Compare commits

...

304 Commits

Author SHA1 Message Date
2d139167ea indium: new temp. host for igel livestreaming 2024-10-31 14:42:10 +01:00
933e25ca6a therapy: new role to be deployed on aluminium 2024-10-31 14:37:42 +01:00
eb4a5d1d13 netbox: bump to version 4.1.5 2024-10-30 20:18:14 +01:00
df069adc5e icinga: add apt and disk service definitions 2024-10-28 19:53:06 +01:00
c2b8944756 icinga: move host config into zones in order to support agents 2024-10-28 00:30:16 +01:00
4715798c3f remove technetium.binary-kitchen.net 2024-10-28 00:28:32 +01:00
750157ef76 group_vars: add more voucher aliases 2024-10-28 00:25:29 +01:00
20c13ddbdc icinga: add TODO 2024-10-27 22:27:58 +01:00
62bc168983 matrix: increase local media lifetime 2024-10-21 20:02:23 +02:00
d72fc4ceaa uau: rebase against Debian 12 2024-10-21 20:01:44 +02:00
68fee1e0d7 common: rebase against Debian 12 2024-10-21 20:01:06 +02:00
2ea069f94e netbox: bump to version 4.1.4 2024-10-21 19:06:31 +02:00
63df9a1a54 README.md: update strichliste and auweg doorlock to debian 12 2024-10-19 21:42:52 +02:00
35a3f9ae97 strichliste: use system version of debian 2024-10-19 21:40:54 +02:00
71025ea2f4 dns_intern: update dns to reflect changes in network components 2024-10-06 16:35:48 +02:00
ea189822fc repalce dhcpd by kea 2024-10-05 19:39:26 +02:00
b425f3b482 kea: don't configure HA unless needed 2024-10-05 19:36:53 +02:00
c8a0e54cc8 kea: fix socket paths 2024-10-05 19:36:53 +02:00
4b0b8adcdd kea: add ddns support 2024-10-05 19:36:53 +02:00
06a8052353 kea: add more subnets, pools and reservations 2024-10-05 19:36:53 +02:00
dcf7325368 kea: define options and classes for dect-rfps and voip-phones 2024-10-05 19:36:53 +02:00
1ddcc40476 kea: query primary dns server for hostnames
otherwise the role will fail if the host it is deployed from has VPN but
is not using our DNS infra
2024-10-05 19:36:53 +02:00
Kishi85
bcb5584874 kea: configure control agent necessary for HA 2024-10-05 19:36:53 +02:00
Kishi85
3530b825e2 kea: add DHCP4 HA config (hot-standby) 2024-10-05 19:36:53 +02:00
5c8baa80e3 kea: new role (replaces dhcpd) 2024-10-05 19:36:53 +02:00
1164198097 netbox: bump to version 4.1.3 2024-10-02 19:27:59 +02:00
a6298aee8e authentik: bump to version 2024.8.3 2024-09-27 17:05:26 +02:00
94d7f4e8c1 netbox: bump to version 4.1.2 2024-09-27 11:54:51 +02:00
e3cd449b0b authentik: bump to version 2024.8.2 2024-09-16 18:28:44 +02:00
79adbecdba netbox: bump to version 4.1.1 2024-09-16 17:39:55 +02:00
3ac021d922 slapd: enable password policies
this will facilitate proper locking of accounts
2024-09-11 15:06:18 +02:00
0ff1611b8d gitea: bump to version 1.22.2 2024-09-09 23:43:10 +02:00
fe0c6bbdec authentik: bump to vesion 2024.8.1 2024-09-09 23:28:38 +02:00
909ec370e4 netbox: bump to version 4.1.0 2024-09-09 09:36:14 +02:00
7c2158fa30 hedgedoc: bump to version 1.10.0 2024-09-01 18:27:54 +02:00
962fb1bc5e authentik: bump to version 2024.6.4 2024-08-23 17:44:29 +02:00
cf510ab999 netbox: bump to version 4.0.8 2024-08-12 14:34:44 +02:00
d7552497b4 authentik: bump to version 2024.6.3 2024-08-12 13:51:09 +02:00
99238faf96 netbox: bump to version 4.0.7 2024-07-18 20:20:24 +02:00
cb5d253c0d gitea: bump to version 1.22.1 2024-07-18 20:14:16 +02:00
e40b981476 vaultwarden: fix websocket pass through 2024-07-18 19:44:11 +02:00
6675814d77 nebtox: bump to version 4.0.6 2024-06-28 16:15:38 +02:00
41c044aefe authentik: bump to version 2024.6.0 2024-06-27 19:18:30 +02:00
5a946f94ef netbox: bump to version 4.0.5 2024-06-13 09:21:32 +02:00
82ede41fe9 netbox: fix psycopg dependency to use binary
the C variant will fail to compile
2024-05-27 22:48:36 +02:00
620d4c94f2 netbox: bump to version 4.0.3 2024-05-27 22:47:12 +02:00
e0f000c201 gitea: bump to version 1.22.0 2024-05-27 19:20:23 +02:00
d8e1e6edf4 web: split php pools into www and spaceapi
prevent deadloks from crawlers that open lots of wiki pages which in
turn query the spaceapi
discovery and fix by voidptr
2024-05-17 22:32:51 +02:00
b9e886fd01 dns_intern: rename erx-bk to rt-w13b
The EdgeRouter has been replaced by a APU running VyOS
2024-05-13 09:42:01 +02:00
581757a3f0 beryllium: add toffy as root user 2024-05-10 13:16:20 +02:00
79217219fb mail: explicitly configure anti-phishing providers 2024-05-07 23:31:07 +02:00
9bee86f6ba authentik: bump to version 2024.4.2 2024-05-07 23:28:47 +02:00
bd75c4283a act_runner: bump to version 0.2.10 2024-05-06 19:22:18 +02:00
8b6e02f91f netbox: bump to version 3.7.8 2024-05-06 19:21:08 +02:00
f791a1cd8d netbox: bump to version 3.7.5 2024-04-17 19:49:23 +02:00
50ea038b51 web: add mail autoconfig file for thunderbird 2024-04-17 19:13:19 +02:00
15166b92a2 gitea: bump to version 1.21.11 2024-04-17 18:14:39 +02:00
88764a7fb5 gitea: bump to version 1.21.10 2024-03-26 18:00:38 +01:00
f1e3189a1d gitea: bump to version 1.21.9 2024-03-22 16:46:37 +01:00
477357b00e hosts: add cadmium 2024-03-18 09:03:19 +01:00
d860c5a538 mail: add alias for hackzuck 2024-03-18 09:02:44 +01:00
849a8f491d cadmium: new host for event netbox 2024-03-18 09:02:01 +01:00
6e766fdc5b netbox: bump to version 3.7.4 2024-03-18 08:48:47 +01:00
631ba79ba4 README: update OS for pancake 2024-03-16 17:15:14 +01:00
3c1a92a4b6 xrdp_apphost: Upgrade configs from bullseye to bookworm 2024-03-15 21:50:52 +01:00
e2c7bed035 xrdp_apphost: Upgrade EstlCam from 11244 to 11245 2024-03-15 19:36:50 +01:00
07a0e22d35 xrdp_apphost: Upgrade LightBurn from 1.3.01 to 1.5.03 2024-03-15 19:12:07 +01:00
f72960bbc8 xrdp_apphost: Upgrade slicer from 2.5.0 to 2.7.2 2024-03-15 18:57:05 +01:00
51e673ca94 icinga_agent: [WIP] 2024-03-11 18:23:42 +01:00
b99c41b938 icinga-monitor: fix typo 2024-03-03 15:38:48 +01:00
f839bd1db9 icinga_agent: add basic disk monitoring 2024-03-02 21:01:42 +01:00
d5f8a39219 dns_intern: remove obsolete racktables entry 2024-03-01 22:56:29 +01:00
36bf2bbc3f icinga-monitor: use follow for http checks 2024-03-01 22:38:40 +01:00
34b1d83233 icinga_agent: new role to enroll an agent 2024-03-01 22:37:01 +01:00
0e9d3092e6 gitea: bump to version 1.21.7 2024-02-28 00:30:44 +01:00
7b03d89096 mail: himmel@eh21.easterhegg.eu goes into zammad 2024-02-24 13:02:53 +01:00
07686bbf73 gitea: bump to version 1.21.6 2024-02-23 14:12:58 +01:00
b3c04b5675 netbox: bump to version 3.7.3 2024-02-22 23:19:33 +01:00
b058a8d891 common: support looking up sshPublicKey from LDAP 2024-02-21 08:38:44 +01:00
d5b11f15d2 dns_intern: rebase config against upstream 2024-02-21 08:37:34 +01:00
ec9b306469 gitea: fix service group name 2024-02-06 17:42:36 +01:00
9ac34b1079 netbox: bump version to 3.7.2 2024-02-06 17:28:16 +01:00
40a2a28676 hedgedoc: restart on failure 2024-02-05 20:59:13 +01:00
574afd2b83 gitea: bump to version 1.21.5 2024-02-05 20:58:48 +01:00
a219a7ecaf nextcloud: make compatiable with Debian 12 2024-02-01 17:56:04 +01:00
265aa863fd pretalx: set client size limit 2024-01-29 19:02:08 +01:00
dffb4be7d0 authentik: bump to version 2023.10.7 2024-01-29 18:35:26 +01:00
67066c88c7 minor cleanup 2024-01-22 17:15:28 +01:00
db0cc8517a README: update 2024-01-20 18:57:43 +01:00
d8ab43dc29 netbox: bump to version 3.7.1 2024-01-18 19:41:34 +01:00
b919df64ce authentik: bump to version 2023.10.6 2024-01-18 19:39:53 +01:00
91e88b07b3 gitea: bump version to 1.21.4 2024-01-17 18:18:59 +01:00
f29fccefbe new VM: technetium (Event CTFd) 2024-01-17 18:18:31 +01:00
668b9418db common: rebase chrony config
against current debian default config
2024-01-16 22:24:59 +01:00
8c7629c409 cleanup/unify naming 2024-01-16 22:23:44 +01:00
a23e1598bf README: add an overview of systems 2024-01-16 19:34:00 +01:00
9b9a844867 yttrium: repurpose as VM for hintervvoidler 2024-01-16 19:33:31 +01:00
d1682eb5f2 sssd: new role to replace ldap_pam (based on nslcd) 2024-01-16 19:03:03 +01:00
c6db7e5805 omm: update notes 2024-01-11 22:25:53 +01:00
cfa3c48827 matrix: enable some retention features 2024-01-11 20:01:28 +01:00
b61d00aeca omm: new role (SIP-DECT OMM) 2024-01-11 19:54:01 +01:00
4a56b35fdd gitea: cleanup role 2024-01-11 17:30:34 +01:00
cf373d84ec act_runner: new role
gitea actions will replace drone
2024-01-11 17:28:09 +01:00
c3ce352580 gitea: bump version to 1.21.3 2024-01-09 20:25:45 +01:00
6f5b4891d4 allow mail from argentum 2024-01-08 22:03:48 +01:00
937961174f argentum: give access to flo 2024-01-08 20:09:03 +01:00
b2b7045f61 zammad: new role 2024-01-08 20:08:25 +01:00
83d6c87415 mail: smtp smuggling related settings 2024-01-04 20:42:15 +01:00
79230057af dhcpd: replace ap04 with a newer model 2024-01-03 23:34:18 +01:00
3e13f04758 rhodium: add tom as root user 2024-01-03 19:45:31 +01:00
aa53ae45ca authentik: bump to version 2023.10.5 2024-01-03 19:06:15 +01:00
4e4999d409 netbox: bump to version 3.7.0 2024-01-03 12:31:09 +01:00
1d1c1d0381 gitea: bump to version 1.21.2 2023-12-20 09:03:30 +01:00
40559373ba nbetbox: bump to version 3.6.7 2023-12-20 08:45:13 +01:00
b990c6c1c3 netbox: bump to version 3.6.6 2023-12-13 08:33:27 +01:00
84cb7be90d gitea: bump to version 1.21.1 2023-11-27 16:57:27 +01:00
eca8792bb5 group_vars: add EH21 mail aliases 2023-11-27 16:54:59 +01:00
e4f934264f event_web: apply settings needed for engelsystem 2023-11-24 14:51:18 +01:00
ce477eceb2 authentik: bump version to 2023.10.4 2023-11-24 14:50:28 +01:00
b7142615fb netbox: fix DB priviledge settings for current ansible versions 2023-11-21 10:40:25 +01:00
20b0cb26ff netbox: bump verion to 3.6.5 2023-11-20 23:07:38 +01:00
eb430ed0ee gitea: bump version to 1.21.0 2023-11-20 23:06:31 +01:00
700fa97feb groups_vars: enable mail for eh21.easterhegg.eu 2023-11-17 13:26:23 +01:00
21c64883f0 event_web: add engelsystem domain 2023-11-15 17:15:12 +01:00
cca5e2f3df host_vers: add toffy as root user on argentum 2023-11-14 18:06:31 +01:00
5a54bdfe67 matrix: rebase config against upstream 2023-11-14 16:58:02 +01:00
05e5e2d6a0 pretix: add additional event domain 2023-11-14 16:53:04 +01:00
1fa4fb24aa web: drop domain plk-regensburg.de 2023-11-14 16:50:21 +01:00
3642f4db11 event_web: use final domain for EH 2023-11-14 16:49:27 +01:00
a5c5957554 dhcpd: no ddns update at location Auweg 2023-11-13 15:19:06 +01:00
17b59ae656 authentik: bump to version 2023.10.2 2023-11-07 17:59:06 +01:00
9c072a4678 pretalx: don't spam useless mails 2023-11-07 17:50:57 +01:00
02496ae591 pretalx: fix static directory 2023-11-07 16:50:10 +01:00
d5d762f73e groups_vars: update bbb mail alias 2023-11-07 16:49:49 +01:00
e85e1f43ea mail: install clamav 2023-11-07 16:49:34 +01:00
22c743baec new host: argentum.binary-kitchen.net (event web) 2023-11-07 16:49:13 +01:00
d10886f284 netbox: bump to version 3.6.4 2023-10-19 09:55:00 +02:00
198a5908b2 mail: silence django warnings 2023-10-12 22:24:18 +02:00
07d14163fb gitea: bump to version 1.20.5 2023-10-11 16:27:04 +02:00
d0429f9984 dns_intern: make compatiable with Debian 12 2023-10-10 19:25:04 +02:00
7ba5813e39 mail: make compatiable with Debian 12 2023-10-10 14:46:06 +02:00
2d499a0967 netbox: bump to version 3.6.3 2023-09-27 20:45:22 +02:00
58c875c4dc slapd: make compatiable with Debian 12 2023-09-20 22:38:24 +02:00
6bf772b761 authentik: bump to version 2023.8.3 2023-09-15 12:29:05 +02:00
66f751b4fb fix typo 2023-09-15 12:09:28 +02:00
b656aef36d pretalx: deploy on palladium 2023-09-15 12:08:32 +02:00
fc452e7d60 re-add rhodium (pretix) 2023-09-15 12:05:48 +02:00
2aec019f3b pretix: cleanup config 2023-09-15 09:11:56 +02:00
6b600be79c pretix: fix ansible deprecation warning 2023-09-15 09:11:25 +02:00
a3995263f2 gitea: bump to version 1.20.4 2023-09-15 09:03:18 +02:00
d4e75761aa authentik: bump to version 2023.8.2 2023-09-07 08:58:58 +02:00
aa05825fb2 gitea: bump to version 1.20.3 2023-09-06 22:46:34 +02:00
ad41c02741 netbox: bump to version 3.6.1 2023-09-06 22:32:46 +02:00
