Fix custom firewall rules for print hosts

This now affects only Fedora and OpenBSD hosts

.gitignore

@@ -1,2 +1,3 @@
 .*.swp
 __pycache__
+files/ssh/backup.pub

container-ports.md

@@ -0,0 +1,16 @@
+# Ports used by container web services
+
+| Port | Ansible role        | Service name               |
+|------|---------------------|----------------------------|
+| 8001 | kerberos_kdc        | Kerberos KDC               |
+| 8002 | grafana             | Grafana                    |
+| 8003 | authcheck           | Authentication check       |
+| 8004 | roundcube           | Roundcube webmail          |
+| 8005 | php4dvd             | php4dvd movie catalog      |
+| 8006 | scanservjs          | SANE Scanner webui         |
+| 8007 | frigate             | Network video recorder     |
+| 8008 | hoemeassistant      | Home Assistant             |
+| 8009 | rocketchat          | Rocket.Chat                |
+| 8010 | google-spell-pspell | Google Spell Check XML API |
+| 8011 | ipsilon             | Ipsilon Identity Provider  |
+| 8012 | nodered             | Node Red                   |

files/ssh/backup.pub

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdaNO9dLpI8CVx1rwGsKN45Pgiz+Btrlf2Q/nXCx4Ru root@backup02.home.foo.sh

group_vars/adm.yml

@@ -1,8 +1,12 @@
 ---
 datadisks:
-  - {size: 10}
+  - {size: 10, type: nvme}
 
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 80, from: [172.20.20.0/22]}
   - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+
+sssd_allow_groups:
+  - sysadm

group_vars/all.yml

@@ -31,8 +31,10 @@ boot_url: https://boot.foo.sh
 # ssh public keys for logsync user
 logsync_publickeys: "{{ lookup('file', '../files/ssh/logsync.pub') }}"
 
-# ssh public keys for backup user
-backup_publickeys: "{{ lookup('file', '../files/ssh/backup.pub') }}"
+# default name servers
+network_dns_servers:
+  - 8.8.8.8
+  - 8.8.4.4
 
 # hardcode this for now
 ansible_datacenter: home

group_vars/audiobooks.yml

@@ -1,8 +1,8 @@
 ---
 datadisks:
-  - {size: 10, type: hdd}
+  - {size: 50, type: hdd}
 
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}

group_vars/backup.yml

@@ -1,3 +1,4 @@
 ---
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}

group_vars/collab.yml

@@ -5,4 +5,4 @@ datadisks:
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}

group_vars/dnagw.yml

@@ -12,12 +12,32 @@ network_vip_interfaces:
     netmask: 255.255.252.0
     pass: "{{ vip10_pass }}"
     priority: 120
+  - device: vio0
+    vhid: 11
+    ipaddr: 172.20.20.11
+    netmask: 255.255.252.0
+    pass: "{{ vip11_pass }}"
+    priority: "{{ vip11_priority }}"
+  - device: vio0
+    vhid: 12
+    ipaddr: 172.20.20.12
+    netmask: 255.255.252.0
+    pass: "{{ vip12_pass }}"
+    priority: "{{ vip12_priority }}"
 network_ether_interfaces:
   - device: vio1
     proto: none
 
+unbound_zones:
+  - 20.172.in-addr.arpa
+  - home.foo.sh
+
 # use custom firewall config
 firewall_src: pf.conf.gw_home
 
 # ifstated config
 ifstated_config: ifstated-dna.conf.j2
+
+# ssh host alaises
+ssh_hostnames:
+  - gw.home.foo.sh

group_vars/fedora.yml

@@ -1,7 +1,7 @@
 ---
 # default resources for new vm
 dsk_size: 20
-mem_size: 2048
+mem_size: 4096
 num_cpus: 2
 
 # extra args for virt-install
@@ -18,7 +18,7 @@ ipcmd: >-
   {% endif %}
 virt_install_os_args: >-
   --location
-  https://nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/releases/38/Everything/x86_64/os/
+  https://nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/releases/41/Everything/x86_64/os/
   --extra-args
   "inst.ks={{ ks_file }}
   console=ttyS0

group_vars/forgejo.yml

@@ -0,0 +1,8 @@
+---
+datadisks:
+  - {size: 10, type: nvme}
+
+firewall_in:
+  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}

group_vars/frigate.yml

@@ -1,8 +1,9 @@
 ---
-mem_size: 4096
+mem_size: 8192
 num_cpus: 2
 datadisks:
-  - {size: 500}
+  - {size: 50, type: nvme}
+  - {size: 500, type: hdd}
 
 network_vip_interfaces:
   - device: eth1
@@ -11,13 +12,16 @@ network_vip_interfaces:
     netmask: 255.255.0.0
     pass: "{{ vip26_pass }}"
 
-zm_mysql_host: sqldb02.home.foo.sh
+unbound_zones:
+  - 26.20.172.in-addr.arpa
+  - cam.foo.sh
 dhcpd_template: dhcpd.conf.cam.j2
+dhcpd_ldap_filter: >-
+  (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.cam.foo.sh))
 
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
 firewall_raw:
-  - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
-  - "-A INPUT -i eth1 -p vrrp -j ACCEPT"
+  - "ip daddr 224.0.0.0/8 accept"

group_vars/fsolgw.yml

@@ -4,8 +4,9 @@ network_vip_interfaces:
     vhid: 145
     ipaddr: 37.16.96.145
     netmask: 255.255.255.240
+    ip6addr: 2a00:4cc1:6:1006::1
+    ip6netmask: 64
     pass: "{{ vip145_pass }}"
-network_dns_servers: [172.20.20.10, 172.20.21.1, 172.20.21.2]
 
 # use custom firewall and ifstated config
 firewall_src: pf.conf.gw_fsol

group_vars/gitearunner.yml

@@ -1,4 +0,0 @@
----
-firewall_in:
-  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}

group_vars/home.yml

@@ -0,0 +1,5 @@
+---
+network_dns_servers:
+  - 172.20.20.10
+  - 172.20.20.11
+  - 172.20.20.12

group_vars/homeassistant.yml

@@ -1,7 +1,7 @@
 ---
 datadisks:
-  - {size: 10, type: hdd}
+  - {size: 10, type: nvme}
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}

group_vars/influxdb.yml

@@ -5,4 +5,4 @@ datadisks:
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}

group_vars/ldap.yml

@@ -3,6 +3,5 @@ saslauthd_mech: ldap
 
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
   - {proto: tcp, port: 636, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}

group_vars/log.yml

@@ -1,8 +1,9 @@
 ---
+mem_size: 512
 datadisks:
-  - {size: 50}
+  - {size: 50, type: nvme}
 
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
   - {proto: tcp, port: 6514}

group_vars/mail.yml

@@ -1,6 +1,7 @@
 ---
 datadisks:
-  - {size: 10}
+  - {size: 10, type: nvme}
+mem_size: 4192
 
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
@@ -10,4 +11,7 @@ firewall_in:
   - {proto: tcp, port: 465}
   - {proto: tcp, port: 587}
   - {proto: tcp, port: 993}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+
+sssd_allow_groups:
+  - sysadm

group_vars/minecraft.yml

@@ -1,9 +1,9 @@
 ---
 mem_size: 4096
 datadisks:
-  - {size: 100}
+  - {size: 100, type: nvme}
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.30.0/24]}
+  - {proto: tcp, port: 9100, from: [172.20.30.0/24]}
   - {proto: tcp, port: 25565, from: [172.20.30.0/24]}
   - {proto: udp, port: 25565, from: [172.20.30.0/24]}

group_vars/mirror.yml

@@ -1,10 +1,9 @@
 ---
-
 datadisks:
-  - {size: 1000}
+  - {size: 1500, type: hdd}
 
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 443, from: [172.20.20.0/22]}
   - {proto: tcp, port: 873, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}

group_vars/mongodb.yml

@@ -4,3 +4,4 @@ datadisks:
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 27017, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}

group_vars/mqtt.yml

@@ -3,5 +3,5 @@ firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 443, from: [172.20.27.0/24]}
   - {proto: tcp, port: 1883, from: [172.20.27.0/24]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
   - {proto: tcp, port: 8883, from: [172.20.20.0/22, 172.20.27.0/24]}

group_vars/nas.yml

@@ -2,11 +2,14 @@
 mem_size: 8192
 num_cpus: 2
 datadisks:
-  - {size: 1000}
-  - {size: 400, type: nvme}
+  - {size: 500, type: nvme}
+  - {size: 50, type: nvme}
 
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 2049, from: [172.20.20.0/22]}
   - {proto: tcp, port: 2049, from: [172.20.30.0/24]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+
+sssd_allow_groups:
+  - root

group_vars/nms.yml

@@ -1,12 +1,24 @@
 ---
 datadisks:
-  - {size: 10}
+  - {size: 10, type: nvme}
+
+unbound_zones:
+  - 25.20.172.in-addr.arpa
+  - oob.foo.sh
+dhcpd_template: dhcpd.conf.oob.j2
+dhcpd_ldap_filter: >-
+  (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.oob.foo.sh))
 
 network_vip_interfaces:
+  - device: eth0
+    vhid: 11
+    ipaddr: 172.20.20.21
+    netmask: 255.255.240.0
+    pass: "{{ vip21_pass }}"
   - device: eth1
     vhid: 25
     ipaddr: 172.20.25.1
-    netmask: 255.255.0.0
+    netmask: 255.255.255.0
     pass: "{{ vip25_pass }}"
     priority: "{{ vip25_priority }}"
 
@@ -19,7 +31,10 @@ firewall_in:
   - {proto: udp, port: 123, from: [172.20.25.0/24]}
   - {proto: tcp, port: 443, from: [172.20.25.0/24]}
   - {proto: udp, port: 514, from: [172.20.25.0/24]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9116, from: [172.20.20.0/22]}
 firewall_raw:
-  - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
-  - "-A INPUT -i eth1 -p vrrp -j ACCEPT"
+  - "ip daddr 224.0.0.0/8 accept"
+
+sssd_allow_groups:
+  - sysadm

group_vars/ns.yml

@@ -1,12 +1,13 @@
 ---
 firewall_in:
-  - {proto: tcp, port: 22, from: [172.20.20.0/22, 81.175.130.44/32]}
+  - {proto: tcp, port: 22, from: [172.20.20.0/22, 212.149.225.204/32]}
   - {proto: tcp, port: 53}
   - {proto: udp, port: 53}
   - {proto: tcp, port: 80}
   - {proto: tcp, port: 443}
   - {proto: tcp, port: 853}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22, 81.175.130.44/32]}
+  - {proto: tcp, port: 9100}
+  - {proto: tcp, port: 9115}
 firewall_raw:
   - pass quick proto carp
 

group_vars/ocinode.yml

@@ -1,7 +1,10 @@
 ---
 # increase memory size
-mem_size: 4192
+mem_size: 8192
+# increase disk size to store docker images
+dsk_size: 100
 
