forked from infra/ansible
Compare commits
1 Commits
Author | SHA1 | Date | |
---|---|---|---|
a9899061d8 |
67
README.md
67
README.md
@ -1,68 +1,11 @@
|
||||
# Binary Kitchen Ansible Playbooks
|
||||
|
||||
This repository contains the roles to setup most of the infrastructure related to the hackspace Binary Kitchen.
|
||||
This repository contains the roles to setup most of the infrastructure related to the hackerspace Binary Kitchen.
|
||||
|
||||
## Usage
|
||||
## Using
|
||||
|
||||
To apply the current set of roles to a single host you can type: `ansible-playbook site.yml -l $hostname`
|
||||
TBA
|
||||
|
||||
It is recommenced to alway run in check mode (`--check`) first and use `--diff` to see what has been (or would be) changed
|
||||
## Style / Contributing
|
||||
|
||||
|
||||
## Current setup
|
||||
|
||||
Currently the following hosts are installed:
|
||||
|
||||
### Internal Servers
|
||||
|
||||
| Hostname | OS | Purpose |
|
||||
| ------------------------- | --------- | ----------------------- |
|
||||
| wurst.binary.kitchen | Proxmox 8 | VM Host |
|
||||
| salat.binary.kitchen | Proxmox 8 | VM Host |
|
||||
| weizen.binary.kitchen | Proxmox 8 | VM Host |
|
||||
| bacon.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
|
||||
| aveta.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
|
||||
| aeron.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
|
||||
| sulis.binary.kitchen | Debian 12 | Shell |
|
||||
| nabia.binary.kitchen | Debian 12 | Monitoring |
|
||||
| epona.binary.kitchen | Debian 12 | NetBox |
|
||||
| pizza.binary.kitchen | Debian 11 | OpenHAB * |
|
||||
| pancake.binary.kitchen | Debian 12 | XRDP |
|
||||
| knoedel.binary.kitchen | Debian 12 | SIP-DECT OMM |
|
||||
| bob.binary.kitchen | Debian 12 | Gitea Actions |
|
||||
| lasagne.binary.kitchen | Debian 12 | Home Assistant * |
|
||||
| tschunk.binary.kitchen | Debian 12 | Strichliste |
|
||||
| bowle.binary.kitchen | Debian 12 | Files |
|
||||
| lock-auweg.binary.kitchen | Debian 12 | Doorlock |
|
||||
|
||||
\*: The main application is not managed by ansible but manually installed
|
||||
|
||||
### External Servers
|
||||
|
||||
| Hostname | OS | Purpose |
|
||||
| ----------------------------- | --------- | ----------------------- |
|
||||
| helium.binary-kitchen.net | Debian 12 | LDAP Master |
|
||||
| lithium.binary-kitchen.net | Debian 12 | Mail |
|
||||
| beryllium.binary-kitchen.net | Debian 12 | Web * |
|
||||
| boron.binary-kitchen.net | Debian 12 | Gitea |
|
||||
| carbon.binary-kitchen.net | Debian 12 | Jabber |
|
||||
| nitrogen.binary-kitchen.net | Debian 12 | NextCloud |
|
||||
| oxygen.binary-kitchen.net | Debian 12 | Shell |
|
||||
| fluorine.binary-kitchen.net | Debian 12 | Web (div. via Docker) |
|
||||
| neon.binary-kitchen.net | Debian 12 | Auth. DNS |
|
||||
| sodium.binary-kitchen.net | Debian 12 | Mattrix |
|
||||
| magnesium.binary-kitchen.net | Debian 12 | TURN |
|
||||
| aluminium.binary-kitchen.net | Debian 12 | Zammad |
|
||||
| krypton.binary-kitchen.net | Debian 12 | PartDB * |
|
||||
| yttrium.binary-kitchen.net | Debian 12 | Hintervvoidler * |
|
||||
| zirconium.binary-kitchen.net | Debian 12 | Jitsi |
|
||||
| molybdenum.binary-kitchen.net | Debian 12 | Telefonzelle * |
|
||||
| technetium.binary-kitchen.net | Debian 12 | Event CTFd * |
|
||||
| ruthenium.binary-kitchen.net | Debian 12 | Minecraft * |
|
||||
| rhodium.binary-kitchen.net | Debian 12 | Event pretix |
|
||||
| palladium.binary-kitchen.net | Debian 12 | Event pretalx |
|
||||
| argentum.binary-kitchen.net | Debian 12 | Event Web * |
|
||||
| cadmium.binary-kitchen.neti | Debian 12 | Event NetBox * |
|
||||
| barium.binary-kitchen.net | Debian 12 | Workadventure |
|
||||
|
||||
\*: The main application is not managed by ansible but manually installed
|
||||
TBA/TBD
|
||||
|
@ -1,6 +1,5 @@
|
||||
[defaults]
|
||||
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
|
||||
interpreter_python = auto
|
||||
inventory = ./hosts
|
||||
nocows = 1
|
||||
remote_user = root
|
||||
|
@ -5,14 +5,6 @@ acertmgr_mode: webdir
|
||||
acme_dnskey_file: /etc/acertmgr/nsupdate.key
|
||||
acme_dnskey_server: neon.binary-kitchen.net
|
||||
|
||||
authentik_domain: auth.binary-kitchen.de
|
||||
authentik_dbname: authentik
|
||||
authentik_dbuser: authentik
|
||||
authentik_dbpass: "{{ vault_authentik_dbpass }}"
|
||||
authentik_secret: "{{ vault_authentik_secret }}"
|
||||
|
||||
bk23b_domain: 23b.binary-kitchen.de
|
||||
|
||||
coturn_realm: turn.binary-kitchen.de
|
||||
coturn_secret: "{{ vault_coturn_secret }}"
|
||||
|
||||
@ -22,12 +14,19 @@ dns_axfr_ips:
|
||||
|
||||
dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
|
||||
|
||||
drone_admin: moepman
|
||||
drone_domain: drone.binary-kitchen.de
|
||||
drone_dbname: drone
|
||||
drone_dbuser: drone
|
||||
drone_dbpass: "{{ vault_drone_dbpass }}"
|
||||
drone_uipass: "{{ vault_drone_uipass }}"
|
||||
drone_secret: "{{ vault_drone_secret }}"
|
||||
drone_gitea_client: "{{ vault_drone_gitea_client }}"
|
||||
drone_gitea_secret: "{{ vault_drone_gitea_secret }}"
|
||||
|
||||
dss_domain: dss.binary-kitchen.de
|
||||
dss_secret: "{{ vault_dss_secret }}"
|
||||
|
||||
fpm_status_user: admin
|
||||
fpm_status_pass: "{{ vault_fpm_status_pass }}"
|
||||
|
||||
gitea_domain: git.binary-kitchen.de
|
||||
gitea_dbname: gogs
|
||||
gitea_dbuser: gogs
|
||||
@ -35,20 +34,11 @@ gitea_dbpass: "{{ vault_gitea_dbpass }}"
|
||||
gitea_secret: "{{ vault_gitea_secret }}"
|
||||
gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
|
||||
|
||||
hedgedoc_domain: pad.binary-kitchen.de
|
||||
hedgedoc_dbname: hedgedoc
|
||||
hedgedoc_dbuser: hedgedoc
|
||||
hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
|
||||
hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
|
||||
|
||||
icinga_domain: icinga.binary.kitchen
|
||||
icinga_dbname: icinga
|
||||
icinga_dbuser: icinga
|
||||
icinga_dbpass: "{{ vault_icinga_dbpass }}"
|
||||
icinga_server: nabia.binary.kitchen
|
||||
icingaweb_dbname: icingaweb
|
||||
icingaweb_dbuser: icingaweb
|
||||
icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
|
||||
hackmd_domain: pad.binary-kitchen.de
|
||||
hackmd_dbname: hackmd
|
||||
hackmd_dbuser: hackmd
|
||||
hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
|
||||
hackmd_secret: "{{ vault_hackmd_secret }}"
|
||||
|
||||
jitsi_domain: jitsi.binary-kitchen.de
|
||||
jitsi_admin_email: exxess@binary-kitchen.de
|
||||
@ -68,29 +58,16 @@ mail_domain: binary-kitchen.de
|
||||
mail_domains:
|
||||
- ccc-r.de
|
||||
- ccc-regensburg.de
|
||||
- eh21.easterhegg.eu
|
||||
- makerspace-regensburg.de
|
||||
mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
|
||||
mail_server: mail.binary-kitchen.de
|
||||
mailman_domain: lists.binary-kitchen.de
|
||||
mail_trusted:
|
||||
- 213.166.246.0/28
|
||||
- 213.166.246.37/32
|
||||
- 213.166.246.45/32
|
||||
- 213.166.246.46/32
|
||||
- 213.166.246.47/32
|
||||
- 213.166.246.250/32
|
||||
- 2a02:958:0:f6::/124
|
||||
- 2a02:958:0:f6::37/128
|
||||
- 2a02:958:0:f6::45/128
|
||||
- 2a02:958:0:f6::46/128
|
||||
- 2a02:958:0:f6::47/128
|
||||
mail_aliases:
|
||||
- "auweg@binary-kitchen.de venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
|
||||
- "bbb@binary-kitchen.de boehm.johannes@gmail.com"
|
||||
- "dasfilament@binary-kitchen.de taxx@binary-kitchen.de"
|
||||
- "epvpn@binary-kitchen.de noby@binary-kitchen.de"
|
||||
- "google@binary-kitchen.de vorstand@binary-kitchen.de"
|
||||
- "info@binary-kitchen.de vorstand@binary-kitchen.de"
|
||||
- "lebercast@binary-kitchen.de anti@binary-kitchen.de,dragonchaser@binary-kitchen.de,moepman@binary-kitchen.de,philmacfly@binary-kitchen.de,ralf@binary-kitchen.de"
|
||||
- "loetworkshop@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
|
||||
@ -98,14 +75,12 @@ mail_aliases:
|
||||
- "openhab@binary-kitchen.de noby@binary-kitchen.de"
|
||||
- "orga@ccc-r.de orga@ccc-regensburg.de"
|
||||
- "orga@ccc-regensburg.de anti@binary-kitchen.de"
|
||||
- "paypal@binary-kitchen.de ralf@binary-kitchen.de"
|
||||
- "paypal@binary-kitchen.de timo.schindler@binary-kitchen.de"
|
||||
- "post@makerspace-regensburg.de vorstand@binary-kitchen.de"
|
||||
- "pretalx@binary-kitchen.de moepman@binary-kitchen.de"
|
||||
- "pretix@binary-kitchen.de moepman@binary-kitchen.de"
|
||||
- "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de"
|
||||
- "seife@binary-kitchen.de anke@binary-kitchen.de"
|
||||
- "siebdruck@binary-kitchen.de anke@binary-kitchen.de"
|
||||
- "vorstand@binary-kitchen.de anke@binary-kitchen.de,christoph@schindlbeck.eu,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
|
||||
- "vorstand@binary-kitchen.de anti@binary-kitchen.de,avarrish@binary-kitchen.de,timo.schindler@binary-kitchen.de,zaesa@binary-kitchen.de"
|
||||
- "voucher1@binary-kitchen.de exxess@binary-kitchen.de"
|
||||
- "voucher2@binary-kitchen.de exxess@binary-kitchen.de"
|
||||
- "voucher3@binary-kitchen.de exxess@binary-kitchen.de"
|
||||
@ -119,41 +94,25 @@ mail_aliases:
|
||||
- "voucher11@binary-kitchen.de exxess@binary-kitchen.de"
|
||||
- "voucher12@binary-kitchen.de exxess@binary-kitchen.de"
|
||||
- "workshops@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
|
||||
- "tickets@eh21.easterhegg.eu orga@eh21.easterhegg.eu"
|
||||
- "hackzuck@eh21.easterhegg.eu kekskruemml@binary-kitchen.de"
|
||||
|
||||
matrix_domain: matrix.binary-kitchen.de
|
||||
matrix_dbname: matrix
|
||||
matrix_dbuser: matrix
|
||||
matrix_dbpass: "{{ vault_matrix_dbpass }}"
|
||||
|
||||
mc_domain: minecraft.binary-kitchen.de
|
||||
|
||||
netbox_domain: netbox.binary.kitchen
|
||||
netbox_dbname: netbox
|
||||
netbox_dbuser: netbox
|
||||
netbox_dbpass: "{{ vault_netbox_dbpass }}"
|
||||
netbox_secret: "{{ vault_netbox_secret }}"
|
||||
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
|
||||
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
|
||||
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
|
||||
|
||||
nextcloud_domain: oc.binary-kitchen.de
|
||||
nextcloud_dbname: owncloud
|
||||
nextcloud_dbuser: owncloud
|
||||
nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
|
||||
|
||||
omm_domain: omm.binary.kitchen
|
||||
|
||||
pretalx_domain: fahrplan.eh21.easterhegg.eu
|
||||
pretalx_dbname: pretalx
|
||||
pretalx_dbuser: pretalx
|
||||
pretalx_dbpass: "{{ vault_pretalx_dbpass }}"
|
||||
pretalx_mail: pretalx@binary-kitchen.de
|
||||
|
||||
pretix_domain: pretix.events.binary-kitchen.de
|
||||
pretix_domainx: tickets.eh21.easterhegg.eu
|
||||
pretix_dbname: pretix
|
||||
pretix_dbuser: pretix
|
||||
pretix_dbpass: "{{ vault_pretix_dbpass }}"
|
||||
pretix_mail: pretix@binary-kitchen.de
|
||||
plk_domain: plk-regensburg.de
|
||||
plk_dbuser: plkdbuser
|
||||
plk_dbname: plkdb
|
||||
plk_dbpass: "{{ vault_plk_dbpass }}"
|
||||
|
||||
prometheus_pve_user: prometheus@pve
|
||||
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
|
||||
@ -167,6 +126,8 @@ pve_targets:
|
||||
|
||||
radius_secret: "{{ vault_radius_secret }}"
|
||||
|
||||
rocketchat_domain: chat.binary-kitchen.de
|
||||
|
||||
root_keys:
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBmZnJLG1WRppbLtOAJw3E4LgLRK0NirfCgpovhhU6h moepman"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd kishi"
|
||||
@ -174,22 +135,3 @@ root_keys:
|
||||
slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
|
||||
slapd_root_pass: "{{ vault_slapd_root_pass }}"
|
||||
slapd_san: ldap.binary.kitchen
|
||||
|
||||
sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
|
||||
sssd_base_user: ou=people,dc=binary-kitchen,dc=de
|
||||
|
||||
strichliste_domain: tschunk.binary.kitchen
|
||||
strichliste_dbname: strichliste
|
||||
strichliste_dbuser: strichliste
|
||||
strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
|
||||
|
||||
vaultwarden_domain: vault.binary-kitchen.de
|
||||
vaultwarden_dbname: vaultwarden
|
||||
vaultwarden_dbuser: vaultwarden
|
||||
vaultwarden_dbpass: "{{ vault_vaultwarden_dbpass }}"
|
||||
vaultwarden_token: "{{ vault_vaultwarden_token }}"
|
||||
vaultwarden_yubico_secret: "{{ vault_vaultwarden_yubico_secret }}"
|
||||
|
||||
workadventure_domain: wa.binary-kitchen.de
|
||||
|
||||
zammad_domain: requests.binary-kitchen.de
|
||||
|
@ -1,109 +1,59 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
63626562396631623335303064393137396262393239366236373634323333343264343335306330
|
||||
3861326430303265376564306139323064356339653039330a613335323233356361303066663139
|
||||
34386465306537666464643736656230356632633239363865386166373834653030363736613834
|
||||
6339303364363166620a626134303835346130386238653232316663346633313631653164336336
|
||||
34653639363635663537356639646333616438336438333463656537326134343531393435663266
|
||||
64366333346130653730613865346134356161373237343539373965623036656231653939303365
|
||||
62326638666431333265343639326461313433656639393839396366633431616435393263336231
|
||||
66303634656536636165636462396637656331666336623734333139316533636664306262326566
|
||||
36616366663933613561336164386463393635636264613737316464666535366361613065363362
|
||||
30316566323663623133346130393032646237353934363531326530396263363130326638393032
|
||||
30633832663134613964323733623230363831636664373661633966366264373766326161623862
|
||||
39396331313231633237313735636261653531313961616230626565623633636638643936326237
|
||||
62333066366439643163336233353361343662326237376332396461393663623761613962333237
|
||||
65633039363636323235356632326563376163386161373362383466346339356463636437646262
|
||||
38313164393036393661336633373265303536316165623330643236313936666139376237366164
|
||||
31373364663136356139356433386132343630396531373961616131343333663463616262373439
|
||||
34393161323334333732383866653463656265393761346533663530613530313062626330356535
|
||||
65393037636665303564316536376531386561366466643961666439326462353864643635353934
|
||||
66616432303966643731386133613430313737356539386331623832656132663461393538363962
|
||||
64313935613063373832343862373734316634663333313835323836386466336663643661656436
|
||||
61353663646165623165663035383461376331373439666433386433376234613163396234373632
|
||||
61646230363163366338653332373834386534333436373737383463363335356436313463626333
|
||||
63393166316663323066323863373830393937353864376366313535663565613031643932383364
|
||||
62623633353662323965393563363261623564396632643662663032613032666162616132336130
|
||||
39376430663833303264306135643832383231623336613734373964653736376235653334333639
|
||||
63376661636561383236633365303031326630356661633062663564396133313633323738333539
|
||||
66303235613562313636343766356263383132643962393232396263393665666334633438383632
|
||||
38646635643030303464396634356161333836376364333361356461346664303563346463333838
|
||||
34356139373233313631653533356633643730663438646630373331313065363136663938306439
|
||||
38336563363966653632613436356530316234326365666438326635313537343665663233363731
|
||||
36646565393937326336626333383863656565323832303937323536346366303839633236663566
|
||||
32373632646463363634363031626635383233656361336532636366653434623562623937656137
|
||||
66303663316165633932643365623732323430376334303036303961396264303664616433356361
|
||||
64366135376232313265376563633163373933343066653939313433366539396163656163346663
|
||||
30626331333034316131343361636364653936373235623562336366336237353966613536316637
|
||||
61343530326139636365613434386263383430626663333932386431313164346532666562346537
|
||||
32623538353365383030396332386133343464643732653038623337353135663964643566396439
