indium: new temp. host for igel livestreaming

otherwise the role will fail if the host it is deployed from has VPN but
is not using our DNS infra

README.md

@@ -1,11 +1,69 @@
 # Binary Kitchen Ansible Playbooks
 
-This repository contains the roles to setup most of the infrastructure related to the hackerspace Binary Kitchen.
+This repository contains the roles to setup most of the infrastructure related to the hackspace Binary Kitchen.
 
-## Using
+## Usage
 
-TBA
+To apply the current set of roles to a single host you can type: `ansible-playbook site.yml -l $hostname`
 
-## Style / Contributing
+It is recommenced to alway run in check mode (`--check`) first and use `--diff` to see what has been (or would be) changed
 
-TBA/TBD
+
+## Current setup
+
+Currently the following hosts are installed:
+
+### Internal Servers
+
+| Hostname                  | OS        | Purpose                 |
+| ------------------------- | --------- | ----------------------- |
+| wurst.binary.kitchen      | Proxmox 8 | VM Host                 |
+| salat.binary.kitchen      | Proxmox 8 | VM Host                 |
+| weizen.binary.kitchen     | Proxmox 8 | VM Host                 |
+| bacon.binary.kitchen      | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| aveta.binary.kitchen      | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| aeron.binary.kitchen      | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| sulis.binary.kitchen      | Debian 12 | Shell                   |
+| nabia.binary.kitchen      | Debian 12 | Monitoring              |
+| epona.binary.kitchen      | Debian 12 | NetBox                  |
+| pizza.binary.kitchen      | Debian 11 | OpenHAB *               |
+| pancake.binary.kitchen    | Debian 12 | XRDP                    |
+| knoedel.binary.kitchen    | Debian 12 | SIP-DECT OMM            |
+| bob.binary.kitchen        | Debian 12 | Gitea Actions           |
+| lasagne.binary.kitchen    | Debian 12 | Home Assistant *        |
+| tschunk.binary.kitchen    | Debian 12 | Strichliste             |
+| bowle.binary.kitchen      | Debian 12 | Files                   |
+| lock-auweg.binary.kitchen | Debian 12 | Doorlock                |
+
+\*: The main application is not managed by ansible but manually installed
+
+### External Servers
+
+| Hostname                      | OS        | Purpose                 |
+| ----------------------------- | --------- | ----------------------- |
+| helium.binary-kitchen.net     | Debian 12 | LDAP Master             |
+| lithium.binary-kitchen.net    | Debian 12 | Mail                    |
+| beryllium.binary-kitchen.net  | Debian 12 | Web *                   |
+| boron.binary-kitchen.net      | Debian 12 | Gitea                   |
+| carbon.binary-kitchen.net     | Debian 12 | Jabber                  |
+| nitrogen.binary-kitchen.net   | Debian 12 | NextCloud               |
+| oxygen.binary-kitchen.net     | Debian 12 | Shell                   |
+| fluorine.binary-kitchen.net   | Debian 12 | Web (div. via Docker)   |
+| neon.binary-kitchen.net       | Debian 12 | Auth. DNS               |
+| sodium.binary-kitchen.net     | Debian 12 | Mattrix                 |
+| magnesium.binary-kitchen.net  | Debian 12 | TURN                    |
+| aluminium.binary-kitchen.net  | Debian 12 | Web (div. via Docker)   |
+| krypton.binary-kitchen.net    | Debian 12 | PartDB *                |
+| yttrium.binary-kitchen.net    | Debian 12 | Hintervvoidler *        |
+| zirconium.binary-kitchen.net  | Debian 12 | Jitsi                   |
+| molybdenum.binary-kitchen.net | Debian 12 | Telefonzelle *          |
+| technetium.binary-kitchen.net | Debian 12 | Event CTFd *            |
+| ruthenium.binary-kitchen.net  | Debian 12 | Minecraft *             |
+| rhodium.binary-kitchen.net    | Debian 12 | Event pretix            |
+| palladium.binary-kitchen.net  | Debian 12 | Event pretalx           |
+| argentum.binary-kitchen.net   | Debian 12 | Event Web *             |
+| cadmium.binary-kitchen.net    | Debian 12 | Event NetBox *          |
+| indium.binary-kitchen.net     | Debian 12 | Igel CAM *              |
+| barium.binary-kitchen.net     | Debian 12 | Workadventure           |
+
+\*: The main application is not managed by ansible but manually installed

group_vars/all/vars.yml

@@ -5,6 +5,12 @@ acertmgr_mode: webdir
 acme_dnskey_file: /etc/acertmgr/nsupdate.key
 acme_dnskey_server: neon.binary-kitchen.net
 
+authentik_domain: auth.binary-kitchen.de
+authentik_dbname: authentik
+authentik_dbuser: authentik
+authentik_dbpass: "{{ vault_authentik_dbpass }}"
+authentik_secret: "{{ vault_authentik_secret }}"
+
 bk23b_domain: 23b.binary-kitchen.de
 
 coturn_realm: turn.binary-kitchen.de
@@ -16,19 +22,12 @@ dns_axfr_ips:
 
 dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
 
-drone_admin: moepman
-drone_domain: drone.binary-kitchen.de
-drone_dbname: drone
-drone_dbuser: drone
-drone_dbpass: "{{ vault_drone_dbpass }}"
-drone_uipass: "{{ vault_drone_uipass }}"
-drone_secret: "{{ vault_drone_secret }}"
-drone_gitea_client: "{{ vault_drone_gitea_client }}"
-drone_gitea_secret: "{{ vault_drone_gitea_secret }}"
-
 dss_domain: dss.binary-kitchen.de
 dss_secret: "{{ vault_dss_secret }}"
 
+fpm_status_user: admin
+fpm_status_pass: "{{ vault_fpm_status_pass }}"
+
 gitea_domain: git.binary-kitchen.de
 gitea_dbname: gogs
 gitea_dbuser: gogs
@@ -69,6 +68,7 @@ mail_domain: binary-kitchen.de
 mail_domains:
 - ccc-r.de
 - ccc-regensburg.de
+- eh21.easterhegg.eu
 - makerspace-regensburg.de
 mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
 mail_server: mail.binary-kitchen.de
@@ -77,13 +77,17 @@ mail_trusted:
 - 213.166.246.0/28
 - 213.166.246.37/32
 - 213.166.246.45/32
+- 213.166.246.46/32
+- 213.166.246.47/32
 - 213.166.246.250/32
 - 2a02:958:0:f6::/124
 - 2a02:958:0:f6::37/128
 - 2a02:958:0:f6::45/128
+- 2a02:958:0:f6::46/128
+- 2a02:958:0:f6::47/128
 mail_aliases:
 - "auweg@binary-kitchen.de	venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
-- "bbb@binary-kitchen.de	timo.schindler@binary-kitchen.de"
+- "bbb@binary-kitchen.de	boehm.johannes@gmail.com"
 - "dasfilament@binary-kitchen.de	taxx@binary-kitchen.de"
 - "epvpn@binary-kitchen.de	noby@binary-kitchen.de"
 - "google@binary-kitchen.de	vorstand@binary-kitchen.de"
@@ -96,11 +100,13 @@ mail_aliases:
 - "orga@ccc-regensburg.de	anti@binary-kitchen.de"
 - "paypal@binary-kitchen.de	ralf@binary-kitchen.de"
 - "post@makerspace-regensburg.de	vorstand@binary-kitchen.de"
+- "pretalx@binary-kitchen.de	moepman@binary-kitchen.de"
 - "pretix@binary-kitchen.de	moepman@binary-kitchen.de"
 - "root@binary-kitchen.de	moepman@binary-kitchen.de,kishi@binary-kitchen.de"
 - "seife@binary-kitchen.de	anke@binary-kitchen.de"
 - "siebdruck@binary-kitchen.de	anke@binary-kitchen.de"
-- "vorstand@binary-kitchen.de	anti@binary-kitchen.de,avarrish@binary-kitchen.de,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
+- "therapy-jetzt@binary-kitchen.de	darthrain@binary-kitchen.de"
+- "vorstand@binary-kitchen.de	anke@binary-kitchen.de,christoph@schindlbeck.eu,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
 - "voucher1@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher2@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher3@binary-kitchen.de	exxess@binary-kitchen.de"
@@ -113,7 +119,12 @@ mail_aliases:
 - "voucher10@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher11@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher12@binary-kitchen.de	exxess@binary-kitchen.de"
+- "voucher13@binary-kitchen.de	exxess@binary-kitchen.de"
+- "voucher14@binary-kitchen.de	exxess@binary-kitchen.de"
+- "voucher15@binary-kitchen.de	exxess@binary-kitchen.de"
 - "workshops@binary-kitchen.de	timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
+- "tickets@eh21.easterhegg.eu	orga@eh21.easterhegg.eu"
+- "hackzuck@eh21.easterhegg.eu	kekskruemml@binary-kitchen.de"
 
 matrix_domain: matrix.binary-kitchen.de
 matrix_dbname: matrix
@@ -133,11 +144,16 @@ nextcloud_dbname: owncloud
 nextcloud_dbuser: owncloud
 nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
 
-nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
-nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
-nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
+omm_domain: omm.binary.kitchen
+
+pretalx_domain: fahrplan.eh21.easterhegg.eu
+pretalx_dbname: pretalx
+pretalx_dbuser: pretalx
+pretalx_dbpass: "{{ vault_pretalx_dbpass }}"
+pretalx_mail: pretalx@binary-kitchen.de
 
 pretix_domain: pretix.events.binary-kitchen.de
+pretix_domainx: tickets.eh21.easterhegg.eu
 pretix_dbname: pretix
 pretix_dbuser: pretix
 pretix_dbpass: "{{ vault_pretix_dbpass }}"
@@ -163,11 +179,17 @@ slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
 slapd_root_pass: "{{ vault_slapd_root_pass }}"
 slapd_san: ldap.binary.kitchen
 
+sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
+sssd_base_user: ou=people,dc=binary-kitchen,dc=de
+
 strichliste_domain: tschunk.binary.kitchen
 strichliste_dbname: strichliste
 strichliste_dbuser: strichliste
 strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
 
+therapy_domain: therapy.jetzt
+therapy_secret: "{{ vault_therapy_secret }}"
+
 vaultwarden_domain: vault.binary-kitchen.de
 vaultwarden_dbname: vaultwarden
 vaultwarden_dbuser: vaultwarden
@@ -176,3 +198,5 @@ vaultwarden_token: "{{ vault_vaultwarden_token }}"
 vaultwarden_yubico_secret: "{{ vault_vaultwarden_yubico_secret }}"
 
 workadventure_domain: wa.binary-kitchen.de
+
+zammad_domain: requests.binary-kitchen.de