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 443, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}

group_vars/openbsd.yml

@@ -17,5 +17,5 @@ num_cpus: 2
 
 # extra args for virt-install
 virt_install_os_args: --cdrom {{ boot_url }}/openbsd/openbsd.iso
-virt_install_os_variant: openbsd7.0
-virt_install_python_cmd: pkg_add python3 -I -x
+virt_install_os_variant: openbsd7.4
+virt_install_python_cmd: pkg_add -I -x python

group_vars/print.yml

@@ -7,14 +7,20 @@ network_vip_interfaces:
     pass: "{{ vip24_pass }}"
     priority: "{{ vip24_priority }}"
 
-dhcpd_template: dhcpd.conf.print.j2
-
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 53, from: [172.20.24.0/24]}
   - {proto: udp, port: 53, from: [172.20.24.0/24]}
   - {proto: tcp, port: 631, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
 firewall_raw:
-  - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
-  - "-A INPUT -i eth1 -p vrrp -j ACCEPT"
+  - "ip daddr 224.0.0.0/8 accept"
+
+dhcpd_template: dhcpd.conf.print.j2
+dhcpd_ldap_filter: >-
+  (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.print.foo.sh))
+sssd_allow_groups:
+  - sysadm
+unbound_zones:
+  - 24.20.172.in-addr.arpa
+  - print.foo.sh

group_vars/prometheus.yml

@@ -0,0 +1,8 @@
+---
+datadisks:
+  - {size: 100, type: nvme}
+
+firewall_in:
+  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}

group_vars/proxy.yml

@@ -4,12 +4,6 @@ mem_size: 1024
 # use bigger disk for os as we have web site data there
 dsk_size: 30
 
-network_dns_servers:
-  - 172.20.20.10
-  - 172.20.21.7
-  - 172.20.21.8
-network_dns_search:
-  - foo.sh
 network_default_gateway: 37.16.96.145
 
 network_vip_interfaces:
@@ -48,6 +42,4 @@ firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 80}
   - {proto: tcp, port: 443}
-  - {proto: tcp, port: 636}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 6514}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}

group_vars/relay.yml

@@ -1,10 +1,4 @@
 ---
-network_dns_servers:
-  - 172.20.20.10
-  - 172.20.21.7
-  - 172.20.21.8
-network_dns_search:
-  - foo.sh
 network_default_gateway: 37.16.96.145
 
 network_vip_interfaces:
@@ -41,3 +35,4 @@ firewall_in:
   - {proto: tcp, port: 443}
   - {proto: tcp, port: 636}
   - {proto: tcp, port: 6514}
+  - {proto: tcp, port: 9100}

group_vars/sane.yml

@@ -0,0 +1,5 @@
+---
+firewall_in:
+  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}

group_vars/shell.yml

@@ -1,6 +1,4 @@
 ---
-
-# beef up shell hosts
 dsk_size: 40
 mem_size: 8192
 num_cpus: 4
@@ -9,4 +7,10 @@ firewall_in:
   - {proto: tcp, port: 22}
   - {proto: tcp, port: 80}
   - {proto: tcp, port: 443}
-  - {proto: tcp, port: 4949, from: [81.175.130.44/32]}
+  - {proto: tcp, port: 9100, from: [212.149.248.65/32]}
+
+ssh_hostnames:
+  - shell.foo.sh
+
+sssd_allow_groups:
+  - foosh

group_vars/sqldb.yml

@@ -1,6 +1,8 @@
 ---
+mem_size: 4096
 datadisks:
   - {size: 20, type: nvme}
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 3306, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}

group_vars/static.yml

@@ -2,4 +2,7 @@
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+
+sssd_allow_groups:
+  - root

group_vars/vmhost.yml

@@ -1,4 +1,4 @@
 ---
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}

host_vars/audiobooks02.home.foo.sh.yml

@@ -0,0 +1,6 @@
+---
+vmhost: vmhost02.home.foo.sh
+network_interfaces:
+  - device: eth0
+    vlan: 20
+    mac: "52:54:00:ac:dc:48"

host_vars/backup02.home.foo.sh.yml

@@ -6,5 +6,5 @@ network_interfaces:
     mac: 52:54:00:ac:dc:50
 datadisks:
   - {size: 1000}
-passthrough_devices:
-  - "07:04.0"
+virt_install_devices:
+  - "02:04.0"

host_vars/dna-gw01.home.foo.sh.yml

@@ -10,3 +10,5 @@ network_interfaces:
   - device: vio1
     vlan: 103
     proto: none
+vip11_priority: 240
+vip12_priority: 120

host_vars/dna-gw02.home.foo.sh.yml

@@ -10,3 +10,5 @@ network_interfaces:
   - device: vio1
     vlan: 103
     proto: none
+vip11_priority: 120
+vip12_priority: 240

host_vars/forgejo02.home.foo.sh.yml

@@ -3,4 +3,4 @@ vmhost: vmhost02.home.foo.sh
 network_interfaces:
   - device: eth0
     vlan: 20
-    mac: 52:54:00:ac:dc:7c
+    mac: 52:54:00:ac:dc:80

host_vars/frigate02.home.foo.sh.yml

@@ -3,7 +3,7 @@ vmhost: vmhost02.home.foo.sh
 network_interfaces:
   - device: eth0
     vlan: 20
-    mac: "52:54:00:ac:dc:4c"
+    mac: "52:54:00:ac:dc:8c"
     nameservers: []
   - device: eth1
     vlan: 26
@@ -11,3 +11,5 @@ network_interfaces:
     netmask: 255.255.255.0
     proto: static
     nameservers: [172.20.26.1, 172.20.26.3]
+virt_install_devices:
+  - 004.002

host_vars/fsol-gw01.home.foo.sh.yml

@@ -15,6 +15,7 @@ network_interfaces:
   - device: vio2
     vlan: 103
     proto: dhcp
+    rdomain: 1
   - device: vio3
     vlan: 102
     proto: none

host_vars/fsol-gw02.home.foo.sh.yml

@@ -15,6 +15,7 @@ network_interfaces:
   - device: vio2
     vlan: 103
     proto: dhcp
+    rdomain: 1
   - device: vio3
     vlan: 102
     proto: none

host_vars/homeassistant01.home.foo.sh.yml

@@ -5,6 +5,10 @@ network_interfaces:
     vlan: 20
     mac: 52:54:00:ac:dc:73
   - device: eth1
+    vlan: 27
+  - device: eth2
     vlan: 30
 virt_install_devices:
-  - 003.002
+  - 0b05:190e
+  - 10c4:ea60
+  - /dev/ttyUSB0

host_vars/ldap01.home.foo.sh.yml

@@ -5,6 +5,6 @@ network_interfaces:
     vlan: 20
     mac: 52:54:00:ac:dc:1f
 datadisks:
-  - {size: 10}
+  - {size: 10, type: nvme}
 
 ldap_master: true

host_vars/mirror02.home.foo.sh.yml

@@ -3,4 +3,4 @@ vmhost: vmhost02.home.foo.sh
 network_interfaces:
   - device: eth0
     vlan: 20
-    mac: 52:54:00:ac:dc:78
+    mac: 52:54:00:ac:dc:14

host_vars/nms02.home.foo.sh.yml

@@ -17,4 +17,4 @@ network_interfaces:
     netmask: 255.255.255.248
     proto: static
 
-vip25_priority: 0
+vip25_priority: 1

host_vars/oci-node01.home.foo.sh.yml

@@ -1,5 +1,7 @@
 ---
 vmhost: vmhost01.home.foo.sh
+datadisks:
+  - {size: 10, type: nvme}
 network_interfaces:
   - device: eth0
     vlan: 20

host_vars/prometheus01.home.foo.sh.yml

@@ -3,4 +3,4 @@ vmhost: vmhost01.home.foo.sh
 network_interfaces:
   - device: eth0
     vlan: 20
-    mac: 52:54:00:ac:dc:13
+    mac: "52:54:00:ac:dc:83"

host_vars/sane02.home.foo.sh.yml

@@ -0,0 +1,8 @@
+---
+vmhost: vmhost02.home.foo.sh
+network_interfaces:
+  - device: eth0
+    vlan: 20
+    mac: "52:54:00:ac:dc:88"
+virt_install_devices:
+  - 001.003

hosts.yml

@@ -3,6 +3,9 @@ adm:
   hosts:
     adm01.home.foo.sh:
     adm02.home.foo.sh:
+audiobooks:
+  hosts:
+    audiobooks02.home.foo.sh:
 backup:
   hosts:
     backup02.home.foo.sh:
@@ -13,25 +16,33 @@ dnagw:
   hosts:
     dna-gw01.home.foo.sh:
     dna-gw02.home.foo.sh:
+forgejo:
+  hosts:
+    forgejo02.home.foo.sh:
+  vars:
+    forgejo_version: "10.0.1"
+frigate:
+  hosts:
+    frigate02.home.foo.sh:
+  vars:
+    frigate_version: "0.15.0"
 fsolgw:
   hosts:
     fsol-gw01.home.foo.sh:
     fsol-gw02.home.foo.sh:
-gitea:
-  hosts:
-    gitea02.home.foo.sh:
-  vars:
-    gitea_version: "1.19.4"
-gitearunner:
-  hosts:
-    gitea-runner02.home.foo.sh:
-  vars:
-    gitea_runner_version: "0.2.3"
 homeassistant:
   hosts:
     homeassistant01.home.foo.sh:
   vars:
-    homeassistant_version: "2023.7"
+    homeassistant_version: "2025.3"
+    homeassistant_integrations:
+      - name: electrolux_status
+        repo: https://github.com/albaintor/homeassistant_electrolux_status.git
+        version: v2.0.9
+      - name: espsomfy_rts
+        repo: https://github.com/rstrouse/ESPSomfy-RTS-HA.git
+        version: v2.4.7
+    nodered_version: 4.0.9
 influxdb:
   hosts:
     influxdb01.home.foo.sh:
@@ -45,12 +56,14 @@ log:
 mail:
   hosts:
     mail02.home.foo.sh:
+  vars:
+    opendkim_selector: 20250101
 minecraft:
   hosts:
     minecraft01.home.foo.sh:
 mirror:
   hosts:
-    mirror01.home.foo.sh:
+    mirror02.home.foo.sh:
 mongodb:
   hosts:
     mongodb01.home.foo.sh:
@@ -64,6 +77,8 @@ nms:
   hosts:
     nms01.home.foo.sh:
     nms02.home.foo.sh:
+  vars:
+    snmp_exporter_version: "0.28.0"
 ns:
   hosts:
     ns01.home.foo.sh:
@@ -74,20 +89,34 @@ ocinode:
     oci-node01.home.foo.sh:
     oci-node02.home.foo.sh:
   vars:
-    grafana_version: "10.0.2"
-    rocketchat_version: "6.2.10"
-    roundcube_version: "1.6.1"
+    grafana_version: "11.4.2"
+    rocketchat_version: "7.4.0"
+    roundcube_version: "1.6.10"
 print:
   hosts:
     print01.home.foo.sh:
+prometheus:
+  hosts:
+    prometheus01.home.foo.sh:
+  vars:
+    mysqld_exporter_version: "0.17.2"
+    nginx_exporter_version: "1.4.1"
 proxy:
   hosts:
     proxy01.home.foo.sh:
     proxy02.home.foo.sh:
+redis:
+  hosts:
+    redis01.home.foo.sh:
 relay:
   hosts:
     relay01.home.foo.sh:
     relay02.home.foo.sh:
+sane:
+  hosts:
+    sane02.home.foo.sh:
+  vars:
+    scanservjs_version: "v3.0.3"
 shell:
   hosts:
     shell01.foo.sh:
@@ -103,23 +132,15 @@ vmhost:
   hosts:
     vmhost01.home.foo.sh:
     vmhost02.home.foo.sh:
-zm:
-  hosts:
-    zm02.home.foo.sh:
 
 sftpbackup:
   children:
-    collab:
     ldap:
+    mongodb:
     sqldb:
 