|
||||
64633435623763666461356331306539373638383034343735373765373333656562326338613763
|
||||
63633732373765316238633539316665623431616333363364316531306630343735393335616630
|
||||
36613362336566393866623566666430336639376662633233656130653837313161653462346335
|
||||
63396532663633393363626136373161303235613761373235633831393736343630353031613364
|
||||
32353463383934313961313638613533623638383062343936616336646431383935393938623138
|
||||
31383032326365333136666165633832333836346231636332353830336264636235383162356630
|
||||
38316137623935633863363162376239623932373233663663323830363162313665613830623763
|
||||
63656237343662616130326339386231376564613164666163393232653762613932343561343031
|
||||
66386431343139373734626430656139353635636233336236653438353066393732663637323435
|
||||
63303434376634366262646662616162343664666365373934346530343239653330356234373065
|
||||
31373934363731373136346665623334306631626134613334633135666461636462303164653662
|
||||
36323132376532613431653063643965636233373165333639323966663333633563303438396466
|
||||
64633761376164383835613038633630623439643364323232633437386334346138343361306638
|
||||
38626632326137303839306531633536643161656231636662383461373964646333303936343733
|
||||
36333863316162393134646563316235663164613062303734346662386466656461346364356564
|
||||
35326234336439623961383938316136633037343863363933616663366536613866666165376664
|
||||
30306438666365333333636632643832303463356533343033623938653365663732336164303033
|
||||
65653936363839323239306463366533653439663437343536393564336163313962313935636534
|
||||
34346330393637343834323931353762613839366166353139303535376230356466646261363464
|
||||
33386337616230623537376665663835373766316332363433313234326461313935636666363261
|
||||
30653433333436306564653461303165656163363331643536323535623062396561643662323334
|
||||
35626565616538396566363433363732656538313531636632643163633637303339656431346466
|
||||
61353030666638393361613833353532656130643866636135643434366562386363656434323366
|
||||
36343764316136316630353338363735646533346362386266643136626366356331656363393133
|
||||
35636633353662393435346365663432656166646136346331363563363539326162633166393164
|
||||
34303164353632373437613564336266373934396236383962376530613631633932626431333864
|
||||
64623439336638613337383763353531376133343436346330373362313034616166616537636366
|
||||
30306132613333633261326630323038323431643163373365376662623339396136313531366332
|
||||
66663037643036303836376632646132383563316262393438636432666661333836376663666130
|
||||
31316135366562633134306633333834636132623739373131626161633636313737646334376434
|
||||
33376337393630663338643366316465353266346365333830613533393139333235366237323339
|
||||
66346465313462373334316535383633343165373733313230373461366336353664306537306538
|
||||
32653538366565663764353031303763613835366461666163336665656436333563613835653438
|
||||
65376265303131376239616536353933346633393438643466343439643039313236373033323034
|
||||
64316364663139353664653564393262323565646235356431326331343433373639316234363938
|
||||
65633034666532306137353431613732663166323936356433323733376261386161383265663264
|
||||
35643038663565646135343233623530396165336263303931653037393934343833623337343834
|
||||
31343631343563626561393763356463393930616338623861363835343635376238653337653133
|
||||
31393834343536396536363533363739306639646333313836393331306566393534383265613234
|
||||
31623238306531383936343836336466343336396530633033323063346261366633343936316637
|
||||
30343165333861346635623934363537383531323637313461663964353338653639366562306236
|
||||
30363265393038633564626463393166333665396538663639346665353736336134643862663630
|
||||
62393037363963613263313939613865393066323830656362656464643730636535623639636131
|
||||
63343263333134336364323236656639613635323165383164636465353438653134646334643962
|
||||
35306463626336626664383638323865633631346437613139623239663538666363313237323663
|
||||
39323734353363643334343538303635366637373530383832393861346164666666306631643563
|
||||
63306565306337383539636330623933666266353635396238656435373563383830666636616335
|
||||
39386134383938626439366437383138303062333236306436336163393832613532303332303833
|
||||
39323539396235383765613234303765303136653064336361333035643365386232613766356362
|
||||
30656437376537623165626530623365393463626337383139663734396331396363396162383330
|
||||
31663636383037613563346330323063393637616334356439666263623662383666376265313732
|
||||
63343837306336313264313934653836363665616264396662633761363237366437653962626664
|
||||
38383462313435383133613465656435363563373765313361623565636564616236313666633264
|
||||
37393165386163393666376636343963333932346463303661373339303765303938636135323363
|
||||
35663731656431656330336366383330616163353934333564356633613165396463393066396533
|
||||
32396264653265333865643365346233633863333335383735396134663062343166656233613931
|
||||
35633133336337343531313266323663363830353236323035313031646434303761343737633139
|
||||
30343439323330353531633337353365363031666635653364326235316435383835663139376136
|
||||
39343361636662346166363432366162666631366431623563363936336164323836376232326162
|
||||
39316337343436386363643064653337613131346266353636333664373262326563386264303831
|
||||
65343534616464633232373532313865363732663235376534396436333531633261393066313263
|
||||
38316437643232336234343663666536353134626139623138636234396661613261326437303065
|
||||
36383331323061643632323339383530626430343132613039393434333939383065623464646362
|
||||
65303135313962613564666261356533313961323464623535393631613337663366626136343364
|
||||
61363035333636366439313961326462633463616237343133356437303234323363306337343237
|
||||
61376138323336663839623539633866313133346338313165623039336335663666313532636261
|
||||
36383332346636373936366632393364323331303866623533643062666361613133383262383538
|
||||
64343665333761326134303566656638633362643031306535333661623437636139353565623435
|
||||
39323631393132336636653731636264356637373031633037653466383163663865626339323731
|
||||
34623137386338343038373464613832363761643362623434373136376638663537623762646266
|
||||
63306439363039303461
|
||||
37303932343462623335393066643531373533636435356462326537373532613534353266396435
|
||||
3636666364306637306266393933383963633032383265650a656563303332303134323135353239
|
||||
34633863333930316564633632313939643664373163373833636139366537646530383736343130
|
||||
6239373931306234620a353966346262646538306631656461613431636230333430663931643933
|
||||
31316362353439393838363666613932313635313864333135636530653238653162353033356437
|
||||
33353063363639346266313631393463623864636133623264613865336536613536343365386230
|
||||
65396263393862626139396430623134316632313637623631623762656139623664356331623066
|
||||
30323430613963313162616135303164663364336634326533346438373635366238356531613461
|
||||
30333736633965333163616437303566666239313962353531393530613265363833396136646262
|
||||
62633662666532396535316361303934613138373365633161393664313234663533363736323335
|
||||
38613762376234663564333333386265633138613839636132346638313430653639636339336239
|
||||
38633564333831326331326166666362353364303933393532643936313564386565643162623435
|
||||
36356437356631666137323039316430656566613436623062656562666139383635653039636463
|
||||
35393438323765303431333737356339343730303531333834306239366533393537626239376163
|
||||
31663332343136323264376234363264343136623365383833666638656531306362663462383033
|
||||
31633838643562613762363634653865353361303666363139636337386439626235336462653036
|
||||
30376461643839313665383430386534656265626139313034646438323861653530383637316139
|
||||
35313539636137303561646564616362313435666262343137616263396465356434363862323137
|
||||
38626464383039386139343665363538326539613837366437623362336639336133323463666235
|
||||
36346333356434363838363634343233323363333762653264333062656133623434666162356433
|
||||
37623862653862643335333931663063623166353534636430323230663838653532356335306632
|
||||
33646265343834363839653565326538353930663061376461646534386637376234646264343933
|
||||
65653763343236653630396238333232633461663333646531323337626235396231383931663264
|
||||
34363564366134663036643332346238373639646336396261316133326235636265323636663335
|
||||
35363537346466396432396162383131306438396431336138666663633132646662316165643333
|
||||
64633434623166343262623038623431343631333962663566303566393761653536303638643037
|
||||
63363963306139336235363537396432383131303763643966313937353537333739393031616439
|
||||
35343361646234663062633631323238656137373464386561656439313636613630323632616332
|
||||
39346239666266623038363066643865373762633532323431373431373165643662663661633365
|
||||
35353361383339623535336362313430616139396561623934346264323462663663383566393165
|
||||
35366637313861386465333530613530623832643333616538336436356134313832306139336361
|
||||
32393162373235356236343332363038393631626534643237383232323735633265333562633231
|
||||
61613164363962323236666365353830346664643263393532343562383736336535353364343638
|
||||
62386465323331653565306234646664393164666334383765336630346438633636353264636138
|
||||
31316231326236313839353465353230353935363330393035373234393039386134366534653636
|
||||
63323730383931353763383739393330316335373563393039366166313031373664636335363363
|
||||
38363131363565326431636361316562313037373664306333313366646336333162663664306539
|
||||
64636530363561393037373766383937616435313333653836363835383231633130396133663635
|
||||
36613531323732623264646666656139333766656562623430313964366236373663626135383437
|
||||
31643663663637613762313465656636396264623362643538323166356636303430613133383664
|
||||
66383332326437333638663562376665386237313533303437623765353661393561373338636130
|
||||
30383665333366643331366536646330633133643566393962633164643563613536363434393234
|
||||
66323931316535353632356432373262623962616264383430623436303637616165386433326231
|
||||
38633730636633643634343833313964653530663034333063313334636134646634363437346161
|
||||
32613061363032383732323263303830363532326239316538393739313730383530633862313039
|
||||
37653865303932313635656332663039376331393161623731623039653865623436363061626538
|
||||
32383934613335363534666461343135303235373262343634306130633536323839393139346662
|
||||
31623265323138353963623938616665383765366230656461383835346230346261623866366630
|
||||
65303965353432386136373562306434623739666262356663656266346439356435613362333563
|
||||
34366539353366346636376662363837303332373866323434366261326164633033353930383038
|
||||
36666433656365366663326163343034306439653262353733323232373133386436333637346563
|
||||
32626533336530633731336631333334353366306538663936643637346335303965626631316562
|
||||
33333061656234393661363766663630316662613764333231326434383465666234653238393965
|
||||
31636561396665383063613433653837363634623337623330666466353532633434383864343464
|
||||
38303436306165353433356536326466306530373635616531393462666336666435633235613937
|
||||
37343832333864643636366632623062363234633365326635386663376439383332306333653161
|
||||
34353830396165366534313334616161323461613066383561343563393330613464373862623062
|
||||
3536303066343262636636393861313539616636643339353562
|
||||
|
@ -1,16 +0,0 @@
|
||||
---
|
||||
|
||||
dhcpd_failover: false
|
||||
dhcpd_primary: 172.23.13.3
|
||||
|
||||
dns_primary: 172.23.13.3
|
||||
|
||||
doorlock_domain: lock-auweg.binary.kitchen
|
||||
|
||||
name_servers:
|
||||
- 172.23.13.3
|
||||
|
||||
ntp_servers:
|
||||
- 172.23.12.61
|
||||
|
||||
radius_cn: radius.binary.kitchen
|
@ -4,9 +4,6 @@ dhcpd_failover: true
|
||||
dhcpd_primary: 172.23.2.3
|
||||
dhcpd_secondary: 172.23.2.4
|
||||
|
||||
dns_primary: 172.23.2.3
|
||||
dns_secondary: 172.23.2.4
|
||||
|
||||
name_servers:
|
||||
- 172.23.2.3
|
||||
- 172.23.2.4
|
||||
|
@ -1,7 +0,0 @@
|
||||
---
|
||||
|
||||
radius_hostname: radius3.binary.kitchen
|
||||
|
||||
slapd_hostname: ldap3.binary.kitchen
|
||||
slapd_replica_id: 3
|
||||
slapd_role: slave
|
@ -1,6 +0,0 @@
|
||||
---
|
||||
|
||||
root_keys_host:
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyGAePGA47K+VNFcKdvcQG3xM3ywcnrVtUD7wPrIin1 christoph"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINIhrQu5sf9LYoQ6ll1ShqDMX8xpsV9RUiaSw95JGafH flo@io3"
|
@ -3,5 +3,4 @@
|
||||
radius_hostname: radius2.binary.kitchen
|
||||
|
||||
slapd_hostname: ldap2.binary.kitchen
|
||||
slapd_replica_id: 2
|
||||
slapd_role: slave
|
||||
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
|
||||
ntp_server: true
|
||||
|
||||
ntp_servers:
|
||||
- ptbtime2.ptb.de
|
||||
- ntp1.rrze.uni-erlangen.de
|
||||
- rustime01.rus.uni-stuttgart.de
|
||||
- ntps1-0.cs.tu-berlin.de
|
||||
|
||||
ntp_peers:
|
||||
- 172.23.1.60
|
||||
@ -13,5 +11,4 @@ ntp_peers:
|
||||
radius_hostname: radius1.binary.kitchen
|
||||
|
||||
slapd_hostname: ldap1.binary.kitchen
|
||||
slapd_replica_id: 1
|
||||
slapd_role: slave
|
||||
|
@ -1,2 +0,0 @@
|
||||
root_keys_host:
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
|
@ -1,5 +1,5 @@
|
||||
---
|
||||
|
||||
root_keys_host:
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB+wC+Lik9TNbRo40+e2BmJzJY8EuwRiJzKKvGCHlMmagOmZVf+zUmjc1uMvrgoA4UPJyKlkW1HqRhKLmsoccD2wg1JLlnjx6KBhiPGjPt833eWv0CyfJVqoHVPUs14BwCRGzuFZPXh8LC1XWiDlo23RC0RgPpk+wcOzf79ZivYSL4UNMcBIMIKmPlRwBLRUUXjYU2jgv1mWvIQVdKRbwmLk7FajREANKiLj+Tk+D4VmkDq6gUqXZHYbyUauwrtpYSv2JM6YQYhWz+eNXIID1NmlopAf66RwFxAaane6qMUMSCQw3HUBL2BjFGgmmdJPvsEfrj+S1CYh61iC1NHmPhP6DDnQO7aiP6dWLnRXLg4qcUaN0XGNZmhScls/jNbN4U+w6gIlR12KyoCJOK4pXiifBiuqmFGucyETex1jdKoaLPeB8Smu4HkFksmRgTZHbiYVvkgI/iW9KjBBzxCc8cwehabUpQ0DVN4chpFiFNHb3SfCh6W/3IKFcu4ou4lbvVowq+v/M7aDhjSqGEBMS/HRMQ8KteNTngFBcpTzMPBz1RQIOqlWUGp8yqu1SwZ/ZG1nMyUehchfkw/n+ML676UYMCZX2m7hqWXVccCnJLzFApv+0Lzqf3TNSbeLS1N/MDdjg+uejtj1889/leIF1/CnaHIs7WJN1qmdeVGw== anti"
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
|
||||
|
@ -1,8 +0,0 @@
|
||||
---
|
||||
|
||||
nfs_exports:
|
||||
- /exports/backup/bk 172.23.1.60(rw,sync,no_subtree_check)
|
||||
- /exports/backup/rz 172.23.9.61(rw,sync,no_subtree_check)
|
||||
- /exports/tank 172.23.0.0/22(rw,sync,no_subtree_check)
|
||||
|
||||
uau_reboot: "false"
|
@ -1,4 +0,0 @@
|
||||
---
|
||||
|
||||
root_keys_host:
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
|
@ -1,4 +0,0 @@
|
||||
---
|
||||
|
||||
root_keys_host:
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
|
@ -2,4 +2,3 @@
|
||||
|
||||
root_keys_host:
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
|
||||
|
@ -1,11 +0,0 @@
|
||||
---
|
||||
|
||||
root_keys_host:
|
||||
- "# Thomas Basler"
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
|
||||
- "# Ralf Ramsauer"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
|
||||
- "# Thomas Schmid"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
||||
|
||||
uau_reboot: "false"
|
@ -1,5 +0,0 @@
|
||||
---
|
||||
|
||||
root_keys_host:
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAkXY3fQFMG7LkTBWtBNY7q7RCwb/R4Z8Y96e3pToddfXbtmtVxMZfd6hC+3kGt3NnPYDFmZf/RXblNBPwL/n8bEjA0bmfU60LMjFT0mG99bLU+5CgDxaSf34jzgtzLbHKqeSYxNpXNebbDZRw+cxuDjxJ+lYbc/hNQTy6hqKXUSQ25LAqplKVYbxlPWPxxKnJCvWj2pCdJGj1EK/Y+saafNOhA7uEPNt8HtWWNMhxNi+P9OkkLpYqRM8V0miR7aAYOY+RllMn+H5DIJg2gk319AHhlBDP7NXd/tmWg+bI7xYPDe9Q6gMrV8OnQmuNjWsLNhp8ktwQxpsv71t6ztXLpceIkV9yfDSeBpZG5QnsMOy/ua91S6hmMg4bIEBsqkPUYEwEIDFaV0TrlKeXMkU+ovthZnw0CWgV5KEWDHtuGu8nBBpks/geclh+0yqeFEaacnlTTNEhvCcp7vOsqDJnZSn1L4O6C+u/A4NJGRH7XQMWrXBdeTVIT9KLsdZJsoPIH8BRaw/qOYPY6wZzHcLvrsayUBBiiLDIN1lE/3OV70dKX7F0Q7hyl8o9EoGdEYnGBonWGC58hroiAE4FTVdWLKtHzHSG2AdTWf53sJzGVEh5swm44KD/Dh52bE4YjUxC0b68Twb3/L1QpH8KZNUVEcRNmiRshefMPSXbPv3bNzc= 20170818Tobias@Teubl.de"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"
|
@ -1,3 +0,0 @@
|
||||
---
|
||||
|
||||
acertmgr_mode: standalone
|
@ -4,4 +4,3 @@ grafana_domain: zelle.binary-kitchen.de
|
||||
|
||||
root_keys_host:
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"
|
||||
|
@ -3,5 +3,3 @@
|
||||
root_keys_host:
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4xYKnnAhXf2Fe+cI+U4EVkePw3cbPbSR4iPhY2fQf xaver@xm.1drop.de"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGC1Cn/tEqpZKEgLzT3bGrhYibQy0bc21rtoDqm4+elZ xaver@home"
|
||||
|
||||
nginx_anonymize: True
|
||||
|
@ -1,4 +1,3 @@
|
||||
---
|
||||
|
||||
sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
|
||||
sshd_password_authentication: "yes"
|
||||
uau_reboot: "false"
|
||||
|
@ -1,4 +0,0 @@
|
||||
---
|
||||
|
||||
root_keys_host:
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
|
@ -4,7 +4,8 @@ root_keys_host:
|
||||
- "# Thomas Basler"
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
|
||||
- "# Ralf Ramsauer"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2bKOm2jd2QsPaJPE4V3bHBLjXB3pnpggkdEhf03aFvB08C72vKQcHpIYNhp8DLBr4N5epA0JP1cXdRSdKhQgzYbqL8CQgOJoNwf0OeOhFyXdThu1OqmaRMrRGlB/Q+sqBEXaknHqcXzq+24zkR+ID7sGkq7WaIKPln0qNY5RxWYrPE98ZhU5fZh1Qorcv34UBHYhVP4y8vM43LHcbkLgr0gg9tb2vItF6YvyIxgtz6KCODObzBZfkLLnVhVcb9VWbDh72rIz4OXI1fl+mCCH2l7XlqKP1vhF5LVsUjPcGY3Go0fw2vHIyxWe479OJ/9elFnKRIUY/f1Xz+YikLTmj ralf@YUBIKEY"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
|
||||
- "# Thomas Schmid"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
||||
|
||||
|
@ -1,4 +0,0 @@
|
||||
---
|
||||
|
||||
root_keys_host:
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
@ -2,6 +2,6 @@
|
||||
|
||||
root_keys_host:
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
|
||||
|
||||
uau_reboot: "false"
|
||||
|
4
host_vars/strontium.binary-kitchen.net
Normal file
4
host_vars/strontium.binary-kitchen.net
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
|
||||
root_keys_host:
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkN1eqP1Mv29z0npVznVJ4Cumyf4EoqS44xHKl0ms0e timo@charon"
|
@ -1,4 +0,0 @@
|
||||
---
|
||||
|
||||
sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
|
||||
sshd_password_authentication: "yes"
|
@ -1,5 +1,4 @@
|
||||
---
|
||||
|
||||
root_keys_host:
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBMLLlnlzbf5GTes2QrxuOTAR0BWTtbqQS80yPfI0mbh timo@styx"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7oyUa65KoSuv9l8tH/zVgZZ5mg5P45RIhlRZSt/amL x70b1"
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcoIXTF0RtzM2vDir8axegFpLKNxGJyYNLj2triQm59GIvNRPHG/nBoaDcUwRT5b6Ew91KMw6iT1eI0n9oKbTMHZHvdSLLUmNmZT4z4JQOQm0n415ZW9m1r3R3S8sAxiLQ+5U91xnbHlzfuBKvpI56RLZNbkhAcqw9kS/UasO0UAFpdGL5CBnbJt0KPb4C9cYUM6H4clZFpWVDdK3+6gh+/Jx9QPmpPv0wfWI7z0fvQYUcXDFLjPh8CFK7BOcPZcv4V4bl5Tq1dTURMLaueTD0F5Ygn7cxKaDNvql4EIPDZaRCEz3cIvFB7435emRgZC54YmhWIYC+oJrLTlMCrYKhISLtWg92EcE/aCUNL0V+n1EK5dkds+AY/eDiyP58ArAHNsopXmcHiko3goyZyEK5Y0tJ5sA9L4Q0mgLz/rW1CsZHcpiYU9yKpDRscbf3DDlFMzMYG8O9JufgcyF+GFhxIhXesfjJ4gDNepaYhd/qutwThip027cKtoczLAMR2xbT6bUYr7KKmxvXVlP7Epkfi3N2cj/Wx9gAm1qIs1yjcWCe71k1QMC+dTNTV+T9Ch5d1lji7lGOKDl70rB/WytdISVlEJr8TviBk27oldCuC1WCPGjRxWeGv5uVxE9O7nQh0dxox+HFssa7ENuDR9LEd9O6Zvuf09pzDASB0PjFyw== bedah@binary-kitchen.de"
|
||||
|
@ -1,7 +0,0 @@
|
||||
---
|
||||
|
||||
root_keys_host:
|
||||
- "# Thomas Schmid"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
||||
|
||||
uau_reboot: "true"
|
@ -1,8 +0,0 @@
|
||||
---
|
||||
|
||||
ntp_server: true
|
||||
|
||||
ntp_servers:
|
||||
- ptbtime1.ptb.de
|
||||
- ntp1.rrze.uni-erlangen.de
|
||||
- rustime01.rus.uni-stuttgart.de
|
@ -1,11 +1,9 @@
|
||||
---
|
||||
|
||||
ntp_server: true
|
||||
|
||||
ntp_servers:
|
||||
- ptbtime1.ptb.de
|
||||
- ntp1.rrze.uni-erlangen.de
|
||||
- rustime01.rus.uni-stuttgart.de
|
||||
- ntps1-0.cs.tu-berlin.de
|
||||
|
||||
ntp_peers:
|
||||
- 172.23.2.3
|
||||
|
@ -1,6 +1,5 @@
|
||||
---
|
||||
|
||||
root_keys_host:
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDetxImx0c/Fald9Y2wIHNJCi356rfskVUBT/SGH64N1HVZGBZhlWkeKJkCCufm3jLXdjJrlFDFlP0EjbohR6SP3VVf8Z7zAoazCtxWq0dyjPDvOjUrIuBeILbXZu0Q+qmFHPwvp5vR2wWFUwNLl1Te3CNSzQnn2KxOXfeZ56cDogzonlxh5JXDd0JWpINAuLp7uR6IshfmEMKsyCGjqzMUJ9YCztzkI9TJYDc4xitmQTvea44hRhyeIRf2ip8YlHnEIpJ9i712CQ5UEHBZUfy2gZwoLW0yYy9HJucF2A5gzvoUQ1wjA9/irlGiabKq6rOyT4ezBSoZZLEBIa6GU4qKMc1rE4Hnifi0AUnQ+4MqrCCu2QTJGNvyYzNt2XtkjakN3gtlz5xCsYV08PEB4VjAFVIa1yku66UblAW5KqixfE4mU7Z29b8faF5Ld7XO1tlNgiuHih7+JoQiwJ+auULYwRX1C2v6fAEU3PGU73VT3TZJTa5IS+fkTWzn643atxklP6Lmo8hrZIS0NXIr22OP1zYuCZm5/JLDhe0qOCYd8YQU2dNww4OUZ1uMLNOM+0UJvCHbWdjw8amR58yO5W83xp0qLHGUFjDpgvuP4ius4gvwjlhFdSVYRGwr2intLitXvOf3btjBJKUDIN0VM4MFzkvyUyCOgBgEkdCBvI7g4w== philmacfly"
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8MB80WTE9ZW/mGRdPWjkpiupvoSGVnmK9wvOqm6xpwDwZkD52RGfiWQW2IbJObCLGJxoigSi4lVvrJD6MWjXAsj5Foq1H3Ok+xJET2zfWMf4s/0uStSS9kaJ/gI6Qd5jMsnz1xATTInWAHIK7u3I4trt81FWkXQdfRSNC0mPh/PYBsXzwgx/m5s3o1nUtcIBXFZUeGNnhSSf1As0Wi0Bsv3GXIIDH4b4cIi7aGHqGuaes2cTUW1r0RspUVI139Gx2O4mgv4JE/n61t/4AzfYGoaszoqPCHQt5LR8Wd/XIaPLwnM1kzo4QVqNgqkY/awryt9IPoAFqJBbIvP0Bt3irGOPrdl7e7KcV55a9gPpCmz+bVaQO2oBmQ34AsZFg9tCP26OmViQu0Lx14vWWYDFkxzCxCDDngo6+f+e5AsyAjO2pHz/ZKv/VE5P3y8CnadHG88cO0qeoI6VH4jjGk5GYYrVD4BHf8StlvAg8unwMlYchuvaKLtQyQXFW40ww4VDdPo6KSv5T5a6SozEzRtN2QKRLyxIz68xVnKYq4TanR2lsm6wecUSriV48qscglokcTKJspWD29DQ62dMt5xFDtM8i9dE8W3SUePB8qPTBK9LUrO8PkGjb0X/RgMZB5bCWBmz4I1G1X+9Y8OLpr4NKGP9UFntYtJ3tpMCHtPgf4Q== philmacfly"
|
||||
|
18
hosts
18
hosts
@ -4,19 +4,10 @@ bacon.binary.kitchen ansible_host=172.23.2.3
|
||||
aveta.binary.kitchen ansible_host=172.23.2.4
|
||||
sulis.binary.kitchen ansible_host=172.23.2.5
|
||||
nabia.binary.kitchen ansible_host=172.23.2.6
|
||||
epona.binary.kitchen ansible_host=172.23.2.7
|
||||
pizza.binary.kitchen ansible_host=172.23.2.33
|
||||
pancake.binary.kitchen ansible_host=172.23.2.34
|
||||
knoedel.binary.kitchen ansible_host=172.23.2.35
|
||||
bob.binary.kitchen ansible_host=172.23.2.37
|
||||
lasagne.binary.kitchen ansible_host=172.23.2.38
|
||||
tschunk.binary.kitchen ansible_host=172.23.2.39
|
||||
bowle.binary.kitchen ansible_host=172.23.2.62
|
||||
bowle.binary.kitchen ansible_host=172.23.2.62 ansible_python_interpreter=/usr/local/bin/python2.7
|
||||
salat.binary.kitchen ansible_host=172.23.9.61
|
||||
[auweg]
|
||||
weizen.binary.kitchen ansible_host=172.23.12.61
|
||||
aeron.binary.kitchen ansible_host=172.23.13.3
|
||||
lock-auweg.binary.kitchen ansible_host=172.23.13.12
|
||||
[fan_rz]
|
||||
helium.binary-kitchen.net
|
||||
lithium.binary-kitchen.net
|
||||
@ -28,16 +19,9 @@ oxygen.binary-kitchen.net
|
||||
fluorine.binary-kitchen.net
|
||||
neon.binary-kitchen.net
|
||||
sodium.binary-kitchen.net
|
||||
magnesium.binary-kitchen.net
|
||||
aluminium.binary-kitchen.net
|
||||
krypton.binary-kitchen.net
|
||||
yttrium.binary-kitchen.net
|
||||
zirconium.binary-kitchen.net
|
||||
molybdenum.binary-kitchen.net
|
||||
technetium.binary-kitchen.net
|
||||
ruthenium.binary-kitchen.net
|
||||
rhodium.binary-kitchen.net
|
||||
palladium.binary-kitchen.net
|
||||
argentum.binary-kitchen.net
|
||||
cadmium.binary-kitchen.net
|
||||
barium.binary-kitchen.net
|
||||
|
@ -1,49 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Install packages
|
||||
apt:
|
||||
name:
|
||||
- docker-compose
|
||||
|
||||
- name: Create 23b group
|
||||
group: name=23b
|
||||
|
||||
- name: Create 23b user
|
||||
user:
|
||||
name: 23b
|
||||
home: /opt/23b
|
||||
shell: /bin/bash
|
||||
group: 23b
|
||||
groups: docker
|
||||
|
||||
# docker-compolse.yml is managed outside ansible
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ bk23b_domain }}.key -out /etc/nginx/ssl/{{ bk23b_domain }}.crt -days 730 -subj "/CN={{ bk23b_domain }}" creates=/etc/nginx/ssl/{{ bk23b_domain }}.crt
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Configure certificate manager for 23b
|
||||
template: src=certs.j2 dest=/etc/acertmgr/{{ bk23b_domain }}.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Configure vhost
|
||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/23b
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Enable vhost
|
||||
file: src=/etc/nginx/sites-available/23b dest=/etc/nginx/sites-enabled/23b state=link
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Systemd unit for 23b
|
||||
template: src=23b.service.j2 dest=/etc/systemd/system/23b.service
|
||||
notify:
|
||||
- Reload systemd
|
||||
- Restart 23b
|
||||
|
||||
- name: Start the 23b service
|
||||
service: name=23b state=started enabled=yes
|
||||
|
||||
- name: Enable monitoring
|
||||
include_role: name=icinga-monitor tasks_from=http
|
||||
vars:
|
||||
vhost: "{{ bk23b_domain }}"
|
@ -1,28 +0,0 @@
|
||||
[Unit]
|
||||
Description=23b service using docker compose
|
||||
Requires=docker.service
|
||||
After=docker.service
|
||||
Before=nginx.service
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
|
||||
User=23b
|
||||
Group=23b
|
||||
|
||||
Restart=always
|
||||
TimeoutStartSec=1200
|
||||
|
||||
WorkingDirectory=/opt/23b/23b/23b
|
||||
|
||||
# Make sure no old containers are running
|
||||
ExecStartPre=/usr/bin/docker-compose down -v
|
||||
|
||||
# Compose up
|
||||
ExecStart=/usr/bin/docker-compose up
|
||||
|
||||
# Compose down, remove containers and volumes
|
||||
ExecStop=/usr/bin/docker-compose down -v
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -1,7 +0,0 @@
|
||||
---
|
||||
|
||||
actrunner_user: act_runner
|
||||
actrunner_group: act_runner
|
||||
|
||||
actrunner_version: 0.2.10
|
||||
actrunner_url: https://gitea.com/gitea/act_runner/releases/download/v{{ actrunner_version }}/act_runner-{{ actrunner_version }}-linux-amd64
|
@ -1,7 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Reload systemd
|
||||
systemd: daemon_reload=yes
|
||||
|
||||
- name: Restart act_runner
|
||||
service: name=act_runner state=restarted
|
@ -1,35 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Create group
|
||||
group: name={{ actrunner_group }}
|
||||
|
||||
- name: Create user
|
||||
user: name={{ actrunner_user }} home=/var/lib/act_runner group={{ actrunner_group }} groups=docker
|
||||
|
||||
- name: Create directories
|
||||
file: path={{ item }} state=directory owner={{ actrunner_user }} group={{ actrunner_group }}
|
||||
with_items:
|
||||
- /etc/act_runner
|
||||
- /var/lib/act_runner
|
||||
|
||||
- name: Download act_runner binary
|
||||
get_url: url={{ actrunner_url }} dest=/usr/local/bin/act_runner-{{ actrunner_version }} mode=0755
|
||||
register: runner_download
|
||||
|
||||
- name: Symlink act_runner binary
|
||||
file: src=/usr/local/bin/act_runner-{{ actrunner_version }} dest=/usr/local/bin/act_runner state=link
|
||||
when: runner_download.changed
|
||||
notify: Restart act_runner
|
||||
|
||||
- name: Configure act_runner
|
||||
template: src=config.yaml.j2 dest=/etc/act_runner/config.yaml owner={{ actrunner_user }} group={{ actrunner_group }}
|
||||
notify: Restart act_runner
|
||||
|
||||
- name: Install systemd unit
|
||||
template: src=act_runner.service.j2 dest=/lib/systemd/system/act_runner.service
|
||||
notify:
|
||||
- Reload systemd
|
||||
- Restart act_runner
|
||||
|
||||
- name: Enable act_runner
|
||||
service: name=act_runner state=started enabled=yes
|
@ -1,16 +0,0 @@
|
||||
[Unit]
|
||||
Description=Gitea Actions runner
|
||||
Documentation=https://gitea.com/gitea/act_runner
|
||||
After=docker.service
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
|
||||
ExecReload=/bin/kill -s HUP $MAINPID
|
||||
WorkingDirectory=/var/lib/act_runner
|
||||
TimeoutSec=0
|
||||
RestartSec=10
|
||||
Restart=always
|
||||
User={{ actrunner_user }}
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -1,86 +0,0 @@
|
||||
log:
|
||||
# The level of logging, can be trace, debug, info, warn, error, fatal
|
||||
level: warn
|
||||
|
||||
runner:
|
||||
# Where to store the registration result.
|
||||
file: .runner
|
||||
# Execute how many tasks concurrently at the same time.
|
||||
capacity: 4
|
||||
# Extra environment variables to run jobs.
|
||||
envs:
|
||||
# Extra environment variables to run jobs from a file.
|
||||
# It will be ignored if it's empty or the file doesn't exist.
|
||||
env_file: .env
|
||||
# The timeout for a job to be finished.
|
||||
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
|
||||
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
|
||||
timeout: 3h
|
||||
# Whether skip verifying the TLS certificate of the Gitea instance.
|
||||
insecure: false
|
||||
# The timeout for fetching the job from the Gitea instance.
|
||||
fetch_timeout: 5s
|
||||
# The interval for fetching the job from the Gitea instance.
|
||||
fetch_interval: 2s
|
||||
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
|
||||
# Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
|
||||
# If it's empty when registering, it will ask for inputting labels.
|
||||
# If it's empty when execute `deamon`, will use labels in `.runner` file.
|
||||
labels: [
|
||||
"ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest",
|
||||
"ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04",
|
||||
"ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04",
|
||||
]
|
||||
|
||||
cache:
|
||||
# Enable cache server to use actions/cache.
|
||||
enabled: true
|
||||
# The directory to store the cache data.
|
||||
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
|
||||
dir: ""
|
||||
# The host of the cache server.
|
||||
# It's not for the address to listen, but the address to connect from job containers.
|
||||
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
|
||||
host: ""
|
||||
# The port of the cache server.
|
||||
# 0 means to use a random available port.
|
||||
port: 0
|
||||
# The external cache server URL. Valid only when enable is true.
|
||||
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
|
||||
# The URL should generally end with "/".
|
||||
external_server: ""
|
||||
|
||||
container:
|
||||
# Specifies the network to which the container will connect.
|
||||
# Could be host, bridge or the name of a custom network.
|
||||
# If it's empty, act_runner will create a network automatically.
|
||||
network: ""
|
||||
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
|
||||
privileged: false
|
||||
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
|
||||
options:
|
||||
# The parent directory of a job's working directory.
|
||||
# If it's empty, /workspace will be used.
|
||||
workdir_parent:
|
||||
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
|
||||
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
|
||||
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
|
||||
# valid_volumes:
|
||||
# - data
|
||||
# - /src/*.json
|
||||
# If you want to allow any volume, please use the following configuration:
|
||||
# valid_volumes:
|
||||
# - '**'
|
||||
valid_volumes: []
|
||||
# overrides the docker client host with the specified one.
|
||||
# If it's empty, act_runner will find an available docker host automatically.
|
||||
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
|
||||
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
|
||||
docker_host: ""
|
||||
# Pull docker image(s) even if already present
|
||||
force_pull: false
|
||||
|
||||
host:
