Fix custom firewall rules for print hosts

Fix serial port number from homeassistant hosts
frigate: Get cameras from LDAP
2025-04-22 17:55:35 +00:00 · 2025-04-22 17:28:14 +00:00 · 2025-04-20 16:52:23 +00:00 · 2025-04-20 16:21:25 +00:00 · 2025-04-20 16:12:35 +00:00 · 2025-04-20 15:04:10 +00:00
444 changed files with 16479 additions and 2109 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
 .*.swp
 __pycache__
 files/ssh/backup.pub
--- a/container-ports.md
+++ b/container-ports.md
@ -0,0 +1,16 @@
 # Ports used by container web services
 | Port | Ansible role        | Service name               |
 |------|---------------------|----------------------------|
 | 8001 | kerberos_kdc        | Kerberos KDC               |
 | 8002 | grafana             | Grafana                    |
 | 8003 | authcheck           | Authentication check       |
 | 8004 | roundcube           | Roundcube webmail          |
 | 8005 | php4dvd             | php4dvd movie catalog      |
 | 8006 | scanservjs          | SANE Scanner webui         |
 | 8007 | frigate             | Network video recorder     |
 | 8008 | hoemeassistant      | Home Assistant             |
 | 8009 | rocketchat          | Rocket.Chat                |
 | 8010 | google-spell-pspell | Google Spell Check XML API |
 | 8011 | ipsilon             | Ipsilon Identity Provider  |
 | 8012 | nodered             | Node Red                   |
--- a/files/ssh/backup.pub
+++ b/files/ssh/backup.pub
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdaNO9dLpI8CVx1rwGsKN45Pgiz+Btrlf2Q/nXCx4Ru root@backup02.home.foo.sh
--- a/group_vars/adm.yml
+++ b/group_vars/adm.yml
@ -1,8 +1,12 @@
 ---
 datadisks:
-  - {size: 10}
+  - {size: 10, type: nvme}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 80, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
 sssd_allow_groups:
  - sysadm
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -31,8 +31,10 @@ boot_url: https://boot.foo.sh
 # ssh public keys for logsync user
 logsync_publickeys: "{{ lookup('file', '../files/ssh/logsync.pub') }}"
-# ssh public keys for backup user
+# default name servers
-backup_publickeys: "{{ lookup('file', '../files/ssh/backup.pub') }}"
+network_dns_servers:
  - 8.8.8.8
  - 8.8.4.4
 # hardcode this for now
 ansible_datacenter: home
--- a/group_vars/audiobooks.yml
+++ b/group_vars/audiobooks.yml
@ -1,8 +1,8 @@
 ---
 datadisks:
-  - {size: 10, type: hdd}
+  - {size: 50, type: hdd}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/backup.yml
+++ b/group_vars/backup.yml
@ -1,3 +1,4 @@
 ---
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/collab.yml
+++ b/group_vars/collab.yml
@ -5,4 +5,4 @@ datadisks:
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/dnagw.yml
+++ b/group_vars/dnagw.yml
@ -12,12 +12,32 @@ network_vip_interfaces:
    netmask: 255.255.252.0
    pass: "{{ vip10_pass }}"
    priority: 120
  - device: vio0
    vhid: 11
    ipaddr: 172.20.20.11
    netmask: 255.255.252.0
    pass: "{{ vip11_pass }}"
    priority: "{{ vip11_priority }}"
  - device: vio0
    vhid: 12
    ipaddr: 172.20.20.12
    netmask: 255.255.252.0
    pass: "{{ vip12_pass }}"
    priority: "{{ vip12_priority }}"
 network_ether_interfaces:
  - device: vio1
    proto: none
 unbound_zones:
  - 20.172.in-addr.arpa
  - home.foo.sh
 # use custom firewall config
 firewall_src: pf.conf.gw_home
 # ifstated config
 ifstated_config: ifstated-dna.conf.j2
 # ssh host alaises
 ssh_hostnames:
  - gw.home.foo.sh
--- a/group_vars/fedora.yml
+++ b/group_vars/fedora.yml
@ -1,7 +1,7 @@
 ---
 # default resources for new vm
 dsk_size: 20
-mem_size: 2048
+mem_size: 4096
 num_cpus: 2
 # extra args for virt-install
@ -18,7 +18,7 @@ ipcmd: >-
  {% endif %}
 virt_install_os_args: >-
  --location
-  https://nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/releases/38/Everything/x86_64/os/
+  https://nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/releases/41/Everything/x86_64/os/
  --extra-args
  "inst.ks={{ ks_file }}
  console=ttyS0
--- a/group_vars/forgejo.yml
+++ b/group_vars/forgejo.yml
@ -0,0 +1,8 @@
 ---
 datadisks:
  - {size: 10, type: nvme}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/frigate.yml
+++ b/group_vars/frigate.yml
@ -1,8 +1,9 @@
 ---
-mem_size: 4096
+mem_size: 8192
 num_cpus: 2
 datadisks:
-  - {size: 500}
+  - {size: 50, type: nvme}
  - {size: 500, type: hdd}
 network_vip_interfaces:
  - device: eth1
@ -11,13 +12,16 @@ network_vip_interfaces:
    netmask: 255.255.0.0
    pass: "{{ vip26_pass }}"
-zm_mysql_host: sqldb02.home.foo.sh
+unbound_zones:
  - 26.20.172.in-addr.arpa
  - cam.foo.sh
 dhcpd_template: dhcpd.conf.cam.j2
 dhcpd_ldap_filter: >-
  (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.cam.foo.sh))
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
 firewall_raw:
-  - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
+  - "ip daddr 224.0.0.0/8 accept"
  - "-A INPUT -i eth1 -p vrrp -j ACCEPT"
--- a/group_vars/fsolgw.yml
+++ b/group_vars/fsolgw.yml
@ -4,8 +4,9 @@ network_vip_interfaces:
    vhid: 145
    ipaddr: 37.16.96.145
    netmask: 255.255.255.240
    ip6addr: 2a00:4cc1:6:1006::1
    ip6netmask: 64
    pass: "{{ vip145_pass }}"
 network_dns_servers: [172.20.20.10, 172.20.21.1, 172.20.21.2]
 # use custom firewall and ifstated config
 firewall_src: pf.conf.gw_fsol
--- a/group_vars/gitearunner.yml
+++ b/group_vars/gitearunner.yml
@ -1,4 +0,0 @@
 ---
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
--- a/group_vars/home.yml
+++ b/group_vars/home.yml
@ -0,0 +1,5 @@
 ---
 network_dns_servers:
  - 172.20.20.10
  - 172.20.20.11
  - 172.20.20.12
--- a/group_vars/homeassistant.yml
+++ b/group_vars/homeassistant.yml
@ -1,7 +1,7 @@
 ---
 datadisks:
-  - {size: 10, type: hdd}
+  - {size: 10, type: nvme}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/influxdb.yml
+++ b/group_vars/influxdb.yml
@ -5,4 +5,4 @@ datadisks:
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/ldap.yml
+++ b/group_vars/ldap.yml
@ -3,6 +3,5 @@ saslauthd_mech: ldap
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
  - {proto: tcp, port: 636, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/log.yml
+++ b/group_vars/log.yml
@ -1,8 +1,9 @@
 ---
 mem_size: 512
 datadisks:
-  - {size: 50}
+  - {size: 50, type: nvme}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
  - {proto: tcp, port: 6514}
--- a/group_vars/mail.yml
+++ b/group_vars/mail.yml
@ -1,6 +1,7 @@
 ---
 datadisks:
-  - {size: 10}
+  - {size: 10, type: nvme}
 mem_size: 4192
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
@ -10,4 +11,7 @@ firewall_in:
  - {proto: tcp, port: 465}
  - {proto: tcp, port: 587}
  - {proto: tcp, port: 993}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
 sssd_allow_groups:
  - sysadm
--- a/group_vars/minecraft.yml
+++ b/group_vars/minecraft.yml
@ -1,9 +1,9 @@
 ---
 mem_size: 4096
 datadisks:
-  - {size: 100}
+  - {size: 100, type: nvme}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.30.0/24]}
+  - {proto: tcp, port: 9100, from: [172.20.30.0/24]}
  - {proto: tcp, port: 25565, from: [172.20.30.0/24]}
  - {proto: udp, port: 25565, from: [172.20.30.0/24]}
--- a/group_vars/mirror.yml
+++ b/group_vars/mirror.yml
@ -1,10 +1,9 @@
 ---
 datadisks:
-  - {size: 1000}
+  - {size: 1500, type: hdd}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
  - {proto: tcp, port: 873, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/mongodb.yml
+++ b/group_vars/mongodb.yml
@ -4,3 +4,4 @@ datadisks:
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 27017, from: [172.20.20.0/22]}
  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/mqtt.yml
+++ b/group_vars/mqtt.yml
@ -3,5 +3,5 @@ firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.27.0/24]}
  - {proto: tcp, port: 1883, from: [172.20.27.0/24]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
  - {proto: tcp, port: 8883, from: [172.20.20.0/22, 172.20.27.0/24]}
--- a/group_vars/nas.yml
+++ b/group_vars/nas.yml
@ -2,11 +2,14 @@
 mem_size: 8192
 num_cpus: 2
 datadisks:
-  - {size: 1000}
+  - {size: 500, type: nvme}
-  - {size: 400, type: nvme}
+  - {size: 50, type: nvme}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 2049, from: [172.20.20.0/22]}
  - {proto: tcp, port: 2049, from: [172.20.30.0/24]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
 sssd_allow_groups:
  - root
--- a/group_vars/nms.yml
+++ b/group_vars/nms.yml
@ -1,12 +1,24 @@
 ---
 datadisks:
-  - {size: 10}
+  - {size: 10, type: nvme}
 unbound_zones:
  - 25.20.172.in-addr.arpa
  - oob.foo.sh
 dhcpd_template: dhcpd.conf.oob.j2
 dhcpd_ldap_filter: >-
  (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.oob.foo.sh))
 network_vip_interfaces:
  - device: eth0
    vhid: 11
    ipaddr: 172.20.20.21
    netmask: 255.255.240.0
    pass: "{{ vip21_pass }}"
  - device: eth1
    vhid: 25
    ipaddr: 172.20.25.1
-    netmask: 255.255.0.0
+    netmask: 255.255.255.0
    pass: "{{ vip25_pass }}"
    priority: "{{ vip25_priority }}"
@ -19,7 +31,10 @@ firewall_in:
  - {proto: udp, port: 123, from: [172.20.25.0/24]}
  - {proto: tcp, port: 443, from: [172.20.25.0/24]}
  - {proto: udp, port: 514, from: [172.20.25.0/24]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
  - {proto: tcp, port: 9116, from: [172.20.20.0/22]}
 firewall_raw:
-  - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
+  - "ip daddr 224.0.0.0/8 accept"
-  - "-A INPUT -i eth1 -p vrrp -j ACCEPT"
+
 sssd_allow_groups:
  - sysadm
--- a/group_vars/ns.yml
+++ b/group_vars/ns.yml
@ -1,12 +1,13 @@
 ---
 firewall_in:
