameters, all optional):
# Use string format as below (space separated parameters, all optional):
#
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
# The default realm to be used for the users when no explicit
# origin/realm relationship is found in the database, or if the TURN
# origin/realm relationship was found in the database, or if the TURN
# server is not using any database (just the commands-line settings
# and the userdb file). Must be used with long-term credentials
# mechanism or with TURN REST API.
#
# Note: If the default realm is not specified, then realm falls back to the host domain name.
# If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
# Note: If default realm is not specified at all, then realm falls back to the host domain name.
# If domain name is empty string, or '(None)', then it is initialized to am empty string.
#
realm={{ coturn_realm }}
# This flag sets the origin consistency
# check. Across the session, all requests must have the same
# The flag that sets the origin consistency
# check: across the session, all requests must have the same
# main ORIGIN attribute value (if the ORIGIN was
# initially used by the session).
#
@ -381,7 +359,7 @@ realm={{ coturn_realm }}
# Max bytes-per-second bandwidth a TURN session is allowed to handle
# (input and output network streams are treated separately). Anything above
# that limit will be dropped or temporarily suppressed (within
# that limit will be dropped or temporary suppressed (within
# the available buffer limits).
# This option can also be set through the database, for a particular realm.
#
@ -402,17 +380,17 @@ realm={{ coturn_realm }}
# Uncomment if no TCP client listener is desired.
# By default TCP client listener is always started.
#
#no-tcp
no-tcp
# Uncomment if no TLS client listener is desired.
# By default TLS client listener is always started.
#
#no-tls
no-tls
# Uncomment if no DTLS client listener is desired.
# By default DTLS client listener is always started.
#
#no-dtls
no-dtls
# Uncomment if no UDP relay endpoints are allowed.
# By default UDP relay endpoints are enabled (like in RFC 5766).
@ -425,10 +403,10 @@ realm={{ coturn_realm }}
#no-tcp-relay
# Uncomment if extra security is desired,
# with nonce value having a limited lifetime.
# The nonce value is unique for a session.
# with nonce value having limited lifetime.
# By default, the nonce value is unique for a session,
# and has unlimited lifetime.
# Set this option to limit the nonce lifetime.
# Set it to 0 for unlimited lifetime.
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
# the client will get 438 error and will have to re-authenticate itself.
#
@ -457,7 +435,6 @@ realm={{ coturn_realm }}
# Certificate file.
# Use an absolute path or path relative to the
# configuration file.
# Use PEM file format.
#
#cert=/usr/local/etc/turn_server_cert.pem
@ -480,7 +457,7 @@ realm={{ coturn_realm }}
# CA file in OpenSSL format.
# Forces TURN server to verify the client SSL certificates.
# By default this is not set: there is no default value and the client
# By default it is not set: there is no default value and the client
# certificate is not checked.
#
# Example:
@ -494,13 +471,13 @@ realm={{ coturn_realm }}
#
#ec-curve-name=prime256v1
# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
#
#dh566
# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
#
#dh1066
#dh2066
# Use custom DH TLS key, stored in PEM format in the file.
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
@ -508,16 +485,16 @@ realm={{ coturn_realm }}
#dh-file=<DH-PEM-file-name>
# Flag to prevent stdout log messages.
# By default, all log messages go to both stdout and to
# the configured log file. With this option everything will
# go to the configured log only (unless the log file itself is stdout).
# By default, all log messages are going to both stdout and to
# the configured log file. With this option everything will be
# going to the configured log only (unless the log file itself is stdout).
#
#no-stdout-log
# Option to set the log file name.
# By default, the turnserver tries to open a log file in
# /var/log, /var/tmp, /tmp and the current directory
# (Whichever file open operation succeeds first will be used).
# /var/log, /var/tmp, /tmp and current directories directories
# (which open operation succeeds first that file will be used).
# With this option you can set the definite log file name.
# The special names are "stdout" and "-" - they will force everything
# to the stdout. Also, the "syslog" name will force everything to
@ -537,25 +514,15 @@ syslog
#
#simple-log
# Enable full ISO-8601 timestamp in all logs.
#new-log-timestamp
# Set timestamp format (in strftime(1) format)
#new-log-timestamp-format "%FT%T%z"
# Disabled by default binding logging in verbose log mode to avoid DoS attacks.
# Enable binding logging and UDP endpoint logs in verbose log mode.
#log-binding
# Option to set the "redirection" mode. The value of this option
# will be the address of the alternate server for UDP & TCP service in the form of
# will be the address of the alternate server for UDP & TCP service in form of
# <ip>[:<port>]. The server will send this value in the attribute
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
# Client will receive only values with the same address family
# as the client network endpoint address family.
# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
# The client must use the obtained value for subsequent TURN communications.
# If more than one --alternate-server option is provided, then the functionality
# If more than one --alternate-server options are provided, then the functionality
# can be more accurately described as "load-balancing" than a mere "redirection".
# If the port number is omitted, then the default port
# number 3478 for the UDP/TCP protocols will be used.
@ -565,7 +532,7 @@ syslog
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
# Multiple alternate servers can be set. They will be used in the
# round-robin manner. All servers in the pool are considered of equal weight and
# the load will be distributed equally. For example, if you have 4 alternate servers,
# the load will be distributed equally. For example, if we have 4 alternate servers,
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
# address can be used more than one time with the alternate-server option, so this
# can emulate "weighting" of the servers.
@ -592,15 +559,6 @@ syslog
#
#stun-only
# Option to hide software version. Enhance security when used in production.
# Revealing the specific software version of the agent through the
# SOFTWARE attribute might allow them to become more vulnerable to
# attacks against software that is known to contain security holes.
# Implementers SHOULD make usage of the SOFTWARE attribute a
# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
#
#no-software-attribute
# Option to suppress STUN functionality, only TURN requests will be processed.
# Run as TURN server only, all STUN requests will be ignored.
# By default, this option is NOT set.
@ -664,19 +622,19 @@ mobility
# Allocate Address Family according
# If enabled then TURN server allocates address family according the TURN
# Client <=> Server communication address family.
# (By default Coturn works according RFC 6156.)
# (By default coTURN works according RFC 6156.)
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
#
#keep-address-family
# User name to run the process. After the initialization, the turnserver process
# will attempt to change the current user ID to that user.
# will make an attempt to change the current user ID to that user.
#
#proc-user=<user-name>
# Group name to run the process. After the initialization, the turnserver process
# will attempt to change the current group ID to that group.
# will make an attempt to change the current group ID to that group.
#
#proc-group=<group-name>
@ -696,8 +654,8 @@ mobility
#cli-port=5766
# CLI access password. Default is empty (no password).
# For the security reasons, it is recommended that you use the encrypted
# form of the password (see the -P command in the turnadmin utility).
# For the security reasons, it is recommended to use the encrypted
# for of the password (see the -P command in the turnadmin utility).
#
# Secure form for password 'qwerty':
#
@ -726,12 +684,8 @@ mobility
#
#web-admin-listen-on-workers
#acme-redirect=http://redirectserver/.well-known/acme-challenge/
# Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.
# Default is '', i.e. no special handling for such requests.
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
# Only for those applications when you want to run
# Only for those applications when we want to run
# server applications on the relay endpoints.
# This option eliminates the IP permissions check on
# the packets incoming to the relay endpoints.
@ -749,6 +703,6 @@ mobility
# Do not allow an TLS/DTLS version of protocol
#
#no-tlsv1
#no-tlsv1_1
#no-tlsv1_2
no-tlsv1
no-tlsv1_1
no-tlsv1_2

