netbox: bump to version 4.1.8

This will allow for easier management using commands such as docker ps,
or docker logs.

.ansible-lint

@@ -0,0 +1,4 @@
+skip_list:
+ - meta-no-info
+ - package-latest
+ - risky-file-permissions

.drone.yml

@@ -0,0 +1,11 @@
+---
+
+name: playbook
+kind: pipeline
+type: docker
+
+steps:
+- name: lint
+  image: cytopia/ansible-lint:latest
+  commands:
+  - ansible-lint

.gitignore

@@ -2,3 +2,4 @@
 __pycache__
 site.retry
 *.pyc
+ff-ansible.code-workspace

README.md

@@ -3,11 +3,11 @@ Ansible Freifunk Regensburg
 
 ## Requirements
 
-The python package netaddr is required on the host running ansible.
+The python packages netaddr and passlib are required on the host running ansible.
 
 The vault password must be stored in `.vault_pass`.
 
-The *only* supported distributions to deploy roles on is debian stretch and buster (stretch may be too old for prometheus).
+The *only* supported distributions to deploy roles on is debian buster.
 
 
 ## Running Ansible

ansible.cfg

@@ -1,5 +1,6 @@
 [defaults]
 ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
+interpreter_python = auto
 inventory       = ./hosts
 library         = ./library
 nocows          = 1

group_vars/all/vars.yml

@@ -2,6 +2,20 @@
 
 acertmgr_mode: webdir
 
+dnsdist_targets:
+- gw11.regensburg.freifunk.net:8053
+- gw21.regensburg.freifunk.net:8053
+- gw31.regensburg.freifunk.net:8053
+- resolver.regensburg.freifunk.net:8053
+
+dns_slaves:
+- 195.201.117.207
+- 2a01:4f8:1c0c:7dda::1
+- 213.166.224.14
+- 2a02:958:0:1::e
+- 213.166.225.14
+- 2a02:958:0:1::1:e
+
 fastd_targets:
 - gw11.regensburg.freifunk.net:9281
 - gw21.regensburg.freifunk.net:9281
@@ -25,15 +39,24 @@ gre_matrix:
  - { id: 26, a: gw21, b: gw31 }
 # - { id: 33, a: gw22, b: gw31 }
 
+netbox_domain: netbox.regensburg.freifunk.net
+netbox_dbname: netbox
+netbox_dbuser: netbox
+netbox_dbpass: "{{ vault_netbox_dbpass }}"
+netbox_secret: "{{ vault_netbox_secret }}"
+
 node_targets:
+- ns1.regensburg.freifunk.net:9100
+- stats.regensburg.freifunk.net:9100
+- tiles.regensburg.freifunk.net:9100
 - gw11.regensburg.freifunk.net:9100
 - gw21.regensburg.freifunk.net:9100
 - gw31.regensburg.freifunk.net:9100
 - web.regensburg.freifunk.net:9100
-- stats.ffrgb:9100
+- resolver.regensburg.freifunk.net:9100
+- netbox.regensburg.freifunk.net:9100
 - unms.ffrgb:9100
 - unifi.ffrgb:9100
-- tiles.ffrgb:9100
 
 ntp_servers:
 - 0.de.pool.ntp.org
@@ -41,6 +64,10 @@ ntp_servers:
 - 2.de.pool.ntp.org
 - 3.de.pool.ntp.org
 
+prometheus_dnsdist_pass: "{{ vault_prometheus_dnsdist_pass }}"
+
+prometheus_node_pass: "{{ vault_prometheus_node_pass }}"
+
 prometheus_pve_user: prometheus@pve
 prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
 
@@ -48,8 +75,17 @@ pve_targets:
 - pve01.ffrgb
 - pve02.ffrgb
 
+searxng_domain: sx.regensburg.freifunk.net
+searxng_domains: sx.ffrgb.net sx.regensburg.freifunk.net
+
 site: ffrgb
 site_domain: regensburg.freifunk.net
 
+speedtest_domain: speed.regensburg.freifunk.net
+speedtest_domains: speed.ffrgb.net speed.regensburg.freifunk.net
+speedtest_secret: "{{ vault_speedtest_secret }}"
+
+tileserver_domain: tiles.regensburg.freifunk.net
+
 web_services:
-- { id: tiles, domain: tiles.regensburg.freifunk.net }
+- { id: uisp, domain: uisp.regensburg.freifunk.net, domains: uisp.ffrgb.net uisp.regensburg.freifunk.net }

group_vars/all/vault.yml

@@ -1,128 +1,137 @@
 $ANSIBLE_VAULT;1.1;AES256
-36303531356238623563383536313866333234626534333764393330613338323437633133333933
+31633832313136353531623833383865383736333164376632363635333439613763643062663632
-6664636362396636366362363236383763653561366236370a336538353466333830326166353833
+3736376165623664376436643138653435393239636333370a643363343061303436613238373237
-38616339376634616533376262623839653063666633306537353065303436636130376335336631
+36653730376133363061333536626436363366393335303932663736316631633630323634353531
-3432623039316431330a656664386662633362356137666661323438386333386632343864336663
+3734353134396561660a616339303762313430616234383138326438383432646564356662393536
-36623430663333393434393464633633376431333736396165343964663137373366343262373262
+61376161343965656365646238393261356133326131613730343234336139366461333032396531
-62343237623763363961313666333364386364353732383061623937663731653037386562383339
+38653031363934623231336661363233393562383434323633353139336530383432383736353937
-39623633666336356666626134333935356265303035616135303532396632323861366233373936
+65633935373261653134653839353233643439616266613531373938393231643736333436353234
-61356363613161653263323737343866323538623039643230373765353337376631643362633639
+65646665626531323566326561353333666535666430613961666232646632303662343832643661
-32346239353462363239393862643665373663646530343837313132616166346662326339316635
+35373166323439623137383164663838393766326237336234326635383930323365326431343338
-35313465343631333939376165313661616133363565666439336163326132633137363166383831
+61343434363961633532656466653732626135306334303634383235643531396535326536636264
-62613832373839383234356463323761613036666331306434353165653639616336633638396633
+37343930623235363632623963346637363964666664636266373137363037383036633233643130
-61363333376239623738386262653165643335343436303634366536363338386138313235313562
+30323036653637656131623332613463303937323133653064623333396534336661306432323536
-34303332626239323235613532396435646632353132613962363961383536666131306533306566
+38373534303235323230306139663736663430633463663166393033613435616662336335643137
-64306364393266633635363162323133656363633862326231366161633138343765343564646236
+32366439333661313930636234346265306233393966623832613834623263356337356162396335
-66666535613764613964633164333063306263353931646532346136663839646533643230666362
+34353362613163323936613930666339303839393431303461363565623561363034306538396237
-65343432353838383832306331333832386363613566373461323033643963616237663165366636
+38326263303033376435623037653365636362653831623066653263623236613566623962313266
-36336266353664353136323237383237663363613035653664303634633266333565303833356238
+34336233343530366236313131323962666163383035633361333637343732356338626265613338
-62623538623861653135633666613034363766306263323262663631383961333932313837333339
+36643663336161663636343864623864323735613838373562376431643338346662393731373833
-38313439636262313563326232323937323163373532306464333662363362613064313638353338
+38313839393433626630363635323232373534303437656561316231653536306264386331333666
-34633766623962326464393564316563663764326462316232653935383463343163613532623931
+36323330626164363730643337623262303335333438303432373465343235303836366362383336
-33653136636634373939386439623661383432616534333061626232303266343666383335346666
+39666631363362383338616536666432373738336131653765353635373365623030393365636630
-34323336366232363563626139316666353433343236626334366138656334646338623338316439
+38303033306664356162316262346434343239646230663062643566336132613535393835366236
-32323833656430373831616661613662353465376664633233333666373766356666373839336232
+66306435653364323335623665316264646631383066373837653536316135316130393766356162
-65346637616539616330356138323865646433346339363130343366363731343262393538336466
+33326431643162383539323161626163316532373831386334643761636630616162666236613766
-30316565303133343762666165626533343135633937323162653964626535343962653636636163
+38633738333331616336363736396635306630363561613966656538633432363661313432373731
-36323066393039333531626434383830666665326563376638656238393439373033653763386131
+39303764303362336536396130613637653530376437333336613465643539396330623261356534
-65316265626130643335333362363232613733633835633234316565303532623766653032303332
+64633761643065313038656261326638343032353832376262653135663162353434323936353862
-33386661326362626538393033396430303564653737346339643966623337653661376633623166
+31663738353965303963353962626534303333303037336431373631396635363938326133336330
-66313162316131326364393731346336626663626564343662343334616533616537633765376463
+63353333616664663934636433653434626162323064653430666565613061623239613561643838
-64303939313639613665353035336536373436646436373038633233313330663965386665326234
+66356662303137383639336432633432636235306165306339623632316134306431376163616465
-37326338333262313461373765306163646233303930633838636563313138646461656130666234
+32636132656232303162333238393837383731633931363865356634643736326139313638333230
-33383232336333373965666630386131326137666633623231633739646435363532393432323330
+39316662306432333333333266333234646539646532316536383932666435366136346138626136
-33393431616630336139393236636533383537623162376636393365663733626565306661386665
+64373362366239633964616638363666656564323436636432663937666565653436613465366461
-65613536313032646636623334656266336531383733306361363536616661336236353735343535
+65376562303639363332636532386535386365656636346365333330386132383637636239653730
-31353738346332643465383735636666326532623166373962376563633861376361663663393030
+63333361303037393936653064336439653932373739336564333132303639343835376633666631
-31316366346531376635386335366564373530303664323934383930356530356265623530356461
+66613138343730636563626131623437343232303964626562633332303761626331383662373531
-31656461663637373238303737383263353065326333383564346532376261316130346461373230
+39663463656361303236666661356564373432333062303363313532333938633337363536343930
-31633939313061663235326331613061383033313131633330303238363135303637363133663637
+37376464393438613564653465353037313536626466643131336133336161316437316433663032
-61653439633534633234366164313665356265323931346234646163333463366466613934333536
+62633465613634373238383937643037346336336135353230386538353933616436646534366435
-36336662306531643537333437363032643433323564643736336539393634333139633631376238
+31323363666266373662626362663164653863326239303462363739383730643962333230343733
-63633031646163613161626139666334623961646230366561343839653638303465323632653438
+37393831383666393064626437323861353739363762346330666436356466316464393838366133
-39613364326264333131636231303031643336353663386238636561373839393834376636646534
+34653131653838643063396633346132336439393132353661373063623865643465306238326538
-31383764623664363065626331363762623232336162383164396435613330303432616632306336
+63313366386263623333636636376637383536353663643266653431626365666139393764663633
-64313564636433643430336333613339666536383062383932366137636432373038333134313263
+62366234376231393261646366383733633565303433353631343239313362646161663433653632
-61636635613534663662353732333563366230636332326337303433356536373563663639326438
+61303231616366386435666232353531306331613638633531613364663130643433336232633164
-31393664643765653365363834653936336138336261313337636363323063616261336137306662
+64373131303135316135376339353366313635653466663765323931616232333539333639623033
-66663632663864366262363566393437313136373531313264323663373866663865396335666431
+39626233316430303062336234623966376564386365613265363866666636626435306664336636
-33383665346634383039393334373166396230393432623934326665663931636431646330643033
+39346139316331306333666332393631306433623365303064383831643864336634303737633434
-65613339623863323537626631343935333966326263323836373163633531373662393561633731
+39303364633530343531373964353335333832636433313865303765393665633838316531343035
-64613237363562643164613338396436303334346234343739323137616364626433666464663133
+34666237353834613337353063666333353764666431376235393534613534363163333732373061
-61306630626261376465636234613263366334626161353338323739643938323137633835653032
+36663537363938373235326537326139366562656264393930653630383332383466333435386233
-66323964663965616666626138636433323736323630303832366365663436396265333033666662
+32613737303431333537326264343065306361653562633064393762643161313666663262313236
-65343730336233323637356435363931346638666239363964646538343665396466646238363531
+65386430306432653563623666646439376163383433653561333461383933383835373563396137
-31343535393931633830326561323437643834393430646431393765336433326236313537616532
+62383861393963313534616437663465333834663235356439363735633133623365383839613037
-37363739373838383361616663633963373032646663333735663533356630626537326165666530
+34303465363033313739373631363261313130616663336662346132653239313562386664353432
-61633537336437366266303463336438373137303037383761393365366365323263643239323736
+64373961663563393362303166633630343665663437373562613461343266646332313963653965
-33316637643735363531643965383530643333636437363936303133373261386237386630616232
+39363632313864343437333038623364323161376237386333616636303364373964343464643330
-30373861313638663639653932333532306166653462616136326365616465363436363663313430
+31613431313562353862306236623233636264653635643264333364336533623036356530343465
-30306664626566643431353362383364633961306536663136396538313364656231363538363964
+33366131333365393333373062623666663065316666363736633562363934336534313464353239
-37613761326365656632323034376634316430326666306330383937393963656333666437336639
+30666365303330363962653731626266376433666135333435313236386163653336386134633630
-61343365343463303161336366386161363662646138316536653635383034616431356265613032
+65336335346539666431643036636663643936326635636438636438646230353962646335396461
-66643937333933633932376133306465373031386334373032373261643762396637396139616638
+64623238343632346265376537323462316162633437633463656235626366666235653231303736
-64313966393732383830646566306266663734356531336564393362613937646565663337353038
+34316166363139336536396631663435386434396336346331663333353338353466346433393062
-31663734616536343938393638663636653532383538313137336166633632653235323833643665
+31343662316464356663356539303934633336613335373732353165366266303837303364616537
-35393234633364666561653934346139353761643536313438366231646564323138393133333662
+31356135313732633232343362663932656363633162623539323938643239383333306638346236
-36656164333831393061653632633830383766613638353863306663356164393665373965373237
+36666564323336346234313239656463626138313364656637353434303266613232353334666539
-32363065326231393231343839633463326235316533636163356434313832343064396532613832
+34666437356531393933656338373834303130663132303433376338643833643236333639663530
-33306331623364363566663463316139336134396636653264343563623339373566656134636364
+32653536643035303536353431623463353762393539363634636566396134353362633038333831
-38653435333061333966396131376564386134363433643134616338343535353132633465616364
+33633632666331666665373664633138323536633264653339663463326236343862656563323835
-31393266313339383233363364303731653933613632363231333965653237393962646132373761
+66633038346237356638646133626239336233633261626464626238636363666431646661366337
-30643865626130343263656562653765343561636235333966363935333038383734363136633339
+32396137303664363734666238346636653531666461306335343636303861653533356266643833
-65383232313633363761303063343936613765636633663866633833303938366339373635343733
+39633939666534663033336462336633636264336133633630366166356163306539613830636432
-32616432343338376139313663656535373064353063643661663732633130383932373138666133
+66326661646430366332363530333338373136656234613030616338383531313138666435313562
-33336262316664613936633032656234353262333633626237376636383261626331346464363261
+33346262353934636564613730396536333731653036303333343039393534643837663234346234
-65396138653264636537346436636230613435376532383130666138373334643834303064303161
+30303032623565316234343834303061303333346539636138343334663131646463363863663062
-38393563336564343530373362613166636639393963383539333234613734353834306135643363
+31343432383238623733346563323533636466346538616334646338366465356165613434623730
-65613732376661373137353262626565613164343631336531393132333137326531353439333731
+37323930623539353764643939643963353238646230396337633362363664613431303032656639
-37396434626365646565613766653930613632316632363764353330313836326436313438653836
+38613961633439613837636531653163383633373263343235303766613736616636613066316463
-64613337626236323435393363626332383235326635323561633261396466623462623536306361
+63346337383864363562373562643636343764626433383634643064313831373833356132393737
-65393331343664343533356462656638636638666464353037633334323363613936353266363530
+39356534623536373066663933356535356532636332343661333166663433666433363661343861
-39663264356132363836343765336163653731373035653332303462383933333734363537366233
+63393734656534363761313862613364616161303735323563656265323362313061343332346238
-33646333653762656534663635636634663835643730386264333738323962636266653734303239
+35353534663137653466396432353437333739363631373332316165663964653335363034636131
-30336261323039386461303933633366316537303230336238636662396133353735653936313232
+33363933333764306265306161336165306234616161313466393233363431363061633730653437
-63373335313162643562393131653930383566363239613063633931376536373366346331623337
+65313636366162303763663530386239343833626139643439306161623066313638323361353831
-64343734333565316232356634376438306536373662316632313066336364383062653765643165
+63323531353939356337613865663737373661343362353362326637666666383535633030626163
-66626465636365613064323664393163636230303664666632653938633364343136343464653735
+36386464326134333965623262356532353161316533626331623266623630383331313037376365
-38376637646232333735633861356238646235616536336662353466346163616631613062303837
+37353164306433633563386436653235616661366639343035306533643732326232366537633635
-32363638383838663833633532323365663531323632313534613133306336383262306530613337
+33306338386561353564643537353736663434663931343263333764633961666464373461346335
-39653732323430643334366131313137653265353632643136643662626361636666326364303831
+65323462313761653361343236326632393835613538616436666534363366626637376262326462
-39666166623564373133323332353337623038623737303935383036613236666339306235316166
+32366530383439646137383737303634613136396135633136316233326230323466383932616630
-37643737386438623261653064643339663865366433376162373466653461313961383166663830
+66316561333961346130306531623936376636646330373237623034633135303630353566333037
-35396661396664623866346661396563363564306136333137663166323362386431663835323365
+34656233316663656661623731633034643332336631356436653134366162396336643331623135
-35656361353162666638626130343833303165333964613161396132613939313738396563333336
+65646466633236393036383639623066663963653431343836626664383431363663653535383565
-64366533646137633166383431666366643937666139653637386535363135656432363136373134
+64333432343561623633316232623864386161376163333238623066636533353330336566313835
-62396433316339366534303064636436646365373138376162333032383539373939376337643663
+66653265346331393238343862353162383234303334626261643065656637386434636564663665
-62613966646361366435366361633864373066303933633039623530336236346261323335633130
+63616339663261616534376661393837343335373638366264323732353032363731376332653936
-65323838323235653839656530626661343731383966623732663430313137643566343566643932
+64393262346230636366336133616366646533373530356235316561643232333664343462386539
-62353936666632336532326266376438346339343030666530666261386335343566336237616639
+38396665626131646234613466396334346431316638333436633637353836313933656134383031
-33353932326435393266336263363466633035653161363162376630343132383436336164643337
+38633838323163383536323735626132323565643136663030643436303363333264373061663430
-66323436376265353062373166343162353334313365313462616139393430333164323539636235
+65613836313531636264633333346331343038373466653231613830383435386364636237303965
-38613531393030663831663361333437313333643264353131356163313630636264313130663363
+65663635633732663636333764623133373864356363313535333136613039313035663633386338
-62383166396131386133626131303163323865393832663262666434623833653861353064663062
+61343930323665616464643235396232393134373537616635663231343763346434626665393966
-65623239356163656433363339386632303562333064613631383933323563663761343465306133
+31613835666563333261373533316364346538393438636636633862353431333030623933663130
-32336233303461666366336466643936396366343735363934363136393738303031386339623532
+31626337303733373034666562363064373936656435636637356365386363346664306134376339
-30326131383636356535343462313338303235343739623039353066653661313431333461333030
+37383335646339636265656134383432396438383732303066396636373834373037663062336335
-65336166623732353432633236393233313964306435633231336534643134643834626534626131
+61346438636134333763346265653766396165626365633237373466346438363330633562353731
-39303239366439303230316565373235616261633362633737646365316133616366643333343138
+61313630373137303131326134613264356462333363643463643861666239623937636535336536
-31323138343838363735663835633361663036613461336135356639396334633765643764346365
+30313234623936316439643164316139386366336630616266653338383337653561656337343837
-33353332326330366434313662383765653561663238653137383339626539633364336336363634
+66613234363738306235316632316666376231306561653865353636373835646263393932316134
-65626465666435326566363863643064363365623361633266316137643637656537663934396663
+30313433613664306533386133376232323737633934396135626532323830346336353631383539
-65633738613231326461373761626135373866326130356335653739636130366135363137646362
+38666264343962646237313332396535643863393535303437346262613861646663303037333736
-37393839346634373132316434313966653730623035633933636230643765366261373839373333
+63326534313964613663376635306162653639623735633139326161323232653462343063383036
-39363263376533326533663365363538383434663830646630323562333235356335373363383831
+39616233613664626161663131383366663435626432626663623638646163666535316461383531
-66393361663865653238643035353138623730396363333633336261363739303264336136663638
+39663130646564373563323965386331353036366230343635363266323864623633663333656561
-61646366323238373861386266353135333835353665333965306665613331393438313064303435
+33353131623065623839396634653735396262656261323963363261643761373137616232666665
-36633333366637616666386531396539303630653735373163623437396161393633636435356631
+39643835383034383439393638363438633931323437613365643935383766333535643537633633
-30393530323234373631393630383564306132616135646534316466336335366131663465336231
+63633133303166326432613932396331356263626166343436386463376537656231656438313563
-64353136663436653637613765636234343836393262323535666232326265303333646436636531
+30653664383935383161303865363338393933363334653631616432643037626433356561636634
-38313063373133383062333439363036663562623639333932386131353666373037623539316335
+34316436383462386331393231633161383362666532363561326631613137656464306262313034
-39613766383631643661353238643534646464663231663166386634636330373332653963616330
+35636334623861323836326265396664373461313034343231316261616330313938333263666665
-39383238386135646330336565323762326463313939386236366161356463343566376231396465
+39616163346632623764666337313561626233636363343036363331663932616530346230653663
-64376661633465643864663236323961653535386362656238323730326663383138613831613633
+62373661306566373638383962356563323430613262326534663663383162396263306335613462
-38373661666363666661313065356364353232333466386263383761323264363535643034326563
+39326162663161663264626437353064306238646664376666336534326263313061393133373636
-61353638646463383063616365376535366232653135653430336231353633323665373438613437
+33346161376136636536393264363332633561373037326566313137366265383635376366343036
-32316164643438626236613839353333316536313439306334666566623465323366633036326466
+30613763633264303536396535303236353138393032336461666131356464343930656665326535
-61646263396333373063383861313033393335323263393261636265613736376361393735636130
+64393130376166383538353866323265303562326239626233636237626664346631646264386439
-643939373434306635633963666533396439
+65383730333534656361366438316536613138303334343665396438336164663064373838323534
+64626631363131663462303131333735633337653335623939383264363163633765326438313965
+32623662383464316133623538616139623433336435316166346336663761343536393662393733
+35333938383137383863653966363837366639303634616239643235653932643132323033373238
+38323734353563383133333538316236393162636237313061363663303764343533626466373137
+32656561383633633166386437653361313363666334636639353833323461663030313736613831
+30613832306137323637653330306637323530613935333263373338346430393265333839636566
+39336662326637363038653734323230626234346433313830656264633732666430663265383031
+65313864386637303563636239646633393335616231613531633762326430633231343264363236
+32346662623562356432

host_vars/gw11.regensburg.freifunk.net

@@ -3,13 +3,22 @@
 batman_ipv4: 10.90.32.11/19
 batman_ipv6: fdef:f10f:1337:cafe::11/64
 batman_algo: BATMAN_IV
-global_ipv6: 2a00:9d80:6000:0101::11/64
+global_ipv6: 2001:678:ddc:11::11/64
 nextnode4: 10.90.32.1
 nextnode6: fdef:f10f:1337:cafe::1
 mtu: 1312
 
+vx_wg_vni: 3665730
+
+mesh_wg_port: 20010
+mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
+
 fastd_port: 10010
 
 gateway_id: 11
 
 site_code: ffrgb_cty
+
+nat_pool: 194.156.22.12-194.156.22.13
+
+ntp_server: true

host_vars/gw12.regensburg.freifunk.net

@@ -8,8 +8,15 @@ nextnode4: 10.90.32.1
 nextnode6: fdef:f10f:1337:cafe::1
 mtu: 1312
 
+vx_wg_vni: 3665730
+
+mesh_wg_port: 20010
+mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
+
 fastd_port: 10010
 
 gateway_id: 12
 
 site_code: ffrgb_cty
+
+ntp_server: true

host_vars/gw21.regensburg.freifunk.net

@@ -3,13 +3,22 @@
 batman_ipv4: 10.90.64.21/19
 batman_ipv6: fdef:f20f:1337:cafe::21/64
 batman_algo: BATMAN_IV
-global_ipv6: 2a00:9d80:6000:0102::21/64
+global_ipv6: 2001:678:ddc:21::21/64
 nextnode4: 10.90.64.1
 nextnode6: fdef:f20f:1337:cafe::1
 mtu: 1312
 
+vx_wg_vni: 11781694
+
+mesh_wg_port: 20020
+mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
+
 fastd_port: 10020
 
 gateway_id: 21
 
 site_code: ffrgb_uml
+
+nat_pool: 194.156.22.22-194.156.22.23
+
+ntp_server: true

host_vars/gw22.regensburg.freifunk.net

@@ -10,6 +10,13 @@ mtu: 1312
 
 fastd_port: 10020
 
+vx_wg_vni: 11781694
+
+mesh_wg_port: 20020
+mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
+
 gateway_id: 22
 
 site_code: ffrgb_uml
+
+ntp_server: true

host_vars/gw31.regensburg.freifunk.net

@@ -3,13 +3,22 @@
 batman_ipv4: 10.90.96.31/19
 batman_ipv6: fdef:f30f:1337:cafe::31/64
 batman_algo: BATMAN_IV
-global_ipv6: 2a00:9d80:6000:0103::31/64
+global_ipv6: 2001:678:ddc:31::31/64
 nextnode4: 10.90.96.1
 nextnode6: fdef:f30f:1337:cafe::1
 mtu: 1312
 
+vx_wg_vni: 3120917
+
+mesh_wg_port: 20030
+mesh_wg_privkey: "{{ vault_mesh_wg_privkey_tst }}"
+
 fastd_port: 10030
 
 gateway_id: 31
 
 site_code: ffrgb_tst
+
+nat_pool: 194.156.22.32-194.156.22.33
+
+ntp_server: true

host_vars/resolver.regensburg.freifunk.net

@@ -0,0 +1,3 @@
+---
+
+acertmgr_mode: standalone

host_vars/stats.regensburg.freifunk.net

@@ -0,0 +1,31 @@
+---
+
+grafana_rendering: True
+
+# yanic needs this
+site_code: ffrgb_cty
+
+yanic_publisher: true
+
+yanic_repondd_enable: false
+
+yanic_respondd_interface: ens18
+yanic_respondd_ip: true
+
+yanic_nodes_prune_after: 60d
+yanic_nodes_offline_after: 5m
+
+yanic_meshviewer_enable: false
+
+yanic_nodelist_enable: true
+
+yanic_database_delete_after: 720d
+
+yanic_dbc_repondd_enable: false
+
+yanic_influxdb:
+- enable: true
+  host: http://127.0.0.1:8086
+  database: ffrgb
+  username: "admin"
+  password: "{{ vault_yanic_influx_pw }}"

hosts

@@ -2,8 +2,12 @@
 gw11.regensburg.freifunk.net
 gw21.regensburg.freifunk.net
 gw31.regensburg.freifunk.net
+netbox.regensburg.freifunk.net
+ns1.regensburg.freifunk.net
+resolver.regensburg.freifunk.net
+stats.regensburg.freifunk.net
+sx.regensburg.freifunk.net
+tiles.regensburg.freifunk.net
 web.regensburg.freifunk.net
-stats.ffrgb ansible_host=10.90.224.100
 unms.ffrgb ansible_host=10.90.224.101
 unifi.ffrgb ansible_host=10.90.224.102
-tiles.ffrgb ansible_host=10.90.224.103

library/fastd_key

@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 
 EXAMPLES = '''
 # Generates a fastd key
@@ -23,7 +23,7 @@ if __name__ == '__main__':
     # create file with restrictive permissions
     with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), 'w') as handle:
       # generate fastd secret
-      secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip()
+      secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip().decode()
       handle.write('secret "%s";\n' % secret)
 
     changed = True

roles/acertmgr/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+
+acertmgr_version: "{{ lookup('url', 'https://raw.githubusercontent.com/moepman/acertmgr/master/version.txt') | trim }}"

roles/acertmgr/tasks/main.yml

@@ -8,16 +8,9 @@
     - python3-yaml
     - python3-pkg-resources
 
-- name: Find current acertmgr version
-  get_url:
-    url: "https://raw.githubusercontent.com/moepman/acertmgr/master/version.txt"
-    dest: /tmp/acertmgr.version
-  vars:
-    ansible_connection: local
-
 - name: Install acertmgr
   apt:
-   deb: "https://github.com/moepman/acertmgr/releases/download/{{ lookup('file', '/tmp/acertmgr.version') }}/python3-acertmgr_{{ lookup('file', '/tmp/acertmgr.version') }}-1_all.deb"
+    deb: "https://github.com/moepman/acertmgr/releases/download/{{ acertmgr_version }}/python3-acertmgr_{{ acertmgr_version }}-1_all.deb"
 
 - name: Create config directories
   file:

roles/apt/files/unattended-upgrades.conf

@@ -1,7 +1,7 @@
 // Unattended-Upgrade::Origins-Pattern controls which packages are
 // upgraded.
 //
-// Lines below have the format format is "keyword=value,...".  A
+// Lines below have the format "keyword=value,...".  A
 // package will be upgraded only if the values in its metadata match
 // all the supplied keywords in a line.  (In other words, omitted
 // keywords are wild cards.) The keywords originate from the Release
@@ -19,50 +19,73 @@
 // Within lines unattended-upgrades allows 2 macros whose values are
 // derived from /etc/debian_version:
 //   ${distro_id}            Installed origin.
-//   ${distro_codename}      Installed codename (eg, "jessie")
+//   ${distro_codename}      Installed codename (eg, "buster")
 Unattended-Upgrade::Origins-Pattern {
         // Codename based matching:
         // This will follow the migration of a release through different
         // archives (e.g. from testing to stable and later oldstable).
-//      "o=Debian,n=jessie";
+        // Software will be the latest available for the named release,
-//      "o=Debian,n=jessie-updates";
+        // but the Debian release itself will not be automatically upgraded.
-//      "o=Debian,n=jessie-proposed-updates";
+        "origin=Debian,codename=${distro_codename}-updates";
-//      "o=Debian,n=jessie,l=Debian-Security";
+//      "origin=Debian,codename=${distro_codename}-proposed-updates";
+        "origin=Debian,codename=${distro_codename},label=Debian";
+        "origin=Debian,codename=${distro_codename},label=Debian-Security";
+        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
 
         // Archive or Suite based matching:
         // Note that this will silently match a different release after
         // migration to the specified archive (e.g. testing becomes the
         // new stable).
-        "origin=Debian,codename=${distro_codename}";
+//      "o=Debian,a=stable";
-        "origin=Debian,codename=${distro_codename}-updates";
+//      "o=Debian,a=stable-updates";
-        "origin=Debian,codename=${distro_codename}-proposed-updates";
+//      "o=Debian,a=proposed-updates";
-        "origin=Debian,codename=${distro_codename},label=Debian-Security";
+//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
 };
 
-// List of packages to not update (regexp are supported)
+// Python regular expressions, matching packages to exclude from upgrading
 Unattended-Upgrade::Package-Blacklist {
-//	"vim";
+    // The following matches all packages starting with linux-
-//	"libc6";
+//  "linux-";
-//	"libc6-dev";
+
-//	"libc6-i686";
+    // Use $ to explicitely define the end of a package name. Without
+    // the $, "libc6" would match all of them.
+//  "libc6$";
+//  "libc6-dev$";
+//  "libc6-i686$";
+
+    // Special characters need escaping
+//  "libstdc\+\+6$";
+
+    // The following matches packages like xen-system-amd64, xen-utils-4.1,
+    // xenstore-utils and libxenstore3.0
+//  "(lib)?xen(store)?";
+
+    // For more information about Python regular expressions, see
+    // https://docs.python.org/3/howto/regex.html
 };
 
 // This option allows you to control if on a unclean dpkg exit
 // unattended-upgrades will automatically run 
 //   dpkg --force-confold --configure -a
 // The default is true, to ensure updates keep getting installed
-Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
 
 // Split the upgrade into the smallest possible chunks so that
-// they can be interrupted with SIGUSR1. This makes the upgrade
+// they can be interrupted with SIGTERM. This makes the upgrade
 // a bit slower but it has the benefit that shutdown while a upgrade
 // is running is possible (with a small delay)
-Unattended-Upgrade::MinimalSteps "true";
+//Unattended-Upgrade::MinimalSteps "true";
 
-// Install all unattended-upgrades when the machine is shuting down
+// Install all updates when the machine is shutting down
-// instead of doing it in the background while the machine is running
+// instead of doing it in the background while the machine is running.
-// This will (obviously) make shutdown slower
+// This will (obviously) make shutdown slower.
-Unattended-Upgrade::InstallOnShutdown "false";
+// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
+// This allows more time for unattended-upgrades to shut down gracefully
+// or even install a few packages in InstallOnShutdown mode, but is still a
+// big step back from the 30 minutes allowed for InstallOnShutdown previously.
+// Users enabling InstallOnShutdown mode are advised to increase
+// InhibitDelayMaxSec even further, possibly to 30 minutes.
+//Unattended-Upgrade::InstallOnShutdown "false";
 
 // Send email to this address for problems or packages upgrades
 // If empty or unset then no email is sent, make sure that you
@@ -70,19 +93,29 @@ Unattended-Upgrade::InstallOnShutdown "false";
 // 'mailx' must be installed. E.g. "user@example.com"
 Unattended-Upgrade::Mail "root";
 
-// Set this value to "true" to get emails only on errors. Default
+// Set this value to one of:
-// is to always send a mail if Unattended-Upgrade::Mail is set
+//    "always", "only-on-error" or "on-change"
-Unattended-Upgrade::MailOnlyOnError "true";
+// If this is not set, then any legacy MailOnlyOnError (boolean) value
+// is used to chose between "only-on-error" and "on-change"
+Unattended-Upgrade::MailReport "only-on-error";
 
-// Do automatic removal of new unused dependencies after the upgrade
+// Remove unused automatically installed kernel-related packages
+// (kernel images, kernel headers and kernel version locked tools).
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+
+// Do automatic removal of newly unused dependencies after the upgrade
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+
+// Do automatic removal of unused packages after the upgrade
 // (equivalent to apt-get autoremove)
 Unattended-Upgrade::Remove-Unused-Dependencies "true";
 
 // Automatically reboot *WITHOUT CONFIRMATION* if
-//  the file /var/run/reboot-required is found after the upgrade 
+//  the file /var/run/reboot-required is found after the upgrade
 Unattended-Upgrade::Automatic-Reboot "false";
 
-// Automatically reboot even if there are users currently logged in.
+// Automatically reboot even if there are users currently logged in
+// when Unattended-Upgrade::Automatic-Reboot is set to true
 //Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
 
 // If automatic reboot is enabled and needed, reboot at the specific
@@ -92,10 +125,40 @@ Unattended-Upgrade::Automatic-Reboot "false";
 
 // Use apt bandwidth limit feature, this example limits the download
 // speed to 70kb/sec
-Acquire::http::Dl-Limit "200";
+//Acquire::http::Dl-Limit "70";
 
 // Enable logging to syslog. Default is False
 // Unattended-Upgrade::SyslogEnable "false";
 
 // Specify syslog facility. Default is daemon
 // Unattended-Upgrade::SyslogFacility "daemon";
+
+// Download and install upgrades only on AC power
+// (i.e. skip or gracefully stop updates on battery)
+// Unattended-Upgrade::OnlyOnACPower "true";
+
+// Download and install upgrades only on non-metered connection
+// (i.e. skip or gracefully stop updates on a metered connection)
+// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
+
+// Verbose logging
+// Unattended-Upgrade::Verbose "false";
+
+// Print debugging information both in unattended-upgrades and
+// in unattended-upgrade-shutdown
+// Unattended-Upgrade::Debug "false";
+
+// Allow package downgrade if Pin-Priority exceeds 1000
+// Unattended-Upgrade::Allow-downgrade "false";
+
+// When APT fails to mark a package to be upgraded or installed try adjusting
+// candidates of related packages to help APT's resolver in finding a solution
+// where the package can be upgraded or installed.
+// This is a workaround until APT's resolver is fixed to always find a
+// solution if it exists. (See Debian bug #711128.)
+// The fallback is enabled by default, except on Debian's sid release because
+// uninstallable packages are frequent there.
+// Disabling the fallback speeds up unattended-upgrades when there are
+// uninstallable packages at the expense of rarely keeping back packages which
+// could be upgraded or installed.
+// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";

roles/apt/tasks/main.yml

@@ -3,21 +3,18 @@
 - name: Configure apt not to install recommends packages
   copy: src=apt-recommends.conf dest=/etc/apt/apt.conf.d/40recommends
 
-- name: Install apt https transport plugin
+- name: Install apt related tools
-  apt: name=apt-transport-https
+  apt:
-
+    name:
-- name: Install debian-goodies for checkrestart
+    - apt-transport-https
-  apt: name={{ item }}
+    - debian-goodies
-  with_items:
+    - gnupg2
-  - debian-goodies
+    - lsof
-  - lsof
+    - unattended-upgrades
 
 - name: Configure periodic apt updates
   copy: src=apt-periodic.conf dest=/etc/apt/apt.conf.d/10periodic
 
-- name: Install unattended-upgrades
-  apt: name=unattended-upgrades
-
 - name: Configure unattended-upgrades
   copy: src=unattended-upgrades.conf dest=/etc/apt/apt.conf.d/50unattended-upgrades
 

roles/arp_cache/tasks/main.yml

@@ -8,4 +8,4 @@
   - { key: 'net.ipv4.neigh.default.gc_thresh3', value: 8192 }
   - { key: 'net.ipv6.neigh.default.gc_thresh1', value: 2048 }
   - { key: 'net.ipv6.neigh.default.gc_thresh2', value: 4096 }
-  - { key: 'net.ipv6.neigh.default.gc_thresh3', value: 8192 }
+  - { key: 'net.ipv6.neigh.default.gc_thresh3', value: 32768 }

roles/common/handlers/main.yml

@@ -1,7 +1,13 @@
 ---
 
+- name: Restart chrony
+  service: name=chrony state=restarted
+
 - name: Restart journald
   service: name=systemd-journald state=restarted
 
+- name: update-grub
+  command: update-grub
+
 - name: update-initramfs
   command: update-initramfs -u -k all

roles/common/tasks/Debian.yml

@@ -0,0 +1,79 @@
+---
+
+- name: Install misc software
+  apt:
+    name:
+    - ca-certificates
+    - dnsutils
+    - git
+    - htop
+    - less
+    - mtr-tiny
+    - net-tools
+    - openssl
+    - psmisc
+    - pydf
+    - rsync
+    - sudo
+    - vim-nox
+    - wget
+    - zsh
+    - fail2ban
+
+- name: Install software on KVM VMs
+  apt:
+    name:
+    - acpid
+    - qemu-guest-agent
+  when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
+
+- name: Configure misc software
+  copy: src={{ item.src }} dest={{ item.dest }}
+  diff: no
+  with_items:
+  - { src: ".zshrc", dest: "/root/.zshrc" }
+  - { src: ".zshrc.local", dest: "/root/.zshrc.local" }
+  - { src: "motd", dest: "/etc/motd" }
+  - { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
+
+- name: Set shell for root user
+  user: name=root shell=/bin/zsh
+
+- name: Disable hibernation/resume
+  copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
+  notify: update-initramfs
+
+- name: Enable serial console on KVM VMs
+  lineinfile:
+    path: "/etc/default/grub"
+    state: "present"
+    regexp: "^#?GRUB_CMDLINE_LINUX=.*"
+    line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
+  notify: update-grub
+  when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
+
+- name: Prevent normal users from running su
+  lineinfile:
+    path: /etc/pam.d/su
+    regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
+    line: "auth       required   pam_wheel.so"
+
+- name: Configure journald retention
+  lineinfile:
+    path: "/etc/systemd/journald.conf"
+    state: "present"
+    regexp: "^#?MaxRetentionSec=.*"
+    line: "MaxRetentionSec=7day"
+  notify: Restart journald
+
+- name: Set logrotate.conf to daily
+  replace:
+    path: "/etc/logrotate.conf"
+    regexp: "(?:weekly|monthly)"
+    replace: "daily"
+
+- name: Set logrotate.conf rotation to 7
+  replace:
+    path: "/etc/logrotate.conf"
+    regexp: "rotate [0-9]+"
+    replace: "rotate 7"

roles/common/tasks/Proxmox.yml

@@ -0,0 +1,25 @@
+---
+
+- name: Install misc software
+  apt:
+    name:
+    - dnsutils
+    - htop
+    - ipmitool
+    - less
+    - rsync
+    - vim-nox
+    - wget
+    - zsh
+
+- name: Configure misc software
+  copy: src={{ item.src }} dest={{ item.dest }}
+  diff: no
+  with_items:
+  - { src: ".zshrc", dest: "/root/.zshrc" }
+  - { src: ".zshrc.local", dest: "/root/.zshrc.local" }
+  - { src: "motd", dest: "/etc/motd" }
+  - { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
+
+- name: Set shell for root user
+  user: name=root shell=/bin/zsh

roles/common/tasks/chrony.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Install chrony
+  apt: name=chrony
+
+- name: Configure chrony
+  template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
+  notify: Restart chrony
+
+- name: Start chrony
+  service: name=chrony state=started enabled=yes

roles/common/tasks/main.yml

@@ -1,75 +1,21 @@
 ---
 
-- name: Install misc software
+- name: Cleanup
-  apt: name={{ item }}
+  apt: autoclean=yes
-  with_items:
+  when: ansible_os_family == "Debian"
-  - dnsutils
-  - git
-  - htop
-  - less
-  - mtr-tiny
-  - net-tools
-  - openssl
-  - psmisc
-  - pydf
-  - rsync
-  - sudo
-  - vim-nox
-  - zsh
-  - fail2ban
 
-- name: Install software on KVM VMs
+- name: Gather package facts
-  apt: name={{ item }}
+  package_facts:
-  with_items:
+    manager: apt
-  - acpid
+  when: ansible_os_family == "Debian"
-  - qemu-guest-agent
-  when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
 
-- name: Configure misc software
+- name: Proxmox
-  copy: src={{ item.src }} dest={{ item.dest }}
+  include: Proxmox.yml
-  diff: no
+  when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages
-  with_items:
-  - { src: '.zshrc', dest: '/root/.zshrc' }
-  - { src: '.zshrc.local', dest: '/root/.zshrc.local' }
-  - { src: 'motd', dest: '/etc/motd' }
-  - { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
 
-- name: Set shell for root user
+- name: Debian
-  user: name=root shell=/bin/zsh
+  include: Debian.yml
+  when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
 
-- name: Disable hibernation/resume
+- name: Setup chrony
-  copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
+  include: chrony.yml
-  notify: update-initramfs
-
-- name: use new-style network interface names
-  file: path=/etc/systemd/network/{{ item }} state=absent
-  with_items:
-  - 50-virtio-kernel-names.link
-  - 99-default.link
-  notify: update-initramfs
-
-- name: Prevent normal users from running su
-  lineinfile:
-    path: /etc/pam.d/su
-    regexp: '^.*auth\s+required\s+pam_wheel.so$'
-    line: 'auth       required   pam_wheel.so'
-
-- name: Configure journald retention
-  lineinfile:
-    path: "/etc/systemd/journald.conf"
-    state: "present"
-    regexp: "^#?MaxRetentionSec=.*"
-    line: "MaxRetentionSec=7day"
-  notify: Restart journald
-
-- name: Set logrotate.conf to daily
-  replace:
-    path: "/etc/logrotate.conf"
-    regexp: "(?:weekly|monthly)"
-    replace: "daily"
-
-- name: Set logrotate.conf rotation to 7
-  replace:
-    path: "/etc/logrotate.conf"
-    regexp: "rotate [0-9]+"
-    replace: "rotate 7"

roles/common/templates/chrony.conf.j2

@@ -0,0 +1,53 @@
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usable directives.
+
+# Include configuration files found in /etc/chrony/conf.d.
+confdir /etc/chrony/conf.d
+
+{% for srv in ntp_servers %}
+server {{ srv }} iburst
+{% endfor %}
+{% if ntp_peers is defined %}
+
+{% for peer in ntp_peers %}
+peer {{ peer }}
+{% endfor %}
+{% endif %}
+
+{% if ntp_server is defined and ntp_server is true %}
+allow 10.90.0.0/16
+allow 2001:678:ddc::/48
+{% endif -%}
+
+# This directive specify the location of the file containing ID/key pairs for
+# NTP authentication.
+keyfile /etc/chrony/chrony.keys
+
+# This directive specify the file into which chronyd will store the rate
+# information.
+driftfile /var/lib/chrony/chrony.drift
+
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
+# Uncomment the following line to turn logging on.
+#log tracking measurements statistics
+
+# Log files location.
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1 3
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+# This directive must be commented out when using time sources serving
+# leap-smeared time.
+leapsectz right/UTC

roles/dhcpd/defaults/main.yml

@@ -2,5 +2,5 @@
 
 dhcpd_interfaces: br-{{ site_code }}
 dhcpd_first: "{{ batman_ipv4 | ipaddr('512') | ipaddr('address') }}"
-dhcpd_last: "{{ batman_ipv4 | ipaddr('2558') | ipaddr('address') }}"
+dhcpd_last: "{{ batman_ipv4 | ipaddr('4606') | ipaddr('address') }}"
 name_server: "{{ batman_ipv4 | ipaddr('address') }}"

roles/dhcpd/templates/dhcpd.conf.j2

@@ -2,7 +2,7 @@
 
 # option definitions common to all supported networks...
 option domain-name "{{ site_domain }}";
-option domain-name-servers {{nextnode4}}, {{ name_server }};
+option domain-name-servers {{ nextnode4 }}, {{ name_server }};
 
 local-address {{ batman_ipv4 | ipaddr('address') }};
 

roles/dns/tasks/main.yml

@@ -1,28 +0,0 @@
----
-
-- name: Install powerdns
-  apt: name={{ item }}
-  with_items:
-  - pdns-backend-bind
-  - pdns-recursor
-  - pdns-server
-
-- name: Create zone directory
-  file: path=/etc/powerdns/bind/ state=directory
-
-- name: Configure powerdns
-  template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
-  tags: dns
-  notify: Restart powerdns
-  with_items:
-  - bind/ffrgb.zone
-  - bind/90.10.in-addr.arpa.zone
-  - bindbackend.conf
-  - pdns.conf
-  - recursor.conf
-
-- name: Start the powerdns services
-  service: name={{ item }} state=started enabled=yes
-  with_items:
-  - pdns
-  - pdns-recursor

roles/dns_auth/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+
+- name: Restart powerdns
+  service: name=pdns state=restarted

roles/dns_auth/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+
+- name: Install powerdns
+  apt:
+    name:
+    - pdns-server
+    - pdns-backend-sqlite3
+    - sqlite3
+
+- name: Configure powerdns
+  template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
+  notify: Restart powerdns
+
+- name: Initialize database
+  command:
+    cmd: >
+      sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
+      /var/lib/powerdns/powerdns.sqlite3
+    creates: /var/lib/powerdns/powerdns.sqlite3
+
+- name: Start the powerdns services
+  service: name=pdns state=started enabled=yes

roles/dns_auth/templates/pdns.conf.j2

@@ -0,0 +1,35 @@
+#################################
+# allow-axfr-ips	Allow zonetransfers only to these subnets
+#
+# allow-axfr-ips=127.0.0.0/8,::1
+allow-axfr-ips=127.0.0.1,::1,{{ dns_slaves | join(',') }}
+
+#################################
+# dname-processing	If we should support DNAME records
+#
+# dname-processing=no
+dname-processing=yes
+
+#################################
+# launch	Which backends to launch and order to query them in
+#
+# launch=
+launch=gsqlite3
+
+gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
+
+#################################
+# master	Act as a master
+#
+# master=no
+master=yes
+
+#################################
+# only-notify	Only send AXFR NOTIFY to these IP addresses or netmasks
+#
+# only-notify=0.0.0.0/0,::/0
+only-notify=
+
+# security-poll-suffix  Domain name from which to query security update notifications
+#
+security-poll-suffix=

roles/dns_resolver/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
+- name: Restart powerdns
+  service: name=pdns-recursor state=restarted
+
+- name: Restart dnsdist
+  service: name=dnsdist state=restarted

roles/dns_resolver/meta/main.yml

@@ -0,0 +1,4 @@
+---
+
+dependencies:
+- { role: acertmgr }

roles/dns_resolver/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+
+- name: Install powerdns
+  apt:
+    name:
+    - dnsdist
+    - pdns-recursor
+
+- name: Ensure certificates are available
+  command:
+    cmd: >
+      openssl req -x509 -nodes -newkey rsa:2048
+      -keyout /etc/dnsdist/{{ ansible_fqdn }}.key
+      -out /etc/dnsdist/{{ ansible_fqdn }}.crt
+      -days 730 -subj "/CN={{ ansible_fqdn }}"
+    creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
+  notify: Restart dnsdist
+
+- name: Configure certificate manager
+  template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
+  notify: Run acertmgr
+
+- name: Configure powerdns
+  template: src=recursor.conf.j2 dest=/etc/powerdns/recursor.conf
+  notify: Restart powerdns
+
+- name: Configure dnsdist
+  template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
+  notify: Restart dnsdist
+
+- name: Start the dns services
+  service: name={{ item }} state=started enabled=yes
+  with_items:
+  - dnsdist
+  - pdns-recursor

roles/dns_resolver/templates/certs.j2

@@ -0,0 +1,15 @@
+---
+
+{{ ansible_fqdn }}:
+- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
+  user: _dnsdist
+  group: _dnsdist
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service dnsdist restart'
+- path: /etc/dnsdist/{{ ansible_fqdn }}.key
+  user: _dnsdist
+  group: _dnsdist
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service dnsdist restart'

roles/dns_resolver/templates/dnsdist.conf.j2

@@ -0,0 +1,24 @@
+-- {{ ansible_managed }}
+
+setLocal('127.0.0.1')
+addLocal('::1')
+addLocal('{{ ansible_default_ipv4.address }}')
+addLocal('{{ ansible_default_ipv6.address }}')
+
+setACL({'0.0.0.0/0', '::/0'})
+
+addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())
+
+newServer({address='127.0.0.1:5353', name='localhost'})
+
+addTLSLocal('{{ ansible_default_ipv4.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
+addTLSLocal('{{ ansible_default_ipv6.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
+
+-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
+addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
+
+-- HTTP Endpoint for Prometheus
+webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
+
+-- disable security status polling via DNS
+setSecurityPollSuffix('')

roles/dns_resolver/templates/recursor.conf.j2

@@ -0,0 +1,53 @@
+# {{ ansible_managed }}
+
+#################################
+# allow-from    If set, only allow these comma separated netmasks to recurse
+#
+#allow-from=127.0.0.0/8
+
+#################################
+# config-dir    Location of configuration directory (recursor.conf)
+#
+config-dir=/etc/powerdns
+
+#################################
+# dnssec        DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
+#
+# dnssec=process-no-validate
+dnssec=off
+
+#################################
+# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
+#
+local-address=127.0.0.1
+
+#################################
+# local-port    port to listen on
+#
+local-port=5353
+
+#################################
+# query-local-address   Source IP address for sending queries
+#
+query-local-address=::,0.0.0.0
+
+#################################
+# quiet Suppress logging of questions and answers
+#
+quiet=yes
+
+#################################
+# security-poll-suffix  Domain name from which to query security update notifications
+#
+# security-poll-suffix=secpoll.powerdns.com.
+security-poll-suffix=
+
+#################################
+# setgid        If set, change group id to this gid for more security
+#
+setgid=pdns
+
+#################################
+# setuid        If set, change user id to this uid for more security
+#
+setuid=pdns

roles/dns_split/handlers/main.yml

@@ -1,7 +1,13 @@
 ---
 
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
 - name: Restart powerdns
   service: name={{ item }} state=restarted
   with_items:
    - pdns
    - pdns-recursor
+
+- name: Restart dnsdist
+  service: name=dnsdist state=restarted

roles/dns_split/tasks/main.yml

@@ -0,0 +1,47 @@
+---
+
+- name: Install powerdns
+  apt:
+    name:
+    - dnsdist
+    - pdns-backend-bind
+    - pdns-recursor
+    - pdns-server
+
+- name: Ensure certificates are available
+  command:
+    cmd: >
+      openssl req -x509 -nodes -newkey rsa:2048
+      -keyout /etc/dnsdist/{{ ansible_fqdn }}.key
+      -out /etc/dnsdist/{{ ansible_fqdn }}.crt
+      -days 730 -subj "/CN={{ ansible_fqdn }}"
+    creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
+  notify: Restart dnsdist
+
+- name: Configure certificate manager
+  template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
+  notify: Run acertmgr
+
+- name: Create zone directory
+  file: path=/etc/powerdns/bind/ state=directory
+
+- name: Configure powerdns
+  template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
+  notify: Restart powerdns
+  with_items:
+  - bind/ffrgb.zone
+  - bind/90.10.in-addr.arpa.zone
+  - bindbackend.conf
+  - pdns.conf
+  - recursor.conf
+
+- name: Configure dnsdist
+  template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
+  notify: Restart dnsdist
+
+- name: Start the dns services
+  service: name={{ item }} state=started enabled=yes
+  with_items:
+  - dnsdist
+  - pdns
+  - pdns-recursor

roles/dns_split/templates/certs.j2

@@ -0,0 +1,15 @@
+---
+
+{{ ansible_fqdn }}:
+- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
+  user: _dnsdist
+  group: _dnsdist
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service dnsdist restart'
+- path: /etc/dnsdist/{{ ansible_fqdn }}.key
+  user: _dnsdist
+  group: _dnsdist
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service dnsdist restart'

roles/dns_split/templates/dnsdist.conf.j2

@@ -0,0 +1,20 @@
+-- {{ ansible_managed }}
+
+setLocal('127.0.0.1')
+addLocal('::1')
+addLocal('{{ batman_ipv4 | ipaddr('address') }}')
+addLocal('{{ batman_ipv6 | ipaddr('address') }}')
+
+newServer({address='127.0.0.1:5353', name='localhost'})
+
+addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
+addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
+
+-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
+addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
+
+-- HTTP Endpoint for Prometheus
+webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
+
+-- disable security status polling via DNS
+setSecurityPollSuffix('')

roles/dns_split/templates/pdns.conf.j2

@@ -12,12 +12,6 @@ launch=bind
 # local-address=0.0.0.0
 local-address=127.0.0.1
 
-#################################
-# local-ipv6    Local IP address to which we bind
-#
-# local-ipv6=::
-local-ipv6=
-
 #################################
 # local-port    The port on which we listen
 #

roles/dns_split/templates/recursor.conf.j2

@@ -25,19 +25,17 @@ forward-zones=ffrgb=127.0.0.1:5300,90.10.in-addr.arpa=127.0.0.1:5300
 #################################
 # local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
 #
-local-address=127.0.0.1,{{ batman_ipv4 | ipaddr('address') }},{{ batman_ipv6 | ipaddr('address') }}
+local-address=127.0.0.1
 
 #################################
 # local-port    port to listen on
 #
-local-port=53
+local-port=5353
 
 #################################
-# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
+# query-local-address   Source IP address for sending queries
 #
-{% if global_ipv6 is defined %}
+query-local-address=::,0.0.0.0
-query-local-address6={{ global_ipv6 | ipaddr('address') }}
-{% endif %}
 
 #################################
 # quiet Suppress logging of questions and answers

roles/docker/tasks/main.yml

@@ -1,17 +1,10 @@
 ---
 
-- name: Enable docker apt-key
-  apt_key: url='https://download.docker.com/linux/debian/gpg'
-
-- name: Enable docker repository
-  apt_repository:
-    repo: 'deb https://download.docker.com/linux/debian buster stable'
-    filename: docker
-
 - name: Install docker
   apt:
     name:
-    - docker-ce
+    - docker.io
-    - docker-ce-cli
+    - python3-docker
-    - containerd.io
+
-    - python-docker
+- name: Enable docker
+  service: name=docker state=started enabled=yes

roles/exit-ip/defaults/main.yml

@@ -1,4 +0,0 @@
----
-
-conntrack_max: 131072
-fastd_instances: 3

roles/exit_ip/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+
+conntrack_max: 131072
+fastd_instances: 3
+nat_pool: "{{ ansible_default_ipv4.address }}"

roles/exit_ip/templates/rules.v4.j2

@@ -4,12 +4,14 @@
 :INPUT ACCEPT [1:136]
 :OUTPUT ACCEPT [2:472]
 :POSTROUTING ACCEPT [0:0]
--A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
+-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ nat_pool }}
 COMMIT
 *filter
 :INPUT ACCEPT [1124:131621]
--A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
+-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
 -A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
+-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
+-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
 :FORWARD ACCEPT [0:0]
 -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 :OUTPUT ACCEPT [1151:175226]

roles/exit_ip/templates/rules.v6.j2

@@ -1,9 +1,13 @@
 # {{ ansible_managed }}
 *filter
 :INPUT ACCEPT [0:0]
--A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
+-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
 -A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
+-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
+-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
 :FORWARD ACCEPT [0:0]
 -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 :OUTPUT ACCEPT [0:0]
+-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -m limit --limit 200/sec -j ACCEPT
+-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -j DROP
 COMMIT

roles/fastd/handlers/main.yml

@@ -1,8 +1,8 @@
 ---
 
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
 - name: Restart fastd
   service: name=fastd@{{ site_code }}{{ item }} state=restarted
   with_sequence: start=0 count={{ fastd_instances }}
-
-- name: Reload systemd
-  command: systemctl daemon-reload

roles/fastd/templates/fastd.conf.j2

@@ -11,7 +11,6 @@ interface "vpn-{{ site_code }}{{ item }}";
 
 method "null";
 method "salsa2012+umac";
-method "xsalsa20-poly1305";
 
 secure handshakes yes;
 

roles/fastd_exporter/handlers/main.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Reload systemd
-  command: systemctl daemon-reload
+  systemd: daemon_reload=yes
 
 - name: Restart fastd-exporter
   service: name=fastd-exporter state=restarted

roles/fastd_exporter/meta/main.yml

@@ -1,4 +1,4 @@
 ---
 
 dependencies:
-- { role: git }
+- { role: go }

roles/git/tasks/main.yml

@@ -1,7 +0,0 @@
----
-
-- name: Install git
-  apt: name=git
-
-- name: Install ca-certificates
-  apt: name=ca-certificates

roles/grafana/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+
+grafana_rendering: False

roles/grafana/tasks/main.yml

@@ -1,10 +1,38 @@
 ---
 
-- name: Enable grafana apt-key
+- name: Retrieve Grafana Key and avoid apt_key
-  apt_key: url='https://packages.grafana.com/gpg.key'
+  block:
+    - name: grafana |no apt key
+      ansible.builtin.get_url:
+        url: https://apt.grafana.com/gpg.key
+        dest: /usr/share/keyrings/grafana.key
 
 - name: Enable grafana repository
-  apt_repository: repo='deb https://packages.grafana.com/oss/deb stable main'
+  apt_repository: repo="deb [signed-by=/usr/share/keyrings/grafana.key] https://apt.grafana.com stable main"
 
 - name: Install grafana
   apt: name=grafana
+
+- name: Install grafana rendering dependencies
+  apt:
+    name:
+    - libxdamage1
+    - libxext6
+    - libxi6
+    - libxtst6
+    - libnss3
+    - libnss3
+    - libcups2
+    - libxss1
+    - libxrandr2
+    - libasound2
+    - libatk1.0-0
+    - libatk-bridge2.0-0
+    - libpangocairo-1.0-0
+    - libpango-1.0-0
+    - libcairo2
+    - libatspi2.0-0
+    - libgtk3.0-cil
+    - libgdk3.0-cil
+    - libx11-xcb-dev
+  when: grafana_rendering

roles/influxdb/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+
+- name: Import Influxdb GPG siging key with store
+  ansible.builtin.get_url:
+    url: "https://repos.influxdata.com/influxdata-archive_compat.key"
+    dest: /etc/apt/trusted.gpg.d/influxdb.key
+    checksum: "sha256:393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c"
+
+- name: Convert key
+  ansible.builtin.command:
+    argv:
+      - gpg
+      - --dearmor
+      - /etc/apt/trusted.gpg.d/influxdb.key
+    creates: /etc/apt/trusted.gpg.d/influxdb.key.gpg
+
+- name: Enable InfluxDB repository
+  ansible.builtin.apt_repository:
+    repo: 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.key.gpg] https://repos.influxdata.com/debian stable main'
+    state: present
+
+- name: Install influxdb
+  apt: name=influxdb

roles/interfaces/files/networking.service

@@ -1,8 +1,9 @@
 [Unit]
-Description=ifupdown2 networking initialization
+Description=Network initialization
 Documentation=man:interfaces(5) man:ifup(8) man:ifdown(8)
 DefaultDependencies=no
-Before=network.target shutdown.target network-online.target
+After=local-fs.target network-pre.target
+Before=shutdown.target network.target network-online.target
 Conflicts=shutdown.target
 
 [Service]
@@ -10,6 +11,7 @@ Type=oneshot
 RemainAfterExit=yes
 SyslogIdentifier=networking
 TimeoutStopSec=30s
+EnvironmentFile=/etc/default/networking
 ExecStart=/usr/share/ifupdown2/sbin/start-networking start
 ExecStop=/usr/share/ifupdown2/sbin/start-networking stop
 ExecReload=/usr/share/ifupdown2/sbin/start-networking reload

roles/interfaces/handlers/main.yml

@@ -4,4 +4,4 @@
   command: /sbin/ifreload -a
 
 - name: Reload systemd
-  command: systemctl daemon-reload
+  systemd: daemon_reload=yes

roles/interfaces/tasks/main.yml

@@ -1,10 +1,13 @@
 ---
 
 - name: Install dependencies
-  apt: name=python-pkg-resources
+  apt:
+    name:
+    - bridge-utils
 
+# work-around to get a version new enough not to screw up forwarding setting on all interfaces
 - name: Install ifupdown2
-  apt: name=ifupdown2 state=latest
+  apt: deb=http://moepman.eu/tmp/ifupdown2_3.1.0-1_all.deb
 
 - name: Uninstall ifupdown
   apt: name=ifupdown state=absent

roles/interfaces/templates/mesh.conf.j2

@@ -14,6 +14,8 @@ iface br-{{ site_code }}
 {% if global_ipv6 is defined %}
 	address		{{ global_ipv6 }}
 {% endif %}
+	#
+	post-up		echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
 
 # bat-{{ site_code }}
 auto bat-{{ site_code }}
@@ -21,18 +23,14 @@ iface bat-{{ site_code }}
 	hwaddress	f2:00:90:00:{{ gateway_id }}:20
 	mtu		1500
 	#
-	batman-hop-penalty	5
 	batman-ifaces		dmy-{{ site_code }}
 	batman-ifaces-ignore-regex	.*_.*
+	batman-routing-algo	{{ batman_algo }}
 	#
-	# TODO use batman-xyz instead of batctl
+	post-up		/usr/sbin/batctl meshif bat-{{ site_code }} gw server
-	# see /usr/share/ifupdown2/addons/batman_adv.py
+	post-up		/usr/sbin/batctl meshif bat-{{ site_code }} hp 5
-	#
+	post-up		/usr/sbin/batctl meshif bat-{{ site_code }} it 5000
-	up /usr/sbin/batctl -m bat-{{ site_code }} gw_mode server 100000 100000
+	post-up		/usr/sbin/batctl meshif bat-{{ site_code }} mff 1
-	up /usr/sbin/batctl -m bat-{{ site_code }} it 5000
-	up /usr/sbin/batctl -m bat-{{ site_code }} multicast_mode 0
-	up /usr/sbin/batctl -m bat-{{ site_code }} ra {{ batman_algo }}
-	up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
 
 
 # dmy-{{ site_code }}

roles/mesh_wg/files/ping

@@ -0,0 +1 @@
+OK

roles/mesh_wg/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+
+- name: Reload interfaces
+  command: /sbin/ifreload -a

roles/mesh_wg/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+
+- name: Install wireguard
+  apt: name=wireguard-tools
+
+- name: Create wireguard config directory
+  file:
+    path: /etc/wireguard
+    state: directory
+    mode: 0700
+
+- name: Configure wireguard options
+  template: src=wg.conf.j2 dest=/etc/wireguard/wg-{{ site_code }}.conf mode=0600
+  notify: Reload interfaces
+
+- name: Configure mesh interfaces
+  template: src=mesh_wg.conf.j2 dest=/etc/network/interfaces.d/mesh_wg.conf
+  notify: Reload interfaces
+
+- name: Install wgskex
+  apt: deb=http://moepman.eu/tmp/wgskex_0.3.3_amd64.deb
+
+
+- name: Install ping endpoint
+  copy: src=ping dest=/var/www/html/ping

roles/mesh_wg/templates/mesh_wg.conf.j2

@@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+
+# vx-{{ site_code }}
+auto vx-{{ site_code }}
+iface vx-{{ site_code }}
+	mtu		1350
+	vxlan-physdev	wg-{{ site_code }}
+	pre-up		ip -6 link add vx-{{ site_code }} type vxlan id {{ vx_wg_vni }} local fe80::{{ gateway_id }} dev wg-{{ site_code }} noudpcsum dstport 8472
+	up		ip link set vx-{{ site_code }} up
+	post-up		batctl meshif bat-{{ site_code }} if add vx-{{ site_code }}
+	down		ip link set vx-{{ site_code }} down
+	post-down	ip -6 link del vx-{{ site_code }}
+
+# wg-{{ site_code }}
+auto wg-{{ site_code }}
+iface wg-{{ site_code }}
+	address		fe80::{{ gateway_id }}/128
+	ipv6-addrgen	no
+	pre-up		ip link add dev wg-{{ site_code }} type wireguard
+	pre-up		wg setconf wg-{{ site_code }} /etc/wireguard/wg-{{ site_code }}.conf
+	post-up		ip link set wg-{{ site_code }} mtu 1420

roles/mesh_wg/templates/wg.conf.j2

@@ -0,0 +1,3 @@
+[Interface]
+PrivateKey = {{ mesh_wg_privkey }}
+ListenPort = {{ mesh_wg_port }}

roles/netbox/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+
+netbox_group: netbox
+netbox_user: netbox
+netbox_version: 4.1.8

roles/netbox/handlers/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart netbox
+  service: name=netbox state=restarted
+
+- name: Restart netbox-rq
+  service: name=netbox-rq state=restarted

roles/netbox/tasks/main.yml

@@ -0,0 +1,152 @@
+---
+
+- name: Create group
+  group: name={{ netbox_group }}
+
+- name: Create user
+  user: name={{ netbox_user }} home=/home/{{ netbox_user }} group={{ netbox_group }}
+
+- name: Install dependencies
+  apt:
+    name:
+    - build-essential
+    - libffi-dev
+    - libpq-dev
+    - libssl-dev
+    - libxml2-dev
+    - libxslt1-dev
+    - python3-setuptools
+    - python3-dev
+    - python3-pip
+    - python3-venv
+    - zlib1g-dev
+
+- name: Install PostgreSQL
+  apt:
+    name:
+    - postgresql
+    - python3-psycopg2
+
+- name: Configure PostgreSQL user
+  postgresql_user:
+    name: "{{ netbox_dbuser }}"
+    password: "{{ netbox_dbpass }}"
+  become: true
+  become_user: postgres
+
+- name: Configure PostgreSQL database
+  postgresql_db:
+    name: "{{ netbox_dbname }}"
+    owner: "{{ netbox_dbuser }}"
+  become: true
+  become_user: postgres
+
+- name: Install redis
+  apt: name=redis-server
+
+- name: Unpack netbox
+  unarchive:
+    src: "https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz"
+    dest: /opt
+    remote_src: yes
+    creates: "/opt/netbox-{{ netbox_version }}"
+  register: netbox_unarchive
+
+- name: Configure netbox
+  template:
+    src: configuration.py.j2
+    dest: "/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py"
+    owner: "{{ netbox_user }}"
+    group: "{{ netbox_group }}"
+  notify: Restart netbox
+
+- name: Configure gunicorn
+  template:
+    src: gunicorn.py.j2
+    dest: "/opt/netbox-{{ netbox_version }}/gunicorn.py"
+    owner: "{{ netbox_user }}"
+    group: "{{ netbox_group }}"
+
+- name: Netbox file permissions
+  file:
+    path: "/opt/netbox-{{ netbox_version }}"
+    owner: "{{ netbox_user }}"
+    group: "{{ netbox_group }}"
+    recurse: yes
+
+- name: Fix psycopg variant
+  lineinfile:
+    path: "/opt/netbox-{{ netbox_version }}/requirements.txt"
+    regexp: '^psycopg\[.*,pool\]==(.*)$'
+    line: 'psycopg[binary,pool]==\1'
+    backrefs: yes
+  register: netbox_psycopg_fix
+
+- name: Run upgrade script
+  command:
+    cmd: ./upgrade.sh
+    chdir: "/opt/netbox-{{ netbox_version }}"
+  become: true
+  become_user: "{{ netbox_user }}"
+  when: netbox_unarchive.changed or netbox_psycopg_fix.changed
+
+# TODO - still manual work
+# * Create a super user
+# * Migrate media files
+
+- name: Install netbox housekeeping cronjob
+  template:
+    src: netbox-housekeeping.sh.j2
+    dest: /etc/cron.daily/netbox-housekeeping.sh
+    mode: 0755
+
+- name: Ensure certificates are available
+  command:
+    cmd: >
+      openssl req -x509 -nodes -newkey rsa:2048
+      -keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
+      -days 730 -subj "/CN={{ netbox_domain }}"
+    creates: "/etc/nginx/ssl/{{ netbox_domain }}.crt"
+  notify: Restart nginx
+
+- name: Request nsupdate key for certificate
+  include_role: name=acme-dnskey-generate
+  vars:
+    acme_dnskey_san_domains:
+    - "{{ netbox_domain }}"
+  when: "'kitchen' in group_names"
+
+- name: Configure certificate manager for netbox
+  template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template:
+    src: vhost.j2
+    dest: /etc/nginx/sites-available/netbox
+    owner: root
+    mode: "0644"
+  notify: Restart nginx
+
+- name: Enable vhost
+  file:
+    src: /etc/nginx/sites-available/netbox
+    dest: /etc/nginx/sites-enabled/netbox
+    state: link
+  notify: Restart nginx
+
+- name: Install systemd units
+  template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
+  with_items:
+  - netbox
+  - netbox-rq
+  notify:
+  - Reload systemd
+  - Restart netbox
+  - Restart netbox-rq
+
+- name: Enable services
+  service: name={{ item }} state=started enabled=yes
+  with_items:
+  - netbox
+  - netbox-rq

roles/netbox/templates/certs.j2

@@ -0,0 +1,15 @@
+---
+
+{{ netbox_domain }}:
+- path: /etc/nginx/ssl/{{ netbox_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ netbox_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'

roles/netbox/templates/configuration.py.j2

@@ -0,0 +1,212 @@
+#########################
+#                       #
+#   Required settings   #
+#                       #
+#########################
+
+# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write
+# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
+#
+# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local']
+ALLOWED_HOSTS = ['{{ netbox_domain }}']
+
+# PostgreSQL database configuration. See the Django documentation for a complete list of available parameters:
+#   https://docs.djangoproject.com/en/stable/ref/settings/#databases
+DATABASE = {
+    'NAME': '{{ netbox_dbname }}',               # Database name
+    'USER': '{{ netbox_dbuser }}',               # PostgreSQL username
+    'PASSWORD': '{{ netbox_dbpass }}',           # PostgreSQL password
+    'HOST': 'localhost',      # Database server
+    'PORT': '',               # Database port (leave blank for default)
+    'CONN_MAX_AGE': 300,      # Max database connection age
+}
+
+# Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate
+# configuration exists for each. Full connection details are required in both sections, and it is strongly recommended
+# to use two separate database IDs.
+REDIS = {
+    'tasks': {
+        'HOST': 'localhost',
+        'PORT': 6379,
+        # Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
+        # 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
+        # 'SENTINEL_SERVICE': 'netbox',
+        'PASSWORD': '',
+        'DATABASE': 0,
+        'SSL': False,
+        # Set this to True to skip TLS certificate verification
+        # This can expose the connection to attacks, be careful
+        # 'INSECURE_SKIP_TLS_VERIFY': False,
+    },
+    'caching': {
+        'HOST': 'localhost',
+        'PORT': 6379,
+        # Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
+        # 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
+        # 'SENTINEL_SERVICE': 'netbox',
+        'PASSWORD': '',
+        'DATABASE': 1,
+        'SSL': False,
+        # Set this to True to skip TLS certificate verification
+        # This can expose the connection to attacks, be careful
+        # 'INSECURE_SKIP_TLS_VERIFY': False,
+    }
+}
+
+# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
+# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
+# symbols. NetBox will not run without this defined. For more information, see
+# https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY
+SECRET_KEY = '{{ netbox_secret }}'
+
+
+#########################
+#                       #
+#   Optional settings   #
+#                       #
+#########################
+
+# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
+# application errors (assuming correct email settings are provided).
+ADMINS = [
+    # ('John Doe', 'jdoe@example.com'),
+]
+
+# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
+# BASE_PATH = 'netbox/'
+BASE_PATH = ''
+
+# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
+# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
+# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
+CORS_ORIGIN_ALLOW_ALL = False
+CORS_ORIGIN_WHITELIST = [
+    # 'https://hostname.example.com',
+]
+CORS_ORIGIN_REGEX_WHITELIST = [
+    # r'^(https?://)?(\w+\.)?example\.com$',
+]
+
+# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal
+# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging
+# on a production system.
+DEBUG = False
+
+# Email settings
+EMAIL = {
+    'SERVER': 'localhost',
+    'PORT': 25,
+    'USERNAME': '',
+    'PASSWORD': '',
+    'USE_SSL': False,
+    'USE_TLS': False,
+    'TIMEOUT': 10,  # seconds
+    'FROM_EMAIL': '',
+}
+
+# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
+# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
+EXEMPT_VIEW_PERMISSIONS = [
+    # 'dcim.site',
+    # 'dcim.region',
+    # 'ipam.prefix',
+]
+
+# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks).
+# HTTP_PROXIES = {
+#     'http': 'http://10.10.1.10:3128',
+#     'https': 'http://10.10.1.10:1080',
+# }
+
+# IP addresses recognized as internal to the system. The debugging toolbar will be available only to clients accessing
+# NetBox from an internal IP.
+INTERNAL_IPS = ('127.0.0.1', '::1')
+
+# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs:
+#   https://docs.djangoproject.com/en/stable/topics/logging/
+LOGGING = {}
+
+# Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
+# authenticated to NetBox indefinitely.
+LOGIN_PERSISTENCE = False
+
+# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
+# are permitted to access most data in NetBox but not make any changes.
+LOGIN_REQUIRED = True
+
+# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
+# re-authenticate. (Default: 1209600 [14 days])
+LOGIN_TIMEOUT = None
+
+# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
+# the default value of this setting is derived from the installed location.
+# MEDIA_ROOT = '/opt/netbox/netbox/media'
+
+# By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the
+# class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. For example:
+# STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage'
+# STORAGE_CONFIG = {
+#     'AWS_ACCESS_KEY_ID': 'Key ID',
+#     'AWS_SECRET_ACCESS_KEY': 'Secret',
+#     'AWS_STORAGE_BUCKET_NAME': 'netbox',
+#     'AWS_S3_REGION_NAME': 'eu-west-1',
+# }
+
+# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
+METRICS_ENABLED = False
+
+# Enable installed plugins. Add the name of each plugin to the list.
+PLUGINS = []
+
+# Plugins configuration settings. These settings are used by various plugins that the user may have installed.
+# Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings.
+# PLUGINS_CONFIG = {
+#     'my_plugin': {
+#         'foo': 'bar',
+#         'buzz': 'bazz'
+#     }
+# }
+
+# Remote authentication support
+REMOTE_AUTH_ENABLED = False
+REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
+REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
+REMOTE_AUTH_AUTO_CREATE_USER = True
+REMOTE_AUTH_DEFAULT_GROUPS = []
+REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
+
+# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
+# version check or use the URL below to check for release in the official NetBox repository.
+RELEASE_CHECK_URL = None
+# RELEASE_CHECK_URL = 'https://api.github.com/repos/netbox-community/netbox/releases'
+
+# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of
+# this setting is derived from the installed location.
+# REPORTS_ROOT = '/opt/netbox/netbox/reports'
+
+# Maximum execution time for background tasks, in seconds.
+RQ_DEFAULT_TIMEOUT = 300
+
+# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
+# this setting is derived from the installed location.
+# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
+
+# The name to use for the session cookie.
+SESSION_COOKIE_NAME = 'sessionid'
+
+# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
+# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
+# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
+SESSION_FILE_PATH = None
+
+# Time zone (default: UTC)
+TIME_ZONE = 'Europe/Berlin'
+
+# Date/time formatting. See the following link for supported formats:
+# https://docs.djangoproject.com/en/stable/ref/templates/builtins/#date
+DATE_FORMAT = 'N j, Y'
+SHORT_DATE_FORMAT = 'Y-m-d'
+TIME_FORMAT = 'g:i a'
+SHORT_TIME_FORMAT = 'H:i:s'
+DATETIME_FORMAT = 'N j, Y g:i a'
+SHORT_DATETIME_FORMAT = 'Y-m-d H:i'

roles/netbox/templates/gunicorn.py.j2

@@ -0,0 +1,16 @@
+# The IP address (typically localhost) and port that the Netbox WSGI process should listen on
+bind = '127.0.0.1:8001'
+
+# Number of gunicorn workers to spawn. This should typically be 2n+1, where
+# n is the number of CPU cores present.
+workers = 5
+
+# Number of threads per worker process
+threads = 3
+
+# Timeout (in seconds) for a request to complete
+timeout = 120
+
+# The maximum number of requests a worker can handle before being respawned
+max_requests = 5000
+max_requests_jitter = 500

roles/netbox/templates/netbox-housekeeping.sh.j2

@@ -0,0 +1,9 @@
+#!/bin/sh
+# This shell script invokes NetBox's housekeeping management command, which
+# intended to be run nightly. This script can be copied into your system's
+# daily cron directory (e.g. /etc/cron.daily), or referenced directly from
+# within the cron configuration file.
+#
+# If NetBox has been installed into a nonstandard location, update the paths
+# below.
+/opt/netbox-{{ netbox_version }}/venv/bin/python /opt/netbox-{{ netbox_version }}/netbox/manage.py housekeeping

roles/netbox/templates/netbox-rq.service.j2

@@ -0,0 +1,21 @@
+[Unit]
+Description=NetBox Request Queue Worker
+Documentation=https://netbox.readthedocs.io/en/stable/
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+
+User={{ netbox_user }}
+Group={{ netbox_group }}
+WorkingDirectory=/opt/netbox-{{ netbox_version }}
+
+ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/python3 /opt/netbox-{{ netbox_version }}/netbox/manage.py rqworker
+
+Restart=on-failure
+RestartSec=30
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target

roles/netbox/templates/netbox.service.j2

@@ -0,0 +1,22 @@
+[Unit]
+Description=NetBox WSGI Service
+Documentation=https://netbox.readthedocs.io/en/stable/
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+
+User={{ netbox_user }}
+Group={{ netbox_group }}
+PIDFile=/var/tmp/netbox.pid
+WorkingDirectory=/opt/netbox-{{ netbox_version }}
+
+ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox-{{ netbox_version }}/netbox --config /opt/netbox-{{ netbox_version }}/gunicorn.py netbox.wsgi
+
+Restart=on-failure
+RestartSec=30
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target

roles/netbox/templates/vhost.j2

@@ -0,0 +1,38 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ netbox_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://$host$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ netbox_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ netbox_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ netbox_domain }}.crt;
+
+	location /static/ {
+		alias /opt/netbox-{{ netbox_version }}/netbox/static/;
+	}
+
+	location / {
+		client_max_body_size 32M;
+
+		proxy_pass http://localhost:8001;
+		proxy_set_header X-Forwarded-Host $http_host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+}

roles/nginx/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+
+nginx_anonymize: False

roles/nginx/tasks/main.yml

@@ -8,7 +8,13 @@
   when: nginx_ssl
 
 - name: Ensure certificates are available
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt -days 730 -subj "/CN={{ ansible_fqdn }}" creates=/etc/nginx/ssl/{{ ansible_fqdn }}.crt
+  command:
+    cmd: >
+      openssl req -x509 -nodes -newkey rsa:2048
+      -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key
+      -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt
+      -days 730 -subj "/CN={{ ansible_fqdn }}"
+    creates: /etc/nginx/ssl/{{ ansible_fqdn }}.crt
   when: nginx_ssl
   notify: Restart nginx
 
@@ -24,7 +30,7 @@
   - /etc/nginx/dhparam.pem
 
 - name: Configure nginx
-  copy: src=nginx.conf dest=/etc/nginx/nginx.conf
+  template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
   notify: Restart nginx
 
 - name: Configure default vhost
@@ -35,7 +41,7 @@
 - name: Ensure network and dns are available before nginx
   lineinfile:
     dest: /lib/systemd/system/nginx.service
-    line: "After=network-online.target nss-lookup.target"
+    line: "After=network-online.target remote-fs.target nss-lookup.target"
     regexp: "^After="
 
 - name: Start nginx

roles/nginx/templates/nginx.conf.j2

@@ -47,7 +47,32 @@ http {
 	# Logging Settings
 	##
 
+{% if nginx_anonymize %}
+	map $remote_addr $ip_anonym1 {
+		default 0.0.0;
+		"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
+		"~(?P<ip>[^:]+:[^:]+):" $ip;
+	}
+
+	map $remote_addr $ip_anonym2 {
+		default .0;
+		"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
+		"~(?P<ip>[^:]+:[^:]+):" ::;
+	}
+
+	map $ip_anonym1$ip_anonym2 $ip_anonymized {
+		default 0.0.0.0;
+		"~(?P<ip>.*)" $ip;
+	}
+
+	log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
+		'"$request" $status $body_bytes_sent '
+		'"$http_referer" "$http_user_agent"';
+
+	access_log /var/log/nginx/access.log anonymized;
+{% else %}
 	access_log /var/log/nginx/access.log;
+{% endif %}
 	error_log /var/log/nginx/error.log;
 
 	##

roles/node_exporter/defaults/main.yml

@@ -1,4 +1,4 @@
 ---
 
-node_exporter_version: 1.0.1
+node_exporter_version: 1.2.0
 node_exporter_url: https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz

roles/node_exporter/files/node_exporter

@@ -1 +1 @@
-OPTIONS=""
+OPTIONS="--web.config=/etc/node_exporter/web-config.yml"

roles/node_exporter/handlers/main.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Reload systemd
-  command: systemctl daemon-reload
+  systemd: daemon_reload=yes
 
 - name: Restart node_exporter
   service: name=node_exporter state=restarted

roles/node_exporter/tasks/main.yml

@@ -9,6 +9,27 @@
 - name: Configure node_exporter
   copy: src=node_exporter dest=/etc/default/node_exporter
 
+- name: Create configuration directory
+  file: path=/etc/node_exporter state=directory
+
+- name: Ensure certificates are available
+  command:
+    cmd: >
+      openssl req -x509 -nodes -newkey rsa:2048
+      -keyout /etc/node_exporter/{{ ansible_fqdn }}.key
+      -out /etc/node_exporter/{{ ansible_fqdn }}.crt
+      -days 730 -subj "/CN={{ ansible_fqdn }}"
+    creates: /etc/node_exporter/{{ ansible_fqdn }}.crt
+  notify: Restart node_exporter
+
+- name: Ensure correct certificate permissions
+  file: path=/etc/node_exporter/{{ ansible_fqdn }}.key owner=node_exporter mode=0400
+  notify: Restart node_exporter
+
+- name: Configure node_exporter TLS
+  template: src=web-config.yml.j2 dest=/etc/node_exporter/web-config.yml
+  notify: Restart node_exporter
+
 - name: Install systemd unit
   template: src=node_exporter.service.j2 dest=/lib/systemd/system/node_exporter.service
   notify:

roles/node_exporter/templates/web-config.yml.j2

@@ -0,0 +1,6 @@
+tls_server_config:
+  cert_file: /etc/node_exporter/{{ ansible_fqdn }}.crt
+  key_file: /etc/node_exporter/{{ ansible_fqdn }}.key
+
+basic_auth_users:
+  prometheus: {{ prometheus_node_pass | password_hash('bcrypt', 'supersecret1salt1value') }}

roles/ntp/handlers/main.yml

@@ -1,7 +0,0 @@
----
-
-- name: Restart ntp
-  service: name=ntp state=restarted
-
-- name: Restart ntpd
-  service: name=ntpd state=restarted

roles/ntp/tasks/main.yml

@@ -1,11 +0,0 @@
----
-
-- name: Install ntp
-  apt: name=ntp
-
-- name: Configure ntp
-  template: src=ntp.conf.j2 dest=/etc/ntp.conf
-  notify: Restart ntp
-
-- name: Start the ntp service
-  service: name=ntp state=started enabled=yes

roles/ntp/templates/ntp.conf.j2

@@ -1,17 +0,0 @@
-# {{ ansible_managed }}
-
-{% for srv in ntp_servers %}
-server {{ srv }} iburst
-{% endfor %}
-{% if ntp_peers is defined %}
-
-{% for peer in ntp_peers %}
-peer {{ peer }}
-{% endfor %}
-{% endif %}
-
-restrict default kod nomodify notrap nopeer noquery
-restrict -6 default kod nomodify notrap nopeer noquery
-
-restrict 127.0.0.1
-restrict -6 ::1