-  - {proto: tcp, port: 22, from: [172.20.20.0/22, 81.175.130.44/32]}
+  - {proto: tcp, port: 22, from: [172.20.20.0/22, 212.149.225.204/32]}
  - {proto: tcp, port: 53}
  - {proto: udp, port: 53}
  - {proto: tcp, port: 80}
  - {proto: tcp, port: 443}
  - {proto: tcp, port: 853}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22, 81.175.130.44/32]}
+  - {proto: tcp, port: 9100}
  - {proto: tcp, port: 9115}
 firewall_raw:
  - pass quick proto carp
--- a/group_vars/ocinode.yml
+++ b/group_vars/ocinode.yml
@ -1,7 +1,10 @@
 ---
 # increase memory size
-mem_size: 4192
+mem_size: 8192
 # increase disk size to store docker images
 dsk_size: 100
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/openbsd.yml
+++ b/group_vars/openbsd.yml
@ -17,5 +17,5 @@ num_cpus: 2
 # extra args for virt-install
 virt_install_os_args: --cdrom {{ boot_url }}/openbsd/openbsd.iso
-virt_install_os_variant: openbsd7.0
+virt_install_os_variant: openbsd7.4
-virt_install_python_cmd: pkg_add python3 -I -x
+virt_install_python_cmd: pkg_add -I -x python
--- a/group_vars/print.yml
+++ b/group_vars/print.yml
@ -7,14 +7,20 @@ network_vip_interfaces:
    pass: "{{ vip24_pass }}"
    priority: "{{ vip24_priority }}"
 dhcpd_template: dhcpd.conf.print.j2
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 53, from: [172.20.24.0/24]}
  - {proto: udp, port: 53, from: [172.20.24.0/24]}
  - {proto: tcp, port: 631, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
 firewall_raw:
-  - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
+  - "ip daddr 224.0.0.0/8 accept"
-  - "-A INPUT -i eth1 -p vrrp -j ACCEPT"
+
 dhcpd_template: dhcpd.conf.print.j2
 dhcpd_ldap_filter: >-
  (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.print.foo.sh))
 sssd_allow_groups:
  - sysadm
 unbound_zones:
  - 24.20.172.in-addr.arpa
  - print.foo.sh
--- a/group_vars/prometheus.yml
+++ b/group_vars/prometheus.yml
@ -0,0 +1,8 @@
 ---
 datadisks:
  - {size: 100, type: nvme}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/proxy.yml
+++ b/group_vars/proxy.yml
@ -4,12 +4,6 @@ mem_size: 1024
 # use bigger disk for os as we have web site data there
 dsk_size: 30
 network_dns_servers:
  - 172.20.20.10
  - 172.20.21.7
  - 172.20.21.8
 network_dns_search:
  - foo.sh
 network_default_gateway: 37.16.96.145
 network_vip_interfaces:
@ -48,6 +42,4 @@ firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 80}
  - {proto: tcp, port: 443}
-  - {proto: tcp, port: 636}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
  - {proto: tcp, port: 6514}
--- a/group_vars/relay.yml
+++ b/group_vars/relay.yml
@ -1,10 +1,4 @@
 ---
 network_dns_servers:
  - 172.20.20.10
  - 172.20.21.7
  - 172.20.21.8
 network_dns_search:
  - foo.sh
 network_default_gateway: 37.16.96.145
 network_vip_interfaces:
@ -41,3 +35,4 @@ firewall_in:
  - {proto: tcp, port: 443}
  - {proto: tcp, port: 636}
  - {proto: tcp, port: 6514}
  - {proto: tcp, port: 9100}
--- a/group_vars/sane.yml
+++ b/group_vars/sane.yml
@ -0,0 +1,5 @@
 ---
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/shell.yml
+++ b/group_vars/shell.yml
@ -1,6 +1,4 @@
 ---
 # beef up shell hosts
 dsk_size: 40
 mem_size: 8192
 num_cpus: 4
@ -9,4 +7,10 @@ firewall_in:
  - {proto: tcp, port: 22}
  - {proto: tcp, port: 80}
  - {proto: tcp, port: 443}
-  - {proto: tcp, port: 4949, from: [81.175.130.44/32]}
+  - {proto: tcp, port: 9100, from: [212.149.248.65/32]}
 ssh_hostnames:
  - shell.foo.sh
 sssd_allow_groups:
  - foosh
--- a/group_vars/sqldb.yml
+++ b/group_vars/sqldb.yml
@ -1,6 +1,8 @@
 ---
 mem_size: 4096
 datadisks:
  - {size: 20, type: nvme}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 3306, from: [172.20.20.0/22]}
  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/static.yml
+++ b/group_vars/static.yml
@ -2,4 +2,7 @@
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
 sssd_allow_groups:
  - root
--- a/group_vars/vmhost.yml
+++ b/group_vars/vmhost.yml
@ -1,4 +1,4 @@
 ---
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/host_vars/audiobooks02.home.foo.sh.yml
+++ b/host_vars/audiobooks02.home.foo.sh.yml
@ -0,0 +1,6 @@
 ---
 vmhost: vmhost02.home.foo.sh
 network_interfaces:
  - device: eth0
    vlan: 20
    mac: "52:54:00:ac:dc:48"
--- a/host_vars/backup02.home.foo.sh.yml
+++ b/host_vars/backup02.home.foo.sh.yml
@ -6,5 +6,5 @@ network_interfaces:
    mac: 52:54:00:ac:dc:50
 datadisks:
  - {size: 1000}
-passthrough_devices:
+virt_install_devices:
-  - "07:04.0"
+  - "02:04.0"
--- a/host_vars/dna-gw01.home.foo.sh.yml
+++ b/host_vars/dna-gw01.home.foo.sh.yml
@ -10,3 +10,5 @@ network_interfaces:
  - device: vio1
    vlan: 103
    proto: none
 vip11_priority: 240
 vip12_priority: 120
--- a/host_vars/dna-gw02.home.foo.sh.yml
+++ b/host_vars/dna-gw02.home.foo.sh.yml
@ -10,3 +10,5 @@ network_interfaces:
  - device: vio1
    vlan: 103
    proto: none
 vip11_priority: 120
 vip12_priority: 240
--- a/host_vars/gitea-runner02.home.foo.sh.yml
+++ b/host_vars/gitea-runner02.home.foo.sh.yml
@ -3,4 +3,4 @@ vmhost: vmhost02.home.foo.sh
 network_interfaces:
  - device: eth0
    vlan: 20
-    mac: 52:54:00:ac:dc:7c
+    mac: 52:54:00:ac:dc:80
--- a/host_vars/frigate02.home.foo.sh.yml
+++ b/host_vars/frigate02.home.foo.sh.yml
@ -3,7 +3,7 @@ vmhost: vmhost02.home.foo.sh
 network_interfaces:
  - device: eth0
    vlan: 20
-    mac: "52:54:00:ac:dc:4c"
+    mac: "52:54:00:ac:dc:8c"
    nameservers: []
  - device: eth1
    vlan: 26
@ -11,3 +11,5 @@ network_interfaces:
    netmask: 255.255.255.0
    proto: static
    nameservers: [172.20.26.1, 172.20.26.3]
 virt_install_devices:
  - 004.002
--- a/host_vars/fsol-gw01.home.foo.sh.yml
+++ b/host_vars/fsol-gw01.home.foo.sh.yml
@ -15,6 +15,7 @@ network_interfaces:
  - device: vio2
    vlan: 103
    proto: dhcp
    rdomain: 1
  - device: vio3
    vlan: 102
    proto: none
--- a/host_vars/fsol-gw02.home.foo.sh.yml
+++ b/host_vars/fsol-gw02.home.foo.sh.yml
@ -15,6 +15,7 @@ network_interfaces:
  - device: vio2
    vlan: 103
    proto: dhcp
    rdomain: 1
  - device: vio3
    vlan: 102
    proto: none
--- a/host_vars/homeassistant01.home.foo.sh.yml
+++ b/host_vars/homeassistant01.home.foo.sh.yml
@ -5,6 +5,10 @@ network_interfaces:
    vlan: 20
    mac: 52:54:00:ac:dc:73
  - device: eth1
    vlan: 27
  - device: eth2
    vlan: 30
 virt_install_devices:
-  - 003.002
+  - 0b05:190e
  - 10c4:ea60
  - /dev/ttyUSB0
--- a/host_vars/ldap01.home.foo.sh.yml
+++ b/host_vars/ldap01.home.foo.sh.yml
@ -5,6 +5,6 @@ network_interfaces:
    vlan: 20
    mac: 52:54:00:ac:dc:1f
 datadisks:
-  - {size: 10}
+  - {size: 10, type: nvme}
 ldap_master: true
--- a/host_vars/mirror02.home.foo.sh.yml
+++ b/host_vars/mirror02.home.foo.sh.yml
@ -3,4 +3,4 @@ vmhost: vmhost02.home.foo.sh
 network_interfaces:
  - device: eth0
    vlan: 20
-    mac: 52:54:00:ac:dc:78
+    mac: 52:54:00:ac:dc:14
--- a/host_vars/nms02.home.foo.sh.yml
+++ b/host_vars/nms02.home.foo.sh.yml
@ -17,4 +17,4 @@ network_interfaces:
    netmask: 255.255.255.248
    proto: static
-vip25_priority: 0
+vip25_priority: 1
--- a/host_vars/oci-node01.home.foo.sh.yml
+++ b/host_vars/oci-node01.home.foo.sh.yml
@ -1,5 +1,7 @@
 ---
 vmhost: vmhost01.home.foo.sh
 datadisks:
  - {size: 10, type: nvme}
 network_interfaces:
  - device: eth0
    vlan: 20
--- a/host_vars/prometheus01.home.foo.sh.yml
+++ b/host_vars/prometheus01.home.foo.sh.yml
@ -3,4 +3,4 @@ vmhost: vmhost01.home.foo.sh
 network_interfaces:
  - device: eth0
    vlan: 20
-    mac: 52:54:00:ac:dc:13
+    mac: "52:54:00:ac:dc:83"
--- a/host_vars/sane02.home.foo.sh.yml
+++ b/host_vars/sane02.home.foo.sh.yml
@ -0,0 +1,8 @@
 ---
 vmhost: vmhost02.home.foo.sh
 network_interfaces:
  - device: eth0
    vlan: 20
    mac: "52:54:00:ac:dc:88"
 virt_install_devices:
  - 001.003
--- a/hosts.yml
+++ b/hosts.yml
@ -3,6 +3,9 @@ adm:
  hosts:
    adm01.home.foo.sh:
    adm02.home.foo.sh:
 audiobooks:
  hosts:
    audiobooks02.home.foo.sh:
 backup:
  hosts:
    backup02.home.foo.sh:
@ -13,25 +16,33 @@ dnagw:
  hosts:
    dna-gw01.home.foo.sh:
    dna-gw02.home.foo.sh:
 forgejo:
  hosts:
    forgejo02.home.foo.sh:
  vars:
    forgejo_version: "10.0.1"
 frigate:
  hosts:
    frigate02.home.foo.sh:
  vars:
    frigate_version: "0.15.0"
 fsolgw:
  hosts:
    fsol-gw01.home.foo.sh:
    fsol-gw02.home.foo.sh:
 gitea:
  hosts:
    gitea02.home.foo.sh:
  vars:
    gitea_version: "1.19.4"
 gitearunner:
  hosts:
    gitea-runner02.home.foo.sh:
  vars:
    gitea_runner_version: "0.2.3"
 homeassistant:
  hosts:
    homeassistant01.home.foo.sh:
  vars:
-    homeassistant_version: "2023.7"
+    homeassistant_version: "2025.3"
    homeassistant_integrations:
      - name: electrolux_status
        repo: https://github.com/albaintor/homeassistant_electrolux_status.git
        version: v2.0.9
      - name: espsomfy_rts
        repo: https://github.com/rstrouse/ESPSomfy-RTS-HA.git
        version: v2.4.7
    nodered_version: 4.0.9
 influxdb:
  hosts:
    influxdb01.home.foo.sh:
@ -45,12 +56,14 @@ log:
 mail:
  hosts:
    mail02.home.foo.sh:
  vars:
    opendkim_selector: 20250101
 minecraft:
  hosts:
    minecraft01.home.foo.sh:
 mirror:
  hosts:
-    mirror01.home.foo.sh:
+    mirror02.home.foo.sh:
 mongodb:
  hosts:
    mongodb01.home.foo.sh:
@ -64,6 +77,8 @@ nms:
  hosts:
    nms01.home.foo.sh:
    nms02.home.foo.sh:
  vars:
    snmp_exporter_version: "0.28.0"
 ns:
  hosts:
    ns01.home.foo.sh:
@ -74,20 +89,34 @@ ocinode:
    oci-node01.home.foo.sh:
    oci-node02.home.foo.sh:
  vars:
-    grafana_version: "10.0.2"
+    grafana_version: "11.4.2"
-    rocketchat_version: "6.2.10"
+    rocketchat_version: "7.4.0"
-    roundcube_version: "1.6.1"
+    roundcube_version: "1.6.10"
 print:
  hosts:
    print01.home.foo.sh:
 prometheus:
  hosts:
    prometheus01.home.foo.sh:
  vars:
    mysqld_exporter_version: "0.17.2"
    nginx_exporter_version: "1.4.1"
 proxy:
  hosts:
    proxy01.home.foo.sh:
    proxy02.home.foo.sh:
 redis:
  hosts:
    redis01.home.foo.sh:
 relay:
  hosts:
    relay01.home.foo.sh:
    relay02.home.foo.sh:
 sane:
  hosts:
    sane02.home.foo.sh:
  vars:
    scanservjs_version: "v3.0.3"
 shell:
  hosts:
    shell01.foo.sh:
@ -103,23 +132,15 @@ vmhost:
  hosts:
    vmhost01.home.foo.sh:
    vmhost02.home.foo.sh:
 zm:
  hosts:
    zm02.home.foo.sh:
 sftpbackup:
  children:
    collab:
    ldap:
    mongodb:
    sqldb:
 vultr:
  hosts:
    atl01.vultr.foo.sh:
 fedora:
  children:
    gitearunner:
 openbsd:
  children:
    backup:
@ -129,27 +150,31 @@ openbsd:
    mqtt:
    ns:
    proxy:
    redis:
    relay:
 rocky8:
  children:
    collab:
 rocky9:
  children:
    adm:
    audiobooks:
    forgejo:
    frigate:
    homeassistant:
    influxdb:
    ldap:
    mail:
    minecraft:
    mirror:
    mongodb:
    nas:
    nms:
    ocinode:
    print:
    prometheus:
    sane:
    shell:
    zm:
 rocky9:
  children:
    adm:
    gitea:
    influxdb:
    ldap:
    mirror:
    mongodb:
    sqldb:
    static:
    vmhost:
--- a/playbooks/adm.yml
+++ b/playbooks/adm.yml
@ -18,7 +18,7 @@
        name: /export
        src: LABEL=/export
        fstype: xfs
-        opts: noatime,noexec,nosuid,nodev
+        opts: noatime,nosuid,nodev
        passno: "0"
        dump: "0"
        state: mounted
@ -27,10 +27,15 @@
    - base
    - ansible_host
    - certbot
    - cups
    - sshca
    - ssh_known_hosts
    - role: keytab
-      principals:
+      keytab_principals:
        - "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
    - nfs_client
    - role: autofs
      autofs_home: false
    - sssd
    - mkhomedir
    - rpm_build
@ -42,15 +47,21 @@
        name: "{{ item }}"
        state: installed
      with_items:
        - emacs-nox           # more editors
        - httpd-tools         # htpasswd
        - knot-utils          # kdig (dns over tls)
        - libvirt-client      # kvm host client
        - make                # generic building
        - mariadb             # mariadb client tools
        - mosquitto           # mqtt reading
        - nano                # more editors
        - nmap                # check for open ports
        - nsd                 # check dns zone files
        - podman              # building containers
        - pylint              # python linting
        - python3-flake8      # python linting
        - speedtest-cli       # testing network speed
        - ShellCheck          # shell script linting
        - virt-install        # install kvm guests
        - wget                # still in backbone for downloads
        - whois               # read whois data
@ -63,6 +74,67 @@
          Host shell??.foo.sh
            CheckHostIP no
        dest: /root/.ssh/config
-        mode: 0600
+        mode: "0600"
        owner: root
        group: "{{ ansible_wheel }}"
    - name: Clone dns repo
      ansible.builtin.git:
        dest: /export/dns
        repo: https://adm01.home.foo.sh/dns.git
        update: true
        version: master
      environment:
        GIT_SSL_CAINFO: "{{ tls_certs }}/ca.crt"
        GIT_SSL_CERT: "{{ tls_certs }}/{{ inventory_hostname }}.crt"
        GIT_SSL_KEY: "{{ tls_private }}/{{ inventory_hostname }}.key"
      when: 'inventory_hostname != "adm01.home.foo.sh"'
    - name: Link dns repo
      ansible.builtin.file:
        dest: /srv/dns
        src: /export/dns
        state: link
        owner: root
        group: "{{ ansible_wheel }}"
        follow: false
    - name: Add cron job to sync dns repo
      ansible.builtin.cron:
        name: sync dns repository
        job: >-
          GIT_SSL_CAINFO="{{ tls_certs }}/ca.crt"
          GIT_SSL_CERT="{{ tls_certs }}/{{ inventory_hostname }}.crt"
          GIT_SSL_KEY="{{ tls_private }}/{{ inventory_hostname }}.key"
          git -C /srv/dns pull -q
        minute: "02"
      when: 'inventory_hostname != "adm01.home.foo.sh"'
    - name: Links dns repo to web
      ansible.builtin.file:
        dest: "/srv/web/{{ inventory_hostname }}/dns.git"
        src: /srv/dns/.git
        state: link
        owner: root
        group: "{{ ansible_wheel }}"
    - name: Add mqtt-tail script
      ansible.builtin.copy:
        dest: /usr/local/bin/mqtt-tail
        content: |
          #!/bin/sh
          set -eu
          if [ -n "${1:-}" ]; then
              topic="$1"
              shift
          else
              topic="#"
          fi
          if [ $# -ne 0 ]; then
              echo "Usage: $(basename "$0") [topic]" 1>&2
              exit 1
          fi
          exec mosquitto_sub -h mqtt02.home.foo.sh -v -t "$topic" \
              --cafile "{{ tls_certs }}/ca.crt" \
              --cert "{{ tls_certs }}/{{ inventory_hostname }}.crt" \
              --key "{{ tls_private }}/{{ inventory_hostname }}.key" \
        mode: "0755"
        owner: root
        group: "{{ ansible_wheel }}"
--- a/playbooks/audiobooks.yml
+++ b/playbooks/audiobooks.yml
@ -0,0 +1,25 @@
 ---
 - name: Deploy KVM virtual machines
  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
  vars:
    myhosts: audiobooks
 - name: Configure instance
  hosts: audiobooks
  user: root
  gather_facts: true
  pre_tasks:
    - name: Mount /export
      ansible.posix.mount:
        name: /export
        src: LABEL=/export
        fstype: xfs
        opts: noatime,nosuid,nodev
        passno: "0"
        dump: "0"
        state: mounted
  roles:
    - base
    - audiobookshelf
--- a/playbooks/backup.yml
+++ b/playbooks/backup.yml
@ -15,7 +15,7 @@
        name: /export
        src: /dev/sd1a
        fstype: ffs
-        opts: rw,softdep,noatime
+        opts: rw,softdep,noatime,noexec,nosuid,nodev
        passno: "1"
        dump: "2"
        state: mounted
@ -25,5 +25,10 @@
  roles:
    - base
-    - backup_server
+    - backup_base
-    - sftpbackup
+    - backup_bitbucket
    - backup_github
    - role: rclone
      rclone_hostgroup: sftpbackup
      rclone_service: backup
    - rsync_backup
--- a/playbooks/collab.yml
+++ b/playbooks/collab.yml
@ -28,9 +28,9 @@
    - collab
    - mod_auth_gssapi
    - role: keytab
-      keytab: /etc/httpd/httpd.keytab
+      keytab_path: /etc/httpd/httpd.keytab
-      principals: HTTP/collab.foo.sh@FOO.SH
+      keytab_principals: HTTP/collab.foo.sh@FOO.SH
-      group: apache
+      keytab_group: apache
    - ldap
  tasks:
@ -38,7 +38,7 @@
      ansible.builtin.copy:
        content: "RedirectMatch permanent \"^/$\" /collab/\n"
        dest: "/etc/httpd/conf.local.d/redirects.conf"
-        mode: 0644
+        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
      notify: Restart apache
@ -61,7 +61,7 @@
        dest: /srv/wikis/collab/htdocs/.htaccess
        owner: collab
        group: collab
-        mode: 0660
+        mode: "0660"
        seuser: _default
        setype: _default
--- a/playbooks/dna-gw.yml
+++ b/playbooks/dna-gw.yml
@ -14,29 +14,14 @@
  roles:
    - base
    - ifstated
    - dhcpd
-    - nginx/server
+    - nginx
-    - role: nginx/site
+    - role: nginx_site
-      site: gw.home.foo.sh
+      nginx_site_name: gw.home.foo.sh
    - tftp
    - websockify
  tasks:
    - name: Use configured dns servers and domain name
      ansible.builtin.copy:
        dest: /etc/dhclient.conf
        content: "ignore domain-name-servers, domain-name;\n"
        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
    - name: Disable resolvd
      ansible.builtin.service:
        name: resolvd
        state: stopped
        enabled: false
    - name: Enable ip forwarding
      ansible.posix.sysctl:
        name: "{{ item }}"
@ -49,11 +34,49 @@
    - name: Run handlers to get interfaces configured
      ansible.builtin.meta: flush_handlers
    - name: Import ifstated role
      ansible.builtin.import_role:
        name: ifstated
    - name: Copy DNS private key
      ansible.builtin.copy:
        dest: "{{ tls_private }}/dns.home.foo.sh.key"
        src: "{{ item }}"
        mode: "0600"
        owner: root
        group: "{{ ansible_wheel }}"
      with_first_found:
        - /srv/letsencrypt/live/dns.home.foo.sh/privkey.pem
        - "/srv/ca/private/{{ inventory_hostname }}.key"
      tags: certificates
      notify: Restart unbound
    - name: Copy DNS certificate and ca cert
      ansible.builtin.copy:
        dest: "{{ tls_certs }}/dns.home.foo.sh.crt"
        src: "{{ item }}"
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
      with_first_found:
        - /srv/letsencrypt/live/dns.home.foo.sh/fullchain.pem
        - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
      tags: certificates
      notify: Restart unbound
    - name: Import unbound role
      ansible.builtin.import_role:
        name: unbound
    - name: Import unbound_exporter role
      ansible.builtin.import_role:
        name: unbound_exporter
    - name: Create tftp boot directories
      ansible.builtin.file:
        path: /srv/tftpboot/etc
        state: directory
-        mode: 0755
+        mode: "0755"
        owner: root
        group: "{{ ansible_wheel }}"
@ -64,25 +87,25 @@
          stty com0 115200
          set tty com0
          boot tftp:bsd.rd
-        mode: 0644