10
roles/dhcpd/templates/default/isc-dhcp-server.j2
View File

@ -3,12 +3,10 @@
#
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
#DHCPD_CONF=/etc/dhcp/dhcpd.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
#DHCPD_PID=/var/run/dhcpd.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
@ -16,6 +14,4 @@
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="{{ ansible_default_ipv4['interface'] }}"
INTERFACESv6=""
INTERFACES="{{ ansible_default_ipv4['interface'] }}"
INTERFACES="eth0"

135
roles/dhcpd/templates/dhcp/dhcpd.conf.j2
View File

@ -3,24 +3,13 @@
# option definitions common to all supported networks...
option domain-name "binary.kitchen";
option domain-name-servers {{ name_servers | join(', ') }};
option domain-search "binary.kitchen";
option ntp-servers 172.23.1.60, 172.23.2.3;
# options related to Mitel SIP-DECT
option space sipdect;
option local-encapsulation code 43 = encapsulate sipdect;
option sipdect.ommip1 code 10 = ip-address;
option sipdect.ommip2 code 19 = ip-address;
option sipdect.syslogip code 14 = ip-address;
option sipdect.syslogport code 15 = integer 16;
option magic_str code 224 = text;
default-lease-time 7200;
max-lease-time 28800;
# Use this to enble / disable dynamic dns updates globally.
ddns-update-style interim;
ddns-updates on;
ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
@ -72,8 +61,6 @@ subnet 172.23.2.0 netmask 255.255.255.0 {
# Users
subnet 172.23.3.0 netmask 255.255.255.0 {
option routers 172.23.3.1;
ddns-domainname "users.binary.kitchen";
option domain-search "binary.kitchen", "users.binary.kitchen";
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
@ -93,46 +80,6 @@ subnet 172.23.4.0 netmask 255.255.255.0 {
}
}
# Management Auweg
subnet 172.23.12.0 netmask 255.255.255.0 {
option routers 172.23.12.1;
}
# Services Auweg
subnet 172.23.13.0 netmask 255.255.255.0 {
allow bootp;
option routers 172.23.13.1;
}
# Users Auweg
subnet 172.23.14.0 netmask 255.255.255.0 {
option routers 172.23.14.1;
option domain-search "binary.kitchen", "users.binary.kitchen";
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.14.10 172.23.14.230;
}
}
# MQTT Auweg
subnet 172.23.15.0 netmask 255.255.255.0 {
option routers 172.23.15.1;
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.15.10 172.23.15.240;
}
}
# DDNS zones
zone users.binary.kitchen {
primary {{ dns_primary }};
}
# Fixed IPs
@ -142,7 +89,7 @@ host ap01 {
}
host ap04 {
hardware ethernet 74:9e:75:ce:93:54;
hardware ethernet 44:48:c1:ce:90:06;
fixed-address ap04.binary.kitchen;
}
@ -151,44 +98,34 @@ host ap05 {
fixed-address ap05.binary.kitchen;
}
host ap06 {
hardware ethernet 94:b4:0f:c0:1d:a0;
fixed-address ap06.binary.kitchen;
}
host ap11 {
hardware ethernet 18:64:72:c6:c2:0c;
fixed-address ap11.binary.kitchen;
}
host ap12 {
hardware ethernet 18:64:72:c6:c4:98;
fixed-address ap12.binary.kitchen;
}
host bowle {
hardware ethernet ac:1f:6b:25:16:b6;
fixed-address bowle.binary.kitchen;
}
host cannelloni {
hardware ethernet b8:27:eb:18:5c:11;
hardware ethernet 00:10:f3:15:88:ac;
fixed-address cannelloni.binary.kitchen;
}
host cashdesk {
hardware ethernet 00:0b:ca:94:13:f1;
fixed-address cashdesk.binary.kitchen;
}
host fusilli {
hardware ethernet b8:27:eb:1d:b9:bf;
fixed-address fusilli.binary.kitchen;
}
host habdisplay1 {
hardware ethernet b8:27:eb:b6:62:be;
fixed-address habdisplay1.mqtt.binary.kitchen;
host garlic {
hardware ethernet b8:27:eb:56:2b:7c;
fixed-address garlic.binary.kitchen;
}
host habdisplay2 {
hardware ethernet b8:27:eb:df:0b:7b;
fixed-address habdisplay2.mqtt.binary.kitchen;
host homer {
hardware ethernet b8:27:eb:24:b2:12;
fixed-address homer.binary.kitchen;
}
host klopi {
@ -202,7 +139,7 @@ host lock {
}
host maccaroni {
hardware ethernet b8:27:eb:f5:9e:a1;
hardware ethernet b8:27:eb:18:5c:11;
fixed-address maccaroni.binary.kitchen;
}
@ -222,22 +159,22 @@ host mpcnc {
}
host noodlehub {
hardware ethernet b8:27:eb:56:2b:7c;
hardware ethernet b8:27:eb:eb:e5:88;
fixed-address noodlehub.binary.kitchen;
}
host openhabgw1 {
hardware ethernet dc:a6:32:bf:e2:3e;
fixed-address openhabgw1.mqtt.binary.kitchen;
}
host pizza {
hardware ethernet 52:54:00:17:02:21;
fixed-address pizza.binary.kitchen;
}
host punsch {
hardware ethernet 00:21:85:1b:7f:3d;
fixed-address punsch.binary.kitchen;
}
host spaghetti {
hardware ethernet b8:27:eb:eb:e5:88;
hardware ethernet b8:27:eb:e3:e9:f1;
fixed-address spaghetti.binary.kitchen;
}
@ -280,34 +217,6 @@ host voip04 {
}
# Mitel SIP-DECT
host rfp01 {
hardware ethernet 00:30:42:1B:73:5A;
fixed-address 172.23.1.111;
option host-name "rfp01";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
host rfp02 {
hardware ethernet 00:30:42:21:D4:D5;
fixed-address 172.23.1.112;
option host-name "rfp02";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
host rfp11 {
hardware ethernet 00:30:42:1B:8B:9B;
fixed-address 172.23.12.111;
option host-name "rfp11";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
# OMAPI
omapi-port 7911;