c0852557af matrix: make compatiable with Debian 12 2023-09-06 21:41:06 +02:00
586a02e545 heisenbridge: new role 2023-09-06 21:37:39 +02:00
1c0b1e6032 pretix: make compatiable with Debian 12 2023-09-06 17:37:27 +02:00
003c4ee83d fileserver: make compatiable with Debian 12 2023-09-06 14:51:50 +02:00
4c55923b1c specify keyring for apt_key 2023-09-06 14:50:54 +02:00
089136b71c group_vars: update aliases 2023-08-04 09:20:30 +02:00
ce825b105c hedgedoc: bump to version 1.9.9 2023-07-31 14:04:30 +02:00
d120a95789 gitea: bump to version 1.20.2 2023-07-31 14:03:40 +02:00
d2aa747d52 netbox: bump to version 3.5.7 2023-07-31 13:57:11 +02:00
565177b6d6 mail: exclude no longer used file from postmap 2023-07-17 17:47:56 +02:00
f6b8724b93 authentik: new role (SSO provider) 2023-07-17 17:45:45 +02:00
ac8c0318a9 matrix: rebase config against upstream 2023-07-17 16:26:28 +02:00
35de5eb253 librenms: make compatiable with Debian 12 2023-07-17 16:25:45 +02:00
6c14018f4a icinga: make compatiable with Debian 12 2023-07-17 16:25:18 +02:00
b4ef06572b common: install wget 2023-07-17 16:24:50 +02:00
a12e0bf43b web: make compatiable with Debian 12 2023-07-17 16:24:07 +02:00
f484efbd54 pbs: make compatiable with Debian 12 2023-07-17 16:23:25 +02:00
d21c73e317 prometheus: add missing dependency 2023-07-17 16:23:00 +02:00
48f2330a84 hedgedoc: use more generic postgres version 2023-07-17 16:21:56 +02:00
7c4c262fd3 vaultwarden: use more generic postgres version 2023-07-17 16:21:33 +02:00
1ea08a8776 dns_intern: make compatiable with Debian 12 2023-07-17 16:21:07 +02:00
c1da05cdaf dns_extern: make compatiable with Debian 12 2023-07-17 16:20:42 +02:00
06d0895b96 gitea: bump version to 1.20.0 2023-07-17 16:20:01 +02:00
6279bd0caa gitea: bump to version 1.19.3 2023-06-28 07:44:45 +02:00
a9668ff6d7 netbox: bump to version 3.5.4 2023-06-28 07:44:14 +02:00
c06ba3f0c3 remove old pretix host 2023-06-19 15:13:02 +02:00
46d97d75bf netbox: bump to version 3.5.2 2023-05-23 17:22:47 +02:00
8cefd0363b nextcloud: update to PHP 8.2 2023-05-08 18:38:53 +02:00
0c53d9dc3e grafana: fix repo and key location 2023-05-02 17:44:39 +02:00
d448fe5384 gitea: bump to version 1.19.2 2023-04-28 14:37:18 +02:00
0430a7e456 gitea: bump to version 1.9.1 2023-04-25 17:51:50 +02:00
adadbc9663 new Vorstand, new permissions 2023-04-24 23:18:22 +02:00
7cbb6abff9 netbox: bump to version 3.4.8 2023-04-24 18:03:43 +02:00
4e1880d394 gitea: bump to version 1.19.0 2023-03-23 17:27:38 +01:00
5d1b2ab959 netbox: bump to version 3.4.6 2023-03-16 16:07:59 +01:00
837c9fc20a mail: mark spam as read 2023-02-28 17:52:38 +01:00
4103a23f48 hedgedoc: bump version to 1.9.7 2023-02-20 20:34:15 +01:00
35a7acafd4 gitea: bump version to 1.18.4 2023-02-20 20:33:58 +01:00
b2d6066acb netbox: bump to version 3.4.4 2023-02-03 16:26:38 +01:00
d662fd6689 common: update zshrc from upstream (grml) 2023-01-26 08:52:59 +01:00
70d4edc0d6 xrdp_apphost: Upgrade Lightburn to 1.3.01 and slicer to 2.5.0 2023-01-23 21:16:55 +01:00
63b0d62938 gitea: bump to version 1.18.2 2023-01-23 09:55:15 +01:00
4993782513 strichliste: deploy on tschunk
Signed-off-by: Thomas Schmid <tom@lfence.de>
2023-01-16 22:00:19 +01:00
3b1b600c8e new host: tschunk/strichliste 2023-01-16 18:49:34 +01:00
a0d455d3ed bk-dss: bump to version 0.8.5 2023-01-06 23:59:04 +01:00
f0bd56d813 23b: deploy on fluorine 2023-01-06 22:56:00 +01:00
a1a8a75787 group_vars: add forgotten 23b domain name 2023-01-06 22:54:08 +01:00
0b1ee06e0c gitea: bump to version 1.18.0 2023-01-06 22:50:51 +01:00
f2abb27a08 netbox: bump to version 3.4.2 2023-01-06 17:45:50 +01:00
1e3a163dca 23b: enable service 2023-01-01 02:04:24 +01:00
631f34baea gitea: bump to version 1.17.4 2022-12-22 09:33:20 +01:00
6696697892 23b: new role 2022-12-17 20:28:41 +01:00
fcb2638d8f host_vars: fix ssh key for ralf 2022-12-17 20:27:30 +01:00
b4146fc919 netbox: bump to version 3.4.1 2022-12-17 10:38:06 +01:00
d9678ba6f5 gitea: bump version to 1.17.3 2022-12-08 16:01:48 +01:00
0154bded19 doorlock: first steps towards an auweg doorlock 2022-11-17 16:00:20 +01:00
b5bfc03f2f hedgedoc: bump to 1.9.5 2022-10-31 17:21:36 +01:00
4344bd7d45 lasagne: new host for homeassistant 2022-10-22 17:38:08 +02:00
234e889d9d krypton: add noby as root user 2022-09-30 13:13:37 +02:00
5f39fd3ea7 docker: use debian packages instead of upstream 2022-09-30 13:12:58 +02:00
6b5c59183e netbox: bump to version 3.3.4 2022-09-21 14:12:47 +02:00
9e20fd1c19 mail: remove unused service fcgiwrap 2022-09-17 17:03:35 +02:00
a7d391e0de workadventure: fix trailing whitespace 2022-09-03 16:09:39 +02:00
9e9bfade44 vaultwarden: enable yubico support 2022-09-03 12:58:29 +02:00
64badc0d8f vaultwarden: disable sends 2022-09-03 12:58:15 +02:00
0c1df72dce vaultwarden: fix domain (HTTPS) 2022-09-03 12:29:32 +02:00
fdf91000d5 hedgedoc: handle restart via systemd service 2022-09-03 12:26:48 +02:00
b86945f714 vaultwarden: handle restart via systemd service 2022-09-03 12:26:29 +02:00
14c055bff0 vaultwarden: new role 2022-09-03 12:21:08 +02:00
a08b2c047e hedgedoc: rename from hackmd 2022-09-03 00:36:59 +02:00
a59ac1435e netbox: bump to version 3.3.2 2022-09-02 21:54:51 +02:00
c23b065e68 gitea: bump to version 1.17.1 2022-09-02 21:12:25 +02:00
a40afba368 sulis, oxygen: allow password login 2022-09-02 21:11:48 +02:00
db8e6f2576 hackmd: use docker instead of native setup 2022-09-02 21:11:04 +02:00
cc35e0da6c common: minimize diff against upstream 2022-09-02 15:00:44 +02:00
26a36701f5 grafana: fix vhost config (origin not allowed) 2022-09-02 14:55:11 +02:00
7403383a4f molybdenum.binary-kitchen.net: add tom as root 2022-09-02 14:54:42 +02:00
b710872b20 common: fix style 2022-09-02 14:53:05 +02:00
4dd1f87e73
added sshd to common 2022-08-01 21:30:33 +02:00
33e0419253 gitea: bump to version 1.17.0 2022-07-31 11:00:49 +02:00
ab693499f4 xrdp_apphost: Set immutable bit for info directory 2022-07-21 19:22:35 +02:00
7e3ee25048 xrdp_apphost: Upgrade Lightburn to 1.2.00 2022-07-21 19:14:51 +02:00
ce8e6d6cd2 new host: lock-auweg 2022-07-16 18:44:20 +02:00
e1e8da8a2b dns_intern: add host lock-auweg 2022-07-16 18:42:56 +02:00
cd80847a57 mail: rebase config against upstream 2022-07-16 18:41:33 +02:00
d5ec34c47e librenms: enable monitoring via icinga 2022-07-16 18:40:47 +02:00
227926ff12 install unattended upgrades on pizza 2022-07-09 21:32:04 +02:00
Kishi85
5ddc8ee09a mail: Remove config related to deprecated mailman version 2.x 2022-07-07 12:12:37 +02:00
d2c83c01fc netbox: bump to version 3.2.5 2022-06-22 14:44:00 +02:00
3e0cdbe023 group_vars: fix salt values 2022-06-20 10:43:19 +02:00
e1856f6ceb group_vars: add secrets wrt xrdp_apphost 2022-06-20 08:43:16 +02:00
3dbdbc226b xrdp_apphost: Upgrade Lightburn to 1.1.04 2022-06-19 21:47:48 +02:00
5cbaf1b4a6 xrdp_apphost: Upgrade Slicer to 2.4.2 2022-06-19 21:47:48 +02:00
447fcbaad5 xrdp_apphost: Moved passwords to vault 2022-06-19 21:47:48 +02:00
ec6b1d4725 xrdp_apphost: Upgrade Estlcam to 11.244 2022-06-19 21:47:48 +02:00
ad96a50ae8 xrdp_apphost: Upgrade Slicer to 2.4.1 2022-06-19 21:47:48 +02:00
ca244db889 xrdp_apphost: Upgrade Lightburn to 1.1.03 2022-06-19 21:47:48 +02:00
73b36d8bc3 xrdp_apphost: Add app config to git repositories
A git repository is created for each config folder for each application
2022-06-19 21:47:48 +02:00
a1a3091507 xrdp_apphost: Consolidate common application tasks
This commit consolidates common tasks like user creation which is
needed by all applications into a single file.
2022-06-19 21:47:48 +02:00
541c061c7d xrdp_apphost: Moved configuration to dictionary
This allows config and user generation using loops
2022-06-19 21:47:48 +02:00
2d645a13f4 xrdp_apphost: Implemented cleanup of old files
All files older than 30 days as well as empty folders
will be automatically deleted.
2022-06-19 21:47:48 +02:00
9eef0c7739 xrdp_apphost: Secure home directories
Remove all permissions for other users from home directries
2022-06-19 21:47:48 +02:00
f565853cd2 xrdp_apphost: Add configuration for Slic3r 2022-06-19 21:47:48 +02:00
9c2cf94ea2 xrdp_apphost: Split role into different files 2022-06-19 21:47:48 +02:00
7c40f82c6c xrdp_apphost: Added ansible hint to all templates 2022-06-19 21:47:48 +02:00
bd96df2eb0 xrdp_apphost: Add tsadmin user
This user is able to e.g. run graphical installers for estlcam
2022-06-19 21:47:48 +02:00
3c09971484 xrdp_apphost: Add configuration for Estlcam 2022-06-19 21:47:48 +02:00
fabf719de5 xrdp_apphost: Create samba shares 2022-06-19 21:47:48 +02:00
44241e5df5 xrdp_apphost: Made login screen configureable 2022-06-19 21:47:48 +02:00
da9b432864 xrdp_apphost: new role 2022-06-19 21:47:48 +02:00
e956702e86 workadventure: enable monitoring via icinga 2022-06-06 21:16:03 +02:00
8bf2704c9b matrix: enable monitoring via icinga 2022-06-06 21:11:36 +02:00
4f57cf5f62 nextcloud: enable monitoring via icinga 2022-06-06 21:06:23 +02:00
02c5e0fa8f netbox: enable monitoring via icinga 2022-06-06 21:06:07 +02:00
9e194d1d6d hackmd: enable monitoring via icinga 2022-06-06 20:35:14 +02:00
29b0201507 grafana: enable monitoring via icinga 2022-06-06 20:34:56 +02:00
3214cdacd1 drone: enable monitoring via icinga 2022-06-06 20:34:44 +02:00
c57ce61df4 bk_dss: enable monitoring via icinga 2022-06-06 20:34:06 +02:00
cec001156b group_vars: define server running icinga 2022-06-06 20:28:08 +02:00
dbb9a58354 gitea: bump version to 1.16.8 2022-06-06 20:26:59 +02:00
82f0b278a6 gitea: enable monitoring via icinga 2022-06-06 20:26:37 +02:00
b87119a1df icinga: icinga-monitor: implement http host check 2022-06-06 20:25:38 +02:00
792d7dcc90 netbox: bump to version 3.2.3 2022-05-25 13:48:43 +02:00
359f2f68d7 nextcloud: update PHP to 8.1 2022-05-24 15:36:22 +02:00
Kishi85
93e01f3650 mail: Add mailman3 hyperkitty archiver config 2022-05-11 15:18:00 +02:00
69348ed49b mailman: default to mailman3 web interface 2022-05-09 20:58:19 +02:00
43a672b064 mail: fix rspamd settings
a config keyword has changed which which used to prevent locally sources
mails from being checked again
2022-04-25 21:48:03 +02:00
beb8fafd1a gitea: bump to version 1.16.6 2022-04-25 10:50:50 +02:00
e63ad7a34d common: install fdisk 2022-04-22 15:18:33 +02:00
cd90151635 netbox: bump to version 3.2.0 2022-04-11 18:24:19 +02:00
239d2b6f9b hackmd: bump to version 1.9.3 2022-04-11 18:24:19 +02:00
3c901c5e2e gitea: prevent bots from downloading archives 2022-04-02 11:03:09 +02:00
0893017a01 gitea: cleanup old repo archives 2022-04-02 10:56:35 +02:00
3fcc39c852 gitea: bump to version 1.16.5 2022-03-28 17:15:08 +02:00
3cd42908be matrix: rebase homeserver config against current upstream 2022-03-23 18:04:48 +01:00
dac19a26b6 site: fix typo 2022-03-21 21:42:44 +01:00
cece722363 dhcpd: fix typo 2022-03-21 21:42:32 +01:00
9675522a88 pretix: allow pretix to send mail 2022-03-14 19:34:23 +01:00
cc62b843ed pretix: use generic mail address 2022-03-14 19:32:58 +01:00
6d3f81e32d pretix: use more generic domain 2022-03-14 17:42:49 +01:00
c002c52c25 netbox: bump version to 3.1.9 2022-03-14 14:40:06 +01:00
01811b089e gitea: bump to version 1.16.3 2022-03-03 17:15:49 +01:00
84c167e9ed gitea: bump to version 1.16.1 2022-02-17 17:52:48 +01:00
79668ac85d workardventure: cleanup whitespace 2022-02-07 18:11:33 +01:00
16bdd2cc5a matrix: enable URL previews 2022-02-07 18:09:19 +01:00
848bf5c82c gitea: bump to version 1.16.0 2022-02-02 18:49:37 +01:00
224d6ef256 coturn: configure TURN for use with BBB 2022-01-27 21:12:28 +01:00
dcc8dfa14b new host: magnesium.binary-kitchen.net (TURN) 2022-01-27 20:55:21 +01:00
45cb1623cf mail: fix DKIM/ARC for mailman3 2022-01-27 19:46:51 +01:00
1541f5c7a8 mail: ugly hack to fix mailman3 2022-01-27 19:19:11 +01:00
c23bc49529 mail: disable eSLD for rspamd 2022-01-27 19:18:56 +01:00
249 changed files with 9003 additions and 2891 deletions