+        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
    - name: Create tftp pxeboot loader for OpenBSD installs
      ansible.builtin.get_url:
-        url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.3/amd64/pxeboot"
+        url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.6/amd64/pxeboot"
-        checksum: sha1:161b36d4ae3d786aa98c4836abba25f2bca8979d
+        checksum: sha1:c696836c1e6cc67c6c31f6ceb5daaaa4ec0632b7
        dest: /srv/tftpboot/pxeboot
-        mode: 0644
+        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
    - name: Create tftp ramdisk for OpenBSD installs
      ansible.builtin.get_url:
-        url: "https://ftp.eu.openbsd.org/pub/OpenBSD//7.3/amd64/bsd.rd"
+        url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.6/amd64/bsd.rd"
-        checksum: sha1:72b46ad8e97b2082d145a739264e818dcd154021
+        checksum: sha1:f690655c768ec9ef208188921ac53634a9233aca
        dest: /srv/tftpboot/bsd.rd
-        mode: 0644
+        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
@ -91,7 +114,7 @@
        url: "https://boot.foo.sh/openbsd/install.conf"
        checksum: sha1:f6270708dad3f759df02eefeab300d9b8670f3d4
        dest: /srv/tftpboot/install.conf
-        mode: 0644
+        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
@ -113,50 +136,7 @@
              }
            }
          }
-        mode: 0644
+        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
      notify: Restart nginx
    - name: Copy DNS private key
      ansible.builtin.copy:
        dest: "{{ tls_private }}/dns.home.foo.sh.key"
        src: "{{ item }}"
        mode: 0600
        owner: root
        group: "{{ ansible_wheel }}"
      with_first_found:
        - /srv/letsencrypt/live/dns.home.foo.sh/privkey.pem
        - "/srv/ca/private/{{ inventory_hostname }}.key"
      tags: certificates
      notify: Restart unbound
    - name: Copy DNS certificate and ca cert
      ansible.builtin.copy:
        dest: "{{ tls_certs }}/dns.home.foo.sh.crt"
        src: "{{ item }}"
        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
      with_first_found:
        - /srv/letsencrypt/live/dns.home.foo.sh/fullchain.pem
        - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
      tags: certificates
      notify: Restart unbound
    - name: Copy DNS zone files
      ansible.builtin.copy:
        dest: "/var/unbound/db/{{ item }}"
        src: "/srv/dns/{{ item }}"
        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
      tags: dns
      notify: Restart unbound
      with_items:
        - 20.172.in-addr.arpa
        - home.foo.sh
    - name: Import unbound role
      ansible.builtin.import_role:
        name: unbound
--- a/playbooks/forgejo.yml
+++ b/playbooks/forgejo.yml
@ -2,10 +2,10 @@
 - name: Deploy KVM virtual machines
  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
  vars:
-    myhosts: gitea
+    myhosts: forgejo
 - name: Configure instance
-  hosts: gitea
+  hosts: forgejo
  user: root
  gather_facts: true
@ -25,4 +25,4 @@
  roles:
    - base
-    - gitea
+    - forgejo
--- a/playbooks/frigate.yml
+++ b/playbooks/frigate.yml
@ -2,10 +2,10 @@
 - name: Deploy KVM virtual machines
  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
  vars:
-    myhosts: zm
+    myhosts: frigate
 - name: Configure instance
-  hosts: zm
+  hosts: frigate
  user: root
  gather_facts: true
@ -13,74 +13,54 @@
    - "{{ ansible_private }}/vars.yml"
  pre_tasks:
-    - name: Mount /export
+    - name: Mount datadirectories
      ansible.posix.mount:
-        name: /export
+        name: "/export/frigate/{{ item }}"
-        src: LABEL=/export
+        src: "LABEL={{ item }}"
        fstype: xfs
        opts: noatime,noexec,nosuid,nodev
        passno: "0"
        dump: "0"
        state: mounted
      with_items:
        - config
        - media
  roles:
    - base
    - mod_auth_gssapi
    - role: keytab
-      keytab: /etc/httpd/httpd.keytab
+      keytab_path: /etc/httpd/httpd.keytab
-      principals: HTTP/zm.foo.sh@FOO.SH
+      keytab_principals: HTTP/cctv.foo.sh@FOO.SH
-      group: apache
+      keytab_group: apache
  tasks:
    - name: Run handlers to get interfaces configured
      ansible.builtin.meta: flush_handlers
    # TODO: this should really be fixed
    - name: Put selinux in permissive state
      ansible.posix.selinux:
        policy: targeted
        state: permissive
    - name: Copy DNS zone files
      ansible.builtin.copy:
        dest: "/var/lib/unbound/{{ item }}"
        src: "/srv/dns/{{ item }}"
        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
      tags: dns
      notify: Restart unbound
      with_items:
        - 26.20.172.in-addr.arpa
        - cam.foo.sh
    - name: Include unbound role
      ansible.builtin.import_role:
        name: unbound
-    - name: Include dhcpd and zoneminder roles
+    - name: Run handlers to get interfaces configured
      ansible.builtin.meta: flush_handlers
    - name: Include dhcpd role
      ansible.builtin.include_role:
-        name: "{{ item }}"
+        name: dhcpd
      with_items:
        - dhcpd
        - zoneminder
-    - name: Install extra packages for debugging
+    - name: Include frigate role
-      ansible.builtin.package:
+      ansible.builtin.include_role:
-        name: rtmpdump
+        name: frigate
        state: installed
-    - name: Require authentication for zoneminder
+    - name: Require authentication for frigate
      ansible.builtin.copy:
-        dest: /etc/httpd/conf.local.d/zoneminder-auth.conf
+        dest: /etc/httpd/conf.local.d/frigate-auth.conf
        content: |
-          <Location /zm>
+          <Location /frigate>
            AuthType        GSSAPI
-            GssapiBasicAuth Off
+            GssapiBasicAuth On
            AuthName        "Password Required"
            Require         valid-user
          </Location>
-        mode: 0644
+        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
      notify: Restart apache
--- a/playbooks/fsol-gw.yml
+++ b/playbooks/fsol-gw.yml
@ -12,13 +12,6 @@
  vars_files:
    - "{{ ansible_private }}/vars.yml"
  pre_tasks:
    - name: Disable resolvd service
      ansible.builtin.service:
        name: resolvd
        state: stopped
        enabled: false
  tasks:
    - name: Enable IP forwarding
      ansible.posix.sysctl:
@ -30,16 +23,19 @@
        - net.inet6.ip6.forwarding
    - name: Manually set DNS servers
      ansible.builtin.copy:
-        dest: /etc/dhclient.conf
+        dest: /etc/dhcpleased.conf
-        content: "ignore domain-name-servers, domain-name;\n"
+        content: |
-        mode: 0644
+          interface vio2 {
            ignore dns
          }
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
    - name: Create pfsync interface
      ansible.builtin.copy:
        dest: /etc/hostname.pfsync0
        content: "up syncdev vio1\n"
-        mode: 0600
+        mode: "0600"
        owner: root
        group: "{{ ansible_wheel }}"
--- a/playbooks/gitea-runner.yml
+++ b/playbooks/gitea-runner.yml
@ -1,14 +0,0 @@
 ---
 - name: Deploy KVM virtual machines
  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
  vars:
    myhosts: gitearunner
 - name: Configure instance
  hosts: gitearunner
  user: root
  gather_facts: true
  roles:
    - base
    - gitea_runner
--- a/playbooks/homeassistant.yml
+++ b/playbooks/homeassistant.yml
@ -9,6 +9,9 @@
  user: root
  gather_facts: true
  vars_files:
    - "{{ ansible_private }}/vars.yml"
  pre_tasks:
    - name: Mount /export
      ansible.posix.mount:
@ -24,3 +27,4 @@
    - base
    - ldap
    - homeassistant
    - nodered
--- a/playbooks/include/deploy-kvm-guest.yml
+++ b/playbooks/include/deploy-kvm-guest.yml
@ -9,7 +9,7 @@
    char: "{{ 'bcdefghijklmnopqrstuvwxyz'|list }}"
    console_log: "/var/log/libvirt/qemu/{{ inventory_hostname }}.console.log"
-    os_disk_image: "/srv/libvirt/ssd/{{ inventory_hostname }}.a.img"
+    os_disk_image: "/srv/libvirt/os/{{ inventory_hostname }}.a.img"
    dsk_opts: bus=virtio,cache=none,device=disk,format=raw,sparse=no
    inject: >-
@ -75,7 +75,7 @@
          echo '{{ root_pubkey }}' > /root/.ssh/authorized_keys
          %end
        dest: "{{ tmpdir.path }}/include.ks"
-        mode: 0600
+        mode: "0600"
        owner: root
        group: "{{ ansible_wheel }}"
      delegate_to: "{{ vmhost }}"
@ -99,7 +99,11 @@
          {% endif -%}
          {% if virt_install_devices is defined -%}
          {%   for dev in virt_install_devices -%}
          {%     if dev | regex_search('^/dev/tty') -%}
          --serial dev,path={{ dev }}
          {%     else -%}
          --hostdev {{ dev }} \
          {%     endif -%}
          {%   endfor -%}
          {% else -%}
          --controller usb,model=none \
--- a/playbooks/ldap.yml
+++ b/playbooks/ldap.yml
@ -19,7 +19,7 @@
        passno: "0"
        dump: "0"
        state: mounted
-      when: ldap_master is defined
+      when: ldap_master
  vars_files:
    - "{{ ansible_private }}/vars.yml"
@ -28,8 +28,8 @@
    - base
    - ldap_server
    - role: kadmin
-      when: ldap_master is defined
+      when: ldap_master
    - role: ldap_netdb
-      when: ldap_master is defined
+      when: ldap_master
    - role: ldap_gravatar
-      when: ldap_master is defined
+      when: ldap_master
--- a/playbooks/log.yml
+++ b/playbooks/log.yml
@ -15,7 +15,7 @@
        name: /export
        src: /dev/sd1a
        fstype: ffs
-        opts: rw,softdep,noatime