10
roles/dns_extern/tasks/main.yml
View File

@ -5,21 +5,11 @@
name:
- pdns-server
- pdns-backend-sqlite3
- sqlite3
- name: Configure powerdns
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
notify: Restart powerdns
- name: Initialize database
command:
cmd: >
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
/var/lib/powerdns/powerdns.sqlite3
creates: /var/lib/powerdns/powerdns.sqlite3
become: true
become_user: pdns
- name: Copy update policy script
copy: src=updatepolicy.lua dest=/etc/powerdns/updatepolicy.lua
notify: Restart powerdns

4
roles/dns_extern/templates/pdns.conf.j2
View File

@ -1,4 +1,5 @@
local-address=0.0.0.0, ::
local-address=0.0.0.0
local-ipv6=::
launch=gsqlite3
gsqlite3-dnssec
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
@ -10,4 +11,3 @@ allow-axfr-ips=127.0.0.1,::1{% if dns_axfr_ips is defined %},{{ dns_axfr_ips | j
{% endif %}
allow-dnsupdate-from=0.0.0.0/0,::/0
lua-dnsupdate-policy-script=/etc/powerdns/updatepolicy.lua
security-poll-suffix=

3
roles/dns_intern/handlers/main.yml
View File

@ -5,6 +5,3 @@
with_items:
- pdns
- pdns-recursor
- name: Restart dnsdist
service: name=dnsdist state=restarted

23
roles/dns_intern/tasks/main.yml
View File

@ -3,11 +3,8 @@
- name: Install powerdns
apt:
name:
- dnsdist
- pdns-backend-sqlite3
- pdns-server
- pdns-recursor
- sqlite3
- name: Create zone directory
file: path=/etc/powerdns/bind/ state=directory
@ -22,28 +19,8 @@
- bind/23.172.in-addr.arpa.zone
- bind/binary.kitchen.zone
- name: Initialize database
command:
cmd: >
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
/var/lib/powerdns/pdns.sqlite3
creates: /var/lib/powerdns/pdns.sqlite3
become: true
become_user: pdns
# TODO
# Initialize zone users.binary.kitchen using pdnsutil or SQL on the master
# TODO
# Initialize zone users.binary.kitchen using "pdnsutil create-slave-zone users.binary.kitchen 172.23.2.3" on the slave
- name: Configure dnsdist
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
notify: Restart dnsdist
- name: Start the powerdns services
service: name={{ item }} state=started enabled=yes
with_items:
- dnsdist
- pdns
- pdns-recursor