-vultr:
-  hosts:
-    atl01.vultr.foo.sh:
-
 fedora:
   children:
-    gitearunner:
 openbsd:
   children:
     backup:
@@ -129,27 +150,31 @@ openbsd:
     mqtt:
     ns:
     proxy:
+    redis:
     relay:
 rocky8:
   children:
     collab:
+rocky9:
+  children:
+    adm:
+    audiobooks:
+    forgejo:
+    frigate:
     homeassistant:
+    influxdb:
+    ldap:
     mail:
     minecraft:
+    mirror:
+    mongodb:
     nas:
     nms:
     ocinode:
     print:
+    prometheus:
+    sane:
     shell:
-    zm:
-rocky9:
-  children:
-    adm:
-    gitea:
-    influxdb:
-    ldap:
-    mirror:
-    mongodb:
     sqldb:
     static:
     vmhost:

playbooks/adm.yml

@@ -18,7 +18,7 @@
         name: /export
         src: LABEL=/export
         fstype: xfs
-        opts: noatime,noexec,nosuid,nodev
+        opts: noatime,nosuid,nodev
         passno: "0"
         dump: "0"
         state: mounted
@@ -27,10 +27,15 @@
     - base
     - ansible_host
     - certbot
+    - cups
+    - sshca
+    - ssh_known_hosts
     - role: keytab
-      principals:
+      keytab_principals:
         - "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
     - nfs_client
+    - role: autofs
+      autofs_home: false
     - sssd
     - mkhomedir
     - rpm_build
@@ -42,15 +47,21 @@
         name: "{{ item }}"
         state: installed
       with_items:
+        - emacs-nox           # more editors
         - httpd-tools         # htpasswd
         - knot-utils          # kdig (dns over tls)
         - libvirt-client      # kvm host client
         - make                # generic building
         - mariadb             # mariadb client tools
+        - mosquitto           # mqtt reading
+        - nano                # more editors
+        - nmap                # check for open ports
         - nsd                 # check dns zone files
         - podman              # building containers
         - pylint              # python linting
         - python3-flake8      # python linting
+        - speedtest-cli       # testing network speed
+        - ShellCheck          # shell script linting
         - virt-install        # install kvm guests
         - wget                # still in backbone for downloads
         - whois               # read whois data
@@ -63,6 +74,67 @@
           Host shell??.foo.sh
             CheckHostIP no
         dest: /root/.ssh/config
-        mode: 0600
+        mode: "0600"
+        owner: root
+        group: "{{ ansible_wheel }}"
+
+    - name: Clone dns repo
+      ansible.builtin.git:
+        dest: /export/dns
+        repo: https://adm01.home.foo.sh/dns.git
+        update: true
+        version: master
+      environment:
+        GIT_SSL_CAINFO: "{{ tls_certs }}/ca.crt"
+        GIT_SSL_CERT: "{{ tls_certs }}/{{ inventory_hostname }}.crt"
+        GIT_SSL_KEY: "{{ tls_private }}/{{ inventory_hostname }}.key"
+      when: 'inventory_hostname != "adm01.home.foo.sh"'
+    - name: Link dns repo
+      ansible.builtin.file:
+        dest: /srv/dns
+        src: /export/dns
+        state: link
+        owner: root
+        group: "{{ ansible_wheel }}"
+        follow: false
+    - name: Add cron job to sync dns repo
+      ansible.builtin.cron:
+        name: sync dns repository
+        job: >-
+          GIT_SSL_CAINFO="{{ tls_certs }}/ca.crt"
+          GIT_SSL_CERT="{{ tls_certs }}/{{ inventory_hostname }}.crt"
+          GIT_SSL_KEY="{{ tls_private }}/{{ inventory_hostname }}.key"
+          git -C /srv/dns pull -q
+        minute: "02"
+      when: 'inventory_hostname != "adm01.home.foo.sh"'
+    - name: Links dns repo to web
+      ansible.builtin.file:
+        dest: "/srv/web/{{ inventory_hostname }}/dns.git"
+        src: /srv/dns/.git
+        state: link
+        owner: root
+        group: "{{ ansible_wheel }}"
+
+    - name: Add mqtt-tail script
+      ansible.builtin.copy:
+        dest: /usr/local/bin/mqtt-tail
+        content: |
+          #!/bin/sh
+          set -eu
+          if [ -n "${1:-}" ]; then
+              topic="$1"
+              shift
+          else
+              topic="#"
+          fi
+          if [ $# -ne 0 ]; then
+              echo "Usage: $(basename "$0") [topic]" 1>&2
+              exit 1
+          fi
+          exec mosquitto_sub -h mqtt02.home.foo.sh -v -t "$topic" \
+              --cafile "{{ tls_certs }}/ca.crt" \
+              --cert "{{ tls_certs }}/{{ inventory_hostname }}.crt" \
+              --key "{{ tls_private }}/{{ inventory_hostname }}.key" \
+        mode: "0755"
         owner: root
         group: "{{ ansible_wheel }}"

playbooks/audiobooks.yml

@@ -0,0 +1,25 @@
+---
+- name: Deploy KVM virtual machines
+  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
+  vars:
+    myhosts: audiobooks
+
+- name: Configure instance
+  hosts: audiobooks
+  user: root
+  gather_facts: true
+
+  pre_tasks:
+    - name: Mount /export
+      ansible.posix.mount:
+        name: /export
+        src: LABEL=/export
+        fstype: xfs
+        opts: noatime,nosuid,nodev
+        passno: "0"
+        dump: "0"
+        state: mounted
+
+  roles:
+    - base
+    - audiobookshelf

playbooks/backup.yml

@@ -15,7 +15,7 @@
         name: /export
         src: /dev/sd1a
         fstype: ffs
-        opts: rw,softdep,noatime
+        opts: rw,softdep,noatime,noexec,nosuid,nodev
         passno: "1"
         dump: "2"
         state: mounted
@@ -25,5 +25,10 @@
 
   roles:
     - base
-    - backup_server
-    - sftpbackup
+    - backup_base
+    - backup_bitbucket
+    - backup_github
+    - role: rclone
+      rclone_hostgroup: sftpbackup
+      rclone_service: backup
+    - rsync_backup

playbooks/collab.yml

@@ -28,9 +28,9 @@
     - collab
     - mod_auth_gssapi
     - role: keytab
-      keytab: /etc/httpd/httpd.keytab
-      principals: HTTP/collab.foo.sh@FOO.SH
-      group: apache
+      keytab_path: /etc/httpd/httpd.keytab
+      keytab_principals: HTTP/collab.foo.sh@FOO.SH
+      keytab_group: apache
     - ldap
 
   tasks:
@@ -38,7 +38,7 @@
       ansible.builtin.copy:
         content: "RedirectMatch permanent \"^/$\" /collab/\n"
         dest: "/etc/httpd/conf.local.d/redirects.conf"
-        mode: 0644
+        mode: "0644"
         owner: root
         group: "{{ ansible_wheel }}"
       notify: Restart apache
@@ -61,7 +61,7 @@
         dest: /srv/wikis/collab/htdocs/.htaccess
         owner: collab
         group: collab
-        mode: 0660
+        mode: "0660"
         seuser: _default
         setype: _default
 

playbooks/dna-gw.yml

@@ -14,29 +14,14 @@
 
   roles:
     - base
-    - ifstated
     - dhcpd
-    - nginx/server
-    - role: nginx/site
-      site: gw.home.foo.sh
+    - nginx
+    - role: nginx_site
+      nginx_site_name: gw.home.foo.sh
     - tftp
     - websockify
 
   tasks:
-    - name: Use configured dns servers and domain name
-      ansible.builtin.copy:
-        dest: /etc/dhclient.conf
-        content: "ignore domain-name-servers, domain-name;\n"
-        mode: 0644
-        owner: root
-        group: "{{ ansible_wheel }}"
-
-    - name: Disable resolvd
-      ansible.builtin.service:
-        name: resolvd
-        state: stopped
-        enabled: false
-
     - name: Enable ip forwarding
       ansible.posix.sysctl:
         name: "{{ item }}"
@@ -49,11 +34,49 @@
     - name: Run handlers to get interfaces configured
       ansible.builtin.meta: flush_handlers
 
+    - name: Import ifstated role
+      ansible.builtin.import_role:
+        name: ifstated
+
+    - name: Copy DNS private key
+      ansible.builtin.copy:
+        dest: "{{ tls_private }}/dns.home.foo.sh.key"
+        src: "{{ item }}"
+        mode: "0600"
+        owner: root
+        group: "{{ ansible_wheel }}"
+      with_first_found:
+        - /srv/letsencrypt/live/dns.home.foo.sh/privkey.pem
+        - "/srv/ca/private/{{ inventory_hostname }}.key"
+      tags: certificates
+      notify: Restart unbound
+
+    - name: Copy DNS certificate and ca cert
+      ansible.builtin.copy:
+        dest: "{{ tls_certs }}/dns.home.foo.sh.crt"
+        src: "{{ item }}"
+        mode: "0644"
+        owner: root
+        group: "{{ ansible_wheel }}"
+      with_first_found:
+        - /srv/letsencrypt/live/dns.home.foo.sh/fullchain.pem
+        - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
+      tags: certificates
+      notify: Restart unbound
+
+    - name: Import unbound role
+      ansible.builtin.import_role:
+        name: unbound
+
+    - name: Import unbound_exporter role
+      ansible.builtin.import_role:
+        name: unbound_exporter
+
     - name: Create tftp boot directories
       ansible.builtin.file:
         path: /srv/tftpboot/etc
         state: directory
-        mode: 0755
+        mode: "0755"
         owner: root
         group: "{{ ansible_wheel }}"
 
