From b11e3e57e08af9a24c1b4e90be0b79a2e3ad86b5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 20 Jul 2023 17:42:41 +0000 Subject: [PATCH 001/713] Try another syntax --- .gitea/workflows/test.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.gitea/workflows/test.yml b/.gitea/workflows/test.yml index 275f027..003e047 100644 --- a/.gitea/workflows/test.yml +++ b/.gitea/workflows/test.yml @@ -1,8 +1,7 @@ --- name: tests # yamllint disable-line rule:truthy -on: - - push +on: [push] jobs: lint: From 330360d977ce0ea72bfd2d63e29ca953ed6233ee Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 20 Jul 2023 17:44:11 +0000 Subject: [PATCH 002/713] Try renaming file --- .gitea/workflows/{test.yml => demo.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .gitea/workflows/{test.yml => demo.yaml} (100%) diff --git a/.gitea/workflows/test.yml b/.gitea/workflows/demo.yaml similarity index 100% rename from .gitea/workflows/test.yml rename to .gitea/workflows/demo.yaml From dbf62bc397c95c5a5d39e273630f956f5ab7f376 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 20 Jul 2023 17:45:46 +0000 Subject: [PATCH 003/713] Syntax changes --- .gitea/workflows/demo.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.gitea/workflows/demo.yaml b/.gitea/workflows/demo.yaml index 003e047..ccbf274 100644 --- a/.gitea/workflows/demo.yaml +++ b/.gitea/workflows/demo.yaml @@ -1,11 +1,10 @@ --- name: tests -# yamllint disable-line rule:truthy +run-name: just testing on: [push] jobs: - lint: - name: run linter + linter: runs-on: ubuntu-latest steps: - name: Checkout repository From e683b138b30fb8260739f1ff8a60a3f6fc01461c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 21 Jul 2023 08:52:02 +0000 Subject: [PATCH 004/713] Move BT USB adapter to different port --- host_vars/homeassistant01.home.foo.sh.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
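Review bot: The demo.yaml hunk removes `# yamllint disable-line rule:truthy` but keeps `on: [push]` on the line below it, so yamllint's `truthy` rule will report the `on` key again (YAML 1.1 loaders read a bare `on` as the boolean true) unless the repository's yamllint config disables that rule, which is not visible here. If the comment was only dropped to make room for `run-name`, put it back directly above `on:`. The `linter` job's steps continue outside the hunk.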
diff --git a/host_vars/homeassistant01.home.foo.sh.yml b/host_vars/homeassistant01.home.foo.sh.yml index c9c1d5f..fefe24f 100644 --- a/host_vars/homeassistant01.home.foo.sh.yml +++ b/host_vars/homeassistant01.home.foo.sh.yml @@ -7,4 +7,4 @@ network_interfaces: - device: eth1 vlan: 30 virt_install_devices: - - 003.002 + - 001.005 From c0e00b7b08c42edf2554fe4612d35d692ca5f194 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 21 Jul 2023 10:01:21 +0000 Subject: [PATCH 005/713] Update ansible-software subrepo --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index 225d79a..40a4b9b 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit 225d79acad76f0becbd4db481abc7a8039014a8c +Subproject commit 40a4b9b1fdc54de26c817d26cc5867d58657cd90 From 7c921cf76be5286d349c064f3480e3340304595e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 21 Jul 2023 10:35:57 +0000 Subject: [PATCH 006/713] Update ansible-software subrepo --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index 40a4b9b..270b14c 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit 40a4b9b1fdc54de26c817d26cc5867d58657cd90 +Subproject commit 270b14ce153c3cf80de744d8d4128f2506a7e3d0 From 69411beca5bd2641ccc96c59157f45e4653e5b0a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 21 Jul 2023 17:07:13 +0000 Subject: [PATCH 007/713] gitea: Increase limit for http request body size --- roles/gitea/tasks/main.yml | 1 + roles/nginx/site/templates/git.foo.sh.conf.j2 | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 roles/nginx/site/templates/git.foo.sh.conf.j2 diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index 208eed0..5ef87c0 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml 
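Review bot: `- 001.005` in `virt_install_devices` is an unquoted scalar that matches the YAML 1.1 float pattern, so Ansible's loader passes the role `1.005` rather than the `bus.device` string the commit intends (the old `003.002` had the same problem); quote it, `- "001.005"`, so the leading zeros survive. The consumer of `virt_install_devices` is outside this hunk, so whether it currently tolerates the float form cannot be seen here.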
@@ -83,6 +83,7 @@ ansible.builtin.copy: dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/gitea.conf" content: | + client_max_body_size 100m; location / { proxy_pass http://127.0.0.1:3000; } diff --git a/roles/nginx/site/templates/git.foo.sh.conf.j2 b/roles/nginx/site/templates/git.foo.sh.conf.j2 new file mode 100644 index 0000000..4bfc067 --- /dev/null +++ b/roles/nginx/site/templates/git.foo.sh.conf.j2 @@ -0,0 +1,2 @@ + # disable any limits to avoid HTTP 413 for large pushes + client_max_body_size 100m; From 8b75d26eb8f889ce23fd418d81ef1dad4e73753b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jul 2023 16:29:36 +0000 Subject: [PATCH 008/713] homeassistant: Add support for custom integrations --- roles/homeassistant/tasks/main.yml | 36 +++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index f2f53d1..46648b8 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml @@ -12,8 +12,11 @@ - name: Install dependencies ansible.builtin.package: - name: bluez + name: "{{ item }}" state: installed + with_items: + - bluez + - git - name: Enable bluetooth services ansible.builtin.service: 
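Review bot: In the new `git.foo.sh.conf.j2` the comment `# disable any limits to avoid HTTP 413 for large pushes` does not match the directive under it, which sets a 100 MB cap rather than removing the limit (`client_max_body_size 0;` would do that); keeping a bound is the safer choice for a push endpoint, so correct the comment instead, e.g. `# raise nginx's default 1m request-body limit so large pushes do not get HTTP 413`. The same `client_max_body_size 100m;` is also added to the per-host gitea.conf in the first hunk of this commit, so one of the two copies is probably redundant. Nothing in the commit shows which role includes the new site template, so whether it is rendered at all cannot be confirmed here.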
@@ -79,6 +82,37 @@ group: "{{ ansible_wheel }}" setype: _default +- name: Create directories for custom integrations + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: 0755 + owner: root + group: "{{ ansible_wheel }}" + setype: _default + with_items: + - /srv/homeassistant/custom_components + - /srv/homeassistant/downloads + +- name: Download extra integrations + ansible.builtin.git: + dest: "/srv/homeassistant/downloads/{{ item.name }}" + repo: "{{ item.repo }}" + update: true + version: "{{ item.version }}" + notify: Restart homeassistant + with_items: "{{ homeassistant_integrations|default([]) }}" + +- name: Link extra integrations + ansible.builtin.file: + dest: "/srv/homeassistant/custom_components/{{ item.name }}" + src: "../downloads/{{ item.name }}/custom_components/{{ item.name }}" + state: link + owner: root + group: "{{ ansible_wheel }}" + follow: false + with_items: "{{ homeassistant_integrations|default([]) }}" + - name: Create service file ansible.builtin.template: dest: /etc/systemd/system/homeassistant-container.service From be04450c81901d75563de5a671c0ae5721b23dbc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jul 2023 16:30:33 +0000 Subject: [PATCH 009/713] Add Electrolux integration to homeassistant --- hosts.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts.yml b/hosts.yml index ba6f047..8f7b912 100644 --- a/hosts.yml +++ b/hosts.yml @@ -32,6 +32,10 @@ homeassistant: homeassistant01.home.foo.sh: vars: homeassistant_version: "2023.7" + homeassistant_integrations: + - name: electrolux_status + repo: https://github.com/mauro-midolo/homeassistant_electrolux_status.git + version: v2.12.0 influxdb: hosts: influxdb01.home.foo.sh: From 4ef795d02e2e0e8d1852f6e7cef5572541a6c822 Mon Sep 17 00:00:00 2001 
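Review bot: `Download extra integrations` checks out whatever `item.version` names with `update: true`, and the inventory entry added in the next hunk (`hosts.yml`) points `version` at the tag `v2.12.0` of a third-party repository; tags can be moved, so the code Home Assistant then loads from `custom_components/` is not actually pinned. Pin `version` to the full commit hash of that tag (keeping the tag in a comment for readability) so a re-run cannot silently pull different code. Separately, `mode: 0755` in `Create directories for custom integrations` is an unquoted octal while the other new roles in this series write `mode: "0755"`; the same unquoted form appears in the mariadb copy task (patch 011) and the prometheus nginx copy task (patch 021), so quote all three for consistency. The task list this hunk extends continues outside it.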
From: Timo Makinen Date: Sat, 22 Jul 2023 17:38:11 +0000 Subject: [PATCH 010/713] Update gitea to version 1.20.1 --- hosts.yml | 2 +- roles/gitea/templates/app.ini.j2 | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 8f7b912..3e67283 100644 --- a/hosts.yml +++ b/hosts.yml @@ -21,7 +21,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.19.4" + gitea_version: "1.20.1" gitearunner: hosts: gitea-runner02.home.foo.sh: diff --git a/roles/gitea/templates/app.ini.j2 b/roles/gitea/templates/app.ini.j2 index 9ce2612..3a797b9 100644 --- a/roles/gitea/templates/app.ini.j2 +++ b/roles/gitea/templates/app.ini.j2 @@ -75,3 +75,6 @@ REVERSE_PROXY_LIMIT = 1 [actions] ENABLED = true + +[oauth2] +JWT_SECRET = {{ gitea_oauth_jwt_secret }} From 9c449996827ba57b7e04245bc41bf40f6d16920a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 23 Jul 2023 17:12:41 +0000 Subject: [PATCH 011/713] mariadb: Add timezone information to database --- roles/mariadb/files/mysql_tzinfo_check.sh | 22 ++++++++++++++++++++++ roles/mariadb/tasks/main.yml | 15 +++++++++++++++ 2 files changed, 37 insertions(+) create mode 100755 roles/mariadb/files/mysql_tzinfo_check.sh diff --git a/roles/mariadb/files/mysql_tzinfo_check.sh b/roles/mariadb/files/mysql_tzinfo_check.sh new file mode 100755 index 0000000..44e2de2 --- /dev/null +++ b/roles/mariadb/files/mysql_tzinfo_check.sh @@ -0,0 +1,22 @@ +#!/bin/sh + +set -eu + +_timestamp=$(cat <&2 + exit 1 +fi diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 519068d..2673211 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml 
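Review bot: `JWT_SECRET = {{ gitea_oauth_jwt_secret }}` writes a long-lived signing secret into app.ini, but nothing in this commit shows where the variable is defined or that the task rendering app.ini restricts the file mode and sets `no_log`; please confirm the value comes from the private vars file the playbooks load and that the template task does not echo it. The commit message ("Update gitea to version 1.20.1") does not mention the new `[oauth2]` section, so either note it there or split it into its own commit. A comment above the key, `; generated once and kept stable: rotating it invalidates already-issued OAuth2 tokens`, would help the next person who touches this file.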
@@ -135,3 +135,18 @@ job: /usr/local/sbin/mariadb-backup hour: "0" minute: "30" + +- name: Copy script to check timezone data + ansible.builtin.copy: + dest: /usr/local/sbin/mysql_tzinfo_check + src: mysql_tzinfo_check.sh + mode: 0755 + owner: root + group: "{{ ansible_wheel }}" + +- name: Create cron job for checking timezone data + ansible.builtin.cron: + name: mysql_tzinfo_check + job: /usr/local/sbin/mysql_tzinfo_check + hour: "3" + minute: "15" From 6b2e64df913a00a534bafe1429152a2c4aa0968d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 25 Jul 2023 16:15:01 +0000 Subject: [PATCH 012/713] Fix typo --- playbooks/dna-gw.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 00f50ea..533314a 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -79,7 +79,7 @@ - name: Create tftp ramdisk for OpenBSD installs ansible.builtin.get_url: - url: "https://ftp.eu.openbsd.org/pub/OpenBSD//7.3/amd64/bsd.rd" + url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.3/amd64/bsd.rd" checksum: sha1:72b46ad8e97b2082d145a739264e818dcd154021 dest: /srv/tftpboot/bsd.rd mode: 0644 From 07125310bd1e83ea294884734a30cb9f4006aded Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 29 Jul 2023 18:03:03 +0000 Subject: [PATCH 013/713] Update gitea to 1.20.2 --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 3e67283..efae683 100644 --- a/hosts.yml +++ b/hosts.yml @@ -21,7 +21,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.20.1" + gitea_version: "1.20.2" gitearunner: hosts: gitea-runner02.home.foo.sh: From 08fbb136408e02325ba836b64fac7a622b8e1ca7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 9 Aug 2023 22:33:10 +0000 Subject: [PATCH 014/713] nginx: Add more proxy headers --- roles/nginx/server/templates/nginx.conf.j2 | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/roles/nginx/server/templates/nginx.conf.j2 b/roles/nginx/server/templates/nginx.conf.j2 index 1bc0e2b..877fc4e 100644 --- a/roles/nginx/server/templates/nginx.conf.j2 +++ b/roles/nginx/server/templates/nginx.conf.j2 @@ -23,6 +23,9 @@ http { } proxy_set_header Connection $connection_upgrade; proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto $scheme; proxy_http_version 1.1; {% if plaintext is defined %} From 4a09185aebbfb4c3509f9ab17cdeaeb1941ffcbe Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 10 Aug 2023 13:46:38 +0000 Subject: [PATCH 015/713] nginx/site: Fix upstream hostname --- roles/nginx/site/templates/site.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nginx/site/templates/site.conf.j2 b/roles/nginx/site/templates/site.conf.j2 index a277ec5..f13669c 100644 --- a/roles/nginx/site/templates/site.conf.j2 +++ b/roles/nginx/site/templates/site.conf.j2 @@ -1,5 +1,5 @@ {% if proxy is defined and proxy is not string %} -upstream upstream-{{ site }} { +upstream {{ site }} { {% for item in proxy %} {% set item = item | regex_replace("^(https://)?([^/]*).*$", "\\2") %} {% if item | regex_search(".*:[0-9]+$") %} @@ -39,7 +39,7 @@ server { {% set path = proxy[0] | regex_replace("^(https://)?([^/]*)(.*)$", "\\3") %} # https://trac.nginx.org/nginx/ticket/1307 proxy_ssl_verify off; - proxy_pass https://upstream-{{ site }}{{ path }}; + proxy_pass https://{{ site }}{{ path }}; {% else %} proxy_pass {{ proxy }}; {% endif %} From 4846fc9bf5f0192f6b0cb2f3902f0a38aa691a7b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 14 Aug 2023 17:04:33 +0000 Subject: [PATCH 016/713] Update software versions --- hosts.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hosts.yml b/hosts.yml index efae683..fe4345c 100644 --- a/hosts.yml +++ b/hosts.yml 
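Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends the client address to whatever `X-Forwarded-For` the client already sent, so every upstream behind this shared `http {}` block must take only the right-most entry as the client IP; Gitea's `REVERSE_PROXY_LIMIT = 1` (visible in app.ini.j2 earlier in this series) does that, but other proxied services need equivalent trusted-proxy settings or their logs and rate limits can be fed a spoofed address. Because these are `http`-level `proxy_set_header` directives, any `location` that declares its own `proxy_set_header` stops inheriting all of them; a comment above the block, `# inherited by every proxy_pass unless a location sets its own proxy_set_header`, would make that pitfall visible. The `http` block continues outside the hunk.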
@@ -26,12 +26,12 @@ gitearunner: hosts: gitea-runner02.home.foo.sh: vars: - gitea_runner_version: "0.2.3" + gitea_runner_version: "0.2.5" homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2023.7" + homeassistant_version: "2023.8.2" homeassistant_integrations: - name: electrolux_status repo: https://github.com/mauro-midolo/homeassistant_electrolux_status.git @@ -78,8 +78,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "10.0.2" - rocketchat_version: "6.2.10" + grafana_version: "10.0.3" + rocketchat_version: "6.31" roundcube_version: "1.6.1" print: hosts: From 45c124a82b3261acc710526971ef48d7145b47e7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 14 Aug 2023 17:15:28 +0000 Subject: [PATCH 017/713] cpupower: Initial version of role --- roles/cpupower/files/cpupower.sysconfig | 3 +++ roles/cpupower/handlers/main.yml | 5 +++++ roles/cpupower/tasks/main.yml | 15 +++++++++++++++ 3 files changed, 23 insertions(+) create mode 100644 roles/cpupower/files/cpupower.sysconfig create mode 100644 roles/cpupower/handlers/main.yml create mode 100644 roles/cpupower/tasks/main.yml diff --git a/roles/cpupower/files/cpupower.sysconfig b/roles/cpupower/files/cpupower.sysconfig new file mode 100644 index 0000000..a75fd87 --- /dev/null +++ b/roles/cpupower/files/cpupower.sysconfig @@ -0,0 +1,3 @@ +# See 'cpupower help' and cpupower(1) for more info +CPUPOWER_START_OPTS="frequency-set -g ondemand" +CPUPOWER_STOP_OPTS="frequency-set -g performance" diff --git a/roles/cpupower/handlers/main.yml b/roles/cpupower/handlers/main.yml new file mode 100644 index 0000000..c37fd46 --- /dev/null +++ b/roles/cpupower/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart cpupower + ansible.builtin.service: + name: cpupower + state: restarted diff --git a/roles/cpupower/tasks/main.yml b/roles/cpupower/tasks/main.yml new file mode 100644 index 0000000..4cd1f83 --- /dev/null +++ b/roles/cpupower/tasks/main.yml 
@@ -0,0 +1,15 @@ +--- +- name: Copy config + ansible.builtin.copy: + dest: /etc/sysconfig/cpupower + src: cpupower.sysconfig + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart cpupower + +- name: Enable service + ansible.builtin.service: + name: cpupower + state: started + enabled: true From 112d900b8f44edadbf9496525dbfd1821e3c42e5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 14 Aug 2023 17:17:25 +0000 Subject: [PATCH 018/713] base: Add cpupower to physical hosts --- roles/base/tasks/RedHat.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml index 8e6ca6e..d266052 100644 --- a/roles/base/tasks/RedHat.yml +++ b/roles/base/tasks/RedHat.yml @@ -3,6 +3,12 @@ ansible.builtin.hostname: name: "{{ inventory_hostname }}" +- name: Install OS specific roles for physical hardware + ansible.builtin.include_role: + name: cpupower + when: + - ansible_virtualization_role == "host" + - name: Install OS specific roles ansible.builtin.include_role: name: "{{ role }}" From f573704b3419380b0f43eb251709a69adea6b882 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Aug 2023 13:55:29 +0000 Subject: [PATCH 019/713] Move data disks to nvme storage --- group_vars/adm.yml | 2 +- group_vars/gitea.yml | 2 +- group_vars/homeassistant.yml | 2 +- group_vars/log.yml | 2 +- group_vars/mail.yml | 2 +- group_vars/minecraft.yml | 2 +- group_vars/nms.yml | 2 +- host_vars/ldap01.home.foo.sh.yml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/group_vars/adm.yml b/group_vars/adm.yml index 0eff70a..a49673c 100644 --- a/group_vars/adm.yml +++ b/group_vars/adm.yml @@ -1,6 +1,6 @@ --- datadisks: - - {size: 10} + - {size: 10, type: nvme} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} diff --git a/group_vars/gitea.yml b/group_vars/gitea.yml index 985e033..a49673c 100644 --- a/group_vars/gitea.yml +++ b/group_vars/gitea.yml 
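Review bot: The cpupower role copies `/etc/sysconfig/cpupower` and starts the `cpupower` service but installs nothing, so on a host that lacks the package shipping that unit (kernel-tools on RHEL-family, as far as I recall — please verify) both `Enable service` and the `Restart cpupower` handler fail; add an `ansible.builtin.package` task ahead of `Copy config` or document the prerequisite. A header comment, `# Sets the CPU frequency governor via the cpupower service; options live in files/cpupower.sysconfig`, would also help since the role has no README or defaults.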
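Review bot: `ansible_virtualization_role == "host"` is only "host" when Ansible detects a hypervisor on the machine; a physical box that runs no VMs reports "NA" (per the setup module's documented values), so the condition is narrower than the commit title's "physical hosts" and such machines skip cpupower. If bare metal in general is meant, use `ansible_virtualization_role != "guest"` and add a comment stating which class of machine the include targets. The surrounding task list in RedHat.yml continues outside the hunk.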
@@ -1,6 +1,6 @@ --- datadisks: - - {size: 10, type: hdd} + - {size: 10, type: nvme} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} diff --git a/group_vars/homeassistant.yml b/group_vars/homeassistant.yml index 91f88e0..92e8f6a 100644 --- a/group_vars/homeassistant.yml +++ b/group_vars/homeassistant.yml @@ -1,6 +1,6 @@ --- datadisks: - - {size: 10, type: hdd} + - {size: 10, type: nvme} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} diff --git a/group_vars/log.yml b/group_vars/log.yml index 7457482..af1b495 100644 --- a/group_vars/log.yml +++ b/group_vars/log.yml @@ -1,6 +1,6 @@ --- datadisks: - - {size: 50} + - {size: 50, type: nvme} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} diff --git a/group_vars/mail.yml b/group_vars/mail.yml index 7976023..de75efd 100644 --- a/group_vars/mail.yml +++ b/group_vars/mail.yml @@ -1,6 +1,6 @@ --- datadisks: - - {size: 10} + - {size: 10, type: nvme} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} diff --git a/group_vars/minecraft.yml b/group_vars/minecraft.yml index cf60405..d87c715 100644 --- a/group_vars/minecraft.yml +++ b/group_vars/minecraft.yml @@ -1,7 +1,7 @@ --- mem_size: 4096 datadisks: - - {size: 100} + - {size: 100, type: nvme} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 4949, from: [172.20.30.0/24]} diff --git a/group_vars/nms.yml b/group_vars/nms.yml index 83c016a..cbf2fdb 100644 --- a/group_vars/nms.yml +++ b/group_vars/nms.yml @@ -1,6 +1,6 @@ --- datadisks: - - {size: 10} + - {size: 10, type: nvme} network_vip_interfaces: - device: eth1 diff --git a/host_vars/ldap01.home.foo.sh.yml b/host_vars/ldap01.home.foo.sh.yml index 8951d67..a64ca14 100644 --- a/host_vars/ldap01.home.foo.sh.yml +++ b/host_vars/ldap01.home.foo.sh.yml @@ -5,6 +5,6 @@ network_interfaces: vlan: 20 mac: 52:54:00:ac:dc:1f datadisks: - - {size: 10} + - {size: 10, type: nvme} ldap_master: true 
From 051acc86cc16deb995d6e1865144d706202d100e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Aug 2023 17:28:30 +0000 Subject: [PATCH 020/713] node_exporter: First version of role --- roles/node_exporter/handlers/main.yml | 5 ++ roles/node_exporter/meta/main.yml | 3 ++ roles/node_exporter/tasks/main.yml | 48 +++++++++++++++++++ .../node_exporter/templates/web-config.yml.j2 | 6 +++ 4 files changed, 62 insertions(+) create mode 100644 roles/node_exporter/handlers/main.yml create mode 100644 roles/node_exporter/meta/main.yml create mode 100644 roles/node_exporter/tasks/main.yml create mode 100644 roles/node_exporter/templates/web-config.yml.j2 diff --git a/roles/node_exporter/handlers/main.yml b/roles/node_exporter/handlers/main.yml new file mode 100644 index 0000000..29d67a9 --- /dev/null +++ b/roles/node_exporter/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart node_exporter + ansible.builtin.service: + name: prometheus-node-exporter + state: restarted diff --git a/roles/node_exporter/meta/main.yml b/roles/node_exporter/meta/main.yml new file mode 100644 index 0000000..ebfb16f --- /dev/null +++ b/roles/node_exporter/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: epel_repo, when: ansible_os_family == "RedHat"} diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml new file mode 100644 index 0000000..d65eb8a --- /dev/null +++ b/roles/node_exporter/tasks/main.yml 
@@ -0,0 +1,48 @@ +--- +- name: Install packages + ansible.builtin.package: + name: golang-github-prometheus-node-exporter + state: installed + +- name: Allow prometheus user to read private key + ansible.builtin.user: + name: prometheus + groups: hostkey + append: true + notify: Restart node_exporter + +- name: Create config directory + ansible.builtin.file: + path: /etc/node_exporter + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Create web-config + ansible.builtin.template: + dest: /etc/node_exporter/web-config.yml + src: web-config.yml.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart node_exporter + +- name: Modify config + ansible.builtin.lineinfile: + path: /etc/default/prometheus-node-exporter + regexp: "^ARGS=" + line: >- + ARGS="--collector.filesystem.ignored-mount-points + '^/(dev|proc|sys|run/(user|credentials/systemd-.+))($|/)' + --collector.netclass.ignored-devices '^(br-|docker|veth).+$' + --collector.netdev.device-exclude '^(br-|docker|veth).+$' + --web.config=/etc/node_exporter/web-config.yml + --collector.textfile.directory /var/lib/prometheus/node-exporter" + notify: Restart node_exporter + +- name: Enable node_exporter service + ansible.builtin.service: + name: prometheus-node-exporter + state: started + enabled: true diff --git a/roles/node_exporter/templates/web-config.yml.j2 b/roles/node_exporter/templates/web-config.yml.j2 new file mode 100644 index 0000000..01c911f --- /dev/null +++ b/roles/node_exporter/templates/web-config.yml.j2 @@ -0,0 +1,6 @@ +--- +tls_server_config: + key_file: {{ tls_private }}/{{ inventory_hostname }}.key + cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt + client_ca_file: {{ tls_certs }}/ca.crt + client_auth_type: RequireAndVerifyClientCert From 9b1aa236c55ee99a003b1d2ff8f9bdc8f8ee0f15 Mon Sep 17 00:00:00 2001 
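Review bot: `Allow prometheus user to read private key` adds the exporter's service account to the `hostkey` group so it can read `{{ tls_private }}/{{ inventory_hostname }}.key` (the key named in web-config.yml.j2 in this commit); that makes the host's main TLS key readable by a network-facing daemon, so a compromise of node_exporter exposes the key every other service on the host uses. Prefer a dedicated certificate for the exporter, or at least a copy of the key owned by `prometheus` with mode 0400, and add a comment on the task explaining why the group membership is granted. If sharing the host key is deliberate, say so in the task name so the trade-off stays visible.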
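Review bot: `key_file: {{ tls_private }}/{{ inventory_hostname }}.key` and the `cert_file`/`client_ca_file` lines leave a templated value unquoted, so an expansion that is empty or starts with a YAML indicator breaks the file at load time; write them as `key_file: "{{ tls_private }}/{{ inventory_hostname }}.key"`, which is how `roles/prometheus/templates/prometheus.yml.j2` in the next commit does it. `client_auth_type: RequireAndVerifyClientCert` is the right default for a metrics endpoint, but since the Prometheus scrape config presents the scraping host's own certificate from the same `ca.crt`, this authenticates "a host holding a fleet certificate" rather than Prometheus specifically; a comment stating that is worth adding.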
From: Timo Makinen Date: Sat, 19 Aug 2023 17:29:00 +0000 Subject: [PATCH 021/713] prometheus: First version of role --- roles/prometheus/files/prometheus.service | 23 ++++ roles/prometheus/handlers/main.yml | 5 + roles/prometheus/meta/main.yml | 3 + roles/prometheus/tasks/main.yml | 115 +++++++++++++++++++ roles/prometheus/templates/node.json.j2 | 10 ++ roles/prometheus/templates/prometheus.yml.j2 | 16 +++ 6 files changed, 172 insertions(+) create mode 100644 roles/prometheus/files/prometheus.service create mode 100644 roles/prometheus/handlers/main.yml create mode 100644 roles/prometheus/meta/main.yml create mode 100644 roles/prometheus/tasks/main.yml create mode 100644 roles/prometheus/templates/node.json.j2 create mode 100644 roles/prometheus/templates/prometheus.yml.j2 diff --git a/roles/prometheus/files/prometheus.service b/roles/prometheus/files/prometheus.service new file mode 100644 index 0000000..28f8d3a --- /dev/null +++ b/roles/prometheus/files/prometheus.service @@ -0,0 +1,23 @@ +[Unit] +Description=Prometheus +After=network-online.target +Requires=local-fs.target +After=local-fs.target + +[Service] +Type=simple +Environment="GOMAXPROCS={{ ansible_processor_vcpus|default(ansible_processor_count) }}" +User=prometheus +Group=prometheus +UMask=007 +ExecReload=/bin/kill -HUP $MAINPID +ExecStart=/usr/local/sbin/prometheus \ + --config.file=/srv/prometheus/prometheus.yml \ + --log.level=info \ + --storage.tsdb.path=/srv/prometheus/data \ + --storage.tsdb.retention.time=365d \ + --web.console.libraries=/usr/local/share/prometheus/console_libraries +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/roles/prometheus/handlers/main.yml b/roles/prometheus/handlers/main.yml new file mode 100644 index 0000000..690e0bd --- /dev/null +++ b/roles/prometheus/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart prometheus + ansible.builtin.service: + name: prometheus + state: restarted 
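Review bot: `Environment="GOMAXPROCS={{ ansible_processor_vcpus|default(ansible_processor_count) }}"` is a Jinja expression, but the file lives under `files/` and the tasks hunk in this commit installs it with `ansible.builtin.copy`, which does not render templates, so the literal `{{ ... }}` text lands in the unit and systemd exports it verbatim (the Go runtime, as far as I know, ignores a non-numeric GOMAXPROCS, so the line is dead). Either move the file to `templates/prometheus.service.j2` and switch the task to `ansible.builtin.template`, or drop the `Environment=` line. `--web.console.libraries=/usr/local/share/prometheus/console_libraries` names a directory no task in the commit creates; confirm the 2.45.0 binary tolerates its absence or remove the flag.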
diff --git a/roles/prometheus/meta/main.yml b/roles/prometheus/meta/main.yml
new file mode 100644
index 0000000..b95ceec
--- /dev/null
+++ b/roles/prometheus/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - {role: nginx/server}
diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml
new file mode 100644
index 0000000..05145f4
--- /dev/null
+++ b/roles/prometheus/tasks/main.yml
@@ -0,0 +1,115 @@ +--- +- name: Create group + ansible.builtin.group: + name: prometheus + gid: 305 + +- name: Create user + ansible.builtin.user: + name: prometheus + comment: Service Prometheus + createhome: false + group: prometheus + home: /var/empty + shell: /sbin/nologin + uid: 305 + +- name: Extract package + ansible.builtin.unarchive: + src: https://github.com/prometheus/prometheus/releases/download/v2.45.0/prometheus-2.45.0.linux-amd64.tar.gz + dest: /usr/local/src + owner: root + group: "{{ ansible_wheel }}" + remote_src: true + +- name: Copy binaries + ansible.builtin.copy: + dest: "/usr/local/sbin/{{ item }}" + src: "/usr/local/src/prometheus-2.45.0.linux-amd64/{{ item }}" + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + remote_src: true + with_items: + - promtool + - prometheus + +- name: Create data directories + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: "0750" + owner: root + group: prometheus + with_items: + - /export/prometheus + - /export/prometheus/node.d + +- name: Link data directory + ansible.builtin.file: + path: /srv/prometheus + src: /export/prometheus + state: link + owner: root + group: "{{ ansible_wheel }}" + follow: false + +- name: Create database directory + ansible.builtin.file: + path: /srv/prometheus/data + state: directory + mode: "0770" + owner: root + group: prometheus + +- name: Create configuration + ansible.builtin.template: + dest: /srv/prometheus/prometheus.yml + src: prometheus.yml.j2 + mode: "0640" + owner: root + group: prometheus + notify: Restart prometheus + +- name: Create host configs + ansible.builtin.template: + dest: "/srv/prometheus/node.d/{{ item }}" + src: node.json.j2 + mode: "0640" + owner: root + group: prometheus + notify: Restart prometheus + with_items: "{{ groups['all'] }}" + +- name: Create service file + ansible.builtin.copy: + dest: /etc/systemd/system/prometheus.service + src: prometheus.service + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + 
notify: Restart prometheus + +- name: Enable service + ansible.builtin.service: + name: prometheus + state: started + enabled: true + +- name: Allow nginx to connect prometheus + ansible.posix.seboolean: + name: httpd_can_network_connect + state: true + persistent: true + +- name: Copy nginx config + ansible.builtin.copy: + dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/prometheus.conf" + content: | + location / { + proxy_pass http://127.0.0.1:9090; + } + mode: 0644 + owner: root + group: "{{ ansible_wheel }}" + notify: Restart nginx diff --git a/roles/prometheus/templates/node.json.j2 b/roles/prometheus/templates/node.json.j2 new file mode 100644 index 0000000..d2bef64 --- /dev/null +++ b/roles/prometheus/templates/node.json.j2 @@ -0,0 +1,10 @@ +[ + { + "labels": { + "instance": "{{ item }}" + }, + "targets": [ + "{{ item }}" + ] + } +] diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2 new file mode 100644 index 0000000..81703ee --- /dev/null +++ b/roles/prometheus/templates/prometheus.yml.j2 @@ -0,0 +1,16 @@ +--- +global: + scrape_interval: 1m + scrape_timeout: 10s + evaluation_interval: 1m + +scrape_configs: + - job_name: node + scheme: https + tls_config: + ca_file: "{{ tls_certs }}/ca.crt" + key_file: "{{ tls_private }}/{{ inventory_hostname }}.key" + cert_file: "{{ tls_certs }}/{{ inventory_hostname }}.crt" + file_sd_configs: + - files: + - /srv/prometheus/node.d/*.json From 20fb7aeacfe9585bfc74940dabb16639954c7391 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Aug 2023 17:29:54 +0000 Subject: [PATCH 022/713] Add prometheus hosts --- group_vars/prometheus.yml | 8 ++++++++ host_vars/prometheus02.home.foo.sh.yml | 6 ++++++ hosts.yml | 4 ++++ playbooks/prometheus.yml | 28 ++++++++++++++++++++++++++ 4 files changed, 46 insertions(+) create mode 100644 group_vars/prometheus.yml create mode 100644 host_vars/prometheus02.home.foo.sh.yml create mode 100644 playbooks/prometheus.yml 
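Review bot: `Extract package` pulls the Prometheus tarball straight from GitHub with `remote_src: true` and no integrity check, so a tampered or truncated archive is installed without complaint; fetch it with `ansible.builtin.get_url` using `checksum: "sha256:<value from the release's sha256sums.txt>"` into `/usr/local/src` first, then unarchive the local file. The version `2.45.0` is repeated in the download URL and in the `src` of `Copy binaries`; lift it into a `prometheus_version` variable (the inventory already does this for `gitea_version`, `grafana_version` and the others) so the two cannot drift. Nothing in the commit shows authentication in front of `proxy_pass http://127.0.0.1:9090;`, so the Prometheus UI and query API are reachable by anyone who can reach 443 on this host; if the nginx site template does not add it, consider basic or client-certificate auth for that location.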
diff --git a/group_vars/prometheus.yml b/group_vars/prometheus.yml new file mode 100644 index 0000000..e80e98c --- /dev/null +++ b/group_vars/prometheus.yml @@ -0,0 +1,8 @@ +--- +datadisks: + - {size: 10, type: nvme} + +firewall_in: + - {proto: tcp, port: 22, from: [172.20.20.0/22]} + - {proto: tcp, port: 443, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/host_vars/prometheus02.home.foo.sh.yml b/host_vars/prometheus02.home.foo.sh.yml new file mode 100644 index 0000000..6c7cc03 --- /dev/null +++ b/host_vars/prometheus02.home.foo.sh.yml @@ -0,0 +1,6 @@ +--- +vmhost: vmhost02.home.foo.sh +network_interfaces: + - device: eth0 + vlan: 20 + mac: "52:54:00:ac:dc:84" diff --git a/hosts.yml b/hosts.yml index fe4345c..7c55f68 100644 --- a/hosts.yml +++ b/hosts.yml @@ -84,6 +84,9 @@ ocinode: print: hosts: print01.home.foo.sh: +prometheus: + hosts: + prometheus02.home.foo.sh: proxy: hosts: proxy01.home.foo.sh: @@ -154,6 +157,7 @@ rocky9: ldap: mirror: mongodb: + prometheus: sqldb: static: vmhost: diff --git a/playbooks/prometheus.yml b/playbooks/prometheus.yml new file mode 100644 index 0000000..bec40ff --- /dev/null +++ b/playbooks/prometheus.yml @@ -0,0 +1,28 @@ +--- +- name: Deploy KVM virtual machines + ansible.builtin.import_playbook: include/deploy-kvm-guest.yml + vars: + myhosts: prometheus + +- name: Configure instance + hosts: prometheus + user: root + gather_facts: true + + vars_files: + - "{{ ansible_private }}/vars.yml" + + pre_tasks: + - name: Mount /export + ansible.posix.mount: + name: /export + src: LABEL=/export + fstype: xfs + opts: noatime,noexec,nosuid,nodev + passno: "0" + dump: "0" + state: mounted + + roles: + - base + - prometheus From f8319730234eaee78087af2e47d371a5a589d52f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Aug 2023 17:31:02 +0000 Subject: [PATCH 023/713] Add prometheus playbook to master playbook --- site.yml | 2 ++ 1 file changed, 2 insertions(+) 
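Review bot: The entry `- {proto: tcp, port: 9100, from: [172.20.20.0/22]}` opens the exporter port only on the prometheus group, while the server's `node.json.j2` targets every host in `groups['all']` on :9100; unless the other groups' `firewall_in` lists are extended (the ones visible in this series do not include 9100), those scrapes will be blocked. When they are extended, restrict the source to the Prometheus host(s) rather than the whole /22, e.g. `from: [<prometheus02 address>]`; the exporter already requires a client certificate, but the port still need not be reachable from every workstation.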
diff --git a/site.yml b/site.yml index 41765a2..bcceabe 100644 --- a/site.yml +++ b/site.yml @@ -41,6 +41,8 @@ ansible.builtin.import_playbook: playbooks/oci-node.yml - name: Configure print hosts ansible.builtin.import_playbook: playbooks/print.yml +- name: Configure prometheus hosts + ansible.builtin.import_playbook: playbooks/prometheus.yml - name: Configure proxy hosts ansible.builtin.import_playbook: playbooks/proxy.yml - name: Configure relay hosts From 1fdce68b75da2e2ab31f2f4fadd5736226339b73 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Aug 2023 17:46:44 +0000 Subject: [PATCH 024/713] node_exporter: Fix installing for Fedora --- roles/node_exporter/meta/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/node_exporter/meta/main.yml b/roles/node_exporter/meta/main.yml index ebfb16f..ed212b9 100644 --- a/roles/node_exporter/meta/main.yml +++ b/roles/node_exporter/meta/main.yml @@ -1,3 +1,6 @@ --- dependencies: - - {role: epel_repo, when: ansible_os_family == "RedHat"} + - role: epel_repo + when: + - ansible_os_family == "RedHat" + - ansible_distribution != "Fedora" From d7edba1a0fdf40c2e56fef8bb6a0a86e1cf9023e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Aug 2023 17:48:43 +0000 Subject: [PATCH 025/713] No use for port 443 on ldap hosts --- group_vars/ldap.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/group_vars/ldap.yml b/group_vars/ldap.yml index 660bcb5..85b7b5c 100644 --- a/group_vars/ldap.yml +++ b/group_vars/ldap.yml @@ -3,6 +3,5 @@ saslauthd_mech: ldap firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - - {proto: tcp, port: 443, from: [172.20.20.0/22]} - {proto: tcp, port: 636, from: [172.20.20.0/22]} - {proto: tcp, port: 4949, from: [172.20.20.0/22]} From 7516f5813e8d939fdbbb7fccaed29e8bff7092a9 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sat, 19 Aug 2023 18:21:43 +0000 Subject: [PATCH 026/713] prometheus: Fix node configs --- roles/prometheus/tasks/main.yml | 2 +- roles/prometheus/templates/node.json.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index 05145f4..7ec1353 100644 --- a/roles/prometheus/tasks/main.yml +++ b/roles/prometheus/tasks/main.yml @@ -73,7 +73,7 @@ - name: Create host configs ansible.builtin.template: - dest: "/srv/prometheus/node.d/{{ item }}" + dest: "/srv/prometheus/node.d/{{ item }}.json" src: node.json.j2 mode: "0640" owner: root diff --git a/roles/prometheus/templates/node.json.j2 b/roles/prometheus/templates/node.json.j2 index d2bef64..0f4e396 100644 --- a/roles/prometheus/templates/node.json.j2 +++ b/roles/prometheus/templates/node.json.j2 @@ -4,7 +4,7 @@ "instance": "{{ item }}" }, "targets": [ - "{{ item }}" + "{{ item }}:9100" ] } ] From 3d0cf42e8eee3b9d7de95cde3183f22614b74213 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Aug 2023 14:06:40 +0000 Subject: [PATCH 027/713] Remove obsolete ports from proxy pf config --- group_vars/proxy.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/group_vars/proxy.yml b/group_vars/proxy.yml index c3ffdcd..3966f13 100644 --- a/group_vars/proxy.yml +++ b/group_vars/proxy.yml @@ -48,6 +48,4 @@ firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 80} - {proto: tcp, port: 443} - - {proto: tcp, port: 636} - {proto: tcp, port: 4949, from: [172.20.20.0/22]} - - {proto: tcp, port: 6514} From 902575569506b4f9f760d5915a3f086d14f253d8 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Aug 2023 14:32:15 +0000 Subject: [PATCH 028/713] node_exporter: Add OpenBSD support --- roles/node_exporter/handlers/main.yml | 2 +- roles/node_exporter/tasks/main.yml | 21 +++++++++++++++++---- 2 files changed, 18 insertions(+), 5 deletions(-) 
diff --git a/roles/node_exporter/handlers/main.yml b/roles/node_exporter/handlers/main.yml index 29d67a9..f522d75 100644 --- a/roles/node_exporter/handlers/main.yml +++ b/roles/node_exporter/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: Restart node_exporter ansible.builtin.service: - name: prometheus-node-exporter + name: "{{ node_exporter_package }}" state: restarted diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml index d65eb8a..00b9898 100644 --- a/roles/node_exporter/tasks/main.yml +++ b/roles/node_exporter/tasks/main.yml @@ -1,12 +1,15 @@ --- +- name: Include OS-specific variables + ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" + - name: Install packages ansible.builtin.package: - name: golang-github-prometheus-node-exporter + name: "{{ node_exporter_package }}" state: installed - name: Allow prometheus user to read private key ansible.builtin.user: - name: prometheus + name: "{{ node_exporter_user }}" groups: hostkey append: true notify: Restart node_exporter @@ -40,9 +43,19 @@ --web.config=/etc/node_exporter/web-config.yml --collector.textfile.directory /var/lib/prometheus/node-exporter" notify: Restart node_exporter + when: ansible_os_family == "RedHat" -- name: Enable node_exporter service +- name: Enable service ansible.builtin.service: - name: prometheus-node-exporter + name: "{{ node_exporter_service }}" state: started enabled: true + arguments: --web.config.file=/etc/node_exporter/web-config.yml + when: ansible_os_family == "OpenBSD" + +- name: Enable service + ansible.builtin.service: + name: "{{ node_exporter_service }}" + state: started + enabled: true + when: ansible_os_family == "RedHat" From 5ec34f54c810232900b9205e92052fec568f25b2 Mon Sep 17 00:00:00 2001 
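Review bot: The restart handler now passes `node_exporter_package` as the service name, but on RedHat the package (`golang-github-prometheus-node-exporter`) and the unit (`prometheus-node-exporter`) differ per the vars files added in the next patch, so the handler will not find the service there. The tasks hunk in this same commit already uses `{{ node_exporter_service }}` for the enable task, and the handler should read `name: "{{ node_exporter_service }}"`. Patch 042 later in this series makes exactly that change, so it could be folded in here.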
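Review bot: The two `Enable service` tasks at the end of the second hunk are identical apart from the OpenBSD-only `arguments:` line and share a task name, which makes play output ambiguous and doubles the maintenance surface. A single task with `arguments: "{{ '--web.config.file=/etc/node_exporter/web-config.yml' if ansible_os_family == 'OpenBSD' else omit }}"` keeps the same behaviour. The `when: ansible_os_family == "RedHat"` added just before it applies to a task whose start is outside the hunk, so the reader cannot see from here what is being skipped on OpenBSD. The `include_vars` task at the top will fail on any host whose `ansible_os_family` has no matching vars file, which is presumably intended but deserves a one-line comment saying so.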
From: Timo Makinen Date: Sun, 20 Aug 2023 14:32:43 +0000 Subject: [PATCH 029/713] node_exporter: Add missing files --- roles/node_exporter/vars/OpenBSD.yml | 4 ++++ roles/node_exporter/vars/RedHat.yml | 4 ++++ 2 files changed, 8 insertions(+) create mode 100644 roles/node_exporter/vars/OpenBSD.yml create mode 100644 roles/node_exporter/vars/RedHat.yml diff --git a/roles/node_exporter/vars/OpenBSD.yml b/roles/node_exporter/vars/OpenBSD.yml new file mode 100644 index 0000000..170fb93 --- /dev/null +++ b/roles/node_exporter/vars/OpenBSD.yml @@ -0,0 +1,4 @@ +--- +node_exporter_package: node_exporter +node_exporter_service: node_exporter +node_exporter_user: _nodeexporter diff --git a/roles/node_exporter/vars/RedHat.yml b/roles/node_exporter/vars/RedHat.yml new file mode 100644 index 0000000..0a6f1b2 --- /dev/null +++ b/roles/node_exporter/vars/RedHat.yml @@ -0,0 +1,4 @@ +--- +node_exporter_package: golang-github-prometheus-node-exporter +node_exporter_service: prometheus-node-exporter +node_exporter_user: prometheus From 946c7d0772897482e1ab125167cd31c8dcf31d8c Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sun, 20 Aug 2023 14:33:39 +0000 Subject: [PATCH 030/713] Add node_exporter to all hosts --- group_vars/adm.yml | 2 +- group_vars/backup.yml | 1 + group_vars/collab.yml | 2 +- group_vars/gitea.yml | 2 +- group_vars/gitearunner.yml | 2 +- group_vars/homeassistant.yml | 2 +- group_vars/influxdb.yml | 2 +- group_vars/ldap.yml | 2 +- group_vars/log.yml | 2 +- group_vars/mail.yml | 2 +- group_vars/minecraft.yml | 2 +- group_vars/mirror.yml | 2 +- group_vars/mongodb.yml | 1 + group_vars/mqtt.yml | 2 +- group_vars/nas.yml | 2 +- group_vars/nms.yml | 2 +- group_vars/ocinode.yml | 1 + group_vars/print.yml | 2 +- group_vars/proxy.yml | 2 +- group_vars/relay.yml | 1 + group_vars/shell.yml | 2 +- group_vars/sqldb.yml | 1 + group_vars/static.yml | 2 +- group_vars/vmhost.yml | 2 +- group_vars/zm.yml | 2 +- roles/base/tasks/main.yml | 1 + roles/pf/files/pf.conf.gw_fsol | 4 ++-- roles/pf/files/pf.conf.gw_home | 4 ++-- 28 files changed, 30 insertions(+), 24 deletions(-) diff --git a/group_vars/adm.yml b/group_vars/adm.yml index a49673c..e80e98c 100644 --- a/group_vars/adm.yml +++ b/group_vars/adm.yml @@ -5,4 +5,4 @@ datadisks: firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/backup.yml b/group_vars/backup.yml index ec4ea73..0b7f509 100644 --- a/group_vars/backup.yml +++ b/group_vars/backup.yml @@ -1,3 +1,4 @@ --- firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/collab.yml b/group_vars/collab.yml index a49673c..e80e98c 100644 --- a/group_vars/collab.yml +++ b/group_vars/collab.yml 
@@ -5,4 +5,4 @@ datadisks: firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/gitea.yml b/group_vars/gitea.yml index a49673c..e80e98c 100644 --- a/group_vars/gitea.yml +++ b/group_vars/gitea.yml @@ -5,4 +5,4 @@ datadisks: firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/gitearunner.yml b/group_vars/gitearunner.yml index c611eea..0b7f509 100644 --- a/group_vars/gitearunner.yml +++ b/group_vars/gitearunner.yml @@ -1,4 +1,4 @@ --- firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/homeassistant.yml b/group_vars/homeassistant.yml index 92e8f6a..d344ed1 100644 --- a/group_vars/homeassistant.yml +++ b/group_vars/homeassistant.yml @@ -4,4 +4,4 @@ datadisks: firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/influxdb.yml b/group_vars/influxdb.yml index fcdcc1b..be5bea6 100644 --- a/group_vars/influxdb.yml +++ b/group_vars/influxdb.yml @@ -5,4 +5,4 @@ datadisks: firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/ldap.yml b/group_vars/ldap.yml index 85b7b5c..1e3e573 100644 --- a/group_vars/ldap.yml +++ b/group_vars/ldap.yml 
@@ -4,4 +4,4 @@ saslauthd_mech: ldap firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 636, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/log.yml b/group_vars/log.yml index af1b495..00882e3 100644 --- a/group_vars/log.yml +++ b/group_vars/log.yml @@ -4,5 +4,5 @@ datadisks: firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} - {proto: tcp, port: 6514} diff --git a/group_vars/mail.yml b/group_vars/mail.yml index de75efd..43e2603 100644 --- a/group_vars/mail.yml +++ b/group_vars/mail.yml @@ -10,4 +10,4 @@ firewall_in: - {proto: tcp, port: 465} - {proto: tcp, port: 587} - {proto: tcp, port: 993} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/minecraft.yml b/group_vars/minecraft.yml index d87c715..a7ff2b1 100644 --- a/group_vars/minecraft.yml +++ b/group_vars/minecraft.yml @@ -4,6 +4,6 @@ datadisks: - {size: 100, type: nvme} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.30.0/24]} + - {proto: tcp, port: 9100, from: [172.20.30.0/24]} - {proto: tcp, port: 25565, from: [172.20.30.0/24]} - {proto: udp, port: 25565, from: [172.20.30.0/24]} diff --git a/group_vars/mirror.yml b/group_vars/mirror.yml index 4ac63b1..9515b80 100644 --- a/group_vars/mirror.yml +++ b/group_vars/mirror.yml @@ -7,4 +7,4 @@ firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - {proto: tcp, port: 873, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/mongodb.yml b/group_vars/mongodb.yml index e17dd45..656811d 100644 --- a/group_vars/mongodb.yml 
+++ b/group_vars/mongodb.yml @@ -4,3 +4,4 @@ datadisks: firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 27017, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/mqtt.yml b/group_vars/mqtt.yml index ec10fe7..e64ff98 100644 --- a/group_vars/mqtt.yml +++ b/group_vars/mqtt.yml @@ -3,5 +3,5 @@ firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.27.0/24]} - {proto: tcp, port: 1883, from: [172.20.27.0/24]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} - {proto: tcp, port: 8883, from: [172.20.20.0/22, 172.20.27.0/24]} diff --git a/group_vars/nas.yml b/group_vars/nas.yml index 84be798..3cb95e1 100644 --- a/group_vars/nas.yml +++ b/group_vars/nas.yml @@ -9,4 +9,4 @@ firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 2049, from: [172.20.20.0/22]} - {proto: tcp, port: 2049, from: [172.20.30.0/24]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/nms.yml b/group_vars/nms.yml index cbf2fdb..3ebd807 100644 --- a/group_vars/nms.yml +++ b/group_vars/nms.yml @@ -19,7 +19,7 @@ firewall_in: - {proto: udp, port: 123, from: [172.20.25.0/24]} - {proto: tcp, port: 443, from: [172.20.25.0/24]} - {proto: udp, port: 514, from: [172.20.25.0/24]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} firewall_raw: - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - "-A INPUT -i eth1 -p vrrp -j ACCEPT" diff --git a/group_vars/ocinode.yml b/group_vars/ocinode.yml index 9945015..d87fa04 100644 --- a/group_vars/ocinode.yml +++ b/group_vars/ocinode.yml @@ -5,3 +5,4 @@ mem_size: 4192 firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} 
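Review bot: In mongodb.yml the new 9100 rule is appended after the 27017 entry, whereas every other `firewall_in` list touched in this commit is kept sorted by port. Inserting `- {proto: tcp, port: 9100, from: [172.20.20.0/22]}` before the 27017 line keeps the lists consistent and easier to diff against each other.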
diff --git a/group_vars/print.yml b/group_vars/print.yml index 7029178..2dbeb2c 100644 --- a/group_vars/print.yml +++ b/group_vars/print.yml @@ -14,7 +14,7 @@ firewall_in: - {proto: tcp, port: 53, from: [172.20.24.0/24]} - {proto: udp, port: 53, from: [172.20.24.0/24]} - {proto: tcp, port: 631, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} firewall_raw: - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - "-A INPUT -i eth1 -p vrrp -j ACCEPT" diff --git a/group_vars/proxy.yml b/group_vars/proxy.yml index 3966f13..ec6b4a8 100644 --- a/group_vars/proxy.yml +++ b/group_vars/proxy.yml @@ -48,4 +48,4 @@ firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 80} - {proto: tcp, port: 443} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/relay.yml b/group_vars/relay.yml index b48a3a2..f65b541 100644 --- a/group_vars/relay.yml +++ b/group_vars/relay.yml @@ -41,3 +41,4 @@ firewall_in: - {proto: tcp, port: 443} - {proto: tcp, port: 636} - {proto: tcp, port: 6514} + - {proto: tcp, port: 9100} diff --git a/group_vars/shell.yml b/group_vars/shell.yml index cefac15..2af3bb2 100644 --- a/group_vars/shell.yml +++ b/group_vars/shell.yml @@ -9,4 +9,4 @@ firewall_in: - {proto: tcp, port: 22} - {proto: tcp, port: 80} - {proto: tcp, port: 443} - - {proto: tcp, port: 4949, from: [81.175.130.44/32]} + - {proto: tcp, port: 9100, from: [81.175.130.44/32]} diff --git a/group_vars/sqldb.yml b/group_vars/sqldb.yml index df3c506..f2d2337 100644 --- a/group_vars/sqldb.yml +++ b/group_vars/sqldb.yml @@ -4,3 +4,4 @@ datadisks: firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 3306, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/static.yml b/group_vars/static.yml index 24c3e3a..a6636ac 100644 --- a/group_vars/static.yml 
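Review bot: relay.yml opens 9100 with no `from:` restriction, so node_exporter on the relay hosts becomes reachable from any source, unlike every other group in this commit where the rule is limited to 172.20.20.0/22 (shell.yml limits it to a single external /32). The relays already expose 80/443/636/6514 publicly, so the scrape presumably comes from the internal network and the rule should be `- {proto: tcp, port: 9100, from: [172.20.20.0/22]}`. If the exporter's web-config.yml enforces TLS client authentication this is less severe, but host metrics still need not be world-reachable.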
+++ b/group_vars/static.yml @@ -2,4 +2,4 @@ firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/vmhost.yml b/group_vars/vmhost.yml index c611eea..0b7f509 100644 --- a/group_vars/vmhost.yml +++ b/group_vars/vmhost.yml @@ -1,4 +1,4 @@ --- firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/zm.yml b/group_vars/zm.yml index 4da1f4f..03177dc 100644 --- a/group_vars/zm.yml +++ b/group_vars/zm.yml @@ -17,7 +17,7 @@ dhcpd_template: dhcpd.conf.cam.j2 firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} firewall_raw: - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - "-A INPUT -i eth1 -p vrrp -j ACCEPT" diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 5281333..7bec34b 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -48,6 +48,7 @@ - pki - psacct - sshd + - node_exporter loop_control: loop_var: role diff --git a/roles/pf/files/pf.conf.gw_fsol b/roles/pf/files/pf.conf.gw_fsol index c6bfb1b..48215c0 100644 --- a/roles/pf/files/pf.conf.gw_fsol +++ b/roles/pf/files/pf.conf.gw_fsol 
@@ -30,9 +30,9 @@ pass quick inet6 proto icmp6 antispoof for lo0 antispoof for vio0 -# admin connection and munin (internal) +# admin connection and node_exporter (internal) pass in quick on $int_if proto tcp from $int_net to self port ssh keep state (no-sync) -pass in quick on $int_if proto tcp from $int_net to self port 4949 keep state (no-sync) +pass in quick on $int_if proto tcp from $int_net to self port 9100 keep state (no-sync) # internal network block in quick from any to self diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/files/pf.conf.gw_home index a71029d..9dd3095 100644 --- a/roles/pf/files/pf.conf.gw_home +++ b/roles/pf/files/pf.conf.gw_home @@ -45,8 +45,8 @@ pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh pass in quick on $ext_if proto tcp from 81.175.155.142/32 to self port ssh -# munin from internal network -pass in quick on $int_if proto tcp from $int_net to self port 4949 +# node_exporter from internal network +pass in quick on $int_if proto tcp from $int_net to self port 9100 # allow dns queries from internal net pass in quick on $int_if proto { tcp, udp } from $int_net to self port domain From f664e0271b4bfaacba392a98f4fdf7768961ada2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Aug 2023 14:34:11 +0000 Subject: [PATCH 031/713] php4dvd: Initial version of role --- roles/php4dvd/handlers/main.yml | 17 ++++++ roles/php4dvd/meta/main.yml | 5 ++ roles/php4dvd/tasks/main.yml | 55 +++++++++++++++++++ .../templates/php4dvd-container.service.j2 | 19 +++++++ .../templates/php4dvd-container.sysconfig.j2 | 5 ++ 5 files changed, 101 insertions(+) create mode 100644 roles/php4dvd/handlers/main.yml create mode 100644 roles/php4dvd/meta/main.yml create mode 100644 roles/php4dvd/tasks/main.yml create mode 100644 roles/php4dvd/templates/php4dvd-container.service.j2 create mode 100644 roles/php4dvd/templates/php4dvd-container.sysconfig.j2 
diff --git a/roles/php4dvd/handlers/main.yml b/roles/php4dvd/handlers/main.yml new file mode 100644 index 0000000..bc94087 --- /dev/null +++ b/roles/php4dvd/handlers/main.yml @@ -0,0 +1,17 @@ +--- +- name: Rebuild php4dvd-container + ansible.builtin.command: + argv: + - podman + - build + - -t + - php4dvd + - /usr/local/src/docker-php4dvd + become: true + become_user: php4dvd + notify: Restart php4dvd-container + +- name: Restart php4dvd-container + ansible.builtin.service: + name: php4dvd-container + state: restarted diff --git a/roles/php4dvd/meta/main.yml b/roles/php4dvd/meta/main.yml new file mode 100644 index 0000000..b8e2a3e --- /dev/null +++ b/roles/php4dvd/meta/main.yml @@ -0,0 +1,5 @@ +--- +dependencies: + - {role: git} + - {role: nginx} + - {role: podman} diff --git a/roles/php4dvd/tasks/main.yml b/roles/php4dvd/tasks/main.yml new file mode 100644 index 0000000..7728945 --- /dev/null +++ b/roles/php4dvd/tasks/main.yml 
@@ -0,0 +1,55 @@ +--- +- name: Create group + ansible.builtin.group: + name: php4dvd + +- name: Create user + ansible.builtin.user: + name: php4dvd + comment: Podman pphp4dvd + group: authcheck + shell: /sbin/nologin + +- name: Get container source + ansible.builtin.git: + dest: /usr/local/src/docker-php4dvd + repo: https://github.com/foo-sh/docker-php4dvd.git + update: false + version: master + notify: Rebuild php4dvd-container + +- name: Create service file + ansible.builtin.template: + dest: /etc/systemd/system/php4dvd-container.service + src: php4dvd-container.service.j2 + mode: 0644 + owner: root + group: "{{ ansible_wheel }}" + +- name: Create service config + ansible.builtin.template: + dest: /etc/sysconfig/php4dvd-container + src: php4dvd-container.sysconfig.j2 + mode: 0600 + owner: root + group: "{{ ansible_wheel }}" + notify: Restart php4dvd-container + +- name: Enable service + ansible.builtin.service: + name: php4dvd-container + state: started + enabled: true + +- name: Copy nginx config + ansible.builtin.copy: + dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/php4dvd-container.conf" + content: | + location /php4dvd { + proxy_pass http://127.0.0.1:8005/; + } + mode: 0644 + owner: root + group: "{{ ansible_wheel }}" + notify: Restart nginx + diff --git a/roles/php4dvd/templates/php4dvd-container.service.j2 b/roles/php4dvd/templates/php4dvd-container.service.j2 new file mode 100644 index 0000000..277bb16 --- /dev/null +++ b/roles/php4dvd/templates/php4dvd-container.service.j2 
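Review bot: The `Create user` task puts the php4dvd user in `group: authcheck` although the task directly above creates a `php4dvd` group for it, which reads as a copy-paste leftover from the authcheck role and gives this container user membership in another service's group; it should be `group: php4dvd`. The user comment `Podman pphp4dvd` has a doubled `p`. The file modes `0644` and `0600` are unquoted, which YAML 1.1 parsers read as octal integers — Ansible tolerates that, but the quoted form `mode: "0644"` is what ansible-lint expects and avoids surprises. The file also ends with a stray blank line after the nginx task.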
@@ -0,0 +1,19 @@ +[Unit] +Description=php4dvd Container +Wants=network-online.target +After=network-online.target + +[Service] +User=php4dvd +EnvironmentFile=/etc/sysconfig/php4dvd-container +ExecStart=/usr/bin/podman run \ + --rm -p 127.0.0.1:8005:80 \ + --name php4dvd \ + --env PHP4DVD_* \ + --volume /export/volumes/php4dvd:/var/www/html/movies:rw,Z \ + php4dvd:latest +ExecStop=/usr/bin/podman stop --ignore php4dvd +ExecStopPost=/usr/bin/podman rm -f --ignore php4dvd + +[Install] +WantedBy=multi-user.target diff --git a/roles/php4dvd/templates/php4dvd-container.sysconfig.j2 b/roles/php4dvd/templates/php4dvd-container.sysconfig.j2 new file mode 100644 index 0000000..af894b5 --- /dev/null +++ b/roles/php4dvd/templates/php4dvd-container.sysconfig.j2 @@ -0,0 +1,5 @@ +PHP4DVD_DB_HOST=sqldb02.home.foo.sh +PHP4DVD_DB_NAME=php4dvd +PHP4DVD_DB_USER=php4dvd +PHP4DVD_DB_PASS={{ php4dvd_mysql_pass }} +PHP4DVD_USER_GUESTVIEW=true From 31b38dfc2f44576b623c919d9751c5eb2be6048f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Aug 2023 14:34:33 +0000 Subject: [PATCH 032/713] Add movies.foo.sh to proxy servers --- playbooks/proxy.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index e625b08..104f9fe 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -80,6 +80,10 @@ - role: nginx/site site: mirrors.foo.sh proxy: https://mirror01.home.foo.sh/ + - role: nginx/site + site: movies.foo.sh + proxy: + - https://oci-node01.home.foo.sh/php4dvd/ - role: nginx/site site: noc.foo.sh proxy: From 5fc2d161ad615a5e230b7b4979ec50ec73d34e7a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Aug 2023 14:35:00 +0000 Subject: [PATCH 033/713] Add php4dvd to oci-node01 and create local storage --- playbooks/oci-node.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/playbooks/oci-node.yml b/playbooks/oci-node.yml index 231a6c4..5d2a8c7 100644 --- a/playbooks/oci-node.yml 
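Review bot: The unit has no `Restart=` line, so if the container process dies the service stays down until the next Ansible run or a manual start; `Restart=on-failure` with `RestartSec=10` under `[Service]` is the usual choice for podman-wrapped services. `EnvironmentFile=/etc/sysconfig/php4dvd-container` carries the database password from the sysconfig template in this same commit; systemd reads it as root before switching to `User=php4dvd`, so the root-only 0600 mode is correct, but the value then lives in the container environment where it is visible to anyone who can act as the php4dvd user, which is worth a comment if that trade-off is accepted. Running rootless under `User=php4dvd` also presumes that user has subuid/subgid ranges, which nothing in this commit shows being set up.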
+++ b/playbooks/oci-node.yml @@ -12,9 +12,24 @@ vars_files: - "{{ ansible_private }}/vars.yml" + pre_tasks: + - name: Mount /export + ansible.posix.mount: + name: /export + src: LABEL=/export + fstype: xfs + opts: noatime,noexec,nosuid,nodev + passno: "0" + dump: "0" + state: mounted + when: ansible_fqdn == 'oci-node01.home.foo.sh' + roles: - base - authcheck - grafana - kdc - - roundcube + - role: php4dvd + when: ansible_fqdn == 'oci-node01.home.foo.sh' + - role: roundcube + when: ansible_fqdn == 'oci-node01.home.foo.sh' From 61e057a7e9356217a2672ab10864a1b7a3af2ea4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Aug 2023 14:35:42 +0000 Subject: [PATCH 034/713] Add data disk to oci-node01 --- host_vars/oci-node01.home.foo.sh.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/host_vars/oci-node01.home.foo.sh.yml b/host_vars/oci-node01.home.foo.sh.yml index 0cc5278..9116611 100644 --- a/host_vars/oci-node01.home.foo.sh.yml +++ b/host_vars/oci-node01.home.foo.sh.yml @@ -1,5 +1,7 @@ --- vmhost: vmhost01.home.foo.sh +datadisks: + - {size: 10, type: nvme} network_interfaces: - device: eth0 vlan: 20 From b6754d49e7384def8224b93f7e70107296da1fed Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Aug 2023 14:37:21 +0000 Subject: [PATCH 035/713] Reserve uid/gid for prometheus --- user.list | 1 + 1 file changed, 1 insertion(+) diff --git a/user.list b/user.list index 3fc5a6d..6e27844 100644 --- a/user.list +++ b/user.list @@ -9,6 +9,7 @@ id user group notes 301 influxdb influxdb 302 mongod mongod 303 gitea gitea +305 prometheus prometheus 1001 mirror mirror 1002 certbot certbot 1003 collab collab From 7f3bb95d2f5870bd96ed5b03eda7f0f8ef6fc11d Mon Sep 17 00:00:00 2001 
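Review bot: The condition `when: ansible_fqdn == 'oci-node01.home.foo.sh'` is repeated three times in this hunk (mount, php4dvd, roundcube), so moving these services to another host later means editing the playbook in several places. A boolean in host_vars (a constructed example: `php4dvd_host: true`) or a dedicated inventory group would let each task stay `when: php4dvd_host | default(false)` and keep host selection in the inventory. The `noatime,noexec,nosuid,nodev` options on /export are a good default for a volume that only stores container data.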
From: Timo Makinen Date: Sat, 26 Aug 2023 16:26:11 +0000 Subject: [PATCH 036/713] mirror/thinlinc: Refactor download script --- ...nc-thinlinc-repo => sync-thinlinc-repo.sh} | 23 ++++++++++++------- 1 file changed, 15 insertions(+), 8 deletions(-) rename roles/mirror/thinlinc/files/{sync-thinlinc-repo => sync-thinlinc-repo.sh} (59%) diff --git a/roles/mirror/thinlinc/files/sync-thinlinc-repo b/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh similarity index 59% rename from roles/mirror/thinlinc/files/sync-thinlinc-repo rename to roles/mirror/thinlinc/files/sync-thinlinc-repo.sh index 2638197..6d6c44a 100755 --- a/roles/mirror/thinlinc/files/sync-thinlinc-repo +++ b/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh @@ -1,4 +1,6 @@ -#!/bin/bash +#!/bin/sh + +set -eu umask 022 @@ -16,8 +18,8 @@ if [ ! -d "${REPODIR}" ]; then mkdir "${REPODIR}" fi -LOCATION=$(curl -s "${BASEURL}/thinlinc/download" | \ - sed -n 's/^.*64-bit.*/\1/p') +LOCATION=$(curl -sf "${BASEURL}/thinlinc/download/" | \ + sed -n 's/^.*&2 exit 1 
@@ -25,20 +27,25 @@ fi PKGNAME="$(basename "${LOCATION}")" if [ ! -f "${REPODIR}/${PKGNAME}" ]; then - echo "New thinlinc version found" + VERSION="$(echo "$PKGNAME" | sed -n 's/^thinlinc-client-\([0-9\.]*\)-[0-9]*\.x86_64\.rpm/\1/p')" + + echo "New thinlinc version ${VERSION} found" echo "" + tmpfile="$(mktemp)" + trap 'rm -f "$tmpfile"' EXIT + # assume that server version goes in-line with client echo "Downloading server package:" - curl -so "${REPODIR}/.server.zip" "${BASEURL}/downloads/server/download.py" + curl -sfo "$tmpfile" "${BASEURL}/downloads/server/tl-${VERSION}-server.zip" echo "Extracting server rpm files:" - unzip -jd ${REPODIR} ${REPODIR}/.server.zip \*.rpm + unzip -jfvd "$REPODIR" "$tmpfile" \*.rpm echo "Cleaning up..." - rm -f ${REPODIR}/.server.zip echo "" echo "Downloading client rpm package:" - curl -so "${REPODIR}/${PKGNAME}" "${BASEURL}${LOCATION}" + echo $LOCATION + curl -sfo "${REPODIR}/${PKGNAME}" "${LOCATION}" echo "" echo "Updating repository metadata:" createrepo_c "${REPODIR}" From a78ac15a72f44209e67d3a0bd70dfa5f46ffc05b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 26 Aug 2023 16:28:13 +0000 Subject: [PATCH 037/713] mirror/thinlinc: Remove debug print --- roles/mirror/thinlinc/files/sync-thinlinc-repo.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh b/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh index 6d6c44a..5c20723 100755 --- a/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh +++ b/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh @@ -44,7 +44,6 @@ if [ ! -f "${REPODIR}/${PKGNAME}" ]; then echo "" echo "Downloading client rpm package:" - echo $LOCATION curl -sfo "${REPODIR}/${PKGNAME}" "${LOCATION}" echo "" echo "Updating repository metadata:" From 31152b904ac4b081d51baf6d8891b0528317d023 Mon Sep 17 00:00:00 2001 
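Review bot: `VERSION` is derived with `sed -n ... p`, which under `set -eu` prints an empty string rather than failing when the client package name does not match the pattern, so the script then requests `tl--server.zip`; a guard such as `[ -n "$VERSION" ] || { echo "cannot parse version from $PKGNAME" >&2; exit 1; }` right after the assignment turns that into a clear error. `unzip -jfvd` freshens only files that already exist in `$REPODIR`, so new server RPMs are never extracted (patch 044 later changes it to `-jd`), and the bare `echo $LOCATION` is an unquoted debug print that patch 037 removes. Both downloads are placed into the repository without any checksum or signature check; if the vendor ships GPG-signed RPMs, an `rpm -K` step on the extracted files before `createrepo_c` would keep an altered download out of the mirror.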
From: Timo Makinen Date: Sat, 26 Aug 2023 16:29:18 +0000 Subject: [PATCH 038/713] mirror/thinlinc: Fix deploying sync script --- roles/mirror/thinlinc/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mirror/thinlinc/tasks/main.yml b/roles/mirror/thinlinc/tasks/main.yml index 4a7f785..78e0525 100644 --- a/roles/mirror/thinlinc/tasks/main.yml +++ b/roles/mirror/thinlinc/tasks/main.yml @@ -27,7 +27,7 @@ - name: Copy sync script ansible.builtin.copy: dest: /usr/local/bin/sync-thinlinc-repo - src: sync-thinlinc-repo + src: sync-thinlinc-repo.sh mode: 0755 owner: root group: root From a231ea1ece83104a4385579d98fbf88a145413fd Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 28 Aug 2023 19:42:21 +0000 Subject: [PATCH 039/713] mirror/base: Send cron mails to root --- roles/mirror/base/tasks/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/mirror/base/tasks/main.yml b/roles/mirror/base/tasks/main.yml index fbeeac4..513291c 100644 --- a/roles/mirror/base/tasks/main.yml +++ b/roles/mirror/base/tasks/main.yml @@ -75,6 +75,13 @@ owner: root group: root +- name: Send cron mails to root + ansible.builtin.cron: + name: MAILTO + job: root + env: true + user: mirror + - name: Create mirror cron job ansible.builtin.cron: name: sync-mirrors From 3a39e40710bc7d8cdfc7a61fa955e862d88c46bc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 12 Sep 2023 16:36:35 +0000 Subject: [PATCH 040/713] Increase memory size on mail hosts --- group_vars/mail.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/mail.yml b/group_vars/mail.yml index 43e2603..ebf99cb 100644 --- a/group_vars/mail.yml +++ b/group_vars/mail.yml @@ -1,7 +1,7 @@ --- datadisks: - {size: 10, type: nvme} - +mem_size: 4192 firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 25} From 0d621444c91afe8c8e1d3e45b0f6540d885090f0 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Tue, 12 Sep 2023 22:16:15 +0000 Subject: [PATCH 041/713] nginx/site: Move static data to static01 --- roles/nginx/site/templates/www.foo.sh.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nginx/site/templates/www.foo.sh.conf.j2 b/roles/nginx/site/templates/www.foo.sh.conf.j2 index ad34c06..c3af36f 100644 --- a/roles/nginx/site/templates/www.foo.sh.conf.j2 +++ b/roles/nginx/site/templates/www.foo.sh.conf.j2 @@ -3,9 +3,9 @@ } location /roles/ { - proxy_pass https://static02.home.foo.sh/roles/; + proxy_pass https://static01.home.foo.sh/roles/; } location /~ { - proxy_pass https://static02.home.foo.sh/~; + proxy_pass https://static01.home.foo.sh/~; } From c077b5a41a9bb8069d5e3791e36504df8bdcd043 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 12 Sep 2023 22:16:36 +0000 Subject: [PATCH 042/713] node_exporter: Fix service name from restart --- roles/node_exporter/handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/node_exporter/handlers/main.yml b/roles/node_exporter/handlers/main.yml index f522d75..5018dae 100644 --- a/roles/node_exporter/handlers/main.yml +++ b/roles/node_exporter/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: Restart node_exporter ansible.builtin.service: - name: "{{ node_exporter_package }}" + name: "{{ node_exporter_service }}" state: restarted From f701cfd4c9f7b90cedfa9ad2f52106fab5c6cbdb Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 16 Sep 2023 19:18:09 +0000 Subject: [PATCH 043/713] ansible_host: Remove python 3.11 netaddr kludge --- roles/ansible_host/tasks/main.yml | 24 ++---------------------- 1 file changed, 2 insertions(+), 22 deletions(-) diff --git a/roles/ansible_host/tasks/main.yml b/roles/ansible_host/tasks/main.yml index 486e145..a5f93f1 100644 --- a/roles/ansible_host/tasks/main.yml +++ b/roles/ansible_host/tasks/main.yml 
@@ -8,27 +8,7 @@ - ansible-collection-ansible-posix - ansible-collection-community-general - python3.11-dns # required for lookup('dig', 'hostname') - - python3-netaddr # required by iptables role - -- name: Create python3.11 lib directories - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0755 - owner: root - group: "{{ ansible_wheel }}" - with_items: - - /usr/local/lib/python3.11 - - /usr/local/lib/python3.11/site-packages - -- name: Kludge to add netaddr to python3.11 until package is released - ansible.builtin.copy: - dest: /usr/local/lib/python3.11/site-packages/netaddr - src: /usr/lib/python3.9/site-packages/netaddr - mode: preserve - owner: root - group: "{{ ansible_wheel }}" - remote_src: true + - python3.11-netaddr # required by iptables role - name: Create private directory and force permissions ansible.builtin.file: @@ -55,7 +35,7 @@ - name: Clone ansible repository ansible.builtin.git: dest: /srv/ansible - repo: https://git.foo.sh/ansible.git + repo: https://git.foo.sh/foo.sh/ansible.git update: false version: master From b2339cd877cfdd1727c4fa0fa816effe9c71c5c5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 18 Sep 2023 16:09:08 +0000 Subject: [PATCH 044/713] mirror/thinlinc: Fix updating server packages --- roles/mirror/thinlinc/files/sync-thinlinc-repo.sh | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh b/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh index 5c20723..fc0d3d2 100755 --- a/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh +++ b/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh 
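Review bot: The kludge tasks are deleted but nothing removes `/usr/local/lib/python3.11/site-packages/netaddr` from hosts that already received the copy, and on RHEL-family Python the `/usr/local/lib/python3.11/site-packages` directory is typically searched before `/usr/lib/python3.11/site-packages`, so the stale python3.9 copy would presumably keep shadowing the new `python3.11-netaddr` package. A cleanup task using `ansible.builtin.file` with `path: /usr/local/lib/python3.11/site-packages/netaddr` and `state: absent` next to the package install would complete the migration. The enclosing package task starts outside the hunk.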
@@ -39,9 +39,7 @@ if [ ! -f "${REPODIR}/${PKGNAME}" ]; then echo "Downloading server package:" curl -sfo "$tmpfile" "${BASEURL}/downloads/server/tl-${VERSION}-server.zip" echo "Extracting server rpm files:" - unzip -jfvd "$REPODIR" "$tmpfile" \*.rpm - echo "Cleaning up..." - echo "" + unzip -jd "$REPODIR" "$tmpfile" \*.rpm echo "Downloading client rpm package:" curl -sfo "${REPODIR}/${PKGNAME}" "${LOCATION}" @@ -50,4 +48,3 @@ if [ ! -f "${REPODIR}/${PKGNAME}" ]; then createrepo_c "${REPODIR}" echo "" fi - From 9770232f66b0dd6672c23e98e4c6df2f4b014204 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 19 Sep 2023 06:27:25 +0000 Subject: [PATCH 045/713] thinlinc_server: Changes to support version 4.15.0 --- roles/thinlinc_server/files/tl-setup.local.sh | 2 ++ roles/thinlinc_server/tasks/main.yml | 11 ++--------- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/roles/thinlinc_server/files/tl-setup.local.sh b/roles/thinlinc_server/files/tl-setup.local.sh index c657426..118350e 100755 --- a/roles/thinlinc_server/files/tl-setup.local.sh +++ b/roles/thinlinc_server/files/tl-setup.local.sh @@ -1,5 +1,7 @@ #!/bin/sh +set -eu + cat < /root/tl-setup.answer install-pygtk=yes email-address=adm@foo.sh diff --git a/roles/thinlinc_server/tasks/main.yml b/roles/thinlinc_server/tasks/main.yml index 554e527..76a2b43 100644 --- a/roles/thinlinc_server/tasks/main.yml +++ b/roles/thinlinc_server/tasks/main.yml @@ -5,6 +5,7 @@ state: installed with_items: - gtk3 + - librsvg2 - polkit - python3 - python3-gobject @@ -19,16 +20,8 @@ - name: Install packages ansible.builtin.package: - name: "{{ item }}" + name: "thinlinc-server" state: installed - with_items: - - thinlinc-tladm - - thinlinc-tlmisc - - thinlinc-tlmisc-libs - - thinlinc-tlprinter - - thinlinc-vnc-server - - thinlinc-vsm - - thinlinc-webaccess - name: Run ThinLinc setup ansible.builtin.script: From a92546e6673a3144a446e4ef38c5c907deacb197 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sun, 8 Oct 2023 16:02:27 +0000 Subject: [PATCH 046/713] php4dvd: Install updates when available --- roles/php4dvd/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/php4dvd/tasks/main.yml b/roles/php4dvd/tasks/main.yml index 7728945..cfc53f6 100644 --- a/roles/php4dvd/tasks/main.yml +++ b/roles/php4dvd/tasks/main.yml @@ -14,7 +14,7 @@ ansible.builtin.git: dest: /usr/local/src/docker-php4dvd repo: https://github.com/foo-sh/docker-php4dvd.git - update: false + update: true version: master notify: Rebuild php4dvd-container From c653ac3f2f0e867880c1e363787a83359b9a6d1d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 8 Oct 2023 16:06:42 +0000 Subject: [PATCH 047/713] kdc: Keep container up to date --- roles/kdc/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/kdc/tasks/main.yml b/roles/kdc/tasks/main.yml index a2dcd3b..bb7a39f 100644 --- a/roles/kdc/tasks/main.yml +++ b/roles/kdc/tasks/main.yml @@ -14,7 +14,7 @@ ansible.builtin.git: dest: /usr/local/src/docker-kdc repo: https://github.com/foo-sh/docker-kdc.git - update: false + update: true version: main notify: Rebuild kdc-container From 42f725d6f87f803d38f2b65f458a083436dd43f8 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 8 Oct 2023 16:09:31 +0000 Subject: [PATCH 048/713] authcheck: Keep container up to date --- roles/authcheck/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/authcheck/tasks/main.yml b/roles/authcheck/tasks/main.yml index 222d5b4..36d96fa 100644 --- a/roles/authcheck/tasks/main.yml +++ b/roles/authcheck/tasks/main.yml @@ -14,7 +14,7 @@ ansible.builtin.git: dest: /usr/local/src/docker-authcheck repo: https://github.com/foo-sh/docker-authcheck.git - update: false + update: true version: main notify: Rebuild authcheck-container From 0db76e1481822a8c61fcfad4a6aca420b035ba4a Mon Sep 17 00:00:00 2001 
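Review bot: Switching to `update: true` while `version: master` tracks a moving branch means every playbook run pulls whatever is currently at the head of the public `foo-sh/docker-php4dvd` repository and, via `notify: Rebuild php4dvd-container`, rebuilds and redeploys it with no pin or review step; the kdc and authcheck hunks below do the same with `version: main`. For a KDC and an authentication checker that is a notable supply-chain exposure: a mistaken or malicious push to the branch ends up running on the host at the next run. Pinning `version:` to a tag or commit hash that is bumped deliberately (the way the version strings in hosts.yml are) keeps the automatic-rebuild benefit while making the deployed revision explicit; if tracking the branch is intended, a comment next to `update: true` saying so would help the next reader.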
From: Timo Makinen Date: Tue, 10 Oct 2023 18:47:13 +0000 Subject: [PATCH 049/713] nginx/server: Update nginx to 1.22 on rhel hosts --- roles/nginx/server/tasks/main.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/nginx/server/tasks/main.yml b/roles/nginx/server/tasks/main.yml index 33fc042..d30b37e 100644 --- a/roles/nginx/server/tasks/main.yml +++ b/roles/nginx/server/tasks/main.yml @@ -2,18 +2,19 @@ - name: Include OS-specific variables ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" -- name: Enable nginx:120 module +- name: Enable nginx:122 module ansible.builtin.command: argv: - dnf - module - -y - enable - - nginx:1.20 + - nginx:1.22 creates: /etc/dnf/modules.d/nginx.module + notify: Restart nginx when: - ansible_os_family == "RedHat" - - ansible_distribution_major_version | int == 8 + - ansible_distribution_major_version | int >= 8 - ansible_distribution != "Fedora" - name: Install packages From d7b9f69dd0db27cbce5ea2c1186bc3462307cb27 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 11 Oct 2023 20:28:42 +0000 Subject: [PATCH 050/713] Update software versions --- hosts.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/hosts.yml b/hosts.yml index 7c55f68..5b738a1 100644 --- a/hosts.yml +++ b/hosts.yml @@ -21,7 +21,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.20.2" + gitea_version: "1.20.5" gitearunner: hosts: gitea-runner02.home.foo.sh: @@ -31,7 +31,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2023.8.2" + homeassistant_version: "2023.10.1" homeassistant_integrations: - name: electrolux_status repo: https://github.com/mauro-midolo/homeassistant_electrolux_status.git 
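Review bot: Bumping the stream to `nginx:1.22` will not take effect on hosts that already enabled `nginx:1.20`, because the task is guarded by `creates: /etc/dnf/modules.d/nginx.module` and that file exists once any nginx stream is enabled, so the command is skipped and the new `notify: Restart nginx` never fires there. Consider replacing the `creates:` guard with an explicit check, e.g. register the output of `dnf module list --enabled nginx` and run `dnf module switch-to -y nginx:1.22` when 1.22 is not listed, or at least document that already-provisioned hosts need the stream switched by hand. The widened `>= 8` condition also brings RHEL 9-family hosts into scope; I can't tell from the hunk whether they offer a `nginx:1.22` stream, so worth confirming before a run touches them.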
@@ -78,9 +78,9 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "10.0.3" - rocketchat_version: "6.31" - roundcube_version: "1.6.1" + grafana_version: "10.1.4" + rocketchat_version: "6.4.1" + roundcube_version: "1.6.3" print: hosts: print01.home.foo.sh: From eb90c60317a6679eb805e6591b440c243f1d7525 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 11 Oct 2023 20:37:21 +0000 Subject: [PATCH 051/713] Update gitea_runner --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 5b738a1..c056a2c 100644 --- a/hosts.yml +++ b/hosts.yml @@ -26,7 +26,7 @@ gitearunner: hosts: gitea-runner02.home.foo.sh: vars: - gitea_runner_version: "0.2.5" + gitea_runner_version: "0.2.6" homeassistant: hosts: homeassistant01.home.foo.sh: From 04e140c8d535b5ec71340e8991ea25f3d087bdcd Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 12 Oct 2023 16:33:52 +0000 Subject: [PATCH 052/713] php4dvd: lint fixes --- roles/php4dvd/tasks/main.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/php4dvd/tasks/main.yml b/roles/php4dvd/tasks/main.yml index cfc53f6..85b1042 100644 --- a/roles/php4dvd/tasks/main.yml +++ b/roles/php4dvd/tasks/main.yml @@ -22,7 +22,7 @@ ansible.builtin.template: dest: /etc/systemd/system/php4dvd-container.service src: php4dvd-container.service.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -30,7 +30,7 @@ ansible.builtin.template: dest: /etc/sysconfig/php4dvd-container src: php4dvd-container.sysconfig.j2 - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" notify: Restart php4dvd-container @@ -48,8 +48,7 @@ location /php4dvd { proxy_pass http://127.0.0.1:8005/; } - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx - From baab3192b0c604052b7adf834fd33873a4fd7d23 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Thu, 12 Oct 2023 17:56:44 +0000 Subject: [PATCH 053/713] prometheus: Make version configurable --- roles/prometheus/tasks/main.yml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index 7ec1353..8f9face 100644 --- a/roles/prometheus/tasks/main.yml +++ b/roles/prometheus/tasks/main.yml @@ -16,7 +16,12 @@ - name: Extract package ansible.builtin.unarchive: - src: https://github.com/prometheus/prometheus/releases/download/v2.45.0/prometheus-2.45.0.linux-amd64.tar.gz + src: >- + {{ + "https://github.com/prometheus/prometheus/releases/download/v" + + prometheus_version + "/prometheus-" + prometheus_version + + ".linux-amd64.tar.gz" + }} dest: /usr/local/src owner: root group: "{{ ansible_wheel }}" @@ -25,11 +30,13 @@ - name: Copy binaries ansible.builtin.copy: dest: "/usr/local/sbin/{{ item }}" - src: "/usr/local/src/prometheus-2.45.0.linux-amd64/{{ item }}" + src: >- + /usr/local/src/prometheus-{{ prometheus_version }}.linux-amd64/{{ item }} mode: "0755" owner: root group: "{{ ansible_wheel }}" remote_src: true + notify: Restart prometheus with_items: - promtool - prometheus @@ -109,7 +116,7 @@ location / { proxy_pass http://127.0.0.1:9090; } - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx From 77df67fd664916f09a0af5d7e940eb38a306532a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 12 Oct 2023 18:04:49 +0000 Subject: [PATCH 054/713] gitea: Linting and use .bashrc instead of .profile --- roles/gitea/defaults/main.yml | 6 +++++- roles/gitea/tasks/main.yml | 17 +++++++++-------- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml index 6a37123..8581431 100644 --- a/roles/gitea/defaults/main.yml +++ b/roles/gitea/defaults/main.yml 
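Review bot: The tarball addressed by `prometheus_version` is fetched and extracted by `ansible.builtin.unarchive` with no integrity check, so a tampered or truncated download is installed as-is and copied into `/usr/local/sbin` by the next hunk; the gitea role in this same series verifies its download with `checksum: "sha256:{{ gitea_url }}.sha256"`, and Prometheus releases ship a `sha256sums.txt` that `get_url` can consume the same way. Splitting the task into a `get_url` with `checksum:` followed by an `unarchive` with `remote_src: true` closes that gap, sketched below. Separately, the diffstat touches only `tasks/main.yml`, so `prometheus_version` has no role default and any inventory that does not set it now fails at this task; adding `roles/prometheus/defaults/main.yml` with the previous `2.45.0` would keep existing runs working.
```yaml
- name: Download package
  ansible.builtin.get_url:
    url: >-
      https://github.com/prometheus/prometheus/releases/download/v{{ prometheus_version }}/prometheus-{{ prometheus_version }}.linux-amd64.tar.gz
    checksum: >-
      sha256:https://github.com/prometheus/prometheus/releases/download/v{{ prometheus_version }}/sha256sums.txt
    dest: "/usr/local/src/prometheus-{{ prometheus_version }}.linux-amd64.tar.gz"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"

- name: Extract package
  ansible.builtin.unarchive:
    src: "/usr/local/src/prometheus-{{ prometheus_version }}.linux-amd64.tar.gz"
    remote_src: true
    dest: /usr/local/src
    owner: root
    group: "{{ ansible_wheel }}"
# … unchanged: Copy binaries task …
```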
@@ -1,2 +1,6 @@ --- -gitea_url: "https://dl.gitea.com/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-{{ ansible_system | lower }}-amd64" +gitea_url: >- + {{ + "https://dl.gitea.com/gitea/" + gitea_version + "/gitea-" + + gitea_version + "-" + ansible_system | lower + "-amd64" + }} diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index 5ef87c0..2eafa5e 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml @@ -4,7 +4,7 @@ url: "{{ gitea_url }}" checksum: "sha256:{{ gitea_url }}.sha256" dest: /usr/local/bin/gitea - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" notify: Restart gitea @@ -28,7 +28,7 @@ ansible.builtin.file: path: /etc/gitea state: directory - mode: 0750 + mode: "0750" owner: root group: gitea @@ -36,7 +36,7 @@ ansible.builtin.template: dest: /etc/gitea/app.ini src: app.ini.j2 - mode: 0640 + mode: "0640" owner: root group: gitea notify: Restart gitea @@ -45,7 +45,7 @@ ansible.builtin.file: path: /export/gitea state: directory - mode: 0750 + mode: "0750" owner: gitea group: gitea @@ -62,7 +62,7 @@ ansible.builtin.copy: dest: /etc/systemd/system/gitea.service src: gitea.service - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart gitea @@ -87,14 +87,15 @@ location / { proxy_pass http://127.0.0.1:3000; } - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx - name: Add gitea alias for root ansible.builtin.blockinfile: - path: /root/.bash_profile + path: /root/.bashrc block: | # run gitea as gitea user - alias gitea='sudo -u gitea HOME=/srv/gitea GITEA_WORK_DIR=/srv/gitea /usr/local/bin/gitea -c /etc/gitea/app.ini' + alias gitea='sudo -u gitea HOME=/srv/gitea GITEA_WORK_DIR=/srv/gitea \ + /usr/local/bin/gitea -c /etc/gitea/app.ini' From e7f363cda58eeba0168387f140721db4894cabae Mon Sep 17 00:00:00 2001 
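Review bot: Moving the blockinfile from `/root/.bash_profile` to `/root/.bashrc` leaves the previously managed block in place on hosts that already have it, because blockinfile only edits the path it is given; the stale alias in `.bash_profile` will keep working but is now unmanaged and will drift from this one. A second task with `path: /root/.bash_profile`, the same marker and `state: absent` removes it, and can be dropped once all hosts have run. The defaults hunk above reads correctly as far as Jinja precedence goes: `| lower` binds to `ansible_system` alone, matching the old inline template.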
From: Timo Makinen Date: Thu, 12 Oct 2023 18:06:57 +0000 Subject: [PATCH 055/713] websockify: Lint fixes --- roles/websockify/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/websockify/tasks/main.yml b/roles/websockify/tasks/main.yml index 27d1ba0..1388e87 100644 --- a/roles/websockify/tasks/main.yml +++ b/roles/websockify/tasks/main.yml @@ -23,7 +23,7 @@ ansible.builtin.template: dest: /etc/websockify.conf src: websockify.conf.j2 - mode: 0640 + mode: "0640" owner: root group: websock notify: Restart websockify @@ -32,7 +32,7 @@ ansible.builtin.copy: dest: /etc/rc.d/websockify src: rc.websockify - mode: 0555 + mode: "0555" owner: root group: "{{ ansible_wheel }}" notify: Restart websockify From ae000b791b6def0f7baafb45a816c0fd82c70c08 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 12 Oct 2023 18:08:07 +0000 Subject: [PATCH 056/713] mosquitto: Lint fixes --- roles/mosquitto/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/mosquitto/tasks/main.yml b/roles/mosquitto/tasks/main.yml index 44a1681..5e29a25 100644 --- a/roles/mosquitto/tasks/main.yml +++ b/roles/mosquitto/tasks/main.yml @@ -15,7 +15,7 @@ ansible.builtin.file: path: /etc/mosquitto/conf.d state: directory - mode: 0750 + mode: "0750" owner: root group: _mosquitto @@ -30,7 +30,7 @@ ansible.builtin.template: dest: /etc/mosquitto/conf.d/local.conf src: mosquitto.conf.j2 - mode: 0640 + mode: "0640" owner: root group: _mosquitto notify: Restart mosquitto @@ -39,7 +39,7 @@ ansible.builtin.copy: dest: /etc/mosquitto/acl.conf src: "{{ ansible_private }}/files/mosquitto/acl.conf" - mode: 0640 + mode: "0640" owner: root group: _mosquitto notify: Restart mosquitto @@ -48,7 +48,7 @@ ansible.builtin.copy: dest: /etc/mosquitto/passwd src: "{{ ansible_private }}/files/mosquitto/passwd" - mode: 0640 + mode: "0640" owner: root group: _mosquitto notify: Restart mosquitto 
From ee2f2154be41742abbc7bf9a3bcff23bf55ccd22 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 12 Oct 2023 18:08:59 +0000 Subject: [PATCH 057/713] spamassassin: Lint fixes --- roles/spamassassin/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/spamassassin/tasks/main.yml b/roles/spamassassin/tasks/main.yml index efd698c..93310d5 100644 --- a/roles/spamassassin/tasks/main.yml +++ b/roles/spamassassin/tasks/main.yml @@ -8,7 +8,7 @@ ansible.builtin.copy: dest: /etc/mail/spamassassin/local.cf src: local.cf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart spamassassin From ee25d32b604c932b79b11b0b29abda0a823cb435 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 12 Oct 2023 18:09:44 +0000 Subject: [PATCH 058/713] relayd: Lint fixes --- roles/relayd/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/relayd/tasks/main.yml b/roles/relayd/tasks/main.yml index 35befda..1e82b13 100644 --- a/roles/relayd/tasks/main.yml +++ b/roles/relayd/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.template: dest: /etc/relayd.conf src: relayd.conf.j2 - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" validate: "relayd -n -f %s" From 70cdfd46128bda97d89de550fe258c51c7be6de2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 12 Oct 2023 18:32:40 +0000 Subject: [PATCH 059/713] mirror: Lint fixes --- playbooks/mirror.yml | 28 +++++++++++----------- roles/mirror/base/tasks/main.yml | 12 +++++----- roles/mirror/reportmirror/tasks/main.yml | 7 +++--- roles/mirror/sync/defaults/main.yml | 4 ++-- roles/mirror/sync/tasks/main.yml | 14 +++++------ roles/mirror/sync/templates/mirror.conf.j2 | 6 ++--- roles/mirror/thinlinc/tasks/main.yml | 4 ++-- 7 files changed, 38 insertions(+), 37 deletions(-) diff --git a/playbooks/mirror.yml b/playbooks/mirror.yml index 7300be7..18dc167 100644 --- a/playbooks/mirror.yml +++ b/playbooks/mirror.yml 
@@ -33,19 +33,19 @@ sitename: foo.sh password: "{{ report_mirror_pass }}" - role: mirror/sync - label: fedora-epel - source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\ - fedora.redhat.com/pub/epel" - rsyncoptions: + mirror_label: fedora-epel + mirror_source: + "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/fedora.redhat.com/pub/epel" + mirror_rsyncoptions: - "--exclude=SRPMS" - "--exclude=debug" - "--delete-excluded" - postcmd: python3 /usr/local/bin/report_mirror + mirror_postcmd: python3 /usr/local/bin/report_mirror - role: mirror/sync - label: fedora - source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\ - fedora.redhat.com/pub/fedora/linux/" - rsyncoptions: + mirror_label: fedora + mirror_source: + "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/fedora.redhat.com/pub/fedora/linux/" + mirror_rsyncoptions: - "--exclude=/atomic" - "--exclude=/development" - "--exclude=/releases/test" @@ -58,12 +58,12 @@ - "--exclude=armhfp" - "--exclude=debug" - "--delete-excluded" - postcmd: python3 /usr/local/bin/report_mirror + mirror_postcmd: python3 /usr/local/bin/report_mirror - role: mirror/sync - label: openbsd - source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\ - ftp.openbsd.org/pub/OpenBSD/" - rsyncoptions: + mirror_label: openbsd + mirror_source: + "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/ftp.openbsd.org/pub/OpenBSD/" + mirror_rsyncoptions: - "--include=/?.?/" - "--include=/?.?/amd64/" - "--include=/?.?/amd64/*" diff --git a/roles/mirror/base/tasks/main.yml b/roles/mirror/base/tasks/main.yml index 513291c..66ec50a 100644 --- a/roles/mirror/base/tasks/main.yml +++ b/roles/mirror/base/tasks/main.yml @@ -23,7 +23,7 @@ ansible.builtin.file: path: /export/mirrors state: directory - mode: 0755 + mode: "0755" owner: root group: root @@ -44,7 +44,7 @@ ansible.builtin.file: path: /etc/sync-mirrors state: directory - mode: 0755 + mode: "0755" owner: root group: root 
@@ -52,7 +52,7 @@ ansible.builtin.file: path: "{{ item }}" state: directory - mode: 0755 + mode: "0755" owner: mirror group: mirror with_items: @@ -63,7 +63,7 @@ ansible.builtin.copy: dest: /usr/lib/tmpfiles.d/sync-mirrors.conf content: "d /run/sync-mirrors 0755 mirror mirror\n" - mode: 0644 + mode: "0644" owner: root group: root @@ -71,7 +71,7 @@ ansible.builtin.copy: dest: /usr/local/bin/sync-mirrors src: sync-mirrors - mode: 0755 + mode: "0755" owner: root group: root @@ -110,7 +110,7 @@ ansible.builtin.template: src: mirror.conf.j2 dest: /etc/httpd/conf.local.d/mirror.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart apache diff --git a/roles/mirror/reportmirror/tasks/main.yml b/roles/mirror/reportmirror/tasks/main.yml index 193fa2e..487027d 100644 --- a/roles/mirror/reportmirror/tasks/main.yml +++ b/roles/mirror/reportmirror/tasks/main.yml @@ -8,13 +8,14 @@ ansible.builtin.git: dest: /usr/local/src/report_mirror repo: https://github.com/fedora-infra/mirrormanager2.git + update: true version: master - name: Install reportmirror script ansible.builtin.copy: dest: /usr/local/bin/report_mirror src: /usr/local/src/report_mirror/client/report_mirror - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" remote_src: true @@ -23,7 +24,7 @@ ansible.builtin.file: dest: /etc/mirrormanager-client state: directory - mode: 0750 + mode: "0750" owner: root group: mirror @@ -31,6 +32,6 @@ ansible.builtin.template: dest: /etc/mirrormanager-client/report_mirror.conf src: report_mirror.conf.j2 - mode: 0640 + mode: "0640" owner: root group: mirror diff --git a/roles/mirror/sync/defaults/main.yml b/roles/mirror/sync/defaults/main.yml index 264336b..58b887d 100644 --- a/roles/mirror/sync/defaults/main.yml +++ b/roles/mirror/sync/defaults/main.yml @@ -1,3 +1,3 @@ --- -rsyncoptions: [] -postcmd: "" +mirror_rsyncoptions: [] +mirror_postcmd: "" 
diff --git a/roles/mirror/sync/tasks/main.yml b/roles/mirror/sync/tasks/main.yml index ab8c46d..168271d 100644 --- a/roles/mirror/sync/tasks/main.yml +++ b/roles/mirror/sync/tasks/main.yml @@ -1,24 +1,24 @@ --- -- name: Create config for {{ label }} +- name: Create config for {{ mirror_label }} ansible.builtin.template: - dest: "/etc/sync-mirrors/{{ label }}.conf" + dest: "/etc/sync-mirrors/{{ mirror_label }}.conf" src: mirror.conf.j2 - mode: 0644 + mode: "0644" owner: root group: root - name: Create target directory ansible.builtin.file: - path: "/srv/mirrors/{{ label }}" + path: "/srv/mirrors/{{ mirror_label }}" state: directory - mode: 0755 + mode: "0755" owner: mirror group: mirror - name: Link target directory to web ansible.builtin.file: - path: "/srv/web/{{ inventory_hostname }}/{{ label }}" - src: "/srv/mirrors/{{ label }}" + path: "/srv/web/{{ inventory_hostname }}/{{ mirror_label }}" + src: "/srv/mirrors/{{ mirror_label }}" state: link owner: mirror group: mirror diff --git a/roles/mirror/sync/templates/mirror.conf.j2 b/roles/mirror/sync/templates/mirror.conf.j2 index f605577..ab2b6ac 100644 --- a/roles/mirror/sync/templates/mirror.conf.j2 +++ b/roles/mirror/sync/templates/mirror.conf.j2 @@ -1,3 +1,3 @@ -SRC="{{ source }}" -RSYNCOPTS="{{ rsyncoptions | join(' ') }}" -POSTCMD="{{ postcmd }}" +SRC="{{ mirror_source }}" +RSYNCOPTS="{{ mirror_rsyncoptions | join(' ') }}" +POSTCMD="{{ mirror_postcmd }}" diff --git a/roles/mirror/thinlinc/tasks/main.yml b/roles/mirror/thinlinc/tasks/main.yml index 78e0525..2fb0edc 100644 --- a/roles/mirror/thinlinc/tasks/main.yml +++ b/roles/mirror/thinlinc/tasks/main.yml @@ -11,7 +11,7 @@ ansible.builtin.file: path: /srv/mirrors/thinlinc state: directory - mode: 0755 + mode: "0755" owner: mirror group: mirror @@ -28,7 +28,7 @@ ansible.builtin.copy: dest: /usr/local/bin/sync-thinlinc-repo src: sync-thinlinc-repo.sh - mode: 0755 + mode: "0755" owner: root group: root 
From 5f170a6cafd46f2602236fbe197dbd2181971e79 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 12 Oct 2023 18:36:43 +0000 Subject: [PATCH 060/713] mirror: Lint fixes --- playbooks/mirror.yml | 8 ++++---- roles/mirror/reportmirror/defaults/main.yml | 4 ++-- .../reportmirror/templates/report_mirror.conf.j2 | 10 +++++----- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/playbooks/mirror.yml b/playbooks/mirror.yml index 18dc167..4ae2bab 100644 --- a/playbooks/mirror.yml +++ b/playbooks/mirror.yml @@ -28,10 +28,10 @@ - mirror/base - mirror/thinlinc - role: mirror/reportmirror - hostname: mirrors.foo.sh - mirrors: [epel, fedora] - sitename: foo.sh - password: "{{ report_mirror_pass }}" + mirror_hostname: mirrors.foo.sh + mirror_mirrors: [epel, fedora] + mirror_sitename: foo.sh + mirror_password: "{{ report_mirror_pass }}" - role: mirror/sync mirror_label: fedora-epel mirror_source: diff --git a/roles/mirror/reportmirror/defaults/main.yml b/roles/mirror/reportmirror/defaults/main.yml index c2ae745..79a2016 100644 --- a/roles/mirror/reportmirror/defaults/main.yml +++ b/roles/mirror/reportmirror/defaults/main.yml @@ -1,4 +1,4 @@ --- -hostname: "{{ inventory_hostname }}" -mirrors: [] +mirror_hostname: "{{ inventory_hostname }}" +mirror_mirrors: [] diff --git a/roles/mirror/reportmirror/templates/report_mirror.conf.j2 b/roles/mirror/reportmirror/templates/report_mirror.conf.j2 index ae793f3..59d4dbb 100644 --- a/roles/mirror/reportmirror/templates/report_mirror.conf.j2 +++ b/roles/mirror/reportmirror/templates/report_mirror.conf.j2 @@ -11,8 +11,8 @@ enabled=1 # Name and Password fields need to match the Site name and password # fields you entered for your Site in the MirrorManager database at # https://admin.fedoraproject.org/mirrormanager -name={{ sitename }} -password={{ password }} +name={{ mirror_sitename }} +password={{ mirror_password }} [host] # if enabled=0, no data about this host is sent to the database 
@@ -20,7 +20,7 @@ enabled=1 # Name field need to match the Host name field you entered for your # Host in the MirrorManager database at # https://admin.fedoraproject.org/mirrormanager -name={{ hostname }} +name={{ mirror_hostname }} # if user_active=0, no data about this category is given to the public # This can be used to toggle between serving and not serving data, # such enabled during the nighttime (when you have more idle bandwidth @@ -52,7 +52,7 @@ rsyncd=/var/log/rsyncd.log # path= is the path on your local disk to the top-level directory for this Category [Fedora Linux] -{% if "fedora" in mirrors %} +{% if "fedora" in mirror_mirrors %} enabled=1 {% else %} enabled=0 @@ -60,7 +60,7 @@ enabled=0 path=/srv/mrirors/fedora [Fedora EPEL] -{% if "epel" in mirrors %} +{% if "epel" in mirror_mirrors %} enabled=1 {% else %} enabled=0 From 86a7b60b46afd16d9adf22e7156a1b74f065bba7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 12 Oct 2023 18:40:02 +0000 Subject: [PATCH 061/713] cups_server: Lint fixes --- roles/cups_server/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/cups_server/tasks/main.yml b/roles/cups_server/tasks/main.yml index 418a672..5b98c24 100644 --- a/roles/cups_server/tasks/main.yml +++ b/roles/cups_server/tasks/main.yml @@ -8,7 +8,7 @@ ansible.builtin.file: path: /etc/systemd/system/cups.service.d state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -16,7 +16,7 @@ ansible.builtin.copy: dest: /etc/systemd/system/cups.service.d/keytab.conf content: "[Service]\nEnvironment=KRB5_KTNAME=FILE:/etc/cups/cups.keytab\n" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -111,7 +111,7 @@ ansible.builtin.copy: dest: "/usr/share/cups/www/{{ item }}" src: "{{ item }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" with_items: 
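Review bot: The context line `path=/srv/mrirors/fedora` beside the renamed `mirror_mirrors` check looks like a typo for `/srv/mirrors/fedora`, which is the directory the mirror/sync role creates as `/srv/mirrors/{{ mirror_label }}` with `mirror_label: fedora` in playbooks/mirror.yml; as written, report_mirror would describe the Fedora category against a path that does not exist. It is outside the lines this commit changes, but since the block is being touched anyway it is worth fixing in the same pass: `path=/srv/mirrors/fedora`. The rename itself is consistent between playbook, defaults and template.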
@@ -122,7 +122,7 @@ ansible.builtin.copy: dest: /usr/share/cups/templates/header.tmpl src: header.tmpl - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" From 1e973b3dde5209fda62a0a915cd66af22729cb1c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 12 Oct 2023 18:41:57 +0000 Subject: [PATCH 062/713] gitea_runner: Update config to latest version --- roles/gitea_runner/files/config.yml | 2 +- roles/gitea_runner/tasks/main.yml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/gitea_runner/files/config.yml b/roles/gitea_runner/files/config.yml index bd7abba..641665f 100644 --- a/roles/gitea_runner/files/config.yml +++ b/roles/gitea_runner/files/config.yml @@ -41,7 +41,7 @@ cache: container: # Which network to use for the job containers. Could be bridge, host, none, # or the name of a custom network. - network_mode: bridge + network: bridge # Whether to use privileged mode or not when launching task containers # (privileged mode is required for Docker-in-Docker). privileged: false diff --git a/roles/gitea_runner/tasks/main.yml b/roles/gitea_runner/tasks/main.yml index 740a914..9a6eedb 100644 --- a/roles/gitea_runner/tasks/main.yml +++ b/roles/gitea_runner/tasks/main.yml @@ -30,7 +30,7 @@ "-" + ansible_system | lower + "-amd64" }} dest: /usr/local/bin/act_runner - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" notify: Restart act_runner @@ -39,7 +39,7 @@ ansible.builtin.file: path: /var/lib/act_runner state: directory - mode: 0750 + mode: "0750" owner: root group: act_runner @@ -56,7 +56,7 @@ ansible.builtin.copy: dest: /var/lib/act_runner/config.yml src: config.yml - mode: 0640 + mode: "0640" owner: root group: act_runner notify: Restart act_runner @@ -65,7 +65,7 @@ ansible.builtin.file: path: /var/lib/act_runner/.cache state: directory - mode: 0770 + mode: "0770" owner: root group: act_runner notify: Restart act_runner 
@@ -74,7 +74,7 @@ ansible.builtin.copy: dest: /etc/systemd/system/act_runner.service src: act_runner.service - mode: 0644 + mode: "0644" owner: root group: root From 86d076ebc6d42adf7fdc3eedc9fb7db3d8daee32 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Thu, 12 Oct 2023 19:14:54 +0000 Subject: [PATCH 063/713] Fix "Forbidden implicit octal value" lint errors --- roles/ansible_host/tasks/main.yml | 6 ++--- roles/apache/tasks/main.yml | 6 ++--- roles/authcheck/tasks/main.yml | 4 +-- roles/autofs/tasks/main.yml | 6 ++--- roles/backup_server/tasks/main.yml | 6 ++--- roles/base/tasks/OpenBSD.yml | 8 +++--- roles/base/tasks/RedHat.yml | 2 +- roles/base/tasks/main.yml | 6 ++--- roles/certbot/tasks/main.yml | 6 ++--- roles/clamav/tasks/main.yml | 2 +- roles/collab/tasks/main.yml | 24 +++++++++--------- roles/dhcpd/tasks/main.yml | 2 +- roles/dhparams/tasks/main.yml | 2 +- roles/docker/tasks/main.yml | 6 ++--- roles/docker_distribution/tasks/main.yml | 10 ++++---- roles/dovecot/tasks/main.yml | 8 +++--- roles/git_server/tasks/main.yml | 10 ++++---- roles/gitea_runner/tasks/main.yml | 2 +- roles/grafana/tasks/main.yml | 10 ++++---- roles/grossd/tasks/main.yml | 4 +-- roles/homeassistant/tasks/main.yml | 12 ++++----- roles/ifstated/tasks/main.yml | 2 +- roles/influxdb/tasks/main.yml | 8 +++--- roles/iptables/tasks/main.yml | 2 +- roles/kadmin/tasks/main.yml | 2 +- roles/kdc/tasks/main.yml | 6 ++--- roles/kvm_host/tasks/main.yml | 4 +-- roles/ldap_gravatar/tasks/main.yml | 2 +- roles/ldap_netdb/tasks/main.yml | 2 +- roles/ldap_server/tasks/main.yml | 30 +++++++++++------------ roles/mariadb/tasks/main.yml | 16 ++++++------ roles/minecraft/tasks/main.yml | 16 ++++++------ roles/mod_auth_gssapi/tasks/main.yml | 4 +-- roles/mongodb/tasks/main.yml | 10 ++++---- roles/network/tasks/OpenBSD.yml | 6 ++--- roles/network/tasks/RedHat.yml | 4 +-- roles/network/tasks/main.yml | 2 +- roles/nfs_client/tasks/main.yml | 2 +- roles/nfs_server/tasks/main.yml | 2 +- roles/nftables/tasks/main.yml | 2 +- roles/nginx/server/tasks/main.yml | 8 +++--- roles/nginx/site/tasks/main.yml | 8 +++--- roles/nsd/tasks/main.yml | 8 +++--- roles/openbgpd/tasks/main.yml | 2 +- roles/opensmtpd/tasks/main.yml | 4 +-- 
roles/openvpn/tasks/main.yml | 14 +++++------ roles/pf/tasks/main.yml | 4 +-- roles/pki/tasks/main.yml | 12 ++++----- roles/podman/tasks/main.yml | 2 +- roles/rclone/tasks/main.yml | 8 +++--- roles/roles_lists/tasks/main.yml | 4 +-- roles/roundcube/tasks/main.yml | 12 ++++----- roles/rpm_build/tasks/main.yml | 4 +-- roles/rsync/client/tasks/main.yml | 4 +-- roles/rsync/server/tasks/main.yml | 8 +++--- roles/rsyslog/tasks/main.yml | 6 ++--- roles/rsyslog/tasks/udp-listen.yml | 2 +- roles/saslauthd/tasks/main.yml | 2 +- roles/selinux/tasks/main.yml | 2 +- roles/sendmail/tasks/main.yml | 14 +++++------ roles/sftpuser/tasks/main.yml | 2 +- roles/spamassassin_clamav/tasks/main.yml | 4 +-- roles/spamassassin_razor/tasks/main.yml | 2 +- roles/spamassassin_textcat/tasks/main.yml | 2 +- roles/ssh_known_hosts/tasks/main.yml | 2 +- roles/sssd/tasks/main.yml | 2 +- roles/syslogd/tasks/main.yml | 2 +- roles/syslogd/tasks/server.yml | 8 +++--- roles/telegraf/tasks/main.yml | 2 +- roles/tftp/tasks/main.yml | 6 ++--- roles/thinlinc_server/tasks/main.yml | 6 ++--- roles/unbound/tasks/main.yml | 2 +- roles/web_build/tasks/main.yml | 4 +-- roles/web_logs/tasks/main.yml | 8 +++--- roles/zoneminder/tasks/main.yml | 10 ++++---- 75 files changed, 227 insertions(+), 227 deletions(-) diff --git a/roles/ansible_host/tasks/main.yml b/roles/ansible_host/tasks/main.yml index a5f93f1..b13d9f3 100644 --- a/roles/ansible_host/tasks/main.yml +++ b/roles/ansible_host/tasks/main.yml @@ -15,7 +15,7 @@ path: /export/private owner: root group: root - mode: 0700 + mode: "0700" state: directory - name: Link private directory @@ -52,7 +52,7 @@ ansible.builtin.copy: src: nginx.conf dest: /etc/nginx/conf.d/{{ inventory_hostname }}/ansible.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx @@ -63,4 +63,4 @@ src: root-bashrc.sh owner: root group: "{{ ansible_wheel }}" - mode: 0600 + mode: "0600" 
diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml index 0dbdd6f..c2745ed 100644 --- a/roles/apache/tasks/main.yml +++ b/roles/apache/tasks/main.yml @@ -40,7 +40,7 @@ ansible.builtin.file: state: directory path: "{{ item }}" - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" seuser: _default @@ -54,7 +54,7 @@ ansible.builtin.template: src: ssl.conf.j2 dest: /etc/httpd/conf.local.d/ssl.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart apache @@ -63,7 +63,7 @@ ansible.builtin.template: src: site.conf.j2 dest: "/etc/httpd/conf.local.d/{{ inventory_hostname }}.conf" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart apache diff --git a/roles/authcheck/tasks/main.yml b/roles/authcheck/tasks/main.yml index 36d96fa..09ef679 100644 --- a/roles/authcheck/tasks/main.yml +++ b/roles/authcheck/tasks/main.yml @@ -22,7 +22,7 @@ ansible.builtin.template: dest: /etc/systemd/system/authcheck-container.service src: authcheck-container.service.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -39,7 +39,7 @@ location /authcheck { proxy_pass http://127.0.0.1:8003/; } - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx diff --git a/roles/autofs/tasks/main.yml b/roles/autofs/tasks/main.yml index d3a3121..19f9565 100644 --- a/roles/autofs/tasks/main.yml +++ b/roles/autofs/tasks/main.yml @@ -34,7 +34,7 @@ ansible.builtin.template: dest: /etc/autofs_ldap_auth.conf src: autofs_ldap_auth.conf.j2 - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" notify: Restart autofs @@ -43,7 +43,7 @@ ansible.builtin.template: dest: /etc/auto.master src: auto.master.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart autofs 
@@ -74,7 +74,7 @@ ansible.builtin.copy: dest: "/etc/profile.d/{{ item }}" src: "{{ item }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" with_items: diff --git a/roles/backup_server/tasks/main.yml b/roles/backup_server/tasks/main.yml index 8577419..b952d09 100644 --- a/roles/backup_server/tasks/main.yml +++ b/roles/backup_server/tasks/main.yml @@ -26,7 +26,7 @@ ansible.builtin.file: path: /export/backup state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -43,7 +43,7 @@ ansible.builtin.file: path: /export/backup/bitbucket.org state: directory - mode: 0775 + mode: "0775" owner: root group: backup @@ -51,7 +51,7 @@ ansible.builtin.copy: dest: /usr/local/sbin/backup-bitbucket src: backup-bitbucket.py - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/base/tasks/OpenBSD.yml b/roles/base/tasks/OpenBSD.yml index d925bf6..84c90af 100644 --- a/roles/base/tasks/OpenBSD.yml +++ b/roles/base/tasks/OpenBSD.yml @@ -3,7 +3,7 @@ ansible.builtin.copy: dest: /etc/myname content: "{{ inventory_hostname }}\n" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -11,7 +11,7 @@ ansible.builtin.copy: dest: /etc/installurl content: "https://mirrors.foo.sh/openbsd/\n" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" when: ansible_datacenter == "home" @@ -30,7 +30,7 @@ ansible.builtin.copy: dest: "{{ item }}" content: "VERBOSESTATUS=0\n" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" with_items: @@ -53,7 +53,7 @@ ansible.builtin.file: name: /srv state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml index d266052..9f11e18 100644 --- a/roles/base/tasks/RedHat.yml +++ b/roles/base/tasks/RedHat.yml 
@@ -122,7 +122,7 @@ ansible.builtin.copy: dest: /etc/profile.d/history.sh content: 'export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "' - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 7bec34b..d7d7820 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -2,7 +2,7 @@ - name: Setup ansible custom facts ansible.builtin.file: dest: "{{ item }}" - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" state: directory @@ -20,7 +20,7 @@ else echo "false" fi - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -36,7 +36,7 @@ ansible.builtin.copy: content: "\n" dest: "/etc/at.allow" - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index 1d22823..b66300b 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -30,7 +30,7 @@ path: /srv/web/certbot.home.foo.sh/.well-known owner: root group: "{{ ansible_wheel }}" - mode: 0755 + mode: "0755" state: directory - name: Create certbot directories @@ -38,7 +38,7 @@ path: "{{ item }}" owner: root group: certbot - mode: 0775 + mode: "0775" state: directory with_items: - /srv/web/certbot.home.foo.sh/.well-known/acme-challenge @@ -57,7 +57,7 @@ ansible.builtin.copy: dest: /etc/letsencrypt/cli.ini src: cli.ini - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/clamav/tasks/main.yml b/roles/clamav/tasks/main.yml index 469e46a..bbd796a 100644 --- a/roles/clamav/tasks/main.yml +++ b/roles/clamav/tasks/main.yml @@ -12,7 +12,7 @@ ansible.builtin.copy: dest: /etc/tmpfiles.d/clamd.scan.conf content: "d /run/clamd.scan 711 clamscan clamscan" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Refresh clamd socket directory diff --git a/roles/collab/tasks/main.yml b/roles/collab/tasks/main.yml index 95c1446..9af4c7b 100644 
--- a/roles/collab/tasks/main.yml +++ b/roles/collab/tasks/main.yml @@ -27,7 +27,7 @@ ansible.builtin.get_url: url: "https://static.moinmo.in/files/moin-{{ moin_version }}.tar.gz" dest: "{{ srcdir }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" checksum: sha1:3eb13b4730bd97259a41c4cd500f8433778ff8cf @@ -57,7 +57,7 @@ ansible.builtin.copy: src: foosh.py dest: "{{ srcdir }}/collabbackend/collabbackend/plugin/theme/foosh.py" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -114,14 +114,14 @@ ansible.builtin.copy: content: "umask 077\n" dest: /var/lib/collab/.profile - mode: 0440 + mode: "0440" owner: collab group: collab - name: Create config directories ansible.builtin.file: path: "{{ item }}" - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" state: directory @@ -133,7 +133,7 @@ ansible.builtin.copy: src: collab.ini dest: /etc/local/collab/collab.ini - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -145,7 +145,7 @@ - name: Create data directory ansible.builtin.file: path: /export/wikis - mode: 0755 + mode: "0755" owner: root group: root seuser: _default @@ -162,7 +162,7 @@ ansible.builtin.file: path: /srv/wikis/collab state: directory - mode: 0750 + mode: "0750" owner: root group: collab @@ -170,7 +170,7 @@ ansible.builtin.file: state: directory path: "{{ item }}" - mode: 02770 + mode: "02770" owner: collab group: collab with_items: @@ -196,7 +196,7 @@ ansible.builtin.copy: src: collab-htaccess dest: collab-htaccess - mode: 0660 + mode: "0660" owner: collab group: collab @@ -204,7 +204,7 @@ ansible.builtin.copy: src: "{{ srcdir }}/collabbackend/config/{{ item }}" dest: /srv/wikis/collab/config/{{ item }} - mode: 0660 + mode: "0660" owner: collab group: collab seuser: _default 
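Review bot: The MoinMoin tarball in the `@@ -27,7` get_url hunk is pinned with `checksum: sha1:3eb13b47...`; SHA-1 is no longer collision-resistant, so if upstream publishes a SHA-256 digest the pin should become `checksum: "sha256:<digest>"` (the other downloads touched by this commit have the same shape, so it is a role-wide change). In the `@@ -170,7` hunk, `mode: "02770"` sets the setgid bit on the collab directories; a short comment, `# setgid: files created here inherit group collab`, would stop the next reader from taking the leading 2 for a typo of 0770. The mode quoting itself changes nothing at runtime.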
@@ -220,7 +220,7 @@ ansible.builtin.copy: src: "{{ srcdir }}/collabbackend/packages/CollabBase.zip" dest: /var/lib/collab/CollabBase.zip - mode: 0660 + mode: "0660" owner: collab group: collab remote_src: true @@ -265,7 +265,7 @@ ansible.builtin.template: src: collab.conf.j2 dest: /etc/httpd/conf.local.d/collab.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart apache diff --git a/roles/dhcpd/tasks/main.yml b/roles/dhcpd/tasks/main.yml index 8052208..7ec173e 100644 --- a/roles/dhcpd/tasks/main.yml +++ b/roles/dhcpd/tasks/main.yml @@ -11,7 +11,7 @@ ansible.builtin.template: dest: "{{ dhcpd_config }}" src: "{{ dhcpd_template | default('dhcpd.conf.j2') }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" # validate: "dhcpd -t -cf %s" diff --git a/roles/dhparams/tasks/main.yml b/roles/dhparams/tasks/main.yml index e871137..74ce0bf 100644 --- a/roles/dhparams/tasks/main.yml +++ b/roles/dhparams/tasks/main.yml @@ -4,6 +4,6 @@ ansible.builtin.copy: dest: "{{ tls_certs }}/ffdhe3072.pem" src: ffdhe3072.pem - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index d1f4b05..a831262 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.get_url: url: "https://download.docker.com/linux/{{ docker_osname }}/docker-ce.repo" dest: /etc/yum.repos.d/docker-ce.repo - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -22,7 +22,7 @@ ansible.builtin.file: path: /etc/docker state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -30,7 +30,7 @@ ansible.builtin.copy: dest: /etc/docker/daemon.json src: daemon.json - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart docker diff --git a/roles/docker_distribution/tasks/main.yml b/roles/docker_distribution/tasks/main.yml index 07c6c8b..a224c13 100644 
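Review bot: `docker-ce.repo` in the docker role's `@@ -3,7` hunk is fetched with get_url straight into `/etc/yum.repos.d` with no `checksum:`, unlike the collab and minecraft downloads in this same commit; a .repo file is what carries the `gpgkey`/`gpgcheck` settings for the packages it introduces, so TLS is the only integrity check on it. Either ship the file from the role (`ansible.builtin.copy:` with `src: docker-ce.repo`) or pin it with `checksum: "sha256:<digest>"`; both are independent of the mode quoting. The hunk's trailing blank line is collapsed in this view.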
--- a/roles/docker_distribution/tasks/main.yml +++ b/roles/docker_distribution/tasks/main.yml @@ -24,7 +24,7 @@ ansible.builtin.file: path: /etc/systemd/system/docker-distribution.service.d state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -32,7 +32,7 @@ ansible.builtin.copy: dest: /etc/systemd/system/docker-distribution.service.d/user.conf src: user.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart docker-distribution @@ -41,7 +41,7 @@ ansible.builtin.template: dest: /etc/docker-distribution/registry/config.yml src: config.yml.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart docker-distribution @@ -50,7 +50,7 @@ ansible.builtin.file: path: /srv/registry/docker state: directory - mode: 0770 + mode: "0770" owner: root group: docker @@ -58,7 +58,7 @@ ansible.builtin.copy: dest: /etc/docker-distribution/registry/htpasswd src: "{{ htpasswd }}" - mode: 0640 + mode: "0640" owner: root group: docker when: htpasswd is defined diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml index 01f9116..3e8b002 100644 --- a/roles/dovecot/tasks/main.yml +++ b/roles/dovecot/tasks/main.yml @@ -17,7 +17,7 @@ ansible.builtin.copy: dest: "{{ tls_private }}/{{ mail_server }}.key" src: "{{ item }}" - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" with_first_found: @@ -30,7 +30,7 @@ ansible.builtin.copy: dest: "{{ tls_certs }}/{{ mail_server }}-fullchain.crt" src: "{{ item }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" with_first_found: @@ -43,7 +43,7 @@ ansible.builtin.template: dest: /etc/dovecot/conf.d/99-local.conf src: local.conf.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" validate: doveconf -n %s @@ -58,7 +58,7 @@ ansible.builtin.file: path: "{{ item }}" state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" setype: _default 
diff --git a/roles/git_server/tasks/main.yml b/roles/git_server/tasks/main.yml index 889897c..2e22a61 100644 --- a/roles/git_server/tasks/main.yml +++ b/roles/git_server/tasks/main.yml @@ -17,7 +17,7 @@ ansible.builtin.file: path: /export/git state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -33,7 +33,7 @@ ansible.builtin.copy: dest: /etc/gitweb.conf src: gitweb.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -41,7 +41,7 @@ ansible.builtin.copy: dest: /var/www/git/robots.txt content: "User-agent: *\nDisallow:\n" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -49,7 +49,7 @@ ansible.builtin.copy: dest: "/var/www/git/static/{{ item }}" src: "{{ item }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" with_items: @@ -60,7 +60,7 @@ ansible.builtin.copy: dest: /etc/httpd/conf.local.d/git.conf src: git.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart apache diff --git a/roles/gitea_runner/tasks/main.yml b/roles/gitea_runner/tasks/main.yml index 9a6eedb..d8eac04 100644 --- a/roles/gitea_runner/tasks/main.yml +++ b/roles/gitea_runner/tasks/main.yml @@ -47,7 +47,7 @@ ansible.builtin.copy: dest: /var/lib/act_runner/.runner src: "/srv/private/files/act_runner/{{ inventory_hostname }}.conf" - mode: 0640 + mode: "0640" owner: root group: act_runner notify: Restart act_runner diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml index 3ed3db6..13743dc 100644 --- a/roles/grafana/tasks/main.yml +++ b/roles/grafana/tasks/main.yml @@ -14,7 +14,7 @@ ansible.builtin.copy: dest: "{{ tls_private }}/grafana.key" src: "{{ tls_private }}/{{ inventory_hostname }}.key" - mode: 0640 + mode: "0640" owner: root group: grafana remote_src: true 
@@ -23,7 +23,7 @@ ansible.builtin.template: dest: /etc/sysconfig/grafana-container src: grafana-container.sysconfig.j2 - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" notify: Restart grafana @@ -32,7 +32,7 @@ ansible.builtin.template: dest: /etc/systemd/system/grafana-container.service src: grafana-container.service.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart grafana @@ -41,7 +41,7 @@ ansible.builtin.template: dest: /etc/grafana-ldap.toml src: grafana-ldap.toml.j2 - mode: 0640 + mode: "0640" owner: root group: grafana notify: Restart grafana @@ -60,7 +60,7 @@ proxy_set_header Host noc.foo.sh; proxy_pass http://localhost:8002/; } - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx diff --git a/roles/grossd/tasks/main.yml b/roles/grossd/tasks/main.yml index fe75f97..74079d3 100644 --- a/roles/grossd/tasks/main.yml +++ b/roles/grossd/tasks/main.yml @@ -8,7 +8,7 @@ ansible.builtin.file: path: /var/db/grossd state: directory - mode: 0750 + mode: "0750" owner: gross group: "{{ ansible_wheel }}" @@ -16,7 +16,7 @@ ansible.builtin.copy: dest: /etc/grossd.conf src: grossd.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart grossd diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index 46648b8..8456261 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml @@ -28,7 +28,7 @@ ansible.builtin.copy: dest: /usr/local/share/selinux/homeassistant-local.pp src: homeassistant-local.pp - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -59,7 +59,7 @@ ansible.builtin.file: path: /export/homeassistant state: directory - mode: 0700 + mode: "0700" owner: ha group: ha setype: _default 
@@ -77,7 +77,7 @@ ansible.builtin.copy: dest: /srv/homeassistant/auth-command.sh src: auth-command.sh - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" setype: _default @@ -86,7 +86,7 @@ ansible.builtin.file: path: "{{ item }}" state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" setype: _default @@ -117,7 +117,7 @@ ansible.builtin.template: dest: /etc/systemd/system/homeassistant-container.service src: homeassistant-container.service.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart homeassistant @@ -135,7 +135,7 @@ location / { proxy_pass http://127.0.0.1:8001; } - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx diff --git a/roles/ifstated/tasks/main.yml b/roles/ifstated/tasks/main.yml index 6dc9181..ec548b0 100644 --- a/roles/ifstated/tasks/main.yml +++ b/roles/ifstated/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.template: dest: /etc/ifstated.conf src: "{{ ifstated_config }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" # validate: "ifstated -n -f %s" diff --git a/roles/influxdb/tasks/main.yml b/roles/influxdb/tasks/main.yml index 90d8046..f77db0b 100644 --- a/roles/influxdb/tasks/main.yml +++ b/roles/influxdb/tasks/main.yml @@ -38,7 +38,7 @@ ansible.builtin.file: path: /etc/logrotate.d/influxdb state: file - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -46,7 +46,7 @@ ansible.builtin.file: path: /export/influxdb state: directory - mode: 0750 + mode: "0750" owner: influxdb group: influxdb @@ -63,7 +63,7 @@ ansible.builtin.copy: dest: /etc/influxdb/config.toml src: config.toml - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart influxdb @@ -87,7 +87,7 @@ location / { proxy_pass http://127.0.0.1:8086/; } - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx 
diff --git a/roles/iptables/tasks/main.yml b/roles/iptables/tasks/main.yml index aa52ce5..f01888c 100644 --- a/roles/iptables/tasks/main.yml +++ b/roles/iptables/tasks/main.yml @@ -16,7 +16,7 @@ ansible.builtin.template: src: "{{ item }}.j2" dest: "/etc/sysconfig/{{ item }}" - mode: 0600 + mode: "0600" owner: root group: root notify: "Reload {{ item }}" diff --git a/roles/kadmin/tasks/main.yml b/roles/kadmin/tasks/main.yml index 3b8ccc1..447b344 100644 --- a/roles/kadmin/tasks/main.yml +++ b/roles/kadmin/tasks/main.yml @@ -11,7 +11,7 @@ ansible.builtin.template: dest: /var/kerberos/krb5kdc/kdc.conf src: kdc.conf.j2 - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/kdc/tasks/main.yml b/roles/kdc/tasks/main.yml index bb7a39f..c126fcb 100644 --- a/roles/kdc/tasks/main.yml +++ b/roles/kdc/tasks/main.yml @@ -22,7 +22,7 @@ ansible.builtin.template: dest: /etc/sysconfig/kdc-container src: kdc-container.sysconfig.j2 - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" @@ -30,7 +30,7 @@ ansible.builtin.copy: dest: /etc/systemd/system/kdc-container.service src: kdc-container.service - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -47,7 +47,7 @@ location /KdcProxy { proxy_pass http://127.0.0.1:8001; } - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx diff --git a/roles/kvm_host/tasks/main.yml b/roles/kvm_host/tasks/main.yml index bafddde..1b1748a 100644 --- a/roles/kvm_host/tasks/main.yml +++ b/roles/kvm_host/tasks/main.yml @@ -7,7 +7,7 @@ blacklist bluetooth blacklist btintel blacklist btusb - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -29,7 +29,7 @@ ansible.builtin.file: path: "{{ item }}" state: directory - mode: 0770 + mode: "0770" owner: root group: qemu with_items: diff --git a/roles/ldap_gravatar/tasks/main.yml b/roles/ldap_gravatar/tasks/main.yml index ea21621..ee61b2d 100644 --- a/roles/ldap_gravatar/tasks/main.yml 
+++ b/roles/ldap_gravatar/tasks/main.yml @@ -11,7 +11,7 @@ ansible.builtin.copy: src: gravatar-update.py dest: /usr/local/sbin/gravatar-update - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/ldap_netdb/tasks/main.yml b/roles/ldap_netdb/tasks/main.yml index 53b6d45..11b0275 100644 --- a/roles/ldap_netdb/tasks/main.yml +++ b/roles/ldap_netdb/tasks/main.yml @@ -12,7 +12,7 @@ ansible.builtin.copy: src: netdb-update.py dest: /usr/local/sbin/netdb-update - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index c7e54a4..1e1389e 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml @@ -39,7 +39,7 @@ ansible.builtin.file: path: "{{ ldap_datadir }}" state: directory - mode: 0700 + mode: "0700" owner: ldap group: ldap seuser: _default @@ -67,7 +67,7 @@ ansible.builtin.file: path: "{{ ldap_backupdir }}" state: directory - mode: 0750 + mode: "0750" owner: root group: backup @@ -85,7 +85,7 @@ ansible.builtin.copy: dest: /usr/local/sbin/ldap-backup src: ldap-backup.sh - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -101,7 +101,7 @@ ansible.builtin.copy: dest: /usr/local/sbin/ldapspn src: ldapspn.py - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" when: ldap_master is defined @@ -121,7 +121,7 @@ dest: /etc/sasl2/slapd.conf content: | pwcheck_method: saslauthd - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart slapd @@ -130,7 +130,7 @@ ansible.builtin.copy: dest: "{{ tls_certs }}/{{ ldap_server_cert }}.crt" src: "/srv/letsencrypt/live/{{ ldap_server_cert }}/cert.pem" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" tags: certificates 
@@ -140,7 +140,7 @@ ansible.builtin.copy: dest: "{{ tls_private }}/{{ ldap_server_cert }}.key" src: "/srv/letsencrypt/live/{{ ldap_server_cert }}/privkey.pem" - mode: 0640 + mode: "0640" owner: root group: ldap tags: certificates @@ -150,7 +150,7 @@ ansible.builtin.copy: dest: "{{ tls_certs }}/{{ ldap_server_cert }}-chain.crt" src: "/srv/letsencrypt/live/{{ ldap_server_cert }}/chain.pem" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" tags: certificates @@ -193,7 +193,7 @@ ansible.builtin.file: path: /etc/systemd/system/slapd.service.d state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" when: ansible_distribution == "Rocky" @@ -202,7 +202,7 @@ ansible.builtin.copy: dest: /etc/systemd/system/slapd.service.d/local.conf src: slapd.service - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart slapd @@ -212,7 +212,7 @@ ansible.builtin.copy: dest: /etc/sysconfig/slapd src: slapd.sysconfig - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart slapd @@ -222,7 +222,7 @@ ansible.builtin.copy: dest: "/etc/openldap/schema/{{ item }}" src: "{{ item }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" with_items: @@ -237,7 +237,7 @@ ansible.builtin.copy: dest: /etc/openldap/check_password.conf src: check_password.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -245,7 +245,7 @@ ansible.builtin.template: dest: /etc/openldap/slapd.conf src: slapd.conf.j2 - mode: 0640 + mode: "0640" owner: root group: ldap notify: Restart slapd @@ -272,6 +272,6 @@ ansible.builtin.copy: dest: /etc/openldap/slapd.keytab src: "{{ ansible_private }}/files/keytabs/slapd.keytab" - mode: 0640 + mode: "0640" owner: root group: ldap diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 2673211..3746dd1 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml 
@@ -16,7 +16,7 @@ ansible.builtin.file: path: /export/mariadb state: directory - mode: 0750 + mode: "0750" owner: mysql group: mysql setype: _default @@ -41,7 +41,7 @@ ansible.builtin.file: path: /etc/mysql state: directory - mode: 0750 + mode: "0750" owner: root group: mysql @@ -56,7 +56,7 @@ ansible.builtin.template: dest: /etc/my.cnf.d/tls.cnf src: tls.cnf.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart mariadb @@ -65,7 +65,7 @@ ansible.builtin.copy: dest: /etc/my.cnf.d/local.cnf content: "[mariadb]\ninnodb_file_per_table=ON\n" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart mariadb @@ -91,7 +91,7 @@ ansible.builtin.template: dest: /root/.my.cnf src: my.cnf.j2 - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" when: mariadb_root_password is defined @@ -108,7 +108,7 @@ ansible.builtin.file: path: /export/backup state: directory - mode: 02750 + mode: "02750" owner: root group: backup @@ -125,7 +125,7 @@ ansible.builtin.copy: dest: /usr/local/sbin/mariadb-backup src: mariadb-backup.sh - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -140,7 +140,7 @@ ansible.builtin.copy: dest: /usr/local/sbin/mysql_tzinfo_check src: mysql_tzinfo_check.sh - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/minecraft/tasks/main.yml b/roles/minecraft/tasks/main.yml index 91f0630..db2e66e 100644 --- a/roles/minecraft/tasks/main.yml +++ b/roles/minecraft/tasks/main.yml @@ -23,7 +23,7 @@ ansible.builtin.file: path: /export/minecraft state: directory - mode: 0750 + mode: "0750" owner: root group: minecraft @@ -40,7 +40,7 @@ ansible.builtin.file: path: "/srv/minecraft/{{ item }}" state: directory - mode: 0770 + mode: "0770" owner: root group: minecraft with_items: @@ -55,7 +55,7 @@ dest: /srv/minecraft/eula.txt content: | eula=true - mode: 0640 + mode: "0640" owner: root group: minecraft 
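Review bot: `/root/.my.cnf` in the `@@ -91,7` hunk is rendered from `my.cnf.j2` only when `mariadb_root_password` is defined, so the file presumably carries that password; the template module prints the rendered content under `--diff` (and on failure with `-v`) unless the task sets `no_log: true` or `diff: false`, and neither appears in the hunk. Add `no_log: true` beside `when: mariadb_root_password is defined`. `mode: "0600"` is the right permission for it.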
@@ -63,7 +63,7 @@ ansible.builtin.copy: dest: /srv/minecraft/server.properties src: server.properties - mode: 0640 + mode: "0640" owner: root group: minecraft @@ -72,7 +72,7 @@ dest: "/srv/minecraft/{{ item }}" content: "[]" force: false - mode: 0660 + mode: "0660" owner: root group: minecraft with_items: @@ -85,7 +85,7 @@ ansible.builtin.file: path: /usr/local/lib/minecraft state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -95,7 +95,7 @@ url: >- https://launcher.mojang.com/v1/objects/{{ minecraft_sha1sum }}/server.jar checksum: "sha1:{{ minecraft_sha1sum }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -103,7 +103,7 @@ ansible.builtin.copy: dest: /etc/systemd/system/minecraft.service src: minecraft.service - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/mod_auth_gssapi/tasks/main.yml b/roles/mod_auth_gssapi/tasks/main.yml index 621726e..029c374 100644 --- a/roles/mod_auth_gssapi/tasks/main.yml +++ b/roles/mod_auth_gssapi/tasks/main.yml @@ -15,7 +15,7 @@ ansible.builtin.file: path: /etc/systemd/system/httpd.service.d state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -23,7 +23,7 @@ ansible.builtin.copy: dest: /etc/systemd/system/httpd.service.d/keytab.conf content: "[Service]\nEnvironment=KRB5_KTNAME=/etc/httpd/httpd.keytab\n" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart apache diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index 2004130..73e2808 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml @@ -40,7 +40,7 @@ ansible.builtin.file: path: /export/mongodb state: directory - mode: 0700 + mode: "0700" owner: mongod group: mongod setype: _default 
@@ -67,7 +67,7 @@ ansible.builtin.copy: dest: "{{ tls_private }}/mongodb.pem" content: "{{ mongodb_cert_key.stdout }}" - mode: 0640 + mode: "0640" owner: root group: mongod notify: Restart mongod @@ -76,7 +76,7 @@ ansible.builtin.copy: dest: /etc/logrotate.d/mongod src: mongod.logrotate - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -85,7 +85,7 @@ dest: /etc/sysconfig/mongod content: | OPTIONS="-f /etc/mongod.conf --logRotate reopen" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart mongod @@ -94,7 +94,7 @@ ansible.builtin.template: dest: /etc/mongod.conf src: mongod.conf.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart mongod diff --git a/roles/network/tasks/OpenBSD.yml b/roles/network/tasks/OpenBSD.yml index 6c2a5ac..f28a5be 100644 --- a/roles/network/tasks/OpenBSD.yml +++ b/roles/network/tasks/OpenBSD.yml @@ -3,7 +3,7 @@ ansible.builtin.template: src: hostname.if.j2 dest: "/etc/hostname.{{ item.device }}" - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" with_items: "{{ network_interfaces }}" @@ -13,7 +13,7 @@ ansible.builtin.template: src: hostname.carp.j2 dest: "/etc/hostname.carp{{ item.vhid }}" - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" with_items: "{{ network_vip_interfaces }}" @@ -34,7 +34,7 @@ ansible.builtin.copy: content: "{{ network_default_gateway }}\n" dest: /etc/mygate - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" notify: Restart network diff --git a/roles/network/tasks/RedHat.yml b/roles/network/tasks/RedHat.yml index 19b71da..7c04aa3 100644 --- a/roles/network/tasks/RedHat.yml +++ b/roles/network/tasks/RedHat.yml @@ -15,7 +15,7 @@ ansible.builtin.template: src: ifcfg-eth.j2 dest: "/etc/sysconfig/network-scripts/ifcfg-{{ item.device }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Reload network manager connections 
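Review bot: The mongodb copy task in the `@@ -67,7` hunk writes `content: "{{ mongodb_cert_key.stdout }}"`, i.e. private-key material captured from an earlier command's stdout; copy prints the content it writes under `--diff`, and the registered result itself is in the play output unless the registering task (outside this hunk) is `no_log`. Add `no_log: true` to this task and confirm the registering task has it too. Note that `.stdout` is stripped of its trailing newline, so the PEM lands without one; `content: "{{ mongodb_cert_key.stdout }}\n"` restores it. `mode: "0640"` with `group: mongod` is otherwise the right scope.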
@@ -33,7 +33,7 @@ ansible.builtin.template: dest: /etc/keepalived/keepalived.conf src: keepalived.conf.j2 - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" notify: Restart keepalived diff --git a/roles/network/tasks/main.yml b/roles/network/tasks/main.yml index 6f9d8b6..e1be7c5 100644 --- a/roles/network/tasks/main.yml +++ b/roles/network/tasks/main.yml @@ -6,7 +6,7 @@ ansible.builtin.template: src: resolv.conf.j2 dest: /etc/resolv.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" when: network_dns_servers is defined diff --git a/roles/nfs_client/tasks/main.yml b/roles/nfs_client/tasks/main.yml index 0953d3a..06fe6d6 100644 --- a/roles/nfs_client/tasks/main.yml +++ b/roles/nfs_client/tasks/main.yml @@ -14,7 +14,7 @@ ansible.builtin.copy: dest: /etc/modprobe.d/nfs.conf content: "options nfs nfs4_disable_idmapping=0\n" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/nfs_server/tasks/main.yml b/roles/nfs_server/tasks/main.yml index 32b1701..c73f100 100644 --- a/roles/nfs_server/tasks/main.yml +++ b/roles/nfs_server/tasks/main.yml @@ -21,7 +21,7 @@ ansible.builtin.copy: dest: "/usr/local/sbin/{{ item }}" src: "{{ item }}.sh" - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" with_items: diff --git a/roles/nftables/tasks/main.yml b/roles/nftables/tasks/main.yml index f60342f..85a6424 100644 --- a/roles/nftables/tasks/main.yml +++ b/roles/nftables/tasks/main.yml @@ -13,7 +13,7 @@ ansible.builtin.template: src: nftables.conf.j2 dest: /etc/sysconfig/nftables.conf - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" notify: Reload nftables diff --git a/roles/nginx/server/tasks/main.yml b/roles/nginx/server/tasks/main.yml index d30b37e..03e8151 100644 --- a/roles/nginx/server/tasks/main.yml +++ b/roles/nginx/server/tasks/main.yml 
@@ -32,7 +32,7 @@ ansible.builtin.file: state: directory path: "{{ item }}" - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" seuser: _default @@ -46,7 +46,7 @@ ansible.builtin.template: src: nginx.conf.j2 dest: /etc/nginx/nginx.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx @@ -56,7 +56,7 @@ ansible.builtin.file: dest: /etc/systemd/system/nginx.service.d state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" when: ansible_os_family == "RedHat" @@ -65,7 +65,7 @@ ansible.builtin.copy: dest: /etc/systemd/system/nginx.service.d/dependency.conf src: dependency.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" when: ansible_os_family == "RedHat" diff --git a/roles/nginx/site/tasks/main.yml b/roles/nginx/site/tasks/main.yml index fbb2793..fe8d61b 100644 --- a/roles/nginx/site/tasks/main.yml +++ b/roles/nginx/site/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.file: path: "/srv/web/{{ site }}" state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" when: redirect is not defined and proxy is not defined @@ -12,7 +12,7 @@ ansible.builtin.template: dest: /etc/nginx/conf.d/{{ site }}.conf src: site.conf.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx @@ -21,7 +21,7 @@ ansible.builtin.copy: dest: "{{ tls_private }}/{{ site }}.key" src: "{{ item }}" - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" with_first_found: @@ -35,7 +35,7 @@ ansible.builtin.copy: src: "{{ item }}" dest: "{{ tls_certs }}/{{ site }}-fullchain.crt" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" validate: /usr/bin/openssl x509 -in %s -noout diff --git a/roles/nsd/tasks/main.yml b/roles/nsd/tasks/main.yml index 930a01d..b0d3ad6 100644 --- a/roles/nsd/tasks/main.yml +++ b/roles/nsd/tasks/main.yml 
@@ -3,7 +3,7 @@ ansible.builtin.copy: dest: "{{ tls_private }}/{{ nsd_server }}.key" src: "{{ item }}" - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" with_first_found: @@ -17,7 +17,7 @@ ansible.builtin.copy: dest: "{{ tls_certs }}/{{ nsd_server }}.crt" src: "{{ item }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" with_first_found: @@ -31,7 +31,7 @@ ansible.builtin.template: src: nsd.conf.j2 dest: /var/nsd/etc/nsd.conf - mode: 0640 + mode: "0640" owner: root group: _nsd notify: Restart nsd @@ -40,7 +40,7 @@ ansible.builtin.copy: dest: "/var/nsd/zones/master/{{ item | replace('/', '-') }}" src: "/srv/dns/{{ item | replace('/', '-') }}" - mode: 0640 + mode: "0640" owner: root group: _nsd tags: dns diff --git a/roles/openbgpd/tasks/main.yml b/roles/openbgpd/tasks/main.yml index 94e78fe..736ce90 100644 --- a/roles/openbgpd/tasks/main.yml +++ b/roles/openbgpd/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.copy: dest: /etc/bgpd.conf src: "{{ ansible_private }}/files/bgpd/bgpd.conf.{{ inventory_hostname }}" - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" notify: Restart bgpd diff --git a/roles/opensmtpd/tasks/main.yml b/roles/opensmtpd/tasks/main.yml index 243a1e0..40e1891 100644 --- a/roles/opensmtpd/tasks/main.yml +++ b/roles/opensmtpd/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.template: src: smtpd.conf.j2 dest: /etc/mail/smtpd.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart opensmtpd @@ -12,7 +12,7 @@ ansible.builtin.copy: content: "{{ mail_domain }}\n" dest: /etc/mail//mailname - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart opensmtpd diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml index 7f1edca..84b8d2b 100644 --- a/roles/openvpn/tasks/main.yml +++ b/roles/openvpn/tasks/main.yml 
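Review bot: `dest: /etc/mail//mailname` in the opensmtpd `@@ -12,7` hunk has a doubled slash; path normalization puts the file in the right place, but the odd form shows up in `--diff` output and defeats a grep for the path. Change it to `dest: /etc/mail/mailname`. It is unrelated to the mode quoting but sits in the touched hunk.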
@@ -8,7 +8,7 @@ ansible.builtin.file: path: /var/openvpn state: directory - mode: 0750 + mode: "0750" owner: root group: _openvpn @@ -16,7 +16,7 @@ ansible.builtin.file: path: /var/openvpn/tmp state: directory - mode: 0770 + mode: "0770" owner: _openvpn group: _openvpn @@ -24,7 +24,7 @@ ansible.builtin.file: path: /etc/openvpn state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -32,7 +32,7 @@ ansible.builtin.file: path: /etc/openvpn/keys state: directory - mode: 0700 + mode: "0700" owner: root group: "{{ ansible_wheel }}" @@ -40,7 +40,7 @@ ansible.builtin.copy: src: "{{ ansible_private }}/files/openvpn/{{ inventory_hostname }}.key" dest: /etc/openvpn/keys/tap0.key - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" @@ -48,7 +48,7 @@ ansible.builtin.copy: src: "{{ ansible_private }}/files/openvpn/{{ inventory_hostname }}.conf" dest: /etc/openvpn/tap0.conf - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" @@ -56,6 +56,6 @@ ansible.builtin.copy: src: hostname.tap0 dest: /etc/hostname.tap0 - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml index 578a0d6..588dac6 100644 --- a/roles/pf/tasks/main.yml +++ b/roles/pf/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.copy: src: "{{ firewall_src }}" dest: /etc/pf.conf - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" validate: pfctl -N -f %s @@ -14,7 +14,7 @@ ansible.builtin.template: src: pf.conf.j2 dest: /etc/pf.conf - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" validate: pfctl -N -f %s diff --git a/roles/pki/tasks/main.yml b/roles/pki/tasks/main.yml index 020211e..b27715a 100644 --- a/roles/pki/tasks/main.yml +++ b/roles/pki/tasks/main.yml @@ -8,7 +8,7 @@ ansible.builtin.copy: src: "/srv/ca/certs/ca.crt" dest: "{{ tls_certs }}/ca.crt" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" 
@@ -32,7 +32,7 @@ - name: Fix private key directory permissions ansible.builtin.file: path: "{{ tls_private }}" - mode: 0750 + mode: "0750" owner: root group: hostkey when: ansible_system == "OpenBSD" @@ -41,7 +41,7 @@ ansible.builtin.copy: src: "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt" dest: "{{ tls_certs }}/{{ inventory_hostname }}.crt" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -56,7 +56,7 @@ ' {{ tls_certs }}/{{ inventory_hostname }}.crt dest: /etc/ansible/facts.d/ansible_certificate.fact - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -73,7 +73,7 @@ ansible.builtin.copy: dest: "{{ tls_certs }}/{{ inventory_hostname }}-fullchain.crt" content: "{{ pki_host_fullchain.stdout }}" - mode: 0640 + mode: "0640" owner: root group: "{{ ansible_wheel }}" @@ -81,6 +81,6 @@ ansible.builtin.copy: src: "/srv/ca/private/{{ inventory_hostname }}.key" dest: "{{ tls_private }}/{{ inventory_hostname }}.key" - mode: 0640 + mode: "0640" owner: root group: hostkey diff --git a/roles/podman/tasks/main.yml b/roles/podman/tasks/main.yml index f574e4c..93660dd 100644 --- a/roles/podman/tasks/main.yml +++ b/roles/podman/tasks/main.yml @@ -14,7 +14,7 @@ ansible.builtin.copy: dest: /usr/local/share/selinux/podman-certs.pp src: podman-certs.pp - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml index fe8ba2e..315ed79 100644 --- a/roles/rclone/tasks/main.yml +++ b/roles/rclone/tasks/main.yml @@ -8,7 +8,7 @@ ansible.builtin.file: path: /etc/rclone state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -16,7 +16,7 @@ ansible.builtin.template: dest: /etc/rclone/rclone.conf src: rclone.conf.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" 
@@ -24,7 +24,7 @@ ansible.builtin.file: path: /var/log/rclone state: directory - mode: 0750 + mode: "0750" owner: "{{ local_user | default('root') }}" group: "{{ local_user | default(ansible_wheel) }}" @@ -32,7 +32,7 @@ ansible.builtin.template: dest: /usr/local/bin/rclone-sync src: rclone-sync.sh.j2 - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/roles_lists/tasks/main.yml b/roles/roles_lists/tasks/main.yml index 5783bbf..049c0ef 100644 --- a/roles/roles_lists/tasks/main.yml +++ b/roles/roles_lists/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.copy: dest: /etc/smrsh/archiver src: archiver.sh - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -20,7 +20,7 @@ ansible.builtin.copy: dest: /usr/local/share/selinux/sendmail-spamc.pp src: sendmail-spamc.pp - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/roundcube/tasks/main.yml b/roles/roundcube/tasks/main.yml index a3f66ec..eca261b 100644 --- a/roles/roundcube/tasks/main.yml +++ b/roles/roundcube/tasks/main.yml @@ -14,7 +14,7 @@ ansible.builtin.copy: dest: "{{ tls_private }}/roundcube.key" src: "{{ tls_private }}/{{ inventory_hostname }}.key" - mode: 0640 + mode: "0640" owner: root group: roundcube remote_src: true @@ -23,7 +23,7 @@ ansible.builtin.file: path: /etc/roundcube state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -31,7 +31,7 @@ ansible.builtin.template: dest: /etc/roundcube/local.php src: local.php.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -39,7 +39,7 @@ ansible.builtin.template: dest: /etc/sysconfig/roundcube-container src: roundcube-container.sysconfig.j2 - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" notify: Restart roundcube 
@@ -48,7 +48,7 @@ ansible.builtin.template: dest: /etc/systemd/system/roundcube-container.service src: roundcube-container.service.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart roundcube @@ -66,7 +66,7 @@ location /roundcube/ { proxy_pass http://localhost:8004/; } - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx diff --git a/roles/rpm_build/tasks/main.yml b/roles/rpm_build/tasks/main.yml index b24e952..450048b 100644 --- a/roles/rpm_build/tasks/main.yml +++ b/roles/rpm_build/tasks/main.yml @@ -14,7 +14,7 @@ state: directory owner: root group: "{{ ansible_wheel }}" - mode: 0755 + mode: "0755" with_items: - /export/rpmbuild - /export/rpmbuild/SOURCES @@ -34,6 +34,6 @@ ansible.builtin.copy: dest: /root/.rpmmacros content: "%_topdir /srv/rpmbuild\n" - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/rsync/client/tasks/main.yml b/roles/rsync/client/tasks/main.yml index 1519109..32e4bdc 100644 --- a/roles/rsync/client/tasks/main.yml +++ b/roles/rsync/client/tasks/main.yml @@ -11,7 +11,7 @@ ansible.builtin.template: dest: /usr/local/libexec/rsync-ssl-tunnel src: rsync-ssl-tunnel.j2 - mode: 0755 + mode: "0755" owner: root group: root @@ -19,6 +19,6 @@ ansible.builtin.copy: dest: /usr/local/bin/rsync-ssl src: rsync-ssl - mode: 0755 + mode: "0755" owner: root group: root diff --git a/roles/rsync/server/tasks/main.yml b/roles/rsync/server/tasks/main.yml index 404f708..71f53fc 100644 --- a/roles/rsync/server/tasks/main.yml +++ b/roles/rsync/server/tasks/main.yml @@ -17,7 +17,7 @@ ansible.builtin.template: dest: /etc/rsyncd.conf src: rsyncd.conf.j2 - mode: 0644 + mode: "0644" owner: root group: root @@ -25,7 +25,7 @@ ansible.builtin.template: dest: /etc/stunnel/rsyncd.conf src: rsyncd-stunnel.conf.j2 - mode: 0644 + mode: "0644" owner: root group: root 
@@ -33,7 +33,7 @@ ansible.builtin.file: dest: /etc/systemd/system/rsyncd@.service.d state: directory - mode: 0755 + mode: "0755" owner: root group: root @@ -41,7 +41,7 @@ ansible.builtin.copy: dest: /etc/systemd/system/rsyncd@.service.d/stunnel.conf src: systemd-stunnel.conf - mode: 0644 + mode: "0644" owner: root group: root diff --git a/roles/rsyslog/tasks/main.yml b/roles/rsyslog/tasks/main.yml index 7372753..6cb4537 100644 --- a/roles/rsyslog/tasks/main.yml +++ b/roles/rsyslog/tasks/main.yml @@ -11,7 +11,7 @@ ansible.builtin.copy: dest: /etc/rsyslog.d/all.log.conf content: "*.* /var/log/all.log\n" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart rsyslog @@ -20,7 +20,7 @@ ansible.builtin.template: dest: /etc/rsyslog.d/remote.conf src: remote.conf.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart rsyslog @@ -34,6 +34,6 @@ ansible.builtin.copy: dest: /etc/logrotate.d/syslog.all src: logrotate - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/rsyslog/tasks/udp-listen.yml b/roles/rsyslog/tasks/udp-listen.yml index cf9ac73..1585323 100644 --- a/roles/rsyslog/tasks/udp-listen.yml +++ b/roles/rsyslog/tasks/udp-listen.yml @@ -3,7 +3,7 @@ ansible.builtin.copy: dest: /etc/rsyslog.d/udp-listen.conf src: udp-listen.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart rsyslog diff --git a/roles/saslauthd/tasks/main.yml b/roles/saslauthd/tasks/main.yml index d0c7ce8..74023d2 100644 --- a/roles/saslauthd/tasks/main.yml +++ b/roles/saslauthd/tasks/main.yml @@ -19,7 +19,7 @@ ansible.builtin.template: dest: /etc/saslauthd.conf src: saslauthd.conf.j2 - mode: 0640 + mode: "0640" owner: root group: "{{ ansible_wheel }}" notify: Restart saslauthd diff --git a/roles/selinux/tasks/main.yml b/roles/selinux/tasks/main.yml index a99d822..a45757c 100644 --- a/roles/selinux/tasks/main.yml +++ b/roles/selinux/tasks/main.yml 
@@ -8,6 +8,6 @@ ansible.builtin.file: dest: /usr/local/share/selinux state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/sendmail/tasks/main.yml b/roles/sendmail/tasks/main.yml index ee11f6e..117b47c 100644 --- a/roles/sendmail/tasks/main.yml +++ b/roles/sendmail/tasks/main.yml @@ -12,7 +12,7 @@ ansible.builtin.file: path: /etc/mail/certs state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -20,7 +20,7 @@ ansible.builtin.copy: dest: "{{ tls_private }}/{{ mail_server }}.key" src: "{{ item }}" - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" with_first_found: @@ -34,7 +34,7 @@ ansible.builtin.copy: src: "{{ item }}" dest: "{{ tls_certs }}/{{ mail_server }}.crt" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" validate: /usr/bin/openssl x509 -in %s -noout @@ -49,7 +49,7 @@ ansible.builtin.copy: src: "{{ item }}" dest: "{{ tls_certs }}/{{ mail_server }}-chain.crt" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" validate: /usr/bin/openssl x509 -in %s -noout @@ -68,7 +68,7 @@ ansible.builtin.file: path: /export/mail state: directory - mode: 0775 + mode: "0775" owner: root group: mail setype: _default @@ -96,7 +96,7 @@ ansible.builtin.template: src: sendmail.mc.j2 dest: /etc/mail/sendmail.mc - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" validate: /bin/sh -c '/usr/bin/m4 %s > /dev/null' @@ -106,7 +106,7 @@ ansible.builtin.copy: src: "{{ ansible_private }}/files/sendmail/aliases" dest: /etc/aliases - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Update aliases diff --git a/roles/sftpuser/tasks/main.yml b/roles/sftpuser/tasks/main.yml index 6cf95fd..412826c 100644 --- a/roles/sftpuser/tasks/main.yml +++ b/roles/sftpuser/tasks/main.yml 
@@ -18,7 +18,7 @@ ansible.builtin.copy: dest: "/etc/ssh/authorized_keys.{{ user }}" content: "{{ publickeys | join('\n') + '\n'}}" - mode: 0640 + mode: "0640" owner: root group: "{{ user }}" diff --git a/roles/spamassassin_clamav/tasks/main.yml b/roles/spamassassin_clamav/tasks/main.yml index 63e9e77..e8db4df 100644 --- a/roles/spamassassin_clamav/tasks/main.yml +++ b/roles/spamassassin_clamav/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.copy: src: ClamAV.pm dest: /etc/mail/spamassassin/ClamAV.pm - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart spamassassin @@ -12,7 +12,7 @@ ansible.builtin.copy: src: clamav.cf dest: /etc/mail/spamassassin/clamav.cf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart spamassassin diff --git a/roles/spamassassin_razor/tasks/main.yml b/roles/spamassassin_razor/tasks/main.yml index b6268dc..dce1cfe 100644 --- a/roles/spamassassin_razor/tasks/main.yml +++ b/roles/spamassassin_razor/tasks/main.yml @@ -8,7 +8,7 @@ ansible.builtin.file: path: /var/lib/razor state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" setype: _default diff --git a/roles/spamassassin_textcat/tasks/main.yml b/roles/spamassassin_textcat/tasks/main.yml index 2e3daad..08e645f 100644 --- a/roles/spamassassin_textcat/tasks/main.yml +++ b/roles/spamassassin_textcat/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.copy: dest: /etc/mail/spamassassin/textcat.pre content: "loadplugin Mail::SpamAssassin::Plugin::TextCat\n" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart spamassassin diff --git a/roles/ssh_known_hosts/tasks/main.yml b/roles/ssh_known_hosts/tasks/main.yml index e5caeff..31acc01 100644 --- a/roles/ssh_known_hosts/tasks/main.yml +++ b/roles/ssh_known_hosts/tasks/main.yml 
@@ -3,6 +3,6 @@ ansible.builtin.template: dest: /etc/ssh/ssh_known_hosts src: ssh_known_hosts.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/sssd/tasks/main.yml b/roles/sssd/tasks/main.yml index dae5335..4f60e91 100644 --- a/roles/sssd/tasks/main.yml +++ b/roles/sssd/tasks/main.yml @@ -8,7 +8,7 @@ ansible.builtin.template: dest: /etc/sssd/sssd.conf src: sssd.conf.j2 - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" notify: Restart sssd diff --git a/roles/syslogd/tasks/main.yml b/roles/syslogd/tasks/main.yml index 498d76c..69170e5 100644 --- a/roles/syslogd/tasks/main.yml +++ b/roles/syslogd/tasks/main.yml @@ -8,7 +8,7 @@ ansible.builtin.file: path: /var/log/all.log state: touch - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" when: not result.stat.exists diff --git a/roles/syslogd/tasks/server.yml b/roles/syslogd/tasks/server.yml index 2f8f90f..ca342d1 100644 --- a/roles/syslogd/tasks/server.yml +++ b/roles/syslogd/tasks/server.yml @@ -3,7 +3,7 @@ ansible.builtin.file: dest: "{{ item }}" state: directory - mode: 0750 + mode: "0750" owner: root group: "{{ ansible_wheel }}" with_items: @@ -22,7 +22,7 @@ ansible.builtin.copy: dest: "{{ tls_private }}/0.0.0.0:6514.key" src: /srv/letsencrypt/live/loghost.foo.sh/privkey.pem - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" notify: Restart syslogd @@ -32,7 +32,7 @@ ansible.builtin.copy: dest: "{{ tls_certs }}/0.0.0.0:6514.crt" src: /srv/letsencrypt/live/loghost.foo.sh/fullchain.pem - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart syslogd @@ -59,7 +59,7 @@ ansible.builtin.copy: dest: /usr/local/sbin/syslog-archive src: syslog-archive.sh - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/telegraf/tasks/main.yml b/roles/telegraf/tasks/main.yml index 068f1a4..98fed37 100644 --- a/roles/telegraf/tasks/main.yml +++ b/roles/telegraf/tasks/main.yml 
@@ -9,7 +9,7 @@ ansible.builtin.copy: dest: /etc/telegraf/telegraf.conf src: "{{ ansible_private }}/files/telegraf/telegraf.conf" - mode: 0640 + mode: "0640" owner: root group: _telegraf notify: Restart telegraf diff --git a/roles/tftp/tasks/main.yml b/roles/tftp/tasks/main.yml index b943c63..bae19d9 100644 --- a/roles/tftp/tasks/main.yml +++ b/roles/tftp/tasks/main.yml @@ -34,7 +34,7 @@ ansible.builtin.file: path: /export/tftpboot state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -51,7 +51,7 @@ ansible.builtin.file: path: /etc/systemd/system/tftp.service.d state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" when: ansible_service_mgr == "systemd" @@ -63,7 +63,7 @@ [Service] ExecStart= ExecStart=/usr/sbin/in.tftpd -s /srv/tftpboot -u tftpd -c -v - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart tftpd diff --git a/roles/thinlinc_server/tasks/main.yml b/roles/thinlinc_server/tasks/main.yml index 76a2b43..6455425 100644 --- a/roles/thinlinc_server/tasks/main.yml +++ b/roles/thinlinc_server/tasks/main.yml @@ -32,7 +32,7 @@ ansible.builtin.copy: dest: /etc/polkit-1/rules.d/40-thinlinc-no-auth-dialogs.rules src: 40-thinlinc-no-auth-dialogs.rules - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -59,7 +59,7 @@ ansible.builtin.copy: dest: /opt/thinlinc/etc/tlwebaccess/server.key src: "{{ item }}" - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" with_first_found: @@ -72,7 +72,7 @@ ansible.builtin.copy: dest: /opt/thinlinc/etc/tlwebaccess/server.crt src: "{{ item }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" validate: /usr/bin/openssl x509 -in %s -noout diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 1f6699a..0c0ef91 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml 
@@ -19,7 +19,7 @@ ansible.builtin.template: dest: "{{ unbound_conf }}" src: "unbound.conf.{{ inventory_hostname }}.j2" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" validate: "unbound-checkconf %s" diff --git a/roles/web_build/tasks/main.yml b/roles/web_build/tasks/main.yml index 6fb8ba2..d2aed36 100644 --- a/roles/web_build/tasks/main.yml +++ b/roles/web_build/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.file: path: /export/web-build state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -20,6 +20,6 @@ ansible.builtin.copy: dest: /usr/local/bin/web-sync src: web-sync.sh - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/web_logs/tasks/main.yml b/roles/web_logs/tasks/main.yml index 04e1c7e..d554ce8 100644 --- a/roles/web_logs/tasks/main.yml +++ b/roles/web_logs/tasks/main.yml @@ -18,7 +18,7 @@ ansible.builtin.file: path: /etc/ssh/logsync state: directory - mode: 0750 + mode: "0750" owner: root group: logsync @@ -41,7 +41,7 @@ path: "{{ item }}" owner: root group: logsync - mode: 0640 + mode: "0640" with_items: - /etc/ssh/logsync/id_ed25519 - /etc/ssh/logsync/id_ed25519.pub @@ -60,7 +60,7 @@ ansible.builtin.file: path: /var/cache/sync-http-logs state: directory - mode: 0750 + mode: "0750" owner: logsync group: logsync @@ -68,7 +68,7 @@ ansible.builtin.file: path: /export/web-log state: directory - mode: 0750 + mode: "0750" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/zoneminder/tasks/main.yml b/roles/zoneminder/tasks/main.yml index 8ee40c0..c8de160 100644 --- a/roles/zoneminder/tasks/main.yml +++ b/roles/zoneminder/tasks/main.yml @@ -21,7 +21,7 @@ ansible.builtin.file: path: /export/zoneminder state: directory - mode: 0750 + mode: "0750" owner: apache group: apache setype: _default @@ -39,7 +39,7 @@ ansible.builtin.template: dest: /etc/zm/conf.d/local.conf src: zm.conf - mode: 0640 + mode: "0640" owner: root group: apache notify: Restart zoneminder 
@@ -76,7 +76,7 @@
 ansible.builtin.file:
 dest: /var/log/zoneminder/web_php.log
 state: touch
- mode: 0640
+ mode: "0640"
 owner: apache
 group: apache
 access_time: preserve
@@ -104,7 +104,7 @@
 ansible.builtin.copy:
 dest: /etc/php.d/timezone.ini
 content: "date.timezone=UTC\n"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart apache
@@ -118,7 +118,7 @@
 ssl-ca={{ tls_certs }}/ca.crt
 ssl-cert={{ tls_certs }}/{{ inventory_hostname }}.crt
 ssl-key={{ tls_private }}/{{ inventory_hostname }}.key
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
From 644fcbe63873a78e929fd353177c310c9e037eed Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 13 Oct 2023 12:37:46 +0000
Subject: [PATCH 064/713] Update software versions
---
 hosts.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/hosts.yml b/hosts.yml
index c056a2c..d7faa20 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -34,8 +34,9 @@ homeassistant:
 homeassistant_version: "2023.10.1"
 homeassistant_integrations:
 - name: electrolux_status
- repo: https://github.com/mauro-midolo/homeassistant_electrolux_status.git
- version: v2.12.0
+ repo: >-
+ https://github.com/mauro-midolo/homeassistant_electrolux_status.git
+ version: v3.2.1
 influxdb:
 hosts:
 influxdb01.home.foo.sh:
@@ -87,6 +88,8 @@ print:
 prometheus:
 hosts:
 prometheus02.home.foo.sh:
+ vars:
+ prometheus_version: "2.45.1"
 proxy:
 hosts:
 proxy01.home.foo.sh:
From 317622a01d0f1a3041e227040c872cea8bacdd9e Mon Sep 17 00:00:00 2001
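Review bot: `version: v3.2.1` for the electrolux_status integration is a git tag, and a tag on a third-party GitHub repository is a mutable ref; the role's checkout task (`update: true` with `version: "{{ item.version }}"`, visible in the roles/homeassistant hunk further down this page) will follow wherever that tag points, so the code deployed to homeassistant01 can change without any change to this inventory. Pin the resolved commit hash of the tag in `version:` instead and keep the tag name in a comment beside it, e.g. `version: <commit hash>  # v3.2.1`. The same rule should apply to any further entries added under `homeassistant_integrations`.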
From: Timo Makinen Date: Fri, 13 Oct 2023 12:44:42 +0000 Subject: [PATCH 065/713] Fix Forbidden implicit octal value from playbooks --- playbooks/adm.yml | 2 +- playbooks/collab.yml | 4 ++-- playbooks/dna-gw.yml | 20 ++++++++++---------- playbooks/fsol-gw.yml | 4 ++-- playbooks/include/deploy-kvm-guest.yml | 2 +- playbooks/nas.yml | 2 +- playbooks/nms.yml | 2 +- playbooks/print.yml | 2 +- playbooks/shell.yml | 2 +- playbooks/static.yml | 2 +- playbooks/zm.yml | 4 ++-- 11 files changed, 23 insertions(+), 23 deletions(-) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 9833c14..3daeffe 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml @@ -63,6 +63,6 @@ Host shell??.foo.sh CheckHostIP no dest: /root/.ssh/config - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" diff --git a/playbooks/collab.yml b/playbooks/collab.yml index 6533222..38f5b8d 100644 --- a/playbooks/collab.yml +++ b/playbooks/collab.yml @@ -38,7 +38,7 @@ ansible.builtin.copy: content: "RedirectMatch permanent \"^/$\" /collab/\n" dest: "/etc/httpd/conf.local.d/redirects.conf" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart apache @@ -61,7 +61,7 @@ dest: /srv/wikis/collab/htdocs/.htaccess owner: collab group: collab - mode: 0660 + mode: "0660" seuser: _default setype: _default diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 533314a..224c9a1 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -27,7 +27,7 @@ ansible.builtin.copy: dest: /etc/dhclient.conf content: "ignore domain-name-servers, domain-name;\n" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -53,7 +53,7 @@ ansible.builtin.file: path: /srv/tftpboot/etc state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -64,7 +64,7 @@ stty com0 115200 set tty com0 boot tftp:bsd.rd - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" 
@@ -73,7 +73,7 @@
 url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.3/amd64/pxeboot"
 checksum: sha1:161b36d4ae3d786aa98c4836abba25f2bca8979d
 dest: /srv/tftpboot/pxeboot
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -82,7 +82,7 @@
 url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.3/amd64/bsd.rd"
 checksum: sha1:72b46ad8e97b2082d145a739264e818dcd154021
 dest: /srv/tftpboot/bsd.rd
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -91,7 +91,7 @@
 url: "https://boot.foo.sh/openbsd/install.conf"
 checksum: sha1:f6270708dad3f759df02eefeab300d9b8670f3d4
 dest: /srv/tftpboot/install.conf
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -113,7 +113,7 @@
 }
 }
 }
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart nginx
@@ -122,7 +122,7 @@
 ansible.builtin.copy:
 dest: "{{ tls_private }}/dns.home.foo.sh.key"
 src: "{{ item }}"
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
 with_first_found:
@@ -135,7 +135,7 @@
 ansible.builtin.copy:
 dest: "{{ tls_certs }}/dns.home.foo.sh.crt"
 src: "{{ item }}"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 with_first_found:
@@ -148,7 +148,7 @@
 ansible.builtin.copy:
 dest: "/var/unbound/db/{{ item }}"
 src: "/srv/dns/{{ item }}"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 tags: dns
diff --git a/playbooks/fsol-gw.yml b/playbooks/fsol-gw.yml
index 7d6efe8..1d11432 100644
--- a/playbooks/fsol-gw.yml
+++ b/playbooks/fsol-gw.yml
@@ -32,14 +32,14 @@
 ansible.builtin.copy:
 dest: /etc/dhclient.conf
 content: "ignore domain-name-servers, domain-name;\n"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 - name: Create pfsync interface
 ansible.builtin.copy:
 dest: /etc/hostname.pfsync0
 content: "up syncdev vio1\n"
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
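Review bot: The three `get_url` pins at `@@ -73`, `@@ -82` and `@@ -91` use `checksum: sha1:…` for `pxeboot`, `bsd.rd` and `install.conf`, which are the first things every PXE-booted host executes; SHA-1 is no longer collision-resistant and `get_url` accepts `sha256:`, so each pin should be upgraded to `checksum: sha256:<digest>` with no other change to the task. As far as I recall OpenBSD publishes a signify-signed `SHA256` file next to the release files, which is also the right place to take the digests from when bumping the 7.3 paths. The `install.conf` served from `boot.foo.sh` has no upstream manifest, so its digest has to be computed locally and re-pinned whenever that file changes.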
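Review bot: `content: "up syncdev vio1\n"` in the fsol-gw hunk brings pfsync up on `vio1` with no further qualification; pfsync state updates are exchanged without authentication or encryption, so any host able to reach that segment can read or inject firewall state. If `vio1` is a dedicated point-to-point link or isolated VLAN that is fine, but it is worth saying so in a comment above the task, e.g. `# vio1 is the dedicated pfsync link; never attach it to a shared segment`; if it is shared, pfsync(4) suggests restricting the peer and carrying the traffic over IPsec. The play's other interface definitions are outside this hunk, so I cannot tell which case applies.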
diff --git a/playbooks/include/deploy-kvm-guest.yml b/playbooks/include/deploy-kvm-guest.yml
index 4f763fd..4bdb5d1 100644
--- a/playbooks/include/deploy-kvm-guest.yml
+++ b/playbooks/include/deploy-kvm-guest.yml
@@ -75,7 +75,7 @@
 echo '{{ root_pubkey }}' > /root/.ssh/authorized_keys
 %end
 dest: "{{ tmpdir.path }}/include.ks"
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
 delegate_to: "{{ vmhost }}"
diff --git a/playbooks/nas.yml b/playbooks/nas.yml
index 4d451e7..58db737 100644
--- a/playbooks/nas.yml
+++ b/playbooks/nas.yml
@@ -51,7 +51,7 @@
 /export/roles 172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \
 @nfsclients-rw(rw,root_squash,secure) \
 @nfsclients-ro(ro,root_squash,secure)
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart nfs-server
diff --git a/playbooks/nms.yml b/playbooks/nms.yml
index f5ac7a0..9900ec7 100644
--- a/playbooks/nms.yml
+++ b/playbooks/nms.yml
@@ -49,7 +49,7 @@
 ansible.builtin.copy:
 dest: "/var/lib/unbound/{{ item }}"
 src: "/srv/dns/{{ item }}"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 tags: dns
diff --git a/playbooks/print.yml b/playbooks/print.yml
index d434c76..1f90c63 100644
--- a/playbooks/print.yml
+++ b/playbooks/print.yml
@@ -29,7 +29,7 @@
 ansible.builtin.copy:
 dest: "/var/lib/unbound/{{ item }}"
 src: "/srv/dns/{{ item }}"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 tags: dns
diff --git a/playbooks/shell.yml b/playbooks/shell.yml
index d331810..1380081 100644
--- a/playbooks/shell.yml
+++ b/playbooks/shell.yml
@@ -98,6 +98,6 @@
 content: |
 Host *.home.foo.sh !gw.home.foo.sh
 ProxyJump root@gw.home.foo.sh
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
diff --git a/playbooks/static.yml b/playbooks/static.yml
index 25636a9..b912fbe 100644
--- a/playbooks/static.yml
+++ b/playbooks/static.yml
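Review bot: In the nas.yml exports block at `@@ -51`, only the `172.20.30.0/24` entry for `/export/roles` carries `sec=krb5p`; the `@nfsclients-rw` and `@nfsclients-ro` netgroup entries have no `sec=` option, so they fall back to the server default (AUTH_SYS, where the client asserts its own uid/gid), which is a much weaker trust model for the same export. If that is deliberate, a one-line comment above the entry explaining why those netgroups are trusted without Kerberos would help the next reader; otherwise add `sec=krb5p` (or at least `sec=krb5i`) to both netgroup entries as well. The exports content starts outside this hunk, so other entries may already cover this.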
@@ -48,7 +48,7 @@ AllowOverride AuthConfig FileInfo Indexes Limit Require all granted - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart apache diff --git a/playbooks/zm.yml b/playbooks/zm.yml index f96065c..f4b39e8 100644 --- a/playbooks/zm.yml +++ b/playbooks/zm.yml @@ -45,7 +45,7 @@ ansible.builtin.copy: dest: "/var/lib/unbound/{{ item }}" src: "/srv/dns/{{ item }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" tags: dns @@ -80,7 +80,7 @@ AuthName "Password Required" Require valid-user - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart apache From 39fad6ed05911f1cc682a33a26d2d84d482f8bcc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 13 Oct 2023 12:48:04 +0000 Subject: [PATCH 066/713] homeassistant: Style fixes --- roles/homeassistant/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index 8456261..af7da3a 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml @@ -101,7 +101,7 @@ update: true version: "{{ item.version }}" notify: Restart homeassistant - with_items: "{{ homeassistant_integrations|default([]) }}" + with_items: "{{ homeassistant_integrations | default([]) }}" - name: Link extra integrations ansible.builtin.file: @@ -111,7 +111,7 @@ owner: root group: "{{ ansible_wheel }}" follow: false - with_items: "{{ homeassistant_integrations|default([]) }}" + with_items: "{{ homeassistant_integrations | default([]) }}" - name: Create service file ansible.builtin.template: From 15c612cb3b51c4db06e30be2465c1ca809598c56 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Fri, 13 Oct 2023 16:17:07 +0000 Subject: [PATCH 067/713] Rename nginx/server to nginx_server --- playbooks/dna-gw.yml | 2 +- playbooks/mail.yml | 2 +- playbooks/mqtt.yml | 2 +- playbooks/nms.yml | 2 +- playbooks/ns.yml | 2 +- playbooks/proxy.yml | 58 +++++++++---------- playbooks/relay.yml | 6 +- roles/certbot/tasks/main.yml | 2 +- .../{nginx/site => nginx_site}/tasks/main.yml | 0 .../templates/git.foo.sh.conf.j2 | 0 .../templates/gw.home.foo.sh.conf.j2 | 0 .../templates/registry.foo.sh.conf.j2 | 0 .../templates/site.conf.j2 | 0 .../templates/www.foo.sh.conf.j2 | 0 14 files changed, 38 insertions(+), 38 deletions(-) rename roles/{nginx/site => nginx_site}/tasks/main.yml (100%) rename roles/{nginx/site => nginx_site}/templates/git.foo.sh.conf.j2 (100%) rename roles/{nginx/site => nginx_site}/templates/gw.home.foo.sh.conf.j2 (100%) rename roles/{nginx/site => nginx_site}/templates/registry.foo.sh.conf.j2 (100%) rename roles/{nginx/site => nginx_site}/templates/site.conf.j2 (100%) rename roles/{nginx/site => nginx_site}/templates/www.foo.sh.conf.j2 (100%) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 224c9a1..f94117c 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -17,7 +17,7 @@ - ifstated - dhcpd - nginx/server - - role: nginx/site + - role: nginx_site site: gw.home.foo.sh - tftp - websockify diff --git a/playbooks/mail.yml b/playbooks/mail.yml index 072587d..ca0bf58 100644 --- a/playbooks/mail.yml +++ b/playbooks/mail.yml @@ -34,7 +34,7 @@ - autofs - dovecot - role: nginx/server - - role: nginx/site + - role: nginx_site site: "{{ mail_server }}" redirect: https://webmail.foo.sh/ - grossd diff --git a/playbooks/mqtt.yml b/playbooks/mqtt.yml index 1a37f6e..89edf93 100644 --- a/playbooks/mqtt.yml +++ b/playbooks/mqtt.yml @@ -14,5 +14,5 @@ - mosquitto - telegraf - nginx/server - - role: nginx/site + - role: nginx_site site: iot.foo.sh 
diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 9900ec7..848ee50 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -26,7 +26,7 @@ roles: - base - nginx/server - - role: nginx/site + - role: nginx_site site: oob.foo.sh - sssd - mkhomedir diff --git a/playbooks/ns.yml b/playbooks/ns.yml index 495e358..82cca51 100644 --- a/playbooks/ns.yml +++ b/playbooks/ns.yml @@ -16,7 +16,7 @@ - base - nsd - role: nginx/server - - role: nginx/site + - role: nginx_site site: "{{ nsd_server }}" redirect: https://www.foo.sh/ - role: ifstated diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index 104f9fe..11ef140 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml 
@@ -16,93 +16,93 @@ - base - ifstated - nginx/server - - role: nginx/site + - role: nginx_site site: ca.foo.sh - - role: nginx/site + - role: nginx_site site: foo.monster - - role: nginx/site + - role: nginx_site site: tuiradc.fi redirect: https://facebook.com/TuiraDC - - role: nginx/site + - role: nginx_site site: www.tuiradc.fi redirect: https://facebook.com/TuiraDC - - role: nginx/site + - role: nginx_site site: foo.sh redirect: https://www.foo.sh/ - - role: nginx/site + - role: nginx_site site: autoconfig.foo.sh - - role: nginx/site + - role: nginx_site site: boot.foo.sh ssl_config: old - - role: nginx/site + - role: nginx_site site: bitbucket.foo.sh redirect: https://bitbucket.org/tmakinen/ - - role: nginx/site + - role: nginx_site site: certbot.home.foo.sh proxy: https://certbot.home.foo.sh/ - - role: nginx/site + - role: nginx_site site: chat.foo.sh proxy: - https://oci-node01.home.foo.sh/rocketchat/ - https://oci-node02.home.foo.sh/rocketchat/ - - role: nginx/site + - role: nginx_site site: collab.foo.sh proxy: https://collab01.home.foo.sh/ - - role: nginx/site + - role: nginx_site site: devel01.foo.sh proxy: https://devel01.home.foo.sh/ - - role: nginx/site + - role: nginx_site site: dns.home.foo.sh redirect: https://www.foo.sh/ - - role: nginx/site + - role: nginx_site site: git.foo.sh proxy: https://gitea02.home.foo.sh/ - - role: nginx/site + - role: nginx_site site: gitea.foo.sh redirect: https://git.foo.sh/ - - role: nginx/site + - role: nginx_site site: ha.foo.sh proxy: https://homeassistant01.home.foo.sh/ - - role: nginx/site + - role: nginx_site site: id.foo.sh proxy: - https://oci-node01.home.foo.sh - https://oci-node02.home.foo.sh - - role: nginx/site + - role: nginx_site site: influxdb.foo.sh proxy: https://influxdb01.home.foo.sh/ - - role: nginx/site + - role: nginx_site site: iot.foo.sh redirect: https://www.foo.sh/ - - role: nginx/site + - role: nginx_site site: munin.foo.sh proxy: https://munin01.home.foo.sh/ - - role: nginx/site + - role: 
nginx_site site: mirrors.foo.sh proxy: https://mirror01.home.foo.sh/ - - role: nginx/site + - role: nginx_site site: movies.foo.sh proxy: - https://oci-node01.home.foo.sh/php4dvd/ - - role: nginx/site + - role: nginx_site site: noc.foo.sh proxy: - https://oci-node01.home.foo.sh/grafana/ - https://oci-node02.home.foo.sh/grafana/ - - role: nginx/site + - role: nginx_site site: print.foo.sh proxy: https://print01.home.foo.sh:631/ - - role: nginx/site + - role: nginx_site site: registry.foo.sh proxy: ["registry01.home.foo.sh:5000", "registry02.home.foo.sh:5000"] - - role: nginx/site + - role: nginx_site site: webmail.foo.sh proxy: - https://oci-node01.home.foo.sh/roundcube/ - - role: nginx/site + - role: nginx_site site: wpad.foo.sh - - role: nginx/site + - role: nginx_site site: www.foo.sh - - role: nginx/site + - role: nginx_site site: zm.foo.sh proxy: https://zm02.home.foo.sh/ diff --git a/playbooks/relay.yml b/playbooks/relay.yml index f6cd46d..9ed46a0 100644 --- a/playbooks/relay.yml +++ b/playbooks/relay.yml @@ -17,12 +17,12 @@ - ifstated - relayd - nginx/server - - role: nginx/site + - role: nginx_site site: ldap.foo.sh redirect: https://www.foo.sh/ - - role: nginx/site + - role: nginx_site site: ldap01.foo.sh redirect: https://www.foo.sh/ - - role: nginx/site + - role: nginx_site site: loghost.foo.sh redirect: https://www.foo.sh/ diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index b66300b..1a4cbb7 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -21,7 +21,7 @@ - name: Add certbot nginx site ansible.builtin.include_role: - name: nginx/site + name: nginx_site vars: site: certbot.home.foo.sh diff --git a/roles/nginx/site/tasks/main.yml b/roles/nginx_site/tasks/main.yml similarity index 100% rename from roles/nginx/site/tasks/main.yml rename to roles/nginx_site/tasks/main.yml 
diff --git a/roles/nginx/site/templates/git.foo.sh.conf.j2 b/roles/nginx_site/templates/git.foo.sh.conf.j2 similarity index 100% rename from roles/nginx/site/templates/git.foo.sh.conf.j2 rename to roles/nginx_site/templates/git.foo.sh.conf.j2 diff --git a/roles/nginx/site/templates/gw.home.foo.sh.conf.j2 b/roles/nginx_site/templates/gw.home.foo.sh.conf.j2 similarity index 100% rename from roles/nginx/site/templates/gw.home.foo.sh.conf.j2 rename to roles/nginx_site/templates/gw.home.foo.sh.conf.j2 diff --git a/roles/nginx/site/templates/registry.foo.sh.conf.j2 b/roles/nginx_site/templates/registry.foo.sh.conf.j2 similarity index 100% rename from roles/nginx/site/templates/registry.foo.sh.conf.j2 rename to roles/nginx_site/templates/registry.foo.sh.conf.j2 diff --git a/roles/nginx/site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 similarity index 100% rename from roles/nginx/site/templates/site.conf.j2 rename to roles/nginx_site/templates/site.conf.j2 diff --git a/roles/nginx/site/templates/www.foo.sh.conf.j2 b/roles/nginx_site/templates/www.foo.sh.conf.j2 similarity index 100% rename from roles/nginx/site/templates/www.foo.sh.conf.j2 rename to roles/nginx_site/templates/www.foo.sh.conf.j2 From 2119f96382f237420fc43d0ce181bd277a4fb520 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 13 Oct 2023 17:14:14 +0000 Subject: [PATCH 068/713] nginx_site: Prefix all variables with role name --- playbooks/dna-gw.yml | 2 +- playbooks/mail.yml | 4 +- playbooks/mqtt.yml | 2 +- playbooks/nms.yml | 2 +- playbooks/ns.yml | 4 +- playbooks/proxy.yml | 108 ++++++++++++------------ playbooks/relay.yml | 12 +-- roles/nginx_site/tasks/main.yml | 26 +++--- roles/nginx_site/templates/site.conf.j2 | 44 +++++----- 9 files changed, 103 insertions(+), 101 deletions(-) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index f94117c..7e1d9d0 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml 
@@ -18,7 +18,7 @@ - dhcpd - nginx/server - role: nginx_site - site: gw.home.foo.sh + nginx_site_name: gw.home.foo.sh - tftp - websockify diff --git a/playbooks/mail.yml b/playbooks/mail.yml index ca0bf58..1289c52 100644 --- a/playbooks/mail.yml +++ b/playbooks/mail.yml @@ -35,8 +35,8 @@ - dovecot - role: nginx/server - role: nginx_site - site: "{{ mail_server }}" - redirect: https://webmail.foo.sh/ + nginx_site_name: "{{ mail_server }}" + nginx_site_redirect: https://webmail.foo.sh/ - grossd - spamassassin - spamassassin_clamav diff --git a/playbooks/mqtt.yml b/playbooks/mqtt.yml index 89edf93..3b59540 100644 --- a/playbooks/mqtt.yml +++ b/playbooks/mqtt.yml @@ -15,4 +15,4 @@ - telegraf - nginx/server - role: nginx_site - site: iot.foo.sh + nginx_site_name: iot.foo.sh diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 848ee50..36bd7b8 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -27,7 +27,7 @@ - base - nginx/server - role: nginx_site - site: oob.foo.sh + nginx_site_name: oob.foo.sh - sssd - mkhomedir - tftp diff --git a/playbooks/ns.yml b/playbooks/ns.yml index 82cca51..43508a3 100644 --- a/playbooks/ns.yml +++ b/playbooks/ns.yml @@ -17,7 +17,7 @@ - nsd - role: nginx/server - role: nginx_site - site: "{{ nsd_server }}" - redirect: https://www.foo.sh/ + nginx_site_name: "{{ nsd_server }}" + nginx_site_redirect: https://www.foo.sh/ - role: ifstated when: "'vultr' not in group_names" diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index 11ef140..72096f6 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml 
@@ -17,92 +17,94 @@ - ifstated - nginx/server - role: nginx_site - site: ca.foo.sh + nginx_site_name: ca.foo.sh - role: nginx_site - site: foo.monster + nginx_site_name: foo.monster - role: nginx_site - site: tuiradc.fi - redirect: https://facebook.com/TuiraDC + nginx_site_name: tuiradc.fi + nginx_site_redirect: https://facebook.com/TuiraDC - role: nginx_site - site: www.tuiradc.fi - redirect: https://facebook.com/TuiraDC + nginx_site_name: www.tuiradc.fi + nginx_site_redirect: https://facebook.com/TuiraDC - role: nginx_site - site: foo.sh - redirect: https://www.foo.sh/ + nginx_site_name: foo.sh + nginx_site_redirect: https://www.foo.sh/ - role: nginx_site - site: autoconfig.foo.sh + nginx_site_name: autoconfig.foo.sh - role: nginx_site - site: boot.foo.sh - ssl_config: old + nginx_site_name: boot.foo.sh + nginx_site_ssl_config: old - role: nginx_site - site: bitbucket.foo.sh - redirect: https://bitbucket.org/tmakinen/ + nginx_site_name: bitbucket.foo.sh + nginx_site_redirect: https://bitbucket.org/tmakinen/ - role: nginx_site - site: certbot.home.foo.sh - proxy: https://certbot.home.foo.sh/ + nginx_site_name: certbot.home.foo.sh + nginx_site_proxy: https://certbot.home.foo.sh/ - role: nginx_site - site: chat.foo.sh - proxy: + nginx_site_name: chat.foo.sh + nginx_site_proxy: - https://oci-node01.home.foo.sh/rocketchat/ - https://oci-node02.home.foo.sh/rocketchat/ - role: nginx_site - site: collab.foo.sh - proxy: https://collab01.home.foo.sh/ + nginx_site_name: collab.foo.sh + nginx_site_proxy: https://collab01.home.foo.sh/ - role: nginx_site - site: devel01.foo.sh - proxy: https://devel01.home.foo.sh/ + nginx_site_name: devel01.foo.sh + nginx_site_proxy: https://devel01.home.foo.sh/ - role: nginx_site - site: dns.home.foo.sh - redirect: https://www.foo.sh/ + nginx_site_name: dns.home.foo.sh + nginx_site_redirect: https://www.foo.sh/ - role: nginx_site - site: git.foo.sh - proxy: https://gitea02.home.foo.sh/ + nginx_site_name: git.foo.sh + nginx_site_proxy: 
https://gitea02.home.foo.sh/ - role: nginx_site - site: gitea.foo.sh - redirect: https://git.foo.sh/ + nginx_site_name: gitea.foo.sh + nginx_site_redirect: https://git.foo.sh/ - role: nginx_site - site: ha.foo.sh - proxy: https://homeassistant01.home.foo.sh/ + nginx_site_name: ha.foo.sh + nginx_site_proxy: https://homeassistant01.home.foo.sh/ - role: nginx_site - site: id.foo.sh - proxy: + nginx_site_name: id.foo.sh + nginx_site_proxy: - https://oci-node01.home.foo.sh - https://oci-node02.home.foo.sh - role: nginx_site - site: influxdb.foo.sh - proxy: https://influxdb01.home.foo.sh/ + nginx_site_name: influxdb.foo.sh + nginx_site_proxy: https://influxdb01.home.foo.sh/ - role: nginx_site - site: iot.foo.sh - redirect: https://www.foo.sh/ + nginx_site_name: iot.foo.sh + nginx_site_redirect: https://www.foo.sh/ - role: nginx_site - site: munin.foo.sh - proxy: https://munin01.home.foo.sh/ + nginx_site_name: munin.foo.sh + nginx_site_proxy: https://munin01.home.foo.sh/ - role: nginx_site - site: mirrors.foo.sh - proxy: https://mirror01.home.foo.sh/ + nginx_site_name: mirrors.foo.sh + nginx_site_proxy: https://mirror01.home.foo.sh/ - role: nginx_site - site: movies.foo.sh - proxy: + nginx_site_name: movies.foo.sh + nginx_site_proxy: - https://oci-node01.home.foo.sh/php4dvd/ - role: nginx_site - site: noc.foo.sh - proxy: + nginx_site_name: noc.foo.sh + nginx_site_proxy: - https://oci-node01.home.foo.sh/grafana/ - https://oci-node02.home.foo.sh/grafana/ - role: nginx_site - site: print.foo.sh - proxy: https://print01.home.foo.sh:631/ + nginx_site_name: print.foo.sh + nginx_site_proxy: https://print01.home.foo.sh:631/ - role: nginx_site - site: registry.foo.sh - proxy: ["registry01.home.foo.sh:5000", "registry02.home.foo.sh:5000"] + nginx_site_name: registry.foo.sh + nginx_site_proxy: + - "registry01.home.foo.sh:5000" + - "registry02.home.foo.sh:5000" - role: nginx_site - site: webmail.foo.sh - proxy: + nginx_site_name: webmail.foo.sh + nginx_site_proxy: - 
https://oci-node01.home.foo.sh/roundcube/ - role: nginx_site - site: wpad.foo.sh + nginx_site_name: wpad.foo.sh - role: nginx_site - site: www.foo.sh + nginx_site_name: www.foo.sh - role: nginx_site - site: zm.foo.sh - proxy: https://zm02.home.foo.sh/ + nginx_site_name: zm.foo.sh + nginx_site_proxy: https://zm02.home.foo.sh/ diff --git a/playbooks/relay.yml b/playbooks/relay.yml index 9ed46a0..a7cd0b4 100644 --- a/playbooks/relay.yml +++ b/playbooks/relay.yml @@ -18,11 +18,11 @@ - relayd - nginx/server - role: nginx_site - site: ldap.foo.sh - redirect: https://www.foo.sh/ + nginx_site_name: ldap.foo.sh + nginx_site_redirect: https://www.foo.sh/ - role: nginx_site - site: ldap01.foo.sh - redirect: https://www.foo.sh/ + nginx_site_name: ldap01.foo.sh + nginx_site_redirect: https://www.foo.sh/ - role: nginx_site - site: loghost.foo.sh - redirect: https://www.foo.sh/ + nginx_site_name: loghost.foo.sh + nginx_site_redirect: https://www.foo.sh/ diff --git a/roles/nginx_site/tasks/main.yml b/roles/nginx_site/tasks/main.yml index fe8d61b..0afcf5e 100644 --- a/roles/nginx_site/tasks/main.yml +++ b/roles/nginx_site/tasks/main.yml 
@@ -1,47 +1,47 @@ --- -- name: "Create site data directory for {{ site }}" +- name: "Create site data directory for {{ nginx_site_name }}" ansible.builtin.file: - path: "/srv/web/{{ site }}" + path: "/srv/web/{{ nginx_site_name }}" state: directory mode: "0755" owner: root group: "{{ ansible_wheel }}" - when: redirect is not defined and proxy is not defined + when: nginx_site_redirect is not defined and nginx_site_proxy is not defined -- name: "Create site config for {{ site }}" +- name: "Create site config for {{ nginx_site_name }}" ansible.builtin.template: - dest: /etc/nginx/conf.d/{{ site }}.conf + dest: /etc/nginx/conf.d/{{ nginx_site_name }}.conf src: site.conf.j2 mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx -- name: "Copy site private key for {{ site }}" +- name: "Copy site private key for {{ nginx_site_name }}" ansible.builtin.copy: - dest: "{{ tls_private }}/{{ site }}.key" + dest: "{{ tls_private }}/{{ nginx_site_name }}.key" src: "{{ item }}" mode: "0600" owner: root group: "{{ ansible_wheel }}" with_first_found: - - "/srv/letsencrypt/live/{{ site }}/privkey.pem" - - "/srv/ca/private/{{ site }}.key" + - "/srv/letsencrypt/live/{{ nginx_site_name }}/privkey.pem" + - "/srv/ca/private/{{ nginx_site_name }}.key" - "/srv/ca/private/{{ inventory_hostname }}.key" tags: certificates notify: Restart nginx -- name: "Copy site certificate for {{ site }}" +- name: "Copy site certificate for {{ nginx_site_name }}" ansible.builtin.copy: src: "{{ item }}" - dest: "{{ tls_certs }}/{{ site }}-fullchain.crt" + dest: "{{ tls_certs }}/{{ nginx_site_name }}-fullchain.crt" mode: "0644" owner: root group: "{{ ansible_wheel }}" validate: /usr/bin/openssl x509 -in %s -noout with_first_found: - - "/srv/letsencrypt/live/{{ site }}/fullchain.pem" - - "/srv/ca/certs/hosts/{{ site }}.crt" + - "/srv/letsencrypt/live/{{ nginx_site_name }}/fullchain.pem" + - "/srv/ca/certs/hosts/{{ nginx_site_name }}.crt" - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt" 
tags: certificates notify: Restart nginx diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 index f13669c..6e4117b 100644 --- a/roles/nginx_site/templates/site.conf.j2 +++ b/roles/nginx_site/templates/site.conf.j2 @@ -1,6 +1,6 @@ -{% if proxy is defined and proxy is not string %} -upstream {{ site }} { -{% for item in proxy %} +{% if nginx_site_proxy is defined and nginx_site_proxy is not string %} +upstream {{ nginx_site_name }} { +{% for item in nginx_site_proxy %} {% set item = item | regex_replace("^(https://)?([^/]*).*$", "\\2") %} {% if item | regex_search(".*:[0-9]+$") %} server {{ item }}; 
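Review bot: `roles/certbot/tasks/main.yml` is not in this commit's file list, yet the include_role it gained in patch 067 still passes `vars: site: certbot.home.foo.sh`; after this hunk every task in the role reads `nginx_site_name`, so that include would run with the name undefined unless it is updated elsewhere — change it to `nginx_site_name: certbot.home.foo.sh`. Separately, `nginx_site_name` is interpolated into filesystem paths in all four tasks here (`/srv/web/…`, `/etc/nginx/conf.d/…`, the key and certificate destinations and the with_first_found sources) with nothing rejecting a value containing `/` or `..`; as this is the role's entry point, a guard at the top of the file would make that explicit: `- name: Validate site name` / `ansible.builtin.assert:` / `that: nginx_site_name is match('^[A-Za-z0-9.-]+$')`. Every value on this page comes from the project's own playbooks, so this is defence in depth rather than a live problem.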
@@ -13,52 +13,52 @@ upstream {{ site }} { server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name {{ site }}; + server_name {{ nginx_site_name }}; - access_log {{ nginx_logdir }}/{{ site }}.access.log combined; - error_log {{ nginx_logdir }}/{{ site }}.error.log warn; + access_log {{ nginx_logdir }}/{{ nginx_site_name }}.access.log combined; + error_log {{ nginx_logdir }}/{{ nginx_site_name }}.error.log warn; add_header Strict-Transport-Security "max-age=63072000" always; -{% if ssl_config is defined %} -{% if ssl_config == "old" %} +{% if nginx_site_ssl_config is defined %} +{% if nginx_site_ssl_config == "old" %} ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; ssl_prefer_server_ciphers on; {% endif %} {% endif %} - ssl_certificate {{ tls_certs }}/{{ site }}-fullchain.crt; - ssl_certificate_key {{ tls_private }}/{{ site }}.key; + ssl_certificate {{ tls_certs }}/{{ nginx_site_name }}-fullchain.crt; + ssl_certificate_key {{ tls_private }}/{{ nginx_site_name }}.key; -{% include "./{}.conf.j2".format(site) ignore missing %} -{% if redirect is defined %} - return 301 {{ redirect }}; -{% elif proxy is defined %} +{% include "./{}.conf.j2".format(nginx_site_name) ignore missing %} +{% if nginx_site_redirect is defined %} + return 301 {{ nginx_site_redirect }}; +{% elif nginx_site_proxy is defined %} location / { -{% if proxy is not string %} -{% set path = proxy[0] | 
regex_replace("^(https://)?([^/]*)(.*)$", "\\3") %} +{% if nginx_site_proxy is not string %} +{% set path = nginx_site_proxy[0] | regex_replace("^(https://)?([^/]*)(.*)$", "\\3") %} # https://trac.nginx.org/nginx/ticket/1307 proxy_ssl_verify off; - proxy_pass https://{{ site }}{{ path }}; + proxy_pass https://{{ nginx_site_name }}{{ path }}; {% else %} - proxy_pass {{ proxy }}; + proxy_pass {{ nginx_site_proxy }}; {% endif %} } {% else %} - root /srv/web/{{ site }}; + root /srv/web/{{ nginx_site_name }}; {% endif %} } server { listen 80; listen [::]:80; - server_name {{ site }}; + server_name {{ nginx_site_name }}; location /.well-known/acme-challenge/ { proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/; } location / { -{% if redirect is defined %} - return 301 {{ redirect }}; +{% if nginx_site_redirect is defined %} + return 301 {{ nginx_site_redirect }}; {% else %} return 301 https://$host$request_uri; {% endif %} From 4fb04065f9bbd4d84531cda9ebb9a7b87fecd30a Mon Sep 17 00:00:00 2001 
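Review bot: `nginx_site_ssl_config` is compared only against the literal `"old"`, so any other value (a typo, `true`, `legacy`) is silently ignored and nothing in the template documents what the accepted values are; the branch it switches on widens the protocol list to TLSv1/TLSv1.1 and the cipher list to `DES-CBC3-SHA` (unchanged context lines here, and enabled for `boot.foo.sh` in playbooks/proxy.yml earlier in this patch). Add a Jinja comment above the check so the knob is self-describing, e.g. `{# nginx_site_ssl_config: leave unset for the default policy; "old" re-enables TLS 1.0/1.1 and 3DES for legacy clients #}`. The port-80 `server` block at the end of the hunk continues past it.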
From: Timo Makinen Date: Sat, 14 Oct 2023 15:48:51 +0000 Subject: [PATCH 069/713] nginx: Rename nginx/server to nginx --- playbooks/dna-gw.yml | 2 +- playbooks/mail.yml | 2 +- playbooks/mqtt.yml | 2 +- playbooks/nms.yml | 2 +- playbooks/ns.yml | 2 +- playbooks/proxy.yml | 2 +- playbooks/relay.yml | 2 +- playbooks/shell.yml | 4 ++-- roles/ansible_host/meta/main.yml | 2 +- roles/certbot/meta/main.yml | 2 +- roles/gitea/meta/main.yml | 2 +- roles/influxdb/meta/main.yml | 2 +- roles/nginx/{server => }/files/dependency.conf | 0 roles/nginx/{server => }/handlers/main.yml | 0 roles/nginx/{server => }/meta/main.yml | 0 roles/nginx/{server => }/tasks/main.yml | 0 roles/nginx/{server => }/templates/nginx-logrotate.sh | 0 roles/nginx/{server => }/templates/nginx.conf.j2 | 2 +- roles/nginx/{server => }/vars/OpenBSD.yml | 0 roles/nginx/{server => }/vars/RedHat.yml | 0 roles/podman/meta/main.yml | 2 +- roles/prometheus/meta/main.yml | 2 +- 22 files changed, 16 insertions(+), 16 deletions(-) rename roles/nginx/{server => }/files/dependency.conf (100%) rename roles/nginx/{server => }/handlers/main.yml (100%) rename roles/nginx/{server => }/meta/main.yml (100%) rename roles/nginx/{server => }/tasks/main.yml (100%) rename roles/nginx/{server => }/templates/nginx-logrotate.sh (100%) rename roles/nginx/{server => }/templates/nginx.conf.j2 (98%) rename roles/nginx/{server => }/vars/OpenBSD.yml (100%) rename roles/nginx/{server => }/vars/RedHat.yml (100%) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 7e1d9d0..fe74b0c 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -16,7 +16,7 @@ - base - ifstated - dhcpd - - nginx/server + - nginx - role: nginx_site nginx_site_name: gw.home.foo.sh - tftp diff --git a/playbooks/mail.yml b/playbooks/mail.yml index 1289c52..cb72de2 100644 --- a/playbooks/mail.yml +++ b/playbooks/mail.yml 
@@ -33,7 +33,7 @@ - sssd - autofs - dovecot - - role: nginx/server + - role: nginx - role: nginx_site nginx_site_name: "{{ mail_server }}" nginx_site_redirect: https://webmail.foo.sh/ diff --git a/playbooks/mqtt.yml b/playbooks/mqtt.yml index 3b59540..6c92d03 100644 --- a/playbooks/mqtt.yml +++ b/playbooks/mqtt.yml @@ -13,6 +13,6 @@ - base - mosquitto - telegraf - - nginx/server + - nginx - role: nginx_site nginx_site_name: iot.foo.sh diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 36bd7b8..e20f3e3 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -25,7 +25,7 @@ roles: - base - - nginx/server + - nginx - role: nginx_site nginx_site_name: oob.foo.sh - sssd diff --git a/playbooks/ns.yml b/playbooks/ns.yml index 43508a3..a7476ca 100644 --- a/playbooks/ns.yml +++ b/playbooks/ns.yml @@ -15,7 +15,7 @@ roles: - base - nsd - - role: nginx/server + - role: nginx - role: nginx_site nginx_site_name: "{{ nsd_server }}" nginx_site_redirect: https://www.foo.sh/ diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index 72096f6..b1c0de0 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -15,7 +15,7 @@ roles: - base - ifstated - - nginx/server + - nginx - role: nginx_site nginx_site_name: ca.foo.sh - role: nginx_site diff --git a/playbooks/relay.yml b/playbooks/relay.yml index a7cd0b4..0d0e8b8 100644 --- a/playbooks/relay.yml +++ b/playbooks/relay.yml @@ -16,7 +16,7 @@ - base - ifstated - relayd - - nginx/server + - nginx - role: nginx_site nginx_site_name: ldap.foo.sh nginx_site_redirect: https://www.foo.sh/ diff --git a/playbooks/shell.yml b/playbooks/shell.yml index 1380081..7eee3e4 100644 --- a/playbooks/shell.yml +++ b/playbooks/shell.yml @@ -25,8 +25,8 @@ - epel_repo - foosh_repo - powertools_repo - - role: nginx/server - plaintext: true + - role: nginx + nginx_plaintext: true tasks: - name: Install extra package groups diff --git a/roles/ansible_host/meta/main.yml b/roles/ansible_host/meta/main.yml index 27b9b1f..516a2dd 100644 
--- a/roles/ansible_host/meta/main.yml +++ b/roles/ansible_host/meta/main.yml @@ -2,4 +2,4 @@ dependencies: - {role: epel_repo} - {role: git} - - {role: nginx/server} + - {role: nginx} diff --git a/roles/certbot/meta/main.yml b/roles/certbot/meta/main.yml index b95ceec..954fabd 100644 --- a/roles/certbot/meta/main.yml +++ b/roles/certbot/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - {role: nginx/server} + - {role: nginx} diff --git a/roles/gitea/meta/main.yml b/roles/gitea/meta/main.yml index f9c5d0d..d5e8ce4 100644 --- a/roles/gitea/meta/main.yml +++ b/roles/gitea/meta/main.yml @@ -1,4 +1,4 @@ --- dependencies: - {role: git} - - {role: nginx/server} + - {role: nginx} diff --git a/roles/influxdb/meta/main.yml b/roles/influxdb/meta/main.yml index b95ceec..954fabd 100644 --- a/roles/influxdb/meta/main.yml +++ b/roles/influxdb/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - {role: nginx/server} + - {role: nginx} diff --git a/roles/nginx/server/files/dependency.conf b/roles/nginx/files/dependency.conf similarity index 100% rename from roles/nginx/server/files/dependency.conf rename to roles/nginx/files/dependency.conf diff --git a/roles/nginx/server/handlers/main.yml b/roles/nginx/handlers/main.yml similarity index 100% rename from roles/nginx/server/handlers/main.yml rename to roles/nginx/handlers/main.yml diff --git a/roles/nginx/server/meta/main.yml b/roles/nginx/meta/main.yml similarity index 100% rename from roles/nginx/server/meta/main.yml rename to roles/nginx/meta/main.yml diff --git a/roles/nginx/server/tasks/main.yml b/roles/nginx/tasks/main.yml similarity index 100% rename from roles/nginx/server/tasks/main.yml rename to roles/nginx/tasks/main.yml diff --git a/roles/nginx/server/templates/nginx-logrotate.sh b/roles/nginx/templates/nginx-logrotate.sh similarity index 100% rename from roles/nginx/server/templates/nginx-logrotate.sh rename to roles/nginx/templates/nginx-logrotate.sh 
diff --git a/roles/nginx/server/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 similarity index 98% rename from roles/nginx/server/templates/nginx.conf.j2 rename to roles/nginx/templates/nginx.conf.j2 index 877fc4e..4a10039 100644 --- a/roles/nginx/server/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -28,7 +28,7 @@ http { proxy_set_header X-Forwarded-Proto $scheme; proxy_http_version 1.1; -{% if plaintext is defined %} +{% if nginx_plaintext is defined %} server { listen 80; listen [::]:80; diff --git a/roles/nginx/server/vars/OpenBSD.yml b/roles/nginx/vars/OpenBSD.yml similarity index 100% rename from roles/nginx/server/vars/OpenBSD.yml rename to roles/nginx/vars/OpenBSD.yml diff --git a/roles/nginx/server/vars/RedHat.yml b/roles/nginx/vars/RedHat.yml similarity index 100% rename from roles/nginx/server/vars/RedHat.yml rename to roles/nginx/vars/RedHat.yml diff --git a/roles/podman/meta/main.yml b/roles/podman/meta/main.yml index b95ceec..954fabd 100644 --- a/roles/podman/meta/main.yml +++ b/roles/podman/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - {role: nginx/server} + - {role: nginx} diff --git a/roles/prometheus/meta/main.yml b/roles/prometheus/meta/main.yml index b95ceec..954fabd 100644 --- a/roles/prometheus/meta/main.yml +++ b/roles/prometheus/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - {role: nginx/server} + - {role: nginx} From e2c59bc2207649cdcb940fcb0782dd605fb609b9 Mon Sep 17 00:00:00 2001 
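Review bot: the renamed gate still tests `nginx_plaintext is defined`, so a playbook setting `nginx_plaintext: false` would still emit the plaintext `listen 80` server block; the only caller on this page (playbooks/shell.yml) sets `true`, so nothing breaks today, but the variable's name promises a boolean. Test its value instead: `{% if nginx_plaintext | default(false) %}`. The `http {` block enclosing this hunk starts and ends outside it.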
From: Timo Makinen Date: Sat, 14 Oct 2023 16:01:08 +0000 Subject: [PATCH 070/713] keytab: Prefix variable names with keytab_ --- playbooks/adm.yml | 2 +- playbooks/collab.yml | 6 +++--- playbooks/mail.yml | 2 +- playbooks/nas.yml | 2 +- playbooks/print.yml | 4 ++-- playbooks/shell.yml | 2 +- playbooks/static.yml | 2 +- playbooks/zm.yml | 6 +++--- roles/dovecot/tasks/main.yml | 6 +++--- roles/keytab/defaults/main.yml | 4 ++-- roles/keytab/tasks/main.yml | 12 ++++++------ 11 files changed, 24 insertions(+), 24 deletions(-) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 3daeffe..f4db906 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml @@ -28,7 +28,7 @@ - ansible_host - certbot - role: keytab - principals: + keytab_principals: - "host/{{ inventory_hostname }}@{{ kerberos_realm }}" - nfs_client - sssd diff --git a/playbooks/collab.yml b/playbooks/collab.yml index 38f5b8d..89edf92 100644 --- a/playbooks/collab.yml +++ b/playbooks/collab.yml @@ -28,9 +28,9 @@ - collab - mod_auth_gssapi - role: keytab - keytab: /etc/httpd/httpd.keytab - principals: HTTP/collab.foo.sh@FOO.SH - group: apache + keytab_path: /etc/httpd/httpd.keytab + keytab_principals: HTTP/collab.foo.sh@FOO.SH + keytab_group: apache - ldap tasks: diff --git a/playbooks/mail.yml b/playbooks/mail.yml index cb72de2..4019251 100644 --- a/playbooks/mail.yml +++ b/playbooks/mail.yml @@ -26,7 +26,7 @@ roles: - base - role: keytab - principals: + keytab_principals: - "host/{{ inventory_hostname }}@{{ kerberos_realm }}" - "smtp/{{ mail_server }}@{{ kerberos_realm }}" - nfs_client diff --git a/playbooks/nas.yml b/playbooks/nas.yml index 58db737..ceffe23 100644 --- a/playbooks/nas.yml +++ b/playbooks/nas.yml @@ -38,7 +38,7 @@ - sssd - nfs_server - role: keytab - principals: "nfs/{{ inventory_hostname }}@FOO.SH" + keytab_principals: "nfs/{{ inventory_hostname }}@FOO.SH" tasks: - name: Copy exports file diff --git a/playbooks/print.yml b/playbooks/print.yml index 1f90c63..8bfea58 100644 
--- a/playbooks/print.yml +++ b/playbooks/print.yml @@ -50,5 +50,5 @@ ansible.builtin.import_role: name: keytab vars: - keytab: /etc/cups/cups.keytab - principals: "HTTP/print.foo.sh@{{ kerberos_realm }}" + keytab_path: /etc/cups/cups.keytab + keytab_principals: "HTTP/print.foo.sh@{{ kerberos_realm }}" diff --git a/playbooks/shell.yml b/playbooks/shell.yml index 7eee3e4..2f031da 100644 --- a/playbooks/shell.yml +++ b/playbooks/shell.yml @@ -15,7 +15,7 @@ roles: - base - role: keytab - principals: + keytab_principals: - "host/{{ inventory_hostname }}@{{ kerberos_realm }}" - "nfs/{{ inventory_hostname }}@{{ kerberos_realm }}" - nfs_client diff --git a/playbooks/static.yml b/playbooks/static.yml index b912fbe..8471c0a 100644 --- a/playbooks/static.yml +++ b/playbooks/static.yml @@ -15,7 +15,7 @@ roles: - base - role: keytab - principals: + keytab_principals: - "host/{{ inventory_hostname }}@FOO.SH" - "nfs/{{ inventory_hostname }}@FOO.SH" - nfs_client diff --git a/playbooks/zm.yml b/playbooks/zm.yml index f4b39e8..8dd9964 100644 --- a/playbooks/zm.yml +++ b/playbooks/zm.yml @@ -27,9 +27,9 @@ - base - mod_auth_gssapi - role: keytab - keytab: /etc/httpd/httpd.keytab - principals: HTTP/zm.foo.sh@FOO.SH - group: apache + keytab_path: /etc/httpd/httpd.keytab + keytab_principals: HTTP/zm.foo.sh@FOO.SH + keytab_group: apache tasks: - name: Run handlers to get interfaces configured diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml index 3e8b002..06932b1 100644 --- a/roles/dovecot/tasks/main.yml +++ b/roles/dovecot/tasks/main.yml @@ -8,10 +8,10 @@ ansible.builtin.include_role: name: keytab vars: - keytab: /etc/dovecot/dovecot.keytab - principals: + keytab_path: /etc/dovecot/dovecot.keytab + keytab_principals: - "imap/{{ mail_server }}@{{ kerberos_realm }}" - group: dovecot + keytab_group: dovecot - name: Install privatekey ansible.builtin.copy: diff --git a/roles/keytab/defaults/main.yml b/roles/keytab/defaults/main.yml index 8b08f0a..e4c4ebf 100644 
--- a/roles/keytab/defaults/main.yml +++ b/roles/keytab/defaults/main.yml @@ -1,3 +1,3 @@ --- -keytab: /etc/krb5.keytab -group: "{{ ansible_wheel }}" +keytab_path: /etc/krb5.keytab +keytab_group: "{{ ansible_wheel }}" diff --git a/roles/keytab/tasks/main.yml b/roles/keytab/tasks/main.yml index c4e5496..828e4fd 100644 --- a/roles/keytab/tasks/main.yml +++ b/roles/keytab/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Check if keytab exists ansible.builtin.stat: - path: "{{ keytab }}" + path: "{{ keytab_path }}" register: keytab_status check_mode: false @@ -15,7 +15,7 @@ - -k - "/tmp/{{ inventory_hostname }}.kt" - "{{ item }}" - with_items: "{{ principals }}" + with_items: "{{ keytab_principals }}" delegate_to: ldap01.home.foo.sh when: not keytab_status.stat.exists @@ -39,12 +39,12 @@ ansible.builtin.shell: >- set -o pipefail && umask 077 && - echo '{{ keytab_data.stdout }}' | base64 -d > "{{ keytab }}" + echo '{{ keytab_data.stdout }}' | base64 -d > "{{ keytab_path }}" when: not keytab_status.stat.exists - name: Check keytab permissions ansible.builtin.file: - path: "{{ keytab }}" - mode: "{% if group == ansible_wheel %}0600{% else %}0640{% endif %}" + path: "{{ keytab_path }}" + mode: "{% if keytab_group == ansible_wheel %}0600{% else %}0640{% endif %}" owner: root - group: "{{ group }}" + group: "{{ keytab_group }}" From b7a341535215c00f9b7403faf073c44d0669f9c2 Mon Sep 17 00:00:00 2001 
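Review bot: the renamed write on the `ansible.builtin.shell` line still feeds the keytab to the shell as `echo '{{ keytab_data.stdout }}'`, which places the base64 of the key material in the rendered command and therefore in any verbose run output or callback log, and the task carries no `no_log`. Add `no_log: true` next to the existing `when: not keytab_status.stat.exists` on this task, and presumably on the earlier task that registers `keytab_data` (outside this hunk). The `umask 077` and the following 0600/0640 permissions task already cover the on-disk side. The task's `- name:` line is above the start of the hunk.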
From: Timo Makinen Date: Sat, 14 Oct 2023 16:06:27 +0000 Subject: [PATCH 071/713] Rename mirror/reportmirror to reportmirror --- playbooks/mirror.yml | 10 +++++----- roles/{mirror => }/reportmirror/defaults/main.yml | 0 roles/{mirror => }/reportmirror/meta/main.yml | 0 roles/{mirror => }/reportmirror/tasks/main.yml | 0 .../reportmirror/templates/report_mirror.conf.j2 | 12 ++++++------ 5 files changed, 11 insertions(+), 11 deletions(-) rename roles/{mirror => }/reportmirror/defaults/main.yml (100%) rename roles/{mirror => }/reportmirror/meta/main.yml (100%) rename roles/{mirror => }/reportmirror/tasks/main.yml (100%) rename roles/{mirror => }/reportmirror/templates/report_mirror.conf.j2 (91%) diff --git a/playbooks/mirror.yml b/playbooks/mirror.yml index 4ae2bab..6ff74cf 100644 --- a/playbooks/mirror.yml +++ b/playbooks/mirror.yml @@ -27,11 +27,11 @@ - base - mirror/base - mirror/thinlinc - - role: mirror/reportmirror - mirror_hostname: mirrors.foo.sh - mirror_mirrors: [epel, fedora] - mirror_sitename: foo.sh - mirror_password: "{{ report_mirror_pass }}" + - role: reportmirror + reportmirror_hostname: mirrors.foo.sh + reportmirror_mirrors: [epel, fedora] + reportmirror_sitename: foo.sh + reportmirror_password: "{{ report_mirror_pass }}" - role: mirror/sync mirror_label: fedora-epel mirror_source: diff --git a/roles/mirror/reportmirror/defaults/main.yml b/roles/reportmirror/defaults/main.yml similarity index 100% rename from roles/mirror/reportmirror/defaults/main.yml rename to roles/reportmirror/defaults/main.yml diff --git a/roles/mirror/reportmirror/meta/main.yml b/roles/reportmirror/meta/main.yml similarity index 100% rename from roles/mirror/reportmirror/meta/main.yml rename to roles/reportmirror/meta/main.yml diff --git a/roles/mirror/reportmirror/tasks/main.yml b/roles/reportmirror/tasks/main.yml similarity index 100% rename from roles/mirror/reportmirror/tasks/main.yml rename to roles/reportmirror/tasks/main.yml 
diff --git a/roles/mirror/reportmirror/templates/report_mirror.conf.j2 b/roles/reportmirror/templates/report_mirror.conf.j2 similarity index 91% rename from roles/mirror/reportmirror/templates/report_mirror.conf.j2 rename to roles/reportmirror/templates/report_mirror.conf.j2 index 59d4dbb..7181a22 100644 --- a/roles/mirror/reportmirror/templates/report_mirror.conf.j2 +++ b/roles/reportmirror/templates/report_mirror.conf.j2 @@ -11,8 +11,8 @@ enabled=1 # Name and Password fields need to match the Site name and password # fields you entered for your Site in the MirrorManager database at # https://admin.fedoraproject.org/mirrormanager -name={{ mirror_sitename }} -password={{ mirror_password }} +name={{ reportmirror_sitename }} +password={{ reportmirror_password }} [host] # if enabled=0, no data about this host is sent to the database @@ -20,7 +20,7 @@ enabled=1 # Name field need to match the Host name field you entered for your # Host in the MirrorManager database at # https://admin.fedoraproject.org/mirrormanager -name={{ mirror_hostname }} +name={{ reportmirror_hostname }} # if user_active=0, no data about this category is given to the public # This can be used to toggle between serving and not serving data, # such enabled during the nighttime (when you have more idle bandwidth @@ -52,15 +52,15 @@ rsyncd=/var/log/rsyncd.log # path= is the path on your local disk to the top-level directory for this Category [Fedora Linux] -{% if "fedora" in mirror_mirrors %} +{% if "fedora" in reportmirror_mirrors %} enabled=1 {% else %} enabled=0 {% endif %} path=/srv/mrirors/fedora -[Fedora EPEL] -{% if "epel" in mirror_mirrors %} +[Fedora EPELreport] +{% if "epel" in reportmirror_mirrors %} enabled=1 {% else %} enabled=0 From affcf7f572297e5b7875053f557c538fe0cb843d Mon Sep 17 00:00:00 2001 
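Review bot: The section header on the new side of the last hunk reads `[Fedora EPELreport]`, while the commit only set out to rename variables; this looks like a stray search-and-replace, and the category name in report_mirror.conf has to match the MirrorManager category name exactly, so the line should stay `[Fedora EPEL]`. The neighbouring context line `path=/srv/mrirors/fedora` also looks misspelled (presumably `/srv/mirrors/fedora`), though it predates this commit and the real path on disk would need checking before touching it.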
From: Timo Makinen Date: Sat, 14 Oct 2023 16:09:11 +0000 Subject: [PATCH 072/713] Rename mirror/thinlinc to thinlinc_mirror --- playbooks/mirror.yml | 2 +- .../thinlinc => thinlinc_mirror}/files/sync-thinlinc-repo.sh | 0 roles/{mirror/thinlinc => thinlinc_mirror}/tasks/main.yml | 0 3 files changed, 1 insertion(+), 1 deletion(-) rename roles/{mirror/thinlinc => thinlinc_mirror}/files/sync-thinlinc-repo.sh (100%) rename roles/{mirror/thinlinc => thinlinc_mirror}/tasks/main.yml (100%) diff --git a/playbooks/mirror.yml b/playbooks/mirror.yml index 6ff74cf..198abb7 100644 --- a/playbooks/mirror.yml +++ b/playbooks/mirror.yml @@ -26,7 +26,7 @@ roles: - base - mirror/base - - mirror/thinlinc + - thinlinc_mirror - role: reportmirror reportmirror_hostname: mirrors.foo.sh reportmirror_mirrors: [epel, fedora] diff --git a/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh b/roles/thinlinc_mirror/files/sync-thinlinc-repo.sh similarity index 100% rename from roles/mirror/thinlinc/files/sync-thinlinc-repo.sh rename to roles/thinlinc_mirror/files/sync-thinlinc-repo.sh diff --git a/roles/mirror/thinlinc/tasks/main.yml b/roles/thinlinc_mirror/tasks/main.yml similarity index 100% rename from roles/mirror/thinlinc/tasks/main.yml rename to roles/thinlinc_mirror/tasks/main.yml From 8b2696de1a7557e3f56f4b6152948b2bf1d00c11 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 14 Oct 2023 16:11:59 +0000 Subject: [PATCH 073/713] reportmirror: Fix variable names from defaults --- roles/reportmirror/defaults/main.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/reportmirror/defaults/main.yml b/roles/reportmirror/defaults/main.yml index 79a2016..934a0e9 100644 --- a/roles/reportmirror/defaults/main.yml +++ b/roles/reportmirror/defaults/main.yml @@ -1,4 +1,3 @@ --- - -mirror_hostname: "{{ inventory_hostname }}" -mirror_mirrors: [] +reportmirror_hostname: "{{ inventory_hostname }}" +reportmirror_mirrors: [] 
From fa469574b7a0391338a0804f86662f38889c140b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Oct 2023 15:27:28 +0000 Subject: [PATCH 074/713] certbot: Fix variable name --- roles/certbot/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index 1a4cbb7..2680da5 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -23,7 +23,7 @@ ansible.builtin.include_role: name: nginx_site vars: - site: certbot.home.foo.sh + nginx_site_name: certbot.home.foo.sh - name: Create certbot .well-known directory ansible.builtin.file: From c8afd02fb29f134daee1e1e8cad169c36b4d0a5c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Oct 2023 16:27:12 +0000 Subject: [PATCH 075/713] sssd: Use command instead of shell --- roles/sssd/tasks/main.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/roles/sssd/tasks/main.yml b/roles/sssd/tasks/main.yml index 4f60e91..e0410dc 100644 --- a/roles/sssd/tasks/main.yml +++ b/roles/sssd/tasks/main.yml @@ -20,9 +20,13 @@ enabled: true - name: Get current state of authselect - ansible.builtin.shell: - cmd: /usr/bin/authselect current --raw ; /bin/true + ansible.builtin.command: + argv: + - /usr/bin/authselect + - current + - --raw register: result + failed_when: false check_mode: false changed_when: false @@ -33,4 +37,6 @@ - select - sssd - --force + register: result + changed_when: result.rc == 0 when: result.stdout.split()[0] != "sssd" From 03def639d530cc042c1b970244f741c6bedb3349 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Oct 2023 16:31:15 +0000 Subject: [PATCH 076/713] sendmail: Lint fixes for command execution --- roles/sendmail/handlers/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/sendmail/handlers/main.yml b/roles/sendmail/handlers/main.yml index fb8e4f1..811e9ee 100644 --- a/roles/sendmail/handlers/main.yml +++ b/roles/sendmail/handlers/main.yml 
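Review bot: `when: result.stdout.split()[0] != "sssd"` in the second sssd hunk still indexes the first word of authselect's output, and with the new `failed_when: false` on the first task a missing or failing `authselect` leaves `stdout` empty, so the condition raises an undefined-element error instead of selecting the profile; the old `; /bin/true` had the same gap, so this is not a regression, but `when: (result.stdout.split() | first | default("")) != "sssd"` makes the fallback explicit. Registering the select task's output into the same `result` name works only because `when` is evaluated before the task runs; a distinct name such as `authselect_current` for the first task would make that ordering dependency obvious to the next reader. The `changed_when: result.rc == 0` on the select task is reasonable since it only runs when a change is actually needed.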
@@ -11,9 +11,13 @@ - -C - /etc/mail - all + register: result + changed_when: result.rc == 0 notify: Restart sendmail - name: Update aliases ansible.builtin.command: argv: - newaliases + register: result + changed_when: result.rc == 0 From 6e2fd356220ded129f0c1c558877df2b68525052 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 25 Oct 2023 16:22:17 +0000 Subject: [PATCH 077/713] Fix adding tape drive to backup02.home.foo.sh --- host_vars/backup02.home.foo.sh.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/host_vars/backup02.home.foo.sh.yml b/host_vars/backup02.home.foo.sh.yml index 651b34f..44d02d4 100644 --- a/host_vars/backup02.home.foo.sh.yml +++ b/host_vars/backup02.home.foo.sh.yml @@ -6,5 +6,5 @@ network_interfaces: mac: 52:54:00:ac:dc:50 datadisks: - {size: 1000} -passthrough_devices: - - "07:04.0" +virt_install_devices: + - "02:04.0" From c2603ef8d847d9801d109f724e09973824c2c33d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 28 Oct 2023 15:46:02 +0000 Subject: [PATCH 078/713] nginx_site: Allow uploading larger files to collab --- roles/nginx_site/templates/collab.foo.sh.conf.j2 | 1 + 1 file changed, 1 insertion(+) create mode 100644 roles/nginx_site/templates/collab.foo.sh.conf.j2 diff --git a/roles/nginx_site/templates/collab.foo.sh.conf.j2 b/roles/nginx_site/templates/collab.foo.sh.conf.j2 new file mode 100644 index 0000000..d338ce4 --- /dev/null +++ b/roles/nginx_site/templates/collab.foo.sh.conf.j2 @@ -0,0 +1 @@ + client_max_body_size 50m; From 8e9a7fd4fc70f0ff4741054698ed47f48d5ccc00 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 1 Nov 2023 17:22:26 +0000 Subject: [PATCH 079/713] podman: Don't force use nginx as frontend --- roles/podman/meta/main.yml | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 roles/podman/meta/main.yml diff --git a/roles/podman/meta/main.yml b/roles/podman/meta/main.yml deleted file mode 100644 index 954fabd..0000000 --- a/roles/podman/meta/main.yml +++ /dev/null 
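Review bot: `changed_when: result.rc == 0` on both sendmail handlers is equivalent to `changed_when: true`, because `ansible.builtin.command` already fails the task on a non-zero exit status, so `result.rc` can only be 0 when the expression is evaluated. If the intent is only to satisfy the linter's no-changed-when rule, `changed_when: true` says that directly and the two `register: result` lines become unnecessary; if the intent is to detect a real no-op, makemap and newaliases give no usable signal for that and a comment saying so is the honest option. The first handler's `ansible.builtin.command` stanza begins above the hunk.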
@@ -1,3 +0,0 @@ ---- -dependencies: - - {role: nginx} From f0656502af7c38156c177cd4baad8b3e92252f40 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 4 Nov 2023 19:39:30 +0000 Subject: [PATCH 080/713] sane: Intial version of role --- roles/sane/tasks/main.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 roles/sane/tasks/main.yml diff --git a/roles/sane/tasks/main.yml b/roles/sane/tasks/main.yml new file mode 100644 index 0000000..2d707b5 --- /dev/null +++ b/roles/sane/tasks/main.yml @@ -0,0 +1,14 @@ +--- +- name: Install packagers + ansible.builtin.package: + name: "{{ item }}" + state: installed + with_items: + - sane-backends + - sane-backends-daemon + +- name: Enable service + ansible.builtin.systemd: + name: saned.socket + state: started + enabled: true From 94dc909bd97da5af38a7601bfc8d1db6a405c49d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 4 Nov 2023 19:39:42 +0000 Subject: [PATCH 081/713] scanservjs: Initial version of role --- roles/scanservjs/defaults/main.yml | 2 + roles/scanservjs/handlers/main.yml | 6 +++ roles/scanservjs/meta/main.yml | 4 ++ roles/scanservjs/tasks/main.yml | 38 +++++++++++++++++++ .../templates/scanservjs-container.service.j2 | 17 +++++++++ 5 files changed, 67 insertions(+) create mode 100644 roles/scanservjs/defaults/main.yml create mode 100644 roles/scanservjs/handlers/main.yml create mode 100644 roles/scanservjs/meta/main.yml create mode 100644 roles/scanservjs/tasks/main.yml create mode 100644 roles/scanservjs/templates/scanservjs-container.service.j2 diff --git a/roles/scanservjs/defaults/main.yml b/roles/scanservjs/defaults/main.yml new file mode 100644 index 0000000..efff6f8 --- /dev/null +++ b/roles/scanservjs/defaults/main.yml @@ -0,0 +1,2 @@ +--- +scanservjs_version: latest diff --git a/roles/scanservjs/handlers/main.yml b/roles/scanservjs/handlers/main.yml new file mode 100644 index 0000000..5cffd92 --- /dev/null +++ b/roles/scanservjs/handlers/main.yml 
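Review bot: The new sane role enables `saned.socket` but nothing in the hunk manages `/etc/sane.d/saned.conf`, the access list that decides which client addresses may drive the scanner over the network; the later scanservjs template hunk that sets `SANED_NET_HOSTS` depends on the container being admitted by that list, so either this role should template the file or a comment above `Enable service` should state that the package default is relied on and why it is sufficient. `state: installed` works as an alias in the yum/dnf backends, but the documented value for `ansible.builtin.package` is `present`. The `with_items` loop can go by passing the list directly, `name: [sane-backends, sane-backends-daemon]`, and the task name `Install packagers` looks like a typo for `Install packages`.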
@@ -0,0 +1,6 @@ +--- +- name: Restart scanservjs + ansible.builtin.systemd: + name: scanservjs-container + daemon-reload: true + state: restarted diff --git a/roles/scanservjs/meta/main.yml b/roles/scanservjs/meta/main.yml new file mode 100644 index 0000000..19b52d0 --- /dev/null +++ b/roles/scanservjs/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - {role: apache} + - {role: podman} diff --git a/roles/scanservjs/tasks/main.yml b/roles/scanservjs/tasks/main.yml new file mode 100644 index 0000000..160cf8d --- /dev/null +++ b/roles/scanservjs/tasks/main.yml @@ -0,0 +1,38 @@ +--- +- name: Create group + ansible.builtin.group: + name: scanserv + +- name: Create user + ansible.builtin.user: + name: scanserv + comment: Podman Scanservjs + group: scanserv + shell: /sbin/nologin + +- name: Create service file + ansible.builtin.template: + dest: /etc/systemd/system/scanservjs-container.service + src: scanservjs-container.service.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart scanservjs + +- name: Enable service + ansible.builtin.service: + name: scanservjs-container + state: started + enabled: true + +- name: Copy apache config + ansible.builtin.copy: + dest: /etc/httpd/conf.local.d/scanservjs-container.conf + content: | + ProxyPass /scanservjs/ http://127.0.0.1:8006/ + ProxyPassReverse /scanservjs/ http://127.0.0.1:8006/ + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart apache + diff --git a/roles/scanservjs/templates/scanservjs-container.service.j2 b/roles/scanservjs/templates/scanservjs-container.service.j2 new file mode 100644 index 0000000..3a21dee --- /dev/null +++ b/roles/scanservjs/templates/scanservjs-container.service.j2 
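Review bot: The `Copy apache config` task proxies `/scanservjs/` to the container with no authentication directives, which is only safe if every consumer of the role adds its own access control for that path; a comment above the task, such as `# No auth here: the consuming playbook must protect /scanservjs/ (e.g. mod_auth_gssapi)`, would record that contract. The `Enable service` task uses `ansible.builtin.service` while the handler in the same commit uses `ansible.builtin.systemd`; both work, but one module for both reads more consistently. The `Create user` task omits `system: true`, which is the right choice for a rootless podman account because `useradd -r` does not normally allocate subordinate id ranges; a one-line comment saying so would stop someone "fixing" it later.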
@@ -0,0 +1,17 @@ +[Unit] +Description=Scanserv Container +Wants=network-online.target +After=network-online.target + +[Service] +User=scanserv +ExecStartPre=/usr/bin/podman pull docker.io/sbs20/scanservjs:{{ scanservjs_version }} +ExecStart=/usr/bin/podman run \ + --rm -p 127.0.0.1:8006:8080 \ + --name scanservjs \ + docker.io/sbs20/scanservjs:{{ scanservjs_version }} +ExecStop=/usr/bin/podman stop --ignore scanservjs +ExecStopPost=/usr/bin/podman rm -f --ignore scanservjs + +[Install] +WantedBy=multi-user.target From ae27f5cc672116b38c51c4f90b0ef6b2e565e3f0 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 4 Nov 2023 19:42:11 +0000 Subject: [PATCH 082/713] Add sane hosts --- group_vars/sane.yml | 5 ++++ host_vars/sane02.home.foo.sh.yml | 8 +++++++ hosts.yml | 4 ++++ playbooks/sane.yml | 40 ++++++++++++++++++++++++++++++++ site.yml | 2 ++ 5 files changed, 59 insertions(+) create mode 100644 group_vars/sane.yml create mode 100644 host_vars/sane02.home.foo.sh.yml create mode 100644 playbooks/sane.yml diff --git a/group_vars/sane.yml b/group_vars/sane.yml new file mode 100644 index 0000000..a6636ac --- /dev/null +++ b/group_vars/sane.yml @@ -0,0 +1,5 @@ +--- +firewall_in: + - {proto: tcp, port: 22, from: [172.20.20.0/22]} + - {proto: tcp, port: 443, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/host_vars/sane02.home.foo.sh.yml b/host_vars/sane02.home.foo.sh.yml new file mode 100644 index 0000000..2c0bdad --- /dev/null +++ b/host_vars/sane02.home.foo.sh.yml @@ -0,0 +1,8 @@ +--- +vmhost: vmhost02.home.foo.sh +network_interfaces: + - device: eth0 + vlan: 20 + mac: "52:54:00:ac:dc:88" +virt_install_devices: + - 001.003 diff --git a/hosts.yml b/hosts.yml index d7faa20..a8c8d80 100644 --- a/hosts.yml +++ b/hosts.yml @@ -98,6 +98,9 @@ relay: hosts: relay01.home.foo.sh: relay02.home.foo.sh: +sane: + hosts: + sane02.home.foo.sh: shell: hosts: shell01.foo.sh: 
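Review bot: `ExecStartPre=/usr/bin/podman pull docker.io/sbs20/scanservjs:{{ scanservjs_version }}` re-pulls the image on every service start, and with the `scanservjs_version: latest` default from this commit's defaults hunk an unpinned, mutable tag on a public registry decides what runs after each restart, while a registry outage blocks the restart entirely. Pin the default to a release tag and, if the registry is trusted only for availability, reference a digest in the template, `docker.io/sbs20/scanservjs@sha256:<digest of the pinned release>`, so that an upgrade becomes a deliberate change in this repository. There is also no `Restart=` line, so a crashed container stays down until the next play.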
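Review bot: `- 001.003` under `virt_install_devices` in the new sane02 host file is an unquoted scalar that a YAML loader reads as the float 1.003, so the value reaches virt-install rendered as `1.003` rather than the bus.device string that was typed; it happens to work for low device numbers, but `001.010` would become `1.01` and select device 1. The backup02 host file changed earlier in this series quotes its entry (`- "02:04.0"`), so `- "001.003"` keeps both consistent.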
@@ -161,6 +164,7 @@ rocky9: mirror: mongodb: prometheus: + sane: sqldb: static: vmhost: diff --git a/playbooks/sane.yml b/playbooks/sane.yml new file mode 100644 index 0000000..03ef6db --- /dev/null +++ b/playbooks/sane.yml @@ -0,0 +1,40 @@ +--- +- name: Deploy KVM virtual machines + ansible.builtin.import_playbook: include/deploy-kvm-guest.yml + vars: + myhosts: sane + +- name: Configure instance + hosts: sane + user: root + gather_facts: true + + vars_files: + - "{{ ansible_private }}/vars.yml" + + roles: + - base + - sane + - scanservjs + - mod_auth_gssapi + - role: keytab + keytab_path: /etc/httpd/httpd.keytab + keytab_principals: HTTP/scan.foo.sh@FOO.SH + keytab_group: apache + + tasks: + - name: Require authentication for scanservjs + ansible.builtin.copy: + dest: /etc/httpd/conf.local.d/scanservjs-auth.conf + content: | + + AuthType GSSAPI + GssapiBasicAuth On + AuthName "Password Required" + Require valid-user + + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart apache + diff --git a/site.yml b/site.yml index bcceabe..a942f1d 100644 --- a/site.yml +++ b/site.yml @@ -47,6 +47,8 @@ ansible.builtin.import_playbook: playbooks/proxy.yml - name: Configure relay hosts ansible.builtin.import_playbook: playbooks/relay.yml +- name: Configure sane hosts + ansible.builtin.import.playbook: playbooks/sane.yml - name: Configure shell hosts ansible.builtin.import_playbook: playbooks/shell.yml - name: Configure sqldb hosts From 7ee84bffd99bcb54c0e0c40dc3415a120df75d5a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 4 Nov 2023 19:42:39 +0000 Subject: [PATCH 083/713] Add scan.foo.sh endpoint to proxies --- playbooks/proxy.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index b1c0de0..a0653cb 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml 
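Review bot: In the `Require authentication for scanservjs` task the `content: |` block shows an empty first and last line where enclosing container directives would be expected; if the rendered page dropped `<Location /scanservjs/>` and `</Location>` (angle-bracket lines often vanish in extraction) the file is fine, but if they are genuinely absent `Require valid-user` applies server-wide instead of to the proxied path, so confirm against the checked-in file. `GssapiBasicAuth On` lets a client without a ticket fall back to sending a password, which is acceptable only because TLS is terminated in front of it; a comment above that line recording the assumption, `# Basic fallback is only safe behind TLS`, would keep the snippet from being copied into a plain-HTTP vhost.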
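Review bot: `ansible.builtin.import.playbook: playbooks/sane.yml` on the new side of the site.yml hunk spells the keyword with a dot; the surrounding entries use `ansible.builtin.import_playbook`, and the dotted form is neither a keyword nor a module, so loading `site.yml` will fail. The line should read `ansible.builtin.import_playbook: playbooks/sane.yml`.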
@@ -97,6 +97,10 @@ nginx_site_proxy: - "registry01.home.foo.sh:5000" - "registry02.home.foo.sh:5000" + - role: nginx_site + nginx_site_name: scan.foo.sh + nginx_site_proxy: + - https://sane02.home.foo.sh/scanservjs/ - role: nginx_site nginx_site_name: webmail.foo.sh nginx_site_proxy: From 929738af882d9af07a16506ccbfbaa4bb63a2158 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 4 Nov 2023 20:36:10 +0000 Subject: [PATCH 084/713] prometheus: Use os packaged prometheus --- roles/prometheus/files/prometheus.service | 23 ------ roles/prometheus/meta/main.yml | 1 + roles/prometheus/tasks/main.yml | 78 +++++++------------- roles/prometheus/templates/prometheus.yml.j2 | 2 +- 4 files changed, 30 insertions(+), 74 deletions(-) delete mode 100644 roles/prometheus/files/prometheus.service diff --git a/roles/prometheus/files/prometheus.service b/roles/prometheus/files/prometheus.service deleted file mode 100644 index 28f8d3a..0000000 --- a/roles/prometheus/files/prometheus.service +++ /dev/null @@ -1,23 +0,0 @@ -[Unit] -Description=Prometheus -After=network-online.target -Requires=local-fs.target -After=local-fs.target - -[Service] -Type=simple -Environment="GOMAXPROCS={{ ansible_processor_vcpus|default(ansible_processor_count) }}" -User=prometheus -Group=prometheus -UMask=007 -ExecReload=/bin/kill -HUP $MAINPID -ExecStart=/usr/local/sbin/prometheus \ - --config.file=/srv/prometheus/prometheus.yml \ - --log.level=info \ - --storage.tsdb.path=/srv/prometheus/data \ - --storage.tsdb.retention.time=365d \ - --web.console.libraries=/usr/local/share/prometheus/console_libraries -Restart=always - -[Install] -WantedBy=multi-user.target diff --git a/roles/prometheus/meta/main.yml b/roles/prometheus/meta/main.yml index 954fabd..1e5084e 100644 --- a/roles/prometheus/meta/main.yml +++ b/roles/prometheus/meta/main.yml @@ -1,3 +1,4 @@ --- dependencies: + - {role: epel_repo} - {role: nginx} 
diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index 8f9face..eb47818 100644 --- a/roles/prometheus/tasks/main.yml +++ b/roles/prometheus/tasks/main.yml @@ -14,43 +14,18 @@ shell: /sbin/nologin uid: 305 -- name: Extract package - ansible.builtin.unarchive: - src: >- - {{ - "https://github.com/prometheus/prometheus/releases/download/v" + - prometheus_version + "/prometheus-" + prometheus_version + - ".linux-amd64.tar.gz" - }} - dest: /usr/local/src - owner: root - group: "{{ ansible_wheel }}" - remote_src: true +- name: Install packages + ansible.builtin.package: + name: golang-github-prometheus + state: installed -- name: Copy binaries - ansible.builtin.copy: - dest: "/usr/local/sbin/{{ item }}" - src: >- - /usr/local/src/prometheus-{{ prometheus_version }}.linux-amd64/{{ item }} - mode: "0755" - owner: root - group: "{{ ansible_wheel }}" - remote_src: true - notify: Restart prometheus - with_items: - - promtool - - prometheus - -- name: Create data directories +- name: Create data directory ansible.builtin.file: - path: "{{ item }}" + path: /export/prometheus state: directory - mode: "0750" + mode: "0770" owner: root group: prometheus - with_items: - - /export/prometheus - - /export/prometheus/node.d - name: Link data directory ansible.builtin.file: 
@@ -61,26 +36,38 @@ group: "{{ ansible_wheel }}" follow: false -- name: Create database directory - ansible.builtin.file: - path: /srv/prometheus/data - state: directory - mode: "0770" - owner: root - group: prometheus +- name: Configure startup options + ansible.builtin.lineinfile: + path: /etc/default/prometheus + regexp: "^ARGS=" + line: >- + ARGS="--config.file=/etc/prometheus/prometheus.yml + --log.level=info + --storage.tsdb.path=/srv/prometheus + --storage.tsdb.retention.time=365d + --web.console.libraries=/usr/local/share/prometheus/console_libraries" + notify: Restart prometheus - name: Create configuration ansible.builtin.template: - dest: /srv/prometheus/prometheus.yml + dest: /etc/prometheus/prometheus.yml src: prometheus.yml.j2 mode: "0640" owner: root group: prometheus notify: Restart prometheus +- name: Create host config directory + ansible.builtin.file: + path: /etc/prometheus/node.d + state: directory + mode: "0750" + owner: root + group: prometheus + - name: Create host configs ansible.builtin.template: - dest: "/srv/prometheus/node.d/{{ item }}.json" + dest: "/etc/prometheus/node.d/{{ item }}.json" src: node.json.j2 mode: "0640" owner: root @@ -88,15 +75,6 @@ notify: Restart prometheus with_items: "{{ groups['all'] }}" -- name: Create service file - ansible.builtin.copy: - dest: /etc/systemd/system/prometheus.service - src: prometheus.service - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - notify: Restart prometheus - - name: Enable service ansible.builtin.service: name: prometheus diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2 index 81703ee..b37ae83 100644 --- a/roles/prometheus/templates/prometheus.yml.j2 +++ b/roles/prometheus/templates/prometheus.yml.j2 @@ -13,4 +13,4 @@ scrape_configs: cert_file: "{{ tls_certs }}/{{ inventory_hostname }}.crt" file_sd_configs: - files: - - /srv/prometheus/node.d/*.json + - /etc/prometheus/node.d/*.json 
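Review bot: The `ARGS=` line written by `Configure startup options` still passes `--web.console.libraries=/usr/local/share/prometheus/console_libraries`, a path that belonged to the hand-installed tarball this commit removes (the `/usr/local/sbin` copy task is deleted in the previous hunk); with the EPEL package that directory presumably no longer exists, so check the package's file list (`rpm -ql golang-github-prometheus`) and either point the flag at the packaged location or drop it. The folded `>-` scalar joins the options with single spaces, which is what a shell-style `/etc/default/prometheus` expects, but a comment above the task noting that `ARGS` is consumed by the package's unit file would help, since that coupling is invisible here. `--storage.tsdb.path=/srv/prometheus` relies on the `Link data directory` task that begins above the hunk.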
From f6e2e4fe240fdb746ff0bacc6670b2afd071be3d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 4 Nov 2023 20:36:46 +0000 Subject: [PATCH 085/713] No need to set prometheus version --- hosts.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hosts.yml b/hosts.yml index a8c8d80..4c66d4b 100644 --- a/hosts.yml +++ b/hosts.yml @@ -62,6 +62,9 @@ mongodb: mqtt: hosts: mqtt02.home.foo.sh: +mythtv: + hosts: + mythtv01.home.foo.sh: nas: hosts: nas02.home.foo.sh: @@ -88,8 +91,6 @@ print: prometheus: hosts: prometheus02.home.foo.sh: - vars: - prometheus_version: "2.45.1" proxy: hosts: proxy01.home.foo.sh: @@ -133,6 +134,7 @@ vultr: fedora: children: gitearunner: + mythtv: openbsd: children: backup: From 624ad96c8a198dc98624ce6ca8f7c45ee7e1a60c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 5 Nov 2023 18:10:21 +0000 Subject: [PATCH 086/713] Use different mirror for OpenBSD --- playbooks/mirror.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/playbooks/mirror.yml b/playbooks/mirror.yml index 198abb7..7559dd7 100644 --- a/playbooks/mirror.yml +++ b/playbooks/mirror.yml @@ -61,8 +61,7 @@ mirror_postcmd: python3 /usr/local/bin/report_mirror - role: mirror/sync mirror_label: openbsd - mirror_source: - "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/ftp.openbsd.org/pub/OpenBSD/" + mirror_source: "rsync://mirror.planetunix.net/OpenBSD/" mirror_rsyncoptions: - "--include=/?.?/" - "--include=/?.?/amd64/" From 42d604a9215df753abf851e455e147643b955e3b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 12 Nov 2023 15:53:15 +0000 Subject: [PATCH 087/713] nginx: Expose status page --- roles/nginx/templates/nginx.conf.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index 4a10039..85c6ecc 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 
@@ -63,6 +63,10 @@ http { root /srv/web/{{ inventory_hostname }}; + location = /stub_status { + stub_status; + } + include /etc/nginx/conf.d/{{ inventory_hostname }}/*.conf; } From 5244f36adbb405bac19cfbbe480850493390b9cf Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 12 Nov 2023 20:44:50 +0000 Subject: [PATCH 088/713] prometheus: Add prometheus itself to monitoring --- roles/prometheus/templates/prometheus.yml.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2 index b37ae83..546d999 100644 --- a/roles/prometheus/templates/prometheus.yml.j2 +++ b/roles/prometheus/templates/prometheus.yml.j2 @@ -5,6 +5,11 @@ global: evaluation_interval: 1m scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - "127.0.0.1:9090" + - job_name: node scheme: https tls_config: From 7928d5fdb37a1b79204099d1d51ed0f779bcd483 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 15 Nov 2023 16:52:15 +0000 Subject: [PATCH 089/713] Update software components --- hosts.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/hosts.yml b/hosts.yml index 4c66d4b..acf9c38 100644 --- a/hosts.yml +++ b/hosts.yml @@ -21,7 +21,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.20.5" + gitea_version: "1.21.0" gitearunner: hosts: gitea-runner02.home.foo.sh: @@ -31,12 +31,12 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2023.10.1" + homeassistant_version: "2023.11.2" homeassistant_integrations: - name: electrolux_status repo: >- https://github.com/mauro-midolo/homeassistant_electrolux_status.git - version: v3.2.1 + version: v4.1.0 influxdb: hosts: influxdb01.home.foo.sh: 
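Review bot: The new `location = /stub_status` serves nginx's status page with no access control, inside a server block whose listen scope is not visible in the hunk; the figures are low-sensitivity, but the only intended reader is a scraper on a known address, so there is no reason to hand them to every client. Restrict it in place, for example `allow 127.0.0.1; deny all;` inside the block, widening `allow` to the Prometheus host's address if the exporter runs remotely. The enclosing `server` block begins above the hunk.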
@@ -82,9 +82,9 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "10.1.4" - rocketchat_version: "6.4.1" - roundcube_version: "1.6.3" + grafana_version: "10.2.1" + rocketchat_version: "6.4.6" + roundcube_version: "1.6.5" print: hosts: print01.home.foo.sh: From 84e42378b54baa7e0e50cc646e4804716b2ba79b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 19 Nov 2023 15:17:09 +0000 Subject: [PATCH 090/713] mongodb: Update to version 6.0 --- roles/mongodb/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index 73e2808..de1390e 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml @@ -17,10 +17,10 @@ - name: Enable repository ansible.builtin.yum_repository: name: mongodb - baseurl: https://repo.mongodb.org/yum/redhat/8/mongodb-org/5.0/x86_64 + baseurl: https://repo.mongodb.org/yum/redhat/8/mongodb-org/6.0/x86_64 description: MongoDB gpgcheck: true - gpgkey: https://www.mongodb.org/static/pgp/server-5.0.asc + gpgkey: https://www.mongodb.org/static/pgp/server-6.0.asc enabled: true - name: Install packages @@ -28,8 +28,8 @@ name: "{{ item }}" state: installed with_items: + - mongodb-mongosh - mongodb-org-server - - mongodb-org-shell - name: Set SELinux file contexts on data directory community.general.sefcontext: From 5026dddb1ea1d9d627d5d4a4e5db6f2def870656 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 21 Nov 2023 09:26:06 +0000 Subject: [PATCH 091/713] Add norpool plugin to homeassistant --- hosts.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts.yml b/hosts.yml index acf9c38..4e89d6d 100644 --- a/hosts.yml +++ b/hosts.yml @@ -37,6 +37,9 @@ homeassistant: repo: >- https://github.com/mauro-midolo/homeassistant_electrolux_status.git version: v4.1.0 + - name: nordpool + repo: https://github.com/custom-components/nordpool.git + version: 0.0.14 influxdb: hosts: influxdb01.home.foo.sh: 
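Review bot: `baseurl: https://repo.mongodb.org/yum/redhat/8/mongodb-org/6.0/x86_64` in the first mongodb hunk keeps the EL8 repository path, while a later hunk in this series lists the `mongodb` group under `rocky9` in hosts.yml; if those hosts are indeed Rocky 9, the repo should be the `redhat/9` tree, and deriving it from facts prevents the drift: `baseurl: "https://repo.mongodb.org/yum/redhat/{{ ansible_distribution_major_version }}/mongodb-org/6.0/x86_64"`. The `gpgkey` line moves to the 6.0 key in step with the baseurl, so the signature check stays intact.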
From 0eff4dd8041bc09119b61b346303e78195285cf6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Nov 2023 17:11:25 +0000 Subject: [PATCH 092/713] Update OpenBSD to 7.4 --- playbooks/dna-gw.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index fe74b0c..1714494 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -70,8 +70,8 @@ - name: Create tftp pxeboot loader for OpenBSD installs ansible.builtin.get_url: - url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.3/amd64/pxeboot" - checksum: sha1:161b36d4ae3d786aa98c4836abba25f2bca8979d + url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.4/amd64/pxeboot" + checksum: sha1:677293059655da474ec81c45ed235b8497017e56 dest: /srv/tftpboot/pxeboot mode: "0644" owner: root @@ -79,8 +79,8 @@ - name: Create tftp ramdisk for OpenBSD installs ansible.builtin.get_url: - url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.3/amd64/bsd.rd" - checksum: sha1:72b46ad8e97b2082d145a739264e818dcd154021 + url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.4/amd64/bsd.rd" + checksum: sha1:c0af0223ab0aa38c27fd55a2b94873345c2d88f7 dest: /srv/tftpboot/bsd.rd mode: "0644" owner: root From 023af1ae9118375bd5e11b4de4bd9480d815b473 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 25 Nov 2023 17:11:19 +0000 Subject: [PATCH 093/713] Update oci-nodes to Rocky 9 --- hosts.yml | 2 +- roles/authcheck/tasks/main.yml | 8 ++++++++ roles/grafana/tasks/main.yml | 8 ++++++++ roles/kdc/tasks/main.yml | 8 ++++++++ roles/php4dvd/tasks/main.yml | 10 +++++++++- roles/roundcube/tasks/main.yml | 8 ++++++++ 6 files changed, 42 insertions(+), 2 deletions(-) diff --git a/hosts.yml b/hosts.yml index 4e89d6d..363d124 100644 --- a/hosts.yml +++ b/hosts.yml @@ -156,7 +156,6 @@ rocky8: minecraft: nas: nms: - ocinode: print: shell: zm: @@ -168,6 +167,7 @@ rocky9: ldap: mirror: mongodb: + ocinode: prometheus: sane: sqldb: 
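Review bot: Both `get_url` tasks verify the downloaded `pxeboot` and `bsd.rd` with `checksum: sha1:…`, while OpenBSD publishes SHA256 sums (and a signed `SHA256.sig`) next to the release files; SHA-1 still catches a corrupted transfer but is not what upstream attests, so `checksum: sha256:<value from the release's SHA256 file>` matches the published integrity data. Pulling the release number and the two sums into variables (for example `openbsd_release: "7.4"`) would also turn the next upgrade into a two-line change instead of four parallel edits.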
diff --git a/roles/authcheck/tasks/main.yml b/roles/authcheck/tasks/main.yml index 09ef679..8ca80cf 100644 --- a/roles/authcheck/tasks/main.yml +++ b/roles/authcheck/tasks/main.yml @@ -10,6 +10,14 @@ group: authcheck shell: /sbin/nologin +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - authcheck + creates: /var/lib/systemd/linger/authcheck + - name: Get container source ansible.builtin.git: dest: /usr/local/src/docker-authcheck diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml index 13743dc..8180bc4 100644 --- a/roles/grafana/tasks/main.yml +++ b/roles/grafana/tasks/main.yml @@ -10,6 +10,14 @@ group: grafana shell: /sbin/nologin +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - grafana + creates: /var/lib/systemd/linger/grafana + - name: Copy host key ansible.builtin.copy: dest: "{{ tls_private }}/grafana.key" diff --git a/roles/kdc/tasks/main.yml b/roles/kdc/tasks/main.yml index c126fcb..f7ef8eb 100644 --- a/roles/kdc/tasks/main.yml +++ b/roles/kdc/tasks/main.yml @@ -10,6 +10,14 @@ group: kdc shell: /sbin/nologin +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - kdc + creates: /var/lib/systemd/linger/kdc + - name: Get container source ansible.builtin.git: dest: /usr/local/src/docker-kdc diff --git a/roles/php4dvd/tasks/main.yml b/roles/php4dvd/tasks/main.yml index 85b1042..fc42fe8 100644 --- a/roles/php4dvd/tasks/main.yml +++ b/roles/php4dvd/tasks/main.yml @@ -7,9 +7,17 @@ ansible.builtin.user: name: php4dvd comment: Podman pphp4dvd - group: authcheck + group: php4dvd shell: /sbin/nologin +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - php4dvd + creates: /var/lib/systemd/linger/php4dvd + - name: Get container source ansible.builtin.git: dest: /usr/local/src/docker-php4dvd 
diff --git a/roles/roundcube/tasks/main.yml b/roles/roundcube/tasks/main.yml index eca261b..787a983 100644 --- a/roles/roundcube/tasks/main.yml +++ b/roles/roundcube/tasks/main.yml @@ -10,6 +10,14 @@ group: roundcube shell: /sbin/nologin +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - roundcube + creates: /var/lib/systemd/linger/roundcube + - name: Copy host key ansible.builtin.copy: dest: "{{ tls_private }}/roundcube.key" From 7cf2ad1f5abf35d751537ddba2b1948cb02f64a6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 25 Nov 2023 17:11:40 +0000 Subject: [PATCH 094/713] Fix memory size for oci-nodes --- group_vars/ocinode.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/ocinode.yml b/group_vars/ocinode.yml index d87fa04..7e132c3 100644 --- a/group_vars/ocinode.yml +++ b/group_vars/ocinode.yml @@ -1,6 +1,6 @@ --- # increase memory size -mem_size: 4192 +mem_size: 4096 firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} From 0ed96a14f50dd699d977043b558927533018898f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 25 Nov 2023 17:35:34 +0000 Subject: [PATCH 095/713] nginx_site: Serve static files from static02 --- roles/nginx_site/templates/www.foo.sh.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nginx_site/templates/www.foo.sh.conf.j2 b/roles/nginx_site/templates/www.foo.sh.conf.j2 index c3af36f..ad34c06 100644 --- a/roles/nginx_site/templates/www.foo.sh.conf.j2 +++ b/roles/nginx_site/templates/www.foo.sh.conf.j2 @@ -3,9 +3,9 @@ } location /roles/ { - proxy_pass https://static01.home.foo.sh/roles/; + proxy_pass https://static02.home.foo.sh/roles/; } location /~ { - proxy_pass https://static01.home.foo.sh/~; + proxy_pass https://static02.home.foo.sh/~; } From 4594bb608399834f3ae3a517ffe802115a382cf8 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sat, 25 Nov 2023 18:15:53 +0000 Subject: [PATCH 096/713] Update Fedora to 39 --- group_vars/fedora.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/fedora.yml b/group_vars/fedora.yml index c0ed1a5..f10f398 100644 --- a/group_vars/fedora.yml +++ b/group_vars/fedora.yml @@ -18,7 +18,7 @@ ipcmd: >- {% endif %} virt_install_os_args: >- --location - https://nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/releases/38/Everything/x86_64/os/ + https://nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/releases/39/Everything/x86_64/os/ --extra-args "inst.ks={{ ks_file }} console=ttyS0 From ee6d3b4d52461b5f42d1c226f9d4a0eaf797c260 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 26 Nov 2023 15:22:54 +0000 Subject: [PATCH 097/713] scanservjs: Fix sane host address --- roles/scanservjs/templates/scanservjs-container.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/scanservjs/templates/scanservjs-container.service.j2 b/roles/scanservjs/templates/scanservjs-container.service.j2 index 3a21dee..50f1306 100644 --- a/roles/scanservjs/templates/scanservjs-container.service.j2 +++ b/roles/scanservjs/templates/scanservjs-container.service.j2 @@ -8,6 +8,7 @@ User=scanserv ExecStartPre=/usr/bin/podman pull docker.io/sbs20/scanservjs:{{ scanservjs_version }} ExecStart=/usr/bin/podman run \ --rm -p 127.0.0.1:8006:8080 \ + --env "SANED_NET_HOSTS={{ inventory_hostname }}" \ --name scanservjs \ docker.io/sbs20/scanservjs:{{ scanservjs_version }} ExecStop=/usr/bin/podman stop --ignore scanservjs From 3fdbd62aca212cf199bce29b003479d47fd24cca Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 26 Nov 2023 15:25:00 +0000 Subject: [PATCH 098/713] scanserv: Enable user lingering --- roles/scanservjs/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/scanservjs/tasks/main.yml b/roles/scanservjs/tasks/main.yml index 160cf8d..827faa8 100644 
--- a/roles/scanservjs/tasks/main.yml +++ b/roles/scanservjs/tasks/main.yml @@ -10,6 +10,14 @@ group: scanserv shell: /sbin/nologin +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - scanserv + creates: /var/lib/systemd/linger/scanserv + - name: Create service file ansible.builtin.template: dest: /etc/systemd/system/scanservjs-container.service From 270da668c32bef482b80433bb6be35f94ec590da Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 26 Nov 2023 15:35:51 +0000 Subject: [PATCH 099/713] pki: Prevent OpenBSD from changing permissions --- roles/pki/files/mtree.patch | 11 +++++++++++ roles/pki/tasks/main.yml | 6 ++++++ 2 files changed, 17 insertions(+) create mode 100644 roles/pki/files/mtree.patch diff --git a/roles/pki/files/mtree.patch b/roles/pki/files/mtree.patch new file mode 100644 index 0000000..04e6e89 --- /dev/null +++ b/roles/pki/files/mtree.patch @@ -0,0 +1,11 @@ +--- 4.4BSD.dist.orig Sat Nov 25 20:29:26 2023 ++++ 4.4BSD.dist Sat Nov 25 20:29:36 2023 +@@ -105,7 +105,7 @@ + + # ./etc/ssl + ssl +- private uname=root mode=0700 ++ private uname=root mode=0750 + .. + .. + diff --git a/roles/pki/tasks/main.yml b/roles/pki/tasks/main.yml index b27715a..3e20d68 100644 --- a/roles/pki/tasks/main.yml +++ b/roles/pki/tasks/main.yml @@ -29,6 +29,12 @@ ansible.builtin.set_fact: pki_cacert_hash: "{{ result.stdout }}" +- name: Patch mtree to set correct permissions on /etc/ssl/private + ansible.posix.patch: + dest: /etc/mtree/4.4BSD.dist + src: mtree.patch + when: ansible_system == "OpenBSD" + - name: Fix private key directory permissions ansible.builtin.file: path: "{{ tls_private }}" From ad187f51e35dde0b0417185b8963cac661723850 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sun, 26 Nov 2023 17:41:18 +0000 Subject: [PATCH 100/713] php4dvd: Use TLS for MariaDB connections --- roles/php4dvd/tasks/main.yml | 9 +++++++++ roles/php4dvd/templates/php4dvd-container.service.j2 | 3 +++ roles/php4dvd/templates/php4dvd-container.sysconfig.j2 | 3 +++ 3 files changed, 15 insertions(+) diff --git a/roles/php4dvd/tasks/main.yml b/roles/php4dvd/tasks/main.yml index fc42fe8..749a032 100644 --- a/roles/php4dvd/tasks/main.yml +++ b/roles/php4dvd/tasks/main.yml @@ -18,6 +18,15 @@ - php4dvd creates: /var/lib/systemd/linger/php4dvd +- name: Copy host key + ansible.builtin.copy: + dest: "{{ tls_private }}/php4dvd.key" + src: "{{ tls_private }}/{{ inventory_hostname }}.key" + mode: "0640" + owner: root + group: php4dvd + remote_src: true + - name: Get container source ansible.builtin.git: dest: /usr/local/src/docker-php4dvd diff --git a/roles/php4dvd/templates/php4dvd-container.service.j2 b/roles/php4dvd/templates/php4dvd-container.service.j2 index 277bb16..af646cb 100644 --- a/roles/php4dvd/templates/php4dvd-container.service.j2 +++ b/roles/php4dvd/templates/php4dvd-container.service.j2 @@ -10,6 +10,9 @@ ExecStart=/usr/bin/podman run \ --rm -p 127.0.0.1:8005:80 \ --name php4dvd \ --env PHP4DVD_* \ + --volume={{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \ + --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \ + --volume={{ tls_private }}/php4dvd.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \ --volume /export/volumes/php4dvd:/var/www/html/movies:rw,Z \ php4dvd:latest ExecStop=/usr/bin/podman stop --ignore php4dvd diff --git a/roles/php4dvd/templates/php4dvd-container.sysconfig.j2 b/roles/php4dvd/templates/php4dvd-container.sysconfig.j2 index af894b5..79c274b 100644 --- a/roles/php4dvd/templates/php4dvd-container.sysconfig.j2 +++ b/roles/php4dvd/templates/php4dvd-container.sysconfig.j2 
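Review bot: The "Copy host key" task hands the host's own TLS private key (`{{ tls_private }}/{{ inventory_hostname }}.key`) to the php4dvd group, and the service-template hunk on this same line then bind-mounts that copy into the container as the MariaDB client key, so a compromise of the container process exposes the host's server identity rather than a service-scoped credential. If the pki role can issue per-service client certificates, a dedicated php4dvd client key kept at the same `0640 root:php4dvd` permissions would limit the blast radius; the roundcube role earlier in this series appears to follow the same host-key pattern, so that would be a shared change. At minimum the copy task deserves a comment making the reuse explicit, e.g. `# host TLS key is reused as the MariaDB client key; rotate together with the host certificate`.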
@@ -2,4 +2,7 @@ PHP4DVD_DB_HOST=sqldb02.home.foo.sh PHP4DVD_DB_NAME=php4dvd PHP4DVD_DB_USER=php4dvd PHP4DVD_DB_PASS={{ php4dvd_mysql_pass }} +PHP4DVD_DB_KEY=/etc/ssl/private/{{ inventory_hostname }}.key +PHP4DVD_DB_CERT=/etc/ssl/certs/{{ inventory_hostname }}.crt +PHP4DVD_DB_CACERT=/etc/ssl/certs/ca.crt PHP4DVD_USER_GUESTVIEW=true From 8c66c9a6a06aa2c5a9a41be34689347e385e0b51 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 27 Nov 2023 10:43:00 +0000 Subject: [PATCH 101/713] Update gitea to 1.21.1 --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 363d124..6133caa 100644 --- a/hosts.yml +++ b/hosts.yml @@ -21,7 +21,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.0" + gitea_version: "1.21.1" gitearunner: hosts: gitea-runner02.home.foo.sh: From a4660f69cfbea2a080cd6c5d0b080f4cc3c415bb Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 5 Dec 2023 17:15:16 +0000 Subject: [PATCH 102/713] homeassistant: Add support for zigbee dongle --- .../files/99-homeassistant.rules | 1 + .../files/homeassistant-local.pp | Bin 1737 -> 1919 bytes .../files/homeassistant-local.te | 4 +++- roles/homeassistant/tasks/main.yml | 14 ++++++++++++++ .../homeassistant-container.service.j2 | 1 + 5 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 roles/homeassistant/files/99-homeassistant.rules diff --git a/roles/homeassistant/files/99-homeassistant.rules b/roles/homeassistant/files/99-homeassistant.rules new file mode 100644 index 0000000..42b1684 --- /dev/null +++ b/roles/homeassistant/files/99-homeassistant.rules @@ -0,0 +1 @@ +SUBSYSTEM=="tty", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="ea60", MODE="0660", GROUP="ha" 
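Review bot: The rule matches only on `ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="ea60"`, which appears to be the generic Silicon Labs CP210x USB-UART bridge ID rather than anything specific to the zigbee dongle, so any device built on that chip that is plugged into the host becomes group-writable for `ha`. If the dongle exposes a serial number, adding `ATTRS{serial}=="<dongle-serial>"` (placeholder) narrows the rule to that one device. A header comment naming the hardware, e.g. `# zigbee coordinator (CP210x bridge): grant the homeassistant container group access`, would also help the next maintainer.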
diff --git a/roles/homeassistant/files/homeassistant-local.pp b/roles/homeassistant/files/homeassistant-local.pp index e3fe854c1d94f1f172df85610e67d50138d5d1b8..e202a252d317e3d7ace4f3fe3407dabd31587479 100644 GIT binary patch delta 201 zcmX@f`=4(@1e2k|WJM-nP8J3R1`uYRcvoB^C9?>`W(4A*)Wj4J8w6M;)@e`P!Xz+p zr#2(g#;5s=jBJw|nWZNeFu5?YOn%7h4rED8c3@(G@)DS3;H;F%8Z0Uk-*8O+z#KC9 z0W-(st!x651DIJRC$LCNo&&@aSU`pxWRjmeff>jHV};29tOk=eu&7LKVD%6II}hj# OpzA;`1LMUfSs4M+#WI=z delta 132 zcmey*canEP1e1Zo~f2o23~O7#Ue7KVXuc zJe|p9GCPY0kd~Ot%;GcoHFF9O%S=Ac!ZF#M* Date: Fri, 8 Dec 2023 18:07:14 +0000 Subject: [PATCH 103/713] Add zigbee device to homeassistant --- host_vars/homeassistant01.home.foo.sh.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/host_vars/homeassistant01.home.foo.sh.yml b/host_vars/homeassistant01.home.foo.sh.yml index fefe24f..66a2c30 100644 --- a/host_vars/homeassistant01.home.foo.sh.yml +++ b/host_vars/homeassistant01.home.foo.sh.yml @@ -7,4 +7,6 @@ network_interfaces: - device: eth1 vlan: 30 virt_install_devices: + - 001.004 - 001.005 + - 001.006 From a4bbc5438052bf2857988b75646dc1dd231e5e28 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 8 Dec 2023 18:07:44 +0000 Subject: [PATCH 104/713] Increase memory on sql hosts --- group_vars/sqldb.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/group_vars/sqldb.yml b/group_vars/sqldb.yml index f2d2337..5848832 100644 --- a/group_vars/sqldb.yml +++ b/group_vars/sqldb.yml @@ -1,4 +1,5 @@ --- +mem_size: 4096 datadisks: - {size: 20, type: nvme} firewall_in: From c7c77fcb0ba29822a7dec67b4350bfd33b3ef611 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 8 Dec 2023 18:08:34 +0000 Subject: [PATCH 105/713] Fix typo --- site.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site.yml b/site.yml index a942f1d..ce2ad46 100644 --- a/site.yml +++ b/site.yml 
@@ -48,7 +48,7 @@ - name: Configure relay hosts ansible.builtin.import_playbook: playbooks/relay.yml - name: Configure sane hosts - ansible.builtin.import.playbook: playbooks/sane.yml + ansible.builtin.import_playbook: playbooks/sane.yml - name: Configure shell hosts ansible.builtin.import_playbook: playbooks/shell.yml - name: Configure sqldb hosts From 2b475bf8ce39e6daea602f0d42eb9c5043f3726e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 12 Dec 2023 21:18:25 +0000 Subject: [PATCH 106/713] Remove mythtv hosts --- hosts.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/hosts.yml b/hosts.yml index 6133caa..71cd418 100644 --- a/hosts.yml +++ b/hosts.yml @@ -65,9 +65,6 @@ mongodb: mqtt: hosts: mqtt02.home.foo.sh: -mythtv: - hosts: - mythtv01.home.foo.sh: nas: hosts: nas02.home.foo.sh: @@ -137,7 +134,6 @@ vultr: fedora: children: gitearunner: - mythtv: openbsd: children: backup: From 79ecf7277f78bb27410831695f319860aa9ee95d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 12 Dec 2023 21:34:26 +0000 Subject: [PATCH 107/713] Update software versions --- hosts.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hosts.yml b/hosts.yml index 71cd418..f9d26fa 100644 --- a/hosts.yml +++ b/hosts.yml @@ -21,7 +21,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.1" + gitea_version: "1.21.2" gitearunner: hosts: gitea-runner02.home.foo.sh: @@ -31,7 +31,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2023.11.2" + homeassistant_version: "2023.12" homeassistant_integrations: - name: electrolux_status repo: >- @@ -82,8 +82,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "10.2.1" - rocketchat_version: "6.4.6" + grafana_version: "10.2.2" + rocketchat_version: "6.5.0" roundcube_version: "1.6.5" print: hosts: From b04edceb13f127f06ef6a46aef94311b6973b493 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Fri, 15 Dec 2023 15:23:32 +0000 Subject: [PATCH 108/713] homeassistant: Fix updating to new version --- roles/homeassistant/handlers/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/homeassistant/handlers/main.yml b/roles/homeassistant/handlers/main.yml index 61fb83a..36f24f6 100644 --- a/roles/homeassistant/handlers/main.yml +++ b/roles/homeassistant/handlers/main.yml @@ -1,5 +1,6 @@ --- - name: Restart homeassistant - ansible.builtin.service: + ansible.builtin.systemd_service: name: homeassistant-container state: restarted + daemon_reload: true From eead2210467b5d6981b030b3d10f98981c0b652a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 15 Dec 2023 15:23:57 +0000 Subject: [PATCH 109/713] Update homeassistant to 2023.12.3 --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index f9d26fa..990f6f4 100644 --- a/hosts.yml +++ b/hosts.yml @@ -31,7 +31,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2023.12" + homeassistant_version: "2023.12.3" homeassistant_integrations: - name: electrolux_status repo: >- From 89a0cbddbf125de9bc00243f40915c9cf1988d2a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 22 Dec 2023 16:05:33 +0000 Subject: [PATCH 110/713] Update gitea --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 990f6f4..d0728df 100644 --- a/hosts.yml +++ b/hosts.yml @@ -21,7 +21,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.2" + gitea_version: "1.21.3" gitearunner: hosts: gitea-runner02.home.foo.sh: From 23d8b9bcdcca82b185d34dcde68639a7df0be974 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 22 Dec 2023 18:06:18 +0000 Subject: [PATCH 111/713] pki: Fix group from OpenBSD private dir --- roles/pki/files/mtree.patch | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/roles/pki/files/mtree.patch b/roles/pki/files/mtree.patch index 04e6e89..17ce41e 100644 --- a/roles/pki/files/mtree.patch +++ b/roles/pki/files/mtree.patch @@ -1,11 +1,11 @@ ---- 4.4BSD.dist.orig Sat Nov 25 20:29:26 2023 -+++ 4.4BSD.dist Sat Nov 25 20:29:36 2023 +--- 4.4BSD.dist.orig Fri Dec 22 17:31:46 2023 ++++ 4.4BSD.dist Fri Dec 22 17:32:00 2023 @@ -105,7 +105,7 @@ # ./etc/ssl ssl - private uname=root mode=0700 -+ private uname=root mode=0750 ++ private gname=hostkey uname=root mode=0750 .. .. From 2247ce1d160d44ebc1a8ade1cf5a244385b1d4b2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 9 Jan 2024 19:15:54 +0000 Subject: [PATCH 112/713] Update softwrae versions --- hosts.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts.yml b/hosts.yml index d0728df..6515638 100644 --- a/hosts.yml +++ b/hosts.yml @@ -31,7 +31,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2023.12.3" + homeassistant_version: "2024.1.2" homeassistant_integrations: - name: electrolux_status repo: >- @@ -82,8 +82,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "10.2.2" - rocketchat_version: "6.5.0" + grafana_version: "10.2.3" + rocketchat_version: "6.5.2" roundcube_version: "1.6.5" print: hosts: From e43dd2a26efd1f1d7f5808d42d6edb13969b462a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 9 Jan 2024 23:24:26 +0000 Subject: [PATCH 113/713] Fix changed ip addressses --- group_vars/ns.yml | 4 ++-- group_vars/shell.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/ns.yml b/group_vars/ns.yml index 6542553..544cf9b 100644 --- a/group_vars/ns.yml +++ b/group_vars/ns.yml 
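Review bot: Revising `mtree.patch` in place (new timestamps in the `---`/`+++` header and a different `+` line) likely breaks the `ansible.posix.patch` task from the earlier pki commit on hosts where the first version was already applied: the forward hunk no longer matches because `private` already has `mode=0750`, and the reverse check presumably does not match the new `gname=hostkey` line either, so the task would fail instead of converging. Managing the single `private` entry of `/etc/mtree/4.4BSD.dist` with `ansible.builtin.lineinfile` (regexp on the `private uname=root` line) would make the change idempotent across both states, or the task should state that already-patched hosts must be reverted first. The `ansible.posix.patch` task itself is outside this hunk.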
@@ -1,12 +1,12 @@ --- firewall_in: - - {proto: tcp, port: 22, from: [172.20.20.0/22, 81.175.130.44/32]} + - {proto: tcp, port: 22, from: [172.20.20.0/22, 62.78.229.29/32]} - {proto: tcp, port: 53} - {proto: udp, port: 53} - {proto: tcp, port: 80} - {proto: tcp, port: 443} - {proto: tcp, port: 853} - - {proto: tcp, port: 4949, from: [172.20.20.0/22, 81.175.130.44/32]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22, 62.78.229.29/32]} firewall_raw: - pass quick proto carp diff --git a/group_vars/shell.yml b/group_vars/shell.yml index 2af3bb2..19931a2 100644 --- a/group_vars/shell.yml +++ b/group_vars/shell.yml @@ -9,4 +9,4 @@ firewall_in: - {proto: tcp, port: 22} - {proto: tcp, port: 80} - {proto: tcp, port: 443} - - {proto: tcp, port: 9100, from: [81.175.130.44/32]} + - {proto: tcp, port: 9100, from: [62.78.229.29/32]} From 98d52e577aca81596c4748dadc2ea9415e20c318 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 17 Jan 2024 18:35:00 +0000 Subject: [PATCH 114/713] node_exporter: Enable text collector for OpenBSD --- roles/node_exporter/tasks/main.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml index 00b9898..2be0e07 100644 --- a/roles/node_exporter/tasks/main.yml +++ b/roles/node_exporter/tasks/main.yml @@ -31,6 +31,15 @@ group: "{{ ansible_wheel }}" notify: Restart node_exporter +- name: Create textfile collector directory + ansible.builtin.file: + path: /var/db/node-exporter + state: directory + mode: 0755 + owner: _nodeexporter + group: _nodeexporter + when: ansible_os_family == "OpenBSD" + - name: Modify config ansible.builtin.lineinfile: path: /etc/default/prometheus-node-exporter 
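Review bot: `mode: 0755` in the "Create textfile collector directory" task is an unquoted leading-zero literal, which the YAML loader reads as an integer and only works because of YAML 1.1 octal semantics; the rest of this series writes modes as strings (`mode: "0644"`, `mode: "0640"`), so `mode: "0755"` keeps the role consistent and free of the ansible-lint risky-octal warning. The two tasks added later in this series for the same role ("Create directory for textfile collector scripts" and "Add script for running textfile collector scripts") carry the same unquoted `mode: 0755` and should be quoted the same way. A short comment on the directory task, e.g. `# written by the textfile collector cron job, read by node_exporter`, would document why it is owned by `_nodeexporter`.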
@@ -50,7 +59,10 @@ name: "{{ node_exporter_service }}" state: started enabled: true - arguments: --web.config.file=/etc/node_exporter/web-config.yml + arguments: >- + --web.config.file=/etc/node_exporter/web-config.yml + --collector.textfile.directory /var/db/node-exporter + notify: Restart node_exporter when: ansible_os_family == "OpenBSD" - name: Enable service From c98c7fd7bb3fa201154d5474dd070a8e6a7875c9 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 17 Jan 2024 18:53:36 +0000 Subject: [PATCH 115/713] node_exporter: Use documented syntax for options --- roles/node_exporter/tasks/main.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml index 2be0e07..fffda67 100644 --- a/roles/node_exporter/tasks/main.yml +++ b/roles/node_exporter/tasks/main.yml @@ -45,12 +45,11 @@ path: /etc/default/prometheus-node-exporter regexp: "^ARGS=" line: >- - ARGS="--collector.filesystem.ignored-mount-points - '^/(dev|proc|sys|run/(user|credentials/systemd-.+))($|/)' - --collector.netclass.ignored-devices '^(br-|docker|veth).+$' - --collector.netdev.device-exclude '^(br-|docker|veth).+$' + ARGS="--collector.filesystem.ignored-mount-points='^/(dev|proc|sys|run/(user|credentials/systemd-.+))($|/)' + --collector.netclass.ignored-devices='^(br-|docker|veth).+$' + --collector.netdev.device-exclude='^(br-|docker|veth).+$' --web.config=/etc/node_exporter/web-config.yml - --collector.textfile.directory /var/lib/prometheus/node-exporter" + --collector.textfile.directory=/var/lib/prometheus/node-exporter" notify: Restart node_exporter when: ansible_os_family == "RedHat" @@ -61,7 +60,7 @@ enabled: true arguments: >- --web.config.file=/etc/node_exporter/web-config.yml - --collector.textfile.directory /var/db/node-exporter + --collector.textfile.directory=/var/db/node-exporter notify: Restart node_exporter when: ansible_os_family == "OpenBSD" 
From e5d0752812e3dc768e476c7908c53bb2af9a61e8 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 17 Jan 2024 20:27:11 +0000 Subject: [PATCH 116/713] node_exporter: Run textfile collectors every 10min --- .../node-exporter-run-textfile-collector.sh | 21 ++++++++++++++++++ roles/node_exporter/tasks/main.yml | 22 +++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100755 roles/node_exporter/files/node-exporter-run-textfile-collector.sh diff --git a/roles/node_exporter/files/node-exporter-run-textfile-collector.sh b/roles/node_exporter/files/node-exporter-run-textfile-collector.sh new file mode 100755 index 0000000..2b3d297 --- /dev/null +++ b/roles/node_exporter/files/node-exporter-run-textfile-collector.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +set -eu + +umask 022 + +if [ "$(uname -s)" = "OpenBSD" ]; then + OUTDIR="/var/db/node-exporter" +else + OUTDIR="/var/lib/prometheus/node-exporter" +fi + +for script in /usr/local/libexec/node-exporter/*; do + [ -x "$script" ] || continue + target="${OUTDIR}/$(basename "$script")" + if "$script" > "${target}.tmp" ; then + mv "${target}.tmp" "${target}.prom" + else + rm -f "${target}.tmp" + fi +done diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml index fffda67..1e35c32 100644 --- a/roles/node_exporter/tasks/main.yml +++ b/roles/node_exporter/tasks/main.yml 
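Review bot: The loop has no guard against overlapping runs: if a collector takes longer than the cron interval added later in this patch, two instances write to the same `${target}.tmp` and one of the `mv` calls can publish a half-written `.prom` file. A simple mkdir-based lock such as `mkdir "${OUTDIR}/.lock" 2>/dev/null || exit 0` with `trap 'rmdir "${OUTDIR}/.lock"' EXIT` placed before the loop avoids this without depending on flock(1), which may not be available on the OpenBSD hosts this script targets. A one-line header comment stating the contract, e.g. `# runs every executable in /usr/local/libexec/node-exporter and atomically publishes its stdout as <name>.prom in OUTDIR`, would also help.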
@@ -40,6 +40,28 @@ group: _nodeexporter when: ansible_os_family == "OpenBSD" +- name: Create directory for textfile collector scripts + ansible.builtin.file: + path: /usr/local/libexec/node-exporter + state: directory + mode: 0755 + owner: root + group: "{{ ansible_wheel }}" + +- name: Add script for running textfile collector scripts + ansible.builtin.copy: + dest: /usr/local/sbin/node-exporter-run-textfile-collector + src: node-exporter-run-textfile-collector.sh + mode: 0755 + owner: root + group: "{{ ansible_wheel }}" + +- name: Add cron job for running textfile collector scripts + ansible.builtin.cron: + name: node-exporter-run-textfile-collector + job: /usr/local/sbin/node-exporter-run-textfile-collector + minute: "*/10" + - name: Modify config ansible.builtin.lineinfile: path: /etc/default/prometheus-node-exporter From d22236f5dfcf644fbad56cf6814c9686f9f65d18 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 17 Jan 2024 20:30:13 +0000 Subject: [PATCH 117/713] scanservjs: yamllint fix --- roles/scanservjs/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/scanservjs/tasks/main.yml b/roles/scanservjs/tasks/main.yml index 827faa8..9399983 100644 --- a/roles/scanservjs/tasks/main.yml +++ b/roles/scanservjs/tasks/main.yml @@ -43,4 +43,3 @@ owner: root group: "{{ ansible_wheel }}" notify: Restart apache - From 5900c39b592b57a667465f518b4b84c0171f0457 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 17 Jan 2024 20:30:56 +0000 Subject: [PATCH 118/713] yamllint fix --- playbooks/sane.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/playbooks/sane.yml b/playbooks/sane.yml index 03ef6db..cb8101f 100644 --- a/playbooks/sane.yml +++ b/playbooks/sane.yml @@ -37,4 +37,3 @@ owner: root group: "{{ ansible_wheel }}" notify: Restart apache - From adbc274797cdfd6b60b9ae2062fe9af0fdb40369 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Wed, 17 Jan 2024 20:41:53 +0000 Subject: [PATCH 119/713] homeassistant: More robust auth command --- roles/homeassistant/files/auth-command.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/homeassistant/files/auth-command.sh b/roles/homeassistant/files/auth-command.sh index 6b2c2dc..e64ee9c 100755 --- a/roles/homeassistant/files/auth-command.sh +++ b/roles/homeassistant/files/auth-command.sh @@ -2,6 +2,12 @@ set -eu +umask 077 + +if [ -z "${username:-}" ] || [ -z "${password:-}" ]; then + exit 2 +fi + if [ "$(echo "$username" | sed -r 's/^[a-z]+$/x/')" != "x" ]; then exit 2 fi From 7a02a28d0fd4a4617c1ae8371a8703723234129d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 25 Jan 2024 19:28:26 +0000 Subject: [PATCH 120/713] network: Add support for OpenBSD rdomains --- roles/network/templates/hostname.if.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/network/templates/hostname.if.j2 b/roles/network/templates/hostname.if.j2 index 0db5d8b..862640b 100644 --- a/roles/network/templates/hostname.if.j2 +++ b/roles/network/templates/hostname.if.j2 @@ -1,3 +1,6 @@ +{% if item.rdomain is defined %} +rdomain {{ item.rdomain }} +{% endif %} {% if item.proto is not defined or item.proto == 'dhcp' %} dhcp {% elif item.proto == 'static' %} From 69ebc89858b3f87b3f8d6b7e9c7fea8ce40a1833 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 25 Jan 2024 19:31:06 +0000 Subject: [PATCH 121/713] openvpn: Hardcode rdomain for now --- roles/openvpn/files/hostname.tap0 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openvpn/files/hostname.tap0 b/roles/openvpn/files/hostname.tap0 index cd1c353..2b44eb9 100644 --- a/roles/openvpn/files/hostname.tap0 +++ b/roles/openvpn/files/hostname.tap0 @@ -1,2 +1,2 @@ up -!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/tap0.conf +!/sbin/route -T 1 exec /usr/local/sbin/openvpn --daemon --config /etc/openvpn/tap0.conf 
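Review bot: The new empty-value guard is a good addition, but the existing username check immediately after it still passes the value through `echo "$username"`, where a leading `-n`/`-e` or backslash sequences may be interpreted by the shell builtin before sed sees them; `printf '%s\n' "$username"` passes the string literally and behaves the same in every sh. The `umask 077` line deserves a short comment on why it is set this early, e.g. `# anything this script writes must not be world-readable (credentials)`. The script's remaining checks are outside this hunk.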
From cdd7e82b6a683d30d2b4da2af9596bf8dbab7a69 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 25 Jan 2024 19:32:28 +0000 Subject: [PATCH 122/713] Move DNA interface to correct rdomain on fsol-gw --- host_vars/fsol-gw01.home.foo.sh.yml | 1 + host_vars/fsol-gw02.home.foo.sh.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/host_vars/fsol-gw01.home.foo.sh.yml b/host_vars/fsol-gw01.home.foo.sh.yml index 798ef20..d6e9acd 100644 --- a/host_vars/fsol-gw01.home.foo.sh.yml +++ b/host_vars/fsol-gw01.home.foo.sh.yml @@ -15,6 +15,7 @@ network_interfaces: - device: vio2 vlan: 103 proto: dhcp + rdomain: 1 - device: vio3 vlan: 102 proto: none diff --git a/host_vars/fsol-gw02.home.foo.sh.yml b/host_vars/fsol-gw02.home.foo.sh.yml index 88cce43..9b00140 100644 --- a/host_vars/fsol-gw02.home.foo.sh.yml +++ b/host_vars/fsol-gw02.home.foo.sh.yml @@ -15,6 +15,7 @@ network_interfaces: - device: vio2 vlan: 103 proto: dhcp + rdomain: 1 - device: vio3 vlan: 102 proto: none From 5a8fca650c297d38df3a09f8755a32323129b835 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 25 Jan 2024 19:33:17 +0000 Subject: [PATCH 123/713] node_exporter: Force path to textfile collectors Cron ismissing sbin directories by default and /usr/local on OpenBSD so force them into path. --- .../node_exporter/files/node-exporter-run-textfile-collector.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/node_exporter/files/node-exporter-run-textfile-collector.sh b/roles/node_exporter/files/node-exporter-run-textfile-collector.sh index 2b3d297..b8897ae 100755 --- a/roles/node_exporter/files/node-exporter-run-textfile-collector.sh +++ b/roles/node_exporter/files/node-exporter-run-textfile-collector.sh @@ -4,6 +4,8 @@ set -eu umask 022 +PATH="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin" + if [ "$(uname -s)" = "OpenBSD" ]; then OUTDIR="/var/db/node-exporter" else From 3bcc12a16df1ea0255bdd7db81f2548b81efa891 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Thu, 25 Jan 2024 20:41:59 +0000 Subject: [PATCH 124/713] Update homeassistant custom plugins --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 6515638..fc3ac80 100644 --- a/hosts.yml +++ b/hosts.yml @@ -36,7 +36,7 @@ homeassistant: - name: electrolux_status repo: >- https://github.com/mauro-midolo/homeassistant_electrolux_status.git - version: v4.1.0 + version: v5.0.0 - name: nordpool repo: https://github.com/custom-components/nordpool.git version: 0.0.14 From 93128bb624233b90b33a9b01fb526eac456188e0 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 25 Jan 2024 20:43:25 +0000 Subject: [PATCH 125/713] Update gitea --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index fc3ac80..105b411 100644 --- a/hosts.yml +++ b/hosts.yml @@ -21,7 +21,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.3" + gitea_version: "1.21.4" gitearunner: hosts: gitea-runner02.home.foo.sh: From cb0d0a949d44310ce634fc74b9099caec083d16a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 1 Feb 2024 20:08:46 +0000 Subject: [PATCH 126/713] Update gitea --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 105b411..a1b91f0 100644 --- a/hosts.yml +++ b/hosts.yml @@ -21,7 +21,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.4" + gitea_version: "1.21.5" gitearunner: hosts: gitea-runner02.home.foo.sh: From cb7ca70d1633779c28e812ca76cd25a869159dc9 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sun, 4 Feb 2024 17:03:29 +0000 Subject: [PATCH 127/713] frigate: Initial version of role --- roles/frigate/defaults/main.yml | 2 + roles/frigate/handlers/main.yml | 6 ++ roles/frigate/meta/main.yml | 4 + roles/frigate/tasks/main.yml | 88 +++++++++++++++++++ .../templates/frigate-container.service.j2 | 19 ++++ roles/frigate/templates/frigate.yml.j2 | 20 +++++ 6 files changed, 139 insertions(+) create mode 100644 roles/frigate/defaults/main.yml create mode 100644 roles/frigate/handlers/main.yml create mode 100644 roles/frigate/meta/main.yml create mode 100644 roles/frigate/tasks/main.yml create mode 100644 roles/frigate/templates/frigate-container.service.j2 create mode 100644 roles/frigate/templates/frigate.yml.j2 diff --git a/roles/frigate/defaults/main.yml b/roles/frigate/defaults/main.yml new file mode 100644 index 0000000..3266cf2 --- /dev/null +++ b/roles/frigate/defaults/main.yml @@ -0,0 +1,2 @@ +--- +frigate_version: stable diff --git a/roles/frigate/handlers/main.yml b/roles/frigate/handlers/main.yml new file mode 100644 index 0000000..57e67ec --- /dev/null +++ b/roles/frigate/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart frigate + ansible.builtin.systemd_service: + name: frigate-container + state: restarted + daemon_reload: true diff --git a/roles/frigate/meta/main.yml b/roles/frigate/meta/main.yml new file mode 100644 index 0000000..19b52d0 --- /dev/null +++ b/roles/frigate/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - {role: apache} + - {role: podman} diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml new file mode 100644 index 0000000..5a13994 --- /dev/null +++ b/roles/frigate/tasks/main.yml 
@@ -0,0 +1,88 @@ +--- +- name: Create group + ansible.builtin.group: + name: frigate + +- name: Create user + ansible.builtin.user: + name: frigate + comment: Podman Frigate + group: frigate + shell: /sbin/nologin + +- name: Create config + ansible.builtin.template: + dest: /etc/frigate.yml + src: frigate.yml.j2 + mode: "0750" + owner: root + group: frigate + notify: Restart frigate + +- name: Fix SELinux contexts from data directory + community.general.sefcontext: + path: /export/frigate(/.*)? + setype: container_file_t + when: ansible_selinux_python_present + +- name: Create data directories + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: "0770" + owner: root + group: frigate + setype: _default + with_items: + - /export/frigate + - /export/frigate/config + - /export/frigate/media + +- name: Link data directory + ansible.builtin.file: + dest: /srv/frigate + src: /export/frigate + state: link + owner: root + group: "{{ ansible_wheel }}" + follow: false + +- name: Create service file + ansible.builtin.template: + dest: /etc/systemd/system/frigate-container.service + src: frigate-container.service.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart frigate + +- name: Enable service + ansible.builtin.service: + name: frigate-container + state: started + enabled: true + +- name: Copy apache config + ansible.builtin.copy: + dest: /etc/httpd/conf.local.d/frigate-container.conf + content: | + ProxyPass /frigate/ http://127.0.0.1:8007/ + ProxyPassReverse /frigate/ http://127.0.0.1:8007/ + + ProxyPass /frigate/ws ws://127.0.0.1:8007/ws + ProxyPassReverse /frigate/ws ws://127.0.0.1:8007/ws + + ProxyPass /frigate/live ws://127.0.0.1:8007/live + ProxyPassReverse /frigate/live ws://127.0.0.1:8007/live + + + RewriteEngine on + RewriteCond %{HTTP:Upgrade} =websocket [NC] + RewriteRule /(.*) ws://127.0.0.1:8007/$1 [P,L] + RewriteCond %{HTTP:Upgrade} !=websocket [NC] + RewriteRule /(.*) http://127.0.0.1:8007/$1 [P,L] + mode: 
"0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart apache + diff --git a/roles/frigate/templates/frigate-container.service.j2 b/roles/frigate/templates/frigate-container.service.j2 new file mode 100644 index 0000000..186d955 --- /dev/null +++ b/roles/frigate/templates/frigate-container.service.j2 @@ -0,0 +1,19 @@ +[Unit] +Description=Frigate Container +Wants=network-online.target +After=network-online.target + +[Service] +User=frigate +ExecStart=/usr/bin/podman run \ + --rm -p 127.0.0.1:8007:5000 \ + --name frigate \ + --volume /srv/frigate/config:/config:rw \ + --volume /etc/frigate.yml:/config/config.yml:ro \ + --volume /srv/frigate/media:/media/frigate:rw \ + ghcr.io/blakeblackshear/frigate:{{ frigate_version }} +ExecStop=/usr/bin/podman stop --ignore frigate +ExecStopPost=/usr/bin/podman rm -f --ignore frigate + +[Install] +WantedBy=multi-user.target diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2 new file mode 100644 index 0000000..aa283f6 --- /dev/null +++ b/roles/frigate/templates/frigate.yml.j2 @@ -0,0 +1,20 @@ +--- +mqtt: + enabled: false + +cameras: +{% for camera in cctv_cameras %} + {{ camera.name }}: + enabled: true + ffmpeg: + inputs: + - path: "rtsp://viewer:{{ camera.pass }}@{{ camera.addr}}/h264Preview_01_sub" + input_args: preset-rtsp-restream + roles: + - detect + - rtmp + - path: "rtsp://viewer:{{ camera.pass }}@{{ camera.addr}}/h264Preview_01_main" + input_args: preset-rtsp-restream + roles: + - record +{% endfor %} From a0bee46545354930e84cc80512eef0556a1d74b4 Mon Sep 17 00:00:00 2001 
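Review bot: `mode: "0750"` on `/etc/frigate.yml` in the "Create config" task sets the execute bit on a regular file; `mode: "0640"` gives the same root/frigate read restriction, which matters here because the rendered template embeds camera passwords, without the stray exec bit. The "Copy apache config" content block would also benefit from a comment explaining why both `ProxyPass` entries and the `RewriteCond`/`RewriteRule` pairs are present, e.g. `# ProxyPass handles plain HTTP; the RewriteCond/RewriteRule pair upgrades websocket requests`, since the two mechanisms overlap on the same paths.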
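Review bot: The unit has no `ExecStartPre=/usr/bin/podman pull ...` step, unlike the scanservjs unit earlier in this series, and the role's default `frigate_version` is the floating `stable` tag; with a floating tag `podman run` keeps using whatever image was pulled first, so presumably upgrades only happen when the image is removed by hand. Pinning `frigate_version` to a release in `hosts.yml` like the other services, or adding `ExecStartPre=/usr/bin/podman pull ghcr.io/blakeblackshear/frigate:{{ frigate_version }}`, makes the running version explicit and lets the "Restart frigate" handler actually deploy a new one.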
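Review bot: `camera.pass` is interpolated straight into the RTSP URL on both `path:` lines, so a password containing `@`, `:` or `#` produces a URL that is parsed as a different host or fragment; `{{ camera.pass | urlencode }}` escapes those characters (note that Jinja's `urlencode` leaves `/` unescaped, so passwords with a slash still need attention). The `{{ camera.addr}}` expression on the same lines is missing its closing space, which is cosmetic but inconsistent with the rest of the template. Because the rendered file carries camera credentials, a header comment such as `# contains RTSP credentials; the config task restricts this file to root and the frigate group` documents why its permissions are tightened.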
From: Timo Makinen Date: Sun, 4 Feb 2024 17:05:16 +0000 Subject: [PATCH 128/713] Remove zm hosts --- group_vars/zm.yml | 23 --------- host_vars/zm02.home.foo.sh.yml | 13 ----- hosts.yml | 4 -- playbooks/zm.yml | 92 ---------------------------------- 4 files changed, 132 deletions(-) delete mode 100644 group_vars/zm.yml delete mode 100644 host_vars/zm02.home.foo.sh.yml delete mode 100644 playbooks/zm.yml diff --git a/group_vars/zm.yml b/group_vars/zm.yml deleted file mode 100644 index 03177dc..0000000 --- a/group_vars/zm.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -mem_size: 4096 -num_cpus: 2 -datadisks: - - {size: 500} - -network_vip_interfaces: - - device: eth1 - vhid: 26 - ipaddr: 172.20.26.1 - netmask: 255.255.0.0 - pass: "{{ vip26_pass }}" - -zm_mysql_host: sqldb02.home.foo.sh -dhcpd_template: dhcpd.conf.cam.j2 - -firewall_in: - - {proto: tcp, port: 22, from: [172.20.20.0/22]} - - {proto: tcp, port: 443, from: [172.20.20.0/22]} - - {proto: tcp, port: 9100, from: [172.20.20.0/22]} -firewall_raw: - - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - - "-A INPUT -i eth1 -p vrrp -j ACCEPT" diff --git a/host_vars/zm02.home.foo.sh.yml b/host_vars/zm02.home.foo.sh.yml deleted file mode 100644 index 340464a..0000000 --- a/host_vars/zm02.home.foo.sh.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -vmhost: vmhost02.home.foo.sh -network_interfaces: - - device: eth0 - vlan: 20 - mac: "52:54:00:ac:dc:4c" - nameservers: [] - - device: eth1 - vlan: 26 - ipaddr: 172.20.26.3 - netmask: 255.255.255.0 - proto: static - nameservers: [172.20.26.1, 172.20.26.3] diff --git a/hosts.yml b/hosts.yml index a1b91f0..5931786 100644 --- a/hosts.yml +++ b/hosts.yml @@ -117,9 +117,6 @@ vmhost: hosts: vmhost01.home.foo.sh: vmhost02.home.foo.sh: -zm: - hosts: - zm02.home.foo.sh: sftpbackup: children: @@ -154,7 +151,6 @@ rocky8: nms: print: shell: - zm: rocky9: children: adm: diff --git a/playbooks/zm.yml b/playbooks/zm.yml deleted file mode 100644 index 8dd9964..0000000 --- a/playbooks/zm.yml +++ /dev/null 
@@ -1,92 +0,0 @@ ---- -- name: Deploy KVM virtual machines - ansible.builtin.import_playbook: include/deploy-kvm-guest.yml - vars: - myhosts: zm - -- name: Configure instance - hosts: zm - user: root - gather_facts: true - - vars_files: - - "{{ ansible_private }}/vars.yml" - - pre_tasks: - - name: Mount /export - ansible.posix.mount: - name: /export - src: LABEL=/export - fstype: xfs - opts: noatime,noexec,nosuid,nodev - passno: "0" - dump: "0" - state: mounted - - roles: - - base - - mod_auth_gssapi - - role: keytab - keytab_path: /etc/httpd/httpd.keytab - keytab_principals: HTTP/zm.foo.sh@FOO.SH - keytab_group: apache - - tasks: - - name: Run handlers to get interfaces configured - ansible.builtin.meta: flush_handlers - - # TODO: this should really be fixed - - name: Put selinux in permissive state - ansible.posix.selinux: - policy: targeted - state: permissive - - - name: Copy DNS zone files - ansible.builtin.copy: - dest: "/var/lib/unbound/{{ item }}" - src: "/srv/dns/{{ item }}" - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - tags: dns - notify: Restart unbound - with_items: - - 26.20.172.in-addr.arpa - - cam.foo.sh - - - name: Include unbound role - ansible.builtin.import_role: - name: unbound - - - name: Include dhcpd and zoneminder roles - ansible.builtin.include_role: - name: "{{ item }}" - with_items: - - dhcpd - - zoneminder - - - name: Install extra packages for debugging - ansible.builtin.package: - name: rtmpdump - state: installed - - - name: Require authentication for zoneminder - ansible.builtin.copy: - dest: /etc/httpd/conf.local.d/zoneminder-auth.conf - content: | - - AuthType GSSAPI - GssapiBasicAuth Off - AuthName "Password Required" - Require valid-user - - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - notify: Restart apache - - - name: Enable NTP server for cam network - ansible.builtin.lineinfile: - path: /etc/chrony.conf - regexp: "^#?allow .*" - line: "allow 172.20.26.0/24" 
From 7a3a385eb5ef16c22a9cd86b61ce821c0ad876d6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 4 Feb 2024 17:07:19 +0000 Subject: [PATCH 129/713] Add frigate host --- group_vars/frigate.yml | 23 ++++++ host_vars/frigate02.home.foo.sh.yml | 13 +++ hosts.yml | 4 + playbooks/frigate.yml | 82 +++++++++++++++++++ ... => unbound.conf.frigate02.home.foo.sh.j2} | 0 5 files changed, 122 insertions(+) create mode 100644 group_vars/frigate.yml create mode 100644 host_vars/frigate02.home.foo.sh.yml create mode 100644 playbooks/frigate.yml rename roles/unbound/templates/{unbound.conf.zm02.home.foo.sh.j2 => unbound.conf.frigate02.home.foo.sh.j2} (100%) diff --git a/group_vars/frigate.yml b/group_vars/frigate.yml new file mode 100644 index 0000000..03177dc --- /dev/null +++ b/group_vars/frigate.yml @@ -0,0 +1,23 @@ +--- +mem_size: 4096 +num_cpus: 2 +datadisks: + - {size: 500} + +network_vip_interfaces: + - device: eth1 + vhid: 26 + ipaddr: 172.20.26.1 + netmask: 255.255.0.0 + pass: "{{ vip26_pass }}" + +zm_mysql_host: sqldb02.home.foo.sh +dhcpd_template: dhcpd.conf.cam.j2 + +firewall_in: + - {proto: tcp, port: 22, from: [172.20.20.0/22]} + - {proto: tcp, port: 443, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} +firewall_raw: + - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" + - "-A INPUT -i eth1 -p vrrp -j ACCEPT" diff --git a/host_vars/frigate02.home.foo.sh.yml b/host_vars/frigate02.home.foo.sh.yml new file mode 100644 index 0000000..cc597b3 --- /dev/null +++ b/host_vars/frigate02.home.foo.sh.yml @@ -0,0 +1,13 @@ +--- +vmhost: vmhost02.home.foo.sh +network_interfaces: + - device: eth0 + vlan: 20 + mac: "52:54:00:ac:dc:8c" + nameservers: [] + - device: eth1 + vlan: 26 + ipaddr: 172.20.26.3 + netmask: 255.255.255.0 + proto: static + nameservers: [172.20.26.1, 172.20.26.3] diff --git a/hosts.yml b/hosts.yml index 5931786..2317395 100644 --- a/hosts.yml +++ b/hosts.yml 
@@ -13,6 +13,9 @@ dnagw: hosts: dna-gw01.home.foo.sh: dna-gw02.home.foo.sh: +frigate: + hosts: + frigate02.home.foo.sh: fsolgw: hosts: fsol-gw01.home.foo.sh: @@ -144,6 +147,7 @@ openbsd: rocky8: children: collab: + frigate: homeassistant: mail: minecraft: diff --git a/playbooks/frigate.yml b/playbooks/frigate.yml new file mode 100644 index 0000000..9da0eb3 --- /dev/null +++ b/playbooks/frigate.yml 
@@ -0,0 +1,82 @@
+---
+- name: Deploy KVM virtual machines
+ ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
+ vars:
+ myhosts: frigate
+
+- name: Configure instance
+ hosts: frigate
+ user: root
+ gather_facts: true
+
+ vars_files:
+ - "{{ ansible_private }}/vars.yml"
+
+ pre_tasks:
+ - name: Mount /export
+ ansible.posix.mount:
+ name: /export
+ src: LABEL=/export
+ fstype: xfs
+ opts: noatime,noexec,nosuid,nodev
+ passno: "0"
+ dump: "0"
+ state: mounted
+
+ roles:
+ - base
+ - mod_auth_gssapi
+ - role: keytab
+ keytab_path: /etc/httpd/httpd.keytab
+ keytab_principals: HTTP/cctv.foo.sh@FOO.SH
+ keytab_group: apache
+
+ tasks:
+ - name: Run handlers to get interfaces configured
+ ansible.builtin.meta: flush_handlers
+
+ - name: Copy DNS zone files
+ ansible.builtin.copy:
+ dest: "/var/lib/unbound/{{ item }}"
+ src: "/srv/dns/{{ item }}"
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ tags: dns
+ notify: Restart unbound
+ with_items:
+ - 26.20.172.in-addr.arpa
+ - cam.foo.sh
+
+ - name: Include unbound role
+ ansible.builtin.import_role:
+ name: unbound
+
+ - name: Include dhcpd role
+ ansible.builtin.include_role:
+ name: dhcpd
+
+ - name: Include frigate role
+ ansible.builtin.include_role:
+ name: frigate
+
+ - name: Require authentication for frigate
+ ansible.builtin.copy:
+ dest: /etc/httpd/conf.local.d/frigate-auth.conf
+ content: |
+
+ AuthType GSSAPI
+ GssapiBasicAuth On
+ AuthName "Password Required"
+ Require valid-user
+
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart apache
+
+ - name: Enable NTP server for cam network
+ ansible.builtin.lineinfile:
+ path: /etc/chrony.conf
+ regexp: "^#?allow .*"
+ line: "allow 172.20.26.0/24"
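Review bot: `Require valid-user` in the "Require authentication for frigate" task admits every principal in FOO.SH to the camera UI, and the change from the old zm playbook's `GssapiBasicAuth Off` to `On` additionally accepts a plain password via Basic auth that mod_auth_gssapi turns into a ticket server-side; if only some accounts should see the cameras, narrow it to `Require user <USER-PLACEHOLDER>` (or a group-based `Require`), and make sure the Basic fallback is reachable only through the TLS proxy (proxy.yml points cctv.foo.sh at https://frigate02.home.foo.sh/frigate/). The `content:` block seems to have lost its enclosing `<Location>` lines when this page was extracted, so the scope of the directives cannot be confirmed from here. The `with_items:` in "Copy DNS zone files" could be `loop:` to match current Ansible style, but that is cosmetic.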
diff --git a/roles/unbound/templates/unbound.conf.zm02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 similarity index 100% rename from roles/unbound/templates/unbound.conf.zm02.home.foo.sh.j2 rename to roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 From 2da1995a73063229af3822aa09bc152f09f58b57 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 4 Feb 2024 17:07:55 +0000 Subject: [PATCH 130/713] Remove zm web site and add cctv --- playbooks/proxy.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index a0653cb..d01e85c 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -37,6 +37,9 @@ - role: nginx_site nginx_site_name: bitbucket.foo.sh nginx_site_redirect: https://bitbucket.org/tmakinen/ + - role: nginx_site + nginx_site_name: cctv.foo.sh + nginx_site_proxy: https://frigate02.home.foo.sh/frigate/ - role: nginx_site nginx_site_name: certbot.home.foo.sh nginx_site_proxy: https://certbot.home.foo.sh/ @@ -74,9 +77,6 @@ - role: nginx_site nginx_site_name: iot.foo.sh nginx_site_redirect: https://www.foo.sh/ - - role: nginx_site - nginx_site_name: munin.foo.sh - nginx_site_proxy: https://munin01.home.foo.sh/ - role: nginx_site nginx_site_name: mirrors.foo.sh nginx_site_proxy: https://mirror01.home.foo.sh/ @@ -109,6 +109,3 @@ nginx_site_name: wpad.foo.sh - role: nginx_site nginx_site_name: www.foo.sh - - role: nginx_site - nginx_site_name: zm.foo.sh - nginx_site_proxy: https://zm02.home.foo.sh/ From 04ff09e3bf3aa59340930ce256291fbe2c54236c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 4 Feb 2024 17:08:23 +0000 Subject: [PATCH 131/713] pf: Fix changed ip address --- roles/pf/files/pf.conf.gw_home | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/files/pf.conf.gw_home index 9dd3095..42dbe63 100644 --- a/roles/pf/files/pf.conf.gw_home +++ b/roles/pf/files/pf.conf.gw_home 
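Review bot: The second proxy.yml hunk drops the `munin.foo.sh` nginx_site entry although the subject only mentions replacing the zm site with cctv; if munin01.home.foo.sh really has been retired this deserves its own commit or at least a line in the message, otherwise the public munin site disappears silently with this change. The new cctv.foo.sh entry proxies to `https://frigate02.home.foo.sh/frigate/`, which is presumably the apache vhost that enforces the GSSAPI login rather than the container port bound to 127.0.0.1:8007, so the authentication layer is not bypassed.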
@@ -43,7 +43,7 @@ antispoof for vio1 pass in quick on $int_if proto tcp from $int_net to self port ssh pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh -pass in quick on $ext_if proto tcp from 81.175.155.142/32 to self port ssh +pass in quick on $ext_if proto tcp from 89.166.9.218/32 to self port ssh # node_exporter from internal network pass in quick on $int_if proto tcp from $int_net to self port 9100 From 8242f1112501fb5487bd3553d261282ea3fffa66 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 4 Feb 2024 17:09:07 +0000 Subject: [PATCH 132/713] Sync site.yml --- site.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site.yml b/site.yml index ce2ad46..a231b55 100644 --- a/site.yml +++ b/site.yml @@ -7,6 +7,8 @@ ansible.builtin.import_playbook: playbooks/collab.yml - name: Configure dna-gw hosts ansible.builtin.import_playbook: playbooks/dna-gw.yml +- name: Configure frigate hosts + ansible.builtin.import_playbook: playbooks/frigate.yml - name: Configure fsol-gw hosts ansible.builtin.import_playbook: playbooks/fsol-gw.yml - name: Configure gitea-runner hosts @@ -57,5 +59,3 @@ ansible.builtin.import_playbook: playbooks/static.yml - name: Configure vmhost hosts ansible.builtin.import_playbook: playbooks/vmhost.yml -- name: Configure zm hosts - ansible.builtin.import_playbook: playbooks/zm.yml From e1604ce1933f60daec18e284d1e8c1ce63aa3b56 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 9 Feb 2024 12:12:01 +0000 Subject: [PATCH 133/713] frigate: Add USB Coral detector --- host_vars/frigate02.home.foo.sh.yml | 2 ++ roles/frigate/files/99-frigate.rules | 1 + roles/frigate/tasks/main.yml | 14 ++++++++++++++ .../frigate/templates/frigate-container.service.j2 | 1 + roles/frigate/templates/frigate.yml.j2 | 5 +++++ 5 files changed, 23 insertions(+) create mode 100644 roles/frigate/files/99-frigate.rules 
diff --git a/host_vars/frigate02.home.foo.sh.yml b/host_vars/frigate02.home.foo.sh.yml
index cc597b3..0705564 100644
--- a/host_vars/frigate02.home.foo.sh.yml
+++ b/host_vars/frigate02.home.foo.sh.yml
@@ -11,3 +11,5 @@ network_interfaces:
netmask: 255.255.255.0
proto: static
nameservers: [172.20.26.1, 172.20.26.3]
+virt_install_devices:
+ - 004.003
diff --git a/roles/frigate/files/99-frigate.rules b/roles/frigate/files/99-frigate.rules
new file mode 100644
index 0000000..f22efc5
--- /dev/null
+++ b/roles/frigate/files/99-frigate.rules
@@ -0,0 +1 @@
+SUBSYSTEM=="tty", ATTRS{idVendor}=="1a6e", ATTRS{idProduct}=="089a", MODE="0660", GROUP="frigate"
diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml
index 5a13994..a5a4439 100644
--- a/roles/frigate/tasks/main.yml
+++ b/roles/frigate/tasks/main.yml
@@ -10,6 +10,20 @@
group: frigate
shell: /sbin/nologin
+- name: Allow podman to use devices
+ ansible.posix.seboolean:
+ name: container_use_devices
+ state: true
+ persistent: true
+
+- name: Allow frigate to connect specific devices
+ ansible.builtin.copy:
+ dest: /etc/udev/rules.d/99-frigate.rules
+ src: 99-frigate.rules
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: Create config
+ ansible.builtin.template:
+ dest: /etc/frigate.yml
diff --git a/roles/frigate/templates/frigate-container.service.j2 b/roles/frigate/templates/frigate-container.service.j2
index 186d955..edb295e 100644
--- a/roles/frigate/templates/frigate-container.service.j2
+++ b/roles/frigate/templates/frigate-container.service.j2
@@ -11,6 +11,7 @@ ExecStart=/usr/bin/podman run \
--volume /srv/frigate/config:/config:rw \
--volume /etc/frigate.yml:/config/config.yml:ro \
--volume /srv/frigate/media:/media/frigate:rw \
+ --volume /dev/bus/usb:/dev/bus/usb:rw \
ghcr.io/blakeblackshear/frigate:{{ frigate_version }}
ExecStop=/usr/bin/podman stop --ignore frigate
ExecStopPost=/usr/bin/podman rm -f --ignore frigate
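Review bot: `- 004.003` under `virt_install_devices:` is an unquoted scalar that both YAML 1.1 and 1.2 parsers read as the float 4.003, so the leading zeros of the USB bus.device address are gone before the deploy-kvm-guest include ever sees the value; write it as `- "004.003"` (the next commit's `- 004.004` and the older `- 001.005` in other host_vars have the same problem). If the consumer re-pads the number with zeros this is harmless today, but quoting removes the dependency on that detail.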
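Review bot: `--volume /dev/bus/usb:/dev/bus/usb:rw` in the frigate-container.service.j2 hunk exposes every USB device on the guest to the container rather than only the Coral; on this VM the exposure is bounded by what `virt_install_devices` passes through, but a `--device /dev/bus/usb/<BUS>/<DEV>` mapping would be the least-privilege form. The Coral appears to re-enumerate under a different vendor/product id once its firmware is loaded (the next commit's udev rules list both ids), which is presumably why the whole bus is mounted; a comment in the template saying so, e.g. `{# whole bus mounted: the Coral changes id/address after firmware load #}`, would save the next reader the investigation.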
diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2 index aa283f6..d04353b 100644 --- a/roles/frigate/templates/frigate.yml.j2 +++ b/roles/frigate/templates/frigate.yml.j2 @@ -2,6 +2,11 @@ mqtt: enabled: false +detectors: + coral: + type: edgetpu + device: usb + cameras: {% for camera in cctv_cameras %} {{ camera.name }}: From 470010aa0ab88aba998d35568fa1032b07de68b3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 9 Feb 2024 16:37:38 +0000 Subject: [PATCH 134/713] udev: Add dummy role to support reloading rules --- roles/udev/handlers/main.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 roles/udev/handlers/main.yml diff --git a/roles/udev/handlers/main.yml b/roles/udev/handlers/main.yml new file mode 100644 index 0000000..46fb293 --- /dev/null +++ b/roles/udev/handlers/main.yml @@ -0,0 +1,14 @@ +--- +- name: Reload udev rules + ansible.builtin.command: + argv: + - udevadm + - control + - --reload-rules + notify: Trigger udev rules + +- name: Trigger udev rules + ansible.builtin.command: + argv: + - udevadm + - trigger From c91568cd7e782d1e6493eba8aee3f4bb51b494ce Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 9 Feb 2024 16:38:34 +0000 Subject: [PATCH 135/713] frigate: Fix using Coral devices for detection --- host_vars/frigate02.home.foo.sh.yml | 2 +- roles/frigate/files/99-frigate.rules | 3 ++- roles/frigate/meta/main.yml | 1 + roles/frigate/tasks/main.yml | 1 + 4 files changed, 5 insertions(+), 2 deletions(-) diff --git a/host_vars/frigate02.home.foo.sh.yml b/host_vars/frigate02.home.foo.sh.yml index 0705564..f8de6b1 100644 --- a/host_vars/frigate02.home.foo.sh.yml +++ b/host_vars/frigate02.home.foo.sh.yml @@ -12,4 +12,4 @@ network_interfaces: proto: static nameservers: [172.20.26.1, 172.20.26.3] virt_install_devices: - - 004.003 + - 004.004 diff --git a/roles/frigate/files/99-frigate.rules b/roles/frigate/files/99-frigate.rules index f22efc5..9d5516e 100644 
--- a/roles/frigate/files/99-frigate.rules +++ b/roles/frigate/files/99-frigate.rules @@ -1 +1,2 @@ -SUBSYSTEM=="tty", ATTRS{idVendor}=="1a6e", ATTRS{idProduct}=="089a", MODE="0660", GROUP="frigate" +SUBSYSTEM=="usb", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="9302", MODE="0660", GROUP="frigate" +SUBSYSTEM=="usb", ATTRS{idVendor}=="1a6e", ATTRS{idProduct}=="089a", MODE="0660", GROUP="frigate" diff --git a/roles/frigate/meta/main.yml b/roles/frigate/meta/main.yml index 19b52d0..9699a03 100644 --- a/roles/frigate/meta/main.yml +++ b/roles/frigate/meta/main.yml @@ -2,3 +2,4 @@ dependencies: - {role: apache} - {role: podman} + - {role: udev} diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml index a5a4439..acc781e 100644 --- a/roles/frigate/tasks/main.yml +++ b/roles/frigate/tasks/main.yml @@ -23,6 +23,7 @@ mode: "0644" owner: root group: "{{ ansible_wheel }}" + notify: Reload udev rules - name: Create config ansible.builtin.template: From 2eb65f713f4c6378b5c205fb7e94f707132590eb Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 10 Feb 2024 17:34:31 +0000 Subject: [PATCH 136/713] routeros_firmware: Initial version of role --- playbooks/nms.yml | 1 + .../files/download-routeros-firmware.sh | 40 +++++++++++++++++++ roles/routeros_firmware/tasks/main.yml | 39 ++++++++++++++++++ 3 files changed, 80 insertions(+) create mode 100644 roles/routeros_firmware/files/download-routeros-firmware.sh create mode 100644 roles/routeros_firmware/tasks/main.yml diff --git a/playbooks/nms.yml b/playbooks/nms.yml index e20f3e3..7979440 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -31,6 +31,7 @@ - sssd - mkhomedir - tftp + - routeros_firmware tasks: - name: Enable UDP rsyslog server diff --git a/roles/routeros_firmware/files/download-routeros-firmware.sh b/roles/routeros_firmware/files/download-routeros-firmware.sh new file mode 100644 index 0000000..4347526 --- /dev/null +++ b/roles/routeros_firmware/files/download-routeros-firmware.sh 
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -eu
+
+umask 022
+
+cd /srv/web/oob.foo.sh/routeros
+
+verbose=false
+if [ "${1:-}" = "-v" ]; then
+ verbose=true
+ shift
+fi
+
+if [ $# -gt 0 ]; then
+ echo "Usage: $(basename "$0") [-v]" 1>&2
+ exit 1
+fi
+
+packageurl="$(curl -sSf "https://mikrotik.com/download" | \
+ sed -n 's/.*.*/\1/p')"
+packagename="$(basename "$packageurl")"
+if [ -f "$packagename" ]; then
+ "$verbose" && echo "Already up to date"
+ exit 0
+fi
+
+checksum="$(curl -sSf "https://mikrotik.com/download" | \
+ sed -n 's/.*routeros-[0-9\.]*-arm\.npk<\/td>.*SHA256<\/td>\(.*\)<\/td>.*/\1/p')"
+
+echo "Downloading new package '${packagename}'"
+trap 'rm -f -- "${packagename}.tmp"' EXIT
+curl -sSf -o "${packagename}.tmp" "$packageurl"
+
+if [ "$(sha256sum "${packagename}.tmp" | cut -d " " -f 1)" != "$checksum" ]; then
+ echo "ERR: Checksum check failed, not saving package" 1>&2
+ exit 1
+fi
+
+mv "${packagename}.tmp" "$packagename"
diff --git a/roles/routeros_firmware/tasks/main.yml b/roles/routeros_firmware/tasks/main.yml
new file mode 100644
index 0000000..a9fbc97
--- /dev/null
+++ b/roles/routeros_firmware/tasks/main.yml
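Review bot: Neither `packageurl` nor `checksum` scraped from https://mikrotik.com/download is checked for being non-empty: an empty checksum fails closed at the `sha256sum` comparison, but an empty URL only surfaces as an opaque curl failure through `set -e`, so add `[ -n "$packageurl" ] || { echo "ERR: Could not find package URL" 1>&2; exit 1; }` after the first sed and the same guard for `$checksum` before the download. Both the download URL and the expected SHA256 come from the same page over the same TLS session, so the check protects against a corrupt or substituted download, not against a compromised download page; that is fine as long as it is understood. The first expression `sed -n 's/.*.*/\1/p'` has no capture group for `\1`, which looks like the `<a href=...>` pattern was lost when this page was extracted rather than a bug in the script, but it is worth confirming against the repository. The page is also fetched twice; storing one `curl` result in a variable would feed both sed calls.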
@@ -0,0 +1,39 @@
+---
+- name: Create download directory
+ ansible.builtin.file:
+ path: /srv/web/oob.foo.sh/routeros
+ state: directory
+ mode: 0755
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: Install README.md
+ ansible.builtin.copy:
+ dest: /srv/web/oob.foo.sh/routeros/README.md
+ content: |
+ ## Update
+
+ ```
+ /system package update print
+ /tool fetch url=https://oob.foo.sh/routeros/routeros-7.13.4-arm.npk
+ /system reboot
+ /system package update print
+ ```
+ mode: 0644
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: Install download script
+ ansible.builtin.copy:
+ dest: /usr/local/bin/download-routeros-firmware
+ src: download-routeros-firmware.sh
+ mode: 0755
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: Install cron job
+ ansible.builtin.cron:
+ name: download-routeros-firmware
+ job: /usr/local/bin/download-routeros-firmware
+ hour: "05"
+ minute: "25"
From 11c8da0558158693a347b134bc5435cdda08cd7a Mon Sep 17 00:00:00 2001
From: Timo Makinen Date: Sat, 10 Feb 2024 18:59:48 +0000 Subject: [PATCH 137/713] node_exporter: More restrictive tls configuration --- roles/node_exporter/templates/web-config.yml.j2 | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/roles/node_exporter/templates/web-config.yml.j2 b/roles/node_exporter/templates/web-config.yml.j2
index 01c911f..edc7ca3 100644
--- a/roles/node_exporter/templates/web-config.yml.j2
+++ b/roles/node_exporter/templates/web-config.yml.j2
@@ -4,3 +4,9 @@ tls_server_config:
cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt
client_ca_file: {{ tls_certs }}/ca.crt
client_auth_type: RequireAndVerifyClientCert
+ client_allowed_sans:
+ - prometheus01.home.foo.sh
+ - prometheus02.home.foo.sh
+ - prometheus03.home.foo.sh
+ - prometheus04.home.foo.sh
+ min_version: TLS13
From 47ee78221f650db0a3fcdea6a1c96b9898f1d00f Mon Sep 17 00:00:00 2001
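Review bot: `mode: 0755` and `mode: 0644` in the three file tasks are unquoted, unlike `mode: "0644"` everywhere else in this series; PyYAML reads `0644` as the octal integer 420, which Ansible accepts, but ansible-lint flags it and a typo such as `644` would silently become decimal 644, so write `mode: "0755"` and `mode: "0644"`. The README content hard-codes `routeros-7.13.4-arm.npk` while the cron job keeps downloading newer packages, so the documented fetch URL goes stale on the first update; describe the file-name pattern instead, or let the script refresh the README. The cron entry has no `user:`, so the downloader runs as root to write into the web root; a dedicated unprivileged owner of /srv/web/oob.foo.sh/routeros would be the least-privilege form.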
From: Timo Makinen Date: Sat, 10 Feb 2024 19:21:05 +0000 Subject: [PATCH 138/713] node_exporter: Remove allowed sans option Some of our node_exporter versions are too old and don't support allowed sans option. --- roles/node_exporter/templates/web-config.yml.j2 | 5 ----- 1 file changed, 5 deletions(-) diff --git a/roles/node_exporter/templates/web-config.yml.j2 b/roles/node_exporter/templates/web-config.yml.j2 index edc7ca3..07cdaf3 100644 --- a/roles/node_exporter/templates/web-config.yml.j2 +++ b/roles/node_exporter/templates/web-config.yml.j2 @@ -4,9 +4,4 @@ tls_server_config: cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt client_ca_file: {{ tls_certs }}/ca.crt client_auth_type: RequireAndVerifyClientCert - client_allowed_sans: - - prometheus01.home.foo.sh - - prometheus02.home.foo.sh - - prometheus03.home.foo.sh - - prometheus04.home.foo.sh min_version: TLS13 From 8a7159c0c4d33227b63f66fae421bd972d91ce26 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 10 Feb 2024 21:55:24 +0000 Subject: [PATCH 139/713] snmp_exporter: Initial version of role --- roles/snmp_exporter/defaults/main.yml | 2 + .../snmp_exporter/files/snmp_exporter.service | 14 +++ roles/snmp_exporter/handlers/main.yml | 6 ++ roles/snmp_exporter/tasks/main.yml | 100 ++++++++++++++++++ .../snmp_exporter/templates/web-config.yml.j2 | 12 +++ 5 files changed, 134 insertions(+) create mode 100644 roles/snmp_exporter/defaults/main.yml create mode 100644 roles/snmp_exporter/files/snmp_exporter.service create mode 100644 roles/snmp_exporter/handlers/main.yml create mode 100644 roles/snmp_exporter/tasks/main.yml create mode 100644 roles/snmp_exporter/templates/web-config.yml.j2 diff --git a/roles/snmp_exporter/defaults/main.yml b/roles/snmp_exporter/defaults/main.yml new file mode 100644 index 0000000..de468b0 --- /dev/null +++ b/roles/snmp_exporter/defaults/main.yml @@ -0,0 +1,2 @@ +--- +snmp_exporter_pkg: "snmp_exporter-{{ snmp_exporter_version }}.linux-amd64" 
diff --git a/roles/snmp_exporter/files/snmp_exporter.service b/roles/snmp_exporter/files/snmp_exporter.service
new file mode 100644
index 0000000..f96318e
--- /dev/null
+++ b/roles/snmp_exporter/files/snmp_exporter.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Prometheus SNMP Exporter
+After=syslog.target
+After=network.target
+
+[Service]
+Type=simple
+User=snmp
+Group=snmp
+ExecStart=/usr/local/bin/snmp_exporter --config.file=/etc/snmp_exporter/snmp.yml --web.config.file=/etc/snmp_exporter/web-config.yml
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/snmp_exporter/handlers/main.yml b/roles/snmp_exporter/handlers/main.yml
new file mode 100644
index 0000000..13fdec5
--- /dev/null
+++ b/roles/snmp_exporter/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart snmp_exporter
+ ansible.builtin.systemd:
+ name: snmp_exporter
+ daemon_reload: true
+ state: restarted
diff --git a/roles/snmp_exporter/tasks/main.yml b/roles/snmp_exporter/tasks/main.yml
new file mode 100644
index 0000000..e3a6e9f
--- /dev/null
+++ b/roles/snmp_exporter/tasks/main.yml
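Review bot: `After=syslog.target` in snmp_exporter.service refers to a target that systemd removed years ago, so the line is a no-op and can be dropped, leaving `After=network.target`. Since the service runs as the dedicated `snmp` user and only reads /etc/snmp_exporter and the TLS files the role installs, it is a good candidate for the usual hardening lines, e.g. `NoNewPrivileges=true`, `ProtectSystem=strict` and `ProtectHome=true`, which should not interfere with a read-only workload. `Restart=always` without `RestartSec=` restarts in a tight loop on a bad config; `RestartSec=5` is cheap.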
@@ -0,0 +1,100 @@
+---
+- name: Create group
+ ansible.builtin.group:
+ name: snmp
+
+- name: Create user
+ ansible.builtin.user:
+ name: snmp
+ comment: Prometheus SNMP Exporter
+ group: snmp
+ create_home: false
+ home: /var/empty
+ shell: /sbin/nologin
+
+- name: Download package
+ ansible.builtin.get_url:
+ url: "https://github.com/prometheus/snmp_exporter/releases/download/v{{ snmp_exporter_version }}/{{ snmp_exporter_pkg }}.tar.gz"
+ dest: "/usr/local/src/{{ snmp_exporter_pkg }}.tar.gz"
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: Extract package
+ ansible.builtin.unarchive:
+ src: "/usr/local/src/{{ snmp_exporter_pkg }}.tar.gz"
+ dest: /usr/local/src
+ owner: root
+ group: "{{ ansible_wheel }}"
+ creates: "/usr/local/src/{{ snmp_exporter_pkg }}"
+ remote_src: true
+
+- name: Copy binary
+ ansible.builtin.copy:
+ dest: /usr/local/bin/snmp_exporter
+ src: "/usr/local/src/{{ snmp_exporter_pkg }}/snmp_exporter"
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ remote_src: true
+ notify: Restart snmp_exporter
+
+- name: Create config directory
+ ansible.builtin.file:
+ path: /etc/snmp_exporter
+ state: directory
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: Copy TLS private key
+ ansible.builtin.copy:
+ src: "/srv/ca/private/nms.home.foo.sh.key"
+ dest: "{{ tls_private }}/nms.home.foo.sh.key"
+ mode: "0640"
+ owner: root
+ group: snmp
+ notify: Restart snmp_exporter
+
+- name: Copy TLS certificate
+ ansible.builtin.copy:
+ src: "/srv/ca/certs/hosts/nms.home.foo.sh.crt"
+ dest: "{{ tls_certs }}/nms.home.foo.sh.crt"
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart snmp_exporter
+
+- name: Create web-config
+ ansible.builtin.template:
+ dest: /etc/snmp_exporter/web-config.yml
+ src: web-config.yml.j2
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart snmp_exporter
+
+- name: Copy config
+ ansible.builtin.copy:
+ src: "/usr/local/src/{{ snmp_exporter_pkg }}/snmp.yml"
+ dest: /etc/snmp_exporter/snmp.yml
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ remote_src: true
+ notify: Restart snmp_exporter
+
+- name: Create service file
+ ansible.builtin.copy:
+ dest: /etc/systemd/system/snmp_exporter.service
+ src: snmp_exporter.service
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart snmp_exporter
+
+- name: Enable service
+ ansible.builtin.service:
+ name: snmp_exporter
+ state: started
+ enabled: true
diff --git a/roles/snmp_exporter/templates/web-config.yml.j2 b/roles/snmp_exporter/templates/web-config.yml.j2
new file mode 100644
index 0000000..b88b84e
--- /dev/null
+++ b/roles/snmp_exporter/templates/web-config.yml.j2
@@ -0,0 +1,12 @@
+---
+tls_server_config:
+ key_file: {{ tls_private }}/nms.home.foo.sh.key
+ cert_file: {{ tls_certs }}/nms.home.foo.sh.crt
+ client_ca_file: {{ tls_certs }}/ca.crt
+ client_auth_type: RequireAndVerifyClientCert
+ client_allowed_sans:
+ - prometheus01.home.foo.sh
+ - prometheus02.home.foo.sh
+ - prometheus03.home.foo.sh
+ - prometheus04.home.foo.sh
+ min_version: TLS13
From c826d36d0d87b4dfab24dcbe56eb2bf2a3a4e5da Mon Sep 17 00:00:00 2001
From: Timo Makinen Date: Sat, 10 Feb 2024 21:57:36 +0000 Subject: [PATCH 140/713] Add snmp_exporter to nms hosts --- group_vars/nms.yml | 6 ++++++ playbooks/nms.yml | 1 + 2 files changed, 7 insertions(+)
diff --git a/group_vars/nms.yml b/group_vars/nms.yml
index 3ebd807..42b35f2 100644
--- a/group_vars/nms.yml
+++ b/group_vars/nms.yml
@@ -3,6 +3,11 @@ datadisks:
- {size: 10, type: nvme}
network_vip_interfaces:
+ - device: eth0
+ vhid: 11
+ ipaddr: 172.20.20.11
+ netmask: 255.255.240.0
+ pass: "{{ vip11_pass }}"
- device: eth1
+ vhid: 25
+ ipaddr: 172.20.25.1
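Review bot: The "Download package" task fetches the release tarball from GitHub with `ansible.builtin.get_url` and the binary is then installed to /usr/local/bin and started as a network service without any integrity check, so a substituted release asset would run as the `snmp` user on every nms host; add `checksum: "sha256:<SHA256-PLACEHOLDER-FOR-v0.25.0>"` to the task, taking the value from the sha256sums.txt that prometheus publishes with each release, and bump it together with `snmp_exporter_version`. The "Copy TLS private key" task keeps the key `0640` root:snmp, and `client_auth_type: RequireAndVerifyClientCert` plus `client_allowed_sans` in the web-config limits scrapes to the four prometheus hosts, which is the right shape for an exporter opened on 9116. `client_allowed_sans` was just removed from node_exporter because older builds reject it, so confirm that the exporter-toolkit in snmp_exporter 0.25.0 accepts it before rolling this out.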
@@ -20,6 +25,7 @@ firewall_in: - {proto: tcp, port: 443, from: [172.20.25.0/24]} - {proto: udp, port: 514, from: [172.20.25.0/24]} - {proto: tcp, port: 9100, from: [172.20.20.0/22]} + - {proto: tcp, port: 9116, from: [172.20.20.0/22]} firewall_raw: - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - "-A INPUT -i eth1 -p vrrp -j ACCEPT" diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 7979440..9aa9d4b 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -32,6 +32,7 @@ - mkhomedir - tftp - routeros_firmware + - snmp_exporter tasks: - name: Enable UDP rsyslog server From d88de75b883c588833b9c2d84b09be7ec0d58d9a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 10 Feb 2024 21:57:55 +0000 Subject: [PATCH 141/713] Set snmp_exporter version --- hosts.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts.yml b/hosts.yml index 2317395..8fb7bd0 100644 --- a/hosts.yml +++ b/hosts.yml @@ -75,6 +75,8 @@ nms: hosts: nms01.home.foo.sh: nms02.home.foo.sh: + vars: + snmp_exporter_version: "0.25.0" ns: hosts: ns01.home.foo.sh: From 4e5fb25a7a3b450eb4c41a28e44de07a593efde3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 11 Feb 2024 16:28:55 +0000 Subject: [PATCH 142/713] Exclude unused architectures from epel mirror --- playbooks/mirror.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/playbooks/mirror.yml b/playbooks/mirror.yml index 7559dd7..ea6ed1f 100644 --- a/playbooks/mirror.yml +++ b/playbooks/mirror.yml @@ -37,8 +37,11 @@ mirror_source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/fedora.redhat.com/pub/epel" mirror_rsyncoptions: - - "--exclude=SRPMS" - "--exclude=debug" + - "--exclude=testing" + - "--exclude=ppc64le" + - "--exclude=s390x" + - "--exclude=source" - "--delete-excluded" mirror_postcmd: python3 /usr/local/bin/report_mirror - role: mirror/sync From cdc505274d8c66a9c4f6a03aff0e52b1e4ebca0d Mon Sep 17 00:00:00 2001 
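Review bot: The mirror.yml hunk drops `--exclude=SRPMS` while adding `--exclude=source`; EPEL 7 publishes its source packages under `SRPMS` and the newer releases under `source`, so if the EPEL 7 tree is still part of this sync its SRPMS start being mirrored even though the subject says unused content is being excluded. If dropping the SRPMS exclude was deliberate, say so in the message; otherwise keep both lines. With `--delete-excluded` still set, the first run after this change also deletes the ppc64le, s390x and testing trees already on disk, which is presumably the intent but worth knowing before it runs.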
From: Timo Makinen Date: Tue, 13 Feb 2024 16:38:28 +0000 Subject: [PATCH 143/713] zoneminder: Remove deprecated role --- roles/zoneminder/defaults/main.yml | 4 - roles/zoneminder/handlers/main.yml | 5 -- roles/zoneminder/meta/main.yml | 4 - roles/zoneminder/tasks/main.yml | 129 ----------------------------- roles/zoneminder/templates/zm.conf | 13 --- 5 files changed, 155 deletions(-) delete mode 100644 roles/zoneminder/defaults/main.yml delete mode 100644 roles/zoneminder/handlers/main.yml delete mode 100644 roles/zoneminder/meta/main.yml delete mode 100644 roles/zoneminder/tasks/main.yml delete mode 100644 roles/zoneminder/templates/zm.conf diff --git a/roles/zoneminder/defaults/main.yml b/roles/zoneminder/defaults/main.yml deleted file mode 100644 index a4bf72a..0000000 --- a/roles/zoneminder/defaults/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -zm_mysql_host: localhost -zm_mysql_db: zm -zm_mysql_user: zmuser diff --git a/roles/zoneminder/handlers/main.yml b/roles/zoneminder/handlers/main.yml deleted file mode 100644 index d34c003..0000000 --- a/roles/zoneminder/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Restart zoneminder - ansible.builtin.service: - name: zoneminder - state: restarted diff --git a/roles/zoneminder/meta/main.yml b/roles/zoneminder/meta/main.yml deleted file mode 100644 index 39b2859..0000000 --- a/roles/zoneminder/meta/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -dependencies: - - {role: apache} - - {role: rpmfusion_free_repo} diff --git a/roles/zoneminder/tasks/main.yml b/roles/zoneminder/tasks/main.yml deleted file mode 100644 index c8de160..0000000 --- a/roles/zoneminder/tasks/main.yml +++ /dev/null 
@@ -1,129 +0,0 @@ ---- -- name: Fix SELinux contexts from cache directory - community.general.sefcontext: - path: "/var/cache/zoneminder(/.*)?" - setype: httpd_cache_t - -- name: Install packages - ansible.builtin.package: - name: "{{ item }}" - state: installed - with_items: - - mariadb - - zoneminder-httpd - -- name: Fix SELinux contexts from data directory - community.general.sefcontext: - path: "/export/zoneminder(/.*)?" - setype: zoneminder_var_lib_t - -- name: Create data directory - ansible.builtin.file: - path: /export/zoneminder - state: directory - mode: "0750" - owner: apache - group: apache - setype: _default - -- name: Link data directory - ansible.builtin.file: - dest: /srv/zoneminder - src: /export/zoneminder - state: link - owner: root - group: "{{ ansible_wheel }}" - follow: false - -- name: Create config - ansible.builtin.template: - dest: /etc/zm/conf.d/local.conf - src: zm.conf - mode: "0640" - owner: root - group: apache - notify: Restart zoneminder - -- name: Remove mariadb depency from unit file - ansible.builtin.shell: - cmd: >- - sed -e 's/mariadb\.service//' /lib/systemd/system/zoneminder.service - > /etc/systemd/system/zoneminder.service - creates: /etc/systemd/system/zoneminder.service - warn: false - notify: Restart zoneminder - when: zm_mysql_host != "localhost" - -- name: Allow zoneminder to read host private key - ansible.builtin.user: - name: apache - groups: hostkey - append: true - notify: Restart zoneminder - when: zm_mysql_host != "localhost" - -- name: Loosen SELinux settings - ansible.posix.seboolean: - name: "{{ item }}" - state: true - persistent: true - with_items: - - domain_can_mmap_files - - nis_enabled - -# selinux doesn't allow create this -- name: Create stub web log - ansible.builtin.file: - dest: /var/log/zoneminder/web_php.log - state: touch - mode: "0640" - owner: apache - group: apache - access_time: preserve - modification_time: preserve - -- name: Link apache config - ansible.builtin.file: - dest: 
/etc/httpd/conf.local.d/zm.conf - src: /etc/zm/www/zoneminder.httpd.conf - state: link - owner: root - group: "{{ ansible_wheel }}" - notify: Restart apache - -- name: Link apache php config - ansible.builtin.file: - dest: /etc/httpd/conf.local.d/php.conf - src: /etc/httpd/conf.d/php.conf - state: link - owner: root - group: "{{ ansible_wheel }}" - notify: Restart apache - -- name: Configure zoneminder timezone - ansible.builtin.copy: - dest: /etc/php.d/timezone.ini - content: "date.timezone=UTC\n" - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - notify: Restart apache - -# required for database updates to work -- name: Configure mysql client to use ssl - ansible.builtin.copy: - dest: /root/.my.cnf - content: | - [client] - ssl-ca={{ tls_certs }}/ca.crt - ssl-cert={{ tls_certs }}/{{ inventory_hostname }}.crt - ssl-key={{ tls_private }}/{{ inventory_hostname }}.key - mode: "0600" - owner: root - group: "{{ ansible_wheel }}" - -- name: Enable service - ansible.builtin.service: - name: zoneminder - state: started - enabled: true diff --git a/roles/zoneminder/templates/zm.conf b/roles/zoneminder/templates/zm.conf deleted file mode 100644 index 9e29854..0000000 --- a/roles/zoneminder/templates/zm.conf +++ /dev/null @@ -1,13 +0,0 @@ -# {{ ansible_managed }} - -ZM_DIR_EVENTS=/srv/zoneminder - -ZM_DB_HOST={{ zm_mysql_host }} -ZM_DB_NAME={{ zm_mysql_db}} -ZM_DB_USER={{ zm_mysql_user }} -ZM_DB_PASS={{ zm_mysql_pass }} -{% if zm_mysql_host != "localhost" %} -ZM_DB_SSL_CA_CERT={{ tls_certs }}/ca.crt -ZM_DB_SSL_CLIENT_KEY={{ tls_private }}/{{ inventory_hostname }}.key -ZM_DB_SSL_CLIENT_CERT={{ tls_certs }}/{{ inventory_hostname }}.crt -{% endif %} From 31d00d0b9d94d5ad999293759573d5f07ff6dcf9 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Tue, 13 Feb 2024 20:01:25 +0000 Subject: [PATCH 144/713] kvm_host: Move os disks to dedicated disk --- playbooks/include/deploy-kvm-guest.yml | 2 +- playbooks/vmhost.yml | 10 ++++++++++ roles/kvm_host/tasks/main.yml | 2 ++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/playbooks/include/deploy-kvm-guest.yml b/playbooks/include/deploy-kvm-guest.yml index 4bdb5d1..3b72157 100644 --- a/playbooks/include/deploy-kvm-guest.yml +++ b/playbooks/include/deploy-kvm-guest.yml @@ -9,7 +9,7 @@ char: "{{ 'bcdefghijklmnopqrstuvwxyz'|list }}" console_log: "/var/log/libvirt/qemu/{{ inventory_hostname }}.console.log" - os_disk_image: "/srv/libvirt/ssd/{{ inventory_hostname }}.a.img" + os_disk_image: "/srv/libvirt/os/{{ inventory_hostname }}.a.img" dsk_opts: bus=virtio,cache=none,device=disk,format=raw,sparse=no inject: >- diff --git a/playbooks/vmhost.yml b/playbooks/vmhost.yml index 66a3139..f01b865 100644 --- a/playbooks/vmhost.yml +++ b/playbooks/vmhost.yml @@ -26,6 +26,15 @@ passno: "0" dump: "0" state: mounted + - name: Mount /export/libvirt/os + ansible.posix.mount: + name: /export/libvirt/os + src: LABEL=os + fstype: xfs + opts: noatime,noexec,nosuid,nodev + passno: "0" + dump: "0" + state: mounted - name: Mount /export/libvirt/ssd ansible.posix.mount: name: /export/libvirt/ssd @@ -35,6 +44,7 @@ passno: "0" dump: "0" state: mounted + when: inventory_hostname == "vmhost01.home.foo.sh" roles: - base diff --git a/roles/kvm_host/tasks/main.yml b/roles/kvm_host/tasks/main.yml index 1b1748a..6ed94d4 100644 --- a/roles/kvm_host/tasks/main.yml +++ b/roles/kvm_host/tasks/main.yml @@ -35,7 +35,9 @@ with_items: - /export/libvirt - /export/libvirt/hdd + - /export/libvirt/nvme - /export/libvirt/ssd + - /export/libvirt/os - name: Link data directory ansible.builtin.file: From bf10bc5c6c64b90399c3a6fad5beef38b141adb7 Mon Sep 17 00:00:00 2001 
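Review bot: In playbooks/vmhost.yml the new `/export/libvirt/os` mount has no `when`, while the `ssd` mount directly below it is now restricted to `vmhost01.home.foo.sh`, so every host in this play must have a filesystem labelled `os` or the mount task fails the run; confirm that holds for all vmhosts, or give the new task the same kind of guard. The `noexec,nosuid,nodev` options on an image store are appropriate and match the intent of the change. `/export/libvirt/nvme` is added to the directory list in roles/kvm_host/tasks/main.yml but nothing in this commit mounts it, which may be deliberate or handled elsewhere. The `os_disk_image` path change in deploy-kvm-guest.yml affects only newly installed guests; existing images under `/srv/libvirt/ssd` are untouched by this commit.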
From: Timo Makinen Date: Tue, 13 Feb 2024 20:02:01 +0000 Subject: [PATCH 145/713] shelly_firmware: Initial version of role --- playbooks/mqtt.yml | 1 + .../files/download-shelly-firmware.sh | 26 +++++++++++++++++ roles/shelly_firmware/tasks/main.yml | 28 +++++++++++++++++++ 3 files changed, 55 insertions(+) create mode 100644 roles/shelly_firmware/files/download-shelly-firmware.sh create mode 100644 roles/shelly_firmware/tasks/main.yml diff --git a/playbooks/mqtt.yml b/playbooks/mqtt.yml index 6c92d03..5b29de0 100644 --- a/playbooks/mqtt.yml +++ b/playbooks/mqtt.yml @@ -16,3 +16,4 @@ - nginx - role: nginx_site nginx_site_name: iot.foo.sh + - shelly_firmware diff --git a/roles/shelly_firmware/files/download-shelly-firmware.sh b/roles/shelly_firmware/files/download-shelly-firmware.sh new file mode 100644 index 0000000..608b156 --- /dev/null +++ b/roles/shelly_firmware/files/download-shelly-firmware.sh @@ -0,0 +1,26 @@ +#!/bin/sh + +set -eu + +umask 022 + +cd /srv/web/iot.foo.sh/shelly + +PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" + +URL="http://archive.shelly-tools.de/" + +for _prod in $(curl -sSf "${URL}/archive.php" | jq -r '.[].type') ; do + _ver="$(curl -sSf "${URL}/archive.php?type=${_prod}" | jq -r \ + 'max_by(.version[1:] | split(".") | map(try tonumber catch 0)) .version')" + _name="$(curl -sSf "${URL}/archive.php?type=${_prod}" | jq -r \ + 'limit(1; .[].file)')" + if [ ! -f "${_prod}.${_ver}.zip" ]; then + echo "New firmware for ${_prod} (version ${_ver})" + curl -sSf -o "${_prod}.${_ver}.zip" "${URL}/version/${_ver}/${_name}" + if [ -h "$_name" ]; then + rm -f "$_name" + fi + ln -s "${_prod}.${_ver}.zip" "$_name" + fi +done diff --git a/roles/shelly_firmware/tasks/main.yml b/roles/shelly_firmware/tasks/main.yml new file mode 100644 index 0000000..2d1dd3a --- /dev/null +++ b/roles/shelly_firmware/tasks/main.yml 
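Review bot: download-shelly-firmware.sh takes `_prod`, `_ver` and `_name` straight from the remote JSON and uses them as file names for `curl -o`, `rm -f` and `ln -s` with no validation, and the archive is fetched over plain `http://`, so anyone who controls or can tamper with traffic to archive.shelly-tools.de can make the script (scheduled from cron, apparently as root per the tasks file) write, delete or symlink paths relative to the working directory and publish arbitrary firmware under iot.foo.sh. Switch the URL to `https://` and reject any value that is empty, starts with `.` or contains characters outside `[A-Za-z0-9._-]` before it is used. The zip itself is never integrity-checked either; if the archive publishes hashes, verify them before the symlink makes the file live.

```sh
URL="https://archive.shelly-tools.de/"

# Product, version and file names come from remote JSON; never let them act as paths.
safe_name() {
  case "$1" in
    ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

for _prod in $(curl -sSf "${URL}/archive.php" | jq -r '.[].type') ; do
  # … unchanged: _ver and _name lookups …
  if ! safe_name "$_prod" || ! safe_name "$_ver" || ! safe_name "$_name"; then
    echo "skipping ${_prod}: unexpected name or version from archive" >&2
    continue
  fi
  # … unchanged: download and symlink …
done
```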
@@ -0,0 +1,28 @@ +--- +- name: Install dependencies + ansible.builtin.package: + name: jq + state: installed + +- name: Create download directory + ansible.builtin.file: + path: /srv/web/iot.foo.sh/shelly + state: directory + mode: 0755 + owner: root + group: "{{ ansible_wheel }}" + +- name: Install download script + ansible.builtin.copy: + dest: /usr/local/bin/download-shelly-firmware + src: download-shelly-firmware.sh + mode: 0755 + owner: root + group: "{{ ansible_wheel }}" + +- name: Install cron job + ansible.builtin.cron: + name: download-shelly-firmware + job: /usr/local/bin/download-shelly-firmware + hour: "05" + minute: 20 From 09b2156d782c451f784fbd7e8238447169c8b868 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 13 Feb 2024 20:02:30 +0000 Subject: [PATCH 146/713] Fix Coral USB port --- host_vars/frigate02.home.foo.sh.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/host_vars/frigate02.home.foo.sh.yml b/host_vars/frigate02.home.foo.sh.yml index f8de6b1..1f47a47 100644 --- a/host_vars/frigate02.home.foo.sh.yml +++ b/host_vars/frigate02.home.foo.sh.yml @@ -12,4 +12,4 @@ network_interfaces: proto: static nameservers: [172.20.26.1, 172.20.26.3] virt_install_devices: - - 004.004 + - 004.002 From 8136e107580bc7d124d6bbf9dd1021d3eb737ce3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 13 Feb 2024 20:02:59 +0000 Subject: [PATCH 147/713] prometheus: Add snmp exporter Mostly hardcoded for now --- roles/prometheus/templates/prometheus.yml.j2 | 21 ++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2 index 546d999..e4a4956 100644 --- a/roles/prometheus/templates/prometheus.yml.j2 +++ b/roles/prometheus/templates/prometheus.yml.j2 
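Review bot: The cron task in roles/shelly_firmware/tasks/main.yml sets no `user:`, so `/usr/local/bin/download-shelly-firmware` — a script that fetches from the internet and writes into a served web root — runs as root every day; give it a dedicated unprivileged account that owns `/srv/web/iot.foo.sh/shelly` (`user: <service-user>` on the cron task and the same name as `owner:` on the directory task) so a bad download cannot touch anything else on the host. `mode: 0755` is written unquoted twice in this hunk, whereas the other tasks in this series use `mode: "0755"`; unquoted it is parsed as an octal integer and ansible-lint reports it as `risky-octal`, so quote both. `hour: "05"` is quoted while `minute: 20` is not — harmless, but pick one form.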
@@ -10,6 +10,27 @@ scrape_configs: - targets: - "127.0.0.1:9090" + - job_name: snmp + scheme: https + tls_config: + ca_file: "{{ tls_certs }}/ca.crt" + key_file: "{{ tls_private }}/{{ inventory_hostname }}.key" + cert_file: "{{ tls_certs }}/{{ inventory_hostname }}.crt" + static_configs: + - targets: + - 172.20.25.102 + metrics_path: /snmp + params: + auth: [public_v2] + module: [if_mib] + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - target_label: __address__ + replacement: nms.home.foo.sh:9116 + - job_name: node scheme: https tls_config: From 1ff48427751f7091709598e046a325ecfb66b145 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 13 Feb 2024 20:03:35 +0000 Subject: [PATCH 148/713] friage: Store recordings for 7 days --- roles/frigate/templates/frigate.yml.j2 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2 index d04353b..715272d 100644 --- a/roles/frigate/templates/frigate.yml.j2 +++ b/roles/frigate/templates/frigate.yml.j2 @@ -7,6 +7,12 @@ detectors: type: edgetpu device: usb +record: + enabled: true + retain: + days: 7 + mode: motion + cameras: {% for camera in cctv_cameras %} {{ camera.name }}: From f141ca0af95cde960272a2f38da6219e33d076ce Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 13 Feb 2024 20:03:54 +0000 Subject: [PATCH 149/713] Disable syncing logs for now --- playbooks/log.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/log.yml b/playbooks/log.yml index 13bfd5d..5ea13da 100644 --- a/playbooks/log.yml +++ b/playbooks/log.yml @@ -25,7 +25,7 @@ roles: - base - - web_logs + #- web_logs tasks: - name: Install extra packages From 7f7532ccde010c646b61f8eed4d037ea0f04e236 Mon Sep 17 00:00:00 2001 
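Review bot: The new `snmp` job in prometheus.yml.j2 uses `auth: [public_v2]`, which in snmp_exporter's stock snmp.yml is SNMPv2c with the community string `public`; the community crosses the network in clear text and is the only thing gating read access on the device, so the mTLS in the `tls_config` block protects just the Prometheus-to-exporter hop. If the target supports it, define an SNMPv3 (authPriv) auth entry in the exporter's configuration and reference that name here; at minimum use a non-default community kept in a vaulted variable rather than the shipped module name. The target `172.20.25.102` and `nms.home.foo.sh:9116` are hard-coded, as the commit message admits; a comment on the target line such as `# <device name> — TODO move to inventory` would help the next reader.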
From: Timo Makinen Date: Tue, 13 Feb 2024 21:20:31 +0000 Subject: [PATCH 150/713] homeassistant: Reload udev rules after change --- roles/homeassistant/meta/main.yml | 1 + roles/homeassistant/tasks/main.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/homeassistant/meta/main.yml b/roles/homeassistant/meta/main.yml index 305b1b2..34c289c 100644 --- a/roles/homeassistant/meta/main.yml +++ b/roles/homeassistant/meta/main.yml @@ -2,3 +2,4 @@ dependencies: - {role: nginx} - {role: podman} + - {role: udev} diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index 46fb256..4d6e1bb 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml @@ -68,6 +68,7 @@ mode: "0644" owner: root group: "{{ ansible_wheel }}" + notify: Reload udev rules - name: Create config directory ansible.builtin.file: From 1e55576ba341ccf2fe9f165bc09108070b9e55a3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 14 Feb 2024 17:40:43 +0000 Subject: [PATCH 151/713] Fix typo --- playbooks/print.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/print.yml b/playbooks/print.yml index 8bfea58..3a22ad2 100644 --- a/playbooks/print.yml +++ b/playbooks/print.yml @@ -33,7 +33,7 @@ owner: root group: "{{ ansible_wheel }}" tags: dns - notify: restart unbound + notify: Restart unbound with_items: - 24.20.172.in-addr.arpa - print.foo.sh From 58a90d692be3bfaa42652f4416693d63494688c6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 14 Feb 2024 18:47:19 +0000 Subject: [PATCH 152/713] grafana: Force ipv4 connection from proxy --- roles/grafana/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml index 8180bc4..4b59f21 100644 --- a/roles/grafana/tasks/main.yml +++ b/roles/grafana/tasks/main.yml 
@@ -66,7 +66,7 @@ content: | location /grafana/ { proxy_set_header Host noc.foo.sh; - proxy_pass http://localhost:8002/; + proxy_pass http://127.0.0.1:8002/; } mode: "0644" owner: root From bf8c5532cb24ef9d29fc11c4d9c800f3d07fe1b4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 14 Feb 2024 18:47:44 +0000 Subject: [PATCH 153/713] Fix usb device ports for homeassistant host --- host_vars/homeassistant01.home.foo.sh.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/host_vars/homeassistant01.home.foo.sh.yml b/host_vars/homeassistant01.home.foo.sh.yml index 66a2c30..f5803cf 100644 --- a/host_vars/homeassistant01.home.foo.sh.yml +++ b/host_vars/homeassistant01.home.foo.sh.yml @@ -7,6 +7,6 @@ network_interfaces: - device: eth1 vlan: 30 virt_install_devices: - - 001.004 + - 001.002 - 001.005 - 001.006 From caf6b54774b5fd554b54b1339aaf4cf18fae8ac7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 14 Feb 2024 21:03:35 +0000 Subject: [PATCH 154/713] dovecot: Require TLS 1.3 --- roles/dovecot/templates/local.conf.j2 | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/roles/dovecot/templates/local.conf.j2 b/roles/dovecot/templates/local.conf.j2 index 730072b..51ce026 100644 --- a/roles/dovecot/templates/local.conf.j2 +++ b/roles/dovecot/templates/local.conf.j2 
@@ -1,13 +1,11 @@ -# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.8&config=intermediate&openssl=1.1.1g&guideline=5.6 +# generated 2024-02-14, Mozilla Guideline v5.7, Dovecot 2.3.16, OpenSSL 1.1.1, modern configuration +# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.16&config=modern&openssl=1.1.1&guideline=5.7 ssl = required ssl_cert = <{{ tls_certs }}/{{ mail_server }}-fullchain.crt ssl_key = <{{ tls_private }}/{{ mail_server }}.key -ssl_dh = <{{ tls_certs }}/ffdhe3072.pem - -ssl_min_protocol = TLSv1.2 -ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 +ssl_min_protocol = TLSv1.3 ssl_prefer_server_ciphers = no # kerberos From e21e372dc44788b9ddd041628f542524abbef662 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 16 Feb 2024 07:57:59 +0000 Subject: [PATCH 155/713] fwupd: First version of role --- roles/fwupd/tasks/main.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 roles/fwupd/tasks/main.yml diff --git a/roles/fwupd/tasks/main.yml b/roles/fwupd/tasks/main.yml new file mode 100644 index 0000000..5e71293 --- /dev/null +++ b/roles/fwupd/tasks/main.yml @@ -0,0 +1,11 @@ +--- +- name: Install packages + ansible.builtin.package: + name: fwupd + state: installed + +- name: Enable LVFS + ansible.builtin.lineinfile: + path: /etc/fwupd/remotes.d/lvfs.conf + regexp: "^Enabled=.*" + line: "Enabled=true" From 641e66237e63294a009764ef25de0b36191d6f3c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 16 Feb 2024 07:58:18 +0000 Subject: [PATCH 156/713] Add some scanning/testing tools to adm hosts --- playbooks/adm.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index f4db906..75a6cda 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml 
@@ -47,10 +47,12 @@ - libvirt-client # kvm host client - make # generic building - mariadb # mariadb client tools + - nmap # check for open ports - nsd # check dns zone files - podman # building containers - pylint # python linting - python3-flake8 # python linting + - speedtest-cli # testing network speed - virt-install # install kvm guests - wget # still in backbone for downloads - whois # read whois data From e39fc8c9927880bc032c6d62c70981119ed3da76 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 16 Feb 2024 07:58:41 +0000 Subject: [PATCH 157/713] base: Install fwupd on physical linux hosts --- roles/base/tasks/RedHat.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml index 9f11e18..50e0397 100644 --- a/roles/base/tasks/RedHat.yml +++ b/roles/base/tasks/RedHat.yml @@ -87,6 +87,12 @@ - vim-enhanced # working vi :) - xterm # resize +- name: Install roles for physical hardware + ansible.builtin.include_role: + name: fwupd + when: + - ansible_virtualization_role == "host" + - name: Install packages for physical hardware ansible.builtin.package: name: "{{ item }}" From 31c8b7aa6a4e57cffd2c6fe8e1f7ca837a23639c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 16 Feb 2024 12:02:57 +0000 Subject: [PATCH 158/713] node_exporter: Add physical host disk monitoring --- roles/node_exporter/files/md_info.sh | 59 ++++++++ roles/node_exporter/files/smartmon.sh | 204 ++++++++++++++++++++++++++ roles/node_exporter/tasks/main.yml | 14 ++ 3 files changed, 277 insertions(+) create mode 100755 roles/node_exporter/files/md_info.sh create mode 100755 roles/node_exporter/files/smartmon.sh diff --git a/roles/node_exporter/files/md_info.sh b/roles/node_exporter/files/md_info.sh new file mode 100755 index 0000000..bf72d1b --- /dev/null +++ b/roles/node_exporter/files/md_info.sh 
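Review bot: The guard `ansible_virtualization_role == "host"` in the roles/base/tasks/RedHat.yml hunk may not select every physical machine: on bare metal with no hypervisor modules loaded, Ansible's virtualization facts can report `NA` rather than `host`, which would skip fwupd on exactly the hosts the task is meant for. Verify the fact on a non-KVM physical host (`ansible -m setup`) and, if needed, fall back to an explicit inventory group of physical hosts. The same condition is reused for the script install in roles/node_exporter/tasks/main.yml later in this series, so the same check applies there.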
@@ -0,0 +1,59 @@ +#!/usr/bin/env bash + +set -eu + +for MD_DEVICE in /dev/md/*; do + if [ -b "$MD_DEVICE" ]; then + # Subshell to avoid eval'd variables from leaking between iterations + ( + # Resolve symlink to discover device, e.g. /dev/md127 + MD_DEVICE_NUM=$(readlink -f "${MD_DEVICE}") + + # Remove /dev/ prefix + MD_DEVICE_NUM=${MD_DEVICE_NUM#/dev/} + MD_DEVICE=${MD_DEVICE#/dev/md/} + + # Query sysfs for info about md device + SYSFS_BASE="/sys/devices/virtual/block/${MD_DEVICE_NUM}/md" + MD_LAYOUT=$(cat "${SYSFS_BASE}/layout") + MD_LEVEL=$(cat "${SYSFS_BASE}/level") + MD_METADATA_VERSION=$(cat "${SYSFS_BASE}/metadata_version") + MD_NUM_RAID_DISKS=$(cat "${SYSFS_BASE}/raid_disks") + + # Remove 'raid' prefix from RAID level + MD_LEVEL=${MD_LEVEL#raid} + + # Output disk metrics + for RAID_DISK in "${SYSFS_BASE}"/rd[0-9]*; do + DISK=$(readlink -f "${RAID_DISK}/block") + DISK_DEVICE=$(basename "${DISK}") + RAID_DISK_DEVICE=$(basename "${RAID_DISK}") + RAID_DISK_INDEX=${RAID_DISK_DEVICE#rd} + RAID_DISK_STATE=$(cat "${RAID_DISK}/state") + + DISK_SET="" + # Determine disk set using logic from mdadm: https://github.com/neilbrown/mdadm/commit/2c096ebe4b + if [[ ${RAID_DISK_STATE} == "in_sync" && ${MD_LEVEL} == 10 && $((MD_LAYOUT & ~0x1ffff)) ]]; then + NEAR_COPIES=$((MD_LAYOUT & 0xff)) + FAR_COPIES=$(((MD_LAYOUT >> 8) & 0xff)) + COPIES=$((NEAR_COPIES * FAR_COPIES)) + + if [[ $((MD_NUM_RAID_DISKS % COPIES == 0)) && $((COPIES <= 26)) ]]; then + DISK_SET=$((RAID_DISK_INDEX % COPIES)) + fi + fi + + echo -n "node_md_disk_info{disk_device=\"${DISK_DEVICE}\", md_device=\"${MD_DEVICE_NUM}\"" + if [[ -n ${DISK_SET} ]]; then + SET_LETTERS=({A..Z}) + echo -n ", md_set=\"${SET_LETTERS[${DISK_SET}]}\"" + fi + echo "} 1" + done + + # Output RAID array metrics + # NOTE: Metadata version is a label rather than a separate metric because the version can be a string + echo "node_md_info{md_device=\"${MD_DEVICE_NUM}\", md_name=\"${MD_DEVICE}\", raid_level=\"${MD_LEVEL}\", 
md_metadata_version=\"${MD_METADATA_VERSION}\"} 1" + ) + fi +done diff --git a/roles/node_exporter/files/smartmon.sh b/roles/node_exporter/files/smartmon.sh new file mode 100755 index 0000000..c20a850 --- /dev/null +++ b/roles/node_exporter/files/smartmon.sh 
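Review bot: In md_info.sh the test `[[ ${RAID_DISK_STATE} == "in_sync" && ${MD_LEVEL} == 10 && $((MD_LAYOUT & ~0x1ffff)) ]]` does not do what it reads as: inside `[[ ]]` an arithmetic expansion is just a string operand, and `$((…))` always expands to a non-empty string (`0` included), so that operand is always true; the same applies to both operands of `[[ $((MD_NUM_RAID_DISKS % COPIES == 0)) && $((COPIES <= 26)) ]]`, so the `DISK_SET` logic runs for any layout. Unless that is intentional, use arithmetic tests, e.g. `(( MD_NUM_RAID_DISKS % COPIES == 0 && COPIES <= 26 ))`, and express the layout condition as `(( MD_LAYOUT & ~0x1ffff ))` with the polarity confirmed against the mdadm commit cited in the comment. With `set -e`, a `cat` of a missing sysfs attribute on a degraded array also aborts the whole script rather than skipping that disk, which may or may not be the desired behaviour for a textfile collector.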
@@ -0,0 +1,204 @@ +#!/usr/bin/env bash +# +# Script informed by the collectd monitoring script for smartmontools (using smartctl) +# by Samuel B. (c) 2012 +# source at: http://devel.dob.sk/collectd-scripts/ + +# TODO: This probably needs to be a little more complex. The raw numbers can have more +# data in them than you'd think. +# http://arstechnica.com/civis/viewtopic.php?p=22062211 + +# Formatting done via shfmt -i 2 +# https://github.com/mvdan/sh + +# Ensure predictable numeric / date formats, etc. +export LC_ALL=C + +parse_smartctl_attributes_awk="$( + cat <<'SMARTCTLAWK' +$1 ~ /^ *[0-9]+$/ && $2 ~ /^[a-zA-Z0-9_-]+$/ { + gsub(/-/, "_"); + printf "%s_value{%s,smart_id=\"%s\"} %d\n", $2, labels, $1, $4 + printf "%s_worst{%s,smart_id=\"%s\"} %d\n", $2, labels, $1, $5 + printf "%s_threshold{%s,smart_id=\"%s\"} %d\n", $2, labels, $1, $6 + printf "%s_raw_value{%s,smart_id=\"%s\"} %e\n", $2, labels, $1, $10 +} +SMARTCTLAWK +)" + +smartmon_attrs="$( + cat <<'SMARTMONATTRS' +airflow_temperature_cel +command_timeout +current_pending_sector +end_to_end_error +erase_fail_count +g_sense_error_rate +hardware_ecc_recovered +host_reads_32mib +host_reads_mib +host_writes_32mib +host_writes_mib +load_cycle_count +media_wearout_indicator +nand_writes_1gib +offline_uncorrectable +power_cycle_count +power_on_hours +program_fail_cnt_total +program_fail_count +raw_read_error_rate +reallocated_event_count +reallocated_sector_ct +reported_uncorrect +runtime_bad_block +sata_downshift_count +seek_error_rate +spin_retry_count +spin_up_time +start_stop_count +temperature_case +temperature_celsius +temperature_internal +total_lbas_read +total_lbas_written +udma_crc_error_count +unsafe_shutdown_count +unused_rsvd_blk_cnt_tot +wear_leveling_count +workld_host_reads_perc +workld_media_wear_indic +workload_minutes +SMARTMONATTRS +)" +smartmon_attrs="$(echo "${smartmon_attrs}" | xargs | tr ' ' '|')" + +parse_smartctl_attributes() { + local disk="$1" + local disk_type="$2" + local 
labels="disk=\"${disk}\",type=\"${disk_type}\"" + sed 's/^ \+//g' | + awk -v labels="${labels}" "${parse_smartctl_attributes_awk}" 2>/dev/null | + tr '[:upper:]' '[:lower:]' | + grep -E "(${smartmon_attrs})" +} + +parse_smartctl_scsi_attributes() { + local disk="$1" + local disk_type="$2" + local labels="disk=\"${disk}\",type=\"${disk_type}\"" + while read -r line; do + attr_type="$(echo "${line}" | tr '=' ':' | cut -f1 -d: | sed 's/^ \+//g' | tr ' ' '_')" + attr_value="$(echo "${line}" | tr '=' ':' | cut -f2 -d: | sed 's/^ \+//g')" + case "${attr_type}" in + number_of_hours_powered_up_) power_on="$(echo "${attr_value}" | awk '{ printf "%e\n", $1 }')" ;; + Current_Drive_Temperature) temp_cel="$(echo "${attr_value}" | cut -f1 -d' ' | awk '{ printf "%e\n", $1 }')" ;; + Blocks_sent_to_initiator_) lbas_read="$(echo "${attr_value}" | awk '{ printf "%e\n", $1 }')" ;; + Blocks_received_from_initiator_) lbas_written="$(echo "${attr_value}" | awk '{ printf "%e\n", $1 }')" ;; + Accumulated_start-stop_cycles) power_cycle="$(echo "${attr_value}" | awk '{ printf "%e\n", $1 }')" ;; + Elements_in_grown_defect_list) grown_defects="$(echo "${attr_value}" | awk '{ printf "%e\n", $1 }')" ;; + esac + done + [ -n "$power_on" ] && echo "power_on_hours_raw_value{${labels},smart_id=\"9\"} ${power_on}" + [ -n "$temp_cel" ] && echo "temperature_celsius_raw_value{${labels},smart_id=\"194\"} ${temp_cel}" + [ -n "$lbas_read" ] && echo "total_lbas_read_raw_value{${labels},smart_id=\"242\"} ${lbas_read}" + [ -n "$lbas_written" ] && echo "total_lbas_written_raw_value{${labels},smart_id=\"241\"} ${lbas_written}" + [ -n "$power_cycle" ] && echo "power_cycle_count_raw_value{${labels},smart_id=\"12\"} ${power_cycle}" + [ -n "$grown_defects" ] && echo "grown_defects_count_raw_value{${labels},smart_id=\"-1\"} ${grown_defects}" +} + +parse_smartctl_info() { + local -i smart_available=0 smart_enabled=0 smart_healthy= + local disk="$1" disk_type="$2" + local model_family='' device_model='' 
serial_number='' fw_version='' vendor='' product='' revision='' lun_id='' + while read -r line; do + info_type="$(echo "${line}" | cut -f1 -d: | tr ' ' '_')" + info_value="$(echo "${line}" | cut -f2- -d: | sed 's/^ \+//g' | sed 's/"/\\"/')" + case "${info_type}" in + Model_Family) model_family="${info_value}" ;; + Device_Model) device_model="${info_value}" ;; + Serial_Number|Serial_number) serial_number="${info_value}" ;; + Firmware_Version) fw_version="${info_value}" ;; + Vendor) vendor="${info_value}" ;; + Product) product="${info_value}" ;; + Revision) revision="${info_value}" ;; + Logical_Unit_id) lun_id="${info_value}" ;; + esac + if [[ "${info_type}" == 'SMART_support_is' ]]; then + case "${info_value:0:7}" in + Enabled) smart_available=1; smart_enabled=1 ;; + Availab) smart_available=1; smart_enabled=0 ;; + Unavail) smart_available=0; smart_enabled=0 ;; + esac + fi + if [[ "${info_type}" == 'SMART_overall-health_self-assessment_test_result' ]]; then + case "${info_value:0:6}" in + PASSED) smart_healthy=1 ;; + *) smart_healthy=0 ;; + esac + elif [[ "${info_type}" == 'SMART_Health_Status' ]]; then + case "${info_value:0:2}" in + OK) smart_healthy=1 ;; + *) smart_healthy=0 ;; + esac + fi + done + echo "device_info{disk=\"${disk}\",type=\"${disk_type}\",vendor=\"${vendor}\",product=\"${product}\",revision=\"${revision}\",lun_id=\"${lun_id}\",model_family=\"${model_family}\",device_model=\"${device_model}\",serial_number=\"${serial_number}\",firmware_version=\"${fw_version}\"} 1" + echo "device_smart_available{disk=\"${disk}\",type=\"${disk_type}\"} ${smart_available}" + echo "device_smart_enabled{disk=\"${disk}\",type=\"${disk_type}\"} ${smart_enabled}" + [[ "${smart_healthy}" != "" ]] && echo "device_smart_healthy{disk=\"${disk}\",type=\"${disk_type}\"} ${smart_healthy}" +} + +output_format_awk="$( + cat <<'OUTPUTAWK' +BEGIN { v = "" } +v != $1 { + print "# HELP smartmon_" $1 " SMART metric " $1; + print "# TYPE smartmon_" $1 " gauge"; + v = $1 +} +{print 
"smartmon_" $0} +OUTPUTAWK +)" + +format_output() { + sort | + awk -F'{' "${output_format_awk}" +} + +smartctl_version="$(/usr/sbin/smartctl -V | head -n1 | awk '$1 == "smartctl" {print $2}')" + +echo "smartctl_version{version=\"${smartctl_version}\"} 1" | format_output + +if [[ "$(expr "${smartctl_version}" : '\([0-9]*\)\..*')" -lt 6 ]]; then + exit +fi + +device_list="$(/usr/sbin/smartctl --scan-open | awk '/^\/dev/{print $1 "|" $3}')" + +for device in ${device_list}; do + disk="$(echo "${device}" | cut -f1 -d'|')" + type="$(echo "${device}" | cut -f2 -d'|')" + active=1 + echo "smartctl_run{disk=\"${disk}\",type=\"${type}\"}" "$(TZ=UTC date '+%s')" + # Check if the device is in a low-power mode + /usr/sbin/smartctl -n standby -d "${type}" "${disk}" > /dev/null || active=0 + echo "device_active{disk=\"${disk}\",type=\"${type}\"}" "${active}" + # Skip further metrics to prevent the disk from spinning up + test ${active} -eq 0 && continue + # Get the SMART information and health + /usr/sbin/smartctl -i -H -d "${type}" "${disk}" | parse_smartctl_info "${disk}" "${type}" + # Get the SMART attributes + case ${type} in + sat) /usr/sbin/smartctl -A -d "${type}" "${disk}" | parse_smartctl_attributes "${disk}" "${type}" ;; + sat+megaraid*) /usr/sbin/smartctl -A -d "${type}" "${disk}" | parse_smartctl_attributes "${disk}" "${type}" ;; + scsi) /usr/sbin/smartctl -A -d "${type}" "${disk}" | parse_smartctl_scsi_attributes "${disk}" "${type}" ;; + megaraid*) /usr/sbin/smartctl -A -d "${type}" "${disk}" | parse_smartctl_scsi_attributes "${disk}" "${type}" ;; + nvme*) /usr/sbin/smartctl -A -d "${type}" "${disk}" | parse_smartctl_scsi_attributes "${disk}" "${type}" ;; + usbprolific) /usr/sbin/smartctl -A -d "${type}" "${disk}" | parse_smartctl_attributes "${disk}" "${type}" ;; + *) + (>&2 echo "disk type is not sat, scsi, nvme or megaraid but ${type}") + exit + ;; + esac +done | format_output 
diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml index 1e35c32..395e624 100644 --- a/roles/node_exporter/tasks/main.yml +++ b/roles/node_exporter/tasks/main.yml @@ -75,6 +75,20 @@ notify: Restart node_exporter when: ansible_os_family == "RedHat" +- name: Install disk and raid monitoring scripts + ansible.builtin.copy: + dest: "/usr/local/libexec/node-exporter/{{ item }}" + src: "{{ item }}" + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + with_items: + - md_info.sh + - smartmon.sh + when: + - ansible_virtualization_role == "host" + - ansible_os_family == "RedHat" + - name: Enable service ansible.builtin.service: name: "{{ node_exporter_service }}" From 5751c77b8fcaefe54f8243f06c628cab211a91b2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 17 Feb 2024 17:21:29 +0000 Subject: [PATCH 159/713] mariadb: Enable query log --- roles/mariadb/files/local.cnf | 4 ++++ roles/mariadb/tasks/main.yml | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 roles/mariadb/files/local.cnf diff --git a/roles/mariadb/files/local.cnf b/roles/mariadb/files/local.cnf new file mode 100644 index 0000000..cedabc6 --- /dev/null +++ b/roles/mariadb/files/local.cnf @@ -0,0 +1,4 @@ +[mariadb] +innodb_file_per_table = ON +general_log +general_log_file = /var/log/mariadb/mariadb-query.log diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 3746dd1..af5cea7 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -64,7 +64,7 @@ - name: Create local configuration ansible.builtin.copy: dest: /etc/my.cnf.d/local.cnf - content: "[mariadb]\ninnodb_file_per_table=ON\n" + src: local.cnf mode: "0644" owner: root group: "{{ ansible_wheel }}" From 8bc5793d705aef70c5b9f276728f191697809c84 Mon Sep 17 00:00:00 2001 
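Review bot: `general_log` in roles/mariadb/files/local.cnf writes every statement verbatim — data values inside `INSERT`/`UPDATE` and, depending on the server version, statements such as `CREATE USER … IDENTIFIED BY` possibly unmasked — to `/var/log/mariadb/mariadb-query.log`, so that file needs permissions no wider than the error log and a logrotate entry; neither appears in this commit (they may exist elsewhere). It also grows quickly and adds a write on every query, so if this is for troubleshooting consider toggling it at runtime with `SET GLOBAL general_log=ON` instead of persisting it, or add a comment above the line stating why it is permanent. The switch from inline `content:` to `src: local.cnf` in the tasks hunk is fine and keeps the existing mode/ownership.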
From: Timo Makinen Date: Sat, 17 Feb 2024 17:58:32 +0000 Subject: [PATCH 160/713] mysqld_exporter: Initial version of role --- roles/mysqld_exporter/defaults/main.yml | 2 + .../files/mysqld_exporter.service | 14 ++++ roles/mysqld_exporter/handlers/main.yml | 6 ++ roles/mysqld_exporter/meta/main.yml | 3 + roles/mysqld_exporter/tasks/main.yml | 83 +++++++++++++++++++ roles/mysqld_exporter/templates/my.cnf.j2 | 6 ++ .../templates/web-config.yml.j2 | 11 +++ 7 files changed, 125 insertions(+) create mode 100644 roles/mysqld_exporter/defaults/main.yml create mode 100644 roles/mysqld_exporter/files/mysqld_exporter.service create mode 100644 roles/mysqld_exporter/handlers/main.yml create mode 100644 roles/mysqld_exporter/meta/main.yml create mode 100644 roles/mysqld_exporter/tasks/main.yml create mode 100644 roles/mysqld_exporter/templates/my.cnf.j2 create mode 100644 roles/mysqld_exporter/templates/web-config.yml.j2 diff --git a/roles/mysqld_exporter/defaults/main.yml b/roles/mysqld_exporter/defaults/main.yml new file mode 100644 index 0000000..77a7507 --- /dev/null +++ b/roles/mysqld_exporter/defaults/main.yml @@ -0,0 +1,2 @@ +--- +mysqld_exporter_pkg: "mysqld_exporter-{{ mysqld_exporter_version }}.linux-amd64" diff --git a/roles/mysqld_exporter/files/mysqld_exporter.service b/roles/mysqld_exporter/files/mysqld_exporter.service new file mode 100644 index 0000000..c623707 --- /dev/null +++ b/roles/mysqld_exporter/files/mysqld_exporter.service @@ -0,0 +1,14 @@ +[Unit] +Description=Prometheus MySQL Exporter +After=syslog.target +After=network.target + +[Service] +Type=simple +User=mysqld_exporter +Group=mysqld_exporter +ExecStart=/usr/local/bin/mysqld_exporter --config.my-cnf=/etc/mysqld_exporter/my.cnf --web.config.file=/etc/mysqld_exporter/web-config.yml +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/roles/mysqld_exporter/handlers/main.yml b/roles/mysqld_exporter/handlers/main.yml new file mode 100644 index 0000000..855013c --- /dev/null 
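Review bot: The new mysqld_exporter.service unit runs a network-facing binary with only `User=`/`Group=` as containment; since the exporter only needs read access to `/etc/mysqld_exporter`, the PKI files and `/usr/local/bin`, the standard systemd sandboxing directives can be added without affecting it (assuming it writes nothing outside `/tmp` — confirm on first start). `After=syslog.target` is also a legacy target that current systemd no longer provides and can be dropped.

```ini
[Service]
# … unchanged: Type, User, Group, ExecStart, Restart …
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
```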
+++ b/roles/mysqld_exporter/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart mysqld_exporter + ansible.builtin.systemd: + name: mysqld_exporter + daemon_reload: true + state: restarted diff --git a/roles/mysqld_exporter/meta/main.yml b/roles/mysqld_exporter/meta/main.yml new file mode 100644 index 0000000..9978a00 --- /dev/null +++ b/roles/mysqld_exporter/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: pki} diff --git a/roles/mysqld_exporter/tasks/main.yml b/roles/mysqld_exporter/tasks/main.yml new file mode 100644 index 0000000..e69ce1c --- /dev/null +++ b/roles/mysqld_exporter/tasks/main.yml 
@@ -0,0 +1,83 @@
+---
+- name: Create group
+ ansible.builtin.group:
+ name: mysqld_exporter
+ system: true
+
+- name: Create user
+ ansible.builtin.user:
+ name: mysqld_exporter
+ comment: Prometheus MySQL Exporter
+ group: mysqld_exporter
+ groups: hostkey
+ create_home: false
+ home: /var/empty
+ shell: /sbin/nologin
+ system: true
+
+- name: Download package
+ ansible.builtin.get_url:
+ url: "https://github.com/prometheus/mysqld_exporter/releases/download/v{{ mysqld_exporter_version }}/{{ mysqld_exporter_pkg }}.tar.gz"
+ dest: "/usr/local/src/{{ mysqld_exporter_pkg }}.tar.gz"
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: Extract package
+ ansible.builtin.unarchive:
+ src: "/usr/local/src/{{ mysqld_exporter_pkg }}.tar.gz"
+ dest: /usr/local/src
+ owner: root
+ group: "{{ ansible_wheel }}"
+ creates: "/usr/local/src/{{ mysqld_exporter_pkg }}"
+ remote_src: true
+
+- name: Copy binary
+ ansible.builtin.copy:
+ dest: /usr/local/bin/mysqld_exporter
+ src: "/usr/local/src/{{ mysqld_exporter_pkg }}/mysqld_exporter"
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ remote_src: true
+
+- name: Create config directory
+ ansible.builtin.file:
+ path: /etc/mysqld_exporter
+ state: directory
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: Create web-config
+ ansible.builtin.template:
+ dest: /etc/mysqld_exporter/web-config.yml
+ src: web-config.yml.j2
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart mysqld_exporter
+
+- name: Create credentials config
+ ansible.builtin.template:
+ dest: /etc/mysqld_exporter/my.cnf
+ src: my.cnf.j2
+ mode: "0640"
+ owner: root
+ group: mysqld_exporter
+ notify: Restart mysqld_exporter
+
+- name: Create service file
+ ansible.builtin.copy:
+ dest: /etc/systemd/system/mysqld_exporter.service
+ src: mysqld_exporter.service
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart mysqld_exporter
+
+- name: Enable service
+ ansible.builtin.service:
+ name: mysqld_exporter
+ state: started
+ enabled: true
diff --git a/roles/mysqld_exporter/templates/my.cnf.j2 b/roles/mysqld_exporter/templates/my.cnf.j2
new file mode 100644
index 0000000..2627e84
--- /dev/null
+++ b/roles/mysqld_exporter/templates/my.cnf.j2
@@ -0,0 +1,6 @@
+[client]
+user = mysqld_exporter
+password = {{ mysqld_exporter_pass }}
+ssl-cert = {{ tls_certs }}/{{ inventory_hostname }}.crt
+ssl-key = {{ tls_private }}/{{ inventory_hostname }}.key
+ssl-ca = {{ tls_certs }}/ca.crt
diff --git a/roles/mysqld_exporter/templates/web-config.yml.j2 b/roles/mysqld_exporter/templates/web-config.yml.j2
new file mode 100644
index 0000000..626169b
--- /dev/null
+++ b/roles/mysqld_exporter/templates/web-config.yml.j2
@@ -0,0 +1,11 @@
+tls_server_config:
+ key_file: {{ tls_private }}/{{ inventory_hostname }}.key
+ cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt
+ client_ca_file: {{ tls_certs }}/ca.crt
+ client_auth_type: RequireAndVerifyClientCert
+ client_allowed_sans:
+ - prometheus01.home.foo.sh
+ - prometheus02.home.foo.sh
+ - prometheus03.home.foo.sh
+ - prometheus04.home.foo.sh
+ min_version: TLS13
From 1f3e76e4f6f99ca134fc1eadd9ddb02343b82b9d Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 17 Feb 2024 17:59:16 +0000
Subject: [PATCH 161/713] Enable mysqld_exporter for prometheus hosts
---
 hosts.yml | 2 ++ playbooks/prometheus.yml | 1 + roles/prometheus/templates/prometheus.yml.j2 | 19 +++++++++++++++++++ 3 files changed, 22 insertions(+)
diff --git a/hosts.yml b/hosts.yml
index 8fb7bd0..7e8fc7c 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -96,6 +96,8 @@ print: prometheus: hosts: prometheus02.home.foo.sh:
+ vars:
+ mysqld_exporter_version: "0.15.1"
 proxy: hosts: proxy01.home.foo.sh:
diff --git a/playbooks/prometheus.yml b/playbooks/prometheus.yml
index bec40ff..856b0a3 100644
--- a/playbooks/prometheus.yml
+++ b/playbooks/prometheus.yml
@@ -26,3 +26,4 @@ roles: - base - prometheus
+ - mysqld_exporter
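Review bot: The Download package task fetches the release tarball from GitHub with no `checksum:`, so a swapped or tampered asset would be installed as root into /usr/local/bin with nothing verifying it; the upstream release publishes a sha256sums.txt, so pin the digest next to the version, e.g. `checksum: "sha256:{{ mysqld_exporter_checksum }}"` (variable name constructed here) set in the same inventory place as `mysqld_exporter_version`. Because Extract package keys its `creates:` on the versioned directory, a digest mismatch fails the download task cleanly rather than silently reusing an earlier extraction, which is the behaviour you want. `groups: hostkey` in Create user is what lets the exporter read the host key the web-config template points at; a one-line comment above that task saying so would stop the next reader from treating the extra group as an accident.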
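Review bot: `password = {{ mysqld_exporter_pass }}` is written unquoted, and in a MySQL option file `#` (and `;`) can start a comment mid-line while surrounding whitespace is trimmed, so a generated password containing such characters is silently truncated and the exporter fails to authenticate with no hint why; unless the password source is restricted to a safe alphabet, write `password = "{{ mysqld_exporter_pass }}"`. The tasks hunk deploys this file 0640 root:mysqld_exporter, which is the right exposure for a credential; the hunk does not show where `mysqld_exporter_pass` is defined, and it should be a vaulted variable rather than plain inventory text.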
diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2 index e4a4956..49520f9 100644 --- a/roles/prometheus/templates/prometheus.yml.j2 +++ b/roles/prometheus/templates/prometheus.yml.j2 @@ -10,6 +10,25 @@ scrape_configs: - targets: - "127.0.0.1:9090" + - job_name: mysqld + scheme: https + tls_config: + ca_file: "{{ tls_certs }}/ca.crt" + key_file: "{{ tls_private }}/{{ inventory_hostname }}.key" + cert_file: "{{ tls_certs }}/{{ inventory_hostname }}.crt" + static_configs: + - targets: +{% for host in groups['sqldb'] %} + - {{ host }}:3306 +{% endfor %} + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - target_label: __address__ + replacement: {{ inventory_hostname }}:9104 + - job_name: snmp scheme: https tls_config: From fc5d1579166a9902853859d3b148fd0a3a042ff1 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 18 Feb 2024 19:00:30 +0000 Subject: [PATCH 162/713] Use new repo for homeassistant electrolux --- hosts.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/hosts.yml b/hosts.yml index 7e8fc7c..f70fd05 100644 --- a/hosts.yml +++ b/hosts.yml @@ -37,9 +37,8 @@ homeassistant: homeassistant_version: "2024.1.2" homeassistant_integrations: - name: electrolux_status - repo: >- - https://github.com/mauro-midolo/homeassistant_electrolux_status.git - version: v5.0.0 + repo: https://github.com/albaintor/homeassistant_electrolux_status.git + version: v1.0.12 - name: nordpool repo: https://github.com/custom-components/nordpool.git version: 0.0.14 From f42793670811b1e28e03acad86f9cced30376ceb Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 18 Feb 2024 19:30:32 +0000 Subject: [PATCH 163/713] Update software versions --- hosts.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hosts.yml b/hosts.yml index f70fd05..f817260 100644 --- a/hosts.yml +++ b/hosts.yml 
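Review bot: The mysqld job rewrites `__param_target` to each sqldb host but leaves `metrics_path` at its default `/metrics`, and if I read mysqld_exporter's multi-target mode correctly the `target` parameter is only honoured by its `/probe` endpoint, so every entry in `groups['sqldb']` would scrape the exporter's own configured connection and yield identical series under different `instance` labels; add `metrics_path: /probe` next to `scheme: https` if per-target probing is intended, or reduce the job to a single target if it is not. The exporter's web-config in the previous commit lists prometheus01-04 as allowed client SANs while `replacement: {{ inventory_hostname }}:9104` renders per prometheus host, so the two stay consistent only while those names match the inventory. The snmp job that follows begins in this hunk but its body continues outside it.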
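Review bot: The electrolux_status integration now points at a different GitHub account and is pinned by the tag `v1.0.12`; tags are mutable references, so if the homeassistant role clones this repository at deploy time the code that lands on the host can change without any edit in this file. Pin to the commit hash behind the tag where the role supports it, or at least record the expected hash in a comment beside `version:` so a moved tag is noticeable at the next run. The role's clone logic is not in this hunk, so treat this as a question to confirm rather than a defect.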
@@ -34,7 +34,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.1.2" + homeassistant_version: "2024.2" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git @@ -86,9 +86,9 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "10.2.3" - rocketchat_version: "6.5.2" - roundcube_version: "1.6.5" + grafana_version: "10.2.4" + rocketchat_version: "6.6.0" + roundcube_version: "1.6.6" print: hosts: print01.home.foo.sh: From 04575b20ee71b8c3dcb5a08494f2a9c063cf9527 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 23 Feb 2024 05:52:17 +0000 Subject: [PATCH 164/713] Update gitea to 1.21.6 --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index f817260..0b19d7f 100644 --- a/hosts.yml +++ b/hosts.yml @@ -24,7 +24,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.5" + gitea_version: "1.21.6" gitearunner: hosts: gitea-runner02.home.foo.sh: From a632b3efbf44ee8d2ed3a1e8e5bd68bb7be0cabc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 23 Feb 2024 05:53:10 +0000 Subject: [PATCH 165/713] mariadb: Add query log rotation --- roles/mariadb/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index af5cea7..746da67 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -136,6 +136,14 @@ hour: "0" minute: "30" +- name: Add logrotate job for query log + ansible.builtin.copy: + dest: /etc/logrotate.d/mariadb-querylog + src: mariadb-querylog.logrotate + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + - name: Copy script to check timezone data ansible.builtin.copy: dest: /usr/local/sbin/mysql_tzinfo_check From 171aa216d6294b272067ced7ca8beba3c1f9eb51 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Fri, 23 Feb 2024 05:53:34 +0000 Subject: [PATCH 166/713] mariadb: Add missing logrotate file --- roles/mariadb/files/mariadb-querylog.logrotate | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 roles/mariadb/files/mariadb-querylog.logrotate diff --git a/roles/mariadb/files/mariadb-querylog.logrotate b/roles/mariadb/files/mariadb-querylog.logrotate new file mode 100644 index 0000000..70002a1 --- /dev/null +++ b/roles/mariadb/files/mariadb-querylog.logrotate @@ -0,0 +1,17 @@ +/var/log/mariadb/mariadb-query.log { + create 600 mysql mysql + su mysql mysql + notifempty + daily + rotate 3 + missingok + compress + sharedscripts + postrotate + # just if mariadbd is really running + if [ -e /run/mariadb/mariadb.pid ] + then + kill -1 $( Date: Fri, 1 Mar 2024 12:32:53 +0000 Subject: [PATCH 167/713] sendmail: Fix EHLO message address --- roles/sendmail/templates/sendmail.mc.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/sendmail/templates/sendmail.mc.j2 b/roles/sendmail/templates/sendmail.mc.j2 index c0d9b08..2662045 100644 --- a/roles/sendmail/templates/sendmail.mc.j2 +++ b/roles/sendmail/templates/sendmail.mc.j2 @@ -60,6 +60,7 @@ FEATURE(`accept_unresolvable_domains')dnl dnl # define(`confMATCH_GECOS')dnl define(`confDOMAIN_NAME', `{{ mail_domain }}')dnl +define(`confHELO_NAME', `mail.{{ mail_domain }}')dnl define(`confDONT_BLAME_SENDMAIL', `GroupWritableDirpathSafe,GroupWritableIncludeFile,GroupWritableIncludeFileSafe')dnl dnl # MAIL_FILTER(`grossd', `S=inet:5523@localhost, T=C:10m;R:5m') From 6c661f75b86ad21c736de10981e9fca425047a11 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 1 Mar 2024 18:38:01 +0000 Subject: [PATCH 168/713] nsd: Validate zone files during copy --- roles/nsd/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/nsd/tasks/main.yml b/roles/nsd/tasks/main.yml index b0d3ad6..da21b4f 100644 --- a/roles/nsd/tasks/main.yml +++ b/roles/nsd/tasks/main.yml 
@@ -43,6 +43,7 @@ mode: "0640" owner: root group: _nsd
+ validate: "nsd-checkzone '{{ item }}' '%s'"
 tags: dns notify: Restart nsd with_items: "{{ nsd_zones }}"
From 546f091e9195fbd9940ce94c2e51356ff402efe1 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 2 Mar 2024 19:00:44 +0000
Subject: [PATCH 169/713] opendkim: Initial version of role
---
 roles/opendkim/defaults/main.yml | 2 + roles/opendkim/files/keystore.Makefile | 28 +++++++++ roles/opendkim/handlers/main.yml | 5 ++ roles/opendkim/tasks/main.yml | 85 ++++++++++++++++++++++++++ 4 files changed, 120 insertions(+) create mode 100644 roles/opendkim/defaults/main.yml create mode 100644 roles/opendkim/files/keystore.Makefile create mode 100644 roles/opendkim/handlers/main.yml create mode 100644 roles/opendkim/tasks/main.yml
diff --git a/roles/opendkim/defaults/main.yml b/roles/opendkim/defaults/main.yml
new file mode 100644
index 0000000..ae208c6
--- /dev/null
+++ b/roles/opendkim/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+opendkim_selector: default
diff --git a/roles/opendkim/files/keystore.Makefile b/roles/opendkim/files/keystore.Makefile
new file mode 100644
index 0000000..1a04593
--- /dev/null
+++ b/roles/opendkim/files/keystore.Makefile
@@ -0,0 +1,28 @@
+TARGETS := $(shell { \
+ if [ $$(date +%m) -lt 6 ]; then \
+ echo "$$(date +%Y)0101.key $$(date +%Y)0601.key" ; \
+ else \
+ echo "$$(date +%Y)0601.key $$(($$(date +%Y) + 1))0101.key" ; \
+ fi \
+ })
+
+all: $(TARGETS)
+
+%.key:
+ @set -eu ; \
+ openssl genrsa -out "$@" 2048 ; \
+ chgrp opendkim "$@" ; \
+ chmod 0640 "$@" ; \
+ echo ; \
+ data="$$(printf "v=DKIM1; k=rsa; p=%s" \
+ "$$(openssl rsa -in "$@" -pubout -outform der 2>/dev/null | openssl base64 -A)")" ; \
+ pos=0 ; \
+ printf "%s._domainkey\tIN\tTXT\t" "$$(echo "$@" | cut -d. -f1)" ; \
+ while true ; do \
+ printf "\"%s\"" \
+ "$$(echo "$$data" | cut -c $$((pos + 1))-$$((pos + 254)))" ; \
+ pos="$$((pos + 254))" ; \
+ [ $${#data} -gt $$pos ] || break ; \
+ printf " " ; \
+ done ; \
+ echo
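Review bot: The `%.key` recipe has no `.DELETE_ON_ERROR:` directive, so if `openssl genrsa` or the later pipeline fails after the key file has been created, make leaves the partial file in place and treats that target as up to date on every following run; add `.DELETE_ON_ERROR:` on its own line above `all: $(TARGETS)`. `chgrp`/`chmod 0640` run after the key is written, so for a moment the file carries whatever mode the caller's umask gives; the keystore directory is created 0710 root:opendkim by the tasks file so this is contained, but `umask 077 ; \` as the first line of the recipe removes the dependence on the caller. The TXT printer splits the record at 254 characters to stay under the 255-byte DNS string limit; a comment on the `cut -c` line saying so would spare the next reader from reverse-engineering the constant.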
diff --git a/roles/opendkim/handlers/main.yml b/roles/opendkim/handlers/main.yml
new file mode 100644
index 0000000..e98da1b
--- /dev/null
+++ b/roles/opendkim/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart opendkim
+ ansible.builtin.service:
+ name: opendkim
+ state: restarted
diff --git a/roles/opendkim/tasks/main.yml b/roles/opendkim/tasks/main.yml
new file mode 100644
index 0000000..7c1001a
--- /dev/null
+++ b/roles/opendkim/tasks/main.yml
@@ -0,0 +1,85 @@
+---
+- name: Install packages
+ ansible.builtin.package:
+ name: opendkim
+ state: installed
+
+- name: Fix SELinux contexts from keystore
+ community.general.sefcontext:
+ path: "/export/dkim(/.*)?"
+ setype: etc_t
+
+- name: Create keystore
+ ansible.builtin.file:
+ path: /export/dkim
+ state: directory
+ mode: "0710"
+ owner: root
+ group: opendkim
+ setype: _default
+
+- name: Link keystore
+ ansible.builtin.file:
+ dest: /srv/dkim
+ src: /export/dkim
+ state: link
+ owner: root
+ group: "{{ ansible_wheel }}"
+ follow: false
+
+- name: Add keystore Makefile
+ ansible.builtin.copy:
+ dest: /srv/dkim/Makefile
+ src: keystore.Makefile
+ mode: "0600"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ setype: _default
+
+- name: Set selector
+ ansible.builtin.lineinfile:
+ path: /etc/opendkim.conf
+ regexp: '^(# )?Selector\s'
+ line: "Selector\t{{ opendkim_selector }}"
+ notify: Restart opendkim
+
+- name: Set key file path
+ ansible.builtin.lineinfile:
+ path: /etc/opendkim.conf
+ regexp: '^(# )?KeyFile\s'
+ line: "KeyFile\t/srv/dkim/{{ opendkim_selector }}.key"
+ notify: Restart opendkim
+
+- name: Enable signing and verifying messages
+ ansible.builtin.lineinfile:
+ path: /etc/opendkim.conf
+ regexp: '^(# )?Mode\s'
+ line: "Mode\tsv"
+ notify: Restart opendkim
+
+- name: Configure signing domains
+ ansible.builtin.lineinfile:
+ path: /etc/opendkim.conf
+ regexp: '^(# )?Domain\s'
+ line: "Domain\t{{ mail_domain }}"
+ notify: Restart opendkim
+
+- name: Configure report address
+ ansible.builtin.lineinfile:
+ path: /etc/opendkim.conf
+ regexp: '^(# )?ReportAddress\s'
+ line: "ReportAddress\tpostmaster@{{ mail_domain }}"
+ notify: Restart opendkim
+
+- name: Don't add DKIM-Filter header
+ ansible.builtin.lineinfile:
+ path: /etc/opendkim.conf
+ regexp: '^(# )?SoftwareHeader\s'
+ line: "SoftwareHeader\tno"
+ notify: Restart opendkim
+
+- name: Enable service
+ ansible.builtin.service:
+ name: opendkim
+ state: started
+ enabled: true
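Review bot: Nothing in the task list runs `make` in /srv/dkim, yet Set key file path points `KeyFile` at `/srv/dkim/{{ opendkim_selector }}.key` and Enable service starts the daemon, so on a fresh host the role fails at the last task unless the key was generated by hand; add a task such as `ansible.builtin.command: {cmd: make, chdir: /srv/dkim, creates: "/srv/dkim/{{ opendkim_selector }}.key"}` before Set key file path, or document the manual step in a comment at the top of the file. The role default `opendkim_selector: default` matches none of the date-named keys the Makefile produces, so the default is only usable when a caller overrides it, which also deserves a comment in defaults. `state: installed` in Install packages is a legacy alias for `state: present`, and the lineinfile tasks replace only the last matching line, which suits the stock config's single commented entry but is worth noting above the first of them.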
From 55a9a77e71ad0790b62ec5c0ae4980b231d1d303 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 2 Mar 2024 19:00:59 +0000 Subject: [PATCH 170/713] sendmail: Add opendkim filter --- roles/sendmail/templates/sendmail.mc.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/sendmail/templates/sendmail.mc.j2 b/roles/sendmail/templates/sendmail.mc.j2 index 2662045..ad31555 100644 --- a/roles/sendmail/templates/sendmail.mc.j2 +++ b/roles/sendmail/templates/sendmail.mc.j2 @@ -64,6 +64,7 @@ define(`confHELO_NAME', `mail.{{ mail_domain }}')dnl define(`confDONT_BLAME_SENDMAIL', `GroupWritableDirpathSafe,GroupWritableIncludeFile,GroupWritableIncludeFileSafe')dnl dnl # MAIL_FILTER(`grossd', `S=inet:5523@localhost, T=C:10m;R:5m') +INPUT_MAIL_FILTER(`opendkim', `S=local:/run/opendkim/opendkim.sock') dnl MAILER(smtp)dnl MAILER(procmail)dnl From a81b15edcdf0b7fc803ca18f70a6f5224a2a499b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 2 Mar 2024 19:01:12 +0000 Subject: [PATCH 171/713] Enable opendkim for mail servers --- playbooks/mail.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/playbooks/mail.yml b/playbooks/mail.yml index 4019251..686ed79 100644 --- a/playbooks/mail.yml +++ b/playbooks/mail.yml @@ -38,6 +38,8 @@ nginx_site_name: "{{ mail_server }}" nginx_site_redirect: https://webmail.foo.sh/ - grossd + - role: opendkim + opendkim_selector: 20240101 - spamassassin - spamassassin_clamav - spamassassin_ixhash From 427fbd9fc4363bd6d44461823782d8a394ec6598 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 4 Mar 2024 15:34:58 +0000 Subject: [PATCH 172/713] Add mta-sts.foo.sh virtual host --- playbooks/proxy.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index d01e85c..0a0ed17 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml 
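Review bot: The new INPUT_MAIL_FILTER line for opendkim passes only `S=local:/run/opendkim/opendkim.sock` with no `F=` flag, and sendmail's default when a milter cannot be reached is to accept the message unfiltered, so while opendkim is down outbound mail leaves unsigned and inbound mail skips verification with no error surfaced; add `F=T` so the MTA temp-fails and queues instead, i.e. `S=local:/run/opendkim/opendkim.sock, F=T`, optionally with a `T=` timeout as the grossd line above already uses. If fail-open is a deliberate availability choice for a home mail server, a short comment on the line saying so will keep the next reader from flagging it.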
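Review bot: `opendkim_selector: 20240101` is an unquoted plain scalar, so YAML loads it as an integer while the role default (`opendkim_selector: default`) is a string; it happens to render correctly into `Selector` and `KeyFile` here, but a selector such as `0124` would be read as octal and silently produce a different name, so write `opendkim_selector: "20240101"`. The value also names one of the date-based keys the keystore Makefile generates, which rolls to a new file twice a year while this playbook value stays fixed; a comment beside it noting that it must be bumped when the key rotates prevents quietly signing with a stale key after the DNS record changes.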
@@ -84,6 +84,8 @@ nginx_site_name: movies.foo.sh nginx_site_proxy: - https://oci-node01.home.foo.sh/php4dvd/ + - role: nginx_site + nginx_site_name: mta-sts.foo.sh - role: nginx_site nginx_site_name: noc.foo.sh nginx_site_proxy: From 3288f9ec5840282f69fcbf566041fc3e789423b5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 7 Mar 2024 07:17:17 +0000 Subject: [PATCH 173/713] routeros_firmware: Fix parsing mikrotik web page --- roles/routeros_firmware/files/download-routeros-firmware.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/routeros_firmware/files/download-routeros-firmware.sh b/roles/routeros_firmware/files/download-routeros-firmware.sh index 4347526..e6a0b65 100644 --- a/roles/routeros_firmware/files/download-routeros-firmware.sh +++ b/roles/routeros_firmware/files/download-routeros-firmware.sh @@ -18,7 +18,11 @@ if [ $# -gt 0 ]; then fi packageurl="$(curl -sSf "https://mikrotik.com/download" | \ - sed -n 's/.*.*/\1/p')" + sed -n 's/.* ].*/\1/p')" +if [ -z "$packageurl" ]; then + echo "ERR: Got empty package URL, exiting" 1>&2 + exit 1 +fi packagename="$(basename "$packageurl")" if [ -f "$packagename" ]; then "$verbose" && echo "Already up to date" From 778f8e99d7c656af38084415c221b177ae47944d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 12 Mar 2024 18:39:38 +0000 Subject: [PATCH 174/713] Update softwrae versions --- hosts.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/hosts.yml b/hosts.yml index 0b19d7f..1aae5c9 100644 --- a/hosts.yml +++ b/hosts.yml @@ -16,6 +16,8 @@ dnagw: frigate: hosts: frigate02.home.foo.sh: + vars: + frigate_version: "0.13.2" fsolgw: hosts: fsol-gw01.home.foo.sh: @@ -24,7 +26,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.6" + gitea_version: "1.21.7" gitearunner: hosts: gitea-runner02.home.foo.sh: 
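Review bot: The new guard only rejects an empty `packageurl`; the value is still whatever the scraped page's regex yields, so a changed page or an unexpected link on it would be downloaded and published as firmware with nothing checking that it points at the vendor's own host. Constrain it before use, e.g. `case "$packageurl" in https://<expected-download-host>/*) ;; *) echo "ERR: Unexpected package URL: $packageurl" 1>&2; exit 1 ;; esac` with the placeholder replaced by the real download host. The `sed` expression on the changed line is garbled in this rendering, and the download itself plus any checksum handling are outside the hunk, so I cannot see whether a later step verifies the file.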
@@ -34,11 +36,11 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.2" + homeassistant_version: "2024.3" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git - version: v1.0.12 + version: v1.0.15 - name: nordpool repo: https://github.com/custom-components/nordpool.git version: 0.0.14 @@ -86,8 +88,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "10.2.4" - rocketchat_version: "6.6.0" + grafana_version: "10.3.4" + rocketchat_version: "6.6.3" roundcube_version: "1.6.6" print: hosts: From 7c9727c6a6223d2ec29afb09a0d6fa8916996a6b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 12 Mar 2024 18:41:50 +0000 Subject: [PATCH 175/713] sendmail: Add automatic ca certificate updates --- roles/sendmail/files/update-sendmail-certs.sh | 25 +++++++++++++++++++ roles/sendmail/handlers/main.yml | 8 ++++++ roles/sendmail/meta/main.yml | 2 +- roles/sendmail/tasks/main.yml | 16 ++++++++++++ 4 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 roles/sendmail/files/update-sendmail-certs.sh diff --git a/roles/sendmail/files/update-sendmail-certs.sh b/roles/sendmail/files/update-sendmail-certs.sh new file mode 100644 index 0000000..0e0bbc9 --- /dev/null +++ b/roles/sendmail/files/update-sendmail-certs.sh 
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -eu
+umask 022
+
+tmpdir="$(mktemp -d -p /etc/mail)"
+trap 'rm -rf "$tmpdir"' EXIT
+chmod 0755 "$tmpdir"
+
+awk '{
+ if ($0 == "-----BEGIN CERTIFICATE-----") cert=""
+ else if ($0 == "-----END CERTIFICATE-----") print cert
+ else cert=cert$0
+}' /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca.crt | while read -r CERT; do
+ echo "$CERT" | base64 -d | openssl x509 -inform DER > \
+ "${tmpdir}/$(echo "$CERT" | base64 -d | openssl x509 -inform DER -hash -noout).0"
+done
+
+if ! diff -q "$tmpdir" "/etc/mail/certs" > /dev/null 2>&1 ; then
+ rm -rf /etc/mail/certs
+ mv "$tmpdir" /etc/mail/certs
+ exit 0
+fi
+
+exit 1
diff --git a/roles/sendmail/handlers/main.yml b/roles/sendmail/handlers/main.yml
index 811e9ee..3c47d7f 100644
--- a/roles/sendmail/handlers/main.yml
+++ b/roles/sendmail/handlers/main.yml
@@ -21,3 +21,11 @@ - newaliases register: result changed_when: result.rc == 0
+
+- name: Update sendmail root certs
+ ansible.builtin.command:
+ argv:
+ - update-sendmail-certs
+ register: result
+ failed_when: false
+ changed_when: result.rc == 0
diff --git a/roles/sendmail/meta/main.yml b/roles/sendmail/meta/main.yml
index 4dc7ba0..ad8bde3 100644
--- a/roles/sendmail/meta/main.yml
+++ b/roles/sendmail/meta/main.yml
@@ -1,5 +1,5 @@ --- - dependencies: - {role: dhparams} + - {role: pki} - {role: saslauthd}
diff --git a/roles/sendmail/tasks/main.yml b/roles/sendmail/tasks/main.yml
index 117b47c..c247eed 100644
--- a/roles/sendmail/tasks/main.yml
+++ b/roles/sendmail/tasks/main.yml
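Review bot: The loop writes every certificate as `<subject-hash>.0`, so two CA certificates that share a subject-name hash (cross-signed roots are the common case) overwrite each other and only the last one survives in /etc/mail/certs, which can make some peers' chains unverifiable; write each certificate under a unique name instead (a counter such as `cert-$i.pem`, the `openssl x509` output is already PEM) and run `openssl rehash "$tmpdir"` afterwards so the `.0`, `.1` hash links OpenSSL expects are created without collisions. The script also uses `exit 1` to mean "nothing changed", and the handler hunk in roles/sendmail/handlers/main.yml pairs that with `failed_when: false`, so a real failure (missing bundle, an openssl error under `set -eu`) is indistinguishable from the no-op case and is swallowed; exit 0 on both paths, print a marker such as `echo changed` before the `mv`, and switch the handler to `changed_when: "'changed' in result.stdout"` with `failed_when: false` removed. `chmod 0755 "$tmpdir"` is there because `mktemp -d` creates the directory 0700 and sendmail must traverse it; a comment on that line would make the intent clear.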
@@ -16,6 +16,22 @@ owner: root group: "{{ ansible_wheel }}" +- name: Add script to update root certs + ansible.builtin.copy: + dest: /usr/local/sbin/update-sendmail-certs + src: update-sendmail-certs.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + notify: Update sendmail root certs + +- name: Add cronjob to update root certs + ansible.builtin.cron: + name: update-sendmail-certs + job: /usr/local/sbin/update-sendmail-certs + hour: "05" + minute: "30" + - name: Copy private key ansible.builtin.copy: dest: "{{ tls_private }}/{{ mail_server }}.key" From ec3b486e7c22c3da3f50547b2794a62fef831a90 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 18:46:40 +0000 Subject: [PATCH 176/713] collab: Fix extra newline from graphviz repo conf --- roles/collab/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/collab/tasks/main.yml b/roles/collab/tasks/main.yml index 9af4c7b..6a51371 100644 --- a/roles/collab/tasks/main.yml +++ b/roles/collab/tasks/main.yml @@ -2,7 +2,7 @@ - name: Add graphviz repository ansible.builtin.yum_repository: name: graphviz - baseurl: > + baseurl: >- {{ "https://www2.graphviz.org" + "/Packages/stable/centos/$releasever/os/$basearch/" From dfe1ea7db334133eb17f7a7e7cbb88bd99b46f4d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 19:33:26 +0000 Subject: [PATCH 177/713] Set scanservjs version --- hosts.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts.yml b/hosts.yml index 1aae5c9..41bcf57 100644 --- a/hosts.yml +++ b/hosts.yml @@ -110,6 +110,8 @@ relay: sane: hosts: sane02.home.foo.sh: + vars: + scanservjs_version: "v3.0.3" shell: hosts: shell01.foo.sh: From 0a0074873244186e6df5311d1f8bc5a31cb4d9ed Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 19:33:40 +0000 Subject: [PATCH 178/713] Update software subrepo --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index 270b14c..2c232f1 160000 
--- a/software +++ b/software @@ -1 +1 @@ -Subproject commit 270b14ce153c3cf80de744d8d4128f2506a7e3d0 +Subproject commit 2c232f1654ea87f26c2248a1ff18b925f5c96c18 From 7229b6bad7d5ff5ff27f57bf86c400f152063595 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 19:51:35 +0000 Subject: [PATCH 179/713] pki: Fix running ansible with check option --- roles/pki/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/pki/tasks/main.yml b/roles/pki/tasks/main.yml index 3e20d68..c6aac08 100644 --- a/roles/pki/tasks/main.yml +++ b/roles/pki/tasks/main.yml @@ -73,6 +73,7 @@ - "{{ tls_certs }}/{{ inventory_hostname }}.crt" - "{{ tls_certs }}/ca.crt" changed_when: false + check_mode: false register: pki_host_fullchain - name: Copy full chain certificate file From cb3961001956f91a2b65993f6d21916b3a715562 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 20:17:19 +0000 Subject: [PATCH 180/713] ldap_server: Fix running role in check mode --- roles/ldap_server/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index 1e1389e..3d9a76e 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml @@ -168,6 +168,7 @@ delegate_to: localhost register: result changed_when: false + check_mode: false tags: certificates - name: Link server chain certificate From b229c177183b146596475e9f3127f0495e10fd58 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 20:17:31 +0000 Subject: [PATCH 181/713] pki: Store local CA hash even in check mode --- roles/pki/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/pki/tasks/main.yml b/roles/pki/tasks/main.yml index c6aac08..90d160e 100644 --- a/roles/pki/tasks/main.yml +++ b/roles/pki/tasks/main.yml @@ -24,6 +24,7 @@ delegate_to: localhost register: result changed_when: false + check_mode: false - name: Store ca certificate hash ansible.builtin.set_fact: 
From 525565073bd971d4e121bd0a21e4d9233026a397 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 21:00:17 +0000 Subject: [PATCH 182/713] mongodb: Fix running role in check mode --- roles/mongodb/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index de1390e..f7d5747 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml @@ -61,6 +61,7 @@ - "{{ tls_certs }}/{{ inventory_hostname }}.crt" - "{{ tls_private }}/{{ inventory_hostname }}.key" changed_when: false + check_mode: false register: mongodb_cert_key - name: Create combined certificate/private key file From a3de09e2f2395b553d13b6527777f306239ffd90 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 21:10:36 +0000 Subject: [PATCH 183/713] mongodb: Don't hardcode os release version --- roles/mongodb/tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index f7d5747..d1dafa9 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml @@ -17,7 +17,8 @@ - name: Enable repository ansible.builtin.yum_repository: name: mongodb - baseurl: https://repo.mongodb.org/yum/redhat/8/mongodb-org/6.0/x86_64 + baseurl: >- + https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/6.0/x86_64 description: MongoDB gpgcheck: true gpgkey: https://www.mongodb.org/static/pgp/server-6.0.asc From ead2775c41d11ba8655f806c3b1a0c64976dbca2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 21:16:29 +0000 Subject: [PATCH 184/713] shelly_firmware: Fix lint errors --- roles/shelly_firmware/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/shelly_firmware/tasks/main.yml b/roles/shelly_firmware/tasks/main.yml index 2d1dd3a..db0e0ea 100644 --- a/roles/shelly_firmware/tasks/main.yml +++ b/roles/shelly_firmware/tasks/main.yml 
@@ -8,7 +8,7 @@ ansible.builtin.file: path: /srv/web/iot.foo.sh/shelly state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -16,7 +16,7 @@ ansible.builtin.copy: dest: /usr/local/bin/download-shelly-firmware src: download-shelly-firmware.sh - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" From 6bef2b01654c6c5fb19dc5f54733f87ad16e111f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 21:18:09 +0000 Subject: [PATCH 185/713] routeros_firmware: Fix lint errors --- roles/routeros_firmware/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/routeros_firmware/tasks/main.yml b/roles/routeros_firmware/tasks/main.yml index a9fbc97..39d244b 100644 --- a/roles/routeros_firmware/tasks/main.yml +++ b/roles/routeros_firmware/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.file: path: /srv/web/oob.foo.sh/routeros state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -19,7 +19,7 @@ /system reboot /system package update print ``` - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -27,7 +27,7 @@ ansible.builtin.copy: dest: /usr/local/bin/download-routeros-firmware src: download-routeros-firmware.sh - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" From cbe78a3bd0ee8c7cc0898ac46238c352698cb85c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 21:24:21 +0000 Subject: [PATCH 186/713] frigate: Fix lint errors --- roles/frigate/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml index acc781e..7f5e321 100644 --- a/roles/frigate/tasks/main.yml +++ b/roles/frigate/tasks/main.yml @@ -100,4 +100,3 @@ owner: root group: "{{ ansible_wheel }}" notify: Restart apache - From 7ba39e01c7560ad344dc1d205d9e8db5189e097e Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Wed, 13 Mar 2024 21:25:55 +0000 Subject: [PATCH 187/713] Remove unnecessary comments --- playbooks/log.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/playbooks/log.yml b/playbooks/log.yml index 5ea13da..2c7fcf4 100644 --- a/playbooks/log.yml +++ b/playbooks/log.yml @@ -25,7 +25,6 @@ roles: - base - #- web_logs tasks: - name: Install extra packages From cd1f83bb681deeef43537c941a2a942d64abf544 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 15 Mar 2024 15:27:57 +0000 Subject: [PATCH 188/713] Add list of reserved ports by containers --- container-ports.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 container-ports.md diff --git a/container-ports.md b/container-ports.md new file mode 100644 index 0000000..9782749 --- /dev/null +++ b/container-ports.md @@ -0,0 +1,11 @@ +# Ports used by container web services + +Port | Ansible role | Service name +-----|--------------------------------------- +8001 | kerberos_kdc | Kerberos KDC +8002 | grafana | Grafana +8003 | authcheck | Authentication check +8004 | roundcube | Roundcube webmail +8005 | php4dvd | php4dvd movie catalog +8006 | scanservjs | SANE Scanner webui +8007 | frigate | Network video recorder From 6e58bc2a60d2d3df2b6c92836c1d59b03227561a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 15 Mar 2024 15:30:26 +0000 Subject: [PATCH 189/713] Reformat table --- container-ports.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/container-ports.md b/container-ports.md index 9782749..3506ce0 100644 --- a/container-ports.md +++ b/container-ports.md 
@@ -1,11 +1,11 @@ # Ports used by container web services -Port | Ansible role | Service name ------|--------------------------------------- -8001 | kerberos_kdc | Kerberos KDC -8002 | grafana | Grafana -8003 | authcheck | Authentication check -8004 | roundcube | Roundcube webmail -8005 | php4dvd | php4dvd movie catalog -8006 | scanservjs | SANE Scanner webui -8007 | frigate | Network video recorder +| Port | Ansible role | Service name | +|------|---------------------------------------- +| 8001 | kerberos_kdc | Kerberos KDC | +| 8002 | grafana | Grafana | +| 8003 | authcheck | Authentication check | +| 8004 | roundcube | Roundcube webmail | +| 8005 | php4dvd | php4dvd movie catalog | +| 8006 | scanservjs | SANE Scanner webui | +| 8007 | frigate | Network video recorder | From 8465cf1d8b27bf50cf37842aa61dff46ee92c52d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 15 Mar 2024 15:33:09 +0000 Subject: [PATCH 190/713] Try to fix table formatting again --- container-ports.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container-ports.md b/container-ports.md index 3506ce0..3efb0cd 100644 --- a/container-ports.md +++ b/container-ports.md @@ -1,7 +1,7 @@ # Ports used by container web services | Port | Ansible role | Service name | -|------|---------------------------------------- +|------|--------------|------------------------| | 8001 | kerberos_kdc | Kerberos KDC | | 8002 | grafana | Grafana | | 8003 | authcheck | Authentication check | From eba736f107ae411a461049d2da61191352b00f60 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 15 Mar 2024 15:38:00 +0000 Subject: [PATCH 191/713] Convert user.list to markdown --- user.list | 18 ------------------ users.md | 19 +++++++++++++++++++ 2 files changed, 19 insertions(+), 18 deletions(-) delete mode 100644 user.list create mode 100644 users.md diff --git a/user.list b/user.list deleted file mode 100644 index 6e27844..0000000 --- a/user.list +++ /dev/null 
@@ -1,18 +0,0 @@ - -This file lists all users and groups that have reserved uid/gid and are -created using ansible rules. If a user/group pair is created, they share -the same uid/gid. If a user is member of a system group, leave the group -entry empty. If only a group is created, leave the user entry empty. - -id user group notes -------------------------------------------------------------------------------- -301 influxdb influxdb -302 mongod mongod -303 gitea gitea -305 prometheus prometheus -1001 mirror mirror -1002 certbot certbot -1003 collab collab -1004 docker docker docker registry -1005 backup backup -1007 minecraft minecraft diff --git a/users.md b/users.md new file mode 100644 index 0000000..48a6c2b --- /dev/null +++ b/users.md @@ -0,0 +1,19 @@ +# List of reserved UID and GID numbers + +This file lists all users and groups that have reserved uid/gid and are +created using ansible rules. If a user/group pair is created, they share +the same uid/gid. If a user is member of a system group, leave the group +entry empty. If only a group is created, leave the user entry empty. + +| id | user | group | notes | +|------|------------|------------|-----------------| +| 301 | influxdb | influxdb | | +| 302 | mongod | mongod | | +| 303 | gitea | gitea | | +| 305 | prometheus | prometheus | | +| 1001 | mirror | mirror | | +| 1002 | certbot | certbot | | +| 1003 | collab | collab | | +| 1004 | docker | docker | docker registry | +| 1005 | backup | backup | | +| 1007 | minecraft | minecraft | | From 8df5271accb6feedc57e640c4708d9330e10b703 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 15 Mar 2024 15:58:23 +0000 Subject: [PATCH 192/713] mongodb: Fix mongo client cmd for mongo 6.0 --- roles/mongodb/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index d1dafa9..71ad3ce 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml 
@@ -111,7 +111,7 @@ ansible.builtin.lineinfile: path: /root/.bashrc line: > - alias mongo='mongo + alias mongosh='mongosh --tlsCertificateKeyFile {{ tls_private }}/mongodb.pem --tlsCAFile {{ tls_certs }}/ca.crt --tls mongodb://{{ inventory_hostname }}/' From 7489a0c89531e93b7bf5887541c82b9f6638ec55 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 15 Mar 2024 17:16:16 +0000 Subject: [PATCH 193/713] homeassistant: Move container to different port --- container-ports.md | 19 ++++++++++--------- roles/homeassistant/tasks/main.yml | 2 +- .../homeassistant-container.service.j2 | 2 +- 3 files changed, 12 insertions(+), 11 deletions(-) diff --git a/container-ports.md b/container-ports.md index 3efb0cd..3fc1018 100644 --- a/container-ports.md +++ b/container-ports.md @@ -1,11 +1,12 @@ # Ports used by container web services -| Port | Ansible role | Service name | -|------|--------------|------------------------| -| 8001 | kerberos_kdc | Kerberos KDC | -| 8002 | grafana | Grafana | -| 8003 | authcheck | Authentication check | -| 8004 | roundcube | Roundcube webmail | -| 8005 | php4dvd | php4dvd movie catalog | -| 8006 | scanservjs | SANE Scanner webui | -| 8007 | frigate | Network video recorder | +| Port | Ansible role | Service name | +|------|----------------|------------------------| +| 8001 | kerberos_kdc | Kerberos KDC | +| 8002 | grafana | Grafana | +| 8003 | authcheck | Authentication check | +| 8004 | roundcube | Roundcube webmail | +| 8005 | php4dvd | php4dvd movie catalog | +| 8006 | scanservjs | SANE Scanner webui | +| 8007 | frigate | Network video recorder | +| 8008 | hoemeassistant | Home Assistant | diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index 4d6e1bb..2a510a0 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml 
@@ -148,7 +148,7 @@ dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/homeassistant.conf" content: | location / { - proxy_pass http://127.0.0.1:8001; + proxy_pass http://127.0.0.1:8008; } mode: "0644" owner: root diff --git a/roles/homeassistant/templates/homeassistant-container.service.j2 b/roles/homeassistant/templates/homeassistant-container.service.j2 index 28d325e..9f14fa7 100644 --- a/roles/homeassistant/templates/homeassistant-container.service.j2 +++ b/roles/homeassistant/templates/homeassistant-container.service.j2 @@ -6,7 +6,7 @@ After=network-online.target [Service] User=ha ExecStart=/usr/bin/podman run \ - --rm -p 127.0.0.1:8001:8123 \ + --rm -p 127.0.0.1:8008:8123 \ --name homeassistant \ --env TZ=Europe/Helsinki \ --userns keep-id \ From 1f10474860222d46bd8d1ac84ea931025af491c5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 16 Mar 2024 16:13:56 +0000 Subject: [PATCH 194/713] mongosh: Use startup params and enable replset --- roles/mongodb/tasks/main.yml | 43 +++++++++++++++++++------- roles/mongodb/templates/mongod.conf.j2 | 2 +- 2 files changed, 33 insertions(+), 12 deletions(-) diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index 71ad3ce..41c12a2 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml 
@@ -82,20 +82,39 @@ owner: root group: "{{ ansible_wheel }}" +- name: Create configuration directory + ansible.builtin.file: + path: /etc/mongod + state: directory + mode: 0750 + owner: root + group: mongod + +- name: Copy keyfile + ansible.builtin.copy: + dest: /etc/mongod/mongod.key + src: "{{ ansible_private }}/files/mongod/mongod.key" + mode: "0400" + owner: mongod + group: mongod + notify: Restart mongod + - name: Configure startup options ansible.builtin.copy: dest: /etc/sysconfig/mongod content: | - OPTIONS="-f /etc/mongod.conf --logRotate reopen" - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - notify: Restart mongod - -- name: Create configuration - ansible.builtin.template: - dest: /etc/mongod.conf - src: mongod.conf.j2 + OPTIONS="-f /etc/mongod.conf \ + --auth \ + --bind_ip_all \ + --dbpath /srv/mongodb \ + --keyFile /etc/mongod/mongod.key \ + --logRotate reopen \ + --nounixsocket + --replSet rs0 \ + --tlsMode requireTLS \ + --tlsCertificateKeyFile {{ tls_private }}/mongodb.pem + --tlsCAFile {{ tls_certs }}/ca.crt + --tlsDisabledProtocols TLS1_0,TLS1_1,TLS1_2" mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -114,5 +133,7 @@ alias mongosh='mongosh --tlsCertificateKeyFile {{ tls_private }}/mongodb.pem --tlsCAFile {{ tls_certs }}/ca.crt + --username root + --password {{ mongodb_root_password }} --tls mongodb://{{ inventory_hostname }}/' - regexp: ^alias mongo=.* + regexp: ^alias mongosh=.* diff --git a/roles/mongodb/templates/mongod.conf.j2 b/roles/mongodb/templates/mongod.conf.j2 index a05d000..dd90429 100644 --- a/roles/mongodb/templates/mongod.conf.j2 +++ b/roles/mongodb/templates/mongod.conf.j2 @@ -19,5 +19,5 @@ net: bindIpAll: true tls: mode: requireTLS - certificateKeyFile: /etc/pki/tls/private/mongodb.pem + certificateKeyFile: {{ tls_private }}/mongodb.pem CAFile: {{ tls_certs }}/ca.crt From 1952f5f96e4132735fac9064601a4544a88f85ef Mon Sep 17 00:00:00 2001 
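Review bot: `mode: 0750` in the new "Create configuration directory" task is an unquoted octal, which YAML 1.1 loaders read as the integer 488, while the "Copy keyfile" task a few lines below already writes its mode as a quoted string; use `mode: "0750"` for consistency and to avoid the implicit-typing trap. In the rewritten OPTIONS block the `--nounixsocket`, `--tlsCertificateKeyFile {{ tls_private }}/mongodb.pem` and `--tlsCAFile {{ tls_certs }}/ca.crt` lines lack the trailing `\` that every other continued line carries, so whether the value survives intact depends on how the environment-file parser treats raw newlines inside a quoted value; adding the backslash to each line makes the continuation uniform. The bind, auth, keyfile and TLS settings now also appear both here and in mongod.conf.j2, so a comment stating which source is meant to win would help.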
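Review bot: The added `--password {{ mongodb_root_password }}` writes the MongoDB root password in clear text into /root/.bashrc and places it on the mongosh command line each time the alias is used, where it is visible in the process list and the shell history. Dropping that one line and keeping `--username root` makes mongosh prompt for the password instead, which keeps the secret out of the file and out of argv. The enclosing lineinfile task starts outside the hunk.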
From: Timo Makinen Date: Sat, 16 Mar 2024 18:00:27 +0000 Subject: [PATCH 195/713] rocketchat: First version of role --- container-ports.md | 1 + playbooks/oci-node.yml | 1 + roles/rocketchat/defaults/main.yml | 2 + roles/rocketchat/handlers/main.yml | 6 ++ roles/rocketchat/meta/main.yml | 3 + roles/rocketchat/tasks/main.yml | 74 +++++++++++++++++++ .../templates/rocketchat-container.service.j2 | 21 ++++++ .../rocketchat-container.sysconfig.j2 | 3 + 8 files changed, 111 insertions(+) create mode 100644 roles/rocketchat/defaults/main.yml create mode 100644 roles/rocketchat/handlers/main.yml create mode 100644 roles/rocketchat/meta/main.yml create mode 100644 roles/rocketchat/tasks/main.yml create mode 100644 roles/rocketchat/templates/rocketchat-container.service.j2 create mode 100644 roles/rocketchat/templates/rocketchat-container.sysconfig.j2 diff --git a/container-ports.md b/container-ports.md index 3fc1018..63429e3 100644 --- a/container-ports.md +++ b/container-ports.md @@ -10,3 +10,4 @@ | 8006 | scanservjs | SANE Scanner webui | | 8007 | frigate | Network video recorder | | 8008 | hoemeassistant | Home Assistant | +| 8009 | rocketchat | Rocket.Chat | diff --git a/playbooks/oci-node.yml b/playbooks/oci-node.yml index 5d2a8c7..77c57fd 100644 --- a/playbooks/oci-node.yml +++ b/playbooks/oci-node.yml @@ -33,3 +33,4 @@ when: ansible_fqdn == 'oci-node01.home.foo.sh' - role: roundcube when: ansible_fqdn == 'oci-node01.home.foo.sh' + - rocketchat diff --git a/roles/rocketchat/defaults/main.yml b/roles/rocketchat/defaults/main.yml new file mode 100644 index 0000000..6b40b0a --- /dev/null +++ b/roles/rocketchat/defaults/main.yml @@ -0,0 +1,2 @@ +--- +rocketchat_versin: default diff --git a/roles/rocketchat/handlers/main.yml b/roles/rocketchat/handlers/main.yml new file mode 100644 index 0000000..93b2616 --- /dev/null +++ b/roles/rocketchat/handlers/main.yml 
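Review bot: `- rocketchat` is appended to playbooks/oci-node.yml without the `when: ansible_fqdn == 'oci-node01.home.foo.sh'` guard that the neighbouring `roundcube` entry carries, so if this play targets more than one host the role would run everywhere; if that is intended, a short comment saying so would avoid the question, otherwise `- role: rocketchat` with the same `when:` keeps the file consistent. The enclosing play starts outside the hunk.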
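Review bot: The new default is spelled `rocketchat_versin`, but the service template added in the same commit references `{{ rocketchat_version }}`, so unless that variable is defined elsewhere the template fails to render with an undefined variable; the line should read `rocketchat_version: default`. A comment in defaults noting that the template appends `-alpine` to this value to form the image tag would also help the next reader.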
@@ -0,0 +1,6 @@ +--- +- name: Restart rocketchat + ansible.builtin.systemd: + name: rocketchat-container + daemon_reload: true + state: restarted diff --git a/roles/rocketchat/meta/main.yml b/roles/rocketchat/meta/main.yml new file mode 100644 index 0000000..700494e --- /dev/null +++ b/roles/rocketchat/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: podman} diff --git a/roles/rocketchat/tasks/main.yml b/roles/rocketchat/tasks/main.yml new file mode 100644 index 0000000..07fd33a --- /dev/null +++ b/roles/rocketchat/tasks/main.yml 
@@ -0,0 +1,74 @@ +--- +- name: Create group + ansible.builtin.group: + name: rocketchat + +- name: Create user + ansible.builtin.user: + name: rocketchat + comment: Podman Rocket.Chat + group: rocketchat + shell: /sbin/nologin + +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - rocketchat + creates: /var/lib/systemd/linger/rocketchat + +- name: Generate combined certificate/private key file contents + ansible.builtin.command: + argv: + - /bin/cat + - "{{ tls_certs }}/{{ inventory_hostname }}.crt" + - "{{ tls_private }}/{{ inventory_hostname }}.key" + changed_when: false + check_mode: false + register: rocketchat_cert_key + +- name: Create combined certificate/private key file + ansible.builtin.copy: + dest: "{{ tls_private }}/rocketchat.pem" + content: "{{ rocketchat_cert_key.stdout }}" + mode: "0640" + owner: root + group: rocketchat + notify: Restart rocketchat + +- name: Create service config + ansible.builtin.template: + dest: /etc/sysconfig/rocketchat-container + src: rocketchat-container.sysconfig.j2 + mode: "0600" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart rocketchat + +- name: Create service file + ansible.builtin.template: + dest: /etc/systemd/system/rocketchat-container.service + src: rocketchat-container.service.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart rocketchat + +- name: Enable service + ansible.builtin.service: + name: rocketchat-container + state: started + enabled: true + +- name: Copy nginx config + ansible.builtin.copy: + dest: /etc/nginx/conf.d/{{ inventory_hostname }}/rocketchat-container.conf + content: | + location /rocketchat/ { + proxy_pass http://127.0.0.1:8008/; + } + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart nginx diff --git a/roles/rocketchat/templates/rocketchat-container.service.j2 b/roles/rocketchat/templates/rocketchat-container.service.j2 new file mode 100644 index 0000000..acbb866 
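Review bot: The nginx location at the end of the hunk proxies to `http://127.0.0.1:8008/`, but container-ports.md in this same commit reserves 8009 for rocketchat and 8008 is the port the homeassistant role was just moved to, so the reverse proxy would hit the wrong container if both roles ever land on one host; use `proxy_pass http://127.0.0.1:8009/;` here and the matching `-p 127.0.0.1:8009:3000` in the service template. Separately, the "Generate combined certificate/private key file contents" task registers the host's TLS private key in `rocketchat_cert_key` and the following copy writes it via `content:`, so the key is echoed into Ansible's task output and any log unless both tasks are given `no_log: true`.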
--- /dev/null +++ b/roles/rocketchat/templates/rocketchat-container.service.j2 @@ -0,0 +1,21 @@ +[Unit] +Description=Rocket.Chat Container +Wants=network-online.target +After=network-online.target + +[Service] +User=rocketchat +EnvironmentFile=/etc/sysconfig/rocketchat-container +ExecStartPre=/usr/bin/podman pull docker.io/rocketchat/rocket.chat:{{ rocketchat_version }}-alpine +ExecStart=/usr/bin/podman run \ + --rm -p 127.0.0.1:8008:3000 \ + --name rocketchat \ + --volume={{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \ + --volume={{ tls_private }}/rocketchat.pem:/etc/ssl/private/rocketchat.pem:ro \ + --env ROOT_URL --env MONGO_URL --env MONGO_OPLOG_URL \ + docker.io/rocketchat/rocket.chat:{{ rocketchat_version }}-alpine +ExecStop=/usr/bin/podman stop --ignore rocketchat +ExecStopPost=/usr/bin/podman rm -f --ignore rocketchat + +[Install] +WantedBy=multi-user.target diff --git a/roles/rocketchat/templates/rocketchat-container.sysconfig.j2 b/roles/rocketchat/templates/rocketchat-container.sysconfig.j2 new file mode 100644 index 0000000..e023f32 --- /dev/null +++ b/roles/rocketchat/templates/rocketchat-container.sysconfig.j2 @@ -0,0 +1,3 @@ +ROOT_URL="https://chat.foo.sh/" +MONGO_URL="mongodb://rocketchat:{{ rocketchat_mongodb_pass }}@mongodb01.home.foo.sh:27017/rocketchat?tls=true&tlscafile=/etc/ssl/certs/ca.crt&tlscertificatekeyfile=/etc/ssl/private/rocketchat.pem" +MONGO_OPLOG_URL="mongodb://mongodb01.home.foo.sh:27017/local" From 92ca4fcba40b90adfddb3822003c0226ebdb4069 Mon Sep 17 00:00:00 2001 
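Review bot: `MONGO_OPLOG_URL` in the new sysconfig template connects to mongodb01 with no credentials and no `tls=true`, while `MONGO_URL` on the line above carries both and the mongodb role in this series starts mongod with `--auth` and `--tlsMode requireTLS`, so the oplog connection is likely to be refused; presumably it should use the same user and TLS query parameters as `MONGO_URL`. Since this file holds the database password, a leading `# rendered by ansible; contains the rocketchat DB password, keep mode 0600` comment would document why the task installs it root-only.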
From: Timo Makinen Date: Wed, 20 Mar 2024 20:32:14 +0000 Subject: [PATCH 196/713] nginx_exporter First version of role --- roles/nginx_exporter/defaults/main.yml | 2 + roles/nginx_exporter/handlers/main.yml | 6 ++ roles/nginx_exporter/tasks/main.yml | 83 +++++++++++++++++++ .../templates/nginx_exporter.service.j2 | 23 +++++ .../templates/web-config.yml.j2 | 11 +++ 5 files changed, 125 insertions(+) create mode 100644 roles/nginx_exporter/defaults/main.yml create mode 100644 roles/nginx_exporter/handlers/main.yml create mode 100644 roles/nginx_exporter/tasks/main.yml create mode 100644 roles/nginx_exporter/templates/nginx_exporter.service.j2 create mode 100644 roles/nginx_exporter/templates/web-config.yml.j2 diff --git a/roles/nginx_exporter/defaults/main.yml b/roles/nginx_exporter/defaults/main.yml new file mode 100644 index 0000000..863f6d4 --- /dev/null +++ b/roles/nginx_exporter/defaults/main.yml @@ -0,0 +1,2 @@ +--- +nginx_exporter_pkg: "nginx-prometheus-exporter_{{ nginx_exporter_version }}_linux_amd64" diff --git a/roles/nginx_exporter/handlers/main.yml b/roles/nginx_exporter/handlers/main.yml new file mode 100644 index 0000000..690f1c7 --- /dev/null +++ b/roles/nginx_exporter/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart nginx_exporter + ansible.builtin.systemd: + name: nginx_exporter + daemon_reload: true + state: restarted diff --git a/roles/nginx_exporter/tasks/main.yml b/roles/nginx_exporter/tasks/main.yml new file mode 100644 index 0000000..1c94615 --- /dev/null +++ b/roles/nginx_exporter/tasks/main.yml 
@@ -0,0 +1,83 @@ +--- +- name: Create group + ansible.builtin.group: + name: nginx_exporter + system: true + +- name: Create user + ansible.builtin.user: + name: nginx_exporter + comment: Prometheus NGINX Exporter + group: nginx_exporter + groups: hostkey + create_home: false + home: /var/empty + shell: /sbin/nologin + system: true + +- name: Download package + ansible.builtin.get_url: + url: https://github.com/nginxinc/nginx-prometheus-exporter/releases/download/v{{ nginx_exporter_version }}/{{ nginx_exporter_pkg }}.tar.gz + dest: "/usr/local/src/{{ nginx_exporter_pkg }}.tar.gz" + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + +- name: Create directory for extracing package + ansible.builtin.file: + path: "/usr/local/src/{{ nginx_exporter_pkg }}" + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Extract nginx_exporter + ansible.builtin.unarchive: + src: "/usr/local/src/{{ nginx_exporter_pkg }}.tar.gz" + dest: "/usr/local/src/{{ nginx_exporter_pkg }}" + owner: root + group: "{{ ansible_wheel }}" + creates: "/usr/local/src/{{ nginx_exporter_pkg }}/nginx-prometheus-exporter" + remote_src: true + +- name: Copy binary + ansible.builtin.copy: + dest: "/usr/local/bin/nginx_exporter" + src: "/usr/local/src/{{ nginx_exporter_pkg }}/nginx-prometheus-exporter" + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + remote_src: true + notify: Restart nginx_exporter + +- name: Create config directory + ansible.builtin.file: + path: /etc/nginx_exporter + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Create web-config + ansible.builtin.template: + dest: /etc/nginx_exporter/web-config.yml + src: web-config.yml.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart nginx_exporter + +- name: Create service file + ansible.builtin.template: + dest: /etc/systemd/system/nginx_exporter.service + src: nginx_exporter.service.j2 + mode: "0644" + owner: root + 
group: "{{ ansible_wheel }}" + notify: Restart nginx_exporter + +- name: Enable service + ansible.builtin.service: + name: nginx_exporter + state: started + enabled: true diff --git a/roles/nginx_exporter/templates/nginx_exporter.service.j2 b/roles/nginx_exporter/templates/nginx_exporter.service.j2 new file mode 100644 index 0000000..d9356ca --- /dev/null +++ b/roles/nginx_exporter/templates/nginx_exporter.service.j2 @@ -0,0 +1,23 @@ +[Unit] +Description=Prometheus NGINX Exporter +After=syslog.target +After=network.target + +[Service] +Type=simple +User=nginx_exporter +Group=nginx_exporter +#Environment="SCRAPE_URI={% for host in groups['proxy'] -%}https://{{ host }}/stub_status {% endfor %}" +ExecStart=/usr/local/bin/nginx_exporter \ + --web.config.file=/etc/nginx_exporter/web-config.yml \ +{% for host in groups['proxy'] %} + --nginx.scrape-uri=https://{{ host }}/stub_status \ +{% endfor %} + --nginx.ssl-ca-cert={{ tls_certs }}/ca.crt \ + --nginx.ssl-client-cert={{ tls_certs }}/{{ inventory_hostname }}.crt \ + --nginx.ssl-client-key={{ tls_private }}/{{ inventory_hostname }}.key + +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/roles/nginx_exporter/templates/web-config.yml.j2 b/roles/nginx_exporter/templates/web-config.yml.j2 new file mode 100644 index 0000000..03e5466 --- /dev/null +++ b/roles/nginx_exporter/templates/web-config.yml.j2 @@ -0,0 +1,11 @@ +--- +tls_server_config: + key_file: {{ tls_private }}/{{ inventory_hostname }}.key + cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt + client_ca_file: {{ tls_certs }}/ca.crt + client_auth_type: RequireAndVerifyClientCert + client_allowed_sans: +{% for host in groups['prometheus'] %} + - {{ host }} +{% endfor %} + min_version: TLS13 From 6e4cbe8b4007bc299b1b53391e3e49ba939bbe86 Mon Sep 17 00:00:00 2001 
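Review bot: The `Download package` task fetches the exporter tarball from GitHub with `ansible.builtin.get_url` but sets no `checksum`, so a tampered or truncated download is extracted and installed into /usr/local/bin unverified; pin the release digest, e.g. `checksum: "sha256:<digest of the pinned release tarball>"`, taken from the checksum file the project publishes. The same url line is rewritten in the later "nginx_exporter: Lint fixes" hunk, which would be the natural place to add it. The task name `Create directory for extracing package` also has a typo (`extracting`).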
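Review bot: The `client_allowed_sans` list in web-config.yml.j2 is filled from `groups['prometheus']`, and when that group is empty the rendered key has no entries; as far as I recall exporter-toolkit treats an empty `client_allowed_sans` as "no SAN restriction", so any certificate issued by `ca.crt` would then be accepted rather than none. An `ansible.builtin.assert` on `groups['prometheus'] | length > 0` in the role, or a template comment stating that assumption, would make the fail-closed intent explicit. The same pattern is introduced in the snmp_exporter and mysqld_exporter web-config hunks of the two "Don't hardcode prometheus servers" commits that follow.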
From: Timo Makinen Date: Wed, 20 Mar 2024 20:44:04 +0000 Subject: [PATCH 197/713] nginx_exporter: Remove empty line --- roles/nginx_exporter/templates/nginx_exporter.service.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/nginx_exporter/templates/nginx_exporter.service.j2 b/roles/nginx_exporter/templates/nginx_exporter.service.j2 index d9356ca..133f770 100644 --- a/roles/nginx_exporter/templates/nginx_exporter.service.j2 +++ b/roles/nginx_exporter/templates/nginx_exporter.service.j2 @@ -16,7 +16,6 @@ ExecStart=/usr/local/bin/nginx_exporter \ --nginx.ssl-ca-cert={{ tls_certs }}/ca.crt \ --nginx.ssl-client-cert={{ tls_certs }}/{{ inventory_hostname }}.crt \ --nginx.ssl-client-key={{ tls_private }}/{{ inventory_hostname }}.key - Restart=always [Install] From a7432b2208ae471101732b15123715451fe42052 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 20 Mar 2024 20:44:43 +0000 Subject: [PATCH 198/713] Add nginx_exporter to prometheus servers --- hosts.yml | 1 + playbooks/prometheus.yml | 1 + roles/prometheus/templates/prometheus.yml.j2 | 10 ++++++++++ 3 files changed, 12 insertions(+) diff --git a/hosts.yml b/hosts.yml index 41bcf57..f211541 100644 --- a/hosts.yml +++ b/hosts.yml @@ -99,6 +99,7 @@ prometheus: prometheus02.home.foo.sh: vars: mysqld_exporter_version: "0.15.1" + nginx_exporter_version: "1.1.0" proxy: hosts: proxy01.home.foo.sh: diff --git a/playbooks/prometheus.yml b/playbooks/prometheus.yml index 856b0a3..cef9acf 100644 --- a/playbooks/prometheus.yml +++ b/playbooks/prometheus.yml @@ -27,3 +27,4 @@ - base - prometheus - mysqld_exporter + - nginx_exporter diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2 index 49520f9..ee9c9cb 100644 --- a/roles/prometheus/templates/prometheus.yml.j2 +++ b/roles/prometheus/templates/prometheus.yml.j2 
@@ -29,6 +29,16 @@ scrape_configs: - target_label: __address__ replacement: {{ inventory_hostname }}:9104 + - job_name: nginx + scheme: https + tls_config: + ca_file: "{{ tls_certs }}/ca.crt" + key_file: "{{ tls_private }}/{{ inventory_hostname }}.key" + cert_file: "{{ tls_certs }}/{{ inventory_hostname }}.crt" + static_configs: + - targets: + - {{ inventory_hostname }}:9113 + - job_name: snmp scheme: https tls_config: From 7f5a66e6c81d82d73611ac3857ea5a3f1e23a080 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 20 Mar 2024 20:45:56 +0000 Subject: [PATCH 199/713] nginx_exporter: Remove unused test lines --- roles/nginx_exporter/templates/nginx_exporter.service.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/nginx_exporter/templates/nginx_exporter.service.j2 b/roles/nginx_exporter/templates/nginx_exporter.service.j2 index 133f770..bf1eb12 100644 --- a/roles/nginx_exporter/templates/nginx_exporter.service.j2 +++ b/roles/nginx_exporter/templates/nginx_exporter.service.j2 @@ -7,7 +7,6 @@ After=network.target Type=simple User=nginx_exporter Group=nginx_exporter -#Environment="SCRAPE_URI={% for host in groups['proxy'] -%}https://{{ host }}/stub_status {% endfor %}" ExecStart=/usr/local/bin/nginx_exporter \ --web.config.file=/etc/nginx_exporter/web-config.yml \ {% for host in groups['proxy'] %} From 122e27518b18358f57f67b5626b131cb28fcc734 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 20 Mar 2024 20:47:41 +0000 Subject: [PATCH 200/713] snmp_exporter: Don't hardcode prometheus servers --- roles/snmp_exporter/templates/web-config.yml.j2 | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/snmp_exporter/templates/web-config.yml.j2 b/roles/snmp_exporter/templates/web-config.yml.j2 index b88b84e..eb60f11 100644 --- a/roles/snmp_exporter/templates/web-config.yml.j2 +++ b/roles/snmp_exporter/templates/web-config.yml.j2 
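Review bot: The new target `- {{ inventory_hostname }}:9113` is left unquoted while the `tls_config` values three lines above are quoted, so the file mixes the two styles for templated scalars; writing `- "{{ inventory_hostname }}:9113"` keeps the job consistent and protects the rendered line from YAML re-interpretation should the hostname ever contain a special character. The enclosing `scrape_configs` list starts outside the hunk.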
@@ -5,8 +5,7 @@ tls_server_config: client_ca_file: {{ tls_certs }}/ca.crt client_auth_type: RequireAndVerifyClientCert client_allowed_sans: - - prometheus01.home.foo.sh - - prometheus02.home.foo.sh - - prometheus03.home.foo.sh - - prometheus04.home.foo.sh +{% for host in groups['prometheus'] %} + - {{ host }} +{% endfor %} min_version: TLS13 From 0618cde4d10fccfa8afae9f1c03d3bbebfb23b3d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 20 Mar 2024 20:48:07 +0000 Subject: [PATCH 201/713] mysqld_exporter: Don't hardcode prometheus servers --- roles/mysqld_exporter/templates/web-config.yml.j2 | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/mysqld_exporter/templates/web-config.yml.j2 b/roles/mysqld_exporter/templates/web-config.yml.j2 index 626169b..25b4d05 100644 --- a/roles/mysqld_exporter/templates/web-config.yml.j2 +++ b/roles/mysqld_exporter/templates/web-config.yml.j2 @@ -4,8 +4,7 @@ tls_server_config: client_ca_file: {{ tls_certs }}/ca.crt client_auth_type: RequireAndVerifyClientCert client_allowed_sans: - - prometheus01.home.foo.sh - - prometheus02.home.foo.sh - - prometheus03.home.foo.sh - - prometheus04.home.foo.sh +{% for host in groups['prometheus'] %} + - {{ host }} +{% endfor %} min_version: TLS13 From 917674bac86108bcff5991e461d2390dedcdb613 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 23 Mar 2024 18:19:00 +0000 Subject: [PATCH 202/713] sshca: First version of role --- playbooks/adm.yml | 1 + roles/sshca/files/signcert.sh | 26 +++++++++++++++++++++++++ roles/sshca/tasks/main.yml | 36 +++++++++++++++++++++++++++++++++++ 3 files changed, 63 insertions(+) create mode 100755 roles/sshca/files/signcert.sh create mode 100644 roles/sshca/tasks/main.yml diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 75a6cda..2219ed5 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml 
@@ -27,6 +27,7 @@ - base - ansible_host - certbot + - sshca - role: keytab keytab_principals: - "host/{{ inventory_hostname }}@{{ kerberos_realm }}" diff --git a/roles/sshca/files/signcert.sh b/roles/sshca/files/signcert.sh new file mode 100755 index 0000000..3d237dd --- /dev/null +++ b/roles/sshca/files/signcert.sh @@ -0,0 +1,26 @@ +#!/bin/sh + +set -eu + +umask 022 + +if [ $# -ne 1 ]; then + echo "Usage: $(basename "$0") " 1>&2 + exit 1 +fi + +_basedir="/srv/sshca" +_name="$1" + +if ! echo "$_name" | grep -Eq '.foo.sh$'; then + echo "ERROR: Only '*.foo.sh' certificates are allowed" 1>&2 + exit 1 +fi + +if [ ! -f "/srv/ansible/facts/${_name}" ]; then + echo "ERROR: Cannot find host '${_name}'" 1>&2 + exit 1 +fi + +ssh-keygen -s "${_basedir}/ca/ca" -I "$_name" -n "$_name" -V -5m:+365d -h \ + "${_basedir}/pubkeys/${_name}.pub" diff --git a/roles/sshca/tasks/main.yml b/roles/sshca/tasks/main.yml new file mode 100644 index 0000000..403c94a --- /dev/null +++ b/roles/sshca/tasks/main.yml @@ -0,0 +1,36 @@ +--- +- name: Create datadirectories + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + with_items: + - /export/sshca + - /export/sshca/pubkeys + +- name: Create CA directory + ansible.builtin.file: + path: "/export/ssh/ca" + state: directory + mode: "0700" + owner: root + group: "{{ ansible_wheel }}" + +- name: Link datadirectory + ansible.builtin.file: + dest: /srv/sshca + src: /export/sshca + state: link + owner: root + group: "{{ ansible_wheel }}" + follow: false + +- name: Copy signing script + ansible.builtin.copy: + dest: /srv/sshca/signcert.sh + src: signcert.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" From df2573a650ae3b81ae957a6d7c7430ddaba25d25 Mon Sep 17 00:00:00 2001 
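Review bot: The allow-list check `grep -Eq '.foo.sh$'` uses unescaped dots, so it also accepts names such as `evilfoo.sh`, and nothing rejects a name containing `/`, which is then used to build the `/srv/ansible/facts/${_name}` and `${_basedir}/pubkeys/${_name}.pub` paths. Anchoring and escaping the pattern, `grep -Eq '^[A-Za-z0-9][A-Za-z0-9.-]*\.foo\.sh$'`, tightens both the domain check and the path construction. A one-line header comment stating the script's purpose (sign a host public key in /srv/sshca/pubkeys with the CA in /srv/sshca/ca) would also help.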
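Review bot: The `Create CA directory` task uses `path: "/export/ssh/ca"`, which does not sit under the `/export/sshca` data directory created just above and linked to `/srv/sshca`, while signcert.sh expects the CA at `${_basedir}/ca/ca` (i.e. /srv/sshca/ca/ca); this looks like a typo for `path: "/export/sshca/ca"`. As written the 0700 directory is created in the wrong place and the path the signing script reads from is never provisioned.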
From: Timo Makinen Date: Sat, 23 Mar 2024 18:28:23 +0000 Subject: [PATCH 203/713] sshd: Fix crypto configs for el8 systems --- roles/sshd/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index ff28d65..a90c594 100644 --- a/roles/sshd/tasks/main.yml +++ b/roles/sshd/tasks/main.yml @@ -28,8 +28,8 @@ line: "CRYPTO_POLICY=" notify: Restart sshd when: - - ansible_distribution == "CentOS" - - ansible_distribution_version is version_compare("8", ">=") + - ansible_distribution == "Rocky" + - ansible_distribution_version | int == 8 - name: Tighten ssh kex algorithm ansible.builtin.lineinfile: From 7ce6d5892321c36be7798076adc83b92a0799e03 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 23 Mar 2024 19:18:30 +0000 Subject: [PATCH 204/713] sshd_cert: First version of role --- roles/base/tasks/main.yml | 1 + roles/sshd_cert/meta/main.yml | 3 +++ roles/sshd_cert/tasks/main.yml | 43 ++++++++++++++++++++++++++++++++++ 3 files changed, 47 insertions(+) create mode 100644 roles/sshd_cert/meta/main.yml create mode 100644 roles/sshd_cert/tasks/main.yml diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index d7d7820..03f630d 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -48,6 +48,7 @@ - pki - psacct - sshd + - sshd_cert - node_exporter loop_control: loop_var: role diff --git a/roles/sshd_cert/meta/main.yml b/roles/sshd_cert/meta/main.yml new file mode 100644 index 0000000..bc03e65 --- /dev/null +++ b/roles/sshd_cert/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: sshd} diff --git a/roles/sshd_cert/tasks/main.yml b/roles/sshd_cert/tasks/main.yml new file mode 100644 index 0000000..4852748 --- /dev/null +++ b/roles/sshd_cert/tasks/main.yml 
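Review bot: The new condition `ansible_distribution_version | int == 8` relies on the `int` filter truncating a string such as `8.9`; the fact intended for this is `ansible_distribution_major_version == "8"`, which needs no conversion and is the usual way to select a major release. The change also narrows the match from any CentOS >= 8 to Rocky 8 only, presumably because that is what the inventory now runs, but a comment above the `when:` stating why only el8 needs `CRYPTO_POLICY=` cleared would save the next reader from re-deriving it. The enclosing task starts outside the hunk.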
@@ -0,0 +1,43 @@ +--- +- name: Copy public key for signing + ansible.builtin.fetch: + src: /etc/ssh/ssh_host_ed25519_key.pub + dest: "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub" + flat: true + +- name: Sign key + ansible.builtin.command: + argv: + - ssh-keygen + - -s + - /srv/sshca/ca/ca + - -I + - "{{ inventory_hostname }}" + - -h + - -n + - "{{ inventory_hostname }}" + - -V + - -1h:+365d + - -z + - "{{ ansible_date_time.epoch }}" + - "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub" + creates: "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub" + delegate_to: localhost + +- name: Install certificate + ansible.builtin.copy: + dest: /etc/ssh/ssh_host_ed25519_key-cert.pub + src: "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub" + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart sshd + +- name: Enable host certificate + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + line: HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub + regexp: "^(# )?HostCertificate .*" + insertafter: "^HostKey .*" + validate: "sshd -t -f %s" + notify: Restart sshd From b1c3597fa974eb8b65f34d55af9237922fab0933 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 23 Mar 2024 19:51:32 +0000 Subject: [PATCH 205/713] ssh_known_hosts: Use ssh certificate authority --- roles/ssh_known_hosts/templates/ssh_known_hosts.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/ssh_known_hosts/templates/ssh_known_hosts.j2 b/roles/ssh_known_hosts/templates/ssh_known_hosts.j2 index d6fc971..6019166 100644 --- a/roles/ssh_known_hosts/templates/ssh_known_hosts.j2 +++ b/roles/ssh_known_hosts/templates/ssh_known_hosts.j2 
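Review bot: The `Sign key` task is guarded by `creates:` on the certificate file while the certificate is issued with `-V -1h:+365d`, so after a year the host certificate expires and this role never re-signs it unless someone deletes the file on the controller; the later "Sign if pubkey is newer than cert" hunk replaces the guard with an mtime comparison but still does not renew on age. A renewal condition based on the certificate file's age (re-sign when it is older than some window well inside the 365 days) plus a comment on the task naming the validity period would close that gap. The `-z "{{ ansible_date_time.epoch }}"` serial is fine for uniqueness but is worth a one-line comment too.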
@@ -1,5 +1,5 @@ -{% for host, vars in hostvars|dictsort %} -{% if vars["ansible_ssh_host_key_ed25519_public"] is defined %} -{{ host }} ssh-ed25519 {{ vars["ansible_ssh_host_key_ed25519_public"] }} -{% endif %} +{% set keys = lookup('fileglob', '/srv/sshca/ca/*.pub', wantlist=True) %} +{% for key in keys %} +{% set data = lookup('ansible.builtin.file', key) | split() %} +@cert-authority *.foo.sh {{ data[0:2] | join(' ') }} {% endfor %} From 365d0af6a6b6f48ee415759daf745f324758f525 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 23 Mar 2024 19:54:57 +0000 Subject: [PATCH 206/713] Add global ssh_known_hosts to adm hosts --- playbooks/adm.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 2219ed5..2f99193 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml @@ -28,6 +28,7 @@ - ansible_host - certbot - sshca + - ssh_known_hosts - role: keytab keytab_principals: - "host/{{ inventory_hostname }}@{{ kerberos_realm }}" From 55aed1a36dd16d0e3883afa31e73a93f5edb81f3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 23 Mar 2024 20:29:53 +0000 Subject: [PATCH 207/713] sshd_cert: Add support for aliases in certificate --- roles/sshd_cert/defaults/main.yml | 2 ++ roles/sshd_cert/tasks/main.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 roles/sshd_cert/defaults/main.yml diff --git a/roles/sshd_cert/defaults/main.yml b/roles/sshd_cert/defaults/main.yml new file mode 100644 index 0000000..79b179b --- /dev/null +++ b/roles/sshd_cert/defaults/main.yml @@ -0,0 +1,2 @@ +--- +sshd_cert_hostnames: "{{ ssh_hostnames | default([]) + [inventory_hostname] }}" diff --git a/roles/sshd_cert/tasks/main.yml b/roles/sshd_cert/tasks/main.yml index 4852748..fea0499 100644 --- a/roles/sshd_cert/tasks/main.yml +++ b/roles/sshd_cert/tasks/main.yml @@ -15,7 +15,7 @@ - "{{ inventory_hostname }}" - -h - -n - - "{{ inventory_hostname }}" + - "{{ sshd_cert_hostnames | join(',') }}" - -V - -1h:+365d - -z 
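Review bot: The template now emits only `@cert-authority *.foo.sh …` lines and drops the per-host `ssh-ed25519` entries, so any host that does not receive a certificate from the sshd_cert role is no longer present in the global known_hosts at all; if that is intended, a comment at the top of the template saying that host keys are trusted only via the CA would make it explicit. Note too that `lookup('fileglob', '/srv/sshca/ca/*.pub')` picks up every `.pub` in the CA directory, so a stray or retired key left there becomes trusted for `*.foo.sh` as well.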
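Review bot: The principal list passed to `-n` now comes from `sshd_cert_hostnames`, but the `Sign key` task is still skipped whenever a certificate already exists (its `creates:` guard lies outside this hunk), so hosts signed before this change keep a certificate without the new alias until the file is removed by hand. If alias changes are meant to take effect, the guard needs to account for the principal list as well, for example by recording the principals next to the certificate and comparing them on each run. The enclosing task begins outside the hunk.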
From 61e8ebdd203fd9de5eb1b86d3056d0bc2470a828 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 23 Mar 2024 21:33:13 +0000 Subject: [PATCH 208/713] sshd_cert: Sign if pubkey is newer than cert --- roles/sshd_cert/tasks/main.yml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/roles/sshd_cert/tasks/main.yml b/roles/sshd_cert/tasks/main.yml index fea0499..28aa96d 100644 --- a/roles/sshd_cert/tasks/main.yml +++ b/roles/sshd_cert/tasks/main.yml @@ -5,6 +5,22 @@ dest: "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub" flat: true +- name: Check status of public key + ansible.builtin.stat: + path: "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub" + changed_when: false + failed_when: false + check_mode: false + register: sshd_cert_pubkey + +- name: Check status of certificate + ansible.builtin.stat: + path: "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub" + changed_when: false + failed_when: false + check_mode: false + register: sshd_cert_status + - name: Sign key ansible.builtin.command: argv: @@ -21,7 +37,7 @@ - -z - "{{ ansible_date_time.epoch }}" - "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub" - creates: "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub" + when: not sshd_cert_status.stat.exists or sshd_cert_status.stat.mtime | int < sshd_cert_pubkey.stat.mtime | int delegate_to: localhost - name: Install certificate From 5f4f8e35aa58111fb5135c8f7e0e4054718c3645 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 24 Mar 2024 11:55:08 +0000 Subject: [PATCH 209/713] sshd_cert: Fix checking certificate status --- roles/sshd_cert/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/sshd_cert/tasks/main.yml b/roles/sshd_cert/tasks/main.yml index 28aa96d..c564aab 100644 --- a/roles/sshd_cert/tasks/main.yml +++ b/roles/sshd_cert/tasks/main.yml 
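Review bot: Both new stat tasks set `failed_when: false`, but `ansible.builtin.stat` already reports a missing path as `stat.exists: false` without failing, so the override only masks real errors (unreadable directory, wrong delegate host) and the `when:` in the second hunk then fails on a missing `stat` key with a less useful message; dropping `failed_when: false` and the redundant `changed_when: false` leaves the intent clearer. A comment above that `when:`, e.g. `# re-sign when the fetched public key is newer than the existing certificate`, would also help.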
@@ -11,6 +11,7 @@ changed_when: false failed_when: false check_mode: false + delegate_to: localhost register: sshd_cert_pubkey - name: Check status of certificate @@ -19,6 +20,7 @@ changed_when: false failed_when: false check_mode: false + delegate_to: localhost register: sshd_cert_status - name: Sign key From 315d89c750a059695921a1e5cd15d61c1eacfe20 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 24 Mar 2024 11:55:27 +0000 Subject: [PATCH 210/713] Add ssh host aliases for shell and dna-gw hosts --- group_vars/dnagw.yml | 4 ++++ group_vars/shell.yml | 3 +++ 2 files changed, 7 insertions(+) diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml index 9b2bacc..f224e9f 100644 --- a/group_vars/dnagw.yml +++ b/group_vars/dnagw.yml @@ -21,3 +21,7 @@ firewall_src: pf.conf.gw_home # ifstated config ifstated_config: ifstated-dna.conf.j2 + +# ssh host alaises +ssh_hostnames: + - gw.home.foo.sh diff --git a/group_vars/shell.yml b/group_vars/shell.yml index 19931a2..202b4dc 100644 --- a/group_vars/shell.yml +++ b/group_vars/shell.yml @@ -10,3 +10,6 @@ firewall_in: - {proto: tcp, port: 80} - {proto: tcp, port: 443} - {proto: tcp, port: 9100, from: [62.78.229.29/32]} + +ssh_hostnames: + - shell.foo.sh From d8cf025fbe4bf875761040c4cb6d45c5faf4448b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 24 Mar 2024 18:23:46 +0000 Subject: [PATCH 211/713] sshd_cert: Fix lint errors --- roles/sshd_cert/tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/sshd_cert/tasks/main.yml b/roles/sshd_cert/tasks/main.yml index c564aab..8d5e841 100644 --- a/roles/sshd_cert/tasks/main.yml +++ b/roles/sshd_cert/tasks/main.yml 
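Review bot: Typo in the new comment in group_vars/dnagw.yml: `# ssh host alaises` should read `# ssh host aliases`. The shell.yml hunk in the same commit adds `ssh_hostnames` without any comment; the same one-liner, naming that these become extra principals in the host certificate, would help there too.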
@@ -39,7 +39,9 @@ - -z - "{{ ansible_date_time.epoch }}" - "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub" - when: not sshd_cert_status.stat.exists or sshd_cert_status.stat.mtime | int < sshd_cert_pubkey.stat.mtime | int + when: > + not sshd_cert_status.stat.exists or + sshd_cert_status.stat.mtime | int < sshd_cert_pubkey.stat.mtime | int delegate_to: localhost - name: Install certificate From ea8db3ab6be9b6ec4e412f662e1479df2fc65fdf Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 24 Mar 2024 18:52:31 +0000 Subject: [PATCH 212/713] nginx_exporter: Lint fixes --- roles/nginx_exporter/defaults/main.yml | 3 ++- roles/nginx_exporter/tasks/main.yml | 7 ++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/roles/nginx_exporter/defaults/main.yml b/roles/nginx_exporter/defaults/main.yml index 863f6d4..6f214a3 100644 --- a/roles/nginx_exporter/defaults/main.yml +++ b/roles/nginx_exporter/defaults/main.yml @@ -1,2 +1,3 @@ --- -nginx_exporter_pkg: "nginx-prometheus-exporter_{{ nginx_exporter_version }}_linux_amd64" +nginx_exporter_pkg: >- + nginx-prometheus-exporter_{{ nginx_exporter_version }}_linux_amd64 diff --git a/roles/nginx_exporter/tasks/main.yml b/roles/nginx_exporter/tasks/main.yml index 1c94615..8d445ed 100644 --- a/roles/nginx_exporter/tasks/main.yml +++ b/roles/nginx_exporter/tasks/main.yml @@ -17,7 +17,12 @@ - name: Download package ansible.builtin.get_url: - url: https://github.com/nginxinc/nginx-prometheus-exporter/releases/download/v{{ nginx_exporter_version }}/{{ nginx_exporter_pkg }}.tar.gz + url: >- + {{ + "https://github.com/nginxinc/nginx-prometheus-exporter/releases/" + + "download/v" + nginx_exporter_version + "/" + nginx_exporter_pkg + + ".tar.gz" + }} dest: "/usr/local/src/{{ nginx_exporter_pkg }}.tar.gz" mode: "0644" owner: root From 5aa57c8358aff980fc8191f983ef9e64b254ca70 Mon Sep 17 00:00:00 2001 
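Review bot: The reformatted `url:` still feeds `ansible.builtin.get_url` with no `checksum:` argument, so the exporter tarball fetched from GitHub releases is verified by TLS only; the snmp_exporter and mysqld_exporter hunks in the next two commits have the same gap. Since the version is pinned by `nginx_exporter_version`, a matching `checksum: "sha256:<PLACEHOLDER_SHA256_FOR_PINNED_VERSION>"` (or a per-version table in defaults) would detect a tampered or mis-served archive. The new Jinja string concatenation also raises a TypeError if `nginx_exporter_version` is ever defined as a YAML number rather than a string, where the old `{{ }}` interpolation coerced it; quoting the version in defaults avoids that. The rest of the task (dest, mode, owner) continues below this hunk.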
From: Timo Makinen Date: Sun, 24 Mar 2024 18:56:19 +0000 Subject: [PATCH 213/713] snmp_exporter: Lint fixes --- roles/snmp_exporter/tasks/main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/snmp_exporter/tasks/main.yml b/roles/snmp_exporter/tasks/main.yml index e3a6e9f..57a557b 100644 --- a/roles/snmp_exporter/tasks/main.yml +++ b/roles/snmp_exporter/tasks/main.yml @@ -14,7 +14,11 @@ - name: Download package ansible.builtin.get_url: - url: "https://github.com/prometheus/snmp_exporter/releases/download/v{{ snmp_exporter_version }}/{{ snmp_exporter_pkg }}.tar.gz" + url: >- + {{ + "https://github.com/prometheus/snmp_exporter/releases/download/v" + + snmp_exporter_version + "/" + snmp_exporter_pkg + ".tar.gz" + }} dest: "/usr/local/src/{{ snmp_exporter_pkg }}.tar.gz" mode: "0644" owner: root From 433a9114dfd24727c821410ab9e3af6d8164ff38 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 24 Mar 2024 18:58:52 +0000 Subject: [PATCH 214/713] mysql_exporter: Lint fixes --- roles/mysqld_exporter/tasks/main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/mysqld_exporter/tasks/main.yml b/roles/mysqld_exporter/tasks/main.yml index e69ce1c..1c08cf4 100644 --- a/roles/mysqld_exporter/tasks/main.yml +++ b/roles/mysqld_exporter/tasks/main.yml @@ -17,7 +17,11 @@ - name: Download package ansible.builtin.get_url: - url: "https://github.com/prometheus/mysqld_exporter/releases/download/v{{ mysqld_exporter_version }}/{{ mysqld_exporter_pkg }}.tar.gz" + url: >- + {{ + "https://github.com/prometheus/mysqld_exporter/releases/download/v" + + mysqld_exporter_version + "/" + mysqld_exporter_pkg + ".tar.gz" + }} dest: "/usr/local/src/{{ mysqld_exporter_pkg }}.tar.gz" mode: "0644" owner: root From 6d3b1e15382b54210f17e8a73062211b5b77d1cf Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sun, 24 Mar 2024 19:04:41 +0000 Subject: [PATCH 215/713] tests: Use new naming for tests 0*.sh - Tests for ansible yaml files 1*.sh - Tests for shell scripts --- tests/{03-shellcheck.sh => 11-shellcheck.sh} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tests/{03-shellcheck.sh => 11-shellcheck.sh} (100%) diff --git a/tests/03-shellcheck.sh b/tests/11-shellcheck.sh similarity index 100% rename from tests/03-shellcheck.sh rename to tests/11-shellcheck.sh From 604ae205541936ea01dca94c5694b4561c454efc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 24 Mar 2024 19:24:28 +0000 Subject: [PATCH 216/713] mongodb: Lint fixes --- roles/mongodb/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index 41c12a2..828356c 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml @@ -86,7 +86,7 @@ ansible.builtin.file: path: /etc/mongod state: directory - mode: 0750 + mode: "0750" owner: root group: mongod From 50f02e85acec3b11a0ad6c516691c76cb3b2c638 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 30 Mar 2024 13:55:20 +0000 Subject: [PATCH 217/713] routeros_firmware: Give error if checksum fetch fails --- roles/routeros_firmware/files/download-routeros-firmware.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/routeros_firmware/files/download-routeros-firmware.sh b/roles/routeros_firmware/files/download-routeros-firmware.sh index e6a0b65..8f199f0 100644 --- a/roles/routeros_firmware/files/download-routeros-firmware.sh +++ b/roles/routeros_firmware/files/download-routeros-firmware.sh 
@@ -31,6 +31,10 @@ fi checksum="$(curl -sSf "https://mikrotik.com/download" | \ sed -n 's/.*routeros-[0-9\.]*-arm\.npk<\/td>.*SHA256<\/td>\(.*\)<\/td>.*/\1/p')" +if [ -z "$checksum" ]; then + echo "ERR: Failed to determine package checksum" 1>&2 + exit 1 +fi echo "Downloading new package '${packagename}'" trap 'rm -f -- "${packagename}.tmp"' EXIT From 583b106d39ab04a294e6e1a2a9709afe2f401b25 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 2 Apr 2024 16:47:49 +0000 Subject: [PATCH 218/713] nginx_site: Add more strict headers to collab --- roles/nginx_site/templates/collab.foo.sh.conf.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/nginx_site/templates/collab.foo.sh.conf.j2 b/roles/nginx_site/templates/collab.foo.sh.conf.j2 index d338ce4..93e1c8b 100644 --- a/roles/nginx_site/templates/collab.foo.sh.conf.j2 +++ b/roles/nginx_site/templates/collab.foo.sh.conf.j2 @@ -1 +1,6 @@ client_max_body_size 50m; + + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"; + add_header Referrer-Policy "no-referrer"; + add_header X-Content-Type-Options "nosniff"; + add_header X-XSS-Protection "1; mode=block"; From e57cd06891ee0b4deed6ce59749e70e31038db63 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 2 Apr 2024 18:01:02 +0000 Subject: [PATCH 219/713] nginx_site: Add security headers for movies.foo.sh --- roles/nginx_site/templates/movies.foo.sh.conf.j2 | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 roles/nginx_site/templates/movies.foo.sh.conf.j2 diff --git a/roles/nginx_site/templates/movies.foo.sh.conf.j2 b/roles/nginx_site/templates/movies.foo.sh.conf.j2 new file mode 100644 index 0000000..760e07b --- /dev/null +++ b/roles/nginx_site/templates/movies.foo.sh.conf.j2 
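Review bot: `script-src 'self' 'unsafe-inline'` in the new collab CSP permits inline scripts, which removes most of the XSS protection the header is meant to provide; if the application needs inline scripts, a nonce or hash source keeps the policy meaningful. `add_header X-XSS-Protection "1; mode=block";` is a legacy header that current browsers ignore and whose filter mode has itself caused problems; current guidance is `add_header X-XSS-Protection "0";` or dropping the header. Both points also apply to the movies.foo.sh template in the next commit, whose CSP additionally lacks `frame-ancestors` and `form-action` directives. Note that nginx `add_header` only applies to 2xx/3xx responses unless `always` is appended, and that any `add_header` in a nested location block replaces this whole set rather than extending it.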
@@ -0,0 +1,5 @@ + add_header Content-Security-Policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com"; + add_header Referrer-Policy "no-referrer"; + add_header X-Content-Type-Options "nosniff"; + add_header X-XSS-Protection "1; mode=block"; + From e2fb4921957e254dde454c084a0e868b8383eff9 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 6 Apr 2024 18:27:35 +0000 Subject: [PATCH 220/713] routeros_firmware: Fix download for new html --- .../files/download-routeros-firmware.sh | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/roles/routeros_firmware/files/download-routeros-firmware.sh b/roles/routeros_firmware/files/download-routeros-firmware.sh index 8f199f0..4691f9e 100644 --- a/roles/routeros_firmware/files/download-routeros-firmware.sh +++ b/roles/routeros_firmware/files/download-routeros-firmware.sh @@ -17,8 +17,19 @@ if [ $# -gt 0 ]; then exit 1 fi -packageurl="$(curl -sSf "https://mikrotik.com/download" | \ - sed -n 's/.* ].*/\1/p')" +packageinfo=$(curl -sSf "https://mikrotik.com/download" | awk -F '"' ' + { + if (!url && $0 ~ /routeros-[0-9\.]+-arm.npk/) { + url=$2 + } else if (!found && url && $0 ~ /data-checksum-sha256/) { + print url " " $6 + found = 1 + } + } + ') + +packageurl="$(echo "$packageinfo" | cut -d " " -f 1)" +checksum="$(echo "$packageinfo" | cut -d " " -f 2)" if [ -z "$packageurl" ]; then echo "ERR: Got empty package URL, exiting" 1>&2 exit 1 @@ -29,8 +40,6 @@ if [ -f "$packagename" ]; then exit 0 fi -checksum="$(curl -sSf "https://mikrotik.com/download" | \ - sed -n 's/.*routeros-[0-9\.]*-arm\.npk<\/td>.*SHA256<\/td>\(.*\)<\/td>.*/\1/p')" if [ -z "$checksum" ]; then echo "ERR: Failed to determine package checksum" 1>&2 exit 1 From 7496125098640351398825e7cce571b7d27e2784 Mon Sep 17 00:00:00 2001 
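Review bot: The scraped `packageurl` is handed to the later download `curl` without any check that it is an absolute `https://` URL, and the checksum used to verify the archive is scraped from the very same HTML response that supplied the URL, so the comparison only catches transfer corruption, not a tampered download page. A minimal guard after the existing `-z` test, `case "$packageurl" in https://*) ;; *) echo "ERR: unexpected package URL '${packageurl}'" 1>&2; exit 1;; esac`, at least rejects relative or non-TLS links. In the awk filter, `routeros-[0-9\.]+-arm.npk` leaves the `.` before `npk` unescaped, and `$6` depends on attribute order in the page markup; a comment stating which markup the script expects would make the next breakage easier to diagnose. The download and `sha256sum` comparison are outside this hunk.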
From: Timo Makinen Date: Sat, 6 Apr 2024 18:30:53 +0000 Subject: [PATCH 221/713] routeros_firmware: Show changelog after download --- roles/routeros_firmware/files/download-routeros-firmware.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/routeros_firmware/files/download-routeros-firmware.sh b/roles/routeros_firmware/files/download-routeros-firmware.sh index 4691f9e..b6784bc 100644 --- a/roles/routeros_firmware/files/download-routeros-firmware.sh +++ b/roles/routeros_firmware/files/download-routeros-firmware.sh @@ -55,3 +55,8 @@ if [ "$(sha256sum "${packagename}.tmp" | cut -d " " -f 1)" != "$checksum" ]; the fi mv "${packagename}.tmp" "$packagename" + +echo +curl -sSf "https://cdn.mikrotik.com/routeros/$(echo "$packagename" | cut -d "-" -f 2)/CHANGELOG" +echo +echo From 0d72e9e92031c3f1780c210e29c38dbe3eb49539 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 13:38:21 +0000 Subject: [PATCH 222/713] backup_bitbucket: New role --- .../files/backup-bitbucket.sh | 24 ++++++++++++++ roles/backup_bitbucket/meta/main.yml | 3 ++ roles/backup_bitbucket/tasks/main.yml | 32 +++++++++++++++++++ 3 files changed, 59 insertions(+) create mode 100644 roles/backup_bitbucket/files/backup-bitbucket.sh create mode 100644 roles/backup_bitbucket/meta/main.yml create mode 100644 roles/backup_bitbucket/tasks/main.yml diff --git a/roles/backup_bitbucket/files/backup-bitbucket.sh b/roles/backup_bitbucket/files/backup-bitbucket.sh new file mode 100644 index 0000000..a97097e --- /dev/null +++ b/roles/backup_bitbucket/files/backup-bitbucket.sh 
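Review bot: The changelog fetch added at the end runs after the package has already been moved into place, and if the script runs under `set -e` (its header is outside this hunk) a transient CDN failure on `curl -sSf` makes the whole run exit non-zero even though the download succeeded. Making it best-effort, `curl -sSf "https://cdn.mikrotik.com/routeros/$(echo "$packagename" | cut -d "-" -f 2)/CHANGELOG" || echo "WARN: could not fetch changelog" 1>&2`, keeps the exit status tied to the download. The version segment from `cut -d "-" -f 2` assumes the `routeros-<version>-arm.npk` naming matched by the awk filter earlier in the file; worth a comment on that line.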
@@ -0,0 +1,24 @@ +#!/bin/sh + +USERS="tmakinen" + +set -eu +umask 027 + +cd /srv/backup/bitbucket.org + +for _user in $USERS ; do + curl -sSf "https://api.bitbucket.org/2.0/repositories/${_user}" | \ + jq -r '.values | .[] | [.name, .scm] | @tsv' | \ + while read -r _repo _scm + do + [ "$_scm" = "git" ] || continue + _url="https://bitbucket.org/${_user}/${_repo}" + _gitdir="${_user}/${_repo}" + if [ ! -d "$_gitdir" ]; then + mkdir -p "$_gitdir" + git --git-dir="$_gitdir" init --quiet --bare + fi + git --git-dir="$_gitdir" fetch --quiet --force --prune --tags "$_url" "refs/heads/*:refs/heads/*" + done +done diff --git a/roles/backup_bitbucket/meta/main.yml b/roles/backup_bitbucket/meta/main.yml new file mode 100644 index 0000000..9eea2ce --- /dev/null +++ b/roles/backup_bitbucket/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: backup_server} diff --git a/roles/backup_bitbucket/tasks/main.yml b/roles/backup_bitbucket/tasks/main.yml new file mode 100644 index 0000000..d41605a --- /dev/null +++ b/roles/backup_bitbucket/tasks/main.yml @@ -0,0 +1,32 @@ +--- +- name: Install dependencies + ansible.builtin.package: + name: "{{ item }}" + state: installed + with_items: + - git + - jq + +- name: Create backup directory + ansible.builtin.file: + path: /srv/backup/bitbucket.org + state: directory + mode: "0770" + owner: root + group: backup + +- name: Copy backup script + ansible.builtin.copy: + dest: /usr/local/sbin/backup-bitbucket + src: backup-bitbucket.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Add cron job + ansible.builtin.cron: + name: bitbucket-backup + job: /usr/local/sbin/backup-bitbucket + hour: "03" + minute: "10" + user: backup From 1520f8dabffda36dfacc0432ebdaf117e7260831 Mon Sep 17 00:00:00 2001 
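Review bot: In backup-bitbucket.sh the repository list comes from `curl ... | jq ... | while read`, and in POSIX sh with `set -eu` only the last pipeline element's status counts, so a failed API call yields an empty loop and a silent no-op backup instead of an error. Capturing the list first, `_repos=$(curl -sSf "https://api.bitbucket.org/2.0/repositories/${_user}" | jq -r '.values | .[] | [.name, .scm] | @tsv')`, makes the curl failure fatal before the loop. The Bitbucket 2.0 API also paginates this endpoint (a `next` link in the response), so as written only the first page of repositories is mirrored; a comment noting that limit, or following `.next`, is needed. `fetch --force --prune` mirrors upstream force-pushes and branch deletions into the backup on the next run, so this copy does not protect against destructive changes — worth stating in a header comment.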
From: Timo Makinen Date: Sun, 7 Apr 2024 13:42:32 +0000 Subject: [PATCH 223/713] backup_server: Move bitbucket backup to own role --- roles/backup_server/files/backup-bitbucket.py | 51 ------------------- roles/backup_server/tasks/main.yml | 29 +---------- 2 files changed, 1 insertion(+), 79 deletions(-) delete mode 100644 roles/backup_server/files/backup-bitbucket.py diff --git a/roles/backup_server/files/backup-bitbucket.py b/roles/backup_server/files/backup-bitbucket.py deleted file mode 100644 index 15cb651..0000000 --- a/roles/backup_server/files/backup-bitbucket.py +++ /dev/null @@ -1,51 +0,0 @@ -#!/usr/bin/env python3 - -import os -import json -from subprocess import call -from urllib.request import urlopen - -USERS = ["tmakinen"] -BACKUPDIR = "/srv/backup/bitbucket.org" - - -def repolist(username): - f = urlopen(f"https://api.bitbucket.org/2.0/repositories/{username}") - data = json.load(f) - f.close() - - for repo in data["values"]: - yield ( - { - "name": repo["name"], - "scm": repo["scm"], - "wiki": repo["has_wiki"], - "issues": repo["has_issues"], - } - ) - - -def gitbackup(destination, repo): - if not os.path.exists(destination): - os.makedirs(destination) - call(["git", "clone", "--quiet", repo, destination]) - else: - os.chdir(destination) - call(["git", f"--git-dir={destination}/.git", "pull", "--quiet"]) - - -if __name__ == "__main__": - for user in USERS: - for repo in repolist(user): - if repo["scm"] == "git": - gitbackup( - f"{BACKUPDIR}/{user}/{repo['name']}", - f"https://bitbucket.org/{user}/{repo['name']}.git", - ) - if repo["wiki"]: - gitbackup( - f"{BACKUPDIR}/{user}/{repo['name']}-wiki", - f"https://bitbucket.org/{user}/{repo['name']}.git/wiki", - ) - else: - raise NotImplementedError("{repo['scm']} repositories not supported") diff --git a/roles/backup_server/tasks/main.yml b/roles/backup_server/tasks/main.yml index b952d09..5308e82 100644 --- a/roles/backup_server/tasks/main.yml +++ b/roles/backup_server/tasks/main.yml 
@@ -1,11 +1,8 @@ --- - name: Install packages ansible.builtin.package: - name: "{{ item }}" + name: rclone state: installed - with_items: - - git - - rclone - name: Create backup group ansible.builtin.group: @@ -38,27 +35,3 @@ owner: root group: "{{ ansible_wheel }}" follow: false - -- name: Create Bitbucket backup directory - ansible.builtin.file: - path: /export/backup/bitbucket.org - state: directory - mode: "0775" - owner: root - group: backup - -- name: Install Bitbucket backup script - ansible.builtin.copy: - dest: /usr/local/sbin/backup-bitbucket - src: backup-bitbucket.py - mode: "0755" - owner: root - group: "{{ ansible_wheel }}" - -- name: Add Bitbucket backup cron job - ansible.builtin.cron: - name: bitbucket-backup - job: /usr/local/sbin/backup-bitbucket - hour: "03" - minute: "10" - user: backup From 1a3e1dbeeb108f92d5e2a205fd1df2f6c80e9d7a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 13:43:07 +0000 Subject: [PATCH 224/713] Add bitbucket backups --- playbooks/backup.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/backup.yml b/playbooks/backup.yml index 3973aab..e3e8ec0 100644 --- a/playbooks/backup.yml +++ b/playbooks/backup.yml @@ -26,4 +26,5 @@ roles: - base - backup_server + - backup_bitbucket - sftpbackup From 8752c363918bc42084dda7966b3f2d15a8689329 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 14:09:00 +0000 Subject: [PATCH 225/713] backup_server: Move data to new UID/GID --- roles/backup_server/tasks/main.yml | 4 ++-- users.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/backup_server/tasks/main.yml b/roles/backup_server/tasks/main.yml index 5308e82..94caf61 100644 --- a/roles/backup_server/tasks/main.yml +++ b/roles/backup_server/tasks/main.yml @@ -7,7 +7,7 @@ - name: Create backup group ansible.builtin.group: name: backup - gid: 1005 + gid: 306 - name: Create backup user ansible.builtin.user: 
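Review bot: Changing `gid` from 1005 to 306 via the `group` module (and `uid` in the next hunk) re-numbers the account but does not re-own files already created under the old ids, so after this run existing data under the backup directory created later in this file is owned by an orphaned uid/gid unless a chown happens elsewhere. A one-off `ansible.builtin.command: find /export/backup -user 1005 -exec chown -h 306 {} +` (and likewise for `-group 1005`), or a documented manual step, would close that gap and match the commit's "Move data" intent. The `uid` hunk on the next line has the same issue.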
@@ -17,7 +17,7 @@ group: backup home: /var/empty shell: /bin/sh - uid: 1005 + uid: 306 - name: Create backup directory ansible.builtin.file: diff --git a/users.md b/users.md index 48a6c2b..d0ca8d9 100644 --- a/users.md +++ b/users.md @@ -11,9 +11,9 @@ entry empty. If only a group is created, leave the user entry empty. | 302 | mongod | mongod | | | 303 | gitea | gitea | | | 305 | prometheus | prometheus | | +| 306 | backup | backup | | | 1001 | mirror | mirror | | | 1002 | certbot | certbot | | | 1003 | collab | collab | | | 1004 | docker | docker | docker registry | -| 1005 | backup | backup | | | 1007 | minecraft | minecraft | | From 5cd6edc1b1531005dd916c8d68c9a522129bc408 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 14:09:24 +0000 Subject: [PATCH 226/713] Update to OpenBSD 7.5 --- playbooks/dna-gw.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 1714494..f9672d0 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -70,8 +70,8 @@ - name: Create tftp pxeboot loader for OpenBSD installs ansible.builtin.get_url: - url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.4/amd64/pxeboot" - checksum: sha1:677293059655da474ec81c45ed235b8497017e56 + url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.5/amd64/pxeboot" + checksum: sha1:187d24bc9fddf2b032540017cec375051fc65afc dest: /srv/tftpboot/pxeboot mode: "0644" owner: root @@ -79,8 +79,8 @@ - name: Create tftp ramdisk for OpenBSD installs ansible.builtin.get_url: - url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.4/amd64/bsd.rd" - checksum: sha1:c0af0223ab0aa38c27fd55a2b94873345c2d88f7 + url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.5/amd64/bsd.rd" + checksum: sha1:4362ec59d407f369be4840002cbc6942015afd8c dest: /srv/tftpboot/bsd.rd mode: "0644" owner: root From febee5c72e0894847579c7aae2a58f95640009a9 Mon Sep 17 00:00:00 2001 
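Review bot: Both updated `checksum:` values for the OpenBSD 7.5 pxeboot and bsd.rd downloads still use `sha1:`. OpenBSD publishes SHA256 digests for these files (the SHA256 file and its signify-signed SHA256.sig in the release directory), so `checksum: "sha256:<PLACEHOLDER_SHA256_FROM_RELEASE_SHA256_FILE>"` would match the upstream-provided digests instead of relying on SHA-1; this applies to both the pxeboot and the bsd.rd hunk.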
From: Timo Makinen Date: Sun, 7 Apr 2024 14:35:04 +0000 Subject: [PATCH 227/713] backup_github: New role --- roles/backup_github/files/backup-github.sh | 22 +++++++++++++++ roles/backup_github/meta/main.yml | 3 ++ roles/backup_github/tasks/main.yml | 32 ++++++++++++++++++++++ 3 files changed, 57 insertions(+) create mode 100755 roles/backup_github/files/backup-github.sh create mode 100644 roles/backup_github/meta/main.yml create mode 100644 roles/backup_github/tasks/main.yml diff --git a/roles/backup_github/files/backup-github.sh b/roles/backup_github/files/backup-github.sh new file mode 100755 index 0000000..6d2c598 --- /dev/null +++ b/roles/backup_github/files/backup-github.sh @@ -0,0 +1,22 @@ +#!/bin/sh + +ORGS="foo-sh" + +set -eu +umask 027 + +cd /srv/backup/github.com + +for _org in $ORGS ; do + curl -sSf "https://api.github.com/orgs/foo-sh/repos" | jq -r '.[] | .name' | \ + while read -r _repo + do + _url="https://github.com/${_org}/${_repo}.git" + _gitdir="${_org}/${_repo}" + if [ ! -d "$_gitdir" ]; then + mkdir -p "$_gitdir" + git --git-dir="$_gitdir" init --quiet --bare + fi + git --git-dir="$_gitdir" fetch --quiet --force --prune --tags "$_url" "refs/heads/*:refs/heads/*" + done +done diff --git a/roles/backup_github/meta/main.yml b/roles/backup_github/meta/main.yml new file mode 100644 index 0000000..9eea2ce --- /dev/null +++ b/roles/backup_github/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: backup_server} diff --git a/roles/backup_github/tasks/main.yml b/roles/backup_github/tasks/main.yml new file mode 100644 index 0000000..6d6ffdc --- /dev/null +++ b/roles/backup_github/tasks/main.yml 
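Review bot: The API call in backup-github.sh hardcodes the organisation, `curl -sSf "https://api.github.com/orgs/foo-sh/repos"`, while `_url` and `_gitdir` use `${_org}`, so adding a second entry to `ORGS` would mirror foo-sh's repository list under the other organisation's name; it should be `"https://api.github.com/orgs/${_org}/repos"`. As with the bitbucket script, the GitHub API paginates this endpoint (30 per page by default), so only the first page is mirrored, and a curl failure inside the pipeline is not fatal under plain `set -e`. A header comment stating those limits, or `?per_page=100` plus capturing the list into a variable before the loop, is needed before this is relied on as a backup.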
@@ -0,0 +1,32 @@ +--- +- name: Install dependencies + ansible.builtin.package: + name: "{{ item }}" + state: installed + with_items: + - git + - jq + +- name: Create backup directory + ansible.builtin.file: + path: /srv/backup/github.com + state: directory + mode: "0770" + owner: root + group: backup + +- name: Copy backup script + ansible.builtin.copy: + dest: /usr/local/sbin/backup-github + src: backup-github.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Add cron job + ansible.builtin.cron: + name: github-backup + job: /usr/local/sbin/backup-github + hour: "03" + minute: "20" + user: backup From cd8e979ded29f21289236b6c4ed7288c1b774941 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 14:35:26 +0000 Subject: [PATCH 228/713] Add github backups --- playbooks/backup.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/backup.yml b/playbooks/backup.yml index e3e8ec0..bb1d261 100644 --- a/playbooks/backup.yml +++ b/playbooks/backup.yml @@ -27,4 +27,5 @@ - base - backup_server - backup_bitbucket + - backup_github - sftpbackup From f3293d4b05d563c491434342f9c823557bb990bc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 16:15:38 +0000 Subject: [PATCH 229/713] rclone: Don't use template for backup script --- .../{templates/rclone-sync.sh.j2 => files/rclone-sync.sh} | 4 ++-- roles/rclone/meta/main.yml | 3 +++ roles/rclone/tasks/main.yml | 4 ++-- 3 files changed, 7 insertions(+), 4 deletions(-) rename roles/rclone/{templates/rclone-sync.sh.j2 => files/rclone-sync.sh} (95%) create mode 100644 roles/rclone/meta/main.yml diff --git a/roles/rclone/templates/rclone-sync.sh.j2 b/roles/rclone/files/rclone-sync.sh similarity index 95% rename from roles/rclone/templates/rclone-sync.sh.j2 rename to roles/rclone/files/rclone-sync.sh index a7aadb6..def667c 100755 --- a/roles/rclone/templates/rclone-sync.sh.j2 +++ b/roles/rclone/files/rclone-sync.sh 
@@ -1,9 +1,9 @@ #!/bin/sh -set -u +set -eu umask 027 -TARGET="{{ destination }}" +TARGET="/srv/backup" CONFIG="/etc/rclone/rclone.conf" LOGDIR="/var/log/rclone" RCLONE="/usr/local/bin/rclone" diff --git a/roles/rclone/meta/main.yml b/roles/rclone/meta/main.yml new file mode 100644 index 0000000..9eea2ce --- /dev/null +++ b/roles/rclone/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: backup_server} diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml index 315ed79..9700039 100644 --- a/roles/rclone/tasks/main.yml +++ b/roles/rclone/tasks/main.yml @@ -29,9 +29,9 @@ group: "{{ local_user | default(ansible_wheel) }}" - name: Copy rclone sync script - ansible.builtin.template: + ansible.builtin.copy: dest: /usr/local/bin/rclone-sync - src: rclone-sync.sh.j2 + src: rclone-sync.sh mode: "0755" owner: root group: "{{ ansible_wheel }}" From 5dc08701b2ae5a620ada8bd593fc6daa02c03396 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 16:31:06 +0000 Subject: [PATCH 230/713] backup_server: Allow backup user to write --- roles/backup_server/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/backup_server/tasks/main.yml b/roles/backup_server/tasks/main.yml index 94caf61..18d8222 100644 --- a/roles/backup_server/tasks/main.yml +++ b/roles/backup_server/tasks/main.yml @@ -23,9 +23,9 @@ ansible.builtin.file: path: /export/backup state: directory - mode: "0755" + mode: "0770" owner: root - group: "{{ ansible_wheel }}" + group: backup - name: Link backup directory ansible.builtin.file: From 0a724359dcf946202e7c97a12e83f4f5b171a3ed Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 17:21:41 +0000 Subject: [PATCH 231/713] rclone: Add ssh key generation and run as backup --- roles/rclone/tasks/main.yml | 49 +++++++++++++++++++++------ roles/rclone/templates/rclone.conf.j2 | 2 +- 2 files changed, 39 insertions(+), 12 deletions(-) 
diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml index 9700039..1019fb7 100644 --- a/roles/rclone/tasks/main.yml +++ b/roles/rclone/tasks/main.yml @@ -8,25 +8,55 @@ ansible.builtin.file: path: /etc/rclone state: directory - mode: "0755" + mode: "0750" owner: root - group: "{{ ansible_wheel }}" + group: backup - name: Create host config ansible.builtin.template: dest: /etc/rclone/rclone.conf src: rclone.conf.j2 - mode: "0644" + mode: "0640" owner: root - group: "{{ ansible_wheel }}" + group: backup + +- name: Create ssh keys + ansible.builtin.command: + argv: + - ssh-keygen + - -t + - ed25519 + - -C + - "backup@{{ inventory_hostname }}" + - -N + - "" + - -f + - /etc/rclone/id_ed25519 + creates: /etc/rclone/id_ed25519 + +- name: Fix ssh key permissions + ansible.builtin.file: + path: "{{ item }}" + owner: root + group: backup + mode: "0640" + with_items: + - /etc/rclone/id_ed25519 + - /etc/rclone/id_ed25519.pub + +- name: Fetch ssh public key + ansible.builtin.fetch: + src: /etc/rclone/id_ed25519.pub + dest: ../files/ssh/backup.pub + flat: true - name: Create log directory ansible.builtin.file: path: /var/log/rclone state: directory mode: "0750" - owner: "{{ local_user | default('root') }}" - group: "{{ local_user | default(ansible_wheel) }}" + owner: backup + group: backup - name: Copy rclone sync script ansible.builtin.copy: @@ -40,16 +70,13 @@ ansible.builtin.cron: name: MAILTO env: true - user: "{{ local_user }}" + user: backup value: root - when: - - local_user is defined - - local_user != "root" - name: Add rclone sync cron job ansible.builtin.cron: name: rclone-sync - user: "{{ local_user | default('root') }}" + user: backup hour: "3" minute: "{{ 60 | random(seed=inventory_hostname) }}" job: /usr/local/bin/rclone-sync diff --git a/roles/rclone/templates/rclone.conf.j2 b/roles/rclone/templates/rclone.conf.j2 index 9389314..440fcc6 100644 --- a/roles/rclone/templates/rclone.conf.j2 +++ b/roles/rclone/templates/rclone.conf.j2 
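Review bot: The private key generated at `/etc/rclone/id_ed25519` is left readable by the whole `backup` group (`mode: "0640"`, `group: backup`) even though its only consumer is the `backup` user that the cron jobs now run as. Setting `owner: backup`, `group: backup`, `mode: "0600"` on the private key follows the usual private-key permission model, keeps OpenSSH's own permission checks happy if the key is ever used with the ssh client directly, and limits exposure to the one account; the `.pub` file is not sensitive and can stay `0644`. The `fetch` task then writes that public key to a fixed `../files/ssh/backup.pub` on the controller, so with more than one host running this role the last one wins; a comment stating that a single backup server is assumed would prevent a surprise later.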
@@ -5,6 +5,6 @@ type = sftp host = {{ host }} user = {{ remote_user }} -key_file = {{ private_key | default('~/.ssh/id_ed25519') }} +key_file = /etc/rclone/id_ed25519 known_hosts_file = /etc/ssh/ssh_known_hosts {% endfor %} From 646aada779dd249b1ae58c5a650a3b98d3ac6e2e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 17:22:58 +0000 Subject: [PATCH 232/713] sftpuser: Read ssh key from correct place --- group_vars/all.yml | 3 --- roles/sftpuser/tasks/main.yml | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/group_vars/all.yml b/group_vars/all.yml index 39ac197..4814110 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -31,8 +31,5 @@ boot_url: https://boot.foo.sh # ssh public keys for logsync user logsync_publickeys: "{{ lookup('file', '../files/ssh/logsync.pub') }}" -# ssh public keys for backup user -backup_publickeys: "{{ lookup('file', '../files/ssh/backup.pub') }}" - # hardcode this for now ansible_datacenter: home diff --git a/roles/sftpuser/tasks/main.yml b/roles/sftpuser/tasks/main.yml index 412826c..4821c6c 100644 --- a/roles/sftpuser/tasks/main.yml +++ b/roles/sftpuser/tasks/main.yml @@ -17,7 +17,7 @@ - name: "Create authorized_keys for {{ user }}" ansible.builtin.copy: dest: "/etc/ssh/authorized_keys.{{ user }}" - content: "{{ publickeys | join('\n') + '\n'}}" + src: ../files/ssh/backup.pub mode: "0640" owner: root group: "{{ user }}" From 4d127f05e76b666f6f9f5376e9437cd3df236fb9 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 17:24:06 +0000 Subject: [PATCH 233/713] Don't include backup ssh key in git --- .gitignore | 1 + files/ssh/backup.pub | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) delete mode 100644 files/ssh/backup.pub diff --git a/.gitignore b/.gitignore index d513b9e..afb6b4c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .*.swp __pycache__ +files/ssh/backup.pub diff --git a/files/ssh/backup.pub b/files/ssh/backup.pub deleted file mode 100644 index 336fbc7..0000000 
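Review bot: `src: ../files/ssh/backup.pub` makes the sftpuser role hard-fail wherever that file is missing, and the next commit adds it to `.gitignore`, so a fresh checkout cannot run the collab/ldap/mariadb playbooks until the rclone role has run on the backup server and fetched the key. A comment above the task, `# generated on the backup server by the rclone role (fetch task); run the backup playbook first`, documents the ordering. Replacing the `publickeys | join('\n')` content with a single file also drops support for more than one backup key; if that is intended, say so in the same comment.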
--- a/files/ssh/backup.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdaNO9dLpI8CVx1rwGsKN45Pgiz+Btrlf2Q/nXCx4Ru root@backup02.home.foo.sh From d050c5c723d1679fca28d09bf7f1f56ac4c451e4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 17:36:56 +0000 Subject: [PATCH 234/713] sftpbackup: Remove wrapper role --- playbooks/backup.yml | 2 +- roles/sftpbackup/files/backup-sftp.sh | 29 --------------------------- roles/sftpbackup/meta/main.yml | 3 --- roles/sftpbackup/tasks/main.yml | 9 --------- 4 files changed, 1 insertion(+), 42 deletions(-) delete mode 100644 roles/sftpbackup/files/backup-sftp.sh delete mode 100644 roles/sftpbackup/meta/main.yml delete mode 100644 roles/sftpbackup/tasks/main.yml diff --git a/playbooks/backup.yml b/playbooks/backup.yml index bb1d261..91230bc 100644 --- a/playbooks/backup.yml +++ b/playbooks/backup.yml @@ -28,4 +28,4 @@ - backup_server - backup_bitbucket - backup_github - - sftpbackup + - rclone diff --git a/roles/sftpbackup/files/backup-sftp.sh b/roles/sftpbackup/files/backup-sftp.sh deleted file mode 100644 index 0dcc172..0000000 --- a/roles/sftpbackup/files/backup-sftp.sh +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/sh - -set -u -umas 077 - -TARGET="/export/backup" -CONFIG="/etc/rclone/rclone.conf" -LOGDIR="/var/log/rclone" -RCLONE="/usr/local/bin/rclone" - -timestamp="$(date %Y%m%d)" - -if [ ! -d "$TARGET" ]; then - echo "ERR: Destination directory '${TARGET}' does not exist" 1>&2 - exit 1 -fi - -for host in $("$RCLONE" --config "$CONFIG" listremotes | tr -d ":") ; do - fqdn="$("$RCLONE" --config "$CONFIG" config show "$host" | \ - awk '{ if ($1 == "host") print $3 }')" - if [ ! -d "${TARGET}/${fqdn}" ]; then - mkdir "${TARGET}/${fqdn}" - fi - log="${LOGDIR}/${fqdn}.${timestamp}.log" - if ! "$RCLONE" --config "$CONFIG" --log-file "$log" --log-level INFO \ - sync "${host}:/" "${TARGET}/${fqdn}/"; then - cat "$log" - fi -done 
diff --git a/roles/sftpbackup/meta/main.yml b/roles/sftpbackup/meta/main.yml deleted file mode 100644 index 61cc3ce..0000000 --- a/roles/sftpbackup/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - {role: ssh_known_hosts} diff --git a/roles/sftpbackup/tasks/main.yml b/roles/sftpbackup/tasks/main.yml deleted file mode 100644 index e131de3..0000000 --- a/roles/sftpbackup/tasks/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Import rclone role - ansible.builtin.import_role: - name: rclone - vars: - hostgroup: sftpbackup - remote_user: backup - destination: /export/backup - private_key: /root/.ssh/id_ed25519 From 567691c3c4fc2bc6c97032194da4f5335a87845b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 17:37:46 +0000 Subject: [PATCH 235/713] rclone: Use hardcoded user on remote host --- roles/rclone/templates/rclone.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rclone/templates/rclone.conf.j2 b/roles/rclone/templates/rclone.conf.j2 index 440fcc6..8324411 100644 --- a/roles/rclone/templates/rclone.conf.j2 +++ b/roles/rclone/templates/rclone.conf.j2 @@ -4,7 +4,7 @@ [{{ host.split('.')[0] }}] type = sftp host = {{ host }} -user = {{ remote_user }} +user = backup key_file = /etc/rclone/id_ed25519 known_hosts_file = /etc/ssh/ssh_known_hosts {% endfor %} From 8ef3592786b9ed20bc219a9958ebf3f0aef891b1 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 17:38:03 +0000 Subject: [PATCH 236/713] sftpuser: Hardcode username --- roles/sftpuser/tasks/main.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/roles/sftpuser/tasks/main.yml b/roles/sftpuser/tasks/main.yml index 4821c6c..be66266 100644 --- a/roles/sftpuser/tasks/main.yml +++ b/roles/sftpuser/tasks/main.yml 
@@ -1,35 +1,35 @@ --- -- name: "Create group {{ user }}" +- name: Create group ansible.builtin.group: - name: "{{ user }}" + name: backup system: true -- name: "Create user {{ user }}" +- name: Create user ansible.builtin.user: - name: "{{ user }}" - comment: "Service {{ user }}" + name: backup + comment: Service backup createhome: false - group: "{{ user }}" + group: backup home: /var/empty shell: /sbin/nologin system: true -- name: "Create authorized_keys for {{ user }}" +- name: Create authorized_keys ansible.builtin.copy: - dest: "/etc/ssh/authorized_keys.{{ user }}" + dest: /etc/ssh/authorized_keys.backup src: ../files/ssh/backup.pub mode: "0640" owner: root - group: "{{ user }}" + group: backup - name: Configure sshd chroot ansible.builtin.blockinfile: path: /etc/ssh/sshd_config block: | - Match User {{ user }} + Match User backup ChrootDirectory {{ chroot }} ForceCommand internal-sftp - AuthorizedKeysFile /etc/ssh/authorized_keys.{{ user }} - marker: "# {mark} ANSIBLE MANAGED BLOCK (user {{ user }})" + AuthorizedKeysFile /etc/ssh/authorized_keys.backup + marker: "# {mark} ANSIBLE MANAGED BLOCK (user backup)" validate: "sshd -t -f %s" notify: Restart sshd From 9cb17a88c72d7c10c9da9bd4dcbe37dc961b75cc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 17:42:57 +0000 Subject: [PATCH 237/713] rclone: Hardcode hostgroup for sftp backups --- roles/rclone/templates/rclone.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rclone/templates/rclone.conf.j2 b/roles/rclone/templates/rclone.conf.j2 index 8324411..ac601cd 100644 --- a/roles/rclone/templates/rclone.conf.j2 +++ b/roles/rclone/templates/rclone.conf.j2 @@ -1,5 +1,5 @@ # {{ ansible_managed }} -{% for host in groups[hostgroup] %} +{% for host in groups['sftpbackup'] %} [{{ host.split('.')[0] }}] type = sftp From 29c989711c015bf5c01076c4edb5b1d9c27f06ef Mon Sep 17 00:00:00 2001 
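Review bot: The `Match User backup` block restricts the session to `internal-sftp` but not the SSH channel types that `ForceCommand` does not cover, so a holder of the backup key can still open `ssh -N -L/-R` port forwards, request agent forwarding or a tun device through this host even though it can never get a shell. Since the chroot is meant to confine the account to a dump directory, the block should also carry `AllowTcpForwarding no`, `AllowAgentForwarding no`, `X11Forwarding no` and `PermitTunnel no`; `sshd -t` in the existing `validate` will still accept it. Hard-coding `backup` also makes `files/ssh/backup.pub` the single credential for every chrooted host, which is fine for a pull-based design as long as that key is the one the backup server alone holds — worth a comment on the `authorized_keys` task.

```yaml
- name: Configure sshd chroot
  ansible.builtin.blockinfile:
    path: /etc/ssh/sshd_config
    block: |
      Match User backup
        ChrootDirectory {{ chroot }}
        ForceCommand internal-sftp
        AuthorizedKeysFile /etc/ssh/authorized_keys.backup
        AllowTcpForwarding no
        AllowAgentForwarding no
        X11Forwarding no
        PermitTunnel no
    # … unchanged: marker, validate, notify …
```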
From: Timo Makinen Date: Sun, 7 Apr 2024 17:57:05 +0000 Subject: [PATCH 238/713] sftpuser: Prefix variables correctly --- roles/collab/tasks/main.yml | 4 +--- roles/ldap_server/tasks/main.yml | 4 +--- roles/mariadb/tasks/main.yml | 4 +--- roles/sftpuser/tasks/main.yml | 2 +- 4 files changed, 4 insertions(+), 10 deletions(-) diff --git a/roles/collab/tasks/main.yml b/roles/collab/tasks/main.yml index 6a51371..64c43b9 100644 --- a/roles/collab/tasks/main.yml +++ b/roles/collab/tasks/main.yml @@ -274,9 +274,7 @@ ansible.builtin.import_role: name: sftpuser vars: - chroot: /srv/wikis/collab - user: backup - publickeys: "{{ backup_publickeys }}" + sftpuser_chroot: /srv/wikis/collab - name: Add backup user to collab group ansible.builtin.user: diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index 3d9a76e..c36a8ad 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml @@ -59,9 +59,7 @@ ansible.builtin.import_role: name: sftpuser vars: - chroot: /srv/backup - user: backup - publickeys: "{{ backup_publickeys }}" + sftpuser_chroot: /srv/backup - name: Create backup directory ansible.builtin.file: diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 746da67..13e67cb 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -100,9 +100,7 @@ ansible.builtin.import_role: name: sftpuser vars: - chroot: /srv/backup - user: backup - publickeys: "{{ backup_publickeys }}" + sftpuser_chroot: /srv/backup - name: Create backup directory ansible.builtin.file: diff --git a/roles/sftpuser/tasks/main.yml b/roles/sftpuser/tasks/main.yml index be66266..e6ef7ab 100644 --- a/roles/sftpuser/tasks/main.yml +++ b/roles/sftpuser/tasks/main.yml 
@@ -27,7 +27,7 @@ path: /etc/ssh/sshd_config block: | Match User backup - ChrootDirectory {{ chroot }} + ChrootDirectory {{ sftpuser_chroot }} ForceCommand internal-sftp AuthorizedKeysFile /etc/ssh/authorized_keys.backup marker: "# {mark} ANSIBLE MANAGED BLOCK (user backup)" From 5ba21ae4bf71095788fb653658ca25d5116255be Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 18:02:14 +0000 Subject: [PATCH 239/713] sftpuser: Set default chroot path --- roles/ldap_server/tasks/main.yml | 2 -- roles/mariadb/tasks/main.yml | 2 -- roles/sftpuser/defaults/main.yml | 2 ++ 3 files changed, 2 insertions(+), 4 deletions(-) create mode 100644 roles/sftpuser/defaults/main.yml diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index c36a8ad..5602d60 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml @@ -58,8 +58,6 @@ - name: Import sftpuser role ansible.builtin.import_role: name: sftpuser - vars: - sftpuser_chroot: /srv/backup - name: Create backup directory ansible.builtin.file: diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 13e67cb..00894d6 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -99,8 +99,6 @@ - name: Import sftpuser role ansible.builtin.import_role: name: sftpuser - vars: - sftpuser_chroot: /srv/backup - name: Create backup directory ansible.builtin.file: diff --git a/roles/sftpuser/defaults/main.yml b/roles/sftpuser/defaults/main.yml new file mode 100644 index 0000000..0634078 --- /dev/null +++ b/roles/sftpuser/defaults/main.yml @@ -0,0 +1,2 @@ +--- +sftpuser_chroot: /srv/backup From 8cd80becd79f8e0f987d5163de6a57e383ae881a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 18:06:06 +0000 Subject: [PATCH 240/713] rclone: Don't randomize cron job start time --- roles/rclone/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml index 1019fb7..eaf6bee 100644 --- a/roles/rclone/tasks/main.yml +++ b/roles/rclone/tasks/main.yml @@ -78,5 +78,5 @@ name: rclone-sync user: backup hour: "3" - minute: "{{ 60 | random(seed=inventory_hostname) }}" + minute: "00" job: /usr/local/bin/rclone-sync From f512d8e83e5d323274895968b068e145e2e6fa4b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 18:15:33 +0000 Subject: [PATCH 241/713] rclone: Include ssh_known_hosts role --- roles/rclone/meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/rclone/meta/main.yml b/roles/rclone/meta/main.yml index 9eea2ce..107754b 100644 --- a/roles/rclone/meta/main.yml +++ b/roles/rclone/meta/main.yml @@ -1,3 +1,4 @@ --- dependencies: - {role: backup_server} + - {role: ssh_known_hosts} From 9309a901e310584c11748b31bed37766d52eeed1 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 9 Apr 2024 19:51:56 +0000 Subject: [PATCH 242/713] Monthly software updates --- hosts.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/hosts.yml b/hosts.yml index f211541..50aa429 100644 --- a/hosts.yml +++ b/hosts.yml @@ -26,7 +26,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.7" + gitea_version: "1.21.10" gitearunner: hosts: gitea-runner02.home.foo.sh: @@ -36,11 +36,11 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.3" + homeassistant_version: "2024.4" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git - version: v1.0.15 + version: v1.0.17 - name: nordpool repo: https://github.com/custom-components/nordpool.git version: 0.0.14 @@ -88,8 +88,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "10.3.4" - rocketchat_version: "6.6.3" + grafana_version: "10.4.1" + rocketchat_version: "6.7.0" roundcube_version: "1.6.6" print: hosts: 
From 4ae88c17a022fbd328cd2adab2769ba2d6abb87e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 9 Apr 2024 19:52:36 +0000 Subject: [PATCH 243/713] dhcpd: Hotfix broken ISC DHCPd for OpenBSD --- roles/dhcpd/tasks/main.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/roles/dhcpd/tasks/main.yml b/roles/dhcpd/tasks/main.yml index 7ec173e..4b81ae3 100644 --- a/roles/dhcpd/tasks/main.yml +++ b/roles/dhcpd/tasks/main.yml @@ -17,9 +17,19 @@ # validate: "dhcpd -t -cf %s" notify: Restart dhcpd +- name: Create leases file + ansible.builtin.copy: + dest: /var/db/isc-dhcpd/dhcpd.leases + content: "" + mode: "0644" + owner: _isc-dhcp + group: _isc-dhcp + force: false + when: ansible_os_family == "OpenBSD" + - name: Enable service ansible.builtin.service: name: "{{ dhcpd_service }}" state: started enabled: true - arguments: "-user _isc-dhcp -group _isc-dhcp vio0" + arguments: "-lf /var/db/isc-dhcpd/dhcpd.leases -user _isc-dhcp -group _isc-dhcp vio0" From a275cadcbdffddaa4192e2821cacd8e093a8edd2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 13 Apr 2024 18:43:56 +0000 Subject: [PATCH 244/713] roundcube: Store uploads to databse --- roles/roundcube/templates/local.php.j2 | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/roundcube/templates/local.php.j2 b/roles/roundcube/templates/local.php.j2 index 2935f09..ea54a4b 100644 --- a/roles/roundcube/templates/local.php.j2 +++ b/roles/roundcube/templates/local.php.j2 @@ -3,4 +3,11 @@ $config["domain"] = "{{ mail_domain }}"; $config["product_name"] = "foo.sh - Webmail"; +$config["plugins"] = array( + "database_attachments", +); + +$config['database_attachments_cache'] = 'db'; +$config['database_attachments_cache_ttl'] = 12 * 60 * 60; + ?> From f08c478bf6f36a545c0303ff6f40e7e3c9783799 Mon Sep 17 00:00:00 2001 
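Review bot: The new `-lf /var/db/isc-dhcpd/dhcpd.leases` argument is applied to the service unconditionally while the task that creates that lease file is gated on `ansible_os_family == "OpenBSD"`; if this role is ever applied to another OS family (the `dhcpd_service` variable and the `when` suggest it may be), dhcpd would be started pointing at a file nothing created. Either put the same `when` on `arguments` or move the path together with the `-user/-group` flags into the per-OS vars file. `ansible.builtin.copy` with `content` also does not create a missing parent directory, so if the OpenBSD package does not ship `/var/db/isc-dhcpd` a preceding `ansible.builtin.file: state: directory` task would make the hotfix self-contained — presumably the package does; confirm. The lease file is written `0644`; lease data (MACs, hostnames) is not secret but `0640` matches what the daemon needs.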
From: Timo Makinen Date: Sat, 13 Apr 2024 18:47:40 +0000 Subject: [PATCH 245/713] Run roundcube on all oci-node instances --- playbooks/oci-node.yml | 3 +-- playbooks/proxy.yml | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/oci-node.yml b/playbooks/oci-node.yml index 77c57fd..2c70ab9 100644 --- a/playbooks/oci-node.yml +++ b/playbooks/oci-node.yml @@ -29,8 +29,7 @@ - authcheck - grafana - kdc + - roundcube - role: php4dvd when: ansible_fqdn == 'oci-node01.home.foo.sh' - - role: roundcube - when: ansible_fqdn == 'oci-node01.home.foo.sh' - rocketchat diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index 0a0ed17..f204c5e 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -107,6 +107,7 @@ nginx_site_name: webmail.foo.sh nginx_site_proxy: - https://oci-node01.home.foo.sh/roundcube/ + - https://oci-node02.home.foo.sh/roundcube/ - role: nginx_site nginx_site_name: wpad.foo.sh - role: nginx_site From 80b7a7c97fcfa0e6e4f13550ab92bfb1fc99995d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 13 Apr 2024 20:20:58 +0000 Subject: [PATCH 246/713] google_spell_pspell: Initial version of role --- container-ports.md | 23 ++++---- .../google-spell-pspell-container.service | 16 ++++++ roles/google_spell_pspell/handlers/main.yml | 18 +++++++ roles/google_spell_pspell/meta/main.yml | 5 ++ roles/google_spell_pspell/tasks/main.yml | 54 +++++++++++++++++++ 5 files changed, 105 insertions(+), 11 deletions(-) create mode 100644 roles/google_spell_pspell/files/google-spell-pspell-container.service create mode 100644 roles/google_spell_pspell/handlers/main.yml create mode 100644 roles/google_spell_pspell/meta/main.yml create mode 100644 roles/google_spell_pspell/tasks/main.yml diff --git a/container-ports.md b/container-ports.md index 63429e3..39a8bec 100644 --- a/container-ports.md +++ b/container-ports.md 
@@ -1,13 +1,14 @@ # Ports used by container web services -| Port | Ansible role | Service name | -|------|----------------|------------------------| -| 8001 | kerberos_kdc | Kerberos KDC | -| 8002 | grafana | Grafana | -| 8003 | authcheck | Authentication check | -| 8004 | roundcube | Roundcube webmail | -| 8005 | php4dvd | php4dvd movie catalog | -| 8006 | scanservjs | SANE Scanner webui | -| 8007 | frigate | Network video recorder | -| 8008 | hoemeassistant | Home Assistant | -| 8009 | rocketchat | Rocket.Chat | +| Port | Ansible role | Service name | +|------|---------------------|----------------------------| +| 8001 | kerberos_kdc | Kerberos KDC | +| 8002 | grafana | Grafana | +| 8003 | authcheck | Authentication check | +| 8004 | roundcube | Roundcube webmail | +| 8005 | php4dvd | php4dvd movie catalog | +| 8006 | scanservjs | SANE Scanner webui | +| 8007 | frigate | Network video recorder | +| 8008 | hoemeassistant | Home Assistant | +| 8009 | rocketchat | Rocket.Chat | +| 8010 | google-spell-pspell | Google Spell Check XML API | diff --git a/roles/google_spell_pspell/files/google-spell-pspell-container.service b/roles/google_spell_pspell/files/google-spell-pspell-container.service new file mode 100644 index 0000000..705ff29 --- /dev/null +++ b/roles/google_spell_pspell/files/google-spell-pspell-container.service @@ -0,0 +1,16 @@ +[Unit] +Description=google-spell-pspell Container +Wants=network-online.target +After=network-online.target + +[Service] +User=pspell +ExecStart=/usr/bin/podman run \ + --rm -p 127.0.0.1:8010:80 \ + --name google-spell-pspell \ + google-spell-pspell:latest +ExecStop=/usr/bin/podman stop --ignore google-spell-pspell +ExecStopPost=/usr/bin/podman rm -f --ignore google-spell-pspell + +[Install] +WantedBy=multi-user.target diff --git a/roles/google_spell_pspell/handlers/main.yml b/roles/google_spell_pspell/handlers/main.yml new file mode 100644 index 0000000..c6f29db --- /dev/null +++ b/roles/google_spell_pspell/handlers/main.yml 
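Review bot: `ExecStart` references the image by the unqualified short name `google-spell-pspell:latest`; when the local build is absent (first boot, or after a `podman rmi`) podman may try to resolve that name against the configured unqualified-search registries rather than failing closed, which is the usual name-squatting exposure for locally built images. Name the local image explicitly, `google-spell-pspell:latest` → `localhost/google-spell-pspell:latest`, so it can never resolve to a remote image. The unit also has no `Restart=` policy, so a crashed container stays down until the next Ansible run; `Restart=on-failure` is the common choice for `podman run` units, and `podman generate systemd`/Quadlet would give a unit with proper `Type=notify` wiring if you want start-up status to be accurate.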
@@ -0,0 +1,18 @@ +--- +- name: Rebuild google-spell-pspell-container + ansible.builtin.command: + argv: + - podman + - build + - -t + - google-spell-pspell + - /usr/local/src/docker-google-spell-pspell + become: true + become_user: pspell + notify: Restart google-spell-pspell-container + +- name: Restart google-spell-pspell-container + ansible.builtin.service: + name: google-spell-pspell-container + daemon_reload: true + state: restarted diff --git a/roles/google_spell_pspell/meta/main.yml b/roles/google_spell_pspell/meta/main.yml new file mode 100644 index 0000000..b8e2a3e --- /dev/null +++ b/roles/google_spell_pspell/meta/main.yml @@ -0,0 +1,5 @@ +--- +dependencies: + - {role: git} + - {role: nginx} + - {role: podman} diff --git a/roles/google_spell_pspell/tasks/main.yml b/roles/google_spell_pspell/tasks/main.yml new file mode 100644 index 0000000..2fe09ee --- /dev/null +++ b/roles/google_spell_pspell/tasks/main.yml 
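Review bot: The rebuild handler invokes `podman build` without a pull policy, so a rebuild triggered by a git update reuses whatever base-image layer is already in pspell's local storage and never picks up base-image security updates; add `--pull` (or `--pull=newer` on podman ≥ 4) to the `argv`. The build also runs as `pspell` against a checkout that the role's git task clones as root, so it silently depends on the default umask leaving `/usr/local/src/docker-google-spell-pspell` world-readable — a short comment on the handler would record that assumption. Without `changed_when` the command always reports changed, which is harmless for a handler but noisy.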
@@ -0,0 +1,54 @@ +--- +- name: Create group + ansible.builtin.group: + name: pspell + +- name: Create user + ansible.builtin.user: + name: pspell + comment: Podman google-spell-pspell + group: pspell + shell: /sbin/nologin + +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - pspell + creates: /var/lib/systemd/linger/pspell + +- name: Get container source + ansible.builtin.git: + dest: /usr/local/src/docker-google-spell-pspell + repo: https://github.com/foo-sh/docker-google-spell-pspell.git + update: true + version: main + notify: Rebuild google-spell-pspell-container + +- name: Create service file + ansible.builtin.copy: + dest: /etc/systemd/system/google-spell-pspell-container.service + src: google-spell-pspell-container.service + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart google-spell-pspell-container + +- name: Enable service + ansible.builtin.service: + name: google-spell-pspell-container + state: started + enabled: true + +- name: Copy nginx config + ansible.builtin.copy: + dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/google-spell-pspell.conf" + content: | + location /tbproxy/spell { + proxy_pass http://127.0.0.1:8010/; + } + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart nginx From 518e522a50860c5fb1e425d0f72716cad260ff64 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 16 Apr 2024 07:15:42 +0000 Subject: [PATCH 247/713] Update gitea to latest version --- hosts.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 50aa429..b894fbe 100644 --- a/hosts.yml +++ b/hosts.yml @@ -26,7 +26,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.10" + gitea_version: "1.21.11" gitearunner: hosts: gitea-runner02.home.foo.sh: @@ -104,6 +104,9 @@ proxy: hosts: proxy01.home.foo.sh: proxy02.home.foo.sh: +redis: + hosts: + redis01.home.foo.sh: relay: hosts: relay01.home.foo.sh: 
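Review bot: `Enable service` starts the unit before the image it runs exists: `Get container source` only notifies the Rebuild handler, and handlers run at the end of the play, so on a fresh host `podman run google-spell-pspell:latest` fails and the service task errors until the second run. Insert `- name: Build image before first start` / `ansible.builtin.meta: flush_handlers` immediately before the service task. Separately, `version: main` with `update: true` rebuilds and deploys whatever is on the branch at run time; pinning a tag or commit (bumped in this repository) keeps the deployed container reproducible even though the source is first-party. The nginx `location /tbproxy/spell` is an unauthenticated loopback proxy — presumably intended for the TinyMCE/Thunderbird spell endpoint; confirm the enclosing site applies whatever access control that service should have.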
@@ -151,6 +154,7 @@ openbsd: mqtt: ns: proxy: + redis: relay: rocky8: children: From d7527a8a6ffa8019701d91f67d161db388bdeeac Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 18 Apr 2024 09:27:01 +0000 Subject: [PATCH 248/713] rclone: Fix config directory permissions --- roles/rclone/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml index eaf6bee..13facd4 100644 --- a/roles/rclone/tasks/main.yml +++ b/roles/rclone/tasks/main.yml @@ -8,7 +8,7 @@ ansible.builtin.file: path: /etc/rclone state: directory - mode: "0750" + mode: "0770" owner: root group: backup From 191e322e9e0c32de52579ee856b584d360c9ac14 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 20 Apr 2024 15:18:30 +0000 Subject: [PATCH 249/713] Remove tftp daemon from nms hosts --- playbooks/nms.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 9aa9d4b..3c73d5f 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -30,7 +30,6 @@ nginx_site_name: oob.foo.sh - sssd - mkhomedir - - tftp - routeros_firmware - snmp_exporter From b2da9de4d6335f3b7a5fb559e82f2dba3c55ff3d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 23 Apr 2024 07:19:30 +0000 Subject: [PATCH 250/713] syslogd: Fix local logging on servers --- roles/syslogd/tasks/server.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/syslogd/tasks/server.yml b/roles/syslogd/tasks/server.yml index ca342d1..cfd8e92 100644 --- a/roles/syslogd/tasks/server.yml +++ b/roles/syslogd/tasks/server.yml @@ -46,7 +46,7 @@ # everything goes to archive *.* /srv/log/all.log # only local goes to the standard logs - +{{ inventory_hostname }} + +{{ ansible_hostname }} marker: "# {mark} ANSIBLE MANAGED BLOCK (syslogd)" notify: Restart syslogd From 885c01ebaa2f1a5283ba4a97fef46c3086542a0c Mon Sep 17 00:00:00 2001 
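Review bot: Making `/etc/rclone` group-writable for `backup` (`0770`, owner root) lets the backup account create, rename and delete entries in the directory that holds `rclone.conf` and the `id_ed25519` key referenced as `key_file` in the config template, so a compromise of that account can swap the config or key for its next cron run even though the files themselves stay root-owned. If rclone needs somewhere to write (config saves, cache), give it that location with `--cache-dir` or a backup-owned copy of the config rather than opening the key directory; if the directory really must be writable, at least set the sticky bit, `mode: "1770"`, so root-owned entries cannot be replaced. A comment on the task saying what rclone needed to write would justify the relaxation for the next reader.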
From: Timo Makinen Date: Tue, 23 Apr 2024 15:30:22 +0000 Subject: [PATCH 251/713] mongodb: Limit max connections to database --- roles/mongodb/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index 828356c..329e17d 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml @@ -111,6 +111,7 @@ --logRotate reopen \ --nounixsocket --replSet rs0 \ + --maxConns 16384 \ --tlsMode requireTLS \ --tlsCertificateKeyFile {{ tls_private }}/mongodb.pem --tlsCAFile {{ tls_certs }}/ca.crt From 8c93ba043d35a496b63a2d3d36f91ea70269d9d0 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 25 Apr 2024 05:19:19 +0000 Subject: [PATCH 252/713] Drop aarch64 architecture from epel mirror --- playbooks/mirror.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/mirror.yml b/playbooks/mirror.yml index ea6ed1f..d363ba8 100644 --- a/playbooks/mirror.yml +++ b/playbooks/mirror.yml @@ -39,6 +39,7 @@ mirror_rsyncoptions: - "--exclude=debug" - "--exclude=testing" + - "--exclude=aarch64" - "--exclude=ppc64le" - "--exclude=s390x" - "--exclude=source" From cdbd70ec1df1a73f90acc5cf91ead417107329a8 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 9 May 2024 15:52:59 +0000 Subject: [PATCH 253/713] Update homeassistant --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index b894fbe..dcb70ae 100644 --- a/hosts.yml +++ b/hosts.yml @@ -36,7 +36,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.4" + homeassistant_version: "2024.5" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git From 2329b5d5e63867ab37dee7498bedb9935cfd62d9 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 9 May 2024 18:22:06 +0000 Subject: [PATCH 254/713] Increase memory for log hosts --- group_vars/log.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/group_vars/log.yml b/group_vars/log.yml index 00882e3..f7c44ba 100644 --- a/group_vars/log.yml +++ b/group_vars/log.yml @@ -1,4 +1,5 @@ --- +mem_size: 512 datadisks: - {size: 50, type: nvme} From 3b2c2a453eb437d1045fa49bf808e199e7622a99 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 9 May 2024 18:23:21 +0000 Subject: [PATCH 255/713] unbound: Add support for copying zone files --- group_vars/dnagw.yml | 4 ++++ group_vars/frigate.yml | 4 +++- group_vars/nms.yml | 4 ++++ group_vars/print.yml | 4 ++++ playbooks/dna-gw.yml | 13 ------------- playbooks/frigate.yml | 13 ------------- playbooks/nms.yml | 13 ------------- playbooks/print.yml | 13 ------------- roles/unbound/tasks/main.yml | 11 +++++++++++ roles/unbound/vars/OpenBSD.yml | 1 + roles/unbound/vars/RedHat.yml | 1 + 11 files changed, 28 insertions(+), 53 deletions(-) diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml index f224e9f..3bffd50 100644 --- a/group_vars/dnagw.yml +++ b/group_vars/dnagw.yml @@ -16,6 +16,10 @@ network_ether_interfaces: - device: vio1 proto: none +unbound_zones: + - 20.172.in-addr.arpa + - home.foo.sh + # use custom firewall config firewall_src: pf.conf.gw_home diff --git a/group_vars/frigate.yml b/group_vars/frigate.yml index 03177dc..7a7df80 100644 --- a/group_vars/frigate.yml +++ b/group_vars/frigate.yml @@ -11,7 +11,9 @@ network_vip_interfaces: netmask: 255.255.0.0 pass: "{{ vip26_pass }}" -zm_mysql_host: sqldb02.home.foo.sh +unbound_zones: + - 26.20.172.in-addr.arpa + - cam.foo.sh dhcpd_template: dhcpd.conf.cam.j2 firewall_in: diff --git a/group_vars/nms.yml b/group_vars/nms.yml index 42b35f2..4278cfd 100644 --- a/group_vars/nms.yml +++ b/group_vars/nms.yml @@ -2,6 +2,10 @@ datadisks: - {size: 10, type: nvme} +unbound_zones: + - 25.20.172.in-addr.arpa + - oob.foo.sh + network_vip_interfaces: - device: eth0 vhid: 11 diff --git a/group_vars/print.yml b/group_vars/print.yml index 2dbeb2c..469cb94 100644 --- a/group_vars/print.yml +++ b/group_vars/print.yml 
@@ -9,6 +9,10 @@ network_vip_interfaces: dhcpd_template: dhcpd.conf.print.j2 +unbound_zones: + - 24.20.172.in-addr.arpa + - print.foo.sh + firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 53, from: [172.20.24.0/24]} diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index f9672d0..360d7be 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -144,19 +144,6 @@ tags: certificates notify: Restart unbound - - name: Copy DNS zone files - ansible.builtin.copy: - dest: "/var/unbound/db/{{ item }}" - src: "/srv/dns/{{ item }}" - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - tags: dns - notify: Restart unbound - with_items: - - 20.172.in-addr.arpa - - home.foo.sh - - name: Import unbound role ansible.builtin.import_role: name: unbound diff --git a/playbooks/frigate.yml b/playbooks/frigate.yml index 9da0eb3..2b37b1c 100644 --- a/playbooks/frigate.yml +++ b/playbooks/frigate.yml @@ -35,19 +35,6 @@ - name: Run handlers to get interfaces configured ansible.builtin.meta: flush_handlers - - name: Copy DNS zone files - ansible.builtin.copy: - dest: "/var/lib/unbound/{{ item }}" - src: "/srv/dns/{{ item }}" - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - tags: dns - notify: Restart unbound - with_items: - - 26.20.172.in-addr.arpa - - cam.foo.sh - - name: Include unbound role ansible.builtin.import_role: name: unbound diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 3c73d5f..c557d36 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -46,19 +46,6 @@ vars: relay_domains: [foo.sh] - - name: Copy DNS zone files - ansible.builtin.copy: - dest: "/var/lib/unbound/{{ item }}" - src: "/srv/dns/{{ item }}" - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - tags: dns - notify: Restart unbound - with_items: - - 25.20.172.in-addr.arpa - - oob.foo.sh - - name: Import unbound role ansible.builtin.import_role: name: unbound 
diff --git a/playbooks/print.yml b/playbooks/print.yml index 3a22ad2..baa33c8 100644 --- a/playbooks/print.yml +++ b/playbooks/print.yml @@ -25,19 +25,6 @@ ansible.builtin.import_role: name: dhcpd - - name: Copy DNS zone files - ansible.builtin.copy: - dest: "/var/lib/unbound/{{ item }}" - src: "/srv/dns/{{ item }}" - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - tags: dns - notify: Restart unbound - with_items: - - 24.20.172.in-addr.arpa - - print.foo.sh - - name: Install unbound role ansible.builtin.import_role: name: unbound diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 0c0ef91..5ec99fb 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -15,6 +15,17 @@ creates: "{{ unbound_control_key }}" notify: Restart unbound +- name: Copy zone files + ansible.builtin.copy: + dest: "{{ unbound_zonedir }}/{{ item }}" + src: "/srv/dns/{{ item }}" + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + with_items: "{{ unbound_zones }}" + notify: Restart unbound + when: unbound_zones is defined + - name: Copy config ansible.builtin.template: dest: "{{ unbound_conf }}" diff --git a/roles/unbound/vars/OpenBSD.yml b/roles/unbound/vars/OpenBSD.yml index 4ce4313..c952c8a 100644 --- a/roles/unbound/vars/OpenBSD.yml +++ b/roles/unbound/vars/OpenBSD.yml @@ -1,3 +1,4 @@ --- unbound_conf: /var/unbound/etc/unbound.conf unbound_control_key: /var/unbound/etc/unbound_control.key +unbound_zonedir: /var/unbound/db diff --git a/roles/unbound/vars/RedHat.yml b/roles/unbound/vars/RedHat.yml index 48bfadd..a15473b 100644 --- a/roles/unbound/vars/RedHat.yml +++ b/roles/unbound/vars/RedHat.yml @@ -1,3 +1,4 @@ --- unbound_conf: /etc/unbound/unbound.conf unbound_control_key: /etc/unbound/unbound_control.key +unbound_zonedir: /var/lib/unbound From fd495036f248dbc5131e342fc99e25b48c0acb60 Mon Sep 17 00:00:00 2001 
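Review bot: The zone copy is gated on `unbound_zones is defined`, but the per-host templates that consume the same variable in the following commit iterate it unconditionally, so a host that includes the role without defining it renders nothing here and fails there. Declaring `unbound_zones: []` in `roles/unbound/defaults/main.yml` and dropping the `when` makes both an empty no-op and removes the divergence. The `dest` path is built straight from the zone name; that is inventory-controlled today, but a one-line comment noting the zone list must stay trusted input would document the assumption.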
From: Timo Makinen Date: Thu, 9 May 2024 18:42:42 +0000 Subject: [PATCH 256/713] unbound: Don't hardcode zones --- .../templates/unbound.conf.dna-gw01.home.foo.sh.j2 | 9 ++++----- .../templates/unbound.conf.dna-gw02.home.foo.sh.j2 | 9 ++++----- .../templates/unbound.conf.frigate02.home.foo.sh.j2 | 9 ++++----- .../unbound/templates/unbound.conf.nms01.home.foo.sh.j2 | 9 ++++----- .../templates/unbound.conf.print01.home.foo.sh.j2 | 9 ++++----- 5 files changed, 20 insertions(+), 25 deletions(-) diff --git a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 index 7977574..97db90b 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 @@ -26,9 +26,8 @@ remote-control: control-enable: yes control-interface: /var/run/unbound.sock +{% for zone in unbound_zones %} auth-zone: - name: "home.foo.sh" - zonefile: "/var/unbound/db/home.foo.sh" -auth-zone: - name: "20.172.in-addr.arpa" - zonefile: "/var/unbound/db/20.172.in-addr.arpa" + name: "{{ zone }}" + zonefile: "{{ unbound_zonedir }}/{{ zone }}" +{% endfor %} diff --git a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 index c7090c2..59d99d8 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 @@ -26,9 +26,8 @@ remote-control: control-enable: yes control-interface: /var/run/unbound.sock +{% for zone in unbound_zones %} auth-zone: - name: "home.foo.sh" - zonefile: "/var/unbound/db/home.foo.sh" -auth-zone: - name: "20.172.in-addr.arpa" - zonefile: "/var/unbound/db/20.172.in-addr.arpa" + name: "{{ zone }}" + zonefile: "{{ unbound_zonedir }}/{{ zone }}" +{% endfor %} 
diff --git a/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 index a4d3f59..4fa13e5 100644 --- a/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 @@ -30,9 +30,8 @@ forward-zone: name: "." forward-addr: 172.20.20.10@853#dns.home.foo.sh +{% for zone in unbound_zones %} auth-zone: - name: "cam.foo.sh" - zonefile: "/var/lib/unbound/cam.foo.sh" -auth-zone: - name: "26.20.172.in-addr.arpa" - zonefile: "/var/lib/unbound/26.20.172.in-addr.arpa" + name: "{{ zone }}" + zonefile: "{{ unbound_zonedir }}/{{ zone }}" +{% endfor %} diff --git a/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 index a842fcd..5812def 100644 --- a/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 @@ -30,9 +30,8 @@ forward-zone: name: "." forward-addr: 172.20.20.10@853#dns.home.foo.sh +{% for zone in unbound_zones %} auth-zone: - name: "oob.foo.sh" - zonefile: "/var/lib/unbound/oob.foo.sh" -auth-zone: - name: "25.20.172.in-addr.arpa" - zonefile: "/var/lib/unbound/25.20.172.in-addr.arpa" + name: "{{ zone }}" + zonefile: "{{ unbound_zonedir }}/{{ zone }}" +{% endfor %} diff --git a/roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2 index 4799b50..46a4ab4 100644 --- a/roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2 
@@ -30,9 +30,8 @@ forward-zone: name: "." forward-addr: 172.20.20.10@853#dns.home.foo.sh +{% for zone in unbound_zones %} auth-zone: - name: "print.foo.sh" - zonefile: "/var/lib/unbound/print.foo.sh" -auth-zone: - name: "24.20.172.in-addr.arpa" - zonefile: "/var/lib/unbound/24.20.172.in-addr.arpa" + name: "{{ zone }}" + zonefile: "{{ unbound_zonedir }}/{{ zone }}" +{% endfor %} From eb1b324c8d44e29088b58062f1b530cc0d0fdb35 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 9 May 2024 19:42:35 +0000 Subject: [PATCH 257/713] network: Add support for NetworkManager --- roles/network/tasks/RedHat.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/roles/network/tasks/RedHat.yml b/roles/network/tasks/RedHat.yml index 7c04aa3..96e3734 100644 --- a/roles/network/tasks/RedHat.yml +++ b/roles/network/tasks/RedHat.yml @@ -18,8 +18,24 @@ mode: "0644" owner: root group: "{{ ansible_wheel }}" + # notify: Reload network manager connections + with_items: "{{ network_interfaces }}" + when: + - ansible_distribution != "Fedora" + - ansible_distribution_major_version | int <= 8 + +- name: Create ethernet interface configurations + ansible.builtin.template: + src: nmconnection.j2 + dest: "/etc/NetworkManager/system-connections/{{ item.device }}.nmconnection" + mode: "0600" + owner: root + group: "{{ ansible_wheel }}" notify: Reload network manager connections with_items: "{{ network_interfaces }}" + when: >- + ansible_distribution == "Fedora" or + ansible_distribution_major_version | int >= 9 - name: Install keepalived ansible.builtin.package: From ce46c5fb90bac5c195a6d35465e33bb10aeb6dc0 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 9 May 2024 20:08:34 +0000 Subject: [PATCH 258/713] Remove sshscan and sslscan from nms hosts --- playbooks/nms.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/playbooks/nms.yml b/playbooks/nms.yml index c557d36..d3eeea7 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml 
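Review bot: The existing ifcfg task loses its handler — `notify: Reload network manager connections` is now commented out — so on EL ≤ 8 a changed `ifcfg-*` file is written but never applied until something else reloads NetworkManager; if that is deliberate (for example because a reload was unreliable on those hosts), say so in a comment next to the commented line, otherwise restore the notify. The two `when` conditions are complementary only because the first excludes Fedora and the second includes it explicitly; a shared fact such as `network_use_keyfile: "{{ ansible_distribution == 'Fedora' or ansible_distribution_major_version | int >= 9 }}"` would keep them from drifting. `mode: "0600"` on the keyfile is correct since NetworkManager treats connection files readable by others as untrusted.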
@@ -65,7 +65,5 @@ - net-snmp-utils - nmap - rcs - - scanssh - - sslscan - unzip - wget From 7c7b632fc882b719d417bf91abde6532b082eb50 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 10 May 2024 00:17:50 +0000 Subject: [PATCH 259/713] network: Add missing template --- roles/network/templates/nmconnection.j2 | 42 +++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 roles/network/templates/nmconnection.j2 diff --git a/roles/network/templates/nmconnection.j2 b/roles/network/templates/nmconnection.j2 new file mode 100644 index 0000000..3e7797d --- /dev/null +++ b/roles/network/templates/nmconnection.j2 @@ -0,0 +1,42 @@ +[connection] +id={{ item.device }} +{% for line in interface_uuid.stdout_lines %} +{% if line.split()[0] == item.device %} +uuid={{ line.split()[1] }} +{% elif line.split()[2] == item.device %} +uuid={{ line.split()[1] }} +{% endif %} +{% endfor %} +type=ethernet +interface-name={{ item.device }} + +[ethernet] + +[ipv4] +{% if item.proto is not defined or item.proto == 'dhcp' %} +method=auto +{% elif item.proto == 'static' %} +method=manual +address1={{ item.ipaddr }}/{{ item.netmask }} +{% if item.gateway is defined %} +gateway={{ item.gateway }} +{% endif %} +{% elif item.proto == 'none' %} +method=disabled +{% endif %} +{% if item.nameservers is defined %} +dns={% for name in item.nameservers %}{{ name }};{% endfor %} +{% endif %} + +[ipv6] +addr-gen-mode=eui64 +{% if item.ip6addr is not defined or item.ip6addr == 'none' %} +method=disabled +{% elif item.ip6addr == 'auto' %} +method=auto +{% else %} +method=manual +address1={{ item.ip6addr }} +{% endif %} + +[proxy] From 2ac737061316ee9b07a08b22550b1a7f795e7b38 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 10 May 2024 00:25:24 +0000 Subject: [PATCH 260/713] network: Fix empty nameserver list --- roles/network/templates/nmconnection.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
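Review bot: The uuid lookup in `[connection]` indexes `line.split()[2]` for every line of `interface_uuid.stdout_lines` that did not match on column 0, so any line with fewer than three fields (a header, a blank line, a connection with no device) aborts the render with an IndexError instead of being skipped; guard it with `{% set f = line.split() %}` and `{% if f | length >= 3 and (f[0] == item.device or f[2] == item.device) %}`. When no line matches, the file is written without `uuid=` and NetworkManager assigns one, so the connection identity is not stable across re-renders — presumably acceptable, but worth a `{# uuid omitted: NM generates one #}` comment. `addr-gen-mode=eui64` embeds the interface MAC in the IPv6 address; for internal servers that is usually intended, but `stable-privacy` is the choice if any of these hosts are reachable from outside. `interface_uuid` is registered by a task outside this hunk.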
diff --git a/roles/network/templates/nmconnection.j2 b/roles/network/templates/nmconnection.j2 index 3e7797d..2dc1ef9 100644 --- a/roles/network/templates/nmconnection.j2 +++ b/roles/network/templates/nmconnection.j2 @@ -24,7 +24,7 @@ gateway={{ item.gateway }} {% elif item.proto == 'none' %} method=disabled {% endif %} -{% if item.nameservers is defined %} +{% if item.nameservers is defined and item.nameservers != [] %} dns={% for name in item.nameservers %}{{ name }};{% endfor %} {% endif %} From 8aa7a8aaa2f6ea2baf3b001df4fb0d7407442e2b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 10 May 2024 01:08:04 +0000 Subject: [PATCH 261/713] network: Fix setting DNS server priorities --- roles/network/templates/nmconnection.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/network/templates/nmconnection.j2 b/roles/network/templates/nmconnection.j2 index 2dc1ef9..867c357 100644 --- a/roles/network/templates/nmconnection.j2 +++ b/roles/network/templates/nmconnection.j2 @@ -26,6 +26,8 @@ method=disabled {% endif %} {% if item.nameservers is defined and item.nameservers != [] %} dns={% for name in item.nameservers %}{{ name }};{% endfor %} + +dns-priority=-10 {% endif %} [ipv6] From e35f425d077f42295a207067304671fd0158f04b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 10 May 2024 01:46:28 +0000 Subject: [PATCH 262/713] Update bunch of hosts to rocky linux 9 --- hosts.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/hosts.yml b/hosts.yml index dcb70ae..7b77ec4 100644 --- a/hosts.yml +++ b/hosts.yml @@ -159,23 +159,23 @@ openbsd: rocky8: children: collab: - frigate: - homeassistant: mail: - minecraft: nas: - nms: - print: shell: rocky9: children: adm: + frigate: gitea: + homeassistant: influxdb: ldap: + minecraft: mirror: mongodb: + nms: ocinode: + print: prometheus: sane: sqldb: From 42fddcc2781825635d1e683eda83b873f5992d9a Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Fri, 10 May 2024 15:12:03 +0000 Subject: [PATCH 263/713] nginx: Enable nginx 1.24 module for EL9 --- roles/nginx/tasks/main.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 03e8151..3c2af48 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -14,7 +14,22 @@ notify: Restart nginx when: - ansible_os_family == "RedHat" - - ansible_distribution_major_version | int >= 8 + - ansible_distribution_major_version | int == 8 + - ansible_distribution != "Fedora" + +- name: Enable nginx:124 module + ansible.builtin.command: + argv: + - dnf + - module + - -y + - enable + - nginx:1.22 + creates: /etc/dnf/modules.d/nginx.module + notify: Restart nginx + when: + - ansible_os_family == "RedHat" + - ansible_distribution_major_version | int >= 9 - ansible_distribution != "Fedora" - name: Install packages From 2a750a57f362f82ec79ed29bbe90caff17b51873 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 10 May 2024 15:14:53 +0000 Subject: [PATCH 264/713] nginx_site: Add support for disabling plain text --- roles/nginx_site/defaults/main.yml | 2 ++ roles/nginx_site/templates/site.conf.j2 | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 roles/nginx_site/defaults/main.yml diff --git a/roles/nginx_site/defaults/main.yml b/roles/nginx_site/defaults/main.yml new file mode 100644 index 0000000..2296dbc --- /dev/null +++ b/roles/nginx_site/defaults/main.yml @@ -0,0 +1,2 @@ +--- +nginx_site_plaintext: true diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 index 6e4117b..f3af053 100644 --- a/roles/nginx_site/templates/site.conf.j2 +++ b/roles/nginx_site/templates/site.conf.j2 @@ -48,6 +48,7 @@ server { root /srv/web/{{ nginx_site_name }}; {% endif %} } +{% if nginx_site_plaintext %} server { listen 80; @@ -64,3 +65,4 @@ server { {% endif %} } } +{% endif %} 
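Review bot: The `creates: /etc/dnf/modules.d/nginx.module` guard makes the new `dnf module enable` task a no-op on every host where any nginx stream was ever enabled, so a host carrying an older stream keeps it silently and the task never corrects the drift; the argv also says `nginx:1.22` while the task name says `Enable nginx:124`, exactly the kind of mismatch the guard would hide. Register `dnf module list --enabled nginx` with `changed_when: false` and run the enable only `when: nginx_stream not in module_list.stdout`, with the stream held in one variable used by both the task name and the argv. Narrowing the previous task to `== 8` also drops EL7; a comment stating that no EL7 hosts remain would make that deliberate.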
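Review bot: With `nginx_site_plaintext: false` the whole `listen 80` server block disappears, and with it both the `/.well-known/acme-challenge/` proxy and the `return 301 https://...` redirect in the second hunk, so HTTP-01 renewals for that site stop working unless its certificate comes from somewhere else (DNS-01 or a wildcard), and clients typing the bare hostname get a refused connection instead of a redirect. If the goal is only to stop serving content over HTTP, keep a minimal port-80 server that still serves the ACME location and answers everything else with `return 301` (or `444`), and gate only the `location /` body on the flag. A one-line comment at `{% if nginx_site_plaintext %}` noting that it also disables ACME relaying on that host makes the trade-off explicit. The `server { listen 80; ... }` body continues between the two hunks.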
From 91f1fe3fbc026255c1d2cdc4b428a1e712aeeb8e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 10 May 2024 15:15:41 +0000 Subject: [PATCH 265/713] Don't enable plain text web server on nms hosts --- playbooks/nms.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/nms.yml b/playbooks/nms.yml index d3eeea7..e4d523e 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -28,6 +28,7 @@ - nginx - role: nginx_site nginx_site_name: oob.foo.sh + nginx_site_plaintext: false - sssd - mkhomedir - routeros_firmware From c06d3cdc7e48870bf0f3024c926a32669d4861de Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 10 May 2024 16:14:33 +0000 Subject: [PATCH 266/713] nginx: Fix typo --- roles/nginx/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 3c2af48..14e5d2a 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -24,7 +24,7 @@ - module - -y - enable - - nginx:1.22 + - nginx:1.24 creates: /etc/dnf/modules.d/nginx.module notify: Restart nginx when: From da371980aaf0f47c31bbe33eaa6dcbbe9040631d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 10 May 2024 16:22:42 +0000 Subject: [PATCH 267/713] nginx: Fix crash on el9 with plain text http --- roles/nginx/templates/nginx.conf.j2 | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index 85c6ecc..80f7786 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 
@@ -10,13 +10,6 @@ events { http { access_log {{ nginx_logdir }}/access.log combined; - proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt; - proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key; - proxy_ssl_trusted_certificate {{ tls_certs }}/ca.crt; - proxy_ssl_protocols TLSv1.2 TLSv1.3; - proxy_ssl_server_name on; - proxy_ssl_verify on; - map $http_upgrade $connection_upgrade { default upgrade; '' close; @@ -42,6 +35,13 @@ http { } } {% else %} + proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt; + proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key; + proxy_ssl_trusted_certificate {{ tls_certs }}/ca.crt; + proxy_ssl_protocols TLSv1.2 TLSv1.3; + proxy_ssl_server_name on; + proxy_ssl_verify on; + ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; From f4b34de6c4e120ba9f1bb2dc1e718252a0067c80 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 11 May 2024 09:03:22 +0000 Subject: [PATCH 268/713] Continue el9 upgrades --- hosts.yml | 4 ++-- playbooks/shell.yml | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/hosts.yml b/hosts.yml index 7b77ec4..c1c5339 100644 --- a/hosts.yml +++ b/hosts.yml @@ -160,8 +160,6 @@ rocky8: children: collab: mail: - nas: - shell: rocky9: children: adm: @@ -173,11 +171,13 @@ rocky9: minecraft: mirror: mongodb: + nas: nms: ocinode: print: prometheus: sane: + shell: sqldb: static: vmhost: diff --git a/playbooks/shell.yml b/playbooks/shell.yml index 2f031da..9b4b060 100644 --- a/playbooks/shell.yml +++ b/playbooks/shell.yml @@ -24,7 +24,6 @@ - thinlinc_server - epel_repo - foosh_repo - - powertools_repo - role: nginx nginx_plaintext: true @@ -63,6 +62,7 @@ - pandoc - php-cli - python3-netaddr + - python3-requests - rcs - rpmlint - syslinux @@ -71,7 +71,6 @@ - tmux - whois - wireshark - - wkhtmltopdf - yamllint - zsh loop_control: From e20873cbd3ba1922e7c439b414eb37350a52003d Mon Sep 17 00:00:00 2001 
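Review bot: Moving `proxy_ssl_verify on`, `proxy_ssl_trusted_certificate` and the client certificate into the `{% else %}` branch means hosts rendered through the other branch (the plaintext case, judging by the commit message; the `{% if %}` itself is outside the hunk) now contact any `proxy_pass https://...` upstream without certificate verification or a client cert — a silent downgrade rather than a fix for the crash. If the crash is that `proxy_ssl_certificate` points at a host certificate the plaintext hosts do not have, keep `proxy_ssl_verify on`, `proxy_ssl_trusted_certificate {{ tls_certs }}/ca.crt` and `proxy_ssl_protocols TLSv1.2 TLSv1.3` in the common `http {}` section and put only the two `proxy_ssl_certificate*` lines behind a condition on the certificate's existence. That keeps verification unconditional while still avoiding the missing-file error.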
From: Timo Makinen Date: Sat, 11 May 2024 17:29:29 +0000 Subject: [PATCH 269/713] network: Set netmask in correct format --- roles/network/templates/nmconnection.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/network/templates/nmconnection.j2 b/roles/network/templates/nmconnection.j2 index 867c357..4a27ddb 100644 --- a/roles/network/templates/nmconnection.j2 +++ b/roles/network/templates/nmconnection.j2 @@ -17,7 +17,7 @@ interface-name={{ item.device }} method=auto {% elif item.proto == 'static' %} method=manual -address1={{ item.ipaddr }}/{{ item.netmask }} +address1={{ item.ipaddr }}/{{ (item.ipaddr + '/' + item.netmask) | ansible.utils.ipaddr('prefix') }} {% if item.gateway is defined %} gateway={{ item.gateway }} {% endif %} From a25cd83e947fd53dca56f1020d07d9604add69ed Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 11 May 2024 19:00:51 +0000 Subject: [PATCH 270/713] Revert "nginx: Fix crash on el9 with plain text http" This reverts commit da371980aaf0f47c31bbe33eaa6dcbbe9040631d. --- roles/nginx/templates/nginx.conf.j2 | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index 80f7786..85c6ecc 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -10,6 +10,13 @@ events { http { access_log {{ nginx_logdir }}/access.log combined; + proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt; + proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key; + proxy_ssl_trusted_certificate {{ tls_certs }}/ca.crt; + proxy_ssl_protocols TLSv1.2 TLSv1.3; + proxy_ssl_server_name on; + proxy_ssl_verify on; + map $http_upgrade $connection_upgrade { default upgrade; '' close; 
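Review bot: `ansible.utils.ipaddr('prefix')` yields `False` (rendered as an empty string) when `item.ipaddr` and `item.netmask` do not form a valid address, so an inventory typo renders `address1=<ip>/` and NetworkManager rejects the connection at load time instead of the play failing; validate before rendering, e.g. an `ansible.builtin.assert` over `network_interfaces` with `that: item.proto != 'static' or (item.ipaddr ~ '/' ~ item.netmask) | ansible.utils.ipaddr`, or compute the prefix once in the template with `{% set prefix = ... %}` and fail on a falsy value. The line also introduces a dependency on the `ansible.utils` collection that should be declared in the role's `meta/main.yml` or the repo's `requirements.yml` (not visible here). The `[ipv4]` section this line sits in starts before the hunk.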
@@ -35,13 +42,6 @@ http { } } {% else %} - proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt; - proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key; - proxy_ssl_trusted_certificate {{ tls_certs }}/ca.crt; - proxy_ssl_protocols TLSv1.2 TLSv1.3; - proxy_ssl_server_name on; - proxy_ssl_verify on; - ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; From a2fe24955b3ba61f3a9fb3863a4437dad7f1c1c3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 11 May 2024 19:01:13 +0000 Subject: [PATCH 271/713] nginx_site: Use plain http for certbot --- roles/nginx_site/templates/site.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 index f3af053..fc70329 100644 --- a/roles/nginx_site/templates/site.conf.j2 +++ b/roles/nginx_site/templates/site.conf.j2 @@ -55,7 +55,7 @@ server { listen [::]:80; server_name {{ nginx_site_name }}; location /.well-known/acme-challenge/ { - proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/; + proxy_pass http://certbot.home.foo.sh/.well-known/acme-challenge/; } location / { {% if nginx_site_redirect is defined %} From 96f28d63ccfe47e8ccb92557b8fdb25968df1caa Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 11 May 2024 19:01:37 +0000 Subject: [PATCH 272/713] grossd: Fix install on EL9 --- roles/grossd/meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/grossd/meta/main.yml b/roles/grossd/meta/main.yml index 7ae8670..50b8afb 100644 --- a/roles/grossd/meta/main.yml +++ b/roles/grossd/meta/main.yml @@ -1,3 +1,4 @@ --- dependencies: + - {role: crb_repo} - {role: foosh_repo} From d0f814475327d17feccbf76911d4c4d834ecabc7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 11 May 2024 19:03:14 +0000 Subject: [PATCH 273/713] Convert mail hosts to Rocky Linux 9 --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
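Review bot: Switching the ACME hop to `proxy_pass http://certbot.home.foo.sh/...` drops the upstream certificate check the previous `https://` target had wherever `proxy_ssl_verify on` applies, so anyone who can answer for `certbot.home.foo.sh` on the internal network (DNS or IP spoofing) can complete HTTP-01 challenges through this public vhost and obtain certificates for every site proxied here; the challenge content is public, so what is lost is integrity, not confidentiality. If the change is needed because the certbot host no longer serves TLS on that name, prefer keeping `https://` with `proxy_ssl_verify on` and `proxy_ssl_name certbot.home.foo.sh`, or pin the upstream to the certbot host's address via an `upstream` block rather than a resolvable name. Either way, record the trust assumption next to the line (`# internal hop over plain http: relies on home-network integrity`). The `server {}` block continues outside the hunk.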
diff --git a/hosts.yml b/hosts.yml index c1c5339..eb80242 100644 --- a/hosts.yml +++ b/hosts.yml @@ -159,7 +159,6 @@ openbsd: rocky8: children: collab: - mail: rocky9: children: adm: @@ -168,6 +167,7 @@ rocky9: homeassistant: influxdb: ldap: + mail: minecraft: mirror: mongodb: From ce72d0d17a81e27a3559a4a974e9a5fc80e2fb90 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 11 May 2024 19:13:04 +0000 Subject: [PATCH 274/713] nginx_site: Fix certbot virtual host --- roles/nginx_site/templates/site.conf.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 index fc70329..eaf21e4 100644 --- a/roles/nginx_site/templates/site.conf.j2 +++ b/roles/nginx_site/templates/site.conf.j2 @@ -54,6 +54,7 @@ server { listen 80; listen [::]:80; server_name {{ nginx_site_name }}; +{% if nginx_site_name != 'certbot.home.foo.sh' %} location /.well-known/acme-challenge/ { proxy_pass http://certbot.home.foo.sh/.well-known/acme-challenge/; } @@ -64,5 +65,8 @@ server { return 301 https://$host$request_uri; {% endif %} } +{% else %} + root /srv/web/{{ nginx_site_name }}; +{% endif %} } {% endif %} From eb4a2fa842d177f4db4113089d301e28389f958c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 11 May 2024 19:13:29 +0000 Subject: [PATCH 275/713] Open port 80 from adm hosts for certbot --- group_vars/adm.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/group_vars/adm.yml b/group_vars/adm.yml index e80e98c..0a9a22a 100644 --- a/group_vars/adm.yml +++ b/group_vars/adm.yml @@ -4,5 +4,6 @@ datadisks: firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} + - {proto: tcp, port: 80, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - {proto: tcp, port: 9100, from: [172.20.20.0/22]} From 62463860e4f18fa848de4d68c32ca4706af9ee3f Mon Sep 17 00:00:00 2001 
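Review bot: The new `{% else %}` branch for `certbot.home.foo.sh` sets `root /srv/web/{{ nginx_site_name }};` at server level, so the entire docroot is served over plain HTTP rather than only the challenge directory; restrict it to one location and refuse the rest: `location /.well-known/acme-challenge/ { root /srv/web/{{ nginx_site_name }}; }` followed by `location / { return 404; }`. Comparing the site name against a hard-coded literal also means the special case silently stops matching if the certbot host is renamed — a role variable such as `nginx_site_acme_host`, used by both the `proxy_pass` target and this test, would keep them in step. The `server {}` block's `listen` lines are unchanged context in the first hunk.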
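Review bot: The new rule opens port 80 on adm hosts to all of `172.20.20.0/22`, but the only port-80 traffic introduced by the companion nginx_site change is the proxy relaying `/.well-known/acme-challenge/`; if that is the sole client, list the proxy hosts' addresses in `from:` instead of the whole range, in the same way the other rules here restrict sources. A comment on the line (`# http: ACME challenge relay from the proxy hosts`) would record why plain HTTP is open at all on an admin host.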
From: Timo Makinen Date: Sat, 11 May 2024 19:17:23 +0000 Subject: [PATCH 276/713] rclone: Fix extra spaces --- roles/rclone/templates/rclone.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rclone/templates/rclone.conf.j2 b/roles/rclone/templates/rclone.conf.j2 index ac601cd..222ebf1 100644 --- a/roles/rclone/templates/rclone.conf.j2 +++ b/roles/rclone/templates/rclone.conf.j2 @@ -6,5 +6,5 @@ type = sftp host = {{ host }} user = backup key_file = /etc/rclone/id_ed25519 -known_hosts_file = /etc/ssh/ssh_known_hosts +known_hosts_file = /etc/ssh/ssh_known_hosts {% endfor %} From 5fd1b776bed26973f7c93a1bb964b09584b10b07 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 11 May 2024 19:27:13 +0000 Subject: [PATCH 277/713] rclone: Disable checksumming --- roles/rclone/templates/rclone.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/rclone/templates/rclone.conf.j2 b/roles/rclone/templates/rclone.conf.j2 index 222ebf1..99e1d3e 100644 --- a/roles/rclone/templates/rclone.conf.j2 +++ b/roles/rclone/templates/rclone.conf.j2 @@ -5,6 +5,7 @@ type = sftp host = {{ host }} user = backup +shell_type = none key_file = /etc/rclone/id_ed25519 known_hosts_file = /etc/ssh/ssh_known_hosts {% endfor %} From 2d7113f6e680e74387de3212005c4ee398464e77 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 18 May 2024 19:29:41 +0000 Subject: [PATCH 278/713] Update software versions --- hosts.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts.yml b/hosts.yml index eb80242..3e6f577 100644 --- a/hosts.yml +++ b/hosts.yml @@ -77,7 +77,7 @@ nms: nms01.home.foo.sh: nms02.home.foo.sh: vars: - snmp_exporter_version: "0.25.0" + snmp_exporter_version: "0.26.0" ns: hosts: ns01.home.foo.sh: @@ -88,8 +88,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "10.4.1" - rocketchat_version: "6.7.0" + grafana_version: "11.0.0" + rocketchat_version: "6.8.0" roundcube_version: "1.6.6" print: hosts: 
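Review bot: `shell_type = none` deserves a comment in the template, because its effect is wider than the commit subject says: rclone then never executes commands over the SSH session, which is what makes it safe to restrict the remote `backup` account to SFTP (e.g. `ForceCommand internal-sftp`) and, as a side effect, disables remote checksumming. A Jinja comment keeps it out of the rendered file, which rclone may rewrite: `{# shell_type=none: no remote shell execution; backup user is sftp-only, so remote checksums are off too #}`. Whether the server side actually enforces an sftp-only shell is not visible here — worth confirming, since without it the setting is only a client-side courtesy.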
From bb8b48626310ba641d149e618689e112b39c54d7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 18 May 2024 19:54:43 +0000 Subject: [PATCH 279/713] Increase os disk size for oci-nodes --- group_vars/ocinode.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/ocinode.yml b/group_vars/ocinode.yml index 7e132c3..7f06eb1 100644 --- a/group_vars/ocinode.yml +++ b/group_vars/ocinode.yml @@ -1,6 +1,8 @@ --- # increase memory size mem_size: 4096 +# increase disk size to store docker images +dsk_size: 50 firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} From dc2a6f57889a43581195032d6df3a08487eb0539 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 6 Jun 2024 19:29:38 +0000 Subject: [PATCH 280/713] blackbox_exporter: Initial version of role --- roles/blackbox_exporter/files/blackbox.yml | 17 ++++++++ roles/blackbox_exporter/handlers/main.yml | 5 +++ roles/blackbox_exporter/tasks/main.yml | 39 +++++++++++++++++++ .../templates/web-config.yml.j2 | 11 ++++++ 4 files changed, 72 insertions(+) create mode 100644 roles/blackbox_exporter/files/blackbox.yml create mode 100644 roles/blackbox_exporter/handlers/main.yml create mode 100644 roles/blackbox_exporter/tasks/main.yml create mode 100644 roles/blackbox_exporter/templates/web-config.yml.j2 diff --git a/roles/blackbox_exporter/files/blackbox.yml b/roles/blackbox_exporter/files/blackbox.yml new file mode 100644 index 0000000..9152489 --- /dev/null +++ b/roles/blackbox_exporter/files/blackbox.yml @@ -0,0 +1,17 @@ +--- +modules: + http: + prober: http + http: + valid_status_codes: + - 200 + - 401 + - 403 + ssh: + prober: tcp + tcp: + query_response: + - expect: "^SSH-2.0-" + - send: "SSH-2.0-blackbox-ssh-check" + tcp: + prober: tcp diff --git a/roles/blackbox_exporter/handlers/main.yml b/roles/blackbox_exporter/handlers/main.yml new file mode 100644 index 0000000..34e0f2d --- /dev/null +++ b/roles/blackbox_exporter/handlers/main.yml 
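Review bot: The `http` module has no `tls_config`, `fail_if_not_ssl` or `preferred_ip_protocol`, so probes of `https://` targets signed by the internal CA fail against the system trust store unless that CA is installed on the probing host, and a probe that lands on a plain-http or redirect target still counts as up because `200`, `401` and `403` are all accepted. If the intent is "answers and demands auth", a comment on `valid_status_codes` (`# 401/403: auth-protected endpoints still count as up`) stops someone "fixing" it later, and a sibling `https` module with `fail_if_not_ssl: true` and `tls_config: {ca_file: ...}` gives a real certificate check where one is wanted. The `ssh` module's `SSH-2.0-blackbox-ssh-check` banner is fine, but each probe will appear in the target's sshd log as an aborted connection — worth a comment so it is not mistaken for scanning.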
@@ -0,0 +1,5 @@ +--- +- name: Restart blackbox_exporter + ansible.builtin.service: + name: blackbox_exporter + state: restarted diff --git a/roles/blackbox_exporter/tasks/main.yml b/roles/blackbox_exporter/tasks/main.yml new file mode 100644 index 0000000..b3e2410 --- /dev/null +++ b/roles/blackbox_exporter/tasks/main.yml @@ -0,0 +1,39 @@ +--- +- name: Install packages + ansible.builtin.package: + name: blackbox_exporter + state: installed + +- name: Add user to hostkey group + ansible.builtin.user: + name: _blackboxexporter + groups: hostkey + append: true + notify: Restart blackbox_exporter + +- name: Create main config + ansible.builtin.copy: + dest: /etc/blackbox_exporter/blackbox.yml + src: blackbox.yml + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart blackbox_exporter + +- name: Create web-config + ansible.builtin.template: + dest: /etc/blackbox_exporter/web-config.yml + src: web-config.yml.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart blackbox_exporter + +- name: Enable service + ansible.builtin.service: + name: blackbox_exporter + state: started + arguments: > + --config.file=/etc/blackbox_exporter/blackbox.yml + --web.config.file=/etc/blackbox_exporter/web-config.yml + enabled: true diff --git a/roles/blackbox_exporter/templates/web-config.yml.j2 b/roles/blackbox_exporter/templates/web-config.yml.j2 new file mode 100644 index 0000000..03e5466 --- /dev/null +++ b/roles/blackbox_exporter/templates/web-config.yml.j2 @@ -0,0 +1,11 @@ +--- +tls_server_config: + key_file: {{ tls_private }}/{{ inventory_hostname }}.key + cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt + client_ca_file: {{ tls_certs }}/ca.crt + client_auth_type: RequireAndVerifyClientCert + client_allowed_sans: +{% for host in groups['prometheus'] %} + - {{ host }} +{% endfor %} + min_version: TLS13 From 20d91ff1b001260b136758a6ea0ac5eadb55f170 Mon Sep 17 00:00:00 2001 
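Review bot: `arguments:` on `ansible.builtin.service` is only honoured by init systems that take per-service flags (OpenBSD `rcctl`, SysV-style scripts); on systemd hosts it is silently ignored, so `--web.config.file=` would never be applied and the exporter would listen without the mTLS config with nothing in the play to show it. The role appears to target an OpenBSD host (the `_blackboxexporter` account name follows that convention), so an `ansible.builtin.assert` on `ansible_os_family == "OpenBSD"` at the top of the task list — or at least a comment `# arguments: applied via rcctl flags; not valid on systemd hosts` — keeps the role from being reused unsafely. Adding `_blackboxexporter` to `hostkey` also grants read access to every key that group protects, not only this exporter's; fine if that is the established pattern for exporters here, but worth a one-line comment.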
From: Timo Makinen Date: Thu, 6 Jun 2024 19:30:05 +0000 Subject: [PATCH 281/713] Add blackbox_exporter to external ns host --- group_vars/ns.yml | 3 ++- playbooks/ns.yml | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/group_vars/ns.yml b/group_vars/ns.yml index 544cf9b..79a23ca 100644 --- a/group_vars/ns.yml +++ b/group_vars/ns.yml @@ -6,7 +6,8 @@ firewall_in: - {proto: tcp, port: 80} - {proto: tcp, port: 443} - {proto: tcp, port: 853} - - {proto: tcp, port: 9100, from: [172.20.20.0/22, 62.78.229.29/32]} + - {proto: tcp, port: 9100} + - {proto: tcp, port: 9115} firewall_raw: - pass quick proto carp diff --git a/playbooks/ns.yml b/playbooks/ns.yml index a7476ca..b4e6dbf 100644 --- a/playbooks/ns.yml +++ b/playbooks/ns.yml @@ -21,3 +21,5 @@ nginx_site_redirect: https://www.foo.sh/ - role: ifstated when: "'vultr' not in group_names" + - role: blackbox_exporter + when: "inventory_hostname == 'atl01.vultr.foo.sh'" From 9f69d421f2b7eea4a63d8e29184a2f90eb7da8f9 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 6 Jun 2024 19:31:40 +0000 Subject: [PATCH 282/713] frigate: Store events for 1 month --- roles/frigate/templates/frigate.yml.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2 index 715272d..7ceb0c7 100644 --- a/roles/frigate/templates/frigate.yml.j2 +++ b/roles/frigate/templates/frigate.yml.j2 @@ -12,6 +12,10 @@ record: retain: days: 7 mode: motion + events: + retain: + default: 30 + mode: motion cameras: {% for camera in cctv_cameras %} From c08a8158f72a7cca4c7198930b7df4f8220342a4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 11 Jun 2024 16:48:25 +0000 Subject: [PATCH 283/713] Update software versions --- hosts.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hosts.yml b/hosts.yml index 3e6f577..fac3b7e 100644 --- a/hosts.yml +++ b/hosts.yml 
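Review bot: The rewritten `9100` rule drops the `from: [172.20.20.0/22, 62.78.229.29/32]` source restriction, so node_exporter on the external ns hosts becomes reachable from any address, and the new `9115` rule is opened the same way; for blackbox_exporter that is backed by the `web-config.yml` mTLS (client certificate required, SANs limited to the prometheus hosts), but nothing in this diff shows node_exporter behind an equivalent web-config, in which case host metrics become world-readable. Unless 9100 is also behind client-certificate auth, restore the list on that rule (`- {proto: tcp, port: 9100, from: [172.20.20.0/22, 62.78.229.29/32]}`) and annotate the 9115 line (`# 9115: mTLS-only, see blackbox_exporter web-config`). If the restriction was removed because the scraper's address changed, the new address belongs in the list rather than the list being dropped.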
@@ -36,7 +36,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.5" + homeassistant_version: "2024.6" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git @@ -89,8 +89,8 @@ ocinode: oci-node02.home.foo.sh: vars: grafana_version: "11.0.0" - rocketchat_version: "6.8.0" - roundcube_version: "1.6.6" + rocketchat_version: "6.9.0" + roundcube_version: "1.6.7" print: hosts: print01.home.foo.sh: @@ -99,7 +99,7 @@ prometheus: prometheus02.home.foo.sh: vars: mysqld_exporter_version: "0.15.1" - nginx_exporter_version: "1.1.0" + nginx_exporter_version: "1.2.0" proxy: hosts: proxy01.home.foo.sh: From 1b9b9962a795e8b16eb7a3308bade2a2380e9577 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 12 Jun 2024 13:27:49 +0000 Subject: [PATCH 284/713] base: Set LC_TIME correctly to get 24h clock --- roles/base/tasks/RedHat.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml index 50e0397..992c088 100644 --- a/roles/base/tasks/RedHat.yml +++ b/roles/base/tasks/RedHat.yml @@ -124,6 +124,27 @@ dest: /etc/GREP_COLORS state: absent +- name: Check date format + ansible.builtin.shell: + cmd: | + set -o pipefail + localectl status | grep -E '^\s+LC_TIME=C.UTF-8$' + executable: /bin/bash + register: locale_check + changed_when: false + failed_when: false + check_mode: false + +- name: Set date format to use 24 hour clock + ansible.builtin.command: + argv: + - localectl + - set-locale + - LC_TIME=C.UTF-8 + register: result + changed_when: result.rc == 0 + when: locale_check.rc != 0 + - name: Store date and time for bash history ansible.builtin.copy: dest: /etc/profile.d/history.sh From 66c25d20b8571e29460a46e8d67984d4944ffb05 Mon Sep 17 00:00:00 2001 
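Review bot: The `Check date format` task shells out to `localectl status | grep -E ...` and pairs it with a `command` task, where one declarative task does the same job idempotently and check-mode-safely: `localectl set-locale` writes to `/etc/locale.conf`, so `ansible.builtin.lineinfile` with `path: /etc/locale.conf`, `regexp: '^LC_TIME='`, `line: 'LC_TIME=C.UTF-8'` reports change/no-change itself with no `failed_when: false` or `changed_when` needed. If `localectl` is kept because it also validates that the locale exists, at least escape the dot (`'^\s+LC_TIME=C\.UTF-8$'`) and replace `failed_when: false` with `failed_when: locale_check.rc not in [0, 1]`, so a missing `localectl` or `grep` surfaces instead of being read as "not set". The surrounding task list continues outside the hunk.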
From: Timo Makinen Date: Sat, 15 Jun 2024 20:57:58 +0000 Subject: [PATCH 285/713] nginx_site: Disable support for custom tls config --- roles/nginx_site/templates/site.conf.j2 | 7 ------- 1 file changed, 7 deletions(-) diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 index eaf21e4..afc3dae 100644 --- a/roles/nginx_site/templates/site.conf.j2 +++ b/roles/nginx_site/templates/site.conf.j2 @@ -20,13 +20,6 @@ server { add_header Strict-Transport-Security "max-age=63072000" always; -{% if nginx_site_ssl_config is defined %} -{% if nginx_site_ssl_config == "old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; -{% endif %} -{% endif %} ssl_certificate {{ tls_certs }}/{{ nginx_site_name }}-fullchain.crt; ssl_certificate_key {{ tls_private }}/{{ nginx_site_name }}.key; From 023257ae558c96cc57d2a84546bb9f77ea215739 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 15 Jun 2024 20:59:01 +0000 Subject: [PATCH 286/713] Remove unneeded option --- playbooks/proxy.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index f204c5e..daa19be 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml 
@@ -33,7 +33,6 @@ nginx_site_name: autoconfig.foo.sh - role: nginx_site nginx_site_name: boot.foo.sh - nginx_site_ssl_config: old - role: nginx_site nginx_site_name: bitbucket.foo.sh nginx_site_redirect: https://bitbucket.org/tmakinen/ From 813146b1062aec75a40aa7d44d273d18191f0b27 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 16 Jun 2024 20:48:31 +0000 Subject: [PATCH 287/713] minecraft: Change uid and gid --- roles/minecraft/tasks/main.yml | 4 ++-- users.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/minecraft/tasks/main.yml b/roles/minecraft/tasks/main.yml index db2e66e..50961a4 100644 --- a/roles/minecraft/tasks/main.yml +++ b/roles/minecraft/tasks/main.yml @@ -7,13 +7,13 @@ - name: Create group ansible.builtin.group: name: minecraft - gid: 1007 + gid: 307 - name: Create user ansible.builtin.user: name: minecraft comment: Service Minecraft - uid: 1007 + uid: 307 group: minecraft create_home: false home: /var/empty diff --git a/users.md b/users.md index d0ca8d9..c6f02a5 100644 --- a/users.md +++ b/users.md @@ -12,8 +12,8 @@ entry empty. If only a group is created, leave the user entry empty. | 303 | gitea | gitea | | | 305 | prometheus | prometheus | | | 306 | backup | backup | | +| 307 | minecraft | minecraft | | | 1001 | mirror | mirror | | | 1002 | certbot | certbot | | | 1003 | collab | collab | | | 1004 | docker | docker | docker registry | -| 1007 | minecraft | minecraft | | From 8ef5f5b18e36f4cbf1d6bfbe5300c31e47c2ce1e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 18 Jun 2024 16:38:45 +0000 Subject: [PATCH 288/713] Rotate dkim keys --- playbooks/mail.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/mail.yml b/playbooks/mail.yml index 686ed79..1b86873 100644 --- a/playbooks/mail.yml +++ b/playbooks/mail.yml 
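Review bot: Changing `gid: 1007` → `307` and `uid: 1007` → `307` on an existing account does not re-own anything on disk — `ansible.builtin.user` and `ansible.builtin.group` rewrite passwd/group only — so on a host that already ran this role the server's data keeps the old numeric owner and the service loses access to its own files after the change. Add a one-off re-own step, e.g. `ansible.builtin.command: find <datadir> -xdev -uid 1007 -exec chown minecraft:minecraft {} +` guarded by a check that old-uid files exist, before the service is started; the data directory is not visible in this hunk. A comment on the uid line (`# 307: system-account range, see users.md`) would tie the change to the table updated in the same commit.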
@@ -39,7 +39,7 @@ nginx_site_redirect: https://webmail.foo.sh/ - grossd - role: opendkim - opendkim_selector: 20240101 + opendkim_selector: 20240601 - spamassassin - spamassassin_clamav - spamassassin_ixhash From 750b3bab7d320e49c7355ef480d7857e99c44c21 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 21 Jun 2024 15:14:44 +0000 Subject: [PATCH 289/713] ldap_server: Store backups for 30 days --- roles/ldap_server/files/ldap-backup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ldap_server/files/ldap-backup.sh b/roles/ldap_server/files/ldap-backup.sh index 7942743..d6a95d4 100755 --- a/roles/ldap_server/files/ldap-backup.sh +++ b/roles/ldap_server/files/ldap-backup.sh @@ -12,7 +12,7 @@ if [ "$(whoami)" != "root" ]; then fi BACKUPDIR="/srv/backup" -BACKUPAGE="7" +BACKUPAGE="30" DATE="$(date '+%Y-%m-%d')" From 0eeed22092a7ed48f50120ad13d9fa4833d39f03 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 21 Jun 2024 15:17:39 +0000 Subject: [PATCH 290/713] ldap_server: Style fixes for backup script --- roles/ldap_server/files/ldap-backup.sh | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/roles/ldap_server/files/ldap-backup.sh b/roles/ldap_server/files/ldap-backup.sh index d6a95d4..2e84891 100755 --- a/roles/ldap_server/files/ldap-backup.sh +++ b/roles/ldap_server/files/ldap-backup.sh 
@@ -16,19 +16,20 @@ BACKUPAGE="30" DATE="$(date '+%Y-%m-%d')" +cd "$BACKUPDIR" + ldapsearch -LLL -x -H ldapi:// -s base -b 'cn=Databases,cn=Monitor' \ '(objectClass=*)' namingContexts | \ sed -n 's/^namingContexts: \(.*\)/\1/p' | while read -r db ; do - [ "${db}" = "cn=config" ] && continue - if ! slapcat -f /etc/openldap/slapd.conf -b "${db}" 2> /dev/null | \ - gzip > "${BACKUPDIR}/${db}.${DATE}.gz" ; then + [ "$db" = "cn=config" ] && continue + if ! slapcat -f /etc/openldap/slapd.conf -b "$db" 2> /dev/null | \ + gzip > "${db}.${DATE}.gz" + then echo "ERR: Failed to backup database ${db}" 1>&2 continue fi chgrp backup "${BACKUPDIR}/${db}.${DATE}.gz" done -cd ${BACKUPDIR} && { - find . -xdev -depth -mindepth 1 -maxdepth 1 -type f -mtime +${BACKUPAGE} \ - -name '*.gz' -execdir rm -f -- {} \; -} +find . -xdev -depth -mindepth 1 -maxdepth 1 -type f -mtime +${BACKUPAGE} \ + -name '*.gz' -execdir rm -f -- {} \; From 6dd5cfa68113d6d76d2e41bdf43d3e569ebfcebc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 21 Jun 2024 15:20:02 +0000 Subject: [PATCH 291/713] mariadb: Style fixes and store 30 days of backups --- roles/mariadb/files/mariadb-backup.sh | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/roles/mariadb/files/mariadb-backup.sh b/roles/mariadb/files/mariadb-backup.sh index e2181bb..b2ac7cb 100755 --- a/roles/mariadb/files/mariadb-backup.sh +++ b/roles/mariadb/files/mariadb-backup.sh 
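Review bot: The new bare `cd "$BACKUPDIR"` at the top of the hunk is unchecked, whereas the old `cd ${BACKUPDIR} && { find ... }` guarded the deletion; if the directory is missing or unreadable the script now dumps into, and then runs `find . ... -execdir rm -f` against, whatever cron's working directory is — unless the script prologue (outside this hunk) sets `set -e`. Make it `cd "$BACKUPDIR" || { echo "ERR: cannot cd to ${BACKUPDIR}" 1>&2; exit 1; }`. The `chgrp backup "${BACKUPDIR}/${db}.${DATE}.gz"` line still spells the full path while the redirect uses the relative one; harmless, but using one form makes the `cd` the single source of truth. Whether `set -e` or a `umask` is in effect is decided before the hunk.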
@@ -4,23 +4,16 @@ set -eu umask 027 -DESTDIR="/export/backup" +DESTDIR="/srv/backup" DATE="$(date +%Y-%m-%d)" -if [ ! -d "$DESTDIR" ]; then - echo "ERR: MariaDB backup directory [${DESTDIR}] does not exist" 1>&2 - exit 1 -fi +cd "$DESTDIR" +find . -xdev -mindepth 2 -maxdepth 2 -type f -mtime +30 \ + -execdir rm -f -- {} \; +find . -xdev -depth -mindepth 1 -maxdepth 1 -type d -empty \ + -execdir rmdir -- {} \; -cd "$DESTDIR" && { - find . -xdev -mindepth 2 -maxdepth 2 -type f -mtime +7 \ - -execdir rm -f -- {} \; - find . -xdev -depth -mindepth 1 -maxdepth 1 -type d -empty \ - -execdir rmdir -- {} \; -} - -DESTDIR="${DESTDIR}/${DATE}" -mkdir "$DESTDIR" +mkdir "$DATE" for db in $(mysql -e "show databases" -s) ; do case "$db" in @@ -28,5 +21,5 @@ for db in $(mysql -e "show databases" -s) ; do continue ;; esac - mysqldump -E --add-drop-table "$db" | gzip > "${DESTDIR}/${db}.${DATE}.gz" + mysqldump -E --add-drop-table "$db" | gzip > "${DATE}/${db}.${DATE}.gz" done From 195d9c3b035b313bb28e433bc82d49705f6a0a74 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 18:11:04 +0000 Subject: [PATCH 292/713] backup_base: Rename role --- roles/{backup_server => backup_base}/tasks/main.yml | 5 ----- 1 file changed, 5 deletions(-) rename roles/{backup_server => backup_base}/tasks/main.yml (87%) diff --git a/roles/backup_server/tasks/main.yml b/roles/backup_base/tasks/main.yml similarity index 87% rename from roles/backup_server/tasks/main.yml rename to roles/backup_base/tasks/main.yml index 18d8222..e87400a 100644 --- a/roles/backup_server/tasks/main.yml +++ b/roles/backup_base/tasks/main.yml @@ -1,9 +1,4 @@ --- -- name: Install packages - ansible.builtin.package: - name: rclone - state: installed - - name: Create backup group ansible.builtin.group: name: backup From e233860b7bd445f4a5cf12811ef5a79998365772 Mon Sep 17 00:00:00 2001 
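Review bot: On the changed `mysqldump … | gzip > "${DATE}/${db}.${DATE}.gz"` line the pipeline's status is gzip's, so under the `set -eu` visible in the hunk header a failing mysqldump still leaves a truncated .gz file and the loop moves on without any error; `/bin/sh` offers no `pipefail` here. Writing the dump with `--result-file` and compressing afterwards makes the failure visible and mirrors the `echo "ERR: …"; continue` style of the sibling ldap-backup.sh, as below. Dropping the explicit directory check is fine because `cd "$DESTDIR"` aborts under `set -e`. The retention is hard-coded as `-mtime +30` while ldap-backup.sh uses a `BACKUPAGE` variable; a `BACKUPAGE="30"` next to `DATE=` keeps the two scripts parallel.
```shell
  # … unchanged: case "$db" skip list …
  if ! mysqldump -E --add-drop-table --result-file="${DATE}/${db}.${DATE}.sql" "$db" ; then
    echo "ERR: Failed to backup database ${db}" 1>&2
    rm -f "${DATE}/${db}.${DATE}.sql"
    continue
  fi
  gzip "${DATE}/${db}.${DATE}.sql"
done
```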
From: Timo Makinen Date: Sat, 22 Jun 2024 18:51:49 +0000 Subject: [PATCH 293/713] mongodb: Add database backups --- roles/mongodb/meta/main.yml | 4 +++ roles/mongodb/tasks/main.yml | 17 ++++++++++++ roles/mongodb/templates/mongodb-backup.sh.j2 | 28 ++++++++++++++++++++ 3 files changed, 49 insertions(+) create mode 100644 roles/mongodb/meta/main.yml create mode 100755 roles/mongodb/templates/mongodb-backup.sh.j2 diff --git a/roles/mongodb/meta/main.yml b/roles/mongodb/meta/main.yml new file mode 100644 index 0000000..683bc95 --- /dev/null +++ b/roles/mongodb/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - {role: backup_base} + diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index 329e17d..582b32c 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml @@ -29,6 +29,7 @@ name: "{{ item }}" state: installed with_items: + - mongodb-database-tools - mongodb-mongosh - mongodb-org-server @@ -127,6 +128,22 @@ state: started enabled: true +- name: Copy backup script + ansible.builtin.template: + dest: /usr/local/sbin/mongodb-backup + src: mongodb-backup.sh.j2 + mode: "0700" + owner: root + group: "{{ ansible_wheel }}" + +- name: Create backup cron job + ansible.builtin.cron: + name: mongodb-backup + job: /usr/local/sbin/mongodb-backup + hour: "0" + minute: "20" + user: root + - name: Create mongo alias cmd for root ansible.builtin.lineinfile: path: /root/.bashrc diff --git a/roles/mongodb/templates/mongodb-backup.sh.j2 b/roles/mongodb/templates/mongodb-backup.sh.j2 new file mode 100755 index 0000000..2cca05a --- /dev/null +++ b/roles/mongodb/templates/mongodb-backup.sh.j2 
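Review bot: The `Copy backup script` task templates `mongodb-backup.sh.j2`, which embeds `{{ mongodb_backup_password }}`, so a run with `--diff` prints the rendered file including the password to the console and to whatever collects the playbook output; add `diff: false` to that task (and `no_log: true` if the value is considered sensitive enough to hide from task output entirely). The `mode: "0700"` / `owner: root` on the destination are right for a script run from a root cron job. In the new `roles/mongodb/meta/main.yml` the fourth added line is an empty line at end of file, which yamllint's empty-lines rule flags; the same blob is added again as `roles/mariadb/meta/main.yml` later in the series.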
@@ -0,0 +1,28 @@ +#!/bin/sh + +set -eu + +umask 027 + +DESTDIR="/srv/backup" +DATE="$(date +%Y-%m-%d)" + +cd "$DESTDIR" +find . -xdev -mindepth 2 -maxdepth 2 -type f -mtime +30 \ + -execdir rm -f -- {} \; +find . -xdev -depth -mindepth 1 -maxdepth 1 -type d -empty \ + -execdir rmdir -- {} \; + +mkdir -m 2750 "$DATE" +chgrp backup "$DATE" + +mongodump \ + --sslPEMKeyFile=/etc/pki/tls/private/mongodb.pem \ + --sslCAFile=/etc/pki/tls/certs/ca.crt \ + --ssl \ + --username=backup \ + --password="{{ mongodb_backup_password }}" \ + --gzip \ + --out="${DATE}" \ + --quiet \ + --uri="mongodb://$(hostname -f)/" From 788c9fa45345280bc8b7601951eecdef38146d18 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 19:09:20 +0000 Subject: [PATCH 294/713] backup_base: Add sftp ssh config when needed --- roles/backup_base/tasks/main.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/roles/backup_base/tasks/main.yml b/roles/backup_base/tasks/main.yml index e87400a..9a28a8f 100644 --- a/roles/backup_base/tasks/main.yml +++ b/roles/backup_base/tasks/main.yml @@ -30,3 +30,25 @@ owner: root group: "{{ ansible_wheel }}" follow: false + +- name: Create authorized_keys + ansible.builtin.copy: + dest: /etc/ssh/authorized_keys.backup + src: ../files/ssh/backup.pub + mode: "0640" + owner: root + group: backup + when: "'sftpbackup' in group_names" + +- name: Configure sshd chroot + ansible.builtin.blockinfile: + path: /etc/ssh/sshd_config + block: | + Match User backup + ChrootDirectory /srv/backup + ForceCommand internal-sftp + AuthorizedKeysFile /etc/ssh/authorized_keys.backup + marker: "# {mark} ANSIBLE MANAGED BLOCK (user backup)" + validate: "sshd -t -f %s" + when: "'sftpbackup' in group_names" + notify: Restart sshd From 5e5ebf937c18173b53e6313c3bc0fdf393449683 Mon Sep 17 00:00:00 2001 
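Review bot: `--password="{{ mongodb_backup_password }}"` in the new `mongodump` invocation puts the secret on the command line, where every local user can read it from `ps` or `/proc/<pid>/cmdline` for the duration of the dump, even though the script file itself is deployed root-only with mode 0700. mongodb-database-tools accept `--config=<file>` for exactly the sensitive options (`password`, `uri`); render a root-only YAML file containing `password: "{{ mongodb_backup_password }}"` from the role and replace the flag with `--config=/etc/mongodb-backup.yml` (path is a placeholder, choose one the role owns). The rest of the flags, including `--username=backup`, can stay. `mkdir -m 2750 "$DATE"` with `chgrp backup` is consistent with the 0750 parent directory set up in the backup_base role.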
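Review bot: The `Match User backup` block added in the `Configure sshd chroot` task forces `internal-sftp` but leaves TCP and agent forwarding, X11 and tunnelling at their global defaults, so the key in `authorized_keys.backup` can still be used as a port-forwarding relay through the host even though it cannot open a shell. Disable them inside the Match block as below; `sshd -t -f %s` in `validate` accepts these keywords in a Match context. The block applies to every host in `sftpbackup`, i.e. every host that exposes dumps through this account, so the tightening covers all of them at once.
```yaml
    block: |
      Match User backup
        AllowTcpForwarding no
        AllowAgentForwarding no
        X11Forwarding no
        PermitTunnel no
        # … unchanged: ChrootDirectory, ForceCommand, AuthorizedKeysFile …
    # … unchanged: marker, validate, when, notify …
```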
From: Timo Makinen Date: Sat, 22 Jun 2024 19:09:43 +0000 Subject: [PATCH 295/713] backup_base: More restrictive permissions --- roles/backup_base/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/backup_base/tasks/main.yml b/roles/backup_base/tasks/main.yml index 9a28a8f..3d842b6 100644 --- a/roles/backup_base/tasks/main.yml +++ b/roles/backup_base/tasks/main.yml @@ -18,7 +18,7 @@ ansible.builtin.file: path: /export/backup state: directory - mode: "0770" + mode: "0750" owner: root group: backup From db996daf14b0e7a832125bb8479ba670bad3cf97 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 19:10:18 +0000 Subject: [PATCH 296/713] rclone: Migrate to use backup_base role --- roles/rclone/meta/main.yml | 2 +- roles/rclone/tasks/main.yml | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/roles/rclone/meta/main.yml b/roles/rclone/meta/main.yml index 107754b..a6cb84e 100644 --- a/roles/rclone/meta/main.yml +++ b/roles/rclone/meta/main.yml @@ -1,4 +1,4 @@ --- dependencies: - - {role: backup_server} + - {role: backup_base} - {role: ssh_known_hosts} diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml index 13facd4..335d66e 100644 --- a/roles/rclone/tasks/main.yml +++ b/roles/rclone/tasks/main.yml @@ -58,6 +58,15 @@ owner: backup group: backup +- name: Create backup directories + ansible.builtin.file: + path: "/srv/backup/{{ item }}" + state: directory + mode: "0770" + owner: root + group: backup + with_items: "{{ groups['sftpbackup'] }}" + - name: Copy rclone sync script ansible.builtin.copy: dest: /usr/local/bin/rclone-sync From 1534104bf49c71dc19428aadaccfd13aa086f101 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 19:10:42 +0000 Subject: [PATCH 297/713] Migrate from backup_server to backup_base --- roles/backup_bitbucket/meta/main.yml | 2 +- roles/backup_github/meta/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/roles/backup_bitbucket/meta/main.yml b/roles/backup_bitbucket/meta/main.yml index 9eea2ce..f178512 100644 --- a/roles/backup_bitbucket/meta/main.yml +++ b/roles/backup_bitbucket/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - {role: backup_server} + - {role: backup_base} diff --git a/roles/backup_github/meta/main.yml b/roles/backup_github/meta/main.yml index 9eea2ce..f178512 100644 --- a/roles/backup_github/meta/main.yml +++ b/roles/backup_github/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - {role: backup_server} + - {role: backup_base} From b692084f16aa0d7f3e7bd9f7416a0ad88658e772 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 19:11:36 +0000 Subject: [PATCH 298/713] Add mongodb hosts to sftp backups --- hosts.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts.yml b/hosts.yml index fac3b7e..7eb5c70 100644 --- a/hosts.yml +++ b/hosts.yml @@ -136,6 +136,7 @@ sftpbackup: children: collab: ldap: + mongodb: sqldb: vultr: From 849b4ab88740c5fd70af189618777f49cd54ca36 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 19:25:04 +0000 Subject: [PATCH 299/713] mariadb: Migrate to use backup_base --- roles/mariadb/files/mariadb-backup.sh | 3 ++- roles/mariadb/meta/main.yml | 4 ++++ roles/mariadb/tasks/main.yml | 21 --------------------- 3 files changed, 6 insertions(+), 22 deletions(-) create mode 100644 roles/mariadb/meta/main.yml diff --git a/roles/mariadb/files/mariadb-backup.sh b/roles/mariadb/files/mariadb-backup.sh index b2ac7cb..9a4a354 100755 --- a/roles/mariadb/files/mariadb-backup.sh +++ b/roles/mariadb/files/mariadb-backup.sh @@ -13,7 +13,8 @@ find . -xdev -mindepth 2 -maxdepth 2 -type f -mtime +30 \ find . -xdev -depth -mindepth 1 -maxdepth 1 -type d -empty \ -execdir rmdir -- {} \; -mkdir "$DATE" +mkdir -m 2770 "$DATE" +chgrp backup "$DATE" for db in $(mysql -e "show databases" -s) ; do case "$db" in 
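Review bot: `mkdir -m 2770 "$DATE"` followed by `chgrp backup "$DATE"` in `mariadb-backup.sh` makes each day's directory writable by group `backup`, which is the group of the chrooted sftp pull account, so that account can delete or replace the dumps inside it; the mongodb backup script in this series uses `2750` and the parent `/export/backup` was just tightened to `0750`. Unless a non-root process has to write there (the script appears to run as root from cron), `mkdir -m 2750 "$DATE"` keeps the pull side read-only. The `umask 027` earlier in the script (outside this hunk) already keeps the dump files themselves at 0640, so the directory mode is the only thing granting group write.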
diff --git a/roles/mariadb/meta/main.yml b/roles/mariadb/meta/main.yml new file mode 100644 index 0000000..683bc95 --- /dev/null +++ b/roles/mariadb/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - {role: backup_base} + diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 00894d6..b2a9ca9 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -96,27 +96,6 @@ group: "{{ ansible_wheel }}" when: mariadb_root_password is defined -- name: Import sftpuser role - ansible.builtin.import_role: - name: sftpuser - -- name: Create backup directory - ansible.builtin.file: - path: /export/backup - state: directory - mode: "02750" - owner: root - group: backup - -- name: Link backup directory - ansible.builtin.file: - path: /srv/backup - src: /export/backup - state: link - owner: root - group: "{{ ansible_wheel }}" - follow: false - - name: Copy backup script ansible.builtin.copy: dest: /usr/local/sbin/mariadb-backup From e60c786b76c3e69c297c4041d181fc03a6a544f0 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 19:25:22 +0000 Subject: [PATCH 300/713] ldap_server: Migrate to use backup_base --- roles/ldap_server/meta/main.yml | 1 + roles/ldap_server/tasks/main.yml | 22 ---------------------- 2 files changed, 1 insertion(+), 22 deletions(-) diff --git a/roles/ldap_server/meta/main.yml b/roles/ldap_server/meta/main.yml index e59e67d..84aca43 100644 --- a/roles/ldap_server/meta/main.yml +++ b/roles/ldap_server/meta/main.yml @@ -1,5 +1,6 @@ --- dependencies: + - {role: backup_base} - {role: kerberos} - {role: ldap} - {role: saslauthd} diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index 5602d60..9669610 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml 
@@ -55,28 +55,6 @@ follow: false when: ldap_datadir != "/srv/ldap" -- name: Import sftpuser role - ansible.builtin.import_role: - name: sftpuser - -- name: Create backup directory - ansible.builtin.file: - path: "{{ ldap_backupdir }}" - state: directory - mode: "0750" - owner: root - group: backup - -- name: Link backup directory - ansible.builtin.file: - path: /srv/backup - src: /export/backup - state: link - owner: root - group: "{{ ansible_wheel }}" - follow: false - when: ldap_backupdir != "/srv/backup" - - name: Copy backup script ansible.builtin.copy: dest: /usr/local/sbin/ldap-backup From 3127ddf841c0e8ba4816bd2d8828d6bb11d169c3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 19:30:33 +0000 Subject: [PATCH 301/713] Disable sftp backups from collab hosts --- hosts.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 7eb5c70..0102176 100644 --- a/hosts.yml +++ b/hosts.yml @@ -134,7 +134,6 @@ vmhost: sftpbackup: children: - collab: ldap: mongodb: sqldb: From c9e8ec6d7c5f255680414e598b3bb3dd3ba98c78 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 19:32:05 +0000 Subject: [PATCH 302/713] mongodb: Remove unused config --- roles/mongodb/templates/mongod.conf.j2 | 23 ----------------------- 1 file changed, 23 deletions(-) delete mode 100644 roles/mongodb/templates/mongod.conf.j2 diff --git a/roles/mongodb/templates/mongod.conf.j2 b/roles/mongodb/templates/mongod.conf.j2 deleted file mode 100644 index dd90429..0000000 --- a/roles/mongodb/templates/mongod.conf.j2 +++ /dev/null @@ -1,23 +0,0 @@ - -systemLog: - destination: file - logAppend: true - path: /var/log/mongodb/mongod.log - -storage: - dbPath: /srv/mongodb - journal: - enabled: true - -processManagement: - fork: true - pidFilePath: /var/run/mongodb/mongod.pid - timeZoneInfo: /usr/share/zoneinfo - -net: - port: 27017 - bindIpAll: true - tls: - mode: requireTLS - certificateKeyFile: {{ tls_private }}/mongodb.pem - CAFile: {{ tls_certs }}/ca.crt 
From de94e75549366c5050e44f6af1249324303e928b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 19:32:50 +0000 Subject: [PATCH 303/713] sftpuser: Remove unused role --- roles/sftpuser/defaults/main.yml | 2 -- roles/sftpuser/meta/main.yml | 3 --- roles/sftpuser/tasks/main.yml | 35 -------------------------------- 3 files changed, 40 deletions(-) delete mode 100644 roles/sftpuser/defaults/main.yml delete mode 100644 roles/sftpuser/meta/main.yml delete mode 100644 roles/sftpuser/tasks/main.yml diff --git a/roles/sftpuser/defaults/main.yml b/roles/sftpuser/defaults/main.yml deleted file mode 100644 index 0634078..0000000 --- a/roles/sftpuser/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -sftpuser_chroot: /srv/backup diff --git a/roles/sftpuser/meta/main.yml b/roles/sftpuser/meta/main.yml deleted file mode 100644 index bc03e65..0000000 --- a/roles/sftpuser/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - {role: sshd} diff --git a/roles/sftpuser/tasks/main.yml b/roles/sftpuser/tasks/main.yml deleted file mode 100644 index e6ef7ab..0000000 --- a/roles/sftpuser/tasks/main.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -- name: Create group - ansible.builtin.group: - name: backup - system: true - -- name: Create user - ansible.builtin.user: - name: backup - comment: Service backup - createhome: false - group: backup - home: /var/empty - shell: /sbin/nologin - system: true - -- name: Create authorized_keys - ansible.builtin.copy: - dest: /etc/ssh/authorized_keys.backup - src: ../files/ssh/backup.pub - mode: "0640" - owner: root - group: backup - -- name: Configure sshd chroot - ansible.builtin.blockinfile: - path: /etc/ssh/sshd_config - block: | - Match User backup - ChrootDirectory {{ sftpuser_chroot }} - ForceCommand internal-sftp - AuthorizedKeysFile /etc/ssh/authorized_keys.backup - marker: "# {mark} ANSIBLE MANAGED BLOCK (user backup)" - validate: "sshd -t -f %s" - notify: Restart sshd 
From 71c5229adb5d80ebbb3a1ddc6767c85710c5ff6b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 23 Jun 2024 18:13:42 +0000 Subject: [PATCH 304/713] Re-organize disks for nas hosts --- group_vars/nas.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/nas.yml b/group_vars/nas.yml index 3cb95e1..18f29d9 100644 --- a/group_vars/nas.yml +++ b/group_vars/nas.yml @@ -2,8 +2,8 @@ mem_size: 8192 num_cpus: 2 datadisks: - - {size: 1000} - - {size: 400, type: nvme} + - {size: 500, type: nvme} + - {size: 50, type: nvme} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} From 13e602a76d296cd0f82d58cce1a61be024faebff Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 24 Jun 2024 15:37:16 +0000 Subject: [PATCH 305/713] Update software submodule --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index 2c232f1..56a7d07 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit 2c232f1654ea87f26c2248a1ff18b925f5c96c18 +Subproject commit 56a7d070924ab4e515020a0422653ffc4ab34131 From acf2853223f58e1881a1c72b76a05677f4791428 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 25 Jun 2024 16:13:35 +0000 Subject: [PATCH 306/713] frigate: Don't store plaintext passwords in config --- roles/frigate/tasks/main.yml | 9 +++++++++ roles/frigate/templates/frigate-container.service.j2 | 3 ++- roles/frigate/templates/frigate-container.sysconfig.j2 | 3 +++ roles/frigate/templates/frigate.yml.j2 | 4 ++-- 4 files changed, 16 insertions(+), 3 deletions(-) create mode 100644 roles/frigate/templates/frigate-container.sysconfig.j2 diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml index 7f5e321..a897972 100644 --- a/roles/frigate/tasks/main.yml +++ b/roles/frigate/tasks/main.yml 
@@ -71,6 +71,15 @@ group: "{{ ansible_wheel }}" notify: Restart frigate +- name: Create environment config for service + ansible.builtin.template: + dest: /etc/sysconfig/frigate-container + src: frigate-container.sysconfig.j2 + mode: "0600" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart frigate + - name: Enable service ansible.builtin.service: name: frigate-container diff --git a/roles/frigate/templates/frigate-container.service.j2 b/roles/frigate/templates/frigate-container.service.j2 index edb295e..e835cf6 100644 --- a/roles/frigate/templates/frigate-container.service.j2 +++ b/roles/frigate/templates/frigate-container.service.j2 @@ -5,6 +5,7 @@ After=network-online.target [Service] User=frigate +EnvironmentFile=/etc/sysconfig/frigate-container ExecStart=/usr/bin/podman run \ --rm -p 127.0.0.1:8007:5000 \ --name frigate \ @@ -12,7 +13,7 @@ ExecStart=/usr/bin/podman run \ --volume /etc/frigate.yml:/config/config.yml:ro \ --volume /srv/frigate/media:/media/frigate:rw \ --volume /dev/bus/usb:/dev/bus/usb:rw \ - ghcr.io/blakeblackshear/frigate:{{ frigate_version }} + --env=FRIGATE_* ghcr.io/blakeblackshear/frigate:{{ frigate_version }} ExecStop=/usr/bin/podman stop --ignore frigate ExecStopPost=/usr/bin/podman rm -f --ignore frigate diff --git a/roles/frigate/templates/frigate-container.sysconfig.j2 b/roles/frigate/templates/frigate-container.sysconfig.j2 new file mode 100644 index 0000000..c6b07ef --- /dev/null +++ b/roles/frigate/templates/frigate-container.sysconfig.j2 @@ -0,0 +1,3 @@ +{% for camera in cctv_cameras %} +FRIGATE_{{ camera.name | upper }}_PASS="{{ camera.pass }}" +{% endfor %} diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2 index 7ceb0c7..433dfa0 100644 --- a/roles/frigate/templates/frigate.yml.j2 +++ b/roles/frigate/templates/frigate.yml.j2 
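Review bot: In the new `frigate-container.sysconfig.j2`, `FRIGATE_{{ camera.name | upper }}_PASS="{{ camera.pass }}"` is parsed by systemd's EnvironmentFile reader, which only accepts `[A-Za-z0-9_]` in variable names and treats `"` and `\` inside a double-quoted value as delimiter and escape; a camera name containing a hyphen or a password containing either character produces a line systemd ignores or a truncated secret, and the container then starts without that camera's `FRIGATE_*_PASS`. The inventory values are not visible here, so this is a hedge, but the name derivation is cheap to harden: `FRIGATE_{{ camera.name | upper | regex_replace('[^A-Z0-9_]', '_') }}_PASS="{{ camera.pass }}"`, with the identical expression used in `frigate.yml.j2` so both sides keep matching. The `mode: "0600"` on the new sysconfig task is correct because systemd reads the file as pid 1 before dropping to `User=frigate`.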
@@ -23,12 +23,12 @@ cameras: enabled: true ffmpeg: inputs: - - path: "rtsp://viewer:{{ camera.pass }}@{{ camera.addr}}/h264Preview_01_sub" + - path: "rtsp://viewer:{FRIGATE_{{ camera.name | upper }}_PASS}@{{ camera.addr}}/h264Preview_01_sub" input_args: preset-rtsp-restream roles: - detect - rtmp - - path: "rtsp://viewer:{{ camera.pass }}@{{ camera.addr}}/h264Preview_01_main" + - path: "rtsp://viewer:{FRIGATE_{{ camera.name | upper }}_PASS}@{{ camera.addr}}/h264Preview_01_main" input_args: preset-rtsp-restream roles: - record From 9982ee43868acc537ae73ed9c3cbadcf99876843 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 25 Jun 2024 16:56:46 +0000 Subject: [PATCH 307/713] frigate: Enable user lingering --- roles/frigate/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml index a897972..1a8d430 100644 --- a/roles/frigate/tasks/main.yml +++ b/roles/frigate/tasks/main.yml @@ -10,6 +10,14 @@ group: frigate shell: /sbin/nologin +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - frigate + creates: /var/lib/systemd/linger/frigate + - name: Allow podman to use devices ansible.posix.seboolean: name: container_use_devices From a92d72034ee10680d5aef3989ee23ca5db212606 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 26 Jun 2024 14:55:28 +0000 Subject: [PATCH 308/713] Move mirror host to vmhost02 --- group_vars/mirror.yml | 3 +-- host_vars/mirror01.home.foo.sh.yml | 6 ------ host_vars/mirror02.home.foo.sh.yml | 6 ++++++ hosts.yml | 2 +- playbooks/proxy.yml | 2 +- 5 files changed, 9 insertions(+), 10 deletions(-) delete mode 100644 host_vars/mirror01.home.foo.sh.yml create mode 100644 host_vars/mirror02.home.foo.sh.yml diff --git a/group_vars/mirror.yml b/group_vars/mirror.yml index 9515b80..c21d751 100644 --- a/group_vars/mirror.yml +++ b/group_vars/mirror.yml 
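Review bot: The two changed `path:` lines write `{{ camera.addr}}` without the closing space while the new `{{ camera.name | upper }}` right beside it is spaced; Jinja accepts both, but `{{ camera.addr }}` keeps the template uniform. The `{FRIGATE_…_PASS}` placeholder has to be built with exactly the same filter chain as the variable name in `frigate-container.sysconfig.j2`, so any later change to that derivation must be made in both templates; a one-line `{# must match FRIGATE_*_PASS in frigate-container.sysconfig.j2 #}` Jinja comment above the `inputs:` list records that coupling for the next editor.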
@@ -1,7 +1,6 @@ --- - datadisks: - - {size: 1000} + - {size: 1500, type: hdd} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} diff --git a/host_vars/mirror01.home.foo.sh.yml b/host_vars/mirror01.home.foo.sh.yml deleted file mode 100644 index bc25b7a..0000000 --- a/host_vars/mirror01.home.foo.sh.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -vmhost: vmhost01.home.foo.sh -network_interfaces: - - device: eth0 - vlan: 20 - mac: 52:54:00:ac:dc:13 diff --git a/host_vars/mirror02.home.foo.sh.yml b/host_vars/mirror02.home.foo.sh.yml new file mode 100644 index 0000000..d8c639e --- /dev/null +++ b/host_vars/mirror02.home.foo.sh.yml @@ -0,0 +1,6 @@ +--- +vmhost: vmhost02.home.foo.sh +network_interfaces: + - device: eth0 + vlan: 20 + mac: 52:54:00:ac:dc:14 diff --git a/hosts.yml b/hosts.yml index 0102176..0fc2ef0 100644 --- a/hosts.yml +++ b/hosts.yml @@ -62,7 +62,7 @@ minecraft: minecraft01.home.foo.sh: mirror: hosts: - mirror01.home.foo.sh: + mirror02.home.foo.sh: mongodb: hosts: mongodb01.home.foo.sh: diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index daa19be..65ce5e3 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -78,7 +78,7 @@ nginx_site_redirect: https://www.foo.sh/ - role: nginx_site nginx_site_name: mirrors.foo.sh - nginx_site_proxy: https://mirror01.home.foo.sh/ + nginx_site_proxy: https://mirror02.home.foo.sh/ - role: nginx_site nginx_site_name: movies.foo.sh nginx_site_proxy: From 991a129f28d4a482f87437e4f8f15bff9069935b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 26 Jun 2024 15:45:41 +0000 Subject: [PATCH 309/713] Move prometheus host to vmhost01 --- group_vars/prometheus.yml | 2 +- host_vars/prometheus01.home.foo.sh.yml | 6 ++++++ host_vars/prometheus02.home.foo.sh.yml | 6 ------ hosts.yml | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) create mode 100644 host_vars/prometheus01.home.foo.sh.yml delete mode 100644 host_vars/prometheus02.home.foo.sh.yml 
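Review bot: In the new `host_vars/mirror02.home.foo.sh.yml` the value `mac: 52:54:00:ac:dc:14` is unquoted; it happens to stay a string because of the hex letters, but an all-digit MAC such as `52:54:00:12:34:56` matches the YAML 1.1 sexagesimal integer form and is read as a number by PyYAML, which Ansible uses. The prometheus host_vars added a few commits later quote the same field (`mac: "52:54:00:ac:dc:83"`); quote it here as well, `mac: "52:54:00:ac:dc:14"`, so the convention holds across host_vars.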
diff --git a/group_vars/prometheus.yml b/group_vars/prometheus.yml index e80e98c..be5bea6 100644 --- a/group_vars/prometheus.yml +++ b/group_vars/prometheus.yml @@ -1,6 +1,6 @@ --- datadisks: - - {size: 10, type: nvme} + - {size: 100, type: nvme} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} diff --git a/host_vars/prometheus01.home.foo.sh.yml b/host_vars/prometheus01.home.foo.sh.yml new file mode 100644 index 0000000..e88cf8b --- /dev/null +++ b/host_vars/prometheus01.home.foo.sh.yml @@ -0,0 +1,6 @@ +--- +vmhost: vmhost01.home.foo.sh +network_interfaces: + - device: eth0 + vlan: 20 + mac: "52:54:00:ac:dc:83" diff --git a/host_vars/prometheus02.home.foo.sh.yml b/host_vars/prometheus02.home.foo.sh.yml deleted file mode 100644 index 6c7cc03..0000000 --- a/host_vars/prometheus02.home.foo.sh.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -vmhost: vmhost02.home.foo.sh -network_interfaces: - - device: eth0 - vlan: 20 - mac: "52:54:00:ac:dc:84" diff --git a/hosts.yml b/hosts.yml index 0fc2ef0..c8efeaf 100644 --- a/hosts.yml +++ b/hosts.yml @@ -96,7 +96,7 @@ print: print01.home.foo.sh: prometheus: hosts: - prometheus02.home.foo.sh: + prometheus01.home.foo.sh: vars: mysqld_exporter_version: "0.15.1" nginx_exporter_version: "1.2.0" From be4f2cfce51d1f5e5c2287903c8c89865b239cf3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 28 Jun 2024 14:30:25 +0000 Subject: [PATCH 310/713] Update rocketchat --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index c8efeaf..48bdd35 100644 --- a/hosts.yml +++ b/hosts.yml @@ -89,7 +89,7 @@ ocinode: oci-node02.home.foo.sh: vars: grafana_version: "11.0.0" - rocketchat_version: "6.9.0" + rocketchat_version: "6.9.3" roundcube_version: "1.6.7" print: hosts: From ed5bc5028b49742c101617a6e65728f4df2e4985 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Fri, 28 Jun 2024 14:30:49 +0000 Subject: [PATCH 311/713] collab: Disable sftp backups --- roles/collab/tasks/main.yml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/roles/collab/tasks/main.yml b/roles/collab/tasks/main.yml index 64c43b9..6de89a0 100644 --- a/roles/collab/tasks/main.yml +++ b/roles/collab/tasks/main.yml @@ -269,15 +269,3 @@ owner: root group: "{{ ansible_wheel }}" notify: Restart apache - -- name: Import sftpuser role - ansible.builtin.import_role: - name: sftpuser - vars: - sftpuser_chroot: /srv/wikis/collab - -- name: Add backup user to collab group - ansible.builtin.user: - name: backup - groups: collab - append: true From 8ad160b0464196033c680b2804d42683df28891c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 28 Jun 2024 15:22:17 +0000 Subject: [PATCH 312/713] nginx_site: Fix certbot virtual host --- roles/nginx_site/templates/site.conf.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 index afc3dae..ecc4f64 100644 --- a/roles/nginx_site/templates/site.conf.j2 +++ b/roles/nginx_site/templates/site.conf.j2 @@ -47,7 +47,9 @@ server { listen 80; listen [::]:80; server_name {{ nginx_site_name }}; -{% if nginx_site_name != 'certbot.home.foo.sh' %} +{% if nginx_site_name == 'certbot.home.foo.sh' and 'proxy' not in groups %} + root /srv/web/{{ nginx_site_name }}; +{% else %} location /.well-known/acme-challenge/ { proxy_pass http://certbot.home.foo.sh/.well-known/acme-challenge/; } @@ -58,8 +60,6 @@ server { return 301 https://$host$request_uri; {% endif %} } -{% else %} - root /srv/web/{{ nginx_site_name }}; {% endif %} } {% endif %} From c7606378f2d4178e392d1221675826dc2a2b95b6 Mon Sep 17 00:00:00 2001 
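Review bot: The new condition `nginx_site_name == 'certbot.home.foo.sh' and 'proxy' not in groups` in `site.conf.j2` tests `groups`, the inventory-wide group map, so it evaluates identically on every host and is only true in an inventory that has no `proxy` group at all; if the intent is "this host is not a proxy", the per-host list is `group_names` (`'proxy' not in group_names`). With the current test, the certbot host in an inventory that does define `proxy` takes the else branch and proxies `/.well-known/acme-challenge/` to `certbot.home.foo.sh`, which may resolve to itself; whether that loops depends on DNS not visible here. The enclosing `server { … }` block starts before the hunk.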
From: Timo Makinen Date: Fri, 28 Jun 2024 15:22:49 +0000 Subject: [PATCH 313/713] nginx: Fix certbot proxy config --- roles/nginx/templates/nginx.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index 85c6ecc..0a503cc 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -35,7 +35,7 @@ http { server_name {{ inventory_hostname }}; location /.well-known/acme-challenge/ { - proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/; + proxy_pass http://certbot.home.foo.sh/.well-known/acme-challenge/; } location / { return 301 https://$host$request_uri; From 7ac216baf84b2163db36742a0088fa53ce32e419 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 9 Jul 2024 20:35:13 +0000 Subject: [PATCH 314/713] Update software versions --- hosts.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts.yml b/hosts.yml index 48bdd35..75d126c 100644 --- a/hosts.yml +++ b/hosts.yml @@ -36,11 +36,11 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.6" + homeassistant_version: "2024.7" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git - version: v1.0.17 + version: v1.0.18 - name: nordpool repo: https://github.com/custom-components/nordpool.git version: 0.0.14 @@ -88,7 +88,7 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "11.0.0" + grafana_version: "11.1.0" rocketchat_version: "6.9.3" roundcube_version: "1.6.7" print: From d747f3a1508823e2664428a39fc1e4386835f70e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 11 Jul 2024 07:40:44 +0000 Subject: [PATCH 315/713] thinlinc_mirror: Print changelog after download --- roles/thinlinc_mirror/files/sync-thinlinc-repo.sh | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/roles/thinlinc_mirror/files/sync-thinlinc-repo.sh b/roles/thinlinc_mirror/files/sync-thinlinc-repo.sh index fc0d3d2..f510f8f 100755 --- a/roles/thinlinc_mirror/files/sync-thinlinc-repo.sh +++ b/roles/thinlinc_mirror/files/sync-thinlinc-repo.sh @@ -47,4 +47,6 @@ if [ ! -f "${REPODIR}/${PKGNAME}" ]; then echo "Updating repository metadata:" createrepo_c "${REPODIR}" echo "" + + unzip -p "$tmpfile" "*release-notes-*.txt" fi From 78485bc490529e5a7f21cfee4b3bdc8896a8b2dd Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 27 Aug 2024 15:56:52 +0000 Subject: [PATCH 316/713] Change OpenBSD mirror source --- playbooks/mirror.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/mirror.yml b/playbooks/mirror.yml index d363ba8..8be9d04 100644 --- a/playbooks/mirror.yml +++ b/playbooks/mirror.yml @@ -65,7 +65,7 @@ mirror_postcmd: python3 /usr/local/bin/report_mirror - role: mirror/sync mirror_label: openbsd - mirror_source: "rsync://mirror.planetunix.net/OpenBSD/" + mirror_source: "rsync://ftp.nluug.nl/openbsd/" mirror_rsyncoptions: - "--include=/?.?/" - "--include=/?.?/amd64/" From 884e276aae9e32d2e88d28e88b341870e81640b5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 9 Sep 2024 19:49:15 +0000 Subject: [PATCH 317/713] Update software versions --- hosts.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/hosts.yml b/hosts.yml index 75d126c..1fbbf09 100644 --- a/hosts.yml +++ b/hosts.yml @@ -36,11 +36,11 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.7" + homeassistant_version: "2024.9" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git - version: v1.0.18 + version: v1.0.19 - name: nordpool repo: https://github.com/custom-components/nordpool.git version: 0.0.14 
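Review bot: The added `unzip -p "$tmpfile" "*release-notes-*.txt"` exits non-zero when the archive holds no matching member, and it runs after `createrepo_c` has already rebuilt the metadata; if the script runs under `set -e` (its header is outside the hunk) a package without release notes turns a completed sync into a failure exit for cron. Make the listing best-effort: `unzip -p "$tmpfile" "*release-notes-*.txt" || echo "WARN: no release notes found in archive" 1>&2`. The lowercase `$tmpfile` also sits next to the uppercase `REPODIR`/`PKGNAME` globals; it is declared outside the hunk, so this is only a naming note.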
@@ -88,9 +88,9 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "11.1.0" - rocketchat_version: "6.9.3" - roundcube_version: "1.6.7" + grafana_version: "11.2.0" + rocketchat_version: "6.12.0" + roundcube_version: "1.6.9" print: hosts: print01.home.foo.sh: @@ -99,7 +99,7 @@ prometheus: prometheus01.home.foo.sh: vars: mysqld_exporter_version: "0.15.1" - nginx_exporter_version: "1.2.0" + nginx_exporter_version: "1.3.0" proxy: hosts: proxy01.home.foo.sh: From 264594636f279bd11fd8ecf221c48727510bc335 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 10 Sep 2024 20:10:13 +0000 Subject: [PATCH 318/713] frigate: Update to 0.14.1 version --- hosts.yml | 2 +- roles/frigate/templates/frigate.yml.j2 | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/hosts.yml b/hosts.yml index 1fbbf09..8794ec5 100644 --- a/hosts.yml +++ b/hosts.yml @@ -17,7 +17,7 @@ frigate: hosts: frigate02.home.foo.sh: vars: - frigate_version: "0.13.2" + frigate_version: "0.14.1" fsolgw: hosts: fsol-gw01.home.foo.sh: diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2 index 433dfa0..7f98235 100644 --- a/roles/frigate/templates/frigate.yml.j2 +++ b/roles/frigate/templates/frigate.yml.j2 @@ -27,7 +27,6 @@ cameras: input_args: preset-rtsp-restream roles: - detect - - rtmp - path: "rtsp://viewer:{FRIGATE_{{ camera.name | upper }}_PASS}@{{ camera.addr}}/h264Preview_01_main" input_args: preset-rtsp-restream roles: From c4db933785959563120a1428a208f8ee1b6c20f9 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 11 Sep 2024 07:36:47 +0000 Subject: [PATCH 319/713] node_exporter: Fix model name for nvme disks --- roles/node_exporter/files/smartmon.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/node_exporter/files/smartmon.sh b/roles/node_exporter/files/smartmon.sh index c20a850..4cefec5 100755 --- a/roles/node_exporter/files/smartmon.sh +++ b/roles/node_exporter/files/smartmon.sh 
@@ -116,7 +116,7 @@ parse_smartctl_info() { info_value="$(echo "${line}" | cut -f2- -d: | sed 's/^ \+//g' | sed 's/"/\\"/')" case "${info_type}" in Model_Family) model_family="${info_value}" ;; - Device_Model) device_model="${info_value}" ;; + Device_Model|Model_Number) device_model="${info_value}" ;; Serial_Number|Serial_number) serial_number="${info_value}" ;; Firmware_Version) fw_version="${info_value}" ;; Vendor) vendor="${info_value}" ;; From 7643d02c5e96bfae34c785a7daa967a58a0ff828 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 28 Sep 2024 15:02:42 +0000 Subject: [PATCH 320/713] homeassistant: Enable ha user lingering --- roles/homeassistant/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index 2a510a0..1f1c11a 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml @@ -10,6 +10,14 @@ group: ha shell: /sbin/nologin +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - ha + creates: /var/lib/systemd/linger/ha + - name: Install dependencies ansible.builtin.package: name: "{{ item }}" From bd8ae569f264fdc6d869d1a5acb717c4506bd0d3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 28 Sep 2024 15:03:01 +0000 Subject: [PATCH 321/713] Remove nordpool plugin from homeassistant --- hosts.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/hosts.yml b/hosts.yml index 8794ec5..26a3f1b 100644 --- a/hosts.yml +++ b/hosts.yml @@ -41,9 +41,6 @@ homeassistant: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git version: v1.0.19 - - name: nordpool - repo: https://github.com/custom-components/nordpool.git - version: 0.0.14 influxdb: hosts: influxdb01.home.foo.sh: From f8cbdb29a14d1d9ee89ae7e9e2fa054851bd24a7 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Tue, 8 Oct 2024 19:09:03 +0000 Subject: [PATCH 322/713] Update changed dynamic ip addresses --- group_vars/ns.yml | 2 +- group_vars/shell.yml | 2 +- roles/pf/files/pf.conf.gw_home | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/ns.yml b/group_vars/ns.yml index 79a23ca..d22952f 100644 --- a/group_vars/ns.yml +++ b/group_vars/ns.yml @@ -1,6 +1,6 @@ --- firewall_in: - - {proto: tcp, port: 22, from: [172.20.20.0/22, 62.78.229.29/32]} + - {proto: tcp, port: 22, from: [172.20.20.0/22, 62.78.229.26/32]} - {proto: tcp, port: 53} - {proto: udp, port: 53} - {proto: tcp, port: 80} diff --git a/group_vars/shell.yml b/group_vars/shell.yml index 202b4dc..55e4a34 100644 --- a/group_vars/shell.yml +++ b/group_vars/shell.yml @@ -9,7 +9,7 @@ firewall_in: - {proto: tcp, port: 22} - {proto: tcp, port: 80} - {proto: tcp, port: 443} - - {proto: tcp, port: 9100, from: [62.78.229.29/32]} + - {proto: tcp, port: 9100, from: [62.78.229.26/32]} ssh_hostnames: - shell.foo.sh diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/files/pf.conf.gw_home index 42dbe63..8a91465 100644 --- a/roles/pf/files/pf.conf.gw_home +++ b/roles/pf/files/pf.conf.gw_home @@ -43,7 +43,7 @@ antispoof for vio1 pass in quick on $int_if proto tcp from $int_net to self port ssh pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh -pass in quick on $ext_if proto tcp from 89.166.9.218/32 to self port ssh +pass in quick on $ext_if proto tcp from 62.78.229.19/32 to self port ssh # node_exporter from internal network pass in quick on $int_if proto tcp from $int_net to self port 9100 From 8cef5964ba668161d93a4b8d95ce17cb7fa8e59e Mon Sep 17 00:00:00 2001 
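Review bot: The admin source address is hand-copied into three files, and in this commit the pf.conf rule gets `62.78.229.19/32` while ns.yml and shell.yml get `62.78.229.26/32`; if these are meant to be the same host, one of the three is now stale and the mismatched rule either locks the admin out or keeps a no-longer-owned address allowed. The same drift recurs in the later "Update changed ip addresses" and "pf: Fix changed ip addresses" commits, where pf.conf and the group vars again end up with different addresses. A single group variable (for example `admin_src_net`) referenced from `firewall_in` and rendered into the pf rule would keep the three places in lock-step; pf.conf.gw_home is a static file rather than a template, so that means converting it. Raised once here for all three commits.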
From: Timo Makinen Date: Fri, 11 Oct 2024 15:24:54 +0000 Subject: [PATCH 323/713] Update OpenBSD installs to 7.6 --- group_vars/openbsd.yml | 2 +- playbooks/dna-gw.yml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/group_vars/openbsd.yml b/group_vars/openbsd.yml index 51337c9..d1da74f 100644 --- a/group_vars/openbsd.yml +++ b/group_vars/openbsd.yml @@ -17,5 +17,5 @@ num_cpus: 2 # extra args for virt-install virt_install_os_args: --cdrom {{ boot_url }}/openbsd/openbsd.iso -virt_install_os_variant: openbsd7.0 +virt_install_os_variant: openbsd7.4 virt_install_python_cmd: pkg_add python3 -I -x diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 360d7be..8663ef0 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -70,8 +70,8 @@ - name: Create tftp pxeboot loader for OpenBSD installs ansible.builtin.get_url: - url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.5/amd64/pxeboot" - checksum: sha1:187d24bc9fddf2b032540017cec375051fc65afc + url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.6/amd64/pxeboot" + checksum: sha1:c696836c1e6cc67c6c31f6ceb5daaaa4ec0632b7 dest: /srv/tftpboot/pxeboot mode: "0644" owner: root @@ -79,8 +79,8 @@ - name: Create tftp ramdisk for OpenBSD installs ansible.builtin.get_url: - url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.5/amd64/bsd.rd" - checksum: sha1:4362ec59d407f369be4840002cbc6942015afd8c + url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.6/amd64/bsd.rd" + checksum: sha1:f690655c768ec9ef208188921ac53634a9233aca dest: /srv/tftpboot/bsd.rd mode: "0644" owner: root From 84f85491457831626fd9d629fd12454dd3901470 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 11 Oct 2024 15:37:00 +0000 Subject: [PATCH 324/713] Fix python install for OpenBSD --- group_vars/openbsd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/openbsd.yml b/group_vars/openbsd.yml index d1da74f..2695e29 100644 --- a/group_vars/openbsd.yml +++ b/group_vars/openbsd.yml 
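Review bot: Both `get_url` tasks in dna-gw.yml pin the fetched pxeboot and bsd.rd with `checksum: sha1:...`; SHA-1 is no longer collision resistant, and these images are handed to every PXE client on the segment, so the pin gives weaker assurance than the release files allow. OpenBSD publishes a `SHA256` (and signed `SHA256.sig`) file in each release directory, so use `checksum: sha256:<value from 7.6/amd64/SHA256>` for both tasks, with the placeholder replaced by the value from that file. The earlier pxeboot hunk in the same file has the same issue. The openbsd.yml hunk moves `virt_install_os_variant` only to `openbsd7.4` while the installs move to 7.6, presumably because the osinfo database has no newer entry; a short comment saying so would save the next reader a check.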
@@ -18,4 +18,4 @@ num_cpus: 2 # extra args for virt-install virt_install_os_args: --cdrom {{ boot_url }}/openbsd/openbsd.iso virt_install_os_variant: openbsd7.4 -virt_install_python_cmd: pkg_add python3 -I -x +virt_install_python_cmd: pkg_add -I -x python From 119ecd3e0a7df6176a32808ce594deba827f8898 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Oct 2024 15:19:48 +0000 Subject: [PATCH 325/713] Spinning disks only on vmhost02 --- playbooks/vmhost.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/vmhost.yml b/playbooks/vmhost.yml index f01b865..9572856 100644 --- a/playbooks/vmhost.yml +++ b/playbooks/vmhost.yml @@ -17,6 +17,7 @@ passno: "0" dump: "0" state: mounted + when: inventory_hostname == "vmhost02.home.foo.sh" - name: Mount /export/libvirt/nvme ansible.posix.mount: name: /export/libvirt/nvme From e9c9f0a47caa27b650e27097ca95f5a1e71c2451 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Oct 2024 15:20:19 +0000 Subject: [PATCH 326/713] Add iot interface to homeassistant hosts --- host_vars/homeassistant01.home.foo.sh.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/host_vars/homeassistant01.home.foo.sh.yml b/host_vars/homeassistant01.home.foo.sh.yml index f5803cf..922e502 100644 --- a/host_vars/homeassistant01.home.foo.sh.yml +++ b/host_vars/homeassistant01.home.foo.sh.yml @@ -5,6 +5,8 @@ network_interfaces: vlan: 20 mac: 52:54:00:ac:dc:73 - device: eth1 + vlan: 27 + - device: eth2 vlan: 30 virt_install_devices: - 001.002 From b5224f77331856c7cc5a16cd8e2f74bb251f568b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Oct 2024 16:46:22 +0000 Subject: [PATCH 327/713] Add ipv6 address to gateway hosts --- group_vars/fsolgw.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/fsolgw.yml b/group_vars/fsolgw.yml index fc3b312..f45c486 100644 --- a/group_vars/fsolgw.yml +++ b/group_vars/fsolgw.yml 
@@ -4,6 +4,8 @@ network_vip_interfaces: vhid: 145 ipaddr: 37.16.96.145 netmask: 255.255.255.240 + ip6addr: 2a00:4cc1:6:1006::1 + ip6netmask: 64 pass: "{{ vip145_pass }}" network_dns_servers: [172.20.20.10, 172.20.21.1, 172.20.21.2] From 13840dd12ae525460bc5a0077553535ce476b715 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Oct 2024 17:02:49 +0000 Subject: [PATCH 328/713] dhcpd: Fix leases file for OpenBSD 7.6 --- roles/dhcpd/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/dhcpd/tasks/main.yml b/roles/dhcpd/tasks/main.yml index 4b81ae3..8722f27 100644 --- a/roles/dhcpd/tasks/main.yml +++ b/roles/dhcpd/tasks/main.yml @@ -19,7 +19,7 @@ - name: Create leases file ansible.builtin.copy: - dest: /var/db/isc-dhcpd/dhcpd.leases + dest: /var/db/isc-dhcp/dhcpd.leases content: "" mode: "0644" owner: _isc-dhcp @@ -32,4 +32,4 @@ name: "{{ dhcpd_service }}" state: started enabled: true - arguments: "-lf /var/db/isc-dhcpd/dhcpd.leases -user _isc-dhcp -group _isc-dhcp vio0" + arguments: "-user _isc-dhcp -group _isc-dhcp vio0" From 58bde398c0aeb093c1abee9c220b7c0cecd5ee7c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Oct 2024 18:09:09 +0000 Subject: [PATCH 329/713] unbound: Use Google as external resolver --- .../unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 | 7 ++++++- .../unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 | 7 ++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 index 97db90b..4fb2134 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 
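Review bot: `Create leases file` uses `ansible.builtin.copy` with `content: ""` against the renamed path `/var/db/isc-dhcp/dhcpd.leases`; `copy` replaces the destination whenever its content differs, so unless a `force: false` follows below the hunk, every play run truncates the live leases database and dhcpd forgets the leases it has issued. Add `force: false` to the task so the file is only created when missing. The second hunk's drop of `-lf` is consistent with the new path, but the old `/var/db/isc-dhcpd/dhcpd.leases` is left behind on upgraded hosts and could be removed in the same task list.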
@@ -8,7 +8,7 @@ server: tls-service-key: {{ tls_private }}/dns.home.foo.sh.key tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt - tls-cert-bundle: {{ tls_certs }}/ca.crt + tls-cert-bundle: {{ tls_bundle }} access-control: 127.0.0.0/8 allow access-control: ::1 allow @@ -26,6 +26,11 @@ remote-control: control-enable: yes control-interface: /var/run/unbound.sock +forward-zone: + name: "." + forward-tls-upstream: yes + forward-addr: 8.8.8.8@853#dns.google + {% for zone in unbound_zones %} auth-zone: name: "{{ zone }}" diff --git a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 index 59d99d8..22e579c 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 @@ -8,7 +8,7 @@ server: tls-service-key: {{ tls_private }}/dns.home.foo.sh.key tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt - tls-cert-bundle: {{ tls_certs }}/ca.crt + tls-cert-bundle: {{ tls_bundle }} access-control: 127.0.0.0/8 allow access-control: ::1 allow @@ -26,6 +26,11 @@ remote-control: control-enable: yes control-interface: /var/run/unbound.sock +forward-zone: + name: "." + forward-tls-upstream: yes + forward-addr: 8.8.8.8@853#dns.google + {% for zone in unbound_zones %} auth-zone: name: "{{ zone }}" From aaeae7002a1470c56b8c83af8bda8601698aa81f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Oct 2024 18:57:26 +0000 Subject: [PATCH 330/713] Add ssh public host keys to vmhosts --- playbooks/vmhost.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/vmhost.yml b/playbooks/vmhost.yml index 9572856..3d545f9 100644 --- a/playbooks/vmhost.yml +++ b/playbooks/vmhost.yml @@ -50,3 +50,4 @@ roles: - base - kvm_host + - ssh_known_hosts From 4b27e6c3165159936b248f6a7bb2229a022b7664 Mon Sep 17 00:00:00 2001 
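Review bot: `forward-addr: 8.8.8.8@853#dns.google` enables certificate verification against the store named by `tls-cert-bundle`, which the first hunk repoints from `{{ tls_certs }}/ca.crt` to `{{ tls_bundle }}`; if that variable expands to a bundle holding only the internal CA, Unbound cannot validate dns.google and every recursive query returns SERVFAIL. Confirm `tls_bundle` includes the public roots, or set `tls-system-cert: yes` so the upstream check uses the system store. A single forwarder is also a single point of failure; a second line `forward-addr: 8.8.4.4@853#dns.google` keeps resolution working when one address is unreachable. The dna-gw02 template in this commit carries the identical hunks.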
From: Timo Makinen Date: Sat, 12 Oct 2024 19:42:38 +0000 Subject: [PATCH 331/713] ifstated: Fix dna-gw config for OpenBSD 7.6 --- roles/ifstated/templates/ifstated-dna.conf.j2 | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/roles/ifstated/templates/ifstated-dna.conf.j2 b/roles/ifstated/templates/ifstated-dna.conf.j2 index 7fcbd5f..ed794f3 100644 --- a/roles/ifstated/templates/ifstated-dna.conf.j2 +++ b/roles/ifstated/templates/ifstated-dna.conf.j2 @@ -17,10 +17,9 @@ state master { init { # spoof mac to keep dhcp lease in sync with both gw's run "/sbin/ifconfig vio1 lladdr {{ gw_home_mac }} up" - # flush routes and run dhclient and dhcpcd + # flush routes and renew lease run "/sbin/route -qn flush" - run "/sbin/dhclient vio1" - #run "/sbin/rcctl restart dhcpcd > /dev/null" + run "/usr/sbin/dhcpleasectl vio1" # reset firewall rules run "sleep 5 ; pfctl -f /etc/pf.conf" } @@ -31,8 +30,6 @@ state master { state backup { init { - # kill dhclient (TODO: better command for this) - run "pkill -9 dhclient" # bring down interface and reset mac run "/sbin/ifconfig vio1 delete lladdr {{ gw_home_mac }} down" # flush routes and fix default route From e617040bfd33f10dc315c3de9cf2f9dcd7a05cff Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Oct 2024 19:43:37 +0000 Subject: [PATCH 332/713] Fix dhcp client configs for OpenBSD 7.6 --- playbooks/dna-gw.yml | 7 +++++-- playbooks/fsol-gw.yml | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 8663ef0..71ef499 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -25,8 +25,11 @@ tasks: - name: Use configured dns servers and domain name ansible.builtin.copy: - dest: /etc/dhclient.conf - content: "ignore domain-name-servers, domain-name;\n" + dest: /etc/dhcpleased.conf + content: | + interface vio1 { + ignore dns + } mode: "0644" owner: root group: "{{ ansible_wheel }}" 
diff --git a/playbooks/fsol-gw.yml b/playbooks/fsol-gw.yml index 1d11432..1dd8747 100644 --- a/playbooks/fsol-gw.yml +++ b/playbooks/fsol-gw.yml @@ -30,8 +30,11 @@ - net.inet6.ip6.forwarding - name: Manually set DNS servers ansible.builtin.copy: - dest: /etc/dhclient.conf - content: "ignore domain-name-servers, domain-name;\n" + dest: /etc/dhcpleased.conf + content: | + interface vio2 { + ignore dns + } mode: "0644" owner: root group: "{{ ansible_wheel }}" From 4eddc7498c450d1eea466a9c2b20f18cf1e2ee48 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Oct 2024 20:19:55 +0000 Subject: [PATCH 333/713] Remove ssd storage from vmhost01 --- playbooks/vmhost.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/playbooks/vmhost.yml b/playbooks/vmhost.yml index 3d545f9..3869f1c 100644 --- a/playbooks/vmhost.yml +++ b/playbooks/vmhost.yml @@ -36,16 +36,6 @@ passno: "0" dump: "0" state: mounted - - name: Mount /export/libvirt/ssd - ansible.posix.mount: - name: /export/libvirt/ssd - src: LABEL=ssd - fstype: xfs - opts: noatime,noexec,nosuid,nodev - passno: "0" - dump: "0" - state: mounted - when: inventory_hostname == "vmhost01.home.foo.sh" roles: - base From 04be788c0908e7d76a6135280514e738b0b04e95 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Oct 2024 20:23:41 +0000 Subject: [PATCH 334/713] Add more memory to frigate hosts --- group_vars/frigate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/frigate.yml b/group_vars/frigate.yml index 7a7df80..8111625 100644 --- a/group_vars/frigate.yml +++ b/group_vars/frigate.yml @@ -1,5 +1,5 @@ --- -mem_size: 4096 +mem_size: 8192 num_cpus: 2 datadisks: - {size: 500} From 68114937c665668a80c987b89b05fcb3954950e5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 13 Oct 2024 15:27:34 +0000 Subject: [PATCH 335/713] Update software versions --- hosts.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/hosts.yml b/hosts.yml index 26a3f1b..ef41725 100644 --- a/hosts.yml +++ b/hosts.yml @@ -36,7 +36,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.9" + homeassistant_version: "2024.10" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git @@ -85,8 +85,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "11.2.0" - rocketchat_version: "6.12.0" + grafana_version: "11.2.2" + rocketchat_version: "6.13.0" roundcube_version: "1.6.9" print: hosts: From b0ca80f4c2fc5ffe19b1e6c734ff11784e7393b5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 14 Oct 2024 22:10:02 +0000 Subject: [PATCH 336/713] Update homeassistant electorlux status plugin --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index ef41725..3d1c998 100644 --- a/hosts.yml +++ b/hosts.yml @@ -40,7 +40,7 @@ homeassistant: homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git - version: v1.0.19 + version: v2.0.0 influxdb: hosts: influxdb01.home.foo.sh: From b16dcb832951f837db9190867049d2ec6c0d9612 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Oct 2024 17:08:09 +0000 Subject: [PATCH 337/713] nginx_site: Fix certbot proxy --- roles/nginx_site/templates/site.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 index ecc4f64..a967023 100644 --- a/roles/nginx_site/templates/site.conf.j2 +++ b/roles/nginx_site/templates/site.conf.j2 
@@ -51,7 +51,7 @@ server { root /srv/web/{{ nginx_site_name }}; {% else %} location /.well-known/acme-challenge/ { - proxy_pass http://certbot.home.foo.sh/.well-known/acme-challenge/; + proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/; } location / { {% if nginx_site_redirect is defined %} From 0a0d966d084f09671fb4e2e245d7b9deb5e662df Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Oct 2024 17:09:14 +0000 Subject: [PATCH 338/713] certbot: Change certbot user UID/GID --- roles/certbot/tasks/main.yml | 4 ++-- users.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index 2680da5..189b36b 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -7,7 +7,7 @@ - name: Create certbot group ansible.builtin.group: name: certbot - gid: 1002 + gid: 307 - name: Create certbot user ansible.builtin.user: @@ -17,7 +17,7 @@ group: certbot home: /var/empty shell: /sbin/nologin - uid: 1002 + uid: 307 - name: Add certbot nginx site ansible.builtin.include_role: diff --git a/users.md b/users.md index c6f02a5..1854978 100644 --- a/users.md +++ b/users.md @@ -13,7 +13,7 @@ entry empty. If only a group is created, leave the user entry empty. | 305 | prometheus | prometheus | | | 306 | backup | backup | | | 307 | minecraft | minecraft | | +| 308 | certbot | certbot | | | 1001 | mirror | mirror | | -| 1002 | certbot | certbot | | | 1003 | collab | collab | | | 1004 | docker | docker | docker registry | From 78319d29b54ba50a670467bf7ac91f2973f1a0b7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Oct 2024 18:24:16 +0000 Subject: [PATCH 339/713] frigate: Increase shm size --- roles/frigate/templates/frigate-container.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/frigate/templates/frigate-container.service.j2 b/roles/frigate/templates/frigate-container.service.j2 index e835cf6..3d5a507 100644 
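Review bot: `proxy_pass https://certbot.home.foo.sh/...` encrypts the hop, but nginx does not verify the upstream certificate or send SNI by default, so the change authenticates nothing and any host answering for that name with any certificate is accepted; the proxied body is what the ACME validator sees. Add to this location `proxy_ssl_server_name on;`, `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate {{ tls_bundle }};` (the bundle variable already used elsewhere in this repository). The enclosing `server` block starts outside the hunk.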
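Review bot: The certbot tasks set uid and gid to `307`, but the users.md hunk in the same commit registers certbot as `308` and keeps `307` for minecraft, so either the tasks collide with the minecraft account on a host that has both, or the table is off by one; make the two agree before this is applied. Renumbering an existing account with `ansible.builtin.user` also leaves files created under the old uid 1002 owned by a now-unassigned id, so a chown of the certbot directories on the affected hosts should accompany the change.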
--- a/roles/frigate/templates/frigate-container.service.j2 +++ b/roles/frigate/templates/frigate-container.service.j2 @@ -13,6 +13,7 @@ ExecStart=/usr/bin/podman run \ --volume /etc/frigate.yml:/config/config.yml:ro \ --volume /srv/frigate/media:/media/frigate:rw \ --volume /dev/bus/usb:/dev/bus/usb:rw \ + --shm-size 1024M \ --env=FRIGATE_* ghcr.io/blakeblackshear/frigate:{{ frigate_version }} ExecStop=/usr/bin/podman stop --ignore frigate ExecStopPost=/usr/bin/podman rm -f --ignore frigate From 5865d0da5c450b54c91fabf8fb96011604d674c4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Oct 2024 18:24:34 +0000 Subject: [PATCH 340/713] frigate: Split data into two disks (hdd + nvme) --- group_vars/frigate.yml | 3 ++- playbooks/frigate.yml | 15 +++++++++------ roles/frigate/tasks/main.yml | 10 +++++++++- 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/group_vars/frigate.yml b/group_vars/frigate.yml index 8111625..48bed7f 100644 --- a/group_vars/frigate.yml +++ b/group_vars/frigate.yml @@ -2,7 +2,8 @@ mem_size: 8192 num_cpus: 2 datadisks: - - {size: 500} + - {size: 50, type: nvme} + - {size: 500, type: hdd} network_vip_interfaces: - device: eth1 diff --git a/playbooks/frigate.yml b/playbooks/frigate.yml index 2b37b1c..83bc482 100644 --- a/playbooks/frigate.yml +++ b/playbooks/frigate.yml @@ -13,15 +13,18 @@ - "{{ ansible_private }}/vars.yml" pre_tasks: - - name: Mount /export + - name: Mount datadirectories ansible.posix.mount: - name: /export - src: LABEL=/export + name: "/export/frigate/{{ item }}" + src: "LABEL={{ item }}" fstype: xfs opts: noatime,noexec,nosuid,nodev passno: "0" dump: "0" state: mounted + with_items: + - config + - media roles: - base 
@@ -32,13 +35,13 @@ keytab_group: apache tasks: - - name: Run handlers to get interfaces configured - ansible.builtin.meta: flush_handlers - - name: Include unbound role ansible.builtin.import_role: name: unbound + - name: Run handlers to get interfaces configured + ansible.builtin.meta: flush_handlers + - name: Include dhcpd role ansible.builtin.include_role: name: dhcpd diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml index 1a8d430..a52e7d2 100644 --- a/roles/frigate/tasks/main.yml +++ b/roles/frigate/tasks/main.yml @@ -48,6 +48,15 @@ setype: container_file_t when: ansible_selinux_python_present +- name: Create base directory + ansible.builtin.file: + path: /export/frigate + state: directory + mode: "0755" + owner: root + group: root + setype: _default + - name: Create data directories ansible.builtin.file: path: "{{ item }}" @@ -57,7 +66,6 @@ group: frigate setype: _default with_items: - - /export/frigate - /export/frigate/config - /export/frigate/media From 4f408bac9d119bd8fa5569a54709c614997332ca Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 21 Oct 2024 05:17:12 +0000 Subject: [PATCH 341/713] mongodb: Fix removing old backups --- roles/mongodb/templates/mongodb-backup.sh.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/mongodb/templates/mongodb-backup.sh.j2 b/roles/mongodb/templates/mongodb-backup.sh.j2 index 2cca05a..fc415e8 100755 --- a/roles/mongodb/templates/mongodb-backup.sh.j2 +++ b/roles/mongodb/templates/mongodb-backup.sh.j2 @@ -8,9 +8,9 @@ DESTDIR="/srv/backup" DATE="$(date +%Y-%m-%d)" cd "$DESTDIR" -find . -xdev -mindepth 2 -maxdepth 2 -type f -mtime +30 \ +find . -xdev -mindepth 3 -maxdepth 3 -type f -mtime +30 \ -execdir rm -f -- {} \; -find . -xdev -depth -mindepth 1 -maxdepth 1 -type d -empty \ +find . -xdev -depth -mindepth 1 -maxdepth 2 -type d -empty \ -execdir rmdir -- {} \; mkdir -m 2750 "$DATE" From 2a4af75d53c63f72b01e9547cdaeb23440f19513 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Fri, 15 Nov 2024 17:58:47 +0000 Subject: [PATCH 342/713] mysqld_exporter: Restart service after update --- roles/mysqld_exporter/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mysqld_exporter/tasks/main.yml b/roles/mysqld_exporter/tasks/main.yml index 1c08cf4..d8722d1 100644 --- a/roles/mysqld_exporter/tasks/main.yml +++ b/roles/mysqld_exporter/tasks/main.yml @@ -44,6 +44,7 @@ owner: root group: "{{ ansible_wheel }}" remote_src: true + notify: Restart mysqld_exporter - name: Create config directory ansible.builtin.file: From ff42297fad11dc2856d90863e31851c542eee266 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 15 Nov 2024 17:59:16 +0000 Subject: [PATCH 343/713] rocketchat: No alpine version of 7.0.0 and newer --- roles/rocketchat/templates/rocketchat-container.service.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/rocketchat/templates/rocketchat-container.service.j2 b/roles/rocketchat/templates/rocketchat-container.service.j2 index acbb866..16f511a 100644 --- a/roles/rocketchat/templates/rocketchat-container.service.j2 +++ b/roles/rocketchat/templates/rocketchat-container.service.j2 
@@ -6,14 +6,14 @@ After=network-online.target [Service] User=rocketchat EnvironmentFile=/etc/sysconfig/rocketchat-container -ExecStartPre=/usr/bin/podman pull docker.io/rocketchat/rocket.chat:{{ rocketchat_version }}-alpine +ExecStartPre=/usr/bin/podman pull docker.io/rocketchat/rocket.chat:{{ rocketchat_version }} ExecStart=/usr/bin/podman run \ --rm -p 127.0.0.1:8008:3000 \ --name rocketchat \ --volume={{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \ --volume={{ tls_private }}/rocketchat.pem:/etc/ssl/private/rocketchat.pem:ro \ --env ROOT_URL --env MONGO_URL --env MONGO_OPLOG_URL \ - docker.io/rocketchat/rocket.chat:{{ rocketchat_version }}-alpine + docker.io/rocketchat/rocket.chat:{{ rocketchat_version }} ExecStop=/usr/bin/podman stop --ignore rocketchat ExecStopPost=/usr/bin/podman rm -f --ignore rocketchat From 76c7a2a5114e19fde6cdba852ffe3dd63eaf5592 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 15 Nov 2024 18:00:53 +0000 Subject: [PATCH 344/713] Update software versions --- hosts.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/hosts.yml b/hosts.yml index 3d1c998..59f1046 100644 --- a/hosts.yml +++ b/hosts.yml @@ -36,11 +36,11 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.10" + homeassistant_version: "2024.11" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git - version: v2.0.0 + version: v2.0.9 influxdb: hosts: influxdb01.home.foo.sh: @@ -85,8 +85,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "11.2.2" - rocketchat_version: "6.13.0" + grafana_version: "11.3.0" + rocketchat_version: "7.0.0" roundcube_version: "1.6.9" print: hosts: @@ -95,7 +95,7 @@ prometheus: hosts: prometheus01.home.foo.sh: vars: - mysqld_exporter_version: "0.15.1" + mysqld_exporter_version: "0.16.0" nginx_exporter_version: "1.3.0" proxy: hosts: 
From 2c63423a9a095ae0d338a4be974d0099d4cd124d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 26 Nov 2024 07:57:21 +0000 Subject: [PATCH 345/713] Update gitea version --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 59f1046..eff12ed 100644 --- a/hosts.yml +++ b/hosts.yml @@ -26,7 +26,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.11" + gitea_version: "1.22.4" gitearunner: hosts: gitea-runner02.home.foo.sh: From 773dff1aa9031191454af44904abbfaf9d6c1df6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 26 Nov 2024 13:03:33 +0000 Subject: [PATCH 346/713] Update changed ip addresses --- group_vars/ns.yml | 2 +- group_vars/shell.yml | 2 +- roles/pf/files/pf.conf.gw_home | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/ns.yml b/group_vars/ns.yml index d22952f..5a6101f 100644 --- a/group_vars/ns.yml +++ b/group_vars/ns.yml @@ -1,6 +1,6 @@ --- firewall_in: - - {proto: tcp, port: 22, from: [172.20.20.0/22, 62.78.229.26/32]} + - {proto: tcp, port: 22, from: [172.20.20.0/22, 212.149.248.65/32]} - {proto: tcp, port: 53} - {proto: udp, port: 53} - {proto: tcp, port: 80} diff --git a/group_vars/shell.yml b/group_vars/shell.yml index 55e4a34..f61151a 100644 --- a/group_vars/shell.yml +++ b/group_vars/shell.yml @@ -9,7 +9,7 @@ firewall_in: - {proto: tcp, port: 22} - {proto: tcp, port: 80} - {proto: tcp, port: 443} - - {proto: tcp, port: 9100, from: [62.78.229.26/32]} + - {proto: tcp, port: 9100, from: [212.149.248.65/32]} ssh_hostnames: - shell.foo.sh diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/files/pf.conf.gw_home index 8a91465..8fe7df5 100644 --- a/roles/pf/files/pf.conf.gw_home +++ b/roles/pf/files/pf.conf.gw_home 
@@ -43,7 +43,7 @@ antispoof for vio1 pass in quick on $int_if proto tcp from $int_net to self port ssh pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh -pass in quick on $ext_if proto tcp from 62.78.229.19/32 to self port ssh +pass in quick on $ext_if proto tcp from 89.27.104.10/32 to self port ssh # node_exporter from internal network pass in quick on $int_if proto tcp from $int_net to self port 9100 From 8c042d5ba867d71e10eb60e80ce18bed131f1941 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 27 Nov 2024 15:18:44 +0000 Subject: [PATCH 347/713] ssh_known_hosts: Move under ansible-software repo --- roles/ssh_known_hosts/tasks/main.yml | 8 -------- roles/ssh_known_hosts/templates/ssh_known_hosts.j2 | 5 ----- 2 files changed, 13 deletions(-) delete mode 100644 roles/ssh_known_hosts/tasks/main.yml delete mode 100644 roles/ssh_known_hosts/templates/ssh_known_hosts.j2 diff --git a/roles/ssh_known_hosts/tasks/main.yml b/roles/ssh_known_hosts/tasks/main.yml deleted file mode 100644 index 31acc01..0000000 --- a/roles/ssh_known_hosts/tasks/main.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Create SSH known_hosts - ansible.builtin.template: - dest: /etc/ssh/ssh_known_hosts - src: ssh_known_hosts.j2 - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" diff --git a/roles/ssh_known_hosts/templates/ssh_known_hosts.j2 b/roles/ssh_known_hosts/templates/ssh_known_hosts.j2 deleted file mode 100644 index 6019166..0000000 --- a/roles/ssh_known_hosts/templates/ssh_known_hosts.j2 +++ /dev/null @@ -1,5 +0,0 @@ -{% set keys = lookup('fileglob', '/srv/sshca/ca/*.pub', wantlist=True) %} -{% for key in keys %} -{% set data = lookup('ansible.builtin.file', key) | split() %} -@cert-authority *.foo.sh {{ data[0:2] | join(' ') }} -{% endfor %} From 7e062a95927e57b4f601b2045a3eae514a60da11 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Wed, 27 Nov 2024 15:23:08 +0000 Subject: [PATCH 348/713] Update ansible-software submodule --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index 56a7d07..0929d28 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit 56a7d070924ab4e515020a0422653ffc4ab34131 +Subproject commit 0929d284c80241068902dbc0bef5feaa6e1667f4 From b62ef003925eb0fe4b486faffc4ac1debc9798aa Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 28 Nov 2024 13:18:04 +0000 Subject: [PATCH 349/713] mirror: Update mirror user UID/GID --- roles/mirror/base/tasks/main.yml | 4 ++-- users.md | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/mirror/base/tasks/main.yml b/roles/mirror/base/tasks/main.yml index 66ec50a..ef230e0 100644 --- a/roles/mirror/base/tasks/main.yml +++ b/roles/mirror/base/tasks/main.yml @@ -7,7 +7,7 @@ - name: Create mirror group ansible.builtin.group: name: mirror - gid: 1001 + gid: 309 - name: Create mirror user ansible.builtin.user: @@ -17,7 +17,7 @@ group: mirror home: /var/empty shell: /sbin/nologin - uid: 1001 + uid: 309 - name: Create data directory ansible.builtin.file: diff --git a/users.md b/users.md index 1854978..7e006e4 100644 --- a/users.md +++ b/users.md @@ -14,6 +14,7 @@ entry empty. If only a group is created, leave the user entry empty. | 306 | backup | backup | | | 307 | minecraft | minecraft | | | 308 | certbot | certbot | | +| 309 | mirror | mirror | | | 1001 | mirror | mirror | | | 1003 | collab | collab | | | 1004 | docker | docker | docker registry | From d11b2a17e3717d1a83c486a4d582b95cc3a914df Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 29 Nov 2024 07:24:41 +0000 Subject: [PATCH 350/713] rsyslog: Use FQDN when remote logging is used --- roles/rsyslog/templates/remote.conf.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/rsyslog/templates/remote.conf.j2 b/roles/rsyslog/templates/remote.conf.j2 index f93141b..767b9b5 100644 
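Review bot: The users.md hunk adds the `| 309 | mirror | mirror |` row but leaves the old `| 1001 | mirror | mirror |` row in place, so the table now lists the same account under two ids; drop the 1001 row. As with the earlier certbot change, `ansible.builtin.user` renumbers the account but does not re-own existing data, and the `Create data directory` task below the hunk chowns only the directory itself, so mirrored content already on disk presumably stays owned by 1001 until it is chowned recursively.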
--- a/roles/rsyslog/templates/remote.conf.j2 +++ b/roles/rsyslog/templates/remote.conf.j2 @@ -1,3 +1,6 @@ +# Log with FQDN +global(LocalHostName="{{ inventory_hostname }}") + # Certificates global(DefaultNetstreamDriverCAFile="{{ tls_bundle }}" DefaultNetstreamDriverCertFile="{{ tls_certs }}/{{ inventory_hostname }}.crt" From fff2153a8a738545416b3ff778d5640370f70f45 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 1 Dec 2024 17:10:57 +0000 Subject: [PATCH 351/713] pf: Fix changed ip addresses --- roles/pf/files/pf.conf.gw_home | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/files/pf.conf.gw_home index 8fe7df5..077b457 100644 --- a/roles/pf/files/pf.conf.gw_home +++ b/roles/pf/files/pf.conf.gw_home @@ -39,11 +39,11 @@ antispoof for lo0 antispoof for vio0 antispoof for vio1 -# admin connection (internal, fsol and arc office) +# admin connection (internal, arcsec office, dmz, lan) pass in quick on $int_if proto tcp from $int_net to self port ssh pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh -pass in quick on $ext_if proto tcp from 89.27.104.10/32 to self port ssh +pass in quick on $ext_if proto tcp from 212.149.228.253/32 to self port ssh # node_exporter from internal network pass in quick on $int_if proto tcp from $int_net to self port 9100 From 72de1a5478551631747f577acba96a7f6c972ccc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 2 Dec 2024 21:35:31 +0000 Subject: [PATCH 352/713] lm_sensors: Moved to ansible-software repo --- roles/lm_sensors/handlers/main.yml | 8 -------- roles/lm_sensors/tasks/main.yml | 12 ------------ 2 files changed, 20 deletions(-) delete mode 100644 roles/lm_sensors/handlers/main.yml delete mode 100644 roles/lm_sensors/tasks/main.yml diff --git a/roles/lm_sensors/handlers/main.yml b/roles/lm_sensors/handlers/main.yml deleted file mode 100644 index ea6cb47..0000000 
--- a/roles/lm_sensors/handlers/main.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Run sensors-detect - ansible.builtin.shell: "cat /dev/null | sensors-detect" - -- name: Restart lm_sensors - ansible.builtin.service: - name: lm_sensors - state: restarted diff --git a/roles/lm_sensors/tasks/main.yml b/roles/lm_sensors/tasks/main.yml deleted file mode 100644 index 9231b53..0000000 --- a/roles/lm_sensors/tasks/main.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: Install packages - ansible.builtin.package: - name: lm_sensors - state: installed - notify: Run sensors-detect - -- name: Enable service - ansible.builtin.service: - name: lm_sensors - state: started - enabled: true From 3b1c65ad82e249db1a04842c69472270a536d738 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 2 Dec 2024 21:35:53 +0000 Subject: [PATCH 353/713] Update software subrepo --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index 0929d28..0696900 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit 0929d284c80241068902dbc0bef5feaa6e1667f4 +Subproject commit 069690089424d86455399a8cf2363f8354cd0738 From 205b82f1d832210a88d62f7206ec099290bd498e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 4 Dec 2024 17:13:03 +0000 Subject: [PATCH 354/713] Update software versions --- hosts.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts.yml b/hosts.yml index eff12ed..b8e121b 100644 --- a/hosts.yml +++ b/hosts.yml @@ -85,8 +85,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "11.3.0" - rocketchat_version: "7.0.0" + grafana_version: "11.3.1" + rocketchat_version: "7.1.0" roundcube_version: "1.6.9" print: hosts: @@ -96,7 +96,7 @@ prometheus: prometheus01.home.foo.sh: vars: mysqld_exporter_version: "0.16.0" - nginx_exporter_version: "1.3.0" + nginx_exporter_version: "1.4.0" proxy: hosts: proxy01.home.foo.sh: 
From 770d6a74d3d3b6d602475b11bc8d8c734eae4211 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 6 Dec 2024 10:10:46 +0000 Subject: [PATCH 355/713] mirror: Refactoring sync-mirrors script --- .../files/{sync-mirrors => sync-mirrors.sh} | 93 +++++++++---------- roles/mirror/base/tasks/main.yml | 2 +- 2 files changed, 46 insertions(+), 49 deletions(-) rename roles/mirror/base/files/{sync-mirrors => sync-mirrors.sh} (55%) diff --git a/roles/mirror/base/files/sync-mirrors b/roles/mirror/base/files/sync-mirrors.sh similarity index 55% rename from roles/mirror/base/files/sync-mirrors rename to roles/mirror/base/files/sync-mirrors.sh index ef6100e..609857a 100755 --- a/roles/mirror/base/files/sync-mirrors +++ b/roles/mirror/base/files/sync-mirrors.sh @@ -1,4 +1,7 @@ -#!/bin/bash +#!/bin/sh + +set -eu +umask 022 LOCKFILE="/var/run/sync-mirrors/lockfile" LOGFILE="/var/log/sync-mirrors/sync-mirrors-$(date +%Y%m%d%H%M%S).log" @@ -9,30 +12,35 @@ usage() { echo " $(basename "$0") -l" 1>&2 } -logmsg() { - [ "${VERBOSE}" -eq 1 ] && echo "$1" - echo "$(date '+%Y/%m/%d %H:%M:%S') [$$] $1" >> "${LOGFILE}" +list_mirrors() { + for f in "$CONFDIR"/*.conf ; do + basename "$f" ".conf" + done } -if [ -d ${CONFDIR} ]; then - MIRRORLIST="$(find ${CONFDIR}/ -name \*.conf | while read -r f ; \ - do basename "${f}" | sed -e 's/\.conf$//' ; done)" - if [ "${MIRRORLIST}" = "" ]; then - echo "ERR: No configured mirrors found" 1>&2 - exit 1 - fi -else +logmsg() { + "$VERBOSE" && echo "$1" + echo "$(date '+%Y/%m/%d %H:%M:%S') [$$] $1" >> "$LOGFILE" +} + +logstream() { + while read -r line; do + logmsg "$line" + done +} + +if [ ! -d "$CONFDIR" ]; then echo "ERR: Config directory [${CONFDIR}] missing" 1>&2 exit 1 fi -VERBOSE=0 +VERBOSE=false NOOP="" EXTRA_OPTS="" while getopts "vhln" c ; do case $c in v) - VERBOSE=1 + VERBOSE=true EXTRA_OPTS="${EXTRA_OPTS} -v --progress" ;; h) 
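Review bot: `list_mirrors` prints a literal `*` when `$CONFDIR` holds no `.conf` files, because an unmatched pattern in `for f in "$CONFDIR"/*.conf` is left as-is by POSIX sh, so the `set -- $(list_mirrors)` / `[ $# -eq 0 ]` guard in the argument handling further down never fires and the script goes on to try to source `${CONFDIR}/*.conf`. Skip the unmatched pattern inside the loop, `[ -e "$f" ] || continue`, before the `basename` call; the same line also fixes the `-l` listing. The `find`-based check this replaces did not have that gap.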
@@ -41,9 +49,7 @@ while getopts "vhln" c ; do ;; l) echo "Available mirrors:" - for name in ${MIRRORLIST} ; do - echo " ${name}" - done + list_mirrors | sed -e 's/^/ /' exit 0 ;; n) @@ -59,17 +65,19 @@ done shift "$((OPTIND - 1))" -if [ $# -gt 0 ]; then +if [ $# -eq 0 ]; then + set -- $(list_mirrors) + if [ $# -eq 0 ]; then + echo "ERR: No configured mirrors found" 1>&2 + exit 1 + fi +else for mirror in "$@" ; do if [ ! -f "${CONFDIR}/$1.conf" ]; then echo "ERR: No mirror named [$1]" 1>&2 exit 1 fi - SYNC="${MIRRORS} $1" - shift done -else - SYNC="${MIRRORLIST}" fi if [ "$(whoami)" != "mirror" ]; then 
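Review bot: The validation loop `for mirror in "$@"` still tests `"${CONFDIR}/$1.conf"` and reports `[$1]`, but the `shift` that used to advance `$1` is removed in this hunk, so only the first mirror name is checked (once per argument) and every later argument reaches the `. "${CONFDIR}/${mirror}.conf"` source step unvalidated. Use the loop variable: `if [ ! -f "${CONFDIR}/${mirror}.conf" ]; then` and `echo "ERR: No mirror named [${mirror}]" 1>&2`. Because the per-mirror config is sourced as shell, this existence check is what keeps an arbitrary path argument from being executed, so it deserves a test with two names.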
@@ -77,52 +85,41 @@ if [ "$(whoami)" != "mirror" ]; then exit 1 fi -umask 022 - -if [ -f "${LOCKFILE}" ]; then - if kill -0 "$(cat ${LOCKFILE})" ; then - STARTED=" ($(stat --format='%y' ${LOCKFILE}))" +if [ -f "$LOCKFILE" ]; then + if kill -0 "$(cat $LOCKFILE)" ; then + STARTED=" ($(stat --format='%y' $LOCKFILE))" echo "ERR: Lockfile exists${STARTED}, exiting" 1>&2 exit 1 else echo "WARN: Removing stale lock file..." 1>&2 - rm -f "${LOCKFILE}" + rm -f "$LOCKFILE" fi fi -trap 'rm -f ${LOCKFILE}' INT TERM EXIT -echo "$$" > "${LOCKFILE}" +trap 'rm -f $LOCKFILE' INT TERM EXIT +echo "$$" > "$LOCKFILE" -for mirror in ${SYNC} ; do +for mirror in "$@" ; do POSTCMD="" SRC="" RSYNCOPTS="" + # shellcheck source=/dev/null . "${CONFDIR}/${mirror}.conf" - if [ "${SRC}" = "" ]; then + if [ "$SRC" = "" ]; then echo "ERR: No SRC set for mirror ${mirror} ..." 1>&2 exit 1 fi logmsg "Starting ${mirror} sync${NOOP}..." - rsync -aH -4 ${EXTRA_OPTS} --numeric-ids --delete --delete-delay \ - --delay-updates --no-motd ${RSYNCOPTS} --log-file="${LOGFILE}" \ - --exclude=.~tmp~/ "${SRC}" "/srv/mirrors/${mirror}/" + rsync -aH -4 $EXTRA_OPTS --numeric-ids --delete --delete-delay \ + --delay-updates --no-motd $RSYNCOPTS --log-file="$LOGFILE" \ + --exclude=.~tmp~/ "$SRC" "/srv/mirrors/${mirror}/" STATUS=$? - if [ ${STATUS} -ne 0 ]; then + if [ $STATUS -ne 0 ]; then echo "WARN: Encountered errors on ${mirror} sync, see ${LOGFILE} for details" 1>&2 fi logmsg "Finished ${mirror} sync with exit status ${STATUS}${NOOP} ..." - if [ "${POSTCMD}" != "" ]; then + if [ "$POSTCMD" != "" ]; then logmsg "Running post for ${mirror} ..." - if [ "${VERBOSE}" -eq 1 ]; then - ${POSTCMD} 2>&1 | tee >( \ - awk "{ print strftime(\"%Y/%m/%d %H:%M:%S\") \" [$$] \" \$0 }" \ - >> "${LOGFILE}" ) - else - ${POSTCMD} 2>&1 | \ - awk "{ print strftime(\"%Y/%m/%d %H:%M:%S\") \" [$$] \" \$0 }" \ - >> "${LOGFILE}" - fi + $POSTCMD 2>&1 | logstream logmsg "Finished post for ${mirror} ..." fi done - -rm -f "${LOCKFILE}" 
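Review bot: With the `set -e` added at the top of this script, a non-zero rsync exit now terminates the script before `STATUS=$?` is reached, so the `WARN: Encountered errors` branch and the `Finished ... sync with exit status` log line are unreachable and any remaining mirrors are skipped (the lock is still cleaned up by the trap). Capture the status on the same command list instead: `STATUS=0` before the call and `--exclude=.~tmp~/ "$SRC" "/srv/mirrors/${mirror}/" || STATUS=$?` as its last line. The unquoted `$(cat $LOCKFILE)` and `trap 'rm -f $LOCKFILE'` only work because `LOCKFILE` has no spaces; quoting them would match the rest of the rewrite.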
diff --git a/roles/mirror/base/tasks/main.yml b/roles/mirror/base/tasks/main.yml index ef230e0..c28f54b 100644 --- a/roles/mirror/base/tasks/main.yml +++ b/roles/mirror/base/tasks/main.yml @@ -70,7 +70,7 @@ - name: Copy mirroring script ansible.builtin.copy: dest: /usr/local/bin/sync-mirrors - src: sync-mirrors + src: sync-mirrors.sh mode: "0755" owner: root group: root From 0be436e8b0106e2ff77503cf79281adf0405ddaa Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 6 Dec 2024 10:15:14 +0000 Subject: [PATCH 356/713] mirror: Fix tabs to spaces --- roles/mirror/base/files/sync-mirrors.sh | 32 ++++++++++++------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/roles/mirror/base/files/sync-mirrors.sh b/roles/mirror/base/files/sync-mirrors.sh index 609857a..2dba204 100755 --- a/roles/mirror/base/files/sync-mirrors.sh +++ b/roles/mirror/base/files/sync-mirrors.sh @@ -39,19 +39,19 @@ NOOP="" EXTRA_OPTS="" while getopts "vhln" c ; do case $c in - v) - VERBOSE=true - EXTRA_OPTS="${EXTRA_OPTS} -v --progress" - ;; - h) - usage - exit 1 - ;; - l) - echo "Available mirrors:" - list_mirrors | sed -e 's/^/ /' - exit 0 - ;; + v) + VERBOSE=true + EXTRA_OPTS="${EXTRA_OPTS} -v --progress" + ;; + h) + usage + exit 0 + ;; + l) + echo "Available mirrors:" + list_mirrors | sed -e 's/^/ /' + exit 0 + ;; n) NOOP=" (DRY RUN)" EXTRA_OPTS="${EXTRA_OPTS} -n" @@ -87,11 +87,11 @@ fi if [ -f "$LOCKFILE" ]; then if kill -0 "$(cat $LOCKFILE)" ; then - STARTED=" ($(stat --format='%y' $LOCKFILE))" + STARTED=" ($(stat --format='%y' $LOCKFILE))" echo "ERR: Lockfile exists${STARTED}, exiting" 1>&2 exit 1 else - echo "WARN: Removing stale lock file..." 1>&2 + echo "WARN: Removing stale lock file..." 1>&2 rm -f "$LOCKFILE" fi fi 
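Review bot: The `h)` case in the `getopts` hunk changes `exit 1` to `exit 0`, a behaviour change hidden inside a commit titled "Fix tabs to spaces". It is the right exit status for `-h`, but it belongs in its own commit or at least in the message so that `git blame` explains it; the remaining lines of this patch are indentation only.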
@@ -119,7 +119,7 @@ for mirror in "$@" ; do logmsg "Finished ${mirror} sync with exit status ${STATUS}${NOOP} ..." if [ "$POSTCMD" != "" ]; then logmsg "Running post for ${mirror} ..." - $POSTCMD 2>&1 | logstream + $POSTCMD 2>&1 | logstream logmsg "Finished post for ${mirror} ..." fi done From fb3608fa6ee495c0e8e5e0c28e30de79b19729fa Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 7 Dec 2024 11:44:30 +0000 Subject: [PATCH 357/713] ipsilon: Initial version of role --- roles/ipsilon/handlers/main.yml | 18 +++++ roles/ipsilon/meta/main.yml | 5 ++ roles/ipsilon/tasks/main.yml | 74 +++++++++++++++++++ .../templates/ipsilon-container.service.j2 | 21 ++++++ .../templates/ipsilon-container.sysconfig.j2 | 10 +++ 5 files changed, 128 insertions(+) create mode 100644 roles/ipsilon/handlers/main.yml create mode 100644 roles/ipsilon/meta/main.yml create mode 100644 roles/ipsilon/tasks/main.yml create mode 100644 roles/ipsilon/templates/ipsilon-container.service.j2 create mode 100644 roles/ipsilon/templates/ipsilon-container.sysconfig.j2 diff --git a/roles/ipsilon/handlers/main.yml b/roles/ipsilon/handlers/main.yml new file mode 100644 index 0000000..072010a --- /dev/null +++ b/roles/ipsilon/handlers/main.yml @@ -0,0 +1,18 @@ +--- +- name: Rebuild ipsilon-container + ansible.builtin.command: + argv: + - podman + - build + - -t + - ipsilon + - /usr/local/src/docker-ipsilon + become: true + become_user: ipsilon + notify: Restart ipsilon-container + +- name: Restart ipsilon-container + ansible.builtin.systemd: + name: ipsilon-container + daemon_reload: true + state: restarted diff --git a/roles/ipsilon/meta/main.yml b/roles/ipsilon/meta/main.yml new file mode 100644 index 0000000..b8e2a3e --- /dev/null +++ b/roles/ipsilon/meta/main.yml @@ -0,0 +1,5 @@ +--- +dependencies: + - {role: git} + - {role: nginx} + - {role: podman} diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml new file mode 100644 index 0000000..deadb3d --- /dev/null 
+++ b/roles/ipsilon/tasks/main.yml @@ -0,0 +1,74 @@ +--- +- name: Create group + ansible.builtin.group: + name: ipsilon + +- name: Create user + ansible.builtin.user: + name: ipsilon + comment: Podman Ipsilon + group: ipsilon + shell: /sbin/nologin + +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - ipsilon + creates: /var/lib/systemd/linger/ipsilon + +- name: Copy host key + ansible.builtin.copy: + dest: "{{ tls_private }}/ipsilon.key" + src: "{{ tls_private }}/{{ inventory_hostname }}.key" + mode: "0640" + owner: root + group: ipsilon + remote_src: true + +- name: Get container source + ansible.builtin.git: + dest: /usr/local/src/docker-ipsilon + repo: https://github.com/foo-sh/docker-ipsilon.git + update: true + version: master + notify: Rebuild ipsilon-container + +- name: Create service file + ansible.builtin.template: + dest: /etc/systemd/system/ipsilon-container.service + src: ipsilon-container.service.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart ipsilon-container + +- name: Create service config + ansible.builtin.template: + dest: /etc/sysconfig/ipsilon-container + src: ipsilon-container.sysconfig.j2 + mode: "0600" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart ipsilon-container + +- name: Enable service + ansible.builtin.service: + name: ipsilon-container + state: started + enabled: true + +- name: Copy nginx config + ansible.builtin.copy: + dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/ipsilon-container.conf" + content: | + location /ipsilon { + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host idp.foo.sh; + proxy_pass http://127.0.0.1:8011/; + } + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart nginx diff --git a/roles/ipsilon/templates/ipsilon-container.service.j2 b/roles/ipsilon/templates/ipsilon-container.service.j2 new file mode 100644 index 0000000..0560343 --- /dev/null 
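Review bot: The `Get container source` task tracks `version: master` with `update: true` and notifies `Rebuild ipsilon-container`, so every playbook run rebuilds the identity-provider image from whatever the remote branch head happens to be, with no commit pin or checksum between the upstream repository and the running IdP. Pin to an immutable ref, `version: "<commit-sha-or-tag>"`, and bump it deliberately; if tracking the branch is intended, state that in a comment on the task. The `Copy nginx config` block also hard-codes `X-Forwarded-Host idp.foo.sh`, duplicating the `nginx_site_name` set in `playbooks/proxy.yml` later on this page, so the two will drift silently if the vhost is ever renamed.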
+++ b/roles/ipsilon/templates/ipsilon-container.service.j2 @@ -0,0 +1,21 @@ +[Unit] +Description=Ipsilon Container +Wants=network-online.target +After=network-online.target + +[Service] +User=ipsilon +EnvironmentFile=/etc/sysconfig/ipsilon-container +ExecStart=/usr/bin/podman run \ + --rm -p 127.0.0.1:8011:80 \ + --name ipsilon \ + --env LDAP_* --env IPSILON_*\ + --volume={{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \ + --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \ + --volume={{ tls_private }}/ipsilon.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \ + ipsilon:latest +ExecStop=/usr/bin/podman stop --ignore ipsilon +ExecStopPost=/usr/bin/podman rm -f --ignore ipsilon + +[Install] +WantedBy=multi-user.target diff --git a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 new file mode 100644 index 0000000..6d0b562 --- /dev/null +++ b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 @@ -0,0 +1,10 @@ +LDAP_BASEDN="{{ ldap_basedn }}" +IPSILON_DB_USER="ipsilon" +IPSILON_DB_PASS="jFmMGUXsQgOuW9FE5ABX" +IPSILON_DB_HOST="sqldb02.home.foo.sh" +IPSILON_DB_USERPREFS="ipsilon" +IPSILON_DB_TRANSACTIONS="ipsilon" +IPSILON_DB_SESSIONS="ipsilon" +IPSILON_DB_CA="/etc/ssl/certs/ca.crt" +IPSILON_DB_KEY="/etc/ssl/private/{{ inventory_hostname }}.key" +IPSILON_DB_CERT="/etc/ssl/certs/{{ inventory_hostname}}.crt" From 215823b6b2087e245899ae8a817d35cfcaeaccb0 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 7 Dec 2024 11:45:17 +0000 Subject: [PATCH 358/713] Add ipsilon vhost and related services --- playbooks/oci-node.yml | 1 + playbooks/proxy.yml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/playbooks/oci-node.yml b/playbooks/oci-node.yml index 2c70ab9..d67e62f 100644 --- a/playbooks/oci-node.yml +++ b/playbooks/oci-node.yml @@ -28,6 +28,7 @@ - base - authcheck - grafana + - ipsilon - kdc - roundcube - role: php4dvd 
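Review bot: `IPSILON_DB_PASS` carries a literal database password in a template committed to the repository, so the credential is in git history regardless of the `0600` mode the task applies on the host. Replace it with a vaulted variable, `IPSILON_DB_PASS="{{ ipsilon_db_pass }}"`, and rotate the database account since the old value has been published; patch 369 further down this page edits the same file and keeps the literal. `{{ inventory_hostname}}` on the last line is also missing the space before `}}`, which Jinja accepts but is inconsistent with the other lines.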
diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index 65ce5e3..3d03d9a 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -70,6 +70,9 @@ nginx_site_proxy: - https://oci-node01.home.foo.sh - https://oci-node02.home.foo.sh + - role: nginx_site + nginx_site_name: idp.foo.sh + nginx_site_proxy: https://oci-node01.home.foo.sh/ipsilon/ - role: nginx_site nginx_site_name: influxdb.foo.sh nginx_site_proxy: https://influxdb01.home.foo.sh/ From 54775e72e90558b9d9e11d7e63077ba2f8b268eb Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 7 Dec 2024 11:45:53 +0000 Subject: [PATCH 359/713] ipsilon: Reserve port for container --- container-ports.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container-ports.md b/container-ports.md index 39a8bec..7c6aa6e 100644 --- a/container-ports.md +++ b/container-ports.md @@ -11,4 +11,4 @@ | 8007 | frigate | Network video recorder | | 8008 | hoemeassistant | Home Assistant | | 8009 | rocketchat | Rocket.Chat | -| 8010 | google-spell-pspell | Google Spell Check XML API | +| 8011 | ipsilon | Ipsilon Identity Provider | From afdec531ddbeb52f08a83f4d541dd140b5ede391 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 7 Dec 2024 11:47:54 +0000 Subject: [PATCH 360/713] Revert "ipsilon: Reserve port for container" This reverts commit 54775e72e90558b9d9e11d7e63077ba2f8b268eb. --- container-ports.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container-ports.md b/container-ports.md index 7c6aa6e..39a8bec 100644 --- a/container-ports.md +++ b/container-ports.md @@ -11,4 +11,4 @@ | 8007 | frigate | Network video recorder | | 8008 | hoemeassistant | Home Assistant | | 8009 | rocketchat | Rocket.Chat | -| 8011 | ipsilon | Ipsilon Identity Provider | +| 8010 | google-spell-pspell | Google Spell Check XML API | From 58c7f89448aa56dd1b6103687da9169933fe54c0 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sat, 7 Dec 2024 11:48:13 +0000 Subject: [PATCH 361/713] Reserve port for ipsilon container --- container-ports.md | 1 + 1 file changed, 1 insertion(+) diff --git a/container-ports.md b/container-ports.md index 39a8bec..30b7205 100644 --- a/container-ports.md +++ b/container-ports.md @@ -12,3 +12,4 @@ | 8008 | hoemeassistant | Home Assistant | | 8009 | rocketchat | Rocket.Chat | | 8010 | google-spell-pspell | Google Spell Check XML API | +| 8011 | ipsilon | Ipsilon Identity Provider | From 0c06d1b6517d7832382b4cf07e1b4c615da95cec Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 7 Dec 2024 11:49:04 +0000 Subject: [PATCH 362/713] Remove old mirror user --- users.md | 1 - 1 file changed, 1 deletion(-) diff --git a/users.md b/users.md index 7e006e4..dfd38ea 100644 --- a/users.md +++ b/users.md @@ -15,6 +15,5 @@ entry empty. If only a group is created, leave the user entry empty. | 307 | minecraft | minecraft | | | 308 | certbot | certbot | | | 309 | mirror | mirror | | -| 1001 | mirror | mirror | | | 1003 | collab | collab | | | 1004 | docker | docker | docker registry | From 11ddc0397a0a14f65bfdacd1d4ddba375c7a3997 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 7 Dec 2024 14:04:59 +0000 Subject: [PATCH 363/713] Increase oci-node memory and disk --- group_vars/ocinode.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/ocinode.yml b/group_vars/ocinode.yml index 7f06eb1..d66dfb6 100644 --- a/group_vars/ocinode.yml +++ b/group_vars/ocinode.yml @@ -1,8 +1,8 @@ --- # increase memory size -mem_size: 4096 +mem_size: 8192 # increase disk size to store docker images -dsk_size: 50 +dsk_size: 100 firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} From 6e72234b1db96440c58f662736848982c7dd734d Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sat, 7 Dec 2024 15:24:41 +0000 Subject: [PATCH 364/713] nginx_site: Add load balance method config option --- roles/nginx_site/templates/site.conf.j2 | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 index a967023..13a3ec7 100644 --- a/roles/nginx_site/templates/site.conf.j2 +++ b/roles/nginx_site/templates/site.conf.j2 @@ -1,13 +1,16 @@ {% if nginx_site_proxy is defined and nginx_site_proxy is not string %} upstream {{ nginx_site_name }} { -{% for item in nginx_site_proxy %} -{% set item = item | regex_replace("^(https://)?([^/]*).*$", "\\2") %} -{% if item | regex_search(".*:[0-9]+$") %} +{% if nginx_site_load_balance_method is defined %} + {{ nginx_site_load_balance_method }}; +{% endif %} +{% for item in nginx_site_proxy %} +{% set item = item | regex_replace("^(https://)?([^/]*).*$", "\\2") %} +{% if item | regex_search(".*:[0-9]+$") %} server {{ item }}; -{% else %} +{% else %} server {{ item }}:443; -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} } {% endif %} server { From 4775bb8947896e47a014cbee2e1b62f06924e4cb Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 7 Dec 2024 15:25:10 +0000 Subject: [PATCH 365/713] Use session persistence for webmail backends --- playbooks/proxy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index 3d03d9a..89f7a53 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -107,6 +107,7 @@ - https://sane02.home.foo.sh/scanservjs/ - role: nginx_site nginx_site_name: webmail.foo.sh + nginx_site_load_balance_method: ip_hash nginx_site_proxy: - https://oci-node01.home.foo.sh/roundcube/ - https://oci-node02.home.foo.sh/roundcube/ From b1d5d2c7f2b2477e375a9776cd325bf6924dd004 Mon Sep 17 00:00:00 2001 
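Review bot: `{{ nginx_site_load_balance_method }}` is rendered verbatim as a directive inside the `upstream` block, so whatever value reaches this variable becomes nginx configuration with nothing in the template checking it. Because some methods take arguments (`hash ... consistent`), a fixed allow-list may be too narrow, but an `ansible.builtin.assert` in the role tasks that the value matches, for example, `^(ip_hash|least_conn|random( two)?|hash .+)$` would catch typos and stray input before a failed reload. Separately, indenting the `{% for %}`/`{% if %}` tags by two spaces will, I believe, leave that whitespace in the rendered file unless `lstrip_blocks` is enabled; the previous column-0 placement avoided that.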
From: Timo Makinen Date: Sat, 7 Dec 2024 15:56:59 +0000 Subject: [PATCH 366/713] collab: Change collab user uid/gid --- roles/collab/tasks/main.yml | 4 ++-- users.md | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/collab/tasks/main.yml b/roles/collab/tasks/main.yml index 6de89a0..b3df48d 100644 --- a/roles/collab/tasks/main.yml +++ b/roles/collab/tasks/main.yml @@ -99,13 +99,13 @@ - name: Create group collab ansible.builtin.group: name: collab - gid: 1003 + gid: 310 - name: Create user collab ansible.builtin.user: name: collab comment: Service Collab - uid: 1003 + uid: 310 group: collab home: /var/lib/collab shell: /sbin/nologin diff --git a/users.md b/users.md index dfd38ea..0b8fc08 100644 --- a/users.md +++ b/users.md @@ -15,5 +15,6 @@ entry empty. If only a group is created, leave the user entry empty. | 307 | minecraft | minecraft | | | 308 | certbot | certbot | | | 309 | mirror | mirror | | +| 310 | collab | collab | | | 1003 | collab | collab | | | 1004 | docker | docker | docker registry | From 381a7bd2269f843d81638ddfe4d87c5c77037c10 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 7 Dec 2024 15:57:29 +0000 Subject: [PATCH 367/713] Remove old collab user --- users.md | 1 - 1 file changed, 1 deletion(-) diff --git a/users.md b/users.md index 0b8fc08..fdc2aa7 100644 --- a/users.md +++ b/users.md @@ -16,5 +16,4 @@ entry empty. If only a group is created, leave the user entry empty. | 308 | certbot | certbot | | | 309 | mirror | mirror | | | 310 | collab | collab | | -| 1003 | collab | collab | | | 1004 | docker | docker | docker registry | From 856f5b286ca4099f309cc22268f48911be227246 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 7 Dec 2024 15:59:12 +0000 Subject: [PATCH 368/713] docker_distribution Change service user uid/gid --- roles/docker_distribution/tasks/main.yml | 4 ++-- users.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/roles/docker_distribution/tasks/main.yml b/roles/docker_distribution/tasks/main.yml index a224c13..cf85697 100644 --- a/roles/docker_distribution/tasks/main.yml +++ b/roles/docker_distribution/tasks/main.yml @@ -7,7 +7,7 @@ - name: Create docker group ansible.builtin.group: name: docker - gid: 1004 + gid: 311 - name: Create docker user ansible.builtin.user: @@ -18,7 +18,7 @@ groups: hostkey home: /var/empty shell: /sbin/nologin - uid: 1004 + uid: 311 - name: Create unit file drop-in directory ansible.builtin.file: diff --git a/users.md b/users.md index fdc2aa7..132c84e 100644 --- a/users.md +++ b/users.md @@ -16,4 +16,4 @@ entry empty. If only a group is created, leave the user entry empty. | 308 | certbot | certbot | | | 309 | mirror | mirror | | | 310 | collab | collab | | -| 1004 | docker | docker | docker registry | +| 311 | docker | docker | docker registry | From 2bf1320e3c6d59ab5b6660350da212d0a82fdfc1 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 8 Dec 2024 09:50:59 +0000 Subject: [PATCH 369/713] ipsilon: Use default database names --- roles/ipsilon/templates/ipsilon-container.sysconfig.j2 | 3 --- 1 file changed, 3 deletions(-) diff --git a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 index 6d0b562..fcfb7a5 100644 --- a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 +++ b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 @@ -2,9 +2,6 @@ LDAP_BASEDN="{{ ldap_basedn }}" IPSILON_DB_USER="ipsilon" IPSILON_DB_PASS="jFmMGUXsQgOuW9FE5ABX" IPSILON_DB_HOST="sqldb02.home.foo.sh" -IPSILON_DB_USERPREFS="ipsilon" -IPSILON_DB_TRANSACTIONS="ipsilon" -IPSILON_DB_SESSIONS="ipsilon" IPSILON_DB_CA="/etc/ssl/certs/ca.crt" IPSILON_DB_KEY="/etc/ssl/private/{{ inventory_hostname }}.key" IPSILON_DB_CERT="/etc/ssl/certs/{{ inventory_hostname}}.crt" From e5e2604a68dfb05e8c26829c76df28b04dccd472 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Mon, 9 Dec 2024 22:45:00 +0000 Subject: [PATCH 370/713] docker: No need to set max user namespaces --- roles/docker/tasks/main.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index a831262..cc4b9b1 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -12,12 +12,6 @@ name: docker-ce state: installed -- name: Enable user namespaces - ansible.posix.sysctl: - name: user.max_user_namespaces - value: "10240" - sysctl_file: /etc/sysctl.d/00-docker.conf - - name: Create config directory ansible.builtin.file: path: /etc/docker From ac765ed6f267cc69c9aa09ba86a381d33c433a9b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 12 Dec 2024 07:12:49 +0000 Subject: [PATCH 371/713] Update gitea to latest version --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index b8e121b..057dbc6 100644 --- a/hosts.yml +++ b/hosts.yml @@ -26,7 +26,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.22.4" + gitea_version: "1.22.5" gitearunner: hosts: gitea-runner02.home.foo.sh: From 2f6ca52acd73d2acfb4cf94daab13cced75c7c2c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 13 Dec 2024 09:40:36 +0000 Subject: [PATCH 372/713] Update gitea (security fix) --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 057dbc6..a627b9a 100644 --- a/hosts.yml +++ b/hosts.yml @@ -26,7 +26,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.22.5" + gitea_version: "1.22.6" gitearunner: hosts: gitea-runner02.home.foo.sh: From 8a3e283c27b72f057e6e5041b47126f2f89f845f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Dec 2024 13:48:18 +0000 Subject: [PATCH 373/713] scanservjs: Allow service to connect host --- roles/scanservjs/templates/scanservjs-container.service.j2 | 1 + 1 file changed, 1 insertion(+) 
diff --git a/roles/scanservjs/templates/scanservjs-container.service.j2 b/roles/scanservjs/templates/scanservjs-container.service.j2 index 50f1306..157cb4f 100644 --- a/roles/scanservjs/templates/scanservjs-container.service.j2 +++ b/roles/scanservjs/templates/scanservjs-container.service.j2 @@ -8,6 +8,7 @@ User=scanserv ExecStartPre=/usr/bin/podman pull docker.io/sbs20/scanservjs:{{ scanservjs_version }} ExecStart=/usr/bin/podman run \ --rm -p 127.0.0.1:8006:8080 \ + --network slirp4netns:allow_host_loopback=true \ --env "SANED_NET_HOSTS={{ inventory_hostname }}" \ --name scanservjs \ docker.io/sbs20/scanservjs:{{ scanservjs_version }} From 7089f389997032072da02188146557ceb2c2ea5b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Dec 2024 21:24:28 +0000 Subject: [PATCH 374/713] cups_server: Fix authentication and authorization --- roles/cups_server/tasks/main.yml | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/roles/cups_server/tasks/main.yml b/roles/cups_server/tasks/main.yml index 5b98c24..9b4bcc3 100644 --- a/roles/cups_server/tasks/main.yml +++ b/roles/cups_server/tasks/main.yml @@ -15,7 +15,9 @@ - name: Configure cups keytab location ansible.builtin.copy: dest: /etc/systemd/system/cups.service.d/keytab.conf - content: "[Service]\nEnvironment=KRB5_KTNAME=FILE:/etc/cups/cups.keytab\n" + content: | + [Service] + Environment=KRB5_KTNAME=FILE:/etc/cups/cups.keytab mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -38,7 +40,7 @@ ansible.builtin.lineinfile: path: /etc/cups/cupsd.conf line: "SSLListen 631" - insertafter: "Listen /var/run/cups/cups.sock" + insertafter: "^Listen .*.sock" notify: Restart cups - name: Require tls 1.3 
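Review bot: `--network slirp4netns:allow_host_loopback=true` gives the container a route to every service bound on the host's 127.0.0.1, not only the saned instance named by `SANED_NET_HOSTS`, and on this page that includes the other podman containers published on `127.0.0.1:80xx` which rely on that binding for isolation. If saned can listen on a host address reachable without host loopback, that is the narrower option; otherwise add a comment on the line, e.g. `# host loopback exposed on purpose: saned on the host is only reachable via 127.0.0.1`, so the setting is not copied into other units that do not need it.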
@@ -94,10 +96,18 @@ - name: Disable unauthenticated access from cups ansible.builtin.blockinfile: path: /etc/cups/cupsd.conf - insertafter: "^" - block: | - AuthType Default - Require user @foosh + marker: "{mark}" + marker_begin: "" + marker_end: "" + block: |2 + AuthType Default + Require group foosh + Order deny,allow + + + AuthType Default + Require group sysadm + Order deny,allow notify: Restart cups - name: Configure cups admin group From 31473548e1fb491b84f80a39d6f061c09e135640 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Dec 2024 21:36:12 +0000 Subject: [PATCH 375/713] dovecot: Update TLS configurations --- roles/dovecot/templates/local.conf.j2 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/dovecot/templates/local.conf.j2 b/roles/dovecot/templates/local.conf.j2 index 51ce026..6276c88 100644 --- a/roles/dovecot/templates/local.conf.j2 +++ b/roles/dovecot/templates/local.conf.j2 @@ -1,5 +1,5 @@ -# generated 2024-02-14, Mozilla Guideline v5.7, Dovecot 2.3.16, OpenSSL 1.1.1, modern configuration -# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.16&config=modern&openssl=1.1.1&guideline=5.7 +# generated 2024-12-15, Mozilla Guideline v5.7, Dovecot 2.3.16, OpenSSL 3.2.2, modern config +# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.16&config=modern&openssl=3.2.2&guideline=5.7 ssl = required ssl_cert = <{{ tls_certs }}/{{ mail_server }}-fullchain.crt @@ -7,6 +7,7 @@ ssl_key = <{{ tls_private }}/{{ mail_server }}.key ssl_min_protocol = TLSv1.3 ssl_prefer_server_ciphers = no +ssl_curve_list = X25519:prime256v1:secp384r1 # kerberos auth_gssapi_hostname = "$ALL" From a64d1b0fa7dda959528ad2d4cf497ca40092bd7d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Dec 2024 21:40:55 +0000 Subject: [PATCH 376/713] mariadb: Require TLSv3 connections --- roles/mariadb/templates/tls.cnf.j2 | 1 + 1 file changed, 1 insertion(+) 
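Review bot: Setting `marker_begin: ""` and `marker_end: ""` turns both blockinfile markers into an empty line, so the module has no unique begin/end marker with which to find its own block on later runs and may take pre-existing blank lines in cupsd.conf as the block boundaries and replace whatever lies between them; I cannot confirm the exact behaviour without running it, but it is outside what blockinfile documents. cupsd.conf accepts `#` comments, so the default markers can stay, or `marker: "# {mark} ANSIBLE MANAGED BLOCK: cups auth"` if a distinct name is wanted. The block as rendered here shows only `AuthType`/`Require`/`Order` lines with no enclosing `<Location ...>` directives, which looks like lost markup in this rendering — verify the committed file against the intended cupsd.conf syntax.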
diff --git a/roles/mariadb/templates/tls.cnf.j2 b/roles/mariadb/templates/tls.cnf.j2 index e193b3f..7aebd43 100644 --- a/roles/mariadb/templates/tls.cnf.j2 +++ b/roles/mariadb/templates/tls.cnf.j2 @@ -2,3 +2,4 @@ ssl-cert = {{ tls_certs }}/{{ inventory_hostname }}.crt ssl-key = {{ tls_private }}/{{ inventory_hostname }}.key ssl-ca = {{ tls_certs }}/ca.crt +tls_version = TLSv1.3 From da76cec8622227a683f2fbdc632e565d68add0a2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Dec 2024 22:36:45 +0000 Subject: [PATCH 377/713] Fix install ordering --- playbooks/print.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/playbooks/print.yml b/playbooks/print.yml index baa33c8..6b5e6d1 100644 --- a/playbooks/print.yml +++ b/playbooks/print.yml @@ -18,6 +18,10 @@ - mkhomedir tasks: + - name: Install unbound role + ansible.builtin.import_role: + name: unbound + - name: Run handlers to get interfaces configured ansible.builtin.meta: flush_handlers @@ -25,10 +29,6 @@ ansible.builtin.import_role: name: dhcpd - - name: Install unbound role - ansible.builtin.import_role: - name: unbound - - name: Install cups_server role ansible.builtin.import_role: name: cups_server From 6b24643f62faf209ef87599c72d568efae9cc3c6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Dec 2024 23:28:44 +0000 Subject: [PATCH 378/713] mariadb: Fix yaml lint errors --- roles/mariadb/meta/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/mariadb/meta/main.yml b/roles/mariadb/meta/main.yml index 683bc95..f178512 100644 --- a/roles/mariadb/meta/main.yml +++ b/roles/mariadb/meta/main.yml @@ -1,4 +1,3 @@ --- dependencies: - {role: backup_base} - From ab066a81b76d58cb2b2764932ae57228c77fdbf5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Dec 2024 23:30:24 +0000 Subject: [PATCH 379/713] mongodb: Fix yamllint tests --- roles/mongodb/meta/main.yml | 1 - 1 file changed, 1 deletion(-) 
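Review bot: `tls_version = TLSv1.3` pins the protocol version for clients that negotiate TLS but does not by itself refuse unencrypted connections; unless `require_secure_transport` is set elsewhere (line 1 of this file is outside the hunk), plaintext clients are still accepted, which is narrower than the commit title "Require TLSv3 connections" suggests. If rejecting plaintext is the intent, add `require_secure_transport = ON` next to this line; otherwise a comment `# TLS 1.3 only for TLS clients; plaintext connections still allowed` records the actual behaviour. The title's "TLSv3" reads as a typo for TLS 1.3.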
diff --git a/roles/mongodb/meta/main.yml b/roles/mongodb/meta/main.yml index 683bc95..f178512 100644 --- a/roles/mongodb/meta/main.yml +++ b/roles/mongodb/meta/main.yml @@ -1,4 +1,3 @@ --- dependencies: - {role: backup_base} - From e630255364f26950d8eea45f35864a8850e7f306 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 16 Dec 2024 23:09:52 +0000 Subject: [PATCH 380/713] sshca: Fix incorrect path --- roles/sshca/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/sshca/tasks/main.yml b/roles/sshca/tasks/main.yml index 403c94a..2a604b6 100644 --- a/roles/sshca/tasks/main.yml +++ b/roles/sshca/tasks/main.yml @@ -12,7 +12,7 @@ - name: Create CA directory ansible.builtin.file: - path: "/export/ssh/ca" + path: "/export/sshca/ca" state: directory mode: "0700" owner: root From 5f38645fee53599b4a1f65b2b8c81d1d6f7224fb Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 16 Dec 2024 23:10:14 +0000 Subject: [PATCH 381/713] sshca: Add genkey.sh script --- roles/sshca/files/genkey.sh | 28 ++++++++++++++++++++++++++++ roles/sshca/tasks/main.yml | 8 ++++++++ 2 files changed, 36 insertions(+) create mode 100755 roles/sshca/files/genkey.sh diff --git a/roles/sshca/files/genkey.sh b/roles/sshca/files/genkey.sh new file mode 100755 index 0000000..29bd3ed --- /dev/null +++ b/roles/sshca/files/genkey.sh @@ -0,0 +1,28 @@ +#!/bin/sh + +set -eu + +if [ $# -ne 1 ]; then + echo "Usage: $(basename "$0") " 1>&2 + exit +fi + +cd /srv/sshca/ca + +year="$1" +if [ "$year" -eq "$year" ] 2> /dev/null; then + if [ "$year" -lt "$(date +%Y)" ]; then + echo "ERROR: Invalid year \"${year}\", time in the past" 1>&2 + exit 1 + fi +else + echo "ERROR: Invalid year \"${year}\"" 1>&2 + exit 1 +fi + +if [ -f "ca.${year}" ]; then + echo "ERROR: Key \"${year}\" already exists" 1>&2 + exit 1 +fi + +ssh-keygen -t ed25519 -f "/srv/sshca/ca/ca.${year}" -C "foo.sh - SSH CA ${year}" 
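Review bot: In the usage branch of genkey.sh, `exit` is called without a status, so running the script with the wrong number of arguments prints the usage text and exits 0; it should be `exit 1` like the other error paths. The usage string appears in this rendering as `Usage: $(basename "$0") ` with nothing after the script name, which looks like a lost `<year>` placeholder — verify the committed file. A header comment stating that the key is created as `ca.<year>` under /srv/sshca/ca and that ssh-keygen will prompt for a passphrase (no `-N` is passed) would help operators rotating the CA each year.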
diff --git a/roles/sshca/tasks/main.yml b/roles/sshca/tasks/main.yml index 2a604b6..d55c742 100644 --- a/roles/sshca/tasks/main.yml +++ b/roles/sshca/tasks/main.yml @@ -27,6 +27,14 @@ group: "{{ ansible_wheel }}" follow: false +- name: Copy key generation script + ansible.builtin.copy: + dest: /srv/sshca/ca/genkey.sh + src: genkey.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + - name: Copy signing script ansible.builtin.copy: dest: /srv/sshca/signcert.sh From f4cc662c1a123b949c545a8a3bed5df0492c9cbd Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 16 Dec 2024 23:17:32 +0000 Subject: [PATCH 382/713] Update software subrepo --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index 0696900..bbe8e4f 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit 069690089424d86455399a8cf2363f8354cd0738 +Subproject commit bbe8e4f819fd748e41ff1938fc7ae0c20aa3d33b From ba7086f3b17920bc277f6cca463a105f0c1e71d3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 16 Dec 2024 23:42:08 +0000 Subject: [PATCH 383/713] sshd_cert: Use correct CA cert for signing --- roles/sshd_cert/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/sshd_cert/tasks/main.yml b/roles/sshd_cert/tasks/main.yml index 8d5e841..30e52c5 100644 --- a/roles/sshd_cert/tasks/main.yml +++ b/roles/sshd_cert/tasks/main.yml @@ -23,12 +23,12 @@ delegate_to: localhost register: sshd_cert_status -- name: Sign key +- name: Sign certificate ansible.builtin.command: argv: - ssh-keygen - -s - - /srv/sshca/ca/ca + - "/srv/sshca/ca/ca.{{ ansible_date_time['year'] }}" - -I - "{{ inventory_hostname }}" - -h From 70629e547e92e411542efaafc8e941d51c24ce71 Mon Sep 17 00:00:00 2001 
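Review bot: Selecting the signing key with `ansible_date_time['year']` ties every run to the wall clock of the host whose facts are used, so on 1 January signing fails until `genkey.sh` has produced `ca.<year>`, and host certificates issued by the new key are only accepted once the `@cert-authority` entries in clients' known_hosts include it; none of that is visible here, so it may be handled elsewhere. Making the year a variable with this expression as its default, `- "/srv/sshca/ca/ca.{{ sshca_key_year | default(ansible_date_time['year']) }}"`, gives an explicit override while a new key is being rolled out. The task's remaining argv entries continue outside the hunk.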
From: Timo Makinen Date: Mon, 16 Dec 2024 23:50:28 +0000 Subject: [PATCH 384/713] sshca: Remove unused signcert script --- roles/sshca/files/signcert.sh | 26 -------------------------- roles/sshca/tasks/main.yml | 8 -------- 2 files changed, 34 deletions(-) delete mode 100755 roles/sshca/files/signcert.sh diff --git a/roles/sshca/files/signcert.sh b/roles/sshca/files/signcert.sh deleted file mode 100755 index 3d237dd..0000000 --- a/roles/sshca/files/signcert.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/sh - -set -eu - -umask 022 - -if [ $# -ne 1 ]; then - echo "Usage: $(basename "$0") " 1>&2 - exit 1 -fi - -_basedir="/srv/sshca" -_name="$1" - -if ! echo "$_name" | grep -Eq '.foo.sh$'; then - echo "ERROR: Only '*.foo.sh' certificates are allowed" 1>&2 - exit 1 -fi - -if [ ! -f "/srv/ansible/facts/${_name}" ]; then - echo "ERROR: Cannot find host '${_name}'" 1>&2 - exit 1 -fi - -ssh-keygen -s "${_basedir}/ca/ca" -I "$_name" -n "$_name" -V -5m:+365d -h \ - "${_basedir}/pubkeys/${_name}.pub" diff --git a/roles/sshca/tasks/main.yml b/roles/sshca/tasks/main.yml index d55c742..41edb8b 100644 --- a/roles/sshca/tasks/main.yml +++ b/roles/sshca/tasks/main.yml @@ -34,11 +34,3 @@ mode: "0755" owner: root group: "{{ ansible_wheel }}" - -- name: Copy signing script - ansible.builtin.copy: - dest: /srv/sshca/signcert.sh - src: signcert.sh - mode: "0755" - owner: root - group: "{{ ansible_wheel }}" From e9752c560a7f66c5dd093b5ec57062f7058f283f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 00:23:31 +0000 Subject: [PATCH 385/713] kvm_host: Add script for checking orphaned vm data --- roles/kvm_host/files/check-orphaned-vm.sh | 24 +++++++++++++++++++++++ roles/kvm_host/tasks/main.yml | 15 ++++++++++++++ 2 files changed, 39 insertions(+) create mode 100755 roles/kvm_host/files/check-orphaned-vm.sh diff --git a/roles/kvm_host/files/check-orphaned-vm.sh b/roles/kvm_host/files/check-orphaned-vm.sh new file mode 100755 index 0000000..43954e1 --- /dev/null 
+++ b/roles/kvm_host/files/check-orphaned-vm.sh @@ -0,0 +1,24 @@ +#!/bin/sh + +set -eu + +# check that all vm's are in ldap +virsh list --all --name | while read -r vm ; do + [ "$vm" = "" ] && continue + if ! ldapsearch -LLL "(&(cn=${vm})(objectClass=device))" dn 2> /dev/null | \ + grep -qE "^dn: cn=${vm},ou=Hosts," + then + echo "WARNING: Host \"${vm}\" registered in KVM but not in LDAP" 1>62 + fi +done + +# check that all disks have owner +for dir in /srv/libvirt/{hdd,nvme,os,ssd} ; do + [ -d "$dir" ] || continue + find "$dir" -name \*.img | while read -r image ; do + vm="$(basename "$image" ".img" | sed -e 's/\.[a-z]$//')" + if ! virsh dominfo "$vm" > /dev/null 2>&1 ; then + echo "WARNING: Orphaned disk image \"${image}\" found" 1>&2 + fi + done +done diff --git a/roles/kvm_host/tasks/main.yml b/roles/kvm_host/tasks/main.yml index 6ed94d4..78ea78e 100644 --- a/roles/kvm_host/tasks/main.yml +++ b/roles/kvm_host/tasks/main.yml @@ -53,3 +53,18 @@ name: libvirtd state: started enabled: true + +- name: Install script for checking orphaned vm's + ansible.builtin.copy: + dest: /usr/local/bin/check-orphaned-vm + src: check-orphaned-vm.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Add cronjob to check orphaned vm's + ansible.builtin.cron: + name: check-orphaned-vm + hour: "5" + minute: "5" + job: /usr/local/bin/check-orphaned-vm From e51363ed8a0dd466e9102d8a97016f280832ceed Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 00:24:41 +0000 Subject: [PATCH 386/713] kvm_host: Add LDAP client as dependency --- roles/kvm_host/meta/main.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 roles/kvm_host/meta/main.yml diff --git a/roles/kvm_host/meta/main.yml b/roles/kvm_host/meta/main.yml new file mode 100644 index 0000000..d2f9d51 --- /dev/null +++ b/roles/kvm_host/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: ldap} From 050eee3f235888ebc7d691e27be3dbea477270dd Mon Sep 17 00:00:00 2001 
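Review bot: The LDAP warning line redirects with `1>62`, which writes the message into a file named `62` in the cron job's working directory instead of to stderr; it should read `echo "WARNING: Host \"${vm}\" registered in KVM but not in LDAP" 1>&2`, as the second warning does. The `for dir in /srv/libvirt/{hdd,nvme,os,ssd}` line relies on brace expansion, which `#!/bin/sh` does not guarantee (dash leaves the braces literal and the loop then checks nothing), so spell out the four paths or change the shebang to bash. The VM name is interpolated unescaped into both the `ldapsearch` filter and the `grep -E` pattern; names are admin-controlled here, but a comment stating that assumption would help.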
From: Timo Makinen Date: Tue, 17 Dec 2024 15:46:56 +0000 Subject: [PATCH 387/713] base: More el7 cleanups mainly yum -> dnf --- roles/base/tasks/RedHat.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml index 992c088..a8b8ac4 100644 --- a/roles/base/tasks/RedHat.yml +++ b/roles/base/tasks/RedHat.yml @@ -103,7 +103,7 @@ when: - ansible_virtualization_role == "host" -- name: Install el7/el8 packages +- name: Install packages (el8 and older) ansible.builtin.package: name: "{{ item }}" state: installed @@ -111,7 +111,7 @@ - mailx when: ansible_distribution_major_version|int <= 8 -- name: Install el9 packages +- name: Install packages (el9 and newer) ansible.builtin.package: name: "{{ item }}" state: installed @@ -153,10 +153,10 @@ owner: root group: "{{ ansible_wheel }}" -- name: Cron job for downloading yum updates +- name: Cron job for downloading updates ansible.builtin.cron: - name: yum-downloadonly + name: dnf-downloadonly user: root hour: "3" minute: "{{ 59 | random(seed=inventory_hostname) }}" - job: "yum -d 0 -e 0 -y --downloadonly update > /dev/null" + job: "dnf -d 0 -e 0 -y --downloadonly update > /dev/null" From 8f4cc595424e24c6546f53a102704c82472c4b48 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 15:53:31 +0000 Subject: [PATCH 388/713] autofs: Add option which NFS mounts to enable --- roles/autofs/defaults/main.yml | 3 +++ roles/autofs/templates/auto.master.j2 | 4 ++++ 2 files changed, 7 insertions(+) create mode 100644 roles/autofs/defaults/main.yml diff --git a/roles/autofs/defaults/main.yml b/roles/autofs/defaults/main.yml new file mode 100644 index 0000000..404004a --- /dev/null +++ b/roles/autofs/defaults/main.yml @@ -0,0 +1,3 @@ +--- +autofs_home: true +autofs_roles: true diff --git a/roles/autofs/templates/auto.master.j2 b/roles/autofs/templates/auto.master.j2 index ee9e28f..bec2b4b 100644 --- a/roles/autofs/templates/auto.master.j2 
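Review bot: Renaming the cron entry from `yum-downloadonly` to `dnf-downloadonly` leaves a second entry on hosts that already have the old one, because `ansible.builtin.cron` identifies jobs by `name` and never removes an entry whose name changed; add a task with `name: yum-downloadonly` and `state: absent` so each host ends up with one download job. The `when:` guards in the first two hunks still admit el7 (`<= 8`), which has no dnf, although the commit says el7 is being cleaned up — if el7 hosts are gone, a comment or a tightened guard would make that explicit.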
+++ b/roles/autofs/templates/auto.master.j2 @@ -1,2 +1,6 @@ +{% if autofs_home %} /home ldap:///ou=People,{{ ldap_basedn }} rw,nosuid,nodev,rsize=1048576,wsize=1048576 +{% endif %} +{% if autofs_roles %} /roles ldap:///ou=Groups,{{ ldap_basedn }} rw,nosuid,nodev,rsize=1048576,wsize=1048576 --ghost +{% endif %} From 0cc512ca9a3a4df4492bf3fa6111c613ce9deeba Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 15:54:46 +0000 Subject: [PATCH 389/713] Allow server network hosts to use NFS with krb5 --- playbooks/nas.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/playbooks/nas.yml b/playbooks/nas.yml index ceffe23..f7372ae 100644 --- a/playbooks/nas.yml +++ b/playbooks/nas.yml @@ -45,10 +45,12 @@ ansible.builtin.copy: dest: /etc/exports content: | - /export/home 172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \ + /export/home 172.20.20.0/22(rw,root_squash,secure,sec=krb5p) \ + 172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \ @nfsclients-rw(rw,root_squash,secure) \ @nfsclients-ro(ro,root_squash,secure) - /export/roles 172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \ + /export/roles 172.20.20.0/22(rw,root_squash,secure,sec=krb5p) \ + 172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \ @nfsclients-rw(rw,root_squash,secure) \ @nfsclients-ro(ro,root_squash,secure) mode: "0644" From 9d6418ca71e3f3dce8d7e8828da8adb28a3629e6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 15:56:30 +0000 Subject: [PATCH 390/713] Mount role directories to adm hosts --- playbooks/adm.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 2f99193..8bea617 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml @@ -33,6 +33,8 @@ keytab_principals: - "host/{{ inventory_hostname }}@{{ kerberos_realm }}" - nfs_client + - role: autofs + autofs_home: false - sssd - mkhomedir - rpm_build From 121687ad7c1e0667e07c6f58f5e8094081da131a Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Tue, 17 Dec 2024 18:14:42 +0000 Subject: [PATCH 391/713] tlshd: First version of role --- roles/tlshd/handlers/main.yml | 5 +++++ roles/tlshd/tasks/main.yml | 30 +++++++++++++++++++++++++++++ roles/tlshd/templates/tlshd.conf.j2 | 16 +++++++++++++++ 3 files changed, 51 insertions(+) create mode 100644 roles/tlshd/handlers/main.yml create mode 100644 roles/tlshd/tasks/main.yml create mode 100644 roles/tlshd/templates/tlshd.conf.j2 diff --git a/roles/tlshd/handlers/main.yml b/roles/tlshd/handlers/main.yml new file mode 100644 index 0000000..ed0f6fd --- /dev/null +++ b/roles/tlshd/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart tlshd + ansible.builtin.service: + name: tlshd + state: restarted diff --git a/roles/tlshd/tasks/main.yml b/roles/tlshd/tasks/main.yml new file mode 100644 index 0000000..7105884 --- /dev/null +++ b/roles/tlshd/tasks/main.yml @@ -0,0 +1,30 @@ +--- +- name: Install packages + ansible.builtin.package: + name: ktls-utils + +- name: Configure tlshd + ansible.builtin.template: + dest: /etc/tlshd.conf + src: tlshd.conf.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart tlshd + +- name: Configure tlshd private key + ansible.builtin.copy: + dest: "{{ tls_private }}/tlshd.key" + src: "{{ tls_private }}/{{ inventory_hostname }}.key" + mode: "0600" + owner: root + group: "{{ ansible_wheel }}" + remote_src: true + tags: certificates + notify: Restart tlshd + +- name: Enable tlshd services + ansible.builtin.service: + name: tlshd + state: started + enabled: true diff --git a/roles/tlshd/templates/tlshd.conf.j2 b/roles/tlshd/templates/tlshd.conf.j2 new file mode 100644 index 0000000..5063216 --- /dev/null +++ b/roles/tlshd/templates/tlshd.conf.j2 
@@ -0,0 +1,16 @@ +[debug] +loglevel=0 +tls=0 +nl=0 + +[authenticate] + +[authenticate.client] +x509.truststore = {{ tls_certs }}/ca.crt +x509.certificate = {{ tls_certs }}/{{ inventory_hostname }}.crt +x509.private_key = {{ tls_private }}/tlshd.key + +[authenticate.server] +x509.truststore = {{ tls_certs }}/ca.crt +x509.certificate = {{ tls_certs }}/{{ inventory_hostname }}.crt +x509.private_key = {{ tls_private }}/tlshd.key From d6e857fd84facb6c5ebb6216f87d651e70987718 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 18:15:15 +0000 Subject: [PATCH 392/713] nfs_client: Add support for RPC-with-TLS --- roles/nfs_client/meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/nfs_client/meta/main.yml b/roles/nfs_client/meta/main.yml index 14a902c..b5c17d7 100644 --- a/roles/nfs_client/meta/main.yml +++ b/roles/nfs_client/meta/main.yml @@ -1,3 +1,4 @@ --- dependencies: - {role: kerberos} + - {role: tlshd} From 1e2e45551ecb6cacd86fea30177cf4a25ec19df6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 20:14:02 +0000 Subject: [PATCH 393/713] autofs: Require TLS authentication for NFS mounts --- roles/autofs/templates/auto.master.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/autofs/templates/auto.master.j2 b/roles/autofs/templates/auto.master.j2 index bec2b4b..53c7637 100644 --- a/roles/autofs/templates/auto.master.j2 +++ b/roles/autofs/templates/auto.master.j2 @@ -1,6 +1,6 @@ {% if autofs_home %} -/home ldap:///ou=People,{{ ldap_basedn }} rw,nosuid,nodev,rsize=1048576,wsize=1048576 +/home ldap:///ou=People,{{ ldap_basedn }} rw,nosuid,nodev,rsize=1048576,wsize=1048576,xprtsec=mtls {% endif %} {% if autofs_roles %} -/roles ldap:///ou=Groups,{{ ldap_basedn }} rw,nosuid,nodev,rsize=1048576,wsize=1048576 --ghost +/roles ldap:///ou=Groups,{{ ldap_basedn }} rw,nosuid,nodev,rsize=1048576,wsize=1048576,xprtsec=mtls --ghost {% endif %} 
From 112ad23a66698735e2fcbdc5bcbb9227497b4fed Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 20:15:20 +0000 Subject: [PATCH 394/713] nfs_server: Move configs to include file --- roles/nfs_server/files/local.conf | 7 +++++++ roles/nfs_server/tasks/main.yml | 30 ++++++++++++++---------------- 2 files changed, 21 insertions(+), 16 deletions(-) create mode 100644 roles/nfs_server/files/local.conf diff --git a/roles/nfs_server/files/local.conf b/roles/nfs_server/files/local.conf new file mode 100644 index 0000000..b5085c3 --- /dev/null +++ b/roles/nfs_server/files/local.conf @@ -0,0 +1,7 @@ +[mountd] +debug="auth,general" + +[nfsd] +udp=n +tcp=y +vers3=n diff --git a/roles/nfs_server/tasks/main.yml b/roles/nfs_server/tasks/main.yml index c73f100..c2ca5fd 100644 --- a/roles/nfs_server/tasks/main.yml +++ b/roles/nfs_server/tasks/main.yml @@ -1,21 +1,19 @@ --- -- name: Disable NFS versions 2 and 3 - ansible.builtin.lineinfile: - path: /etc/nfs.conf - line: "{{ item }}=n" - regexp: '^(#\s*)?{{ item }}=.*' - with_items: - - vers2 - - vers3 - notify: Restart nfs-server +- name: Create config directory + ansible.builtin.file: + path: /etc/nfs.conf.d + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" -- name: Disable NFS over UDP - ansible.builtin.lineinfile: - path: /etc/nfs.conf - line: "udp=n" - regexp: '^(#\s*)?udp=.*' - insertbefore: vers2=n - notify: Restart nfs-server +- name: Create local config + ansible.builtin.copy: + dest: /etc/nfs.conf.d/local.conf + src: local.conf + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" - name: Install home/role autocreate scripts ansible.builtin.copy: From 9fd303c4adaa537f80e4ca2b84f32ed8ff450047 Mon Sep 17 00:00:00 2001 
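Review bot: `debug="auth,general"` under `[mountd]` turns on mountd debug logging permanently in a shipped config, which is noisy and looks like a troubleshooting setting left in; if it is meant to stay, a comment above it saying why would help, otherwise drop it. The file also no longer carries the `vers2=n` that the removed lineinfile task set; on recent kernels NFSv2 server support is off by default or absent, so this is probably harmless, but a one-line comment `# vers2 not listed: disabled by default in current nfs-utils` would record that it was dropped on purpose.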
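Review bot: The new `Create local config` task drops the `notify: Restart nfs-server` that both removed lineinfile tasks carried, so changes to `/etc/nfs.conf.d/local.conf` (udp/vers3 settings) are written but nfsd keeps running with its old configuration until something else restarts it; add `notify: Restart nfs-server` after the `group:` line, as the exports task in the following commit does. The `Create config directory` task needs no handler.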
From: Timo Makinen Date: Tue, 17 Dec 2024 20:16:02 +0000 Subject: [PATCH 395/713] nfs_server: Move exports file under roles --- playbooks/nas.yml | 18 ------------------ roles/nfs_server/files/exports | 6 ++++++ roles/nfs_server/tasks/main.yml | 9 +++++++++ 3 files changed, 15 insertions(+), 18 deletions(-) create mode 100644 roles/nfs_server/files/exports diff --git a/playbooks/nas.yml b/playbooks/nas.yml index f7372ae..cb65fe3 100644 --- a/playbooks/nas.yml +++ b/playbooks/nas.yml @@ -39,21 +39,3 @@ - nfs_server - role: keytab keytab_principals: "nfs/{{ inventory_hostname }}@FOO.SH" - - tasks: - - name: Copy exports file - ansible.builtin.copy: - dest: /etc/exports - content: | - /export/home 172.20.20.0/22(rw,root_squash,secure,sec=krb5p) \ - 172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \ - @nfsclients-rw(rw,root_squash,secure) \ - @nfsclients-ro(ro,root_squash,secure) - /export/roles 172.20.20.0/22(rw,root_squash,secure,sec=krb5p) \ - 172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \ - @nfsclients-rw(rw,root_squash,secure) \ - @nfsclients-ro(ro,root_squash,secure) - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - notify: Restart nfs-server diff --git a/roles/nfs_server/files/exports b/roles/nfs_server/files/exports new file mode 100644 index 0000000..51916e7 --- /dev/null +++ b/roles/nfs_server/files/exports @@ -0,0 +1,6 @@ +/export/home @nfsclients-rw(rw,root_squash,secure,xprtsec=mtls,sec=sys) \ + @nfsclients-ro(ro,root_squash,secure,xprtsec=mtls,sec=sys) \ + @nfsclients-krb(rw,root_squash,secure,xprtsec=mtls,sec=krb5p) +/export/roles @nfsclients-rw(rw,root_squash,secure,xprtsec=mtls,sec=sys) \ + @nfsclients-ro(ro,root_squash,secure,xprtsec=mtls,sec=sys) \ + @nfsclients-krb(rw,root_squash,secure,xprtsec=mtls,sec=krb5p) diff --git a/roles/nfs_server/tasks/main.yml b/roles/nfs_server/tasks/main.yml index c2ca5fd..8ac57b1 100644 --- a/roles/nfs_server/tasks/main.yml +++ b/roles/nfs_server/tasks/main.yml 
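Review bot: The `@nfsclients-rw` and `@nfsclients-ro` entries combine `xprtsec=mtls` with `sec=sys`, where mTLS authenticates the client machine but the UIDs on each request are still whatever that machine asserts; the removed subnet entries required `sec=krb5p`, so only `@nfsclients-krb` keeps per-user authentication. That split is reasonable if the rw/ro netgroups hold only hosts whose local users are trusted, but it deserves a comment at the top of the file such as `# xprtsec=mtls authenticates the host only; sec=sys trusts client-asserted uids (root_squash applies)` so the trust boundary is explicit.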
@@ -15,6 +15,15 @@ owner: root group: "{{ ansible_wheel }}" +- name: Create exports + ansible.builtin.copy: + dest: /etc/exports + src: exports + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart nfs-server + - name: Install home/role autocreate scripts ansible.builtin.copy: dest: "/usr/local/sbin/{{ item }}" From c534d83e04a78aed681905882da99481e058ab22 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 20:27:52 +0000 Subject: [PATCH 396/713] Add roles mount to nms hosts --- playbooks/nms.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/playbooks/nms.yml b/playbooks/nms.yml index e4d523e..61de5ee 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -29,6 +29,12 @@ - role: nginx_site nginx_site_name: oob.foo.sh nginx_site_plaintext: false + - role: keytab + keytab_principals: + - "host/{{ inventory_hostname }}@{{ kerberos_realm }}" + - nfs_client + - role: autofs + autofs_home: false - sssd - mkhomedir - routeros_firmware From 1bab94601963279fe1c3a4a4542bdcbeb270b46b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 21:57:26 +0000 Subject: [PATCH 397/713] ipsilon: Move db password to secrets --- roles/ipsilon/templates/ipsilon-container.sysconfig.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 index fcfb7a5..1f76bc0 100644 --- a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 +++ b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 @@ -1,6 +1,6 @@ LDAP_BASEDN="{{ ldap_basedn }}" IPSILON_DB_USER="ipsilon" -IPSILON_DB_PASS="jFmMGUXsQgOuW9FE5ABX" +IPSILON_DB_PASS="{{ ipsilon_mysql_pass }}" IPSILON_DB_HOST="sqldb02.home.foo.sh" IPSILON_DB_CA="/etc/ssl/certs/ca.crt" IPSILON_DB_KEY="/etc/ssl/private/{{ inventory_hostname }}.key" From 46c41d2d776a5eed87f52eb0ac81e8c2b870df62 Mon Sep 17 00:00:00 2001 
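Review bot: Replacing the literal with `{{ ipsilon_mysql_pass }}` removes the password from the working tree but not from this repository's history, where the removed line stays readable to anyone with clone access; the database credential should be rotated and the new value stored only in the secrets source. I cannot tell from the diff whether rotation already happened, so a sentence in the commit message or role README noting it would close the loop.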
From: Timo Makinen Date: Tue, 17 Dec 2024 22:00:21 +0000 Subject: [PATCH 398/713] ipsilon: Add OIDC key --- roles/ipsilon/tasks/main.yml | 9 +++++++++ roles/ipsilon/templates/ipsilon-container.service.j2 | 1 + roles/ipsilon/templates/ipsilon-container.sysconfig.j2 | 3 +++ 3 files changed, 13 insertions(+) diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml index deadb3d..b02b9df 100644 --- a/roles/ipsilon/tasks/main.yml +++ b/roles/ipsilon/tasks/main.yml @@ -27,6 +27,15 @@ group: ipsilon remote_src: true +- name: Copy OIDC key + ansible.builtin.copy: + dest: "{{ tls_private }}/openidc.key" + src: "{{ ansible_private }}/files/ipsilon/openidc.key" + mode: "0640" + owner: root + group: ipsilon + notify: Restart ipsilon-container + - name: Get container source ansible.builtin.git: dest: /usr/local/src/docker-ipsilon diff --git a/roles/ipsilon/templates/ipsilon-container.service.j2 b/roles/ipsilon/templates/ipsilon-container.service.j2 index 0560343..74bc2b0 100644 --- a/roles/ipsilon/templates/ipsilon-container.service.j2 +++ b/roles/ipsilon/templates/ipsilon-container.service.j2 @@ -13,6 +13,7 @@ ExecStart=/usr/bin/podman run \ --volume={{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \ --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \ --volume={{ tls_private }}/ipsilon.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \ + --volume={{ tls_private }}/openidc.key:/etc/ipsilon/openidc.key:ro \ ipsilon:latest ExecStop=/usr/bin/podman stop --ignore ipsilon ExecStopPost=/usr/bin/podman rm -f --ignore ipsilon diff --git a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 index 1f76bc0..7a4ba72 100644 --- a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 +++ b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 
@@ -5,3 +5,6 @@ IPSILON_DB_HOST="sqldb02.home.foo.sh" IPSILON_DB_CA="/etc/ssl/certs/ca.crt" IPSILON_DB_KEY="/etc/ssl/private/{{ inventory_hostname }}.key" IPSILON_DB_CERT="/etc/ssl/certs/{{ inventory_hostname}}.crt" +IPSILON_HOSTNAME="idp.foo.sh" +IPSILON_OPENIDC_KEYID="{{ ipsilon_openidc_keyid }}" +IPSILON_OPENIDC_SALT="{{ ipsilon_openidc_salt }}" From 3efe44b50bed4c5972c8050c08a80022cf1aa27a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 22:32:25 +0000 Subject: [PATCH 399/713] rsync_backup: Initial version of role --- roles/rsync_backup/files/backup-daily.sh | 150 +++++++++++++++++++++++ roles/rsync_backup/meta/main.yml | 4 + roles/rsync_backup/tasks/main.yml | 52 ++++++++ 3 files changed, 206 insertions(+) create mode 100755 roles/rsync_backup/files/backup-daily.sh create mode 100644 roles/rsync_backup/meta/main.yml create mode 100644 roles/rsync_backup/tasks/main.yml diff --git a/roles/rsync_backup/files/backup-daily.sh b/roles/rsync_backup/files/backup-daily.sh new file mode 100755 index 0000000..4840732 --- /dev/null +++ b/roles/rsync_backup/files/backup-daily.sh 
@@ -0,0 +1,150 @@ +#!/bin/sh + +set -eu + +umask 077 + +ROTATED=30 + +CONFDIR="/etc/rsync-backup" +DESTDIR="/srv/backup" +LOGDIR="/var/log/rsync-backup" +RUNDIR="/var/run/rsync-backup" + +find_rotated() { + # sort dailys from oldest to newest, daily.7 daily.6 daily.5 ... + find "$1" -mindepth 1 -maxdepth 1 -type d -name "daily.*" | sort -V -r +} + +rotate_dirs() { + for host in "$@"; do + # rotate dailys starting from oldest + if [ ! -d "${DESTDIR}/${host}" ]; then + continue + fi + find_rotated "${DESTDIR}/${host}" | while read -r dir; do + ext="${dir##*.}" + next="${dir%.*}.$((ext+1))" + mv "$dir" "$next" + done + done + # compress logs over 1 day old + find "$LOGDIR" -type f -name '*.log' -mtime +1 -execdir gzip -f {} ';' +} + +prune_dirs() { + for host in "$@"; do + # remove oldest dailys + find_rotated "${DESTDIR}/${host}" | while read -r dir ; do + num="$(basename "$dir" | sed -e 's/^daily.//')" + if [ "$num" -gt $ROTATED ]; then + rm -rf "$dir" + fi + done + done + # remove logs over ROTATED*2 days old + find "$LOGDIR" -type f -name '*.log.gz' -mtime +$((ROTATED*2)) -delete +} + +rsync_pull() { + dirs="" + opts="" + host="$1" + conf="${CONFDIR}/${host}.conf" + if [ -s "$conf" ] && [ -x "$conf" ]; then + # shellcheck source=/dev/null + . "$conf" || return + else + echo "skipped: ${1}" 1>&2 + return + fi + + lockdir="${RUNDIR}/${host}.lock" + mkdir -m 0755 "$lockdir" || return + + if [ "$host" = "$(hostname)" ]; then + # skip ssh for localhost + set -- $dirs + else + set -- $(for d in $dirs; do echo "${host}:${d}" ; done) + fi + + base="${DESTDIR}/${host}" + if [ ! -d "$base" ]; then + mkdir -m 0700 "$base" || return + fi + dest="${base}/daily.0" + last="${base}/daily.1" + if [ ! -d "$dest" ]; then + mkdir -m 0700 "$dest" || return + fi + if [ -d "$last" ]; then + # hardlink unchanged files to previous daily + opts="--ignore-existing --link-dest=${last}" + fi + + logfile="${LOGDIR}/${host}.$(date +%Y%m%d-%H%M%S).log" + if ! 
/usr/local/bin/rsync \ + -e "ssh -o BatchMode=yes -i ${CONFDIR}/id_ed25519" \ + -Raqxz --no-devices $opts \ + --log-file="$logfile" \ + "$@" "$dest" + then + echo "rsync log: ${logfile}" 1>&2 + fi + rmdir "$lockdir" +} + +if [ ! -d "$DESTDIR" ]; then + echo "ERROR: ${DESTDIR} does not exist" 1>&2 + exit 1 +fi + +if [ ! -d "$LOGDIR" ]; then + echo "ERROR: ${LOGDIR} does not exist" 1>&2 + exit 1 +fi + +if [ ! -d "$RUNDIR" ]; then + mkdir -m 0755 "$RUNDIR" +fi + +ALL=false +PRUNE=false +ROTATE=false +while getopts "apr" OPT; do + case "$OPT" in + a) + ALL=true + ;; + p) + PRUNE=true + ;; + r) + ROTATE=true + ;; + *) + echo "Usage: $(basename "$0") [-apr] [host ...]" 1>&2 + exit 1 + ;; + esac +done +shift $((OPTIND-1)) + +mkdir -m 0755 "${RUNDIR}/daily.lock" +trap 'rmdir "${RUNDIR}/daily.lock"' EXIT + +if [ $ALL ]; then + for conf in "${CONFDIR}"/*.conf ; do + host="$(basename "$conf" ".conf")" + set -- "$host" "$@" + done +fi + +$ROTATE && rotate_dirs "$@" + +for host in "$@" ; do + rsync_pull "$host" +done + +$PRUNE && prune_dirs "$@" diff --git a/roles/rsync_backup/meta/main.yml b/roles/rsync_backup/meta/main.yml new file mode 100644 index 0000000..a6cb84e --- /dev/null +++ b/roles/rsync_backup/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - {role: backup_base} + - {role: ssh_known_hosts} diff --git a/roles/rsync_backup/tasks/main.yml b/roles/rsync_backup/tasks/main.yml new file mode 100644 index 0000000..7562bb0 --- /dev/null +++ b/roles/rsync_backup/tasks/main.yml 
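Review bot: `if [ $ALL ]; then` near the end of backup-daily.sh tests whether the string `false` is non-empty, which it always is, so the `-a` behaviour applies on every run and an explicit host list is always extended with every `*.conf` in `/etc/rsync-backup`; the later `$ROTATE && …` and `$PRUNE && …` lines show the intended form, so this should be `if $ALL; then`. In `rsync_pull`, `. "$conf"` executes each per-host config as root, so a header comment should state the expected format (a shell fragment setting `dirs`, non-empty and executable, as the `-s`/`-x` test requires) and that the files must stay root-owned. The per-host `${host}.lock` is removed only on the normal path; if rsync is interrupted the directory stays and later runs return silently from `mkdir -m 0755 "$lockdir" || return`, so a warning on that branch would make stuck locks visible.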
@@ -0,0 +1,52 @@ +--- +- name: Copy backup script + ansible.builtin.copy: + dest: /usr/local/sbin/backup-daily + src: backup-daily.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Create config directory + ansible.builtin.file: + path: /etc/rsync-backup + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Create logdir + ansible.builtin.file: + path: /var/log/rsync-backup + state: directory + mode: "0700" + owner: root + group: "{{ ansible_wheel }}" + +- name: Create ssh keys + ansible.builtin.command: + argv: + - ssh-keygen + - -t + - ed25519 + - -C + - "root@{{ inventory_hostname }}" + - -N + - "" + - -f + - /etc/rsync-backup/id_ed25519 + creates: /etc/rsync-backup/id_ed25519 + +- name: Fetch ssh public key + ansible.builtin.fetch: + src: /etc/rsync-backup/id_ed25519.pub + dest: ../files/ssh/rsync-backup.pub + flat: true + +- name: Install cron job + ansible.builtin.cron: + name: daily rsync backup + job: /usr/local/sbin/backup-daily -a -p -r + hour: "00" + minute: "30" + From 9babcce554f5a9fbca7e3dcf9bf01b6e143099f1 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 22:32:57 +0000 Subject: [PATCH 400/713] Enable rsync backups --- playbooks/backup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/backup.yml b/playbooks/backup.yml index 91230bc..cf58b10 100644 --- a/playbooks/backup.yml +++ b/playbooks/backup.yml @@ -25,7 +25,7 @@ roles: - base - - backup_server - backup_bitbucket - backup_github - rclone + - rsync_backup From 10d87f35d564939ab49c6981074735d012b81df1 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 20 Dec 2024 16:33:07 +0000 Subject: [PATCH 401/713] mosquitto: Use only TLSv3 --- roles/mosquitto/templates/mosquitto.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mosquitto/templates/mosquitto.conf.j2 b/roles/mosquitto/templates/mosquitto.conf.j2 index f0bc82a..8d81ed2 100644 
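Review bot: The 'Fetch ssh public key' task writes every host's key to the same controller path `../files/ssh/rsync-backup.pub` with `flat: true`, so if this role ever runs on more than one host the last one wins and the earlier hosts' keys are silently replaced. If a single backup server is intended, a comment on the task saying so makes the assumption visible, e.g. `# one backup server only: a second host would overwrite this file`; otherwise include `{{ inventory_hostname }}` in `dest`. The key created in 'Create ssh keys' has no passphrase (`-N ""`) and its file mode is left to ssh-keygen's default rather than stated in the play; a following `ansible.builtin.file` task pinning `mode: "0600"` on `/etc/rsync-backup/id_ed25519` would make the intended permissions explicit and re-asserted on every run.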
--- a/roles/mosquitto/templates/mosquitto.conf.j2 +++ b/roles/mosquitto/templates/mosquitto.conf.j2 @@ -15,3 +15,4 @@ protocol websockets certfile {{ tls_certs }}/{{ inventory_hostname }}.crt keyfile {{ tls_private }}/{{ inventory_hostname }}.key cafile {{ tls_certs }}/ca.crt +tls_version tlsv1.3 From 4756acbaf0ec52377ddcebe243e5ae709c0936d7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 20 Dec 2024 17:39:10 +0000 Subject: [PATCH 402/713] mosquitto: Fix warnings about config file perms --- roles/mosquitto/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/mosquitto/tasks/main.yml b/roles/mosquitto/tasks/main.yml index 5e29a25..2d09f14 100644 --- a/roles/mosquitto/tasks/main.yml +++ b/roles/mosquitto/tasks/main.yml @@ -39,8 +39,8 @@ ansible.builtin.copy: dest: /etc/mosquitto/acl.conf src: "{{ ansible_private }}/files/mosquitto/acl.conf" - mode: "0640" - owner: root + mode: "0400" + owner: _mosquitto group: _mosquitto notify: Restart mosquitto @@ -48,8 +48,8 @@ ansible.builtin.copy: dest: /etc/mosquitto/passwd src: "{{ ansible_private }}/files/mosquitto/passwd" - mode: "0640" - owner: root + mode: "0400" + owner: _mosquitto group: _mosquitto notify: Restart mosquitto From 8dd1e61c3bd693a58677c9423929a8051754c084 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 20 Dec 2024 18:06:14 +0000 Subject: [PATCH 403/713] ansible_host: Fix for python 3.12 clients --- roles/ansible_host/files/urls.py.patch | 86 ++++++++++++++++++++++++++ roles/ansible_host/tasks/main.yml | 5 ++ 2 files changed, 91 insertions(+) create mode 100644 roles/ansible_host/files/urls.py.patch diff --git a/roles/ansible_host/files/urls.py.patch b/roles/ansible_host/files/urls.py.patch new file mode 100644 index 0000000..ee1dda4 --- /dev/null +++ b/roles/ansible_host/files/urls.py.patch 
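Review bot: `tls_version tlsv1.3` restricts the 8883 listener to TLS 1.3 only, and the context lines show that listener still configured as `protocol websockets`, so any client without TLS 1.3 support (older embedded MQTT devices in particular) will stop connecting; a comment stating that this is intended would help, e.g. `# TLS 1.3 only; clients must support it`. The commit subject says TLSv3 while the directive value is TLS 1.3.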
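Review bot: Changing `owner: root` to `owner: _mosquitto` for /etc/mosquitto/acl.conf, and likewise for /etc/mosquitto/passwd in the second hunk, hands ownership of the authorization policy to the service account: a compromised broker process can chmod and rewrite its own ACL and password file, which the previous `0640 root:_mosquitto` prevented. As I understand it this is what mosquitto's file-permission warning asks for (it checks that the owner matches the user it runs as), so the trade-off may be deliberate, but it deserves a comment on both tasks, e.g. `# mosquitto warns unless the file is owned by its own user; Ansible re-asserts content and mode on every run`.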
@@ -0,0 +1,86 @@ +--- ./urls.py.orig 2024-03-27 18:55:18.077213253 +0000 ++++ urls.py 2024-03-27 18:21:07.613270952 +0000 +@@ -535,15 +535,18 @@ + UnixHTTPSConnection = None + if hasattr(httplib, 'HTTPSConnection') and hasattr(urllib_request, 'HTTPSHandler'): + class CustomHTTPSConnection(httplib.HTTPSConnection): # type: ignore[no-redef] +- def __init__(self, *args, **kwargs): ++ def __init__(self, client_cert=None, client_key=None, *args, **kwargs): + httplib.HTTPSConnection.__init__(self, *args, **kwargs) + self.context = None + if HAS_SSLCONTEXT: + self.context = self._context + elif HAS_URLLIB3_PYOPENSSLCONTEXT: + self.context = self._context = PyOpenSSLContext(PROTOCOL) +- if self.context and self.cert_file: +- self.context.load_cert_chain(self.cert_file, self.key_file) ++ ++ self._client_cert = client_cert ++ self._client_key = client_key ++ if self.context and self._client_cert: ++ self.context.load_cert_chain(self._client_cert, self._client_key) + + def connect(self): + "Connect to a host on a given (SSL) port." 
+@@ -564,10 +567,10 @@ + if HAS_SSLCONTEXT or HAS_URLLIB3_PYOPENSSLCONTEXT: + self.sock = self.context.wrap_socket(sock, server_hostname=server_hostname) + elif HAS_URLLIB3_SSL_WRAP_SOCKET: +- self.sock = ssl_wrap_socket(sock, keyfile=self.key_file, cert_reqs=ssl.CERT_NONE, # pylint: disable=used-before-assignment +- certfile=self.cert_file, ssl_version=PROTOCOL, server_hostname=server_hostname) ++ self.sock = ssl_wrap_socket(sock, keyfile=self._client_key, cert_reqs=ssl.CERT_NONE, # pylint: disable=used-before-assignment ++ certfile=self._client_cert, ssl_version=PROTOCOL, server_hostname=server_hostname) + else: +- self.sock = ssl.wrap_socket(sock, keyfile=self.key_file, certfile=self.cert_file, ssl_version=PROTOCOL) ++ self.sock = ssl.wrap_socket(sock, keyfile=self._client_key, certfile=self._client_cert, ssl_version=PROTOCOL) + + class CustomHTTPSHandler(urllib_request.HTTPSHandler): # type: ignore[no-redef] + +@@ -602,10 +605,6 @@ + return self.do_open(self._build_https_connection, req) + + def _build_https_connection(self, host, **kwargs): +- kwargs.update({ +- 'cert_file': self.client_cert, +- 'key_file': self.client_key, +- }) + try: + kwargs['context'] = self._context + except AttributeError: +@@ -613,7 +612,7 @@ + if self._unix_socket: + return UnixHTTPSConnection(self._unix_socket)(host, **kwargs) + if not HAS_SSLCONTEXT: +- return CustomHTTPSConnection(host, **kwargs) ++ return CustomHTTPSConnection(host, client_cert=self.client_cert, client_key=self.client_key, **kwargs) + return httplib.HTTPSConnection(host, **kwargs) + + @contextmanager +@@ -979,7 +978,7 @@ + pass + + +-def make_context(cafile=None, cadata=None, ciphers=None, validate_certs=True): ++def make_context(cafile=None, cadata=None, ciphers=None, validate_certs=True, client_cert=None, client_key=None): + if ciphers is None: + ciphers = [] + +@@ -1006,6 +1005,9 @@ + if ciphers: + context.set_ciphers(':'.join(map(to_native, ciphers))) + ++ if client_cert: ++ 
context.load_cert_chain(client_cert, keyfile=client_key) ++ + return context + + +@@ -1514,6 +1516,8 @@ + cadata=cadata, + ciphers=ciphers, + validate_certs=validate_certs, ++ client_cert=client_cert, ++ client_key=client_key, + ) + handlers.append(HTTPSClientAuthHandler(client_cert=client_cert, + client_key=client_key, diff --git a/roles/ansible_host/tasks/main.yml b/roles/ansible_host/tasks/main.yml index b13d9f3..15e4728 100644 --- a/roles/ansible_host/tasks/main.yml +++ b/roles/ansible_host/tasks/main.yml @@ -10,6 +10,11 @@ - python3.11-dns # required for lookup('dig', 'hostname') - python3.11-netaddr # required by iptables role +- name: Patch ansible to support python 3.12 clients + ansible.posix.patch: + src: urls.py.patch + dest: /usr/lib/python3.9/site-packages/ansible/module_utils/urls.py + - name: Create private directory and force permissions ansible.builtin.file: path: /export/private From 82a91857d05f251070e3dfc7938edd0b5230eb7f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 20 Dec 2024 18:06:45 +0000 Subject: [PATCH 404/713] ansible_host: Fix python dependencies for ansible --- roles/ansible_host/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/ansible_host/tasks/main.yml b/roles/ansible_host/tasks/main.yml index 15e4728..812a779 100644 --- a/roles/ansible_host/tasks/main.yml +++ b/roles/ansible_host/tasks/main.yml @@ -7,8 +7,8 @@ - ansible - ansible-collection-ansible-posix - ansible-collection-community-general - - python3.11-dns # required for lookup('dig', 'hostname') - - python3.11-netaddr # required by iptables role + - python3.9-dns # required for lookup('dig', 'hostname') + - python3.9-netaddr # required by iptables role - name: Patch ansible to support python 3.12 clients ansible.posix.patch: From ad85a0c46b4a20c7f7fbcc9353e616364d1ee004 Mon Sep 17 00:00:00 2001 
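Review bot: In the `_build_https_connection` hunk of urls.py.patch the new call `CustomHTTPSConnection(host, client_cert=self.client_cert, client_key=self.client_key, **kwargs)` passes `host` positionally, and with the new signature `__init__(self, client_cert=None, client_key=None, *args, **kwargs)` that positional argument binds to `client_cert`, so the explicit `client_cert=` keyword raises TypeError (multiple values for argument). The path is only reached when `HAS_SSLCONTEXT` is false, which on any Python that has ssl.SSLContext it is not, so the breakage is latent rather than live. Passing the host by keyword, `CustomHTTPSConnection(host=host, client_cert=self.client_cert, client_key=self.client_key, **kwargs)`, routes it through `**kwargs` to `HTTPSConnection.__init__` and keeps Python 2 compatibility, which the `httplib` naming suggests the file still needs.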
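Review bot: The 'Patch ansible to support python 3.12 clients' task rewrites a file owned by the distribution's ansible package at a hard-coded path, `/usr/lib/python3.9/site-packages/ansible/module_utils/urls.py`; when the package is upgraded the patch is re-applied against whatever urls.py ships next, and once upstream carries the fix `ansible.posix.patch` will fail to apply and abort the play. A comment recording when the task can go would help, e.g. `# workaround for packaged ansible on python 3.9; drop once the package ships the python 3.12 urls.py fix`, and a `when:` on the installed ansible version would make the removal automatic if such a fact is available on these hosts.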
From: Timo Makinen Date: Sat, 21 Dec 2024 16:41:18 +0000 Subject: [PATCH 405/713] ansible_host: Fix installing ansible patch --- roles/ansible_host/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ansible_host/tasks/main.yml b/roles/ansible_host/tasks/main.yml index 812a779..bc8f455 100644 --- a/roles/ansible_host/tasks/main.yml +++ b/roles/ansible_host/tasks/main.yml @@ -7,6 +7,7 @@ - ansible - ansible-collection-ansible-posix - ansible-collection-community-general + - patch # needed in next step - python3.9-dns # required for lookup('dig', 'hostname') - python3.9-netaddr # required by iptables role From 2dd0fb75c9bf741bc8a5b041ae17ae9fa01aa011 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 21 Dec 2024 17:41:03 +0000 Subject: [PATCH 406/713] autofs: Mount volumes with noatime --- roles/autofs/templates/auto.master.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/autofs/templates/auto.master.j2 b/roles/autofs/templates/auto.master.j2 index 53c7637..4087487 100644 --- a/roles/autofs/templates/auto.master.j2 +++ b/roles/autofs/templates/auto.master.j2 @@ -1,6 +1,6 @@ {% if autofs_home %} -/home ldap:///ou=People,{{ ldap_basedn }} rw,nosuid,nodev,rsize=1048576,wsize=1048576,xprtsec=mtls +/home ldap:///ou=People,{{ ldap_basedn }} rw,noatime,nosuid,nodev,rsize=1048576,wsize=1048576,xprtsec=mtls {% endif %} {% if autofs_roles %} -/roles ldap:///ou=Groups,{{ ldap_basedn }} rw,nosuid,nodev,rsize=1048576,wsize=1048576,xprtsec=mtls --ghost +/roles ldap:///ou=Groups,{{ ldap_basedn }} rw,noatime,nosuid,nodev,rsize=1048576,wsize=1048576,xprtsec=mtls --ghost {% endif %} From cfcdb4e935868bc3bcde7051ba80fc4f17516766 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sat, 21 Dec 2024 18:57:44 +0000 Subject: [PATCH 407/713] thinlinc_server: Fixes for thinlinc 4.18 release --- roles/thinlinc_server/files/tl-setup.local.sh | 28 ++++++++++--------- roles/thinlinc_server/tasks/main.yml | 7 ----- 2 files changed, 15 insertions(+), 20 deletions(-) diff --git a/roles/thinlinc_server/files/tl-setup.local.sh b/roles/thinlinc_server/files/tl-setup.local.sh index 118350e..acd3b39 100755 --- a/roles/thinlinc_server/files/tl-setup.local.sh +++ b/roles/thinlinc_server/files/tl-setup.local.sh @@ -3,22 +3,24 @@ set -eu cat < /root/tl-setup.answer -install-pygtk=yes -email-address=adm@foo.sh -setup-selinux=yes -setup-nearest=no -server-type=master -setup-firewall=no -install-python-ldap=no -setup-apparmor=no -missing-answer=ask -install-nfs=no -setup-thinlocal=no -install-sshd=no -tlwebadm-password=$(dd if=/dev/urandom count=1 2> /dev/null | base64 | tail -n 1 | cut -c 1-20) accept-eula=yes +server-type=master migrate-conf=old install-required-libs=yes +install-nfs=no +install-sshd=no +install-gtk=yes +install-python-ldap=no +agent-hostname-choice=manual +manual-agent-hostname=$(hostname -f) +email-address=adm@foo.sh +tlwebadm-password=$(dd if=/dev/urandom count=1 2> /dev/null | base64 | tail -n 1 | cut -c 1-20) +setup-thinlocal=no +setup-nearest=no +setup-firewall=no +setup-selinux=yes +setup-apparmor=no +missing-answer=abort EOF /opt/thinlinc/sbin/tl-setup -a /root/tl-setup.answer diff --git a/roles/thinlinc_server/tasks/main.yml b/roles/thinlinc_server/tasks/main.yml index 6455425..19eca7e 100644 --- a/roles/thinlinc_server/tasks/main.yml +++ b/roles/thinlinc_server/tasks/main.yml 
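Review bot: The answer file written to /root/tl-setup.answer contains the generated `tlwebadm-password=...` in cleartext and nothing in the hunk removes it after `/opt/thinlinc/sbin/tl-setup -a /root/tl-setup.answer` runs, so the web admin password stays on disk indefinitely. If the password is not needed afterwards, delete the file after setup with `rm -f /root/tl-setup.answer`; if it is, a comment should say where it is recorded. Changing `missing-answer` from `ask` to `abort` is the right choice for an unattended run, since `ask` would hang the script on any new installer question.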
@@ -48,13 +48,6 @@ regexp: "^show_intro=.*" line: show_intro=false -- name: Configure vsmagent hostname - ansible.builtin.lineinfile: - path: /opt/thinlinc/etc/conf.d/vsmagent.hconf - regexp: "^agent_hostname=.*" - line: "agent_hostname={{ inventory_hostname }}" - notify: Restart vsmagent - - name: Copy private key ansible.builtin.copy: dest: /opt/thinlinc/etc/tlwebaccess/server.key From 81252de1452362705ab06c332b6da4c2e34c9547 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 22 Dec 2024 18:22:19 +0000 Subject: [PATCH 408/713] homeassistant: Convert auth command to python --- roles/homeassistant/files/auth-command.py | 25 +++++++++++++++++++++++ roles/homeassistant/files/auth-command.sh | 18 ---------------- roles/homeassistant/tasks/main.yml | 4 ++-- 3 files changed, 27 insertions(+), 20 deletions(-) create mode 100755 roles/homeassistant/files/auth-command.py delete mode 100755 roles/homeassistant/files/auth-command.sh diff --git a/roles/homeassistant/files/auth-command.py b/roles/homeassistant/files/auth-command.py new file mode 100755 index 0000000..02fff52 --- /dev/null +++ b/roles/homeassistant/files/auth-command.py @@ -0,0 +1,25 @@ +#!/usr/bin/env python3 + +import os +import re +import sys +import requests + +username = os.environ.get("username") +password = os.environ.get("password") + +if username is None or password is None: + sys.exit(2) +if not re.search(r"^[a-z]+$", username): + sys.exit(2) + +resp = requests.post( + "https://id.foo.sh/authcheck", + json={"username": username, "password": password, "group": "foosh"}, +) +if resp.status_code != 200: + sys.exit(2) + +print("name = {}".format(resp.json()["name"])) +print("group = system-users") +print("local_only = false") diff --git a/roles/homeassistant/files/auth-command.sh b/roles/homeassistant/files/auth-command.sh deleted file mode 100755 index e64ee9c..0000000 --- a/roles/homeassistant/files/auth-command.sh +++ /dev/null 
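Review bot: `requests.post("https://id.foo.sh/authcheck", json=...)` has no `timeout`, so a stalled identity service blocks the auth command and its caller indefinitely; add one, e.g. `timeout=10`. The username check `re.search(r"^[a-z]+$", username)` accepts a value with a trailing newline because `$` matches before it; `re.fullmatch(r"[a-z]+", username)` is the stricter form. Certificate verification is left at the requests default (on), which is the right choice for an endpoint that receives passwords.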
@@ -1,18 +0,0 @@ -#!/bin/sh - -set -eu - -umask 077 - -if [ -z "${username:-}" ] || [ -z "${password:-}" ]; then - exit 2 -fi - -if [ "$(echo "$username" | sed -r 's/^[a-z]+$/x/')" != "x" ]; then - exit 2 -fi - -curl -sf -X POST -H "Content-Type: application/json" -d @- \ - https://id.foo.sh/authcheck < Date: Mon, 23 Dec 2024 07:40:34 +0000 Subject: [PATCH 409/713] Add shell script linting tools to adm hosts --- playbooks/adm.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 8bea617..5900555 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml @@ -57,6 +57,7 @@ - pylint # python linting - python3-flake8 # python linting - speedtest-cli # testing network speed + - ShellCheck # shell script linting - virt-install # install kvm guests - wget # still in backbone for downloads - whois # read whois data From 0a861b0b8ef87e0a92f3de7dbd075fb10583bfb3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Dec 2024 08:05:57 +0000 Subject: [PATCH 410/713] mosquitto: Fix connections using TLS --- roles/mosquitto/templates/mosquitto.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mosquitto/templates/mosquitto.conf.j2 b/roles/mosquitto/templates/mosquitto.conf.j2 index 8d81ed2..e228124 100644 --- a/roles/mosquitto/templates/mosquitto.conf.j2 +++ b/roles/mosquitto/templates/mosquitto.conf.j2 @@ -9,7 +9,7 @@ protocol mqtt # listen to mqtt over websockets listener 8883 -protocol websockets +protocol mqtt # tls options certfile {{ tls_certs }}/{{ inventory_hostname }}.crt From 0adad8fa18c1e7c8a6c672bfc26c1ca4b4eac5a6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Dec 2024 09:14:29 +0000 Subject: [PATCH 411/713] frigate: Temporary kludge to fix startup errors --- roles/frigate/handlers/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/frigate/handlers/main.yml b/roles/frigate/handlers/main.yml index 57e67ec..0eac148 100644 --- a/roles/frigate/handlers/main.yml 
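Review bot: With `protocol websockets` replaced by `protocol mqtt` on listener 8883, the comment two lines above it, `# listen to mqtt over websockets`, now describes the wrong thing and the broker has no websockets listener left; update it to `# listen to mqtt over tls`, since the certfile/keyfile/cafile lines that follow are what distinguishes this listener from 1883.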
+++ b/roles/frigate/handlers/main.yml @@ -1,5 +1,11 @@ --- - name: Restart frigate + ansible.builtin.file: + path: /srv/frigate/media/clips/preview_restart_cache + state: absent + notify: Restart frigate service + +- name: Restart frigate service ansible.builtin.systemd_service: name: frigate-container state: restarted From aa4b46465c1d93cc598486ab5b7753ccd672216b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Dec 2024 09:47:01 +0000 Subject: [PATCH 412/713] mosquitto: Configure TLS listener authorization --- roles/mosquitto/tasks/main.yml | 11 ++++++++++- roles/mosquitto/templates/mosquitto.conf.j2 | 15 ++++++++++----- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/roles/mosquitto/tasks/main.yml b/roles/mosquitto/tasks/main.yml index 2d09f14..6343432 100644 --- a/roles/mosquitto/tasks/main.yml +++ b/roles/mosquitto/tasks/main.yml @@ -35,7 +35,7 @@ group: _mosquitto notify: Restart mosquitto -- name: Copy acl file +- name: Copy acl file for plaintext server ansible.builtin.copy: dest: /etc/mosquitto/acl.conf src: "{{ ansible_private }}/files/mosquitto/acl.conf" @@ -44,6 +44,15 @@ group: _mosquitto notify: Restart mosquitto +- name: Copy acl file for tls server + ansible.builtin.copy: + dest: /etc/mosquitto/acl-tls.conf + src: "{{ ansible_private }}/files/mosquitto/acl-tls.conf" + mode: "0400" + owner: _mosquitto + group: _mosquitto + notify: Restart mosquitto + - name: Copy passwd file ansible.builtin.copy: dest: /etc/mosquitto/passwd diff --git a/roles/mosquitto/templates/mosquitto.conf.j2 b/roles/mosquitto/templates/mosquitto.conf.j2 index e228124..ffad7dd 100644 --- a/roles/mosquitto/templates/mosquitto.conf.j2 +++ b/roles/mosquitto/templates/mosquitto.conf.j2 
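Review bot: The 'Restart frigate' handler now deletes `/srv/frigate/media/clips/preview_restart_cache` and relies on `notify` from inside a handler to reach the actual restart, with no comment explaining why the cache must go; since the commit calls this a temporary kludge, a marker would keep it from becoming permanent, e.g. `# TODO(kludge): frigate fails to start with a stale preview_restart_cache; remove once fixed upstream`. Handler-to-handler notification also depends, as far as I recall, on the notified handler being defined later so it still runs in the same flush; `listen:` on the cache-clearing task avoids that ordering dependency.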
@@ -1,18 +1,23 @@ -# authentication -acl_file /etc/mosquitto/acl.conf -password_file /etc/mosquitto/passwd -allow_anonymous false +# use different settings for plaintext and tls listeners +per_listener_settings true # listen to mqtt listener 1883 protocol mqtt +acl_file /etc/mosquitto/acl.conf +password_file /etc/mosquitto/passwd +allow_anonymous false + # listen to mqtt over websockets listener 8883 protocol mqtt -# tls options certfile {{ tls_certs }}/{{ inventory_hostname }}.crt keyfile {{ tls_private }}/{{ inventory_hostname }}.key cafile {{ tls_certs }}/ca.crt tls_version tlsv1.3 + +acl_file /etc/mosquitto/acl-tls.conf +require_certificate true +use_identity_as_username true From 990d3ed1764b8e659b0e2aafb14b5d101b99de69 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Dec 2024 09:47:47 +0000 Subject: [PATCH 413/713] frigate: More robust restart --- roles/frigate/handlers/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/frigate/handlers/main.yml b/roles/frigate/handlers/main.yml index 0eac148..9b0555a 100644 --- a/roles/frigate/handlers/main.yml +++ b/roles/frigate/handlers/main.yml @@ -1,11 +1,11 @@ --- -- name: Restart frigate +- name: Clear preview restart cache ansible.builtin.file: path: /srv/frigate/media/clips/preview_restart_cache state: absent - notify: Restart frigate service + listen: Restart frigate -- name: Restart frigate service +- name: Restart frigate ansible.builtin.systemd_service: name: frigate-container state: restarted From 504cb33a9492d7c62c4895e31adbe8b19403b442 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Dec 2024 09:48:15 +0000 Subject: [PATCH 414/713] frigate: Enable MQTT support --- roles/frigate/tasks/main.yml | 10 ++++++++++ roles/frigate/templates/frigate-container.service.j2 | 3 +++ roles/frigate/templates/frigate.yml.j2 | 9 ++++++++- 3 files changed, 21 insertions(+), 1 deletion(-) 
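Review bot: With `per_listener_settings true` each listener carries its own authentication settings, and the 8883 block sets `acl_file`, `require_certificate true` and `use_identity_as_username true` but no `allow_anonymous`, so the `allow_anonymous false` under listener 1883 no longer covers it and the TLS listener relies on the broker's version default; add `allow_anonymous false` to the 8883 block so the policy is stated rather than inherited. With `use_identity_as_username true` the certificate identity becomes the ACL username, so the names in acl-tls.conf have to match exactly what the CA issues; a comment next to that line, e.g. `# certificate CN is the ACL username`, would make the coupling visible.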
diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml index a52e7d2..bc539d7 100644 --- a/roles/frigate/tasks/main.yml +++ b/roles/frigate/tasks/main.yml @@ -33,6 +33,16 @@ group: "{{ ansible_wheel }}" notify: Reload udev rules +- name: Copy host key + ansible.builtin.copy: + dest: "{{ tls_private }}/frigate.key" + src: "{{ tls_private }}/{{ inventory_hostname }}.key" + mode: "0640" + owner: root + group: frigate + remote_src: true + notify: Restart frigate + - name: Create config ansible.builtin.template: dest: /etc/frigate.yml diff --git a/roles/frigate/templates/frigate-container.service.j2 b/roles/frigate/templates/frigate-container.service.j2 index 3d5a507..8766bb6 100644 --- a/roles/frigate/templates/frigate-container.service.j2 +++ b/roles/frigate/templates/frigate-container.service.j2 @@ -9,6 +9,9 @@ EnvironmentFile=/etc/sysconfig/frigate-container ExecStart=/usr/bin/podman run \ --rm -p 127.0.0.1:8007:5000 \ --name frigate \ + --volume {{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \ + --volume {{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \ + --volume {{ tls_private }}/frigate.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \ --volume /srv/frigate/config:/config:rw \ --volume /etc/frigate.yml:/config/config.yml:ro \ --volume /srv/frigate/media:/media/frigate:rw \ diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2 index 7f98235..b1045d6 100644 --- a/roles/frigate/templates/frigate.yml.j2 +++ b/roles/frigate/templates/frigate.yml.j2 @@ -1,6 +1,13 @@ --- mqtt: - enabled: false + enabled: true + host: mqtt02.home.foo.sh + port: 8883 + topic_prefix: frigate/{{ inventory_hostname }} + client_id: {{ inventory_hostname }} + tls_ca_certs: /etc/ssl/certs/ca.crt + tls_client_cert: /etc/ssl/certs/{{ inventory_hostname }}.crt + tls_client_key: /etc/ssl/private/{{ inventory_hostname }}.key detectors: coral: 
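Review bot: 'Copy host key' duplicates the host's TLS private key `{{ tls_private }}/{{ inventory_hostname }}.key` as `frigate.key` readable by group `frigate`, and the service template then mounts it into the third-party frigate container, so the container now holds the same identity the host itself uses for TLS; a compromise of the container image or process yields the host key, not just an MQTT client credential. Issuing frigate its own client certificate would confine the blast radius, since as configured in the mosquitto role the TLS listener only needs a CA-signed certificate whose identity appears in the ACL; if sharing the host key is deliberate, a comment on the task should say so. The copy is root-owned with `mode: "0640"`, so membership of group `frigate` is the whole access control here.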
From 649cf7b22d3887675256cb778f9675c2bbbec3ed Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Dec 2024 09:59:36 +0000 Subject: [PATCH 415/713] telegraf: Allow telegraf to read hostkey --- roles/telegraf/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/telegraf/tasks/main.yml b/roles/telegraf/tasks/main.yml index 98fed37..8cd7022 100644 --- a/roles/telegraf/tasks/main.yml +++ b/roles/telegraf/tasks/main.yml @@ -1,4 +1,8 @@ --- +- name: Add telegraf to hostkey group + ansible.builtin.user: + name: _telegraf + groups: hostkey - name: Install packages ansible.builtin.package: From 84daad7b79d2be016150ee17bf237830269043e1 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Dec 2024 10:10:48 +0000 Subject: [PATCH 416/713] mosquitto: Move acl files to repo --- roles/mosquitto/files/acl-tls.conf | 4 ++++ roles/mosquitto/files/acl.conf | 4 ++++ roles/mosquitto/tasks/main.yml | 4 ++-- 3 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 roles/mosquitto/files/acl-tls.conf create mode 100644 roles/mosquitto/files/acl.conf diff --git a/roles/mosquitto/files/acl-tls.conf b/roles/mosquitto/files/acl-tls.conf new file mode 100644 index 0000000..b41e9b2 --- /dev/null +++ b/roles/mosquitto/files/acl-tls.conf @@ -0,0 +1,4 @@ +pattern read # + +user frigate*.home.foo.sh +pattern readwrite frigate/%u/# diff --git a/roles/mosquitto/files/acl.conf b/roles/mosquitto/files/acl.conf new file mode 100644 index 0000000..5bb8e0a --- /dev/null +++ b/roles/mosquitto/files/acl.conf @@ -0,0 +1,4 @@ +topic deny # + +user shellyplug-s-* +pattern write shellies/%u/# diff --git a/roles/mosquitto/tasks/main.yml b/roles/mosquitto/tasks/main.yml index 6343432..a4bbc4f 100644 --- a/roles/mosquitto/tasks/main.yml +++ b/roles/mosquitto/tasks/main.yml 
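Review bot: 'Add telegraf to hostkey group' uses `groups: hostkey` without `append: true`, so `ansible.builtin.user` replaces the `_telegraf` account's supplementary groups with exactly `hostkey`, dropping any group the package or other roles gave it; add `append: true`. The task also runs before 'Install packages', so on a fresh host the module creates `_telegraf` itself, as an ordinary user with a home directory and a uid from the normal range, before the telegraf package can create its system account; moving it after the install task avoids that. Membership in `hostkey` widens who can read the host's TLS private key, so a comment naming the telegraf feature that needs it would document the reason.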
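Review bot: In acl-tls.conf the line `user frigate*.home.foo.sh` has no `topic` lines under it and, as far as I know, mosquitto matches `user` names exactly, so the wildcard does nothing; the `pattern readwrite frigate/%u/#` below is a pattern rule and applies to every certificate-authenticated client regardless of that line, as does `pattern read #`, which lets any client with a CA-signed certificate read every topic. The same holds for `user shellyplug-s-*` and `pattern write shellies/%u/#` in acl.conf: every password-authenticated user can write under shellies/<own username>/. If that is the intended policy a comment saying so would help, e.g. `# pattern rules apply to all clients; %u is the authenticated username`; if the `user` lines were meant to scope the rules, they need explicit `topic` lines with exact usernames.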
@@ -38,7 +38,7 @@ - name: Copy acl file for plaintext server ansible.builtin.copy: dest: /etc/mosquitto/acl.conf - src: "{{ ansible_private }}/files/mosquitto/acl.conf" + src: acl.conf mode: "0400" owner: _mosquitto group: _mosquitto @@ -47,7 +47,7 @@ - name: Copy acl file for tls server ansible.builtin.copy: dest: /etc/mosquitto/acl-tls.conf - src: "{{ ansible_private }}/files/mosquitto/acl-tls.conf" + src: acl-tls.conf mode: "0400" owner: _mosquitto group: _mosquitto From e9372af0aadfde88d442fe57c800c79bee95a34a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Dec 2024 20:10:30 +0000 Subject: [PATCH 417/713] mosquitto: Allow shelly door/window writes --- roles/mosquitto/files/acl.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/mosquitto/files/acl.conf b/roles/mosquitto/files/acl.conf index 5bb8e0a..aa76e34 100644 --- a/roles/mosquitto/files/acl.conf +++ b/roles/mosquitto/files/acl.conf @@ -2,3 +2,6 @@ topic deny # user shellyplug-s-* pattern write shellies/%u/# + +user shellydw2-* +pattern write shellies/%u/# From a0f7145f9cb41b4cb0934754eaab15b2aac93805 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Dec 2024 22:04:55 +0000 Subject: [PATCH 418/713] Add DNS repo sync to adm hosts --- playbooks/adm.yml | 39 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 5900555..272dbdf 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml @@ -18,7 +18,7 @@ name: /export src: LABEL=/export fstype: xfs - opts: noatime,noexec,nosuid,nodev + opts: noatime,nosuid,nodev passno: "0" dump: "0" state: mounted 
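Review bot: The /export mount on adm hosts loses `noexec` (`opts: noatime,nosuid,nodev`) without the commit saying why; the other hunk of this commit clones the dns repository under /export/dns, which does not need an executable filesystem unless git hooks there are expected to run. If a hook or another executable under /export is the reason, a comment on the opts line should say so; otherwise keep `noexec`, which the other playbooks in this repository apply to their /export volumes.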
@@ -73,3 +73,40 @@ mode: "0600" owner: root group: "{{ ansible_wheel }}" + + - name: Clone dns repo + ansible.builtin.git: + dest: /export/dns + repo: https://adm01.home.foo.sh/dns.git + update: true + version: master + environment: + GIT_SSL_CAINFO: "{{ tls_certs }}/ca.crt" + GIT_SSL_CERT: "{{ tls_certs }}/{{ inventory_hostname }}.crt" + GIT_SSL_KEY: "{{ tls_private }}/{{ inventory_hostname }}.key" + when: 'inventory_hostname != "adm01.home.foo.sh"' + - name: Link dns repo + ansible.builtin.file: + dest: /srv/dns + src: /export/dns + state: link + owner: root + group: "{{ ansible_wheel }}" + follow: false + - name: Add cron job to sync dns repo + ansible.builtin.cron: + name: sync dns repository + job: >- + GIT_SSL_CAINFO="{{ tls_certs }}/ca.crt" + GIT_SSL_CERT="{{ tls_certs }}/{{ inventory_hostname }}.crt" + GIT_SSL_KEY="{{ tls_private }}/{{ inventory_hostname }}.key" + git -C /srv/dns pull -q + minute: "02" + when: 'inventory_hostname != "adm01.home.foo.sh"' + - name: Links dns repo to web + ansible.builtin.file: + dest: "/srv/web/{{ inventory_hostname }}/dns.git" + src: /srv/dns/.git + state: link + owner: root + group: "{{ ansible_wheel }}" From 10f47b45e0a25033a768d526a5f73af2c047727a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 25 Dec 2024 07:50:34 +0000 Subject: [PATCH 419/713] syslogd: Don't run sync for every write in all.log --- roles/syslogd/tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/syslogd/tasks/main.yml b/roles/syslogd/tasks/main.yml index 69170e5..723afd3 100644 --- a/roles/syslogd/tasks/main.yml +++ b/roles/syslogd/tasks/main.yml @@ -16,7 +16,8 @@ - name: Enable all.log ansible.builtin.lineinfile: path: /etc/syslog.conf - line: "*.* /var/log/all.log" + line: "*.* -/var/log/all.log" + regexp: '^\*\.\*\s.*\/var\/log\/all\.log' notify: Restart syslogd - name: Enable all.log rotation From f88606022718b00124ff6e98cdcdd971ad555db5 Mon Sep 17 00:00:00 2001 
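Review bot: 'Link dns repo' and 'Links dns repo to web' have no `when:` while 'Clone dns repo' and the cron task are skipped on adm01.home.foo.sh, so on adm01 the symlinks `/srv/dns -> /export/dns` and `/srv/web/.../dns.git -> /srv/dns/.git` are created pointing at a directory this play never creates there; presumably the repository exists there for another reason, and a comment saying so would help. Exposing `/srv/dns/.git` under the web root serves the repository history to whoever can reach that vhost; the clone uses a client certificate (`GIT_SSL_CERT`), which suggests the vhost requires one, but that requirement lives outside this hunk and is worth confirming. The task name `Links dns repo to web` should read `Link dns repo to web` to match the others.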
From: Timo Makinen Date: Wed, 25 Dec 2024 08:09:35 +0000 Subject: [PATCH 420/713] base: Add hdparm to physical hosts --- roles/base/tasks/RedHat.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml index a8b8ac4..81ef9e9 100644 --- a/roles/base/tasks/RedHat.yml +++ b/roles/base/tasks/RedHat.yml @@ -98,6 +98,7 @@ name: "{{ item }}" state: installed with_items: + - hdparm - pciutils - powertop when: From a855e1fcaa9684b26757bf06d5ae1fd5a3905034 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 25 Dec 2024 08:32:26 +0000 Subject: [PATCH 421/713] Harmonize disk mount options --- playbooks/backup.yml | 2 +- playbooks/log.yml | 2 +- playbooks/minecraft.yml | 2 +- playbooks/nas.yml | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/playbooks/backup.yml b/playbooks/backup.yml index cf58b10..c677db0 100644 --- a/playbooks/backup.yml +++ b/playbooks/backup.yml @@ -15,7 +15,7 @@ name: /export src: /dev/sd1a fstype: ffs - opts: rw,softdep,noatime + opts: rw,softdep,noatime,noexec,nosuid,nodev passno: "1" dump: "2" state: mounted diff --git a/playbooks/log.yml b/playbooks/log.yml index 2c7fcf4..c63276a 100644 --- a/playbooks/log.yml +++ b/playbooks/log.yml @@ -15,7 +15,7 @@ name: /export src: /dev/sd1a fstype: ffs - opts: rw,softdep,noatime + opts: rw,softdep,noatime,noexec,nosuid,nodev passno: "1" dump: "2" state: mounted diff --git a/playbooks/minecraft.yml b/playbooks/minecraft.yml index 9a88509..48b237c 100644 --- a/playbooks/minecraft.yml +++ b/playbooks/minecraft.yml @@ -15,7 +15,7 @@ name: /export src: LABEL=/export fstype: xfs - opts: noatime + opts: noatime,noexec,nosuid,nodev passno: "0" dump: "0" state: mounted diff --git a/playbooks/nas.yml b/playbooks/nas.yml index cb65fe3..22c11f2 100644 --- a/playbooks/nas.yml +++ b/playbooks/nas.yml @@ -18,7 +18,7 @@ name: /export/home src: LABEL=home fstype: xfs - opts: noatime + opts: noatime,nodev passno: "0" dump: "0" state: mounted 
@@ -27,7 +27,7 @@ name: /export/roles src: LABEL=roles fstype: xfs - opts: noatime + opts: noatime,nodev passno: "0" dump: "0" state: mounted From 22ef6bbc0af8d466e412862c064d382591054625 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 26 Dec 2024 13:35:34 +0000 Subject: [PATCH 422/713] nodered: Initial version of role --- roles/nodered/defaults/main.yml | 2 + roles/nodered/handlers/main.yml | 6 ++ roles/nodered/meta/main.yml | 4 + roles/nodered/tasks/main.yml | 79 +++++++++++++++++++ .../templates/nodered-container.service.j2 | 18 +++++ 5 files changed, 109 insertions(+) create mode 100644 roles/nodered/defaults/main.yml create mode 100644 roles/nodered/handlers/main.yml create mode 100644 roles/nodered/meta/main.yml create mode 100644 roles/nodered/tasks/main.yml create mode 100644 roles/nodered/templates/nodered-container.service.j2 diff --git a/roles/nodered/defaults/main.yml b/roles/nodered/defaults/main.yml new file mode 100644 index 0000000..bf68f6d --- /dev/null +++ b/roles/nodered/defaults/main.yml @@ -0,0 +1,2 @@ +--- +nodered_version: latest diff --git a/roles/nodered/handlers/main.yml b/roles/nodered/handlers/main.yml new file mode 100644 index 0000000..073db56 --- /dev/null +++ b/roles/nodered/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart nodered + ansible.builtin.systemd_service: + name: nodered-container + state: restarted + daemon_reload: true diff --git a/roles/nodered/meta/main.yml b/roles/nodered/meta/main.yml new file mode 100644 index 0000000..305b1b2 --- /dev/null +++ b/roles/nodered/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - {role: nginx} + - {role: podman} diff --git a/roles/nodered/tasks/main.yml b/roles/nodered/tasks/main.yml new file mode 100644 index 0000000..77ee8f0 --- /dev/null +++ b/roles/nodered/tasks/main.yml 
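Review bot: The /export/roles mount here and the /export/home mount in the previous hunk get only `noatime,nodev`, while the same commit gives the other hosts' /export volumes `noexec,nosuid,nodev`; keeping home and role directories executable is understandable, but `nosuid` costs nothing on user-writable data volumes and blocks a classic escalation path. Add `nosuid` to both, or a comment on the opts line stating why it is left out.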
@@ -0,0 +1,79 @@ +--- +- name: Create group + ansible.builtin.group: + name: nodered + +- name: Create user + ansible.builtin.user: + name: nodered + comment: Podman NodeRed + group: nodered + shell: /sbin/nologin + +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - nodered + creates: /var/lib/systemd/linger/nodered + +- name: Fix SELinux contexts from config directory + community.general.sefcontext: + path: /export/nodered(/.*)? + setype: container_file_t + when: ansible_selinux_python_present + +- name: Get subgid number + ansible.builtin.command: + argv: + - awk + - "-F:" + - '{ if ($1 == "nodered") print $2 + 999 }' + - /etc/subgid + register: subgid + +- name: Create config directory + ansible.builtin.file: + path: /export/nodered + state: directory + mode: "0770" + owner: root + group: "{{ subgid.stdout }}" + setype: _default + +- name: Link config directory + ansible.builtin.file: + dest: /srv/nodered + src: /export/nodered + state: link + owner: root + group: "{{ ansible_wheel }}" + follow: false + +- name: Create service file + ansible.builtin.template: + dest: /etc/systemd/system/nodered-container.service + src: nodered-container.service.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart nodered + +- name: Enable service + ansible.builtin.service: + name: nodered-container + state: started + enabled: true + +- name: Copy nginx config + ansible.builtin.copy: + dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/nodered.conf" + content: | + location /nodered/ { + proxy_pass http://127.0.0.1:8012; + } + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart nginx diff --git a/roles/nodered/templates/nodered-container.service.j2 b/roles/nodered/templates/nodered-container.service.j2 new file mode 100644 index 0000000..fa188a7 --- /dev/null +++ b/roles/nodered/templates/nodered-container.service.j2 
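Review bot: 'Get subgid number' feeds `subgid.stdout` straight into `group:` of 'Create config directory'; if the nodered user has no /etc/subgid entry the awk prints nothing and the file task fails on an empty group name with an unrelated error, so add `failed_when: subgid.stdout == ""` to the command (and `changed_when: false`, since it only reads). The arithmetic `$2 + 999` assumes the container process runs as uid/gid 1000 inside the user namespace; a comment stating that, e.g. `# host gid for container gid 1000 (subgid start + 999)`, saves the next reader a lookup. Nothing in this role configures authentication for the Node-RED editor, and the nginx location proxies it at /nodered/; unless the nginx role gates that location, the flow editor, which can execute arbitrary code inside the container, is reachable by anyone who can reach the vhost.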
@@ -0,0 +1,18 @@ +[Unit] +Description=NodeRed Container +Wants=network-online.target +After=network-online.target + +[Service] +User=nodered +ExecStart=/usr/bin/podman run \ + --rm -p 127.0.0.1:8012:1880 \ + --name nodered \ + --env TZ=Europe/Helsinki \ + --volume /srv/nodered:/data:rw \ + docker.io/nodered/node-red:{{ nodered_version }} +ExecStop=/usr/bin/podman stop --ignore nodered +ExecStopPost=/usr/bin/podman rm -f --ignore nodered + +[Install] +WantedBy=multi-user.target From 2153bd8452b019eb25d5f33228dd88b8129ddc83 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 26 Dec 2024 14:19:46 +0000 Subject: [PATCH 423/713] nodered: Fix nginx proxy config --- roles/nodered/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nodered/tasks/main.yml b/roles/nodered/tasks/main.yml index 77ee8f0..f256833 100644 --- a/roles/nodered/tasks/main.yml +++ b/roles/nodered/tasks/main.yml @@ -68,10 +68,10 @@ - name: Copy nginx config ansible.builtin.copy: - dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/nodered.conf" + dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/00-nodered.conf" content: | location /nodered/ { - proxy_pass http://127.0.0.1:8012; + proxy_pass http://127.0.0.1:8012/; } mode: "0644" owner: root From fd0e1bc0289797bea0af5269aa0295b719222e12 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 26 Dec 2024 14:20:04 +0000 Subject: [PATCH 424/713] Reserve port for nodered container --- container-ports.md | 1 + 1 file changed, 1 insertion(+) diff --git a/container-ports.md b/container-ports.md index 30b7205..25fcc97 100644 --- a/container-ports.md +++ b/container-ports.md @@ -13,3 +13,4 @@ | 8009 | rocketchat | Rocket.Chat | | 8010 | google-spell-pspell | Google Spell Check XML API | | 8011 | ipsilon | Ipsilon Identity Provider | +| 8012 | nodered | Node Red | From ad5cf29b12b821d4d4b443342535fbb56383f169 Mon Sep 17 00:00:00 2001 
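Review bot: the unit runs rootless podman from a system unit with `User=nodered` but sets no `XDG_RUNTIME_DIR`; podman in that mode normally needs it to locate its runtime directory, and the `loginctl enable-linger` task in tasks/main.yml looks like it exists to keep /run/user/<uid> alive for exactly this — if the combination works on these hosts, a comment in the unit saying so would save the next reader the puzzle (hedged: I can't verify from the template alone). The service also has no `Restart=` policy, so a crashed container stays down until the next playbook run; `Restart=on-failure` plus a `TimeoutStopSec=` slightly above podman's stop timeout is the usual pairing. `--volume /srv/nodered:/data:rw` goes through the symlink created in tasks/main.yml; mounting /export/nodered directly would drop that ordering dependency.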
From: Timo Makinen Date: Thu, 26 Dec 2024 14:20:22 +0000 Subject: [PATCH 425/713] nodered: Don't report changes when finding subgid --- roles/nodered/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/nodered/tasks/main.yml b/roles/nodered/tasks/main.yml index f256833..011e6f3 100644 --- a/roles/nodered/tasks/main.yml +++ b/roles/nodered/tasks/main.yml @@ -31,6 +31,7 @@ - "-F:" - '{ if ($1 == "nodered") print $2 + 999 }' - /etc/subgid + changed_when: false register: subgid - name: Create config directory From a8841252d1b9ec01127c0cc8124ab54e37e74d9b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 26 Dec 2024 14:55:17 +0000 Subject: [PATCH 426/713] Revert "syslogd: Don't run sync for every write in all.log" This reverts commit 10f47b45e0a25033a768d526a5f73af2c047727a. --- roles/syslogd/tasks/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/syslogd/tasks/main.yml b/roles/syslogd/tasks/main.yml index 723afd3..69170e5 100644 --- a/roles/syslogd/tasks/main.yml +++ b/roles/syslogd/tasks/main.yml @@ -16,8 +16,7 @@ - name: Enable all.log ansible.builtin.lineinfile: path: /etc/syslog.conf - line: "*.* -/var/log/all.log" - regexp: '^\*\.\*\s.*\/var\/log\/all\.log' + line: "*.* /var/log/all.log" notify: Restart syslogd - name: Enable all.log rotation From 7ee2572e04b3834e26429eae2cd43047d8454ee8 Mon Sep 17 00:00:00 2001 
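Review bot: `line: "*.* /var/log/all.log"` without a `regexp:` makes lineinfile append rather than replace: on hosts that already carry the `*.* -/var/log/all.log` line from the reverted commit, both lines end up in syslog.conf and every message is logged twice. Keep the regexp while reverting the line, e.g. `regexp: '^\*\.\*\s.*\/var\/log\/all\.log'` under the new `line:`, so the task stays idempotent across the transition. The `Enable all.log` task's `notify:` is visible but the surrounding tasks are outside the hunk.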
From: Timo Makinen
Date: Fri, 27 Dec 2024 15:10:40 +0000
Subject: [PATCH 427/713] mosquitto: Refactor mqtt infra

---
roles/mosquitto/files/mosquitto_tls.ksh | 10 +++
roles/mosquitto/handlers/main.yml | 5 ++
roles/mosquitto/tasks/main.yml | 78 +++++++++++++++----
.../acl-tls.conf.j2} | 3 +
.../mosquitto/templates/mosquitto-tls.conf.j2 | 11 +++
roles/mosquitto/templates/mosquitto.conf.j2 | 23 ++----
6 files changed, 99 insertions(+), 31 deletions(-)
create mode 100644 roles/mosquitto/files/mosquitto_tls.ksh
rename roles/mosquitto/{files/acl-tls.conf => templates/acl-tls.conf.j2} (59%)
create mode 100644 roles/mosquitto/templates/mosquitto-tls.conf.j2

diff --git a/roles/mosquitto/files/mosquitto_tls.ksh b/roles/mosquitto/files/mosquitto_tls.ksh
new file mode 100644
index 0000000..9481c35
--- /dev/null
+++ b/roles/mosquitto/files/mosquitto_tls.ksh
@@ -0,0 +1,10 @@
+#!/bin/ksh
+
+# shellcheck disable=SC2034
+daemon="/usr/local/sbin/mosquitto -d"
+daemon_flags="-c /etc/mosquitto-tls/mosquitto.conf"
+
+# shellcheck source=/dev/null
+. /etc/rc.d/rc.subr
+
+rc_cmd "$1"
diff --git a/roles/mosquitto/handlers/main.yml b/roles/mosquitto/handlers/main.yml
index 7e1bb2c..268abc3 100644
--- a/roles/mosquitto/handlers/main.yml
+++ b/roles/mosquitto/handlers/main.yml
@@ -3,3 +3,8 @@
ansible.builtin.service:
name: mosquitto
state: restarted
+
+- name: Restart mosquitto-tls
+ ansible.builtin.service:
+ name: mosquitto_tls
+ state: restarted
diff --git a/roles/mosquitto/tasks/main.yml b/roles/mosquitto/tasks/main.yml
index a4bbc4f..d405371 100644
--- a/roles/mosquitto/tasks/main.yml
+++ b/roles/mosquitto/tasks/main.yml
@@ -9,15 +9,21 @@ name: _mosquitto groups: hostkey append: true - notify: Restart mosquitto + notify: + - Restart mosquitto + - Restart mosquitto-tls -- name: Create include directory for config +- name: Create config directories ansible.builtin.file: - path: /etc/mosquitto/conf.d + path: "{{ item }}" state: directory mode: "0750" owner: root group: _mosquitto + with_items: + - /etc/mosquitto/conf.d + - /etc/mosquitto-tls + - /etc/mosquitto-tls/conf.d - name: Include extra configs ansible.builtin.lineinfile: @@ -26,7 +32,7 @@ regexp: "^#?include_dir( .*)?$" notify: Restart mosquitto -- name: Create custom config +- name: Create custom config for plaintext server ansible.builtin.template: dest: /etc/mosquitto/conf.d/local.conf src: mosquitto.conf.j2 @@ -44,16 +50,7 @@ group: _mosquitto notify: Restart mosquitto -- name: Copy acl file for tls server - ansible.builtin.copy: - dest: /etc/mosquitto/acl-tls.conf - src: acl-tls.conf - mode: "0400" - owner: _mosquitto - group: _mosquitto - notify: Restart mosquitto - -- name: Copy passwd file +- name: Copy passwd file for plaintext server ansible.builtin.copy: dest: /etc/mosquitto/passwd src: "{{ ansible_private }}/files/mosquitto/passwd" 
@@ -62,8 +59,57 @@ group: _mosquitto notify: Restart mosquitto -- name: Enable service +- name: Create default config for tls server + ansible.builtin.command: + argv: + - sed + - "s|^include_dir .*|include_dir /etc/mosquitto-tls/conf.d|" + - /etc/mosquitto/mosquitto.conf + changed_when: false + register: result + +- name: Write default config for tls server + ansible.builtin.copy: + dest: /etc/mosquitto-tls/mosquitto.conf + content: "{{ result.stdout }}\n" + mode: "0640" + owner: root + group: _mosquitto + remote_src: true + notify: Restart mosquitto-tls + +- name: Create custom config for tls server + ansible.builtin.template: + dest: /etc/mosquitto-tls/conf.d/local.conf + src: mosquitto-tls.conf.j2 + mode: "0640" + owner: root + group: _mosquitto + notify: Restart mosquitto-tls + +- name: Create acl file for tls server + ansible.builtin.template: + dest: /etc/mosquitto-tls/acl.conf + src: acl-tls.conf.j2 + mode: "0400" + owner: _mosquitto + group: _mosquitto + notify: Restart mosquitto-tls + +- name: Create mosquitto-tls control script + ansible.builtin.copy: + dest: /etc/rc.d/mosquitto_tls + src: mosquitto_tls.ksh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart mosquitto-tls + +- name: Enable services ansible.builtin.service: - name: mosquitto + name: "{{ item }}" enabled: true state: started + with_items: + - mosquitto + - mosquitto_tls diff --git a/roles/mosquitto/files/acl-tls.conf b/roles/mosquitto/templates/acl-tls.conf.j2 similarity index 59% rename from roles/mosquitto/files/acl-tls.conf rename to roles/mosquitto/templates/acl-tls.conf.j2 index b41e9b2..b7eed5c 100644 --- a/roles/mosquitto/files/acl-tls.conf +++ b/roles/mosquitto/templates/acl-tls.conf.j2 @@ -1,4 +1,7 @@ pattern read # +user {{ inventory_hostname }} +topic readwrite # + user frigate*.home.foo.sh pattern readwrite frigate/%u/# 
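Review bot: `Create default config for tls server` assumes the sed substitution matched; if the packaged mosquitto.conf has no `include_dir` line (or a differently spelled one), `result.stdout` is written unchanged to /etc/mosquitto-tls/mosquitto.conf and the TLS instance silently starts without the conf.d that carries its listener, certificate and ACL settings. Add `failed_when: "'include_dir /etc/mosquitto-tls/conf.d' not in result.stdout"` to the sed task so the run stops at the cause. In `Write default config for tls server`, `remote_src: true` has no effect when `content:` is used and can be dropped. A more specific register name such as `mosquitto_tls_conf` instead of `result` would also make the two tasks read as a pair.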
diff --git a/roles/mosquitto/templates/mosquitto-tls.conf.j2 b/roles/mosquitto/templates/mosquitto-tls.conf.j2 new file mode 100644 index 0000000..7cf1712 --- /dev/null +++ b/roles/mosquitto/templates/mosquitto-tls.conf.j2 @@ -0,0 +1,11 @@ +listener 8883 +protocol mqtt + +certfile {{ tls_certs }}/{{ inventory_hostname }}.crt +keyfile {{ tls_private }}/{{ inventory_hostname }}.key +cafile {{ tls_certs }}/ca.crt +tls_version tlsv1.3 + +acl_file /etc/mosquitto-tls/acl.conf +require_certificate true +use_identity_as_username true diff --git a/roles/mosquitto/templates/mosquitto.conf.j2 b/roles/mosquitto/templates/mosquitto.conf.j2 index ffad7dd..917467e 100644 --- a/roles/mosquitto/templates/mosquitto.conf.j2 +++ b/roles/mosquitto/templates/mosquitto.conf.j2 @@ -1,7 +1,3 @@ -# use different settings for plaintext and tls listeners -per_listener_settings true - -# listen to mqtt listener 1883 protocol mqtt @@ -9,15 +5,12 @@ acl_file /etc/mosquitto/acl.conf password_file /etc/mosquitto/passwd allow_anonymous false -# listen to mqtt over websockets -listener 8883 -protocol mqtt +connection tls-bridge +address {{ inventory_hostname }}:8883 +bridge_cafile {{ tls_certs }}/ca.crt +bridge_certfile {{ tls_certs }}/{{ inventory_hostname }}.crt +bridge_keyfile {{ tls_private }}/{{ inventory_hostname }}.key -certfile {{ tls_certs }}/{{ inventory_hostname }}.crt -keyfile {{ tls_private }}/{{ inventory_hostname }}.key -cafile {{ tls_certs }}/ca.crt -tls_version tlsv1.3 - -acl_file /etc/mosquitto/acl-tls.conf -require_certificate true -use_identity_as_username true +{% for shelly in shellies %} +topic # out 0 shellies/{{ shelly['name'] }}/ home/{{ shelly['room'] }}/{{ shelly['device'] }}/ +{% endfor %} From eb1478abcb726fe740b32900a7821d297de84b48 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 27 Dec 2024 15:11:43 +0000 Subject: [PATCH 428/713] Inlucde secrets into mqtt playbook --- playbooks/mqtt.yml | 3 +++ 1 file changed, 3 insertions(+) 
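Review bot: mosquitto-tls.conf.j2 never states `allow_anonymous false` for the 8883 listener; with `per_listener_settings true` removed from mosquitto.conf.j2 and the TLS instance reading its own copy of the base config, nothing in the visible templates sets it, so access control rests on the daemon default plus `require_certificate true`. Adding `allow_anonymous false` next to `require_certificate true` makes the intent explicit and survives a future default change; `bridge_tls_version tlsv1.3` in the bridge block would likewise match the listener's `tls_version tlsv1.3` pin. On the bridge side, `topic # out 0 shellies/.../ home/.../` forwards whatever a password-authenticated plaintext client can publish under `shellies/<name>/` into the TLS broker's `home/` tree; whether that is bounded depends on /etc/mosquitto/acl.conf, which is outside this change, so a comment above the loop noting that the plaintext ACL is the boundary would help the next reader.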
diff --git a/playbooks/mqtt.yml b/playbooks/mqtt.yml index 5b29de0..d67c977 100644 --- a/playbooks/mqtt.yml +++ b/playbooks/mqtt.yml @@ -9,6 +9,9 @@ user: root gather_facts: true + vars_files: + - "{{ ansible_private }}/vars.yml" + roles: - base - mosquitto From 47157118e7870e0c42ad945006109deb1d50c61b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 27 Dec 2024 15:12:48 +0000 Subject: [PATCH 429/713] telegraf: Move config into repository --- roles/telegraf/tasks/main.yml | 6 ++-- roles/telegraf/templates/telegraf.conf.j2 | 36 +++++++++++++++++++++++ 2 files changed, 39 insertions(+), 3 deletions(-) create mode 100644 roles/telegraf/templates/telegraf.conf.j2 diff --git a/roles/telegraf/tasks/main.yml b/roles/telegraf/tasks/main.yml index 8cd7022..d1ab303 100644 --- a/roles/telegraf/tasks/main.yml +++ b/roles/telegraf/tasks/main.yml @@ -9,10 +9,10 @@ name: telegraf state: installed -- name: Copy config - ansible.builtin.copy: +- name: Create config + ansible.builtin.template: dest: /etc/telegraf/telegraf.conf - src: "{{ ansible_private }}/files/telegraf/telegraf.conf" + src: telegraf.conf.j2 mode: "0640" owner: root group: _telegraf diff --git a/roles/telegraf/templates/telegraf.conf.j2 b/roles/telegraf/templates/telegraf.conf.j2 new file mode 100644 index 0000000..2f1056e --- /dev/null +++ b/roles/telegraf/templates/telegraf.conf.j2 
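Review bot: `Create config` now renders `influxdb_token` through the template module, and a run with `--diff` (or high verbosity) prints the rendered file, token included, into the console and any CI log. Add `diff: false` to the task (or `no_log: true` if the task result must stay quiet as well) so the secret never leaves the target. The task's trailing lines (`notify:` and whatever follows `group: _telegraf`) are outside the hunk.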
@@ -0,0 +1,36 @@ +[[outputs.influxdb_v2]] + urls = ["https://influxdb.foo.sh:443"] + token = "{{ influxdb_token }}" + organization = "foo.sh" + bucket = "sensordata" + +[[inputs.mqtt_consumer]] + servers = ["ssl://{{ inventory_hostname }}:8883"] + tls_ca = "{{ tls_certs }}/ca.crt" + tls_cert = "{{ tls_certs }}/{{ inventory_hostname }}.crt" + tls_key = "{{ tls_private }}/{{ inventory_hostname }}.key" + topics = [ + "+/+/+/relay/0/power", + "+/+/+/temperature", + "+/+/+/sensor/battery", + "+/+/+/sensor/lux", + "+/+/+/sensor/state", + "+/+/+/sensor/temperature", + ] + data_type = "float" + data_format = "value" + + [[inputs.mqtt_consumer.topic_parsing]] + topic = "+/+/+/relay/0/power" + tags = "location/room/device/_/_/_" + measurement = "_/_/_/_/_/measurement" + + [[inputs.mqtt_consumer.topic_parsing]] + topic = "+/+/+/temperature" + tags = "location/room/device/_" + measurement = "_/_/_/temperature" + + [[inputs.mqtt_consumer.topic_parsing]] + topic = "+/+/+/sensor/+" + tags = "location/room/device/_/_" + measurement = "_/_/_/_/measurement" From 68965cd57ff5620ba827bb0aad734e32b7d54e96 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 27 Dec 2024 15:13:20 +0000 Subject: [PATCH 430/713] Add nodered to homeassistant hosts --- playbooks/homeassistant.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/homeassistant.yml b/playbooks/homeassistant.yml index 965d818..cbe61cc 100644 --- a/playbooks/homeassistant.yml +++ b/playbooks/homeassistant.yml @@ -24,3 +24,4 @@ - base - ldap - homeassistant + - nodered From e3d702ecafbb9e71ffde844760aa9d98c924ed94 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 29 Dec 2024 17:22:46 +0000 Subject: [PATCH 431/713] Update homeassistant --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index a627b9a..0cf86c4 100644 --- a/hosts.yml +++ b/hosts.yml 
@@ -36,7 +36,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.11" + homeassistant_version: "2024.12" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git From 85c882043c98412d1ab2b0aa118e2e4ba467bbcc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 29 Dec 2024 17:42:29 +0000 Subject: [PATCH 432/713] ipsilon: Finish up openidc config --- roles/ipsilon/tasks/main.yml | 45 +++++++++++++++++++ .../templates/ipsilon-container.service.j2 | 1 + 2 files changed, 46 insertions(+) diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml index b02b9df..86414ee 100644 --- a/roles/ipsilon/tasks/main.yml +++ b/roles/ipsilon/tasks/main.yml @@ -36,6 +36,51 @@ group: ipsilon notify: Restart ipsilon-container +- name: Fix SELinux contexts from config directory + community.general.sefcontext: + path: /etc/ipsilon(/.*)? + setype: container_file_t + when: ansible_selinux_python_present + +- name: Get subuid number + ansible.builtin.command: + argv: + - awk + - "-F:" + - '{ if ($1 == "ipsilon") print $2 + 899 }' + - /etc/subuid + changed_when: false + register: subuid + +- name: Get subgid number + ansible.builtin.command: + argv: + - awk + - "-F:" + - '{ if ($1 == "ipsilon") print $2 + 899 }' + - /etc/subgid + changed_when: false + register: subgid + +- name: Create config directory + ansible.builtin.file: + path: /etc/ipsilon + state: directory + mode: "0750" + owner: root + group: ipsilon + setype: _default + +- name: Copy OIDC static config + ansible.builtin.copy: + dest: /etc/ipsilon/openidc-static.conf + src: "{{ ansible_private }}/files/ipsilon/openidc-static.conf" + mode: "0600" + owner: "{{ subuid.stdout }}" + group: "{{ subgid.stdout }}" + setype: _default + notify: Restart ipsilon-container + - name: Get container source ansible.builtin.git: dest: /usr/local/src/docker-ipsilon 
diff --git a/roles/ipsilon/templates/ipsilon-container.service.j2 b/roles/ipsilon/templates/ipsilon-container.service.j2 index 74bc2b0..d3fe6bf 100644 --- a/roles/ipsilon/templates/ipsilon-container.service.j2 +++ b/roles/ipsilon/templates/ipsilon-container.service.j2 @@ -14,6 +14,7 @@ ExecStart=/usr/bin/podman run \ --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \ --volume={{ tls_private }}/ipsilon.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \ --volume={{ tls_private }}/openidc.key:/etc/ipsilon/openidc.key:ro \ + --volume=/etc/ipsilon/openidc-static.conf:/etc/ipsilon/root/openidc-static.conf:rw \ ipsilon:latest ExecStop=/usr/bin/podman stop --ignore ipsilon ExecStopPost=/usr/bin/podman rm -f --ignore ipsilon From ba98d5223bf297221dd5e0c3c4f7e51b32e73960 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 29 Dec 2024 18:48:12 +0000 Subject: [PATCH 433/713] ipsilon: Convert oidc config to template --- roles/ipsilon/tasks/main.yml | 6 ++--- .../ipsilon/templates/openidc-static.conf.j2 | 26 +++++++++++++++++++ 2 files changed, 29 insertions(+), 3 deletions(-) create mode 100644 roles/ipsilon/templates/openidc-static.conf.j2 diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml index 86414ee..c82bcd1 100644 --- a/roles/ipsilon/tasks/main.yml +++ b/roles/ipsilon/tasks/main.yml @@ -71,10 +71,10 @@ group: ipsilon setype: _default -- name: Copy OIDC static config - ansible.builtin.copy: +- name: Create OIDC static config + ansible.builtin.template: dest: /etc/ipsilon/openidc-static.conf - src: "{{ ansible_private }}/files/ipsilon/openidc-static.conf" + src: openidc-static.conf.j2 mode: "0600" owner: "{{ subuid.stdout }}" group: "{{ subgid.stdout }}" diff --git a/roles/ipsilon/templates/openidc-static.conf.j2 b/roles/ipsilon/templates/openidc-static.conf.j2 new file mode 100644 index 0000000..a200a3a --- /dev/null +++ b/roles/ipsilon/templates/openidc-static.conf.j2 
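Review bot: `--volume=/etc/ipsilon/openidc-static.conf:/etc/ipsilon/root/openidc-static.conf:rw` mounts the file that carries every client secret writable into the container, while the neighbouring key and certificate mounts are `:ro`. Unless Ipsilon rewrites its static client configuration at runtime (I don't believe it does, but confirm), make it `:ro` so a compromised container process cannot alter client registrations. If `:rw` is genuinely required, a short comment on that line saying why would stop the next reviewer from flipping it.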
@@ -0,0 +1,26 @@ +[client] +{% for client in openidc_clients %} +{{ client["name"] }} application_type="web" +{{ client["name"] }} client_id=null +{{ client["name"] }} client_id_issued_at=0 +{{ client["name"] }} client_name="{{ client["name"] }}" +{{ client["name"] }} client_secret="{{ client["client_secret"] }}" +{{ client["name"] }} client_secret_expires_at=0 +{{ client["name"] }} client_uri="{{ client["client_uri"] }}" +{{ client["name"] }} contacts=["adm@foo.sh"] +{{ client["name"] }} grant_types=["authorization_code"] +{{ client["name"] }} id_token_signed_response_alg="RS256" +{{ client["name"] }} ipsilon_internal={"type": "static", "client_id": "{{ client["name"] }}", "trusted": true} +{{ client["name"] }} jwks=null +{{ client["name"] }} jwks_uri=null +{{ client["name"] }} logo_uri=null +{{ client["name"] }} policy_uri=null +{{ client["name"] }} redirect_uris=["{{ client["redirect_uri"] }}"] +{{ client["name"] }} request_uris=[] +{{ client["name"] }} require_auth_time=null +{{ client["name"] }} response_types=["code"] +{{ client["name"] }} subject_type="pairwise" +{{ client["name"] }} sector_identifier_uri=null +{{ client["name"] }} token_endpoint_auth_method="client_secret_post" +{{ client["name"] }} tos_uri=null +{% endfor %} From 868041257d350372bf586c700843aec857dbc052 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 3 Jan 2025 17:13:30 +0000 Subject: [PATCH 434/713] Move DKIM key selector to host inventory --- hosts.yml | 2 ++ playbooks/mail.yml | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/hosts.yml b/hosts.yml index 0cf86c4..4d4c106 100644 --- a/hosts.yml +++ b/hosts.yml @@ -54,6 +54,8 @@ log: mail: hosts: mail02.home.foo.sh: + vars: + opendkim_selector: 20240601 minecraft: hosts: minecraft01.home.foo.sh: diff --git a/playbooks/mail.yml b/playbooks/mail.yml index 1b86873..c3c8041 100644 --- a/playbooks/mail.yml +++ b/playbooks/mail.yml 
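Review bot: values are spliced into quoted JSON-style fields by hand (`client_name="{{ client["name"] }}"`, `client_secret="{{ client["client_secret"] }}"`, `redirect_uris=["{{ client["redirect_uri"] }}"]`), so a `"` or backslash in a secret or URI breaks the line or, worse, the quoting around it. Let Jinja do the escaping: `client_secret={{ client["client_secret"] | to_json }}`, `redirect_uris={{ [client["redirect_uri"]] | to_json }}`, and the same for the other string fields including the `"client_id"` inside `ipsilon_internal`. `"trusted": true` presumably skips the user-consent prompt for these clients; a comment above the loop stating that they are first-party applications would document that decision. The `Create OIDC static config` task renders this file with secrets, so `diff: false` on it keeps them out of `--diff` output.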
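Review bot: `opendkim_selector: 20240601` is an unquoted all-digit scalar, so YAML hands Ansible an integer rather than a string; it renders the same today, but a selector with a leading zero or a suffix like `20250101-b` would be retyped or rejected. Quote it, `opendkim_selector: "20240601"`, and the rotated value in the following commit likewise.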
@@ -38,8 +38,7 @@ nginx_site_name: "{{ mail_server }}" nginx_site_redirect: https://webmail.foo.sh/ - grossd - - role: opendkim - opendkim_selector: 20240601 + - opendkim - spamassassin - spamassassin_clamav - spamassassin_ixhash From 9d5d05e713422a2d1d4c363b8eae35534e362b4c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 3 Jan 2025 17:16:50 +0000 Subject: [PATCH 435/713] Rotate DKIM keys --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 4d4c106..c3e929f 100644 --- a/hosts.yml +++ b/hosts.yml @@ -55,7 +55,7 @@ mail: hosts: mail02.home.foo.sh: vars: - opendkim_selector: 20240601 + opendkim_selector: 20250101 minecraft: hosts: minecraft01.home.foo.sh: From 29e747db4201c34e3b29459a2a7cbeacf6e205fd Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 6 Jan 2025 20:24:29 +0000 Subject: [PATCH 436/713] nsd: Don't listen to localhost interface --- roles/nsd/templates/nsd.conf.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/nsd/templates/nsd.conf.j2 b/roles/nsd/templates/nsd.conf.j2 index 60251c1..9e8afec 100644 --- a/roles/nsd/templates/nsd.conf.j2 +++ b/roles/nsd/templates/nsd.conf.j2 @@ -7,10 +7,10 @@ server: server-count: {{ ansible_processor_count }} verbosity: 2 - interface: ::0@53 - interface: 0.0.0.0@53 - interface: ::0@853 - interface: 0.0.0.0@853 +{% for ip in ansible_all_ipv4_addresses + ansible_all_ipv6_addresses %} + interface: {{ ip }}@53 + interface: {{ ip }}@853 +{% endfor %} tls-service-key: {{ tls_private }}/{{ nsd_server }}.key tls-service-pem: {{ tls_certs }}/{{ nsd_server }}.crt From cc0a16e3ee656e96883a905ec565d6ecf02bf882 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 6 Jan 2025 20:24:59 +0000 Subject: [PATCH 437/713] unbound: Don't listen to localhost on dna-gw hosts --- roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 | 2 -- roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 | 2 -- 2 files changed, 4 deletions(-) 
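Review bot: the loop over `ansible_all_ipv4_addresses + ansible_all_ipv6_addresses` emits `interface:` lines for every address the facts report, which as far as I recall includes link-local `fe80::` entries without their scope; nsd cannot bind those without a `%iface` suffix and may refuse to start, and any VIP the network role adds later is only picked up on the next run. Filter before rendering, e.g. `{% for ip in (ansible_all_ipv4_addresses + ansible_all_ipv6_addresses) | reject('match', '^fe80:') %}`, or drive the list from an explicit `nsd_interfaces` variable. A comment on why localhost is deliberately excluded (presumably so unwind can own 127.0.0.1:53) belongs above the loop either way.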
diff --git a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 index 4fb2134..e3dc5b6 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 @@ -1,7 +1,5 @@ server: - interface: 127.0.0.1 - interface: ::1 interface: 172.20.20.10@53 interface: 172.20.20.10@853 interface: 172.20.21.1@53 diff --git a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 index 22e579c..4607459 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 @@ -1,7 +1,5 @@ server: - interface: 127.0.0.1 - interface: ::1 interface: 172.20.20.10@53 interface: 172.20.20.10@853 interface: 172.20.21.2@53 From e02e45c8a68c80a95b53b20708faa28453914964 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 6 Jan 2025 20:26:24 +0000 Subject: [PATCH 438/713] Only use lb dns server for relay and proxy hosts --- group_vars/proxy.yml | 4 ---- group_vars/relay.yml | 4 ---- 2 files changed, 8 deletions(-) diff --git a/group_vars/proxy.yml b/group_vars/proxy.yml index ec6b4a8..bb5decb 100644 --- a/group_vars/proxy.yml +++ b/group_vars/proxy.yml @@ -6,10 +6,6 @@ dsk_size: 30 network_dns_servers: - 172.20.20.10 - - 172.20.21.7 - - 172.20.21.8 -network_dns_search: - - foo.sh network_default_gateway: 37.16.96.145 network_vip_interfaces: diff --git a/group_vars/relay.yml b/group_vars/relay.yml index f65b541..622e743 100644 --- a/group_vars/relay.yml +++ b/group_vars/relay.yml @@ -1,10 +1,6 @@ --- network_dns_servers: - 172.20.20.10 - - 172.20.21.7 - - 172.20.21.8 -network_dns_search: - - foo.sh network_default_gateway: 37.16.96.145 network_vip_interfaces: From 9696f406cebcb797d89d51fa00f73a439c9e7e3b Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Mon, 6 Jan 2025 20:27:55 +0000 Subject: [PATCH 439/713] unwind: Initial version of role --- roles/unwind/handlers/main.yml | 5 +++++ roles/unwind/tasks/main.yml | 15 +++++++++++++++ roles/unwind/templates/unwind.conf.j2 | 10 ++++++++++ 3 files changed, 30 insertions(+) create mode 100644 roles/unwind/handlers/main.yml create mode 100644 roles/unwind/tasks/main.yml create mode 100644 roles/unwind/templates/unwind.conf.j2 diff --git a/roles/unwind/handlers/main.yml b/roles/unwind/handlers/main.yml new file mode 100644 index 0000000..05d7492 --- /dev/null +++ b/roles/unwind/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart unwind + ansible.builtin.service: + name: unwind + state: restarted diff --git a/roles/unwind/tasks/main.yml b/roles/unwind/tasks/main.yml new file mode 100644 index 0000000..3c2e9a6 --- /dev/null +++ b/roles/unwind/tasks/main.yml @@ -0,0 +1,15 @@ +--- +- name: Copy config + ansible.builtin.template: + dest: /etc/unwind.conf + src: unwind.conf.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart unwind + +- name: Enable service + ansible.builtin.service: + name: unwind + state: started + enabled: true diff --git a/roles/unwind/templates/unwind.conf.j2 b/roles/unwind/templates/unwind.conf.j2 new file mode 100644 index 0000000..2a704ce --- /dev/null +++ b/roles/unwind/templates/unwind.conf.j2 @@ -0,0 +1,10 @@ +{% if network_dns_servers is defined %} +forwarder { +{% for addr in network_dns_servers %} + {{ addr }} port 853 authentication name "{{ lookup('community.general.dig', addr + '/PTR')[:-1] }}" DoT +{% endfor %} +} +preference { DoT } +{% else %} +preference { oDoT-autoconf } +{% endif %} From a1db16b329b7002bc2af33c55409d9c3247496e0 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 6 Jan 2025 20:28:11 +0000 Subject: [PATCH 440/713] base: Configure OpenBSD DNS using unwind --- roles/base/tasks/OpenBSD.yml | 1 + 1 file changed, 1 insertion(+) 
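Review bot: `lookup('community.general.dig', addr + '/PTR')[:-1]` is fragile for a value that serves as the DoT authentication name: when the reverse lookup has no answer the lookup returns the string `NXDOMAIN`, so `[:-1]` renders `authentication name "NXDOMAI"` and every query to that forwarder fails validation; and even when it succeeds, the name that pins the resolver's certificate is taken from an unauthenticated PTR answer on the control node at render time, so an error or tampering there changes what the hosts trust. Carry the names explicitly in inventory (e.g. `network_dns_servers` as a list of `{address, name}` entries) and render `authentication name "{{ item.name }}"` from that; if the lookup must stay, at least fail the play when the result does not look like a hostname. The `validate: "unwind -n -f %s"` added later in this series checks syntax only and would accept the bad name.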
diff --git a/roles/base/tasks/OpenBSD.yml b/roles/base/tasks/OpenBSD.yml index 84c90af..b8ca184 100644 --- a/roles/base/tasks/OpenBSD.yml +++ b/roles/base/tasks/OpenBSD.yml @@ -64,5 +64,6 @@ - opensmtpd - pf - syslogd + - unwind loop_control: loop_var: role From fa7402a8eb6464201bc0520325594fc9bd7c2695 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 6 Jan 2025 20:28:29 +0000 Subject: [PATCH 441/713] network: Don't use static resolv.conf for OpenBSD --- roles/network/tasks/main.yml | 9 --------- roles/network/templates/resolv.conf.j2 | 6 ------ 2 files changed, 15 deletions(-) delete mode 100644 roles/network/templates/resolv.conf.j2 diff --git a/roles/network/tasks/main.yml b/roles/network/tasks/main.yml index e1be7c5..83d8005 100644 --- a/roles/network/tasks/main.yml +++ b/roles/network/tasks/main.yml @@ -1,12 +1,3 @@ --- - name: Include OS spcific tasks ansible.builtin.include_tasks: "{{ ansible_os_family }}.yml" - -- name: Create resolv.conf - ansible.builtin.template: - src: resolv.conf.j2 - dest: /etc/resolv.conf - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - when: network_dns_servers is defined diff --git a/roles/network/templates/resolv.conf.j2 b/roles/network/templates/resolv.conf.j2 deleted file mode 100644 index 0e8f587..0000000 --- a/roles/network/templates/resolv.conf.j2 +++ /dev/null @@ -1,6 +0,0 @@ -{% if network_dns_search is defined %} -search {{ network_dns_search|join(' ') }} -{% endif %} -{% for addr in network_dns_servers %} -nameserver {{ addr }} -{% endfor %} From 9a5cd91532b5382acb314005c1c6932fc59720f1 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 6 Jan 2025 21:02:55 +0000 Subject: [PATCH 442/713] base: Make sure python dnf bindings are installed --- roles/base/tasks/RedHat.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml index 81ef9e9..d0dbbd9 100644 --- a/roles/base/tasks/RedHat.yml +++ b/roles/base/tasks/RedHat.yml 
@@ -3,6 +3,25 @@ ansible.builtin.hostname: name: "{{ inventory_hostname }}" +- name: Check if dnf python bindings are installed + ansible.builtin.command: + argv: + - rpm + - "-q" + - python3-dnf + register: result + failed_when: false + changed_when: false + +- name: Install dnf python bindings + ansible.builtin.command: + argv: + - dnf + - install + - "-y" + - python3-dnf + when: result.rc != 0 + - name: Install OS specific roles for physical hardware ansible.builtin.include_role: name: cpupower From d9c5d73889f2bc983fdcda8c6088cb786d00adf8 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 7 Jan 2025 00:10:33 +0000 Subject: [PATCH 443/713] Update Fedora installer to version 41 --- group_vars/fedora.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/fedora.yml b/group_vars/fedora.yml index f10f398..1f7eeea 100644 --- a/group_vars/fedora.yml +++ b/group_vars/fedora.yml @@ -1,7 +1,7 @@ --- # default resources for new vm dsk_size: 20 -mem_size: 2048 +mem_size: 4096 num_cpus: 2 # extra args for virt-install @@ -18,7 +18,7 @@ ipcmd: >- {% endif %} virt_install_os_args: >- --location - https://nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/releases/39/Everything/x86_64/os/ + https://nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/releases/41/Everything/x86_64/os/ --extra-args "inst.ks={{ ks_file }} console=ttyS0 From fff5b5a43138bb689f86cab1773d8494628d04cf Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 7 Jan 2025 00:11:15 +0000 Subject: [PATCH 444/713] node_exporter: Drop os specific var files --- roles/node_exporter/handlers/main.yml | 7 ++++++- roles/node_exporter/tasks/main.yml | 21 ++++++++++++++------- roles/node_exporter/vars/OpenBSD.yml | 4 ---- roles/node_exporter/vars/RedHat.yml | 4 ---- 4 files changed, 20 insertions(+), 16 deletions(-) delete mode 100644 roles/node_exporter/vars/OpenBSD.yml delete mode 100644 roles/node_exporter/vars/RedHat.yml 
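Review bot: both new tasks use the generic `register: result` / `when: result.rc != 0`, the same name other task files in this repository register, so a later task in RedHat.yml that reads `result` by habit would see the rpm exit code. Name it for what it holds, `register: dnf_bindings` and `when: dnf_bindings.rc != 0`. A one-line comment above the first task, `# the dnf/package modules need python3-dnf, so bootstrap it with plain commands`, explains why these are not package tasks.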
diff --git a/roles/node_exporter/handlers/main.yml b/roles/node_exporter/handlers/main.yml index 5018dae..5bfbd16 100644 --- a/roles/node_exporter/handlers/main.yml +++ b/roles/node_exporter/handlers/main.yml @@ -1,5 +1,10 @@ --- - name: Restart node_exporter ansible.builtin.service: - name: "{{ node_exporter_service }}" + name: >- + {% if ansible_distribution == "OpenBSD" -%} + {{ "node_exporter" -}} + {% else -%} + {{ "prometheus-node-exporter" -}} + {% endif -%} state: restarted diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml index 395e624..a873906 100644 --- a/roles/node_exporter/tasks/main.yml +++ b/roles/node_exporter/tasks/main.yml @@ -1,15 +1,22 @@ --- -- name: Include OS-specific variables - ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" - - name: Install packages ansible.builtin.package: - name: "{{ node_exporter_package }}" + name: >- + {% if ansible_distribution in ["Fedora", "OpenBSD"] -%} + {{ "node_exporter" -}} + {% else -%} + {{ "golang-github-prometheus-node-exporter" -}} + {% endif -%} state: installed - name: Allow prometheus user to read private key ansible.builtin.user: - name: "{{ node_exporter_user }}" + name: >- + {% if ansible_distribution == "OpenBSD" -%} + {{ "_nodeexporter" -}} + {% else -%} + {{ "prometheus" -}} + {% endif -%} groups: hostkey append: true notify: Restart node_exporter @@ -91,7 +98,7 @@ - name: Enable service ansible.builtin.service: - name: "{{ node_exporter_service }}" + name: node_exporter state: started enabled: true arguments: >- @@ -102,7 +109,7 @@ - name: Enable service ansible.builtin.service: - name: "{{ node_exporter_service }}" + name: prometheus-node-exporter state: started enabled: true when: ansible_os_family == "RedHat" diff --git a/roles/node_exporter/vars/OpenBSD.yml b/roles/node_exporter/vars/OpenBSD.yml deleted file mode 100644 index 170fb93..0000000 --- a/roles/node_exporter/vars/OpenBSD.yml +++ /dev/null 
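Review bot: the package, user and service names are now chosen by three near-identical inline `{% if ansible_distribution ... %}` blocks spread over handlers/main.yml and tasks/main.yml, which is harder to read and extend than the vars files they replace. A single place such as `node_exporter_user: "{{ '_nodeexporter' if ansible_distribution == 'OpenBSD' else 'prometheus' }}"` in vars/main.yml (or one `set_fact` at the top of tasks) keeps each name together. Note also that the package condition keys on `["Fedora", "OpenBSD"]` while the user and service conditions key on OpenBSD alone; that asymmetry (Fedora installs `node_exporter` but runs `prometheus-node-exporter` as `prometheus`) deserves a comment so it isn't "fixed" by a future edit.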
@@ -1,4 +0,0 @@ ---- -node_exporter_package: node_exporter -node_exporter_service: node_exporter -node_exporter_user: _nodeexporter diff --git a/roles/node_exporter/vars/RedHat.yml b/roles/node_exporter/vars/RedHat.yml deleted file mode 100644 index 0a6f1b2..0000000 --- a/roles/node_exporter/vars/RedHat.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -node_exporter_package: golang-github-prometheus-node-exporter -node_exporter_service: prometheus-node-exporter -node_exporter_user: prometheus From b576f18c93d2df0ac5270b07ac4d08f5734928b2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 10 Jan 2025 06:37:17 +0000 Subject: [PATCH 445/713] base: Simplify daily dnf download cron job --- roles/base/tasks/RedHat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml index d0dbbd9..bc514fe 100644 --- a/roles/base/tasks/RedHat.yml +++ b/roles/base/tasks/RedHat.yml @@ -179,4 +179,4 @@ user: root hour: "3" minute: "{{ 59 | random(seed=inventory_hostname) }}" - job: "dnf -d 0 -e 0 -y --downloadonly update > /dev/null" + job: "dnf-3 -q -y update --downloadonly" From 1bc3805dedf3c547a67fa920bdfe3a7dccdd3e58 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 10 Jan 2025 07:30:32 +0000 Subject: [PATCH 446/713] node_exporter: Fix startup options for Fedora --- roles/node_exporter/tasks/main.yml | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml index a873906..afb5e76 100644 --- a/roles/node_exporter/tasks/main.yml +++ b/roles/node_exporter/tasks/main.yml @@ -69,7 +69,7 @@ job: /usr/local/sbin/node-exporter-run-textfile-collector minute: "*/10" -- name: Modify config +- name: Modify config (pre 1.5.0) ansible.builtin.lineinfile: path: /etc/default/prometheus-node-exporter regexp: "^ARGS=" 
@@ -80,7 +80,23 @@ --web.config=/etc/node_exporter/web-config.yml --collector.textfile.directory=/var/lib/prometheus/node-exporter" notify: Restart node_exporter - when: ansible_os_family == "RedHat" + when: + - ansible_os_family == "RedHat" + - ansible_distribution != "Fedora" + +- name: Modify config + ansible.builtin.lineinfile: + path: /etc/default/prometheus-node-exporter + regexp: "^ARGS=" + line: >- + ARGS="--collector.filesystem.ignored-mount-points='^/(dev|proc|sys|run/(user|credentials/systemd-.+))($|/)' + --collector.netclass.ignored-devices='^(br-|docker|veth).+$' + --collector.netdev.device-exclude='^(br-|docker|veth).+$' + --web.config.file=/etc/node_exporter/web-config.yml + --collector.textfile.directory=/var/lib/prometheus/node-exporter" + notify: Restart node_exporter + when: + - ansible_distribution == "Fedora" - name: Install disk and raid monitoring scripts ansible.builtin.copy: From 7b6edbfe441982fd158800c8ec9309edf6920152 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 15 Jan 2025 18:43:44 +0000 Subject: [PATCH 447/713] Add check-updates script --- playbooks/manual/check-updates.yml | 23 +++++++++++++++++++++++ scripts/check-updates | 16 ++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 playbooks/manual/check-updates.yml create mode 100755 scripts/check-updates diff --git a/playbooks/manual/check-updates.yml b/playbooks/manual/check-updates.yml new file mode 100644 index 0000000..1045eb0 --- /dev/null +++ b/playbooks/manual/check-updates.yml @@ -0,0 +1,23 @@ +--- +- hosts: all + gather_facts: true + tasks: + - name: Check updates (Linux) + ansible.builtin.command: + argv: + - dnf + - -q + - check-update + register: result + changed_when: result.rc == 100 + failed_when: result.rc not in [0, 100] + when: ansible_os_family == "RedHat" + + - name: Check updates (OpenBSD) + ansible.builtin.command: + argv: + - syspatch + - -c + register: result + changed_when: result.stdout != "" + when: ansible_os_family == "OpenBSD" 
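Review bot: The Fedora `ARGS` line updates `--web.config.file` for node_exporter ≥ 1.5.0 but still uses `--collector.filesystem.ignored-mount-points`, which upstream renamed to `--collector.filesystem.mount-points-exclude` around 1.3 (the old spelling has been a deprecated alias since, if I remember the changelog correctly); since the task is explicitly for the newer build, verify the flag names against `node_exporter --help` on a Fedora target and switch to the current ones before the alias is dropped and the unit fails to start. The two `Modify config` tasks write the same file with the same `regexp`, but their `when` conditions are disjoint (RedHat-but-not-Fedora vs Fedora), so they do not fight — a one-line comment above the pair saying so would save the next reader the check.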
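Review bot: The OpenBSD branch reports only base-system patches, because `syspatch -c` says nothing about installed packages, so a host with pending `pkg_add -u` updates shows as clean. A second task with `pkg_add -un` (dry-run update, registering `changed_when: result.stdout != ""`, same `when:`) would cover packages; confirm the exact dry-run flag on the target `pkg_add(1)`. The dnf task handles the exit-100 convention correctly; the play itself has no `name:`, which ansible-lint will flag.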
diff --git a/scripts/check-updates b/scripts/check-updates new file mode 100755 index 0000000..5a00e56 --- /dev/null +++ b/scripts/check-updates @@ -0,0 +1,16 @@ +#!/bin/sh + +set -eu + +if [ $# -eq 1 ]; then + limit="$1" +elif [ $# -ne 0 ]; then + echo "Usage: $(basename "$0") [hostname]" 1>&2 + exit 1 +else + limit="all" +fi + +cd "$(dirname "$0")/.." + +ansible-playbook playbooks/manual/check-updates.yml -l "$limit" From f0c66b63f3597c44668c1290e471ddc0dc24e022 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 15 Jan 2025 18:54:34 +0000 Subject: [PATCH 448/713] unwind: Validate config before restart --- roles/unwind/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/unwind/tasks/main.yml b/roles/unwind/tasks/main.yml index 3c2e9a6..99dd212 100644 --- a/roles/unwind/tasks/main.yml +++ b/roles/unwind/tasks/main.yml @@ -6,6 +6,7 @@ mode: "0644" owner: root group: "{{ ansible_wheel }}" + validate: "unwind -n -f %s" notify: Restart unwind - name: Enable service From 0579a2076885111222cd947bee118709cdee9cf3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 15 Jan 2025 18:55:04 +0000 Subject: [PATCH 449/713] Manually set nameservers for hosts in Vultr cloud --- group_vars/vultr.yml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 group_vars/vultr.yml diff --git a/group_vars/vultr.yml b/group_vars/vultr.yml new file mode 100644 index 0000000..af46a03 --- /dev/null +++ b/group_vars/vultr.yml @@ -0,0 +1,4 @@ +--- +network_dns_servers: + - 8.8.8.8 + - 9.9.9.9 From ec4812a15735a4f9260639e9f4938aa89ee4b494 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 15 Jan 2025 20:04:17 +0000 Subject: [PATCH 450/713] Add group based on domainname if found --- hosts.yml | 4 ---- playbooks/ns.yml | 2 +- roles/base/tasks/main.yml | 6 ++++++ 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/hosts.yml b/hosts.yml index c3e929f..c142740 100644 --- a/hosts.yml +++ b/hosts.yml 
@@ -137,10 +137,6 @@ sftpbackup: mongodb: sqldb: -vultr: - hosts: - atl01.vultr.foo.sh: - fedora: children: gitearunner: diff --git a/playbooks/ns.yml b/playbooks/ns.yml index b4e6dbf..4642197 100644 --- a/playbooks/ns.yml +++ b/playbooks/ns.yml @@ -2,7 +2,7 @@ - name: Deploy KVM virtual machines ansible.builtin.import_playbook: include/deploy-kvm-guest.yml vars: - myhosts: ns:!vultr + myhosts: ns:!atl01.vultr.foo.sh - name: Configure instance hosts: ns diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 03f630d..5e3e14b 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -1,4 +1,10 @@ --- +- name: Group by domainname + ansible.builtin.group_by: + key: "{{ inventory_hostname.split('.')[1] }}" + changed_when: false + when: inventory_hostname | split('.') | length == 4 + - name: Setup ansible custom facts ansible.builtin.file: dest: "{{ item }}" From 8a9fd29c72c61ac3f7eca1ba43387972069efc0d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 15 Jan 2025 21:26:29 +0000 Subject: [PATCH 451/713] unbound: Refactor variables --- roles/unbound/tasks/main.yml | 4 ++-- roles/unbound/vars/OpenBSD.yml | 6 +++--- roles/unbound/vars/RedHat.yml | 3 +-- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 5ec99fb..a64720b 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -12,7 +12,7 @@ ansible.builtin.command: argv: - unbound-control-setup - creates: "{{ unbound_control_key }}" + creates: "{{ unbound_confdir }}/unbound_control.key" notify: Restart unbound - name: Copy zone files @@ -28,7 +28,7 @@ - name: Copy config ansible.builtin.template: - dest: "{{ unbound_conf }}" + dest: "{{ unbound_confdir }}/unbound.conf" src: "unbound.conf.{{ inventory_hostname }}.j2" mode: "0644" owner: root diff --git a/roles/unbound/vars/OpenBSD.yml b/roles/unbound/vars/OpenBSD.yml index c952c8a..5f41acd 100644 --- a/roles/unbound/vars/OpenBSD.yml 
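Review bot: A group created by `group_by` exists only after this task has run in the current play, so `group_vars/vultr.yml` from the previous commit now applies only to plays that run the base role first; anything evaluated at inventory time no longer sees the group, which is presumably why this commit had to rewrite `ns:!vultr` to an explicit hostname in `playbooks/ns.yml`. Also `key: "{{ inventory_hostname.split('.')[1] }}"` generates groups named after the second label — `home` for every `*.home.foo.sh` host — which will silently pick up a `group_vars/home.yml` and collide with any static group of that name. Prefer keeping the static group in `hosts.yml` (or a `constructed` inventory plugin with `keyed_groups`, which runs at inventory time); if `group_by` stays, prefix the key, e.g. `key: "domain_{{ inventory_hostname.split('.')[1] }}"`, so generated names cannot collide.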
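Review bot: The `Copy config` template task writes `{{ unbound_confdir }}/unbound.conf` with no `validate:`, while the unwind role in this same series gets `validate: "unwind -n -f %s"`; a bad render here goes straight to the `Restart unbound` handler and takes the resolver down. `validate: "unbound-checkconf %s"` rejects the file before it is installed; if the OpenBSD chroot makes checking a temp file outside `{{ unbound_chroot }}` awkward, a handler that runs `unbound-checkconf` ahead of the restart is the fallback. The remaining tasks of the role are outside this hunk.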
+++ b/roles/unbound/vars/OpenBSD.yml @@ -1,4 +1,4 @@ --- -unbound_conf: /var/unbound/etc/unbound.conf -unbound_control_key: /var/unbound/etc/unbound_control.key -unbound_zonedir: /var/unbound/db +unbound_chroot: /var/unbound +unbound_confdir: "{{ unbound_chroot }}/etc" +unbound_zonedir: "{{ unbound_chroot }}/db" diff --git a/roles/unbound/vars/RedHat.yml b/roles/unbound/vars/RedHat.yml index a15473b..816739c 100644 --- a/roles/unbound/vars/RedHat.yml +++ b/roles/unbound/vars/RedHat.yml @@ -1,4 +1,3 @@ --- -unbound_conf: /etc/unbound/unbound.conf -unbound_control_key: /etc/unbound/unbound_control.key +unbound_confdir: /etc/unbound unbound_zonedir: /var/lib/unbound From f6a8776a6ea58c3fe8f1f14318ad5eb61f596db6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 15 Jan 2025 23:45:54 +0000 Subject: [PATCH 452/713] systemd_resolved: Initial version of role --- roles/systemd_resolved/handlers/main.yml | 5 ++++ roles/systemd_resolved/tasks/main.yml | 28 +++++++++++++++++++ .../systemd_resolved/templates/local.conf.j2 | 4 +++ 3 files changed, 37 insertions(+) create mode 100644 roles/systemd_resolved/handlers/main.yml create mode 100644 roles/systemd_resolved/tasks/main.yml create mode 100644 roles/systemd_resolved/templates/local.conf.j2 diff --git a/roles/systemd_resolved/handlers/main.yml b/roles/systemd_resolved/handlers/main.yml new file mode 100644 index 0000000..0bbce3d --- /dev/null +++ b/roles/systemd_resolved/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart systemd-resolved + ansible.builtin.service: + name: systemd-resolved + state: restarted diff --git a/roles/systemd_resolved/tasks/main.yml b/roles/systemd_resolved/tasks/main.yml new file mode 100644 index 0000000..43371a6 --- /dev/null +++ b/roles/systemd_resolved/tasks/main.yml 
@@ -0,0 +1,28 @@ +--- +- name: Install packages + ansible.builtin.package: + name: systemd-resolved + state: installed + +- name: Create config directory + ansible.builtin.file: + path: /etc/systemd/resolved.conf.d + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Create config + ansible.builtin.template: + dest: /etc/systemd/resolved.conf.d/local.conf + src: local.conf.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart systemd-resolved + +- name: Enable service + ansible.builtin.service: + name: systemd-resolved + state: started + enabled: true diff --git a/roles/systemd_resolved/templates/local.conf.j2 b/roles/systemd_resolved/templates/local.conf.j2 new file mode 100644 index 0000000..23d7dc6 --- /dev/null +++ b/roles/systemd_resolved/templates/local.conf.j2 @@ -0,0 +1,4 @@ +[Resolve] +DNS={% for addr in network_dns_servers %}{{ addr }}#{{ lookup('community.general.dig', addr + '/PTR')[:-1] }} {% endfor %} + +DNSOverTLS=yes From 974595756cbf81d5eb7f35f18d9ed4778bc0c7e4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 18 Jan 2025 18:33:23 +0000 Subject: [PATCH 453/713] unbound: Add backup DNS server to external resolve --- roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 | 2 +- roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 index e3dc5b6..1479483 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 @@ -1,4 +1,3 @@ - server: interface: 172.20.20.10@53 interface: 172.20.20.10@853 @@ -28,6 +27,7 @@ forward-zone: name: "." forward-tls-upstream: yes forward-addr: 8.8.8.8@853#dns.google + forward-addr: 8.8.4.4@853#dns.google {% for zone in unbound_zones %} auth-zone: 
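Review bot: The DoT server name after `#` is produced at deploy time by a PTR lookup on the controller (`lookup('community.general.dig', addr + '/PTR')`), so the name systemd-resolved validates the upstream certificate against is whatever the controller's resolver returned, and the `[:-1]` slice assumes a trailing dot — if I read the plugin correctly a failed lookup returns the string `NXDOMAIN` rather than raising, which after slicing yields a mangled name and, with strict `DNSOverTLS=yes`, every query on the host fails (fail-closed, but opaque to debug). The unbound template in this series pins the expected name explicitly (`forward-addr: 8.8.8.8@853#dns.google`); doing the same here, for instance by carrying address/name pairs in the variable and rendering `{{ item.address }}#{{ item.name }}`, removes the deploy-time dependency and keeps the trusted name under version control.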
diff --git a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 index 4607459..c2f67ef 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 @@ -1,4 +1,3 @@ - server: interface: 172.20.20.10@53 interface: 172.20.20.10@853 @@ -28,6 +27,7 @@ forward-zone: name: "." forward-tls-upstream: yes forward-addr: 8.8.8.8@853#dns.google + forward-addr: 8.8.4.4@853#dns.google {% for zone in unbound_zones %} auth-zone: From 231fe0103a296a7d7a25bb2757f1cc906015807a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 18 Jan 2025 18:47:04 +0000 Subject: [PATCH 454/713] unbound: Optimize CPU core usage --- .../unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 | 7 +++++++ .../unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 index 1479483..9cd96f8 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 @@ -1,4 +1,11 @@ server: + # https://nlnetlabs.nl/documentation/unbound/howto-optimise/ + num-threads: {{ ansible_processor_cores }} + msg-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} + rrset-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} + infra-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} + key-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} + interface: 172.20.20.10@53 interface: 172.20.20.10@853 interface: 172.20.21.1@53 diff --git a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 index c2f67ef..de8a3d4 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 
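Review bot: `ansible_processor_cores | int | pow(2)` squares the core count (Ansible's `pow` filter is x**y), not 2**cores, and the linked howto asks for a power of two close to `num-threads`; on a 4-core guest this renders 16 where 4 was intended, and on a 6-core guest it renders 36, which unbound rejects if I remember its "slabs must be a power of 2" config check correctly — so the restart handler would leave the resolver down. Rounding up to the next power of two does what the howto says, e.g. `{{ 2 ** (ansible_processor_cores | int | log(2) | round(0, 'ceil') | int) }}`, ideally computed once into an `unbound_slabs` variable since the gw02 template repeats the same four lines. Also check on an OpenBSD guest that `ansible_processor_cores` is the total vCPU count you mean (it is cores-per-socket on Linux, where `ansible_processor_vcpus` is usually the right fact).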
+++ b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 @@ -1,4 +1,11 @@ server: + # https://nlnetlabs.nl/documentation/unbound/howto-optimise/ + num-threads: {{ ansible_processor_cores }} + msg-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} + rrset-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} + infra-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} + key-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} + interface: 172.20.20.10@53 interface: 172.20.20.10@853 interface: 172.20.21.2@53 From 4739a3758df86df147ead2065b8a860520e3d5ac Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 18 Jan 2025 18:54:43 +0000 Subject: [PATCH 455/713] node_exporter: Don't create home on user modify --- roles/node_exporter/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml index afb5e76..f1c0968 100644 --- a/roles/node_exporter/tasks/main.yml +++ b/roles/node_exporter/tasks/main.yml @@ -19,6 +19,7 @@ {% endif -%} groups: hostkey append: true + create_home: false notify: Restart node_exporter - name: Create config directory From 86551d6dec61267854ef058feaae9e9d0996ba88 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 18 Jan 2025 18:55:59 +0000 Subject: [PATCH 456/713] Move nms.home.foo.sh to new address --- group_vars/nms.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/nms.yml b/group_vars/nms.yml index 4278cfd..4bdca2a 100644 --- a/group_vars/nms.yml +++ b/group_vars/nms.yml @@ -9,7 +9,7 @@ unbound_zones: network_vip_interfaces: - device: eth0 vhid: 11 - ipaddr: 172.20.20.11 + ipaddr: 172.20.20.21 netmask: 255.255.240.0 pass: "{{ vip11_pass }}" - device: eth1 From 107a2cd48b5c274d103c1e360f99c7efa4f513d3 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sat, 18 Jan 2025 19:12:59 +0000 Subject: [PATCH 457/713] Use correct password for virtual IP interface --- group_vars/nms.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/nms.yml b/group_vars/nms.yml index 4bdca2a..bdfe2a9 100644 --- a/group_vars/nms.yml +++ b/group_vars/nms.yml @@ -11,7 +11,7 @@ network_vip_interfaces: vhid: 11 ipaddr: 172.20.20.21 netmask: 255.255.240.0 - pass: "{{ vip11_pass }}" + pass: "{{ vip21_pass }}" - device: eth1 vhid: 25 ipaddr: 172.20.25.1 From d4bfc7586fe31e40b15f187cb5069b8730fbb24e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 18 Jan 2025 19:14:08 +0000 Subject: [PATCH 458/713] unbound: Add better failover config --- group_vars/dnagw.yml | 12 ++++++++++++ host_vars/dna-gw01.home.foo.sh.yml | 2 ++ host_vars/dna-gw02.home.foo.sh.yml | 2 ++ .../templates/unbound.conf.dna-gw01.home.foo.sh.j2 | 4 ++++ .../templates/unbound.conf.dna-gw02.home.foo.sh.j2 | 4 ++++ 5 files changed, 24 insertions(+) diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml index 3bffd50..fe380e8 100644 --- a/group_vars/dnagw.yml +++ b/group_vars/dnagw.yml @@ -12,6 +12,18 @@ network_vip_interfaces: netmask: 255.255.252.0 pass: "{{ vip10_pass }}" priority: 120 + - device: vio0 + vhid: 11 + ipaddr: 172.20.20.11 + netmask: 255.255.252.0 + pass: "{{ vip11_pass }}" + priority: "{{ vip11_priority }}" + - device: vio0 + vhid: 12 + ipaddr: 172.20.20.12 + netmask: 255.255.252.0 + pass: "{{ vip12_pass }}" + priority: "{{ vip12_priority }}" network_ether_interfaces: - device: vio1 proto: none diff --git a/host_vars/dna-gw01.home.foo.sh.yml b/host_vars/dna-gw01.home.foo.sh.yml index d7c25b9..481ae6c 100644 --- a/host_vars/dna-gw01.home.foo.sh.yml +++ b/host_vars/dna-gw01.home.foo.sh.yml @@ -10,3 +10,5 @@ network_interfaces: - device: vio1 vlan: 103 proto: none +vip11_priority: 240 +vip12_priority: 120 
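Review bot: The new `vhid: 11` entry on `vio0` in `group_vars/dnagw.yml` reuses the virtual host id that `group_vars/nms.yml` still carries: the two nms hunks above move the address to `172.20.20.21` and the secret to `vip21_pass` but leave the context line `vhid: 11` untouched, which looks like an oversight. Both addresses sit in 172.20.20.0/22, so if the nms and dna-gw interfaces share a broadcast domain the two groups will process each other's id-11 advertisements with different passwords (CARP and VRRP both key on that id), producing hash failures and possibly flapping master election; `vhid: 21` in `nms.yml` matches the address and password naming. If the intent is instead for dna-gw to take over `172.20.20.11` from nms, the nms entry should be removed rather than renumbered.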
diff --git a/host_vars/dna-gw02.home.foo.sh.yml b/host_vars/dna-gw02.home.foo.sh.yml index fae4c34..d9977c7 100644 --- a/host_vars/dna-gw02.home.foo.sh.yml +++ b/host_vars/dna-gw02.home.foo.sh.yml @@ -10,3 +10,5 @@ network_interfaces: - device: vio1 vlan: 103 proto: none +vip11_priority: 120 +vip12_priority: 240 diff --git a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 index 9cd96f8..4765817 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 @@ -8,6 +8,10 @@ server: interface: 172.20.20.10@53 interface: 172.20.20.10@853 + interface: 172.20.20.11@53 + interface: 172.20.20.11@853 + interface: 172.20.20.12@53 + interface: 172.20.20.12@853 interface: 172.20.21.1@53 tls-service-key: {{ tls_private }}/dns.home.foo.sh.key diff --git a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 index de8a3d4..c08d855 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 @@ -8,6 +8,10 @@ server: interface: 172.20.20.10@53 interface: 172.20.20.10@853 + interface: 172.20.20.11@53 + interface: 172.20.20.11@853 + interface: 172.20.20.12@53 + interface: 172.20.20.12@853 interface: 172.20.21.2@53 tls-service-key: {{ tls_private }}/dns.home.foo.sh.key From ae491f8977a9802bb6624c8b87e14b58298488eb Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sun, 19 Jan 2025 16:15:24 +0000 Subject: [PATCH 459/713] unbound_exporter: Initial version of role --- roles/unbound_exporter/handlers/main.yml | 5 +++ roles/unbound_exporter/tasks/main.yml | 36 +++++++++++++++++++ .../templates/web-config.yml.j2 | 11 ++++++ 3 files changed, 52 insertions(+) create mode 100644 roles/unbound_exporter/handlers/main.yml create mode 100644 roles/unbound_exporter/tasks/main.yml create mode 100644 roles/unbound_exporter/templates/web-config.yml.j2 diff --git a/roles/unbound_exporter/handlers/main.yml b/roles/unbound_exporter/handlers/main.yml new file mode 100644 index 0000000..bfbf5bf --- /dev/null +++ b/roles/unbound_exporter/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart unbound_exporter + ansible.builtin.service: + name: unbound_exporter + state: restarted diff --git a/roles/unbound_exporter/tasks/main.yml b/roles/unbound_exporter/tasks/main.yml new file mode 100644 index 0000000..d8936f3 --- /dev/null +++ b/roles/unbound_exporter/tasks/main.yml @@ -0,0 +1,36 @@ +--- +- name: Install packages + ansible.builtin.package: + name: unbound_exporter + state: installed + +- name: Add user to hostkey group + ansible.builtin.user: + name: _unboundexporter + groups: hostkey + append: true + create_home: false + notify: Restart unbound_exporter + +- name: Create config directory + ansible.builtin.file: + path: /etc/unbound_exporter + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Create web-config + ansible.builtin.template: + dest: /etc/unbound_exporter/web-config.yml + src: web-config.yml.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart unbound_exporter + +- name: Enable service + ansible.builtin.service: + name: unbound_exporter + state: started + enabled: true diff --git a/roles/unbound_exporter/templates/web-config.yml.j2 b/roles/unbound_exporter/templates/web-config.yml.j2 new file mode 100644 index 0000000..03e5466 --- /dev/null 
+++ b/roles/unbound_exporter/templates/web-config.yml.j2 @@ -0,0 +1,11 @@ +--- +tls_server_config: + key_file: {{ tls_private }}/{{ inventory_hostname }}.key + cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt + client_ca_file: {{ tls_certs }}/ca.crt + client_auth_type: RequireAndVerifyClientCert + client_allowed_sans: +{% for host in groups['prometheus'] %} + - {{ host }} +{% endfor %} + min_version: TLS13 From 271eb09669c359cf2f0aaef28065fce2a7385829 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 19 Jan 2025 16:15:42 +0000 Subject: [PATCH 460/713] pf: Open unbound_exporter port for dna-gw hosts --- roles/pf/files/pf.conf.gw_home | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/files/pf.conf.gw_home index 077b457..981f783 100644 --- a/roles/pf/files/pf.conf.gw_home +++ b/roles/pf/files/pf.conf.gw_home @@ -45,8 +45,9 @@ pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh pass in quick on $ext_if proto tcp from 212.149.228.253/32 to self port ssh -# node_exporter from internal network +# node_exporter and unbound_exporter from internal network pass in quick on $int_if proto tcp from $int_net to self port 9100 +pass in quick on $int_if proto tcp from $int_net to self port 9167 # allow dns queries from internal net pass in quick on $int_if proto { tcp, udp } from $int_net to self port domain From 964e841c1df100022a8088f585a1de1f56c1622a Mon Sep 17 00:00:00 2001 
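Review bot: `pass in quick on $int_if proto tcp from $int_net to self port 9167` exposes the exporter to every host on the internal network, mirroring the 9100 rule above it, although only the prometheus host(s) need to reach either port. A `table <prometheus> { ... }` holding the scraper addresses with `from <prometheus>` on both rules is a cheap second layer if the exporter's transport authentication is ever misconfigured; because this is a static file rather than a template the table would be maintained by hand, or the file could become a `.j2` that renders `groups['prometheus']`.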
From: Timo Makinen Date: Sun, 19 Jan 2025 17:51:18 +0000 Subject: [PATCH 461/713] unbound_exporter: Add TLS support Currently unbound_exporter doesn't support TLS connections so proxy connections through stunnel. --- roles/unbound_exporter/handlers/main.yml | 5 +++ roles/unbound_exporter/tasks/main.yml | 36 +++++++++++++++---- .../templates/web-config.yml.j2 | 11 ------ 3 files changed, 35 insertions(+), 17 deletions(-) delete mode 100644 roles/unbound_exporter/templates/web-config.yml.j2 diff --git a/roles/unbound_exporter/handlers/main.yml b/roles/unbound_exporter/handlers/main.yml index bfbf5bf..2cd8d99 100644 --- a/roles/unbound_exporter/handlers/main.yml +++ b/roles/unbound_exporter/handlers/main.yml @@ -3,3 +3,8 @@ ansible.builtin.service: name: unbound_exporter state: restarted + +- name: Restart unbound_exporter_stunnel + ansible.builtin.service: + name: unbound_exporter_stunnel + state: restarted diff --git a/roles/unbound_exporter/tasks/main.yml b/roles/unbound_exporter/tasks/main.yml index d8936f3..b194422 100644 --- a/roles/unbound_exporter/tasks/main.yml +++ b/roles/unbound_exporter/tasks/main.yml @@ -1,8 +1,11 @@ --- - name: Install packages ansible.builtin.package: - name: unbound_exporter + name: "{{ item }}" state: installed + with_items: + - stunnel + - unbound_exporter - name: Add user to hostkey group ansible.builtin.user: @@ -10,7 +13,7 @@ groups: hostkey append: true create_home: false - notify: Restart unbound_exporter + notify: Restart unbound_exporter_stunnel - name: Create config directory ansible.builtin.file: 
@@ -20,17 +23,38 @@ owner: root group: "{{ ansible_wheel }}" -- name: Create web-config +- name: Create stunnel config ansible.builtin.template: - dest: /etc/unbound_exporter/web-config.yml - src: web-config.yml.j2 + dest: /etc/unbound_exporter/stunnel.conf + src: stunnel.conf.j2 mode: "0644" owner: root group: "{{ ansible_wheel }}" - notify: Restart unbound_exporter + notify: Restart unbound_exporter_stunnel - name: Enable service ansible.builtin.service: name: unbound_exporter state: started enabled: true + arguments: >- + -unbound.ca + -unbound.cert + -unbound.host unix:///var/run/unbound.sock + -web.listen-address 127.0.0.1:9167 + notify: Restart unbound_exporter + +- name: Create stunnel service config + ansible.builtin.copy: + dest: /etc/rc.d/unbound_exporter_stunnel + src: unbound_exporter_stunnel.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart unbound_exporter_stunnel + +- name: Enable stunnel service + ansible.builtin.service: + name: unbound_exporter_stunnel + state: started + enabled: true diff --git a/roles/unbound_exporter/templates/web-config.yml.j2 b/roles/unbound_exporter/templates/web-config.yml.j2 deleted file mode 100644 index 03e5466..0000000 --- a/roles/unbound_exporter/templates/web-config.yml.j2 +++ /dev/null @@ -1,11 +0,0 @@ ---- -tls_server_config: - key_file: {{ tls_private }}/{{ inventory_hostname }}.key - cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt - client_ca_file: {{ tls_certs }}/ca.crt - client_auth_type: RequireAndVerifyClientCert - client_allowed_sans: -{% for host in groups['prometheus'] %} - - {{ host }} -{% endfor %} - min_version: TLS13 From e1dd03e85930aafdd2480436e001fd2bcd25109a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 19 Jan 2025 18:21:33 +0000 Subject: [PATCH 462/713] Add unbound_exporter to dna-gw hosts --- playbooks/dna-gw.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 71ef499..7a8e99b 100644 
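Review bot: The `arguments:` string passes `-unbound.ca` and `-unbound.cert` with no value; if unbound_exporter uses Go's standard `flag` package (its single-dash flag style suggests so), a string flag consumes the next token as its value, so `-unbound.ca` would be set to the literal `-unbound.cert` and `-unbound.cert` would keep its default. To clear them for the unix-socket connection write `-unbound.ca= -unbound.cert=`, and confirm once from the exporter's log what it actually parsed. The tasks also reference `stunnel.conf.j2` and `unbound_exporter_stunnel.sh`, neither of which is in this commit's diffstat, so the role cannot run as committed unless they land separately; and since the deleted web-config enforced `RequireAndVerifyClientCert` with `client_allowed_sans`, the stunnel side needs equivalent `verifyChain = yes`, `CAfile` and `checkHost` settings or this change silently drops client authentication on the metrics endpoint.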
--- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -150,3 +150,7 @@ - name: Import unbound role ansible.builtin.import_role: name: unbound + + - name: Import unbound_exporter role + ansible.builtin.import_role: + name: unbound_exporter From cdd1495f0cdbe0e404c4a1cc868755982c0d3a7c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 19 Jan 2025 18:40:49 +0000 Subject: [PATCH 463/713] dhcpd: Fix DNS server addresses --- roles/dhcpd/templates/dhcpd.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2 index 063a27f..7b41b05 100644 --- a/roles/dhcpd/templates/dhcpd.conf.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.j2 @@ -52,7 +52,7 @@ shared-network FOOSH { option routers 172.20.20.1; option domain-name "home.foo.sh"; - option domain-name-servers 172.20.20.10, 172.20.21.1, 172.20.21.2; + option domain-name-servers 172.20.20.10, 172.20.20.11, 172.20.20.12; use-host-decl-names on; } From c8bbd563b45b40aff50a82529896b644e8da2ecd Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 19 Jan 2025 21:18:10 +0000 Subject: [PATCH 464/713] base: Use systemd-resolved for Fedora hosts --- roles/base/tasks/RedHat.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml index bc514fe..0e477a1 100644 --- a/roles/base/tasks/RedHat.yml +++ b/roles/base/tasks/RedHat.yml @@ -37,6 +37,11 @@ loop_control: loop_var: role +- name: Install systemd-resolved + ansible.builtin.include_role: + name: systemd_resolved + when: ansible_distribution == "Fedora" + - name: Install firewall ansible.builtin.include_role: name: iptables From 7a6e4e596f3634c1c768b1950b42b630552fbe0c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 23 Jan 2025 05:53:44 +0000 Subject: [PATCH 465/713] nginx: Use custom log format --- roles/nginx/templates/nginx.conf.j2 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index 0a503cc..b6733d2 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -8,7 +8,10 @@ events { } http { - access_log {{ nginx_logdir }}/access.log combined; + log_format custom '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ($request_time)'; + access_log {{ nginx_logdir }}/access.log custom; proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt; proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key; From c3497c2440951432409b35bd3dfe4333e3c0cde5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 23 Jan 2025 05:54:23 +0000 Subject: [PATCH 466/713] nginx_site: Enable custom log format --- roles/nginx_site/templates/site.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 index 13a3ec7..ca54573 100644 --- a/roles/nginx_site/templates/site.conf.j2 +++ b/roles/nginx_site/templates/site.conf.j2 @@ -18,7 +18,7 @@ server { listen [::]:443 ssl http2; server_name {{ nginx_site_name }}; - access_log {{ nginx_logdir }}/{{ nginx_site_name }}.access.log combined; + access_log {{ nginx_logdir }}/{{ nginx_site_name }}.access.log custom; error_log {{ nginx_logdir }}/{{ nginx_site_name }}.error.log warn; add_header Strict-Transport-Security "max-age=63072000" always; From 338f4e2f0d3f7bacc816d19cccd303182da8e3d7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 11:41:49 +0000 Subject: [PATCH 467/713] rclone: Make role more modular --- roles/rclone/files/rclone-sync.sh | 12 +++++-- roles/rclone/meta/main.yml | 1 - roles/rclone/tasks/main.yml | 52 +++++++++++++++------------ roles/rclone/templates/rclone.conf.j2 | 6 ++-- 4 files changed, 42 insertions(+), 29 deletions(-) 
diff --git a/roles/rclone/files/rclone-sync.sh b/roles/rclone/files/rclone-sync.sh index def667c..83ecfb2 100755 --- a/roles/rclone/files/rclone-sync.sh +++ b/roles/rclone/files/rclone-sync.sh @@ -3,13 +3,19 @@ set -eu umask 027 -TARGET="/srv/backup" -CONFIG="/etc/rclone/rclone.conf" -LOGDIR="/var/log/rclone" +SERVICE="$(whoami)" + +TARGET="/srv/${SERVICE}" +CONFIG="/etc/rclone/${SERVICE}.conf" +LOGDIR="/var/log/rclone/${SERVICE}" RCLONE="/usr/local/bin/rclone" timestamp="$(date +%Y%m%d%H%M%S)" +if [ ! -f "$CONFIG" ]; then + echo "ERR: Config file '${CONFIG}' does not exist" 1>&2 + exit 1 +fi if [ ! -d "$TARGET" ]; then echo "ERR: Destination directory '${TARGET}' does not exist" 1>&2 exit 1 diff --git a/roles/rclone/meta/main.yml b/roles/rclone/meta/main.yml index a6cb84e..61cc3ce 100644 --- a/roles/rclone/meta/main.yml +++ b/roles/rclone/meta/main.yml @@ -1,4 +1,3 @@ --- dependencies: - - {role: backup_base} - {role: ssh_known_hosts} diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml index 335d66e..455de9b 100644 --- a/roles/rclone/tasks/main.yml +++ b/roles/rclone/tasks/main.yml @@ -8,17 +8,17 @@ ansible.builtin.file: path: /etc/rclone state: directory - mode: "0770" + mode: "0755" owner: root - group: backup + group: "{{ ansible_wheel }}" - name: Create host config ansible.builtin.template: - dest: /etc/rclone/rclone.conf + dest: "/etc/rclone/{{ rclone_service }}.conf" src: rclone.conf.j2 mode: "0640" owner: root - group: backup + group: "{{ rclone_service }}" - name: Create ssh keys ansible.builtin.command: 
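Review bot: `group: "{{ rclone_service }}"` on the config file assumes a group named after the service already exists, yet this commit also drops the `backup_base` dependency from `meta/main.yml` that, judging by its name, used to provide the `backup` account; nothing left in the role creates the user or group, so applying `rclone` with a new `rclone_service` value fails at `Create host config` with an unknown group. Either restore a dependency that creates the account from `rclone_service`, or add `ansible.builtin.group` / `ansible.builtin.user` tasks at the top of the role (`system: true`, `shell: /sbin/nologin`, `create_home: false`), as the new `nginx_logsync` role in this series does for `logsync`. Relaxing `/etc/rclone` from `0770 root:backup` to `0755` is fine given the per-service files stay `0640`.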
@@ -27,45 +27,53 @@ - -t - ed25519 - -C - - "backup@{{ inventory_hostname }}" + - "{{ rclone_service }}@{{ inventory_hostname }}" - -N - "" - -f - - /etc/rclone/id_ed25519 - creates: /etc/rclone/id_ed25519 + - "/etc/rclone/ssh_{{ rclone_service }}_ed25519_key" + creates: "/etc/rclone/ssh_{{ rclone_service }}_ed25519_key" - name: Fix ssh key permissions ansible.builtin.file: path: "{{ item }}" owner: root - group: backup + group: "{{ rclone_service }}" mode: "0640" with_items: - - /etc/rclone/id_ed25519 - - /etc/rclone/id_ed25519.pub + - "/etc/rclone/ssh_{{ rclone_service }}_ed25519_key" + - "/etc/rclone/ssh_{{ rclone_service }}_ed25519_key.pub" - name: Fetch ssh public key ansible.builtin.fetch: - src: /etc/rclone/id_ed25519.pub - dest: ../files/ssh/backup.pub + src: "/etc/rclone/ssh_{{ rclone_service }}_ed25519_key.pub" + dest: "../files/ssh/{{ rclone_service }}.pub" flat: true -- name: Create log directory +- name: Create base log directory ansible.builtin.file: path: /var/log/rclone state: directory - mode: "0750" - owner: backup - group: backup + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" -- name: Create backup directories +- name: Create log directory ansible.builtin.file: - path: "/srv/backup/{{ item }}" + path: "/var/log/rclone/{{ rclone_service }}" + state: directory + mode: "0750" + owner: "{{ rclone_service }}" + group: "{{ rclone_service }}" + +- name: Create data directories + ansible.builtin.file: + path: "/srv/{{ rclone_service }}/{{ item }}" state: directory mode: "0770" owner: root - group: backup - with_items: "{{ groups['sftpbackup'] }}" + group: "{{ rclone_service }}" + with_items: "{{ groups[rclone_hostgroup | default(rclone_service)] }}" - name: Copy rclone sync script ansible.builtin.copy: 
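Review bot: `Fetch ssh public key` writes every host's key to the same controller path `../files/ssh/{{ rclone_service }}.pub` (`flat: true`), so if more than one host runs this role for the same service the last host wins, and that single file is what `nginx_logsync` later installs as the only authorized key — the other hosts' syncs then fail with publickey errors after the next deploy. Keying the destination by host, `dest: "../files/ssh/{{ rclone_service }}.{{ inventory_hostname }}.pub"`, and assembling the authorized_keys file from all of them on the target side avoids that; otherwise document that each service is expected to have exactly one client host. The private key being `0640 root:{{ rclone_service }}` is required for the non-root cron user but also means anything running under that group can read it, which is acceptable only while the account stays single-purpose.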
@@ -79,13 +87,13 @@ ansible.builtin.cron: name: MAILTO env: true - user: backup + user: "{{ rclone_service }}" value: root - name: Add rclone sync cron job ansible.builtin.cron: name: rclone-sync - user: backup + user: "{{ rclone_service }}" hour: "3" minute: "00" job: /usr/local/bin/rclone-sync diff --git a/roles/rclone/templates/rclone.conf.j2 b/roles/rclone/templates/rclone.conf.j2 index 99e1d3e..bc4f312 100644 --- a/roles/rclone/templates/rclone.conf.j2 +++ b/roles/rclone/templates/rclone.conf.j2 @@ -1,11 +1,11 @@ # {{ ansible_managed }} -{% for host in groups['sftpbackup'] %} +{% for host in groups[rclone_hostgroup | default(rclone_service)] %} [{{ host.split('.')[0] }}] type = sftp host = {{ host }} -user = backup +user = {{ rclone_service }} shell_type = none -key_file = /etc/rclone/id_ed25519 +key_file = /etc/rclone/ssh_{{ rclone_service }}_ed25519_key known_hosts_file = /etc/ssh/ssh_known_hosts {% endfor %} From af5655e131518c6a52297c15f88bdd9a74c17eb6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 12:19:18 +0000 Subject: [PATCH 468/713] rclone: Remove logs older than 30 days --- roles/rclone/files/rclone-sync.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/rclone/files/rclone-sync.sh b/roles/rclone/files/rclone-sync.sh index 83ecfb2..40323ce 100755 --- a/roles/rclone/files/rclone-sync.sh +++ b/roles/rclone/files/rclone-sync.sh @@ -33,3 +33,5 @@ for host in $("$RCLONE" --config "$CONFIG" listremotes | tr -d ":") ; do cat "$log" fi done + +find "$LOGDIR" -type f -name "*.log" -mtime +30 -delete From b6131534f68b8a237a9a8ae281bc7f57ffbf3115 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 12:47:18 +0000 Subject: [PATCH 469/713] nginx_logsync: Initial version of role --- roles/nginx_logsync/tasks/main.yml | 34 ++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 roles/nginx_logsync/tasks/main.yml 
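Review bot: The new `find "$LOGDIR" -type f -name "*.log" -mtime +30 -delete` runs after the sync loop in a script that uses `set -eu` (context of the earlier hunk of the same file), so presumably any failing command inside that loop ends the run before old logs are pruned; moving the prune above the loop, or adding a comment such as `# prune only reached when the sync loop above succeeded`, makes that trade-off deliberate. `-mtime +30` selects files older than 30 days by modification time, which matches the commit title. The loop body is only partly visible in this hunk.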
diff --git a/roles/nginx_logsync/tasks/main.yml b/roles/nginx_logsync/tasks/main.yml
new file mode 100644
index 0000000..0d7c9ff
--- /dev/null
+++ b/roles/nginx_logsync/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+- name: Create group
+ ansible.builtin.group:
+ name: logsync
+ system: true
+
+- name: Create user
+ ansible.builtin.user:
+ name: logsync
+ comment: Service logsync
+ create_home: false
+ group: logsync
+ home: /var/empty
+ shell: /sbin/nologin
+
+- name: Create authorized_keys
+ ansible.builtin.copy:
+ dest: /etc/ssh/authorized_keys.logsync
+ src: ../files/ssh/logsync.pub
+ mode: "0640"
+ owner: root
+ group: logsync
+
+- name: Configure sshd chroot
+ ansible.builtin.blockinfile:
+ path: /etc/ssh/sshd_config
+ block: |
+ Match User logsync
+ ChrootDirectory /var/www/logs
+ ForceCommand internal-sftp
+ AuthorizedKeysFile /etc/ssh/authorized_keys.logsync
+ marker: "# {mark} ANSIBLE MANAGED BLOCK (user logsync)"
+ validate: "sshd -t -f %s"
+ notify: Restart sshd
From d0d9f3430a0393836032ace55552622c4db2fa9e Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 24 Jan 2025 12:47:51 +0000
Subject: [PATCH 470/713] web_logs: Refactor role completely
---
roles/web_logs/meta/main.yml | 3 --
roles/web_logs/tasks/main.yml | 70 +++----------------------
roles/web_logs/templates/rclone.conf.j2 | 10 ----
users.md | 1 +
4 files changed, 8 insertions(+), 76 deletions(-)
delete mode 100644 roles/web_logs/meta/main.yml
delete mode 100644 roles/web_logs/templates/rclone.conf.j2
diff --git a/roles/web_logs/meta/main.yml b/roles/web_logs/meta/main.yml
deleted file mode 100644
index 61cc3ce..0000000
--- a/roles/web_logs/meta/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-dependencies:
- - {role: ssh_known_hosts}
diff --git a/roles/web_logs/tasks/main.yml b/roles/web_logs/tasks/main.yml
index d554ce8..0cb63fb 100644
--- a/roles/web_logs/tasks/main.yml
+++ b/roles/web_logs/tasks/main.yml
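Review bot: `ChrootDirectory /var/www/logs` is only honoured by sshd when that directory and every component of its path are owned by root and not group- or world-writable, and the role neither creates the directory nor asserts its ownership, so an sftp session will be refused on a host where nginx's log directory does not already satisfy that. A preceding `ansible.builtin.file` task with `state: directory`, `owner: root` and a non-writable group mode, or at least a comment on the block such as `# sshd requires /var/www/logs and its parents to be root-owned and not group/world writable`, makes the dependency explicit. Appending the `Match User logsync` block at the end of sshd_config is the right placement, since directives after a `Match` stay scoped to it; `validate: "sshd -t -f %s"` guards the edit.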
@@ -2,6 +2,7 @@ - name: Create logsync group ansible.builtin.group: name: logsync + gid: 312 system: true - name: Create logsync user @@ -11,72 +12,15 @@ createhome: false group: logsync home: /var/empty - shell: /sbin/nologin + shell: /bin/sh system: true + uid: 312 -- name: Create logsync ssh key directory - ansible.builtin.file: - path: /etc/ssh/logsync - state: directory - mode: "0750" - owner: root - group: logsync - -- name: Create logsync ssh keys - ansible.builtin.command: - argv: - - ssh-keygen - - -t - - ed25519 - - -C - - "logsync@{{ inventory_hostname }}" - - -N - - "" - - -f - - /etc/ssh/logsync/id_ed25519 - creates: /etc/ssh/logsync/id_ed25519 - -- name: Fix logsync ssh key permissions - ansible.builtin.file: - path: "{{ item }}" - owner: root - group: logsync - mode: "0640" - with_items: - - /etc/ssh/logsync/id_ed25519 - - /etc/ssh/logsync/id_ed25519.pub - -- name: Import rclone role - ansible.builtin.import_role: +- name: Include rclone role + ansible.builtin.include_role: name: rclone vars: - local_user: logsync - remote_user: logsync - hostgroup: webservers - destination: /var/cache/sync-http-logs - private_key: /etc/ssh/logsync/id_ed25519 + rclone_hostgroup: proxy + rclone_service: logsync -- name: Create cache directory - ansible.builtin.file: - path: /var/cache/sync-http-logs - state: directory - mode: "0750" - owner: logsync - group: logsync -- name: Create log directory - ansible.builtin.file: - path: /export/web-log - state: directory - mode: "0750" - owner: root - group: "{{ ansible_wheel }}" - -- name: Link data directory - ansible.builtin.file: - dest: /srv/web-log - src: /export/web-log - state: link - owner: root - group: "{{ ansible_wheel }}" - follow: false diff --git a/roles/web_logs/templates/rclone.conf.j2 b/roles/web_logs/templates/rclone.conf.j2 deleted file mode 100644 index 34524ec..0000000 --- a/roles/web_logs/templates/rclone.conf.j2 +++ /dev/null 
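Review bot: `shell: /sbin/nologin` becomes `shell: /bin/sh` for the logsync service account without a comment saying why; Vixie-derived crons run jobs under their own `SHELL` (defaulting to /bin/sh) rather than the account's login shell, so the rclone cron job set up by the included role should not need an interactive shell. If something else requires it, a comment above the line, e.g. `# login shell needed for <reason>`, documents that; otherwise keeping nologin keeps the account non-interactive. Pinning `uid: 312` and `gid: 312` agrees with the users.md entry added in the same commit, which is good.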
@@ -1,10 +0,0 @@ -# {{ ansible_managed }} -{% for host in groups['webservers'] %} - -[{{ host.split('.')[0] }}] -type = sftp -host = {{ host }} -user = logsync -key_file = ~/.ssh/id_ed25519 -known_hosts_file = /etc/ssh/ssh_known_hosts -{% endfor %} diff --git a/users.md b/users.md index 132c84e..70e9176 100644 --- a/users.md +++ b/users.md @@ -17,3 +17,4 @@ entry empty. If only a group is created, leave the user entry empty. | 309 | mirror | mirror | | | 310 | collab | collab | | | 311 | docker | docker | docker registry | +| 312 | logsync | logsync | nginx log sync | From 74a517f94211feb48c6f537d5e3573e627b485de Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 12:48:36 +0000 Subject: [PATCH 471/713] unbound_exporter: Initial version of role --- .../files/unbound_exporter_stunnel.sh | 10 ++++++++ .../templates/stunnel.conf.j2 | 23 +++++++++++++++++++ 2 files changed, 33 insertions(+) create mode 100755 roles/unbound_exporter/files/unbound_exporter_stunnel.sh create mode 100644 roles/unbound_exporter/templates/stunnel.conf.j2 diff --git a/roles/unbound_exporter/files/unbound_exporter_stunnel.sh b/roles/unbound_exporter/files/unbound_exporter_stunnel.sh new file mode 100755 index 0000000..8328224 --- /dev/null +++ b/roles/unbound_exporter/files/unbound_exporter_stunnel.sh @@ -0,0 +1,10 @@ +#!/bin/ksh + +daemon="/usr/local/sbin/stunnel" +daemon_flags="/etc/unbound_exporter/stunnel.conf" + +. /etc/rc.d/rc.subr + +rc_reload=NO + +rc_cmd $1 diff --git a/roles/unbound_exporter/templates/stunnel.conf.j2 b/roles/unbound_exporter/templates/stunnel.conf.j2 new file mode 100644 index 0000000..8f4aab4 --- /dev/null +++ b/roles/unbound_exporter/templates/stunnel.conf.j2 
@@ -0,0 +1,23 @@ +setuid = _unboundexporter +setgid = _unboundexporter + +sslVersionMin = TLSv1.3 +ciphersuites = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 +curves = X25519:prime256v1:secp384r1 + +key = {{ tls_private }}/{{ inventory_hostname }}.key +cert = {{ tls_certs }}/{{ inventory_hostname }}.crt + +verify = 2 +CAfile = {{ tls_certs }}/ca.crt + +syslog = yes + +[unbound_exporter] +{% for ip in ansible_all_ipv4_addresses %} +accept = {{ ip }}:9167 +{% endfor %} +connect = 127.0.0.1:9167 +{% for host in groups['prometheus'] %} +checkHost = {{ host }} +{% endfor %} From 53f30103b32289a3416a91b79b42df0f8fd6aa77 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 12:49:07 +0000 Subject: [PATCH 472/713] prometheus: Add unbound_exporter targets --- roles/prometheus/templates/prometheus.yml.j2 | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2 index ee9c9cb..74aa03f 100644 --- a/roles/prometheus/templates/prometheus.yml.j2 +++ b/roles/prometheus/templates/prometheus.yml.j2 @@ -60,6 +60,17 @@ scrape_configs: - target_label: __address__ replacement: nms.home.foo.sh:9116 + - job_name: unbound + scheme: https + tls_config: + ca_file: "{{ tls_certs }}/ca.crt" + key_file: "{{ tls_private }}/{{ inventory_hostname }}.key" + cert_file: "{{ tls_certs }}/{{ inventory_hostname }}.crt" + static_configs: + - targets: + - dna-gw01.home.foo.sh:9167 + - dna-gw02.home.foo.sh:9167 + - job_name: node scheme: https tls_config: From b116d3e2c013d7d25cf0f0d29afcab86737c0a97 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 12:49:40 +0000 Subject: [PATCH 473/713] Convert backup hosts to use new rclone role --- playbooks/backup.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/playbooks/backup.yml b/playbooks/backup.yml index c677db0..3712638 100644 --- a/playbooks/backup.yml +++ b/playbooks/backup.yml 
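Review bot: With `setuid = _unboundexporter` the key at `{{ tls_private }}/{{ inventory_hostname }}.key` must stay readable by that account after privileges are dropped for a configuration reload to work, which is presumably why the rc script in the previous hunk sets `rc_reload=NO`; a comment tying the two together would help, e.g. `# no reload: the private key is not readable after setuid, restart the service instead`. `verify = 2` with `CAfile` and one `checkHost` per prometheus host restricts clients to CA-issued certificates whose name matches, which lines up with the `unbound` job added in the next hunk. The `accept` loop binds port 9167 on every address in `ansible_all_ipv4_addresses` while `connect` targets `127.0.0.1:9167`, so the exporter itself must listen on loopback only or the two will collide; worth stating in a comment above the `[unbound_exporter]` section.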
@@ -25,7 +25,10 @@ roles: - base + - backup_base - backup_bitbucket - backup_github - - rclone + - role: rclone + rclone_hostgroup: sftpbackup + rclone_service: backup - rsync_backup From 8b7d8da733a386f393dbd0b3863f1603b6e9aba3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 12:50:20 +0000 Subject: [PATCH 474/713] Add web_logs role to log hosts --- playbooks/log.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/log.yml b/playbooks/log.yml index c63276a..50caf5f 100644 --- a/playbooks/log.yml +++ b/playbooks/log.yml @@ -25,6 +25,7 @@ roles: - base + - web_logs tasks: - name: Install extra packages From ec405bb1c0534d6968403225b6344c599af11765 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 12:50:46 +0000 Subject: [PATCH 475/713] Add nginx_logsync role to proxy servers --- playbooks/proxy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index 89f7a53..7780db6 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -16,6 +16,7 @@ - base - ifstated - nginx + - nginx_logsync - role: nginx_site nginx_site_name: ca.foo.sh - role: nginx_site From 8742d750a3c43e71ef94bcc2a6d6495a08ea9468 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 15:24:38 +0000 Subject: [PATCH 476/713] nginx: Remove RHEL8 support --- roles/nginx/tasks/main.yml | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 14e5d2a..9158ee5 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml 
@@ -2,21 +2,6 @@ - name: Include OS-specific variables ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" -- name: Enable nginx:122 module - ansible.builtin.command: - argv: - - dnf - - module - - -y - - enable - - nginx:1.22 - creates: /etc/dnf/modules.d/nginx.module - notify: Restart nginx - when: - - ansible_os_family == "RedHat" - - ansible_distribution_major_version | int == 8 - - ansible_distribution != "Fedora" - - name: Enable nginx:124 module ansible.builtin.command: argv: From fa42610bff9a2fd64e18924c0dde31ce95427f2a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 15:46:24 +0000 Subject: [PATCH 477/713] Add more editors to adm hosts --- playbooks/adm.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 272dbdf..06d5894 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml @@ -46,11 +46,13 @@ name: "{{ item }}" state: installed with_items: + - emacs-nox # more editors - httpd-tools # htpasswd - knot-utils # kdig (dns over tls) - libvirt-client # kvm host client - make # generic building - mariadb # mariadb client tools + - nano # more editors - nmap # check for open ports - nsd # check dns zone files - podman # building containers From 34daaee91e869b1f9f3db8f865bfab3012362d39 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 16:12:47 +0000 Subject: [PATCH 478/713] syslogd: Fix whitespaces from newsyslog config --- roles/syslogd/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/syslogd/tasks/main.yml b/roles/syslogd/tasks/main.yml index 69170e5..cd005bc 100644 --- a/roles/syslogd/tasks/main.yml +++ b/roles/syslogd/tasks/main.yml @@ -24,7 +24,7 @@ path: /etc/newsyslog.conf regexp: "^/var/log/all.log.*" line: |- - /var/log/all.log root:{{ ansible_wheel }} 640 7 * $D0 Z + /var/log/all.log root:{{ ansible_wheel }} 640 7 * $D0 Z - name: Configure certificates for remote logging ansible.builtin.service: 
From a5dafee6cb48e1c00f6ff39d04dd3bd31622daa8 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 16:13:24 +0000 Subject: [PATCH 479/713] nginx: Fix newsyslog config on OpenBSD --- roles/nginx/tasks/main.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 9158ee5..4a2f2c9 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -70,6 +70,17 @@ group: "{{ ansible_wheel }}" when: ansible_os_family == "RedHat" +- name: Fix rotating access.log + ansible.builtin.lineinfile: + path: /etc/newsyslog.conf + regexp: "^{{ item }}\\s" + line: |- + {{ '{:<40}'.format(item) }}644 7 250 * Z /var/run/nginx.pid + with_items: + - /var/www/logs/access.log + - /var/www/logs/error.log + when: ansible_system == "OpenBSD" + - name: Enable nginx service ansible.builtin.service: name: nginx From 1a71f92138fb1e3c6647c00125c362619c1d1807 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 16:18:44 +0000 Subject: [PATCH 480/713] web_logs: Create data directories --- roles/web_logs/tasks/main.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/roles/web_logs/tasks/main.yml b/roles/web_logs/tasks/main.yml index 0cb63fb..a9742f7 100644 --- a/roles/web_logs/tasks/main.yml +++ b/roles/web_logs/tasks/main.yml @@ -23,4 +23,19 @@ rclone_hostgroup: proxy rclone_service: logsync +- name: Create data directory + ansible.builtin.file: + path: /export/web-log + state: directory + mode: "0750" + owner: root + group: "{{ ansible_wheel }}" +- name: Link data directory + ansible.builtin.file: + path: /srv/web-log + src: /export/web-log + state: link + owner: root + group: "{{ ansible_wheel }}" + follow: false From 0e570efebd84a885b1aa41d8591c47b9783afae2 Mon Sep 17 00:00:00 2001 
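Review bot: `regexp: "^{{ item }}\\s"` inserts the log path unescaped into a regular expression, so the `.` in `access.log` matches any character; `regexp: "^{{ item | regex_escape }}\\s"` keeps the match literal. The `'{:<40}'.format(item)` padding only serves readability because newsyslog splits fields on whitespace, so a comment above `line:` naming the columns, e.g. `# newsyslog.conf: logfile mode count size when flags [pidfile]`, would let readers decode `644 7 250 * Z` without consulting the manual.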
From: Timo Makinen Date: Fri, 24 Jan 2025 16:26:14 +0000 Subject: [PATCH 481/713] nginx: Rotate logs daily on OpenBSD --- roles/nginx/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 4a2f2c9..0461f73 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -75,7 +75,7 @@ path: /etc/newsyslog.conf regexp: "^{{ item }}\\s" line: |- - {{ '{:<40}'.format(item) }}644 7 250 * Z /var/run/nginx.pid + {{ '{:<40}'.format(item) }}644 7 * $D0 Z /var/run/nginx.pid with_items: - /var/www/logs/access.log - /var/www/logs/error.log From d0699117bc851c1aef8ebe775a6354e2607a98da Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 25 Jan 2025 18:33:59 +0000 Subject: [PATCH 482/713] Update homeassistant --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index c142740..bc70c20 100644 --- a/hosts.yml +++ b/hosts.yml @@ -36,7 +36,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.12" + homeassistant_version: "2025.1" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git From a0a70e4289b8c67b9c731ea9a670a5b3d7788c94 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 25 Jan 2025 18:57:17 +0000 Subject: [PATCH 483/713] Add ESPSomfy plugin to homeassistant --- hosts.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts.yml b/hosts.yml index bc70c20..0603e62 100644 --- a/hosts.yml +++ b/hosts.yml @@ -41,6 +41,9 @@ homeassistant: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git version: v2.0.9 + - name: espsomfy_rts + repo: https://github.com/rstrouse/ESPSomfy-RTS-HA.git + version: v2.4.7 influxdb: hosts: influxdb01.home.foo.sh: From 11e094eeda5fb901a1237726c0f548f7c41e93b6 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sun, 26 Jan 2025 21:20:19 +0000 Subject: [PATCH 484/713] Fix nodered version --- hosts.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts.yml b/hosts.yml index 0603e62..e9d66be 100644 --- a/hosts.yml +++ b/hosts.yml @@ -44,6 +44,7 @@ homeassistant: - name: espsomfy_rts repo: https://github.com/rstrouse/ESPSomfy-RTS-HA.git version: v2.4.7 + nodered_version: 4.0.8 influxdb: hosts: influxdb01.home.foo.sh: From 8b90b85b8fefe4a5837e392542fb98767d58bab6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 27 Jan 2025 04:43:43 +0000 Subject: [PATCH 485/713] blackbox_exporter: Don't create home directory --- roles/blackbox_exporter/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/blackbox_exporter/tasks/main.yml b/roles/blackbox_exporter/tasks/main.yml index b3e2410..ade2edd 100644 --- a/roles/blackbox_exporter/tasks/main.yml +++ b/roles/blackbox_exporter/tasks/main.yml @@ -9,6 +9,7 @@ name: _blackboxexporter groups: hostkey append: true + create_home: false notify: Restart blackbox_exporter - name: Create main config From ec1b8cb9e6609aae5c60bcd9089bcbae369e6480 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 28 Jan 2025 15:13:10 +0000 Subject: [PATCH 486/713] homeassistant: Run service as non root user --- .../files/99-homeassistant.rules | 2 +- .../files/homeassistant-docker-venv.patch | 139 ++++++++++++++++++ roles/homeassistant/tasks/main.yml | 56 ++++++- .../homeassistant-container.service.j2 | 6 +- 4 files changed, 193 insertions(+), 10 deletions(-) create mode 100644 roles/homeassistant/files/homeassistant-docker-venv.patch diff --git a/roles/homeassistant/files/99-homeassistant.rules b/roles/homeassistant/files/99-homeassistant.rules index 42b1684..04728a9 100644 --- a/roles/homeassistant/files/99-homeassistant.rules +++ b/roles/homeassistant/files/99-homeassistant.rules 
@@ -1 +1 @@ -SUBSYSTEM=="tty", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="ea60", MODE="0660", GROUP="ha" +SUBSYSTEM=="tty", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="ea60", MODE="0660", GROUP="homeassistant" diff --git a/roles/homeassistant/files/homeassistant-docker-venv.patch b/roles/homeassistant/files/homeassistant-docker-venv.patch new file mode 100644 index 0000000..60eac58 --- /dev/null +++ b/roles/homeassistant/files/homeassistant-docker-venv.patch 
@@ -0,0 +1,139 @@ +--- run.orig 2025-01-28 08:45:53.981024625 +0000 ++++ run 2025-01-28 08:45:38.177986885 +0000 +@@ -21,49 +21,52 @@ + # Create user + # + +-# Some HA commands seem to fail if we don't have an actual user. +-# ie: shell_command would return error code 255 +-bashio::log.info "Creating user $USER with $PUID:$PGID" +- +-deluser "$USER" >/dev/null 2>&1 || true +-delgroup "$GROUP" >/dev/null 2>&1 || true +- +-# Re-use existing group (can't delgroup a group that is in use) +-group="$(getent group "$PGID" | cut -d: -f1 || true)" +-if [ -z "$group" ]; then +- addgroup -g "$PGID" "$GROUP" +-else +- bashio::log.notice "Re-using existing group with gid $PGID: $group" +- GROUP="$group" +-fi +- +-# Replace existing user (ensures correct shell and primary group) +-user="$(getent passwd "$PUID" | cut -d: -f1 || true)" +-if [ -n "$user" ]; then +- bashio::log.notice "Replacing existing user with uid $PUID: $user" +- deluser "$user" +-fi +-adduser -G "$GROUP" -D -u "$PUID" "$USER" ++if [ "$(whoami)" != "homeassistant" ]; then + +-if [ -n "${EXTRA_GID:-}" ]; then +- bashio::log.info "Resolving supplementary GIDs: $EXTRA_GID" +- supplementary_groups=() +- +- for gid in $EXTRA_GID; do +- group="$(getent group "$gid" | cut -d: -f1 || true)" +- +- if [ -z "$group" ]; then +- group="$USER-$gid" +- addgroup -g "$gid" "$group" +- fi ++ # Some HA commands seem to fail if we don't have an actual user. 
++ # ie: shell_command would return error code 255 ++ bashio::log.info "Creating user $USER with $PUID:$PGID" ++ ++ deluser "$USER" >/dev/null 2>&1 || true ++ delgroup "$GROUP" >/dev/null 2>&1 || true ++ ++ # Re-use existing group (can't delgroup a group that is in use) ++ group="$(getent group "$PGID" | cut -d: -f1 || true)" ++ if [ -z "$group" ]; then ++ addgroup -g "$PGID" "$GROUP" ++ else ++ bashio::log.notice "Re-using existing group with gid $PGID: $group" ++ GROUP="$group" ++ fi + +- supplementary_groups+=( "$group" ) +- done ++ # Replace existing user (ensures correct shell and primary group) ++ user="$(getent passwd "$PUID" | cut -d: -f1 || true)" ++ if [ -n "$user" ]; then ++ bashio::log.notice "Replacing existing user with uid $PUID: $user" ++ deluser "$user" ++ fi ++ adduser -G "$GROUP" -D -u "$PUID" "$USER" + +- bashio::log.info "Appending supplementary groups: ${supplementary_groups[*]}" +- for group in "${supplementary_groups[@]}"; do +- addgroup "$USER" "$group" +- done ++ if [ -n "${EXTRA_GID:-}" ]; then ++ bashio::log.info "Resolving supplementary GIDs: $EXTRA_GID" ++ supplementary_groups=() ++ ++ for gid in $EXTRA_GID; do ++ group="$(getent group "$gid" | cut -d: -f1 || true)" ++ ++ if [ -z "$group" ]; then ++ group="$USER-$gid" ++ addgroup -g "$gid" "$group" ++ fi ++ ++ supplementary_groups+=( "$group" ) ++ done ++ ++ bashio::log.info "Appending supplementary groups: ${supplementary_groups[*]}" ++ for group in "${supplementary_groups[@]}"; do ++ addgroup "$USER" "$group" ++ done ++ fi + fi + + # +@@ -82,8 +85,12 @@ + # + + bashio::log.info "Initializing venv in $VENV_PATH" +-su "$USER" \ +- -c "python3 -m venv --system-site-packages '$VENV_PATH'" ++if [ "$(whoami)" = "homeassistant" ]; then ++ python3 -m venv --system-site-package "$VENV_PATH" ++else ++ su "$USER" \ ++ -c "python3 -m venv --system-site-packages '$VENV_PATH'" ++fi + + # + # Fix permissions +@@ -104,8 +111,12 @@ + export UV_SYSTEM_PYTHON=false + + bashio::log.info "Installing uv 
into venv" +-uv --version && su "$USER" \ +- -c "uv pip freeze --system|grep ^uv=|xargs uv pip install" ++if [ "$(whoami)" = "homeassistant" ]; then ++ uv --version && uv pip freeze --system|grep ^uv=|xargs uv pip install ++else ++ uv --version && su "$USER" \ ++ -c "uv pip freeze --system|grep ^uv=|xargs uv pip install" ++fi + + bashio::log.info "Setting new \$HOME" + HOME="$( getent passwd "$USER" | cut -d: -f6 )" +@@ -122,6 +133,10 @@ + fi + + bashio::log.info "Starting homeassistant" +-exec \ +- s6-setuidgid "$USER" \ +- python3 -m homeassistant --config "$CONFIG_PATH" ++if [ "$(whoami)" = "homeassistant" ]; then ++ exec python3 -m homeassistant --config "$CONFIG_PATH" ++else ++ exec \ ++ s6-setuidgid "$USER" \ ++ python3 -m homeassistant --config "$CONFIG_PATH" ++fi diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index c11dfcb..ab6bc4f 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml @@ -1,13 +1,13 @@ --- - name: Create group ansible.builtin.group: - name: ha + name: homeassistant - name: Create user ansible.builtin.user: - name: ha + name: homeassistant comment: Podman HomeAssistant - group: ha + group: homeassistant shell: /sbin/nologin - name: Enable user lingering @@ -15,8 +15,8 @@ argv: - loginctl - enable-linger - - ha - creates: /var/lib/systemd/linger/ha + - homeassistant + creates: /var/lib/systemd/linger/homeassistant - name: Install dependencies ansible.builtin.package: 
@@ -25,6 +25,46 @@ with_items: - bluez - git + - patch + +- name: Get venv support for container + ansible.builtin.git: + dest: /usr/local/src/homeassistant-docker-venv + repo: https://github.com/tribut/homeassistant-docker-venv.git + update: true + version: master + register: git_result + +- name: Create venv support directory + ansible.builtin.file: + path: /usr/local/libexec/homeassistant-docker-venv + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Check if venv support script exists + ansible.builtin.stat: + path: /usr/local/libexec/homeassistant-docker-venv/run + changed_when: false + register: stat_result + +- name: Copy venv support script + ansible.builtin.copy: + dest: /usr/local/libexec/homeassistant-docker-venv/run + src: /usr/local/src/homeassistant-docker-venv/run + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + remote_src: true + when: not stat_result.stat.exists or git_result.changed + +# https://github.com/home-assistant/core/issues/128214 +- name: Patch venv support script + ansible.posix.patch: + dest: /usr/local/libexec/homeassistant-docker-venv/run + src: homeassistant-docker-venv.patch + notify: Restart homeassistant - name: Enable bluetooth services ansible.builtin.service: @@ -69,7 +109,7 @@ state: true persistent: true -- name: Allow ha to connect specific devices +- name: Allow homeassistant to connect specific devices ansible.builtin.copy: dest: /etc/udev/rules.d/99-homeassistant.rules src: 99-homeassistant.rules @@ -83,8 +123,8 @@ path: /export/homeassistant state: directory mode: "0700" - owner: ha - group: ha + owner: homeassistant + group: homeassistant setype: _default - name: Link config directory diff --git a/roles/homeassistant/templates/homeassistant-container.service.j2 b/roles/homeassistant/templates/homeassistant-container.service.j2 index 9f14fa7..a22c105 100644 --- a/roles/homeassistant/templates/homeassistant-container.service.j2 
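Review bot: `Get venv support for container` clones `tribut/homeassistant-docker-venv` at `version: master` with `update: true`, so each play pulls whatever the upstream branch holds at that moment and copies it into the s6 `run` script that is mounted into the container; pinning a commit in `version:` (ansible.builtin.git accepts a SHA) and bumping it deliberately keeps the executed code reviewable and lets the `ansible.posix.patch` step fail loudly when upstream drifts. The copy task only re-copies on `not stat_result.stat.exists or git_result.changed`, while the patch task runs every play and relies on the module detecting an already-applied patch; a comment such as `# patch module is a no-op once the hunk is applied` would record that expectation. The linked issue comment above the patch task is helpful and could also mention which commit of the upstream script the patch was written against.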
+++ b/roles/homeassistant/templates/homeassistant-container.service.j2 @@ -4,15 +4,19 @@ Wants=network-online.target After=network-online.target [Service] -User=ha +User=homeassistant ExecStart=/usr/bin/podman run \ --rm -p 127.0.0.1:8008:8123 \ --name homeassistant \ + --env PGID=1000 \ + --env PUID=1000 \ --env TZ=Europe/Helsinki \ + --env UMASK=007 \ --userns keep-id \ --device /dev/ttyUSB0 \ --volume /run/dbus:/run/dbus:ro \ --volume /srv/homeassistant:/config:rw \ + --volume /usr/local/libexec/homeassistant-docker-venv/run:/etc/services.d/home-assistant/run:ro \ docker.io/homeassistant/home-assistant:{{ homeassistant_version }} ExecStop=/usr/bin/podman stop --ignore homeassistant ExecStopPost=/usr/bin/podman rm -f --ignore homeassistant From e2fdee682d9b9701efa04af039f23278d002ba15 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 29 Jan 2025 23:30:44 +0000 Subject: [PATCH 487/713] homeassistant: Automatically add shellies to mqtt --- roles/homeassistant/tasks/main.yml | 10 ++++++++++ roles/homeassistant/templates/mqtt.yaml.j2 | 13 +++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 roles/homeassistant/templates/mqtt.yaml.j2 diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index ab6bc4f..d76b79d 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml @@ -145,6 +145,16 @@ group: "{{ ansible_wheel }}" setype: _default +- name: Create mqtt config file + ansible.builtin.template: + dest: /srv/homeassistant/mqtt.yaml + src: mqtt.yaml.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + setype: _default + notify: Restart homeassistant + - name: Create directories for custom integrations ansible.builtin.file: path: "{{ item }}" diff --git a/roles/homeassistant/templates/mqtt.yaml.j2 b/roles/homeassistant/templates/mqtt.yaml.j2 new file mode 100644 index 0000000..8d70762 --- /dev/null +++ b/roles/homeassistant/templates/mqtt.yaml.j2 
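Review bot: `--env PUID=1000` and `--env PGID=1000` are hard-coded, but the `homeassistant` account created in the tasks hunk of this commit has no fixed `uid`/`gid`; with `--userns keep-id` the container process runs as the host account's uid, so if that uid is not 1000 the patched run script presumably no longer sees `whoami` as `homeassistant` and falls back to the `su` path, which needs root. Pinning `uid:` and `gid:` on the user task (as the logsync account does elsewhere in this series) and deriving these two values from the same variable keeps them in step. A comment above the two `--env` lines, e.g. `# must match the uid/gid of the host homeassistant account (keep-id)`, would make the coupling visible.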
@@ -0,0 +1,13 @@ +--- +sensor: +{% for shelly in shellies | selectattr("name", "match", "^shellyplug-s-") | list %} + - name: Power Usage + state_topic: home/{{ shelly["room"] }}/{{ shelly["device"] }}/relay/0/power + unique_id: {{ shelly["name"] }} + unit_of_measurement: W + device: + name: {{ shelly["device"] | capitalize }} + suggested_area: {{ shelly["room"] | replace("_", " ") | capitalize }} + identifiers: + - {{ shelly["name"] }} +{% endfor %} From 04b98d5b7f3971e3c31279f0603a61c0f6945a7d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 29 Jan 2025 23:31:20 +0000 Subject: [PATCH 488/713] homeassistant: Add yamllint to check configs --- roles/homeassistant/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index d76b79d..3e368d1 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml @@ -26,6 +26,7 @@ - bluez - git - patch + - yamllint - name: Get venv support for container ansible.builtin.git: From d9b6c2d27ffe37200148c5b430ca2c9890224614 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 12:30:33 +0000 Subject: [PATCH 489/713] nginx: Add custom logrotate script for OpenBSD --- roles/nginx/tasks/main.yml | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 0461f73..a397adf 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml 
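Review bot: The scalars rendered from `shelly[...]` (`unique_id`, `name`, `suggested_area` and the `identifiers` item) are emitted unquoted, so a value that looks like a number, boolean or null, or that contains `: ` or ` #`, changes type or breaks the rendered document, and the yamllint package added in the next commit will not report a silent type change. Quoting them in the template, e.g. `unique_id: "{{ shelly['name'] }}"`, makes the output robust. `unit_of_measurement: W` and the `state_topic` path are safe as plain scalars.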
@@ -70,15 +70,28 @@ group: "{{ ansible_wheel }}" when: ansible_os_family == "RedHat" -- name: Fix rotating access.log - ansible.builtin.lineinfile: +- name: Disable web logs from newsyslog + ansible.builtin.replace: path: /etc/newsyslog.conf - regexp: "^{{ item }}\\s" - line: |- - {{ '{:<40}'.format(item) }}644 7 * $D0 Z /var/run/nginx.pid - with_items: - - /var/www/logs/access.log - - /var/www/logs/error.log + regexp: "^/var/www/logs/" + replace: "#/var/www/logs/" + when: ansible_system == "OpenBSD" + +- name: Install logrotate script + ansible.builtin.copy: + dest: /usr/local/bin/nginx-logrotate + src: nginx-logrotate.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + when: ansible_system == "OpenBSD" + +- name: Add logrotate cron job + ansible.builtin.cron: + name: nginx-logrotate + hour: "0" + minute: "0" + job: /usr/local/bin/nginx-logrotate when: ansible_system == "OpenBSD" - name: Enable nginx service From ee6fbb48c7d65c92d16455db363e1f1363189da5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 12:31:29 +0000 Subject: [PATCH 490/713] routeros_firmware: Move README to own file --- roles/routeros_firmware/files/README.md | 16 ++++++++++++++++ roles/routeros_firmware/tasks/main.yml | 10 +--------- 2 files changed, 17 insertions(+), 9 deletions(-) create mode 100644 roles/routeros_firmware/files/README.md diff --git a/roles/routeros_firmware/files/README.md b/roles/routeros_firmware/files/README.md new file mode 100644 index 0000000..91fed9c --- /dev/null +++ b/roles/routeros_firmware/files/README.md @@ -0,0 +1,16 @@ +# Mikrotik Routeros Cheat Sheet + +## Update + +``` +/system package update print +/tool fetch url=https://oob.foo.sh/routeros/routeros-7.13.4-arm.npk +/system reboot +/system package update print +``` + +## Change port vlan + +``` +/interface/bridge/port/set [find where bridge=bridge and interface=ether1] pvid=30 +``` 
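Review bot: `Install logrotate script` copies `nginx-logrotate.sh` from the role, but judging by the commit titles that file is only added in PATCH 492, so this commit on its own fails on OpenBSD hosts; the two belong in one change. The three new tasks repeat `when: ansible_system == "OpenBSD"`; grouping them in a `block:` with a single `when:` reads better and avoids one of them being left out of the condition later. The `replace` task is idempotent because the regexp no longer matches once the lines are commented, which is worth a comment such as `# web logs are rotated by nginx-logrotate instead of newsyslog`.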
diff --git a/roles/routeros_firmware/tasks/main.yml b/roles/routeros_firmware/tasks/main.yml index 39d244b..248abde 100644 --- a/roles/routeros_firmware/tasks/main.yml +++ b/roles/routeros_firmware/tasks/main.yml @@ -10,15 +10,7 @@ - name: Install README.md ansible.builtin.copy: dest: /srv/web/oob.foo.sh/routeros/README.md - content: | - ## Update - - ``` - /system package update print - /tool fetch url=https://oob.foo.sh/routeros/routeros-7.13.4-arm.npk - /system reboot - /system package update print - ``` + src: README.md mode: "0644" owner: root group: "{{ ansible_wheel }}" From 943ad5ef8b45a3465d165ec93492336bc8d9c701 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 12:31:58 +0000 Subject: [PATCH 491/713] Add switch config backup script to nms hosts --- playbooks/nms.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 61de5ee..8232a67 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -74,3 +74,14 @@ - rcs - unzip - wget + + - name: Create sw-backup script + ansible.builtin.copy: + dest: /usr/local/bin/sw-backup + content: | + #!/bin/sh + set -eu + ssh "admin@{$1}" /export > "/srv/backup/${1}.rsc" + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" From 11fbb4a7209c92f8c9f7442b8514558c4c48d818 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 12:32:49 +0000 Subject: [PATCH 492/713] nginx: Add missing logrotate script --- roles/nginx/files/nginx-logrotate.sh | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100755 roles/nginx/files/nginx-logrotate.sh diff --git a/roles/nginx/files/nginx-logrotate.sh b/roles/nginx/files/nginx-logrotate.sh new file mode 100755 index 0000000..8fe8338 --- /dev/null +++ b/roles/nginx/files/nginx-logrotate.sh 
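Review bot: `ssh "admin@{$1}" /export` expands `{$1}` to the argument wrapped in literal braces (`admin@{switch}`), so the connection target is wrong; it should be `ssh "admin@${1}" /export > "/srv/backup/${1}.rsc"`. Since the output path is built from the argument as well, a usage comment at the top of the script, e.g. `# usage: sw-backup <switch-hostname>`, plus a check that the argument contains no `/` keeps the written file inside /srv/backup. `set -eu` already aborts on a missing argument, which is good.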
@@ -0,0 +1,28 @@ +#!/bin/sh + +set -eu + +cd /var/www/logs + +find_rotated() { + find . -mindepth 1 -maxdepth 1 -type f -name "${1}.*" | sort -V -r +} + +for log in *.log ; do + find_rotated "$log" | while read -r name; do + ext="${name##*.}" + next="${name%.*}.$((ext+1))" + mv "$name" "$next" + done + mv "$log" "${log}.1" + touch "$log" + + find_rotated "$log" | while read -r name; do + num="$(echo "$name" | awk -F. '{ print $NF }')" + if [ "$num" -gt 7 ]; then + rm -f "$log" + fi + done +done + +kill -USR1 "$(cat /var/run/nginx.pid)" From 20626d18d5f937318d4297e51fef709f37e37548 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 16:56:35 +0000 Subject: [PATCH 493/713] Allow serial port passthrough to virtual machines --- playbooks/include/deploy-kvm-guest.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/playbooks/include/deploy-kvm-guest.yml b/playbooks/include/deploy-kvm-guest.yml index 3b72157..5464cd5 100644 --- a/playbooks/include/deploy-kvm-guest.yml +++ b/playbooks/include/deploy-kvm-guest.yml @@ -99,7 +99,11 @@ {% endif -%} {% if virt_install_devices is defined -%} {% for dev in virt_install_devices -%} + {% if dev | regex_search('^/dev/tty') -%} + --serial dev,path={{ dev }} + {% else -%} --hostdev {{ dev }} \ + {% endif -%} {% endfor -%} {% else -%} --controller usb,model=none \ From 5a4a6de8be30ef165ede3b86ea7d983be053b2b9 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 16:57:17 +0000 Subject: [PATCH 494/713] Use device id's for passthrough --- host_vars/homeassistant01.home.foo.sh.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/host_vars/homeassistant01.home.foo.sh.yml b/host_vars/homeassistant01.home.foo.sh.yml index 922e502..b2ab0ee 100644 --- a/host_vars/homeassistant01.home.foo.sh.yml +++ b/host_vars/homeassistant01.home.foo.sh.yml 
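Review bot: In the pruning loop `rm -f "$log"` deletes the live log that `touch "$log"` just created rather than the rotated file the loop is iterating over; it should be `rm -f "$name"`. As written, files above `.7` are never removed, so the directory grows without bound, and once any `.8` exists the fresh active log is deleted on every run. `touch "$log"` also creates the new log with root's umask instead of the `644` the old newsyslog entry applied; `touch "$log" && chmod 644 "$log"` keeps the previous permissions. With no matching file `for log in *.log` iterates over the literal glob and the first `mv` aborts the script under `set -e`; a `[ -e "$log" ] || continue` guard makes the empty-directory case harmless.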
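Review bot: The new `--serial dev,path={{ dev }}` line has no trailing ` \` while the sibling `--hostdev {{ dev }} \` line does; if the surrounding template assembles one backslash-continued command line, the serial argument ends the command early and every option after it is silently dropped. Either append ` \` to match the hostdev branch or, if the lines are joined some other way, add a comment explaining why this line is exempt. The loop and the command it builds start and end outside the hunk, so I cannot confirm how the lines are joined. `regex_search('^/dev/tty')` also matches any `/dev/tty*` node, consoles included; a comment such as `# /dev/tty* paths are attached as --serial, everything else as a USB --hostdev` would record the intent.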
@@ -9,6 +9,6 @@ network_interfaces: - device: eth2 vlan: 30 virt_install_devices: - - 001.002 - - 001.005 - - 001.006 + - 0b05:190e + - 10c4:ea60 + - /dev/ttyUSB8 From 5832a1208446354465140ba465f0ab874163b4c3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 16:58:18 +0000 Subject: [PATCH 495/713] Pass secrets to homeassistant playbook --- playbooks/homeassistant.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/playbooks/homeassistant.yml b/playbooks/homeassistant.yml index cbe61cc..1baf203 100644 --- a/playbooks/homeassistant.yml +++ b/playbooks/homeassistant.yml @@ -9,6 +9,9 @@ user: root gather_facts: true + vars_files: + - "{{ ansible_private }}/vars.yml" + pre_tasks: - name: Mount /export ansible.posix.mount: From 27fbb3eca61614f2682d216060370ba0acd34ec2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 18:06:40 +0000 Subject: [PATCH 496/713] Update software submodule --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index bbe8e4f..2f00235 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit bbe8e4f819fd748e41ff1938fc7ae0c20aa3d33b +Subproject commit 2f00235a10cbd03324e3f21cbdebbf0b2f9ca1e5 From ad625d47d61b4de9ca6c3351672dd2d9f715010c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 18:20:47 +0000 Subject: [PATCH 497/713] rsync_backup: Fix yamllint errors --- roles/rsync_backup/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/rsync_backup/tasks/main.yml b/roles/rsync_backup/tasks/main.yml index 7562bb0..d0cfa26 100644 --- a/roles/rsync_backup/tasks/main.yml +++ b/roles/rsync_backup/tasks/main.yml @@ -49,4 +49,3 @@ job: /usr/local/sbin/backup-daily -a -p -r hour: "00" minute: "30" - From f0b1b064db853b572d35762a77094019fd6db95c Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Thu, 30 Jan 2025 19:13:32 +0000 Subject: [PATCH 498/713] mkhomedir: Convert shell to command --- roles/mkhomedir/tasks/main.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/mkhomedir/tasks/main.yml b/roles/mkhomedir/tasks/main.yml index eac4cc3..7ec1627 100644 --- a/roles/mkhomedir/tasks/main.yml +++ b/roles/mkhomedir/tasks/main.yml @@ -5,11 +5,15 @@ state: installed - name: Get current state of authselect - ansible.builtin.shell: - cmd: /usr/bin/authselect current --raw ; /bin/true + ansible.builtin.command: + argv: + - /usr/bin/authselect + - current + - "--raw" register: result check_mode: false changed_when: false + failed_when: result.rc not in [0, 2] - name: Enable mkhomedir ansible.builtin.command: From 243574e4150b24d1585960b7410bb7a4196ff9bd Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 19:17:45 +0000 Subject: [PATCH 499/713] sssd: Better error handling --- roles/sssd/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/sssd/tasks/main.yml b/roles/sssd/tasks/main.yml index e0410dc..1ce5a2a 100644 --- a/roles/sssd/tasks/main.yml +++ b/roles/sssd/tasks/main.yml @@ -26,9 +26,9 @@ - current - --raw register: result - failed_when: false check_mode: false changed_when: false + failed_when: result.rc not in [0, 2] - name: Switch authselect to use sssd ansible.builtin.command: From 872115a9a98f9dc7f66d0813d6e34f32b7b9a0e4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 19:32:52 +0000 Subject: [PATCH 500/713] keytab: Don't use hardcoded tempfile --- roles/keytab/tasks/main.yml | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/roles/keytab/tasks/main.yml b/roles/keytab/tasks/main.yml index 828e4fd..d41a2e3 100644 --- a/roles/keytab/tasks/main.yml +++ b/roles/keytab/tasks/main.yml 
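Review bot: `failed_when: result.rc not in [0, 2]` accepts exit code 2 without saying why, and the identical construct is added to the sssd role in PATCH 499/713; both tasks deserve a comment, e.g. `# authselect exits 2 when no profile is selected; treat that as "not configured", not as an error` (confirm against the installed authselect version). The argv is also written inconsistently between the two roles: this hunk quotes `- "--raw"` while the sssd hunk writes `- --raw`; a value starting with `-` followed by a non-space is a plain scalar, so neither needs quotes, and one form should be used in both. The enclosing task list continues outside the hunk.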
@@ -5,6 +5,21 @@ register: keytab_status check_mode: false +- name: Create temporary file + ansible.builtin.tempfile: + state: file + register: tempfile + when: not keytab_status.stat.exists + +- name: Initialize keytab + ansible.builtin.copy: + dest: tempfile.path + content: "\\0005\\0002\\c" + mode: "0600" + owner: root + group: "{{ ansible_wheel }}" + when: not keytab_status.stat.exists + - name: Add principal to keytab ansible.builtin.command: argv: @@ -13,7 +28,7 @@ - host=ldaps://ldap01.foo.sh - ktadd - -k - - "/tmp/{{ inventory_hostname }}.kt" + - "{{ tempfile.path }}" - "{{ item }}" with_items: "{{ keytab_principals }}" delegate_to: ldap01.home.foo.sh @@ -23,14 +38,14 @@ ansible.builtin.command: argv: - base64 - - "/tmp/{{ inventory_hostname }}.kt" + - "{{ tempfile.path }}" register: keytab_data delegate_to: ldap01.home.foo.sh when: not keytab_status.stat.exists - name: Delete temporary file ansible.builtin.file: - path: "/tmp/{{ inventory_hostname }}.kt" + path: "{{ tempfile.path }}" state: absent delegate_to: ldap01.home.foo.sh when: not keytab_status.stat.exists From 981b954682becf06559760349a08670bf57aefca Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 20:05:47 +0000 Subject: [PATCH 501/713] keytab: Try make code cleaner --- roles/keytab/files/empty.keytab | 1 + roles/keytab/tasks/main.yml | 78 ++++++++++++++++----------------- 2 files changed, 38 insertions(+), 41 deletions(-) create mode 100644 roles/keytab/files/empty.keytab diff --git a/roles/keytab/files/empty.keytab b/roles/keytab/files/empty.keytab new file mode 100644 index 0000000..2e2a96a --- /dev/null +++ b/roles/keytab/files/empty.keytab @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/roles/keytab/tasks/main.yml b/roles/keytab/tasks/main.yml index d41a2e3..ef83269 100644 --- a/roles/keytab/tasks/main.yml +++ b/roles/keytab/tasks/main.yml 
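Review bot: `dest: tempfile.path` in `Initialize keytab` is a literal string, not `"{{ tempfile.path }}"`, so the header is written to a file named `tempfile.path` in the remote working directory while the real temp file stays empty. The tempfile and copy tasks are also not delegated, so the temp file is created on the inventory host while `kadmin.local`, `base64` and the delete in the two later hunks run on ldap01.home.foo.sh against a path that does not exist there; every task in this sequence needs the same `delegate_to`. The header `content: "\\0005\\0002\\c"` is a YAML double-quoted string, so it yields the literal characters `\0005\0002\c` rather than the 0x05 0x02 keytab magic bytes; a binary `src:` file is the reliable way to seed it. The `base64` task registers the keytab contents in `keytab_data`, which is printed at higher verbosity; `no_log: true` on that task keeps key material out of logs.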
@@ -5,50 +5,46 @@ register: keytab_status check_mode: false -- name: Create temporary file - ansible.builtin.tempfile: - state: file - register: tempfile - when: not keytab_status.stat.exists +- name: Create keytab + block: + - name: Create temporary file + ansible.builtin.tempfile: + state: file + register: tempfile -- name: Initialize keytab - ansible.builtin.copy: - dest: tempfile.path - content: "\\0005\\0002\\c" - mode: "0600" - owner: root - group: "{{ ansible_wheel }}" - when: not keytab_status.stat.exists + - name: Initialize keytab + ansible.builtin.copy: + dest: "{{ tempfile.path }}" + src: empty.keytab + mode: "0600" + owner: root + group: "{{ ansible_wheel }}" -- name: Add principal to keytab - ansible.builtin.command: - argv: - - kadmin.local - - -x - - host=ldaps://ldap01.foo.sh - - ktadd - - -k - - "{{ tempfile.path }}" - - "{{ item }}" - with_items: "{{ keytab_principals }}" + - name: Add principal to keytab + ansible.builtin.command: + argv: + - kadmin.local + - -x + - host=ldaps://ldap01.foo.sh + - ktadd + - -k + - "{{ tempfile.path }}" + - "{{ item }}" + with_items: "{{ keytab_principals }}" + + - name: Get keytab + ansible.builtin.command: + argv: + - base64 + - "{{ tempfile.path }}" + register: keytab_data + + - name: Delete temporary file + ansible.builtin.file: + path: "{{ tempfile.path }}" + state: absent + when: not keytab_status.stat.exists delegate_to: ldap01.home.foo.sh - when: not keytab_status.stat.exists - -- name: Get keytab - ansible.builtin.command: - argv: - - base64 - - "{{ tempfile.path }}" - register: keytab_data - delegate_to: ldap01.home.foo.sh - when: not keytab_status.stat.exists - -- name: Delete temporary file - ansible.builtin.file: - path: "{{ tempfile.path }}" - state: absent - delegate_to: ldap01.home.foo.sh - when: not keytab_status.stat.exists - name: Deploy keytab file ansible.builtin.shell: >- From 139ef2183c86692ac0ee07adf0aac69b8f23705a Mon Sep 17 00:00:00 2001 
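Review bot: `Delete temporary file` is the last task inside `block:`, so if `kadmin.local` or `base64` fails the temp keytab holding freshly extracted principal keys is left behind on ldap01.home.foo.sh; moving the cleanup into an `always:` section of the same block removes it on every path. `Get keytab` still registers the base64-encoded keytab in `keytab_data` without `no_log: true`, so the key material appears in verbose output. `group: "{{ ansible_wheel }}"` on the delegated copy resolves the inventory host's variable, not ldap01's; that is only correct if both hosts define the same value, which I cannot confirm from the hunk.
```yaml
- name: Create keytab
  block:
    # … unchanged: Create temporary file, Initialize keytab, Add principal to keytab …
    - name: Get keytab
      ansible.builtin.command:
        argv:
          - base64
          - "{{ tempfile.path }}"
      register: keytab_data
      no_log: true
  always:
    - name: Delete temporary file
      ansible.builtin.file:
        path: "{{ tempfile.path }}"
        state: absent
      when: tempfile.path is defined
  when: not keytab_status.stat.exists
  delegate_to: ldap01.home.foo.sh
```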
From: Timo Makinen Date: Fri, 31 Jan 2025 15:51:35 +0000 Subject: [PATCH 502/713] Fix typo from sw-backup script --- playbooks/nms.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 8232a67..e0ce461 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -81,7 +81,7 @@ content: | #!/bin/sh set -eu - ssh "admin@{$1}" /export > "/srv/backup/${1}.rsc" + ssh "admin@${1}" /export > "/srv/backup/${1}.rsc" mode: "0755" owner: root group: "{{ ansible_wheel }}" From eaead4bc7f3fbc57afa7e3e5b3a1abbb781098fd Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 31 Jan 2025 16:16:26 +0000 Subject: [PATCH 503/713] Allow kerberos logins to print hosts --- playbooks/print.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/playbooks/print.yml b/playbooks/print.yml index 6b5e6d1..518f424 100644 --- a/playbooks/print.yml +++ b/playbooks/print.yml @@ -14,6 +14,9 @@ roles: - base + - role: keytab + keytab_principals: + - "host/{{ inventory_hostname }}@{{ kerberos_realm }}" - sssd - mkhomedir @@ -34,7 +37,7 @@ name: cups_server - name: Install keytab for CUPS - ansible.builtin.import_role: + ansible.builtin.include_role: name: keytab vars: keytab_path: /etc/cups/cups.keytab From 71a69af472fcee16de221039f7f6d3e5f149455a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 31 Jan 2025 16:42:02 +0000 Subject: [PATCH 504/713] sssd: Sort and group config options --- roles/sssd/templates/sssd.conf.j2 | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/sssd/templates/sssd.conf.j2 b/roles/sssd/templates/sssd.conf.j2 index 82aa6b1..6aed734 100644 --- a/roles/sssd/templates/sssd.conf.j2 +++ b/roles/sssd/templates/sssd.conf.j2 
@@ -8,11 +8,11 @@ domains = {{ kerberos_realm }} [pam] [domain/{{ kerberos_realm }}] -id_provider = ldap -auth_provider = krb5 -chpass_provider = ldap autofs_provider = none sudo_provider = none + +id_provider = ldap +chpass_provider = ldap ldap_uri = ldaps://{{ ldap_server[0] }} ldap_search_base = {{ ldap_basedn }} ldap_schema = rfc2307bis @@ -25,4 +25,6 @@ ldap_sasl_mech = EXTERNAL ldap_tls_cacert = {{ tls_bundle }} ldap_tls_cert = {{ tls_certs }}/{{ inventory_hostname }}.crt ldap_tls_key = {{ tls_private }}/{{ inventory_hostname }}.key + +auth_provider = krb5 krb5_realm = {{ kerberos_realm }} From 2c423fc0cafe4d2c2cd04774aebfc6ec63a45cd2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 31 Jan 2025 16:42:23 +0000 Subject: [PATCH 505/713] sssd: Allow limiting access by groups --- roles/sssd/templates/sssd.conf.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/sssd/templates/sssd.conf.j2 b/roles/sssd/templates/sssd.conf.j2 index 6aed734..38e7cf8 100644 --- a/roles/sssd/templates/sssd.conf.j2 +++ b/roles/sssd/templates/sssd.conf.j2 @@ -28,3 +28,8 @@ ldap_tls_key = {{ tls_private }}/{{ inventory_hostname }}.key auth_provider = krb5 krb5_realm = {{ kerberos_realm }} +{% if sssd_allow_groups is defined %} + +access_provider = simple +simple_allow_groups = {{ sssd_allow_groups | join(',') }} +{% endif %} From dc9a3a072530f67af655c966b7c30c93aed04932 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 31 Jan 2025 17:01:03 +0000 Subject: [PATCH 506/713] Limit access to hosts that have sssd running --- group_vars/adm.yml | 3 +++ group_vars/mail.yml | 4 ++++ group_vars/nas.yml | 3 +++ group_vars/nms.yml | 3 +++ group_vars/print.yml | 3 +++ group_vars/shell.yml | 5 +++-- group_vars/static.yml | 3 +++ 7 files changed, 22 insertions(+), 2 deletions(-) diff --git a/group_vars/adm.yml b/group_vars/adm.yml index 0a9a22a..a06d51b 100644 --- a/group_vars/adm.yml +++ b/group_vars/adm.yml 
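Review bot: When `sssd_allow_groups` is undefined the template emits no `access_provider` at all, and SSSD's built-in default for that option is `permit`, so every host without the variable keeps allowing any LDAP user to log in; PATCH 506/713 sets it for the adm, mail, nas, nms, print, shell and static groups, but any host group not listed there silently stays open. Make the default visible rather than implicit, for instance an `{% else %}` branch that writes `access_provider = permit` under a comment stating that the host intentionally accepts all LDAP users, so the decision shows up in the rendered file and in review. Changing this option only takes effect after sssd is restarted; the template task and its handler are outside the hunk, so confirm the task notifies a restart.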
@@ -7,3 +7,6 @@ firewall_in: - {proto: tcp, port: 80, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - {proto: tcp, port: 9100, from: [172.20.20.0/22]} + +sssd_allow_groups: + - sysadm diff --git a/group_vars/mail.yml b/group_vars/mail.yml index ebf99cb..4de52d0 100644 --- a/group_vars/mail.yml +++ b/group_vars/mail.yml @@ -2,6 +2,7 @@ datadisks: - {size: 10, type: nvme} mem_size: 4192 + firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 25} @@ -11,3 +12,6 @@ firewall_in: - {proto: tcp, port: 587} - {proto: tcp, port: 993} - {proto: tcp, port: 9100, from: [172.20.20.0/22]} + +sssd_allow_groups: + - sysadm diff --git a/group_vars/nas.yml b/group_vars/nas.yml index 18f29d9..5dac726 100644 --- a/group_vars/nas.yml +++ b/group_vars/nas.yml @@ -10,3 +10,6 @@ firewall_in: - {proto: tcp, port: 2049, from: [172.20.20.0/22]} - {proto: tcp, port: 2049, from: [172.20.30.0/24]} - {proto: tcp, port: 9100, from: [172.20.20.0/22]} + +sssd_allow_groups: + - root diff --git a/group_vars/nms.yml b/group_vars/nms.yml index bdfe2a9..b05d9f0 100644 --- a/group_vars/nms.yml +++ b/group_vars/nms.yml @@ -33,3 +33,6 @@ firewall_in: firewall_raw: - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - "-A INPUT -i eth1 -p vrrp -j ACCEPT" + +sssd_allow_groups: + - sysadm diff --git a/group_vars/print.yml b/group_vars/print.yml index 469cb94..27c7c02 100644 --- a/group_vars/print.yml +++ b/group_vars/print.yml @@ -22,3 +22,6 @@ firewall_in: firewall_raw: - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - "-A INPUT -i eth1 -p vrrp -j ACCEPT" + +sssd_allow_groups: + - sysadm diff --git a/group_vars/shell.yml b/group_vars/shell.yml index f61151a..6300cab 100644 --- a/group_vars/shell.yml +++ b/group_vars/shell.yml @@ -1,6 +1,4 @@ --- - -# beef up shell hosts dsk_size: 40 mem_size: 8192 num_cpus: 4 @@ -13,3 +11,6 @@ firewall_in: ssh_hostnames: - shell.foo.sh + +sssd_allow_groups: + - foosh 
diff --git a/group_vars/static.yml b/group_vars/static.yml index a6636ac..f211563 100644 --- a/group_vars/static.yml +++ b/group_vars/static.yml @@ -3,3 +3,6 @@ firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - {proto: tcp, port: 9100, from: [172.20.20.0/22]} + +sssd_allow_groups: + - root From 20f1af0ee44f0e7422084d5238771f4ec8eaa359 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 31 Jan 2025 18:03:18 +0000 Subject: [PATCH 507/713] ansible_host: Add support for LDAP queries --- roles/ansible_host/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ansible_host/tasks/main.yml b/roles/ansible_host/tasks/main.yml index bc8f455..171debe 100644 --- a/roles/ansible_host/tasks/main.yml +++ b/roles/ansible_host/tasks/main.yml @@ -9,6 +9,7 @@ - ansible-collection-community-general - patch # needed in next step - python3.9-dns # required for lookup('dig', 'hostname') + - python3.9-ldap # required for ldap modules - python3.9-netaddr # required by iptables role - name: Patch ansible to support python 3.12 clients From 0530194ac03cdeb37a0e5e60e22704ccde922bd5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 31 Jan 2025 18:56:03 +0000 Subject: [PATCH 508/713] base: Add ansible_server fact --- roles/base/tasks/main.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 5e3e14b..7fc1e5a 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -5,6 +5,20 @@ changed_when: false when: inventory_hostname | split('.') | length == 4 +- name: Get ansible server name + ansible.builtin.command: + argv: + - hostname + - -f + changed_when: false + delegate_to: localhost + register: result + +- name: Store ansible server name + ansible.builtin.set_fact: + ansible_server: "{{ result.stdout }}" + cacheable: false + - name: Setup ansible custom facts ansible.builtin.file: dest: "{{ item }}" 
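Review bot: `Get ansible server name` runs `hostname -f` without `check_mode: false`, so in `--check` the command is skipped and the following `set_fact` fails on the undefined `result.stdout`; the authselect tasks in PATCH 498/713 and 499/713 pair `changed_when: false` with `check_mode: false`, and this task should too. The command is also executed on localhost once per inventory host; `run_once: true` on both tasks avoids the repetition, since a fact set with `run_once` is available to every host in the play. `cacheable: false` is the module default and can be dropped. The `ansible_` prefix is reserved for Ansible's own facts and connection variables and ansible-lint's var-naming rule flags it; a name such as `control_hostname` would avoid that, though that rename reaches beyond this hunk.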
From 45557e0bc156fed5eea29212166d6d2d1c8fbfbc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 31 Jan 2025 19:11:09 +0000 Subject: [PATCH 509/713] dhcpd: Add support for reading host data from LDAP --- roles/dhcpd/tasks/main.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/roles/dhcpd/tasks/main.yml b/roles/dhcpd/tasks/main.yml index 8722f27..134b4ed 100644 --- a/roles/dhcpd/tasks/main.yml +++ b/roles/dhcpd/tasks/main.yml @@ -7,6 +7,24 @@ name: "{{ dhcpd_package }}" state: installed +- name: Get host data from LDAP + community.general.ldap_search: + attrs: + - cn + - ipHostNumber + - macAddress + client_cert: >- + {{ hostvars[ansible_server]['tls_certs'] + '/' + ansible_server }}.crt + client_key: >- + {{ hostvars[ansible_server]['tls_private'] + '/' + ansible_server }}.key + dn: "{{ dhcpd_ldap_basedn | default(ldap_basedn) }}" + filter: "{{ dhcpd_ldap_filter }}" + scope: subordinate + server_uri: "ldaps://{{ ldap_server[0] }}" + delegate_to: localhost + register: ldap_hosts + when: dhcpd_ldap_filter is defined + - name: Create config ansible.builtin.template: dest: "{{ dhcpd_config }}" From a935deb439f0a56e3423e3e73d0680bbb455122c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 31 Jan 2025 19:12:06 +0000 Subject: [PATCH 510/713] dhcpd: Read printers from LDAP --- group_vars/print.yml | 1 + roles/dhcpd/templates/dhcpd.conf.print.j2 | 10 ++++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/group_vars/print.yml b/group_vars/print.yml index 27c7c02..71357fb 100644 --- a/group_vars/print.yml +++ b/group_vars/print.yml @@ -23,5 +23,6 @@ firewall_raw: - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - "-A INPUT -i eth1 -p vrrp -j ACCEPT" +dhcpd_ldap_filter: "(&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.print.foo.sh))" sssd_allow_groups: - sysadm diff --git a/roles/dhcpd/templates/dhcpd.conf.print.j2 b/roles/dhcpd/templates/dhcpd.conf.print.j2 index ca0ab35..da5c2e7 100644 
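Review bot: `Get host data from LDAP` is guarded by `when: dhcpd_ldap_filter is defined`, but the dhcpd.conf.print.j2 template in PATCH 510/713 reads `ldap_hosts.results` unconditionally, so on a host without the filter the registered variable holds only a skipped result and the template fails; either always run the search with a default filter or guard the template loop with `{% if ldap_hosts.results is defined %}`. Because the task is delegated to localhost and authenticates with the control host's certificate taken from `hostvars[ansible_server]`, it silently depends on the `ansible_server` fact from PATCH 508/713 and on that host having `tls_certs` and `tls_private` set; a comment naming that dependency, e.g. `# runs on the controller with its own client certificate (ansible_server is set by the base role)`, would save the next reader a search. The values returned from LDAP are later written verbatim into the dhcpd configuration, so the `Create config` template task should validate the rendered file before installing it — for ISC dhcpd, `validate: "dhcpd -t -cf %s"` — since one malformed `macAddress` or `ipHostNumber` entry would otherwise take the DHCP service down on restart. The `Create config` task continues outside the hunk.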
--- a/roles/dhcpd/templates/dhcpd.conf.print.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.print.j2 @@ -29,10 +29,12 @@ shared-network PRINTNET { use-host-decl-names on; } - host hp1.print.foo.sh { - option host-name "hp1.print.foo.sh"; - hardware ethernet 00:15:99:22:79:46; - fixed-address 172.20.24.101; +{% for host in ldap_hosts.results %} + host {{ host['cn'] }} { + option host-name "{{ host['cn'] }}"; + hardware ethernet {{ host['macAddress'] }}; + fixed-address {{ host['ipHostNumber'] }}; } +{% endfor %} } From 07a6e1b1245e87280ccdaf8befee7176fd11812a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 31 Jan 2025 19:15:12 +0000 Subject: [PATCH 511/713] Fix yamllint errors --- group_vars/print.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/group_vars/print.yml b/group_vars/print.yml index 71357fb..8ee8cd3 100644 --- a/group_vars/print.yml +++ b/group_vars/print.yml @@ -23,6 +23,7 @@ firewall_raw: - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - "-A INPUT -i eth1 -p vrrp -j ACCEPT" -dhcpd_ldap_filter: "(&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.print.foo.sh))" +dhcpd_ldap_filter: >- + (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.print.foo.sh)) sssd_allow_groups: - sysadm From 3328152314f1ef2f77897b7606acc8c70f3066f9 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Feb 2025 15:17:41 +0000 Subject: [PATCH 512/713] rocketchat: Update to 7.3.0 --- hosts.yml | 2 +- roles/rocketchat/tasks/main.yml | 12 +++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/hosts.yml b/hosts.yml index e9d66be..5c9c473 100644 --- a/hosts.yml +++ b/hosts.yml @@ -92,7 +92,7 @@ ocinode: oci-node02.home.foo.sh: vars: grafana_version: "11.3.1" - rocketchat_version: "7.1.0" + rocketchat_version: "7.3.0" roundcube_version: "1.6.9" print: hosts: diff --git a/roles/rocketchat/tasks/main.yml b/roles/rocketchat/tasks/main.yml index 07fd33a..da102d0 100644 --- a/roles/rocketchat/tasks/main.yml 
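Review bot: The loop writes `{{ host['macAddress'] }}` and `{{ host['ipHostNumber'] }}` straight into `hardware ethernet` and `fixed-address`, but both attributes are multi-valued in the RFC 2307 schema, and for an entry with several values `ldap_search` is likely to return a list (confirm against the collection version), so the rendered line would contain a list literal and break the config; either document that the directory is maintained with exactly one value per host, or add an `ansible.builtin.assert` over `ldap_hosts.results` that `item.macAddress is string` and `item.ipHostNumber is string` before the template runs. There is also no `{% if ldap_hosts.results is defined %}` guard around the loop, so rendering fails whenever the LDAP task was skipped. The enclosing `shared-network PRINTNET` block starts outside the hunk.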
+++ b/roles/rocketchat/tasks/main.yml @@ -28,13 +28,23 @@ check_mode: false register: rocketchat_cert_key +- name: Get rocketchat subgid value + ansible.builtin.command: + argv: + - sed + - -n + - 's/^rocketchat:\([0-9]\+\):[0-9]\+$/\1/p' + - /etc/subuid + changed_when: false + register: result + - name: Create combined certificate/private key file ansible.builtin.copy: dest: "{{ tls_private }}/rocketchat.pem" content: "{{ rocketchat_cert_key.stdout }}" mode: "0640" owner: root - group: rocketchat + group: "{{ result.stdout | int + 65532 }}" notify: Restart rocketchat - name: Create service config From 13eed061245f8ccb4b8245cc503c93f6d1b04fbf Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Feb 2025 16:33:37 +0000 Subject: [PATCH 513/713] cups_server: Fix sharing options --- .../files/cups-ppd/Samsung_ML-3051ND.ppd | 219 ++++++++++++++++++ roles/cups_server/tasks/main.yml | 19 +- 2 files changed, 236 insertions(+), 2 deletions(-) create mode 100644 roles/cups_server/files/cups-ppd/Samsung_ML-3051ND.ppd diff --git a/roles/cups_server/files/cups-ppd/Samsung_ML-3051ND.ppd b/roles/cups_server/files/cups-ppd/Samsung_ML-3051ND.ppd new file mode 100644 index 0000000..2e13ae2 --- /dev/null +++ b/roles/cups_server/files/cups-ppd/Samsung_ML-3051ND.ppd 
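Review bot: The task named `Get rocketchat subgid value` reads `/etc/subuid`, and the result is then used for `group:` ownership; group ranges come from `/etc/subgid`, so the path should be `/etc/subgid` — or, if the two ranges are deliberately assumed identical, the task name and a comment should say so. If the sed prints nothing, `"" | int` is 0 and the file is silently chgrp'd to gid 65532 instead of failing; `failed_when: result.stdout == ""` on the sed task catches that. The `+ 65532` offset is unexplained; a comment of the form `# host gid of the container's rocketchat group = subgid range start + <container-gid offset>` with the real offset filled in would make the arithmetic checkable. The file holds the TLS private key at mode 0640, so getting this group wrong either exposes the key to an unrelated gid or breaks the service.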
@@ -0,0 +1,219 @@ +*PPD-Adobe: "4.3" +*% +*% For information on using this, and to obtain the required backend +*% script, consult http://www.openprinting.org/ +*% +*% This file is published under the GNU General Public License +*% +*% PPD-O-MATIC (4.0.0 or newer) generated this PPD file. It is for use with +*% all programs and environments which use PPD files for dealing with +*% printer capability information. The printer must be configured with the +*% "foomatic-rip" backend filter script of Foomatic 4.0.0 or newer. This +*% file and "foomatic-rip" work together to support PPD-controlled printer +*% driver option access with all supported printer drivers and printing +*% spoolers. +*% +*% To save this file on your disk, wait until the download has completed +*% (the animation of the browser logo must stop) and then use the +*% "Save as..." command in the "File" menu of your browser or in the +*% pop-up manu when you click on this document with the right mouse button. +*% DO NOT cut and paste this file into an editor with your mouse. This can +*% introduce additional line breaks which lead to unexpected results. 
+*% +*% You may save this file as 'Samsung-ML-3051ND-Postscript.ppd' +*% +*% +*FormatVersion: "4.3" +*FileVersion: "1.1" +*LanguageVersion: English +*LanguageEncoding: ISOLatin1 +*PCFileName: "POSTSCRI.PPD" +*Manufacturer: "Samsung" +*Product: "(ML-3051ND)" +*cupsVersion: 1.0 +*cupsManualCopies: True +*cupsModelNumber: 2 +*cupsFilter: "application/vnd.cups-postscript 100 foomatic-rip" +*cupsFilter: "application/vnd.cups-pdf 0 foomatic-rip" +*%pprRIP: foomatic-rip other +*ModelName: "Samsung ML-3051ND" +*ShortNickName: "Samsung ML-3051ND Postscript" +*NickName: "Samsung ML-3051ND Foomatic/Postscript (recommended)" +*PSVersion: "(3010.000) 550" +*PSVersion: "(3010.000) 651" +*PSVersion: "(3010.000) 652" +*PSVersion: "(3010.000) 653" +*PSVersion: "(3010.000) 704" +*PSVersion: "(3010.000) 705" +*PSVersion: "(3010.000) 800" +*PSVersion: "(3010.000) 815" +*PSVersion: "(3010.000) 850" +*PSVersion: "(3010.000) 860" +*PSVersion: "(3010.000) 861" +*PSVersion: "(3010.000) 862" +*PSVersion: "(3010.000) 863" +*PSVersion: "(3010.000) 864" +*PSVersion: "(3010.000) 870" +*LanguageLevel: "3" +*ColorDevice: False +*DefaultColorSpace: Gray +*FileSystem: False +*Throughput: "1" +*LandscapeOrientation: Plus90 +*TTRasterizer: Type42 +*1284DeviceID: "MFG:Samsung;MDL:ML-3051ND;DRV:DPostscript,R1,M0,TP;" + +*driverName Postscript: "" +*driverType P/PostScript: "" +*driverUrl: "http://partners.adobe.com/public/developer/ps/index_specs.html" +*driverObsolete: False +*driverManufacturerSupplied: False + + + + +*HWMargins: 18 36 18 36 +*VariablePaperSize: True +*MaxMediaWidth: 100000 +*MaxMediaHeight: 100000 +*NonUIOrderDependency: 100 AnySetup *CustomPageSize +*CustomPageSize True: "pop pop pop +<>setpagedevice" +*End +*ParamCustomPageSize Width: 1 points 36 100000 +*ParamCustomPageSize Height: 2 points 36 100000 +*ParamCustomPageSize Orientation: 3 int 0 0 +*ParamCustomPageSize WidthOffset: 4 points 0 0 +*ParamCustomPageSize HeightOffset: 5 points 0 0 + +*FoomaticIDs: Samsung-ML-3051ND 
Postscript +*FoomaticRIPCommandLine: "cat%A%B%Z" +*FoomaticRIPNoPageAccounting: True + +*OpenGroup: General/General + +*OpenUI *PageSize/Page Size: PickOne +*OrderDependency: 100 AnySetup *PageSize +*DefaultPageSize: Letter +*PageSize Letter/US Letter: "<>setpagedevice" +*PageSize A4/A4: "<>setpagedevice" +*PageSize 11x17/11x17: "<>setpagedevice" +*PageSize A3/A3: "<>setpagedevice" +*PageSize A5/A5: "<>setpagedevice" +*PageSize B5/B5 (JIS): "<>setpagedevice" +*PageSize Env10/Envelope #10: "<>setpagedevice" +*PageSize EnvC5/Envelope C5: "<>setpagedevice" +*PageSize EnvDL/Envelope DL: "<>setpagedevice" +*PageSize EnvISOB5/Envelope B5: "<>setpagedevice" +*PageSize EnvMonarch/Envelope Monarch: "<>setpagedevice" +*PageSize Executive/Executive: "<>setpagedevice" +*PageSize Legal/US Legal: "<>setpagedevice" +*CloseUI: *PageSize + +*OpenUI *PageRegion: PickOne +*OrderDependency: 100 AnySetup *PageRegion +*DefaultPageRegion: Letter +*PageRegion Letter/US Letter: "<>setpagedevice" +*PageRegion A4/A4: "<>setpagedevice" +*PageRegion 11x17/11x17: "<>setpagedevice" +*PageRegion A3/A3: "<>setpagedevice" +*PageRegion A5/A5: "<>setpagedevice" +*PageRegion B5/B5 (JIS): "<>setpagedevice" +*PageRegion Env10/Envelope #10: "<>setpagedevice" +*PageRegion EnvC5/Envelope C5: "<>setpagedevice" +*PageRegion EnvDL/Envelope DL: "<>setpagedevice" +*PageRegion EnvISOB5/Envelope B5: "<>setpagedevice" +*PageRegion EnvMonarch/Envelope Monarch: "<>setpagedevice" +*PageRegion Executive/Executive: "<>setpagedevice" +*PageRegion Legal/US Legal: "<>setpagedevice" +*CloseUI: *PageRegion + +*DefaultImageableArea: Letter +*ImageableArea Letter/US Letter: "18 36 594 756" +*ImageableArea A4/A4: "18 36 577 806" +*ImageableArea 11x17/11x17: "18 36 774 1188" +*ImageableArea A3/A3: "18 36 824 1155" +*ImageableArea A5/A5: "18 36 403 559" +*ImageableArea B5/B5 (JIS): "18 36 498 693" +*ImageableArea Env10/Envelope #10: "18 36 279 648" +*ImageableArea EnvC5/Envelope C5: "18 36 441 613" +*ImageableArea EnvDL/Envelope 
DL: "18 36 294 588" +*ImageableArea EnvISOB5/Envelope B5: "18 36 481 673" +*ImageableArea EnvMonarch/Envelope Monarch: "18 36 261 504" +*ImageableArea Executive/Executive: "18 36 504 720" +*ImageableArea Legal/US Legal: "18 36 594 972" + +*DefaultPaperDimension: Letter +*PaperDimension Letter/US Letter: "612 792" +*PaperDimension A4/A4: "595 842" +*PaperDimension 11x17/11x17: "792 1224" +*PaperDimension A3/A3: "842 1191" +*PaperDimension A5/A5: "421 595" +*PaperDimension B5/B5 (JIS): "516 729" +*PaperDimension Env10/Envelope #10: "297 684" +*PaperDimension EnvC5/Envelope C5: "459 649" +*PaperDimension EnvDL/Envelope DL: "312 624" +*PaperDimension EnvISOB5/Envelope B5: "499 709" +*PaperDimension EnvMonarch/Envelope Monarch: "279 540" +*PaperDimension Executive/Executive: "522 756" +*PaperDimension Legal/US Legal: "612 1008" + +*OpenUI *Duplex/Double-Sided Printing: PickOne +*OrderDependency: 130 AnySetup *Duplex +*DefaultDuplex: None +*Duplex DuplexNoTumble/Long Edge (Standard): "<>setpagedevice" +*Duplex DuplexTumble/Short Edge (Flip): "<>setpagedevice" +*Duplex None/Off: "<>setpagedevice" +*CloseUI: *Duplex + +*OpenUI *Resolution/Resolution: PickOne +*OrderDependency: 90 AnySetup *Resolution +*DefaultResolution: 600x600dpi +*Resolution 150x150dpi/150x150 DPI: "<>setpagedevice" +*Resolution 300x300dpi/300x300 DPI: "<>setpagedevice" +*Resolution 600x600dpi/600x600 DPI: "<>setpagedevice" +*Resolution 1200x1200dpi/1200x1200 DPI: "<>setpagedevice" +*CloseUI: *Resolution + +*CloseGroup: General + + +*% Generic boilerplate PPD stuff as standard PostScript fonts and so on + +*DefaultFont: Courier +*Font AvantGarde-Book: Standard "(001.006S)" Standard ROM +*Font AvantGarde-BookOblique: Standard "(001.006S)" Standard ROM +*Font AvantGarde-Demi: Standard "(001.007S)" Standard ROM +*Font AvantGarde-DemiOblique: Standard "(001.007S)" Standard ROM +*Font Bookman-Demi: Standard "(001.004S)" Standard ROM +*Font Bookman-DemiItalic: Standard "(001.004S)" Standard ROM +*Font 
Bookman-Light: Standard "(001.004S)" Standard ROM +*Font Bookman-LightItalic: Standard "(001.004S)" Standard ROM +*Font Courier: Standard "(002.004S)" Standard ROM +*Font Courier-Bold: Standard "(002.004S)" Standard ROM +*Font Courier-BoldOblique: Standard "(002.004S)" Standard ROM +*Font Courier-Oblique: Standard "(002.004S)" Standard ROM +*Font Helvetica: Standard "(001.006S)" Standard ROM +*Font Helvetica-Bold: Standard "(001.007S)" Standard ROM +*Font Helvetica-BoldOblique: Standard "(001.007S)" Standard ROM +*Font Helvetica-Narrow: Standard "(001.006S)" Standard ROM +*Font Helvetica-Narrow-Bold: Standard "(001.007S)" Standard ROM +*Font Helvetica-Narrow-BoldOblique: Standard "(001.007S)" Standard ROM +*Font Helvetica-Narrow-Oblique: Standard "(001.006S)" Standard ROM +*Font Helvetica-Oblique: Standard "(001.006S)" Standard ROM +*Font NewCenturySchlbk-Bold: Standard "(001.009S)" Standard ROM +*Font NewCenturySchlbk-BoldItalic: Standard "(001.007S)" Standard ROM +*Font NewCenturySchlbk-Italic: Standard "(001.006S)" Standard ROM +*Font NewCenturySchlbk-Roman: Standard "(001.007S)" Standard ROM +*Font Palatino-Bold: Standard "(001.005S)" Standard ROM +*Font Palatino-BoldItalic: Standard "(001.005S)" Standard ROM +*Font Palatino-Italic: Standard "(001.005S)" Standard ROM +*Font Palatino-Roman: Standard "(001.005S)" Standard ROM +*Font Symbol: Special "(001.007S)" Special ROM +*Font Times-Bold: Standard "(001.007S)" Standard ROM +*Font Times-BoldItalic: Standard "(001.009S)" Standard ROM +*Font Times-Italic: Standard "(001.007S)" Standard ROM +*Font Times-Roman: Standard "(001.007S)" Standard ROM +*Font ZapfChancery-MediumItalic: Standard "(001.007S)" Standard ROM +*Font ZapfDingbats: Special "(001.004S)" Standard ROM + diff --git a/roles/cups_server/tasks/main.yml b/roles/cups_server/tasks/main.yml index 9b4bcc3..1c44960 100644 --- a/roles/cups_server/tasks/main.yml +++ b/roles/cups_server/tasks/main.yml 
@@ -36,6 +36,13 @@ line: "#Listen 631" notify: Restart cups +- name: Share printers + ansible.builtin.lineinfile: + path: /etc/cups/cupsd.conf + line: "Port 631" + insertbefore: "^Listen .*.sock" + notify: Restart cups + - name: Set ssl listen port ansible.builtin.lineinfile: path: /etc/cups/cupsd.conf @@ -86,11 +93,11 @@ force: true notify: Restart cups -- name: Disable printer advertising +- name: Enable printer sharing ansible.builtin.lineinfile: path: /etc/cups/cupsd.conf regexp: "^Browsing .*" - line: "Browsing No" + line: "Browsing Yes" notify: Restart cups - name: Disable unauthenticated access from cups @@ -147,3 +154,11 @@ name: cups enabled: true state: started + +- name: Copy ppd files + ansible.builtin.copy: + dest: /usr/local/share/cups-ppd/ + src: cups-ppd/ + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" From 12cb205ff52bfb7c239584640884624bbe15cb95 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Feb 2025 16:38:01 +0000 Subject: [PATCH 514/713] Update software submodule --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index 2f00235..f650a93 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit 2f00235a10cbd03324e3f21cbdebbf0b2f9ca1e5 +Subproject commit f650a934cd4494f909c58f5d22a0ee89544679e7 From 2468b1ffcd804507f382cd1d3c6b90993a79037d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Feb 2025 16:52:37 +0000 Subject: [PATCH 515/713] Update software submodule --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index f650a93..4e49fa0 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit f650a934cd4494f909c58f5d22a0ee89544679e7 +Subproject commit 4e49fa062a7fe4145c9d4cd3b3f79428e101b3f4 From 56d15d0cf161920d2c16ad7962ca5d869e66bef8 Mon Sep 17 00:00:00 2001 
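Review bot: `Port 631` in the new "Share printers" task makes cupsd accept connections on every interface and address family, which is broader than sharing to the printer/client network requires; an address-specific `Listen <address>:631` (the file already carries a socket `Listen` line, as the `insertbefore` anchor shows) keeps the web UI and IPP endpoint off interfaces that should never see them. Whether the host firewall limits 631 cannot be confirmed from this hunk, so please check that `firewall_in` on the print hosts restricts the port to the intended source networks. The task name describes the later `Browsing Yes` change rather than this directive; `- name: Listen for network clients` would be clearer. Minor: in `insertbefore: "^Listen .*.sock"` the dot before `sock` is unescaped, and `insertbefore: '^Listen .*\.sock'` is the intended anchor.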
From: Timo Makinen Date: Sat, 1 Feb 2025 17:19:43 +0000 Subject: [PATCH 516/713] Update software submodule --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index 4e49fa0..b9a2d06 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit 4e49fa062a7fe4145c9d4cd3b3f79428e101b3f4 +Subproject commit b9a2d06df00afafcc47403cc5334c64c7fa2f594 From 34624667dced4a6062dc9c24f6fef6772a77a251 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Feb 2025 17:24:07 +0000 Subject: [PATCH 517/713] Add printing support to adm and nms hosts --- playbooks/adm.yml | 1 + playbooks/nms.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 06d5894..69cfb42 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml @@ -27,6 +27,7 @@ - base - ansible_host - certbot + - cups - sshca - ssh_known_hosts - role: keytab diff --git a/playbooks/nms.yml b/playbooks/nms.yml index e0ce461..856e221 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -25,6 +25,7 @@ roles: - base + - cups - nginx - role: nginx_site nginx_site_name: oob.foo.sh From a7290490609e407a3ae1a83d63ad6e5913a6ec81 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Feb 2025 18:36:49 +0000 Subject: [PATCH 518/713] cups_server: Configure printers from LDAP No modify supported just add and delete. --- roles/cups_server/tasks/main.yml | 80 ++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/roles/cups_server/tasks/main.yml b/roles/cups_server/tasks/main.yml index 1c44960..849543c 100644 --- a/roles/cups_server/tasks/main.yml +++ b/roles/cups_server/tasks/main.yml 
@@ -162,3 +162,83 @@ mode: "0644" owner: root group: "{{ ansible_wheel }}" + +- name: Get printers from LDAP + community.general.ldap_search: + attrs: + - cn + - description + - l + client_cert: >- + {{ hostvars[ansible_server]['tls_certs'] + '/' + ansible_server }}.crt + client_key: >- + {{ hostvars[ansible_server]['tls_private'] + '/' + ansible_server }}.key + dn: "{{ ldap_basedn }}" + filter: "(&(objectClass=device)(cn=*.print.foo.sh))" + scope: subordinate + server_uri: "ldaps://{{ ldap_server[0] }}" + delegate_to: localhost + register: printers + +- name: Get printers list + ansible.builtin.command: + argv: + - lpstat + - -e + changed_when: false + register: result + +- name: Add printers + ansible.builtin.command: + argv: + - lpadmin + - -D + - "{{ item.description }}" + - -i + - >- + {{ + '/usr/local/share/cups-ppd/' + + item.description | regex_replace(' ', '_') + + '.ppd' + }} + - -L + - "{{ item.l }}" + - -o + - media=a4 + - -o + - cupsSNMPSupplies=true + - -o + - printer-error-policy=abort-job + - -o + - printer-is-shared=true + - -v + - "http://{{ item.cn }}:631" + - -p + - "{{ item.cn | split('.') | first }}" + - -E + with_items: >- + {{ + printers.results | rejectattr( + 'cn', + 'in', + result.stdout_lines | map('regex_replace', '$', '.print.foo.sh' + ) | list) | list + }} + +- name: Remove printers + ansible.builtin.command: + argv: + - lpadmin + - -x + - "{{ item }}" + with_items: >- + {{ + result.stdout_lines | reject( + 'in', + printers.results | map(attribute='cn') | map( + 'regex_replace', + '.print.foo.sh$', + '' + ) | list + ) | list + }} From 4325511f350ef1a334e1a4e41e265b49b825031e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Feb 2025 19:00:41 +0000 Subject: [PATCH 519/713] Sort and group variables --- group_vars/print.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/group_vars/print.yml b/group_vars/print.yml index 8ee8cd3..ede482a 100644 --- a/group_vars/print.yml +++ b/group_vars/print.yml 
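Review bot: the PPD path handed to `lpadmin -i` is built from the LDAP `description` attribute with only spaces rewritten, so a value containing `/` or `..` makes lpadmin load a PPD from outside `/usr/local/share/cups-ppd/`; anyone able to edit printer objects under `ldap_basedn` can therefore point a queue at an arbitrary file on the print server. Restrict the derived name to a safe character set, e.g. `item.description | regex_replace('[^A-Za-z0-9_.-]', '_')`, and give the `-p` name built from `item.cn` the same treatment. An entry without `description` or `l` would presumably abort the template; `item.description | default(item.cn)` keeps the run going if that can happen. The remove task drops every `lpstat -e` destination that is not in LDAP, which matches the commit message but means a manually added queue disappears on the next run; a one-line task comment stating that LDAP is authoritative would save the next operator a surprise.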
@@ -7,12 +7,6 @@ network_vip_interfaces: pass: "{{ vip24_pass }}" priority: "{{ vip24_priority }}" -dhcpd_template: dhcpd.conf.print.j2 - -unbound_zones: - - 24.20.172.in-addr.arpa - - print.foo.sh - firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 53, from: [172.20.24.0/24]} @@ -23,7 +17,11 @@ firewall_raw: - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - "-A INPUT -i eth1 -p vrrp -j ACCEPT" +dhcpd_template: dhcpd.conf.print.j2 dhcpd_ldap_filter: >- (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.print.foo.sh)) sssd_allow_groups: - sysadm +unbound_zones: + - 24.20.172.in-addr.arpa + - print.foo.sh From dff8b4d72b5618beec28d6c2a4189da41add98f3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Feb 2025 19:01:12 +0000 Subject: [PATCH 520/713] Add mail relay to print hosts --- playbooks/print.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/playbooks/print.yml b/playbooks/print.yml index 518f424..733aa88 100644 --- a/playbooks/print.yml +++ b/playbooks/print.yml @@ -42,3 +42,10 @@ vars: keytab_path: /etc/cups/cups.keytab keytab_principals: "HTTP/print.foo.sh@{{ kerberos_realm }}" + + - name: Enable postfix mail relay + ansible.builtin.import_role: + name: postfix + tasks_from: relay + vars: + relay_domains: [foo.sh] From db91fe6345fc3f78e82ceb752f35f251be5c7cbb Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 2 Feb 2025 15:18:47 +0000 Subject: [PATCH 521/713] base: Refactor export mount fact --- roles/base/files/export.fact.sh | 9 +++++++++ roles/base/tasks/main.yml | 8 +------- 2 files changed, 10 insertions(+), 7 deletions(-) create mode 100755 roles/base/files/export.fact.sh diff --git a/roles/base/files/export.fact.sh b/roles/base/files/export.fact.sh new file mode 100755 index 0000000..1f3075e --- /dev/null +++ b/roles/base/files/export.fact.sh @@ -0,0 +1,9 @@ +#!/bin/sh + +set -eu + +if mount | grep -qE "on /export" ; then + echo "true" +else + echo "false" +fi 
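Review bot: `grep -qE "on /export"` in export.fact.sh is an unanchored prefix match, so a mount at `/exports`, `/export2` or a sub-mount such as `/export/data` also yields `true` even when `/export` itself is not mounted. Anchoring on the surrounding spaces, `if mount | grep -q ' on /export ' ; then`, matches the `<dev> on <mountpoint> type <fs>` form `mount` prints on the Linux and OpenBSD hosts this repository targets (please verify on both) and drops the unneeded `-E`. Compared with the old `[ -d /export ]` test this is still an improvement, since an empty leftover directory no longer makes data paths land on the root filesystem.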
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 7fc1e5a..cf661ed 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -33,13 +33,7 @@ - name: Add ansible_export fact ansible.builtin.copy: dest: /etc/ansible/facts.d/export.fact - content: | - #!/bin/sh - if [ -d /export ]; then - echo "true" - else - echo "false" - fi + src: export.fact.sh mode: "0755" owner: root group: "{{ ansible_wheel }}" From d2fb048b7deb8352549b62f42cc8c3aed72c2862 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 2 Feb 2025 15:19:38 +0000 Subject: [PATCH 522/713] backup_base: Fix data directory path --- roles/backup_base/tasks/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/backup_base/tasks/main.yml b/roles/backup_base/tasks/main.yml index 3d842b6..cb10097 100644 --- a/roles/backup_base/tasks/main.yml +++ b/roles/backup_base/tasks/main.yml @@ -16,7 +16,7 @@ - name: Create backup directory ansible.builtin.file: - path: /export/backup + path: "{{ backup_datadir }}" state: directory mode: "0750" owner: root @@ -25,11 +25,12 @@ - name: Link backup directory ansible.builtin.file: dest: /srv/backup - src: /export/backup + src: "{{ backup_datadir }}" state: link owner: root group: "{{ ansible_wheel }}" follow: false + when: backup_datadir != "/srv/backup" - name: Create authorized_keys ansible.builtin.copy: From b3ebfa71e722b2a992b7a4c8428a8e298cb6faae Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 2 Feb 2025 15:21:26 +0000 Subject: [PATCH 523/713] ldap_server: Refactor variables --- roles/ldap_server/defaults/main.yml | 1 + roles/ldap_server/tasks/main.yml | 2 +- roles/ldap_server/templates/slapd.conf.j2 | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/ldap_server/defaults/main.yml b/roles/ldap_server/defaults/main.yml index 3454578..0563395 100644 --- a/roles/ldap_server/defaults/main.yml +++ b/roles/ldap_server/defaults/main.yml 
@@ -5,3 +5,4 @@ ldap_datadir: >- {% if ansible_local['export'] %}/export{% else %}/srv{% endif %}/ldap ldap_backupdir: >- {% if ansible_local['export'] -%}/export{% else -%}/srv{% endif -%}/backup +ldap_master: false diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index 9669610..834ac03 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml @@ -48,7 +48,7 @@ - name: Link LDAP data directory ansible.builtin.file: path: /srv/ldap - src: /export/ldap + src: "{{ ldap_datadir }}" state: link owner: root group: root diff --git a/roles/ldap_server/templates/slapd.conf.j2 b/roles/ldap_server/templates/slapd.conf.j2 index 903639c..7ec559c 100644 --- a/roles/ldap_server/templates/slapd.conf.j2 +++ b/roles/ldap_server/templates/slapd.conf.j2 @@ -88,7 +88,7 @@ memberof-memberof-ad memberOf # access without access to clear text data directory /srv/ldap -{% if ldap_master is not defined %} +{% if not ldap_master %} # replication syncrepl rid={{ 999 | random(seed=inventory_hostname) }} provider=ldaps://ldap01.foo.sh From 1ae9d88346021914681c3d41e3cde2c8cbd8d342 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 2 Feb 2025 15:21:59 +0000 Subject: [PATCH 524/713] ldap_server: Allow everyone to read root object --- roles/ldap_server/templates/slapd.conf.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/ldap_server/templates/slapd.conf.j2 b/roles/ldap_server/templates/slapd.conf.j2 index 7ec559c..98efbea 100644 --- a/roles/ldap_server/templates/slapd.conf.j2 +++ b/roles/ldap_server/templates/slapd.conf.j2 @@ -139,6 +139,10 @@ authz-regexp "uid=([^.]\+),cn=login,cn=auth" "ldap:///{{ ldap_basedn }}??sub?(&(uid=$1)(objectClass=posixAccount))" +# allow everyone to read root object +access to dn.base={{ ldap_basedn }} + by * read + # require authentication for authenticated users that don't match above access to * by dn.children="cn=peercred,cn=external,cn=auth" auth 
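Review bot: "Link LDAP data directory" now uses `src: "{{ ldap_datadir }}"`, and the default added in the same commit resolves to `/srv/ldap` whenever `ansible_local['export']` is false, so on a host without an export mount the task tries to turn `/srv/ldap` into a symlink to itself (or fails because the directory already exists). The backup_base role in this series guards the equivalent task with `when: backup_datadir != "/srv/backup"`; the same guard belongs here: `when: ldap_datadir != "/srv/ldap"`. The remainder of the task (state, owner, group) lies outside the hunk.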
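Review bot: the new rule `access to dn.base={{ ldap_basedn }} by * read` grants anonymous read of every attribute on the suffix entry, not merely its existence, and the comment does not say which client needs that. If the intent is only to let unauthenticated clients confirm the base DN (e.g. for directory discovery), `access to dn.base={{ ldap_basedn }} attrs=entry,objectClass by * read` is sufficient and keeps anything later added to the root entry (`description`, contact data) from being exposed; in either case name the intended consumer in the comment, e.g. `# anonymous clients may read the suffix entry (needed by: ...)`. Placing the rule ahead of the catch-all `access to *` is correct, since slapd evaluates ACLs first-match.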
From eaf1b3ffb909b039c5cb8d24c23248923379defe Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 2 Feb 2025 15:24:20 +0000 Subject: [PATCH 525/713] backup_base: Add missing defaults file --- roles/backup_base/defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 roles/backup_base/defaults/main.yml diff --git a/roles/backup_base/defaults/main.yml b/roles/backup_base/defaults/main.yml new file mode 100644 index 0000000..2a14dc3 --- /dev/null +++ b/roles/backup_base/defaults/main.yml @@ -0,0 +1,3 @@ +--- +backup_datadir: >- + {% if ansible_local['export'] %}/export{% else %}/srv{% endif %}/backup From 5fdeef32e8378fe3b1919574f6ddd9a511eabb01 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 2 Feb 2025 15:39:26 +0000 Subject: [PATCH 526/713] Add apps.foo.sh virtual host --- playbooks/proxy.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index 7780db6..f5b232d 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -30,6 +30,12 @@ - role: nginx_site nginx_site_name: foo.sh nginx_site_redirect: https://www.foo.sh/ + - role: nginx_site + nginx_site_name: apps.foo.sh + nginx_site_load_balance_method: ip_hash + nginx_site_proxy: + - https://oci-node01.home.foo.sh + - https://oci-node02.home.foo.sh - role: nginx_site nginx_site_name: autoconfig.foo.sh - role: nginx_site From a226b1d5601c344d759e8714f03b53a7c0070bf2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 2 Feb 2025 15:41:45 +0000 Subject: [PATCH 527/713] Fix ldap_master variable handling --- playbooks/ldap.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/playbooks/ldap.yml b/playbooks/ldap.yml index 7379a52..6c97c98 100644 --- a/playbooks/ldap.yml +++ b/playbooks/ldap.yml @@ -19,7 +19,7 @@ passno: "0" dump: "0" state: mounted - when: ldap_master is defined + when: ldap_master vars_files: - "{{ ansible_private }}/vars.yml" 
@@ -28,8 +28,8 @@ - base - ldap_server - role: kadmin - when: ldap_master is defined + when: ldap_master - role: ldap_netdb - when: ldap_master is defined + when: ldap_master - role: ldap_gravatar - when: ldap_master is defined + when: ldap_master From 80ac346c4e64168840d8e5ca85ba68f69f3230a7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 2 Feb 2025 15:42:09 +0000 Subject: [PATCH 528/713] nginx: Fix removing old logs --- roles/nginx/files/nginx-logrotate.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/files/nginx-logrotate.sh b/roles/nginx/files/nginx-logrotate.sh index 8fe8338..b7fc0cf 100755 --- a/roles/nginx/files/nginx-logrotate.sh +++ b/roles/nginx/files/nginx-logrotate.sh @@ -20,7 +20,7 @@ for log in *.log ; do find_rotated "$log" | while read -r name; do num="$(echo "$name" | awk -F. '{ print $NF }')" if [ "$num" -gt 7 ]; then - rm -f "$log" + rm -f "${log}.${num}" fi done done From 39e504dd61c89901da35f5a9bc242761e7b5db3d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 6 Feb 2025 07:52:21 +0000 Subject: [PATCH 529/713] Update gitea to 1.23.3 --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 5c9c473..8ccb647 100644 --- a/hosts.yml +++ b/hosts.yml @@ -26,7 +26,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.22.6" + gitea_version: "1.23.3" gitearunner: hosts: gitea-runner02.home.foo.sh: From 423cafe98d84ef80ee4e7672042a84c7d906b36d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 7 Feb 2025 07:25:45 +0000 Subject: [PATCH 530/713] routeros_firmware: Use dedicated user for download --- roles/routeros_firmware/tasks/main.yml | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/roles/routeros_firmware/tasks/main.yml b/roles/routeros_firmware/tasks/main.yml index 248abde..024b37d 100644 --- a/roles/routeros_firmware/tasks/main.yml +++ b/roles/routeros_firmware/tasks/main.yml 
@@ -1,11 +1,26 @@ --- +- name: Create group + ansible.builtin.group: + name: routeros + system: true + +- name: Create user + ansible.builtin.user: + name: routeros + comment: RouterOS Downloader + group: routeros + create_home: false + home: /var/empty + shell: /sbin/nologin + system: true + - name: Create download directory ansible.builtin.file: path: /srv/web/oob.foo.sh/routeros state: directory - mode: "0755" + mode: "0775" owner: root - group: "{{ ansible_wheel }}" + group: routeros - name: Install README.md ansible.builtin.copy: @@ -27,5 +42,6 @@ ansible.builtin.cron: name: download-routeros-firmware job: /usr/local/bin/download-routeros-firmware + user: routeros hour: "05" minute: "25" From 821e783702686f533fc39fd9c374ee7136c73ac0 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 8 Feb 2025 17:25:34 +0000 Subject: [PATCH 531/713] Update DNA gw IP's --- group_vars/ns.yml | 2 +- roles/pf/files/pf.conf.gw_home | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/ns.yml b/group_vars/ns.yml index 5a6101f..2a284b1 100644 --- a/group_vars/ns.yml +++ b/group_vars/ns.yml @@ -1,6 +1,6 @@ --- firewall_in: - - {proto: tcp, port: 22, from: [172.20.20.0/22, 212.149.248.65/32]} + - {proto: tcp, port: 22, from: [172.20.20.0/22, 212.149.225.204/32]} - {proto: tcp, port: 53} - {proto: udp, port: 53} - {proto: tcp, port: 80} diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/files/pf.conf.gw_home index 981f783..3f211fb 100644 --- a/roles/pf/files/pf.conf.gw_home +++ b/roles/pf/files/pf.conf.gw_home 
@@ -43,7 +43,7 @@ antispoof for vio1 pass in quick on $int_if proto tcp from $int_net to self port ssh pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh -pass in quick on $ext_if proto tcp from 212.149.228.253/32 to self port ssh +pass in quick on $ext_if proto tcp from 212.149.225.198/32 to self port ssh # node_exporter and unbound_exporter from internal network pass in quick on $int_if proto tcp from $int_net to self port 9100 From f3d9e52f7e51f3f267deb28edc5d41b6829508cc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 15 Feb 2025 17:16:17 +0000 Subject: [PATCH 532/713] Fix install order on dna-gw hosts --- playbooks/dna-gw.yml | 90 +++++++++++++++++++------------------------- 1 file changed, 38 insertions(+), 52 deletions(-) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 7a8e99b..17cb310 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -14,7 +14,6 @@ roles: - base - - ifstated - dhcpd - nginx - role: nginx_site @@ -23,23 +22,6 @@ - websockify tasks: - - name: Use configured dns servers and domain name - ansible.builtin.copy: - dest: /etc/dhcpleased.conf - content: | - interface vio1 { - ignore dns - } - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - - - name: Disable resolvd - ansible.builtin.service: - name: resolvd - state: stopped - enabled: false - - name: Enable ip forwarding ansible.posix.sysctl: name: "{{ item }}" 
@@ -52,6 +34,44 @@ - name: Run handlers to get interfaces configured ansible.builtin.meta: flush_handlers + - name: Import ifstated role + ansible.builtin.import_role: + name: ifstated + + - name: Copy DNS private key + ansible.builtin.copy: + dest: "{{ tls_private }}/dns.home.foo.sh.key" + src: "{{ item }}" + mode: "0600" + owner: root + group: "{{ ansible_wheel }}" + with_first_found: + - /srv/letsencrypt/live/dns.home.foo.sh/privkey.pem + - "/srv/ca/private/{{ inventory_hostname }}.key" + tags: certificates + notify: Restart unbound + + - name: Copy DNS certificate and ca cert + ansible.builtin.copy: + dest: "{{ tls_certs }}/dns.home.foo.sh.crt" + src: "{{ item }}" + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + with_first_found: + - /srv/letsencrypt/live/dns.home.foo.sh/fullchain.pem + - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt" + tags: certificates + notify: Restart unbound + + - name: Import unbound role + ansible.builtin.import_role: + name: unbound + + - name: Import unbound_exporter role + ansible.builtin.import_role: + name: unbound_exporter + - name: Create tftp boot directories ansible.builtin.file: path: /srv/tftpboot/etc 
@@ -120,37 +140,3 @@ owner: root group: "{{ ansible_wheel }}" notify: Restart nginx - - - name: Copy DNS private key - ansible.builtin.copy: - dest: "{{ tls_private }}/dns.home.foo.sh.key" - src: "{{ item }}" - mode: "0600" - owner: root - group: "{{ ansible_wheel }}" - with_first_found: - - /srv/letsencrypt/live/dns.home.foo.sh/privkey.pem - - "/srv/ca/private/{{ inventory_hostname }}.key" - tags: certificates - notify: Restart unbound - - - name: Copy DNS certificate and ca cert - ansible.builtin.copy: - dest: "{{ tls_certs }}/dns.home.foo.sh.crt" - src: "{{ item }}" - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - with_first_found: - - /srv/letsencrypt/live/dns.home.foo.sh/fullchain.pem - - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt" - tags: certificates - notify: Restart unbound - - - name: Import unbound role - ansible.builtin.import_role: - name: unbound - - - name: Import unbound_exporter role - ansible.builtin.import_role: - name: unbound_exporter From cc7698436f7548a51e7bde7602d7be0e50ef1b46 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 16 Feb 2025 16:24:20 +0000 Subject: [PATCH 533/713] Update frigate to 0.15.0 --- hosts.yml | 2 +- roles/frigate/templates/frigate.yml.j2 | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts.yml b/hosts.yml index 8ccb647..49408cd 100644 --- a/hosts.yml +++ b/hosts.yml @@ -17,7 +17,7 @@ frigate: hosts: frigate02.home.foo.sh: vars: - frigate_version: "0.14.1" + frigate_version: "0.15.0" fsolgw: hosts: fsol-gw01.home.foo.sh: diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2 index b1045d6..08c83f7 100644 --- a/roles/frigate/templates/frigate.yml.j2 +++ b/roles/frigate/templates/frigate.yml.j2 @@ -19,9 +19,9 @@ record: retain: days: 7 mode: motion - events: + detections: retain: - default: 30 + days: 30 mode: motion cameras: From b6f4b8cd51aa05239591a968985807f3bc53d746 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sun, 16 Feb 2025 17:02:14 +0000 Subject: [PATCH 534/713] Update software versions --- hosts.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/hosts.yml b/hosts.yml index 49408cd..c11e15b 100644 --- a/hosts.yml +++ b/hosts.yml @@ -36,7 +36,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2025.1" + homeassistant_version: "2025.2" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git @@ -44,7 +44,7 @@ homeassistant: - name: espsomfy_rts repo: https://github.com/rstrouse/ESPSomfy-RTS-HA.git version: v2.4.7 - nodered_version: 4.0.8 + nodered_version: 4.0.9 influxdb: hosts: influxdb01.home.foo.sh: @@ -80,7 +80,7 @@ nms: nms01.home.foo.sh: nms02.home.foo.sh: vars: - snmp_exporter_version: "0.26.0" + snmp_exporter_version: "0.28.0" ns: hosts: ns01.home.foo.sh: @@ -91,9 +91,9 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "11.3.1" - rocketchat_version: "7.3.0" - roundcube_version: "1.6.9" + grafana_version: "11.4.1" + rocketchat_version: "7.3.1" + roundcube_version: "1.6.10" print: hosts: print01.home.foo.sh: @@ -102,7 +102,7 @@ prometheus: prometheus01.home.foo.sh: vars: mysqld_exporter_version: "0.16.0" - nginx_exporter_version: "1.4.0" + nginx_exporter_version: "1.4.1" proxy: hosts: proxy01.home.foo.sh: From 5c7bb11c0c27825c630bb1829a36baf3aa4bdfe4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 16 Feb 2025 18:49:50 +0000 Subject: [PATCH 535/713] frigate: Fix config file permissions --- roles/frigate/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml index bc539d7..8189acd 100644 --- a/roles/frigate/tasks/main.yml +++ b/roles/frigate/tasks/main.yml 
@@ -47,7 +47,7 @@ ansible.builtin.template: dest: /etc/frigate.yml src: frigate.yml.j2 - mode: "0750" + mode: "0640" owner: root group: frigate notify: Restart frigate From 57e43b1396dcc326ac2ef98425d9db41d1c4fb3a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 20 Feb 2025 21:11:08 +0000 Subject: [PATCH 536/713] systemd_resolved: Don't use dns from connections --- roles/systemd_resolved/files/resolved.conf | 2 ++ roles/systemd_resolved/handlers/main.yml | 5 +++++ roles/systemd_resolved/tasks/main.yml | 9 +++++++++ 3 files changed, 16 insertions(+) create mode 100644 roles/systemd_resolved/files/resolved.conf diff --git a/roles/systemd_resolved/files/resolved.conf b/roles/systemd_resolved/files/resolved.conf new file mode 100644 index 0000000..e4d2629 --- /dev/null +++ b/roles/systemd_resolved/files/resolved.conf @@ -0,0 +1,2 @@ +[global-dns-domain-*] +servers=127.0.0.53 diff --git a/roles/systemd_resolved/handlers/main.yml b/roles/systemd_resolved/handlers/main.yml index 0bbce3d..dd37621 100644 --- a/roles/systemd_resolved/handlers/main.yml +++ b/roles/systemd_resolved/handlers/main.yml @@ -3,3 +3,8 @@ ansible.builtin.service: name: systemd-resolved state: restarted + +- name: Restart NetworkManager + ansible.builtin.service: + name: NetworkManager + state: restarted diff --git a/roles/systemd_resolved/tasks/main.yml b/roles/systemd_resolved/tasks/main.yml index 43371a6..bb690d6 100644 --- a/roles/systemd_resolved/tasks/main.yml +++ b/roles/systemd_resolved/tasks/main.yml @@ -21,6 +21,15 @@ group: "{{ ansible_wheel }}" notify: Restart systemd-resolved +- name: Do not use connection specific DNS servers + ansible.builtin.copy: + dest: /etc/NetworkManager/conf.d/resolved.conf + src: resolved.conf + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart NetworkManager + - name: Enable service ansible.builtin.service: name: systemd-resolved From 21e0c495935d799d358ddd03672727e8454452a9 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Thu, 20 Feb 2025 21:51:08 +0000 Subject: [PATCH 537/713] No need to disable resolvd after moving to unwind --- playbooks/fsol-gw.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/playbooks/fsol-gw.yml b/playbooks/fsol-gw.yml index 1dd8747..639bd27 100644 --- a/playbooks/fsol-gw.yml +++ b/playbooks/fsol-gw.yml @@ -12,13 +12,6 @@ vars_files: - "{{ ansible_private }}/vars.yml" - pre_tasks: - - name: Disable resolvd service - ansible.builtin.service: - name: resolvd - state: stopped - enabled: false - tasks: - name: Enable IP forwarding ansible.posix.sysctl: From 6cba945cb8684736b1478383768f52b294968810 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 20 Feb 2025 21:52:58 +0000 Subject: [PATCH 538/713] Move to static DNS servers and use DoT This now affects only Fedora and OpenBSD hosts --- group_vars/all.yml | 5 +++++ group_vars/fsolgw.yml | 1 - group_vars/home.yml | 5 +++++ group_vars/proxy.yml | 2 -- group_vars/relay.yml | 2 -- group_vars/vultr.yml | 4 ---- 6 files changed, 10 insertions(+), 9 deletions(-) create mode 100644 group_vars/home.yml delete mode 100644 group_vars/vultr.yml diff --git a/group_vars/all.yml b/group_vars/all.yml index 4814110..13c4354 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -31,5 +31,10 @@ boot_url: https://boot.foo.sh # ssh public keys for logsync user logsync_publickeys: "{{ lookup('file', '../files/ssh/logsync.pub') }}" +# default name servers +network_dns_servers: + - 8.8.8.8 + - 8.8.4.4 + # hardcode this for now ansible_datacenter: home diff --git a/group_vars/fsolgw.yml b/group_vars/fsolgw.yml index f45c486..6012a52 100644 --- a/group_vars/fsolgw.yml +++ b/group_vars/fsolgw.yml @@ -7,7 +7,6 @@ network_vip_interfaces: ip6addr: 2a00:4cc1:6:1006::1 ip6netmask: 64 pass: "{{ vip145_pass }}" -network_dns_servers: [172.20.20.10, 172.20.21.1, 172.20.21.2] # use custom firewall and ifstated config firewall_src: pf.conf.gw_fsol 
diff --git a/group_vars/home.yml b/group_vars/home.yml new file mode 100644 index 0000000..d8558c0 --- /dev/null +++ b/group_vars/home.yml @@ -0,0 +1,5 @@ +--- +network_dns_servers: + - 172.20.20.10 + - 172.20.20.11 + - 172.20.20.12 diff --git a/group_vars/proxy.yml b/group_vars/proxy.yml index bb5decb..ea7cba9 100644 --- a/group_vars/proxy.yml +++ b/group_vars/proxy.yml @@ -4,8 +4,6 @@ mem_size: 1024 # use bigger disk for os as we have web site data there dsk_size: 30 -network_dns_servers: - - 172.20.20.10 network_default_gateway: 37.16.96.145 network_vip_interfaces: diff --git a/group_vars/relay.yml b/group_vars/relay.yml index 622e743..a52f0b5 100644 --- a/group_vars/relay.yml +++ b/group_vars/relay.yml @@ -1,6 +1,4 @@ --- -network_dns_servers: - - 172.20.20.10 network_default_gateway: 37.16.96.145 network_vip_interfaces: diff --git a/group_vars/vultr.yml b/group_vars/vultr.yml deleted file mode 100644 index af46a03..0000000 --- a/group_vars/vultr.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -network_dns_servers: - - 8.8.8.8 - - 9.9.9.9 From d4d11508bcd3da59582136dcd405a54dc38e6a44 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 20 Feb 2025 22:15:04 +0000 Subject: [PATCH 539/713] systemd_resolved: Remove double spaces --- roles/systemd_resolved/templates/local.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/systemd_resolved/templates/local.conf.j2 b/roles/systemd_resolved/templates/local.conf.j2 index 23d7dc6..7d8e03d 100644 --- a/roles/systemd_resolved/templates/local.conf.j2 +++ b/roles/systemd_resolved/templates/local.conf.j2 @@ -1,4 +1,4 @@ [Resolve] -DNS={% for addr in network_dns_servers %}{{ addr }}#{{ lookup('community.general.dig', addr + '/PTR')[:-1] }} {% endfor %} +DNS={% for addr in network_dns_servers %}{{ addr }}#{{ lookup('community.general.dig', addr + '/PTR')[:-1] }} {% endfor %} DNSOverTLS=yes From 5f412a50c5f3b2e768c10492690ef787cc97d742 Mon Sep 17 00:00:00 2001 
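Review bot: the server name that systemd-resolved will validate the DoT certificate against comes from `lookup('community.general.dig', addr + '/PTR')`, a plain-DNS reverse lookup performed on the control node at template time, so whoever can answer that PTR query chooses the name the client accepts; combined with a valid certificate for that name and a path to the resolver's address, strict `DNSOverTLS=yes` no longer protects anything. The name should be pinned configuration rather than derived, e.g. a mapping kept beside the addresses and rendered as `DNS={% for addr in network_dns_servers %}{{ addr }}#{{ network_dns_names[addr] }} {% endfor %}`. Separately, the `[:-1]` slice assumes a successful answer ending in a dot; if the lookup fails, whatever string it returns in that case is truncated and templated in silently, so the run should fail instead (the lookup's `fail_on_error` option, if the installed collection version has it, or an `assert` task before the template).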
From: Timo Makinen Date: Fri, 21 Feb 2025 15:46:57 +0000 Subject: [PATCH 540/713] unbound: Use multiple local forwarders --- roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 | 2 ++ roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 | 2 ++ roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2 | 2 ++ 3 files changed, 6 insertions(+) diff --git a/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 index 4fa13e5..3f51925 100644 --- a/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 @@ -29,6 +29,8 @@ remote-control: forward-zone: name: "." forward-addr: 172.20.20.10@853#dns.home.foo.sh + forward-addr: 172.20.20.11@853#dns.home.foo.sh + forward-addr: 172.20.20.12@853#dns.home.foo.sh {% for zone in unbound_zones %} auth-zone: diff --git a/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 index 5812def..c29a61c 100644 --- a/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 @@ -29,6 +29,8 @@ remote-control: forward-zone: name: "." forward-addr: 172.20.20.10@853#dns.home.foo.sh + forward-addr: 172.20.20.11@853#dns.home.foo.sh + forward-addr: 172.20.20.12@853#dns.home.foo.sh {% for zone in unbound_zones %} auth-zone: diff --git a/roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2 index 46a4ab4..481064f 100644 --- a/roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2 @@ -29,6 +29,8 @@ remote-control: forward-zone: name: "." forward-addr: 172.20.20.10@853#dns.home.foo.sh + forward-addr: 172.20.20.11@853#dns.home.foo.sh + forward-addr: 172.20.20.12@853#dns.home.foo.sh {% for zone in unbound_zones %} auth-zone: 
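Review bot: the same three `forward-addr` lines are now hand-maintained in three per-host templates (frigate02, nms01, print01), while the identical address list already exists in this series as `network_dns_servers` in group_vars/home.yml, so the copies will drift the next time a resolver is added or retired. Render the forwarders from the variable in one shared template instead, e.g. a `{% for addr in network_dns_servers %}` loop emitting `forward-addr: {{ addr }}@853#dns.home.foo.sh` per address, and drop the per-host files. The hunk context does not show the `forward-tls-upstream: yes` directive these `@853#name` entries depend on; presumably it sits earlier in the `forward-zone` block, but it is worth confirming because without it unbound sends plaintext DNS to port 853.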
From a793f59a33a721ec12ab6275a9f3af7876dfa19c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Mar 2025 19:09:07 +0000 Subject: [PATCH 541/713] ipsilon: Fix configuration --- roles/ipsilon/README.md | 28 +++++++++++++++++++ .../templates/ipsilon-container.service.j2 | 6 ++-- .../templates/ipsilon-container.sysconfig.j2 | 7 +++-- .../ipsilon/templates/openidc-static.conf.j2 | 4 +-- 4 files changed, 37 insertions(+), 8 deletions(-) create mode 100644 roles/ipsilon/README.md diff --git a/roles/ipsilon/README.md b/roles/ipsilon/README.md new file mode 100644 index 0000000..5e29d18 --- /dev/null +++ b/roles/ipsilon/README.md @@ -0,0 +1,28 @@ +== Creating openidc key == + +Create two rsa keys: +``` +openssl genrsa -out signing.key 4096 +openssl genrsa -out encryption.key 4096 +``` + +Create JWK keys: +``` +python3 -c ' +from datetime import datetime +from jwcrypto.jwk import JWK, JWKSet +keyset = JWKSet() +date = datetime.now().strftime("%Y%m%d") +with open("./signing.key", "r") as key: + jwkkey = JWK.from_pem(key.read().encode("UTF-8")) + jwkkey.update(use="sig") + jwkkey.update(kid=f"{date}-sig") + keyset.add(jwkkey) +with open("./encryption.key", "r") as key: + jwkkey = JWK.from_pem(key.read().encode("UTF-8")) + jwkkey.update(use="enc") + jwkkey.update(kid=f"{date}-enc") + keyset.add(jwkkey) +print(keyset.export()) +' +``` diff --git a/roles/ipsilon/templates/ipsilon-container.service.j2 b/roles/ipsilon/templates/ipsilon-container.service.j2 index d3fe6bf..2c08f94 100644 --- a/roles/ipsilon/templates/ipsilon-container.service.j2 +++ b/roles/ipsilon/templates/ipsilon-container.service.j2 
@@ -10,9 +10,9 @@ ExecStart=/usr/bin/podman run \
 --rm -p 127.0.0.1:8011:80 \
 --name ipsilon \
 --env LDAP_* --env IPSILON_*\
- --volume={{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \
- --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \
- --volume={{ tls_private }}/ipsilon.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \
+ --volume={{ tls_certs }}/ca.crt:/etc/pki/tls/certs/ca.crt:ro \
+ --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/pki/tls/certs/{{ inventory_hostname }}.crt:ro \
+ --volume={{ tls_private }}/ipsilon.key:/etc/pki/tls/private/{{ inventory_hostname }}.key:ro \
 --volume={{ tls_private }}/openidc.key:/etc/ipsilon/openidc.key:ro \
 --volume=/etc/ipsilon/openidc-static.conf:/etc/ipsilon/root/openidc-static.conf:rw \
 ipsilon:latest
diff --git a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2
index 7a4ba72..4150eaf 100644
--- a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2
+++ b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2
@@ -1,10 +1,11 @@
 LDAP_BASEDN="{{ ldap_basedn }}"
+LDAP_BINDPW="{{ ipsilon_ldap_pass }}"
 IPSILON_DB_USER="ipsilon"
 IPSILON_DB_PASS="{{ ipsilon_mysql_pass }}"
 IPSILON_DB_HOST="sqldb02.home.foo.sh"
-IPSILON_DB_CA="/etc/ssl/certs/ca.crt"
-IPSILON_DB_KEY="/etc/ssl/private/{{ inventory_hostname }}.key"
-IPSILON_DB_CERT="/etc/ssl/certs/{{ inventory_hostname}}.crt"
+IPSILON_DB_CA="{{ tls_certs }}/ca.crt"
+IPSILON_DB_KEY="{{ tls_private }}/{{ inventory_hostname }}.key"
+IPSILON_DB_CERT="{{ tls_certs }}/{{ inventory_hostname}}.crt"
 IPSILON_HOSTNAME="idp.foo.sh"
 IPSILON_OPENIDC_KEYID="{{ ipsilon_openidc_keyid }}"
 IPSILON_OPENIDC_SALT="{{ ipsilon_openidc_salt }}"
diff --git a/roles/ipsilon/templates/openidc-static.conf.j2 b/roles/ipsilon/templates/openidc-static.conf.j2
index a200a3a..f6bb88d 100644
--- a/roles/ipsilon/templates/openidc-static.conf.j2
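Review bot: The new `IPSILON_DB_CA`, `IPSILON_DB_KEY` and `I<br>PSILON_DB_CERT` values in the sysconfig hunk are host-side paths built from `tls_certs`/`tls_private`, yet they are presumably read inside the container (the service hunk passes them through with `--env IPSILON_*`), where those files exist only at the mount targets `/etc/pki/tls/certs/ca.crt`, `/etc/pki/tls/certs/{{ inventory_hostname }}.crt` and `/etc/pki/tls/private/{{ inventory_hostname }}.key`. That works only if `tls_certs` is `/etc/pki/tls/certs` and `tls_private` is `/etc/pki/tls/private` on every host, which nothing in either hunk establishes; using the literal container paths, as the removed lines did but with the new `/etc/pki/tls` prefix, removes the coupling. `{{ inventory_hostname}}` in `IPSILON_DB_CERT` is missing its closing space, harmless to Jinja but out of step with the neighbouring lines. `LDAP_BINDPW` adds a second secret to this file and to the container environment, so the mode set on the rendered sysconfig file, outside this hunk, should stay root-only.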
+++ b/roles/ipsilon/templates/openidc-static.conf.j2
@@ -15,12 +15,12 @@
 {{ client["name"] }} jwks_uri=null
 {{ client["name"] }} logo_uri=null
 {{ client["name"] }} policy_uri=null
-{{ client["name"] }} redirect_uris=["{{ client["redirect_uri"] }}"]
+{{ client["name"] }} redirect_uris={{ client["redirect_uris"] | ansible.builtin.to_json }}
 {{ client["name"] }} request_uris=[]
 {{ client["name"] }} require_auth_time=null
 {{ client["name"] }} response_types=["code"]
 {{ client["name"] }} subject_type="pairwise"
 {{ client["name"] }} sector_identifier_uri=null
-{{ client["name"] }} token_endpoint_auth_method="client_secret_post"
+{{ client["name"] }} token_endpoint_auth_method="{{ client["token_endpoint_auth_method"] | default("client_secret_post") }}"
 {{ client["name"] }} tos_uri=null
 {% endfor %}
From 4c7c0e3261259d7450ae3faab237083bcefc3a34 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 1 Mar 2025 19:10:16 +0000
Subject: [PATCH 542/713] audiobookshelf: Initial version of role
--- .../files/audiobookshelf.default | 4 + roles/audiobookshelf/files/meta.md | 30 +++++++ roles/audiobookshelf/handlers/main.yml | 5 ++ roles/audiobookshelf/meta/main.yml | 3 + roles/audiobookshelf/tasks/main.yml | 90 +++++++++++++++++++ 5 files changed, 132 insertions(+) create mode 100644 roles/audiobookshelf/files/audiobookshelf.default create mode 100644 roles/audiobookshelf/files/meta.md create mode 100644 roles/audiobookshelf/handlers/main.yml create mode 100644 roles/audiobookshelf/meta/main.yml create mode 100644 roles/audiobookshelf/tasks/main.yml
diff --git a/roles/audiobookshelf/files/audiobookshelf.default b/roles/audiobookshelf/files/audiobookshelf.default
new file mode 100644
index 0000000..4b553f5
--- /dev/null
+++ b/roles/audiobookshelf/files/audiobookshelf.default
@@ -0,0 +1,4 @@
+METADATA_PATH=/srv/audiobookshelf/metadata
+CONFIG_PATH=/srv/audiobookshelf/config
+PORT=13378
+HOST=127.0.0.1
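Review bot: `token_endpoint_auth_method` is now copied verbatim from the client definition, so a misspelt value or `none` changes how that client authenticates at the token endpoint without any check in the role; an `ansible.builtin.assert` over the client list before templating, e.g. `that: item.token_endpoint_auth_method | default('client_secret_post') in ['client_secret_post', 'client_secret_basic']`, keeps the rendered value within the methods you intend to support. The `redirect_uris` line now expects a list under a new key, so a client still defined with the old `redirect_uri` string fails at render time, and a scalar under the new key would render as a bare JSON string rather than the `[...]` array the removed line produced. The enclosing `{% for %}` loop starts outside this hunk.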
diff --git a/roles/audiobookshelf/files/meta.md b/roles/audiobookshelf/files/meta.md
new file mode 100644
index 0000000..5e22e02
--- /dev/null
+++ b/roles/audiobookshelf/files/meta.md
@@ -0,0 +1,30 @@
+= Preparing files for upload =
+
+== Filenames ==
+
+Filenames should always contain track number (and optionally disc number) with leading zeros first and subtitle after that. Few exmaples:
+
+```
+01. Luku.mp3
+01. Osa.mp3
+CD 1 - 01.mp3
+```
+
+Directory should also contain `cover.jpg` with book cover picture and `desc.txt` containing book description.
+
+== Metadata (id3 tags) ==
+
+First clear old tags then set new ones:
+
+```
+id3v2 -D "01. Osa.mp3"
+id3v2 \
+ --TPE1 "Douglas Adams" \
+ --TALB "$(echo 'Linnunradan käsikirja liftareille' | iconv -f utf-8 -t iso-8859-1)" \
+ --TCOM "$(echo 'Heikki Kinnunen,Pekka Autiovuori,Yrjö Järvinen,Martti Järvinen,Esa Saario,Kauko Helavirta,Aila Svedberg' | iconv -f utf-8 -t iso-8859-1)" \
+ --TLAN "fi" \
+ --TPUB "Yleisradio" \
+ --TYER 1984 \
+ --genre "Science Fiction/Fiction/Humor" \
+ "01. Osa.mp3"
+```
diff --git a/roles/audiobookshelf/handlers/main.yml b/roles/audiobookshelf/handlers/main.yml
new file mode 100644
index 0000000..fd2df00
--- /dev/null
+++ b/roles/audiobookshelf/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart audiobookshelf
+ ansible.builtin.service:
+ name: audiobookshelf
+ state: restarted
diff --git a/roles/audiobookshelf/meta/main.yml b/roles/audiobookshelf/meta/main.yml
new file mode 100644
index 0000000..954fabd
--- /dev/null
+++ b/roles/audiobookshelf/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - {role: nginx}
diff --git a/roles/audiobookshelf/tasks/main.yml b/roles/audiobookshelf/tasks/main.yml
new file mode 100644
index 0000000..1bc2f99
--- /dev/null
+++ b/roles/audiobookshelf/tasks/main.yml
@@ -0,0 +1,90 @@
+---
+- name: Enable repository
+ ansible.builtin.yum_repository:
+ name: audiobookshelf
+ baseurl: https://raw.githubusercontent.com/lkiesow/audiobookshelf-rpm/el$releasever/
+ description: Audiobookshelf el$releasever repository
+ gpgcheck: true
+ gpgkey: https://raw.githubusercontent.com/lkiesow/audiobookshelf-rpm/main/audiobookshelf-rpm.key
+ enabled: true
+
+- name: Install packcages
+ ansible.builtin.package:
+ name: audiobookshelf
+ state: present
+
+- name: Create data directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ mode: "0770"
+ owner: root
+ group: audiobookshelf
+ with_items:
+ - /export/audiobookshelf
+ - /export/audiobookshelf/audiobooks
+ - /export/audiobookshelf/config
+ - /export/audiobookshelf/metadata
+ - /export/audiobookshelf/podcasts
+ - /export/audiobookshelf/radioplays
+
+- name: Link data directory
+ ansible.builtin.file:
+ dest: /srv/audiobookshelf
+ src: /export/audiobookshelf
+ state: link
+ owner: root
+ group: "{{ ansible_wheel }}"
+ follow: false
+
+- name: Copy naming instructions
+ ansible.builtin.copy:
+ dest: /srv/audiobookshelf/audiobooks/README.md
+ src: meta.md
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: Copy service config
+ ansible.builtin.copy:
+ dest: /etc/default/audiobookshelf
+ src: audiobookshelf.default
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart audiobookshelf
+
+- name: Enable service
+ ansible.builtin.service:
+ name: audiobookshelf
+ state: started
+ enabled: true
+
+- name: Allow nginx to connect audiobookshelf
+ ansible.posix.seboolean:
+ name: httpd_can_network_connect
+ state: true
+ persistent: true
+
+- name: Copy nginx config
+ ansible.builtin.copy:
+ dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/audiobookshelf.conf"
+ content: |
+ location / {
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host audiobooks.foo.sh;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_pass http://127.0.0.1:13378/;
+ location /audiobookshelf/api/upload {
+ # increase size to allow uploads
+ client_max_body_size 10g;
+ proxy_pass http://127.0.0.1:13378/api/upload;
+ }
+ }
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart nginx
From ae7ec4680f164a40d530a263f4eab0310ea0c87f Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 1 Mar 2025 19:11:33 +0000
Subject: [PATCH 543/713] Add audiobook hosts
--- group_vars/audiobooks.yml | 8 ++++++++ host_vars/audiobooks02.home.foo.sh.yml | 6 ++++++ hosts.yml | 4 ++++ playbooks/audiobooks.yml | 25 +++++++++++++++++++++++++ 4 files changed, 43 insertions(+) create mode 100644 group_vars/audiobooks.yml create mode 100644 host_vars/audiobooks02.home.foo.sh.yml create mode 100644 playbooks/audiobooks.yml
diff --git a/group_vars/audiobooks.yml b/group_vars/audiobooks.yml
new file mode 100644
index 0000000..4fcc30e
--- /dev/null
+++ b/group_vars/audiobooks.yml
@@ -0,0 +1,8 @@
+---
+datadisks:
+ - {size: 50, type: hdd}
+
+firewall_in:
+ - {proto: tcp, port: 22, from: [172.20.20.0/22]}
+ - {proto: tcp, port: 443, from: [172.20.20.0/22]}
+ - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
diff --git a/host_vars/audiobooks02.home.foo.sh.yml b/host_vars/audiobooks02.home.foo.sh.yml
new file mode 100644
index 0000000..d6cf2c6
--- /dev/null
+++ b/host_vars/audiobooks02.home.foo.sh.yml
@@ -0,0 +1,6 @@
+---
+vmhost: vmhost02.home.foo.sh
+network_interfaces:
+ - device: eth0
+ vlan: 20
+ mac: "52:54:00:ac:dc:48"
diff --git a/hosts.yml b/hosts.yml
index c11e15b..429fe68 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -3,6 +3,9 @@ adm:
 hosts:
 adm01.home.foo.sh:
 adm02.home.foo.sh:
+audiobooks:
+ hosts:
+ audiobooks02.home.foo.sh:
 backup:
 hosts:
 backup02.home.foo.sh:
@@ -161,6 +164,7 @@ rocky8:
 rocky9:
 children:
 adm:
+ audiobooks:
 frigate:
 gitea:
 homeassistant:
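Review bot: The nginx snippet in the `Copy nginx config` task uses `$connection_upgrade`, which only exists if a `map $http_upgrade $connection_upgrade { ... }` block is defined in the http context; nothing in this role adds one, so unless the nginx role already provides it the rendered config fails `nginx -t` and the notified restart with it. Worth confirming against the nginx role, or recording the dependency with a comment above the `content:` block such as `# $connection_upgrade map is provided by the nginx role`. The task name `Install packcages` has a typo (`Install packages`). The hunk begins on the previous line; the points above concern the tasks visible across both.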
diff --git a/playbooks/audiobooks.yml b/playbooks/audiobooks.yml
new file mode 100644
index 0000000..3d8ce19
--- /dev/null
+++ b/playbooks/audiobooks.yml
@@ -0,0 +1,25 @@
+---
+- name: Deploy KVM virtual machines
+ ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
+ vars:
+ myhosts: audiobooks
+
+- name: Configure instance
+ hosts: audiobooks
+ user: root
+ gather_facts: true
+
+ pre_tasks:
+ - name: Mount /export
+ ansible.posix.mount:
+ name: /export
+ src: LABEL=/export
+ fstype: xfs
+ opts: noatime,nosuid,nodev
+ passno: "0"
+ dump: "0"
+ state: mounted
+
+ roles:
+ - base
+ - audiobookshelf
From bbe61d4180ea8c7ed9c5563bb831edb82e90dd06 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 1 Mar 2025 19:12:10 +0000
Subject: [PATCH 544/713] Add audiobooks.foo.sh virtual host
--- playbooks/proxy.yml | 3 +++ roles/nginx_site/templates/audiobooks.foo.sh.conf.j2 | 3 +++ 2 files changed, 6 insertions(+) create mode 100644 roles/nginx_site/templates/audiobooks.foo.sh.conf.j2
diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml
index f5b232d..1968633 100644
--- a/playbooks/proxy.yml
+++ b/playbooks/proxy.yml
@@ -36,6 +36,9 @@
 nginx_site_proxy:
 - https://oci-node01.home.foo.sh
 - https://oci-node02.home.foo.sh
+ - role: nginx_site
+ nginx_site_name: audiobooks.foo.sh
+ nginx_site_proxy: https://audiobooks02.home.foo.sh/
 - role: nginx_site
 nginx_site_name: autoconfig.foo.sh
 - role: nginx_site
diff --git a/roles/nginx_site/templates/audiobooks.foo.sh.conf.j2 b/roles/nginx_site/templates/audiobooks.foo.sh.conf.j2
new file mode 100644
index 0000000..e838c5f
--- /dev/null
+++ b/roles/nginx_site/templates/audiobooks.foo.sh.conf.j2
@@ -0,0 +1,3 @@
+ # this should be changed to only affect uploads
+ client_max_body_size 10g;
+
From 4031afdbdbf3a6c77e4b5b805fc7fd0347b5cda2 Mon Sep 17 00:00:00 2001
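Review bot: The `/export` mount uses `opts: noatime,nosuid,nodev` and omits `noexec`, unlike the otherwise identical `Mount /export` pre_task in `playbooks/forgejo.yml` (`noatime,noexec,nosuid,nodev`). This filesystem holds uploaded media plus the app's config and metadata, none of which needs to be executable, so `opts: noatime,noexec,nosuid,nodev` would close an execution path for uploaded content and match the other playbook; if audiobookshelf does need executables under `/export`, that deserves a comment on the line.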
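Review bot: `client_max_body_size 10g;` is applied to the whole `audiobooks.foo.sh` server block on the public proxy, and the snippet's own comment says it should be narrowed. The backend config in `roles/audiobookshelf/tasks/main.yml` already scopes the same limit to `location /audiobookshelf/api/upload`, so the proxy side should mirror that and keep a 10 GB request-body allowance off every other endpoint; whether a nested `location` can be written in this snippet depends on where the `nginx_site` role includes it, which is outside the hunk. Until that is settled the comment could at least name the intended scope: `# TODO: scope to /audiobookshelf/api/upload only`.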
From: Timo Makinen
Date: Wed, 5 Mar 2025 17:29:25 +0000
Subject: [PATCH 545/713] Update rockechat version to 7.4.0
--- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts.yml b/hosts.yml
index 429fe68..3a69313 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -95,7 +95,7 @@ ocinode:
 oci-node02.home.foo.sh:
 vars:
 grafana_version: "11.4.1"
- rocketchat_version: "7.3.1"
+ rocketchat_version: "7.4.0"
 roundcube_version: "1.6.10"
 print:
 hosts:
From c479b7fcea2fc9184420d4b935f59d2f0df321ac Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 6 Mar 2025 19:22:39 +0000
Subject: [PATCH 546/713] forgejo: Initial version of role
--- roles/forgejo/defaults/main.yml | 7 ++ roles/forgejo/files/forgejo.service | 16 +++++ roles/forgejo/handlers/main.yml | 5 ++ roles/forgejo/meta/main.yml | 4 ++ roles/forgejo/tasks/main.yml | 107 ++++++++++++++++++++++++++++ roles/forgejo/templates/app.ini.j2 | 78 ++++++++++++++++++++ 6 files changed, 217 insertions(+) create mode 100644 roles/forgejo/defaults/main.yml create mode 100644 roles/forgejo/files/forgejo.service create mode 100644 roles/forgejo/handlers/main.yml create mode 100644 roles/forgejo/meta/main.yml create mode 100644 roles/forgejo/tasks/main.yml create mode 100644 roles/forgejo/templates/app.ini.j2
diff --git a/roles/forgejo/defaults/main.yml b/roles/forgejo/defaults/main.yml
new file mode 100644
index 0000000..848f7a1
--- /dev/null
+++ b/roles/forgejo/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+forgejo_url: >-
+ {{
+ "https://codeberg.org/forgejo/forgejo/releases/download/v"
+ + forgejo_version + "/forgejo-" + forgejo_version + "-"
+ + ansible_system | lower + "-amd64"
+ }}
diff --git a/roles/forgejo/files/forgejo.service b/roles/forgejo/files/forgejo.service
new file mode 100644
index 0000000..289ccdc
--- /dev/null
+++ b/roles/forgejo/files/forgejo.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Forgejo (Beyond coding. We forge.)
+After=syslog.target
+After=network.target
+
+[Service]
+Type=simple
+User=forgejo
+Group=forgejo
+WorkingDirectory=/srv/forgejo
+ExecStart=/usr/local/bin/forgejo web --config /etc/forgejo/app.ini
+Restart=always
+Environment=HOME=/srv/forgejo FORGEJO_WORK_DIR=/srv/forgejo
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/forgejo/handlers/main.yml b/roles/forgejo/handlers/main.yml
new file mode 100644
index 0000000..4b650b4
--- /dev/null
+++ b/roles/forgejo/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart forgejo
+ ansible.builtin.service:
+ name: forgejo
+ state: restarted
diff --git a/roles/forgejo/meta/main.yml b/roles/forgejo/meta/main.yml
new file mode 100644
index 0000000..d5e8ce4
--- /dev/null
+++ b/roles/forgejo/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - {role: git}
+ - {role: nginx}
diff --git a/roles/forgejo/tasks/main.yml b/roles/forgejo/tasks/main.yml
new file mode 100644
index 0000000..4b8c6f2
--- /dev/null
+++ b/roles/forgejo/tasks/main.yml
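Review bot: The `[Service]` section carries no sandboxing directives, so the network-facing `forgejo` process is constrained only by ordinary file permissions, although it needs just `/srv/forgejo` (a symlink to `/export/forgejo` per the tasks hunk) writable and `/etc/forgejo/app.ini` readable. Adding `NoNewPrivileges=`, `PrivateTmp=`, `ProtectHome=` and `ProtectSystem=strict` with a `ReadWritePaths=` entry for the data directory, as in the lines below, limits what a compromised process can reach; if writes through the `/srv/forgejo` symlink are refused under `strict`, listing both paths in `ReadWritePaths=` is the simple fix. `After=syslog.target` refers to an obsolete target on current systemd and can be dropped.
```ini
[Service]
# … unchanged: Type, User, Group, WorkingDirectory, ExecStart, Restart, Environment …
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ReadWritePaths=/export/forgejo
```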
@@ -0,0 +1,107 @@
+---
+- name: Install dependencies
+ ansible.builtin.package:
+ name: git-lfs
+ state: installed
+
+- name: Download binary
+ ansible.builtin.get_url:
+ url: "{{ forgejo_url }}"
+ checksum: "sha256:{{ forgejo_url }}.sha256"
+ dest: /usr/local/bin/forgejo
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart forgejo
+
+- name: Create group
+ ansible.builtin.group:
+ name: forgejo
+ gid: 303
+
+- name: Create user
+ ansible.builtin.user:
+ name: forgejo
+ comment: Service Forgejo
+ createhome: false
+ group: forgejo
+ home: /var/empty
+ shell: /sbin/nologin
+ uid: 303
+
+- name: Create config directory
+ ansible.builtin.file:
+ path: /etc/forgejo
+ state: directory
+ mode: "0750"
+ owner: root
+ group: forgejo
+
+- name: Create config
+ ansible.builtin.template:
+ dest: /etc/forgejo/app.ini
+ src: app.ini.j2
+ mode: "0640"
+ owner: root
+ group: forgejo
+ notify: Restart forgejo
+
+- name: Create data directory
+ ansible.builtin.file:
+ path: /export/forgejo
+ state: directory
+ mode: "0750"
+ owner: forgejo
+ group: forgejo
+
+- name: Link data directory
+ ansible.builtin.file:
+ path: /srv/forgejo
+ state: link
+ src: /export/forgejo
+ owner: root
+ group: "{{ ansible_wheel }}"
+ follow: false
+
+- name: Create service file
+ ansible.builtin.copy:
+ dest: /etc/systemd/system/forgejo.service
+ src: forgejo.service
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart forgejo
+
+- name: Enable service
+ ansible.builtin.service:
+ name: forgejo
+ state: started
+ enabled: true
+
+- name: Allow nginx to connect forgejo
+ ansible.posix.seboolean:
+ name: httpd_can_network_connect
+ state: true
+ persistent: true
+
+- name: Copy nginx config
+ ansible.builtin.copy:
+ dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/forgejo.conf"
+ content: |
+ client_max_body_size 100m;
+ location / {
+ proxy_pass http://127.0.0.1:3000;
+ }
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart nginx
+
+- name: Add forgejo alias for root
+ ansible.builtin.blockinfile:
+ path: /root/.bashrc
+ block: |
+ # run forgejo as forgejo user
+ alias forgejo='sudo -u forgejo HOME=/srv/forgejo \
+ GITEA_WORK_DIR=/srv/forgejo \
+ /usr/local/bin/forgejo -c /etc/forgejo/app.ini'
diff --git a/roles/forgejo/templates/app.ini.j2 b/roles/forgejo/templates/app.ini.j2
new file mode 100644
index 0000000..2355cb3
--- /dev/null
+++ b/roles/forgejo/templates/app.ini.j2
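Review bot: `checksum: "sha256:{{ forgejo_url }}.sha256"` fetches the digest from the same location as the binary, so it catches a corrupted download but not a substituted release: whoever can serve a different binary can serve a matching `.sha256`. Pinning the expected digest next to `forgejo_version` in inventory (`checksum: "sha256:{{ forgejo_sha256 }}"`, variable name illustrative), or verifying the detached signature Forgejo publishes alongside each release asset, anchors the artifact to a value the download path cannot change. Separately, the root alias exports `GITEA_WORK_DIR` while `forgejo.service` sets `FORGEJO_WORK_DIR`; Forgejo appears to accept the legacy name, but one spelling in both places avoids the two drifting apart. `state: installed` on the first task is the yum/dnf alias of `present`, which is what the other roles on this page use.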
@@ -0,0 +1,78 @@
+APP_NAME = foo.sh - GIT
+RUN_USER = forgejo
+RUN_MODE = prod
+
+[database]
+DB_TYPE = mysql
+HOST = sqldb02.home.foo.sh
+NAME = forgejo
+USER = forgejo
+PASSWD = {{ forgejo_mysql_pass }}
+SCHEMA =
+SSL_MODE = true
+CHARSET = utf8
+PATH = /srv/forgejo/data/forgejo.db
+LOG_SQL = false
+
+[repository]
+ROOT = /srv/forgejo/data/forgejo-repositories
+
+[server]
+SSH_DOMAIN = localhost
+DOMAIN = git.foo.sh
+HTTP_ADDR = 127.0.0.1
+HTTP_PORT = 3000
+ROOT_URL = https://git.foo.sh/
+DISABLE_SSH = true
+SSH_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET = {{ forgejo_lfs_jwt_secret }}
+OFFLINE_MODE = false
+
+[lfs]
+PATH = /srv/forgejo/data/lfs
+
+[mailer]
+ENABLED = false
+
+[service]
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+DISABLE_REGISTRATION = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE = console
+LEVEL = info
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[security]
+INSTALL_LOCK = true
+INTERNAL_TOKEN = {{ forgejo_internal_token }}
+PASSWORD_HASH_ALGO = pbkdf2
+REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
+REVERSE_PROXY_LIMIT = 1
+
+[actions]
+ENABLED = true
+
+[oauth2]
+JWT_SECRET = {{ gitea_oauth_jwt_secret }}
From 9a5f632ce40331f4e64aa40fbfe178714788f1b0 Mon Sep 17 00:00:00 2001
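Review bot: `JWT_SECRET = {{ gitea_oauth_jwt_secret }}` under `[oauth2]` is the only value still read from a `gitea_*` variable; every other secret in this template was renamed to `forgejo_*`. If that is a deliberate carry-over from the removed Gitea role, OAuth2 tokens signed by the old instance stay verifiable by Forgejo and the line deserves a comment saying so; otherwise rename it to `forgejo_oauth_jwt_secret`, generate a fresh value, and retire the old one from `{{ ansible_private }}/vars.yml`. The `[database]` section also keeps `PATH = /srv/forgejo/data/forgejo.db`, which applies only to SQLite and is dead with `DB_TYPE = mysql`.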
From: Timo Makinen
Date: Thu, 6 Mar 2025 19:27:23 +0000
Subject: [PATCH 547/713] Add forgejo hosts
--- group_vars/forgejo.yml | 8 ++++++++ host_vars/forgejo02.home.foo.sh.yml | 6 ++++++ hosts.yml | 6 ++++++ playbooks/forgejo.yml | 28 ++++++++++++++++++++++++++++ 4 files changed, 48 insertions(+) create mode 100644 group_vars/forgejo.yml create mode 100644 host_vars/forgejo02.home.foo.sh.yml create mode 100644 playbooks/forgejo.yml
diff --git a/group_vars/forgejo.yml b/group_vars/forgejo.yml
new file mode 100644
index 0000000..e80e98c
--- /dev/null
+++ b/group_vars/forgejo.yml
@@ -0,0 +1,8 @@
+---
+datadisks:
+ - {size: 10, type: nvme}
+
+firewall_in:
+ - {proto: tcp, port: 22, from: [172.20.20.0/22]}
+ - {proto: tcp, port: 443, from: [172.20.20.0/22]}
+ - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
diff --git a/host_vars/forgejo02.home.foo.sh.yml b/host_vars/forgejo02.home.foo.sh.yml
new file mode 100644
index 0000000..72e305b
--- /dev/null
+++ b/host_vars/forgejo02.home.foo.sh.yml
@@ -0,0 +1,6 @@
+---
+vmhost: vmhost02.home.foo.sh
+network_interfaces:
+ - device: eth0
+ vlan: 20
+ mac: 52:54:00:ac:dc:80
diff --git a/hosts.yml b/hosts.yml
index 3a69313..517e1a1 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -16,6 +16,11 @@ dnagw:
 hosts:
 dna-gw01.home.foo.sh:
 dna-gw02.home.foo.sh:
+forgejo:
+ hosts:
+ forgejo02.home.foo.sh:
+ vars:
+ forgejo_version: "10.0.1"
 frigate:
 hosts:
 frigate02.home.foo.sh:
@@ -165,6 +170,7 @@ rocky9:
 children:
 adm:
 audiobooks:
+ forgejo:
 frigate:
 gitea:
 homeassistant:
diff --git a/playbooks/forgejo.yml b/playbooks/forgejo.yml
new file mode 100644
index 0000000..ab0ac1b
--- /dev/null
+++ b/playbooks/forgejo.yml
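Review bot: `mac: 52:54:00:ac:dc:80` in `host_vars/forgejo02.home.foo.sh.yml` is unquoted, while the equivalent line added for `audiobooks02` in the previous commit is `mac: "52:54:00:ac:dc:48"`. This particular value contains letters and so parses as a string, but a MAC whose octets are all digits (for example `52:54:00:12:34:56`) is read by YAML 1.1 loaders as a sexagesimal integer; quoting it consistently, `mac: "52:54:00:ac:dc:80"`, removes that trap before a different address triggers it.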
@@ -0,0 +1,28 @@
+---
+- name: Deploy KVM virtual machines
+ ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
+ vars:
+ myhosts: forgejo
+
+- name: Configure instance
+ hosts: forgejo
+ user: root
+ gather_facts: true
+
+ vars_files:
+ - "{{ ansible_private }}/vars.yml"
+
+ pre_tasks:
+ - name: Mount /export
+ ansible.posix.mount:
+ name: /export
+ src: LABEL=/export
+ fstype: xfs
+ opts: noatime,noexec,nosuid,nodev
+ passno: "0"
+ dump: "0"
+ state: mounted
+
+ roles:
+ - base
+ - forgejo
From b02af6f9e6bfe5ad667642c512239e175a365cf6 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 6 Mar 2025 19:29:04 +0000
Subject: [PATCH 548/713] Remove gitea hosts
--- group_vars/gitea.yml | 8 ------- group_vars/gitearunner.yml | 4 ---- host_vars/gitea-runner02.home.foo.sh.yml | 6 ----- host_vars/gitea02.home.foo.sh.yml | 6 ----- hosts.yml | 12 ---------- playbooks/gitea-runner.yml | 14 ------------ playbooks/gitea.yml | 28 ------------------------ 7 files changed, 78 deletions(-) delete mode 100644 group_vars/gitea.yml delete mode 100644 group_vars/gitearunner.yml delete mode 100644 host_vars/gitea-runner02.home.foo.sh.yml delete mode 100644 host_vars/gitea02.home.foo.sh.yml delete mode 100644 playbooks/gitea-runner.yml delete mode 100644 playbooks/gitea.yml
diff --git a/group_vars/gitea.yml b/group_vars/gitea.yml
deleted file mode 100644
index e80e98c..0000000
--- a/group_vars/gitea.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-datadisks:
- - {size: 10, type: nvme}
-
-firewall_in:
- - {proto: tcp, port: 22, from: [172.20.20.0/22]}
- - {proto: tcp, port: 443, from: [172.20.20.0/22]}
- - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
diff --git a/group_vars/gitearunner.yml b/group_vars/gitearunner.yml
deleted file mode 100644
index 0b7f509..0000000
--- a/group_vars/gitearunner.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-firewall_in:
- - {proto: tcp, port: 22, from: [172.20.20.0/22]}
- - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
diff --git a/host_vars/gitea-runner02.home.foo.sh.yml b/host_vars/gitea-runner02.home.foo.sh.yml
deleted file mode 100644
index 617957c..0000000
--- a/host_vars/gitea-runner02.home.foo.sh.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-vmhost: vmhost02.home.foo.sh
-network_interfaces:
- - device: eth0
- vlan: 20
- mac: 52:54:00:ac:dc:7c
diff --git a/host_vars/gitea02.home.foo.sh.yml b/host_vars/gitea02.home.foo.sh.yml
deleted file mode 100644
index 56bb5fa..0000000
--- a/host_vars/gitea02.home.foo.sh.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-vmhost: vmhost02.home.foo.sh
-network_interfaces:
- - device: eth0
- vlan: 20
- mac: 52:54:00:ac:dc:78
diff --git a/hosts.yml b/hosts.yml
index 517e1a1..75013c2 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -30,16 +30,6 @@ fsolgw:
 hosts:
 fsol-gw01.home.foo.sh:
 fsol-gw02.home.foo.sh:
-gitea:
- hosts:
- gitea02.home.foo.sh:
- vars:
- gitea_version: "1.23.3"
-gitearunner:
- hosts:
- gitea-runner02.home.foo.sh:
- vars:
- gitea_runner_version: "0.2.6"
 homeassistant:
 hosts:
 homeassistant01.home.foo.sh:
@@ -151,7 +141,6 @@ sftpbackup:
 fedora:
 children:
- gitearunner:
 openbsd:
 children:
 backup:
@@ -172,7 +161,6 @@ rocky9:
 audiobooks:
 forgejo:
 frigate:
- gitea:
 homeassistant:
 influxdb:
 ldap:
diff --git a/playbooks/gitea-runner.yml b/playbooks/gitea-runner.yml
deleted file mode 100644
index c87211c..0000000
--- a/playbooks/gitea-runner.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-- name: Deploy KVM virtual machines
- ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
- vars:
- myhosts: gitearunner
-
-- name: Configure instance
- hosts: gitearunner
- user: root
- gather_facts: true
-
- roles:
- - base
- - gitea_runner
diff --git a/playbooks/gitea.yml b/playbooks/gitea.yml
deleted file mode 100644
index 72fec32..0000000
--- a/playbooks/gitea.yml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-- name: Deploy KVM virtual machines
- ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
- vars:
- myhosts: gitea
-
-- name: Configure instance
- hosts: gitea
- user: root
- gather_facts: true
-
- vars_files:
- - "{{ ansible_private }}/vars.yml"
-
- pre_tasks:
- - name: Mount /export
- ansible.posix.mount:
- name: /export
- src: LABEL=/export
- fstype: xfs
- opts: noatime,noexec,nosuid,nodev
- passno: "0"
- dump: "0"
- state: mounted
-
- roles:
- - base
- - gitea
From ba2770c69679c1bd90992fa03f14bec3f16371c7 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 6 Mar 2025 19:29:39 +0000
Subject: [PATCH 549/713] Remove obsolete gitea roles
--- roles/gitea/defaults/main.yml | 6 -- roles/gitea/files/gitea.service | 16 ---- roles/gitea/handlers/main.yml | 5 - roles/gitea/meta/main.yml | 4 - roles/gitea/tasks/main.yml | 101 -------------------- roles/gitea/templates/app.ini.j2 | 80 ---------------- roles/gitea_runner/defaults/main.yml | 2 - roles/gitea_runner/files/act_runner.service | 14 --- roles/gitea_runner/files/config.yml | 50 ---------- roles/gitea_runner/handlers/main.yml | 5 - roles/gitea_runner/meta/main.yml | 4 - roles/gitea_runner/tasks/main.yml | 85 ---------------- 12 files changed, 372 deletions(-) delete mode 100644 roles/gitea/defaults/main.yml delete mode 100644 roles/gitea/files/gitea.service delete mode 100644 roles/gitea/handlers/main.yml delete mode 100644 roles/gitea/meta/main.yml delete mode 100644 roles/gitea/tasks/main.yml delete mode 100644 roles/gitea/templates/app.ini.j2 delete mode 100644 roles/gitea_runner/defaults/main.yml delete mode 100644 roles/gitea_runner/files/act_runner.service delete mode 100644 roles/gitea_runner/files/config.yml delete mode 100644 roles/gitea_runner/handlers/main.yml delete mode 100644 roles/gitea_runner/meta/main.yml delete mode 100644 roles/gitea_runner/tasks/main.yml
diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml
deleted file mode 100644
index 8581431..0000000
--- a/roles/gitea/defaults/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-gitea_url: >-
- {{
- "https://dl.gitea.com/gitea/" + gitea_version + "/gitea-" +
- gitea_version + "-" + ansible_system | lower + "-amd64"
- }}
diff --git a/roles/gitea/files/gitea.service b/roles/gitea/files/gitea.service
deleted file mode 100644
index 0dfec4a..0000000
--- a/roles/gitea/files/gitea.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=Gitea (Git with a cup of tea)
-After=syslog.target
-After=network.target
-
-[Service]
-Type=simple
-User=gitea
-Group=gitea
-WorkingDirectory=/srv/gitea
-ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
-Restart=always
-Environment=HOME=/srv/gitea GITEA_WORK_DIR=/srv/gitea
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/gitea/handlers/main.yml b/roles/gitea/handlers/main.yml
deleted file mode 100644
index a8e19c4..0000000
--- a/roles/gitea/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: Restart gitea
- ansible.builtin.service:
- name: gitea
- state: restarted
diff --git a/roles/gitea/meta/main.yml b/roles/gitea/meta/main.yml
deleted file mode 100644
index d5e8ce4..0000000
--- a/roles/gitea/meta/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-dependencies:
- - {role: git}
- - {role: nginx}
diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml
deleted file mode 100644
index 2eafa5e..0000000
--- a/roles/gitea/tasks/main.yml
+++ /dev/null
@@ -1,101 +0,0 @@
----
-- name: Download binary
- ansible.builtin.get_url:
- url: "{{ gitea_url }}"
- checksum: "sha256:{{ gitea_url }}.sha256"
- dest: /usr/local/bin/gitea
- mode: "0755"
- owner: root
- group: "{{ ansible_wheel }}"
- notify: Restart gitea
-
-- name: Create group
- ansible.builtin.group:
- name: gitea
- gid: 303
-
-- name: Create user
- ansible.builtin.user:
- name: gitea
- comment: Service Gitea
- createhome: false
- group: gitea
- home: /var/empty
- shell: /sbin/nologin
- uid: 303
-
-- name: Create config directory
- ansible.builtin.file:
- path: /etc/gitea
- state: directory
- mode: "0750"
- owner: root
- group: gitea
-
-- name: Create config
- ansible.builtin.template:
- dest: /etc/gitea/app.ini
- src: app.ini.j2
- mode: "0640"
- owner: root
- group: gitea
- notify: Restart gitea
-
-- name: Create data directory
- ansible.builtin.file:
- path: /export/gitea
- state: directory
- mode: "0750"
- owner: gitea
- group: gitea
-
-- name: Link data directory
- ansible.builtin.file:
- path: /srv/gitea
- state: link
- src: /export/gitea
- owner: root
- group: "{{ ansible_wheel }}"
- follow: false
-
-- name: Create service file
- ansible.builtin.copy:
- dest: /etc/systemd/system/gitea.service
- src: gitea.service
- mode: "0644"
- owner: root
- group: "{{ ansible_wheel }}"
- notify: Restart gitea
-
-- name: Enable service
- ansible.builtin.service:
- name: gitea
- state: started
- enabled: true
-
-- name: Allow nginx to connect gitea
- ansible.posix.seboolean:
- name: httpd_can_network_connect
- state: true
- persistent: true
-
-- name: Copy nginx config
- ansible.builtin.copy:
- dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/gitea.conf"
- content: |
- client_max_body_size 100m;
- location / {
- proxy_pass http://127.0.0.1:3000;
- }
- mode: "0644"
- owner: root
- group: "{{ ansible_wheel }}"
- notify: Restart nginx
-
-- name: Add gitea alias for root
- ansible.builtin.blockinfile:
- path: /root/.bashrc
- block: |
- # run gitea as gitea user
- alias gitea='sudo -u gitea HOME=/srv/gitea GITEA_WORK_DIR=/srv/gitea \
- /usr/local/bin/gitea -c /etc/gitea/app.ini'
diff --git a/roles/gitea/templates/app.ini.j2 b/roles/gitea/templates/app.ini.j2
deleted file mode 100644
index 3a797b9..0000000
--- a/roles/gitea/templates/app.ini.j2
+++ /dev/null
@@ -1,80 +0,0 @@
-APP_NAME = foo.sh - GIT
-RUN_USER = gitea
-RUN_MODE = prod
-
-[database]
-DB_TYPE = mysql
-HOST = sqldb02.home.foo.sh
-NAME = gitea
-USER = gitea
-PASSWD = {{ gitea_mysql_pass }}
-SCHEMA =
-SSL_MODE = true
-CHARSET = utf8
-PATH = /srv/gitea/data/gitea.db
-LOG_SQL = false
-
-[repository]
-ROOT = /srv/gitea/data/gitea-repositories
-
-[server]
-SSH_DOMAIN = localhost
-DOMAIN = git.foo.sh
-HTTP_ADDR = 127.0.0.1
-HTTP_PORT = 3000
-ROOT_URL = https://git.foo.sh/
-DISABLE_SSH = true
-SSH_PORT = 22
-LFS_START_SERVER = true
-LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
-OFFLINE_MODE = false
-
-[lfs]
-PATH = /srv/gitea/data/lfs
-
-[mailer]
-ENABLED = false
-
-[service]
-REGISTER_EMAIL_CONFIRM = false
-ENABLE_NOTIFY_MAIL = false
-DISABLE_REGISTRATION = true
-ALLOW_ONLY_EXTERNAL_REGISTRATION = false
-ENABLE_CAPTCHA = false
-REQUIRE_SIGNIN_VIEW = false
-DEFAULT_KEEP_EMAIL_PRIVATE = false
-DEFAULT_ALLOW_CREATE_ORGANIZATION = true
-DEFAULT_ENABLE_TIMETRACKING = true
-NO_REPLY_ADDRESS = noreply.localhost
-
-[openid]
-ENABLE_OPENID_SIGNIN = false
-ENABLE_OPENID_SIGNUP = false
-
-[session]
-PROVIDER = file
-
-[log]
-MODE = console
-LEVEL = info
-ROOT_PATH = /srv/gitea/log
-ROUTER = console
-
-[repository.pull-request]
-DEFAULT_MERGE_STYLE = merge
-
-[repository.signing]
-DEFAULT_TRUST_MODEL = committer
-
-[security]
-INSTALL_LOCK = true
-INTERNAL_TOKEN = {{ gitea_internal_token }}
-PASSWORD_HASH_ALGO = pbkdf2
-REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
-REVERSE_PROXY_LIMIT = 1
-
-[actions]
-ENABLED = true
-
-[oauth2]
-JWT_SECRET = {{ gitea_oauth_jwt_secret }}
diff --git a/roles/gitea_runner/defaults/main.yml b/roles/gitea_runner/defaults/main.yml
deleted file mode 100644
index bb9e11e..0000000
--- a/roles/gitea_runner/defaults/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-gitea_runner_version: main
diff --git a/roles/gitea_runner/files/act_runner.service b/roles/gitea_runner/files/act_runner.service
deleted file mode 100644
index 1533c88..0000000
--- a/roles/gitea_runner/files/act_runner.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Act Runner for Gitea
-After=syslog.target
-After=network.target
-
-[Service]
-User=act_runner
-Group=act_runner
-WorkingDirectory=/var/lib/act_runner
-Environment=HOME=/var/lib/act_runner
-ExecStart=/usr/local/bin/act_runner daemon -c /var/lib/act_runner/config.yml
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/gitea_runner/files/config.yml b/roles/gitea_runner/files/config.yml
deleted file mode 100644
index 641665f..0000000
--- a/roles/gitea_runner/files/config.yml
+++ /dev/null
@@ -1,50 +0,0 @@ ---- -log: - # The level of logging, can be trace, debug, info, warn, error, fatal - level: info - -runner: - # Where to store the registration result. - file: .runner - # Execute how many tasks concurrently at the same time. - capacity: 1 - # Extra environment variables to run jobs from a file. - # It will be ignored if it's empty or the file doesn't exist. - env_file: .env - # The timeout for a job to be finished. - # Please note that the Gitea instance also has a timeout (3h by default) - # for the job. So the job could be stopped by the Gitea instance if it's - # timeout is shorter than this. - timeout: 3h - # Whether skip verifying the TLS certificate of the Gitea instance. - insecure: false - # The timeout for fetching the job from the Gitea instance. - fetch_timeout: 5s - # The interval for fetching the job from the Gitea instance. - fetch_interval: 2s - -cache: - # Enable cache server to use actions/cache. - enabled: true - # The directory to store the cache data. - # If it's empty, the cache data will be stored in $HOME/.cache/actcache. - dir: "" - # The host of the cache server. - # It's not for the address to listen, but the address to connect from job - # containers. So 0.0.0.0 is a bad choice, leave it empty to detect - # automatically. - host: "" - # The port of the cache server. - # 0 means to use a random available port. - port: 0 - -container: - # Which network to use for the job containers. Could be bridge, host, none, - # or the name of a custom network. - network: bridge - # Whether to use privileged mode or not when launching task containers - # (privileged mode is required for Docker-in-Docker). - privileged: false - # And other options to be used when the container is started - # (eg, --add-host=my.gitea.url:host-gateway). - options: diff --git a/roles/gitea_runner/handlers/main.yml b/roles/gitea_runner/handlers/main.yml deleted file mode 100644 index 3f4dbfd..0000000 --- a/roles/gitea_runner/handlers/main.yml +++ /dev/null 
@@ -1,5 +0,0 @@ ---- -- name: Restart act_runner - ansible.builtin.service: - name: act_runner - state: restarted diff --git a/roles/gitea_runner/meta/main.yml b/roles/gitea_runner/meta/main.yml deleted file mode 100644 index 4dfd1ac..0000000 --- a/roles/gitea_runner/meta/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -dependencies: - - {role: docker} - - {role: git} diff --git a/roles/gitea_runner/tasks/main.yml b/roles/gitea_runner/tasks/main.yml deleted file mode 100644 index d8eac04..0000000 --- a/roles/gitea_runner/tasks/main.yml +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -- name: Create group - ansible.builtin.group: - name: act_runner - system: true - -- name: Create user - ansible.builtin.user: - name: act_runner - system: true - comment: Gitea act_runner - create_home: false - home: /var/empty - group: act_runner - groups: - - docker - shell: /sbin/nologin - -- name: Install dependencies - ansible.builtin.package: - name: golang - state: installed - -- name: Download binary - ansible.builtin.get_url: - url: > - {{ - "https://gitea.com/gitea/act_runner/releases/download/v" + - gitea_runner_version + "/act_runner-" + gitea_runner_version + - "-" + ansible_system | lower + "-amd64" - }} - dest: /usr/local/bin/act_runner - mode: "0755" - owner: root - group: "{{ ansible_wheel }}" - notify: Restart act_runner - -- name: Create config directory - ansible.builtin.file: - path: /var/lib/act_runner - state: directory - mode: "0750" - owner: root - group: act_runner - -- name: Copy config file - ansible.builtin.copy: - dest: /var/lib/act_runner/.runner - src: "/srv/private/files/act_runner/{{ inventory_hostname }}.conf" - mode: "0640" - owner: root - group: act_runner - notify: Restart act_runner - -- name: Copy config file - ansible.builtin.copy: - dest: /var/lib/act_runner/config.yml - src: config.yml - mode: "0640" - owner: root - group: act_runner - notify: Restart act_runner - -- name: Create cache directory - ansible.builtin.file: - path: /var/lib/act_runner/.cache - state: directory - mode: "0770" - owner: root - group: act_runner - notify: Restart act_runner - -- name: Copy unit file - ansible.builtin.copy: - dest: /etc/systemd/system/act_runner.service - src: act_runner.service - mode: "0644" - owner: root - group: root - -- name: Enable service - ansible.builtin.service: - name: act_runner - state: started - enabled: true From 5bed0838005a706fb81a69db175a78f0512ac6d4 Mon Sep 17 00:00:00 2001 
From: Timo Makinen
Date: Thu, 6 Mar 2025 19:30:25 +0000
Subject: [PATCH 550/713] Migrate gitea user to forgejo
---
 users.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/users.md b/users.md
index 70e9176..7601659 100644
--- a/users.md
+++ b/users.md
@@ -9,7 +9,7 @@ entry empty. If only a group is created, leave the user entry empty.
 |------|------------|------------|-----------------|
 | 301 | influxdb | influxdb | |
 | 302 | mongod | mongod | |
-| 303 | gitea | gitea | |
+| 303 | forgejo | forgejo | |
 | 305 | prometheus | prometheus | |
 | 306 | backup | backup | |
 | 307 | minecraft | minecraft | |
From 36947f349b4128566c099a9080eec38c234aa109 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 6 Mar 2025 19:31:01 +0000
Subject: [PATCH 551/713] Migrate from gitea to forgejo
---
 playbooks/proxy.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml
index 1968633..da8b9b7 100644
--- a/playbooks/proxy.yml
+++ b/playbooks/proxy.yml
@@ -66,9 +66,12 @@
 - role: nginx_site
 nginx_site_name: dns.home.foo.sh
 nginx_site_redirect: https://www.foo.sh/
+ - role: nginx_site
+ nginx_site_name: forgejo.foo.sh
+ nginx_site_redirect: https://git.foo.sh/
 - role: nginx_site
 nginx_site_name: git.foo.sh
- nginx_site_proxy: https://gitea02.home.foo.sh/
+ nginx_site_proxy: https://forgejo02.home.foo.sh/
 - role: nginx_site
 nginx_site_name: gitea.foo.sh
 nginx_site_redirect: https://git.foo.sh/
From 020b2afa0d9ca166c85002bbccadbc7b9060ed05 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 6 Mar 2025 19:31:26 +0000
Subject: [PATCH 552/713] forgejo: Use correct variable for jwk key
---
 roles/forgejo/templates/app.ini.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/forgejo/templates/app.ini.j2 b/roles/forgejo/templates/app.ini.j2
index 2355cb3..a8a7716 100644
--- a/roles/forgejo/templates/app.ini.j2
+++ b/roles/forgejo/templates/app.ini.j2
@@ -75,4 +75,4 @@ REVERSE_PROXY_LIMIT = 1
 ENABLED = true
 [oauth2]
-JWT_SECRET = {{ gitea_oauth_jwt_secret }}
+JWT_SECRET = {{ forgejo_oauth_jwt_secret }}
From cf87333ef89fcb643a549b706e5f5196dbb0a9b4 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 6 Mar 2025 19:31:56 +0000
Subject: [PATCH 553/713] Update site.yml
---
 site.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/site.yml b/site.yml
index a231b55..bee03dd 100644
--- a/site.yml
+++ b/site.yml
@@ -1,20 +1,20 @@
 ---
 - name: Configure adm hosts
 ansible.builtin.import_playbook: playbooks/adm.yml
+- name: Configure audiobooks hosts
+ ansible.builtin.import_playbook: playbooks/audiobooks.yml
 - name: Configure backup hosts
 ansible.builtin.import_playbook: playbooks/backup.yml
 - name: Configure collab hosts
 ansible.builtin.import_playbook: playbooks/collab.yml
 - name: Configure dna-gw hosts
 ansible.builtin.import_playbook: playbooks/dna-gw.yml
+- name: Configure forgejo hosts
+ ansible.builtin.import_playbook: playbooks/forgejo.yml
 - name: Configure frigate hosts
 ansible.builtin.import_playbook: playbooks/frigate.yml
 - name: Configure fsol-gw hosts
 ansible.builtin.import_playbook: playbooks/fsol-gw.yml
-- name: Configure gitea-runner hosts
- ansible.builtin.import_playbook: playbooks/gitea-runner.yml
-- name: Configure gitea hosts
- ansible.builtin.import_playbook: playbooks/gitea.yml
 - name: Configure homeassistant hosts
 ansible.builtin.import_playbook: playbooks/homeassistant.yml
 - name: Configure influxdb hosts
From ffe43b8498f757f3110d8008c6b5c019ccc247eb Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 8 Mar 2025 20:59:48 +0000
Subject: [PATCH 554/713] web_logs: Add script to combine log files
---
 roles/web_logs/files/combine-logs.py | 70 ++++++++++++++++++++++++++++
 roles/web_logs/tasks/main.yml | 8 ++++
 2 files changed, 78 insertions(+)
 create mode 100644 roles/web_logs/files/combine-logs.py
diff --git a/roles/web_logs/files/combine-logs.py b/roles/web_logs/files/combine-logs.py
new file mode 100644
index 0000000..e7044fa
--- /dev/null
+++ b/roles/web_logs/files/combine-logs.py
@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+
+import argparse
+import datetime
+import os
+import sys
+
+from time import mktime
+
+
+def read_line(log, date=None):
+ while True:
+ line = log["fp"].readline().strip()
+ if not line:
+ raise EOFError
+ time = datetime.datetime.strptime(
+ " ".join(line.split()[3:5]), "[%d/%b/%Y:%H:%M:%S +0000]"
+ )
+ if date is not None and time.strftime("%Y-%m-%d") != date:
+ continue
+ log["time"] = time
+ log["line"] = line
+ log["linenum"] += 1
+ break
+
+
+def combine_logs(logfiles, date=None):
+ logs = []
+ for logfile in logfiles:
+ if os.stat(logfile).st_size == 0:
+ continue
+ logs.append(
+ {"fp": open(logfile, "r"), "line": None, "linenum": 0, "time": None}
+ )
+ try:
+ read_line(logs[-1], date)
+ except EOFError:
+ del logs[-1]
+
+ while True:
+ if len(logs) == 0:
+ break
+ logs = sorted(logs, key=lambda x: x["time"])
+ print(logs[0]["line"])
+ try:
+ read_line(logs[0], date)
+ except EOFError:
+ del logs[0]
+
+
+def date_now():
+ return datetime.datetime.now()
+
+
+if __name__ == "__main__":
+ try:
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-d", "--date", default=None)
+ parser.add_argument("logfiles", nargs="+")
+ args = parser.parse_args()
+ if args.date is not None:
+ if args.date == "today":
+ date = date_now().strftime("%Y-%m-%d")
+ elif args.date == "yesterday":
+ date = (date_now() - datetime.timedelta(days=1)).strftime("%Y-%m-%d")
+ else:
+ date = args.date
+ combine_logs(args.logfiles, date=date)
+ except KeyboardInterrupt:
+ sys.ext(1)
diff --git a/roles/web_logs/tasks/main.yml b/roles/web_logs/tasks/main.yml
index a9742f7..27bf8ab 100644
--- a/roles/web_logs/tasks/main.yml
+++ b/roles/web_logs/tasks/main.yml
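Review bot: The `-d`/`--date` handling leaves `date` unbound when the option is omitted, so the default invocation reaches `combine_logs(args.logfiles, date=date)` and raises NameError; initialise it before the branch with `date = None`. The KeyboardInterrupt handler calls `sys.ext(1)`, which does not exist and turns Ctrl-C into an AttributeError — it should read `sys.exit(1)`. The file objects opened in `combine_logs` are never closed and `from time import mktime` is unused. `read_line` also hard-codes `+0000` in the strptime format, so a log line carrying any other offset raises ValueError instead of being skipped; a comment above the call stating that the logs are expected in UTC would at least make that assumption visible.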
@@ -39,3 +39,11 @@
 owner: root
 group: "{{ ansible_wheel }}"
 follow: false
+
+- name: Copy log combiner
+ ansible.builtin.copy:
+ dest: /usr/local/bin/combine-logs
+ src: combine-logs.py
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
From 1aaf78c3ab531a6f22edb57e317b1d654d307c2f Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Tue, 11 Mar 2025 20:45:32 +0000
Subject: [PATCH 555/713] Update software versions
---
 hosts.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hosts.yml b/hosts.yml
index 75013c2..73a073d 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -34,7 +34,7 @@ homeassistant:
 hosts:
 homeassistant01.home.foo.sh:
 vars:
- homeassistant_version: "2025.2"
+ homeassistant_version: "2025.3"
 homeassistant_integrations:
 - name: electrolux_status
 repo: https://github.com/albaintor/homeassistant_electrolux_status.git
@@ -89,7 +89,7 @@ ocinode:
 oci-node01.home.foo.sh:
 oci-node02.home.foo.sh:
 vars:
- grafana_version: "11.4.1"
+ grafana_version: "11.4.2"
 rocketchat_version: "7.4.0"
 roundcube_version: "1.6.10"
 print:
@@ -99,7 +99,7 @@ prometheus:
 hosts:
 prometheus01.home.foo.sh:
 vars:
- mysqld_exporter_version: "0.16.0"
+ mysqld_exporter_version: "0.17.2"
 nginx_exporter_version: "1.4.1"
 proxy:
 hosts:
From c2a39ecc56c21b41f41f832e04b3f1665d2566d9 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 2 Apr 2025 21:47:47 +0000
Subject: [PATCH 556/713] Add dhcpd to nms hosts
---
 group_vars/nms.yml | 3 ++
 playbooks/nms.yml | 4 +++
 roles/dhcpd/templates/dhcpd.conf.oob.j2 | 40 +++++++++++++++++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 roles/dhcpd/templates/dhcpd.conf.oob.j2
diff --git a/group_vars/nms.yml b/group_vars/nms.yml
index b05d9f0..1f2f050 100644
--- a/group_vars/nms.yml
+++ b/group_vars/nms.yml
@@ -5,6 +5,9 @@ datadisks:
 unbound_zones:
 - 25.20.172.in-addr.arpa
 - oob.foo.sh
+dhcpd_template: dhcpd.conf.oob.j2
+dhcpd_ldap_filter: >-
+ (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.oob.foo.sh))
 network_vip_interfaces:
 - device: eth0
diff --git a/playbooks/nms.yml b/playbooks/nms.yml
index 856e221..969b6a5 100644
--- a/playbooks/nms.yml
+++ b/playbooks/nms.yml
@@ -58,6 +58,10 @@
 ansible.builtin.import_role:
 name: unbound
+ - name: Import dhcpd role
+ ansible.builtin.import_role:
+ name: dhcpd
+
 # convert this to role for restart support
 - name: Enable NTP server for oob network
 ansible.builtin.lineinfile:
diff --git a/roles/dhcpd/templates/dhcpd.conf.oob.j2 b/roles/dhcpd/templates/dhcpd.conf.oob.j2
new file mode 100644
index 0000000..b1a9034
--- /dev/null
+++ b/roles/dhcpd/templates/dhcpd.conf.oob.j2
@@ -0,0 +1,40 @@
+
+authorative;
+ddns-update-style none;
+
+# logging
+on commit {
+ log(info,
+ concat("Client ",
+ binary-to-ascii(16, 8, ":", substring(hardware, 1, 6)),
+ " requests ",
+ binary-to-ascii(16, 8, ":", option dhcp-parameter-request-list),
+ " - ",
+ pick-first-value(option vendor-class-identifier, "no vendor-id"),
+ " - ",
+ pick-first-value(option user-class, "no user-class"))
+ );
+}
+
+shared-network OOBNET {
+
+ subnet 172.20.25.0 netmask 255.255.255.0 {
+ default-lease-time 86400;
+ max-lease-time 604800;
+ option subnet-mask 255.255.255.0;
+ option broadcast-address 172.20.25.255;
+
+ option domain-name "oob.foo.sh";
+ option domain-name-servers 172.20.25.1, 172.20.25.2, 172.20.25.3;
+ use-host-decl-names on;
+ }
+
+{% for host in ldap_hosts.results %}
+ host {{ host['cn'] }} {
+ option host-name "{{ host['cn'] }}";
+ hardware ethernet {{ host['macAddress'] }};
+ fixed-address {{ host['ipHostNumber'] }};
+ }
+{% endfor %}
+
+}
From b6bceb64a41e32068cd58d5c1183ecb47497a4e7 Mon Sep 17 00:00:00 2001
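Review bot: `authorative;` at the top of the new dhcpd template is misspelled — the ISC dhcpd keyword is `authoritative`, and as written the rendered config will not parse, so the line should read `authoritative;`. The host declarations interpolate `host['cn']`, `host['macAddress']` and `host['ipHostNumber']` straight from the LDAP lookup result; if any of those attributes ever comes back as a list rather than a single value (LDAP permits it), or a `cn` contains characters outside hostname syntax, the rendered `host` block is invalid, so a comment above the loop such as `{# assumes cn, macAddress and ipHostNumber are single-valued per entry #}` and a `| first` where one value is expected would make the contract explicit. The file also opens with an empty line before `authoritative;`, which can be dropped.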
From: Timo Makinen
Date: Fri, 4 Apr 2025 05:29:19 +0000
Subject: [PATCH 557/713] node_exporter: Use real tempfile
---
 .../files/node-exporter-run-textfile-collector.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/roles/node_exporter/files/node-exporter-run-textfile-collector.sh b/roles/node_exporter/files/node-exporter-run-textfile-collector.sh
index b8897ae..7a6d1a0 100755
--- a/roles/node_exporter/files/node-exporter-run-textfile-collector.sh
+++ b/roles/node_exporter/files/node-exporter-run-textfile-collector.sh
@@ -15,9 +15,10 @@ fi
 for script in /usr/local/libexec/node-exporter/*; do
 [ -x "$script" ] || continue
 target="${OUTDIR}/$(basename "$script")"
- if "$script" > "${target}.tmp" ; then
- mv "${target}.tmp" "${target}.prom"
+ tmpfile="$(mktemp -p "$OUTDIR")"
+ if "$script" > "$tmpfile" ; then
+ mv "$tmpfile" "$target"
 else
- rm -f "${target}.tmp"
+ rm -f "$tmpfile"
 fi
 done
From 56ed9010ac8c61707096a30c0ba8bff0df67a4e0 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 4 Apr 2025 05:46:33 +0000
Subject: [PATCH 558/713] node_exporter: Add verbose option
---
 .../node-exporter-run-textfile-collector.sh | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/roles/node_exporter/files/node-exporter-run-textfile-collector.sh b/roles/node_exporter/files/node-exporter-run-textfile-collector.sh
index 7a6d1a0..97dd14c 100755
--- a/roles/node_exporter/files/node-exporter-run-textfile-collector.sh
+++ b/roles/node_exporter/files/node-exporter-run-textfile-collector.sh
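Review bot: `mv "$tmpfile" "$target"` drops the `.prom` suffix that the removed line appended, so output now lands at `${OUTDIR}/<script>`; node_exporter's textfile collector only reads `*.prom` files, which would silently stop these metrics unless the collector scripts have since been renamed to carry the suffix themselves — keep `target="${OUTDIR}/$(basename "$script").prom"`. mktemp creates the temp file with mode 0600 regardless of the script's `umask 022`, and mv preserves that mode, so the final file is unreadable to node_exporter if it runs as a non-root user (the earlier `>` redirect produced a umask-governed 0644); add `chmod 0644 "$tmpfile"` before the mv. Both lines are carried forward unchanged into the next hunk of this file (the verbose-option commit).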
@@ -6,19 +6,35 @@ umask 022
 PATH="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin"
+if [ "${1:-}" = "-v" ]; then
+ shift
+ VERBOSE=true
+else
+ VERBOSE=false
+fi
+
+if [ -n "${1:-}" ]; then
+ echo "Usage: $(basename "$0") [-v]" 1>&2
+ exit 1
+fi
+
 if [ "$(uname -s)" = "OpenBSD" ]; then
 OUTDIR="/var/db/node-exporter"
 else
 OUTDIR="/var/lib/prometheus/node-exporter"
 fi
+"$VERBOSE" && echo "Using output directory '${OUTDIR}'"
 for script in /usr/local/libexec/node-exporter/*; do
 [ -x "$script" ] || continue
+ "$VERBOSE" && echo "Processing script '${script}'"
 target="${OUTDIR}/$(basename "$script")"
 tmpfile="$(mktemp -p "$OUTDIR")"
 if "$script" > "$tmpfile" ; then
+ "$VERBOSE" && echo " Success, updating stats"
 mv "$tmpfile" "$target"
 else
+ "$VERBOSE" && echo " Failure, skipping stats update"
 rm -f "$tmpfile"
 fi
 done
From d282b132ab9909101345551fb5eb08f85c45085c Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 4 Apr 2025 07:58:33 +0000
Subject: [PATCH 559/713] routeros_firmware: Fix tabs to spaces
---
 roles/routeros_firmware/files/download-routeros-firmware.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/routeros_firmware/files/download-routeros-firmware.sh b/roles/routeros_firmware/files/download-routeros-firmware.sh
index b6784bc..1cdbd53 100644
--- a/roles/routeros_firmware/files/download-routeros-firmware.sh
+++ b/roles/routeros_firmware/files/download-routeros-firmware.sh
@@ -23,7 +23,7 @@ packageinfo=$(curl -sSf "https://mikrotik.com/download" | awk -F '"' '
 url=$2
 } else if (!found && url && $0 ~ /data-checksum-sha256/) {
 print url " " $6
- found = 1
+ found = 1
 }
 }
 ')
From 776b562abe9f6cacfebf687e8b570dce04b60704 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 4 Apr 2025 16:01:43 +0000
Subject: [PATCH 560/713] routeros_firmware: Use real tmpfile
---
 .../files/download-routeros-firmware.sh | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
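Review bot: The four `"$VERBOSE" && echo …` lines execute the variable's value as a command, which only works because it is always exactly `true` or `false`; `[ "$VERBOSE" = true ] && echo …` states the intent and does not depend on a well-formed value. With the same construct repeated four times, a small helper reads better: `log() { [ "$VERBOSE" = true ] && echo "$@"; return 0; }` and then `log "Processing script '${script}'"` (the `return 0` keeps a quiet run from being reported as a failure if the script is ever run under `set -e`, which is not visible in this hunk). A one-line usage comment near the option parsing, `# usage: node-exporter-run-textfile-collector [-v]`, would also spare readers from reconstructing it from the error branch.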
diff --git a/roles/routeros_firmware/files/download-routeros-firmware.sh b/roles/routeros_firmware/files/download-routeros-firmware.sh
index 1cdbd53..96260ca 100644
--- a/roles/routeros_firmware/files/download-routeros-firmware.sh
+++ b/roles/routeros_firmware/files/download-routeros-firmware.sh
@@ -46,15 +46,16 @@ if [ -z "$checksum" ]; then
 fi
 echo "Downloading new package '${packagename}'"
-trap 'rm -f -- "${packagename}.tmp"' EXIT
-curl -sSf -o "${packagename}.tmp" "$packageurl"
+tmpfile="$(mktemp -p .)"
+trap 'rm -f -- "$tmpfile"' EXIT
+curl -sSf -o "$tmpfile" "$packageurl"
-if [ "$(sha256sum "${packagename}.tmp" | cut -d " " -f 1)" != "$checksum" ]; then
+if [ "$(sha256sum "$tmpfile" | cut -d " " -f 1)" != "$checksum" ]; then
 echo "ERR: Checksum check fail, not saving package" 1>&2
 exit 1
 fi
-mv "${packagename}.tmp" "$packagename"
+mv "$tmpfile" "$packagename"
 echo
 curl -sSf "https://cdn.mikrotik.com/routeros/$(echo "$packagename" | cut -d "-" -f 2)/CHANGELOG"
From 95c66d976fe9b61e74ec9b2aac61b3aa10eb2b56 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 5 Apr 2025 16:35:24 +0000
Subject: [PATCH 561/713] Add mqtt-tail script to adm hosts
---
 playbooks/adm.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/playbooks/adm.yml b/playbooks/adm.yml
index 69cfb42..3c2bd6c 100644
--- a/playbooks/adm.yml
+++ b/playbooks/adm.yml
@@ -53,6 +53,7 @@
 - libvirt-client # kvm host client
 - make # generic building
 - mariadb # mariadb client tools
+ - mosquitto # mqtt reading
 - nano # more editors
 - nmap # check for open ports
 - nsd # check dns zone files
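Review bot: `mktemp -p .` creates the download file with mode 0600 and `mv "$tmpfile" "$packagename"` keeps that mode, so the saved package is now owner-readable only, whereas the removed `curl -o "${packagename}.tmp"` created it under the process umask; if anything other than the invoking user reads this directory, add `chmod 0644 "$tmpfile"` before the mv. The `trap` is installed one statement after the file is created, leaving a small window in which an interrupt strands the temp file; registering `trap 'rm -f -- "$tmpfile"' EXIT` before the `tmpfile="$(mktemp -p .)"` line closes it (an unset `tmpfile` makes the cleanup a harmless no-op). The checksum-before-rename sequence itself is right, and the single-quoted trap correctly defers the expansion to exit time.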
@@ -113,3 +114,27 @@
 state: link
 owner: root
 group: "{{ ansible_wheel }}"
+
+ - name: Add mqtt-tail script
+ ansible.builtin.copy:
+ dest: /usr/local/bin/mqtt-tail
+ content: |
+ #!/bin/sh
+ set -eu
+ if [ -n "${1:-}" ]; then
+ topic="$1"
+ shift
+ else
+ topic="#"
+ fi
+ if [ $# -ne 0 ]; then
+ echo "Usage: $(basename "$0") [topic]" 1>&2
+ exit 1
+ fi
+ exec mosquitto_sub -h mqtt02.home.foo.sh -v -t "$topic" \
+ --cafile "{{ tls_certs }}/ca.crt" \
+ --cert "{{ tls_certs }}/{{ inventory_hostname }}.crt" \
+ --key "{{ tls_private }}/{{ inventory_hostname }}.key" \
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
From d6cc79dcb3dcc18398f011c482bd00bf7ba0ea5b Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 5 Apr 2025 17:37:56 +0000
Subject: [PATCH 562/713] Refactor mqtt topics for shelly plugs
---
 roles/homeassistant/templates/mqtt.yaml.j2 | 2 +-
 roles/mosquitto/templates/mosquitto.conf.j2 | 5 +++++
 roles/telegraf/templates/telegraf.conf.j2 | 8 ++++----
 3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/roles/homeassistant/templates/mqtt.yaml.j2 b/roles/homeassistant/templates/mqtt.yaml.j2
index 8d70762..c0b7ac3 100644
--- a/roles/homeassistant/templates/mqtt.yaml.j2
+++ b/roles/homeassistant/templates/mqtt.yaml.j2
@@ -2,7 +2,7 @@ sensor:
 {% for shelly in shellies | selectattr("name", "match", "^shellyplug-s-") | list %}
 - name: Power Usage
- state_topic: home/{{ shelly["room"] }}/{{ shelly["device"] }}/relay/0/power
+ state_topic: home/{{ shelly["room"] }}/{{ shelly["device"] }}/power
 unique_id: {{ shelly["name"] }}
 unit_of_measurement: W
 device:
diff --git a/roles/mosquitto/templates/mosquitto.conf.j2 b/roles/mosquitto/templates/mosquitto.conf.j2
index 917467e..4232fba 100644
--- a/roles/mosquitto/templates/mosquitto.conf.j2
+++ b/roles/mosquitto/templates/mosquitto.conf.j2
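Review bot: The last line of the embedded script, `--key "{{ tls_private }}/{{ inventory_hostname }}.key" \`, ends in a line continuation with nothing after it; under the `|` block scalar that backslash-newline is kept, so the shell joins it with the end of the file and the command only works by accident — drop the trailing `\`. Because the script is passed as `content:`, every `{{ … }}` in it is rendered by Ansible on the controller rather than read on the host; that is what is wanted for the certificate paths, but a first comment line in the script, `# generated by ansible; certificate paths are filled in at deploy time`, tells the next reader why the installed file contains literal paths.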
@@ -12,5 +12,10 @@ bridge_certfile {{ tls_certs }}/{{ inventory_hostname }}.crt
 bridge_keyfile {{ tls_private }}/{{ inventory_hostname }}.key
 {% for shelly in shellies %}
+{% if shelly['name'] | regex_search("^shellyplug-s-") %}
+topic power out 0 shellies/{{ shelly['name'] }}/relay/0/ home/{{ shelly['room'] }}/{{ shelly['device'] }}/
+topic temperature out 0 shellies/{{ shelly['name'] }}/ home/{{ shelly['room'] }}/{{ shelly['device'] }}/
+{% else %}
 topic # out 0 shellies/{{ shelly['name'] }}/ home/{{ shelly['room'] }}/{{ shelly['device'] }}/
+{% endif %}
 {% endfor %}
diff --git a/roles/telegraf/templates/telegraf.conf.j2 b/roles/telegraf/templates/telegraf.conf.j2
index 2f1056e..07b71ba 100644
--- a/roles/telegraf/templates/telegraf.conf.j2
+++ b/roles/telegraf/templates/telegraf.conf.j2
@@ -10,7 +10,7 @@ tls_cert = "{{ tls_certs }}/{{ inventory_hostname }}.crt"
 tls_key = "{{ tls_private }}/{{ inventory_hostname }}.key"
 topics = [
- "+/+/+/relay/0/power",
+ "+/+/+/power",
 "+/+/+/temperature",
 "+/+/+/sensor/battery",
 "+/+/+/sensor/lux",
@@ -21,9 +21,9 @@ data_format = "value"
 [[inputs.mqtt_consumer.topic_parsing]]
- topic = "+/+/+/relay/0/power"
- tags = "location/room/device/_/_/_"
- measurement = "_/_/_/_/_/measurement"
+ topic = "+/+/+/power"
+ tags = "location/room/device/_"
+ measurement = "_/_/_/power"
 [[inputs.mqtt_consumer.topic_parsing]]
 topic = "+/+/+/temperature"
From 043104f062b92aaf33c0734cd0c29c62fbd15483 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 5 Apr 2025 18:48:16 +0000
Subject: [PATCH 563/713] network: Write keepalived interface status to file
---
 roles/network/files/keepalived-notify.sh | 7 ++++
 roles/network/handlers/main.yml | 7 ++++
 roles/network/tasks/RedHat.yml | 44 ++++++++++++++++++++++++
 roles/network/templates/keepalived.conf.j2 | 3 +-
 4 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100755 roles/network/files/keepalived-notify.sh
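Review bot: In the telegraf hunk, `measurement = "_/_/_/power"` replaces the `measurement` placeholder the removed line used; telegraf treats that template positionally (any segment other than `_` marks where the name is taken from), so this should still pick the fourth topic segment, but the literal `power` reads as if it were a fixed measurement name — `measurement = "_/_/_/measurement"` keeps the placeholder convention of the removed line. In the mosquitto hunk the plug test is `regex_search("^shellyplug-s-")` while the homeassistant template changed in the same commit selects plugs with `selectattr("name", "match", "^shellyplug-s-")`; both work, but one idiom across the two templates is easier to keep in sync when the device naming changes.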
diff --git a/roles/network/files/keepalived-notify.sh b/roles/network/files/keepalived-notify.sh
new file mode 100755
index 0000000..bd709f9
--- /dev/null
+++ b/roles/network/files/keepalived-notify.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -eu
+
+umask 022
+
+echo "$3" > "/run/keepalived/${2}.state"
diff --git a/roles/network/handlers/main.yml b/roles/network/handlers/main.yml
index 290312a..945ccb9 100644
--- a/roles/network/handlers/main.yml
+++ b/roles/network/handlers/main.yml
@@ -12,6 +12,13 @@
 - c
 - reload
+- name: Refresh keepalived run directory
+ ansible.builtin.command:
+ argv:
+ - systemd-tmpfiles
+ - --create
+ - /etc/tmpfiles.d/keepalived.conf
+
 - name: Restart keepalived
 ansible.builtin.service:
 name: keepalived
diff --git a/roles/network/tasks/RedHat.yml b/roles/network/tasks/RedHat.yml
index 96e3734..92b38c9 100644
--- a/roles/network/tasks/RedHat.yml
+++ b/roles/network/tasks/RedHat.yml
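Review bot: `echo "$3" > "/run/keepalived/${2}.state"` truncates the state file before writing, so a reader that races the notify (which is the point of the file) can observe it empty; write a sibling temp file and rename it into place, e.g. `printf '%s\n' "$3" > "/run/keepalived/${2}.state.tmp"` followed by `mv -f "/run/keepalived/${2}.state.tmp" "/run/keepalived/${2}.state"`. A header comment naming the arguments keepalived passes to notify scripts (`$1` INSTANCE/GROUP, `$2` instance name, `$3` new state, `$4` priority) would make the `${2}`/`$3` selection self-explanatory. `set -u` already aborts on a missing argument, but an explicit `[ $# -ge 3 ] || exit 1` gives a clearer failure than the shell's unbound-variable message.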
@@ -45,6 +45,50 @@
 - network_vip_interfaces is defined
 - network_vip_interfaces != []
+- name: Create keepalived group
+ ansible.builtin.group:
+ name: keepalived
+ system: true
+ when:
+ - network_vip_interfaces is defined
+ - network_vip_interfaces != []
+
+- name: Create keepalived user
+ ansible.builtin.user:
+ name: keepalived
+ comment: Service keepalived
+ createhome: false
+ group: keepalived
+ home: /var/empty
+ shell: /sbin/nologin
+ system: true
+ when:
+ - network_vip_interfaces is defined
+ - network_vip_interfaces != []
+
+- name: Create run directory
+ ansible.builtin.copy:
+ dest: /etc/tmpfiles.d/keepalived.conf
+ content: "d /run/keepalived 755 keepalived keepalived"
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Refresh keepalived run directory
+ when:
+ - network_vip_interfaces is defined
+ - network_vip_interfaces != []
+
+- name: Copy keepalived notify script
+ ansible.builtin.copy:
+ dest: /usr/local/libexec/keepalived-notify
+ src: keepalived-notify.sh
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ when:
+ - network_vip_interfaces is defined
+ - network_vip_interfaces != []
+
 - name: Create keepalived config
 ansible.builtin.template:
 dest: /etc/keepalived/keepalived.conf
diff --git a/roles/network/templates/keepalived.conf.j2 b/roles/network/templates/keepalived.conf.j2
index 83c873b..af8f792 100644
--- a/roles/network/templates/keepalived.conf.j2
+++ b/roles/network/templates/keepalived.conf.j2
@@ -1,7 +1,7 @@
 ! {{ ansible_managed }}
 global_defs {
-
+ script_user keepalived
 }
 {% for vip in network_vip_interfaces %}
@@ -18,5 +18,6 @@ vrrp_instance VI_{{ vip.vhid }} {
 virtual_ipaddress {
 {{ vip.ipaddr }}
 }
+ notify /usr/local/libexec/keepalived-notify
 }
 {% endfor %}
From a7860a01049e81f7fcc036cc6ac96de2ff27939e Mon Sep 17 00:00:00 2001
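Review bot: The four new tasks each repeat the same two-line `when:` that the surrounding tasks already carry; grouping them under one `block:` with a single `when:` removes the duplication and keeps the condition from drifting between tasks. In the user task `createhome` is the legacy alias — the documented parameter is `create_home: false`. The tmpfiles entry is written as a one-line string without a terminating newline; `content: |` with the entry on its own line is the conventional form and produces a properly terminated file.
```yaml
- name: Configure keepalived helpers
  when:
    - network_vip_interfaces is defined
    - network_vip_interfaces != []
  block:
    - name: Create keepalived group
      ansible.builtin.group:
        name: keepalived
        system: true
    - name: Create keepalived user
      ansible.builtin.user:
        name: keepalived
        comment: Service keepalived
        create_home: false
        # … unchanged: group, home, shell, system …
    - name: Create run directory
      ansible.builtin.copy:
        dest: /etc/tmpfiles.d/keepalived.conf
        content: |
          d /run/keepalived 755 keepalived keepalived
        # … unchanged: mode, owner, group, notify …
    # … unchanged: notify-script copy task, without its own when …
```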
From: Timo Makinen
Date: Sat, 5 Apr 2025 19:29:52 +0000
Subject: [PATCH 564/713] network: Enable keepalived script security
---
 roles/network/templates/keepalived.conf.j2 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/network/templates/keepalived.conf.j2 b/roles/network/templates/keepalived.conf.j2
index af8f792..639eb3d 100644
--- a/roles/network/templates/keepalived.conf.j2
+++ b/roles/network/templates/keepalived.conf.j2
@@ -1,6 +1,7 @@
 ! {{ ansible_managed }}
 global_defs {
+ enable_script_security
 script_user keepalived
 }
From 46a15fb9cea2e05acbc516c33c38db16fd52f939 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 5 Apr 2025 19:51:35 +0000
Subject: [PATCH 565/713] nftables: Validate config before applying
---
 roles/nftables/tasks/main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/nftables/tasks/main.yml b/roles/nftables/tasks/main.yml
index 85a6424..5069a93 100644
--- a/roles/nftables/tasks/main.yml
+++ b/roles/nftables/tasks/main.yml
@@ -16,6 +16,7 @@
 mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
+ validate: "nft -c -f %s"
 notify: Reload nftables
 - name: Enable service
From ededecd1670f6ffc7dbc488087372bca7b388aa6 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 5 Apr 2025 19:51:54 +0000
Subject: [PATCH 566/713] nftables: Fix support for raw rules
---
 roles/nftables/templates/nftables.conf.j2 | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/roles/nftables/templates/nftables.conf.j2 b/roles/nftables/templates/nftables.conf.j2
index 44f153c..067285c 100644
--- a/roles/nftables/templates/nftables.conf.j2
+++ b/roles/nftables/templates/nftables.conf.j2
@@ -8,6 +8,11 @@ table ip filter {
 ct state vmap { established : accept, related : accept }
 ip protocol icmp accept
 iifname lo accept
+{% if firewall_raw is defined %}
+{% for rule in firewall_raw %}
+ {{ rule }}
+{% endfor %}
+{% endif %}
 {% for rule in firewall_in %}
 {% if rule.from is defined %}
 {% for from in rule.from %}
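Review bot: In the nftables.conf.j2 hunk the `{% if firewall_raw is defined %}` guard can be folded into the loop as `{% for rule in firewall_raw | default([]) %}`, which drops two lines and reads as one construct; the same applies to the `firewall_raw6` loop in the next hunk of this file. Since `{{ rule }}` is emitted verbatim into the `input` chain, a comment above the loop such as `{# raw nft rules from group/host vars, inserted as-is; syntax errors are caught by the copy task's validate step #}` records both where the text comes from and why a typo there cannot reach the running ruleset — the `validate: "nft -c -f %s"` added in the previous commit is what provides that guarantee.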
@@ -35,6 +40,11 @@ table ip6 filter {
 type filter hook input priority 0; policy accept
 ct state vmap { established : accept, related : accept }
 ip6 nexthdr icmpv6 accept
+{% if firewall_raw6 is defined %}
+{% for rule in firewall_raw6 %}
+ {{ rule }}
+{% endfor %}
+{% endif %}
 {% for rule in firewall_in %}
 {% if rule.from is defined %}
 {% for from in rule.from %}
From 5cedf628c853b7352e8926086f3e240fd8ba3226 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 5 Apr 2025 19:53:39 +0000
Subject: [PATCH 567/713] Fix firewall rules on nms hosts for VRRP
---
 group_vars/nms.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/group_vars/nms.yml b/group_vars/nms.yml
index 1f2f050..cf78647 100644
--- a/group_vars/nms.yml
+++ b/group_vars/nms.yml
@@ -34,8 +34,7 @@ firewall_in:
 - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
 - {proto: tcp, port: 9116, from: [172.20.20.0/22]}
 firewall_raw:
- - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
- - "-A INPUT -i eth1 -p vrrp -j ACCEPT"
+ - "ip daddr 224.0.0.0/8 accept"
 sssd_allow_groups:
 - sysadm
From 4772b948fad74f88d2920d6133ea33bad7d3def6 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 5 Apr 2025 20:06:34 +0000
Subject: [PATCH 568/713] Fix vrrp priority from nms02 host
---
 host_vars/nms02.home.foo.sh.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/host_vars/nms02.home.foo.sh.yml b/host_vars/nms02.home.foo.sh.yml
index 4e1a686..cb1b86b 100644
--- a/host_vars/nms02.home.foo.sh.yml
+++ b/host_vars/nms02.home.foo.sh.yml
@@ -17,4 +17,4 @@ network_interfaces:
 netmask: 255.255.255.248
 proto: static
-vip25_priority: 0
+vip25_priority: 1
From bfa41678221626df95f1214f495ea510fbf78b93 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sun, 6 Apr 2025 15:16:27 +0000
Subject: [PATCH 569/713] network: Fix keepalived ip address config
---
 roles/network/templates/keepalived.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
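Review bot: In the group_vars/nms.yml hunk the replacement rule is broader than the two it removes: the old entries were restricted to `-i eth1`, while `ip daddr 224.0.0.0/8 accept` matches multicast arriving on every interface; `- "iifname eth1 ip daddr 224.0.0.0/8 accept"` keeps the original scope. The separate `-p vrrp` accept is not carried over — VRRP advertisements are sent to 224.0.0.18, which the daddr rule covers, so this is fine for the multicast case, but a comment line above the entry (`# VRRP advertisements arrive on 224.0.0.18, covered by the multicast accept`) would explain why one rule replaced two. Whether any peer uses unicast VRRP, which would need the protocol match back, is not visible here.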
diff --git a/roles/network/templates/keepalived.conf.j2 b/roles/network/templates/keepalived.conf.j2
index 639eb3d..c68642d 100644
--- a/roles/network/templates/keepalived.conf.j2
+++ b/roles/network/templates/keepalived.conf.j2
@@ -17,7 +17,7 @@ vrrp_instance VI_{{ vip.vhid }} {
 auth_pass {{ vip.pass }}
 }
 virtual_ipaddress {
- {{ vip.ipaddr }}
+ {{ vip.ipaddr }}/{{ (vip.ipaddr + '/' + vip.netmask) | ansible.utils.ipaddr('prefix') }}
 }
 notify /usr/local/libexec/keepalived-notify
 }
From 2b8b9f69f71c86d46c429e2a5e578e04c7ad867b Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sun, 6 Apr 2025 16:38:30 +0000
Subject: [PATCH 570/713] Fix netmask from virtual ip on nms hosts
---
 group_vars/nms.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/group_vars/nms.yml b/group_vars/nms.yml
index cf78647..bd86e46 100644
--- a/group_vars/nms.yml
+++ b/group_vars/nms.yml
@@ -18,7 +18,7 @@ network_vip_interfaces:
 - device: eth1
 vhid: 25
 ipaddr: 172.20.25.1
- netmask: 255.255.0.0
+ netmask: 255.255.255.0
 pass: "{{ vip25_pass }}"
 priority: "{{ vip25_priority }}"
From 211e04ae992e5230de38cd599fed1f3c0dd70aad Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sun, 6 Apr 2025 16:44:30 +0000
Subject: [PATCH 571/713] aten_pdu: First version of role
---
 .../files/ATEN-PE-CFG_str_1.3.128.mib | 5065 +++++++++++++++++
 roles/aten_pdu/files/aten-mqtt-publish.sh | 54 +
 roles/aten_pdu/meta/main.yml | 3 +
 roles/aten_pdu/tasks/main.yml | 31 +
 4 files changed, 5153 insertions(+)
 create mode 100644 roles/aten_pdu/files/ATEN-PE-CFG_str_1.3.128.mib
 create mode 100644 roles/aten_pdu/files/aten-mqtt-publish.sh
 create mode 100644 roles/aten_pdu/meta/main.yml
 create mode 100644 roles/aten_pdu/tasks/main.yml
diff --git a/roles/aten_pdu/files/ATEN-PE-CFG_str_1.3.128.mib b/roles/aten_pdu/files/ATEN-PE-CFG_str_1.3.128.mib
new file mode 100644
index 0000000..d3f0ae6
--- /dev/null
+++ b/roles/aten_pdu/files/ATEN-PE-CFG_str_1.3.128.mib
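Review bot: The new `virtual_ipaddress` line assembles the CIDR by hand with Jinja `+` and then appends the prefix length to the bare address; `{{ (vip.ipaddr ~ '/' ~ vip.netmask) | ansible.utils.ipaddr('host/prefix') }}` uses the string-concatenation operator and lets the filter emit the whole `address/len` in one step, which is shorter and does not break if `vip.ipaddr` is ever not a plain string. This line also makes the network role depend on the `ansible.utils` collection (and its netaddr backend on the controller); if nothing in the repository declares that already, a `requirements.yml` entry or a comment at the top of the template is worth adding so a fresh checkout does not fail at template time.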
@@ -0,0 +1,5065 @@ + -- MIB version: 1.3.128 + + -- MIB release note + -- | date | MIB version | note + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 12/06/2021 | 1.3.128 | New dry contact sensor type: water leakage sensor + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 11/25/2020 | 1.3.127 | Add new OID: communityLock and passwordLock for California passes law + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 12/30/2019 | 1.3.126 | Add new OID: outletAlwaysON + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 06/22/2016 | 1.3.125 | delete OID: outletRemoteAccessLock , add OID: outletLocalAccessLock & outletSequentialReboot + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 04/28/2016 | 1.3.124 | Modify the string length in the description of outletName from 0~15 into 0~48 + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 04/06/2016 | 1.3.123 | Modify minimum environmental humidity range from 15% into 10% + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 02/22/2016 | 1.3.122 | Relocate OID: outletRemoteAccessLock + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 02/03/2016 | 1.3.121 | Add new OID: outletRemoteAccessLock + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 12/29/2015 | 1.1.119 | Add new OID: smtpPort 
+ -- -------------------------------------------------------------------------------------------------------------------------- + -- | 07/31/2015 | 1.1.118 | Add new OID: popPriorityList + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 07/13/2015 | 1.1.117 | Add Two dry contact & hide door sensor info + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 02/11/2015 | 1.1.116 | Syntax modification of POP modes + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 12/02/2014 | 1.1.115 | Wording modification + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 10/22/2014 | 1.1.114 | Add get/set function for new POP feature + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 07/28/2014 | 1.1.113 | Modify and unify responses of empty and not-support measurement values + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 10/31/2013 | 1.1.112 | updated mib to pass smilint level 3 + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 10/03/2013 | 1.1.111 | updated mib to pass smilint level 3 + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 08/09/2013 | 1.1.110 | Add outlet init mode + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 07/17/2013 | 1.1.109 | Add CAP Priority Settings + -- 
-------------------------------------------------------------------------------------------------------------------------- + -- | 07/05/2013 | 1.1.108 | Add Description and change some Syntax of oids + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 05/23/2013 | 1.1.107 | Change "usrEnable" order from 40 to 47 in "UsrListEntry" + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 05/21/2013 | 1.1.106 | Hide CAP function + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 05/14/2013 | 1.1.105 | Modify Power Threshold Description + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 05/07/2013 | 1.1.104 | Add CAP Function OID + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 04/26/2013 | 1.1.103 | Add Door Sensor Type OID + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 04/24/2013 | 1.1.102 | Modify Status Description of Door Sensor + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 02/20/2013 | 1.1.101 | + -- -------------------------------------------------------------------------------------------------------------------------- + + -- ATEN International Co., Ltd. 
+ -- This file defines the mib struct of Management in PE series + -- We attach this mib node on enterprises.aten.atenProducts.overip.poweroverip.pe subtree + + +ATEN-PE-CFG DEFINITIONS ::= BEGIN + + IMPORTS + enterprises, IpAddress, Gauge, TimeTicks FROM RFC1155-SMI + enterprises FROM RFC1155-SMI + DisplayString FROM RFC1213-MIB + OBJECT-TYPE FROM RFC-1212 + TRAP-TYPE FROM RFC-1215 + MODULE-IDENTITY, + NOTIFICATION-TYPE FROM SNMPv2-SMI + KeyChange FROM SNMP-USER-BASED-SM-MIB + TEXTUAL-CONVENTION FROM SNMPv2-TC; + + + + aten MODULE-IDENTITY + LAST-UPDATED "201310311110Z" + ORGANIZATION "ATEN" + CONTACT-INFO "Aten, Inc." + DESCRIPTION + "ATEN PE MIB" + REVISION "201310311110Z" + DESCRIPTION + "updated mib to pass smilint level 3" + ::= { enterprises 21317 } + + + atenProducts OBJECT IDENTIFIER ::= { aten 1 } + overip OBJECT IDENTIFIER ::= { atenProducts 3 } + poweroverip OBJECT IDENTIFIER ::= { overip 2} + pe OBJECT IDENTIFIER ::= {poweroverip 2} + userManagement OBJECT IDENTIFIER ::= { pe 1 } + control OBJECT IDENTIFIER ::= { pe 2 } + device OBJECT IDENTIFIER ::= { control 1 } + pop OBJECT IDENTIFIER ::= { device 17 } + cap OBJECT IDENTIFIER ::= { device 18 } + outlet OBJECT IDENTIFIER ::= { control 2 } + bank OBJECT IDENTIFIER ::= { control 3 } +deviceManagement OBJECT IDENTIFIER ::= { pe 3 } + config OBJECT IDENTIFIER ::= { deviceManagement 4 } + dashBoard OBJECT IDENTIFIER ::= { config 4 } + servicePorts OBJECT IDENTIFIER ::= { config 5 } + ipv4config OBJECT IDENTIFIER ::= { config 6 } + eventNotification OBJECT IDENTIFIER ::= { config 7 } + devicesnmp OBJECT IDENTIFIER ::= { eventNotification 1 } + syslog OBJECT IDENTIFIER ::= { eventNotification 2 } + smtp OBJECT IDENTIFIER ::= { eventNotification 3 } + configurationNotification OBJECT IDENTIFIER ::= { eventNotification 9 } + + + dateTime OBJECT IDENTIFIER ::= { config 8 } + timeZone OBJECT IDENTIFIER ::= { dateTime 1 } + manualInput OBJECT IDENTIFIER ::= { dateTime 2 } + networkTime OBJECT IDENTIFIER ::= { 
dateTime 3 } + + devicesecurity OBJECT IDENTIFIER ::= { deviceManagement 5 } + loginFailures OBJECT IDENTIFIER ::= { devicesecurity 1 } + workingMode OBJECT IDENTIFIER ::= { devicesecurity 2 } + accountPolicy OBJECT IDENTIFIER ::= { devicesecurity 3 } + loginRestriction OBJECT IDENTIFIER ::= { devicesecurity 4 } + ipFilter OBJECT IDENTIFIER ::= { loginRestriction 2 } + macFilter OBJECT IDENTIFIER ::= { loginRestriction 3 } + authentication OBJECT IDENTIFIER ::= { devicesecurity 5 } + radius OBJECT IDENTIFIER ::= { authentication 1 } +--deviceLock OBJECT IDENTIFIER ::= { pe 4 } +--CPM OBJECT IDENTIFIER ::= { pe 7 } +-- CPMDevice OBJECT IDENTIFIER ::= { CPM 9 } +-- Sensor OBJECT IDENTIFIER ::= { CPM 10 } +-- EnergySensor OBJECT IDENTIFIER ::= { CPM 11 } + + +--SNMPv3UsmAuthPrivProtocol ::= TEXTUAL-CONVENTION +-- STATUS current +-- DESCRIPTION +-- "This textual convention enumerates the authentication and privledge +-- protocol for USM configuration. +-- " +-- SYNTAX INTEGER +-- { +-- hmacMD5Auth(2), +-- hmacSHAAuth(3) +-- desPrivProtocol(5), +-- aesPrivProtocol(6) +-- } + +-- Device Control +modelName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Indicate PE device model name." + ::= { device 1 } + +deviceName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The name of PE device. + string length: 1~39 + NOTE: Input string as /empty to set this object to NULL. + " + ::= { device 2 } + +deviceValueTable OBJECT-TYPE + SYNTAX SEQUENCE OF DeviceValueEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Device value table. This table displays device's current, voltage, power and + power dissipation. + " + ::= { device 3 } + +deviceValueEntry OBJECT-TYPE + SYNTAX DeviceValueEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Single deviceValue entry containing device info." 
+ INDEX { deviceValueIndex } + ::= { deviceValueTable 1 } + +DeviceValueEntry ::= + SEQUENCE { + deviceValueIndex + INTEGER, + deviceCurrent + DisplayString, + deviceVoltage + DisplayString, + devicePower + DisplayString, + devicePowerDissipation + DisplayString, + inputMaxVoltage + INTEGER, + inputMaxCurrent + INTEGER, + powerCapacity + INTEGER, + devicePowerFactor + DisplayString + } + +deviceValueIndex OBJECT-TYPE + SYNTAX INTEGER (1) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of deviceValue." + ::= { deviceValueEntry 1 } +deviceCurrent OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Device electric current value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { deviceValueEntry 2 } +deviceVoltage OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Device voltage value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { deviceValueEntry 3 } +devicePower OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Device power value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { deviceValueEntry 4 } + +devicePowerDissipation OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Device power dissipation value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { deviceValueEntry 5 } + +inputMaxVoltage OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Device input Voltage value. unit:(V) + If the device does not support this OID, we show value 0. 
+ " + ::= { deviceValueEntry 6 } + +inputMaxCurrent OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Device input Current value. unit:(A) + If the device does not support this OID, we show value 0." + ::= { deviceValueEntry 7 } + +powerCapacity OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Device power Capacity value.unit:(VA) + If the device does not support this OID, we show value 0." + ::= { deviceValueEntry 8 } + +devicePowerFactor OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Device power Factor value. + If the device does not support this OID, it returns: not-support." + ::= { deviceValueEntry 9 } + +sensorValueTable OBJECT-TYPE + SYNTAX SEQUENCE OF SensorValueEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Device's sensor value table. This table displays sensor's temperature, humidity and + pressure. + " + ::= { device 4 } + +sensorValueEntry OBJECT-TYPE + SYNTAX SensorValueEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Single device's sensor value entry containing device info." + INDEX { sensorValueIndex } + ::= { sensorValueTable 1 } + +SensorValueEntry ::= + SEQUENCE { + sensorValueIndex + INTEGER, + sensorTemperature + DisplayString, + sensorHumidity + DisplayString, + sensorPressure + DisplayString, + sensorProperty + INTEGER + } + +sensorValueIndex OBJECT-TYPE + SYNTAX INTEGER (1..6) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of sensor number." + ::= { sensorValueEntry 1 } +sensorTemperature OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Sensor's Temperature value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." 
+ ::= { sensorValueEntry 2 } +sensorHumidity OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Sensor's Humidity value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { sensorValueEntry 3 } +sensorPressure OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Sensor's Pressure value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { sensorValueEntry 4 } + +sensorProperty OBJECT-TYPE + SYNTAX INTEGER { intake(1), exhaust(2), floor(3) } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Sensor's Property." + ::= { sensorValueEntry 5 } + +deviceOutletStatusTable OBJECT-TYPE + SYNTAX SEQUENCE OF DeviceOutletStatusEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Device outlet status value table." + ::= { device 5 } + +deviceOutletStatusEntry OBJECT-TYPE + SYNTAX DeviceOutletStatusEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Single deviceOutletStatus entry containing device info." + INDEX { deviceOutletStatusIndex } + ::= { deviceOutletStatusTable 1 } + +DeviceOutletStatusEntry ::= + SEQUENCE { + deviceOutletStatusIndex + INTEGER, + displayOutletStatus + INTEGER + + } + +deviceOutletStatusIndex OBJECT-TYPE + SYNTAX INTEGER (1..30) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of deviceOutletStatus" + ::= { deviceOutletStatusEntry 1 } +displayOutletStatus OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), fault(4), noauth(5), not-support(6), pop(7) } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Display outlet status." 
+ ::= { deviceOutletStatusEntry 2 } + + +deviceConfigTable OBJECT-TYPE + SYNTAX SEQUENCE OF DeviceConfigEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Device configuration table" + ::= { device 6 } + +deviceConfigEntry OBJECT-TYPE + SYNTAX DeviceConfigEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Single deviceConfig entry containing device info." + INDEX { deviceConfigIndex } + ::= { deviceConfigTable 1 } + +DeviceConfigEntry ::= + SEQUENCE { + deviceConfigIndex + INTEGER, + deviceMinCurMT + INTEGER, + deviceMaxCurMT + INTEGER, + + deviceMinVolMT + INTEGER, + deviceMaxVolMT + INTEGER, + deviceMinPMT + INTEGER, + deviceMaxPMT + INTEGER, + + --deviceMinPDMT + --INTEGER, + deviceMaxPDMT + INTEGER + --deviceCurFlu + -- INTEGER, + --deviceVolFlu + -- INTEGER, + --devicePFlu + -- INTEGER + --devicePDFlu + --INTEGER + } + +deviceConfigIndex OBJECT-TYPE + SYNTAX INTEGER (1) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of deviceConfig" + ::= { deviceConfigEntry 1 } +deviceMinCurMT OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set device minimum electric current measurement threshold. + Example: range 0.0~32.0 represents 0~320. + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceConfigEntry 2 } +deviceMaxCurMT OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set device maximum electric current measurement threshold. + Example: range 0.0~32.0 represents 0~320 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." 
+ ::= { deviceConfigEntry 3 } + +deviceMinVolMT OBJECT-TYPE + SYNTAX INTEGER (900..2600 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set device minimum voltage measurement threshold. + Exapmple: range 90.0~260.0 represents 900~2600 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceConfigEntry 4 } + +deviceMaxVolMT OBJECT-TYPE + SYNTAX INTEGER (900..2600 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set device maximum voltage measurement threshold. + Example: range 90.0~260.0 represents 900~2600 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceConfigEntry 5 } + +deviceMinPMT OBJECT-TYPE + SYNTAX INTEGER (0..99999 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set device minimum power measurement threshold. + Example: range 0.0 ~ 9999.9 represents 0~99999 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceConfigEntry 6 } + +deviceMaxPMT OBJECT-TYPE + SYNTAX INTEGER (0..99999 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set device maximum power measurement threshold. + Example: range 0.0 ~ 9999.9 represents 0~99999 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceConfigEntry 7 } + +--deviceCurFlu OBJECT-TYPE + --SYNTAX INTEGER + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display device electric current fluctuation threshold. 
+ -- Fluctuation Range = (MaxThreshold-MinThreshold)/2 x10 + -- When this value is -3000,it indicate this is NULL. + -- When set this value to -3000, indicate set this object as NULL. + -- NOTICE:Minimum threshold should be setted smaller than Maxima threshold + -- " + --::= { deviceConfigEntry 9 } + +--deviceVolFlu OBJECT-TYPE + --SYNTAX INTEGER + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display device voltage fluctuation threshold. + -- Fluctuation Range = (MaxThreshold-MinThreshold)/2 x10 + -- When this value is -3000,it indicate this is NULL. + -- When set this value to -3000, indicate set this object as NULL. + -- NOTICE:Minimum threshold should be setted smaller than Maxima threshold + -- " + --::= { deviceConfigEntry 10 } + +--devicePFlu OBJECT-TYPE + --SYNTAX INTEGER + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display device power fluctuation threshold. + -- Fluctuation Range = (MaxThreshold-MinThreshold)/2 x10 + -- When this value is -3000,it indicate this is NULL. + -- When set this value to -3000, indicate set this object as NULL. + -- NOTICE:Minimum threshold should be setted smaller than Maxima threshold + -- " + --::= { deviceConfigEntry 11 } + +--deviceMinPDMT OBJECT-TYPE + --SYNTAX INTEGER (0..2000) + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display or set device minimum power dissipation measurement threshold." + --::= { deviceConfigEntry 8 } +deviceMaxPDMT OBJECT-TYPE + SYNTAX INTEGER (0..999990 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set device maximum power dissipation measurement threshold. + Example: range 0.0 ~ 99999.0 represents 0~999990 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." 
+ ::= { deviceConfigEntry 8 } +--devicePDFlu OBJECT-TYPE + --SYNTAX INTEGER (0..2000) + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display device power dissipation fluctuation threshold." + --::= { deviceConfigEntry 13 } + + +deviceSensorTresholdTable OBJECT-TYPE + SYNTAX SEQUENCE OF DeviceSensorTresholdEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Device environment value table" + ::= { device 7 } + +deviceSensorTresholdEntry OBJECT-TYPE + SYNTAX DeviceSensorTresholdEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Device's sensor Environment entry containing sensor info." + INDEX { deviceSensorTresholdIndex } + ::= { deviceSensorTresholdTable 1 } + +DeviceSensorTresholdEntry ::= + SEQUENCE { + deviceSensorTresholdIndex + INTEGER, + sensorMinTempMT + INTEGER, + sensorMaxTempMT + INTEGER, + + sensorMinHumMT + INTEGER, + sensorMaxHumMT + INTEGER, + sensorMinPressMT + INTEGER, + sensorMaxPressMT + INTEGER + --sensorTempFlu + --INTEGER, + --sensorHumFlu + --INTEGER, + --sensorPressFlu + --INTEGER + } + +deviceSensorTresholdIndex OBJECT-TYPE + SYNTAX INTEGER (1..6) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of sensor number" + ::= { deviceSensorTresholdEntry 1 } + +sensorMinTempMT OBJECT-TYPE + SYNTAX INTEGER (-200..600 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set sensor minimum temperature measurement threshold. + Example: range -20.0 ~ 60.0 represents -200~600 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceSensorTresholdEntry 2 } +sensorMaxTempMT OBJECT-TYPE + SYNTAX INTEGER (-200..600 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set sensor maximum temperature measurement threshold. 
+ Example: range -20.0 ~ 60.0 represents -200~600 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceSensorTresholdEntry 3 } + +sensorMinHumMT OBJECT-TYPE + SYNTAX INTEGER (100..950 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set sensor minimum humidity measurement threshold. + Example: range 10.0 ~ 95.0 represents 100~950 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceSensorTresholdEntry 4 } +sensorMaxHumMT OBJECT-TYPE + SYNTAX INTEGER (100..950 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set sensor maximum humidity measurement threshold. + Example: range 10.0 ~ 95.0 represents 100~950 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceSensorTresholdEntry 5 } + +sensorMinPressMT OBJECT-TYPE + SYNTAX INTEGER (-2500..2500 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set sensor minimum pressure measurement threshold. + Example: range -250.0 ~ 250.0 represents -2500 ~ 2500 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceSensorTresholdEntry 6 } + +sensorMaxPressMT OBJECT-TYPE + SYNTAX INTEGER (-2500..2500 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set sensor maximum pressure measurement threshold. + Example: range -250.0 ~ 250.0 represents -2500 ~ 2500 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." 
+ ::= { deviceSensorTresholdEntry 7 } + +--sensorTempFlu OBJECT-TYPE + --SYNTAX INTEGER + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display sensor temperature fluctuation threshold. + -- Fluctuation Range = (MaxThreshold-MinThreshold)/2 x10 + -- When this value is -3000,it indicate this is NULL. + -- When set this value to -3000, indicate set this object as NULL. + -- NOTICE:Minimum threshold should be setted smaller than Maxima threshold + -- " + --::= { deviceEnvironmentEntry 8 } + +--sensorHumFlu OBJECT-TYPE + --SYNTAX INTEGER + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display sensor humidity fluctuation threshold. + -- Fluctuation Range = (MaxThreshold-MinThreshold)/2 x10 + -- When this value is -3000,it indicate this is NULL. + -- When set this value to -3000, indicate set this object as NULL. + -- NOTICE:Minimum threshold should be setted smaller than Maxima threshold + -- " + --::= { deviceEnvironmentEntry 9 } + + +--sensorPressFlu OBJECT-TYPE + --SYNTAX INTEGER + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display sensor pressure fluctuation threshold. + -- Fluctuation Range = (MaxThreshold-MinThreshold)/2 x10 + -- When this value is -3000,it indicate this is NULL. + -- When set this value to -3000, indicate set this object as NULL. + -- NOTICE:Minimum threshold should be setted smaller than Maxima threshold + -- " + --::= { deviceEnvironmentEntry 10 } + +deviceOutletControl OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), nostatus(3), not-support(4) } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " This function is used for all outlet ports control. + Set off(1) to turn off for all outlet ports. + Set on(2) to turn on for all outlet ports. + Get this object always return nostatus(3), because there is no device status. 
+ + " + ::= { device 8 } + +deviceOutletReboot OBJECT-TYPE + SYNTAX INTEGER { no(1), yes(2), not-support(4) } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " This function is used for all outlet ports to reboot. + Only when outlet status is ON can do outlet reboot action to all ports. + Set yes(2) to reboot all outlet ports. + Get this object always return no(1). + " + ::= { device 9 } + +switchable OBJECT-TYPE + SYNTAX INTEGER { no(1), yes(2), mix(3)} + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " Outlet is switchable or not." + ::= { device 10 } + +perportreading OBJECT-TYPE + SYNTAX INTEGER { no(1), yes(2) } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " Outlet is per-port reading or not." + ::= { device 11 } + +sensornumber OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " Sensor number." + ::= { device 12 } + +outletnumber OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " Outlet number." + ::= { device 13 } + +banknumber OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " Bank number." + ::= { device 14 } + +--chainnumber OBJECT-TYPE + --SYNTAX INTEGER + --MAX-ACCESS read-only + --STATUS current + --DESCRIPTION + -- " The slave device number." + --::= { device 15 } + +dryContactTable OBJECT-TYPE + SYNTAX SEQUENCE OF DryContactEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Device's Dry Contact table." + ::= { device 15 } + +dryContactEntry OBJECT-TYPE + SYNTAX DryContactEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Single device's dry contact value entry containing device info." 
+ INDEX { dryContactIndex } + ::= { dryContactTable 1 } + +DryContactEntry ::= + SEQUENCE { + dryContactIndex + INTEGER, + dryContactStatus + INTEGER, + dryContactType + INTEGER + } + +dryContactIndex OBJECT-TYPE + SYNTAX INTEGER (1..2) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of dry contact number." + ::= { dryContactEntry 1 } + +dryContactStatus OBJECT-TYPE + SYNTAX INTEGER { normal(0), alert(1), not-attached(2), not-support(10) } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Display dry contact status." + ::= { dryContactEntry 2 } + +dryContactType OBJECT-TYPE + SYNTAX INTEGER { notinstalled(0), photo(1), inductiveproximity(2), reed(3), waterleakage(4), not-support(10) } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Dry contact Type Selection" + ::= { dryContactEntry 3 } + +-- +-- pop +enablePOPmode OBJECT-TYPE + SYNTAX INTEGER {no(1), yes(2)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " Enable/Disable POP mode." + ::= { pop 1 } + +popThreshold OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " (-1)means default value same as Bank Max Current 16 A. + + Example: range 0.0~32.0 represents 0~320 + You can define the POP threshold or set as default(-1) value." + ::= { pop 2 } + +enableOutletPOPmode OBJECT-TYPE + SYNTAX INTEGER {no(1), yes(2), not-support(3)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " Enable/Disable Outlet POP mode." + ::= { pop 3 } + +enableLIFOPOPmode OBJECT-TYPE + SYNTAX INTEGER {no(1), yes(2), not-support(3)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " Enable/Disable LIFO POP mode." + ::= { pop 4 } + +enablePriorityPOPmode OBJECT-TYPE + SYNTAX INTEGER {no(1), yes(2), not-support(3)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " Enable/Disable Priority POP mode." 
+ ::= { pop 5 } + +popPriorityList OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Indicate Outlets' power OFF priorities under Priority POP mode. + Outlet Separator ',' + Bank Separator '#' + Assign each priority in each bank by Outlet index or zero (indicate N/A) with separators in ascendant order. + e.g. for model PE8324 ( Bank1: outlet 1 ~ 16, Bank2: outlet 17 ~ 24 ) + If you want to assign priority 2, 5 of Bank 1 with Outlet 14, 3, + and priority 2, 6, 8 with of Bank 2 with Outlet 17, 23, 24 and left the rest with N/A, + please type: 0,14,0,0,3,0,0,0,0,0,0,0,0,0,0,0#0,17,0,0,0,23,0,24 + " + ::= { pop 6} + +-- CAP +enableCAPmode OBJECT-TYPE + SYNTAX INTEGER {no(1), yes(2)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " Enable/Disable CAP mode." + ::= { cap 1 } + +outletCAPTable OBJECT-TYPE + SYNTAX SEQUENCE OF OutletCAPEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Outlet CAP table" + ::= { cap 2 } + +outletCAPEntry OBJECT-TYPE + SYNTAX OutletCAPEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Outlet CAP entry containing CAP info." + INDEX { outletCAPIndex } + ::= { outletCAPTable 1 } + +OutletCAPEntry ::= + SEQUENCE { + outletCAPIndex + INTEGER, + outletCAPPriority + INTEGER + } + +outletCAPIndex OBJECT-TYPE + SYNTAX INTEGER (1..40) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of outlet's CAP configuration" + ::= { outletCAPEntry 1 } + +outletCAPPriority OBJECT-TYPE + SYNTAX INTEGER (0..99) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the CAP Priority of outlet. + Priority 0 means this outlet does not support this OID." + ::= { outletCAPEntry 2 } +-- ontlet control init mode + +outletInitMode OBJECT-TYPE + SYNTAX INTEGER {no-delaytime(1), delaytime(2), not-support(3)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "choose outlet init mode you want." 
+ ::= { device 19 } + +-- outlet sequential reboot by crystal +outletSequentialReboot OBJECT-TYPE + SYNTAX INTEGER { no(1), yes(2), not-support(3) } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " This function is used to enable or disable all outlet ports to sequential reboot. + " + ::= { device 20 } + + +-- integer value + +--deviceIntegerValueTable OBJECT-TYPE +-- SYNTAX SEQUENCE OF DeviceIntegerValueEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "Device value table. This table displays device's current, voltage, power and +-- power dissipation. +-- " +-- ::= { device 99 } + +--deviceIntegerValueEntry OBJECT-TYPE +-- SYNTAX DeviceIntegerValueEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "Single deviceValue entry containing device info." +-- INDEX { deviceIntegerValueIndex } +-- ::= { deviceIntegerValueTable 1 } + +--DeviceIntegerValueEntry ::= +-- SEQUENCE { +-- deviceIntegerValueIndex +-- INTEGER, +-- deviceIntegerCurrent +-- INTEGER, +-- deviceIntegerVoltage +-- INTEGER, +-- deviceIntegerPower +-- INTEGER, +-- deviceIntegerPowerDissipation +-- INTEGER + --inputMaxVoltage + -- INTEGER, + --inputMaxCurrent + -- INTEGER, + --powerCapacity + -- INTEGER + --devicePowerFactor + -- INTEGER +-- } + +--deviceIntegerValueIndex OBJECT-TYPE +-- SYNTAX INTEGER (1) +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Index of deviceValue." +-- ::= { deviceIntegerValueEntry 1 } + +--deviceIntegerCurrent OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Device electric current value. +-- This value indicates that 1,000 times. +-- " +-- ::= { deviceIntegerValueEntry 2 } + +--deviceIntegerVoltage OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Device voltage value. 
+-- This value indicates that 1,000 times +-- " +-- ::= { deviceIntegerValueEntry 3 } + +--deviceIntegerPower OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Device power value. +-- This value indicates that 1,000 times. +-- " +-- ::= { deviceIntegerValueEntry 4 } + +--deviceIntegerPowerDissipation OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Device power dissipation value. +-- This value indicates that 1,000 times +-- " +-- ::= { deviceIntegerValueEntry 5 } + +--inputMaxVoltage OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Device input Voltage value. unit:(V)" +-- ::= { deviceValueEntry 6 } + +--inputMaxCurrent OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Device input Current value. unit:(A)" +-- ::= { deviceValueEntry 7 } + +--powerCapacity OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Device power Capacity value.unit:(VA)" +-- ::= { deviceValueEntry 8 } + +--devicePowerFactor OBJECT-TYPE +-- SYNTAX DisplayString +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Device power Factor value." +-- ::= { deviceValueEntry 9 } +-- + +--sensorIntegerValueTable OBJECT-TYPE +-- SYNTAX SEQUENCE OF SensorIntegerValueEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "Device's sensor value table. This table displays sensor's temperature, humidity and +-- pressure. +-- " +-- ::= { device 100 } + +--sensorIntegerValueEntry OBJECT-TYPE +-- SYNTAX SensorIntegerValueEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "Single device's sensor value entry containing device info." 
+-- INDEX { sensorIntegerValueIndex } +-- ::= { sensorIntegerValueTable 1 } + +--SensorIntegerValueEntry ::= +-- SEQUENCE { +-- sensorIntegerValueIndex +-- INTEGER, +-- sensorIntegerTemperature +-- INTEGER, +-- sensorIntegerHumidity +-- INTEGER, +-- sensorIntegerPressure +-- INTEGER + --sensorIntegerProperty + -- INTEGER +-- } + +--sensorIntegerValueIndex OBJECT-TYPE +-- SYNTAX INTEGER (1..6) +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Index of sensor number." +-- ::= { sensorIntegerValueEntry 1 } + +--sensorIntegerTemperature OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Sensor's Temperature value. +-- This value indicates that 1,000 times. +-- Value -300000 represents empty value." +-- ::= { sensorIntegerValueEntry 2 } + +--sensorIntegerHumidity OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Sensor's Humidity value. +-- This value indicates that 1,000 times. +-- Value -300000 represents empty value." +-- ::= { sensorIntegerValueEntry 3 } + +--sensorIntegerPressure OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Sensor's Pressure value. +-- This value indicates that 1,000 times. +-- Value -300000 represents empty value." +-- ::= { sensorIntegerValueEntry 4 } + +--sensorIntegerProperty OBJECT-TYPE +-- SYNTAX INTEGER { intake(1), exhaust(2), floor(3) } +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Sensor's Property." +-- ::= { sensorIntegerValueEntry 5 } + +-- Device Control End + +-- Outlet Control +outletValueTable OBJECT-TYPE + SYNTAX SEQUENCE OF OutletValueEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Display total outlet value table" + ::= { outlet 1 } + +outletValueEntry OBJECT-TYPE + SYNTAX OutletValueEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Single outletValue entry containing outlet info." 
+ INDEX { outletValueIndex } + ::= { outletValueTable 1 } + +OutletValueEntry ::= + SEQUENCE { + outletValueIndex + INTEGER, + outletCurrent + DisplayString, + outletVoltage + DisplayString, + outletPower + DisplayString, + outletPowerDissipation + DisplayString, + outletMaxCurrent + INTEGER, + outletPowerFactor + DisplayString + } + +outletValueIndex OBJECT-TYPE + SYNTAX INTEGER (1..30) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of outlet number" + ::= { outletValueEntry 1 } +outletCurrent OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Outlet electric current value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { outletValueEntry 2 } +outletVoltage OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Outlet voltage value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { outletValueEntry 3 } +outletPower OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Outlet power value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { outletValueEntry 4 } +outletPowerDissipation OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Outlet power dissipation value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { outletValueEntry 5 } + +outletMaxCurrent OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Outlet Max Current value. unit: (A). + If the device does not support this OID, we show value 0. 
+ " + ::= { outletValueEntry 6 } + +outletPowerFactor OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Outlet Power Factor value. + If the device does not support this OID, it returns: not-support." + ::= { outletValueEntry 7 } + +outlet1Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 1 status. Can't set pending status." + ::= { outlet 2 } + +outlet2Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 2 status. Can't set pending status." + ::= { outlet 3 } +outlet3Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 3 status. Can't set pending status." + ::= { outlet 4 } +outlet4Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 4 status. Can't set pending status." + ::= { outlet 5 } +outlet5Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 5 status. Can't set pending status." + ::= { outlet 6 } +outlet6Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 6 status. Can't set pending status." 
+ ::= { outlet 7 } +outlet7Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 7 status. Can't set pending status." + ::= { outlet 8 } +outlet8Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 8 status. Can't set pending status." + ::= { outlet 9 } + +outlet9Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 9 status. Can't set pending status." + ::= { outlet 11 } + +outlet10Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 10 status. Can't set pending status." + ::= { outlet 12 } + +outlet11Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 11 status. Can't set pending status." + ::= { outlet 13 } + +outlet12Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 12 status. Can't set pending status." + ::= { outlet 14 } + +outlet13Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 13 status. Can't set pending status." 
+ ::= { outlet 15 } + +outlet14Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 14 status. Can't set pending status." + ::= { outlet 16 } + +outlet15Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 15 status. Can't set pending status." + ::= { outlet 17 } + +outlet16Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 16 status. Can't set pending status." + ::= { outlet 18 } + +outlet17Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 17 status. Can't set pending status." + ::= { outlet 19 } + +outlet18Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 18 status. Can't set pending status." + ::= { outlet 20 } + +outlet19Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 19 status. Can't set pending status." + ::= { outlet 21 } + +outlet20Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 20 status. Can't set pending status." 
+ ::= { outlet 22 } + +outlet21Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 21 status. Can't set pending status." + ::= { outlet 23 } + +outlet22Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 22 status. Can't set pending status." + ::= { outlet 24 } + +outlet23Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 23 status. Can't set pending status." + ::= { outlet 25 } + +outlet24Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 24 status. Can't set pending status." + ::= { outlet 26 } + +outlet25Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 25 status. Can't set pending status." + ::= { outlet 27 } + +outlet26Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 26 status. Can't set pending status." + ::= { outlet 28 } + +outlet27Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 27 status. Can't set pending status." 
+ ::= { outlet 29 } + +outlet28Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 28 status. Can't set pending status." + ::= { outlet 30 } + +outlet29Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 29 status. Can't set pending status." + ::= { outlet 31 } + +outlet30Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 30 status. Can't set pending status." + ::= { outlet 32 } + +outlet31Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 31 status. Can't set pending status." + ::= { outlet 33 } + +outlet32Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 32 status. Can't set pending status." + ::= { outlet 34 } + +outlet33Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 33 status. Can't set pending status." + ::= { outlet 35 } + + +outlet34Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 34 status. Can't set pending status." 
+ ::= { outlet 36 } + +outlet35Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 35 status. Can't set pending status." + ::= { outlet 37 } + +outlet36Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 36 status. Can't set pending status." + ::= { outlet 38 } + +outlet37Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 37 status. Can't set pending status." + ::= { outlet 39 } + +outlet38Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 38 status. Can't set pending status." + ::= { outlet 40 } + +outlet39Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 39 status. Can't set pending status." + ::= { outlet 41 } + +outlet40Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 40 status. Can't set pending status." + ::= { outlet 42 } + +outlet41Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 41 status. Can't set pending status." 
+ ::= { outlet 43 } + +outlet42Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 42 status. Can't set pending status." + ::= { outlet 44 } + +-- + +outletSwitchableTable OBJECT-TYPE + SYNTAX SEQUENCE OF OutletSwitchableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + " + " + ::= { outlet 70 } + +outletSwitchableEntry OBJECT-TYPE + SYNTAX OutletSwitchableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "" + INDEX { outletSwitchableIndex } + ::= { outletSwitchableTable 1 } + + OutletSwitchableEntry ::= + SEQUENCE { + outletSwitchableIndex + INTEGER, + outletSwitchable + INTEGER + + } + +outletSwitchableIndex OBJECT-TYPE + SYNTAX INTEGER (1..30) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of outlet number. + " + ::= { outletSwitchableEntry 1 } + +outletSwitchable OBJECT-TYPE + SYNTAX INTEGER {no(1), yes(2) } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " + " + ::= { outletSwitchableEntry 2 } + + +--outlet integer value + +--outletIntegerValueTable OBJECT-TYPE +-- SYNTAX SEQUENCE OF OutletIntegerValueEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "Display total outlet value table" +-- ::= { outlet 99 } + +--outletIntegerValueEntry OBJECT-TYPE +-- SYNTAX OutletIntegerValueEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "Single outletValue entry containing outlet info." 
+-- INDEX { outletIntegerValueIndex } +-- ::= { outletIntegerValueTable 1 } + +--OutletIntegerValueEntry ::= +-- SEQUENCE { +-- outletIntegerValueIndex +-- INTEGER, +-- outletIntegerCurrent +-- INTEGER, +-- outletIntegerVoltage +-- INTEGER, +-- outletIntegerPower +-- INTEGER, +-- outletIntegerPowerDissipation +-- INTEGER +-- } + +--outletIntegerValueIndex OBJECT-TYPE +-- SYNTAX INTEGER (1..30) +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Index of outlet number. +-- " +-- ::= { outletIntegerValueEntry 1 } + +--outletIntegerCurrent OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Outlet electric current value. +-- This value indicates that 1,000 times. +-- " +-- ::= { outletIntegerValueEntry 2 } + +--outletIntegerVoltage OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Outlet voltage value. +-- This value indicates that 1,000 times. +-- " +-- ::= { outletIntegerValueEntry 3 } + +--outletIntegerPower OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Outlet power value. +-- This value indicates that 1,000 times." +-- ::= { outletIntegerValueEntry 4 } + +--outletIntegerPowerDissipation OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Outlet power dissipation value. +-- This value indicates that 1,000 times." +-- ::= { outletIntegerValueEntry 5 } + + + + + +outletConfigTable OBJECT-TYPE + SYNTAX SEQUENCE OF OutletConfigEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Outlet configuration table" + ::= { outlet 10 } + +outletConfigEntry OBJECT-TYPE + SYNTAX OutletConfigEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Outlet Config entry containing outlet info." 
+ INDEX { outletConfigIndex } + ::= { outletConfigTable 1 } + +OutletConfigEntry ::= + SEQUENCE { + outletConfigIndex + INTEGER, + outletName + DisplayString, + outletConfirmation + INTEGER, + outletOnDelayTime + INTEGER, + outletOffDelayTime + INTEGER, + outletShutdownMethod + INTEGER, + outletMAC + DisplayString, + outletMinCurMT + INTEGER, + outletMaxCurMT + INTEGER, + outletMinVolMT + INTEGER, + outletMaxVolMT + INTEGER, + outletMinPMT + INTEGER, + outletMaxPMT + INTEGER, + outletMaxPDMT + INTEGER, + outletLocalAccessLock + INTEGER +-- outletAlwaysON +-- INTEGER + } + +outletConfigIndex OBJECT-TYPE + SYNTAX INTEGER (1..30) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of outlet number" + ::= { outletConfigEntry 1 } +outletName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the name of outlet. + If the device does not support this OID, we show n/a. + string length: 0~48 + NOTE: Input string as /empty to set this object to NULL. + " + ::= { outletConfigEntry 2 } +outletConfirmation OBJECT-TYPE + SYNTAX INTEGER { no(1), yes(2) , noauth(3), not-support(4)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the confirmation of outlet." + ::= { outletConfigEntry 3 } +outletOnDelayTime OBJECT-TYPE + SYNTAX INTEGER (0..999 | -1) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the ON delay time of outlet. + When this model does not support the OID, we show value -1. " + ::= { outletConfigEntry 4 } +outletOffDelayTime OBJECT-TYPE + SYNTAX INTEGER (0..999 | -1) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the OFF delay time of outlet. + When this model does not support the OID, we show value -1. 
" + ::= { outletConfigEntry 5 } +outletShutdownMethod OBJECT-TYPE + SYNTAX INTEGER { kill-the-power(1), wake-on-lan(2), after-ac-back(3), not-support(4)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the shutdown mehtod of outlet." + ::= { outletConfigEntry 6 } +outletMAC OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the MAC address of ShutdownMethod. + If the device does not support this OID, we show n/a. + string length: 12 + " + ::= { outletConfigEntry 7 } +outletMinCurMT OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet minimum electric current measurment threshold. + Example: range 0.0 ~16.0 rerpresnts 0~160 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { outletConfigEntry 8 } +outletMaxCurMT OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet maximum electric current measurment threshold. + Example: range 0.0 ~16.0 represents 0~160 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { outletConfigEntry 9 } + +outletMinVolMT OBJECT-TYPE + SYNTAX INTEGER (900..2600 | -3000 | -2000000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet minimum voltage measurment threshold. + Example: range 90.0 ~260.0 represents 900~2600 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." 
+ ::= { outletConfigEntry 10 } +outletMaxVolMT OBJECT-TYPE + SYNTAX INTEGER (900..2600 | -3000 | -2000000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet maximum voltage measurment threshold. + Example: range 90.0 ~260.0 represents 900~2600 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { outletConfigEntry 11 } + +outletMinPMT OBJECT-TYPE + SYNTAX INTEGER (0..99999 | -3000 | -2000000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet minimum power measurment threshold. + Example: range 0.0 ~ 9999.9 represents 0~99999 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { outletConfigEntry 12 } +outletMaxPMT OBJECT-TYPE + SYNTAX INTEGER (0..99999 | -3000 | -2000000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet maximum power measurment threshold. + Example: range 0.0 ~ 9999.9 represents 0~99999 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { outletConfigEntry 13 } + +outletMaxPDMT OBJECT-TYPE + SYNTAX INTEGER (0..999990 | -3000 | -2000000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet maximum power dissipation measurment threshold. + Example: range 0.0 ~ 99999.0 represents 0~999990 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." 
+ ::= { outletConfigEntry 14 } + +outletLocalAccessLock OBJECT-TYPE + SYNTAX INTEGER {unlocked(1), locked(2), not-support(3)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Whether local access of Outlet is locked by remote or not." + ::= { outletConfigEntry 15} + +--outletAlwaysON OBJECT-TYPE +-- SYNTAX INTEGER {no(1), yes(2), not-support(3)} +-- MAX-ACCESS read-write +-- STATUS current +-- DESCRIPTION +-- "Whether the outlet is always ON or not." +-- ::= { outletConfigEntry 16 } + +-- Outlet Control End +-- Bank control +breakerStatusTable OBJECT-TYPE + SYNTAX SEQUENCE OF BreakerStatusEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Display total bank value table" + ::= { bank 1 } + +breakerStatusEntry OBJECT-TYPE + SYNTAX BreakerStatusEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Single bankValue entry containing bank info." + INDEX { breakerStatusIndex } + ::= { breakerStatusTable 1 } + +BreakerStatusEntry ::= + SEQUENCE { + breakerStatusIndex + INTEGER, + breakerStatus + INTEGER + } + +breakerStatusIndex OBJECT-TYPE + SYNTAX INTEGER (1..30) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of breaker number." + ::= { breakerStatusEntry 1 } + +breakerStatus OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), not-support(3)} + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Breaker status." + ::= { breakerStatusEntry 2 } + + +bankValueTable OBJECT-TYPE + SYNTAX SEQUENCE OF BankValueEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Display total bank value table" + ::= { bank 2 } + +bankValueEntry OBJECT-TYPE + SYNTAX BankValueEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Single bankValue entry containing bank info." 
+ INDEX { bankValueIndex } + ::= { bankValueTable 1 } + +BankValueEntry ::= + SEQUENCE { + bankValueIndex + INTEGER, + bankCurrent + DisplayString, + bankVoltage + DisplayString, + bankPower + DisplayString, + bankPowerDissipation + DisplayString, + bankMaxCurrent + INTEGER, + bankAttachStatus + INTEGER, + bankPowerFactor + DisplayString + } + +bankValueIndex OBJECT-TYPE + SYNTAX INTEGER (1..30) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of bank number" + ::= { bankValueEntry 1 } +bankCurrent OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Bank electric current value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { bankValueEntry 2 } +bankVoltage OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Bank voltage value. + We put this OID to write access type for user to set the reference voltage on EC1000 model. + And the setting should be the numbers. You can set 0 to clear the setting. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { bankValueEntry 3 } + +bankPower OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Bank power value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { bankValueEntry 4 } + +bankPowerDissipation OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Bank power dissipation value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { bankValueEntry 5 } + + +bankMaxCurrent OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The Bank Max Current value. 
unit: (A) + EC1000:0A~320A + " + ::= { bankValueEntry 6 } + +bankAttachStatus OBJECT-TYPE + SYNTAX INTEGER { noattached(1), attached(2), error(3), noexisted(4) } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The status of Energy sensor Bank attached status." + ::= { bankValueEntry 7 } + +bankPowerFactor OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Bank Power Factor value. + If the device does not support this OID, it returns: not-support." + ::= { bankValueEntry 8 } + +bankConfigTable OBJECT-TYPE + SYNTAX SEQUENCE OF BankConfigEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Bank configuration table" + ::= { bank 3 } + +bankConfigEntry OBJECT-TYPE + SYNTAX BankConfigEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Bank Config entry containing Bank info." + INDEX { bankConfigIndex } + ::= { bankConfigTable 1 } + +BankConfigEntry ::= + SEQUENCE { + bankConfigIndex + INTEGER, + bankName + DisplayString, + bankMinCurMT + INTEGER, + bankMaxCurMT + INTEGER, + + bankMinVolMT + INTEGER, + bankMaxVolMT + INTEGER, + + bankMinPMT + INTEGER, + bankMaxPMT + INTEGER, + --outletMinPDMT + --INTEGER, + bankMaxPDMT + INTEGER + --outletCurFlu + --INTEGER, + --outletVolFlu + --INTEGER, + --outletPFlu + --INTEGER + --outletPDFlu + --INTEGER + } + +bankConfigIndex OBJECT-TYPE + SYNTAX INTEGER (1..30) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of bank number" + ::= { bankConfigEntry 1 } + +bankName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the name of bank. + When this model does not support the OID, we show n/a. + string length: 0~15 + NOTE: Input string as /empty to set this object to NULL. + " + ::= { bankConfigEntry 2 } + + +bankMinCurMT OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet minimum electric current measurment threshold. 
+ Example: range 0.0 ~16.0 rerpresnts 0~160 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { bankConfigEntry 3 } + +bankMaxCurMT OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet maximum electric current measurment threshold. + Example: range 0.0 ~16.0 represents 0~160 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { bankConfigEntry 4} + +bankMinVolMT OBJECT-TYPE + SYNTAX INTEGER (900..2600 | -3000 | -2000000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet minimum voltage measurment threshold. + Example: range 90.0 ~260.0 represents 900~2600 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { bankConfigEntry 5 } +bankMaxVolMT OBJECT-TYPE + SYNTAX INTEGER (900..2600 | -3000 | -2000000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet maximum voltage measurment threshold. + Example: range 90.0 ~260.0 represents 900~2600 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { bankConfigEntry 6 } + +bankMinPMT OBJECT-TYPE + SYNTAX INTEGER (0..99999| -3000 | -2000000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet minimum power measurment threshold. + Example: range 0.0 ~ 9999.9 represents 0~99999 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." 
+ ::= { bankConfigEntry 7 }
+bankMaxPMT OBJECT-TYPE
+ SYNTAX INTEGER (0..99999 | -3000 | -2000000)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set the outlet maximum power measurment threshold.
+ Example: range 0.0 ~ 9999.9 represents 0~99999
+ NOTICE: Minimum threshold should be smaller than maximum threshold.
+ Empty value: -3000.
+ If the device does not support this OID, it returns value -2000000."
+ ::= { bankConfigEntry 8 }
+
+--outletMinPDMT OBJECT-TYPE
+ --SYNTAX INTEGER (0..100)
+ --MAX-ACCESS read-write
+ --STATUS current
+ --DESCRIPTION
+ -- "Display or set the outlet minimum power dissipation measurment threshold ."
+ --::= { outletConfigEntry 14 }
+
+bankMaxPDMT OBJECT-TYPE
+ SYNTAX INTEGER (0..999990 | -3000 | -2000000)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set the outlet maximum power dissipation measurment threshold.
+ Example: range 0.0 ~ 99999.0 represents 0~999990
+ NOTICE: Minimum threshold should be smaller than maximum threshold.
+ Empty value: -3000.
+ If the device does not support this OID, it returns value -2000000."
+ ::= { bankConfigEntry 9 }
+
+
+bankControlTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF BankControlEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Bank Control table"
+ ::= { bank 4 }
+
+bankControlEntry OBJECT-TYPE
+ SYNTAX BankControlEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Bank control entry."
+ INDEX { bankControlIndex }
+ ::= { bankControlTable 1 }
+
+BankControlEntry ::=
+ SEQUENCE {
+ bankControlIndex
+ INTEGER,
+ bankControlStatus
+ INTEGER
+ }
+
+bankControlIndex OBJECT-TYPE
+ SYNTAX INTEGER (1..4)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Index of bank number"
+ ::= { bankControlEntry 1 }
+
+bankControlStatus OBJECT-TYPE
+ SYNTAX INTEGER {off(1), on(2), reboot(3), nostatus(4), not-support(5)}
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ " This function is used for outlet control of bank.
+ Set off(1) to turn off for outlet control of bank.
+ Set on(2) to turn on for all outlet control of bank.
+ Set reboot(3) to turn on for outlet control of bank.
+ Get this object always return nostatus(3), because there is no bank status.
+ "
+ ::= { bankControlEntry 2 }
+
+-- Bank control End
+
+
+--bankIntegerValueTable OBJECT-TYPE
+-- SYNTAX SEQUENCE OF BankIntegerValueEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Display total bank value table"
+-- ::= { bank 99 }
+
+--bankIntegerValueEntry OBJECT-TYPE
+-- SYNTAX BankIntegerValueEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Single bankValue entry containing bank info."
+-- INDEX { bankIntegerValueIndex }
+-- ::= { bankIntegerValueTable 1 }
+
+--BankIntegerValueEntry ::=
+-- SEQUENCE {
+-- bankIntegerValueIndex
+-- INTEGER,
+-- bankIntegerCurrent
+-- INTEGER,
+-- bankIntegerVoltage
+-- INTEGER,
+-- bankIntegerPower
+-- INTEGER,
+-- bankIntegerPowerDissipation
+-- INTEGER
+ --bankIntegerMaxCurrent
+ -- INTEGER,
+ --bankIntegerAttachStatus
+ -- INTEGER,
+ --bankIntegerPowerFactor
+ --INTEGER
+-- }
+
+--bankIntegerValueIndex OBJECT-TYPE
+-- SYNTAX INTEGER (1..30)
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Index of bank number.
+-- "
+-- ::= { bankIntegerValueEntry 1 }
+
+--bankIntegerCurrent OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Bank electric current value.
+-- This value indicates that 1,000 times."
+-- ::= { bankIntegerValueEntry 2 }
+--bankIntegerVoltage OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Bank voltage value.
+-- This value indicates that 1,000 times."
+-- ::= { bankIntegerValueEntry 3 }
+
+--bankIntegerPower OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Bank power value.
+-- This value indicates that 1,000 times."
+-- ::= { bankIntegerValueEntry 4 }
+
+--bankIntegerPowerDissipation OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Bank power dissipation value.
+-- This value indicates that 1,000 times."
+-- ::= { bankIntegerValueEntry 5 }
+
+
+--bankMaxCurrent OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "The Bank Max Current value. unit: (A)
+-- EC1000:0A~320A
+-- "
+-- ::= { bankValueEntry 6 }
+
+--bankAttachStatus OBJECT-TYPE
+-- SYNTAX INTEGER { noattached(1), attached(2), error(3) }
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "The status of Energy sensor Bank attached status."
+-- ::= { bankValueEntry 7 }
+
+--bankPowerFactor OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Bank Power Factor value"
+-- ::= { bankValueEntry 8 }
+
+
+
+-- Device Management
+deviceMAC OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Display device MAC address."
+ ::= { config 1 }
+
+deviceIPv4 OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Display device IP address."
+ ::= { config 2 }
+
+deviceFWversion OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Display device FW version."
+ ::= { config 3 }
+
+-- dashboard settings
+dashboardRow OBJECT-TYPE
+ SYNTAX INTEGER (1..26)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set device's dashboard row number."
+ ::= { dashBoard 1 }
+
+dashboardColumn OBJECT-TYPE
+ SYNTAX INTEGER (1..26)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set device's dashboard column number."
+ ::= { dashBoard 2 }
+
+dashboardRackName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set device's dashboard rack name.
+ string length: 1~32
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { dashBoard 3 }
+
+httpPort OBJECT-TYPE
+ SYNTAX INTEGER (1..65535)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set the HTTP port of PE device."
+ ::= { servicePorts 1 }
+
+httpsPort OBJECT-TYPE
+ SYNTAX INTEGER (1..65535)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set the HTTPs port of PE device."
+ ::= { servicePorts 2 }
+
+httpsOnlyEnable OBJECT-TYPE
+ SYNTAX INTEGER {yes(1), no(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Enable to use Webpage HTTPs only or disable to use Webpage HTTP/HTTPs"
+ ::= { servicePorts 3 }
+
+
+
+staticIPEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set IPv4 address automatically or not"
+ ::= { ipv4config 1 }
+fixedIPv4 OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set fixed IPv4 address"
+ ::= { ipv4config 2 }
+subnetMask OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set subnet mask address"
+ ::= { ipv4config 3 }
+gateway OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set gateway address"
+ ::= { ipv4config 4 }
+staticDNSEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set DNS address automatically or not"
+ ::= { ipv4config 5 }
+dnsPreferIPv4 OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set prefer DNS address"
+ ::= { ipv4config 6 }
+dnsAlternateIPv4 OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set alternate DNS address"
+ ::= { ipv4config 7 }
+
+trapEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Indicates if this trap entry is enabled or not.
+ You should set the username/auth-password/priv-password first, when choosing snmpv3.
+ You should set the community string first, when choosing snmpv1/v2c."
+ ::= { devicesnmp 1 }
+
+trapVersion OBJECT-TYPE
+ SYNTAX INTEGER { v1(1), v2c(2), v3(3)}
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ " Choose SNMP Trap version to send trap.
+ You should set the username/auth-password/priv-password first, when choosing snmpv3.
+ You should set the community string first, when choosing snmpv1/v2c."
+ ::= { devicesnmp 2 }
+
+snmpTrapTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SnmpTrapEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "PE SNMP agent trap setup table. If users want to use trap,
+ they must set enable trap, ip and community first."
+ ::= { devicesnmp 3 }
+
+snmpTrapEntry OBJECT-TYPE
+ SYNTAX SnmpTrapEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Single trap entry containing trap receiver info."
+ INDEX { trapReceiverNumber }
+ ::= { snmpTrapTable 1 }
+
+SnmpTrapEntry ::=
+ SEQUENCE {
+ trapReceiverNumber
+ INTEGER,
+ --trapEnabled
+ --INTEGER,
+ trapReceiverIPAddress
+ IpAddress,
+ --trapCommunity
+ --DisplayString,
+ trapPort
+ INTEGER,
+ trapCommunity
+ DisplayString,
+ trapUsername
+ DisplayString,
+ trapAuthpassword
+ DisplayString,
+ trapPrivpassword
+ DisplayString
+ }
+
+trapReceiverNumber OBJECT-TYPE
+ SYNTAX INTEGER (1..2)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Index of trap receiver"
+ ::= { snmpTrapEntry 1 }
+
+
+
+trapReceiverIPAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Trap receiver IP address"
+ ::= { snmpTrapEntry 2 }
+
+
+trapPort OBJECT-TYPE
+ SYNTAX INTEGER (1..65535)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "NMS trap port to be used by agent to send trap"
+ ::= { snmpTrapEntry 3 }
+
+trapCommunity OBJECT-TYPE
+ SYNTAX DisplayString (SIZE (0..20))
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "If use SNMPv1/v2c to receive trap should set this Community string.
+ MAX string length: 20
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { snmpTrapEntry 4 }
+trapUsername OBJECT-TYPE
+ SYNTAX DisplayString (SIZE (0..20))
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "If use SNMPv3 to receive trap should set this string.
+ NOTE: Input string as /empty to set this object to NULL.
+ MAX string length: 20
+ "
+ ::= { snmpTrapEntry 5 }
+trapAuthpassword OBJECT-TYPE
+ SYNTAX DisplayString (SIZE (8..20))
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "If use SNMPv3 to receive trap should set this string.
+ MAX string length: 20
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { snmpTrapEntry 6 }
+trapPrivpassword OBJECT-TYPE
+ SYNTAX DisplayString (SIZE (8..20))
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "If use SNMPv3 to receive trap should set this string.
+ MAX string length: 20
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { snmpTrapEntry 7 }
+
+
+--privacypassword OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "SNMPv3 privacy password to be used by agent to send trap
+-- string length: 8~20
+-- "
+-- ::= { devicesnmp 4 }
+
+--engineID OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "EngineID"
+-- ::= { devicesnmp 5 }
+--engineBoot OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "EngineBoot"
+-- ::= { devicesnmp 6 }
+--engineTime OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "EngineTime"
+-- ::= { devicesnmp 7 }
+--engineMaxMSG OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "EngineMaxMSG"
+-- ::= { devicesnmp 8 }
+sysLogServerEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set syslog server address automatically or not"
+ ::= { syslog 1 }
+sysLogServerIPv4 OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set syslog server address"
+ ::= { syslog 2 }
+sysLogServerPort OBJECT-TYPE
+ SYNTAX INTEGER (1..65535)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set syslog server port"
+ ::= { syslog 3 }
+
+smtpServerEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set SMTP server enable status."
+ ::= { smtp 1 }
+smtpServerName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set a SMTP server name.
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { smtp 2 }
+smtpAuthEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set authentication of SMTP server."
+ ::= { smtp 3 }
+smtpAccountName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set a user's name of SMTP server.
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { smtp 4 }
+smtpAccountPwd OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set a user's password of SMTP server.
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { smtp 5 }
+smtpMailFrom OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set a mail of SMTP server.
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { smtp 6 }
+smtpMailTo OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set a mail of SMTP server.
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { smtp 7 }
+smtpPort OBJECT-TYPE
+ SYNTAX INTEGER (1..65535)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set SMTP server port"
+ ::= { smtp 8 }
+
+--
+
+configurationNotifyEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ " "
+ ::= { configurationNotification 1 }
+
+configurationNotifyTrapMSG NOTIFICATION-TYPE
+ STATUS current
+ --OBJECTS { customTrapMSG }
+ DESCRIPTION " "
+ ::= { configurationNotification 2 }
+
+
+--
+timeZoneSetting OBJECT-TYPE
+ SYNTAX INTEGER
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set the time zone of PE device.
+ (0) [GMT-12:00] Eniwetok Kwajalein
+ (1) [GMT-11:00] Midway Island Samoa
+ (2) [GMT-10:00] Hawaii
+ (3) [GMT-09:00] Alaska
+ (4) [GMT-08:00] Pacific Time (US & Canada); Tijuana
+ (5) [GMT-07:00] Mountain Time (US & Canada)
+ (6) [GMT-07:00] Arizona
+ (7) [GMT-06:00] Central Time (US & Canada)
+ (8) [GMT-06:00] Mexico City
+ (9) [GMT-06:00] Saskatchewan
+ (10)[GMT-06:00] Central America
+ (11)[GMT-05:00] Eastern Time (US & Canada)
+ (12)[GMT-05:00] Indiana (East)
+ (13)[GMT-05:00] Bogota Lima Quito
+ (14)[GMT-04:00] Atlantic Time (Canada)
+ (15)[GMT-04:00] Caracas La Paz
+ (16)[GMT-04:00] Santiago
+ (17)[GMT-03:30] Newfoundland
+ (18)[GMT-03:00] Buenos Aires Georgetown
+ (19)[GMT-03:00] Brasilia
+ (20)[GMT-03:00] Greenland
+ (21)[GMT-02:00] Mid-Atlantic
+ (22)[GMT-01:00] Azores
+ (23)[GMT-01:00] Cape Verde Is
+ (24)[GMT] Casablanca Monrovia
+ (25)[GMT] Greenwich Mean Time: Dublin Edinburgh Lisbon London
+ (26)[GMT+01:00] Amsterdam Copenhagen Madrid Paris Vilnius
+ (27)[GMT+01:00] West Central Africa
+ (28)[GMT+01:00] Belgrade Sarajevo Skopje Sofija Zagreb
+ (29)[GMT+01:00] Bratislava Budapest Ljubljana Prague Warsaw
+ (30)[GMT+01:00] Brussels Berlin Bern Rome Stockholm Vienna
+ (31)[GMT+02:00] Cairo
+ (32)[GMT+02:00] Harare Pretoria
+ (33)[GMT+02:00] Jerusalem
+ (34)[GMT+02:00] Bucharest
+ (35)[GMT+02:00] Helsinki Riga Tallinn
+ (36)[GMT+02:00] Athens Istanbul Minsk
+ (37)[GMT+03:00] Kuwait Riyadh
+ (38)[GMT+03:00] Nairobi
+ (39)[GMT+03:00] Baghdad
+ (40)[GMT+03:00] Moscow St.
Petersburg Volgograd
+ (41)[GMT+03:30] Tehran
+ (42)[GMT+04:00] Abu Dhabi Muscat
+ (43)[GMT+04:00] Baku Tbilisi Yerevan
+ (44)[GMT+04:30] Kabul
+ (45)[GMT+05:00] Islamabad Karachi Tashkent
+ (46)[GMT+05:00] Ekaterinburg
+ (47)[GMT+05:30] Calcutta Chennai Mumbai New Delhi
+ (48)[GMT+05:45] Kathmandu
+ (49)[GMT+06:00] Astana Dhaka
+ (50)[GMT+06:00] Sri Jayawardenepura
+ (51)[GMT+06:00] Almaty Novosibirsk
+ (52)[GMT+06:30] Rangoon
+ (53)[GMT+07:00] Bangkok Hanoi Jakarta
+ (54)[GMT+07:00] Krasnoyarsk
+ (55)[GMT+08:00] Beijing Chongqing Hong Kong Urumqi
+ (56)[GMT+08:00] Perth
+ (57)[GMT+08:00] Kuala Lumpur Singapore
+ (58)[GMT+08:00] Taipei
+ (59)[GMT+08:00] Irkutsk Ulaan Bataar
+ (60)[GMT+09:00] Osaka Sapporo Tokyo
+ (61)[GMT+09:00] Seoul
+ (62)[GMT+09:00] Yakutsk
+ (63)[GMT+09:30] Darwin
+ (64)[GMT+09:30] Adelaide
+ (65)[GMT+10:00] Canberra Melbourne Sydney
+ (66)[GMT+10:00] Brisbane
+ (67)[GMT+10:00] Guam Port Moresby
+ (68)[GMT+10:00] Hobart
+ (69)[GMT+10:00] Vladivostok
+ (70)[GMT+11:00] Magadan Solomon Is New Caledonia
+ (71)[GMT+12:00] Fiji Kamchatka Marshall Is.
+ (72)[GMT+12:00] Auckland Wellington
+ (73)[GMT+13:00] Nuku'alofa
+ "
+ ::= { timeZone 1 }
+
+dstEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set daylight savings time ."
+ ::= { timeZone 2 }
+
+dateSetting OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set date in a manual way.(This is Greenwich Mean Time, GMT)
+ string length: 10
+ This value format must match the following form:
+ YYYY-MM-DD
+ ex.
2011-01-01
+ Note: range of year: 2000-2099
+ range of month: 01-12
+ range of day: 01-31
+ "
+ ::= { manualInput 1 }
+
+timeSetting OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set time in a manual way.(This is Greenwich Mean Time, GMT)
+ string length: 8
+ This value format must match the following form:
+ HH:MM:SS
+ ex. 02:02:02
+ Note: range of hour: 00-24
+ range of minute: 00-60
+ range of second: 00-60
+
+ "
+ ::= { manualInput 2 }
+
+--syncWithPC OBJECT-TYPE
+-- SYNTAX INTEGER { no(1), yes(2) }
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "Display or set date time useing sync PC way."
+-- ::= { manualInput 3 }
+
+autoAdjustEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set date time useing auto adjustment way."
+ ::= { networkTime 1 }
+
+preferNTP OBJECT-TYPE
+ SYNTAX INTEGER
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set prefer NTP server.
+ AU | ntp1.cs.mu.OZ.AU(0),
+ AU | ntp0.cs.mu.OZ.AU(1),
+ BE | ntp2.oma.be(2),
+ BE | ntp1.oma.be(3),
+ BR | ntps1.pads.ufrj.br(4),
+ CH | swisstime.ethz.ch(5),
+ CL | ntp.shoa.cl(6),
+ CZ | ntp.nic.cz(7),
+ DE | ntp.stairweb.de(8),
+ DE | ntps1-0.cs.tu-berlin.de(9),
+ DE | ptbtime1.ptb.de(10),
+ DE | ntp1.fau.de(11),
+ DE | ptbtime2.ptb.de(12),
+ DE | time1.one4vision.de(13),
+ DE | rustime01.rus.uni-stuttgart.de(14),
+ DE | ntp.probe-networks.de(15),
+ DE | ntp2.fau.de(16),
+ ES | hora.roa.es(17),
+ HK | stdtime.gov.hk(18),
+ IE | ntp-galway.hea.net(19),
+ IT | ntp1.inrim.it(20),
+ IT | ntp2.inrim.it(21),
+ JP | clock.tl.fukuoka-u.ac.jp(22),
+ JP | ntp.nict.jp(23),
+ JP | clock.nc.fukuoka-u.ac.jp(24),
+ KR | ntp.xbsd.kr(25),
+ MX | cronos.cenam.mx(26),
+ NL | ntp0.nl.uu.net(27),
+ NL | ntp1.nl.uu.net(28),
+ NL | ntp.remco.org(29),
+ NL | ntp0.nl.net(30),
+ PL | vega.cbk.poznan.pl(31),
+ PL | ntp.ntp-servers.com(32),
+ RO | ntp3.usv.ro(33),
+ RO | ntp2.usv.ro(34),
+ RU | ntp1.vniiftri.ru; ntp1.imvp.ru(35),
+ RU | ntp2.vniiftri.ru; ntp2.imvp.ru(36),
+ SE | ntp1.mmo.netnod.se(37),
+ SE | ntp1.sth.netnod.se(38),
+ SE | ntp2.mmo.netnod.se(39),
+ SE | ntp2.sth.netnod.se(40),
+ SE | time2.stupi.se(41),
+ SE | ntp1.sp.se(42),
+ SE | timehost.lysator.liu.se(43),
+ SI | ntp.mostovna.com(44),
+ US CA | timekeeper.isi.edu(45),
+ US CA | clock.sjc.he.net(46),
+ US CA | nist1.symmetricom.com(47),
+ US CA | clock.via.net(48),
+ US CA | nist1.aol-ca.truetime.com(49),
+ US CA | clock.isc.org(50),
+ US CA | clepsydra.dec.com(51),
+ US CA | gps.layer42.net(52),
+ US CA | time.no-such-agency.net(53),
+ US CA | nist1-sj.WiTime.net(54),
+ US CA | clock.fmt.he.net(55),
+ US CO | time-b.timefreq.bldrdoc.gov(56),
+ US CO | time-a.timefreq.bldrdoc.gov(57),
+ US CO | utcnist.colorado.edu(58),
+ US CO | time-c.timefreq.bldrdoc.gov(59),
+ US DE | rackety.udel.edu(60),
+ US DE | mizbeaver.udel.edu(61),
+ US GA | nist1.columbiacountyga.gov(62),
+ US IL | ntp.your.org(63),
+ US MA | 
bonehed.lcs.mit.edu(64),
+ US MA | time.keneli.org(65),
+ US MA | ntp0.broad.mit.edu(66),
+ US MD | time-a.nist.gov(67),
+ US MD | time-b.nist.gov(68),
+ US MI | nist.netservicesgroup.com(69),
+ US NY | nist1-ny.WiTime.net(70),
+ US NY | clock.nyc.he.net(71),
+ US UT | time.xmission.com(72),
+ US VA | nist1-dc.WiTime.net(73),
+ US VA | nist1.aol-va.truetime.com(74),
+ US WA | time-nw.nist.gov(75),
+ FR | utp.univ-lyon1.fr(76),
+ FR | ntp-sop.inria.fr(77),
+ FR | ntp.tuxfamily.net(78),
+ UK | bear.zoo.bt.co.uk(79)
+ "
+ ::= { networkTime 2 }
+
+preferServerIPenable OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Enable or disable prefer custom server IP."
+ ::= { networkTime 3 }
+
+preferNTPIp OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set prefer NTP server IP."
+ ::= { networkTime 4 }
+
+alternateNtpEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set date time using alternate NTP server."
+ ::= { networkTime 5 }
+
+alternateNtp OBJECT-TYPE
+ SYNTAX INTEGER
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set alternative NTP server.
+ AU | ntp1.cs.mu.OZ.AU(0),
+ AU | ntp0.cs.mu.OZ.AU(1),
+ BE | ntp2.oma.be(2),
+ BE | ntp1.oma.be(3),
+ BR | ntps1.pads.ufrj.br(4),
+ CH | swisstime.ethz.ch(5),
+ CL | ntp.shoa.cl(6),
+ CZ | ntp.nic.cz(7),
+ DE | ntp.stairweb.de(8),
+ DE | ntps1-0.cs.tu-berlin.de(9),
+ DE | ptbtime1.ptb.de(10),
+ DE | ntp1.fau.de(11),
+ DE | ptbtime2.ptb.de(12),
+ DE | time1.one4vision.de(13),
+ DE | rustime01.rus.uni-stuttgart.de(14),
+ DE | ntp.probe-networks.de(15),
+ DE | ntp2.fau.de(16),
+ ES | hora.roa.es(17),
+ HK | stdtime.gov.hk(18),
+ IE | ntp-galway.hea.net(19),
+ IT | ntp1.inrim.it(20),
+ IT | ntp2.inrim.it(21),
+ JP | clock.tl.fukuoka-u.ac.jp(22),
+ JP | ntp.nict.jp(23),
+ JP | clock.nc.fukuoka-u.ac.jp(24),
+ KR | ntp.xbsd.kr(25),
+ MX | cronos.cenam.mx(26),
+ NL | ntp0.nl.uu.net(27),
+ NL | ntp1.nl.uu.net(28),
+ NL | ntp.remco.org(29),
+ NL | ntp0.nl.net(30),
+ PL | vega.cbk.poznan.pl(31),
+ PL | ntp.ntp-servers.com(32),
+ RO | ntp3.usv.ro(33),
+ RO | ntp2.usv.ro(34),
+ RU | ntp1.vniiftri.ru; ntp1.imvp.ru(35),
+ RU | ntp2.vniiftri.ru; ntp2.imvp.ru(36),
+ SE | ntp1.mmo.netnod.se(37),
+ SE | ntp1.sth.netnod.se(38),
+ SE | ntp2.mmo.netnod.se(39),
+ SE | ntp2.sth.netnod.se(40),
+ SE | time2.stupi.se(41),
+ SE | ntp1.sp.se(42),
+ SE | timehost.lysator.liu.se(43),
+ SI | ntp.mostovna.com(44),
+ US CA | timekeeper.isi.edu(45),
+ US CA | clock.sjc.he.net(46),
+ US CA | nist1.symmetricom.com(47),
+ US CA | clock.via.net(48),
+ US CA | nist1.aol-ca.truetime.com(49),
+ US CA | clock.isc.org(50),
+ US CA | clepsydra.dec.com(51),
+ US CA | gps.layer42.net(52),
+ US CA | time.no-such-agency.net(53),
+ US CA | nist1-sj.WiTime.net(54),
+ US CA | clock.fmt.he.net(55),
+ US CO | time-b.timefreq.bldrdoc.gov(56),
+ US CO | time-a.timefreq.bldrdoc.gov(57),
+ US CO | utcnist.colorado.edu(58),
+ US CO | time-c.timefreq.bldrdoc.gov(59),
+ US DE | rackety.udel.edu(60),
+ US DE | mizbeaver.udel.edu(61),
+ US GA | nist1.columbiacountyga.gov(62),
+ US IL | ntp.your.org(63),
+ US MA | 
bonehed.lcs.mit.edu(64),
+ US MA | time.keneli.org(65),
+ US MA | ntp0.broad.mit.edu(66),
+ US MD | time-a.nist.gov(67),
+ US MD | time-b.nist.gov(68),
+ US MI | nist.netservicesgroup.com(69),
+ US NY | nist1-ny.WiTime.net(70),
+ US NY | clock.nyc.he.net(71),
+ US UT | time.xmission.com(72),
+ US VA | nist1-dc.WiTime.net(73),
+ US VA | nist1.aol-va.truetime.com(74),
+ US WA | time-nw.nist.gov(75),
+ FR | utp.univ-lyon1.fr(76),
+ FR | ntp-sop.inria.fr(77),
+ FR | ntp.tuxfamily.net(78),
+ UK | bear.zoo.bt.co.uk(79)
+ "
+ ::= { networkTime 6 }
+
+alternateServerIPenable OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Enable or disable alternate custom server IP."
+ ::= { networkTime 7 }
+
+alternateNtpIp OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set alternative NTP server IP."
+ ::= { networkTime 8 }
+
+adjustTimeEveryDays OBJECT-TYPE
+ SYNTAX INTEGER
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set frequency of adjustment in days."
+ ::= { networkTime 9 }
+
+--adjustTimeNow OBJECT-TYPE
+ --SYNTAX INTEGER { no(1), yes(2) }
+ --MAX-ACCESS read-write
+ --STATUS current
+ --DESCRIPTION
+ -- "Adjust time using NTP server."
+ --::= { networkTime 8 }
+
+loginAllowTimes OBJECT-TYPE
+ SYNTAX INTEGER (1..99)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set time of login faliure."
+ ::= { loginFailures 1 }
+
+loginTimeOut OBJECT-TYPE
+ SYNTAX INTEGER (1..240)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set login time out."
+ ::= { loginFailures 2 }
+
+icmpEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set status of ICMP."
+ ::= { workingMode 1 }
+
+--multiUserEnabled OBJECT-TYPE
+ --SYNTAX INTEGER { no(1), yes(2) }
+ --MAX-ACCESS read-write
+ --STATUS current
+ --DESCRIPTION
+ -- "Display or set status of multi-user operation."
+ --::= { workingMode 2 }
+
+--browserEnabled OBJECT-TYPE
+ --SYNTAX INTEGER { no(1), yes(2) }
+ --MAX-ACCESS read-write
+ --STATUS current
+ --DESCRIPTION
+ -- "Display or set status of browser."
+ --::= { workingMode 3 }
+
+minUserNameLen OBJECT-TYPE
+ SYNTAX INTEGER (1..16)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set minimum length of user name."
+ ::= { accountPolicy 1 }
+
+minUserPwdLen OBJECT-TYPE
+ SYNTAX INTEGER (1..16)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set minimum length of user password.
+ "
+ ::= { accountPolicy 2 }
+
+upperCaseEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set one upper case rule in user password."
+ ::= { accountPolicy 3 }
+
+lowerCaseEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set one lower case rule in user password."
+ ::= { accountPolicy 4 }
+
+numberEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set one number rule in user password."
+ ::= { accountPolicy 5 }
+
+disableDuplicateLogin OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set status of disabled duplicate login rule."
+ ::= { accountPolicy 6 }
+
+loginString OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set a login string.
+ string length: 0~32
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { loginRestriction 1 }
+
+ipFilterEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set status of ip filter."
+ ::= { ipFilter 1 }
+
+ipFilterRule OBJECT-TYPE
+ SYNTAX INTEGER { include(1), exclude(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set status of ip filter rule."
+ ::= { ipFilter 2 }
+
+ipFilterTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF IpFilterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of restricted ip."
+ ::= { ipFilter 3 }
+
+ipFilterEntry OBJECT-TYPE
+ SYNTAX IpFilterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Status and parameter values for a PE's restricted IP."
+ INDEX { ipFilterIndex }
+ ::= { ipFilterTable 1 }
+
+IpFilterEntry ::=
+ SEQUENCE {
+ ipFilterIndex
+ INTEGER,
+ ipFilterFrom
+ IpAddress,
+ ipFilterTo
+ IpAddress
+ }
+
+ipFilterIndex OBJECT-TYPE
+ SYNTAX INTEGER (1..5)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of index for the ip filter.
+ "
+ ::= { ipFilterEntry 1 }
+
+ipFilterFrom OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "A set of restricted ip.
+ ex. 192.168.0.1
+
+ Note: Users must follow in order to set the ip address.
+ Note: To clear the settings to set the ip 0.0.0.0
+ "
+ ::= { ipFilterEntry 2 }
+
+ipFilterTo OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "A set of restricted ip.
+ ex. 192.168.0.255
+
+ Note: Users must follow in order to set the ip address.
+ Note: To clear the settings to set the ip 0.0.0.0
+ "
+ ::= { ipFilterEntry 3 }
+
+macFilterEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set status of mac filter."
+ ::= { macFilter 1 }
+
+macFilterRule OBJECT-TYPE
+ SYNTAX INTEGER { include(1), exclude(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set status of mac filter rule."
+ ::= { macFilter 2 }
+
+macFilterTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MacFilterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of restricted mac."
+ ::= { macFilter 3 }
+
+macFilterEntry OBJECT-TYPE
+ SYNTAX MacFilterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Status and parameter values for a PE's restricted MAC."
+ INDEX { macFilterIndex }
+ ::= { macFilterTable 1 }
+
+MacFilterEntry ::=
+ SEQUENCE {
+ macFilterIndex
+ INTEGER,
+ macFilterSet
+ DisplayString
+ }
+
+macFilterIndex OBJECT-TYPE
+ SYNTAX INTEGER (1..5)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of index for the mac filter.
+ "
+ ::= { macFilterEntry 1 }
+
+macFilterSet OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "A set of restricted mac.
+ string length: 12
+ ex. 004854655511
+
+ Note: Users must follow in order to set the MAC address.
+ Note: To clear the settings to set the MAC 000000000000
+ "
+ ::= { macFilterEntry 2 }
+
+--LocalAuth OBJECT-TYPE
+ --SYNTAX INTEGER { no(1), yes(2) }
+ --MAX-ACCESS read-write
+ --STATUS current
+ --DESCRIPTION
+ -- "Display or set status of disable local authentication."
+ --::= { authentication 1 }
+
+radiusEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set status of RADIUS server."
+ ::= { radius 1 }
+
+preferRadiusIp OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set prefer RADIUS server IP."
+ ::= { radius 2 }
+
+preferRadiusPort OBJECT-TYPE
+ SYNTAX INTEGER (1..65535)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set prefer RADIUS server port."
+ ::= { radius 3 }
+
+alternateRadiusIp OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set alternative RADIUS server IP."
+ ::= { radius 4 }
+
+alternateRadiusPort OBJECT-TYPE
+ SYNTAX INTEGER (1..65535)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set alternative RADIUS server port."
+ ::= { radius 5 }
+
+radiusTimeOut OBJECT-TYPE
+ SYNTAX INTEGER (1..60)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set time out of authentication using RADIUS server.
+ The unit is sec.
+ "
+ ::= { radius 6 }
+
+radiusRetry OBJECT-TYPE
+ SYNTAX INTEGER (0..10)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set retry times of authentication using RADIUS server."
+ ::= { radius 7 }
+
+radiusSecret OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set shared secret of RADIUS server.
+ string length: 6~15
+ At least 6 characters.
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { radius 8 }
+
+-- Device Management End
+
+-- User Management
+usrListTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF UsrListEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of user. The number of user is
+ given by the value of usrcfgNumber."
+ ::= { userManagement 1 }
+
+usrListEntry OBJECT-TYPE
+ SYNTAX UsrListEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Status and parameter values for a pe8208 user."
+ INDEX { usrIndex }
+ ::= { usrListTable 1 }
+
+UsrListEntry ::=
+ SEQUENCE {
+ usrIndex
+ INTEGER,
+ usrType
+ INTEGER,
+ usrName
+ DisplayString,
+ usrPassword
+ DisplayString,
+ usrPort1Auth
+ INTEGER,
+ usrPort2Auth
+ INTEGER,
+ usrPort3Auth
+ INTEGER,
+ usrPort4Auth
+ INTEGER,
+ usrPort5Auth
+ INTEGER,
+ usrPort6Auth
+ INTEGER,
+ usrPort7Auth
+ INTEGER,
+ usrPort8Auth
+ INTEGER,
+
+ usrPort9Auth
+ INTEGER,
+ usrPort10Auth
+ INTEGER,
+ usrPort11Auth
+ INTEGER,
+ usrPort12Auth
+ INTEGER,
+ usrPort13Auth
+ INTEGER,
+ usrPort14Auth
+ INTEGER,
+ usrPort15Auth
+ INTEGER,
+ usrPort16Auth
+ INTEGER,
+ usrPort17Auth
+ INTEGER,
+ usrPort18Auth
+ INTEGER,
+ usrPort19Auth
+ INTEGER,
+ usrPort20Auth
+ INTEGER,
+ usrPort21Auth
+ INTEGER,
+ usrPort22Auth
+ INTEGER,
+ usrPort23Auth
+ INTEGER,
+ usrPort24Auth
+ INTEGER,
+ usrPort25Auth
+ INTEGER,
+ usrPort26Auth
+ INTEGER,
+ usrPort27Auth
+ INTEGER,
+ usrPort28Auth
+ INTEGER,
+ usrPort29Auth
+ INTEGER,
+ usrPort30Auth
+ INTEGER,
+ usrPort31Auth
+ INTEGER,
+ usrPort32Auth
+ INTEGER,
+ usrPort33Auth
+ INTEGER,
+ usrPort34Auth
+ INTEGER,
+ usrPort35Auth
+ INTEGER,
+ usrPort36Auth
+ INTEGER,
+ usrPort37Auth
+ INTEGER,
+ usrPort38Auth
+ INTEGER,
+ usrPort39Auth
+ INTEGER,
+ usrPort40Auth
+ INTEGER,
+ usrPort41Auth
+ INTEGER,
+ usrPort42Auth
+ INTEGER,
+ usrEnable
+ INTEGER
+ }
+
+usrIndex OBJECT-TYPE
+ SYNTAX INTEGER (1..9)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of usrIndex for the user. We have 1 administrator and 8 users.
+ The index 9 will be the administrator.
+ "
+ ::= { usrListEntry 1 }
+
+usrType OBJECT-TYPE
+ SYNTAX INTEGER { administrator(1), user(2)}
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The user's type."
+ ::= { usrListEntry 2 }
+
+usrName OBJECT-TYPE
+ SYNTAX DisplayString (SIZE (1..16))
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "A textual string containing name of the user.
+ string length: 1~16
+ "
+ ::= { usrListEntry 3 }
+
+usrPassword OBJECT-TYPE
+ SYNTAX DisplayString (SIZE (1..16))
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "A textual string containing password of the user.
+ string length: 1~16
+ "
+ ::= { usrListEntry 4 }
+
+usrPort1Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 1 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 5 }
+usrPort2Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 2 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 6 }
+usrPort3Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 3 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 7 }
+usrPort4Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 4 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 8 }
+usrPort5Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 5 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 9 }
+usrPort6Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Dispaly or set this user's outlet 6 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 10 }
+usrPort7Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 7 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 11 }
+usrPort8Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 8 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 12 }
+usrEnable OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), enable(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user is enable or not"
+ ::= { usrListEntry 47 }
+
+usrPort9Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 9 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 13 }
+
+usrPort10Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 10 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 14 }
+
+usrPort11Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 11 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 15 }
+
+usrPort12Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 12 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 16 }
+
+usrPort13Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 13 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 17 }
+
+
+usrPort14Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 14 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 18 }
+
+usrPort15Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 15 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 19 }
+
+usrPort16Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 16 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 20 }
+
+usrPort17Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 17 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 21 }
+
+usrPort18Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 18 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 22 }
+
+usrPort19Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 19 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 23 }
+
+usrPort20Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 20 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 24 }
+
+usrPort21Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 21 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 25 }
+
+usrPort22Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 22 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 26 }
+
+usrPort23Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 23 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 27 }
+
+usrPort24Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 24 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 28 }
+
+usrPort25Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 25 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 29 }
+
+usrPort26Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 26 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 30 }
+
+usrPort27Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 27 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 31 }
+usrPort28Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 28 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 32 }
+
+usrPort29Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 29 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 33 }
+
+usrPort30Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 30 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 34 }
+
+usrPort31Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 31 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 35 }
+
+usrPort32Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 32 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 36 }
+
+usrPort33Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 33 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 37 }
+
+usrPort34Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 34 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 38 }
+
+usrPort35Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 35 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 39 }
+
+usrPort36Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 36 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 40 }
+
+usrPort37Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 37 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 41 }
+
+usrPort38Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 38 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 42 }
+
+usrPort39Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 39 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 43 }
+
+usrPort40Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 40 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 44 }
+
+usrPort41Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 41 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 45 }
+
+usrPort42Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 42 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 46 }
+
+-- User Management End
+
+-- DeviceLock
+--communityLock OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "Change SNMPV1 or SNMPV2 community for California passes law.
+-- Please follow the format as readcommunity||writecommunity"
+-- ::= { deviceLock 1 }
+
+--passwordLock OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "Change SNMPV3 password for California passes law.
+-- Please follow the format as authpassword||privpassword"
+-- ::= { deviceLock 2 }
+-- DeviceLock End
+
+-- SNMPv3 USM Settings
+--snmpv3UsmUserTable OBJECT-TYPE
+-- SYNTAX SEQUENCE OF Snmpv3UsmUserEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION "This table is used to configure PE SNMPv3 USM.
+-- To get the SNMPv3 access, One need to configure security
+-- name,authentication,auth password,priv protocol and priv
+-- password.
+-- "
+-- ::= { snmp 2 }
+
+--snmpv3UsmUserEntry OBJECT-TYPE
+-- SYNTAX Snmpv3UsmUserEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION "A user configured for the User-based
+-- Security Model.
+-- "
+-- INDEX { usmIndex }
+-- ::= { snmpv3UsmUserTable 1 }
+
+--Snmpv3UsmUserEntry ::= SEQUENCE {
+-- usmIndex INTEGER,
+-- usmSecurityName SnmpAdminString,
+-- smAuthProtocol SNMPv3UsmAuthPrivProtocol,
+-- usmPrivPassword SnmpAdminString
+-- }
+
+--usmIndex OBJECT-TYPE
+-- SYNTAX INTEGER (1)
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION "Usm configuration index. "
+-- ::= { snmpv3UsmUserEntry 1 }
+
+
+--usmSecurityName OBJECT-TYPE
+-- SYNTAX SnmpAdminString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION "A human readable string representing the user in
+-- Security Model independent format.
+
+-- The default transformation of the User-based Security
+-- Model dependent security ID to the securityName and
+-- vice versa is the identity function so that the
+-- securityName is the same as the userName.
+-- "
+-- ::= { snmpv3UsmUserEntry 2 }
+
+
+--usmKeyAlgorithm OBJECT-TYPE
+-- SYNTAX SNMPv3UsmAuthPrivProtocol
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION "
+-- If usmAuthProtocol == HMACMD5Auth , supports MD5 AuthKey and PrivKey
+-- If usmAuthProtocol == HMACSHAAuth, supports SHA AuthKey and PrivKey
+-- "
+-- ::= { snmpv3UsmUserEntry 3 }
+
+--usmPrivProtocol OBJECT-TYPE
+-- SYNTAX SNMPv3UsmAuthPrivProtocol
+-- MAX-ACCESS read-only
+ -- STATUS current
+ -- DESCRIPTION " A privacy protocol to provide encryption and decryption
+-- SNMPv3 pdu.
+ -- "
+ -- ::= { snmpv3UsmUserEntry 4 }
+
+--usmPrivPassword OBJECT-TYPE
+-- SYNTAX SnmpAdminString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION "An user's privacy password, Associated protocol
+-- and a secret key is used to establish a connection
+-- for the snmp agent and manager commnucation.
+-- "
+-- ::= { snmpv3UsmUserEntry 4 }
+
+
+-- SNMPv3 Target MIB
+
+--snmpv3TargetTable OBJECT-TYPE
+-- SYNTAX SEQUENCE OF Snmpv3TargetEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+ -- "A table of SNMP target information to be used
+ -- in the generation of SNMP trap messages."
+ -- ::= { snmp 3 }
+
+--snmpv3TargetEntry OBJECT-TYPE
+-- SYNTAX Snmpv3TargetEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "A set of SNMP target information.
+-- "
+-- INDEX { snmpv3TargetIndex }
+-- ::= { snmpv3TargetTable 1 }
+
+--Snmpv3TargetEntry ::= SEQUENCE {
+-- snmpv3TargetIndex INTEGER,
+-- snmpv3TargetMPModel SnmpMessageProcessingModel,
+-- snmpv3TargetSecurityModel SnmpSecurityModel,
+ -- snmpv3TargetSecurityName SnmpAdminString
+--}
+--snmpv3TargetIndex OBJECT-TYPE
+ -- SYNTAX INTEGER(1)
+ -- MAX-ACCESS not-accessible
+ -- STATUS current
+ -- DESCRIPTION
+ -- "The locally arbitrary, but unique identifier associated
+ -- with this snmpv3TargetEntry."
+ -- ::= { snmpv3TargetEntry 1 }
+
+--snmpv3TargetMPModel OBJECT-TYPE
+ -- SYNTAX SnmpMessageProcessingModel
+ -- MAX-ACCESS read-only
+ -- STATUS current
+ -- DESCRIPTION
+ -- "The Message Processing Model to be used when generating
+ -- SNMP messages using this entry."
+ -- ::= { snmpv3TargetEntry 2 }
+
+--snmpv3TargetSecurityModel OBJECT-TYPE
+ -- SYNTAX SnmpSecurityModel (1..2147483647)
+ -- MAX-ACCESS read-only
+ -- STATUS current
+ -- DESCRIPTION
+ -- "The Security Model to be used when generating SNMP
+ -- messages using this entry. An implementation may
+ -- choose to return an inconsistentValue error if an
+ -- attempt is made to set this variable to a value
+ -- for a security model which the implementation does
+ -- not support."
+ -- ::= { snmpv3TargetEntry 3 }
+
+--snmpv3TargetSecurityName OBJECT-TYPE
+ -- SYNTAX SnmpAdminString
+ -- MAX-ACCESS read-only
+ -- STATUS current
+ -- DESCRIPTION
+ -- "The securityName which identifies the Principal on
+ -- whose behalf SNMP messages will be generated using
+ -- this entry."
+ -- ::= { snmpv3TargetEntry 4 }
+
+--snmpv3TargetSecurityLevel OBJECT-TYPE
+ -- SYNTAX SnmpSecurityLevel
+ -- MAX-ACCESS read-only
+ -- STATUS current
+ -- DESCRIPTION
+ -- "The Level of Security to be used when generating
+ -- SNMP messages using this entry."
+ -- ::= { snmpv3TargetEntry 5 }
+
+-- Custom Trap Message
+
+customTrapMSG NOTIFICATION-TYPE
+ STATUS current
+ --OBJECTS { customTrapMSG }
+ DESCRIPTION "Display custom trap message."
+ ::= { pe 5 }
+
+rebootDevice OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION "Reboot PE Device"
+ ::= { pe 6 }
+-- CPM
+--modelName OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Indicate CPM device model name."
+-- ::= { CPM 1 }
+
+--cpmName OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "The name of CPM device.
+-- string length: 1~39
+-- NOTE: Input string as /empty to set this object to NULL.
+-- "
+-- ::= { CPM 2 }
+
+--cpmswitchable OBJECT-TYPE
+-- SYNTAX INTEGER { no(1), yes(2) }
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- " Switchable or not. "
+-- ::= { CPM 3 }
+
+--cpmPDUreading OBJECT-TYPE
+-- SYNTAX INTEGER { no(1), yes(2) }
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- " CPM is per-PDU reading or not."
+-- ::= { CPM 4 }
+
+--cpmSensornumber OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- " CPM's Sensor number."
+-- ::= { CPM 5 }
+
+--cpmOutletnumber OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- " CPM's Outlet number."
+-- ::= { CPM 6 }
+
+--cpmbreaker OBJECT-TYPE
+ --SYNTAX INTEGER { off(1), on(2) }
+ --MAX-ACCESS read-only
+ --STATUS current
+ --DESCRIPTION
+ -- "CPM's breaker status."
+ --::= { CPM 7 }
+
+-- Device
+--cpmdeviceValueTable OBJECT-TYPE
+-- SYNTAX SEQUENCE OF cpmDeviceValueEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Device value table. This table displays device's current.
+-- "
+-- ::= { CPMDevice 1 }
+
+--cpmdeviceValueEntry OBJECT-TYPE
+-- SYNTAX cpmDeviceValueEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Single deviceValue entry containing device info."
+-- INDEX { cpmdeviceValueIndex }
+-- ::= { cpmdeviceValueTable 1 }
+
+--cpmDeviceValueEntry ::=
+-- SEQUENCE {
+-- cpmdeviceValueIndex
+-- INTEGER,
+-- cpmdeviceCurrent
+-- DisplayString,
+ --cpmdeviceVoltage
+ -- DisplayString,
+ --cpmdevicePower
+ -- DisplayString,
+ --cpmdevicePowerDissipation
+ -- DisplayString,
+ --cpminputMaxVoltage
+ -- INTEGER,
+-- cpminputMaxCurrent
+-- INTEGER
+ --cpmpowerCapacity
+ -- INTEGER
+
+-- }
+
+--cpmdeviceValueIndex OBJECT-TYPE
+-- SYNTAX INTEGER (1)
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Index of device Value."
+-- ::= { cpmdeviceValueEntry 1 }
+
+--cpmdeviceCurrent OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Device electric current value.
+-- "
+-- ::= { cpmdeviceValueEntry 2 }
+
+--cpmdeviceVoltage OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Device voltage value."
+-- ::= { cpmdeviceValueEntry 3 }
+--cpmdevicePower OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Device power value."
+-- ::= { cpmdeviceValueEntry 4 }
+
+--cpmdevicePowerDissipation OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Device power dissipation value."
+-- ::= { cpmdeviceValueEntry 5 }
+
+--cpminputMaxVoltage OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Device input Voltage value. unit:(V)"
+-- ::= { cpmdeviceValueEntry 6 }
+
+--cpminputMaxCurrent OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Device input Current value. unit:(A)"
+-- ::= { cpmdeviceValueEntry 7 }
+
+--cpmpowerCapacity OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Device power Capacity value.unit:(VA)"
+-- ::= { cpmdeviceValueEntry 8 }
+
+--cpmdeviceConfigTable OBJECT-TYPE
+-- SYNTAX SEQUENCE OF cpmDeviceConfigEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Device configuration table"
+-- ::= { CPMDevice 2 }
+
+--cpmdeviceConfigEntry OBJECT-TYPE
+-- SYNTAX cpmDeviceConfigEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Single deviceConfig entry containing device info."
+-- INDEX { cpmdeviceConfigIndex }
+-- ::= { cpmdeviceConfigTable 1 }
+
+--cpmDeviceConfigEntry ::=
+-- SEQUENCE {
+-- cpmdeviceConfigIndex
+-- INTEGER,
+ --cpmdeviceMinCurMT
+ -- INTEGER,
+-- cpmdeviceMaxCurMT
+-- INTEGER
+ --cpmdeviceMinVolMT
+ -- INTEGER,
+ --cpmdeviceMaxVolMT
+ -- INTEGER,
+-- }
+
+--cpmdeviceConfigIndex OBJECT-TYPE
+-- SYNTAX INTEGER (1)
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Index of deviceConfig"
+-- ::= { cpmdeviceConfigEntry 1 }
+
+--cpmdeviceMinCurMT OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "Display or set device minimum electric current measurement threshold.
+-- When this value is -3000,it indicate this is NULL.
+-- When set this value to -3000, indicate set this object as NULL.
+-- range:0.0~32.0 represents:0~320
+-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold
+-- "
+-- ::= { cpmdeviceConfigEntry 2 }
+
+--cpmdeviceMaxCurMT OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "Display or set device maximum electric current measurement threshold.
+-- When this value is -3000,it indicate this is NULL.
+-- When set this value to -3000, indicate set this object as NULL.
+-- Example: range 0.0~32.0 represents: 0~320
+
+-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold
+-- "
+-- ::= { cpmdeviceConfigEntry 3 }
+
+--cpmdeviceMinVolMT OBJECT-TYPE
+-- SYNTAX INTEGER (900..2600 | -3000)
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "Display or set device minimum voltage measurement threshold.
+-- range:90.0~260.0 represents:900~2600
+-- When this value is -3000,it indicate this is NULL.
+-- When set this value to -3000, indicate set this object as NULL.
+-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold
+-- "
+-- ::= { cpmdeviceConfigEntry 4 }
+
+--cpmdeviceMaxVolMT OBJECT-TYPE
+-- SYNTAX INTEGER (900..2600 | -3000)
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "Display or set device maximum voltage measurement threshold.
+-- range:90.0~260.0 represents:900~2600
+-- When this value is -3000,it indicate this is NULL.
+-- When set this value to -3000, indicate set this object as NULL.
+-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold
+-- "
+-- ::= { cpmdeviceConfigEntry 5 }
+
+
+
+-- Sensor
+--cpmSensorValueTable OBJECT-TYPE
+-- SYNTAX SEQUENCE OF cpmSensorValueEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "CPM's sensor value table. This table displays sensor's temperature, humidity and
+-- pressure.
+-- "
+-- ::= { Sensor 1 }
+
+--cpmSensorValueEntry OBJECT-TYPE
+-- SYNTAX cpmSensorValueEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "CPM's sensor value entry containing Sensor info."
+-- INDEX { cpmSensorValueIndex }
+-- ::= { cpmSensorValueTable 1 }
+
+--cpmSensorValueEntry ::=
+-- SEQUENCE {
+-- cpmSensorValueIndex
+-- INTEGER,
+-- cpmSensorTemperature
+-- DisplayString,
+-- cpmSensorHumidity
+-- DisplayString,
+-- cpmSensorPressure
+-- DisplayString,
+-- cpmSensorProperty
+-- INTEGER
+-- }
+
+--cpmSensorValueIndex OBJECT-TYPE
+-- SYNTAX INTEGER (1..4)
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Index of CPM's Sensor number."
+-- ::= { cpmSensorValueEntry 1 }
+
+--cpmSensorTemperature OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "CPM's Sensor Temperature value."
+-- ::= { cpmSensorValueEntry 2 }
+
+--cpmSensorHumidity OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "CPM's Sensor Humidity value."
+-- ::= { cpmSensorValueEntry 3 }
+
+--cpmSensorPressure OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "CPM's Sensor Pressure value."
+-- ::= { cpmSensorValueEntry 4 }
+
+--cpmSensorProperty OBJECT-TYPE
+-- SYNTAX INTEGER { intake(1), exhaust(2) }
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "CPM's Sensor Property."
+-- ::= { cpmSensorValueEntry 5 }
+
+--cpmSensorThresholdTable OBJECT-TYPE
+-- SYNTAX SEQUENCE OF cpmSensorThresholdEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "CPM's Sensor value table"
+-- ::= { Sensor 2 }
+
+--cpmSensorThresholdEntry OBJECT-TYPE
+-- SYNTAX cpmSensorThresholdEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "CPM's sensor threshold entry containing sensor info."
+-- INDEX { cpmSensorThresholdIndex }
+-- ::= { cpmSensorThresholdTable 1 }
+
+--cpmSensorThresholdEntry ::=
+-- SEQUENCE {
+-- cpmSensorThresholdIndex
+-- INTEGER,
+-- cpmsensorMinTempMT
+-- INTEGER,
+-- cpmsensorMaxTempMT
+-- INTEGER,
+
+-- cpmsensorMinHumMT
+-- INTEGER,
+-- cpmsensorMaxHumMT
+-- INTEGER,
+-- cpmsensorMinPressMT
+-- INTEGER,
+-- cpmsensorMaxPressMT
+-- INTEGER
+ --sensorTempFlu
+ --INTEGER,
+ --sensorHumFlu
+ --INTEGER,
+ --sensorPressFlu
+ --INTEGER
+-- }
+
+--cpmSensorThresholdIndex OBJECT-TYPE
+-- SYNTAX INTEGER (1..4)
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Index of CPM's sensor number"
+-- ::= { cpmSensorThresholdEntry 1 }
+
+--cpmsensorMinTempMT OBJECT-TYPE
+-- SYNTAX INTEGER (-200..600 | -3000)
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "Display or set sensor minimum temperature measurement threshold.
+-- Example: range 0.0 ~ 60.0 represents 0~600
+-- When this value is -3000,it indicate this is NULL.
+-- When set this value to -3000, indicate set this object as NULL.
+
+-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold.
+-- " +-- ::= { cpmSensorThresholdEntry 2 } + +--cpmsensorMaxTempMT OBJECT-TYPE +-- SYNTAX INTEGER (-200..600 | -3000) +-- MAX-ACCESS read-write +-- STATUS current +-- DESCRIPTION +-- "Display or set sensor maximum temperature measurement threshold. +-- Example: range 0.0 ~ 60.0 represents 0~600 +-- When this value is -3000,it indicate this is NULL. +-- When set this value to -3000, indicate set this object as NULL. + +-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold +-- " +-- ::= { cpmSensorThresholdEntry 3 } + +--cpmsensorMinHumMT OBJECT-TYPE +-- SYNTAX INTEGER (150..950 | -3000) +-- MAX-ACCESS read-write +-- STATUS current +-- DESCRIPTION +-- "Display or set sensor minimum humidity measurement threshold. +-- Example: range 15.0 ~ 95.0 represents 150~950 +-- When this value is -3000,it indicate this is NULL. +-- When set this value to -3000, indicate set this object as NULL. + +-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold +-- " +-- ::= { cpmSensorThresholdEntry 4 } +--cpmsensorMaxHumMT OBJECT-TYPE +-- SYNTAX INTEGER (150..950 | -3000) +-- MAX-ACCESS read-write +-- STATUS current +-- DESCRIPTION +-- "Display or set sensor maximum humidity measurement threshold. +-- Example: range 15.0 ~ 95.0 represents 150~950 +-- When this value is -3000,it indicate this is NULL. +-- When set this value to -3000, indicate set this object as NULL. + +-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold +-- " +-- ::= { cpmSensorThresholdEntry 5 } + +--cpmsensorMinPressMT OBJECT-TYPE +-- SYNTAX INTEGER (-2500..2500 | -3000) +-- MAX-ACCESS read-write +-- STATUS current +-- DESCRIPTION +-- "Display or set sensor minimum pressure measurement threshold. +-- Example: range -250.0 ~ 250.0 represents -2500 ~ 2500 +-- When this value is -3000,it indicate this is NULL. +-- When set this value to -3000, indicate set this object as NULL. 
+ +-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold +-- " +-- ::= { cpmSensorThresholdEntry 6 } + +--cpmsensorMaxPressMT OBJECT-TYPE +-- SYNTAX INTEGER (-2500..2500 | -3000) +-- MAX-ACCESS read-write +-- STATUS current +-- DESCRIPTION +-- "Display or set sensor maximum pressure measurement threshold. +-- Example: range -250.0 ~ 250.0 represents -2500 ~ 2500 +-- When this value is -3000,it indicate this is NULL. +-- When set this value to -3000, indicate set this object as NULL. + +-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold +-- " +-- ::= { cpmSensorThresholdEntry 7 } + + +-- pdu + +--cpmPDUValueTable OBJECT-TYPE +-- SYNTAX SEQUENCE OF cpmPDUValueEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "Display the PDU's current value of CPM" +-- ::= { EnergySensor 1 } + +--cpmPDUValueEntry OBJECT-TYPE +-- SYNTAX cpmPDUValueEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "CPM's monitor pdu Value entry containing outlet info." 
+-- INDEX { cpmPDUValueIndex } +-- ::= { cpmPDUValueTable 1 } + +--cpmPDUValueEntry ::= +-- SEQUENCE { +-- cpmPDUValueIndex +-- INTEGER, +-- cpmPDUCurrent +-- DisplayString, + --cpmPDUVoltage + -- DisplayString, + --cpmPDUPower + -- DisplayString, + --cpmPDUPowerDissipation + -- DisplayString, +-- cpmPDUMaxCurrent +-- INTEGER +-- } + +--cpmPDUValueIndex OBJECT-TYPE +-- SYNTAX INTEGER (1..4) +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "Index of PDU number" +-- ::= { cpmPDUValueEntry 1 } + +--cpmPDUCurrent OBJECT-TYPE +-- SYNTAX DisplayString +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "CPM's monitor PDU electric current value" +-- ::= { cpmPDUValueEntry 2 } + +--cpmPDUVoltage OBJECT-TYPE + --SYNTAX DisplayString + --MAX-ACCESS read-only + --STATUS current + --DESCRIPTION + -- "CPM's monitor PDU voltage value" + --::= { cpmPDUValueEntry 3 } + +--cpmPDUPower OBJECT-TYPE + --SYNTAX DisplayString + --MAX-ACCESS read-only + --STATUS current + --DESCRIPTION + -- "CPM's monitor PDU power value" + --::= { cpmPDUValueEntry 4 } + +--cpmPDUPowerDissipation OBJECT-TYPE + --SYNTAX DisplayString + --MAX-ACCESS read-only + --STATUS current + --DESCRIPTION + -- "CPM's monitor PDU power dissipation value" + --::= { cpmPDUValueEntry 5 } + +--cpmPDUMaxCurrent OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "CPM's monitor PDU Max Current value. unit: (A)" +-- ::= { cpmPDUValueEntry 6 } + +--cpmBankStatus OBJECT-TYPE +-- SYNTAX INTEGER { noattached(1), attached(2) } +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "The status CPM device Bank status." 
+-- ::= { cpmPDUValueEntry 7 } + + +--cpmPDUConfigTable OBJECT-TYPE +-- SYNTAX SEQUENCE OF cpmPDUConfigEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "CPM's monitor PDU configuration table" +-- ::= { EnergySensor 2 } + +--cpmPDUConfigEntry OBJECT-TYPE +-- SYNTAX cpmPDUConfigEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "CPM's monitor PDU config entry containing PDU info." +-- INDEX { cpmPDUConfigIndex } +-- ::= { cpmPDUConfigTable 1 } + +--cpmPDUConfigEntry ::= +-- SEQUENCE { +-- cpmPDUConfigIndex +-- INTEGER, +-- cpmPDUName +-- DisplayString, + --cpmPDUConfirmation + -- INTEGER, + --cpmPDUOnDelayTime + -- INTEGER, + --cpmPDUOffDelayTime + -- INTEGER, + --cpmPDUShutdownMethod + -- INTEGER, + --cpmPDUMAC + -- DisplayString, + --cpmPDUMinCurMT + -- INTEGER, +-- cpmPDUMaxCurMT +-- INTEGER + + --cpmPDUMinVolMT + -- INTEGER, + --cpmPDUMaxVolMT + -- INTEGER, + + +-- } + +--cpmPDUConfigIndex OBJECT-TYPE +-- SYNTAX INTEGER (1..4) +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "Index of PDU number" +-- ::= { cpmPDUConfigEntry 1 } + +--cpmPDUName OBJECT-TYPE +-- SYNTAX DisplayString +-- MAX-ACCESS read-write +-- STATUS current +-- DESCRIPTION +-- "Display or set the name of pdu. +-- string length: 0~15 +-- NOTE: Input string as /empty to set this object to NULL. +-- " +-- ::= { cpmPDUConfigEntry 2 } + +--cpmPDUConfirmation OBJECT-TYPE + --SYNTAX INTEGER { no(1), yes(2) } + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display or set the confirmation of outlet." + --::= { cpmPDUConfigEntry 3 } + +--cpmPDUOnDelayTime OBJECT-TYPE + --SYNTAX INTEGER (0..999) + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display or set the ON delay time of outlet." + --::= { cpmPDUConfigEntry 4 } + +--cpmPDUOffDelayTime OBJECT-TYPE + --SYNTAX INTEGER (0..999) + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display or set the OFF delay time of outlet." 
+ --::= { cpmPDUConfigEntry 5 } + +--cpmPDUShutdownMethod OBJECT-TYPE + --SYNTAX INTEGER { kill-the-power(1), wake-on-lan(2), after-ac-back(3) } + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display or set the shutdown mehtod of outlet." + --::= { cpmPDUConfigEntry 6 } + +--cpmPDUMAC OBJECT-TYPE + --SYNTAX DisplayString + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display or set the MAC address of ShutdownMethod. + -- string length: 12 + -- " + --::= { cpmPDUConfigEntry 7 } + +--cpmPDUMinCurMT OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-write +-- STATUS current +-- DESCRIPTION +-- "Display or set the PDU minimum electric current measurment threshold. +-- Range:0.0 ~16.0 rerpresnts 0~160 +-- When this value is -3000,it indicate this is NULL. +-- When set this value to -3000, indicate set this object as NULL. +-- +-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold +-- " +-- ::= { cpmPDUConfigEntry 3 } + +--cpmPDUMaxCurMT OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-write +-- STATUS current +-- DESCRIPTION +-- "Display or set the PDU maximum electric current measurment threshold. +-- Example: range 0.0 ~16.0 represents 0~160 +-- When this value is -3000,it indicate this is NULL. +-- When set this value to -3000, indicate set this object as NULL. + +-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold +-- " +-- ::= { cpmPDUConfigEntry 4 } + +--cpmPDUMinVolMT OBJECT-TYPE + --SYNTAX INTEGER (900..2600) + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display or set the outlet minimum voltage measurment threshold. + -- Range:90.0 ~260.0 represents 900~2600 + -- When this value is -3000,it indicate this is NULL. + -- When set this value to -3000, indicate set this object as NULL. 
+ -- NOTICE:Minimum threshold should be setted smaller than Maxima threshold + -- " + --::= { cpmPDUConfigEntry 10 } + +--cpmPDUMaxVolMT OBJECT-TYPE + --SYNTAX INTEGER (900..2600) + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display or set the outlet maximum voltage measurment threshold. + -- Range:90.0 ~260.0 represents 900~2600 + -- When this value is -3000,it indicate this is NULL. + -- When set this value to -3000, indicate set this object as NULL. + -- NOTICE:Minimum threshold should be setted smaller than Maxima threshold + -- " + --::= { cpmPDUConfigEntry 11 } + + +END diff --git a/roles/aten_pdu/files/aten-mqtt-publish.sh b/roles/aten_pdu/files/aten-mqtt-publish.sh new file mode 100644 index 0000000..5b486c6 --- /dev/null +++ b/roles/aten_pdu/files/aten-mqtt-publish.sh 
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+set -eu
+umask 077
+
+community="public"
+
+mqtt_send() {
+ topic="$1"
+ value="$2"
+
+ tlsdir="$(openssl version -d | sed -e 's/^OPENSSLDIR: "\(.\+\)"$/\1/')"
+ mosquitto_pub -h mqtt02.home.foo.sh -t "$topic" -m "$value" \
+ --cafile "${tlsdir}/certs/ca.crt" \
+ --key "${tlsdir}/private/$(hostname -f).key" \
+ --cert "${tlsdir}/certs/$(hostname -f).crt"
+}
+
+snmp_get() {
+ host="$1"
+ key="$2"
+ snmpget -v 1 -c "$community" "$host" -Oqv -m ATEN-PE-CFG "$key" | tr -d '"'
+}
+
+# only run script if first vrrp interface is in master state
+for state in /run/keepalived/*.state ; do
+ if [ "$(cat "$state")" != "MASTER" ]; then
+ exit 0
+ fi
+ break
+done
+
+ldapsearch -Q -LLL "(&(objectClass=device)(description=Aten PE*))" cn | \
+ awk '{ if ($1 == "cn:") print $2 }' | while read -r name
+do
+ location="$(snmp_get "$name" RFC1213-MIB::sysLocation.0 | \
+ tr '[:upper:]' '[:lower:]' | tr ' ' '_')"
+ snmpwalk -v 1 -c "$community" "$name" -Oq \
+ -m ATEN-PE-CFG ATEN-PE-CFG::outletName | while read -r port device
+ do
+ port="$(echo "$port" | cut -d '.' -f 2)"
+ device="$(echo "$device" | tr -d '"')"
+ case "$device" in
+ "N/A"|"00 "|"unused")
+ continue
+ ;;
+ esac
+ for key in Current Power Voltage ; do
+ topic="home/${location}/${device}/$(echo "$key" | tr '[:upper:]' '[:lower:]')"
+ value="$(snmp_get "$name" "ATEN-PE-CFG::outlet${key}.${port}")"
+ mqtt_send "$topic" "$value"
+ done
+ done
+done
diff --git a/roles/aten_pdu/meta/main.yml b/roles/aten_pdu/meta/main.yml
new file mode 100644
index 0000000..d2f9d51
--- /dev/null
+++ b/roles/aten_pdu/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - {role: ldap}
diff --git a/roles/aten_pdu/tasks/main.yml b/roles/aten_pdu/tasks/main.yml
new file mode 100644
index 0000000..8bb9112
--- /dev/null
+++ b/roles/aten_pdu/tasks/main.yml
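Review bot: `location` and `device` are spliced into the MQTT topic at `topic="home/${location}/${device}/..."` exactly as the PDU returns them over SNMPv1, whose community `public` travels in cleartext and authenticates nothing, so a `/`, `+` or `#` in an outlet name or sysLocation silently changes the topic structure that the `home/+/+/power` subscriber later in this series matches on. The two halves are also normalised differently: `location` has spaces mapped to `_` and is lower-cased, while `device` only loses its quotes. Normalising `device` the same way and then rejecting anything outside a safe alphabet would close both, e.g. `device="$(echo "$device" | tr -d '"' | tr ' ' '_')"` followed by `case "$device" in *[!A-Za-z0-9_-]*) continue ;; esac` before the existing `case`.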
@@ -0,0 +1,31 @@
+---
+- name: Install packages
+ ansible.builtin.package:
+ name: "{{ item }}"
+ state: installed
+ with_items:
+ - mosquitto
+ - net-snmp-utils
+
+# https://www.aten.com/eu/en/products/power-distribution-&-racks/rack-pdu/pe8108/
+- name: Install custom mib
+ ansible.builtin.copy:
+ dest: /usr/share/snmp/mibs/ATEN-PE-CFG.txt
+ src: ATEN-PE-CFG_str_1.3.128.mib
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: Install mqtt publish script
+ ansible.builtin.copy:
+ dest: /usr/local/bin/aten-mqtt-publish
+ src: aten-mqtt-publish.sh
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: Add mqtt publish cron job
+ ansible.builtin.cron:
+ name: aten-mqtt-publish
+ job: /usr/local/bin/aten-mqtt-publish
+ minute: "*/5"
From 4c9a7dbcfb2e6fae81ba4ac76f1a11bef7a6fe2c Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sun, 6 Apr 2025 16:44:47 +0000
Subject: [PATCH 572/713] Add aten_pdu role to nms hosts
---
 playbooks/nms.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/playbooks/nms.yml b/playbooks/nms.yml
index 969b6a5..075054c 100644
--- a/playbooks/nms.yml
+++ b/playbooks/nms.yml
@@ -38,6 +38,7 @@
 autofs_home: false
 - sssd
 - mkhomedir
+ - aten_pdu
 - routeros_firmware
 - snmp_exporter
@@ -74,7 +75,6 @@
 name: "{{ item }}"
 state: installed
 with_items:
- - net-snmp-utils
 - nmap
 - rcs
 - unzip
From f114a2d5d973445ae1801a9099f0400e7b6867cb Mon Sep 17 00:00:00 2001
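Review bot: The `Add mqtt publish cron job` task at the end of the hunk sets no `user`, so `ansible.builtin.cron` installs the job in the crontab of the account the play runs as — root, if the play uses `become` — and the publisher's LDAP, SNMP and MQTT calls then run with that privilege every five minutes. The `ha_mqtt_configd` role added later in this series creates a dedicated `ha-mqtt` system user with a `hostkey` group for reading the client key; the same pattern would fit here, e.g. `user: <dedicated-user>` on the cron task plus group read access on the key the script passes to `mosquitto_pub`. Failing that, a comment on the task stating that root is intentional would spare the next reader the question.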
From: Timo Makinen
Date: Sun, 6 Apr 2025 17:32:32 +0000
Subject: [PATCH 573/713] routeros: Rename role
---
 playbooks/nms.yml | 2 +-
 roles/{routeros_firmware => routeros}/files/README.md | 0
 .../files/download-routeros-firmware.sh | 0
 roles/{routeros_firmware => routeros}/tasks/main.yml | 0
 4 files changed, 1 insertion(+), 1 deletion(-)
 rename roles/{routeros_firmware => routeros}/files/README.md (100%)
 rename roles/{routeros_firmware => routeros}/files/download-routeros-firmware.sh (100%)
 rename roles/{routeros_firmware => routeros}/tasks/main.yml (100%)
diff --git a/playbooks/nms.yml b/playbooks/nms.yml
index 075054c..f326b55 100644
--- a/playbooks/nms.yml
+++ b/playbooks/nms.yml
@@ -39,7 +39,7 @@
 - sssd
 - mkhomedir
 - aten_pdu
- - routeros_firmware
+ - routeros
 - snmp_exporter
 tasks:
diff --git a/roles/routeros_firmware/files/README.md b/roles/routeros/files/README.md
similarity index 100%
rename from roles/routeros_firmware/files/README.md
rename to roles/routeros/files/README.md
diff --git a/roles/routeros_firmware/files/download-routeros-firmware.sh b/roles/routeros/files/download-routeros-firmware.sh
similarity index 100%
rename from roles/routeros_firmware/files/download-routeros-firmware.sh
rename to roles/routeros/files/download-routeros-firmware.sh
diff --git a/roles/routeros_firmware/tasks/main.yml b/roles/routeros/tasks/main.yml
similarity index 100%
rename from roles/routeros_firmware/tasks/main.yml
rename to roles/routeros/tasks/main.yml
From 2fedbd505bcb6f7362864666ca87b08e07e38315 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 19 Apr 2025 18:55:58 +0000
Subject: [PATCH 574/713] ha_mqtt_configd: Initial version of role
---
 .../ha_mqtt_configd/files/ha_mqtt_configd.py | 70 +++++++++++++++++++
 .../ha_mqtt_configd/files/ha_mqtt_configd.rc | 12 ++++
 roles/ha_mqtt_configd/handlers/main.yml | 5 ++
 roles/ha_mqtt_configd/tasks/main.yml | 45 ++++++++++++
 4 files changed, 132 insertions(+)
 create mode 100755 roles/ha_mqtt_configd/files/ha_mqtt_configd.py
 create mode 100755 roles/ha_mqtt_configd/files/ha_mqtt_configd.rc
 create mode 100644 roles/ha_mqtt_configd/handlers/main.yml
 create mode 100644 roles/ha_mqtt_configd/tasks/main.yml
diff --git a/roles/ha_mqtt_configd/files/ha_mqtt_configd.py b/roles/ha_mqtt_configd/files/ha_mqtt_configd.py
new file mode 100755
index 0000000..3cff8c1
--- /dev/null
+++ b/roles/ha_mqtt_configd/files/ha_mqtt_configd.py
@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+
+import hashlib
+import json
+import paho.mqtt.client as mqtt
+import socket
+import ssl
+import syslog
+import time
+
+notify = {}
+
+
+def on_message(client, userdata, msg):
+ if not msg.topic in notify:
+ syslog.syslog(syslog.LOG_INFO, f"Publish config for {msg.topic}")
+ elif notify[msg.topic] < time.monotonic() - 600:
+ syslog.syslog(syslog.LOG_INFO, f"Refresh config for {msg.topic}")
+ else:
+ return
+ topic = msg.topic.split("/")
+ uniqueid = hashlib.md5(msg.topic.encode()).hexdigest()
+ config = {
+ "dev": {
+ "name": topic[2].capitalize(),
+ "suggested_area": topic[1].capitalize(),
+ "identifiers": [
+ uniqueid,
+ ],
+ },
+ "name": "Power Usage",
+ "state_topic": msg.topic,
+ "unit_of_measurement": "W",
+ "unique_id": uniqueid,
+ }
+ client.publish(
+ topic=f"homeassistant/sensor/{uniqueid}/config", payload=json.dumps(config)
+ )
+ notify[msg.topic] = time.monotonic()
+
+
+def connect(hostname):
+ client = mqtt.Client(protocol=mqtt.MQTTv5)
+ client.tls_set(
+ certfile=f"/etc/ssl/{socket.gethostname()}.crt",
+ keyfile=f"/etc/ssl/private/{socket.gethostname()}.key",
+ ca_certs="/etc/ssl/ca.crt",
+ cert_reqs=ssl.CERT_REQUIRED,
+ )
+ client.on_message = on_message
+ client.connect(hostname, 8883)
+ syslog.syslog(syslog.LOG_INFO, f"Connected to MQTT broker {hostname}")
+ return client
+
+
+def main():
+ syslog.openlog(
+ "ha_mqtt_configd", logoption=syslog.LOG_PID, facility=syslog.LOG_DAEMON
+ )
+ client = connect(socket.gethostname())
+ try:
+ client.subscribe("home/+/+/power")
+ client.loop_forever()
+ except KeyboardInterrupt:
+ client.disconnect()
+ syslog.closelog()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/roles/ha_mqtt_configd/files/ha_mqtt_configd.rc b/roles/ha_mqtt_configd/files/ha_mqtt_configd.rc
new file mode 100755
index 0000000..dc63988
--- /dev/null
+++ b/roles/ha_mqtt_configd/files/ha_mqtt_configd.rc
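Review bot: `"suggested_area": topic[1].capitalize()` in on_message drops the `replace("_", " ")` that the mqtt.yaml.j2 template removed later in this series applied to the room name, so a room published as `living_room` now reaches Home Assistant as `Living_room` instead of `Living room`; `"suggested_area": topic[1].replace("_", " ").capitalize(),` keeps the previous mapping. Separately, `client.subscribe("home/+/+/power")` is issued once in main() rather than from an `on_connect` callback, so after loop_forever() reconnects to the broker the subscription may not be re-established — registering it in `on_connect` is the usual paho idiom. The discovery payload is built entirely from whatever is published under `home/+/+/power`, so the broker ACL on that tree is what bounds who can create sensors in Home Assistant; a one-line comment at the top of on_message saying so would make that dependency explicit.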
@@ -0,0 +1,12 @@
+#!/bin/ksh
+
+daemon="/usr/local/sbin/ha_mqtt_configd"
+daemon_user="ha-mqtt"
+
+. /etc/rc.d/rc.subr
+
+rc_bg=YES
+rc_reload=NO
+pexp="python3 /usr/local/sbin/ha_mqtt_configd"
+
+rc_cmd $1
diff --git a/roles/ha_mqtt_configd/handlers/main.yml b/roles/ha_mqtt_configd/handlers/main.yml
new file mode 100644
index 0000000..79a2cc5
--- /dev/null
+++ b/roles/ha_mqtt_configd/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart ha_mqtt_configd
+ ansible.builtin.service:
+ name: ha_mqtt_configd
+ state: restarted
diff --git a/roles/ha_mqtt_configd/tasks/main.yml b/roles/ha_mqtt_configd/tasks/main.yml
new file mode 100644
index 0000000..0757fa8
--- /dev/null
+++ b/roles/ha_mqtt_configd/tasks/main.yml
@@ -0,0 +1,45 @@
+---
+- name: Install packages
+ ansible.builtin.package:
+ name: py3-paho-mqtt
+ state: installed
+
+- name: Create group
+ ansible.builtin.group:
+ name: ha-mqtt
+ system: true
+
+- name: Create user
+ ansible.builtin.user:
+ name: ha-mqtt
+ comment: ha-mqtt-configd
+ group: ha-mqtt
+ groups: hostkey
+ create_home: false
+ home: /var/empty
+ shell: /sbin/nologin
+ system: true
+
+- name: Copy daemon
+ ansible.builtin.copy:
+ dest: /usr/local/sbin/ha_mqtt_configd
+ src: ha_mqtt_configd.py
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart ha_mqtt_configd
+
+- name: Copy startup script
+ ansible.builtin.copy:
+ dest: /etc/rc.d/ha_mqtt_configd
+ src: ha_mqtt_configd.rc
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart ha_mqtt_configd
+
+- name: Enable service
+ ansible.builtin.service:
+ name: ha_mqtt_configd
+ state: started
+ enabled: true
From bb572040ef13539a3617e7ad0288ff2104328e30 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 19 Apr 2025 18:56:27 +0000
Subject: [PATCH 575/713] Add ha_mqtt_configd to mqtt hosts
---
 playbooks/mqtt.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/playbooks/mqtt.yml b/playbooks/mqtt.yml
index d67c977..8a5c0b7 100644
--- a/playbooks/mqtt.yml
+++ b/playbooks/mqtt.yml
@@ -15,6 +15,7 @@
 roles:
 - base
 - mosquitto
+ - ha_mqtt_configd
 - telegraf
 - nginx
 - role: nginx_site
From ed4debd59de1eb184ffa22cb668048d91ddf30b7 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 19 Apr 2025 19:12:46 +0000
Subject: [PATCH 576/713] ha_mqtt_configd: Add icon for power measurements
---
 roles/ha_mqtt_configd/files/ha_mqtt_configd.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/ha_mqtt_configd/files/ha_mqtt_configd.py b/roles/ha_mqtt_configd/files/ha_mqtt_configd.py
index 3cff8c1..b5d2c03 100755
--- a/roles/ha_mqtt_configd/files/ha_mqtt_configd.py
+++ b/roles/ha_mqtt_configd/files/ha_mqtt_configd.py
@@ -28,6 +28,7 @@ def on_message(client, userdata, msg):
 uniqueid,
 ],
 },
+ "icon": "mdi:lightning-bolt",
 "name": "Power Usage",
 "state_topic": msg.topic,
 "unit_of_measurement": "W",
From ae59e21a2e56afe5b709e14e931036ee5d403783 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 19 Apr 2025 19:14:07 +0000
Subject: [PATCH 577/713] homeassistant: Disable manual mqtt configuration
---
 roles/homeassistant/tasks/main.yml | 10 ----------
 roles/homeassistant/templates/mqtt.yaml.j2 | 13 -------------
 2 files changed, 23 deletions(-)
 delete mode 100644 roles/homeassistant/templates/mqtt.yaml.j2
diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml
index 3e368d1..746b312 100644
--- a/roles/homeassistant/tasks/main.yml
+++ b/roles/homeassistant/tasks/main.yml
@@ -146,16 +146,6 @@
 group: "{{ ansible_wheel }}"
 setype: _default
-- name: Create mqtt config file
- ansible.builtin.template:
- dest: /srv/homeassistant/mqtt.yaml
- src: mqtt.yaml.j2
- mode: "0644"
- owner: root
- group: "{{ ansible_wheel }}"
- setype: _default
- notify: Restart homeassistant
-
 - name: Create directories for custom integrations
 ansible.builtin.file:
 path: "{{ item }}"
diff --git a/roles/homeassistant/templates/mqtt.yaml.j2 b/roles/homeassistant/templates/mqtt.yaml.j2
deleted file mode 100644
index c0b7ac3..0000000
--- a/roles/homeassistant/templates/mqtt.yaml.j2
+++ /dev/null
@@ -1,13 +0,0 @@
----
-sensor:
-{% for shelly in shellies | selectattr("name", "match", "^shellyplug-s-") | list %}
- - name: Power Usage
- state_topic: home/{{ shelly["room"] }}/{{ shelly["device"] }}/power
- unique_id: {{ shelly["name"] }}
- unit_of_measurement: W
- device:
- name: {{ shelly["device"] | capitalize }}
- suggested_area: {{ shelly["room"] | replace("_", " ") | capitalize }}
- identifiers:
- - {{ shelly["name"] }}
-{% endfor %}
From e7902763598ef11e252e702ac6c27778a9bcde15 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 19 Apr 2025 19:20:02 +0000
Subject: [PATCH 578/713] routeros: Add script to publish poe power to mqtt
---
 roles/routeros/files/mikrotik.mib | 4159 +++++++++++++++++
 .../files/routeros-poe-mqtt-publish.sh | 54 +
 roles/routeros/meta/main.yml | 3 +
 roles/routeros/tasks/main.yml | 32 +-
 4 files changed, 4247 insertions(+), 1 deletion(-)
 create mode 100644 roles/routeros/files/mikrotik.mib
 create mode 100644 roles/routeros/files/routeros-poe-mqtt-publish.sh
 create mode 100644 roles/routeros/meta/main.yml
diff --git a/roles/routeros/files/mikrotik.mib b/roles/routeros/files/mikrotik.mib
new file mode 100644
index 0000000..d640b4a
--- /dev/null
+++ b/roles/routeros/files/mikrotik.mib
@@ -0,0 +1,4159 @@ +MIKROTIK-MIB DEFINITIONS ::= BEGIN + +IMPORTS +InetAddressType, InetAddress, InetPortNumber FROM INET-ADDRESS-MIB +MODULE-IDENTITY, OBJECT-TYPE, Integer32, Counter32, Gauge32, IpAddress, +Counter64, enterprises, NOTIFICATION-TYPE, TimeTicks FROM SNMPv2-SMI +TEXTUAL-CONVENTION, DisplayString, MacAddress, TruthValue, DateAndTime FROM SNMPv2-TC +OBJECT-GROUP, NOTIFICATION-GROUP FROM SNMPv2-CONF; + +mikrotikExperimentalModule MODULE-IDENTITY + LAST-UPDATED "202502050000Z" + ORGANIZATION "MikroTik" + CONTACT-INFO "support@mikrotik.com" + DESCRIPTION "" + REVISION "202502050000Z" + DESCRIPTION "" + ::= { mikrotik 1 } + +mikrotik OBJECT IDENTIFIER ::= { enterprises 14988 } +mtXMetaInfo OBJECT IDENTIFIER ::= { mikrotikExperimentalModule 2 } +mtXRouterOsGroups OBJECT IDENTIFIER ::= { mtXMetaInfo 1 } + +mtXRouterOs OBJECT IDENTIFIER ::= { mikrotikExperimentalModule 1 } +mtxrWireless OBJECT IDENTIFIER ::= { mtXRouterOs 1 } +mtxrQueues OBJECT IDENTIFIER ::= { mtXRouterOs 2 } +mtxrHealth OBJECT IDENTIFIER ::= { mtXRouterOs 3 } +mtxrLicense OBJECT IDENTIFIER ::= { mtXRouterOs 4 } +mtxrHotspot OBJECT IDENTIFIER ::= { mtXRouterOs 5 } +mtxrDHCP OBJECT IDENTIFIER ::= { mtXRouterOs 6 } +mtxrSystem OBJECT IDENTIFIER ::= { mtXRouterOs 7 } +mtxrScripts OBJECT IDENTIFIER ::= { mtXRouterOs 8 } +mtxrTraps OBJECT IDENTIFIER ::= { mtXRouterOs 9 } +mtxrNstremeDual OBJECT IDENTIFIER ::= { mtXRouterOs 10 } +mtxrNeighbor OBJECT IDENTIFIER ::= { mtXRouterOs 11 } +mtxrGps OBJECT IDENTIFIER ::= { mtXRouterOs 12 } +mtxrWirelessModem OBJECT IDENTIFIER ::= { mtXRouterOs 13 } +mtxrInterfaceStats OBJECT IDENTIFIER ::= { mtXRouterOs 14 } +mtxrPOE OBJECT IDENTIFIER ::= { mtXRouterOs 15 } +mtxrLTEModem OBJECT IDENTIFIER ::= { mtXRouterOs 16 } +mtxrPartition OBJECT IDENTIFIER ::= { mtXRouterOs 17 } +mtxrScriptRun OBJECT IDENTIFIER ::= { mtXRouterOs 18 } +mtxrOptical OBJECT IDENTIFIER ::= { mtXRouterOs 19 } +mtxrIPSec OBJECT IDENTIFIER ::= { mtXRouterOs 20 } +mtxrWifi OBJECT IDENTIFIER 
::= { mtXRouterOs 21 } + +ObjectIndex ::= TEXTUAL-CONVENTION + DISPLAY-HINT "x" + STATUS current + DESCRIPTION "Internal " + SYNTAX Integer32 (0..2147483647) +-- Note that actually in RouterOs index values can be in range 0..4294967294, +-- this can sometimes make them negative. Any of the following syntaxes would +-- be more appropriate, but since Integer32 is used for InterfaceIndex in +-- IF-MIB, where it can also take negative values in RouterOs, it is used +-- here for consistency. +-- Also note that ObjectIndex value is not related to item numbers that are +-- used by console and shown by console print command. +-- +-- SYNTAX Integer32 (-2147483648..2147483647) +-- SYNTAX Unsigned32 (0..4294967295) + +HexInt ::= TEXTUAL-CONVENTION + DISPLAY-HINT "x" + STATUS current + DESCRIPTION "Hex" + SYNTAX Integer32 (-2147483648..2147483647) + +Voltage ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d-1" + STATUS current + DESCRIPTION "" + SYNTAX Integer32 (-2147483648..2147483647) + +Temperature ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d-1" + STATUS current + DESCRIPTION "" + SYNTAX Integer32 (-2147483648..2147483647) + +Power ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d-1" + STATUS current + DESCRIPTION "" + SYNTAX Integer32 (-2147483648..2147483647) + +GDiv100 ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d-2" + STATUS current + DESCRIPTION "/100" + SYNTAX Gauge32 + +GDiv1000 ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d-3" + STATUS current + DESCRIPTION "/1000" + SYNTAX Gauge32 + +IDiv1000 ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d-3" + STATUS current + DESCRIPTION "/1000" + SYNTAX Integer32 (-2147483648..2147483647) + +BoolValue ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Boolean value." 
+ SYNTAX INTEGER { false(0), true(1) } + +IsakmpCookie ::= TEXTUAL-CONVENTION + DISPLAY-HINT "16a" + STATUS current + DESCRIPTION "ISAKMP cookie string" + SYNTAX OCTET STRING (SIZE (16)) + +-- WIRELESS ******************************************************************** + +mtxrWlStatTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrWlStatEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWireless 1 } + +mtxrWlStatEntry OBJECT-TYPE + SYNTAX MtxrWlStatEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Wireless station mode interface" + INDEX { mtxrWlStatIndex } + ::= { mtxrWlStatTable 1 } + +MtxrWlStatEntry ::= SEQUENCE { + mtxrWlStatIndex ObjectIndex, + mtxrWlStatTxRate Gauge32, + mtxrWlStatRxRate Gauge32, + mtxrWlStatStrength Integer32, + mtxrWlStatSsid DisplayString, + mtxrWlStatBssid MacAddress, + mtxrWlStatFreq Integer32, + mtxrWlStatBand DisplayString, + mtxrWlStatTxCCQ Counter32, + mtxrWlStatRxCCQ Counter32 +} + +mtxrWlStatIndex OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWlStatEntry 1 } + +mtxrWlStatTxRate OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "bits per second" + ::= { mtxrWlStatEntry 2 } + +mtxrWlStatRxRate OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "bits per second" + ::= { mtxrWlStatEntry 3 } + +mtxrWlStatStrength OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "dBm" + ::= { mtxrWlStatEntry 4 } + +mtxrWlStatSsid OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlStatEntry 5 } + +mtxrWlStatBssid OBJECT-TYPE + SYNTAX MacAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlStatEntry 6 } + +mtxrWlStatFreq OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "megahertz" + ::= { mtxrWlStatEntry 7 } + +mtxrWlStatBand OBJECT-TYPE + 
SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlStatEntry 8 } + +mtxrWlStatTxCCQ OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlStatEntry 9 } + +mtxrWlStatRxCCQ OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlStatEntry 10 } + +-- WlRtabTable +mtxrWlRtabTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrWlRtabEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWireless 2 } + +mtxrWlRtabEntry OBJECT-TYPE + SYNTAX MtxrWlRtabEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Wireless registration table. It is indexed by remote + mac-address and local interface index" + INDEX { mtxrWlRtabAddr, mtxrWlRtabIface } + ::= { mtxrWlRtabTable 1 } + +MtxrWlRtabEntry ::= SEQUENCE { + mtxrWlRtabAddr MacAddress, + mtxrWlRtabIface ObjectIndex, + mtxrWlRtabStrength Integer32, + mtxrWlRtabTxBytes Counter32, + mtxrWlRtabRxBytes Counter32, + mtxrWlRtabTxPackets Counter32, + mtxrWlRtabRxPackets Counter32, + mtxrWlRtabTxRate Gauge32, + mtxrWlRtabRxRate Gauge32, + mtxrWlRtabRouterOSVersion DisplayString, + mtxrWlRtabUptime TimeTicks, + mtxrWlRtabSignalToNoise Integer32, + mtxrWlRtabTxStrengthCh0 Integer32, + mtxrWlRtabRxStrengthCh0 Integer32, + mtxrWlRtabTxStrengthCh1 Integer32, + mtxrWlRtabRxStrengthCh1 Integer32, + mtxrWlRtabTxStrengthCh2 Integer32, + mtxrWlRtabRxStrengthCh2 Integer32, + mtxrWlRtabTxStrength Integer32, + mtxrWlRtabRadioName DisplayString +} + +mtxrWlRtabAddr OBJECT-TYPE + SYNTAX MacAddress + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWlRtabEntry 1 } + +mtxrWlRtabIface OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWlRtabEntry 2 } + +mtxrWlRtabStrength OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "dBm" + ::= { mtxrWlRtabEntry 3 } + +mtxrWlRtabTxBytes 
OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlRtabEntry 4 }
+
+mtxrWlRtabRxBytes OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlRtabEntry 5 }
+
+mtxrWlRtabTxPackets OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlRtabEntry 6 }
+
+mtxrWlRtabRxPackets OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlRtabEntry 7 }
+
+mtxrWlRtabTxRate OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "bits per second"
+ ::= { mtxrWlRtabEntry 8 }
+
+mtxrWlRtabRxRate OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "bits per second"
+ ::= { mtxrWlRtabEntry 9 }
+
+mtxrWlRtabRouterOSVersion OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "RouterOS version"
+ ::= { mtxrWlRtabEntry 10 }
+
+mtxrWlRtabUptime OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "uptime"
+ ::= { mtxrWlRtabEntry 11 }
+
+mtxrWlRtabSignalToNoise OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Measured in dB, if value does not exist it is indicated with 0"
+ ::= { mtxrWlRtabEntry 12 }
+
+mtxrWlRtabTxStrengthCh0 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlRtabEntry 13 }
+
+mtxrWlRtabRxStrengthCh0 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlRtabEntry 14 }
+
+mtxrWlRtabTxStrengthCh1 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlRtabEntry 15 }
+
+mtxrWlRtabRxStrengthCh1 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlRtabEntry 16 }
+
+mtxrWlRtabTxStrengthCh2 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlRtabEntry 17 }
+
+mtxrWlRtabRxStrengthCh2 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlRtabEntry 18 }
+
+mtxrWlRtabTxStrength OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlRtabEntry 19 }
+
+mtxrWlRtabRadioName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlRtabEntry 20 }
+
+mtxrWlRtabEntryCount OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Wireless registration table entry count"
+ ::= { mtxrWireless 4 }
+
+mtxrWlApTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrWlApEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWireless 3 }
+
+mtxrWlApEntry OBJECT-TYPE
+ SYNTAX MtxrWlApEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "Wireless access point mode interface"
+ INDEX { mtxrWlApIndex }
+ ::= { mtxrWlApTable 1 }
+
+MtxrWlApEntry ::= SEQUENCE {
+ mtxrWlApIndex ObjectIndex,
+ mtxrWlApTxRate Gauge32,
+ mtxrWlApRxRate Gauge32,
+ mtxrWlApSsid DisplayString,
+ mtxrWlApBssid MacAddress,
+ mtxrWlApClientCount Counter32,
+ mtxrWlApFreq Integer32,
+ mtxrWlApBand DisplayString,
+ mtxrWlApNoiseFloor Integer32,
+ mtxrWlApOverallTxCCQ Counter32,
+ mtxrWlApAuthClientCount Counter32
+}
+
+mtxrWlApIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlApEntry 1 }
+
+mtxrWlApTxRate OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "bits per second"
+ ::= { mtxrWlApEntry 2 }
+
+mtxrWlApRxRate OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "bits per second"
+ ::= { mtxrWlApEntry 3 }
+
+mtxrWlApSsid OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlApEntry 4 }
+
+mtxrWlApBssid OBJECT-TYPE
+ SYNTAX MacAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlApEntry 5 }
+
+mtxrWlApClientCount OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlApEntry 6 }
+
+mtxrWlApFreq OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "megahertz"
+ ::= { mtxrWlApEntry 7 }
+
+mtxrWlApBand OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlApEntry 8 }
+
+mtxrWlApNoiseFloor OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlApEntry 9 }
+
+mtxrWlApOverallTxCCQ OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlApEntry 10 }
+
+mtxrWlApAuthClientCount OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlApEntry 11 }
+
+mtxrWlCMRtabTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrWlCMRtabEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWireless 5 }
+
+mtxrWlCMRtabEntry OBJECT-TYPE
+ SYNTAX MtxrWlCMRtabEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "Wireless CAPSMAN registration table. It is indexed by remote
+ mac-address and local interface index"
+ INDEX { mtxrWlCMRtabAddr, mtxrWlCMRtabIface }
+ ::= { mtxrWlCMRtabTable 1 }
+
+MtxrWlCMRtabEntry ::= SEQUENCE {
+ mtxrWlCMRtabAddr MacAddress,
+ mtxrWlCMRtabIface ObjectIndex,
+ mtxrWlCMRtabUptime TimeTicks,
+ mtxrWlCMRtabTxBytes Counter32,
+ mtxrWlCMRtabRxBytes Counter32,
+ mtxrWlCMRtabTxPackets Counter32,
+ mtxrWlCMRtabRxPackets Counter32,
+ mtxrWlCMRtabTxRate Gauge32,
+ mtxrWlCMRtabRxRate Gauge32,
+ mtxrWlCMRtabTxStrength Integer32,
+ mtxrWlCMRtabRxStrength Integer32,
+ mtxrWlCMRtabSsid DisplayString,
+ mtxrWlCMRtabEapIdent DisplayString
+}
+
+mtxrWlCMRtabAddr OBJECT-TYPE
+ SYNTAX MacAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMRtabEntry 1 }
+ -- should not be accessible in SMIv2
+
+mtxrWlCMRtabIface OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMRtabEntry 2 }
+
+mtxrWlCMRtabUptime OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "uptime"
+ ::= { mtxrWlCMRtabEntry 3 }
+
+mtxrWlCMRtabTxBytes OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMRtabEntry 4 }
+
+mtxrWlCMRtabRxBytes OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMRtabEntry 5 }
+
+mtxrWlCMRtabTxPackets OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMRtabEntry 6 }
+
+mtxrWlCMRtabRxPackets OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMRtabEntry 7 }
+
+mtxrWlCMRtabTxRate OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "bits per second"
+ ::= { mtxrWlCMRtabEntry 8 }
+
+mtxrWlCMRtabRxRate OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "bits per second"
+ ::= { mtxrWlCMRtabEntry 9 }
+
+mtxrWlCMRtabTxStrength OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMRtabEntry 10 }
+
+mtxrWlCMRtabRxStrength OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMRtabEntry 11 }
+
+mtxrWlCMRtabSsid OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMRtabEntry 12 }
+
+mtxrWlCMRtabEapIdent OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMRtabEntry 13 }
+
+mtxrWlCMRtabEntryCount OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Wireless CAPSMAN registration table entry count"
+ ::= { mtxrWireless 6 }
+
+mtxrWlCMREntryCount OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Wireless CAPSMAN remote-cap entry count"
+ ::= { mtxrWireless 10 }
+
+mtxrWlCMTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrWlCMEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWireless 7 }
+
+mtxrWlCMEntry OBJECT-TYPE
+ SYNTAX MtxrWlCMEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "CAPS-MAN mode interface"
+ INDEX { mtxrWlCMIndex }
+ ::= { mtxrWlCMTable 1 }
+
+MtxrWlCMEntry ::= SEQUENCE {
+ mtxrWlCMIndex ObjectIndex,
+ mtxrWlCMRegClientCount Counter32,
+ mtxrWlCMAuthClientCount Counter32,
+ mtxrWlCMState DisplayString,
+ mtxrWlCMChannel DisplayString
+}
+
+mtxrWlCMIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMEntry 1 }
+
+mtxrWlCMRegClientCount OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMEntry 2 }
+
+mtxrWlCMAuthClientCount OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMEntry 3 }
+
+mtxrWlCMState OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMEntry 4 }
+
+mtxrWlCMChannel OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "for master only"
+ ::= { mtxrWlCMEntry 5 }
+
+--
+mtxrWlCMRemoteTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrWlCMRemoteEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWireless 11 }
+
+mtxrWlCMRemoteEntry OBJECT-TYPE
+ SYNTAX MtxrWlCMRemoteEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "CAPSMAN remote-cap list"
+ INDEX { mtxrWlCMRemoteIndex }
+ ::= { mtxrWlCMRemoteTable 1 }
+
+MtxrWlCMRemoteEntry ::= SEQUENCE {
+ mtxrWlCMRemoteIndex ObjectIndex,
+ mtxrWlCMRemoteName DisplayString,
+ mtxrWlCMRemoteState DisplayString,
+ mtxrWlCMRemoteAddress DisplayString,
+ mtxrWlCMRemoteRadios Counter32
+}
+
+mtxrWlCMRemoteIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMRemoteEntry 1 }
+
+mtxrWlCMRemoteName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMRemoteEntry 2 }
+
+mtxrWlCMRemoteState OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMRemoteEntry 3 }
+
+mtxrWlCMRemoteAddress OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMRemoteEntry 4 }
+
+mtxrWlCMRemoteRadios OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWlCMRemoteEntry 5 }
+
+-- W60G
+mtxrWl60GTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrWl60GEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWireless 8 }
+
+mtxrWl60GEntry OBJECT-TYPE
+ SYNTAX MtxrWl60GEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "W60G interface"
+ INDEX { mtxrWl60GIndex }
+ ::= { mtxrWl60GTable 1 }
+
+MtxrWl60GEntry ::= SEQUENCE {
+ mtxrWl60GIndex ObjectIndex,
+ mtxrWl60GMode INTEGER,
+ mtxrWl60GSsid DisplayString,
+ mtxrWl60GConnected BoolValue,
+ mtxrWl60GRemote MacAddress,
+ mtxrWl60GFreq Integer32,
+ mtxrWl60GMcs Integer32,
+ mtxrWl60GSignal Integer32,
+ mtxrWl60GTxSector Integer32,
+ mtxrWl60GTxSectorInfo DisplayString,
+ mtxrWl60GRssi Integer32,
+ mtxrWl60GPhyRate Gauge32
+}
+
+mtxrWl60GIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWl60GEntry 1 }
+
+mtxrWl60GMode OBJECT-TYPE
+ SYNTAX INTEGER {
+ apBridge(0),
+ stationBridge(1),
+ sniff(2),
+ bridge(3)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWl60GEntry 2 }
+
+mtxrWl60GSsid OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWl60GEntry 3 }
+
+mtxrWl60GConnected OBJECT-TYPE
+ SYNTAX BoolValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWl60GEntry 4 }
+
+mtxrWl60GRemote OBJECT-TYPE
+ SYNTAX MacAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWl60GEntry 5 }
+
+mtxrWl60GFreq OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Mhz"
+ ::= { mtxrWl60GEntry 6 }
+
+mtxrWl60GMcs OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWl60GEntry 7 }
+
+mtxrWl60GSignal OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWl60GEntry 8 }
+
+mtxrWl60GTxSector OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWl60GEntry 9 }
+
+mtxrWl60GTxSectorInfo OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWl60GEntry 11 }
+
+mtxrWl60GRssi OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWl60GEntry 12 }
+
+mtxrWl60GPhyRate OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWl60GEntry 13 }
+
+-- W60GSta
+mtxrWl60GStaTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrWl60GStaEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWireless 9 }
+
+mtxrWl60GStaEntry OBJECT-TYPE
+ SYNTAX MtxrWl60GStaEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "W60G stations"
+ INDEX { mtxrWl60GStaIndex }
+ ::= { mtxrWl60GStaTable 1 }
+
+MtxrWl60GStaEntry ::= SEQUENCE {
+ mtxrWl60GStaIndex ObjectIndex,
+ mtxrWl60GStaConnected BoolValue,
+ mtxrWl60GStaRemote MacAddress,
+ mtxrWl60GStaMcs Integer32,
+ mtxrWl60GStaSignal Integer32,
+ mtxrWl60GStaTxSector Integer32,
+ mtxrWl60GStaPhyRate Gauge32,
+ mtxrWl60GStaRssi Integer32,
+ mtxrWl60GStaDistance Integer32
+}
+
+mtxrWl60GStaIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWl60GStaEntry 1 }
+
+mtxrWl60GStaConnected OBJECT-TYPE
+ SYNTAX BoolValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWl60GStaEntry 2 }
+
+mtxrWl60GStaRemote OBJECT-TYPE
+ SYNTAX MacAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWl60GStaEntry 3 }
+
+mtxrWl60GStaMcs OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWl60GStaEntry 4 }
+
+mtxrWl60GStaSignal OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWl60GStaEntry 5 }
+
+mtxrWl60GStaTxSector OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWl60GStaEntry 6 }
+
+mtxrWl60GStaPhyRate OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Mbits per second"
+ ::= { mtxrWl60GStaEntry 8 }
+
+mtxrWl60GStaRssi OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrWl60GStaEntry 9 }
+
+mtxrWl60GStaDistance OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "meters"
+ ::= { mtxrWl60GStaEntry 10 }
+
+
+mtxrWirelessGroup OBJECT-GROUP OBJECTS {
+ mtxrWlStatTxRate,
+ mtxrWlStatRxRate,
+ mtxrWlStatStrength,
+ mtxrWlStatSsid,
+ mtxrWlStatBssid,
+ mtxrWlStatFreq,
+ mtxrWlStatBand,
+ mtxrWlStatTxCCQ,
+ mtxrWlStatRxCCQ,
+ mtxrWlRtabStrength,
+ mtxrWlRtabTxBytes,
+ mtxrWlRtabRxBytes,
+ mtxrWlRtabTxPackets,
+ mtxrWlRtabRxPackets,
+ mtxrWlRtabTxRate,
+ mtxrWlRtabRxRate,
+ mtxrWlRtabEntryCount,
+ mtxrWlRtabRouterOSVersion,
+ mtxrWlRtabUptime,
+ mtxrWlRtabSignalToNoise,
+ mtxrWlRtabTxStrengthCh0,
+ mtxrWlRtabRxStrengthCh0,
+ mtxrWlRtabTxStrengthCh1,
+ mtxrWlRtabRxStrengthCh1,
+ mtxrWlRtabTxStrengthCh2,
+ mtxrWlRtabRxStrengthCh2,
+ mtxrWlRtabTxStrength,
+ mtxrWlRtabRadioName,
+ mtxrWlApTxRate,
+ mtxrWlApRxRate,
+ mtxrWlApSsid,
+ mtxrWlApBssid,
+ mtxrWlApClientCount,
+ mtxrWlApBand,
+ mtxrWlApFreq,
+ mtxrWlApNoiseFloor,
+ mtxrWlApOverallTxCCQ,
+ mtxrWlApAuthClientCount,
+ mtxrWlCMRtabAddr,
+ mtxrWlCMRtabTxBytes,
+ mtxrWlCMRtabRxBytes,
+ mtxrWlCMRtabTxPackets,
+ mtxrWlCMRtabRxPackets,
+ mtxrWlCMRtabTxRate,
+ mtxrWlCMRtabRxRate,
+ mtxrWlCMRtabUptime,
+ mtxrWlCMRtabTxStrength,
+ mtxrWlCMRtabRxStrength,
+ mtxrWlCMRtabSsid,
+ mtxrWlCMRtabEntryCount,
+ mtxrWlCMREntryCount,
+ mtxrWlCMRegClientCount,
+ mtxrWlCMAuthClientCount,
+ mtxrWl60GMode,
+ mtxrWl60GSsid,
+ mtxrWl60GConnected,
+ mtxrWl60GRemote,
+ mtxrWl60GFreq,
+ mtxrWl60GMcs,
+ mtxrWl60GSignal,
+ mtxrWl60GTxSector,
+ mtxrWl60GTxSectorInfo,
+ mtxrWl60GRssi,
+ mtxrWl60GPhyRate,
+ mtxrWl60GStaConnected,
+ mtxrWl60GStaRemote,
+ mtxrWl60GStaMcs,
+ mtxrWl60GStaSignal,
+ mtxrWl60GStaTxSector
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 1 }
+
+-- QUEUES ********************************************************************
+
+mtxrQueueSimpleTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrQueueSimpleEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueues 1 }
+
+mtxrQueueSimpleEntry OBJECT-TYPE
+ SYNTAX MtxrQueueSimpleEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "Simple queue"
+ INDEX { mtxrQueueSimpleIndex }
+ ::= { mtxrQueueSimpleTable 1 }
+
+MtxrQueueSimpleEntry ::= SEQUENCE {
+ mtxrQueueSimpleIndex ObjectIndex,
+ mtxrQueueSimpleName DisplayString,
+ mtxrQueueSimpleSrcAddr IpAddress,
+ mtxrQueueSimpleSrcMask IpAddress,
+ mtxrQueueSimpleDstAddr IpAddress,
+ mtxrQueueSimpleDstMask IpAddress,
+ mtxrQueueSimpleIface ObjectIndex,
+ mtxrQueueSimpleBytesIn Counter64,
+ mtxrQueueSimpleBytesOut Counter64,
+ mtxrQueueSimplePacketsIn Counter32,
+ mtxrQueueSimplePacketsOut Counter32,
+ mtxrQueueSimplePCQQueuesIn Counter32,
+ mtxrQueueSimplePCQQueuesOut Counter32,
+ mtxrQueueSimpleDroppedIn Counter32,
+ mtxrQueueSimpleDroppedOut Counter32
+}
+
+mtxrQueueSimpleIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueSimpleEntry 1 }
+
+mtxrQueueSimpleName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueSimpleEntry 2 }
+
+mtxrQueueSimpleSrcAddr OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueSimpleEntry 3 }
+
+mtxrQueueSimpleSrcMask OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueSimpleEntry 4 }
+
+mtxrQueueSimpleDstAddr OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueSimpleEntry 5 }
+
+mtxrQueueSimpleDstMask OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueSimpleEntry 6 }
+
+mtxrQueueSimpleIface OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "interface index"
+ ::= { mtxrQueueSimpleEntry 7 }
+
+mtxrQueueSimpleBytesIn OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueSimpleEntry 8 }
+
+mtxrQueueSimpleBytesOut OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueSimpleEntry 9 }
+
+mtxrQueueSimplePacketsIn OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueSimpleEntry 10 }
+
+mtxrQueueSimplePacketsOut OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueSimpleEntry 11 }
+
+mtxrQueueSimplePCQQueuesIn OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueSimpleEntry 12 }
+
+mtxrQueueSimplePCQQueuesOut OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueSimpleEntry 13 }
+
+mtxrQueueSimpleDroppedIn OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueSimpleEntry 14 }
+
+mtxrQueueSimpleDroppedOut OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueSimpleEntry 15 }
+
+mtxrQueueTreeTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrQueueTreeEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueues 2 }
+
+mtxrQueueTreeEntry OBJECT-TYPE
+ SYNTAX MtxrQueueTreeEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "Tree queue"
+ INDEX { mtxrQueueTreeIndex }
+ ::= { mtxrQueueTreeTable 1 }
+
+MtxrQueueTreeEntry ::= SEQUENCE {
+ mtxrQueueTreeIndex ObjectIndex,
+ mtxrQueueTreeName DisplayString,
+ mtxrQueueTreeFlow DisplayString,
+ mtxrQueueTreeParentIndex ObjectIndex,
+ mtxrQueueTreeBytes Counter32,
+ mtxrQueueTreePackets Counter32,
+ mtxrQueueTreeHCBytes Counter64,
+ mtxrQueueTreePCQQueues Counter32,
+ mtxrQueueTreeDropped Counter32
+}
+
+mtxrQueueTreeIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueTreeEntry 1 }
+
+mtxrQueueTreeName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueTreeEntry 2 }
+
+mtxrQueueTreeFlow OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "flowmark"
+ ::= { mtxrQueueTreeEntry 3 }
+
+mtxrQueueTreeParentIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "index of parent tree queue or parent interface"
+ ::= { mtxrQueueTreeEntry 4 }
+
+mtxrQueueTreeBytes OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueTreeEntry 5 }
+
+mtxrQueueTreePackets OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueTreeEntry 6 }
+
+mtxrQueueTreeHCBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueTreeEntry 7 }
+
+mtxrQueueTreePCQQueues OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueTreeEntry 8 }
+
+mtxrQueueTreeDropped OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrQueueTreeEntry 9 }
+
+mtxrQueueGroup OBJECT-GROUP OBJECTS {
+ mtxrQueueSimpleName, mtxrQueueSimpleSrcAddr, mtxrQueueSimpleSrcMask,
+ mtxrQueueSimpleDstAddr, mtxrQueueSimpleDstMask, mtxrQueueSimpleIface,
+ mtxrQueueSimpleBytesIn, mtxrQueueSimpleBytesOut,
+ mtxrQueueSimplePacketsIn, mtxrQueueSimplePacketsOut, mtxrQueueTreeName,
+ mtxrQueueSimplePCQQueuesIn,
+ mtxrQueueSimplePCQQueuesOut,
+ mtxrQueueSimpleDroppedIn,
+ mtxrQueueSimpleDroppedOut,
+ mtxrQueueTreeFlow, mtxrQueueTreeParentIndex, mtxrQueueTreeBytes,
+ mtxrQueueTreePackets,
+ mtxrQueueTreeHCBytes,
+ mtxrQueueTreePCQQueues,
+ mtxrQueueTreeDropped
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 2 }
+
+-- HEALTH ********************************************************************
+
+mtxrHlCoreVoltage OBJECT-TYPE
+ SYNTAX Voltage
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "core voltage"
+ ::= { mtxrHealth 1 }
+
+mtxrHlThreeDotThreeVoltage OBJECT-TYPE
+ SYNTAX Voltage
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "3.3V voltage"
+ ::= { mtxrHealth 2 }
+
+mtxrHlFiveVoltage OBJECT-TYPE
+ SYNTAX Voltage
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "5V voltage"
+ ::= { mtxrHealth 3 }
+
+mtxrHlTwelveVoltage OBJECT-TYPE
+ SYNTAX Voltage
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "12V voltage"
+ ::= { mtxrHealth 4 }
+
+mtxrHlSensorTemperature OBJECT-TYPE
+ SYNTAX Temperature
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "temperature at sensor chip"
+ ::= { mtxrHealth 5 }
+
+mtxrHlCpuTemperature OBJECT-TYPE
+ SYNTAX Temperature
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "temperature near cpu"
+ ::= { mtxrHealth 6 }
+
+mtxrHlBoardTemperature OBJECT-TYPE
+ SYNTAX Temperature
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHealth 7 }
+
+mtxrHlVoltage OBJECT-TYPE
+ SYNTAX Voltage
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHealth 8 }
+
+mtxrHlActiveFan OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHealth 9 }
+
+mtxrHlTemperature OBJECT-TYPE
+ SYNTAX Temperature
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHealth 10 }
+
+mtxrHlProcessorTemperature OBJECT-TYPE
+ SYNTAX Temperature
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHealth 11 }
+
+mtxrHlPower OBJECT-TYPE
+ SYNTAX Power
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Watts"
+ ::= { mtxrHealth 12 }
+
+mtxrHlCurrent OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "mA"
+ ::= { mtxrHealth 13 }
+
+mtxrHlProcessorFrequency OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Mhz"
+ ::= { mtxrHealth 14 }
+
+mtxrHlPowerSupplyState OBJECT-TYPE
+ SYNTAX BoolValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "PSU state ok"
+ ::= { mtxrHealth 15 }
+
+mtxrHlBackupPowerSupplyState OBJECT-TYPE
+ SYNTAX BoolValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "backup PSU state ok"
+ ::= { mtxrHealth 16 }
+
+mtxrHlFanSpeed1 OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "rpm"
+ ::= { mtxrHealth 17 }
+
+mtxrHlFanSpeed2 OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "rpm"
+ ::= { mtxrHealth 18 }
+
+mtxrAlarmSocketStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+ inactive(0),
+ active(1)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Alarm socket status"
+ ::= { mtxrHealth 19 }
+
+mtxrGaugeTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrGaugeTableEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHealth 100 }
+
+mtxrGaugeTableEntry OBJECT-TYPE
+ SYNTAX MtxrGaugeTableEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ INDEX { mtxrGaugeIndex }
+ ::= { mtxrGaugeTable 1 }
+
+MtxrGaugeTableEntry ::= SEQUENCE {
+ mtxrGaugeIndex ObjectIndex,
+ mtxrGaugeName DisplayString,
+ mtxrGaugeValue Integer32,
+ mtxrGaugeUnit INTEGER
+}
+
+mtxrGaugeIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrGaugeTableEntry 1 }
+
+mtxrGaugeName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrGaugeTableEntry 2 }
+
+mtxrGaugeValue OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrGaugeTableEntry 3 }
+
+mtxrGaugeUnit OBJECT-TYPE
+ SYNTAX INTEGER {
+ celsius(1),
+ rpm(2),
+ dV(3),
+ dA(4),
+ dW(5),
+ status(6)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "units"
+ ::= { mtxrGaugeTableEntry 4 }
+
+mtxrHealthGroup OBJECT-GROUP OBJECTS {
+ mtxrHlCoreVoltage, mtxrHlThreeDotThreeVoltage, mtxrHlFiveVoltage,
+ mtxrHlTwelveVoltage, mtxrHlSensorTemperature, mtxrHlCpuTemperature,
+ mtxrHlBoardTemperature, mtxrHlVoltage, mtxrHlActiveFan,
+ mtxrHlTemperature, mtxrHlProcessorTemperature,
+ mtxrHlCurrent, mtxrHlPower,
+ mtxrHlProcessorFrequency,
+ mtxrHlPowerSupplyState, mtxrHlBackupPowerSupplyState,
+ mtxrHlFanSpeed1, mtxrHlFanSpeed2, mtxrAlarmSocketStatus,
+ mtxrGaugeName, mtxrGaugeValue, mtxrGaugeUnit
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 3 }
+
+-- LICENSE ********************************************************************
+
+mtxrLicSoftwareId OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "software id"
+ ::= { mtxrLicense 1 }
+
+mtxrLicUpgrUntil OBJECT-TYPE
+ SYNTAX DateAndTime
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "current key allows upgrading until this date"
+ ::= { mtxrLicense 2 }
+
+mtxrLicLevel OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "current key level"
+ ::= { mtxrLicense 3 }
+
+mtxrLicVersion OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "software version"
+ ::= { mtxrLicense 4 }
+
+mtxrLicUpgradableTo OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "upgradable to"
+ ::= { mtxrLicense 5 }
+
+mtxrLincenseGroup OBJECT-GROUP OBJECTS {
+ mtxrLicSoftwareId, mtxrLicUpgrUntil, mtxrLicLevel, mtxrLicVersion, mtxrLicUpgradableTo
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 4 }
+
+-- HOTSPOT ***************************************************************
+
+mtxrHotspotActiveUsersTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrHotspotActiveUsersTableEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspot 1 }
+
+mtxrHotspotActiveUsersTableEntry OBJECT-TYPE
+ SYNTAX MtxrHotspotActiveUsersTableEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ INDEX { mtxrHotspotActiveUserIndex }
+ ::= { mtxrHotspotActiveUsersTable 1 }
+
+MtxrHotspotActiveUsersTableEntry ::= SEQUENCE {
+ mtxrHotspotActiveUserIndex ObjectIndex,
+ mtxrHotspotActiveUserServerID Integer32,
+ mtxrHotspotActiveUserName DisplayString,
+ mtxrHotspotActiveUserDomain DisplayString,
+ mtxrHotspotActiveUserIP IpAddress,
+ mtxrHotspotActiveUserMAC MacAddress,
+ mtxrHotspotActiveUserConnectTime Integer32,
+ mtxrHotspotActiveUserValidTillTime Integer32,
+ mtxrHotspotActiveUserIdleStartTime Integer32,
+ mtxrHotspotActiveUserIdleTimeout Integer32,
+ mtxrHotspotActiveUserPingTimeout Integer32,
+ mtxrHotspotActiveUserBytesIn Counter64,
+ mtxrHotspotActiveUserBytesOut Counter64,
+ mtxrHotspotActiveUserPacketsIn Counter64,
+ mtxrHotspotActiveUserPacketsOut Counter64,
+ mtxrHotspotActiveUserLimitBytesIn Counter64,
+ mtxrHotspotActiveUserLimitBytesOut Counter64,
+ mtxrHotspotActiveUserAdvertStatus Integer32,
+ mtxrHotspotActiveUserRadius Integer32,
+ mtxrHotspotActiveUserBlockedByAdvert Integer32
+}
+
+mtxrHotspotActiveUserIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 1 }
+
+mtxrHotspotActiveUserServerID OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 2 }
+
+mtxrHotspotActiveUserName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 3 }
+
+mtxrHotspotActiveUserDomain OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 4 }
+
+mtxrHotspotActiveUserIP OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 5 }
+
+mtxrHotspotActiveUserMAC OBJECT-TYPE
+ SYNTAX MacAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 6 }
+
+mtxrHotspotActiveUserConnectTime OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 7 }
+
+mtxrHotspotActiveUserValidTillTime OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 8 }
+
+mtxrHotspotActiveUserIdleStartTime OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 9 }
+
+mtxrHotspotActiveUserIdleTimeout OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 10 }
+
+mtxrHotspotActiveUserPingTimeout OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 11 }
+
+mtxrHotspotActiveUserBytesIn OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 12 }
+
+mtxrHotspotActiveUserBytesOut OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 13 }
+
+mtxrHotspotActiveUserPacketsIn OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 14 }
+
+mtxrHotspotActiveUserPacketsOut OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 15 }
+
+mtxrHotspotActiveUserLimitBytesIn OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 16 }
+
+mtxrHotspotActiveUserLimitBytesOut OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 17 }
+
+mtxrHotspotActiveUserAdvertStatus OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 18 }
+
+mtxrHotspotActiveUserRadius OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 19 }
+
+mtxrHotspotActiveUserBlockedByAdvert OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrHotspotActiveUsersTableEntry 20 }
+
+mtxrHotspotActiveUserGroup OBJECT-GROUP OBJECTS {
+ mtxrHotspotActiveUserServerID,
+ mtxrHotspotActiveUserName,
+ mtxrHotspotActiveUserDomain,
+ mtxrHotspotActiveUserIP,
+ mtxrHotspotActiveUserMAC,
+ mtxrHotspotActiveUserConnectTime,
+ mtxrHotspotActiveUserValidTillTime,
+ mtxrHotspotActiveUserIdleStartTime,
+ mtxrHotspotActiveUserIdleTimeout,
+ mtxrHotspotActiveUserPingTimeout,
+ mtxrHotspotActiveUserBytesIn,
+ mtxrHotspotActiveUserBytesOut,
+ mtxrHotspotActiveUserPacketsIn,
+ mtxrHotspotActiveUserPacketsOut,
+ mtxrHotspotActiveUserLimitBytesIn,
+ mtxrHotspotActiveUserLimitBytesOut,
+ mtxrHotspotActiveUserAdvertStatus,
+ mtxrHotspotActiveUserRadius,
+ mtxrHotspotActiveUserBlockedByAdvert
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 5 }
+
+-- DHCP ********************************************************************
+
+mtxrDHCPLeaseCount OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrDHCP 1 }
+
+mtxrDHCPGroup OBJECT-GROUP OBJECTS {
+ mtxrDHCPLeaseCount
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 12 }
+
+-- SYSTEM ********************************************************************
+
+mtxrSystemReboot OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION "set non zero to reboot"
+ ::= { mtxrSystem 1 }
+
+mtxrUSBPowerReset OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION "switches off usb power for specified amout of seconds"
+ ::= { mtxrSystem 2 }
+
+mtxrSerialNumber OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "RouterBOARD serial number"
+ ::= { mtxrSystem 3 }
+
+mtxrFirmwareVersion OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Current firmware version"
+ ::= { mtxrSystem 4 }
+
+mtxrNote OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "note"
+ ::= { mtxrSystem 5 }
+
+mtxrBuildTime OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "build time"
+ ::= { mtxrSystem 6 }
+
+mtxrFirmwareUpgradeVersion OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Upgrade firmware version"
+ ::= { mtxrSystem 7 }
+
+mtxrDisplayName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "display name"
+ ::= { mtxrSystem 8 }
+
+mtxrBoardName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "board name"
+ ::= { mtxrSystem 9 }
+
+mtxrSystemGroup OBJECT-GROUP OBJECTS {
+ mtxrSystemReboot,
+ mtxrUSBPowerReset,
+ mtxrSerialNumber,
+ mtxrFirmwareVersion,
+ mtxrNote,
+ mtxrBuildTime,
+ mtxrFirmwareUpgradeVersion,
+ mtxrBoardName
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 13 }
+
+-- SCRIPTS ********************************************************************
+
+mtxrScriptTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrScriptTableEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrScripts 1 }
+
+mtxrScriptTableEntry OBJECT-TYPE
+ SYNTAX MtxrScriptTableEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ INDEX { mtxrScriptIndex }
+ ::= { mtxrScriptTable 1 }
+
+MtxrScriptTableEntry ::= SEQUENCE {
+ mtxrScriptIndex ObjectIndex,
+ mtxrScriptName DisplayString,
+ mtxrScriptRunCmd Integer32
+}
+
+mtxrScriptIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrScriptTableEntry 1 }
+
+mtxrScriptName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrScriptTableEntry 2 }
+
+mtxrScriptRunCmd OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION "set non zero to run"
+ ::= { mtxrScriptTableEntry 3 }
+
+mtxrScriptGroup OBJECT-GROUP OBJECTS {
+ mtxrScriptName, mtxrScriptRunCmd
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 8 }
+
+-- SCRIPT RUN *****************************************************************
+
+mtxrScriptRunTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrScriptRunTableEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "invisible to getnext, accesible only with get request and write premission"
+ ::= { mtxrScriptRun 1 }
+
+mtxrScriptRunTableEntry OBJECT-TYPE
+ SYNTAX MtxrScriptRunTableEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ INDEX { mtxrScriptRunIndex }
+ ::= { mtxrScriptRunTable 1 }
+
+MtxrScriptRunTableEntry ::= SEQUENCE {
+ mtxrScriptRunIndex ObjectIndex,
+ mtxrScriptRunOutput DisplayString
+}
+
+mtxrScriptRunIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrScriptRunTableEntry 1 }
+
+mtxrScriptRunOutput OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "this oid on get request will run script and return it's output"
+ ::= { mtxrScriptRunTableEntry 2 }
+
+mtxrScriptRunGroup OBJECT-GROUP OBJECTS {
+ mtxrScriptRunOutput
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 21 }
+
+-- Dual Nstreme ***************************************************************
+
+mtxrDnStatTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrDnStatEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrNstremeDual 1 }
+
+mtxrDnStatEntry OBJECT-TYPE
+ SYNTAX MtxrDnStatEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "Nstreme Dual interface"
+ INDEX { mtxrDnStatIndex }
+ ::= { mtxrDnStatTable 1 }
+
+MtxrDnStatEntry ::= SEQUENCE {
+ mtxrDnStatIndex ObjectIndex,
+ mtxrDnStatTxRate Gauge32,
+ mtxrDnStatRxRate Gauge32,
+ mtxrDnStatTxStrength Integer32,
+ mtxrDnStatRxStrength Integer32,
+ mtxrDnConnected Integer32
+}
+
+mtxrDnStatIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrDnStatEntry 1 }
+
+mtxrDnStatTxRate OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "bits per second"
+ ::= { mtxrDnStatEntry 2 }
+
+mtxrDnStatRxRate OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "bits per second"
+ ::= { mtxrDnStatEntry 3 }
+
+mtxrDnStatTxStrength OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "dBm"
+ ::= { mtxrDnStatEntry 4 }
+
+mtxrDnStatRxStrength OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "dBm"
+ ::= { mtxrDnStatEntry 5 }
+
+mtxrDnConnected OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "0 - not connected, connected otherwise"
+ ::= { mtxrDnStatEntry 6 }
+
+mtxrNstremeDualGroup OBJECT-GROUP OBJECTS {
+ mtxrDnStatTxRate, mtxrDnStatRxRate,
+ mtxrDnStatTxStrength, mtxrDnStatRxStrength, mtxrDnConnected
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 10 }
+
+-- NEIGHBOR *******************************************************************
+
+mtxrNeighborTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrNeighborTableEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrNeighbor 1 }
+
+mtxrNeighborTableEntry OBJECT-TYPE
+ SYNTAX MtxrNeighborTableEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ INDEX { mtxrNeighborIndex }
+ ::= { mtxrNeighborTable 1 }
+
+MtxrNeighborTableEntry ::= SEQUENCE {
+ mtxrNeighborIndex ObjectIndex,
+ mtxrNeighborIpAddress IpAddress,
+ mtxrNeighborMacAddress MacAddress,
+ mtxrNeighborVersion DisplayString,
+ mtxrNeighborPlatform DisplayString,
+ mtxrNeighborIdentity DisplayString,
+ mtxrNeighborSoftwareID DisplayString,
+ mtxrNeighborInterfaceID ObjectIndex
+}
+
+mtxrNeighborIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrNeighborTableEntry 1 }
+
+mtxrNeighborIpAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+
DESCRIPTION ""
+ ::= { mtxrNeighborTableEntry 2 }
+
+mtxrNeighborMacAddress OBJECT-TYPE
+ SYNTAX MacAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrNeighborTableEntry 3 }
+
+mtxrNeighborVersion OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrNeighborTableEntry 4 }
+
+mtxrNeighborPlatform OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrNeighborTableEntry 5 }
+
+mtxrNeighborIdentity OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrNeighborTableEntry 6 }
+
+mtxrNeighborSoftwareID OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrNeighborTableEntry 7 }
+
+mtxrNeighborInterfaceID OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrNeighborTableEntry 8 }
+
+mtxrNeighborGroup OBJECT-GROUP OBJECTS {
+ mtxrNeighborIpAddress,
+ mtxrNeighborMacAddress,
+ mtxrNeighborVersion,
+ mtxrNeighborPlatform,
+ mtxrNeighborIdentity,
+ mtxrNeighborSoftwareID,
+ mtxrNeighborInterfaceID
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 11 }
+
+-- GPS ************************************************************************
+
+mtxrDate OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "UNIX time"
+ ::= { mtxrGps 1 }
+
+mtxrLongtitude OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "longtitude"
+ ::= { mtxrGps 2 }
+
+mtxrLatitude OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "latitude"
+ ::= { mtxrGps 3 }
+
+mtxrAltitude OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "altitude"
+ ::= { mtxrGps 4 }
+
+mtxrSpeed OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "speed"
+ ::= { mtxrGps 5 }
+
+mtxrSattelites OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "visible sattelite count"
+ ::= { mtxrGps 6 }
+
+mtxrValid OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "is the data valid"
+ ::= { mtxrGps 7 }
+
+mtxrGPSGroup OBJECT-GROUP OBJECTS {
+ mtxrDate,
+ mtxrLongtitude,
+ mtxrLatitude,
+ mtxrAltitude,
+ mtxrSpeed,
+ mtxrSattelites,
+ mtxrValid
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 15 }
+
+-- Wireless Modem ************************************************************
+
+mtxrWirelessModemSignalStrength OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "signal strength in dBm (if first ppp-client modem supports)"
+ ::= { mtxrWirelessModem 1 }
+
+mtxrWirelessModemSignalECIO OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "signal EC/IO in dB (if first ppp-client modem supports)"
+ ::= { mtxrWirelessModem 2 }
+
+mtxrWirelessModemManufacturer OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Modem manufacturer name"
+ ::= { mtxrWirelessModem 3 }
+
+mtxrWirelessModemModel OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Modem model name"
+ ::= { mtxrWirelessModem 4 }
+
+mtxrWirelessModemRevision OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Modem firmware revision"
+ ::= { mtxrWirelessModem 5 }
+
+mtxrWirelessModemIMEI OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Modem serial number"
+ ::= { mtxrWirelessModem 6 }
+
+mtxrWirelessModemIMSI OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "International mobile subscriber identity"
+ ::= { mtxrWirelessModem 7 }
+
+mtxrWirelessModemAccessTechnology OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Access
technology"
+ ::= { mtxrWirelessModem 8 }
+
+mtxrWirelessModemFrameErrorRate OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Signal frame error rate"
+ ::= { mtxrWirelessModem 9 }
+
+mtxrWirelessModemRSRP OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Reference Signal Receive Power"
+ ::= { mtxrWirelessModem 10 }
+
+mtxrWirelessModemRSRQ OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Reference Signal Received Quality"
+ ::= { mtxrWirelessModem 11 }
+
+mtxrWirelessModemSINR OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Signal-to-Interference-plus-Noise Ratio"
+ ::= { mtxrWirelessModem 12 }
+
+mtxrWirelessModemGroup OBJECT-GROUP OBJECTS {
+ mtxrWirelessModemSignalStrength,
+ mtxrWirelessModemSignalECIO,
+ mtxrWirelessModemManufacturer,
+ mtxrWirelessModemModel,
+ mtxrWirelessModemRevision,
+ mtxrWirelessModemIMEI,
+ mtxrWirelessModemIMSI,
+ mtxrWirelessModemAccessTechnology,
+ mtxrWirelessModemFrameErrorRate,
+ mtxrWirelessModemRSRP,
+ mtxrWirelessModemRSRQ,
+ mtxrWirelessModemSINR
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 16 }
+
+-- Interface Stats ************************************************************
+
+mtxrInterfaceStatsTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrInterfaceStatsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "Extended interface statistics.
+ Some interfaces may have only parts of this table
+ with unavailable values set to zero."
+ ::= { mtxrInterfaceStats 1 }
+
+mtxrInterfaceStatsEntry OBJECT-TYPE
+ SYNTAX MtxrInterfaceStatsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ INDEX { mtxrInterfaceStatsIndex }
+ ::= { mtxrInterfaceStatsTable 1 }
+
+MtxrInterfaceStatsEntry ::= SEQUENCE {
+ mtxrInterfaceStatsIndex ObjectIndex,
+ mtxrInterfaceStatsName DisplayString,
+
+ mtxrInterfaceStatsDriverRxBytes Counter64,
+ mtxrInterfaceStatsDriverRxPackets Counter64,
+ mtxrInterfaceStatsDriverTxBytes Counter64,
+ mtxrInterfaceStatsDriverTxPackets Counter64,
+
+ mtxrInterfaceStatsTxRx64 Counter64,
+ mtxrInterfaceStatsTxRx65To127 Counter64,
+ mtxrInterfaceStatsTxRx128To255 Counter64,
+ mtxrInterfaceStatsTxRx256To511 Counter64,
+ mtxrInterfaceStatsTxRx512To1023 Counter64,
+ mtxrInterfaceStatsTxRx1024To1518 Counter64,
+ mtxrInterfaceStatsTxRx1519ToMax Counter64,
+
+ mtxrInterfaceStatsRxBytes Counter64,
+ mtxrInterfaceStatsRxPackets Counter64,
+ mtxrInterfaceStatsRxTooShort Counter64,
+ mtxrInterfaceStatsRx64 Counter64,
+ mtxrInterfaceStatsRx65To127 Counter64,
+ mtxrInterfaceStatsRx128To255 Counter64,
+ mtxrInterfaceStatsRx256To511 Counter64,
+ mtxrInterfaceStatsRx512To1023 Counter64,
+ mtxrInterfaceStatsRx1024To1518 Counter64,
+ mtxrInterfaceStatsRx1519ToMax Counter64,
+ mtxrInterfaceStatsRxTooLong Counter64,
+ mtxrInterfaceStatsRxBroadcast Counter64,
+ mtxrInterfaceStatsRxPause Counter64,
+ mtxrInterfaceStatsRxMulticast Counter64,
+ mtxrInterfaceStatsRxFCSError Counter64,
+ mtxrInterfaceStatsRxAlignError Counter64,
+ mtxrInterfaceStatsRxFragment Counter64,
+ mtxrInterfaceStatsRxOverflow Counter64,
+ mtxrInterfaceStatsRxControl Counter64,
+ mtxrInterfaceStatsRxUnknownOp Counter64,
+ mtxrInterfaceStatsRxLengthError Counter64,
+ mtxrInterfaceStatsRxCodeError Counter64,
+ mtxrInterfaceStatsRxCarrierError Counter64,
+ mtxrInterfaceStatsRxJabber Counter64,
+ mtxrInterfaceStatsRxDrop Counter64,
+
+ mtxrInterfaceStatsTxBytes Counter64,
+ mtxrInterfaceStatsTxPackets Counter64,
+
mtxrInterfaceStatsTxTooShort Counter64,
+ mtxrInterfaceStatsTx64 Counter64,
+ mtxrInterfaceStatsTx65To127 Counter64,
+ mtxrInterfaceStatsTx128To255 Counter64,
+ mtxrInterfaceStatsTx256To511 Counter64,
+ mtxrInterfaceStatsTx512To1023 Counter64,
+ mtxrInterfaceStatsTx1024To1518 Counter64,
+ mtxrInterfaceStatsTx1519ToMax Counter64,
+ mtxrInterfaceStatsTxTooLong Counter64,
+ mtxrInterfaceStatsTxBroadcast Counter64,
+ mtxrInterfaceStatsTxPause Counter64,
+ mtxrInterfaceStatsTxMulticast Counter64,
+ mtxrInterfaceStatsTxUnderrun Counter64,
+ mtxrInterfaceStatsTxCollision Counter64,
+ mtxrInterfaceStatsTxExcessiveCollision Counter64,
+ mtxrInterfaceStatsTxMultipleCollision Counter64,
+ mtxrInterfaceStatsTxSingleCollision Counter64,
+ mtxrInterfaceStatsTxExcessiveDeferred Counter64,
+ mtxrInterfaceStatsTxDeferred Counter64,
+ mtxrInterfaceStatsTxLateCollision Counter64,
+ mtxrInterfaceStatsTxTotalCollision Counter64,
+ mtxrInterfaceStatsTxPauseHonored Counter64,
+ mtxrInterfaceStatsTxDrop Counter64,
+ mtxrInterfaceStatsTxJabber Counter64,
+ mtxrInterfaceStatsTxFCSError Counter64,
+ mtxrInterfaceStatsTxControl Counter64,
+ mtxrInterfaceStatsTxFragment Counter64,
+ mtxrInterfaceStatsLinkDowns Counter32,
+ mtxrInterfaceStatsTxRx1024ToMax Counter64
+}
+
+mtxrInterfaceStatsIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 1 }
+
+mtxrInterfaceStatsName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 2 }
+
+mtxrInterfaceStatsDriverRxBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 11 }
+
+mtxrInterfaceStatsDriverRxPackets OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 12 }
+
+mtxrInterfaceStatsDriverTxBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 13 }
+
+mtxrInterfaceStatsDriverTxPackets OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 14 }
+
+mtxrInterfaceStatsTxRx64 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 15 }
+
+mtxrInterfaceStatsTxRx65To127 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 16 }
+
+mtxrInterfaceStatsTxRx128To255 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 17 }
+
+mtxrInterfaceStatsTxRx256To511 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 18 }
+
+mtxrInterfaceStatsTxRx512To1023 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 19 }
+
+mtxrInterfaceStatsTxRx1024To1518 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 20 }
+
+mtxrInterfaceStatsTxRx1519ToMax OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 21 }
+
+mtxrInterfaceStatsRxBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 31 }
+
+mtxrInterfaceStatsRxPackets OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 32 }
+
+mtxrInterfaceStatsRxTooShort OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 33 }
+
+mtxrInterfaceStatsRx64 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 34 }
+
+mtxrInterfaceStatsRx65To127 OBJECT-TYPE
+ SYNTAX
Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 35 }
+
+mtxrInterfaceStatsRx128To255 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 36 }
+
+mtxrInterfaceStatsRx256To511 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 37 }
+
+mtxrInterfaceStatsRx512To1023 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 38 }
+
+mtxrInterfaceStatsRx1024To1518 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 39 }
+
+mtxrInterfaceStatsRx1519ToMax OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 40 }
+
+mtxrInterfaceStatsRxTooLong OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 41 }
+
+mtxrInterfaceStatsRxBroadcast OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 42 }
+
+mtxrInterfaceStatsRxPause OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 43 }
+
+mtxrInterfaceStatsRxMulticast OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 44 }
+
+mtxrInterfaceStatsRxFCSError OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 45 }
+
+mtxrInterfaceStatsRxAlignError OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 46 }
+
+mtxrInterfaceStatsRxFragment OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 47 }
+
+mtxrInterfaceStatsRxOverflow OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 48 }
+
+mtxrInterfaceStatsRxControl OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 49 }
+
+mtxrInterfaceStatsRxUnknownOp OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 50 }
+
+mtxrInterfaceStatsRxLengthError OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 51 }
+
+mtxrInterfaceStatsRxCodeError OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 52 }
+
+mtxrInterfaceStatsRxCarrierError OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 53 }
+
+mtxrInterfaceStatsRxJabber OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 54 }
+
+mtxrInterfaceStatsRxDrop OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 55 }
+
+mtxrInterfaceStatsTxBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 61 }
+
+mtxrInterfaceStatsTxPackets OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 62 }
+
+mtxrInterfaceStatsTxTooShort OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 63 }
+
+mtxrInterfaceStatsTx64 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 64 }
+
+mtxrInterfaceStatsTx65To127 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::=
{ mtxrInterfaceStatsEntry 65 }
+
+mtxrInterfaceStatsTx128To255 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 66 }
+
+mtxrInterfaceStatsTx256To511 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 67 }
+
+mtxrInterfaceStatsTx512To1023 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 68 }
+
+mtxrInterfaceStatsTx1024To1518 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 69 }
+
+mtxrInterfaceStatsTx1519ToMax OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 70 }
+
+mtxrInterfaceStatsTxTooLong OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 71 }
+
+mtxrInterfaceStatsTxBroadcast OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 72 }
+
+mtxrInterfaceStatsTxPause OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 73 }
+
+mtxrInterfaceStatsTxMulticast OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 74 }
+
+mtxrInterfaceStatsTxUnderrun OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 75 }
+
+mtxrInterfaceStatsTxCollision OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 76 }
+
+mtxrInterfaceStatsTxExcessiveCollision OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 77 }
+
+mtxrInterfaceStatsTxMultipleCollision OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 78 }
+
+mtxrInterfaceStatsTxSingleCollision OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 79 }
+
+mtxrInterfaceStatsTxExcessiveDeferred OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 80 }
+
+mtxrInterfaceStatsTxDeferred OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 81 }
+
+mtxrInterfaceStatsTxLateCollision OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 82 }
+
+mtxrInterfaceStatsTxTotalCollision OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 83 }
+
+mtxrInterfaceStatsTxPauseHonored OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 84 }
+
+mtxrInterfaceStatsTxDrop OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 85 }
+
+mtxrInterfaceStatsTxJabber OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 86 }
+
+mtxrInterfaceStatsTxFCSError OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 87 }
+
+mtxrInterfaceStatsTxControl OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 88 }
+
+mtxrInterfaceStatsTxFragment OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 89 }
+
+mtxrInterfaceStatsLinkDowns OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 90
}
+
+mtxrInterfaceStatsTxRx1024ToMax OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 91 }
+
+mtxrInterfaceStatsGroup OBJECT-GROUP OBJECTS {
+ mtxrInterfaceStatsName,
+ mtxrInterfaceStatsDriverRxBytes,
+ mtxrInterfaceStatsDriverRxPackets,
+ mtxrInterfaceStatsDriverTxBytes,
+ mtxrInterfaceStatsDriverTxPackets,
+
+ mtxrInterfaceStatsTxRx64,
+ mtxrInterfaceStatsTxRx65To127,
+ mtxrInterfaceStatsTxRx128To255,
+ mtxrInterfaceStatsTxRx256To511,
+ mtxrInterfaceStatsTxRx512To1023,
+ mtxrInterfaceStatsTxRx1024To1518,
+ mtxrInterfaceStatsTxRx1519ToMax,
+
+ mtxrInterfaceStatsRxBytes,
+ mtxrInterfaceStatsRxPackets,
+ mtxrInterfaceStatsRxTooShort,
+ mtxrInterfaceStatsRx64,
+ mtxrInterfaceStatsRx65To127,
+ mtxrInterfaceStatsRx128To255,
+ mtxrInterfaceStatsRx256To511,
+ mtxrInterfaceStatsRx512To1023,
+ mtxrInterfaceStatsRx1024To1518,
+ mtxrInterfaceStatsRx1519ToMax,
+ mtxrInterfaceStatsRxTooLong,
+ mtxrInterfaceStatsRxBroadcast,
+ mtxrInterfaceStatsRxPause,
+ mtxrInterfaceStatsRxMulticast,
+ mtxrInterfaceStatsRxFCSError,
+ mtxrInterfaceStatsRxAlignError,
+ mtxrInterfaceStatsRxFragment,
+ mtxrInterfaceStatsRxOverflow,
+ mtxrInterfaceStatsRxControl,
+ mtxrInterfaceStatsRxUnknownOp,
+ mtxrInterfaceStatsRxLengthError,
+ mtxrInterfaceStatsRxCodeError,
+ mtxrInterfaceStatsRxCarrierError,
+ mtxrInterfaceStatsRxJabber,
+ mtxrInterfaceStatsRxDrop,
+
+ mtxrInterfaceStatsTxBytes,
+ mtxrInterfaceStatsTxPackets,
+ mtxrInterfaceStatsTxTooShort,
+ mtxrInterfaceStatsTx64,
+ mtxrInterfaceStatsTx65To127,
+ mtxrInterfaceStatsTx128To255,
+ mtxrInterfaceStatsTx256To511,
+ mtxrInterfaceStatsTx512To1023,
+ mtxrInterfaceStatsTx1024To1518,
+ mtxrInterfaceStatsTx1519ToMax,
+ mtxrInterfaceStatsTxTooLong,
+ mtxrInterfaceStatsTxBroadcast,
+ mtxrInterfaceStatsTxPause,
+ mtxrInterfaceStatsTxMulticast,
+ mtxrInterfaceStatsTxUnderrun,
+ mtxrInterfaceStatsTxCollision,
+ mtxrInterfaceStatsTxExcessiveCollision,
+
mtxrInterfaceStatsTxMultipleCollision,
+ mtxrInterfaceStatsTxSingleCollision,
+ mtxrInterfaceStatsTxExcessiveDeferred,
+ mtxrInterfaceStatsTxDeferred,
+ mtxrInterfaceStatsTxLateCollision,
+ mtxrInterfaceStatsTxTotalCollision,
+ mtxrInterfaceStatsTxPauseHonored,
+ mtxrInterfaceStatsTxDrop,
+ mtxrInterfaceStatsTxJabber,
+ mtxrInterfaceStatsTxFCSError,
+ mtxrInterfaceStatsTxControl,
+ mtxrInterfaceStatsTxFragment,
+ mtxrInterfaceStatsLinkDowns,
+ mtxrInterfaceStatsTxRx1024ToMax
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 17 }
+
+-- POE ************************************************************************
+
+mtxrPOETable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrPOEEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "Power Over Ethernet"
+ ::= { mtxrPOE 1 }
+
+mtxrPOEEntry OBJECT-TYPE
+ SYNTAX MtxrPOEEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ INDEX { mtxrPOEInterfaceIndex }
+ ::= { mtxrPOETable 1 }
+
+MtxrPOEEntry ::= SEQUENCE {
+ mtxrPOEInterfaceIndex ObjectIndex,
+ mtxrPOEName DisplayString,
+ mtxrPOEStatus INTEGER,
+ mtxrPOEVoltage Voltage,
+ mtxrPOECurrent Integer32,
+ mtxrPOEPower Power
+}
+
+mtxrPOEInterfaceIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrPOEEntry 1 }
+
+mtxrPOEName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrPOEEntry 2 }
+
+mtxrPOEStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+ disabled(1),
+ waitingForLoad(2),
+ poweredOn(3),
+ overload(4),
+ shortCircuit(5),
+ voltageTooLow(6),
+ currentTooLow(7),
+ powerReset(8),
+ voltageTooHigh(9),
+ controllerError(10),
+ controllerUpgrade(11),
+ poeInDetected(12),
+ noValidPsu(13),
+ controllerInit(14),
+ lowVoltageTooLow(15)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrPOEEntry 3 }
+
+mtxrPOEVoltage OBJECT-TYPE
+ SYNTAX Voltage
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "V"
+ ::= { mtxrPOEEntry
4 }
+
+mtxrPOECurrent OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "mA"
+ ::= { mtxrPOEEntry 5 }
+
+mtxrPOEPower OBJECT-TYPE
+ SYNTAX Power
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "W"
+ ::= { mtxrPOEEntry 6 }
+
+mtxrPOEGroup OBJECT-GROUP OBJECTS {
+ mtxrPOEName,
+ mtxrPOEStatus,
+ mtxrPOEVoltage,
+ mtxrPOECurrent,
+ mtxrPOEPower
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 18 }
+
+-- LTE Modem ************************************************************
+
+mtxrLTEModemTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrLTEModemEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "LTE Modems"
+ ::= { mtxrLTEModem 1 }
+
+mtxrLTEModemEntry OBJECT-TYPE
+ SYNTAX MtxrLTEModemEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ INDEX { mtxrLTEModemInterfaceIndex }
+ ::= { mtxrLTEModemTable 1 }
+
+MtxrLTEModemEntry ::= SEQUENCE {
+ mtxrLTEModemInterfaceIndex ObjectIndex,
+ mtxrLTEModemSignalRSSI Integer32,
+ mtxrLTEModemSignalRSRQ Integer32,
+ mtxrLTEModemSignalRSRP Integer32,
+ mtxrLTEModemCellId HexInt,
+ mtxrLTEModemAccessTechnology INTEGER,
+ mtxrLTEModemSignalSINR Integer32,
+ mtxrLTEModemEnbId Integer32,
+ mtxrLTEModemSectorId Integer32,
+ mtxrLTEModemLac Integer32,
+ mtxrLTEModemIMEI DisplayString,
+ mtxrLTEModemIMSI DisplayString,
+ mtxrLTEModemUICC DisplayString,
+ mtxrLTEModemRAT DisplayString
+}
+
+mtxrLTEModemInterfaceIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrLTEModemEntry 1 }
+
+mtxrLTEModemSignalRSSI OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "dBm"
+ ::= { mtxrLTEModemEntry 2 }
+
+mtxrLTEModemSignalRSRQ OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "dB"
+ ::= { mtxrLTEModemEntry 3 }
+
+mtxrLTEModemSignalRSRP OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "dBm"
+ ::= {
mtxrLTEModemEntry 4 }
+
+mtxrLTEModemCellId OBJECT-TYPE
+ SYNTAX HexInt
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "current cell ID"
+ ::= { mtxrLTEModemEntry 5 }
+
+mtxrLTEModemAccessTechnology OBJECT-TYPE
+ SYNTAX INTEGER {
+ unknown(-1),
+ gsmcompact(0),
+ gsm(1),
+ utran(2),
+ egprs(3),
+ hsdpa(4),
+ hsupa(5),
+ hsdpahsupa(6),
+ eutran(7),
+ nr-sa(11),
+ nr-nsa(13)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "as reported by +CREG"
+ ::= { mtxrLTEModemEntry 6 }
+
+mtxrLTEModemSignalSINR OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "dB"
+ ::= { mtxrLTEModemEntry 7 }
+
+mtxrLTEModemEnbId OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrLTEModemEntry 8 }
+
+mtxrLTEModemSectorId OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrLTEModemEntry 9 }
+
+mtxrLTEModemLac OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrLTEModemEntry 10 }
+
+mtxrLTEModemIMEI OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrLTEModemEntry 11 }
+
+mtxrLTEModemIMSI OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrLTEModemEntry 12 }
+
+mtxrLTEModemUICC OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrLTEModemEntry 13 }
+
+mtxrLTEModemRAT OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrLTEModemEntry 14 }
+
+mtxrLTEModemGroup OBJECT-GROUP OBJECTS {
+ mtxrLTEModemSignalRSSI,
+ mtxrLTEModemSignalRSRQ,
+ mtxrLTEModemSignalRSRP,
+ mtxrLTEModemCellId,
+ mtxrLTEModemAccessTechnology,
+ mtxrLTEModemSignalSINR,
+ mtxrLTEModemEnbId,
+ mtxrLTEModemSectorId,
+ mtxrLTEModemLac,
+ mtxrLTEModemIMEI,
+ mtxrLTEModemIMSI,
+ mtxrLTEModemUICC,
+ mtxrLTEModemRAT
+ }
+ STATUS current
+
DESCRIPTION ""
+ ::= { mtXRouterOsGroups 19 }
+
+-- Partition ************************************************************
+
+mtxrPartitionTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrPartitionEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "system partitions"
+ ::= { mtxrPartition 1 }
+
+mtxrPartitionEntry OBJECT-TYPE
+ SYNTAX MtxrPartitionEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ INDEX { mtxrPartitionIndex }
+ ::= { mtxrPartitionTable 1 }
+
+MtxrPartitionEntry ::= SEQUENCE {
+ mtxrPartitionIndex ObjectIndex,
+ mtxrPartitionName DisplayString,
+ mtxrPartitionSize Integer32,
+ mtxrPartitionVersion DisplayString,
+ mtxrPartitionActive BoolValue,
+ mtxrPartitionRunning BoolValue
+}
+
+mtxrPartitionIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrPartitionEntry 1 }
+
+mtxrPartitionName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrPartitionEntry 2 }
+
+mtxrPartitionSize OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "MB"
+ ::= { mtxrPartitionEntry 3 }
+
+mtxrPartitionVersion OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrPartitionEntry 4 }
+
+mtxrPartitionActive OBJECT-TYPE
+ SYNTAX BoolValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrPartitionEntry 5 }
+
+mtxrPartitionRunning OBJECT-TYPE
+ SYNTAX BoolValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrPartitionEntry 6 }
+
+mtxrPartitionGroup OBJECT-GROUP OBJECTS {
+ mtxrPartitionName,
+ mtxrPartitionSize,
+ mtxrPartitionVersion,
+ mtxrPartitionActive,
+ mtxrPartitionRunning
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 20 }
+
+-- OPTICAL *****************************************************************
+
+mtxrOpticalTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrOpticalTableEntry
+ MAX-ACCESS
not-accessible + STATUS current + DESCRIPTION "SFP and GPON information" + ::= { mtxrOptical 1 } + +mtxrOpticalTableEntry OBJECT-TYPE + SYNTAX MtxrOpticalTableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + INDEX { mtxrOpticalIndex } + ::= { mtxrOpticalTable 1 } + +MtxrOpticalTableEntry ::= SEQUENCE { + mtxrOpticalIndex ObjectIndex, + mtxrOpticalName DisplayString, + mtxrOpticalRxLoss BoolValue, + mtxrOpticalTxFault BoolValue, + mtxrOpticalWavelength GDiv100, + mtxrOpticalTemperature Gauge32, + mtxrOpticalSupplyVoltage GDiv1000, + mtxrOpticalTxBiasCurrent Gauge32, + mtxrOpticalTxPower IDiv1000, + mtxrOpticalRxPower IDiv1000, + mtxrOpticalVendorName DisplayString, + mtxrOpticalVendorSerial DisplayString + +} + +mtxrOpticalGroup OBJECT-GROUP OBJECTS { + mtxrOpticalName, + mtxrOpticalRxLoss, + mtxrOpticalTxFault, + mtxrOpticalWavelength, + mtxrOpticalTemperature, + mtxrOpticalSupplyVoltage, + mtxrOpticalTxBiasCurrent, + mtxrOpticalTxPower, + mtxrOpticalRxPower, + mtxrOpticalVendorName, + mtxrOpticalVendorSerial + } + STATUS current + DESCRIPTION "" + ::= { mtXRouterOsGroups 6 } + +mtxrOpticalIndex OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 1 } + +mtxrOpticalName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 2 } + +mtxrOpticalRxLoss OBJECT-TYPE + SYNTAX BoolValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 3 } + +mtxrOpticalTxFault OBJECT-TYPE + SYNTAX BoolValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 4 } + +mtxrOpticalWavelength OBJECT-TYPE + SYNTAX GDiv100 + UNITS "nm" + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 5 } + +mtxrOpticalTemperature OBJECT-TYPE + SYNTAX Gauge32 + UNITS "C" + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { 
mtxrOpticalTableEntry 6 } + +mtxrOpticalSupplyVoltage OBJECT-TYPE + SYNTAX GDiv1000 + UNITS "V" + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 7 } + +mtxrOpticalTxBiasCurrent OBJECT-TYPE + SYNTAX Gauge32 + UNITS "mA" + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 8 } + +mtxrOpticalTxPower OBJECT-TYPE + SYNTAX IDiv1000 + UNITS "dBm" + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 9 } + +mtxrOpticalRxPower OBJECT-TYPE + SYNTAX IDiv1000 + UNITS "dBm" + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 10 } + +mtxrOpticalVendorName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 11 } + +mtxrOpticalVendorSerial OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 12 } + +-- IPSec ***************************************************************** + +mtxrIkeSACount OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "IKE SA count" + ::= { mtxrIPSec 1 } + +mtxrIkeSATable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrIkeSATableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "IKE SA table" + ::= { mtxrIPSec 2 } + +mtxrIkeSATableEntry OBJECT-TYPE + SYNTAX MtxrIkeSATableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + INDEX { + mtxrIkeSAIndex + } + ::= { mtxrIkeSATable 1 } + +MtxrIkeSATableEntry ::= SEQUENCE { + mtxrIkeSAIndex ObjectIndex, + mtxrIkeSAInitiatorCookie IsakmpCookie, + mtxrIkeSAResponderCookie IsakmpCookie, + mtxrIkeSAResponder BoolValue, + mtxrIkeSANatt BoolValue, + mtxrIkeSAVersion Gauge32, + mtxrIkeSAState INTEGER, + mtxrIkeSAUptime TimeTicks, + mtxrIkeSASeen TimeTicks, + mtxrIkeSAIdentity DisplayString, + mtxrIkeSAPh2Count Gauge32, + mtxrIkeSALocalAddressType InetAddressType, + mtxrIkeSALocalAddress 
InetAddress, + mtxrIkeSALocalPort InetPortNumber, + mtxrIkeSAPeerAddressType InetAddressType, + mtxrIkeSAPeerAddress InetAddress, + mtxrIkeSAPeerPort InetPortNumber, + mtxrIkeSADynamicAddressType InetAddressType, + mtxrIkeSADynamicAddress InetAddress, + mtxrIkeSATxBytes Counter64, + mtxrIkeSARxBytes Counter64, + mtxrIkeSATxPackets Counter64, + mtxrIkeSARxPackets Counter64 +} + +mtxrIkeSAGroup OBJECT-GROUP OBJECTS { + mtxrIkeSACount, + mtxrIkeSAInitiatorCookie, + mtxrIkeSAResponderCookie, + mtxrIkeSAResponder, + mtxrIkeSANatt, + mtxrIkeSAVersion, + mtxrIkeSAState, + mtxrIkeSAUptime, + mtxrIkeSASeen, + mtxrIkeSAIdentity, + mtxrIkeSAPh2Count, + mtxrIkeSALocalAddressType, + mtxrIkeSALocalAddress, + mtxrIkeSALocalPort, + mtxrIkeSAPeerAddressType, + mtxrIkeSAPeerAddress, + mtxrIkeSAPeerPort, + mtxrIkeSADynamicAddressType, + mtxrIkeSADynamicAddress, + mtxrIkeSATxBytes, + mtxrIkeSARxBytes, + mtxrIkeSATxPackets, + mtxrIkeSARxPackets + } + STATUS current + DESCRIPTION "" + ::= { mtXRouterOsGroups 7 } + +mtxrIkeSAIndex OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 1 } + +mtxrIkeSAInitiatorCookie OBJECT-TYPE + SYNTAX IsakmpCookie + MAX-ACCESS read-only + STATUS current + DESCRIPTION "initiator SPI" + ::= { mtxrIkeSATableEntry 2 } + +mtxrIkeSAResponderCookie OBJECT-TYPE + SYNTAX IsakmpCookie + MAX-ACCESS read-only + STATUS current + DESCRIPTION "responder SPI" + ::= { mtxrIkeSATableEntry 3 } + +mtxrIkeSAResponder OBJECT-TYPE + SYNTAX BoolValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "IKE side" + ::= { mtxrIkeSATableEntry 4 } + +mtxrIkeSANatt OBJECT-TYPE + SYNTAX BoolValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "NAT is detected" + ::= { mtxrIkeSATableEntry 5 } + +mtxrIkeSAVersion OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "protocol version" + ::= { mtxrIkeSATableEntry 6 } + +mtxrIkeSAState OBJECT-TYPE + SYNTAX INTEGER { + exchange(1), 
+ established(2), + expired(3), + eap(4) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 7 } + +mtxrIkeSAUptime OBJECT-TYPE + SYNTAX TimeTicks + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 8 } + +mtxrIkeSASeen OBJECT-TYPE + SYNTAX TimeTicks + MAX-ACCESS read-only + STATUS current + DESCRIPTION "time elapsed since last valid IKE packet" + ::= { mtxrIkeSATableEntry 9 } + +mtxrIkeSAIdentity OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "peer identity" + ::= { mtxrIkeSATableEntry 10 } + +mtxrIkeSAPh2Count OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "total ph2 SA pairs" + ::= { mtxrIkeSATableEntry 11 } + +mtxrIkeSALocalAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 12 } + +mtxrIkeSALocalAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 13 } + +mtxrIkeSALocalPort OBJECT-TYPE + SYNTAX InetPortNumber + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 14 } + +mtxrIkeSAPeerAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 15 } + +mtxrIkeSAPeerAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 16 } + +mtxrIkeSAPeerPort OBJECT-TYPE + SYNTAX InetPortNumber + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 17 } + +mtxrIkeSADynamicAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 18 } + +mtxrIkeSADynamicAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "dynamic address allocated by mode config" + ::= { 
mtxrIkeSATableEntry 19 } + +mtxrIkeSATxBytes OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "ph2 SA tx bytes" + ::= { mtxrIkeSATableEntry 20 } + +mtxrIkeSARxBytes OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "ph2 SA rx bytes" + ::= { mtxrIkeSATableEntry 21 } + +mtxrIkeSATxPackets OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "ph2 SA tx packets" + ::= { mtxrIkeSATableEntry 22 } + +mtxrIkeSARxPackets OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "ph2 SA rx packets" + ::= { mtxrIkeSATableEntry 23 } + +mtxrWifiCapsman OBJECT IDENTIFIER ::= { mtxrWifi 1 } + +mtxrWifiCapsmanEnabled OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Indicates whether the Capsman is enabled." + ::= { mtxrWifiCapsman 1 } + +mtxrWifiCapsmanInterfaces OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "List of interfaces associated with Capsman." + ::= { mtxrWifiCapsman 2 } + +mtxrWifiCapsmanCACertificate OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The CA certificate used by Capsman." + ::= { mtxrWifiCapsman 3 } + +mtxrWifiCapsmanCertificate OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The local certificate used by Capsman." + ::= { mtxrWifiCapsman 4 } + +mtxrWifiCapsmanRequirePeerCertificate OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Whether a peer certificate is required." + ::= { mtxrWifiCapsman 5 } + +mtxrWifiCapsmanPackagePath OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Path to the Capsman package directory." + ::= { mtxrWifiCapsman 6 } + +mtxrWifiCapsmanUpgradePolicy OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Capsman upgrade policy." 
+ ::= { mtxrWifiCapsman 7 } + +mtxrWifiCapsmanGeneratedCaCertificate OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Automatically generated CA certificate." + ::= { mtxrWifiCapsman 8 } + +mtxrWifiCapsmanGeneratedCertificate OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Automatically generated local certificate." + ::= { mtxrWifiCapsman 9 } + +mtxrWifiCap OBJECT IDENTIFIER ::= { mtxrWifi 2 } + +mtxrCapEnabled OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Indicates whether the CAP is enabled." + ::= { mtxrWifiCap 1 } + +mtxrCapInterfaces OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "List of interfaces used by the CAP." + ::= { mtxrWifiCap 2 } + +mtxrCapCertificate OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The local certificate used by the CAP." + ::= { mtxrWifiCap 3 } + +mtxrCapCapsManAddresses OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Addresses of associated CapsMan controllers." + ::= { mtxrWifiCap 4 } + +mtxrCapCapsManNames OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Names of associated CapsMan controllers." + ::= { mtxrWifiCap 5 } + +mtxrCapCapsManCertificateCommonNames OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Common names of CapsMan certificates." + ::= { mtxrWifiCap 6 } + +mtxrCapLockToCapsMan OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Indicates if the CAP is locked to a specific CapsMan." + ::= { mtxrWifiCap 7 } + +mtxrCapSlavesStatic OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Indicates if CAP slaves are set to static mode." 
+ ::= { mtxrWifiCap 8 } + +mtxrCapSlavesDatapath OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Datapath configuration of CAP slaves." + ::= { mtxrWifiCap 9 } + +mtxrCapRequestedCertificate OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Requested certificate for the CAP." + ::= { mtxrWifiCap 10 } + +mtxrCapLockedCapsManCommonName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Locked CapsMan common name." + ::= { mtxrWifiCap 11 } + +mtxrCapCurrentCapsManAddress OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Current CapsMan address being used." + ::= { mtxrWifiCap 12 } + +mtxrCapCurrentCapsManIdentity OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Current identity of the connected CapsMan." + ::= { mtxrWifiCap 13 } + +-- Remote Caps ************************************************* + +mtxrRemoteCapTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrWifiRemoteCapEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWifi 3 } + +mtxrWifiRemoteCapEntry OBJECT-TYPE + SYNTAX MtxrWifiRemoteCapEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Entry containing remote CAP statistics" + INDEX { mtxrRemoteCapId } + ::= { mtxrRemoteCapTable 1 } + +MtxrWifiRemoteCapEntry ::= SEQUENCE { + mtxrRemoteCapId ObjectIndex, + mtxrRemoteCapAddress DisplayString, + mtxrRemoteCapIdentity DisplayString, + mtxrRemoteCapBoardName DisplayString, + mtxrRemoteCapSerial DisplayString, + mtxrRemoteCapVersion DisplayString, + mtxrRemoteCapBaseMac MacAddress, + mtxrRemoteCapCommonName DisplayString, + mtxrRemoteCapState DisplayString +} + +mtxrRemoteCapId OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "ID of the remote CAP." 
+ ::= { mtxrWifiRemoteCapEntry 1 } + +mtxrRemoteCapAddress OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "IP address of the remote CAP." + ::= { mtxrWifiRemoteCapEntry 2 } + +mtxrRemoteCapIdentity OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Identity name of the remote CAP." + ::= { mtxrWifiRemoteCapEntry 3 } + +mtxrRemoteCapBoardName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Board name of the remote CAP." + ::= { mtxrWifiRemoteCapEntry 4 } + +mtxrRemoteCapSerial OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Serial number of the remote CAP." + ::= { mtxrWifiRemoteCapEntry 5 } + +mtxrRemoteCapVersion OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "RouterOS version of the remote CAP." + ::= { mtxrWifiRemoteCapEntry 6 } + +mtxrRemoteCapBaseMac OBJECT-TYPE + SYNTAX MacAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Base MAC address of the remote CAP." + ::= { mtxrWifiRemoteCapEntry 7 } + +mtxrRemoteCapCommonName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Certificate common name of the remote CAP." + ::= { mtxrWifiRemoteCapEntry 8 } + +mtxrRemoteCapState OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "State of the remote CAP (e.g., connected, disconnected)." 
+ ::= { mtxrWifiRemoteCapEntry 9 } + +-- Wifi Registration Table ************************************************* + +mtxrWifiRegistrationTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrWifiRegistrationTableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWifi 4 } + +mtxrWifiRegistrationTableEntry OBJECT-TYPE + SYNTAX MtxrWifiRegistrationTableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Entry containing wifi registration statistics" + INDEX { mtxrWifiRegistrationMacAddress, mtxrWifiRegistrationInterface } + ::= { mtxrWifiRegistrationTable 1 } + +MtxrWifiRegistrationTableEntry ::= SEQUENCE { + mtxrWifiRegistrationMacAddress MacAddress, + mtxrWifiRegistrationInterface ObjectIndex, + mtxrWifiRegistrationSsid DisplayString, + mtxrWifiRegistrationUptime TimeTicks, + mtxrWifiRegistrationLastActivity Integer32, + mtxrWifiRegistrationSignal Integer32, + mtxrWifiRegistrationAuthType DisplayString, + mtxrWifiRegistrationBand DisplayString, + mtxrWifiRegistrationTxRate Gauge32, + mtxrWifiRegistrationRxRate Gauge32, + mtxrWifiRegistrationTxPackets Counter64, + mtxrWifiRegistrationRxPackets Counter64, + mtxrWifiRegistrationTxBytes Counter64, + mtxrWifiRegistrationRxBytes Counter64, + mtxrWifiRegistrationTxBitsPerSecond Integer32, + mtxrWifiRegistrationRxBitsPerSecond Integer32, + mtxrWifiRegistrationVlanId Integer32, + mtxrWifiRegistrationAuthorized TruthValue +} + +mtxrWifiRegistrationMacAddress OBJECT-TYPE + SYNTAX MacAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "MAC address of the registered device." + ::= { mtxrWifiRegistrationTableEntry 1 } + +mtxrWifiRegistrationInterface OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Interface id of the registered device." + ::= { mtxrWifiRegistrationTableEntry 2 } + +mtxrWifiRegistrationSsid OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "SSID of the connected access point." 
+ ::= { mtxrWifiRegistrationTableEntry 3 } + +mtxrWifiRegistrationUptime OBJECT-TYPE + SYNTAX TimeTicks + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Uptime of the registered connection." + ::= { mtxrWifiRegistrationTableEntry 4 } + +mtxrWifiRegistrationLastActivity OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Time since the last activity of the registered device." + ::= { mtxrWifiRegistrationTableEntry 5 } + +mtxrWifiRegistrationSignal OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Signal strength of the registered device." + ::= { mtxrWifiRegistrationTableEntry 6 } + +mtxrWifiRegistrationAuthType OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Authentication type used by the registered device." + ::= { mtxrWifiRegistrationTableEntry 7 } + +mtxrWifiRegistrationBand OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Wireless band used by the registered device." + ::= { mtxrWifiRegistrationTableEntry 8 } + +mtxrWifiRegistrationTxRate OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Transmission rate of the registered device." + ::= { mtxrWifiRegistrationTableEntry 9 } + +mtxrWifiRegistrationRxRate OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Reception rate of the registered device." + ::= { mtxrWifiRegistrationTableEntry 10 } + +mtxrWifiRegistrationTxPackets OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Number of transmitted packets." + ::= { mtxrWifiRegistrationTableEntry 11 } + +mtxrWifiRegistrationRxPackets OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Number of received packets." 
+ ::= { mtxrWifiRegistrationTableEntry 12 } + +mtxrWifiRegistrationTxBytes OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Number of transmitted bytes." + ::= { mtxrWifiRegistrationTableEntry 13 } + +mtxrWifiRegistrationRxBytes OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Number of received bytes." + ::= {mtxrWifiRegistrationTableEntry 14 } + +mtxrWifiRegistrationTxBitsPerSecond OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Transmission rate in bits per second." + ::= { mtxrWifiRegistrationTableEntry 15 } + +mtxrWifiRegistrationRxBitsPerSecond OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Reception rate in bits per second." + ::= { mtxrWifiRegistrationTableEntry 16 } + +mtxrWifiRegistrationVlanId OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "VLAN ID of the registered device." + ::= { mtxrWifiRegistrationTableEntry 17 } + +mtxrWifiRegistrationAuthorized OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Indicates whether the device is authorized." 
+ ::= { mtxrWifiRegistrationTableEntry 18 } + +-- Wifi Interfaces *********************************************** + +mtxrWifiInterfaces OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrWifiInterfacesEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWifi 5 } + +mtxrWifiInterfacesEntry OBJECT-TYPE + SYNTAX MtxrWifiInterfacesEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "An entry representing WiFi interface" + INDEX { mtxrWifiInterfacesId } + ::= { mtxrWifiInterfaces 1 } + +MtxrWifiInterfacesEntry ::= SEQUENCE { + mtxrWifiInterfacesId ObjectIndex, + mtxrWifiInterfacesName DisplayString, + mtxrWifiInterfacesSsid DisplayString, + mtxrWifiInterfacesFreq DisplayString +} + +mtxrWifiInterfacesId OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Unique identifier for each WiFi interface" + ::= { mtxrWifiInterfacesEntry 1 } + +mtxrWifiInterfacesName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Name of the WiFi interface" + ::= { mtxrWifiInterfacesEntry 2 } + +mtxrWifiInterfacesSsid OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "SSID associated with the WiFi interface" + ::= { mtxrWifiInterfacesEntry 3 } + +mtxrWifiInterfacesFreq OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Frequency used by the WiFi interface" + ::= { mtxrWifiInterfacesEntry 4 } + +-- TRAPS ********************************************************************** + +mtxrNotifications OBJECT IDENTIFIER ::= { mtxrTraps 0 } + +mtxrTrap NOTIFICATION-TYPE + STATUS current + DESCRIPTION "Mikrotik trap OID" + ::= { mtxrNotifications 1 } + +mtxrTemperatureException NOTIFICATION-TYPE + STATUS current + DESCRIPTION "Mikrotik CPU temperature exception trap" + ::= { mtxrNotifications 2 } + +mtxrTrapGroup NOTIFICATION-GROUP NOTIFICATIONS { + mtxrTrap, + mtxrTemperatureException + } + STATUS current + DESCRIPTION "" 
+ ::= { mtXRouterOsGroups 14 } + +-- *************************************************************************** + +END + diff --git a/roles/routeros/files/routeros-poe-mqtt-publish.sh b/roles/routeros/files/routeros-poe-mqtt-publish.sh new file mode 100644 index 0000000..1b5afd5 --- /dev/null +++ b/roles/routeros/files/routeros-poe-mqtt-publish.sh @@ -0,0 +1,54 @@ +#!/bin/sh + +set -eu +umask 077 + +community="public" + +mqtt_send() { + topic="$1" + value="$2" + + tlsdir="$(openssl version -d | sed -e 's/^OPENSSLDIR: "\(.\+\)"$/\1/')" + mosquitto_pub -h mqtt02.home.foo.sh -t "$topic" -m "$value" \ + --cafile "${tlsdir}/certs/ca.crt" \ + --key "${tlsdir}/private/$(hostname -f).key" \ + --cert "${tlsdir}/certs/$(hostname -f).crt" +} + +snmp_get() { + host="$1" + key="$2" + snmpget -v 1 -c "$community" "$host" -Oqv -m MIKROTIK-MIB "$key" | tr -d '"' +} + +# only run script if first vrrp interface is in master state +for state in /run/keepalived/*.state ; do + if [ "$(cat "$state")" != "MASTER" ]; then + exit 0 + fi + break +done + +ldapsearch -Q -LLL "(&(objectClass=device)(description=MikroTik *))" cn | \ + awk '{ if ($1 == "cn:") print $2 }' | while read -r name +do + snmpwalk -v 1 -c "$community" "$name" -Oq -m MIKROTIK-MIB \ + MIKROTIK-MIB::mtxrPOEStatus | while read -r port status + do + port="$(echo "$port" | cut -d "." -f 2)" + [ "$status" = "poweredOn" ] || continue + + device="$(snmp_get "$name" "SNMPv2-SMI::mib-2.31.1.1.1.18.${port}")" + [ -z "$device" ] && continue + location="$(ldapsearch -Q -LLL "(&(objectClass=device)(cn=${device}))" l | \ + sed -n 's/^l: \(.\+\)/\1/p' | tr '[:upper:]' '[:lower:]' | tr ' ' '_')" + [ -z "$location" ] && continue + + for key in Current Power Voltage ; do + topic="home/${location}/${device}/$(echo "$key" | tr '[:upper:]' '[:lower:]')" + value="$(snmp_get "$name" "MIKROTIK-MIB::mtxrPOE${key}.${port}")" + mqtt_send "$topic" "$value" + done + done +done 
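Review bot: `device` is read from the router's interface alias (`mib-2.31.1.1.1.18`, ifAlias) over unauthenticated SNMPv1 and then spliced unescaped into the LDAP filter `(&(objectClass=device)(cn=${device}))` and into the MQTT topic, so an alias containing `)`, `*` or `/` changes the query or the topic instead of being looked up literally. Anyone who can edit an interface alias on the switch, or spoof a UDP/161 reply for the hard-coded `public` community, controls that string. I would reject anything that is not a plain hostname before the lookup, replacing `[ -z "$device" ] && continue` with `case "$device" in ''|*[!A-Za-z0-9._-]*) continue ;; esac`. The SNMPv1 `community="public"` read is the weaker link overall; SNMPv3 authPriv with a credential kept outside the script would make the polled values authentic rather than merely parsed.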
diff --git a/roles/routeros/meta/main.yml b/roles/routeros/meta/main.yml new file mode 100644 index 0000000..d2f9d51 --- /dev/null +++ b/roles/routeros/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: ldap} diff --git a/roles/routeros/tasks/main.yml b/roles/routeros/tasks/main.yml index 024b37d..8f73b67 100644 --- a/roles/routeros/tasks/main.yml +++ b/roles/routeros/tasks/main.yml @@ -1,4 +1,20 @@ --- +- name: Install packages + ansible.builtin.package: + name: "{{ item }}" + state: installed + with_items: + - mosquitto + - net-snmp-utils + +- name: Install routeros mib + ansible.builtin.copy: + dest: /usr/share/snmp/mibs/MIKROTIK-MIB.txt + src: mikrotik.mib + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + - name: Create group ansible.builtin.group: name: routeros @@ -38,10 +54,24 @@ owner: root group: "{{ ansible_wheel }}" -- name: Install cron job +- name: Install download cron job ansible.builtin.cron: name: download-routeros-firmware job: /usr/local/bin/download-routeros-firmware user: routeros hour: "05" minute: "25" + +- name: Install mqtt publish script + ansible.builtin.copy: + dest: /usr/local/bin/routeros-poe-mqtt-publish + src: routeros-poe-mqtt-publish.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Install mqtt publish cron job + ansible.builtin.cron: + name: routeros-poe-mqtt-publish + job: /usr/local/bin/routeros-poe-mqtt-publish + minute: "*/5" From 48beb781b356542e01f204b2cf279ebce4b76728 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Apr 2025 19:25:02 +0000 Subject: [PATCH 579/713] mosquitto: Allow nms hosts to write mqtt messages --- roles/mosquitto/templates/acl-tls.conf.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/mosquitto/templates/acl-tls.conf.j2 b/roles/mosquitto/templates/acl-tls.conf.j2 index b7eed5c..7422313 100644 --- a/roles/mosquitto/templates/acl-tls.conf.j2 +++ b/roles/mosquitto/templates/acl-tls.conf.j2 
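Review bot: The new `routeros-poe-mqtt-publish` cron entry in the second hunk has no `user:` and therefore runs as root every five minutes, whereas the download job right above it runs as `routeros`. The script only reads SNMP, queries LDAP and publishes over MQTT, none of which needs root; the one thing that may need privilege is reading the host TLS key under the OpenSSL `private/` directory, which can be handled with a group-readable key rather than a root cron. I would add `user: routeros` next to `minute: "*/5"` and, if the key really is root-only, grant read access to the `routeros` group instead. In the first hunk, `with_items` with a per-item `name` can be one transaction with the list passed directly to `name:`, which is both faster and the current idiom.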
@@ -3,5 +3,8 @@ pattern read # user {{ inventory_hostname }} topic readwrite # +user nms*.home.foo.sh +pattern readwrite # + user frigate*.home.foo.sh pattern readwrite frigate/%u/# From d4d68dc962815a88690c262bf51e9fd480d04f3a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Apr 2025 19:29:38 +0000 Subject: [PATCH 580/713] sshd_cert: Renew cert if it's close to expire --- roles/sshd_cert/tasks/main.yml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/roles/sshd_cert/tasks/main.yml b/roles/sshd_cert/tasks/main.yml index 30e52c5..964696e 100644 --- a/roles/sshd_cert/tasks/main.yml +++ b/roles/sshd_cert/tasks/main.yml @@ -23,6 +23,20 @@ delegate_to: localhost register: sshd_cert_status +- name: Get certificate info + ansible.builtin.command: + argv: + - ssh-keygen + - -L + - -f + - "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub" + changed_when: false + failed_when: false + check_mode: false + when: sshd_cert_status.stat.exists + delegate_to: localhost + register: sshd_cert_info + - name: Sign certificate ansible.builtin.command: argv: @@ -41,7 +55,11 @@ - "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub" when: > not sshd_cert_status.stat.exists or - sshd_cert_status.stat.mtime | int < sshd_cert_pubkey.stat.mtime | int + sshd_cert_status.stat.mtime | int < sshd_cert_pubkey.stat.mtime | int or + ( + sshd_cert_info.stdout_lines | select('match', '^[ ]*Valid: ') | + first | split() | last | to_datetime('%Y-%m-%dT%H:%M:%S') + ).strftime('%s') | int < ansible_date_time.epoch | int + 2592000 delegate_to: localhost - name: Install certificate From 20c91fad847158d41d1790503ad003747bfd6697 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Apr 2025 20:02:30 +0000 Subject: [PATCH 581/713] aten_pdu: Add noop mode to mqtt publish script --- roles/aten_pdu/files/aten-mqtt-publish.sh | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) 
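Review bot: `pattern readwrite #` is not scoped to the `user nms*.home.foo.sh` line above it — as I read mosquitto's acl_file documentation, `pattern` lines apply to every client regardless of a preceding `user` line, with the `%u`/`%c` substitutions being the only per-user scoping, which is exactly why the existing `pattern readwrite frigate/%u/#` is safe and this one is not. If that reading is right, this hunk gives every TLS client write access to every topic, including the frigate and Home Assistant discovery topics. Per-user grants are `user`/`topic` pairs, so I would write `user nms01.home.foo.sh` followed by `topic readwrite home/#` (one pair per NMS host, or a Jinja loop over the NMS group), which also narrows the grant to the `home/...` topics the publish scripts actually use. I am also not certain mosquitto globs `nms*` in a `user` line; the frigate line relies on the same assumption, so it is worth confirming with `mosquitto_sub` from an unrelated client certificate.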
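Review bot: The renewal condition in the second hunk can abort the play instead of renewing: `sshd_cert_info` is collected with `failed_when: false`, so if `ssh-keygen -L` fails on a corrupt or unreadable cert there is no `Valid:` line and `first` raises on an empty selection, and a certificate signed without a validity interval prints `Valid: forever`, which `to_datetime` cannot parse. I would compute the expiry once with a safe default and compare that, e.g. `sshd_cert_expiry: "{{ sshd_cert_info.stdout_lines | default([]) | select('match', '^ *Valid: from ') | map('split') | map('last') | first | default('1970-01-01T00:00:00') }}"` in a `set_fact`, then `or (sshd_cert_expiry | to_datetime('%Y-%m-%dT%H:%M:%S')).strftime('%s') | int < ansible_date_time.epoch | int + sshd_cert_renew_before`, so an unparsable cert is renewed rather than crashing the run. The magic `2592000` deserves a named variable such as `sshd_cert_renew_before` with a `# 30 days` comment. `strftime('%s')` also assumes the controller's local timezone is the one `ssh-keygen -L` printed in, which holds on a single host but is worth a comment.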
diff --git a/roles/aten_pdu/files/aten-mqtt-publish.sh b/roles/aten_pdu/files/aten-mqtt-publish.sh index 5b486c6..7dcfcaa 100644 --- a/roles/aten_pdu/files/aten-mqtt-publish.sh +++ b/roles/aten_pdu/files/aten-mqtt-publish.sh @@ -5,6 +5,12 @@ umask 077 community="public" +if [ "${1:-}" = "-n" ]; then + _noop=true +else + _noop=false +fi + mqtt_send() { topic="$1" value="$2" @@ -48,7 +54,11 @@ do for key in Current Power Voltage ; do topic="home/${location}/${device}/$(echo "$key" | tr '[:upper:]' '[:lower:]')" value="$(snmp_get "$name" "ATEN-PE-CFG::outlet${key}.${port}")" - mqtt_send "$topic" "$value" + if $_noop ; then + echo "${topic} -> ${value}" + else + mqtt_send "$topic" "$value" + fi done done done From 190a377076613e947c83640a5413c76e7c5eda92 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Apr 2025 20:05:48 +0000 Subject: [PATCH 582/713] aten_pdu: Try to get full hosntname for mqtt pub --- roles/aten_pdu/files/aten-mqtt-publish.sh | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/roles/aten_pdu/files/aten-mqtt-publish.sh b/roles/aten_pdu/files/aten-mqtt-publish.sh index 7dcfcaa..1d6d49a 100644 --- a/roles/aten_pdu/files/aten-mqtt-publish.sh +++ b/roles/aten_pdu/files/aten-mqtt-publish.sh @@ -51,7 +51,24 @@ do continue ;; esac - for key in Current Power Voltage ; do + if device_name="$(ldapsearch -Q -LLL cn="${device}.*" cn | awk " + { + if (\$1 == \"cn:\") { + if (name) { + exit 1 + } + name=\$2 + } + } END { + if (!name) { + exit 1 + } + print name + } + ")" ; then + device="$device_name" + fi + for key in Current Power Voltage ; do topic="home/${location}/${device}/$(echo "$key" | tr '[:upper:]' '[:lower:]')" value="$(snmp_get "$name" "ATEN-PE-CFG::outlet${key}.${port}")" if $_noop ; then From c820614f44ece7aca11044639f77e87816078774 Mon Sep 17 00:00:00 2001 
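Review bot: `$device` comes from the PDU's outlet name over SNMPv1 and is substituted straight into the LDAP filter `cn="${device}.*"`, so an outlet name containing `*`, `(`, `)` or `\` alters the query instead of being matched literally (a lone `*` matches every device, trips the `exit 1` in awk and silently falls back to the raw name, while `)(cn=...` can inject a clause). The enclosing `while read -r port device` loop starts outside this hunk. I would whitelist the name before the lookup, e.g. `case "$device" in *[!A-Za-z0-9._-]*) continue ;; esac`, and with nothing left to interpolate the awk program can be single-quoted so `\$1` and `\"cn:\"` become plain `$1` and `"cn:"`.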
From: Timo Makinen Date: Sun, 20 Apr 2025 14:22:39 +0000 Subject: [PATCH 583/713] aten_pdu: Get PDU location from LDAP --- roles/aten_pdu/files/aten-mqtt-publish.sh | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/roles/aten_pdu/files/aten-mqtt-publish.sh b/roles/aten_pdu/files/aten-mqtt-publish.sh index 1d6d49a..13432a0 100644 --- a/roles/aten_pdu/files/aten-mqtt-publish.sh +++ b/roles/aten_pdu/files/aten-mqtt-publish.sh @@ -36,11 +36,22 @@ for state in /run/keepalived/*.state ; do break done -ldapsearch -Q -LLL "(&(objectClass=device)(description=Aten PE*))" cn | \ - awk '{ if ($1 == "cn:") print $2 }' | while read -r name +ldapsearch -Q -LLL "(&(objectClass=device)(description=Aten PE*))" cn l | awk ' + { + if ($1 == "cn:") { + cn = $2 + } + if ($1 == "l:") { + l = substr($0, 3) + } + if ($0 == "" && cn != "" && l != "") { + print cn l + cn = "" + l = "" + } + } + ' | while read -r name location do - location="$(snmp_get "$name" RFC1213-MIB::sysLocation.0 | \ - tr '[:upper:]' '[:lower:]' | tr ' ' '_')" snmpwalk -v 1 -c "$community" "$name" -Oq \ -m ATEN-PE-CFG ATEN-PE-CFG::outletName | while read -r port device do From b1481de12cb14bf3e05d152844225ad06bcfc30e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Apr 2025 14:28:26 +0000 Subject: [PATCH 584/713] ha_mqtt_configd: Fix underscore handling in topics --- roles/ha_mqtt_configd/files/ha_mqtt_configd.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ha_mqtt_configd/files/ha_mqtt_configd.py b/roles/ha_mqtt_configd/files/ha_mqtt_configd.py index b5d2c03..bc1c3e7 100755 --- a/roles/ha_mqtt_configd/files/ha_mqtt_configd.py +++ b/roles/ha_mqtt_configd/files/ha_mqtt_configd.py @@ -23,7 +23,7 @@ def on_message(client, userdata, msg): config = { "dev": { "name": topic[2].capitalize(), - "suggested_area": topic[1].capitalize(), + "suggested_area": topic[1].capitalize().replace("_", " "), "identifiers": [ uniqueid, ], 
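Review bot: The awk rewrite drops the normalization that the removed `snmp_get ... sysLocation` path applied, so an LDAP `l` value such as `Server Room` is now published as `home/Server Room/...` instead of `home/server_room/...`, which no longer matches the underscore convention that `ha_mqtt_configd` expects and that the RouterOS publisher still produces. It also only works because `substr($0, 3)` keeps the space after `l:`, which `print cn l` then relies on as the field separator. I would do `l = tolower(substr($0, 4)); gsub(/ /, "_", l)` in the `l:` branch and `print cn, l` for the output. The `$0 == ""` record terminator presumably relies on ldapsearch printing a blank line after the last entry as well; worth confirming, otherwise the last PDU is silently skipped.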
From 2ef627998f0be5c6b84bd23541a6a41f9ae65c5a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Apr 2025 15:02:21 +0000 Subject: [PATCH 585/713] aten_pdu: Use more strict LDAP query --- roles/aten_pdu/files/aten-mqtt-publish.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/aten_pdu/files/aten-mqtt-publish.sh b/roles/aten_pdu/files/aten-mqtt-publish.sh index 13432a0..ba81c93 100644 --- a/roles/aten_pdu/files/aten-mqtt-publish.sh +++ b/roles/aten_pdu/files/aten-mqtt-publish.sh @@ -62,7 +62,8 @@ do continue ;; esac - if device_name="$(ldapsearch -Q -LLL cn="${device}.*" cn | awk " + if device_name="$(ldapsearch -Q -LLL \ + "(&(objectClass=device)(cn=${device}.*))" cn | awk " { if (\$1 == \"cn:\") { if (name) { From d4e9c308e25dfcb78d1393f0f2a4848eb0aadcd0 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Apr 2025 15:02:52 +0000 Subject: [PATCH 586/713] aten_pdu: Fix script permissions --- roles/aten_pdu/files/aten-mqtt-publish.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 roles/aten_pdu/files/aten-mqtt-publish.sh diff --git a/roles/aten_pdu/files/aten-mqtt-publish.sh b/roles/aten_pdu/files/aten-mqtt-publish.sh old mode 100644 new mode 100755 From e6fe9af993e85aa0dd8bfc1ae5d402313cbce8ca Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Apr 2025 15:04:10 +0000 Subject: [PATCH 587/713] aten_pdu: Fix tabs to spaces --- roles/aten_pdu/files/aten-mqtt-publish.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aten_pdu/files/aten-mqtt-publish.sh b/roles/aten_pdu/files/aten-mqtt-publish.sh index ba81c93..60803fa 100755 --- a/roles/aten_pdu/files/aten-mqtt-publish.sh +++ b/roles/aten_pdu/files/aten-mqtt-publish.sh @@ -62,7 +62,7 @@ do continue ;; esac - if device_name="$(ldapsearch -Q -LLL \ + if device_name="$(ldapsearch -Q -LLL \ "(&(objectClass=device)(cn=${device}.*))" cn | awk " { if (\$1 == \"cn:\") { 
From c95c7d1308afabd13f2f27749902bfe10c83b9b4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Apr 2025 16:12:35 +0000 Subject: [PATCH 588/713] Fix custom firewall rules on frigate hosts --- group_vars/frigate.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/group_vars/frigate.yml b/group_vars/frigate.yml index 48bed7f..f22e3ef 100644 --- a/group_vars/frigate.yml +++ b/group_vars/frigate.yml @@ -22,5 +22,4 @@ firewall_in: - {proto: tcp, port: 443, from: [172.20.20.0/22]} - {proto: tcp, port: 9100, from: [172.20.20.0/22]} firewall_raw: - - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - - "-A INPUT -i eth1 -p vrrp -j ACCEPT" + - "ip daddr 224.0.0.0/8 accept" From c88f8e6374bdb03c2fbffe107b85564a3c9b6be4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Apr 2025 16:21:25 +0000 Subject: [PATCH 589/713] Get IP cameras from LDAP --- group_vars/frigate.yml | 2 ++ roles/dhcpd/templates/dhcpd.conf.cam.j2 | 10 ++++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/group_vars/frigate.yml b/group_vars/frigate.yml index f22e3ef..81a93e1 100644 --- a/group_vars/frigate.yml +++ b/group_vars/frigate.yml @@ -16,6 +16,8 @@ unbound_zones: - 26.20.172.in-addr.arpa - cam.foo.sh dhcpd_template: dhcpd.conf.cam.j2 +dhcpd_ldap_filter: >- + (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.cam.foo.sh)) firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} diff --git a/roles/dhcpd/templates/dhcpd.conf.cam.j2 b/roles/dhcpd/templates/dhcpd.conf.cam.j2 index edddc1a..54eff12 100644 --- a/roles/dhcpd/templates/dhcpd.conf.cam.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.cam.j2 
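Review bot: The replacement rule is broader on one axis and narrower on another than the two iptables rules it removes: `ip daddr 224.0.0.0/8 accept` has no interface match, so multicast is now accepted on every interface rather than only `eth1`, and the `-p vrrp` accept has no nftables counterpart at all. If the frigate hosts still run keepalived (the removed rule suggests they did), VRRP advertisements will be dropped unless the firewall role admits protocol 112 elsewhere. I would keep the scope of the old rules: `iifname "eth1" ip daddr 224.0.0.0/8 accept` and, if still needed, `iifname "eth1" ip protocol vrrp accept`.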
@@ -29,10 +29,12 @@ shared-network CAMNET { use-host-decl-names on; } - host ipcam01.cam.foo.sh { - option host-name "ipcam01.cam.foo.sh"; - hardware ethernet ec:71:db:6e:bc:0f; - fixed-address 172.20.26.101; +{% for host in ldap_hosts.results %} + host {{ host['cn'] }} { + option host-name "{{ host['cn'] }}"; + hardware ethernet {{ host['macAddress'] }}; + fixed-address {{ host['ipHostNumber'] }}; } +{% endfor %} } From ec8ae902ed90f89a3d0de598462b4798f88d2b54 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Apr 2025 16:52:23 +0000 Subject: [PATCH 590/713] frigate: Get cameras from LDAP --- roles/frigate/tasks/main.yml | 16 ++++++++++++++++ .../templates/frigate-container.sysconfig.j2 | 4 ++-- roles/frigate/templates/frigate.yml.j2 | 8 ++++---- 3 files changed, 22 insertions(+), 6 deletions(-) diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml index 8189acd..7401e1f 100644 --- a/roles/frigate/tasks/main.yml +++ b/roles/frigate/tasks/main.yml @@ -43,6 +43,22 @@ remote_src: true notify: Restart frigate +- name: Get cameras from LDAP + community.general.ldap_search: + attrs: + - cn + - l + client_cert: >- + {{ hostvars[ansible_server]['tls_certs'] + '/' + ansible_server }}.crt + client_key: >- + {{ hostvars[ansible_server]['tls_private'] + '/' + ansible_server }}.key + dn: "{{ ldap_basedn }}" + filter: (&(objectClass=ipHost)(cn=ipcam*.cam.foo.sh)) + scope: subordinate + server_uri: "ldaps://{{ ldap_server[0] }}" + delegate_to: localhost + register: ldap_cams + - name: Create config ansible.builtin.template: dest: /etc/frigate.yml diff --git a/roles/frigate/templates/frigate-container.sysconfig.j2 b/roles/frigate/templates/frigate-container.sysconfig.j2 index c6b07ef..1f9f038 100644 --- a/roles/frigate/templates/frigate-container.sysconfig.j2 +++ b/roles/frigate/templates/frigate-container.sysconfig.j2 
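Review bot: `host['macAddress']` and `host['ipHostNumber']` go into `dhcpd.conf` verbatim, and both `ieee802Device` and `ipHost` allow several values; as I read `community.general.ldap_search`, a single value comes back as a string and several as a list, so a second MAC or address on one entry would render as `['a', 'b']` and break the configuration for every camera. `host {{ host['cn'] }}` is likewise emitted unquoted, so a `cn` with characters dhcpd does not accept in a declaration name fails the same way. The cheapest guard is to validate the rendered file in the template task that writes it (outside this diff): `validate: dhcpd -t -cf %s`; inside the template, `{% if host['macAddress'] is string and host['ipHostNumber'] is string %}` around the host block skips malformed entries instead of taking DHCP down for the whole segment. The task that registers `ldap_hosts` is not in this diff.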
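Review bot: The search returns every `ipHost` matching `ipcam*.cam.foo.sh` whether or not it carries an `l` attribute, and `ldap_search` only includes attributes that are set, so an entry without `l` will most likely make the `camera['l']` lookups in the two templates of this commit fail at render time. A presence test in the filter keeps such entries out: `filter: (&(objectClass=ipHost)(cn=ipcam*.cam.foo.sh)(l=*))`. Note also that the set of RTSP sources Frigate connects to is now defined by whoever can write `ipHost` entries under `{{ ldap_basedn }}`, so the write ACL on those entries is effectively part of this role's trust boundary and deserves a comment on the task.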
@@ -1,3 +1,3 @@ -{% for camera in cctv_cameras %} -FRIGATE_{{ camera.name | upper }}_PASS="{{ camera.pass }}" +{% for camera in ldap_cams.results %} +FRIGATE_{{ camera['l'] | upper }}_PASS="{{ cctv_cameras[camera['cn']] }}" {% endfor %} diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2 index 08c83f7..c269f6d 100644 --- a/roles/frigate/templates/frigate.yml.j2 +++ b/roles/frigate/templates/frigate.yml.j2 @@ -25,16 +25,16 @@ record: mode: motion cameras: -{% for camera in cctv_cameras %} - {{ camera.name }}: +{% for camera in ldap_cams.results %} + {{ camera['l'] }}: enabled: true ffmpeg: inputs: - - path: "rtsp://viewer:{FRIGATE_{{ camera.name | upper }}_PASS}@{{ camera.addr}}/h264Preview_01_sub" + - path: "rtsp://viewer:{FRIGATE_{{ camera['l'] | upper }}_PASS}@{{ camera['cn'] }}/h264Preview_01_sub" input_args: preset-rtsp-restream roles: - detect - - path: "rtsp://viewer:{FRIGATE_{{ camera.name | upper }}_PASS}@{{ camera.addr}}/h264Preview_01_main" + - path: "rtsp://viewer:{FRIGATE_{{ camera['l'] | upper }}_PASS}@{{ camera['cn'] }}/h264Preview_01_main" input_args: preset-rtsp-restream roles: - record From 1ff80f9171dfa985f42b54ebca0a2a40d9af3452 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 22 Apr 2025 17:28:14 +0000 Subject: [PATCH 591/713] Fix serial port number from homeassistant hosts --- host_vars/homeassistant01.home.foo.sh.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/host_vars/homeassistant01.home.foo.sh.yml b/host_vars/homeassistant01.home.foo.sh.yml index b2ab0ee..e952693 100644 --- a/host_vars/homeassistant01.home.foo.sh.yml +++ b/host_vars/homeassistant01.home.foo.sh.yml @@ -11,4 +11,4 @@ network_interfaces: virt_install_devices: - 0b05:190e - 10c4:ea60 - - /dev/ttyUSB8 + - /dev/ttyUSB0 From 14c718942999c05a8af04b1f8dc46f32d3e2d6c1 Mon Sep 17 00:00:00 2001 
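Review bot: `camera['l'] | upper` now names a shell variable in the sysconfig file and, in the same commit's `frigate.yml.j2` hunk, an unquoted YAML key and part of an RTSP URL, yet `l` is a free-text location attribute; a value with a space, hyphen or other non-identifier character produces an invalid `FRIGATE_..._PASS=` assignment and a Frigate camera name that no longer matches the env var. Normalising it the same way in both templates keeps them consistent, e.g. `FRIGATE_{{ camera['l'] | upper | regex_replace('[^A-Z0-9_]', '_') }}_PASS=`. `cctv_cameras[camera['cn']]` also fails the whole template for any camera present in the directory but absent from `cctv_cameras`, the reverse of the old behaviour where the variable defined the set; failing loudly is defensible, but say so in a comment above the loop.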
From: Timo Makinen Date: Tue, 22 Apr 2025 17:55:35 +0000 Subject: [PATCH 592/713] Fix custom firewall rules for print hosts --- group_vars/print.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/group_vars/print.yml b/group_vars/print.yml index ede482a..fc2e3fb 100644 --- a/group_vars/print.yml +++ b/group_vars/print.yml @@ -14,8 +14,7 @@ firewall_in: - {proto: tcp, port: 631, from: [172.20.20.0/22]} - {proto: tcp, port: 9100, from: [172.20.20.0/22]} firewall_raw: - - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - - "-A INPUT -i eth1 -p vrrp -j ACCEPT" + - "ip daddr 224.0.0.0/8 accept" dhcpd_template: dhcpd.conf.print.j2 dhcpd_ldap_filter: >- From 8c6974f856918718699a515a50a96fb787c30962 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 26 Apr 2025 18:16:52 +0000 Subject: [PATCH 593/713] Update software versions --- hosts.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/hosts.yml b/hosts.yml index 73a073d..4c3f054 100644 --- a/hosts.yml +++ b/hosts.yml @@ -20,12 +20,12 @@ forgejo: hosts: forgejo02.home.foo.sh: vars: - forgejo_version: "10.0.1" + forgejo_version: "11.0.0" frigate: hosts: frigate02.home.foo.sh: vars: - frigate_version: "0.15.0" + frigate_version: "0.15.1" fsolgw: hosts: fsol-gw01.home.foo.sh: @@ -34,11 +34,11 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2025.3" + homeassistant_version: "2025.4" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git - version: v2.0.9 + version: v2.0.10 - name: espsomfy_rts repo: https://github.com/rstrouse/ESPSomfy-RTS-HA.git version: v2.4.7 @@ -78,7 +78,7 @@ nms: nms01.home.foo.sh: nms02.home.foo.sh: vars: - snmp_exporter_version: "0.28.0" + snmp_exporter_version: "0.29.0" ns: hosts: ns01.home.foo.sh: 
@@ -89,8 +89,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "11.4.2" - rocketchat_version: "7.4.0" + grafana_version: "11.6.1" + rocketchat_version: "7.5.1" roundcube_version: "1.6.10" print: hosts: From 894f69f82f2cff5505e63c9c8915fbff7178f014 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 26 Apr 2025 20:04:49 +0000 Subject: [PATCH 594/713] routeros: Add force option to mqtt publish script --- roles/routeros/files/routeros-poe-mqtt-publish.sh | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/roles/routeros/files/routeros-poe-mqtt-publish.sh b/roles/routeros/files/routeros-poe-mqtt-publish.sh index 1b5afd5..d622f2a 100644 --- a/roles/routeros/files/routeros-poe-mqtt-publish.sh +++ b/roles/routeros/files/routeros-poe-mqtt-publish.sh @@ -23,12 +23,14 @@ snmp_get() { } # only run script if first vrrp interface is in master state -for state in /run/keepalived/*.state ; do - if [ "$(cat "$state")" != "MASTER" ]; then - exit 0 - fi - break -done +if [ "${1:-}" != "-f" ]; then + for state in /run/keepalived/*.state ; do + if [ "$(cat "$state")" != "MASTER" ]; then + exit 0 + fi + break + done +fi ldapsearch -Q -LLL "(&(objectClass=device)(description=MikroTik *))" cn | \ awk '{ if ($1 == "cn:") print $2 }' | while read -r name From 3a21dbfa35b32c6cec4fbe7867a7905096bbb249 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 26 Apr 2025 20:33:23 +0000 Subject: [PATCH 595/713] routeros: Don't run mqtt publish script as root --- roles/routeros/files/README.md | 6 ++++++ .../files/routeros-poe-mqtt-publish.sh | 18 +++++++++++------- roles/routeros/tasks/main.yml | 2 ++ 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/roles/routeros/files/README.md b/roles/routeros/files/README.md index 91fed9c..9e5cc1e 100644 --- a/roles/routeros/files/README.md +++ b/roles/routeros/files/README.md 
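Review bot: The master-state check wrapped in the new `-f` guard still aborts rather than exits quietly when the glob matches nothing: with no `/run/keepalived/*.state` file `$state` stays the literal pattern, `cat` fails and the `set -eu` at the top of the file (outside the hunk) terminates the run with an error from cron every five minutes. `[ -e "$state" ] || break` as the first statement of the loop body, or `exit 0` there if a missing state file should count as "not master", makes the intended behaviour explicit.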
@@ -14,3 +14,9 @@ ``` /interface/bridge/port/set [find where bridge=bridge and interface=ether1] pvid=30 ``` + +## Add name to port + +``` +/interface/ethernet/set [ find default-name=ether20 ] comment="name" +``` diff --git a/roles/routeros/files/routeros-poe-mqtt-publish.sh b/roles/routeros/files/routeros-poe-mqtt-publish.sh index d622f2a..4395ba0 100644 --- a/roles/routeros/files/routeros-poe-mqtt-publish.sh +++ b/roles/routeros/files/routeros-poe-mqtt-publish.sh @@ -4,16 +4,19 @@ set -eu umask 077 community="public" +tlsdir="$(openssl version -d | sed -e 's/^OPENSSLDIR: "\(.\+\)"$/\1/')" +cafile="${tlsdir}/certs/ca.crt" +keyfile="${tlsdir}/private/$(hostname -f).key" +certfile="${tlsdir}/certs/$(hostname -f).crt" + +export LDAPTLS_KEY="$keyfile" +export LDAPTLS_CERT="$certfile" mqtt_send() { topic="$1" value="$2" - - tlsdir="$(openssl version -d | sed -e 's/^OPENSSLDIR: "\(.\+\)"$/\1/')" mosquitto_pub -h mqtt02.home.foo.sh -t "$topic" -m "$value" \ - --cafile "${tlsdir}/certs/ca.crt" \ - --key "${tlsdir}/private/$(hostname -f).key" \ - --cert "${tlsdir}/certs/$(hostname -f).crt" + --cafile "$cafile" --key "$keyfile" --cert "$certfile" } snmp_get() { @@ -32,7 +35,7 @@ if [ "${1:-}" != "-f" ]; then done fi -ldapsearch -Q -LLL "(&(objectClass=device)(description=MikroTik *))" cn | \ +ldapsearch -Q -LLL -Y EXTERNAL "(&(objectClass=device)(description=MikroTik *))" cn | \ awk '{ if ($1 == "cn:") print $2 }' | while read -r name do snmpwalk -v 1 -c "$community" "$name" -Oq -m MIKROTIK-MIB \ @@ -43,7 +46,8 @@ do device="$(snmp_get "$name" "SNMPv2-SMI::mib-2.31.1.1.1.18.${port}")" [ -z "$device" ] && continue - location="$(ldapsearch -Q -LLL "(&(objectClass=device)(cn=${device}))" l | \ + location="$(ldapsearch -Q -LLL -Y EXTERNAL \ + "(&(objectClass=device)(cn=${device}))" l | \ sed -n 's/^l: \(.\+\)/\1/p' | tr '[:upper:]' '[:lower:]' | tr ' ' '_')" [ -z "$location" ] && continue 
diff --git a/roles/routeros/tasks/main.yml b/roles/routeros/tasks/main.yml index 8f73b67..f9693ad 100644 --- a/roles/routeros/tasks/main.yml +++ b/roles/routeros/tasks/main.yml @@ -25,6 +25,7 @@ name: routeros comment: RouterOS Downloader group: routeros + groups: hostkey create_home: false home: /var/empty shell: /sbin/nologin @@ -74,4 +75,5 @@ ansible.builtin.cron: name: routeros-poe-mqtt-publish job: /usr/local/bin/routeros-poe-mqtt-publish + user: routeros minute: "*/5" From b96bf22b92c31efc7d9791e0b7b9007efd574455 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 26 Apr 2025 20:34:05 +0000 Subject: [PATCH 596/713] routeros: Fix script permissions --- roles/routeros/files/download-routeros-firmware.sh | 0 roles/routeros/files/routeros-poe-mqtt-publish.sh | 0 2 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 roles/routeros/files/download-routeros-firmware.sh mode change 100644 => 100755 roles/routeros/files/routeros-poe-mqtt-publish.sh diff --git a/roles/routeros/files/download-routeros-firmware.sh b/roles/routeros/files/download-routeros-firmware.sh old mode 100644 new mode 100755 diff --git a/roles/routeros/files/routeros-poe-mqtt-publish.sh b/roles/routeros/files/routeros-poe-mqtt-publish.sh old mode 100644 new mode 100755 From 3c0e1c2a9fc2a564f3e5ac0b436a2c7da96f7a26 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 27 Apr 2025 13:55:04 +0000 Subject: [PATCH 597/713] routeros: Add script to check switch versions --- .../routeros/files/routeros-check-versions.sh | 40 +++++++++++++++++++ roles/routeros/tasks/main.yml | 16 ++++++++ 2 files changed, 56 insertions(+) create mode 100755 roles/routeros/files/routeros-check-versions.sh diff --git a/roles/routeros/files/routeros-check-versions.sh b/roles/routeros/files/routeros-check-versions.sh new file mode 100755 index 0000000..57ed144 --- /dev/null +++ b/roles/routeros/files/routeros-check-versions.sh 
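Review bot: Adding `routeros` to `hostkey` so the cron job can run unprivileged means the downloader/publisher account can now read the host's own TLS private key (`${tlsdir}/private/$(hostname -f).key`, exported as `LDAPTLS_KEY` and passed as the MQTT `--key` in this commit's script hunk), and with `-Y EXTERNAL` that key is also the host's LDAP identity. That is a clear improvement over root, but the script parses SNMPv1 data from the switches, so a bug there exposes the host identity key rather than a per-service one; a dedicated client certificate for the `routeros` account, or at least a comment explaining why the host key is shared, would make the trust decision visible. Suggested comment on the `groups: hostkey` line: `# hostkey: script authenticates to LDAP (SASL EXTERNAL) and MQTT with the host TLS key`.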
@@ -0,0 +1,40 @@ +#!/bin/sh + +set -eu + +community="public" +if [ "${1:-}" = "-f" ]; then + force=true +else + force=false +fi + +tlsdir="$(openssl version -d | sed -e 's/^OPENSSLDIR: "\(.\+\)"$/\1/')" +LDAPTLS_KEY="${tlsdir}/private/$(hostname -f).key" +LDAPTLS_CERT="${tlsdir}/certs/$(hostname -f).crt" +export LDAPTLS_KEY LDAPTLS_CERT + +# only run script if first vrrp interface is in master state if not forced +if ! $force; then + for state in /run/keepalived/*.state ; do + if [ "$(cat "$state")" != "MASTER" ]; then + exit 0 + fi + break + done +fi + +version="$(find /srv/web/oob.foo.sh/routeros/ -name \*.npk \ + -exec basename {} .npk \; | awk -F- '{ print $2 }' | sort -nr | head -n 1)" + +ldapsearch -Q -LLL -Y EXTERNAL "(&(objectClass=device)(description=MikroTik *))" cn | \ + awk '{ if ($1 == "cn:") print $2 }' | while read -r host +do + current="$(snmpget -v 1 -c "$community" "$host" -Oqv -m MIKROTIK-MIB \ + "MIKROTIK-MIB::mtxrFirmwareUpgradeVersion.0")" + if [ "$current" != "$version" ]; then + echo "${host}: Running old version (${current}) of RouterOS" + elif $force; then + echo "${host}: Up to date" + fi +done diff --git a/roles/routeros/tasks/main.yml b/roles/routeros/tasks/main.yml index f9693ad..e0f7e4d 100644 --- a/roles/routeros/tasks/main.yml +++ b/roles/routeros/tasks/main.yml @@ -77,3 +77,19 @@ job: /usr/local/bin/routeros-poe-mqtt-publish user: routeros minute: "*/5" + +- name: Install version check script + ansible.builtin.copy: + dest: /usr/local/bin/routeros-check-versions + src: routeros-check-versions.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Install version check cron job + ansible.builtin.cron: + name: routeros-check-versions + job: /usr/local/bin/routeros-check-versions + user: routeros + hour: "05" + minute: "30" From 5b6b7af580993ce5c60948a1d78b1aecb425664e Mon Sep 17 00:00:00 2001 
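Review bot: `sort -nr | head -n 1` does not order dotted versions: `-n` compares only the leading numeric prefix, so `7.9` sorts above `7.14.3` and a stale package left in `/srv/web/oob.foo.sh/routeros/` would make every switch on the newer release be reported as out of date. A field-wise numeric sort is portable: `| sort -t. -k1,1nr -k2,2nr -k3,3nr | head -n 1` (or `sort -Vr` where GNU sort is available). `"$current" != "$version"` is plain string inequality, so a switch running something newer than the newest package is also reported as "old"; a short comment saying that is intended would save the next reader a question.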
From: Timo Makinen Date: Sun, 27 Apr 2025 13:55:47 +0000 Subject: [PATCH 598/713] node_exporter: Fix textfile collector script --- .../node_exporter/files/node-exporter-run-textfile-collector.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/node_exporter/files/node-exporter-run-textfile-collector.sh b/roles/node_exporter/files/node-exporter-run-textfile-collector.sh index 97dd14c..dbc3c68 100755 --- a/roles/node_exporter/files/node-exporter-run-textfile-collector.sh +++ b/roles/node_exporter/files/node-exporter-run-textfile-collector.sh @@ -28,7 +28,7 @@ fi for script in /usr/local/libexec/node-exporter/*; do [ -x "$script" ] || continue "$VERBOSE" && echo "Processing script '${script}'" - target="${OUTDIR}/$(basename "$script")" + target="${OUTDIR}/$(basename "$script").prom" tmpfile="$(mktemp -p "$OUTDIR")" if "$script" > "$tmpfile" ; then "$VERBOSE" && echo " Success, updating stats" From 2ab0ad40a3971f76abb7fc4052ead9844c3c0b43 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 28 Apr 2025 03:46:12 +0000 Subject: [PATCH 599/713] lldpd: Initial version of role --- playbooks/vmhost.yml | 1 + roles/lldpd/tasks/main.yml | 11 +++++++++++ 2 files changed, 12 insertions(+) create mode 100644 roles/lldpd/tasks/main.yml diff --git a/playbooks/vmhost.yml b/playbooks/vmhost.yml index 3869f1c..21efb79 100644 --- a/playbooks/vmhost.yml +++ b/playbooks/vmhost.yml @@ -40,4 +40,5 @@ roles: - base - kvm_host + - lldpd - ssh_known_hosts diff --git a/roles/lldpd/tasks/main.yml b/roles/lldpd/tasks/main.yml new file mode 100644 index 0000000..4cdf42e --- /dev/null +++ b/roles/lldpd/tasks/main.yml @@ -0,0 +1,11 @@ +--- +- name: Install packages + ansible.builtin.package: + name: lldpd + state: installed + +- name: Enable service + ansible.builtin.service: + name: lldpd + enabled: true + state: started From 300ea72da2246d391bafe0505200659b5566571b Mon Sep 17 00:00:00 2001 
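Review bot: The new role starts `lldpd` with its defaults, which advertise the host name, system description and management addresses on every interface of the VM hosts this playbook targets; nothing here restricts which interfaces or which TLVs are sent. If only the switch-facing ports need it, a comment on the service task, or a later configuration task using `configure system interface pattern ...`, would document the decision. Suggested comment above `- name: Enable service`: `# lldpd advertises hostname/OS/management IPs on all interfaces by default; restrict via lldpd.conf if uplinks are untrusted`.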
From: Timo Makinen Date: Sat, 10 May 2025 16:02:36 +0000 Subject: [PATCH 600/713] Update OpenBSD installer to 7.7 --- group_vars/openbsd.yml | 2 +- playbooks/dna-gw.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/group_vars/openbsd.yml b/group_vars/openbsd.yml index 2695e29..8e460c6 100644 --- a/group_vars/openbsd.yml +++ b/group_vars/openbsd.yml @@ -18,4 +18,4 @@ num_cpus: 2 # extra args for virt-install virt_install_os_args: --cdrom {{ boot_url }}/openbsd/openbsd.iso virt_install_os_variant: openbsd7.4 -virt_install_python_cmd: pkg_add -I -x python +virt_install_python_cmd: pkg_add -I -x python%3 diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 17cb310..3d6d6ec 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -93,7 +93,7 @@ - name: Create tftp pxeboot loader for OpenBSD installs ansible.builtin.get_url: - url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.6/amd64/pxeboot" + url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.7/amd64/pxeboot" checksum: sha1:c696836c1e6cc67c6c31f6ceb5daaaa4ec0632b7 dest: /srv/tftpboot/pxeboot mode: "0644" @@ -102,8 +102,8 @@ - name: Create tftp ramdisk for OpenBSD installs ansible.builtin.get_url: - url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.6/amd64/bsd.rd" - checksum: sha1:f690655c768ec9ef208188921ac53634a9233aca + url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.7/amd64/bsd.rd" + checksum: sha1:1331f4ec1ba94866399d19423706e7848de2bd42 dest: /srv/tftpboot/bsd.rd mode: "0644" owner: root From 65431fc83a6cf3ddabdc8e89e0ba9575b6cd540a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 10 May 2025 17:08:57 +0000 Subject: [PATCH 601/713] dhcpd: Return filename for OpenBSD auto installer --- roles/dhcpd/templates/dhcpd.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2 index 7b41b05..31cfa87 100644 --- a/roles/dhcpd/templates/dhcpd.conf.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.j2 
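Review bot: Both `get_url` tasks pin the new 7.7 `pxeboot` and `bsd.rd` with `checksum: sha1:...`, which only proves the download matches a value someone computed once by hand; these two files are the unverified root of the auto-install chain (the sets fetched later are signify-checked, these are not). OpenBSD publishes a signed `SHA256.sig` per release, so a `checksum: sha256:<hex from the signed file>` pin (supported by `get_url`) is independently checkable and also avoids SHA-1. A comment noting where the hash was taken from would make the next version bump easier to audit.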
@@ -40,6 +40,7 @@ class "OpenBSD" { match if not exists vendor-class-identifier and not exists user-class; next-server 172.20.20.10; + filename "auto_install"; } shared-network FOOSH { From 43153431afe853cf2bb12c4d86af63f001acea4a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 10 May 2025 17:51:21 +0000 Subject: [PATCH 602/713] Use local config for OpenBSD installs --- playbooks/dna-gw.yml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 3d6d6ec..e226745 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -110,10 +110,20 @@ group: "{{ ansible_wheel }}" - name: Create install.conf for OpenBSD installs - ansible.builtin.get_url: - url: "https://boot.foo.sh/openbsd/install.conf" - checksum: sha1:f6270708dad3f759df02eefeab300d9b8670f3d4 + ansible.builtin.copy: dest: /srv/tftpboot/install.conf + content: | + Password for root account = ************* + Public ssh key for root account = {{ + lookup('file', '../files/ssh/adm.pub') + }} + Allow root ssh login = yes + URL to autopartitioning template for disklabel = {{ + boot_url + "/openbsd/autopart.conf" + }} + Location of sets = http + HTTP Server = cdn.openbsd.org + What timezone are you in = UTC mode: "0644" owner: root group: "{{ ansible_wheel }}" From d82d2ef5cf15fd6788d756a01b637b6fa2d62a9d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 10 May 2025 17:51:54 +0000 Subject: [PATCH 603/713] Fix extra whitespaces --- playbooks/dna-gw.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index e226745..6d94060 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -115,7 +115,7 @@ content: | Password for root account = ************* Public ssh key for root account = {{ - lookup('file', '../files/ssh/adm.pub') + lookup('file', '../files/ssh/adm.pub') }} Allow root ssh login = yes URL to autopartitioning template for disklabel = {{ 
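Review bot: `Allow root ssh login = yes` answers the installer with the value that yields `PermitRootLogin yes`; the installer also accepts `prohibit-password`, which matches how the account is set up here (locked password `*************`, key from `adm.pub`) and keeps password authentication for root closed even if a password is set later. One-line change: `Allow root ssh login = prohibit-password`. This file is served to any client on the install segment over TFTP (patch 601's dhcpd hunk hands out `filename "auto_install"`), so it must never gain a real password; a comment above `content:` such as `# served unauthenticated via tftp: public key only, never secrets` records that.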
From 099304e7e62c5cf363741915024a96a08db656f4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 15 May 2025 17:01:10 +0000 Subject: [PATCH 604/713] telegraf: Allow package installer to create user --- roles/telegraf/tasks/main.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/roles/telegraf/tasks/main.yml b/roles/telegraf/tasks/main.yml index d1ab303..cee2ebc 100644 --- a/roles/telegraf/tasks/main.yml +++ b/roles/telegraf/tasks/main.yml @@ -1,14 +1,15 @@ --- -- name: Add telegraf to hostkey group - ansible.builtin.user: - name: _telegraf - groups: hostkey - - name: Install packages ansible.builtin.package: name: telegraf state: installed +- name: Add telegraf to hostkey group + ansible.builtin.user: + name: _telegraf + groups: hostkey + append: true + - name: Create config ansible.builtin.template: dest: /etc/telegraf/telegraf.conf From 61eade7662f36b3e917406f2a420690cbe98a9a3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 16 May 2025 16:44:13 +0000 Subject: [PATCH 605/713] web_logs: Refactor and store daily logs --- roles/web_logs/files/parse-access-logs.sh | 37 +++++++++++++ roles/web_logs/tasks/main.yml | 64 ++++++++++++++--------- 2 files changed, 77 insertions(+), 24 deletions(-) create mode 100755 roles/web_logs/files/parse-access-logs.sh diff --git a/roles/web_logs/files/parse-access-logs.sh b/roles/web_logs/files/parse-access-logs.sh new file mode 100755 index 0000000..dadf557 --- /dev/null +++ b/roles/web_logs/files/parse-access-logs.sh 
@@ -0,0 +1,37 @@ +#!/bin/sh + +set -eu +umask 027 + +get_vhosts() { + { + for hostdir in /srv/weblog/* ; do + [ -d "$hostdir" ] || continue + for log in "${hostdir}/"*.access.log ; do + [ -f "$log" ] || continue + basename "$log" ".access.log" + done + done + } | sort | uniq +} + +print_date() { + date -r "$(($(date +%s) - $1 * 86400))" "+%Y-%m-%d" +} + +get_vhosts | while read -r vhost ; do + destdir="/srv/weblog/parsed/${vhost}" + [ -d "$destdir" ] || mkdir "$destdir" + for i in $(seq 0 7); do + isodate="$(print_date $i)" + outfile="${destdir}/access.log.${isodate}" + combine-logs -d "$isodate" \ + /srv/weblog/*/"${vhost}".access.log* > "${outfile}.tmp" + if [ -s "${outfile}.tmp" ]; then + mv "${outfile}.tmp" "$outfile" + else + rm -f "${outfile}.tmp" + break + fi + done +done diff --git a/roles/web_logs/tasks/main.yml b/roles/web_logs/tasks/main.yml index 27bf8ab..1d62ac6 100644 --- a/roles/web_logs/tasks/main.yml +++ b/roles/web_logs/tasks/main.yml 
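Review bot: The `break` on an empty day stops the whole 0..7 loop for that vhost, so a vhost with no requests between midnight and the 04:00 cron run (`i=0`) has none of its older days archived on that run; because every day is regenerated daily this only delays archiving, but if the source logs rotate out of `/srv/weblog/*/` in the meantime those days are lost. Unless an empty day is meant to signal "older input is gone", `continue` is the safer choice; patch 615 below keeps the `break`. `print_date` also depends on `date -r <seconds>` (BSD semantics; GNU `date -r` takes a file), which is fine if this only ever runs on the weblog host but deserves a comment such as `# date -r SECONDS: BSD date, not GNU`.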
@@ -1,44 +1,44 @@ --- -- name: Create logsync group +- name: Create weblog group ansible.builtin.group: - name: logsync + name: weblog gid: 312 system: true -- name: Create logsync user +- name: Create weblog user ansible.builtin.user: - name: logsync - comment: Service logsync + name: weblog + comment: Service weblog createhome: false - group: logsync + group: weblog home: /var/empty shell: /bin/sh system: true uid: 312 +- name: Create data directory + ansible.builtin.file: + path: /export/weblog + state: directory + mode: "0770" + owner: root + group: weblog + +- name: Link data directory + ansible.builtin.file: + path: /srv/weblog + src: /export/weblog + state: link + owner: root + group: "{{ ansible_wheel }}" + follow: false + - name: Include rclone role ansible.builtin.include_role: name: rclone vars: rclone_hostgroup: proxy - rclone_service: logsync - -- name: Create data directory - ansible.builtin.file: - path: /export/web-log - state: directory - mode: "0750" - owner: root - group: "{{ ansible_wheel }}" - -- name: Link data directory - ansible.builtin.file: - path: /srv/web-log - src: /export/web-log - state: link - owner: root - group: "{{ ansible_wheel }}" - follow: false + rclone_service: weblog - name: Copy log combiner ansible.builtin.copy: @@ -47,3 +47,19 @@ mode: "0755" owner: root group: "{{ ansible_wheel }}" + +- name: Copy log parser + ansible.builtin.copy: + dest: /usr/local/bin/parse-access-logs + src: parse-access-logs.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Install log parser cron job + ansible.builtin.cron: + name: parse-access-logs + job: /usr/local/bin/parse-access-logs + user: weblog + hour: "04" + minute: "00" From de5a72dc8d490e7b70ba2a0b198578ec82972d8d Mon Sep 17 00:00:00 2001 
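Review bot: The `weblog` service account keeps `shell: /bin/sh` while the same-named account on the proxies gets `/sbin/nologin` (patch 606), and nothing in this role appears to need an interactive shell: cron runs the new job through `/bin/sh` regardless of the passwd shell, and rclone/sftp clients do not need one either. If the rclone role does require it, a comment on the line would save the next reviewer from flipping it; otherwise `shell: /sbin/nologin` aligns it with the group's other accounts. The `/export/weblog` directory is `0770 root:weblog`, which is consistent with the parser's `umask 027`.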
From: Timo Makinen Date: Fri, 16 May 2025 16:45:11 +0000 Subject: [PATCH 606/713] nginx_logsync: Rename logsync user to weblog --- roles/nginx_logsync/tasks/main.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/nginx_logsync/tasks/main.yml b/roles/nginx_logsync/tasks/main.yml index 0d7c9ff..9ae7565 100644 --- a/roles/nginx_logsync/tasks/main.yml +++ b/roles/nginx_logsync/tasks/main.yml @@ -1,34 +1,34 @@ --- - name: Create group ansible.builtin.group: - name: logsync + name: weblog system: true - name: Create user ansible.builtin.user: - name: logsync - comment: Service logsync + name: weblog + comment: Service weblog create_home: false - group: logsync + group: weblog home: /var/empty shell: /sbin/nologin - name: Create authorized_keys ansible.builtin.copy: - dest: /etc/ssh/authorized_keys.logsync - src: ../files/ssh/logsync.pub + dest: /etc/ssh/authorized_keys.weblog + src: ../files/ssh/weblog.pub mode: "0640" owner: root - group: logsync + group: weblog - name: Configure sshd chroot ansible.builtin.blockinfile: path: /etc/ssh/sshd_config block: | - Match User logsync + Match User weblog ChrootDirectory /var/www/logs ForceCommand internal-sftp - AuthorizedKeysFile /etc/ssh/authorized_keys.logsync - marker: "# {mark} ANSIBLE MANAGED BLOCK (user logsync)" + AuthorizedKeysFile /etc/ssh/authorized_keys.weblog + marker: "# {mark} ANSIBLE MANAGED BLOCK (user weblog)" validate: "sshd -t -f %s" notify: Restart sshd From 951e0071cd639435cf4bd1bbd3deb55b5f24bf60 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 16 May 2025 16:46:27 +0000 Subject: [PATCH 607/713] Don't store ssh public keys to variables --- group_vars/all.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/group_vars/all.yml b/group_vars/all.yml index 13c4354..67d5671 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml 
@@ -28,9 +28,6 @@ tls_bundle: /etc/pki/tls/cert.pem # url where installer data is located boot_url: https://boot.foo.sh -# ssh public keys for logsync user -logsync_publickeys: "{{ lookup('file', '../files/ssh/logsync.pub') }}" - # default name servers network_dns_servers: - 8.8.8.8 From 137b48cf3f9047b14f7d7575d5173eff550e649d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 16 May 2025 16:47:19 +0000 Subject: [PATCH 608/713] Renamed to weblog --- files/ssh/logsync.pub | 1 - 1 file changed, 1 deletion(-) delete mode 100644 files/ssh/logsync.pub diff --git a/files/ssh/logsync.pub b/files/ssh/logsync.pub deleted file mode 100644 index e276db6..0000000 --- a/files/ssh/logsync.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIlXfTeMQoYjYVXFH5qhp+YgIBM/1r+BwzME7aEOu2yE logsync@log01.home.foo.sh From 17c2b560cc3583061a681f214dd7d7c767bbe314 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 16 May 2025 17:07:08 +0000 Subject: [PATCH 609/713] aten_pdu: Also log pdu info itself --- roles/aten_pdu/files/aten-mqtt-publish.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/aten_pdu/files/aten-mqtt-publish.sh b/roles/aten_pdu/files/aten-mqtt-publish.sh index 60803fa..971def7 100755 --- a/roles/aten_pdu/files/aten-mqtt-publish.sh +++ b/roles/aten_pdu/files/aten-mqtt-publish.sh @@ -52,6 +52,16 @@ ldapsearch -Q -LLL "(&(objectClass=device)(description=Aten PE*))" cn l | awk ' } ' | while read -r name location do + for key in Current Voltage Power ; do + topic="home/${location}/${name}/$(echo "$key" | tr '[:upper:]' '[:lower:]')" + value="$(snmp_get "$name" "ATEN-PE-CFG:device${key}.1")" + if $_noop ; then + echo "${topic} -> ${value}" + else + mqtt_send "$topic" "$value" + fi + done + snmpwalk -v 1 -c "$community" "$name" -Oq \ -m ATEN-PE-CFG ATEN-PE-CFG::outletName | while read -r port device do From 39ac3ddb266db57c9d507b212e2d7bf537ffe205 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sat, 17 May 2025 16:39:05 +0000 Subject: [PATCH 610/713] web_logs: Compress parsed logs --- roles/web_logs/files/parse-access-logs.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/web_logs/files/parse-access-logs.sh b/roles/web_logs/files/parse-access-logs.sh index dadf557..7983a99 100755 --- a/roles/web_logs/files/parse-access-logs.sh +++ b/roles/web_logs/files/parse-access-logs.sh @@ -29,6 +29,7 @@ get_vhosts | while read -r vhost ; do /srv/weblog/*/"${vhost}".access.log* > "${outfile}.tmp" if [ -s "${outfile}.tmp" ]; then mv "${outfile}.tmp" "$outfile" + xz -6 "$outfile" else rm -f "${outfile}.tmp" break From d92728e896211987eded1d15dd81e7c7180d23c6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 17 May 2025 18:14:53 +0000 Subject: [PATCH 611/713] Remove gitea.foo.sh website --- playbooks/proxy.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index da8b9b7..75357d3 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -72,9 +72,6 @@ - role: nginx_site nginx_site_name: git.foo.sh nginx_site_proxy: https://forgejo02.home.foo.sh/ - - role: nginx_site - nginx_site_name: gitea.foo.sh - nginx_site_redirect: https://git.foo.sh/ - role: nginx_site nginx_site_name: ha.foo.sh nginx_site_proxy: https://homeassistant01.home.foo.sh/ From c46a78dd70629daa9ab42a487cd8465b77d346c4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 21 May 2025 21:39:27 +0000 Subject: [PATCH 612/713] Increase memory size on dna-gw hosts --- group_vars/dnagw.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml index fe380e8..b53027a 100644 --- a/group_vars/dnagw.yml +++ b/group_vars/dnagw.yml @@ -1,4 +1,7 @@ --- +# increase memory size +mem_size: 512 + network_vip_interfaces: - device: vio0 vhid: 1 From 56280d51a71da0f7020db34a42f32b4c930d824b Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Wed, 21 May 2025 21:52:28 +0000 Subject: [PATCH 613/713] unbound: Use recommended outgoing-range --- roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 | 2 ++ roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 | 2 ++ 2 files changed, 4 insertions(+) diff --git a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 index 4765817..8e3a7b5 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 @@ -6,6 +6,8 @@ server: infra-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} key-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} + outgoing-range: {{ ( 1024 / ansible_processor_cores | int - 50 ) | int }} + interface: 172.20.20.10@53 interface: 172.20.20.10@853 interface: 172.20.20.11@53 diff --git a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 index c08d855..afac857 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 @@ -6,6 +6,8 @@ server: infra-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} key-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} + outgoing-range: {{ ( 1024 / ansible_processor_cores | int - 50 ) | int }} + interface: 172.20.20.10@53 interface: 172.20.20.10@853 interface: 172.20.20.11@53 From 1fdb448fc43bab0f4244144930cee087fefaf75c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 24 May 2025 19:47:41 +0000 Subject: [PATCH 614/713] unbound: Download DNSSEC root key --- roles/unbound/tasks/main.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index a64720b..a9f4f6d 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml 
@@ -15,6 +15,15 @@ creates: "{{ unbound_confdir }}/unbound_control.key" notify: Restart unbound +- name: Update DNSSEC root key + ansible.builtin.command: + argv: + - unbound-anchor + creates: "{{ unbound_zonedir }}/root.key" + register: result + failed_when: result.rc not in [0, 1] + notify: Restart unbound + - name: Copy zone files ansible.builtin.copy: dest: "{{ unbound_zonedir }}/{{ item }}" From 5ec0221634a49b17c934585b481f91be8fa661ac Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 27 May 2025 16:31:01 +0000 Subject: [PATCH 615/713] web_logs: Use mktemp for tmpfile --- roles/web_logs/files/parse-access-logs.sh | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/roles/web_logs/files/parse-access-logs.sh b/roles/web_logs/files/parse-access-logs.sh index 7983a99..92efe87 100755 --- a/roles/web_logs/files/parse-access-logs.sh +++ b/roles/web_logs/files/parse-access-logs.sh @@ -24,15 +24,16 @@ get_vhosts | while read -r vhost ; do [ -d "$destdir" ] || mkdir "$destdir" for i in $(seq 0 7); do isodate="$(print_date $i)" - outfile="${destdir}/access.log.${isodate}" + tmpfile="$(mktemp -p "$destdir")" + trap 'rm -f "$tmpfile"' EXIT combine-logs -d "$isodate" \ - /srv/weblog/*/"${vhost}".access.log* > "${outfile}.tmp" - if [ -s "${outfile}.tmp" ]; then - mv "${outfile}.tmp" "$outfile" - xz -6 "$outfile" - else - rm -f "${outfile}.tmp" + /srv/weblog/*/"${vhost}".access.log* | xz -6 > "$tmpfile" + if [ "$(xzcat "$tmpfile" | cut -c 1)" = "" ]; then + rm -f "$tmpfile" break + else + chmod 0640 "$tmpfile" + mv "$tmpfile" "${destdir}/access.log.${isodate}.xz" fi done done From 0155f456baa67ced768d65b7a1bdbcdce34a26d5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 27 May 2025 17:31:15 +0000 Subject: [PATCH 616/713] Move tests to forgejo --- {.gitea => .forgejo}/workflows/test.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) rename {.gitea => .forgejo}/workflows/test.yml (76%) 
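Review bot: The `Update DNSSEC root key` task in roles/unbound/tasks/main.yml runs `unbound-anchor` with no `-a` argument, so the key is written to the tool's compiled-in default path, while `creates:` checks `{{ unbound_zonedir }}/root.key`; unless those two paths coincide the task re-runs and notifies `Restart unbound` on every play. Pass the path explicitly under `argv`: `- -a` followed by `- "{{ unbound_zonedir }}/root.key"`. The `failed_when: result.rc not in [0, 1]` guard is weaker than it looks: as far as I recall the unbound-anchor man page, it exits 1 when the anchor was updated or the builtin key was used and 0 both when nothing changed and when an error occurred, so a failed fetch passes silently — checking the resulting file or `result.stderr` would be more reliable. The downloaded key only matters if unbound.conf references it via `auto-trust-anchor-file`; none of the unbound templates visible in this series do, so please confirm validation is actually enabled somewhere.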
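Review bot: The emptiness test `[ "$(xzcat "$tmpfile" | cut -c 1)" = "" ]` in parse-access-logs.sh decompresses the whole archive just to learn whether it has any bytes; `head -c 1` stops after the first byte: `if [ -z "$(xzcat "$tmpfile" | head -c 1)" ]; then`. The pipeline `combine-logs ... | xz -6 > "$tmpfile"` also discards combine-logs's exit status unless the script sets `pipefail` near the top (outside this hunk), so a crashing combine-logs is indistinguishable from "no logs for that day" and silently ends the loop via `break`. Both `mktemp -p` and the per-iteration `trap ... EXIT` run inside the `while read` pipeline's subshell, which works for cleanup but means the trap is re-armed on every iteration; a one-line comment saying so would save the next reader a puzzle. The enclosing loop starts before this hunk.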
diff --git a/.gitea/workflows/test.yml b/.forgejo/workflows/test.yml similarity index 76% rename from .gitea/workflows/test.yml rename to .forgejo/workflows/test.yml index 275f027..6c15dbf 100644 --- a/.gitea/workflows/test.yml +++ b/.forgejo/workflows/test.yml @@ -13,11 +13,9 @@ jobs: uses: actions/checkout@v2 - name: Install package dependencies run: | - sudo apt-get install \ + apt-get install \ ansible-lint \ - jsonlint \ shellcheck \ yamllint - ln -s /usr/bin/jsonlint-php /usr/local/bin/jsonlint - name: Run linters run: make -C ./tests From 1b3a2a80008d90758890f1950d25b49fc59a3df9 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 29 May 2025 17:16:58 +0000 Subject: [PATCH 617/713] web_logs: Better directory naming --- roles/web_logs/files/parse-access-logs.sh | 2 +- roles/web_logs/tasks/main.yml | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/web_logs/files/parse-access-logs.sh b/roles/web_logs/files/parse-access-logs.sh index 92efe87..6207c34 100755 --- a/roles/web_logs/files/parse-access-logs.sh +++ b/roles/web_logs/files/parse-access-logs.sh @@ -20,7 +20,7 @@ print_date() { } get_vhosts | while read -r vhost ; do - destdir="/srv/weblog/parsed/${vhost}" + destdir="/srv/weblog/archive/${vhost}" [ -d "$destdir" ] || mkdir "$destdir" for i in $(seq 0 7); do isodate="$(print_date $i)" diff --git a/roles/web_logs/tasks/main.yml b/roles/web_logs/tasks/main.yml index 1d62ac6..7b022ff 100644 --- a/roles/web_logs/tasks/main.yml +++ b/roles/web_logs/tasks/main.yml @@ -18,11 +18,14 @@ - name: Create data directory ansible.builtin.file: - path: /export/weblog + path: "{{ item }}" state: directory mode: "0770" owner: root group: weblog + with_items: + - /export/weblog + - /export/weblog/archive - name: Link data directory ansible.builtin.file: From 40e834144ff29c06c5f939681e1fbddb04d91b47 Mon Sep 17 00:00:00 2001 
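Review bot: `apt-get install \` in .forgejo/workflows/test.yml now runs without `sudo` (presumably as root in the container) and without `-y`, so on a runner where the packages are absent apt-get asks for confirmation, reads EOF from the non-interactive stdin and aborts. There is also no `apt-get update` first, so the package index in a fresh container may be missing or stale. Change the step to `apt-get update` followed by `apt-get install -y --no-install-recommends \` with the package list below unchanged. The `uses: actions/checkout@v2` context line is untouched here, but it is pinned to a mutable tag rather than a commit SHA, which is worth revisiting for a job that lints arbitrary repository content.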
From: Timo Makinen Date: Mon, 9 Jun 2025 16:18:15 +0000 Subject: [PATCH 618/713] autofs: Add more strict umask to users --- roles/autofs/files/umask.csh | 3 +++ roles/autofs/files/umask.sh | 5 +++++ roles/autofs/tasks/main.yml | 11 +++++++++++ 3 files changed, 19 insertions(+) create mode 100755 roles/autofs/files/umask.csh create mode 100755 roles/autofs/files/umask.sh diff --git a/roles/autofs/files/umask.csh b/roles/autofs/files/umask.csh new file mode 100755 index 0000000..c021f50 --- /dev/null +++ b/roles/autofs/files/umask.csh @@ -0,0 +1,3 @@ +if ($uid > 999 && "`/usr/bin/id -gn`" == "`/usr/bin/id -un`") then + umask 007 +endif diff --git a/roles/autofs/files/umask.sh b/roles/autofs/files/umask.sh new file mode 100755 index 0000000..4ed8452 --- /dev/null +++ b/roles/autofs/files/umask.sh @@ -0,0 +1,5 @@ +# shellcheck shell=sh +if [ "$(id -u)" -gt 999 ] && [ "$(id -gn)" = "$(id -un)" ]; then + umask 007 +fi + diff --git a/roles/autofs/tasks/main.yml b/roles/autofs/tasks/main.yml index 19f9565..3514acb 100644 --- a/roles/autofs/tasks/main.yml +++ b/roles/autofs/tasks/main.yml @@ -80,3 +80,14 @@ with_items: - usercache.sh - usercache.csh + +- name: Set umask for users + ansible.builtin.copy: + dest: "/etc/profile.d/{{ item }}" + src: "{{ item }}" + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + with_items: + - umask.sh + - umask.csh From 171802608d2db1e6a3e08d32745691a626751713 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 12 Jun 2025 19:08:14 +0000 Subject: [PATCH 619/713] nginx: Update nginx dnf module to 1.26 --- roles/nginx/tasks/main.yml | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index a397adf..38f9c67 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml 
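Review bot: umask.sh calls bare `id` while umask.csh calls `/usr/bin/id`; a /etc/profile.d snippet may be sourced before the user's PATH is final, so the sh variant should use the absolute path too: `if [ "$(/usr/bin/id -u)" -gt 999 ] && [ "$(/usr/bin/id -gn)" = "$(/usr/bin/id -un)" ]; then`. Neither file states its intent; a header such as `# Tighten umask to 007 for non-system users whose primary group is their private group; applies to login shells only` would make the scope clear, since cron jobs, command-only ssh sessions and services keep the system default. The trailing empty `+` line at the end of umask.sh is stray. The tasks hunk installs both files with mode 0644 although git records them as 0755, which is correct for sourced snippets but may confuse someone diffing the repo against a host.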
@@ -2,20 +2,36 @@ - name: Include OS-specific variables ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" -- name: Enable nginx:124 module +- name: Check if correct nginx dnf module is enabled + ansible.builtin.command: + argv: + - grep + - -E + - "^stream=1.26" + - /etc/dnf/modules.d/nginx.module + changed_when: false + check_mode: false + failed_when: result.rc not in [0, 1, 2] + register: result + when: + - ansible_os_family == "RedHat" + - ansible_distribution_major_version | int == 9 + - ansible_distribution != "Fedora" + +- name: Enable nginx:1.26 module ansible.builtin.command: argv: - dnf - module - -y - - enable - - nginx:1.24 - creates: /etc/dnf/modules.d/nginx.module + - switch-to + - nginx:1.26 notify: Restart nginx when: - ansible_os_family == "RedHat" - - ansible_distribution_major_version | int >= 9 + - ansible_distribution_major_version | int == 9 - ansible_distribution != "Fedora" + - result.rc != 0 - name: Install packages ansible.builtin.package: From 6edf3b6608edaaed055a8a66664a969a6bc9b50c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 12 Jun 2025 20:02:40 +0000 Subject: [PATCH 620/713] nginx: Update config to 1.26 format --- roles/nginx/templates/nginx.conf.j2 | 7 +++++-- roles/nginx_site/templates/site.conf.j2 | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index b6733d2..40fa906 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -54,8 +54,11 @@ http { ssl_prefer_server_ciphers off; server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + http3 off; + server_name {{ inventory_hostname }}; ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}-fullchain.crt; diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 index ca54573..a806608 100644 
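Review bot: The grep pattern `^stream=1.26` in the new check task in roles/nginx/tasks/main.yml leaves the dot unescaped, so it matches any character in that position; a fixed whole-line match is both stricter and simpler: replace `- -E` and `- "^stream=1.26"` with `- -xF` and `- "stream=1.26"`. The `failed_when: result.rc not in [0, 1, 2]` line accepts grep's rc 2, which is what a missing /etc/dnf/modules.d/nginx.module returns and is the expected state before the module was ever enabled, but that reasoning is not written down; add `# rc 1: another stream is enabled, rc 2: modules.d file absent (module never enabled)` above it. The generic `register: result` name is also used by other tasks in this repo (the unbound role registers `result` too) and would be easier to follow as e.g. `nginx_module_check`. Narrowing the version test from `>= 9` to `== 9` is presumably deliberate for EL10, where dnf modules no longer apply; a short comment saying so would prevent someone changing it back.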
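Review bot: `http2 on;` and `http3 off;` are now repeated in every `server {}` block of nginx.conf.j2 and again in nginx_site's site.conf.j2; both directives are valid at `http` level, so setting them once in the `http {}` block of nginx.conf.j2 and dropping them from the per-site template keeps the two templates from drifting. `http3 off;` is also the default, so it documents intent only — acceptable, but a short comment stating why it is spelled out would help. The surrounding `server {}` blocks continue outside the hunk.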
--- a/roles/nginx_site/templates/site.conf.j2 +++ b/roles/nginx_site/templates/site.conf.j2 @@ -14,8 +14,11 @@ upstream {{ nginx_site_name }} { } {% endif %} server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + http3 off; + server_name {{ nginx_site_name }}; access_log {{ nginx_logdir }}/{{ nginx_site_name }}.access.log custom; From d4e47f227348294a8ab9e87b884fc26a9c9e2131 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 12 Jun 2025 21:47:34 +0000 Subject: [PATCH 621/713] Update software versions --- hosts.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/hosts.yml b/hosts.yml index 4c3f054..237c811 100644 --- a/hosts.yml +++ b/hosts.yml @@ -20,7 +20,7 @@ forgejo: hosts: forgejo02.home.foo.sh: vars: - forgejo_version: "11.0.0" + forgejo_version: "11.0.1" frigate: hosts: frigate02.home.foo.sh: @@ -34,11 +34,11 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2025.4" + homeassistant_version: "2025.6" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git - version: v2.0.10 + version: v2.1.0 - name: espsomfy_rts repo: https://github.com/rstrouse/ESPSomfy-RTS-HA.git version: v2.4.7 @@ -89,9 +89,10 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "11.6.1" - rocketchat_version: "7.5.1" - roundcube_version: "1.6.10" + grafana_version: "12.0.1" + phpldapadmin_version: "2.1.4" + rocketchat_version: "7.6.3" + roundcube_version: "1.6.11" print: hosts: print01.home.foo.sh: @@ -100,7 +101,7 @@ prometheus: prometheus01.home.foo.sh: vars: mysqld_exporter_version: "0.17.2" - nginx_exporter_version: "1.4.1" + nginx_exporter_version: "1.4.2" proxy: hosts: proxy01.home.foo.sh: From e409252eba63923915c2a48af1de5acc7ab6ff9b Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Fri, 13 Jun 2025 07:47:26 +0000 Subject: [PATCH 622/713] Add support for installing Rocky 10 hosts --- group_vars/rocky10.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 group_vars/rocky10.yml diff --git a/group_vars/rocky10.yml b/group_vars/rocky10.yml new file mode 100644 index 0000000..4d2020a --- /dev/null +++ b/group_vars/rocky10.yml @@ -0,0 +1,29 @@ +--- +# default resources for new vm +dsk_size: 20 +mem_size: 2048 +num_cpus: 2 + +# extra args for virt-install +ks_file: "{{ boot_url }}/ks/rocky10.ks" +ipcmd: >- + {% if network_interfaces[0]['proto'] is defined %} + {% if network_interfaces[0]['proto'] == 'static' %} + {% set int=network_interfaces[0] %} + {% if int['ipaddr'] is defined and int['gateway'] is defined %} + nameserver=8.8.8.8 + ip={{ int['ipaddr'] }}::{{ int['gateway'] }}:{{ int['netmask'] }}::eth0:none + {% endif %} + {% endif %} + {% endif %} +virt_install_os_args: >- + --location + https://nic.funet.fi/pub/mirrors/rockylinux.org/10/BaseOS/x86_64/os + --extra-args + "inst.ks={{ ks_file }} + console=ttyS0 + net.ifnames=0 + bootdev=eth0 + inst.repo=https://nic.funet.fi/pub/mirrors/rockylinux.org/10/BaseOS/x86_64/os + {{ ipcmd }}" +virt_install_os_variant: rhel10-unknown From ea3c05c2b5cd9e0f396787f23a446cfc3b465421 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 13 Jun 2025 13:50:03 +0000 Subject: [PATCH 623/713] dhcpd: Move host declarations to global section No need to set host declarations in subnet or shared-network since they are always global and it gives warning during startup: WARNING: Host declarations are global. They are not limited to the scope you declared them in. --- roles/dhcpd/templates/dhcpd.conf.cam.j2 | 14 ++++++-------- roles/dhcpd/templates/dhcpd.conf.j2 | 14 ++++++-------- roles/dhcpd/templates/dhcpd.conf.oob.j2 | 14 ++++++-------- roles/dhcpd/templates/dhcpd.conf.print.j2 | 14 ++++++-------- 4 files changed, 24 insertions(+), 32 deletions(-) 
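Review bot: `nameserver=8.8.8.8` in the `ipcmd` boot arguments of group_vars/rocky10.yml points every new install at an external resolver even though the site runs its own (the dhcpd templates in this series hand out 172.20.20.10-12); if the internal resolvers are reachable at install time, prefer them, and if the external one is needed to bootstrap, add a why-comment above the line so it is not mistaken for an oversight. `{% set int=network_interfaces[0] %}` reuses the name of Jinja's `int` filter in a repo that uses `| int` widely; `{% set iface = network_interfaces[0] %}` reads better. The `is defined` guards cover `ipaddr` and `gateway` but not `netmask`, so a static interface without a netmask either fails at render time or renders an empty field, depending on the undefined-variable setting — either way it should be checked with the other two. The repository URLs are https, which is good; `ks_file` inherits whatever scheme `boot_url` uses.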
diff --git a/roles/dhcpd/templates/dhcpd.conf.cam.j2 b/roles/dhcpd/templates/dhcpd.conf.cam.j2 index 54eff12..b8d3668 100644 --- a/roles/dhcpd/templates/dhcpd.conf.cam.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.cam.j2 @@ -17,7 +17,6 @@ on commit { } shared-network CAMNET { - subnet 172.20.26.0 netmask 255.255.255.0 { default-lease-time 86400; max-lease-time 604800; @@ -28,13 +27,12 @@ shared-network CAMNET { option domain-name-servers 172.20.26.1, 172.20.26.2, 172.20.26.3; use-host-decl-names on; } +} {% for host in ldap_hosts.results %} - host {{ host['cn'] }} { - option host-name "{{ host['cn'] }}"; - hardware ethernet {{ host['macAddress'] }}; - fixed-address {{ host['ipHostNumber'] }}; - } -{% endfor %} - +host {{ host['cn'] }} { + option host-name "{{ host['cn'] }}"; + hardware ethernet {{ host['macAddress'] }}; + fixed-address {{ host['ipHostNumber'] }}; } +{% endfor %} diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2 index 31cfa87..5ec89f0 100644 --- a/roles/dhcpd/templates/dhcpd.conf.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.j2 @@ -44,7 +44,6 @@ class "OpenBSD" { } shared-network FOOSH { - subnet 172.20.20.0 netmask 255.255.252.0 { default-lease-time 86400; max-lease-time 604800; @@ -56,6 +55,7 @@ shared-network FOOSH { option domain-name-servers 172.20.20.10, 172.20.20.11, 172.20.20.12; use-host-decl-names on; } +} {% for hostname in hostvars %} {% if hostvars[hostname]['network_interfaces'] is defined %} @@ -66,14 +66,12 @@ shared-network FOOSH { {% else %} {% set ipaddr = '172.20.21.' + interface['mac'].split(':')[5] | int(base=16) | string %} {% endif %} - host {{ hostname }} { - option host-name "{{ hostname }}"; - hardware ethernet {{ interface['mac'] }}; - fixed-address {{ ipaddr }}; - } +host {{ hostname }} { + option host-name "{{ hostname }}"; + hardware ethernet {{ interface['mac'] }}; + fixed-address {{ ipaddr }}; +} {% endif %} {% endfor %} {% endif %} {% endfor %} - -} 
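Review bot: The host declarations moved to global scope in dhcpd.conf.cam.j2 interpolate `host['cn']`, `host['macAddress']` and `host['ipHostNumber']` straight from LDAP into dhcpd.conf, both as a bare identifier and inside `option host-name "..."`; a cn containing a quote, brace or semicolon would break or alter the generated configuration. Since this data comes from a directory rather than the inventory, a guard such as `{% if host['cn'] is match('^[A-Za-z0-9._-]+$') %}` around each block (or a `| regex_replace` on the value) would make the template fail closed. The same pattern is in dhcpd.conf.oob.j2 and dhcpd.conf.print.j2. If `macAddress` or `ipHostNumber` is multi-valued in this directory, the lookup may return a list rather than a string — worth confirming how `ldap_hosts` is registered, which is outside this diff.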
diff --git a/roles/dhcpd/templates/dhcpd.conf.oob.j2 b/roles/dhcpd/templates/dhcpd.conf.oob.j2 index b1a9034..b6e9a2e 100644 --- a/roles/dhcpd/templates/dhcpd.conf.oob.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.oob.j2 @@ -17,7 +17,6 @@ on commit { } shared-network OOBNET { - subnet 172.20.25.0 netmask 255.255.255.0 { default-lease-time 86400; max-lease-time 604800; @@ -28,13 +27,12 @@ shared-network OOBNET { option domain-name-servers 172.20.25.1, 172.20.25.2, 172.20.25.3; use-host-decl-names on; } +} {% for host in ldap_hosts.results %} - host {{ host['cn'] }} { - option host-name "{{ host['cn'] }}"; - hardware ethernet {{ host['macAddress'] }}; - fixed-address {{ host['ipHostNumber'] }}; - } -{% endfor %} - +host {{ host['cn'] }} { + option host-name "{{ host['cn'] }}"; + hardware ethernet {{ host['macAddress'] }}; + fixed-address {{ host['ipHostNumber'] }}; } +{% endfor %} diff --git a/roles/dhcpd/templates/dhcpd.conf.print.j2 b/roles/dhcpd/templates/dhcpd.conf.print.j2 index da5c2e7..dee631d 100644 --- a/roles/dhcpd/templates/dhcpd.conf.print.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.print.j2 @@ -17,7 +17,6 @@ on commit { } shared-network PRINTNET { - subnet 172.20.24.0 netmask 255.255.255.0 { default-lease-time 86400; max-lease-time 604800; @@ -28,13 +27,12 @@ shared-network PRINTNET { option domain-name-servers 172.20.24.1, 172.20.24.2, 172.20.24.3; use-host-decl-names on; } +} {% for host in ldap_hosts.results %} - host {{ host['cn'] }} { - option host-name "{{ host['cn'] }}"; - hardware ethernet {{ host['macAddress'] }}; - fixed-address {{ host['ipHostNumber'] }}; - } -{% endfor %} - +host {{ host['cn'] }} { + option host-name "{{ host['cn'] }}"; + hardware ethernet {{ host['macAddress'] }}; + fixed-address {{ host['ipHostNumber'] }}; } +{% endfor %} From abedf6102a63b8c76dac8d13dc2b27a5218940ed Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Fri, 13 Jun 2025 14:00:27 +0000 Subject: [PATCH 624/713] dhcpd: No need to use shared-networks --- roles/dhcpd/templates/dhcpd.conf.cam.j2 | 18 ++++++++---------- roles/dhcpd/templates/dhcpd.conf.j2 | 20 +++++++++----------- roles/dhcpd/templates/dhcpd.conf.oob.j2 | 18 ++++++++---------- roles/dhcpd/templates/dhcpd.conf.print.j2 | 18 ++++++++---------- 4 files changed, 33 insertions(+), 41 deletions(-) diff --git a/roles/dhcpd/templates/dhcpd.conf.cam.j2 b/roles/dhcpd/templates/dhcpd.conf.cam.j2 index b8d3668..fa49359 100644 --- a/roles/dhcpd/templates/dhcpd.conf.cam.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.cam.j2 @@ -16,17 +16,15 @@ on commit { ); } -shared-network CAMNET { - subnet 172.20.26.0 netmask 255.255.255.0 { - default-lease-time 86400; - max-lease-time 604800; - option subnet-mask 255.255.255.0; - option broadcast-address 172.20.26.255; +subnet 172.20.26.0 netmask 255.255.255.0 { + default-lease-time 86400; + max-lease-time 604800; + option subnet-mask 255.255.255.0; + option broadcast-address 172.20.26.255; - option domain-name "cam.foo.sh"; - option domain-name-servers 172.20.26.1, 172.20.26.2, 172.20.26.3; - use-host-decl-names on; - } + option domain-name "cam.foo.sh"; + option domain-name-servers 172.20.26.1, 172.20.26.2, 172.20.26.3; + use-host-decl-names on; } {% for host in ldap_hosts.results %} diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2 index 5ec89f0..e7e148c 100644 --- a/roles/dhcpd/templates/dhcpd.conf.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.j2 
@@ -43,18 +43,16 @@ class "OpenBSD" { filename "auto_install"; } -shared-network FOOSH { - subnet 172.20.20.0 netmask 255.255.252.0 { - default-lease-time 86400; - max-lease-time 604800; - option subnet-mask 255.255.252.0; - option broadcast-address 172.20.23.255; - option routers 172.20.20.1; +subnet 172.20.20.0 netmask 255.255.252.0 { + default-lease-time 86400; + max-lease-time 604800; + option subnet-mask 255.255.252.0; + option broadcast-address 172.20.23.255; + option routers 172.20.20.1; - option domain-name "home.foo.sh"; - option domain-name-servers 172.20.20.10, 172.20.20.11, 172.20.20.12; - use-host-decl-names on; - } + option domain-name "home.foo.sh"; + option domain-name-servers 172.20.20.10, 172.20.20.11, 172.20.20.12; + use-host-decl-names on; } {% for hostname in hostvars %} diff --git a/roles/dhcpd/templates/dhcpd.conf.oob.j2 b/roles/dhcpd/templates/dhcpd.conf.oob.j2 index b6e9a2e..6a0382a 100644 --- a/roles/dhcpd/templates/dhcpd.conf.oob.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.oob.j2 @@ -16,17 +16,15 @@ on commit { ); } -shared-network OOBNET { - subnet 172.20.25.0 netmask 255.255.255.0 { - default-lease-time 86400; - max-lease-time 604800; - option subnet-mask 255.255.255.0; - option broadcast-address 172.20.25.255; +subnet 172.20.25.0 netmask 255.255.255.0 { + default-lease-time 86400; + max-lease-time 604800; + option subnet-mask 255.255.255.0; + option broadcast-address 172.20.25.255; - option domain-name "oob.foo.sh"; - option domain-name-servers 172.20.25.1, 172.20.25.2, 172.20.25.3; - use-host-decl-names on; - } + option domain-name "oob.foo.sh"; + option domain-name-servers 172.20.25.1, 172.20.25.2, 172.20.25.3; + use-host-decl-names on; } {% for host in ldap_hosts.results %} diff --git a/roles/dhcpd/templates/dhcpd.conf.print.j2 b/roles/dhcpd/templates/dhcpd.conf.print.j2 index dee631d..1a4b772 100644 --- a/roles/dhcpd/templates/dhcpd.conf.print.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.print.j2 
@@ -16,17 +16,15 @@ on commit { ); } -shared-network PRINTNET { - subnet 172.20.24.0 netmask 255.255.255.0 { - default-lease-time 86400; - max-lease-time 604800; - option subnet-mask 255.255.255.0; - option broadcast-address 172.20.24.255; +subnet 172.20.24.0 netmask 255.255.255.0 { + default-lease-time 86400; + max-lease-time 604800; + option subnet-mask 255.255.255.0; + option broadcast-address 172.20.24.255; - option domain-name "print.foo.sh"; - option domain-name-servers 172.20.24.1, 172.20.24.2, 172.20.24.3; - use-host-decl-names on; - } + option domain-name "print.foo.sh"; + option domain-name-servers 172.20.24.1, 172.20.24.2, 172.20.24.3; + use-host-decl-names on; } {% for host in ldap_hosts.results %} From e5646b673e9e9a7030efc5322db29d406b3d33d7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 14 Jun 2025 16:30:06 +0000 Subject: [PATCH 625/713] Add global ssh_known_hosts to shell hosts --- playbooks/shell.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/shell.yml b/playbooks/shell.yml index 9b4b060..71d62d3 100644 --- a/playbooks/shell.yml +++ b/playbooks/shell.yml @@ -87,6 +87,7 @@ - lynx - mutt - opencollab + - ssh_known_hosts - thunderbird loop_control: loop_var: role From d680e43b706e3e6b34fa2b5655c3beaaf3815c91 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 14 Jun 2025 18:21:06 +0000 Subject: [PATCH 626/713] routeros: Fix permissions of downloaded firmware --- roles/routeros/files/download-routeros-firmware.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/routeros/files/download-routeros-firmware.sh b/roles/routeros/files/download-routeros-firmware.sh index 96260ca..56f0cd0 100755 --- a/roles/routeros/files/download-routeros-firmware.sh +++ b/roles/routeros/files/download-routeros-firmware.sh @@ -2,7 +2,7 @@ set -eu -umask 022 +umask 077 cd /srv/web/oob.foo.sh/routeros 
@@ -56,6 +56,7 @@ if [ "$(sha256sum "$tmpfile" | cut -d " " -f 1)" != "$checksum" ]; then fi mv "$tmpfile" "$packagename" +chmod 644 "$packagename" echo curl -sSf "https://cdn.mikrotik.com/routeros/$(echo "$packagename" | cut -d "-" -f 2)/CHANGELOG" From d492ccc654c8483fe7874858c25510894b11bf86 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 14 Jun 2025 18:21:34 +0000 Subject: [PATCH 627/713] routeros: Add SSH config for routeros devices --- roles/routeros/files/routeros.conf | 2 ++ roles/routeros/tasks/main.yml | 8 ++++++++ 2 files changed, 10 insertions(+) create mode 100644 roles/routeros/files/routeros.conf diff --git a/roles/routeros/files/routeros.conf b/roles/routeros/files/routeros.conf new file mode 100644 index 0000000..5b0f6b0 --- /dev/null +++ b/roles/routeros/files/routeros.conf @@ -0,0 +1,2 @@ +Host ap*.oob.foo.sh sw*.oob.foo.sh + User admin diff --git a/roles/routeros/tasks/main.yml b/roles/routeros/tasks/main.yml index e0f7e4d..356995d 100644 --- a/roles/routeros/tasks/main.yml +++ b/roles/routeros/tasks/main.yml @@ -93,3 +93,11 @@ user: routeros hour: "05" minute: "30" + +- name: Copy ssh config + ansible.builtin.copy: + dest: /etc/ssh/ssh_config.d/routeros.conf + src: routeros.conf + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" From 06889e36b2c03cce4fdd3a2e932818d21cef7691 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 16 Jun 2025 18:42:06 +0000 Subject: [PATCH 628/713] Simplify OpenBSD installs Use custom openbsd boot cd for installs: https://github.com/tmakinen/openbsd-autoinstall --- group_vars/openbsd.yml | 2 +- playbooks/dna-gw.yml | 79 ----------------------------- roles/dhcpd/templates/dhcpd.conf.j2 | 8 --- 3 files changed, 1 insertion(+), 88 deletions(-) diff --git a/group_vars/openbsd.yml b/group_vars/openbsd.yml index 8e460c6..5eb5d31 100644 --- a/group_vars/openbsd.yml +++ b/group_vars/openbsd.yml 
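Review bot: In download-routeros-firmware.sh the new `chmod 644 "$packagename"` runs after the `mv`, so for a moment the published name exists as a 0600 file (umask 077 now applies to the temp file) and a concurrent web request gets a permission error instead of the previous package; swap the order to `chmod 644 "$tmpfile"` followed by `mv "$tmpfile" "$packagename"` so the rename publishes a complete, readable file atomically. The sha256 comparison just above is context, and where `$checksum` originates is outside the hunk; the tighter umask is the right direction for a file that has not yet been verified.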
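Review bot: routeros.conf sets `User admin` system-wide for every `ap*.oob.foo.sh` and `sw*.oob.foo.sh` host; `admin` is the default full-rights RouterOS account, so every script and interactive login from this host runs with complete device control. A dedicated RouterOS user in a restricted group for routine access would limit the blast radius, and the `ssh_known_hosts` role added to shell hosts earlier in this series could carry the devices' host keys so these connections are not trust-on-first-use. A one-line comment at the top of routeros.conf naming the devices this applies to and why would also help the next reader. The copy task has no handler, which is fine since ssh_config is read per connection.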
@@ -17,5 +17,5 @@ num_cpus: 2 # extra args for virt-install virt_install_os_args: --cdrom {{ boot_url }}/openbsd/openbsd.iso -virt_install_os_variant: openbsd7.4 +virt_install_os_variant: openbsd7.6 virt_install_python_cmd: pkg_add -I -x python%3 diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 6d94060..b0e69c6 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml 
@@ -71,82 +71,3 @@ - name: Import unbound_exporter role ansible.builtin.import_role: name: unbound_exporter - - - name: Create tftp boot directories - ansible.builtin.file: - path: /srv/tftpboot/etc - state: directory - mode: "0755" - owner: root - group: "{{ ansible_wheel }}" - - - name: Create tftp boot config for OpenBSD installs - ansible.builtin.copy: - dest: /srv/tftpboot/etc/boot.conf - content: | - stty com0 115200 - set tty com0 - boot tftp:bsd.rd - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - - - name: Create tftp pxeboot loader for OpenBSD installs - ansible.builtin.get_url: - url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.7/amd64/pxeboot" - checksum: sha1:c696836c1e6cc67c6c31f6ceb5daaaa4ec0632b7 - dest: /srv/tftpboot/pxeboot - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - - - name: Create tftp ramdisk for OpenBSD installs - ansible.builtin.get_url: - url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.7/amd64/bsd.rd" - checksum: sha1:1331f4ec1ba94866399d19423706e7848de2bd42 - dest: /srv/tftpboot/bsd.rd - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - - - name: Create install.conf for OpenBSD installs - ansible.builtin.copy: - dest: /srv/tftpboot/install.conf - content: | - Password for root account = ************* - Public ssh key for root account = {{ - lookup('file', '../files/ssh/adm.pub') - }} - Allow root ssh login = yes - URL to autopartitioning template for disklabel = {{ - boot_url + "/openbsd/autopart.conf" - }} - Location of sets = http - HTTP Server = cdn.openbsd.org - What timezone are you in = UTC - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - - - name: Copy custom to allow plaint http access with internal IP - ansible.builtin.copy: - dest: /etc/nginx/conf.d/172.20.20.1.conf - content: | - server { - listen 172.20.20.10:80; - server_name 172.20.20.10; - access_log /var/www/logs/172.20.20.10.access.log combined; - error_log /var/www/logs/172.20.20.10.error.log warn; - location / { - 
location /install.conf { - alias /srv/tftpboot/install.conf; - } - location / { - deny all; - } - } - } - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - notify: Restart nginx diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2 index e7e148c..53dbd87 100644 --- a/roles/dhcpd/templates/dhcpd.conf.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.j2 @@ -35,14 +35,6 @@ class "PXEClient" { } } -# kludge to try to detect openbsd installer -class "OpenBSD" { - match if not exists vendor-class-identifier and not exists user-class; - - next-server 172.20.20.10; - filename "auto_install"; -} - subnet 172.20.20.0 netmask 255.255.252.0 { default-lease-time 86400; max-lease-time 604800; From 911f22d3a5273b74383d84c4d3966d5880a392e6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Jun 2025 20:16:01 +0000 Subject: [PATCH 629/713] unbound: Allow setting config name --- roles/unbound/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index a9f4f6d..5ee92b6 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -38,7 +38,7 @@ - name: Copy config ansible.builtin.template: dest: "{{ unbound_confdir }}/unbound.conf" - src: "unbound.conf.{{ inventory_hostname }}.j2" + src: "{{ unbound_config | default('unbound.conf.' + inventory_hostname + '.j2') }}" mode: "0644" owner: root group: "{{ ansible_wheel }}" From 1ac05ad5cc0bdd3899bba85b86fb614b2d6ffddd Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Jun 2025 20:36:12 +0000 Subject: [PATCH 630/713] Use more dynamic group config for dna-gw hosts --- group_vars/dnagw.yml | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml index b53027a..e533ff6 100644 --- a/group_vars/dnagw.yml +++ b/group_vars/dnagw.yml 
@@ -2,29 +2,38 @@ # increase memory size mem_size: 512 +intnet_netmask: "{{ network_interfaces[0].netmask }}" +intnet_prefix: >- + {% set ip = network_interfaces[0].ipaddr.split('.') -%} + {% if intnet_netmask == '255.255.252.0' -%} + {{ [ ip[0], ip[1], ip[2] | int - 1 ] | join('.') -}} + {% else -%} + {{ [ ip[0], ip[1], ip[2] ] | join('.') -}} + {% endif -%} + network_vip_interfaces: - device: vio0 vhid: 1 - ipaddr: 172.20.20.1 - netmask: 255.255.252.0 + ipaddr: "{{ intnet_prefix }}.1" + netmask: "{{ intnet_netmask }}" pass: "{{ vip1_pass }}" priority: 120 - device: vio0 vhid: 10 - ipaddr: 172.20.20.10 - netmask: 255.255.252.0 + ipaddr: "{{ intnet_prefix }}.10" + netmask: "{{ intnet_netmask }}" pass: "{{ vip10_pass }}" priority: 120 - device: vio0 vhid: 11 - ipaddr: 172.20.20.11 - netmask: 255.255.252.0 + ipaddr: "{{ intnet_prefix }}.11" + netmask: "{{ intnet_netmask }}" pass: "{{ vip11_pass }}" priority: "{{ vip11_priority }}" - device: vio0 vhid: 12 - ipaddr: 172.20.20.12 - netmask: 255.255.252.0 + ipaddr: "{{ intnet_prefix }}.12" + netmask: "{{ intnet_netmask }}" pass: "{{ vip12_pass }}" priority: "{{ vip12_priority }}" network_ether_interfaces: @@ -43,4 +52,4 @@ ifstated_config: ifstated-dna.conf.j2 # ssh host alaises ssh_hostnames: - - gw.home.foo.sh + - "gw.{{ inventory_hostname.split('.')[1] }}.foo.sh" From c4e00297806e303d98dd5da9e15c67ccc4cb3bc8 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Jun 2025 20:38:55 +0000 Subject: [PATCH 631/713] unbound: More dynamic config for dna-gw hosts --- group_vars/dnagw.yml | 5 +- .../unbound.conf.dna-gw02.home.foo.sh.j2 | 49 ------------------- ...w01.home.foo.sh.j2 => unbound.conf.dna.j2} | 16 +++--- 3 files changed, 12 insertions(+), 58 deletions(-) delete mode 100644 roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 rename roles/unbound/templates/{unbound.conf.dna-gw01.home.foo.sh.j2 => unbound.conf.dna.j2} (75%) 
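Review bot: `intnet_prefix` in group_vars/dnagw.yml derives the network's first three octets by hand: for netmask 255.255.252.0 it subtracts one from the host's third octet, which is only right when the host sits in the second /24 of the /22 (as the removed `172.20.21.x` listeners suggest), and for any other mask it takes the host's third octet as-is, which is wrong for e.g. a /23 host in the upper half. Computing the network address with the ipaddr filter is shorter and correct for any mask: `intnet_prefix: "{{ ((network_interfaces[0].ipaddr + '/' + intnet_netmask) | ansible.utils.ipaddr('network')).rsplit('.', 1)[0] }}"` (the `ansible.utils` collection is already used by the unbound template later in this series). Either way a comment stating the assumption, `# VIPs live in the first /24 of the internal network`, belongs above it, since `.1`, `.10` etc. are appended to this prefix. The `ssh_hostnames` change assumes hostnames of the form `<host>.<site>.foo.sh`, which a short comment could note too.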
diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml index e533ff6..d6f1446 100644 --- a/group_vars/dnagw.yml +++ b/group_vars/dnagw.yml @@ -45,7 +45,10 @@ unbound_zones: - home.foo.sh # use custom firewall config -firewall_src: pf.conf.gw_home +firewall_src: pf.conf.gw_home.j2 + +# unbound config +unbound_config: unbound.conf.dna.j2 # ifstated config ifstated_config: ifstated-dna.conf.j2 diff --git a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 deleted file mode 100644 index afac857..0000000 --- a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 +++ /dev/null 
@@ -1,49 +0,0 @@
-server:
- # https://nlnetlabs.nl/documentation/unbound/howto-optimise/
- num-threads: {{ ansible_processor_cores }}
- msg-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}
- rrset-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}
- infra-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}
- key-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}
-
- outgoing-range: {{ ( 1024 / ansible_processor_cores | int - 50 ) | int }}
-
- interface: 172.20.20.10@53
- interface: 172.20.20.10@853
- interface: 172.20.20.11@53
- interface: 172.20.20.11@853
- interface: 172.20.20.12@53
- interface: 172.20.20.12@853
- interface: 172.20.21.2@53
-
- tls-service-key: {{ tls_private }}/dns.home.foo.sh.key
- tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt
- tls-cert-bundle: {{ tls_bundle }}
-
- access-control: 127.0.0.0/8 allow
- access-control: ::1 allow
- access-control: 172.20.20.0/22 allow
-
- extended-statistics: yes
-
- hide-identity: yes
- hide-version: yes
-
- prefetch: yes
- unblock-lan-zones: yes
-
-remote-control:
- control-enable: yes
- control-interface: /var/run/unbound.sock
-
-forward-zone:
- name: "."
- forward-tls-upstream: yes
- forward-addr: 8.8.8.8@853#dns.google
- forward-addr: 8.8.4.4@853#dns.google
-
-{% for zone in unbound_zones %}
-auth-zone:
- name: "{{ zone }}"
- zonefile: "{{ unbound_zonedir }}/{{ zone }}"
-{% endfor %}
diff --git a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna.j2
similarity index 75%
rename from roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2
rename to roles/unbound/templates/unbound.conf.dna.j2
index 8e3a7b5..335da99 100644
--- a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2
+++ b/roles/unbound/templates/unbound.conf.dna.j2
@@ -8,13 +8,12 @@ server:
 outgoing-range: {{ ( 1024 / ansible_processor_cores | int - 50 ) | int }}
- interface: 172.20.20.10@53
- interface: 172.20.20.10@853
- interface: 172.20.20.11@53
- interface: 172.20.20.11@853
- interface: 172.20.20.12@53
- interface: 172.20.20.12@853
- interface: 172.20.21.1@53
+ interface: {{ intnet_prefix }}.10@53
+ interface: {{ intnet_prefix }}.10@853
+ interface: {{ intnet_prefix }}.11@53
+ interface: {{ intnet_prefix }}.11@853
+ interface: {{ intnet_prefix }}.12@53
+ interface: {{ intnet_prefix }}.12@853
 tls-service-key: {{ tls_private }}/dns.home.foo.sh.key
 tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt
@@ -22,9 +21,10 @@ server:
 access-control: 127.0.0.0/8 allow
 access-control: ::1 allow
- access-control: 172.20.20.0/22 allow
+ access-control: {{ intnet_prefix }}.0/{{ (intnet_prefix + '.0/' + intnet_netmask) | ansible.utils.ipaddr('prefix') }} allow
 extended-statistics: yes
+ verbosity: 1
 hide-identity: yes
 hide-version: yes
From b8f08d5aafb0c4d6d514c28304f501dd043faace Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Tue, 17 Jun 2025 20:40:23 +0000
Subject: [PATCH 632/713] pf: Use templates for static firewall configs
---
group_vars/dnagw.yml | 2 +-
group_vars/fsolgw.yml | 2 +-
roles/pf/tasks/main.yml | 2 +-
roles/pf/{files/pf.conf.gw_home => templates/pf.conf.gw_dna.j2} | 0
.../pf/{files/pf.conf.gw_fsol => templates/pf.conf.gw_fsol.j2} | 0
5 files changed, 3 insertions(+), 3 deletions(-)
rename roles/pf/{files/pf.conf.gw_home => templates/pf.conf.gw_dna.j2} (100%)
rename roles/pf/{files/pf.conf.gw_fsol => templates/pf.conf.gw_fsol.j2} (100%)
diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml
index d6f1446..36e764b 100644
--- a/group_vars/dnagw.yml
+++ b/group_vars/dnagw.yml
@@ -45,7 +45,7 @@ unbound_zones:
 - home.foo.sh
 # use custom firewall config
-firewall_src: pf.conf.gw_home.j2
+firewall_src: pf.conf.gw_dna.j2
 # unbound config
 unbound_config: unbound.conf.dna.j2
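Review bot: The rename drops the `interface: 172.20.21.1@53` listener (and the deleted gw02 template carried the matching `172.20.21.2@53`) without a replacement, so unbound on the gateways appears to stop answering on the inter-gateway link addresses that the ifstated backup state elsewhere in this series routes through; if that is intended, a one-line comment in the template such as `{# the gw-to-gw link network is not served; clients use the .10-.12 VIPs #}` would stop someone re-adding it. The new `access-control` line rebuilds the network from `intnet_prefix` plus `.0/` plus the netmask only to ask ipaddr for the prefix length, which is the string manipulation PATCH 662 later replaces. `verbosity: 1` is an unrelated change to the running service that deserves a mention in the commit message.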
diff --git a/group_vars/fsolgw.yml b/group_vars/fsolgw.yml
index 6012a52..7022257 100644
--- a/group_vars/fsolgw.yml
+++ b/group_vars/fsolgw.yml
@@ -9,5 +9,5 @@ network_vip_interfaces:
 pass: "{{ vip145_pass }}"
 # use custom firewall and ifstated config
-firewall_src: pf.conf.gw_fsol
+firewall_src: pf.conf.gw_fsol.j2
 ifstated_config: ifstated-fsol.conf
diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml
index 588dac6..1b40203 100644
--- a/roles/pf/tasks/main.yml
+++ b/roles/pf/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: Copy pf.conf
- ansible.builtin.copy:
+ ansible.builtin.template:
 src: "{{ firewall_src }}"
 dest: /etc/pf.conf
 mode: "0600"
diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/templates/pf.conf.gw_dna.j2
similarity index 100%
rename from roles/pf/files/pf.conf.gw_home
rename to roles/pf/templates/pf.conf.gw_dna.j2
diff --git a/roles/pf/files/pf.conf.gw_fsol b/roles/pf/templates/pf.conf.gw_fsol.j2
similarity index 100%
rename from roles/pf/files/pf.conf.gw_fsol
rename to roles/pf/templates/pf.conf.gw_fsol.j2
From 69b102f7080e43822bd7a7ba3e3f8c1e3c26ffc9 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Tue, 17 Jun 2025 20:41:03 +0000
Subject: [PATCH 633/713] pf: Get dynamic ip's from variables
---
roles/pf/templates/pf.conf.gw_dna.j2 | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/pf/templates/pf.conf.gw_dna.j2 b/roles/pf/templates/pf.conf.gw_dna.j2
index 3f211fb..e9627b1 100644
--- a/roles/pf/templates/pf.conf.gw_dna.j2
+++ b/roles/pf/templates/pf.conf.gw_dna.j2
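Review bot: Switching roles/pf/tasks/main.yml from `copy` to `template` means the firewall ruleset is now assembled from variables at run time, but the task still writes the result straight to /etc/pf.conf with no syntax check, so a rendering mistake (an empty or malformed variable in the new .j2 sources) lands as the live firewall config and is only noticed when pf next fails to reload it. pfctl can dry-run a ruleset file, so the task should gain `validate: "pfctl -n -f %s"` next to `mode: "0600"`, the same pattern this series later adopts for ifstated. The rest of the task (any notify handler) is outside the hunk.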
@@ -43,7 +43,8 @@ antispoof for vio1
 pass in quick on $int_if proto tcp from $int_net to self port ssh
 pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh
 pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh
-pass in quick on $ext_if proto tcp from 212.149.225.198/32 to self port ssh
+pass in quick on $ext_if proto tcp from {{ gw_home_ip }}/32 to self port ssh
+pass in quick on $ext_if proto tcp from {{ gw_lan_ip }}/32 to self port ssh
 # node_exporter and unbound_exporter from internal network
 pass in quick on $int_if proto tcp from $int_net to self port 9100
From 4cf472f5249cd56932e639bbd1d1e26a80e21ba1 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Tue, 17 Jun 2025 20:44:00 +0000
Subject: [PATCH 634/713] dhcpd: Use more dynamic default dhcpd config
---
roles/dhcpd/templates/dhcpd.conf.j2 | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2
index 53dbd87..79bb885 100644
--- a/roles/dhcpd/templates/dhcpd.conf.j2
+++ b/roles/dhcpd/templates/dhcpd.conf.j2
@@ -35,15 +35,15 @@ class "PXEClient" {
 }
 }
-subnet 172.20.20.0 netmask 255.255.252.0 {
+subnet {{ intnet_prefix }}.0 netmask {{ intnet_netmask }} {
 default-lease-time 86400;
 max-lease-time 604800;
- option subnet-mask 255.255.252.0;
- option broadcast-address 172.20.23.255;
- option routers 172.20.20.1;
+ option subnet-mask {{ intnet_netmask }};
+ #option broadcast-address 172.20.23.255;
+ option routers {{ intnet_prefix }}.1;
- option domain-name "home.foo.sh";
- option domain-name-servers 172.20.20.10, 172.20.20.11, 172.20.20.12;
+ option domain-name "{{ inventory_hostname.split('.')[1] }}.foo.sh";
+ option domain-name-servers {{ intnet_prefix }}.10, {{ intnet_prefix }}.11, {{ intnet_prefix }}.12;
 use-host-decl-names on;
 }
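Review bot: The two added ssh `pass in` rules bake `{{ gw_home_ip }}` and `{{ gw_lan_ip }}` into pf.conf at template time, so if those addresses are the dynamic WAN addresses the subject line suggests, the ssh allow-list is only as current as the last playbook run and goes stale silently when either address changes. A comment above the two rules, `# WAN addresses of the other gateways; only refreshed when the playbook is rerun`, would make that freshness expectation visible to whoever next debugs a locked-out ssh session. Where the two variables are defined is outside this hunk, so whether they are looked up live or set statically cannot be confirmed here.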
From: Timo Makinen
Date: Tue, 17 Jun 2025 22:30:37 +0000
Subject: [PATCH 635/713] unwind: Fallback to UDP if cannot resolve servers
---
roles/unwind/templates/unwind.conf.j2 | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/roles/unwind/templates/unwind.conf.j2 b/roles/unwind/templates/unwind.conf.j2
index 2a704ce..20af19f 100644
--- a/roles/unwind/templates/unwind.conf.j2
+++ b/roles/unwind/templates/unwind.conf.j2
@@ -1,10 +1,15 @@
 {% if network_dns_servers is defined %}
 forwarder {
 {% for addr in network_dns_servers %}
- {{ addr }} port 853 authentication name "{{ lookup('community.general.dig', addr + '/PTR')[:-1] }}" DoT
+{% set reverse = lookup('community.general.dig', addr + '/PTR')[:-1] %}
+{% if reverse != "NXDOMAI" %}
+ {{ addr }} port 853 authentication name "{{ reverse }}" DoT
+{% else %}
+ {{ addr }} port 53
+{% endif %}
 {% endfor %}
 }
-preference { DoT }
+preference { DoT forwarder }
 {% else %}
 preference { oDoT-autoconf }
 {% endif %}
From a69a1f5d7dc56729b8b6972e3ef5506ccca89767 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Tue, 17 Jun 2025 22:33:22 +0000
Subject: [PATCH 636/713] Use new DNS servers for shell hosts
---
host_vars/shell01.foo.sh.yml | 2 +-
host_vars/shell02.foo.sh.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/host_vars/shell01.foo.sh.yml b/host_vars/shell01.foo.sh.yml
index 5864afe..d61fbf0 100644
--- a/host_vars/shell01.foo.sh.yml
+++ b/host_vars/shell01.foo.sh.yml
@@ -12,5 +12,5 @@ network_interfaces:
 ipaddr: 172.20.30.21
 netmask: 255.255.255.0
 proto: static
- nameservers: [172.20.30.2]
+ nameservers: [172.20.30.10, 172.20.30.11, 172.20.30.12]
 ip6addr: none
diff --git a/host_vars/shell02.foo.sh.yml b/host_vars/shell02.foo.sh.yml
index ce88e70..276b4b1 100644
--- a/host_vars/shell02.foo.sh.yml
+++ b/host_vars/shell02.foo.sh.yml
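Review bot: The new branch compares the PTR lookup against the literal `"NXDOMAI"` because the `[:-1]` slice is applied before the test, which ties the check to a truncated sentinel and will quietly stop matching if the lookup ever returns anything other than exactly "NXDOMAIN" on failure. Slicing after the check keeps it readable: `{% set reverse = lookup('community.general.dig', addr + '/PTR') %}`, `{% if reverse != "NXDOMAIN" %}` and `name "{{ reverse[:-1] }}"` on the DoT line. The `else` branch also downgrades that forwarder from authenticated DoT to plain UDP/53 with no trace in the rendered file, so a comment there, `{# no PTR for this server: unauthenticated UDP fallback, deliberate #}`, would let a reader of unwind.conf tell an intended fallback from a lookup that merely failed at deploy time; with `preference { DoT forwarder }` that plaintext entry is used whenever DoT is unavailable.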
@@ -12,5 +12,5 @@ network_interfaces:
 ipaddr: 172.20.30.22
 netmask: 255.255.255.0
 proto: static
- nameservers: [172.20.30.2]
+ nameservers: [172.20.30.10, 172.20.30.11, 172.20.30.12]
 ip6addr: none
From 3ba9a2a789b71c5b1c723f32c19d41b698b08e31 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Tue, 17 Jun 2025 22:33:56 +0000
Subject: [PATCH 637/713] Add new dna-gw hosts for lan network
---
host_vars/dna-gw03.lan.foo.sh.yml | 14 ++++++++++++++
host_vars/dna-gw04.lan.foo.sh.yml | 14 ++++++++++++++
2 files changed, 28 insertions(+)
create mode 100644 host_vars/dna-gw03.lan.foo.sh.yml
create mode 100644 host_vars/dna-gw04.lan.foo.sh.yml
diff --git a/host_vars/dna-gw03.lan.foo.sh.yml b/host_vars/dna-gw03.lan.foo.sh.yml
new file mode 100644
index 0000000..b7f139d
--- /dev/null
+++ b/host_vars/dna-gw03.lan.foo.sh.yml
@@ -0,0 +1,14 @@
+---
+vmhost: vmhost01.home.foo.sh
+network_interfaces:
+ - device: vio0
+ vlan: 30
+ mac: 52:54:00:ca:fe:03
+ ipaddr: 172.20.30.2
+ netmask: 255.255.255.0
+ proto: static
+ - device: vio1
+ vlan: 103
+ proto: none
+vip11_priority: 120
+vip12_priority: 240
diff --git a/host_vars/dna-gw04.lan.foo.sh.yml b/host_vars/dna-gw04.lan.foo.sh.yml
new file mode 100644
index 0000000..26e8d41
--- /dev/null
+++ b/host_vars/dna-gw04.lan.foo.sh.yml
@@ -0,0 +1,14 @@
+---
+vmhost: vmhost02.home.foo.sh
+network_interfaces:
+ - device: vio0
+ vlan: 30
+ mac: 52:54:00:ca:fe:04
+ ipaddr: 172.20.30.3
+ netmask: 255.255.255.0
+ proto: static
+ - device: vio1
+ vlan: 103
+ proto: none
+vip11_priority: 120
+vip12_priority: 240
From c2323e52382398696b6e6388d035f49c267c2650 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Tue, 17 Jun 2025 22:34:32 +0000
Subject: [PATCH 638/713] Fix DNS servers for lan.foo.sh network
---
group_vars/lan.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 group_vars/lan.yml
diff --git a/group_vars/lan.yml b/group_vars/lan.yml
new file mode 100644
index 0000000..7f5510d
--- /dev/null
+++ b/group_vars/lan.yml
@@ -0,0 +1,5 @@
+---
+network_dns_servers:
+ - 172.20.30.10
+ - 172.20.30.11
+ - 172.20.30.12
From 581dde2c9b431d7e813f9676fcc283a4cef98c2f Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Tue, 17 Jun 2025 22:46:00 +0000
Subject: [PATCH 639/713] Fix ip address for dna-gw03
---
host_vars/dna-gw03.lan.foo.sh.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/host_vars/dna-gw03.lan.foo.sh.yml b/host_vars/dna-gw03.lan.foo.sh.yml
index b7f139d..66e93ae 100644
--- a/host_vars/dna-gw03.lan.foo.sh.yml
+++ b/host_vars/dna-gw03.lan.foo.sh.yml
@@ -4,7 +4,7 @@ network_interfaces:
 - device: vio0
 vlan: 30
 mac: 52:54:00:ca:fe:03
- ipaddr: 172.20.30.2
+ ipaddr: 172.20.30.3
 netmask: 255.255.255.0
 proto: static
 - device: vio1
From fbf3d56f7986df7f12ea4c896adc45eefdba5f41 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Tue, 17 Jun 2025 22:48:06 +0000
Subject: [PATCH 640/713] Fix ip address for dna-gw04
---
host_vars/dna-gw04.lan.foo.sh.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/host_vars/dna-gw04.lan.foo.sh.yml b/host_vars/dna-gw04.lan.foo.sh.yml
index 26e8d41..ee0a1c3 100644
--- a/host_vars/dna-gw04.lan.foo.sh.yml
+++ b/host_vars/dna-gw04.lan.foo.sh.yml
@@ -4,7 +4,7 @@ network_interfaces:
 - device: vio0
 vlan: 30
 mac: 52:54:00:ca:fe:04
- ipaddr: 172.20.30.3
+ ipaddr: 172.20.30.4
 netmask: 255.255.255.0
 proto: static
 - device: vio1
From 8ebceed3053a346777a6bfc5287e04f35eaccc05 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 04:47:44 +0000
Subject: [PATCH 641/713] ifstated: Fix dna conf to work on all hosts
---
roles/ifstated/templates/ifstated-dna.conf.j2 | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/roles/ifstated/templates/ifstated-dna.conf.j2 b/roles/ifstated/templates/ifstated-dna.conf.j2
index ed794f3..f42de35 100644
--- a/roles/ifstated/templates/ifstated-dna.conf.j2
+++ b/roles/ifstated/templates/ifstated-dna.conf.j2
@@ -16,7 +16,7 @@ state auto {
 state master {
 init {
 # spoof mac to keep dhcp lease in sync with both gw's
- run "/sbin/ifconfig vio1 lladdr {{ gw_home_mac }} up"
+ run "/sbin/ifconfig vio1 lladdr {{ lookup('vars', 'gw_mac_' + inventory_hostname.split('.')[1]) }} up"
 # flush routes and renew lease
 run "/sbin/route -qn flush"
 run "/usr/sbin/dhcpleasectl vio1"
@@ -31,13 +31,17 @@ state master {
 state backup {
 init {
 # bring down interface and reset mac
- run "/sbin/ifconfig vio1 delete lladdr {{ gw_home_mac }} down"
+ run "/sbin/ifconfig vio1 delete lladdr {{ lookup('vars', 'gw_mac_' + inventory_hostname.split('.')[1]) }} down"
 # flush routes and fix default route
 run "/sbin/route -qn flush"
 {% if inventory_hostname == "dna-gw01.home.foo.sh" %}
 run "/sbin/route -qn add default 172.20.21.2"
 {% elif inventory_hostname == "dna-gw02.home.foo.sh" %}
 run "/sbin/route -qn add default 172.20.21.1"
+{% elif inventory_hostname == "dna-gw03.home.lan.foo.sh" %}
+ run "/sbin/route -qn add default 172.20.30.3"
+{% elif inventory_hostname == "dna-gw04.home.lan.foo.sh" %}
+ run "/sbin/route -qn add default 172.20.30.2"
 {% endif %}
 }
 if $if_carp_up {
From 78ac8fc6f40f70f9009212563f6d7445bb52484c Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 10:02:52 +0000
Subject: [PATCH 642/713] Use more generic way to set python interpreter
---
group_vars/openbsd.yml | 3 ---
group_vars/rocky8.yml | 3 +++
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/group_vars/openbsd.yml b/group_vars/openbsd.yml
index 5eb5d31..107ec1e 100644
--- a/group_vars/openbsd.yml
+++ b/group_vars/openbsd.yml
@@ -1,7 +1,4 @@
 ---
-# fix python path errors
-ansible_python_interpreter: "/usr/local/bin/python3"
-
 # we have real wheel group
 ansible_wheel: wheel
diff --git a/group_vars/rocky8.yml b/group_vars/rocky8.yml
index 6ff4236..6fd253f 100644
--- a/group_vars/rocky8.yml
+++ b/group_vars/rocky8.yml
@@ -4,6 +4,9 @@ dsk_size: 20
 mem_size: 2048
 num_cpus: 2
+# el8 hosts have different python
+ansible_python_interpreter: /usr/libexec/platform-python
+ + # extra args for virt-install
 ks_file: "{{ boot_url }}/ks/rocky8.ks"
 ipcmd: >-
From e7169517987bc0bebcc1ac17eabef8a2a9da2eb7 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 10:03:57 +0000
Subject: [PATCH 643/713] More robust way to install python to hosts
---
group_vars/openbsd.yml | 6 +++++-
playbooks/include/deploy-kvm-guest.yml | 10 ++++------
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/group_vars/openbsd.yml b/group_vars/openbsd.yml
index 107ec1e..6fdbdb1 100644
--- a/group_vars/openbsd.yml
+++ b/group_vars/openbsd.yml
@@ -15,4 +15,8 @@ num_cpus: 2
 # extra args for virt-install
 virt_install_os_args: --cdrom {{ boot_url }}/openbsd/openbsd.iso
 virt_install_os_variant: openbsd7.6
-virt_install_python_cmd: pkg_add -I -x python%3
+virt_install_python_cmd:
+ - pkg_add
+ - -I
+ - -x
+ - python%3
diff --git a/playbooks/include/deploy-kvm-guest.yml b/playbooks/include/deploy-kvm-guest.yml
index 5464cd5..e7c0262 100644
--- a/playbooks/include/deploy-kvm-guest.yml
+++ b/playbooks/include/deploy-kvm-guest.yml
@@ -170,12 +170,10 @@
 when: inventory_hostname not in result.list_vms
 - name: Install python if required
- ansible.builtin.command:
- argv:
- - ssh
- - "{{ inventory_hostname }}"
- - "{{ virt_install_python_cmd }}"
- delegate_to: localhost
+ ansible.builtin.raw: >- {{ virt_install_python_cmd | map('quote') | join(' ') }}
+ args:
+ executable: /bin/sh
 when:
 - inventory_hostname not in result.list_vms
 - virt_install_python_cmd is defined
From c8918b1a354b4c95fae572ba3469201f8a1fd5cf Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 10:04:47 +0000
Subject: [PATCH 644/713] Skip comment lines when adding host ssh keys
---
playbooks/include/deploy-kvm-guest.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/playbooks/include/deploy-kvm-guest.yml b/playbooks/include/deploy-kvm-guest.yml
index e7c0262..e23e878 100644
--- a/playbooks/include/deploy-kvm-guest.yml
+++ b/playbooks/include/deploy-kvm-guest.yml
@@ -165,7 +165,7 @@
 path: /root/.ssh/known_hosts
 key: "{{ item }}"
 host: "{{ inventory_hostname }}"
- with_items: "{{ hostkeys.stdout.splitlines() }}"
+ with_items: "{{ hostkeys.stdout.splitlines() | reject('match', '^#.*') }}"
 delegate_to: localhost
 when: inventory_hostname not in result.list_vms
From 02cddddc5c9b9b33e8473fe1880dcaf563ff78cb Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 10:05:25 +0000
Subject: [PATCH 645/713] Handle hosts behing jumphost better
---
playbooks/include/deploy-kvm-guest.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/playbooks/include/deploy-kvm-guest.yml b/playbooks/include/deploy-kvm-guest.yml
index e23e878..8f76d9f 100644
--- a/playbooks/include/deploy-kvm-guest.yml
+++ b/playbooks/include/deploy-kvm-guest.yml
@@ -146,7 +146,7 @@
 port: 22
 state: started
 timeout: 1200
- delegate_to: localhost
+ delegate_to: "{{ ssh_jumphost | default('localhost') }}"
 when: inventory_hostname not in result.list_vms
 - name: Get SSH public keys from new host
@@ -156,7 +156,7 @@
 - -t
 - ed25519
 - "{{ inventory_hostname }}"
- delegate_to: localhost
+ delegate_to: "{{ ssh_jumphost | default('localhost') }}"
 register: hostkeys
 when: inventory_hostname not in result.list_vms
From a8e47bbbb5d7d06b98075927ca11688abbb873a7 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 10:20:34 +0000
Subject: [PATCH 646/713] ifstated: Fix typo from hostnames
---
roles/ifstated/templates/ifstated-dna.conf.j2 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/ifstated/templates/ifstated-dna.conf.j2 b/roles/ifstated/templates/ifstated-dna.conf.j2
index f42de35..aa1060d 100644
--- a/roles/ifstated/templates/ifstated-dna.conf.j2
+++ b/roles/ifstated/templates/ifstated-dna.conf.j2
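Review bot: With the keyscan task ("Get SSH public keys from new host") now delegated to `ssh_jumphost`, the host keys that the earlier known_hosts task writes on the controller are whatever the jumphost reported, so the jumphost becomes part of the trust path for every guest deployed behind it; that is presumably acceptable for an owned gateway, but nothing in the task says so. A comment on the keyscan task, `# runs on the jumphost when one is set; its output is trusted on first use and written to the controller's known_hosts`, would record that decision where the next reader needs it. The first `wait_for` task in the hunk begins before the hunk's first line.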
@@ -38,9 +38,9 @@ state backup {
 run "/sbin/route -qn add default 172.20.21.2"
 {% elif inventory_hostname == "dna-gw02.home.foo.sh" %}
 run "/sbin/route -qn add default 172.20.21.1"
-{% elif inventory_hostname == "dna-gw03.home.lan.foo.sh" %}
+{% elif inventory_hostname == "dna-gw03.lan.foo.sh" %}
 run "/sbin/route -qn add default 172.20.30.3"
-{% elif inventory_hostname == "dna-gw04.home.lan.foo.sh" %}
+{% elif inventory_hostname == "dna-gw04.lan.foo.sh" %}
 run "/sbin/route -qn add default 172.20.30.2"
 {% endif %}
 }
From 5560d81a8a0ad50504fc0e99f44040055c9f5d50 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 16:07:47 +0000
Subject: [PATCH 647/713] Add dns aliases for proxy to get certificates
---
playbooks/proxy.yml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml
index 75357d3..cc8434d 100644
--- a/playbooks/proxy.yml
+++ b/playbooks/proxy.yml
@@ -66,6 +66,12 @@
 - role: nginx_site
 nginx_site_name: dns.home.foo.sh
 nginx_site_redirect: https://www.foo.sh/
+ - role: nginx_site
+ nginx_site_name: dns.iot.foo.sh
+ nginx_site_redirect: https://www.foo.sh/
+ - role: nginx_site
+ nginx_site_name: dns.lan.foo.sh
+ nginx_site_redirect: https://www.foo.sh/
 - role: nginx_site
 nginx_site_name: forgejo.foo.sh
 nginx_site_redirect: https://git.foo.sh/
From 6e7aea1b22070df3b51571db3eaf6bb149f3a2e9 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 16:08:47 +0000
Subject: [PATCH 648/713] Fix ip and disk type for nas hosts
---
group_vars/nas.yml | 2 +-
host_vars/nas02.home.foo.sh.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/group_vars/nas.yml b/group_vars/nas.yml
index 5dac726..332395f 100644
--- a/group_vars/nas.yml
+++ b/group_vars/nas.yml
@@ -2,7 +2,7 @@ mem_size: 8192
 num_cpus: 2
 datadisks:
- - {size: 500, type: nvme}
+ - {size: 500, type: hdd}
 - {size: 50, type: nvme}
 firewall_in:
diff --git a/host_vars/nas02.home.foo.sh.yml b/host_vars/nas02.home.foo.sh.yml
index 7c2e941..567ecc6 100644
--- a/host_vars/nas02.home.foo.sh.yml
+++ b/host_vars/nas02.home.foo.sh.yml
@@ -6,6 +6,6 @@ network_interfaces:
 mac: 52:54:00:ac:dc:34
 - device: eth1
 vlan: 30
- ipaddr: 172.20.30.11
+ ipaddr: 172.20.30.32
 netmask: 255.255.255.0
 proto: static
From f67b681d6ac07963b63f7301282271303adff1d8 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 16:09:38 +0000
Subject: [PATCH 649/713] Set generic python interpreter
---
group_vars/all.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 67d5671..3a591d3 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -35,3 +35,6 @@ network_dns_servers:
 # hardcode this for now
 ansible_datacenter: home
+
+# use as generic as possible python binary so delegate_to works
+ansible_python_interpreter: python3
From 167f78ed8454dadef606dc4ffb01490516a680e1 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 16:10:45 +0000
Subject: [PATCH 650/713] Increase memory for homeassistant hosts
---
group_vars/homeassistant.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/group_vars/homeassistant.yml b/group_vars/homeassistant.yml
index d344ed1..56d63c2 100644
--- a/group_vars/homeassistant.yml
+++ b/group_vars/homeassistant.yml
@@ -1,4 +1,5 @@
 ---
+mem_size: 4096
 datadisks:
 - {size: 10, type: nvme}
 firewall_in:
From 6fa5b18c964d95d27b6ce737ac6068fc1cf99a8f Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 16:11:12 +0000
Subject: [PATCH 651/713] Don't hardcode DNA ip addresses
---
group_vars/ns.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/group_vars/ns.yml b/group_vars/ns.yml
index 2a284b1..0d25c16 100644
--- a/group_vars/ns.yml
+++ b/group_vars/ns.yml
@@ -1,6 +1,6 @@
 ---
 firewall_in:
- - {proto: tcp, port: 22, from: [172.20.20.0/22, 212.149.225.204/32]}
+ - {proto: tcp, port: 22, from: [172.20.20.0/22, "{{ gw_home_ip }}/32"]}
 - {proto: tcp, port: 53}
 - {proto: udp, port: 53}
 - {proto: tcp, port: 80}
From 59c5f7b5332806d8e47e32e67a542a800304421a Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 16:43:17 +0000
Subject: [PATCH 652/713] nfs_server: Add more logging
---
roles/nfs_server/files/local.conf | 1 +
1 file changed, 1 insertion(+)
diff --git a/roles/nfs_server/files/local.conf b/roles/nfs_server/files/local.conf
index b5085c3..19555c0 100644
--- a/roles/nfs_server/files/local.conf
+++ b/roles/nfs_server/files/local.conf
@@ -2,6 +2,7 @@
 debug="auth,general"
 [nfsd]
+debug="auth,general"
 udp=n
 tcp=y
 vers3=n
From f197409c5d7b7fe1ce612ac9da5dd53d043bb882 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 16:44:32 +0000
Subject: [PATCH 653/713] More compatible playbook with new dna-gw hosts
---
playbooks/dna-gw.yml | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml
index b0e69c6..38245f0 100644
--- a/playbooks/dna-gw.yml
+++ b/playbooks/dna-gw.yml
@@ -15,9 +15,11 @@
 roles:
 - base
 - dhcpd
- - nginx
+ - role: nginx
+ when: "'gw.home.foo.sh' in ssh_hostnames"
 - role: nginx_site
 nginx_site_name: gw.home.foo.sh
+ when: "'gw.home.foo.sh' in ssh_hostnames"
 - tftp
 - websockify
@@ -40,26 +42,26 @@
 - name: Copy DNS private key
 ansible.builtin.copy:
- dest: "{{ tls_private }}/dns.home.foo.sh.key"
+ dest: "{{ tls_private }}/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh.key"
 src: "{{ item }}"
 mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
 with_first_found:
- - /srv/letsencrypt/live/dns.home.foo.sh/privkey.pem
+ - "/srv/letsencrypt/live/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh/privkey.pem"
 - "/srv/ca/private/{{ inventory_hostname }}.key"
 tags: certificates
 notify: Restart unbound
 - name: Copy DNS certificate and ca cert
 ansible.builtin.copy:
- dest: "{{ tls_certs }}/dns.home.foo.sh.crt"
+ dest: "{{ tls_certs }}/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh.crt"
 src: "{{ item }}"
 mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 with_first_found:
- - /srv/letsencrypt/live/dns.home.foo.sh/fullchain.pem
+ - "/srv/letsencrypt/live/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh/fullchain.pem"
 - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
 tags: certificates
 notify: Restart unbound
@@ -71,3 +73,4 @@
 - name: Import unbound_exporter role
 ansible.builtin.import_role:
 name: unbound_exporter
+ when: "'gw.home.foo.sh' in ssh_hostnames"
From c07a0fbd92ffb1845c3081057490be33465f5218 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 16:45:53 +0000
Subject: [PATCH 654/713] unbound: Use correct certs for dna-gw hosts
---
roles/unbound/templates/unbound.conf.dna.j2 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/unbound/templates/unbound.conf.dna.j2 b/roles/unbound/templates/unbound.conf.dna.j2
index 335da99..d8928fb 100644
--- a/roles/unbound/templates/unbound.conf.dna.j2
+++ b/roles/unbound/templates/unbound.conf.dna.j2
@@ -15,8 +15,8 @@ server:
 interface: {{ intnet_prefix }}.12@53
 interface: {{ intnet_prefix }}.12@853
- tls-service-key: {{ tls_private }}/dns.home.foo.sh.key
- tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt
+ tls-service-key: {{ tls_private }}/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh.key
+ tls-service-pem: {{ tls_certs }}/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh.crt
 tls-cert-bundle: {{ tls_bundle }}
 access-control: 127.0.0.0/8 allow
From 9c802f9919762d6c579ba1ca7ff90bd810ab4269 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 17:45:23 +0000
Subject: [PATCH 655/713] Configure jumphosts for adm hosts
---
playbooks/adm.yml | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/playbooks/adm.yml b/playbooks/adm.yml
index 3c2bd6c..8028d9d 100644
--- a/playbooks/adm.yml
+++ b/playbooks/adm.yml
@@ -78,6 +78,18 @@
 owner: root
 group: "{{ ansible_wheel }}"
+ - name: Configure jumphosts
+ ansible.builtin.copy:
+ dest: /etc/ssh/ssh_config.d/jumphost.conf
+ content: |
+ Host *.iot.foo.sh !gw.iot.foo.sh
+ ProxyJump gw.iot.foo.sh
+ Host *.lan.foo.sh !gw.lan.foo.sh
+ ProxyJump gw.lan.foo.sh
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+
 - name: Clone dns repo
 ansible.builtin.git:
 dest: /export/dns
From cf4ba967526c27e6429029e8186a99c022dfc5c8 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 18:30:42 +0000
Subject: [PATCH 656/713] Fix carp interface priorities from dna-gw03
---
host_vars/dna-gw03.lan.foo.sh.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/host_vars/dna-gw03.lan.foo.sh.yml b/host_vars/dna-gw03.lan.foo.sh.yml
index 66e93ae..f96f627 100644
--- a/host_vars/dna-gw03.lan.foo.sh.yml
+++ b/host_vars/dna-gw03.lan.foo.sh.yml
@@ -10,5 +10,5 @@ network_interfaces:
 - device: vio1
 vlan: 103
 proto: none
-vip11_priority: 120
-vip12_priority: 240
+vip11_priority: 240
+vip12_priority: 120
From 31370651faa882d4fc4f597650525023ccd02885 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 18:31:17 +0000
Subject: [PATCH 657/713] ifstated: Fix ip addresses from dna-gw03/04 hosts
---
roles/ifstated/templates/ifstated-dna.conf.j2 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/ifstated/templates/ifstated-dna.conf.j2 b/roles/ifstated/templates/ifstated-dna.conf.j2
index aa1060d..89bf18e 100644
--- a/roles/ifstated/templates/ifstated-dna.conf.j2
+++ b/roles/ifstated/templates/ifstated-dna.conf.j2
@@ -39,9 +39,9 @@ state backup {
 {% elif inventory_hostname == "dna-gw02.home.foo.sh" %}
 run "/sbin/route -qn add default 172.20.21.1"
 {% elif inventory_hostname == "dna-gw03.lan.foo.sh" %}
- run "/sbin/route -qn add default 172.20.30.3"
+ run "/sbin/route -qn add default 172.20.30.4"
 {% elif inventory_hostname == "dna-gw04.lan.foo.sh" %}
- run "/sbin/route -qn add default 172.20.30.2"
+ run "/sbin/route -qn add default 172.20.30.3"
 {% endif %}
 }
 if $if_carp_up {
From cc4bedb1eebbbb820944ecc1dbe196cb8b2b5a04 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 18:32:24 +0000
Subject: [PATCH 658/713] Add dna-gw03 and dna-gw04 hosts
---
hosts.yml | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/hosts.yml b/hosts.yml
index 237c811..65efb97 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -13,9 +13,18 @@ collab:
 hosts:
 collab01.home.foo.sh:
 dnagw:
- hosts:
- dna-gw01.home.foo.sh:
- dna-gw02.home.foo.sh:
+ children:
+ dnagw_home:
+ hosts:
+ dna-gw01.home.foo.sh:
+ dna-gw02.home.foo.sh:
+ dnagw_lan:
+ hosts:
+ dna-gw03.lan.foo.sh:
+ dna-gw04.lan.foo.sh:
+ vars:
+ ssh_jumphost: gw.lan.foo.sh
+ ansible_ssh_common_args: "{{ ('-J root@' + ssh_jumphost) | default(undef) }}"
 forgejo:
 hosts:
 forgejo02.home.foo.sh:
From 93882ff716b24276d66ce8939b44c67b0d6b3a73 Mon Sep 17 00:00:00 2001
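Review bot: In the hosts.yml hunk, `ansible_ssh_common_args` under `dnagw_lan: vars:` wraps the concatenation in `default(undef)`, but `ssh_jumphost` is set two lines above in the same vars block, and as far as I can tell an undefined operand makes the `+` raise before `default` is ever applied, so the filter never does anything here and only suggests a conditional that does not exist. `ansible_ssh_common_args: "-J root@{{ ssh_jumphost }}"` states the intent plainly; the `dnagw_iot` block added in PATCH 661 repeats the same expression verbatim and should get the same treatment. Since both child groups set `ssh_jumphost`, a comment there naming the invariant, `# every dnagw_* child group must define ssh_jumphost; deploy-kvm-guest delegates its keyscan to it`, would tie the two files together.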
From: Timo Makinen
Date: Wed, 18 Jun 2025 22:07:52 +0000
Subject: [PATCH 659/713] ifstated: Enable config validation
---
roles/ifstated/tasks/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/ifstated/tasks/main.yml b/roles/ifstated/tasks/main.yml
index ec548b0..b60bf5d 100644
--- a/roles/ifstated/tasks/main.yml
+++ b/roles/ifstated/tasks/main.yml
@@ -6,7 +6,7 @@
 mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
- # validate: "ifstated -n -f %s"
+ validate: "ifstated -n -f %s"
 notify: Restart ifstated
 - name: Enable ifstated
From ba057bb8c9d650b35dac099eef5eac4b07024ac5 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 22:08:10 +0000
Subject: [PATCH 660/713] ifstated: Add new dna-gw hosts
---
roles/ifstated/templates/ifstated-dna.conf.j2 | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/roles/ifstated/templates/ifstated-dna.conf.j2 b/roles/ifstated/templates/ifstated-dna.conf.j2
index 89bf18e..505d9dd 100644
--- a/roles/ifstated/templates/ifstated-dna.conf.j2
+++ b/roles/ifstated/templates/ifstated-dna.conf.j2
@@ -42,6 +42,10 @@ state backup {
 run "/sbin/route -qn add default 172.20.30.4"
 {% elif inventory_hostname == "dna-gw04.lan.foo.sh" %}
 run "/sbin/route -qn add default 172.20.30.3"
+{% elif inventory_hostname == "dna-gw05.iot.foo.sh" %}
+ run "/sbin/route -qn add default 172.20.27.6"
+{% elif inventory_hostname == "dna-gw06.iot.foo.sh" %}
+ run "/sbin/route -qn add default 172.20.27.5"
 {% endif %}
 }
 if $if_carp_up {
From bd18ce3d22ec8a5fed482811b3e4d0efce129c55 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 22:09:02 +0000
Subject: [PATCH 661/713] Add dna-gw hosts for iot network
---
host_vars/dna-gw05.iot.foo.sh.yml | 14 ++++++++++++++
host_vars/dna-gw06.iot.foo.sh.yml | 14 ++++++++++++++
hosts.yml | 7 +++++++
3 files changed, 35 insertions(+)
create mode 100644 host_vars/dna-gw05.iot.foo.sh.yml
create mode 100644 host_vars/dna-gw06.iot.foo.sh.yml
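Review bot: The backup-state default route in ifstated-dna.conf.j2 is chosen by a growing `{% elif inventory_hostname == ... %}` chain that now hardcodes a peer address for six hosts, and this series has already had to correct that chain twice (PATCH 646 for the hostnames, PATCH 657 for the addresses), which is the failure mode such per-host literals invite. Each host's peer is simply the other member of its dnagw_* child group, so the template could carry one line, `run "/sbin/route -qn add default {{ dna_gw_peer_ip }}"` (variable name constructed), with the peer address set in each host_vars file next to the host's own `ipaddr` or derived from the sibling's `network_interfaces[0].ipaddr` via hostvars; the newly enabled `validate: "ifstated -n -f %s"` in the previous hunk would then catch a missing value before it reaches the running daemon. The enclosing `state backup { init {` block begins before the hunk.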
diff --git a/host_vars/dna-gw05.iot.foo.sh.yml b/host_vars/dna-gw05.iot.foo.sh.yml
new file mode 100644
index 0000000..c94dbf8
--- /dev/null
+++ b/host_vars/dna-gw05.iot.foo.sh.yml
@@ -0,0 +1,14 @@
+---
+vmhost: vmhost01.home.foo.sh
+network_interfaces:
+ - device: vio0
+ vlan: 27
+ mac: 52:54:00:da:da:05
+ ipaddr: 172.20.27.5
+ netmask: 255.255.255.0
+ proto: static
+ - device: vio1
+ vlan: 103
+ proto: none
+vip11_priority: 240
+vip12_priority: 120
diff --git a/host_vars/dna-gw06.iot.foo.sh.yml b/host_vars/dna-gw06.iot.foo.sh.yml
new file mode 100644
index 0000000..df0ff75
--- /dev/null
+++ b/host_vars/dna-gw06.iot.foo.sh.yml
@@ -0,0 +1,14 @@
+---
+vmhost: vmhost02.home.foo.sh
+network_interfaces:
+ - device: vio0
+ vlan: 27
+ mac: 52:54:00:da:da:06
+ ipaddr: 172.20.27.6
+ netmask: 255.255.255.0
+ proto: static
+ - device: vio1
+ vlan: 103
+ proto: none
+vip11_priority: 120
+vip12_priority: 240
diff --git a/hosts.yml b/hosts.yml
index 65efb97..6067b60 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -25,6 +25,13 @@ dnagw:
 vars:
 ssh_jumphost: gw.lan.foo.sh
 ansible_ssh_common_args: "{{ ('-J root@' + ssh_jumphost) | default(undef) }}"
+ dnagw_iot:
+ hosts:
+ dna-gw05.iot.foo.sh:
+ dna-gw06.iot.foo.sh:
+ vars:
+ ssh_jumphost: gw.iot.foo.sh
+ ansible_ssh_common_args: "{{ ('-J root@' + ssh_jumphost) | default(undef) }}"
 forgejo:
 hosts:
 forgejo02.home.foo.sh:
From 1269427fb25c6b3820550cd370ae4a52d673b483 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 18 Jun 2025 23:12:09 +0000
Subject: [PATCH 662/713] Use ipaddr filter instead of string manipulation
---
group_vars/dnagw.yml | 25 ++++++++------------
roles/dhcpd/templates/dhcpd.conf.j2 | 10 ++++-----
roles/unbound/templates/unbound.conf.dna.j2 | 14 ++++++------
3 files changed, 21 insertions(+), 28 deletions(-)
diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml
index 36e764b..1434d5a 100644
--- a/group_vars/dnagw.yml
+++ b/group_vars/dnagw.yml
@@ -2,38 +2,31 @@
 # increase memory size
 mem_size: 512
-intnet_netmask: "{{ network_interfaces[0].netmask }}"
-intnet_prefix: >-
- {% set ip = network_interfaces[0].ipaddr.split('.') -%}
- {% if intnet_netmask == '255.255.252.0' -%}
- {{ [ ip[0], ip[1], ip[2] | int - 1 ] | join('.') -}}
- {% else -%}
- {{ [ ip[0], ip[1], ip[2] ] | join('.') -}}
- {% endif -%}
+intnet: "{{ network_interfaces[0].ipaddr + '/' + network_interfaces[0].netmask }}"
 network_vip_interfaces:
 - device: vio0
 vhid: 1
- ipaddr: "{{ intnet_prefix }}.1"
- netmask: "{{ intnet_netmask }}"
+ ipaddr: "{{ intnet | ansible.utils.ipaddr(1) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ intnet | ansible.utils.ipaddr('netmask') }}"
 pass: "{{ vip1_pass }}"
 priority: 120
 - device: vio0
 vhid: 10
- ipaddr: "{{ intnet_prefix }}.10"
- netmask: "{{ intnet_netmask }}"
+ ipaddr: "{{ intnet | ansible.utils.ipaddr(10) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ intnet | ansible.utils.ipaddr('netmask') }}"
 pass: "{{ vip10_pass }}"
 priority: 120
 - device: vio0
 vhid: 11
- ipaddr: "{{ intnet_prefix }}.11"
- netmask: "{{ intnet_netmask }}"
+ ipaddr: "{{ intnet | ansible.utils.ipaddr(11) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ intnet | ansible.utils.ipaddr('netmask') }}"
 pass: "{{ vip11_pass }}"
 priority: "{{ vip11_priority }}"
 - device: vio0
 vhid: 12
- ipaddr: "{{ intnet_prefix }}.12"
- netmask: "{{ intnet_netmask }}"
+ ipaddr: "{{ intnet | ansible.utils.ipaddr(12) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ intnet | ansible.utils.ipaddr('netmask') }}"
 pass: "{{ vip12_pass }}"
 priority: "{{ vip12_priority }}"
 network_ether_interfaces:
diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2
index 79bb885..45dd165 100644
--- a/roles/dhcpd/templates/dhcpd.conf.j2
+++ b/roles/dhcpd/templates/dhcpd.conf.j2
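Review bot: `intnet` is now the single value every CARP VIP, and through the templates the dhcpd subnet and unbound listeners, is derived from, yet the only hint of that is its name, and it quietly assumes `network_interfaces[0]` is the inner (vio0) interface, which holds for the host_vars in this series but is nowhere checked. A comment above it would save the next reader the archaeology: `# internal network as address/netmask; the .1/.10/.11/.12 VIPs below, the dhcpd subnet and the unbound listeners are all derived from it, so network_interfaces[0] must be the inner interface`. The `network_ether_interfaces:` mapping that follows starts past the hunk.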
@@ -35,15 +35,15 @@ class "PXEClient" { } } -subnet {{ intnet_prefix }}.0 netmask {{ intnet_netmask }} { +subnet {{ intnet | ansible.utils.ipaddr('network') }} netmask {{ intnet | ansible.utils.ipaddr('netmask') }} { default-lease-time 86400; max-lease-time 604800; - option subnet-mask {{ intnet_netmask }}; - #option broadcast-address 172.20.23.255; - option routers {{ intnet_prefix }}.1; + option subnet-mask {{ intnet | ansible.utils.ipaddr('netmask') }}; + option broadcast-address {{ intnet | ansible.utils.ipaddr('broadcast') }}; + option routers {{ intnet | ansible.utils.ipaddr(1) | ansible.utils.ipaddr('address')}}; option domain-name "{{ inventory_hostname.split('.')[1] }}.foo.sh"; - option domain-name-servers {{ intnet_prefix }}.10, {{ intnet_prefix }}.11, {{ intnet_prefix }}.12; + option domain-name-servers {{ intnet | ansible.utils.ipaddr(10) | ansible.utils.ipaddr('address') }}, {{ intnet | ansible.utils.ipaddr(11) | ansible.utils.ipaddr('address') }}, {{ intnet | ansible.utils.ipaddr(12) | ansible.utils.ipaddr('address') }}; use-host-decl-names on; } diff --git a/roles/unbound/templates/unbound.conf.dna.j2 b/roles/unbound/templates/unbound.conf.dna.j2 index d8928fb..7d49662 100644 --- a/roles/unbound/templates/unbound.conf.dna.j2 +++ b/roles/unbound/templates/unbound.conf.dna.j2 
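Review bot: The `option routers` line ends in `ansible.utils.ipaddr('address')}}` without the space before `}}` that every other expression in the hunk uses; `option routers {{ intnet | ansible.utils.ipaddr(1) | ansible.utils.ipaddr('address') }};` keeps the template uniform. The netmask and address pipelines are now spelled out five times inside one `subnet` block; a `{% set intnet_mask = intnet | ansible.utils.ipaddr('netmask') %}` above the block would shorten the lines and make the `subnet`/`subnet-mask` pair visibly the same value. Uncommenting `broadcast-address` is a behaviour change the subject line does not mention, though deriving it from `intnet` is the right way to do it.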
@@ -8,12 +8,12 @@ server: outgoing-range: {{ ( 1024 / ansible_processor_cores | int - 50 ) | int }} - interface: {{ intnet_prefix }}.10@53 - interface: {{ intnet_prefix }}.10@853 - interface: {{ intnet_prefix }}.11@53 - interface: {{ intnet_prefix }}.11@853 - interface: {{ intnet_prefix }}.12@53 - interface: {{ intnet_prefix }}.12@853 + interface: {{ intnet | ansible.utils.ipaddr(10) | ansible.utils.ipaddr('address') }}@53 + interface: {{ intnet | ansible.utils.ipaddr(10) | ansible.utils.ipaddr('address') }}@853 + interface: {{ intnet | ansible.utils.ipaddr(11) | ansible.utils.ipaddr('address') }}@53 + interface: {{ intnet | ansible.utils.ipaddr(11) | ansible.utils.ipaddr('address') }}@853 + interface: {{ intnet | ansible.utils.ipaddr(12) | ansible.utils.ipaddr('address') }}@53 + interface: {{ intnet | ansible.utils.ipaddr(12) | ansible.utils.ipaddr('address') }}@853 tls-service-key: {{ tls_private }}/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh.key tls-service-pem: {{ tls_certs }}/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh.crt @@ -21,7 +21,7 @@ server: access-control: 127.0.0.0/8 allow access-control: ::1 allow - access-control: {{ intnet_prefix }}.0/{{ (intnet_prefix + '.0/' + intnet_netmask) | ansible.utils.ipaddr('prefix') }} allow + access-control: {{ intnet | ansible.utils.ipaddr(0) }} allow extended-statistics: yes verbosity: 1 From 05b4c3a9f44f9ccd832f8a5e9d638091ffd037e8 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 19 Jun 2025 13:55:28 +0000 Subject: [PATCH 663/713] Add only required reverse zones for dna gw hosts --- group_vars/dnagw.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml index 1434d5a..c79813f 100644 --- a/group_vars/dnagw.yml +++ b/group_vars/dnagw.yml 
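Review bot: The six `interface:` lines differ only in the host index (10, 11, 12) and the port (53, 853), so the same `ipaddr` pipeline is repeated six times; two nested `for` loops state the intent once and make it obvious that every VIP listens on both plain DNS and DoT. The indentation of the emitted lines must match what the rest of the `server:` block uses, which the collapsed hunk does not show. The second hunk of this file, `access-control: {{ intnet | ansible.utils.ipaddr(0) }} allow`, relies on index 0 returning the network in CIDR form, which is the documented behaviour of the filter, so that simplification looks correct.
```jinja
{# … unchanged: outgoing-range … #}
{% for vip in [10, 11, 12] %}
{% for port in [53, 853] %}
    interface: {{ intnet | ansible.utils.ipaddr(vip) | ansible.utils.ipaddr('address') }}@{{ port }}
{% endfor %}
{% endfor %}
{# … unchanged: tls-service-key / tls-service-pem … #}
```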
@@ -34,8 +34,16 @@ network_ether_interfaces: proto: none unbound_zones: - - 20.172.in-addr.arpa - - home.foo.sh + - 144-28.96.16.37.in-addr.arpa + - foo.sh + - >- + {% set reverse = intnet | ansible.utils.ipaddr('network') | ansible.utils.ipaddr('revdns') -%} + {% if intnet | ansible.utils.ipaddr('prefix') < 24 -%} + {{ reverse[:-1] | split('.', 2) | last -}} + {% else -%} + {{ reverse[:-1] | split('.', 1) | last -}} + {% endif -%} + - "{{ inventory_hostname.split('.')[1:] | join('.') }}" # use custom firewall config firewall_src: pf.conf.gw_dna.j2 From e55dd35605511b89b17e4edd2a12ab7350e13e94 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 21 Jun 2025 16:02:57 +0000 Subject: [PATCH 664/713] Add intdomain variable to simplify configs --- group_vars/dnagw.yml | 3 ++- playbooks/dna-gw.yml | 8 ++++---- roles/dhcpd/templates/dhcpd.conf.j2 | 2 +- roles/unbound/templates/unbound.conf.dna.j2 | 4 ++-- 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml index c79813f..8c9b11d 100644 --- a/group_vars/dnagw.yml +++ b/group_vars/dnagw.yml @@ -3,6 +3,7 @@ mem_size: 512 intnet: "{{ network_interfaces[0].ipaddr + '/' + network_interfaces[0].netmask }}" +intdomain: "{{ inventory_hostname.split('.')[1:] | join('.') }}" network_vip_interfaces: - device: vio0 @@ -43,7 +44,7 @@ unbound_zones: {% else -%} {{ reverse[:-1] | split('.', 1) | last -}} {% endif -%} - - "{{ inventory_hostname.split('.')[1:] | join('.') }}" + - "{{ intdomain }}" # use custom firewall config firewall_src: pf.conf.gw_dna.j2 diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 38245f0..c5a3196 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml 
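Review bot: The reverse-zone expression encodes an unstated assumption about the prefix length: for anything shorter than /24 it drops two labels and registers the enclosing /16 zone, otherwise it drops one and registers the /24 zone, so a prefix shorter than /16 would yield a zone that does not match the network. A comment above the entry would keep a future re-addressing from silently producing the wrong zone, e.g. `# reverse zone for intnet: the enclosing /16 zone for prefixes shorter than /24, else the /24 zone`. I could not confirm from the hunk whether `ipaddr('prefix')` yields an int in the installed collection; if it returns a string the `< 24` comparison needs an `| int`.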
@@ -42,26 +42,26 @@ - name: Copy DNS private key ansible.builtin.copy: - dest: "{{ tls_private }}/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh.key" + dest: "{{ tls_private }}/dns.{{ intdomain }}.key" src: "{{ item }}" mode: "0600" owner: root group: "{{ ansible_wheel }}" with_first_found: - - "/srv/letsencrypt/live/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh/privkey.pem" + - "/srv/letsencrypt/live/dns.{{ intdomain }}/privkey.pem" - "/srv/ca/private/{{ inventory_hostname }}.key" tags: certificates notify: Restart unbound - name: Copy DNS certificate and ca cert ansible.builtin.copy: - dest: "{{ tls_certs }}/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh.crt" + dest: "{{ tls_certs }}/dns.{{ intdomain }}.crt" src: "{{ item }}" mode: "0644" owner: root group: "{{ ansible_wheel }}" with_first_found: - - "/srv/letsencrypt/live/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh/fullchain.pem" + - "/srv/letsencrypt/live/dns.{{ intdomain }}/fullchain.pem" - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt" tags: certificates notify: Restart unbound diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2 index 45dd165..ea77174 100644 --- a/roles/dhcpd/templates/dhcpd.conf.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.j2 @@ -42,7 +42,7 @@ subnet {{ intnet | ansible.utils.ipaddr('network') }} netmask {{ intnet | ansibl option broadcast-address {{ intnet | ansible.utils.ipaddr('broadcast') }}; option routers {{ intnet | ansible.utils.ipaddr(1) | ansible.utils.ipaddr('address')}}; - option domain-name "{{ inventory_hostname.split('.')[1] }}.foo.sh"; + option domain-name "{{ intdomain }}"; option domain-name-servers {{ intnet | ansible.utils.ipaddr(10) | ansible.utils.ipaddr('address') }}, {{ intnet | ansible.utils.ipaddr(11) | ansible.utils.ipaddr('address') }}, {{ intnet | ansible.utils.ipaddr(12) | ansible.utils.ipaddr('address') }}; use-host-decl-names on; } 
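Review bot: The key and the certificate are chosen by two independent `with_first_found` lookups, so if only one of `privkey.pem`/`fullchain.pem` exists under `/srv/letsencrypt/live/dns.{{ intdomain }}/` the pair installs a Let's Encrypt key with the internal-CA certificate (or the reverse) and unbound rejects the mismatched pair at the restart these tasks notify. Choosing the source once — for example a preceding `ansible.builtin.stat` on the Let's Encrypt directory registered into a fact that both `src:` lines branch on — guarantees both files come from the same issuer. The fallback to the internal CA is also silent; a `debug` line naming the chosen source would make the degraded state visible in the run output.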
diff --git a/roles/unbound/templates/unbound.conf.dna.j2 b/roles/unbound/templates/unbound.conf.dna.j2 index 7d49662..75ce886 100644 --- a/roles/unbound/templates/unbound.conf.dna.j2 +++ b/roles/unbound/templates/unbound.conf.dna.j2 @@ -15,8 +15,8 @@ server: interface: {{ intnet | ansible.utils.ipaddr(12) | ansible.utils.ipaddr('address') }}@53 interface: {{ intnet | ansible.utils.ipaddr(12) | ansible.utils.ipaddr('address') }}@853 - tls-service-key: {{ tls_private }}/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh.key - tls-service-pem: {{ tls_certs }}/dns.{{ inventory_hostname.split('.')[1] }}.foo.sh.crt + tls-service-key: {{ tls_private }}/dns.{{ intdomain }}.key + tls-service-pem: {{ tls_certs }}/dns.{{ intdomain }}.crt tls-cert-bundle: {{ tls_bundle }} access-control: 127.0.0.0/8 allow From d5d6176b13e1133e6fd7c4c79d55c92aeeb8e6ac Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 21 Jun 2025 16:04:01 +0000 Subject: [PATCH 665/713] dhcpd: Fix static hosts for iot and lan gateways --- roles/dhcpd/templates/dhcpd.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2 index ea77174..400b3c6 100644 --- a/roles/dhcpd/templates/dhcpd.conf.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.j2 @@ -50,7 +50,7 @@ subnet {{ intnet | ansible.utils.ipaddr('network') }} netmask {{ intnet | ansibl {% for hostname in hostvars %} {% if hostvars[hostname]['network_interfaces'] is defined %} {% for interface in hostvars[hostname]['network_interfaces'] %} -{% if interface['vlan'] == 20 and interface['mac'] is defined %} +{% if interface['vlan'] == network_interfaces[0].vlan and interface['mac'] is defined %} {% if interface['ipaddr'] is defined %} {% set ipaddr = interface['ipaddr'] %} {% else %} From f64c9cac17d908f8b7be0996485dc6b79b6d0f3c Mon Sep 17 00:00:00 2001 
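Review bot: The changed condition guards `interface['mac'] is defined` but still indexes `interface['vlan']` unconditionally, so a host whose `network_interfaces` entry lacks a `vlan` key aborts the whole template render instead of being skipped. `{% if interface['vlan'] is defined and interface['vlan'] == network_interfaces[0].vlan and interface['mac'] is defined %}` keeps the loop best-effort. Every host_vars entry visible on this page carries `vlan`, so this is latent rather than present. The enclosing `{% for hostname in hostvars %}` loop continues outside the hunk.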
From: Timo Makinen Date: Sat, 21 Jun 2025 16:14:33 +0000 Subject: [PATCH 666/713] unbound_exporter: Only listen to primary interface --- roles/unbound_exporter/templates/stunnel.conf.j2 | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/roles/unbound_exporter/templates/stunnel.conf.j2 b/roles/unbound_exporter/templates/stunnel.conf.j2 index 8f4aab4..e7fd342 100644 --- a/roles/unbound_exporter/templates/stunnel.conf.j2 +++ b/roles/unbound_exporter/templates/stunnel.conf.j2 @@ -14,9 +14,7 @@ CAfile = {{ tls_certs }}/ca.crt syslog = yes [unbound_exporter] -{% for ip in ansible_all_ipv4_addresses %} -accept = {{ ip }}:9167 -{% endfor %} +accept = {{ network_interfaces[0].ipaddr }}:9167 connect = 127.0.0.1:9167 {% for host in groups['prometheus'] %} checkHost = {{ host }} From 7ec8cd3483d00e631fb494a9f6ab32d83a708830 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 21 Jun 2025 16:15:32 +0000 Subject: [PATCH 667/713] Only enable websockify for home gateways --- playbooks/dna-gw.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index c5a3196..1b540a4 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -21,7 +21,8 @@ nginx_site_name: gw.home.foo.sh when: "'gw.home.foo.sh' in ssh_hostnames" - tftp - - websockify + - role: websockify + when: "'gw.home.foo.sh' in ssh_hostnames" tasks: - name: Enable ip forwarding From 25acba7adc58dc59ab12d9dbc60efc927ffcdb5e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 21 Jun 2025 16:25:03 +0000 Subject: [PATCH 668/713] Enable nginx for all dna-gw hosts --- playbooks/dna-gw.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 1b540a4..1df1771 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml 
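Review bot: Narrowing `accept` to the primary interface address shrinks the exporter's listening surface, but the pf rule admitting port 9167 (`pass in quick on $int_if proto tcp from $int_net to self port 9167`, visible as context in a later pf hunk on this page) still lets the whole internal net reach it, leaving `checkHost` as the only thing keeping non-Prometheus hosts out. Restricting that pf rule to the `groups['prometheus']` addresses this template already iterates over would make the network policy match the TLS policy. A comment on the `accept` line noting that VIP/CARP addresses are deliberately not listened on would also help, since the removed loop over `ansible_all_ipv4_addresses` would have covered them.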
@@ -15,8 +15,7 @@ roles: - base - dhcpd - - role: nginx - when: "'gw.home.foo.sh' in ssh_hostnames" + - nginx - role: nginx_site nginx_site_name: gw.home.foo.sh when: "'gw.home.foo.sh' in ssh_hostnames" From a2d3202c694291578c7c1c785521def78f215980 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 21 Jun 2025 16:38:09 +0000 Subject: [PATCH 669/713] Configure DNS servers for iot.foo.sh network --- group_vars/iot.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 group_vars/iot.yml diff --git a/group_vars/iot.yml b/group_vars/iot.yml new file mode 100644 index 0000000..e230b29 --- /dev/null +++ b/group_vars/iot.yml @@ -0,0 +1,5 @@ +--- +network_dns_servers: + - 172.20.27.10 + - 172.20.27.11 + - 172.20.27.12 From 38f09717abc2dedf2c46a39b16b4c0f878c615aa Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 22 Jun 2025 13:44:54 +0000 Subject: [PATCH 670/713] pf: Re-order rules for easier blocking --- roles/pf/templates/pf.conf.gw_dna.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/pf/templates/pf.conf.gw_dna.j2 b/roles/pf/templates/pf.conf.gw_dna.j2 index e9627b1..bae9ee8 100644 --- a/roles/pf/templates/pf.conf.gw_dna.j2 +++ b/roles/pf/templates/pf.conf.gw_dna.j2 @@ -64,9 +64,6 @@ pass in quick proto tcp from any to self port https # block rest of packets coming to me block in quick from any to self -# allow communication from internal to world -pass in quick on $int_if from $int_net to !$int_net - # allow myself to communicate outside (both routes) pass out quick on $ext_if from self to any pass out quick on $int_if from self to any @@ -74,6 +71,9 @@ pass out quick on $int_if from self to any # allow traffic from outside pass out quick on $int_if from any to $int_net +# allow communication from internal to world +pass in quick on $int_if from $int_net to !$int_net + # drop rest block in quick log all block out quick log all From ad81c46228920f4f14667c475a3235f059aa5bd9 Mon Sep 17 00:00:00 2001 
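Review bot: Because every rule here is `quick`, the moved `pass in quick on $int_if from $int_net to !$int_net` only works as intended if any `block` for internal sources sits above it, and nothing in the file says so; since that is the stated purpose of the move, a comment on the rule would protect the ordering from a later tidy-up, e.g. `# keep block rules for $int_net hosts above this pass (quick)`. Its position relative to the `pass out` rules is irrelevant because in and out directions are matched separately. The second hunk of this file is where the rule lands.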
From: Timo Makinen Date: Sun, 22 Jun 2025 14:13:15 +0000 Subject: [PATCH 671/713] Simplify more --- group_vars/dnagw.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml index 8c9b11d..980ec34 100644 --- a/group_vars/dnagw.yml +++ b/group_vars/dnagw.yml @@ -57,4 +57,4 @@ ifstated_config: ifstated-dna.conf.j2 # ssh host alaises ssh_hostnames: - - "gw.{{ inventory_hostname.split('.')[1] }}.foo.sh" + - "gw.{{ intdomain }}" From 4b4ba7a8149304b760da5ad3ae0c8e5055123cd3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 22 Jun 2025 14:22:47 +0000 Subject: [PATCH 672/713] dhcpd: Add extra hosts from LDAP to config --- group_vars/dnagw.yml | 4 ++++ roles/dhcpd/templates/dhcpd.conf.j2 | 8 ++++++++ 2 files changed, 12 insertions(+) diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml index 980ec34..dcb6654 100644 --- a/group_vars/dnagw.yml +++ b/group_vars/dnagw.yml @@ -52,6 +52,10 @@ firewall_src: pf.conf.gw_dna.j2 # unbound config unbound_config: unbound.conf.dna.j2 +# get extra hosts from ldap +dhcpd_ldap_filter: >- + (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.{{ intdomain }})) + # ifstated config ifstated_config: ifstated-dna.conf.j2 diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2 index 400b3c6..e7c83be 100644 --- a/roles/dhcpd/templates/dhcpd.conf.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.j2 @@ -65,3 +65,11 @@ host {{ hostname }} { {% endfor %} {% endif %} {% endfor %} + +{% for host in ldap_hosts.results %} +host {{ host['cn'] }} { + option host-name "{{ host['cn'] }}"; + hardware ethernet {{ host['macAddress'] }}; + fixed-address {{ host['ipHostNumber'] }}; +} +{% endfor %} From 97c9467b89042c2b9f95a88d2f2dedfc42c07ce1 Mon Sep 17 00:00:00 2001 
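Review bot: Values pulled from the directory are written straight into `dhcpd.conf` syntax without validation, so an unexpected `macAddress`/`ipHostNumber` (both multi-valued in RFC 2307, and depending on how `ldap_hosts` was registered they may arrive as lists) either renders as a Python list or breaks the daemon's config at the next restart. Passing them through the address filters this file already uses makes bad data fail at template time instead: `hardware ethernet {{ host['macAddress'] | ansible.utils.hwaddr }};` and `fixed-address {{ host['ipHostNumber'] | ansible.utils.ipaddr('address') }};`, with `| first` ahead of the filter if the values are lists. `{% for host in ldap_hosts.results | default([]) %}` would also let the template render on a host where the lookup task did not run. `cn` is already constrained by `dhcpd_ldap_filter` in group_vars, so the remaining exposure is limited to those two attributes.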
From: Timo Makinen Date: Sun, 22 Jun 2025 14:23:09 +0000 Subject: [PATCH 673/713] dhcpd: Add dynamic range for lan.foo.sh network --- roles/dhcpd/templates/dhcpd.conf.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2 index e7c83be..3a0bc58 100644 --- a/roles/dhcpd/templates/dhcpd.conf.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.j2 @@ -45,6 +45,10 @@ subnet {{ intnet | ansible.utils.ipaddr('network') }} netmask {{ intnet | ansibl option domain-name "{{ intdomain }}"; option domain-name-servers {{ intnet | ansible.utils.ipaddr(10) | ansible.utils.ipaddr('address') }}, {{ intnet | ansible.utils.ipaddr(11) | ansible.utils.ipaddr('address') }}, {{ intnet | ansible.utils.ipaddr(12) | ansible.utils.ipaddr('address') }}; use-host-decl-names on; +{% if network_interfaces[0].vlan == 30 %} + + range {{ intnet | ansible.utils.ipaddr(100) | ansible.utils.ipaddr('address') }} {{ intnet | ansible.utils.ipaddr(200) | ansible.utils.ipaddr('address') }}; +{% endif %} } {% for hostname in hostvars %} From 5e803c87fbad9ec293a836d5638ec15b42b7df3a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 22 Jun 2025 17:52:29 +0000 Subject: [PATCH 674/713] dhcpd/pf: Add DHCP failover support --- roles/dhcpd/templates/dhcpd.conf.j2 | 31 +++++++++++++++++++++++++++- roles/pf/templates/pf.conf.gw_dna.j2 | 10 +++++++++ 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2 index 3a0bc58..3f48b10 100644 --- a/roles/dhcpd/templates/dhcpd.conf.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.j2 
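Review bot: The dynamic range is keyed on the literal `network_interfaces[0].vlan == 30`, while the pf template on this page selects per-network behaviour with `intdomain == 'iot.foo.sh'`; `{% if intdomain == 'lan.foo.sh' %}` here keeps the two templates consistent and reads as intent rather than a magic VLAN number. The blank line emitted directly after the `{% if %}` lands inside the `subnet` block and looks accidental. The endpoints 100 and 200 are also literals; a `dhcpd_range` variable in group_vars would let the network definition own them.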
@@ -2,6 +2,28 @@ authoritative; ddns-update-style none; +{% if network_interfaces[0].vlan == 30 %} +# failover config +{% for host in groups['dnagw_' + intdomain.split('.')[0]] %} +{% if host != inventory_hostname %} +failover peer "failover-peer" { +{% if inventory_hostname.split('.')[0][-2:] | int % 2 == 0 %} + secondary; +{% else %} + primary; + mclt 3600; + split 128; +{% endif %} + address {{ inventory_hostname }}; + peer address {{ host }}; + max-response-delay 60; + max-unacked-updates 10; + load balance max seconds 3; +} +{% endif %} +{% endfor %} + +{% endif %} # custom options option arch code 93 = unsigned integer 16; @@ -47,7 +69,14 @@ subnet {{ intnet | ansible.utils.ipaddr('network') }} netmask {{ intnet | ansibl use-host-decl-names on; {% if network_interfaces[0].vlan == 30 %} - range {{ intnet | ansible.utils.ipaddr(100) | ansible.utils.ipaddr('address') }} {{ intnet | ansible.utils.ipaddr(200) | ansible.utils.ipaddr('address') }}; + pool { +{% for host in groups['dnagw_' + intdomain.split('.')[0]] %} +{% if host != inventory_hostname %} + failover peer "failover-peer"; +{% endif %} +{% endfor %} + range {{ intnet | ansible.utils.ipaddr(100) | ansible.utils.ipaddr('address') }} {{ intnet | ansible.utils.ipaddr(200) | ansible.utils.ipaddr('address') }}; + } {% endif %} } diff --git a/roles/pf/templates/pf.conf.gw_dna.j2 b/roles/pf/templates/pf.conf.gw_dna.j2 index bae9ee8..b4cc151 100644 --- a/roles/pf/templates/pf.conf.gw_dna.j2 +++ b/roles/pf/templates/pf.conf.gw_dna.j2 
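Review bot: The `for host in groups[...]` loop emits one `failover peer "failover-peer"` block per other member, so a group with a third gateway would produce two blocks with the same name and an invalid config; both gateway groups visible on this page have exactly two hosts, so this is an assumption worth stating next to the loop, e.g. `{# failover assumes exactly two gateways per network; the odd-numbered host is primary #}`. Selecting the peer once with `{% set peer = groups['dnagw_' + intdomain.split('.')[0]] | reject('equalto', inventory_hostname) | first %}` and reusing it in the `pool` hunk would also remove the second loop. The primary/secondary choice by parity of the hostname's last two digits is undocumented; a one-line comment on that `{% if %}` would help.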
@@ -50,6 +50,11 @@ pass in quick on $ext_if proto tcp from {{ gw_lan_ip }}/32 to self port ssh pass in quick on $int_if proto tcp from $int_net to self port 9100 pass in quick on $int_if proto tcp from $int_net to self port 9167 +# allow dhcpd failover +{% for host in groups['dnagw_' + intdomain.split('.')[0]] %} +pass in quick on $int_if proto tcp from {{ hostvars[host]['network_interfaces'][0].ipaddr }} to self port 647 +{% endfor %} + # allow dns queries from internal net pass in quick on $int_if proto { tcp, udp } from $int_net to self port domain pass in quick on $int_if proto tcp from $int_net to self port domain-s @@ -71,6 +76,11 @@ pass out quick on $int_if from self to any # allow traffic from outside pass out quick on $int_if from any to $int_net +{% if intdomain == 'iot.foo.sh' %} +# block ip's 50-100 from iot network +block in quick on $int_if from 172.20.27.192/26 to !$int_net + +{% endif %} # allow communication from internal to world pass in quick on $int_if from $int_net to !$int_net From 71ac6d17544f910250878758001072e182ca54c4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 22 Jun 2025 17:54:26 +0000 Subject: [PATCH 675/713] pf: Fix comments --- roles/pf/templates/pf.conf.gw_dna.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/pf/templates/pf.conf.gw_dna.j2 b/roles/pf/templates/pf.conf.gw_dna.j2 index b4cc151..1cfcf2b 100644 --- a/roles/pf/templates/pf.conf.gw_dna.j2 +++ b/roles/pf/templates/pf.conf.gw_dna.j2 @@ -77,7 +77,7 @@ pass out quick on $int_if from self to any pass out quick on $int_if from any to $int_net {% if intdomain == 'iot.foo.sh' %} -# block ip's 50-100 from iot network +# block ip's: 192-255 from iot network block in quick on $int_if from 172.20.27.192/26 to !$int_net {% endif %} From 6c153937dd63d0de073be9fb504c8e40fb7ac2f1 Mon Sep 17 00:00:00 2001 
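Review bot: The new isolation rule `block in quick on $int_if from 172.20.27.192/26 to !$int_net` drops silently, unlike the file's catch-all `block in quick log all` shown as context in the earlier pf hunk; `block in log quick on $int_if from 172.20.27.192/26 to !$int_net` sends the egress attempts of the isolated IoT range to pflog, which is exactly the traffic worth watching. The /26 is a literal inside a template that otherwise derives everything from `intnet`; a group_vars list rendered in a loop would keep the address plan out of the role. The failover rule in the first hunk iterates over the group including the host itself, producing a harmless self-to-self rule; `reject('equalto', inventory_hostname)` would avoid it.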
From: Timo Makinen Date: Mon, 23 Jun 2025 14:53:18 +0000 Subject: [PATCH 676/713] Fix iot interface from homeassistant and mqtt host --- host_vars/homeassistant01.home.foo.sh.yml | 6 ++++-- host_vars/mqtt02.home.foo.sh.yml | 3 ++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/host_vars/homeassistant01.home.foo.sh.yml b/host_vars/homeassistant01.home.foo.sh.yml index e952693..bd8cb38 100644 --- a/host_vars/homeassistant01.home.foo.sh.yml +++ b/host_vars/homeassistant01.home.foo.sh.yml @@ -5,9 +5,11 @@ network_interfaces: vlan: 20 mac: 52:54:00:ac:dc:73 - device: eth1 + mac: 52:54:00:da:da:15 vlan: 27 - - device: eth2 - vlan: 30 + ipaddr: 172.20.27.21 + netmask: 255.255.255.0 + proto: static virt_install_devices: - 0b05:190e - 10c4:ea60 diff --git a/host_vars/mqtt02.home.foo.sh.yml b/host_vars/mqtt02.home.foo.sh.yml index 85836c4..8db2f48 100644 --- a/host_vars/mqtt02.home.foo.sh.yml +++ b/host_vars/mqtt02.home.foo.sh.yml @@ -6,6 +6,7 @@ network_interfaces: mac: 52:54:00:ac:dc:70 - device: vio1 vlan: 27 - ipaddr: 172.20.27.3 + mac: 52:54:00:da:da:16 + ipaddr: 172.20.27.22 netmask: 255.255.255.0 proto: static From 44c3621a55febe68cc9315fd1c86c4739306393b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Jun 2025 17:54:14 +0000 Subject: [PATCH 677/713] Fix install order from mqtt hosts --- playbooks/mqtt.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/playbooks/mqtt.yml b/playbooks/mqtt.yml index 8a5c0b7..490bce3 100644 --- a/playbooks/mqtt.yml +++ b/playbooks/mqtt.yml @@ -15,9 +15,16 @@ roles: - base - mosquitto - - ha_mqtt_configd - telegraf - nginx - role: nginx_site nginx_site_name: iot.foo.sh - shelly_firmware + + tasks: + - name: Run handlers to get interfaces + ansible.builtin.meta: flush_handlers + + - name: Import ha_mqtt_configd role + ansible.builtin.import_role: + name: ha_mqtt_configd From 00ee556f5e90c1cf12e365c09a987512de110bdd Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Mon, 23 Jun 2025 17:54:30 +0000 Subject: [PATCH 678/713] Add carp interface for mqtt failover --- group_vars/mqtt.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/group_vars/mqtt.yml b/group_vars/mqtt.yml index e64ff98..fae17c8 100644 --- a/group_vars/mqtt.yml +++ b/group_vars/mqtt.yml @@ -5,3 +5,10 @@ firewall_in: - {proto: tcp, port: 1883, from: [172.20.27.0/24]} - {proto: tcp, port: 9100, from: [172.20.20.0/22]} - {proto: tcp, port: 8883, from: [172.20.20.0/22, 172.20.27.0/24]} + +network_vip_interfaces: + - device: vio1 + vhid: 13 + ipaddr: 172.20.27.13 + netmask: 255.255.255.0 + pass: "{{ vip13_pass }}" From 973854dc8d544521c6b4a74cc606b22f949d12df Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Jun 2025 18:57:44 +0000 Subject: [PATCH 679/713] ldap_server: Enable server side sorting extension --- roles/ldap_server/templates/slapd.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ldap_server/templates/slapd.conf.j2 b/roles/ldap_server/templates/slapd.conf.j2 index 98efbea..68e96b6 100644 --- a/roles/ldap_server/templates/slapd.conf.j2 +++ b/roles/ldap_server/templates/slapd.conf.j2 @@ -40,6 +40,7 @@ moduleload syncprov.la #moduleload smbkrb5pwd.la moduleload constraint.la moduleload memberof.la +moduleload sssvlv.la # certificates and ciphers (unfortunately modern cipher suite didn't work) TLSCertificateFile {{ tls_certs }}/{{ ldap_server_cert }}.crt From 4846e3a2844d32f0b29ec3e67935b106779baad6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Jun 2025 19:33:24 +0000 Subject: [PATCH 680/713] dhcpd: Make config more readable --- roles/dhcpd/templates/dhcpd.conf.j2 | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2 index 3f48b10..4225a2b 100644 --- a/roles/dhcpd/templates/dhcpd.conf.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.j2 
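Review bot: `vhid: 13` joins the VLAN 27 segment where the dnagw VIPs on this page use vhids 1, 10, 11 and 12, so it does not collide, but CARP vhids must be unique per broadcast domain and nothing records the allocation; a comment such as `# vhid 13: mqtt failover VIP; dnagw uses 1, 10-12 on this segment` keeps the next allocator from reusing it. Referencing `vip13_pass` rather than storing the secret here is the right shape.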
@@ -65,7 +65,13 @@ subnet {{ intnet | ansible.utils.ipaddr('network') }} netmask {{ intnet | ansibl option routers {{ intnet | ansible.utils.ipaddr(1) | ansible.utils.ipaddr('address')}}; option domain-name "{{ intdomain }}"; - option domain-name-servers {{ intnet | ansible.utils.ipaddr(10) | ansible.utils.ipaddr('address') }}, {{ intnet | ansible.utils.ipaddr(11) | ansible.utils.ipaddr('address') }}, {{ intnet | ansible.utils.ipaddr(12) | ansible.utils.ipaddr('address') }}; + option domain-name-servers {{ + [ + intnet | ansible.utils.ipaddr(10) | ansible.utils.ipaddr('address'), + intnet | ansible.utils.ipaddr(11) | ansible.utils.ipaddr('address'), + intnet | ansible.utils.ipaddr(12) | ansible.utils.ipaddr('address') + ] | join(', ') + }}; use-host-decl-names on; {% if network_interfaces[0].vlan == 30 %} From e1edd338aa1444ddef5f667348c5f19ba2ad7096 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 24 Jun 2025 12:38:19 +0000 Subject: [PATCH 681/713] dhcpd: Advertise NTP servers on dna-gw hosts --- roles/dhcpd/templates/dhcpd.conf.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2 index 4225a2b..5f3d59e 100644 --- a/roles/dhcpd/templates/dhcpd.conf.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.j2 @@ -73,6 +73,10 @@ subnet {{ intnet | ansible.utils.ipaddr('network') }} netmask {{ intnet | ansibl ] | join(', ') }}; use-host-decl-names on; + option ntp-servers {% for host in groups['dnagw_' + intdomain.split('.')[0]] -%} + {{ hostvars[host]['network_interfaces'][0].ipaddr -}} + {{ ', ' if not loop.last -}} + {% endfor %}; {% if network_interfaces[0].vlan == 30 %} pool { From 554e3f9701c88e70029143398656689f60b3ff06 Mon Sep 17 00:00:00 2001 
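Review bot: The `option ntp-servers` line builds its list with a whitespace-controlled `for` loop right after the preceding hunk converted `domain-name-servers` to a `[...] | join(', ')` expression; the same style fits here, `option ntp-servers {{ groups['dnagw_' + intdomain.split('.')[0]] | map('extract', hostvars, ['network_interfaces', 0, 'ipaddr']) | join(', ') }};`, and avoids `-%}` trimming that is easy to get subtly wrong. It also makes the dependency on every gateway's primary address explicit in one expression rather than across three template lines.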
From: Timo Makinen Date: Tue, 24 Jun 2025 14:29:05 +0000 Subject: [PATCH 682/713] ntpd: Initial version of role --- roles/ntpd/defaults/main.yml | 3 +++ roles/ntpd/handlers/main.yml | 5 +++++ roles/ntpd/tasks/main.yml | 16 ++++++++++++++++ roles/ntpd/templates/ntpd.conf.j2 | 11 +++++++++++ 4 files changed, 35 insertions(+) create mode 100644 roles/ntpd/defaults/main.yml create mode 100644 roles/ntpd/handlers/main.yml create mode 100644 roles/ntpd/tasks/main.yml create mode 100644 roles/ntpd/templates/ntpd.conf.j2 diff --git a/roles/ntpd/defaults/main.yml b/roles/ntpd/defaults/main.yml new file mode 100644 index 0000000..67789e7 --- /dev/null +++ b/roles/ntpd/defaults/main.yml @@ -0,0 +1,3 @@ +--- +ntpd_servers: + - time.foo.sh diff --git a/roles/ntpd/handlers/main.yml b/roles/ntpd/handlers/main.yml new file mode 100644 index 0000000..d85d8c7 --- /dev/null +++ b/roles/ntpd/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart ntpd + ansible.builtin.service: + name: ntpd + state: restarted diff --git a/roles/ntpd/tasks/main.yml b/roles/ntpd/tasks/main.yml new file mode 100644 index 0000000..384df39 --- /dev/null +++ b/roles/ntpd/tasks/main.yml @@ -0,0 +1,16 @@ +--- +- name: Create config + ansible.builtin.template: + dest: /etc/ntpd.conf + src: ntpd.conf.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + validate: "/usr/sbin/ntpd -f %s -n" + notify: Restart ntpd + +- name: Enable service + ansible.builtin.service: + name: ntpd + state: started + enabled: true diff --git a/roles/ntpd/templates/ntpd.conf.j2 b/roles/ntpd/templates/ntpd.conf.j2 new file mode 100644 index 0000000..8802991 --- /dev/null +++ b/roles/ntpd/templates/ntpd.conf.j2 @@ -0,0 +1,11 @@ +{% if ntpd_listen is defined %} +# listen to network +{% for listen in ntpd_listen %} +listen on {{ listen }} +{% endfor %} + +{% endif %} +# remote servers +{% for server in ntpd_servers %} +server {{ server }} +{% endfor %} From fe51e74afe612535d14eea957b86ab3a4883a211 Mon Sep 17 00:00:00 2001 
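Review bot: The template emits only `server` and `listen on` lines, so gateway time comes from unauthenticated NTP alone while the same hosts serve DHCP, DNS-over-TLS and certificate validation that all depend on a sane clock. OpenBSD ntpd supports `constraints from "<https URL>"` to sanity-check NTP against TLS-dated HTTPS responses; an optional `ntpd_constraints` list rendered the same way as `ntpd_listen` is a cheap defence against a spoofed upstream. The `ntpd_listen is defined` guard is a sensible client-only default, but a comment in the role defaults saying that an undefined list means "do not serve" would document it.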
From: Timo Makinen Date: Tue, 24 Jun 2025 14:31:03 +0000 Subject: [PATCH 683/713] Configure static NTP servers for networks --- group_vars/dnagw.yml | 8 ++++++++ group_vars/home.yml | 3 +++ group_vars/iot.yml | 3 +++ group_vars/lan.yml | 3 +++ 4 files changed, 17 insertions(+) diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml index dcb6654..ae172fd 100644 --- a/group_vars/dnagw.yml +++ b/group_vars/dnagw.yml @@ -59,6 +59,14 @@ dhcpd_ldap_filter: >- # ifstated config ifstated_config: ifstated-dna.conf.j2 +# ntp settings +ntpd_servers: + - time1.mikes.fi + - time2.mikes.fi + - time3.mikes.fi +ntpd_listen: + - "{{ network_interfaces[0].ipaddr }}" + # ssh host alaises ssh_hostnames: - "gw.{{ intdomain }}" diff --git a/group_vars/home.yml b/group_vars/home.yml index d8558c0..058e247 100644 --- a/group_vars/home.yml +++ b/group_vars/home.yml @@ -3,3 +3,6 @@ network_dns_servers: - 172.20.20.10 - 172.20.20.11 - 172.20.20.12 +ntpd_servers: + - time1.home.foo.sh + - time2.home.foo.sh diff --git a/group_vars/iot.yml b/group_vars/iot.yml index e230b29..49adcb8 100644 --- a/group_vars/iot.yml +++ b/group_vars/iot.yml @@ -3,3 +3,6 @@ network_dns_servers: - 172.20.27.10 - 172.20.27.11 - 172.20.27.12 +ntpd_servers: + - time1.iot.foo.sh + - time2.iot.foo.sh diff --git a/group_vars/lan.yml b/group_vars/lan.yml index 7f5510d..130adf3 100644 --- a/group_vars/lan.yml +++ b/group_vars/lan.yml @@ -3,3 +3,6 @@ network_dns_servers: - 172.20.30.10 - 172.20.30.11 - 172.20.30.12 +ntpd_servers: + - time1.lan.foo.sh + - time2.lan.foo.sh From 2bf2d4bae30cc4baa4ff3bd6b738a1207f2cce64 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 24 Jun 2025 14:31:52 +0000 Subject: [PATCH 684/713] base: Configure NTP manually for OpenBSD hosts --- roles/base/tasks/OpenBSD.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/base/tasks/OpenBSD.yml b/roles/base/tasks/OpenBSD.yml index b8ca184..2bd7030 100644 --- a/roles/base/tasks/OpenBSD.yml +++ b/roles/base/tasks/OpenBSD.yml 
@@ -61,6 +61,7 @@ ansible.builtin.include_role: name: "{{ role }}" with_items: + - ntpd - opensmtpd - pf - syslogd From 41d7480acf1f5cf5d9c07ae30a08c8c20ef97405 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 24 Jun 2025 16:04:53 +0000 Subject: [PATCH 685/713] chrony: Initial version of role --- roles/chrony/defaults/main.yml | 3 +++ roles/chrony/handlers/main.yml | 5 +++++ roles/chrony/tasks/main.yml | 20 ++++++++++++++++++++ roles/chrony/templates/chrony.conf.j2 | 24 ++++++++++++++++++++++++ 4 files changed, 52 insertions(+) create mode 100644 roles/chrony/defaults/main.yml create mode 100644 roles/chrony/handlers/main.yml create mode 100644 roles/chrony/tasks/main.yml create mode 100644 roles/chrony/templates/chrony.conf.j2 diff --git a/roles/chrony/defaults/main.yml b/roles/chrony/defaults/main.yml new file mode 100644 index 0000000..e682c96 --- /dev/null +++ b/roles/chrony/defaults/main.yml @@ -0,0 +1,3 @@ +--- +chrony_servers: + - time.foo.sh diff --git a/roles/chrony/handlers/main.yml b/roles/chrony/handlers/main.yml new file mode 100644 index 0000000..dfbde8e --- /dev/null +++ b/roles/chrony/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart chronyd + ansible.builtin.service: + name: chronyd + state: restarted diff --git a/roles/chrony/tasks/main.yml b/roles/chrony/tasks/main.yml new file mode 100644 index 0000000..9ddb27c --- /dev/null +++ b/roles/chrony/tasks/main.yml @@ -0,0 +1,20 @@ +--- +- name: Install packages + ansible.builtin.package: + name: chrony + state: installed + +- name: Create config + ansible.builtin.template: + dest: /etc/chrony.conf + src: chrony.conf.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart chronyd + +- name: Enable service + ansible.builtin.service: + name: chronyd + state: started + enabled: true diff --git a/roles/chrony/templates/chrony.conf.j2 b/roles/chrony/templates/chrony.conf.j2 new file mode 100644 index 0000000..ca80dc2 --- /dev/null 
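Review bot: Unlike the ntpd role added just before it on this page, the chrony `Create config` task has no `validate:`, so a broken template is only discovered when `Restart chronyd` fails. If the installed chronyd can print/check a config file (recent versions accept `chronyd -p -f %s`), `validate: "/usr/sbin/chronyd -p -f %s"` mirrors the ntpd task; confirm the flag on the target release first. `state: installed` on `ansible.builtin.package` works only because the underlying yum/dnf module accepts it as an alias; `present` is the documented value.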
+++ b/roles/chrony/templates/chrony.conf.j2 @@ -0,0 +1,24 @@ +# Remote servers +{% for server in chrony_servers %} +server {{ server }} iburst +{% endfor %} + +# Record the rate at which the system clock gains/losses time. +driftfile /var/lib/chrony/drift + +# Allow the system clock to be stepped in the first three updates +# if its offset is larger than 1 second. +makestep 1.0 3 + +# Enable kernel synchronization of the real-time clock (RTC). +rtcsync +{% if chrony_allow is defined %} + +# Allow NTP client access. +{% for allow in chrony_allow %} +allow {{ allow }} +{% endfor %} +{% endif %} + +# Get TAI-UTC offset and leap seconds from the system tz database. +leapsectz right/UTC From 3f0dc214f73a36fb187f57d87badfc3e84143c55 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 24 Jun 2025 16:05:31 +0000 Subject: [PATCH 686/713] base: Enable chrony for all RedHat based hosts --- roles/base/tasks/RedHat.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml index 0e477a1..00f0bab 100644 --- a/roles/base/tasks/RedHat.yml +++ b/roles/base/tasks/RedHat.yml @@ -33,6 +33,7 @@ name: "{{ role }}" with_items: - selinux # selinux first to get fcontexts working + - chrony - rsyslog loop_control: loop_var: role From 9562eabc2a13f902ce1798db5e8501f7ee5f956f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 24 Jun 2025 16:06:41 +0000 Subject: [PATCH 687/713] Configure chrony for all networks --- group_vars/frigate.yml | 3 +++ group_vars/home.yml | 1 + group_vars/iot.yml | 1 + group_vars/lan.yml | 1 + group_vars/nms.yml | 3 +++ 5 files changed, 9 insertions(+) diff --git a/group_vars/frigate.yml b/group_vars/frigate.yml index 81a93e1..bbe15d9 100644 --- a/group_vars/frigate.yml +++ b/group_vars/frigate.yml @@ -12,6 +12,9 @@ network_vip_interfaces: netmask: 255.255.0.0 pass: "{{ vip26_pass }}" +chrony_allow: + - 172.20.26.0/24 + unbound_zones: - 26.20.172.in-addr.arpa - cam.foo.sh 
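Review bot: When `chrony_allow` is set the host becomes an NTP server for the listed networks but nothing bounds request rate; chrony's `ratelimit` directive (e.g. `ratelimit interval 3 burst 8` under the `allow` lines) caps what a single client can pull and is cheap insurance on a service exposed to the camera and OOB networks configured in group_vars on this page. A comment above `{% if chrony_allow is defined %}` stating that an undefined list keeps chronyd client-only would document the default. `leapsectz right/UTC` assumes the `right/` zoneinfo tree is installed; worth confirming the tzdata package on the targets ships it.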
diff --git a/group_vars/home.yml b/group_vars/home.yml index 058e247..4f742f4 100644 --- a/group_vars/home.yml +++ b/group_vars/home.yml @@ -6,3 +6,4 @@ network_dns_servers: ntpd_servers: - time1.home.foo.sh - time2.home.foo.sh +chrony_servers: "{{ ntpd_servers }}" diff --git a/group_vars/iot.yml b/group_vars/iot.yml index 49adcb8..b2d2a4c 100644 --- a/group_vars/iot.yml +++ b/group_vars/iot.yml @@ -6,3 +6,4 @@ network_dns_servers: ntpd_servers: - time1.iot.foo.sh - time2.iot.foo.sh +chrony_servers: "{{ ntpd_servers }}" diff --git a/group_vars/lan.yml b/group_vars/lan.yml index 130adf3..d6d7890 100644 --- a/group_vars/lan.yml +++ b/group_vars/lan.yml @@ -6,3 +6,4 @@ network_dns_servers: ntpd_servers: - time1.lan.foo.sh - time2.lan.foo.sh +chrony_servers: "{{ ntpd_servers }}" diff --git a/group_vars/nms.yml b/group_vars/nms.yml index bd86e46..85d3b80 100644 --- a/group_vars/nms.yml +++ b/group_vars/nms.yml @@ -2,6 +2,9 @@ datadisks: - {size: 10, type: nvme} +chrony_allow: + - 172.20.25.0/24 + unbound_zones: - 25.20.172.in-addr.arpa - oob.foo.sh From ba758364f56b3d2c13d611013473cd645cb487a7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 24 Jun 2025 16:07:09 +0000 Subject: [PATCH 688/713] Remove chrony kludges from frigate and nms hosts --- playbooks/frigate.yml | 6 ------ playbooks/nms.yml | 7 ------- 2 files changed, 13 deletions(-) diff --git a/playbooks/frigate.yml b/playbooks/frigate.yml index 83bc482..3c1fdf5 100644 --- a/playbooks/frigate.yml +++ b/playbooks/frigate.yml @@ -64,9 +64,3 @@ owner: root group: "{{ ansible_wheel }}" notify: Restart apache - - - name: Enable NTP server for cam network - ansible.builtin.lineinfile: - path: /etc/chrony.conf - regexp: "^#?allow .*" - line: "allow 172.20.26.0/24" diff --git a/playbooks/nms.yml b/playbooks/nms.yml index f326b55..4537054 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml 
@@ -63,13 +63,6 @@ ansible.builtin.import_role: name: dhcpd - # convert this to role for restart support - - name: Enable NTP server for oob network - ansible.builtin.lineinfile: - path: /etc/chrony.conf - regexp: "^#?allow .*" - line: "allow 172.20.25.0/24" - - name: Install extra packages ansible.builtin.package: name: "{{ item }}" From 62c9576df520bee025612d8916c2bccbe01ce9d3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 24 Jun 2025 16:07:59 +0000 Subject: [PATCH 689/713] pf: Open NTP port from dna-gw hosts to clients --- roles/pf/templates/pf.conf.gw_dna.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/pf/templates/pf.conf.gw_dna.j2 b/roles/pf/templates/pf.conf.gw_dna.j2 index 1cfcf2b..56f19e9 100644 --- a/roles/pf/templates/pf.conf.gw_dna.j2 +++ b/roles/pf/templates/pf.conf.gw_dna.j2 @@ -62,6 +62,9 @@ pass in quick on $int_if proto tcp from $int_net to self port domain-s # allow tftp from internal net pass in quick on $int_if proto udp from $int_net to self port tftp +# allow ntp from internal net +pass in quick on $int_if proto udp from $int_net to self port ntp + # allow http and https from outside pass in quick proto tcp from any to self port http pass in quick proto tcp from any to self port https From f85e2f1150e6020b26bc3b77ac390e2b0f38038f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 24 Jun 2025 17:59:03 +0000 Subject: [PATCH 690/713] Fix mikes time servers --- group_vars/dnagw.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml index ae172fd..7192969 100644 --- a/group_vars/dnagw.yml +++ b/group_vars/dnagw.yml @@ -61,9 +61,9 @@ ifstated_config: ifstated-dna.conf.j2 # ntp settings ntpd_servers: + - time.mikes.fi - time1.mikes.fi - time2.mikes.fi - - time3.mikes.fi ntpd_listen: - "{{ network_interfaces[0].ipaddr }}" From 4c32ae71da413df4dcdbefac3894fbbc6138b129 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Fri, 11 Jul 2025 07:11:14 +0000 Subject: [PATCH 691/713] Update software versions --- hosts.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/hosts.yml b/hosts.yml index 6067b60..eb9c2d8 100644 --- a/hosts.yml +++ b/hosts.yml @@ -36,7 +36,7 @@ forgejo: hosts: forgejo02.home.foo.sh: vars: - forgejo_version: "11.0.1" + forgejo_version: "11.0.3" frigate: hosts: frigate02.home.foo.sh: @@ -50,11 +50,11 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2025.6" + homeassistant_version: "2025.7.1" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git - version: v2.1.0 + version: v2.2.0 - name: espsomfy_rts repo: https://github.com/rstrouse/ESPSomfy-RTS-HA.git version: v2.4.7 @@ -73,7 +73,7 @@ mail: hosts: mail02.home.foo.sh: vars: - opendkim_selector: 20250101 + opendkim_selector: 20250601 minecraft: hosts: minecraft01.home.foo.sh: @@ -105,9 +105,9 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "12.0.1" - phpldapadmin_version: "2.1.4" - rocketchat_version: "7.6.3" + grafana_version: "12.0.2" + phpldapadmin_version: "2.2.1" + rocketchat_version: "7.8.0" roundcube_version: "1.6.11" print: hosts: From fe5444052bb1b037693c5ff3f249534bccaee0d7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Jul 2025 13:18:18 +0000 Subject: [PATCH 692/713] Move nms host roles to adm hosts --- group_vars/adm.yml | 34 ++++++++++++++++- host_vars/adm01.home.foo.sh.yml | 13 +++++++ host_vars/adm02.home.foo.sh.yml | 13 +++++++ hosts.yml | 2 + playbooks/adm.yml | 41 +++++++++++++++++++++ roles/unbound/templates/unbound.conf.oob.j2 | 38 +++++++++++++++++++ 6 files changed, 140 insertions(+), 1 deletion(-) create mode 100644 roles/unbound/templates/unbound.conf.oob.j2 diff --git a/group_vars/adm.yml b/group_vars/adm.yml index a06d51b..b12c642 100644 --- a/group_vars/adm.yml 
+++ b/group_vars/adm.yml @@ -2,11 +2,43 @@ datadisks: - {size: 10, type: nvme} +chrony_allow: + - 172.20.25.0/24 + +unbound_zones: + - 25.20.172.in-addr.arpa + - oob.foo.sh +dhcpd_template: dhcpd.conf.oob.j2 +dhcpd_ldap_filter: >- + (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.oob.foo.sh)) +unbound_config: unbound.conf.oob.j2 + +network_vip_interfaces: + - device: eth0 + vhid: 11 + ipaddr: 172.20.20.21 + netmask: 255.255.240.0 + pass: "{{ vip21_pass }}" + - device: eth1 + vhid: 25 + ipaddr: 172.20.25.1 + netmask: 255.255.255.0 + pass: "{{ vip25_pass }}" + priority: "{{ vip25_priority }}" + firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} + - {proto: tcp, port: 25, from: [172.20.25.0/24]} + - {proto: tcp, port: 53, from: [172.20.25.0/24]} + - {proto: udp, port: 53, from: [172.20.25.0/24]} - {proto: tcp, port: 80, from: [172.20.20.0/22]} - - {proto: tcp, port: 443, from: [172.20.20.0/22]} + - {proto: udp, port: 123, from: [172.20.25.0/24]} + - {proto: tcp, port: 443, from: [172.20.20.0/22, 172.20.25.0/24]} + - {proto: udp, port: 514, from: [172.20.25.0/24]} - {proto: tcp, port: 9100, from: [172.20.20.0/22]} + - {proto: tcp, port: 9116, from: [172.20.20.0/22]} +firewall_raw: + - "ip daddr 224.0.0.0/8 accept" sssd_allow_groups: - sysadm diff --git a/host_vars/adm01.home.foo.sh.yml b/host_vars/adm01.home.foo.sh.yml index f4095d3..fbab7fc 100644 --- a/host_vars/adm01.home.foo.sh.yml +++ b/host_vars/adm01.home.foo.sh.yml @@ -4,3 +4,16 @@ network_interfaces: - device: eth0 vlan: 20 mac: "52:54:00:ac:dc:0b" + - device: eth1 + vlan: 25 + ipaddr: 172.20.25.2 + netmask: 255.255.255.0 + proto: static + nameservers: [172.20.25.1, 172.20.25.2, 172.20.25.3] + - device: eth2 + vlan: 103 + ipaddr: 192.168.100.2 + netmask: 255.255.255.248 + proto: static + +vip25_priority: 128 diff --git a/host_vars/adm02.home.foo.sh.yml b/host_vars/adm02.home.foo.sh.yml index a55bf18..e8ea2f8 100644 --- a/host_vars/adm02.home.foo.sh.yml +++ b/host_vars/adm02.home.foo.sh.yml 
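Review bot: `firewall_raw: "ip daddr 224.0.0.0/8 accept"` admits every multicast destination, far more than the VRRP traffic the `network_vip_interfaces` entries need; `ip daddr 224.0.0.18 ip protocol 112 accept` (VRRP) covers keepalived and leaves mDNS, SSDP and IGMP to the default policy. The new udp/514 entry from 172.20.25.0/24 exposes an unauthenticated syslog listener, which is normal for OOB gear but deserves a comment that lines from that network are spoofable by source address. Both rules appear to be carried over from the deleted nms group rather than written fresh here, so this is a pre-existing gap the move is a good moment to close.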
@@ -4,3 +4,16 @@ network_interfaces: - device: eth0 vlan: 20 mac: "52:54:00:ac:dc:0c" + - device: eth1 + vlan: 25 + ipaddr: 172.20.25.3 + netmask: 255.255.255.0 + proto: static + nameservers: [172.20.25.1, 172.20.25.2, 172.20.25.3] + - device: eth2 + vlan: 103 + ipaddr: 192.168.100.3 + netmask: 255.255.255.248 + proto: static + +vip25_priority: 1 diff --git a/hosts.yml b/hosts.yml index eb9c2d8..37823e4 100644 --- a/hosts.yml +++ b/hosts.yml @@ -3,6 +3,8 @@ adm: hosts: adm01.home.foo.sh: adm02.home.foo.sh: + vars: + snmp_exporter_version: "0.29.0" audiobooks: hosts: audiobooks02.home.foo.sh: diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 8028d9d..fbe2b96 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml @@ -28,6 +28,10 @@ - ansible_host - certbot - cups + - nginx + - role: nginx_site + nginx_site_name: oob.foo.sh + nginx_site_plaintest: false - sshca - ssh_known_hosts - role: keytab @@ -38,10 +42,36 @@ autofs_home: false - sssd - mkhomedir + - aten_pdu + - routeros - rpm_build + - snmp_exporter - web_build tasks: + - name: Run handlers to get interfaces configured + ansible.builtin.meta: flush_handlers + + - name: Enable UDP rsyslog server + ansible.builtin.import_role: + name: rsyslog + tasks_from: udp-listen + + - name: Enable postfix mail relay + ansible.builtin.import_role: + name: postfix + tasks_from: relay + vars: + relay_domains: [foo.sh] + + - name: Import unbound role + ansible.builtin.import_role: + name: unbound + + - name: Import dhcpd role + ansible.builtin.import_role: + name: dhcpd + - name: Install packages ansible.builtin.package: name: "{{ item }}" @@ -150,3 +180,14 @@ mode: "0755" owner: root group: "{{ ansible_wheel }}" + + - name: Create sw-backup script + ansible.builtin.copy: + dest: /usr/local/bin/sw-backup + content: | + #!/bin/sh + set -eu + ssh "admin@${1}" /export > "/srv/backup/${1}.rsc" + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" 
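Review bot: `nginx_site_plaintest: false` on the new `nginx_site` entry is misspelled; the deleted playbooks/nms.yml passed `nginx_site_plaintext: false` for the same site, so this value is never read and oob.foo.sh gets whatever the role's default for the plaintext listener is instead of the intended `false`. Change the line to `nginx_site_plaintext: false`. The `roles:` list this sits in begins before the hunk.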
diff --git a/roles/unbound/templates/unbound.conf.oob.j2 b/roles/unbound/templates/unbound.conf.oob.j2 new file mode 100644 index 0000000..f8a2e61 --- /dev/null +++ b/roles/unbound/templates/unbound.conf.oob.j2 @@ -0,0 +1,38 @@ + +server: + interface: eth1 + + access-control: 127.0.0.0/8 allow + access-control: ::1 allow + access-control: 172.20.25.1/32 allow + access-control: 172.20.25.2/32 allow + access-control: 172.20.25.3/32 allow + access-control: 172.20.25.0/24 refuse_non_local + + extended-statistics: yes + + hide-identity: yes + hide-version: yes + + tls-upstream: yes + tls-cert-bundle: {{ tls_bundle }} + + chroot: "" + + unblock-lan-zones: yes + +remote-control: + control-enable: yes + control-interface: /var/run/unbound.sock + +forward-zone: + name: "." + forward-addr: 172.20.20.10@853#dns.home.foo.sh + forward-addr: 172.20.20.11@853#dns.home.foo.sh + forward-addr: 172.20.20.12@853#dns.home.foo.sh + +{% for zone in unbound_zones %} +auth-zone: + name: "{{ zone }}" + zonefile: "{{ unbound_zonedir }}/{{ zone }}" +{% endfor %} From fd6b5542d977a6bd5f3c4e24e2ba61b980ecb976 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Jul 2025 13:19:43 +0000 Subject: [PATCH 693/713] Remove nms hosts --- group_vars/nms.yml | 43 ---------- host_vars/nms01.home.foo.sh.yml | 20 ----- host_vars/nms02.home.foo.sh.yml | 20 ----- hosts.yml | 7 -- playbooks/nms.yml | 85 ------------------- .../unbound.conf.nms01.home.foo.sh.j2 | 39 --------- .../unbound.conf.nms02.home.foo.sh.j2 | 1 - 7 files changed, 215 deletions(-) delete mode 100644 group_vars/nms.yml delete mode 100644 host_vars/nms01.home.foo.sh.yml delete mode 100644 host_vars/nms02.home.foo.sh.yml delete mode 100644 playbooks/nms.yml delete mode 100644 roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 delete mode 120000 roles/unbound/templates/unbound.conf.nms02.home.foo.sh.j2 diff --git a/group_vars/nms.yml b/group_vars/nms.yml deleted file mode 100644 index 85d3b80..0000000 
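Review bot: `interface: eth1` replaces the `interface: 0.0.0.0` of the deleted nms template, and the service address 172.20.25.1 is a keepalived VIP that exists on eth1 only while this host is master; if unbound resolves the interface name to its addresses at startup, the standby will not be listening on the VIP after a failover until it is restarted. Confirm this on the deployed unbound version, or bind explicitly to the VIP with `ip-transparent: yes` so the socket can be created before the address arrives, or simply keep `interface: 0.0.0.0` since `access-control` and `firewall_in` already limit who can query. A short comment that this resolver does not validate DNSSEC itself (no `auto-trust-anchor-file`) and trusts dns.home.foo.sh via the `@853#dns.home.foo.sh` TLS auth name would make the trust boundary explicit.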
--- a/group_vars/nms.yml +++ /dev/null @@ -1,43 +0,0 @@ ---- -datadisks: - - {size: 10, type: nvme} - -chrony_allow: - - 172.20.25.0/24 - -unbound_zones: - - 25.20.172.in-addr.arpa - - oob.foo.sh -dhcpd_template: dhcpd.conf.oob.j2 -dhcpd_ldap_filter: >- - (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.oob.foo.sh)) - -network_vip_interfaces: - - device: eth0 - vhid: 11 - ipaddr: 172.20.20.21 - netmask: 255.255.240.0 - pass: "{{ vip21_pass }}" - - device: eth1 - vhid: 25 - ipaddr: 172.20.25.1 - netmask: 255.255.255.0 - pass: "{{ vip25_pass }}" - priority: "{{ vip25_priority }}" - -firewall_in: - - {proto: tcp, port: 22, from: [172.20.20.0/22]} - - {proto: tcp, port: 25, from: [172.20.25.0/24]} - - {proto: tcp, port: 53, from: [172.20.25.0/24]} - - {proto: udp, port: 53, from: [172.20.25.0/24]} - - {proto: udp, port: 69, from: [172.20.25.0/24]} - - {proto: udp, port: 123, from: [172.20.25.0/24]} - - {proto: tcp, port: 443, from: [172.20.25.0/24]} - - {proto: udp, port: 514, from: [172.20.25.0/24]} - - {proto: tcp, port: 9100, from: [172.20.20.0/22]} - - {proto: tcp, port: 9116, from: [172.20.20.0/22]} -firewall_raw: - - "ip daddr 224.0.0.0/8 accept" - -sssd_allow_groups: - - sysadm diff --git a/host_vars/nms01.home.foo.sh.yml b/host_vars/nms01.home.foo.sh.yml deleted file mode 100644 index a644173..0000000 --- a/host_vars/nms01.home.foo.sh.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -vmhost: vmhost01.home.foo.sh -network_interfaces: - - device: eth0 - vlan: 20 - mac: "52:54:00:ac:dc:43" - nameservers: [] - - device: eth1 - vlan: 25 - ipaddr: 172.20.25.2 - netmask: 255.255.255.0 - proto: static - nameservers: [172.20.25.1, 172.20.25.2, 172.20.25.3] - - device: eth2 - vlan: 103 - ipaddr: 192.168.100.2 - netmask: 255.255.255.248 - proto: static - -vip25_priority: 128 diff --git a/host_vars/nms02.home.foo.sh.yml b/host_vars/nms02.home.foo.sh.yml deleted file mode 100644 index cb1b86b..0000000 --- a/host_vars/nms02.home.foo.sh.yml +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -vmhost: vmhost02.home.foo.sh -network_interfaces: - - device: eth0 - vlan: 20 - mac: "52:54:00:ac:dc:44" - nameservers: [] - - device: eth1 - vlan: 25 - ipaddr: 172.20.25.3 - netmask: 255.255.255.0 - proto: static - nameservers: [172.20.25.1, 172.20.25.2, 172.20.25.3] - - device: eth2 - vlan: 103 - ipaddr: 192.168.100.3 - netmask: 255.255.255.248 - proto: static - -vip25_priority: 1 diff --git a/hosts.yml b/hosts.yml index 37823e4..374c1db 100644 --- a/hosts.yml +++ b/hosts.yml @@ -91,12 +91,6 @@ mqtt: nas: hosts: nas02.home.foo.sh: -nms: - hosts: - nms01.home.foo.sh: - nms02.home.foo.sh: - vars: - snmp_exporter_version: "0.29.0" ns: hosts: ns01.home.foo.sh: @@ -188,7 +182,6 @@ rocky9: mirror: mongodb: nas: - nms: ocinode: print: prometheus: diff --git a/playbooks/nms.yml b/playbooks/nms.yml deleted file mode 100644 index 4537054..0000000 --- a/playbooks/nms.yml +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -- name: Deploy KVM virtual machines - ansible.builtin.import_playbook: include/deploy-kvm-guest.yml - vars: - myhosts: nms - -- name: Configure instance - hosts: nms - user: root - gather_facts: true - - pre_tasks: - - name: Mount /export - ansible.posix.mount: - name: /export - src: LABEL=/export - fstype: xfs - opts: noatime,noexec,nosuid,nodev - passno: "0" - dump: "0" - state: mounted - - vars_files: - - "{{ ansible_private }}/vars.yml" - - roles: - - base - - cups - - nginx - - role: nginx_site - nginx_site_name: oob.foo.sh - nginx_site_plaintext: false - - role: keytab - keytab_principals: - - "host/{{ inventory_hostname }}@{{ kerberos_realm }}" - - nfs_client - - role: autofs - autofs_home: false - - sssd - - mkhomedir - - aten_pdu - - routeros - - snmp_exporter - - tasks: - - name: Enable UDP rsyslog server - ansible.builtin.import_role: - name: rsyslog - tasks_from: udp-listen - - - name: Enable postfix mail relay - ansible.builtin.import_role: - name: postfix - tasks_from: relay - vars: - relay_domains: [foo.sh] - - - name: Import unbound role - ansible.builtin.import_role: - name: unbound - - - name: Import dhcpd role - ansible.builtin.import_role: - name: dhcpd - - - name: Install extra packages - ansible.builtin.package: - name: "{{ item }}" - state: installed - with_items: - - nmap - - rcs - - unzip - - wget - - - name: Create sw-backup script - ansible.builtin.copy: - dest: /usr/local/bin/sw-backup - content: | - #!/bin/sh - set -eu - ssh "admin@${1}" /export > "/srv/backup/${1}.rsc" - mode: "0755" - owner: root - group: "{{ ansible_wheel }}" diff --git a/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 deleted file mode 100644 index c29a61c..0000000 --- a/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 +++ /dev/null 
@@ -1,39 +0,0 @@ - -server: - interface: 0.0.0.0 - interface: ::0 - - access-control: 127.0.0.0/8 allow - access-control: ::1 allow - access-control: 172.20.25.1/32 allow - access-control: 172.20.25.2/32 allow - access-control: 172.20.25.3/32 allow - access-control: 172.20.25.0/24 refuse_non_local - - extended-statistics: yes - - hide-identity: yes - hide-version: yes - - tls-upstream: yes - tls-cert-bundle: {{ tls_bundle }} - - chroot: "" - - unblock-lan-zones: yes - -remote-control: - control-enable: yes - control-interface: /var/run/unbound.sock - -forward-zone: - name: "." - forward-addr: 172.20.20.10@853#dns.home.foo.sh - forward-addr: 172.20.20.11@853#dns.home.foo.sh - forward-addr: 172.20.20.12@853#dns.home.foo.sh - -{% for zone in unbound_zones %} -auth-zone: - name: "{{ zone }}" - zonefile: "{{ unbound_zonedir }}/{{ zone }}" -{% endfor %} diff --git a/roles/unbound/templates/unbound.conf.nms02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.nms02.home.foo.sh.j2 deleted file mode 120000 index 4b3c596..0000000 --- a/roles/unbound/templates/unbound.conf.nms02.home.foo.sh.j2 +++ /dev/null @@ -1 +0,0 @@ -unbound.conf.nms01.home.foo.sh.j2 \ No newline at end of file From 7f7abc0ee74dd350267c6f781f6afa8793d23eb5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Jul 2025 13:39:46 +0000 Subject: [PATCH 694/713] routeros: Move sw-backup script to role --- playbooks/adm.yml | 11 ----------- roles/routeros/files/sw-backup.sh | 11 +++++++++++ roles/routeros/tasks/main.yml | 8 ++++++++ 3 files changed, 19 insertions(+), 11 deletions(-) create mode 100755 roles/routeros/files/sw-backup.sh diff --git a/playbooks/adm.yml b/playbooks/adm.yml index fbe2b96..f424596 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml 
@@ -180,14 +180,3 @@ mode: "0755" owner: root group: "{{ ansible_wheel }}" - - - name: Create sw-backup script - ansible.builtin.copy: - dest: /usr/local/bin/sw-backup - content: | - #!/bin/sh - set -eu - ssh "admin@${1}" /export > "/srv/backup/${1}.rsc" - mode: "0755" - owner: root - group: "{{ ansible_wheel }}" diff --git a/roles/routeros/files/sw-backup.sh b/roles/routeros/files/sw-backup.sh new file mode 100755 index 0000000..f6626d5 --- /dev/null +++ b/roles/routeros/files/sw-backup.sh @@ -0,0 +1,11 @@ +#!/bin/sh + +set -eu +umask 022 + +if [ $# -ne 1 ]; then + echo "Usage: $(basename "$0") " 1>&2 + exit 1 +fi + +ssh "admin@${1}" /export > "/srv/backup/${1}.rsc" diff --git a/roles/routeros/tasks/main.yml b/roles/routeros/tasks/main.yml index 356995d..1907ce9 100644 --- a/roles/routeros/tasks/main.yml +++ b/roles/routeros/tasks/main.yml @@ -101,3 +101,11 @@ mode: "0644" owner: root group: "{{ ansible_wheel }}" + +- name: Copy sw-backup script + ansible.builtin.copy: + dest: /usr/local/bin/sw-backup + src: sw-backup.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" From 7fceed3e52cc222ff6e23c571942cbffb03565bc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Jul 2025 13:45:17 +0000 Subject: [PATCH 695/713] routeros: Create backup directories --- roles/routeros/tasks/main.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/roles/routeros/tasks/main.yml b/roles/routeros/tasks/main.yml index 1907ce9..b9932f9 100644 --- a/roles/routeros/tasks/main.yml +++ b/roles/routeros/tasks/main.yml 
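Review bot: The redirection opens and truncates `/srv/backup/${1}.rsc` before ssh runs, so a failed connection replaces the last good backup with an empty file and `set -eu` only aborts afterwards; `umask 022` additionally makes every exported config world-readable, whereas the sibling script routeros-poe-mqtt-publish.sh uses `umask 077`. `$1` is also used unvalidated in both the ssh target and the output path, so a name containing `/` escapes the backup directory, and without `-o BatchMode=yes` a cron run can hang on a password or host-key prompt. The usage line appears to have lost its argument placeholder (`Usage: $(basename "$0") `), possibly in rendering. Depending on the RouterOS major in use, `/export` may include sensitive values unless `hide-sensitive` is given, which is worth a comment next to the command.
```shell
set -eu
umask 077

# … unchanged: argument-count check …

# Refuse names that could escape /srv/backup or hide the file.
case "$1" in
  ""|*/*|.*) echo "invalid switch name: $1" 1>&2; exit 1 ;;
esac

out="/srv/backup/${1}.rsc"
# Write to a temp file so a failed ssh does not truncate the previous backup.
ssh -o BatchMode=yes "admin@${1}" /export > "${out}.tmp"
mv "${out}.tmp" "$out"
```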
@@ -102,6 +102,23 @@ owner: root group: "{{ ansible_wheel }}" +- name: Create backup directory + ansible.builtin.file: + path: /export/backup + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Link backup directory + ansible.builtin.file: + path: /srv/backup + src: /export/backup + state: link + owner: root + group: "{{ ansible_wheel }}" + follow: false + - name: Copy sw-backup script ansible.builtin.copy: dest: /usr/local/bin/sw-backup From 8c99bb1323b1e65356acc530722b1c7809772f9c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 13 Jul 2025 17:25:09 +0000 Subject: [PATCH 696/713] network: Fix keepalived tmpfiles config --- roles/network/tasks/RedHat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/network/tasks/RedHat.yml b/roles/network/tasks/RedHat.yml index 92b38c9..568fc2d 100644 --- a/roles/network/tasks/RedHat.yml +++ b/roles/network/tasks/RedHat.yml @@ -69,7 +69,7 @@ - name: Create run directory ansible.builtin.copy: dest: /etc/tmpfiles.d/keepalived.conf - content: "d /run/keepalived 755 keepalived keepalived" + content: "d /run/keepalived 0755 keepalived keepalived -\n" mode: "0644" owner: root group: "{{ ansible_wheel }}" From df5ecb1a047ac0eec8293773ee9e3211245dfffc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 15 Jul 2025 17:32:23 +0000 Subject: [PATCH 697/713] routeros: Add verbose option to PoE MQTT script --- roles/routeros/files/routeros-poe-mqtt-publish.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/routeros/files/routeros-poe-mqtt-publish.sh b/roles/routeros/files/routeros-poe-mqtt-publish.sh index 4395ba0..bf38ca0 100755 --- a/roles/routeros/files/routeros-poe-mqtt-publish.sh +++ b/roles/routeros/files/routeros-poe-mqtt-publish.sh 
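Review bot: `/export/backup` is created with `mode: "0755"`, so every RouterOS export placed there is readable by any local account, and with the `umask 022` in sw-backup.sh the `.rsc` files themselves come out 0644. Even without passwords an export documents addressing, firewall rules, SNMP communities and user names, so `mode: "0750"` with the existing root:`{{ ansible_wheel }}` ownership is the safer default. The symlink task that follows is fine as written.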
@@ -3,6 +3,11 @@ set -eu umask 077 +_verbose=false +if [ "${1:-}" = "-v" ]; then + _verbose=true +fi + community="public" tlsdir="$(openssl version -d | sed -e 's/^OPENSSLDIR: "\(.\+\)"$/\1/')" cafile="${tlsdir}/certs/ca.crt" @@ -15,6 +20,7 @@ export LDAPTLS_CERT="$certfile" mqtt_send() { topic="$1" value="$2" + [ $_verbose ] && echo "Publishing data for ${topic}" mosquitto_pub -h mqtt02.home.foo.sh -t "$topic" -m "$value" \ --cafile "$cafile" --key "$keyfile" --cert "$certfile" } @@ -29,6 +35,7 @@ snmp_get() { if [ "${1:-}" != "-f" ]; then for state in /run/keepalived/*.state ; do if [ "$(cat "$state")" != "MASTER" ]; then + [ $_verbose ] && echo "Not running as master, skipping run" exit 0 fi break From 14c421a81cc870c3b455dbec7404025187bb93be Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 16 Jul 2025 17:48:53 +0000 Subject: [PATCH 698/713] base: Make sure OpenBSD hostname is updated --- roles/base/handlers/main.yml | 6 ++++++ roles/base/tasks/OpenBSD.yml | 1 + 2 files changed, 7 insertions(+) create mode 100644 roles/base/handlers/main.yml diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml new file mode 100644 index 0000000..c1027f2 --- /dev/null +++ b/roles/base/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Update hostname + ansible.builtin.command: + argv: + - hostname + - "{{ inventory_hostname }}" diff --git a/roles/base/tasks/OpenBSD.yml b/roles/base/tasks/OpenBSD.yml index 2bd7030..7110ef5 100644 --- a/roles/base/tasks/OpenBSD.yml +++ b/roles/base/tasks/OpenBSD.yml @@ -6,6 +6,7 @@ mode: "0644" owner: root group: "{{ ansible_wheel }}" + notify: Update hostname - name: Configure mirror for packages and updates ansible.builtin.copy: From 8d016ea2b3882070a0f667d37aa8367532f0dc8b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 16 Jul 2025 17:49:39 +0000 Subject: [PATCH 699/713] keepalived: FOrce using version 3 for messages --- roles/network/templates/keepalived.conf.j2 | 1 + 1 file changed, 1 insertion(+) 
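Review bot: `[ $_verbose ] && echo …` tests whether the string is non-empty, and both `true` and `false` are non-empty, so the messages print on every run and `-v` changes nothing. Use the value as a command, `"$_verbose" && echo "Publishing data for ${topic}"`, or compare it, `[ "$_verbose" = true ] && …`. Note also that `-v` and `-f` are both read from `$1`, so they cannot be combined; a small `while getopts vf opt` loop would fix that at the same time. The `mqtt_send` function and the master check continue outside the hunks.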
diff --git a/roles/network/templates/keepalived.conf.j2 b/roles/network/templates/keepalived.conf.j2 index c68642d..3719d66 100644 --- a/roles/network/templates/keepalived.conf.j2 +++ b/roles/network/templates/keepalived.conf.j2 @@ -1,6 +1,7 @@ ! {{ ansible_managed }} global_defs { + version 3 enable_script_security script_user keepalived } From 02ea915d36f73499235827df46e040667c460ac4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 16 Jul 2025 17:50:19 +0000 Subject: [PATCH 700/713] Fix install order for ns hosts --- playbooks/ns.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/playbooks/ns.yml b/playbooks/ns.yml index 4642197..0f2e315 100644 --- a/playbooks/ns.yml +++ b/playbooks/ns.yml @@ -19,7 +19,14 @@ - role: nginx_site nginx_site_name: "{{ nsd_server }}" nginx_site_redirect: https://www.foo.sh/ - - role: ifstated - when: "'vultr' not in group_names" - role: blackbox_exporter when: "inventory_hostname == 'atl01.vultr.foo.sh'" + + tasks: + - name: Run handlers to get interfaces configured + ansible.builtin.meta: flush_handlers + + - name: Import ifstated role + ansible.builtin.import_role: + name: ifstated + when: "'vultr' not in group_names" From d23da671ca14d4b53d24b64f0311abc6f4bae95e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 16 Jul 2025 17:51:03 +0000 Subject: [PATCH 701/713] Use Google NTP servers for dna-gw hosts --- group_vars/dnagw.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml index 7192969..f663b1a 100644 --- a/group_vars/dnagw.yml +++ b/group_vars/dnagw.yml @@ -61,9 +61,10 @@ ifstated_config: ifstated-dna.conf.j2 # ntp settings ntpd_servers: - - time.mikes.fi - - time1.mikes.fi - - time2.mikes.fi + - time1.google.com + - time2.google.com + - time3.google.com + - time4.google.com ntpd_listen: - "{{ network_interfaces[0].ipaddr }}" From 72736c8b13606d54d7b100f89de507d7fa4a6367 Mon Sep 17 00:00:00 2001 
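Review bot: `version 3` is not a keyword I recognise in keepalived's `global_defs`; the documented directive is `vrrp_version 3`, and keepalived logs unknown keywords and otherwise ignores them, so this may be a no-op — check with `keepalived --config-test` and the journal. If it does take effect, VRRPv3 (RFC 5798) has no authentication, so the `pass:` values carried in `network_vip_interfaces` stop protecting the advertisements (keepalived warns and ignores `authentication` under v3, as far as I recall), and on hosts that accept VRRP multicast, such as the adm group's `firewall_raw`, any host on the VLAN can then claim the VIP unless the switch filters it. Record that trade-off on the line, `! VRRPv3 has no authentication: VIP ownership relies on L2 isolation of the VLAN`. The `vrrp_instance` blocks that consume the passwords are outside the hunk.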
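Review bot: time1-4.google.com smear leap seconds over 24 hours instead of announcing them, which is consistent as long as these are the only sources, but the dna-gw hosts also serve NTP to `$int_net` (pf rule added earlier in this series), so any internal client that mixes the gateway with a non-smearing source will see up to a one-second disagreement around a leap second. Google's servers also do not offer NTS as far as I know, so the upstream stays unauthenticated and `ntpd_constraints` is the only sanity bound. A comment above the list, `# leap-smearing servers: do not mix with non-smearing sources`, would keep the next person from adding a pool entry.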
From: Timo Makinen Date: Wed, 16 Jul 2025 17:53:48 +0000 Subject: [PATCH 702/713] unbound: Enable DNSSEC validation for dna-gw hosts --- roles/unbound/templates/unbound.conf.dna.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/unbound/templates/unbound.conf.dna.j2 b/roles/unbound/templates/unbound.conf.dna.j2 index 75ce886..955e007 100644 --- a/roles/unbound/templates/unbound.conf.dna.j2 +++ b/roles/unbound/templates/unbound.conf.dna.j2 @@ -29,7 +29,10 @@ server: hide-identity: yes hide-version: yes + auto-trust-anchor-file: {{ unbound_zonedir }}/root.key + prefetch: yes + prefetch-key: yes unblock-lan-zones: yes remote-control: From fd69bcdec0e5703f9ab7dfec42f474219421cced Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 16 Jul 2025 20:50:48 +0000 Subject: [PATCH 703/713] nginx_site: Allow to run site in custom port --- roles/nginx_site/tasks/main.yml | 7 ++++++- roles/nginx_site/templates/site.conf.j2 | 4 ++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/roles/nginx_site/tasks/main.yml b/roles/nginx_site/tasks/main.yml index 0afcf5e..0b2d9ab 100644 --- a/roles/nginx_site/tasks/main.yml +++ b/roles/nginx_site/tasks/main.yml @@ -10,7 +10,12 @@ - name: "Create site config for {{ nginx_site_name }}" ansible.builtin.template: - dest: /etc/nginx/conf.d/{{ nginx_site_name }}.conf + dest: >- + /etc/nginx/conf.d/{{ nginx_site_name }}{% + if nginx_site_port is defined + %}:{{nginx_site_port }}{% + endif + %}.conf src: site.conf.j2 mode: "0644" owner: root diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 index a806608..d55fe5c 100644 --- a/roles/nginx_site/templates/site.conf.j2 +++ b/roles/nginx_site/templates/site.conf.j2 @@ -14,8 +14,8 @@ upstream {{ nginx_site_name }} { } {% endif %} server { - listen 443 ssl; - listen [::]:443 ssl; + listen {{ nginx_site_port | default('443') }} ssl; + listen [::]:{{ nginx_site_port | default('443') }} ssl; http2 on; http3 off; 
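Review bot: `auto-trust-anchor-file: {{ unbound_zonedir }}/root.key` fails closed — if the file is missing, stale, or not writable by the unbound user (RFC 5011 updates rewrite it, and the OpenBSD unbound runs chrooted as its own user), every answer becomes SERVFAIL rather than merely unvalidated. Nothing in this hunk provisions the anchor, so confirm the role creates it (for example with `unbound-anchor -a {{ unbound_zonedir }}/root.key`) and grants write access to the file and its directory before this lands on the gateways. A one-line comment stating that validation is now enforced, and what creates the key, would help whoever debugs the first outage.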
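Review bot: The folded `dest: >-` scalar only works because YAML folds each line break into a space that happens to land inside a `{% %}` tag, and the inconsistent spacing in `{{nginx_site_port }}` suggests it was fiddly to get right; a single-line expression is easier to read and to lint, `dest: "/etc/nginx/conf.d/{{ nginx_site_name }}{{ (':' ~ nginx_site_port) if nginx_site_port is defined else '' }}.conf"`. Note that a site on a custom port also needs a matching `firewall_in` entry, which the role cannot add, so a comment in the role's README or defaults pointing that out would save a silent "connection refused".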
From 0df977f078d691fbbed0124cf955752005fa4fab Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 24 Jul 2025 18:31:52 +0000 Subject: [PATCH 704/713] nginx_site: Fix including config with custom port --- roles/nginx_site/templates/gw.home.foo.sh.conf.j2 | 3 --- roles/nginx_site/templates/site.conf.j2 | 6 +++++- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/roles/nginx_site/templates/gw.home.foo.sh.conf.j2 b/roles/nginx_site/templates/gw.home.foo.sh.conf.j2 index 72a9bc3..51b7052 100644 --- a/roles/nginx_site/templates/gw.home.foo.sh.conf.j2 +++ b/roles/nginx_site/templates/gw.home.foo.sh.conf.j2 @@ -1,6 +1,3 @@ - ssl_client_certificate {{ tls_certs }}/ca.crt; - ssl_verify_client on; - {% for host in ssh_proxy_hosts %} location /{{ host | hash('sha1') }}/ { proxy_pass http://127.0.0.1:6000?token={{ host | hash('sha1') }}; diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 index d55fe5c..386f023 100644 --- a/roles/nginx_site/templates/site.conf.j2 +++ b/roles/nginx_site/templates/site.conf.j2 @@ -29,7 +29,11 @@ server { ssl_certificate {{ tls_certs }}/{{ nginx_site_name }}-fullchain.crt; ssl_certificate_key {{ tls_private }}/{{ nginx_site_name }}.key; -{% include "./{}.conf.j2".format(nginx_site_name) ignore missing %} +{% if nginx_site_port is defined %} +{% include "./{}:{}.conf.j2".format(nginx_site_name, nginx_site_port) ignore missing %} +{% else %} +{% include "./{}.conf.j2".format(nginx_site_name) ignore missing %} +{% endif %} {% if nginx_site_redirect is defined %} return 301 {{ nginx_site_redirect }}; {% elif nginx_site_proxy is defined %} From 92ec72b29b4fac88eecb396c3890df34d9aceff6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 24 Jul 2025 18:32:20 +0000 Subject: [PATCH 705/713] nginx_site: Add support for verify client option --- roles/nginx_site/templates/site.conf.j2 | 5 +++++ 1 file changed, 5 insertions(+) 
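Review bot: Dropping `ssl_verify_client on` from gw.home.foo.sh.conf.j2 here, with the generic option only arriving in a later commit and `nginx_site_verify_client: true` only set in playbooks/dna-gw.yml after that, leaves a deployable intermediate state in which the `/{{ sha1(host) }}/` websockify routes are reachable with no client certificate; the sha1 of a hostname is a route key, not a secret. These three commits should be squashed, or the `ssl_verify_client` lines kept in this file until the role-level option is in place. A comment above the location block, `# access control is mTLS via nginx_site_verify_client; the path hash is not a secret`, would record where the authentication actually lives.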
diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 index 386f023..774a823 100644 --- a/roles/nginx_site/templates/site.conf.j2 +++ b/roles/nginx_site/templates/site.conf.j2 @@ -29,6 +29,11 @@ server { ssl_certificate {{ tls_certs }}/{{ nginx_site_name }}-fullchain.crt; ssl_certificate_key {{ tls_private }}/{{ nginx_site_name }}.key; +{% if nginx_site_verify_client is defined and nginx_site_verify_client %} + ssl_client_certificate {{ tls_certs }}/ca.crt; + ssl_verify_client on; + +{% endif %} {% if nginx_site_port is defined %} {% include "./{}:{}.conf.j2".format(nginx_site_name, nginx_site_port) ignore missing %} {% else %} From 7a249edecebcd81470f656171b0260bef5401ec5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 24 Jul 2025 18:33:04 +0000 Subject: [PATCH 706/713] ntpd: Add support for constaints --- roles/ntpd/templates/ntpd.conf.j2 | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/ntpd/templates/ntpd.conf.j2 b/roles/ntpd/templates/ntpd.conf.j2 index 8802991..a1191f3 100644 --- a/roles/ntpd/templates/ntpd.conf.j2 +++ b/roles/ntpd/templates/ntpd.conf.j2 @@ -4,6 +4,15 @@ listen on {{ listen }} {% endfor %} +{% endif %} +{% if ntpd_constraints is defined %} +# constraints +constraint from {% for constraint in ntpd_constraints -%} +{{ '"' + constraint + '"' -}} +{{ ', ' if not loop.last -}} +{% endfor %} + + {% endif %} # remote servers {% for server in ntpd_servers %} From 063e7ffdc807754957e854a0a4d75b73aa725eec Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 24 Jul 2025 18:33:31 +0000 Subject: [PATCH 707/713] Use google ntp servers for vmhosts --- group_vars/vmhost.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/group_vars/vmhost.yml b/group_vars/vmhost.yml index 0b7f509..d7b5c45 100644 --- a/group_vars/vmhost.yml +++ b/group_vars/vmhost.yml 
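Review bot: The loop joins all entries with `', '` into one `constraint from "a", "b"` line, and as far as I can tell from ntpd.conf(5) each constraint is its own directive, so a second entry would produce a config ntpd rejects; only the single-entry case added later in this series has been exercised. Emitting one line per entry avoids the problem, and for a hostname that resolves to many addresses (www.google.com does) the plural `constraints from` form is the documented one: `{% for constraint in ntpd_constraints %}` / `constraints from "{{ constraint }}"` / `{% endfor %}`. A comment stating that constraints bound the accepted offset using the HTTPS Date header, not a second time source, would make the intent clear.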
@@ -2,3 +2,8 @@ firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 9100, from: [172.20.20.0/22]} +chrony_servers: + - time1.google.com + - time2.google.com + - time3.google.com + - time4.google.com From 2571320316d0994cce4ea40be8edd4d253c7422b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 24 Jul 2025 18:33:50 +0000 Subject: [PATCH 708/713] Add constraints for NTP config in dna-gw hosts --- group_vars/dnagw.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml index f663b1a..5598e61 100644 --- a/group_vars/dnagw.yml +++ b/group_vars/dnagw.yml @@ -65,6 +65,8 @@ ntpd_servers: - time2.google.com - time3.google.com - time4.google.com +ntpd_constraints: + - "https://www.google.com" ntpd_listen: - "{{ network_interfaces[0].ipaddr }}" From 43cde5d884e2f18a1d1b518f3da388f348ecc53a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 24 Jul 2025 18:34:44 +0000 Subject: [PATCH 709/713] Require client cert for gw.home.foo.sh site --- playbooks/dna-gw.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 1df1771..4f753d4 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -18,6 +18,7 @@ - nginx - role: nginx_site nginx_site_name: gw.home.foo.sh + nginx_site_verify_client: true when: "'gw.home.foo.sh' in ssh_hostnames" - tftp - role: websockify From 782d504abaeea4ed2e04df3b3e986eae13e0ec80 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 24 Jul 2025 18:36:15 +0000 Subject: [PATCH 710/713] dhcpd: Check that LDAP filter is not empty --- roles/dhcpd/tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/dhcpd/tasks/main.yml b/roles/dhcpd/tasks/main.yml index 134b4ed..7909f30 100644 --- a/roles/dhcpd/tasks/main.yml +++ b/roles/dhcpd/tasks/main.yml 
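Review bot: The vmhosts are RedHat chrony hosts, and the chrony template sets `leapsectz right/UTC`, which tells chronyd when a leap second is due; time1-4.google.com instead smear the second over 24 hours, so chronyd may apply the leap itself on top of the smeared sources and then spend the next hours slewing a one-second error back out. Check the chrony documentation for this combination (`leapsecmode ignore` exists for smearing upstreams) before relying on it, and consider whether the vmhosts should rather use the same internal time servers as the home/iot/lan groups so the estate agrees on one leap-second policy. Google's servers also do not support NTS as far as I know, so this upstream cannot be authenticated; a comment recording both choices would help.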
@@ -23,7 +23,9 @@
 server_uri: "ldaps://{{ ldap_server[0] }}"
 delegate_to: localhost
 register: ldap_hosts
- when: dhcpd_ldap_filter is defined
+ when:
+ - dhcpd_ldap_filter is defined
+ - dhcpd_ldap_filter != ""
 - name: Create config
 ansible.builtin.template:
From b666991b51969d48cf8949758a1ef18e999263f0 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 30 Jul 2025 16:30:07 +0000
Subject: [PATCH 711/713] Remove unused nodered from homeassistant hosts
---
 playbooks/homeassistant.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/playbooks/homeassistant.yml b/playbooks/homeassistant.yml
index 1baf203..db6a3f2 100644
--- a/playbooks/homeassistant.yml
+++ b/playbooks/homeassistant.yml
@@ -27,4 +27,3 @@
 - base
 - ldap
 - homeassistant
- - nodered
From 1f9eeab7b6295b6becd2e0340a36357462b1ab2b Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 30 Jul 2025 16:30:28 +0000
Subject: [PATCH 712/713] Move from USB devices to networked (esp32 based)
---
 host_vars/homeassistant01.home.foo.sh.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/host_vars/homeassistant01.home.foo.sh.yml b/host_vars/homeassistant01.home.foo.sh.yml
index bd8cb38..f4ea39c 100644
--- a/host_vars/homeassistant01.home.foo.sh.yml
+++ b/host_vars/homeassistant01.home.foo.sh.yml
@@ -10,7 +10,3 @@ network_interfaces:
 ipaddr: 172.20.27.21
 netmask: 255.255.255.0
 proto: static
-virt_install_devices:
- - 0b05:190e
- - 10c4:ea60
- - /dev/ttyUSB0
From 23dd98a34b0c4b12fb9fea25c086297d5a2b7ce6 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 31 Jul 2025 06:25:31 +0000
Subject: [PATCH 713/713] homeassistant: Remove USB serial port redirection
---
 roles/homeassistant/templates/homeassistant-container.service.j2 | 1 -
 1 file changed, 1 deletion(-)
diff --git a/roles/homeassistant/templates/homeassistant-container.service.j2 b/roles/homeassistant/templates/homeassistant-container.service.j2
index a22c105..fc47331 100644
--- a/roles/homeassistant/templates/homeassistant-container.service.j2
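Review bot: The new `when` still lets a null value through: a bare `dhcpd_ldap_filter:` in vars is defined and is not equal to `""`, so the LDAP search would run with an empty filter, which is exactly what the commit is trying to prevent. A single condition covers undefined, null and empty: `when: dhcpd_ldap_filter | default('', true) | length > 0` (the second argument to `default` makes it apply to falsy values as well). The task this condition belongs to starts above the hunk, so I cannot see how `ldap_hosts` is consumed when the task is skipped.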
+++ b/roles/homeassistant/templates/homeassistant-container.service.j2
@@ -13,7 +13,6 @@ ExecStart=/usr/bin/podman run \
 --env TZ=Europe/Helsinki \
 --env UMASK=007 \
 --userns keep-id \
- --device /dev/ttyUSB0 \
 --volume /run/dbus:/run/dbus:ro \
 --volume /srv/homeassistant:/config:rw \
 --volume /usr/local/libexec/homeassistant-docker-venv/run:/etc/services.d/home-assistant/run:ro \