67
roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2
View File

@ -1,57 +1,52 @@
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2024051300; serial
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
2020051101; serial
1d; refresh
2h; retry
4w; expire
1h; minimum time-to-live
)
IN NS ns1.binary.kitchen.
IN NS ns2.binary.kitchen.
IN NS ns.binary.kitchen.
; Loopback
1.0 IN PTR core.binary.kitchen.
2.0 IN PTR rt-w13b.binary.kitchen.
2.0 IN PTR erx-bk.binary.kitchen.
3.0 IN PTR erx-rz.binary.kitchen.
4.0 IN PTR erx-auweg.binary.kitchen.
4.0 IN PTR pf-bk.binary.kitchen.
5.0 IN PTR pf-rz.binary.kitchen.
; Management
1.1 IN PTR v2301.core.binary.kitchen.
11.1 IN PTR ups1.binary.kitchen.
21.1 IN PTR pdu1.binary.kitchen.
22.1 IN PTR pdu2.binary.kitchen.
23.1 IN PTR pdu3.binary.kitchen.
31.1 IN PTR sw-butchery.binary.kitchen.
32.1 IN PTR sw-mini.binary.kitchen.
33.1 IN PTR sw-rack.binary.kitchen.
31.1 IN PTR sw01.binary.kitchen.
32.1 IN PTR sw02.binary.kitchen.
33.1 IN PTR sw03.binary.kitchen.
41.1 IN PTR ap01.binary.kitchen.
42.1 IN PTR ap02.binary.kitchen.
43.1 IN PTR ap03.binary.kitchen.
44.1 IN PTR ap04.binary.kitchen.
45.1 IN PTR ap05.binary.kitchen.
46.1 IN PTR ap06.binary.kitchen.
51.1 IN PTR modem.binary.kitchen.
60.1 IN PTR wurst.binary.kitchen.
80.1 IN PTR wurst-bmc.binary.kitchen.
82.1 IN PTR bowle-bmc.binary.kitchen.
101.1 IN PTR nbe-w13b.binary.kitchen.
102.1 IN PTR nbe-tr8.binary.kitchen.
111.1 IN PTR rfp01.binary.kitchen.
112.1 IN PTR rfp02.binary.kitchen.
; Services
1.2 IN PTR v2302.core.binary.kitchen.
2.2 IN PTR ns.binary.kitchen.
3.2 IN PTR bacon.binary.kitchen.
4.2 IN PTR aveta.binary.kitchen.
5.2 IN PTR sulis.binary.kitchen.
6.2 IN PTR nabia.binary.kitchen.
7.2 IN PTR epona.binary.kitchen.
11.2 IN PTR homer.binary.kitchen.
12.2 IN PTR lock.binary.kitchen.
13.2 IN PTR matrix.binary.kitchen.
33.2 IN PTR pizza.binary.kitchen.
34.2 IN PTR pancake.binary.kitchen.
35.2 IN PTR knoedel.binary.kitchen.
36.2 IN PTR schweinshaxn.binary.kitchen.
37.2 IN PTR bob.binary.kitchen.
38.2 IN PTR lasagne.binary.kitchen.
39.2 IN PTR tschunk.binary.kitchen.
44.2 IN PTR cashdesk.binary.kitchen.
62.2 IN PTR bowle.binary.kitchen.
91.2 IN PTR strammermax.binary.kitchen.
92.2 IN PTR obatzda.binary.kitchen.
@ -61,48 +56,32 @@ $GENERATE 10-230 $.3 IN PTR dhcp-${0,3,d}-03.binary.kitchen.
240.3 IN PTR fusilli.binary.kitchen.
241.3 IN PTR klopi.binary.kitchen.
242.3 IN PTR mpcnc.binary.kitchen.
243.3 IN PTR garlic.binary.kitchen.
244.3 IN PTR mirror.binary.kitchen.
245.3 IN PTR spaghetti.binary.kitchen.
246.3 IN PTR maccaroni.binary.kitchen.
247.3 IN PTR pve02-bmc.tmp.binary.kitchen.
248.3 IN PTR pve02.tmp.binary.kitchen.
249.3 IN PTR ffrgb.binary.kitchen.
250.3 IN PTR cannelloni.binary.kitchen.
251.3 IN PTR noodlehub.binary.kitchen.
; MQTT
1.4 IN PTR v2304.core.binary.kitchen.
6.4 IN PTR pizza.mqtt.binary.kitchen.
7.4 IN PTR lasagne.mqtt.binary.kitchen.
$GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
241.4 IN PTR habdisplay1.mqtt.binary.kitchen.
242.4 IN PTR habdisplay2.mqtt.binary.kitchen.
245.4 IN PTR logo1.mqtt.binary.kitchen.
246.4 IN PTR logo2.mqtt.binary.kitchen.
250.4 IN PTR moodlights1.mqtt.binary.kitchen.
251.4 IN PTR openhabgw1.mqtt.binary.kitchen.
252.4 IN PTR homematic-ccu2.mqtt.binary.kitchen.
; Management RZ
1.9 IN PTR switch0.erx-rz.binary.kitchen.
61.9 IN PTR salat.binary.kitchen.
81.9 IN PTR salat-bmc.binary.kitchen.
; Services RZ
23.8 IN PTR cernunnos.binary.kitchen.
; VPN RZ (ER-X)
1.10 IN PTR wg0.erx-rz.binary.kitchen.
1.10 IN PTR wg1.erx-rz.binary.kitchen.
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
; Management Auweg
31.12 IN PTR sw-auweg.binary.kitchen.
41.12 IN PTR ap11.binary.kitchen.
42.12 IN PTR ap12.binary.kitchen.
61.12 IN PTR weizen.binary.kitchen.
111.12 IN PTR rfp11.binary.kitchen.
; Services Auweg
3.13 IN PTR aeron.binary.kitchen.
12.13 IN PTR lock-auweg.binary.kitchen.
; Clients Auweg
$GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen.
; MQTT
$GENERATE 10-240 $.15 IN PTR dhcp-${0,3,d}-15.binary.kitchen.
; VPN RZ (pf)
$GENERATE 2-254 $.11 IN PTR vpn-${0,3,d}-11.binary.kitchen.
; Point-to-Point
1.96 IN PTR v400.erx-bk.binary.kitchen.
2.96 IN PTR v400.core.binary.kitchen.
1.97 IN PTR wg1.erx-rz.binary.kitchen.
2.97 IN PTR wg1.erx-bk.binary.kitchen.
5.97 IN PTR wg2.erx-rz.binary.kitchen.
6.97 IN PTR wg2.erx-auweg.binary.kitchen.
1.97 IN PTR wg0.erx-rz.binary.kitchen.
2.97 IN PTR wg0.erx-bk.binary.kitchen.

77
roles/dns_intern/templates/bind/binary.kitchen.zone.j2
View File

@ -1,80 +1,67 @@
$ORIGIN binary.kitchen ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2024051300; serial
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
2020051101; serial
1d; refresh
2h; retry
4w; expire
1h; minimum time-to-live
)
IN NS ns1.binary.kitchen.
IN NS ns2.binary.kitchen.
; Subdomains
users IN NS ns1.binary.kitchen.
users IN NS ns2.binary.kitchen.
IN NS ns.binary.kitchen.
; External
IN A 213.166.246.4
www IN A 213.166.246.4
; Aliases
3dprinter IN A 172.23.3.251
icinga IN A 172.23.2.6
ldap IN A 172.23.2.3
ldap IN A 172.23.2.4
ldap IN A 213.166.246.2
ldap1 IN A 172.23.2.3
ldap2 IN A 172.23.2.4
ldap3 IN A 172.23.13.3
ldapm IN A 213.166.246.2
librenms IN A 172.23.2.6
netbox IN A 172.23.2.7
ns1 IN A 172.23.2.3
ns2 IN A 172.23.2.4
omm IN A 172.23.2.35
racktables IN A 172.23.2.6
radius IN A 172.23.2.3
radius IN A 172.23.2.4
; Loopback
core IN A 172.23.0.1
rt-w13b IN A 172.23.0.2
erx-bk IN A 172.23.0.2
erx-rz IN A 172.23.0.3
erx-auweg IN A 172.23.0.4
pf-bk IN A 172.23.0.4
pf-rz IN A 172.23.0.5
; Management
v2301.core IN A 172.23.1.1
ups1 IN A 172.23.1.11
pdu1 IN A 172.23.1.21
pdu2 IN A 172.23.1.22
pdu3 IN A 172.23.1.23
sw-butchery IN A 172.23.1.31
sw-mini IN A 172.23.1.32
sw-rack IN A 172.23.1.33
sw01 IN A 172.23.1.31
sw02 IN A 172.23.1.32
sw03 IN A 172.23.1.33
ap01 IN A 172.23.1.41
ap02 IN A 172.23.1.42
ap03 IN A 172.23.1.43
ap04 IN A 172.23.1.44
ap05 IN A 172.23.1.45
ap06 IN A 172.23.1.46
modem IN A 172.23.1.51
wurst IN A 172.23.1.60
wurst-bmc IN A 172.23.1.80
bowle-bmc IN A 172.23.1.82
nbe-w13b IN A 172.23.1.101
nbe-tr8 IN A 172.23.1.102
rfp01 IN A 172.23.1.111
rfp02 IN A 172.23.1.112
; Services
v2302.core IN A 172.23.2.1
ns IN A 172.23.2.2
bacon IN A 172.23.2.3
aveta IN A 172.23.2.4
sulis IN A 172.23.2.5
nabia IN A 172.23.2.6
epona IN A 172.23.2.7
homer IN A 172.23.2.11
lock IN A 172.23.2.12
matrix IN A 172.23.2.13
pizza IN A 172.23.2.33
pancake IN A 172.23.2.34
knoedel IN A 172.23.2.35
schweinshaxn IN A 172.23.2.36
bob IN A 172.23.2.37
lasagne IN A 172.23.2.38
tschunk IN A 172.23.2.39
cashdesk IN A 172.23.2.44
bowle IN A 172.23.2.62
strammermax IN A 172.23.2.91
obatzda IN A 172.23.2.92
@ -84,48 +71,32 @@ $GENERATE 10-230 dhcp-${0,3,d}-03 IN A 172.23.3.$
fusilli IN A 172.23.3.240
klopi IN A 172.23.3.241
mpcnc IN A 172.23.3.242
garlic IN A 172.23.3.243
mirror IN A 172.23.3.244
spaghetti IN A 172.23.3.245
maccaroni IN A 172.23.3.246
pve02-bmc.tmp IN A 172.23.3.247
pve02.tmp IN A 172.23.3.248
ffrgb IN A 172.23.3.249
cannelloni IN A 172.23.3.250
noodlehub IN A 172.23.3.251
; MQTT
v2304.core IN A 172.23.4.1
pizza.mqtt IN A 172.23.4.6
lasagne.mqtt IN A 172.23.4.7
$GENERATE 10-240 dhcp-${0,3,d}-04 IN A 172.23.4.$
habdisplay1.mqtt IN A 172.23.4.241
habdisplay2.mqtt IN A 172.23.4.242
logo1.mqtt IN A 172.23.4.245
logo2.mqtt IN A 172.23.4.246
moodlights1.mqtt IN A 172.23.4.250
openhabgw1.mqtt IN A 172.23.4.251
homematic-ccu2.mqtt IN A 172.23.4.252
; Management RZ
switch0.erx-rz IN A 172.23.9.1
salat IN A 172.23.9.61
salat-bmc IN A 172.23.9.81
; Services RZ
; Management Auweg
sw-auweg IN A 172.23.12.31
ap11 IN A 172.23.12.41
ap12 IN A 172.23.12.42
weizen IN A 172.23.12.61
rfp11 IN A 172.23.12.111
; Services Auweg
aeron IN A 172.23.13.3
lock-auweg IN A 172.23.13.12
; Clients Auweg
$GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$
; MQTT Auweg
$GENERATE 10-240 dhcp-${0,3,d}-15 IN A 172.23.15.$
cernunnos IN A 172.23.8.23
; VPN RZ (ER-X)
wg0.erx-rz IN A 172.23.10.1
wg1.erx-rz IN A 172.23.10.1
$GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$
; VPN RZ (pf)
$GENERATE 2-254 vpn-${0,3,d}-11 IN A 172.23.11.$
; Point-to-Point
v400.erx-bk IN A 172.23.96.1
v400.core IN A 172.23.96.2
wg1.erx-rz IN A 172.23.97.1
wg1.erx-bk IN A 172.23.97.2
wg2.erx-rz IN A 172.23.97.5
wg2.erx-auweg IN A 172.23.97.6
wg0.erx-rz IN A 172.23.97.1
wg0.erx-bk IN A 172.23.97.2

27
roles/dns_intern/templates/dnsdist.conf.j2
View File

@ -1,27 +0,0 @@
-- {{ ansible_managed }}
setLocal('127.0.0.1')
addLocal('::1')
addLocal('{{ ansible_default_ipv4.address }}')
-- define downstream servers/pools
newServer({address='127.0.0.1:5300', pool='authdns'})
newServer({address='127.0.0.1:5353', pool='resolve'})
{% if dns_secondary is defined %}
-- allow AXFR/IXFR only from slaves
addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
{% endif %}
-- allow NOTIFY only from master
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
-- use auth servers for own zones
addAction('binary.kitchen', PoolAction('authdns'))
addAction('23.172.in-addr.arpa', PoolAction('authdns'))
-- use resolver for anything else
addAction(AllRule(), PoolAction('resolve'))
-- disable security status polling via DNS
setSecurityPollSuffix('')

72
roles/dns_intern/templates/pdns.conf.j2
View File

@ -1,90 +1,46 @@
# {{ ansible_managed }}
{% if ansible_default_ipv4.address == dns_primary %}
#################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
#
# allow-dnsupdate-from=127.0.0.0/8,::1
allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }}{% if dhcpd_secondary is defined %},{{ dhcpd_secondary }}{% endif %}
#################################
# dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
#
# dnsupdate=no
dnsupdate=yes
{% endif %}
#################################
# launch Which backends to launch and order to query them in
# launch Which backends to launch and order to query them in
#
# launch=
launch=bind,gsqlite3
launch=bind
#################################
# local-address Local IP addresses to which we bind
# local-address Local IP addresses to which we bind
#
# local-address=0.0.0.0
local-address=127.0.0.1
#################################
# local-port The port on which we listen
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=::
local-ipv6=
#################################
# local-port The port on which we listen
#
# local-port=53
local-port=5300
{% if ansible_default_ipv4.address == dns_primary %}
#################################
# master Act as a master
#
# master=no
master=yes
{% if dns_secondary is defined %}
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
only-notify={{ dns_secondary }}
{% endif %}
{% endif %}
#################################
# security-poll-suffix Domain name from which to query security update notifications
# security-poll-suffix Domain name from which to query security update notifications
#
# security-poll-suffix=secpoll.powerdns.com.
security-poll-suffix=
#################################
# setgid If set, change group id to this gid for more security
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
# setuid If set, change user id to this uid for more security
#
setuid=pdns
{% if dns_secondary is defined and ansible_default_ipv4.address == dns_secondary %}
#################################
# slave Act as a slave
#
# slave=no
slave=yes
#################################
# trusted-notification-proxy IP address of incoming notification proxy
#
# trusted-notification-proxy=
trusted-notification-proxy=127.0.0.1,::1
{% endif %}
#################################
# bind-config Location of named.conf
# bind-config Location of the Bind configuration file to parse.
#
bind-config=/etc/powerdns/bindbackend.conf
#################################
# gsqlite3-database Filename of the SQLite3 database
#
# gsqlite3-database=
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3

34
roles/dns_intern/templates/recursor.conf.j2
View File

@ -1,55 +1,61 @@
# {{ ansible_managed }}
#################################
# allow-from If set, only allow these comma separated netmasks to recurse
# allow-from If set, only allow these comma separated netmasks to recurse
#
# allow-from=127.0.0.0/8
#allow-from=127.0.0.0/8
#################################
# config-dir Location of configuration directory (recursor.conf)
# config-dir Location of configuration directory (recursor.conf)
#
config-dir=/etc/powerdns
#################################
# dnssec DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
#
# dnssec=process
# dnssec=process-no-validate
dnssec=off
#################################
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
#
local-address=127.0.0.1
# forward-zones=
forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300
#################################
# local-port port to listen on
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
#
local-port=5353
local-address=127.0.0.1,{{ ansible_default_ipv4.address }}
#################################
# query-local-address6 Source IPv6 address for sending queries. IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES
# local-port port to listen on
#
local-port=53
#################################
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
#
{% if global_ipv6 is defined %}
query-local-address6={{ global_ipv6 | ipaddr('address') }}
{% endif %}
#################################
# quiet Suppress logging of questions and answers
# quiet Suppress logging of questions and answers
#
quiet=yes
#################################
# security-poll-suffix Domain name from which to query security update notifications
# security-poll-suffix Domain name from which to query security update notifications
#
# security-poll-suffix=secpoll.powerdns.com.
security-poll-suffix=
#################################
# setgid If set, change group id to this gid for more security
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
# setuid If set, change user id to this uid for more security
#
setuid=pdns