@@ -64,25 +87,25 @@
           stty com0 115200
           set tty com0
           boot tftp:bsd.rd
-        mode: 0644
+        mode: "0644"
         owner: root
         group: "{{ ansible_wheel }}"
 
     - name: Create tftp pxeboot loader for OpenBSD installs
       ansible.builtin.get_url:
-        url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.3/amd64/pxeboot"
-        checksum: sha1:161b36d4ae3d786aa98c4836abba25f2bca8979d
+        url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.6/amd64/pxeboot"
+        checksum: sha1:c696836c1e6cc67c6c31f6ceb5daaaa4ec0632b7
         dest: /srv/tftpboot/pxeboot
-        mode: 0644
+        mode: "0644"
         owner: root
         group: "{{ ansible_wheel }}"
 
     - name: Create tftp ramdisk for OpenBSD installs
       ansible.builtin.get_url:
-        url: "https://ftp.eu.openbsd.org/pub/OpenBSD//7.3/amd64/bsd.rd"
-        checksum: sha1:72b46ad8e97b2082d145a739264e818dcd154021
+        url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.6/amd64/bsd.rd"
+        checksum: sha1:f690655c768ec9ef208188921ac53634a9233aca
         dest: /srv/tftpboot/bsd.rd
-        mode: 0644
+        mode: "0644"
         owner: root
         group: "{{ ansible_wheel }}"
 
@@ -91,7 +114,7 @@
         url: "https://boot.foo.sh/openbsd/install.conf"
         checksum: sha1:f6270708dad3f759df02eefeab300d9b8670f3d4
         dest: /srv/tftpboot/install.conf
-        mode: 0644
+        mode: "0644"
         owner: root
         group: "{{ ansible_wheel }}"
 
@@ -113,50 +136,7 @@
               }
             }
           }
-        mode: 0644
+        mode: "0644"
         owner: root
         group: "{{ ansible_wheel }}"
       notify: Restart nginx
-
-    - name: Copy DNS private key
-      ansible.builtin.copy:
-        dest: "{{ tls_private }}/dns.home.foo.sh.key"
-        src: "{{ item }}"
-        mode: 0600
-        owner: root
-        group: "{{ ansible_wheel }}"
-      with_first_found:
-        - /srv/letsencrypt/live/dns.home.foo.sh/privkey.pem
-        - "/srv/ca/private/{{ inventory_hostname }}.key"
-      tags: certificates
-      notify: Restart unbound
-
-    - name: Copy DNS certificate and ca cert
-      ansible.builtin.copy:
-        dest: "{{ tls_certs }}/dns.home.foo.sh.crt"
-        src: "{{ item }}"
-        mode: 0644
-        owner: root
-        group: "{{ ansible_wheel }}"
-      with_first_found:
-        - /srv/letsencrypt/live/dns.home.foo.sh/fullchain.pem
-        - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
-      tags: certificates
-      notify: Restart unbound
-
-    - name: Copy DNS zone files
-      ansible.builtin.copy:
-        dest: "/var/unbound/db/{{ item }}"
-        src: "/srv/dns/{{ item }}"
-        mode: 0644
-        owner: root
-        group: "{{ ansible_wheel }}"
-      tags: dns
-      notify: Restart unbound
-      with_items:
-        - 20.172.in-addr.arpa
-        - home.foo.sh
-
-    - name: Import unbound role
-      ansible.builtin.import_role:
-        name: unbound

playbooks/forgejo.yml

@@ -2,10 +2,10 @@
 - name: Deploy KVM virtual machines
   ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
   vars:
-    myhosts: gitea
+    myhosts: forgejo
 
 - name: Configure instance
-  hosts: gitea
+  hosts: forgejo
   user: root
   gather_facts: true
 
@@ -25,4 +25,4 @@
 
   roles:
     - base
-    - gitea
+    - forgejo

playbooks/frigate.yml

@@ -2,10 +2,10 @@
 - name: Deploy KVM virtual machines
   ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
   vars:
-    myhosts: zm
+    myhosts: frigate
 
 - name: Configure instance
-  hosts: zm
+  hosts: frigate
   user: root
   gather_facts: true
 
@@ -13,74 +13,54 @@
     - "{{ ansible_private }}/vars.yml"
 
   pre_tasks:
-    - name: Mount /export
+    - name: Mount datadirectories
       ansible.posix.mount:
-        name: /export
-        src: LABEL=/export
+        name: "/export/frigate/{{ item }}"
+        src: "LABEL={{ item }}"
         fstype: xfs
         opts: noatime,noexec,nosuid,nodev
         passno: "0"
         dump: "0"
         state: mounted
+      with_items:
+        - config
+        - media
 
   roles:
     - base
     - mod_auth_gssapi
     - role: keytab
-      keytab: /etc/httpd/httpd.keytab
-      principals: HTTP/zm.foo.sh@FOO.SH
-      group: apache
+      keytab_path: /etc/httpd/httpd.keytab
+      keytab_principals: HTTP/cctv.foo.sh@FOO.SH
+      keytab_group: apache
 
   tasks:
-    - name: Run handlers to get interfaces configured
-      ansible.builtin.meta: flush_handlers
-
-    # TODO: this should really be fixed
-    - name: Put selinux in permissive state
-      ansible.posix.selinux:
-        policy: targeted
-        state: permissive
-
-    - name: Copy DNS zone files
-      ansible.builtin.copy:
-        dest: "/var/lib/unbound/{{ item }}"
-        src: "/srv/dns/{{ item }}"
-        mode: 0644
-        owner: root
-        group: "{{ ansible_wheel }}"
-      tags: dns
-      notify: Restart unbound
-      with_items:
-        - 26.20.172.in-addr.arpa
-        - cam.foo.sh
-
     - name: Include unbound role
       ansible.builtin.import_role:
         name: unbound
 
-    - name: Include dhcpd and zoneminder roles
+    - name: Run handlers to get interfaces configured
+      ansible.builtin.meta: flush_handlers
+
+    - name: Include dhcpd role
       ansible.builtin.include_role:
-        name: "{{ item }}"
-      with_items:
-        - dhcpd
-        - zoneminder
+        name: dhcpd
 
-    - name: Install extra packages for debugging
-      ansible.builtin.package:
-        name: rtmpdump
-        state: installed
+    - name: Include frigate role
+      ansible.builtin.include_role:
+        name: frigate
 
-    - name: Require authentication for zoneminder
+    - name: Require authentication for frigate
       ansible.builtin.copy:
-        dest: /etc/httpd/conf.local.d/zoneminder-auth.conf
+        dest: /etc/httpd/conf.local.d/frigate-auth.conf
         content: |
-          <Location /zm>
+          <Location /frigate>
             AuthType        GSSAPI
-            GssapiBasicAuth Off
+            GssapiBasicAuth On
             AuthName        "Password Required"
             Require         valid-user
           </Location>
-        mode: 0644
+        mode: "0644"
         owner: root
         group: "{{ ansible_wheel }}"
       notify: Restart apache

playbooks/fsol-gw.yml

@@ -12,13 +12,6 @@
   vars_files:
     - "{{ ansible_private }}/vars.yml"
 
-  pre_tasks:
-    - name: Disable resolvd service
-      ansible.builtin.service:
-        name: resolvd
-        state: stopped
-        enabled: false
-
   tasks:
     - name: Enable IP forwarding
       ansible.posix.sysctl:
@@ -30,16 +23,19 @@
         - net.inet6.ip6.forwarding
     - name: Manually set DNS servers
       ansible.builtin.copy:
-        dest: /etc/dhclient.conf
-        content: "ignore domain-name-servers, domain-name;\n"
-        mode: 0644
+        dest: /etc/dhcpleased.conf
+        content: |
+          interface vio2 {
+            ignore dns
+          }
+        mode: "0644"
         owner: root
         group: "{{ ansible_wheel }}"
     - name: Create pfsync interface
       ansible.builtin.copy:
         dest: /etc/hostname.pfsync0
         content: "up syncdev vio1\n"
-        mode: 0600
+        mode: "0600"
         owner: root
         group: "{{ ansible_wheel }}"
 

playbooks/gitea-runner.yml

@@ -1,14 +0,0 @@
----
-- name: Deploy KVM virtual machines
-  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
-  vars:
-    myhosts: gitearunner
-
-- name: Configure instance
-  hosts: gitearunner
-  user: root
-  gather_facts: true
-
-  roles:
-    - base
-    - gitea_runner

playbooks/homeassistant.yml

@@ -9,6 +9,9 @@
   user: root
   gather_facts: true
 
+  vars_files:
+    - "{{ ansible_private }}/vars.yml"
+
   pre_tasks:
     - name: Mount /export
       ansible.posix.mount:
@@ -24,3 +27,4 @@
     - base
     - ldap
     - homeassistant
+    - nodered

playbooks/include/deploy-kvm-guest.yml

@@ -9,7 +9,7 @@
 
     char: "{{ 'bcdefghijklmnopqrstuvwxyz'|list }}"
     console_log: "/var/log/libvirt/qemu/{{ inventory_hostname }}.console.log"
-    os_disk_image: "/srv/libvirt/ssd/{{ inventory_hostname }}.a.img"
+    os_disk_image: "/srv/libvirt/os/{{ inventory_hostname }}.a.img"
     dsk_opts: bus=virtio,cache=none,device=disk,format=raw,sparse=no
 
     inject: >-
@@ -75,7 +75,7 @@
           echo '{{ root_pubkey }}' > /root/.ssh/authorized_keys
           %end
         dest: "{{ tmpdir.path }}/include.ks"
-        mode: 0600
+        mode: "0600"
         owner: root
         group: "{{ ansible_wheel }}"
       delegate_to: "{{ vmhost }}"
@@ -99,7 +99,11 @@
           {% endif -%}
           {% if virt_install_devices is defined -%}
           {%   for dev in virt_install_devices -%}
+          {%     if dev | regex_search('^/dev/tty') -%}
+          --serial dev,path={{ dev }}
+          {%     else -%}
           --hostdev {{ dev }} \
+          {%     endif -%}
           {%   endfor -%}
           {% else -%}
           --controller usb,model=none \

playbooks/ldap.yml

@@ -19,7 +19,7 @@
         passno: "0"
         dump: "0"
         state: mounted
-      when: ldap_master is defined
+      when: ldap_master
 
