group_vars: whitelist pretix for mail

web_plk: remove host: technetium

ansible.cfg

@@ -1,5 +1,6 @@
 [defaults]
 ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
+interpreter_python = auto
 inventory       = ./hosts
 nocows          = 1
 remote_user     = root

group_vars/all/vars.yml

@@ -34,11 +34,19 @@ gitea_dbpass: "{{ vault_gitea_dbpass }}"
 gitea_secret: "{{ vault_gitea_secret }}"
 gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
 
-hackmd_domain: pad.binary-kitchen.de
-hackmd_dbname: hackmd
-hackmd_dbuser: hackmd
-hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
-hackmd_secret: "{{ vault_hackmd_secret }}"
+hedgedoc_domain: pad.binary-kitchen.de
+hedgedoc_dbname: hackmd
+hedgedoc_dbuser: hackmd
+hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
+hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
+
+icinga_domain: icinga.binary.kitchen
+icinga_dbname: icinga
+icinga_dbuser: icinga
+icinga_dbpass: "{{ vault_icinga_dbpass }}"
+icingaweb_dbname: icingaweb
+icingaweb_dbuser: icingaweb
+icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
 
 jitsi_domain: jitsi.binary-kitchen.de
 jitsi_admin_email: exxess@binary-kitchen.de
@@ -64,10 +72,14 @@ mail_server: mail.binary-kitchen.de
 mailman_domain: lists.binary-kitchen.de
 mail_trusted:
 - 213.166.246.0/28
+- 213.166.246.45/32
 - 213.166.246.250/32
 - 2a02:958:0:f6::/124
+- 2a02:958:0:f6::45/128
 mail_aliases:
+- "auweg@binary-kitchen.de	venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
 - "epvpn@binary-kitchen.de	noby@binary-kitchen.de"
+- "google@binary-kitchen.de	vorstand@binary-kitchen.de"
 - "info@binary-kitchen.de	vorstand@binary-kitchen.de"
 - "lebercast@binary-kitchen.de	anti@binary-kitchen.de,dragonchaser@binary-kitchen.de,moepman@binary-kitchen.de,philmacfly@binary-kitchen.de,ralf@binary-kitchen.de"
 - "loetworkshop@binary-kitchen.de	timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
@@ -80,7 +92,7 @@ mail_aliases:
 - "root@binary-kitchen.de	moepman@binary-kitchen.de,kishi@binary-kitchen.de"
 - "seife@binary-kitchen.de	anke@binary-kitchen.de"
 - "siebdruck@binary-kitchen.de	anke@binary-kitchen.de"
-- "vorstand@binary-kitchen.de	anti@binary-kitchen.de,avarrish@binary-kitchen.de,timo.schindler@binary-kitchen.de,zaesa@binary-kitchen.de"
+- "vorstand@binary-kitchen.de	anti@binary-kitchen.de,avarrish@binary-kitchen.de,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
 - "voucher1@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher2@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher3@binary-kitchen.de	exxess@binary-kitchen.de"
@@ -100,19 +112,28 @@ matrix_dbname: matrix
 matrix_dbuser: matrix
 matrix_dbpass: "{{ vault_matrix_dbpass }}"
 
-nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
-nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
-nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
+mc_domain: minecraft.binary-kitchen.de
+
+netbox_domain: netbox.binary.kitchen
+netbox_dbname: netbox
+netbox_dbuser: netbox
+netbox_dbpass: "{{ vault_netbox_dbpass }}"
+netbox_secret: "{{ vault_netbox_secret }}"
 
 nextcloud_domain: oc.binary-kitchen.de
 nextcloud_dbname: owncloud
 nextcloud_dbuser: owncloud
 nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
 
-plk_domain: plk-regensburg.de
-plk_dbuser: plkdbuser
-plk_dbname: plkdb
-plk_dbpass: "{{ vault_plk_dbpass }}"
+nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
+nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
+nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
+
+pretix_domain: pretix.rc3.binary-kitchen.de
+pretix_dbname: pretix
+pretix_dbuser: pretix
+pretix_dbpass: "{{ vault_pretix_dbpass }}"
+pretix_mail: rc3@binary-kitchen.de
 
 prometheus_pve_user: prometheus@pve
 prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
@@ -126,8 +147,6 @@ pve_targets:
 
 radius_secret: "{{ vault_radius_secret }}"
 
-rocketchat_domain: chat.binary-kitchen.de
-
 root_keys:
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBmZnJLG1WRppbLtOAJw3E4LgLRK0NirfCgpovhhU6h moepman"
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd kishi"
@@ -135,3 +154,5 @@ root_keys:
 slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
 slapd_root_pass: "{{ vault_slapd_root_pass }}"
 slapd_san: ldap.binary.kitchen
+
+workadventure_domain: wa.binary-kitchen.de

group_vars/all/vault.yml

@@ -1,59 +1,70 @@
 $ANSIBLE_VAULT;1.1;AES256
-37303932343462623335393066643531373533636435356462326537373532613534353266396435
-3636666364306637306266393933383963633032383265650a656563303332303134323135353239
-34633863333930316564633632313939643664373163373833636139366537646530383736343130
-6239373931306234620a353966346262646538306631656461613431636230333430663931643933
-31316362353439393838363666613932313635313864333135636530653238653162353033356437
-33353063363639346266313631393463623864636133623264613865336536613536343365386230
-65396263393862626139396430623134316632313637623631623762656139623664356331623066
-30323430613963313162616135303164663364336634326533346438373635366238356531613461
-30333736633965333163616437303566666239313962353531393530613265363833396136646262
-62633662666532396535316361303934613138373365633161393664313234663533363736323335
-38613762376234663564333333386265633138613839636132346638313430653639636339336239
-38633564333831326331326166666362353364303933393532643936313564386565643162623435
-36356437356631666137323039316430656566613436623062656562666139383635653039636463
-35393438323765303431333737356339343730303531333834306239366533393537626239376163
-31663332343136323264376234363264343136623365383833666638656531306362663462383033
-31633838643562613762363634653865353361303666363139636337386439626235336462653036
-30376461643839313665383430386534656265626139313034646438323861653530383637316139
-35313539636137303561646564616362313435666262343137616263396465356434363862323137
-38626464383039386139343665363538326539613837366437623362336639336133323463666235
-36346333356434363838363634343233323363333762653264333062656133623434666162356433
-37623862653862643335333931663063623166353534636430323230663838653532356335306632
-33646265343834363839653565326538353930663061376461646534386637376234646264343933
-65653763343236653630396238333232633461663333646531323337626235396231383931663264
-34363564366134663036643332346238373639646336396261316133326235636265323636663335
-35363537346466396432396162383131306438396431336138666663633132646662316165643333
-64633434623166343262623038623431343631333962663566303566393761653536303638643037
-63363963306139336235363537396432383131303763643966313937353537333739393031616439
-35343361646234663062633631323238656137373464386561656439313636613630323632616332
-39346239666266623038363066643865373762633532323431373431373165643662663661633365
-35353361383339623535336362313430616139396561623934346264323462663663383566393165
-35366637313861386465333530613530623832643333616538336436356134313832306139336361
-32393162373235356236343332363038393631626534643237383232323735633265333562633231
-61613164363962323236666365353830346664643263393532343562383736336535353364343638
-62386465323331653565306234646664393164666334383765336630346438633636353264636138
-31316231326236313839353465353230353935363330393035373234393039386134366534653636
-63323730383931353763383739393330316335373563393039366166313031373664636335363363
-38363131363565326431636361316562313037373664306333313366646336333162663664306539
-64636530363561393037373766383937616435313333653836363835383231633130396133663635
-36613531323732623264646666656139333766656562623430313964366236373663626135383437
-31643663663637613762313465656636396264623362643538323166356636303430613133383664
-66383332326437333638663562376665386237313533303437623765353661393561373338636130
-30383665333366643331366536646330633133643566393962633164643563613536363434393234
-66323931316535353632356432373262623962616264383430623436303637616165386433326231
-38633730636633643634343833313964653530663034333063313334636134646634363437346161
-32613061363032383732323263303830363532326239316538393739313730383530633862313039
-37653865303932313635656332663039376331393161623731623039653865623436363061626538
-32383934613335363534666461343135303235373262343634306130633536323839393139346662
-31623265323138353963623938616665383765366230656461383835346230346261623866366630
-65303965353432386136373562306434623739666262356663656266346439356435613362333563
-34366539353366346636376662363837303332373866323434366261326164633033353930383038
-36666433656365366663326163343034306439653262353733323232373133386436333637346563
-32626533336530633731336631333334353366306538663936643637346335303965626631316562
-33333061656234393661363766663630316662613764333231326434383465666234653238393965
-31636561396665383063613433653837363634623337623330666466353532633434383864343464
-38303436306165353433356536326466306530373635616531393462666336666435633235613937
-37343832333864643636366632623062363234633365326635386663376439383332306333653161
-34353830396165366534313334616161323461613066383561343563393330613464373862623062
-3536303066343262636636393861313539616636643339353562
+34303237313431646264363034353637613836633432633638333963363037663435626166663630
+6338393164366434386334313664386166373031326538350a396639373163646666376462373662
+36623863356436356635303263643239666162333863613831326630303363346137653234323838
+3639623464303131350a653162336338626665393534623063623330323162373935353939303631
+64333363373563343336643764306563376461393430643631366133353836646363363166653233
+38323331386165366334656630626138383131323664333266353164323164373364303161653365
+30333339646139626434636365653666636534346266636262613938656665343634363563663366
+32306663653930613762663534613635616663613130613933626331663861643439323664353739
+31316531653562646363376233636464396262313132343234303933343066373862633235383333
+31313431336464663163343835646430323664373166363465343037333130343636646363393231
+34613162386637306539663431636137353039383037333937613035393332353933333134346335
+31616561636533383639366634316164343466613634643130353437393664336332316132363934
+61333961613530333536613034386332646136313939356339633334353333326661393231343261
+62653463316662376134663965383030636639356637393237653362616561616238653637623039
+65653139373633323766356362613239316165393966623932346561363363393138653032366439
+64303463306132363261333936653763353833386337303763316362666134306264306464306362
+30343364393539636565633861386261373661623061333733353635336133373162636465376137
+61316465306534623337383631663538336632383832343132333862316336323961623637383838
+65363832646138376233653264373535633437376162326361313863333839343236343966393839
+32323361666264373466396130666465303032393364633134343264643731323438646562333361
+63376266616430643135326430366266633332633333646134313736316139386232333965346331
+61663964653931333730643435303637666563316133373831336566303361383736666139626562
+38623031303533396632613361323533313334333631316434646232383136393433323466383330
+65666530616466623933393936613963663766653361643733326330643162346635613835633736
+64393064326233313035316130353563623639303665623064303831376332353264633930363364
+33623137353130353962323964396130646230393335386434346130663064613434643136656466
+63623666376165653961666539383335356163316131353966613036643530663835313766366533
+31656633633331636535316234653561326465623562393632623062383935336530383133626236
+66323366306366623631373861346635303063376264613734643039363137613837333534616362
+37633462373538313562666639613031343866383234633438373936623437333666343731633735
+33386666313531613734643431333332346439386465303531306365386537613933623636643237
+35653434303433633533356662623965383133383838613361303832326130343938393561393935
+38313533643830633432303464306561643233303866316130616531623230393366323264626165
+33653230366138376533376166393466656233353061343338393433386332333361353063323634
+66366561646466616566336265363037616433616231353739613538633765343235323637303535
+34373739306130313536633338353130656632666536356535636265333335303730333031323436
+39633466353139663361646265656334633461346564616633643030383662353762643237333761
+31326435313361366163353836633535303462623533373363376433613139373135393566333937
+64313838373366383432376430643236633030623736643435363038616261333364366139666435
+66623661643032633931623539383136373138636333323737323165333831333764363137393562
+62663335353265353535643666356632663736343039333965653639653764646261323736313430
+39656366356130326363363133383062333530316165643430383161306135346663623861313030
+65346430353230363561633239623330623265666336616133326263323063333132323764343735
+63346230373339343062393035356565376265643463326366326535313130663163366435323339
+62363339313332663333653336633331343161363432393639316630633365643037653739613132
+63316662336630626366363662333061353539333133653732646330643065333430316333316131
+33363662653465306531666435363932663432373932353466383364383634643634313736303931
+63353632353836663263616137353031643238663632363563656137313961656534663137613061
+37636530306334613639326363383665373061383634326630653366386632636634653638653330
+32366438623635363833343566353365373762646162393637326433656438663066663766333761
+65363136666238623439663764363266363731613261326566653035303265623736353331376562
+36646435353134613363316236383938613032626562646237366337376433326334386330646266
+66333365323133616466646164353262653830313764376562636164326163623463373863373630
+31623264373330386136396130626133323762363262336337396562613166646132386362383635
+61333637373462316463303962396162383039373265303939306132323533393236343965613835
+32646361383938383337653264323766363130613264613463386432306238316531653437323939
+39353866313834393933623630303539633334663239343865313264616664656464646631623934
+33623230643633353361343965396236393939343765653161643530626133663236383135343934
+37353231626339323866613237663463656239326335643035313730363133616538613866386162
+65623335393462633130353965343533616261636261656162626639323231623934663765386166
+37353665643363386662646538306530326161653461393236616531343935393639386432633437
+63643561646337616138633063646261323937333262333535626235373561336339346661353365
+30396365376566616538353866383266666436636131656535363062633237313266366639373536
+64316435316234313365306332383637636263376563393464303566313566636238626434393364
+62316263353733636136393034616362643764346536373533363937633938383037376261656330
+30333738616232616566643335353161636466643830393464643263653633373662623437643332
+61396430636631396134393064633131636233653664373363386638366138343435613438303330
+61366234663461333331623961393834643233623862323861346163343934303838666232626639
+6139

group_vars/auweg

@@ -0,0 +1,14 @@
+---
+
+dhcpd_failover: false
+dhcpd_primary: 172.23.13.3
+
+dns_primary: 172.23.13.3
+
+name_servers:
+- 172.23.13.3
+
+ntp_servers:
+- 172.23.12.61
+
+radius_cn: radius.binary.kitchen

group_vars/kitchen

@@ -4,6 +4,9 @@ dhcpd_failover: true
 dhcpd_primary: 172.23.2.3
 dhcpd_secondary: 172.23.2.4
 
+dns_primary: 172.23.2.3
+dns_secondary: 172.23.2.4
+
 name_servers:
 - 172.23.2.3
 - 172.23.2.4

host_vars/aeron.binary.kitchen

@@ -0,0 +1,6 @@
+---
+
+radius_hostname: radius3.binary.kitchen
+
+slapd_hostname: ldap3.binary.kitchen
+slapd_role: slave

host_vars/bacon.binary.kitchen

@@ -1,9 +1,11 @@
 ---
 
+ntp_server: true
+
 ntp_servers:
 - ptbtime2.ptb.de
 - ntp1.rrze.uni-erlangen.de
-- ntps1-0.cs.tu-berlin.de
+- rustime01.rus.uni-stuttgart.de
 
 ntp_peers:
 - 172.23.1.60

host_vars/barium.binary-kitchen.net

@@ -0,0 +1,2 @@
+root_keys_host:
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/bowle.binary.kitchen

@@ -0,0 +1,8 @@
+---
+
+nfs_exports:
+- /exports/backup/bk 172.23.1.60(rw,sync,no_subtree_check)
+- /exports/backup/rz 172.23.9.61(rw,sync,no_subtree_check)
+- /exports/tank 172.23.0.0/22(rw,sync,no_subtree_check)
+
+uau_reboot: "false"

host_vars/nitrogen.binary-kitchen.net

@@ -3,3 +3,5 @@
 root_keys_host:
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4xYKnnAhXf2Fe+cI+U4EVkePw3cbPbSR4iPhY2fQf xaver@xm.1drop.de"
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGC1Cn/tEqpZKEgLzT3bGrhYibQy0bc21rtoDqm4+elZ xaver@home"
+
+nginx_anonymize: True

host_vars/weizen.binary.kitchen

@@ -0,0 +1,8 @@
+---
+
+ntp_server: true
+
+ntp_servers:
+- ptbtime1.ptb.de
+- ntp1.rrze.uni-erlangen.de
+- rustime01.rus.uni-stuttgart.de

host_vars/wurst.binary.kitchen

@@ -1,9 +1,11 @@
 ---
 
+ntp_server: true
+
 ntp_servers:
 - ptbtime1.ptb.de
 - ntp1.rrze.uni-erlangen.de
-- ntps1-0.cs.tu-berlin.de
+- rustime01.rus.uni-stuttgart.de
 
 ntp_peers:
 - 172.23.2.3

hosts

@@ -4,10 +4,14 @@ bacon.binary.kitchen ansible_host=172.23.2.3
 aveta.binary.kitchen ansible_host=172.23.2.4
 sulis.binary.kitchen ansible_host=172.23.2.5
 nabia.binary.kitchen ansible_host=172.23.2.6
+epona.binary.kitchen ansible_host=172.23.2.7
 pizza.binary.kitchen ansible_host=172.23.2.33
 bob.binary.kitchen ansible_host=172.23.2.37
-bowle.binary.kitchen ansible_host=172.23.2.62 ansible_python_interpreter=/usr/local/bin/python2.7
+bowle.binary.kitchen ansible_host=172.23.2.62
 salat.binary.kitchen ansible_host=172.23.9.61
+[auweg]
+aeron.binary.kitchen ansible_host=172.23.13.3
+weizen.binary.kitchen ansible_host=172.23.12.61
 [fan_rz]
 helium.binary-kitchen.net
 lithium.binary-kitchen.net
@@ -23,5 +27,6 @@ krypton.binary-kitchen.net
 yttrium.binary-kitchen.net
 zirconium.binary-kitchen.net
 molybdenum.binary-kitchen.net
-technetium.binary-kitchen.net
 ruthenium.binary-kitchen.net
+rhodium.binary-kitchen.net
+barium.binary-kitchen.net

roles/common/files/50-virtio-kernel-names.link

@@ -1,10 +0,0 @@
-# udev 226 introduced predictable interface names for virtio;
-# disable this for upgrades. You can remove this file if you update your
-# network configuration to move to the ens* names instead.
-# See /usr/share/doc/udev/README.Debian.gz for details about predictable
-# network interface names.
-[Match]
-Driver=virtio_net
-
-[Link]
-NamePolicy=onboard kernel

roles/common/files/99-default.link

@@ -1,6 +0,0 @@
-# This machine is most likely a virtualized guest, where the old persistent
-# network interface mechanism (75-persistent-net-generator.rules) did not work.
-# This file disables /lib/systemd/network/99-default.link to avoid
-# changing network interface names on upgrade. Please read
-# /usr/share/doc/udev/README.Debian.gz about how to migrate to the currently
-# supported mechanism.

roles/common/handlers/main.yml

@@ -1,7 +1,13 @@
 ---
 
+- name: Restart chrony
+  service: name=chrony state=restarted
+
 - name: Restart journald
   service: name=systemd-journald state=restarted
 
+- name: update-grub
+  command: update-grub
+
 - name: update-initramfs
   command: update-initramfs -u -k all

roles/common/tasks/Debian.yml

@@ -3,7 +3,9 @@
 - name: Install misc software
   apt:
     name:
+    - apt-transport-https
     - dnsutils
+    - gnupg2
     - htop
     - less
     - net-tools
@@ -34,21 +36,18 @@
 - name: Set shell for root user
   user: name=root shell=/bin/zsh
 
