kea: added reservation for chromecast keller video

use "@" instead of "" to prevent this from happening again

README.md

@@ -1,11 +1,68 @@
 # Binary Kitchen Ansible Playbooks
 
-This repository contains the roles to setup most of the infrastructure related to the hackerspace Binary Kitchen.
+This repository contains the roles to setup most of the infrastructure related to the hackspace Binary Kitchen.
 
-## Using
+## Usage
 
-TBA
+To apply the current set of roles to a single host you can type: `ansible-playbook site.yml -l $hostname`
 
-## Style / Contributing
+It is recommenced to alway run in check mode (`--check`) first and use `--diff` to see what has been (or would be) changed
 
-TBA/TBD
+
+## Current setup
+
+Currently the following hosts are installed:
+
+### Internal Servers
+
+| Hostname                    | OS        | Purpose                 |
+| --------------------------- | --------- | ----------------------- |
+| wurst.binary.kitchen        | Proxmox 8 | VM Host                 |
+| salat.binary.kitchen        | Proxmox 8 | VM Host                 |
+| weizen.binary.kitchen       | Proxmox 8 | VM Host                 |
+| bacon.binary.kitchen        | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| aveta.binary.kitchen        | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| aeron.binary.kitchen        | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| sulis.binary.kitchen        | Debian 12 | Shell                   |
+| nabia.binary.kitchen        | Debian 12 | Monitoring              |
+| epona.binary.kitchen        | Debian 12 | NetBox                  |
+| pizza.binary.kitchen        | Debian 11 | OpenHAB *               |
+| pancake.binary.kitchen      | Debian 12 | XRDP                    |
+| knoedel.binary.kitchen      | Debian 12 | SIP-DECT OMM            |
+| schweinshaxn.binary.kitchen | Debian 12 | FreePBX                 |
+| bob.binary.kitchen          | Debian 12 | Gitea Actions           |
+| lasagne.binary.kitchen      | Debian 12 | Home Assistant *        |
+| tschunk.binary.kitchen      | Debian 12 | Strichliste             |
+| bowle.binary.kitchen        | Debian 12 | Files                   |
+| lock-auweg.binary.kitchen   | Debian 12 | Doorlock                |
+
+\*: The main application is not managed by ansible but manually installed
+
+### External Servers
+
+| Hostname                      | OS        | Purpose                 |
+| ----------------------------- | --------- | ----------------------- |
+| helium.binary-kitchen.net     | Debian 12 | LDAP Master             |
+| lithium.binary-kitchen.net    | Debian 12 | Mail                    |
+| beryllium.binary-kitchen.net  | Debian 12 | Web *                   |
+| boron.binary-kitchen.net      | Debian 12 | Gitea                   |
+| carbon.binary-kitchen.net     | Debian 12 | Jabber                  |
+| nitrogen.binary-kitchen.net   | Debian 12 | NextCloud               |
+| oxygen.binary-kitchen.net     | Debian 12 | Shell                   |
+| fluorine.binary-kitchen.net   | Debian 12 | Web (div. via Docker)   |
+| neon.binary-kitchen.net       | Debian 12 | Auth. DNS               |
+| sodium.binary-kitchen.net     | Debian 12 | Mattrix                 |
+| magnesium.binary-kitchen.net  | Debian 12 | TURN                    |
+| aluminium.binary-kitchen.net  | Debian 12 | Web (div. via Docker)   |
+| krypton.binary-kitchen.net    | Debian 12 | PartDB *                |
+| yttrium.binary-kitchen.net    | Debian 12 | Hintervvoidler *        |
+| zirconium.binary-kitchen.net  | Debian 12 | Jitsi                   |
+| molybdenum.binary-kitchen.net | Debian 12 | Telefonzelle *          |
+| technetium.binary-kitchen.net | Debian 12 | Event CTFd *            |
+| ruthenium.binary-kitchen.net  | Debian 12 | Minecraft *             |
+| rhodium.binary-kitchen.net    | Debian 12 | Event pretix            |
+| palladium.binary-kitchen.net  | Debian 12 | Event pretalx           |
+| argentum.binary-kitchen.net   | Debian 12 | Event Web *             |
+| cadmium.binary-kitchen.net    | Debian 12 | Event NetBox *          |
+
+\*: The main application is not managed by ansible but manually installed

group_vars/all/vars.yml

@@ -5,6 +5,14 @@ acertmgr_mode: webdir
 acme_dnskey_file: /etc/acertmgr/nsupdate.key
 acme_dnskey_server: neon.binary-kitchen.net
 
+authentik_domain: auth.binary-kitchen.de
+authentik_dbname: authentik
+authentik_dbuser: authentik
+authentik_dbpass: "{{ vault_authentik_dbpass }}"
+authentik_secret: "{{ vault_authentik_secret }}"
+
+bk23b_domain: 23b.binary-kitchen.de
+
 coturn_realm: turn.binary-kitchen.de
 coturn_secret: "{{ vault_coturn_secret }}"
 
@@ -14,19 +22,12 @@ dns_axfr_ips:
 
 dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
 
-drone_admin: moepman
-drone_domain: drone.binary-kitchen.de
-drone_dbname: drone
-drone_dbuser: drone
-drone_dbpass: "{{ vault_drone_dbpass }}"
-drone_uipass: "{{ vault_drone_uipass }}"
-drone_secret: "{{ vault_drone_secret }}"
-drone_gitea_client: "{{ vault_drone_gitea_client }}"
-drone_gitea_secret: "{{ vault_drone_gitea_secret }}"
-
 dss_domain: dss.binary-kitchen.de
 dss_secret: "{{ vault_dss_secret }}"
 
+fpm_status_user: admin
+fpm_status_pass: "{{ vault_fpm_status_pass }}"
+
 gitea_domain: git.binary-kitchen.de
 gitea_dbname: gogs
 gitea_dbuser: gogs
@@ -35,8 +36,8 @@ gitea_secret: "{{ vault_gitea_secret }}"
 gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
 
 hedgedoc_domain: pad.binary-kitchen.de
-hedgedoc_dbname: hackmd
-hedgedoc_dbuser: hackmd
+hedgedoc_dbname: hedgedoc
+hedgedoc_dbuser: hedgedoc
 hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
 hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
 
@@ -44,6 +45,7 @@ icinga_domain: icinga.binary.kitchen
 icinga_dbname: icinga
 icinga_dbuser: icinga
 icinga_dbpass: "{{ vault_icinga_dbpass }}"
+icinga_server: nabia.binary.kitchen
 icingaweb_dbname: icingaweb
 icingaweb_dbuser: icingaweb
 icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
@@ -66,18 +68,27 @@ mail_domain: binary-kitchen.de
 mail_domains:
 - ccc-r.de
 - ccc-regensburg.de
+- eh21.easterhegg.eu
 - makerspace-regensburg.de
 mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
 mail_server: mail.binary-kitchen.de
 mailman_domain: lists.binary-kitchen.de
 mail_trusted:
 - 213.166.246.0/28
+- 213.166.246.37/32
 - 213.166.246.45/32
+- 213.166.246.46/32
+- 213.166.246.47/32
 - 213.166.246.250/32
 - 2a02:958:0:f6::/124
+- 2a02:958:0:f6::37/128
 - 2a02:958:0:f6::45/128
+- 2a02:958:0:f6::46/128
+- 2a02:958:0:f6::47/128
 mail_aliases:
 - "auweg@binary-kitchen.de	venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
+- "bbb@binary-kitchen.de	boehm.johannes@gmail.com"
+- "dasfilament@binary-kitchen.de	taxx@binary-kitchen.de"
 - "epvpn@binary-kitchen.de	noby@binary-kitchen.de"
 - "google@binary-kitchen.de	vorstand@binary-kitchen.de"
 - "info@binary-kitchen.de	vorstand@binary-kitchen.de"
@@ -87,12 +98,16 @@ mail_aliases:
 - "openhab@binary-kitchen.de	noby@binary-kitchen.de"
 - "orga@ccc-r.de	orga@ccc-regensburg.de"
 - "orga@ccc-regensburg.de	anti@binary-kitchen.de"
-- "paypal@binary-kitchen.de	timo.schindler@binary-kitchen.de"
+- "paypal@binary-kitchen.de	ralf@binary-kitchen.de"
 - "post@makerspace-regensburg.de	vorstand@binary-kitchen.de"
+- "pretalx@binary-kitchen.de	moepman@binary-kitchen.de"
+- "pretix@binary-kitchen.de	moepman@binary-kitchen.de"
 - "root@binary-kitchen.de	moepman@binary-kitchen.de,kishi@binary-kitchen.de"
 - "seife@binary-kitchen.de	anke@binary-kitchen.de"
 - "siebdruck@binary-kitchen.de	anke@binary-kitchen.de"
-- "vorstand@binary-kitchen.de	anti@binary-kitchen.de,avarrish@binary-kitchen.de,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
+- "therapy-jetzt@binary-kitchen.de	darthrain@binary-kitchen.de"
+- "toepferwerkstatt@binary-kitchen.de	anke@binary-kitchen.de,meet_judith@binary-kitchen.de"
+- "vorstand@binary-kitchen.de	anke@binary-kitchen.de,christoph@schindlbeck.eu,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
 - "voucher1@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher2@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher3@binary-kitchen.de	exxess@binary-kitchen.de"
@@ -105,7 +120,12 @@ mail_aliases:
 - "voucher10@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher11@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher12@binary-kitchen.de	exxess@binary-kitchen.de"
+- "voucher13@binary-kitchen.de	exxess@binary-kitchen.de"
+- "voucher14@binary-kitchen.de	exxess@binary-kitchen.de"
+- "voucher15@binary-kitchen.de	exxess@binary-kitchen.de"
 - "workshops@binary-kitchen.de	timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
+- "tickets@eh21.easterhegg.eu	orga@eh21.easterhegg.eu"
+- "hackzuck@eh21.easterhegg.eu	kekskruemml@binary-kitchen.de"
 
 matrix_domain: matrix.binary-kitchen.de
 matrix_dbname: matrix
@@ -125,15 +145,14 @@ nextcloud_dbname: owncloud
 nextcloud_dbuser: owncloud
 nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
 
-nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
-nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
-nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
+omm_domain: omm.binary.kitchen
 
-pretix_domain: pretix.rc3.binary-kitchen.de
+pretix_domain: pretix.events.binary-kitchen.de
+pretix_domainx: tickets.eh21.easterhegg.eu
 pretix_dbname: pretix
 pretix_dbuser: pretix
 pretix_dbpass: "{{ vault_pretix_dbpass }}"
-pretix_mail: rc3@binary-kitchen.de
+pretix_mail: pretix@binary-kitchen.de
 
 prometheus_pve_user: prometheus@pve
 prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
@@ -155,4 +174,20 @@ slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
 slapd_root_pass: "{{ vault_slapd_root_pass }}"
 slapd_san: ldap.binary.kitchen
 