   vars_files:
     - "{{ ansible_private }}/vars.yml"
@@ -28,8 +28,8 @@
     - base
     - ldap_server
     - role: kadmin
-      when: ldap_master is defined
+      when: ldap_master
     - role: ldap_netdb
-      when: ldap_master is defined
+      when: ldap_master
     - role: ldap_gravatar
-      when: ldap_master is defined
+      when: ldap_master

playbooks/log.yml

@@ -15,7 +15,7 @@
         name: /export
         src: /dev/sd1a
         fstype: ffs
-        opts: rw,softdep,noatime
+        opts: rw,softdep,noatime,noexec,nosuid,nodev
         passno: "1"
         dump: "2"
         state: mounted

playbooks/mail.yml

@@ -26,18 +26,19 @@
   roles:
     - base
     - role: keytab
-      principals:
+      keytab_principals:
         - "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
         - "smtp/{{ mail_server }}@{{ kerberos_realm }}"
     - nfs_client
     - sssd
     - autofs
     - dovecot
-    - role: nginx/server
-    - role: nginx/site
-      site: "{{ mail_server }}"
-      redirect: https://webmail.foo.sh/
+    - role: nginx
+    - role: nginx_site
+      nginx_site_name: "{{ mail_server }}"
+      nginx_site_redirect: https://webmail.foo.sh/
     - grossd
+    - opendkim
     - spamassassin
     - spamassassin_clamav
     - spamassassin_ixhash

playbooks/manual/check-updates.yml

@@ -0,0 +1,23 @@
+---
+- hosts: all
+  gather_facts: true
+  tasks:
+    - name: Check updates (Linux)
+      ansible.builtin.command:
+        argv:
+          - dnf
+          - -q
+          - check-update
+      register: result
+      changed_when: result.rc == 100
+      failed_when: result.rc not in [0, 100]
+      when: ansible_os_family == "RedHat"
+
+    - name: Check updates (OpenBSD)
+      ansible.builtin.command:
+        argv:
+          - syspatch
+          - -c
+      register: result
+      changed_when: result.stdout != ""
+      when: ansible_os_family == "OpenBSD"

playbooks/minecraft.yml

@@ -15,7 +15,7 @@
         name: /export
         src: LABEL=/export
         fstype: xfs
-        opts: noatime
+        opts: noatime,noexec,nosuid,nodev
         passno: "0"
         dump: "0"
         state: mounted

playbooks/mirror.yml

@@ -26,26 +26,30 @@
   roles:
     - base
     - mirror/base
-    - mirror/thinlinc
-    - role: mirror/reportmirror
-      hostname: mirrors.foo.sh
-      mirrors: [epel, fedora]
-      sitename: foo.sh
-      password: "{{ report_mirror_pass }}"
+    - thinlinc_mirror
+    - role: reportmirror
+      reportmirror_hostname: mirrors.foo.sh
+      reportmirror_mirrors: [epel, fedora]
+      reportmirror_sitename: foo.sh
+      reportmirror_password: "{{ report_mirror_pass }}"
     - role: mirror/sync
-      label: fedora-epel
-      source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\
-       fedora.redhat.com/pub/epel"
-      rsyncoptions:
-        - "--exclude=SRPMS"
+      mirror_label: fedora-epel
+      mirror_source:
+        "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/fedora.redhat.com/pub/epel"
+      mirror_rsyncoptions:
         - "--exclude=debug"
+        - "--exclude=testing"
+        - "--exclude=aarch64"
+        - "--exclude=ppc64le"
+        - "--exclude=s390x"
+        - "--exclude=source"
         - "--delete-excluded"
-      postcmd: python3 /usr/local/bin/report_mirror
+      mirror_postcmd: python3 /usr/local/bin/report_mirror
     - role: mirror/sync
-      label: fedora
-      source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\
-       fedora.redhat.com/pub/fedora/linux/"
-      rsyncoptions:
+      mirror_label: fedora
+      mirror_source:
+        "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/fedora.redhat.com/pub/fedora/linux/"
+      mirror_rsyncoptions:
         - "--exclude=/atomic"
         - "--exclude=/development"
         - "--exclude=/releases/test"
@@ -58,12 +62,11 @@
         - "--exclude=armhfp"
         - "--exclude=debug"
         - "--delete-excluded"
-      postcmd: python3 /usr/local/bin/report_mirror
+      mirror_postcmd: python3 /usr/local/bin/report_mirror
     - role: mirror/sync
-      label: openbsd
-      source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\
-        ftp.openbsd.org/pub/OpenBSD/"
-      rsyncoptions:
+      mirror_label: openbsd
+      mirror_source: "rsync://ftp.nluug.nl/openbsd/"
+      mirror_rsyncoptions:
         - "--include=/?.?/"
         - "--include=/?.?/amd64/"
         - "--include=/?.?/amd64/*"

playbooks/mqtt.yml

@@ -9,10 +9,15 @@
   user: root
   gather_facts: true
 
+  vars_files:
+    - "{{ ansible_private }}/vars.yml"
+
   roles:
     - base
     - mosquitto
+    - ha_mqtt_configd
     - telegraf
-    - nginx/server
-    - role: nginx/site
-      site: iot.foo.sh
+    - nginx
+    - role: nginx_site
+      nginx_site_name: iot.foo.sh
+    - shelly_firmware

playbooks/nas.yml

@@ -18,7 +18,7 @@
         name: /export/home
         src: LABEL=home
         fstype: xfs
-        opts: noatime
+        opts: noatime,nodev
         passno: "0"
         dump: "0"
         state: mounted
@@ -27,7 +27,7 @@
         name: /export/roles
         src: LABEL=roles
         fstype: xfs
-        opts: noatime
+        opts: noatime,nodev
         passno: "0"
         dump: "0"
         state: mounted
@@ -38,20 +38,4 @@
     - sssd
     - nfs_server
     - role: keytab
-      principals: "nfs/{{ inventory_hostname }}@FOO.SH"
-
-  tasks:
-    - name: Copy exports file
-      ansible.builtin.copy:
-        dest: /etc/exports
-        content: |
-          /export/home   172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \
-                         @nfsclients-rw(rw,root_squash,secure) \
-                         @nfsclients-ro(ro,root_squash,secure)
-          /export/roles  172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \
-                         @nfsclients-rw(rw,root_squash,secure) \
-                         @nfsclients-ro(ro,root_squash,secure)
-        mode: 0644
-        owner: root
-        group: "{{ ansible_wheel }}"
-      notify: Restart nfs-server
+      keytab_principals: "nfs/{{ inventory_hostname }}@FOO.SH"

playbooks/nms.yml

@@ -25,12 +25,22 @@
 
   roles:
     - base
-    - nginx/server
-    - role: nginx/site
-      site: oob.foo.sh
+    - cups
+    - nginx
+    - role: nginx_site
+      nginx_site_name: oob.foo.sh
+      nginx_site_plaintext: false
+    - role: keytab
+      keytab_principals:
+        - "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
+    - nfs_client
+    - role: autofs
+      autofs_home: false
     - sssd
     - mkhomedir
-    - tftp
+    - aten_pdu
+    - routeros
+    - snmp_exporter
 
   tasks:
     - name: Enable UDP rsyslog server
@@ -45,23 +55,14 @@
       vars:
         relay_domains: [foo.sh]
 
-    - name: Copy DNS zone files
-      ansible.builtin.copy:
-        dest: "/var/lib/unbound/{{ item }}"
-        src: "/srv/dns/{{ item }}"
-        mode: 0644
-        owner: root
-        group: "{{ ansible_wheel }}"
-      tags: dns
-      notify: Restart unbound
-      with_items:
-        - 25.20.172.in-addr.arpa
-        - oob.foo.sh
-
     - name: Import unbound role
       ansible.builtin.import_role:
         name: unbound
 
+    - name: Import dhcpd role
+      ansible.builtin.import_role:
+        name: dhcpd
+
     # convert this to role for restart support
     - name: Enable NTP server for oob network
       ansible.builtin.lineinfile:
@@ -74,10 +75,18 @@
         name: "{{ item }}"
         state: installed
       with_items:
-        - net-snmp-utils
         - nmap
         - rcs
-        - scanssh
-        - sslscan
         - unzip
         - wget
+
+    - name: Create sw-backup script
+      ansible.builtin.copy:
+        dest: /usr/local/bin/sw-backup
+        content: |
+          #!/bin/sh
+          set -eu
+          ssh "admin@${1}" /export > "/srv/backup/${1}.rsc"
+        mode: "0755"
+        owner: root
+        group: "{{ ansible_wheel }}"

playbooks/ns.yml

@@ -2,7 +2,7 @@
 - name: Deploy KVM virtual machines
   ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
   vars:
-    myhosts: ns:!vultr
+    myhosts: ns:!atl01.vultr.foo.sh
 
 - name: Configure instance
   hosts: ns
@@ -15,9 +15,11 @@
   roles:
     - base
     - nsd
-    - role: nginx/server
-    - role: nginx/site
-      site: "{{ nsd_server }}"
-      redirect: https://www.foo.sh/
+    - role: nginx
+    - role: nginx_site
+      nginx_site_name: "{{ nsd_server }}"
+      nginx_site_redirect: https://www.foo.sh/
     - role: ifstated
       when: "'vultr' not in group_names"
+    - role: blackbox_exporter
+      when: "inventory_hostname == 'atl01.vultr.foo.sh'"

playbooks/oci-node.yml

@@ -12,9 +12,25 @@
   vars_files:
     - "{{ ansible_private }}/vars.yml"
 
+  pre_tasks:
+    - name: Mount /export
+      ansible.posix.mount:
+        name: /export
+        src: LABEL=/export
+        fstype: xfs
+        opts: noatime,noexec,nosuid,nodev
+        passno: "0"
+        dump: "0"
+        state: mounted
+      when: ansible_fqdn == 'oci-node01.home.foo.sh'
+
   roles:
     - base
     - authcheck
     - grafana
+    - ipsilon
     - kdc
     - roundcube
+    - role: php4dvd
+      when: ansible_fqdn == 'oci-node01.home.foo.sh'
+    - rocketchat

playbooks/print.yml

@@ -14,10 +14,17 @@
 
   roles:
     - base
+    - role: keytab
+      keytab_principals:
+        - "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
     - sssd
     - mkhomedir
 
   tasks:
+    - name: Install unbound role
+      ansible.builtin.import_role:
+        name: unbound
+
     - name: Run handlers to get interfaces configured
       ansible.builtin.meta: flush_handlers
 
@@ -25,30 +32,20 @@
       ansible.builtin.import_role:
         name: dhcpd
 
-    - name: Copy DNS zone files
-      ansible.builtin.copy:
-        dest: "/var/lib/unbound/{{ item }}"
-        src: "/srv/dns/{{ item }}"
-        mode: 0644
-        owner: root
-        group: "{{ ansible_wheel }}"
-      tags: dns
-      notify: restart unbound
-      with_items:
-        - 24.20.172.in-addr.arpa
-        - print.foo.sh
-
-    - name: Install unbound role
-      ansible.builtin.import_role:
-        name: unbound
-
     - name: Install cups_server role
       ansible.builtin.import_role:
         name: cups_server
 