-- name: Create LDAP client config
-  template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
-
 - name: Disable hibernation/resume
   copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
   notify: update-initramfs
 
-# TODO template /etc/network/interfaces
-
-- name: Fix network interface names
-  copy: src={{ item }} dest=/etc/systemd/network/{{ item }}
-  with_items:
-  - 50-virtio-kernel-names.link
-  - 99-default.link
-  notify: update-initramfs
+- name: Enable serial console on KVM VMs
+  lineinfile:
+    path: "/etc/default/grub"
+    state: "present"
+    regexp: "^#?GRUB_CMDLINE_LINUX=.*"
+    line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
+  notify: update-grub
+  when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
 
 - name: Prevent normal users from running su
   lineinfile:

roles/common/tasks/FreeBSD.yml

@@ -1,14 +0,0 @@
----
-
-- name: Install misc software
-  pkgng:
-    name:
-    - vim-lite
-    - htop
-    - zsh
-
-- name: Configure misc software
-  copy: src={{ item.src }} dest={{ item.dest }}
-  with_items:
-  - { src: '.zshrc', dest: '/root/.zshrc' }
-  - { src: '.zshrc.local', dest: '/root/.zshrc.local' }

roles/common/tasks/Proxmox.yml

@@ -13,6 +13,7 @@
 
 - name: Configure misc software
   copy: src={{ item.src }} dest={{ item.dest }}
+  diff: no
   with_items:
   - { src: '.zshrc', dest: '/root/.zshrc' }
   - { src: '.zshrc.local', dest: '/root/.zshrc.local' }

roles/common/tasks/chrony.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Install chrony
+  apt: name=chrony
+
+- name: Configure chrony
+  template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
+  notify: Restart chrony

roles/common/tasks/main.yml

@@ -17,6 +17,5 @@
   include: Debian.yml
   when: ansible_os_family == 'Debian' and 'pve-manager' not in ansible_facts.packages
 
-- name: FreeBSD
-  include: FreeBSD.yml
-  when: ansible_distribution == 'FreeBSD'
+- name: Setup chrony
+  include: chrony.yml

roles/common/templates/chrony.conf.j2

@@ -0,0 +1,46 @@
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usable directives.
+
+{% for srv in ntp_servers %}
+server {{ srv }} iburst
+{% endfor %}
+{% if ntp_peers is defined %}
+
+{% for peer in ntp_peers %}
+peer {{ peer }}
+{% endfor %}
+{% endif %}
+
+{% if ntp_server is defined and ntp_server is true %}
+allow 172.23.0.0/16
+{% endif -%}
+
+# This directive specify the location of the file containing ID/key pairs for
+# NTP authentication.
+keyfile /etc/chrony/chrony.keys
+
+# This directive specify the file into which chronyd will store the rate
+# information.
+driftfile /var/lib/chrony/chrony.drift
+
+# Uncomment the following line to turn logging on.
+#log tracking measurements statistics
+
+# Log files location.
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1 3
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+# This directive must be commented out when using time sources serving
+# leap-smeared time.
+leapsectz right/UTC

roles/common/templates/ldap.conf.j2

@@ -1,19 +0,0 @@
-#
-# LDAP Defaults
-#
-
-# See ldap.conf(5) for details
-# This file should be world readable but not world writable.
-
-BASE	{{ ldap_base }}
-URI	{{ ldap_uri }}
-
-#SIZELIMIT	12
-#TIMELIMIT	15
-#DEREF		never
-
-# TLS certificates (needed for GnuTLS)
-TLS_REQCERT demand
-TLS_CACERTDIR /etc/ssl/certs
-TLS_CACERT /etc/ssl/certs/ca-certificates.crt
-

roles/coturn/templates/turnserver.conf.j2

@@ -1,52 +1,60 @@
 # Coturn TURN SERVER configuration file
 #
-# Boolean values note: where boolean value is supposed to be used,
-# you can use '0', 'off', 'no', 'false', 'f' as 'false, 
-# and you can use '1', 'on', 'yes', 'true', 't' as 'true' 
-# If the value is missed, then it means 'true'.
+# Boolean values note: where a boolean value is supposed to be used,
+# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
+# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
+# If the value is missing, then it means 'true' by default.
 #
 
 # Listener interface device (optional, Linux only).
-# NOT RECOMMENDED. 
+# NOT RECOMMENDED.
 #
 #listening-device=eth0
 
 # TURN listener port for UDP and TCP (Default: 3478).
-# Note: actually, TLS & DTLS sessions can connect to the 
+# Note: actually, TLS & DTLS sessions can connect to the
 # "plain" TCP & UDP port(s), too - if allowed by configuration.
 #
 #listening-port=3478
 
 # TURN listener port for TLS (Default: 5349).
 # Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
-# port(s), too - if allowed by configuration. The TURN server 
+# port(s), too - if allowed by configuration. The TURN server
 # "automatically" recognizes the type of traffic. Actually, two listening
 # endpoints (the "plain" one and the "tls" one) are equivalent in terms of
-# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
-# For secure TCP connections, we currently support SSL version 3 and 
+# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
+# For secure TCP connections, Coturn currently supports
 # TLS version 1.0, 1.1 and 1.2.
-# For secure UDP connections, we support DTLS version 1.
+# For secure UDP connections, Coturn supports DTLS version 1.
 #
 #tls-listening-port=5349
 
 # Alternative listening port for UDP and TCP listeners;
-# default (or zero) value means "listening port plus one". 
+# default (or zero) value means "listening port plus one".
 # This is needed for RFC 5780 support
-# (STUN extension specs, NAT behavior discovery). The TURN Server 
-# supports RFC 5780 only if it is started with more than one 
+# (STUN extension specs, NAT behavior discovery). The TURN Server
+# supports RFC 5780 only if it is started with more than one
 # listening IP address of the same family (IPv4 or IPv6).
 # RFC 5780 is supported only by UDP protocol, other protocols
 # are listening to that endpoint only for "symmetry".
 #
 #alt-listening-port=0
-							 
+
 # Alternative listening port for TLS and DTLS protocols.
 # Default (or zero) value means "TLS listening port plus one".
 #
 #alt-tls-listening-port=0
-	
+
+# Some network setups will require using a TCP reverse proxy in front
+# of the STUN server. If the proxy port option is set a single listener
+# is started on the given port that accepts connections using the
+# haproxy proxy protocol v2.
+# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
+#
+#tcp-proxy-port=5555
+
 # Listener IP address of relay server. Multiple listeners can be specified.
-# If no IP(s) specified in the config file or in the command line options, 
+# If no IP(s) specified in the config file or in the command line options,
 # then all IPv4 and IPv6 system IPs will be used for listening.
 #
 #listening-ip=172.17.19.101
@@ -61,7 +69,7 @@
 # they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
 #
 # 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
-# 
+#
 # Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
 #
 # There may be multiple aux-server options, each will be used for listening
@@ -73,7 +81,7 @@
 # (recommended for older Linuxes only)
 # Automatically balance UDP traffic over auxiliary servers (if configured).
 # The load balancing is using the ALTERNATE-SERVER mechanism.
-# The TURN client must support 300 ALTERNATE-SERVER response for this 
+# The TURN client must support 300 ALTERNATE-SERVER response for this
 # functionality.
 #
 #udp-self-balance
@@ -83,13 +91,13 @@
 #
 #relay-device=eth1
 
-# Relay address (the local IP address that will be used to relay the 
+# Relay address (the local IP address that will be used to relay the
 # packets to the peer).
 # Multiple relay addresses may be used.
 # The same IP(s) can be used as both listening IP(s) and relay IP(s).
 #
 # If no relay IP(s) specified, then the turnserver will apply the default
-# policy: it will decide itself which relay addresses to be used, and it 
+# policy: it will decide itself which relay addresses to be used, and it
 # will always be using the client socket IP address as the relay IP address
 # of the TURN session (if the requested relay address family is the same
 # as the family of the client socket).
@@ -112,7 +120,7 @@
 # that option must be used several times, each entry must
 # have form "-X <public-ip/private-ip>", to map all involved addresses.
 # RFC5780 NAT discovery STUN functionality will work correctly,
-# if the addresses are mapped properly, even when the TURN server itself 
+# if the addresses are mapped properly, even when the TURN server itself
 # is behind A NAT.
 #
 # By default, this value is empty, and no address mapping is used.
@@ -127,18 +135,18 @@
 
 # Number of the relay threads to handle the established connections
 # (in addition to authentication thread and the listener thread).
-# If explicitly set to 0 then application runs relay process in a 
-# single thread, in the same thread with the listener process 
+# If explicitly set to 0 then application runs relay process in a
+# single thread, in the same thread with the listener process
 # (the authentication thread will still be a separate thread).
 #
-# If this parameter is not set, then the default OS-dependent 
+# If this parameter is not set, then the default OS-dependent
 # thread pattern algorithm will be employed. Usually the default
-# algorithm is the most optimal, so you have to change this option
-# only if you want to make some fine tweaks. 
+# algorithm is optimal, so you have to change this option
+# if you want to make some fine tweaks.
 #
 # In the older systems (Linux kernel before 3.9),
 # the number of UDP threads is always one thread per network listening
-# endpoint - including the auxiliary endpoints - unless 0 (zero) or 
+# endpoint - including the auxiliary endpoints - unless 0 (zero) or
 # 1 (one) value is set.
 #
 #relay-threads=0
@@ -148,15 +156,15 @@
 #
 #min-port=49152
 #max-port=65535
-	
+
 # Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
 # By default the verbose mode is off.
 #verbose
-	
+
 # Uncomment to run TURN server in 'extra' verbose mode.
 # This mode is very annoying and produces lots of output.
-# Not recommended under any normal circumstances.
-#	
+# Not recommended under normal circumstances.
+#
 #Verbose
 
 # Uncomment to use fingerprints in the TURN messages.
@@ -169,58 +177,69 @@ fingerprint
 #
 #lt-cred-mech
 
-# This option is opposite to lt-cred-mech. 
+# This option is the opposite of lt-cred-mech.
 # (TURN Server with no-auth option allows anonymous access).
 # If neither option is defined, and no users are defined,
-# then no-auth is default. If at least one user is defined, 
-# in this file or in command line or in usersdb file, then
+# then no-auth is default. If at least one user is defined,
+# in this file, in command line or in usersdb file, then
 # lt-cred-mech is default.
 #
 #no-auth
 
+# Enable prometheus exporter
+# If enabled the turnserver will expose an endpoint with stats on a prometheus format
+# this endpoint is listening on a different port to not conflict with other configurations.
+#
+# You can simply run the turnserver and access the port 9641 and path /metrics
+#
+# For mor info on the prometheus exporter and metrics
+# https://prometheus.io/docs/introduction/overview/
+# https://prometheus.io/docs/concepts/data_model/
+#
+#prometheus
+
 # TURN REST API flag.
 # (Time Limited Long Term Credential)
 # Flag that sets a special authorization option that is based upon authentication secret.
 #
 # This feature's purpose is to support "TURN Server REST API", see
-# "TURN REST API" link in the project's page 
+# "TURN REST API" link in the project's page
 # https://github.com/coturn/coturn/
 #
 # This option is used with timestamp:
-# 
+#
 # usercombo -> "timestamp:userid"
 # turn user -> usercombo
 # turn password -> base64(hmac(secret key, usercombo))
 #
 # This allows TURN credentials to be accounted for a specific user id.
-# If you don't have a suitable id, the timestamp alone can be used.
-# This option is just turning on secret-based authentication.
-# The actual value of the secret is defined either by option static-auth-secret,
+# If you don't have a suitable id, then the timestamp alone can be used.
+# This option is enabled by turning on secret-based authentication.
+# The actual value of the secret is defined either by the option static-auth-secret,
 # or can be found in the turn_secret table in the database (see below).
-# 
+#
 # Read more about it:
 #  - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
 #  - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
 #
-# Be aware that use-auth-secret overrides some part of lt-cred-mech.
-# Notice that this feature depends internally on lt-cred-mech, so if you set
-# use-auth-secret then it enables internally automatically lt-cred-mech option
-# like if you enable both.
+# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
+# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
+# this option then it automatically enables lt-cred-mech internally
+# as if you had enabled both.
 #
-# You can use only one of the to auth mechanisms in the same time because,
-# both mechanism use the username and password validation in different way.
+# Note that you can use only one auth mechanism at the same time! This is because,
+# both mechanisms conduct username and password validation in different ways.
 #
-# This way be aware that you can't use both auth mechnaism in the same time!
-# Use in config either the lt-cred-mech or the use-auth-secret
+# Use either lt-cred-mech or use-auth-secret in the conf
 # to avoid any confusion.
 #
 use-auth-secret
 
-# 'Static' authentication secret value (a string) for TURN REST API only. 
+# 'Static' authentication secret value (a string) for TURN REST API only.
 # If not set, then the turn server
-# will try to use the 'dynamic' value in turn_secret table
-# in user database (if present). The database-stored  value can be changed on-the-fly
-# by a separate program, so this is why that other mode is 'dynamic'.
+# will try to use the 'dynamic' value in the turn_secret table
+# in the user database (if present). The database-stored  value can be changed on-the-fly
+# by a separate program, so this is why that mode is considered 'dynamic'.
 #
 static-auth-secret={{ coturn_secret }}
 
@@ -234,10 +253,10 @@ static-auth-secret={{ coturn_secret }}
 #
 #oauth
 
-# 'Static' user accounts for long term credentials mechanism, only.
+# 'Static' user accounts for the long term credentials mechanism, only.
 # This option cannot be used with TURN REST API.
-# 'Static' user accounts are NOT dynamically checked by the turnserver process, 
-# so that they can NOT be changed while the turnserver is running.
+# 'Static' user accounts are NOT dynamically checked by the turnserver process,
+# so they can NOT be changed while the turnserver is running.
 #
 #user=username1:key1
 #user=username2:key2
@@ -255,7 +274,7 @@ static-auth-secret={{ coturn_secret }}
 # password. If it has 0x then it is a key, otherwise it is a password).
 #
 # The corresponding user account entry in the config file will be:
-# 
+#
 #user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
 # Or, equivalently, with open clear password (less secure):
 #user=ninefingers:youhavetoberealistic
@@ -263,83 +282,83 @@ static-auth-secret={{ coturn_secret }}
 
 # SQLite database file name.
 #
-# Default file name is /var/db/turndb or /usr/local/var/db/turndb or
+# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
 # /var/lib/turn/turndb.
-# 
+#
 #userdb=/var/db/turndb
 
-# PostgreSQL database connection string in the case that we are using PostgreSQL
+# PostgreSQL database connection string in the case that you are using PostgreSQL
 # as the user database.
-# This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN RESP API. 
+# This database can be used for the long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
 # See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
-# versions connection string format, see 
+# versions connection string format, see
 # http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
 # for 9.x and newer connection string formats.
 #
 #psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
 
-# MySQL database connection string in the case that we are using MySQL
+# MySQL database connection string in the case that you are using MySQL
 # as the user database.
-# This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN RESP API.
+# This database can be used for the long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
 #
-# Optional connection string parameters for the secure communications (SSL): 
-# ca, capath, cert, key, cipher 
-# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the 
+# Optional connection string parameters for the secure communications (SSL):
+# ca, capath, cert, key, cipher
+# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
 # command options description).
 #
-# Use string format as below (space separated parameters, all optional):
+# Use the string format below (space separated parameters, all optional):
 #
 #mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
 
-# If you want to use in the MySQL connection string the password in encrypted format,
-# then set in this option the MySQL password encryption secret key file.
+# If you want to use an encrypted password in the MySQL connection string,
+# then set the MySQL password encryption secret key file with this option.
 #
-# Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format! 
-# If you want to use cleartext password then do not set this option!
+# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
+# If you want to use a cleartext password then do not set this option!
 #
-# This is the file path which contain secret key of aes encryption while using password encryption.
+# This is the file path for the aes encrypted secret key used for password encryption.
 #
 #secret-key-file=/path/
 
-# MongoDB database connection string in the case that we are using MongoDB
+# MongoDB database connection string in the case that you are using MongoDB
 # as the user database.
 # This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN RESP API. 
-# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
 #
 #mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
 
-# Redis database connection string in the case that we are using Redis
+# Redis database connection string in the case that you are using Redis
 # as the user database.
 # This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN RESP API. 
-# Use string format as below (space separated parameters, all optional):
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# Use the string format below (space separated parameters, all optional):
 #
 #redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 
 # Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
 # This database keeps allocations status information, and it can be also used for publishing
 # and delivering traffic and allocation event notifications.
-# The connection string has the same parameters as redis-userdb connection string. 
-# Use string format as below (space separated parameters, all optional):
+# The connection string has the same parameters as redis-userdb connection string.
+# Use the string format below (space separated parameters, all optional):
 #
 #redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 
-# The default realm to be used for the users when no explicit 
-# origin/realm relationship was found in the database, or if the TURN
+# The default realm to be used for the users when no explicit
+# origin/realm relationship is found in the database, or if the TURN
 # server is not using any database (just the commands-line settings
-# and the userdb file). Must be used with long-term credentials 
+# and the userdb file). Must be used with long-term credentials
 # mechanism or with TURN REST API.
 #
-# Note: If default realm is not specified at all, then realm falls back to the host domain name.
-#       If domain name is empty string, or '(None)', then it is initialized to am empty string.
+# Note: If the default realm is not specified, then realm falls back to the host domain name.
+#       If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
 #
 realm={{ coturn_realm }}
 
-# The flag that sets the origin consistency 
-# check: across the session, all requests must have the same
+# This flag sets the origin consistency
+# check. Across the session, all requests must have the same
 # main ORIGIN attribute value (if the ORIGIN was
 # initially used by the session).
 #
@@ -359,7 +378,7 @@ realm={{ coturn_realm }}
 
 # Max bytes-per-second bandwidth a TURN session is allowed to handle
 # (input and output network streams are treated separately). Anything above
-# that limit will be dropped or temporary suppressed (within
+# that limit will be dropped or temporarily suppressed (within
 # the available buffer limits).
 # This option can also be set through the database, for a particular realm.
 #
@@ -403,11 +422,11 @@ no-dtls
 #no-tcp-relay
 
 # Uncomment if extra security is desired,
-# with nonce value having limited lifetime.
-# By default, the nonce value is unique for a session,
-# and has unlimited lifetime. 
-# Set this option to limit the nonce lifetime. 
-# It defaults to 600 secs (10 min) if no value is provided. After that delay, 
+# with nonce value having a limited lifetime.
+# The nonce value is unique for a session.
+# Set this option to limit the nonce lifetime.
+# Set it to 0 for unlimited lifetime.
+# It defaults to 600 secs (10 min) if no value is provided. After that delay,
 # the client will get 438 error and will have to re-authenticate itself.
 #
 #stale-nonce=600
@@ -433,13 +452,14 @@ no-dtls
 #permission-lifetime=300
 
 # Certificate file.
-# Use an absolute path or path relative to the 
+# Use an absolute path or path relative to the
 # configuration file.
+# Use PEM file format.
 #
 #cert=/usr/local/etc/turn_server_cert.pem
 
 # Private key file.
-# Use an absolute path or path relative to the 
+# Use an absolute path or path relative to the
 # configuration file.
 # Use PEM file format.
 #
@@ -455,29 +475,29 @@ no-dtls
 #
 #cipher-list="DEFAULT"
 