-workadventure_domain: wa.binary-kitchen.de
+sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
+sssd_base_user: ou=people,dc=binary-kitchen,dc=de
+
+strichliste_domain: tschunk.binary.kitchen
+strichliste_dbname: strichliste
+strichliste_dbuser: strichliste
+strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
+
+therapy_domain: therapy.jetzt
+therapy_secret: "{{ vault_therapy_secret }}"
+
+vaultwarden_domain: vault.binary-kitchen.de
+vaultwarden_dbname: vaultwarden
+vaultwarden_dbuser: vaultwarden
+vaultwarden_dbpass: "{{ vault_vaultwarden_dbpass }}"
+vaultwarden_token: "{{ vault_vaultwarden_token }}"
+vaultwarden_yubico_secret: "{{ vault_vaultwarden_yubico_secret }}"

group_vars/all/vault.yml

@@ -1,70 +1,109 @@
 $ANSIBLE_VAULT;1.1;AES256
-34303237313431646264363034353637613836633432633638333963363037663435626166663630
-6338393164366434386334313664386166373031326538350a396639373163646666376462373662
-36623863356436356635303263643239666162333863613831326630303363346137653234323838
-3639623464303131350a653162336338626665393534623063623330323162373935353939303631
-64333363373563343336643764306563376461393430643631366133353836646363363166653233
-38323331386165366334656630626138383131323664333266353164323164373364303161653365
-30333339646139626434636365653666636534346266636262613938656665343634363563663366
-32306663653930613762663534613635616663613130613933626331663861643439323664353739
-31316531653562646363376233636464396262313132343234303933343066373862633235383333
-31313431336464663163343835646430323664373166363465343037333130343636646363393231
-34613162386637306539663431636137353039383037333937613035393332353933333134346335
-31616561636533383639366634316164343466613634643130353437393664336332316132363934
-61333961613530333536613034386332646136313939356339633334353333326661393231343261
-62653463316662376134663965383030636639356637393237653362616561616238653637623039
-65653139373633323766356362613239316165393966623932346561363363393138653032366439
-64303463306132363261333936653763353833386337303763316362666134306264306464306362
-30343364393539636565633861386261373661623061333733353635336133373162636465376137
-61316465306534623337383631663538336632383832343132333862316336323961623637383838
-65363832646138376233653264373535633437376162326361313863333839343236343966393839
-32323361666264373466396130666465303032393364633134343264643731323438646562333361
-63376266616430643135326430366266633332633333646134313736316139386232333965346331
-61663964653931333730643435303637666563316133373831336566303361383736666139626562
-38623031303533396632613361323533313334333631316434646232383136393433323466383330
-65666530616466623933393936613963663766653361643733326330643162346635613835633736
-64393064326233313035316130353563623639303665623064303831376332353264633930363364
-33623137353130353962323964396130646230393335386434346130663064613434643136656466
-63623666376165653961666539383335356163316131353966613036643530663835313766366533
-31656633633331636535316234653561326465623562393632623062383935336530383133626236
-66323366306366623631373861346635303063376264613734643039363137613837333534616362
-37633462373538313562666639613031343866383234633438373936623437333666343731633735
-33386666313531613734643431333332346439386465303531306365386537613933623636643237
-35653434303433633533356662623965383133383838613361303832326130343938393561393935
-38313533643830633432303464306561643233303866316130616531623230393366323264626165
-33653230366138376533376166393466656233353061343338393433386332333361353063323634
-66366561646466616566336265363037616433616231353739613538633765343235323637303535
-34373739306130313536633338353130656632666536356535636265333335303730333031323436
-39633466353139663361646265656334633461346564616633643030383662353762643237333761
-31326435313361366163353836633535303462623533373363376433613139373135393566333937
-64313838373366383432376430643236633030623736643435363038616261333364366139666435
-66623661643032633931623539383136373138636333323737323165333831333764363137393562
-62663335353265353535643666356632663736343039333965653639653764646261323736313430
-39656366356130326363363133383062333530316165643430383161306135346663623861313030
-65346430353230363561633239623330623265666336616133326263323063333132323764343735
-63346230373339343062393035356565376265643463326366326535313130663163366435323339
-62363339313332663333653336633331343161363432393639316630633365643037653739613132
-63316662336630626366363662333061353539333133653732646330643065333430316333316131
-33363662653465306531666435363932663432373932353466383364383634643634313736303931
-63353632353836663263616137353031643238663632363563656137313961656534663137613061
-37636530306334613639326363383665373061383634326630653366386632636634653638653330
-32366438623635363833343566353365373762646162393637326433656438663066663766333761
-65363136666238623439663764363266363731613261326566653035303265623736353331376562
-36646435353134613363316236383938613032626562646237366337376433326334386330646266
-66333365323133616466646164353262653830313764376562636164326163623463373863373630
-31623264373330386136396130626133323762363262336337396562613166646132386362383635
-61333637373462316463303962396162383039373265303939306132323533393236343965613835
-32646361383938383337653264323766363130613264613463386432306238316531653437323939
-39353866313834393933623630303539633334663239343865313264616664656464646631623934
-33623230643633353361343965396236393939343765653161643530626133663236383135343934
-37353231626339323866613237663463656239326335643035313730363133616538613866386162
-65623335393462633130353965343533616261636261656162626639323231623934663765386166
-37353665643363386662646538306530326161653461393236616531343935393639386432633437
-63643561646337616138633063646261323937333262333535626235373561336339346661353365
-30396365376566616538353866383266666436636131656535363062633237313266366639373536
-64316435316234313365306332383637636263376563393464303566313566636238626434393364
-62316263353733636136393034616362643764346536373533363937633938383037376261656330
-30333738616232616566643335353161636466643830393464643263653633373662623437643332
-61396430636631396134393064633131636233653664373363386638366138343435613438303330
-61366234663461333331623961393834643233623862323861346163343934303838666232626639
-6139
+38306162656631353365313637393663316134623036643364383033613731356230663464376264
+3335653933643733613462636638396664363762636561300a376538626636303765613633646633
+63333534656163663834303039646639646530333532313732643261356262323764616463393832
+3137306637306565610a653637626438353766323031336665326231626538323637313763373934
+30303332656263623938666235643866343363363139653861343533313431396235333539333432
+65613236386434333635636431356236643335316362636530303834353235646337643639333538
+31643330393433323739343762323937643064313661643265376330633264316137373363303935
+66346134643432666463383333653735626437666137386135353532393638363834346164643335
+38393232623130346363636335313866623239373366613864356561636661343537383364373164
+66643232393262393536623130653332323663363263323036663662316163326466306334363363
+66306365366566326239346537656562363762373165613063376139383363313038373235303062
+65326531653635333034653439613563313539633834393562343164613661386532306665663433
+32663432656664333063376263346439316265646435623533623337333162656138636139303931
+31333561623838393239313761383665663733366461623830343165336538393362353132306335
+37396565616435343732626331373735313165333061346435646664376339636438373764643731
+66356464316336383834646333656164363535373065643665393435393266363432346239663161
+36393336346433326130303264626234613135626538313938663039386133336233373262363566
+33386163393936663165643530663865663436663066333231316334306435623966666636633638
+38616338316137393831303436653562386265373064373163306133346434616238393966623330
+39396237326461643865336364343263343230626362646162623136353235366431626362313030
+64633137306231346561353630636533353239373562396665376139303936323836633764616434
+35376135656338616139376261366637343433333063343864343362613135343364623265313861
+36303565333830323933333864613534626466373033666235626365346531323631386365323835
+61613564386466333933613162326431613963333864393362376163313161643165356134343438
+38396533363565343233643863343432313165386465303336626337333331646664626262643333
+64343438653335663234653466663239616633653162383630666639613738323734646431623264
+65343535336637323063366536663433366363626632383536653765373830666235326530636362
+35303432333832353366363731643863366134626139623435613336626238303837316433623238
+32313930396432333836346364346436613934316136646533633339323736366135316631363132
+36623931313137333932313731343936313966653163666261623937363335613035333335356533
+34633838333635323464633763383765653266663233643836383135336434376364396164333233
+37616438643234336337313965663034646166373436373530386463663961313362326362353437
+31313837643535313039653531323765366339373130636565333939643564643533343534376638
+63616431643531663765366239326135343531333037366264353961346162633633353237613430
+66666433356530633835666139653932383362376334383762373530666630393764643632363331
+35316134623064626439633236343938346134383938333832336533373838633466613364653563
+64626631303435653339356631323137336538633233393962306531626266353766386162363031
+39363961623033323661643136326435643466303332646234396339653833653937666532336138
+37646336383963616630333566633537303736656666663635316631383537303035323131393862
+33343335386235333632656436356465646235313638313634353631393365366166383133636665
+66363463363339646133353831666631366439646364393239346166343062663866373938396637
+31386237393065306134653636313933653062353636323963323437663163346366363263313665
+32306331623637396664636165663434653630636130306133343736313262303635353661373533
+61313466376365303031376336316431636365633736616535623934653562336636363866356266
+36336266663562623961396164316266373633383431613564646232643766663733353338623936
+38663731363262646334653761666562646433353230613838353233373662313938303533303864
+39316630636637343163643637356634383862363330353233653361646261623038303962613561
+63373832366661373036383036623563366364636530613063366364323635323937376165376236
+39663962643939386561623430623031366632646235366463656533643233613138363461656637
+63323236356438303732653834626138623838323764633639373436666635363834303835366466
+61306430303831303934316436373136353637373535373664666265313034646630666237636231
+39376161653134356365363666633634313065323331633261623961633763313734313735633966
+62643031376566343832343638613939333132353466613163386537386239363337323463396135
+61393930633138333739626233663432643837643563656662646631306566663437346362613939
+31363639323335623038356566323836653865653136383161666461656436313933333032336639
+32333166663935656663643461303466343835303732616263626462316133306239383264353263
+61313231386262376234316335383334336663326331643733643432366636326561353730623730
+37313431623561353266303134313064376236626462316339656339353131363765303734356464
+32336435363932353666336132363333303336323135363535666436646233366335376333383531
+65363832333534623931326438616237356235626666333934373638373665613738636466383735
+30333137303630366661343833663437343664303961313831336461393064643331386336663739
+62623838633936323834653965326161343161356334333030616137343637353138353731363762
+64623065636336643634333937323636356131373939623130306330313937656566363832663663
+66313036393135306437353061303438303761303563633566656131653433663030396235323435
+32346663316636373431663530393435313931663535396564363466353431343633613634383332
+31326665303563316664356564356535646665653737613038636236323562616231613233633039
+37643530653639313466313838343630656363653833613161656466376631653266613439626331
+35363930626534346164353033323039636365363234303435636535623265393635313436666234
+66623264306430306662303866303735316137383830646136666662346265613662333765656266
+64613161316162616133316165623863353431376633366262386239346335306634346333316566
+34396265376130306361343862383631653561616333643665353938666565306335653665373736
+63626630383232363961393435646334396366663532303132666235646464393662376331333361
+34663138336365633131633365336664393633376333316161336138393539333564396539343332
+36626664616263353931616362633638323038356230613937386339653633626465326538383265
+31646236323435323861666233656437343732343066306562363462363664386234333061396263
+61316636323234633631306434363665393938323631363563346166333139633436623230353436
+31303831636638666630376231303130343363393339666230363162383266616135336333386334
+64313838356466306361383464623037663931353664323336666532316536316362663639353238
+34616536613730343834633935646330306564643036306330626636653365653361396461316637
+62636264343737333539646332316562316136343734393063313439663939663935313930333061
+30343263626638353331336666373964343338343434633639326338633966396131623933346236
+37373564623238363935313736313165303862356530613164653562653530316630306365646165
+31326630303038396666343065356261616133373832383661393666383664323161633337376665
+63393938373830343761326562303730303237393661383561386633383561386437373061396462
+65376230643131353462613436316561646562356666376462386136336630636165333236636630
+35653164333437383565396637343762646665333734303764623638323532363164653139333937
+39313834303531636434366663386435396266663930623733366261656634666531626234386239
+62613466313636326238303164666332633632333364636331396264396164646639653761373863
+66653761393734643362306538356263353265616330393635343737363666623962346261366134
+30393937376265626163376565343364323366383330613832366434313034316164636331653063
+65356630663634616465363231666163376437353038303934356561666363333663333239313031
+34356463613963633331646364336431333630633737623766623361336432646339373364303661
+37656630376137613232306163656430323236306632353837363536376161656365366531313363
+32623537303439343438656461363233353931356566323963363662303838666465363464353833
+39386230653962373333643135353533323737343265343334316234613736616639613435616165
+61373431353463643936613631393461393637356264366665383538653336353535613330376465
+65616261666463623236313437656232306164643538653562376539613736303761636531613862
+30323532343339343135356431303866333537346233336266363630346562646237646563313331
+35393039383436633230653030623637663030393539363163393930616330373166313161346336
+38373963393834396133363966636638336161666234346564623761303262366336363061343866
+38356238323366613066323264366337393232343331636532666462613263626332376561616334
+63373433663562353466353062643965623635643464393238363965636532643439383764626566
+33646437333365653563393337343537316437323038313339316135303564376161323863303665
+62373564343036333564646565393738306231646537393636356234613639663466636335393031
+35623562343566386261376163303939653861623364373433383363316134303236663361613062
+37346664386162333130323134616264373237393639376533383036323131633963363665633531
+62663533383666613464386638383965346331643837356331326661303034376163373362386134
+38353461343233626365

group_vars/auweg

@@ -5,6 +5,8 @@ dhcpd_primary: 172.23.13.3
 
 dns_primary: 172.23.13.3
 
+doorlock_domain: lock-auweg.binary.kitchen
+
 name_servers:
 - 172.23.13.3
 

host_vars/aeron.binary.kitchen

@@ -3,4 +3,7 @@
 radius_hostname: radius3.binary.kitchen
 
 slapd_hostname: ldap3.binary.kitchen
+slapd_replica_id: 3
 slapd_role: slave
+
+unattended_reboot: "false"

host_vars/argentum.binary-kitchen.net

@@ -0,0 +1,6 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyGAePGA47K+VNFcKdvcQG3xM3ywcnrVtUD7wPrIin1 christoph"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINIhrQu5sf9LYoQ6ll1ShqDMX8xpsV9RUiaSw95JGafH flo@io3"