     - name: Install keytab for CUPS
-      ansible.builtin.import_role:
+      ansible.builtin.include_role:
         name: keytab
       vars:
-        keytab: /etc/cups/cups.keytab
-        principals: "HTTP/print.foo.sh@{{ kerberos_realm }}"
+        keytab_path: /etc/cups/cups.keytab
+        keytab_principals: "HTTP/print.foo.sh@{{ kerberos_realm }}"
+
+    - name: Enable postfix mail relay
+      ansible.builtin.import_role:
+        name: postfix
+        tasks_from: relay
+      vars:
+        relay_domains: [foo.sh]

playbooks/prometheus.yml

@@ -0,0 +1,30 @@
+---
+- name: Deploy KVM virtual machines
+  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
+  vars:
+    myhosts: prometheus
+
+- name: Configure instance
+  hosts: prometheus
+  user: root
+  gather_facts: true
+
+  vars_files:
+    - "{{ ansible_private }}/vars.yml"
+
+  pre_tasks:
+    - name: Mount /export
+      ansible.posix.mount:
+        name: /export
+        src: LABEL=/export
+        fstype: xfs
+        opts: noatime,noexec,nosuid,nodev
+        passno: "0"
+        dump: "0"
+        state: mounted
+
+  roles:
+    - base
+    - prometheus
+    - mysqld_exporter
+    - nginx_exporter

playbooks/proxy.yml

@@ -15,90 +15,116 @@
   roles:
     - base
     - ifstated
-    - nginx/server
-    - role: nginx/site
-      site: ca.foo.sh
-    - role: nginx/site
-      site: foo.monster
-    - role: nginx/site
-      site: tuiradc.fi
-      redirect: https://facebook.com/TuiraDC
-    - role: nginx/site
-      site: www.tuiradc.fi
-      redirect: https://facebook.com/TuiraDC
-    - role: nginx/site
-      site: foo.sh
-      redirect: https://www.foo.sh/
-    - role: nginx/site
-      site: autoconfig.foo.sh
-    - role: nginx/site
-      site: boot.foo.sh
-      ssl_config: old
-    - role: nginx/site
-      site: bitbucket.foo.sh
-      redirect: https://bitbucket.org/tmakinen/
-    - role: nginx/site
-      site: certbot.home.foo.sh
-      proxy: https://certbot.home.foo.sh/
-    - role: nginx/site
-      site: chat.foo.sh
-      proxy:
-        - https://oci-node01.home.foo.sh/rocketchat/
-        - https://oci-node02.home.foo.sh/rocketchat/
-    - role: nginx/site
-      site: collab.foo.sh
-      proxy: https://collab01.home.foo.sh/
-    - role: nginx/site
-      site: devel01.foo.sh
-      proxy: https://devel01.home.foo.sh/
-    - role: nginx/site
-      site: dns.home.foo.sh
-      redirect: https://www.foo.sh/
-    - role: nginx/site
-      site: git.foo.sh
-      proxy: https://gitea02.home.foo.sh/
-    - role: nginx/site
-      site: gitea.foo.sh
-      redirect: https://git.foo.sh/
-    - role: nginx/site
-      site: ha.foo.sh
-      proxy: https://homeassistant01.home.foo.sh/
-    - role: nginx/site
-      site: id.foo.sh
-      proxy:
+    - nginx
+    - nginx_logsync
+    - role: nginx_site
+      nginx_site_name: ca.foo.sh
+    - role: nginx_site
+      nginx_site_name: foo.monster
+    - role: nginx_site
+      nginx_site_name: tuiradc.fi
+      nginx_site_redirect: https://facebook.com/TuiraDC
+    - role: nginx_site
+      nginx_site_name: www.tuiradc.fi
+      nginx_site_redirect: https://facebook.com/TuiraDC
+    - role: nginx_site
+      nginx_site_name: foo.sh
+      nginx_site_redirect: https://www.foo.sh/
+    - role: nginx_site
+      nginx_site_name: apps.foo.sh
+      nginx_site_load_balance_method: ip_hash
+      nginx_site_proxy:
         - https://oci-node01.home.foo.sh
         - https://oci-node02.home.foo.sh
-    - role: nginx/site
-      site: influxdb.foo.sh
-      proxy: https://influxdb01.home.foo.sh/
-    - role: nginx/site
-      site: iot.foo.sh
-      redirect: https://www.foo.sh/
-    - role: nginx/site
-      site: munin.foo.sh
-      proxy: https://munin01.home.foo.sh/
-    - role: nginx/site
-      site: mirrors.foo.sh
-      proxy: https://mirror01.home.foo.sh/
-    - role: nginx/site
-      site: noc.foo.sh
-      proxy:
+    - role: nginx_site
+      nginx_site_name: audiobooks.foo.sh
+      nginx_site_proxy: https://audiobooks02.home.foo.sh/
+    - role: nginx_site
+      nginx_site_name: autoconfig.foo.sh
+    - role: nginx_site
+      nginx_site_name: boot.foo.sh
+    - role: nginx_site
+      nginx_site_name: bitbucket.foo.sh
+      nginx_site_redirect: https://bitbucket.org/tmakinen/
+    - role: nginx_site
+      nginx_site_name: cctv.foo.sh
+      nginx_site_proxy: https://frigate02.home.foo.sh/frigate/
+    - role: nginx_site
+      nginx_site_name: certbot.home.foo.sh
+      nginx_site_proxy: https://certbot.home.foo.sh/
+    - role: nginx_site
+      nginx_site_name: chat.foo.sh
+      nginx_site_proxy:
+        - https://oci-node01.home.foo.sh/rocketchat/
+        - https://oci-node02.home.foo.sh/rocketchat/
+    - role: nginx_site
+      nginx_site_name: collab.foo.sh
+      nginx_site_proxy: https://collab01.home.foo.sh/
+    - role: nginx_site
+      nginx_site_name: devel01.foo.sh
+      nginx_site_proxy: https://devel01.home.foo.sh/
+    - role: nginx_site
+      nginx_site_name: dns.home.foo.sh
+      nginx_site_redirect: https://www.foo.sh/
+    - role: nginx_site
+      nginx_site_name: forgejo.foo.sh
+      nginx_site_redirect: https://git.foo.sh/
+    - role: nginx_site
+      nginx_site_name: git.foo.sh
+      nginx_site_proxy: https://forgejo02.home.foo.sh/
+    - role: nginx_site
+      nginx_site_name: gitea.foo.sh
+      nginx_site_redirect: https://git.foo.sh/
+    - role: nginx_site
+      nginx_site_name: ha.foo.sh
+      nginx_site_proxy: https://homeassistant01.home.foo.sh/
+    - role: nginx_site
+      nginx_site_name: id.foo.sh
+      nginx_site_proxy:
+        - https://oci-node01.home.foo.sh
+        - https://oci-node02.home.foo.sh
+    - role: nginx_site
+      nginx_site_name: idp.foo.sh
+      nginx_site_proxy: https://oci-node01.home.foo.sh/ipsilon/
+    - role: nginx_site
+      nginx_site_name: influxdb.foo.sh
+      nginx_site_proxy: https://influxdb01.home.foo.sh/
+    - role: nginx_site
+      nginx_site_name: iot.foo.sh
+      nginx_site_redirect: https://www.foo.sh/
+    - role: nginx_site
+      nginx_site_name: mirrors.foo.sh
+      nginx_site_proxy: https://mirror02.home.foo.sh/
+    - role: nginx_site
+      nginx_site_name: movies.foo.sh
+      nginx_site_proxy:
+        - https://oci-node01.home.foo.sh/php4dvd/
+    - role: nginx_site
+      nginx_site_name: mta-sts.foo.sh
+    - role: nginx_site
+      nginx_site_name: noc.foo.sh
+      nginx_site_proxy:
         - https://oci-node01.home.foo.sh/grafana/
         - https://oci-node02.home.foo.sh/grafana/
-    - role: nginx/site
-      site: print.foo.sh
-      proxy: https://print01.home.foo.sh:631/
-    - role: nginx/site
-      site: registry.foo.sh
-      proxy: ["registry01.home.foo.sh:5000", "registry02.home.foo.sh:5000"]
-    - role: nginx/site
-      site: webmail.foo.sh
-      proxy:
+    - role: nginx_site
+      nginx_site_name: print.foo.sh
+      nginx_site_proxy: https://print01.home.foo.sh:631/
+    - role: nginx_site
+      nginx_site_name: registry.foo.sh
+      nginx_site_proxy:
+        - "registry01.home.foo.sh:5000"
+        - "registry02.home.foo.sh:5000"
+    - role: nginx_site
+      nginx_site_name: scan.foo.sh
+      nginx_site_proxy:
+        - https://sane02.home.foo.sh/scanservjs/
+    - role: nginx_site
+      nginx_site_name: webmail.foo.sh
+      nginx_site_load_balance_method: ip_hash
+      nginx_site_proxy:
         - https://oci-node01.home.foo.sh/roundcube/
-    - role: nginx/site
-      site: wpad.foo.sh
-    - role: nginx/site
-      site: www.foo.sh
-    - role: nginx/site
-      site: zm.foo.sh
-      proxy: https://zm02.home.foo.sh/
+        - https://oci-node02.home.foo.sh/roundcube/
+    - role: nginx_site
+      nginx_site_name: wpad.foo.sh
+    - role: nginx_site
+      nginx_site_name: www.foo.sh

playbooks/relay.yml

@@ -16,13 +16,13 @@
     - base
     - ifstated
     - relayd
-    - nginx/server
-    - role: nginx/site
-      site: ldap.foo.sh
-      redirect: https://www.foo.sh/
-    - role: nginx/site
-      site: ldap01.foo.sh
-      redirect: https://www.foo.sh/
-    - role: nginx/site
-      site: loghost.foo.sh
-      redirect: https://www.foo.sh/
+    - nginx
+    - role: nginx_site
+      nginx_site_name: ldap.foo.sh
+      nginx_site_redirect: https://www.foo.sh/
+    - role: nginx_site
+      nginx_site_name: ldap01.foo.sh
+      nginx_site_redirect: https://www.foo.sh/
+    - role: nginx_site
+      nginx_site_name: loghost.foo.sh
+      nginx_site_redirect: https://www.foo.sh/