-# CA file in OpenSSL format. 
+# CA file in OpenSSL format.
 # Forces TURN server to verify the client SSL certificates.
-# By default it is not set: there is no default value and the client
+# By default this is not set: there is no default value and the client
 # certificate is not checked.
 #
 # Example:
 #CA-file=/etc/ssh/id_rsa.cert
 
-# Curve name for EC ciphers, if supported by OpenSSL 
-# library (TLS and DTLS). The default value is prime256v1, 
+# Curve name for EC ciphers, if supported by OpenSSL
+# library (TLS and DTLS). The default value is prime256v1,
 # if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
 # an optimal curve will be automatically calculated, if not defined
 # by this option.
 #
 #ec-curve-name=prime256v1
 
-# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
+# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
 #
 #dh566
 
-# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
+# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
 #
-#dh2066
+#dh1066
 
 # Use custom DH TLS key, stored in PEM format in the file.
 # Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
@@ -485,21 +505,21 @@ no-dtls
 #dh-file=<DH-PEM-file-name>
 
 # Flag to prevent stdout log messages.
-# By default, all log messages are going to both stdout and to 
-# the configured log file. With this option everything will be 
-# going to the configured log only (unless the log file itself is stdout).
+# By default, all log messages go to both stdout and to
+# the configured log file. With this option everything will
+# go to the configured log only (unless the log file itself is stdout).
 #
 #no-stdout-log
 
 # Option to set the log file name.
-# By default, the turnserver tries to open a log file in 
-# /var/log, /var/tmp, /tmp and current directories directories
-# (which open operation succeeds first that file will be used).
+# By default, the turnserver tries to open a log file in
+# /var/log, /var/tmp, /tmp and the current directory
+# (Whichever file open operation succeeds first will be used).
 # With this option you can set the definite log file name.
-# The special names are "stdout" and "-" - they will force everything 
+# The special names are "stdout" and "-" - they will force everything
 # to the stdout. Also, the "syslog" name will force everything to
-# the system log (syslog). 
-# In the runtime, the logfile can be reset with the SIGHUP signal 
+# the system log (syslog).
+# In the runtime, the logfile can be reset with the SIGHUP signal
 # to the turnserver process.
 #
 #log-file=/var/tmp/turn.log
@@ -514,41 +534,51 @@ syslog
 #
 #simple-log
 
+# Enable full ISO-8601 timestamp in all logs.
+#new-log-timestamp
+
+# Set timestamp format (in strftime(1) format)
+#new-log-timestamp-format "%FT%T%z"
+
+# Disabled by default binding logging in verbose log mode to avoid DoS attacks.
+# Enable binding logging and UDP endpoint logs in verbose log mode.
+#log-binding
+
 # Option to set the "redirection" mode. The value of this option
-# will be the address of the alternate server for UDP & TCP service in form of 
+# will be the address of the alternate server for UDP & TCP service in the form of
 # <ip>[:<port>]. The server will send this value in the attribute
 # ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
 # Client will receive only values with the same address family
-# as the client network endpoint address family. 
-# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description. 
+# as the client network endpoint address family.
+# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
 # The client must use the obtained value for subsequent TURN communications.
-# If more than one --alternate-server options are provided, then the functionality
-# can be more accurately described as "load-balancing" than a mere "redirection". 
-# If the port number is omitted, then the default port 
+# If more than one --alternate-server option is provided, then the functionality
+# can be more accurately described as "load-balancing" than a mere "redirection".
+# If the port number is omitted, then the default port
 # number 3478 for the UDP/TCP protocols will be used.
-# Colon (:) characters in IPv6 addresses may conflict with the syntax of 
-# the option. To alleviate this conflict, literal IPv6 addresses are enclosed 
-# in square brackets in such resource identifiers, for example: 
-# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 . 
+# Colon (:) characters in IPv6 addresses may conflict with the syntax of
+# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
+# in square brackets in such resource identifiers, for example:
+# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
 # Multiple alternate servers can be set. They will be used in the
-# round-robin manner. All servers in the pool are considered of equal weight and 
-# the load will be distributed equally. For example, if we have 4 alternate servers, 
-# then each server will receive 25% of ALLOCATE requests. A alternate TURN server 
-# address can be used more than one time with the alternate-server option, so this 
+# round-robin manner. All servers in the pool are considered of equal weight and
+# the load will be distributed equally. For example, if you have 4 alternate servers,
+# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
+# address can be used more than one time with the alternate-server option, so this
 # can emulate "weighting" of the servers.
 #
-# Examples: 
+# Examples:
 #alternate-server=1.2.3.4:5678
 #alternate-server=11.22.33.44:56789
 #alternate-server=5.6.7.8
 #alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
-			
-# Option to set alternative server for TLS & DTLS services in form of 
-# <ip>:<port>. If the port number is omitted, then the default port 
-# number 5349 for the TLS/DTLS protocols will be used. See the previous 
+
+# Option to set alternative server for TLS & DTLS services in form of
+# <ip>:<port>. If the port number is omitted, then the default port
+# number 5349 for the TLS/DTLS protocols will be used. See the previous
 # option for the functionality description.
 #
-# Examples: 
+# Examples:
 #tls-alternate-server=1.2.3.4:5678
 #tls-alternate-server=11.22.33.44:56789
 #tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
@@ -559,6 +589,15 @@ syslog
 #
 #stun-only
 
+# Option to hide software version. Enhance security when used in production.
+# Revealing the specific software version of the agent through the
+# SOFTWARE attribute might allow them to become more vulnerable to
+# attacks against software that is known to contain security holes.
+# Implementers SHOULD make usage of the SOFTWARE attribute a
+# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
+#
+#no-software-attribute
+
 # Option to suppress STUN functionality, only TURN requests will be processed.
 # Run as TURN server only, all STUN requests will be ignored.
 # By default, this option is NOT set.
@@ -567,7 +606,7 @@ syslog
 
 # This is the timestamp/username separator symbol (character) in TURN REST API.
 # The default value is ':'.
-# rest-api-separator=:	
+# rest-api-separator=:
 
 # Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
 # This is an extra security measure.
@@ -575,9 +614,9 @@ syslog
 # (To avoid any security issue that allowing loopback access may raise,
 # the no-loopback-peers option is replaced by allow-loopback-peers.)
 #
-# Allow it only for testing in a development environment! 
-# In production it adds a possible security vulnerability, so for security reasons 
-# it is not allowed using it together with empty cli-password. 
+# Allow it only for testing in a development environment!
+# In production it adds a possible security vulnerability, so for security reasons
+# it is not allowed using it together with empty cli-password.
 #
 #allow-loopback-peers
 
@@ -586,18 +625,18 @@ syslog
 #
 no-multicast-peers
 
-# Option to set the max time, in seconds, allowed for full allocation establishment. 
+# Option to set the max time, in seconds, allowed for full allocation establishment.
 # Default is 60 seconds.
 #
 #max-allocate-timeout=60
 
-# Option to allow or ban specific ip addresses or ranges of ip addresses. 
-# If an ip address is specified as both allowed and denied, then the ip address is 
-# considered to be allowed. This is useful when you wish to ban a range of ip 
+# Option to allow or ban specific ip addresses or ranges of ip addresses.
+# If an ip address is specified as both allowed and denied, then the ip address is
+# considered to be allowed. This is useful when you wish to ban a range of ip
 # addresses, except for a few specific ips within that range.
 #
 # This can be used when you do not want users of the turn server to be able to access
-# machines reachable by the turn server, but would otherwise be unreachable from the 
+# machines reachable by the turn server, but would otherwise be unreachable from the
 # internet (e.g. when the turn server is sitting behind a NAT)
 #
 # Examples:
@@ -619,22 +658,22 @@ no-multicast-peers
 #
 mobility
 
-# Allocate Address Family according 
-# If enabled then TURN server allocates address family according  the TURN 
+# Allocate Address Family according
+# If enabled then TURN server allocates address family according  the TURN
 # Client <=> Server communication address family.
-# (By default coTURN works according RFC 6156.)
+# (By default Coturn works according RFC 6156.)
 # !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
 #
 #keep-address-family
 
 
 # User name to run the process. After the initialization, the turnserver process
-# will make an attempt to change the current user ID to that user.
+# will attempt to change the current user ID to that user.
 #
 #proc-user=<user-name>
 
 # Group name to run the process. After the initialization, the turnserver process
-# will make an attempt to change the current group ID to that group.
+# will attempt to change the current group ID to that group.
 #
 #proc-group=<group-name>
 
@@ -654,8 +693,8 @@ mobility
 #cli-port=5766
 
 # CLI access password. Default is empty (no password).
-# For the security reasons, it is recommended to use the encrypted
-# for of the password (see the -P command in the turnadmin utility).
+# For the security reasons, it is recommended that you use the encrypted
+# form of the password (see the -P command in the turnadmin utility).
 #
 # Secure form for password 'qwerty':
 #
@@ -684,10 +723,14 @@ mobility
 #
 #web-admin-listen-on-workers
 
-# Server relay. NON-STANDARD AND DANGEROUS OPTION. 
-# Only for those applications when we want to run 
+#acme-redirect=http://redirectserver/.well-known/acme-challenge/
+# Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.
+# Default is '', i.e. no special handling for such requests.
+
+# Server relay. NON-STANDARD AND DANGEROUS OPTION.
+# Only for those applications when you want to run
 # server applications on the relay endpoints.
-# This option eliminates the IP permissions check on 
+# This option eliminates the IP permissions check on
 # the packets incoming to the relay endpoints.
 #
 #server-relay

roles/dhcpd/templates/default/isc-dhcp-server.j2

@@ -3,10 +3,12 @@
 #
 
 # Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
-#DHCPD_CONF=/etc/dhcp/dhcpd.conf
+#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
+#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
 
 # Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
-#DHCPD_PID=/var/run/dhcpd.pid
+#DHCPDv4_PID=/var/run/dhcpd.pid
+#DHCPDv6_PID=/var/run/dhcpd6.pid
 
 # Additional options to start dhcpd with.
 #	Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
@@ -14,4 +16,6 @@
 
 # On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
 #	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
-INTERFACES="eth0"
+INTERFACESv4="{{ ansible_default_ipv4['interface'] }}"
+INTERFACESv6=""
+INTERFACES="{{ ansible_default_ipv4['interface'] }}"

roles/dhcpd/templates/dhcp/dhcpd.conf.j2

@@ -3,13 +3,15 @@
 # option definitions common to all supported networks...
 option domain-name "binary.kitchen";
 option domain-name-servers {{ name_servers | join(', ') }};
+option domain-search "binary.kitchen";
 option ntp-servers 172.23.1.60, 172.23.2.3;
 
 default-lease-time 7200;
 max-lease-time 28800;
 
 # Use this to enble / disable dynamic dns updates globally.
-ddns-update-style none;
+ddns-update-style interim;
+ddns-updates on;
 
 # If this DHCP server is the official DHCP server for the local
 # network, the authoritative directive should be uncommented.
@@ -61,6 +63,8 @@ subnet 172.23.2.0 netmask 255.255.255.0 {
 # Users
 subnet 172.23.3.0 netmask 255.255.255.0 {
   option routers 172.23.3.1;
+  ddns-domainname "users.binary.kitchen";
+  option domain-search "binary.kitchen", "users.binary.kitchen";
   pool {
 {% if dhcpd_failover == true %}
     failover peer "failover-partner";
@@ -80,6 +84,47 @@ subnet 172.23.4.0 netmask 255.255.255.0 {
   }
 }
 
+# Management Auweg
+subnet 172.23.12.0 netmask 255.255.255.0 {
+  option routers 172.23.12.1;
+}
+
+# Services Auweg
+subnet 172.23.13.0 netmask 255.255.255.0 {
+  allow bootp;
+  option routers 172.23.13.1;
+}
+
+# Users Auweg
+subnet 172.23.14.0 netmask 255.255.255.0 {
+  option routers 172.23.3.1;
+  ddns-domainname "users.binary.kitchen";
+  option domain-search "binary.kitchen", "users.binary.kitchen";
+  pool {
+{% if dhcpd_failover == true %}
+    failover peer "failover-partner";
+{% endif %}
+    range 172.23.14.10 172.23.14.230;
+  }
+}
+
+# MQTT Auweg
+subnet 172.23.15.0 netmask 255.255.255.0 {
+  option routers 172.23.4.1;
+  pool {
+{% if dhcpd_failover == true %}
+    failover peer "failover-partner";
+{% endif %}
+    range 172.23.15.10 172.23.15.240;
+  }
+}
+
+# DDNS zones
+
+zone users.binary.kitchen {
+  primary {{ dns_primary }};
+}
+
 
 # Fixed IPs
 
@@ -98,6 +143,11 @@ host ap05 {
   fixed-address ap05.binary.kitchen;
 }
 
+host ap06 {
+  hardware ethernet 94:b4:0f:c0:1d:a0;
+  fixed-address ap06.binary.kitchen;
+}
+
 host bowle {
   hardware ethernet ac:1f:6b:25:16:b6;
   fixed-address bowle.binary.kitchen;
@@ -108,11 +158,6 @@ host cannelloni {
   fixed-address cannelloni.binary.kitchen;
 }
 
-host cashdesk {
-  hardware ethernet 00:0b:ca:94:13:f1;
-  fixed-address cashdesk.binary.kitchen;
-}
-
 host fusilli {
   hardware ethernet b8:27:eb:1d:b9:bf;
   fixed-address fusilli.binary.kitchen;
@@ -123,9 +168,14 @@ host garlic {
   fixed-address garlic.binary.kitchen;
 }
 
-host homer {
-  hardware ethernet b8:27:eb:24:b2:12;
-  fixed-address homer.binary.kitchen;
+host habdisplay1 {
+  hardware ethernet b8:27:eb:b6:62:be;
+  fixed-address habdisplay1.mqtt.binary.kitchen;
+}
+
+host habdisplay2 {
+  hardware ethernet b8:27:eb:df:0b:7b;
+  fixed-address habdisplay2.mqtt.binary.kitchen;
 }
 
 host klopi {
@@ -163,16 +213,16 @@ host noodlehub {
   fixed-address noodlehub.binary.kitchen;
 }
 
+host openhabgw1 {
+  hardware ethernet dc:a6:32:bf:e2:3e;
+  fixed-address openhabgw1.mqtt.binary.kitchen;
+}
+
 host pizza {
   hardware ethernet 52:54:00:17:02:21;
   fixed-address pizza.binary.kitchen;
 }
 
-host punsch {
-  hardware ethernet 00:21:85:1b:7f:3d;
-  fixed-address punsch.binary.kitchen;
-}
-
 host spaghetti {
   hardware ethernet b8:27:eb:e3:e9:f1;
   fixed-address spaghetti.binary.kitchen;

roles/dns_extern/tasks/main.yml

@@ -5,11 +5,21 @@
     name:
     - pdns-server
     - pdns-backend-sqlite3
+    - sqlite3
 
 - name: Configure powerdns
   template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
   notify: Restart powerdns
 
+- name: Initialize database
+  command:
+    cmd: >
+      sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
+      /var/lib/powerdns/powerdns.sqlite3
+    creates: /var/lib/powerdns/powerdns.sqlite3
+  become: true
+  become_user: pdns
+
 - name: Copy update policy script
   copy: src=updatepolicy.lua dest=/etc/powerdns/updatepolicy.lua
   notify: Restart powerdns

roles/dns_extern/templates/pdns.conf.j2

@@ -11,3 +11,4 @@ allow-axfr-ips=127.0.0.1,::1{% if dns_axfr_ips is defined %},{{ dns_axfr_ips | j
 {% endif %}
 allow-dnsupdate-from=0.0.0.0/0,::/0
 lua-dnsupdate-policy-script=/etc/powerdns/updatepolicy.lua
+security-poll-suffix=

roles/dns_intern/handlers/main.yml

@@ -5,3 +5,6 @@
   with_items:
    - pdns
    - pdns-recursor
+
+- name: Restart dnsdist
+  service: name=dnsdist state=restarted

roles/dns_intern/tasks/main.yml

@@ -3,8 +3,11 @@
 - name: Install powerdns
   apt:
     name:
+    - dnsdist
+    - pdns-backend-sqlite3
     - pdns-server
     - pdns-recursor
+    - sqlite3
 
 - name: Create zone directory
   file: path=/etc/powerdns/bind/ state=directory
@@ -19,8 +22,28 @@
   - bind/23.172.in-addr.arpa.zone
   - bind/binary.kitchen.zone
 
+- name: Initialize database
+  command:
+    cmd: >
+      sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
+      /var/lib/powerdns/pdns.sqlite3
+    creates: /var/lib/powerdns/pdns.sqlite3
+  become: true
+  become_user: pdns
+
+# TODO
+# Initialize zone users.binary.kitchen using pdnsutil or SQL on the master
+
+# TODO
+# Initialize zone users.binary.kitchen using "pdnsutil create-slave-zone users.binary.kitchen 172.23.2.3" on the slave
+
+- name: Configure dnsdist
+  template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
+  notify: Restart dnsdist
+
 - name: Start the powerdns services
   service: name={{ item }} state=started enabled=yes
   with_items:
+  - dnsdist
   - pdns
   - pdns-recursor

roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2

@@ -1,19 +1,19 @@
 $ORIGIN 23.172.in-addr.arpa.	; base for unqualified names
 $TTL 1h				; default time-to-live
-@				IN	SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
-					2020051101; serial
+@				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
+					2021091301; serial
 					1d; refresh
 					2h; retry
 					4w; expire
 					1h; minimum time-to-live
 				)
-				IN	NS	ns.binary.kitchen.
+				IN	NS	ns1.binary.kitchen.
+				IN	NS	ns2.binary.kitchen.
 ; Loopback
 1.0				IN	PTR	core.binary.kitchen.
 2.0				IN	PTR	erx-bk.binary.kitchen.
 3.0				IN	PTR	erx-rz.binary.kitchen.
-4.0				IN	PTR	pf-bk.binary.kitchen.
-5.0				IN	PTR	pf-rz.binary.kitchen.
+4.0				IN	PTR	erx-auweg.binary.kitchen.
 ; Management
 1.1				IN	PTR	v2301.core.binary.kitchen.
 11.1				IN	PTR	ups1.binary.kitchen.
@@ -28,6 +28,7 @@ $TTL 1h				; default time-to-live
 43.1				IN	PTR	ap03.binary.kitchen.
 44.1				IN	PTR	ap04.binary.kitchen.
 45.1				IN	PTR	ap05.binary.kitchen.
+46.1				IN	PTR	ap06.binary.kitchen.
 51.1				IN	PTR	modem.binary.kitchen.
 60.1				IN	PTR	wurst.binary.kitchen.
 80.1				IN	PTR	wurst-bmc.binary.kitchen.
@@ -36,17 +37,16 @@ $TTL 1h				; default time-to-live
 102.1				IN	PTR	nbe-tr8.binary.kitchen.
 ; Services
 1.2				IN	PTR	v2302.core.binary.kitchen.
-2.2				IN	PTR	ns.binary.kitchen.
 3.2				IN	PTR	bacon.binary.kitchen.
 4.2				IN	PTR	aveta.binary.kitchen.
 5.2				IN	PTR	sulis.binary.kitchen.
 6.2				IN	PTR	nabia.binary.kitchen.
-11.2				IN	PTR	homer.binary.kitchen.
+7.2				IN	PTR	epona.binary.kitchen.
 12.2				IN	PTR	lock.binary.kitchen.
 13.2				IN	PTR	matrix.binary.kitchen.
 33.2				IN	PTR	pizza.binary.kitchen.
 36.2				IN	PTR	schweinshaxn.binary.kitchen.
-44.2				IN	PTR	cashdesk.binary.kitchen.
+37.2				IN	PTR	bob.binary.kitchen.
 62.2				IN	PTR	bowle.binary.kitchen.
 91.2				IN	PTR	strammermax.binary.kitchen.
 92.2				IN	PTR	obatzda.binary.kitchen.
@@ -60,28 +60,39 @@ $GENERATE 10-230 $.3		IN	PTR	dhcp-${0,3,d}-03.binary.kitchen.
 244.3				IN	PTR	mirror.binary.kitchen.
 245.3				IN	PTR	spaghetti.binary.kitchen.
 246.3				IN	PTR	maccaroni.binary.kitchen.
-247.3				IN	PTR	pve02-bmc.tmp.binary.kitchen.
-248.3				IN	PTR	pve02.tmp.binary.kitchen.
-249.3				IN	PTR	ffrgb.binary.kitchen.
 250.3				IN	PTR	cannelloni.binary.kitchen.
 251.3				IN	PTR	noodlehub.binary.kitchen.
 ; MQTT
 1.4				IN	PTR	v2304.core.binary.kitchen.
 6.4				IN	PTR	pizza.mqtt.binary.kitchen.
 $GENERATE 10-240 $.4		IN	PTR	dhcp-${0,3,d}-04.binary.kitchen.
+241.4				IN	PTR	habdisplay1.mqtt.binary.kitchen.
+242.4				IN	PTR	habdisplay2.mqtt.binary.kitchen.
+245.4				IN	PTR	logo1.mqtt.binary.kitchen.
+246.4				IN	PTR	logo2.mqtt.binary.kitchen.
+250.4				IN	PTR	moodlights1.mqtt.binary.kitchen.
+251.4				IN	PTR	openhabgw1.mqtt.binary.kitchen.
+252.4				IN	PTR	homematic-ccu2.mqtt.binary.kitchen.
 ; Management RZ
 1.9				IN	PTR	switch0.erx-rz.binary.kitchen.
 61.9				IN	PTR	salat.binary.kitchen.
 81.9				IN	PTR	salat-bmc.binary.kitchen.
 ; Services RZ
-23.8				IN	PTR	cernunnos.binary.kitchen.
 ; VPN RZ (ER-X)
-1.10				IN	PTR	wg1.erx-rz.binary.kitchen.
+1.10				IN	PTR	wg0.erx-rz.binary.kitchen.
 $GENERATE 2-254 $.10		IN	PTR	vpn-${0,3,d}-10.binary.kitchen.
-; VPN RZ (pf)
-$GENERATE 2-254 $.11		IN	PTR	vpn-${0,3,d}-11.binary.kitchen.
+; Management Auweg
+61.12				IN	PTR	weizen.binary.kitchen.
+; Services Auweg
+3.13				IN	PTR	aeron.binary.kitchen.
+; Clients Auweg
+$GENERATE 10-230 $.14		IN	PTR	dhcp-${0,3,d}-14.binary.kitchen.
+; MQTT
+$GENERATE 10-240 $.15		IN	PTR	dhcp-${0,3,d}-15.binary.kitchen.
 ; Point-to-Point
 1.96				IN	PTR	v400.erx-bk.binary.kitchen.
 2.96				IN	PTR	v400.core.binary.kitchen.
-1.97				IN	PTR	wg0.erx-rz.binary.kitchen.
-2.97				IN	PTR	wg0.erx-bk.binary.kitchen.
+1.97				IN	PTR	wg1.erx-rz.binary.kitchen.
+2.97				IN	PTR	wg1.erx-bk.binary.kitchen.
+5.97				IN	PTR	wg2.erx-rz.binary.kitchen.
+6.97				IN	PTR	wg2.erx-auweg.binary.kitchen.

roles/dns_intern/templates/bind/binary.kitchen.zone.j2

@@ -1,25 +1,34 @@
 $ORIGIN binary.kitchen		; base for unqualified names
 $TTL 1h				; default time-to-live
-@				IN	SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
-					2020051101; serial
+@				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
+					2021091301; serial
 					1d; refresh
 					2h; retry
 					4w; expire
 					1h; minimum time-to-live
 				)
-				IN	NS	ns.binary.kitchen.
+				IN	NS	ns1.binary.kitchen.
+				IN	NS	ns2.binary.kitchen.
+; Subdomains
+users				IN	NS	ns1.binary.kitchen.
+users				IN	NS	ns2.binary.kitchen.
 ; External
 				IN	A	213.166.246.4
 www				IN	A	213.166.246.4
 ; Aliases
 3dprinter			IN	A	172.23.3.251
+icinga				IN	A	172.23.2.6
 ldap				IN	A	172.23.2.3
 ldap				IN	A	172.23.2.4
 ldap				IN	A	213.166.246.2
 ldap1				IN	A	172.23.2.3
 ldap2				IN	A	172.23.2.4
+ldap3				IN	A	172.23.13.3
 ldapm				IN	A	213.166.246.2
 librenms			IN	A	172.23.2.6
+netbox				IN	A	172.23.2.7
+ns1				IN	A	172.23.2.3
+ns2				IN	A	172.23.2.4
 racktables			IN	A	172.23.2.6
 radius				IN	A	172.23.2.3
 radius				IN	A	172.23.2.4
@@ -27,8 +36,7 @@ radius				IN	A	172.23.2.4
 core				IN	A	172.23.0.1
 erx-bk				IN	A	172.23.0.2
 erx-rz				IN	A	172.23.0.3
-pf-bk				IN	A	172.23.0.4
-pf-rz				IN	A	172.23.0.5
+erx-auweg			IN	A	172.23.0.4
 ; Management
 v2301.core			IN	A	172.23.1.1
 ups1				IN	A	172.23.1.11
@@ -43,6 +51,7 @@ ap02				IN	A	172.23.1.42
 ap03				IN	A	172.23.1.43
 ap04				IN	A	172.23.1.44
 ap05				IN	A	172.23.1.45
+ap06				IN	A	172.23.1.46
 modem				IN	A	172.23.1.51
 wurst				IN	A	172.23.1.60
 wurst-bmc			IN	A	172.23.1.80
@@ -51,17 +60,16 @@ nbe-w13b			IN	A	172.23.1.101
 nbe-tr8				IN	A	172.23.1.102
 ; Services
 v2302.core			IN	A	172.23.2.1
-ns				IN	A	172.23.2.2
 bacon				IN	A	172.23.2.3
 aveta				IN	A	172.23.2.4
 sulis				IN	A	172.23.2.5
 nabia				IN	A	172.23.2.6
-homer				IN	A	172.23.2.11
+epona				IN	A	172.23.2.7
 lock				IN	A	172.23.2.12
 matrix				IN	A	172.23.2.13
 pizza				IN	A	172.23.2.33
 schweinshaxn			IN	A	172.23.2.36
-cashdesk			IN	A	172.23.2.44
+bob				IN	A	172.23.2.37
 bowle				IN	A	172.23.2.62
 strammermax			IN	A	172.23.2.91
 obatzda				IN	A	172.23.2.92
@@ -75,28 +83,39 @@ garlic				IN	A	172.23.3.243
 mirror				IN	A	172.23.3.244
 spaghetti			IN	A	172.23.3.245
 maccaroni			IN	A	172.23.3.246
-pve02-bmc.tmp			IN	A	172.23.3.247
-pve02.tmp			IN	A	172.23.3.248
-ffrgb				IN	A	172.23.3.249
 cannelloni			IN	A	172.23.3.250
 noodlehub			IN	A	172.23.3.251
 ; MQTT
 v2304.core			IN	A	172.23.4.1
 pizza.mqtt			IN	A	172.23.4.6
 $GENERATE 10-240 dhcp-${0,3,d}-04	IN	A	172.23.4.$
+habdisplay1.mqtt		IN	A	172.23.4.241
+habdisplay2.mqtt		IN	A	172.23.4.242
+logo1.mqtt			IN	A	172.23.4.245
+logo2.mqtt			IN	A	172.23.4.246
+moodlights1.mqtt		IN	A	172.23.4.250
+openhabgw1.mqtt			IN	A	172.23.4.251
+homematic-ccu2.mqtt		IN	A	172.23.4.252
 ; Management RZ
 switch0.erx-rz			IN	A	172.23.9.1
 salat				IN	A	172.23.9.61
 salat-bmc			IN	A	172.23.9.81
 ; Services RZ
-cernunnos			IN	A	172.23.8.23
+; Management Auweg
+weizen				IN	A	172.23.12.61
+; Services Auweg
+aeron				IN	A	172.23.13.3
+; Clients Auweg
+$GENERATE 10-230 dhcp-${0,3,d}-14	IN	A	172.23.14.$
+; MQTT Auweg
+$GENERATE 10-240 dhcp-${0,3,d}-15	IN	A	172.23.15.$
 ; VPN RZ (ER-X)
-wg1.erx-rz			IN	A	172.23.10.1
+wg0.erx-rz			IN	A	172.23.10.1
 $GENERATE 2-254 vpn-${0,3,d}-10	IN	A	172.23.10.$
-; VPN RZ (pf)
-$GENERATE 2-254 vpn-${0,3,d}-11	IN	A	172.23.11.$
 ; Point-to-Point
 v400.erx-bk			IN	A	172.23.96.1
 v400.core			IN	A	172.23.96.2
-wg0.erx-rz			IN	A	172.23.97.1
-wg0.erx-bk			IN	A	172.23.97.2
+wg1.erx-rz			IN	A	172.23.97.1
+wg1.erx-bk			IN	A	172.23.97.2
+wg2.erx-rz			IN	A	172.23.97.5
+wg2.erx-auweg			IN	A	172.23.97.6

roles/dns_intern/templates/dnsdist.conf.j2

@@ -0,0 +1,27 @@
+-- {{ ansible_managed }}
+
+setLocal('127.0.0.1')
+addLocal('::1')
+addLocal('{{ ansible_default_ipv4.address }}')
+
+-- define downstream servers/pools
+newServer({address='127.0.0.1:5300', pool='authdns'})
+newServer({address='127.0.0.1:5353', pool='resolve'})
+
+{% if dns_secondary is defined %}
+-- allow AXFR/IXFR only from slaves
+addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
+{% endif %}
+
+-- allow NOTIFY only from master
+addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
+
+-- use auth servers for own zones
+addAction('binary.kitchen', PoolAction('authdns'))
+addAction('23.172.in-addr.arpa', PoolAction('authdns'))
+
+-- use resolver for anything else
+addAction(AllRule(), PoolAction('resolve'))
+
+-- disable security status polling via DNS
+setSecurityPollSuffix('')

roles/dns_intern/templates/pdns.conf.j2

@@ -1,46 +1,96 @@
 # {{ ansible_managed }}
 
+{% if ansible_default_ipv4.address == dns_primary %}
 #################################
-# launch        Which backends to launch and order to query them in
+# allow-dnsupdate-from  A global setting to allow DNS updates from these IP ranges.
 #
-# launch=
-launch=bind
+# allow-dnsupdate-from=127.0.0.0/8,::1
+allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }}{% if dhcpd_secondary is defined %},{{ dhcpd_secondary }}{% endif %}
 
 #################################
-# local-address Local IP addresses to which we bind
+# dnsupdate	Enable/Disable DNS update (RFC2136) support.  Default is no.
+#
+# dnsupdate=no
+dnsupdate=yes
+{% endif %}
+
+#################################
+# launch	Which backends to launch and order to query them in
+#
+# launch=
+launch=bind,gsqlite3
+
+#################################
+# local-address	Local IP addresses to which we bind
 #
 # local-address=0.0.0.0
 local-address=127.0.0.1
 
 #################################
-# local-ipv6    Local IP address to which we bind
+# local-ipv6	Local IP address to which we bind
 #
 # local-ipv6=::
 local-ipv6=
 
 #################################
-# local-port    The port on which we listen
+# local-port	The port on which we listen
 #
 # local-port=53
 local-port=5300
 
+{% if ansible_default_ipv4.address == dns_primary %}
 #################################
-# security-poll-suffix  Domain name from which to query security update notifications
+# master	Act as a master
+#
+# master=no
+master=yes
+
+{% if dns_secondary is defined %}
+#################################
+# only-notify   Only send AXFR NOTIFY to these IP addresses or netmasks
+#
+# only-notify=0.0.0.0/0,::/0
+only-notify={{ dns_secondary }}
+{% endif %}
+{% endif %}
+
+#################################
+# security-poll-suffix	Domain name from which to query security update notifications
 #
 # security-poll-suffix=secpoll.powerdns.com.
 security-poll-suffix=
 
 #################################
-# setgid        If set, change group id to this gid for more security
+# setgid	If set, change group id to this gid for more security
 #
 setgid=pdns
 
 #################################
-# setuid        If set, change user id to this uid for more security
+# setuid	If set, change user id to this uid for more security
 #
 setuid=pdns
 
+{% if dns_secondary is defined and ansible_default_ipv4.address == dns_secondary %}
 #################################
-# bind-config   Location of the Bind configuration file to parse.
+# slave	Act as a slave
+#
+# slave=no
+slave=yes
+
+#################################
+# trusted-notification-proxy	IP address of incoming notification proxy
+#
+# trusted-notification-proxy=
+trusted-notification-proxy=127.0.0.1,::1
+{% endif %}
+
+#################################
+# bind-config	Location of named.conf
 #
 bind-config=/etc/powerdns/bindbackend.conf
+
+#################################
+# gsqlite3-database	Filename of the SQLite3 database
+#
+# gsqlite3-database=
+gsqlite3-database=/var/lib/powerdns/pdns.sqlite3

roles/dns_intern/templates/recursor.conf.j2

@@ -1,61 +1,55 @@
 # {{ ansible_managed }}
 
 #################################
-# allow-from    If set, only allow these comma separated netmasks to recurse
+# allow-from	If set, only allow these comma separated netmasks to recurse
 #
-#allow-from=127.0.0.0/8
+# allow-from=127.0.0.0/8
 
 #################################
-# config-dir    Location of configuration directory (recursor.conf)
+# config-dir	Location of configuration directory (recursor.conf)
 #
 config-dir=/etc/powerdns
 
 #################################
-# dnssec        DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
+# dnssec	DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
 #
 # dnssec=process-no-validate
 dnssec=off
 
 #################################
-# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
+# local-address	IP addresses to listen on, separated by spaces or commas. Also accepts ports.
 #
-# forward-zones=
-forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300
+local-address=127.0.0.1
 
 #################################
-# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
+# local-port	port to listen on
 #
-local-address=127.0.0.1,{{ ansible_default_ipv4.address }}
+local-port=5353
 
 #################################
-# local-port    port to listen on
-#
-local-port=53
-
-#################################
-# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
+# query-local-address6	Source IPv6 address for sending queries. IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES
 #
 {% if global_ipv6 is defined %}
 query-local-address6={{ global_ipv6 | ipaddr('address') }}
 {% endif %}
 
 #################################
-# quiet Suppress logging of questions and answers
+# quiet	Suppress logging of questions and answers
 #
 quiet=yes
 
 #################################
-# security-poll-suffix  Domain name from which to query security update notifications
+# security-poll-suffix	Domain name from which to query security update notifications
 #
 # security-poll-suffix=secpoll.powerdns.com.
 security-poll-suffix=
 
 #################################
-# setgid        If set, change group id to this gid for more security
+# setgid	If set, change group id to this gid for more security
 #
 setgid=pdns
 
 #################################
-# setuid        If set, change user id to this uid for more security
+# setuid	If set, change user id to this uid for more security
 #
 setuid=pdns

roles/docker/tasks/main.yml

@@ -5,7 +5,7 @@
 
 - name: Enable docker repository
   apt_repository:
-    repo: 'deb https://download.docker.com/linux/debian buster stable'
+    repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
     filename: docker
 
 - name: Install docker
@@ -14,4 +14,4 @@
     - docker-ce
     - docker-ce-cli
     - containerd.io
-    - python-docker
+    - python3-docker

roles/drone/tasks/main.yml

@@ -14,7 +14,7 @@
   apt:
     name:
     - postgresql
-    - python-psycopg2
+    - python3-psycopg2
 
 - name: Configure PostgreSQL database
   postgresql_db: name={{ drone_dbname }}

roles/drone_runner/tasks/main.yml

@@ -14,6 +14,7 @@
       DRONE_UI_PASSWORD: "{{ drone_uipass }}"
     ports:
     - "3000:3000"
+    pull: yes
     restart_policy: unless-stopped
     state: started
     volumes:

roles/fileserver/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Reload nfs-server
+  service: name=nfs-server state=reloaded
+
+- name: Reload smbd
+  service: name=smbd state=reloaded

roles/fileserver/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+
+# TODO also enable contrib for $release-security
+- name: Enable contrib repositories
+  apt_repository:
+    repo: deb http://deb.debian.org/debian {{ ansible_distribution_release }} contrib
+
+- name: Install zfs-dkms
+  apt:
+    name: zfs-dkms
+
+# creating the ZFS pool is not part of this role
+
+- name: Install NFS and samba
+  apt:
+    name:
+    - nfs-kernel-server
+    - samba
+
+- name: Configure NFS
+  template:
+    src: exports.j2
+    dest: /etc/exports
+  notify: Reload nfs-server
+
+- name: Configure samba
+  template:
+    src: smb.conf.j2
+    dest: /etc/samba/smb.conf
+  notify: Reload smbd

roles/fileserver/templates/exports.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+{% for item in nfs_exports %}
+{{ item }}
+{% endfor %}