|
||||
# The parent directory of a job's working directory.
|
||||
# If it's empty, $HOME/.cache/act/ will be used.
|
||||
workdir_parent:
|
@ -1,3 +0,0 @@
|
||||
---
|
||||
|
||||
authentik_version: 2024.8.3
|
@ -1,13 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Reload systemd
|
||||
systemd: daemon_reload=yes
|
||||
|
||||
- name: Restart authentik
|
||||
service: name=authentik state=restarted
|
||||
|
||||
- name: Restart nginx
|
||||
service: name=nginx state=restarted
|
||||
|
||||
- name: Run acertmgr
|
||||
command: /usr/bin/acertmgr
|
@ -1,51 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Install packages
|
||||
apt:
|
||||
name:
|
||||
- docker-compose
|
||||
|
||||
- name: Create authentik group
|
||||
group: name=authentik
|
||||
|
||||
- name: Create authentik user
|
||||
user:
|
||||
name: authentik
|
||||
home: /opt/authentik
|
||||
shell: /bin/bash
|
||||
group: authentik
|
||||
groups: docker
|
||||
|
||||
- name: Configure authentik container
|
||||
template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml
|
||||
notify: Restart authentik
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ authentik_domain }}.key -out /etc/nginx/ssl/{{ authentik_domain }}.crt -days 730 -subj "/CN={{ authentik_domain }}" creates=/etc/nginx/ssl/{{ authentik_domain }}.crt
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Configure certificate manager for authentik
|
||||
template: src=certs.j2 dest=/etc/acertmgr/{{ authentik_domain }}.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Configure vhost
|
||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/authentik
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Enable vhost
|
||||
file: src=/etc/nginx/sites-available/authentik dest=/etc/nginx/sites-enabled/authentik state=link
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Systemd unit for authentik
|
||||
template: src=authentik.service.j2 dest=/etc/systemd/system/authentik.service
|
||||
notify:
|
||||
- Reload systemd
|
||||
- Restart authentik
|
||||
|
||||
- name: Start the authentik service
|
||||
service: name=authentik state=started enabled=yes
|
||||
|
||||
- name: Enable monitoring
|
||||
include_role: name=icinga-monitor tasks_from=http
|
||||
vars:
|
||||
vhost: "{{ authentik_domain }}"
|
@ -1,28 +0,0 @@
|
||||
[Unit]
|
||||
Description=authentik service using docker compose
|
||||
Requires=docker.service
|
||||
After=docker.service
|
||||
Before=nginx.service
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
|
||||
User=authentik
|
||||
Group=authentik
|
||||
|
||||
Restart=always
|
||||
TimeoutStartSec=1200
|
||||
|
||||
WorkingDirectory=/opt/authentik
|
||||
|
||||
# Make sure no old containers are running
|
||||
ExecStartPre=/usr/bin/docker-compose down -v
|
||||
|
||||
# Compose up
|
||||
ExecStart=/usr/bin/docker-compose up
|
||||
|
||||
# Compose down, remove containers and volumes
|
||||
ExecStop=/usr/bin/docker-compose down -v
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -1,75 +0,0 @@
|
||||
---
|
||||
version: "3.4"
|
||||
services:
|
||||
postgresql:
|
||||
image: docker.io/library/postgres:16-alpine
|
||||
restart: unless-stopped
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
|
||||
start_period: 20s
|
||||
interval: 30s
|
||||
retries: 5
|
||||
timeout: 5s
|
||||
volumes:
|
||||
- ./database:/var/lib/postgresql/data
|
||||
environment:
|
||||
POSTGRES_PASSWORD: {{ authentik_dbpass }}
|
||||
POSTGRES_USER: {{ authentik_dbuser }}
|
||||
POSTGRES_DB: {{ authentik_dbname }}
|
||||
redis:
|
||||
image: docker.io/library/redis:alpine
|
||||
command: --save 60 1 --loglevel warning
|
||||
restart: unless-stopped
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
|
||||
start_period: 20s
|
||||
interval: 30s
|
||||
retries: 5
|
||||
timeout: 3s
|
||||
volumes:
|
||||
- ./redis:/data
|
||||
server:
|
||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:{{ authentik_version }}
|
||||
restart: unless-stopped
|
||||
command: server
|
||||
environment:
|
||||
AUTHENTIK_REDIS__HOST: redis
|
||||
AUTHENTIK_POSTGRESQL__HOST: postgresql
|
||||
AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
|
||||
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
|
||||
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
|
||||
AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
|
||||
volumes:
|
||||
- ./media:/media
|
||||
- ./custom-templates:/templates
|
||||
ports:
|
||||
- "127.0.0.1:9000:9000"
|
||||
depends_on:
|
||||
- postgresql
|
||||
- redis
|
||||
worker:
|
||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:{{ authentik_version }}
|
||||
restart: unless-stopped
|
||||
command: worker
|
||||
environment:
|
||||
AUTHENTIK_REDIS__HOST: redis
|
||||
AUTHENTIK_POSTGRESQL__HOST: postgresql
|
||||
AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
|
||||
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
|
||||
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
|
||||
AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
|
||||
# `user: root` and the docker socket volume are optional.
|
||||
# See more for the docker socket integration here:
|
||||
# https://goauthentik.io/docs/outposts/integrations/docker
|
||||
# Removing `user: root` also prevents the worker from fixing the permissions
|
||||
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
|
||||
# (1000:1000 by default)
|
||||
user: root
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- ./media:/media
|
||||
- ./certs:/certs
|
||||
- ./custom-templates:/templates
|
||||
depends_on:
|
||||
- postgresql
|
||||
- redis
|
@ -1,41 +0,0 @@
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name {{ authentik_domain }};
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
default_type "text/plain";
|
||||
alias /var/www/acme-challenge;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://{{ authentik_domain }}$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ authentik_domain }};
|
||||
|
||||
ssl_certificate_key /etc/nginx/ssl/{{ authentik_domain }}.key;
|
||||
ssl_certificate /etc/nginx/ssl/{{ authentik_domain }}.crt;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:9000;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
}
|
||||
}
|
@ -1,4 +1,4 @@
|
||||
---
|
||||
|
||||
dss_uwsgi_port: 5001
|
||||
dss_version: 0.8.5
|
||||
dss_version: 0.8.4
|
||||
|
@ -44,8 +44,3 @@
|
||||
- name: Enable vhosts
|
||||
file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Enable monitoring
|
||||
include_role: name=icinga-monitor tasks_from=http
|
||||
vars:
|
||||
vhost: "{{ dss_domain }}"
|
||||
|
@ -1,14 +1,12 @@
|
||||
DEBUG = True
|
||||
REMEMBER_COOKIE_SECURE = True
|
||||
SECRET_KEY = "{{ dss_secret }}"
|
||||
SESSION_COOKIE_SECURE = True
|
||||
SESSION_TIMEOUT = 3600
|
||||
|
||||
LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
|
||||
LDAP_URI = "{{ ldap_uri }}"
|
||||
LDAP_BASE = "{{ ldap_base }}"
|
||||
|
||||
ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=anke,ou=people,dc=binary-kitchen,dc=de", "cn=toffy,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
|
||||
ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=marove,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
|
||||
|
||||
USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
|
||||
|
||||
@ -30,7 +28,7 @@ USER_ATTRS = {
|
||||
'userPassword' : '{pass}'
|
||||
}
|
||||
|
||||
GROUP_FILTER = "(objectClass=posixGroup)"
|
||||
GROUP_DN = 'cn=members,ou=groups,dc=binary-kitchen,dc=de'
|
||||
|
||||
REDIS_HOST = "127.0.0.1"
|
||||
REDIS_PASSWD = None
|
||||
|
@ -6,6 +6,3 @@ logrotate_excludes:
|
||||
- "/etc/logrotate.d/dbconfig-common"
|
||||
- "/etc/logrotate.d/btmp"
|
||||
- "/etc/logrotate.d/wtmp"
|
||||
|
||||
sshd_password_authentication: "no"
|
||||
sshd_permit_root_login: "prohibit-password"
|
||||
|
File diff suppressed because it is too large
Load Diff
10
roles/common/files/50-virtio-kernel-names.link
Normal file
10
roles/common/files/50-virtio-kernel-names.link
Normal file
@ -0,0 +1,10 @@
|
||||
# udev 226 introduced predictable interface names for virtio;
|
||||
# disable this for upgrades. You can remove this file if you update your
|
||||
# network configuration to move to the ens* names instead.
|
||||
# See /usr/share/doc/udev/README.Debian.gz for details about predictable
|
||||
# network interface names.
|
||||
[Match]
|
||||
Driver=virtio_net
|
||||
|
||||
[Link]
|
||||
NamePolicy=onboard kernel
|
6
roles/common/files/99-default.link
Normal file
6
roles/common/files/99-default.link
Normal file
@ -0,0 +1,6 @@
|
||||
# This machine is most likely a virtualized guest, where the old persistent
|
||||
# network interface mechanism (75-persistent-net-generator.rules) did not work.
|
||||
# This file disables /lib/systemd/network/99-default.link to avoid
|
||||
# changing network interface names on upgrade. Please read
|
||||
# /usr/share/doc/udev/README.Debian.gz about how to migrate to the currently
|
||||
# supported mechanism.
|
@ -1,16 +1,7 @@
|
||||
---
|
||||
|
||||
- name: Restart chrony
|
||||
service: name=chrony state=restarted
|
||||
|
||||
- name: Restart journald
|
||||
service: name=systemd-journald state=restarted
|
||||
|
||||
- name: Restart sshd
|
||||
service: name=sshd state=restarted
|
||||
|
||||
- name: update-grub
|
||||
command: update-grub
|
||||
|
||||
- name: update-initramfs
|
||||
command: update-initramfs -u -k all
|
||||
|
@ -3,10 +3,7 @@
|
||||
- name: Install misc software
|
||||
apt:
|
||||
name:
|
||||
- apt-transport-https
|
||||
- dnsutils
|
||||
- fdisk
|
||||
- gnupg2
|
||||
- htop
|
||||
- less
|
||||
- net-tools
|
||||
@ -16,7 +13,6 @@
|
||||
- rsync
|
||||
- sudo
|
||||
- vim-nox
|
||||
- wget
|
||||
- zsh
|
||||
|
||||
- name: Install software on KVM VMs
|
||||
@ -30,32 +26,35 @@
|
||||
copy: src={{ item.src }} dest={{ item.dest }}
|
||||
diff: no
|
||||
with_items:
|
||||
- { src: ".zshrc", dest: "/root/.zshrc" }
|
||||
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
|
||||
- { src: "motd", dest: "/etc/motd" }
|
||||
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
|
||||
- { src: '.zshrc', dest: '/root/.zshrc' }
|
||||
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
||||
- { src: 'motd', dest: '/etc/motd' }
|
||||
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
|
||||
|
||||
- name: Set shell for root user
|
||||
user: name=root shell=/bin/zsh
|
||||
|
||||
- name: Create LDAP client config
|
||||
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
|
||||
|
||||
- name: Disable hibernation/resume
|
||||
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
|
||||
notify: update-initramfs
|
||||
|
||||
- name: Enable serial console on KVM VMs
|
||||
lineinfile:
|
||||
path: "/etc/default/grub"
|
||||
state: "present"
|
||||
regexp: "^#?GRUB_CMDLINE_LINUX=.*"
|
||||
line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
|
||||
notify: update-grub
|
||||
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
|
||||
# TODO template /etc/network/interfaces
|
||||
|
||||
- name: Fix network interface names
|
||||
copy: src={{ item }} dest=/etc/systemd/network/{{ item }}
|
||||
with_items:
|
||||
- 50-virtio-kernel-names.link
|
||||
- 99-default.link
|
||||
notify: update-initramfs
|
||||
|
||||
- name: Prevent normal users from running su
|
||||
lineinfile:
|
||||
path: /etc/pam.d/su
|
||||
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
|
||||
line: "auth required pam_wheel.so"
|
||||
regexp: '^.*auth\s+required\s+pam_wheel.so$'
|
||||
line: 'auth required pam_wheel.so'
|
||||
|
||||
- name: Configure journald retention
|
||||
lineinfile:
|
||||
@ -90,25 +89,16 @@
|
||||
set_fact:
|
||||
logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
|
||||
|
||||
- name: "Set logrotate.d/* to daily"
|
||||
- name: 'Set logrotate.d/* to daily'
|
||||
replace:
|
||||
path: "{{ item }}"
|
||||
regexp: "(?:weekly|monthly)"
|
||||
replace: "daily"
|
||||
loop: "{{ logrotateconfigpaths }}"
|
||||
|
||||
- name: "Set /etc/logrotate.d/* rotation to 7"
|
||||
- name: 'Set /etc/logrotate.d/* rotation to 7'
|
||||
replace:
|
||||
path: "{{ item }}"
|
||||
regexp: "rotate [0-9]+"
|
||||
replace: "rotate 7"
|
||||
loop: "{{ logrotateconfigpaths }}"
|
||||
|
||||
- name: Configure sshd
|
||||
template:
|
||||
src: sshd_config.j2
|
||||
dest: /etc/ssh/sshd_config
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
notify: Restart sshd
|
||||
|
14
roles/common/tasks/FreeBSD.yml
Normal file
14
roles/common/tasks/FreeBSD.yml
Normal file
@ -0,0 +1,14 @@
|
||||
---
|
||||
|
||||
- name: Install misc software
|
||||
pkgng:
|
||||
name:
|
||||
- vim-lite
|
||||
- htop
|
||||
- zsh
|
||||
|
||||
- name: Configure misc software
|
||||
copy: src={{ item.src }} dest={{ item.dest }}
|
||||
with_items:
|
||||
- { src: '.zshrc', dest: '/root/.zshrc' }
|
||||
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
@ -13,12 +13,11 @@
|
||||
|
||||
- name: Configure misc software
|
||||
copy: src={{ item.src }} dest={{ item.dest }}
|
||||
diff: no
|
||||
with_items:
|
||||
- { src: ".zshrc", dest: "/root/.zshrc" }
|
||||
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
|
||||
- { src: "motd", dest: "/etc/motd" }
|
||||
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
|
||||
- { src: '.zshrc', dest: '/root/.zshrc' }
|
||||
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
||||
- { src: 'motd', dest: '/etc/motd' }
|
||||
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
|
||||
|
||||
- name: Set shell for root user
|
||||
user: name=root shell=/bin/zsh
|
||||
|
@ -1,8 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Install chrony
|
||||
apt: name=chrony
|
||||
|
||||
- name: Configure chrony
|
||||
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
|
||||
notify: Restart chrony
|
@ -2,20 +2,21 @@
|
||||
|
||||
- name: Cleanup
|
||||
apt: autoclean=yes
|
||||
when: ansible_os_family == "Debian"
|
||||
when: ansible_os_family == 'Debian'
|
||||
|
||||
- name: Gather package facts
|
||||
package_facts:
|
||||
manager: apt
|
||||
when: ansible_os_family == "Debian"
|
||||
when: ansible_os_family == 'Debian'
|
||||
|
||||
- name: Proxmox
|
||||
include: Proxmox.yml
|
||||
when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages
|
||||
when: ansible_os_family == 'Debian' and 'pve-manager' in ansible_facts.packages
|
||||
|
||||
- name: Debian
|
||||
include: Debian.yml
|
||||
when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
|
||||
when: ansible_os_family == 'Debian' and 'pve-manager' not in ansible_facts.packages
|
||||
|
||||
- name: Setup chrony
|
||||
include: chrony.yml
|
||||
- name: FreeBSD
|
||||
include: FreeBSD.yml
|
||||
when: ansible_distribution == 'FreeBSD'
|
||||
|
@ -1,52 +0,0 @@
|
||||
# Welcome to the chrony configuration file. See chrony.conf(5) for more
|
||||
# information about usable directives.
|
||||
|
||||
# Include configuration files found in /etc/chrony/conf.d.
|
||||
confdir /etc/chrony/conf.d
|
||||
|
||||
{% for srv in ntp_servers %}
|
||||
server {{ srv }} iburst
|
||||
{% endfor %}
|
||||
{% if ntp_peers is defined %}
|
||||
|
||||
{% for peer in ntp_peers %}
|
||||
peer {{ peer }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if ntp_server is defined and ntp_server is true %}
|
||||
allow 172.23.0.0/16
|
||||
{% endif -%}
|
||||
|
||||
# This directive specify the location of the file containing ID/key pairs for
|
||||
# NTP authentication.
|
||||
keyfile /etc/chrony/chrony.keys
|
||||
|
||||
# This directive specify the file into which chronyd will store the rate
|
||||
# information.
|
||||
driftfile /var/lib/chrony/chrony.drift
|
||||
|
||||
# Save NTS keys and cookies.
|
||||
ntsdumpdir /var/lib/chrony
|
||||
|
||||
# Uncomment the following line to turn logging on.
|
||||
#log tracking measurements statistics
|
||||
|
||||
# Log files location.
|
||||
logdir /var/log/chrony
|
||||
|
||||
# Stop bad estimates upsetting machine clock.
|
||||
maxupdateskew 100.0
|
||||
|
||||
# This directive enables kernel synchronisation (every 11 minutes) of the
|
||||
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
|
||||
rtcsync
|
||||
|
||||
# Step the system clock instead of slewing it if the adjustment is larger than
|
||||
# one second, but only in the first three clock updates.
|
||||
makestep 1 3
|
||||
|
||||
# Get TAI-UTC offset and leap seconds from the system tz database.
|
||||
# This directive must be commented out when using time sources serving
|
||||
# leap-smeared time.
|
||||
leapsectz right/UTC
|
19
roles/common/templates/ldap.conf.j2
Normal file
19
roles/common/templates/ldap.conf.j2
Normal file
@ -0,0 +1,19 @@
|
||||
#
|
||||
# LDAP Defaults
|
||||
#
|
||||
|
||||
# See ldap.conf(5) for details
|
||||
# This file should be world readable but not world writable.
|
||||
|
||||
BASE {{ ldap_base }}
|
||||
URI {{ ldap_uri }}
|
||||
|
||||
#SIZELIMIT 12
|
||||
#TIMELIMIT 15
|
||||
#DEREF never
|
||||
|
||||
# TLS certificates (needed for GnuTLS)
|
||||
TLS_REQCERT demand
|
||||
TLS_CACERTDIR /etc/ssl/certs
|
||||
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
|
||||
|
@ -1,132 +0,0 @@
|
||||
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
|
||||
|
||||
# This is the sshd server system-wide configuration file. See
|
||||
# sshd_config(5) for more information.
|
||||
|
||||
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
|
||||
|
||||
# The strategy used for options in the default sshd_config shipped with
|
||||
# OpenSSH is to specify options with their default value where
|
||||
# possible, but leave them commented. Uncommented options override the
|
||||
# default value.
|
||||
|
||||
Include /etc/ssh/sshd_config.d/*.conf
|
||||
|
||||
#Port 22
|
||||
#AddressFamily any
|
||||
#ListenAddress 0.0.0.0
|
||||
#ListenAddress ::