playbooks/sane.yml

@@ -0,0 +1,39 @@
+---
+- name: Deploy KVM virtual machines
+  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
+  vars:
+    myhosts: sane
+
+- name: Configure instance
+  hosts: sane
+  user: root
+  gather_facts: true
+
+  vars_files:
+    - "{{ ansible_private }}/vars.yml"
+
+  roles:
+    - base
+    - sane
+    - scanservjs
+    - mod_auth_gssapi
+    - role: keytab
+      keytab_path: /etc/httpd/httpd.keytab
+      keytab_principals: HTTP/scan.foo.sh@FOO.SH
+      keytab_group: apache
+
+  tasks:
+    - name: Require authentication for scanservjs
+      ansible.builtin.copy:
+        dest: /etc/httpd/conf.local.d/scanservjs-auth.conf
+        content: |
+          <Location /scanservjs>
+            AuthType        GSSAPI
+            GssapiBasicAuth On
+            AuthName        "Password Required"
+            Require         valid-user
+          </Location>
+        mode: "0644"
+        owner: root
+        group: "{{ ansible_wheel }}"
+      notify: Restart apache

playbooks/shell.yml

@@ -15,7 +15,7 @@
   roles:
     - base
     - role: keytab
-      principals:
+      keytab_principals:
         - "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
         - "nfs/{{ inventory_hostname }}@{{ kerberos_realm }}"
     - nfs_client
@@ -24,9 +24,8 @@
     - thinlinc_server
     - epel_repo
     - foosh_repo
-    - powertools_repo
-    - role: nginx/server
-      plaintext: true
+    - role: nginx
+      nginx_plaintext: true
 
   tasks:
     - name: Install extra package groups
@@ -63,6 +62,7 @@
         - pandoc
         - php-cli
         - python3-netaddr
+        - python3-requests
         - rcs
         - rpmlint
         - syslinux
@@ -71,7 +71,6 @@
         - tmux
         - whois
         - wireshark
-        - wkhtmltopdf
         - yamllint
         - zsh
       loop_control:
@@ -98,6 +97,6 @@
         content: |
           Host *.home.foo.sh !gw.home.foo.sh
             ProxyJump root@gw.home.foo.sh
-        mode: 0644
+        mode: "0644"
         owner: root
         group: "{{ ansible_wheel }}"

playbooks/static.yml

@@ -15,7 +15,7 @@
   roles:
     - base
     - role: keytab
-      principals:
+      keytab_principals:
         - "host/{{ inventory_hostname }}@FOO.SH"
         - "nfs/{{ inventory_hostname }}@FOO.SH"
     - nfs_client
@@ -48,7 +48,7 @@
             AllowOverride AuthConfig FileInfo Indexes Limit
             Require all granted
           </Directory>
-        mode: 0644
+        mode: "0644"
         owner: root
         group: "{{ ansible_wheel }}"
       notify: Restart apache

playbooks/vmhost.yml

@@ -17,6 +17,7 @@
         passno: "0"
         dump: "0"
         state: mounted
+      when: inventory_hostname == "vmhost02.home.foo.sh"
     - name: Mount /export/libvirt/nvme
       ansible.posix.mount:
         name: /export/libvirt/nvme
@@ -26,10 +27,10 @@
         passno: "0"
         dump: "0"
         state: mounted
-    - name: Mount /export/libvirt/ssd
+    - name: Mount /export/libvirt/os
       ansible.posix.mount:
-        name: /export/libvirt/ssd
-        src: LABEL=ssd
+        name: /export/libvirt/os
+        src: LABEL=os
         fstype: xfs
         opts: noatime,noexec,nosuid,nodev
         passno: "0"
@@ -39,3 +40,4 @@
   roles:
     - base
     - kvm_host
+    - ssh_known_hosts

roles/ansible_host/files/urls.py.patch

@@ -0,0 +1,86 @@
+--- ./urls.py.orig	2024-03-27 18:55:18.077213253 +0000
++++ urls.py	2024-03-27 18:21:07.613270952 +0000
+@@ -535,15 +535,18 @@
+ UnixHTTPSConnection = None
+ if hasattr(httplib, 'HTTPSConnection') and hasattr(urllib_request, 'HTTPSHandler'):
+     class CustomHTTPSConnection(httplib.HTTPSConnection):  # type: ignore[no-redef]
+-        def __init__(self, *args, **kwargs):
++        def __init__(self, client_cert=None, client_key=None, *args, **kwargs):
+             httplib.HTTPSConnection.__init__(self, *args, **kwargs)
+             self.context = None
+             if HAS_SSLCONTEXT:
+                 self.context = self._context
+             elif HAS_URLLIB3_PYOPENSSLCONTEXT:
+                 self.context = self._context = PyOpenSSLContext(PROTOCOL)
+-            if self.context and self.cert_file:
+-                self.context.load_cert_chain(self.cert_file, self.key_file)
++
++            self._client_cert = client_cert
++            self._client_key = client_key
++            if self.context and self._client_cert:
++                self.context.load_cert_chain(self._client_cert, self._client_key)
+ 
+         def connect(self):
+             "Connect to a host on a given (SSL) port."
+@@ -564,10 +567,10 @@
+             if HAS_SSLCONTEXT or HAS_URLLIB3_PYOPENSSLCONTEXT:
+                 self.sock = self.context.wrap_socket(sock, server_hostname=server_hostname)
+             elif HAS_URLLIB3_SSL_WRAP_SOCKET:
+-                self.sock = ssl_wrap_socket(sock, keyfile=self.key_file, cert_reqs=ssl.CERT_NONE,  # pylint: disable=used-before-assignment
+-                                            certfile=self.cert_file, ssl_version=PROTOCOL, server_hostname=server_hostname)
++                self.sock = ssl_wrap_socket(sock, keyfile=self._client_key, cert_reqs=ssl.CERT_NONE,  # pylint: disable=used-before-assignment
++                                            certfile=self._client_cert, ssl_version=PROTOCOL, server_hostname=server_hostname)
+             else:
+-                self.sock = ssl.wrap_socket(sock, keyfile=self.key_file, certfile=self.cert_file, ssl_version=PROTOCOL)
++                self.sock = ssl.wrap_socket(sock, keyfile=self._client_key, certfile=self._client_cert, ssl_version=PROTOCOL)
+ 
+     class CustomHTTPSHandler(urllib_request.HTTPSHandler):  # type: ignore[no-redef]
+ 
+@@ -602,10 +605,6 @@
+             return self.do_open(self._build_https_connection, req)
+ 
+         def _build_https_connection(self, host, **kwargs):
+-            kwargs.update({
+-                'cert_file': self.client_cert,
+-                'key_file': self.client_key,
+-            })
+             try:
+                 kwargs['context'] = self._context
+             except AttributeError:
+@@ -613,7 +612,7 @@
+             if self._unix_socket:
+                 return UnixHTTPSConnection(self._unix_socket)(host, **kwargs)
+             if not HAS_SSLCONTEXT:
+-                return CustomHTTPSConnection(host, **kwargs)
++                return CustomHTTPSConnection(host, client_cert=self.client_cert, client_key=self.client_key, **kwargs)
+             return httplib.HTTPSConnection(host, **kwargs)
+ 
+     @contextmanager
+@@ -979,7 +978,7 @@
+             pass
+ 
+ 
+-def make_context(cafile=None, cadata=None, ciphers=None, validate_certs=True):
++def make_context(cafile=None, cadata=None, ciphers=None, validate_certs=True, client_cert=None, client_key=None):
+     if ciphers is None:
+         ciphers = []
+ 
+@@ -1006,6 +1005,9 @@
+     if ciphers:
+         context.set_ciphers(':'.join(map(to_native, ciphers)))
+ 
++    if client_cert:
++        context.load_cert_chain(client_cert, keyfile=client_key)
++
+     return context
+ 
+ 
+@@ -1514,6 +1516,8 @@
+                 cadata=cadata,
+                 ciphers=ciphers,
+                 validate_certs=validate_certs,
++                client_cert=client_cert,
++                client_key=client_key,
+             )
+             handlers.append(HTTPSClientAuthHandler(client_cert=client_cert,
+                                                    client_key=client_key,

roles/ansible_host/meta/main.yml

@@ -2,4 +2,4 @@
 dependencies:
   - {role: epel_repo}
   - {role: git}
-  - {role: nginx/server}
+  - {role: nginx}

roles/ansible_host/tasks/main.yml

@@ -7,35 +7,22 @@
     - ansible
     - ansible-collection-ansible-posix
     - ansible-collection-community-general
-    - python3.11-dns        # required for lookup('dig', 'hostname')
-    - python3-netaddr       # required by iptables role
+    - patch                # needed in next step
+    - python3.9-dns        # required for lookup('dig', 'hostname')
+    - python3.9-ldap       # required for ldap modules
+    - python3.9-netaddr    # required by iptables role
 
-- name: Create python3.11 lib directories
-  ansible.builtin.file:
-    path: "{{ item }}"
-    state: directory
-    mode: 0755
-    owner: root
-    group: "{{ ansible_wheel }}"
-  with_items:
-    - /usr/local/lib/python3.11
-    - /usr/local/lib/python3.11/site-packages
-
-- name: Kludge to add netaddr to python3.11 until package is released
-  ansible.builtin.copy:
-    dest: /usr/local/lib/python3.11/site-packages/netaddr
-    src: /usr/lib/python3.9/site-packages/netaddr
-    mode: preserve
-    owner: root
-    group: "{{ ansible_wheel }}"
-    remote_src: true
+- name: Patch ansible to support python 3.12 clients
+  ansible.posix.patch:
+    src: urls.py.patch
+    dest: /usr/lib/python3.9/site-packages/ansible/module_utils/urls.py
 
 - name: Create private directory and force permissions
   ansible.builtin.file:
     path: /export/private
     owner: root
     group: root
-    mode: 0700
+    mode: "0700"
     state: directory
 
 - name: Link private directory
@@ -55,7 +42,7 @@
 - name: Clone ansible repository
   ansible.builtin.git:
     dest: /srv/ansible
-    repo: https://git.foo.sh/ansible.git
+    repo: https://git.foo.sh/foo.sh/ansible.git
     update: false
     version: master
 