roles/fileserver/templates/smb.conf.j2

@@ -0,0 +1,244 @@
+#
+# Sample configuration file for the Samba suite for Debian GNU/Linux.
+#
+#
+# This is the main Samba configuration file. You should read the
+# smb.conf(5) manual page in order to understand the options listed
+# here. Samba has a huge number of configurable options most of which 
+# are not shown in this example
+#
+# Some options that are often worth tuning have been included as
+# commented-out examples in this file.
+#  - When such options are commented with ";", the proposed setting
+#    differs from the default Samba behaviour
+#  - When commented with "#", the proposed setting is the default
+#    behaviour of Samba but the option is considered important
+#    enough to be mentioned here
+#
+# NOTE: Whenever you modify this file you should run the command
+# "testparm" to check that you have not made any basic syntactic 
+# errors. 
+
+#======================= Global Settings =======================
+
+[global]
+
+## Browsing/Identification ###
+
+# Change this to the workgroup/NT-domain name your Samba server will part of
+   workgroup = WORKGROUP
+
+#### Networking ####
+
+# The specific set of interfaces / networks to bind to
+# This can be either the interface name or an IP address/netmask;
+# interface names are normally preferred
+;   interfaces = 127.0.0.0/8 eth0
+
+# Only bind to the named interfaces and/or networks; you must use the
+# 'interfaces' option above to use this.
+# It is recommended that you enable this feature if your Samba machine is
+# not protected by a firewall or is a firewall itself.  However, this
+# option cannot handle dynamic or non-broadcast interfaces correctly.
+;   bind interfaces only = yes
+
+
+
+#### Debugging/Accounting ####
+
+# This tells Samba to use a separate log file for each machine
+# that connects
+   log file = /var/log/samba/log.%m
+
+# Cap the size of the individual log files (in KiB).
+   max log size = 1000
+
+# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
+# Append syslog@1 if you want important messages to be sent to syslog too.
+   logging = file
+
+# Do something sensible when Samba crashes: mail the admin a backtrace
+   panic action = /usr/share/samba/panic-action %d
+
+
+####### Authentication #######
+
+# Server role. Defines in which mode Samba will operate. Possible
+# values are "standalone server", "member server", "classic primary
+# domain controller", "classic backup domain controller", "active
+# directory domain controller". 
+#
+# Most people will want "standalone server" or "member server".
+# Running as "active directory domain controller" will require first
+# running "samba-tool domain provision" to wipe databases and create a
+# new domain.
+   server role = standalone server
+
+   obey pam restrictions = yes
+
+# This boolean parameter controls whether Samba attempts to sync the Unix
+# password with the SMB password when the encrypted SMB password in the
+# passdb is changed.
+   unix password sync = yes
+
+# For Unix password sync to work on a Debian GNU/Linux system, the following
+# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
+# sending the correct chat script for the passwd program in Debian Sarge).
+   passwd program = /usr/bin/passwd %u
+   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+
+# This boolean controls whether PAM will be used for password changes
+# when requested by an SMB client instead of the program listed in
+# 'passwd program'. The default is 'no'.
+   pam password change = yes
+
+# This option controls how unsuccessful authentication attempts are mapped
+# to anonymous connections
+   map to guest = bad user
+
+########## Domains ###########
+
+#
+# The following settings only takes effect if 'server role = classic
+# primary domain controller', 'server role = classic backup domain controller'
+# or 'domain logons' is set 
+#
+
+# It specifies the location of the user's
+# profile directory from the client point of view) The following
+# required a [profiles] share to be setup on the samba server (see
+# below)
+;   logon path = \\%N\profiles\%U
+# Another common choice is storing the profile in the user's home directory
+# (this is Samba's default)
+#   logon path = \\%N\%U\profile
+
+# The following setting only takes effect if 'domain logons' is set
+# It specifies the location of a user's home directory (from the client
+# point of view)
+;   logon drive = H:
+#   logon home = \\%N\%U
+
+# The following setting only takes effect if 'domain logons' is set
+# It specifies the script to run during logon. The script must be stored
+# in the [netlogon] share
+# NOTE: Must be store in 'DOS' file format convention
+;   logon script = logon.cmd
+
+# This allows Unix users to be created on the domain controller via the SAMR
+# RPC pipe.  The example command creates a user account with a disabled Unix
+# password; please adapt to your needs
+; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
+
+# This allows machine accounts to be created on the domain controller via the 
+# SAMR RPC pipe.  
+# The following assumes a "machines" group exists on the system
+; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
+
+# This allows Unix groups to be created on the domain controller via the SAMR
+# RPC pipe.  
+; add group script = /usr/sbin/addgroup --force-badname %g
+
+############ Misc ############
+
+# Using the following line enables you to customise your configuration
+# on a per machine basis. The %m gets replaced with the netbios name
+# of the machine that is connecting
+;   include = /home/samba/etc/smb.conf.%m
+
+# Some defaults for winbind (make sure you're not using the ranges
+# for something else.)
+;   idmap config * :              backend = tdb
+;   idmap config * :              range   = 3000-7999
+;   idmap config YOURDOMAINHERE : backend = tdb
+;   idmap config YOURDOMAINHERE : range   = 100000-999999
+;   template shell = /bin/bash
+
+# Setup usershare options to enable non-root users to share folders
+# with the net usershare command.
+
+# Maximum number of usershare. 0 means that usershare is disabled.
+#   usershare max shares = 100
+
+# Allow users who've been granted usershare privileges to create
+# public shares, not just authenticated ones
+   usershare allow guests = yes
+
+#======================= Share Definitions =======================
+
+;[homes]
+;   comment = Home Directories
+;   browseable = no
+
+# By default, the home directories are exported read-only. Change the
+# next parameter to 'no' if you want to be able to write to them.
+;   read only = yes
+
+# File creation mask is set to 0700 for security reasons. If you want to
+# create files with group=rw permissions, set next parameter to 0775.
+;   create mask = 0700
+
+# Directory creation mask is set to 0700 for security reasons. If you want to
+# create dirs. with group=rw permissions, set next parameter to 0775.
+;   directory mask = 0700
+
+# By default, \\server\username shares can be connected to by anyone
+# with access to the samba server.
+# The following parameter makes sure that only "username" can connect
+# to \\server\username
+# This might need tweaking when using external authentication schemes
+;   valid users = %S
+
+# Un-comment the following and create the netlogon directory for Domain Logons
+# (you need to configure Samba to act as a domain controller too.)
+;[netlogon]
+;   comment = Network Logon Service
+;   path = /home/samba/netlogon
+;   guest ok = yes
+;   read only = yes
+
+# Un-comment the following and create the profiles directory to store
+# users profiles (see the "logon path" option above)
+# (you need to configure Samba to act as a domain controller too.)
+# The path below should be writable by all users so that their
+# profile directory may be created the first time they log on
+;[profiles]
+;   comment = Users profiles
+;   path = /home/samba/profiles
+;   guest ok = no
+;   browseable = no
+;   create mask = 0600
+;   directory mask = 0700
+
+;[printers]
+;   comment = All Printers
+;   browseable = no
+;   path = /var/spool/samba
+;   printable = yes
+;   guest ok = no
+;   read only = yes
+;   create mask = 0700
+
+# Windows clients look for this share name as a source of downloadable
+# printer drivers
+;[print$]
+;   comment = Printer Drivers
+;   path = /var/lib/samba/printers
+;   browseable = yes
+;   read only = yes
+;   guest ok = no
+# Uncomment to allow remote administration of Windows print drivers.
+# You may need to replace 'lpadmin' with the name of the group your
+# admin users are members of.
+# Please note that you also need to set appropriate Unix permissions
+# to the drivers directory for these users to have write rights in it
+;   write list = root, @lpadmin
+
+# Binary Kitchen public share 
+[tank]
+   path = /exports/tank
+   browseable = yes
+   read only = no
+   guest ok = yes
+   create mask = 0600
+   directory mask = 0700

roles/gitea/defaults/main.yml

@@ -3,6 +3,6 @@
 gitea_user: gogs
 gitea_group: gogs
 
-gitea_checksum: sha256:74417bc8e950b685de79c3a39655029f28d27c99e94adbe83c0ec22325d8771f
-gitea_version: 1.12.6
+gitea_checksum: sha256:1b7473b5993e07b33fec58edbc1a90f15f040759ca4647e97317c33d5dfe58be
+gitea_version: 1.15.6
 gitea_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64

roles/gitea/tasks/main.yml

@@ -30,7 +30,7 @@
   apt:
     name:
     - postgresql
-    - python-psycopg2
+    - python3-psycopg2
 
 - name: Configure PostgreSQL database
   postgresql_db: name={{ gitea_dbname }}

roles/hackmd/defaults/main.yml

@@ -1,4 +1,4 @@
 ---
 
-hackmd_version: 1.5.0
-hackmd_archive: https://github.com/codimd/server/archive/{{ hackmd_version }}.tar.gz
+hedgedoc_version: 1.8.2
+hedgedoc_archive: https://github.com/hedgedoc/hedgedoc/archive/{{ hedgedoc_version }}.tar.gz

roles/hackmd/handlers/main.yml

@@ -3,8 +3,8 @@
 - name: Reload systemd
   systemd: daemon_reload=yes
 
-- name: Restart hackmd
-  service: name=hackmd state=restarted
+- name: Restart hedgedoc
+  service: name=hedgedoc state=restarted
 
 - name: Restart nginx
   service: name=nginx state=restarted

roles/hackmd/tasks/main.yml

@@ -3,14 +3,11 @@
 - name: Create user
   user: name=hackmd
 
-- name: Enable https for apt
-  apt: name=apt-transport-https
-
 - name: Enable nodesource apt-key
   apt_key: url="https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
 
 - name: Enable nodesource repository
-  apt_repository: repo="deb https://deb.nodesource.com/node_8.x/ {{ ansible_distribution_release }} main"
+  apt_repository: repo="deb https://deb.nodesource.com/node_14.x/ {{ ansible_distribution_release }} main"
 
 - name: Enable yarnpkg apt-key
   apt_key: url="https://dl.yarnpkg.com/debian/pubkey.gpg"
@@ -34,82 +31,75 @@
     - git
     - nodejs
     - postgresql
-    - python-psycopg2
+    - python3-psycopg2
     - yarn
 
-- name: Unpack hackmd
-  unarchive: src={{ hackmd_archive }} dest=/opt owner=hackmd group=hackmd remote_src=yes creates=/opt/codimd-{{ hackmd_version }}
-  register: hackmd_unarchive
+- name: Unpack hedgedoc
+  unarchive: src={{ hedgedoc_archive }} dest=/opt owner=hackmd group=hackmd remote_src=yes creates=/opt/hedgedoc-{{ hedgedoc_version }}
+  register: hedgedoc_unarchive
 
-- name: Rename hackmd
-  command: mv /opt/server-{{ hackmd_version }} /opt/codimd-{{ hackmd_version }}
-  when: hackmd_unarchive.changed
+- name: Create hedgedoc upload path
+  file: path=/opt/hedgedoc/uploads state=directory recurse=yes owner=hackmd group=hackmd
 
-- name: Create hackmd upload path
-  file: path=/opt/codimd/uploads state=directory recurse=yes owner=hackmd group=hackmd
+- name: Remove old hedgedoc upload path
+  file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads state=absent force=yes
 
-- name: Remove old hackmd upload path
-  file: path=/opt/codimd-{{ hackmd_version }}/public/uploads state=absent force=yes
+- name: Link hedgedoc upload path
+  file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads src=/opt/hedgedoc/uploads state=link owner=hackmd group=hackmd
 
-- name: Link hackmd upload path
-  file: path=/opt/codimd-{{ hackmd_version }}/public/uploads src=/opt/codimd/uploads state=link owner=hackmd group=hackmd
-
-- name: Setup hackmd
-  command: bin/setup chdir=/opt/codimd-{{ hackmd_version }} creates=/opt/codimd-{{ hackmd_version }}/config.json
+- name: Setup hedgedoc
+  command: bin/setup chdir=/opt/hedgedoc-{{ hedgedoc_version }} creates=/opt/hedgedoc-{{ hedgedoc_version }}/config.json
   become: true
   become_user: hackmd
 
-- name: Configure hackmd
-  template: src=config.json.j2 dest=/opt/codimd-{{ hackmd_version }}/config.json owner=hackmd
-  register: hackmd_config
-  notify: Restart hackmd
+- name: Configure hedgedoc
+  template: src=config.json.j2 dest=/opt/hedgedoc-{{ hedgedoc_version }}/config.json owner=hackmd
+  register: hedgedoc_config
+  notify: Restart hedgedoc
 
-- name: Build hackmd frontend
-  command: /usr/bin/npm run build chdir=/opt/codimd-{{ hackmd_version }}
+- name: Install hedgedoc frontend deps
+  command: /usr/bin/yarn install chdir=/opt/hedgedoc-{{ hedgedoc_version }}
   become: true
   become_user: hackmd
-  when: hackmd_unarchive.changed or hackmd_config.changed
+  when: hedgedoc_unarchive.changed or hedgedoc_config.changed
+
+- name: Build hedgedoc frontend
+  command: /usr/bin/yarn build chdir=/opt/hedgedoc-{{ hedgedoc_version }}
+  become: true
+  become_user: hackmd
+  when: hedgedoc_unarchive.changed or hedgedoc_config.changed
 
 - name: Configure PostgreSQL database
-  postgresql_db: name={{ hackmd_dbname }}
+  postgresql_db: name={{ hedgedoc_dbname }}
   become: true
   become_user: postgres
 
 - name: Configure PostgreSQL user
-  postgresql_user: db={{ hackmd_dbname }} name={{ hackmd_dbuser }} password={{ hackmd_dbpass }} priv=ALL state=present
+  postgresql_user: db={{ hedgedoc_dbname }} name={{ hedgedoc_dbuser }} password={{ hedgedoc_dbpass }} priv=ALL state=present
   become: true
   become_user: postgres
 
-- name: Configure sequelize
-  template: src=_sequelizerc.j2 dest=/opt/codimd-{{ hackmd_version }}/.sequelizerc owner=hackmd
-
-- name: Upgrade database schema
-  command: node_modules/.bin/sequelize db:migrate chdir=/opt/codimd-{{ hackmd_version }}
-  become: true
-  become_user: hackmd
-  when: hackmd_unarchive.changed or hackmd_config.changed
-
 - name: Ensure certificates are available
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hackmd_domain }}.key -out /etc/nginx/ssl/{{ hackmd_domain }}.crt -days 730 -subj "/CN={{ hackmd_domain }}" creates=/etc/nginx/ssl/{{ hackmd_domain }}.crt
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hedgedoc_domain }}.key -out /etc/nginx/ssl/{{ hedgedoc_domain }}.crt -days 730 -subj "/CN={{ hedgedoc_domain }}" creates=/etc/nginx/ssl/{{ hedgedoc_domain }}.crt
   notify: Restart nginx
 
-- name: Configure certificate manager for hackmd
-  template: src=certs.j2 dest=/etc/acertmgr/{{ hackmd_domain }}.conf
+- name: Configure certificate manager for hedgedoc
+  template: src=certs.j2 dest=/etc/acertmgr/{{ hedgedoc_domain }}.conf
   notify: Run acertmgr
 
 - name: Configure vhost
-  template: src=vhost.j2 dest=/etc/nginx/sites-available/hackmd
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/hedgedoc
   notify: Restart nginx
 
 - name: Enable vhost
-  file: src=/etc/nginx/sites-available/hackmd dest=/etc/nginx/sites-enabled/hackmd state=link
+  file: src=/etc/nginx/sites-available/hedgedoc dest=/etc/nginx/sites-enabled/hedgedoc state=link
   notify: Restart nginx
 
-- name: Systemd unit for hackmd
-  template: src=hackmd.service.j2 dest=/etc/systemd/system/hackmd.service
+- name: Systemd unit for hedgedoc
+  template: src=hedgedoc.service.j2 dest=/etc/systemd/system/hedgedoc.service
   notify:
   - Reload systemd
-  - Restart hackmd
+  - Restart hedgedoc
 
-- name: Start the hackmd service
-  service: name=hackmd state=started enabled=yes
+- name: Start the hedgedoc service
+  service: name=hedgedoc state=started enabled=yes

roles/hackmd/templates/_sequelizerc.j2

@@ -1,8 +0,0 @@
-var path = require('path');
-
-module.exports = {
-    'config':          path.resolve('config.json'),
-    'migrations-path': path.resolve('lib', 'migrations'),
-    'models-path':     path.resolve('lib', 'models'),
-    'url':             'postgres://{{ hackmd_dbuser }}:{{ hackmd_dbpass }}@localhost:5432/{{ hackmd_dbname }}'
-}

roles/hackmd/templates/certs.j2

@@ -1,13 +1,13 @@
 ---
 
-{{ hackmd_domain }}:
-- path: /etc/nginx/ssl/{{ hackmd_domain }}.key
+{{ hedgedoc_domain }}:
+- path: /etc/nginx/ssl/{{ hedgedoc_domain }}.key
   user: root
   group: root
   perm: '400'
   format: key
   action: '/usr/sbin/service nginx restart'
-- path: /etc/nginx/ssl/{{ hackmd_domain }}.crt
+- path: /etc/nginx/ssl/{{ hedgedoc_domain }}.crt
   user: root
   group: root
   perm: '400'

roles/hackmd/templates/config.json.j2

@@ -1,11 +1,11 @@
 {
     "production": {
-        "domain": "{{ hackmd_domain }}",
+        "domain": "{{ hedgedoc_domain }}",
         "protocolUseSSL": true,
         "allowAnonymous": false,
         "allowAnonymousEdits": true,
         "allowFreeURL": true,
-        "sessionSecret": "{{ hackmd_secret }}",
+        "sessionSecret": "{{ hedgedoc_secret }}",
         "hsts": {
             "enable": true,
             "maxAgeSeconds": 2592000,
@@ -22,9 +22,9 @@
             "addGoogleAnalytics": true
         },
         "db": {
-            "username": "{{ hackmd_dbuser }}",
-            "password": "{{ hackmd_dbpass }}",
-            "database": "{{ hackmd_dbname }}",
+            "username": "{{ hedgedoc_dbuser }}",
+            "password": "{{ hedgedoc_dbpass }}",
+            "database": "{{ hedgedoc_dbname }}",
             "host": "localhost",
             "port": "5432",
             "dialect": "postgres"

roles/hackmd/templates/hedgedoc.service.j2

@@ -1,13 +1,13 @@
 [Unit]
-Description=HackMD
+Description=HedgeDoc
 After=network.target
 
 [Service]
 Environment=NODE_ENV=production
-WorkingDirectory=/opt/codimd-{{ hackmd_version }}
+WorkingDirectory=/opt/hedgedoc-{{ hedgedoc_version }}
 Type=simple
 User=hackmd
-ExecStart=/usr/bin/node /opt/codimd-{{ hackmd_version }}/app.js
+ExecStart=/usr/bin/yarn start
 Restart=on-failure
 
 [Install]

roles/hackmd/templates/vhost.j2

@@ -1,8 +1,13 @@
+map $http_upgrade $connection_upgrade {
+	default	upgrade;
+	''	close;
+}
+
 server {
 	listen 80;
 	listen [::]:80;
 
-	server_name {{ hackmd_domain }};
+	server_name {{ hedgedoc_domain }};
 
 	location /.well-known/acme-challenge {
 		default_type "text/plain";
@@ -10,7 +15,7 @@ server {
 	}
 
 	location / {
-		return 301 https://{{ hackmd_domain }}$request_uri;
+		return 301 https://{{ hedgedoc_domain }}$request_uri;
 	}
 }
 
@@ -18,21 +23,30 @@ server {
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
 
-	server_name {{ hackmd_domain }};
+	server_name {{ hedgedoc_domain }};
 
-	ssl_certificate_key /etc/nginx/ssl/{{ hackmd_domain }}.key;
-	ssl_certificate /etc/nginx/ssl/{{ hackmd_domain }}.crt;
+	ssl_certificate_key /etc/nginx/ssl/{{ hedgedoc_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ hedgedoc_domain }}.crt;
 
 	# set max upload size
 	client_max_body_size 8M;
 
 	location / {
+		proxy_pass http://localhost:3000;
+		proxy_set_header Host $host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-		proxy_pass http://localhost:3000;
-		proxy_http_version 1.1;
-		proxy_set_header Upgrade $http_upgrade;
-		proxy_set_header Connection "Upgrade";
+		proxy_set_header X-Forwarded-Proto $scheme;
 	}
 
+
+	location /socket.io/ {
+		proxy_pass http://127.0.0.1:3000;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade;
+	}
 }

roles/icinga/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+
+icinga_user: nagios
+icinga_group: nagios

roles/icinga/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
+- name: Restart icinga2
+  service: name=icinga2 state=restarted
+
+- name: Restart nginx
+  service: name=nginx state=restarted

roles/icinga/tasks/main.yml

@@ -0,0 +1,98 @@
+---
+
+- name: Enable icinga apt-key
+  apt_key: url='https://packages.icinga.com/icinga.key'
+
+- name: Enable icinga repository
+  apt_repository:
+    repo: 'deb https://packages.icinga.com/debian icinga-{{ ansible_distribution_release }} main'
+    filename: icinga
+
+- name: Install icinga
+  apt:
+    name:
+    - php-fpm
+    - php-pgsql
+    - icinga2
+    - icinga2-ido-pgsql
+    - icingaweb2
+
+- name: Install PostgreSQL
+  apt:
+    name:
+    - postgresql
+    - python3-psycopg2
+
+- name: Configure icinga database
+  postgresql_db: name={{ icinga_dbname }}
+  become: true
+  become_user: postgres
+  register: icinga_ido_db
+
+- name: Configure icinga database user
+  postgresql_user: db={{ icinga_dbname }} name={{ icinga_dbuser }} password={{ icinga_dbpass }} priv=ALL state=present
+  become: true
+  become_user: postgres
+
+# FIXME it is not possible to use login_username and login_password here in order to change the role to icinga
+# so as a workaround you have to insert "SET ROLE icinga;" manually at the top of the referred sql file
+- name: Configure database schema
+  postgresql_db: name={{ icinga_dbname }} target=/usr/share/icinga2-ido-pgsql/schema/pgsql.sql state=restore
+  become: true
+  become_user: postgres
+  when: icinga_ido_db.changed
+
+- name: Configure icingaweb database
+  postgresql_db: name={{ icingaweb_dbname }}
+  become: true
+  become_user: postgres
+
+- name: Configure icingaweb database user
+  postgresql_user: db={{ icingaweb_dbname }} name={{ icingaweb_dbuser }} password={{ icingaweb_dbpass }} priv=ALL state=present
+  become: true
+  become_user: postgres
+
+- name: Configure icinga ido pgsql
+  template: src=icinga2/features-available/ido-pgsql.conf.j2 dest=/etc/icinga2/features-available/ido-pgsql.conf owner={{ icinga_user }} group={{ icinga_group }}
+  notify: Restart icinga2
+
+- name: Enable icinga ido PostgreSQL
+  command: "icinga2 feature enable ido-pgsql"
+  register: features_result
+  changed_when: "'for these changes to take effect' in features_result.stdout"
+  notify: Restart icinga2
+
+- name: Configure known hosts for icinga
+  template: src=icinga2/conf.d/hosts.conf.j2 dest=/etc/icinga2/conf.d/hosts.conf owner={{ icinga_user }} group={{ icinga_group }}
+  notify: Restart icinga2
+
+- name: Create group icingaweb2
+  group: name=icingaweb2 system=yes
+
+- name: Add www-data to icingaweb2
+  user: name=www-data append=yes groups=icingaweb2
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ icinga_domain }}.key -out /etc/nginx/ssl/{{ icinga_domain }}.crt -days 730 -subj "/CN={{ icinga_domain }}" creates=/etc/nginx/ssl/{{ icinga_domain }}.crt
+  notify: Restart nginx
+
+- name: Request nsupdate key for certificate
+  include_role: name=acme-dnskey-generate
+  vars:
+    acme_dnskey_san_domains:
+    - "{{ icinga_domain }}"
+
+- name: Configure certificate manager for icinga
+  template: src=certs.j2 dest=/etc/acertmgr/{{ icinga_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/icinga
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/icinga dest=/etc/nginx/sites-enabled/icinga state=link
+  notify: Restart nginx
+
+- name: Start php7.4-fpm
+  service: name=php7.4-fpm state=started enabled=yes

roles/icinga/templates/certs.j2

@@ -0,0 +1,18 @@
+---
+
+{{ icinga_domain }}:
+- mode: dns.nsupdate
+  nsupdate_server: {{ acme_dnskey_server }}
+  nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ icinga_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ icinga_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'

roles/icinga/templates/icinga2/conf.d/hosts.conf.j2

@@ -0,0 +1,12 @@
+{% for host in groups['all'] %}
+object Host "{{ host }}" {
+  /* Import the default host template defined in `templates.conf`. */
+  import "generic-host"
+
+  /* Specify the address attributes for checks e.g. `ssh` or `http`. */
+  address = "{{ host }}"
+
+  /* Set custom variable `os` for hostgroup assignment in `groups.conf`. */
+  vars.os = "Linux"
+}
+{% endfor %}

roles/icinga/templates/icinga2/features-available/ido-pgsql.conf.j2

@@ -0,0 +1,13 @@
+/**
+ * The db_ido_pgsql library implements IDO functionality
+ * for PostgreSQL.
+ */
+
+library "db_ido_pgsql"
+
+object IdoPgsqlConnection "ido-pgsql" {
+  user = "{{ icinga_dbuser}}",
+  password = "{{ icinga_dbpass }}",
+  host = "localhost",
+  database = "{{ icinga_dbname }}"
+}

roles/icinga/templates/vhost.j2

@@ -0,0 +1,36 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ icinga_domain }};
+
+	location / {
+		return 301 https://{{ icinga_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ icinga_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ icinga_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ icinga_domain }}.crt;
+
+	location ~ ^/icingaweb2/index\.php(.*)$ {
+		fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+		fastcgi_index index.php;
+		include fastcgi_params;
+		fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
+		fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
+		fastcgi_param REMOTE_USER $remote_user;
+	}
+
+	location ~ ^/icingaweb2(.+)? {
+		alias /usr/share/icingaweb2/public;
+		index index.php;
+		try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
+	}
+
+}

roles/jitsi/tasks/main.yml

@@ -1,8 +1,5 @@
 ---
 
-- name: Ensure apt over https is available
-  apt: name=apt-transport-https
-
 - name: Add Jitsi repo key
   apt_key:
     id: EF8B479E2DC1389C

roles/librenms/tasks/main.yml

@@ -7,20 +7,20 @@
     - git
     - graphviz
     - imagemagick
-    - mtr-tiny
     - mariadb-server
+    - mtr-tiny
     - nmap
+    - php-cli
+    - php-curl
+    - php-fpm
+    - php-gd
+    - php-json
+    - php-mbstring
+    - php-mysql
     - php-net-ipv4
     - php-net-ipv6
     - php-pear
-    - php7.3-cli
-    - php7.3-curl
-    - php7.3-fpm
-    - php7.3-gd
-    - php7.3-json
-    - php7.3-mbstring
-    - php7.3-mysql
-    - php7.3-snmp
+    - php-snmp
     - python3-dotenv
     - python3-pymysql
     - python3-redis
@@ -51,8 +51,8 @@
     regexp: ';?date\.timezone'
     line: 'date.timezone = Europe/Berlin'
   with_items:
-  - /etc/php/7.3/cli/php.ini
-  - /etc/php/7.3/fpm/php.ini
+  - /etc/php/7.4/cli/php.ini
+  - /etc/php/7.4/fpm/php.ini
 
 - name: Ensure certificates are available
   command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ librenms_domain }}.key -out /etc/nginx/ssl/{{ librenms_domain }}.crt -days 730 -subj "/CN={{ librenms_domain }}" creates=/etc/nginx/ssl/{{ librenms_domain }}.crt
@@ -76,5 +76,5 @@
   file: src=/etc/nginx/sites-available/librenms dest=/etc/nginx/sites-enabled/librenms state=link
   notify: Restart nginx
 
-- name: Start php7.3-fpm
-  service: name=php7.3-fpm state=started enabled=yes
+- name: Start php7.4-fpm
+  service: name=php7.4-fpm state=started enabled=yes

roles/librenms/templates/vhost.j2

@@ -31,7 +31,7 @@ server {
 		include fastcgi_params;
 		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 		fastcgi_param PATH_INFO $fastcgi_path_info;
-		fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+		fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
 		fastcgi_intercept_errors on;
 	}
 

roles/mail/templates/default/postsrsd.j2

@@ -11,10 +11,10 @@ SRS_DOMAIN={{ mail_srs_domain }}
 # If a domain name starts with a dot, it matches all subdomains, but not
 # the domain itself. Separate multiple domains by space or comma.
 #
-SRS_EXCLUDE_DOMAINS=.{{ mail_domain }} {{ mail_domain }}
+SRS_EXCLUDE_DOMAINS=".{{ mail_domain }} {{ mail_domain }}
 {%- for domain in mail_domains %}
  .{{ domain }} {{ domain }}
-{%- endfor %}
+{%- endfor %}"
 
 # First separator character after SRS0 or SRS1.
 # Can be one of: -+=

roles/matrix/tasks/main.yml

@@ -1,8 +1,5 @@
 ---
 
-- name: Enable https for apt
-  apt: name=apt-transport-https
-
 - name: Enable matrix apt-key
   apt_key: url="https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg"
 
@@ -14,7 +11,7 @@
     name:
     - matrix-synapse-py3
     - postgresql
-    - python-psycopg2
+    - python3-psycopg2
 
 - name: Configure PostgreSQL database
   postgresql_db: name={{ matrix_dbname }} lc_collate=C lc_ctype=C template=template0

roles/matrix/templates/vhost.j2

@@ -23,11 +23,14 @@ server {
 	ssl_certificate_key /etc/nginx/ssl/{{ matrix_domain }}.key;
 	ssl_certificate /etc/nginx/ssl/{{ matrix_domain }}.crt;
 
+	access_log off;
 	client_max_body_size 25M;
 
 	location / {
 		proxy_pass http://localhost:8008;
 		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Host $host;
 	}
 }
 
@@ -40,10 +43,13 @@ server {
 	ssl_certificate_key /etc/nginx/ssl/{{ matrix_domain }}.key;
 	ssl_certificate /etc/nginx/ssl/{{ matrix_domain }}.crt;
 
+	access_log off;
 	client_max_body_size 25M;
 
 	location / {
 		proxy_pass http://localhost:8008;
 		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Host $host;
 	}
 }

roles/member_sw/tasks/main.yml

@@ -4,6 +4,7 @@
   apt:
     name:
     - ansible
+    - gcc
     - git
     - irssi
     - netcat6

roles/netbox/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+
+netbox_group: netbox
+netbox_user: netbox
+netbox_version: 3.0.7

roles/netbox/handlers/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart netbox
+  service: name=netbox state=restarted
+
+- name: Restart netbox-rq
+  service: name=netbox-rq state=restarted

roles/netbox/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/netbox/tasks/main.yml

@@ -0,0 +1,145 @@
+---
+
+- name: Create group
+  group: name={{ netbox_group }}
+
+- name: Create user
+  user: name={{ netbox_user }} home=/home/{{ netbox_user }} group={{ netbox_group }}
+
+- name: Install dependencies
+  apt:
+    name:
+    - build-essential
+    - libffi-dev
+    - libpq-dev
+    - libssl-dev
+    - libxml2-dev
+    - libxslt1-dev
+    - python3-setuptools
+    - python3-dev
+    - python3-pip
+    - python3-venv
+    - zlib1g-dev
+
+- name: Install PostgreSQL
+  apt:
+    name:
+    - postgresql
+    - python3-psycopg2
+
+- name: Configure PostgreSQL database
+  postgresql_db:
+    name: '{{ netbox_dbname }}'
+  become: true
+  become_user: postgres
+
+- name: Configure PostgreSQL user
+  postgresql_user:
+    db: '{{ netbox_dbname }}'
+    name: '{{ netbox_dbuser }}'
+    password: '{{ netbox_dbpass }}'
+    priv: ALL
+    state: present
+  become: true
+  become_user: postgres
+
+- name: Install redis
+  apt: name=redis-server
+
+- name: Unpack netbox
+  unarchive:
+    src: 'https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz'
+    dest: /opt
+    remote_src: yes
+    creates: '/opt/netbox-{{ netbox_version }}'
+  register: netbox_unarchive
+
+- name: Configure netbox
+  template:
+    src: configuration.py.j2
+    dest: '/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py'
+    owner: '{{ netbox_user }}'
+    group: '{{ netbox_group }}'
+
+- name: Configure gunicorn
+  template:
+    src: gunicorn.py.j2
+    dest: '/opt/netbox-{{ netbox_version }}/gunicorn.py'
+    owner: '{{ netbox_user }}'
+    group: '{{ netbox_group }}'
+
+- name: Netbox file permissions
+  file:
+    path: '/opt/netbox-{{ netbox_version }}'
+    owner: '{{ netbox_user }}'
+    group: '{{ netbox_group }}'
+    recurse: yes
+
+- name: Run upgrade script
+  command:
+    cmd: ./upgrade.sh
+    chdir: '/opt/netbox-{{ netbox_version }}'
+  become: true
+  become_user: '{{ netbox_user }}'
+  when: netbox_unarchive.changed
+
+# TODO - still manual work
+# * Create a super user
+# * Migrate media files
+
+- name: Install netbox housekeeping cronjob
+  template:
+    src: netbox-housekeeping.sh.j2
+    dest: /etc/cron.daily/netbox-housekeeping.sh
+    mode: 0755
+
+- name: Ensure certificates are available
+  command:
+    cmd: >
+      openssl req -x509 -nodes -newkey rsa:2048
+      -keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
+      -days 730 -subj "/CN={{ netbox_domain }}"
+    creates: '/etc/nginx/ssl/{{ netbox_domain }}.crt'
+  notify: Restart nginx
+
+- name: Request nsupdate key for certificate
+  include_role: name=acme-dnskey-generate
+  vars:
+    acme_dnskey_san_domains:
+    - "{{ netbox_domain }}"
+  when: "'kitchen' in group_names"
+
+- name: Configure certificate manager for netbox
+  template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template:
+    src: vhost.j2
+    dest: /etc/nginx/sites-available/netbox
+    owner: root
+    mode: '0644'
+  notify: Restart nginx
+
+- name: Enable vhost
+  file:
+    src: /etc/nginx/sites-available/netbox
+    dest: /etc/nginx/sites-enabled/netbox
+    state: link
+  notify: Restart nginx
+
+- name: Install systemd units
+  template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
+  with_items:
+  - netbox
+  - netbox-rq
+  notify:
+  - Reload systemd
+  - Restart netbox
+  - Restart netbox-rq
+
+- name: Enable services
+  service: name={{ item }} state=started enabled=yes
+  with_items:
+  - netbox
+  - netbox-rq

roles/netbox/templates/certs.j2

@@ -0,0 +1,18 @@
+---
+
+{{ netbox_domain }}:
+- mode: dns.nsupdate
+  nsupdate_server: {{ acme_dnskey_server }}
+  nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ netbox_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ netbox_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'

roles/netbox/templates/configuration.py.j2

@@ -0,0 +1,282 @@
+#########################
+#                       #
+#   Required settings   #
+#                       #
+#########################
+
+# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write
+# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
+#
+# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local']
+ALLOWED_HOSTS = ['{{ netbox_domain }}']
+
+# PostgreSQL database configuration. See the Django documentation for a complete list of available parameters:
+#   https://docs.djangoproject.com/en/stable/ref/settings/#databases
+DATABASE = {
+    'NAME': '{{ netbox_dbname }}',               # Database name
+    'USER': '{{ netbox_dbuser }}',               # PostgreSQL username
+    'PASSWORD': '{{ netbox_dbpass }}',           # PostgreSQL password
+    'HOST': 'localhost',      # Database server
+    'PORT': '',               # Database port (leave blank for default)
+    'CONN_MAX_AGE': 300,      # Max database connection age
+}
+
+# Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate
+# configuration exists for each. Full connection details are required in both sections, and it is strongly recommended
+# to use two separate database IDs.
+REDIS = {
+    'tasks': {
+        'HOST': 'localhost',
+        'PORT': 6379,
+        # Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
+        # 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
+        # 'SENTINEL_SERVICE': 'netbox',
+        'PASSWORD': '',
+        'DATABASE': 0,
+        'SSL': False,
+        # Set this to True to skip TLS certificate verification
+        # This can expose the connection to attacks, be careful
+        # 'INSECURE_SKIP_TLS_VERIFY': False,
+    },
+    'caching': {
+        'HOST': 'localhost',
+        'PORT': 6379,
+        # Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
+        # 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
+        # 'SENTINEL_SERVICE': 'netbox',
+        'PASSWORD': '',
+        'DATABASE': 1,
+        'SSL': False,
+        # Set this to True to skip TLS certificate verification
+        # This can expose the connection to attacks, be careful
+        # 'INSECURE_SKIP_TLS_VERIFY': False,
+    }
+}
+
+# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
+# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
+# symbols. NetBox will not run without this defined. For more information, see
+# https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY
+SECRET_KEY = '{{ netbox_secret }}'
+
+
+#########################
+#                       #
+#   Optional settings   #
+#                       #
+#########################
+
+# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
+# application errors (assuming correct email settings are provided).
+ADMINS = [
+    # ['John Doe', 'jdoe@example.com'],
+]
+
+# URL schemes that are allowed within links in NetBox
+ALLOWED_URL_SCHEMES = (
+    'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
+)
+
+# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same
+# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP.
+BANNER_TOP = ''
+BANNER_BOTTOM = ''
+
+# Text to include on the login page above the login form. HTML is allowed.
+BANNER_LOGIN = ''
+
+# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set:
+# BASE_PATH = 'netbox/'
+BASE_PATH = ''
+
+# Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90)
+CHANGELOG_RETENTION = 90
+
+# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
+# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
+# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
+CORS_ORIGIN_ALLOW_ALL = False
+CORS_ORIGIN_WHITELIST = [
+    # 'https://hostname.example.com',
+]
+CORS_ORIGIN_REGEX_WHITELIST = [
+    # r'^(https?://)?(\w+\.)?example\.com$',
+]
+
+# Specify any custom validators here, as a mapping of model to a list of validators classes. Validators should be
+# instances of or inherit from CustomValidator.
+# from extras.validators import CustomValidator
+CUSTOM_VALIDATORS = {
+    # 'dcim.site': [
+    #     CustomValidator({
+    #         'name': {
+    #             'min_length': 10,
+    #             'regex': r'\d{3}$',
+    #         }
+    #     })
+    # ],
+}
+
+# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal
+# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging
+# on a production system.
+DEBUG = False
+
+# Email settings
+EMAIL = {
+    'SERVER': 'localhost',
+    'PORT': 25,
+    'USERNAME': '',
+    'PASSWORD': '',
+    'USE_SSL': False,
+    'USE_TLS': False,
+    'TIMEOUT': 10,  # seconds
+    'FROM_EMAIL': '',
+}
+
+# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
+# (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.
+ENFORCE_GLOBAL_UNIQUE = False
+
+# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
+# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
+EXEMPT_VIEW_PERMISSIONS = [
+    # 'dcim.site',
+    # 'dcim.region',
+    # 'ipam.prefix',
+]
+
+# Enable the GraphQL API
+GRAPHQL_ENABLED = True
+
+# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks).
+# HTTP_PROXIES = {
+#     'http': 'http://10.10.1.10:3128',
+#     'https': 'http://10.10.1.10:1080',
+# }
+
+# IP addresses recognized as internal to the system. The debugging toolbar will be available only to clients accessing
+# NetBox from an internal IP.
+INTERNAL_IPS = ('127.0.0.1', '::1')
+
+# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs:
+#   https://docs.djangoproject.com/en/stable/topics/logging/
+LOGGING = {}
+
+# Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
+# authenticated to NetBox indefinitely.
+LOGIN_PERSISTENCE = False
+
+# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
+# are permitted to access most data in NetBox but not make any changes.
+LOGIN_REQUIRED = True
+
+# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
+# re-authenticate. (Default: 1209600 [14 days])
+LOGIN_TIMEOUT = None
+
+# Setting this to True will display a "maintenance mode" banner at the top of every page.
+MAINTENANCE_MODE = False
+
+# The URL to use when mapping physical addresses or GPS coordinates
+MAPS_URL = 'https://maps.google.com/?q='
+
+# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g.
+# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request
+# all objects by specifying "?limit=0".
+MAX_PAGE_SIZE = 1000
+
+# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
+# the default value of this setting is derived from the installed location.
+# MEDIA_ROOT = '/opt/netbox/netbox/media'
+
+# By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the
+# class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. For example:
+# STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage'
+# STORAGE_CONFIG = {
+#     'AWS_ACCESS_KEY_ID': 'Key ID',
+#     'AWS_SECRET_ACCESS_KEY': 'Secret',
+#     'AWS_STORAGE_BUCKET_NAME': 'netbox',
+#     'AWS_S3_REGION_NAME': 'eu-west-1',
+# }
+
+# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
+METRICS_ENABLED = False
+
+# Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM.
+NAPALM_USERNAME = ''
+NAPALM_PASSWORD = ''
+
+# NAPALM timeout (in seconds). (Default: 30)
+NAPALM_TIMEOUT = 30
+
+# NAPALM optional arguments (see https://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must
+# be provided as a dictionary.
+NAPALM_ARGS = {}
+
+# Determine how many objects to display per page within a list. (Default: 50)
+PAGINATE_COUNT = 50
+
+# Enable installed plugins. Add the name of each plugin to the list.
+PLUGINS = []
+
+# Plugins configuration settings. These settings are used by various plugins that the user may have installed.
+# Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings.
+# PLUGINS_CONFIG = {
+#     'my_plugin': {
+#         'foo': 'bar',
+#         'buzz': 'bazz'
+#     }
+# }
+
+# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to
+# prefer IPv4 instead.
+PREFER_IPV4 = False
+
+# Rack elevation size defaults, in pixels. For best results, the ratio of width to height should be roughly 10:1.
+RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22
+RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220
+
+# Remote authentication support
+REMOTE_AUTH_ENABLED = False
+REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
+REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
+REMOTE_AUTH_AUTO_CREATE_USER = True
+REMOTE_AUTH_DEFAULT_GROUPS = []
+REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
+
+# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
+# version check or use the URL below to check for release in the official NetBox repository.
+RELEASE_CHECK_URL = None
+# RELEASE_CHECK_URL = 'https://api.github.com/repos/netbox-community/netbox/releases'
+
+# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of
+# this setting is derived from the installed location.
+# REPORTS_ROOT = '/opt/netbox/netbox/reports'
+
+# Maximum execution time for background tasks, in seconds.
+RQ_DEFAULT_TIMEOUT = 300
+
+# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
+# this setting is derived from the installed location.
+# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
+
+# The name to use for the session cookie.
+SESSION_COOKIE_NAME = 'sessionid'
+
+# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
+# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
+# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
+SESSION_FILE_PATH = None
+
+# Time zone (default: UTC)
+TIME_ZONE = 'Europe/Berlin'
+
+# Date/time formatting. See the following link for supported formats:
+# https://docs.djangoproject.com/en/stable/ref/templates/builtins/#date
+DATE_FORMAT = 'N j, Y'
+SHORT_DATE_FORMAT = 'Y-m-d'
+TIME_FORMAT = 'g:i a'
+SHORT_TIME_FORMAT = 'H:i:s'
+DATETIME_FORMAT = 'N j, Y g:i a'
+SHORT_DATETIME_FORMAT = 'Y-m-d H:i'