|
||||
|
||||
#HostKey /etc/ssh/ssh_host_rsa_key
|
||||
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
#HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
# Ciphers and keying
|
||||
#RekeyLimit default none
|
||||
|
||||
# Logging
|
||||
#SyslogFacility AUTH
|
||||
#LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
PermitRootLogin {{ sshd_permit_root_login }}
|
||||
#StrictModes yes
|
||||
#MaxAuthTries 6
|
||||
#MaxSessions 10
|
||||
|
||||
#PubkeyAuthentication yes
|
||||
|
||||
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
|
||||
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
|
||||
|
||||
#AuthorizedPrincipalsFile none
|
||||
|
||||
{% if sshd_authkeys_command is defined and sshd_authkeys_command %}
|
||||
AuthorizedKeysCommand {{ sshd_authkeys_command }}
|
||||
{% if sshd_authkeys_user is defined and sshd_authkeys_user %}
|
||||
AuthorizedKeysCommandUser {{ sshd_authkeys_user }}
|
||||
{% else %}
|
||||
AuthorizedKeysCommandUser nobody
|
||||
{% endif %}
|
||||
{% else %}
|
||||
#AuthorizedKeysCommand none
|
||||
#AuthorizedKeysCommandUser nobody
|
||||
{% endif %}
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
#HostbasedAuthentication no
|
||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# HostbasedAuthentication
|
||||
#IgnoreUserKnownHosts no
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
#IgnoreRhosts yes
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
PasswordAuthentication {{ sshd_password_authentication }}
|
||||
#PermitEmptyPasswords no
|
||||
|
||||
# Change to yes to enable challenge-response passwords (beware issues with
|
||||
# some PAM modules and threads)
|
||||
ChallengeResponseAuthentication no
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
#KerberosGetAFSToken no
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
#GSSAPICleanupCredentials yes
|
||||
#GSSAPIStrictAcceptorCheck yes
|
||||
#GSSAPIKeyExchange no
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
# be allowed through the ChallengeResponseAuthentication and
|
||||
# PasswordAuthentication. Depending on your PAM configuration,
|
||||
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||||
# the setting of "PermitRootLogin without-password".
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
UsePAM yes
|
||||
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
||||
X11Forwarding yes
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PermitTTY yes
|
||||
PrintMotd no
|
||||
#PrintLastLog yes
|
||||
#TCPKeepAlive yes
|
||||
#PermitUserEnvironment no
|
||||
#Compression delayed
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
#UseDNS no
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10:30:100
|
||||
#PermitTunnel no
|
||||
#ChrootDirectory none
|
||||
#VersionAddendum none
|
||||
|
||||
# no default banner path
|
||||
#Banner none
|
||||
|
||||
# Allow client to pass locale environment variables
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
# X11Forwarding no
|
||||
# AllowTcpForwarding no
|
||||
# PermitTTY no
|
||||
# ForceCommand cvs server
|
@ -1,10 +1,4 @@
|
||||
---
|
||||
|
||||
- name: Reload systemd
|
||||
systemd: daemon_reload=yes
|
||||
|
||||
- name: Restart coturn
|
||||
service: name=coturn state=restarted
|
||||
|
||||
- name: Run acertmgr
|
||||
command: /usr/bin/acertmgr
|
||||
|
@ -3,28 +3,6 @@
|
||||
- name: Install coturn
|
||||
apt: name=coturn
|
||||
|
||||
- name: Create coturn service override directory
|
||||
file: path=/etc/systemd/system/coturn.service.d state=directory
|
||||
|
||||
- name: Configure coturn service override
|
||||
template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
|
||||
notify:
|
||||
- Reload systemd
|
||||
- Restart coturn
|
||||
|
||||
- name: Create gitea directories
|
||||
file: path={{ item }} state=directory owner=turnserver
|
||||
with_items:
|
||||
- /etc/turnserver
|
||||
- /etc/turnserver/certs
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
|
||||
|
||||
- name: Configure certificate manager
|
||||
template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Configure coturn
|
||||
template: src={{ item }}.j2 dest=/etc/{{ item }}
|
||||
with_items:
|
||||
|
@ -1,15 +0,0 @@
|
||||
---
|
||||
|
||||
{{ coturn_realm }}:
|
||||
- path: /etc/turnserver/certs/{{ coturn_realm }}.key
|
||||
user: turnserver
|
||||
group: turnserver
|
||||
perm: '400'
|
||||
format: key
|
||||
action: '/usr/sbin/service coturn restart'
|
||||
- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
|
||||
user: turnserver
|
||||
group: turnserver
|
||||
perm: '400'
|
||||
format: crt,ca
|
||||
action: '/usr/sbin/service coturn restart'
|
@ -1,2 +0,0 @@
|
||||
[Service]
|
||||
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
@ -1,9 +1,9 @@
|
||||
# Coturn TURN SERVER configuration file
|
||||
#
|
||||
# Boolean values note: where a boolean value is supposed to be used,
|
||||
# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
|
||||
# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
|
||||
# If the value is missing, then it means 'true' by default.
|
||||
# Boolean values note: where boolean value is supposed to be used,
|
||||
# you can use '0', 'off', 'no', 'false', 'f' as 'false,
|
||||
# and you can use '1', 'on', 'yes', 'true', 't' as 'true'
|
||||
# If the value is missed, then it means 'true'.
|
||||
#
|
||||
|
||||
# Listener interface device (optional, Linux only).
|
||||
@ -15,19 +15,19 @@
|
||||
# Note: actually, TLS & DTLS sessions can connect to the
|
||||
# "plain" TCP & UDP port(s), too - if allowed by configuration.
|
||||
#
|
||||
listening-port=443
|
||||
#listening-port=3478
|
||||
|
||||
# TURN listener port for TLS (Default: 5349).
|
||||
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
|
||||
# port(s), too - if allowed by configuration. The TURN server
|
||||
# "automatically" recognizes the type of traffic. Actually, two listening
|
||||
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
|
||||
# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
|
||||
# For secure TCP connections, Coturn currently supports
|
||||
# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
|
||||
# For secure TCP connections, we currently support SSL version 3 and
|
||||
# TLS version 1.0, 1.1 and 1.2.
|
||||
# For secure UDP connections, Coturn supports DTLS version 1.
|
||||
# For secure UDP connections, we support DTLS version 1.
|
||||
#
|
||||
tls-listening-port=443
|
||||
#tls-listening-port=5349
|
||||
|
||||
# Alternative listening port for UDP and TCP listeners;
|
||||
# default (or zero) value means "listening port plus one".
|
||||
@ -45,14 +45,6 @@ tls-listening-port=443
|
||||
#
|
||||
#alt-tls-listening-port=0
|
||||
|
||||
# Some network setups will require using a TCP reverse proxy in front
|
||||
# of the STUN server. If the proxy port option is set a single listener
|
||||
# is started on the given port that accepts connections using the
|
||||
# haproxy proxy protocol v2.
|
||||
# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
|
||||
#
|
||||
#tcp-proxy-port=5555
|
||||
|
||||
# Listener IP address of relay server. Multiple listeners can be specified.
|
||||
# If no IP(s) specified in the config file or in the command line options,
|
||||
# then all IPv4 and IPv6 system IPs will be used for listening.
|
||||
@ -125,10 +117,7 @@ tls-listening-port=443
|
||||
#
|
||||
# By default, this value is empty, and no address mapping is used.
|
||||
#
|
||||
external-ip={{ ansible_default_ipv4.address }}
|
||||
{% if ansible_default_ipv6.address is defined %}
|
||||
external-ip={{ ansible_default_ipv6.address }}
|
||||
{% endif %}
|
||||
#external-ip=60.70.80.91
|
||||
#
|
||||
#OR:
|
||||
#
|
||||
@ -144,8 +133,8 @@ external-ip={{ ansible_default_ipv6.address }}
|
||||
#
|
||||
# If this parameter is not set, then the default OS-dependent
|
||||
# thread pattern algorithm will be employed. Usually the default
|
||||
# algorithm is optimal, so you have to change this option
|
||||
# if you want to make some fine tweaks.
|
||||
# algorithm is the most optimal, so you have to change this option
|
||||
# only if you want to make some fine tweaks.
|
||||
#
|
||||
# In the older systems (Linux kernel before 3.9),
|
||||
# the number of UDP threads is always one thread per network listening
|
||||
@ -166,7 +155,7 @@ external-ip={{ ansible_default_ipv6.address }}
|
||||
|
||||
# Uncomment to run TURN server in 'extra' verbose mode.
|
||||
# This mode is very annoying and produces lots of output.
|
||||
# Not recommended under normal circumstances.
|
||||
# Not recommended under any normal circumstances.
|
||||
#
|
||||
#Verbose
|
||||
|
||||
@ -180,27 +169,15 @@ fingerprint
|
||||
#
|
||||
#lt-cred-mech
|
||||
|
||||
# This option is the opposite of lt-cred-mech.
|
||||
# This option is opposite to lt-cred-mech.
|
||||
# (TURN Server with no-auth option allows anonymous access).
|
||||
# If neither option is defined, and no users are defined,
|
||||
# then no-auth is default. If at least one user is defined,
|
||||
# in this file, in command line or in usersdb file, then
|
||||
# in this file or in command line or in usersdb file, then
|
||||
# lt-cred-mech is default.
|
||||
#
|
||||
#no-auth
|
||||
|
||||
# Enable prometheus exporter
|
||||
# If enabled the turnserver will expose an endpoint with stats on a prometheus format
|
||||
# this endpoint is listening on a different port to not conflict with other configurations.
|
||||
#
|
||||
# You can simply run the turnserver and access the port 9641 and path /metrics
|
||||
#
|
||||
# For mor info on the prometheus exporter and metrics
|
||||
# https://prometheus.io/docs/introduction/overview/
|
||||
# https://prometheus.io/docs/concepts/data_model/
|
||||
#
|
||||
#prometheus
|
||||
|
||||
# TURN REST API flag.
|
||||
# (Time Limited Long Term Credential)
|
||||
# Flag that sets a special authorization option that is based upon authentication secret.
|
||||
@ -216,33 +193,34 @@ fingerprint
|
||||
# turn password -> base64(hmac(secret key, usercombo))
|
||||
#
|
||||
# This allows TURN credentials to be accounted for a specific user id.
|
||||
# If you don't have a suitable id, then the timestamp alone can be used.
|
||||
# This option is enabled by turning on secret-based authentication.
|
||||
# The actual value of the secret is defined either by the option static-auth-secret,
|
||||
# If you don't have a suitable id, the timestamp alone can be used.
|
||||
# This option is just turning on secret-based authentication.
|
||||
# The actual value of the secret is defined either by option static-auth-secret,
|
||||
# or can be found in the turn_secret table in the database (see below).
|
||||
#
|
||||
# Read more about it:
|
||||
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
|
||||
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
|
||||
#
|
||||
# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
|
||||
# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
|
||||
# this option then it automatically enables lt-cred-mech internally
|
||||
# as if you had enabled both.
|
||||
# Be aware that use-auth-secret overrides some part of lt-cred-mech.
|
||||
# Notice that this feature depends internally on lt-cred-mech, so if you set
|
||||
# use-auth-secret then it enables internally automatically lt-cred-mech option
|
||||
# like if you enable both.
|
||||
#
|
||||
# Note that you can use only one auth mechanism at the same time! This is because,
|
||||
# both mechanisms conduct username and password validation in different ways.
|
||||
# You can use only one of the to auth mechanisms in the same time because,
|
||||
# both mechanism use the username and password validation in different way.
|
||||
#
|
||||
# Use either lt-cred-mech or use-auth-secret in the conf
|
||||
# This way be aware that you can't use both auth mechnaism in the same time!
|
||||
# Use in config either the lt-cred-mech or the use-auth-secret
|
||||
# to avoid any confusion.
|
||||
#
|
||||
use-auth-secret
|
||||
|
||||
# 'Static' authentication secret value (a string) for TURN REST API only.
|
||||
# If not set, then the turn server
|
||||
# will try to use the 'dynamic' value in the turn_secret table
|
||||
# in the user database (if present). The database-stored value can be changed on-the-fly
|
||||
# by a separate program, so this is why that mode is considered 'dynamic'.
|
||||
# will try to use the 'dynamic' value in turn_secret table
|
||||
# in user database (if present). The database-stored value can be changed on-the-fly
|
||||
# by a separate program, so this is why that other mode is 'dynamic'.
|
||||
#
|
||||
static-auth-secret={{ coturn_secret }}
|
||||
|
||||
@ -256,10 +234,10 @@ static-auth-secret={{ coturn_secret }}
|
||||
#
|
||||
#oauth
|
||||
|
||||
# 'Static' user accounts for the long term credentials mechanism, only.
|
||||
# 'Static' user accounts for long term credentials mechanism, only.
|
||||
# This option cannot be used with TURN REST API.
|
||||
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
|
||||
# so they can NOT be changed while the turnserver is running.
|
||||
# so that they can NOT be changed while the turnserver is running.
|
||||
#
|
||||
#user=username1:key1
|
||||
#user=username2:key2
|
||||
@ -285,15 +263,15 @@ static-auth-secret={{ coturn_secret }}
|
||||
|
||||
# SQLite database file name.
|
||||
#
|
||||
# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
|
||||
# Default file name is /var/db/turndb or /usr/local/var/db/turndb or
|
||||
# /var/lib/turn/turndb.
|
||||
#
|
||||
#userdb=/var/db/turndb
|
||||
|
||||
# PostgreSQL database connection string in the case that you are using PostgreSQL
|
||||
# PostgreSQL database connection string in the case that we are using PostgreSQL
|
||||
# as the user database.
|
||||
# This database can be used for the long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||
# This database can be used for long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
||||
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
|
||||
# versions connection string format, see
|
||||
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
|
||||
@ -301,43 +279,43 @@ static-auth-secret={{ coturn_secret }}
|
||||
#
|
||||
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
|
||||
|
||||
# MySQL database connection string in the case that you are using MySQL
|
||||
# MySQL database connection string in the case that we are using MySQL
|
||||
# as the user database.
|
||||
# This database can be used for the long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||
# This database can be used for long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
||||
#
|
||||
# Optional connection string parameters for the secure communications (SSL):
|
||||
# ca, capath, cert, key, cipher
|
||||
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
|
||||
# command options description).
|
||||
#
|
||||
# Use the string format below (space separated parameters, all optional):
|
||||
# Use string format as below (space separated parameters, all optional):
|
||||
#
|
||||
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
|
||||
|
||||
# If you want to use an encrypted password in the MySQL connection string,
|
||||
# then set the MySQL password encryption secret key file with this option.
|
||||
# If you want to use in the MySQL connection string the password in encrypted format,
|
||||
# then set in this option the MySQL password encryption secret key file.
|
||||
#
|
||||
# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
|
||||
# If you want to use a cleartext password then do not set this option!
|
||||
# Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format!
|
||||
# If you want to use cleartext password then do not set this option!
|
||||
#
|
||||
# This is the file path for the aes encrypted secret key used for password encryption.
|
||||
# This is the file path which contain secret key of aes encryption while using password encryption.
|
||||
#
|
||||
#secret-key-file=/path/
|
||||
|
||||
# MongoDB database connection string in the case that you are using MongoDB
|
||||
# MongoDB database connection string in the case that we are using MongoDB
|
||||
# as the user database.
|
||||
# This database can be used for long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||
# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
|
||||
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
||||
# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
|
||||
#
|
||||
#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
|
||||
|
||||
# Redis database connection string in the case that you are using Redis
|
||||
# Redis database connection string in the case that we are using Redis
|
||||
# as the user database.
|
||||
# This database can be used for long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||
# Use the string format below (space separated parameters, all optional):
|
||||
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
||||
# Use string format as below (space separated parameters, all optional):
|
||||
#
|
||||
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
|
||||
|
||||
@ -345,23 +323,23 @@ static-auth-secret={{ coturn_secret }}
|
||||
# This database keeps allocations status information, and it can be also used for publishing
|
||||
# and delivering traffic and allocation event notifications.
|
||||
# The connection string has the same parameters as redis-userdb connection string.
|
||||
# Use the string format below (space separated parameters, all optional):
|
||||
# Use string format as below (space separated parameters, all optional):
|
||||
#
|
||||
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
|
||||
|
||||
# The default realm to be used for the users when no explicit
|
||||
# origin/realm relationship is found in the database, or if the TURN
|
||||
# origin/realm relationship was found in the database, or if the TURN
|
||||
# server is not using any database (just the commands-line settings
|
||||
# and the userdb file). Must be used with long-term credentials
|
||||
# mechanism or with TURN REST API.
|
||||
#
|
||||
# Note: If the default realm is not specified, then realm falls back to the host domain name.
|
||||
# If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
|
||||
# Note: If default realm is not specified at all, then realm falls back to the host domain name.
|
||||
# If domain name is empty string, or '(None)', then it is initialized to am empty string.
|
||||
#
|
||||
realm={{ coturn_realm }}
|
||||
|
||||
# This flag sets the origin consistency
|
||||
# check. Across the session, all requests must have the same
|
||||
# The flag that sets the origin consistency
|
||||
# check: across the session, all requests must have the same
|
||||
# main ORIGIN attribute value (if the ORIGIN was
|
||||
# initially used by the session).
|
||||
#
|
||||
@ -381,7 +359,7 @@ realm={{ coturn_realm }}
|
||||
|
||||
# Max bytes-per-second bandwidth a TURN session is allowed to handle
|
||||
# (input and output network streams are treated separately). Anything above
|
||||
# that limit will be dropped or temporarily suppressed (within
|
||||
# that limit will be dropped or temporary suppressed (within
|
||||
# the available buffer limits).
|
||||
# This option can also be set through the database, for a particular realm.
|
||||
#
|
||||
@ -402,17 +380,17 @@ realm={{ coturn_realm }}
|
||||
# Uncomment if no TCP client listener is desired.
|
||||
# By default TCP client listener is always started.
|
||||
#
|
||||
#no-tcp
|
||||
no-tcp
|
||||
|
||||
# Uncomment if no TLS client listener is desired.
|
||||
# By default TLS client listener is always started.
|
||||
#
|
||||
#no-tls
|
||||
no-tls
|
||||
|
||||
# Uncomment if no DTLS client listener is desired.
|
||||
# By default DTLS client listener is always started.
|
||||
#
|
||||
#no-dtls
|
||||
no-dtls
|
||||
|
||||
# Uncomment if no UDP relay endpoints are allowed.
|
||||
# By default UDP relay endpoints are enabled (like in RFC 5766).
|
||||
@ -425,10 +403,10 @@ realm={{ coturn_realm }}
|
||||
#no-tcp-relay
|
||||
|
||||
# Uncomment if extra security is desired,
|
||||
# with nonce value having a limited lifetime.
|
||||
# The nonce value is unique for a session.
|
||||
# with nonce value having limited lifetime.
|
||||
# By default, the nonce value is unique for a session,
|
||||
# and has unlimited lifetime.
|
||||
# Set this option to limit the nonce lifetime.
|
||||
# Set it to 0 for unlimited lifetime.
|
||||
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
|
||||
# the client will get 438 error and will have to re-authenticate itself.
|
||||
#
|
||||
@ -457,7 +435,6 @@ realm={{ coturn_realm }}
|
||||
# Certificate file.
|
||||
# Use an absolute path or path relative to the
|
||||
# configuration file.
|
||||
# Use PEM file format.
|
||||
#
|
||||
#cert=/usr/local/etc/turn_server_cert.pem
|
||||
|
||||
@ -480,7 +457,7 @@ realm={{ coturn_realm }}
|
||||
|
||||
# CA file in OpenSSL format.
|
||||
# Forces TURN server to verify the client SSL certificates.
|
||||
# By default this is not set: there is no default value and the client
|
||||
# By default it is not set: there is no default value and the client
|
||||
# certificate is not checked.
|
||||
#
|
||||
# Example:
|
||||
@ -494,13 +471,13 @@ realm={{ coturn_realm }}
|
||||
#
|
||||
#ec-curve-name=prime256v1
|
||||
|
||||
# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
|
||||
# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
|
||||
#
|
||||
#dh566
|
||||
|
||||
# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
|
||||
# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
|
||||
#
|
||||
#dh1066
|
||||
#dh2066
|
||||
|
||||
# Use custom DH TLS key, stored in PEM format in the file.
|
||||
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
|
||||
@ -508,16 +485,16 @@ realm={{ coturn_realm }}
|
||||
#dh-file=<DH-PEM-file-name>
|
||||
|
||||
# Flag to prevent stdout log messages.
|
||||
# By default, all log messages go to both stdout and to
|
||||
# the configured log file. With this option everything will
|
||||
# go to the configured log only (unless the log file itself is stdout).
|
||||
# By default, all log messages are going to both stdout and to
|
||||
# the configured log file. With this option everything will be
|
||||
# going to the configured log only (unless the log file itself is stdout).
|
||||
#
|
||||
#no-stdout-log
|
||||
|
||||
# Option to set the log file name.
|
||||
# By default, the turnserver tries to open a log file in
|
||||
# /var/log, /var/tmp, /tmp and the current directory
|
||||
# (Whichever file open operation succeeds first will be used).
|
||||
# /var/log, /var/tmp, /tmp and current directories directories
|
||||
# (which open operation succeeds first that file will be used).
|
||||
# With this option you can set the definite log file name.
|
||||
# The special names are "stdout" and "-" - they will force everything
|
||||
# to the stdout. Also, the "syslog" name will force everything to
|
||||
@ -537,25 +514,15 @@ syslog
|
||||
#
|
||||
#simple-log
|
||||
|
||||
# Enable full ISO-8601 timestamp in all logs.
|
||||
#new-log-timestamp
|
||||
|
||||
# Set timestamp format (in strftime(1) format)
|
||||
#new-log-timestamp-format "%FT%T%z"
|
||||
|
||||
# Disabled by default binding logging in verbose log mode to avoid DoS attacks.
|
||||
# Enable binding logging and UDP endpoint logs in verbose log mode.
|
||||
#log-binding
|
||||
|
||||
# Option to set the "redirection" mode. The value of this option
|
||||
# will be the address of the alternate server for UDP & TCP service in the form of
|
||||
# will be the address of the alternate server for UDP & TCP service in form of
|
||||
# <ip>[:<port>]. The server will send this value in the attribute
|
||||
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
|
||||
# Client will receive only values with the same address family
|
||||
# as the client network endpoint address family.
|
||||
# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
|
||||
# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
|
||||
# The client must use the obtained value for subsequent TURN communications.
|
||||
# If more than one --alternate-server option is provided, then the functionality
|
||||
# If more than one --alternate-server options are provided, then the functionality
|
||||
# can be more accurately described as "load-balancing" than a mere "redirection".
|
||||
# If the port number is omitted, then the default port
|
||||
# number 3478 for the UDP/TCP protocols will be used.
|
||||
@ -565,7 +532,7 @@ syslog
|
||||
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
|
||||
# Multiple alternate servers can be set. They will be used in the
|
||||
# round-robin manner. All servers in the pool are considered of equal weight and
|
||||
# the load will be distributed equally. For example, if you have 4 alternate servers,
|
||||
# the load will be distributed equally. For example, if we have 4 alternate servers,
|
||||
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
|
||||
# address can be used more than one time with the alternate-server option, so this
|
||||
# can emulate "weighting" of the servers.
|
||||
@ -592,15 +559,6 @@ syslog
|
||||
#
|
||||
#stun-only
|
||||
|
||||
# Option to hide software version. Enhance security when used in production.
|
||||
# Revealing the specific software version of the agent through the
|
||||
# SOFTWARE attribute might allow them to become more vulnerable to
|
||||
# attacks against software that is known to contain security holes.
|
||||
# Implementers SHOULD make usage of the SOFTWARE attribute a
|
||||
# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
|
||||
#
|
||||
#no-software-attribute
|
||||
|
||||
# Option to suppress STUN functionality, only TURN requests will be processed.
|
||||
# Run as TURN server only, all STUN requests will be ignored.
|
||||
# By default, this option is NOT set.
|
||||
@ -664,19 +622,19 @@ mobility
|
||||
# Allocate Address Family according
|
||||
# If enabled then TURN server allocates address family according the TURN
|
||||
# Client <=> Server communication address family.
|
||||
# (By default Coturn works according RFC 6156.)
|
||||
# (By default coTURN works according RFC 6156.)
|
||||
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
|
||||
#
|
||||
#keep-address-family
|
||||
|
||||
|
||||
# User name to run the process. After the initialization, the turnserver process
|
||||
# will attempt to change the current user ID to that user.
|
||||
# will make an attempt to change the current user ID to that user.
|
||||
#
|
||||
#proc-user=<user-name>
|
||||
|
||||
# Group name to run the process. After the initialization, the turnserver process
|
||||
# will attempt to change the current group ID to that group.
|
||||
# will make an attempt to change the current group ID to that group.
|
||||
#
|
||||
#proc-group=<group-name>
|
||||
|
||||
@ -696,8 +654,8 @@ mobility
|
||||
#cli-port=5766
|
||||
|
||||
# CLI access password. Default is empty (no password).
|
||||
# For the security reasons, it is recommended that you use the encrypted
|
||||
# form of the password (see the -P command in the turnadmin utility).
|
||||
# For the security reasons, it is recommended to use the encrypted
|
||||
# for of the password (see the -P command in the turnadmin utility).
|
||||
#
|
||||
# Secure form for password 'qwerty':
|
||||
#
|
||||
@ -726,12 +684,8 @@ mobility
|
||||
#
|
||||
#web-admin-listen-on-workers
|
||||
|
||||
#acme-redirect=http://redirectserver/.well-known/acme-challenge/
|
||||
# Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.
|
||||
# Default is '', i.e. no special handling for such requests.
|
||||
|
||||
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
|
||||
# Only for those applications when you want to run
|
||||
# Only for those applications when we want to run
|
||||
# server applications on the relay endpoints.
|
||||
# This option eliminates the IP permissions check on
|
||||
# the packets incoming to the relay endpoints.
|
||||
@ -749,6 +703,6 @@ mobility
|
||||
|
||||
# Do not allow an TLS/DTLS version of protocol
|
||||
#
|
||||
#no-tlsv1
|
||||
#no-tlsv1_1
|
||||
#no-tlsv1_2
|
||||
no-tlsv1
|
||||
no-tlsv1_1
|
||||
no-tlsv1_2
|
||||
|
4
roles/dhcpd/handlers/main.yml
Normal file
4
roles/dhcpd/handlers/main.yml
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
|
||||
- name: Restart isc-dhcp-server
|
||||
service: name=isc-dhcp-server state=restarted
|
14
roles/dhcpd/tasks/main.yml
Normal file
14
roles/dhcpd/tasks/main.yml
Normal file
@ -0,0 +1,14 @@
|
||||
---
|
||||
|
||||
- name: Install dhcp server
|
||||
apt: name=isc-dhcp-server
|
||||
|
||||
- name: Configure dhcp server
|
||||
template: src={{ item }}.j2 dest=/etc/{{ item }}
|
||||
with_items:
|
||||
- default/isc-dhcp-server
|
||||
- dhcp/dhcpd.conf
|
||||
notify: Restart isc-dhcp-server
|
||||
|
||||
- name: Start the dhcp server
|
||||
service: name=isc-dhcp-server state=started enabled=yes
|
17
roles/dhcpd/templates/default/isc-dhcp-server.j2
Normal file
17
roles/dhcpd/templates/default/isc-dhcp-server.j2
Normal file
@ -0,0 +1,17 @@
|
||||
#
|
||||
# This is a POSIX shell fragment
|
||||
#
|
||||
|
||||
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
|
||||
#DHCPD_CONF=/etc/dhcp/dhcpd.conf
|
||||
|
||||
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
|
||||
#DHCPD_PID=/var/run/dhcpd.pid
|
||||
|
||||
# Additional options to start dhcpd with.
|
||||
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
|
||||
#OPTIONS=""
|
||||
|
||||
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
|
||||
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
|
||||
INTERFACES="eth0"
|
228
roles/dhcpd/templates/dhcp/dhcpd.conf.j2
Normal file
228
roles/dhcpd/templates/dhcp/dhcpd.conf.j2
Normal file
@ -0,0 +1,228 @@
|
||||
# dhcpd.conf
|
||||
|
||||
# option definitions common to all supported networks...
|
||||
option domain-name "binary.kitchen";
|
||||
option domain-name-servers {{ name_servers | join(', ') }};
|
||||
option ntp-servers 172.23.1.60, 172.23.2.3;
|
||||
|
||||
default-lease-time 7200;
|
||||
max-lease-time 28800;
|
||||
|
||||
# Use this to enble / disable dynamic dns updates globally.
|
||||
ddns-update-style none;
|
||||
|
||||
# If this DHCP server is the official DHCP server for the local
|
||||
# network, the authoritative directive should be uncommented.
|
||||
authoritative;
|
||||
|
||||
# Use this to send dhcp log messages to a different log file (you also
|
||||
# have to hack syslog.conf to complete the redirection).
|
||||
log-facility local7;
|
||||
|
||||
{% if dhcpd_failover == true %}
|
||||
|
||||
# Failover
|
||||
|
||||
failover peer "failover-partner" {
|
||||
{% if ansible_default_ipv4.address == dhcpd_primary %}
|
||||
primary;
|
||||
address {{ dhcpd_primary }};
|
||||
peer address {{ dhcpd_secondary }};
|
||||
{% elif ansible_default_ipv4.address == dhcpd_secondary %}
|
||||
secondary;
|
||||
address {{ dhcpd_secondary }};
|
||||
peer address {{ dhcpd_primary }};
|
||||
{% endif %}
|
||||
port 520;
|
||||
peer port 520;
|
||||
max-response-delay 60;
|
||||
max-unacked-updates 10;
|
||||
{% if ansible_default_ipv4.address == dhcpd_primary %}
|
||||
mclt 600;
|
||||
split 255;
|
||||
{% endif %}
|
||||
load balance max seconds 3;
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
# Binary Kitchen subnets
|
||||
|
||||
# Management
|
||||
subnet 172.23.1.0 netmask 255.255.255.0 {
|
||||
option routers 172.23.1.1;
|
||||
}
|
||||
|
||||
# Services
|
||||
subnet 172.23.2.0 netmask 255.255.255.0 {
|
||||
allow bootp;
|
||||
option routers 172.23.2.1;
|
||||
}
|
||||
|
||||
# Users
|
||||
subnet 172.23.3.0 netmask 255.255.255.0 {
|
||||
option routers 172.23.3.1;
|
||||
pool {
|
||||
{% if dhcpd_failover == true %}
|
||||
failover peer "failover-partner";
|
||||
{% endif %}
|
||||
range 172.23.3.10 172.23.3.230;
|
||||
}
|
||||
}
|
||||
|
||||
# MQTT
|
||||
subnet 172.23.4.0 netmask 255.255.255.0 {
|
||||
option routers 172.23.4.1;
|
||||
pool {
|
||||
{% if dhcpd_failover == true %}
|
||||
failover peer "failover-partner";
|
||||
{% endif %}
|
||||
range 172.23.4.10 172.23.4.240;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# Fixed IPs
|
||||
|
||||
host ap01 {
|
||||
hardware ethernet 44:48:c1:ce:a9:00;
|
||||
fixed-address ap01.binary.kitchen;
|
||||
}
|
||||
|
||||
host ap04 {
|
||||
hardware ethernet 44:48:c1:ce:90:06;
|
||||
fixed-address ap04.binary.kitchen;
|
||||
}
|
||||
|
||||
host ap05 {
|
||||
hardware ethernet bc:9f:e4:c3:6f:aa;
|
||||
fixed-address ap05.binary.kitchen;
|
||||
}
|
||||
|
||||
host bowle {
|
||||
hardware ethernet ac:1f:6b:25:16:b6;
|
||||
fixed-address bowle.binary.kitchen;
|
||||
}
|
||||
|
||||
host cannelloni {
|
||||
hardware ethernet 00:10:f3:15:88:ac;
|
||||
fixed-address cannelloni.binary.kitchen;
|
||||
}
|
||||
|
||||
host cashdesk {
|
||||
hardware ethernet 00:0b:ca:94:13:f1;
|
||||
fixed-address cashdesk.binary.kitchen;
|
||||
}
|
||||
|
||||
host fusilli {
|
||||
hardware ethernet b8:27:eb:1d:b9:bf;
|
||||
fixed-address fusilli.binary.kitchen;
|
||||
}
|
||||
|
||||
host garlic {
|
||||
hardware ethernet b8:27:eb:56:2b:7c;
|
||||
fixed-address garlic.binary.kitchen;
|
||||
}
|
||||
|
||||
host homer {
|
||||
hardware ethernet b8:27:eb:24:b2:12;
|
||||
fixed-address homer.binary.kitchen;
|
||||
}
|
||||
|
||||
host klopi {
|
||||
hardware ethernet 74:da:38:6e:e6:9d;
|
||||
fixed-address klopi.binary.kitchen;
|
||||
}
|
||||
|
||||
host lock {
|
||||
hardware ethernet b8:27:eb:d8:b9:ad;
|
||||
fixed-address lock.binary.kitchen;
|
||||
}
|
||||
|
||||
host maccaroni {
|
||||
hardware ethernet b8:27:eb:18:5c:11;
|
||||
fixed-address maccaroni.binary.kitchen;
|
||||
}
|
||||
|
||||
host matrix {
|
||||
hardware ethernet b8:27:eb:ed:22:58;
|
||||
fixed-address matrix.binary.kitchen;
|
||||
}
|
||||
|
||||
host mirror {
|
||||
hardware ethernet 74:da:38:7d:ed:84;
|
||||
fixed-address mirror.binary.kitchen;
|
||||
}
|
||||
|
||||
host mpcnc {
|
||||
hardware ethernet b8:27:eb:0f:d3:8b;
|
||||
fixed-address mpcnc.binary.kitchen;
|
||||
}
|
||||
|
||||
host noodlehub {
|
||||
hardware ethernet b8:27:eb:eb:e5:88;
|
||||
fixed-address noodlehub.binary.kitchen;
|
||||
}
|
||||
|
||||
host pizza {
|
||||
hardware ethernet 52:54:00:17:02:21;
|
||||
fixed-address pizza.binary.kitchen;
|
||||
}
|
||||
|
||||
host punsch {
|
||||
hardware ethernet 00:21:85:1b:7f:3d;
|
||||
fixed-address punsch.binary.kitchen;
|
||||
}
|
||||
|
||||
host spaghetti {
|
||||
hardware ethernet b8:27:eb:e3:e9:f1;
|
||||
fixed-address spaghetti.binary.kitchen;
|
||||
}
|
||||
|
||||
host schweinshaxn {
|
||||
hardware ethernet 52:54:00:17:02:24;
|
||||
fixed-address schweinshaxn.binary.kitchen;
|
||||
}
|
||||
|
||||
host strammermax {
|
||||
hardware ethernet 08:00:37:B8:55:44;
|
||||
fixed-address strammermax.binary.kitchen;
|
||||
}
|
||||
|
||||
host obatzda {
|
||||
hardware ethernet ec:9a:74:35:35:cf;
|
||||
fixed-address obatzda.binary.kitchen;
|
||||
}
|
||||
|
||||
|
||||
# VoIP Phones
|
||||
|
||||
host voip01 {
|
||||
hardware ethernet 00:1D:45:B6:99:2F;
|
||||
option tftp-server-name "172.23.2.36";
|
||||
}
|
||||
|
||||
host voip02 {
|
||||
hardware ethernet 00:1D:A2:66:B8:3E;
|
||||
option tftp-server-name "172.23.2.36";
|
||||
}
|
||||
|
||||
host voip03 {
|
||||
hardware ethernet 00:1E:BE:90:FB:DB;
|
||||
option tftp-server-name "172.23.2.36";
|
||||
}
|
||||
|
||||
host voip04 {
|
||||
hardware ethernet 00:1E:BE:90:FF:06;
|
||||
option tftp-server-name "172.23.2.36";
|
||||
}
|
||||
|
||||
|
||||
# OMAPI
|
||||
|
||||
omapi-port 7911;
|
||||
omapi-key omapi_key;
|
||||
|
||||
key omapi_key {
|
||||
algorithm hmac-md5;
|
||||
secret {{ dhcp_omapi_key }};
|
||||
}
|
@ -5,21 +5,11 @@
|
||||
name:
|
||||
- pdns-server
|
||||
- pdns-backend-sqlite3
|
||||
- sqlite3
|
||||
|
||||
- name: Configure powerdns
|
||||
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
|
||||
notify: Restart powerdns
|
||||
|
||||
- name: Initialize database
|
||||
command:
|
||||
cmd: >
|
||||
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
|
||||
/var/lib/powerdns/powerdns.sqlite3
|
||||
creates: /var/lib/powerdns/powerdns.sqlite3
|
||||
become: true
|
||||
become_user: pdns
|
||||
|
||||
- name: Copy update policy script
|
||||
copy: src=updatepolicy.lua dest=/etc/powerdns/updatepolicy.lua
|
||||
notify: Restart powerdns
|
||||
|
@ -1,4 +1,5 @@
|
||||
local-address=0.0.0.0, ::
|
||||
local-address=0.0.0.0
|
||||
local-ipv6=::
|
||||
launch=gsqlite3
|
||||
gsqlite3-dnssec
|
||||
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
|
||||
@ -10,4 +11,3 @@ allow-axfr-ips=127.0.0.1,::1{% if dns_axfr_ips is defined %},{{ dns_axfr_ips | j
|
||||
{% endif %}
|
||||
allow-dnsupdate-from=0.0.0.0/0,::/0
|
||||
lua-dnsupdate-policy-script=/etc/powerdns/updatepolicy.lua
|
||||
security-poll-suffix=
|
||||
|
@ -5,6 +5,3 @@
|
||||
with_items:
|
||||
- pdns
|
||||
- pdns-recursor
|
||||
|
||||
- name: Restart dnsdist
|
||||
service: name=dnsdist state=restarted
|
||||
|
@ -3,11 +3,8 @@
|
||||
- name: Install powerdns
|
||||
apt:
|
||||
name:
|
||||
- dnsdist
|
||||
- pdns-backend-sqlite3
|
||||
- pdns-server
|
||||
- pdns-recursor
|
||||
- sqlite3
|
||||
|
||||
- name: Create zone directory
|
||||
file: path=/etc/powerdns/bind/ state=directory
|
||||
@ -22,28 +19,8 @@
|
||||
- bind/23.172.in-addr.arpa.zone
|
||||
- bind/binary.kitchen.zone
|
||||
|
||||
- name: Initialize database
|
||||
command:
|
||||
cmd: >
|
||||
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
|
||||
/var/lib/powerdns/pdns.sqlite3
|
||||
creates: /var/lib/powerdns/pdns.sqlite3
|
||||
become: true
|
||||
become_user: pdns
|
||||
|
||||
# TODO
|
||||
# Initialize zone users.binary.kitchen using pdnsutil or SQL on the master
|
||||
|
||||
# TODO
|
||||
# Initialize zone users.binary.kitchen using "pdnsutil create-slave-zone users.binary.kitchen 172.23.2.3" on the slave
|
||||
|
||||
- name: Configure dnsdist
|
||||
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
|
||||
notify: Restart dnsdist
|
||||
|
||||
- name: Start the powerdns services
|
||||
service: name={{ item }} state=started enabled=yes
|
||||
with_items:
|
||||
- dnsdist
|
||||
- pdns
|
||||
- pdns-recursor
|
||||
|
@ -1,57 +1,52 @@
|
||||
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
|
||||
$TTL 1h ; default time-to-live
|
||||
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
|
||||
2024100600; serial
|
||||
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
|
||||
2020051101; serial
|
||||
1d; refresh
|
||||
2h; retry
|
||||
4w; expire
|
||||
1h; minimum time-to-live
|
||||
)
|
||||
IN NS ns1.binary.kitchen.
|
||||
IN NS ns2.binary.kitchen.
|
||||
IN NS ns.binary.kitchen.
|
||||
; Loopback
|
||||
1.0 IN PTR core.binary.kitchen.
|
||||
2.0 IN PTR rt-w13b.binary.kitchen.
|
||||
2.0 IN PTR erx-bk.binary.kitchen.
|
||||
3.0 IN PTR erx-rz.binary.kitchen.
|
||||
4.0 IN PTR rt-auweg.binary.kitchen.
|
||||
4.0 IN PTR pf-bk.binary.kitchen.
|
||||
5.0 IN PTR pf-rz.binary.kitchen.
|
||||
; Management
|
||||
1.1 IN PTR v2301.core.binary.kitchen.
|
||||
11.1 IN PTR ups1.binary.kitchen.
|
||||
21.1 IN PTR pdu1.binary.kitchen.
|
||||
22.1 IN PTR pdu2.binary.kitchen.
|
||||
23.1 IN PTR pdu3.binary.kitchen.
|
||||
31.1 IN PTR sw-butchery.binary.kitchen.
|
||||
32.1 IN PTR sw-mini.binary.kitchen.
|
||||
33.1 IN PTR sw-rack.binary.kitchen.
|
||||
31.1 IN PTR sw01.binary.kitchen.
|
||||
32.1 IN PTR sw02.binary.kitchen.
|
||||
33.1 IN PTR sw03.binary.kitchen.
|
||||
41.1 IN PTR ap01.binary.kitchen.
|
||||
42.1 IN PTR ap02.binary.kitchen.
|
||||
43.1 IN PTR ap03.binary.kitchen.
|
||||
44.1 IN PTR ap04.binary.kitchen.
|
||||
45.1 IN PTR ap05.binary.kitchen.
|
||||
46.1 IN PTR ap06.binary.kitchen.
|
||||
51.1 IN PTR modem.binary.kitchen.
|
||||
60.1 IN PTR wurst.binary.kitchen.
|
||||
80.1 IN PTR wurst-bmc.binary.kitchen.
|
||||
82.1 IN PTR bowle-bmc.binary.kitchen.
|
||||
101.1 IN PTR nbe-w13b.binary.kitchen.
|
||||
102.1 IN PTR nbe-tr8.binary.kitchen.
|
||||
111.1 IN PTR rfp01.binary.kitchen.
|
||||
112.1 IN PTR rfp02.binary.kitchen.
|
||||
; Services
|
||||
1.2 IN PTR v2302.core.binary.kitchen.
|
||||
2.2 IN PTR ns.binary.kitchen.
|
||||
3.2 IN PTR bacon.binary.kitchen.
|
||||
4.2 IN PTR aveta.binary.kitchen.
|
||||
5.2 IN PTR sulis.binary.kitchen.
|
||||
6.2 IN PTR nabia.binary.kitchen.
|
||||
7.2 IN PTR epona.binary.kitchen.
|
||||
11.2 IN PTR homer.binary.kitchen.
|
||||
12.2 IN PTR lock.binary.kitchen.
|
||||
13.2 IN PTR matrix.binary.kitchen.
|
||||
33.2 IN PTR pizza.binary.kitchen.
|
||||
34.2 IN PTR pancake.binary.kitchen.
|
||||
35.2 IN PTR knoedel.binary.kitchen.
|
||||
36.2 IN PTR schweinshaxn.binary.kitchen.
|
||||
37.2 IN PTR bob.binary.kitchen.
|
||||
38.2 IN PTR lasagne.binary.kitchen.
|
||||
39.2 IN PTR tschunk.binary.kitchen.
|
||||
44.2 IN PTR cashdesk.binary.kitchen.
|
||||
62.2 IN PTR bowle.binary.kitchen.
|
||||
91.2 IN PTR strammermax.binary.kitchen.
|
||||
92.2 IN PTR obatzda.binary.kitchen.
|
||||
@ -61,52 +56,32 @@ $GENERATE 10-230 $.3 IN PTR dhcp-${0,3,d}-03.binary.kitchen.
|
||||
240.3 IN PTR fusilli.binary.kitchen.
|
||||
241.3 IN PTR klopi.binary.kitchen.
|
||||
242.3 IN PTR mpcnc.binary.kitchen.
|
||||
243.3 IN PTR garlic.binary.kitchen.
|
||||
244.3 IN PTR mirror.binary.kitchen.
|
||||
245.3 IN PTR spaghetti.binary.kitchen.
|
||||
246.3 IN PTR maccaroni.binary.kitchen.
|
||||
247.3 IN PTR pve02-bmc.tmp.binary.kitchen.
|
||||
248.3 IN PTR pve02.tmp.binary.kitchen.
|
||||
249.3 IN PTR ffrgb.binary.kitchen.
|
||||
250.3 IN PTR cannelloni.binary.kitchen.
|
||||
251.3 IN PTR noodlehub.binary.kitchen.
|
||||
; MQTT
|
||||
1.4 IN PTR v2304.core.binary.kitchen.
|
||||
6.4 IN PTR pizza.mqtt.binary.kitchen.
|
||||
7.4 IN PTR lasagne.mqtt.binary.kitchen.
|
||||
$GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
|
||||
241.4 IN PTR habdisplay1.mqtt.binary.kitchen.
|
||||
242.4 IN PTR habdisplay2.mqtt.binary.kitchen.
|
||||
245.4 IN PTR logo1.mqtt.binary.kitchen.
|
||||
246.4 IN PTR logo2.mqtt.binary.kitchen.
|
||||
250.4 IN PTR moodlights1.mqtt.binary.kitchen.
|
||||
251.4 IN PTR openhabgw1.mqtt.binary.kitchen.
|
||||
252.4 IN PTR homematic-ccu2.mqtt.binary.kitchen.
|
||||
; Management RZ
|
||||
1.9 IN PTR switch0.erx-rz.binary.kitchen.
|
||||
61.9 IN PTR salat.binary.kitchen.
|
||||
81.9 IN PTR salat-bmc.binary.kitchen.
|
||||
; Services RZ
|
||||
23.8 IN PTR cernunnos.binary.kitchen.
|
||||
; VPN RZ (ER-X)
|
||||
1.10 IN PTR wg0.erx-rz.binary.kitchen.
|
||||
1.10 IN PTR wg1.erx-rz.binary.kitchen.
|
||||
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
|
||||
; Management Auweg
|
||||
1.12 IN PTR v2312.rt-auweg.binary.kitchen.
|
||||
31.12 IN PTR sw-auweg.binary.kitchen.
|
||||
41.12 IN PTR ap11.binary.kitchen.
|
||||
42.12 IN PTR ap12.binary.kitchen.
|
||||
61.12 IN PTR weizen.binary.kitchen.
|
||||
111.12 IN PTR rfp11.binary.kitchen.
|
||||
; Services Auweg
|
||||
1.13 IN PTR v2313.rt-auweg.binary.kitchen.
|
||||
3.13 IN PTR aeron.binary.kitchen.
|
||||
12.13 IN PTR lock-auweg.binary.kitchen.
|
||||
; Clients Auweg
|
||||
1.14 IN PTR v2314.rt-auweg.binary.kitchen.
|
||||
$GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen.
|
||||
; MQTT
|
||||
1.15 IN PTR v2315.rt-auweg.binary.kitchen.
|
||||
$GENERATE 10-240 $.15 IN PTR dhcp-${0,3,d}-15.binary.kitchen.
|
||||
; VPN RZ (pf)
|
||||
$GENERATE 2-254 $.11 IN PTR vpn-${0,3,d}-11.binary.kitchen.
|
||||
; Point-to-Point
|
||||
1.96 IN PTR v400.rt-w13b.binary.kitchen.
|
||||
1.96 IN PTR v400.erx-bk.binary.kitchen.
|
||||
2.96 IN PTR v400.core.binary.kitchen.
|
||||
1.97 IN PTR wg1.erx-rz.binary.kitchen.
|
||||
2.97 IN PTR wg1.rt-w13b.binary.kitchen.
|
||||
5.97 IN PTR wg2.erx-rz.binary.kitchen.
|
||||
6.97 IN PTR wg2.rt-auweg.binary.kitchen.
|
||||
1.97 IN PTR wg0.erx-rz.binary.kitchen.
|
||||
2.97 IN PTR wg0.erx-bk.binary.kitchen.
|
||||
|
@ -1,80 +1,67 @@
|
||||
$ORIGIN binary.kitchen ; base for unqualified names
|
||||
$TTL 1h ; default time-to-live
|
||||
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
|
||||
2024100600; serial
|
||||
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
|
||||
2020051101; serial
|
||||
1d; refresh
|
||||
2h; retry
|
||||
4w; expire
|
||||
1h; minimum time-to-live
|
||||
)
|
||||
IN NS ns1.binary.kitchen.
|
||||
IN NS ns2.binary.kitchen.
|
||||
; Subdomains
|
||||
users IN NS ns1.binary.kitchen.
|
||||
users IN NS ns2.binary.kitchen.
|
||||
IN NS ns.binary.kitchen.
|
||||
; External
|
||||
IN A 213.166.246.4
|
||||
www IN A 213.166.246.4
|
||||
; Aliases
|
||||
3dprinter IN A 172.23.3.251
|
||||
icinga IN A 172.23.2.6
|
||||
ldap IN A 172.23.2.3
|
||||
ldap IN A 172.23.2.4
|
||||
ldap IN A 213.166.246.2
|
||||
ldap1 IN A 172.23.2.3
|
||||
ldap2 IN A 172.23.2.4
|
||||
ldap3 IN A 172.23.13.3
|
||||
ldapm IN A 213.166.246.2
|
||||
librenms IN A 172.23.2.6
|
||||
netbox IN A 172.23.2.7
|
||||
ns1 IN A 172.23.2.3
|
||||
ns2 IN A 172.23.2.4
|
||||
omm IN A 172.23.2.35
|
||||
racktables IN A 172.23.2.6
|
||||
radius IN A 172.23.2.3
|
||||
radius IN A 172.23.2.4
|
||||
; Loopback
|
||||
core IN A 172.23.0.1
|
||||
rt-w13b IN A 172.23.0.2
|
||||
erx-bk IN A 172.23.0.2
|
||||
erx-rz IN A 172.23.0.3
|
||||
rt-auweg IN A 172.23.0.4
|
||||
pf-bk IN A 172.23.0.4
|
||||
pf-rz IN A 172.23.0.5
|
||||
; Management
|
||||
v2301.core IN A 172.23.1.1
|
||||
ups1 IN A 172.23.1.11
|
||||
pdu1 IN A 172.23.1.21
|
||||
pdu2 IN A 172.23.1.22
|
||||
pdu3 IN A 172.23.1.23
|
||||
sw-butchery IN A 172.23.1.31
|
||||
sw-mini IN A 172.23.1.32
|
||||
sw-rack IN A 172.23.1.33
|
||||
sw01 IN A 172.23.1.31
|
||||
sw02 IN A 172.23.1.32
|
||||
sw03 IN A 172.23.1.33
|
||||
ap01 IN A 172.23.1.41
|
||||
ap02 IN A 172.23.1.42
|
||||
ap03 IN A 172.23.1.43
|
||||
ap04 IN A 172.23.1.44
|
||||
ap05 IN A 172.23.1.45
|
||||
ap06 IN A 172.23.1.46
|
||||
modem IN A 172.23.1.51
|
||||
wurst IN A 172.23.1.60
|
||||
wurst-bmc IN A 172.23.1.80
|
||||
bowle-bmc IN A 172.23.1.82
|
||||
nbe-w13b IN A 172.23.1.101
|
||||
nbe-tr8 IN A 172.23.1.102
|
||||
rfp01 IN A 172.23.1.111
|
||||
rfp02 IN A 172.23.1.112
|
||||
; Services
|
||||
v2302.core IN A 172.23.2.1
|
||||
ns IN A 172.23.2.2
|
||||
bacon IN A 172.23.2.3
|
||||
aveta IN A 172.23.2.4
|
||||
sulis IN A 172.23.2.5
|
||||
nabia IN A 172.23.2.6
|
||||
epona IN A 172.23.2.7
|
||||
homer IN A 172.23.2.11
|
||||
lock IN A 172.23.2.12
|
||||
matrix IN A 172.23.2.13
|
||||
pizza IN A 172.23.2.33
|
||||
pancake IN A 172.23.2.34
|
||||
knoedel IN A 172.23.2.35
|
||||
schweinshaxn IN A 172.23.2.36
|
||||
bob IN A 172.23.2.37
|
||||
lasagne IN A 172.23.2.38
|
||||
tschunk IN A 172.23.2.39
|
||||
cashdesk IN A 172.23.2.44
|
||||
bowle IN A 172.23.2.62
|
||||
strammermax IN A 172.23.2.91
|
||||
obatzda IN A 172.23.2.92
|
||||
@ -84,52 +71,32 @@ $GENERATE 10-230 dhcp-${0,3,d}-03 IN A 172.23.3.$
|
||||
fusilli IN A 172.23.3.240
|
||||
klopi IN A 172.23.3.241
|
||||
mpcnc IN A 172.23.3.242
|
||||
garlic IN A 172.23.3.243
|
||||
mirror IN A 172.23.3.244
|
||||
spaghetti IN A 172.23.3.245
|
||||
maccaroni IN A 172.23.3.246
|
||||
pve02-bmc.tmp IN A 172.23.3.247
|
||||
pve02.tmp IN A 172.23.3.248
|
||||
ffrgb IN A 172.23.3.249
|
||||
cannelloni IN A 172.23.3.250
|
||||
noodlehub IN A 172.23.3.251
|
||||
; MQTT
|
||||
v2304.core IN A 172.23.4.1
|
||||
pizza.mqtt IN A 172.23.4.6
|
||||
lasagne.mqtt IN A 172.23.4.7
|
||||
$GENERATE 10-240 dhcp-${0,3,d}-04 IN A 172.23.4.$
|
||||
habdisplay1.mqtt IN A 172.23.4.241
|
||||
habdisplay2.mqtt IN A 172.23.4.242
|
||||
logo1.mqtt IN A 172.23.4.245
|
||||
logo2.mqtt IN A 172.23.4.246
|
||||
moodlights1.mqtt IN A 172.23.4.250
|
||||
openhabgw1.mqtt IN A 172.23.4.251
|
||||
homematic-ccu2.mqtt IN A 172.23.4.252
|
||||
; Management RZ
|
||||
switch0.erx-rz IN A 172.23.9.1
|
||||
salat IN A 172.23.9.61
|
||||
salat-bmc IN A 172.23.9.81
|
||||
; Services RZ
|
||||
; Management Auweg
|
||||
v2312.rt-auweg IN A 172.23.12.1
|
||||
sw-auweg IN A 172.23.12.31
|
||||
ap11 IN A 172.23.12.41
|
||||
ap12 IN A 172.23.12.42
|
||||
weizen IN A 172.23.12.61
|
||||
rfp11 IN A 172.23.12.111
|
||||
; Services Auweg
|
||||
v2313.rt-auweg IN A 172.23.13.1
|
||||
aeron IN A 172.23.13.3
|
||||
lock-auweg IN A 172.23.13.12
|
||||
; Clients Auweg
|
||||
v2314.rt-auweg IN A 172.23.14.1
|
||||
$GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$
|
||||
; MQTT Auweg
|
||||
v2315.rt-auweg IN A 172.23.15.1
|
||||
$GENERATE 10-240 dhcp-${0,3,d}-15 IN A 172.23.15.$
|
||||
cernunnos IN A 172.23.8.23
|
||||
; VPN RZ (ER-X)
|
||||
wg0.erx-rz IN A 172.23.10.1
|
||||
wg1.erx-rz IN A 172.23.10.1
|
||||
$GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$
|
||||
; VPN RZ (pf)
|
||||
$GENERATE 2-254 vpn-${0,3,d}-11 IN A 172.23.11.$
|
||||
; Point-to-Point
|
||||
v400.rt-w13b IN A 172.23.96.1
|
||||
v400.erx-bk IN A 172.23.96.1
|
||||
v400.core IN A 172.23.96.2
|
||||
wg1.erx-rz IN A 172.23.97.1
|
||||
wg1.rt-w13b IN A 172.23.97.2
|
||||
wg2.erx-rz IN A 172.23.97.5
|
||||
wg2.rt-auweg IN A 172.23.97.6
|
||||
wg0.erx-rz IN A 172.23.97.1
|
||||
wg0.erx-bk IN A 172.23.97.2
|
||||
|
@ -1,27 +0,0 @@
|
||||
-- {{ ansible_managed }}
|
||||
|
||||
setLocal('127.0.0.1')
|
||||
addLocal('::1')
|
||||
addLocal('{{ ansible_default_ipv4.address }}')
|
||||
|
||||
-- define downstream servers/pools
|
||||
newServer({address='127.0.0.1:5300', pool='authdns'})
|
||||
newServer({address='127.0.0.1:5353', pool='resolve'})
|
||||
|
||||
{% if dns_secondary is defined %}
|
||||
-- allow AXFR/IXFR only from slaves
|
||||
addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
|
||||
{% endif %}
|
||||
|
||||
-- allow NOTIFY only from master
|
||||
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
|
||||
|
||||
-- use auth servers for own zones
|
||||
addAction('binary.kitchen', PoolAction('authdns'))
|
||||
addAction('23.172.in-addr.arpa', PoolAction('authdns'))
|
||||
|
||||
-- use resolver for anything else
|
||||
addAction(AllRule(), PoolAction('resolve'))
|
||||
|
||||
-- disable security status polling via DNS
|
||||
setSecurityPollSuffix('')
|
@ -1,24 +1,10 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
{% if ansible_default_ipv4.address == dns_primary %}
|
||||
#################################
|
||||
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
|
||||
#
|
||||
# allow-dnsupdate-from=127.0.0.0/8,::1
|
||||
allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }}{% if dhcpd_secondary is defined %},{{ dhcpd_secondary }}{% endif %}
|
||||
|
||||
#################################
|
||||
# dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
|
||||
#
|
||||
# dnsupdate=no
|
||||
dnsupdate=yes
|
||||
{% endif %}
|
||||
|
||||
#################################
|
||||
# launch Which backends to launch and order to query them in
|
||||
#
|
||||
# launch=
|
||||
launch=bind,gsqlite3
|
||||
launch=bind
|
||||
|
||||
#################################
|
||||
# local-address Local IP addresses to which we bind
|
||||
@ -26,28 +12,18 @@ launch=bind,gsqlite3
|
||||
# local-address=0.0.0.0
|
||||
local-address=127.0.0.1
|
||||
|
||||
#################################
|
||||
# local-ipv6 Local IP address to which we bind
|
||||
#
|
||||
# local-ipv6=::
|
||||
local-ipv6=
|
||||
|
||||
#################################
|
||||
# local-port The port on which we listen
|
||||
#
|
||||
# local-port=53
|
||||
local-port=5300
|
||||
|
||||
{% if ansible_default_ipv4.address == dns_primary %}
|
||||
#################################
|
||||
# master Act as a master
|
||||
#
|
||||
# master=no
|
||||
master=yes
|
||||
|
||||
{% if dns_secondary is defined %}
|
||||
#################################
|
||||
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
|
||||
#
|
||||
# only-notify=0.0.0.0/0,::/0
|
||||
only-notify={{ dns_secondary }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
#################################
|
||||
# security-poll-suffix Domain name from which to query security update notifications
|
||||
#
|
||||
@ -64,27 +40,7 @@ setgid=pdns
|
||||
#
|
||||
setuid=pdns
|
||||
|
||||
{% if dns_secondary is defined and ansible_default_ipv4.address == dns_secondary %}
|
||||
#################################
|
||||
# slave Act as a slave
|
||||
#
|
||||
# slave=no
|
||||
slave=yes
|
||||
|
||||
#################################
|
||||
# trusted-notification-proxy IP address of incoming notification proxy
|
||||
#
|
||||
# trusted-notification-proxy=
|
||||
trusted-notification-proxy=127.0.0.1,::1
|
||||
{% endif %}
|
||||
|
||||
#################################
|
||||
# bind-config Location of named.conf
|
||||
# bind-config Location of the Bind configuration file to parse.
|
||||
#
|
||||
bind-config=/etc/powerdns/bindbackend.conf
|
||||
|
||||
#################################
|
||||
# gsqlite3-database Filename of the SQLite3 database
|
||||
#
|
||||
# gsqlite3-database=
|
||||
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
|
||||
|
@ -3,7 +3,7 @@
|
||||
#################################
|
||||
# allow-from If set, only allow these comma separated netmasks to recurse
|
||||
#
|
||||
# allow-from=127.0.0.0/8
|
||||
#allow-from=127.0.0.0/8
|
||||
|
||||
#################################
|
||||
# config-dir Location of configuration directory (recursor.conf)
|
||||
@ -11,23 +11,29 @@
|
||||
config-dir=/etc/powerdns
|
||||
|
||||
#################################
|
||||
# dnssec DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate
|
||||
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
|
||||
#
|
||||
# dnssec=process
|
||||
# dnssec=process-no-validate
|
||||
dnssec=off
|
||||
|
||||
#################################
|
||||
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
|
||||
#
|
||||
# forward-zones=
|
||||
forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300
|
||||
|
||||
#################################
|
||||
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
|
||||
#
|
||||
local-address=127.0.0.1
|
||||
local-address=127.0.0.1,{{ ansible_default_ipv4.address }}
|
||||
|
||||
#################################
|
||||
# local-port port to listen on
|
||||
#
|
||||
local-port=5353
|
||||
local-port=53
|
||||
|
||||
#################################
|
||||
# query-local-address6 Source IPv6 address for sending queries. IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES
|
||||
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
|
||||
#
|
||||
{% if global_ipv6 is defined %}
|
||||
query-local-address6={{ global_ipv6 | ipaddr('address') }}
|
||||
|
@ -1,10 +1,17 @@
|
||||
---
|
||||
|
||||
- name: Enable docker apt-key
|
||||
apt_key: url='https://download.docker.com/linux/debian/gpg'
|
||||
|
||||
- name: Enable docker repository
|
||||
apt_repository:
|
||||
repo: 'deb https://download.docker.com/linux/debian buster stable'
|
||||
filename: docker
|
||||
|
||||
- name: Install docker
|
||||
apt:
|
||||
name:
|
||||
- docker.io
|
||||
- python3-docker
|
||||
|
||||
- name: Enable docker
|
||||
service: name=docker state=started enabled=yes
|
||||
- docker-ce
|
||||
- docker-ce-cli
|
||||
- containerd.io
|
||||
- python-docker
|
||||
|
@ -1,7 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Run acertmgr
|
||||
command: /usr/bin/acertmgr
|
||||
|
||||
- name: Restart nginx
|
||||
service: name=nginx state=restarted
|
@ -1,20 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command:
|
||||
cmd: >
|
||||
openssl req -x509 -nodes -newkey rsa:2048
|
||||
-keyout /etc/nginx/ssl/{{ doorlock_domain }}.key -out /etc/nginx/ssl/{{ doorlock_domain }}.crt
|
||||
-days 730 -subj "/CN={{ doorlock_domain }}"
|
||||
creates: /etc/nginx/ssl/{{ doorlock_domain }}.crt
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Request nsupdate key for certificate
|
||||
include_role: name=acme-dnskey-generate
|
||||
vars:
|
||||
acme_dnskey_san_domains:
|
||||
- "{{ doorlock_domain }}"
|
||||
|
||||
- name: Configure certificate manager for doorlock
|
||||
template: src=certs.j2 dest=/etc/acertmgr/{{ doorlock_domain }}.conf
|
||||
notify: Run acertmgr
|
@ -1,18 +0,0 @@
|
||||
---
|
||||
|
||||
{{ doorlock_domain }}:
|
||||
- mode: dns.nsupdate
|
||||
nsupdate_server: {{ acme_dnskey_server }}
|
||||
nsupdate_keyfile: {{ acme_dnskey_file }}
|
||||
- path: /etc/nginx/ssl/{{ doorlock_domain }}.key
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
||||
format: key
|
||||
action: '/usr/sbin/service nginx restart'
|
||||
- path: /etc/nginx/ssl/{{ doorlock_domain }}.crt
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
||||
format: crt,ca
|
||||
action: '/usr/sbin/service nginx restart'
|
14
roles/drone/files/drone.service
Normal file
14
roles/drone/files/drone.service
Normal file
@ -0,0 +1,14 @@
|
||||
[Unit]
|
||||
Description=drone.io server
|
||||
After=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=drone
|
||||
EnvironmentFile=/etc/default/drone
|
||||
ExecStart=/opt/drone/bin/drone-server
|
||||
Restart=always
|
||||
RestartSec=5s
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -3,11 +3,11 @@
|
||||
- name: Reload systemd
|
||||
systemd: daemon_reload=yes
|
||||
|
||||
- name: Restart 23b
|
||||
service: name=23b state=restarted
|
||||
- name: Run acertmgr
|
||||
command: /usr/bin/acertmgr
|
||||
|
||||
- name: Restart drone
|
||||
service: name=drone state=restarted
|
||||
|
||||
- name: Restart nginx
|
||||
service: name=nginx state=restarted
|
||||
|
||||
- name: Run acertmgr
|
||||
command: /usr/bin/acertmgr
|
52
roles/drone/tasks/main.yml
Normal file
52
roles/drone/tasks/main.yml
Normal file
@ -0,0 +1,52 @@
|
||||
---
|
||||
|
||||
- name: Create user
|
||||
user: name=drone
|
||||
|
||||
# TODO install drone to /opt/drone/bin
|
||||
# currently it is manually compiled
|
||||
|
||||
- name: Configure drone
|
||||
template: src=drone.j2 dest=/etc/default/drone
|
||||
notify: Restart drone
|
||||
|
||||
- name: Install PostgreSQL
|
||||
apt:
|
||||
name:
|
||||
- postgresql
|
||||
- python-psycopg2
|
||||
|
||||
- name: Configure PostgreSQL database
|
||||
postgresql_db: name={{ drone_dbname }}
|
||||
become: true
|
||||
become_user: postgres
|
||||
|
||||
- name: Configure PostgreSQL user
|
||||
postgresql_user: db={{ drone_dbname }} name={{ drone_dbuser }} password={{ drone_dbpass }} priv=ALL state=present
|
||||
become: true
|
||||
become_user: postgres
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ drone_domain }}.key -out /etc/nginx/ssl/{{ drone_domain }}.crt -days 730 -subj "/CN={{ drone_domain }}" creates=/etc/nginx/ssl/{{ drone_domain }}.crt
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Configure certificate manager for drone
|
||||
template: src=certs.j2 dest=/etc/acertmgr/{{ drone_domain }}.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Configure vhost
|
||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/drone
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Enable vhost
|
||||
file: src=/etc/nginx/sites-available/drone dest=/etc/nginx/sites-enabled/drone state=link
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Install systemd unit
|
||||
copy: src=drone.service dest=/lib/systemd/system/drone.service
|
||||
notify:
|
||||
- Reload systemd
|
||||
- Restart drone
|
||||
|
||||
- name: Enable drone
|
||||
service: name=drone enabled=yes
|
@ -1,13 +1,13 @@
|
||||
---
|
||||
|
||||
{{ bk23b_domain }}:
|
||||
- path: /etc/nginx/ssl/{{ bk23b_domain }}.key
|
||||
{{ drone_domain }}:
|
||||
- path: /etc/nginx/ssl/{{ drone_domain }}.key
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
||||
format: key
|
||||
action: '/usr/sbin/service nginx restart'
|
||||
- path: /etc/nginx/ssl/{{ bk23b_domain }}.crt
|
||||
- path: /etc/nginx/ssl/{{ drone_domain }}.crt
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
10
roles/drone/templates/drone.j2
Normal file
10
roles/drone/templates/drone.j2
Normal file
@ -0,0 +1,10 @@
|
||||
DRONE_AGENTS_ENABLED=true
|
||||
DRONE_DATABASE_DATASOURCE=postgres://{{ drone_dbuser }}:{{ drone_dbpass }}@127.0.0.1:5432/{{ drone_dbname }}
|
||||
DRONE_DATABASE_DRIVER=postgres
|
||||
DRONE_GITEA_SERVER=https://{{ gitea_domain }}
|
||||
DRONE_GITEA_CLIENT_ID={{ drone_gitea_client }}
|
||||
DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_secret }}
|
||||
DRONE_RPC_SECRET={{ drone_secret }}
|
||||
DRONE_SERVER_HOST={{ drone_domain }}
|
||||
DRONE_SERVER_PROTO=https
|
||||
DRONE_USER_CREATE=username:{{ drone_admin }},admin:true
|
31
roles/drone/templates/vhost.j2
Normal file
31
roles/drone/templates/vhost.j2
Normal file
@ -0,0 +1,31 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name {{ drone_domain }};
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
default_type "text/plain";
|
||||
alias /var/www/acme-challenge;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://{{ drone_domain }}$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ drone_domain }};
|
||||
|
||||
ssl_certificate_key /etc/nginx/ssl/{{ drone_domain }}.key;
|
||||
ssl_certificate /etc/nginx/ssl/{{ drone_domain }}.crt;
|
||||
|
||||
location / {
|
||||
client_max_body_size 128M;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_pass http://localhost:8080;
|
||||
}
|
||||
}
|
20
roles/drone_runner/tasks/main.yml
Normal file
20
roles/drone_runner/tasks/main.yml
Normal file
@ -0,0 +1,20 @@
|
||||
---
|
||||
|
||||
- name: Run runner container
|
||||
docker_container:
|
||||
name: runner
|
||||
image: drone/drone-runner-docker:1
|
||||
env:
|
||||
DRONE_RPC_PROTO: "https"
|
||||
DRONE_RPC_HOST: "{{ drone_domain }}"
|
||||
DRONE_RPC_SECRET: "{{ drone_secret }}"
|
||||
DRONE_RUNNER_CAPACITY: "2"
|
||||
DRONE_RUNNER_NAME: "{{ ansible_fqdn }}"
|
||||
DRONE_UI_USERNAME: "admin"
|
||||
DRONE_UI_PASSWORD: "{{ drone_uipass }}"
|
||||
ports:
|
||||
- "3000:3000"
|
||||
restart_policy: unless-stopped
|
||||
state: started
|
||||
volumes:
|
||||
- "/var/run/docker.sock:/var/run/docker.sock"
|
@ -1,15 +0,0 @@
|
||||
---
|
||||
|
||||
eh21.easterhegg.eu engel.eh21.easterhegg.eu:
|
||||
- path: /etc/nginx/ssl/eh21.easterhegg.eu.crt
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
||||
format: crt,ca
|
||||
action: '/usr/sbin/service nginx restart'
|
||||
- path: /etc/nginx/ssl/eh21.easterhegg.eu.key
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
||||
format: key
|
||||
action: '/usr/sbin/service nginx restart'
|
@ -1,68 +0,0 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name eh21.easterhegg.eu;
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
default_type "text/plain";
|
||||
alias /var/www/acme-challenge;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://eh21.easterhegg.eu$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name eh21.easterhegg.eu;
|
||||
|
||||
ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
|
||||
ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
|
||||
|
||||
root /var/www/eh21;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name engel.eh21.easterhegg.eu;
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
default_type "text/plain";
|
||||
alias /var/www/acme-challenge;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://engel.eh21.easterhegg.eu$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name engel.eh21.easterhegg.eu;
|
||||
|
||||
ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
|
||||
ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
|
||||
|
||||
root /var/www/engel/public;
|
||||
|
||||
index index.php;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
|
||||
fastcgi_index index.php;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
include fastcgi_params;
|
||||
}
|
||||
}
|
@ -1,5 +0,0 @@
|
||||
---
|
||||
|
||||
dependencies:
|
||||
- { role: acertmgr }
|
||||
- { role: nginx, nginx_ssl: True }
|
@ -1,31 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Install dependencies
|
||||
apt:
|
||||
name:
|
||||
- php-fpm
|
||||
|
||||
- name: Create vhost directory
|
||||
file: path=/var/www/eh21 state=directory owner=www-data group=www-data
|
||||
|
||||
- name: Create vhost directory
|
||||
file: path=/var/www/engel state=directory owner=www-data group=www-data
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/eh21.easterhegg.eu.key -out /etc/nginx/ssl/eh21.easterhegg.eu.crt -days 730 -subj "/CN=eh21.easterhegg.eu" creates=/etc/nginx/ssl/eh21.easterhegg.eu.crt
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Configure certificate manager
|
||||
copy: src=certs dest=/etc/acertmgr/eh21.easterhegg.eu.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Configure vhosts
|
||||
copy: src=vhost dest=/etc/nginx/sites-available/www
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Enable vhosts
|
||||
file: src=/etc/nginx/sites-available/www dest=/etc/nginx/sites-enabled/www state=link
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Start php8.2-fpm
|
||||
service: name=php8.2-fpm state=started enabled=yes
|
@ -1,7 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Reload nfs-server
|
||||
service: name=nfs-server state=reloaded
|
||||
|
||||
- name: Reload smbd
|
||||
service: name=smbd state=reloaded
|
@ -1,30 +0,0 @@
|
||||
---
|
||||
|
||||
# TODO also enable contrib for $release-security
|
||||
- name: Enable contrib repositories
|
||||
apt_repository:
|
||||
repo: deb http://deb.debian.org/debian {{ ansible_distribution_release }} contrib
|
||||
|
||||
- name: Install zfs-dkms
|
||||
apt:
|
||||
name: zfs-dkms
|
||||
|
||||
# creating the ZFS pool is not part of this role
|
||||
|
||||
- name: Install NFS and samba
|
||||
apt:
|
||||
name:
|
||||
- nfs-kernel-server
|
||||
- samba
|
||||
|
||||
- name: Configure NFS
|
||||
template:
|
||||
src: exports.j2
|
||||
dest: /etc/exports
|
||||
notify: Reload nfs-server
|
||||
|
||||
- name: Configure samba
|
||||
template:
|
||||
src: smb.conf.j2
|
||||
dest: /etc/samba/smb.conf
|
||||
notify: Reload smbd
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user