View File

@ -1,11 +1,69 @@
# Binary Kitchen Ansible Playbooks
This repository contains the roles to setup most of the infrastructure related to the hackerspace Binary Kitchen.
This repository contains the roles to setup most of the infrastructure related to the hackspace Binary Kitchen.
## Using
## Usage
TBA
To apply the current set of roles to a single host you can type: `ansible-playbook site.yml -l $hostname`
## Style / Contributing
It is recommenced to alway run in check mode (`--check`) first and use `--diff` to see what has been (or would be) changed
TBA/TBD
## Current setup
Currently the following hosts are installed:
### Internal Servers
| Hostname | OS | Purpose |
| ------------------------- | --------- | ----------------------- |
| wurst.binary.kitchen | Proxmox 8 | VM Host |
| salat.binary.kitchen | Proxmox 8 | VM Host |
| weizen.binary.kitchen | Proxmox 8 | VM Host |
| bacon.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| aveta.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| aeron.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| sulis.binary.kitchen | Debian 12 | Shell |
| nabia.binary.kitchen | Debian 12 | Monitoring |
| epona.binary.kitchen | Debian 12 | NetBox |
| pizza.binary.kitchen | Debian 11 | OpenHAB * |
| pancake.binary.kitchen | Debian 12 | XRDP |
| knoedel.binary.kitchen | Debian 12 | SIP-DECT OMM |
| bob.binary.kitchen | Debian 12 | Gitea Actions |
| lasagne.binary.kitchen | Debian 12 | Home Assistant * |
| tschunk.binary.kitchen | Debian 12 | Strichliste |
| bowle.binary.kitchen | Debian 12 | Files |
| lock-auweg.binary.kitchen | Debian 12 | Doorlock |
\*: The main application is not managed by ansible but manually installed
### External Servers
| Hostname | OS | Purpose |
| ----------------------------- | --------- | ----------------------- |
| helium.binary-kitchen.net | Debian 12 | LDAP Master |
| lithium.binary-kitchen.net | Debian 12 | Mail |
| beryllium.binary-kitchen.net | Debian 12 | Web * |
| boron.binary-kitchen.net | Debian 12 | Gitea |
| carbon.binary-kitchen.net | Debian 12 | Jabber |
| nitrogen.binary-kitchen.net | Debian 12 | NextCloud |
| oxygen.binary-kitchen.net | Debian 12 | Shell |
| fluorine.binary-kitchen.net | Debian 12 | Web (div. via Docker) |
| neon.binary-kitchen.net | Debian 12 | Auth. DNS |
| sodium.binary-kitchen.net | Debian 12 | Mattrix |
| magnesium.binary-kitchen.net | Debian 12 | TURN |
| aluminium.binary-kitchen.net | Debian 12 | Web (div. via Docker) |
| krypton.binary-kitchen.net | Debian 12 | PartDB * |
| yttrium.binary-kitchen.net | Debian 12 | Hintervvoidler * |
| zirconium.binary-kitchen.net | Debian 12 | Jitsi |
| molybdenum.binary-kitchen.net | Debian 12 | Telefonzelle * |
| technetium.binary-kitchen.net | Debian 12 | Event CTFd * |
| ruthenium.binary-kitchen.net | Debian 12 | Minecraft * |
| rhodium.binary-kitchen.net | Debian 12 | Event pretix |
| palladium.binary-kitchen.net | Debian 12 | Event pretalx |
| argentum.binary-kitchen.net | Debian 12 | Event Web * |
| cadmium.binary-kitchen.net | Debian 12 | Event NetBox * |
| indium.binary-kitchen.net | Debian 12 | Igel CAM * |
| barium.binary-kitchen.net | Debian 12 | Workadventure |
\*: The main application is not managed by ansible but manually installed

View File

@ -5,6 +5,14 @@ acertmgr_mode: webdir
acme_dnskey_file: /etc/acertmgr/nsupdate.key
acme_dnskey_server: neon.binary-kitchen.net
authentik_domain: auth.binary-kitchen.de
authentik_dbname: authentik
authentik_dbuser: authentik
authentik_dbpass: "{{ vault_authentik_dbpass }}"
authentik_secret: "{{ vault_authentik_secret }}"
bk23b_domain: 23b.binary-kitchen.de
coturn_realm: turn.binary-kitchen.de
coturn_secret: "{{ vault_coturn_secret }}"
@ -14,19 +22,12 @@ dns_axfr_ips:
dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
drone_admin: moepman
drone_domain: drone.binary-kitchen.de
drone_dbname: drone
drone_dbuser: drone
drone_dbpass: "{{ vault_drone_dbpass }}"
drone_uipass: "{{ vault_drone_uipass }}"
drone_secret: "{{ vault_drone_secret }}"
drone_gitea_client: "{{ vault_drone_gitea_client }}"
drone_gitea_secret: "{{ vault_drone_gitea_secret }}"
dss_domain: dss.binary-kitchen.de
dss_secret: "{{ vault_dss_secret }}"
fpm_status_user: admin
fpm_status_pass: "{{ vault_fpm_status_pass }}"
gitea_domain: git.binary-kitchen.de
gitea_dbname: gogs
gitea_dbuser: gogs
@ -35,8 +36,8 @@ gitea_secret: "{{ vault_gitea_secret }}"
gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
hedgedoc_domain: pad.binary-kitchen.de
hedgedoc_dbname: hackmd
hedgedoc_dbuser: hackmd
hedgedoc_dbname: hedgedoc
hedgedoc_dbuser: hedgedoc
hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
@ -44,6 +45,7 @@ icinga_domain: icinga.binary.kitchen
icinga_dbname: icinga
icinga_dbuser: icinga
icinga_dbpass: "{{ vault_icinga_dbpass }}"
icinga_server: nabia.binary.kitchen
icingaweb_dbname: icingaweb
icingaweb_dbuser: icingaweb
icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
@ -66,6 +68,7 @@ mail_domain: binary-kitchen.de
mail_domains:
- ccc-r.de
- ccc-regensburg.de
- eh21.easterhegg.eu
- makerspace-regensburg.de
mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
mail_server: mail.binary-kitchen.de
@ -73,12 +76,18 @@ mailman_domain: lists.binary-kitchen.de
mail_trusted:
- 213.166.246.0/28
- 213.166.246.37/32
- 213.166.246.45/32
- 213.166.246.46/32
- 213.166.246.47/32
- 213.166.246.250/32
- 2a02:958:0:f6::/124
- 2a02:958:0:f6::37/128
- 2a02:958:0:f6::45/128
- 2a02:958:0:f6::46/128
- 2a02:958:0:f6::47/128
mail_aliases:
- "auweg@binary-kitchen.de venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
- "bbb@binary-kitchen.de timo.schindler@binary-kitchen.de"
- "bbb@binary-kitchen.de boehm.johannes@gmail.com"
- "dasfilament@binary-kitchen.de taxx@binary-kitchen.de"
- "epvpn@binary-kitchen.de noby@binary-kitchen.de"
- "google@binary-kitchen.de vorstand@binary-kitchen.de"
@ -91,10 +100,13 @@ mail_aliases:
- "orga@ccc-regensburg.de anti@binary-kitchen.de"
- "paypal@binary-kitchen.de ralf@binary-kitchen.de"
- "post@makerspace-regensburg.de vorstand@binary-kitchen.de"
- "pretalx@binary-kitchen.de moepman@binary-kitchen.de"
- "pretix@binary-kitchen.de moepman@binary-kitchen.de"
- "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de"
- "seife@binary-kitchen.de anke@binary-kitchen.de"
- "siebdruck@binary-kitchen.de anke@binary-kitchen.de"
- "vorstand@binary-kitchen.de anti@binary-kitchen.de,avarrish@binary-kitchen.de,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
- "therapy-jetzt@binary-kitchen.de darthrain@binary-kitchen.de"
- "vorstand@binary-kitchen.de anke@binary-kitchen.de,christoph@schindlbeck.eu,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
- "voucher1@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher2@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher3@binary-kitchen.de exxess@binary-kitchen.de"
@ -107,7 +119,12 @@ mail_aliases:
- "voucher10@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher11@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher12@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher13@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher14@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher15@binary-kitchen.de exxess@binary-kitchen.de"
- "workshops@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
- "tickets@eh21.easterhegg.eu orga@eh21.easterhegg.eu"
- "hackzuck@eh21.easterhegg.eu kekskruemml@binary-kitchen.de"
matrix_domain: matrix.binary-kitchen.de
matrix_dbname: matrix
@ -127,15 +144,20 @@ nextcloud_dbname: owncloud
nextcloud_dbuser: owncloud
nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
omm_domain: omm.binary.kitchen
pretix_domain: pretix.rc3.binary-kitchen.de
pretalx_domain: fahrplan.eh21.easterhegg.eu
pretalx_dbname: pretalx
pretalx_dbuser: pretalx
pretalx_dbpass: "{{ vault_pretalx_dbpass }}"
pretalx_mail: pretalx@binary-kitchen.de
pretix_domain: pretix.events.binary-kitchen.de
pretix_domainx: tickets.eh21.easterhegg.eu
pretix_dbname: pretix
pretix_dbuser: pretix
pretix_dbpass: "{{ vault_pretix_dbpass }}"
pretix_mail: rc3@binary-kitchen.de
pretix_mail: pretix@binary-kitchen.de
prometheus_pve_user: prometheus@pve
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
@ -157,4 +179,24 @@ slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
slapd_root_pass: "{{ vault_slapd_root_pass }}"
slapd_san: ldap.binary.kitchen
sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
sssd_base_user: ou=people,dc=binary-kitchen,dc=de
strichliste_domain: tschunk.binary.kitchen
strichliste_dbname: strichliste
strichliste_dbuser: strichliste
strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
therapy_domain: therapy.jetzt
therapy_secret: "{{ vault_therapy_secret }}"
vaultwarden_domain: vault.binary-kitchen.de
vaultwarden_dbname: vaultwarden
vaultwarden_dbuser: vaultwarden
vaultwarden_dbpass: "{{ vault_vaultwarden_dbpass }}"
vaultwarden_token: "{{ vault_vaultwarden_token }}"
vaultwarden_yubico_secret: "{{ vault_vaultwarden_yubico_secret }}"
workadventure_domain: wa.binary-kitchen.de
zammad_domain: requests.binary-kitchen.de

View File

@ -1,84 +1,110 @@
$ANSIBLE_VAULT;1.1;AES256
35323963326634353430373361636231303663373264616131356530663738306563303332363762
3436613664633530623163353436323035346463623737390a383665663266313338356361626161
39643939393939333361663434353237633861303032323730336661633663373636326432663135
3430313238313836610a343432396536316462313230656236366363343034383732646163626231
30643132316365613664333834356630666336633635373037326162646538333062363237363465
30303632303339616166323932303865313766316436623232633335613263323437633331346133
64633161383236346536616231333634626466373232366265333062306635663631663565666531
30653633643430356164386364386336323162383164663639323430343239333366306161336365
39663663343037396566366363353461656330353636306162626639663137666136306235656165
66613338623232316336323830303830383364396537633161373032323739316131336431313035
63346662366562656638363961613263363134646131623436316463326265646138323238303437
31363734376333343961356137373764656534363437316633656665616430323231383563633766
30653565373563376664303133653665356264363735333939646339653735633765306261633836
31313465323238316263343166646132356333373033616361333532623564336338373838303536
65333962636161633038353135303466353839663833626530616635666337346161623635383963
66636230393331316239616434613265343139636632396630656630623662306464633162366139
35646332623137643130373738336265623930376165343238626233356235613434636564313939
34636266383536383936313263373538666165633163396635313365616339303264663566316234
65353262313062653061326239363266333637316362366539616136373062313764316330663138
64343337356133643163383864343962623237316230343763653838613738393739343131323835
38623063626531613764356265376230336530326364643635383438363463333931333461393563
37343231366165616666376664653633616332346661383935393435653934336562343531323664
38396233306266623361636566663262393336343434383532393336343533653364666264306463
66393234376137643761396635626337656465383066303863383535636363336463343234363361
61626365633639643237336464653666396131343535636431636438343265663138346631316335
63343136656131653039396539323231663730316134306432613034363635343230353361616338
34303931343866343831623333386533313733613663363565313666353139356265333461336237
34643265623739376565663039343638343839633362303035386562333264333438313835393039
39376266643831343561653832353266313461363738663533383935376234636338343734353731
36396634316561336363633339653566323134306430373536613763303763653764336237633465
39313562373062666566663437386538663733643261656361346364393935613638393464663062
31643035356630363630363532353137626431643366383437663437333761613062363663633832
30663331333036653362646164313134316136663839386464353731303065376634313138656337
34306234303233613136353661643436666538623634323137343861346165333730303430386237
39313762313339356430303934343837336230303231613266643231376634333739353366333139
39393436366339616166393530313862303961353131646163306633386637376634363534363461
31363634653638633334346334613061333234633061343732363330363636656333316366383838
39343234616461656432653836623233343965636432616630313037366535366131393033383063
31343038646162616666613264363738366434613939333536656534336339326537366435383263
66376638376133303136346663386561336239643465376336633665656563666133666165323633
30613032343735653231356663333033653436393331653133646162333531613930316635356533
38663830383463663366393034656638643136383261373332383636333331396639346361376334
32333633316433616664643662636634323038306664663538386330356261323461396264323635
66376133666434363932353762663461333861376139323439653431663638343362326166336133
37396532306135386661353665356562363135656338333261386437376431363663383662303339
30343534393965646231303037366435333238343931393036616364643631333163336331396364
39303766363938383831316531303265383236646334616365613732643134366338366438623266
61346132623333343933373666363937376332653766313463333132626466373763346330613433
37383631656662386164633566376235366465663531383134613139656330313561633030643139
31646264316533303638303939656539663936306465656366303761343335383562366238316332
36623265383739376332393565386436653934316438313631626333343234656564623335386133
64363538396631363538653361373138393637326533386239353532316531376166313265303463
66306637383237303236306264373831636636643766383565326230313165356337633662663832
39666464646365313536633539366330333938643431633136643166336566343137653066343735
38653037346332373139356439656436366339323431626331636538346639303034323231663034
36626536343236326439653665323563326431386462666331386163623232333661613437313865
65363237643266393866363761316534666537616633393863366562666539633761613465616436
30346435363431393261336361333564313537353564333136633866643466353261666430376130
66333765306162666361393133636661393766333733363033663739646633303561623662316231
61653332346361363565343466363339323064313537343537396637343730653563653734313337
38316334376136636365373338313362313836613666643034343964353236313433303330366332
66356562643636353465343133323462313465653434383835636535666135363438653833623836
32636638313635326537336633656162346166303262386232613366366639326338316638656230
65613763353031386537333332363736636236623561323036623864313830316661633362613164
64356161376234666535393961376138656632653266306434343335373734663265383537326234
35636131303133666366326434323832633865626538333864653236343135383636373437303864
38663339666262373063643162343037343537383235326633623165396539633161303862623938
32663433396637643765363837316439363863386162316363633136633232643635363166646534
61366665356238653764623237613861323139366638633432343137336438316237333030613431
37323463636162333231303234383831333138306163643630633335383465313737383832646161
33643637373037666562366536383662663737373962373937633839633933323738366236323361
63663330346436343232616364353261613635646339333062643038363634623561623163643932
65306466363464376336353965633535356437333237666161383465393631333963393030316663
62343564383838383938646338383466383533646539336239323064383565333834396535396634
30616131643463663235636334613165343133646562656537396334623234383734396131643930
66373765333538643661386435666166633438383035663563333339663536663137393162343865
39326463316133343331633137363365653366643439613062633665633132633036333337323935
31393665623938316230653936353966396539353730353364346434646434616636663563336666
32623861363864383430356236396366616361326334656639613061636239306663626435636435
36316135633739313364336634376635303131616239666262613230666165636533613935643664
35356538613062646635336332613635643135396665376439323331386163356631383531376230
36386661326362633833333133356366633264353061356665353131323737303339396333613763
386531643264353562356563663961626139
35346137343735356637663033653465666664363730663138663936636632306566313836643132
6633663564393937323035363563326465366364373961310a643132653066323938333863626264
66656663646164633538396132363231373430636134313632333834633435336331396338623933
3832343264356539390a313937393535623838356465313530303836346164313261613537366430
64393533613662376466363462643262643433663839393166613938616462663732346234363436
66663837333861303530373036363536376239633764356461303534626233343861343135353234
61356362353635343737356430666536636339306630613263613933356330366132356661343566
33306437666461656339653131633537643931333164396463623433633263633139366565636362
35306339333631623036386134373839303739373230636164653137393439633530366163613636
65326635396135313530366161373438623365356437353234343537393033356135623862393033
62643033656331373435316665313933653835653663376432366461363261303131623237623663
33363238663963363963326531386137613564633338653466393436663438313231313466323433
32323934343462333264646137366461303333363165303433663130326437353236653336623266
30653930616465313930303961383538376662386331663430613064306366323035663431656461
61623735336162636662616232346637653566306433316237613762623133323236353533623833
61306630376231643266663732343565386465373066643339633136643961656161393738373862
33353162656331363563343234303538383763303736393661333831366436633533656265343930
38616462363238613464386439663830663264646133633631646166346130663464633333333730
33653231303636653638323136663066666465353532383331663163626237656265656463393139
64363465663732343930613931313363336633363335383564626366383537376634363461616163
39393630343531313638363230656634623836396366326530616637363334313961366233306233
35633961303661376663643339613835633563336361646137353466366436373263363138663563
62356365616664353131663764303730643361613038663833373834336132306265376436616464
38383937626439303362636432363936313930313339366565353034313339663536373138376438
34366637363838623064633765653134383230656565373263356164326661326133353634636536
31383961343066306437623031386461643430326134646537613366623131353161353335313664
61633834656438366331653966373131656634303135373630363762313765316364343837663431
32373438616561333634343436366638353439363563656331333263653061613231303733633134
66386563346535646339303039353962363762663164386436626632623465363833323434343066
63626466653162616164323831336165646136613530383063353232333464333234316435386266
62333535373131666434626261333335663762346663313630643136383835376663636136363933
33623237666537613164623362396537396163373437633537376435356638653533613939663734
66626564633435663164616365313339386232386562636461653262363332393536353138393730
33323464376666663236366134366436313237666635356565346235363630363265343535356233
35653163663962316336323931356436366439653835346138623966366436373066303932346637
31393932343136633239663238363337626266623163316165646533333363393038383038316664
34363739613234666466353163643236356238353831636163393763336261353831313136653963
33636265383634393332373031306261363764303730633466616432316433656166393035653737
30643231616334366231333761633461653338653633663564643938616163663532333639353830
64383761306138303736643962386235353366333832616138306237393738396230303633333132
31373362323261303362613336333130626364646561653335373639333262663735376437376433
36386236343233373631303633626363336665656131633862633363326233636636373832353937
39303237393632363337396362323936646333376439373031626330343139373636333062383138
33333137623066303961376137613361313831636631663865343863633735366433643165643035
39373565396561326362376435666539386263666635363664633833336536366466613163323134
39653239653935346262656333306635646535626563323130663838313564383165393961346161
39616439376435613535336434343364343066353863626363613765303862306663373730346539
39363136393463333538323266633235643963363663323265313738633037303862633265353236
64343361316437623732366163326633346462343332333735333936633266623832633939626362
32333035613963666530663335656562393465323063336330383535326565346536393731333165
30373733343136306532636666313338626434313334303933636238643034386438386364663932
35313134633532373466363132623632376666396161333064376538616137656163663633653064
66623633343939306638643132386139303761646364656163326263313066616535623234323361
37396366663734373334386131663161346461383938313263346537353836366264616164636262
64376535373431376465386165613765653732303461356565623965346334376564343439386164
30393664353461623965303265393338353366616164633739383434623834306166376631643330
31303866306561366132333532396135653261613935623537366562313433396436343666386535
37323861343462396163333431663137643232393865643238316338323735366637643666343735
30663334326332616361623662653133383536326635626434383830633434366330313731356531
30366562613532643334613430313737633266343237373765366238313833656463646462613666
32393734356638633966643133383961613332623331633634646439353338303266393366323564
36353032383030623163323065653833656330363466336466656562373034653061346163366238
33346534313633333134356665656462346234393230323132626661666362373566383036653937
66366266333934343263326433326163373730383361653262633966333135316437633835303665
66663430363039633464636531326135616563636131656265356438313633306236653431656664
30343733313638363237343131626538643932373931623136323862646366623362306365616131
37303966343562313730653763633564336435336362656262363735393966633135376236616163
39626637393865643338623863346666333764616430383038303434626164653861346433333764
61386131303764383137616334363866363363313165366339636530393362396135306265303464
63333030306338346633633863306238333334393562373662663562313733643432396462313131
65333661343031656263623230346230353266303261646131303731636466303863323466356232
63383835316161306431663962343966366338323138383632326533646461326232356133356265
39636434376436363439376230633237366536653561616264613665656635636532623330353466
65366132646536316131323038313263333961656430343661303664366266313861343463303364
32303662393433353462346464393931393637316537623061343635353938663765646234323431
38643531653132633763666663623637373431653731383037346262646332393864643431363338
32343963623364613538656338336365343265383262656139643934333037383930376564343636
33623835663035313839656333613833396635646537616464376138663262346564383834643933
30383039633164353730656339616436343330333134323136646664393764343163313536373261
31646164656166376232653034363864623161326564303337636534653762336337346335373238
64373062306165616162666362326531643964656366653037663163363964653462346633666434
35303638623239353934636332373562343962393531346132303032623334333335373734643034
64646361373066316134613635666435306235313632633633643864373261643065303937323639
65383663626338303134613532623763626430623864313930366463663632313130383033633831
66613531623534336461393764623237383231333133336638313637306439633361353039613938
30613562393635646235336330633933336233363735346534633266633730346236353265333464
39613132306232653639326336643662353461356439623233316465316232396366616531396464
63626462383639353434316364363164376639363264646530323038373439643132343264643231
32656465366265383630626332613636336632656136333330643937633630396663626632333930
61623661633666316630616632633832613231386235653434663964316533306233383539343637
38663431666230653736326531353934396562656161616462383466353637363732616636373033
39643438356632306431386235333532326463646161616466646634633163366233363362343563
34393631343733326363363737623638383939353266343262633232336633386233346436393333
31646161613464623137353939613437623835316531343336323833653437363563363462633536
36313230363131373233623731636363313034366665633737346134366666393634386637626563
36376135373330396664616435353539333439306434313933333235646363313262336163386263
65353361363066363234353336623466393331326332316530356636343865663137313737313830
35633563343064333565373463343234393732333735363963333336646561393764316462643466
36653162343239373038336134393532386363333638383831333834373030633138633530353336
63376334666632323130633136613230306135336231666635363036633066323863346138643330
33623462653638656237646634623431313664336636366330626135653730323239323462383262
39326431386235363034386138653665353136356536373838636336626430623164353761636662
32623363663163633433623833633665313662636264656662373061356336383965303731313431
34373332616336303062363564656137383463353836303134363434356265393361346365343630
32613933633139643637363136623863663962356166336134656464613362363130333930356230
63626365353266383137643263636163613932343333363632333936613831616465646437656465
35636534363461336332626134346239656238643561313935363366343462333639633937303664
64323739643562343234333739353334663834626438386432663737653366633466666362643138
64313536306363653562623536646261313639333266643336613932363835356665

View File

@ -5,6 +5,8 @@ dhcpd_primary: 172.23.13.3
dns_primary: 172.23.13.3
doorlock_domain: lock-auweg.binary.kitchen
name_servers:
- 172.23.13.3

View File

@ -3,4 +3,7 @@
radius_hostname: radius3.binary.kitchen
slapd_hostname: ldap3.binary.kitchen
slapd_replica_id: 3
slapd_role: slave
uau_reboot: "false"

View File

@ -0,0 +1,6 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyGAePGA47K+VNFcKdvcQG3xM3ywcnrVtUD7wPrIin1 christoph"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINIhrQu5sf9LYoQ6ll1ShqDMX8xpsV9RUiaSw95JGafH flo@io3"

View File

@ -3,4 +3,5 @@
radius_hostname: radius2.binary.kitchen
slapd_hostname: ldap2.binary.kitchen
slapd_replica_id: 2
slapd_role: slave

View File

@ -13,4 +13,7 @@ ntp_peers:
radius_hostname: radius1.binary.kitchen
slapd_hostname: ldap1.binary.kitchen
slapd_replica_id: 1
slapd_role: slave
uau_reboot: "false"

View File

@ -1,5 +1,5 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB+wC+Lik9TNbRo40+e2BmJzJY8EuwRiJzKKvGCHlMmagOmZVf+zUmjc1uMvrgoA4UPJyKlkW1HqRhKLmsoccD2wg1JLlnjx6KBhiPGjPt833eWv0CyfJVqoHVPUs14BwCRGzuFZPXh8LC1XWiDlo23RC0RgPpk+wcOzf79ZivYSL4UNMcBIMIKmPlRwBLRUUXjYU2jgv1mWvIQVdKRbwmLk7FajREANKiLj+Tk+D4VmkDq6gUqXZHYbyUauwrtpYSv2JM6YQYhWz+eNXIID1NmlopAf66RwFxAaane6qMUMSCQw3HUBL2BjFGgmmdJPvsEfrj+S1CYh61iC1NHmPhP6DDnQO7aiP6dWLnRXLg4qcUaN0XGNZmhScls/jNbN4U+w6gIlR12KyoCJOK4pXiifBiuqmFGucyETex1jdKoaLPeB8Smu4HkFksmRgTZHbiYVvkgI/iW9KjBBzxCc8cwehabUpQ0DVN4chpFiFNHb3SfCh6W/3IKFcu4ou4lbvVowq+v/M7aDhjSqGEBMS/HRMQ8KteNTngFBcpTzMPBz1RQIOqlWUGp8yqu1SwZ/ZG1nMyUehchfkw/n+ML676UYMCZX2m7hqWXVccCnJLzFApv+0Lzqf3TNSbeLS1N/MDdjg+uejtj1889/leIF1/CnaHIs7WJN1qmdeVGw== anti"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

View File

@ -0,0 +1,4 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"

View File

@ -0,0 +1,5 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCNBY95YcFFBeiHM3IDzqKT/X/U09bpAWXwkCWIg6KlZumZg891apx6a0HLDannoBt7YCyYFgl3c1eJ36D08tRcy5c5k/+8Xhq0hq/HWo3EV5sd6Y+8xeTRST6Um8nyxHoSI7xw79yRoteOUDIzPnmDtbLQ2z3vWkA/H1EZQ4IjeQgFhl9vl4EyuAJ47Cdlv1D870BDspgAEoxSbipQEEnPsIctdyySp1R/sNC5tuP6qaoQ6nIDFdgv5rcY8SmgJQ2otlGex18RSBObBjdfyepV71mluqfs6HtVsM9zDvRUwY/FX4wmVc4QPdPLh/2kzEZi0YzefB10tpsuvhaOFI8JqXBDuSFZh3xCzRmKRlmqn50jrvGkYGUWg/GNYNF2rLCltCzg3BJHGaFh9sOtjaKLW+hTJwDtz4LIqNZb6w/2586hzjGCrrZgN24eLEcdp7iTPnkCul+kgOZaa62ytdKjza6/tgKCeUaEwmJTBuKMp/hor/LdLeibYgTtqUoFB7j1Ti2ey7oHly1oiSaKcR/hChgx0sniltRmzJI7KLuUiF+xkpv5Kf4rGl7UjvVxyf3glNh5DL87CfeWkGF3dgsjJdfYIHVJz/Bf6x0aB2TyybF8Exm0R05dhMT6ahZqMqa5d/aUZN+S3MaXw2amHWbMe8VcFpu/AztqrQM8sM+Mw== sprinterfreak"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

View File

@ -2,3 +2,4 @@
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

View File

@ -0,0 +1,11 @@
---
root_keys_host:
- "# Thomas Basler"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
- "# Ralf Ramsauer"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
uau_reboot: "false"

View File

@ -0,0 +1,5 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAkXY3fQFMG7LkTBWtBNY7q7RCwb/R4Z8Y96e3pToddfXbtmtVxMZfd6hC+3kGt3NnPYDFmZf/RXblNBPwL/n8bEjA0bmfU60LMjFT0mG99bLU+5CgDxaSf34jzgtzLbHKqeSYxNpXNebbDZRw+cxuDjxJ+lYbc/hNQTy6hqKXUSQ25LAqplKVYbxlPWPxxKnJCvWj2pCdJGj1EK/Y+saafNOhA7uEPNt8HtWWNMhxNi+P9OkkLpYqRM8V0miR7aAYOY+RllMn+H5DIJg2gk319AHhlBDP7NXd/tmWg+bI7xYPDe9Q6gMrV8OnQmuNjWsLNhp8ktwQxpsv71t6ztXLpceIkV9yfDSeBpZG5QnsMOy/ua91S6hmMg4bIEBsqkPUYEwEIDFaV0TrlKeXMkU+ovthZnw0CWgV5KEWDHtuGu8nBBpks/geclh+0yqeFEaacnlTTNEhvCcp7vOsqDJnZSn1L4O6C+u/A4NJGRH7XQMWrXBdeTVIT9KLsdZJsoPIH8BRaw/qOYPY6wZzHcLvrsayUBBiiLDIN1lE/3OV70dKX7F0Q7hyl8o9EoGdEYnGBonWGC58hroiAE4FTVdWLKtHzHSG2AdTWf53sJzGVEh5swm44KD/Dh52bE4YjUxC0b68Twb3/L1QpH8KZNUVEcRNmiRshefMPSXbPv3bNzc= 20170818Tobias@Teubl.de"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

View File

@ -0,0 +1,3 @@
---
acertmgr_mode: standalone

View File

@ -4,3 +4,4 @@ grafana_domain: zelle.binary-kitchen.de
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

View File

@ -1,3 +1,4 @@
---
uau_reboot: "false"
sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
sshd_password_authentication: "yes"

View File

@ -0,0 +1,4 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

View File

@ -4,8 +4,7 @@ root_keys_host:
- "# Thomas Basler"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
- "# Ralf Ramsauer"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2bKOm2jd2QsPaJPE4V3bHBLjXB3pnpggkdEhf03aFvB08C72vKQcHpIYNhp8DLBr4N5epA0JP1cXdRSdKhQgzYbqL8CQgOJoNwf0OeOhFyXdThu1OqmaRMrRGlB/Q+sqBEXaknHqcXzq+24zkR+ID7sGkq7WaIKPln0qNY5RxWYrPE98ZhU5fZh1Qorcv34UBHYhVP4y8vM43LHcbkLgr0gg9tb2vItF6YvyIxgtz6KCODObzBZfkLLnVhVcb9VWbDh72rIz4OXI1fl+mCCH2l7XlqKP1vhF5LVsUjPcGY3Go0fw2vHIyxWe479OJ/9elFnKRIUY/f1Xz+YikLTmj ralf@YUBIKEY"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

View File

@ -0,0 +1,4 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

View File

@ -2,6 +2,6 @@
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
uau_reboot: "false"

View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkN1eqP1Mv29z0npVznVJ4Cumyf4EoqS44xHKl0ms0e timo@charon"

View File

@ -0,0 +1,4 @@
---
sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
sshd_password_authentication: "yes"

View File

@ -1,4 +1,5 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcoIXTF0RtzM2vDir8axegFpLKNxGJyYNLj2triQm59GIvNRPHG/nBoaDcUwRT5b6Ew91KMw6iT1eI0n9oKbTMHZHvdSLLUmNmZT4z4JQOQm0n415ZW9m1r3R3S8sAxiLQ+5U91xnbHlzfuBKvpI56RLZNbkhAcqw9kS/UasO0UAFpdGL5CBnbJt0KPb4C9cYUM6H4clZFpWVDdK3+6gh+/Jx9QPmpPv0wfWI7z0fvQYUcXDFLjPh8CFK7BOcPZcv4V4bl5Tq1dTURMLaueTD0F5Ygn7cxKaDNvql4EIPDZaRCEz3cIvFB7435emRgZC54YmhWIYC+oJrLTlMCrYKhISLtWg92EcE/aCUNL0V+n1EK5dkds+AY/eDiyP58ArAHNsopXmcHiko3goyZyEK5Y0tJ5sA9L4Q0mgLz/rW1CsZHcpiYU9yKpDRscbf3DDlFMzMYG8O9JufgcyF+GFhxIhXesfjJ4gDNepaYhd/qutwThip027cKtoczLAMR2xbT6bUYr7KKmxvXVlP7Epkfi3N2cj/Wx9gAm1qIs1yjcWCe71k1QMC+dTNTV+T9Ch5d1lji7lGOKDl70rB/WytdISVlEJr8TviBk27oldCuC1WCPGjRxWeGv5uVxE9O7nQh0dxox+HFssa7ENuDR9LEd9O6Zvuf09pzDASB0PjFyw== bedah@binary-kitchen.de"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBMLLlnlzbf5GTes2QrxuOTAR0BWTtbqQS80yPfI0mbh timo@styx"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7oyUa65KoSuv9l8tH/zVgZZ5mg5P45RIhlRZSt/amL x70b1"

View File

@ -0,0 +1,7 @@
---
root_keys_host:
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
uau_reboot: "true"

View File

@ -1,5 +1,6 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDetxImx0c/Fald9Y2wIHNJCi356rfskVUBT/SGH64N1HVZGBZhlWkeKJkCCufm3jLXdjJrlFDFlP0EjbohR6SP3VVf8Z7zAoazCtxWq0dyjPDvOjUrIuBeILbXZu0Q+qmFHPwvp5vR2wWFUwNLl1Te3CNSzQnn2KxOXfeZ56cDogzonlxh5JXDd0JWpINAuLp7uR6IshfmEMKsyCGjqzMUJ9YCztzkI9TJYDc4xitmQTvea44hRhyeIRf2ip8YlHnEIpJ9i712CQ5UEHBZUfy2gZwoLW0yYy9HJucF2A5gzvoUQ1wjA9/irlGiabKq6rOyT4ezBSoZZLEBIa6GU4qKMc1rE4Hnifi0AUnQ+4MqrCCu2QTJGNvyYzNt2XtkjakN3gtlz5xCsYV08PEB4VjAFVIa1yku66UblAW5KqixfE4mU7Z29b8faF5Ld7XO1tlNgiuHih7+JoQiwJ+auULYwRX1C2v6fAEU3PGU73VT3TZJTa5IS+fkTWzn643atxklP6Lmo8hrZIS0NXIr22OP1zYuCZm5/JLDhe0qOCYd8YQU2dNww4OUZ1uMLNOM+0UJvCHbWdjw8amR58yO5W83xp0qLHGUFjDpgvuP4ius4gvwjlhFdSVYRGwr2intLitXvOf3btjBJKUDIN0VM4MFzkvyUyCOgBgEkdCBvI7g4w== philmacfly"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8MB80WTE9ZW/mGRdPWjkpiupvoSGVnmK9wvOqm6xpwDwZkD52RGfiWQW2IbJObCLGJxoigSi4lVvrJD6MWjXAsj5Foq1H3Ok+xJET2zfWMf4s/0uStSS9kaJ/gI6Qd5jMsnz1xATTInWAHIK7u3I4trt81FWkXQdfRSNC0mPh/PYBsXzwgx/m5s3o1nUtcIBXFZUeGNnhSSf1As0Wi0Bsv3GXIIDH4b4cIi7aGHqGuaes2cTUW1r0RspUVI139Gx2O4mgv4JE/n61t/4AzfYGoaszoqPCHQt5LR8Wd/XIaPLwnM1kzo4QVqNgqkY/awryt9IPoAFqJBbIvP0Bt3irGOPrdl7e7KcV55a9gPpCmz+bVaQO2oBmQ34AsZFg9tCP26OmViQu0Lx14vWWYDFkxzCxCDDngo6+f+e5AsyAjO2pHz/ZKv/VE5P3y8CnadHG88cO0qeoI6VH4jjGk5GYYrVD4BHf8StlvAg8unwMlYchuvaKLtQyQXFW40ww4VDdPo6KSv5T5a6SozEzRtN2QKRLyxIz68xVnKYq4TanR2lsm6wecUSriV48qscglokcTKJspWD29DQ62dMt5xFDtM8i9dE8W3SUePB8qPTBK9LUrO8PkGjb0X/RgMZB5bCWBmz4I1G1X+9Y8OLpr4NKGP9UFntYtJ3tpMCHtPgf4Q== philmacfly"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

11
hosts
View File

@ -9,11 +9,14 @@ pizza.binary.kitchen ansible_host=172.23.2.33
pancake.binary.kitchen ansible_host=172.23.2.34
knoedel.binary.kitchen ansible_host=172.23.2.35
bob.binary.kitchen ansible_host=172.23.2.37
lasagne.binary.kitchen ansible_host=172.23.2.38
tschunk.binary.kitchen ansible_host=172.23.2.39
bowle.binary.kitchen ansible_host=172.23.2.62
salat.binary.kitchen ansible_host=172.23.9.61
[auweg]
aeron.binary.kitchen ansible_host=172.23.13.3
weizen.binary.kitchen ansible_host=172.23.12.61
aeron.binary.kitchen ansible_host=172.23.13.3
lock-auweg.binary.kitchen ansible_host=172.23.13.12
[fan_rz]
helium.binary-kitchen.net
lithium.binary-kitchen.net
@ -25,10 +28,16 @@ oxygen.binary-kitchen.net
fluorine.binary-kitchen.net
neon.binary-kitchen.net
sodium.binary-kitchen.net
magnesium.binary-kitchen.net
aluminium.binary-kitchen.net
krypton.binary-kitchen.net
yttrium.binary-kitchen.net
zirconium.binary-kitchen.net
molybdenum.binary-kitchen.net
ruthenium.binary-kitchen.net
rhodium.binary-kitchen.net
palladium.binary-kitchen.net
argentum.binary-kitchen.net
cadmium.binary-kitchen.net
indium.binary-kitchen.net
barium.binary-kitchen.net

View File

@ -3,11 +3,11 @@
- name: Reload systemd
systemd: daemon_reload=yes
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart drone
service: name=drone state=restarted
- name: Restart 23b
service: name=23b state=restarted
- name: Restart nginx
service: name=nginx state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

49
roles/23b/tasks/main.yml Normal file
View File

@ -0,0 +1,49 @@
---
- name: Install packages
apt:
name:
- docker-compose
- name: Create 23b group
group: name=23b
- name: Create 23b user
user:
name: 23b
home: /opt/23b
shell: /bin/bash
group: 23b
groups: docker
# docker-compolse.yml is managed outside ansible
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ bk23b_domain }}.key -out /etc/nginx/ssl/{{ bk23b_domain }}.crt -days 730 -subj "/CN={{ bk23b_domain }}" creates=/etc/nginx/ssl/{{ bk23b_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for 23b
template: src=certs.j2 dest=/etc/acertmgr/{{ bk23b_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/23b
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/23b dest=/etc/nginx/sites-enabled/23b state=link
notify: Restart nginx
- name: Systemd unit for 23b
template: src=23b.service.j2 dest=/etc/systemd/system/23b.service
notify:
- Reload systemd
- Restart 23b
- name: Start the 23b service
service: name=23b state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ bk23b_domain }}"

View File

@ -0,0 +1,28 @@
[Unit]
Description=23b service using docker compose
Requires=docker.service
After=docker.service
Before=nginx.service
[Service]
Type=simple
User=23b
Group=23b
Restart=always
TimeoutStartSec=1200
WorkingDirectory=/opt/23b/23b/23b
# Make sure no old containers are running
ExecStartPre=/usr/bin/docker-compose down -v
# Compose up
ExecStart=/usr/bin/docker-compose up
# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker-compose down -v
[Install]
WantedBy=multi-user.target

View File

@ -1,13 +1,13 @@
---
{{ drone_domain }}:
- path: /etc/nginx/ssl/{{ drone_domain }}.key
{{ bk23b_domain }}:
- path: /etc/nginx/ssl/{{ bk23b_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ drone_domain }}.crt
- path: /etc/nginx/ssl/{{ bk23b_domain }}.crt
user: root
group: root
perm: '400'

View File

@ -0,0 +1,36 @@
server {
listen 80;
listen [::]:80;
server_name {{ bk23b_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ bk23b_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ bk23b_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ bk23b_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ bk23b_domain }}.crt;
# set max upload size
client_max_body_size 8M;
location / {
proxy_pass http://localhost:5000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

View File

@ -0,0 +1,7 @@
---
actrunner_user: act_runner
actrunner_group: act_runner
actrunner_version: 0.2.10
actrunner_url: https://gitea.com/gitea/act_runner/releases/download/v{{ actrunner_version }}/act_runner-{{ actrunner_version }}-linux-amd64

View File

@ -0,0 +1,7 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart act_runner
service: name=act_runner state=restarted

View File

@ -0,0 +1,35 @@
---
- name: Create group
group: name={{ actrunner_group }}
- name: Create user
user: name={{ actrunner_user }} home=/var/lib/act_runner group={{ actrunner_group }} groups=docker
- name: Create directories
file: path={{ item }} state=directory owner={{ actrunner_user }} group={{ actrunner_group }}
with_items:
- /etc/act_runner
- /var/lib/act_runner
- name: Download act_runner binary
get_url: url={{ actrunner_url }} dest=/usr/local/bin/act_runner-{{ actrunner_version }} mode=0755
register: runner_download
- name: Symlink act_runner binary
file: src=/usr/local/bin/act_runner-{{ actrunner_version }} dest=/usr/local/bin/act_runner state=link
when: runner_download.changed
notify: Restart act_runner
- name: Configure act_runner
template: src=config.yaml.j2 dest=/etc/act_runner/config.yaml owner={{ actrunner_user }} group={{ actrunner_group }}
notify: Restart act_runner
- name: Install systemd unit
template: src=act_runner.service.j2 dest=/lib/systemd/system/act_runner.service
notify:
- Reload systemd
- Restart act_runner
- name: Enable act_runner
service: name=act_runner state=started enabled=yes

View File

@ -0,0 +1,16 @@
[Unit]
Description=Gitea Actions runner
Documentation=https://gitea.com/gitea/act_runner
After=docker.service
[Service]
ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
ExecReload=/bin/kill -s HUP $MAINPID
WorkingDirectory=/var/lib/act_runner
TimeoutSec=0
RestartSec=10
Restart=always
User={{ actrunner_user }}
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,86 @@
log:
# The level of logging, can be trace, debug, info, warn, error, fatal
level: warn
runner:
# Where to store the registration result.
file: .runner
# Execute how many tasks concurrently at the same time.
capacity: 4
# Extra environment variables to run jobs.
envs:
# Extra environment variables to run jobs from a file.
# It will be ignored if it's empty or the file doesn't exist.
env_file: .env
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 3h
# Whether skip verifying the TLS certificate of the Gitea instance.
insecure: false
# The timeout for fetching the job from the Gitea instance.
fetch_timeout: 5s
# The interval for fetching the job from the Gitea instance.
fetch_interval: 2s
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
# Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
# If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `deamon`, will use labels in `.runner` file.
labels: [
"ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest",
"ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04",
"ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04",
]
cache:
# Enable cache server to use actions/cache.
enabled: true
# The directory to store the cache data.
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
dir: ""
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
host: ""
# The port of the cache server.
# 0 means to use a random available port.
port: 0
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
external_server: ""
container:
# Specifies the network to which the container will connect.
# Could be host, bridge or the name of a custom network.
# If it's empty, act_runner will create a network automatically.
network: ""
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: false
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options:
# The parent directory of a job's working directory.
# If it's empty, /workspace will be used.
workdir_parent:
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes: []
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: ""
# Pull docker image(s) even if already present
force_pull: false
host:
# The parent directory of a job's working directory.
# If it's empty, $HOME/.cache/act/ will be used.
workdir_parent:

View File

@ -0,0 +1,3 @@
---
authentik_version: 2024.8.3

View File

@ -0,0 +1,13 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart authentik
service: name=authentik state=restarted
- name: Restart nginx
service: name=nginx state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

View File

@ -0,0 +1,51 @@
---
- name: Install packages
apt:
name:
- docker-compose
- name: Create authentik group
group: name=authentik
- name: Create authentik user
user:
name: authentik
home: /opt/authentik
shell: /bin/bash
group: authentik
groups: docker
- name: Configure authentik container
template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml
notify: Restart authentik
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ authentik_domain }}.key -out /etc/nginx/ssl/{{ authentik_domain }}.crt -days 730 -subj "/CN={{ authentik_domain }}" creates=/etc/nginx/ssl/{{ authentik_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for authentik
template: src=certs.j2 dest=/etc/acertmgr/{{ authentik_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/authentik
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/authentik dest=/etc/nginx/sites-enabled/authentik state=link
notify: Restart nginx
- name: Systemd unit for authentik
template: src=authentik.service.j2 dest=/etc/systemd/system/authentik.service
notify:
- Reload systemd
- Restart authentik
- name: Start the authentik service
service: name=authentik state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ authentik_domain }}"

View File

@ -0,0 +1,28 @@
[Unit]
Description=authentik service using docker compose
Requires=docker.service
After=docker.service
Before=nginx.service
[Service]
Type=simple
User=authentik
Group=authentik
Restart=always
TimeoutStartSec=1200
WorkingDirectory=/opt/authentik
# Make sure no old containers are running
ExecStartPre=/usr/bin/docker-compose down -v
# Compose up
ExecStart=/usr/bin/docker-compose up
# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker-compose down -v
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,15 @@
---
{{ authentik_domain }}:
- path: /etc/nginx/ssl/{{ authentik_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ authentik_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'

View File

@ -0,0 +1,75 @@
---
version: "3.4"
services:
postgresql:
image: docker.io/library/postgres:16-alpine
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- ./database:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: {{ authentik_dbpass }}
POSTGRES_USER: {{ authentik_dbuser }}
POSTGRES_DB: {{ authentik_dbname }}
redis:
image: docker.io/library/redis:alpine
command: --save 60 1 --loglevel warning
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
- ./redis:/data
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:{{ authentik_version }}
restart: unless-stopped
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
volumes:
- ./media:/media
- ./custom-templates:/templates
ports:
- "127.0.0.1:9000:9000"
depends_on:
- postgresql
- redis
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:{{ authentik_version }}
restart: unless-stopped
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
# `user: root` and the docker socket volume are optional.
# See more for the docker socket integration here:
# https://goauthentik.io/docs/outposts/integrations/docker
# Removing `user: root` also prevents the worker from fixing the permissions
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
# (1000:1000 by default)
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./media:/media
- ./certs:/certs
- ./custom-templates:/templates
depends_on:
- postgresql
- redis

View File

@ -0,0 +1,41 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
server_name {{ authentik_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ authentik_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ authentik_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ authentik_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ authentik_domain }}.crt;
location / {
proxy_pass http://localhost:9000;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}

View File

@ -1,4 +1,4 @@
---
dss_uwsgi_port: 5001
dss_version: 0.8.4
dss_version: 0.8.5

View File

@ -44,3 +44,8 @@
- name: Enable vhosts
file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
notify: Restart nginx
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ dss_domain }}"

View File

@ -1,12 +1,14 @@
DEBUG = True
REMEMBER_COOKIE_SECURE = True
SECRET_KEY = "{{ dss_secret }}"
SESSION_COOKIE_SECURE = True
SESSION_TIMEOUT = 3600
LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
LDAP_URI = "{{ ldap_uri }}"
LDAP_BASE = "{{ ldap_base }}"
ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=marove,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=anke,ou=people,dc=binary-kitchen,dc=de", "cn=toffy,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
@ -28,7 +30,7 @@ USER_ATTRS = {
'userPassword' : '{pass}'
}
GROUP_DN = 'cn=members,ou=groups,dc=binary-kitchen,dc=de'
GROUP_FILTER = "(objectClass=posixGroup)"
REDIS_HOST = "127.0.0.1"
REDIS_PASSWD = None

View File

@ -6,3 +6,6 @@ logrotate_excludes:
- "/etc/logrotate.d/dbconfig-common"
- "/etc/logrotate.d/btmp"
- "/etc/logrotate.d/wtmp"
sshd_password_authentication: "no"
sshd_permit_root_login: "prohibit-password"

File diff suppressed because it is too large Load Diff

View File

@ -6,6 +6,9 @@
- name: Restart journald
service: name=systemd-journald state=restarted
- name: Restart sshd
service: name=sshd state=restarted
- name: update-grub
command: update-grub

View File

@ -5,6 +5,7 @@
name:
- apt-transport-https
- dnsutils
- fdisk
- gnupg2
- htop
- less
@ -15,6 +16,7 @@
- rsync
- sudo
- vim-nox
- wget
- zsh
- name: Install software on KVM VMs
@ -101,3 +103,12 @@
regexp: "rotate [0-9]+"
replace: "rotate 7"
loop: "{{ logrotateconfigpaths }}"
- name: Configure sshd
template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: '0644'
notify: Restart sshd

View File

@ -1,6 +1,9 @@
# Welcome to the chrony configuration file. See chrony.conf(5) for more
# information about usable directives.
# Include configuration files found in /etc/chrony/conf.d.
confdir /etc/chrony/conf.d
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
@ -23,6 +26,9 @@ keyfile /etc/chrony/chrony.keys
# information.
driftfile /var/lib/chrony/chrony.drift
# Save NTS keys and cookies.
ntsdumpdir /var/lib/chrony
# Uncomment the following line to turn logging on.
#log tracking measurements statistics
@ -33,7 +39,7 @@ logdir /var/log/chrony
maxupdateskew 100.0
# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it cant be used along with the 'rtcfile' directive.
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
rtcsync
# Step the system clock instead of slewing it if the adjustment is larger than

View File

@ -0,0 +1,131 @@
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin {{ sshd_permit_root_login }}
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
{% if sshd_authkeys_command is defined and sshd_authkeys_command %}
AuthorizedKeysCommand {{ sshd_authkeys_command }}
{% if sshd_authkeys_user is defined and sshd_authkeys_user %}
AuthorizedKeysCommandUser {{ sshd_authkeys_user }}
{% else %}
AuthorizedKeysCommandUser nobody
{% endif %}
{% else %}
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
{% endif %}
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication {{ sshd_password_authentication }}
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

View File

@ -1,4 +1,10 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart coturn
service: name=coturn state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

View File

@ -0,0 +1,4 @@
---
dependencies:
- { role: acertmgr }

View File

@ -3,6 +3,28 @@
- name: Install coturn
apt: name=coturn
- name: Create coturn service override directory
file: path=/etc/systemd/system/coturn.service.d state=directory
- name: Configure coturn service override
template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
notify:
- Reload systemd
- Restart coturn
- name: Create gitea directories
file: path={{ item }} state=directory owner=turnserver
with_items:
- /etc/turnserver
- /etc/turnserver/certs
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
notify: Run acertmgr
- name: Configure coturn
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:

View File

@ -0,0 +1,15 @@
---
{{ coturn_realm }}:
- path: /etc/turnserver/certs/{{ coturn_realm }}.key
user: turnserver
group: turnserver
perm: '400'
format: key
action: '/usr/sbin/service coturn restart'
- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
user: turnserver
group: turnserver
perm: '400'
format: crt,ca
action: '/usr/sbin/service coturn restart'

View File

@ -0,0 +1,2 @@
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE

View File

@ -15,7 +15,7 @@
# Note: actually, TLS & DTLS sessions can connect to the
# "plain" TCP & UDP port(s), too - if allowed by configuration.
#
#listening-port=3478
listening-port=443
# TURN listener port for TLS (Default: 5349).
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
@ -27,7 +27,7 @@
# TLS version 1.0, 1.1 and 1.2.
# For secure UDP connections, Coturn supports DTLS version 1.
#
#tls-listening-port=5349
tls-listening-port=443
# Alternative listening port for UDP and TCP listeners;
# default (or zero) value means "listening port plus one".
@ -125,7 +125,10 @@
#
# By default, this value is empty, and no address mapping is used.
#
#external-ip=60.70.80.91
external-ip={{ ansible_default_ipv4.address }}
{% if ansible_default_ipv6.address is defined %}
external-ip={{ ansible_default_ipv6.address }}
{% endif %}
#
#OR:
#
@ -399,17 +402,17 @@ realm={{ coturn_realm }}
# Uncomment if no TCP client listener is desired.
# By default TCP client listener is always started.
#
no-tcp
#no-tcp
# Uncomment if no TLS client listener is desired.
# By default TLS client listener is always started.
#
no-tls
#no-tls
# Uncomment if no DTLS client listener is desired.
# By default DTLS client listener is always started.
#
no-dtls
#no-dtls
# Uncomment if no UDP relay endpoints are allowed.
# By default UDP relay endpoints are enabled (like in RFC 5766).
@ -746,6 +749,6 @@ mobility
# Do not allow an TLS/DTLS version of protocol
#
no-tlsv1
no-tlsv1_1
no-tlsv1_2
#no-tlsv1
#no-tlsv1_1
#no-tlsv1_2

View File

@ -1,4 +0,0 @@
---
- name: Restart isc-dhcp-server
service: name=isc-dhcp-server state=restarted

View File

@ -1,14 +0,0 @@
---
- name: Install dhcp server
apt: name=isc-dhcp-server
- name: Configure dhcp server
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:
- default/isc-dhcp-server
- dhcp/dhcpd.conf
notify: Restart isc-dhcp-server
- name: Start the dhcp server
service: name=isc-dhcp-server state=started enabled=yes

View File

@ -1,21 +0,0 @@
#
# This is a POSIX shell fragment
#
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="{{ ansible_default_ipv4['interface'] }}"
INTERFACESv6=""
INTERFACES="{{ ansible_default_ipv4['interface'] }}"

View File

@ -1,320 +0,0 @@
# dhcpd.conf
# option definitions common to all supported networks...
option domain-name "binary.kitchen";
option domain-name-servers {{ name_servers | join(', ') }};
option domain-search "binary.kitchen";
option ntp-servers 172.23.1.60, 172.23.2.3;
# options related to Mitel SIP-DECT
option space sipdect;
option local-encapsulation code 43 = encapsulate sipdect;
option sipdect.ommip1 code 10 = ip-address;
option sipdect.ommip2 code 19 = ip-address;
option sipdect.syslogip code 14 = ip-address;
option sipdect.syslogport code 15 = integer 16;
option magic_str code 224 = text;
default-lease-time 7200;
max-lease-time 28800;
# Use this to enble / disable dynamic dns updates globally.
ddns-update-style interim;
ddns-updates on;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
{% if dhcpd_failover == true %}
# Failover
failover peer "failover-partner" {
{% if ansible_default_ipv4.address == dhcpd_primary %}
primary;
address {{ dhcpd_primary }};
peer address {{ dhcpd_secondary }};
{% elif ansible_default_ipv4.address == dhcpd_secondary %}
secondary;
address {{ dhcpd_secondary }};
peer address {{ dhcpd_primary }};
{% endif %}
port 520;
peer port 520;
max-response-delay 60;
max-unacked-updates 10;
{% if ansible_default_ipv4.address == dhcpd_primary %}
mclt 600;
split 255;
{% endif %}
load balance max seconds 3;
}
{% endif %}
# Binary Kitchen subnets
# Management
subnet 172.23.1.0 netmask 255.255.255.0 {
option routers 172.23.1.1;
}
# Services
subnet 172.23.2.0 netmask 255.255.255.0 {
allow bootp;
option routers 172.23.2.1;
}
# Users
subnet 172.23.3.0 netmask 255.255.255.0 {
option routers 172.23.3.1;
ddns-domainname "users.binary.kitchen";
option domain-search "binary.kitchen", "users.binary.kitchen";
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.3.10 172.23.3.230;
}
}
# MQTT
subnet 172.23.4.0 netmask 255.255.255.0 {
option routers 172.23.4.1;
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.4.10 172.23.4.240;
}
}
# Management Auweg
subnet 172.23.12.0 netmask 255.255.255.0 {
option routers 172.23.12.1;
}
# Services Auweg
subnet 172.23.13.0 netmask 255.255.255.0 {
allow bootp;
option routers 172.23.13.1;
}
# Users Auweg
subnet 172.23.14.0 netmask 255.255.255.0 {
option routers 172.23.14.1;
ddns-domainname "users.binary.kitchen";
option domain-search "binary.kitchen", "users.binary.kitchen";
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.14.10 172.23.14.230;
}
}
# MQTT Auweg
subnet 172.23.15.0 netmask 255.255.255.0 {
option routers 172.23.4.1;
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.15.10 172.23.15.240;
}
}
# DDNS zones
zone users.binary.kitchen {
primary {{ dns_primary }};
}
# Fixed IPs
host ap01 {
hardware ethernet 44:48:c1:ce:a9:00;
fixed-address ap01.binary.kitchen;
}
host ap04 {
hardware ethernet 44:48:c1:ce:90:06;
fixed-address ap04.binary.kitchen;
}
host ap05 {
hardware ethernet bc:9f:e4:c3:6f:aa;
fixed-address ap05.binary.kitchen;
}
host ap06 {
hardware ethernet 94:b4:0f:c0:1d:a0;
fixed-address ap06.binary.kitchen;
}
host ap11 {
hardware ethernet 18:64:72:c6:c2:0c;
fixed-address ap11.binary.kitchen;
}
host ap12 {
hardware ethernet 18:64:72:c6:c4:98;
fixed-address ap12.binary.kitchen;
}
host bowle {
hardware ethernet ac:1f:6b:25:16:b6;
fixed-address bowle.binary.kitchen;
}
host cannelloni {
hardware ethernet b8:27:eb:18:5c:11;
fixed-address cannelloni.binary.kitchen;
}
host fusilli {
hardware ethernet b8:27:eb:1d:b9:bf;
fixed-address fusilli.binary.kitchen;
}
host habdisplay1 {
hardware ethernet b8:27:eb:b6:62:be;
fixed-address habdisplay1.mqtt.binary.kitchen;
}
host habdisplay2 {
hardware ethernet b8:27:eb:df:0b:7b;
fixed-address habdisplay2.mqtt.binary.kitchen;
}
host klopi {
hardware ethernet 74:da:38:6e:e6:9d;
fixed-address klopi.binary.kitchen;
}
host lock {
hardware ethernet b8:27:eb:d8:b9:ad;
fixed-address lock.binary.kitchen;
}
host maccaroni {
hardware ethernet b8:27:eb:f5:9e:a1;
fixed-address maccaroni.binary.kitchen;
}
host matrix {
hardware ethernet b8:27:eb:ed:22:58;
fixed-address matrix.binary.kitchen;
}
host mirror {
hardware ethernet 74:da:38:7d:ed:84;
fixed-address mirror.binary.kitchen;
}
host mpcnc {
hardware ethernet b8:27:eb:0f:d3:8b;
fixed-address mpcnc.binary.kitchen;
}
host noodlehub {
hardware ethernet b8:27:eb:56:2b:7c;
fixed-address noodlehub.binary.kitchen;
}
host openhabgw1 {
hardware ethernet dc:a6:32:bf:e2:3e;
fixed-address openhabgw1.mqtt.binary.kitchen;
}
host pizza {
hardware ethernet 52:54:00:17:02:21;
fixed-address pizza.binary.kitchen;
}
host spaghetti {
hardware ethernet b8:27:eb:eb:e5:88;
fixed-address spaghetti.binary.kitchen;
}
host schweinshaxn {
hardware ethernet 52:54:00:17:02:24;
fixed-address schweinshaxn.binary.kitchen;
}
host strammermax {
hardware ethernet 08:00:37:B8:55:44;
fixed-address strammermax.binary.kitchen;
}
host obatzda {
hardware ethernet ec:9a:74:35:35:cf;
fixed-address obatzda.binary.kitchen;
}
# VoIP Phones
host voip01 {
hardware ethernet 00:1D:45:B6:99:2F;
option tftp-server-name "172.23.2.36";
}
host voip02 {
hardware ethernet 00:1D:A2:66:B8:3E;
option tftp-server-name "172.23.2.36";
}
host voip03 {
hardware ethernet 00:1E:BE:90:FB:DB;
option tftp-server-name "172.23.2.36";
}
host voip04 {
hardware ethernet 00:1E:BE:90:FF:06;
option tftp-server-name "172.23.2.36";
}
# Mitel SIP-DECT
host rfp01 {
hardware ethernet 00:30:42:1B:73:5A;
fixed-address 172.23.1.111;
option host-name "rfp01";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
host rfp02 {
hardware ethernet 00:30:42:21:D4:D5;
fixed-address 172.23.1.112;
option host-name "rfp02";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
host rfp11 {
hardware ethernet 00:30:42:1B:8B:9B;
fixed-address 172.23.12.111;
option host-name "rfp11";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
# OMAPI
omapi-port 7911;
omapi-key omapi_key;
key omapi_key {
algorithm hmac-md5;
secret {{ dhcp_omapi_key }};
}

View File

@ -1,5 +1,4 @@
local-address=0.0.0.0
local-ipv6=::
local-address=0.0.0.0, ::
launch=gsqlite3
gsqlite3-dnssec
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3

View File

@ -1,7 +1,7 @@
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2021120101; serial
2024100600; serial
1d; refresh
2h; retry
4w; expire
@ -11,9 +11,9 @@ $TTL 1h ; default time-to-live
IN NS ns2.binary.kitchen.
; Loopback
1.0 IN PTR core.binary.kitchen.
2.0 IN PTR erx-bk.binary.kitchen.
2.0 IN PTR rt-w13b.binary.kitchen.
3.0 IN PTR erx-rz.binary.kitchen.
4.0 IN PTR erx-auweg.binary.kitchen.
4.0 IN PTR rt-auweg.binary.kitchen.
; Management
1.1 IN PTR v2301.core.binary.kitchen.
11.1 IN PTR ups1.binary.kitchen.
@ -50,6 +50,8 @@ $TTL 1h ; default time-to-live
35.2 IN PTR knoedel.binary.kitchen.
36.2 IN PTR schweinshaxn.binary.kitchen.
37.2 IN PTR bob.binary.kitchen.
38.2 IN PTR lasagne.binary.kitchen.
39.2 IN PTR tschunk.binary.kitchen.
62.2 IN PTR bowle.binary.kitchen.
91.2 IN PTR strammermax.binary.kitchen.
92.2 IN PTR obatzda.binary.kitchen.
@ -67,6 +69,7 @@ $GENERATE 10-230 $.3 IN PTR dhcp-${0,3,d}-03.binary.kitchen.
; MQTT
1.4 IN PTR v2304.core.binary.kitchen.
6.4 IN PTR pizza.mqtt.binary.kitchen.
7.4 IN PTR lasagne.mqtt.binary.kitchen.
$GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
241.4 IN PTR habdisplay1.mqtt.binary.kitchen.
242.4 IN PTR habdisplay2.mqtt.binary.kitchen.
@ -84,21 +87,26 @@ $GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
1.10 IN PTR wg0.erx-rz.binary.kitchen.
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
; Management Auweg
1.12 IN PTR v2312.rt-auweg.binary.kitchen.
31.12 IN PTR sw-auweg.binary.kitchen.
41.12 IN PTR ap11.binary.kitchen.
42.12 IN PTR ap12.binary.kitchen.
61.12 IN PTR weizen.binary.kitchen.
111.12 IN PTR rfp11.binary.kitchen.
; Services Auweg
1.13 IN PTR v2313.rt-auweg.binary.kitchen.
3.13 IN PTR aeron.binary.kitchen.
12.13 IN PTR lock-auweg.binary.kitchen.
; Clients Auweg
1.14 IN PTR v2314.rt-auweg.binary.kitchen.
$GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen.
; MQTT
1.15 IN PTR v2315.rt-auweg.binary.kitchen.
$GENERATE 10-240 $.15 IN PTR dhcp-${0,3,d}-15.binary.kitchen.
; Point-to-Point
1.96 IN PTR v400.erx-bk.binary.kitchen.
1.96 IN PTR v400.rt-w13b.binary.kitchen.
2.96 IN PTR v400.core.binary.kitchen.
1.97 IN PTR wg1.erx-rz.binary.kitchen.
2.97 IN PTR wg1.erx-bk.binary.kitchen.
2.97 IN PTR wg1.rt-w13b.binary.kitchen.
5.97 IN PTR wg2.erx-rz.binary.kitchen.
6.97 IN PTR wg2.erx-auweg.binary.kitchen.
6.97 IN PTR wg2.rt-auweg.binary.kitchen.

View File

@ -1,7 +1,7 @@
$ORIGIN binary.kitchen ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2021120101; serial
2024100600; serial
1d; refresh
2h; retry
4w; expire
@ -30,14 +30,13 @@ netbox IN A 172.23.2.7
ns1 IN A 172.23.2.3
ns2 IN A 172.23.2.4
omm IN A 172.23.2.35
racktables IN A 172.23.2.6
radius IN A 172.23.2.3
radius IN A 172.23.2.4
; Loopback
core IN A 172.23.0.1
erx-bk IN A 172.23.0.2
rt-w13b IN A 172.23.0.2
erx-rz IN A 172.23.0.3
erx-auweg IN A 172.23.0.4
rt-auweg IN A 172.23.0.4
; Management
v2301.core IN A 172.23.1.1
ups1 IN A 172.23.1.11
@ -74,6 +73,8 @@ pancake IN A 172.23.2.34
knoedel IN A 172.23.2.35
schweinshaxn IN A 172.23.2.36
bob IN A 172.23.2.37
lasagne IN A 172.23.2.38
tschunk IN A 172.23.2.39
bowle IN A 172.23.2.62
strammermax IN A 172.23.2.91
obatzda IN A 172.23.2.92
@ -91,6 +92,7 @@ noodlehub IN A 172.23.3.251
; MQTT
v2304.core IN A 172.23.4.1
pizza.mqtt IN A 172.23.4.6
lasagne.mqtt IN A 172.23.4.7
$GENERATE 10-240 dhcp-${0,3,d}-04 IN A 172.23.4.$
habdisplay1.mqtt IN A 172.23.4.241
habdisplay2.mqtt IN A 172.23.4.242
@ -105,24 +107,29 @@ salat IN A 172.23.9.61
salat-bmc IN A 172.23.9.81
; Services RZ
; Management Auweg
v2312.rt-auweg IN A 172.23.12.1
sw-auweg IN A 172.23.12.31
ap11 IN A 172.23.12.41
ap12 IN A 172.23.12.42
weizen IN A 172.23.12.61
rfp11 IN A 172.23.12.111
; Services Auweg
v2313.rt-auweg IN A 172.23.13.1
aeron IN A 172.23.13.3
lock-auweg IN A 172.23.13.12
; Clients Auweg
v2314.rt-auweg IN A 172.23.14.1
$GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$
; MQTT Auweg
v2315.rt-auweg IN A 172.23.15.1
$GENERATE 10-240 dhcp-${0,3,d}-15 IN A 172.23.15.$
; VPN RZ (ER-X)
wg0.erx-rz IN A 172.23.10.1
$GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$
; Point-to-Point
v400.erx-bk IN A 172.23.96.1
v400.rt-w13b IN A 172.23.96.1
v400.core IN A 172.23.96.2
wg1.erx-rz IN A 172.23.97.1
wg1.erx-bk IN A 172.23.97.2
wg1.rt-w13b IN A 172.23.97.2
wg2.erx-rz IN A 172.23.97.5
wg2.erx-auweg IN A 172.23.97.6
wg2.rt-auweg IN A 172.23.97.6

View File

@ -10,11 +10,11 @@ newServer({address='127.0.0.1:5353', pool='resolve'})
{% if dns_secondary is defined %}
-- allow AXFR/IXFR only from slaves
addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
{% endif %}
-- allow NOTIFY only from master
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
-- use auth servers for own zones
addAction('binary.kitchen', PoolAction('authdns'))

View File

@ -26,12 +26,6 @@ launch=bind,gsqlite3
# local-address=0.0.0.0
local-address=127.0.0.1
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=::
local-ipv6=
#################################
# local-port The port on which we listen
#

View File

@ -11,9 +11,9 @@
config-dir=/etc/powerdns
#################################
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
# dnssec DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate
#
# dnssec=process-no-validate
# dnssec=process
dnssec=off
#################################

View File

@ -1,17 +1,10 @@
---
- name: Enable docker apt-key
apt_key: url='https://download.docker.com/linux/debian/gpg'
- name: Enable docker repository
apt_repository:
repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
filename: docker
- name: Install docker
apt:
name:
- docker-ce
- docker-ce-cli
- containerd.io
- docker.io
- python3-docker
- name: Enable docker
service: name=docker state=started enabled=yes

View File

@ -0,0 +1,7 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart nginx
service: name=nginx state=restarted

View File

@ -0,0 +1,5 @@
---
dependencies:
- { role: acertmgr }
- { role: nginx, nginx_ssl: True }

View File

@ -0,0 +1,20 @@
---
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ doorlock_domain }}.key -out /etc/nginx/ssl/{{ doorlock_domain }}.crt
-days 730 -subj "/CN={{ doorlock_domain }}"
creates: /etc/nginx/ssl/{{ doorlock_domain }}.crt
notify: Restart nginx
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ doorlock_domain }}"
- name: Configure certificate manager for doorlock
template: src=certs.j2 dest=/etc/acertmgr/{{ doorlock_domain }}.conf
notify: Run acertmgr

View File

@ -0,0 +1,18 @@
---
{{ doorlock_domain }}:
- mode: dns.nsupdate
nsupdate_server: {{ acme_dnskey_server }}
nsupdate_keyfile: {{ acme_dnskey_file }}
- path: /etc/nginx/ssl/{{ doorlock_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ doorlock_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'

View File

@ -1,14 +0,0 @@
[Unit]
Description=drone.io server
After=network-online.target
[Service]
Type=simple
User=drone
EnvironmentFile=/etc/default/drone
ExecStart=/opt/drone/bin/drone-server
Restart=always
RestartSec=5s
[Install]
WantedBy=multi-user.target

View File

@ -1,52 +0,0 @@
---
- name: Create user
user: name=drone
# TODO install drone to /opt/drone/bin
# currently it is manually compiled
- name: Configure drone
template: src=drone.j2 dest=/etc/default/drone
notify: Restart drone
- name: Install PostgreSQL
apt:
name:
- postgresql
- python3-psycopg2
- name: Configure PostgreSQL database
postgresql_db: name={{ drone_dbname }}
become: true
become_user: postgres
- name: Configure PostgreSQL user
postgresql_user: db={{ drone_dbname }} name={{ drone_dbuser }} password={{ drone_dbpass }} priv=ALL state=present
become: true
become_user: postgres
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ drone_domain }}.key -out /etc/nginx/ssl/{{ drone_domain }}.crt -days 730 -subj "/CN={{ drone_domain }}" creates=/etc/nginx/ssl/{{ drone_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for drone
template: src=certs.j2 dest=/etc/acertmgr/{{ drone_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/drone
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/drone dest=/etc/nginx/sites-enabled/drone state=link
notify: Restart nginx
- name: Install systemd unit
copy: src=drone.service dest=/lib/systemd/system/drone.service
notify:
- Reload systemd
- Restart drone
- name: Enable drone
service: name=drone enabled=yes

View File

@ -1,10 +0,0 @@
DRONE_AGENTS_ENABLED=true
DRONE_DATABASE_DATASOURCE=postgres://{{ drone_dbuser }}:{{ drone_dbpass }}@127.0.0.1:5432/{{ drone_dbname }}
DRONE_DATABASE_DRIVER=postgres
DRONE_GITEA_SERVER=https://{{ gitea_domain }}
DRONE_GITEA_CLIENT_ID={{ drone_gitea_client }}
DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_secret }}
DRONE_RPC_SECRET={{ drone_secret }}
DRONE_SERVER_HOST={{ drone_domain }}
DRONE_SERVER_PROTO=https
DRONE_USER_CREATE=username:{{ drone_admin }},admin:true

View File

@ -1,31 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name {{ drone_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ drone_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ drone_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ drone_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ drone_domain }}.crt;
location / {
client_max_body_size 128M;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:8080;
}
}

View File

@ -1,21 +0,0 @@
---
- name: Run runner container
docker_container:
name: runner
image: drone/drone-runner-docker:1
env:
DRONE_RPC_PROTO: "https"
DRONE_RPC_HOST: "{{ drone_domain }}"
DRONE_RPC_SECRET: "{{ drone_secret }}"
DRONE_RUNNER_CAPACITY: "2"
DRONE_RUNNER_NAME: "{{ ansible_fqdn }}"
DRONE_UI_USERNAME: "admin"
DRONE_UI_PASSWORD: "{{ drone_uipass }}"
ports:
- "3000:3000"
pull: yes
restart_policy: unless-stopped
state: started
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"

View File

@ -0,0 +1,15 @@
---
eh21.easterhegg.eu engel.eh21.easterhegg.eu:
- path: /etc/nginx/ssl/eh21.easterhegg.eu.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/eh21.easterhegg.eu.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'

View File

@ -0,0 +1,68 @@
server {
listen 80;
listen [::]:80;
server_name eh21.easterhegg.eu;
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://eh21.easterhegg.eu$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name eh21.easterhegg.eu;
ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
root /var/www/eh21;
}
server {
listen 80;
listen [::]:80;
server_name engel.eh21.easterhegg.eu;
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://engel.eh21.easterhegg.eu$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name engel.eh21.easterhegg.eu;
ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
root /var/www/engel/public;
index index.php;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}

View File

@ -0,0 +1,7 @@
---
- name: Restart nginx
service: name=nginx state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

View File

@ -0,0 +1,5 @@
---
dependencies:
- { role: acertmgr }
- { role: nginx, nginx_ssl: True }

View File

@ -0,0 +1,31 @@
---
- name: Install dependencies
apt:
name:
- php-fpm
- name: Create vhost directory
file: path=/var/www/eh21 state=directory owner=www-data group=www-data
- name: Create vhost directory
file: path=/var/www/engel state=directory owner=www-data group=www-data
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/eh21.easterhegg.eu.key -out /etc/nginx/ssl/eh21.easterhegg.eu.crt -days 730 -subj "/CN=eh21.easterhegg.eu" creates=/etc/nginx/ssl/eh21.easterhegg.eu.crt
notify: Restart nginx
- name: Configure certificate manager
copy: src=certs dest=/etc/acertmgr/eh21.easterhegg.eu.conf
notify: Run acertmgr
- name: Configure vhosts
copy: src=vhost dest=/etc/nginx/sites-available/www
notify: Restart nginx
- name: Enable vhosts
file: src=/etc/nginx/sites-available/www dest=/etc/nginx/sites-enabled/www state=link
notify: Restart nginx
- name: Start php8.2-fpm
service: name=php8.2-fpm state=started enabled=yes

View File

@ -42,7 +42,7 @@
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
min protocol = NT1
#### Debugging/Accounting ####
@ -213,7 +213,7 @@
;[printers]
; comment = All Printers
; browseable = no
; path = /var/spool/samba
; path = /var/tmp
; printable = yes
; guest ok = no
; read only = yes
@ -240,5 +240,5 @@
browseable = yes
read only = no
guest ok = yes
create mask = 0600
directory mask = 0700
create mask = 0660
directory mask = 0770

View File

@ -3,6 +3,5 @@
gitea_user: gogs
gitea_group: gogs
gitea_checksum: sha256:8dfab91bde02a27fba0248ba1d0175b2e4ff57ba3ef7a9da3e68cbb11d15178a
gitea_version: 1.15.10
gitea_version: 1.22.2
gitea_url: https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64

View File

@ -6,19 +6,24 @@
- name: Create user
user: name={{ gitea_user }} home=/home/{{ gitea_user }} group={{ gitea_group }}
- name: Create gitea directories
file: path={{ item }} state=directory owner={{ gitea_user }}
- name: Create directories
file: path={{ item }} state=directory owner={{ gitea_user }} group={{ gitea_group }}
with_items:
- /opt/gitea
- /opt/gitea/custom
- /opt/gitea/custom/conf
- name: Download gitea binary
get_url: url={{ gitea_url }} dest=/opt/gitea/gitea checksum={{ gitea_checksum }} mode=0755
get_url: url={{ gitea_url }} dest=/opt/gitea/gitea-{{ gitea_version }} mode=0755
register: gitea_download
- name: Symlink gitea binary
file: src=/opt/gitea/gitea-{{ gitea_version }} dest=/opt/gitea/gitea state=link
when: gitea_download.changed
notify: Restart gitea
- name: Configure gitea
template: src=app.ini.j2 dest=/opt/gitea/custom/conf/app.ini force=no owner={{ gitea_user }}
template: src=app.ini.j2 dest=/opt/gitea/custom/conf/app.ini force=no owner={{ gitea_user }} group={{ gitea_group }}
- name: Install systemd unit
template: src=gitea.service.j2 dest=/lib/systemd/system/gitea.service
@ -50,6 +55,9 @@
template: src=certs.j2 dest=/etc/acertmgr/{{ gitea_domain }}.conf
notify: Run acertmgr
- name: Configure robots.txt for gitea
template: src=robots.txt.j2 dest=/opt/gitea/custom/robots.txt owner={{ gitea_user }}
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/gitea
notify: Restart nginx
@ -59,4 +67,9 @@
notify: Restart nginx
- name: Enable gitea
service: name=gitea enabled=yes
service: name=gitea state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ gitea_domain }}"

View File

@ -43,3 +43,10 @@ LEVEL = warn
[oauth2]
JWT_SECRET = {{ gitea_jwt_secret }}
[cron]
ENABLED = true
[cron.archive_cleanup]
SCHEDULE = @midnight
OLDER_THAN = 168h

View File

@ -8,7 +8,7 @@ Requires=postgresql.service
RestartSec=2s
Type=simple
User={{ gitea_user }}
Group={{ gitea_user }}
Group={{ gitea_group }}
WorkingDirectory=/opt/gitea/
ExecStart=/opt/gitea/gitea web
Restart=always

View File

@ -0,0 +1,4 @@
User-agent: *
Disallow: /*/*/archive/*.bundle$
Disallow: /*/*/archive/*.tar.gz$
Disallow: /*/*/archive/*.zip$

View File

@ -23,6 +23,10 @@ server {
ssl_certificate_key /etc/nginx/ssl/{{ gitea_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ gitea_domain }}.crt;
location /robots.txt {
alias /opt/gitea/custom/robots.txt;
}
location / {
client_max_body_size 1024M;
proxy_set_header X-Real-IP $remote_addr;

View File

@ -1,10 +1,10 @@
---
- name: Enable grafana apt-key
apt_key: url="https://packages.grafana.com/gpg.key"
apt_key: url="https://apt.grafana.com/gpg.key" keyring="/etc/apt/trusted.gpg.d/grafana.gpg"
- name: Enable grafana repository
apt_repository: repo="deb https://packages.grafana.com/oss/deb stable main"
apt_repository: repo="deb https://apt.grafana.com stable main"
- name: Install grafana
apt: name=grafana
@ -34,3 +34,8 @@
- name: Start grafana
service: name=grafana-server state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ grafana_domain }}"

View File

@ -25,7 +25,8 @@ server {
location / {
client_max_body_size 1024M;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://localhost:3000;
}
}

View File

@ -1,4 +0,0 @@
---
hedgedoc_version: 1.8.2
hedgedoc_archive: https://github.com/hedgedoc/hedgedoc/archive/{{ hedgedoc_version }}.tar.gz

View File

@ -1,105 +0,0 @@
---
- name: Create user
user: name=hackmd
- name: Enable nodesource apt-key
apt_key: url="https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
- name: Enable nodesource repository
apt_repository: repo="deb https://deb.nodesource.com/node_14.x/ {{ ansible_distribution_release }} main"
- name: Enable yarnpkg apt-key
apt_key: url="https://dl.yarnpkg.com/debian/pubkey.gpg"
- name: Enable yarnpkg repository
apt_repository: repo="deb https://dl.yarnpkg.com/debian/ stable main"
- name: Pin nodejs repository
blockinfile:
path: /etc/apt/preferences.d/nodejs
create: yes
block: |
Package: *
Pin: origin deb.nodesource.com
Pin-Priority: 600
- name: Install packages
apt:
name:
- build-essential
- git
- nodejs
- postgresql
- python3-psycopg2
- yarn
- name: Unpack hedgedoc
unarchive: src={{ hedgedoc_archive }} dest=/opt owner=hackmd group=hackmd remote_src=yes creates=/opt/hedgedoc-{{ hedgedoc_version }}
register: hedgedoc_unarchive
- name: Create hedgedoc upload path
file: path=/opt/hedgedoc/uploads state=directory recurse=yes owner=hackmd group=hackmd
- name: Remove old hedgedoc upload path
file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads state=absent force=yes
- name: Link hedgedoc upload path
file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads src=/opt/hedgedoc/uploads state=link owner=hackmd group=hackmd
- name: Setup hedgedoc
command: bin/setup chdir=/opt/hedgedoc-{{ hedgedoc_version }} creates=/opt/hedgedoc-{{ hedgedoc_version }}/config.json
become: true
become_user: hackmd
- name: Configure hedgedoc
template: src=config.json.j2 dest=/opt/hedgedoc-{{ hedgedoc_version }}/config.json owner=hackmd
register: hedgedoc_config
notify: Restart hedgedoc
- name: Install hedgedoc frontend deps
command: /usr/bin/yarn install chdir=/opt/hedgedoc-{{ hedgedoc_version }}
become: true
become_user: hackmd
when: hedgedoc_unarchive.changed or hedgedoc_config.changed
- name: Build hedgedoc frontend
command: /usr/bin/yarn build chdir=/opt/hedgedoc-{{ hedgedoc_version }}
become: true
become_user: hackmd
when: hedgedoc_unarchive.changed or hedgedoc_config.changed
- name: Configure PostgreSQL database
postgresql_db: name={{ hedgedoc_dbname }}
become: true
become_user: postgres
- name: Configure PostgreSQL user
postgresql_user: db={{ hedgedoc_dbname }} name={{ hedgedoc_dbuser }} password={{ hedgedoc_dbpass }} priv=ALL state=present
become: true
become_user: postgres
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hedgedoc_domain }}.key -out /etc/nginx/ssl/{{ hedgedoc_domain }}.crt -days 730 -subj "/CN={{ hedgedoc_domain }}" creates=/etc/nginx/ssl/{{ hedgedoc_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for hedgedoc
template: src=certs.j2 dest=/etc/acertmgr/{{ hedgedoc_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/hedgedoc
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/hedgedoc dest=/etc/nginx/sites-enabled/hedgedoc state=link
notify: Restart nginx
- name: Systemd unit for hedgedoc
template: src=hedgedoc.service.j2 dest=/etc/systemd/system/hedgedoc.service
notify:
- Reload systemd
- Restart hedgedoc
- name: Start the hedgedoc service
service: name=hedgedoc state=started enabled=yes

View File

@ -1,45 +0,0 @@
{
"production": {
"domain": "{{ hedgedoc_domain }}",
"protocolUseSSL": true,
"allowAnonymous": false,
"allowAnonymousEdits": true,
"allowFreeURL": true,
"sessionSecret": "{{ hedgedoc_secret }}",
"hsts": {
"enable": true,
"maxAgeSeconds": 2592000,
"includeSubdomains": true,
"preload": true
},
"csp": {
"enable": true,
"directives": {
},
"upgradeInsecureRequests": "auto",
"addDefaults": true,
"addDisqus": true,
"addGoogleAnalytics": true
},
"db": {
"username": "{{ hedgedoc_dbuser }}",
"password": "{{ hedgedoc_dbpass }}",
"database": "{{ hedgedoc_dbname }}",
"host": "localhost",
"port": "5432",
"dialect": "postgres"
},
"ldap": {
"url": "{{ ldap_uri }}",
"bindDn": "{{ ldap_binddn }}",
"bindCredentials": "{{ ldap_bindpw }}",
"searchBase": "{{ ldap_base }}",
"searchFilter": "(uid={{ '{{' }}username{{ '}}' }})",
"searchAttributes": ["cn", "uid"],
"usernameField": "cn",
"useridField": "uid",
"tlsca": "/etc/ssl/certs/ca-certificates.crt"
},
"email": false
}
}

View File

@ -1,14 +0,0 @@
[Unit]
Description=HedgeDoc
After=network.target
[Service]
Environment=NODE_ENV=production
WorkingDirectory=/opt/hedgedoc-{{ hedgedoc_version }}
Type=simple
User=hackmd
ExecStart=/usr/bin/yarn start
Restart=on-failure
[Install]
WantedBy=multi-user.target

Some files were not shown because too many files have changed in this diff Show More