noby/ansible
1
0
Fork 0
forked from infra/ansible
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

merge into: noby:homeassistant
Branches Tags
noby:master
noby:homeassistant
noby:upgrade_20240315
noby:upgrade_20230123
noby:upgrade_20220721
noby:xrdp
noby:workadventure
noby:pizza
infra:master
infra:pizza
...
pull from: infra:master
Branches Tags
infra:master
infra:pizza
noby:master
noby:homeassistant
noby:upgrade_20240315
noby:upgrade_20230123
noby:upgrade_20220721
noby:xrdp
noby:workadventure
noby:pizza

17 Commits
homeassist ... master

Author SHA1 Message Date
Markus Hauschild
62bc168983 matrix: increase local media lifetime 2024-10-21 20:02:23 +02:00
Markus Hauschild
d72fc4ceaa uau: rebase against Debian 12 2024-10-21 20:01:44 +02:00
Markus Hauschild
68fee1e0d7 common: rebase against Debian 12 2024-10-21 20:01:06 +02:00
Markus Hauschild
2ea069f94e netbox: bump to version 4.1.4 2024-10-21 19:06:31 +02:00
Thomas Schmid
63df9a1a54 README.md: update strichliste and auweg doorlock to debian 12 2024-10-19 21:42:52 +02:00
Thomas Schmid
35a3f9ae97 strichliste: use system version of debian 2024-10-19 21:40:54 +02:00
Markus Hauschild
71025ea2f4 dns_intern: update dns to reflect changes in network components 2024-10-06 16:35:48 +02:00
Markus Hauschild
ea189822fc repalce dhcpd by kea 2024-10-05 19:39:26 +02:00
Markus Hauschild
b425f3b482 kea: don't configure HA unless needed 2024-10-05 19:36:53 +02:00
Markus Hauschild
c8a0e54cc8 kea: fix socket paths 2024-10-05 19:36:53 +02:00
Markus Hauschild
4b0b8adcdd kea: add ddns support 2024-10-05 19:36:53 +02:00
Markus Hauschild
06a8052353 kea: add more subnets, pools and reservations 2024-10-05 19:36:53 +02:00
Markus Hauschild
dcf7325368 kea: define options and classes for dect-rfps and voip-phones 2024-10-05 19:36:53 +02:00
Markus Hauschild
1ddcc40476 kea: query primary dns server for hostnames 
otherwise the role will fail if the host it is deployed from has VPN but
is not using our DNS infra
 2024-10-05 19:36:53 +02:00
Kishi85
bcb5584874 kea: configure control agent necessary for HA 2024-10-05 19:36:53 +02:00
Kishi85
3530b825e2 kea: add DHCP4 HA config (hot-standby) 2024-10-05 19:36:53 +02:00
Markus Hauschild
5c8baa80e3 kea: new role (replaces dhcpd) 2024-10-05 19:36:53 +02:00
20 changed files with 662 additions and 411 deletions
Show Stats Expand all files Collapse all files

4
README.md
View File

@ -31,9 +31,9 @@ Currently the following hosts are installed:
| knoedel.binary.kitchen | Debian 12 | SIP-DECT OMM |
| bob.binary.kitchen | Debian 12 | Gitea Actions |
| lasagne.binary.kitchen | Debian 12 | Home Assistant * |
| tschunk.binary.kitchen | Debian 11 | Strichliste |
| tschunk.binary.kitchen | Debian 12 | Strichliste |
| bowle.binary.kitchen | Debian 12 | Files |
| lock-auweg.binary.kitchen | Debian 11 | Doorlock |
| lock-auweg.binary.kitchen | Debian 12 | Doorlock |
\*: The main application is not managed by ansible but manually installed

2
host_vars/aeron.binary.kitchen
View File

@ -5,3 +5,5 @@ radius_hostname: radius3.binary.kitchen
slapd_hostname: ldap3.binary.kitchen
slapd_replica_id: 3
slapd_role: slave
uau_reboot: "false"

2
host_vars/bacon.binary.kitchen
View File

@ -15,3 +15,5 @@ radius_hostname: radius1.binary.kitchen
slapd_hostname: ldap1.binary.kitchen
slapd_replica_id: 1
slapd_role: slave
uau_reboot: "false"

15
roles/common/templates/sshd_config.j2
View File

@ -1,9 +1,8 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
@ -69,7 +68,7 @@ PasswordAuthentication {{ sshd_password_authentication }}
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
@ -85,13 +84,13 @@ ChallengeResponseAuthentication no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
@ -109,7 +108,7 @@ PrintMotd no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

4
roles/dhcpd/handlers/main.yml
View File

@ -1,4 +0,0 @@
---
- name: Restart isc-dhcp-server
service: name=isc-dhcp-server state=restarted

14
roles/dhcpd/tasks/main.yml
View File

@ -1,14 +0,0 @@
---
- name: Install dhcp server
apt: name=isc-dhcp-server
- name: Configure dhcp server
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:
- default/isc-dhcp-server
- dhcp/dhcpd.conf
notify: Restart isc-dhcp-server
- name: Start the dhcp server
service: name=isc-dhcp-server state=started enabled=yes

21
roles/dhcpd/templates/default/isc-dhcp-server.j2
View File

@ -1,21 +0,0 @@
#
# This is a POSIX shell fragment
#
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="{{ ansible_default_ipv4['interface'] }}"
INTERFACESv6=""
INTERFACES="{{ ansible_default_ipv4['interface'] }}"

319
roles/dhcpd/templates/dhcp/dhcpd.conf.j2
View File

@ -1,319 +0,0 @@
# dhcpd.conf
# option definitions common to all supported networks...
option domain-name "binary.kitchen";
option domain-name-servers {{ name_servers | join(', ') }};
option domain-search "binary.kitchen";
option ntp-servers 172.23.1.60, 172.23.2.3;
# options related to Mitel SIP-DECT
option space sipdect;
option local-encapsulation code 43 = encapsulate sipdect;
option sipdect.ommip1 code 10 = ip-address;
option sipdect.ommip2 code 19 = ip-address;
option sipdect.syslogip code 14 = ip-address;
option sipdect.syslogport code 15 = integer 16;
option magic_str code 224 = text;
default-lease-time 7200;
max-lease-time 28800;
# Use this to enble / disable dynamic dns updates globally.
ddns-update-style interim;
ddns-updates on;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
{% if dhcpd_failover == true %}
# Failover
failover peer "failover-partner" {
{% if ansible_default_ipv4.address == dhcpd_primary %}
primary;
address {{ dhcpd_primary }};
peer address {{ dhcpd_secondary }};
{% elif ansible_default_ipv4.address == dhcpd_secondary %}
secondary;
address {{ dhcpd_secondary }};
peer address {{ dhcpd_primary }};
{% endif %}
port 520;
peer port 520;
max-response-delay 60;
max-unacked-updates 10;
{% if ansible_default_ipv4.address == dhcpd_primary %}
mclt 600;
split 255;
{% endif %}
load balance max seconds 3;
}
{% endif %}
# Binary Kitchen subnets
# Management
subnet 172.23.1.0 netmask 255.255.255.0 {
option routers 172.23.1.1;
}
# Services
subnet 172.23.2.0 netmask 255.255.255.0 {
allow bootp;
option routers 172.23.2.1;
}
# Users
subnet 172.23.3.0 netmask 255.255.255.0 {
option routers 172.23.3.1;
ddns-domainname "users.binary.kitchen";
option domain-search "binary.kitchen", "users.binary.kitchen";
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.3.10 172.23.3.230;
}
}
# MQTT
subnet 172.23.4.0 netmask 255.255.255.0 {
option routers 172.23.4.1;
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.4.10 172.23.4.240;
}
}
# Management Auweg
subnet 172.23.12.0 netmask 255.255.255.0 {
option routers 172.23.12.1;
}
# Services Auweg
subnet 172.23.13.0 netmask 255.255.255.0 {
allow bootp;
option routers 172.23.13.1;
}
# Users Auweg
subnet 172.23.14.0 netmask 255.255.255.0 {
option routers 172.23.14.1;
option domain-search "binary.kitchen", "users.binary.kitchen";
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.14.10 172.23.14.230;
}
}
# MQTT Auweg
subnet 172.23.15.0 netmask 255.255.255.0 {
option routers 172.23.15.1;
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.15.10 172.23.15.240;
}
}
# DDNS zones
zone users.binary.kitchen {
primary {{ dns_primary }};
}
# Fixed IPs
host ap01 {
hardware ethernet 44:48:c1:ce:a9:00;
fixed-address ap01.binary.kitchen;
}
host ap04 {
hardware ethernet 74:9e:75:ce:93:54;
fixed-address ap04.binary.kitchen;
}
host ap05 {
hardware ethernet bc:9f:e4:c3:6f:aa;
fixed-address ap05.binary.kitchen;
}
host ap06 {
hardware ethernet 94:b4:0f:c0:1d:a0;
fixed-address ap06.binary.kitchen;
}
host ap11 {
hardware ethernet 18:64:72:c6:c2:0c;
fixed-address ap11.binary.kitchen;
}
host ap12 {
hardware ethernet 18:64:72:c6:c4:98;
fixed-address ap12.binary.kitchen;
}
host bowle {
hardware ethernet ac:1f:6b:25:16:b6;
fixed-address bowle.binary.kitchen;
}
host cannelloni {
hardware ethernet b8:27:eb:18:5c:11;
fixed-address cannelloni.binary.kitchen;
}
host fusilli {
hardware ethernet b8:27:eb:1d:b9:bf;
fixed-address fusilli.binary.kitchen;
}
host habdisplay1 {
hardware ethernet b8:27:eb:b6:62:be;
fixed-address habdisplay1.mqtt.binary.kitchen;
}
host habdisplay2 {
hardware ethernet b8:27:eb:df:0b:7b;
fixed-address habdisplay2.mqtt.binary.kitchen;
}
host klopi {
hardware ethernet 74:da:38:6e:e6:9d;
fixed-address klopi.binary.kitchen;
}
host lock {
hardware ethernet b8:27:eb:d8:b9:ad;
fixed-address lock.binary.kitchen;
}
host maccaroni {
hardware ethernet b8:27:eb:f5:9e:a1;
fixed-address maccaroni.binary.kitchen;
}
host matrix {
hardware ethernet b8:27:eb:ed:22:58;
fixed-address matrix.binary.kitchen;
}
host mirror {
hardware ethernet 74:da:38:7d:ed:84;
fixed-address mirror.binary.kitchen;
}
host mpcnc {
hardware ethernet b8:27:eb:0f:d3:8b;
fixed-address mpcnc.binary.kitchen;
}
host noodlehub {
hardware ethernet b8:27:eb:56:2b:7c;
fixed-address noodlehub.binary.kitchen;
}
host openhabgw1 {
hardware ethernet dc:a6:32:bf:e2:3e;
fixed-address openhabgw1.mqtt.binary.kitchen;
}
host pizza {
hardware ethernet 52:54:00:17:02:21;
fixed-address pizza.binary.kitchen;
}
host spaghetti {
hardware ethernet b8:27:eb:eb:e5:88;
fixed-address spaghetti.binary.kitchen;
}
host schweinshaxn {
hardware ethernet 52:54:00:17:02:24;
fixed-address schweinshaxn.binary.kitchen;
}
host strammermax {
hardware ethernet 08:00:37:B8:55:44;
fixed-address strammermax.binary.kitchen;
}
host obatzda {
hardware ethernet ec:9a:74:35:35:cf;
fixed-address obatzda.binary.kitchen;
}
# VoIP Phones
host voip01 {
hardware ethernet 00:1D:45:B6:99:2F;
option tftp-server-name "172.23.2.36";
}
host voip02 {
hardware ethernet 00:1D:A2:66:B8:3E;
option tftp-server-name "172.23.2.36";
}
host voip03 {
hardware ethernet 00:1E:BE:90:FB:DB;
option tftp-server-name "172.23.2.36";
}
host voip04 {
hardware ethernet 00:1E:BE:90:FF:06;
option tftp-server-name "172.23.2.36";
}
# Mitel SIP-DECT
host rfp01 {
hardware ethernet 00:30:42:1B:73:5A;
fixed-address 172.23.1.111;
option host-name "rfp01";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
host rfp02 {
hardware ethernet 00:30:42:21:D4:D5;
fixed-address 172.23.1.112;
option host-name "rfp02";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
host rfp11 {
hardware ethernet 00:30:42:1B:8B:9B;
fixed-address 172.23.12.111;
option host-name "rfp11";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
# OMAPI
omapi-port 7911;
omapi-key omapi_key;
key omapi_key {
algorithm hmac-md5;
secret {{ dhcp_omapi_key }};
}

14
roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2
View File

@ -1,7 +1,7 @@
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2024051300; serial
2024100600; serial
1d; refresh
2h; retry
4w; expire
@ -13,7 +13,7 @@ $TTL 1h ; default time-to-live
1.0 IN PTR core.binary.kitchen.
2.0 IN PTR rt-w13b.binary.kitchen.
3.0 IN PTR erx-rz.binary.kitchen.
4.0 IN PTR erx-auweg.binary.kitchen.
4.0 IN PTR rt-auweg.binary.kitchen.
; Management
1.1 IN PTR v2301.core.binary.kitchen.
11.1 IN PTR ups1.binary.kitchen.
@ -87,22 +87,26 @@ $GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
1.10 IN PTR wg0.erx-rz.binary.kitchen.
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
; Management Auweg
1.12 IN PTR v2312.rt-auweg.binary.kitchen.
31.12 IN PTR sw-auweg.binary.kitchen.
41.12 IN PTR ap11.binary.kitchen.
42.12 IN PTR ap12.binary.kitchen.
61.12 IN PTR weizen.binary.kitchen.
111.12 IN PTR rfp11.binary.kitchen.
; Services Auweg
1.13 IN PTR v2313.rt-auweg.binary.kitchen.
3.13 IN PTR aeron.binary.kitchen.
12.13 IN PTR lock-auweg.binary.kitchen.
; Clients Auweg
1.14 IN PTR v2314.rt-auweg.binary.kitchen.
$GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen.
; MQTT
1.15 IN PTR v2315.rt-auweg.binary.kitchen.
$GENERATE 10-240 $.15 IN PTR dhcp-${0,3,d}-15.binary.kitchen.
; Point-to-Point
1.96 IN PTR v400.erx-bk.binary.kitchen.
1.96 IN PTR v400.rt-w13b.binary.kitchen.
2.96 IN PTR v400.core.binary.kitchen.
1.97 IN PTR wg1.erx-rz.binary.kitchen.
2.97 IN PTR wg1.erx-bk.binary.kitchen.
2.97 IN PTR wg1.rt-w13b.binary.kitchen.
5.97 IN PTR wg2.erx-rz.binary.kitchen.
6.97 IN PTR wg2.erx-auweg.binary.kitchen.
6.97 IN PTR wg2.rt-auweg.binary.kitchen.

14
roles/dns_intern/templates/bind/binary.kitchen.zone.j2
View File

@ -1,7 +1,7 @@
$ORIGIN binary.kitchen ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2024051300; serial
2024100600; serial
1d; refresh
2h; retry
4w; expire
@ -36,7 +36,7 @@ radius IN A 172.23.2.4
core IN A 172.23.0.1
rt-w13b IN A 172.23.0.2
erx-rz IN A 172.23.0.3
erx-auweg IN A 172.23.0.4
rt-auweg IN A 172.23.0.4
; Management
v2301.core IN A 172.23.1.1
ups1 IN A 172.23.1.11
@ -107,25 +107,29 @@ salat IN A 172.23.9.61
salat-bmc IN A 172.23.9.81
; Services RZ
; Management Auweg
v2312.rt-auweg IN A 172.23.12.1
sw-auweg IN A 172.23.12.31
ap11 IN A 172.23.12.41
ap12 IN A 172.23.12.42
weizen IN A 172.23.12.61
rfp11 IN A 172.23.12.111
; Services Auweg
v2313.rt-auweg IN A 172.23.13.1
aeron IN A 172.23.13.3
lock-auweg IN A 172.23.13.12
; Clients Auweg
v2314.rt-auweg IN A 172.23.14.1
$GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$
; MQTT Auweg
v2315.rt-auweg IN A 172.23.15.1
$GENERATE 10-240 dhcp-${0,3,d}-15 IN A 172.23.15.$
; VPN RZ (ER-X)
wg0.erx-rz IN A 172.23.10.1
$GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$
; Point-to-Point
v400.erx-bk IN A 172.23.96.1
v400.rt-w13b IN A 172.23.96.1
v400.core IN A 172.23.96.2
wg1.erx-rz IN A 172.23.97.1
wg1.erx-bk IN A 172.23.97.2
wg1.rt-w13b IN A 172.23.97.2
wg2.erx-rz IN A 172.23.97.5
wg2.erx-auweg IN A 172.23.97.6
wg2.rt-auweg IN A 172.23.97.6

10
roles/kea/handlers/main.yml Normal file
View File

@ -0,0 +1,10 @@
---
- name: Restart kea-dhcp4-server
service: name=kea-dhcp4-server state=restarted
- name: Restart kea-dhcp-ddns-server
service: name=kea-dhcp-ddns-server state=restarted
- name: Restart kea-ctrl-agent
service: name=kea-ctrl-agent state=restarted

38
roles/kea/tasks/main.yml Normal file
View File

@ -0,0 +1,38 @@
---
- name: Install the kea dhcp server
apt:
name:
- kea-ctrl-agent
- kea-dhcp4-server
- kea-dhcp-ddns-server
- name: Configure the kea dhcp4 server
template:
src: kea/kea-dhcp4.conf.j2
dest: /etc/kea/kea-dhcp4.conf
# validate: kea-dhcp4 -t %s
notify: Restart kea-dhcp4-server
- name: Start the kea dhcp4 server
service: name=kea-dhcp4-server state=started enabled=yes
- name: Configure the kea dhcp-ddns server
template:
src: kea/kea-dhcp-ddns.conf.j2
dest: /etc/kea/kea-dhcp-ddns.conf
# validate: kea-dhcp-ddns -t %s
notify: Restart kea-dhcp-ddns-server
- name: Start the kea dhcp-ddns server
service: name=kea-dhcp-ddns-server state=started enabled=yes
- name: Configure the kea control agent
template:
src: kea/kea-ctrl-agent.conf.j2
dest: /etc/kea/kea-ctrl-agent.conf
# validate: kea-ctrl-agent -t %s
notify: Restart kea-ctrl-agent
- name: Start the kea control agent
service: name=kea-ctrl-agent state=started enabled=yes

37
roles/kea/templates/kea/kea-ctrl-agent.conf.j2 Normal file
View File

@ -0,0 +1,37 @@
{
"Control-agent":
{
"http-host": "0.0.0.0",
"http-port": 8000,
"control-sockets":
{
"dhcp4":
{
"comment": "socket to DHCP4 server",
"socket-type": "unix",
"socket-name": "/run/kea/kea4-ctrl-socket"
},
"d2":
{
"socket-type": "unix",
"socket-name": "/run/kea/kea-ddns-ctrl-socket",
"user-context": { "in-use": false }
}
},
"loggers": [
{
"name": "kea-ctrl-agent",
"output_options": [
{
"output": "stdout",
"pattern": "%-5p %m\n"
}
],
"severity": "INFO",
"debuglevel": 0
}
]
}
}

38
roles/kea/templates/kea/kea-dhcp-ddns.conf.j2 Normal file
View File

@ -0,0 +1,38 @@
{
"DhcpDdns": {
"ip-address": "127.0.0.1",
"port": 53001,
"control-socket": {
"socket-type": "unix",
"socket-name": "/run/kea/kea-ddns-ctrl-socket"
},
"forward-ddns": {
"ddns-domains": [
{
"name": "users.binary.kitchen.",
"dns-servers": [
{ "ip-address": "{{ dns_primary }}" }
]
}
]
},
"reverse-ddns": {
},
"loggers": [
{
"name": "kea-dhcp4",
"output_options": [
{
"output": "stdout",
"pattern": "%-5p %m\n"
}
],
"severity": "INFO",
"debuglevel": 0
}
]
}
}

470
roles/kea/templates/kea/kea-dhcp4.conf.j2 Normal file
View File

@ -0,0 +1,470 @@
{
"Dhcp4": {
"interfaces-config": {
"interfaces": [ "{{ ansible_default_ipv4['interface'] }}" ]
},
"control-socket": {
"socket-type": "unix",
"socket-name": "/run/kea/kea4-ctrl-socket"
},
"dhcp-ddns": {
"enable-updates": true,
"server-ip": "127.0.0.1",
"server-port": 53001,
"sender-ip": "",
"sender-port": 0,
"max-queue-size": 1024,
"ncr-protocol": "UDP",
"ncr-format": "JSON"
},
"hooks-libraries": [
{
"library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_lease_cmds.so"
{% if dhcpd_failover %}
},
{
"library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_ha.so",
"parameters": {
"high-availability": [ {
"this-server-name": "{{ inventory_hostname.split('.')[0] }}",
"mode": "hot-standby",
"heartbeat-delay": 10000,
"max-response-delay": 60000,
"max-ack-delay": 5000,
"max-unacked-clients": 5,
"sync-timeout": 60000,
"peers": [
{
"name": "{{ lookup('dig', dhcpd_primary+'/PTR', '@'+dns_primary).split('.')[0] }}",
"url": "http://{{ dhcpd_primary }}:8000/",
"role": "primary"
},
{
"name": "{{ lookup('dig', dhcpd_secondary+'/PTR', '@'+dns_primary).split('.')[0] }}",
"url": "http://{{ dhcpd_secondary }}:8000/",
"role": "standby"
}
]
} ]
}
{% endif %}
}
],
"lease-database": {
"type": "memfile",
"lfc-interval": 3600
},
"expired-leases-processing": {
"reclaim-timer-wait-time": 10,
"flush-reclaimed-timer-wait-time": 25,
"hold-reclaimed-time": 3600,
"max-reclaim-leases": 100,
"max-reclaim-time": 250,
"unwarned-reclaim-cycles": 5
},
"renew-timer": 900,
"rebind-timer": 1800,
"valid-lifetime": 3600,
"option-def": [
{
"code": 43,
"encapsulate": "sipdect",
"name": "vendor-encapsulated-options",
"space": "dhcp4",
"type": "empty"
},
{
"code": 10,
"name": "ommip1",
"space": "sipdect",
"type": "ipv4-address"
},
{
"code": 19,
"name": "ommip2",
"space": "sipdect",
"type": "ipv4-address"
},
{
"code": 14,
"name": "syslogip",
"space": "sipdect",
"type": "ipv4-address"
},
{
"code": 15,
"name": "syslogport",
"space": "sipdect",
"type": "int16"
},
{
"code": 224,
"name": "magic_str",
"space": "dhcp4",
"type": "string"
}
],
"option-data": [
{
"name": "domain-name-servers",
"data": "{{ name_servers | join(', ') }}"
},
{
"name": "domain-name",
"data": "binary.kitchen"
},
{
"name": "domain-search",
"data": "binary.kitchen"
}
],
"client-classes": [
{
"name": "voip-phone",
"option-data": [
{
"name": "tftp-server-name",
"data": "172.23.2.36"
}
]
},
{
"name": "dect-rfp",
"option-data": [
{
"name": "vendor-encapsulated-options"
},
{
"data": "172.23.2.35",
"name": "ommip1",
"space": "sipdect"
},
{
"data": "OpenMobilitySIP-DECT",
"name": "magic_str"
}
]
}
],
"subnet4": [
{
"subnet": "172.23.1.0/24",
"option-data": [
{
"name": "routers",
"data": "172.23.1.1"
}
],
"reservations": [
{
"hw-address": "44:48:c1:ce:a9:00",
"ip-address": "172.23.1.41",
"hostname": "ap01"
},
{
"hw-address": "74:9e:75:ce:93:54",
"ip-address": "172.23.1.44",
"hostname": "ap04"
},
{
"hw-address": "bc:9f:e4:c3:6f:aa",
"ip-address": "172.23.1.45",
"hostname": "ap05"
},
{
"hw-address": "94:b4:0f:c0:1d:a0",
"ip-address": "172.23.1.46",
"hostname": "ap06"
},
{
"hw-address": "00:30:42:1B:73:5A",
"ip-address": "172.23.1.111",
"client-classes": [ "dect-rfp" ],
"hostname": "rfp01"
},
{
"hw-address": "00:30:42:21:D4:D5",
"ip-address": "172.23.1.112",
"client-classes": [ "dect-rfp" ],
"hostname": "rfp02"
}
]
},
{
"subnet": "172.23.2.0/24",
"option-data": [
{
"name": "routers",
"data": "172.23.2.1"
}
],
"reservations": [
{
"hw-address": "b8:27:eb:d8:b9:ad",
"ip-address": "172.23.2.12",
"hostname": "lock"
},
{
"hw-address": "b8:27:eb:ed:22:58",
"ip-address": "172.23.2.13",
"hostname": "matrix"
},
{
"hw-address": "08:00:37:B8:55:44",
"ip-address": "172.23.2.91",
"hostname": "strammermax"
},
{
"hw-address": "ec:9a:74:35:35:cf",
"ip-address": "172.23.2.92",
"hostname": "obatzda"
}
]
},
{
"subnet": "172.23.3.0/24",
"pools": [ { "pool": "172.23.3.10 - 172.23.3.230" } ],
"option-data": [
{
"name": "routers",
"data": "172.23.3.1"
},
{
"name": "domain-search",
"data": "binary.kitchen, users.binary.kitchen"
}
],
"ddns-send-updates": true,
"ddns-override-client-update": true,
"ddns-override-no-update": true,
"ddns-qualifying-suffix": "users.binary.kitchen",
"ddns-generated-prefix": "dhcp",
"ddns-replace-client-name": "when-not-present",
"ddns-update-on-renew": true,
"reservations": [
{
"hw-address": "b8:27:eb:18:5c:11",
"ip-address": "172.23.3.250",
"hostname": "cannelloni"
},
{
"hw-address": "b8:27:eb:1d:b9:bf",
"ip-address": "172.23.3.240",
"hostname": "fusilli"
},
{
"hw-address": "74:da:38:6e:e6:9d",
"ip-address": "172.23.3.241",
"hostname": "klopi"
},
{
"hw-address": "b8:27:eb:f5:9e:a1",
"ip-address": "172.23.3.246",
"hostname": "maccaroni"
},
{
"hw-address": "74:da:38:7d:ed:84",
"ip-address": "172.23.3.244",
"hostname": "mirror"
},
{
"hw-address": "b8:27:eb:0f:d3:8b",
"ip-address": "172.23.3.242",
"hostname": "mpcnc"
},
{
"hw-address": "b8:27:eb:56:2b:7c",
"ip-address": "172.23.3.251",
"hostname": "noodlehub"
},
{
"hw-address": "b8:27:eb:eb:e5:88",
"ip-address": "172.23.3.245",
"hostname": "spaghetti"
},
{
"hw-address": "00:1D:45:B6:99:2F",
"hostname": "voip01",
"client-classes": [ "voip-phone" ]
},
{
"hw-address": "00:1D:A2:66:B8:3E",
"hostname": "voip02",
"client-classes": [ "voip-phone" ]
},
{
"hw-address": "00:1E:BE:90:FB:DB",
"hostname": "voip03",
"client-classes": [ "voip-phone" ]
},
{
"hw-address": "00:1E:BE:90:FF:06",
"hostname": "voip04",
"client-classes": [ "voip-phone" ]
}
]
},
{
"subnet": "172.23.4.0/24",
"pools": [ { "pool": "172.23.4.10 - 172.23.4.240" } ],
"option-data": [
{
"name": "routers",
"data": "172.23.4.1"
}
],
"reservations": [
{
"hw-address": "b8:27:eb:b6:62:be",
"ip-address": "172.23.4.241",
"hostname": "habdisplay1"
},
{
"hw-address": "b8:27:eb:df:0b:7b",
"ip-address": "172.23.4.242",
"hostname": "habdisplay2"
},
{
"hw-address": "dc:a6:32:bf:e2:3e",
"ip-address": "172.23.4.251",
"hostname": "openhabgw1"
}
]
},
{
"subnet": "172.23.12.0/24",
"option-data": [
{
"name": "routers",
"data": "172.23.12.1"
}
],
"reservations": [
{
"hw-address": "18:64:72:c6:c2:0c",
"ip-address": "172.23.12.41",
"hostname": "ap11"
},
{
"hw-address": "18:64:72:c6:c4:98",
"ip-address": "172.23.12.42",
"hostname": "ap12"
},
{
"hw-address": "00:30:42:1B:8B:9B",
"ip-address": "172.23.12.111",
"client-classes": [ "dect-rfp" ],
"hostname": "rfp11"
}
]
},
{
"subnet": "172.23.13.0/24",
"option-data": [
{
"name": "routers",
"data": "172.23.13.1"
}
]
},
{
"subnet": "172.23.14.0/24",
"pools": [ { "pool": "172.23.14.10 - 172.23.14.240" } ],
"option-data": [
{
"name": "routers",
"data": "172.23.14.1"
}
]
},
{
"subnet": "172.23.15.0/24",
"pools": [ { "pool": "172.23.15.10 - 172.23.15.240" } ],
"option-data": [
{
"name": "routers",
"data": "172.23.15.1"
}
]
}
],
"loggers": [
{
"name": "kea-dhcp4",
"output_options": [
{
"output": "stdout",
"pattern": "%-5p %m\n"
}
],
"severity": "INFO",
"debuglevel": 0
}
]
}
}

2
roles/matrix/templates/matrix-synapse/homeserver.yaml.j2
View File

@ -2793,7 +2793,7 @@ background_updates:
# marked as protected from quarantine will not be deleted.
#
media_retention:
local_media_lifetime: 90d
local_media_lifetime: 180d
remote_media_lifetime: 14d

2
roles/netbox/defaults/main.yml
View File

@ -2,4 +2,4 @@
netbox_group: netbox
netbox_user: netbox
netbox_version: 4.1.3
netbox_version: 4.1.4

37
roles/strichliste/tasks/main.yml
View File

@ -3,28 +3,21 @@
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
- name: Enable sury php apt-key
apt_key: url="https://packages.sury.org/php/apt.gpg"
- name: Enable sury php repository
apt_repository: repo="deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
- name: Install packages
apt:
name:
- php8.1
- php8.1-common
- php8.1-curl
- php8.1-mysql
- php8.1-mbstring
- php8.1-cli
- php8.1-opcache
- php8.1-xml
- php8.1-fpm
- php8.1-readline
- php
- php-common
- php-curl
- php-mysql
- php-mbstring
- php-cli
- php-opcache
- php-xml
- php-fpm
- php-readline
- mariadb-server
- python3-mysqldb
- python3-psycopg2
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ strichliste_domain }}.key -out /etc/nginx/ssl/{{ strichliste_domain }}.crt -days 730 -subj "/CN={{ strichliste_domain }}" creates=/etc/nginx/ssl/{{ strichliste_domain }}.crt
@ -37,12 +30,6 @@
- name: Create vhost directory
file: path=/var/www/strichliste state=directory owner=www-data group=www-data
- name: Install Mariadb
apt:
name:
- mariadb-server
- python3-mysqldb
- name: Configure Mariadb database
community.mysql.mysql_db: name={{ strichliste_dbname }}
become: true
@ -77,5 +64,5 @@
file: src=/etc/nginx/sites-available/strichliste dest=/etc/nginx/sites-enabled/strichliste state=link
notify: Restart nginx
- name: Start php8.1-fpm
service: name=php8.1-fpm state=started enabled=yes
- name: Start php8.2-fpm
service: name=php8.2-fpm state=started enabled=yes

28
roles/uau/templates/50unattended-upgrades.j2
View File

@ -2,7 +2,7 @@
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format format is "keyword=value,...". A
// Lines below have the format "keyword=value,...". A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
@ -31,6 +31,7 @@ Unattended-Upgrade::Origins-Pattern {
// "origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
// Archive or Suite based matching:
// Note that this will silently match a different release after
@ -65,7 +66,7 @@ Unattended-Upgrade::Package-Blacklist {
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
@ -93,9 +94,11 @@ Unattended-Upgrade::Package-Blacklist {
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "root";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
Unattended-Upgrade::MailOnlyOnError "true";
// Set this value to one of:
// "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
Unattended-Upgrade::MailReport "only-on-error";
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
@ -145,3 +148,18 @@ Unattended-Upgrade::Automatic-Reboot "{{ uau_reboot }}";
// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";
// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";
// When APT fails to mark a package to be upgraded or installed try adjusting
// candidates of related packages to help APT's resolver in finding a solution
// where the package can be upgraded or installed.
// This is a workaround until APT's resolver is fixed to always find a
// solution if it exists. (See Debian bug #711128.)
// The fallback is enabled by default, except on Debian's sid release because
// uninstallable packages are frequent there.
// Disabling the fallback speeds up unattended-upgrades when there are
// uninstallable packages at the expense of rarely keeping back packages which
// could be upgraded or installed.
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";

2
site.yml
View File

@ -20,7 +20,7 @@
hosts: [bacon.binary.kitchen, aveta.binary.kitchen, aeron.binary.kitchen]
roles:
- dns_intern
- dhcpd
- kea
- slapd
- radius