@@ -72,7 +59,7 @@
   ansible.builtin.copy:
     src: nginx.conf
     dest: /etc/nginx/conf.d/{{ inventory_hostname }}/ansible.conf
-    mode: 0644
+    mode: "0644"
     owner: root
     group: "{{ ansible_wheel }}"
   notify: Restart nginx
@@ -83,4 +70,4 @@
     src: root-bashrc.sh
     owner: root
     group: "{{ ansible_wheel }}"
-    mode: 0600
+    mode: "0600"

roles/apache/tasks/main.yml

@@ -40,7 +40,7 @@
   ansible.builtin.file:
     state: directory
     path: "{{ item }}"
-    mode: 0755
+    mode: "0755"
     owner: root
     group: "{{ ansible_wheel }}"
     seuser: _default
@@ -54,7 +54,7 @@
   ansible.builtin.template:
     src: ssl.conf.j2
     dest: /etc/httpd/conf.local.d/ssl.conf
-    mode: 0644
+    mode: "0644"
     owner: root
     group: "{{ ansible_wheel }}"
   notify: Restart apache
@@ -63,7 +63,7 @@
   ansible.builtin.template:
     src: site.conf.j2
     dest: "/etc/httpd/conf.local.d/{{ inventory_hostname }}.conf"
-    mode: 0644
+    mode: "0644"
     owner: root
     group: "{{ ansible_wheel }}"
   notify: Restart apache

roles/aten_pdu/files/aten-mqtt-publish.sh

@@ -0,0 +1,93 @@
+#!/bin/sh
+
+set -eu
+umask 077
+
+community="public"
+
+if [ "${1:-}" = "-n" ]; then
+    _noop=true
+else
+    _noop=false
+fi
+
+mqtt_send() {
+    topic="$1"
+    value="$2"
+
+    tlsdir="$(openssl version -d | sed -e 's/^OPENSSLDIR: "\(.\+\)"$/\1/')"
+    mosquitto_pub -h mqtt02.home.foo.sh -t "$topic" -m "$value" \
+        --cafile "${tlsdir}/certs/ca.crt" \
+        --key "${tlsdir}/private/$(hostname -f).key" \
+        --cert "${tlsdir}/certs/$(hostname -f).crt"
+}
+
+snmp_get() {
+    host="$1"
+    key="$2"
+    snmpget -v 1 -c "$community" "$host" -Oqv -m ATEN-PE-CFG "$key" | tr -d '"'
+}
+
+# only run script if first vrrp interface is in master state
+for state in /run/keepalived/*.state ; do
+    if [ "$(cat "$state")" != "MASTER" ]; then
+        exit 0
+    fi
+    break
+done
+
+ldapsearch -Q -LLL "(&(objectClass=device)(description=Aten PE*))" cn l | awk '
+    {
+        if ($1 == "cn:") {
+            cn = $2
+        }
+        if ($1 == "l:") {
+            l = substr($0, 3)
+        }
+        if ($0 == "" && cn != "" && l != "") {
+            print cn l
+            cn = ""
+            l = ""
+        }
+    }
+    ' | while read -r name location
+do
+    snmpwalk -v 1 -c "$community" "$name" -Oq \
+        -m ATEN-PE-CFG ATEN-PE-CFG::outletName | while read -r port device
+    do
+        port="$(echo "$port" | cut -d '.' -f 2)"
+        device="$(echo "$device" | tr -d '"')"
+        case "$device" in
+            "N/A"|"00 "|"unused")
+                continue
+                ;;
+        esac
+        if device_name="$(ldapsearch -Q -LLL \
+            "(&(objectClass=device)(cn=${device}.*))" cn | awk "
+            {
+                if (\$1 == \"cn:\") {
+                    if (name) {
+                        exit 1
+                    }
+                    name=\$2
+                }
+            } END {
+                if (!name) {
+                    exit 1
+                }
+                print name
+            }
+        ")" ; then
+            device="$device_name"
+        fi
+        for key in Current Power Voltage ; do
+            topic="home/${location}/${device}/$(echo "$key" | tr '[:upper:]' '[:lower:]')"
+	    value="$(snmp_get "$name" "ATEN-PE-CFG::outlet${key}.${port}")"
+            if $_noop ; then
+                echo "${topic} -> ${value}"
+            else
+                mqtt_send "$topic" "$value"
+            fi
+        done
+    done
+done

roles/aten_pdu/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - {role: ldap}

roles/aten_pdu/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+- name: Install packages
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: installed
+  with_items:
+    - mosquitto
+    - net-snmp-utils
+
+# https://www.aten.com/eu/en/products/power-distribution-&-racks/rack-pdu/pe8108/
+- name: Install custom mib
+  ansible.builtin.copy:
+    dest: /usr/share/snmp/mibs/ATEN-PE-CFG.txt
+    src: ATEN-PE-CFG_str_1.3.128.mib
+    mode: "0644"
+    owner: root
+    group: "{{ ansible_wheel }}"
+
+- name: Install mqtt publish script
+  ansible.builtin.copy:
+    dest: /usr/local/bin/aten-mqtt-publish
+    src: aten-mqtt-publish.sh
+    mode: "0755"
+    owner: root
+    group: "{{ ansible_wheel }}"
+
+- name: Add mqtt publish cron job
+  ansible.builtin.cron:
+    name: aten-mqtt-publish
+    job: /usr/local/bin/aten-mqtt-publish
+    minute: "*/5"

roles/audiobookshelf/files/audiobookshelf.default

@@ -0,0 +1,4 @@
+METADATA_PATH=/srv/audiobookshelf/metadata
+CONFIG_PATH=/srv/audiobookshelf/config
+PORT=13378
+HOST=127.0.0.1

roles/audiobookshelf/files/meta.md

@@ -0,0 +1,30 @@
+= Preparing files for upload =
+
+== Filenames ==
+
+Filenames should always contain track number (and optionally disc number) with leading zeros first and subtitle after that. Few exmaples:
+
+```
+01. Luku.mp3
+01. Osa.mp3
+CD 1 - 01.mp3
+```
+
+Directory should also contain `cover.jpg` with book cover picture and `desc.txt` containing book description.
+
+== Metadata (id3 tags) ==
+
+First clear old tags then set new ones:
+
+```
+id3v2 -D "01. Osa.mp3"
+id3v2 \
+    --TPE1 "Douglas Adams" \
+    --TALB "$(echo 'Linnunradan käsikirja liftareille' | iconv -f utf-8 -t iso-8859-1)" \
+    --TCOM "$(echo 'Heikki Kinnunen,Pekka Autiovuori,Yrjö Järvinen,Martti Järvinen,Esa Saario,Kauko Helavirta,Aila Svedberg' | iconv -f utf-8 -t iso-8859-1)" \
+    --TLAN "fi" \
+    --TPUB "Yleisradio" \
+    --TYER 1984 \
+    --genre "Science Fiction/Fiction/Humor" \
+    "01. Osa.mp3"
+```

roles/audiobookshelf/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart audiobookshelf
+  ansible.builtin.service:
+    name: audiobookshelf
+    state: restarted

roles/audiobookshelf/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - {role: nginx}

roles/audiobookshelf/tasks/main.yml

@@ -0,0 +1,90 @@
+---
+- name: Enable repository
+  ansible.builtin.yum_repository:
+    name: audiobookshelf
+    baseurl: https://raw.githubusercontent.com/lkiesow/audiobookshelf-rpm/el$releasever/
+    description: Audiobookshelf el$releasever repository
+    gpgcheck: true
+    gpgkey: https://raw.githubusercontent.com/lkiesow/audiobookshelf-rpm/main/audiobookshelf-rpm.key
+    enabled: true
+
+- name: Install packcages
+  ansible.builtin.package:
+    name: audiobookshelf
+    state: present
+
+- name: Create data directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0770"
+    owner: root
+    group: audiobookshelf
+  with_items:
+    - /export/audiobookshelf
+    - /export/audiobookshelf/audiobooks
+    - /export/audiobookshelf/config
+    - /export/audiobookshelf/metadata
+    - /export/audiobookshelf/podcasts
+    - /export/audiobookshelf/radioplays
+
+- name: Link data directory
+  ansible.builtin.file:
+    dest: /srv/audiobookshelf
+    src: /export/audiobookshelf
+    state: link
+    owner: root
+    group: "{{ ansible_wheel }}"
+    follow: false
+
+- name: Copy naming instructions
+  ansible.builtin.copy:
+    dest: /srv/audiobookshelf/audiobooks/README.md
+    src: meta.md
+    mode: "0644"
+    owner: root
+    group: "{{ ansible_wheel }}"
+
+- name: Copy service config
+  ansible.builtin.copy:
+    dest: /etc/default/audiobookshelf
+    src: audiobookshelf.default
+    mode: "0644"
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: Restart audiobookshelf
+
+- name: Enable service
+  ansible.builtin.service:
+    name: audiobookshelf
+    state: started
+    enabled: true
+
+- name: Allow nginx to connect audiobookshelf
+  ansible.posix.seboolean:
+    name: httpd_can_network_connect
+    state: true
+    persistent: true
+
+- name: Copy nginx config
+  ansible.builtin.copy:
+    dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/audiobookshelf.conf"
+    content: |
+      location / {
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Host audiobooks.foo.sh;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+        proxy_pass http://127.0.0.1:13378/;
+        location /audiobookshelf/api/upload {
+          # increase size to allow uploads
+          client_max_body_size 10g;
+          proxy_pass http://127.0.0.1:13378/api/upload;
+        }
+      }
+    mode: "0644"
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: Restart nginx

roles/authcheck/tasks/main.yml

@@ -10,11 +10,19 @@
     group: authcheck
     shell: /sbin/nologin
 
+- name: Enable user lingering
+  ansible.builtin.command:
+    argv:
+      - loginctl
+      - enable-linger
+      - authcheck
+    creates: /var/lib/systemd/linger/authcheck
+
 - name: Get container source
   ansible.builtin.git:
     dest: /usr/local/src/docker-authcheck
     repo: https://github.com/foo-sh/docker-authcheck.git
-    update: false
+    update: true
     version: main
   notify: Rebuild authcheck-container
 
@@ -22,7 +30,7 @@
   ansible.builtin.template:
     dest: /etc/systemd/system/authcheck-container.service
     src: authcheck-container.service.j2
-    mode: 0644
+    mode: "0644"
     owner: root
     group: "{{ ansible_wheel }}"
 
@@ -39,7 +47,7 @@
       location /authcheck {
         proxy_pass http://127.0.0.1:8003/;
       }
-    mode: 0644
+    mode: "0644"
     owner: root
     group: "{{ ansible_wheel }}"
   notify: Restart nginx

roles/autofs/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+autofs_home: true
+autofs_roles: true

roles/autofs/tasks/main.yml

@@ -34,7 +34,7 @@
   ansible.builtin.template:
     dest: /etc/autofs_ldap_auth.conf
     src: autofs_ldap_auth.conf.j2
-    mode: 0600
+    mode: "0600"
     owner: root
     group: "{{ ansible_wheel }}"
   notify: Restart autofs
@@ -43,7 +43,7 @@
   ansible.builtin.template:
     dest: /etc/auto.master
     src: auto.master.j2
-    mode: 0644
+    mode: "0644"
     owner: root
     group: "{{ ansible_wheel }}"
   notify: Restart autofs
@@ -74,7 +74,7 @@
   ansible.builtin.copy:
     dest: "/etc/profile.d/{{ item }}"
     src: "{{ item }}"
-    mode: 0644
+    mode: "0644"
     owner: root
     group: "{{ ansible_wheel }}"
   with_items: