gitea: bump to version 1.21.10

against current debian default config

README.md

@@ -1,11 +1,68 @@
 # Binary Kitchen Ansible Playbooks
 
-This repository contains the roles to setup most of the infrastructure related to the hackerspace Binary Kitchen.
+This repository contains the roles to setup most of the infrastructure related to the hackspace Binary Kitchen.
 
-## Using
+## Usage
 
-TBA
+To apply the current set of roles to a single host you can type: `ansible-playbook site.yml -l $hostname`
 
-## Style / Contributing
+It is recommenced to alway run in check mode (`--check`) first and use `--diff` to see what has been (or would be) changed
 
-TBA/TBD
+
+## Current setup
+
+Currently the following hosts are installed:
+
+### Internal Servers
+
+| Hostname                  | OS        | Purpose                 |
+| ------------------------- | --------- | ----------------------- |
+| wurst.binary.kitchen      | Proxmox 8 | VM Host                 |
+| salat.binary.kitchen      | Proxmox 8 | VM Host                 |
+| weizen.binary.kitchen     | Proxmox 8 | VM Host                 |
+| bacon.binary.kitchen      | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| aveta.binary.kitchen      | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| aeron.binary.kitchen      | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| sulis.binary.kitchen      | Debian 12 | Shell                   |
+| nabia.binary.kitchen      | Debian 12 | Monitoring              |
+| epona.binary.kitchen      | Debian 12 | NetBox                  |
+| pizza.binary.kitchen      | Debian 11 | OpenHAB *               |
+| pancake.binary.kitchen    | Debian 12 | XRDP                    |
+| knoedel.binary.kitchen    | Debian 12 | SIP-DECT OMM            |
+| bob.binary.kitchen        | Debian 12 | Gitea Actions           |
+| lasagne.binary.kitchen    | Debian 12 | Home Assistant *        |
+| tschunk.binary.kitchen    | Debian 11 | Strichliste             |
+| bowle.binary.kitchen      | Debian 12 | Files                   |
+| lock-auweg.binary.kitchen | Debian 11 | Doorlock                |
+
+\*: The main application is not managed by ansible but manually installed
+
+### External Servers
+
+| Hostname                      | OS        | Purpose                 |
+| ----------------------------- | --------- | ----------------------- |
+| helium.binary-kitchen.net     | Debian 12 | LDAP Master             |
+| lithium.binary-kitchen.net    | Debian 12 | Mail                    |
+| beryllium.binary-kitchen.net  | Debian 12 | Web *                   |
+| boron.binary-kitchen.net      | Debian 12 | Gitea                   |
+| carbon.binary-kitchen.net     | Debian 12 | Jabber                  |
+| nitrogen.binary-kitchen.net   | Debian 12 | NextCloud               |
+| oxygen.binary-kitchen.net     | Debian 12 | Shell                   |
+| fluorine.binary-kitchen.net   | Debian 12 | Web (div. via Docker)   |
+| neon.binary-kitchen.net       | Debian 12 | Auth. DNS               |
+| sodium.binary-kitchen.net     | Debian 12 | Mattrix                 |
+| magnesium.binary-kitchen.net  | Debian 12 | TURN                    |
+| aluminium.binary-kitchen.net  | Debian 12 | Zammad                  |
+| krypton.binary-kitchen.net    | Debian 12 | PartDB *                |
+| yttrium.binary-kitchen.net    | Debian 12 | Hintervvoidler *        |
+| zirconium.binary-kitchen.net  | Debian 12 | Jitsi                   |
+| molybdenum.binary-kitchen.net | Debian 12 | Telefonzelle *          |
+| technetium.binary-kitchen.net | Debian 12 | Event CTFd *            |
+| ruthenium.binary-kitchen.net  | Debian 12 | Minecraft *             |
+| rhodium.binary-kitchen.net    | Debian 12 | Event pretix            |
+| palladium.binary-kitchen.net  | Debian 12 | Event pretalx           |
+| argentum.binary-kitchen.net   | Debian 12 | Event Web *             |
+| cadmium.binary-kitchen.neti   | Debian 12 | Event NetBox *          |
+| barium.binary-kitchen.net     | Debian 12 | Workadventure           |
+
+\*: The main application is not managed by ansible but manually installed

group_vars/all/vars.yml

@@ -5,6 +5,14 @@ acertmgr_mode: webdir
 acme_dnskey_file: /etc/acertmgr/nsupdate.key
 acme_dnskey_server: neon.binary-kitchen.net
 
+authentik_domain: auth.binary-kitchen.de
+authentik_dbname: authentik
+authentik_dbuser: authentik
+authentik_dbpass: "{{ vault_authentik_dbpass }}"
+authentik_secret: "{{ vault_authentik_secret }}"
+
+bk23b_domain: 23b.binary-kitchen.de
+
 coturn_realm: turn.binary-kitchen.de
 coturn_secret: "{{ vault_coturn_secret }}"
 
@@ -14,16 +22,6 @@ dns_axfr_ips:
 
 dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
 
-drone_admin: moepman
-drone_domain: drone.binary-kitchen.de
-drone_dbname: drone
-drone_dbuser: drone
-drone_dbpass: "{{ vault_drone_dbpass }}"
-drone_uipass: "{{ vault_drone_uipass }}"
-drone_secret: "{{ vault_drone_secret }}"
-drone_gitea_client: "{{ vault_drone_gitea_client }}"
-drone_gitea_secret: "{{ vault_drone_gitea_secret }}"
-
 dss_domain: dss.binary-kitchen.de
 dss_secret: "{{ vault_dss_secret }}"
 
@@ -35,8 +33,8 @@ gitea_secret: "{{ vault_gitea_secret }}"
 gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
 
 hedgedoc_domain: pad.binary-kitchen.de
-hedgedoc_dbname: hackmd
-hedgedoc_dbuser: hackmd
+hedgedoc_dbname: hedgedoc
+hedgedoc_dbuser: hedgedoc
 hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
 hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
 
@@ -67,6 +65,7 @@ mail_domain: binary-kitchen.de
 mail_domains:
 - ccc-r.de
 - ccc-regensburg.de
+- eh21.easterhegg.eu
 - makerspace-regensburg.de
 mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
 mail_server: mail.binary-kitchen.de
@@ -75,13 +74,17 @@ mail_trusted:
 - 213.166.246.0/28
 - 213.166.246.37/32
 - 213.166.246.45/32
+- 213.166.246.46/32
+- 213.166.246.47/32
 - 213.166.246.250/32
 - 2a02:958:0:f6::/124
 - 2a02:958:0:f6::37/128
 - 2a02:958:0:f6::45/128
+- 2a02:958:0:f6::46/128
+- 2a02:958:0:f6::47/128
 mail_aliases:
 - "auweg@binary-kitchen.de	venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
-- "bbb@binary-kitchen.de	timo.schindler@binary-kitchen.de"
+- "bbb@binary-kitchen.de	boehm.johannes@gmail.com"
 - "dasfilament@binary-kitchen.de	taxx@binary-kitchen.de"
 - "epvpn@binary-kitchen.de	noby@binary-kitchen.de"
 - "google@binary-kitchen.de	vorstand@binary-kitchen.de"
@@ -94,11 +97,12 @@ mail_aliases:
 - "orga@ccc-regensburg.de	anti@binary-kitchen.de"
 - "paypal@binary-kitchen.de	ralf@binary-kitchen.de"
 - "post@makerspace-regensburg.de	vorstand@binary-kitchen.de"
+- "pretalx@binary-kitchen.de	moepman@binary-kitchen.de"
 - "pretix@binary-kitchen.de	moepman@binary-kitchen.de"
 - "root@binary-kitchen.de	moepman@binary-kitchen.de,kishi@binary-kitchen.de"
 - "seife@binary-kitchen.de	anke@binary-kitchen.de"
 - "siebdruck@binary-kitchen.de	anke@binary-kitchen.de"
-- "vorstand@binary-kitchen.de	anti@binary-kitchen.de,avarrish@binary-kitchen.de,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
+- "vorstand@binary-kitchen.de	anke@binary-kitchen.de,christoph@schindlbeck.eu,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
 - "voucher1@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher2@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher3@binary-kitchen.de	exxess@binary-kitchen.de"
@@ -112,6 +116,8 @@ mail_aliases:
 - "voucher11@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher12@binary-kitchen.de	exxess@binary-kitchen.de"
 - "workshops@binary-kitchen.de	timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
+- "tickets@eh21.easterhegg.eu	orga@eh21.easterhegg.eu"
+- "hackzuck@eh21.easterhegg.eu	kekskruemml@binary-kitchen.de"
 
 matrix_domain: matrix.binary-kitchen.de
 matrix_dbname: matrix
@@ -131,11 +137,16 @@ nextcloud_dbname: owncloud
 nextcloud_dbuser: owncloud
 nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
 
-nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
-nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
-nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
+omm_domain: omm.binary.kitchen
+
+pretalx_domain: fahrplan.eh21.easterhegg.eu
+pretalx_dbname: pretalx
+pretalx_dbuser: pretalx
+pretalx_dbpass: "{{ vault_pretalx_dbpass }}"
+pretalx_mail: pretalx@binary-kitchen.de
 
 pretix_domain: pretix.events.binary-kitchen.de
+pretix_domainx: tickets.eh21.easterhegg.eu
 pretix_dbname: pretix
 pretix_dbuser: pretix
 pretix_dbpass: "{{ vault_pretix_dbpass }}"
@@ -161,4 +172,21 @@ slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
 slapd_root_pass: "{{ vault_slapd_root_pass }}"
 slapd_san: ldap.binary.kitchen
 
+sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
+sssd_base_user: ou=people,dc=binary-kitchen,dc=de
+
+strichliste_domain: tschunk.binary.kitchen
+strichliste_dbname: strichliste
+strichliste_dbuser: strichliste
+strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
+
+vaultwarden_domain: vault.binary-kitchen.de
+vaultwarden_dbname: vaultwarden
+vaultwarden_dbuser: vaultwarden
+vaultwarden_dbpass: "{{ vault_vaultwarden_dbpass }}"
+vaultwarden_token: "{{ vault_vaultwarden_token }}"
+vaultwarden_yubico_secret: "{{ vault_vaultwarden_yubico_secret }}"
+
 workadventure_domain: wa.binary-kitchen.de
+
+zammad_domain: requests.binary-kitchen.de

group_vars/all/vault.yml

@@ -1,102 +1,106 @@
 $ANSIBLE_VAULT;1.1;AES256
-34313430623638333161613331623835666163626232326164366136373833633138373733333231
-6563336334663666373235313064363364646361643033310a663033616232363434306230313765
-31386338646433393334663031623261353661333565663763363834313264363463383562633934
-3663623932356635360a306231613431623763663130656634623365643730336564663862336536
-34663863313364613831656162663663646634636432656539643531326163653363376662393935
-61343934313135623265646539616136306231633566616534383562393964663565323534386162
-31646233313339383863313334353031386166653264353831383133633761306539636533656336
-37643866646538316234633736613136356166613037383638303465663639633432326533653832
-30313862646132393063393239656561646566336362643466386435613734623632613361323266
-64316166313635306631396166303132626139386563613231646439356637393662623530353261
-62326661663064393362653136346262313762376130623461313563613161623838356363306263
-38376438333632623962646535313239343038383030383736313536303935346236326631616632
-65376162613630343064356361336535623030316435333036363635623461626330663635653631
-61313435373839366363613338666630366333383962393734333662646239663237386437373333
-31373065336139643033643666653737306664626134643937343264646539616264393530343462
-38366232393832666439383066383738643966363132663832396562646238306638343266353934
-38396236373830303661336635646137306236386436343033383764666535323834313534346533
-35333665303534383634303732346164616666643731313839353462343365356338386561613231
-35333965353736386531356565376434393563653562373261633664623438346638613765303736
-65336230636539613332616433326335326436333136636566383731306437663438306636363930
-31376230353230613038636662623432646361383263663532396234656133333237333738666233
-61613961343963393437393664393265306564373164316265363232303831663331393130356662
-39313230616463636163386261353431356338353833393161313861643137646166363864313861
-64306161653565396339656333346235346365373836373633376231333833313034353864656434
-33623861326664356339336333663365663663353061323037346330653133396235363831623136
-63343662356235633332373733626232353437373263343038663932636232363030336436616131
-65376436663962363631386664353531303963313263633261633766326566383262643334646466
-65363664306332656134633039643135323134616535613834313533626633353066343762646132
-31353761373366313365373632366661646235333039656231323030366338326264333162646562
-39343265376234363635306537636464323030316231306564316635656563303565336539326237
-36393632386564343730616566373535616263383564343866353665373363363333343935346464
-31646338353235356231353135663062323766663231383730396235373934303465346239303961
-66646463663762633963336365356431323431383938373839346364303464633031633633663937
-36646165633661633361313635393134646133363334373863663132376266336233336435356435
-38303862613564363731313062316533633465353830316436326431656132353431373231646337
-33343464353039623236643633636239343965643633343966326562343934313664633563613730
-63313930643936393838636634613331633835656434646163386661663037376330646366656232
-32623461633935353134343533626266653031666335336236343039363066396337633639363235
-38626233383461356264616534656537633931663936383330386532363434383833613835613439
-64306262626539623136376630646439353335623266306139306434663331346237306331666533
-37363433343433363632336333633065313865626564633134616462393831626237333638333739
-61623030386235666132666661623462323332393666623539636139326530623233396533373939
-32396261306661663739333138353335663734316232303661353166376133653934306233343739
-33353833323739343163396234633264373139346264653933633433393132363966636135393365
-36363530396166363630643764633436663037666631343535366132373334663938333930396133
-36303864303961333664653635343935353266396231313964646262363038626561653466646438
-62306434373136393738303835656130333936663430636139383137633536383131616533613634
-62343464636332343031326365383964326666636466666636663236633935356635336435313437
-33626137326238356537353762613164653731326563663239316537646338643131643564663632
-33353536383265303030343735616530666236343064323337623232396130393366363161356636
-61333862313432323139313963386538393365373335373139353533356537383739373539646134
-37623936653933326633643961313530663533326532383133353238303336643432353833393338
-31633065666336373236386537636536326236636639376465346136326535653764373131636135
-61393932643639383234396163326633393733616563343637613661326432623461393934653965
-32643162386238316261633733613366323834393365633430643964666262306339633766613533
-65366264313431333132303063393564383062346365633133383463376631303933643065613137
-61383231393339363465363064633862633135326536663163366234623764626439346461303164
-32373738636533306362333138643832643862656239303464373434303537653336646430356633
-36626436356231616166666163346539633738623734343031373735346165303664346137343132
-31663230343934333138656333626339623133323630336266353831653135616363333432616361
-33613236623538333663366136656563663331366237303763653238336139363163366635646532
-37316430623433336436376462656331373336303831393333626166346135333737326435353834
-37636162646438313162303462633830353239623565393331316662616535343138613437653665
-31316563346234633031653131666531333266306139346566383263303835343532363633373665
-30336462626434393063343234356633636433356164363163363564383263623364386435383239
-33323738366534633730666436303433343731306662393863323633653263316138386365376666
-35316365303361623030383836316436323663646464386231346432396563663133643834383636
-61326534313237316130393538613834656231303732656163346237643535663239366536636633
-36306137616664623735613966343264653932363035373336636465323163393539363064386562
-31626138316163393466323333613530376265386136376330636364363166323061383034623336
-38643166363864383264373665323238326232376633653565356536376466303834313733613531
-65333734353036303935333533306334306231373731353463346461353930316562316439356562
-38336435366335333230323766626134376131323435323735653736336662313962393766383435
-39323734643037643066363338373332653830393337306633336131663131616164336536393837
-35383366316130343162663231343763373331613261393566366133346564636334643464373535
-37633536323531613831656662323263316630623061383930363637346438623735383430366538
-39303961326461323661346630313636643531303265393461373036306435353863643036623665
-66333965303032653537613232633162303138343632396134336130333430636666376430323466
-61323535313463653866666265313765623831376633666534623033643063386231623238656439
-63323166373764306162613233323466366363666535643339646361306638343762393834343131
-31393437373733343138306563363032353831616334383631656266346131303161633265343461
-62343234383936303664643234323665343635626435613766343737396564656137393061666165
-66313531666562303030323764356632626233333432343461393362303563643661336335366339
-62346366643835303563646161366434386532363265313531303634336136653062613464376138
-66336333623565623263363561303537303337623137656430353830353937323265313837333237
-62343132326665326130376566626661366534353335366532623539303536323762646462306261
-63383133633462376162316338663765393933663536663239636439643733376434333030616131
-63326332336563326232346430643534336133376334646635653862333133306135666132353839
-37336136346464363365633262623630343463343035666161626665663030346533303266313837
-32323566393630626566393334353832383235626161343532323930656430343739663432333866
-62663136333637663563366536303437363964666638326134373766313837383431663733383630
-63336432656239393465353666383131326536643531663337396234396663373432303163653331
-33626237386237626433653637313835376632613131663235353037336231613134633065323035
-31366531343131303937663561336262623062313961366233633430323639383332656236363535
-35353639633366366439666532326539666230323338643931383264306436386634316331393133
-33393963303734303037353139356436313036343766646131333735356266333434333039363339
-62396231303137303236626439633331306663313630653437363733656130653863646537316536
-39346233633436323565363466653862333630633030666136613237333663643339306334613532
-63343565393632353138616637356339623639373135636334333130323032346536626465323430
-63383363313338636466316464303039633236343038613734633632633234313837656436663137
-62643130383463333137363537646233613366653664613137623130333330636362
+61333062333563653966393334326633643564313063346266663461633538366662623937373738
+3732396164303638643362316564393236353737346235380a666361396631656563303733343032
+66396531313139343062363639636334373836306237363733393635346261313832366330303436
+6362383638363931380a323066343834363138356662656439343131353330366532626538653434
+64663834333563333263356532326262333938613432356233656238313365663661636334333066
+63653561316239356638653834646261643564316535306133633832666365383238303364346466
+63393164646330623061633039316638656566346663616661633464303237386261316262623533
+63306266333063373333323030666264323564663032333637343134306231373964666630333538
+63626363383836363639663830643530376361613466613666303933363563663763636635363132
+36666432646233313663613563663565313537316164313964656461666336326331303035343062
+35323363373130333935373035663635626666613236376261623934366235633738323430666330
+33323130363839386331613334636531396665316336376265333231343763656637396437653733
+64366565336132333131346463356236343934663332633830373939616434613561613564313837
+34333039363962643333343961636165323766343531336465306438306365636137636662303165
+35346530313134346432303862643735376331376432616136306537653266333434336663373931
+35373235333937646165663238636232656336393330386161636435666637356632333832646137
+30333233636266623165663538303639663466363337323330383962383139643532623462663564
+63313262366236623232303732373136393139323562313733623763363864646432653037316465
+34306261303035306436396262333131366562643166333130393438393636623034656163653131
+65363530613064633462633238343834336538353766353766336132303333383164326363316365
+31303532363838306338626662313234343134306531353765333237303962303339366233366632
+35643565353766353962386135323765356130393731363633373238626332356637363339356437
+30386361363837373434363939373361343862393364316537633463653862666164613730306565
+36343762326337333235643862626566346235333934656631306461633934306230333365343731
+64643835323061613230336234343438383938653761393133656137626434653532636466313439
+31363362306539643635386237353466343733616334303762343964636533636662333661653839
+34663264613033373965336635663131396334616432653462346634626535393761666237623936
+31666439356261303134343938333433323538653337653937333830656163633965353235653539
+65353937333463343236636237313736313565613833653530333135623233363564393266353363
+33323236643634616263303133663631386638356561373730653930646265616634356364366361
+37666362363230313664343633343464383334386539616132636562626465326364353436356338
+61383736663733643132656266633837646366343637303264363465633536633962353235303336
+38376430343733386631623334386564616264386234613664366631313334626436313865356565
+33663433663963653835376666303664656438623337663536376234356465396534306362346162
+62323262323933336232376636353831633834656536633666643961396365306464303730626463
+36363631336236353730393035613333666465653861373766393731373863353330656366306263
+62316636333230366563623836316232323831393233366539363662646564373436623230343761
+61626235656438373566646365353761376139383962353635393439666365333332313035653433
+64316638363061613561306534616465646661326637633332333734626562353664666432616137
+32643636356261613430376535633837646437626132373735323366313738633134303962306163
+30366230333533663433616664343862346232363733623239353035656134366437313662353933
+32663261663937663437643233383562656537333364643435356639616136623036306231633839
+38386631643264636535323766643661626566323661313831326530636532383330633066336130
+39306631636433376361636637633135316662306636306137366531333662303238613434333534
+35633162316363333934623663303839343366376263343536333563663833323734356566623663
+64646437343935306230333034636431396439366237643839363035313164393666616235393034
+33323333626537633730303961613263363835343030363331633165663035336633613831326632
+35363738336534663934616338363764353562306139613464663533323863326331646464333533
+36363962653830613864393565623561646233313135386163623932363865343861313534663234
+32313466656532616638376238363937613264346265316135336137363961386161376364343063
+33316662343066336438336137353262646264656434333364343334373762303062386165663530
+63313666356633633936366162366332333163656164306533356530666166353635616364643830
+66336339663737616664616430373162386238636134303137386331393837353462623336663335
+34303038323037363165613935376262376464383265323462373638313530396537633031653530
+63613135373639623138333635343035303734383932336333303063666662333164643430393637
+64393262363235616666303366346137633132313066613731333064346139646361363832343730
+39666338303339663665363033653735346130313431306131306261636430396465323937623062
+32343433376438623965363338633639383738326561376665623461653539383666636535656663
+37353665363663356464366331313236653430313034613733363665633239656361623931646432
+30653632643062366333663830326663623766646535666534613933663333366466333033383165
+33373039303564656562636432303934383132666665656161323535333930346265623639316366
+38393764346265653734373136636538346361363966393732323362323733386631623762313366
+63313733653730336536393335623138383365303934303730343136613734663062326166316461
+35313363656335643531343561336662663434353031623733353035633063396366376664303364
+36643262633832363362306263376135346632386631346432333137623631343234333337643536
+35353135303330626663663963366139363265666434363364303266613564373337616564366566
+30646635633834616536333361303361313934316434393330333231613038346466306531646537
+39303131396562656334303536613964363936643435613035623065323963633764623432373235
+37393564626239333761626131643366306131346339356364373061353865653966326362613164
+62366562326234303865323934353734613364653161316131363964666439636561663361396239
+30353266303764396265656635616462653563613630616537353530613835656333353364333632
+39663939376633613133623839353133613066633333633135316132636435363330393966396431
+30656638653662356164393038323538643661333734623937653430643931623061666330633631
+63323834313733353635363535613666643361356363386465383961626331303435333363396230
+37313835633136323134623261626432653965366230656266356333653437386463396563613563
+62656562626131336230383965303962383464643832333361343838393338353365663766373031
+31633265653262356139323564663834616164313439346133386135333563323264313261336336
+39393166613865353164376130303536373931643436633133313361356166393432363631666361
+36366537363630333830333432333466363266666636643932636565613738346239383736306533
+32333838396638656134643538313033336137316638326232303837386537393737316237356237
+62646561333430303765656537373738316131306664626533646461333261306665626336376537
+35633736303262656236303230653564386130666362303132646166306432393962306366663432
+64353366353839643366376433646661376434313266326665343063653534343531623033316461
+37306439373366303236666338616364343163663165626665613761333838333366336238343633
+38663066623532353464653164616237353464363539313762396162653139393133323438643331
+66306562346136346363396235356264303164636662386166666436316338323462656537386335
+36373763313935666539643834653237336130336530653834643263373264353233643938393965
+30313637366236383433313161386531623936356161333462636566633036383635616638316434
+66313434393365333633336231656536353138303235616439643535376338326262663632313564
+65306534356531303835373231623234356337623234366137386437303864643764613731326137
+65376337386133353739376661353766343931383135363038353839376666306337323835613935
+33303730623132613462363538666638313533333564656164363731323463613230366230373664
+31303331396264353162383138643063313737366635333664343836346338353537366362613937
+35623934646239356339343339653337656330616565616232633232373036383562393362343332
+39316661623563333234656633666365303964366338303862333730656366626533326334613038
+39663332623862626230373135623235363064636163373737316262613233663031383366363563
+34613730343564373230306237656662636130333736393136366138333864313636343362613631
+64636266626637366530363763323930643336313339613930623835326431643663356365353865
+35653238333131363262346565653066383834633131303466636232653234363366646635656338
+31386163616237316361643134396230386338643339633562376436333238346665363938323462
+32336435663138393230366632633132333834303539303439313764623163383661396536383461
+31636365633765346262616235336666363932336366373438643531663539333431663231326362
+32326230363965356434343833383662393430333535636536323066373439653330373937636565
+61306565663734636630633730383736653736383765326638656433646637393033356665633831
+66353338633833346436666134343465623236626339613363623834333261313531