+        opts: rw,softdep,noatime,noexec,nosuid,nodev
        passno: "1"
        dump: "2"
        state: mounted
--- a/playbooks/mail.yml
+++ b/playbooks/mail.yml
@ -26,18 +26,19 @@
  roles:
    - base
    - role: keytab
-      principals:
+      keytab_principals:
        - "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
        - "smtp/{{ mail_server }}@{{ kerberos_realm }}"
    - nfs_client
    - sssd
    - autofs
    - dovecot
-    - role: nginx/server
+    - role: nginx
-    - role: nginx/site
+    - role: nginx_site
-      site: "{{ mail_server }}"
+      nginx_site_name: "{{ mail_server }}"
-      redirect: https://webmail.foo.sh/
+      nginx_site_redirect: https://webmail.foo.sh/
    - grossd
    - opendkim
    - spamassassin
    - spamassassin_clamav
    - spamassassin_ixhash
--- a/playbooks/manual/check-updates.yml
+++ b/playbooks/manual/check-updates.yml
@ -0,0 +1,23 @@
 ---
 - hosts: all
  gather_facts: true
  tasks:
    - name: Check updates (Linux)
      ansible.builtin.command:
        argv:
          - dnf
          - -q
          - check-update
      register: result
      changed_when: result.rc == 100
      failed_when: result.rc not in [0, 100]
      when: ansible_os_family == "RedHat"
    - name: Check updates (OpenBSD)
      ansible.builtin.command:
        argv:
          - syspatch
          - -c
      register: result
      changed_when: result.stdout != ""
      when: ansible_os_family == "OpenBSD"
--- a/playbooks/minecraft.yml
+++ b/playbooks/minecraft.yml
@ -15,7 +15,7 @@
        name: /export
        src: LABEL=/export
        fstype: xfs
-        opts: noatime
+        opts: noatime,noexec,nosuid,nodev
        passno: "0"
        dump: "0"
        state: mounted
--- a/playbooks/mirror.yml
+++ b/playbooks/mirror.yml
@ -26,26 +26,30 @@
  roles:
    - base
    - mirror/base
-    - mirror/thinlinc
+    - thinlinc_mirror
-    - role: mirror/reportmirror
+    - role: reportmirror
-      hostname: mirrors.foo.sh
+      reportmirror_hostname: mirrors.foo.sh
-      mirrors: [epel, fedora]
+      reportmirror_mirrors: [epel, fedora]
-      sitename: foo.sh
+      reportmirror_sitename: foo.sh
-      password: "{{ report_mirror_pass }}"
+      reportmirror_password: "{{ report_mirror_pass }}"
    - role: mirror/sync
-      label: fedora-epel
+      mirror_label: fedora-epel
-      source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\
+      mirror_source:
-       fedora.redhat.com/pub/epel"
+        "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/fedora.redhat.com/pub/epel"
-      rsyncoptions:
+      mirror_rsyncoptions:
        - "--exclude=SRPMS"
        - "--exclude=debug"
        - "--exclude=testing"
        - "--exclude=aarch64"
        - "--exclude=ppc64le"
        - "--exclude=s390x"
        - "--exclude=source"
        - "--delete-excluded"
-      postcmd: python3 /usr/local/bin/report_mirror
+      mirror_postcmd: python3 /usr/local/bin/report_mirror
    - role: mirror/sync
-      label: fedora
+      mirror_label: fedora
-      source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\
+      mirror_source:
-       fedora.redhat.com/pub/fedora/linux/"
+        "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/fedora.redhat.com/pub/fedora/linux/"
-      rsyncoptions:
+      mirror_rsyncoptions:
        - "--exclude=/atomic"
        - "--exclude=/development"
        - "--exclude=/releases/test"
@ -58,12 +62,11 @@
        - "--exclude=armhfp"
        - "--exclude=debug"
        - "--delete-excluded"
-      postcmd: python3 /usr/local/bin/report_mirror
+      mirror_postcmd: python3 /usr/local/bin/report_mirror
    - role: mirror/sync
-      label: openbsd
+      mirror_label: openbsd
-      source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\
+      mirror_source: "rsync://ftp.nluug.nl/openbsd/"
-        ftp.openbsd.org/pub/OpenBSD/"
+      mirror_rsyncoptions:
      rsyncoptions:
        - "--include=/?.?/"
        - "--include=/?.?/amd64/"
        - "--include=/?.?/amd64/*"
--- a/playbooks/mqtt.yml
+++ b/playbooks/mqtt.yml
@ -9,10 +9,15 @@
  user: root
  gather_facts: true
  vars_files:
    - "{{ ansible_private }}/vars.yml"
  roles:
    - base
    - mosquitto
    - ha_mqtt_configd
    - telegraf
-    - nginx/server
+    - nginx
-    - role: nginx/site
+    - role: nginx_site
-      site: iot.foo.sh
+      nginx_site_name: iot.foo.sh
    - shelly_firmware
--- a/playbooks/nas.yml
+++ b/playbooks/nas.yml
@ -18,7 +18,7 @@
        name: /export/home
        src: LABEL=home
        fstype: xfs
-        opts: noatime
+        opts: noatime,nodev
        passno: "0"
        dump: "0"
        state: mounted
@ -27,7 +27,7 @@
        name: /export/roles
        src: LABEL=roles
        fstype: xfs
-        opts: noatime
+        opts: noatime,nodev
        passno: "0"
        dump: "0"
        state: mounted
@ -38,20 +38,4 @@
    - sssd
    - nfs_server
    - role: keytab
-      principals: "nfs/{{ inventory_hostname }}@FOO.SH"
+      keytab_principals: "nfs/{{ inventory_hostname }}@FOO.SH"
  tasks:
    - name: Copy exports file
      ansible.builtin.copy:
        dest: /etc/exports
        content: |
          /export/home   172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \
                         @nfsclients-rw(rw,root_squash,secure) \
                         @nfsclients-ro(ro,root_squash,secure)
          /export/roles  172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \
                         @nfsclients-rw(rw,root_squash,secure) \
                         @nfsclients-ro(ro,root_squash,secure)
        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
      notify: Restart nfs-server
--- a/playbooks/nms.yml
+++ b/playbooks/nms.yml
@ -25,12 +25,22 @@
  roles:
    - base
-    - nginx/server
+    - cups
-    - role: nginx/site
+    - nginx
-      site: oob.foo.sh
+    - role: nginx_site
      nginx_site_name: oob.foo.sh
      nginx_site_plaintext: false
    - role: keytab
      keytab_principals:
        - "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
    - nfs_client
    - role: autofs
      autofs_home: false
    - sssd
    - mkhomedir
-    - tftp
+    - aten_pdu
    - routeros
    - snmp_exporter
  tasks:
    - name: Enable UDP rsyslog server
@ -45,23 +55,14 @@
      vars:
        relay_domains: [foo.sh]
    - name: Copy DNS zone files
      ansible.builtin.copy:
        dest: "/var/lib/unbound/{{ item }}"
        src: "/srv/dns/{{ item }}"
        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
      tags: dns
      notify: Restart unbound
      with_items:
        - 25.20.172.in-addr.arpa
        - oob.foo.sh
    - name: Import unbound role
      ansible.builtin.import_role:
        name: unbound
    - name: Import dhcpd role
      ansible.builtin.import_role:
        name: dhcpd
    # convert this to role for restart support
    - name: Enable NTP server for oob network
      ansible.builtin.lineinfile:
@ -74,10 +75,18 @@
        name: "{{ item }}"
        state: installed
      with_items:
        - net-snmp-utils
        - nmap
        - rcs
        - scanssh
        - sslscan
        - unzip
        - wget
    - name: Create sw-backup script
      ansible.builtin.copy:
        dest: /usr/local/bin/sw-backup
        content: |
          #!/bin/sh
          set -eu
          ssh "admin@${1}" /export > "/srv/backup/${1}.rsc"
        mode: "0755"
        owner: root
        group: "{{ ansible_wheel }}"
--- a/playbooks/ns.yml
+++ b/playbooks/ns.yml
@ -2,7 +2,7 @@
 - name: Deploy KVM virtual machines
  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
  vars:
-    myhosts: ns:!vultr
+    myhosts: ns:!atl01.vultr.foo.sh
 - name: Configure instance
  hosts: ns
@ -15,9 +15,11 @@
  roles:
    - base
    - nsd
-    - role: nginx/server
+    - role: nginx
-    - role: nginx/site
+    - role: nginx_site
-      site: "{{ nsd_server }}"
+      nginx_site_name: "{{ nsd_server }}"
-      redirect: https://www.foo.sh/
+      nginx_site_redirect: https://www.foo.sh/
    - role: ifstated
      when: "'vultr' not in group_names"
    - role: blackbox_exporter
      when: "inventory_hostname == 'atl01.vultr.foo.sh'"
--- a/playbooks/oci-node.yml
+++ b/playbooks/oci-node.yml
@ -12,9 +12,25 @@
  vars_files:
    - "{{ ansible_private }}/vars.yml"
  pre_tasks:
    - name: Mount /export
      ansible.posix.mount:
        name: /export
        src: LABEL=/export
        fstype: xfs
        opts: noatime,noexec,nosuid,nodev
        passno: "0"
        dump: "0"
        state: mounted
      when: ansible_fqdn == 'oci-node01.home.foo.sh'
  roles:
    - base
    - authcheck
    - grafana
    - ipsilon
    - kdc
    - roundcube
    - role: php4dvd
      when: ansible_fqdn == 'oci-node01.home.foo.sh'
    - rocketchat
--- a/playbooks/print.yml
+++ b/playbooks/print.yml
@ -14,10 +14,17 @@
  roles:
    - base
    - role: keytab
      keytab_principals:
        - "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
    - sssd
    - mkhomedir
  tasks:
    - name: Install unbound role
      ansible.builtin.import_role:
        name: unbound
    - name: Run handlers to get interfaces configured
      ansible.builtin.meta: flush_handlers
@ -25,30 +32,20 @@
      ansible.builtin.import_role:
        name: dhcpd
    - name: Copy DNS zone files
      ansible.builtin.copy:
        dest: "/var/lib/unbound/{{ item }}"
        src: "/srv/dns/{{ item }}"
        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
      tags: dns
      notify: restart unbound
      with_items:
        - 24.20.172.in-addr.arpa
        - print.foo.sh
    - name: Install unbound role
      ansible.builtin.import_role:
        name: unbound
    - name: Install cups_server role
      ansible.builtin.import_role:
        name: cups_server
    - name: Install keytab for CUPS
-      ansible.builtin.import_role:
+      ansible.builtin.include_role:
        name: keytab
      vars:
-        keytab: /etc/cups/cups.keytab
+        keytab_path: /etc/cups/cups.keytab
-        principals: "HTTP/print.foo.sh@{{ kerberos_realm }}"
+        keytab_principals: "HTTP/print.foo.sh@{{ kerberos_realm }}"
    - name: Enable postfix mail relay
      ansible.builtin.import_role:
        name: postfix
        tasks_from: relay
      vars:
        relay_domains: [foo.sh]
--- a/playbooks/prometheus.yml
+++ b/playbooks/prometheus.yml
@ -0,0 +1,30 @@
 ---
 - name: Deploy KVM virtual machines
  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
  vars:
    myhosts: prometheus
 - name: Configure instance
  hosts: prometheus
  user: root
  gather_facts: true
  vars_files:
    - "{{ ansible_private }}/vars.yml"
  pre_tasks:
    - name: Mount /export
      ansible.posix.mount:
        name: /export
        src: LABEL=/export
        fstype: xfs
        opts: noatime,noexec,nosuid,nodev
        passno: "0"
        dump: "0"
        state: mounted
  roles:
    - base
    - prometheus
    - mysqld_exporter
    - nginx_exporter
--- a/playbooks/proxy.yml
+++ b/playbooks/proxy.yml
@ -15,90 +15,116 @@
  roles:
    - base
    - ifstated
-    - nginx/server
+    - nginx
-    - role: nginx/site
+    - nginx_logsync
-      site: ca.foo.sh
+    - role: nginx_site
-    - role: nginx/site
+      nginx_site_name: ca.foo.sh
-      site: foo.monster
+    - role: nginx_site
-    - role: nginx/site
+      nginx_site_name: foo.monster
-      site: tuiradc.fi
+    - role: nginx_site
-      redirect: https://facebook.com/TuiraDC
+      nginx_site_name: tuiradc.fi
-    - role: nginx/site
+      nginx_site_redirect: https://facebook.com/TuiraDC
-      site: www.tuiradc.fi
+    - role: nginx_site
-      redirect: https://facebook.com/TuiraDC
+      nginx_site_name: www.tuiradc.fi
-    - role: nginx/site
+      nginx_site_redirect: https://facebook.com/TuiraDC
-      site: foo.sh
+    - role: nginx_site
-      redirect: https://www.foo.sh/
+      nginx_site_name: foo.sh
-    - role: nginx/site
+      nginx_site_redirect: https://www.foo.sh/
-      site: autoconfig.foo.sh
+    - role: nginx_site
-    - role: nginx/site
+      nginx_site_name: apps.foo.sh
-      site: boot.foo.sh
+      nginx_site_load_balance_method: ip_hash
-      ssl_config: old
+      nginx_site_proxy:
    - role: nginx/site
      site: bitbucket.foo.sh
      redirect: https://bitbucket.org/tmakinen/
    - role: nginx/site
      site: certbot.home.foo.sh
      proxy: https://certbot.home.foo.sh/
    - role: nginx/site
      site: chat.foo.sh
      proxy:
        - https://oci-node01.home.foo.sh/rocketchat/
        - https://oci-node02.home.foo.sh/rocketchat/
    - role: nginx/site
      site: collab.foo.sh
      proxy: https://collab01.home.foo.sh/
    - role: nginx/site
      site: devel01.foo.sh
      proxy: https://devel01.home.foo.sh/
    - role: nginx/site
      site: dns.home.foo.sh
      redirect: https://www.foo.sh/
    - role: nginx/site
      site: git.foo.sh
      proxy: https://gitea02.home.foo.sh/
    - role: nginx/site
      site: gitea.foo.sh
      redirect: https://git.foo.sh/
    - role: nginx/site
      site: ha.foo.sh
      proxy: https://homeassistant01.home.foo.sh/
    - role: nginx/site
      site: id.foo.sh
      proxy:
        - https://oci-node01.home.foo.sh
        - https://oci-node02.home.foo.sh
-    - role: nginx/site
+    - role: nginx_site
-      site: influxdb.foo.sh
+      nginx_site_name: audiobooks.foo.sh
-      proxy: https://influxdb01.home.foo.sh/
+      nginx_site_proxy: https://audiobooks02.home.foo.sh/
-    - role: nginx/site
+    - role: nginx_site
-      site: iot.foo.sh
+      nginx_site_name: autoconfig.foo.sh
-      redirect: https://www.foo.sh/
+    - role: nginx_site
-    - role: nginx/site
+      nginx_site_name: boot.foo.sh
-      site: munin.foo.sh
+    - role: nginx_site
-      proxy: https://munin01.home.foo.sh/
+      nginx_site_name: bitbucket.foo.sh
-    - role: nginx/site
+      nginx_site_redirect: https://bitbucket.org/tmakinen/
-      site: mirrors.foo.sh
+    - role: nginx_site
-      proxy: https://mirror01.home.foo.sh/
+      nginx_site_name: cctv.foo.sh
-    - role: nginx/site
+      nginx_site_proxy: https://frigate02.home.foo.sh/frigate/
-      site: noc.foo.sh
+    - role: nginx_site
-      proxy:
+      nginx_site_name: certbot.home.foo.sh
      nginx_site_proxy: https://certbot.home.foo.sh/
    - role: nginx_site
      nginx_site_name: chat.foo.sh
      nginx_site_proxy:
        - https://oci-node01.home.foo.sh/rocketchat/
        - https://oci-node02.home.foo.sh/rocketchat/
    - role: nginx_site
      nginx_site_name: collab.foo.sh
      nginx_site_proxy: https://collab01.home.foo.sh/
    - role: nginx_site
      nginx_site_name: devel01.foo.sh
      nginx_site_proxy: https://devel01.home.foo.sh/
    - role: nginx_site
      nginx_site_name: dns.home.foo.sh
      nginx_site_redirect: https://www.foo.sh/
    - role: nginx_site
      nginx_site_name: forgejo.foo.sh
      nginx_site_redirect: https://git.foo.sh/
    - role: nginx_site
      nginx_site_name: git.foo.sh
      nginx_site_proxy: https://forgejo02.home.foo.sh/
    - role: nginx_site
      nginx_site_name: gitea.foo.sh
      nginx_site_redirect: https://git.foo.sh/
    - role: nginx_site
      nginx_site_name: ha.foo.sh
      nginx_site_proxy: https://homeassistant01.home.foo.sh/
    - role: nginx_site
      nginx_site_name: id.foo.sh
      nginx_site_proxy:
        - https://oci-node01.home.foo.sh
        - https://oci-node02.home.foo.sh
    - role: nginx_site
      nginx_site_name: idp.foo.sh
      nginx_site_proxy: https://oci-node01.home.foo.sh/ipsilon/
    - role: nginx_site
      nginx_site_name: influxdb.foo.sh
      nginx_site_proxy: https://influxdb01.home.foo.sh/
    - role: nginx_site
      nginx_site_name: iot.foo.sh
      nginx_site_redirect: https://www.foo.sh/
    - role: nginx_site
      nginx_site_name: mirrors.foo.sh
      nginx_site_proxy: https://mirror02.home.foo.sh/
    - role: nginx_site
      nginx_site_name: movies.foo.sh
      nginx_site_proxy:
        - https://oci-node01.home.foo.sh/php4dvd/
    - role: nginx_site
      nginx_site_name: mta-sts.foo.sh
    - role: nginx_site
      nginx_site_name: noc.foo.sh
      nginx_site_proxy:
        - https://oci-node01.home.foo.sh/grafana/
        - https://oci-node02.home.foo.sh/grafana/
-    - role: nginx/site
+    - role: nginx_site
-      site: print.foo.sh
+      nginx_site_name: print.foo.sh
-      proxy: https://print01.home.foo.sh:631/
+      nginx_site_proxy: https://print01.home.foo.sh:631/
-    - role: nginx/site
+    - role: nginx_site
-      site: registry.foo.sh
+      nginx_site_name: registry.foo.sh
-      proxy: ["registry01.home.foo.sh:5000", "registry02.home.foo.sh:5000"]
+      nginx_site_proxy:
-    - role: nginx/site
+        - "registry01.home.foo.sh:5000"
-      site: webmail.foo.sh
+        - "registry02.home.foo.sh:5000"
-      proxy:
+    - role: nginx_site
      nginx_site_name: scan.foo.sh
      nginx_site_proxy:
        - https://sane02.home.foo.sh/scanservjs/
    - role: nginx_site
      nginx_site_name: webmail.foo.sh
      nginx_site_load_balance_method: ip_hash
      nginx_site_proxy:
        - https://oci-node01.home.foo.sh/roundcube/
-    - role: nginx/site
+        - https://oci-node02.home.foo.sh/roundcube/
-      site: wpad.foo.sh
+    - role: nginx_site
-    - role: nginx/site
+      nginx_site_name: wpad.foo.sh
-      site: www.foo.sh
+    - role: nginx_site
-    - role: nginx/site
+      nginx_site_name: www.foo.sh
      site: zm.foo.sh
      proxy: https://zm02.home.foo.sh/
--- a/playbooks/relay.yml
+++ b/playbooks/relay.yml
@ -16,13 +16,13 @@
    - base
    - ifstated
    - relayd
-    - nginx/server
+    - nginx
-    - role: nginx/site
+    - role: nginx_site
-      site: ldap.foo.sh
+      nginx_site_name: ldap.foo.sh
-      redirect: https://www.foo.sh/
+      nginx_site_redirect: https://www.foo.sh/
-    - role: nginx/site
+    - role: nginx_site
-      site: ldap01.foo.sh
+      nginx_site_name: ldap01.foo.sh
-      redirect: https://www.foo.sh/
+      nginx_site_redirect: https://www.foo.sh/
-    - role: nginx/site
+    - role: nginx_site
-      site: loghost.foo.sh
+      nginx_site_name: loghost.foo.sh
-      redirect: https://www.foo.sh/
+      nginx_site_redirect: https://www.foo.sh/
--- a/playbooks/sane.yml
+++ b/playbooks/sane.yml
@ -0,0 +1,39 @@
 ---
 - name: Deploy KVM virtual machines
  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
  vars:
    myhosts: sane
 - name: Configure instance
  hosts: sane
  user: root
  gather_facts: true
  vars_files:
    - "{{ ansible_private }}/vars.yml"
  roles:
    - base
    - sane
    - scanservjs
    - mod_auth_gssapi
    - role: keytab
      keytab_path: /etc/httpd/httpd.keytab
      keytab_principals: HTTP/scan.foo.sh@FOO.SH
      keytab_group: apache
  tasks:
    - name: Require authentication for scanservjs
      ansible.builtin.copy:
        dest: /etc/httpd/conf.local.d/scanservjs-auth.conf
        content: |
          <Location /scanservjs>
            AuthType        GSSAPI
            GssapiBasicAuth On
            AuthName        "Password Required"
            Require         valid-user
          </Location>
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
      notify: Restart apache
--- a/playbooks/shell.yml
+++ b/playbooks/shell.yml
@ -15,7 +15,7 @@
  roles:
    - base
    - role: keytab
-      principals:
+      keytab_principals:
        - "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
        - "nfs/{{ inventory_hostname }}@{{ kerberos_realm }}"
    - nfs_client
@ -24,9 +24,8 @@
    - thinlinc_server
    - epel_repo
    - foosh_repo
-    - powertools_repo
+    - role: nginx
-    - role: nginx/server
+      nginx_plaintext: true
      plaintext: true
  tasks:
    - name: Install extra package groups
@ -63,6 +62,7 @@
        - pandoc
        - php-cli
        - python3-netaddr
        - python3-requests
        - rcs
        - rpmlint
        - syslinux
@ -71,7 +71,6 @@
        - tmux
        - whois
        - wireshark
        - wkhtmltopdf
        - yamllint
        - zsh
      loop_control:
@ -98,6 +97,6 @@
        content: |
          Host *.home.foo.sh !gw.home.foo.sh
            ProxyJump root@gw.home.foo.sh
-        mode: 0644
+        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
--- a/playbooks/static.yml
+++ b/playbooks/static.yml
@ -15,7 +15,7 @@
  roles:
    - base
    - role: keytab
-      principals:
+      keytab_principals:
        - "host/{{ inventory_hostname }}@FOO.SH"
        - "nfs/{{ inventory_hostname }}@FOO.SH"
    - nfs_client
@ -48,7 +48,7 @@
            AllowOverride AuthConfig FileInfo Indexes Limit
            Require all granted
          </Directory>
-        mode: 0644
+        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
      notify: Restart apache
--- a/playbooks/vmhost.yml
+++ b/playbooks/vmhost.yml
@ -17,6 +17,7 @@
        passno: "0"
        dump: "0"
        state: mounted
      when: inventory_hostname == "vmhost02.home.foo.sh"
    - name: Mount /export/libvirt/nvme
      ansible.posix.mount:
        name: /export/libvirt/nvme
@ -26,10 +27,10 @@
        passno: "0"
        dump: "0"
        state: mounted
-    - name: Mount /export/libvirt/ssd
+    - name: Mount /export/libvirt/os
      ansible.posix.mount:
-        name: /export/libvirt/ssd
+        name: /export/libvirt/os
-        src: LABEL=ssd
+        src: LABEL=os
        fstype: xfs
        opts: noatime,noexec,nosuid,nodev
        passno: "0"
@ -39,3 +40,4 @@
  roles:
    - base
    - kvm_host
    - ssh_known_hosts
--- a/roles/ansible_host/files/urls.py.patch
+++ b/roles/ansible_host/files/urls.py.patch
@ -0,0 +1,86 @@
 --- ./urls.py.orig	2024-03-27 18:55:18.077213253 +0000
 +++ urls.py	2024-03-27 18:21:07.613270952 +0000
@@ -535,15 +535,18 @@
 UnixHTTPSConnection = None
 if hasattr(httplib, 'HTTPSConnection') and hasattr(urllib_request, 'HTTPSHandler'):
     class CustomHTTPSConnection(httplib.HTTPSConnection):  # type: ignore[no-redef]
 -        def __init__(self, *args, **kwargs):
 +        def __init__(self, client_cert=None, client_key=None, *args, **kwargs):
             httplib.HTTPSConnection.__init__(self, *args, **kwargs)
             self.context = None
             if HAS_SSLCONTEXT:
                 self.context = self._context
             elif HAS_URLLIB3_PYOPENSSLCONTEXT:
                 self.context = self._context = PyOpenSSLContext(PROTOCOL)
 -            if self.context and self.cert_file:
 -                self.context.load_cert_chain(self.cert_file, self.key_file)
 +
 +            self._client_cert = client_cert
 +            self._client_key = client_key
 +            if self.context and self._client_cert:
 +                self.context.load_cert_chain(self._client_cert, self._client_key)
         def connect(self):
             "Connect to a host on a given (SSL) port."
@@ -564,10 +567,10 @@
             if HAS_SSLCONTEXT or HAS_URLLIB3_PYOPENSSLCONTEXT:
                 self.sock = self.context.wrap_socket(sock, server_hostname=server_hostname)
             elif HAS_URLLIB3_SSL_WRAP_SOCKET:
 -                self.sock = ssl_wrap_socket(sock, keyfile=self.key_file, cert_reqs=ssl.CERT_NONE,  # pylint: disable=used-before-assignment
 -                                            certfile=self.cert_file, ssl_version=PROTOCOL, server_hostname=server_hostname)
 +                self.sock = ssl_wrap_socket(sock, keyfile=self._client_key, cert_reqs=ssl.CERT_NONE,  # pylint: disable=used-before-assignment
 +                                            certfile=self._client_cert, ssl_version=PROTOCOL, server_hostname=server_hostname)
             else:
 -                self.sock = ssl.wrap_socket(sock, keyfile=self.key_file, certfile=self.cert_file, ssl_version=PROTOCOL)
 +                self.sock = ssl.wrap_socket(sock, keyfile=self._client_key, certfile=self._client_cert, ssl_version=PROTOCOL)
     class CustomHTTPSHandler(urllib_request.HTTPSHandler):  # type: ignore[no-redef]
@@ -602,10 +605,6 @@
             return self.do_open(self._build_https_connection, req)
         def _build_https_connection(self, host, **kwargs):
 -            kwargs.update({
 -                'cert_file': self.client_cert,
 -                'key_file': self.client_key,
 -            })
             try:
                 kwargs['context'] = self._context
             except AttributeError:
@@ -613,7 +612,7 @@
             if self._unix_socket:
                 return UnixHTTPSConnection(self._unix_socket)(host, **kwargs)
             if not HAS_SSLCONTEXT:
 -                return CustomHTTPSConnection(host, **kwargs)
 +                return CustomHTTPSConnection(host, client_cert=self.client_cert, client_key=self.client_key, **kwargs)
             return httplib.HTTPSConnection(host, **kwargs)
     @contextmanager
@@ -979,7 +978,7 @@
             pass
 -def make_context(cafile=None, cadata=None, ciphers=None, validate_certs=True):
 +def make_context(cafile=None, cadata=None, ciphers=None, validate_certs=True, client_cert=None, client_key=None):
     if ciphers is None:
         ciphers = []
@@ -1006,6 +1005,9 @@
     if ciphers:
         context.set_ciphers(':'.join(map(to_native, ciphers)))
 +    if client_cert:
 +        context.load_cert_chain(client_cert, keyfile=client_key)
 +
     return context
@@ -1514,6 +1516,8 @@
                 cadata=cadata,
                 ciphers=ciphers,
                 validate_certs=validate_certs,
 +                client_cert=client_cert,
 +                client_key=client_key,
             )
             handlers.append(HTTPSClientAuthHandler(client_cert=client_cert,
                                                    client_key=client_key,
--- a/roles/ansible_host/meta/main.yml
+++ b/roles/ansible_host/meta/main.yml
@ -2,4 +2,4 @@
 dependencies:
  - {role: epel_repo}
  - {role: git}
-  - {role: nginx/server}
+  - {role: nginx}
--- a/roles/ansible_host/tasks/main.yml
+++ b/roles/ansible_host/tasks/main.yml
@ -7,35 +7,22 @@
    - ansible
    - ansible-collection-ansible-posix
    - ansible-collection-community-general
-    - python3.11-dns        # required for lookup('dig', 'hostname')
+    - patch                # needed in next step
-    - python3-netaddr       # required by iptables role
+    - python3.9-dns        # required for lookup('dig', 'hostname')
    - python3.9-ldap       # required for ldap modules
    - python3.9-netaddr    # required by iptables role
- name: Create python3.11 lib directories
+- name: Patch ansible to support python 3.12 clients
-  ansible.builtin.file:
+  ansible.posix.patch:
-    path: "{{ item }}"
+    src: urls.py.patch
-    state: directory
+    dest: /usr/lib/python3.9/site-packages/ansible/module_utils/urls.py
    mode: 0755
    owner: root
    group: "{{ ansible_wheel }}"
  with_items:
    - /usr/local/lib/python3.11
    - /usr/local/lib/python3.11/site-packages
 - name: Kludge to add netaddr to python3.11 until package is released
  ansible.builtin.copy:
    dest: /usr/local/lib/python3.11/site-packages/netaddr
    src: /usr/lib/python3.9/site-packages/netaddr
    mode: preserve
    owner: root
    group: "{{ ansible_wheel }}"
    remote_src: true
 - name: Create private directory and force permissions
  ansible.builtin.file:
    path: /export/private
    owner: root
    group: root
-    mode: 0700
+    mode: "0700"
    state: directory
 - name: Link private directory
@ -55,7 +42,7 @@
 - name: Clone ansible repository
  ansible.builtin.git:
    dest: /srv/ansible
-    repo: https://git.foo.sh/ansible.git
+    repo: https://git.foo.sh/foo.sh/ansible.git
    update: false
    version: master
@ -72,7 +59,7 @@
  ansible.builtin.copy:
    src: nginx.conf
    dest: /etc/nginx/conf.d/{{ inventory_hostname }}/ansible.conf
-    mode: 0644
+    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: Restart nginx
@ -83,4 +70,4 @@
    src: root-bashrc.sh
    owner: root
    group: "{{ ansible_wheel }}"
-    mode: 0600
+    mode: "0600"
--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@ -40,7 +40,7 @@
  ansible.builtin.file:
    state: directory
    path: "{{ item }}"
-    mode: 0755
+    mode: "0755"
    owner: root
    group: "{{ ansible_wheel }}"
    seuser: _default
@ -54,7 +54,7 @@
  ansible.builtin.template:
    src: ssl.conf.j2
    dest: /etc/httpd/conf.local.d/ssl.conf
-    mode: 0644
+    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: Restart apache
@ -63,7 +63,7 @@
  ansible.builtin.template:
    src: site.conf.j2
    dest: "/etc/httpd/conf.local.d/{{ inventory_hostname }}.conf"
-    mode: 0644
