netbox: fix psycopg dependency to use binary

the C variant will fail to compile

README.md

@@ -1,11 +1,68 @@
 # Binary Kitchen Ansible Playbooks
 
-This repository contains the roles to setup most of the infrastructure related to the hackerspace Binary Kitchen.
+This repository contains the roles to setup most of the infrastructure related to the hackspace Binary Kitchen.
 
-## Using
+## Usage
 
-TBA
+To apply the current set of roles to a single host you can type: `ansible-playbook site.yml -l $hostname`
 
-## Style / Contributing
+It is recommenced to alway run in check mode (`--check`) first and use `--diff` to see what has been (or would be) changed
 
-TBA/TBD
+
+## Current setup
+
+Currently the following hosts are installed:
+
+### Internal Servers
+
+| Hostname                  | OS        | Purpose                 |
+| ------------------------- | --------- | ----------------------- |
+| wurst.binary.kitchen      | Proxmox 8 | VM Host                 |
+| salat.binary.kitchen      | Proxmox 8 | VM Host                 |
+| weizen.binary.kitchen     | Proxmox 8 | VM Host                 |
+| bacon.binary.kitchen      | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| aveta.binary.kitchen      | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| aeron.binary.kitchen      | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| sulis.binary.kitchen      | Debian 12 | Shell                   |
+| nabia.binary.kitchen      | Debian 12 | Monitoring              |
+| epona.binary.kitchen      | Debian 12 | NetBox                  |
+| pizza.binary.kitchen      | Debian 11 | OpenHAB *               |
+| pancake.binary.kitchen    | Debian 12 | XRDP                    |
+| knoedel.binary.kitchen    | Debian 12 | SIP-DECT OMM            |
+| bob.binary.kitchen        | Debian 12 | Gitea Actions           |
+| lasagne.binary.kitchen    | Debian 12 | Home Assistant *        |
+| tschunk.binary.kitchen    | Debian 11 | Strichliste             |
+| bowle.binary.kitchen      | Debian 12 | Files                   |
+| lock-auweg.binary.kitchen | Debian 11 | Doorlock                |
+
+\*: The main application is not managed by ansible but manually installed
+
+### External Servers
+
+| Hostname                      | OS        | Purpose                 |
+| ----------------------------- | --------- | ----------------------- |
+| helium.binary-kitchen.net     | Debian 12 | LDAP Master             |
+| lithium.binary-kitchen.net    | Debian 12 | Mail                    |
+| beryllium.binary-kitchen.net  | Debian 12 | Web *                   |
+| boron.binary-kitchen.net      | Debian 12 | Gitea                   |
+| carbon.binary-kitchen.net     | Debian 12 | Jabber                  |
+| nitrogen.binary-kitchen.net   | Debian 12 | NextCloud               |
+| oxygen.binary-kitchen.net     | Debian 12 | Shell                   |
+| fluorine.binary-kitchen.net   | Debian 12 | Web (div. via Docker)   |
+| neon.binary-kitchen.net       | Debian 12 | Auth. DNS               |
+| sodium.binary-kitchen.net     | Debian 12 | Mattrix                 |
+| magnesium.binary-kitchen.net  | Debian 12 | TURN                    |
+| aluminium.binary-kitchen.net  | Debian 12 | Zammad                  |
+| krypton.binary-kitchen.net    | Debian 12 | PartDB *                |
+| yttrium.binary-kitchen.net    | Debian 12 | Hintervvoidler *        |
+| zirconium.binary-kitchen.net  | Debian 12 | Jitsi                   |
+| molybdenum.binary-kitchen.net | Debian 12 | Telefonzelle *          |
+| technetium.binary-kitchen.net | Debian 12 | Event CTFd *            |
+| ruthenium.binary-kitchen.net  | Debian 12 | Minecraft *             |
+| rhodium.binary-kitchen.net    | Debian 12 | Event pretix            |
+| palladium.binary-kitchen.net  | Debian 12 | Event pretalx           |
+| argentum.binary-kitchen.net   | Debian 12 | Event Web *             |
+| cadmium.binary-kitchen.neti   | Debian 12 | Event NetBox *          |
+| barium.binary-kitchen.net     | Debian 12 | Workadventure           |
+
+\*: The main application is not managed by ansible but manually installed

group_vars/all/vars.yml

@@ -5,6 +5,14 @@ acertmgr_mode: webdir
 acme_dnskey_file: /etc/acertmgr/nsupdate.key
 acme_dnskey_server: neon.binary-kitchen.net
 
+authentik_domain: auth.binary-kitchen.de
+authentik_dbname: authentik
+authentik_dbuser: authentik
+authentik_dbpass: "{{ vault_authentik_dbpass }}"
+authentik_secret: "{{ vault_authentik_secret }}"
+
+bk23b_domain: 23b.binary-kitchen.de
+
 coturn_realm: turn.binary-kitchen.de
 coturn_secret: "{{ vault_coturn_secret }}"
 
@@ -14,19 +22,12 @@ dns_axfr_ips:
 
 dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
 
-drone_admin: moepman
-drone_domain: drone.binary-kitchen.de
-drone_dbname: drone
-drone_dbuser: drone
-drone_dbpass: "{{ vault_drone_dbpass }}"
-drone_uipass: "{{ vault_drone_uipass }}"
-drone_secret: "{{ vault_drone_secret }}"
-drone_gitea_client: "{{ vault_drone_gitea_client }}"
-drone_gitea_secret: "{{ vault_drone_gitea_secret }}"
-
 dss_domain: dss.binary-kitchen.de
 dss_secret: "{{ vault_dss_secret }}"
 
+fpm_status_user: admin
+fpm_status_pass: "{{ vault_fpm_status_pass }}"
+
 gitea_domain: git.binary-kitchen.de
 gitea_dbname: gogs
 gitea_dbuser: gogs
@@ -35,8 +36,8 @@ gitea_secret: "{{ vault_gitea_secret }}"
 gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
 
 hedgedoc_domain: pad.binary-kitchen.de
-hedgedoc_dbname: hackmd
-hedgedoc_dbuser: hackmd
+hedgedoc_dbname: hedgedoc
+hedgedoc_dbuser: hedgedoc
 hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
 hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
 
@@ -44,6 +45,7 @@ icinga_domain: icinga.binary.kitchen
 icinga_dbname: icinga
 icinga_dbuser: icinga
 icinga_dbpass: "{{ vault_icinga_dbpass }}"
+icinga_server: nabia.binary.kitchen
 icingaweb_dbname: icingaweb
 icingaweb_dbuser: icingaweb
 icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
@@ -66,18 +68,26 @@ mail_domain: binary-kitchen.de
 mail_domains:
 - ccc-r.de
 - ccc-regensburg.de
+- eh21.easterhegg.eu
 - makerspace-regensburg.de
 mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
 mail_server: mail.binary-kitchen.de
 mailman_domain: lists.binary-kitchen.de
 mail_trusted:
 - 213.166.246.0/28
+- 213.166.246.37/32
 - 213.166.246.45/32
+- 213.166.246.46/32
+- 213.166.246.47/32
 - 213.166.246.250/32
 - 2a02:958:0:f6::/124
+- 2a02:958:0:f6::37/128
 - 2a02:958:0:f6::45/128
+- 2a02:958:0:f6::46/128
+- 2a02:958:0:f6::47/128
 mail_aliases:
 - "auweg@binary-kitchen.de	venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
+- "bbb@binary-kitchen.de	boehm.johannes@gmail.com"
 - "dasfilament@binary-kitchen.de	taxx@binary-kitchen.de"
 - "epvpn@binary-kitchen.de	noby@binary-kitchen.de"
 - "google@binary-kitchen.de	vorstand@binary-kitchen.de"
@@ -88,12 +98,14 @@ mail_aliases:
 - "openhab@binary-kitchen.de	noby@binary-kitchen.de"
 - "orga@ccc-r.de	orga@ccc-regensburg.de"
 - "orga@ccc-regensburg.de	anti@binary-kitchen.de"
-- "paypal@binary-kitchen.de	timo.schindler@binary-kitchen.de"
+- "paypal@binary-kitchen.de	ralf@binary-kitchen.de"
 - "post@makerspace-regensburg.de	vorstand@binary-kitchen.de"
+- "pretalx@binary-kitchen.de	moepman@binary-kitchen.de"
+- "pretix@binary-kitchen.de	moepman@binary-kitchen.de"
 - "root@binary-kitchen.de	moepman@binary-kitchen.de,kishi@binary-kitchen.de"
 - "seife@binary-kitchen.de	anke@binary-kitchen.de"
 - "siebdruck@binary-kitchen.de	anke@binary-kitchen.de"
-- "vorstand@binary-kitchen.de	anti@binary-kitchen.de,avarrish@binary-kitchen.de,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
+- "vorstand@binary-kitchen.de	anke@binary-kitchen.de,christoph@schindlbeck.eu,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
 - "voucher1@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher2@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher3@binary-kitchen.de	exxess@binary-kitchen.de"
@@ -107,6 +119,8 @@ mail_aliases:
 - "voucher11@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher12@binary-kitchen.de	exxess@binary-kitchen.de"
 - "workshops@binary-kitchen.de	timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
+- "tickets@eh21.easterhegg.eu	orga@eh21.easterhegg.eu"
+- "hackzuck@eh21.easterhegg.eu	kekskruemml@binary-kitchen.de"
 
 matrix_domain: matrix.binary-kitchen.de
 matrix_dbname: matrix
@@ -126,15 +140,20 @@ nextcloud_dbname: owncloud
 nextcloud_dbuser: owncloud
 nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
 
-nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
-nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
-nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
+omm_domain: omm.binary.kitchen
 
-pretix_domain: pretix.rc3.binary-kitchen.de
+pretalx_domain: fahrplan.eh21.easterhegg.eu
+pretalx_dbname: pretalx
+pretalx_dbuser: pretalx
+pretalx_dbpass: "{{ vault_pretalx_dbpass }}"
+pretalx_mail: pretalx@binary-kitchen.de
+
+pretix_domain: pretix.events.binary-kitchen.de
+pretix_domainx: tickets.eh21.easterhegg.eu
 pretix_dbname: pretix
 pretix_dbuser: pretix
 pretix_dbpass: "{{ vault_pretix_dbpass }}"
-pretix_mail: rc3@binary-kitchen.de
+pretix_mail: pretix@binary-kitchen.de
 
 prometheus_pve_user: prometheus@pve
 prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
@@ -156,4 +175,21 @@ slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
 slapd_root_pass: "{{ vault_slapd_root_pass }}"
 slapd_san: ldap.binary.kitchen
 
+sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
+sssd_base_user: ou=people,dc=binary-kitchen,dc=de
+
+strichliste_domain: tschunk.binary.kitchen
+strichliste_dbname: strichliste
+strichliste_dbuser: strichliste
+strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
+
+vaultwarden_domain: vault.binary-kitchen.de
+vaultwarden_dbname: vaultwarden
+vaultwarden_dbuser: vaultwarden
+vaultwarden_dbpass: "{{ vault_vaultwarden_dbpass }}"
+vaultwarden_token: "{{ vault_vaultwarden_token }}"
+vaultwarden_yubico_secret: "{{ vault_vaultwarden_yubico_secret }}"
+
 workadventure_domain: wa.binary-kitchen.de
+
+zammad_domain: requests.binary-kitchen.de

group_vars/all/vault.yml

@@ -1,84 +1,109 @@
 $ANSIBLE_VAULT;1.1;AES256
-35323963326634353430373361636231303663373264616131356530663738306563303332363762
-3436613664633530623163353436323035346463623737390a383665663266313338356361626161
-39643939393939333361663434353237633861303032323730336661633663373636326432663135
-3430313238313836610a343432396536316462313230656236366363343034383732646163626231
-30643132316365613664333834356630666336633635373037326162646538333062363237363465
-30303632303339616166323932303865313766316436623232633335613263323437633331346133
-64633161383236346536616231333634626466373232366265333062306635663631663565666531
-30653633643430356164386364386336323162383164663639323430343239333366306161336365
-39663663343037396566366363353461656330353636306162626639663137666136306235656165
-66613338623232316336323830303830383364396537633161373032323739316131336431313035
-63346662366562656638363961613263363134646131623436316463326265646138323238303437
-31363734376333343961356137373764656534363437316633656665616430323231383563633766
-30653565373563376664303133653665356264363735333939646339653735633765306261633836
-31313465323238316263343166646132356333373033616361333532623564336338373838303536
-65333962636161633038353135303466353839663833626530616635666337346161623635383963
-66636230393331316239616434613265343139636632396630656630623662306464633162366139
-35646332623137643130373738336265623930376165343238626233356235613434636564313939
-34636266383536383936313263373538666165633163396635313365616339303264663566316234
-65353262313062653061326239363266333637316362366539616136373062313764316330663138
-64343337356133643163383864343962623237316230343763653838613738393739343131323835
-38623063626531613764356265376230336530326364643635383438363463333931333461393563
-37343231366165616666376664653633616332346661383935393435653934336562343531323664
-38396233306266623361636566663262393336343434383532393336343533653364666264306463
-66393234376137643761396635626337656465383066303863383535636363336463343234363361
-61626365633639643237336464653666396131343535636431636438343265663138346631316335
-63343136656131653039396539323231663730316134306432613034363635343230353361616338
-34303931343866343831623333386533313733613663363565313666353139356265333461336237
-34643265623739376565663039343638343839633362303035386562333264333438313835393039
-39376266643831343561653832353266313461363738663533383935376234636338343734353731
-36396634316561336363633339653566323134306430373536613763303763653764336237633465
-39313562373062666566663437386538663733643261656361346364393935613638393464663062
-31643035356630363630363532353137626431643366383437663437333761613062363663633832
-30663331333036653362646164313134316136663839386464353731303065376634313138656337
-34306234303233613136353661643436666538623634323137343861346165333730303430386237
-39313762313339356430303934343837336230303231613266643231376634333739353366333139
-39393436366339616166393530313862303961353131646163306633386637376634363534363461
-31363634653638633334346334613061333234633061343732363330363636656333316366383838
-39343234616461656432653836623233343965636432616630313037366535366131393033383063
-31343038646162616666613264363738366434613939333536656534336339326537366435383263
-66376638376133303136346663386561336239643465376336633665656563666133666165323633
-30613032343735653231356663333033653436393331653133646162333531613930316635356533
-38663830383463663366393034656638643136383261373332383636333331396639346361376334
-32333633316433616664643662636634323038306664663538386330356261323461396264323635
-66376133666434363932353762663461333861376139323439653431663638343362326166336133
-37396532306135386661353665356562363135656338333261386437376431363663383662303339
-30343534393965646231303037366435333238343931393036616364643631333163336331396364
-39303766363938383831316531303265383236646334616365613732643134366338366438623266
-61346132623333343933373666363937376332653766313463333132626466373763346330613433
-37383631656662386164633566376235366465663531383134613139656330313561633030643139
-31646264316533303638303939656539663936306465656366303761343335383562366238316332
-36623265383739376332393565386436653934316438313631626333343234656564623335386133
-64363538396631363538653361373138393637326533386239353532316531376166313265303463
-66306637383237303236306264373831636636643766383565326230313165356337633662663832
-39666464646365313536633539366330333938643431633136643166336566343137653066343735
-38653037346332373139356439656436366339323431626331636538346639303034323231663034
-36626536343236326439653665323563326431386462666331386163623232333661613437313865
-65363237643266393866363761316534666537616633393863366562666539633761613465616436
-30346435363431393261336361333564313537353564333136633866643466353261666430376130
-66333765306162666361393133636661393766333733363033663739646633303561623662316231
-61653332346361363565343466363339323064313537343537396637343730653563653734313337
-38316334376136636365373338313362313836613666643034343964353236313433303330366332
-66356562643636353465343133323462313465653434383835636535666135363438653833623836
-32636638313635326537336633656162346166303262386232613366366639326338316638656230
-65613763353031386537333332363736636236623561323036623864313830316661633362613164
-64356161376234666535393961376138656632653266306434343335373734663265383537326234
-35636131303133666366326434323832633865626538333864653236343135383636373437303864
-38663339666262373063643162343037343537383235326633623165396539633161303862623938
-32663433396637643765363837316439363863386162316363633136633232643635363166646534
-61366665356238653764623237613861323139366638633432343137336438316237333030613431
-37323463636162333231303234383831333138306163643630633335383465313737383832646161
-33643637373037666562366536383662663737373962373937633839633933323738366236323361
-63663330346436343232616364353261613635646339333062643038363634623561623163643932
-65306466363464376336353965633535356437333237666161383465393631333963393030316663
-62343564383838383938646338383466383533646539336239323064383565333834396535396634
-30616131643463663235636334613165343133646562656537396334623234383734396131643930
-66373765333538643661386435666166633438383035663563333339663536663137393162343865
-39326463316133343331633137363365653366643439613062633665633132633036333337323935
-31393665623938316230653936353966396539353730353364346434646434616636663563336666
-32623861363864383430356236396366616361326334656639613061636239306663626435636435
-36316135633739313364336634376635303131616239666262613230666165636533613935643664
-35356538613062646635336332613635643135396665376439323331386163356631383531376230
-36386661326362633833333133356366633264353061356665353131323737303339396333613763
-386531643264353562356563663961626139
+63626562396631623335303064393137396262393239366236373634323333343264343335306330
+3861326430303265376564306139323064356339653039330a613335323233356361303066663139
+34386465306537666464643736656230356632633239363865386166373834653030363736613834
+6339303364363166620a626134303835346130386238653232316663346633313631653164336336
+34653639363635663537356639646333616438336438333463656537326134343531393435663266
+64366333346130653730613865346134356161373237343539373965623036656231653939303365
+62326638666431333265343639326461313433656639393839396366633431616435393263336231
+66303634656536636165636462396637656331666336623734333139316533636664306262326566
+36616366663933613561336164386463393635636264613737316464666535366361613065363362
+30316566323663623133346130393032646237353934363531326530396263363130326638393032
+30633832663134613964323733623230363831636664373661633966366264373766326161623862
+39396331313231633237313735636261653531313961616230626565623633636638643936326237
+62333066366439643163336233353361343662326237376332396461393663623761613962333237
+65633039363636323235356632326563376163386161373362383466346339356463636437646262
+38313164393036393661336633373265303536316165623330643236313936666139376237366164
+31373364663136356139356433386132343630396531373961616131343333663463616262373439
+34393161323334333732383866653463656265393761346533663530613530313062626330356535
+65393037636665303564316536376531386561366466643961666439326462353864643635353934
+66616432303966643731386133613430313737356539386331623832656132663461393538363962
+64313935613063373832343862373734316634663333313835323836386466336663643661656436
+61353663646165623165663035383461376331373439666433386433376234613163396234373632
+61646230363163366338653332373834386534333436373737383463363335356436313463626333
+63393166316663323066323863373830393937353864376366313535663565613031643932383364
+62623633353662323965393563363261623564396632643662663032613032666162616132336130
+39376430663833303264306135643832383231623336613734373964653736376235653334333639
+63376661636561383236633365303031326630356661633062663564396133313633323738333539
+66303235613562313636343766356263383132643962393232396263393665666334633438383632
+38646635643030303464396634356161333836376364333361356461346664303563346463333838
+34356139373233313631653533356633643730663438646630373331313065363136663938306439
+38336563363966653632613436356530316234326365666438326635313537343665663233363731
+36646565393937326336626333383863656565323832303937323536346366303839633236663566
+32373632646463363634363031626635383233656361336532636366653434623562623937656137
+66303663316165633932643365623732323430376334303036303961396264303664616433356361
+64366135376232313265376563633163373933343066653939313433366539396163656163346663
+30626331333034316131343361636364653936373235623562336366336237353966613536316637
+61343530326139636365613434386263383430626663333932386431313164346532666562346537
+32623538353365383030396332386133343464643732653038623337353135663964643566396439
+64633435623763666461356331306539373638383034343735373765373333656562326338613763
+63633732373765316238633539316665623431616333363364316531306630343735393335616630
+36613362336566393866623566666430336639376662633233656130653837313161653462346335
+63396532663633393363626136373161303235613761373235633831393736343630353031613364
+32353463383934313961313638613533623638383062343936616336646431383935393938623138
+31383032326365333136666165633832333836346231636332353830336264636235383162356630
+38316137623935633863363162376239623932373233663663323830363162313665613830623763
+63656237343662616130326339386231376564613164666163393232653762613932343561343031
+66386431343139373734626430656139353635636233336236653438353066393732663637323435
+63303434376634366262646662616162343664666365373934346530343239653330356234373065
+31373934363731373136346665623334306631626134613334633135666461636462303164653662
+36323132376532613431653063643965636233373165333639323966663333633563303438396466
+64633761376164383835613038633630623439643364323232633437386334346138343361306638
+38626632326137303839306531633536643161656231636662383461373964646333303936343733
+36333863316162393134646563316235663164613062303734346662386466656461346364356564
+35326234336439623961383938316136633037343863363933616663366536613866666165376664
+30306438666365333333636632643832303463356533343033623938653365663732336164303033
+65653936363839323239306463366533653439663437343536393564336163313962313935636534
+34346330393637343834323931353762613839366166353139303535376230356466646261363464
+33386337616230623537376665663835373766316332363433313234326461313935636666363261
+30653433333436306564653461303165656163363331643536323535623062396561643662323334
+35626565616538396566363433363732656538313531636632643163633637303339656431346466
+61353030666638393361613833353532656130643866636135643434366562386363656434323366
+36343764316136316630353338363735646533346362386266643136626366356331656363393133
+35636633353662393435346365663432656166646136346331363563363539326162633166393164
+34303164353632373437613564336266373934396236383962376530613631633932626431333864
+64623439336638613337383763353531376133343436346330373362313034616166616537636366
+30306132613333633261326630323038323431643163373365376662623339396136313531366332
+66663037643036303836376632646132383563316262393438636432666661333836376663666130
+31316135366562633134306633333834636132623739373131626161633636313737646334376434
+33376337393630663338643366316465353266346365333830613533393139333235366237323339
+66346465313462373334316535383633343165373733313230373461366336353664306537306538
+32653538366565663764353031303763613835366461666163336665656436333563613835653438
+65376265303131376239616536353933346633393438643466343439643039313236373033323034
+64316364663139353664653564393262323565646235356431326331343433373639316234363938
+65633034666532306137353431613732663166323936356433323733376261386161383265663264
+35643038663565646135343233623530396165336263303931653037393934343833623337343834
+31343631343563626561393763356463393930616338623861363835343635376238653337653133
+31393834343536396536363533363739306639646333313836393331306566393534383265613234
+31623238306531383936343836336466343336396530633033323063346261366633343936316637
+30343165333861346635623934363537383531323637313461663964353338653639366562306236
+30363265393038633564626463393166333665396538663639346665353736336134643862663630
+62393037363963613263313939613865393066323830656362656464643730636535623639636131
+63343263333134336364323236656639613635323165383164636465353438653134646334643962
+35306463626336626664383638323865633631346437613139623239663538666363313237323663
+39323734353363643334343538303635366637373530383832393861346164666666306631643563
+63306565306337383539636330623933666266353635396238656435373563383830666636616335
+39386134383938626439366437383138303062333236306436336163393832613532303332303833
+39323539396235383765613234303765303136653064336361333035643365386232613766356362
+30656437376537623165626530623365393463626337383139663734396331396363396162383330
+31663636383037613563346330323063393637616334356439666263623662383666376265313732
+63343837306336313264313934653836363665616264396662633761363237366437653962626664
+38383462313435383133613465656435363563373765313361623565636564616236313666633264
+37393165386163393666376636343963333932346463303661373339303765303938636135323363
+35663731656431656330336366383330616163353934333564356633613165396463393066396533
+32396264653265333865643365346233633863333335383735396134663062343166656233613931
+35633133336337343531313266323663363830353236323035313031646434303761343737633139
+30343439323330353531633337353365363031666635653364326235316435383835663139376136
+39343361636662346166363432366162666631366431623563363936336164323836376232326162
+39316337343436386363643064653337613131346266353636333664373262326563386264303831
+65343534616464633232373532313865363732663235376534396436333531633261393066313263
+38316437643232336234343663666536353134626139623138636234396661613261326437303065
+36383331323061643632323339383530626430343132613039393434333939383065623464646362
+65303135313962613564666261356533313961323464623535393631613337663366626136343364
+61363035333636366439313961326462633463616237343133356437303234323363306337343237
+61376138323336663839623539633866313133346338313165623039336335663666313532636261
+36383332346636373936366632393364323331303866623533643062666361613133383262383538
+64343665333761326134303566656638633362643031306535333661623437636139353565623435
+39323631393132336636653731636264356637373031633037653466383163663865626339323731
+34623137386338343038373464613832363761643362623434373136376638663537623762646266
+63306439363039303461

group_vars/auweg

@@ -5,6 +5,8 @@ dhcpd_primary: 172.23.13.3
 
 dns_primary: 172.23.13.3
 
+doorlock_domain: lock-auweg.binary.kitchen
+
 name_servers:
 - 172.23.13.3
 

host_vars/aeron.binary.kitchen

@@ -3,4 +3,5 @@
 radius_hostname: radius3.binary.kitchen
 
 slapd_hostname: ldap3.binary.kitchen
+slapd_replica_id: 3
 slapd_role: slave

host_vars/argentum.binary-kitchen.net

@@ -0,0 +1,6 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyGAePGA47K+VNFcKdvcQG3xM3ywcnrVtUD7wPrIin1 christoph"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINIhrQu5sf9LYoQ6ll1ShqDMX8xpsV9RUiaSw95JGafH flo@io3"

host_vars/aveta.binary.kitchen

@@ -3,4 +3,5 @@
 radius_hostname: radius2.binary.kitchen
 
 slapd_hostname: ldap2.binary.kitchen
+slapd_replica_id: 2
 slapd_role: slave

host_vars/bacon.binary.kitchen

@@ -13,4 +13,5 @@ ntp_peers:
 radius_hostname: radius1.binary.kitchen
 
 slapd_hostname: ldap1.binary.kitchen
+slapd_replica_id: 1
 slapd_role: slave

host_vars/beryllium.binary-kitchen.net

@@ -1,5 +1,5 @@
 ---
 
 root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB+wC+Lik9TNbRo40+e2BmJzJY8EuwRiJzKKvGCHlMmagOmZVf+zUmjc1uMvrgoA4UPJyKlkW1HqRhKLmsoccD2wg1JLlnjx6KBhiPGjPt833eWv0CyfJVqoHVPUs14BwCRGzuFZPXh8LC1XWiDlo23RC0RgPpk+wcOzf79ZivYSL4UNMcBIMIKmPlRwBLRUUXjYU2jgv1mWvIQVdKRbwmLk7FajREANKiLj+Tk+D4VmkDq6gUqXZHYbyUauwrtpYSv2JM6YQYhWz+eNXIID1NmlopAf66RwFxAaane6qMUMSCQw3HUBL2BjFGgmmdJPvsEfrj+S1CYh61iC1NHmPhP6DDnQO7aiP6dWLnRXLg4qcUaN0XGNZmhScls/jNbN4U+w6gIlR12KyoCJOK4pXiifBiuqmFGucyETex1jdKoaLPeB8Smu4HkFksmRgTZHbiYVvkgI/iW9KjBBzxCc8cwehabUpQ0DVN4chpFiFNHb3SfCh6W/3IKFcu4ou4lbvVowq+v/M7aDhjSqGEBMS/HRMQ8KteNTngFBcpTzMPBz1RQIOqlWUGp8yqu1SwZ/ZG1nMyUehchfkw/n+ML676UYMCZX2m7hqWXVccCnJLzFApv+0Lzqf3TNSbeLS1N/MDdjg+uejtj1889/leIF1/CnaHIs7WJN1qmdeVGw== anti"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/fluorine.binary-kitchen.net

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"

host_vars/krypton.binary-kitchen.net

@@ -2,3 +2,4 @@
 
 root_keys_host:
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/lasagne.binary.kitchen

@@ -0,0 +1,11 @@
+---
+
+root_keys_host:
+- "# Thomas Basler"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
+- "# Ralf Ramsauer"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
+- "# Thomas Schmid"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
+
+uau_reboot: "false"

host_vars/lock-auweg.binary.kitchen

@@ -0,0 +1,5 @@
+---
+
+root_keys_host:
+- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAkXY3fQFMG7LkTBWtBNY7q7RCwb/R4Z8Y96e3pToddfXbtmtVxMZfd6hC+3kGt3NnPYDFmZf/RXblNBPwL/n8bEjA0bmfU60LMjFT0mG99bLU+5CgDxaSf34jzgtzLbHKqeSYxNpXNebbDZRw+cxuDjxJ+lYbc/hNQTy6hqKXUSQ25LAqplKVYbxlPWPxxKnJCvWj2pCdJGj1EK/Y+saafNOhA7uEPNt8HtWWNMhxNi+P9OkkLpYqRM8V0miR7aAYOY+RllMn+H5DIJg2gk319AHhlBDP7NXd/tmWg+bI7xYPDe9Q6gMrV8OnQmuNjWsLNhp8ktwQxpsv71t6ztXLpceIkV9yfDSeBpZG5QnsMOy/ua91S6hmMg4bIEBsqkPUYEwEIDFaV0TrlKeXMkU+ovthZnw0CWgV5KEWDHtuGu8nBBpks/geclh+0yqeFEaacnlTTNEhvCcp7vOsqDJnZSn1L4O6C+u/A4NJGRH7XQMWrXBdeTVIT9KLsdZJsoPIH8BRaw/qOYPY6wZzHcLvrsayUBBiiLDIN1lE/3OV70dKX7F0Q7hyl8o9EoGdEYnGBonWGC58hroiAE4FTVdWLKtHzHSG2AdTWf53sJzGVEh5swm44KD/Dh52bE4YjUxC0b68Twb3/L1QpH8KZNUVEcRNmiRshefMPSXbPv3bNzc= 20170818Tobias@Teubl.de"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

host_vars/magnesium.binary-kitchen.net

@@ -0,0 +1,3 @@
+---
+
+acertmgr_mode: standalone

host_vars/molybdenum.binary-kitchen.net

@@ -4,3 +4,4 @@ grafana_domain: zelle.binary-kitchen.de
 
 root_keys_host:
 - "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

host_vars/oxygen.binary-kitchen.net

@@ -1,3 +1,4 @@
 ---
 
-uau_reboot: "false"
+sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
+sshd_password_authentication: "yes"

host_vars/pancake.binary.kitchen

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/pizza.binary.kitchen

@@ -4,8 +4,7 @@ root_keys_host:
 - "# Thomas Basler"
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
 - "# Ralf Ramsauer"
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2bKOm2jd2QsPaJPE4V3bHBLjXB3pnpggkdEhf03aFvB08C72vKQcHpIYNhp8DLBr4N5epA0JP1cXdRSdKhQgzYbqL8CQgOJoNwf0OeOhFyXdThu1OqmaRMrRGlB/Q+sqBEXaknHqcXzq+24zkR+ID7sGkq7WaIKPln0qNY5RxWYrPE98ZhU5fZh1Qorcv34UBHYhVP4y8vM43LHcbkLgr0gg9tb2vItF6YvyIxgtz6KCODObzBZfkLLnVhVcb9VWbDh72rIz4OXI1fl+mCCH2l7XlqKP1vhF5LVsUjPcGY3Go0fw2vHIyxWe479OJ/9elFnKRIUY/f1Xz+YikLTmj ralf@YUBIKEY"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
 - "# Thomas Schmid"
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
 

host_vars/rhodium.binary-kitchen.net

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

host_vars/ruthenium.binary-kitchen.net

@@ -2,6 +2,6 @@
 
 root_keys_host:
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
 
 uau_reboot: "false"

host_vars/strontium.binary-kitchen.net

@@ -1,4 +0,0 @@
----
-
-root_keys_host:
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkN1eqP1Mv29z0npVznVJ4Cumyf4EoqS44xHKl0ms0e timo@charon"

host_vars/sulis.binary.kitchen

@@ -0,0 +1,4 @@
+---
+
+sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
+sshd_password_authentication: "yes"

host_vars/technetium.binary-kitchen.net

@@ -1,4 +1,5 @@
 ---
 
 root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcoIXTF0RtzM2vDir8axegFpLKNxGJyYNLj2triQm59GIvNRPHG/nBoaDcUwRT5b6Ew91KMw6iT1eI0n9oKbTMHZHvdSLLUmNmZT4z4JQOQm0n415ZW9m1r3R3S8sAxiLQ+5U91xnbHlzfuBKvpI56RLZNbkhAcqw9kS/UasO0UAFpdGL5CBnbJt0KPb4C9cYUM6H4clZFpWVDdK3+6gh+/Jx9QPmpPv0wfWI7z0fvQYUcXDFLjPh8CFK7BOcPZcv4V4bl5Tq1dTURMLaueTD0F5Ygn7cxKaDNvql4EIPDZaRCEz3cIvFB7435emRgZC54YmhWIYC+oJrLTlMCrYKhISLtWg92EcE/aCUNL0V+n1EK5dkds+AY/eDiyP58ArAHNsopXmcHiko3goyZyEK5Y0tJ5sA9L4Q0mgLz/rW1CsZHcpiYU9yKpDRscbf3DDlFMzMYG8O9JufgcyF+GFhxIhXesfjJ4gDNepaYhd/qutwThip027cKtoczLAMR2xbT6bUYr7KKmxvXVlP7Epkfi3N2cj/Wx9gAm1qIs1yjcWCe71k1QMC+dTNTV+T9Ch5d1lji7lGOKDl70rB/WytdISVlEJr8TviBk27oldCuC1WCPGjRxWeGv5uVxE9O7nQh0dxox+HFssa7ENuDR9LEd9O6Zvuf09pzDASB0PjFyw== bedah@binary-kitchen.de"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBMLLlnlzbf5GTes2QrxuOTAR0BWTtbqQS80yPfI0mbh timo@styx"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7oyUa65KoSuv9l8tH/zVgZZ5mg5P45RIhlRZSt/amL x70b1"

host_vars/tschunk.binary.kitchen

@@ -0,0 +1,7 @@
+---
+
+root_keys_host:
+- "# Thomas Schmid"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
+
+uau_reboot: "true"

host_vars/yttrium.binary-kitchen.net

@@ -1,5 +1,6 @@
 ---
 
 root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDetxImx0c/Fald9Y2wIHNJCi356rfskVUBT/SGH64N1HVZGBZhlWkeKJkCCufm3jLXdjJrlFDFlP0EjbohR6SP3VVf8Z7zAoazCtxWq0dyjPDvOjUrIuBeILbXZu0Q+qmFHPwvp5vR2wWFUwNLl1Te3CNSzQnn2KxOXfeZ56cDogzonlxh5JXDd0JWpINAuLp7uR6IshfmEMKsyCGjqzMUJ9YCztzkI9TJYDc4xitmQTvea44hRhyeIRf2ip8YlHnEIpJ9i712CQ5UEHBZUfy2gZwoLW0yYy9HJucF2A5gzvoUQ1wjA9/irlGiabKq6rOyT4ezBSoZZLEBIa6GU4qKMc1rE4Hnifi0AUnQ+4MqrCCu2QTJGNvyYzNt2XtkjakN3gtlz5xCsYV08PEB4VjAFVIa1yku66UblAW5KqixfE4mU7Z29b8faF5Ld7XO1tlNgiuHih7+JoQiwJ+auULYwRX1C2v6fAEU3PGU73VT3TZJTa5IS+fkTWzn643atxklP6Lmo8hrZIS0NXIr22OP1zYuCZm5/JLDhe0qOCYd8YQU2dNww4OUZ1uMLNOM+0UJvCHbWdjw8amR58yO5W83xp0qLHGUFjDpgvuP4ius4gvwjlhFdSVYRGwr2intLitXvOf3btjBJKUDIN0VM4MFzkvyUyCOgBgEkdCBvI7g4w== philmacfly"
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8MB80WTE9ZW/mGRdPWjkpiupvoSGVnmK9wvOqm6xpwDwZkD52RGfiWQW2IbJObCLGJxoigSi4lVvrJD6MWjXAsj5Foq1H3Ok+xJET2zfWMf4s/0uStSS9kaJ/gI6Qd5jMsnz1xATTInWAHIK7u3I4trt81FWkXQdfRSNC0mPh/PYBsXzwgx/m5s3o1nUtcIBXFZUeGNnhSSf1As0Wi0Bsv3GXIIDH4b4cIi7aGHqGuaes2cTUW1r0RspUVI139Gx2O4mgv4JE/n61t/4AzfYGoaszoqPCHQt5LR8Wd/XIaPLwnM1kzo4QVqNgqkY/awryt9IPoAFqJBbIvP0Bt3irGOPrdl7e7KcV55a9gPpCmz+bVaQO2oBmQ34AsZFg9tCP26OmViQu0Lx14vWWYDFkxzCxCDDngo6+f+e5AsyAjO2pHz/ZKv/VE5P3y8CnadHG88cO0qeoI6VH4jjGk5GYYrVD4BHf8StlvAg8unwMlYchuvaKLtQyQXFW40ww4VDdPo6KSv5T5a6SozEzRtN2QKRLyxIz68xVnKYq4TanR2lsm6wecUSriV48qscglokcTKJspWD29DQ62dMt5xFDtM8i9dE8W3SUePB8qPTBK9LUrO8PkGjb0X/RgMZB5bCWBmz4I1G1X+9Y8OLpr4NKGP9UFntYtJ3tpMCHtPgf4Q== philmacfly"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

hosts

@@ -9,11 +9,14 @@ pizza.binary.kitchen ansible_host=172.23.2.33
 pancake.binary.kitchen ansible_host=172.23.2.34
 knoedel.binary.kitchen ansible_host=172.23.2.35
 bob.binary.kitchen ansible_host=172.23.2.37
+lasagne.binary.kitchen ansible_host=172.23.2.38
+tschunk.binary.kitchen ansible_host=172.23.2.39
 bowle.binary.kitchen ansible_host=172.23.2.62
 salat.binary.kitchen ansible_host=172.23.9.61
 [auweg]
-aeron.binary.kitchen ansible_host=172.23.13.3
 weizen.binary.kitchen ansible_host=172.23.12.61
+aeron.binary.kitchen ansible_host=172.23.13.3
+lock-auweg.binary.kitchen ansible_host=172.23.13.12
 [fan_rz]
 helium.binary-kitchen.net
 lithium.binary-kitchen.net
@@ -25,10 +28,16 @@ oxygen.binary-kitchen.net
 fluorine.binary-kitchen.net
 neon.binary-kitchen.net
 sodium.binary-kitchen.net
+magnesium.binary-kitchen.net
+aluminium.binary-kitchen.net
 krypton.binary-kitchen.net
 yttrium.binary-kitchen.net
 zirconium.binary-kitchen.net
 molybdenum.binary-kitchen.net
+technetium.binary-kitchen.net
 ruthenium.binary-kitchen.net
 rhodium.binary-kitchen.net
+palladium.binary-kitchen.net
+argentum.binary-kitchen.net
+cadmium.binary-kitchen.net
 barium.binary-kitchen.net

roles/23b/handlers/main.yml

@@ -3,11 +3,11 @@
 - name: Reload systemd
   systemd: daemon_reload=yes
 
-- name: Run acertmgr
-  command: /usr/bin/acertmgr
-
-- name: Restart drone
-  service: name=drone state=restarted
+- name: Restart 23b
+  service: name=23b state=restarted
 
 - name: Restart nginx
   service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/23b/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+    - docker-compose
+
+- name: Create 23b group
+  group: name=23b
+
+- name: Create 23b user
+  user:
+    name: 23b
+    home: /opt/23b
+    shell: /bin/bash
+    group: 23b
+    groups: docker
+
+# docker-compolse.yml is managed outside ansible
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ bk23b_domain }}.key -out /etc/nginx/ssl/{{ bk23b_domain }}.crt -days 730 -subj "/CN={{ bk23b_domain }}" creates=/etc/nginx/ssl/{{ bk23b_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for 23b
+  template: src=certs.j2 dest=/etc/acertmgr/{{ bk23b_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/23b
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/23b dest=/etc/nginx/sites-enabled/23b state=link
+  notify: Restart nginx
+
+- name: Systemd unit for 23b
+  template: src=23b.service.j2 dest=/etc/systemd/system/23b.service
+  notify:
+  - Reload systemd
+  - Restart 23b
+
+- name: Start the 23b service
+  service: name=23b state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ bk23b_domain }}"

roles/23b/templates/23b.service.j2

@@ -0,0 +1,28 @@
+[Unit]
+Description=23b service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
+
+[Service]
+Type=simple
+
+User=23b
+Group=23b
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/23b/23b/23b
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose down -v
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
+
+[Install]
+WantedBy=multi-user.target

roles/23b/templates/certs.j2

@@ -1,13 +1,13 @@
 ---
 
-{{ drone_domain }}:
-- path: /etc/nginx/ssl/{{ drone_domain }}.key
+{{ bk23b_domain }}:
+- path: /etc/nginx/ssl/{{ bk23b_domain }}.key
   user: root
   group: root
   perm: '400'
   format: key
   action: '/usr/sbin/service nginx restart'
-- path: /etc/nginx/ssl/{{ drone_domain }}.crt
+- path: /etc/nginx/ssl/{{ bk23b_domain }}.crt
   user: root
   group: root
   perm: '400'

roles/23b/templates/vhost.j2

@@ -0,0 +1,36 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ bk23b_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ bk23b_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ bk23b_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ bk23b_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ bk23b_domain }}.crt;
+
+	# set max upload size
+	client_max_body_size 8M;
+
+	location / {
+		proxy_pass http://localhost:5000;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+}

roles/act_runner/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+
+actrunner_user: act_runner
+actrunner_group: act_runner
+
+actrunner_version: 0.2.10
+actrunner_url: https://gitea.com/gitea/act_runner/releases/download/v{{ actrunner_version }}/act_runner-{{ actrunner_version }}-linux-amd64

roles/act_runner/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart act_runner
+  service: name=act_runner state=restarted

roles/act_runner/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+
+- name: Create group
+  group: name={{ actrunner_group }}
+
+- name: Create user
+  user: name={{ actrunner_user }} home=/var/lib/act_runner group={{ actrunner_group }} groups=docker
+
+- name: Create directories
+  file: path={{ item }} state=directory owner={{ actrunner_user }} group={{ actrunner_group }}
+  with_items:
+  - /etc/act_runner
+  - /var/lib/act_runner
+
+- name: Download act_runner binary
+  get_url: url={{ actrunner_url }} dest=/usr/local/bin/act_runner-{{ actrunner_version }} mode=0755
+  register: runner_download
+
+- name: Symlink act_runner binary
+  file: src=/usr/local/bin/act_runner-{{ actrunner_version }} dest=/usr/local/bin/act_runner state=link
+  when: runner_download.changed
+  notify: Restart act_runner
+
+- name: Configure act_runner
+  template: src=config.yaml.j2 dest=/etc/act_runner/config.yaml owner={{ actrunner_user }} group={{ actrunner_group }}
+  notify: Restart act_runner
+
+- name: Install systemd unit
+  template: src=act_runner.service.j2 dest=/lib/systemd/system/act_runner.service
+  notify:
+  - Reload systemd
+  - Restart act_runner
+
+- name: Enable act_runner
+  service: name=act_runner state=started enabled=yes

roles/act_runner/templates/act_runner.service.j2

@@ -0,0 +1,16 @@
+[Unit]
+Description=Gitea Actions runner
+Documentation=https://gitea.com/gitea/act_runner
+After=docker.service
+
+[Service]
+ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
+ExecReload=/bin/kill -s HUP $MAINPID
+WorkingDirectory=/var/lib/act_runner
+TimeoutSec=0
+RestartSec=10
+Restart=always
+User={{ actrunner_user }}
+
+[Install]
+WantedBy=multi-user.target

roles/act_runner/templates/config.yaml.j2

@@ -0,0 +1,86 @@
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: warn
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 4
+  # Extra environment variables to run jobs.
+  envs:
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+  env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `deamon`, will use labels in `.runner` file.
+  labels: [
+    "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest",
+    "ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04",
+    "ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04",
+  ]
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: ""
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 0
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: ""
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+  # Pull docker image(s) even if already present
+  force_pull: false
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:

roles/authentik/handlers/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart authentik
+  service: name=authentik state=restarted
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/authentik/tasks/main.yml

@@ -0,0 +1,51 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+    - docker-compose
+
+- name: Create authentik group
+  group: name=authentik
+
+- name: Create authentik user
+  user:
+    name: authentik
+    home: /opt/authentik
+    shell: /bin/bash
+    group: authentik
+    groups: docker
+
+- name: Configure authentik container
+  template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml
+  notify: Restart authentik
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ authentik_domain }}.key -out /etc/nginx/ssl/{{ authentik_domain }}.crt -days 730 -subj "/CN={{ authentik_domain }}" creates=/etc/nginx/ssl/{{ authentik_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for authentik
+  template: src=certs.j2 dest=/etc/acertmgr/{{ authentik_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/authentik
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/authentik dest=/etc/nginx/sites-enabled/authentik state=link
+  notify: Restart nginx
+
+- name: Systemd unit for authentik
+  template: src=authentik.service.j2 dest=/etc/systemd/system/authentik.service
+  notify:
+  - Reload systemd
+  - Restart authentik
+
+- name: Start the authentik service
+  service: name=authentik state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ authentik_domain }}"

roles/authentik/templates/authentik.service.j2

@@ -0,0 +1,28 @@
+[Unit]
+Description=authentik service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
+
+[Service]
+Type=simple
+
+User=authentik
+Group=authentik
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/authentik
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose down -v
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
+
+[Install]
+WantedBy=multi-user.target

roles/authentik/templates/certs.j2

@@ -0,0 +1,15 @@
+---
+
+{{ authentik_domain }}:
+- path: /etc/nginx/ssl/{{ authentik_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ authentik_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'

roles/authentik/templates/docker-compose.yml.j2

@@ -0,0 +1,75 @@
+---
+version: "3.4"
+services:
+  postgresql:
+    image: docker.io/library/postgres:12-alpine
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - ./database:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: {{ authentik_dbpass }}
+      POSTGRES_USER: {{ authentik_dbuser }}
+      POSTGRES_DB: {{ authentik_dbname }}
+  redis:
+    image: docker.io/library/redis:alpine
+    command: --save 60 1 --loglevel warning
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - ./redis:/data
+  server:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
+    restart: unless-stopped
+    command: server
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
+      AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
+      AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
+      AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
+    volumes:
+      - ./media:/media
+      - ./custom-templates:/templates
+    ports:
+      - "127.0.0.1:9000:9000"
+    depends_on:
+      - postgresql
+      - redis
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
+    restart: unless-stopped
+    command: worker
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
+      AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
+      AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
+      AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
+    # `user: root` and the docker socket volume are optional.
+    # See more for the docker socket integration here:
+    # https://goauthentik.io/docs/outposts/integrations/docker
+    # Removing `user: root` also prevents the worker from fixing the permissions
+    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+    # (1000:1000 by default)
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./media:/media
+      - ./certs:/certs
+      - ./custom-templates:/templates
+    depends_on:
+      - postgresql
+      - redis

roles/authentik/templates/vhost.j2

@@ -0,0 +1,41 @@
+map $http_upgrade $connection_upgrade {
+	default	upgrade;
+	''	close;
+}
+
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ authentik_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ authentik_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ authentik_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ authentik_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ authentik_domain }}.crt;
+
+	location / {
+		proxy_pass http://localhost:9000;
+		proxy_http_version 1.1;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade;
+	}
+}

roles/bk_dss/defaults/main.yml

@@ -1,4 +1,4 @@
 ---
 
 dss_uwsgi_port: 5001
-dss_version: 0.8.4
+dss_version: 0.8.5

roles/bk_dss/tasks/main.yml

@@ -44,3 +44,8 @@
 - name: Enable vhosts
   file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
   notify: Restart nginx
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ dss_domain }}"

roles/bk_dss/templates/config.cfg.j2

@@ -1,12 +1,14 @@
 DEBUG = True
+REMEMBER_COOKIE_SECURE = True
 SECRET_KEY = "{{ dss_secret }}"
+SESSION_COOKIE_SECURE = True
 SESSION_TIMEOUT = 3600
 
 LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
 LDAP_URI = "{{ ldap_uri }}"
 LDAP_BASE = "{{ ldap_base }}"
 
-ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=marove,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
+ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=anke,ou=people,dc=binary-kitchen,dc=de", "cn=toffy,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
 
 USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
 
@@ -28,7 +30,7 @@ USER_ATTRS = {
 	'userPassword' : '{pass}'
 }
 
-GROUP_DN = 'cn=members,ou=groups,dc=binary-kitchen,dc=de'
+GROUP_FILTER = "(objectClass=posixGroup)"
 
 REDIS_HOST = "127.0.0.1"
 REDIS_PASSWD = None

roles/common/defaults/main.yml

@@ -6,3 +6,6 @@ logrotate_excludes:
 - "/etc/logrotate.d/dbconfig-common"
 - "/etc/logrotate.d/btmp"
 - "/etc/logrotate.d/wtmp"
+
+sshd_password_authentication: "no"
+sshd_permit_root_login: "prohibit-password"

roles/common/handlers/main.yml

@@ -6,6 +6,9 @@
 - name: Restart journald
   service: name=systemd-journald state=restarted
 
+- name: Restart sshd
+  service: name=sshd state=restarted
+
 - name: update-grub
   command: update-grub
 

roles/common/tasks/Debian.yml

@@ -5,6 +5,7 @@
     name:
     - apt-transport-https
     - dnsutils
+    - fdisk
     - gnupg2
     - htop
     - less
@@ -15,6 +16,7 @@
     - rsync
     - sudo
     - vim-nox
+    - wget
     - zsh
 
 - name: Install software on KVM VMs
@@ -101,3 +103,12 @@
     regexp: "rotate [0-9]+"
     replace: "rotate 7"
   loop: "{{ logrotateconfigpaths }}"
+
+- name: Configure sshd
+  template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart sshd

roles/common/templates/chrony.conf.j2

@@ -1,6 +1,9 @@
 # Welcome to the chrony configuration file. See chrony.conf(5) for more
 # information about usable directives.
 
+# Include configuration files found in /etc/chrony/conf.d.
+confdir /etc/chrony/conf.d
+
 {% for srv in ntp_servers %}
 server {{ srv }} iburst
 {% endfor %}
@@ -23,6 +26,9 @@ keyfile /etc/chrony/chrony.keys
 # information.
 driftfile /var/lib/chrony/chrony.drift
 
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
 # Uncomment the following line to turn logging on.
 #log tracking measurements statistics
 
@@ -33,7 +39,7 @@ logdir /var/log/chrony
 maxupdateskew 100.0
 
 # This directive enables kernel synchronisation (every 11 minutes) of the
-# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
 rtcsync
 
 # Step the system clock instead of slewing it if the adjustment is larger than

roles/common/templates/sshd_config.j2

@@ -0,0 +1,132 @@
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin {{ sshd_permit_root_login }}
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+{% if sshd_authkeys_command is defined and sshd_authkeys_command %}
+AuthorizedKeysCommand {{ sshd_authkeys_command }}
+{%   if sshd_authkeys_user is defined and sshd_authkeys_user %}
+AuthorizedKeysCommandUser {{ sshd_authkeys_user }}
+{%   else %}
+AuthorizedKeysCommandUser nobody
+{%   endif %}
+{% else %}
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+{% endif %}
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication {{ sshd_password_authentication }}
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server

roles/coturn/handlers/main.yml

@@ -1,4 +1,10 @@
 ---
 
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
 - name: Restart coturn
   service: name=coturn state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/coturn/meta/main.yml

@@ -0,0 +1,4 @@
+---
+
+dependencies:
+- { role: acertmgr }

roles/coturn/tasks/main.yml

@@ -3,6 +3,28 @@
 - name: Install coturn
   apt: name=coturn
 
+- name: Create coturn service override directory
+  file: path=/etc/systemd/system/coturn.service.d state=directory
+
+- name: Configure coturn service override
+  template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
+  notify:
+  - Reload systemd
+  - Restart coturn
+
+- name: Create gitea directories
+  file: path={{ item }} state=directory owner=turnserver
+  with_items:
+  - /etc/turnserver
+  - /etc/turnserver/certs
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
+
+- name: Configure certificate manager
+  template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
+  notify: Run acertmgr
+
 - name: Configure coturn
   template: src={{ item }}.j2 dest=/etc/{{ item }}
   with_items:

roles/coturn/templates/certs.j2

@@ -0,0 +1,15 @@
+---
+
+{{ coturn_realm }}:
+- path: /etc/turnserver/certs/{{ coturn_realm }}.key
+  user: turnserver
+  group: turnserver
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service coturn restart'
+- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
+  user: turnserver
+  group: turnserver
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service coturn restart'

roles/coturn/templates/coturn.override.j2

@@ -0,0 +1,2 @@
+[Service]
+AmbientCapabilities=CAP_NET_BIND_SERVICE

roles/coturn/templates/turnserver.conf.j2

@@ -15,7 +15,7 @@
 # Note: actually, TLS & DTLS sessions can connect to the
 # "plain" TCP & UDP port(s), too - if allowed by configuration.
 #
-#listening-port=3478
+listening-port=443
 
 # TURN listener port for TLS (Default: 5349).
 # Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
@@ -27,7 +27,7 @@
 # TLS version 1.0, 1.1 and 1.2.
 # For secure UDP connections, Coturn supports DTLS version 1.
 #
-#tls-listening-port=5349
+tls-listening-port=443
 
 # Alternative listening port for UDP and TCP listeners;
 # default (or zero) value means "listening port plus one".
@@ -125,7 +125,10 @@
 #
 # By default, this value is empty, and no address mapping is used.
 #
-#external-ip=60.70.80.91
+external-ip={{ ansible_default_ipv4.address }}
+{% if ansible_default_ipv6.address is defined %}
+external-ip={{ ansible_default_ipv6.address }}
+{% endif %}
 #
 #OR:
 #
@@ -399,17 +402,17 @@ realm={{ coturn_realm }}
 # Uncomment if no TCP client listener is desired.
 # By default TCP client listener is always started.
 #
-no-tcp
+#no-tcp
 
 # Uncomment if no TLS client listener is desired.
 # By default TLS client listener is always started.
 #
-no-tls
+#no-tls
 
 # Uncomment if no DTLS client listener is desired.
 # By default DTLS client listener is always started.
 #
-no-dtls
+#no-dtls
 
 # Uncomment if no UDP relay endpoints are allowed.
 # By default UDP relay endpoints are enabled (like in RFC 5766).
@@ -746,6 +749,6 @@ mobility
 
 # Do not allow an TLS/DTLS version of protocol
 #
-no-tlsv1
-no-tlsv1_1
-no-tlsv1_2
+#no-tlsv1
+#no-tlsv1_1
+#no-tlsv1_2

roles/dhcpd/templates/dhcp/dhcpd.conf.j2

@@ -107,7 +107,6 @@ subnet 172.23.13.0 netmask 255.255.255.0 {
 # Users Auweg
 subnet 172.23.14.0 netmask 255.255.255.0 {
   option routers 172.23.14.1;
-  ddns-domainname "users.binary.kitchen";
   option domain-search "binary.kitchen", "users.binary.kitchen";
   pool {
 {% if dhcpd_failover == true %}
@@ -119,7 +118,7 @@ subnet 172.23.14.0 netmask 255.255.255.0 {
 
 # MQTT Auweg
 subnet 172.23.15.0 netmask 255.255.255.0 {
-  option routers 172.23.4.1;
+  option routers 172.23.15.1;
   pool {
 {% if dhcpd_failover == true %}
     failover peer "failover-partner";
@@ -143,7 +142,7 @@ host ap01 {
 }
 
 host ap04 {
-  hardware ethernet 44:48:c1:ce:90:06;
+  hardware ethernet 74:9e:75:ce:93:54;
   fixed-address ap04.binary.kitchen;
 }
 

roles/dns_extern/templates/pdns.conf.j2

@@ -1,5 +1,4 @@
-local-address=0.0.0.0
-local-ipv6=::
+local-address=0.0.0.0, ::
 launch=gsqlite3
 gsqlite3-dnssec
 gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3

roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2

@@ -1,7 +1,7 @@
 $ORIGIN 23.172.in-addr.arpa.	; base for unqualified names
 $TTL 1h				; default time-to-live
 @				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
-					2021120101; serial
+					2024051300; serial
 					1d; refresh
 					2h; retry
 					4w; expire
@@ -11,7 +11,7 @@ $TTL 1h				; default time-to-live
 				IN	NS	ns2.binary.kitchen.
 ; Loopback
 1.0				IN	PTR	core.binary.kitchen.
-2.0				IN	PTR	erx-bk.binary.kitchen.
+2.0				IN	PTR	rt-w13b.binary.kitchen.
 3.0				IN	PTR	erx-rz.binary.kitchen.
 4.0				IN	PTR	erx-auweg.binary.kitchen.
 ; Management
@@ -50,6 +50,8 @@ $TTL 1h				; default time-to-live
 35.2				IN	PTR	knoedel.binary.kitchen.
 36.2				IN	PTR	schweinshaxn.binary.kitchen.
 37.2				IN	PTR	bob.binary.kitchen.
+38.2				IN	PTR	lasagne.binary.kitchen.
+39.2				IN	PTR	tschunk.binary.kitchen.
 62.2				IN	PTR	bowle.binary.kitchen.
 91.2				IN	PTR	strammermax.binary.kitchen.
 92.2				IN	PTR	obatzda.binary.kitchen.
@@ -67,6 +69,7 @@ $GENERATE 10-230 $.3		IN	PTR	dhcp-${0,3,d}-03.binary.kitchen.
 ; MQTT
 1.4				IN	PTR	v2304.core.binary.kitchen.
 6.4				IN	PTR	pizza.mqtt.binary.kitchen.
+7.4				IN	PTR	lasagne.mqtt.binary.kitchen.
 $GENERATE 10-240 $.4		IN	PTR	dhcp-${0,3,d}-04.binary.kitchen.
 241.4				IN	PTR	habdisplay1.mqtt.binary.kitchen.
 242.4				IN	PTR	habdisplay2.mqtt.binary.kitchen.
@@ -91,6 +94,7 @@ $GENERATE 2-254 $.10		IN	PTR	vpn-${0,3,d}-10.binary.kitchen.
 111.12				IN	PTR	rfp11.binary.kitchen.
 ; Services Auweg
 3.13				IN	PTR	aeron.binary.kitchen.
+12.13				IN	PTR	lock-auweg.binary.kitchen.
 ; Clients Auweg
 $GENERATE 10-230 $.14		IN	PTR	dhcp-${0,3,d}-14.binary.kitchen.
 ; MQTT

roles/dns_intern/templates/bind/binary.kitchen.zone.j2

@@ -1,7 +1,7 @@
 $ORIGIN binary.kitchen		; base for unqualified names
 $TTL 1h				; default time-to-live
 @				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
-					2021120101; serial
+					2024051300; serial
 					1d; refresh
 					2h; retry
 					4w; expire
@@ -30,12 +30,11 @@ netbox				IN	A	172.23.2.7
 ns1				IN	A	172.23.2.3
 ns2				IN	A	172.23.2.4
 omm				IN	A	172.23.2.35
-racktables			IN	A	172.23.2.6
 radius				IN	A	172.23.2.3
 radius				IN	A	172.23.2.4
 ; Loopback
 core				IN	A	172.23.0.1
-erx-bk				IN	A	172.23.0.2
+rt-w13b				IN	A	172.23.0.2
 erx-rz				IN	A	172.23.0.3
 erx-auweg			IN	A	172.23.0.4
 ; Management
@@ -74,6 +73,8 @@ pancake				IN	A	172.23.2.34
 knoedel				IN	A	172.23.2.35
 schweinshaxn			IN	A	172.23.2.36
 bob				IN	A	172.23.2.37
+lasagne				IN	A	172.23.2.38
+tschunk				IN	A	172.23.2.39
 bowle				IN	A	172.23.2.62
 strammermax			IN	A	172.23.2.91
 obatzda				IN	A	172.23.2.92
@@ -91,6 +92,7 @@ noodlehub			IN	A	172.23.3.251
 ; MQTT
 v2304.core			IN	A	172.23.4.1
 pizza.mqtt			IN	A	172.23.4.6
+lasagne.mqtt			IN	A	172.23.4.7
 $GENERATE 10-240 dhcp-${0,3,d}-04	IN	A	172.23.4.$
 habdisplay1.mqtt		IN	A	172.23.4.241
 habdisplay2.mqtt		IN	A	172.23.4.242
@@ -112,6 +114,7 @@ weizen				IN	A	172.23.12.61
 rfp11				IN	A	172.23.12.111
 ; Services Auweg
 aeron				IN	A	172.23.13.3
+lock-auweg			IN	A	172.23.13.12
 ; Clients Auweg
 $GENERATE 10-230 dhcp-${0,3,d}-14	IN	A	172.23.14.$
 ; MQTT Auweg

roles/dns_intern/templates/dnsdist.conf.j2

@@ -10,11 +10,11 @@ newServer({address='127.0.0.1:5353', pool='resolve'})
 
 {% if dns_secondary is defined %}
 -- allow AXFR/IXFR only from slaves
-addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
+addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
 {% endif %}
 
 -- allow NOTIFY only from master
-addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
+addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
 
 -- use auth servers for own zones
 addAction('binary.kitchen', PoolAction('authdns'))

roles/dns_intern/templates/pdns.conf.j2

@@ -26,12 +26,6 @@ launch=bind,gsqlite3
 # local-address=0.0.0.0
 local-address=127.0.0.1
 
-#################################
-# local-ipv6	Local IP address to which we bind
-#
-# local-ipv6=::
-local-ipv6=
-
 #################################
 # local-port	The port on which we listen
 #

roles/dns_intern/templates/recursor.conf.j2

@@ -11,9 +11,9 @@
 config-dir=/etc/powerdns
 
 #################################
-# dnssec	DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
+# dnssec	DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate
 #
-# dnssec=process-no-validate
+# dnssec=process
 dnssec=off
 
 #################################

roles/docker/tasks/main.yml

@@ -1,17 +1,10 @@
 ---
 
-- name: Enable docker apt-key
-  apt_key: url='https://download.docker.com/linux/debian/gpg'
-
-- name: Enable docker repository
-  apt_repository:
-    repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
-    filename: docker
-
 - name: Install docker
   apt:
     name:
-    - docker-ce
-    - docker-ce-cli
-    - containerd.io
+    - docker.io
     - python3-docker
+
+- name: Enable docker
+  service: name=docker state=started enabled=yes

roles/doorlock/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
+- name: Restart nginx
+  service: name=nginx state=restarted

roles/doorlock/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/doorlock/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- name: Ensure certificates are available
+  command:
+    cmd: >
+      openssl req -x509 -nodes -newkey rsa:2048
+      -keyout /etc/nginx/ssl/{{ doorlock_domain }}.key -out /etc/nginx/ssl/{{ doorlock_domain }}.crt
+      -days 730 -subj "/CN={{ doorlock_domain }}"
+    creates: /etc/nginx/ssl/{{ doorlock_domain }}.crt
+  notify: Restart nginx
+
+- name: Request nsupdate key for certificate
+  include_role: name=acme-dnskey-generate
+  vars:
+    acme_dnskey_san_domains:
+    - "{{ doorlock_domain }}"
+
+- name: Configure certificate manager for doorlock
+  template: src=certs.j2 dest=/etc/acertmgr/{{ doorlock_domain }}.conf
+  notify: Run acertmgr

roles/doorlock/templates/certs.j2

@@ -0,0 +1,18 @@
+---
+
+{{ doorlock_domain }}:
+- mode: dns.nsupdate
+  nsupdate_server: {{ acme_dnskey_server }}
+  nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ doorlock_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ doorlock_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'

roles/drone/files/drone.service

@@ -1,14 +0,0 @@
-[Unit]
-Description=drone.io server
-After=network-online.target
-
-[Service]
-Type=simple
-User=drone
-EnvironmentFile=/etc/default/drone
-ExecStart=/opt/drone/bin/drone-server
-Restart=always
-RestartSec=5s
-
-[Install]
-WantedBy=multi-user.target

roles/drone/tasks/main.yml

@@ -1,52 +0,0 @@
----
-
-- name: Create user
-  user: name=drone
-
-# TODO install drone to /opt/drone/bin
-# currently it is manually compiled
-
-- name: Configure drone
-  template: src=drone.j2 dest=/etc/default/drone
-  notify: Restart drone
-
-- name: Install PostgreSQL
-  apt:
-    name:
-    - postgresql
-    - python3-psycopg2
-
-- name: Configure PostgreSQL database
-  postgresql_db: name={{ drone_dbname }}
-  become: true
-  become_user: postgres
-
-- name: Configure PostgreSQL user
-  postgresql_user: db={{ drone_dbname }} name={{ drone_dbuser }} password={{ drone_dbpass }} priv=ALL state=present
-  become: true
-  become_user: postgres
-
-- name: Ensure certificates are available
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ drone_domain }}.key -out /etc/nginx/ssl/{{ drone_domain }}.crt -days 730 -subj "/CN={{ drone_domain }}" creates=/etc/nginx/ssl/{{ drone_domain }}.crt
-  notify: Restart nginx
-
-- name: Configure certificate manager for drone
-  template: src=certs.j2 dest=/etc/acertmgr/{{ drone_domain }}.conf
-  notify: Run acertmgr
-
-- name: Configure vhost
-  template: src=vhost.j2 dest=/etc/nginx/sites-available/drone
-  notify: Restart nginx
-
-- name: Enable vhost
-  file: src=/etc/nginx/sites-available/drone dest=/etc/nginx/sites-enabled/drone state=link
-  notify: Restart nginx
-
-- name: Install systemd unit
-  copy: src=drone.service dest=/lib/systemd/system/drone.service
-  notify:
-  - Reload systemd
-  - Restart drone
-
-- name: Enable drone
-  service: name=drone enabled=yes

roles/drone/templates/drone.j2

@@ -1,10 +0,0 @@
-DRONE_AGENTS_ENABLED=true
-DRONE_DATABASE_DATASOURCE=postgres://{{ drone_dbuser }}:{{ drone_dbpass }}@127.0.0.1:5432/{{ drone_dbname }}
-DRONE_DATABASE_DRIVER=postgres
-DRONE_GITEA_SERVER=https://{{ gitea_domain }}
-DRONE_GITEA_CLIENT_ID={{ drone_gitea_client }}
-DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_secret }}
-DRONE_RPC_SECRET={{ drone_secret }}
-DRONE_SERVER_HOST={{ drone_domain }}
-DRONE_SERVER_PROTO=https
-DRONE_USER_CREATE=username:{{ drone_admin }},admin:true

roles/drone/templates/vhost.j2

@@ -1,31 +0,0 @@
-server {
-	listen 80;
-	listen [::]:80;
-
-	server_name {{ drone_domain }};
-
-	location /.well-known/acme-challenge {
-		default_type "text/plain";
-		alias /var/www/acme-challenge;
-	}
-
-	location / {
-		return 301 https://{{ drone_domain }}$request_uri;
-	}
-}
-
-server {
-	listen 443 ssl http2;
-	listen [::]:443 ssl http2;
-
-	server_name {{ drone_domain }};
-
-	ssl_certificate_key /etc/nginx/ssl/{{ drone_domain }}.key;
-	ssl_certificate /etc/nginx/ssl/{{ drone_domain }}.crt;
-
-	location / {
-		client_max_body_size 128M;
-		proxy_set_header X-Real-IP $remote_addr;
-		proxy_pass http://localhost:8080;
-	}
-}

roles/drone_runner/tasks/main.yml

@@ -1,21 +0,0 @@
----
-
-- name: Run runner container
-  docker_container:
-    name: runner
-    image: drone/drone-runner-docker:1
-    env:
-      DRONE_RPC_PROTO: "https"
-      DRONE_RPC_HOST: "{{ drone_domain }}"
-      DRONE_RPC_SECRET: "{{ drone_secret }}"
-      DRONE_RUNNER_CAPACITY: "2"
-      DRONE_RUNNER_NAME: "{{ ansible_fqdn }}"
-      DRONE_UI_USERNAME: "admin"
-      DRONE_UI_PASSWORD: "{{ drone_uipass }}"
-    ports:
-    - "3000:3000"
-    pull: yes
-    restart_policy: unless-stopped
-    state: started
-    volumes:
-    - "/var/run/docker.sock:/var/run/docker.sock"

roles/event_web/files/certs

@@ -0,0 +1,15 @@
+---
+
+eh21.easterhegg.eu engel.eh21.easterhegg.eu:
+- path: /etc/nginx/ssl/eh21.easterhegg.eu.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/eh21.easterhegg.eu.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'

roles/event_web/files/vhost

@@ -0,0 +1,68 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name eh21.easterhegg.eu;
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://eh21.easterhegg.eu$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name eh21.easterhegg.eu;
+
+	ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
+	ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
+
+	root /var/www/eh21;
+}
+
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name engel.eh21.easterhegg.eu;
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://engel.eh21.easterhegg.eu$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name engel.eh21.easterhegg.eu;
+
+	ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
+	ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
+
+	root /var/www/engel/public;
+
+	index index.php;
+
+	location / {
+		try_files $uri $uri/ /index.php?$args;
+	}
+
+	location ~ \.php$ {
+		fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+		fastcgi_index index.php;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+		include fastcgi_params;
+	}
+}

roles/event_web/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/event_web/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/event_web/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+
+- name: Install dependencies
+  apt:
+    name:
+    - php-fpm
+
+- name: Create vhost directory
+  file: path=/var/www/eh21 state=directory owner=www-data group=www-data
+
+- name: Create vhost directory
+  file: path=/var/www/engel state=directory owner=www-data group=www-data
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/eh21.easterhegg.eu.key -out /etc/nginx/ssl/eh21.easterhegg.eu.crt -days 730 -subj "/CN=eh21.easterhegg.eu" creates=/etc/nginx/ssl/eh21.easterhegg.eu.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager
+  copy: src=certs dest=/etc/acertmgr/eh21.easterhegg.eu.conf
+  notify: Run acertmgr
+
+- name: Configure vhosts
+  copy: src=vhost dest=/etc/nginx/sites-available/www
+  notify: Restart nginx
+
+- name: Enable vhosts
+  file: src=/etc/nginx/sites-available/www dest=/etc/nginx/sites-enabled/www state=link
+  notify: Restart nginx
+
+- name: Start php8.2-fpm
+  service: name=php8.2-fpm state=started enabled=yes

roles/fileserver/templates/smb.conf.j2

@@ -42,7 +42,7 @@
 # option cannot handle dynamic or non-broadcast interfaces correctly.
 ;   bind interfaces only = yes
 
-
+   min protocol = NT1
 
 #### Debugging/Accounting ####
 
@@ -213,7 +213,7 @@
 ;[printers]
 ;   comment = All Printers
 ;   browseable = no
-;   path = /var/spool/samba
+;   path = /var/tmp
 ;   printable = yes
 ;   guest ok = no
 ;   read only = yes
@@ -240,5 +240,5 @@
    browseable = yes
    read only = no
    guest ok = yes
-   create mask = 0600
-   directory mask = 0700
+   create mask = 0660
+   directory mask = 0770

roles/gitea/defaults/main.yml

@@ -3,6 +3,5 @@
 gitea_user: gogs
 gitea_group: gogs
 
-gitea_checksum: sha256:dbdefbeed7073951ba955cb6c40bd7d9ece7a349c1326ad80c314690ff3616f1
-gitea_version: 1.15.9
+gitea_version: 1.22.0
 gitea_url: https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64

roles/gitea/tasks/main.yml

@@ -6,19 +6,24 @@
 - name: Create user
   user: name={{ gitea_user }} home=/home/{{ gitea_user }} group={{ gitea_group }}
 
-- name: Create gitea directories
-  file: path={{ item }} state=directory owner={{ gitea_user }}
+- name: Create directories
+  file: path={{ item }} state=directory owner={{ gitea_user }} group={{ gitea_group }}
   with_items:
   - /opt/gitea
   - /opt/gitea/custom
   - /opt/gitea/custom/conf
 
 - name: Download gitea binary
-  get_url: url={{ gitea_url }} dest=/opt/gitea/gitea checksum={{ gitea_checksum }} mode=0755
+  get_url: url={{ gitea_url }} dest=/opt/gitea/gitea-{{ gitea_version }} mode=0755
+  register: gitea_download
+
+- name: Symlink gitea binary
+  file: src=/opt/gitea/gitea-{{ gitea_version }} dest=/opt/gitea/gitea state=link
+  when: gitea_download.changed
   notify: Restart gitea
 
 - name: Configure gitea
-  template: src=app.ini.j2 dest=/opt/gitea/custom/conf/app.ini force=no owner={{ gitea_user }}
+  template: src=app.ini.j2 dest=/opt/gitea/custom/conf/app.ini force=no owner={{ gitea_user }} group={{ gitea_group }}
 
 - name: Install systemd unit
   template: src=gitea.service.j2 dest=/lib/systemd/system/gitea.service
@@ -50,6 +55,9 @@
   template: src=certs.j2 dest=/etc/acertmgr/{{ gitea_domain }}.conf
   notify: Run acertmgr
 
+- name: Configure robots.txt for gitea
+  template: src=robots.txt.j2 dest=/opt/gitea/custom/robots.txt owner={{ gitea_user }}
+
 - name: Configure vhost
   template: src=vhost.j2 dest=/etc/nginx/sites-available/gitea
   notify: Restart nginx
@@ -59,4 +67,9 @@
   notify: Restart nginx
 
 - name: Enable gitea
-  service: name=gitea enabled=yes
+  service: name=gitea state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ gitea_domain }}"

roles/gitea/templates/app.ini.j2

@@ -43,3 +43,10 @@ LEVEL = warn
 
 [oauth2]
 JWT_SECRET = {{ gitea_jwt_secret }}
+
+[cron]
+ENABLED = true
+
+[cron.archive_cleanup]
+SCHEDULE = @midnight
+OLDER_THAN = 168h

roles/gitea/templates/gitea.service.j2

@@ -8,7 +8,7 @@ Requires=postgresql.service
 RestartSec=2s
 Type=simple
 User={{ gitea_user }}
-Group={{ gitea_user }}
+Group={{ gitea_group }}
 WorkingDirectory=/opt/gitea/
 ExecStart=/opt/gitea/gitea web
 Restart=always

roles/gitea/templates/robots.txt.j2

@@ -0,0 +1,4 @@
+User-agent: *
+Disallow: /*/*/archive/*.bundle$
+Disallow: /*/*/archive/*.tar.gz$
+Disallow: /*/*/archive/*.zip$

roles/gitea/templates/vhost.j2

@@ -23,6 +23,10 @@ server {
 	ssl_certificate_key /etc/nginx/ssl/{{ gitea_domain }}.key;
 	ssl_certificate /etc/nginx/ssl/{{ gitea_domain }}.crt;
 
+	location /robots.txt {
+		alias /opt/gitea/custom/robots.txt;
+	}
+
 	location / {
 		client_max_body_size 1024M;
 		proxy_set_header X-Real-IP $remote_addr;

roles/grafana/tasks/main.yml

@@ -1,10 +1,10 @@
 ---
 
 - name: Enable grafana apt-key
-  apt_key: url="https://packages.grafana.com/gpg.key"
+  apt_key: url="https://apt.grafana.com/gpg.key" keyring="/etc/apt/trusted.gpg.d/grafana.gpg"
 
 - name: Enable grafana repository
-  apt_repository: repo="deb https://packages.grafana.com/oss/deb stable main"
+  apt_repository: repo="deb https://apt.grafana.com stable main"
 
 - name: Install grafana
   apt: name=grafana
@@ -34,3 +34,8 @@
 
 - name: Start grafana
   service: name=grafana-server state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ grafana_domain }}"

roles/grafana/templates/vhost.j2

@@ -25,7 +25,8 @@ server {
 
 	location / {
 		client_max_body_size 1024M;
-		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header Host $http_host;
 		proxy_pass http://localhost:3000;
 	}
 }

roles/hackmd/defaults/main.yml

@@ -1,4 +0,0 @@
----
-
-hedgedoc_version: 1.8.2
-hedgedoc_archive: https://github.com/hedgedoc/hedgedoc/archive/{{ hedgedoc_version }}.tar.gz

roles/hackmd/tasks/main.yml

@@ -1,105 +0,0 @@
----
-
-- name: Create user
-  user: name=hackmd
-
-- name: Enable nodesource apt-key
-  apt_key: url="https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
-
-- name: Enable nodesource repository
-  apt_repository: repo="deb https://deb.nodesource.com/node_14.x/ {{ ansible_distribution_release }} main"
-
-- name: Enable yarnpkg apt-key
-  apt_key: url="https://dl.yarnpkg.com/debian/pubkey.gpg"
-
-- name: Enable yarnpkg repository
-  apt_repository: repo="deb https://dl.yarnpkg.com/debian/ stable main"
-
-- name: Pin nodejs repository
-  blockinfile:
-    path: /etc/apt/preferences.d/nodejs
-    create: yes
-    block: |
-      Package: *
-      Pin: origin deb.nodesource.com
-      Pin-Priority: 600
-
-- name: Install packages
-  apt:
-    name:
-    - build-essential
-    - git
-    - nodejs
-    - postgresql
-    - python3-psycopg2
-    - yarn
-
-- name: Unpack hedgedoc
-  unarchive: src={{ hedgedoc_archive }} dest=/opt owner=hackmd group=hackmd remote_src=yes creates=/opt/hedgedoc-{{ hedgedoc_version }}
-  register: hedgedoc_unarchive
-
-- name: Create hedgedoc upload path
-  file: path=/opt/hedgedoc/uploads state=directory recurse=yes owner=hackmd group=hackmd
-
-- name: Remove old hedgedoc upload path
-  file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads state=absent force=yes
-
-- name: Link hedgedoc upload path
-  file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads src=/opt/hedgedoc/uploads state=link owner=hackmd group=hackmd
-
-- name: Setup hedgedoc
-  command: bin/setup chdir=/opt/hedgedoc-{{ hedgedoc_version }} creates=/opt/hedgedoc-{{ hedgedoc_version }}/config.json
-  become: true
-  become_user: hackmd
-
-- name: Configure hedgedoc
-  template: src=config.json.j2 dest=/opt/hedgedoc-{{ hedgedoc_version }}/config.json owner=hackmd
-  register: hedgedoc_config
-  notify: Restart hedgedoc
-
-- name: Install hedgedoc frontend deps
-  command: /usr/bin/yarn install chdir=/opt/hedgedoc-{{ hedgedoc_version }}
-  become: true
-  become_user: hackmd
-  when: hedgedoc_unarchive.changed or hedgedoc_config.changed
-
-- name: Build hedgedoc frontend
-  command: /usr/bin/yarn build chdir=/opt/hedgedoc-{{ hedgedoc_version }}
-  become: true
-  become_user: hackmd
-  when: hedgedoc_unarchive.changed or hedgedoc_config.changed
-
-- name: Configure PostgreSQL database
-  postgresql_db: name={{ hedgedoc_dbname }}
-  become: true
-  become_user: postgres
-
-- name: Configure PostgreSQL user
-  postgresql_user: db={{ hedgedoc_dbname }} name={{ hedgedoc_dbuser }} password={{ hedgedoc_dbpass }} priv=ALL state=present
-  become: true
-  become_user: postgres
-
-- name: Ensure certificates are available
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hedgedoc_domain }}.key -out /etc/nginx/ssl/{{ hedgedoc_domain }}.crt -days 730 -subj "/CN={{ hedgedoc_domain }}" creates=/etc/nginx/ssl/{{ hedgedoc_domain }}.crt
-  notify: Restart nginx
-
-- name: Configure certificate manager for hedgedoc
-  template: src=certs.j2 dest=/etc/acertmgr/{{ hedgedoc_domain }}.conf
-  notify: Run acertmgr
-
-- name: Configure vhost
-  template: src=vhost.j2 dest=/etc/nginx/sites-available/hedgedoc
-  notify: Restart nginx
-
-- name: Enable vhost
-  file: src=/etc/nginx/sites-available/hedgedoc dest=/etc/nginx/sites-enabled/hedgedoc state=link
-  notify: Restart nginx
-
-- name: Systemd unit for hedgedoc
-  template: src=hedgedoc.service.j2 dest=/etc/systemd/system/hedgedoc.service
-  notify:
-  - Reload systemd
-  - Restart hedgedoc
-
-- name: Start the hedgedoc service
-  service: name=hedgedoc state=started enabled=yes

roles/hackmd/templates/config.json.j2

@@ -1,45 +0,0 @@
-{
-    "production": {
-        "domain": "{{ hedgedoc_domain }}",
-        "protocolUseSSL": true,
-        "allowAnonymous": false,
-        "allowAnonymousEdits": true,
-        "allowFreeURL": true,
-        "sessionSecret": "{{ hedgedoc_secret }}",
-        "hsts": {
-            "enable": true,
-            "maxAgeSeconds": 2592000,
-            "includeSubdomains": true,
-            "preload": true
-        },
-        "csp": {
-            "enable": true,
-            "directives": {
-            },
-            "upgradeInsecureRequests": "auto",
-            "addDefaults": true,
-            "addDisqus": true,
-            "addGoogleAnalytics": true
-        },
-        "db": {
-            "username": "{{ hedgedoc_dbuser }}",
-            "password": "{{ hedgedoc_dbpass }}",
-            "database": "{{ hedgedoc_dbname }}",
-            "host": "localhost",
-            "port": "5432",
-            "dialect": "postgres"
-        },
-        "ldap": {
-            "url": "{{ ldap_uri }}",
-            "bindDn": "{{ ldap_binddn }}",
-            "bindCredentials": "{{ ldap_bindpw }}",
-            "searchBase": "{{ ldap_base }}",
-            "searchFilter": "(uid={{ '{{' }}username{{ '}}' }})",
-            "searchAttributes": ["cn", "uid"],
-            "usernameField": "cn",
-            "useridField": "uid",
-            "tlsca": "/etc/ssl/certs/ca-certificates.crt"
-        },
-        "email": false
-    }
-}

roles/hackmd/templates/hedgedoc.service.j2

@@ -1,14 +0,0 @@
-[Unit]
-Description=HedgeDoc
-After=network.target
-
-[Service]
-Environment=NODE_ENV=production
-WorkingDirectory=/opt/hedgedoc-{{ hedgedoc_version }}
-Type=simple
-User=hackmd
-ExecStart=/usr/bin/yarn start
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target

roles/hedgedoc/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/hedgedoc/tasks/main.yml

@@ -0,0 +1,51 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+    - docker-compose
+
+- name: Create hedgedoc group
+  group: name=hedgedoc
+
+- name: Create hedgedoc user
+  user:
+    name: hedgedoc
+    home: /opt/hedgedoc
+    shell: /bin/bash
+    group: hedgedoc
+    groups: docker
+
+- name: Configure hedgedoc container
+  template: src=docker-compose.yml.j2 dest=/opt/hedgedoc/docker-compose.yml
+  notify: Restart hedgedoc
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hedgedoc_domain }}.key -out /etc/nginx/ssl/{{ hedgedoc_domain }}.crt -days 730 -subj "/CN={{ hedgedoc_domain }}" creates=/etc/nginx/ssl/{{ hedgedoc_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for hedgedoc
+  template: src=certs.j2 dest=/etc/acertmgr/{{ hedgedoc_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/hedgedoc
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/hedgedoc dest=/etc/nginx/sites-enabled/hedgedoc state=link
+  notify: Restart nginx
+
+- name: Systemd unit for hedgedoc
+  template: src=hedgedoc.service.j2 dest=/etc/systemd/system/hedgedoc.service
+  notify:
+  - Reload systemd
+  - Restart hedgedoc
+
+- name: Start the hedgedoc service
+  service: name=hedgedoc state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ hedgedoc_domain }}"

roles/hedgedoc/templates/docker-compose.yml.j2

@@ -0,0 +1,44 @@
+version: "3"
+services:
+  database:
+    image: postgres:13-alpine
+    environment:
+      - POSTGRES_USER={{ hedgedoc_dbuser }}
+      - POSTGRES_PASSWORD={{ hedgedoc_dbpass }}
+      - POSTGRES_DB={{ hedgedoc_dbname }}
+    volumes:
+      - ./database:/var/lib/postgresql/data
+  app:
+    image: quay.io/hedgedoc/hedgedoc:1.9.9
+    restart: on-failure
+    environment:
+      - CMD_DOMAIN={{ hedgedoc_domain }}
+      - CMD_PROTOCOL_USESSL=true
+      - CMD_ALLOW_ANONYMOUS=false
+      - CMD_ALLOW_ANONYMOUS_EDITS=true
+      - CMD_ALLOW_FREEURL=true
+      - CMD_SESSION_SECRET={{ hedgedoc_secret }}
+      - CMD_HSTS_ENABLE=true
+      - CMD_HSTS_MAX_AGE=2592000
+      - CMD_HSTS_INCLUDE_SUBDOMAINS=true
+      - CMD_HSTS_PRELOAD=true
+      - CMD_CSP_ENABLE=true
+      - CMD_DB_URL=postgres://{{ hedgedoc_dbuser }}:{{ hedgedoc_dbpass }}@database/{{ hedgedoc_dbname }}
+      - CMD_LDAP_URL={{ ldap_uri }}
+      - CMD_LDAP_BINDDN={{ ldap_binddn }}
+      - CMD_LDAP_BINDCREDENTIALS={{ ldap_bindpw }}
+      - CMD_LDAP_SEARCHBASE={{ ldap_base }}
+      - CMD_LDAP_SEARCHFILTER=(uid={{ '{{' }}username{{ '}}' }})
+      - CMD_LDAP_SEARCHATTRIBUTES=cn,uid
+      - CMD_LDAP_USERIDFIELD=uid
+      - CMD_LDAP_USERNAMEFIELD=cn
+      - CMD_LDAP_TLS_CA=/etc/ssl/certs/ca-certificates.crt
+      - CMD_EMAIL=false
+    volumes:
+      - /etc/hosts:/etc/hosts:ro
+      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
+      - ./uploads:/hedgedoc/public/uploads
+    ports:
+      - "127.0.0.1:3000:3000"
+    depends_on:
+      - database