host_vars/aveta.binary.kitchen

@@ -3,4 +3,5 @@
 radius_hostname: radius2.binary.kitchen
 
 slapd_hostname: ldap2.binary.kitchen
+slapd_replica_id: 2
 slapd_role: slave

host_vars/bacon.binary.kitchen

@@ -13,4 +13,7 @@ ntp_peers:
 radius_hostname: radius1.binary.kitchen
 
 slapd_hostname: ldap1.binary.kitchen
+slapd_replica_id: 1
 slapd_role: slave
+
+unattended_reboot: "false"

host_vars/beryllium.binary-kitchen.net

@@ -1,5 +1,5 @@
 ---
 
 root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB+wC+Lik9TNbRo40+e2BmJzJY8EuwRiJzKKvGCHlMmagOmZVf+zUmjc1uMvrgoA4UPJyKlkW1HqRhKLmsoccD2wg1JLlnjx6KBhiPGjPt833eWv0CyfJVqoHVPUs14BwCRGzuFZPXh8LC1XWiDlo23RC0RgPpk+wcOzf79ZivYSL4UNMcBIMIKmPlRwBLRUUXjYU2jgv1mWvIQVdKRbwmLk7FajREANKiLj+Tk+D4VmkDq6gUqXZHYbyUauwrtpYSv2JM6YQYhWz+eNXIID1NmlopAf66RwFxAaane6qMUMSCQw3HUBL2BjFGgmmdJPvsEfrj+S1CYh61iC1NHmPhP6DDnQO7aiP6dWLnRXLg4qcUaN0XGNZmhScls/jNbN4U+w6gIlR12KyoCJOK4pXiifBiuqmFGucyETex1jdKoaLPeB8Smu4HkFksmRgTZHbiYVvkgI/iW9KjBBzxCc8cwehabUpQ0DVN4chpFiFNHb3SfCh6W/3IKFcu4ou4lbvVowq+v/M7aDhjSqGEBMS/HRMQ8KteNTngFBcpTzMPBz1RQIOqlWUGp8yqu1SwZ/ZG1nMyUehchfkw/n+ML676UYMCZX2m7hqWXVccCnJLzFApv+0Lzqf3TNSbeLS1N/MDdjg+uejtj1889/leIF1/CnaHIs7WJN1qmdeVGw== anti"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/bowle.binary.kitchen

@@ -5,4 +5,4 @@ nfs_exports:
 - /exports/backup/rz 172.23.9.61(rw,sync,no_subtree_check)
 - /exports/tank 172.23.0.0/22(rw,sync,no_subtree_check)
 
-uau_reboot: "false"
+unattended_reboot: "false"

host_vars/fluorine.binary-kitchen.net

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"

host_vars/indium.binary-kitchen.net

@@ -0,0 +1,5 @@
+---
+
+root_keys_host:
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCNBY95YcFFBeiHM3IDzqKT/X/U09bpAWXwkCWIg6KlZumZg891apx6a0HLDannoBt7YCyYFgl3c1eJ36D08tRcy5c5k/+8Xhq0hq/HWo3EV5sd6Y+8xeTRST6Um8nyxHoSI7xw79yRoteOUDIzPnmDtbLQ2z3vWkA/H1EZQ4IjeQgFhl9vl4EyuAJ47Cdlv1D870BDspgAEoxSbipQEEnPsIctdyySp1R/sNC5tuP6qaoQ6nIDFdgv5rcY8SmgJQ2otlGex18RSBObBjdfyepV71mluqfs6HtVsM9zDvRUwY/FX4wmVc4QPdPLh/2kzEZi0YzefB10tpsuvhaOFI8JqXBDuSFZh3xCzRmKRlmqn50jrvGkYGUWg/GNYNF2rLCltCzg3BJHGaFh9sOtjaKLW+hTJwDtz4LIqNZb6w/2586hzjGCrrZgN24eLEcdp7iTPnkCul+kgOZaa62ytdKjza6/tgKCeUaEwmJTBuKMp/hor/LdLeibYgTtqUoFB7j1Ti2ey7oHly1oiSaKcR/hChgx0sniltRmzJI7KLuUiF+xkpv5Kf4rGl7UjvVxyf3glNh5DL87CfeWkGF3dgsjJdfYIHVJz/Bf6x0aB2TyybF8Exm0R05dhMT6ahZqMqa5d/aUZN+S3MaXw2amHWbMe8VcFpu/AztqrQM8sM+Mw== sprinterfreak"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/knoedel.binary.kitchen

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/krypton.binary-kitchen.net

@@ -2,3 +2,4 @@
 
 root_keys_host:
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/lasagne.binary.kitchen

@@ -0,0 +1,11 @@
+---
+
+root_keys_host:
+- "# Thomas Basler"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
+- "# Ralf Ramsauer"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
+- "# Thomas Schmid"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
+
+unattended_reboot: "false"

host_vars/lock-auweg.binary.kitchen

@@ -0,0 +1,5 @@
+---
+
+root_keys_host:
+- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAkXY3fQFMG7LkTBWtBNY7q7RCwb/R4Z8Y96e3pToddfXbtmtVxMZfd6hC+3kGt3NnPYDFmZf/RXblNBPwL/n8bEjA0bmfU60LMjFT0mG99bLU+5CgDxaSf34jzgtzLbHKqeSYxNpXNebbDZRw+cxuDjxJ+lYbc/hNQTy6hqKXUSQ25LAqplKVYbxlPWPxxKnJCvWj2pCdJGj1EK/Y+saafNOhA7uEPNt8HtWWNMhxNi+P9OkkLpYqRM8V0miR7aAYOY+RllMn+H5DIJg2gk319AHhlBDP7NXd/tmWg+bI7xYPDe9Q6gMrV8OnQmuNjWsLNhp8ktwQxpsv71t6ztXLpceIkV9yfDSeBpZG5QnsMOy/ua91S6hmMg4bIEBsqkPUYEwEIDFaV0TrlKeXMkU+ovthZnw0CWgV5KEWDHtuGu8nBBpks/geclh+0yqeFEaacnlTTNEhvCcp7vOsqDJnZSn1L4O6C+u/A4NJGRH7XQMWrXBdeTVIT9KLsdZJsoPIH8BRaw/qOYPY6wZzHcLvrsayUBBiiLDIN1lE/3OV70dKX7F0Q7hyl8o9EoGdEYnGBonWGC58hroiAE4FTVdWLKtHzHSG2AdTWf53sJzGVEh5swm44KD/Dh52bE4YjUxC0b68Twb3/L1QpH8KZNUVEcRNmiRshefMPSXbPv3bNzc= 20170818Tobias@Teubl.de"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

host_vars/magnesium.binary-kitchen.net

@@ -0,0 +1,3 @@
+---
+
+acertmgr_mode: standalone

host_vars/molybdenum.binary-kitchen.net

@@ -4,3 +4,4 @@ grafana_domain: zelle.binary-kitchen.de
 
 root_keys_host:
 - "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

host_vars/oxygen.binary-kitchen.net

@@ -1,3 +1,4 @@
 ---
 
-uau_reboot: "false"
+sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
+sshd_password_authentication: "yes"

host_vars/pancake.binary.kitchen

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/pizza.binary.kitchen

@@ -4,9 +4,8 @@ root_keys_host:
 - "# Thomas Basler"
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
 - "# Ralf Ramsauer"
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2bKOm2jd2QsPaJPE4V3bHBLjXB3pnpggkdEhf03aFvB08C72vKQcHpIYNhp8DLBr4N5epA0JP1cXdRSdKhQgzYbqL8CQgOJoNwf0OeOhFyXdThu1OqmaRMrRGlB/Q+sqBEXaknHqcXzq+24zkR+ID7sGkq7WaIKPln0qNY5RxWYrPE98ZhU5fZh1Qorcv34UBHYhVP4y8vM43LHcbkLgr0gg9tb2vItF6YvyIxgtz6KCODObzBZfkLLnVhVcb9VWbDh72rIz4OXI1fl+mCCH2l7XlqKP1vhF5LVsUjPcGY3Go0fw2vHIyxWe479OJ/9elFnKRIUY/f1Xz+YikLTmj ralf@YUBIKEY"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
 - "# Thomas Schmid"
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
 
-uau_reboot: "false"
+unattended_reboot: "false"

host_vars/rhodium.binary-kitchen.net

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

host_vars/ruthenium.binary-kitchen.net

@@ -2,6 +2,6 @@
 
 root_keys_host:
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
 
-uau_reboot: "false"
+unattended_reboot: "false"

host_vars/schweinshaxn.binary.kitchen

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/strontium.binary-kitchen.net

@@ -1,4 +0,0 @@
----
-
-root_keys_host:
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkN1eqP1Mv29z0npVznVJ4Cumyf4EoqS44xHKl0ms0e timo@charon"

host_vars/sulis.binary.kitchen

@@ -0,0 +1,4 @@
+---
+
+sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
+sshd_password_authentication: "yes"

host_vars/technetium.binary-kitchen.net

@@ -1,4 +1,5 @@
 ---
 
 root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcoIXTF0RtzM2vDir8axegFpLKNxGJyYNLj2triQm59GIvNRPHG/nBoaDcUwRT5b6Ew91KMw6iT1eI0n9oKbTMHZHvdSLLUmNmZT4z4JQOQm0n415ZW9m1r3R3S8sAxiLQ+5U91xnbHlzfuBKvpI56RLZNbkhAcqw9kS/UasO0UAFpdGL5CBnbJt0KPb4C9cYUM6H4clZFpWVDdK3+6gh+/Jx9QPmpPv0wfWI7z0fvQYUcXDFLjPh8CFK7BOcPZcv4V4bl5Tq1dTURMLaueTD0F5Ygn7cxKaDNvql4EIPDZaRCEz3cIvFB7435emRgZC54YmhWIYC+oJrLTlMCrYKhISLtWg92EcE/aCUNL0V+n1EK5dkds+AY/eDiyP58ArAHNsopXmcHiko3goyZyEK5Y0tJ5sA9L4Q0mgLz/rW1CsZHcpiYU9yKpDRscbf3DDlFMzMYG8O9JufgcyF+GFhxIhXesfjJ4gDNepaYhd/qutwThip027cKtoczLAMR2xbT6bUYr7KKmxvXVlP7Epkfi3N2cj/Wx9gAm1qIs1yjcWCe71k1QMC+dTNTV+T9Ch5d1lji7lGOKDl70rB/WytdISVlEJr8TviBk27oldCuC1WCPGjRxWeGv5uVxE9O7nQh0dxox+HFssa7ENuDR9LEd9O6Zvuf09pzDASB0PjFyw== bedah@binary-kitchen.de"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBMLLlnlzbf5GTes2QrxuOTAR0BWTtbqQS80yPfI0mbh timo@styx"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7oyUa65KoSuv9l8tH/zVgZZ5mg5P45RIhlRZSt/amL x70b1"

host_vars/tschunk.binary.kitchen

@@ -0,0 +1,7 @@
+---
+
+root_keys_host:
+- "# Thomas Schmid"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
+
+unattended_reboot: "true"

host_vars/yttrium.binary-kitchen.net

@@ -1,5 +1,6 @@
 ---
 
 root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDetxImx0c/Fald9Y2wIHNJCi356rfskVUBT/SGH64N1HVZGBZhlWkeKJkCCufm3jLXdjJrlFDFlP0EjbohR6SP3VVf8Z7zAoazCtxWq0dyjPDvOjUrIuBeILbXZu0Q+qmFHPwvp5vR2wWFUwNLl1Te3CNSzQnn2KxOXfeZ56cDogzonlxh5JXDd0JWpINAuLp7uR6IshfmEMKsyCGjqzMUJ9YCztzkI9TJYDc4xitmQTvea44hRhyeIRf2ip8YlHnEIpJ9i712CQ5UEHBZUfy2gZwoLW0yYy9HJucF2A5gzvoUQ1wjA9/irlGiabKq6rOyT4ezBSoZZLEBIa6GU4qKMc1rE4Hnifi0AUnQ+4MqrCCu2QTJGNvyYzNt2XtkjakN3gtlz5xCsYV08PEB4VjAFVIa1yku66UblAW5KqixfE4mU7Z29b8faF5Ld7XO1tlNgiuHih7+JoQiwJ+auULYwRX1C2v6fAEU3PGU73VT3TZJTa5IS+fkTWzn643atxklP6Lmo8hrZIS0NXIr22OP1zYuCZm5/JLDhe0qOCYd8YQU2dNww4OUZ1uMLNOM+0UJvCHbWdjw8amR58yO5W83xp0qLHGUFjDpgvuP4ius4gvwjlhFdSVYRGwr2intLitXvOf3btjBJKUDIN0VM4MFzkvyUyCOgBgEkdCBvI7g4w== philmacfly"
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8MB80WTE9ZW/mGRdPWjkpiupvoSGVnmK9wvOqm6xpwDwZkD52RGfiWQW2IbJObCLGJxoigSi4lVvrJD6MWjXAsj5Foq1H3Ok+xJET2zfWMf4s/0uStSS9kaJ/gI6Qd5jMsnz1xATTInWAHIK7u3I4trt81FWkXQdfRSNC0mPh/PYBsXzwgx/m5s3o1nUtcIBXFZUeGNnhSSf1As0Wi0Bsv3GXIIDH4b4cIi7aGHqGuaes2cTUW1r0RspUVI139Gx2O4mgv4JE/n61t/4AzfYGoaszoqPCHQt5LR8Wd/XIaPLwnM1kzo4QVqNgqkY/awryt9IPoAFqJBbIvP0Bt3irGOPrdl7e7KcV55a9gPpCmz+bVaQO2oBmQ34AsZFg9tCP26OmViQu0Lx14vWWYDFkxzCxCDDngo6+f+e5AsyAjO2pHz/ZKv/VE5P3y8CnadHG88cO0qeoI6VH4jjGk5GYYrVD4BHf8StlvAg8unwMlYchuvaKLtQyQXFW40ww4VDdPo6KSv5T5a6SozEzRtN2QKRLyxIz68xVnKYq4TanR2lsm6wecUSriV48qscglokcTKJspWD29DQ62dMt5xFDtM8i9dE8W3SUePB8qPTBK9LUrO8PkGjb0X/RgMZB5bCWBmz4I1G1X+9Y8OLpr4NKGP9UFntYtJ3tpMCHtPgf4Q== philmacfly"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

hosts

@@ -6,12 +6,18 @@ sulis.binary.kitchen ansible_host=172.23.2.5
 nabia.binary.kitchen ansible_host=172.23.2.6
 epona.binary.kitchen ansible_host=172.23.2.7
 pizza.binary.kitchen ansible_host=172.23.2.33
+pancake.binary.kitchen ansible_host=172.23.2.34
+knoedel.binary.kitchen ansible_host=172.23.2.35
+schweinshaxn.binary.kitchen ansible_host=172.23.2.36
 bob.binary.kitchen ansible_host=172.23.2.37
+lasagne.binary.kitchen ansible_host=172.23.2.38
+tschunk.binary.kitchen ansible_host=172.23.2.39
 bowle.binary.kitchen ansible_host=172.23.2.62
 salat.binary.kitchen ansible_host=172.23.9.61
 [auweg]
-aeron.binary.kitchen ansible_host=172.23.13.3
 weizen.binary.kitchen ansible_host=172.23.12.61
+aeron.binary.kitchen ansible_host=172.23.13.3
+lock-auweg.binary.kitchen ansible_host=172.23.13.12
 [fan_rz]
 helium.binary-kitchen.net
 lithium.binary-kitchen.net
@@ -23,10 +29,13 @@ oxygen.binary-kitchen.net
 fluorine.binary-kitchen.net
 neon.binary-kitchen.net
 sodium.binary-kitchen.net
+magnesium.binary-kitchen.net
+aluminium.binary-kitchen.net
 krypton.binary-kitchen.net
 yttrium.binary-kitchen.net
 zirconium.binary-kitchen.net
 molybdenum.binary-kitchen.net
 ruthenium.binary-kitchen.net
 rhodium.binary-kitchen.net
-barium.binary-kitchen.net
+argentum.binary-kitchen.net
+cadmium.binary-kitchen.net

roles/23b/handlers/main.yml

@@ -3,11 +3,11 @@
 - name: Reload systemd
   systemd: daemon_reload=yes
 
-- name: Run acertmgr
-  command: /usr/bin/acertmgr
-
-- name: Restart drone
-  service: name=drone state=restarted
+- name: Restart 23b
+  service: name=23b state=restarted
 
 - name: Restart nginx
   service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/23b/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+    - docker-compose
+
+- name: Create 23b group
+  group: name=23b
+
+- name: Create 23b user
+  user:
+    name: 23b
+    home: /opt/23b
+    shell: /bin/bash
+    group: 23b
+    groups: docker
+
+# docker-compolse.yml is managed outside ansible
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ bk23b_domain }}.key -out /etc/nginx/ssl/{{ bk23b_domain }}.crt -days 730 -subj "/CN={{ bk23b_domain }}" creates=/etc/nginx/ssl/{{ bk23b_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for 23b
+  template: src=certs.j2 dest=/etc/acertmgr/{{ bk23b_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/23b
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/23b dest=/etc/nginx/sites-enabled/23b state=link
+  notify: Restart nginx
+
+- name: Systemd unit for 23b
+  template: src=23b.service.j2 dest=/etc/systemd/system/23b.service
+  notify:
+  - Reload systemd
+  - Restart 23b
+
+- name: Start the 23b service
+  service: name=23b state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ bk23b_domain }}"

roles/23b/templates/23b.service.j2

@@ -0,0 +1,28 @@
+[Unit]
+Description=23b service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
+
+[Service]
+Type=simple
+
+User=23b
+Group=23b
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/23b/23b/23b
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose down -v
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
+
+[Install]
+WantedBy=multi-user.target

roles/23b/templates/certs.j2

@@ -1,13 +1,13 @@
 ---
 
-{{ drone_domain }}:
-- path: /etc/nginx/ssl/{{ drone_domain }}.key
+{{ bk23b_domain }}:
+- path: /etc/nginx/ssl/{{ bk23b_domain }}.key
   user: root
   group: root
   perm: '400'
   format: key
   action: '/usr/sbin/service nginx restart'
-- path: /etc/nginx/ssl/{{ drone_domain }}.crt
+- path: /etc/nginx/ssl/{{ bk23b_domain }}.crt
   user: root
   group: root
   perm: '400'

roles/23b/templates/vhost.j2

@@ -0,0 +1,36 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ bk23b_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ bk23b_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ bk23b_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ bk23b_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ bk23b_domain }}.crt;
+
+	# set max upload size
+	client_max_body_size 8M;
+
+	location / {
+		proxy_pass http://localhost:5000;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+}

roles/act_runner/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+
+actrunner_user: act_runner
+actrunner_group: act_runner
+
+actrunner_version: 0.2.10
+actrunner_url: https://gitea.com/gitea/act_runner/releases/download/v{{ actrunner_version }}/act_runner-{{ actrunner_version }}-linux-amd64

roles/act_runner/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart act_runner
+  service: name=act_runner state=restarted

roles/act_runner/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+
+- name: Create group
+  group: name={{ actrunner_group }}
+
+- name: Create user
+  user: name={{ actrunner_user }} home=/var/lib/act_runner group={{ actrunner_group }} groups=docker
+
+- name: Create directories
+  file: path={{ item }} state=directory owner={{ actrunner_user }} group={{ actrunner_group }}
+  with_items:
+  - /etc/act_runner
+  - /var/lib/act_runner
+
+- name: Download act_runner binary
+  get_url: url={{ actrunner_url }} dest=/usr/local/bin/act_runner-{{ actrunner_version }} mode=0755
+  register: runner_download
+
+- name: Symlink act_runner binary
+  file: src=/usr/local/bin/act_runner-{{ actrunner_version }} dest=/usr/local/bin/act_runner state=link
+  when: runner_download.changed
+  notify: Restart act_runner
+
+- name: Configure act_runner
+  template: src=config.yaml.j2 dest=/etc/act_runner/config.yaml owner={{ actrunner_user }} group={{ actrunner_group }}
+  notify: Restart act_runner
+
+- name: Install systemd unit
+  template: src=act_runner.service.j2 dest=/lib/systemd/system/act_runner.service
+  notify:
+  - Reload systemd
+  - Restart act_runner
+
+- name: Enable act_runner
+  service: name=act_runner state=started enabled=yes

roles/act_runner/templates/act_runner.service.j2

@@ -0,0 +1,16 @@
+[Unit]
+Description=Gitea Actions runner
+Documentation=https://gitea.com/gitea/act_runner
+After=docker.service
+
+[Service]
+ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
+ExecReload=/bin/kill -s HUP $MAINPID
+WorkingDirectory=/var/lib/act_runner
+TimeoutSec=0
+RestartSec=10
+Restart=always
+User={{ actrunner_user }}
+
+[Install]
+WantedBy=multi-user.target

roles/act_runner/templates/config.yaml.j2

@@ -0,0 +1,86 @@
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: warn
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 4
+  # Extra environment variables to run jobs.
+  envs:
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+  env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `deamon`, will use labels in `.runner` file.
+  labels: [
+    "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest",
+    "ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04",
+    "ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04",
+  ]
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: ""
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 0
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: ""
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+  # Pull docker image(s) even if already present
+  force_pull: false
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:

roles/authentik/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+
+authentik_version: 2024.12.1

roles/authentik/handlers/main.yml

@@ -0,0 +1,16 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart authentik
+  service: name=authentik state=restarted
+
+- name: Restart authentik-reload
+  service: name=authentik-reload state=restarted
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/authentik/tasks/main.yml

@@ -0,0 +1,63 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+    - docker-compose
+
+- name: Create authentik group
+  group: name=authentik
+
+- name: Create authentik user
+  user:
+    name: authentik
+    home: /opt/authentik
+    shell: /bin/bash
+    group: authentik
+    groups: docker
+
+- name: Configure authentik container
+  template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml
+  notify: Restart authentik
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ authentik_domain }}.key -out /etc/nginx/ssl/{{ authentik_domain }}.crt -days 730 -subj "/CN={{ authentik_domain }}" creates=/etc/nginx/ssl/{{ authentik_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for authentik
+  template: src=certs.j2 dest=/etc/acertmgr/{{ authentik_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/authentik
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/authentik dest=/etc/nginx/sites-enabled/authentik state=link
+  notify: Restart nginx
+
+- name: Systemd unit for authentik
+  template: src=authentik.service.j2 dest=/etc/systemd/system/authentik.service
+  notify:
+  - Reload systemd
+  - Restart authentik
+
+- name: Systemd unit for authentik-reload
+  template: src=authentik-reload.{{ item }}.j2 dest=/etc/systemd/system/authentik-reload.{{ item }}
+  with_items:
+  - "service"
+  - "timer"
+  notify:
+  - Reload systemd
+  - Restart authentik-reload
+
+- name: Start the authentik service
+  service: name=authentik state=started enabled=yes
+
+- name: Enable auto update timer
+  service: name=authentik-reload.timer state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ authentik_domain }}"

roles/authentik/templates/authentik-reload.service.j2

@@ -0,0 +1,7 @@
+[Unit]
+Description=Refresh authentik images
+
+[Service]
+Type=oneshot
+
+ExecStart=/bin/systemctl reload-or-restart authentik.service

roles/authentik/templates/authentik-reload.timer.j2

@@ -0,0 +1,10 @@
+[Unit]
+Description=Refresh authentik images
+Requires=authentik.service
+After=authentik.service
+
+[Timer]
+OnCalendar=*:0/15
+
+[Install]
+WantedBy=timers.target

roles/authentik/templates/authentik.service.j2

@@ -0,0 +1,32 @@
+[Unit]
+Description=authentik service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
+
+[Service]
+Type=simple
+
+User=authentik
+Group=authentik
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/authentik
+
+# Update images
+ExecStartPre=-/usr/bin/docker-compose pull --quiet
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
+
+# Refresh on reload
+ExecReload=-/usr/bin/docker-compose pull --quiet
+ExecReload=/usr/bin/docker-compose up -d
+
+[Install]
+WantedBy=multi-user.target

roles/authentik/templates/certs.j2

@@ -0,0 +1,15 @@
+---
+
+{{ authentik_domain }}:
+- path: /etc/nginx/ssl/{{ authentik_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ authentik_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'

roles/authentik/templates/docker-compose.yml.j2

@@ -0,0 +1,79 @@
+---
+version: "3.4"
+services:
+  postgresql:
+    image: docker.io/library/postgres:16-alpine
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - ./database:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: {{ authentik_dbpass }}
+      POSTGRES_USER: {{ authentik_dbuser }}
+      POSTGRES_DB: {{ authentik_dbname }}
+  redis:
+    image: docker.io/library/redis:alpine
+    command: --save 60 1 --loglevel warning
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - ./redis:/data
+  server:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:{{ authentik_version }}
+    restart: unless-stopped
+    command: server
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
+      AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
+      AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
+      AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
+    volumes:
+      - ./media:/media
+      - ./custom-templates:/templates
+    ports:
+      - "127.0.0.1:9000:9000"
+    depends_on:
+      postgresql:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:{{ authentik_version }}
+    restart: unless-stopped
+    command: worker
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
+      AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
+      AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
+      AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
+    # `user: root` and the docker socket volume are optional.
+    # See more for the docker socket integration here:
+    # https://goauthentik.io/docs/outposts/integrations/docker
+    # Removing `user: root` also prevents the worker from fixing the permissions
+    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+    # (1000:1000 by default)
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./media:/media
+      - ./certs:/certs
+      - ./custom-templates:/templates
+    depends_on:
+      postgresql:
+        condition: service_healthy
+      redis:
+        condition: service_healthy

roles/authentik/templates/vhost.j2

@@ -0,0 +1,41 @@
+map $http_upgrade $connection_upgrade {
+	default	upgrade;
+	''	close;
+}
+
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ authentik_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ authentik_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ authentik_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ authentik_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ authentik_domain }}.crt;
+
+	location / {
+		proxy_pass http://localhost:9000;
+		proxy_http_version 1.1;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade;
+	}
+}

roles/bk_dss/defaults/main.yml

@@ -1,4 +1,4 @@
 ---
 
 dss_uwsgi_port: 5001
-dss_version: 0.8.4
+dss_version: 0.8.5

roles/bk_dss/tasks/main.yml

@@ -44,3 +44,8 @@
 - name: Enable vhosts
   file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
   notify: Restart nginx
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ dss_domain }}"

roles/bk_dss/templates/config.cfg.j2

@@ -1,12 +1,14 @@
 DEBUG = True
+REMEMBER_COOKIE_SECURE = True
 SECRET_KEY = "{{ dss_secret }}"
+SESSION_COOKIE_SECURE = True
 SESSION_TIMEOUT = 3600
 
 LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
 LDAP_URI = "{{ ldap_uri }}"
 LDAP_BASE = "{{ ldap_base }}"
 
-ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=marove,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
+ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=anke,ou=people,dc=binary-kitchen,dc=de", "cn=toffy,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
 
 USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
 
@@ -28,7 +30,7 @@ USER_ATTRS = {
 	'userPassword' : '{pass}'
 }
 
-GROUP_DN = 'cn=members,ou=groups,dc=binary-kitchen,dc=de'
+GROUP_FILTER = "(objectClass=posixGroup)"
 
 REDIS_HOST = "127.0.0.1"
 REDIS_PASSWD = None

roles/common/defaults/main.yml

@@ -6,3 +6,8 @@ logrotate_excludes:
 - "/etc/logrotate.d/dbconfig-common"
 - "/etc/logrotate.d/btmp"
 - "/etc/logrotate.d/wtmp"
+
+sshd_password_authentication: "no"
+sshd_permit_root_login: "prohibit-password"
+
+unattended_reboot: "true"

roles/common/handlers/main.yml

@@ -6,6 +6,9 @@
 - name: Restart journald
   service: name=systemd-journald state=restarted
 
+- name: Restart sshd
+  service: name=sshd state=restarted
+
 - name: update-grub
   command: update-grub
 

roles/common/tasks/Debian.yml

@@ -4,7 +4,9 @@
   apt:
     name:
     - apt-transport-https
+    - debian-goodies
     - dnsutils
+    - fdisk
     - gnupg2
     - htop
     - less
@@ -14,7 +16,9 @@
     - pydf
     - rsync
     - sudo
+    - unattended-upgrades
     - vim-nox
+    - wget
     - zsh
 
 - name: Install software on KVM VMs
@@ -24,14 +28,20 @@
     - qemu-guest-agent
   when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
 
+- name: Configure unattended upgrades
+  template: src={{ item }}.j2 dest=/etc/apt/apt.conf.d/{{ item }}
+  with_items:
+  - 02periodic
+  - 50unattended-upgrades
+
 - name: Configure misc software
   copy: src={{ item.src }} dest={{ item.dest }}
   diff: no
   with_items:
-  - { src: '.zshrc', dest: '/root/.zshrc' }
-  - { src: '.zshrc.local', dest: '/root/.zshrc.local' }
-  - { src: 'motd', dest: '/etc/motd' }
-  - { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
+  - { src: ".zshrc", dest: "/root/.zshrc" }
+  - { src: ".zshrc.local", dest: "/root/.zshrc.local" }
+  - { src: "motd", dest: "/etc/motd" }
+  - { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
 
 - name: Set shell for root user
   user: name=root shell=/bin/zsh
@@ -52,8 +62,8 @@
 - name: Prevent normal users from running su
   lineinfile:
     path: /etc/pam.d/su
-    regexp: '^.*auth\s+required\s+pam_wheel.so$'
-    line: 'auth       required   pam_wheel.so'
+    regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
+    line: "auth       required   pam_wheel.so"
 
 - name: Configure journald retention
   lineinfile:
@@ -88,16 +98,25 @@
   set_fact:
     logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
 
-- name: 'Set logrotate.d/* to daily'
+- name: "Set logrotate.d/* to daily"
   replace:
     path: "{{ item }}"
     regexp: "(?:weekly|monthly)"
     replace: "daily"
   loop: "{{ logrotateconfigpaths }}"
 
-- name: 'Set /etc/logrotate.d/* rotation to 7'
+- name: "Set /etc/logrotate.d/* rotation to 7"
   replace:
     path: "{{ item }}"
     regexp: "rotate [0-9]+"
     replace: "rotate 7"
   loop: "{{ logrotateconfigpaths }}"
+
+- name: Configure sshd
+  template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart sshd

roles/common/tasks/Proxmox.yml

@@ -9,16 +9,17 @@
     - less
     - rsync
     - vim-nox
+    - wget
     - zsh
 
 - name: Configure misc software
   copy: src={{ item.src }} dest={{ item.dest }}
   diff: no
   with_items:
-  - { src: '.zshrc', dest: '/root/.zshrc' }
-  - { src: '.zshrc.local', dest: '/root/.zshrc.local' }
-  - { src: 'motd', dest: '/etc/motd' }
-  - { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
+  - { src: ".zshrc", dest: "/root/.zshrc" }
+  - { src: ".zshrc.local", dest: "/root/.zshrc.local" }
+  - { src: "motd", dest: "/etc/motd" }
+  - { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
 
 - name: Set shell for root user
   user: name=root shell=/bin/zsh

roles/common/tasks/chrony.yml

@@ -6,3 +6,6 @@
 - name: Configure chrony
   template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
   notify: Restart chrony
+
+- name: Start chrony
+  service: name=chrony state=started enabled=yes

roles/common/tasks/main.yml

@@ -2,20 +2,20 @@
 
 - name: Cleanup
   apt: autoclean=yes
-  when: ansible_os_family == 'Debian'
+  when: ansible_os_family == "Debian"
 
 - name: Gather package facts
   package_facts:
     manager: apt
-  when: ansible_os_family == 'Debian'
+  when: ansible_os_family == "Debian"
 
 - name: Proxmox
   include: Proxmox.yml
-  when: ansible_os_family == 'Debian' and 'pve-manager' in ansible_facts.packages
+  when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages
 
 - name: Debian
   include: Debian.yml
-  when: ansible_os_family == 'Debian' and 'pve-manager' not in ansible_facts.packages
+  when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
 
 - name: Setup chrony
   include: chrony.yml

roles/common/templates/50unattended-upgrades.j2

@@ -2,7 +2,7 @@
 // Unattended-Upgrade::Origins-Pattern controls which packages are
 // upgraded.
 //
-// Lines below have the format format is "keyword=value,...".  A
+// Lines below have the format "keyword=value,...".  A
 // package will be upgraded only if the values in its metadata match
 // all the supplied keywords in a line.  (In other words, omitted
 // keywords are wild cards.) The keywords originate from the Release
@@ -31,6 +31,7 @@ Unattended-Upgrade::Origins-Pattern {
 //      "origin=Debian,codename=${distro_codename}-proposed-updates";
         "origin=Debian,codename=${distro_codename},label=Debian";
         "origin=Debian,codename=${distro_codename},label=Debian-Security";
+        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
 
         // Archive or Suite based matching:
         // Note that this will silently match a different release after
@@ -65,7 +66,7 @@ Unattended-Upgrade::Package-Blacklist {
 };
 
 // This option allows you to control if on a unclean dpkg exit
-// unattended-upgrades will automatically run
+// unattended-upgrades will automatically run 
 //   dpkg --force-confold --configure -a
 // The default is true, to ensure updates keep getting installed
 //Unattended-Upgrade::AutoFixInterruptedDpkg "true";
@@ -93,9 +94,11 @@ Unattended-Upgrade::Package-Blacklist {
 // 'mailx' must be installed. E.g. "user@example.com"
 Unattended-Upgrade::Mail "root";
 
-// Set this value to "true" to get emails only on errors. Default
-// is to always send a mail if Unattended-Upgrade::Mail is set
-Unattended-Upgrade::MailOnlyOnError "true";
+// Set this value to one of:
+//    "always", "only-on-error" or "on-change"
+// If this is not set, then any legacy MailOnlyOnError (boolean) value
+// is used to chose between "only-on-error" and "on-change"
+Unattended-Upgrade::MailReport "only-on-error";
 
 // Remove unused automatically installed kernel-related packages
 // (kernel images, kernel headers and kernel version locked tools).
@@ -110,7 +113,7 @@ Unattended-Upgrade::Remove-Unused-Dependencies "true";
 
 // Automatically reboot *WITHOUT CONFIRMATION* if
 //  the file /var/run/reboot-required is found after the upgrade
-Unattended-Upgrade::Automatic-Reboot "{{ uau_reboot }}";
+Unattended-Upgrade::Automatic-Reboot "{{ unattended_reboot }}";
 
 // Automatically reboot even if there are users currently logged in
 // when Unattended-Upgrade::Automatic-Reboot is set to true
@@ -145,3 +148,18 @@ Unattended-Upgrade::Automatic-Reboot "{{ uau_reboot }}";
 // Print debugging information both in unattended-upgrades and
 // in unattended-upgrade-shutdown
 // Unattended-Upgrade::Debug "false";
+
+// Allow package downgrade if Pin-Priority exceeds 1000
+// Unattended-Upgrade::Allow-downgrade "false";
+
+// When APT fails to mark a package to be upgraded or installed try adjusting
+// candidates of related packages to help APT's resolver in finding a solution
+// where the package can be upgraded or installed.
+// This is a workaround until APT's resolver is fixed to always find a
+// solution if it exists. (See Debian bug #711128.)
+// The fallback is enabled by default, except on Debian's sid release because
+// uninstallable packages are frequent there.
+// Disabling the fallback speeds up unattended-upgrades when there are
+// uninstallable packages at the expense of rarely keeping back packages which
+// could be upgraded or installed.
+// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";

roles/common/templates/chrony.conf.j2

@@ -1,6 +1,9 @@
 # Welcome to the chrony configuration file. See chrony.conf(5) for more
 # information about usable directives.
 