roles/netbox/templates/gunicorn.py.j2

@@ -0,0 +1,16 @@
+# The IP address (typically localhost) and port that the Netbox WSGI process should listen on
+bind = '127.0.0.1:8001'
+
+# Number of gunicorn workers to spawn. This should typically be 2n+1, where
+# n is the number of CPU cores present.
+workers = 5
+
+# Number of threads per worker process
+threads = 3
+
+# Timeout (in seconds) for a request to complete
+timeout = 120
+
+# The maximum number of requests a worker can handle before being respawned
+max_requests = 5000
+max_requests_jitter = 500

roles/netbox/templates/netbox-housekeeping.sh.j2

@@ -0,0 +1,9 @@
+#!/bin/sh
+# This shell script invokes NetBox's housekeeping management command, which
+# intended to be run nightly. This script can be copied into your system's
+# daily cron directory (e.g. /etc/cron.daily), or referenced directly from
+# within the cron configuration file.
+#
+# If NetBox has been installed into a nonstandard location, update the paths
+# below.
+/opt/netbox-{{ netbox_version }}/venv/bin/python /opt/netbox-{{ netbox_version }}/netbox/manage.py housekeeping

roles/netbox/templates/netbox-rq.service.j2

@@ -0,0 +1,21 @@
+[Unit]
+Description=NetBox Request Queue Worker
+Documentation=https://netbox.readthedocs.io/en/stable/
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+
+User=netbox
+Group=netbox
+WorkingDirectory=/opt/netbox-{{ netbox_version }}
+
+ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/python3 /opt/netbox-{{ netbox_version }}/netbox/manage.py rqworker
+
+Restart=on-failure
+RestartSec=30
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target

roles/netbox/templates/netbox.service.j2

@@ -0,0 +1,22 @@
+[Unit]
+Description=NetBox WSGI Service
+Documentation=https://netbox.readthedocs.io/en/stable/
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+
+User=netbox
+Group=netbox
+PIDFile=/var/tmp/netbox.pid
+WorkingDirectory=/opt/netbox-{{ netbox_version }}
+
+ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox-{{ netbox_version }}/netbox --config /opt/netbox-{{ netbox_version }}/gunicorn.py netbox.wsgi
+
+Restart=on-failure
+RestartSec=30
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target

roles/netbox/templates/vhost.j2

@@ -0,0 +1,38 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ netbox_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ netbox_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ netbox_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ netbox_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ netbox_domain }}.crt;
+
+	location /static/ {
+		alias /opt/netbox-{{ netbox_version }}/netbox/static/;
+	}
+
+	location / {
+		client_max_body_size 32M;
+
+		proxy_pass http://localhost:8001;
+		proxy_set_header X-Forwarded-Host $http_host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+}

roles/nextcloud/files/opcache.ini

@@ -9,3 +9,4 @@ opcache.max_accelerated_files=10000
 opcache.memory_consumption=128
 opcache.save_comments=1
 opcache.revalidate_freq=1
+opcache.jit_buffer_size=100M

roles/nextcloud/files/www.conf

@@ -1,5 +1,5 @@
 ; Start a new pool named 'www'.
-; the variable $pool can we used in any directive and will be replaced by the
+; the variable $pool can be used in any directive and will be replaced by the
 ; pool name ('www' here)
 [www]
 
@@ -29,21 +29,20 @@ group = www-data
 ;                            a specific port;
 ;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
 ;                            a specific port;
-;   'port'                 - to listen on a TCP socket to all IPv4 addresses on a
-;                            specific port;
-;   '[::]:port'            - to listen on a TCP socket to all addresses
+;   'port'                 - to listen on a TCP socket to all addresses
 ;                            (IPv6 and IPv4-mapped) on a specific port;
 ;   '/path/to/unix/socket' - to listen on a unix socket.
 ; Note: This value is mandatory.
-listen = /var/run/php-fpm.sock
+listen = /run/php/php-fpm.sock
 
 ; Set listen(2) backlog.
-; Default Value: 65535 (-1 on FreeBSD and OpenBSD)
-;listen.backlog = 65535
+; Default Value: 511 (-1 on FreeBSD and OpenBSD)
+;listen.backlog = 511
 
 ; Set permissions for unix socket, if one is used. In Linux, read/write
 ; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions. 
+; BSD-derived systems allow connections regardless of permissions. The owner
+; and group can be specified either by name or by their numeric IDs.
 ; Default Values: user and group are set as the running user
 ;                 mode is set to 0660
 listen.owner = www-data
@@ -54,7 +53,7 @@ listen.group = www-data
 ; When set, listen.owner and listen.group are ignored
 ;listen.acl_users =
 ;listen.acl_groups =
- 
+
 ; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
 ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
 ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
@@ -71,6 +70,12 @@ listen.group = www-data
 ; Default Value: no set
 ; process.priority = -19
 
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
+; or group is different than the master process user. It allows to create process
+; core dump and ptrace the process for the pool user.
+; Default Value: no
+; process.dumpable = yes
+
 ; Choose how the process manager will control the number of child processes.
 ; Possible Values:
 ;   static  - a fixed number (pm.max_children) of child processes;
@@ -106,28 +111,28 @@ pm = dynamic
 ; forget to tweak pm.* to fit your needs.
 ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
 ; Note: This value is mandatory.
-pm.max_children = 5
+pm.max_children = 80
 
 ; The number of child processes created on startup.
 ; Note: Used only when pm is set to 'dynamic'
-; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
-pm.start_servers = 2
+; Default Value: (min_spare_servers + max_spare_servers) / 2
+pm.start_servers = 10
 
 ; The desired minimum number of idle server processes.
 ; Note: Used only when pm is set to 'dynamic'
 ; Note: Mandatory when pm is set to 'dynamic'
-pm.min_spare_servers = 1
+pm.min_spare_servers = 10
 
 ; The desired maximum number of idle server processes.
 ; Note: Used only when pm is set to 'dynamic'
 ; Note: Mandatory when pm is set to 'dynamic'
-pm.max_spare_servers = 3
+pm.max_spare_servers = 15
 
 ; The number of seconds after which an idle process will be killed.
 ; Note: Used only when pm is set to 'ondemand'
 ; Default Value: 10s
 ;pm.process_idle_timeout = 10s;
- 
+
 ; The number of requests each child process should execute before respawning.
 ; This can be useful to work around memory leaks in 3rd party libraries. For
 ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
@@ -135,7 +140,7 @@ pm.max_spare_servers = 3
 ;pm.max_requests = 500
 
 ; The URI to view the FPM status page. If this value is not set, no URI will be
-; recognized as a status page. It shows the following informations:
+; recognized as a status page. It shows the following information:
 ;   pool                 - the name of the pool;
 ;   process manager      - static, dynamic or ondemand;
 ;   start time           - the date and time FPM has started;
@@ -180,7 +185,7 @@ pm.max_spare_servers = 3
 ;
 ; By default the status page only outputs short status. Passing 'full' in the
 ; query string will also return status for each pool process.
-; Example: 
+; Example:
 ;   http://www.foo.bar/status?full
 ;   http://www.foo.bar/status?json&full
 ;   http://www.foo.bar/status?html&full
@@ -225,14 +230,30 @@ pm.max_spare_servers = 3
 ;   last request memory:  0
 ;
 ; Note: There is a real-time FPM status monitoring sample web page available
-;       It's available in: /usr/share/php/7.0/fpm/status.html
+;       It's available in: /usr/share/php/8.0/fpm/status.html
 ;
 ; Note: The value must start with a leading slash (/). The value can be
 ;       anything, but it may not be a good idea to use the .php extension or it
 ;       may conflict with a real PHP file.
-; Default Value: not set 
+; Default Value: not set
 ;pm.status_path = /status
- 
+
+; The address on which to accept FastCGI status request. This creates a new
+; invisible pool that can handle requests independently. This is useful
+; if the main pool is busy with long running requests because it is still possible
+; to get the status before finishing the long running requests.
+;
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Default Value: value of the listen option
+;pm.status_listen = 127.0.0.1:9001
+
 ; The ping URI to call the monitoring page of FPM. If this value is not set, no
 ; URI will be recognized as a ping page. This could be used to test from outside
 ; that FPM is alive and responding, or to
@@ -265,13 +286,13 @@ pm.max_spare_servers = 3
 ;  %d: time taken to serve the request
 ;      it can accept the following format:
 ;      - %{seconds}d (default)
-;      - %{miliseconds}d
+;      - %{milliseconds}d
 ;      - %{mili}d
 ;      - %{microseconds}d
 ;      - %{micro}d
 ;  %e: an environment variable (same as $_ENV or $_SERVER)
 ;      it must be associated with embraces to specify the name of the env
-;      variable. Some exemples:
+;      variable. Some examples:
 ;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
 ;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
 ;  %f: script filename
@@ -293,7 +314,7 @@ pm.max_spare_servers = 3
 ;      - ....
 ;  %p: PID of the child that serviced the request
 ;  %P: PID of the parent of the child that serviced the request
-;  %q: the query string 
+;  %q: the query string
 ;  %Q: the '?' character if query string exists
 ;  %r: the request URI (without the query string, see %q and %Q)
 ;  %R: remote IP address
@@ -301,64 +322,87 @@ pm.max_spare_servers = 3
 ;  %t: server time the request was received
 ;      it can accept a strftime(3) format:
 ;      %d/%b/%Y:%H:%M:%S %z (default)
+;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
 ;  %T: time the log has been written (the request has finished)
 ;      it can accept a strftime(3) format:
 ;      %d/%b/%Y:%H:%M:%S %z (default)
+;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
 ;  %u: remote user
 ;
 ; Default: "%R - %u %t \"%m %r\" %s"
 ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
- 
+
 ; The log file for slow requests
 ; Default Value: not set
 ; Note: slowlog is mandatory if request_slowlog_timeout is set
 ;slowlog = log/$pool.log.slow
- 
+
 ; The timeout for serving a single request after which a PHP backtrace will be
 ; dumped to the 'slowlog' file. A value of '0s' means 'off'.
 ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
 ; Default Value: 0
 ;request_slowlog_timeout = 0
- 
+
+; Depth of slow log stack trace.
+; Default Value: 20
+;request_slowlog_trace_depth = 20
+
 ; The timeout for serving a single request after which the worker process will
 ; be killed. This option should be used when the 'max_execution_time' ini option
 ; does not stop script execution for some reason. A value of '0' means 'off'.
 ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
 ; Default Value: 0
 ;request_terminate_timeout = 0
- 
+
+; The timeout set by 'request_terminate_timeout' ini option is not engaged after
+; application calls 'fastcgi_finish_request' or when application has finished and
+; shutdown functions are being called (registered via register_shutdown_function).
+; This option will enable timeout limit to be applied unconditionally
+; even in such cases.
+; Default Value: no
+;request_terminate_timeout_track_finished = no
+
 ; Set open file descriptor rlimit.
 ; Default Value: system defined value
 ;rlimit_files = 1024
- 
+
 ; Set max core size rlimit.
 ; Possible Values: 'unlimited' or an integer greater or equal to 0
 ; Default Value: system defined value
 ;rlimit_core = 0
- 
+
 ; Chroot to this directory at the start. This value must be defined as an
 ; absolute path. When this value is not set, chroot is not used.
 ; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
 ; of its subdirectories. If the pool prefix is not set, the global prefix
 ; will be used instead.
-; Note: chrooting is a great security feature and should be used whenever 
+; Note: chrooting is a great security feature and should be used whenever
 ;       possible. However, all PHP paths will be relative to the chroot
 ;       (error_log, sessions.save_path, ...).
 ; Default Value: not set
-;chroot = 
- 
+;chroot =
+
 ; Chdir to this directory at the start.
 ; Note: relative path can be used.
 ; Default Value: current directory or / when chroot
-chdir = /
- 
+;chdir = /var/www
+
 ; Redirect worker stdout and stderr into main error log. If not set, stdout and
 ; stderr will be redirected to /dev/null according to FastCGI specs.
-; Note: on highloaded environement, this can cause some delay in the page
+; Note: on highloaded environment, this can cause some delay in the page
 ; process time (several ms).
 ; Default Value: no
 ;catch_workers_output = yes
 
+; Decorate worker output with prefix and suffix containing information about
+; the child that writes to the log and if stdout or stderr is used as well as
+; log level and time. This options is used only if catch_workers_output is yes.
+; Settings to "no" will output data as written to the stdout or stderr.
+; Default value: yes
+;decorate_workers_output = no
+
 ; Clear environment in FPM workers
 ; Prevents arbitrary environment variables from reaching FPM worker processes
 ; by clearing the environment in workers before env vars specified in this
@@ -371,25 +415,26 @@ chdir = /
 ; Limits the extensions of the main script FPM will allow to parse. This can
 ; prevent configuration mistakes on the web server side. You should only limit
 ; FPM to .php extensions to prevent malicious users to use other extensions to
-; exectute php code.
+; execute php code.
 ; Note: set an empty value to allow all extensions.
 ; Default Value: .php
-;security.limit_extensions = .php .php3 .php4 .php5
- 
+;security.limit_extensions = .php .php3 .php4 .php5 .php7
+
 ; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
 ; the current environment.
 ; Default Value: clean env
-env[HOSTNAME] = $HOSTNAME
+;env[HOSTNAME] = $HOSTNAME
+;env[PATH] = /usr/local/bin:/usr/bin:/bin
+;env[TMP] = /tmp
+;env[TMPDIR] = /tmp
+;env[TEMP] = /tmp
 env[PATH] = /usr/local/bin:/usr/bin:/bin
-env[TMP] = /tmp
-env[TMPDIR] = /tmp
-env[TEMP] = /tmp
 
 ; Additional php.ini defines, specific to this pool of workers. These settings
 ; overwrite the values previously defined in the php.ini. The directives are the
 ; same as the PHP SAPI:
 ;   php_value/php_flag             - you can set classic ini defines which can
-;                                    be overwritten from PHP call 'ini_set'. 
+;                                    be overwritten from PHP call 'ini_set'.
 ;   php_admin_value/php_admin_flag - these directives won't be overwritten by
 ;                                     PHP call 'ini_set'
 ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
@@ -409,3 +454,5 @@ env[TEMP] = /tmp
 ;php_admin_value[error_log] = /var/log/fpm-php.www.log
 ;php_admin_flag[log_errors] = on
 ;php_admin_value[memory_limit] = 32M
+php_admin_value[memory_limit] = 512M
+

roles/nextcloud/handlers/main.yml

@@ -3,5 +3,5 @@
 - name: Restart nginx
   service: name=nginx state=restarted
 
-- name: Restart php7.4-fpm
-  service: name=php7.4-fpm state=restarted
+- name: Restart php8.0-fpm
+  service: name=php8.0-fpm state=restarted

roles/nextcloud/tasks/main.yml

@@ -1,53 +1,56 @@
 ---
 
-- name: Enable https for apt
-  apt: name=apt-transport-https
-
 - name: Enable sury php apt-key
   apt_key: url="https://packages.sury.org/php/apt.gpg"
 
 - name: Enable sury php repository
-  apt_repository: repo="deb https://packages.sury.org/php/ stretch main"
+  apt_repository: repo="deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
+
+- name: Enable collaboraoffice apt-key
+  apt_key: url="https://collaboraoffice.com/downloads/gpg/collaboraonline-release-keyring.gpg"
+
+- name: Enable collaboraoffice repository
+  apt_repository: repo="deb https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-debian11 ./"
 