group_vars/all/vault.yml

@@ -1,113 +1,110 @@
 $ANSIBLE_VAULT;1.1;AES256
-33356339653434306633616533373539393833643861336239613238306565383934623362323936
-3231313234343830613238636565366362393164303361640a353264333266633737366330653939
-63306561623062623637383862323462336238623737666638346535653262316631356335653634
-3266313436366432620a363766343137643236646139613666646361663638613033323234386330
-38366261353239613837623463376130383033336665393936613937633330613461653831376461
-64356337356338383537323231653238353861626461306164393033326635626537613636623132
-33306634326437646234623531313432323131336635336365333334643761343233656564303233
-61643461656631396533343463663937653063353235393861623433306666363131343061643938
-33623039636636386662383639663837373730666164303430303634303936303837326431643538
-39333061636534323932316432393364353537353665643138636637313731316637316139643635
-32363262343161656664666432333533303836623661643264323335313836666162633261633963
-33326131653034313763613164656135636532373261346631326335396533613234353138316233
-34356364666365656630376536666139303332396235356365356232333831373362663536326364
-65386563613631323339356232323334396539326163373630313038333364366439353935663335
-35383530353465636532326162336136366664353539313465346536323339343234393231313833
-63383163633439363234353230343463653265363062623961316565376237396131666264373737
-34313435356661653763356238363734663239613933326239623535393564363162663535663238
-39313562353364373638373734626136636135303962326135343333616536373761663533613734
-37336566663036383466343433376466633061383032653137653935336238613665383661393939
-64656366383538623862356538303266656364653561313538316461316232306531343265303263
-65356531626335666433646438323463343731656235376338613439663636353934323461306465
-36303262346465626332616233323636306232373435373765616237336636333466393233373264
-64646437656638633565333436353433386535633063363235613537353038373439616565373936
-30306131383661383930336365353435666134373438316335656564396530316266636134316437
-31653832343932646165363563653462326665383533636365373963366233386464373634313535
-37333962326132313065633830306136373264363162303838376138343131386131346563396335
-36336163383966353738353638376161663131643362626664323865666464306336653462383035
-36353938633662353733303662323335376664346437643361623033646261636432306536626130
-39353630653166653034626362643864363266393233363238326538376237656130343163616435
-61626334313436386639356635623963353938643032323165633732303961393530343664613034
-34656462306434386262616366343532356138643632616466313261366434373939316538326637
-38396436333033373333383062366561313834636239666166373464343862323231633337386536
-31313834373362666630393535663738346561336130383961336365633035373939656662373563
-37643530653638336236383166663438623636623639363839356330396337366462653563346233
-63666231356463333764653666393264386433346562336537663439653464613661663536303863
-38373362393937336266646336393731653864326639623834303663363861393539376632343364
-30626265373931393332353135313461366435386435626636306231303165393564313365393037
-61306264326264663337313139613165336135643133383166323339393232653335326435343136
-61393636643431336235366331616464653633373865353439323034386631643761383431643761
-32646461323731623335633834663938306537363636373066383933373835353031336338623535
-62303934623439363364396466386366616365623130363863353938376566383762343362613130
-39653730633030383039616264646464623434396137616237343466653034373538656162643362
-66656433376134313761303238303965313262336439643330333661613939613037633333303564
-32393431383364656161316635363766343030643437653037393566323365643739346134303864
-64616437663761613034313539383230323932393130363464333731376332303137363034313338
-66663735656130353834373564663936653639626662323436646162393831393637326361386235
-37656265353264666133666162316536643861303939316131613661353633313164666165356663
-33323739633837656164326661663966343937653966636237643535303232333464313562363838
-34613530653237343765613834663935613766323765353431666331653733336464626263653436
-63383538633334343130376463353334616531306164366565323536333231356537373834353264
-30363534303264393235306564323562313539333666313361623830396530356261623436346133
-61313562333335396263633632643062326236653631376462363833356438653539323338383632
-39396464373366646433303738363565346663353733346366636136313361353137663666333339
-66333337373466613230326661363231613164313437316263396361633639393136393837616266
-32343637393034353562346566316138323838613836313632656465316635373531323034663132
-64303166396561326264313338346166323166353561646635663665643038616530636130373734
-30623934646439633531376135373536636562663636383438306433643530643639343236353733
-33306632323738333438633635313563313035333133393439613139613563616264313433363663
-33363033663734666630393030386534306632653163656231383464386266393263306432336462
-61323963396239333833373136393563643534353765313261646238386236356534303833306166
-30373462326339333764613331353162623338633939613938636565336466633030346135303737
-33393633646336326237396434373961613965623565656437653862343635343737623633633032
-36316266646339316636316434373966373666383039336631386365626335343739646330373436
-31616266646565343935336636316531383737646132393462343631316638646337343031623839
-61383831393061336532636565306330643534396466346363636633346139316464376133363730
-64326333393734333430373732353961663137353966646165353564636161306462626161393737
-39663234633531363864376166383531333832663463316463633530323662616536626334636334
-39383638303939633234383336363239353264326239366135646233316564633036333532366361
-30303330663739303063633264366165313966356566613361663834326535326138396238353433
-30656532316164646339306266663739323964363966303030323631343163626139633863343161
-37613338343865373065643162656238613039376634373237376262383335313536386138393738
-66373935633536633136663366323038626130633835333036646134396562316630656539323532
-64346135353062636364313733373266343133653566373961643532663736666132333331656161
-64633136356332663535653763326563346234666535643331616336323164383635373264343763
-61383233616663313164336338636130366462343936633539393638373164373332643462393661
-63356364353565356135313461616537643532316235336565656162643430666638653338356132
-32333138306438633061636430636538623461653538363037633330653338306230376439363434
-32346239313938633161326134643565626531626130666663353836633531366232366262613332
-66303262313736643138663363323365653039313237376665306131393461666435353763633261
-39313339313737313266383334356533643765373964643832366430393335353030373838646136
-37353430376439663563313537366536346630666533313763363934653663616236656534366365
-62353434363439646436323133323763383062356661643931643262386233343538653661623065
-38663939633665303935313531363938663062383934656532636339326532363866663233626633
-64666464353335386163313634333732386466396365306366373532366635376334373064656261
-39623963633233396636653033343564643333393833393937323964663832303565643432623135
-33353361336339666436343061313539373662306230393036346537343834666563326134313265
-31663138613534303262383461313930626163343437653334333163383866353562363965313964
-31353464383135666666393239356632616564376639346438643930373135303935346430633937
-33313035353265323439386233623430633435616539383834303266616363316338393830653137
-36653036323065383936393532643332636265656165633437306137646363626532353436656534
-33346430313534336166353130653034373239613533656465386337643330383062353861333331
-33343264376463616566656339306333346439306338643739336635336631336237613465636230
-38613038333930346264373330316232343233646334373266646438376637363434653138303032
-36346135346564666265326262313862323465313965326636346132646637313762356137613339
-65396263356562653664373061376464623936613036343264663635386537306262323463396632
-33643237623362366138323132626233653631633863313165346661366138366363653637383430
-63303036613637396662323062366132313764396237353639386235383039353634396537333263
-65376665303539626661643562373561626234323234363265326331343963346163333763616332
-36393063376431633566353339303963393865383831353735626134373037653938303338363936
-36393130653861633231303136636636393263303064343662336662383661663864623762383031
-35373935656264393339326563643665623230313032613630383538393036616265366335353934
-65636339313838653038396433643134386235393238386665363364313034626662373736383639
-37336331626339646466306134616465636665613337376335396532343530356532303635353761
-63666235313335353237333535396332653866373930303433613236643665333762616133326362
-36323434343261313635303731363965313566353164356135393034333737396365333164386465
-31376537663534656634663863373364653234376263333530633666646331343536613866383361
-37636664646139383165396531333162613838313736316361633134653238386534386362623631
-63333531303632356661393637373164383833343965313465363735663534313666653561313861
-64313635643765663966316266316133393931663735653933613665326532646632306236353734
-64343462643834373461636261323337646431346435313633396332383934306138333231343263
-32303431616331386339333063653965343062323733333032663432393334323033656564373332
-66613166353130626336
+35346137343735356637663033653465666664363730663138663936636632306566313836643132
+6633663564393937323035363563326465366364373961310a643132653066323938333863626264
+66656663646164633538396132363231373430636134313632333834633435336331396338623933
+3832343264356539390a313937393535623838356465313530303836346164313261613537366430
+64393533613662376466363462643262643433663839393166613938616462663732346234363436
+66663837333861303530373036363536376239633764356461303534626233343861343135353234
+61356362353635343737356430666536636339306630613263613933356330366132356661343566
+33306437666461656339653131633537643931333164396463623433633263633139366565636362
+35306339333631623036386134373839303739373230636164653137393439633530366163613636
+65326635396135313530366161373438623365356437353234343537393033356135623862393033
+62643033656331373435316665313933653835653663376432366461363261303131623237623663
+33363238663963363963326531386137613564633338653466393436663438313231313466323433
+32323934343462333264646137366461303333363165303433663130326437353236653336623266
+30653930616465313930303961383538376662386331663430613064306366323035663431656461
+61623735336162636662616232346637653566306433316237613762623133323236353533623833
+61306630376231643266663732343565386465373066643339633136643961656161393738373862
+33353162656331363563343234303538383763303736393661333831366436633533656265343930
+38616462363238613464386439663830663264646133633631646166346130663464633333333730
+33653231303636653638323136663066666465353532383331663163626237656265656463393139
+64363465663732343930613931313363336633363335383564626366383537376634363461616163
+39393630343531313638363230656634623836396366326530616637363334313961366233306233
+35633961303661376663643339613835633563336361646137353466366436373263363138663563
+62356365616664353131663764303730643361613038663833373834336132306265376436616464
+38383937626439303362636432363936313930313339366565353034313339663536373138376438
+34366637363838623064633765653134383230656565373263356164326661326133353634636536
+31383961343066306437623031386461643430326134646537613366623131353161353335313664
+61633834656438366331653966373131656634303135373630363762313765316364343837663431
+32373438616561333634343436366638353439363563656331333263653061613231303733633134
+66386563346535646339303039353962363762663164386436626632623465363833323434343066
+63626466653162616164323831336165646136613530383063353232333464333234316435386266
+62333535373131666434626261333335663762346663313630643136383835376663636136363933
+33623237666537613164623362396537396163373437633537376435356638653533613939663734
+66626564633435663164616365313339386232386562636461653262363332393536353138393730
+33323464376666663236366134366436313237666635356565346235363630363265343535356233
+35653163663962316336323931356436366439653835346138623966366436373066303932346637
+31393932343136633239663238363337626266623163316165646533333363393038383038316664
+34363739613234666466353163643236356238353831636163393763336261353831313136653963
+33636265383634393332373031306261363764303730633466616432316433656166393035653737
+30643231616334366231333761633461653338653633663564643938616163663532333639353830
+64383761306138303736643962386235353366333832616138306237393738396230303633333132
+31373362323261303362613336333130626364646561653335373639333262663735376437376433
+36386236343233373631303633626363336665656131633862633363326233636636373832353937
+39303237393632363337396362323936646333376439373031626330343139373636333062383138
+33333137623066303961376137613361313831636631663865343863633735366433643165643035
+39373565396561326362376435666539386263666635363664633833336536366466613163323134
+39653239653935346262656333306635646535626563323130663838313564383165393961346161
+39616439376435613535336434343364343066353863626363613765303862306663373730346539
+39363136393463333538323266633235643963363663323265313738633037303862633265353236
+64343361316437623732366163326633346462343332333735333936633266623832633939626362
+32333035613963666530663335656562393465323063336330383535326565346536393731333165
+30373733343136306532636666313338626434313334303933636238643034386438386364663932
+35313134633532373466363132623632376666396161333064376538616137656163663633653064
+66623633343939306638643132386139303761646364656163326263313066616535623234323361
+37396366663734373334386131663161346461383938313263346537353836366264616164636262
+64376535373431376465386165613765653732303461356565623965346334376564343439386164
+30393664353461623965303265393338353366616164633739383434623834306166376631643330
+31303866306561366132333532396135653261613935623537366562313433396436343666386535
+37323861343462396163333431663137643232393865643238316338323735366637643666343735
+30663334326332616361623662653133383536326635626434383830633434366330313731356531
+30366562613532643334613430313737633266343237373765366238313833656463646462613666
+32393734356638633966643133383961613332623331633634646439353338303266393366323564
+36353032383030623163323065653833656330363466336466656562373034653061346163366238
+33346534313633333134356665656462346234393230323132626661666362373566383036653937
+66366266333934343263326433326163373730383361653262633966333135316437633835303665
+66663430363039633464636531326135616563636131656265356438313633306236653431656664
+30343733313638363237343131626538643932373931623136323862646366623362306365616131
+37303966343562313730653763633564336435336362656262363735393966633135376236616163
+39626637393865643338623863346666333764616430383038303434626164653861346433333764
+61386131303764383137616334363866363363313165366339636530393362396135306265303464
+63333030306338346633633863306238333334393562373662663562313733643432396462313131
+65333661343031656263623230346230353266303261646131303731636466303863323466356232
+63383835316161306431663962343966366338323138383632326533646461326232356133356265
+39636434376436363439376230633237366536653561616264613665656635636532623330353466
+65366132646536316131323038313263333961656430343661303664366266313861343463303364
+32303662393433353462346464393931393637316537623061343635353938663765646234323431
+38643531653132633763666663623637373431653731383037346262646332393864643431363338
+32343963623364613538656338336365343265383262656139643934333037383930376564343636
+33623835663035313839656333613833396635646537616464376138663262346564383834643933
+30383039633164353730656339616436343330333134323136646664393764343163313536373261
+31646164656166376232653034363864623161326564303337636534653762336337346335373238
+64373062306165616162666362326531643964656366653037663163363964653462346633666434
+35303638623239353934636332373562343962393531346132303032623334333335373734643034
+64646361373066316134613635666435306235313632633633643864373261643065303937323639
+65383663626338303134613532623763626430623864313930366463663632313130383033633831
+66613531623534336461393764623237383231333133336638313637306439633361353039613938
+30613562393635646235336330633933336233363735346534633266633730346236353265333464
+39613132306232653639326336643662353461356439623233316465316232396366616531396464
+63626462383639353434316364363164376639363264646530323038373439643132343264643231
+32656465366265383630626332613636336632656136333330643937633630396663626632333930
+61623661633666316630616632633832613231386235653434663964316533306233383539343637
+38663431666230653736326531353934396562656161616462383466353637363732616636373033
+39643438356632306431386235333532326463646161616466646634633163366233363362343563
+34393631343733326363363737623638383939353266343262633232336633386233346436393333
+31646161613464623137353939613437623835316531343336323833653437363563363462633536
+36313230363131373233623731636363313034366665633737346134366666393634386637626563
+36376135373330396664616435353539333439306434313933333235646363313262336163386263
+65353361363066363234353336623466393331326332316530356636343865663137313737313830
+35633563343064333565373463343234393732333735363963333336646561393764316462643466
+36653162343239373038336134393532386363333638383831333834373030633138633530353336
+63376334666632323130633136613230306135336231666635363036633066323863346138643330
+33623462653638656237646634623431313664336636366330626135653730323239323462383262
+39326431386235363034386138653665353136356536373838636336626430623164353761636662
+32623363663163633433623833633665313662636264656662373061356336383965303731313431
+34373332616336303062363564656137383463353836303134363434356265393361346365343630
+32613933633139643637363136623863663962356166336134656464613362363130333930356230
+63626365353266383137643263636163613932343333363632333936613831616465646437656465
+35636534363461336332626134346239656238643561313935363366343462333639633937303664
+64323739643562343234333739353334663834626438386432663737653366633466666362643138
+64313536306363653562623536646261313639333266643336613932363835356665

host_vars/aeron.binary.kitchen

@@ -3,4 +3,7 @@
 radius_hostname: radius3.binary.kitchen
 
 slapd_hostname: ldap3.binary.kitchen
+slapd_replica_id: 3
 slapd_role: slave
+
+uau_reboot: "false"

host_vars/argentum.binary-kitchen.net

@@ -0,0 +1,6 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyGAePGA47K+VNFcKdvcQG3xM3ywcnrVtUD7wPrIin1 christoph"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINIhrQu5sf9LYoQ6ll1ShqDMX8xpsV9RUiaSw95JGafH flo@io3"

host_vars/aveta.binary.kitchen

@@ -3,4 +3,5 @@
 radius_hostname: radius2.binary.kitchen
 
 slapd_hostname: ldap2.binary.kitchen
+slapd_replica_id: 2
 slapd_role: slave

host_vars/bacon.binary.kitchen

@@ -13,4 +13,7 @@ ntp_peers:
 radius_hostname: radius1.binary.kitchen
 
 slapd_hostname: ldap1.binary.kitchen
+slapd_replica_id: 1
 slapd_role: slave
+
+uau_reboot: "false"

host_vars/beryllium.binary-kitchen.net

@@ -1,5 +1,5 @@
 ---
 
 root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB+wC+Lik9TNbRo40+e2BmJzJY8EuwRiJzKKvGCHlMmagOmZVf+zUmjc1uMvrgoA4UPJyKlkW1HqRhKLmsoccD2wg1JLlnjx6KBhiPGjPt833eWv0CyfJVqoHVPUs14BwCRGzuFZPXh8LC1XWiDlo23RC0RgPpk+wcOzf79ZivYSL4UNMcBIMIKmPlRwBLRUUXjYU2jgv1mWvIQVdKRbwmLk7FajREANKiLj+Tk+D4VmkDq6gUqXZHYbyUauwrtpYSv2JM6YQYhWz+eNXIID1NmlopAf66RwFxAaane6qMUMSCQw3HUBL2BjFGgmmdJPvsEfrj+S1CYh61iC1NHmPhP6DDnQO7aiP6dWLnRXLg4qcUaN0XGNZmhScls/jNbN4U+w6gIlR12KyoCJOK4pXiifBiuqmFGucyETex1jdKoaLPeB8Smu4HkFksmRgTZHbiYVvkgI/iW9KjBBzxCc8cwehabUpQ0DVN4chpFiFNHb3SfCh6W/3IKFcu4ou4lbvVowq+v/M7aDhjSqGEBMS/HRMQ8KteNTngFBcpTzMPBz1RQIOqlWUGp8yqu1SwZ/ZG1nMyUehchfkw/n+ML676UYMCZX2m7hqWXVccCnJLzFApv+0Lzqf3TNSbeLS1N/MDdjg+uejtj1889/leIF1/CnaHIs7WJN1qmdeVGw== anti"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/indium.binary-kitchen.net

@@ -0,0 +1,5 @@
+---
+
+root_keys_host:
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCNBY95YcFFBeiHM3IDzqKT/X/U09bpAWXwkCWIg6KlZumZg891apx6a0HLDannoBt7YCyYFgl3c1eJ36D08tRcy5c5k/+8Xhq0hq/HWo3EV5sd6Y+8xeTRST6Um8nyxHoSI7xw79yRoteOUDIzPnmDtbLQ2z3vWkA/H1EZQ4IjeQgFhl9vl4EyuAJ47Cdlv1D870BDspgAEoxSbipQEEnPsIctdyySp1R/sNC5tuP6qaoQ6nIDFdgv5rcY8SmgJQ2otlGex18RSBObBjdfyepV71mluqfs6HtVsM9zDvRUwY/FX4wmVc4QPdPLh/2kzEZi0YzefB10tpsuvhaOFI8JqXBDuSFZh3xCzRmKRlmqn50jrvGkYGUWg/GNYNF2rLCltCzg3BJHGaFh9sOtjaKLW+hTJwDtz4LIqNZb6w/2586hzjGCrrZgN24eLEcdp7iTPnkCul+kgOZaa62ytdKjza6/tgKCeUaEwmJTBuKMp/hor/LdLeibYgTtqUoFB7j1Ti2ey7oHly1oiSaKcR/hChgx0sniltRmzJI7KLuUiF+xkpv5Kf4rGl7UjvVxyf3glNh5DL87CfeWkGF3dgsjJdfYIHVJz/Bf6x0aB2TyybF8Exm0R05dhMT6ahZqMqa5d/aUZN+S3MaXw2amHWbMe8VcFpu/AztqrQM8sM+Mw== sprinterfreak"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/oxygen.binary-kitchen.net

@@ -1,4 +1,4 @@
 ---
 
+sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
 sshd_password_authentication: "yes"
-uau_reboot: "false"

host_vars/rhodium.binary-kitchen.net

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

host_vars/strontium.binary-kitchen.net

@@ -1,4 +0,0 @@
----
-
-root_keys_host:
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkN1eqP1Mv29z0npVznVJ4Cumyf4EoqS44xHKl0ms0e timo@charon"

host_vars/sulis.binary.kitchen

@@ -1,3 +1,4 @@
 ---
 
+sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
 sshd_password_authentication: "yes"

host_vars/technetium.binary-kitchen.net

@@ -1,4 +1,5 @@
 ---
 
 root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcoIXTF0RtzM2vDir8axegFpLKNxGJyYNLj2triQm59GIvNRPHG/nBoaDcUwRT5b6Ew91KMw6iT1eI0n9oKbTMHZHvdSLLUmNmZT4z4JQOQm0n415ZW9m1r3R3S8sAxiLQ+5U91xnbHlzfuBKvpI56RLZNbkhAcqw9kS/UasO0UAFpdGL5CBnbJt0KPb4C9cYUM6H4clZFpWVDdK3+6gh+/Jx9QPmpPv0wfWI7z0fvQYUcXDFLjPh8CFK7BOcPZcv4V4bl5Tq1dTURMLaueTD0F5Ygn7cxKaDNvql4EIPDZaRCEz3cIvFB7435emRgZC54YmhWIYC+oJrLTlMCrYKhISLtWg92EcE/aCUNL0V+n1EK5dkds+AY/eDiyP58ArAHNsopXmcHiko3goyZyEK5Y0tJ5sA9L4Q0mgLz/rW1CsZHcpiYU9yKpDRscbf3DDlFMzMYG8O9JufgcyF+GFhxIhXesfjJ4gDNepaYhd/qutwThip027cKtoczLAMR2xbT6bUYr7KKmxvXVlP7Epkfi3N2cj/Wx9gAm1qIs1yjcWCe71k1QMC+dTNTV+T9Ch5d1lji7lGOKDl70rB/WytdISVlEJr8TviBk27oldCuC1WCPGjRxWeGv5uVxE9O7nQh0dxox+HFssa7ENuDR9LEd9O6Zvuf09pzDASB0PjFyw== bedah@binary-kitchen.de"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBMLLlnlzbf5GTes2QrxuOTAR0BWTtbqQS80yPfI0mbh timo@styx"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7oyUa65KoSuv9l8tH/zVgZZ5mg5P45RIhlRZSt/amL x70b1"

host_vars/yttrium.binary-kitchen.net

@@ -1,5 +1,6 @@
 ---
 
 root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDetxImx0c/Fald9Y2wIHNJCi356rfskVUBT/SGH64N1HVZGBZhlWkeKJkCCufm3jLXdjJrlFDFlP0EjbohR6SP3VVf8Z7zAoazCtxWq0dyjPDvOjUrIuBeILbXZu0Q+qmFHPwvp5vR2wWFUwNLl1Te3CNSzQnn2KxOXfeZ56cDogzonlxh5JXDd0JWpINAuLp7uR6IshfmEMKsyCGjqzMUJ9YCztzkI9TJYDc4xitmQTvea44hRhyeIRf2ip8YlHnEIpJ9i712CQ5UEHBZUfy2gZwoLW0yYy9HJucF2A5gzvoUQ1wjA9/irlGiabKq6rOyT4ezBSoZZLEBIa6GU4qKMc1rE4Hnifi0AUnQ+4MqrCCu2QTJGNvyYzNt2XtkjakN3gtlz5xCsYV08PEB4VjAFVIa1yku66UblAW5KqixfE4mU7Z29b8faF5Ld7XO1tlNgiuHih7+JoQiwJ+auULYwRX1C2v6fAEU3PGU73VT3TZJTa5IS+fkTWzn643atxklP6Lmo8hrZIS0NXIr22OP1zYuCZm5/JLDhe0qOCYd8YQU2dNww4OUZ1uMLNOM+0UJvCHbWdjw8amR58yO5W83xp0qLHGUFjDpgvuP4ius4gvwjlhFdSVYRGwr2intLitXvOf3btjBJKUDIN0VM4MFzkvyUyCOgBgEkdCBvI7g4w== philmacfly"
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8MB80WTE9ZW/mGRdPWjkpiupvoSGVnmK9wvOqm6xpwDwZkD52RGfiWQW2IbJObCLGJxoigSi4lVvrJD6MWjXAsj5Foq1H3Ok+xJET2zfWMf4s/0uStSS9kaJ/gI6Qd5jMsnz1xATTInWAHIK7u3I4trt81FWkXQdfRSNC0mPh/PYBsXzwgx/m5s3o1nUtcIBXFZUeGNnhSSf1As0Wi0Bsv3GXIIDH4b4cIi7aGHqGuaes2cTUW1r0RspUVI139Gx2O4mgv4JE/n61t/4AzfYGoaszoqPCHQt5LR8Wd/XIaPLwnM1kzo4QVqNgqkY/awryt9IPoAFqJBbIvP0Bt3irGOPrdl7e7KcV55a9gPpCmz+bVaQO2oBmQ34AsZFg9tCP26OmViQu0Lx14vWWYDFkxzCxCDDngo6+f+e5AsyAjO2pHz/ZKv/VE5P3y8CnadHG88cO0qeoI6VH4jjGk5GYYrVD4BHf8StlvAg8unwMlYchuvaKLtQyQXFW40ww4VDdPo6KSv5T5a6SozEzRtN2QKRLyxIz68xVnKYq4TanR2lsm6wecUSriV48qscglokcTKJspWD29DQ62dMt5xFDtM8i9dE8W3SUePB8qPTBK9LUrO8PkGjb0X/RgMZB5bCWBmz4I1G1X+9Y8OLpr4NKGP9UFntYtJ3tpMCHtPgf4Q== philmacfly"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

hosts

@@ -29,10 +29,15 @@ fluorine.binary-kitchen.net
 neon.binary-kitchen.net
 sodium.binary-kitchen.net
 magnesium.binary-kitchen.net
+aluminium.binary-kitchen.net
 krypton.binary-kitchen.net
 yttrium.binary-kitchen.net
 zirconium.binary-kitchen.net
 molybdenum.binary-kitchen.net
 ruthenium.binary-kitchen.net
 rhodium.binary-kitchen.net
+palladium.binary-kitchen.net
+argentum.binary-kitchen.net
+cadmium.binary-kitchen.net
+indium.binary-kitchen.net
 barium.binary-kitchen.net

roles/act_runner/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+
+actrunner_user: act_runner
+actrunner_group: act_runner
+
+actrunner_version: 0.2.10
+actrunner_url: https://gitea.com/gitea/act_runner/releases/download/v{{ actrunner_version }}/act_runner-{{ actrunner_version }}-linux-amd64

roles/act_runner/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart act_runner
+  service: name=act_runner state=restarted

roles/act_runner/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+
+- name: Create group
+  group: name={{ actrunner_group }}
+
+- name: Create user
+  user: name={{ actrunner_user }} home=/var/lib/act_runner group={{ actrunner_group }} groups=docker
+
+- name: Create directories
+  file: path={{ item }} state=directory owner={{ actrunner_user }} group={{ actrunner_group }}
+  with_items:
+  - /etc/act_runner
+  - /var/lib/act_runner
+
+- name: Download act_runner binary
+  get_url: url={{ actrunner_url }} dest=/usr/local/bin/act_runner-{{ actrunner_version }} mode=0755
+  register: runner_download
+
+- name: Symlink act_runner binary
+  file: src=/usr/local/bin/act_runner-{{ actrunner_version }} dest=/usr/local/bin/act_runner state=link
+  when: runner_download.changed
+  notify: Restart act_runner
+
+- name: Configure act_runner
+  template: src=config.yaml.j2 dest=/etc/act_runner/config.yaml owner={{ actrunner_user }} group={{ actrunner_group }}
+  notify: Restart act_runner
+
+- name: Install systemd unit
+  template: src=act_runner.service.j2 dest=/lib/systemd/system/act_runner.service
+  notify:
+  - Reload systemd
+  - Restart act_runner
+
+- name: Enable act_runner
+  service: name=act_runner state=started enabled=yes

roles/act_runner/templates/act_runner.service.j2

@@ -0,0 +1,16 @@
+[Unit]
+Description=Gitea Actions runner
+Documentation=https://gitea.com/gitea/act_runner
+After=docker.service
+
+[Service]
+ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
+ExecReload=/bin/kill -s HUP $MAINPID
+WorkingDirectory=/var/lib/act_runner
+TimeoutSec=0
+RestartSec=10
+Restart=always
+User={{ actrunner_user }}
+
+[Install]
+WantedBy=multi-user.target

roles/act_runner/templates/config.yaml.j2

@@ -0,0 +1,86 @@
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: warn
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 4
+  # Extra environment variables to run jobs.
+  envs:
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+  env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `deamon`, will use labels in `.runner` file.
+  labels: [
+    "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest",
+    "ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04",
+    "ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04",
+  ]
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: ""
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 0
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: ""
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+  # Pull docker image(s) even if already present
+  force_pull: false
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:

roles/authentik/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+
+authentik_version: 2024.8.3

roles/authentik/handlers/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart authentik
+  service: name=authentik state=restarted
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/authentik/tasks/main.yml

@@ -0,0 +1,51 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+    - docker-compose
+
+- name: Create authentik group
+  group: name=authentik
+
+- name: Create authentik user
+  user:
+    name: authentik
+    home: /opt/authentik
+    shell: /bin/bash
+    group: authentik
+    groups: docker
+
+- name: Configure authentik container
+  template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml
+  notify: Restart authentik
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ authentik_domain }}.key -out /etc/nginx/ssl/{{ authentik_domain }}.crt -days 730 -subj "/CN={{ authentik_domain }}" creates=/etc/nginx/ssl/{{ authentik_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for authentik
+  template: src=certs.j2 dest=/etc/acertmgr/{{ authentik_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/authentik
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/authentik dest=/etc/nginx/sites-enabled/authentik state=link
+  notify: Restart nginx
+
+- name: Systemd unit for authentik
+  template: src=authentik.service.j2 dest=/etc/systemd/system/authentik.service
+  notify:
+  - Reload systemd
+  - Restart authentik
+
+- name: Start the authentik service
+  service: name=authentik state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ authentik_domain }}"

roles/authentik/templates/authentik.service.j2

@@ -0,0 +1,28 @@
+[Unit]
+Description=authentik service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
+
+[Service]
+Type=simple
+
+User=authentik
+Group=authentik
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/authentik
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose down -v
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
+
+[Install]
+WantedBy=multi-user.target

roles/authentik/templates/certs.j2

@@ -0,0 +1,15 @@
+---
+
+{{ authentik_domain }}:
+- path: /etc/nginx/ssl/{{ authentik_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ authentik_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'

roles/authentik/templates/docker-compose.yml.j2

@@ -0,0 +1,75 @@
+---
+version: "3.4"
+services:
+  postgresql:
+    image: docker.io/library/postgres:16-alpine
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - ./database:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: {{ authentik_dbpass }}
+      POSTGRES_USER: {{ authentik_dbuser }}
+      POSTGRES_DB: {{ authentik_dbname }}
+  redis:
+    image: docker.io/library/redis:alpine
+    command: --save 60 1 --loglevel warning
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - ./redis:/data
+  server:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:{{ authentik_version }}
+    restart: unless-stopped
+    command: server
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
+      AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
+      AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
+      AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
+    volumes:
+      - ./media:/media
+      - ./custom-templates:/templates
+    ports:
+      - "127.0.0.1:9000:9000"
+    depends_on:
+      - postgresql
+      - redis
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:{{ authentik_version }}
+    restart: unless-stopped
+    command: worker
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
+      AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
+      AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
+      AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
+    # `user: root` and the docker socket volume are optional.
+    # See more for the docker socket integration here:
+    # https://goauthentik.io/docs/outposts/integrations/docker
+    # Removing `user: root` also prevents the worker from fixing the permissions
+    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+    # (1000:1000 by default)
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./media:/media
+      - ./certs:/certs
+      - ./custom-templates:/templates
+    depends_on:
+      - postgresql
+      - redis

roles/authentik/templates/vhost.j2

@@ -0,0 +1,41 @@
+map $http_upgrade $connection_upgrade {
+	default	upgrade;
+	''	close;
+}
+
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ authentik_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ authentik_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ authentik_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ authentik_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ authentik_domain }}.crt;
+
+	location / {
+		proxy_pass http://localhost:9000;
+		proxy_http_version 1.1;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade;
+	}
+}

roles/bk_dss/templates/config.cfg.j2

@@ -8,7 +8,7 @@ LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
 LDAP_URI = "{{ ldap_uri }}"
 LDAP_BASE = "{{ ldap_base }}"
 
-ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=marove,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
+ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=anke,ou=people,dc=binary-kitchen,dc=de", "cn=toffy,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
 
 USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
 

roles/common/tasks/Debian.yml

@@ -16,6 +16,7 @@
     - rsync
     - sudo
     - vim-nox
+    - wget
     - zsh
 
 - name: Install software on KVM VMs
@@ -103,7 +104,7 @@
     replace: "rotate 7"
   loop: "{{ logrotateconfigpaths }}"
 
-- name: Configure ssh password login
+- name: Configure sshd
   template:
     src: sshd_config.j2
     dest: /etc/ssh/sshd_config

roles/common/templates/chrony.conf.j2

@@ -1,6 +1,9 @@
 # Welcome to the chrony configuration file. See chrony.conf(5) for more
 # information about usable directives.
 
+# Include configuration files found in /etc/chrony/conf.d.
+confdir /etc/chrony/conf.d
+
 {% for srv in ntp_servers %}
 server {{ srv }} iburst
 {% endfor %}
@@ -23,6 +26,9 @@ keyfile /etc/chrony/chrony.keys
 # information.
 driftfile /var/lib/chrony/chrony.drift
 
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
 # Uncomment the following line to turn logging on.
 #log tracking measurements statistics
 
@@ -33,7 +39,7 @@ logdir /var/log/chrony
 maxupdateskew 100.0
 
 # This directive enables kernel synchronisation (every 11 minutes) of the
-# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
 rtcsync
 
 # Step the system clock instead of slewing it if the adjustment is larger than

roles/common/templates/sshd_config.j2

@@ -1,9 +1,8 @@
-#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
 
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
@@ -43,8 +42,17 @@ PermitRootLogin {{ sshd_permit_root_login }}
 
 #AuthorizedPrincipalsFile none
 
+{% if sshd_authkeys_command is defined and sshd_authkeys_command %}
+AuthorizedKeysCommand {{ sshd_authkeys_command }}
+{%   if sshd_authkeys_user is defined and sshd_authkeys_user %}
+AuthorizedKeysCommandUser {{ sshd_authkeys_user }}
+{%   else %}
+AuthorizedKeysCommandUser nobody
+{%   endif %}
+{% else %}
 #AuthorizedKeysCommand none
 #AuthorizedKeysCommandUser nobody
+{% endif %}
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #HostbasedAuthentication no
@@ -60,7 +68,7 @@ PasswordAuthentication {{ sshd_password_authentication }}
 
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
-ChallengeResponseAuthentication no
+KbdInteractiveAuthentication no
 
 # Kerberos options
 #KerberosAuthentication no
@@ -76,13 +84,13 @@ ChallengeResponseAuthentication no
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
+# be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+# and KbdInteractiveAuthentication to 'no'.
 UsePAM yes
 
 #AllowAgentForwarding yes
@@ -100,7 +108,7 @@ PrintMotd no
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #UseDNS no
-#PidFile /var/run/sshd.pid
+#PidFile /run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none

roles/dhcpd/handlers/main.yml

@@ -1,4 +0,0 @@
----
-
-- name: Restart isc-dhcp-server
-  service: name=isc-dhcp-server state=restarted

roles/dhcpd/tasks/main.yml

@@ -1,14 +0,0 @@
----
-
-- name: Install dhcp server
-  apt: name=isc-dhcp-server
-
-- name: Configure dhcp server
-  template: src={{ item }}.j2 dest=/etc/{{ item }}
-  with_items:
-  - default/isc-dhcp-server
-  - dhcp/dhcpd.conf
-  notify: Restart isc-dhcp-server
-
-- name: Start the dhcp server
-  service: name=isc-dhcp-server state=started enabled=yes

roles/dhcpd/templates/default/isc-dhcp-server.j2

@@ -1,21 +0,0 @@
-#
-# This is a POSIX shell fragment
-#
-
-# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
-#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
-#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
-
-# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
-#DHCPDv4_PID=/var/run/dhcpd.pid
-#DHCPDv6_PID=/var/run/dhcpd6.pid
-
-# Additional options to start dhcpd with.
-#	Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
-#OPTIONS=""
-
-# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
-#	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
-INTERFACESv4="{{ ansible_default_ipv4['interface'] }}"
-INTERFACESv6=""
-INTERFACES="{{ ansible_default_ipv4['interface'] }}"

roles/dhcpd/templates/dhcp/dhcpd.conf.j2

@@ -1,320 +0,0 @@
-# dhcpd.conf
-
-# option definitions common to all supported networks...
-option domain-name "binary.kitchen";
-option domain-name-servers {{ name_servers | join(', ') }};
-option domain-search "binary.kitchen";
-option ntp-servers 172.23.1.60, 172.23.2.3;
-
-# options related to Mitel SIP-DECT
-option space sipdect;
-option local-encapsulation code 43 = encapsulate sipdect;
-option sipdect.ommip1 code 10 = ip-address;
-option sipdect.ommip2 code 19 = ip-address;
-option sipdect.syslogip code 14 = ip-address;
-option sipdect.syslogport code 15 = integer 16;
-option magic_str code 224 = text;
-
-default-lease-time 7200;
-max-lease-time 28800;
-
-# Use this to enble / disable dynamic dns updates globally.
-ddns-update-style interim;
-ddns-updates on;
-
-# If this DHCP server is the official DHCP server for the local
-# network, the authoritative directive should be uncommented.
-authoritative;
-
-# Use this to send dhcp log messages to a different log file (you also
-# have to hack syslog.conf to complete the redirection).
-log-facility local7;
-
-{% if dhcpd_failover == true %}
-
-# Failover
-
-failover peer "failover-partner" {
-{% if ansible_default_ipv4.address == dhcpd_primary %}
-  primary;
-  address {{ dhcpd_primary }};
-  peer address {{ dhcpd_secondary }};
-{% elif ansible_default_ipv4.address == dhcpd_secondary %}
-  secondary;
-  address {{ dhcpd_secondary }};
-  peer address {{ dhcpd_primary }};
-{% endif %}
-  port 520;
-  peer port 520;
-  max-response-delay 60;
-  max-unacked-updates 10;
-{% if ansible_default_ipv4.address == dhcpd_primary %}
-  mclt 600;
-  split 255;
-{% endif %}
-  load balance max seconds 3;
-}
-{% endif %}
-
-# Binary Kitchen subnets
-
-# Management
-subnet 172.23.1.0 netmask 255.255.255.0 {
-  option routers 172.23.1.1;
-}
-
-# Services
-subnet 172.23.2.0 netmask 255.255.255.0 {
-  allow bootp;
-  option routers 172.23.2.1;
-}
-
-# Users
-subnet 172.23.3.0 netmask 255.255.255.0 {
-  option routers 172.23.3.1;
-  ddns-domainname "users.binary.kitchen";
-  option domain-search "binary.kitchen", "users.binary.kitchen";
-  pool {
-{% if dhcpd_failover == true %}
-    failover peer "failover-partner";
-{% endif %}
-    range 172.23.3.10 172.23.3.230;
-  }
-}
-
-# MQTT
-subnet 172.23.4.0 netmask 255.255.255.0 {
-  option routers 172.23.4.1;
-  pool {
-{% if dhcpd_failover == true %}
-    failover peer "failover-partner";
-{% endif %}
-    range 172.23.4.10 172.23.4.240;
-  }
-}
-
-# Management Auweg
-subnet 172.23.12.0 netmask 255.255.255.0 {
-  option routers 172.23.12.1;
-}
-
-# Services Auweg
-subnet 172.23.13.0 netmask 255.255.255.0 {
-  allow bootp;
-  option routers 172.23.13.1;
-}
-
-# Users Auweg
-subnet 172.23.14.0 netmask 255.255.255.0 {
-  option routers 172.23.14.1;
-  ddns-domainname "users.binary.kitchen";
-  option domain-search "binary.kitchen", "users.binary.kitchen";
-  pool {
-{% if dhcpd_failover == true %}
-    failover peer "failover-partner";
-{% endif %}
-    range 172.23.14.10 172.23.14.230;
-  }
-}
-
-# MQTT Auweg
-subnet 172.23.15.0 netmask 255.255.255.0 {
-  option routers 172.23.15.1;
-  pool {
-{% if dhcpd_failover == true %}
-    failover peer "failover-partner";
-{% endif %}
-    range 172.23.15.10 172.23.15.240;
-  }
-}
-
-# DDNS zones
-
-zone users.binary.kitchen {
-  primary {{ dns_primary }};
-}
-
-
-# Fixed IPs
-
-host ap01 {
-  hardware ethernet 44:48:c1:ce:a9:00;
-  fixed-address ap01.binary.kitchen;
-}
-
-host ap04 {
-  hardware ethernet 44:48:c1:ce:90:06;
-  fixed-address ap04.binary.kitchen;
-}
-
-host ap05 {
-  hardware ethernet bc:9f:e4:c3:6f:aa;
-  fixed-address ap05.binary.kitchen;
-}
-
-host ap06 {
-  hardware ethernet 94:b4:0f:c0:1d:a0;
-  fixed-address ap06.binary.kitchen;
-}
-
-host ap11 {
-  hardware ethernet 18:64:72:c6:c2:0c;
-  fixed-address ap11.binary.kitchen;
-}
-
-host ap12 {
-  hardware ethernet 18:64:72:c6:c4:98;
-  fixed-address ap12.binary.kitchen;
-}
-
-host bowle {
-  hardware ethernet ac:1f:6b:25:16:b6;
-  fixed-address bowle.binary.kitchen;
-}
-
-host cannelloni {
-  hardware ethernet b8:27:eb:18:5c:11;
-  fixed-address cannelloni.binary.kitchen;
-}
-
-host fusilli {
-  hardware ethernet b8:27:eb:1d:b9:bf;
-  fixed-address fusilli.binary.kitchen;
-}
-
-host habdisplay1 {
-  hardware ethernet b8:27:eb:b6:62:be;
-  fixed-address habdisplay1.mqtt.binary.kitchen;
-}
-
-host habdisplay2 {
-  hardware ethernet b8:27:eb:df:0b:7b;
-  fixed-address habdisplay2.mqtt.binary.kitchen;
-}
-
-host klopi {
-  hardware ethernet 74:da:38:6e:e6:9d;
-  fixed-address klopi.binary.kitchen;
-}
-
-host lock {
-  hardware ethernet b8:27:eb:d8:b9:ad;
-  fixed-address lock.binary.kitchen;
-}
-
-host maccaroni {
-  hardware ethernet b8:27:eb:f5:9e:a1;
-  fixed-address maccaroni.binary.kitchen;
-}
-
-host matrix {
-  hardware ethernet b8:27:eb:ed:22:58;
-  fixed-address matrix.binary.kitchen;
-}
-
-host mirror {
-  hardware ethernet 74:da:38:7d:ed:84;
-  fixed-address mirror.binary.kitchen;
-}
-
-host mpcnc {
-  hardware ethernet b8:27:eb:0f:d3:8b;
-  fixed-address mpcnc.binary.kitchen;
-}
-
-host noodlehub {
-  hardware ethernet b8:27:eb:56:2b:7c;
-  fixed-address noodlehub.binary.kitchen;
-}
-
-host openhabgw1 {
-  hardware ethernet dc:a6:32:bf:e2:3e;
-  fixed-address openhabgw1.mqtt.binary.kitchen;
-}
-
-host pizza {
-  hardware ethernet 52:54:00:17:02:21;
-  fixed-address pizza.binary.kitchen;
-}
-
-host spaghetti {
-  hardware ethernet b8:27:eb:eb:e5:88;
-  fixed-address spaghetti.binary.kitchen;
-}
-
-host schweinshaxn {
-  hardware ethernet 52:54:00:17:02:24;
-  fixed-address schweinshaxn.binary.kitchen;
-}
-
-host strammermax {
-  hardware ethernet 08:00:37:B8:55:44;
-  fixed-address strammermax.binary.kitchen;
-}
-
-host obatzda {
-  hardware ethernet ec:9a:74:35:35:cf;
-  fixed-address obatzda.binary.kitchen;
-}
-
-
-# VoIP Phones
-
-host voip01 {
-  hardware ethernet 00:1D:45:B6:99:2F;
-  option tftp-server-name "172.23.2.36";
-}
-
-host voip02 {
-  hardware ethernet 00:1D:A2:66:B8:3E;
-  option tftp-server-name "172.23.2.36";
-}
-
-host voip03 {
-  hardware ethernet 00:1E:BE:90:FB:DB;
-  option tftp-server-name "172.23.2.36";
-}
-
-host voip04 {
-  hardware ethernet 00:1E:BE:90:FF:06;
-  option tftp-server-name "172.23.2.36";
-}
-
-
-# Mitel SIP-DECT
-
-host rfp01 {
-  hardware ethernet 00:30:42:1B:73:5A;
-  fixed-address 172.23.1.111;
-  option host-name "rfp01";
-  option sipdect.ommip1 172.23.2.35;
-  option magic_str = "OpenMobilitySIP-DECT";
-}
-
-host rfp02 {
-  hardware ethernet 00:30:42:21:D4:D5;
-  fixed-address 172.23.1.112;
-  option host-name "rfp02";
-  option sipdect.ommip1 172.23.2.35;
-  option magic_str = "OpenMobilitySIP-DECT";
-}
-
-host rfp11 {
-  hardware ethernet 00:30:42:1B:8B:9B;
-  fixed-address 172.23.12.111;
-  option host-name "rfp11";
-  option sipdect.ommip1 172.23.2.35;
-  option magic_str = "OpenMobilitySIP-DECT";
-}
-
-
-
-# OMAPI
-
-omapi-port 7911;
-omapi-key omapi_key;
-
-key omapi_key {
-  algorithm hmac-md5;
-  secret {{ dhcp_omapi_key }};
-}

roles/dns_extern/templates/pdns.conf.j2

@@ -1,5 +1,4 @@
-local-address=0.0.0.0
-local-ipv6=::
+local-address=0.0.0.0, ::
 launch=gsqlite3
 gsqlite3-dnssec
 gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3

roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2

@@ -1,7 +1,7 @@
 $ORIGIN 23.172.in-addr.arpa.	; base for unqualified names
 $TTL 1h				; default time-to-live
 @				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
-					2023011601; serial
+					2024100600; serial
 					1d; refresh
 					2h; retry
 					4w; expire
@@ -11,9 +11,9 @@ $TTL 1h				; default time-to-live
 				IN	NS	ns2.binary.kitchen.
 ; Loopback
 1.0				IN	PTR	core.binary.kitchen.
-2.0				IN	PTR	erx-bk.binary.kitchen.
+2.0				IN	PTR	rt-w13b.binary.kitchen.
 3.0				IN	PTR	erx-rz.binary.kitchen.
-4.0				IN	PTR	erx-auweg.binary.kitchen.
+4.0				IN	PTR	rt-auweg.binary.kitchen.
 ; Management
 1.1				IN	PTR	v2301.core.binary.kitchen.
 11.1				IN	PTR	ups1.binary.kitchen.
@@ -87,22 +87,26 @@ $GENERATE 10-240 $.4		IN	PTR	dhcp-${0,3,d}-04.binary.kitchen.
 1.10				IN	PTR	wg0.erx-rz.binary.kitchen.
 $GENERATE 2-254 $.10		IN	PTR	vpn-${0,3,d}-10.binary.kitchen.
 ; Management Auweg
+1.12				IN	PTR	v2312.rt-auweg.binary.kitchen.
 31.12				IN	PTR	sw-auweg.binary.kitchen.
 41.12				IN	PTR	ap11.binary.kitchen.
 42.12				IN	PTR	ap12.binary.kitchen.
 61.12				IN	PTR	weizen.binary.kitchen.
 111.12				IN	PTR	rfp11.binary.kitchen.
 ; Services Auweg
+1.13				IN	PTR	v2313.rt-auweg.binary.kitchen.
 3.13				IN	PTR	aeron.binary.kitchen.
 12.13				IN	PTR	lock-auweg.binary.kitchen.
 ; Clients Auweg
+1.14				IN	PTR	v2314.rt-auweg.binary.kitchen.
 $GENERATE 10-230 $.14		IN	PTR	dhcp-${0,3,d}-14.binary.kitchen.
 ; MQTT
+1.15				IN	PTR	v2315.rt-auweg.binary.kitchen.
 $GENERATE 10-240 $.15		IN	PTR	dhcp-${0,3,d}-15.binary.kitchen.
 ; Point-to-Point
-1.96				IN	PTR	v400.erx-bk.binary.kitchen.
+1.96				IN	PTR	v400.rt-w13b.binary.kitchen.
 2.96				IN	PTR	v400.core.binary.kitchen.
 1.97				IN	PTR	wg1.erx-rz.binary.kitchen.
-2.97				IN	PTR	wg1.erx-bk.binary.kitchen.
+2.97				IN	PTR	wg1.rt-w13b.binary.kitchen.
 5.97				IN	PTR	wg2.erx-rz.binary.kitchen.
-6.97				IN	PTR	wg2.erx-auweg.binary.kitchen.
+6.97				IN	PTR	wg2.rt-auweg.binary.kitchen.

roles/dns_intern/templates/bind/binary.kitchen.zone.j2

@@ -1,7 +1,7 @@
 $ORIGIN binary.kitchen		; base for unqualified names
 $TTL 1h				; default time-to-live
 @				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
-					2023011601; serial
+					2024100600; serial
 					1d; refresh
 					2h; retry
 					4w; expire
@@ -30,14 +30,13 @@ netbox				IN	A	172.23.2.7
 ns1				IN	A	172.23.2.3
 ns2				IN	A	172.23.2.4
 omm				IN	A	172.23.2.35
-racktables			IN	A	172.23.2.6
 radius				IN	A	172.23.2.3
 radius				IN	A	172.23.2.4
 ; Loopback
 core				IN	A	172.23.0.1
-erx-bk				IN	A	172.23.0.2
+rt-w13b				IN	A	172.23.0.2
 erx-rz				IN	A	172.23.0.3
-erx-auweg			IN	A	172.23.0.4
+rt-auweg			IN	A	172.23.0.4
 ; Management
 v2301.core			IN	A	172.23.1.1
 ups1				IN	A	172.23.1.11
@@ -108,25 +107,29 @@ salat				IN	A	172.23.9.61
 salat-bmc			IN	A	172.23.9.81
 ; Services RZ
 ; Management Auweg
+v2312.rt-auweg			IN	A	172.23.12.1
 sw-auweg			IN	A	172.23.12.31
 ap11				IN	A	172.23.12.41
 ap12				IN	A	172.23.12.42
 weizen				IN	A	172.23.12.61
 rfp11				IN	A	172.23.12.111
 ; Services Auweg
+v2313.rt-auweg			IN	A	172.23.13.1
 aeron				IN	A	172.23.13.3
 lock-auweg			IN	A	172.23.13.12
 ; Clients Auweg
+v2314.rt-auweg			IN	A	172.23.14.1
 $GENERATE 10-230 dhcp-${0,3,d}-14	IN	A	172.23.14.$
 ; MQTT Auweg
+v2315.rt-auweg			IN	A	172.23.15.1
 $GENERATE 10-240 dhcp-${0,3,d}-15	IN	A	172.23.15.$
 ; VPN RZ (ER-X)
 wg0.erx-rz			IN	A	172.23.10.1
 $GENERATE 2-254 vpn-${0,3,d}-10	IN	A	172.23.10.$
 ; Point-to-Point
-v400.erx-bk			IN	A	172.23.96.1
+v400.rt-w13b			IN	A	172.23.96.1
 v400.core			IN	A	172.23.96.2
 wg1.erx-rz			IN	A	172.23.97.1
-wg1.erx-bk			IN	A	172.23.97.2
+wg1.rt-w13b			IN	A	172.23.97.2
 wg2.erx-rz			IN	A	172.23.97.5
-wg2.erx-auweg			IN	A	172.23.97.6
+wg2.rt-auweg			IN	A	172.23.97.6

roles/dns_intern/templates/dnsdist.conf.j2

@@ -10,11 +10,11 @@ newServer({address='127.0.0.1:5353', pool='resolve'})
 
 {% if dns_secondary is defined %}
 -- allow AXFR/IXFR only from slaves
-addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
+addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
 {% endif %}
 
 -- allow NOTIFY only from master
-addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
+addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
 
 -- use auth servers for own zones
 addAction('binary.kitchen', PoolAction('authdns'))

roles/dns_intern/templates/pdns.conf.j2

@@ -26,12 +26,6 @@ launch=bind,gsqlite3
 # local-address=0.0.0.0
 local-address=127.0.0.1
 
-#################################
-# local-ipv6	Local IP address to which we bind
-#
-# local-ipv6=::
-local-ipv6=
-
 #################################
 # local-port	The port on which we listen
 #

roles/dns_intern/templates/recursor.conf.j2

@@ -11,9 +11,9 @@
 config-dir=/etc/powerdns
 
 #################################
-# dnssec	DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
+# dnssec	DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate
 #
-# dnssec=process-no-validate
+# dnssec=process
 dnssec=off
 
 #################################

roles/drone/files/drone.service

@@ -1,14 +0,0 @@
-[Unit]
-Description=drone.io server
-After=network-online.target
-
-[Service]
-Type=simple
-User=drone
-EnvironmentFile=/etc/default/drone
-ExecStart=/opt/drone/bin/drone-server
-Restart=always
-RestartSec=5s
-
-[Install]
-WantedBy=multi-user.target

roles/drone/tasks/main.yml

@@ -1,57 +0,0 @@
----
-
-- name: Create user
-  user: name=drone
-
-# TODO install drone to /opt/drone/bin
-# currently it is manually compiled
-
-- name: Configure drone
-  template: src=drone.j2 dest=/etc/default/drone
-  notify: Restart drone
-
-- name: Install PostgreSQL
-  apt:
-    name:
-    - postgresql
-    - python3-psycopg2
-
-- name: Configure PostgreSQL database
-  postgresql_db: name={{ drone_dbname }}
-  become: true
-  become_user: postgres
-
-- name: Configure PostgreSQL user
-  postgresql_user: db={{ drone_dbname }} name={{ drone_dbuser }} password={{ drone_dbpass }} priv=ALL state=present
-  become: true
-  become_user: postgres
-
-- name: Ensure certificates are available
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ drone_domain }}.key -out /etc/nginx/ssl/{{ drone_domain }}.crt -days 730 -subj "/CN={{ drone_domain }}" creates=/etc/nginx/ssl/{{ drone_domain }}.crt
-  notify: Restart nginx
-
-- name: Configure certificate manager for drone
-  template: src=certs.j2 dest=/etc/acertmgr/{{ drone_domain }}.conf
-  notify: Run acertmgr
-
-- name: Configure vhost
-  template: src=vhost.j2 dest=/etc/nginx/sites-available/drone
-  notify: Restart nginx
-
-- name: Enable vhost
-  file: src=/etc/nginx/sites-available/drone dest=/etc/nginx/sites-enabled/drone state=link
-  notify: Restart nginx
-
-- name: Install systemd unit
-  copy: src=drone.service dest=/lib/systemd/system/drone.service
-  notify:
-  - Reload systemd
-  - Restart drone
-
-- name: Enable drone
-  service: name=drone enabled=yes
-
-- name: Enable monitoring
-  include_role: name=icinga-monitor tasks_from=http
-  vars:
-    vhost: "{{ drone_domain }}"

roles/drone/templates/drone.j2

@@ -1,10 +0,0 @@
-DRONE_AGENTS_ENABLED=true
-DRONE_DATABASE_DATASOURCE=postgres://{{ drone_dbuser }}:{{ drone_dbpass }}@127.0.0.1:5432/{{ drone_dbname }}
-DRONE_DATABASE_DRIVER=postgres
-DRONE_GITEA_SERVER=https://{{ gitea_domain }}
-DRONE_GITEA_CLIENT_ID={{ drone_gitea_client }}
-DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_secret }}
-DRONE_RPC_SECRET={{ drone_secret }}
-DRONE_SERVER_HOST={{ drone_domain }}
-DRONE_SERVER_PROTO=https
-DRONE_USER_CREATE=username:{{ drone_admin }},admin:true

roles/drone/templates/vhost.j2

@@ -1,31 +0,0 @@
-server {
-	listen 80;
-	listen [::]:80;
-
-	server_name {{ drone_domain }};
-
-	location /.well-known/acme-challenge {
-		default_type "text/plain";
-		alias /var/www/acme-challenge;
-	}
-
-	location / {
-		return 301 https://{{ drone_domain }}$request_uri;
-	}
-}
-
-server {
-	listen 443 ssl http2;
-	listen [::]:443 ssl http2;
-
-	server_name {{ drone_domain }};
-
-	ssl_certificate_key /etc/nginx/ssl/{{ drone_domain }}.key;
-	ssl_certificate /etc/nginx/ssl/{{ drone_domain }}.crt;
-
-	location / {
-		client_max_body_size 128M;
-		proxy_set_header X-Real-IP $remote_addr;
-		proxy_pass http://localhost:8080;
-	}
-}

roles/drone_runner/tasks/main.yml

@@ -1,21 +0,0 @@
----
-
-- name: Run runner container
-  docker_container:
-    name: runner
-    image: drone/drone-runner-docker:1
-    env:
-      DRONE_RPC_PROTO: "https"
-      DRONE_RPC_HOST: "{{ drone_domain }}"
-      DRONE_RPC_SECRET: "{{ drone_secret }}"
-      DRONE_RUNNER_CAPACITY: "2"
-      DRONE_RUNNER_NAME: "{{ ansible_fqdn }}"
-      DRONE_UI_USERNAME: "admin"
-      DRONE_UI_PASSWORD: "{{ drone_uipass }}"
-    ports:
-    - "3000:3000"
-    pull: yes
-    restart_policy: unless-stopped
-    state: started
-    volumes:
-    - "/var/run/docker.sock:/var/run/docker.sock"

roles/event_web/files/certs

@@ -0,0 +1,15 @@
+---
+
+eh21.easterhegg.eu engel.eh21.easterhegg.eu:
+- path: /etc/nginx/ssl/eh21.easterhegg.eu.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/eh21.easterhegg.eu.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'

roles/event_web/files/vhost

@@ -0,0 +1,68 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name eh21.easterhegg.eu;
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://eh21.easterhegg.eu$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name eh21.easterhegg.eu;
+
+	ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
+	ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
+
+	root /var/www/eh21;
+}
+
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name engel.eh21.easterhegg.eu;
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://engel.eh21.easterhegg.eu$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name engel.eh21.easterhegg.eu;
+
+	ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
+	ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
+
+	root /var/www/engel/public;
+
+	index index.php;
+
+	location / {
+		try_files $uri $uri/ /index.php?$args;
+	}
+
+	location ~ \.php$ {
+		fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+		fastcgi_index index.php;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+		include fastcgi_params;
+	}
+}

roles/event_web/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/event_web/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/event_web/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+
+- name: Install dependencies
+  apt:
+    name:
+    - php-fpm
+
+- name: Create vhost directory
+  file: path=/var/www/eh21 state=directory owner=www-data group=www-data
+
+- name: Create vhost directory
+  file: path=/var/www/engel state=directory owner=www-data group=www-data
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/eh21.easterhegg.eu.key -out /etc/nginx/ssl/eh21.easterhegg.eu.crt -days 730 -subj "/CN=eh21.easterhegg.eu" creates=/etc/nginx/ssl/eh21.easterhegg.eu.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager
+  copy: src=certs dest=/etc/acertmgr/eh21.easterhegg.eu.conf
+  notify: Run acertmgr
+
+- name: Configure vhosts
+  copy: src=vhost dest=/etc/nginx/sites-available/www
+  notify: Restart nginx
+
+- name: Enable vhosts
+  file: src=/etc/nginx/sites-available/www dest=/etc/nginx/sites-enabled/www state=link
+  notify: Restart nginx
+
+- name: Start php8.2-fpm
+  service: name=php8.2-fpm state=started enabled=yes

roles/fileserver/templates/smb.conf.j2

@@ -42,7 +42,7 @@
 # option cannot handle dynamic or non-broadcast interfaces correctly.
 ;   bind interfaces only = yes
 
-
+   min protocol = NT1
 
 #### Debugging/Accounting ####
 
@@ -213,7 +213,7 @@
 ;[printers]
 ;   comment = All Printers
 ;   browseable = no
-;   path = /var/spool/samba
+;   path = /var/tmp
 ;   printable = yes
 ;   guest ok = no
 ;   read only = yes
@@ -240,5 +240,5 @@
    browseable = yes
    read only = no
    guest ok = yes
-   create mask = 0600
-   directory mask = 0700
+   create mask = 0660
+   directory mask = 0770

roles/gitea/defaults/main.yml

@@ -3,6 +3,5 @@
 gitea_user: gogs
 gitea_group: gogs
 
-gitea_checksum: sha256:f1843e9dd88f906df919f1374a938e3f1c9f67ef1a7541146d8a568decd419ce
-gitea_version: 1.18.2
+gitea_version: 1.22.2
 gitea_url: https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64

roles/gitea/tasks/main.yml

@@ -6,19 +6,24 @@
 - name: Create user
   user: name={{ gitea_user }} home=/home/{{ gitea_user }} group={{ gitea_group }}
 
-- name: Create gitea directories
-  file: path={{ item }} state=directory owner={{ gitea_user }}
+- name: Create directories
+  file: path={{ item }} state=directory owner={{ gitea_user }} group={{ gitea_group }}
   with_items:
   - /opt/gitea
   - /opt/gitea/custom
   - /opt/gitea/custom/conf
 
 - name: Download gitea binary
-  get_url: url={{ gitea_url }} dest=/opt/gitea/gitea checksum={{ gitea_checksum }} mode=0755
+  get_url: url={{ gitea_url }} dest=/opt/gitea/gitea-{{ gitea_version }} mode=0755
+  register: gitea_download
+
+- name: Symlink gitea binary
+  file: src=/opt/gitea/gitea-{{ gitea_version }} dest=/opt/gitea/gitea state=link
+  when: gitea_download.changed
   notify: Restart gitea
 
 - name: Configure gitea
-  template: src=app.ini.j2 dest=/opt/gitea/custom/conf/app.ini force=no owner={{ gitea_user }}
+  template: src=app.ini.j2 dest=/opt/gitea/custom/conf/app.ini force=no owner={{ gitea_user }} group={{ gitea_group }}
 
 - name: Install systemd unit
   template: src=gitea.service.j2 dest=/lib/systemd/system/gitea.service
@@ -62,7 +67,7 @@
   notify: Restart nginx
 
 - name: Enable gitea
-  service: name=gitea enabled=yes
+  service: name=gitea state=started enabled=yes
 
 - name: Enable monitoring
   include_role: name=icinga-monitor tasks_from=http

roles/gitea/templates/gitea.service.j2

@@ -8,7 +8,7 @@ Requires=postgresql.service
 RestartSec=2s
 Type=simple
 User={{ gitea_user }}
-Group={{ gitea_user }}
+Group={{ gitea_group }}
 WorkingDirectory=/opt/gitea/
 ExecStart=/opt/gitea/gitea web
 Restart=always

roles/grafana/tasks/main.yml

@@ -1,10 +1,10 @@
 ---
 
 - name: Enable grafana apt-key
-  apt_key: url="https://packages.grafana.com/gpg.key"
+  apt_key: url="https://apt.grafana.com/gpg.key" keyring="/etc/apt/trusted.gpg.d/grafana.gpg"
 
 - name: Enable grafana repository
-  apt_repository: repo="deb https://packages.grafana.com/oss/deb stable main"
+  apt_repository: repo="deb https://apt.grafana.com stable main"
 
 - name: Install grafana
   apt: name=grafana

roles/hedgedoc/templates/docker-compose.yml.j2

@@ -1,7 +1,7 @@
 version: "3"
 services:
   database:
-    image: postgres:13.4-alpine
+    image: postgres:13-alpine
     environment:
       - POSTGRES_USER={{ hedgedoc_dbuser }}
       - POSTGRES_PASSWORD={{ hedgedoc_dbpass }}
@@ -9,7 +9,8 @@ services:
     volumes:
       - ./database:/var/lib/postgresql/data
   app:
-    image: quay.io/hedgedoc/hedgedoc:1.9.5
+    image: quay.io/hedgedoc/hedgedoc:1.10.0
+    restart: on-failure
     environment:
       - CMD_DOMAIN={{ hedgedoc_domain }}
       - CMD_PROTOCOL_USESSL=true

roles/heisenbridge/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+
+heisenbridge_user: heisenbridge
+heisenbridge_group: heisenbridge
+
+heisenbridge_directory: /opt/heisenbridge
+heisenbridge_config: "{{ heisenbridge_directory }}/heisenbridge.yaml"

roles/heisenbridge/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart heisenbridge
+  service: name=heisenbridge state=restarted

roles/heisenbridge/tasks/main.yml

@@ -0,0 +1,56 @@
+---
+
+- name: Install dependencies
+  apt:
+    name:
+    - python3-pip
+    - python3-venv
+
+- name: Create group
+  group:
+    name: "{{ heisenbridge_group }}"
+    system: yes
+
+- name: Create user
+  user:
+    name: "{{ heisenbridge_user }}"
+    group: "{{ heisenbridge_group }}"
+    system: yes
+    create_home: no
+    home: "{{ heisenbridge_directory }}"
+
+- name: Create directory
+  file:
+    path: "{{ heisenbridge_directory }}"
+    state: directory
+    owner: "{{ heisenbridge_user }}"
+    group: "{{ heisenbridge_group }}"
+    mode: 0755
+
+- name: Install heisenbridge
+  pip:
+    name: heisenbridge
+    virtualenv: "{{ heisenbridge_directory }}"
+    virtualenv_command: python3 -m venv
+  become: true
+  become_user: "{{ heisenbridge_user }}"
+  environment:
+    MULTIDICT_NO_EXTENSIONS: 1
+    YARL_NO_EXTENSIONS: 1
+
+- name: Create configuration
+  command:
+    cmd: "{{ heisenbridge_directory }}/bin/heisenbridge -c {{ heisenbridge_config }} --generate"
+    creates: "{{ heisenbridge_config }}"
+  become: true
+  become_user: "{{ heisenbridge_user }}"
+  notify: Restart heisenbridge
+
+- name: Install systemd unit
+  template: src=heisenbridge.service.j2 dest=/lib/systemd/system/heisenbridge.service
+  notify:
+  - Reload systemd
+  - Restart heisenbridge
+
+- name: Enable heisenbridge
+  service: name=heisenbridge enabled=yes

roles/heisenbridge/templates/heisenbridge.service.j2

@@ -0,0 +1,15 @@
+[Unit]
+Description=Heisenbridge
+After=network.target
+
+[Service]
+RestartSec=2s
+Type=simple
+User={{ heisenbridge_user }}
+Group={{ heisenbridge_user }}
+WorkingDirectory={{ heisenbridge_directory }}
+ExecStart={{ heisenbridge_directory }}/bin/heisenbridge -c {{ heisenbridge_config }}
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/icinga-monitor/tasks/disk.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Configure monitoring for disk
+  template:
+    src: disk.j2
+    dest: /etc/icinga2/conf.d/hosts/{{ inventory_hostname }}.disk
+    owner: "{{ icinga_user }}"
+    group: "{{ icinga_group }}"
+  delegate_to: "{{ icinga_server }}"
+
+- name: Regenerate hosts.conf
+  assemble:
+    src: /etc/icinga2/conf.d/hosts
+    dest: /etc/icinga2/zones.d/master/hosts.conf
+#   validate: /usr/sbin/icinga2 daemon -c %s --validate
+  notify: Restart icinga2
+  delegate_to: "{{ icinga_server }}"

roles/icinga-monitor/tasks/http.yml

@@ -11,7 +11,7 @@
 - name: Regenerate hosts.conf
   assemble:
     src: /etc/icinga2/conf.d/hosts
-    dest: /etc/icinga2/conf.d/hosts.conf
+    dest: /etc/icinga2/zones.d/master/hosts.conf
 #   validate: /usr/sbin/icinga2 daemon -c %s --validate
   notify: Restart icinga2
   delegate_to: "{{ icinga_server }}"

roles/icinga-monitor/templates/disk.j2

@@ -0,0 +1,8 @@
+{% for disk in disks %}
+
+  vars.disks[" {{ disk }}"] = {
+    disk_partitions = "{{ disk }}"
+    disk_cfree = "5%"
+    disk_wfree = "10%"
+  }
+{% endfor %}

roles/icinga-monitor/templates/http.j2

@@ -1,5 +1,6 @@
 
   vars.http_vhosts["{{ vhost }}"] = {
+    http_onredirect = "follow"
     http_sni = "true"
     http_ssl = "true"
     http_vhost = "{{ vhost }}"

roles/icinga/files/icinga2/zones.d/master/services.conf

@@ -0,0 +1,21 @@
+apply Service "apt" {
+  import "generic-service"
+
+  check_command = "apt"
+
+  command_endpoint = host.vars.agent_endpoint
+
+  assign where host.vars.agent_endpoint && host.vars.os == "Linux"
+}
+
+apply Service "disk" for (disk => config in host.vars.disks) {
+  import "generic-service"
+
+  check_command = "disk"
+
+  command_endpoint = host.vars.agent_endpoint
+
+  assign where host.vars.agent_endpoint
+
+  vars += config
+}

roles/icinga/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Enable icinga apt-key
-  apt_key: url="https://packages.icinga.com/icinga.key"
+  apt_key: url="https://packages.icinga.com/icinga.key" keyring="/etc/apt/trusted.gpg.d/icinga.gpg"
 
 - name: Enable icinga repository
   apt_repository:
@@ -62,6 +62,24 @@
   changed_when: "'for these changes to take effect' in features_result.stdout"
   notify: Restart icinga2
 
+# TODO setup as master node
+# icinga2 node setup --master
+
+- name: Ensure directory for zone config exists
+  file:
+    path: /etc/icinga2/zones.d/master
+    state: directory
+    owner: "{{ icinga_user }}"
+    group: "{{ icinga_group }}"
+
+- name: Configure services
+  copy: src=icinga2/zones.d/master/services.conf dest=/etc/icinga2/zones.d/master/services.conf owner={{ icinga_user }} group={{ icinga_group }}
+  notify: Restart icinga2
+
+- name: Configure zones
+  template: src=icinga2/zones.conf.j2 dest=/etc/icinga2/zones.conf owner={{ icinga_user }} group={{ icinga_group }}
+  notify: Restart icinga2
+
 - name: Ensure directory for host snippets exists
   file:
     path: /etc/icinga2/conf.d/hosts
@@ -110,5 +128,5 @@
   file: src=/etc/nginx/sites-available/icinga dest=/etc/nginx/sites-enabled/icinga state=link
   notify: Restart nginx
 