+# Include configuration files found in /etc/chrony/conf.d.
+confdir /etc/chrony/conf.d
+
 {% for srv in ntp_servers %}
 server {{ srv }} iburst
 {% endfor %}
@@ -23,6 +26,9 @@ keyfile /etc/chrony/chrony.keys
 # information.
 driftfile /var/lib/chrony/chrony.drift
 
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
 # Uncomment the following line to turn logging on.
 #log tracking measurements statistics
 
@@ -33,7 +39,7 @@ logdir /var/log/chrony
 maxupdateskew 100.0
 
 # This directive enables kernel synchronisation (every 11 minutes) of the
-# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
 rtcsync
 
 # Step the system clock instead of slewing it if the adjustment is larger than

roles/common/templates/sshd_config.j2

@@ -0,0 +1,131 @@
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin {{ sshd_permit_root_login }}
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+{% if sshd_authkeys_command is defined and sshd_authkeys_command %}
+AuthorizedKeysCommand {{ sshd_authkeys_command }}
+{%   if sshd_authkeys_user is defined and sshd_authkeys_user %}
+AuthorizedKeysCommandUser {{ sshd_authkeys_user }}
+{%   else %}
+AuthorizedKeysCommandUser nobody
+{%   endif %}
+{% else %}
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+{% endif %}
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication {{ sshd_password_authentication }}
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server

roles/coturn/handlers/main.yml

@@ -1,4 +1,10 @@
 ---
 
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
 - name: Restart coturn
   service: name=coturn state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/coturn/meta/main.yml

@@ -0,0 +1,4 @@
+---
+
+dependencies:
+- { role: acertmgr }

roles/coturn/tasks/main.yml

@@ -3,6 +3,28 @@
 - name: Install coturn
   apt: name=coturn
 
+- name: Create coturn service override directory
+  file: path=/etc/systemd/system/coturn.service.d state=directory
+
+- name: Configure coturn service override
+  template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
+  notify:
+  - Reload systemd
+  - Restart coturn
+
+- name: Create gitea directories
+  file: path={{ item }} state=directory owner=turnserver
+  with_items:
+  - /etc/turnserver
+  - /etc/turnserver/certs
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
+
+- name: Configure certificate manager
+  template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
+  notify: Run acertmgr
+
 - name: Configure coturn
   template: src={{ item }}.j2 dest=/etc/{{ item }}
   with_items:

roles/coturn/templates/certs.j2

@@ -0,0 +1,15 @@
+---
+
+{{ coturn_realm }}:
+- path: /etc/turnserver/certs/{{ coturn_realm }}.key
+  user: turnserver
+  group: turnserver
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service coturn restart'
+- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
+  user: turnserver
+  group: turnserver
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service coturn restart'

roles/coturn/templates/coturn.override.j2

@@ -0,0 +1,2 @@
+[Service]
+AmbientCapabilities=CAP_NET_BIND_SERVICE

roles/coturn/templates/turnserver.conf.j2

@@ -15,7 +15,7 @@
 # Note: actually, TLS & DTLS sessions can connect to the
 # "plain" TCP & UDP port(s), too - if allowed by configuration.
 #
-#listening-port=3478
+listening-port=443
 
 # TURN listener port for TLS (Default: 5349).
 # Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
@@ -27,7 +27,7 @@
 # TLS version 1.0, 1.1 and 1.2.
 # For secure UDP connections, Coturn supports DTLS version 1.
 #
-#tls-listening-port=5349
+tls-listening-port=443
 
 # Alternative listening port for UDP and TCP listeners;
 # default (or zero) value means "listening port plus one".
@@ -125,7 +125,10 @@
 #
 # By default, this value is empty, and no address mapping is used.
 #
-#external-ip=60.70.80.91
+external-ip={{ ansible_default_ipv4.address }}
+{% if ansible_default_ipv6.address is defined %}
+external-ip={{ ansible_default_ipv6.address }}
+{% endif %}
 #
 #OR:
 #
@@ -399,17 +402,17 @@ realm={{ coturn_realm }}
 # Uncomment if no TCP client listener is desired.
 # By default TCP client listener is always started.
 #
-no-tcp
+#no-tcp
 
 # Uncomment if no TLS client listener is desired.
 # By default TLS client listener is always started.
 #
-no-tls
+#no-tls
 
 # Uncomment if no DTLS client listener is desired.
 # By default DTLS client listener is always started.
 #
-no-dtls
+#no-dtls
 
 # Uncomment if no UDP relay endpoints are allowed.
 # By default UDP relay endpoints are enabled (like in RFC 5766).
@@ -746,6 +749,6 @@ mobility
 
 # Do not allow an TLS/DTLS version of protocol
 #
-no-tlsv1
-no-tlsv1_1
-no-tlsv1_2
+#no-tlsv1
+#no-tlsv1_1
+#no-tlsv1_2

roles/dhcpd/handlers/main.yml

@@ -1,4 +0,0 @@
----
-
-- name: Restart isc-dhcp-server
-  service: name=isc-dhcp-server state=restarted

roles/dhcpd/tasks/main.yml

@@ -1,14 +0,0 @@
----
-
-- name: Install dhcp server
-  apt: name=isc-dhcp-server
-
-- name: Configure dhcp server
-  template: src={{ item }}.j2 dest=/etc/{{ item }}
-  with_items:
-  - default/isc-dhcp-server
-  - dhcp/dhcpd.conf
-  notify: Restart isc-dhcp-server
-
-- name: Start the dhcp server
-  service: name=isc-dhcp-server state=started enabled=yes

roles/dhcpd/templates/default/isc-dhcp-server.j2

@@ -1,21 +0,0 @@
-#
-# This is a POSIX shell fragment
-#
-
-# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
-#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
-#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
-
-# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
-#DHCPDv4_PID=/var/run/dhcpd.pid
-#DHCPDv6_PID=/var/run/dhcpd6.pid
-
-# Additional options to start dhcpd with.
-#	Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
-#OPTIONS=""
-
-# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
-#	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
-INTERFACESv4="{{ ansible_default_ipv4['interface'] }}"
-INTERFACESv6=""
-INTERFACES="{{ ansible_default_ipv4['interface'] }}"

roles/dhcpd/templates/dhcp/dhcpd.conf.j2

@@ -1,278 +0,0 @@
-# dhcpd.conf
-
-# option definitions common to all supported networks...
-option domain-name "binary.kitchen";
-option domain-name-servers {{ name_servers | join(', ') }};
-option domain-search "binary.kitchen";
-option ntp-servers 172.23.1.60, 172.23.2.3;
-
-default-lease-time 7200;
-max-lease-time 28800;
-
-# Use this to enble / disable dynamic dns updates globally.
-ddns-update-style interim;
-ddns-updates on;
-
-# If this DHCP server is the official DHCP server for the local
-# network, the authoritative directive should be uncommented.
-authoritative;
-
-# Use this to send dhcp log messages to a different log file (you also
-# have to hack syslog.conf to complete the redirection).
-log-facility local7;
-
-{% if dhcpd_failover == true %}
-
-# Failover
-
-failover peer "failover-partner" {
-{% if ansible_default_ipv4.address == dhcpd_primary %}
-  primary;
-  address {{ dhcpd_primary }};
-  peer address {{ dhcpd_secondary }};
-{% elif ansible_default_ipv4.address == dhcpd_secondary %}
-  secondary;
-  address {{ dhcpd_secondary }};
-  peer address {{ dhcpd_primary }};
-{% endif %}
-  port 520;
-  peer port 520;
-  max-response-delay 60;
-  max-unacked-updates 10;
-{% if ansible_default_ipv4.address == dhcpd_primary %}
-  mclt 600;
-  split 255;
-{% endif %}
-  load balance max seconds 3;
-}
-{% endif %}
-
-# Binary Kitchen subnets
-
-# Management
-subnet 172.23.1.0 netmask 255.255.255.0 {
-  option routers 172.23.1.1;
-}
-
-# Services
-subnet 172.23.2.0 netmask 255.255.255.0 {
-  allow bootp;
-  option routers 172.23.2.1;
-}
-
-# Users
-subnet 172.23.3.0 netmask 255.255.255.0 {
-  option routers 172.23.3.1;
-  ddns-domainname "users.binary.kitchen";
-  option domain-search "binary.kitchen", "users.binary.kitchen";
-  pool {
-{% if dhcpd_failover == true %}
-    failover peer "failover-partner";
-{% endif %}
-    range 172.23.3.10 172.23.3.230;
-  }
-}
-
-# MQTT
-subnet 172.23.4.0 netmask 255.255.255.0 {
-  option routers 172.23.4.1;
-  pool {
-{% if dhcpd_failover == true %}
-    failover peer "failover-partner";
-{% endif %}
-    range 172.23.4.10 172.23.4.240;
-  }
-}
-
-# Management Auweg
-subnet 172.23.12.0 netmask 255.255.255.0 {
-  option routers 172.23.12.1;
-}
-
-# Services Auweg
-subnet 172.23.13.0 netmask 255.255.255.0 {
-  allow bootp;
-  option routers 172.23.13.1;
-}
-
-# Users Auweg
-subnet 172.23.14.0 netmask 255.255.255.0 {
-  option routers 172.23.3.1;
-  ddns-domainname "users.binary.kitchen";
-  option domain-search "binary.kitchen", "users.binary.kitchen";
-  pool {
-{% if dhcpd_failover == true %}
-    failover peer "failover-partner";
-{% endif %}
-    range 172.23.14.10 172.23.14.230;
-  }
-}
-
-# MQTT Auweg
-subnet 172.23.15.0 netmask 255.255.255.0 {
-  option routers 172.23.4.1;
-  pool {
-{% if dhcpd_failover == true %}
-    failover peer "failover-partner";
-{% endif %}
-    range 172.23.15.10 172.23.15.240;
-  }
-}
-
-# DDNS zones
-
-zone users.binary.kitchen {
-  primary {{ dns_primary }};
-}
-
-
-# Fixed IPs
-
-host ap01 {
-  hardware ethernet 44:48:c1:ce:a9:00;
-  fixed-address ap01.binary.kitchen;
-}
-
-host ap04 {
-  hardware ethernet 44:48:c1:ce:90:06;
-  fixed-address ap04.binary.kitchen;
-}
-
-host ap05 {
-  hardware ethernet bc:9f:e4:c3:6f:aa;
-  fixed-address ap05.binary.kitchen;
-}
-
-host ap06 {
-  hardware ethernet 94:b4:0f:c0:1d:a0;
-  fixed-address ap06.binary.kitchen;
-}
-
-host bowle {
-  hardware ethernet ac:1f:6b:25:16:b6;
-  fixed-address bowle.binary.kitchen;
-}
-
-host cannelloni {
-  hardware ethernet 00:10:f3:15:88:ac;
-  fixed-address cannelloni.binary.kitchen;
-}
-
-host fusilli {
-  hardware ethernet b8:27:eb:1d:b9:bf;
-  fixed-address fusilli.binary.kitchen;
-}
-
-host garlic {
-  hardware ethernet b8:27:eb:56:2b:7c;
-  fixed-address garlic.binary.kitchen;
-}
-
-host habdisplay1 {
-  hardware ethernet b8:27:eb:b6:62:be;
-  fixed-address habdisplay1.mqtt.binary.kitchen;
-}
-
-host habdisplay2 {
-  hardware ethernet b8:27:eb:df:0b:7b;
-  fixed-address habdisplay2.mqtt.binary.kitchen;
-}
-
-host klopi {
-  hardware ethernet 74:da:38:6e:e6:9d;
-  fixed-address klopi.binary.kitchen;
-}
-
-host lock {
-  hardware ethernet b8:27:eb:d8:b9:ad;
-  fixed-address lock.binary.kitchen;
-}
-
-host maccaroni {
-  hardware ethernet b8:27:eb:18:5c:11;
-  fixed-address maccaroni.binary.kitchen;
-}
-
-host matrix {
-  hardware ethernet b8:27:eb:ed:22:58;
-  fixed-address matrix.binary.kitchen;
-}
-
-host mirror {
-  hardware ethernet 74:da:38:7d:ed:84;
-  fixed-address mirror.binary.kitchen;
-}
-
-host mpcnc {
-  hardware ethernet b8:27:eb:0f:d3:8b;
-  fixed-address mpcnc.binary.kitchen;
-}
-
-host noodlehub {
-  hardware ethernet b8:27:eb:eb:e5:88;
-  fixed-address noodlehub.binary.kitchen;
-}
-
-host openhabgw1 {
-  hardware ethernet dc:a6:32:bf:e2:3e;
-  fixed-address openhabgw1.mqtt.binary.kitchen;
-}
-
-host pizza {
-  hardware ethernet 52:54:00:17:02:21;
-  fixed-address pizza.binary.kitchen;
-}
-
-host spaghetti {
-  hardware ethernet b8:27:eb:e3:e9:f1;
-  fixed-address spaghetti.binary.kitchen;
-}
-
-host schweinshaxn {
-  hardware ethernet 52:54:00:17:02:24;
-  fixed-address schweinshaxn.binary.kitchen;
-}
-
-host strammermax {
-  hardware ethernet 08:00:37:B8:55:44;
-  fixed-address strammermax.binary.kitchen;
-}
-
-host obatzda {
-  hardware ethernet ec:9a:74:35:35:cf;
-  fixed-address obatzda.binary.kitchen;
-}
-
-
-# VoIP Phones
-
-host voip01 {
-  hardware ethernet 00:1D:45:B6:99:2F;
-  option tftp-server-name "172.23.2.36";
-}
-
-host voip02 {
-  hardware ethernet 00:1D:A2:66:B8:3E;
-  option tftp-server-name "172.23.2.36";
-}
-
-host voip03 {
-  hardware ethernet 00:1E:BE:90:FB:DB;
-  option tftp-server-name "172.23.2.36";
-}
-
-host voip04 {
-  hardware ethernet 00:1E:BE:90:FF:06;
-  option tftp-server-name "172.23.2.36";
-}
-
-
-# OMAPI
-
-omapi-port 7911;
-omapi-key omapi_key;
-
-key omapi_key {
-  algorithm hmac-md5;
-  secret {{ dhcp_omapi_key }};
-}

roles/dns_extern/templates/pdns.conf.j2

@@ -1,5 +1,4 @@
-local-address=0.0.0.0
-local-ipv6=::
+local-address=0.0.0.0, ::
 launch=gsqlite3
 gsqlite3-dnssec
 gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3

roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2

@@ -1,7 +1,7 @@
 $ORIGIN 23.172.in-addr.arpa.	; base for unqualified names
 $TTL 1h				; default time-to-live
 @				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
-					2021091301; serial
+					2024100600; serial
 					1d; refresh
 					2h; retry
 					4w; expire
@@ -11,21 +11,20 @@ $TTL 1h				; default time-to-live
 				IN	NS	ns2.binary.kitchen.
 ; Loopback
 1.0				IN	PTR	core.binary.kitchen.
-2.0				IN	PTR	erx-bk.binary.kitchen.
+2.0				IN	PTR	rt-w13b.binary.kitchen.
 3.0				IN	PTR	erx-rz.binary.kitchen.
-4.0				IN	PTR	erx-auweg.binary.kitchen.
+4.0				IN	PTR	rt-auweg.binary.kitchen.
 ; Management
 1.1				IN	PTR	v2301.core.binary.kitchen.
 11.1				IN	PTR	ups1.binary.kitchen.
 21.1				IN	PTR	pdu1.binary.kitchen.
 22.1				IN	PTR	pdu2.binary.kitchen.
 23.1				IN	PTR	pdu3.binary.kitchen.
-31.1				IN	PTR	sw01.binary.kitchen.
-32.1				IN	PTR	sw02.binary.kitchen.
-33.1				IN	PTR	sw03.binary.kitchen.
+31.1				IN	PTR	sw-butchery.binary.kitchen.
+32.1				IN	PTR	sw-mini.binary.kitchen.
+33.1				IN	PTR	sw-rack.binary.kitchen.
 41.1				IN	PTR	ap01.binary.kitchen.
 42.1				IN	PTR	ap02.binary.kitchen.
-43.1				IN	PTR	ap03.binary.kitchen.
 44.1				IN	PTR	ap04.binary.kitchen.
 45.1				IN	PTR	ap05.binary.kitchen.
 46.1				IN	PTR	ap06.binary.kitchen.
@@ -35,6 +34,8 @@ $TTL 1h				; default time-to-live
 82.1				IN	PTR	bowle-bmc.binary.kitchen.
 101.1				IN	PTR	nbe-w13b.binary.kitchen.
 102.1				IN	PTR	nbe-tr8.binary.kitchen.
+111.1				IN	PTR	rfp01.binary.kitchen.
+112.1				IN	PTR	rfp02.binary.kitchen.
 ; Services
 1.2				IN	PTR	v2302.core.binary.kitchen.
 3.2				IN	PTR	bacon.binary.kitchen.
@@ -45,8 +46,12 @@ $TTL 1h				; default time-to-live
 12.2				IN	PTR	lock.binary.kitchen.
 13.2				IN	PTR	matrix.binary.kitchen.
 33.2				IN	PTR	pizza.binary.kitchen.
+34.2				IN	PTR	pancake.binary.kitchen.
+35.2				IN	PTR	knoedel.binary.kitchen.
 36.2				IN	PTR	schweinshaxn.binary.kitchen.
 37.2				IN	PTR	bob.binary.kitchen.
+38.2				IN	PTR	lasagne.binary.kitchen.
+39.2				IN	PTR	tschunk.binary.kitchen.
 62.2				IN	PTR	bowle.binary.kitchen.
 91.2				IN	PTR	strammermax.binary.kitchen.
 92.2				IN	PTR	obatzda.binary.kitchen.
@@ -56,7 +61,6 @@ $GENERATE 10-230 $.3		IN	PTR	dhcp-${0,3,d}-03.binary.kitchen.
 240.3				IN	PTR	fusilli.binary.kitchen.
 241.3				IN	PTR	klopi.binary.kitchen.
 242.3				IN	PTR	mpcnc.binary.kitchen.
-243.3				IN	PTR	garlic.binary.kitchen.
 244.3				IN	PTR	mirror.binary.kitchen.
 245.3				IN	PTR	spaghetti.binary.kitchen.
 246.3				IN	PTR	maccaroni.binary.kitchen.
@@ -65,6 +69,7 @@ $GENERATE 10-230 $.3		IN	PTR	dhcp-${0,3,d}-03.binary.kitchen.
 ; MQTT
 1.4				IN	PTR	v2304.core.binary.kitchen.
 6.4				IN	PTR	pizza.mqtt.binary.kitchen.
+7.4				IN	PTR	lasagne.mqtt.binary.kitchen.
 $GENERATE 10-240 $.4		IN	PTR	dhcp-${0,3,d}-04.binary.kitchen.
 241.4				IN	PTR	habdisplay1.mqtt.binary.kitchen.
 242.4				IN	PTR	habdisplay2.mqtt.binary.kitchen.
@@ -82,17 +87,26 @@ $GENERATE 10-240 $.4		IN	PTR	dhcp-${0,3,d}-04.binary.kitchen.
 1.10				IN	PTR	wg0.erx-rz.binary.kitchen.
 $GENERATE 2-254 $.10		IN	PTR	vpn-${0,3,d}-10.binary.kitchen.
 ; Management Auweg
+1.12				IN	PTR	v2312.rt-auweg.binary.kitchen.
+31.12				IN	PTR	sw-auweg.binary.kitchen.
+41.12				IN	PTR	ap11.binary.kitchen.
+42.12				IN	PTR	ap12.binary.kitchen.
 61.12				IN	PTR	weizen.binary.kitchen.
+111.12				IN	PTR	rfp11.binary.kitchen.
 ; Services Auweg
+1.13				IN	PTR	v2313.rt-auweg.binary.kitchen.
 3.13				IN	PTR	aeron.binary.kitchen.
+12.13				IN	PTR	lock-auweg.binary.kitchen.
 ; Clients Auweg
+1.14				IN	PTR	v2314.rt-auweg.binary.kitchen.
 $GENERATE 10-230 $.14		IN	PTR	dhcp-${0,3,d}-14.binary.kitchen.
 ; MQTT
+1.15				IN	PTR	v2315.rt-auweg.binary.kitchen.
 $GENERATE 10-240 $.15		IN	PTR	dhcp-${0,3,d}-15.binary.kitchen.
 ; Point-to-Point
-1.96				IN	PTR	v400.erx-bk.binary.kitchen.
+1.96				IN	PTR	v400.rt-w13b.binary.kitchen.
 2.96				IN	PTR	v400.core.binary.kitchen.
 1.97				IN	PTR	wg1.erx-rz.binary.kitchen.
-2.97				IN	PTR	wg1.erx-bk.binary.kitchen.
+2.97				IN	PTR	wg1.rt-w13b.binary.kitchen.
 5.97				IN	PTR	wg2.erx-rz.binary.kitchen.
-6.97				IN	PTR	wg2.erx-auweg.binary.kitchen.
+6.97				IN	PTR	wg2.rt-auweg.binary.kitchen.

roles/dns_intern/templates/bind/binary.kitchen.zone.j2

@@ -1,19 +1,19 @@
 $ORIGIN binary.kitchen		; base for unqualified names
 $TTL 1h				; default time-to-live
 @				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
-					2021091301; serial
+					2024111500; serial
 					1d; refresh
 					2h; retry
 					4w; expire
 					1h; minimum time-to-live
 				)
-				IN	NS	ns1.binary.kitchen.
-				IN	NS	ns2.binary.kitchen.
+@				IN	NS	ns1.binary.kitchen.
+@				IN	NS	ns2.binary.kitchen.
 ; Subdomains
 users				IN	NS	ns1.binary.kitchen.
 users				IN	NS	ns2.binary.kitchen.
 ; External
-				IN	A	213.166.246.4
+@				IN	A	213.166.246.4
 www				IN	A	213.166.246.4
 ; Aliases
 3dprinter			IN	A	172.23.3.251
@@ -29,26 +29,25 @@ librenms			IN	A	172.23.2.6
 netbox				IN	A	172.23.2.7
 ns1				IN	A	172.23.2.3
 ns2				IN	A	172.23.2.4
-racktables			IN	A	172.23.2.6
+omm				IN	A	172.23.2.35
 radius				IN	A	172.23.2.3
 radius				IN	A	172.23.2.4
 ; Loopback
 core				IN	A	172.23.0.1
-erx-bk				IN	A	172.23.0.2
+rt-w13b				IN	A	172.23.0.2
 erx-rz				IN	A	172.23.0.3
-erx-auweg			IN	A	172.23.0.4
+rt-auweg			IN	A	172.23.0.4
 ; Management
 v2301.core			IN	A	172.23.1.1
 ups1				IN	A	172.23.1.11
 pdu1				IN	A	172.23.1.21
 pdu2				IN	A	172.23.1.22
 pdu3				IN	A	172.23.1.23
-sw01				IN	A	172.23.1.31
-sw02				IN	A	172.23.1.32
-sw03				IN	A	172.23.1.33
+sw-butchery			IN	A	172.23.1.31
+sw-mini				IN	A	172.23.1.32
+sw-rack				IN	A	172.23.1.33
 ap01				IN	A	172.23.1.41
 ap02				IN	A	172.23.1.42
-ap03				IN	A	172.23.1.43
 ap04				IN	A	172.23.1.44
 ap05				IN	A	172.23.1.45
 ap06				IN	A	172.23.1.46
@@ -58,6 +57,8 @@ wurst-bmc			IN	A	172.23.1.80
 bowle-bmc			IN	A	172.23.1.82
 nbe-w13b			IN	A	172.23.1.101
 nbe-tr8				IN	A	172.23.1.102
+rfp01				IN	A	172.23.1.111
+rfp02				IN	A	172.23.1.112
 ; Services
 v2302.core			IN	A	172.23.2.1
 bacon				IN	A	172.23.2.3
@@ -68,8 +69,12 @@ epona				IN	A	172.23.2.7
 lock				IN	A	172.23.2.12
 matrix				IN	A	172.23.2.13
 pizza				IN	A	172.23.2.33
+pancake				IN	A	172.23.2.34
+knoedel				IN	A	172.23.2.35
 schweinshaxn			IN	A	172.23.2.36
 bob				IN	A	172.23.2.37
+lasagne				IN	A	172.23.2.38
+tschunk				IN	A	172.23.2.39
 bowle				IN	A	172.23.2.62
 strammermax			IN	A	172.23.2.91
 obatzda				IN	A	172.23.2.92
@@ -79,7 +84,6 @@ $GENERATE 10-230 dhcp-${0,3,d}-03	IN	A	172.23.3.$
 fusilli				IN	A	172.23.3.240
 klopi				IN	A	172.23.3.241
 mpcnc				IN	A	172.23.3.242
-garlic				IN	A	172.23.3.243
 mirror				IN	A	172.23.3.244
 spaghetti			IN	A	172.23.3.245
 maccaroni			IN	A	172.23.3.246
@@ -88,6 +92,7 @@ noodlehub			IN	A	172.23.3.251
 ; MQTT
 v2304.core			IN	A	172.23.4.1
 pizza.mqtt			IN	A	172.23.4.6
+lasagne.mqtt			IN	A	172.23.4.7
 $GENERATE 10-240 dhcp-${0,3,d}-04	IN	A	172.23.4.$
 habdisplay1.mqtt		IN	A	172.23.4.241
 habdisplay2.mqtt		IN	A	172.23.4.242
@@ -102,20 +107,29 @@ salat				IN	A	172.23.9.61
 salat-bmc			IN	A	172.23.9.81
 ; Services RZ
 ; Management Auweg
+v2312.rt-auweg			IN	A	172.23.12.1
+sw-auweg			IN	A	172.23.12.31
+ap11				IN	A	172.23.12.41
+ap12				IN	A	172.23.12.42
 weizen				IN	A	172.23.12.61
+rfp11				IN	A	172.23.12.111
 ; Services Auweg
+v2313.rt-auweg			IN	A	172.23.13.1
 aeron				IN	A	172.23.13.3
+lock-auweg			IN	A	172.23.13.12
 ; Clients Auweg
+v2314.rt-auweg			IN	A	172.23.14.1
 $GENERATE 10-230 dhcp-${0,3,d}-14	IN	A	172.23.14.$
 ; MQTT Auweg
+v2315.rt-auweg			IN	A	172.23.15.1
 $GENERATE 10-240 dhcp-${0,3,d}-15	IN	A	172.23.15.$
 ; VPN RZ (ER-X)
 wg0.erx-rz			IN	A	172.23.10.1
 $GENERATE 2-254 vpn-${0,3,d}-10	IN	A	172.23.10.$
 ; Point-to-Point
-v400.erx-bk			IN	A	172.23.96.1
+v400.rt-w13b			IN	A	172.23.96.1
 v400.core			IN	A	172.23.96.2
 wg1.erx-rz			IN	A	172.23.97.1
-wg1.erx-bk			IN	A	172.23.97.2
+wg1.rt-w13b			IN	A	172.23.97.2
 wg2.erx-rz			IN	A	172.23.97.5
-wg2.erx-auweg			IN	A	172.23.97.6
+wg2.rt-auweg			IN	A	172.23.97.6

roles/dns_intern/templates/dnsdist.conf.j2

@@ -9,17 +9,27 @@ newServer({address='127.0.0.1:5300', pool='authdns'})
 newServer({address='127.0.0.1:5353', pool='resolve'})
 