 - name: Install packages
   apt:
     name:
     - php-redis
-    - php7.4
-    - php7.4-bcmath
-    - php7.4-bz2
-    - php7.4-cli
-    - php7.4-common
-    - php7.4-curl
-    - php7.4-dev
-    - php7.4-fpm
-    - php7.4-gd
-    - php7.4-gmp
-    - php7.4-imap
-    - php7.4-intl
-    - php7.4-json
-    - php7.4-ldap
-    - php7.4-mbstring
-    - php7.4-mysql
-    - php7.4-opcache
-    - php7.4-pgsql
-    - php7.4-readline
-    - php7.4-soap
-    - php7.4-sqlite3
-    - php7.4-tidy
-    - php7.4-xml
-    - php7.4-xmlrpc
-    - php7.4-zip
+    - php8.0
+    - php8.0-apcu
+    - php8.0-bcmath
+    - php8.0-bz2
+    - php8.0-cli
+    - php8.0-common
+    - php8.0-curl
+    - php8.0-dev
+    - php8.0-fpm
+    - php8.0-gd
+    - php8.0-gmp
+    - php8.0-imap
+    - php8.0-intl
+    - php8.0-ldap
+    - php8.0-mbstring
+    - php8.0-mysql
+    - php8.0-opcache
+    - php8.0-pgsql
+    - php8.0-readline
+    - php8.0-soap
+    - php8.0-sqlite3
+    - php8.0-tidy
+    - php8.0-xml
+    - php8.0-xmlrpc
+    - php8.0-zip
     - postgresql
-    - python-psycopg2
+    - python3-psycopg2
 
 - name: Configure PostgreSQL database
-  postgresql_db: name={{ owncloud_dbname }}
+  postgresql_db: name={{ nextcloud_dbname }}
   become: true
   become_user: postgres
 
 - name: Configure PostgreSQL user
-  postgresql_user: db={{ owncloud_dbname }} name={{ owncloud_dbuser }} password={{ owncloud_dbpass }} priv=ALL state=present
+  postgresql_user: db={{ nextcloud_dbname }} name={{ nextcloud_dbuser }} password={{ nextcloud_dbpass }} priv=ALL state=present
   become: true
   become_user: postgres
 
@@ -66,22 +69,20 @@
   template: src=vhost.j2 dest=/etc/nginx/sites-available/nextcloud
   notify: Restart nginx
 
-# FIXME currently PHP handled out of ansible
-#- name: Configure php7.4-fpm
-#  copy: src=www.conf dest=/etc/php/7.4/fpm/pool.d/www.conf
-#  notify: Restart php7.4-fpm
+- name: Configure php8.0-fpm
+  copy: src=www.conf dest=/etc/php/8.0/fpm/pool.d/www.conf
+  notify: Restart php8.0-fpm
 
-# FIXME currently PHP handled out of ansible
-#- name: Configure php7.4 opcache
-#  copy: src=opcache.ini dest=/etc/php/7.4/mods-available/opcache.ini
-#  notify: Restart php7.4-fpm
+- name: Configure php8.0 opcache
+  copy: src=opcache.ini dest=/etc/php/8.0/mods-available/opcache.ini
+  notify: Restart php8.0-fpm
 
 - name: Enable vhost
   file: src=/etc/nginx/sites-available/nextcloud dest=/etc/nginx/sites-enabled/nextcloud state=link
   notify: Restart nginx
 
-- name: Start php7.4-fpm
-  service: name=php7.4-fpm state=started enabled=yes
+- name: Start php8.0-fpm
+  service: name=php8.0-fpm state=started enabled=yes
 
 - name: Start PostgreSQL
   service: name=postgresql state=started enabled=yes

roles/nextcloud/templates/vhost.j2

@@ -1,3 +1,7 @@
+upstream php-handler {
+	server unix:/run/php/php-fpm.sock;
+}
+
 server {
 	listen 80;
 	listen [::]:80;
@@ -26,7 +30,7 @@ server {
 	# Add headers to serve security related headers
 	add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
 	add_header X-Content-Type-Options nosniff;
-	#add_header X-Frame-Options "SAMEORIGIN";
+	add_header X-Frame-Options "SAMEORIGIN";
 	add_header X-XSS-Protection "1; mode=block";
 	add_header X-Robots-Tag none;
 	add_header X-Download-Options noopen;
@@ -42,9 +46,52 @@ server {
 	client_max_body_size 1G;
 	fastcgi_buffers 64 4K;
 
-	index index.php;
-	error_page 403 /core/templates/403.php;
-	error_page 404 /core/templates/404.php;
+	index index.php index.html /index.php$request_uri;
+
+
+	location ^~ /loleaflet {
+		proxy_pass http://localhost:9980;
+		proxy_set_header Host $http_host;
+	}
+
+	location ^~ /hosting/discovery {
+		proxy_pass http://localhost:9980;
+		proxy_set_header Host $http_host;
+	}
+
+	location ^~ /hosting/capabilities {
+		proxy_pass http://localhost:9980;
+		proxy_set_header Host $http_host;
+	}
+
+	location ~ ^/lool/(.*)/ws$ {
+		proxy_pass http://localhost:9980;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection "Upgrade";
+		proxy_set_header Host $http_host;
+		proxy_read_timeout 36000s;
+	}
+
+	location ~ ^/lool {
+		proxy_pass http://localhost:9980;
+		proxy_set_header Host $http_host;
+	}
+
+	location ^~ /lool/adminws {
+		proxy_pass http://localhost:9980;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection "Upgrade";
+		proxy_set_header Host $http_host;
+		proxy_read_timeout 36000s;
+	}
+
+
+	# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+	location = / {
+		if ( $http_user_agent ~ ^DavClnt ) {
+			return 302 /remote.php/webdav/$is_args$args;
+		}
+	}
 
 	location = /robots.txt {
 		allow all;
@@ -52,96 +99,65 @@ server {
 		access_log off;
 	}
 
-	location = /.well-known/carddav {
-		return 301 $scheme://$host/remote.php/dav;
-	}
-	location = /.well-known/caldav {
-		return 301 $scheme://$host/remote.php/dav;
+	# Make a regex exception for `/.well-known` so that clients can still
+	# access it despite the existence of the regex rule
+	# `location ~ /(\.|autotest|...)` which would otherwise handle requests
+	# for `/.well-known`.
+	location ^~ /.well-known {
+		# The following 6 rules are borrowed from `.htaccess`
+
+		location = /.well-known/carddav     { return 301 /remote.php/dav/; }
+		location = /.well-known/caldav      { return 301 /remote.php/dav/; }
+		# Anything else is dynamically handled by Nextcloud
+		location ^~ /.well-known            { return 301 /index.php$uri; }
+
+		try_files $uri $uri/ =404;
 	}
 
+	# Rules borrowed from `.htaccess` to hide certain paths from clients
+	location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+	location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)              { return 404; }
 
-	location / {
-		rewrite ^ /index.php$request_uri;
-	}
+	# Ensure this block, which passes PHP files to the PHP process, is above the blocks
+	# which handle static assets (as seen below). If this block is not declared first,
+	# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+	# to the URI, resulting in a HTTP 500 error response.
+	location ~ \.php(?:$|/) {
+		fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+		set $path_info $fastcgi_path_info;
 
-	location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
-		deny all;
-	}
+		try_files $fastcgi_script_name =404;
 
-	location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
-		deny all;
-	}
-
-	location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|ocm-provider\/.+)\.php(?:$|\/) {
-		fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
 		include fastcgi_params;
 		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-		fastcgi_param PATH_INFO $fastcgi_path_info;
-		fastcgi_pass unix:/run/php/php-fpm.sock;
+		fastcgi_param PATH_INFO $path_info;
 		fastcgi_param HTTPS on;
-		#Avoid sending the security headers twice
-		fastcgi_param modHeadersAvailable true;
-		fastcgi_param front_controller_active true;
+
+		fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+		fastcgi_param front_controller_active true;     # Enable pretty urls
+		fastcgi_pass php-handler;
+
 		fastcgi_intercept_errors on;
 		fastcgi_request_buffering off;
 	}
 
-	location ~ ^\/(?:updater|ocs-provider|ocm-provider)(?:$|\/) {
-		try_files $uri/ =404;
-		index index.php;
-	}
-
-	# Adding the cache control header for js and css files
-	# Make sure it is BELOW the PHP block
-	location ~ \.(?:css|js|woff2?|svg|gif)$ {
+	location ~ \.(?:css|js|svg|gif)$ {
 		try_files $uri /index.php$request_uri;
-		add_header Cache-Control "public, max-age=15778463";
-		# Add headers to serve security related headers (It is intended to
-		# have those duplicated to the ones above)
-		# Before enabling Strict-Transport-Security headers please read into
-		# this topic first.
-		# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
-		#
-		# WARNING: Only add the preload option once you read about
-		# the consequences in https://hstspreload.org/. This option
-		# will add the domain to a hardcoded list that is shipped
-		# in all major browsers and getting removed from this list
-		# could take several months.
-		add_header X-Content-Type-Options nosniff;
-		add_header X-XSS-Protection "1; mode=block";
-		add_header X-Robots-Tag none;
-		add_header X-Download-Options noopen;
-		add_header X-Permitted-Cross-Domain-Policies none;
-		add_header Referrer-Policy no-referrer;
-		# Optional: Don't log access to assets
-		access_log off;
+		expires 6M;         # Cache-Control policy borrowed from `.htaccess`
+		access_log off;     # Optional: Don't log access to assets
 	}
 
-	location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+	location ~ \.woff2?$ {
 		try_files $uri /index.php$request_uri;
-		# Optional: Don't log access to other assets
-		access_log off;
+		expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+		access_log off;     # Optional: Don't log access to assets
 	}
 
-	# collabora static files
-		location ^~ /loleaflet {
-		proxy_pass http://localhost:9980;
-		proxy_set_header Host $http_host;
+
+	location / {
+		try_files $uri $uri/ /index.php$request_uri;
 	}
 
-	# collabora WOPI discovery URL
-	location ^~ /hosting/discovery {
-		proxy_pass http://localhost:9980;
-		proxy_set_header Host $http_host;
-	}
-
-	# collabora websockets, download, presentation and image upload
-	location ^~ /lool {
-		proxy_pass http://localhost:9980;
-		proxy_set_header Upgrade $http_upgrade;
-		proxy_set_header Connection "upgrade";
-		proxy_set_header Host $http_host;
-	}
 
 	# collabora static files
 	location /drawio {

roles/nginx/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+
+nginx_anonymize: False

roles/nginx/tasks/main.yml

@@ -8,7 +8,13 @@
   when: nginx_ssl
 
 - name: Ensure certificates are available
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt -days 730 -subj "/CN={{ ansible_fqdn }}" creates=/etc/nginx/ssl/{{ ansible_fqdn }}.crt
+  command:
+    cmd: >
+      openssl req -x509 -nodes -newkey rsa:2048
+      -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key
+      -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt
+      -days 730 -subj "/CN={{ ansible_fqdn }}"
+    creates: /etc/nginx/ssl/{{ ansible_fqdn }}.crt
   when: nginx_ssl
   notify: Restart nginx
 
@@ -24,7 +30,7 @@
   - /etc/nginx/dhparam.pem
 
 - name: Configure nginx
-  copy: src=nginx.conf dest=/etc/nginx/nginx.conf
+  template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
   notify: Restart nginx
 
 - name: Configure default vhost

roles/nginx/templates/default.j2

@@ -1,3 +1,5 @@
+# {{ ansible_managed }}
+
 server {
 	listen 80 default_server;
 	listen [::]:80 default_server;

roles/nginx/templates/nginx.conf.j2

@@ -47,7 +47,32 @@ http {
 	# Logging Settings
 	##
 
+{% if nginx_anonymize %}
+	map $remote_addr $ip_anonym1 {
+		default 0.0.0;
+		"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
+		"~(?P<ip>[^:]+:[^:]+):" $ip;
+	}
+
+	map $remote_addr $ip_anonym2 {
+		default .0;
+		"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
+		"~(?P<ip>[^:]+:[^:]+):" ::;
+	}
+
+	map $ip_anonym1$ip_anonym2 $ip_anonymized {
+		default 0.0.0.0;
+		"~(?P<ip>.*)" $ip;
+	}
+
+	log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
+		'"$request" $status $body_bytes_sent '
+		'"$http_referer" "$http_user_agent"';
+
+	access_log /var/log/nginx/access.log anonymized;
+{% else %}
 	access_log /var/log/nginx/access.log;
+{% endif %}
 	error_log /var/log/nginx/error.log;
 
 	##

roles/ntp/handlers/main.yml

@@ -1,7 +0,0 @@
----
-
-- name: Restart ntp
-  service: name=ntp state=restarted
-
-- name: Restart ntpd
-  service: name=ntpd state=restarted

roles/ntp/tasks/Debian.yml

@@ -1,11 +0,0 @@
----
-
-- name: Install ntp
-  apt: name=ntp
-
-- name: Configure ntp
-  template: src=ntp.conf.j2 dest=/etc/ntp.conf
-  notify: Restart ntp
-
-- name: Start the ntp service
-  service: name=ntp state=started enabled=yes

roles/ntp/tasks/FreeBSD.yml

@@ -1,10 +0,0 @@
----
-
-# ntp is already installed on FreeBSD
-
-- name: Configure ntp
-  template: src=ntp.conf.j2 dest=/etc/ntp.conf
-  notify: Restart ntpd
-
-- name: Start the ntp service
-  service: name=ntpd state=started enabled=yes

roles/ntp/tasks/main.yml

@@ -1,9 +0,0 @@
----
-
-- name: Debian
-  include: Debian.yml
-  when: ansible_os_family == 'Debian'
-
-- name: FreeBSD
-  include: FreeBSD.yml
-  when: ansible_distribution == 'FreeBSD'

roles/ntp/templates/ntp.conf.j2

@@ -1,15 +0,0 @@
-{% for srv in ntp_servers %}
-server {{ srv }} iburst
-{% endfor %}
-{% if ntp_peers is defined %}
-
-{% for peer in ntp_peers %}
-peer {{ peer }}
-{% endfor %}
-{% endif %}
-
-restrict default kod nomodify notrap nopeer noquery
-restrict -6 default kod nomodify notrap nopeer noquery
-
-restrict 127.0.0.1
-restrict -6 ::1

roles/pbs/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+
+- name: Enable PBS apt-key
+  apt_key:
+    url: "https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg"
+
+- name: Enable PBS repository
+  apt_repository:
+    repo: "deb http://download.proxmox.com/debian/pbs bullseye pbs-no-subscription"
+    filename: pbs
+
+- name: Install PBS
+  apt:
+    name: proxmox-backup-server

roles/pretix/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+
+pretix_user: pretix
+pretix_group: pretix

roles/pretix/handlers/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart pretix-web
+  service: name=pretix-web state=restarted
+
+- name: Restart pretix-worker
+  service: name=pretix-worker state=restarted

roles/pretix/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/pretix/tasks/main.yml

@@ -0,0 +1,127 @@
+---
+
+- name: Create group
+  group: name={{ pretix_group }}
+
+- name: Create user
+  user: name={{ pretix_user }} home=/home/{{ pretix_user }} group={{ pretix_group }}
+
+- name: Create pretix directories
+  file: path={{ item }} state=directory owner={{ pretix_user }} group={{ pretix_group }}
+  with_items:
+  - /etc/pretix
+  - /opt/pretix
+  - /opt/pretix/data
+  - /opt/pretix/data/media
+
+- name: Install dependencies
+  apt:
+    name:
+    - build-essential
+    - gettext
+    - libffi-dev
+    - libpq-dev
+    - libssl-dev
+    - libxml2-dev
+    - libxslt1-dev
+    - nodejs
+    - python3-setuptools
+    - python3-dev
+    - python3-pip
+    - python3-venv
+    - zlib1g-dev
+
+- name: Install PostgreSQL
+  apt:
+    name:
+    - postgresql
+    - python3-psycopg2
+
+- name: Configure PostgreSQL database
+  postgresql_db: name={{ pretix_dbname }}
+  become: true
+  become_user: postgres
+
+- name: Configure PostgreSQL user
+  postgresql_user: db={{ pretix_dbname }} name={{ pretix_dbuser }} password={{ pretix_dbpass }} priv=ALL state=present
+  become: true
+  become_user: postgres
+
+- name: Install redis
+  apt: name=redis-server
+
+- name: Install pretix
+  pip:
+    name:
+    - gunicorn
+    - pretix
+    virtualenv: /opt/pretix/venv
+    virtualenv_command: "python3 -m venv"
+  become: true
+  become_user: "{{ pretix_user }}"
+  register: pretix_install
+
+- name: Configure pretix
+  template:
+    src: pretix.cfg.j2
+    dest: /etc/pretix/pretix.cfg
+    owner: "{{ pretix_user }}"
+    group: "{{ pretix_group }}"
+  notify:
+  - Restart pretix-web
+  - Restart pretix-worker
+
+- name: Run migration script
+  command:
+    cmd: "./venv/bin/python3 -m pretix migrate"
+    chdir: "/opt/pretix"
+  become: true
+  become_user: "{{ pretix_user }}"
+  when: pretix_install.changed
+
+- name: Run rebuild script
+  command:
+    cmd: "./venv/bin/python3 -m pretix rebuild"
+    chdir: "/opt/pretix"
+  become: true
+  become_user: "{{ pretix_user }}"
+  when: pretix_install.changed
+
+- name: Enable pretix cronjob
+  cron:
+    user: "{{ pretix_user }}"
+    name: pretix
+    minute: "*/5"
+    job: "export PATH=/opt/pretix/venv/bin:$PATH && cd /opt/pretix && python -m pretix runperiodic"
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ pretix_domain }}.key -out /etc/nginx/ssl/{{ pretix_domain }}.crt -days 730 -subj "/CN={{ pretix_domain }}" creates=/etc/nginx/ssl/{{ pretix_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for pretix
+  template: src=certs.j2 dest=/etc/acertmgr/{{ pretix_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/pretix
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/pretix dest=/etc/nginx/sites-enabled/pretix state=link
+  notify: Restart nginx
+
+- name: Install systemd units
+  template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
+  with_items:
+  - pretix-web
+  - pretix-worker
+  notify:
+  - Reload systemd
+  - Restart pretix-web
+  - Restart pretix-worker
+
+- name: Enable services
+  service: name={{ item }} state=started enabled=yes
+  with_items:
+  - pretix-web
+  - pretix-worker

roles/pretix/templates/certs.j2

@@ -1,13 +1,13 @@
 ---
 
-www.{{ plk_domain }} {{ plk_domain }}:
-- path: /etc/nginx/ssl/{{ plk_domain }}.key
+{{ pretix_domain }}:
+- path: /etc/nginx/ssl/{{ pretix_domain }}.key
   user: root
   group: root
   perm: '400'
   format: key
   action: '/usr/sbin/service nginx restart'
-- path: /etc/nginx/ssl/{{ plk_domain }}.crt
+- path: /etc/nginx/ssl/{{ pretix_domain }}.crt
   user: root
   group: root
   perm: '400'

roles/pretix/templates/pretix-web.service.j2

@@ -0,0 +1,18 @@
+[Unit]
+Description=pretix web service
+After=network.target
+
+[Service]
+User={{ pretix_user }}
+Group={{ pretix_group }}
+Environment="VIRTUAL_ENV=/opt/pretix/venv"
+Environment="PATH=/opt/pretix/venv/bin:/usr/local/bin:/usr/bin:/bin"
+ExecStart=/opt/pretix/venv/bin/gunicorn pretix.wsgi \
+                      --name pretix --workers 5 \
+                      --max-requests 1200  --max-requests-jitter 50 \
+                      --log-level=info --bind=127.0.0.1:8345
+WorkingDirectory=/opt/pretix
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target