group_vars/auweg

@@ -5,6 +5,8 @@ dhcpd_primary: 172.23.13.3
 
 dns_primary: 172.23.13.3
 
+doorlock_domain: lock-auweg.binary.kitchen
+
 name_servers:
 - 172.23.13.3
 

host_vars/aeron.binary.kitchen

@@ -3,4 +3,5 @@
 radius_hostname: radius3.binary.kitchen
 
 slapd_hostname: ldap3.binary.kitchen
+slapd_replica_id: 3
 slapd_role: slave

host_vars/argentum.binary-kitchen.net

@@ -0,0 +1,6 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyGAePGA47K+VNFcKdvcQG3xM3ywcnrVtUD7wPrIin1 christoph"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINIhrQu5sf9LYoQ6ll1ShqDMX8xpsV9RUiaSw95JGafH flo@io3"

host_vars/aveta.binary.kitchen

@@ -3,4 +3,5 @@
 radius_hostname: radius2.binary.kitchen
 
 slapd_hostname: ldap2.binary.kitchen
+slapd_replica_id: 2
 slapd_role: slave

host_vars/bacon.binary.kitchen

@@ -13,4 +13,5 @@ ntp_peers:
 radius_hostname: radius1.binary.kitchen
 
 slapd_hostname: ldap1.binary.kitchen
+slapd_replica_id: 1
 slapd_role: slave

host_vars/fluorine.binary-kitchen.net

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"

host_vars/krypton.binary-kitchen.net

@@ -2,3 +2,4 @@
 
 root_keys_host:
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/lasagne.binary.kitchen

@@ -0,0 +1,11 @@
+---
+
+root_keys_host:
+- "# Thomas Basler"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
+- "# Ralf Ramsauer"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
+- "# Thomas Schmid"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
+
+uau_reboot: "false"

host_vars/lock-auweg.binary.kitchen

@@ -0,0 +1,5 @@
+---
+
+root_keys_host:
+- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAkXY3fQFMG7LkTBWtBNY7q7RCwb/R4Z8Y96e3pToddfXbtmtVxMZfd6hC+3kGt3NnPYDFmZf/RXblNBPwL/n8bEjA0bmfU60LMjFT0mG99bLU+5CgDxaSf34jzgtzLbHKqeSYxNpXNebbDZRw+cxuDjxJ+lYbc/hNQTy6hqKXUSQ25LAqplKVYbxlPWPxxKnJCvWj2pCdJGj1EK/Y+saafNOhA7uEPNt8HtWWNMhxNi+P9OkkLpYqRM8V0miR7aAYOY+RllMn+H5DIJg2gk319AHhlBDP7NXd/tmWg+bI7xYPDe9Q6gMrV8OnQmuNjWsLNhp8ktwQxpsv71t6ztXLpceIkV9yfDSeBpZG5QnsMOy/ua91S6hmMg4bIEBsqkPUYEwEIDFaV0TrlKeXMkU+ovthZnw0CWgV5KEWDHtuGu8nBBpks/geclh+0yqeFEaacnlTTNEhvCcp7vOsqDJnZSn1L4O6C+u/A4NJGRH7XQMWrXBdeTVIT9KLsdZJsoPIH8BRaw/qOYPY6wZzHcLvrsayUBBiiLDIN1lE/3OV70dKX7F0Q7hyl8o9EoGdEYnGBonWGC58hroiAE4FTVdWLKtHzHSG2AdTWf53sJzGVEh5swm44KD/Dh52bE4YjUxC0b68Twb3/L1QpH8KZNUVEcRNmiRshefMPSXbPv3bNzc= 20170818Tobias@Teubl.de"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

host_vars/molybdenum.binary-kitchen.net

@@ -4,3 +4,4 @@ grafana_domain: zelle.binary-kitchen.de
 
 root_keys_host:
 - "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

host_vars/oxygen.binary-kitchen.net

@@ -1,3 +1,4 @@
 ---
 
-uau_reboot: "false"
+sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
+sshd_password_authentication: "yes"

host_vars/pizza.binary.kitchen

@@ -4,8 +4,7 @@ root_keys_host:
 - "# Thomas Basler"
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
 - "# Ralf Ramsauer"
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2bKOm2jd2QsPaJPE4V3bHBLjXB3pnpggkdEhf03aFvB08C72vKQcHpIYNhp8DLBr4N5epA0JP1cXdRSdKhQgzYbqL8CQgOJoNwf0OeOhFyXdThu1OqmaRMrRGlB/Q+sqBEXaknHqcXzq+24zkR+ID7sGkq7WaIKPln0qNY5RxWYrPE98ZhU5fZh1Qorcv34UBHYhVP4y8vM43LHcbkLgr0gg9tb2vItF6YvyIxgtz6KCODObzBZfkLLnVhVcb9VWbDh72rIz4OXI1fl+mCCH2l7XlqKP1vhF5LVsUjPcGY3Go0fw2vHIyxWe479OJ/9elFnKRIUY/f1Xz+YikLTmj ralf@YUBIKEY"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
 - "# Thomas Schmid"
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
 

host_vars/rhodium.binary-kitchen.net

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

host_vars/ruthenium.binary-kitchen.net

@@ -2,6 +2,6 @@
 
 root_keys_host:
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
 
 uau_reboot: "false"

host_vars/strontium.binary-kitchen.net

@@ -1,4 +0,0 @@
----
-
-root_keys_host:
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkN1eqP1Mv29z0npVznVJ4Cumyf4EoqS44xHKl0ms0e timo@charon"

host_vars/sulis.binary.kitchen

@@ -0,0 +1,4 @@
+---
+
+sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
+sshd_password_authentication: "yes"

host_vars/technetium.binary-kitchen.net

@@ -1,4 +1,5 @@
 ---
 
 root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcoIXTF0RtzM2vDir8axegFpLKNxGJyYNLj2triQm59GIvNRPHG/nBoaDcUwRT5b6Ew91KMw6iT1eI0n9oKbTMHZHvdSLLUmNmZT4z4JQOQm0n415ZW9m1r3R3S8sAxiLQ+5U91xnbHlzfuBKvpI56RLZNbkhAcqw9kS/UasO0UAFpdGL5CBnbJt0KPb4C9cYUM6H4clZFpWVDdK3+6gh+/Jx9QPmpPv0wfWI7z0fvQYUcXDFLjPh8CFK7BOcPZcv4V4bl5Tq1dTURMLaueTD0F5Ygn7cxKaDNvql4EIPDZaRCEz3cIvFB7435emRgZC54YmhWIYC+oJrLTlMCrYKhISLtWg92EcE/aCUNL0V+n1EK5dkds+AY/eDiyP58ArAHNsopXmcHiko3goyZyEK5Y0tJ5sA9L4Q0mgLz/rW1CsZHcpiYU9yKpDRscbf3DDlFMzMYG8O9JufgcyF+GFhxIhXesfjJ4gDNepaYhd/qutwThip027cKtoczLAMR2xbT6bUYr7KKmxvXVlP7Epkfi3N2cj/Wx9gAm1qIs1yjcWCe71k1QMC+dTNTV+T9Ch5d1lji7lGOKDl70rB/WytdISVlEJr8TviBk27oldCuC1WCPGjRxWeGv5uVxE9O7nQh0dxox+HFssa7ENuDR9LEd9O6Zvuf09pzDASB0PjFyw== bedah@binary-kitchen.de"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBMLLlnlzbf5GTes2QrxuOTAR0BWTtbqQS80yPfI0mbh timo@styx"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7oyUa65KoSuv9l8tH/zVgZZ5mg5P45RIhlRZSt/amL x70b1"

host_vars/tschunk.binary.kitchen

@@ -0,0 +1,7 @@
+---
+
+root_keys_host:
+- "# Thomas Schmid"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
+
+uau_reboot: "true"

host_vars/yttrium.binary-kitchen.net

@@ -1,5 +1,6 @@
 ---
 
 root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDetxImx0c/Fald9Y2wIHNJCi356rfskVUBT/SGH64N1HVZGBZhlWkeKJkCCufm3jLXdjJrlFDFlP0EjbohR6SP3VVf8Z7zAoazCtxWq0dyjPDvOjUrIuBeILbXZu0Q+qmFHPwvp5vR2wWFUwNLl1Te3CNSzQnn2KxOXfeZ56cDogzonlxh5JXDd0JWpINAuLp7uR6IshfmEMKsyCGjqzMUJ9YCztzkI9TJYDc4xitmQTvea44hRhyeIRf2ip8YlHnEIpJ9i712CQ5UEHBZUfy2gZwoLW0yYy9HJucF2A5gzvoUQ1wjA9/irlGiabKq6rOyT4ezBSoZZLEBIa6GU4qKMc1rE4Hnifi0AUnQ+4MqrCCu2QTJGNvyYzNt2XtkjakN3gtlz5xCsYV08PEB4VjAFVIa1yku66UblAW5KqixfE4mU7Z29b8faF5Ld7XO1tlNgiuHih7+JoQiwJ+auULYwRX1C2v6fAEU3PGU73VT3TZJTa5IS+fkTWzn643atxklP6Lmo8hrZIS0NXIr22OP1zYuCZm5/JLDhe0qOCYd8YQU2dNww4OUZ1uMLNOM+0UJvCHbWdjw8amR58yO5W83xp0qLHGUFjDpgvuP4ius4gvwjlhFdSVYRGwr2intLitXvOf3btjBJKUDIN0VM4MFzkvyUyCOgBgEkdCBvI7g4w== philmacfly"
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8MB80WTE9ZW/mGRdPWjkpiupvoSGVnmK9wvOqm6xpwDwZkD52RGfiWQW2IbJObCLGJxoigSi4lVvrJD6MWjXAsj5Foq1H3Ok+xJET2zfWMf4s/0uStSS9kaJ/gI6Qd5jMsnz1xATTInWAHIK7u3I4trt81FWkXQdfRSNC0mPh/PYBsXzwgx/m5s3o1nUtcIBXFZUeGNnhSSf1As0Wi0Bsv3GXIIDH4b4cIi7aGHqGuaes2cTUW1r0RspUVI139Gx2O4mgv4JE/n61t/4AzfYGoaszoqPCHQt5LR8Wd/XIaPLwnM1kzo4QVqNgqkY/awryt9IPoAFqJBbIvP0Bt3irGOPrdl7e7KcV55a9gPpCmz+bVaQO2oBmQ34AsZFg9tCP26OmViQu0Lx14vWWYDFkxzCxCDDngo6+f+e5AsyAjO2pHz/ZKv/VE5P3y8CnadHG88cO0qeoI6VH4jjGk5GYYrVD4BHf8StlvAg8unwMlYchuvaKLtQyQXFW40ww4VDdPo6KSv5T5a6SozEzRtN2QKRLyxIz68xVnKYq4TanR2lsm6wecUSriV48qscglokcTKJspWD29DQ62dMt5xFDtM8i9dE8W3SUePB8qPTBK9LUrO8PkGjb0X/RgMZB5bCWBmz4I1G1X+9Y8OLpr4NKGP9UFntYtJ3tpMCHtPgf4Q== philmacfly"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

hosts

@@ -9,11 +9,14 @@ pizza.binary.kitchen ansible_host=172.23.2.33
 pancake.binary.kitchen ansible_host=172.23.2.34
 knoedel.binary.kitchen ansible_host=172.23.2.35
 bob.binary.kitchen ansible_host=172.23.2.37
+lasagne.binary.kitchen ansible_host=172.23.2.38
+tschunk.binary.kitchen ansible_host=172.23.2.39
 bowle.binary.kitchen ansible_host=172.23.2.62
 salat.binary.kitchen ansible_host=172.23.9.61
 [auweg]
-aeron.binary.kitchen ansible_host=172.23.13.3
 weizen.binary.kitchen ansible_host=172.23.12.61
+aeron.binary.kitchen ansible_host=172.23.13.3
+lock-auweg.binary.kitchen ansible_host=172.23.13.12
 [fan_rz]
 helium.binary-kitchen.net
 lithium.binary-kitchen.net
@@ -26,10 +29,15 @@ fluorine.binary-kitchen.net
 neon.binary-kitchen.net
 sodium.binary-kitchen.net
 magnesium.binary-kitchen.net
+aluminium.binary-kitchen.net
 krypton.binary-kitchen.net
 yttrium.binary-kitchen.net
 zirconium.binary-kitchen.net
 molybdenum.binary-kitchen.net
+technetium.binary-kitchen.net
 ruthenium.binary-kitchen.net
 rhodium.binary-kitchen.net
+palladium.binary-kitchen.net
+argentum.binary-kitchen.net
+cadmium.binary-kitchen.net
 barium.binary-kitchen.net

roles/23b/handlers/main.yml

@@ -3,11 +3,11 @@
 - name: Reload systemd
   systemd: daemon_reload=yes
 
-- name: Run acertmgr
-  command: /usr/bin/acertmgr
-
-- name: Restart drone
-  service: name=drone state=restarted
+- name: Restart 23b
+  service: name=23b state=restarted
 
 - name: Restart nginx
   service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/23b/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+    - docker-compose
+
+- name: Create 23b group
+  group: name=23b
+
+- name: Create 23b user
+  user:
+    name: 23b
+    home: /opt/23b
+    shell: /bin/bash
+    group: 23b
+    groups: docker
+
+# docker-compolse.yml is managed outside ansible
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ bk23b_domain }}.key -out /etc/nginx/ssl/{{ bk23b_domain }}.crt -days 730 -subj "/CN={{ bk23b_domain }}" creates=/etc/nginx/ssl/{{ bk23b_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for 23b
+  template: src=certs.j2 dest=/etc/acertmgr/{{ bk23b_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/23b
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/23b dest=/etc/nginx/sites-enabled/23b state=link
+  notify: Restart nginx
+
+- name: Systemd unit for 23b
+  template: src=23b.service.j2 dest=/etc/systemd/system/23b.service
+  notify:
+  - Reload systemd
+  - Restart 23b
+
+- name: Start the 23b service
+  service: name=23b state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ bk23b_domain }}"

roles/23b/templates/23b.service.j2

@@ -0,0 +1,28 @@
+[Unit]
+Description=23b service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
+
+[Service]
+Type=simple
+
+User=23b
+Group=23b
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/23b/23b/23b
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose down -v
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
+
+[Install]
+WantedBy=multi-user.target

roles/23b/templates/certs.j2

@@ -1,13 +1,13 @@
 ---
 
-{{ drone_domain }}:
-- path: /etc/nginx/ssl/{{ drone_domain }}.key
+{{ bk23b_domain }}:
+- path: /etc/nginx/ssl/{{ bk23b_domain }}.key
   user: root
   group: root
   perm: '400'
   format: key
   action: '/usr/sbin/service nginx restart'
-- path: /etc/nginx/ssl/{{ drone_domain }}.crt
+- path: /etc/nginx/ssl/{{ bk23b_domain }}.crt
   user: root
   group: root
   perm: '400'

roles/23b/templates/vhost.j2

@@ -0,0 +1,36 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ bk23b_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ bk23b_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ bk23b_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ bk23b_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ bk23b_domain }}.crt;
+
+	# set max upload size
+	client_max_body_size 8M;
+
+	location / {
+		proxy_pass http://localhost:5000;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+}

roles/act_runner/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+
+actrunner_user: act_runner
+actrunner_group: act_runner
+
+actrunner_version: 0.2.6
+actrunner_url: https://gitea.com/gitea/act_runner/releases/download/v{{ actrunner_version }}/act_runner-{{ actrunner_version }}-linux-amd64

roles/act_runner/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart act_runner
+  service: name=act_runner state=restarted

roles/act_runner/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+
+- name: Create group
+  group: name={{ actrunner_group }}
+
+- name: Create user
+  user: name={{ actrunner_user }} home=/var/lib/act_runner group={{ actrunner_group }} groups=docker
+
+- name: Create directories
+  file: path={{ item }} state=directory owner={{ actrunner_user }} group={{ actrunner_group }}
+  with_items:
+  - /etc/act_runner
+  - /var/lib/act_runner
+
+- name: Download act_runner binary
+  get_url: url={{ actrunner_url }} dest=/usr/local/bin/act_runner-{{ actrunner_version }} mode=0755
+  register: runner_download
+
+- name: Symlink act_runner binary
+  file: src=/usr/local/bin/act_runner-{{ actrunner_version }} dest=/usr/local/bin/act_runner state=link
+  when: runner_download.changed
+  notify: Restart act_runner
+
+- name: Configure act_runner
+  template: src=config.yaml.j2 dest=/etc/act_runner/config.yaml owner={{ actrunner_user }} group={{ actrunner_group }}
+  notify: Restart act_runner
+
+- name: Install systemd unit
+  template: src=act_runner.service.j2 dest=/lib/systemd/system/act_runner.service
+  notify:
+  - Reload systemd
+  - Restart act_runner
+
+- name: Enable act_runner
+  service: name=act_runner state=started enabled=yes

roles/act_runner/templates/act_runner.service.j2

@@ -0,0 +1,16 @@
+[Unit]
+Description=Gitea Actions runner
+Documentation=https://gitea.com/gitea/act_runner
+After=docker.service
+
+[Service]
+ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
+ExecReload=/bin/kill -s HUP $MAINPID
+WorkingDirectory=/var/lib/act_runner
+TimeoutSec=0
+RestartSec=10
+Restart=always
+User={{ actrunner_user }}
+
+[Install]
+WantedBy=multi-user.target

roles/act_runner/templates/config.yaml.j2

@@ -0,0 +1,86 @@
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: warn
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 4
+  # Extra environment variables to run jobs.
+  envs:
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+  env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `deamon`, will use labels in `.runner` file.
+  labels: [
+    "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest",
+    "ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04",
+    "ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04",
+  ]
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: ""
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 0
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: ""
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+  # Pull docker image(s) even if already present
+  force_pull: false
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:

roles/authentik/handlers/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart authentik
+  service: name=authentik state=restarted
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/authentik/tasks/main.yml

@@ -0,0 +1,51 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+    - docker-compose
+
+- name: Create authentik group
+  group: name=authentik
+
+- name: Create authentik user
+  user:
+    name: authentik
+    home: /opt/authentik
+    shell: /bin/bash
+    group: authentik
+    groups: docker
+
+- name: Configure authentik container
+  template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml
+  notify: Restart authentik
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ authentik_domain }}.key -out /etc/nginx/ssl/{{ authentik_domain }}.crt -days 730 -subj "/CN={{ authentik_domain }}" creates=/etc/nginx/ssl/{{ authentik_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for authentik
+  template: src=certs.j2 dest=/etc/acertmgr/{{ authentik_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/authentik
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/authentik dest=/etc/nginx/sites-enabled/authentik state=link
+  notify: Restart nginx
+
+- name: Systemd unit for authentik
+  template: src=authentik.service.j2 dest=/etc/systemd/system/authentik.service
+  notify:
+  - Reload systemd
+  - Restart authentik
+
+- name: Start the authentik service
+  service: name=authentik state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ authentik_domain }}"

roles/authentik/templates/authentik.service.j2

@@ -0,0 +1,28 @@
+[Unit]
+Description=authentik service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
+
+[Service]
+Type=simple
+
+User=authentik
+Group=authentik
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/authentik
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose down -v
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
+
+[Install]
+WantedBy=multi-user.target

roles/authentik/templates/certs.j2

@@ -0,0 +1,15 @@
+---
+
+{{ authentik_domain }}:
+- path: /etc/nginx/ssl/{{ authentik_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ authentik_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'

roles/authentik/templates/docker-compose.yml.j2

@@ -0,0 +1,75 @@
+---
+version: "3.4"
+services:
+  postgresql:
+    image: docker.io/library/postgres:12-alpine
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - ./database:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: {{ authentik_dbpass }}
+      POSTGRES_USER: {{ authentik_dbuser }}
+      POSTGRES_DB: {{ authentik_dbname }}
+  redis:
+    image: docker.io/library/redis:alpine
+    command: --save 60 1 --loglevel warning
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - ./redis:/data
+  server:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.7}
+    restart: unless-stopped
+    command: server
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
+      AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
+      AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
+      AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
+    volumes:
+      - ./media:/media
+      - ./custom-templates:/templates
+    ports:
+      - "127.0.0.1:9000:9000"
+    depends_on:
+      - postgresql
+      - redis
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.7}
+    restart: unless-stopped
+    command: worker
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
+      AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
+      AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
+      AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
+    # `user: root` and the docker socket volume are optional.
+    # See more for the docker socket integration here:
+    # https://goauthentik.io/docs/outposts/integrations/docker
+    # Removing `user: root` also prevents the worker from fixing the permissions
+    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+    # (1000:1000 by default)
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./media:/media
+      - ./certs:/certs
+      - ./custom-templates:/templates
+    depends_on:
+      - postgresql
+      - redis

roles/authentik/templates/vhost.j2

@@ -0,0 +1,41 @@
+map $http_upgrade $connection_upgrade {
+	default	upgrade;
+	''	close;
+}
+
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ authentik_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ authentik_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ authentik_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ authentik_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ authentik_domain }}.crt;
+
+	location / {
+		proxy_pass http://localhost:9000;
+		proxy_http_version 1.1;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade;
+	}
+}

roles/bk_dss/defaults/main.yml

@@ -1,4 +1,4 @@
 ---
 
 dss_uwsgi_port: 5001
-dss_version: 0.8.4
+dss_version: 0.8.5

roles/bk_dss/templates/config.cfg.j2

@@ -1,12 +1,14 @@
 DEBUG = True
+REMEMBER_COOKIE_SECURE = True
 SECRET_KEY = "{{ dss_secret }}"
+SESSION_COOKIE_SECURE = True
 SESSION_TIMEOUT = 3600
 
 LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
 LDAP_URI = "{{ ldap_uri }}"
 LDAP_BASE = "{{ ldap_base }}"
 
-ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=marove,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
+ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=anke,ou=people,dc=binary-kitchen,dc=de", "cn=toffy,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
 
 USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
 
@@ -28,7 +30,7 @@ USER_ATTRS = {
 	'userPassword' : '{pass}'
 }
 
-GROUP_DN = 'cn=members,ou=groups,dc=binary-kitchen,dc=de'
+GROUP_FILTER = "(objectClass=posixGroup)"
 
 REDIS_HOST = "127.0.0.1"
 REDIS_PASSWD = None

roles/common/defaults/main.yml

@@ -6,3 +6,6 @@ logrotate_excludes:
 - "/etc/logrotate.d/dbconfig-common"
 - "/etc/logrotate.d/btmp"
 - "/etc/logrotate.d/wtmp"
+
+sshd_password_authentication: "no"
+sshd_permit_root_login: "prohibit-password"

roles/common/handlers/main.yml

@@ -6,6 +6,9 @@
 - name: Restart journald
   service: name=systemd-journald state=restarted
 
+- name: Restart sshd
+  service: name=sshd state=restarted
+
 - name: update-grub
   command: update-grub
 

roles/common/tasks/Debian.yml

@@ -16,6 +16,7 @@
     - rsync
     - sudo
     - vim-nox
+    - wget
     - zsh
 
 - name: Install software on KVM VMs
@@ -102,3 +103,12 @@
     regexp: "rotate [0-9]+"
     replace: "rotate 7"
   loop: "{{ logrotateconfigpaths }}"
+
+- name: Configure sshd
+  template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart sshd

roles/common/templates/chrony.conf.j2

@@ -1,6 +1,9 @@
 # Welcome to the chrony configuration file. See chrony.conf(5) for more
 # information about usable directives.
 
+# Include configuration files found in /etc/chrony/conf.d.
+confdir /etc/chrony/conf.d
+
 {% for srv in ntp_servers %}
 server {{ srv }} iburst
 {% endfor %}
@@ -23,6 +26,9 @@ keyfile /etc/chrony/chrony.keys
 # information.
 driftfile /var/lib/chrony/chrony.drift
 
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
 # Uncomment the following line to turn logging on.
 #log tracking measurements statistics
 
@@ -33,7 +39,7 @@ logdir /var/log/chrony
 maxupdateskew 100.0
 
 # This directive enables kernel synchronisation (every 11 minutes) of the
-# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
 rtcsync
 
 # Step the system clock instead of slewing it if the adjustment is larger than

roles/common/templates/sshd_config.j2

@@ -0,0 +1,132 @@
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin {{ sshd_permit_root_login }}
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+{% if sshd_authkeys_command is defined and sshd_authkeys_command %}
+AuthorizedKeysCommand {{ sshd_authkeys_command }}
+{%   if sshd_authkeys_user is defined and sshd_authkeys_user %}
+AuthorizedKeysCommandUser {{ sshd_authkeys_user }}
+{%   else %}
+AuthorizedKeysCommandUser nobody
+{%   endif %}
+{% else %}
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+{% endif %}
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication {{ sshd_password_authentication }}
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server

roles/dhcpd/templates/dhcp/dhcpd.conf.j2

@@ -107,7 +107,6 @@ subnet 172.23.13.0 netmask 255.255.255.0 {
 # Users Auweg
 subnet 172.23.14.0 netmask 255.255.255.0 {
   option routers 172.23.14.1;
-  ddns-domainname "users.binary.kitchen";
   option domain-search "binary.kitchen", "users.binary.kitchen";
   pool {
 {% if dhcpd_failover == true %}
@@ -143,7 +142,7 @@ host ap01 {
 }
 
 host ap04 {
-  hardware ethernet 44:48:c1:ce:90:06;
+  hardware ethernet 74:9e:75:ce:93:54;
   fixed-address ap04.binary.kitchen;
 }
 

roles/dns_extern/templates/pdns.conf.j2

@@ -1,5 +1,4 @@
-local-address=0.0.0.0
-local-ipv6=::
+local-address=0.0.0.0, ::
 launch=gsqlite3
 gsqlite3-dnssec
 gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3

roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2

@@ -1,7 +1,7 @@
 $ORIGIN 23.172.in-addr.arpa.	; base for unqualified names
 $TTL 1h				; default time-to-live
 @				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
-					2021120101; serial
+					2024030100; serial
 					1d; refresh
 					2h; retry
 					4w; expire
@@ -50,6 +50,8 @@ $TTL 1h				; default time-to-live
 35.2				IN	PTR	knoedel.binary.kitchen.
 36.2				IN	PTR	schweinshaxn.binary.kitchen.
 37.2				IN	PTR	bob.binary.kitchen.
+38.2				IN	PTR	lasagne.binary.kitchen.
+39.2				IN	PTR	tschunk.binary.kitchen.
 62.2				IN	PTR	bowle.binary.kitchen.
 91.2				IN	PTR	strammermax.binary.kitchen.
 92.2				IN	PTR	obatzda.binary.kitchen.
@@ -67,6 +69,7 @@ $GENERATE 10-230 $.3		IN	PTR	dhcp-${0,3,d}-03.binary.kitchen.
 ; MQTT
 1.4				IN	PTR	v2304.core.binary.kitchen.
 6.4				IN	PTR	pizza.mqtt.binary.kitchen.
+7.4				IN	PTR	lasagne.mqtt.binary.kitchen.
 $GENERATE 10-240 $.4		IN	PTR	dhcp-${0,3,d}-04.binary.kitchen.
 241.4				IN	PTR	habdisplay1.mqtt.binary.kitchen.
 242.4				IN	PTR	habdisplay2.mqtt.binary.kitchen.
@@ -91,6 +94,7 @@ $GENERATE 2-254 $.10		IN	PTR	vpn-${0,3,d}-10.binary.kitchen.
 111.12				IN	PTR	rfp11.binary.kitchen.
 ; Services Auweg
 3.13				IN	PTR	aeron.binary.kitchen.
+12.13				IN	PTR	lock-auweg.binary.kitchen.
 ; Clients Auweg
 $GENERATE 10-230 $.14		IN	PTR	dhcp-${0,3,d}-14.binary.kitchen.
 ; MQTT

roles/dns_intern/templates/bind/binary.kitchen.zone.j2

@@ -1,7 +1,7 @@
 $ORIGIN binary.kitchen		; base for unqualified names
 $TTL 1h				; default time-to-live
 @				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
-					2021120101; serial
+					2024030100; serial
 					1d; refresh
 					2h; retry
 					4w; expire
@@ -30,7 +30,6 @@ netbox				IN	A	172.23.2.7
 ns1				IN	A	172.23.2.3
 ns2				IN	A	172.23.2.4
 omm				IN	A	172.23.2.35
-racktables			IN	A	172.23.2.6
 radius				IN	A	172.23.2.3
 radius				IN	A	172.23.2.4
 ; Loopback
@@ -74,6 +73,8 @@ pancake				IN	A	172.23.2.34
 knoedel				IN	A	172.23.2.35
 schweinshaxn			IN	A	172.23.2.36
 bob				IN	A	172.23.2.37
+lasagne				IN	A	172.23.2.38
+tschunk				IN	A	172.23.2.39
 bowle				IN	A	172.23.2.62
 strammermax			IN	A	172.23.2.91
 obatzda				IN	A	172.23.2.92
@@ -91,6 +92,7 @@ noodlehub			IN	A	172.23.3.251
 ; MQTT
 v2304.core			IN	A	172.23.4.1
 pizza.mqtt			IN	A	172.23.4.6
+lasagne.mqtt			IN	A	172.23.4.7
 $GENERATE 10-240 dhcp-${0,3,d}-04	IN	A	172.23.4.$
 habdisplay1.mqtt		IN	A	172.23.4.241
 habdisplay2.mqtt		IN	A	172.23.4.242
@@ -112,6 +114,7 @@ weizen				IN	A	172.23.12.61
 rfp11				IN	A	172.23.12.111
 ; Services Auweg
 aeron				IN	A	172.23.13.3
+lock-auweg			IN	A	172.23.13.12
 ; Clients Auweg
 $GENERATE 10-230 dhcp-${0,3,d}-14	IN	A	172.23.14.$
 ; MQTT Auweg

roles/dns_intern/templates/dnsdist.conf.j2

@@ -10,11 +10,11 @@ newServer({address='127.0.0.1:5353', pool='resolve'})
 
 {% if dns_secondary is defined %}
 -- allow AXFR/IXFR only from slaves
-addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
+addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
 {% endif %}
 
 -- allow NOTIFY only from master
-addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
+addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
 
 -- use auth servers for own zones
 addAction('binary.kitchen', PoolAction('authdns'))

roles/dns_intern/templates/pdns.conf.j2

@@ -26,12 +26,6 @@ launch=bind,gsqlite3
 # local-address=0.0.0.0
 local-address=127.0.0.1
 
-#################################
-# local-ipv6	Local IP address to which we bind
-#
-# local-ipv6=::
-local-ipv6=
-
 #################################
 # local-port	The port on which we listen
 #

roles/dns_intern/templates/recursor.conf.j2

@@ -11,9 +11,9 @@
 config-dir=/etc/powerdns
 
 #################################
-# dnssec	DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
+# dnssec	DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate
 #
-# dnssec=process-no-validate
+# dnssec=process
 dnssec=off
 
 #################################

roles/docker/tasks/main.yml

@@ -1,17 +1,10 @@
 ---
 
-- name: Enable docker apt-key
-  apt_key: url='https://download.docker.com/linux/debian/gpg'
-
-- name: Enable docker repository
-  apt_repository:
-    repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
-    filename: docker
-
 - name: Install docker
   apt:
     name:
-    - docker-ce
-    - docker-ce-cli
-    - containerd.io
+    - docker.io
     - python3-docker
+
+- name: Enable docker
+  service: name=docker state=started enabled=yes

roles/doorlock/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
+- name: Restart nginx
+  service: name=nginx state=restarted

roles/doorlock/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/doorlock/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- name: Ensure certificates are available
+  command:
+    cmd: >
+      openssl req -x509 -nodes -newkey rsa:2048
+      -keyout /etc/nginx/ssl/{{ doorlock_domain }}.key -out /etc/nginx/ssl/{{ doorlock_domain }}.crt
+      -days 730 -subj "/CN={{ doorlock_domain }}"
+    creates: /etc/nginx/ssl/{{ doorlock_domain }}.crt
+  notify: Restart nginx
+
+- name: Request nsupdate key for certificate
+  include_role: name=acme-dnskey-generate
+  vars:
+    acme_dnskey_san_domains:
+    - "{{ doorlock_domain }}"
+
+- name: Configure certificate manager for doorlock
+  template: src=certs.j2 dest=/etc/acertmgr/{{ doorlock_domain }}.conf
+  notify: Run acertmgr

roles/doorlock/templates/certs.j2

@@ -0,0 +1,18 @@
+---
+
+{{ doorlock_domain }}:
+- mode: dns.nsupdate
+  nsupdate_server: {{ acme_dnskey_server }}
+  nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ doorlock_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ doorlock_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'

roles/drone/files/drone.service

@@ -1,14 +0,0 @@
-[Unit]
-Description=drone.io server
-After=network-online.target
-
-[Service]
-Type=simple
-User=drone
-EnvironmentFile=/etc/default/drone
-ExecStart=/opt/drone/bin/drone-server
-Restart=always
-RestartSec=5s
-
-[Install]
-WantedBy=multi-user.target

roles/drone/tasks/main.yml

@@ -1,57 +0,0 @@
----
-
-- name: Create user
-  user: name=drone
-
-# TODO install drone to /opt/drone/bin
-# currently it is manually compiled
-
-- name: Configure drone
-  template: src=drone.j2 dest=/etc/default/drone
-  notify: Restart drone
-
-- name: Install PostgreSQL
-  apt:
-    name:
-    - postgresql
-    - python3-psycopg2
-
-- name: Configure PostgreSQL database
-  postgresql_db: name={{ drone_dbname }}
-  become: true
-  become_user: postgres
-
-- name: Configure PostgreSQL user
-  postgresql_user: db={{ drone_dbname }} name={{ drone_dbuser }} password={{ drone_dbpass }} priv=ALL state=present
-  become: true
-  become_user: postgres
-
-- name: Ensure certificates are available
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ drone_domain }}.key -out /etc/nginx/ssl/{{ drone_domain }}.crt -days 730 -subj "/CN={{ drone_domain }}" creates=/etc/nginx/ssl/{{ drone_domain }}.crt
-  notify: Restart nginx
-
-- name: Configure certificate manager for drone
-  template: src=certs.j2 dest=/etc/acertmgr/{{ drone_domain }}.conf
-  notify: Run acertmgr
-
-- name: Configure vhost
-  template: src=vhost.j2 dest=/etc/nginx/sites-available/drone
-  notify: Restart nginx
-
-- name: Enable vhost
-  file: src=/etc/nginx/sites-available/drone dest=/etc/nginx/sites-enabled/drone state=link
-  notify: Restart nginx
-
-- name: Install systemd unit
-  copy: src=drone.service dest=/lib/systemd/system/drone.service
-  notify:
-  - Reload systemd
-  - Restart drone
-
-- name: Enable drone
-  service: name=drone enabled=yes
-
-- name: Enable monitoring
-  include_role: name=icinga-monitor tasks_from=http
-  vars:
-    vhost: "{{ drone_domain }}"

roles/drone/templates/drone.j2

@@ -1,10 +0,0 @@
-DRONE_AGENTS_ENABLED=true
-DRONE_DATABASE_DATASOURCE=postgres://{{ drone_dbuser }}:{{ drone_dbpass }}@127.0.0.1:5432/{{ drone_dbname }}
-DRONE_DATABASE_DRIVER=postgres
-DRONE_GITEA_SERVER=https://{{ gitea_domain }}
-DRONE_GITEA_CLIENT_ID={{ drone_gitea_client }}
-DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_secret }}
-DRONE_RPC_SECRET={{ drone_secret }}
-DRONE_SERVER_HOST={{ drone_domain }}
-DRONE_SERVER_PROTO=https
-DRONE_USER_CREATE=username:{{ drone_admin }},admin:true

roles/drone/templates/vhost.j2

@@ -1,31 +0,0 @@
-server {
-	listen 80;
-	listen [::]:80;
-
-	server_name {{ drone_domain }};
-
-	location /.well-known/acme-challenge {
-		default_type "text/plain";
-		alias /var/www/acme-challenge;
-	}
-
-	location / {
-		return 301 https://{{ drone_domain }}$request_uri;
-	}
-}
-
-server {
-	listen 443 ssl http2;
-	listen [::]:443 ssl http2;
-
-	server_name {{ drone_domain }};
-
-	ssl_certificate_key /etc/nginx/ssl/{{ drone_domain }}.key;
-	ssl_certificate /etc/nginx/ssl/{{ drone_domain }}.crt;
-
-	location / {
-		client_max_body_size 128M;
-		proxy_set_header X-Real-IP $remote_addr;
-		proxy_pass http://localhost:8080;
-	}
-}

roles/drone_runner/tasks/main.yml

@@ -1,21 +0,0 @@
----
-
-- name: Run runner container
-  docker_container:
-    name: runner
-    image: drone/drone-runner-docker:1
-    env:
-      DRONE_RPC_PROTO: "https"
-      DRONE_RPC_HOST: "{{ drone_domain }}"
-      DRONE_RPC_SECRET: "{{ drone_secret }}"
-      DRONE_RUNNER_CAPACITY: "2"
-      DRONE_RUNNER_NAME: "{{ ansible_fqdn }}"
-      DRONE_UI_USERNAME: "admin"
-      DRONE_UI_PASSWORD: "{{ drone_uipass }}"
-    ports:
-    - "3000:3000"
-    pull: yes
-    restart_policy: unless-stopped
-    state: started
-    volumes:
-    - "/var/run/docker.sock:/var/run/docker.sock"

roles/event_web/files/certs

@@ -0,0 +1,15 @@
+---
+
+eh21.easterhegg.eu engel.eh21.easterhegg.eu:
+- path: /etc/nginx/ssl/eh21.easterhegg.eu.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/eh21.easterhegg.eu.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'

roles/event_web/files/vhost

@@ -0,0 +1,68 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name eh21.easterhegg.eu;
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://eh21.easterhegg.eu$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name eh21.easterhegg.eu;
+
+	ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
+	ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
+
+	root /var/www/eh21;
+}
+
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name engel.eh21.easterhegg.eu;
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://engel.eh21.easterhegg.eu$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name engel.eh21.easterhegg.eu;
+
+	ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
+	ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
+
+	root /var/www/engel/public;
+
+	index index.php;
+
+	location / {
+		try_files $uri $uri/ /index.php?$args;
+	}
+
+	location ~ \.php$ {
+		fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+		fastcgi_index index.php;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+		include fastcgi_params;
+	}
+}

roles/event_web/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/event_web/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/event_web/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+
+- name: Install dependencies
+  apt:
+    name:
+    - php-fpm
+
+- name: Create vhost directory
+  file: path=/var/www/eh21 state=directory owner=www-data group=www-data
+
+- name: Create vhost directory
+  file: path=/var/www/engel state=directory owner=www-data group=www-data
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/eh21.easterhegg.eu.key -out /etc/nginx/ssl/eh21.easterhegg.eu.crt -days 730 -subj "/CN=eh21.easterhegg.eu" creates=/etc/nginx/ssl/eh21.easterhegg.eu.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager
+  copy: src=certs dest=/etc/acertmgr/eh21.easterhegg.eu.conf
+  notify: Run acertmgr
+
+- name: Configure vhosts
+  copy: src=vhost dest=/etc/nginx/sites-available/www
+  notify: Restart nginx
+
+- name: Enable vhosts
+  file: src=/etc/nginx/sites-available/www dest=/etc/nginx/sites-enabled/www state=link
+  notify: Restart nginx
+
+- name: Start php8.2-fpm
+  service: name=php8.2-fpm state=started enabled=yes

roles/fileserver/templates/smb.conf.j2

@@ -42,7 +42,7 @@
 # option cannot handle dynamic or non-broadcast interfaces correctly.
 ;   bind interfaces only = yes
 
-
+   min protocol = NT1
 
 #### Debugging/Accounting ####
 
@@ -213,7 +213,7 @@
 ;[printers]
 ;   comment = All Printers
 ;   browseable = no
-;   path = /var/spool/samba
+;   path = /var/tmp
 ;   printable = yes
 ;   guest ok = no
 ;   read only = yes
@@ -240,5 +240,5 @@
    browseable = yes
    read only = no
    guest ok = yes
-   create mask = 0600
-   directory mask = 0700
+   create mask = 0660
+   directory mask = 0770

roles/gitea/defaults/main.yml

@@ -3,6 +3,5 @@
 gitea_user: gogs
 gitea_group: gogs
 
-gitea_checksum: sha256:1fedb3dd22a8fa2e815dd0491d3db36b3ebf1bb78eafdb8d3f60f740c8885365
-gitea_version: 1.16.8
+gitea_version: 1.21.10
 gitea_url: https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64

roles/gitea/tasks/main.yml

@@ -6,19 +6,24 @@
 - name: Create user
   user: name={{ gitea_user }} home=/home/{{ gitea_user }} group={{ gitea_group }}
 
-- name: Create gitea directories
-  file: path={{ item }} state=directory owner={{ gitea_user }}
+- name: Create directories
+  file: path={{ item }} state=directory owner={{ gitea_user }} group={{ gitea_group }}
   with_items:
   - /opt/gitea
   - /opt/gitea/custom
   - /opt/gitea/custom/conf
 
 - name: Download gitea binary
-  get_url: url={{ gitea_url }} dest=/opt/gitea/gitea checksum={{ gitea_checksum }} mode=0755
+  get_url: url={{ gitea_url }} dest=/opt/gitea/gitea-{{ gitea_version }} mode=0755
+  register: gitea_download
+
+- name: Symlink gitea binary
+  file: src=/opt/gitea/gitea-{{ gitea_version }} dest=/opt/gitea/gitea state=link
+  when: gitea_download.changed
   notify: Restart gitea
 
 - name: Configure gitea
-  template: src=app.ini.j2 dest=/opt/gitea/custom/conf/app.ini force=no owner={{ gitea_user }}
+  template: src=app.ini.j2 dest=/opt/gitea/custom/conf/app.ini force=no owner={{ gitea_user }} group={{ gitea_group }}
 
 - name: Install systemd unit
   template: src=gitea.service.j2 dest=/lib/systemd/system/gitea.service
@@ -62,7 +67,7 @@
   notify: Restart nginx
 
 - name: Enable gitea
-  service: name=gitea enabled=yes
+  service: name=gitea state=started enabled=yes
 
 - name: Enable monitoring
   include_role: name=icinga-monitor tasks_from=http

roles/gitea/templates/gitea.service.j2

@@ -8,7 +8,7 @@ Requires=postgresql.service
 RestartSec=2s
 Type=simple
 User={{ gitea_user }}
-Group={{ gitea_user }}
+Group={{ gitea_group }}
 WorkingDirectory=/opt/gitea/
 ExecStart=/opt/gitea/gitea web
 Restart=always

roles/grafana/tasks/main.yml

@@ -1,10 +1,10 @@
 ---
 
 - name: Enable grafana apt-key
-  apt_key: url="https://packages.grafana.com/gpg.key"
+  apt_key: url="https://apt.grafana.com/gpg.key" keyring="/etc/apt/trusted.gpg.d/grafana.gpg"
 
 - name: Enable grafana repository
-  apt_repository: repo="deb https://packages.grafana.com/oss/deb stable main"
+  apt_repository: repo="deb https://apt.grafana.com stable main"
 
 - name: Install grafana
   apt: name=grafana

roles/grafana/templates/vhost.j2

@@ -25,7 +25,8 @@ server {
 
 	location / {
 		client_max_body_size 1024M;
-		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header Host $http_host;
 		proxy_pass http://localhost:3000;
 	}
 }

roles/hackmd/defaults/main.yml

@@ -1,4 +0,0 @@
----
-
-hedgedoc_version: 1.9.3
-hedgedoc_archive: https://github.com/hedgedoc/hedgedoc/archive/{{ hedgedoc_version }}.tar.gz

roles/hackmd/tasks/main.yml

@@ -1,110 +0,0 @@
----
-
-- name: Create user
-  user: name=hackmd
-
-- name: Enable nodesource apt-key
-  apt_key: url="https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
-
-- name: Enable nodesource repository
-  apt_repository: repo="deb https://deb.nodesource.com/node_14.x/ {{ ansible_distribution_release }} main"
-
-- name: Enable yarnpkg apt-key
-  apt_key: url="https://dl.yarnpkg.com/debian/pubkey.gpg"
-
-- name: Enable yarnpkg repository
-  apt_repository: repo="deb https://dl.yarnpkg.com/debian/ stable main"
-
-- name: Pin nodejs repository
-  blockinfile:
-    path: /etc/apt/preferences.d/nodejs
-    create: yes
-    block: |
-      Package: *
-      Pin: origin deb.nodesource.com
-      Pin-Priority: 600
-
-- name: Install packages
-  apt:
-    name:
-    - build-essential
-    - git
-    - nodejs
-    - postgresql
-    - python3-psycopg2
-    - yarn
-
-- name: Unpack hedgedoc
-  unarchive: src={{ hedgedoc_archive }} dest=/opt owner=hackmd group=hackmd remote_src=yes creates=/opt/hedgedoc-{{ hedgedoc_version }}
-  register: hedgedoc_unarchive
-
-- name: Create hedgedoc upload path
-  file: path=/opt/hedgedoc/uploads state=directory recurse=yes owner=hackmd group=hackmd
-
-- name: Remove old hedgedoc upload path
-  file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads state=absent force=yes
-
-- name: Link hedgedoc upload path
-  file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads src=/opt/hedgedoc/uploads state=link owner=hackmd group=hackmd
-
-- name: Setup hedgedoc
-  command: bin/setup chdir=/opt/hedgedoc-{{ hedgedoc_version }} creates=/opt/hedgedoc-{{ hedgedoc_version }}/config.json
-  become: true
-  become_user: hackmd
-
-- name: Configure hedgedoc
-  template: src=config.json.j2 dest=/opt/hedgedoc-{{ hedgedoc_version }}/config.json owner=hackmd
-  register: hedgedoc_config
-  notify: Restart hedgedoc
-
-- name: Install hedgedoc frontend deps
-  command: /usr/bin/yarn install chdir=/opt/hedgedoc-{{ hedgedoc_version }}
-  become: true
-  become_user: hackmd
-  when: hedgedoc_unarchive.changed or hedgedoc_config.changed
-
-- name: Build hedgedoc frontend
-  command: /usr/bin/yarn build chdir=/opt/hedgedoc-{{ hedgedoc_version }}
-  become: true
-  become_user: hackmd
-  when: hedgedoc_unarchive.changed or hedgedoc_config.changed
-
-- name: Configure PostgreSQL database
-  postgresql_db: name={{ hedgedoc_dbname }}
-  become: true
-  become_user: postgres
-
-- name: Configure PostgreSQL user
-  postgresql_user: db={{ hedgedoc_dbname }} name={{ hedgedoc_dbuser }} password={{ hedgedoc_dbpass }} priv=ALL state=present
-  become: true
-  become_user: postgres
-
-- name: Ensure certificates are available
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hedgedoc_domain }}.key -out /etc/nginx/ssl/{{ hedgedoc_domain }}.crt -days 730 -subj "/CN={{ hedgedoc_domain }}" creates=/etc/nginx/ssl/{{ hedgedoc_domain }}.crt
-  notify: Restart nginx
-
-- name: Configure certificate manager for hedgedoc
-  template: src=certs.j2 dest=/etc/acertmgr/{{ hedgedoc_domain }}.conf
-  notify: Run acertmgr
-
-- name: Configure vhost
-  template: src=vhost.j2 dest=/etc/nginx/sites-available/hedgedoc
-  notify: Restart nginx
-
-- name: Enable vhost
-  file: src=/etc/nginx/sites-available/hedgedoc dest=/etc/nginx/sites-enabled/hedgedoc state=link
-  notify: Restart nginx
-
-- name: Systemd unit for hedgedoc
-  template: src=hedgedoc.service.j2 dest=/etc/systemd/system/hedgedoc.service
-  notify:
-  - Reload systemd
-  - Restart hedgedoc
-
-- name: Start the hedgedoc service
-  service: name=hedgedoc state=started enabled=yes
-
-- name: Enable monitoring
-  include_role: name=icinga-monitor tasks_from=http
-  vars:
-    vhost: "{{ hedgedoc_domain }}"

roles/hackmd/templates/config.json.j2

@@ -1,45 +0,0 @@
-{
-    "production": {
-        "domain": "{{ hedgedoc_domain }}",
-        "protocolUseSSL": true,
-        "allowAnonymous": false,
-        "allowAnonymousEdits": true,
-        "allowFreeURL": true,
-        "sessionSecret": "{{ hedgedoc_secret }}",
-        "hsts": {
-            "enable": true,
-            "maxAgeSeconds": 2592000,
-            "includeSubdomains": true,
-            "preload": true
-        },
-        "csp": {
-            "enable": true,
-            "directives": {
-            },
-            "upgradeInsecureRequests": "auto",
-            "addDefaults": true,
-            "addDisqus": true,
-            "addGoogleAnalytics": true
-        },
-        "db": {
-            "username": "{{ hedgedoc_dbuser }}",
-            "password": "{{ hedgedoc_dbpass }}",
-            "database": "{{ hedgedoc_dbname }}",
-            "host": "localhost",
-            "port": "5432",
-            "dialect": "postgres"
-        },
-        "ldap": {
-            "url": "{{ ldap_uri }}",
-            "bindDn": "{{ ldap_binddn }}",
-            "bindCredentials": "{{ ldap_bindpw }}",
-            "searchBase": "{{ ldap_base }}",
-            "searchFilter": "(uid={{ '{{' }}username{{ '}}' }})",
-            "searchAttributes": ["cn", "uid"],
-            "usernameField": "cn",
-            "useridField": "uid",
-            "tlsca": "/etc/ssl/certs/ca-certificates.crt"
-        },
-        "email": false
-    }
-}

roles/hackmd/templates/hedgedoc.service.j2

@@ -1,14 +0,0 @@
-[Unit]
-Description=HedgeDoc
-After=network.target
-
-[Service]
-Environment=NODE_ENV=production
-WorkingDirectory=/opt/hedgedoc-{{ hedgedoc_version }}
-Type=simple
-User=hackmd
-ExecStart=/usr/bin/yarn start
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target

roles/hedgedoc/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/hedgedoc/tasks/main.yml

@@ -0,0 +1,51 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+    - docker-compose
+
+- name: Create hedgedoc group
+  group: name=hedgedoc
+
+- name: Create hedgedoc user
+  user:
+    name: hedgedoc
+    home: /opt/hedgedoc
+    shell: /bin/bash
+    group: hedgedoc
+    groups: docker
+
+- name: Configure hedgedoc container
+  template: src=docker-compose.yml.j2 dest=/opt/hedgedoc/docker-compose.yml
+  notify: Restart hedgedoc
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hedgedoc_domain }}.key -out /etc/nginx/ssl/{{ hedgedoc_domain }}.crt -days 730 -subj "/CN={{ hedgedoc_domain }}" creates=/etc/nginx/ssl/{{ hedgedoc_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for hedgedoc
+  template: src=certs.j2 dest=/etc/acertmgr/{{ hedgedoc_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/hedgedoc
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/hedgedoc dest=/etc/nginx/sites-enabled/hedgedoc state=link
+  notify: Restart nginx
+
+- name: Systemd unit for hedgedoc
+  template: src=hedgedoc.service.j2 dest=/etc/systemd/system/hedgedoc.service
+  notify:
+  - Reload systemd
+  - Restart hedgedoc
+
+- name: Start the hedgedoc service
+  service: name=hedgedoc state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ hedgedoc_domain }}"

roles/hedgedoc/templates/docker-compose.yml.j2

@@ -0,0 +1,44 @@
+version: "3"
+services:
+  database:
+    image: postgres:13-alpine
+    environment:
+      - POSTGRES_USER={{ hedgedoc_dbuser }}
+      - POSTGRES_PASSWORD={{ hedgedoc_dbpass }}
+      - POSTGRES_DB={{ hedgedoc_dbname }}
+    volumes:
+      - ./database:/var/lib/postgresql/data
+  app:
+    image: quay.io/hedgedoc/hedgedoc:1.9.9
+    restart: on-failure
+    environment:
+      - CMD_DOMAIN={{ hedgedoc_domain }}
+      - CMD_PROTOCOL_USESSL=true
+      - CMD_ALLOW_ANONYMOUS=false
+      - CMD_ALLOW_ANONYMOUS_EDITS=true
+      - CMD_ALLOW_FREEURL=true
+      - CMD_SESSION_SECRET={{ hedgedoc_secret }}
+      - CMD_HSTS_ENABLE=true
+      - CMD_HSTS_MAX_AGE=2592000
+      - CMD_HSTS_INCLUDE_SUBDOMAINS=true
+      - CMD_HSTS_PRELOAD=true
+      - CMD_CSP_ENABLE=true
+      - CMD_DB_URL=postgres://{{ hedgedoc_dbuser }}:{{ hedgedoc_dbpass }}@database/{{ hedgedoc_dbname }}
+      - CMD_LDAP_URL={{ ldap_uri }}
+      - CMD_LDAP_BINDDN={{ ldap_binddn }}
+      - CMD_LDAP_BINDCREDENTIALS={{ ldap_bindpw }}
+      - CMD_LDAP_SEARCHBASE={{ ldap_base }}
+      - CMD_LDAP_SEARCHFILTER=(uid={{ '{{' }}username{{ '}}' }})
+      - CMD_LDAP_SEARCHATTRIBUTES=cn,uid
+      - CMD_LDAP_USERIDFIELD=uid
+      - CMD_LDAP_USERNAMEFIELD=cn
+      - CMD_LDAP_TLS_CA=/etc/ssl/certs/ca-certificates.crt
+      - CMD_EMAIL=false
+    volumes:
+      - /etc/hosts:/etc/hosts:ro
+      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
+      - ./uploads:/hedgedoc/public/uploads
+    ports:
+      - "127.0.0.1:3000:3000"
+    depends_on:
+      - database

roles/hedgedoc/templates/hedgedoc.service.j2

@@ -0,0 +1,28 @@
+[Unit]
+Description=hedgedoc service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
+
+[Service]
+Type=simple
+
+User=hedgedoc
+Group=hedgedoc
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/hedgedoc
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose down -v
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
+
+[Install]
+WantedBy=multi-user.target

roles/heisenbridge/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+
+heisenbridge_user: heisenbridge
+heisenbridge_group: heisenbridge
+
+heisenbridge_directory: /opt/heisenbridge
+heisenbridge_config: "{{ heisenbridge_directory }}/heisenbridge.yaml"

roles/heisenbridge/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart heisenbridge
+  service: name=heisenbridge state=restarted

roles/heisenbridge/tasks/main.yml

@@ -0,0 +1,56 @@
+---
+
+- name: Install dependencies
+  apt:
+    name:
+    - python3-pip
+    - python3-venv
+
+- name: Create group
+  group:
+    name: "{{ heisenbridge_group }}"
+    system: yes
+
+- name: Create user
+  user:
+    name: "{{ heisenbridge_user }}"
+    group: "{{ heisenbridge_group }}"
+    system: yes
+    create_home: no
+    home: "{{ heisenbridge_directory }}"
+
+- name: Create directory
+  file:
+    path: "{{ heisenbridge_directory }}"
+    state: directory
+    owner: "{{ heisenbridge_user }}"
+    group: "{{ heisenbridge_group }}"
+    mode: 0755
+
+- name: Install heisenbridge
+  pip:
+    name: heisenbridge
+    virtualenv: "{{ heisenbridge_directory }}"
+    virtualenv_command: python3 -m venv
+  become: true
+  become_user: "{{ heisenbridge_user }}"
+  environment:
+    MULTIDICT_NO_EXTENSIONS: 1
+    YARL_NO_EXTENSIONS: 1
+
+- name: Create configuration
+  command:
+    cmd: "{{ heisenbridge_directory }}/bin/heisenbridge -c {{ heisenbridge_config }} --generate"
+    creates: "{{ heisenbridge_config }}"
+  become: true
+  become_user: "{{ heisenbridge_user }}"
+  notify: Restart heisenbridge
+
+- name: Install systemd unit
+  template: src=heisenbridge.service.j2 dest=/lib/systemd/system/heisenbridge.service
+  notify:
+  - Reload systemd
+  - Restart heisenbridge
+
+- name: Enable heisenbridge
+  service: name=heisenbridge enabled=yes

roles/heisenbridge/templates/heisenbridge.service.j2

@@ -0,0 +1,15 @@
+[Unit]
+Description=Heisenbridge
+After=network.target
+
+[Service]
+RestartSec=2s
+Type=simple
+User={{ heisenbridge_user }}
+Group={{ heisenbridge_user }}
+WorkingDirectory={{ heisenbridge_directory }}
+ExecStart={{ heisenbridge_directory }}/bin/heisenbridge -c {{ heisenbridge_config }}
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/icinga-monitor/tasks/disk.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Configure monitoring for disk
+  template:
+    src: disk.j2
+    dest: /etc/icinga2/conf.d/hosts/{{ inventory_hostname }}.disk
+    owner: "{{ icinga_user }}"
+    group: "{{ icinga_group }}"
+  delegate_to: "{{ icinga_server }}"
+
+- name: Regenerate hosts.conf
+  assemble:
+    src: /etc/icinga2/conf.d/hosts
+    dest: /etc/icinga2/conf.d/hosts.conf
+#   validate: /usr/sbin/icinga2 daemon -c %s --validate
+  notify: Restart icinga2
+  delegate_to: "{{ icinga_server }}"

roles/icinga-monitor/templates/disk.j2

@@ -0,0 +1,8 @@
+{% for disk in disks %}
+
+  vars.disks["disk {{ disk }}"] = {
+    disk_partitions = "{{ disk }}"
+    disk_wfree = "10%"
+    disk_cfree = "5%"
+  }
+{% endfor %}

roles/icinga-monitor/templates/http.j2

@@ -1,5 +1,6 @@
 
   vars.http_vhosts["{{ vhost }}"] = {
+    http_onredirect = "follow"
     http_sni = "true"
     http_ssl = "true"
     http_vhost = "{{ vhost }}"

roles/icinga/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Enable icinga apt-key
-  apt_key: url="https://packages.icinga.com/icinga.key"
+  apt_key: url="https://packages.icinga.com/icinga.key" keyring="/etc/apt/trusted.gpg.d/icinga.gpg"
 
 - name: Enable icinga repository
   apt_repository:
@@ -110,5 +110,5 @@
   file: src=/etc/nginx/sites-available/icinga dest=/etc/nginx/sites-enabled/icinga state=link
   notify: Restart nginx
 
-- name: Start php7.4-fpm
-  service: name=php7.4-fpm state=started enabled=yes
+- name: Start php8.2-fpm
+  service: name=php8.2-fpm state=started enabled=yes

roles/icinga/templates/vhost.j2

@@ -19,7 +19,7 @@ server {
 	ssl_certificate /etc/nginx/ssl/{{ icinga_domain }}.crt;
 
 	location ~ ^/icingaweb2/index\.php(.*)$ {
-		fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+		fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
 		fastcgi_index index.php;
 		include fastcgi_params;
 		fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;

roles/icinga_agent/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+
+icinga_user: nagios
+icinga_group: nagios

roles/icinga_agent/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
+- name: Restart icinga2
+  service: name=icinga2 state=restarted
+
+- name: Restart nginx
+  service: name=nginx state=restarted