-- name: Start php7.4-fpm
-  service: name=php7.4-fpm state=started enabled=yes
+- name: Start php8.2-fpm
+  service: name=php8.2-fpm state=started enabled=yes

roles/icinga/templates/icinga2/zones.conf.j2

@@ -0,0 +1,28 @@
+object Endpoint "{{ ansible_fqdn }}" {
+}
+
+object Zone "master" {
+	endpoints = [ "{{ ansible_fqdn }}" ]
+}
+
+{% for host in groups['all'] %}
+{% if host != ansible_fqdn %}
+object Endpoint "{{ host }}" {
+	host  = "{{ host }}"
+}
+
+
+object Zone "{{ host }}" {
+	endpoints = [ "{{ host }}" ]
+	parent = "master"
+}
+
+{% endif %}
+{% endfor %}
+object Zone "global-templates" {
+	global = true
+}
+
+object Zone "director-global" {
+	global = true
+}

roles/icinga/templates/vhost.j2

@@ -19,7 +19,7 @@ server {
 	ssl_certificate /etc/nginx/ssl/{{ icinga_domain }}.crt;
 
 	location ~ ^/icingaweb2/index\.php(.*)$ {
-		fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+		fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
 		fastcgi_index index.php;
 		include fastcgi_params;
 		fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;

roles/icinga_agent/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+
+icinga_user: nagios
+icinga_group: nagios

roles/icinga_agent/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
+- name: Restart icinga2
+  service: name=icinga2 state=restarted
+
+- name: Restart nginx
+  service: name=nginx state=restarted

roles/icinga_agent/tasks/main.yml

@@ -0,0 +1,77 @@
+---
+
+- name: Install icinga
+  apt: name=icinga2
+
+- name: Check if client is already enrolled
+  stat:
+    path: /var/lib/icinga2/certs/{{ ansible_fqdn }}.crt
+  register: cert_file
+
+- name: Enroll agent on master server
+  block:
+  - name: Ensure certificate directory exists
+    file:
+      path: /var/lib/icinga2/certs
+      state: directory
+      owner: "{{ icinga_user }}"
+      group: "{{ icinga_group }}"
+
+  - name: Copy certificate from master
+    fetch:
+      src: /var/lib/icinga2/certs/{{ icinga_server }}.crt
+      dest: /tmp/{{ icinga_server }}.crt
+      flat: true
+    delegate_to: "{{ icinga_server }}"
+
+  - name: Copy certificate to host
+    copy:
+      src: /tmp/{{ icinga_server }}.crt
+      dest: /var/lib/icinga2/certs/{{ icinga_server }}.crt
+      owner: "{{ icinga_user }}"
+      group: "{{ icinga_group }}"
+
+  - name: Get ticket from master
+    shell: "icinga2 pki ticket --cn {{ ansible_fqdn }}"
+    register: "icinga_ticket"
+    changed_when: "False"
+    delegate_to: "{{ icinga_server }}"
+
+  - name: Setup node
+    command:
+      argv:
+      - icinga2
+      - node
+      - setup
+      - --ticket
+      - "{{ icinga_ticket.stdout | trim }}"
+      - --endpoint
+      - "{{ icinga_server }}"
+      - --zone
+      - "{{ ansible_fqdn }}"
+      - --parent_host
+      - "{{ icinga_server }}"
+      - --trustedcert
+      - "/var/lib/icinga2/certs/{{ icinga_server }}.crt"
+      - --accept-commands
+      - --accept-config
+  when: not cert_file.stat.exists
+
+- name: Set agent address on master
+  template: src=hosts.agent.j2 dest=/etc/icinga2/conf.d/hosts/{{ inventory_hostname }}.01_agent owner={{ icinga_user }} group={{ icinga_group }}
+  delegate_to: "{{ icinga_server }}"
+
+- name: Regenerate hosts.conf
+  assemble:
+    src: /etc/icinga2/conf.d/hosts
+    dest: /etc/icinga2/zones.d/master/hosts.conf
+#   validate: /usr/sbin/icinga2 daemon -c %s --validate
+  notify: Restart icinga2
+  delegate_to: "{{ icinga_server }}"
+
+# TODO expand this to cover more than just the root partition
+- name: Monitor disks
+  include_role: name=icinga-monitor tasks_from=disk
+  vars:
+    disks:
+    - "/"

roles/icinga_agent/templates/hosts.agent.j2

@@ -0,0 +1,3 @@
+
+  /* Set custom variable `agent_endpoint` for use in `services.conf`. */
+  vars.agent_endpoint = "{{ inventory_hostname }}"

roles/indium_dummy/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/indium_dummy/tasks/main.yml

@@ -0,0 +1 @@
+---

roles/kea/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Restart kea-dhcp4-server
+  service: name=kea-dhcp4-server state=restarted
+
+- name: Restart kea-dhcp-ddns-server
+  service: name=kea-dhcp-ddns-server state=restarted
+
+- name: Restart kea-ctrl-agent
+  service: name=kea-ctrl-agent state=restarted

roles/kea/tasks/main.yml

@@ -0,0 +1,38 @@
+---
+
+- name: Install the kea dhcp server
+  apt:
+    name:
+    - kea-ctrl-agent
+    - kea-dhcp4-server
+    - kea-dhcp-ddns-server
+
+- name: Configure the kea dhcp4 server
+  template:
+    src: kea/kea-dhcp4.conf.j2
+    dest: /etc/kea/kea-dhcp4.conf
+#   validate: kea-dhcp4 -t %s
+  notify: Restart kea-dhcp4-server
+
+- name: Start the kea dhcp4 server
+  service: name=kea-dhcp4-server state=started enabled=yes
+
+- name: Configure the kea dhcp-ddns server
+  template:
+    src: kea/kea-dhcp-ddns.conf.j2
+    dest: /etc/kea/kea-dhcp-ddns.conf
+#   validate: kea-dhcp-ddns -t %s
+  notify: Restart kea-dhcp-ddns-server
+
+- name: Start the kea dhcp-ddns server
+  service: name=kea-dhcp-ddns-server state=started enabled=yes
+
+- name: Configure the kea control agent
+  template:
+    src: kea/kea-ctrl-agent.conf.j2
+    dest: /etc/kea/kea-ctrl-agent.conf
+#   validate: kea-ctrl-agent -t %s
+  notify: Restart kea-ctrl-agent
+
+- name: Start the kea control agent
+  service: name=kea-ctrl-agent state=started enabled=yes

roles/kea/templates/kea/kea-ctrl-agent.conf.j2

@@ -0,0 +1,37 @@
+{
+    "Control-agent":
+    {
+        "http-host": "0.0.0.0",
+        "http-port": 8000,
+        "control-sockets":
+        {
+            "dhcp4":
+            {
+                "comment": "socket to DHCP4 server",
+                "socket-type": "unix",
+                "socket-name": "/run/kea/kea4-ctrl-socket"
+            },
+
+            "d2":
+            {
+                "socket-type": "unix",
+                "socket-name": "/run/kea/kea-ddns-ctrl-socket",
+                "user-context": { "in-use": false }
+            }
+        },
+
+        "loggers": [
+            {
+                "name": "kea-ctrl-agent",
+                "output_options": [
+                    {
+                        "output": "stdout",
+                        "pattern": "%-5p %m\n"
+                    }
+                ],
+                "severity": "INFO",
+                "debuglevel": 0
+            }
+        ]
+    }
+}

roles/kea/templates/kea/kea-dhcp-ddns.conf.j2

@@ -0,0 +1,38 @@
+{
+"DhcpDdns": {
+    "ip-address": "127.0.0.1",
+    "port": 53001,
+    "control-socket": {
+        "socket-type": "unix",
+      "socket-name": "/run/kea/kea-ddns-ctrl-socket"
+    },
+
+    "forward-ddns": {
+        "ddns-domains": [
+            {
+                "name": "users.binary.kitchen.",
+                "dns-servers": [
+                    { "ip-address": "{{ dns_primary }}" }
+                ]
+            }
+        ]
+    },
+
+    "reverse-ddns": {
+    },
+
+    "loggers": [
+        {
+            "name": "kea-dhcp4",
+            "output_options": [
+                {
+                    "output": "stdout",
+                    "pattern": "%-5p %m\n"
+                }
+            ],
+            "severity": "INFO",
+            "debuglevel": 0
+        }
+    ]
+}
+}

roles/kea/templates/kea/kea-dhcp4.conf.j2

@@ -0,0 +1,470 @@
+{
+
+"Dhcp4": {
+    "interfaces-config": {
+        "interfaces": [ "{{ ansible_default_ipv4['interface'] }}" ]
+    },
+
+    "control-socket": {
+        "socket-type": "unix",
+        "socket-name": "/run/kea/kea4-ctrl-socket"
+    },
+
+    "dhcp-ddns": {
+        "enable-updates": true,
+        "server-ip": "127.0.0.1",
+        "server-port": 53001,
+        "sender-ip": "",
+        "sender-port": 0,
+        "max-queue-size": 1024,
+        "ncr-protocol": "UDP",
+        "ncr-format": "JSON"
+    },
+
+    "hooks-libraries": [
+        {
+            "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_lease_cmds.so"
+{% if dhcpd_failover %}
+        },
+
+        {
+            "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_ha.so",
+            "parameters": {
+                "high-availability": [ {
+                    "this-server-name": "{{ inventory_hostname.split('.')[0] }}",
+                    "mode": "hot-standby",
+                    "heartbeat-delay": 10000,
+                    "max-response-delay": 60000,
+                    "max-ack-delay": 5000,
+                    "max-unacked-clients": 5,
+                    "sync-timeout": 60000,
+                    "peers": [
+                        {
+                            "name": "{{ lookup('dig', dhcpd_primary+'/PTR', '@'+dns_primary).split('.')[0] }}",
+                            "url": "http://{{ dhcpd_primary }}:8000/",
+                            "role": "primary"
+                        },
+                        {
+                            "name": "{{ lookup('dig', dhcpd_secondary+'/PTR', '@'+dns_primary).split('.')[0] }}",
+                            "url": "http://{{ dhcpd_secondary }}:8000/",
+                            "role": "standby"
+                        }
+                    ]
+                } ]
+            }
+{% endif %}
+        }
+    ],
+
+    "lease-database": {
+        "type": "memfile",
+        "lfc-interval": 3600
+    },
+
+    "expired-leases-processing": {
+        "reclaim-timer-wait-time": 10,
+        "flush-reclaimed-timer-wait-time": 25,
+        "hold-reclaimed-time": 3600,
+        "max-reclaim-leases": 100,
+        "max-reclaim-time": 250,
+        "unwarned-reclaim-cycles": 5
+    },
+
+    "renew-timer": 900,
+    "rebind-timer": 1800,
+    "valid-lifetime": 3600,
+
+    "option-def": [
+        {
+            "code": 43,
+            "encapsulate": "sipdect",
+            "name": "vendor-encapsulated-options",
+            "space": "dhcp4",
+            "type": "empty"
+        },
+        {
+            "code": 10,
+            "name": "ommip1",
+            "space": "sipdect",
+            "type": "ipv4-address"
+        },
+        {
+            "code": 19,
+            "name": "ommip2",
+            "space": "sipdect",
+            "type": "ipv4-address"
+        },
+        {
+            "code": 14,
+            "name": "syslogip",
+            "space": "sipdect",
+            "type": "ipv4-address"
+        },
+        {
+            "code": 15,
+            "name": "syslogport",
+            "space": "sipdect",
+            "type": "int16"
+        },
+        {
+            "code": 224,
+            "name": "magic_str",
+            "space": "dhcp4",
+            "type": "string"
+        }
+    ],
+
+    "option-data": [
+        {
+            "name": "domain-name-servers",
+            "data": "{{ name_servers | join(', ') }}"
+        },
+
+        {
+            "name": "domain-name",
+            "data": "binary.kitchen"
+        },
+
+        {
+            "name": "domain-search",
+            "data": "binary.kitchen"
+        }
+    ],
+
+    "client-classes": [
+        {
+            "name": "voip-phone",
+            "option-data": [
+                {
+                    "name": "tftp-server-name",
+                    "data": "172.23.2.36"
+                }
+            ]
+        },
+
+        {
+            "name": "dect-rfp",
+            "option-data": [
+                {
+                    "name": "vendor-encapsulated-options"
+                },
+                {
+                    "data": "172.23.2.35",
+                    "name": "ommip1",
+                    "space": "sipdect"
+                },
+                {
+                    "data": "OpenMobilitySIP-DECT",
+                    "name": "magic_str"
+                }
+            ]
+        }
+    ],
+
+    "subnet4": [
+        {
+            "subnet": "172.23.1.0/24",
+
+            "option-data": [
+                {
+                    "name": "routers",
+                    "data": "172.23.1.1"
+                }
+            ],
+
+            "reservations": [
+                {
+                    "hw-address": "44:48:c1:ce:a9:00",
+                    "ip-address": "172.23.1.41",
+                    "hostname": "ap01"
+                },
+
+                {
+                    "hw-address": "74:9e:75:ce:93:54",
+                    "ip-address": "172.23.1.44",
+                    "hostname": "ap04"
+                },
+
+                {
+                    "hw-address": "bc:9f:e4:c3:6f:aa",
+                    "ip-address": "172.23.1.45",
+                    "hostname": "ap05"
+                },
+
+                {
+                    "hw-address": "94:b4:0f:c0:1d:a0",
+                    "ip-address": "172.23.1.46",
+                    "hostname": "ap06"
+                },
+
+                {
+                    "hw-address": "00:30:42:1B:73:5A",
+                    "ip-address": "172.23.1.111",
+                    "client-classes": [ "dect-rfp" ],
+                    "hostname": "rfp01"
+                },
+
+                {
+                    "hw-address": "00:30:42:21:D4:D5",
+                    "ip-address": "172.23.1.112",
+                    "client-classes": [ "dect-rfp" ],
+                    "hostname": "rfp02"
+                }
+            ]
+        },
+
+        {
+            "subnet": "172.23.2.0/24",
+
+            "option-data": [
+                {
+                    "name": "routers",
+                    "data": "172.23.2.1"
+                }
+            ],
+
+            "reservations": [
+                {
+                    "hw-address": "b8:27:eb:d8:b9:ad",
+                    "ip-address": "172.23.2.12",
+                    "hostname": "lock"
+                },
+
+                {
+                    "hw-address": "b8:27:eb:ed:22:58",
+                    "ip-address": "172.23.2.13",
+                    "hostname": "matrix"
+                },
+
+                {
+                    "hw-address": "08:00:37:B8:55:44",
+                    "ip-address": "172.23.2.91",
+                    "hostname": "strammermax"
+                },
+
+                {
+                    "hw-address": "ec:9a:74:35:35:cf",
+                    "ip-address": "172.23.2.92",
+                    "hostname": "obatzda"
+                }
+            ]
+        },
+
+        {
+            "subnet": "172.23.3.0/24",
+
+            "pools": [ { "pool": "172.23.3.10 - 172.23.3.230" } ],
+
+            "option-data": [
+                {
+                    "name": "routers",
+                    "data": "172.23.3.1"
+                },
+
+                {
+                    "name": "domain-search",
+                    "data": "binary.kitchen, users.binary.kitchen"
+                }
+            ],
+
+            "ddns-send-updates": true,
+            "ddns-override-client-update": true,
+            "ddns-override-no-update": true,
+            "ddns-qualifying-suffix": "users.binary.kitchen",
+            "ddns-generated-prefix": "dhcp",
+            "ddns-replace-client-name": "when-not-present",
+            "ddns-update-on-renew": true,
+
+            "reservations": [
+                {
+                    "hw-address": "b8:27:eb:18:5c:11",
+                    "ip-address": "172.23.3.250",
+                    "hostname": "cannelloni"
+                },
+
+                {
+                    "hw-address": "b8:27:eb:1d:b9:bf",
+                    "ip-address": "172.23.3.240",
+                    "hostname": "fusilli"
+                },
+
+                {
+                    "hw-address": "74:da:38:6e:e6:9d",
+                    "ip-address": "172.23.3.241",
+                    "hostname": "klopi"
+                },
+
+                {
+                    "hw-address": "b8:27:eb:f5:9e:a1",
+                    "ip-address": "172.23.3.246",
+                    "hostname": "maccaroni"
+                },
+
+                {
+                    "hw-address": "74:da:38:7d:ed:84",
+                    "ip-address": "172.23.3.244",
+                    "hostname": "mirror"
+                },
+
+                {
+                    "hw-address": "b8:27:eb:0f:d3:8b",
+                    "ip-address": "172.23.3.242",
+                    "hostname": "mpcnc"
+                },
+
+                {
+                    "hw-address": "b8:27:eb:56:2b:7c",
+                    "ip-address": "172.23.3.251",
+                    "hostname": "noodlehub"
+                },
+
+                {
+                    "hw-address": "b8:27:eb:eb:e5:88",
+                    "ip-address": "172.23.3.245",
+                    "hostname": "spaghetti"
+                },
+
+                {
+                    "hw-address": "00:1D:45:B6:99:2F",
+                    "hostname": "voip01",
+                    "client-classes": [ "voip-phone" ]
+                },
+
+                {
+                    "hw-address": "00:1D:A2:66:B8:3E",
+                    "hostname": "voip02",
+                    "client-classes": [ "voip-phone" ]
+                },
+
+                {
+                    "hw-address": "00:1E:BE:90:FB:DB",
+                    "hostname": "voip03",
+                    "client-classes": [ "voip-phone" ]
+                },
+
+                {
+                    "hw-address": "00:1E:BE:90:FF:06",
+                    "hostname": "voip04",
+                    "client-classes": [ "voip-phone" ]
+                }
+            ]
+        },
+
+        {
+            "subnet": "172.23.4.0/24",
+
+            "pools": [ { "pool": "172.23.4.10 - 172.23.4.240" } ],
+
+            "option-data": [
+                {
+                    "name": "routers",
+                    "data": "172.23.4.1"
+                }
+            ],
+
+            "reservations": [
+                {
+                    "hw-address": "b8:27:eb:b6:62:be",
+                    "ip-address": "172.23.4.241",
+                    "hostname": "habdisplay1"
+                },
+
+                {
+                    "hw-address": "b8:27:eb:df:0b:7b",
+                    "ip-address": "172.23.4.242",
+                    "hostname": "habdisplay2"
+                },
+
+                {
+                    "hw-address": "dc:a6:32:bf:e2:3e",
+                    "ip-address": "172.23.4.251",
+                    "hostname": "openhabgw1"
+                }
+            ]
+        },
+
+        {
+            "subnet": "172.23.12.0/24",
+
+            "option-data": [
+                {
+                    "name": "routers",
+                    "data": "172.23.12.1"
+                }
+            ],
+
+            "reservations": [
+                {
+                    "hw-address": "18:64:72:c6:c2:0c",
+                    "ip-address": "172.23.12.41",
+                    "hostname": "ap11"
+                },
+
+                {
+                    "hw-address": "18:64:72:c6:c4:98",
+                    "ip-address": "172.23.12.42",
+                    "hostname": "ap12"
+                },
+
+                {
+                    "hw-address": "00:30:42:1B:8B:9B",
+                    "ip-address": "172.23.12.111",
+                    "client-classes": [ "dect-rfp" ],
+                    "hostname": "rfp11"
+                }
+            ]
+        },
+
+        {
+            "subnet": "172.23.13.0/24",
+
+            "option-data": [
+                {
+                    "name": "routers",
+                    "data": "172.23.13.1"
+                }
+            ]
+        },
+
+        {
+            "subnet": "172.23.14.0/24",
+
+            "pools": [ { "pool": "172.23.14.10 - 172.23.14.240" } ],
+
+            "option-data": [
+                {
+                    "name": "routers",
+                    "data": "172.23.14.1"
+                }
+            ]
+        },
+
+        {
+            "subnet": "172.23.15.0/24",
+
+            "pools": [ { "pool": "172.23.15.10 - 172.23.15.240" } ],
+
+            "option-data": [
+                {
+                    "name": "routers",
+                    "data": "172.23.15.1"
+                }
+            ]
+        }
+    ],
+
+    "loggers": [
+        {
+            "name": "kea-dhcp4",
+            "output_options": [
+                {
+                    "output": "stdout",
+                    "pattern": "%-5p %m\n"
+                }
+            ],
+            "severity": "INFO",
+            "debuglevel": 0
+        }
+    ]
+}
+}

roles/ldap_pam/files/mkhomedir

@@ -1,6 +0,0 @@
-Name: Create home directory during login
-Default: yes
-Priority: 900
-Session-Type: Additional
-Session:
-	required	pam_mkhomedir.so umask=0077 skel=/etc/skel

roles/ldap_pam/files/nsswitch.conf

@@ -1,20 +0,0 @@
-# /etc/nsswitch.conf
-#
-# Example configuration of GNU Name Service Switch functionality.
-# If you have the `glibc-doc-reference' and `info' packages installed, try:
-# `info libc "Name Service Switch"' for information about this file.
-
-passwd:         files ldap
-group:          files ldap
-shadow:         files ldap
-gshadow:        files
-
-hosts:          files dns
-networks:       files
-
-protocols:      db files
-services:       db files
-ethers:         db files
-rpc:            db files
-
-netgroup:       nis

roles/ldap_pam/handlers/main.yml

@@ -1,10 +0,0 @@
----
-
-- name: Restart nscd
-  service: name=nscd state=restarted
-
-- name: Restart nslcd
-  service: name=nslcd state=restarted
-
-- name: Update pam-auth
-  shell: pam-auth-update --package libpam-modules 2>/dev/null

roles/ldap_pam/tasks/main.yml

@@ -1,19 +0,0 @@
----
-
-- name: Install nslcd
-  apt: name=nslcd
-
-- name: Configure nslcd
-  template: src=nslcd.conf.j2 dest=/etc/nslcd.conf
-  notify: Restart nslcd
-
-- name: Configure nsswitch
-  copy: src=nsswitch.conf dest=/etc/nsswitch.conf
-  notify: Restart nscd
-
-- name: Configure PAM mkhomedir
-  copy: src=mkhomedir dest=/usr/share/pam-configs/mkhomedir mode=0644
-  notify: Update pam-auth
-
-- name: Start the nslcd service
-  service: name=nslcd state=started enabled=yes

roles/ldap_pam/templates/nslcd.conf.j2

@@ -1,36 +0,0 @@
-# /etc/nslcd.conf
-# nslcd configuration file. See nslcd.conf(5)
-# for details.
-
-# The user and group nslcd should run as.
-uid nslcd
-gid nslcd
-
-# The location at which the LDAP server(s) should be reachable.
-uri {{ ldap_uri }}
-
-# The search base that will be used for all queries.
-base {{ ldap_base }}
-
-# The LDAP protocol version to use.
-#ldap_version 3
-
-# The DN to bind with for normal lookups.
-binddn {{ ldap_binddn }}
-bindpw {{ ldap_bindpw }}
-
-# The DN used for password modifications by root.
-#rootpwmoddn cn=admin,dc=example,dc=com
-
-# The search scope.
-scope one
-
-# Customize certain database lookups.
-base group  {{ nslcd_base_group }}
-base passwd {{ nslcd_base_passwd }}
-base shadow {{ nslcd_base_shadow }}
-
-# SSL options
-tls_reqcert demand
-tls_cacertfile /etc/ssl/certs/ca-certificates.crt
-tls_cacertdir /etc/ssl/certs

roles/librenms/tasks/main.yml

@@ -51,8 +51,8 @@
     regexp: ';?date\.timezone'
     line: 'date.timezone = Europe/Berlin'
   with_items:
-  - /etc/php/7.4/cli/php.ini
-  - /etc/php/7.4/fpm/php.ini
+  - /etc/php/8.2/cli/php.ini
+  - /etc/php/8.2/fpm/php.ini
 
 - name: Ensure certificates are available
   command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ librenms_domain }}.key -out /etc/nginx/ssl/{{ librenms_domain }}.crt -days 730 -subj "/CN={{ librenms_domain }}" creates=/etc/nginx/ssl/{{ librenms_domain }}.crt
@@ -76,8 +76,8 @@
   file: src=/etc/nginx/sites-available/librenms dest=/etc/nginx/sites-enabled/librenms state=link
   notify: Restart nginx
 
-- name: Start php7.4-fpm
-  service: name=php7.4-fpm state=started enabled=yes
+- name: Start php8.2-fpm
+  service: name=php8.2-fpm state=started enabled=yes
 
 - name: Enable monitoring
   include_role: name=icinga-monitor tasks_from=http

roles/librenms/templates/vhost.j2

@@ -31,7 +31,7 @@ server {
 		include fastcgi_params;
 		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 		fastcgi_param PATH_INFO $fastcgi_path_info;
-		fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+		fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
 		fastcgi_intercept_errors on;
 	}
 

roles/mail/files/dovecot/move-spam.sieve

@@ -1,5 +1,6 @@
-require ["fileinto","mailbox"];
+require ["fileinto", "imap4flags", "mailbox"];
 
 if header :contains "X-Spam" "Yes" {
+ addflag "\\Seen";
  fileinto "Junk";
 }

roles/mail/files/rspamd/local.d/phishing.conf

@@ -0,0 +1,2 @@
+openphish_enabled = true;
+phishtank_enabled = false;

roles/mail/handlers/main.yml

@@ -30,5 +30,4 @@
   command: postmap /etc/{{ item }}
   with_items:
   - postfix/helo_access
-  - postfix/transport
   - postfix/virtual-alias

roles/mail/tasks/main.yml

@@ -10,6 +10,7 @@
   apt:
     name:
     - bsd-mailx
+    - clamav-daemon
     - dovecot-core
     - dovecot-imapd
     - dovecot-lmtpd

roles/mail/templates/mailman/mailman-hyperkitty.cfg.j2

@@ -13,9 +13,11 @@
 # address will be used by Mailman to forward incoming emails to HyperKitty
 # for archiving. It does not need to be publicly available, in fact it's
 # better if it is not.
+# However, if your Mailman installation is accessed via HTTPS, the URL needs
+# to match your SSL certificate (e.g. https://lists.example.com/hyperkitty).
 #base_url: http://localhost/mailman3/hyperkitty/
 base_url: https://{{ mailman_domain }}/mailman3/hyperkitty/
 
-# Shared API key, must be the identical to the value in HyperKitty's
-# settings.
+# The shared api_key, must be identical except for quoting to the value of
+# MAILMAN_ARCHIVER_KEY in HyperKitty's settings.
 api_key: {{ mailman3_archiverkey }}

roles/mail/templates/mailman/mailman-web.py.j2

@@ -202,3 +202,13 @@ POSTORIUS_TEMPLATE_BASE_URL = 'http://localhost/mailman3/'
 
 # This is a quick and dirty hack - maybe there is a way to reliably retrieve the right ID?
 SITE_ID = 2
+
+
+Q_CLUSTER = { 'orm': 'default',
+              'retry': 360,
+              'save_limit': 100,
+              'timeout': 300,
+              'workers': 2
+}
+
+DEFAULT_AUTO_FIELD = 'django.db.models.AutoField'

roles/mail/templates/mailman/mailman.cfg.j2

@@ -38,7 +38,7 @@ lock_file: $lock_dir/master.lck
 
 [database]
 class: mailman.database.postgresql.PostgreSQLDatabase
-url: postgres://{{ mailman3_dbuser }}:{{ mailman3_dbpass }}@localhost/{{ mailman3_dbname }}
+url: postgresql://{{ mailman3_dbuser }}:{{ mailman3_dbpass }}@localhost/{{ mailman3_dbname }}
 debug: no
 
 [logging.debian]

roles/mail/templates/postfix/main.cf.j2

@@ -99,6 +99,9 @@ smtpd_recipient_restrictions =
     reject_unauth_pipelining
     reject_unverified_recipient
 
+# SMTP Smuggling
+smtpd_forbid_bare_newline = yes
+
 # rspamd Milter setup
 smtpd_milters = inet:localhost:11332
 non_smtpd_milters = inet:localhost:11332

roles/matrix/tasks/main.yml

@@ -1,7 +1,8 @@
 ---
 
 - name: Enable matrix apt-key
-  apt_key: url="https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg"
+  apt_key: url="https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg" keyring="/etc/apt/trusted.gpg.d/matrix.gpg"
+
 
 - name: Enable matrix repository
   apt_repository: repo="deb https://packages.matrix.org/debian/ {{ ansible_distribution_release }} main"