Compare commits

...

50 Commits

Author SHA1 Message Date
8a3e5ba9a8 decommission host indium.binary-kitchen.net 2024-12-26 21:35:45 +01:00
394e2e8026 netbox: bump to version 4.1.8 2024-12-18 11:41:00 +01:00
62d33f4652 gitea: bump to version 1.22.6 2024-12-18 11:35:11 +01:00
bf72143ee4 authentik: bump to version 2024.10.5 2024-12-18 11:33:18 +01:00
3c37b9f2d9 new mail alias: toepferwerkstatt@binary-kitchen.de 2024-12-12 21:58:31 +01:00
ebdde070da README: fix formatting 2024-12-11 15:04:49 +01:00
60f4024cf1 new host: schweinshaxn.binary.kitchen (FreePBX) 2024-12-11 15:03:58 +01:00
5174aead5f freepbx: Install additional required packages 2024-12-11 14:51:45 +01:00
3d91267020 freepbx: Cleanup and only use flask based application 2024-12-11 14:51:45 +01:00
e3a79a0307 freepbx: Install self developed yealink packages 2024-12-11 14:51:45 +01:00
4f1790d815 kea: remove whitespace 2024-11-25 21:24:35 +01:00
8927eab887 gitea: bump to version 1.22.4 2024-11-25 21:19:25 +01:00
21a0f13094 kea: fix HA by using pri/sec in LB mode 2024-11-25 21:18:47 +01:00
da13a7a3d2 authentik: bump to version 2024.10.4 2024-11-22 17:09:31 +01:00
f4642e7a03 netbox: bump to version 4.1.7 2024-11-22 17:09:06 +01:00
e45e331b03 don't destroy containers before starting the service 2024-11-20 18:17:47 +01:00
92000b5fbe common: minor updates 2024-11-20 18:16:06 +01:00
3fa13d41c2 common: integrate unattended upgrades 2024-11-20 18:15:36 +01:00
583f6d3e82 group_vars: remove unused vars 2024-11-18 16:29:24 +01:00
10f7450bc6 pretalx: remove role (was on palladium.binary-kitchen.net) 2024-11-18 16:28:04 +01:00
9179a8a1f6 dns_intern: set RA flag on answers from auth for own zones 2024-11-17 19:32:02 +01:00
29d008ca04 dns_intern: fix broken dns delegation
use "@" instead of "" to prevent this from happening again
2024-11-15 19:56:03 +01:00
744aed3b60 authentik: bump to version 2024.10.2 2024-11-14 23:45:57 +01:00
1e664169bd web: add monitoring 2024-11-11 20:04:38 +01:00
d5edf48ea1 web: fix typo 2024-11-11 20:04:27 +01:00
19d2545f1f web: new vhost fahrplan.eh21.easterhegg.eu
this will serve a static dump of the fahrplan and replace the pretalx
instance
2024-11-11 19:23:50 +01:00
b3038ec3dd netbox: bump to version 4.1.6 2024-11-11 18:26:10 +01:00
8285085468 gitea: bump to version 1.22.3 2024-11-11 18:25:35 +01:00
7a82e453e9 workadventure: remove role (decommission barium.binary-kitchen.net) 2024-11-11 18:24:35 +01:00
a3dddac6d0 vaultwarden: bump compose version 2024-11-09 15:33:09 +01:00
d7c0716f4a hedgedoc: enable automatic updates of docker images 2024-11-09 15:30:49 +01:00
44f9505bef vaultwarden: enable automatic updates of docker images 2024-11-06 19:11:29 +01:00
338c12c687 authentik: split handling of service and reload timer 2024-11-06 19:08:10 +01:00
405b5c5385 authentik: maybe don't try to detach the container for now
seems oneshot won't work properly, even without Restart=always
2024-11-05 22:27:53 +01:00
e2a071d69f authentik: bump to version 2024.10.1 2024-11-05 22:18:46 +01:00
d7aab43f06 authentik: enable automatic updates of docker images 2024-11-05 22:18:12 +01:00
e1c900ad65 authentik: bump to version 2024.10.0 2024-11-04 17:47:48 +01:00
baf02e790f kea: add options for new yealink voip phones 2024-11-02 17:24:22 +01:00
2d139167ea indium: new temp. host for igel livestreaming 2024-10-31 14:42:10 +01:00
933e25ca6a therapy: new role to be deployed on aluminium 2024-10-31 14:37:42 +01:00
eb4a5d1d13 netbox: bump to version 4.1.5 2024-10-30 20:18:14 +01:00
df069adc5e icinga: add apt and disk service definitions 2024-10-28 19:53:06 +01:00
c2b8944756 icinga: move host config into zones in order to support agents 2024-10-28 00:30:16 +01:00
4715798c3f remove technetium.binary-kitchen.net 2024-10-28 00:28:32 +01:00
750157ef76 group_vars: add more voucher aliases 2024-10-28 00:25:29 +01:00
20c13ddbdc icinga: add TODO 2024-10-27 22:27:58 +01:00
62bc168983 matrix: increase local media lifetime 2024-10-21 20:02:23 +02:00
d72fc4ceaa uau: rebase against Debian 12 2024-10-21 20:01:44 +02:00
68fee1e0d7 common: rebase against Debian 12 2024-10-21 20:01:06 +02:00
2ea069f94e netbox: bump to version 4.1.4 2024-10-21 19:06:31 +02:00
82 changed files with 779 additions and 642 deletions

View File

@ -15,25 +15,26 @@ Currently the following hosts are installed:
### Internal Servers
| Hostname | OS | Purpose |
| ------------------------- | --------- | ----------------------- |
| wurst.binary.kitchen | Proxmox 8 | VM Host |
| salat.binary.kitchen | Proxmox 8 | VM Host |
| weizen.binary.kitchen | Proxmox 8 | VM Host |
| bacon.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| aveta.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| aeron.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| sulis.binary.kitchen | Debian 12 | Shell |
| nabia.binary.kitchen | Debian 12 | Monitoring |
| epona.binary.kitchen | Debian 12 | NetBox |
| pizza.binary.kitchen | Debian 11 | OpenHAB * |
| pancake.binary.kitchen | Debian 12 | XRDP |
| knoedel.binary.kitchen | Debian 12 | SIP-DECT OMM |
| bob.binary.kitchen | Debian 12 | Gitea Actions |
| lasagne.binary.kitchen | Debian 12 | Home Assistant * |
| tschunk.binary.kitchen | Debian 12 | Strichliste |
| bowle.binary.kitchen | Debian 12 | Files |
| lock-auweg.binary.kitchen | Debian 12 | Doorlock |
| Hostname | OS | Purpose |
| --------------------------- | --------- | ----------------------- |
| wurst.binary.kitchen | Proxmox 8 | VM Host |
| salat.binary.kitchen | Proxmox 8 | VM Host |
| weizen.binary.kitchen | Proxmox 8 | VM Host |
| bacon.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| aveta.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| aeron.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| sulis.binary.kitchen | Debian 12 | Shell |
| nabia.binary.kitchen | Debian 12 | Monitoring |
| epona.binary.kitchen | Debian 12 | NetBox |
| pizza.binary.kitchen | Debian 11 | OpenHAB * |
| pancake.binary.kitchen | Debian 12 | XRDP |
| knoedel.binary.kitchen | Debian 12 | SIP-DECT OMM |
| schweinshaxn.binary.kitchen | Debian 12 | FreePBX |
| bob.binary.kitchen | Debian 12 | Gitea Actions |
| lasagne.binary.kitchen | Debian 12 | Home Assistant * |
| tschunk.binary.kitchen | Debian 12 | Strichliste |
| bowle.binary.kitchen | Debian 12 | Files |
| lock-auweg.binary.kitchen | Debian 12 | Doorlock |
\*: The main application is not managed by ansible but manually installed
@ -52,7 +53,7 @@ Currently the following hosts are installed:
| neon.binary-kitchen.net | Debian 12 | Auth. DNS |
| sodium.binary-kitchen.net | Debian 12 | Mattrix |
| magnesium.binary-kitchen.net | Debian 12 | TURN |
| aluminium.binary-kitchen.net | Debian 12 | Zammad |
| aluminium.binary-kitchen.net | Debian 12 | Web (div. via Docker) |
| krypton.binary-kitchen.net | Debian 12 | PartDB * |
| yttrium.binary-kitchen.net | Debian 12 | Hintervvoidler * |
| zirconium.binary-kitchen.net | Debian 12 | Jitsi |
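Review bot: "Mattrix" on the sodium row is a typo for Matrix; since this table is being edited in this hunk anyway, fix it here. Also, aluminium's purpose changes from Zammad to "Web (div. via Docker)" while group_vars in this compare still defines `zammad_domain: requests.binary-kitchen.de`; either keep Zammad in the purpose column or drop the variable so the README and the playbooks agree.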
@ -62,7 +63,6 @@ Currently the following hosts are installed:
| rhodium.binary-kitchen.net | Debian 12 | Event pretix |
| palladium.binary-kitchen.net | Debian 12 | Event pretalx |
| argentum.binary-kitchen.net | Debian 12 | Event Web * |
| cadmium.binary-kitchen.neti | Debian 12 | Event NetBox * |
| barium.binary-kitchen.net | Debian 12 | Workadventure |
| cadmium.binary-kitchen.net | Debian 12 | Event NetBox * |
\*: The main application is not managed by ansible but manually installed
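Review bot: the palladium row still reads "Event pretalx" although commit 10f7450bc6 removes the pretalx role and this compare drops the pretalx_* variables from group_vars; update that row (or remove the host) so the table matches what is actually deployed. The cadmium fix (.neti to .net) and the barium removal look right.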

View File

@ -105,6 +105,8 @@ mail_aliases:
- "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de"
- "seife@binary-kitchen.de anke@binary-kitchen.de"
- "siebdruck@binary-kitchen.de anke@binary-kitchen.de"
- "therapy-jetzt@binary-kitchen.de darthrain@binary-kitchen.de"
- "toepferwerkstatt@binary-kitchen.de anke@binary-kitchen.de,meet_judith@binary-kitchen.de"
- "vorstand@binary-kitchen.de anke@binary-kitchen.de,christoph@schindlbeck.eu,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
- "voucher1@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher2@binary-kitchen.de exxess@binary-kitchen.de"
@ -118,6 +120,9 @@ mail_aliases:
- "voucher10@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher11@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher12@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher13@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher14@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher15@binary-kitchen.de exxess@binary-kitchen.de"
- "workshops@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
- "tickets@eh21.easterhegg.eu orga@eh21.easterhegg.eu"
- "hackzuck@eh21.easterhegg.eu kekskruemml@binary-kitchen.de"
@ -142,12 +147,6 @@ nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
omm_domain: omm.binary.kitchen
pretalx_domain: fahrplan.eh21.easterhegg.eu
pretalx_dbname: pretalx
pretalx_dbuser: pretalx
pretalx_dbpass: "{{ vault_pretalx_dbpass }}"
pretalx_mail: pretalx@binary-kitchen.de
pretix_domain: pretix.events.binary-kitchen.de
pretix_domainx: tickets.eh21.easterhegg.eu
pretix_dbname: pretix
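Review bot: removing `pretalx_dbpass: "{{ vault_pretalx_dbpass }}"` drops the last reference to that vault variable, so vault_pretalx_dbpass should be deleted from the vault file as well and the database credential revoked on the old host; otherwise the secret lives on, re-encrypted, for no purpose. In the unchanged context, `pretix_domainx` looks like a typo for a second pretix domain variable; confirm a template actually reads that exact name.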
@ -183,13 +182,12 @@ strichliste_dbname: strichliste
strichliste_dbuser: strichliste
strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
therapy_domain: therapy.jetzt
therapy_secret: "{{ vault_therapy_secret }}"
vaultwarden_domain: vault.binary-kitchen.de
vaultwarden_dbname: vaultwarden
vaultwarden_dbuser: vaultwarden
vaultwarden_dbpass: "{{ vault_vaultwarden_dbpass }}"
vaultwarden_token: "{{ vault_vaultwarden_token }}"
vaultwarden_yubico_secret: "{{ vault_vaultwarden_yubico_secret }}"
workadventure_domain: wa.binary-kitchen.de
zammad_domain: requests.binary-kitchen.de
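Review bot: `zammad_domain` is kept although the README hunk in this compare changes aluminium's purpose away from Zammad; if the Zammad role is gone, remove the variable together with it, as was done here for `workadventure_domain`. The new `therapy_secret` correctly comes from the vault rather than being set inline.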

View File

@ -1,109 +1,109 @@
$ANSIBLE_VAULT;1.1;AES256
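Review bot: the vault hunk rewrites all 109 lines, which is expected because ansible-vault re-encrypts the whole file with a fresh salt on every edit, but it means a reviewer cannot see which secrets changed. Please state in the commit message which vault variables were added or removed (from the group_vars hunks: vault_therapy_secret is new, vault_pretalx_dbpass is no longer referenced), and consider a git diff textconv that runs `ansible-vault view` so vault changes can be reviewed in plaintext locally.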

View File

@ -5,3 +5,5 @@ radius_hostname: radius3.binary.kitchen
slapd_hostname: ldap3.binary.kitchen
slapd_replica_id: 3
slapd_role: slave
unattended_reboot: "false"
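Review bot: `unattended_reboot: "false"` is a quoted string, and in Jinja a non-empty string is truthy, so a template that tests `{% if unattended_reboot %}` would still enable automatic reboots on this DNS/LDAP/RADIUS host; make sure 02periodic/50unattended-upgrades compare against the literal string or apply `| bool`, or better, switch the variable to a real YAML boolean in host_vars and group_vars/all alike. The same applies to the identical lines in the other host_vars hunks in this compare.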

View File

@ -15,3 +15,5 @@ radius_hostname: radius1.binary.kitchen
slapd_hostname: ldap1.binary.kitchen
slapd_replica_id: 1
slapd_role: slave
unattended_reboot: "false"

View File

@ -5,4 +5,4 @@ nfs_exports:
- /exports/backup/rz 172.23.9.61(rw,sync,no_subtree_check)
- /exports/tank 172.23.0.0/22(rw,sync,no_subtree_check)
uau_reboot: "false"
unattended_reboot: "false"
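Review bot: renaming `uau_reboot` to `unattended_reboot` is only safe if no host_vars file keeps the old name: group_vars/all in this compare sets `unattended_reboot: "true"`, so any host still carrying `uau_reboot: "false"` silently inherits automatic reboots. A grep for uau_reboot across host_vars before merging closes that gap. The NFS export lines are unchanged context.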

View File

@ -0,0 +1,5 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCNBY95YcFFBeiHM3IDzqKT/X/U09bpAWXwkCWIg6KlZumZg891apx6a0HLDannoBt7YCyYFgl3c1eJ36D08tRcy5c5k/+8Xhq0hq/HWo3EV5sd6Y+8xeTRST6Um8nyxHoSI7xw79yRoteOUDIzPnmDtbLQ2z3vWkA/H1EZQ4IjeQgFhl9vl4EyuAJ47Cdlv1D870BDspgAEoxSbipQEEnPsIctdyySp1R/sNC5tuP6qaoQ6nIDFdgv5rcY8SmgJQ2otlGex18RSBObBjdfyepV71mluqfs6HtVsM9zDvRUwY/FX4wmVc4QPdPLh/2kzEZi0YzefB10tpsuvhaOFI8JqXBDuSFZh3xCzRmKRlmqn50jrvGkYGUWg/GNYNF2rLCltCzg3BJHGaFh9sOtjaKLW+hTJwDtz4LIqNZb6w/2586hzjGCrrZgN24eLEcdp7iTPnkCul+kgOZaa62ytdKjza6/tgKCeUaEwmJTBuKMp/hor/LdLeibYgTtqUoFB7j1Ti2ey7oHly1oiSaKcR/hChgx0sniltRmzJI7KLuUiF+xkpv5Kf4rGl7UjvVxyf3glNh5DL87CfeWkGF3dgsjJdfYIHVJz/Bf6x0aB2TyybF8Exm0R05dhMT6ahZqMqa5d/aUZN+S3MaXw2amHWbMe8VcFpu/AztqrQM8sM+Mw== sprinterfreak"
- "ssh-rsa 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 noby"
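Review bot: this new host_vars file sets only `root_keys_host`, so whichever host it belongs to (the file name is not shown here) inherits `unattended_reboot: "true"` from group_vars/all; if it is the temporary livestreaming host from 2d139167ea, an unplanned reboot mid-stream is probably unwanted, so set `unattended_reboot: "false"` explicitly as the DNS/LDAP hosts do.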

View File

@ -8,4 +8,4 @@ root_keys_host:
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
uau_reboot: "false"
unattended_reboot: "false"

View File

@ -8,4 +8,4 @@ root_keys_host:
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
uau_reboot: "false"
unattended_reboot: "false"

View File

@ -4,4 +4,4 @@ root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
uau_reboot: "false"
unattended_reboot: "false"

View File

@ -0,0 +1,4 @@
---
root_keys_host:
- "ssh-rsa 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 noby"

View File

@ -4,4 +4,4 @@ root_keys_host:
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
uau_reboot: "true"
unattended_reboot: "true"

4
hosts
View File

@ -8,6 +8,7 @@ epona.binary.kitchen ansible_host=172.23.2.7
pizza.binary.kitchen ansible_host=172.23.2.33
pancake.binary.kitchen ansible_host=172.23.2.34
knoedel.binary.kitchen ansible_host=172.23.2.35
schweinshaxn.binary.kitchen ansible_host=172.23.2.36
bob.binary.kitchen ansible_host=172.23.2.37
lasagne.binary.kitchen ansible_host=172.23.2.38
tschunk.binary.kitchen ansible_host=172.23.2.39
@ -34,10 +35,7 @@ krypton.binary-kitchen.net
yttrium.binary-kitchen.net
zirconium.binary-kitchen.net
molybdenum.binary-kitchen.net
technetium.binary-kitchen.net
ruthenium.binary-kitchen.net
rhodium.binary-kitchen.net
palladium.binary-kitchen.net
argentum.binary-kitchen.net
cadmium.binary-kitchen.net
barium.binary-kitchen.net
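Review bot: the header (-34,10 +35,7) says three inventory lines are removed, but only technetium (4715798c3f) and barium (7a82e453e9) are explained by commit messages; if palladium is the third (the pretalx role was removed in 10f7450bc6), the README table, which still lists palladium as "Event pretalx", needs the same update. Naming the removed hosts in the commit message would make this reviewable.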

View File

@ -1,3 +1,3 @@
---
authentik_version: 2024.8.3
authentik_version: 2024.10.5

View File

@ -6,6 +6,9 @@
- name: Restart authentik
service: name=authentik state=restarted
- name: Restart authentik-reload
service: name=authentik-reload state=restarted
- name: Restart nginx
service: name=nginx state=restarted
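Review bot: "Restart authentik-reload" restarts authentik-reload.service, which is the Type=oneshot unit that immediately runs `systemctl reload-or-restart authentik.service`; a handler fired because the timer template changed therefore triggers an image pull and container refresh right away instead of just picking up the new timer definition. If the intent is to apply unit changes, restart authentik-reload.timer (after the daemon-reload) and let the timer fire the service on schedule.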

View File

@ -42,9 +42,21 @@
- Reload systemd
- Restart authentik
- name: Systemd unit for authentik-reload
template: src=authentik-reload.{{ item }}.j2 dest=/etc/systemd/system/authentik-reload.{{ item }}
with_items:
- "service"
- "timer"
notify:
- Reload systemd
- Restart authentik-reload
- name: Start the authentik service
service: name=authentik state=started enabled=yes
- name: Enable auto update timer
service: name=authentik-reload.timer state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:

View File

@ -0,0 +1,7 @@
[Unit]
Description=Refresh authentik images
[Service]
Type=oneshot
ExecStart=/bin/systemctl reload-or-restart authentik.service
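Review bot: this unit delegates to authentik.service's ExecReload, whose first step is `-/usr/bin/docker-compose pull --quiet`; the leading `-` means a failed pull (registry rate limit, network outage) is swallowed and the oneshot still reports success, so neither the timer nor the icinga http check will tell you that images stopped updating. Consider dropping the `-` on the pull in the reload path, or at least logging the pull result, so a silent stall is visible.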

View File

@ -0,0 +1,10 @@
[Unit]
Description=Refresh authentik images
Requires=authentik.service
After=authentik.service
[Timer]
OnCalendar=*:0/15
[Install]
WantedBy=timers.target
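Review bot: `OnCalendar=*:0/15` triggers a registry pull every 15 minutes, and the hedgedoc and vaultwarden timers in this change use the same cadence, so a host running all three stacks makes a few hundred manifest requests per day even when nothing has changed and can run into Docker Hub's anonymous pull rate limit; a daily `OnCalendar=` plus `RandomizedDelaySec=` would give the same refresh with far fewer registry requests.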

View File

@ -15,8 +15,8 @@ TimeoutStartSec=1200
WorkingDirectory=/opt/authentik
# Make sure no old containers are running
ExecStartPre=/usr/bin/docker-compose down -v
# Update images
ExecStartPre=-/usr/bin/docker-compose pull --quiet
# Compose up
ExecStart=/usr/bin/docker-compose up
@ -24,5 +24,9 @@ ExecStart=/usr/bin/docker-compose up
# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker-compose down -v
# Refresh on reload
ExecReload=-/usr/bin/docker-compose pull --quiet
ExecReload=/usr/bin/docker-compose up -d
[Install]
WantedBy=multi-user.target
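Review bot: `ExecReload=-/usr/bin/docker-compose pull --quiet` ignores a failing pull (the leading `-`), so when the registry is unreachable or rate-limited the following `up -d` silently keeps the old images and nothing reports that the refresh did not happen; either drop the `-` so the reload unit fails visibly, or monitor the result of the reload unit. Note also that `ExecStop=/usr/bin/docker-compose down -v` deletes anonymous volumes at every stop, which is only safe if all persistent data lives in named volumes or bind mounts.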

View File

@ -9,3 +9,5 @@ logrotate_excludes:
sshd_password_authentication: "no"
sshd_permit_root_login: "prohibit-password"
unattended_reboot: "true"

View File

@ -4,6 +4,7 @@
apt:
name:
- apt-transport-https
- debian-goodies
- dnsutils
- fdisk
- gnupg2
@ -15,6 +16,7 @@
- pydf
- rsync
- sudo
- unattended-upgrades
- vim-nox
- wget
- zsh
@ -26,6 +28,12 @@
- qemu-guest-agent
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
- name: Configure unattended upgrades
template: src={{ item }}.j2 dest=/etc/apt/apt.conf.d/{{ item }}
with_items:
- 02periodic
- 50unattended-upgrades
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no

View File

@ -9,6 +9,7 @@
- less
- rsync
- vim-nox
- wget
- zsh
- name: Configure misc software

View File

@ -6,3 +6,6 @@
- name: Configure chrony
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
notify: Restart chrony
- name: Start chrony
service: name=chrony state=started enabled=yes

View File

@ -2,7 +2,7 @@
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format format is "keyword=value,...". A
// Lines below have the format "keyword=value,...". A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
@ -31,6 +31,7 @@ Unattended-Upgrade::Origins-Pattern {
// "origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
// Archive or Suite based matching:
// Note that this will silently match a different release after
@ -93,9 +94,11 @@ Unattended-Upgrade::Package-Blacklist {
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "root";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
Unattended-Upgrade::MailOnlyOnError "true";
// Set this value to one of:
// "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
Unattended-Upgrade::MailReport "only-on-error";
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
@ -110,7 +113,7 @@ Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "{{ uau_reboot }}";
Unattended-Upgrade::Automatic-Reboot "{{ unattended_reboot }}";
// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
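Review bot: `Unattended-Upgrade::Automatic-Reboot "{{ unattended_reboot }}"` renders as `"true"` for the hosts in group_vars, and no `Unattended-Upgrade::Automatic-Reboot-Time` is set in this template, so a kernel or libc update reboots a host at whatever time the daily run happens; setting `Automatic-Reboot-Time` to a maintenance window (and `Automatic-Reboot-WithUsers "false"` if operators may be logged in) keeps the reboots predictable.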
@ -145,3 +148,18 @@ Unattended-Upgrade::Automatic-Reboot "{{ uau_reboot }}";
// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";
// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";
// When APT fails to mark a package to be upgraded or installed try adjusting
// candidates of related packages to help APT's resolver in finding a solution
// where the package can be upgraded or installed.
// This is a workaround until APT's resolver is fixed to always find a
// solution if it exists. (See Debian bug #711128.)
// The fallback is enabled by default, except on Debian's sid release because
// uninstallable packages are frequent there.
// Disabling the fallback speeds up unattended-upgrades when there are
// uninstallable packages at the expense of rarely keeping back packages which
// could be upgraded or installed.
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";

View File

@ -1,9 +1,8 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
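Review bot: the `# $OpenBSD: sshd_config,v 1.103 2018/04/09` header is now stale, since the options below were re-aligned with the newer Debian default (`KbdInteractiveAuthentication`, `/run/sshd.pid`); either drop the version line or refresh it from the sshd_config shipped by the targeted release so the next diff against upstream stays meaningful.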
@ -69,7 +68,7 @@ PasswordAuthentication {{ sshd_password_authentication }}
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
@ -85,13 +84,13 @@ ChallengeResponseAuthentication no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
@ -109,7 +108,7 @@ PrintMotd no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

View File

@ -1,19 +1,19 @@
$ORIGIN binary.kitchen ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2024100600; serial
2024111500; serial
1d; refresh
2h; retry
4w; expire
1h; minimum time-to-live
)
IN NS ns1.binary.kitchen.
IN NS ns2.binary.kitchen.
@ IN NS ns1.binary.kitchen.
@ IN NS ns2.binary.kitchen.
; Subdomains
users IN NS ns1.binary.kitchen.
users IN NS ns2.binary.kitchen.
; External
IN A 213.166.246.4
@ IN A 213.166.246.4
www IN A 213.166.246.4
; Aliases
3dprinter IN A 172.23.3.251
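Review bot: changing the blank owner to `@` on the NS and A lines is the right fix: a blank owner in a zone file repeats the owner of the previous record, so after the `users IN NS` delegation lines the unqualified `IN A 213.166.246.4` would have been attached to `users` rather than the apex, which would explain the broken delegation the commit message refers to. To keep this class of error from reaching the servers, run `named-checkzone binary.kitchen <file>` (or the equivalent for the authoritative server in use) as a `validate:` step of the task that deploys the zone.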

View File

@ -9,17 +9,27 @@ newServer({address='127.0.0.1:5300', pool='authdns'})
newServer({address='127.0.0.1:5353', pool='resolve'})
{% if dns_secondary is defined %}
-- allow AXFR/IXFR only from slaves
-- allow AXFR/IXFR only from secondary
addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
{% endif %}
-- allow NOTIFY only from master
-- allow NOTIFY only from primary
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
-- use auth servers for own zones
addAction('binary.kitchen', PoolAction('authdns'))
addAction('23.172.in-addr.arpa', PoolAction('authdns'))
-- function to set RA flag
function setRA(dq)
dq.dh:setRA(true)
return DNSResponseAction.None
end
-- set RA flag for queries to own zones
addResponseAction('binary.kitchen', LuaResponseAction(setRA))
addResponseAction('23.172.in-addr.arpa', LuaResponseAction(setRA))
-- use resolver for anything else
addAction(AllRule(), PoolAction('resolve'))
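Review bot: the AXFR/IXFR refusal is wrapped in `{% if dns_secondary is defined %}`, so on a host where that variable is unset dnsdist forwards zone-transfer requests from any client to the `authdns` pool; make sure the backend authoritative server enforces its own transfer ACL, or refuse AXFR/IXFR unconditionally when no secondary is configured. The `setRA` response action itself is fine for the stated purpose (clients expect RA=1 from the resolver they are configured to use), and returning `DNSResponseAction.None` leaves the response otherwise untouched.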

View File

@ -0,0 +1,12 @@
---
deploy_key_file: /root/.ssh/id_git_deploy_rsa
asterisk_user: asterisk
asterisk_group: asterisk
repo_provisioning: gogs@git.binary-kitchen.de:noby/voip-yealink-provisioning.git
repo_utilities: gogs@git.binary-kitchen.de:noby/voip-yealink-xml-browser.git
path_yealink_provisioning: /tftpboot/yealink
path_yealink_utilities: /opt/yealink_utilities

View File

@ -0,0 +1,10 @@
---
- name: Reload systemd
ansible.builtin.systemd:
daemon_reload: true
- name: Restart yealink-utilities
ansible.builtin.service:
name: yealink-utilities
state: restarted

View File

@ -0,0 +1,8 @@
---
galaxy_info:
author: Thomas Basler
description: Install FreePBX extensions
license: None
platforms:
- name: Debian
min_ansible_version: "2.4"
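Review bot: `min_ansible_version: "2.4"` contradicts the role's tasks, which use fully qualified collection names (`ansible.builtin.*`, `community.crypto.openssh_keypair`); those need ansible-core 2.10 or later and the community.crypto collection, so bump the version and add the collection to the role's requirements.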

View File

@ -0,0 +1,20 @@
---
- name: Generate an OpenSSH keypair for gitea deploy usage
community.crypto.openssh_keypair:
path: "{{ deploy_key_file }}"
- name: Wait for confirmation
ansible.builtin.pause:
prompt: Please confirm that you've distributed the public key to all repositories! Press return to continue. Press Ctrl+c and then "a" to abort
- name: Install required packages
ansible.builtin.apt:
name:
- php-ldap
- name: Include provisioning tasks
ansible.builtin.include_tasks: yealink_provisioning.yml
- name: Include XML-Utilities tasks
ansible.builtin.include_tasks: yealink_utilities.yml
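Review bot: `community.crypto.openssh_keypair` is called with only `path`, so the deploy key is generated with the module's default RSA type; pass `type: ed25519` (and rename the file in defaults, which currently calls it `id_git_deploy_rsa`). The `ansible.builtin.pause` prompt also fires on every play, which blocks unattended runs; register the keypair result and add `when: deploy_key.changed` so the confirmation is only asked the first time the key is created.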

View File

@ -0,0 +1,9 @@
---
- name: Clone Yealink Provisioning data
ansible.builtin.git: # noqa: latest
repo: "{{ repo_provisioning }}"
dest: "{{ path_yealink_provisioning }}"
force: true
accept_hostkey: true
key_file: "{{ deploy_key_file }}"
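Review bot: `accept_hostkey: true` on the `ansible.builtin.git` task (and again in the utilities task) trusts whatever host key git.binary-kitchen.de presents on first contact, which is exactly when an interposed server on the clone path would go unnoticed; pin the server's key with `ansible.builtin.known_hosts` in a preceding task and drop `accept_hostkey`. Since this checkout is what `/tftpboot/yealink` serves to the phones, `force: true` also means any manual edit on the box is overwritten on the next run, which is fine but deserves a comment in the task.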

View File

@ -0,0 +1,53 @@
---
- name: Install dependencies
ansible.builtin.package:
name: "python3-venv"
state: present
- name: Check if .gitignore contains "{{ path_yealink_utilities }}"
ansible.builtin.command: grep "directory = {{ path_yealink_utilities }}" /root/.gitconfig
register: gitignore_check
ignore_errors: true
- name: "Patch /root/.gitconfig"
ansible.builtin.command: |-
git config --global --add safe.directory {{ path_yealink_utilities }}
when: gitignore_check.rc != 0
- name: Clone Yealink Utilities
ansible.builtin.git: # noqa: latest
repo: "{{ repo_utilities }}"
dest: "{{ path_yealink_utilities }}"
force: true
accept_hostkey: true
key_file: "{{ deploy_key_file }}"
- name: Ensure directory permissions
ansible.builtin.file:
path: "{{ path_yealink_utilities }}"
state: directory
recurse: true
owner: "{{ asterisk_user }}"
group: "{{ asterisk_group }}"
- name: Install specified python requirements in indicated (virtualenv)
ansible.builtin.pip:
requirements: "{{ path_yealink_utilities }}/requirements.txt"
virtualenv: "{{ path_yealink_utilities }}/.venv"
virtualenv_command: 'python3 -m venv'
- name: Install systemd unit
ansible.builtin.template:
src: yealink-utilities.service.j2
dest: /etc/systemd/system/yealink-utilities.service
mode: "0644"
notify:
- Reload systemd
- Restart yealink-utilities
- name: Enable yealink-utilities
ansible.builtin.service:
name: yealink-utilities
state: started
enabled: true
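Review bot: the task named "Check if .gitignore contains ..." actually greps `/root/.gitconfig` for a `safe.directory` entry, and the registered variable `gitignore_check` carries the same misnomer; rename both so the intent (root operating on a repo that is later chowned to `{{ asterisk_user }}`) is clear. The grep task also needs `changed_when: false` and `failed_when: false` instead of `ignore_errors: true`, otherwise every run reports a change and a red "ignored" failure. Note that "Ensure directory permissions" runs before the `pip` task, so the `.venv` it creates stays root-owned; that works for a read-only venv, but moving the file task after pip would make ownership consistent.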

View File

@ -0,0 +1,17 @@
[Unit]
Description=Yealink XML-Browser
After=syslog.target
After=network.target
[Service]
RestartSec=2s
Type=simple
User={{ asterisk_user }}
Group={{ asterisk_group }}
Environment="PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:{{ path_yealink_utilities }}/.venv/bin"
WorkingDirectory={{ path_yealink_utilities }}
ExecStart={{ path_yealink_utilities }}/.venv/bin/python3 {{ path_yealink_utilities }}/run.py
Restart=always
[Install]
WantedBy=multi-user.target
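Review bot: `After=syslog.target` has no effect on current systemd (the target is deprecated) and can be dropped. Since this unit runs a Python web application exposed to the phones as `{{ asterisk_user }}`, consider the usual sandboxing directives (`NoNewPrivileges=true`, `ProtectSystem=strict` with `ReadWritePaths=` for anything run.py writes, `ProtectHome=true`, `PrivateTmp=true`) so a bug in the XML browser cannot reach the rest of the FreePBX host.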

View File

@ -3,5 +3,5 @@
gitea_user: gogs
gitea_group: gogs
gitea_version: 1.22.2
gitea_version: 1.22.6
gitea_url: https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
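Review bot: `gitea_url` fetches the release binary straight from GitHub; if the download task does not already verify it, add `checksum: sha256:{{ gitea_url }}.sha256` to the `get_url` call (Gitea publishes a `.sha256` and an `.asc` next to each binary) so that a version bump cannot silently pull a tampered artifact.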

View File

@ -6,6 +6,9 @@
- name: Restart hedgedoc
service: name=hedgedoc state=restarted
- name: Restart hedgedoc-reload
service: name=hedgedoc-reload state=restarted
- name: Restart nginx
service: name=nginx state=restarted

View File

@ -42,9 +42,21 @@
- Reload systemd
- Restart hedgedoc
- name: Systemd unit for hedgedoc-reload
template: src=hedgedoc-reload.{{ item }}.j2 dest=/etc/systemd/system/hedgedoc-reload.{{ item }}
with_items:
- "service"
- "timer"
notify:
- Reload systemd
- Restart hedgedoc-reload
- name: Start the hedgedoc service
service: name=hedgedoc state=started enabled=yes
- name: Enable auto update timer
service: name=hedgedoc-reload.timer state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:

View File

@ -1,4 +1,5 @@
version: "3"
---
version: "3.4"
services:
database:
image: postgres:13-alpine

View File

@ -0,0 +1,7 @@
[Unit]
Description=Refresh hedgedoc images
[Service]
Type=oneshot
ExecStart=/bin/systemctl reload-or-restart hedgedoc.service

View File

@ -0,0 +1,10 @@
[Unit]
Description=Refresh authentik images
Requires=authentik.service
After=authentik.service
[Timer]
OnCalendar=*:0/15
[Install]
WantedBy=timers.target
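Review bot: this hedgedoc-reload.timer was copied from the authentik role without editing: `Description=Refresh authentik images`, `Requires=authentik.service` and `After=authentik.service` all reference authentik, so on a hedgedoc host without authentik the timer fails to start (and where both exist it is tied to the wrong service). Replace the three references with hedgedoc.service, matching the service unit in the previous file.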

View File

@ -15,8 +15,8 @@ TimeoutStartSec=1200
WorkingDirectory=/opt/hedgedoc
# Make sure no old containers are running
ExecStartPre=/usr/bin/docker-compose down -v
# Update images
ExecStartPre=-/usr/bin/docker-compose pull --quiet
# Compose up
ExecStart=/usr/bin/docker-compose up
@ -24,5 +24,9 @@ ExecStart=/usr/bin/docker-compose up
# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker-compose down -v
# Refresh on reload
ExecReload=-/usr/bin/docker-compose pull --quiet
ExecReload=/usr/bin/docker-compose up -d
[Install]
WantedBy=multi-user.target

View File

@ -11,7 +11,7 @@
- name: Regenerate hosts.conf
assemble:
src: /etc/icinga2/conf.d/hosts
dest: /etc/icinga2/conf.d/hosts.conf
dest: /etc/icinga2/zones.d/master/hosts.conf
# validate: /usr/sbin/icinga2 daemon -c %s --validate
notify: Restart icinga2
delegate_to: "{{ icinga_server }}"

View File

@ -11,7 +11,7 @@
- name: Regenerate hosts.conf
assemble:
src: /etc/icinga2/conf.d/hosts
dest: /etc/icinga2/conf.d/hosts.conf
dest: /etc/icinga2/zones.d/master/hosts.conf
# validate: /usr/sbin/icinga2 daemon -c %s --validate
notify: Restart icinga2
delegate_to: "{{ icinga_server }}"

View File

@ -1,8 +1,8 @@
{% for disk in disks %}
vars.disks["disk {{ disk }}"] = {
vars.disks[" {{ disk }}"] = {
disk_partitions = "{{ disk }}"
disk_wfree = "10%"
disk_cfree = "5%"
disk_wfree = "10%"
}
{% endfor %}
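Review bot: `disk_wfree = "10%"` appears twice in the rendered block; the duplicate is harmless in Icinga's config language (the later assignment wins) but reads like a leftover, so drop one. The leading space in the new `" {{ disk }}"` key is deliberate here, since `apply Service "disk" for` prefixes the key with the apply name and yields service names like `disk /`.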

View File

@ -0,0 +1,21 @@
apply Service "apt" {
import "generic-service"
check_command = "apt"
command_endpoint = host.vars.agent_endpoint
assign where host.vars.agent_endpoint && host.vars.os == "Linux"
}
apply Service "disk" for (disk => config in host.vars.disks) {
import "generic-service"
check_command = "disk"
command_endpoint = host.vars.agent_endpoint
assign where host.vars.agent_endpoint
vars += config
}

View File

@ -62,6 +62,24 @@
changed_when: "'for these changes to take effect' in features_result.stdout"
notify: Restart icinga2
# TODO setup as master node
# icinga2 node setup --master
- name: Ensure directory for zone config exists
file:
path: /etc/icinga2/zones.d/master
state: directory
owner: "{{ icinga_user }}"
group: "{{ icinga_group }}"
- name: Configure services
copy: src=icinga2/zones.d/master/services.conf dest=/etc/icinga2/zones.d/master/services.conf owner={{ icinga_user }} group={{ icinga_group }}
notify: Restart icinga2
- name: Configure zones
template: src=icinga2/zones.conf.j2 dest=/etc/icinga2/zones.conf owner={{ icinga_user }} group={{ icinga_group }}
notify: Restart icinga2
- name: Ensure directory for host snippets exists
file:
path: /etc/icinga2/conf.d/hosts

View File

@ -0,0 +1,28 @@
object Endpoint "{{ ansible_fqdn }}" {
}
object Zone "master" {
endpoints = [ "{{ ansible_fqdn }}" ]
}
{% for host in groups['all'] %}
{% if host != ansible_fqdn %}
object Endpoint "{{ host }}" {
host = "{{ host }}"
}
object Zone "{{ host }}" {
endpoints = [ "{{ host }}" ]
parent = "master"
}
{% endif %}
{% endfor %}
object Zone "global-templates" {
global = true
}
object Zone "director-global" {
global = true
}
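Review bot: the template declares an `Endpoint` with `host = "{{ host }}"` and a child `Zone` for every entry in `groups['all']`, so the master will keep trying to open agent connections to hosts that do not run the icinga2 agent or whose certificates are not yet signed, and each such endpoint shows up as a recurring connection failure in the log; restrict the loop to the group that actually gets the agent, or only set `host =` for endpoints the master is meant to dial.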

View File

@ -64,7 +64,7 @@
- name: Regenerate hosts.conf
assemble:
src: /etc/icinga2/conf.d/hosts
dest: /etc/icinga2/conf.d/hosts.conf
dest: /etc/icinga2/zones.d/master/hosts.conf
# validate: /usr/sbin/icinga2 daemon -c %s --validate
notify: Restart icinga2
delegate_to: "{{ icinga_server }}"

View File

@ -32,7 +32,7 @@
"parameters": {
"high-availability": [ {
"this-server-name": "{{ inventory_hostname.split('.')[0] }}",
"mode": "hot-standby",
"mode": "load-balancing",
"heartbeat-delay": 10000,
"max-response-delay": 60000,
"max-ack-delay": 5000,
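Review bot: switching `"mode"` to `"load-balancing"` only works as intended if the address pools are split between the two servers; Kea expects each pool to be restricted with a client class named `HA_<server-name>` (here the names come from `inventory_hostname.split('.')[0]`), otherwise both servers allocate leases from the same ranges. That pool configuration is outside this hunk, so please confirm it is in place.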
@ -42,12 +42,14 @@
{
"name": "{{ lookup('dig', dhcpd_primary+'/PTR', '@'+dns_primary).split('.')[0] }}",
"url": "http://{{ dhcpd_primary }}:8000/",
"role": "primary"
"role": "primary",
"auto-failover": true
},
{
"name": "{{ lookup('dig', dhcpd_secondary+'/PTR', '@'+dns_primary).split('.')[0] }}",
"url": "http://{{ dhcpd_secondary }}:8000/",
"role": "standby"
"role": "secondary",
"auto-failover": true
}
]
} ]
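Review bot: both peer `url`s are plain `http://...:8000/`, so lease updates and HA control commands between the two Kea servers travel unauthenticated and in clear text; the HA hook supports TLS and basic auth for peers (`trust-anchor`/`cert-file`/`key-file` and `basic-auth-user`/`basic-auth-password`), and at minimum port 8000 should be firewalled to the two peer addresses. `"auto-failover": true` on both peers is the correct pairing for load-balancing mode.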
@ -133,7 +135,7 @@
"client-classes": [
{
"name": "voip-phone",
"name": "cisco-phone",
"option-data": [
{
"name": "tftp-server-name",
@ -142,6 +144,16 @@
]
},
{
"name": "yealink-phone",
"option-data": [
{
"name": "tftp-server-name",
"data": "tftp://172.23.2.36/yealink/$PN"
}
]
},
{
"name": "dect-rfp",
"option-data": [
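Review bot: the new `yealink-phone` class points phones at `tftp://172.23.2.36/yealink/$PN`, i.e. the provisioning checkout under `/tftpboot/yealink` from the freepbx role is served over TFTP, which has neither authentication nor transport encryption; anything that can reach that address can fetch the same files, so keep SIP credentials out of the static provisioning tree or restrict the TFTP service to the phone VLAN, and consider Yealink's HTTPS provisioning for the long term.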
@ -325,27 +337,57 @@
},
{
"hw-address": "00:1D:45:B6:99:2F",
"hw-address": "00:15:65:94:df:39",
"hostname": "voip01",
"client-classes": [ "voip-phone" ]
"client-classes": [ "yealink-phone" ]
},
{
"hw-address": "00:15:65:94:e2:2d",
"hostname": "voip02",
"client-classes": [ "yealink-phone" ]
},
{
"hw-address": "00:15:65:94:df:3a",
"hostname": "voip03",
"client-classes": [ "yealink-phone" ]
},
{
"hw-address": "00:15:65:94:de:7f",
"hostname": "voip04",
"client-classes": [ "yealink-phone" ]
},
{
"hw-address": "00:15:65:94:e3:39",
"hostname": "voip04",
"client-classes": [ "yealink-phone" ]
},
{
"hw-address": "00:1D:45:B6:99:2F",
// "hostname": "voip01",
"client-classes": [ "cisco-phone" ]
},
{
"hw-address": "00:1D:A2:66:B8:3E",
"hostname": "voip02",
"client-classes": [ "voip-phone" ]
// "hostname": "voip02",
"client-classes": [ "cisco-phone" ]
},
{
"hw-address": "00:1E:BE:90:FB:DB",
"hostname": "voip03",
"client-classes": [ "voip-phone" ]
// "hostname": "voip03",
"client-classes": [ "cisco-phone" ]
},
{
"hw-address": "00:1E:BE:90:FF:06",
"hostname": "voip04",
"client-classes": [ "voip-phone" ]
// "hostname": "voip04",
"client-classes": [ "cisco-phone" ]
}
]
},
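Review bot: the reservations for `00:15:65:94:de:7f` and `00:15:65:94:e3:39` both set `"hostname": "voip04"` (there is no `voip05`), so two phones will register the same name in DHCP and DNS; the second one is presumably meant to be `voip05`. The `//` comments on the old Cisco entries are fine, Kea's JSON parser accepts them.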

View File

@ -2793,7 +2793,7 @@ background_updates:
# marked as protected from quarantine will not be deleted.
#
media_retention:
local_media_lifetime: 90d
local_media_lifetime: 180d
remote_media_lifetime: 14d

View File

@ -2,4 +2,4 @@
netbox_group: netbox
netbox_user: netbox
netbox_version: 4.1.3
netbox_version: 4.1.8

View File

@ -1,4 +0,0 @@
---
pretalx_user: pretalx
pretalx_group: pretalx

View File

@ -1,13 +0,0 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart pretalx-web
service: name=pretalx-web state=restarted
- name: Restart pretalx-worker
service: name=pretalx-worker state=restarted

View File

@ -1,125 +0,0 @@
---
- name: Create group
group: name={{ pretalx_group }}
- name: Create user
user: name={{ pretalx_user }} home=/home/{{ pretalx_user }} group={{ pretalx_group }}
- name: Create pretalx directories
file: path={{ item }} state=directory owner={{ pretalx_user }} group={{ pretalx_group }}
with_items:
- /etc/pretalx
- /opt/pretalx
- /opt/pretalx/data
- /opt/pretalx/data/media
- /opt/pretalx/static
- name: Install dependencies
apt:
name:
- build-essential
- gettext
- libssl-dev
- nodejs
- npm
- python3-setuptools
- python3-dev
- python3-pip
- python3-venv
- name: Install PostgreSQL
apt:
name:
- postgresql
- python3-psycopg2
- name: Configure PostgreSQL user
postgresql_user: name={{ pretalx_dbuser }} password={{ pretalx_dbpass }}
become: true
become_user: postgres
- name: Configure PostgreSQL database
postgresql_db: name={{ pretalx_dbname }} owner={{ pretalx_dbuser }}
become: true
become_user: postgres
- name: Install redis
apt: name=redis-server
- name: Install pretalx
pip:
name:
- gunicorn
- pretalx[postgres,redis]
- psycopg2-binary
virtualenv: /opt/pretalx/venv
virtualenv_command: "python3 -m venv"
become: true
become_user: "{{ pretalx_user }}"
register: pretalx_install
- name: Configure pretalx
template:
src: pretalx.cfg.j2
dest: /etc/pretalx/pretalx.cfg
owner: "{{ pretalx_user }}"
group: "{{ pretalx_group }}"
notify:
- Restart pretalx-web
- Restart pretalx-worker
- name: Run migration script
command:
cmd: "./venv/bin/python3 -m pretalx migrate"
chdir: "/opt/pretalx"
become: true
become_user: "{{ pretalx_user }}"
when: pretalx_install.changed
- name: Run rebuild script
command:
cmd: "./venv/bin/python3 -m pretalx rebuild"
chdir: "/opt/pretalx"
become: true
become_user: "{{ pretalx_user }}"
when: pretalx_install.changed
- name: Enable pretalx cronjob
cron:
user: "{{ pretalx_user }}"
name: pretalx
minute: "*/5"
job: "export PATH=/opt/pretalx/venv/bin:$PATH && cd /opt/pretalx && python -m pretalx runperiodic > /dev/null"
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ pretalx_domain }}.key -out /etc/nginx/ssl/{{ pretalx_domain }}.crt -days 730 -subj "/CN={{ pretalx_domain }}" creates=/etc/nginx/ssl/{{ pretalx_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for pretalx
template: src=certs.j2 dest=/etc/acertmgr/{{ pretalx_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/pretalx
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/pretalx dest=/etc/nginx/sites-enabled/pretalx state=link
notify: Restart nginx
- name: Install systemd units
template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
with_items:
- pretalx-web
- pretalx-worker
notify:
- Reload systemd
- Restart pretalx-web
- Restart pretalx-worker
- name: Enable services
service: name={{ item }} state=started enabled=yes
with_items:
- pretalx-web
- pretalx-worker

View File

@ -1,18 +0,0 @@
[Unit]
Description=pretalx web service
After=network.target
[Service]
User={{ pretalx_user }}
Group={{ pretalx_group }}
Environment="VIRTUAL_ENV=/opt/pretalx/venv"
Environment="PATH=/opt/pretalx/venv/bin:/usr/local/bin:/usr/bin:/bin"
ExecStart=/opt/pretalx/venv/bin/gunicorn pretalx.wsgi \
--name pretalx --workers 5 \
--max-requests 1200 --max-requests-jitter 50 \
--log-level=info --bind=127.0.0.1:8345
WorkingDirectory=/opt/pretalx
Restart=on-failure
[Install]
WantedBy=multi-user.target

View File

@ -1,15 +0,0 @@
[Unit]
Description=pretalx background worker
After=network.target
[Service]
User={{ pretalx_user }}
Group={{ pretalx_group }}
Environment="VIRTUAL_ENV=/opt/pretalx/venv"
Environment="PATH=/opt/pretalx/venv/bin:/usr/local/bin:/usr/bin:/bin"
ExecStart=/opt/pretalx/venv/bin/celery -A pretalx.celery_app worker -l info
WorkingDirectory=/opt/pretalx
Restart=on-failure
[Install]
WantedBy=multi-user.target

View File

@ -1,27 +0,0 @@
[filesystem]
data = /opt/pretalx/data
static = /opt/pretalx/static
[site]
debug = False
url = https://{{ pretalx_domain }}
[database]
backend = postgresql
name = {{ pretalx_dbname }}
user = {{ pretalx_dbuser }}
password = {{ pretalx_dbpass }}
host =
[mail]
from={{ pretalx_mail }}
host={{ mail_server }}
tls = True
[redis]
location=redis://127.0.0.1/0
sessions=true
[celery]
backend=redis://127.0.0.1/1
broker=redis://127.0.0.1/2

View File

@ -1,49 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name {{ pretalx_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ pretalx_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ pretalx_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ pretalx_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ pretalx_domain }}.crt;
add_header Referrer-Policy same-origin;
add_header X-Content-Type-Options nosniff;
location / {
proxy_pass http://localhost:8345;
client_max_body_size 32M;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
}
location /media/ {
alias /opt/pretalx/data/media/;
expires 7d;
access_log off;
}
location /static/ {
alias /opt/pretalx/static/;
access_log off;
expires 365d;
add_header Cache-Control "public";
}
}

View File

@ -1,13 +1,13 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart therapy
service: name=therapy state=restarted
- name: Restart nginx
service: name=nginx state=restarted
- name: Restart workadventure
service: name=workadventure state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

View File

@ -0,0 +1,55 @@
---
- name: Install packages
apt:
name:
- docker.io
- docker-compose
- name: Create therapy group
group: name=therapy
- name: Create therapy user
user:
name: therapy
home: /opt/therapy
shell: /bin/bash
group: therapy
groups: docker
# TODO
# checkout source to /opt/therapy/source - currently done manually
- name: Configure therapy container
template: src=docker-compose.yml.j2 dest=/opt/therapy/docker-compose.yml
notify: Restart therapy
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ therapy_domain }}.key -out /etc/nginx/ssl/{{ therapy_domain }}.crt -days 730 -subj "/CN={{ therapy_domain }}" creates=/etc/nginx/ssl/{{ therapy_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for therapy
template: src=certs.j2 dest=/etc/acertmgr/{{ therapy_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/therapy
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/therapy dest=/etc/nginx/sites-enabled/therapy state=link
notify: Restart nginx
- name: Systemd unit for therapy
template: src=therapy.service.j2 dest=/etc/systemd/system/therapy.service
notify:
- Reload systemd
- Restart therapy
- name: Start the therapy service
service: name=therapy state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ therapy_domain }}"
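Review bot: the `therapy` user is added to `groups: docker`, which is root-equivalent on the host (anyone who can talk to the Docker socket can bind-mount `/` into a container), so a compromise of this service account is a full host compromise; since the unit only needs to run `docker-compose` for its own stack, consider running the compose commands as root from the unit while keeping the container processes unprivileged, or use rootless Docker for this user. The `# TODO checkout source ... manually` also leaves the image build input unmanaged; a `git` task with a pinned revision would make the deployment reproducible.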

View File

@ -1,13 +1,13 @@
---
{{ pretalx_domain }}:
- path: /etc/nginx/ssl/{{ pretalx_domain }}.key
{{ therapy_domain }}:
- path: /etc/nginx/ssl/{{ therapy_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ pretalx_domain }}.crt
- path: /etc/nginx/ssl/{{ therapy_domain }}.crt
user: root
group: root
perm: '400'

View File

@ -0,0 +1,12 @@
---
version: "3.4"
services:
server:
image: therapy
build: ./source
restart: unless-stopped
command: server
environment:
THERAPY_SECRET: {{ therapy_secret }}
ports:
- "127.0.0.1:5000:5000"
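Review bot: `THERAPY_SECRET: {{ therapy_secret }}` is interpolated unquoted into YAML, so a secret that starts with a YAML-significant character, contains `: ` or ` #`, or looks numeric is misparsed or truncated; render it as `"{{ therapy_secret }}"` (or `{{ therapy_secret | to_json }}`). The template task in the tasks file also sets no `mode:`, so the rendered compose file containing the secret gets the default permissions; add `mode: "0600"` and `owner: therapy`.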

View File

@ -1,5 +1,5 @@
[Unit]
Description=WorkAdventure service using docker compose
Description=therapy service using docker compose
Requires=docker.service
After=docker.service
Before=nginx.service
@ -7,13 +7,13 @@ Before=nginx.service
[Service]
Type=simple
User=workadventure
Group=workadventure
User=therapy
Group=therapy
Restart=always
TimeoutStartSec=1200
WorkingDirectory=/opt/workadventure/source/
WorkingDirectory=/opt/therapy
# Make sure no old containers are running
ExecStartPre=/usr/bin/docker-compose down -v

View File

@ -0,0 +1,31 @@
server {
listen 80;
listen [::]:80;
server_name {{ therapy_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ therapy_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ therapy_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ therapy_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ therapy_domain }}.crt;
location / {
proxy_pass http://localhost:5000;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
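Review bot: compared with the removed pretalx vhost this template drops `proxy_set_header Host $http_host;` and the `Referrer-Policy`/`X-Content-Type-Options` headers; the backend on port 5000 will now see `Host: localhost:5000`, which matters if the application builds absolute URLs from it, and the two headers cost nothing to keep.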

View File

@ -1,3 +0,0 @@
---
uau_reboot: "true"

View File

@ -1,13 +0,0 @@
---
- name: Install unattended upgrades
apt:
name:
- unattended-upgrades
- debian-goodies
- name: Configure unattended upgrades
template: src={{ item }}.j2 dest=/etc/apt/apt.conf.d/{{ item }}
with_items:
- 02periodic
- 50unattended-upgrades

View File

@ -6,6 +6,9 @@
- name: Restart vaultwarden
service: name=vaultwarden state=restarted
- name: Restart vaultwarden-reload
service: name=vaultwarden-reload state=restarted
- name: Restart nginx
service: name=nginx state=restarted

View File

@ -42,9 +42,21 @@
- Reload systemd
- Restart vaultwarden
- name: Systemd unit for vaultwarden-reload
template: src=vaultwarden-reload.{{ item }}.j2 dest=/etc/systemd/system/vaultwarden-reload.{{ item }}
with_items:
- "service"
- "timer"
notify:
- Reload systemd
- Restart vaultwarden-reload
- name: Start the vaultwarden service
service: name=vaultwarden state=started enabled=yes
- name: Enable auto update timer
service: name=vaultwarden-reload.timer state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:

View File

@ -1,4 +1,5 @@
version: "3"
---
version: "3.4"
services:
database:
image: postgres:13-alpine

View File

@ -0,0 +1,7 @@
[Unit]
Description=Refresh vaultwarden images
[Service]
Type=oneshot
ExecStart=/bin/systemctl reload-or-restart vaultwarden.service

View File

@ -0,0 +1,10 @@
[Unit]
Description=Refresh vaultwarden images
Requires=vaultwarden.service
After=vaultwarden.service
[Timer]
OnCalendar=*:0/15
[Install]
WantedBy=timers.target

View File

@ -15,8 +15,8 @@ TimeoutStartSec=1200
WorkingDirectory=/opt/vaultwarden
# Make sure no old containers are running
ExecStartPre=/usr/bin/docker-compose down -v
# Update images
ExecStartPre=-/usr/bin/docker-compose pull --quiet
# Compose up
ExecStart=/usr/bin/docker-compose up
@ -24,5 +24,9 @@ ExecStart=/usr/bin/docker-compose up
# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker-compose down -v
# Refresh on reload
ExecReload=-/usr/bin/docker-compose pull --quiet
ExecReload=/usr/bin/docker-compose up -d
[Install]
WantedBy=multi-user.target

View File

@ -42,6 +42,20 @@ www.ccc-r.de:
format: key
action: '/usr/sbin/service nginx restart'
fahrplan.eh21.easterhegg.eu:
- path: /etc/nginx/ssl/fahrplan.eh21.easterhegg.eu.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/fahrplan.eh21.easterhegg.eu.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
www.makerspace-regensburg.de:
- path: /etc/nginx/ssl/www.makerspace-regensburg.de.crt
user: root

View File

@ -145,7 +145,7 @@ server {
ssl_certificate_key /etc/nginx/ssl/autoconfig.binary-kitchen.de.key;
ssl_certificate /etc/nginx/ssl/autoconfig.binary-kitchen.de.crt;
root /var/www/autconfig;
root /var/www/autoconfig;
default_type text/html;
}
@ -180,6 +180,41 @@ server {
default_type text/html;
}
server {
listen 80;
listen [::]:80;
server_name fahrplan.eh21.easterhegg.eu;
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://fahrplan.eh21.easterhegg.eu$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name fahrplan.eh21.easterhegg.eu;
ssl_certificate_key /etc/nginx/ssl/fahrplan.eh21.easterhegg.eu.key;
ssl_certificate /etc/nginx/ssl/fahrplan.eh21.easterhegg.eu.crt;
root /var/www/eh21-fahrplan;
location = / {
return 301 https://fahrplan.eh21.easterhegg.eu/eh/;
}
default_type text/html;
}
server {
listen 80;
listen [::]:80;

View File

@ -15,6 +15,7 @@
- autoconfig
- autoconfig/mail
- ccc-r
- eh21-fahrplan
- makerspace-regensburg
- kitchen
@ -30,6 +31,10 @@
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/www.ccc-r.de.key -out /etc/nginx/ssl/www.ccc-r.de.crt -days 730 -subj "/CN=www.ccc-r.de" creates=/etc/nginx/ssl/www.ccc-r.de.crt
notify: Restart nginx
- name: Ensure (EH21 fahrplan) certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/fahrplan.eh21.easterhegg.eu.key -out /etc/nginx/ssl/fahrplan.eh21.easterhegg.eu.crt -days 730 -subj "/CN=fahrplan.eh21.easterhegg.eu" creates=/etc/nginx/ssl/fahrplan.eh21.easterhegg.eu.crt
notify: Restart nginx
- name: Ensure (MS-R) certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/www.makerspace-regensburg.de.key -out /etc/nginx/ssl/www.makerspace-regensburg.de.crt -days 730 -subj "/CN=www.makerspace-regensburg.de" creates=/etc/nginx/ssl/www.makerspace-regensburg.de.crt
notify: Restart nginx
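Review bot: the new `Ensure (EH21 fahrplan) certificates are available` task writes the placeholder private key with `openssl req ... -keyout ...`, whose file mode depends on the umask of the Ansible run, while the acertmgr config only enforces `perm: '400'` on the files it writes itself; check that the placeholder `.key` ends up root-only (or add an explicit `file: mode=0400` step), since the same pattern is repeated for `www.ccc-r.de` and `www.makerspace-regensburg.de`. The `creates=` guard keeps the task idempotent, and `-nodes` is appropriate for a key nginx has to read unattended.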
@ -65,3 +70,14 @@
- name: Start php8.2-fpm
service: name=php8.2-fpm state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ item }}"
with_items:
- "www.binary-kitchen.de"
- "autoconfig.binary-kitchen.de"
- "www.ccc-r.de"
- "www.makerspace-regensburg.de"
- "fahrplan.eh21.easterhegg.eu"
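Review bot: adding `fahrplan.eh21.easterhegg.eu` to the `icinga-monitor` http check is good, but the vhost answers `/` with a 301 to `/eh/`, so depending on how the role's check treats redirects it may report OK without ever fetching the schedule content; if the `tasks_from=http` include accepts a path, point it at `/eh/`, otherwise make sure the check follows redirects rather than accepting the 301 as success.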

View File

@ -1,5 +0,0 @@
---
dependencies:
- { role: acertmgr }
- { role: nginx, nginx_ssl: True }

View File

@ -1,51 +0,0 @@
---
# TODO
# source code is not yet checked out from git
- name: Install docker-compose
apt: name=docker-compose
- name: Install git
apt: name=git
- name: Create workadventure group
group: name=workadventure
- name: Create workadventure user
user:
name: workadventure
home: /opt/workadventure
shell: /bin/zsh
group: workadventure
groups: docker
- name: Install systemd unit
template: src=workadventure.service.j2 dest=/lib/systemd/system/workadventure.service
notify:
- Reload systemd
- Restart workadventure
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ workadventure_domain }}.key -out /etc/nginx/ssl/{{ workadventure_domain }}.crt -days 730 -subj "/CN={{ workadventure_domain }}" creates=/etc/nginx/ssl/{{ workadventure_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for workadventure
template: src=certs.j2 dest=/etc/acertmgr/{{ workadventure_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/workadventure
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/workadventure dest=/etc/nginx/sites-enabled/workadventure state=link
notify: Restart nginx
- name: Enable workadventure
service: name=workadventure enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ workadventure_domain }}"
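Review bot: deleting the role removes the tasks but not the state they left on the host, and several of those leftovers matter: the `workadventure` user stays in the `docker` group (root-equivalent via the Docker socket), the systemd unit stays `enabled`, the `sites-enabled/workadventure` symlink keeps the vhost live, and the `/etc/acertmgr/{{ workadventure_domain }}.conf` config keeps renewing certificates for the `play.`, `pusher.` and `uploader.` names. Either a one-off cleanup play or manual removal on the affected host should accompany this deletion.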

View File

@ -1,15 +0,0 @@
---
{{ workadventure_domain }} play.{{ workadventure_domain }} pusher.{{ workadventure_domain }} uploader.{{ workadventure_domain }}:
- path: /etc/nginx/ssl/{{ workadventure_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ workadventure_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'

View File

@ -1,76 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name {{ workadventure_domain }} play.{{ workadventure_domain }} pusher.{{ workadventure_domain }} uploader.{{ workadventure_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ workadventure_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ workadventure_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ workadventure_domain }}.crt;
location / {
root /opt/workadventure/source/landing/dist;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name play.{{ workadventure_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ workadventure_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ workadventure_domain }}.crt;
location / {
root /opt/workadventure/source/src/front/dist;
try_files $uri uri/ /index.html?$args;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name pusher.{{ workadventure_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ workadventure_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ workadventure_domain }}.crt;
location / {
proxy_pass http://localhost:8002;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name uploader.{{ workadventure_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ workadventure_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ workadventure_domain }}.crt;
location / {
proxy_pass http://localhost:8005;
}
}
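Review bot: informational, since the template is being deleted: `try_files $uri uri/ /index.html?$args;` in the `play.` block has a literal `uri/` where `$uri/` was intended, so directory requests fell straight through to `index.html`; worth knowing if this template is ever resurrected. The `pusher.` block correctly sets `Upgrade`/`Connection` for websockets, while the `uploader.` block passes no `Host` header and sets no body-size limit, which would also need attention in any revival.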

View File

@ -6,11 +6,6 @@
- common
- root_keys
- name: Setup unattended updates
hosts: [sulis.binary.kitchen, nabia.binary.kitchen, epona.binary.kitchen, pizza.binary.kitchen, pancake.binary.kitchen, knoedel.binary.kitchen, bob.binary.kitchen, lasagne.binary.kitchen, tschunk.binary.kitchen, bowle.binary.kitchen, beryllium.binary-kitchen.net, boron.binary-kitchen.net, carbon.binary-kitchen.net, nitrogen.binary-kitchen.net, oxygen.binary-kitchen.net, fluorine.binary-kitchen.net, neon.binary-kitchen.net, sodium.binary-kitchen.net, magnesium.binary-kitchen.net, aluminium.binary-kitchen.net, krypton.binary-kitchen.net, yttrium.binary-kitchen.net, zirconium.binary-kitchen.net, molybdenum.binary-kitchen.net, technetium.binary-kitchen.net, ruthenium.binary-kitchen.net, rhodium.binary-kitchen.net, palladium.binary-kitchen.net, argentum.binary-kitchen.net, cadmium.binary-kitchen.net, barium.binary-kitchen.net]
roles:
- uau
- name: Setup Proxmox VE SSL
hosts: [salat.binary.kitchen, wurst.binary.kitchen, weizen.binary.kitchen]
roles:
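Review bot: dropping the `Setup unattended updates` play replaces an explicit host list for the `uau` role with whatever `common` now does, which widens the scope to every host that runs `common`; the old list deliberately did not include the Proxmox hosts `salat.binary.kitchen`, `wurst.binary.kitchen` and `weizen.binary.kitchen` that appear in the very next play, so confirm that unattended upgrades on the hypervisors is intended (or that `common` does not run there) before this merges.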
@ -52,6 +47,11 @@
roles:
- omm
- name: Setup FreePBX server
hosts: schweinshaxn.binary.kitchen
roles:
- freepbx
- name: Setup gitea runner server
hosts: bob.binary.kitchen
roles:
@ -107,8 +107,8 @@
- name: Setup web server (dockerized)
hosts: fluorine.binary-kitchen.net
roles:
- authentik
- 23b
- authentik
- hedgedoc
- vaultwarden
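Review bot: moving `authentik` below `23b` on `fluorine.binary-kitchen.net` makes the role list alphabetical, which is fine as long as no other role in that play expects the identity provider to be deployed first; if any of `23b`, `hedgedoc` or `vaultwarden` registers an OIDC client against authentik during its own tasks, the order is load-bearing and should be documented with a comment rather than sorted.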
@ -128,10 +128,10 @@
roles:
- coturn
- name: Setup zammad server
- name: Setup web server (dockerized)
hosts: aluminium.binary-kitchen.net
roles:
- zammad
- therapy
- name: Setup jitsi server
hosts: zirconium.binary-kitchen.net
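Review bot: renaming the `aluminium.binary-kitchen.net` play to `Setup web server (dockerized)` gives it the same name as the `fluorine.binary-kitchen.net` play above, which makes `--list-tasks` output and log lines ambiguous; a name that carries the host or purpose (for example `Setup web server (dockerized, aluminium)`) avoids that. Swapping `zammad` for `therapy` also leaves the zammad containers, data and vhost on the host unless something removes them.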
@ -153,11 +153,6 @@
roles:
- pretix
- name: Setup event pretalx server
hosts: palladium.binary-kitchen.net
roles:
- pretalx
- name: Setup event netbox server
hosts: cadmium.binary-kitchen.net
roles:
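Review bot: removing the `Setup event pretalx server` play for `palladium.binary-kitchen.net` has the same leftover-state issue as the other role removals in this series: the host keeps its pretalx containers, database and vhost until cleaned up, so note in the commit or a follow-up how that is handled.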
@ -167,8 +162,3 @@
hosts: argentum.binary-kitchen.net
roles:
- event_web
- name: Setup WorkAdventure server
hosts: barium.binary-kitchen.net
roles:
- workadventure
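Review bot: removing the `Setup WorkAdventure server` play for `barium.binary-kitchen.net` leaves the host in the inventory (it still appears in the unattended-updates host list removed earlier in this file) with a deployed, enabled workadventure service and a user in the `docker` group; either decommission the host from the inventory as well or pair this with a cleanup step on `barium`.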