 {% if dns_secondary is defined %}
--- allow AXFR/IXFR only from slaves
-addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
+-- allow AXFR/IXFR only from secondary
+addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
 {% endif %}
 
--- allow NOTIFY only from master
-addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
+-- allow NOTIFY only from primary
+addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
 
 -- use auth servers for own zones
 addAction('binary.kitchen', PoolAction('authdns'))
 addAction('23.172.in-addr.arpa', PoolAction('authdns'))
 
+-- function to set RA flag
+function setRA(dq)
+  dq.dh:setRA(true)
+  return DNSResponseAction.None
+end
+
+-- set RA flag for queries to own zones
+addResponseAction('binary.kitchen', LuaResponseAction(setRA))
+addResponseAction('23.172.in-addr.arpa', LuaResponseAction(setRA))
+
 -- use resolver for anything else
 addAction(AllRule(), PoolAction('resolve'))
 

roles/dns_intern/templates/pdns.conf.j2

@@ -26,12 +26,6 @@ launch=bind,gsqlite3
 # local-address=0.0.0.0
 local-address=127.0.0.1
 
-#################################
-# local-ipv6	Local IP address to which we bind
-#
-# local-ipv6=::
-local-ipv6=
-
 #################################
 # local-port	The port on which we listen
 #

roles/dns_intern/templates/recursor.conf.j2

@@ -11,9 +11,9 @@
 config-dir=/etc/powerdns
 
 #################################
-# dnssec	DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
+# dnssec	DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate
 #
-# dnssec=process-no-validate
+# dnssec=process
 dnssec=off
 
 #################################

roles/docker/tasks/main.yml

@@ -1,17 +1,10 @@
 ---
 
-- name: Enable docker apt-key
-  apt_key: url='https://download.docker.com/linux/debian/gpg'
-
-- name: Enable docker repository
-  apt_repository:
-    repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
-    filename: docker
-
 - name: Install docker
   apt:
     name:
-    - docker-ce
-    - docker-ce-cli
-    - containerd.io
+    - docker.io
     - python3-docker
+
+- name: Enable docker
+  service: name=docker state=started enabled=yes

roles/doorlock/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
+- name: Restart nginx
+  service: name=nginx state=restarted

roles/doorlock/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- name: Ensure certificates are available
+  command:
+    cmd: >
+      openssl req -x509 -nodes -newkey rsa:2048
+      -keyout /etc/nginx/ssl/{{ doorlock_domain }}.key -out /etc/nginx/ssl/{{ doorlock_domain }}.crt
+      -days 730 -subj "/CN={{ doorlock_domain }}"
+    creates: /etc/nginx/ssl/{{ doorlock_domain }}.crt
+  notify: Restart nginx
+
+- name: Request nsupdate key for certificate
+  include_role: name=acme-dnskey-generate
+  vars:
+    acme_dnskey_san_domains:
+    - "{{ doorlock_domain }}"
+
+- name: Configure certificate manager for doorlock
+  template: src=certs.j2 dest=/etc/acertmgr/{{ doorlock_domain }}.conf
+  notify: Run acertmgr

roles/doorlock/templates/certs.j2

@@ -0,0 +1,18 @@
+---
+
+{{ doorlock_domain }}:
+- mode: dns.nsupdate
+  nsupdate_server: {{ acme_dnskey_server }}
+  nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ doorlock_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ doorlock_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'

roles/drone/files/drone.service

@@ -1,14 +0,0 @@
-[Unit]
-Description=drone.io server
-After=network-online.target
-
-[Service]
-Type=simple
-User=drone
-EnvironmentFile=/etc/default/drone
-ExecStart=/opt/drone/bin/drone-server
-Restart=always
-RestartSec=5s
-
-[Install]
-WantedBy=multi-user.target

roles/drone/tasks/main.yml

@@ -1,52 +0,0 @@
----
-
-- name: Create user
-  user: name=drone
-
-# TODO install drone to /opt/drone/bin
-# currently it is manually compiled
-
-- name: Configure drone
-  template: src=drone.j2 dest=/etc/default/drone
-  notify: Restart drone
-
-- name: Install PostgreSQL
-  apt:
-    name:
-    - postgresql
-    - python3-psycopg2
-
-- name: Configure PostgreSQL database
-  postgresql_db: name={{ drone_dbname }}
-  become: true
-  become_user: postgres
-
-- name: Configure PostgreSQL user
-  postgresql_user: db={{ drone_dbname }} name={{ drone_dbuser }} password={{ drone_dbpass }} priv=ALL state=present
-  become: true
-  become_user: postgres
-
-- name: Ensure certificates are available
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ drone_domain }}.key -out /etc/nginx/ssl/{{ drone_domain }}.crt -days 730 -subj "/CN={{ drone_domain }}" creates=/etc/nginx/ssl/{{ drone_domain }}.crt
-  notify: Restart nginx
-
-- name: Configure certificate manager for drone
-  template: src=certs.j2 dest=/etc/acertmgr/{{ drone_domain }}.conf
-  notify: Run acertmgr
-
-- name: Configure vhost
-  template: src=vhost.j2 dest=/etc/nginx/sites-available/drone
-  notify: Restart nginx
-
-- name: Enable vhost
-  file: src=/etc/nginx/sites-available/drone dest=/etc/nginx/sites-enabled/drone state=link
-  notify: Restart nginx
-
-- name: Install systemd unit
-  copy: src=drone.service dest=/lib/systemd/system/drone.service
-  notify:
-  - Reload systemd
-  - Restart drone
-
-- name: Enable drone
-  service: name=drone enabled=yes

roles/drone/templates/drone.j2

@@ -1,10 +0,0 @@
-DRONE_AGENTS_ENABLED=true
-DRONE_DATABASE_DATASOURCE=postgres://{{ drone_dbuser }}:{{ drone_dbpass }}@127.0.0.1:5432/{{ drone_dbname }}
-DRONE_DATABASE_DRIVER=postgres
-DRONE_GITEA_SERVER=https://{{ gitea_domain }}
-DRONE_GITEA_CLIENT_ID={{ drone_gitea_client }}
-DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_secret }}
-DRONE_RPC_SECRET={{ drone_secret }}
-DRONE_SERVER_HOST={{ drone_domain }}
-DRONE_SERVER_PROTO=https
-DRONE_USER_CREATE=username:{{ drone_admin }},admin:true

roles/drone/templates/vhost.j2

@@ -1,31 +0,0 @@
-server {
-	listen 80;
-	listen [::]:80;
-
-	server_name {{ drone_domain }};
-
-	location /.well-known/acme-challenge {
-		default_type "text/plain";
-		alias /var/www/acme-challenge;
-	}
-
-	location / {
-		return 301 https://{{ drone_domain }}$request_uri;
-	}
-}
-
-server {
-	listen 443 ssl http2;
-	listen [::]:443 ssl http2;
-
-	server_name {{ drone_domain }};
-
-	ssl_certificate_key /etc/nginx/ssl/{{ drone_domain }}.key;
-	ssl_certificate /etc/nginx/ssl/{{ drone_domain }}.crt;
-
-	location / {
-		client_max_body_size 128M;
-		proxy_set_header X-Real-IP $remote_addr;
-		proxy_pass http://localhost:8080;
-	}
-}

roles/drone_runner/tasks/main.yml

@@ -1,21 +0,0 @@
----
-
-- name: Run runner container
-  docker_container:
-    name: runner
-    image: drone/drone-runner-docker:1
-    env:
-      DRONE_RPC_PROTO: "https"
-      DRONE_RPC_HOST: "{{ drone_domain }}"
-      DRONE_RPC_SECRET: "{{ drone_secret }}"
-      DRONE_RUNNER_CAPACITY: "2"
-      DRONE_RUNNER_NAME: "{{ ansible_fqdn }}"
-      DRONE_UI_USERNAME: "admin"
-      DRONE_UI_PASSWORD: "{{ drone_uipass }}"
-    ports:
-    - "3000:3000"
-    pull: yes
-    restart_policy: unless-stopped
-    state: started
-    volumes:
-    - "/var/run/docker.sock:/var/run/docker.sock"

roles/event_web/files/certs

@@ -0,0 +1,15 @@
+---
+
+eh21.easterhegg.eu engel.eh21.easterhegg.eu:
+- path: /etc/nginx/ssl/eh21.easterhegg.eu.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/eh21.easterhegg.eu.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'

roles/event_web/files/vhost

@@ -0,0 +1,68 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name eh21.easterhegg.eu;
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://eh21.easterhegg.eu$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name eh21.easterhegg.eu;
+
+	ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
+	ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
+
+	root /var/www/eh21;
+}
+
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name engel.eh21.easterhegg.eu;
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://engel.eh21.easterhegg.eu$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name engel.eh21.easterhegg.eu;
+
+	ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
+	ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
+
+	root /var/www/engel/public;
+
+	index index.php;
+
+	location / {
+		try_files $uri $uri/ /index.php?$args;
+	}
+
+	location ~ \.php$ {
+		fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+		fastcgi_index index.php;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+		include fastcgi_params;
+	}
+}

roles/event_web/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/event_web/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/event_web/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+
+- name: Install dependencies
+  apt:
+    name:
+    - php-fpm
+
+- name: Create vhost directory
+  file: path=/var/www/eh21 state=directory owner=www-data group=www-data
+
+- name: Create vhost directory
+  file: path=/var/www/engel state=directory owner=www-data group=www-data
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/eh21.easterhegg.eu.key -out /etc/nginx/ssl/eh21.easterhegg.eu.crt -days 730 -subj "/CN=eh21.easterhegg.eu" creates=/etc/nginx/ssl/eh21.easterhegg.eu.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager
+  copy: src=certs dest=/etc/acertmgr/eh21.easterhegg.eu.conf
+  notify: Run acertmgr
+
+- name: Configure vhosts
+  copy: src=vhost dest=/etc/nginx/sites-available/www
+  notify: Restart nginx
+
+- name: Enable vhosts
+  file: src=/etc/nginx/sites-available/www dest=/etc/nginx/sites-enabled/www state=link
+  notify: Restart nginx
+
+- name: Start php8.2-fpm
+  service: name=php8.2-fpm state=started enabled=yes

roles/fileserver/templates/smb.conf.j2

@@ -42,7 +42,7 @@
 # option cannot handle dynamic or non-broadcast interfaces correctly.
 ;   bind interfaces only = yes
 
-
+   min protocol = NT1
 
 #### Debugging/Accounting ####
 
@@ -213,7 +213,7 @@
 ;[printers]
 ;   comment = All Printers
 ;   browseable = no
-;   path = /var/spool/samba
+;   path = /var/tmp
 ;   printable = yes
 ;   guest ok = no
 ;   read only = yes
@@ -240,5 +240,5 @@
    browseable = yes
    read only = no
    guest ok = yes
-   create mask = 0600
-   directory mask = 0700
+   create mask = 0660
+   directory mask = 0770

roles/freepbx/defaults/main.yml

@@ -0,0 +1,12 @@
+---
+
+deploy_key_file: /root/.ssh/id_git_deploy_rsa
+
+asterisk_user: asterisk
+asterisk_group: asterisk
+
+repo_provisioning: gogs@git.binary-kitchen.de:noby/voip-yealink-provisioning.git
+repo_utilities: gogs@git.binary-kitchen.de:noby/voip-yealink-xml-browser.git
+
+path_yealink_provisioning: /tftpboot/yealink
+path_yealink_utilities: /opt/yealink_utilities

roles/freepbx/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Reload systemd
+  ansible.builtin.systemd:
+    daemon_reload: true
+
+- name: Restart yealink-utilities
+  ansible.builtin.service:
+    name: yealink-utilities
+    state: restarted