17
roles/docker/tasks/main.yml
View File

@ -1,10 +1,17 @@
---
- name: Enable docker apt-key
apt_key: url='https://download.docker.com/linux/debian/gpg'
- name: Enable docker repository
apt_repository:
repo: 'deb https://download.docker.com/linux/debian buster stable'
filename: docker
- name: Install docker
apt:
name:
- docker.io
- python3-docker
- name: Enable docker
service: name=docker state=started enabled=yes
- docker-ce
- docker-ce-cli
- containerd.io
- python-docker

7
roles/doorlock/handlers/main.yml
View File

@ -1,7 +0,0 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart nginx
service: name=nginx state=restarted

20
roles/doorlock/tasks/main.yml
View File

@ -1,20 +0,0 @@
---
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ doorlock_domain }}.key -out /etc/nginx/ssl/{{ doorlock_domain }}.crt
-days 730 -subj "/CN={{ doorlock_domain }}"
creates: /etc/nginx/ssl/{{ doorlock_domain }}.crt
notify: Restart nginx
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ doorlock_domain }}"
- name: Configure certificate manager for doorlock
template: src=certs.j2 dest=/etc/acertmgr/{{ doorlock_domain }}.conf
notify: Run acertmgr

18
roles/doorlock/templates/certs.j2
View File

@ -1,18 +0,0 @@
---
{{ doorlock_domain }}:
- mode: dns.nsupdate
nsupdate_server: {{ acme_dnskey_server }}
nsupdate_keyfile: {{ acme_dnskey_file }}
- path: /etc/nginx/ssl/{{ doorlock_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ doorlock_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'

14
roles/drone/files/drone.service Normal file
View File

@ -0,0 +1,14 @@
[Unit]
Description=drone.io server
After=network-online.target
[Service]
Type=simple
User=drone
EnvironmentFile=/etc/default/drone
ExecStart=/opt/drone/bin/drone-server
Restart=always
RestartSec=5s
[Install]
WantedBy=multi-user.target

10
roles/23b/handlers/main.yml → roles/drone/handlers/main.yml
View File

@ -3,11 +3,11 @@
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart 23b
service: name=23b state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart drone
service: name=drone state=restarted
- name: Restart nginx
service: name=nginx state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

0
roles/23b/meta/main.yml → roles/drone/meta/main.yml
View File

52
roles/drone/tasks/main.yml Normal file
View File

@ -0,0 +1,52 @@
---
- name: Create user
user: name=drone
# TODO install drone to /opt/drone/bin
# currently it is manually compiled
- name: Configure drone
template: src=drone.j2 dest=/etc/default/drone
notify: Restart drone
- name: Install PostgreSQL
apt:
name:
- postgresql
- python-psycopg2
- name: Configure PostgreSQL database
postgresql_db: name={{ drone_dbname }}
become: true
become_user: postgres
- name: Configure PostgreSQL user
postgresql_user: db={{ drone_dbname }} name={{ drone_dbuser }} password={{ drone_dbpass }} priv=ALL state=present
become: true
become_user: postgres
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ drone_domain }}.key -out /etc/nginx/ssl/{{ drone_domain }}.crt -days 730 -subj "/CN={{ drone_domain }}" creates=/etc/nginx/ssl/{{ drone_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for drone
template: src=certs.j2 dest=/etc/acertmgr/{{ drone_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/drone
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/drone dest=/etc/nginx/sites-enabled/drone state=link
notify: Restart nginx
- name: Install systemd unit
copy: src=drone.service dest=/lib/systemd/system/drone.service
notify:
- Reload systemd
- Restart drone
- name: Enable drone
service: name=drone enabled=yes

6
roles/23b/templates/certs.j2 → roles/drone/templates/certs.j2
View File

@ -1,13 +1,13 @@
---
{{ bk23b_domain }}:
- path: /etc/nginx/ssl/{{ bk23b_domain }}.key
{{ drone_domain }}:
- path: /etc/nginx/ssl/{{ drone_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ bk23b_domain }}.crt
- path: /etc/nginx/ssl/{{ drone_domain }}.crt
user: root
group: root
perm: '400'

10
roles/drone/templates/drone.j2 Normal file
View File

@ -0,0 +1,10 @@
DRONE_AGENTS_ENABLED=true
DRONE_DATABASE_DATASOURCE=postgres://{{ drone_dbuser }}:{{ drone_dbpass }}@127.0.0.1:5432/{{ drone_dbname }}
DRONE_DATABASE_DRIVER=postgres
DRONE_GITEA_SERVER=https://{{ gitea_domain }}
DRONE_GITEA_CLIENT_ID={{ drone_gitea_client }}
DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_secret }}
DRONE_RPC_SECRET={{ drone_secret }}
DRONE_SERVER_HOST={{ drone_domain }}
DRONE_SERVER_PROTO=https
DRONE_USER_CREATE=username:{{ drone_admin }},admin:true

31
roles/drone/templates/vhost.j2 Normal file
View File

@ -0,0 +1,31 @@
server {
listen 80;
listen [::]:80;
server_name {{ drone_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ drone_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ drone_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ drone_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ drone_domain }}.crt;
location / {
client_max_body_size 128M;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:8080;
}
}

0
roles/act_runner/meta/main.yml → roles/drone_runner/meta/main.yml
View File

20
roles/drone_runner/tasks/main.yml Normal file
View File

@ -0,0 +1,20 @@
---
- name: Run runner container
docker_container:
name: runner
image: drone/drone-runner-docker:1
env:
DRONE_RPC_PROTO: "https"
DRONE_RPC_HOST: "{{ drone_domain }}"
DRONE_RPC_SECRET: "{{ drone_secret }}"
DRONE_RUNNER_CAPACITY: "2"
DRONE_RUNNER_NAME: "{{ ansible_fqdn }}"
DRONE_UI_USERNAME: "admin"
DRONE_UI_PASSWORD: "{{ drone_uipass }}"
ports:
- "3000:3000"
restart_policy: unless-stopped
state: started
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"

15
roles/event_web/files/certs
View File

@ -1,15 +0,0 @@
---
eh21.easterhegg.eu engel.eh21.easterhegg.eu:
- path: /etc/nginx/ssl/eh21.easterhegg.eu.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/eh21.easterhegg.eu.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'

68
roles/event_web/files/vhost
View File

@ -1,68 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name eh21.easterhegg.eu;
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://eh21.easterhegg.eu$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name eh21.easterhegg.eu;
ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
root /var/www/eh21;
}
server {
listen 80;
listen [::]:80;
server_name engel.eh21.easterhegg.eu;
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://engel.eh21.easterhegg.eu$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name engel.eh21.easterhegg.eu;
ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
root /var/www/engel/public;
index index.php;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}

5
roles/event_web/meta/main.yml
View File

@ -1,5 +0,0 @@
---
dependencies:
- { role: acertmgr }
- { role: nginx, nginx_ssl: True }

31
roles/event_web/tasks/main.yml
View File

@ -1,31 +0,0 @@
---
- name: Install dependencies
apt:
name:
- php-fpm
- name: Create vhost directory
file: path=/var/www/eh21 state=directory owner=www-data group=www-data
- name: Create vhost directory
file: path=/var/www/engel state=directory owner=www-data group=www-data
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/eh21.easterhegg.eu.key -out /etc/nginx/ssl/eh21.easterhegg.eu.crt -days 730 -subj "/CN=eh21.easterhegg.eu" creates=/etc/nginx/ssl/eh21.easterhegg.eu.crt
notify: Restart nginx
- name: Configure certificate manager
copy: src=certs dest=/etc/acertmgr/eh21.easterhegg.eu.conf
notify: Run acertmgr
- name: Configure vhosts
copy: src=vhost dest=/etc/nginx/sites-available/www
notify: Restart nginx
- name: Enable vhosts
file: src=/etc/nginx/sites-available/www dest=/etc/nginx/sites-enabled/www state=link
notify: Restart nginx
- name: Start php8.2-fpm
service: name=php8.2-fpm state=started enabled=yes

7
roles/fileserver/handlers/main.yml
View File

@ -1,7 +0,0 @@
---
- name: Reload nfs-server
service: name=nfs-server state=reloaded
- name: Reload smbd
service: name=smbd state=reloaded

30
roles/fileserver/tasks/main.yml
View File

@ -1,30 +0,0 @@
---
# TODO also enable contrib for $release-security
- name: Enable contrib repositories
apt_repository:
repo: deb http://deb.debian.org/debian {{ ansible_distribution_release }} contrib
- name: Install zfs-dkms
apt:
name: zfs-dkms
# creating the ZFS pool is not part of this role
- name: Install NFS and samba
apt:
name:
- nfs-kernel-server
- samba
- name: Configure NFS
template:
src: exports.j2
dest: /etc/exports
notify: Reload nfs-server
- name: Configure samba
template:
src: smb.conf.j2
dest: /etc/samba/smb.conf
notify: Reload smbd

4
roles/fileserver/templates/exports.j2
View File

@ -1,4 +0,0 @@
# {{ ansible_managed }}
{% for item in nfs_exports %}
{{ item }}
{% endfor %}

244
roles/fileserver/templates/smb.conf.j2
View File

@ -1,244 +0,0 @@
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
# - When such options are commented with ";", the proposed setting
# differs from the default Samba behaviour
# - When commented with "#", the proposed setting is the default
# behaviour of Samba but the option is considered important
# enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#======================= Global Settings =======================
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
min protocol = NT1
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog@1 if you want important messages to be sent to syslog too.
logging = file
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
########## Domains ###########
#
# The following settings only takes effect if 'server role = classic
# primary domain controller', 'server role = classic backup domain controller'
# or 'domain logons' is set
#
# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
; logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
# logon path = \\%N\%U\profile
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
; logon drive = H:
# logon home = \\%N\%U
# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
; logon script = logon.cmd
# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
; add group script = /usr/sbin/addgroup --force-badname %g
############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap config * : backend = tdb
; idmap config * : range = 3000-7999
; idmap config YOURDOMAINHERE : backend = tdb
; idmap config YOURDOMAINHERE : range = 100000-999999
; template shell = /bin/bash
# Setup usershare options to enable non-root users to share folders
# with the net usershare command.
# Maximum number of usershare. 0 means that usershare is disabled.
# usershare max shares = 100
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes
#======================= Share Definitions =======================
;[homes]
; comment = Home Directories
; browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
; read only = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
; create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
; directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
; valid users = %S
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes
# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
;[printers]
; comment = All Printers
; browseable = no
; path = /var/tmp
; printable = yes
; guest ok = no
; read only = yes
; create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
;[print$]
; comment = Printer Drivers
; path = /var/lib/samba/printers
; browseable = yes
; read only = yes
; guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin
# Binary Kitchen public share
[tank]
path = /exports/tank
browseable = yes
read only = no
guest ok = yes
create mask = 0660
directory mask = 0770

5
roles/gitea/defaults/main.yml
View File

@ -3,5 +3,6 @@
gitea_user: gogs
gitea_group: gogs
gitea_version: 1.21.11
gitea_url: https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
gitea_checksum: sha256:74417bc8e950b685de79c3a39655029f28d27c99e94adbe83c0ec22325d8771f
gitea_version: 1.12.6
gitea_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64

Some files were not shown because too many files have changed in this diff Show More