+    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: Restart apache
--- a/roles/aten_pdu/files/ATEN-PE-CFG_str_1.3.128.mib
+++ b/roles/aten_pdu/files/ATEN-PE-CFG_str_1.3.128.mib
--- a/roles/aten_pdu/files/aten-mqtt-publish.sh
+++ b/roles/aten_pdu/files/aten-mqtt-publish.sh
@ -0,0 +1,93 @@
 #!/bin/sh
 set -eu
 umask 077
 community="public"
 if [ "${1:-}" = "-n" ]; then
    _noop=true
 else
    _noop=false
 fi
 mqtt_send() {
    topic="$1"
    value="$2"
    tlsdir="$(openssl version -d | sed -e 's/^OPENSSLDIR: "\(.\+\)"$/\1/')"
    mosquitto_pub -h mqtt02.home.foo.sh -t "$topic" -m "$value" \
        --cafile "${tlsdir}/certs/ca.crt" \
        --key "${tlsdir}/private/$(hostname -f).key" \
        --cert "${tlsdir}/certs/$(hostname -f).crt"
 }
 snmp_get() {
    host="$1"
    key="$2"
    snmpget -v 1 -c "$community" "$host" -Oqv -m ATEN-PE-CFG "$key" | tr -d '"'
 }
 # only run script if first vrrp interface is in master state
 for state in /run/keepalived/*.state ; do
    if [ "$(cat "$state")" != "MASTER" ]; then
        exit 0
    fi
    break
 done
 ldapsearch -Q -LLL "(&(objectClass=device)(description=Aten PE*))" cn l | awk '
    {
        if ($1 == "cn:") {
            cn = $2
        }
        if ($1 == "l:") {
            l = substr($0, 3)
        }
        if ($0 == "" && cn != "" && l != "") {
            print cn l
            cn = ""
            l = ""
        }
    }
    ' | while read -r name location
 do
    snmpwalk -v 1 -c "$community" "$name" -Oq \
        -m ATEN-PE-CFG ATEN-PE-CFG::outletName | while read -r port device
    do
        port="$(echo "$port" | cut -d '.' -f 2)"
        device="$(echo "$device" | tr -d '"')"
        case "$device" in
            "N/A"|"00 "|"unused")
                continue
                ;;
        esac
        if device_name="$(ldapsearch -Q -LLL \
            "(&(objectClass=device)(cn=${device}.*))" cn | awk "
            {
                if (\$1 == \"cn:\") {
                    if (name) {
                        exit 1
                    }
                    name=\$2
                }
            } END {
                if (!name) {
                    exit 1
                }
                print name
            }
        ")" ; then
            device="$device_name"
        fi
        for key in Current Power Voltage ; do
            topic="home/${location}/${device}/$(echo "$key" | tr '[:upper:]' '[:lower:]')"
 	    value="$(snmp_get "$name" "ATEN-PE-CFG::outlet${key}.${port}")"
            if $_noop ; then
                echo "${topic} -> ${value}"
            else
                mqtt_send "$topic" "$value"
            fi
        done
    done
 done
--- a/roles/aten_pdu/meta/main.yml
+++ b/roles/aten_pdu/meta/main.yml
@ -0,0 +1,3 @@
 ---
 dependencies:
  - {role: ldap}
--- a/roles/aten_pdu/tasks/main.yml
+++ b/roles/aten_pdu/tasks/main.yml
@ -0,0 +1,31 @@
 ---
 - name: Install packages
  ansible.builtin.package:
    name: "{{ item }}"
    state: installed
  with_items:
    - mosquitto
    - net-snmp-utils
 # https://www.aten.com/eu/en/products/power-distribution-&-racks/rack-pdu/pe8108/
 - name: Install custom mib
  ansible.builtin.copy:
    dest: /usr/share/snmp/mibs/ATEN-PE-CFG.txt
    src: ATEN-PE-CFG_str_1.3.128.mib
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
 - name: Install mqtt publish script
  ansible.builtin.copy:
    dest: /usr/local/bin/aten-mqtt-publish
    src: aten-mqtt-publish.sh
    mode: "0755"
    owner: root
    group: "{{ ansible_wheel }}"
 - name: Add mqtt publish cron job
  ansible.builtin.cron:
    name: aten-mqtt-publish
    job: /usr/local/bin/aten-mqtt-publish
    minute: "*/5"
--- a/roles/audiobookshelf/files/audiobookshelf.default
+++ b/roles/audiobookshelf/files/audiobookshelf.default
@ -0,0 +1,4 @@
 METADATA_PATH=/srv/audiobookshelf/metadata
 CONFIG_PATH=/srv/audiobookshelf/config
 PORT=13378
 HOST=127.0.0.1
--- a/roles/audiobookshelf/files/meta.md
+++ b/roles/audiobookshelf/files/meta.md
@ -0,0 +1,30 @@
 = Preparing files for upload =
 == Filenames ==
 Filenames should always contain track number (and optionally disc number) with leading zeros first and subtitle after that. Few exmaples:
 ```
 01. Luku.mp3
 01. Osa.mp3
 CD 1 - 01.mp3
 ```
 Directory should also contain `cover.jpg` with book cover picture and `desc.txt` containing book description.
 == Metadata (id3 tags) ==
 First clear old tags then set new ones:
 ```
 id3v2 -D "01. Osa.mp3"
 id3v2 \
    --TPE1 "Douglas Adams" \
    --TALB "$(echo 'Linnunradan käsikirja liftareille' | iconv -f utf-8 -t iso-8859-1)" \
    --TCOM "$(echo 'Heikki Kinnunen,Pekka Autiovuori,Yrjö Järvinen,Martti Järvinen,Esa Saario,Kauko Helavirta,Aila Svedberg' | iconv -f utf-8 -t iso-8859-1)" \
    --TLAN "fi" \
    --TPUB "Yleisradio" \
    --TYER 1984 \
    --genre "Science Fiction/Fiction/Humor" \
    "01. Osa.mp3"
 ```
--- a/roles/audiobookshelf/handlers/main.yml
+++ b/roles/audiobookshelf/handlers/main.yml
@ -0,0 +1,5 @@
 ---
 - name: Restart audiobookshelf
  ansible.builtin.service:
    name: audiobookshelf
    state: restarted
--- a/roles/audiobookshelf/meta/main.yml
+++ b/roles/audiobookshelf/meta/main.yml
@ -0,0 +1,3 @@
 ---
 dependencies:
  - {role: nginx}
--- a/roles/audiobookshelf/tasks/main.yml
+++ b/roles/audiobookshelf/tasks/main.yml
@ -0,0 +1,90 @@
 ---
 - name: Enable repository
  ansible.builtin.yum_repository:
    name: audiobookshelf
    baseurl: https://raw.githubusercontent.com/lkiesow/audiobookshelf-rpm/el$releasever/
    description: Audiobookshelf el$releasever repository
    gpgcheck: true
    gpgkey: https://raw.githubusercontent.com/lkiesow/audiobookshelf-rpm/main/audiobookshelf-rpm.key
    enabled: true
 - name: Install packcages
  ansible.builtin.package:
    name: audiobookshelf
    state: present
 - name: Create data directories
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: "0770"
    owner: root
    group: audiobookshelf
  with_items:
    - /export/audiobookshelf
    - /export/audiobookshelf/audiobooks
    - /export/audiobookshelf/config
    - /export/audiobookshelf/metadata
    - /export/audiobookshelf/podcasts
    - /export/audiobookshelf/radioplays
 - name: Link data directory
  ansible.builtin.file:
    dest: /srv/audiobookshelf
    src: /export/audiobookshelf
    state: link
    owner: root
    group: "{{ ansible_wheel }}"
    follow: false
 - name: Copy naming instructions
  ansible.builtin.copy:
    dest: /srv/audiobookshelf/audiobooks/README.md
    src: meta.md
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
 - name: Copy service config
  ansible.builtin.copy:
    dest: /etc/default/audiobookshelf
    src: audiobookshelf.default
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: Restart audiobookshelf
 - name: Enable service
  ansible.builtin.service:
    name: audiobookshelf
    state: started
    enabled: true
 - name: Allow nginx to connect audiobookshelf
  ansible.posix.seboolean:
    name: httpd_can_network_connect
    state: true
    persistent: true
 - name: Copy nginx config
  ansible.builtin.copy:
    dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/audiobookshelf.conf"
    content: |
      location / {
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host audiobooks.foo.sh;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_pass http://127.0.0.1:13378/;
        location /audiobookshelf/api/upload {
          # increase size to allow uploads
          client_max_body_size 10g;
          proxy_pass http://127.0.0.1:13378/api/upload;
        }
      }
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: Restart nginx
--- a/roles/authcheck/tasks/main.yml
+++ b/roles/authcheck/tasks/main.yml
@ -10,11 +10,19 @@
    group: authcheck
    shell: /sbin/nologin
 - name: Enable user lingering
  ansible.builtin.command:
    argv:
      - loginctl
      - enable-linger
      - authcheck
    creates: /var/lib/systemd/linger/authcheck
 - name: Get container source
  ansible.builtin.git:
    dest: /usr/local/src/docker-authcheck
    repo: https://github.com/foo-sh/docker-authcheck.git
-    update: false
+    update: true
    version: main
  notify: Rebuild authcheck-container
@ -22,7 +30,7 @@
  ansible.builtin.template:
    dest: /etc/systemd/system/authcheck-container.service
    src: authcheck-container.service.j2
-    mode: 0644
+    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
@ -39,7 +47,7 @@
      location /authcheck {
        proxy_pass http://127.0.0.1:8003/;
      }
-    mode: 0644
+    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: Restart nginx
--- a/roles/autofs/defaults/main.yml
+++ b/roles/autofs/defaults/main.yml
@ -0,0 +1,3 @@
 ---
 autofs_home: true
 autofs_roles: true
--- a/roles/autofs/tasks/main.yml
+++ b/roles/autofs/tasks/main.yml
@ -34,7 +34,7 @@
  ansible.builtin.template:
    dest: /etc/autofs_ldap_auth.conf
    src: autofs_ldap_auth.conf.j2
-    mode: 0600
+    mode: "0600"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: Restart autofs
@ -43,7 +43,7 @@
  ansible.builtin.template:
    dest: /etc/auto.master
    src: auto.master.j2
-    mode: 0644
+    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: Restart autofs
@ -74,7 +74,7 @@
  ansible.builtin.copy:
    dest: "/etc/profile.d/{{ item }}"
    src: "{{ item }}"
-    mode: 0644
+    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  with_items:
--- a/Show more
+++ b/Show more
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdaNO9dLpI8CVx1rwGsKN45Pgiz+Btrlf2Q/nXCx4Ru root@backup02.home.foo.sh`