indium: new temp. host for igel livestreaming

otherwise the role will fail if the host it is deployed from has VPN but
is not using our DNS infra

README.md

@@ -31,9 +31,9 @@ Currently the following hosts are installed:
 | knoedel.binary.kitchen    | Debian 12 | SIP-DECT OMM            |
 | bob.binary.kitchen        | Debian 12 | Gitea Actions           |
 | lasagne.binary.kitchen    | Debian 12 | Home Assistant *        |
-| tschunk.binary.kitchen    | Debian 11 | Strichliste             |
+| tschunk.binary.kitchen    | Debian 12 | Strichliste             |
 | bowle.binary.kitchen      | Debian 12 | Files                   |
-| lock-auweg.binary.kitchen | Debian 11 | Doorlock                |
+| lock-auweg.binary.kitchen | Debian 12 | Doorlock                |
 
 \*: The main application is not managed by ansible but manually installed
 
@@ -52,7 +52,7 @@ Currently the following hosts are installed:
 | neon.binary-kitchen.net       | Debian 12 | Auth. DNS               |
 | sodium.binary-kitchen.net     | Debian 12 | Mattrix                 |
 | magnesium.binary-kitchen.net  | Debian 12 | TURN                    |
-| aluminium.binary-kitchen.net  | Debian 12 | Zammad                  |
+| aluminium.binary-kitchen.net  | Debian 12 | Web (div. via Docker)   |
 | krypton.binary-kitchen.net    | Debian 12 | PartDB *                |
 | yttrium.binary-kitchen.net    | Debian 12 | Hintervvoidler *        |
 | zirconium.binary-kitchen.net  | Debian 12 | Jitsi                   |
@@ -62,7 +62,8 @@ Currently the following hosts are installed:
 | rhodium.binary-kitchen.net    | Debian 12 | Event pretix            |
 | palladium.binary-kitchen.net  | Debian 12 | Event pretalx           |
 | argentum.binary-kitchen.net   | Debian 12 | Event Web *             |
-| cadmium.binary-kitchen.neti   | Debian 12 | Event NetBox *          |
+| cadmium.binary-kitchen.net    | Debian 12 | Event NetBox *          |
+| indium.binary-kitchen.net     | Debian 12 | Igel CAM *              |
 | barium.binary-kitchen.net     | Debian 12 | Workadventure           |
 
 \*: The main application is not managed by ansible but manually installed

group_vars/all/vars.yml

@@ -25,6 +25,9 @@ dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
 dss_domain: dss.binary-kitchen.de
 dss_secret: "{{ vault_dss_secret }}"
 
+fpm_status_user: admin
+fpm_status_pass: "{{ vault_fpm_status_pass }}"
+
 gitea_domain: git.binary-kitchen.de
 gitea_dbname: gogs
 gitea_dbuser: gogs
@@ -102,6 +105,7 @@ mail_aliases:
 - "root@binary-kitchen.de	moepman@binary-kitchen.de,kishi@binary-kitchen.de"
 - "seife@binary-kitchen.de	anke@binary-kitchen.de"
 - "siebdruck@binary-kitchen.de	anke@binary-kitchen.de"
+- "therapy-jetzt@binary-kitchen.de	darthrain@binary-kitchen.de"
 - "vorstand@binary-kitchen.de	anke@binary-kitchen.de,christoph@schindlbeck.eu,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
 - "voucher1@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher2@binary-kitchen.de	exxess@binary-kitchen.de"
@@ -115,6 +119,9 @@ mail_aliases:
 - "voucher10@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher11@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher12@binary-kitchen.de	exxess@binary-kitchen.de"
+- "voucher13@binary-kitchen.de	exxess@binary-kitchen.de"
+- "voucher14@binary-kitchen.de	exxess@binary-kitchen.de"
+- "voucher15@binary-kitchen.de	exxess@binary-kitchen.de"
 - "workshops@binary-kitchen.de	timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
 - "tickets@eh21.easterhegg.eu	orga@eh21.easterhegg.eu"
 - "hackzuck@eh21.easterhegg.eu	kekskruemml@binary-kitchen.de"
@@ -180,6 +187,9 @@ strichliste_dbname: strichliste
 strichliste_dbuser: strichliste
 strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
 
+therapy_domain: therapy.jetzt
+therapy_secret: "{{ vault_therapy_secret }}"
+
 vaultwarden_domain: vault.binary-kitchen.de
 vaultwarden_dbname: vaultwarden
 vaultwarden_dbuser: vaultwarden

group_vars/all/vault.yml

@@ -1,106 +1,110 @@
 $ANSIBLE_VAULT;1.1;AES256
-61333062333563653966393334326633643564313063346266663461633538366662623937373738
-3732396164303638643362316564393236353737346235380a666361396631656563303733343032
-66396531313139343062363639636334373836306237363733393635346261313832366330303436
-6362383638363931380a323066343834363138356662656439343131353330366532626538653434
-64663834333563333263356532326262333938613432356233656238313365663661636334333066
-63653561316239356638653834646261643564316535306133633832666365383238303364346466
-63393164646330623061633039316638656566346663616661633464303237386261316262623533
-63306266333063373333323030666264323564663032333637343134306231373964666630333538
-63626363383836363639663830643530376361613466613666303933363563663763636635363132
-36666432646233313663613563663565313537316164313964656461666336326331303035343062
-35323363373130333935373035663635626666613236376261623934366235633738323430666330
-33323130363839386331613334636531396665316336376265333231343763656637396437653733
-64366565336132333131346463356236343934663332633830373939616434613561613564313837
-34333039363962643333343961636165323766343531336465306438306365636137636662303165
-35346530313134346432303862643735376331376432616136306537653266333434336663373931
-35373235333937646165663238636232656336393330386161636435666637356632333832646137
-30333233636266623165663538303639663466363337323330383962383139643532623462663564
-63313262366236623232303732373136393139323562313733623763363864646432653037316465
-34306261303035306436396262333131366562643166333130393438393636623034656163653131
-65363530613064633462633238343834336538353766353766336132303333383164326363316365
-31303532363838306338626662313234343134306531353765333237303962303339366233366632
-35643565353766353962386135323765356130393731363633373238626332356637363339356437
-30386361363837373434363939373361343862393364316537633463653862666164613730306565
-36343762326337333235643862626566346235333934656631306461633934306230333365343731
-64643835323061613230336234343438383938653761393133656137626434653532636466313439
-31363362306539643635386237353466343733616334303762343964636533636662333661653839
-34663264613033373965336635663131396334616432653462346634626535393761666237623936
-31666439356261303134343938333433323538653337653937333830656163633965353235653539
-65353937333463343236636237313736313565613833653530333135623233363564393266353363
-33323236643634616263303133663631386638356561373730653930646265616634356364366361
-37666362363230313664343633343464383334386539616132636562626465326364353436356338
-61383736663733643132656266633837646366343637303264363465633536633962353235303336
-38376430343733386631623334386564616264386234613664366631313334626436313865356565
-33663433663963653835376666303664656438623337663536376234356465396534306362346162
-62323262323933336232376636353831633834656536633666643961396365306464303730626463
-36363631336236353730393035613333666465653861373766393731373863353330656366306263
-62316636333230366563623836316232323831393233366539363662646564373436623230343761
-61626235656438373566646365353761376139383962353635393439666365333332313035653433
-64316638363061613561306534616465646661326637633332333734626562353664666432616137
-32643636356261613430376535633837646437626132373735323366313738633134303962306163
-30366230333533663433616664343862346232363733623239353035656134366437313662353933
-32663261663937663437643233383562656537333364643435356639616136623036306231633839
-38386631643264636535323766643661626566323661313831326530636532383330633066336130
-39306631636433376361636637633135316662306636306137366531333662303238613434333534
-35633162316363333934623663303839343366376263343536333563663833323734356566623663
-64646437343935306230333034636431396439366237643839363035313164393666616235393034
-33323333626537633730303961613263363835343030363331633165663035336633613831326632
-35363738336534663934616338363764353562306139613464663533323863326331646464333533
-36363962653830613864393565623561646233313135386163623932363865343861313534663234
-32313466656532616638376238363937613264346265316135336137363961386161376364343063
-33316662343066336438336137353262646264656434333364343334373762303062386165663530
-63313666356633633936366162366332333163656164306533356530666166353635616364643830
-66336339663737616664616430373162386238636134303137386331393837353462623336663335
-34303038323037363165613935376262376464383265323462373638313530396537633031653530
-63613135373639623138333635343035303734383932336333303063666662333164643430393637
-64393262363235616666303366346137633132313066613731333064346139646361363832343730
-39666338303339663665363033653735346130313431306131306261636430396465323937623062
-32343433376438623965363338633639383738326561376665623461653539383666636535656663
-37353665363663356464366331313236653430313034613733363665633239656361623931646432
-30653632643062366333663830326663623766646535666534613933663333366466333033383165
-33373039303564656562636432303934383132666665656161323535333930346265623639316366
-38393764346265653734373136636538346361363966393732323362323733386631623762313366
-63313733653730336536393335623138383365303934303730343136613734663062326166316461
-35313363656335643531343561336662663434353031623733353035633063396366376664303364
-36643262633832363362306263376135346632386631346432333137623631343234333337643536
-35353135303330626663663963366139363265666434363364303266613564373337616564366566
-30646635633834616536333361303361313934316434393330333231613038346466306531646537
-39303131396562656334303536613964363936643435613035623065323963633764623432373235
-37393564626239333761626131643366306131346339356364373061353865653966326362613164
-62366562326234303865323934353734613364653161316131363964666439636561663361396239
-30353266303764396265656635616462653563613630616537353530613835656333353364333632
-39663939376633613133623839353133613066633333633135316132636435363330393966396431
-30656638653662356164393038323538643661333734623937653430643931623061666330633631
-63323834313733353635363535613666643361356363386465383961626331303435333363396230
-37313835633136323134623261626432653965366230656266356333653437386463396563613563
-62656562626131336230383965303962383464643832333361343838393338353365663766373031
-31633265653262356139323564663834616164313439346133386135333563323264313261336336
-39393166613865353164376130303536373931643436633133313361356166393432363631666361
-36366537363630333830333432333466363266666636643932636565613738346239383736306533
-32333838396638656134643538313033336137316638326232303837386537393737316237356237
-62646561333430303765656537373738316131306664626533646461333261306665626336376537
-35633736303262656236303230653564386130666362303132646166306432393962306366663432
-64353366353839643366376433646661376434313266326665343063653534343531623033316461
-37306439373366303236666338616364343163663165626665613761333838333366336238343633
-38663066623532353464653164616237353464363539313762396162653139393133323438643331
-66306562346136346363396235356264303164636662386166666436316338323462656537386335
-36373763313935666539643834653237336130336530653834643263373264353233643938393965
-30313637366236383433313161386531623936356161333462636566633036383635616638316434
-66313434393365333633336231656536353138303235616439643535376338326262663632313564
-65306534356531303835373231623234356337623234366137386437303864643764613731326137
-65376337386133353739376661353766343931383135363038353839376666306337323835613935
-33303730623132613462363538666638313533333564656164363731323463613230366230373664
-31303331396264353162383138643063313737366635333664343836346338353537366362613937
-35623934646239356339343339653337656330616565616232633232373036383562393362343332
-39316661623563333234656633666365303964366338303862333730656366626533326334613038
-39663332623862626230373135623235363064636163373737316262613233663031383366363563
-34613730343564373230306237656662636130333736393136366138333864313636343362613631
-64636266626637366530363763323930643336313339613930623835326431643663356365353865
-35653238333131363262346565653066383834633131303466636232653234363366646635656338
-31386163616237316361643134396230386338643339633562376436333238346665363938323462
-32336435663138393230366632633132333834303539303439313764623163383661396536383461
-31636365633765346262616235336666363932336366373438643531663539333431663231326362
-32326230363965356434343833383662393430333535636536323066373439653330373937636565
-61306565663734636630633730383736653736383765326638656433646637393033356665633831
-66353338633833346436666134343465623236626339613363623834333261313531
+35346137343735356637663033653465666664363730663138663936636632306566313836643132
+6633663564393937323035363563326465366364373961310a643132653066323938333863626264
+66656663646164633538396132363231373430636134313632333834633435336331396338623933
+3832343264356539390a313937393535623838356465313530303836346164313261613537366430
+64393533613662376466363462643262643433663839393166613938616462663732346234363436
+66663837333861303530373036363536376239633764356461303534626233343861343135353234
+61356362353635343737356430666536636339306630613263613933356330366132356661343566
+33306437666461656339653131633537643931333164396463623433633263633139366565636362
+35306339333631623036386134373839303739373230636164653137393439633530366163613636
+65326635396135313530366161373438623365356437353234343537393033356135623862393033
+62643033656331373435316665313933653835653663376432366461363261303131623237623663
+33363238663963363963326531386137613564633338653466393436663438313231313466323433
+32323934343462333264646137366461303333363165303433663130326437353236653336623266
+30653930616465313930303961383538376662386331663430613064306366323035663431656461
+61623735336162636662616232346637653566306433316237613762623133323236353533623833
+61306630376231643266663732343565386465373066643339633136643961656161393738373862
+33353162656331363563343234303538383763303736393661333831366436633533656265343930
+38616462363238613464386439663830663264646133633631646166346130663464633333333730
+33653231303636653638323136663066666465353532383331663163626237656265656463393139
+64363465663732343930613931313363336633363335383564626366383537376634363461616163
+39393630343531313638363230656634623836396366326530616637363334313961366233306233
+35633961303661376663643339613835633563336361646137353466366436373263363138663563
+62356365616664353131663764303730643361613038663833373834336132306265376436616464
+38383937626439303362636432363936313930313339366565353034313339663536373138376438
+34366637363838623064633765653134383230656565373263356164326661326133353634636536
+31383961343066306437623031386461643430326134646537613366623131353161353335313664
+61633834656438366331653966373131656634303135373630363762313765316364343837663431
+32373438616561333634343436366638353439363563656331333263653061613231303733633134
+66386563346535646339303039353962363762663164386436626632623465363833323434343066
+63626466653162616164323831336165646136613530383063353232333464333234316435386266
+62333535373131666434626261333335663762346663313630643136383835376663636136363933
+33623237666537613164623362396537396163373437633537376435356638653533613939663734
+66626564633435663164616365313339386232386562636461653262363332393536353138393730
+33323464376666663236366134366436313237666635356565346235363630363265343535356233
+35653163663962316336323931356436366439653835346138623966366436373066303932346637
+31393932343136633239663238363337626266623163316165646533333363393038383038316664
+34363739613234666466353163643236356238353831636163393763336261353831313136653963
+33636265383634393332373031306261363764303730633466616432316433656166393035653737
+30643231616334366231333761633461653338653633663564643938616163663532333639353830
+64383761306138303736643962386235353366333832616138306237393738396230303633333132
+31373362323261303362613336333130626364646561653335373639333262663735376437376433
+36386236343233373631303633626363336665656131633862633363326233636636373832353937
+39303237393632363337396362323936646333376439373031626330343139373636333062383138
+33333137623066303961376137613361313831636631663865343863633735366433643165643035
+39373565396561326362376435666539386263666635363664633833336536366466613163323134
+39653239653935346262656333306635646535626563323130663838313564383165393961346161
+39616439376435613535336434343364343066353863626363613765303862306663373730346539
+39363136393463333538323266633235643963363663323265313738633037303862633265353236
+64343361316437623732366163326633346462343332333735333936633266623832633939626362
+32333035613963666530663335656562393465323063336330383535326565346536393731333165
+30373733343136306532636666313338626434313334303933636238643034386438386364663932
+35313134633532373466363132623632376666396161333064376538616137656163663633653064
+66623633343939306638643132386139303761646364656163326263313066616535623234323361
+37396366663734373334386131663161346461383938313263346537353836366264616164636262
+64376535373431376465386165613765653732303461356565623965346334376564343439386164
+30393664353461623965303265393338353366616164633739383434623834306166376631643330
+31303866306561366132333532396135653261613935623537366562313433396436343666386535
+37323861343462396163333431663137643232393865643238316338323735366637643666343735
+30663334326332616361623662653133383536326635626434383830633434366330313731356531
+30366562613532643334613430313737633266343237373765366238313833656463646462613666
+32393734356638633966643133383961613332623331633634646439353338303266393366323564
+36353032383030623163323065653833656330363466336466656562373034653061346163366238
+33346534313633333134356665656462346234393230323132626661666362373566383036653937
+66366266333934343263326433326163373730383361653262633966333135316437633835303665
+66663430363039633464636531326135616563636131656265356438313633306236653431656664
+30343733313638363237343131626538643932373931623136323862646366623362306365616131
+37303966343562313730653763633564336435336362656262363735393966633135376236616163
+39626637393865643338623863346666333764616430383038303434626164653861346433333764
+61386131303764383137616334363866363363313165366339636530393362396135306265303464
+63333030306338346633633863306238333334393562373662663562313733643432396462313131
+65333661343031656263623230346230353266303261646131303731636466303863323466356232
+63383835316161306431663962343966366338323138383632326533646461326232356133356265
+39636434376436363439376230633237366536653561616264613665656635636532623330353466
+65366132646536316131323038313263333961656430343661303664366266313861343463303364
+32303662393433353462346464393931393637316537623061343635353938663765646234323431
+38643531653132633763666663623637373431653731383037346262646332393864643431363338
+32343963623364613538656338336365343265383262656139643934333037383930376564343636
+33623835663035313839656333613833396635646537616464376138663262346564383834643933
+30383039633164353730656339616436343330333134323136646664393764343163313536373261
+31646164656166376232653034363864623161326564303337636534653762336337346335373238
+64373062306165616162666362326531643964656366653037663163363964653462346633666434
+35303638623239353934636332373562343962393531346132303032623334333335373734643034
+64646361373066316134613635666435306235313632633633643864373261643065303937323639
+65383663626338303134613532623763626430623864313930366463663632313130383033633831
+66613531623534336461393764623237383231333133336638313637306439633361353039613938
+30613562393635646235336330633933336233363735346534633266633730346236353265333464
+39613132306232653639326336643662353461356439623233316465316232396366616531396464
+63626462383639353434316364363164376639363264646530323038373439643132343264643231
+32656465366265383630626332613636336632656136333330643937633630396663626632333930
+61623661633666316630616632633832613231386235653434663964316533306233383539343637
+38663431666230653736326531353934396562656161616462383466353637363732616636373033
+39643438356632306431386235333532326463646161616466646634633163366233363362343563
+34393631343733326363363737623638383939353266343262633232336633386233346436393333
+31646161613464623137353939613437623835316531343336323833653437363563363462633536
+36313230363131373233623731636363313034366665633737346134366666393634386637626563
+36376135373330396664616435353539333439306434313933333235646363313262336163386263
+65353361363066363234353336623466393331326332316530356636343865663137313737313830
+35633563343064333565373463343234393732333735363963333336646561393764316462643466
+36653162343239373038336134393532386363333638383831333834373030633138633530353336
+63376334666632323130633136613230306135336231666635363036633066323863346138643330
+33623462653638656237646634623431313664336636366330626135653730323239323462383262
+39326431386235363034386138653665353136356536373838636336626430623164353761636662
+32623363663163633433623833633665313662636264656662373061356336383965303731313431
+34373332616336303062363564656137383463353836303134363434356265393361346365343630
+32613933633139643637363136623863663962356166336134656464613362363130333930356230
+63626365353266383137643263636163613932343333363632333936613831616465646437656465
+35636534363461336332626134346239656238643561313935363366343462333639633937303664
+64323739643562343234333739353334663834626438386432663737653366633466666362643138
+64313536306363653562623536646261313639333266643336613932363835356665

host_vars/aeron.binary.kitchen

@@ -5,3 +5,5 @@ radius_hostname: radius3.binary.kitchen
 slapd_hostname: ldap3.binary.kitchen
 slapd_replica_id: 3
 slapd_role: slave
+
+uau_reboot: "false"

host_vars/bacon.binary.kitchen

@@ -15,3 +15,5 @@ radius_hostname: radius1.binary.kitchen
 slapd_hostname: ldap1.binary.kitchen
 slapd_replica_id: 1
 slapd_role: slave
+
+uau_reboot: "false"

host_vars/beryllium.binary-kitchen.net

@@ -1,5 +1,5 @@
 ---
 
 root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB+wC+Lik9TNbRo40+e2BmJzJY8EuwRiJzKKvGCHlMmagOmZVf+zUmjc1uMvrgoA4UPJyKlkW1HqRhKLmsoccD2wg1JLlnjx6KBhiPGjPt833eWv0CyfJVqoHVPUs14BwCRGzuFZPXh8LC1XWiDlo23RC0RgPpk+wcOzf79ZivYSL4UNMcBIMIKmPlRwBLRUUXjYU2jgv1mWvIQVdKRbwmLk7FajREANKiLj+Tk+D4VmkDq6gUqXZHYbyUauwrtpYSv2JM6YQYhWz+eNXIID1NmlopAf66RwFxAaane6qMUMSCQw3HUBL2BjFGgmmdJPvsEfrj+S1CYh61iC1NHmPhP6DDnQO7aiP6dWLnRXLg4qcUaN0XGNZmhScls/jNbN4U+w6gIlR12KyoCJOK4pXiifBiuqmFGucyETex1jdKoaLPeB8Smu4HkFksmRgTZHbiYVvkgI/iW9KjBBzxCc8cwehabUpQ0DVN4chpFiFNHb3SfCh6W/3IKFcu4ou4lbvVowq+v/M7aDhjSqGEBMS/HRMQ8KteNTngFBcpTzMPBz1RQIOqlWUGp8yqu1SwZ/ZG1nMyUehchfkw/n+ML676UYMCZX2m7hqWXVccCnJLzFApv+0Lzqf3TNSbeLS1N/MDdjg+uejtj1889/leIF1/CnaHIs7WJN1qmdeVGw== anti"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/indium.binary-kitchen.net

@@ -0,0 +1,5 @@
+---
+
+root_keys_host:
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCNBY95YcFFBeiHM3IDzqKT/X/U09bpAWXwkCWIg6KlZumZg891apx6a0HLDannoBt7YCyYFgl3c1eJ36D08tRcy5c5k/+8Xhq0hq/HWo3EV5sd6Y+8xeTRST6Um8nyxHoSI7xw79yRoteOUDIzPnmDtbLQ2z3vWkA/H1EZQ4IjeQgFhl9vl4EyuAJ47Cdlv1D870BDspgAEoxSbipQEEnPsIctdyySp1R/sNC5tuP6qaoQ6nIDFdgv5rcY8SmgJQ2otlGex18RSBObBjdfyepV71mluqfs6HtVsM9zDvRUwY/FX4wmVc4QPdPLh/2kzEZi0YzefB10tpsuvhaOFI8JqXBDuSFZh3xCzRmKRlmqn50jrvGkYGUWg/GNYNF2rLCltCzg3BJHGaFh9sOtjaKLW+hTJwDtz4LIqNZb6w/2586hzjGCrrZgN24eLEcdp7iTPnkCul+kgOZaa62ytdKjza6/tgKCeUaEwmJTBuKMp/hor/LdLeibYgTtqUoFB7j1Ti2ey7oHly1oiSaKcR/hChgx0sniltRmzJI7KLuUiF+xkpv5Kf4rGl7UjvVxyf3glNh5DL87CfeWkGF3dgsjJdfYIHVJz/Bf6x0aB2TyybF8Exm0R05dhMT6ahZqMqa5d/aUZN+S3MaXw2amHWbMe8VcFpu/AztqrQM8sM+Mw== sprinterfreak"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

hosts

@@ -34,10 +34,10 @@ krypton.binary-kitchen.net
 yttrium.binary-kitchen.net
 zirconium.binary-kitchen.net
 molybdenum.binary-kitchen.net
-technetium.binary-kitchen.net
 ruthenium.binary-kitchen.net
 rhodium.binary-kitchen.net
 palladium.binary-kitchen.net
 argentum.binary-kitchen.net
 cadmium.binary-kitchen.net
+indium.binary-kitchen.net
 barium.binary-kitchen.net

roles/act_runner/defaults/main.yml

@@ -3,5 +3,5 @@
 actrunner_user: act_runner
 actrunner_group: act_runner
 
-actrunner_version: 0.2.6
+actrunner_version: 0.2.10
 actrunner_url: https://gitea.com/gitea/act_runner/releases/download/v{{ actrunner_version }}/act_runner-{{ actrunner_version }}-linux-amd64

roles/authentik/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+
+authentik_version: 2024.8.3

roles/authentik/templates/docker-compose.yml.j2

@@ -2,7 +2,7 @@
 version: "3.4"
 services:
   postgresql:
-    image: docker.io/library/postgres:12-alpine
+    image: docker.io/library/postgres:16-alpine
     restart: unless-stopped
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
@@ -29,7 +29,7 @@ services:
     volumes:
       - ./redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.7}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:{{ authentik_version }}
     restart: unless-stopped
     command: server
     environment:
@@ -48,7 +48,7 @@ services:
       - postgresql
       - redis
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.7}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:{{ authentik_version }}
     restart: unless-stopped
     command: worker
     environment:

roles/common/templates/sshd_config.j2

@@ -1,9 +1,8 @@
-#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
 
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
@@ -69,7 +68,7 @@ PasswordAuthentication {{ sshd_password_authentication }}
 
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
-ChallengeResponseAuthentication no
+KbdInteractiveAuthentication no
 
 # Kerberos options
 #KerberosAuthentication no
@@ -85,13 +84,13 @@ ChallengeResponseAuthentication no
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
+# be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+# and KbdInteractiveAuthentication to 'no'.
 UsePAM yes
 
 #AllowAgentForwarding yes
@@ -109,7 +108,7 @@ PrintMotd no
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #UseDNS no
-#PidFile /var/run/sshd.pid
+#PidFile /run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none

roles/dhcpd/handlers/main.yml

@@ -1,4 +0,0 @@
----
-
-- name: Restart isc-dhcp-server
-  service: name=isc-dhcp-server state=restarted

roles/dhcpd/tasks/main.yml

@@ -1,14 +0,0 @@
----
-
-- name: Install dhcp server
-  apt: name=isc-dhcp-server
-
-- name: Configure dhcp server
-  template: src={{ item }}.j2 dest=/etc/{{ item }}
-  with_items:
-  - default/isc-dhcp-server
-  - dhcp/dhcpd.conf
-  notify: Restart isc-dhcp-server
-
-- name: Start the dhcp server
-  service: name=isc-dhcp-server state=started enabled=yes

roles/dhcpd/templates/default/isc-dhcp-server.j2

@@ -1,21 +0,0 @@
-#
-# This is a POSIX shell fragment
-#
-
-# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
-#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
-#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
-
-# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
-#DHCPDv4_PID=/var/run/dhcpd.pid
-#DHCPDv6_PID=/var/run/dhcpd6.pid
-
-# Additional options to start dhcpd with.
-#	Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
-#OPTIONS=""
-
-# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
-#	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
-INTERFACESv4="{{ ansible_default_ipv4['interface'] }}"
-INTERFACESv6=""
-INTERFACES="{{ ansible_default_ipv4['interface'] }}"

roles/dhcpd/templates/dhcp/dhcpd.conf.j2

@@ -1,319 +0,0 @@
-# dhcpd.conf
-
-# option definitions common to all supported networks...
-option domain-name "binary.kitchen";
-option domain-name-servers {{ name_servers | join(', ') }};
-option domain-search "binary.kitchen";
-option ntp-servers 172.23.1.60, 172.23.2.3;
-
-# options related to Mitel SIP-DECT
-option space sipdect;
-option local-encapsulation code 43 = encapsulate sipdect;
-option sipdect.ommip1 code 10 = ip-address;
-option sipdect.ommip2 code 19 = ip-address;
-option sipdect.syslogip code 14 = ip-address;
-option sipdect.syslogport code 15 = integer 16;
-option magic_str code 224 = text;
-
-default-lease-time 7200;
-max-lease-time 28800;
-
-# Use this to enble / disable dynamic dns updates globally.
-ddns-update-style interim;
-ddns-updates on;
-
-# If this DHCP server is the official DHCP server for the local
-# network, the authoritative directive should be uncommented.
-authoritative;
-
-# Use this to send dhcp log messages to a different log file (you also
-# have to hack syslog.conf to complete the redirection).
-log-facility local7;
-
-{% if dhcpd_failover == true %}
-
-# Failover
-
-failover peer "failover-partner" {
-{% if ansible_default_ipv4.address == dhcpd_primary %}
-  primary;
-  address {{ dhcpd_primary }};
-  peer address {{ dhcpd_secondary }};
-{% elif ansible_default_ipv4.address == dhcpd_secondary %}
-  secondary;
-  address {{ dhcpd_secondary }};
-  peer address {{ dhcpd_primary }};
-{% endif %}
-  port 520;
-  peer port 520;
-  max-response-delay 60;
-  max-unacked-updates 10;
-{% if ansible_default_ipv4.address == dhcpd_primary %}
-  mclt 600;
-  split 255;
-{% endif %}
-  load balance max seconds 3;
-}
-{% endif %}
-
-# Binary Kitchen subnets
-
-# Management
-subnet 172.23.1.0 netmask 255.255.255.0 {
-  option routers 172.23.1.1;
-}
-
-# Services
-subnet 172.23.2.0 netmask 255.255.255.0 {
-  allow bootp;
-  option routers 172.23.2.1;
-}
-
-# Users
-subnet 172.23.3.0 netmask 255.255.255.0 {
-  option routers 172.23.3.1;
-  ddns-domainname "users.binary.kitchen";
-  option domain-search "binary.kitchen", "users.binary.kitchen";
-  pool {
-{% if dhcpd_failover == true %}
-    failover peer "failover-partner";
-{% endif %}
-    range 172.23.3.10 172.23.3.230;
-  }
-}
-
-# MQTT
-subnet 172.23.4.0 netmask 255.255.255.0 {
-  option routers 172.23.4.1;
-  pool {
-{% if dhcpd_failover == true %}
-    failover peer "failover-partner";
-{% endif %}
-    range 172.23.4.10 172.23.4.240;
-  }
-}
-
-# Management Auweg
-subnet 172.23.12.0 netmask 255.255.255.0 {
-  option routers 172.23.12.1;
-}
-
-# Services Auweg
-subnet 172.23.13.0 netmask 255.255.255.0 {
-  allow bootp;
-  option routers 172.23.13.1;
-}
-
-# Users Auweg
-subnet 172.23.14.0 netmask 255.255.255.0 {
-  option routers 172.23.14.1;
-  option domain-search "binary.kitchen", "users.binary.kitchen";
-  pool {
-{% if dhcpd_failover == true %}
-    failover peer "failover-partner";
-{% endif %}
-    range 172.23.14.10 172.23.14.230;
-  }
-}
-
-# MQTT Auweg
-subnet 172.23.15.0 netmask 255.255.255.0 {
-  option routers 172.23.15.1;
-  pool {
-{% if dhcpd_failover == true %}
-    failover peer "failover-partner";
-{% endif %}
-    range 172.23.15.10 172.23.15.240;
-  }
-}
-
-# DDNS zones
-
-zone users.binary.kitchen {
-  primary {{ dns_primary }};
-}
-
-
-# Fixed IPs
-
-host ap01 {
-  hardware ethernet 44:48:c1:ce:a9:00;
-  fixed-address ap01.binary.kitchen;
-}
-
-host ap04 {
-  hardware ethernet 74:9e:75:ce:93:54;
-  fixed-address ap04.binary.kitchen;
-}
-
-host ap05 {
-  hardware ethernet bc:9f:e4:c3:6f:aa;
-  fixed-address ap05.binary.kitchen;
-}
-
-host ap06 {
-  hardware ethernet 94:b4:0f:c0:1d:a0;
-  fixed-address ap06.binary.kitchen;
-}
-
-host ap11 {
-  hardware ethernet 18:64:72:c6:c2:0c;
-  fixed-address ap11.binary.kitchen;
-}
-
-host ap12 {
-  hardware ethernet 18:64:72:c6:c4:98;
-  fixed-address ap12.binary.kitchen;
-}
-
-host bowle {
-  hardware ethernet ac:1f:6b:25:16:b6;
-  fixed-address bowle.binary.kitchen;
-}
-
-host cannelloni {
-  hardware ethernet b8:27:eb:18:5c:11;
-  fixed-address cannelloni.binary.kitchen;
-}
-
-host fusilli {
-  hardware ethernet b8:27:eb:1d:b9:bf;
-  fixed-address fusilli.binary.kitchen;
-}
-
-host habdisplay1 {
-  hardware ethernet b8:27:eb:b6:62:be;
-  fixed-address habdisplay1.mqtt.binary.kitchen;
-}
-
-host habdisplay2 {
-  hardware ethernet b8:27:eb:df:0b:7b;
-  fixed-address habdisplay2.mqtt.binary.kitchen;
-}
-
-host klopi {
-  hardware ethernet 74:da:38:6e:e6:9d;
-  fixed-address klopi.binary.kitchen;
-}
-
-host lock {
-  hardware ethernet b8:27:eb:d8:b9:ad;
-  fixed-address lock.binary.kitchen;
-}
-
-host maccaroni {
-  hardware ethernet b8:27:eb:f5:9e:a1;
-  fixed-address maccaroni.binary.kitchen;
-}
-
-host matrix {
-  hardware ethernet b8:27:eb:ed:22:58;
-  fixed-address matrix.binary.kitchen;
-}
-
-host mirror {
-  hardware ethernet 74:da:38:7d:ed:84;
-  fixed-address mirror.binary.kitchen;
-}
-
-host mpcnc {
-  hardware ethernet b8:27:eb:0f:d3:8b;
-  fixed-address mpcnc.binary.kitchen;
-}
-
-host noodlehub {
-  hardware ethernet b8:27:eb:56:2b:7c;
-  fixed-address noodlehub.binary.kitchen;
-}
-
-host openhabgw1 {
-  hardware ethernet dc:a6:32:bf:e2:3e;
-  fixed-address openhabgw1.mqtt.binary.kitchen;
-}
-
-host pizza {
-  hardware ethernet 52:54:00:17:02:21;
-  fixed-address pizza.binary.kitchen;
-}
-
-host spaghetti {
-  hardware ethernet b8:27:eb:eb:e5:88;
-  fixed-address spaghetti.binary.kitchen;
-}
-
-host schweinshaxn {
-  hardware ethernet 52:54:00:17:02:24;
-  fixed-address schweinshaxn.binary.kitchen;
-}
-
-host strammermax {
-  hardware ethernet 08:00:37:B8:55:44;
-  fixed-address strammermax.binary.kitchen;
-}
-
-host obatzda {
-  hardware ethernet ec:9a:74:35:35:cf;
-  fixed-address obatzda.binary.kitchen;
-}
-
-
-# VoIP Phones
-
-host voip01 {
-  hardware ethernet 00:1D:45:B6:99:2F;
-  option tftp-server-name "172.23.2.36";
-}
-
-host voip02 {
-  hardware ethernet 00:1D:A2:66:B8:3E;
-  option tftp-server-name "172.23.2.36";
-}
-
-host voip03 {
-  hardware ethernet 00:1E:BE:90:FB:DB;
-  option tftp-server-name "172.23.2.36";
-}
-
-host voip04 {
-  hardware ethernet 00:1E:BE:90:FF:06;
-  option tftp-server-name "172.23.2.36";
-}
-
-
-# Mitel SIP-DECT
-
-host rfp01 {
-  hardware ethernet 00:30:42:1B:73:5A;
-  fixed-address 172.23.1.111;
-  option host-name "rfp01";
-  option sipdect.ommip1 172.23.2.35;
-  option magic_str = "OpenMobilitySIP-DECT";
-}
-
-host rfp02 {
-  hardware ethernet 00:30:42:21:D4:D5;
-  fixed-address 172.23.1.112;
-  option host-name "rfp02";
-  option sipdect.ommip1 172.23.2.35;
-  option magic_str = "OpenMobilitySIP-DECT";
-}
-
-host rfp11 {
-  hardware ethernet 00:30:42:1B:8B:9B;
-  fixed-address 172.23.12.111;
-  option host-name "rfp11";
-  option sipdect.ommip1 172.23.2.35;
-  option magic_str = "OpenMobilitySIP-DECT";
-}
-
-
-
-# OMAPI
-
-omapi-port 7911;
-omapi-key omapi_key;
-
-key omapi_key {
-  algorithm hmac-md5;
-  secret {{ dhcp_omapi_key }};
-}

roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2

@@ -1,7 +1,7 @@
 $ORIGIN 23.172.in-addr.arpa.	; base for unqualified names
 $TTL 1h				; default time-to-live
 @				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
-					2024030100; serial
+					2024100600; serial
 					1d; refresh
 					2h; retry
 					4w; expire
@@ -11,9 +11,9 @@ $TTL 1h				; default time-to-live
 				IN	NS	ns2.binary.kitchen.
 ; Loopback
 1.0				IN	PTR	core.binary.kitchen.
-2.0				IN	PTR	erx-bk.binary.kitchen.
+2.0				IN	PTR	rt-w13b.binary.kitchen.
 3.0				IN	PTR	erx-rz.binary.kitchen.
-4.0				IN	PTR	erx-auweg.binary.kitchen.
+4.0				IN	PTR	rt-auweg.binary.kitchen.
 ; Management
 1.1				IN	PTR	v2301.core.binary.kitchen.
 11.1				IN	PTR	ups1.binary.kitchen.
@@ -87,22 +87,26 @@ $GENERATE 10-240 $.4		IN	PTR	dhcp-${0,3,d}-04.binary.kitchen.
 1.10				IN	PTR	wg0.erx-rz.binary.kitchen.
 $GENERATE 2-254 $.10		IN	PTR	vpn-${0,3,d}-10.binary.kitchen.
 ; Management Auweg
+1.12				IN	PTR	v2312.rt-auweg.binary.kitchen.
 31.12				IN	PTR	sw-auweg.binary.kitchen.
 41.12				IN	PTR	ap11.binary.kitchen.
 42.12				IN	PTR	ap12.binary.kitchen.
 61.12				IN	PTR	weizen.binary.kitchen.
 111.12				IN	PTR	rfp11.binary.kitchen.
 ; Services Auweg
+1.13				IN	PTR	v2313.rt-auweg.binary.kitchen.
 3.13				IN	PTR	aeron.binary.kitchen.
 12.13				IN	PTR	lock-auweg.binary.kitchen.
 ; Clients Auweg
+1.14				IN	PTR	v2314.rt-auweg.binary.kitchen.
 $GENERATE 10-230 $.14		IN	PTR	dhcp-${0,3,d}-14.binary.kitchen.
 ; MQTT
+1.15				IN	PTR	v2315.rt-auweg.binary.kitchen.
 $GENERATE 10-240 $.15		IN	PTR	dhcp-${0,3,d}-15.binary.kitchen.
 ; Point-to-Point
-1.96				IN	PTR	v400.erx-bk.binary.kitchen.
+1.96				IN	PTR	v400.rt-w13b.binary.kitchen.
 2.96				IN	PTR	v400.core.binary.kitchen.
 1.97				IN	PTR	wg1.erx-rz.binary.kitchen.
-2.97				IN	PTR	wg1.erx-bk.binary.kitchen.
+2.97				IN	PTR	wg1.rt-w13b.binary.kitchen.
 5.97				IN	PTR	wg2.erx-rz.binary.kitchen.
-6.97				IN	PTR	wg2.erx-auweg.binary.kitchen.
+6.97				IN	PTR	wg2.rt-auweg.binary.kitchen.

roles/dns_intern/templates/bind/binary.kitchen.zone.j2

@@ -1,7 +1,7 @@
 $ORIGIN binary.kitchen		; base for unqualified names
 $TTL 1h				; default time-to-live
 @				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
-					2024030100; serial
+					2024100600; serial
 					1d; refresh
 					2h; retry
 					4w; expire
@@ -34,9 +34,9 @@ radius				IN	A	172.23.2.3
 radius				IN	A	172.23.2.4
 ; Loopback
 core				IN	A	172.23.0.1
-erx-bk				IN	A	172.23.0.2
+rt-w13b				IN	A	172.23.0.2
 erx-rz				IN	A	172.23.0.3
-erx-auweg			IN	A	172.23.0.4
+rt-auweg			IN	A	172.23.0.4
 ; Management
 v2301.core			IN	A	172.23.1.1
 ups1				IN	A	172.23.1.11
@@ -107,25 +107,29 @@ salat				IN	A	172.23.9.61
 salat-bmc			IN	A	172.23.9.81
 ; Services RZ
 ; Management Auweg
+v2312.rt-auweg			IN	A	172.23.12.1
 sw-auweg			IN	A	172.23.12.31
 ap11				IN	A	172.23.12.41
 ap12				IN	A	172.23.12.42
 weizen				IN	A	172.23.12.61
 rfp11				IN	A	172.23.12.111
 ; Services Auweg
+v2313.rt-auweg			IN	A	172.23.13.1
 aeron				IN	A	172.23.13.3
 lock-auweg			IN	A	172.23.13.12
 ; Clients Auweg
+v2314.rt-auweg			IN	A	172.23.14.1
 $GENERATE 10-230 dhcp-${0,3,d}-14	IN	A	172.23.14.$
 ; MQTT Auweg
+v2315.rt-auweg			IN	A	172.23.15.1
 $GENERATE 10-240 dhcp-${0,3,d}-15	IN	A	172.23.15.$
 ; VPN RZ (ER-X)
 wg0.erx-rz			IN	A	172.23.10.1
 $GENERATE 2-254 vpn-${0,3,d}-10	IN	A	172.23.10.$
 ; Point-to-Point
-v400.erx-bk			IN	A	172.23.96.1
+v400.rt-w13b			IN	A	172.23.96.1
 v400.core			IN	A	172.23.96.2
 wg1.erx-rz			IN	A	172.23.97.1
-wg1.erx-bk			IN	A	172.23.97.2
+wg1.rt-w13b			IN	A	172.23.97.2
 wg2.erx-rz			IN	A	172.23.97.5
-wg2.erx-auweg			IN	A	172.23.97.6
+wg2.rt-auweg			IN	A	172.23.97.6

roles/gitea/defaults/main.yml

@@ -3,5 +3,5 @@
 gitea_user: gogs
 gitea_group: gogs
 
-gitea_version: 1.21.10
+gitea_version: 1.22.2
 gitea_url: https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64

roles/hedgedoc/templates/docker-compose.yml.j2

@@ -9,7 +9,7 @@ services:
     volumes:
       - ./database:/var/lib/postgresql/data
   app:
-    image: quay.io/hedgedoc/hedgedoc:1.9.9
+    image: quay.io/hedgedoc/hedgedoc:1.10.0
     restart: on-failure
     environment:
       - CMD_DOMAIN={{ hedgedoc_domain }}

roles/icinga-monitor/tasks/disk.yml

@@ -11,7 +11,7 @@
 - name: Regenerate hosts.conf
   assemble:
     src: /etc/icinga2/conf.d/hosts
-    dest: /etc/icinga2/conf.d/hosts.conf
+    dest: /etc/icinga2/zones.d/master/hosts.conf
 #   validate: /usr/sbin/icinga2 daemon -c %s --validate
   notify: Restart icinga2
   delegate_to: "{{ icinga_server }}"

roles/icinga-monitor/tasks/http.yml

@@ -11,7 +11,7 @@
 - name: Regenerate hosts.conf
   assemble:
     src: /etc/icinga2/conf.d/hosts
-    dest: /etc/icinga2/conf.d/hosts.conf
+    dest: /etc/icinga2/zones.d/master/hosts.conf
 #   validate: /usr/sbin/icinga2 daemon -c %s --validate
   notify: Restart icinga2
   delegate_to: "{{ icinga_server }}"

roles/icinga-monitor/templates/disk.j2

@@ -1,8 +1,8 @@
 {% for disk in disks %}
 
-  vars.disks["disk {{ disk }}"] = {
+  vars.disks[" {{ disk }}"] = {
     disk_partitions = "{{ disk }}"
-    disk_wfree = "10%"
     disk_cfree = "5%"
+    disk_wfree = "10%"
   }
 {% endfor %}

roles/icinga/files/icinga2/zones.d/master/services.conf

@@ -0,0 +1,21 @@
+apply Service "apt" {
+  import "generic-service"
+
+  check_command = "apt"
+
+  command_endpoint = host.vars.agent_endpoint
+
+  assign where host.vars.agent_endpoint && host.vars.os == "Linux"
+}
+
+apply Service "disk" for (disk => config in host.vars.disks) {
+  import "generic-service"
+
+  check_command = "disk"
+
+  command_endpoint = host.vars.agent_endpoint
+
+  assign where host.vars.agent_endpoint
+
+  vars += config
+}

roles/icinga/tasks/main.yml

@@ -62,6 +62,24 @@
   changed_when: "'for these changes to take effect' in features_result.stdout"
   notify: Restart icinga2
 
+# TODO setup as master node
+# icinga2 node setup --master
+
+- name: Ensure directory for zone config exists
+  file:
+    path: /etc/icinga2/zones.d/master
+    state: directory
+    owner: "{{ icinga_user }}"
+    group: "{{ icinga_group }}"
+
+- name: Configure services
+  copy: src=icinga2/zones.d/master/services.conf dest=/etc/icinga2/zones.d/master/services.conf owner={{ icinga_user }} group={{ icinga_group }}
+  notify: Restart icinga2
+
+- name: Configure zones
+  template: src=icinga2/zones.conf.j2 dest=/etc/icinga2/zones.conf owner={{ icinga_user }} group={{ icinga_group }}
+  notify: Restart icinga2
+
 - name: Ensure directory for host snippets exists
   file:
     path: /etc/icinga2/conf.d/hosts

roles/icinga/templates/icinga2/zones.conf.j2

@@ -0,0 +1,28 @@
+object Endpoint "{{ ansible_fqdn }}" {
+}
+
+object Zone "master" {
+	endpoints = [ "{{ ansible_fqdn }}" ]
+}
+
+{% for host in groups['all'] %}
+{% if host != ansible_fqdn %}
+object Endpoint "{{ host }}" {
+	host  = "{{ host }}"
+}
+
+
+object Zone "{{ host }}" {
+	endpoints = [ "{{ host }}" ]
+	parent = "master"
+}
+
+{% endif %}
+{% endfor %}
+object Zone "global-templates" {
+	global = true
+}
+
+object Zone "director-global" {
+	global = true
+}

roles/icinga_agent/tasks/main.yml

@@ -64,7 +64,7 @@
 - name: Regenerate hosts.conf
   assemble:
     src: /etc/icinga2/conf.d/hosts
-    dest: /etc/icinga2/conf.d/hosts.conf
+    dest: /etc/icinga2/zones.d/master/hosts.conf
 #   validate: /usr/sbin/icinga2 daemon -c %s --validate
   notify: Restart icinga2
   delegate_to: "{{ icinga_server }}"

roles/indium_dummy/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/indium_dummy/tasks/main.yml

@@ -0,0 +1 @@
+---

roles/kea/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Restart kea-dhcp4-server
+  service: name=kea-dhcp4-server state=restarted
+
+- name: Restart kea-dhcp-ddns-server
+  service: name=kea-dhcp-ddns-server state=restarted
+
+- name: Restart kea-ctrl-agent
+  service: name=kea-ctrl-agent state=restarted

roles/kea/tasks/main.yml

@@ -0,0 +1,38 @@
+---
+
+- name: Install the kea dhcp server
+  apt:
+    name:
+    - kea-ctrl-agent
+    - kea-dhcp4-server
+    - kea-dhcp-ddns-server
+
+- name: Configure the kea dhcp4 server
+  template:
+    src: kea/kea-dhcp4.conf.j2
+    dest: /etc/kea/kea-dhcp4.conf
+#   validate: kea-dhcp4 -t %s
+  notify: Restart kea-dhcp4-server
+
+- name: Start the kea dhcp4 server
+  service: name=kea-dhcp4-server state=started enabled=yes
+
+- name: Configure the kea dhcp-ddns server
+  template:
+    src: kea/kea-dhcp-ddns.conf.j2
+    dest: /etc/kea/kea-dhcp-ddns.conf
+#   validate: kea-dhcp-ddns -t %s
+  notify: Restart kea-dhcp-ddns-server
+
+- name: Start the kea dhcp-ddns server
+  service: name=kea-dhcp-ddns-server state=started enabled=yes
+
+- name: Configure the kea control agent
+  template:
+    src: kea/kea-ctrl-agent.conf.j2
+    dest: /etc/kea/kea-ctrl-agent.conf
+#   validate: kea-ctrl-agent -t %s
+  notify: Restart kea-ctrl-agent
+
+- name: Start the kea control agent
+  service: name=kea-ctrl-agent state=started enabled=yes

roles/kea/templates/kea/kea-ctrl-agent.conf.j2

@@ -0,0 +1,37 @@
+{
+    "Control-agent":
+    {
+        "http-host": "0.0.0.0",
+        "http-port": 8000,
+        "control-sockets":
+        {
+            "dhcp4":
+            {
+                "comment": "socket to DHCP4 server",
+                "socket-type": "unix",
+                "socket-name": "/run/kea/kea4-ctrl-socket"
+            },
+
+            "d2":
+            {
+                "socket-type": "unix",
+                "socket-name": "/run/kea/kea-ddns-ctrl-socket",
+                "user-context": { "in-use": false }
+            }
+        },
+
+        "loggers": [
+            {
+                "name": "kea-ctrl-agent",
+                "output_options": [
+                    {
+                        "output": "stdout",
+                        "pattern": "%-5p %m\n"
+                    }
+                ],
+                "severity": "INFO",
+                "debuglevel": 0
+            }
+        ]
+    }
+}

roles/kea/templates/kea/kea-dhcp-ddns.conf.j2

@@ -0,0 +1,38 @@
+{
+"DhcpDdns": {
+    "ip-address": "127.0.0.1",
+    "port": 53001,
+    "control-socket": {
+        "socket-type": "unix",
+      "socket-name": "/run/kea/kea-ddns-ctrl-socket"
+    },
+
+    "forward-ddns": {
+        "ddns-domains": [
+            {
+                "name": "users.binary.kitchen.",
+                "dns-servers": [
+                    { "ip-address": "{{ dns_primary }}" }
+                ]
+            }
+        ]
+    },
+
+    "reverse-ddns": {
+    },
+
+    "loggers": [
+        {
+            "name": "kea-dhcp4",
+            "output_options": [
+                {
+                    "output": "stdout",
+                    "pattern": "%-5p %m\n"
+                }
+            ],
+            "severity": "INFO",
+            "debuglevel": 0
+        }
+    ]
+}
+}

roles/kea/templates/kea/kea-dhcp4.conf.j2

@@ -0,0 +1,470 @@
+{
+
+"Dhcp4": {
+    "interfaces-config": {
+        "interfaces": [ "{{ ansible_default_ipv4['interface'] }}" ]
+    },
+
+    "control-socket": {
+        "socket-type": "unix",
+        "socket-name": "/run/kea/kea4-ctrl-socket"
+    },
+
+    "dhcp-ddns": {
+        "enable-updates": true,
+        "server-ip": "127.0.0.1",
+        "server-port": 53001,
+        "sender-ip": "",
+        "sender-port": 0,
+        "max-queue-size": 1024,
+        "ncr-protocol": "UDP",
+        "ncr-format": "JSON"
+    },
+
+    "hooks-libraries": [
+        {
+            "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_lease_cmds.so"
+{% if dhcpd_failover %}
+        },
+
+        {
+            "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_ha.so",
+            "parameters": {
+                "high-availability": [ {
+                    "this-server-name": "{{ inventory_hostname.split('.')[0] }}",
+                    "mode": "hot-standby",
+                    "heartbeat-delay": 10000,
+                    "max-response-delay": 60000,
+                    "max-ack-delay": 5000,
+                    "max-unacked-clients": 5,
+                    "sync-timeout": 60000,
+                    "peers": [
+                        {
+                            "name": "{{ lookup('dig', dhcpd_primary+'/PTR', '@'+dns_primary).split('.')[0] }}",
+                            "url": "http://{{ dhcpd_primary }}:8000/",
+                            "role": "primary"
+                        },
+                        {
+                            "name": "{{ lookup('dig', dhcpd_secondary+'/PTR', '@'+dns_primary).split('.')[0] }}",
+                            "url": "http://{{ dhcpd_secondary }}:8000/",
+                            "role": "standby"
+                        }
+                    ]
+                } ]
+            }
+{% endif %}
+        }
+    ],
+
+    "lease-database": {
+        "type": "memfile",
+        "lfc-interval": 3600
+    },
+
+    "expired-leases-processing": {
+        "reclaim-timer-wait-time": 10,
+        "flush-reclaimed-timer-wait-time": 25,
+        "hold-reclaimed-time": 3600,
+        "max-reclaim-leases": 100,
+        "max-reclaim-time": 250,
+        "unwarned-reclaim-cycles": 5
+    },
+
+    "renew-timer": 900,
+    "rebind-timer": 1800,
+    "valid-lifetime": 3600,
+
+    "option-def": [
+        {
+            "code": 43,
+            "encapsulate": "sipdect",
+            "name": "vendor-encapsulated-options",
+            "space": "dhcp4",
+            "type": "empty"
+        },
+        {
+            "code": 10,
+            "name": "ommip1",
+            "space": "sipdect",
+            "type": "ipv4-address"
+        },
+        {
+            "code": 19,
+            "name": "ommip2",
+            "space": "sipdect",
+            "type": "ipv4-address"
+        },
+        {
+            "code": 14,
+            "name": "syslogip",
+            "space": "sipdect",
+            "type": "ipv4-address"
+        },
+        {
+            "code": 15,
+            "name": "syslogport",
+            "space": "sipdect",
+            "type": "int16"
+        },
+        {
+            "code": 224,
+            "name": "magic_str",
+            "space": "dhcp4",
+            "type": "string"
+        }
+    ],
+
+    "option-data": [
+        {
+            "name": "domain-name-servers",
+            "data": "{{ name_servers | join(', ') }}"
+        },
+
+        {
+            "name": "domain-name",
+            "data": "binary.kitchen"
+        },
+
+        {
+            "name": "domain-search",
+            "data": "binary.kitchen"
+        }
+    ],
+
+    "client-classes": [
+        {
+            "name": "voip-phone",
+            "option-data": [
+                {
+                    "name": "tftp-server-name",
+                    "data": "172.23.2.36"
+                }
+            ]
+        },
+
+        {
+            "name": "dect-rfp",
+            "option-data": [
+                {
+                    "name": "vendor-encapsulated-options"
+                },
+                {
+                    "data": "172.23.2.35",
+                    "name": "ommip1",
+                    "space": "sipdect"
+                },
+                {
+                    "data": "OpenMobilitySIP-DECT",
+                    "name": "magic_str"
+                }
+            ]
+        }
+    ],
+
+    "subnet4": [
+        {
+            "subnet": "172.23.1.0/24",
+
+            "option-data": [
+                {
+                    "name": "routers",
+                    "data": "172.23.1.1"
+                }
+            ],
+
+            "reservations": [
+                {
+                    "hw-address": "44:48:c1:ce:a9:00",
+                    "ip-address": "172.23.1.41",
+                    "hostname": "ap01"
+                },
+
+                {
+                    "hw-address": "74:9e:75:ce:93:54",
+                    "ip-address": "172.23.1.44",
+                    "hostname": "ap04"
+                },
+
+                {
+                    "hw-address": "bc:9f:e4:c3:6f:aa",
+                    "ip-address": "172.23.1.45",
+                    "hostname": "ap05"
+                },
+
+                {
+                    "hw-address": "94:b4:0f:c0:1d:a0",
+                    "ip-address": "172.23.1.46",
+                    "hostname": "ap06"
+                },
+
+                {
+                    "hw-address": "00:30:42:1B:73:5A",
+                    "ip-address": "172.23.1.111",
+                    "client-classes": [ "dect-rfp" ],
+                    "hostname": "rfp01"
+                },
+
+                {
+                    "hw-address": "00:30:42:21:D4:D5",
+                    "ip-address": "172.23.1.112",
+                    "client-classes": [ "dect-rfp" ],
+                    "hostname": "rfp02"
+                }
+            ]
+        },
+
+        {
+            "subnet": "172.23.2.0/24",
+
+            "option-data": [
+                {
+                    "name": "routers",
+                    "data": "172.23.2.1"
+                }
+            ],
+
+            "reservations": [
+                {
+                    "hw-address": "b8:27:eb:d8:b9:ad",
+                    "ip-address": "172.23.2.12",
+                    "hostname": "lock"
+                },
+
+                {
+                    "hw-address": "b8:27:eb:ed:22:58",
+                    "ip-address": "172.23.2.13",
+                    "hostname": "matrix"
+                },
+
+                {
+                    "hw-address": "08:00:37:B8:55:44",
+                    "ip-address": "172.23.2.91",
+                    "hostname": "strammermax"
+                },
+
+                {
+                    "hw-address": "ec:9a:74:35:35:cf",
+                    "ip-address": "172.23.2.92",
+                    "hostname": "obatzda"
+                }
+            ]
+        },
+
+        {
+            "subnet": "172.23.3.0/24",
+
+            "pools": [ { "pool": "172.23.3.10 - 172.23.3.230" } ],
+
+            "option-data": [
+                {
+                    "name": "routers",
+                    "data": "172.23.3.1"
+                },
+
+                {
+                    "name": "domain-search",
+                    "data": "binary.kitchen, users.binary.kitchen"
+                }
+            ],
+
+            "ddns-send-updates": true,
+            "ddns-override-client-update": true,
+            "ddns-override-no-update": true,
+            "ddns-qualifying-suffix": "users.binary.kitchen",
+            "ddns-generated-prefix": "dhcp",
+            "ddns-replace-client-name": "when-not-present",
+            "ddns-update-on-renew": true,
+
+            "reservations": [
+                {
+                    "hw-address": "b8:27:eb:18:5c:11",
+                    "ip-address": "172.23.3.250",
+                    "hostname": "cannelloni"
+                },
+
+                {
+                    "hw-address": "b8:27:eb:1d:b9:bf",
+                    "ip-address": "172.23.3.240",
+                    "hostname": "fusilli"
+                },
+
+                {
+                    "hw-address": "74:da:38:6e:e6:9d",
+                    "ip-address": "172.23.3.241",
+                    "hostname": "klopi"
+                },
+
+                {
+                    "hw-address": "b8:27:eb:f5:9e:a1",
+                    "ip-address": "172.23.3.246",
+                    "hostname": "maccaroni"
+                },
+
+                {
+                    "hw-address": "74:da:38:7d:ed:84",
+                    "ip-address": "172.23.3.244",
+                    "hostname": "mirror"
+                },
+
+                {
+                    "hw-address": "b8:27:eb:0f:d3:8b",
+                    "ip-address": "172.23.3.242",
+                    "hostname": "mpcnc"
+                },
+
+                {
+                    "hw-address": "b8:27:eb:56:2b:7c",
+                    "ip-address": "172.23.3.251",
+                    "hostname": "noodlehub"
+                },
+
+                {
+                    "hw-address": "b8:27:eb:eb:e5:88",
+                    "ip-address": "172.23.3.245",
+                    "hostname": "spaghetti"
+                },
+
+                {
+                    "hw-address": "00:1D:45:B6:99:2F",
+                    "hostname": "voip01",
+                    "client-classes": [ "voip-phone" ]
+                },
+
+                {
+                    "hw-address": "00:1D:A2:66:B8:3E",
+                    "hostname": "voip02",
+                    "client-classes": [ "voip-phone" ]
+                },
+
+                {
+                    "hw-address": "00:1E:BE:90:FB:DB",
+                    "hostname": "voip03",
+                    "client-classes": [ "voip-phone" ]
+                },
+
+                {
+                    "hw-address": "00:1E:BE:90:FF:06",
+                    "hostname": "voip04",
+                    "client-classes": [ "voip-phone" ]
+                }
+            ]
+        },
+
+        {
+            "subnet": "172.23.4.0/24",
+
+            "pools": [ { "pool": "172.23.4.10 - 172.23.4.240" } ],
+
+            "option-data": [
+                {
+                    "name": "routers",
+                    "data": "172.23.4.1"
+                }
+            ],
+
+            "reservations": [
+                {
+                    "hw-address": "b8:27:eb:b6:62:be",
+                    "ip-address": "172.23.4.241",
+                    "hostname": "habdisplay1"
+                },
+
+                {
+                    "hw-address": "b8:27:eb:df:0b:7b",
+                    "ip-address": "172.23.4.242",
+                    "hostname": "habdisplay2"
+                },
+
+                {
+                    "hw-address": "dc:a6:32:bf:e2:3e",
+                    "ip-address": "172.23.4.251",
+                    "hostname": "openhabgw1"
+                }
+            ]
+        },
+
+        {
+            "subnet": "172.23.12.0/24",
+
+            "option-data": [
+                {
+                    "name": "routers",
+                    "data": "172.23.12.1"
+                }
+            ],
+
+            "reservations": [
+                {
+                    "hw-address": "18:64:72:c6:c2:0c",
+                    "ip-address": "172.23.12.41",
+                    "hostname": "ap11"
+                },
+
+                {
+                    "hw-address": "18:64:72:c6:c4:98",
+                    "ip-address": "172.23.12.42",
+                    "hostname": "ap12"
+                },
+
+                {
+                    "hw-address": "00:30:42:1B:8B:9B",
+                    "ip-address": "172.23.12.111",
+                    "client-classes": [ "dect-rfp" ],
+                    "hostname": "rfp11"
+                }
+            ]
+        },
+
+        {
+            "subnet": "172.23.13.0/24",
+
+            "option-data": [
+                {
+                    "name": "routers",
+                    "data": "172.23.13.1"
+                }
+            ]
+        },
+
+        {
+            "subnet": "172.23.14.0/24",
+
+            "pools": [ { "pool": "172.23.14.10 - 172.23.14.240" } ],
+
+            "option-data": [
+                {
+                    "name": "routers",
+                    "data": "172.23.14.1"
+                }
+            ]
+        },
+
+        {
+            "subnet": "172.23.15.0/24",
+
+            "pools": [ { "pool": "172.23.15.10 - 172.23.15.240" } ],
+
+            "option-data": [
+                {
+                    "name": "routers",
+                    "data": "172.23.15.1"
+                }
+            ]
+        }
+    ],
+
+    "loggers": [
+        {
+            "name": "kea-dhcp4",
+            "output_options": [
+                {
+                    "output": "stdout",
+                    "pattern": "%-5p %m\n"
+                }
+            ],
+            "severity": "INFO",
+            "debuglevel": 0
+        }
+    ]
+}
+}

roles/mail/files/rspamd/local.d/phishing.conf

@@ -0,0 +1,2 @@
+openphish_enabled = true;
+phishtank_enabled = false;

roles/matrix/templates/matrix-synapse/homeserver.yaml.j2

@@ -2793,7 +2793,7 @@ background_updates:
 # marked as protected from quarantine will not be deleted.
 #
 media_retention:
-    local_media_lifetime: 90d
+    local_media_lifetime: 180d
     remote_media_lifetime: 14d
 
 

roles/netbox/defaults/main.yml

@@ -2,4 +2,4 @@
 
 netbox_group: netbox
 netbox_user: netbox
-netbox_version: 3.7.4
+netbox_version: 4.1.5

roles/netbox/tasks/main.yml

@@ -74,13 +74,21 @@
     group: "{{ netbox_group }}"
     recurse: yes
 
+- name: Fix psycopg variant
+  lineinfile:
+    path: "/opt/netbox-{{ netbox_version }}/requirements.txt"
+    regexp: '^psycopg\[.*,pool\]==(.*)$'
+    line: 'psycopg[binary,pool]==\1'
+    backrefs: yes
+  register: netbox_psycopg_fix
+
 - name: Run upgrade script
   command:
     cmd: ./upgrade.sh
     chdir: "/opt/netbox-{{ netbox_version }}"
   become: true
   become_user: "{{ netbox_user }}"
-  when: netbox_unarchive.changed
+  when: netbox_unarchive.changed or netbox_psycopg_fix.changed
 
 # TODO - still manual work
 # * Create a super user

roles/slapd/templates/slapd.conf.j2

@@ -12,6 +12,7 @@ include		/etc/ldap/schema/cosine.schema
 include		/etc/ldap/schema/inetorgperson.schema
 include		/etc/ldap/schema/kitchen.schema
 include		/etc/ldap/schema/misc.schema
+include		/etc/ldap/schema/namedobject.schema
 include		/etc/ldap/schema/nis.schema
 include		/etc/ldap/schema/openssh-lpk.schema
 include		/etc/ldap/schema/radius.schema
@@ -31,6 +32,7 @@ loglevel	sync
 # Load dynamic backend modules:
 modulepath	/usr/lib/ldap
 moduleload	back_mdb.la
+moduleload	ppolicy.la
 {% if slapd_role == 'master' %}
 moduleload	syncprov.la
 {% endif %}
@@ -134,6 +136,14 @@ index	mail			eq
 index	mailAlternateAddress	eq
 
 
+#######################################################################
+# Password Policies
+#######################################################################
+
+overlay ppolicy
+ppolicy_default "cn=pp-default,ou=policies,dc=binary-kitchen,dc=de"
+
+
 {% if slapd_role == 'master' %}
 #######################################################################
 # Replication

roles/strichliste/tasks/main.yml

@@ -3,28 +3,21 @@
 - name: Request nsupdate key for certificate
   include_role: name=acme-dnskey-generate
 
-- name: Enable sury php apt-key
-  apt_key: url="https://packages.sury.org/php/apt.gpg"
-
-- name: Enable sury php repository
-  apt_repository: repo="deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
-
 - name: Install packages
   apt:
     name:
-    - php8.1
-    - php8.1-common
-    - php8.1-curl
-    - php8.1-mysql
-    - php8.1-mbstring
-    - php8.1-cli
-    - php8.1-opcache
-    - php8.1-xml
-    - php8.1-fpm
-    - php8.1-readline
+    - php
+    - php-common
+    - php-curl
+    - php-mysql
+    - php-mbstring
+    - php-cli
+    - php-opcache
+    - php-xml
+    - php-fpm
+    - php-readline
     - mariadb-server
     - python3-mysqldb
-    - python3-psycopg2
 
 - name: Ensure certificates are available
   command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ strichliste_domain }}.key -out /etc/nginx/ssl/{{ strichliste_domain }}.crt -days 730 -subj "/CN={{ strichliste_domain }}" creates=/etc/nginx/ssl/{{ strichliste_domain }}.crt
@@ -37,12 +30,6 @@
 - name: Create vhost directory
   file: path=/var/www/strichliste state=directory owner=www-data group=www-data
 
-- name: Install Mariadb
-  apt:
-    name:
-    - mariadb-server
-    - python3-mysqldb
-
 - name: Configure Mariadb database
   community.mysql.mysql_db: name={{ strichliste_dbname }}
   become: true
@@ -77,5 +64,5 @@
   file: src=/etc/nginx/sites-available/strichliste dest=/etc/nginx/sites-enabled/strichliste state=link
   notify: Restart nginx
 
-- name: Start php8.1-fpm
-  service: name=php8.1-fpm state=started enabled=yes
+- name: Start php8.2-fpm
+  service: name=php8.2-fpm state=started enabled=yes

roles/therapy/handlers/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart therapy
+  service: name=therapy state=restarted
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/therapy/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/therapy/tasks/main.yml

@@ -0,0 +1,55 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+    - docker.io
+    - docker-compose
+
+- name: Create therapy group
+  group: name=therapy
+
+- name: Create therapy user
+  user:
+    name: therapy
+    home: /opt/therapy
+    shell: /bin/bash
+    group: therapy
+    groups: docker
+
+# TODO
+# checkout source to /opt/therapy/source - currently done manually
+
+- name: Configure therapy container
+  template: src=docker-compose.yml.j2 dest=/opt/therapy/docker-compose.yml
+  notify: Restart therapy
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ therapy_domain }}.key -out /etc/nginx/ssl/{{ therapy_domain }}.crt -days 730 -subj "/CN={{ therapy_domain }}" creates=/etc/nginx/ssl/{{ therapy_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for therapy
+  template: src=certs.j2 dest=/etc/acertmgr/{{ therapy_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/therapy
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/therapy dest=/etc/nginx/sites-enabled/therapy state=link
+  notify: Restart nginx
+
+- name: Systemd unit for therapy
+  template: src=therapy.service.j2 dest=/etc/systemd/system/therapy.service
+  notify:
+  - Reload systemd
+  - Restart therapy
+
+- name: Start the therapy service
+  service: name=therapy state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ therapy_domain }}"

roles/therapy/templates/certs.j2

@@ -0,0 +1,15 @@
+---
+
+{{ therapy_domain }}:
+- path: /etc/nginx/ssl/{{ therapy_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ therapy_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'

roles/therapy/templates/docker-compose.yml.j2

@@ -0,0 +1,12 @@
+---
+version: "3.4"
+services:
+  server:
+    image: therapy
+    build: ./source
+    restart: unless-stopped
+    command: server
+    environment:
+      THERAPY_SECRET: {{ therapy_secret }}
+    ports:
+      - "127.0.0.1:5000:5000"

roles/therapy/templates/therapy.service.j2

@@ -0,0 +1,28 @@
+[Unit]
+Description=therapy service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
+
+[Service]
+Type=simple
+
+User=therapy
+Group=therapy
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/therapy
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose down -v
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
+
+[Install]
+WantedBy=multi-user.target

roles/therapy/templates/vhost.j2

@@ -0,0 +1,31 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ therapy_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ therapy_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ therapy_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ therapy_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ therapy_domain }}.crt;
+
+	location / {
+		proxy_pass http://localhost:5000;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+}

roles/uau/templates/50unattended-upgrades.j2

@@ -2,7 +2,7 @@
 // Unattended-Upgrade::Origins-Pattern controls which packages are
 // upgraded.
 //
-// Lines below have the format format is "keyword=value,...".  A
+// Lines below have the format "keyword=value,...".  A
 // package will be upgraded only if the values in its metadata match
 // all the supplied keywords in a line.  (In other words, omitted
 // keywords are wild cards.) The keywords originate from the Release
@@ -31,6 +31,7 @@ Unattended-Upgrade::Origins-Pattern {
 //      "origin=Debian,codename=${distro_codename}-proposed-updates";
         "origin=Debian,codename=${distro_codename},label=Debian";
         "origin=Debian,codename=${distro_codename},label=Debian-Security";
+        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
 
         // Archive or Suite based matching:
         // Note that this will silently match a different release after
@@ -65,7 +66,7 @@ Unattended-Upgrade::Package-Blacklist {
 };
 
 // This option allows you to control if on a unclean dpkg exit
-// unattended-upgrades will automatically run
+// unattended-upgrades will automatically run 
 //   dpkg --force-confold --configure -a
 // The default is true, to ensure updates keep getting installed
 //Unattended-Upgrade::AutoFixInterruptedDpkg "true";
@@ -93,9 +94,11 @@ Unattended-Upgrade::Package-Blacklist {
 // 'mailx' must be installed. E.g. "user@example.com"
 Unattended-Upgrade::Mail "root";
 
-// Set this value to "true" to get emails only on errors. Default
-// is to always send a mail if Unattended-Upgrade::Mail is set
-Unattended-Upgrade::MailOnlyOnError "true";
+// Set this value to one of:
+//    "always", "only-on-error" or "on-change"
+// If this is not set, then any legacy MailOnlyOnError (boolean) value
+// is used to chose between "only-on-error" and "on-change"
+Unattended-Upgrade::MailReport "only-on-error";
 
 // Remove unused automatically installed kernel-related packages
 // (kernel images, kernel headers and kernel version locked tools).
@@ -145,3 +148,18 @@ Unattended-Upgrade::Automatic-Reboot "{{ uau_reboot }}";
 // Print debugging information both in unattended-upgrades and
 // in unattended-upgrade-shutdown
 // Unattended-Upgrade::Debug "false";
+
+// Allow package downgrade if Pin-Priority exceeds 1000
+// Unattended-Upgrade::Allow-downgrade "false";
+
+// When APT fails to mark a package to be upgraded or installed try adjusting
+// candidates of related packages to help APT's resolver in finding a solution
+// where the package can be upgraded or installed.
+// This is a workaround until APT's resolver is fixed to always find a
+// solution if it exists. (See Debian bug #711128.)
+// The fallback is enabled by default, except on Debian's sid release because
+// uninstallable packages are frequent there.
+// Disabling the fallback speeds up unattended-upgrades when there are
+// uninstallable packages at the expense of rarely keeping back packages which
+// could be upgraded or installed.
+// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";

roles/vaultwarden/templates/vhost.j2

@@ -33,6 +33,9 @@ server {
 
 	location / {
 		proxy_pass http://localhost:4000;
+		proxy_http_version 1.1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $http_connection;
 		proxy_set_header Host $host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

roles/web/files/certs

@@ -14,6 +14,20 @@ www.binary-kitchen.de binary-kitchen.de www.binary.kitchen binary.kitchen:
   format: key
   action: '/usr/sbin/service nginx restart'
 
+autoconfig.binary-kitchen.de:
+- path: /etc/nginx/ssl/autoconfig.binary-kitchen.de.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/autoconfig.binary-kitchen.de.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+
 www.ccc-r.de:
 - path: /etc/nginx/ssl/www.ccc-r.de.crt
   user: root

roles/web/files/php/8.2/fpm/pool.d/spaceapi.conf

@@ -0,0 +1,491 @@
+; Start a new pool named 'www'.
+; the variable $pool can be used in any directive and will be replaced by the
+; pool name ('www' here)
+[spaceapi]
+
+; Per pool prefix
+; It only applies on the following directives:
+; - 'access.log'
+; - 'slowlog'
+; - 'listen' (unixsocket)
+; - 'chroot'
+; - 'chdir'
+; - 'php_values'
+; - 'php_admin_values'
+; When not set, the global prefix (or /usr) applies instead.
+; Note: This directive can also be relative to the global prefix.
+; Default Value: none
+;prefix = /path/to/pools/$pool
+
+; Unix user/group of the child processes. This can be used only if the master
+; process running user is root. It is set after the child process is created.
+; The user and group can be specified either by their name or by their numeric
+; IDs.
+; Note: If the user is root, the executable needs to be started with
+;       --allow-to-run-as-root option to work.
+; Default Values: The user is set to master process running user by default.
+;                 If the group is not set, the user's group is used.
+user = www-data
+group = www-data
+
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+listen = /run/php/php8.2-fpm-spaceapi.sock
+
+; Set listen(2) backlog.
+; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
+;listen.backlog = 511
+
+; Set permissions for unix socket, if one is used. In Linux, read/write
+; permissions must be set in order to allow connections from a web server. Many
+; BSD-derived systems allow connections regardless of permissions. The owner
+; and group can be specified either by name or by their numeric IDs.
+; Default Values: Owner is set to the master process running user. If the group
+;                 is not set, the owner's group is used. Mode is set to 0660.
+listen.owner = www-data
+listen.group = www-data
+;listen.mode = 0660
+
+; When POSIX Access Control Lists are supported you can set them using
+; these options, value is a comma separated list of user/group names.
+; When set, listen.owner and listen.group are ignored
+;listen.acl_users =
+;listen.acl_groups =
+
+; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
+; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
+; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
+; must be separated by a comma. If this value is left blank, connections will be
+; accepted from any ip address.
+; Default Value: any
+;listen.allowed_clients = 127.0.0.1
+
+; Set the associated the route table (FIB). FreeBSD only
+; Default Value: -1
+;listen.setfib = 1
+
+; Specify the nice(2) priority to apply to the pool processes (only if set)
+; The value can vary from -19 (highest priority) to 20 (lower priority)
+; Note: - It will only work if the FPM master process is launched as root
+;       - The pool processes will inherit the master process priority
+;         unless it specified otherwise
+; Default Value: no set
+; process.priority = -19
+
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
+; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
+; or group is different than the master process user. It allows to create process
+; core dump and ptrace the process for the pool user.
+; Default Value: no
+; process.dumpable = yes
+
+; Choose how the process manager will control the number of child processes.
+; Possible Values:
+;   static  - a fixed number (pm.max_children) of child processes;
+;   dynamic - the number of child processes are set dynamically based on the
+;             following directives. With this process management, there will be
+;             always at least 1 children.
+;             pm.max_children      - the maximum number of children that can
+;                                    be alive at the same time.
+;             pm.start_servers     - the number of children created on startup.
+;             pm.min_spare_servers - the minimum number of children in 'idle'
+;                                    state (waiting to process). If the number
+;                                    of 'idle' processes is less than this
+;                                    number then some children will be created.
+;             pm.max_spare_servers - the maximum number of children in 'idle'
+;                                    state (waiting to process). If the number
+;                                    of 'idle' processes is greater than this
+;                                    number then some children will be killed.
+;             pm.max_spawn_rate    - the maximum number of rate to spawn child
+;                                    processes at once.
+;  ondemand - no children are created at startup. Children will be forked when
+;             new requests will connect. The following parameter are used:
+;             pm.max_children           - the maximum number of children that
+;                                         can be alive at the same time.
+;             pm.process_idle_timeout   - The number of seconds after which
+;                                         an idle process will be killed.
+; Note: This value is mandatory.
+pm = dynamic
+
+; The number of child processes to be created when pm is set to 'static' and the
+; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
+; This value sets the limit on the number of simultaneous requests that will be
+; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
+; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
+; CGI. The below defaults are based on a server without much resources. Don't
+; forget to tweak pm.* to fit your needs.
+; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
+; Note: This value is mandatory.
+pm.max_children = 20
+
+; The number of child processes created on startup.
+; Note: Used only when pm is set to 'dynamic'
+; Default Value: (min_spare_servers + max_spare_servers) / 2
+pm.start_servers = 5
+
+; The desired minimum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.min_spare_servers = 5
+
+; The desired maximum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.max_spare_servers = 15
+
+; The number of rate to spawn child processes at once.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+; Default Value: 32
+;pm.max_spawn_rate = 32
+
+; The number of seconds after which an idle process will be killed.
+; Note: Used only when pm is set to 'ondemand'
+; Default Value: 10s
+;pm.process_idle_timeout = 10s;
+
+; The number of requests each child process should execute before respawning.
+; This can be useful to work around memory leaks in 3rd party libraries. For
+; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
+; Default Value: 0
+;pm.max_requests = 500
+
+; The URI to view the FPM status page. If this value is not set, no URI will be
+; recognized as a status page. It shows the following information:
+;   pool                 - the name of the pool;
+;   process manager      - static, dynamic or ondemand;
+;   start time           - the date and time FPM has started;
+;   start since          - number of seconds since FPM has started;
+;   accepted conn        - the number of request accepted by the pool;
+;   listen queue         - the number of request in the queue of pending
+;                          connections (see backlog in listen(2));
+;   max listen queue     - the maximum number of requests in the queue
+;                          of pending connections since FPM has started;
+;   listen queue len     - the size of the socket queue of pending connections;
+;   idle processes       - the number of idle processes;
+;   active processes     - the number of active processes;
+;   total processes      - the number of idle + active processes;
+;   max active processes - the maximum number of active processes since FPM
+;                          has started;
+;   max children reached - number of times, the process limit has been reached,
+;                          when pm tries to start more children (works only for
+;                          pm 'dynamic' and 'ondemand');
+; Value are updated in real time.
+; Example output:
+;   pool:                 www
+;   process manager:      static
+;   start time:           01/Jul/2011:17:53:49 +0200
+;   start since:          62636
+;   accepted conn:        190460
+;   listen queue:         0
+;   max listen queue:     1
+;   listen queue len:     42
+;   idle processes:       4
+;   active processes:     11
+;   total processes:      15
+;   max active processes: 12
+;   max children reached: 0
+;
+; By default the status page output is formatted as text/plain. Passing either
+; 'html', 'xml' or 'json' in the query string will return the corresponding
+; output syntax. Example:
+;   http://www.foo.bar/status
+;   http://www.foo.bar/status?json
+;   http://www.foo.bar/status?html
+;   http://www.foo.bar/status?xml
+;
+; By default the status page only outputs short status. Passing 'full' in the
+; query string will also return status for each pool process.
+; Example:
+;   http://www.foo.bar/status?full
+;   http://www.foo.bar/status?json&full
+;   http://www.foo.bar/status?html&full
+;   http://www.foo.bar/status?xml&full
+; The Full status returns for each process:
+;   pid                  - the PID of the process;
+;   state                - the state of the process (Idle, Running, ...);
+;   start time           - the date and time the process has started;
+;   start since          - the number of seconds since the process has started;
+;   requests             - the number of requests the process has served;
+;   request duration     - the duration in µs of the requests;
+;   request method       - the request method (GET, POST, ...);
+;   request URI          - the request URI with the query string;
+;   content length       - the content length of the request (only with POST);
+;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
+;   script               - the main script called (or '-' if not set);
+;   last request cpu     - the %cpu the last request consumed
+;                          it's always 0 if the process is not in Idle state
+;                          because CPU calculation is done when the request
+;                          processing has terminated;
+;   last request memory  - the max amount of memory the last request consumed
+;                          it's always 0 if the process is not in Idle state
+;                          because memory calculation is done when the request
+;                          processing has terminated;
+; If the process is in Idle state, then informations are related to the
+; last request the process has served. Otherwise informations are related to
+; the current request being served.
+; Example output:
+;   ************************
+;   pid:                  31330
+;   state:                Running
+;   start time:           01/Jul/2011:17:53:49 +0200
+;   start since:          63087
+;   requests:             12808
+;   request duration:     1250261
+;   request method:       GET
+;   request URI:          /test_mem.php?N=10000
+;   content length:       0
+;   user:                 -
+;   script:               /home/fat/web/docs/php/test_mem.php
+;   last request cpu:     0.00
+;   last request memory:  0
+;
+; Note: There is a real-time FPM status monitoring sample web page available
+;       It's available in: /usr/share/php/8.2/fpm/status.html
+;
+; Note: The value must start with a leading slash (/). The value can be
+;       anything, but it may not be a good idea to use the .php extension or it
+;       may conflict with a real PHP file.
+; Default Value: not set
+pm.status_path = /fpmstatus-spaceapi
+
+; The address on which to accept FastCGI status request. This creates a new
+; invisible pool that can handle requests independently. This is useful
+; if the main pool is busy with long running requests because it is still possible
+; to get the status before finishing the long running requests.
+;
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Default Value: value of the listen option
+;pm.status_listen = 127.0.0.1:9001
+pm.status_listen = /run/php/php8.2-fpm-spaceapi-status.sock
+
+; The ping URI to call the monitoring page of FPM. If this value is not set, no
+; URI will be recognized as a ping page. This could be used to test from outside
+; that FPM is alive and responding, or to
+; - create a graph of FPM availability (rrd or such);
+; - remove a server from a group if it is not responding (load balancing);
+; - trigger alerts for the operating team (24/7).
+; Note: The value must start with a leading slash (/). The value can be
+;       anything, but it may not be a good idea to use the .php extension or it
+;       may conflict with a real PHP file.
+; Default Value: not set
+;ping.path = /ping
+
+; This directive may be used to customize the response of a ping request. The
+; response is formatted as text/plain with a 200 response code.
+; Default Value: pong
+;ping.response = pong
+
+; The access log file
+; Default: not set
+;access.log = log/$pool.access.log
+
+; The access log format.
+; The following syntax is allowed
+;  %%: the '%' character
+;  %C: %CPU used by the request
+;      it can accept the following format:
+;      - %{user}C for user CPU only
+;      - %{system}C for system CPU only
+;      - %{total}C  for user + system CPU (default)
+;  %d: time taken to serve the request
+;      it can accept the following format:
+;      - %{seconds}d (default)
+;      - %{milliseconds}d
+;      - %{milli}d
+;      - %{microseconds}d
+;      - %{micro}d
+;  %e: an environment variable (same as $_ENV or $_SERVER)
+;      it must be associated with embraces to specify the name of the env
+;      variable. Some examples:
+;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
+;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
+;  %f: script filename
+;  %l: content-length of the request (for POST request only)
+;  %m: request method
+;  %M: peak of memory allocated by PHP
+;      it can accept the following format:
+;      - %{bytes}M (default)
+;      - %{kilobytes}M
+;      - %{kilo}M
+;      - %{megabytes}M
+;      - %{mega}M
+;  %n: pool name
+;  %o: output header
+;      it must be associated with embraces to specify the name of the header:
+;      - %{Content-Type}o
+;      - %{X-Powered-By}o
+;      - %{Transfert-Encoding}o
+;      - ....
+;  %p: PID of the child that serviced the request
+;  %P: PID of the parent of the child that serviced the request
+;  %q: the query string
+;  %Q: the '?' character if query string exists
+;  %r: the request URI (without the query string, see %q and %Q)
+;  %R: remote IP address
+;  %s: status (response code)
+;  %t: server time the request was received
+;      it can accept a strftime(3) format:
+;      %d/%b/%Y:%H:%M:%S %z (default)
+;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
+;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+;  %T: time the log has been written (the request has finished)
+;      it can accept a strftime(3) format:
+;      %d/%b/%Y:%H:%M:%S %z (default)
+;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
+;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+;  %u: remote user
+;
+; Default: "%R - %u %t \"%m %r\" %s"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
+
+; A list of request_uri values which should be filtered from the access log.
+;
+; As a security precuation, this setting will be ignored if:
+;     - the request method is not GET or HEAD; or
+;     - there is a request body; or
+;     - there are query parameters; or
+;     - the response code is outwith the successful range of 200 to 299
+;
+; Note: The paths are matched against the output of the access.format tag "%r".
+;       On common configurations, this may look more like SCRIPT_NAME than the
+;       expected pre-rewrite URI.
+;
+; Default Value: not set
+;access.suppress_path[] = /ping
+;access.suppress_path[] = /health_check.php
+
+; The log file for slow requests
+; Default Value: not set
+; Note: slowlog is mandatory if request_slowlog_timeout is set
+;slowlog = log/$pool.log.slow
+
+; The timeout for serving a single request after which a PHP backtrace will be
+; dumped to the 'slowlog' file. A value of '0s' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_slowlog_timeout = 0
+
+; Depth of slow log stack trace.
+; Default Value: 20
+;request_slowlog_trace_depth = 20
+
+; The timeout for serving a single request after which the worker process will
+; be killed. This option should be used when the 'max_execution_time' ini option
+; does not stop script execution for some reason. A value of '0' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_terminate_timeout = 0
+
+; The timeout set by 'request_terminate_timeout' ini option is not engaged after
+; application calls 'fastcgi_finish_request' or when application has finished and
+; shutdown functions are being called (registered via register_shutdown_function).
+; This option will enable timeout limit to be applied unconditionally
+; even in such cases.
+; Default Value: no
+;request_terminate_timeout_track_finished = no
+
+; Set open file descriptor rlimit.
+; Default Value: system defined value
+;rlimit_files = 1024
+
+; Set max core size rlimit.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+
+; Chroot to this directory at the start. This value must be defined as an
+; absolute path. When this value is not set, chroot is not used.
+; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
+; of its subdirectories. If the pool prefix is not set, the global prefix
+; will be used instead.
+; Note: chrooting is a great security feature and should be used whenever
+;       possible. However, all PHP paths will be relative to the chroot
+;       (error_log, sessions.save_path, ...).
+; Default Value: not set
+;chroot =
+
+; Chdir to this directory at the start.
+; Note: relative path can be used.
+; Default Value: current directory or / when chroot
+;chdir = /var/www
+
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Note: on highloaded environment, this can cause some delay in the page
+; process time (several ms).
+; Default Value: no
+;catch_workers_output = yes
+
+; Decorate worker output with prefix and suffix containing information about
+; the child that writes to the log and if stdout or stderr is used as well as
+; log level and time. This options is used only if catch_workers_output is yes.
+; Settings to "no" will output data as written to the stdout or stderr.
+; Default value: yes
+;decorate_workers_output = no
+
+; Clear environment in FPM workers
+; Prevents arbitrary environment variables from reaching FPM worker processes
+; by clearing the environment in workers before env vars specified in this
+; pool configuration are added.
+; Setting to "no" will make all environment variables available to PHP code
+; via getenv(), $_ENV and $_SERVER.
+; Default Value: yes
+;clear_env = no
+
+; Limits the extensions of the main script FPM will allow to parse. This can
+; prevent configuration mistakes on the web server side. You should only limit
+; FPM to .php extensions to prevent malicious users to use other extensions to
+; execute php code.
+; Note: set an empty value to allow all extensions.
+; Default Value: .php
+;security.limit_extensions = .php .php3 .php4 .php5 .php7
+
+; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
+; the current environment.
+; Default Value: clean env
+;env[HOSTNAME] = $HOSTNAME
+;env[PATH] = /usr/local/bin:/usr/bin:/bin
+;env[TMP] = /tmp
+;env[TMPDIR] = /tmp
+;env[TEMP] = /tmp
+
+; Additional php.ini defines, specific to this pool of workers. These settings
+; overwrite the values previously defined in the php.ini. The directives are the
+; same as the PHP SAPI:
+;   php_value/php_flag             - you can set classic ini defines which can
+;                                    be overwritten from PHP call 'ini_set'.
+;   php_admin_value/php_admin_flag - these directives won't be overwritten by
+;                                     PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+;                specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+;php_flag[display_errors] = off
+;php_admin_value[error_log] = /var/log/fpm-php.www.log
+;php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M

roles/web/files/php/8.2/fpm/pool.d/www.conf

@@ -0,0 +1,491 @@
+; Start a new pool named 'www'.
+; the variable $pool can be used in any directive and will be replaced by the
+; pool name ('www' here)
+[www]
+
+; Per pool prefix
+; It only applies on the following directives:
+; - 'access.log'
+; - 'slowlog'
+; - 'listen' (unixsocket)
+; - 'chroot'
+; - 'chdir'
+; - 'php_values'
+; - 'php_admin_values'
+; When not set, the global prefix (or /usr) applies instead.
+; Note: This directive can also be relative to the global prefix.
+; Default Value: none
+;prefix = /path/to/pools/$pool
+
+; Unix user/group of the child processes. This can be used only if the master
+; process running user is root. It is set after the child process is created.
+; The user and group can be specified either by their name or by their numeric
+; IDs.
+; Note: If the user is root, the executable needs to be started with
+;       --allow-to-run-as-root option to work.
+; Default Values: The user is set to master process running user by default.
+;                 If the group is not set, the user's group is used.
+user = www-data
+group = www-data
+
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+listen = /run/php/php8.2-fpm-www.sock
+
+; Set listen(2) backlog.
+; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
+;listen.backlog = 511
+
+; Set permissions for unix socket, if one is used. In Linux, read/write
+; permissions must be set in order to allow connections from a web server. Many
+; BSD-derived systems allow connections regardless of permissions. The owner
+; and group can be specified either by name or by their numeric IDs.
+; Default Values: Owner is set to the master process running user. If the group
+;                 is not set, the owner's group is used. Mode is set to 0660.
+listen.owner = www-data
+listen.group = www-data
+;listen.mode = 0660
+
+; When POSIX Access Control Lists are supported you can set them using
+; these options, value is a comma separated list of user/group names.
+; When set, listen.owner and listen.group are ignored
+;listen.acl_users =
+;listen.acl_groups =
+
+; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
+; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
+; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
+; must be separated by a comma. If this value is left blank, connections will be
+; accepted from any ip address.
+; Default Value: any
+;listen.allowed_clients = 127.0.0.1
+
+; Set the associated the route table (FIB). FreeBSD only
+; Default Value: -1
+;listen.setfib = 1
+
+; Specify the nice(2) priority to apply to the pool processes (only if set)
+; The value can vary from -19 (highest priority) to 20 (lower priority)
+; Note: - It will only work if the FPM master process is launched as root
+;       - The pool processes will inherit the master process priority
+;         unless it specified otherwise
+; Default Value: no set
+; process.priority = -19
+
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
+; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
+; or group is different than the master process user. It allows to create process
+; core dump and ptrace the process for the pool user.
+; Default Value: no
+; process.dumpable = yes
+
+; Choose how the process manager will control the number of child processes.
+; Possible Values:
+;   static  - a fixed number (pm.max_children) of child processes;
+;   dynamic - the number of child processes are set dynamically based on the
+;             following directives. With this process management, there will be
+;             always at least 1 children.
+;             pm.max_children      - the maximum number of children that can
+;                                    be alive at the same time.
+;             pm.start_servers     - the number of children created on startup.
+;             pm.min_spare_servers - the minimum number of children in 'idle'
+;                                    state (waiting to process). If the number
+;                                    of 'idle' processes is less than this
+;                                    number then some children will be created.
+;             pm.max_spare_servers - the maximum number of children in 'idle'
+;                                    state (waiting to process). If the number
+;                                    of 'idle' processes is greater than this
+;                                    number then some children will be killed.
+;             pm.max_spawn_rate    - the maximum number of rate to spawn child
+;                                    processes at once.
+;  ondemand - no children are created at startup. Children will be forked when
+;             new requests will connect. The following parameter are used:
+;             pm.max_children           - the maximum number of children that
+;                                         can be alive at the same time.
+;             pm.process_idle_timeout   - The number of seconds after which
+;                                         an idle process will be killed.
+; Note: This value is mandatory.
+pm = dynamic
+
+; The number of child processes to be created when pm is set to 'static' and the
+; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
+; This value sets the limit on the number of simultaneous requests that will be
+; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
+; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
+; CGI. The below defaults are based on a server without much resources. Don't
+; forget to tweak pm.* to fit your needs.
+; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
+; Note: This value is mandatory.
+pm.max_children = 20
+
+; The number of child processes created on startup.
+; Note: Used only when pm is set to 'dynamic'
+; Default Value: (min_spare_servers + max_spare_servers) / 2
+pm.start_servers = 5
+
+; The desired minimum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.min_spare_servers = 5
+
+; The desired maximum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.max_spare_servers = 15
+
+; The number of rate to spawn child processes at once.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+; Default Value: 32
+;pm.max_spawn_rate = 32
+
+; The number of seconds after which an idle process will be killed.
+; Note: Used only when pm is set to 'ondemand'
+; Default Value: 10s
+;pm.process_idle_timeout = 10s;
+
+; The number of requests each child process should execute before respawning.
+; This can be useful to work around memory leaks in 3rd party libraries. For
+; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
+; Default Value: 0
+;pm.max_requests = 500
+
+; The URI to view the FPM status page. If this value is not set, no URI will be
+; recognized as a status page. It shows the following information:
+;   pool                 - the name of the pool;
+;   process manager      - static, dynamic or ondemand;
+;   start time           - the date and time FPM has started;
+;   start since          - number of seconds since FPM has started;
+;   accepted conn        - the number of request accepted by the pool;
+;   listen queue         - the number of request in the queue of pending
+;                          connections (see backlog in listen(2));
+;   max listen queue     - the maximum number of requests in the queue
+;                          of pending connections since FPM has started;
+;   listen queue len     - the size of the socket queue of pending connections;
+;   idle processes       - the number of idle processes;
+;   active processes     - the number of active processes;
+;   total processes      - the number of idle + active processes;
+;   max active processes - the maximum number of active processes since FPM
+;                          has started;
+;   max children reached - number of times, the process limit has been reached,
+;                          when pm tries to start more children (works only for
+;                          pm 'dynamic' and 'ondemand');
+; Value are updated in real time.
+; Example output:
+;   pool:                 www
+;   process manager:      static
+;   start time:           01/Jul/2011:17:53:49 +0200
+;   start since:          62636
+;   accepted conn:        190460
+;   listen queue:         0
+;   max listen queue:     1
+;   listen queue len:     42
+;   idle processes:       4
+;   active processes:     11
+;   total processes:      15
+;   max active processes: 12
+;   max children reached: 0
+;
+; By default the status page output is formatted as text/plain. Passing either
+; 'html', 'xml' or 'json' in the query string will return the corresponding
+; output syntax. Example:
+;   http://www.foo.bar/status
+;   http://www.foo.bar/status?json
+;   http://www.foo.bar/status?html
+;   http://www.foo.bar/status?xml
+;
+; By default the status page only outputs short status. Passing 'full' in the
+; query string will also return status for each pool process.
+; Example:
+;   http://www.foo.bar/status?full
+;   http://www.foo.bar/status?json&full
+;   http://www.foo.bar/status?html&full
+;   http://www.foo.bar/status?xml&full
+; The Full status returns for each process:
+;   pid                  - the PID of the process;
+;   state                - the state of the process (Idle, Running, ...);
+;   start time           - the date and time the process has started;
+;   start since          - the number of seconds since the process has started;
+;   requests             - the number of requests the process has served;
+;   request duration     - the duration in µs of the requests;
+;   request method       - the request method (GET, POST, ...);
+;   request URI          - the request URI with the query string;
+;   content length       - the content length of the request (only with POST);
+;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
+;   script               - the main script called (or '-' if not set);
+;   last request cpu     - the %cpu the last request consumed
+;                          it's always 0 if the process is not in Idle state
+;                          because CPU calculation is done when the request
+;                          processing has terminated;
+;   last request memory  - the max amount of memory the last request consumed
+;                          it's always 0 if the process is not in Idle state
+;                          because memory calculation is done when the request
+;                          processing has terminated;
+; If the process is in Idle state, then informations are related to the
+; last request the process has served. Otherwise informations are related to
+; the current request being served.
+; Example output:
+;   ************************
+;   pid:                  31330
+;   state:                Running
+;   start time:           01/Jul/2011:17:53:49 +0200
+;   start since:          63087
+;   requests:             12808
+;   request duration:     1250261
+;   request method:       GET
+;   request URI:          /test_mem.php?N=10000
+;   content length:       0
+;   user:                 -
+;   script:               /home/fat/web/docs/php/test_mem.php
+;   last request cpu:     0.00
+;   last request memory:  0
+;
+; Note: There is a real-time FPM status monitoring sample web page available
+;       It's available in: /usr/share/php/8.2/fpm/status.html
+;
+; Note: The value must start with a leading slash (/). The value can be
+;       anything, but it may not be a good idea to use the .php extension or it
+;       may conflict with a real PHP file.
+; Default Value: not set
+pm.status_path = /fpmstatus-www
+
+; The address on which to accept FastCGI status request. This creates a new
+; invisible pool that can handle requests independently. This is useful
+; if the main pool is busy with long running requests because it is still possible
+; to get the status before finishing the long running requests.
+;
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Default Value: value of the listen option
+;pm.status_listen = 127.0.0.1:9001
+pm.status_listen = /run/php/php8.2-fpm-www-status.sock
+
+; The ping URI to call the monitoring page of FPM. If this value is not set, no
+; URI will be recognized as a ping page. This could be used to test from outside
+; that FPM is alive and responding, or to
+; - create a graph of FPM availability (rrd or such);
+; - remove a server from a group if it is not responding (load balancing);
+; - trigger alerts for the operating team (24/7).
+; Note: The value must start with a leading slash (/). The value can be
+;       anything, but it may not be a good idea to use the .php extension or it
+;       may conflict with a real PHP file.
+; Default Value: not set
+;ping.path = /ping
+
+; This directive may be used to customize the response of a ping request. The
+; response is formatted as text/plain with a 200 response code.
+; Default Value: pong
+;ping.response = pong
+
+; The access log file
+; Default: not set
+;access.log = log/$pool.access.log
+
+; The access log format.
+; The following syntax is allowed
+;  %%: the '%' character
+;  %C: %CPU used by the request
+;      it can accept the following format:
+;      - %{user}C for user CPU only
+;      - %{system}C for system CPU only
+;      - %{total}C  for user + system CPU (default)
+;  %d: time taken to serve the request
+;      it can accept the following format:
+;      - %{seconds}d (default)
+;      - %{milliseconds}d
+;      - %{milli}d
+;      - %{microseconds}d
+;      - %{micro}d
+;  %e: an environment variable (same as $_ENV or $_SERVER)
+;      it must be associated with embraces to specify the name of the env
+;      variable. Some examples:
+;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
+;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
+;  %f: script filename
+;  %l: content-length of the request (for POST request only)
+;  %m: request method
+;  %M: peak of memory allocated by PHP
+;      it can accept the following format:
+;      - %{bytes}M (default)
+;      - %{kilobytes}M
+;      - %{kilo}M
+;      - %{megabytes}M
+;      - %{mega}M
+;  %n: pool name
+;  %o: output header
+;      it must be associated with embraces to specify the name of the header:
+;      - %{Content-Type}o
+;      - %{X-Powered-By}o
+;      - %{Transfert-Encoding}o
+;      - ....
+;  %p: PID of the child that serviced the request
+;  %P: PID of the parent of the child that serviced the request
+;  %q: the query string
+;  %Q: the '?' character if query string exists
+;  %r: the request URI (without the query string, see %q and %Q)
+;  %R: remote IP address
+;  %s: status (response code)
+;  %t: server time the request was received
+;      it can accept a strftime(3) format:
+;      %d/%b/%Y:%H:%M:%S %z (default)
+;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
+;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+;  %T: time the log has been written (the request has finished)
+;      it can accept a strftime(3) format:
+;      %d/%b/%Y:%H:%M:%S %z (default)
+;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
+;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+;  %u: remote user
+;
+; Default: "%R - %u %t \"%m %r\" %s"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
+
+; A list of request_uri values which should be filtered from the access log.
+;
+; As a security precuation, this setting will be ignored if:
+;     - the request method is not GET or HEAD; or
+;     - there is a request body; or
+;     - there are query parameters; or
+;     - the response code is outwith the successful range of 200 to 299
+;
+; Note: The paths are matched against the output of the access.format tag "%r".
+;       On common configurations, this may look more like SCRIPT_NAME than the
+;       expected pre-rewrite URI.
+;
+; Default Value: not set
+;access.suppress_path[] = /ping
+;access.suppress_path[] = /health_check.php
+
+; The log file for slow requests
+; Default Value: not set
+; Note: slowlog is mandatory if request_slowlog_timeout is set
+;slowlog = log/$pool.log.slow
+
+; The timeout for serving a single request after which a PHP backtrace will be
+; dumped to the 'slowlog' file. A value of '0s' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_slowlog_timeout = 0
+
+; Depth of slow log stack trace.
+; Default Value: 20
+;request_slowlog_trace_depth = 20
+
+; The timeout for serving a single request after which the worker process will
+; be killed. This option should be used when the 'max_execution_time' ini option
+; does not stop script execution for some reason. A value of '0' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_terminate_timeout = 0
+
+; The timeout set by 'request_terminate_timeout' ini option is not engaged after
+; application calls 'fastcgi_finish_request' or when application has finished and
+; shutdown functions are being called (registered via register_shutdown_function).
+; This option will enable timeout limit to be applied unconditionally
+; even in such cases.
+; Default Value: no
+;request_terminate_timeout_track_finished = no
+
+; Set open file descriptor rlimit.
+; Default Value: system defined value
+;rlimit_files = 1024
+
+; Set max core size rlimit.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+
+; Chroot to this directory at the start. This value must be defined as an
+; absolute path. When this value is not set, chroot is not used.
+; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
+; of its subdirectories. If the pool prefix is not set, the global prefix
+; will be used instead.
+; Note: chrooting is a great security feature and should be used whenever
+;       possible. However, all PHP paths will be relative to the chroot
+;       (error_log, sessions.save_path, ...).
+; Default Value: not set
+;chroot =
+
+; Chdir to this directory at the start.
+; Note: relative path can be used.
+; Default Value: current directory or / when chroot
+;chdir = /var/www
+
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Note: on highloaded environment, this can cause some delay in the page
+; process time (several ms).
+; Default Value: no
+;catch_workers_output = yes
+
+; Decorate worker output with prefix and suffix containing information about
+; the child that writes to the log and if stdout or stderr is used as well as
+; log level and time. This options is used only if catch_workers_output is yes.
+; Settings to "no" will output data as written to the stdout or stderr.
+; Default value: yes
+;decorate_workers_output = no
+
+; Clear environment in FPM workers
+; Prevents arbitrary environment variables from reaching FPM worker processes
+; by clearing the environment in workers before env vars specified in this
+; pool configuration are added.
+; Setting to "no" will make all environment variables available to PHP code
+; via getenv(), $_ENV and $_SERVER.
+; Default Value: yes
+;clear_env = no
+
+; Limits the extensions of the main script FPM will allow to parse. This can
+; prevent configuration mistakes on the web server side. You should only limit
+; FPM to .php extensions to prevent malicious users to use other extensions to
+; execute php code.
+; Note: set an empty value to allow all extensions.
+; Default Value: .php
+;security.limit_extensions = .php .php3 .php4 .php5 .php7
+
+; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
+; the current environment.
+; Default Value: clean env
+;env[HOSTNAME] = $HOSTNAME
+;env[PATH] = /usr/local/bin:/usr/bin:/bin
+;env[TMP] = /tmp
+;env[TMPDIR] = /tmp
+;env[TEMP] = /tmp
+
+; Additional php.ini defines, specific to this pool of workers. These settings
+; overwrite the values previously defined in the php.ini. The directives are the
+; same as the PHP SAPI:
+;   php_value/php_flag             - you can set classic ini defines which can
+;                                    be overwritten from PHP call 'ini_set'.
+;   php_admin_value/php_admin_flag - these directives won't be overwritten by
+;                                     PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+;                specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+;php_flag[display_errors] = off
+;php_admin_value[error_log] = /var/log/fpm-php.www.log
+;php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M

roles/web/files/vhost

@@ -75,16 +75,81 @@ server {
 		rewrite ^/wiki/(.*) /wiki/doku.php?id=$1&$args last;
 	}
 
+	location ~ ^/fpmstatus-spaceapi {
+		auth_basic "Admin";
+		auth_basic_user_file /etc/nginx/fpm_status.htaccess;
+		fastcgi_split_path_info ^(.+\.php)(/.+)$;
+		include fastcgi_params;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+		fastcgi_param PATH_INFO $fastcgi_path_info;
+		fastcgi_pass unix:/var/run/php/php8.2-fpm-spaceapi-status.sock;
+		fastcgi_intercept_errors on;
+		fastcgi_read_timeout 10s;
+	}
+
+	location ~ ^/fpmstatus-www {
+		auth_basic "Admin";
+		auth_basic_user_file /etc/nginx/fpm_status.htaccess;
+		fastcgi_split_path_info ^(.+\.php)(/.+)$;
+		include fastcgi_params;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+		fastcgi_param PATH_INFO $fastcgi_path_info;
+		fastcgi_pass unix:/var/run/php/php8.2-fpm-www-status.sock;
+		fastcgi_intercept_errors on;
+		fastcgi_read_timeout 10s;
+	}
+
+	location ~ ^/spaceapi.php {
+		fastcgi_split_path_info ^(.+\.php)(/.+)$;
+		include fastcgi_params;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+		fastcgi_param PATH_INFO $fastcgi_path_info;
+		fastcgi_pass unix:/var/run/php/php8.2-fpm-spaceapi.sock;
+		fastcgi_intercept_errors on;
+		fastcgi_read_timeout 10s;
+	}
+
 	location ~ \.php(?:$|/) {
 		fastcgi_split_path_info ^(.+\.php)(/.+)$;
 		include fastcgi_params;
 		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 		fastcgi_param PATH_INFO $fastcgi_path_info;
-		fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+		fastcgi_pass unix:/var/run/php/php8.2-fpm-www.sock;
 		fastcgi_intercept_errors on;
+		# fastcgi_read_timeout intentionally not reduced, since Wiki etc. might perform long-running operations (file uploads etc.)
 	}
 }
 
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name autoconfig.binary-kitchen.de;
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://autoconfig.binary-kitchen.de$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name autoconfig.binary-kitchen.de;
+
+	ssl_certificate_key /etc/nginx/ssl/autoconfig.binary-kitchen.de.key;
+	ssl_certificate /etc/nginx/ssl/autoconfig.binary-kitchen.de.crt;
+
+	root /var/www/autconfig;
+
+	default_type text/html;
+}
+
 server {
 	listen 80;
 	listen [::]:80;

roles/web/handlers/main.yml

@@ -3,5 +3,8 @@
 - name: Restart nginx
   service: name=nginx state=restarted
 
+- name: Restart php8.2-fpm
+  service: name=php8.2-fpm state=restarted
+
 - name: Run acertmgr
   command: /usr/bin/acertmgr

roles/web/tasks/main.yml

@@ -7,14 +7,25 @@
     - php-ldap
     - php-sqlite3
     - php-xml
+    - python3-passlib
 
-- name: Create vhost directory
-  file: path=/var/www/kitchen state=directory owner=www-data group=www-data
+- name: Create vhost directories
+  file: path=/var/www/{{ item }} state=directory owner=www-data group=www-data
+  with_items:
+  - autoconfig
+  - autoconfig/mail
+  - ccc-r
+  - makerspace-regensburg
+  - kitchen
 
 - name: Ensure (BK) certificates are available
   command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/www.binary-kitchen.de.key -out /etc/nginx/ssl/www.binary-kitchen.de.crt -days 730 -subj "/CN=www.binary-kitchen.de" creates=/etc/nginx/ssl/www.binary-kitchen.de.crt
   notify: Restart nginx
 
+- name: Ensure (BK autodiscover) certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/autoconfig.binary-kitchen.de.key -out /etc/nginx/ssl/autoconfig.binary-kitchen.de.crt -days 730 -subj "/CN=autoconfig.binary-kitchen.de" creates=/etc/nginx/ssl/autoconfig.binary-kitchen.de.crt
+  notify: Restart nginx
+
 - name: Ensure (CCC-R) certificates are available
   command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/www.ccc-r.de.key -out /etc/nginx/ssl/www.ccc-r.de.crt -days 730 -subj "/CN=www.ccc-r.de" creates=/etc/nginx/ssl/www.ccc-r.de.crt
   notify: Restart nginx
@@ -23,6 +34,23 @@
   command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/www.makerspace-regensburg.de.key -out /etc/nginx/ssl/www.makerspace-regensburg.de.crt -days 730 -subj "/CN=www.makerspace-regensburg.de" creates=/etc/nginx/ssl/www.makerspace-regensburg.de.crt
   notify: Restart nginx
 
+- name: Place Thunderbird autoconfig file
+  template: src=auto_mail.xml.j2 dest=/var/www/autoconfig/mail/config-v1.1.xml
+
+- name: Configure php-fpm
+  copy: src={{ item }} dest=/etc/php/8.2/fpm/pool.d/
+  notify: Restart php8.2-fpm
+  with_fileglob: "php/8.2/fpm/pool.d/*.conf"
+
+- name: Configure htaccess for fpm status
+  htpasswd:
+    path: /etc/nginx/fpm_status.htaccess
+    name: "{{ fpm_status_user}}"
+    password: "{{ fpm_status_pass }}"
+    owner: root
+    group: www-data
+    mode: 0640
+
 - name: Configure certificate manager
   copy: src=certs dest=/etc/acertmgr/www.binary-kitchen.de.conf
   notify: Run acertmgr

roles/web/templates/auto_mail.xml.j2

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<clientConfig version="1.1">
+  <emailProvider id="binary-kitchen.de">
+    <domain>{{ mail_domain }}</domain>
+    <displayName>Binary Kitchen</displayName>
+    <displayShortName>Binary Kitchen</displayShortName>
+    <incomingServer type="imap">
+      <hostname>{{ mail_server }}</hostname>
+      <port>993</port>
+      <socketType>SSL</socketType>
+      <authentication>password-encrypted</authentication>
+      <username>%EMAILLOCALPART%</username>
+    </incomingServer>
+    <incomingServer type="imap">
+      <hostname>{{ mail_server }}</hostname>
+      <port>143</port>
+      <socketType>STARTTLS</socketType>
+      <authentication>password-encrypted</authentication>
+      <username>%EMAILLOCALPART%</username>
+    </incomingServer>
+    <outgoingServer type="smtp">
+      <hostname>{{ mail_server }}</hostname>
+      <port>465</port>
+      <socketType>SSL</socketType>
+      <authentication>password-encrypted</authentication>
+      <username>%EMAILLOCALPART%</username>
+    </outgoingServer>
+    <outgoingServer type="smtp">
+      <hostname>{{ mail_server }}</hostname>
+      <port>587</port>
+      <socketType>STARTTLS</socketType>
+      <authentication>password-encrypted</authentication>
+      <username>%EMAILLOCALPART%</username>
+    </outgoingServer>
+    <documentation url="https://www.binary-kitchen.de/wiki/infra:start#e-mail">
+      <descr lang="de">Beschreibung der Einstellungen</descr>
+      <descr lang="en">Generic settings description</descr>
+    </documentation>
+  </emailProvider>
+</clientConfig>

site.yml

@@ -7,7 +7,7 @@
   - root_keys
 
 - name: Setup unattended updates
-  hosts: [sulis.binary.kitchen, nabia.binary.kitchen, epona.binary.kitchen, pizza.binary.kitchen, pancake.binary.kitchen, knoedel.binary.kitchen, bob.binary.kitchen, lasagne.binary.kitchen, tschunk.binary.kitchen, bowle.binary.kitchen, beryllium.binary-kitchen.net, boron.binary-kitchen.net, carbon.binary-kitchen.net, nitrogen.binary-kitchen.net, oxygen.binary-kitchen.net, fluorine.binary-kitchen.net, neon.binary-kitchen.net, sodium.binary-kitchen.net, magnesium.binary-kitchen.net, aluminium.binary-kitchen.net, krypton.binary-kitchen.net, yttrium.binary-kitchen.net, zirconium.binary-kitchen.net, molybdenum.binary-kitchen.net, technetium.binary-kitchen.net, ruthenium.binary-kitchen.net, rhodium.binary-kitchen.net, palladium.binary-kitchen.net, argentum.binary-kitchen.net, cadmium.binary-kitchen.net, barium.binary-kitchen.net]
+  hosts: [sulis.binary.kitchen, nabia.binary.kitchen, epona.binary.kitchen, pizza.binary.kitchen, pancake.binary.kitchen, knoedel.binary.kitchen, bob.binary.kitchen, lasagne.binary.kitchen, tschunk.binary.kitchen, bowle.binary.kitchen, beryllium.binary-kitchen.net, boron.binary-kitchen.net, carbon.binary-kitchen.net, nitrogen.binary-kitchen.net, oxygen.binary-kitchen.net, fluorine.binary-kitchen.net, neon.binary-kitchen.net, sodium.binary-kitchen.net, magnesium.binary-kitchen.net, aluminium.binary-kitchen.net, krypton.binary-kitchen.net, yttrium.binary-kitchen.net, zirconium.binary-kitchen.net, molybdenum.binary-kitchen.net, ruthenium.binary-kitchen.net, rhodium.binary-kitchen.net, palladium.binary-kitchen.net, argentum.binary-kitchen.net, cadmium.binary-kitchen.net, indium.binary-kitchen.net, barium.binary-kitchen.net]
   roles:
   - uau
 
@@ -20,7 +20,7 @@
   hosts: [bacon.binary.kitchen, aveta.binary.kitchen, aeron.binary.kitchen]
   roles:
   - dns_intern
-  - dhcpd
+  - kea
   - slapd
   - radius
 
@@ -128,10 +128,10 @@
   roles:
   - coturn
 
-- name: Setup zammad server
+- name: Setup web server (dockerized)
   hosts: aluminium.binary-kitchen.net
   roles:
-  - zammad
+  - therapy
 
 - name: Setup jitsi server
   hosts: zirconium.binary-kitchen.net
@@ -163,6 +163,11 @@
   roles:
 # - netbox
 
+- name: Setup igelcam server
+  hosts: indium.binary-kitchen.net
+  roles:
+  - indium_dummy
+
 - name: Setup event web server
   hosts: argentum.binary-kitchen.net
   roles: