dns_intern: rename erx-bk to rt-w13b

The EdgeRouter has been replaced by a APU running VyOS

README.md

@@ -1,11 +1,68 @@
 # Binary Kitchen Ansible Playbooks
 
-This repository contains the roles to setup most of the infrastructure related to the hackerspace Binary Kitchen.
+This repository contains the roles to setup most of the infrastructure related to the hackspace Binary Kitchen.
 
-## Using
+## Usage
 
-TBA
+To apply the current set of roles to a single host you can type: `ansible-playbook site.yml -l $hostname`
 
-## Style / Contributing
+It is recommenced to alway run in check mode (`--check`) first and use `--diff` to see what has been (or would be) changed
 
-TBA/TBD
+
+## Current setup
+
+Currently the following hosts are installed:
+
+### Internal Servers
+
+| Hostname                  | OS        | Purpose                 |
+| ------------------------- | --------- | ----------------------- |
+| wurst.binary.kitchen      | Proxmox 8 | VM Host                 |
+| salat.binary.kitchen      | Proxmox 8 | VM Host                 |
+| weizen.binary.kitchen     | Proxmox 8 | VM Host                 |
+| bacon.binary.kitchen      | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| aveta.binary.kitchen      | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| aeron.binary.kitchen      | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| sulis.binary.kitchen      | Debian 12 | Shell                   |
+| nabia.binary.kitchen      | Debian 12 | Monitoring              |
+| epona.binary.kitchen      | Debian 12 | NetBox                  |
+| pizza.binary.kitchen      | Debian 11 | OpenHAB *               |
+| pancake.binary.kitchen    | Debian 12 | XRDP                    |
+| knoedel.binary.kitchen    | Debian 12 | SIP-DECT OMM            |
+| bob.binary.kitchen        | Debian 12 | Gitea Actions           |
+| lasagne.binary.kitchen    | Debian 12 | Home Assistant *        |
+| tschunk.binary.kitchen    | Debian 11 | Strichliste             |
+| bowle.binary.kitchen      | Debian 12 | Files                   |
+| lock-auweg.binary.kitchen | Debian 11 | Doorlock                |
+
+\*: The main application is not managed by ansible but manually installed
+
+### External Servers
+
+| Hostname                      | OS        | Purpose                 |
+| ----------------------------- | --------- | ----------------------- |
+| helium.binary-kitchen.net     | Debian 12 | LDAP Master             |
+| lithium.binary-kitchen.net    | Debian 12 | Mail                    |
+| beryllium.binary-kitchen.net  | Debian 12 | Web *                   |
+| boron.binary-kitchen.net      | Debian 12 | Gitea                   |
+| carbon.binary-kitchen.net     | Debian 12 | Jabber                  |
+| nitrogen.binary-kitchen.net   | Debian 12 | NextCloud               |
+| oxygen.binary-kitchen.net     | Debian 12 | Shell                   |
+| fluorine.binary-kitchen.net   | Debian 12 | Web (div. via Docker)   |
+| neon.binary-kitchen.net       | Debian 12 | Auth. DNS               |
+| sodium.binary-kitchen.net     | Debian 12 | Mattrix                 |
+| magnesium.binary-kitchen.net  | Debian 12 | TURN                    |
+| aluminium.binary-kitchen.net  | Debian 12 | Zammad                  |
+| krypton.binary-kitchen.net    | Debian 12 | PartDB *                |
+| yttrium.binary-kitchen.net    | Debian 12 | Hintervvoidler *        |
+| zirconium.binary-kitchen.net  | Debian 12 | Jitsi                   |
+| molybdenum.binary-kitchen.net | Debian 12 | Telefonzelle *          |
+| technetium.binary-kitchen.net | Debian 12 | Event CTFd *            |
+| ruthenium.binary-kitchen.net  | Debian 12 | Minecraft *             |
+| rhodium.binary-kitchen.net    | Debian 12 | Event pretix            |
+| palladium.binary-kitchen.net  | Debian 12 | Event pretalx           |
+| argentum.binary-kitchen.net   | Debian 12 | Event Web *             |
+| cadmium.binary-kitchen.neti   | Debian 12 | Event NetBox *          |
+| barium.binary-kitchen.net     | Debian 12 | Workadventure           |
+
+\*: The main application is not managed by ansible but manually installed

group_vars/all/vars.yml

@@ -5,6 +5,14 @@ acertmgr_mode: webdir
 acme_dnskey_file: /etc/acertmgr/nsupdate.key
 acme_dnskey_server: neon.binary-kitchen.net
 
+authentik_domain: auth.binary-kitchen.de
+authentik_dbname: authentik
+authentik_dbuser: authentik
+authentik_dbpass: "{{ vault_authentik_dbpass }}"
+authentik_secret: "{{ vault_authentik_secret }}"
+
+bk23b_domain: 23b.binary-kitchen.de
+
 coturn_realm: turn.binary-kitchen.de
 coturn_secret: "{{ vault_coturn_secret }}"
 
@@ -14,16 +22,6 @@ dns_axfr_ips:
 
 dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
 
-drone_admin: moepman
-drone_domain: drone.binary-kitchen.de
-drone_dbname: drone
-drone_dbuser: drone
-drone_dbpass: "{{ vault_drone_dbpass }}"
-drone_uipass: "{{ vault_drone_uipass }}"
-drone_secret: "{{ vault_drone_secret }}"
-drone_gitea_client: "{{ vault_drone_gitea_client }}"
-drone_gitea_secret: "{{ vault_drone_gitea_secret }}"
-
 dss_domain: dss.binary-kitchen.de
 dss_secret: "{{ vault_dss_secret }}"
 
@@ -35,8 +33,8 @@ gitea_secret: "{{ vault_gitea_secret }}"
 gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
 
 hedgedoc_domain: pad.binary-kitchen.de
-hedgedoc_dbname: hackmd
-hedgedoc_dbuser: hackmd
+hedgedoc_dbname: hedgedoc
+hedgedoc_dbuser: hedgedoc
 hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
 hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
 
@@ -44,6 +42,7 @@ icinga_domain: icinga.binary.kitchen
 icinga_dbname: icinga
 icinga_dbuser: icinga
 icinga_dbpass: "{{ vault_icinga_dbpass }}"
+icinga_server: nabia.binary.kitchen
 icingaweb_dbname: icingaweb
 icingaweb_dbuser: icingaweb
 icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
@@ -66,18 +65,26 @@ mail_domain: binary-kitchen.de
 mail_domains:
 - ccc-r.de
 - ccc-regensburg.de
+- eh21.easterhegg.eu
 - makerspace-regensburg.de
 mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
 mail_server: mail.binary-kitchen.de
 mailman_domain: lists.binary-kitchen.de
 mail_trusted:
 - 213.166.246.0/28
+- 213.166.246.37/32
 - 213.166.246.45/32
+- 213.166.246.46/32
+- 213.166.246.47/32
 - 213.166.246.250/32
 - 2a02:958:0:f6::/124
+- 2a02:958:0:f6::37/128
 - 2a02:958:0:f6::45/128
+- 2a02:958:0:f6::46/128
+- 2a02:958:0:f6::47/128
 mail_aliases:
 - "auweg@binary-kitchen.de	venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
+- "bbb@binary-kitchen.de	boehm.johannes@gmail.com"
 - "dasfilament@binary-kitchen.de	taxx@binary-kitchen.de"
 - "epvpn@binary-kitchen.de	noby@binary-kitchen.de"
 - "google@binary-kitchen.de	vorstand@binary-kitchen.de"
@@ -88,12 +95,14 @@ mail_aliases:
 - "openhab@binary-kitchen.de	noby@binary-kitchen.de"
 - "orga@ccc-r.de	orga@ccc-regensburg.de"
 - "orga@ccc-regensburg.de	anti@binary-kitchen.de"
-- "paypal@binary-kitchen.de	timo.schindler@binary-kitchen.de"
+- "paypal@binary-kitchen.de	ralf@binary-kitchen.de"
 - "post@makerspace-regensburg.de	vorstand@binary-kitchen.de"
+- "pretalx@binary-kitchen.de	moepman@binary-kitchen.de"
+- "pretix@binary-kitchen.de	moepman@binary-kitchen.de"
 - "root@binary-kitchen.de	moepman@binary-kitchen.de,kishi@binary-kitchen.de"
 - "seife@binary-kitchen.de	anke@binary-kitchen.de"
 - "siebdruck@binary-kitchen.de	anke@binary-kitchen.de"
-- "vorstand@binary-kitchen.de	anti@binary-kitchen.de,avarrish@binary-kitchen.de,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
+- "vorstand@binary-kitchen.de	anke@binary-kitchen.de,christoph@schindlbeck.eu,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
 - "voucher1@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher2@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher3@binary-kitchen.de	exxess@binary-kitchen.de"
@@ -107,6 +116,8 @@ mail_aliases:
 - "voucher11@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher12@binary-kitchen.de	exxess@binary-kitchen.de"
 - "workshops@binary-kitchen.de	timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
+- "tickets@eh21.easterhegg.eu	orga@eh21.easterhegg.eu"
+- "hackzuck@eh21.easterhegg.eu	kekskruemml@binary-kitchen.de"
 
 matrix_domain: matrix.binary-kitchen.de
 matrix_dbname: matrix
@@ -126,15 +137,20 @@ nextcloud_dbname: owncloud
 nextcloud_dbuser: owncloud
 nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
 
-nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
-nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
-nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
+omm_domain: omm.binary.kitchen
 
-pretix_domain: pretix.rc3.binary-kitchen.de
+pretalx_domain: fahrplan.eh21.easterhegg.eu
+pretalx_dbname: pretalx
+pretalx_dbuser: pretalx
+pretalx_dbpass: "{{ vault_pretalx_dbpass }}"
+pretalx_mail: pretalx@binary-kitchen.de
+
+pretix_domain: pretix.events.binary-kitchen.de
+pretix_domainx: tickets.eh21.easterhegg.eu
 pretix_dbname: pretix
 pretix_dbuser: pretix
 pretix_dbpass: "{{ vault_pretix_dbpass }}"
-pretix_mail: rc3@binary-kitchen.de
+pretix_mail: pretix@binary-kitchen.de
 
 prometheus_pve_user: prometheus@pve
 prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
@@ -156,4 +172,21 @@ slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
 slapd_root_pass: "{{ vault_slapd_root_pass }}"
 slapd_san: ldap.binary.kitchen
 
+sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
+sssd_base_user: ou=people,dc=binary-kitchen,dc=de
+
+strichliste_domain: tschunk.binary.kitchen
+strichliste_dbname: strichliste
+strichliste_dbuser: strichliste
+strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
+
+vaultwarden_domain: vault.binary-kitchen.de
+vaultwarden_dbname: vaultwarden
+vaultwarden_dbuser: vaultwarden
+vaultwarden_dbpass: "{{ vault_vaultwarden_dbpass }}"
+vaultwarden_token: "{{ vault_vaultwarden_token }}"
+vaultwarden_yubico_secret: "{{ vault_vaultwarden_yubico_secret }}"
+
 workadventure_domain: wa.binary-kitchen.de
+
+zammad_domain: requests.binary-kitchen.de

group_vars/all/vault.yml

@@ -1,84 +1,106 @@
 $ANSIBLE_VAULT;1.1;AES256
-35323963326634353430373361636231303663373264616131356530663738306563303332363762
-3436613664633530623163353436323035346463623737390a383665663266313338356361626161
-39643939393939333361663434353237633861303032323730336661633663373636326432663135
-3430313238313836610a343432396536316462313230656236366363343034383732646163626231
-30643132316365613664333834356630666336633635373037326162646538333062363237363465
-30303632303339616166323932303865313766316436623232633335613263323437633331346133
-64633161383236346536616231333634626466373232366265333062306635663631663565666531
-30653633643430356164386364386336323162383164663639323430343239333366306161336365
-39663663343037396566366363353461656330353636306162626639663137666136306235656165
-66613338623232316336323830303830383364396537633161373032323739316131336431313035
-63346662366562656638363961613263363134646131623436316463326265646138323238303437
-31363734376333343961356137373764656534363437316633656665616430323231383563633766
-30653565373563376664303133653665356264363735333939646339653735633765306261633836
-31313465323238316263343166646132356333373033616361333532623564336338373838303536
-65333962636161633038353135303466353839663833626530616635666337346161623635383963
-66636230393331316239616434613265343139636632396630656630623662306464633162366139
-35646332623137643130373738336265623930376165343238626233356235613434636564313939
-34636266383536383936313263373538666165633163396635313365616339303264663566316234
-65353262313062653061326239363266333637316362366539616136373062313764316330663138
-64343337356133643163383864343962623237316230343763653838613738393739343131323835
-38623063626531613764356265376230336530326364643635383438363463333931333461393563
-37343231366165616666376664653633616332346661383935393435653934336562343531323664
-38396233306266623361636566663262393336343434383532393336343533653364666264306463
-66393234376137643761396635626337656465383066303863383535636363336463343234363361
-61626365633639643237336464653666396131343535636431636438343265663138346631316335
-63343136656131653039396539323231663730316134306432613034363635343230353361616338
-34303931343866343831623333386533313733613663363565313666353139356265333461336237
-34643265623739376565663039343638343839633362303035386562333264333438313835393039
-39376266643831343561653832353266313461363738663533383935376234636338343734353731
-36396634316561336363633339653566323134306430373536613763303763653764336237633465
-39313562373062666566663437386538663733643261656361346364393935613638393464663062
-31643035356630363630363532353137626431643366383437663437333761613062363663633832
-30663331333036653362646164313134316136663839386464353731303065376634313138656337
-34306234303233613136353661643436666538623634323137343861346165333730303430386237
-39313762313339356430303934343837336230303231613266643231376634333739353366333139
-39393436366339616166393530313862303961353131646163306633386637376634363534363461
-31363634653638633334346334613061333234633061343732363330363636656333316366383838
-39343234616461656432653836623233343965636432616630313037366535366131393033383063
-31343038646162616666613264363738366434613939333536656534336339326537366435383263
-66376638376133303136346663386561336239643465376336633665656563666133666165323633
-30613032343735653231356663333033653436393331653133646162333531613930316635356533
-38663830383463663366393034656638643136383261373332383636333331396639346361376334
-32333633316433616664643662636634323038306664663538386330356261323461396264323635
-66376133666434363932353762663461333861376139323439653431663638343362326166336133
-37396532306135386661353665356562363135656338333261386437376431363663383662303339
-30343534393965646231303037366435333238343931393036616364643631333163336331396364
-39303766363938383831316531303265383236646334616365613732643134366338366438623266
-61346132623333343933373666363937376332653766313463333132626466373763346330613433
-37383631656662386164633566376235366465663531383134613139656330313561633030643139
-31646264316533303638303939656539663936306465656366303761343335383562366238316332
-36623265383739376332393565386436653934316438313631626333343234656564623335386133
-64363538396631363538653361373138393637326533386239353532316531376166313265303463
-66306637383237303236306264373831636636643766383565326230313165356337633662663832
-39666464646365313536633539366330333938643431633136643166336566343137653066343735
-38653037346332373139356439656436366339323431626331636538346639303034323231663034
-36626536343236326439653665323563326431386462666331386163623232333661613437313865
-65363237643266393866363761316534666537616633393863366562666539633761613465616436
-30346435363431393261336361333564313537353564333136633866643466353261666430376130
-66333765306162666361393133636661393766333733363033663739646633303561623662316231
-61653332346361363565343466363339323064313537343537396637343730653563653734313337
-38316334376136636365373338313362313836613666643034343964353236313433303330366332
-66356562643636353465343133323462313465653434383835636535666135363438653833623836
-32636638313635326537336633656162346166303262386232613366366639326338316638656230
-65613763353031386537333332363736636236623561323036623864313830316661633362613164
-64356161376234666535393961376138656632653266306434343335373734663265383537326234
-35636131303133666366326434323832633865626538333864653236343135383636373437303864
-38663339666262373063643162343037343537383235326633623165396539633161303862623938
-32663433396637643765363837316439363863386162316363633136633232643635363166646534
-61366665356238653764623237613861323139366638633432343137336438316237333030613431
-37323463636162333231303234383831333138306163643630633335383465313737383832646161
-33643637373037666562366536383662663737373962373937633839633933323738366236323361
-63663330346436343232616364353261613635646339333062643038363634623561623163643932
-65306466363464376336353965633535356437333237666161383465393631333963393030316663
-62343564383838383938646338383466383533646539336239323064383565333834396535396634
-30616131643463663235636334613165343133646562656537396334623234383734396131643930
-66373765333538643661386435666166633438383035663563333339663536663137393162343865
-39326463316133343331633137363365653366643439613062633665633132633036333337323935
-31393665623938316230653936353966396539353730353364346434646434616636663563336666
-32623861363864383430356236396366616361326334656639613061636239306663626435636435
-36316135633739313364336634376635303131616239666262613230666165636533613935643664
-35356538613062646635336332613635643135396665376439323331386163356631383531376230
-36386661326362633833333133356366633264353061356665353131323737303339396333613763
-386531643264353562356563663961626139
+61333062333563653966393334326633643564313063346266663461633538366662623937373738
+3732396164303638643362316564393236353737346235380a666361396631656563303733343032
+66396531313139343062363639636334373836306237363733393635346261313832366330303436
+6362383638363931380a323066343834363138356662656439343131353330366532626538653434
+64663834333563333263356532326262333938613432356233656238313365663661636334333066
+63653561316239356638653834646261643564316535306133633832666365383238303364346466
+63393164646330623061633039316638656566346663616661633464303237386261316262623533
+63306266333063373333323030666264323564663032333637343134306231373964666630333538
+63626363383836363639663830643530376361613466613666303933363563663763636635363132
+36666432646233313663613563663565313537316164313964656461666336326331303035343062
+35323363373130333935373035663635626666613236376261623934366235633738323430666330
+33323130363839386331613334636531396665316336376265333231343763656637396437653733
+64366565336132333131346463356236343934663332633830373939616434613561613564313837
+34333039363962643333343961636165323766343531336465306438306365636137636662303165
+35346530313134346432303862643735376331376432616136306537653266333434336663373931
+35373235333937646165663238636232656336393330386161636435666637356632333832646137
+30333233636266623165663538303639663466363337323330383962383139643532623462663564
+63313262366236623232303732373136393139323562313733623763363864646432653037316465
+34306261303035306436396262333131366562643166333130393438393636623034656163653131
+65363530613064633462633238343834336538353766353766336132303333383164326363316365
+31303532363838306338626662313234343134306531353765333237303962303339366233366632
+35643565353766353962386135323765356130393731363633373238626332356637363339356437
+30386361363837373434363939373361343862393364316537633463653862666164613730306565
+36343762326337333235643862626566346235333934656631306461633934306230333365343731
+64643835323061613230336234343438383938653761393133656137626434653532636466313439
+31363362306539643635386237353466343733616334303762343964636533636662333661653839
+34663264613033373965336635663131396334616432653462346634626535393761666237623936
+31666439356261303134343938333433323538653337653937333830656163633965353235653539
+65353937333463343236636237313736313565613833653530333135623233363564393266353363
+33323236643634616263303133663631386638356561373730653930646265616634356364366361
+37666362363230313664343633343464383334386539616132636562626465326364353436356338
+61383736663733643132656266633837646366343637303264363465633536633962353235303336
+38376430343733386631623334386564616264386234613664366631313334626436313865356565
+33663433663963653835376666303664656438623337663536376234356465396534306362346162
+62323262323933336232376636353831633834656536633666643961396365306464303730626463
+36363631336236353730393035613333666465653861373766393731373863353330656366306263
+62316636333230366563623836316232323831393233366539363662646564373436623230343761
+61626235656438373566646365353761376139383962353635393439666365333332313035653433
+64316638363061613561306534616465646661326637633332333734626562353664666432616137
+32643636356261613430376535633837646437626132373735323366313738633134303962306163
+30366230333533663433616664343862346232363733623239353035656134366437313662353933
+32663261663937663437643233383562656537333364643435356639616136623036306231633839
+38386631643264636535323766643661626566323661313831326530636532383330633066336130
+39306631636433376361636637633135316662306636306137366531333662303238613434333534
+35633162316363333934623663303839343366376263343536333563663833323734356566623663
+64646437343935306230333034636431396439366237643839363035313164393666616235393034
+33323333626537633730303961613263363835343030363331633165663035336633613831326632
+35363738336534663934616338363764353562306139613464663533323863326331646464333533
+36363962653830613864393565623561646233313135386163623932363865343861313534663234
+32313466656532616638376238363937613264346265316135336137363961386161376364343063
+33316662343066336438336137353262646264656434333364343334373762303062386165663530
+63313666356633633936366162366332333163656164306533356530666166353635616364643830
+66336339663737616664616430373162386238636134303137386331393837353462623336663335
+34303038323037363165613935376262376464383265323462373638313530396537633031653530
+63613135373639623138333635343035303734383932336333303063666662333164643430393637
+64393262363235616666303366346137633132313066613731333064346139646361363832343730
+39666338303339663665363033653735346130313431306131306261636430396465323937623062
+32343433376438623965363338633639383738326561376665623461653539383666636535656663
+37353665363663356464366331313236653430313034613733363665633239656361623931646432
+30653632643062366333663830326663623766646535666534613933663333366466333033383165
+33373039303564656562636432303934383132666665656161323535333930346265623639316366
+38393764346265653734373136636538346361363966393732323362323733386631623762313366
+63313733653730336536393335623138383365303934303730343136613734663062326166316461
+35313363656335643531343561336662663434353031623733353035633063396366376664303364
+36643262633832363362306263376135346632386631346432333137623631343234333337643536
+35353135303330626663663963366139363265666434363364303266613564373337616564366566
+30646635633834616536333361303361313934316434393330333231613038346466306531646537
+39303131396562656334303536613964363936643435613035623065323963633764623432373235
+37393564626239333761626131643366306131346339356364373061353865653966326362613164
+62366562326234303865323934353734613364653161316131363964666439636561663361396239
+30353266303764396265656635616462653563613630616537353530613835656333353364333632
+39663939376633613133623839353133613066633333633135316132636435363330393966396431
+30656638653662356164393038323538643661333734623937653430643931623061666330633631
+63323834313733353635363535613666643361356363386465383961626331303435333363396230
+37313835633136323134623261626432653965366230656266356333653437386463396563613563
+62656562626131336230383965303962383464643832333361343838393338353365663766373031
+31633265653262356139323564663834616164313439346133386135333563323264313261336336
+39393166613865353164376130303536373931643436633133313361356166393432363631666361
+36366537363630333830333432333466363266666636643932636565613738346239383736306533
+32333838396638656134643538313033336137316638326232303837386537393737316237356237
+62646561333430303765656537373738316131306664626533646461333261306665626336376537
+35633736303262656236303230653564386130666362303132646166306432393962306366663432
+64353366353839643366376433646661376434313266326665343063653534343531623033316461
+37306439373366303236666338616364343163663165626665613761333838333366336238343633
+38663066623532353464653164616237353464363539313762396162653139393133323438643331
+66306562346136346363396235356264303164636662386166666436316338323462656537386335
+36373763313935666539643834653237336130336530653834643263373264353233643938393965
+30313637366236383433313161386531623936356161333462636566633036383635616638316434
+66313434393365333633336231656536353138303235616439643535376338326262663632313564
+65306534356531303835373231623234356337623234366137386437303864643764613731326137
+65376337386133353739376661353766343931383135363038353839376666306337323835613935
+33303730623132613462363538666638313533333564656164363731323463613230366230373664
+31303331396264353162383138643063313737366635333664343836346338353537366362613937
+35623934646239356339343339653337656330616565616232633232373036383562393362343332
+39316661623563333234656633666365303964366338303862333730656366626533326334613038
+39663332623862626230373135623235363064636163373737316262613233663031383366363563
+34613730343564373230306237656662636130333736393136366138333864313636343362613631
+64636266626637366530363763323930643336313339613930623835326431643663356365353865
+35653238333131363262346565653066383834633131303466636232653234363366646635656338
+31386163616237316361643134396230386338643339633562376436333238346665363938323462
+32336435663138393230366632633132333834303539303439313764623163383661396536383461
+31636365633765346262616235336666363932336366373438643531663539333431663231326362
+32326230363965356434343833383662393430333535636536323066373439653330373937636565
+61306565663734636630633730383736653736383765326638656433646637393033356665633831
+66353338633833346436666134343465623236626339613363623834333261313531

group_vars/auweg

@@ -5,6 +5,8 @@ dhcpd_primary: 172.23.13.3
 
 dns_primary: 172.23.13.3
 
+doorlock_domain: lock-auweg.binary.kitchen
+
 name_servers:
 - 172.23.13.3
 

host_vars/aeron.binary.kitchen

@@ -3,4 +3,5 @@
 radius_hostname: radius3.binary.kitchen
 
 slapd_hostname: ldap3.binary.kitchen
+slapd_replica_id: 3
 slapd_role: slave

host_vars/argentum.binary-kitchen.net

@@ -0,0 +1,6 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyGAePGA47K+VNFcKdvcQG3xM3ywcnrVtUD7wPrIin1 christoph"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINIhrQu5sf9LYoQ6ll1ShqDMX8xpsV9RUiaSw95JGafH flo@io3"

host_vars/aveta.binary.kitchen

@@ -3,4 +3,5 @@
 radius_hostname: radius2.binary.kitchen
 
 slapd_hostname: ldap2.binary.kitchen
+slapd_replica_id: 2
 slapd_role: slave

host_vars/bacon.binary.kitchen

@@ -13,4 +13,5 @@ ntp_peers:
 radius_hostname: radius1.binary.kitchen
 
 slapd_hostname: ldap1.binary.kitchen
+slapd_replica_id: 1
 slapd_role: slave

host_vars/beryllium.binary-kitchen.net

@@ -1,5 +1,5 @@
 ---
 
 root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB+wC+Lik9TNbRo40+e2BmJzJY8EuwRiJzKKvGCHlMmagOmZVf+zUmjc1uMvrgoA4UPJyKlkW1HqRhKLmsoccD2wg1JLlnjx6KBhiPGjPt833eWv0CyfJVqoHVPUs14BwCRGzuFZPXh8LC1XWiDlo23RC0RgPpk+wcOzf79ZivYSL4UNMcBIMIKmPlRwBLRUUXjYU2jgv1mWvIQVdKRbwmLk7FajREANKiLj+Tk+D4VmkDq6gUqXZHYbyUauwrtpYSv2JM6YQYhWz+eNXIID1NmlopAf66RwFxAaane6qMUMSCQw3HUBL2BjFGgmmdJPvsEfrj+S1CYh61iC1NHmPhP6DDnQO7aiP6dWLnRXLg4qcUaN0XGNZmhScls/jNbN4U+w6gIlR12KyoCJOK4pXiifBiuqmFGucyETex1jdKoaLPeB8Smu4HkFksmRgTZHbiYVvkgI/iW9KjBBzxCc8cwehabUpQ0DVN4chpFiFNHb3SfCh6W/3IKFcu4ou4lbvVowq+v/M7aDhjSqGEBMS/HRMQ8KteNTngFBcpTzMPBz1RQIOqlWUGp8yqu1SwZ/ZG1nMyUehchfkw/n+ML676UYMCZX2m7hqWXVccCnJLzFApv+0Lzqf3TNSbeLS1N/MDdjg+uejtj1889/leIF1/CnaHIs7WJN1qmdeVGw== anti"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/fluorine.binary-kitchen.net

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"

host_vars/krypton.binary-kitchen.net

@@ -2,3 +2,4 @@
 
 root_keys_host:
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/lasagne.binary.kitchen

@@ -0,0 +1,11 @@
+---
+
+root_keys_host:
+- "# Thomas Basler"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
+- "# Ralf Ramsauer"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
+- "# Thomas Schmid"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
+
+uau_reboot: "false"

host_vars/lock-auweg.binary.kitchen

@@ -0,0 +1,5 @@
+---
+
+root_keys_host:
+- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAkXY3fQFMG7LkTBWtBNY7q7RCwb/R4Z8Y96e3pToddfXbtmtVxMZfd6hC+3kGt3NnPYDFmZf/RXblNBPwL/n8bEjA0bmfU60LMjFT0mG99bLU+5CgDxaSf34jzgtzLbHKqeSYxNpXNebbDZRw+cxuDjxJ+lYbc/hNQTy6hqKXUSQ25LAqplKVYbxlPWPxxKnJCvWj2pCdJGj1EK/Y+saafNOhA7uEPNt8HtWWNMhxNi+P9OkkLpYqRM8V0miR7aAYOY+RllMn+H5DIJg2gk319AHhlBDP7NXd/tmWg+bI7xYPDe9Q6gMrV8OnQmuNjWsLNhp8ktwQxpsv71t6ztXLpceIkV9yfDSeBpZG5QnsMOy/ua91S6hmMg4bIEBsqkPUYEwEIDFaV0TrlKeXMkU+ovthZnw0CWgV5KEWDHtuGu8nBBpks/geclh+0yqeFEaacnlTTNEhvCcp7vOsqDJnZSn1L4O6C+u/A4NJGRH7XQMWrXBdeTVIT9KLsdZJsoPIH8BRaw/qOYPY6wZzHcLvrsayUBBiiLDIN1lE/3OV70dKX7F0Q7hyl8o9EoGdEYnGBonWGC58hroiAE4FTVdWLKtHzHSG2AdTWf53sJzGVEh5swm44KD/Dh52bE4YjUxC0b68Twb3/L1QpH8KZNUVEcRNmiRshefMPSXbPv3bNzc= 20170818Tobias@Teubl.de"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

host_vars/magnesium.binary-kitchen.net

@@ -0,0 +1,3 @@
+---
+
+acertmgr_mode: standalone

host_vars/molybdenum.binary-kitchen.net

@@ -4,3 +4,4 @@ grafana_domain: zelle.binary-kitchen.de
 
 root_keys_host:
 - "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

host_vars/oxygen.binary-kitchen.net

@@ -1,3 +1,4 @@
 ---
 
-uau_reboot: "false"
+sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
+sshd_password_authentication: "yes"

host_vars/pancake.binary.kitchen

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/pizza.binary.kitchen

@@ -4,8 +4,7 @@ root_keys_host:
 - "# Thomas Basler"
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
 - "# Ralf Ramsauer"
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2bKOm2jd2QsPaJPE4V3bHBLjXB3pnpggkdEhf03aFvB08C72vKQcHpIYNhp8DLBr4N5epA0JP1cXdRSdKhQgzYbqL8CQgOJoNwf0OeOhFyXdThu1OqmaRMrRGlB/Q+sqBEXaknHqcXzq+24zkR+ID7sGkq7WaIKPln0qNY5RxWYrPE98ZhU5fZh1Qorcv34UBHYhVP4y8vM43LHcbkLgr0gg9tb2vItF6YvyIxgtz6KCODObzBZfkLLnVhVcb9VWbDh72rIz4OXI1fl+mCCH2l7XlqKP1vhF5LVsUjPcGY3Go0fw2vHIyxWe479OJ/9elFnKRIUY/f1Xz+YikLTmj ralf@YUBIKEY"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
 - "# Thomas Schmid"
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
 

host_vars/rhodium.binary-kitchen.net

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

host_vars/ruthenium.binary-kitchen.net

@@ -2,6 +2,6 @@
 
 root_keys_host:
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
 
 uau_reboot: "false"

host_vars/strontium.binary-kitchen.net

@@ -1,4 +0,0 @@
----
-
-root_keys_host:
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkN1eqP1Mv29z0npVznVJ4Cumyf4EoqS44xHKl0ms0e timo@charon"

host_vars/sulis.binary.kitchen

@@ -0,0 +1,4 @@
+---
+
+sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
+sshd_password_authentication: "yes"

host_vars/technetium.binary-kitchen.net

@@ -1,4 +1,5 @@
 ---
 
 root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcoIXTF0RtzM2vDir8axegFpLKNxGJyYNLj2triQm59GIvNRPHG/nBoaDcUwRT5b6Ew91KMw6iT1eI0n9oKbTMHZHvdSLLUmNmZT4z4JQOQm0n415ZW9m1r3R3S8sAxiLQ+5U91xnbHlzfuBKvpI56RLZNbkhAcqw9kS/UasO0UAFpdGL5CBnbJt0KPb4C9cYUM6H4clZFpWVDdK3+6gh+/Jx9QPmpPv0wfWI7z0fvQYUcXDFLjPh8CFK7BOcPZcv4V4bl5Tq1dTURMLaueTD0F5Ygn7cxKaDNvql4EIPDZaRCEz3cIvFB7435emRgZC54YmhWIYC+oJrLTlMCrYKhISLtWg92EcE/aCUNL0V+n1EK5dkds+AY/eDiyP58ArAHNsopXmcHiko3goyZyEK5Y0tJ5sA9L4Q0mgLz/rW1CsZHcpiYU9yKpDRscbf3DDlFMzMYG8O9JufgcyF+GFhxIhXesfjJ4gDNepaYhd/qutwThip027cKtoczLAMR2xbT6bUYr7KKmxvXVlP7Epkfi3N2cj/Wx9gAm1qIs1yjcWCe71k1QMC+dTNTV+T9Ch5d1lji7lGOKDl70rB/WytdISVlEJr8TviBk27oldCuC1WCPGjRxWeGv5uVxE9O7nQh0dxox+HFssa7ENuDR9LEd9O6Zvuf09pzDASB0PjFyw== bedah@binary-kitchen.de"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBMLLlnlzbf5GTes2QrxuOTAR0BWTtbqQS80yPfI0mbh timo@styx"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7oyUa65KoSuv9l8tH/zVgZZ5mg5P45RIhlRZSt/amL x70b1"

host_vars/tschunk.binary.kitchen

@@ -0,0 +1,7 @@
+---
+
+root_keys_host:
+- "# Thomas Schmid"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
+
+uau_reboot: "true"

host_vars/yttrium.binary-kitchen.net

@@ -1,5 +1,6 @@
 ---
 
 root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDetxImx0c/Fald9Y2wIHNJCi356rfskVUBT/SGH64N1HVZGBZhlWkeKJkCCufm3jLXdjJrlFDFlP0EjbohR6SP3VVf8Z7zAoazCtxWq0dyjPDvOjUrIuBeILbXZu0Q+qmFHPwvp5vR2wWFUwNLl1Te3CNSzQnn2KxOXfeZ56cDogzonlxh5JXDd0JWpINAuLp7uR6IshfmEMKsyCGjqzMUJ9YCztzkI9TJYDc4xitmQTvea44hRhyeIRf2ip8YlHnEIpJ9i712CQ5UEHBZUfy2gZwoLW0yYy9HJucF2A5gzvoUQ1wjA9/irlGiabKq6rOyT4ezBSoZZLEBIa6GU4qKMc1rE4Hnifi0AUnQ+4MqrCCu2QTJGNvyYzNt2XtkjakN3gtlz5xCsYV08PEB4VjAFVIa1yku66UblAW5KqixfE4mU7Z29b8faF5Ld7XO1tlNgiuHih7+JoQiwJ+auULYwRX1C2v6fAEU3PGU73VT3TZJTa5IS+fkTWzn643atxklP6Lmo8hrZIS0NXIr22OP1zYuCZm5/JLDhe0qOCYd8YQU2dNww4OUZ1uMLNOM+0UJvCHbWdjw8amR58yO5W83xp0qLHGUFjDpgvuP4ius4gvwjlhFdSVYRGwr2intLitXvOf3btjBJKUDIN0VM4MFzkvyUyCOgBgEkdCBvI7g4w== philmacfly"
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8MB80WTE9ZW/mGRdPWjkpiupvoSGVnmK9wvOqm6xpwDwZkD52RGfiWQW2IbJObCLGJxoigSi4lVvrJD6MWjXAsj5Foq1H3Ok+xJET2zfWMf4s/0uStSS9kaJ/gI6Qd5jMsnz1xATTInWAHIK7u3I4trt81FWkXQdfRSNC0mPh/PYBsXzwgx/m5s3o1nUtcIBXFZUeGNnhSSf1As0Wi0Bsv3GXIIDH4b4cIi7aGHqGuaes2cTUW1r0RspUVI139Gx2O4mgv4JE/n61t/4AzfYGoaszoqPCHQt5LR8Wd/XIaPLwnM1kzo4QVqNgqkY/awryt9IPoAFqJBbIvP0Bt3irGOPrdl7e7KcV55a9gPpCmz+bVaQO2oBmQ34AsZFg9tCP26OmViQu0Lx14vWWYDFkxzCxCDDngo6+f+e5AsyAjO2pHz/ZKv/VE5P3y8CnadHG88cO0qeoI6VH4jjGk5GYYrVD4BHf8StlvAg8unwMlYchuvaKLtQyQXFW40ww4VDdPo6KSv5T5a6SozEzRtN2QKRLyxIz68xVnKYq4TanR2lsm6wecUSriV48qscglokcTKJspWD29DQ62dMt5xFDtM8i9dE8W3SUePB8qPTBK9LUrO8PkGjb0X/RgMZB5bCWBmz4I1G1X+9Y8OLpr4NKGP9UFntYtJ3tpMCHtPgf4Q== philmacfly"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

hosts

@@ -9,11 +9,14 @@ pizza.binary.kitchen ansible_host=172.23.2.33
 pancake.binary.kitchen ansible_host=172.23.2.34
 knoedel.binary.kitchen ansible_host=172.23.2.35
 bob.binary.kitchen ansible_host=172.23.2.37
+lasagne.binary.kitchen ansible_host=172.23.2.38
+tschunk.binary.kitchen ansible_host=172.23.2.39
 bowle.binary.kitchen ansible_host=172.23.2.62
 salat.binary.kitchen ansible_host=172.23.9.61
 [auweg]
-aeron.binary.kitchen ansible_host=172.23.13.3
 weizen.binary.kitchen ansible_host=172.23.12.61
+aeron.binary.kitchen ansible_host=172.23.13.3
+lock-auweg.binary.kitchen ansible_host=172.23.13.12
 [fan_rz]
 helium.binary-kitchen.net
 lithium.binary-kitchen.net
@@ -25,10 +28,16 @@ oxygen.binary-kitchen.net
 fluorine.binary-kitchen.net
 neon.binary-kitchen.net
 sodium.binary-kitchen.net
+magnesium.binary-kitchen.net
+aluminium.binary-kitchen.net
 krypton.binary-kitchen.net
 yttrium.binary-kitchen.net
 zirconium.binary-kitchen.net
 molybdenum.binary-kitchen.net
+technetium.binary-kitchen.net
 ruthenium.binary-kitchen.net
 rhodium.binary-kitchen.net
+palladium.binary-kitchen.net
+argentum.binary-kitchen.net
+cadmium.binary-kitchen.net
 barium.binary-kitchen.net

roles/23b/handlers/main.yml

@@ -3,11 +3,11 @@
 - name: Reload systemd
   systemd: daemon_reload=yes
 
-- name: Run acertmgr
-  command: /usr/bin/acertmgr
-
-- name: Restart drone
-  service: name=drone state=restarted
+- name: Restart 23b
+  service: name=23b state=restarted
 
 - name: Restart nginx
   service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/23b/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+    - docker-compose
+
+- name: Create 23b group
+  group: name=23b
+
+- name: Create 23b user
+  user:
+    name: 23b
+    home: /opt/23b
+    shell: /bin/bash
+    group: 23b
+    groups: docker
+
+# docker-compolse.yml is managed outside ansible
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ bk23b_domain }}.key -out /etc/nginx/ssl/{{ bk23b_domain }}.crt -days 730 -subj "/CN={{ bk23b_domain }}" creates=/etc/nginx/ssl/{{ bk23b_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for 23b
+  template: src=certs.j2 dest=/etc/acertmgr/{{ bk23b_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/23b
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/23b dest=/etc/nginx/sites-enabled/23b state=link
+  notify: Restart nginx
+
+- name: Systemd unit for 23b
+  template: src=23b.service.j2 dest=/etc/systemd/system/23b.service
+  notify:
+  - Reload systemd
+  - Restart 23b
+
+- name: Start the 23b service
+  service: name=23b state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ bk23b_domain }}"

roles/23b/templates/23b.service.j2

@@ -0,0 +1,28 @@
+[Unit]
+Description=23b service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
+
+[Service]
+Type=simple
+
+User=23b
+Group=23b
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/23b/23b/23b
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose down -v
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
+
+[Install]
+WantedBy=multi-user.target

roles/23b/templates/certs.j2

@@ -1,13 +1,13 @@
 ---
 
-{{ drone_domain }}:
-- path: /etc/nginx/ssl/{{ drone_domain }}.key
+{{ bk23b_domain }}:
+- path: /etc/nginx/ssl/{{ bk23b_domain }}.key
   user: root
   group: root
   perm: '400'
   format: key
   action: '/usr/sbin/service nginx restart'
-- path: /etc/nginx/ssl/{{ drone_domain }}.crt
+- path: /etc/nginx/ssl/{{ bk23b_domain }}.crt
   user: root
   group: root
   perm: '400'

roles/23b/templates/vhost.j2

@@ -0,0 +1,36 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ bk23b_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ bk23b_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ bk23b_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ bk23b_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ bk23b_domain }}.crt;
+
+	# set max upload size
+	client_max_body_size 8M;
+
+	location / {
+		proxy_pass http://localhost:5000;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+}

roles/act_runner/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+
+actrunner_user: act_runner
+actrunner_group: act_runner
+
+actrunner_version: 0.2.10
+actrunner_url: https://gitea.com/gitea/act_runner/releases/download/v{{ actrunner_version }}/act_runner-{{ actrunner_version }}-linux-amd64

roles/act_runner/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart act_runner
+  service: name=act_runner state=restarted

roles/act_runner/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+
+- name: Create group
+  group: name={{ actrunner_group }}
+
+- name: Create user
+  user: name={{ actrunner_user }} home=/var/lib/act_runner group={{ actrunner_group }} groups=docker
+
+- name: Create directories
+  file: path={{ item }} state=directory owner={{ actrunner_user }} group={{ actrunner_group }}
+  with_items:
+  - /etc/act_runner
+  - /var/lib/act_runner
+
+- name: Download act_runner binary
+  get_url: url={{ actrunner_url }} dest=/usr/local/bin/act_runner-{{ actrunner_version }} mode=0755
+  register: runner_download
+
+- name: Symlink act_runner binary
+  file: src=/usr/local/bin/act_runner-{{ actrunner_version }} dest=/usr/local/bin/act_runner state=link
+  when: runner_download.changed
+  notify: Restart act_runner
+
+- name: Configure act_runner
+  template: src=config.yaml.j2 dest=/etc/act_runner/config.yaml owner={{ actrunner_user }} group={{ actrunner_group }}
+  notify: Restart act_runner
+
+- name: Install systemd unit
+  template: src=act_runner.service.j2 dest=/lib/systemd/system/act_runner.service
+  notify:
+  - Reload systemd
+  - Restart act_runner
+
+- name: Enable act_runner
+  service: name=act_runner state=started enabled=yes

roles/act_runner/templates/act_runner.service.j2

@@ -0,0 +1,16 @@
+[Unit]
+Description=Gitea Actions runner
+Documentation=https://gitea.com/gitea/act_runner
+After=docker.service
+
+[Service]
+ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
+ExecReload=/bin/kill -s HUP $MAINPID
+WorkingDirectory=/var/lib/act_runner
+TimeoutSec=0
+RestartSec=10
+Restart=always
+User={{ actrunner_user }}
+
+[Install]
+WantedBy=multi-user.target

roles/act_runner/templates/config.yaml.j2

@@ -0,0 +1,86 @@
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: warn
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 4
+  # Extra environment variables to run jobs.
+  envs:
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+  env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `deamon`, will use labels in `.runner` file.
+  labels: [
+    "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest",
+    "ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04",
+    "ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04",
+  ]
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: ""
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 0
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: ""
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+  # Pull docker image(s) even if already present
+  force_pull: false
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:

roles/authentik/handlers/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart authentik
+  service: name=authentik state=restarted
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/authentik/tasks/main.yml

@@ -0,0 +1,51 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+    - docker-compose
+
+- name: Create authentik group
+  group: name=authentik
+
+- name: Create authentik user
+  user:
+    name: authentik
+    home: /opt/authentik
+    shell: /bin/bash
+    group: authentik
+    groups: docker
+
+- name: Configure authentik container
+  template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml
+  notify: Restart authentik
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ authentik_domain }}.key -out /etc/nginx/ssl/{{ authentik_domain }}.crt -days 730 -subj "/CN={{ authentik_domain }}" creates=/etc/nginx/ssl/{{ authentik_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for authentik
+  template: src=certs.j2 dest=/etc/acertmgr/{{ authentik_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/authentik
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/authentik dest=/etc/nginx/sites-enabled/authentik state=link
+  notify: Restart nginx
+
+- name: Systemd unit for authentik
+  template: src=authentik.service.j2 dest=/etc/systemd/system/authentik.service
+  notify:
+  - Reload systemd
+  - Restart authentik
+
+- name: Start the authentik service
+  service: name=authentik state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ authentik_domain }}"

roles/authentik/templates/authentik.service.j2

@@ -0,0 +1,28 @@
+[Unit]
+Description=authentik service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
+
+[Service]
+Type=simple
+
+User=authentik
+Group=authentik
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/authentik
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose down -v
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
+
+[Install]
+WantedBy=multi-user.target

roles/authentik/templates/certs.j2

@@ -0,0 +1,15 @@
+---
+
+{{ authentik_domain }}:
+- path: /etc/nginx/ssl/{{ authentik_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ authentik_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'

roles/authentik/templates/docker-compose.yml.j2

@@ -0,0 +1,75 @@
+---
+version: "3.4"
+services:
+  postgresql:
+    image: docker.io/library/postgres:12-alpine
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - ./database:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: {{ authentik_dbpass }}
+      POSTGRES_USER: {{ authentik_dbuser }}
+      POSTGRES_DB: {{ authentik_dbname }}
+  redis:
+    image: docker.io/library/redis:alpine
+    command: --save 60 1 --loglevel warning
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - ./redis:/data
+  server:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
+    restart: unless-stopped
+    command: server
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
+      AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
+      AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
+      AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
+    volumes:
+      - ./media:/media
+      - ./custom-templates:/templates
+    ports:
+      - "127.0.0.1:9000:9000"
+    depends_on:
+      - postgresql
+      - redis
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
+    restart: unless-stopped
+    command: worker
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
+      AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
+      AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
+      AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
+    # `user: root` and the docker socket volume are optional.
+    # See more for the docker socket integration here:
+    # https://goauthentik.io/docs/outposts/integrations/docker
+    # Removing `user: root` also prevents the worker from fixing the permissions
+    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+    # (1000:1000 by default)
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./media:/media
+      - ./certs:/certs
+      - ./custom-templates:/templates
+    depends_on:
+      - postgresql
+      - redis

roles/authentik/templates/vhost.j2

@@ -0,0 +1,41 @@
+map $http_upgrade $connection_upgrade {
+	default	upgrade;
+	''	close;
+}
+
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ authentik_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ authentik_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ authentik_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ authentik_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ authentik_domain }}.crt;
+
+	location / {
+		proxy_pass http://localhost:9000;
+		proxy_http_version 1.1;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade;
+	}
+}

roles/bk_dss/defaults/main.yml

@@ -1,4 +1,4 @@
 ---
 
 dss_uwsgi_port: 5001
-dss_version: 0.8.4
+dss_version: 0.8.5

roles/bk_dss/tasks/main.yml

@@ -44,3 +44,8 @@
 - name: Enable vhosts
   file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
   notify: Restart nginx
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ dss_domain }}"

roles/bk_dss/templates/config.cfg.j2

@@ -1,12 +1,14 @@
 DEBUG = True
+REMEMBER_COOKIE_SECURE = True
 SECRET_KEY = "{{ dss_secret }}"
+SESSION_COOKIE_SECURE = True
 SESSION_TIMEOUT = 3600
 
 LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
 LDAP_URI = "{{ ldap_uri }}"
 LDAP_BASE = "{{ ldap_base }}"
 
-ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=marove,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
+ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=anke,ou=people,dc=binary-kitchen,dc=de", "cn=toffy,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
 
 USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
 
@@ -28,7 +30,7 @@ USER_ATTRS = {
 	'userPassword' : '{pass}'
 }
 
-GROUP_DN = 'cn=members,ou=groups,dc=binary-kitchen,dc=de'
+GROUP_FILTER = "(objectClass=posixGroup)"
 
 REDIS_HOST = "127.0.0.1"
 REDIS_PASSWD = None

roles/common/defaults/main.yml

@@ -6,3 +6,6 @@ logrotate_excludes:
 - "/etc/logrotate.d/dbconfig-common"
 - "/etc/logrotate.d/btmp"
 - "/etc/logrotate.d/wtmp"
+
+sshd_password_authentication: "no"
+sshd_permit_root_login: "prohibit-password"

roles/common/handlers/main.yml

@@ -6,6 +6,9 @@
 - name: Restart journald
   service: name=systemd-journald state=restarted
 
+- name: Restart sshd
+  service: name=sshd state=restarted
+
 - name: update-grub
   command: update-grub
 

roles/common/tasks/Debian.yml

@@ -5,6 +5,7 @@
     name:
     - apt-transport-https
     - dnsutils
+    - fdisk
     - gnupg2
     - htop
     - less
@@ -15,6 +16,7 @@
     - rsync
     - sudo
     - vim-nox
+    - wget
     - zsh
 
 - name: Install software on KVM VMs
@@ -101,3 +103,12 @@
     regexp: "rotate [0-9]+"
     replace: "rotate 7"
   loop: "{{ logrotateconfigpaths }}"
+
+- name: Configure sshd
+  template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart sshd

roles/common/templates/chrony.conf.j2

@@ -1,6 +1,9 @@
 # Welcome to the chrony configuration file. See chrony.conf(5) for more
 # information about usable directives.
 
+# Include configuration files found in /etc/chrony/conf.d.
+confdir /etc/chrony/conf.d
+
 {% for srv in ntp_servers %}
 server {{ srv }} iburst
 {% endfor %}
@@ -23,6 +26,9 @@ keyfile /etc/chrony/chrony.keys
 # information.
 driftfile /var/lib/chrony/chrony.drift
 
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
 # Uncomment the following line to turn logging on.
 #log tracking measurements statistics
 
@@ -33,7 +39,7 @@ logdir /var/log/chrony
 maxupdateskew 100.0
 
 # This directive enables kernel synchronisation (every 11 minutes) of the
-# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
 rtcsync
 
 # Step the system clock instead of slewing it if the adjustment is larger than

roles/common/templates/sshd_config.j2

@@ -0,0 +1,132 @@
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin {{ sshd_permit_root_login }}
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+{% if sshd_authkeys_command is defined and sshd_authkeys_command %}
+AuthorizedKeysCommand {{ sshd_authkeys_command }}
+{%   if sshd_authkeys_user is defined and sshd_authkeys_user %}
+AuthorizedKeysCommandUser {{ sshd_authkeys_user }}
+{%   else %}
+AuthorizedKeysCommandUser nobody
+{%   endif %}
+{% else %}
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+{% endif %}
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication {{ sshd_password_authentication }}
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server

roles/coturn/handlers/main.yml

@@ -1,4 +1,10 @@
 ---
 
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
 - name: Restart coturn
   service: name=coturn state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/coturn/meta/main.yml

@@ -0,0 +1,4 @@
+---
+
+dependencies:
+- { role: acertmgr }

roles/coturn/tasks/main.yml

@@ -3,6 +3,28 @@
 - name: Install coturn
   apt: name=coturn
 
+- name: Create coturn service override directory
+  file: path=/etc/systemd/system/coturn.service.d state=directory
+
+- name: Configure coturn service override
+  template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
+  notify:
+  - Reload systemd
+  - Restart coturn
+
+- name: Create gitea directories
+  file: path={{ item }} state=directory owner=turnserver
+  with_items:
+  - /etc/turnserver
+  - /etc/turnserver/certs
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
+
+- name: Configure certificate manager
+  template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
+  notify: Run acertmgr
+
 - name: Configure coturn
   template: src={{ item }}.j2 dest=/etc/{{ item }}
   with_items:

roles/coturn/templates/certs.j2

@@ -0,0 +1,15 @@
+---
+
+{{ coturn_realm }}:
+- path: /etc/turnserver/certs/{{ coturn_realm }}.key
+  user: turnserver
+  group: turnserver
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service coturn restart'
+- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
+  user: turnserver
+  group: turnserver
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service coturn restart'

roles/coturn/templates/coturn.override.j2

@@ -0,0 +1,2 @@
+[Service]
+AmbientCapabilities=CAP_NET_BIND_SERVICE

roles/coturn/templates/turnserver.conf.j2

@@ -15,7 +15,7 @@
 # Note: actually, TLS & DTLS sessions can connect to the
 # "plain" TCP & UDP port(s), too - if allowed by configuration.
 #
-#listening-port=3478
+listening-port=443
 
 # TURN listener port for TLS (Default: 5349).
 # Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
@@ -27,7 +27,7 @@
 # TLS version 1.0, 1.1 and 1.2.
 # For secure UDP connections, Coturn supports DTLS version 1.
 #
-#tls-listening-port=5349
+tls-listening-port=443
 
 # Alternative listening port for UDP and TCP listeners;
 # default (or zero) value means "listening port plus one".
@@ -125,7 +125,10 @@
 #
 # By default, this value is empty, and no address mapping is used.
 #
-#external-ip=60.70.80.91
+external-ip={{ ansible_default_ipv4.address }}
+{% if ansible_default_ipv6.address is defined %}
+external-ip={{ ansible_default_ipv6.address }}
+{% endif %}
 #
 #OR:
 #
@@ -399,17 +402,17 @@ realm={{ coturn_realm }}
 # Uncomment if no TCP client listener is desired.
 # By default TCP client listener is always started.
 #
-no-tcp
+#no-tcp
 
 # Uncomment if no TLS client listener is desired.
 # By default TLS client listener is always started.
 #
-no-tls
+#no-tls
 
 # Uncomment if no DTLS client listener is desired.
 # By default DTLS client listener is always started.
 #
-no-dtls
+#no-dtls
 
 # Uncomment if no UDP relay endpoints are allowed.
 # By default UDP relay endpoints are enabled (like in RFC 5766).
@@ -746,6 +749,6 @@ mobility
 
 # Do not allow an TLS/DTLS version of protocol
 #
-no-tlsv1
-no-tlsv1_1
-no-tlsv1_2
+#no-tlsv1
+#no-tlsv1_1
+#no-tlsv1_2

roles/dhcpd/templates/dhcp/dhcpd.conf.j2

@@ -107,7 +107,6 @@ subnet 172.23.13.0 netmask 255.255.255.0 {
 # Users Auweg
 subnet 172.23.14.0 netmask 255.255.255.0 {
   option routers 172.23.14.1;
-  ddns-domainname "users.binary.kitchen";
   option domain-search "binary.kitchen", "users.binary.kitchen";
   pool {
 {% if dhcpd_failover == true %}
@@ -119,7 +118,7 @@ subnet 172.23.14.0 netmask 255.255.255.0 {
 
 # MQTT Auweg
 subnet 172.23.15.0 netmask 255.255.255.0 {
-  option routers 172.23.4.1;
+  option routers 172.23.15.1;
   pool {
 {% if dhcpd_failover == true %}
     failover peer "failover-partner";
@@ -143,7 +142,7 @@ host ap01 {
 }
 
 host ap04 {
-  hardware ethernet 44:48:c1:ce:90:06;
+  hardware ethernet 74:9e:75:ce:93:54;
   fixed-address ap04.binary.kitchen;
 }
 

roles/dns_extern/templates/pdns.conf.j2

@@ -1,5 +1,4 @@
-local-address=0.0.0.0
-local-ipv6=::
+local-address=0.0.0.0, ::
 launch=gsqlite3
 gsqlite3-dnssec
 gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3

roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2

@@ -1,7 +1,7 @@
 $ORIGIN 23.172.in-addr.arpa.	; base for unqualified names
 $TTL 1h				; default time-to-live
 @				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
-					2021120101; serial
+					2024051300; serial
 					1d; refresh
 					2h; retry
 					4w; expire
@@ -11,7 +11,7 @@ $TTL 1h				; default time-to-live
 				IN	NS	ns2.binary.kitchen.
 ; Loopback
 1.0				IN	PTR	core.binary.kitchen.
-2.0				IN	PTR	erx-bk.binary.kitchen.
+2.0				IN	PTR	rt-w13b.binary.kitchen.
 3.0				IN	PTR	erx-rz.binary.kitchen.
 4.0				IN	PTR	erx-auweg.binary.kitchen.
 ; Management
@@ -50,6 +50,8 @@ $TTL 1h				; default time-to-live
 35.2				IN	PTR	knoedel.binary.kitchen.
 36.2				IN	PTR	schweinshaxn.binary.kitchen.
 37.2				IN	PTR	bob.binary.kitchen.
+38.2				IN	PTR	lasagne.binary.kitchen.
+39.2				IN	PTR	tschunk.binary.kitchen.
 62.2				IN	PTR	bowle.binary.kitchen.
 91.2				IN	PTR	strammermax.binary.kitchen.
 92.2				IN	PTR	obatzda.binary.kitchen.
@@ -67,6 +69,7 @@ $GENERATE 10-230 $.3		IN	PTR	dhcp-${0,3,d}-03.binary.kitchen.
 ; MQTT
 1.4				IN	PTR	v2304.core.binary.kitchen.
 6.4				IN	PTR	pizza.mqtt.binary.kitchen.
+7.4				IN	PTR	lasagne.mqtt.binary.kitchen.
 $GENERATE 10-240 $.4		IN	PTR	dhcp-${0,3,d}-04.binary.kitchen.
 241.4				IN	PTR	habdisplay1.mqtt.binary.kitchen.
 242.4				IN	PTR	habdisplay2.mqtt.binary.kitchen.
@@ -91,6 +94,7 @@ $GENERATE 2-254 $.10		IN	PTR	vpn-${0,3,d}-10.binary.kitchen.
 111.12				IN	PTR	rfp11.binary.kitchen.
 ; Services Auweg
 3.13				IN	PTR	aeron.binary.kitchen.
+12.13				IN	PTR	lock-auweg.binary.kitchen.
 ; Clients Auweg
 $GENERATE 10-230 $.14		IN	PTR	dhcp-${0,3,d}-14.binary.kitchen.
 ; MQTT

roles/dns_intern/templates/bind/binary.kitchen.zone.j2

@@ -1,7 +1,7 @@
 $ORIGIN binary.kitchen		; base for unqualified names
 $TTL 1h				; default time-to-live
 @				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
-					2021120101; serial
+					2024051300; serial
 					1d; refresh
 					2h; retry
 					4w; expire
@@ -30,12 +30,11 @@ netbox				IN	A	172.23.2.7
 ns1				IN	A	172.23.2.3
 ns2				IN	A	172.23.2.4
 omm				IN	A	172.23.2.35
-racktables			IN	A	172.23.2.6
 radius				IN	A	172.23.2.3
 radius				IN	A	172.23.2.4
 ; Loopback
 core				IN	A	172.23.0.1
-erx-bk				IN	A	172.23.0.2
+rt-w13b				IN	A	172.23.0.2
 erx-rz				IN	A	172.23.0.3
 erx-auweg			IN	A	172.23.0.4
 ; Management
@@ -74,6 +73,8 @@ pancake				IN	A	172.23.2.34
 knoedel				IN	A	172.23.2.35
 schweinshaxn			IN	A	172.23.2.36
 bob				IN	A	172.23.2.37
+lasagne				IN	A	172.23.2.38
+tschunk				IN	A	172.23.2.39
 bowle				IN	A	172.23.2.62
 strammermax			IN	A	172.23.2.91
 obatzda				IN	A	172.23.2.92
@@ -91,6 +92,7 @@ noodlehub			IN	A	172.23.3.251
 ; MQTT
 v2304.core			IN	A	172.23.4.1
 pizza.mqtt			IN	A	172.23.4.6
+lasagne.mqtt			IN	A	172.23.4.7
 $GENERATE 10-240 dhcp-${0,3,d}-04	IN	A	172.23.4.$
 habdisplay1.mqtt		IN	A	172.23.4.241
 habdisplay2.mqtt		IN	A	172.23.4.242
@@ -112,6 +114,7 @@ weizen				IN	A	172.23.12.61
 rfp11				IN	A	172.23.12.111
 ; Services Auweg
 aeron				IN	A	172.23.13.3
+lock-auweg			IN	A	172.23.13.12
 ; Clients Auweg
 $GENERATE 10-230 dhcp-${0,3,d}-14	IN	A	172.23.14.$
 ; MQTT Auweg

roles/dns_intern/templates/dnsdist.conf.j2

@@ -10,11 +10,11 @@ newServer({address='127.0.0.1:5353', pool='resolve'})
 
 {% if dns_secondary is defined %}
 -- allow AXFR/IXFR only from slaves
-addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
+addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
 {% endif %}
 
 -- allow NOTIFY only from master
-addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
+addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
 
 -- use auth servers for own zones
 addAction('binary.kitchen', PoolAction('authdns'))

roles/dns_intern/templates/pdns.conf.j2

@@ -26,12 +26,6 @@ launch=bind,gsqlite3
 # local-address=0.0.0.0
 local-address=127.0.0.1
 
-#################################
-# local-ipv6	Local IP address to which we bind
-#
-# local-ipv6=::
-local-ipv6=
-
 #################################
 # local-port	The port on which we listen
 #

roles/dns_intern/templates/recursor.conf.j2

@@ -11,9 +11,9 @@
 config-dir=/etc/powerdns
 
 #################################
-# dnssec	DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
+# dnssec	DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate
 #
-# dnssec=process-no-validate
+# dnssec=process
 dnssec=off
 
 #################################

roles/docker/tasks/main.yml

@@ -1,17 +1,10 @@
 ---
 
-- name: Enable docker apt-key
-  apt_key: url='https://download.docker.com/linux/debian/gpg'
-
-- name: Enable docker repository
-  apt_repository:
-    repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
-    filename: docker
-
 - name: Install docker
   apt:
     name:
-    - docker-ce
-    - docker-ce-cli
-    - containerd.io
+    - docker.io
     - python3-docker
+
+- name: Enable docker
+  service: name=docker state=started enabled=yes

roles/doorlock/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
+- name: Restart nginx
+  service: name=nginx state=restarted

roles/doorlock/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/doorlock/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- name: Ensure certificates are available
+  command:
+    cmd: >
+      openssl req -x509 -nodes -newkey rsa:2048
+      -keyout /etc/nginx/ssl/{{ doorlock_domain }}.key -out /etc/nginx/ssl/{{ doorlock_domain }}.crt
+      -days 730 -subj "/CN={{ doorlock_domain }}"
+    creates: /etc/nginx/ssl/{{ doorlock_domain }}.crt
+  notify: Restart nginx
+
+- name: Request nsupdate key for certificate
+  include_role: name=acme-dnskey-generate
+  vars:
+    acme_dnskey_san_domains:
+    - "{{ doorlock_domain }}"
+
+- name: Configure certificate manager for doorlock
+  template: src=certs.j2 dest=/etc/acertmgr/{{ doorlock_domain }}.conf
+  notify: Run acertmgr

roles/doorlock/templates/certs.j2

@@ -0,0 +1,18 @@
+---
+
+{{ doorlock_domain }}:
+- mode: dns.nsupdate
+  nsupdate_server: {{ acme_dnskey_server }}
+  nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ doorlock_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ doorlock_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'

roles/drone/files/drone.service

@@ -1,14 +0,0 @@
-[Unit]
-Description=drone.io server
-After=network-online.target
-
-[Service]
-Type=simple
-User=drone
-EnvironmentFile=/etc/default/drone
-ExecStart=/opt/drone/bin/drone-server
-Restart=always
-RestartSec=5s
-
-[Install]
-WantedBy=multi-user.target

roles/drone/tasks/main.yml

@@ -1,52 +0,0 @@
----
-
-- name: Create user
-  user: name=drone
-
-# TODO install drone to /opt/drone/bin
-# currently it is manually compiled
-
-- name: Configure drone
-  template: src=drone.j2 dest=/etc/default/drone
-  notify: Restart drone
-
-- name: Install PostgreSQL
-  apt:
-    name:
-    - postgresql
-    - python3-psycopg2
-
-- name: Configure PostgreSQL database
-  postgresql_db: name={{ drone_dbname }}
-  become: true
-  become_user: postgres
-
-- name: Configure PostgreSQL user
-  postgresql_user: db={{ drone_dbname }} name={{ drone_dbuser }} password={{ drone_dbpass }} priv=ALL state=present
-  become: true
-  become_user: postgres
-
-- name: Ensure certificates are available
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ drone_domain }}.key -out /etc/nginx/ssl/{{ drone_domain }}.crt -days 730 -subj "/CN={{ drone_domain }}" creates=/etc/nginx/ssl/{{ drone_domain }}.crt
-  notify: Restart nginx
-
-- name: Configure certificate manager for drone
-  template: src=certs.j2 dest=/etc/acertmgr/{{ drone_domain }}.conf
-  notify: Run acertmgr
-
-- name: Configure vhost
-  template: src=vhost.j2 dest=/etc/nginx/sites-available/drone
-  notify: Restart nginx
-
-- name: Enable vhost
-  file: src=/etc/nginx/sites-available/drone dest=/etc/nginx/sites-enabled/drone state=link
-  notify: Restart nginx
-
-- name: Install systemd unit
-  copy: src=drone.service dest=/lib/systemd/system/drone.service
-  notify:
-  - Reload systemd
-  - Restart drone
-
-- name: Enable drone
-  service: name=drone enabled=yes

roles/drone/templates/drone.j2

@@ -1,10 +0,0 @@
-DRONE_AGENTS_ENABLED=true
-DRONE_DATABASE_DATASOURCE=postgres://{{ drone_dbuser }}:{{ drone_dbpass }}@127.0.0.1:5432/{{ drone_dbname }}
-DRONE_DATABASE_DRIVER=postgres
-DRONE_GITEA_SERVER=https://{{ gitea_domain }}
-DRONE_GITEA_CLIENT_ID={{ drone_gitea_client }}
-DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_secret }}
-DRONE_RPC_SECRET={{ drone_secret }}
-DRONE_SERVER_HOST={{ drone_domain }}
-DRONE_SERVER_PROTO=https
-DRONE_USER_CREATE=username:{{ drone_admin }},admin:true

roles/drone/templates/vhost.j2

@@ -1,31 +0,0 @@
-server {
-	listen 80;
-	listen [::]:80;
-
-	server_name {{ drone_domain }};
-
-	location /.well-known/acme-challenge {
-		default_type "text/plain";
-		alias /var/www/acme-challenge;
-	}
-
-	location / {
-		return 301 https://{{ drone_domain }}$request_uri;
-	}
-}
-
-server {
-	listen 443 ssl http2;
-	listen [::]:443 ssl http2;
-
-	server_name {{ drone_domain }};
-
-	ssl_certificate_key /etc/nginx/ssl/{{ drone_domain }}.key;
-	ssl_certificate /etc/nginx/ssl/{{ drone_domain }}.crt;
-
-	location / {
-		client_max_body_size 128M;
-		proxy_set_header X-Real-IP $remote_addr;
-		proxy_pass http://localhost:8080;
-	}
-}

roles/drone_runner/tasks/main.yml

@@ -1,21 +0,0 @@
----
-
-- name: Run runner container
-  docker_container:
-    name: runner
-    image: drone/drone-runner-docker:1
-    env:
-      DRONE_RPC_PROTO: "https"
-      DRONE_RPC_HOST: "{{ drone_domain }}"
-      DRONE_RPC_SECRET: "{{ drone_secret }}"
-      DRONE_RUNNER_CAPACITY: "2"
-      DRONE_RUNNER_NAME: "{{ ansible_fqdn }}"
-      DRONE_UI_USERNAME: "admin"
-      DRONE_UI_PASSWORD: "{{ drone_uipass }}"
-    ports:
-    - "3000:3000"
-    pull: yes
-    restart_policy: unless-stopped
-    state: started
-    volumes:
-    - "/var/run/docker.sock:/var/run/docker.sock"

roles/event_web/files/certs

@@ -0,0 +1,15 @@
+---
+
+eh21.easterhegg.eu engel.eh21.easterhegg.eu:
+- path: /etc/nginx/ssl/eh21.easterhegg.eu.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/eh21.easterhegg.eu.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'

roles/event_web/files/vhost

@@ -0,0 +1,68 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name eh21.easterhegg.eu;
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://eh21.easterhegg.eu$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name eh21.easterhegg.eu;
+
+	ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
+	ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
+
+	root /var/www/eh21;
+}
+
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name engel.eh21.easterhegg.eu;
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://engel.eh21.easterhegg.eu$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name engel.eh21.easterhegg.eu;
+
+	ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
+	ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
+
+	root /var/www/engel/public;
+
+	index index.php;
+
+	location / {
+		try_files $uri $uri/ /index.php?$args;
+	}
+
+	location ~ \.php$ {
+		fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+		fastcgi_index index.php;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+		include fastcgi_params;
+	}
+}

roles/event_web/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/event_web/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/event_web/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+
+- name: Install dependencies
+  apt:
+    name:
+    - php-fpm
+
+- name: Create vhost directory
+  file: path=/var/www/eh21 state=directory owner=www-data group=www-data
+
+- name: Create vhost directory
+  file: path=/var/www/engel state=directory owner=www-data group=www-data
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/eh21.easterhegg.eu.key -out /etc/nginx/ssl/eh21.easterhegg.eu.crt -days 730 -subj "/CN=eh21.easterhegg.eu" creates=/etc/nginx/ssl/eh21.easterhegg.eu.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager
+  copy: src=certs dest=/etc/acertmgr/eh21.easterhegg.eu.conf
+  notify: Run acertmgr
+
+- name: Configure vhosts
+  copy: src=vhost dest=/etc/nginx/sites-available/www
+  notify: Restart nginx
+
+- name: Enable vhosts
+  file: src=/etc/nginx/sites-available/www dest=/etc/nginx/sites-enabled/www state=link
+  notify: Restart nginx
+
+- name: Start php8.2-fpm
+  service: name=php8.2-fpm state=started enabled=yes

roles/fileserver/templates/smb.conf.j2

@@ -42,7 +42,7 @@
 # option cannot handle dynamic or non-broadcast interfaces correctly.
 ;   bind interfaces only = yes
 
-
+   min protocol = NT1
 
 #### Debugging/Accounting ####
 
@@ -213,7 +213,7 @@
 ;[printers]
 ;   comment = All Printers
 ;   browseable = no
-;   path = /var/spool/samba
+;   path = /var/tmp
 ;   printable = yes
 ;   guest ok = no
 ;   read only = yes
@@ -240,5 +240,5 @@
    browseable = yes
    read only = no
    guest ok = yes
-   create mask = 0600
-   directory mask = 0700
+   create mask = 0660
+   directory mask = 0770

roles/gitea/defaults/main.yml

@@ -3,6 +3,5 @@
 gitea_user: gogs
 gitea_group: gogs
 
-gitea_checksum: sha256:dbdefbeed7073951ba955cb6c40bd7d9ece7a349c1326ad80c314690ff3616f1
-gitea_version: 1.15.9
+gitea_version: 1.21.11
 gitea_url: https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64

roles/gitea/tasks/main.yml

@@ -6,19 +6,24 @@
 - name: Create user
   user: name={{ gitea_user }} home=/home/{{ gitea_user }} group={{ gitea_group }}
 
-- name: Create gitea directories
-  file: path={{ item }} state=directory owner={{ gitea_user }}
+- name: Create directories
+  file: path={{ item }} state=directory owner={{ gitea_user }} group={{ gitea_group }}
   with_items:
   - /opt/gitea
   - /opt/gitea/custom
   - /opt/gitea/custom/conf
 
 - name: Download gitea binary
-  get_url: url={{ gitea_url }} dest=/opt/gitea/gitea checksum={{ gitea_checksum }} mode=0755
+  get_url: url={{ gitea_url }} dest=/opt/gitea/gitea-{{ gitea_version }} mode=0755
+  register: gitea_download
+
+- name: Symlink gitea binary
+  file: src=/opt/gitea/gitea-{{ gitea_version }} dest=/opt/gitea/gitea state=link
+  when: gitea_download.changed
   notify: Restart gitea
 
 - name: Configure gitea
-  template: src=app.ini.j2 dest=/opt/gitea/custom/conf/app.ini force=no owner={{ gitea_user }}
+  template: src=app.ini.j2 dest=/opt/gitea/custom/conf/app.ini force=no owner={{ gitea_user }} group={{ gitea_group }}
 
 - name: Install systemd unit
   template: src=gitea.service.j2 dest=/lib/systemd/system/gitea.service
@@ -50,6 +55,9 @@
   template: src=certs.j2 dest=/etc/acertmgr/{{ gitea_domain }}.conf
   notify: Run acertmgr
 
+- name: Configure robots.txt for gitea
+  template: src=robots.txt.j2 dest=/opt/gitea/custom/robots.txt owner={{ gitea_user }}
+
 - name: Configure vhost
   template: src=vhost.j2 dest=/etc/nginx/sites-available/gitea
   notify: Restart nginx
@@ -59,4 +67,9 @@
   notify: Restart nginx
 
 - name: Enable gitea
-  service: name=gitea enabled=yes
+  service: name=gitea state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ gitea_domain }}"

roles/gitea/templates/app.ini.j2

@@ -43,3 +43,10 @@ LEVEL = warn
 
 [oauth2]
 JWT_SECRET = {{ gitea_jwt_secret }}
+
+[cron]
+ENABLED = true
+
+[cron.archive_cleanup]
+SCHEDULE = @midnight
+OLDER_THAN = 168h

roles/gitea/templates/gitea.service.j2

@@ -8,7 +8,7 @@ Requires=postgresql.service
 RestartSec=2s
 Type=simple
 User={{ gitea_user }}
-Group={{ gitea_user }}
+Group={{ gitea_group }}
 WorkingDirectory=/opt/gitea/
 ExecStart=/opt/gitea/gitea web
 Restart=always

roles/gitea/templates/robots.txt.j2

@@ -0,0 +1,4 @@
+User-agent: *
+Disallow: /*/*/archive/*.bundle$
+Disallow: /*/*/archive/*.tar.gz$
+Disallow: /*/*/archive/*.zip$

roles/gitea/templates/vhost.j2

@@ -23,6 +23,10 @@ server {
 	ssl_certificate_key /etc/nginx/ssl/{{ gitea_domain }}.key;
 	ssl_certificate /etc/nginx/ssl/{{ gitea_domain }}.crt;
 
+	location /robots.txt {
+		alias /opt/gitea/custom/robots.txt;
+	}
+
 	location / {
 		client_max_body_size 1024M;
 		proxy_set_header X-Real-IP $remote_addr;

roles/grafana/tasks/main.yml

@@ -1,10 +1,10 @@
 ---
 
 - name: Enable grafana apt-key
-  apt_key: url="https://packages.grafana.com/gpg.key"
+  apt_key: url="https://apt.grafana.com/gpg.key" keyring="/etc/apt/trusted.gpg.d/grafana.gpg"
 
 - name: Enable grafana repository
-  apt_repository: repo="deb https://packages.grafana.com/oss/deb stable main"
+  apt_repository: repo="deb https://apt.grafana.com stable main"
 
 - name: Install grafana
   apt: name=grafana
@@ -34,3 +34,8 @@
 
 - name: Start grafana
   service: name=grafana-server state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ grafana_domain }}"

roles/grafana/templates/vhost.j2

@@ -25,7 +25,8 @@ server {
 
 	location / {
 		client_max_body_size 1024M;
-		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header Host $http_host;
 		proxy_pass http://localhost:3000;
 	}
 }

roles/hackmd/defaults/main.yml

@@ -1,4 +0,0 @@
----
-
-hedgedoc_version: 1.8.2
-hedgedoc_archive: https://github.com/hedgedoc/hedgedoc/archive/{{ hedgedoc_version }}.tar.gz

roles/hackmd/tasks/main.yml

@@ -1,105 +0,0 @@
----
-
-- name: Create user
-  user: name=hackmd
-
-- name: Enable nodesource apt-key
-  apt_key: url="https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
-
-- name: Enable nodesource repository
-  apt_repository: repo="deb https://deb.nodesource.com/node_14.x/ {{ ansible_distribution_release }} main"
-
-- name: Enable yarnpkg apt-key
-  apt_key: url="https://dl.yarnpkg.com/debian/pubkey.gpg"
-
-- name: Enable yarnpkg repository
-  apt_repository: repo="deb https://dl.yarnpkg.com/debian/ stable main"
-
-- name: Pin nodejs repository
-  blockinfile:
-    path: /etc/apt/preferences.d/nodejs
-    create: yes
-    block: |
-      Package: *
-      Pin: origin deb.nodesource.com
-      Pin-Priority: 600
-
-- name: Install packages
-  apt:
-    name:
-    - build-essential
-    - git
-    - nodejs
-    - postgresql
-    - python3-psycopg2
-    - yarn
-
-- name: Unpack hedgedoc
-  unarchive: src={{ hedgedoc_archive }} dest=/opt owner=hackmd group=hackmd remote_src=yes creates=/opt/hedgedoc-{{ hedgedoc_version }}
-  register: hedgedoc_unarchive
-
-- name: Create hedgedoc upload path
-  file: path=/opt/hedgedoc/uploads state=directory recurse=yes owner=hackmd group=hackmd
-
-- name: Remove old hedgedoc upload path
-  file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads state=absent force=yes
-
-- name: Link hedgedoc upload path
-  file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads src=/opt/hedgedoc/uploads state=link owner=hackmd group=hackmd
-
-- name: Setup hedgedoc
-  command: bin/setup chdir=/opt/hedgedoc-{{ hedgedoc_version }} creates=/opt/hedgedoc-{{ hedgedoc_version }}/config.json
-  become: true
-  become_user: hackmd
-
-- name: Configure hedgedoc
-  template: src=config.json.j2 dest=/opt/hedgedoc-{{ hedgedoc_version }}/config.json owner=hackmd
-  register: hedgedoc_config
-  notify: Restart hedgedoc
-
-- name: Install hedgedoc frontend deps
-  command: /usr/bin/yarn install chdir=/opt/hedgedoc-{{ hedgedoc_version }}
-  become: true
-  become_user: hackmd
-  when: hedgedoc_unarchive.changed or hedgedoc_config.changed
-
-- name: Build hedgedoc frontend
-  command: /usr/bin/yarn build chdir=/opt/hedgedoc-{{ hedgedoc_version }}
-  become: true
-  become_user: hackmd
-  when: hedgedoc_unarchive.changed or hedgedoc_config.changed
-
-- name: Configure PostgreSQL database
-  postgresql_db: name={{ hedgedoc_dbname }}
-  become: true
-  become_user: postgres
-
-- name: Configure PostgreSQL user
-  postgresql_user: db={{ hedgedoc_dbname }} name={{ hedgedoc_dbuser }} password={{ hedgedoc_dbpass }} priv=ALL state=present
-  become: true
-  become_user: postgres
-
-- name: Ensure certificates are available
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hedgedoc_domain }}.key -out /etc/nginx/ssl/{{ hedgedoc_domain }}.crt -days 730 -subj "/CN={{ hedgedoc_domain }}" creates=/etc/nginx/ssl/{{ hedgedoc_domain }}.crt
-  notify: Restart nginx
-
-- name: Configure certificate manager for hedgedoc
-  template: src=certs.j2 dest=/etc/acertmgr/{{ hedgedoc_domain }}.conf
-  notify: Run acertmgr
-
-- name: Configure vhost
-  template: src=vhost.j2 dest=/etc/nginx/sites-available/hedgedoc
-  notify: Restart nginx
-
-- name: Enable vhost
-  file: src=/etc/nginx/sites-available/hedgedoc dest=/etc/nginx/sites-enabled/hedgedoc state=link
-  notify: Restart nginx
-
-- name: Systemd unit for hedgedoc
-  template: src=hedgedoc.service.j2 dest=/etc/systemd/system/hedgedoc.service
-  notify:
-  - Reload systemd
-  - Restart hedgedoc
-
-- name: Start the hedgedoc service
-  service: name=hedgedoc state=started enabled=yes

roles/hackmd/templates/config.json.j2

@@ -1,45 +0,0 @@
-{
-    "production": {
-        "domain": "{{ hedgedoc_domain }}",
-        "protocolUseSSL": true,
-        "allowAnonymous": false,
-        "allowAnonymousEdits": true,
-        "allowFreeURL": true,
-        "sessionSecret": "{{ hedgedoc_secret }}",
-        "hsts": {
-            "enable": true,
-            "maxAgeSeconds": 2592000,
-            "includeSubdomains": true,
-            "preload": true
-        },
-        "csp": {
-            "enable": true,
-            "directives": {
-            },
-            "upgradeInsecureRequests": "auto",
-            "addDefaults": true,
-            "addDisqus": true,
-            "addGoogleAnalytics": true
-        },
-        "db": {
-            "username": "{{ hedgedoc_dbuser }}",
-            "password": "{{ hedgedoc_dbpass }}",
-            "database": "{{ hedgedoc_dbname }}",
-            "host": "localhost",
-            "port": "5432",
-            "dialect": "postgres"
-        },
-        "ldap": {
-            "url": "{{ ldap_uri }}",
-            "bindDn": "{{ ldap_binddn }}",
-            "bindCredentials": "{{ ldap_bindpw }}",
-            "searchBase": "{{ ldap_base }}",
-            "searchFilter": "(uid={{ '{{' }}username{{ '}}' }})",
-            "searchAttributes": ["cn", "uid"],
-            "usernameField": "cn",
-            "useridField": "uid",
-            "tlsca": "/etc/ssl/certs/ca-certificates.crt"
-        },
-        "email": false
-    }
-}

roles/hackmd/templates/hedgedoc.service.j2

@@ -1,14 +0,0 @@
-[Unit]
-Description=HedgeDoc
-After=network.target
-
-[Service]
-Environment=NODE_ENV=production
-WorkingDirectory=/opt/hedgedoc-{{ hedgedoc_version }}
-Type=simple
-User=hackmd
-ExecStart=/usr/bin/yarn start
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target

roles/hedgedoc/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/hedgedoc/tasks/main.yml

@@ -0,0 +1,51 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+    - docker-compose
+
+- name: Create hedgedoc group
+  group: name=hedgedoc
+
+- name: Create hedgedoc user
+  user:
+    name: hedgedoc
+    home: /opt/hedgedoc
+    shell: /bin/bash
+    group: hedgedoc
+    groups: docker
+
+- name: Configure hedgedoc container
+  template: src=docker-compose.yml.j2 dest=/opt/hedgedoc/docker-compose.yml
+  notify: Restart hedgedoc
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hedgedoc_domain }}.key -out /etc/nginx/ssl/{{ hedgedoc_domain }}.crt -days 730 -subj "/CN={{ hedgedoc_domain }}" creates=/etc/nginx/ssl/{{ hedgedoc_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for hedgedoc
+  template: src=certs.j2 dest=/etc/acertmgr/{{ hedgedoc_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/hedgedoc
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/hedgedoc dest=/etc/nginx/sites-enabled/hedgedoc state=link
+  notify: Restart nginx
+
+- name: Systemd unit for hedgedoc
+  template: src=hedgedoc.service.j2 dest=/etc/systemd/system/hedgedoc.service
+  notify:
+  - Reload systemd
+  - Restart hedgedoc
+
+- name: Start the hedgedoc service
+  service: name=hedgedoc state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ hedgedoc_domain }}"

roles/hedgedoc/templates/docker-compose.yml.j2

@@ -0,0 +1,44 @@
+version: "3"
+services:
+  database:
+    image: postgres:13-alpine
+    environment:
+      - POSTGRES_USER={{ hedgedoc_dbuser }}
+      - POSTGRES_PASSWORD={{ hedgedoc_dbpass }}
+      - POSTGRES_DB={{ hedgedoc_dbname }}
+    volumes:
+      - ./database:/var/lib/postgresql/data
+  app:
+    image: quay.io/hedgedoc/hedgedoc:1.9.9
+    restart: on-failure
+    environment:
+      - CMD_DOMAIN={{ hedgedoc_domain }}
+      - CMD_PROTOCOL_USESSL=true
+      - CMD_ALLOW_ANONYMOUS=false
+      - CMD_ALLOW_ANONYMOUS_EDITS=true
+      - CMD_ALLOW_FREEURL=true
+      - CMD_SESSION_SECRET={{ hedgedoc_secret }}
+      - CMD_HSTS_ENABLE=true
+      - CMD_HSTS_MAX_AGE=2592000
+      - CMD_HSTS_INCLUDE_SUBDOMAINS=true
+      - CMD_HSTS_PRELOAD=true
+      - CMD_CSP_ENABLE=true
+      - CMD_DB_URL=postgres://{{ hedgedoc_dbuser }}:{{ hedgedoc_dbpass }}@database/{{ hedgedoc_dbname }}
+      - CMD_LDAP_URL={{ ldap_uri }}
+      - CMD_LDAP_BINDDN={{ ldap_binddn }}
+      - CMD_LDAP_BINDCREDENTIALS={{ ldap_bindpw }}
+      - CMD_LDAP_SEARCHBASE={{ ldap_base }}
+      - CMD_LDAP_SEARCHFILTER=(uid={{ '{{' }}username{{ '}}' }})
+      - CMD_LDAP_SEARCHATTRIBUTES=cn,uid
+      - CMD_LDAP_USERIDFIELD=uid
+      - CMD_LDAP_USERNAMEFIELD=cn
+      - CMD_LDAP_TLS_CA=/etc/ssl/certs/ca-certificates.crt
+      - CMD_EMAIL=false
+    volumes:
+      - /etc/hosts:/etc/hosts:ro
+      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
+      - ./uploads:/hedgedoc/public/uploads
+    ports:
+      - "127.0.0.1:3000:3000"
+    depends_on:
+      - database