From b11e3e57e08af9a24c1b4e90be0b79a2e3ad86b5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 20 Jul 2023 17:42:41 +0000 Subject: [PATCH 001/596] Try another syntax --- .gitea/workflows/test.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.gitea/workflows/test.yml b/.gitea/workflows/test.yml index 275f027..003e047 100644 --- a/.gitea/workflows/test.yml +++ b/.gitea/workflows/test.yml @@ -1,8 +1,7 @@ --- name: tests # yamllint disable-line rule:truthy -on: - - push +on: [push] jobs: lint: From 330360d977ce0ea72bfd2d63e29ca953ed6233ee Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 20 Jul 2023 17:44:11 +0000 Subject: [PATCH 002/596] Try renaming file --- .gitea/workflows/{test.yml => demo.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .gitea/workflows/{test.yml => demo.yaml} (100%) diff --git a/.gitea/workflows/test.yml b/.gitea/workflows/demo.yaml similarity index 100% rename from .gitea/workflows/test.yml rename to .gitea/workflows/demo.yaml From dbf62bc397c95c5a5d39e273630f956f5ab7f376 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 20 Jul 2023 17:45:46 +0000 Subject: [PATCH 003/596] Syntax changes --- .gitea/workflows/demo.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.gitea/workflows/demo.yaml b/.gitea/workflows/demo.yaml index 003e047..ccbf274 100644 --- a/.gitea/workflows/demo.yaml +++ b/.gitea/workflows/demo.yaml @@ -1,11 +1,10 @@ --- name: tests -# yamllint disable-line rule:truthy +run-name: just testing on: [push] jobs: - lint: - name: run linter + linter: runs-on: ubuntu-latest steps: - name: Checkout repository From e683b138b30fb8260739f1ff8a60a3f6fc01461c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 21 Jul 2023 08:52:02 +0000 Subject: [PATCH 004/596] Move BT USB adapter to different port --- host_vars/homeassistant01.home.foo.sh.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/host_vars/homeassistant01.home.foo.sh.yml b/host_vars/homeassistant01.home.foo.sh.yml index c9c1d5f..fefe24f 100644 --- a/host_vars/homeassistant01.home.foo.sh.yml +++ b/host_vars/homeassistant01.home.foo.sh.yml @@ -7,4 +7,4 @@ network_interfaces: - device: eth1 vlan: 30 virt_install_devices: - - 003.002 + - 001.005 From c0e00b7b08c42edf2554fe4612d35d692ca5f194 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 21 Jul 2023 10:01:21 +0000 Subject: [PATCH 005/596] Update ansible-software subrepo --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index 225d79a..40a4b9b 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit 225d79acad76f0becbd4db481abc7a8039014a8c +Subproject commit 40a4b9b1fdc54de26c817d26cc5867d58657cd90 From 7c921cf76be5286d349c064f3480e3340304595e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 21 Jul 2023 10:35:57 +0000 Subject: [PATCH 006/596] Update ansible-software subrepo --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index 40a4b9b..270b14c 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit 40a4b9b1fdc54de26c817d26cc5867d58657cd90 +Subproject commit 270b14ce153c3cf80de744d8d4128f2506a7e3d0 From 69411beca5bd2641ccc96c59157f45e4653e5b0a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 21 Jul 2023 17:07:13 +0000 Subject: [PATCH 007/596] gitea: Increase limit for http request body size --- roles/gitea/tasks/main.yml | 1 + roles/nginx/site/templates/git.foo.sh.conf.j2 | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 roles/nginx/site/templates/git.foo.sh.conf.j2 diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index 208eed0..5ef87c0 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml 
@@ -83,6 +83,7 @@ ansible.builtin.copy: dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/gitea.conf" content: | + client_max_body_size 100m; location / { proxy_pass http://127.0.0.1:3000; } diff --git a/roles/nginx/site/templates/git.foo.sh.conf.j2 b/roles/nginx/site/templates/git.foo.sh.conf.j2 new file mode 100644 index 0000000..4bfc067 --- /dev/null +++ b/roles/nginx/site/templates/git.foo.sh.conf.j2 @@ -0,0 +1,2 @@ + # disable any limits to avoid HTTP 413 for large pushes + client_max_body_size 100m; From 8b75d26eb8f889ce23fd418d81ef1dad4e73753b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jul 2023 16:29:36 +0000 Subject: [PATCH 008/596] homeassistant: Add support for custom integrations --- roles/homeassistant/tasks/main.yml | 36 +++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index f2f53d1..46648b8 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml @@ -12,8 +12,11 @@ - name: Install dependencies ansible.builtin.package: - name: bluez + name: "{{ item }}" state: installed + with_items: + - bluez + - git - name: Enable bluetooth services ansible.builtin.service: 
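Review bot: The comment in the new `git.foo.sh.conf.j2` says it disables any limits, but the directive that follows sets a 100m cap, so the comment misdescribes what the line does; suggest `# raise the request-body cap to 100m so large git pushes don't get HTTP 413`. The same literal `100m` is also written into the backend nginx snippet in `roles/gitea/tasks/main.yml`, so a shared variable (e.g. `gitea_max_body_size`) would keep the edge and backend caps from drifting apart. If git.foo.sh is served by the proxy group (whose firewall opens 80/443 without a source restriction), any unauthenticated client can now send 100 MB request bodies to it, which is worth weighing against `client_body_timeout` / rate limiting on that edge.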
@@ -79,6 +82,37 @@ group: "{{ ansible_wheel }}" setype: _default +- name: Create directories for custom integrations + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: 0755 + owner: root + group: "{{ ansible_wheel }}" + setype: _default + with_items: + - /srv/homeassistant/custom_components + - /srv/homeassistant/downloads + +- name: Download extra integrations + ansible.builtin.git: + dest: "/srv/homeassistant/downloads/{{ item.name }}" + repo: "{{ item.repo }}" + update: true + version: "{{ item.version }}" + notify: Restart homeassistant + with_items: "{{ homeassistant_integrations|default([]) }}" + +- name: Link extra integrations + ansible.builtin.file: + dest: "/srv/homeassistant/custom_components/{{ item.name }}" + src: "../downloads/{{ item.name }}/custom_components/{{ item.name }}" + state: link + owner: root + group: "{{ ansible_wheel }}" + follow: false + with_items: "{{ homeassistant_integrations|default([]) }}" + - name: Create service file ansible.builtin.template: dest: /etc/systemd/system/homeassistant-container.service From be04450c81901d75563de5a671c0ae5721b23dbc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jul 2023 16:30:33 +0000 Subject: [PATCH 009/596] Add Electrolux integration to homeassistant --- hosts.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts.yml b/hosts.yml index ba6f047..8f7b912 100644 --- a/hosts.yml +++ b/hosts.yml @@ -32,6 +32,10 @@ homeassistant: homeassistant01.home.foo.sh: vars: homeassistant_version: "2023.7" + homeassistant_integrations: + - name: electrolux_status + repo: https://github.com/mauro-midolo/homeassistant_electrolux_status.git + version: v2.12.0 influxdb: hosts: influxdb01.home.foo.sh: From 4ef795d02e2e0e8d1852f6e7cef5572541a6c822 Mon Sep 17 00:00:00 2001 
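Review bot: The `Download extra integrations` task checks out third-party code into the Home Assistant tree pinned only by `version: "{{ item.version }}"`, and the accompanying inventory entry sets that to a git tag (`v2.12.0`); tags are mutable, so with `update: true` a moved or force-pushed tag silently changes the code that runs on homeassistant01 on the next play. Pin each integration to the full 40-character commit SHA of the tag instead (keep the tag in a comment for readability), and a comment above the task such as `# third-party code executed inside the HA container; pin by commit SHA, not tag` would make the expectation explicit. The `Link extra integrations` task symlinks into `custom_components` with `follow: false`, which is correct; note that the checkout itself is created with the git module's default ownership, so document the intended owner/mode if the container is expected to see it read-only.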
From: Timo Makinen Date: Sat, 22 Jul 2023 17:38:11 +0000 Subject: [PATCH 010/596] Update gitea to version 1.20.1 --- hosts.yml | 2 +- roles/gitea/templates/app.ini.j2 | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 8f7b912..3e67283 100644 --- a/hosts.yml +++ b/hosts.yml @@ -21,7 +21,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.19.4" + gitea_version: "1.20.1" gitearunner: hosts: gitea-runner02.home.foo.sh: diff --git a/roles/gitea/templates/app.ini.j2 b/roles/gitea/templates/app.ini.j2 index 9ce2612..3a797b9 100644 --- a/roles/gitea/templates/app.ini.j2 +++ b/roles/gitea/templates/app.ini.j2 @@ -75,3 +75,6 @@ REVERSE_PROXY_LIMIT = 1 [actions] ENABLED = true + +[oauth2] +JWT_SECRET = {{ gitea_oauth_jwt_secret }} From 9c449996827ba57b7e04245bc41bf40f6d16920a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 23 Jul 2023 17:12:41 +0000 Subject: [PATCH 011/596] mariadb: Add timezone information to database --- roles/mariadb/files/mysql_tzinfo_check.sh | 22 ++++++++++++++++++++++ roles/mariadb/tasks/main.yml | 15 +++++++++++++++ 2 files changed, 37 insertions(+) create mode 100755 roles/mariadb/files/mysql_tzinfo_check.sh diff --git a/roles/mariadb/files/mysql_tzinfo_check.sh b/roles/mariadb/files/mysql_tzinfo_check.sh new file mode 100755 index 0000000..44e2de2 --- /dev/null +++ b/roles/mariadb/files/mysql_tzinfo_check.sh @@ -0,0 +1,22 @@ +#!/bin/sh + +set -eu + +_timestamp=$(cat <&2 + exit 1 +fi diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 519068d..2673211 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml 
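Review bot: `JWT_SECRET = {{ gitea_oauth_jwt_secret }}` in `app.ini.j2` renders the OAuth2 token-signing secret into the config, but nothing in this commit shows where `gitea_oauth_jwt_secret` is defined or how app.ini is protected; it should live in the private/vaulted vars that the playbooks load from `{{ ansible_private }}/vars.yml`, never in `hosts.yml` or group_vars, and the template task (outside this hunk) should write app.ini with a non-world-readable mode. Gitea expects this value to be a base64-encoded 32-byte secret as produced by `gitea generate secret JWT_SECRET` and recent releases refuse to start with an unsuitable one, so a comment above the line, `; base64-encoded 32-byte secret, generate with: gitea generate secret JWT_SECRET`, would help the next operator. Changing the value presumably invalidates all issued OAuth2 access/refresh tokens, which is worth stating next to the variable.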
@@ -135,3 +135,18 @@ job: /usr/local/sbin/mariadb-backup hour: "0" minute: "30" + +- name: Copy script to check timezone data + ansible.builtin.copy: + dest: /usr/local/sbin/mysql_tzinfo_check + src: mysql_tzinfo_check.sh + mode: 0755 + owner: root + group: "{{ ansible_wheel }}" + +- name: Create cron job for checking timezone data + ansible.builtin.cron: + name: mysql_tzinfo_check + job: /usr/local/sbin/mysql_tzinfo_check + hour: "3" + minute: "15" From 6b2e64df913a00a534bafe1429152a2c4aa0968d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 25 Jul 2023 16:15:01 +0000 Subject: [PATCH 012/596] Fix typo --- playbooks/dna-gw.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 00f50ea..533314a 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -79,7 +79,7 @@ - name: Create tftp ramdisk for OpenBSD installs ansible.builtin.get_url: - url: "https://ftp.eu.openbsd.org/pub/OpenBSD//7.3/amd64/bsd.rd" + url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.3/amd64/bsd.rd" checksum: sha1:72b46ad8e97b2082d145a739264e818dcd154021 dest: /srv/tftpboot/bsd.rd mode: 0644 From 07125310bd1e83ea294884734a30cb9f4006aded Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 29 Jul 2023 18:03:03 +0000 Subject: [PATCH 013/596] Update gitea to 1.20.2 --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 3e67283..efae683 100644 --- a/hosts.yml +++ b/hosts.yml @@ -21,7 +21,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.20.1" + gitea_version: "1.20.2" gitearunner: hosts: gitea-runner02.home.foo.sh: From 08fbb136408e02325ba836b64fac7a622b8e1ca7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 9 Aug 2023 22:33:10 +0000 Subject: [PATCH 014/596] nginx: Add more proxy headers --- roles/nginx/server/templates/nginx.conf.j2 | 3 +++ 1 file changed, 3 insertions(+) 
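Review bot: The `bsd.rd` download in `playbooks/dna-gw.yml` is still verified with `checksum: sha1:…` (context line directly under the corrected URL); SHA-1 is no longer collision-resistant, and OpenBSD publishes `SHA256` and signed `SHA256.sig` files for every release, so this should become `checksum: sha256:<value from pub/OpenBSD/7.3/amd64/SHA256>`. Since this ramdisk is placed in `/srv/tftpboot` to boot installers over the network, that checksum is the only thing standing between a mirror compromise and arbitrary install media on the LAN. A comment like `# sha256 from the release's signed SHA256 file; re-verify with signify when bumping` would document where the value comes from.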
diff --git a/roles/nginx/server/templates/nginx.conf.j2 b/roles/nginx/server/templates/nginx.conf.j2 index 1bc0e2b..877fc4e 100644 --- a/roles/nginx/server/templates/nginx.conf.j2 +++ b/roles/nginx/server/templates/nginx.conf.j2 @@ -23,6 +23,9 @@ http { } proxy_set_header Connection $connection_upgrade; proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto $scheme; proxy_http_version 1.1; {% if plaintext is defined %} From 4a09185aebbfb4c3509f9ab17cdeaeb1941ffcbe Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 10 Aug 2023 13:46:38 +0000 Subject: [PATCH 015/596] nginx/site: Fix upstream hostname --- roles/nginx/site/templates/site.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nginx/site/templates/site.conf.j2 b/roles/nginx/site/templates/site.conf.j2 index a277ec5..f13669c 100644 --- a/roles/nginx/site/templates/site.conf.j2 +++ b/roles/nginx/site/templates/site.conf.j2 @@ -1,5 +1,5 @@ {% if proxy is defined and proxy is not string %} -upstream upstream-{{ site }} { +upstream {{ site }} { {% for item in proxy %} {% set item = item | regex_replace("^(https://)?([^/]*).*$", "\\2") %} {% if item | regex_search(".*:[0-9]+$") %} @@ -39,7 +39,7 @@ server { {% set path = proxy[0] | regex_replace("^(https://)?([^/]*)(.*)$", "\\3") %} # https://trac.nginx.org/nginx/ticket/1307 proxy_ssl_verify off; - proxy_pass https://upstream-{{ site }}{{ path }}; + proxy_pass https://{{ site }}{{ path }}; {% else %} proxy_pass {{ proxy }}; {% endif %} From 4846fc9bf5f0192f6b0cb2f3902f0a38aa691a7b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 14 Aug 2023 17:04:33 +0000 Subject: [PATCH 016/596] Update software versions --- hosts.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hosts.yml b/hosts.yml index efae683..fe4345c 100644 --- a/hosts.yml +++ b/hosts.yml 
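Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends the connecting address to whatever `X-Forwarded-For` the client already sent, so an upstream that reads the leftmost entry can be fed a spoofed client IP; `nginx.conf.j2` is the shared server template, and the proxy group's firewall opens 80/443 without a source restriction, so if those hosts use this template the header is set at the internet-facing edge too. If this nginx is the first trusted hop, use `proxy_set_header X-Forwarded-For $remote_addr;` there (or strip the inbound header) and keep `$proxy_add_x_forwarded_for` only behind another trusted proxy; Gitea's `REVERSE_PROXY_LIMIT = 1` tolerates exactly one hop, but other upstreams may not. A comment such as `# first trusted hop: overwrite, do not append, client-supplied XFF` would record the decision either way.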
@@ -26,12 +26,12 @@ gitearunner: hosts: gitea-runner02.home.foo.sh: vars: - gitea_runner_version: "0.2.3" + gitea_runner_version: "0.2.5" homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2023.7" + homeassistant_version: "2023.8.2" homeassistant_integrations: - name: electrolux_status repo: https://github.com/mauro-midolo/homeassistant_electrolux_status.git @@ -78,8 +78,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "10.0.2" - rocketchat_version: "6.2.10" + grafana_version: "10.0.3" + rocketchat_version: "6.31" roundcube_version: "1.6.1" print: hosts: From 45c124a82b3261acc710526971ef48d7145b47e7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 14 Aug 2023 17:15:28 +0000 Subject: [PATCH 017/596] cpupower: Initial version of role --- roles/cpupower/files/cpupower.sysconfig | 3 +++ roles/cpupower/handlers/main.yml | 5 +++++ roles/cpupower/tasks/main.yml | 15 +++++++++++++++ 3 files changed, 23 insertions(+) create mode 100644 roles/cpupower/files/cpupower.sysconfig create mode 100644 roles/cpupower/handlers/main.yml create mode 100644 roles/cpupower/tasks/main.yml diff --git a/roles/cpupower/files/cpupower.sysconfig b/roles/cpupower/files/cpupower.sysconfig new file mode 100644 index 0000000..a75fd87 --- /dev/null +++ b/roles/cpupower/files/cpupower.sysconfig @@ -0,0 +1,3 @@ +# See 'cpupower help' and cpupower(1) for more info +CPUPOWER_START_OPTS="frequency-set -g ondemand" +CPUPOWER_STOP_OPTS="frequency-set -g performance" diff --git a/roles/cpupower/handlers/main.yml b/roles/cpupower/handlers/main.yml new file mode 100644 index 0000000..c37fd46 --- /dev/null +++ b/roles/cpupower/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart cpupower + ansible.builtin.service: + name: cpupower + state: restarted diff --git a/roles/cpupower/tasks/main.yml b/roles/cpupower/tasks/main.yml new file mode 100644 index 0000000..4cd1f83 --- /dev/null +++ b/roles/cpupower/tasks/main.yml 
@@ -0,0 +1,15 @@ +--- +- name: Copy config + ansible.builtin.copy: + dest: /etc/sysconfig/cpupower + src: cpupower.sysconfig + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart cpupower + +- name: Enable service + ansible.builtin.service: + name: cpupower + state: started + enabled: true From 112d900b8f44edadbf9496525dbfd1821e3c42e5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 14 Aug 2023 17:17:25 +0000 Subject: [PATCH 018/596] base: Add cpupower to physical hosts --- roles/base/tasks/RedHat.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml index 8e6ca6e..d266052 100644 --- a/roles/base/tasks/RedHat.yml +++ b/roles/base/tasks/RedHat.yml @@ -3,6 +3,12 @@ ansible.builtin.hostname: name: "{{ inventory_hostname }}" +- name: Install OS specific roles for physical hardware + ansible.builtin.include_role: + name: cpupower + when: + - ansible_virtualization_role == "host" + - name: Install OS specific roles ansible.builtin.include_role: name: "{{ role }}" From f573704b3419380b0f43eb251709a69adea6b882 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Aug 2023 13:55:29 +0000 Subject: [PATCH 019/596] Move data disks to nvme storage --- group_vars/adm.yml | 2 +- group_vars/gitea.yml | 2 +- group_vars/homeassistant.yml | 2 +- group_vars/log.yml | 2 +- group_vars/mail.yml | 2 +- group_vars/minecraft.yml | 2 +- group_vars/nms.yml | 2 +- host_vars/ldap01.home.foo.sh.yml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/group_vars/adm.yml b/group_vars/adm.yml index 0eff70a..a49673c 100644 --- a/group_vars/adm.yml +++ b/group_vars/adm.yml @@ -1,6 +1,6 @@ --- datadisks: - - {size: 10} + - {size: 10, type: nvme} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} diff --git a/group_vars/gitea.yml b/group_vars/gitea.yml index 985e033..a49673c 100644 --- a/group_vars/gitea.yml +++ b/group_vars/gitea.yml 
@@ -1,6 +1,6 @@ --- datadisks: - - {size: 10, type: hdd} + - {size: 10, type: nvme} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} diff --git a/group_vars/homeassistant.yml b/group_vars/homeassistant.yml index 91f88e0..92e8f6a 100644 --- a/group_vars/homeassistant.yml +++ b/group_vars/homeassistant.yml @@ -1,6 +1,6 @@ --- datadisks: - - {size: 10, type: hdd} + - {size: 10, type: nvme} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} diff --git a/group_vars/log.yml b/group_vars/log.yml index 7457482..af1b495 100644 --- a/group_vars/log.yml +++ b/group_vars/log.yml @@ -1,6 +1,6 @@ --- datadisks: - - {size: 50} + - {size: 50, type: nvme} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} diff --git a/group_vars/mail.yml b/group_vars/mail.yml index 7976023..de75efd 100644 --- a/group_vars/mail.yml +++ b/group_vars/mail.yml @@ -1,6 +1,6 @@ --- datadisks: - - {size: 10} + - {size: 10, type: nvme} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} diff --git a/group_vars/minecraft.yml b/group_vars/minecraft.yml index cf60405..d87c715 100644 --- a/group_vars/minecraft.yml +++ b/group_vars/minecraft.yml @@ -1,7 +1,7 @@ --- mem_size: 4096 datadisks: - - {size: 100} + - {size: 100, type: nvme} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 4949, from: [172.20.30.0/24]} diff --git a/group_vars/nms.yml b/group_vars/nms.yml index 83c016a..cbf2fdb 100644 --- a/group_vars/nms.yml +++ b/group_vars/nms.yml @@ -1,6 +1,6 @@ --- datadisks: - - {size: 10} + - {size: 10, type: nvme} network_vip_interfaces: - device: eth1 diff --git a/host_vars/ldap01.home.foo.sh.yml b/host_vars/ldap01.home.foo.sh.yml index 8951d67..a64ca14 100644 --- a/host_vars/ldap01.home.foo.sh.yml +++ b/host_vars/ldap01.home.foo.sh.yml @@ -5,6 +5,6 @@ network_interfaces: vlan: 20 mac: 52:54:00:ac:dc:1f datadisks: - - {size: 10} + - {size: 10, type: nvme} ldap_master: true 
From 051acc86cc16deb995d6e1865144d706202d100e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Aug 2023 17:28:30 +0000 Subject: [PATCH 020/596] node_exporter: First version of role --- roles/node_exporter/handlers/main.yml | 5 ++ roles/node_exporter/meta/main.yml | 3 ++ roles/node_exporter/tasks/main.yml | 48 +++++++++++++++++++ .../node_exporter/templates/web-config.yml.j2 | 6 +++ 4 files changed, 62 insertions(+) create mode 100644 roles/node_exporter/handlers/main.yml create mode 100644 roles/node_exporter/meta/main.yml create mode 100644 roles/node_exporter/tasks/main.yml create mode 100644 roles/node_exporter/templates/web-config.yml.j2 diff --git a/roles/node_exporter/handlers/main.yml b/roles/node_exporter/handlers/main.yml new file mode 100644 index 0000000..29d67a9 --- /dev/null +++ b/roles/node_exporter/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart node_exporter + ansible.builtin.service: + name: prometheus-node-exporter + state: restarted diff --git a/roles/node_exporter/meta/main.yml b/roles/node_exporter/meta/main.yml new file mode 100644 index 0000000..ebfb16f --- /dev/null +++ b/roles/node_exporter/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: epel_repo, when: ansible_os_family == "RedHat"} diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml new file mode 100644 index 0000000..d65eb8a --- /dev/null +++ b/roles/node_exporter/tasks/main.yml 
@@ -0,0 +1,48 @@ +--- +- name: Install packages + ansible.builtin.package: + name: golang-github-prometheus-node-exporter + state: installed + +- name: Allow prometheus user to read private key + ansible.builtin.user: + name: prometheus + groups: hostkey + append: true + notify: Restart node_exporter + +- name: Create config directory + ansible.builtin.file: + path: /etc/node_exporter + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Create web-config + ansible.builtin.template: + dest: /etc/node_exporter/web-config.yml + src: web-config.yml.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart node_exporter + +- name: Modify config + ansible.builtin.lineinfile: + path: /etc/default/prometheus-node-exporter + regexp: "^ARGS=" + line: >- + ARGS="--collector.filesystem.ignored-mount-points + '^/(dev|proc|sys|run/(user|credentials/systemd-.+))($|/)' + --collector.netclass.ignored-devices '^(br-|docker|veth).+$' + --collector.netdev.device-exclude '^(br-|docker|veth).+$' + --web.config=/etc/node_exporter/web-config.yml + --collector.textfile.directory /var/lib/prometheus/node-exporter" + notify: Restart node_exporter + +- name: Enable node_exporter service + ansible.builtin.service: + name: prometheus-node-exporter + state: started + enabled: true diff --git a/roles/node_exporter/templates/web-config.yml.j2 b/roles/node_exporter/templates/web-config.yml.j2 new file mode 100644 index 0000000..01c911f --- /dev/null +++ b/roles/node_exporter/templates/web-config.yml.j2 @@ -0,0 +1,6 @@ +--- +tls_server_config: + key_file: {{ tls_private }}/{{ inventory_hostname }}.key + cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt + client_ca_file: {{ tls_certs }}/ca.crt + client_auth_type: RequireAndVerifyClientCert From 9b1aa236c55ee99a003b1d2ff8f9bdc8f8ee0f15 Mon Sep 17 00:00:00 2001 
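Review bot: `Allow prometheus user to read private key` adds the exporter's service account to the `hostkey` group, which grants a network-facing daemon (port 9100) read access to the host-wide key `{{ tls_private }}/{{ inventory_hostname }}.key` that other services on the box presumably share, so a node_exporter compromise leaks a key valid for every service using that certificate. Prefer a dedicated key/cert for the exporter, or copy the key into `/etc/node_exporter/` owned by the exporter user with mode 0600 so the group grant is not needed. The task also assumes the `hostkey` group already exists (it does not create it); a comment `# hostkey group is created by the tls role — TODO confirm` would make the dependency visible. The mTLS web-config with `client_auth_type: RequireAndVerifyClientCert` is a good default.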
From: Timo Makinen Date: Sat, 19 Aug 2023 17:29:00 +0000 Subject: [PATCH 021/596] prometheus: First version of role --- roles/prometheus/files/prometheus.service | 23 ++++ roles/prometheus/handlers/main.yml | 5 + roles/prometheus/meta/main.yml | 3 + roles/prometheus/tasks/main.yml | 115 +++++++++++++++++++ roles/prometheus/templates/node.json.j2 | 10 ++ roles/prometheus/templates/prometheus.yml.j2 | 16 +++ 6 files changed, 172 insertions(+) create mode 100644 roles/prometheus/files/prometheus.service create mode 100644 roles/prometheus/handlers/main.yml create mode 100644 roles/prometheus/meta/main.yml create mode 100644 roles/prometheus/tasks/main.yml create mode 100644 roles/prometheus/templates/node.json.j2 create mode 100644 roles/prometheus/templates/prometheus.yml.j2 diff --git a/roles/prometheus/files/prometheus.service b/roles/prometheus/files/prometheus.service new file mode 100644 index 0000000..28f8d3a --- /dev/null +++ b/roles/prometheus/files/prometheus.service @@ -0,0 +1,23 @@ +[Unit] +Description=Prometheus +After=network-online.target +Requires=local-fs.target +After=local-fs.target + +[Service] +Type=simple +Environment="GOMAXPROCS={{ ansible_processor_vcpus|default(ansible_processor_count) }}" +User=prometheus +Group=prometheus +UMask=007 +ExecReload=/bin/kill -HUP $MAINPID +ExecStart=/usr/local/sbin/prometheus \ + --config.file=/srv/prometheus/prometheus.yml \ + --log.level=info \ + --storage.tsdb.path=/srv/prometheus/data \ + --storage.tsdb.retention.time=365d \ + --web.console.libraries=/usr/local/share/prometheus/console_libraries +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/roles/prometheus/handlers/main.yml b/roles/prometheus/handlers/main.yml new file mode 100644 index 0000000..690e0bd --- /dev/null +++ b/roles/prometheus/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart prometheus + ansible.builtin.service: + name: prometheus + state: restarted 
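Review bot: `Environment="GOMAXPROCS={{ ansible_processor_vcpus|default(ansible_processor_count) }}"` is a Jinja expression inside `roles/prometheus/files/prometheus.service`, but this commit installs that file with `ansible.builtin.copy` (the `Create service file` task in tasks/main.yml), which does not render templates, so the unit will literally export the `{{ ... }}` text and the Go runtime should ignore the unparsable value. Either move the file to `templates/prometheus.service.j2` and deploy it with `ansible.builtin.template`, or drop the `Environment=` line since Go already defaults GOMAXPROCS to the CPU count. While here, `After=network-online.target` should be paired with `Wants=network-online.target`; on its own the `After=` ordering has no effect.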
diff --git a/roles/prometheus/meta/main.yml b/roles/prometheus/meta/main.yml new file mode 100644 index 0000000..b95ceec --- /dev/null +++ b/roles/prometheus/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: nginx/server} diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml new file mode 100644 index 0000000..05145f4 --- /dev/null +++ b/roles/prometheus/tasks/main.yml 
@@ -0,0 +1,115 @@ +--- +- name: Create group + ansible.builtin.group: + name: prometheus + gid: 305 + +- name: Create user + ansible.builtin.user: + name: prometheus + comment: Service Prometheus + createhome: false + group: prometheus + home: /var/empty + shell: /sbin/nologin + uid: 305 + +- name: Extract package + ansible.builtin.unarchive: + src: https://github.com/prometheus/prometheus/releases/download/v2.45.0/prometheus-2.45.0.linux-amd64.tar.gz + dest: /usr/local/src + owner: root + group: "{{ ansible_wheel }}" + remote_src: true + +- name: Copy binaries + ansible.builtin.copy: + dest: "/usr/local/sbin/{{ item }}" + src: "/usr/local/src/prometheus-2.45.0.linux-amd64/{{ item }}" + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + remote_src: true + with_items: + - promtool + - prometheus + +- name: Create data directories + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: "0750" + owner: root + group: prometheus + with_items: + - /export/prometheus + - /export/prometheus/node.d + +- name: Link data directory + ansible.builtin.file: + path: /srv/prometheus + src: /export/prometheus + state: link + owner: root + group: "{{ ansible_wheel }}" + follow: false + +- name: Create database directory + ansible.builtin.file: + path: /srv/prometheus/data + state: directory + mode: "0770" + owner: root + group: prometheus + +- name: Create configuration + ansible.builtin.template: + dest: /srv/prometheus/prometheus.yml + src: prometheus.yml.j2 + mode: "0640" + owner: root + group: prometheus + notify: Restart prometheus + +- name: Create host configs + ansible.builtin.template: + dest: "/srv/prometheus/node.d/{{ item }}" + src: node.json.j2 + mode: "0640" + owner: root + group: prometheus + notify: Restart prometheus + with_items: "{{ groups['all'] }}" + +- name: Create service file + ansible.builtin.copy: + dest: /etc/systemd/system/prometheus.service + src: prometheus.service + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + 
notify: Restart prometheus + +- name: Enable service + ansible.builtin.service: + name: prometheus + state: started + enabled: true + +- name: Allow nginx to connect prometheus + ansible.posix.seboolean: + name: httpd_can_network_connect + state: true + persistent: true + +- name: Copy nginx config + ansible.builtin.copy: + dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/prometheus.conf" + content: | + location / { + proxy_pass http://127.0.0.1:9090; + } + mode: 0644 + owner: root + group: "{{ ansible_wheel }}" + notify: Restart nginx diff --git a/roles/prometheus/templates/node.json.j2 b/roles/prometheus/templates/node.json.j2 new file mode 100644 index 0000000..d2bef64 --- /dev/null +++ b/roles/prometheus/templates/node.json.j2 @@ -0,0 +1,10 @@ +[ + { + "labels": { + "instance": "{{ item }}" + }, + "targets": [ + "{{ item }}" + ] + } +] diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2 new file mode 100644 index 0000000..81703ee --- /dev/null +++ b/roles/prometheus/templates/prometheus.yml.j2 @@ -0,0 +1,16 @@ +--- +global: + scrape_interval: 1m + scrape_timeout: 10s + evaluation_interval: 1m + +scrape_configs: + - job_name: node + scheme: https + tls_config: + ca_file: "{{ tls_certs }}/ca.crt" + key_file: "{{ tls_private }}/{{ inventory_hostname }}.key" + cert_file: "{{ tls_certs }}/{{ inventory_hostname }}.crt" + file_sd_configs: + - files: + - /srv/prometheus/node.d/*.json From 20fb7aeacfe9585bfc74940dabb16639954c7391 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Aug 2023 17:29:54 +0000 Subject: [PATCH 022/596] Add prometheus hosts --- group_vars/prometheus.yml | 8 ++++++++ host_vars/prometheus02.home.foo.sh.yml | 6 ++++++ hosts.yml | 4 ++++ playbooks/prometheus.yml | 28 ++++++++++++++++++++++++++ 4 files changed, 46 insertions(+) create mode 100644 group_vars/prometheus.yml create mode 100644 host_vars/prometheus02.home.foo.sh.yml create mode 100644 playbooks/prometheus.yml 
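Review bot: `Extract package` pulls `prometheus-2.45.0.linux-amd64.tar.gz` straight from GitHub with `remote_src: true` and no integrity check, so whatever that URL serves is installed as a root-owned binary in `/usr/local/sbin`; fetch it first with `ansible.builtin.get_url` using `checksum: sha256:<value from the release's sha256sums.txt>` pinned in a variable next to the version, then unarchive the local file. The version string `2.45.0` is repeated across two tasks; a `prometheus_version` variable, like `gitea_version` in hosts.yml, would keep them in step and make the checksum pin obvious to update. Minor: this file quotes modes as `"0750"` but the final nginx task uses bare `mode: 0644`; quote it for consistency.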
diff --git a/group_vars/prometheus.yml b/group_vars/prometheus.yml new file mode 100644 index 0000000..e80e98c --- /dev/null +++ b/group_vars/prometheus.yml @@ -0,0 +1,8 @@ +--- +datadisks: + - {size: 10, type: nvme} + +firewall_in: + - {proto: tcp, port: 22, from: [172.20.20.0/22]} + - {proto: tcp, port: 443, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/host_vars/prometheus02.home.foo.sh.yml b/host_vars/prometheus02.home.foo.sh.yml new file mode 100644 index 0000000..6c7cc03 --- /dev/null +++ b/host_vars/prometheus02.home.foo.sh.yml @@ -0,0 +1,6 @@ +--- +vmhost: vmhost02.home.foo.sh +network_interfaces: + - device: eth0 + vlan: 20 + mac: "52:54:00:ac:dc:84" diff --git a/hosts.yml b/hosts.yml index fe4345c..7c55f68 100644 --- a/hosts.yml +++ b/hosts.yml @@ -84,6 +84,9 @@ ocinode: print: hosts: print01.home.foo.sh: +prometheus: + hosts: + prometheus02.home.foo.sh: proxy: hosts: proxy01.home.foo.sh: @@ -154,6 +157,7 @@ rocky9: ldap: mirror: mongodb: + prometheus: sqldb: static: vmhost: diff --git a/playbooks/prometheus.yml b/playbooks/prometheus.yml new file mode 100644 index 0000000..bec40ff --- /dev/null +++ b/playbooks/prometheus.yml @@ -0,0 +1,28 @@ +--- +- name: Deploy KVM virtual machines + ansible.builtin.import_playbook: include/deploy-kvm-guest.yml + vars: + myhosts: prometheus + +- name: Configure instance + hosts: prometheus + user: root + gather_facts: true + + vars_files: + - "{{ ansible_private }}/vars.yml" + + pre_tasks: + - name: Mount /export + ansible.posix.mount: + name: /export + src: LABEL=/export + fstype: xfs + opts: noatime,noexec,nosuid,nodev + passno: "0" + dump: "0" + state: mounted + + roles: + - base + - prometheus From f8319730234eaee78087af2e47d371a5a589d52f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Aug 2023 17:31:02 +0000 Subject: [PATCH 023/596] Add prometheus playbook to master playbook --- site.yml | 2 ++ 1 file changed, 2 insertions(+) 
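Review bot: `{proto: tcp, port: 9100, from: [172.20.20.0/22]}` in `group_vars/prometheus.yml` opens node_exporter only on the Prometheus host itself, yet the role scrapes `<host>:9100` for every entry in `groups['all']`; none of the other group firewall lists touched in this series (adm, gitea, homeassistant, log, mail, minecraft, nms, ldap) open 9100, so those scrapes will be blocked unless a base rule not shown here lets the Prometheus host through. Consider a rule limited to the scraper, e.g. `- {proto: tcp, port: 9100, from: [<prometheus02 address>]}`, added at a common level rather than per group; with mTLS already required on the exporter there is no need to expose 9100 to the whole /22. The `noatime,noexec,nosuid,nodev` options on the `/export` mount in the playbook are a good default for the TSDB volume.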
diff --git a/site.yml b/site.yml index 41765a2..bcceabe 100644 --- a/site.yml +++ b/site.yml @@ -41,6 +41,8 @@ ansible.builtin.import_playbook: playbooks/oci-node.yml - name: Configure print hosts ansible.builtin.import_playbook: playbooks/print.yml +- name: Configure prometheus hosts + ansible.builtin.import_playbook: playbooks/prometheus.yml - name: Configure proxy hosts ansible.builtin.import_playbook: playbooks/proxy.yml - name: Configure relay hosts From 1fdce68b75da2e2ab31f2f4fadd5736226339b73 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Aug 2023 17:46:44 +0000 Subject: [PATCH 024/596] node_exporter: Fix installing for Fedora --- roles/node_exporter/meta/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/node_exporter/meta/main.yml b/roles/node_exporter/meta/main.yml index ebfb16f..ed212b9 100644 --- a/roles/node_exporter/meta/main.yml +++ b/roles/node_exporter/meta/main.yml @@ -1,3 +1,6 @@ --- dependencies: - - {role: epel_repo, when: ansible_os_family == "RedHat"} + - role: epel_repo + when: + - ansible_os_family == "RedHat" + - ansible_distribution != "Fedora" From d7edba1a0fdf40c2e56fef8bb6a0a86e1cf9023e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Aug 2023 17:48:43 +0000 Subject: [PATCH 025/596] No use for port 443 on ldap hosts --- group_vars/ldap.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/group_vars/ldap.yml b/group_vars/ldap.yml index 660bcb5..85b7b5c 100644 --- a/group_vars/ldap.yml +++ b/group_vars/ldap.yml @@ -3,6 +3,5 @@ saslauthd_mech: ldap firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - - {proto: tcp, port: 443, from: [172.20.20.0/22]} - {proto: tcp, port: 636, from: [172.20.20.0/22]} - {proto: tcp, port: 4949, from: [172.20.20.0/22]} From 7516f5813e8d939fdbbb7fccaed29e8bff7092a9 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sat, 19 Aug 2023 18:21:43 +0000 Subject: [PATCH 026/596] prometheus: Fix node configs --- roles/prometheus/tasks/main.yml | 2 +- roles/prometheus/templates/node.json.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index 05145f4..7ec1353 100644 --- a/roles/prometheus/tasks/main.yml +++ b/roles/prometheus/tasks/main.yml @@ -73,7 +73,7 @@ - name: Create host configs ansible.builtin.template: - dest: "/srv/prometheus/node.d/{{ item }}" + dest: "/srv/prometheus/node.d/{{ item }}.json" src: node.json.j2 mode: "0640" owner: root diff --git a/roles/prometheus/templates/node.json.j2 b/roles/prometheus/templates/node.json.j2 index d2bef64..0f4e396 100644 --- a/roles/prometheus/templates/node.json.j2 +++ b/roles/prometheus/templates/node.json.j2 @@ -4,7 +4,7 @@ "instance": "{{ item }}" }, "targets": [ - "{{ item }}" + "{{ item }}:9100" ] } ] From 3d0cf42e8eee3b9d7de95cde3183f22614b74213 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Aug 2023 14:06:40 +0000 Subject: [PATCH 027/596] Remove obsolete ports from proxy pf config --- group_vars/proxy.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/group_vars/proxy.yml b/group_vars/proxy.yml index c3ffdcd..3966f13 100644 --- a/group_vars/proxy.yml +++ b/group_vars/proxy.yml @@ -48,6 +48,4 @@ firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 80} - {proto: tcp, port: 443} - - {proto: tcp, port: 636} - {proto: tcp, port: 4949, from: [172.20.20.0/22]} - - {proto: tcp, port: 6514} From 902575569506b4f9f760d5915a3f086d14f253d8 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Aug 2023 14:32:15 +0000 Subject: [PATCH 028/596] node_exporter: Add OpenBSD support --- roles/node_exporter/handlers/main.yml | 2 +- roles/node_exporter/tasks/main.yml | 21 +++++++++++++++++---- 2 files changed, 18 insertions(+), 5 deletions(-) 
diff --git a/roles/node_exporter/handlers/main.yml b/roles/node_exporter/handlers/main.yml index 29d67a9..f522d75 100644 --- a/roles/node_exporter/handlers/main.yml +++ b/roles/node_exporter/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: Restart node_exporter ansible.builtin.service: - name: prometheus-node-exporter + name: "{{ node_exporter_package }}" state: restarted diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml index d65eb8a..00b9898 100644 --- a/roles/node_exporter/tasks/main.yml +++ b/roles/node_exporter/tasks/main.yml @@ -1,12 +1,15 @@ --- +- name: Include OS-specific variables + ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" + - name: Install packages ansible.builtin.package: - name: golang-github-prometheus-node-exporter + name: "{{ node_exporter_package }}" state: installed - name: Allow prometheus user to read private key ansible.builtin.user: - name: prometheus + name: "{{ node_exporter_user }}" groups: hostkey append: true notify: Restart node_exporter @@ -40,9 +43,19 @@ --web.config=/etc/node_exporter/web-config.yml --collector.textfile.directory /var/lib/prometheus/node-exporter" notify: Restart node_exporter + when: ansible_os_family == "RedHat" -- name: Enable node_exporter service +- name: Enable service ansible.builtin.service: - name: prometheus-node-exporter + name: "{{ node_exporter_service }}" state: started enabled: true + arguments: --web.config.file=/etc/node_exporter/web-config.yml + when: ansible_os_family == "OpenBSD" + +- name: Enable service + ansible.builtin.service: + name: "{{ node_exporter_service }}" + state: started + enabled: true + when: ansible_os_family == "RedHat" From 5ec34f54c810232900b9205e92052fec568f25b2 Mon Sep 17 00:00:00 2001 
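Review bot: The two `Enable service` tasks added at the end of roles/node_exporter/tasks/main.yml carry the same name and differ only in `arguments` and `when`, which makes `--list-tasks` and `--start-at-task` output ambiguous and duplicates the service block. One task with `omit` covers both families: `arguments: "{{ '--web.config.file=/etc/node_exporter/web-config.yml' if ansible_os_family == 'OpenBSD' else omit }}"`. The RedHat path keeps `--web.config=/etc/node_exporter/web-config.yml` (context line from the sysconfig task) while OpenBSD gets `--web.config.file=`; recent node_exporter releases treat `--web.config` as the deprecated spelling, so confirm each package version accepts the form it is given. The new `Include OS-specific variables` task has no fallback, and only OpenBSD.yml and RedHat.yml are added in the next commit, so any host outside those families fails at the include once the role is applied from base later in this series; if that is deliberate, a comment such as `# only RedHat and OpenBSD vars exist; other families fail here on purpose` saves the next reader a search.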
From: Timo Makinen Date: Sun, 20 Aug 2023 14:32:43 +0000 Subject: [PATCH 029/596] node_exporter: Add missing files --- roles/node_exporter/vars/OpenBSD.yml | 4 ++++ roles/node_exporter/vars/RedHat.yml | 4 ++++ 2 files changed, 8 insertions(+) create mode 100644 roles/node_exporter/vars/OpenBSD.yml create mode 100644 roles/node_exporter/vars/RedHat.yml diff --git a/roles/node_exporter/vars/OpenBSD.yml b/roles/node_exporter/vars/OpenBSD.yml new file mode 100644 index 0000000..170fb93 --- /dev/null +++ b/roles/node_exporter/vars/OpenBSD.yml @@ -0,0 +1,4 @@ +--- +node_exporter_package: node_exporter +node_exporter_service: node_exporter +node_exporter_user: _nodeexporter diff --git a/roles/node_exporter/vars/RedHat.yml b/roles/node_exporter/vars/RedHat.yml new file mode 100644 index 0000000..0a6f1b2 --- /dev/null +++ b/roles/node_exporter/vars/RedHat.yml @@ -0,0 +1,4 @@ +--- +node_exporter_package: golang-github-prometheus-node-exporter +node_exporter_service: prometheus-node-exporter +node_exporter_user: prometheus From 946c7d0772897482e1ab125167cd31c8dcf31d8c Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sun, 20 Aug 2023 14:33:39 +0000 Subject: [PATCH 030/596] Add node_exporter to all hosts --- group_vars/adm.yml | 2 +- group_vars/backup.yml | 1 + group_vars/collab.yml | 2 +- group_vars/gitea.yml | 2 +- group_vars/gitearunner.yml | 2 +- group_vars/homeassistant.yml | 2 +- group_vars/influxdb.yml | 2 +- group_vars/ldap.yml | 2 +- group_vars/log.yml | 2 +- group_vars/mail.yml | 2 +- group_vars/minecraft.yml | 2 +- group_vars/mirror.yml | 2 +- group_vars/mongodb.yml | 1 + group_vars/mqtt.yml | 2 +- group_vars/nas.yml | 2 +- group_vars/nms.yml | 2 +- group_vars/ocinode.yml | 1 + group_vars/print.yml | 2 +- group_vars/proxy.yml | 2 +- group_vars/relay.yml | 1 + group_vars/shell.yml | 2 +- group_vars/sqldb.yml | 1 + group_vars/static.yml | 2 +- group_vars/vmhost.yml | 2 +- group_vars/zm.yml | 2 +- roles/base/tasks/main.yml | 1 + roles/pf/files/pf.conf.gw_fsol | 4 ++-- roles/pf/files/pf.conf.gw_home | 4 ++-- 28 files changed, 30 insertions(+), 24 deletions(-) diff --git a/group_vars/adm.yml b/group_vars/adm.yml index a49673c..e80e98c 100644 --- a/group_vars/adm.yml +++ b/group_vars/adm.yml @@ -5,4 +5,4 @@ datadisks: firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/backup.yml b/group_vars/backup.yml index ec4ea73..0b7f509 100644 --- a/group_vars/backup.yml +++ b/group_vars/backup.yml @@ -1,3 +1,4 @@ --- firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/collab.yml b/group_vars/collab.yml index a49673c..e80e98c 100644 --- a/group_vars/collab.yml +++ b/group_vars/collab.yml 
@@ -5,4 +5,4 @@ datadisks: firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/gitea.yml b/group_vars/gitea.yml index a49673c..e80e98c 100644 --- a/group_vars/gitea.yml +++ b/group_vars/gitea.yml @@ -5,4 +5,4 @@ datadisks: firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/gitearunner.yml b/group_vars/gitearunner.yml index c611eea..0b7f509 100644 --- a/group_vars/gitearunner.yml +++ b/group_vars/gitearunner.yml @@ -1,4 +1,4 @@ --- firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/homeassistant.yml b/group_vars/homeassistant.yml index 92e8f6a..d344ed1 100644 --- a/group_vars/homeassistant.yml +++ b/group_vars/homeassistant.yml @@ -4,4 +4,4 @@ datadisks: firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/influxdb.yml b/group_vars/influxdb.yml index fcdcc1b..be5bea6 100644 --- a/group_vars/influxdb.yml +++ b/group_vars/influxdb.yml @@ -5,4 +5,4 @@ datadisks: firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/ldap.yml b/group_vars/ldap.yml index 85b7b5c..1e3e573 100644 --- a/group_vars/ldap.yml +++ b/group_vars/ldap.yml 
@@ -4,4 +4,4 @@ saslauthd_mech: ldap firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 636, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/log.yml b/group_vars/log.yml index af1b495..00882e3 100644 --- a/group_vars/log.yml +++ b/group_vars/log.yml @@ -4,5 +4,5 @@ datadisks: firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} - {proto: tcp, port: 6514} diff --git a/group_vars/mail.yml b/group_vars/mail.yml index de75efd..43e2603 100644 --- a/group_vars/mail.yml +++ b/group_vars/mail.yml @@ -10,4 +10,4 @@ firewall_in: - {proto: tcp, port: 465} - {proto: tcp, port: 587} - {proto: tcp, port: 993} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/minecraft.yml b/group_vars/minecraft.yml index d87c715..a7ff2b1 100644 --- a/group_vars/minecraft.yml +++ b/group_vars/minecraft.yml @@ -4,6 +4,6 @@ datadisks: - {size: 100, type: nvme} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.30.0/24]} + - {proto: tcp, port: 9100, from: [172.20.30.0/24]} - {proto: tcp, port: 25565, from: [172.20.30.0/24]} - {proto: udp, port: 25565, from: [172.20.30.0/24]} diff --git a/group_vars/mirror.yml b/group_vars/mirror.yml index 4ac63b1..9515b80 100644 --- a/group_vars/mirror.yml +++ b/group_vars/mirror.yml @@ -7,4 +7,4 @@ firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - {proto: tcp, port: 873, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/mongodb.yml b/group_vars/mongodb.yml index e17dd45..656811d 100644 --- a/group_vars/mongodb.yml 
+++ b/group_vars/mongodb.yml @@ -4,3 +4,4 @@ datadisks: firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 27017, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/mqtt.yml b/group_vars/mqtt.yml index ec10fe7..e64ff98 100644 --- a/group_vars/mqtt.yml +++ b/group_vars/mqtt.yml @@ -3,5 +3,5 @@ firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.27.0/24]} - {proto: tcp, port: 1883, from: [172.20.27.0/24]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} - {proto: tcp, port: 8883, from: [172.20.20.0/22, 172.20.27.0/24]} diff --git a/group_vars/nas.yml b/group_vars/nas.yml index 84be798..3cb95e1 100644 --- a/group_vars/nas.yml +++ b/group_vars/nas.yml @@ -9,4 +9,4 @@ firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 2049, from: [172.20.20.0/22]} - {proto: tcp, port: 2049, from: [172.20.30.0/24]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/nms.yml b/group_vars/nms.yml index cbf2fdb..3ebd807 100644 --- a/group_vars/nms.yml +++ b/group_vars/nms.yml @@ -19,7 +19,7 @@ firewall_in: - {proto: udp, port: 123, from: [172.20.25.0/24]} - {proto: tcp, port: 443, from: [172.20.25.0/24]} - {proto: udp, port: 514, from: [172.20.25.0/24]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} firewall_raw: - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - "-A INPUT -i eth1 -p vrrp -j ACCEPT" diff --git a/group_vars/ocinode.yml b/group_vars/ocinode.yml index 9945015..d87fa04 100644 --- a/group_vars/ocinode.yml +++ b/group_vars/ocinode.yml @@ -5,3 +5,4 @@ mem_size: 4192 firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} 
diff --git a/group_vars/print.yml b/group_vars/print.yml index 7029178..2dbeb2c 100644 --- a/group_vars/print.yml +++ b/group_vars/print.yml @@ -14,7 +14,7 @@ firewall_in: - {proto: tcp, port: 53, from: [172.20.24.0/24]} - {proto: udp, port: 53, from: [172.20.24.0/24]} - {proto: tcp, port: 631, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} firewall_raw: - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - "-A INPUT -i eth1 -p vrrp -j ACCEPT" diff --git a/group_vars/proxy.yml b/group_vars/proxy.yml index 3966f13..ec6b4a8 100644 --- a/group_vars/proxy.yml +++ b/group_vars/proxy.yml @@ -48,4 +48,4 @@ firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 80} - {proto: tcp, port: 443} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/relay.yml b/group_vars/relay.yml index b48a3a2..f65b541 100644 --- a/group_vars/relay.yml +++ b/group_vars/relay.yml @@ -41,3 +41,4 @@ firewall_in: - {proto: tcp, port: 443} - {proto: tcp, port: 636} - {proto: tcp, port: 6514} + - {proto: tcp, port: 9100} diff --git a/group_vars/shell.yml b/group_vars/shell.yml index cefac15..2af3bb2 100644 --- a/group_vars/shell.yml +++ b/group_vars/shell.yml @@ -9,4 +9,4 @@ firewall_in: - {proto: tcp, port: 22} - {proto: tcp, port: 80} - {proto: tcp, port: 443} - - {proto: tcp, port: 4949, from: [81.175.130.44/32]} + - {proto: tcp, port: 9100, from: [81.175.130.44/32]} diff --git a/group_vars/sqldb.yml b/group_vars/sqldb.yml index df3c506..f2d2337 100644 --- a/group_vars/sqldb.yml +++ b/group_vars/sqldb.yml @@ -4,3 +4,4 @@ datadisks: firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 3306, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/static.yml b/group_vars/static.yml index 24c3e3a..a6636ac 100644 --- a/group_vars/static.yml 
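Review bot: The new `firewall_in` entry in group_vars/relay.yml, `- {proto: tcp, port: 9100}`, has no `from:` restriction, while every other 9100 rule in this commit is limited to `172.20.20.0/22` (or a single /32 for shell hosts). The neighbouring relay rules for 443, 636 and 6514 are also unrestricted, so relays appear to be reachable from outside, and the node_exporter endpoint would then be scrapeable from any source. Unless the scrape genuinely has to originate outside the admin network, use `- {proto: tcp, port: 9100, from: [172.20.20.0/22]}`; if the relay case is special, a comment above the rule saying why would prevent it being "fixed" later.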
+++ b/group_vars/static.yml @@ -2,4 +2,4 @@ firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/vmhost.yml b/group_vars/vmhost.yml index c611eea..0b7f509 100644 --- a/group_vars/vmhost.yml +++ b/group_vars/vmhost.yml @@ -1,4 +1,4 @@ --- firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/zm.yml b/group_vars/zm.yml index 4da1f4f..03177dc 100644 --- a/group_vars/zm.yml +++ b/group_vars/zm.yml @@ -17,7 +17,7 @@ dhcpd_template: dhcpd.conf.cam.j2 firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - - {proto: tcp, port: 4949, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} firewall_raw: - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - "-A INPUT -i eth1 -p vrrp -j ACCEPT" diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 5281333..7bec34b 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -48,6 +48,7 @@ - pki - psacct - sshd + - node_exporter loop_control: loop_var: role diff --git a/roles/pf/files/pf.conf.gw_fsol b/roles/pf/files/pf.conf.gw_fsol index c6bfb1b..48215c0 100644 --- a/roles/pf/files/pf.conf.gw_fsol +++ b/roles/pf/files/pf.conf.gw_fsol 
@@ -30,9 +30,9 @@ pass quick inet6 proto icmp6 antispoof for lo0 antispoof for vio0 -# admin connection and munin (internal) +# admin connection and node_exporter (internal) pass in quick on $int_if proto tcp from $int_net to self port ssh keep state (no-sync) -pass in quick on $int_if proto tcp from $int_net to self port 4949 keep state (no-sync) +pass in quick on $int_if proto tcp from $int_net to self port 9100 keep state (no-sync) # internal network block in quick from any to self diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/files/pf.conf.gw_home index a71029d..9dd3095 100644 --- a/roles/pf/files/pf.conf.gw_home +++ b/roles/pf/files/pf.conf.gw_home @@ -45,8 +45,8 @@ pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh pass in quick on $ext_if proto tcp from 81.175.155.142/32 to self port ssh -# munin from internal network -pass in quick on $int_if proto tcp from $int_net to self port 4949 +# node_exporter from internal network +pass in quick on $int_if proto tcp from $int_net to self port 9100 # allow dns queries from internal net pass in quick on $int_if proto { tcp, udp } from $int_net to self port domain From f664e0271b4bfaacba392a98f4fdf7768961ada2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Aug 2023 14:34:11 +0000 Subject: [PATCH 031/596] php4dvd: Initial version of role --- roles/php4dvd/handlers/main.yml | 17 ++++++ roles/php4dvd/meta/main.yml | 5 ++ roles/php4dvd/tasks/main.yml | 55 +++++++++++++++++++ .../templates/php4dvd-container.service.j2 | 19 +++++++ .../templates/php4dvd-container.sysconfig.j2 | 5 ++ 5 files changed, 101 insertions(+) create mode 100644 roles/php4dvd/handlers/main.yml create mode 100644 roles/php4dvd/meta/main.yml create mode 100644 roles/php4dvd/tasks/main.yml create mode 100644 roles/php4dvd/templates/php4dvd-container.service.j2 create mode 100644 roles/php4dvd/templates/php4dvd-container.sysconfig.j2 
diff --git a/roles/php4dvd/handlers/main.yml b/roles/php4dvd/handlers/main.yml new file mode 100644 index 0000000..bc94087 --- /dev/null +++ b/roles/php4dvd/handlers/main.yml @@ -0,0 +1,17 @@ +--- +- name: Rebuild php4dvd-container + ansible.builtin.command: + argv: + - podman + - build + - -t + - php4dvd + - /usr/local/src/docker-php4dvd + become: true + become_user: php4dvd + notify: Restart php4dvd-container + +- name: Restart php4dvd-container + ansible.builtin.service: + name: php4dvd-container + state: restarted diff --git a/roles/php4dvd/meta/main.yml b/roles/php4dvd/meta/main.yml new file mode 100644 index 0000000..b8e2a3e --- /dev/null +++ b/roles/php4dvd/meta/main.yml @@ -0,0 +1,5 @@ +--- +dependencies: + - {role: git} + - {role: nginx} + - {role: podman} diff --git a/roles/php4dvd/tasks/main.yml b/roles/php4dvd/tasks/main.yml new file mode 100644 index 0000000..7728945 --- /dev/null +++ b/roles/php4dvd/tasks/main.yml 
@@ -0,0 +1,55 @@ +--- +- name: Create group + ansible.builtin.group: + name: php4dvd + +- name: Create user + ansible.builtin.user: + name: php4dvd + comment: Podman pphp4dvd + group: authcheck + shell: /sbin/nologin + +- name: Get container source + ansible.builtin.git: + dest: /usr/local/src/docker-php4dvd + repo: https://github.com/foo-sh/docker-php4dvd.git + update: false + version: master + notify: Rebuild php4dvd-container + +- name: Create service file + ansible.builtin.template: + dest: /etc/systemd/system/php4dvd-container.service + src: php4dvd-container.service.j2 + mode: 0644 + owner: root + group: "{{ ansible_wheel }}" + +- name: Create service config + ansible.builtin.template: + dest: /etc/sysconfig/php4dvd-container + src: php4dvd-container.sysconfig.j2 + mode: 0600 + owner: root + group: "{{ ansible_wheel }}" + notify: Restart php4dvd-container + +- name: Enable service + ansible.builtin.service: + name: php4dvd-container + state: started + enabled: true + +- name: Copy nginx config + ansible.builtin.copy: + dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/php4dvd-container.conf" + content: | + location /php4dvd { + proxy_pass http://127.0.0.1:8005/; + } + mode: 0644 + owner: root + group: "{{ ansible_wheel }}" + notify: Restart nginx + diff --git a/roles/php4dvd/templates/php4dvd-container.service.j2 b/roles/php4dvd/templates/php4dvd-container.service.j2 new file mode 100644 index 0000000..277bb16 --- /dev/null +++ b/roles/php4dvd/templates/php4dvd-container.service.j2 
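Review bot: `Create user` in roles/php4dvd/tasks/main.yml puts the new `php4dvd` account into `group: authcheck`, while the preceding `Create group` task creates a `php4dvd` group that is then never used; this reads as a copy-over from the authcheck role and should be `group: php4dvd` (the `comment: Podman pphp4dvd` typo looks like it came from the same paste). The nginx snippet written by `Copy nginx config` uses `location /php4dvd` without a trailing slash, so it also matches `/php4dvdanything` and rewrites `/php4dvd/x` to `//x` on the upstream; `location /php4dvd/ {` matches the `…/php4dvd/` path that playbooks/proxy.yml proxies to in the next commit. The file modes `0644`/`0600` are unquoted octal, which ansible-lint reports as `risky-octal`; `mode: "0644"` and `mode: "0600"` keep the intent explicit.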
@@ -0,0 +1,19 @@ +[Unit] +Description=php4dvd Container +Wants=network-online.target +After=network-online.target + +[Service] +User=php4dvd +EnvironmentFile=/etc/sysconfig/php4dvd-container +ExecStart=/usr/bin/podman run \ + --rm -p 127.0.0.1:8005:80 \ + --name php4dvd \ + --env PHP4DVD_* \ + --volume /export/volumes/php4dvd:/var/www/html/movies:rw,Z \ + php4dvd:latest +ExecStop=/usr/bin/podman stop --ignore php4dvd +ExecStopPost=/usr/bin/podman rm -f --ignore php4dvd + +[Install] +WantedBy=multi-user.target diff --git a/roles/php4dvd/templates/php4dvd-container.sysconfig.j2 b/roles/php4dvd/templates/php4dvd-container.sysconfig.j2 new file mode 100644 index 0000000..af894b5 --- /dev/null +++ b/roles/php4dvd/templates/php4dvd-container.sysconfig.j2 @@ -0,0 +1,5 @@ +PHP4DVD_DB_HOST=sqldb02.home.foo.sh +PHP4DVD_DB_NAME=php4dvd +PHP4DVD_DB_USER=php4dvd +PHP4DVD_DB_PASS={{ php4dvd_mysql_pass }} +PHP4DVD_USER_GUESTVIEW=true From 31b38dfc2f44576b623c919d9751c5eb2be6048f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Aug 2023 14:34:33 +0000 Subject: [PATCH 032/596] Add movies.foo.sh to proxy servers --- playbooks/proxy.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index e625b08..104f9fe 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -80,6 +80,10 @@ - role: nginx/site site: mirrors.foo.sh proxy: https://mirror01.home.foo.sh/ + - role: nginx/site + site: movies.foo.sh + proxy: + - https://oci-node01.home.foo.sh/php4dvd/ - role: nginx/site site: noc.foo.sh proxy: From 5fc2d161ad615a5e230b7b4979ec50ec73d34e7a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Aug 2023 14:35:00 +0000 Subject: [PATCH 033/596] Add php4dvd to oci-node01 and create local storage --- playbooks/oci-node.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/playbooks/oci-node.yml b/playbooks/oci-node.yml index 231a6c4..5d2a8c7 100644 --- a/playbooks/oci-node.yml 
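Review bot: The unit in php4dvd-container.service.j2 has no `Restart=` line, so when the `--rm` container exits on its own (for example the database at `PHP4DVD_DB_HOST` not being reachable yet at boot) systemd leaves the service down until the next ansible run; `Restart=on-failure` and `RestartSec=10` under `[Service]` are the usual additions. The whole `PHP4DVD_*` set, including `PHP4DVD_DB_PASS` from the 0600 sysconfig file, is handed to the container as environment and is therefore visible in `podman inspect` output for the `php4dvd` user; that is tolerable on a single-purpose host, but podman's secret mechanism would keep it out of the inspect output if the image supports reading the password from a file. Note that the template contains no Jinja expressions at all, so it could equally be shipped via `ansible.builtin.copy` as a plain file.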
+++ b/playbooks/oci-node.yml @@ -12,9 +12,24 @@ vars_files: - "{{ ansible_private }}/vars.yml" + pre_tasks: + - name: Mount /export + ansible.posix.mount: + name: /export + src: LABEL=/export + fstype: xfs + opts: noatime,noexec,nosuid,nodev + passno: "0" + dump: "0" + state: mounted + when: ansible_fqdn == 'oci-node01.home.foo.sh' + roles: - base - authcheck - grafana - kdc - - roundcube + - role: php4dvd + when: ansible_fqdn == 'oci-node01.home.foo.sh' + - role: roundcube + when: ansible_fqdn == 'oci-node01.home.foo.sh' From 61e057a7e9356217a2672ab10864a1b7a3af2ea4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Aug 2023 14:35:42 +0000 Subject: [PATCH 034/596] Add data disk to oci-node01 --- host_vars/oci-node01.home.foo.sh.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/host_vars/oci-node01.home.foo.sh.yml b/host_vars/oci-node01.home.foo.sh.yml index 0cc5278..9116611 100644 --- a/host_vars/oci-node01.home.foo.sh.yml +++ b/host_vars/oci-node01.home.foo.sh.yml @@ -1,5 +1,7 @@ --- vmhost: vmhost01.home.foo.sh +datadisks: + - {size: 10, type: nvme} network_interfaces: - device: eth0 vlan: 20 From b6754d49e7384def8224b93f7e70107296da1fed Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Aug 2023 14:37:21 +0000 Subject: [PATCH 035/596] Reserve uid/gid for prometheus --- user.list | 1 + 1 file changed, 1 insertion(+) diff --git a/user.list b/user.list index 3fc5a6d..6e27844 100644 --- a/user.list +++ b/user.list @@ -9,6 +9,7 @@ id user group notes 301 influxdb influxdb 302 mongod mongod 303 gitea gitea +305 prometheus prometheus 1001 mirror mirror 1002 certbot certbot 1003 collab collab From 7f3bb95d2f5870bd96ed5b03eda7f0f8ef6fc11d Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sat, 26 Aug 2023 16:26:11 +0000 Subject: [PATCH 036/596] mirror/thinlinc: Refactor download script --- ...nc-thinlinc-repo => sync-thinlinc-repo.sh} | 23 ++++++++++++------- 1 file changed, 15 insertions(+), 8 deletions(-) rename roles/mirror/thinlinc/files/{sync-thinlinc-repo => sync-thinlinc-repo.sh} (59%) diff --git a/roles/mirror/thinlinc/files/sync-thinlinc-repo b/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh similarity index 59% rename from roles/mirror/thinlinc/files/sync-thinlinc-repo rename to roles/mirror/thinlinc/files/sync-thinlinc-repo.sh index 2638197..6d6c44a 100755 --- a/roles/mirror/thinlinc/files/sync-thinlinc-repo +++ b/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh @@ -1,4 +1,6 @@ -#!/bin/bash +#!/bin/sh + +set -eu umask 022 @@ -16,8 +18,8 @@ if [ ! -d "${REPODIR}" ]; then mkdir "${REPODIR}" fi -LOCATION=$(curl -s "${BASEURL}/thinlinc/download" | \ - sed -n 's/^.*64-bit.*/\1/p') +LOCATION=$(curl -sf "${BASEURL}/thinlinc/download/" | \ + sed -n 's/^.*&2 exit 1 
@@ -25,20 +27,25 @@ fi PKGNAME="$(basename "${LOCATION}")" if [ ! -f "${REPODIR}/${PKGNAME}" ]; then - echo "New thinlinc version found" + VERSION="$(echo "$PKGNAME" | sed -n 's/^thinlinc-client-\([0-9\.]*\)-[0-9]*\.x86_64\.rpm/\1/p')" + + echo "New thinlinc version ${VERSION} found" echo "" + tmpfile="$(mktemp)" + trap 'rm -f "$tmpfile"' EXIT + # assume that server version goes in-line with client echo "Downloading server package:" - curl -so "${REPODIR}/.server.zip" "${BASEURL}/downloads/server/download.py" + curl -sfo "$tmpfile" "${BASEURL}/downloads/server/tl-${VERSION}-server.zip" echo "Extracting server rpm files:" - unzip -jd ${REPODIR} ${REPODIR}/.server.zip \*.rpm + unzip -jfvd "$REPODIR" "$tmpfile" \*.rpm echo "Cleaning up..." - rm -f ${REPODIR}/.server.zip echo "" echo "Downloading client rpm package:" - curl -so "${REPODIR}/${PKGNAME}" "${BASEURL}${LOCATION}" + echo $LOCATION + curl -sfo "${REPODIR}/${PKGNAME}" "${LOCATION}" echo "" echo "Updating repository metadata:" createrepo_c "${REPODIR}" From a78ac15a72f44209e67d3a0bd70dfa5f46ffc05b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 26 Aug 2023 16:28:13 +0000 Subject: [PATCH 037/596] mirror/thinlinc: Remove debug print --- roles/mirror/thinlinc/files/sync-thinlinc-repo.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh b/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh index 6d6c44a..5c20723 100755 --- a/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh +++ b/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh @@ -44,7 +44,6 @@ if [ ! -f "${REPODIR}/${PKGNAME}" ]; then echo "" echo "Downloading client rpm package:" - echo $LOCATION curl -sfo "${REPODIR}/${PKGNAME}" "${LOCATION}" echo "" echo "Updating repository metadata:" From 31152b904ac4b081d51baf6d8891b0528317d023 Mon Sep 17 00:00:00 2001 
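Review bot: The rewritten download path in sync-thinlinc-repo.sh still publishes whatever the vendor site returns with no integrity check: the server zip is unpacked straight into `${REPODIR}` and the client rpm is copied there, then `createrepo_c` indexes both, so a tampered or truncated download (`curl -f` only catches HTTP error statuses) becomes part of the internal repository. If the vendor signs its rpms, verify them before indexing, e.g. `rpm -K "${REPODIR}"/*.rpm` after the unzip with a check that a signature (not just digests) is reported; otherwise compare against a published checksum. `VERSION` is derived by `sed` from `PKGNAME` and is silently empty when the pattern does not match, so the server URL degrades to `tl--server.zip`; `[ -n "$VERSION" ] || { echo "cannot parse version from ${PKGNAME}" >&2; exit 1; }` before the download gives a clear failure instead of a curl error. The enclosing `if [ ! -f ... ]` block continues past the end of this hunk.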
From: Timo Makinen Date: Sat, 26 Aug 2023 16:29:18 +0000 Subject: [PATCH 038/596] mirror/thinlinc: Fix deploying sync script --- roles/mirror/thinlinc/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mirror/thinlinc/tasks/main.yml b/roles/mirror/thinlinc/tasks/main.yml index 4a7f785..78e0525 100644 --- a/roles/mirror/thinlinc/tasks/main.yml +++ b/roles/mirror/thinlinc/tasks/main.yml @@ -27,7 +27,7 @@ - name: Copy sync script ansible.builtin.copy: dest: /usr/local/bin/sync-thinlinc-repo - src: sync-thinlinc-repo + src: sync-thinlinc-repo.sh mode: 0755 owner: root group: root From a231ea1ece83104a4385579d98fbf88a145413fd Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 28 Aug 2023 19:42:21 +0000 Subject: [PATCH 039/596] mirror/base: Send cron mails to root --- roles/mirror/base/tasks/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/mirror/base/tasks/main.yml b/roles/mirror/base/tasks/main.yml index fbeeac4..513291c 100644 --- a/roles/mirror/base/tasks/main.yml +++ b/roles/mirror/base/tasks/main.yml @@ -75,6 +75,13 @@ owner: root group: root +- name: Send cron mails to root + ansible.builtin.cron: + name: MAILTO + job: root + env: true + user: mirror + - name: Create mirror cron job ansible.builtin.cron: name: sync-mirrors From 3a39e40710bc7d8cdfc7a61fa955e862d88c46bc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 12 Sep 2023 16:36:35 +0000 Subject: [PATCH 040/596] Increase memory size on mail hosts --- group_vars/mail.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/mail.yml b/group_vars/mail.yml index 43e2603..ebf99cb 100644 --- a/group_vars/mail.yml +++ b/group_vars/mail.yml @@ -1,7 +1,7 @@ --- datadisks: - {size: 10, type: nvme} - +mem_size: 4192 firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 25} From 0d621444c91afe8c8e1d3e45b0f6540d885090f0 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Tue, 12 Sep 2023 22:16:15 +0000 Subject: [PATCH 041/596] nginx/site: Move static data to static01 --- roles/nginx/site/templates/www.foo.sh.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nginx/site/templates/www.foo.sh.conf.j2 b/roles/nginx/site/templates/www.foo.sh.conf.j2 index ad34c06..c3af36f 100644 --- a/roles/nginx/site/templates/www.foo.sh.conf.j2 +++ b/roles/nginx/site/templates/www.foo.sh.conf.j2 @@ -3,9 +3,9 @@ } location /roles/ { - proxy_pass https://static02.home.foo.sh/roles/; + proxy_pass https://static01.home.foo.sh/roles/; } location /~ { - proxy_pass https://static02.home.foo.sh/~; + proxy_pass https://static01.home.foo.sh/~; } From c077b5a41a9bb8069d5e3791e36504df8bdcd043 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 12 Sep 2023 22:16:36 +0000 Subject: [PATCH 042/596] node_exporter: Fix service name from restart --- roles/node_exporter/handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/node_exporter/handlers/main.yml b/roles/node_exporter/handlers/main.yml index f522d75..5018dae 100644 --- a/roles/node_exporter/handlers/main.yml +++ b/roles/node_exporter/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: Restart node_exporter ansible.builtin.service: - name: "{{ node_exporter_package }}" + name: "{{ node_exporter_service }}" state: restarted From f701cfd4c9f7b90cedfa9ad2f52106fab5c6cbdb Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 16 Sep 2023 19:18:09 +0000 Subject: [PATCH 043/596] ansible_host: Remove python 3.11 netaddr kludge --- roles/ansible_host/tasks/main.yml | 24 ++---------------------- 1 file changed, 2 insertions(+), 22 deletions(-) diff --git a/roles/ansible_host/tasks/main.yml b/roles/ansible_host/tasks/main.yml index 486e145..a5f93f1 100644 --- a/roles/ansible_host/tasks/main.yml +++ b/roles/ansible_host/tasks/main.yml 
@@ -8,27 +8,7 @@ - ansible-collection-ansible-posix - ansible-collection-community-general - python3.11-dns # required for lookup('dig', 'hostname') - - python3-netaddr # required by iptables role - -- name: Create python3.11 lib directories - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0755 - owner: root - group: "{{ ansible_wheel }}" - with_items: - - /usr/local/lib/python3.11 - - /usr/local/lib/python3.11/site-packages - -- name: Kludge to add netaddr to python3.11 until package is released - ansible.builtin.copy: - dest: /usr/local/lib/python3.11/site-packages/netaddr - src: /usr/lib/python3.9/site-packages/netaddr - mode: preserve - owner: root - group: "{{ ansible_wheel }}" - remote_src: true + - python3.11-netaddr # required by iptables role - name: Create private directory and force permissions ansible.builtin.file: @@ -55,7 +35,7 @@ - name: Clone ansible repository ansible.builtin.git: dest: /srv/ansible - repo: https://git.foo.sh/ansible.git + repo: https://git.foo.sh/foo.sh/ansible.git update: false version: master From b2339cd877cfdd1727c4fa0fa816effe9c71c5c5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 18 Sep 2023 16:09:08 +0000 Subject: [PATCH 044/596] mirror/thinlinc: Fix updating server packages --- roles/mirror/thinlinc/files/sync-thinlinc-repo.sh | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh b/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh index 5c20723..fc0d3d2 100755 --- a/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh +++ b/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh 
@@ -39,9 +39,7 @@ if [ ! -f "${REPODIR}/${PKGNAME}" ]; then echo "Downloading server package:" curl -sfo "$tmpfile" "${BASEURL}/downloads/server/tl-${VERSION}-server.zip" echo "Extracting server rpm files:" - unzip -jfvd "$REPODIR" "$tmpfile" \*.rpm - echo "Cleaning up..." - echo "" + unzip -jd "$REPODIR" "$tmpfile" \*.rpm echo "Downloading client rpm package:" curl -sfo "${REPODIR}/${PKGNAME}" "${LOCATION}" @@ -50,4 +48,3 @@ if [ ! -f "${REPODIR}/${PKGNAME}" ]; then createrepo_c "${REPODIR}" echo "" fi - From 9770232f66b0dd6672c23e98e4c6df2f4b014204 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 19 Sep 2023 06:27:25 +0000 Subject: [PATCH 045/596] thinlinc_server: Changes to support version 4.15.0 --- roles/thinlinc_server/files/tl-setup.local.sh | 2 ++ roles/thinlinc_server/tasks/main.yml | 11 ++--------- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/roles/thinlinc_server/files/tl-setup.local.sh b/roles/thinlinc_server/files/tl-setup.local.sh index c657426..118350e 100755 --- a/roles/thinlinc_server/files/tl-setup.local.sh +++ b/roles/thinlinc_server/files/tl-setup.local.sh @@ -1,5 +1,7 @@ #!/bin/sh +set -eu + cat < /root/tl-setup.answer install-pygtk=yes email-address=adm@foo.sh diff --git a/roles/thinlinc_server/tasks/main.yml b/roles/thinlinc_server/tasks/main.yml index 554e527..76a2b43 100644 --- a/roles/thinlinc_server/tasks/main.yml +++ b/roles/thinlinc_server/tasks/main.yml @@ -5,6 +5,7 @@ state: installed with_items: - gtk3 + - librsvg2 - polkit - python3 - python3-gobject @@ -19,16 +20,8 @@ - name: Install packages ansible.builtin.package: - name: "{{ item }}" + name: "thinlinc-server" state: installed - with_items: - - thinlinc-tladm - - thinlinc-tlmisc - - thinlinc-tlmisc-libs - - thinlinc-tlprinter - - thinlinc-vnc-server - - thinlinc-vsm - - thinlinc-webaccess - name: Run ThinLinc setup ansible.builtin.script: From a92546e6673a3144a446e4ef38c5c907deacb197 Mon Sep 17 00:00:00 2001 
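Review bot: `unzip -jd "$REPODIR" "$tmpfile" \*.rpm` in the first hunk has no overwrite policy: if an rpm of the same name already exists in REPODIR, unzip prompts, and in an unattended run it reads EOF on stdin and skips the file, so a re-run does not refresh a changed package; `unzip -ojd "$REPODIR" "$tmpfile" \*.rpm` (or `-n` if skipping is the intent) makes the outcome deterministic. The archive is also fetched with `curl -sfo` and unpacked with no integrity check beyond TLS; if the vendor publishes a checksum for the server zip, comparing it before unzip would keep a truncated or tampered download out of the repo. The enclosing `if` block starts outside the hunk.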
From: Timo Makinen Date: Sun, 8 Oct 2023 16:02:27 +0000 Subject: [PATCH 046/596] php4dvd: Install updates when available --- roles/php4dvd/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/php4dvd/tasks/main.yml b/roles/php4dvd/tasks/main.yml index 7728945..cfc53f6 100644 --- a/roles/php4dvd/tasks/main.yml +++ b/roles/php4dvd/tasks/main.yml @@ -14,7 +14,7 @@ ansible.builtin.git: dest: /usr/local/src/docker-php4dvd repo: https://github.com/foo-sh/docker-php4dvd.git - update: false + update: true version: master notify: Rebuild php4dvd-container From c653ac3f2f0e867880c1e363787a83359b9a6d1d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 8 Oct 2023 16:06:42 +0000 Subject: [PATCH 047/596] kdc: Keep container up to date --- roles/kdc/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/kdc/tasks/main.yml b/roles/kdc/tasks/main.yml index a2dcd3b..bb7a39f 100644 --- a/roles/kdc/tasks/main.yml +++ b/roles/kdc/tasks/main.yml @@ -14,7 +14,7 @@ ansible.builtin.git: dest: /usr/local/src/docker-kdc repo: https://github.com/foo-sh/docker-kdc.git - update: false + update: true version: main notify: Rebuild kdc-container From 42f725d6f87f803d38f2b65f458a083436dd43f8 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 8 Oct 2023 16:09:31 +0000 Subject: [PATCH 048/596] authcheck: Keep container up to date --- roles/authcheck/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/authcheck/tasks/main.yml b/roles/authcheck/tasks/main.yml index 222d5b4..36d96fa 100644 --- a/roles/authcheck/tasks/main.yml +++ b/roles/authcheck/tasks/main.yml @@ -14,7 +14,7 @@ ansible.builtin.git: dest: /usr/local/src/docker-authcheck repo: https://github.com/foo-sh/docker-authcheck.git - update: false + update: true version: main notify: Rebuild authcheck-container From 0db76e1481822a8c61fcfad4a6aca420b035ba4a Mon Sep 17 00:00:00 2001 
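Review bot: `update: true` together with the unpinned `version: master` means every playbook run now pulls whatever the upstream GitHub branch holds at that moment and, through `notify: Rebuild php4dvd-container`, rebuilds and redeploys it with no review step; the kdc (`version: main`) and authcheck hunks of the next two commits introduce the same pattern, and the KDC is where an unreviewed upstream change hurts most. Pinning `version:` to a release tag or commit id, bumped deliberately the way hosts.yml pins other software versions, keeps the auto-update path while leaving a change record. The task list continues outside each hunk.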
From: Timo Makinen Date: Tue, 10 Oct 2023 18:47:13 +0000 Subject: [PATCH 049/596] nginx/server: Update nginx to 1.22 on rhel hosts --- roles/nginx/server/tasks/main.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/nginx/server/tasks/main.yml b/roles/nginx/server/tasks/main.yml index 33fc042..d30b37e 100644 --- a/roles/nginx/server/tasks/main.yml +++ b/roles/nginx/server/tasks/main.yml @@ -2,18 +2,19 @@ - name: Include OS-specific variables ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" -- name: Enable nginx:120 module +- name: Enable nginx:122 module ansible.builtin.command: argv: - dnf - module - -y - enable - - nginx:1.20 + - nginx:1.22 creates: /etc/dnf/modules.d/nginx.module + notify: Restart nginx when: - ansible_os_family == "RedHat" - - ansible_distribution_major_version | int == 8 + - ansible_distribution_major_version | int >= 8 - ansible_distribution != "Fedora" - name: Install packages From d7b9f69dd0db27cbce5ea2c1186bc3462307cb27 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 11 Oct 2023 20:28:42 +0000 Subject: [PATCH 050/596] Update software versions --- hosts.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/hosts.yml b/hosts.yml index 7c55f68..5b738a1 100644 --- a/hosts.yml +++ b/hosts.yml @@ -21,7 +21,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.20.2" + gitea_version: "1.20.5" gitearunner: hosts: gitea-runner02.home.foo.sh: @@ -31,7 +31,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2023.8.2" + homeassistant_version: "2023.10.1" homeassistant_integrations: - name: electrolux_status repo: https://github.com/mauro-midolo/homeassistant_electrolux_status.git 
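Review bot: The module-enable task keeps `creates: /etc/dnf/modules.d/nginx.module`, so on hosts where an earlier run already enabled `nginx:1.20` that file exists, the command is skipped and the host silently stays on 1.20 despite the commit's intent; the new `notify: Restart nginx` never fires there either. Gating on the currently enabled stream instead of on the file's existence fixes that, and `dnf module switch-to` (if I recall dnf's semantics correctly) also moves the installed packages to the new stream rather than only enabling it. The query task needs `failed_when: false` because dnf exits non-zero when no stream is enabled. The task list continues outside the hunk.
```yaml
- name: Check enabled nginx module stream
  ansible.builtin.command:
    argv:
      - dnf
      - module
      - list
      - --enabled
      - nginx
  register: nginx_module_stream
  changed_when: false
  failed_when: false
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version | int >= 8
    - ansible_distribution != "Fedora"

- name: Enable nginx:122 module
  ansible.builtin.command:
    argv:
      - dnf
      - module
      - switch-to
      - -y
      - nginx:1.22
  notify: Restart nginx
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version | int >= 8
    - ansible_distribution != "Fedora"
    - "'1.22' not in (nginx_module_stream.stdout | default(''))"
```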
@@ -78,9 +78,9 @@ ocinode:
 oci-node01.home.foo.sh:
 oci-node02.home.foo.sh:
 vars:
- grafana_version: "10.0.3"
- rocketchat_version: "6.31"
- roundcube_version: "1.6.1"
+ grafana_version: "10.1.4"
+ rocketchat_version: "6.4.1"
+ roundcube_version: "1.6.3"
 print:
 hosts:
 print01.home.foo.sh:
From eb90c60317a6679eb805e6591b440c243f1d7525 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 11 Oct 2023 20:37:21 +0000
Subject: [PATCH 051/596] Update gitea_runner
---
 hosts.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts.yml b/hosts.yml
index 5b738a1..c056a2c 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -26,7 +26,7 @@ gitearunner:
 hosts:
 gitea-runner02.home.foo.sh:
 vars:
- gitea_runner_version: "0.2.5"
+ gitea_runner_version: "0.2.6"
 homeassistant:
 hosts:
 homeassistant01.home.foo.sh:
From 04e140c8d535b5ec71340e8991ea25f3d087bdcd Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 12 Oct 2023 16:33:52 +0000
Subject: [PATCH 052/596] php4dvd: lint fixes
---
 roles/php4dvd/tasks/main.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/roles/php4dvd/tasks/main.yml b/roles/php4dvd/tasks/main.yml
index cfc53f6..85b1042 100644
--- a/roles/php4dvd/tasks/main.yml
+++ b/roles/php4dvd/tasks/main.yml
@@ -22,7 +22,7 @@
 ansible.builtin.template:
 dest: /etc/systemd/system/php4dvd-container.service
 src: php4dvd-container.service.j2
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -30,7 +30,7 @@
 ansible.builtin.template:
 dest: /etc/sysconfig/php4dvd-container
 src: php4dvd-container.sysconfig.j2
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart php4dvd-container
@@ -48,8 +48,7 @@
 location /php4dvd {
 proxy_pass http://127.0.0.1:8005/;
 }
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart nginx
-
From baab3192b0c604052b7adf834fd33873a4fd7d23 Mon Sep 17 00:00:00 2001
From: Timo Makinen Date: Thu, 12 Oct 2023 17:56:44 +0000 Subject: [PATCH 053/596] prometheus: Make version configurable --- roles/prometheus/tasks/main.yml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index 7ec1353..8f9face 100644 --- a/roles/prometheus/tasks/main.yml +++ b/roles/prometheus/tasks/main.yml @@ -16,7 +16,12 @@ - name: Extract package ansible.builtin.unarchive: - src: https://github.com/prometheus/prometheus/releases/download/v2.45.0/prometheus-2.45.0.linux-amd64.tar.gz + src: >- + {{ + "https://github.com/prometheus/prometheus/releases/download/v" + + prometheus_version + "/prometheus-" + prometheus_version + + ".linux-amd64.tar.gz" + }} dest: /usr/local/src owner: root group: "{{ ansible_wheel }}" @@ -25,11 +30,13 @@ - name: Copy binaries ansible.builtin.copy: dest: "/usr/local/sbin/{{ item }}" - src: "/usr/local/src/prometheus-2.45.0.linux-amd64/{{ item }}" + src: >- + /usr/local/src/prometheus-{{ prometheus_version }}.linux-amd64/{{ item }} mode: "0755" owner: root group: "{{ ansible_wheel }}" remote_src: true + notify: Restart prometheus with_items: - promtool - prometheus @@ -109,7 +116,7 @@ location / { proxy_pass http://127.0.0.1:9090; } - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx From 77df67fd664916f09a0af5d7e940eb38a306532a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 12 Oct 2023 18:04:49 +0000 Subject: [PATCH 054/596] gitea: Linting and use .bashrc instead of .profile --- roles/gitea/defaults/main.yml | 6 +++++- roles/gitea/tasks/main.yml | 17 +++++++++-------- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml index 6a37123..8581431 100644 --- a/roles/gitea/defaults/main.yml +++ b/roles/gitea/defaults/main.yml 
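Review bot: The "Extract package" task still streams the tarball straight from GitHub into `ansible.builtin.unarchive`, which has no checksum option, so a binary that ends up in /usr/local/sbin and runs as a service is never integrity-checked; Prometheus publishes `sha256sums.txt` next to each release, and `ansible.builtin.get_url` can verify against that file by URL before a local `unarchive` with `remote_src: true`. Separately, the diffstat shows no defaults file change, so `prometheus_version` now has to come from inventory; a `roles/prometheus/defaults/main.yml` with `prometheus_version: "2.45.0"` would preserve the previously pinned value for hosts that do not set it. The task list continues outside the hunks.
```yaml
- name: Download package
  ansible.builtin.get_url:
    url: >-
      {{
        "https://github.com/prometheus/prometheus/releases/download/v"
        + prometheus_version + "/prometheus-" + prometheus_version
        + ".linux-amd64.tar.gz"
      }}
    checksum: >-
      {{
        "sha256:https://github.com/prometheus/prometheus/releases/download/v"
        + prometheus_version + "/sha256sums.txt"
      }}
    dest: "/usr/local/src/prometheus-{{ prometheus_version }}.linux-amd64.tar.gz"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"

- name: Extract package
  ansible.builtin.unarchive:
    src: "/usr/local/src/prometheus-{{ prometheus_version }}.linux-amd64.tar.gz"
    remote_src: true
    # … unchanged: dest, owner, group …
```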
@@ -1,2 +1,6 @@ --- -gitea_url: "https://dl.gitea.com/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-{{ ansible_system | lower }}-amd64" +gitea_url: >- + {{ + "https://dl.gitea.com/gitea/" + gitea_version + "/gitea-" + + gitea_version + "-" + ansible_system | lower + "-amd64" + }} diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index 5ef87c0..2eafa5e 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml @@ -4,7 +4,7 @@ url: "{{ gitea_url }}" checksum: "sha256:{{ gitea_url }}.sha256" dest: /usr/local/bin/gitea - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" notify: Restart gitea @@ -28,7 +28,7 @@ ansible.builtin.file: path: /etc/gitea state: directory - mode: 0750 + mode: "0750" owner: root group: gitea @@ -36,7 +36,7 @@ ansible.builtin.template: dest: /etc/gitea/app.ini src: app.ini.j2 - mode: 0640 + mode: "0640" owner: root group: gitea notify: Restart gitea @@ -45,7 +45,7 @@ ansible.builtin.file: path: /export/gitea state: directory - mode: 0750 + mode: "0750" owner: gitea group: gitea @@ -62,7 +62,7 @@ ansible.builtin.copy: dest: /etc/systemd/system/gitea.service src: gitea.service - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart gitea @@ -87,14 +87,15 @@ location / { proxy_pass http://127.0.0.1:3000; } - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx - name: Add gitea alias for root ansible.builtin.blockinfile: - path: /root/.bash_profile + path: /root/.bashrc block: | # run gitea as gitea user - alias gitea='sudo -u gitea HOME=/srv/gitea GITEA_WORK_DIR=/srv/gitea /usr/local/bin/gitea -c /etc/gitea/app.ini' + alias gitea='sudo -u gitea HOME=/srv/gitea GITEA_WORK_DIR=/srv/gitea \ + /usr/local/bin/gitea -c /etc/gitea/app.ini' From e7f363cda58eeba0168387f140721db4894cabae Mon Sep 17 00:00:00 2001 
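Review bot: The backslash-newline inside the single-quoted alias in the last hunk (@@ -87,14 +87,15 @@) is stored literally in the alias text; bash re-scans alias replacements so it most likely still works, but `alias gitea` output becomes confusing and the result depends on that re-lexing. A shell function keeps the short lines the linter wanted, forwards arguments explicitly via `"$@"`, and has no quoting subtlety. The gitea_url expression in the first hunk is fine as written, since Jinja applies `| lower` before the `+` concatenation.
```yaml
- name: Add gitea alias for root
  ansible.builtin.blockinfile:
    path: /root/.bashrc
    block: |
      # run gitea as gitea user
      gitea() {
        sudo -u gitea HOME=/srv/gitea GITEA_WORK_DIR=/srv/gitea \
          /usr/local/bin/gitea -c /etc/gitea/app.ini "$@"
      }
```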
From: Timo Makinen
Date: Thu, 12 Oct 2023 18:06:57 +0000
Subject: [PATCH 055/596] websockify: Lint fixes
---
 roles/websockify/tasks/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/websockify/tasks/main.yml b/roles/websockify/tasks/main.yml
index 27d1ba0..1388e87 100644
--- a/roles/websockify/tasks/main.yml
+++ b/roles/websockify/tasks/main.yml
@@ -23,7 +23,7 @@
 ansible.builtin.template:
 dest: /etc/websockify.conf
 src: websockify.conf.j2
- mode: 0640
+ mode: "0640"
 owner: root
 group: websock
 notify: Restart websockify
@@ -32,7 +32,7 @@
 ansible.builtin.copy:
 dest: /etc/rc.d/websockify
 src: rc.websockify
- mode: 0555
+ mode: "0555"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart websockify
From ae000b791b6def0f7baafb45a816c0fd82c70c08 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 12 Oct 2023 18:08:07 +0000
Subject: [PATCH 056/596] mosquitto: Lint fixes
---
 roles/mosquitto/tasks/main.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/roles/mosquitto/tasks/main.yml b/roles/mosquitto/tasks/main.yml
index 44a1681..5e29a25 100644
--- a/roles/mosquitto/tasks/main.yml
+++ b/roles/mosquitto/tasks/main.yml
@@ -15,7 +15,7 @@
 ansible.builtin.file:
 path: /etc/mosquitto/conf.d
 state: directory
- mode: 0750
+ mode: "0750"
 owner: root
 group: _mosquitto
@@ -30,7 +30,7 @@
 ansible.builtin.template:
 dest: /etc/mosquitto/conf.d/local.conf
 src: mosquitto.conf.j2
- mode: 0640
+ mode: "0640"
 owner: root
 group: _mosquitto
 notify: Restart mosquitto
@@ -39,7 +39,7 @@
 ansible.builtin.copy:
 dest: /etc/mosquitto/acl.conf
 src: "{{ ansible_private }}/files/mosquitto/acl.conf"
- mode: 0640
+ mode: "0640"
 owner: root
 group: _mosquitto
 notify: Restart mosquitto
@@ -48,7 +48,7 @@
 ansible.builtin.copy:
 dest: /etc/mosquitto/passwd
 src: "{{ ansible_private }}/files/mosquitto/passwd"
- mode: 0640
+ mode: "0640"
 owner: root
 group: _mosquitto
 notify: Restart mosquitto
From ee2f2154be41742abbc7bf9a3bcff23bf55ccd22 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 12 Oct 2023 18:08:59 +0000
Subject: [PATCH 057/596] spamassassin: Lint fixes
---
 roles/spamassassin/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/spamassassin/tasks/main.yml b/roles/spamassassin/tasks/main.yml
index efd698c..93310d5 100644
--- a/roles/spamassassin/tasks/main.yml
+++ b/roles/spamassassin/tasks/main.yml
@@ -8,7 +8,7 @@
 ansible.builtin.copy:
 dest: /etc/mail/spamassassin/local.cf
 src: local.cf
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart spamassassin
From ee25d32b604c932b79b11b0b29abda0a823cb435 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 12 Oct 2023 18:09:44 +0000
Subject: [PATCH 058/596] relayd: Lint fixes
---
 roles/relayd/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/relayd/tasks/main.yml b/roles/relayd/tasks/main.yml
index 35befda..1e82b13 100644
--- a/roles/relayd/tasks/main.yml
+++ b/roles/relayd/tasks/main.yml
@@ -3,7 +3,7 @@
 ansible.builtin.template:
 dest: /etc/relayd.conf
 src: relayd.conf.j2
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
 validate: "relayd -n -f %s"
From 70cdfd46128bda97d89de550fe258c51c7be6de2 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 12 Oct 2023 18:32:40 +0000
Subject: [PATCH 059/596] mirror: Lint fixes
---
 playbooks/mirror.yml | 28 +++++++++++-----------
 roles/mirror/base/tasks/main.yml | 12 +++++-----
 roles/mirror/reportmirror/tasks/main.yml | 7 +++---
 roles/mirror/sync/defaults/main.yml | 4 ++--
 roles/mirror/sync/tasks/main.yml | 14 +++++------
 roles/mirror/sync/templates/mirror.conf.j2 | 6 ++---
 roles/mirror/thinlinc/tasks/main.yml | 4 ++--
 7 files changed, 38 insertions(+), 37 deletions(-)
diff --git a/playbooks/mirror.yml b/playbooks/mirror.yml
index 7300be7..18dc167 100644
--- a/playbooks/mirror.yml
+++ b/playbooks/mirror.yml
@@ -33,19 +33,19 @@ sitename: foo.sh password: "{{ report_mirror_pass }}" - role: mirror/sync - label: fedora-epel - source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\ - fedora.redhat.com/pub/epel" - rsyncoptions: + mirror_label: fedora-epel + mirror_source: + "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/fedora.redhat.com/pub/epel" + mirror_rsyncoptions: - "--exclude=SRPMS" - "--exclude=debug" - "--delete-excluded" - postcmd: python3 /usr/local/bin/report_mirror + mirror_postcmd: python3 /usr/local/bin/report_mirror - role: mirror/sync - label: fedora - source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\ - fedora.redhat.com/pub/fedora/linux/" - rsyncoptions: + mirror_label: fedora + mirror_source: + "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/fedora.redhat.com/pub/fedora/linux/" + mirror_rsyncoptions: - "--exclude=/atomic" - "--exclude=/development" - "--exclude=/releases/test" @@ -58,12 +58,12 @@ - "--exclude=armhfp" - "--exclude=debug" - "--delete-excluded" - postcmd: python3 /usr/local/bin/report_mirror + mirror_postcmd: python3 /usr/local/bin/report_mirror - role: mirror/sync - label: openbsd - source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\ - ftp.openbsd.org/pub/OpenBSD/" - rsyncoptions: + mirror_label: openbsd + mirror_source: + "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/ftp.openbsd.org/pub/OpenBSD/" + mirror_rsyncoptions: - "--include=/?.?/" - "--include=/?.?/amd64/" - "--include=/?.?/amd64/*" diff --git a/roles/mirror/base/tasks/main.yml b/roles/mirror/base/tasks/main.yml index 513291c..66ec50a 100644 --- a/roles/mirror/base/tasks/main.yml +++ b/roles/mirror/base/tasks/main.yml @@ -23,7 +23,7 @@ ansible.builtin.file: path: /export/mirrors state: directory - mode: 0755 + mode: "0755" owner: root group: root @@ -44,7 +44,7 @@ ansible.builtin.file: path: /etc/sync-mirrors state: directory - mode: 0755 + mode: "0755" owner: root group: root 
@@ -52,7 +52,7 @@ ansible.builtin.file: path: "{{ item }}" state: directory - mode: 0755 + mode: "0755" owner: mirror group: mirror with_items: @@ -63,7 +63,7 @@ ansible.builtin.copy: dest: /usr/lib/tmpfiles.d/sync-mirrors.conf content: "d /run/sync-mirrors 0755 mirror mirror\n" - mode: 0644 + mode: "0644" owner: root group: root @@ -71,7 +71,7 @@ ansible.builtin.copy: dest: /usr/local/bin/sync-mirrors src: sync-mirrors - mode: 0755 + mode: "0755" owner: root group: root @@ -110,7 +110,7 @@ ansible.builtin.template: src: mirror.conf.j2 dest: /etc/httpd/conf.local.d/mirror.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart apache diff --git a/roles/mirror/reportmirror/tasks/main.yml b/roles/mirror/reportmirror/tasks/main.yml index 193fa2e..487027d 100644 --- a/roles/mirror/reportmirror/tasks/main.yml +++ b/roles/mirror/reportmirror/tasks/main.yml @@ -8,13 +8,14 @@ ansible.builtin.git: dest: /usr/local/src/report_mirror repo: https://github.com/fedora-infra/mirrormanager2.git + update: true version: master - name: Install reportmirror script ansible.builtin.copy: dest: /usr/local/bin/report_mirror src: /usr/local/src/report_mirror/client/report_mirror - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" remote_src: true @@ -23,7 +24,7 @@ ansible.builtin.file: dest: /etc/mirrormanager-client state: directory - mode: 0750 + mode: "0750" owner: root group: mirror @@ -31,6 +32,6 @@ ansible.builtin.template: dest: /etc/mirrormanager-client/report_mirror.conf src: report_mirror.conf.j2 - mode: 0640 + mode: "0640" owner: root group: mirror diff --git a/roles/mirror/sync/defaults/main.yml b/roles/mirror/sync/defaults/main.yml index 264336b..58b887d 100644 --- a/roles/mirror/sync/defaults/main.yml +++ b/roles/mirror/sync/defaults/main.yml @@ -1,3 +1,3 @@ --- -rsyncoptions: [] -postcmd: "" +mirror_rsyncoptions: [] +mirror_postcmd: "" 
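Review bot: `update: true` on the mirrormanager2 clone in the @@ -8,13 +8,14 @@ hunk of roles/mirror/reportmirror/tasks/main.yml, with `version: master` left unpinned, means the report_mirror script copied to /usr/local/bin two tasks later (and run after every sync via `mirror_postcmd` in playbooks/mirror.yml) now tracks whatever the upstream branch holds at run time. Pinning `version:` to a tag or commit id keeps the update path while making each change reviewable. The task list continues outside the hunk.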
diff --git a/roles/mirror/sync/tasks/main.yml b/roles/mirror/sync/tasks/main.yml index ab8c46d..168271d 100644 --- a/roles/mirror/sync/tasks/main.yml +++ b/roles/mirror/sync/tasks/main.yml @@ -1,24 +1,24 @@ --- -- name: Create config for {{ label }} +- name: Create config for {{ mirror_label }} ansible.builtin.template: - dest: "/etc/sync-mirrors/{{ label }}.conf" + dest: "/etc/sync-mirrors/{{ mirror_label }}.conf" src: mirror.conf.j2 - mode: 0644 + mode: "0644" owner: root group: root - name: Create target directory ansible.builtin.file: - path: "/srv/mirrors/{{ label }}" + path: "/srv/mirrors/{{ mirror_label }}" state: directory - mode: 0755 + mode: "0755" owner: mirror group: mirror - name: Link target directory to web ansible.builtin.file: - path: "/srv/web/{{ inventory_hostname }}/{{ label }}" - src: "/srv/mirrors/{{ label }}" + path: "/srv/web/{{ inventory_hostname }}/{{ mirror_label }}" + src: "/srv/mirrors/{{ mirror_label }}" state: link owner: mirror group: mirror diff --git a/roles/mirror/sync/templates/mirror.conf.j2 b/roles/mirror/sync/templates/mirror.conf.j2 index f605577..ab2b6ac 100644 --- a/roles/mirror/sync/templates/mirror.conf.j2 +++ b/roles/mirror/sync/templates/mirror.conf.j2 @@ -1,3 +1,3 @@ -SRC="{{ source }}" -RSYNCOPTS="{{ rsyncoptions | join(' ') }}" -POSTCMD="{{ postcmd }}" +SRC="{{ mirror_source }}" +RSYNCOPTS="{{ mirror_rsyncoptions | join(' ') }}" +POSTCMD="{{ mirror_postcmd }}" diff --git a/roles/mirror/thinlinc/tasks/main.yml b/roles/mirror/thinlinc/tasks/main.yml index 78e0525..2fb0edc 100644 --- a/roles/mirror/thinlinc/tasks/main.yml +++ b/roles/mirror/thinlinc/tasks/main.yml @@ -11,7 +11,7 @@ ansible.builtin.file: path: /srv/mirrors/thinlinc state: directory - mode: 0755 + mode: "0755" owner: mirror group: mirror @@ -28,7 +28,7 @@ ansible.builtin.copy: dest: /usr/local/bin/sync-thinlinc-repo src: sync-thinlinc-repo.sh - mode: 0755 + mode: "0755" owner: root group: root 
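Review bot: mirror.conf.j2 interpolates the three variables inside plain double quotes into what is presumably a file sourced by sync-mirrors, so a value containing `"`, `$` or a backtick would be expanded or break the file instead of being used verbatim. `SRC={{ mirror_source | quote }}`, `RSYNCOPTS={{ mirror_rsyncoptions | join(' ') | quote }}` and `POSTCMD={{ mirror_postcmd | quote }}` let Ansible do the shell quoting. The values are operator-controlled, so this is hardening rather than a live defect.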
From 5f170a6cafd46f2602236fbe197dbd2181971e79 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 12 Oct 2023 18:36:43 +0000 Subject: [PATCH 060/596] mirror: Lint fixes --- playbooks/mirror.yml | 8 ++++---- roles/mirror/reportmirror/defaults/main.yml | 4 ++-- .../reportmirror/templates/report_mirror.conf.j2 | 10 +++++----- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/playbooks/mirror.yml b/playbooks/mirror.yml index 18dc167..4ae2bab 100644 --- a/playbooks/mirror.yml +++ b/playbooks/mirror.yml @@ -28,10 +28,10 @@ - mirror/base - mirror/thinlinc - role: mirror/reportmirror - hostname: mirrors.foo.sh - mirrors: [epel, fedora] - sitename: foo.sh - password: "{{ report_mirror_pass }}" + mirror_hostname: mirrors.foo.sh + mirror_mirrors: [epel, fedora] + mirror_sitename: foo.sh + mirror_password: "{{ report_mirror_pass }}" - role: mirror/sync mirror_label: fedora-epel mirror_source: diff --git a/roles/mirror/reportmirror/defaults/main.yml b/roles/mirror/reportmirror/defaults/main.yml index c2ae745..79a2016 100644 --- a/roles/mirror/reportmirror/defaults/main.yml +++ b/roles/mirror/reportmirror/defaults/main.yml @@ -1,4 +1,4 @@ --- -hostname: "{{ inventory_hostname }}" -mirrors: [] +mirror_hostname: "{{ inventory_hostname }}" +mirror_mirrors: [] diff --git a/roles/mirror/reportmirror/templates/report_mirror.conf.j2 b/roles/mirror/reportmirror/templates/report_mirror.conf.j2 index ae793f3..59d4dbb 100644 --- a/roles/mirror/reportmirror/templates/report_mirror.conf.j2 +++ b/roles/mirror/reportmirror/templates/report_mirror.conf.j2 @@ -11,8 +11,8 @@ enabled=1 # Name and Password fields need to match the Site name and password # fields you entered for your Site in the MirrorManager database at # https://admin.fedoraproject.org/mirrormanager -name={{ sitename }} -password={{ password }} +name={{ mirror_sitename }} +password={{ mirror_password }} [host] # if enabled=0, no data about this host is sent to the database 
@@ -20,7 +20,7 @@ enabled=1 # Name field need to match the Host name field you entered for your # Host in the MirrorManager database at # https://admin.fedoraproject.org/mirrormanager -name={{ hostname }} +name={{ mirror_hostname }} # if user_active=0, no data about this category is given to the public # This can be used to toggle between serving and not serving data, # such enabled during the nighttime (when you have more idle bandwidth @@ -52,7 +52,7 @@ rsyncd=/var/log/rsyncd.log # path= is the path on your local disk to the top-level directory for this Category [Fedora Linux] -{% if "fedora" in mirrors %} +{% if "fedora" in mirror_mirrors %} enabled=1 {% else %} enabled=0 @@ -60,7 +60,7 @@ enabled=0 path=/srv/mrirors/fedora [Fedora EPEL] -{% if "epel" in mirrors %} +{% if "epel" in mirror_mirrors %} enabled=1 {% else %} enabled=0 From 86a7b60b46afd16d9adf22e7156a1b74f065bba7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 12 Oct 2023 18:40:02 +0000 Subject: [PATCH 061/596] cups_server: Lint fixes --- roles/cups_server/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/cups_server/tasks/main.yml b/roles/cups_server/tasks/main.yml index 418a672..5b98c24 100644 --- a/roles/cups_server/tasks/main.yml +++ b/roles/cups_server/tasks/main.yml @@ -8,7 +8,7 @@ ansible.builtin.file: path: /etc/systemd/system/cups.service.d state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -16,7 +16,7 @@ ansible.builtin.copy: dest: /etc/systemd/system/cups.service.d/keytab.conf content: "[Service]\nEnvironment=KRB5_KTNAME=FILE:/etc/cups/cups.keytab\n" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -111,7 +111,7 @@ ansible.builtin.copy: dest: "/usr/share/cups/www/{{ item }}" src: "{{ item }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" with_items: 
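Review bot: The context line `path=/srv/mrirors/fedora` in the @@ -52,7 +52,7 @@ hunk looks like a typo for `/srv/mirrors/fedora` — roles/mirror/sync/tasks/main.yml creates `/srv/mirrors/{{ mirror_label }}` — so report_mirror would report a missing path for the Fedora category. It is not introduced by this commit, but it is easy to fix while the file is being touched, and the `[Fedora EPEL]` section's `path=` line just outside the hunk is worth checking for the same spelling.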
@@ -122,7 +122,7 @@ ansible.builtin.copy: dest: /usr/share/cups/templates/header.tmpl src: header.tmpl - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" From 1e973b3dde5209fda62a0a915cd66af22729cb1c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 12 Oct 2023 18:41:57 +0000 Subject: [PATCH 062/596] gitea_runner: Update config to latest version --- roles/gitea_runner/files/config.yml | 2 +- roles/gitea_runner/tasks/main.yml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/gitea_runner/files/config.yml b/roles/gitea_runner/files/config.yml index bd7abba..641665f 100644 --- a/roles/gitea_runner/files/config.yml +++ b/roles/gitea_runner/files/config.yml @@ -41,7 +41,7 @@ cache: container: # Which network to use for the job containers. Could be bridge, host, none, # or the name of a custom network. - network_mode: bridge + network: bridge # Whether to use privileged mode or not when launching task containers # (privileged mode is required for Docker-in-Docker). privileged: false diff --git a/roles/gitea_runner/tasks/main.yml b/roles/gitea_runner/tasks/main.yml index 740a914..9a6eedb 100644 --- a/roles/gitea_runner/tasks/main.yml +++ b/roles/gitea_runner/tasks/main.yml @@ -30,7 +30,7 @@ "-" + ansible_system | lower + "-amd64" }} dest: /usr/local/bin/act_runner - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" notify: Restart act_runner @@ -39,7 +39,7 @@ ansible.builtin.file: path: /var/lib/act_runner state: directory - mode: 0750 + mode: "0750" owner: root group: act_runner @@ -56,7 +56,7 @@ ansible.builtin.copy: dest: /var/lib/act_runner/config.yml src: config.yml - mode: 0640 + mode: "0640" owner: root group: act_runner notify: Restart act_runner @@ -65,7 +65,7 @@ ansible.builtin.file: path: /var/lib/act_runner/.cache state: directory - mode: 0770 + mode: "0770" owner: root group: act_runner notify: Restart act_runner 
@@ -74,7 +74,7 @@
 ansible.builtin.copy:
 dest: /etc/systemd/system/act_runner.service
 src: act_runner.service
- mode: 0644
+ mode: "0644"
 owner: root
 group: root
From 86d076ebc6d42adf7fdc3eedc9fb7db3d8daee32 Mon Sep 17 00:00:00 2001
From: Timo Makinen Date: Thu, 12 Oct 2023 19:14:54 +0000 Subject: [PATCH 063/596] Fix "Forbidden implicit octal value" lint errors --- roles/ansible_host/tasks/main.yml | 6 ++--- roles/apache/tasks/main.yml | 6 ++--- roles/authcheck/tasks/main.yml | 4 +-- roles/autofs/tasks/main.yml | 6 ++--- roles/backup_server/tasks/main.yml | 6 ++--- roles/base/tasks/OpenBSD.yml | 8 +++--- roles/base/tasks/RedHat.yml | 2 +- roles/base/tasks/main.yml | 6 ++--- roles/certbot/tasks/main.yml | 6 ++--- roles/clamav/tasks/main.yml | 2 +- roles/collab/tasks/main.yml | 24 +++++++++--------- roles/dhcpd/tasks/main.yml | 2 +- roles/dhparams/tasks/main.yml | 2 +- roles/docker/tasks/main.yml | 6 ++--- roles/docker_distribution/tasks/main.yml | 10 ++++---- roles/dovecot/tasks/main.yml | 8 +++--- roles/git_server/tasks/main.yml | 10 ++++---- roles/gitea_runner/tasks/main.yml | 2 +- roles/grafana/tasks/main.yml | 10 ++++---- roles/grossd/tasks/main.yml | 4 +-- roles/homeassistant/tasks/main.yml | 12 ++++----- roles/ifstated/tasks/main.yml | 2 +- roles/influxdb/tasks/main.yml | 8 +++--- roles/iptables/tasks/main.yml | 2 +- roles/kadmin/tasks/main.yml | 2 +- roles/kdc/tasks/main.yml | 6 ++--- roles/kvm_host/tasks/main.yml | 4 +-- roles/ldap_gravatar/tasks/main.yml | 2 +- roles/ldap_netdb/tasks/main.yml | 2 +- roles/ldap_server/tasks/main.yml | 30 +++++++++++------------ roles/mariadb/tasks/main.yml | 16 ++++++------ roles/minecraft/tasks/main.yml | 16 ++++++------ roles/mod_auth_gssapi/tasks/main.yml | 4 +-- roles/mongodb/tasks/main.yml | 10 ++++---- roles/network/tasks/OpenBSD.yml | 6 ++--- roles/network/tasks/RedHat.yml | 4 +-- roles/network/tasks/main.yml | 2 +- roles/nfs_client/tasks/main.yml | 2 +- roles/nfs_server/tasks/main.yml | 2 +- roles/nftables/tasks/main.yml | 2 +- roles/nginx/server/tasks/main.yml | 8 +++--- roles/nginx/site/tasks/main.yml | 8 +++--- roles/nsd/tasks/main.yml | 8 +++--- roles/openbgpd/tasks/main.yml | 2 +- roles/opensmtpd/tasks/main.yml | 4 +-- 
roles/openvpn/tasks/main.yml | 14 +++++------ roles/pf/tasks/main.yml | 4 +-- roles/pki/tasks/main.yml | 12 ++++----- roles/podman/tasks/main.yml | 2 +- roles/rclone/tasks/main.yml | 8 +++--- roles/roles_lists/tasks/main.yml | 4 +-- roles/roundcube/tasks/main.yml | 12 ++++----- roles/rpm_build/tasks/main.yml | 4 +-- roles/rsync/client/tasks/main.yml | 4 +-- roles/rsync/server/tasks/main.yml | 8 +++--- roles/rsyslog/tasks/main.yml | 6 ++--- roles/rsyslog/tasks/udp-listen.yml | 2 +- roles/saslauthd/tasks/main.yml | 2 +- roles/selinux/tasks/main.yml | 2 +- roles/sendmail/tasks/main.yml | 14 +++++------ roles/sftpuser/tasks/main.yml | 2 +- roles/spamassassin_clamav/tasks/main.yml | 4 +-- roles/spamassassin_razor/tasks/main.yml | 2 +- roles/spamassassin_textcat/tasks/main.yml | 2 +- roles/ssh_known_hosts/tasks/main.yml | 2 +- roles/sssd/tasks/main.yml | 2 +- roles/syslogd/tasks/main.yml | 2 +- roles/syslogd/tasks/server.yml | 8 +++--- roles/telegraf/tasks/main.yml | 2 +- roles/tftp/tasks/main.yml | 6 ++--- roles/thinlinc_server/tasks/main.yml | 6 ++--- roles/unbound/tasks/main.yml | 2 +- roles/web_build/tasks/main.yml | 4 +-- roles/web_logs/tasks/main.yml | 8 +++--- roles/zoneminder/tasks/main.yml | 10 ++++---- 75 files changed, 227 insertions(+), 227 deletions(-) diff --git a/roles/ansible_host/tasks/main.yml b/roles/ansible_host/tasks/main.yml index a5f93f1..b13d9f3 100644 --- a/roles/ansible_host/tasks/main.yml +++ b/roles/ansible_host/tasks/main.yml @@ -15,7 +15,7 @@ path: /export/private owner: root group: root - mode: 0700 + mode: "0700" state: directory - name: Link private directory @@ -52,7 +52,7 @@ ansible.builtin.copy: src: nginx.conf dest: /etc/nginx/conf.d/{{ inventory_hostname }}/ansible.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx @@ -63,4 +63,4 @@ src: root-bashrc.sh owner: root group: "{{ ansible_wheel }}" - mode: 0600 + mode: "0600" 
diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml index 0dbdd6f..c2745ed 100644 --- a/roles/apache/tasks/main.yml +++ b/roles/apache/tasks/main.yml @@ -40,7 +40,7 @@ ansible.builtin.file: state: directory path: "{{ item }}" - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" seuser: _default @@ -54,7 +54,7 @@ ansible.builtin.template: src: ssl.conf.j2 dest: /etc/httpd/conf.local.d/ssl.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart apache @@ -63,7 +63,7 @@ ansible.builtin.template: src: site.conf.j2 dest: "/etc/httpd/conf.local.d/{{ inventory_hostname }}.conf" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart apache diff --git a/roles/authcheck/tasks/main.yml b/roles/authcheck/tasks/main.yml index 36d96fa..09ef679 100644 --- a/roles/authcheck/tasks/main.yml +++ b/roles/authcheck/tasks/main.yml @@ -22,7 +22,7 @@ ansible.builtin.template: dest: /etc/systemd/system/authcheck-container.service src: authcheck-container.service.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -39,7 +39,7 @@ location /authcheck { proxy_pass http://127.0.0.1:8003/; } - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx diff --git a/roles/autofs/tasks/main.yml b/roles/autofs/tasks/main.yml index d3a3121..19f9565 100644 --- a/roles/autofs/tasks/main.yml +++ b/roles/autofs/tasks/main.yml @@ -34,7 +34,7 @@ ansible.builtin.template: dest: /etc/autofs_ldap_auth.conf src: autofs_ldap_auth.conf.j2 - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" notify: Restart autofs @@ -43,7 +43,7 @@ ansible.builtin.template: dest: /etc/auto.master src: auto.master.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart autofs 
@@ -74,7 +74,7 @@
 ansible.builtin.copy:
 dest: "/etc/profile.d/{{ item }}"
 src: "{{ item }}"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 with_items:
diff --git a/roles/backup_server/tasks/main.yml b/roles/backup_server/tasks/main.yml
index 8577419..b952d09 100644
--- a/roles/backup_server/tasks/main.yml
+++ b/roles/backup_server/tasks/main.yml
@@ -26,7 +26,7 @@
 ansible.builtin.file:
 path: /export/backup
 state: directory
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -43,7 +43,7 @@
 ansible.builtin.file:
 path: /export/backup/bitbucket.org
 state: directory
- mode: 0775
+ mode: "0775"
 owner: root
 group: backup
@@ -51,7 +51,7 @@
 ansible.builtin.copy:
 dest: /usr/local/sbin/backup-bitbucket
 src: backup-bitbucket.py
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
diff --git a/roles/base/tasks/OpenBSD.yml b/roles/base/tasks/OpenBSD.yml
index d925bf6..84c90af 100644
--- a/roles/base/tasks/OpenBSD.yml
+++ b/roles/base/tasks/OpenBSD.yml
@@ -3,7 +3,7 @@
 ansible.builtin.copy:
 dest: /etc/myname
 content: "{{ inventory_hostname }}\n"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -11,7 +11,7 @@
 ansible.builtin.copy:
 dest: /etc/installurl
 content: "https://mirrors.foo.sh/openbsd/\n"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 when: ansible_datacenter == "home"
@@ -30,7 +30,7 @@
 ansible.builtin.copy:
 dest: "{{ item }}"
 content: "VERBOSESTATUS=0\n"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 with_items:
@@ -53,7 +53,7 @@
 ansible.builtin.file:
 name: /srv
 state: directory
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml
index d266052..9f11e18 100644
--- a/roles/base/tasks/RedHat.yml
+++ b/roles/base/tasks/RedHat.yml
@@ -122,7 +122,7 @@
 ansible.builtin.copy:
 dest: /etc/profile.d/history.sh
 content: 'export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "'
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 7bec34b..d7d7820 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -2,7 +2,7 @@
 - name: Setup ansible custom facts
 ansible.builtin.file:
 dest: "{{ item }}"
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
 state: directory
@@ -20,7 +20,7 @@
 else
 echo "false"
 fi
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -36,7 +36,7 @@
 ansible.builtin.copy:
 content: "\n"
 dest: "/etc/at.allow"
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index 1d22823..b66300b 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -30,7 +30,7 @@
 path: /srv/web/certbot.home.foo.sh/.well-known
 owner: root
 group: "{{ ansible_wheel }}"
- mode: 0755
+ mode: "0755"
 state: directory
 - name: Create certbot directories
@@ -38,7 +38,7 @@
 path: "{{ item }}"
 owner: root
 group: certbot
- mode: 0775
+ mode: "0775"
 state: directory
 with_items:
 - /srv/web/certbot.home.foo.sh/.well-known/acme-challenge
@@ -57,7 +57,7 @@
 ansible.builtin.copy:
 dest: /etc/letsencrypt/cli.ini
 src: cli.ini
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
diff --git a/roles/clamav/tasks/main.yml b/roles/clamav/tasks/main.yml
index 469e46a..bbd796a 100644
--- a/roles/clamav/tasks/main.yml
+++ b/roles/clamav/tasks/main.yml
@@ -12,7 +12,7 @@
 ansible.builtin.copy:
 dest: /etc/tmpfiles.d/clamd.scan.conf
 content: "d /run/clamd.scan 711 clamscan clamscan"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Refresh clamd socket directory
diff --git a/roles/collab/tasks/main.yml b/roles/collab/tasks/main.yml
index 95c1446..9af4c7b 100644
--- a/roles/collab/tasks/main.yml
+++ b/roles/collab/tasks/main.yml
@@ -27,7 +27,7 @@
 ansible.builtin.get_url:
 url: "https://static.moinmo.in/files/moin-{{ moin_version }}.tar.gz"
 dest: "{{ srcdir }}"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 checksum: sha1:3eb13b4730bd97259a41c4cd500f8433778ff8cf
@@ -57,7 +57,7 @@
 ansible.builtin.copy:
 src: foosh.py
 dest: "{{ srcdir }}/collabbackend/collabbackend/plugin/theme/foosh.py"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -114,14 +114,14 @@
 ansible.builtin.copy:
 content: "umask 077\n"
 dest: /var/lib/collab/.profile
- mode: 0440
+ mode: "0440"
 owner: collab
 group: collab
 - name: Create config directories
 ansible.builtin.file:
 path: "{{ item }}"
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
 state: directory
@@ -133,7 +133,7 @@
 ansible.builtin.copy:
 src: collab.ini
 dest: /etc/local/collab/collab.ini
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -145,7 +145,7 @@
 - name: Create data directory
 ansible.builtin.file:
 path: /export/wikis
- mode: 0755
+ mode: "0755"
 owner: root
 group: root
 seuser: _default
@@ -162,7 +162,7 @@
 ansible.builtin.file:
 path: /srv/wikis/collab
 state: directory
- mode: 0750
+ mode: "0750"
 owner: root
 group: collab
@@ -170,7 +170,7 @@
 ansible.builtin.file:
 state: directory
 path: "{{ item }}"
- mode: 02770
+ mode: "02770"
 owner: collab
 group: collab
 with_items:
@@ -196,7 +196,7 @@
 ansible.builtin.copy:
 src: collab-htaccess
 dest: collab-htaccess
- mode: 0660
+ mode: "0660"
 owner: collab
 group: collab
@@ -204,7 +204,7 @@
 ansible.builtin.copy:
 src: "{{ srcdir }}/collabbackend/config/{{ item }}"
 dest: /srv/wikis/collab/config/{{ item }}
- mode: 0660
+ mode: "0660"
 owner: collab
 group: collab
 seuser: _default
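Review bot: The get_url task in the first collab hunk pins the moin tarball with `checksum: sha1:3eb13b4730bd97259a41c4cd500f8433778ff8cf`, a SHA-1 digest; get_url also accepts a `sha256:` prefix, and a SHA-256 pin is the stronger integrity anchor for a downloaded archive when upstream publishes one. That line is context rather than part of this commit, so it is a follow-up rather than a blocker here. The enclosing task begins above the hunk.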
@@ -220,7 +220,7 @@
 ansible.builtin.copy:
 src: "{{ srcdir }}/collabbackend/packages/CollabBase.zip"
 dest: /var/lib/collab/CollabBase.zip
- mode: 0660
+ mode: "0660"
 owner: collab
 group: collab
 remote_src: true
@@ -265,7 +265,7 @@
 ansible.builtin.template:
 src: collab.conf.j2
 dest: /etc/httpd/conf.local.d/collab.conf
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart apache
diff --git a/roles/dhcpd/tasks/main.yml b/roles/dhcpd/tasks/main.yml
index 8052208..7ec173e 100644
--- a/roles/dhcpd/tasks/main.yml
+++ b/roles/dhcpd/tasks/main.yml
@@ -11,7 +11,7 @@
 ansible.builtin.template:
 dest: "{{ dhcpd_config }}"
 src: "{{ dhcpd_template | default('dhcpd.conf.j2') }}"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 # validate: "dhcpd -t -cf %s"
diff --git a/roles/dhparams/tasks/main.yml b/roles/dhparams/tasks/main.yml
index e871137..74ce0bf 100644
--- a/roles/dhparams/tasks/main.yml
+++ b/roles/dhparams/tasks/main.yml
@@ -4,6 +4,6 @@
 ansible.builtin.copy:
 dest: "{{ tls_certs }}/ffdhe3072.pem"
 src: ffdhe3072.pem
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index d1f4b05..a831262 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -3,7 +3,7 @@
 ansible.builtin.get_url:
 url: "https://download.docker.com/linux/{{ docker_osname }}/docker-ce.repo"
 dest: /etc/yum.repos.d/docker-ce.repo
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -22,7 +22,7 @@
 ansible.builtin.file:
 path: /etc/docker
 state: directory
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -30,7 +30,7 @@
 ansible.builtin.copy:
 dest: /etc/docker/daemon.json
 src: daemon.json
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart docker
diff --git a/roles/docker_distribution/tasks/main.yml b/roles/docker_distribution/tasks/main.yml
index 07c6c8b..a224c13 100644
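Review bot: The dhcpd hunk still carries `# validate: "dhcpd -t -cf %s"` commented out, so the templated `{{ dhcpd_config }}` is written without a syntax check and a bad render is only discovered when dhcpd restarts; the ifstated hunk has the same disabled `# validate: "ifstated -n -f %s"`. If the check was switched off deliberately, a one-line comment saying why would keep the next reader from re-enabling it blindly; otherwise restoring `validate: dhcpd -t -cf %s` matches what the pf and dovecot tasks in this same diff already do. Both tasks start above their hunks, so I cannot see whether a validate is set elsewhere on them.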
--- a/roles/docker_distribution/tasks/main.yml
+++ b/roles/docker_distribution/tasks/main.yml
@@ -24,7 +24,7 @@
 ansible.builtin.file:
 path: /etc/systemd/system/docker-distribution.service.d
 state: directory
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -32,7 +32,7 @@
 ansible.builtin.copy:
 dest: /etc/systemd/system/docker-distribution.service.d/user.conf
 src: user.conf
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart docker-distribution
@@ -41,7 +41,7 @@
 ansible.builtin.template:
 dest: /etc/docker-distribution/registry/config.yml
 src: config.yml.j2
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart docker-distribution
@@ -50,7 +50,7 @@
 ansible.builtin.file:
 path: /srv/registry/docker
 state: directory
- mode: 0770
+ mode: "0770"
 owner: root
 group: docker
@@ -58,7 +58,7 @@
 ansible.builtin.copy:
 dest: /etc/docker-distribution/registry/htpasswd
 src: "{{ htpasswd }}"
- mode: 0640
+ mode: "0640"
 owner: root
 group: docker
 when: htpasswd is defined
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
index 01f9116..3e8b002 100644
--- a/roles/dovecot/tasks/main.yml
+++ b/roles/dovecot/tasks/main.yml
@@ -17,7 +17,7 @@
 ansible.builtin.copy:
 dest: "{{ tls_private }}/{{ mail_server }}.key"
 src: "{{ item }}"
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
 with_first_found:
@@ -30,7 +30,7 @@
 ansible.builtin.copy:
 dest: "{{ tls_certs }}/{{ mail_server }}-fullchain.crt"
 src: "{{ item }}"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 with_first_found:
@@ -43,7 +43,7 @@
 ansible.builtin.template:
 dest: /etc/dovecot/conf.d/99-local.conf
 src: local.conf.j2
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 validate: doveconf -n %s
@@ -58,7 +58,7 @@
 ansible.builtin.file:
 path: "{{ item }}"
 state: directory
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
 setype: _default
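Review bot: `mode: "0644"` on the templated `/etc/docker-distribution/registry/config.yml` leaves the registry configuration world-readable; if `config.yml.j2` renders an HTTP secret or storage-backend credentials, `mode: "0640"` with `group: docker`, as the htpasswd task later in the same file already uses, would be the safer setting. The same question applies to the templated `/etc/rclone/rclone.conf` at `mode: "0644"` in the rclone hunk, since rclone remote definitions commonly carry tokens. I cannot see either template from here, so confirm their contents before tightening. The quoting change itself is right: an unquoted `0644` is read by a YAML 1.1 loader as an octal integer, which is what ansible-lint's risky-octal rule warns about.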
diff --git a/roles/git_server/tasks/main.yml b/roles/git_server/tasks/main.yml
index 889897c..2e22a61 100644
--- a/roles/git_server/tasks/main.yml
+++ b/roles/git_server/tasks/main.yml
@@ -17,7 +17,7 @@
 ansible.builtin.file:
 path: /export/git
 state: directory
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -33,7 +33,7 @@
 ansible.builtin.copy:
 dest: /etc/gitweb.conf
 src: gitweb.conf
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -41,7 +41,7 @@
 ansible.builtin.copy:
 dest: /var/www/git/robots.txt
 content: "User-agent: *\nDisallow:\n"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -49,7 +49,7 @@
 ansible.builtin.copy:
 dest: "/var/www/git/static/{{ item }}"
 src: "{{ item }}"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 with_items:
@@ -60,7 +60,7 @@
 ansible.builtin.copy:
 dest: /etc/httpd/conf.local.d/git.conf
 src: git.conf
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart apache
diff --git a/roles/gitea_runner/tasks/main.yml b/roles/gitea_runner/tasks/main.yml
index 9a6eedb..d8eac04 100644
--- a/roles/gitea_runner/tasks/main.yml
+++ b/roles/gitea_runner/tasks/main.yml
@@ -47,7 +47,7 @@
 ansible.builtin.copy:
 dest: /var/lib/act_runner/.runner
 src: "/srv/private/files/act_runner/{{ inventory_hostname }}.conf"
- mode: 0640
+ mode: "0640"
 owner: root
 group: act_runner
 notify: Restart act_runner
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
index 3ed3db6..13743dc 100644
--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
@@ -14,7 +14,7 @@
 ansible.builtin.copy:
 dest: "{{ tls_private }}/grafana.key"
 src: "{{ tls_private }}/{{ inventory_hostname }}.key"
- mode: 0640
+ mode: "0640"
 owner: root
 group: grafana
 remote_src: true
@@ -23,7 +23,7 @@
 ansible.builtin.template:
 dest: /etc/sysconfig/grafana-container
 src: grafana-container.sysconfig.j2
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart grafana
@@ -32,7 +32,7 @@
 ansible.builtin.template:
 dest: /etc/systemd/system/grafana-container.service
 src: grafana-container.service.j2
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart grafana
@@ -41,7 +41,7 @@
 ansible.builtin.template:
 dest: /etc/grafana-ldap.toml
 src: grafana-ldap.toml.j2
- mode: 0640
+ mode: "0640"
 owner: root
 group: grafana
 notify: Restart grafana
@@ -60,7 +60,7 @@
 proxy_set_header Host noc.foo.sh;
 proxy_pass http://localhost:8002/;
 }
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart nginx
diff --git a/roles/grossd/tasks/main.yml b/roles/grossd/tasks/main.yml
index fe75f97..74079d3 100644
--- a/roles/grossd/tasks/main.yml
+++ b/roles/grossd/tasks/main.yml
@@ -8,7 +8,7 @@
 ansible.builtin.file:
 path: /var/db/grossd
 state: directory
- mode: 0750
+ mode: "0750"
 owner: gross
 group: "{{ ansible_wheel }}"
@@ -16,7 +16,7 @@
 ansible.builtin.copy:
 dest: /etc/grossd.conf
 src: grossd.conf
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart grossd
diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml
index 46648b8..8456261 100644
--- a/roles/homeassistant/tasks/main.yml
+++ b/roles/homeassistant/tasks/main.yml
@@ -28,7 +28,7 @@
 ansible.builtin.copy:
 dest: /usr/local/share/selinux/homeassistant-local.pp
 src: homeassistant-local.pp
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -59,7 +59,7 @@
 ansible.builtin.file:
 path: /export/homeassistant
 state: directory
- mode: 0700
+ mode: "0700"
 owner: ha
 group: ha
 setype: _default
@@ -77,7 +77,7 @@
 ansible.builtin.copy:
 dest: /srv/homeassistant/auth-command.sh
 src: auth-command.sh
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
 setype: _default
@@ -86,7 +86,7 @@
 ansible.builtin.file:
 path: "{{ item }}"
 state: directory
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
 setype: _default
@@ -117,7 +117,7 @@
 ansible.builtin.template:
 dest: /etc/systemd/system/homeassistant-container.service
 src: homeassistant-container.service.j2
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart homeassistant
@@ -135,7 +135,7 @@
 location / {
 proxy_pass http://127.0.0.1:8001;
 }
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart nginx
diff --git a/roles/ifstated/tasks/main.yml b/roles/ifstated/tasks/main.yml
index 6dc9181..ec548b0 100644
--- a/roles/ifstated/tasks/main.yml
+++ b/roles/ifstated/tasks/main.yml
@@ -3,7 +3,7 @@
 ansible.builtin.template:
 dest: /etc/ifstated.conf
 src: "{{ ifstated_config }}"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 # validate: "ifstated -n -f %s"
diff --git a/roles/influxdb/tasks/main.yml b/roles/influxdb/tasks/main.yml
index 90d8046..f77db0b 100644
--- a/roles/influxdb/tasks/main.yml
+++ b/roles/influxdb/tasks/main.yml
@@ -38,7 +38,7 @@
 ansible.builtin.file:
 path: /etc/logrotate.d/influxdb
 state: file
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -46,7 +46,7 @@
 ansible.builtin.file:
 path: /export/influxdb
 state: directory
- mode: 0750
+ mode: "0750"
 owner: influxdb
 group: influxdb
@@ -63,7 +63,7 @@
 ansible.builtin.copy:
 dest: /etc/influxdb/config.toml
 src: config.toml
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart influxdb
@@ -87,7 +87,7 @@
 location / {
 proxy_pass http://127.0.0.1:8086/;
 }
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart nginx
diff --git a/roles/iptables/tasks/main.yml b/roles/iptables/tasks/main.yml
index aa52ce5..f01888c 100644
--- a/roles/iptables/tasks/main.yml
+++ b/roles/iptables/tasks/main.yml
@@ -16,7 +16,7 @@
 ansible.builtin.template:
 src: "{{ item }}.j2"
 dest: "/etc/sysconfig/{{ item }}"
- mode: 0600
+ mode: "0600"
 owner: root
 group: root
 notify: "Reload {{ item }}"
diff --git a/roles/kadmin/tasks/main.yml b/roles/kadmin/tasks/main.yml
index 3b8ccc1..447b344 100644
--- a/roles/kadmin/tasks/main.yml
+++ b/roles/kadmin/tasks/main.yml
@@ -11,7 +11,7 @@
 ansible.builtin.template:
 dest: /var/kerberos/krb5kdc/kdc.conf
 src: kdc.conf.j2
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
diff --git a/roles/kdc/tasks/main.yml b/roles/kdc/tasks/main.yml
index bb7a39f..c126fcb 100644
--- a/roles/kdc/tasks/main.yml
+++ b/roles/kdc/tasks/main.yml
@@ -22,7 +22,7 @@
 ansible.builtin.template:
 dest: /etc/sysconfig/kdc-container
 src: kdc-container.sysconfig.j2
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -30,7 +30,7 @@
 ansible.builtin.copy:
 dest: /etc/systemd/system/kdc-container.service
 src: kdc-container.service
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -47,7 +47,7 @@
 location /KdcProxy {
 proxy_pass http://127.0.0.1:8001;
 }
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart nginx
diff --git a/roles/kvm_host/tasks/main.yml b/roles/kvm_host/tasks/main.yml
index bafddde..1b1748a 100644
--- a/roles/kvm_host/tasks/main.yml
+++ b/roles/kvm_host/tasks/main.yml
@@ -7,7 +7,7 @@
 blacklist bluetooth
 blacklist btintel
 blacklist btusb
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -29,7 +29,7 @@
 ansible.builtin.file:
 path: "{{ item }}"
 state: directory
- mode: 0770
+ mode: "0770"
 owner: root
 group: qemu
 with_items:
diff --git a/roles/ldap_gravatar/tasks/main.yml b/roles/ldap_gravatar/tasks/main.yml
index ea21621..ee61b2d 100644
--- a/roles/ldap_gravatar/tasks/main.yml
+++ b/roles/ldap_gravatar/tasks/main.yml
@@ -11,7 +11,7 @@
 ansible.builtin.copy:
 src: gravatar-update.py
 dest: /usr/local/sbin/gravatar-update
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
diff --git a/roles/ldap_netdb/tasks/main.yml b/roles/ldap_netdb/tasks/main.yml
index 53b6d45..11b0275 100644
--- a/roles/ldap_netdb/tasks/main.yml
+++ b/roles/ldap_netdb/tasks/main.yml
@@ -12,7 +12,7 @@
 ansible.builtin.copy:
 src: netdb-update.py
 dest: /usr/local/sbin/netdb-update
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml
index c7e54a4..1e1389e 100644
--- a/roles/ldap_server/tasks/main.yml
+++ b/roles/ldap_server/tasks/main.yml
@@ -39,7 +39,7 @@
 ansible.builtin.file:
 path: "{{ ldap_datadir }}"
 state: directory
- mode: 0700
+ mode: "0700"
 owner: ldap
 group: ldap
 seuser: _default
@@ -67,7 +67,7 @@
 ansible.builtin.file:
 path: "{{ ldap_backupdir }}"
 state: directory
- mode: 0750
+ mode: "0750"
 owner: root
 group: backup
@@ -85,7 +85,7 @@
 ansible.builtin.copy:
 dest: /usr/local/sbin/ldap-backup
 src: ldap-backup.sh
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -101,7 +101,7 @@
 ansible.builtin.copy:
 dest: /usr/local/sbin/ldapspn
 src: ldapspn.py
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
 when: ldap_master is defined
@@ -121,7 +121,7 @@
 dest: /etc/sasl2/slapd.conf
 content: |
 pwcheck_method: saslauthd
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart slapd
@@ -130,7 +130,7 @@
 ansible.builtin.copy:
 dest: "{{ tls_certs }}/{{ ldap_server_cert }}.crt"
 src: "/srv/letsencrypt/live/{{ ldap_server_cert }}/cert.pem"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 tags: certificates
@@ -140,7 +140,7 @@
 ansible.builtin.copy:
 dest: "{{ tls_private }}/{{ ldap_server_cert }}.key"
 src: "/srv/letsencrypt/live/{{ ldap_server_cert }}/privkey.pem"
- mode: 0640
+ mode: "0640"
 owner: root
 group: ldap
 tags: certificates
@@ -150,7 +150,7 @@
 ansible.builtin.copy:
 dest: "{{ tls_certs }}/{{ ldap_server_cert }}-chain.crt"
 src: "/srv/letsencrypt/live/{{ ldap_server_cert }}/chain.pem"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 tags: certificates
@@ -193,7 +193,7 @@
 ansible.builtin.file:
 path: /etc/systemd/system/slapd.service.d
 state: directory
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
 when: ansible_distribution == "Rocky"
@@ -202,7 +202,7 @@
 ansible.builtin.copy:
 dest: /etc/systemd/system/slapd.service.d/local.conf
 src: slapd.service
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart slapd
@@ -212,7 +212,7 @@
 ansible.builtin.copy:
 dest: /etc/sysconfig/slapd
 src: slapd.sysconfig
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart slapd
@@ -222,7 +222,7 @@
 ansible.builtin.copy:
 dest: "/etc/openldap/schema/{{ item }}"
 src: "{{ item }}"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 with_items:
@@ -237,7 +237,7 @@
 ansible.builtin.copy:
 dest: /etc/openldap/check_password.conf
 src: check_password.conf
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -245,7 +245,7 @@
 ansible.builtin.template:
 dest: /etc/openldap/slapd.conf
 src: slapd.conf.j2
- mode: 0640
+ mode: "0640"
 owner: root
 group: ldap
 notify: Restart slapd
@@ -272,6 +272,6 @@
 ansible.builtin.copy:
 dest: /etc/openldap/slapd.keytab
 src: "{{ ansible_private }}/files/keytabs/slapd.keytab"
- mode: 0640
+ mode: "0640"
 owner: root
 group: ldap
diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml
index 2673211..3746dd1 100644
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -16,7 +16,7 @@
 ansible.builtin.file:
 path: /export/mariadb
 state: directory
- mode: 0750
+ mode: "0750"
 owner: mysql
 group: mysql
 setype: _default
@@ -41,7 +41,7 @@
 ansible.builtin.file:
 path: /etc/mysql
 state: directory
- mode: 0750
+ mode: "0750"
 owner: root
 group: mysql
@@ -56,7 +56,7 @@
 ansible.builtin.template:
 dest: /etc/my.cnf.d/tls.cnf
 src: tls.cnf.j2
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart mariadb
@@ -65,7 +65,7 @@
 ansible.builtin.copy:
 dest: /etc/my.cnf.d/local.cnf
 content: "[mariadb]\ninnodb_file_per_table=ON\n"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart mariadb
@@ -91,7 +91,7 @@
 ansible.builtin.template:
 dest: /root/.my.cnf
 src: my.cnf.j2
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
 when: mariadb_root_password is defined
@@ -108,7 +108,7 @@
 ansible.builtin.file:
 path: /export/backup
 state: directory
- mode: 02750
+ mode: "02750"
 owner: root
 group: backup
@@ -125,7 +125,7 @@
 ansible.builtin.copy:
 dest: /usr/local/sbin/mariadb-backup
 src: mariadb-backup.sh
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -140,7 +140,7 @@
 ansible.builtin.copy:
 dest: /usr/local/sbin/mysql_tzinfo_check
 src: mysql_tzinfo_check.sh
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
diff --git a/roles/minecraft/tasks/main.yml b/roles/minecraft/tasks/main.yml
index 91f0630..db2e66e 100644
--- a/roles/minecraft/tasks/main.yml
+++ b/roles/minecraft/tasks/main.yml
@@ -23,7 +23,7 @@
 ansible.builtin.file:
 path: /export/minecraft
 state: directory
- mode: 0750
+ mode: "0750"
 owner: root
 group: minecraft
@@ -40,7 +40,7 @@
 ansible.builtin.file:
 path: "/srv/minecraft/{{ item }}"
 state: directory
- mode: 0770
+ mode: "0770"
 owner: root
 group: minecraft
 with_items:
@@ -55,7 +55,7 @@
 dest: /srv/minecraft/eula.txt
 content: |
 eula=true
- mode: 0640
+ mode: "0640"
 owner: root
 group: minecraft
@@ -63,7 +63,7 @@
 ansible.builtin.copy:
 dest: /srv/minecraft/server.properties
 src: server.properties
- mode: 0640
+ mode: "0640"
 owner: root
 group: minecraft
@@ -72,7 +72,7 @@
 dest: "/srv/minecraft/{{ item }}"
 content: "[]"
 force: false
- mode: 0660
+ mode: "0660"
 owner: root
 group: minecraft
 with_items:
@@ -85,7 +85,7 @@
 ansible.builtin.file:
 path: /usr/local/lib/minecraft
 state: directory
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -95,7 +95,7 @@
 url: >-
 https://launcher.mojang.com/v1/objects/{{ minecraft_sha1sum }}/server.jar
 checksum: "sha1:{{ minecraft_sha1sum }}"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -103,7 +103,7 @@
 ansible.builtin.copy:
 dest: /etc/systemd/system/minecraft.service
 src: minecraft.service
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
diff --git a/roles/mod_auth_gssapi/tasks/main.yml b/roles/mod_auth_gssapi/tasks/main.yml
index 621726e..029c374 100644
--- a/roles/mod_auth_gssapi/tasks/main.yml
+++ b/roles/mod_auth_gssapi/tasks/main.yml
@@ -15,7 +15,7 @@
 ansible.builtin.file:
 path: /etc/systemd/system/httpd.service.d
 state: directory
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -23,7 +23,7 @@
 ansible.builtin.copy:
 dest: /etc/systemd/system/httpd.service.d/keytab.conf
 content: "[Service]\nEnvironment=KRB5_KTNAME=/etc/httpd/httpd.keytab\n"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart apache
diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml
index 2004130..73e2808 100644
--- a/roles/mongodb/tasks/main.yml
+++ b/roles/mongodb/tasks/main.yml
@@ -40,7 +40,7 @@
 ansible.builtin.file:
 path: /export/mongodb
 state: directory
- mode: 0700
+ mode: "0700"
 owner: mongod
 group: mongod
 setype: _default
@@ -67,7 +67,7 @@
 ansible.builtin.copy:
 dest: "{{ tls_private }}/mongodb.pem"
 content: "{{ mongodb_cert_key.stdout }}"
- mode: 0640
+ mode: "0640"
 owner: root
 group: mongod
 notify: Restart mongod
@@ -76,7 +76,7 @@
 ansible.builtin.copy:
 dest: /etc/logrotate.d/mongod
 src: mongod.logrotate
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
@@ -85,7 +85,7 @@
 dest: /etc/sysconfig/mongod
 content: |
 OPTIONS="-f /etc/mongod.conf --logRotate reopen"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart mongod
@@ -94,7 +94,7 @@
 ansible.builtin.template:
 dest: /etc/mongod.conf
 src: mongod.conf.j2
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart mongod
diff --git a/roles/network/tasks/OpenBSD.yml b/roles/network/tasks/OpenBSD.yml
index 6c2a5ac..f28a5be 100644
--- a/roles/network/tasks/OpenBSD.yml
+++ b/roles/network/tasks/OpenBSD.yml
@@ -3,7 +3,7 @@
 ansible.builtin.template:
 src: hostname.if.j2
 dest: "/etc/hostname.{{ item.device }}"
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
 with_items: "{{ network_interfaces }}"
@@ -13,7 +13,7 @@
 ansible.builtin.template:
 src: hostname.carp.j2
 dest: "/etc/hostname.carp{{ item.vhid }}"
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
 with_items: "{{ network_vip_interfaces }}"
@@ -34,7 +34,7 @@
 ansible.builtin.copy:
 content: "{{ network_default_gateway }}\n"
 dest: /etc/mygate
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart network
diff --git a/roles/network/tasks/RedHat.yml b/roles/network/tasks/RedHat.yml
index 19b71da..7c04aa3 100644
--- a/roles/network/tasks/RedHat.yml
+++ b/roles/network/tasks/RedHat.yml
@@ -15,7 +15,7 @@
 ansible.builtin.template:
 src: ifcfg-eth.j2
 dest: "/etc/sysconfig/network-scripts/ifcfg-{{ item.device }}"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Reload network manager connections
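Review bot: The copy task in the first mongodb hunk writes `content: "{{ mongodb_cert_key.stdout }}"` into `{{ tls_private }}/mongodb.pem`, so the private key is echoed into play output in `--diff` mode or on failure unless the task carries `no_log: true`; the task header is above the hunk, so I cannot see whether it does. The same applies to the earlier task that registers `mongodb_cert_key`. If neither sets it, add `no_log: true` to both.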
@@ -33,7 +33,7 @@
 ansible.builtin.template:
 dest: /etc/keepalived/keepalived.conf
 src: keepalived.conf.j2
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart keepalived
diff --git a/roles/network/tasks/main.yml b/roles/network/tasks/main.yml
index 6f9d8b6..e1be7c5 100644
--- a/roles/network/tasks/main.yml
+++ b/roles/network/tasks/main.yml
@@ -6,7 +6,7 @@
 ansible.builtin.template:
 src: resolv.conf.j2
 dest: /etc/resolv.conf
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 when: network_dns_servers is defined
diff --git a/roles/nfs_client/tasks/main.yml b/roles/nfs_client/tasks/main.yml
index 0953d3a..06fe6d6 100644
--- a/roles/nfs_client/tasks/main.yml
+++ b/roles/nfs_client/tasks/main.yml
@@ -14,7 +14,7 @@
 ansible.builtin.copy:
 dest: /etc/modprobe.d/nfs.conf
 content: "options nfs nfs4_disable_idmapping=0\n"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
diff --git a/roles/nfs_server/tasks/main.yml b/roles/nfs_server/tasks/main.yml
index 32b1701..c73f100 100644
--- a/roles/nfs_server/tasks/main.yml
+++ b/roles/nfs_server/tasks/main.yml
@@ -21,7 +21,7 @@
 ansible.builtin.copy:
 dest: "/usr/local/sbin/{{ item }}"
 src: "{{ item }}.sh"
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
 with_items:
diff --git a/roles/nftables/tasks/main.yml b/roles/nftables/tasks/main.yml
index f60342f..85a6424 100644
--- a/roles/nftables/tasks/main.yml
+++ b/roles/nftables/tasks/main.yml
@@ -13,7 +13,7 @@
 ansible.builtin.template:
 src: nftables.conf.j2
 dest: /etc/sysconfig/nftables.conf
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Reload nftables
diff --git a/roles/nginx/server/tasks/main.yml b/roles/nginx/server/tasks/main.yml
index d30b37e..03e8151 100644
--- a/roles/nginx/server/tasks/main.yml
+++ b/roles/nginx/server/tasks/main.yml
@@ -32,7 +32,7 @@
 ansible.builtin.file:
 state: directory
 path: "{{ item }}"
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
 seuser: _default
@@ -46,7 +46,7 @@
 ansible.builtin.template:
 src: nginx.conf.j2
 dest: /etc/nginx/nginx.conf
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart nginx
@@ -56,7 +56,7 @@
 ansible.builtin.file:
 dest: /etc/systemd/system/nginx.service.d
 state: directory
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
 when: ansible_os_family == "RedHat"
@@ -65,7 +65,7 @@
 ansible.builtin.copy:
 dest: /etc/systemd/system/nginx.service.d/dependency.conf
 src: dependency.conf
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 when: ansible_os_family == "RedHat"
diff --git a/roles/nginx/site/tasks/main.yml b/roles/nginx/site/tasks/main.yml
index fbb2793..fe8d61b 100644
--- a/roles/nginx/site/tasks/main.yml
+++ b/roles/nginx/site/tasks/main.yml
@@ -3,7 +3,7 @@
 ansible.builtin.file:
 path: "/srv/web/{{ site }}"
 state: directory
- mode: 0755
+ mode: "0755"
 owner: root
 group: "{{ ansible_wheel }}"
 when: redirect is not defined and proxy is not defined
@@ -12,7 +12,7 @@
 ansible.builtin.template:
 dest: /etc/nginx/conf.d/{{ site }}.conf
 src: site.conf.j2
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart nginx
@@ -21,7 +21,7 @@
 ansible.builtin.copy:
 dest: "{{ tls_private }}/{{ site }}.key"
 src: "{{ item }}"
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
 with_first_found:
@@ -35,7 +35,7 @@
 ansible.builtin.copy:
 src: "{{ item }}"
 dest: "{{ tls_certs }}/{{ site }}-fullchain.crt"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 validate: /usr/bin/openssl x509 -in %s -noout
diff --git a/roles/nsd/tasks/main.yml b/roles/nsd/tasks/main.yml
index 930a01d..b0d3ad6 100644
--- a/roles/nsd/tasks/main.yml
+++ b/roles/nsd/tasks/main.yml
@@ -3,7 +3,7 @@
 ansible.builtin.copy:
 dest: "{{ tls_private }}/{{ nsd_server }}.key"
 src: "{{ item }}"
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
 with_first_found:
@@ -17,7 +17,7 @@
 ansible.builtin.copy:
 dest: "{{ tls_certs }}/{{ nsd_server }}.crt"
 src: "{{ item }}"
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 with_first_found:
@@ -31,7 +31,7 @@
 ansible.builtin.template:
 src: nsd.conf.j2
 dest: /var/nsd/etc/nsd.conf
- mode: 0640
+ mode: "0640"
 owner: root
 group: _nsd
 notify: Restart nsd
@@ -40,7 +40,7 @@
 ansible.builtin.copy:
 dest: "/var/nsd/zones/master/{{ item | replace('/', '-') }}"
 src: "/srv/dns/{{ item | replace('/', '-') }}"
- mode: 0640
+ mode: "0640"
 owner: root
 group: _nsd
 tags: dns
diff --git a/roles/openbgpd/tasks/main.yml b/roles/openbgpd/tasks/main.yml
index 94e78fe..736ce90 100644
--- a/roles/openbgpd/tasks/main.yml
+++ b/roles/openbgpd/tasks/main.yml
@@ -3,7 +3,7 @@
 ansible.builtin.copy:
 dest: /etc/bgpd.conf
 src: "{{ ansible_private }}/files/bgpd/bgpd.conf.{{ inventory_hostname }}"
- mode: 0600
+ mode: "0600"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart bgpd
diff --git a/roles/opensmtpd/tasks/main.yml b/roles/opensmtpd/tasks/main.yml
index 243a1e0..40e1891 100644
--- a/roles/opensmtpd/tasks/main.yml
+++ b/roles/opensmtpd/tasks/main.yml
@@ -3,7 +3,7 @@
 ansible.builtin.template:
 src: smtpd.conf.j2
 dest: /etc/mail/smtpd.conf
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart opensmtpd
@@ -12,7 +12,7 @@
 ansible.builtin.copy:
 content: "{{ mail_domain }}\n"
 dest: /etc/mail//mailname
- mode: 0644
+ mode: "0644"
 owner: root
 group: "{{ ansible_wheel }}"
 notify: Restart opensmtpd
diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml
index 7f1edca..84b8d2b 100644
--- a/roles/openvpn/tasks/main.yml
+++ b/roles/openvpn/tasks/main.yml
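Review bot: `dest: /etc/mail//mailname` in the second opensmtpd hunk has a doubled slash; it resolves to the same file, but the path reported in task output and `--diff` will carry the `//`, so it should read `dest: /etc/mail/mailname`. It is a context line, so this is a separate follow-up rather than part of this commit.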
@@ -8,7 +8,7 @@ ansible.builtin.file: path: /var/openvpn state: directory - mode: 0750 + mode: "0750" owner: root group: _openvpn @@ -16,7 +16,7 @@ ansible.builtin.file: path: /var/openvpn/tmp state: directory - mode: 0770 + mode: "0770" owner: _openvpn group: _openvpn @@ -24,7 +24,7 @@ ansible.builtin.file: path: /etc/openvpn state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -32,7 +32,7 @@ ansible.builtin.file: path: /etc/openvpn/keys state: directory - mode: 0700 + mode: "0700" owner: root group: "{{ ansible_wheel }}" @@ -40,7 +40,7 @@ ansible.builtin.copy: src: "{{ ansible_private }}/files/openvpn/{{ inventory_hostname }}.key" dest: /etc/openvpn/keys/tap0.key - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" @@ -48,7 +48,7 @@ ansible.builtin.copy: src: "{{ ansible_private }}/files/openvpn/{{ inventory_hostname }}.conf" dest: /etc/openvpn/tap0.conf - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" @@ -56,6 +56,6 @@ ansible.builtin.copy: src: hostname.tap0 dest: /etc/hostname.tap0 - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml index 578a0d6..588dac6 100644 --- a/roles/pf/tasks/main.yml +++ b/roles/pf/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.copy: src: "{{ firewall_src }}" dest: /etc/pf.conf - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" validate: pfctl -N -f %s @@ -14,7 +14,7 @@ ansible.builtin.template: src: pf.conf.j2 dest: /etc/pf.conf - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" validate: pfctl -N -f %s diff --git a/roles/pki/tasks/main.yml b/roles/pki/tasks/main.yml index 020211e..b27715a 100644 --- a/roles/pki/tasks/main.yml +++ b/roles/pki/tasks/main.yml @@ -8,7 +8,7 @@ ansible.builtin.copy: src: "/srv/ca/certs/ca.crt" dest: "{{ tls_certs }}/ca.crt" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" 
@@ -32,7 +32,7 @@ - name: Fix private key directory permissions ansible.builtin.file: path: "{{ tls_private }}" - mode: 0750 + mode: "0750" owner: root group: hostkey when: ansible_system == "OpenBSD" @@ -41,7 +41,7 @@ ansible.builtin.copy: src: "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt" dest: "{{ tls_certs }}/{{ inventory_hostname }}.crt" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -56,7 +56,7 @@ ' {{ tls_certs }}/{{ inventory_hostname }}.crt dest: /etc/ansible/facts.d/ansible_certificate.fact - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -73,7 +73,7 @@ ansible.builtin.copy: dest: "{{ tls_certs }}/{{ inventory_hostname }}-fullchain.crt" content: "{{ pki_host_fullchain.stdout }}" - mode: 0640 + mode: "0640" owner: root group: "{{ ansible_wheel }}" @@ -81,6 +81,6 @@ ansible.builtin.copy: src: "/srv/ca/private/{{ inventory_hostname }}.key" dest: "{{ tls_private }}/{{ inventory_hostname }}.key" - mode: 0640 + mode: "0640" owner: root group: hostkey diff --git a/roles/podman/tasks/main.yml b/roles/podman/tasks/main.yml index f574e4c..93660dd 100644 --- a/roles/podman/tasks/main.yml +++ b/roles/podman/tasks/main.yml @@ -14,7 +14,7 @@ ansible.builtin.copy: dest: /usr/local/share/selinux/podman-certs.pp src: podman-certs.pp - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml index fe8ba2e..315ed79 100644 --- a/roles/rclone/tasks/main.yml +++ b/roles/rclone/tasks/main.yml @@ -8,7 +8,7 @@ ansible.builtin.file: path: /etc/rclone state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -16,7 +16,7 @@ ansible.builtin.template: dest: /etc/rclone/rclone.conf src: rclone.conf.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" 
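Review bot: `/etc/rclone/rclone.conf` is installed world-readable (`mode: "0644"`, root:wheel) in the roles/rclone/tasks/main.yml hunk `@@ -16,7 +16,7 @@`, while `/var/log/rclone` two tasks later is owned by `local_user`. Rendered rclone configs usually carry remote credentials (obscured passwords, API tokens), so if `rclone.conf.j2` does, `mode: "0600"` (or `"0640"` with `group: "{{ local_user | default(ansible_wheel) }}"` so the sync user can read it) is the safer default; the template itself is not visible here, so confirm what it contains. Either way a comment such as `# contains remote credentials: keep unreadable to others` above the task would record the intent.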
@@ -24,7 +24,7 @@ ansible.builtin.file: path: /var/log/rclone state: directory - mode: 0750 + mode: "0750" owner: "{{ local_user | default('root') }}" group: "{{ local_user | default(ansible_wheel) }}" @@ -32,7 +32,7 @@ ansible.builtin.template: dest: /usr/local/bin/rclone-sync src: rclone-sync.sh.j2 - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/roles_lists/tasks/main.yml b/roles/roles_lists/tasks/main.yml index 5783bbf..049c0ef 100644 --- a/roles/roles_lists/tasks/main.yml +++ b/roles/roles_lists/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.copy: dest: /etc/smrsh/archiver src: archiver.sh - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -20,7 +20,7 @@ ansible.builtin.copy: dest: /usr/local/share/selinux/sendmail-spamc.pp src: sendmail-spamc.pp - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/roundcube/tasks/main.yml b/roles/roundcube/tasks/main.yml index a3f66ec..eca261b 100644 --- a/roles/roundcube/tasks/main.yml +++ b/roles/roundcube/tasks/main.yml @@ -14,7 +14,7 @@ ansible.builtin.copy: dest: "{{ tls_private }}/roundcube.key" src: "{{ tls_private }}/{{ inventory_hostname }}.key" - mode: 0640 + mode: "0640" owner: root group: roundcube remote_src: true @@ -23,7 +23,7 @@ ansible.builtin.file: path: /etc/roundcube state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -31,7 +31,7 @@ ansible.builtin.template: dest: /etc/roundcube/local.php src: local.php.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -39,7 +39,7 @@ ansible.builtin.template: dest: /etc/sysconfig/roundcube-container src: roundcube-container.sysconfig.j2 - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" notify: Restart roundcube 
@@ -48,7 +48,7 @@ ansible.builtin.template: dest: /etc/systemd/system/roundcube-container.service src: roundcube-container.service.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart roundcube @@ -66,7 +66,7 @@ location /roundcube/ { proxy_pass http://localhost:8004/; } - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx diff --git a/roles/rpm_build/tasks/main.yml b/roles/rpm_build/tasks/main.yml index b24e952..450048b 100644 --- a/roles/rpm_build/tasks/main.yml +++ b/roles/rpm_build/tasks/main.yml @@ -14,7 +14,7 @@ state: directory owner: root group: "{{ ansible_wheel }}" - mode: 0755 + mode: "0755" with_items: - /export/rpmbuild - /export/rpmbuild/SOURCES @@ -34,6 +34,6 @@ ansible.builtin.copy: dest: /root/.rpmmacros content: "%_topdir /srv/rpmbuild\n" - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/rsync/client/tasks/main.yml b/roles/rsync/client/tasks/main.yml index 1519109..32e4bdc 100644 --- a/roles/rsync/client/tasks/main.yml +++ b/roles/rsync/client/tasks/main.yml @@ -11,7 +11,7 @@ ansible.builtin.template: dest: /usr/local/libexec/rsync-ssl-tunnel src: rsync-ssl-tunnel.j2 - mode: 0755 + mode: "0755" owner: root group: root @@ -19,6 +19,6 @@ ansible.builtin.copy: dest: /usr/local/bin/rsync-ssl src: rsync-ssl - mode: 0755 + mode: "0755" owner: root group: root diff --git a/roles/rsync/server/tasks/main.yml b/roles/rsync/server/tasks/main.yml index 404f708..71f53fc 100644 --- a/roles/rsync/server/tasks/main.yml +++ b/roles/rsync/server/tasks/main.yml @@ -17,7 +17,7 @@ ansible.builtin.template: dest: /etc/rsyncd.conf src: rsyncd.conf.j2 - mode: 0644 + mode: "0644" owner: root group: root @@ -25,7 +25,7 @@ ansible.builtin.template: dest: /etc/stunnel/rsyncd.conf src: rsyncd-stunnel.conf.j2 - mode: 0644 + mode: "0644" owner: root group: root 
@@ -33,7 +33,7 @@ ansible.builtin.file: dest: /etc/systemd/system/rsyncd@.service.d state: directory - mode: 0755 + mode: "0755" owner: root group: root @@ -41,7 +41,7 @@ ansible.builtin.copy: dest: /etc/systemd/system/rsyncd@.service.d/stunnel.conf src: systemd-stunnel.conf - mode: 0644 + mode: "0644" owner: root group: root diff --git a/roles/rsyslog/tasks/main.yml b/roles/rsyslog/tasks/main.yml index 7372753..6cb4537 100644 --- a/roles/rsyslog/tasks/main.yml +++ b/roles/rsyslog/tasks/main.yml @@ -11,7 +11,7 @@ ansible.builtin.copy: dest: /etc/rsyslog.d/all.log.conf content: "*.* /var/log/all.log\n" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart rsyslog @@ -20,7 +20,7 @@ ansible.builtin.template: dest: /etc/rsyslog.d/remote.conf src: remote.conf.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart rsyslog @@ -34,6 +34,6 @@ ansible.builtin.copy: dest: /etc/logrotate.d/syslog.all src: logrotate - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/rsyslog/tasks/udp-listen.yml b/roles/rsyslog/tasks/udp-listen.yml index cf9ac73..1585323 100644 --- a/roles/rsyslog/tasks/udp-listen.yml +++ b/roles/rsyslog/tasks/udp-listen.yml @@ -3,7 +3,7 @@ ansible.builtin.copy: dest: /etc/rsyslog.d/udp-listen.conf src: udp-listen.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart rsyslog diff --git a/roles/saslauthd/tasks/main.yml b/roles/saslauthd/tasks/main.yml index d0c7ce8..74023d2 100644 --- a/roles/saslauthd/tasks/main.yml +++ b/roles/saslauthd/tasks/main.yml @@ -19,7 +19,7 @@ ansible.builtin.template: dest: /etc/saslauthd.conf src: saslauthd.conf.j2 - mode: 0640 + mode: "0640" owner: root group: "{{ ansible_wheel }}" notify: Restart saslauthd diff --git a/roles/selinux/tasks/main.yml b/roles/selinux/tasks/main.yml index a99d822..a45757c 100644 --- a/roles/selinux/tasks/main.yml +++ b/roles/selinux/tasks/main.yml 
@@ -8,6 +8,6 @@ ansible.builtin.file: dest: /usr/local/share/selinux state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/sendmail/tasks/main.yml b/roles/sendmail/tasks/main.yml index ee11f6e..117b47c 100644 --- a/roles/sendmail/tasks/main.yml +++ b/roles/sendmail/tasks/main.yml @@ -12,7 +12,7 @@ ansible.builtin.file: path: /etc/mail/certs state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -20,7 +20,7 @@ ansible.builtin.copy: dest: "{{ tls_private }}/{{ mail_server }}.key" src: "{{ item }}" - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" with_first_found: @@ -34,7 +34,7 @@ ansible.builtin.copy: src: "{{ item }}" dest: "{{ tls_certs }}/{{ mail_server }}.crt" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" validate: /usr/bin/openssl x509 -in %s -noout @@ -49,7 +49,7 @@ ansible.builtin.copy: src: "{{ item }}" dest: "{{ tls_certs }}/{{ mail_server }}-chain.crt" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" validate: /usr/bin/openssl x509 -in %s -noout @@ -68,7 +68,7 @@ ansible.builtin.file: path: /export/mail state: directory - mode: 0775 + mode: "0775" owner: root group: mail setype: _default @@ -96,7 +96,7 @@ ansible.builtin.template: src: sendmail.mc.j2 dest: /etc/mail/sendmail.mc - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" validate: /bin/sh -c '/usr/bin/m4 %s > /dev/null' @@ -106,7 +106,7 @@ ansible.builtin.copy: src: "{{ ansible_private }}/files/sendmail/aliases" dest: /etc/aliases - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Update aliases diff --git a/roles/sftpuser/tasks/main.yml b/roles/sftpuser/tasks/main.yml index 6cf95fd..412826c 100644 --- a/roles/sftpuser/tasks/main.yml +++ b/roles/sftpuser/tasks/main.yml 
@@ -18,7 +18,7 @@ ansible.builtin.copy: dest: "/etc/ssh/authorized_keys.{{ user }}" content: "{{ publickeys | join('\n') + '\n'}}" - mode: 0640 + mode: "0640" owner: root group: "{{ user }}" diff --git a/roles/spamassassin_clamav/tasks/main.yml b/roles/spamassassin_clamav/tasks/main.yml index 63e9e77..e8db4df 100644 --- a/roles/spamassassin_clamav/tasks/main.yml +++ b/roles/spamassassin_clamav/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.copy: src: ClamAV.pm dest: /etc/mail/spamassassin/ClamAV.pm - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart spamassassin @@ -12,7 +12,7 @@ ansible.builtin.copy: src: clamav.cf dest: /etc/mail/spamassassin/clamav.cf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart spamassassin diff --git a/roles/spamassassin_razor/tasks/main.yml b/roles/spamassassin_razor/tasks/main.yml index b6268dc..dce1cfe 100644 --- a/roles/spamassassin_razor/tasks/main.yml +++ b/roles/spamassassin_razor/tasks/main.yml @@ -8,7 +8,7 @@ ansible.builtin.file: path: /var/lib/razor state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" setype: _default diff --git a/roles/spamassassin_textcat/tasks/main.yml b/roles/spamassassin_textcat/tasks/main.yml index 2e3daad..08e645f 100644 --- a/roles/spamassassin_textcat/tasks/main.yml +++ b/roles/spamassassin_textcat/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.copy: dest: /etc/mail/spamassassin/textcat.pre content: "loadplugin Mail::SpamAssassin::Plugin::TextCat\n" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart spamassassin diff --git a/roles/ssh_known_hosts/tasks/main.yml b/roles/ssh_known_hosts/tasks/main.yml index e5caeff..31acc01 100644 --- a/roles/ssh_known_hosts/tasks/main.yml +++ b/roles/ssh_known_hosts/tasks/main.yml 
@@ -3,6 +3,6 @@ ansible.builtin.template: dest: /etc/ssh/ssh_known_hosts src: ssh_known_hosts.j2 - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/sssd/tasks/main.yml b/roles/sssd/tasks/main.yml index dae5335..4f60e91 100644 --- a/roles/sssd/tasks/main.yml +++ b/roles/sssd/tasks/main.yml @@ -8,7 +8,7 @@ ansible.builtin.template: dest: /etc/sssd/sssd.conf src: sssd.conf.j2 - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" notify: Restart sssd diff --git a/roles/syslogd/tasks/main.yml b/roles/syslogd/tasks/main.yml index 498d76c..69170e5 100644 --- a/roles/syslogd/tasks/main.yml +++ b/roles/syslogd/tasks/main.yml @@ -8,7 +8,7 @@ ansible.builtin.file: path: /var/log/all.log state: touch - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" when: not result.stat.exists diff --git a/roles/syslogd/tasks/server.yml b/roles/syslogd/tasks/server.yml index 2f8f90f..ca342d1 100644 --- a/roles/syslogd/tasks/server.yml +++ b/roles/syslogd/tasks/server.yml @@ -3,7 +3,7 @@ ansible.builtin.file: dest: "{{ item }}" state: directory - mode: 0750 + mode: "0750" owner: root group: "{{ ansible_wheel }}" with_items: @@ -22,7 +22,7 @@ ansible.builtin.copy: dest: "{{ tls_private }}/0.0.0.0:6514.key" src: /srv/letsencrypt/live/loghost.foo.sh/privkey.pem - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" notify: Restart syslogd @@ -32,7 +32,7 @@ ansible.builtin.copy: dest: "{{ tls_certs }}/0.0.0.0:6514.crt" src: /srv/letsencrypt/live/loghost.foo.sh/fullchain.pem - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart syslogd @@ -59,7 +59,7 @@ ansible.builtin.copy: dest: /usr/local/sbin/syslog-archive src: syslog-archive.sh - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/telegraf/tasks/main.yml b/roles/telegraf/tasks/main.yml index 068f1a4..98fed37 100644 --- a/roles/telegraf/tasks/main.yml +++ b/roles/telegraf/tasks/main.yml 
@@ -9,7 +9,7 @@ ansible.builtin.copy: dest: /etc/telegraf/telegraf.conf src: "{{ ansible_private }}/files/telegraf/telegraf.conf" - mode: 0640 + mode: "0640" owner: root group: _telegraf notify: Restart telegraf diff --git a/roles/tftp/tasks/main.yml b/roles/tftp/tasks/main.yml index b943c63..bae19d9 100644 --- a/roles/tftp/tasks/main.yml +++ b/roles/tftp/tasks/main.yml @@ -34,7 +34,7 @@ ansible.builtin.file: path: /export/tftpboot state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -51,7 +51,7 @@ ansible.builtin.file: path: /etc/systemd/system/tftp.service.d state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" when: ansible_service_mgr == "systemd" @@ -63,7 +63,7 @@ [Service] ExecStart= ExecStart=/usr/sbin/in.tftpd -s /srv/tftpboot -u tftpd -c -v - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart tftpd diff --git a/roles/thinlinc_server/tasks/main.yml b/roles/thinlinc_server/tasks/main.yml index 76a2b43..6455425 100644 --- a/roles/thinlinc_server/tasks/main.yml +++ b/roles/thinlinc_server/tasks/main.yml @@ -32,7 +32,7 @@ ansible.builtin.copy: dest: /etc/polkit-1/rules.d/40-thinlinc-no-auth-dialogs.rules src: 40-thinlinc-no-auth-dialogs.rules - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -59,7 +59,7 @@ ansible.builtin.copy: dest: /opt/thinlinc/etc/tlwebaccess/server.key src: "{{ item }}" - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" with_first_found: @@ -72,7 +72,7 @@ ansible.builtin.copy: dest: /opt/thinlinc/etc/tlwebaccess/server.crt src: "{{ item }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" validate: /usr/bin/openssl x509 -in %s -noout diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 1f6699a..0c0ef91 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml 
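Review bot: The systemd override in roles/tftp/tasks/main.yml (hunk `@@ -63,7 +63,7 @@`) runs `in.tftpd -s /srv/tftpboot -u tftpd -c -v`, and `-c` lets unauthenticated TFTP clients create new files in the served directory. That only takes effect where the `tftpd` user can write, and the directory created earlier in the same file is root-owned `0755`, so the flag looks either unintended or dependent on a writable subdirectory set up elsewhere. If uploads are not needed, drop `-c`; if they are (e.g. device config backups), a comment such as `# -c allows clients to create files; only writable subdirs accept uploads` would make the exposure explicit. The task's module and name lines are outside the hunk.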
@@ -19,7 +19,7 @@ ansible.builtin.template: dest: "{{ unbound_conf }}" src: "unbound.conf.{{ inventory_hostname }}.j2" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" validate: "unbound-checkconf %s" diff --git a/roles/web_build/tasks/main.yml b/roles/web_build/tasks/main.yml index 6fb8ba2..d2aed36 100644 --- a/roles/web_build/tasks/main.yml +++ b/roles/web_build/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.file: path: /export/web-build state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -20,6 +20,6 @@ ansible.builtin.copy: dest: /usr/local/bin/web-sync src: web-sync.sh - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/web_logs/tasks/main.yml b/roles/web_logs/tasks/main.yml index 04e1c7e..d554ce8 100644 --- a/roles/web_logs/tasks/main.yml +++ b/roles/web_logs/tasks/main.yml @@ -18,7 +18,7 @@ ansible.builtin.file: path: /etc/ssh/logsync state: directory - mode: 0750 + mode: "0750" owner: root group: logsync @@ -41,7 +41,7 @@ path: "{{ item }}" owner: root group: logsync - mode: 0640 + mode: "0640" with_items: - /etc/ssh/logsync/id_ed25519 - /etc/ssh/logsync/id_ed25519.pub @@ -60,7 +60,7 @@ ansible.builtin.file: path: /var/cache/sync-http-logs state: directory - mode: 0750 + mode: "0750" owner: logsync group: logsync @@ -68,7 +68,7 @@ ansible.builtin.file: path: /export/web-log state: directory - mode: 0750 + mode: "0750" owner: root group: "{{ ansible_wheel }}" diff --git a/roles/zoneminder/tasks/main.yml b/roles/zoneminder/tasks/main.yml index 8ee40c0..c8de160 100644 --- a/roles/zoneminder/tasks/main.yml +++ b/roles/zoneminder/tasks/main.yml @@ -21,7 +21,7 @@ ansible.builtin.file: path: /export/zoneminder state: directory - mode: 0750 + mode: "0750" owner: apache group: apache setype: _default @@ -39,7 +39,7 @@ ansible.builtin.template: dest: /etc/zm/conf.d/local.conf src: zm.conf - mode: 0640 + mode: "0640" owner: root group: apache notify: Restart zoneminder 
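Review bot: The private key `/etc/ssh/logsync/id_ed25519` is left root-owned with `group: logsync` and `mode: "0640"` in the roles/web_logs/tasks/main.yml hunk `@@ -41,7 +41,7 @@`, which only works because OpenSSH applies its "permissions are too open" check to keys owned by the calling user; a root-invoked ssh would refuse this key, a logsync-invoked one reads it via the group bit. Since the cache directory later in the file is owned by `logsync`, the latter is presumably the consumer, but that reasoning is not recorded anywhere. A comment above the task, e.g. `# root-owned on purpose: read by the logsync user via group, so ssh's owner-only mode check does not apply`, would stop a future cleanup from changing owner to logsync and breaking the key load. The task's module and name lines are outside the hunk.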
@@ -76,7 +76,7 @@ ansible.builtin.file: dest: /var/log/zoneminder/web_php.log state: touch - mode: 0640 + mode: "0640" owner: apache group: apache access_time: preserve @@ -104,7 +104,7 @@ ansible.builtin.copy: dest: /etc/php.d/timezone.ini content: "date.timezone=UTC\n" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart apache @@ -118,7 +118,7 @@ ssl-ca={{ tls_certs }}/ca.crt ssl-cert={{ tls_certs }}/{{ inventory_hostname }}.crt ssl-key={{ tls_private }}/{{ inventory_hostname }}.key - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" From 644fcbe63873a78e929fd353177c310c9e037eed Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 13 Oct 2023 12:37:46 +0000 Subject: [PATCH 064/596] Update software versions --- hosts.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/hosts.yml b/hosts.yml index c056a2c..d7faa20 100644 --- a/hosts.yml +++ b/hosts.yml @@ -34,8 +34,9 @@ homeassistant: homeassistant_version: "2023.10.1" homeassistant_integrations: - name: electrolux_status - repo: https://github.com/mauro-midolo/homeassistant_electrolux_status.git - version: v2.12.0 + repo: >- + https://github.com/mauro-midolo/homeassistant_electrolux_status.git + version: v3.2.1 influxdb: hosts: influxdb01.home.foo.sh: @@ -87,6 +88,8 @@ print: prometheus: hosts: prometheus02.home.foo.sh: + vars: + prometheus_version: "2.45.1" proxy: hosts: proxy01.home.foo.sh: From 317622a01d0f1a3041e227040c872cea8bacdd9e Mon Sep 17 00:00:00 2001 
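Review bot: In the hosts.yml hunk `@@ -34,8 +34,9 @@`, `version: v3.2.1` pins the `electrolux_status` integration to a git tag, and tags are mutable: whoever controls the upstream repository can move the tag and the next run of the role (which updates the checkout to `{{ item.version }}`) will silently pull different code. Pinning to the tag's commit hash gives an immutable reference; the git task's `version` accepts a full SHA, so `version: "<commit sha of v3.2.1>"` (placeholder) with the tag kept in a comment, `# v3.2.1`, preserves readability. The same applies to any other entries in `homeassistant_integrations` outside this hunk.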
From: Timo Makinen Date: Fri, 13 Oct 2023 12:44:42 +0000 Subject: [PATCH 065/596] Fix Forbidden implicit octal value from playbooks --- playbooks/adm.yml | 2 +- playbooks/collab.yml | 4 ++-- playbooks/dna-gw.yml | 20 ++++++++++---------- playbooks/fsol-gw.yml | 4 ++-- playbooks/include/deploy-kvm-guest.yml | 2 +- playbooks/nas.yml | 2 +- playbooks/nms.yml | 2 +- playbooks/print.yml | 2 +- playbooks/shell.yml | 2 +- playbooks/static.yml | 2 +- playbooks/zm.yml | 4 ++-- 11 files changed, 23 insertions(+), 23 deletions(-) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 9833c14..3daeffe 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml @@ -63,6 +63,6 @@ Host shell??.foo.sh CheckHostIP no dest: /root/.ssh/config - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" diff --git a/playbooks/collab.yml b/playbooks/collab.yml index 6533222..38f5b8d 100644 --- a/playbooks/collab.yml +++ b/playbooks/collab.yml @@ -38,7 +38,7 @@ ansible.builtin.copy: content: "RedirectMatch permanent \"^/$\" /collab/\n" dest: "/etc/httpd/conf.local.d/redirects.conf" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart apache @@ -61,7 +61,7 @@ dest: /srv/wikis/collab/htdocs/.htaccess owner: collab group: collab - mode: 0660 + mode: "0660" seuser: _default setype: _default diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 533314a..224c9a1 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -27,7 +27,7 @@ ansible.builtin.copy: dest: /etc/dhclient.conf content: "ignore domain-name-servers, domain-name;\n" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -53,7 +53,7 @@ ansible.builtin.file: path: /srv/tftpboot/etc state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -64,7 +64,7 @@ stty com0 115200 set tty com0 boot tftp:bsd.rd - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" 
@@ -73,7 +73,7 @@ url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.3/amd64/pxeboot" checksum: sha1:161b36d4ae3d786aa98c4836abba25f2bca8979d dest: /srv/tftpboot/pxeboot - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -82,7 +82,7 @@ url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.3/amd64/bsd.rd" checksum: sha1:72b46ad8e97b2082d145a739264e818dcd154021 dest: /srv/tftpboot/bsd.rd - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -91,7 +91,7 @@ url: "https://boot.foo.sh/openbsd/install.conf" checksum: sha1:f6270708dad3f759df02eefeab300d9b8670f3d4 dest: /srv/tftpboot/install.conf - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -113,7 +113,7 @@ } } } - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx @@ -122,7 +122,7 @@ ansible.builtin.copy: dest: "{{ tls_private }}/dns.home.foo.sh.key" src: "{{ item }}" - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" with_first_found: @@ -135,7 +135,7 @@ ansible.builtin.copy: dest: "{{ tls_certs }}/dns.home.foo.sh.crt" src: "{{ item }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" with_first_found: @@ -148,7 +148,7 @@ ansible.builtin.copy: dest: "/var/unbound/db/{{ item }}" src: "/srv/dns/{{ item }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" tags: dns diff --git a/playbooks/fsol-gw.yml b/playbooks/fsol-gw.yml index 7d6efe8..1d11432 100644 --- a/playbooks/fsol-gw.yml +++ b/playbooks/fsol-gw.yml @@ -32,14 +32,14 @@ ansible.builtin.copy: dest: /etc/dhclient.conf content: "ignore domain-name-servers, domain-name;\n" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" - name: Create pfsync interface ansible.builtin.copy: dest: /etc/hostname.pfsync0 content: "up syncdev vio1\n" - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" 
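Review bot: The three download tasks in playbooks/dna-gw.yml (hunks `@@ -73,7 +73,7 @@`, `@@ -82,7 +82,7 @@` and `@@ -91,7 +91,7 @@`) verify network-boot artifacts with `checksum: sha1:...`, and these files are then served to every PXE client, so the integrity check is worth more than SHA-1 offers. The `checksum` option also takes `sha256:<digest>` or a URL to a checksum file, and the OpenBSD release directory publishes a `SHA256` file next to `pxeboot` and `bsd.rd`, so switching to `checksum: "sha256:<digest>"` (placeholder) is a small change. This is pre-existing rather than introduced here, and the tasks' module and name lines are outside the hunks.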
diff --git a/playbooks/include/deploy-kvm-guest.yml b/playbooks/include/deploy-kvm-guest.yml index 4f763fd..4bdb5d1 100644 --- a/playbooks/include/deploy-kvm-guest.yml +++ b/playbooks/include/deploy-kvm-guest.yml @@ -75,7 +75,7 @@ echo '{{ root_pubkey }}' > /root/.ssh/authorized_keys %end dest: "{{ tmpdir.path }}/include.ks" - mode: 0600 + mode: "0600" owner: root group: "{{ ansible_wheel }}" delegate_to: "{{ vmhost }}" diff --git a/playbooks/nas.yml b/playbooks/nas.yml index 4d451e7..58db737 100644 --- a/playbooks/nas.yml +++ b/playbooks/nas.yml @@ -51,7 +51,7 @@ /export/roles 172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \ @nfsclients-rw(rw,root_squash,secure) \ @nfsclients-ro(ro,root_squash,secure) - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nfs-server diff --git a/playbooks/nms.yml b/playbooks/nms.yml index f5ac7a0..9900ec7 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -49,7 +49,7 @@ ansible.builtin.copy: dest: "/var/lib/unbound/{{ item }}" src: "/srv/dns/{{ item }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" tags: dns diff --git a/playbooks/print.yml b/playbooks/print.yml index d434c76..1f90c63 100644 --- a/playbooks/print.yml +++ b/playbooks/print.yml @@ -29,7 +29,7 @@ ansible.builtin.copy: dest: "/var/lib/unbound/{{ item }}" src: "/srv/dns/{{ item }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" tags: dns diff --git a/playbooks/shell.yml b/playbooks/shell.yml index d331810..1380081 100644 --- a/playbooks/shell.yml +++ b/playbooks/shell.yml @@ -98,6 +98,6 @@ content: | Host *.home.foo.sh !gw.home.foo.sh ProxyJump root@gw.home.foo.sh - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" diff --git a/playbooks/static.yml b/playbooks/static.yml index 25636a9..b912fbe 100644 --- a/playbooks/static.yml +++ b/playbooks/static.yml 
@@ -48,7 +48,7 @@ AllowOverride AuthConfig FileInfo Indexes Limit Require all granted - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart apache diff --git a/playbooks/zm.yml b/playbooks/zm.yml index f96065c..f4b39e8 100644 --- a/playbooks/zm.yml +++ b/playbooks/zm.yml @@ -45,7 +45,7 @@ ansible.builtin.copy: dest: "/var/lib/unbound/{{ item }}" src: "/srv/dns/{{ item }}" - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" tags: dns @@ -80,7 +80,7 @@ AuthName "Password Required" Require valid-user - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart apache From 39fad6ed05911f1cc682a33a26d2d84d482f8bcc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 13 Oct 2023 12:48:04 +0000 Subject: [PATCH 066/596] homeassistant: Style fixes --- roles/homeassistant/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index 8456261..af7da3a 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml @@ -101,7 +101,7 @@ update: true version: "{{ item.version }}" notify: Restart homeassistant - with_items: "{{ homeassistant_integrations|default([]) }}" + with_items: "{{ homeassistant_integrations | default([]) }}" - name: Link extra integrations ansible.builtin.file: @@ -111,7 +111,7 @@ owner: root group: "{{ ansible_wheel }}" follow: false - with_items: "{{ homeassistant_integrations|default([]) }}" + with_items: "{{ homeassistant_integrations | default([]) }}" - name: Create service file ansible.builtin.template: From 15c612cb3b51c4db06e30be2465c1ca809598c56 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Fri, 13 Oct 2023 16:17:07 +0000 Subject: [PATCH 067/596] Rename nginx/server to nginx_server --- playbooks/dna-gw.yml | 2 +- playbooks/mail.yml | 2 +- playbooks/mqtt.yml | 2 +- playbooks/nms.yml | 2 +- playbooks/ns.yml | 2 +- playbooks/proxy.yml | 58 +++++++++---------- playbooks/relay.yml | 6 +- roles/certbot/tasks/main.yml | 2 +- .../{nginx/site => nginx_site}/tasks/main.yml | 0 .../templates/git.foo.sh.conf.j2 | 0 .../templates/gw.home.foo.sh.conf.j2 | 0 .../templates/registry.foo.sh.conf.j2 | 0 .../templates/site.conf.j2 | 0 .../templates/www.foo.sh.conf.j2 | 0 14 files changed, 38 insertions(+), 38 deletions(-) rename roles/{nginx/site => nginx_site}/tasks/main.yml (100%) rename roles/{nginx/site => nginx_site}/templates/git.foo.sh.conf.j2 (100%) rename roles/{nginx/site => nginx_site}/templates/gw.home.foo.sh.conf.j2 (100%) rename roles/{nginx/site => nginx_site}/templates/registry.foo.sh.conf.j2 (100%) rename roles/{nginx/site => nginx_site}/templates/site.conf.j2 (100%) rename roles/{nginx/site => nginx_site}/templates/www.foo.sh.conf.j2 (100%) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 224c9a1..f94117c 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -17,7 +17,7 @@ - ifstated - dhcpd - nginx/server - - role: nginx/site + - role: nginx_site site: gw.home.foo.sh - tftp - websockify diff --git a/playbooks/mail.yml b/playbooks/mail.yml index 072587d..ca0bf58 100644 --- a/playbooks/mail.yml +++ b/playbooks/mail.yml @@ -34,7 +34,7 @@ - autofs - dovecot - role: nginx/server - - role: nginx/site + - role: nginx_site site: "{{ mail_server }}" redirect: https://webmail.foo.sh/ - grossd diff --git a/playbooks/mqtt.yml b/playbooks/mqtt.yml index 1a37f6e..89edf93 100644 --- a/playbooks/mqtt.yml +++ b/playbooks/mqtt.yml @@ -14,5 +14,5 @@ - mosquitto - telegraf - nginx/server - - role: nginx/site + - role: nginx_site site: iot.foo.sh 
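Review bot: The commit subject says "Rename nginx/server to nginx_server", but the diffstat and every hunk in this commit (first the playbooks/dna-gw.yml hunk `@@ -17,7 +17,7 @@`) rename `nginx/site` to `nginx_site`, and the `- nginx/server` role reference on the context line above is left as is. Either the subject should read "Rename nginx/site to nginx_site" or the `nginx/server` rename is still pending; as written, `git log` will mislead anyone looking for when the site role moved.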
diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 9900ec7..848ee50 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -26,7 +26,7 @@ roles: - base - nginx/server - - role: nginx/site + - role: nginx_site site: oob.foo.sh - sssd - mkhomedir diff --git a/playbooks/ns.yml b/playbooks/ns.yml index 495e358..82cca51 100644 --- a/playbooks/ns.yml +++ b/playbooks/ns.yml @@ -16,7 +16,7 @@ - base - nsd - role: nginx/server - - role: nginx/site + - role: nginx_site site: "{{ nsd_server }}" redirect: https://www.foo.sh/ - role: ifstated diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index 104f9fe..11ef140 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml 
@@ -16,93 +16,93 @@ - base - ifstated - nginx/server - - role: nginx/site + - role: nginx_site site: ca.foo.sh - - role: nginx/site + - role: nginx_site site: foo.monster - - role: nginx/site + - role: nginx_site site: tuiradc.fi redirect: https://facebook.com/TuiraDC - - role: nginx/site + - role: nginx_site site: www.tuiradc.fi redirect: https://facebook.com/TuiraDC - - role: nginx/site + - role: nginx_site site: foo.sh redirect: https://www.foo.sh/ - - role: nginx/site + - role: nginx_site site: autoconfig.foo.sh - - role: nginx/site + - role: nginx_site site: boot.foo.sh ssl_config: old - - role: nginx/site + - role: nginx_site site: bitbucket.foo.sh redirect: https://bitbucket.org/tmakinen/ - - role: nginx/site + - role: nginx_site site: certbot.home.foo.sh proxy: https://certbot.home.foo.sh/ - - role: nginx/site + - role: nginx_site site: chat.foo.sh proxy: - https://oci-node01.home.foo.sh/rocketchat/ - https://oci-node02.home.foo.sh/rocketchat/ - - role: nginx/site + - role: nginx_site site: collab.foo.sh proxy: https://collab01.home.foo.sh/ - - role: nginx/site + - role: nginx_site site: devel01.foo.sh proxy: https://devel01.home.foo.sh/ - - role: nginx/site + - role: nginx_site site: dns.home.foo.sh redirect: https://www.foo.sh/ - - role: nginx/site + - role: nginx_site site: git.foo.sh proxy: https://gitea02.home.foo.sh/ - - role: nginx/site + - role: nginx_site site: gitea.foo.sh redirect: https://git.foo.sh/ - - role: nginx/site + - role: nginx_site site: ha.foo.sh proxy: https://homeassistant01.home.foo.sh/ - - role: nginx/site + - role: nginx_site site: id.foo.sh proxy: - https://oci-node01.home.foo.sh - https://oci-node02.home.foo.sh - - role: nginx/site + - role: nginx_site site: influxdb.foo.sh proxy: https://influxdb01.home.foo.sh/ - - role: nginx/site + - role: nginx_site site: iot.foo.sh redirect: https://www.foo.sh/ - - role: nginx/site + - role: nginx_site site: munin.foo.sh proxy: https://munin01.home.foo.sh/ - - role: nginx/site + - role: 
nginx_site site: mirrors.foo.sh proxy: https://mirror01.home.foo.sh/ - - role: nginx/site + - role: nginx_site site: movies.foo.sh proxy: - https://oci-node01.home.foo.sh/php4dvd/ - - role: nginx/site + - role: nginx_site site: noc.foo.sh proxy: - https://oci-node01.home.foo.sh/grafana/ - https://oci-node02.home.foo.sh/grafana/ - - role: nginx/site + - role: nginx_site site: print.foo.sh proxy: https://print01.home.foo.sh:631/ - - role: nginx/site + - role: nginx_site site: registry.foo.sh proxy: ["registry01.home.foo.sh:5000", "registry02.home.foo.sh:5000"] - - role: nginx/site + - role: nginx_site site: webmail.foo.sh proxy: - https://oci-node01.home.foo.sh/roundcube/ - - role: nginx/site + - role: nginx_site site: wpad.foo.sh - - role: nginx/site + - role: nginx_site site: www.foo.sh - - role: nginx/site + - role: nginx_site site: zm.foo.sh proxy: https://zm02.home.foo.sh/ diff --git a/playbooks/relay.yml b/playbooks/relay.yml index f6cd46d..9ed46a0 100644 --- a/playbooks/relay.yml +++ b/playbooks/relay.yml @@ -17,12 +17,12 @@ - ifstated - relayd - nginx/server - - role: nginx/site + - role: nginx_site site: ldap.foo.sh redirect: https://www.foo.sh/ - - role: nginx/site + - role: nginx_site site: ldap01.foo.sh redirect: https://www.foo.sh/ - - role: nginx/site + - role: nginx_site site: loghost.foo.sh redirect: https://www.foo.sh/ diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index b66300b..1a4cbb7 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -21,7 +21,7 @@ - name: Add certbot nginx site ansible.builtin.include_role: - name: nginx/site + name: nginx_site vars: site: certbot.home.foo.sh diff --git a/roles/nginx/site/tasks/main.yml b/roles/nginx_site/tasks/main.yml similarity index 100% rename from roles/nginx/site/tasks/main.yml rename to roles/nginx_site/tasks/main.yml 
diff --git a/roles/nginx/site/templates/git.foo.sh.conf.j2 b/roles/nginx_site/templates/git.foo.sh.conf.j2 similarity index 100% rename from roles/nginx/site/templates/git.foo.sh.conf.j2 rename to roles/nginx_site/templates/git.foo.sh.conf.j2 diff --git a/roles/nginx/site/templates/gw.home.foo.sh.conf.j2 b/roles/nginx_site/templates/gw.home.foo.sh.conf.j2 similarity index 100% rename from roles/nginx/site/templates/gw.home.foo.sh.conf.j2 rename to roles/nginx_site/templates/gw.home.foo.sh.conf.j2 diff --git a/roles/nginx/site/templates/registry.foo.sh.conf.j2 b/roles/nginx_site/templates/registry.foo.sh.conf.j2 similarity index 100% rename from roles/nginx/site/templates/registry.foo.sh.conf.j2 rename to roles/nginx_site/templates/registry.foo.sh.conf.j2 diff --git a/roles/nginx/site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 similarity index 100% rename from roles/nginx/site/templates/site.conf.j2 rename to roles/nginx_site/templates/site.conf.j2 diff --git a/roles/nginx/site/templates/www.foo.sh.conf.j2 b/roles/nginx_site/templates/www.foo.sh.conf.j2 similarity index 100% rename from roles/nginx/site/templates/www.foo.sh.conf.j2 rename to roles/nginx_site/templates/www.foo.sh.conf.j2 From 2119f96382f237420fc43d0ce181bd277a4fb520 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 13 Oct 2023 17:14:14 +0000 Subject: [PATCH 068/596] nginx_site: Prefix all variables with role name --- playbooks/dna-gw.yml | 2 +- playbooks/mail.yml | 4 +- playbooks/mqtt.yml | 2 +- playbooks/nms.yml | 2 +- playbooks/ns.yml | 4 +- playbooks/proxy.yml | 108 ++++++++++++------------ playbooks/relay.yml | 12 +-- roles/nginx_site/tasks/main.yml | 26 +++--- roles/nginx_site/templates/site.conf.j2 | 44 +++++----- 9 files changed, 103 insertions(+), 101 deletions(-) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index f94117c..7e1d9d0 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml 
@@ -18,7 +18,7 @@ - dhcpd - nginx/server - role: nginx_site - site: gw.home.foo.sh + nginx_site_name: gw.home.foo.sh - tftp - websockify diff --git a/playbooks/mail.yml b/playbooks/mail.yml index ca0bf58..1289c52 100644 --- a/playbooks/mail.yml +++ b/playbooks/mail.yml @@ -35,8 +35,8 @@ - dovecot - role: nginx/server - role: nginx_site - site: "{{ mail_server }}" - redirect: https://webmail.foo.sh/ + nginx_site_name: "{{ mail_server }}" + nginx_site_redirect: https://webmail.foo.sh/ - grossd - spamassassin - spamassassin_clamav diff --git a/playbooks/mqtt.yml b/playbooks/mqtt.yml index 89edf93..3b59540 100644 --- a/playbooks/mqtt.yml +++ b/playbooks/mqtt.yml @@ -15,4 +15,4 @@ - telegraf - nginx/server - role: nginx_site - site: iot.foo.sh + nginx_site_name: iot.foo.sh diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 848ee50..36bd7b8 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -27,7 +27,7 @@ - base - nginx/server - role: nginx_site - site: oob.foo.sh + nginx_site_name: oob.foo.sh - sssd - mkhomedir - tftp diff --git a/playbooks/ns.yml b/playbooks/ns.yml index 82cca51..43508a3 100644 --- a/playbooks/ns.yml +++ b/playbooks/ns.yml @@ -17,7 +17,7 @@ - nsd - role: nginx/server - role: nginx_site - site: "{{ nsd_server }}" - redirect: https://www.foo.sh/ + nginx_site_name: "{{ nsd_server }}" + nginx_site_redirect: https://www.foo.sh/ - role: ifstated when: "'vultr' not in group_names" diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index 11ef140..72096f6 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml 
@@ -17,92 +17,94 @@ - ifstated - nginx/server - role: nginx_site - site: ca.foo.sh + nginx_site_name: ca.foo.sh - role: nginx_site - site: foo.monster + nginx_site_name: foo.monster - role: nginx_site - site: tuiradc.fi - redirect: https://facebook.com/TuiraDC + nginx_site_name: tuiradc.fi + nginx_site_redirect: https://facebook.com/TuiraDC - role: nginx_site - site: www.tuiradc.fi - redirect: https://facebook.com/TuiraDC + nginx_site_name: www.tuiradc.fi + nginx_site_redirect: https://facebook.com/TuiraDC - role: nginx_site - site: foo.sh - redirect: https://www.foo.sh/ + nginx_site_name: foo.sh + nginx_site_redirect: https://www.foo.sh/ - role: nginx_site - site: autoconfig.foo.sh + nginx_site_name: autoconfig.foo.sh - role: nginx_site - site: boot.foo.sh - ssl_config: old + nginx_site_name: boot.foo.sh + nginx_site_ssl_config: old - role: nginx_site - site: bitbucket.foo.sh - redirect: https://bitbucket.org/tmakinen/ + nginx_site_name: bitbucket.foo.sh + nginx_site_redirect: https://bitbucket.org/tmakinen/ - role: nginx_site - site: certbot.home.foo.sh - proxy: https://certbot.home.foo.sh/ + nginx_site_name: certbot.home.foo.sh + nginx_site_proxy: https://certbot.home.foo.sh/ - role: nginx_site - site: chat.foo.sh - proxy: + nginx_site_name: chat.foo.sh + nginx_site_proxy: - https://oci-node01.home.foo.sh/rocketchat/ - https://oci-node02.home.foo.sh/rocketchat/ - role: nginx_site - site: collab.foo.sh - proxy: https://collab01.home.foo.sh/ + nginx_site_name: collab.foo.sh + nginx_site_proxy: https://collab01.home.foo.sh/ - role: nginx_site - site: devel01.foo.sh - proxy: https://devel01.home.foo.sh/ + nginx_site_name: devel01.foo.sh + nginx_site_proxy: https://devel01.home.foo.sh/ - role: nginx_site - site: dns.home.foo.sh - redirect: https://www.foo.sh/ + nginx_site_name: dns.home.foo.sh + nginx_site_redirect: https://www.foo.sh/ - role: nginx_site - site: git.foo.sh - proxy: https://gitea02.home.foo.sh/ + nginx_site_name: git.foo.sh + nginx_site_proxy: 
https://gitea02.home.foo.sh/ - role: nginx_site - site: gitea.foo.sh - redirect: https://git.foo.sh/ + nginx_site_name: gitea.foo.sh + nginx_site_redirect: https://git.foo.sh/ - role: nginx_site - site: ha.foo.sh - proxy: https://homeassistant01.home.foo.sh/ + nginx_site_name: ha.foo.sh + nginx_site_proxy: https://homeassistant01.home.foo.sh/ - role: nginx_site - site: id.foo.sh - proxy: + nginx_site_name: id.foo.sh + nginx_site_proxy: - https://oci-node01.home.foo.sh - https://oci-node02.home.foo.sh - role: nginx_site - site: influxdb.foo.sh - proxy: https://influxdb01.home.foo.sh/ + nginx_site_name: influxdb.foo.sh + nginx_site_proxy: https://influxdb01.home.foo.sh/ - role: nginx_site - site: iot.foo.sh - redirect: https://www.foo.sh/ + nginx_site_name: iot.foo.sh + nginx_site_redirect: https://www.foo.sh/ - role: nginx_site - site: munin.foo.sh - proxy: https://munin01.home.foo.sh/ + nginx_site_name: munin.foo.sh + nginx_site_proxy: https://munin01.home.foo.sh/ - role: nginx_site - site: mirrors.foo.sh - proxy: https://mirror01.home.foo.sh/ + nginx_site_name: mirrors.foo.sh + nginx_site_proxy: https://mirror01.home.foo.sh/ - role: nginx_site - site: movies.foo.sh - proxy: + nginx_site_name: movies.foo.sh + nginx_site_proxy: - https://oci-node01.home.foo.sh/php4dvd/ - role: nginx_site - site: noc.foo.sh - proxy: + nginx_site_name: noc.foo.sh + nginx_site_proxy: - https://oci-node01.home.foo.sh/grafana/ - https://oci-node02.home.foo.sh/grafana/ - role: nginx_site - site: print.foo.sh - proxy: https://print01.home.foo.sh:631/ + nginx_site_name: print.foo.sh + nginx_site_proxy: https://print01.home.foo.sh:631/ - role: nginx_site - site: registry.foo.sh - proxy: ["registry01.home.foo.sh:5000", "registry02.home.foo.sh:5000"] + nginx_site_name: registry.foo.sh + nginx_site_proxy: + - "registry01.home.foo.sh:5000" + - "registry02.home.foo.sh:5000" - role: nginx_site - site: webmail.foo.sh - proxy: + nginx_site_name: webmail.foo.sh + nginx_site_proxy: - 
https://oci-node01.home.foo.sh/roundcube/ - role: nginx_site - site: wpad.foo.sh + nginx_site_name: wpad.foo.sh - role: nginx_site - site: www.foo.sh + nginx_site_name: www.foo.sh - role: nginx_site - site: zm.foo.sh - proxy: https://zm02.home.foo.sh/ + nginx_site_name: zm.foo.sh + nginx_site_proxy: https://zm02.home.foo.sh/ diff --git a/playbooks/relay.yml b/playbooks/relay.yml index 9ed46a0..a7cd0b4 100644 --- a/playbooks/relay.yml +++ b/playbooks/relay.yml @@ -18,11 +18,11 @@ - relayd - nginx/server - role: nginx_site - site: ldap.foo.sh - redirect: https://www.foo.sh/ + nginx_site_name: ldap.foo.sh + nginx_site_redirect: https://www.foo.sh/ - role: nginx_site - site: ldap01.foo.sh - redirect: https://www.foo.sh/ + nginx_site_name: ldap01.foo.sh + nginx_site_redirect: https://www.foo.sh/ - role: nginx_site - site: loghost.foo.sh - redirect: https://www.foo.sh/ + nginx_site_name: loghost.foo.sh + nginx_site_redirect: https://www.foo.sh/ diff --git a/roles/nginx_site/tasks/main.yml b/roles/nginx_site/tasks/main.yml index fe8d61b..0afcf5e 100644 --- a/roles/nginx_site/tasks/main.yml +++ b/roles/nginx_site/tasks/main.yml 
@@ -1,47 +1,47 @@ --- -- name: "Create site data directory for {{ site }}" +- name: "Create site data directory for {{ nginx_site_name }}" ansible.builtin.file: - path: "/srv/web/{{ site }}" + path: "/srv/web/{{ nginx_site_name }}" state: directory mode: "0755" owner: root group: "{{ ansible_wheel }}" - when: redirect is not defined and proxy is not defined + when: nginx_site_redirect is not defined and nginx_site_proxy is not defined -- name: "Create site config for {{ site }}" +- name: "Create site config for {{ nginx_site_name }}" ansible.builtin.template: - dest: /etc/nginx/conf.d/{{ site }}.conf + dest: /etc/nginx/conf.d/{{ nginx_site_name }}.conf src: site.conf.j2 mode: "0644" owner: root group: "{{ ansible_wheel }}" notify: Restart nginx -- name: "Copy site private key for {{ site }}" +- name: "Copy site private key for {{ nginx_site_name }}" ansible.builtin.copy: - dest: "{{ tls_private }}/{{ site }}.key" + dest: "{{ tls_private }}/{{ nginx_site_name }}.key" src: "{{ item }}" mode: "0600" owner: root group: "{{ ansible_wheel }}" with_first_found: - - "/srv/letsencrypt/live/{{ site }}/privkey.pem" - - "/srv/ca/private/{{ site }}.key" + - "/srv/letsencrypt/live/{{ nginx_site_name }}/privkey.pem" + - "/srv/ca/private/{{ nginx_site_name }}.key" - "/srv/ca/private/{{ inventory_hostname }}.key" tags: certificates notify: Restart nginx -- name: "Copy site certificate for {{ site }}" +- name: "Copy site certificate for {{ nginx_site_name }}" ansible.builtin.copy: src: "{{ item }}" - dest: "{{ tls_certs }}/{{ site }}-fullchain.crt" + dest: "{{ tls_certs }}/{{ nginx_site_name }}-fullchain.crt" mode: "0644" owner: root group: "{{ ansible_wheel }}" validate: /usr/bin/openssl x509 -in %s -noout with_first_found: - - "/srv/letsencrypt/live/{{ site }}/fullchain.pem" - - "/srv/ca/certs/hosts/{{ site }}.crt" + - "/srv/letsencrypt/live/{{ nginx_site_name }}/fullchain.pem" + - "/srv/ca/certs/hosts/{{ nginx_site_name }}.crt" - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt" 
tags: certificates notify: Restart nginx diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 index f13669c..6e4117b 100644 --- a/roles/nginx_site/templates/site.conf.j2 +++ b/roles/nginx_site/templates/site.conf.j2 @@ -1,6 +1,6 @@ -{% if proxy is defined and proxy is not string %} -upstream {{ site }} { -{% for item in proxy %} +{% if nginx_site_proxy is defined and nginx_site_proxy is not string %} +upstream {{ nginx_site_name }} { +{% for item in nginx_site_proxy %} {% set item = item | regex_replace("^(https://)?([^/]*).*$", "\\2") %} {% if item | regex_search(".*:[0-9]+$") %} server {{ item }}; 
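Review bot: The "Copy site private key" and "Copy site certificate" tasks resolve their sources with two independent `with_first_found` chains, so a site that has only one half of its pair under `/srv/ca` (or a Let's Encrypt directory missing just one file) silently pairs that half with the `{{ inventory_hostname }}` fallback, and nginx will most likely reject the mismatched key/certificate when the handler restarts it. The certificate task already runs `validate: /usr/bin/openssl x509 -in %s -noout`; the key task has no equivalent, and `validate: /usr/bin/openssl pkey -in %s -noout` would at least catch a malformed key before it lands in `{{ tls_private }}`. Registering both copy results and asserting that `item` came from the same directory in both tasks would catch the mismatch itself. Both tasks also run for pure-redirect sites, which the first task's `when:` deliberately skips; that is pre-existing and may be intended.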
@@ -13,52 +13,52 @@ upstream {{ site }} { server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name {{ site }}; + server_name {{ nginx_site_name }}; - access_log {{ nginx_logdir }}/{{ site }}.access.log combined; - error_log {{ nginx_logdir }}/{{ site }}.error.log warn; + access_log {{ nginx_logdir }}/{{ nginx_site_name }}.access.log combined; + error_log {{ nginx_logdir }}/{{ nginx_site_name }}.error.log warn; add_header Strict-Transport-Security "max-age=63072000" always; -{% if ssl_config is defined %} -{% if ssl_config == "old" %} +{% if nginx_site_ssl_config is defined %} +{% if nginx_site_ssl_config == "old" %} ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; ssl_prefer_server_ciphers on; {% endif %} {% endif %} - ssl_certificate {{ tls_certs }}/{{ site }}-fullchain.crt; - ssl_certificate_key {{ tls_private }}/{{ site }}.key; + ssl_certificate {{ tls_certs }}/{{ nginx_site_name }}-fullchain.crt; + ssl_certificate_key {{ tls_private }}/{{ nginx_site_name }}.key; -{% include "./{}.conf.j2".format(site) ignore missing %} -{% if redirect is defined %} - return 301 {{ redirect }}; -{% elif proxy is defined %} +{% include "./{}.conf.j2".format(nginx_site_name) ignore missing %} +{% if nginx_site_redirect is defined %} + return 301 {{ nginx_site_redirect }}; +{% elif nginx_site_proxy is defined %} location / { -{% if proxy is not string %} -{% set path = proxy[0] | 
regex_replace("^(https://)?([^/]*)(.*)$", "\\3") %} +{% if nginx_site_proxy is not string %} +{% set path = nginx_site_proxy[0] | regex_replace("^(https://)?([^/]*)(.*)$", "\\3") %} # https://trac.nginx.org/nginx/ticket/1307 proxy_ssl_verify off; - proxy_pass https://{{ site }}{{ path }}; + proxy_pass https://{{ nginx_site_name }}{{ path }}; {% else %} - proxy_pass {{ proxy }}; + proxy_pass {{ nginx_site_proxy }}; {% endif %} } {% else %} - root /srv/web/{{ site }}; + root /srv/web/{{ nginx_site_name }}; {% endif %} } server { listen 80; listen [::]:80; - server_name {{ site }}; + server_name {{ nginx_site_name }}; location /.well-known/acme-challenge/ { proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/; } location / { -{% if redirect is defined %} - return 301 {{ redirect }}; +{% if nginx_site_redirect is defined %} + return 301 {{ nginx_site_redirect }}; {% else %} return 301 https://$host$request_uri; {% endif %} From 4fb04065f9bbd4d84531cda9ebb9a7b87fecd30a Mon Sep 17 00:00:00 2001 
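Review bot: Neither proxy branch authenticates the backend: the list form sets `proxy_ssl_verify off;` explicitly (with the ticket link in the comment), and the string form `proxy_pass {{ nginx_site_proxy }};` inherits nginx's default, which is also off, so the hop to the `*.home.foo.sh` backends is encrypted but not verified. For the string form the backend name is fixed, so `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate <path-to-internal-CA-bundle>;` and `proxy_ssl_server_name on;` would close that gap; for the upstream form it only works if the backend certificates share a name that can be given via `proxy_ssl_name`, which the per-node names in proxy.yml may not, so worth confirming. Separately, the renamed `nginx_site_ssl_config == "old"` branch still enables TLSv1/TLSv1.1 and `DES-CBC3-SHA`; if boot.foo.sh genuinely needs it, a comment naming the client that requires it would help the next reader. The `server {` block this hunk edits starts before the hunk.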
From: Timo Makinen Date: Sat, 14 Oct 2023 15:48:51 +0000 Subject: [PATCH 069/596] nginx: Rename nginx/server to nginx --- playbooks/dna-gw.yml | 2 +- playbooks/mail.yml | 2 +- playbooks/mqtt.yml | 2 +- playbooks/nms.yml | 2 +- playbooks/ns.yml | 2 +- playbooks/proxy.yml | 2 +- playbooks/relay.yml | 2 +- playbooks/shell.yml | 4 ++-- roles/ansible_host/meta/main.yml | 2 +- roles/certbot/meta/main.yml | 2 +- roles/gitea/meta/main.yml | 2 +- roles/influxdb/meta/main.yml | 2 +- roles/nginx/{server => }/files/dependency.conf | 0 roles/nginx/{server => }/handlers/main.yml | 0 roles/nginx/{server => }/meta/main.yml | 0 roles/nginx/{server => }/tasks/main.yml | 0 roles/nginx/{server => }/templates/nginx-logrotate.sh | 0 roles/nginx/{server => }/templates/nginx.conf.j2 | 2 +- roles/nginx/{server => }/vars/OpenBSD.yml | 0 roles/nginx/{server => }/vars/RedHat.yml | 0 roles/podman/meta/main.yml | 2 +- roles/prometheus/meta/main.yml | 2 +- 22 files changed, 16 insertions(+), 16 deletions(-) rename roles/nginx/{server => }/files/dependency.conf (100%) rename roles/nginx/{server => }/handlers/main.yml (100%) rename roles/nginx/{server => }/meta/main.yml (100%) rename roles/nginx/{server => }/tasks/main.yml (100%) rename roles/nginx/{server => }/templates/nginx-logrotate.sh (100%) rename roles/nginx/{server => }/templates/nginx.conf.j2 (98%) rename roles/nginx/{server => }/vars/OpenBSD.yml (100%) rename roles/nginx/{server => }/vars/RedHat.yml (100%) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 7e1d9d0..fe74b0c 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -16,7 +16,7 @@ - base - ifstated - dhcpd - - nginx/server + - nginx - role: nginx_site nginx_site_name: gw.home.foo.sh - tftp diff --git a/playbooks/mail.yml b/playbooks/mail.yml index 1289c52..cb72de2 100644 --- a/playbooks/mail.yml +++ b/playbooks/mail.yml 
@@ -33,7 +33,7 @@ - sssd - autofs - dovecot - - role: nginx/server + - role: nginx - role: nginx_site nginx_site_name: "{{ mail_server }}" nginx_site_redirect: https://webmail.foo.sh/ diff --git a/playbooks/mqtt.yml b/playbooks/mqtt.yml index 3b59540..6c92d03 100644 --- a/playbooks/mqtt.yml +++ b/playbooks/mqtt.yml @@ -13,6 +13,6 @@ - base - mosquitto - telegraf - - nginx/server + - nginx - role: nginx_site nginx_site_name: iot.foo.sh diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 36bd7b8..e20f3e3 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -25,7 +25,7 @@ roles: - base - - nginx/server + - nginx - role: nginx_site nginx_site_name: oob.foo.sh - sssd diff --git a/playbooks/ns.yml b/playbooks/ns.yml index 43508a3..a7476ca 100644 --- a/playbooks/ns.yml +++ b/playbooks/ns.yml @@ -15,7 +15,7 @@ roles: - base - nsd - - role: nginx/server + - role: nginx - role: nginx_site nginx_site_name: "{{ nsd_server }}" nginx_site_redirect: https://www.foo.sh/ diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index 72096f6..b1c0de0 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -15,7 +15,7 @@ roles: - base - ifstated - - nginx/server + - nginx - role: nginx_site nginx_site_name: ca.foo.sh - role: nginx_site diff --git a/playbooks/relay.yml b/playbooks/relay.yml index a7cd0b4..0d0e8b8 100644 --- a/playbooks/relay.yml +++ b/playbooks/relay.yml @@ -16,7 +16,7 @@ - base - ifstated - relayd - - nginx/server + - nginx - role: nginx_site nginx_site_name: ldap.foo.sh nginx_site_redirect: https://www.foo.sh/ diff --git a/playbooks/shell.yml b/playbooks/shell.yml index 1380081..7eee3e4 100644 --- a/playbooks/shell.yml +++ b/playbooks/shell.yml @@ -25,8 +25,8 @@ - epel_repo - foosh_repo - powertools_repo - - role: nginx/server - plaintext: true + - role: nginx + nginx_plaintext: true tasks: - name: Install extra package groups diff --git a/roles/ansible_host/meta/main.yml b/roles/ansible_host/meta/main.yml index 27b9b1f..516a2dd 100644 
--- a/roles/ansible_host/meta/main.yml +++ b/roles/ansible_host/meta/main.yml @@ -2,4 +2,4 @@ dependencies: - {role: epel_repo} - {role: git} - - {role: nginx/server} + - {role: nginx} diff --git a/roles/certbot/meta/main.yml b/roles/certbot/meta/main.yml index b95ceec..954fabd 100644 --- a/roles/certbot/meta/main.yml +++ b/roles/certbot/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - {role: nginx/server} + - {role: nginx} diff --git a/roles/gitea/meta/main.yml b/roles/gitea/meta/main.yml index f9c5d0d..d5e8ce4 100644 --- a/roles/gitea/meta/main.yml +++ b/roles/gitea/meta/main.yml @@ -1,4 +1,4 @@ --- dependencies: - {role: git} - - {role: nginx/server} + - {role: nginx} diff --git a/roles/influxdb/meta/main.yml b/roles/influxdb/meta/main.yml index b95ceec..954fabd 100644 --- a/roles/influxdb/meta/main.yml +++ b/roles/influxdb/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - {role: nginx/server} + - {role: nginx} diff --git a/roles/nginx/server/files/dependency.conf b/roles/nginx/files/dependency.conf similarity index 100% rename from roles/nginx/server/files/dependency.conf rename to roles/nginx/files/dependency.conf diff --git a/roles/nginx/server/handlers/main.yml b/roles/nginx/handlers/main.yml similarity index 100% rename from roles/nginx/server/handlers/main.yml rename to roles/nginx/handlers/main.yml diff --git a/roles/nginx/server/meta/main.yml b/roles/nginx/meta/main.yml similarity index 100% rename from roles/nginx/server/meta/main.yml rename to roles/nginx/meta/main.yml diff --git a/roles/nginx/server/tasks/main.yml b/roles/nginx/tasks/main.yml similarity index 100% rename from roles/nginx/server/tasks/main.yml rename to roles/nginx/tasks/main.yml diff --git a/roles/nginx/server/templates/nginx-logrotate.sh b/roles/nginx/templates/nginx-logrotate.sh similarity index 100% rename from roles/nginx/server/templates/nginx-logrotate.sh rename to roles/nginx/templates/nginx-logrotate.sh 
diff --git a/roles/nginx/server/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 similarity index 98% rename from roles/nginx/server/templates/nginx.conf.j2 rename to roles/nginx/templates/nginx.conf.j2 index 877fc4e..4a10039 100644 --- a/roles/nginx/server/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -28,7 +28,7 @@ http { proxy_set_header X-Forwarded-Proto $scheme; proxy_http_version 1.1; -{% if plaintext is defined %} +{% if nginx_plaintext is defined %} server { listen 80; listen [::]:80; diff --git a/roles/nginx/server/vars/OpenBSD.yml b/roles/nginx/vars/OpenBSD.yml similarity index 100% rename from roles/nginx/server/vars/OpenBSD.yml rename to roles/nginx/vars/OpenBSD.yml diff --git a/roles/nginx/server/vars/RedHat.yml b/roles/nginx/vars/RedHat.yml similarity index 100% rename from roles/nginx/server/vars/RedHat.yml rename to roles/nginx/vars/RedHat.yml diff --git a/roles/podman/meta/main.yml b/roles/podman/meta/main.yml index b95ceec..954fabd 100644 --- a/roles/podman/meta/main.yml +++ b/roles/podman/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - {role: nginx/server} + - {role: nginx} diff --git a/roles/prometheus/meta/main.yml b/roles/prometheus/meta/main.yml index b95ceec..954fabd 100644 --- a/roles/prometheus/meta/main.yml +++ b/roles/prometheus/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - {role: nginx/server} + - {role: nginx} From e2c59bc2207649cdcb940fcb0782dd605fb609b9 Mon Sep 17 00:00:00 2001 
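Review bot: `{% if nginx_plaintext is defined %}` keys the plain-HTTP listener on the variable merely existing, so a playbook or host_vars entry that sets `nginx_plaintext: false` to opt out still gets the `listen 80` server; the rename was the moment to make it a real boolean, `{% if nginx_plaintext | default(false) %}`. shell.yml in this commit passes `nginx_plaintext: true`, which behaves the same under either test, so nothing breaks by tightening it. The `server {` block this opens continues past the hunk.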
From: Timo Makinen Date: Sat, 14 Oct 2023 16:01:08 +0000 Subject: [PATCH 070/596] keytab: Prefix variable names with keytab_ --- playbooks/adm.yml | 2 +- playbooks/collab.yml | 6 +++--- playbooks/mail.yml | 2 +- playbooks/nas.yml | 2 +- playbooks/print.yml | 4 ++-- playbooks/shell.yml | 2 +- playbooks/static.yml | 2 +- playbooks/zm.yml | 6 +++--- roles/dovecot/tasks/main.yml | 6 +++--- roles/keytab/defaults/main.yml | 4 ++-- roles/keytab/tasks/main.yml | 12 ++++++------ 11 files changed, 24 insertions(+), 24 deletions(-) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 3daeffe..f4db906 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml @@ -28,7 +28,7 @@ - ansible_host - certbot - role: keytab - principals: + keytab_principals: - "host/{{ inventory_hostname }}@{{ kerberos_realm }}" - nfs_client - sssd diff --git a/playbooks/collab.yml b/playbooks/collab.yml index 38f5b8d..89edf92 100644 --- a/playbooks/collab.yml +++ b/playbooks/collab.yml @@ -28,9 +28,9 @@ - collab - mod_auth_gssapi - role: keytab - keytab: /etc/httpd/httpd.keytab - principals: HTTP/collab.foo.sh@FOO.SH - group: apache + keytab_path: /etc/httpd/httpd.keytab + keytab_principals: HTTP/collab.foo.sh@FOO.SH + keytab_group: apache - ldap tasks: diff --git a/playbooks/mail.yml b/playbooks/mail.yml index cb72de2..4019251 100644 --- a/playbooks/mail.yml +++ b/playbooks/mail.yml @@ -26,7 +26,7 @@ roles: - base - role: keytab - principals: + keytab_principals: - "host/{{ inventory_hostname }}@{{ kerberos_realm }}" - "smtp/{{ mail_server }}@{{ kerberos_realm }}" - nfs_client diff --git a/playbooks/nas.yml b/playbooks/nas.yml index 58db737..ceffe23 100644 --- a/playbooks/nas.yml +++ b/playbooks/nas.yml @@ -38,7 +38,7 @@ - sssd - nfs_server - role: keytab - principals: "nfs/{{ inventory_hostname }}@FOO.SH" + keytab_principals: "nfs/{{ inventory_hostname }}@FOO.SH" tasks: - name: Copy exports file diff --git a/playbooks/print.yml b/playbooks/print.yml index 1f90c63..8bfea58 100644 
--- a/playbooks/print.yml +++ b/playbooks/print.yml @@ -50,5 +50,5 @@ ansible.builtin.import_role: name: keytab vars: - keytab: /etc/cups/cups.keytab - principals: "HTTP/print.foo.sh@{{ kerberos_realm }}" + keytab_path: /etc/cups/cups.keytab + keytab_principals: "HTTP/print.foo.sh@{{ kerberos_realm }}" diff --git a/playbooks/shell.yml b/playbooks/shell.yml index 7eee3e4..2f031da 100644 --- a/playbooks/shell.yml +++ b/playbooks/shell.yml @@ -15,7 +15,7 @@ roles: - base - role: keytab - principals: + keytab_principals: - "host/{{ inventory_hostname }}@{{ kerberos_realm }}" - "nfs/{{ inventory_hostname }}@{{ kerberos_realm }}" - nfs_client diff --git a/playbooks/static.yml b/playbooks/static.yml index b912fbe..8471c0a 100644 --- a/playbooks/static.yml +++ b/playbooks/static.yml @@ -15,7 +15,7 @@ roles: - base - role: keytab - principals: + keytab_principals: - "host/{{ inventory_hostname }}@FOO.SH" - "nfs/{{ inventory_hostname }}@FOO.SH" - nfs_client diff --git a/playbooks/zm.yml b/playbooks/zm.yml index f4b39e8..8dd9964 100644 --- a/playbooks/zm.yml +++ b/playbooks/zm.yml @@ -27,9 +27,9 @@ - base - mod_auth_gssapi - role: keytab - keytab: /etc/httpd/httpd.keytab - principals: HTTP/zm.foo.sh@FOO.SH - group: apache + keytab_path: /etc/httpd/httpd.keytab + keytab_principals: HTTP/zm.foo.sh@FOO.SH + keytab_group: apache tasks: - name: Run handlers to get interfaces configured diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml index 3e8b002..06932b1 100644 --- a/roles/dovecot/tasks/main.yml +++ b/roles/dovecot/tasks/main.yml @@ -8,10 +8,10 @@ ansible.builtin.include_role: name: keytab vars: - keytab: /etc/dovecot/dovecot.keytab - principals: + keytab_path: /etc/dovecot/dovecot.keytab + keytab_principals: - "imap/{{ mail_server }}@{{ kerberos_realm }}" - group: dovecot + keytab_group: dovecot - name: Install privatekey ansible.builtin.copy: diff --git a/roles/keytab/defaults/main.yml b/roles/keytab/defaults/main.yml index 8b08f0a..e4c4ebf 100644 
--- a/roles/keytab/defaults/main.yml +++ b/roles/keytab/defaults/main.yml @@ -1,3 +1,3 @@ --- -keytab: /etc/krb5.keytab -group: "{{ ansible_wheel }}" +keytab_path: /etc/krb5.keytab +keytab_group: "{{ ansible_wheel }}" diff --git a/roles/keytab/tasks/main.yml b/roles/keytab/tasks/main.yml index c4e5496..828e4fd 100644 --- a/roles/keytab/tasks/main.yml +++ b/roles/keytab/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Check if keytab exists ansible.builtin.stat: - path: "{{ keytab }}" + path: "{{ keytab_path }}" register: keytab_status check_mode: false @@ -15,7 +15,7 @@ - -k - "/tmp/{{ inventory_hostname }}.kt" - "{{ item }}" - with_items: "{{ principals }}" + with_items: "{{ keytab_principals }}" delegate_to: ldap01.home.foo.sh when: not keytab_status.stat.exists @@ -39,12 +39,12 @@ ansible.builtin.shell: >- set -o pipefail && umask 077 && - echo '{{ keytab_data.stdout }}' | base64 -d > "{{ keytab }}" + echo '{{ keytab_data.stdout }}' | base64 -d > "{{ keytab_path }}" when: not keytab_status.stat.exists - name: Check keytab permissions ansible.builtin.file: - path: "{{ keytab }}" - mode: "{% if group == ansible_wheel %}0600{% else %}0640{% endif %}" + path: "{{ keytab_path }}" + mode: "{% if keytab_group == ansible_wheel %}0600{% else %}0640{% endif %}" owner: root - group: "{{ group }}" + group: "{{ keytab_group }}" From b7a341535215c00f9b7403faf073c44d0669f9c2 Mon Sep 17 00:00:00 2001 
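Review bot: The keytab is extracted to the fixed, predictable path `/tmp/{{ inventory_hostname }}.kt` on `ldap01.home.foo.sh` (this looks like a kadmin `ktadd -k` invocation, but the command's start is outside the hunk), so the file's exposure depends on the umask of whatever runs that command there and on a cleanup step this hunk does not show. A per-run directory from `ansible.builtin.tempfile` with `state: directory` on the delegated host, or an explicit `umask 077` around the extraction, keeps the material from being world-readable if that umask is loose; worth confirming the later tasks remove the file.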
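Review bot: `echo '{{ keytab_data.stdout }}' | base64 -d > "{{ keytab_path }}"` places the base64 keytab in the shell command line, so it shows up in `-v` output and in any callback or log plugin for the run, and on the target in the process argument list for the life of the shell; this task, and wherever `keytab_data` is registered (outside this hunk), should carry `no_log: true`. Writing it with `ansible.builtin.copy` and `content:` would avoid the shell entirely, but as far as I know the `b64decode` filter returns text, so a binary keytab is safer left to `base64 -d` with `no_log` added. The task's `- name:` line precedes the hunk.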
From: Timo Makinen Date: Sat, 14 Oct 2023 16:06:27 +0000 Subject: [PATCH 071/596] Rename mirror/reportmirror to reportmirror --- playbooks/mirror.yml | 10 +++++----- roles/{mirror => }/reportmirror/defaults/main.yml | 0 roles/{mirror => }/reportmirror/meta/main.yml | 0 roles/{mirror => }/reportmirror/tasks/main.yml | 0 .../reportmirror/templates/report_mirror.conf.j2 | 12 ++++++------ 5 files changed, 11 insertions(+), 11 deletions(-) rename roles/{mirror => }/reportmirror/defaults/main.yml (100%) rename roles/{mirror => }/reportmirror/meta/main.yml (100%) rename roles/{mirror => }/reportmirror/tasks/main.yml (100%) rename roles/{mirror => }/reportmirror/templates/report_mirror.conf.j2 (91%) diff --git a/playbooks/mirror.yml b/playbooks/mirror.yml index 4ae2bab..6ff74cf 100644 --- a/playbooks/mirror.yml +++ b/playbooks/mirror.yml @@ -27,11 +27,11 @@ - base - mirror/base - mirror/thinlinc - - role: mirror/reportmirror - mirror_hostname: mirrors.foo.sh - mirror_mirrors: [epel, fedora] - mirror_sitename: foo.sh - mirror_password: "{{ report_mirror_pass }}" + - role: reportmirror + reportmirror_hostname: mirrors.foo.sh + reportmirror_mirrors: [epel, fedora] + reportmirror_sitename: foo.sh + reportmirror_password: "{{ report_mirror_pass }}" - role: mirror/sync mirror_label: fedora-epel mirror_source: diff --git a/roles/mirror/reportmirror/defaults/main.yml b/roles/reportmirror/defaults/main.yml similarity index 100% rename from roles/mirror/reportmirror/defaults/main.yml rename to roles/reportmirror/defaults/main.yml diff --git a/roles/mirror/reportmirror/meta/main.yml b/roles/reportmirror/meta/main.yml similarity index 100% rename from roles/mirror/reportmirror/meta/main.yml rename to roles/reportmirror/meta/main.yml diff --git a/roles/mirror/reportmirror/tasks/main.yml b/roles/reportmirror/tasks/main.yml similarity index 100% rename from roles/mirror/reportmirror/tasks/main.yml rename to roles/reportmirror/tasks/main.yml 
diff --git a/roles/mirror/reportmirror/templates/report_mirror.conf.j2 b/roles/reportmirror/templates/report_mirror.conf.j2 similarity index 91% rename from roles/mirror/reportmirror/templates/report_mirror.conf.j2 rename to roles/reportmirror/templates/report_mirror.conf.j2 index 59d4dbb..7181a22 100644 --- a/roles/mirror/reportmirror/templates/report_mirror.conf.j2 +++ b/roles/reportmirror/templates/report_mirror.conf.j2 @@ -11,8 +11,8 @@ enabled=1 # Name and Password fields need to match the Site name and password # fields you entered for your Site in the MirrorManager database at # https://admin.fedoraproject.org/mirrormanager -name={{ mirror_sitename }} -password={{ mirror_password }} +name={{ reportmirror_sitename }} +password={{ reportmirror_password }} [host] # if enabled=0, no data about this host is sent to the database @@ -20,7 +20,7 @@ enabled=1 # Name field need to match the Host name field you entered for your # Host in the MirrorManager database at # https://admin.fedoraproject.org/mirrormanager -name={{ mirror_hostname }} +name={{ reportmirror_hostname }} # if user_active=0, no data about this category is given to the public # This can be used to toggle between serving and not serving data, # such enabled during the nighttime (when you have more idle bandwidth @@ -52,15 +52,15 @@ rsyncd=/var/log/rsyncd.log # path= is the path on your local disk to the top-level directory for this Category [Fedora Linux] -{% if "fedora" in mirror_mirrors %} +{% if "fedora" in reportmirror_mirrors %} enabled=1 {% else %} enabled=0 {% endif %} path=/srv/mrirors/fedora -[Fedora EPEL] -{% if "epel" in mirror_mirrors %} +[Fedora EPELreport] +{% if "epel" in reportmirror_mirrors %} enabled=1 {% else %} enabled=0 From affcf7f572297e5b7875053f557c538fe0cb843d Mon Sep 17 00:00:00 2001 
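Review bot: The section header in the last hunk changed from `[Fedora EPEL]` to `[Fedora EPELreport]`, which looks like a search-and-replace artefact of the rename rather than an intended change; the file's own comments describe these sections as MirrorManager Categories, so an altered name would stop the EPEL category from being reported. The line should stay `[Fedora EPEL]`. The context line `path=/srv/mrirors/fedora` in the same hunk also looks misspelled, though that predates this commit.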
From: Timo Makinen Date: Sat, 14 Oct 2023 16:09:11 +0000 Subject: [PATCH 072/596] Rename mirror/thinlinc to thinlinc_mirror --- playbooks/mirror.yml | 2 +- .../thinlinc => thinlinc_mirror}/files/sync-thinlinc-repo.sh | 0 roles/{mirror/thinlinc => thinlinc_mirror}/tasks/main.yml | 0 3 files changed, 1 insertion(+), 1 deletion(-) rename roles/{mirror/thinlinc => thinlinc_mirror}/files/sync-thinlinc-repo.sh (100%) rename roles/{mirror/thinlinc => thinlinc_mirror}/tasks/main.yml (100%) diff --git a/playbooks/mirror.yml b/playbooks/mirror.yml index 6ff74cf..198abb7 100644 --- a/playbooks/mirror.yml +++ b/playbooks/mirror.yml @@ -26,7 +26,7 @@ roles: - base - mirror/base - - mirror/thinlinc + - thinlinc_mirror - role: reportmirror reportmirror_hostname: mirrors.foo.sh reportmirror_mirrors: [epel, fedora] diff --git a/roles/mirror/thinlinc/files/sync-thinlinc-repo.sh b/roles/thinlinc_mirror/files/sync-thinlinc-repo.sh similarity index 100% rename from roles/mirror/thinlinc/files/sync-thinlinc-repo.sh rename to roles/thinlinc_mirror/files/sync-thinlinc-repo.sh diff --git a/roles/mirror/thinlinc/tasks/main.yml b/roles/thinlinc_mirror/tasks/main.yml similarity index 100% rename from roles/mirror/thinlinc/tasks/main.yml rename to roles/thinlinc_mirror/tasks/main.yml From 8b2696de1a7557e3f56f4b6152948b2bf1d00c11 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 14 Oct 2023 16:11:59 +0000 Subject: [PATCH 073/596] reportmirror: Fix variable names from defaults --- roles/reportmirror/defaults/main.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/reportmirror/defaults/main.yml b/roles/reportmirror/defaults/main.yml index 79a2016..934a0e9 100644 --- a/roles/reportmirror/defaults/main.yml +++ b/roles/reportmirror/defaults/main.yml @@ -1,4 +1,3 @@ --- - -mirror_hostname: "{{ inventory_hostname }}" -mirror_mirrors: [] +reportmirror_hostname: "{{ inventory_hostname }}" +reportmirror_mirrors: [] 
From fa469574b7a0391338a0804f86662f38889c140b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Oct 2023 15:27:28 +0000 Subject: [PATCH 074/596] certbot: Fix variable name --- roles/certbot/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index 1a4cbb7..2680da5 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -23,7 +23,7 @@ ansible.builtin.include_role: name: nginx_site vars: - site: certbot.home.foo.sh + nginx_site_name: certbot.home.foo.sh - name: Create certbot .well-known directory ansible.builtin.file: From c8afd02fb29f134daee1e1e8cad169c36b4d0a5c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Oct 2023 16:27:12 +0000 Subject: [PATCH 075/596] sssd: Use command instead of shell --- roles/sssd/tasks/main.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/roles/sssd/tasks/main.yml b/roles/sssd/tasks/main.yml index 4f60e91..e0410dc 100644 --- a/roles/sssd/tasks/main.yml +++ b/roles/sssd/tasks/main.yml @@ -20,9 +20,13 @@ enabled: true - name: Get current state of authselect - ansible.builtin.shell: - cmd: /usr/bin/authselect current --raw ; /bin/true + ansible.builtin.command: + argv: + - /usr/bin/authselect + - current + - --raw register: result + failed_when: false check_mode: false changed_when: false @@ -33,4 +37,6 @@ - select - sssd - --force + register: result + changed_when: result.rc == 0 when: result.stdout.split()[0] != "sssd" From 03def639d530cc042c1b970244f741c6bedb3349 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Oct 2023 16:31:15 +0000 Subject: [PATCH 076/596] sendmail: Lint fixes for command execution --- roles/sendmail/handlers/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/sendmail/handlers/main.yml b/roles/sendmail/handlers/main.yml index fb8e4f1..811e9ee 100644 --- a/roles/sendmail/handlers/main.yml +++ b/roles/sendmail/handlers/main.yml 
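Review bot: In the `@@ -33,4 +37,6 @@` hunk, `when: result.stdout.split()[0] != "sssd"` still indexes the output unconditionally, and the new `failed_when: false` on the query task in the previous hunk makes an empty `stdout` more likely (authselect missing or no profile selected), where `[0]` raises a templating error instead of selecting the profile. `when: (result.stdout.split() | first | default("")) != "sssd"` keeps the intended behaviour and treats an empty result as "not sssd". Both tasks also register into the same `result` name; that is harmless because `when` is evaluated before the second task runs, but a distinct name such as `authselect_current` would read better. The select task's `argv` list starts outside the hunk.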
@@ -11,9 +11,13 @@ - -C - /etc/mail - all + register: result + changed_when: result.rc == 0 notify: Restart sendmail - name: Update aliases ansible.builtin.command: argv: - newaliases + register: result + changed_when: result.rc == 0 From 6e2fd356220ded129f0c1c558877df2b68525052 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 25 Oct 2023 16:22:17 +0000 Subject: [PATCH 077/596] Fix adding tape drive to backup02.home.foo.sh --- host_vars/backup02.home.foo.sh.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/host_vars/backup02.home.foo.sh.yml b/host_vars/backup02.home.foo.sh.yml index 651b34f..44d02d4 100644 --- a/host_vars/backup02.home.foo.sh.yml +++ b/host_vars/backup02.home.foo.sh.yml @@ -6,5 +6,5 @@ network_interfaces: mac: 52:54:00:ac:dc:50 datadisks: - {size: 1000} -passthrough_devices: - - "07:04.0" +virt_install_devices: + - "02:04.0" From c2603ef8d847d9801d109f724e09973824c2c33d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 28 Oct 2023 15:46:02 +0000 Subject: [PATCH 078/596] nginx_site: Allow uploading larger files to collab --- roles/nginx_site/templates/collab.foo.sh.conf.j2 | 1 + 1 file changed, 1 insertion(+) create mode 100644 roles/nginx_site/templates/collab.foo.sh.conf.j2 diff --git a/roles/nginx_site/templates/collab.foo.sh.conf.j2 b/roles/nginx_site/templates/collab.foo.sh.conf.j2 new file mode 100644 index 0000000..d338ce4 --- /dev/null +++ b/roles/nginx_site/templates/collab.foo.sh.conf.j2 @@ -0,0 +1 @@ + client_max_body_size 50m; From 8e9a7fd4fc70f0ff4741054698ed47f48d5ccc00 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 1 Nov 2023 17:22:26 +0000 Subject: [PATCH 079/596] podman: Don't force use nginx as frontend --- roles/podman/meta/main.yml | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 roles/podman/meta/main.yml diff --git a/roles/podman/meta/main.yml b/roles/podman/meta/main.yml deleted file mode 100644 index 954fabd..0000000 --- a/roles/podman/meta/main.yml +++ /dev/null 
@@ -1,3 +0,0 @@ ---- -dependencies: - - {role: nginx} From f0656502af7c38156c177cd4baad8b3e92252f40 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 4 Nov 2023 19:39:30 +0000 Subject: [PATCH 080/596] sane: Intial version of role --- roles/sane/tasks/main.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 roles/sane/tasks/main.yml diff --git a/roles/sane/tasks/main.yml b/roles/sane/tasks/main.yml new file mode 100644 index 0000000..2d707b5 --- /dev/null +++ b/roles/sane/tasks/main.yml @@ -0,0 +1,14 @@ +--- +- name: Install packagers + ansible.builtin.package: + name: "{{ item }}" + state: installed + with_items: + - sane-backends + - sane-backends-daemon + +- name: Enable service + ansible.builtin.systemd: + name: saned.socket + state: started + enabled: true From 94dc909bd97da5af38a7601bfc8d1db6a405c49d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 4 Nov 2023 19:39:42 +0000 Subject: [PATCH 081/596] scanservjs: Initial version of role --- roles/scanservjs/defaults/main.yml | 2 + roles/scanservjs/handlers/main.yml | 6 +++ roles/scanservjs/meta/main.yml | 4 ++ roles/scanservjs/tasks/main.yml | 38 +++++++++++++++++++ .../templates/scanservjs-container.service.j2 | 17 +++++++++ 5 files changed, 67 insertions(+) create mode 100644 roles/scanservjs/defaults/main.yml create mode 100644 roles/scanservjs/handlers/main.yml create mode 100644 roles/scanservjs/meta/main.yml create mode 100644 roles/scanservjs/tasks/main.yml create mode 100644 roles/scanservjs/templates/scanservjs-container.service.j2 diff --git a/roles/scanservjs/defaults/main.yml b/roles/scanservjs/defaults/main.yml new file mode 100644 index 0000000..efff6f8 --- /dev/null +++ b/roles/scanservjs/defaults/main.yml @@ -0,0 +1,2 @@ +--- +scanservjs_version: latest diff --git a/roles/scanservjs/handlers/main.yml b/roles/scanservjs/handlers/main.yml new file mode 100644 index 0000000..5cffd92 --- /dev/null +++ b/roles/scanservjs/handlers/main.yml 
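Review bot: `ansible.builtin.package` accepts a list, so the `with_items` loop in the `Install packagers` task can become `name: [sane-backends, sane-backends-daemon]` (the task name also wants "packages"). The role starts and enables `saned.socket` but does not manage `/etc/sane.d/saned.conf`, so which clients saned admits is whatever the package ships; if only local access from a container on the same host is intended, a comment above the service task saying so, and that the access list is deliberately left at the package default, would help the next reader. `state: installed` is an alias of `present`, which ansible-lint prefers.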
@@ -0,0 +1,6 @@ +--- +- name: Restart scanservjs + ansible.builtin.systemd: + name: scanservjs-container + daemon-reload: true + state: restarted diff --git a/roles/scanservjs/meta/main.yml b/roles/scanservjs/meta/main.yml new file mode 100644 index 0000000..19b52d0 --- /dev/null +++ b/roles/scanservjs/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - {role: apache} + - {role: podman} diff --git a/roles/scanservjs/tasks/main.yml b/roles/scanservjs/tasks/main.yml new file mode 100644 index 0000000..160cf8d --- /dev/null +++ b/roles/scanservjs/tasks/main.yml @@ -0,0 +1,38 @@ +--- +- name: Create group + ansible.builtin.group: + name: scanserv + +- name: Create user + ansible.builtin.user: + name: scanserv + comment: Podman Scanservjs + group: scanserv + shell: /sbin/nologin + +- name: Create service file + ansible.builtin.template: + dest: /etc/systemd/system/scanservjs-container.service + src: scanservjs-container.service.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart scanservjs + +- name: Enable service + ansible.builtin.service: + name: scanservjs-container + state: started + enabled: true + +- name: Copy apache config + ansible.builtin.copy: + dest: /etc/httpd/conf.local.d/scanservjs-container.conf + content: | + ProxyPass /scanservjs/ http://127.0.0.1:8006/ + ProxyPassReverse /scanservjs/ http://127.0.0.1:8006/ + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart apache + diff --git a/roles/scanservjs/templates/scanservjs-container.service.j2 b/roles/scanservjs/templates/scanservjs-container.service.j2 new file mode 100644 index 0000000..3a21dee --- /dev/null +++ b/roles/scanservjs/templates/scanservjs-container.service.j2 
@@ -0,0 +1,17 @@ +[Unit] +Description=Scanserv Container +Wants=network-online.target +After=network-online.target + +[Service] +User=scanserv +ExecStartPre=/usr/bin/podman pull docker.io/sbs20/scanservjs:{{ scanservjs_version }} +ExecStart=/usr/bin/podman run \ + --rm -p 127.0.0.1:8006:8080 \ + --name scanservjs \ + docker.io/sbs20/scanservjs:{{ scanservjs_version }} +ExecStop=/usr/bin/podman stop --ignore scanservjs +ExecStopPost=/usr/bin/podman rm -f --ignore scanservjs + +[Install] +WantedBy=multi-user.target From ae27f5cc672116b38c51c4f90b0ef6b2e565e3f0 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 4 Nov 2023 19:42:11 +0000 Subject: [PATCH 082/596] Add sane hosts --- group_vars/sane.yml | 5 ++++ host_vars/sane02.home.foo.sh.yml | 8 +++++++ hosts.yml | 4 ++++ playbooks/sane.yml | 40 ++++++++++++++++++++++++++++++++ site.yml | 2 ++ 5 files changed, 59 insertions(+) create mode 100644 group_vars/sane.yml create mode 100644 host_vars/sane02.home.foo.sh.yml create mode 100644 playbooks/sane.yml diff --git a/group_vars/sane.yml b/group_vars/sane.yml new file mode 100644 index 0000000..a6636ac --- /dev/null +++ b/group_vars/sane.yml @@ -0,0 +1,5 @@ +--- +firewall_in: + - {proto: tcp, port: 22, from: [172.20.20.0/22]} + - {proto: tcp, port: 443, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/host_vars/sane02.home.foo.sh.yml b/host_vars/sane02.home.foo.sh.yml new file mode 100644 index 0000000..2c0bdad --- /dev/null +++ b/host_vars/sane02.home.foo.sh.yml @@ -0,0 +1,8 @@ +--- +vmhost: vmhost02.home.foo.sh +network_interfaces: + - device: eth0 + vlan: 20 + mac: "52:54:00:ac:dc:88" +virt_install_devices: + - 001.003 diff --git a/hosts.yml b/hosts.yml index d7faa20..a8c8d80 100644 --- a/hosts.yml +++ b/hosts.yml @@ -98,6 +98,9 @@ relay: hosts: relay01.home.foo.sh: relay02.home.foo.sh: +sane: + hosts: + sane02.home.foo.sh: shell: hosts: shell01.foo.sh: 
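Review bot: `ExecStartPre=/usr/bin/podman pull docker.io/sbs20/scanservjs:{{ scanservjs_version }}` re-pulls the image on every start, and the role default added in the previous file is `scanservjs_version: latest`, so nothing pins which image actually runs on the host. Other components in this series pin versions in `hosts.yml` (`gitea_version`, `homeassistant_version`); `scanservjs_version` should get a fixed tag there, and a digest reference would be stronger still. The unit also has no `Restart=` directive, so a crashed container stays down until the next Ansible run; `Restart=on-failure` in `[Service]` is the usual choice for this pattern.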
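Review bot: `- 001.003` under `virt_install_devices` in `host_vars/sane02.home.foo.sh.yml` is an unquoted scalar that YAML reads as the float 1.003, so the leading zeros are gone before the value reaches virt-install, and a device such as `001.010` would arrive as `1.01`. Quote it, `- "001.003"`, as the MAC address on the same host already is.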
@@ -161,6 +164,7 @@ rocky9: mirror: mongodb: prometheus: + sane: sqldb: static: vmhost: diff --git a/playbooks/sane.yml b/playbooks/sane.yml new file mode 100644 index 0000000..03ef6db --- /dev/null +++ b/playbooks/sane.yml @@ -0,0 +1,40 @@ +--- +- name: Deploy KVM virtual machines + ansible.builtin.import_playbook: include/deploy-kvm-guest.yml + vars: + myhosts: sane + +- name: Configure instance + hosts: sane + user: root + gather_facts: true + + vars_files: + - "{{ ansible_private }}/vars.yml" + + roles: + - base + - sane + - scanservjs + - mod_auth_gssapi + - role: keytab + keytab_path: /etc/httpd/httpd.keytab + keytab_principals: HTTP/scan.foo.sh@FOO.SH + keytab_group: apache + + tasks: + - name: Require authentication for scanservjs + ansible.builtin.copy: + dest: /etc/httpd/conf.local.d/scanservjs-auth.conf + content: | + + AuthType GSSAPI + GssapiBasicAuth On + AuthName "Password Required" + Require valid-user + + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart apache + diff --git a/site.yml b/site.yml index bcceabe..a942f1d 100644 --- a/site.yml +++ b/site.yml @@ -47,6 +47,8 @@ ansible.builtin.import_playbook: playbooks/proxy.yml - name: Configure relay hosts ansible.builtin.import_playbook: playbooks/relay.yml +- name: Configure sane hosts + ansible.builtin.import.playbook: playbooks/sane.yml - name: Configure shell hosts ansible.builtin.import_playbook: playbooks/shell.yml - name: Configure sqldb hosts From 7ee84bffd99bcb54c0e0c40dc3415a120df75d5a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 4 Nov 2023 19:42:39 +0000 Subject: [PATCH 083/596] Add scan.foo.sh endpoint to proxies --- playbooks/proxy.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index b1c0de0..a0653cb 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml 
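Review bot: `keytab_principals: HTTP/scan.foo.sh@FOO.SH` in `playbooks/sane.yml` passes a single string where the keytab role iterates the variable with `with_items`; Ansible wraps a lone string so it works today, but `keytab_principals: [HTTP/scan.foo.sh@FOO.SH]` matches the role's interface. The `content:` block of the auth task shows two empty lines around the directives where a `<Location /scanservjs/>` container would normally sit; if those are extraction artefacts this is fine, but if the file really is as shown, `AuthType` is not permitted in server context and httpd will refuse to start.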
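Review bot: `ansible.builtin.import.playbook: playbooks/sane.yml` in the `site.yml` hunk uses a dot where the neighbouring entries use `ansible.builtin.import_playbook`; no such module exists, so `site.yml` fails to load with this commit applied. Change the line to `ansible.builtin.import_playbook: playbooks/sane.yml`.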
@@ -97,6 +97,10 @@
 nginx_site_proxy:
 - "registry01.home.foo.sh:5000"
 - "registry02.home.foo.sh:5000"
+ - role: nginx_site
+ nginx_site_name: scan.foo.sh
+ nginx_site_proxy:
+ - https://sane02.home.foo.sh/scanservjs/
 - role: nginx_site
 nginx_site_name: webmail.foo.sh
 nginx_site_proxy:
From 929738af882d9af07a16506ccbfbaa4bb63a2158 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 4 Nov 2023 20:36:10 +0000
Subject: [PATCH 084/596] prometheus: Use os packaged prometheus
---
 roles/prometheus/files/prometheus.service | 23 ------
 roles/prometheus/meta/main.yml | 1 +
 roles/prometheus/tasks/main.yml | 78 +++++++-------------
 roles/prometheus/templates/prometheus.yml.j2 | 2 +-
 4 files changed, 30 insertions(+), 74 deletions(-)
 delete mode 100644 roles/prometheus/files/prometheus.service
diff --git a/roles/prometheus/files/prometheus.service b/roles/prometheus/files/prometheus.service
deleted file mode 100644
index 28f8d3a..0000000
--- a/roles/prometheus/files/prometheus.service
+++ /dev/null
@@ -1,23 +0,0 @@
-[Unit]
-Description=Prometheus
-After=network-online.target
-Requires=local-fs.target
-After=local-fs.target
-
-[Service]
-Type=simple
-Environment="GOMAXPROCS={{ ansible_processor_vcpus|default(ansible_processor_count) }}"
-User=prometheus
-Group=prometheus
-UMask=007
-ExecReload=/bin/kill -HUP $MAINPID
-ExecStart=/usr/local/sbin/prometheus \
- --config.file=/srv/prometheus/prometheus.yml \
- --log.level=info \
- --storage.tsdb.path=/srv/prometheus/data \
- --storage.tsdb.retention.time=365d \
- --web.console.libraries=/usr/local/share/prometheus/console_libraries
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/prometheus/meta/main.yml b/roles/prometheus/meta/main.yml
index 954fabd..1e5084e 100644
--- a/roles/prometheus/meta/main.yml
+++ b/roles/prometheus/meta/main.yml
@@ -1,3 +1,4 @@
 ---
 dependencies:
+ - {role: epel_repo}
 - {role: nginx}
diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index 8f9face..eb47818 100644 --- a/roles/prometheus/tasks/main.yml +++ b/roles/prometheus/tasks/main.yml @@ -14,43 +14,18 @@ shell: /sbin/nologin uid: 305 -- name: Extract package - ansible.builtin.unarchive: - src: >- - {{ - "https://github.com/prometheus/prometheus/releases/download/v" + - prometheus_version + "/prometheus-" + prometheus_version + - ".linux-amd64.tar.gz" - }} - dest: /usr/local/src - owner: root - group: "{{ ansible_wheel }}" - remote_src: true +- name: Install packages + ansible.builtin.package: + name: golang-github-prometheus + state: installed -- name: Copy binaries - ansible.builtin.copy: - dest: "/usr/local/sbin/{{ item }}" - src: >- - /usr/local/src/prometheus-{{ prometheus_version }}.linux-amd64/{{ item }} - mode: "0755" - owner: root - group: "{{ ansible_wheel }}" - remote_src: true - notify: Restart prometheus - with_items: - - promtool - - prometheus - -- name: Create data directories +- name: Create data directory ansible.builtin.file: - path: "{{ item }}" + path: /export/prometheus state: directory - mode: "0750" + mode: "0770" owner: root group: prometheus - with_items: - - /export/prometheus - - /export/prometheus/node.d - name: Link data directory ansible.builtin.file: 
@@ -61,26 +36,38 @@ group: "{{ ansible_wheel }}" follow: false -- name: Create database directory - ansible.builtin.file: - path: /srv/prometheus/data - state: directory - mode: "0770" - owner: root - group: prometheus +- name: Configure startup options + ansible.builtin.lineinfile: + path: /etc/default/prometheus + regexp: "^ARGS=" + line: >- + ARGS="--config.file=/etc/prometheus/prometheus.yml + --log.level=info + --storage.tsdb.path=/srv/prometheus + --storage.tsdb.retention.time=365d + --web.console.libraries=/usr/local/share/prometheus/console_libraries" + notify: Restart prometheus - name: Create configuration ansible.builtin.template: - dest: /srv/prometheus/prometheus.yml + dest: /etc/prometheus/prometheus.yml src: prometheus.yml.j2 mode: "0640" owner: root group: prometheus notify: Restart prometheus +- name: Create host config directory + ansible.builtin.file: + path: /etc/prometheus/node.d + state: directory + mode: "0750" + owner: root + group: prometheus + - name: Create host configs ansible.builtin.template: - dest: "/srv/prometheus/node.d/{{ item }}.json" + dest: "/etc/prometheus/node.d/{{ item }}.json" src: node.json.j2 mode: "0640" owner: root @@ -88,15 +75,6 @@ notify: Restart prometheus with_items: "{{ groups['all'] }}" -- name: Create service file - ansible.builtin.copy: - dest: /etc/systemd/system/prometheus.service - src: prometheus.service - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - notify: Restart prometheus - - name: Enable service ansible.builtin.service: name: prometheus diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2 index 81703ee..b37ae83 100644 --- a/roles/prometheus/templates/prometheus.yml.j2 +++ b/roles/prometheus/templates/prometheus.yml.j2 @@ -13,4 +13,4 @@ scrape_configs: cert_file: "{{ tls_certs }}/{{ inventory_hostname }}.crt" file_sd_configs: - files: - - /srv/prometheus/node.d/*.json + - /etc/prometheus/node.d/*.json 
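Review bot: The new `ARGS=` line still passes `--web.console.libraries=/usr/local/share/prometheus/console_libraries`, a path that belonged to the removed tarball install; a distribution package is unlikely to ship anything under `/usr/local`, so either confirm the path or drop the flag. Nothing sets `--web.listen-address`, so prometheus keeps its default of listening on all interfaces; with nginx declared as a role dependency to front it, `--web.listen-address=127.0.0.1:9090` would keep the raw API off the network, assuming nothing scrapes it directly. `lineinfile` with `regexp: "^ARGS="` appends when the line is absent but fails when `/etc/default/prometheus` does not exist; `create: true` covers a package that ships without that file.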
From f6e2e4fe240fdb746ff0bacc6670b2afd071be3d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 4 Nov 2023 20:36:46 +0000 Subject: [PATCH 085/596] No need to set prometheus version --- hosts.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hosts.yml b/hosts.yml index a8c8d80..4c66d4b 100644 --- a/hosts.yml +++ b/hosts.yml @@ -62,6 +62,9 @@ mongodb: mqtt: hosts: mqtt02.home.foo.sh: +mythtv: + hosts: + mythtv01.home.foo.sh: nas: hosts: nas02.home.foo.sh: @@ -88,8 +91,6 @@ print: prometheus: hosts: prometheus02.home.foo.sh: - vars: - prometheus_version: "2.45.1" proxy: hosts: proxy01.home.foo.sh: @@ -133,6 +134,7 @@ vultr: fedora: children: gitearunner: + mythtv: openbsd: children: backup: From 624ad96c8a198dc98624ce6ca8f7c45ee7e1a60c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 5 Nov 2023 18:10:21 +0000 Subject: [PATCH 086/596] Use different mirror for OpenBSD --- playbooks/mirror.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/playbooks/mirror.yml b/playbooks/mirror.yml index 198abb7..7559dd7 100644 --- a/playbooks/mirror.yml +++ b/playbooks/mirror.yml @@ -61,8 +61,7 @@ mirror_postcmd: python3 /usr/local/bin/report_mirror - role: mirror/sync mirror_label: openbsd - mirror_source: - "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/ftp.openbsd.org/pub/OpenBSD/" + mirror_source: "rsync://mirror.planetunix.net/OpenBSD/" mirror_rsyncoptions: - "--include=/?.?/" - "--include=/?.?/amd64/" From 42d604a9215df753abf851e455e147643b955e3b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 12 Nov 2023 15:53:15 +0000 Subject: [PATCH 087/596] nginx: Expose status page --- roles/nginx/templates/nginx.conf.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index 4a10039..85c6ecc 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 
@@ -63,6 +63,10 @@ http { root /srv/web/{{ inventory_hostname }}; + location = /stub_status { + stub_status; + } + include /etc/nginx/conf.d/{{ inventory_hostname }}/*.conf; } From 5244f36adbb405bac19cfbbe480850493390b9cf Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 12 Nov 2023 20:44:50 +0000 Subject: [PATCH 088/596] prometheus: Add prometheus itself to monitoring --- roles/prometheus/templates/prometheus.yml.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2 index b37ae83..546d999 100644 --- a/roles/prometheus/templates/prometheus.yml.j2 +++ b/roles/prometheus/templates/prometheus.yml.j2 @@ -5,6 +5,11 @@ global: evaluation_interval: 1m scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - "127.0.0.1:9090" + - job_name: node scheme: https tls_config: From 7928d5fdb37a1b79204099d1d51ed0f779bcd483 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 15 Nov 2023 16:52:15 +0000 Subject: [PATCH 089/596] Update software components --- hosts.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/hosts.yml b/hosts.yml index 4c66d4b..acf9c38 100644 --- a/hosts.yml +++ b/hosts.yml @@ -21,7 +21,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.20.5" + gitea_version: "1.21.0" gitearunner: hosts: gitea-runner02.home.foo.sh: @@ -31,12 +31,12 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2023.10.1" + homeassistant_version: "2023.11.2" homeassistant_integrations: - name: electrolux_status repo: >- https://github.com/mauro-midolo/homeassistant_electrolux_status.git - version: v3.2.1 + version: v4.1.0 influxdb: hosts: influxdb01.home.foo.sh: 
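Review bot: `location = /stub_status` is added with no access control, so the connection counters are readable by anyone who can reach this vhost. Restrict it to the scraper with `allow 127.0.0.1; allow ::1; deny all;` inside the location, adding the Prometheus host's address if it is scraped remotely. The enclosing `server` block starts and ends outside the hunk.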
@@ -82,9 +82,9 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "10.1.4" - rocketchat_version: "6.4.1" - roundcube_version: "1.6.3" + grafana_version: "10.2.1" + rocketchat_version: "6.4.6" + roundcube_version: "1.6.5" print: hosts: print01.home.foo.sh: From 84e42378b54baa7e0e50cc646e4804716b2ba79b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 19 Nov 2023 15:17:09 +0000 Subject: [PATCH 090/596] mongodb: Update to version 6.0 --- roles/mongodb/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index 73e2808..de1390e 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml @@ -17,10 +17,10 @@ - name: Enable repository ansible.builtin.yum_repository: name: mongodb - baseurl: https://repo.mongodb.org/yum/redhat/8/mongodb-org/5.0/x86_64 + baseurl: https://repo.mongodb.org/yum/redhat/8/mongodb-org/6.0/x86_64 description: MongoDB gpgcheck: true - gpgkey: https://www.mongodb.org/static/pgp/server-5.0.asc + gpgkey: https://www.mongodb.org/static/pgp/server-6.0.asc enabled: true - name: Install packages @@ -28,8 +28,8 @@ name: "{{ item }}" state: installed with_items: + - mongodb-mongosh - mongodb-org-server - - mongodb-org-shell - name: Set SELinux file contexts on data directory community.general.sefcontext: From 5026dddb1ea1d9d627d5d4a4e5db6f2def870656 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 21 Nov 2023 09:26:06 +0000 Subject: [PATCH 091/596] Add norpool plugin to homeassistant --- hosts.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts.yml b/hosts.yml index acf9c38..4e89d6d 100644 --- a/hosts.yml +++ b/hosts.yml @@ -37,6 +37,9 @@ homeassistant: repo: >- https://github.com/mauro-midolo/homeassistant_electrolux_status.git version: v4.1.0 + - name: nordpool + repo: https://github.com/custom-components/nordpool.git + version: 0.0.14 influxdb: hosts: influxdb01.home.foo.sh: 
From 0eff4dd8041bc09119b61b346303e78195285cf6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Nov 2023 17:11:25 +0000 Subject: [PATCH 092/596] Update OpenBSD to 7.4 --- playbooks/dna-gw.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index fe74b0c..1714494 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -70,8 +70,8 @@ - name: Create tftp pxeboot loader for OpenBSD installs ansible.builtin.get_url: - url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.3/amd64/pxeboot" - checksum: sha1:161b36d4ae3d786aa98c4836abba25f2bca8979d + url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.4/amd64/pxeboot" + checksum: sha1:677293059655da474ec81c45ed235b8497017e56 dest: /srv/tftpboot/pxeboot mode: "0644" owner: root @@ -79,8 +79,8 @@ - name: Create tftp ramdisk for OpenBSD installs ansible.builtin.get_url: - url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.3/amd64/bsd.rd" - checksum: sha1:72b46ad8e97b2082d145a739264e818dcd154021 + url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.4/amd64/bsd.rd" + checksum: sha1:c0af0223ab0aa38c27fd55a2b94873345c2d88f7 dest: /srv/tftpboot/bsd.rd mode: "0644" owner: root From 023af1ae9118375bd5e11b4de4bd9480d815b473 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 25 Nov 2023 17:11:19 +0000 Subject: [PATCH 093/596] Update oci-nodes to Rocky 9 --- hosts.yml | 2 +- roles/authcheck/tasks/main.yml | 8 ++++++++ roles/grafana/tasks/main.yml | 8 ++++++++ roles/kdc/tasks/main.yml | 8 ++++++++ roles/php4dvd/tasks/main.yml | 10 +++++++++- roles/roundcube/tasks/main.yml | 8 ++++++++ 6 files changed, 42 insertions(+), 2 deletions(-) diff --git a/hosts.yml b/hosts.yml index 4e89d6d..363d124 100644 --- a/hosts.yml +++ b/hosts.yml @@ -156,7 +156,6 @@ rocky8: minecraft: nas: nms: - ocinode: print: shell: zm: @@ -168,6 +167,7 @@ rocky9: ldap: mirror: mongodb: + ocinode: prometheus: sane: sqldb: 
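Review bot: Both `get_url` tasks in this commit (the pxeboot hunk and the bsd.rd hunk) verify the download with `checksum: sha1:…`; OpenBSD publishes SHA256 (with a signify-signed SHA256.sig) for each release, so a SHA-256 value taken from that file pins the artefact to what the project released, whereas these SHA-1 values can only have been computed from a download. `checksum: sha256:<value from the release SHA256 file>` — a placeholder, not the real digest — or the module's URL form pointing at the published SHA256 file costs nothing and makes the provenance of the pin reviewable. Both enclosing task lists start outside their hunks.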
diff --git a/roles/authcheck/tasks/main.yml b/roles/authcheck/tasks/main.yml index 09ef679..8ca80cf 100644 --- a/roles/authcheck/tasks/main.yml +++ b/roles/authcheck/tasks/main.yml @@ -10,6 +10,14 @@ group: authcheck shell: /sbin/nologin +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - authcheck + creates: /var/lib/systemd/linger/authcheck + - name: Get container source ansible.builtin.git: dest: /usr/local/src/docker-authcheck diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml index 13743dc..8180bc4 100644 --- a/roles/grafana/tasks/main.yml +++ b/roles/grafana/tasks/main.yml @@ -10,6 +10,14 @@ group: grafana shell: /sbin/nologin +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - grafana + creates: /var/lib/systemd/linger/grafana + - name: Copy host key ansible.builtin.copy: dest: "{{ tls_private }}/grafana.key" diff --git a/roles/kdc/tasks/main.yml b/roles/kdc/tasks/main.yml index c126fcb..f7ef8eb 100644 --- a/roles/kdc/tasks/main.yml +++ b/roles/kdc/tasks/main.yml @@ -10,6 +10,14 @@ group: kdc shell: /sbin/nologin +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - kdc + creates: /var/lib/systemd/linger/kdc + - name: Get container source ansible.builtin.git: dest: /usr/local/src/docker-kdc diff --git a/roles/php4dvd/tasks/main.yml b/roles/php4dvd/tasks/main.yml index 85b1042..fc42fe8 100644 --- a/roles/php4dvd/tasks/main.yml +++ b/roles/php4dvd/tasks/main.yml @@ -7,9 +7,17 @@ ansible.builtin.user: name: php4dvd comment: Podman pphp4dvd - group: authcheck + group: php4dvd shell: /sbin/nologin +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - php4dvd + creates: /var/lib/systemd/linger/php4dvd + - name: Get container source ansible.builtin.git: dest: /usr/local/src/docker-php4dvd 
diff --git a/roles/roundcube/tasks/main.yml b/roles/roundcube/tasks/main.yml index eca261b..787a983 100644 --- a/roles/roundcube/tasks/main.yml +++ b/roles/roundcube/tasks/main.yml @@ -10,6 +10,14 @@ group: roundcube shell: /sbin/nologin +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - roundcube + creates: /var/lib/systemd/linger/roundcube + - name: Copy host key ansible.builtin.copy: dest: "{{ tls_private }}/roundcube.key" From 7cf2ad1f5abf35d751537ddba2b1948cb02f64a6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 25 Nov 2023 17:11:40 +0000 Subject: [PATCH 094/596] Fix memory size for oci-nodes --- group_vars/ocinode.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/ocinode.yml b/group_vars/ocinode.yml index d87fa04..7e132c3 100644 --- a/group_vars/ocinode.yml +++ b/group_vars/ocinode.yml @@ -1,6 +1,6 @@ --- # increase memory size -mem_size: 4192 +mem_size: 4096 firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} From 0ed96a14f50dd699d977043b558927533018898f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 25 Nov 2023 17:35:34 +0000 Subject: [PATCH 095/596] nginx_site: Serve static files from static02 --- roles/nginx_site/templates/www.foo.sh.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nginx_site/templates/www.foo.sh.conf.j2 b/roles/nginx_site/templates/www.foo.sh.conf.j2 index c3af36f..ad34c06 100644 --- a/roles/nginx_site/templates/www.foo.sh.conf.j2 +++ b/roles/nginx_site/templates/www.foo.sh.conf.j2 @@ -3,9 +3,9 @@ } location /roles/ { - proxy_pass https://static01.home.foo.sh/roles/; + proxy_pass https://static02.home.foo.sh/roles/; } location /~ { - proxy_pass https://static01.home.foo.sh/~; + proxy_pass https://static02.home.foo.sh/~; } From 4594bb608399834f3ae3a517ffe802115a382cf8 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sat, 25 Nov 2023 18:15:53 +0000 Subject: [PATCH 096/596] Update Fedora to 39 --- group_vars/fedora.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/fedora.yml b/group_vars/fedora.yml index c0ed1a5..f10f398 100644 --- a/group_vars/fedora.yml +++ b/group_vars/fedora.yml @@ -18,7 +18,7 @@ ipcmd: >- {% endif %} virt_install_os_args: >- --location - https://nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/releases/38/Everything/x86_64/os/ + https://nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/releases/39/Everything/x86_64/os/ --extra-args "inst.ks={{ ks_file }} console=ttyS0 From ee6d3b4d52461b5f42d1c226f9d4a0eaf797c260 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 26 Nov 2023 15:22:54 +0000 Subject: [PATCH 097/596] scanservjs: Fix sane host address --- roles/scanservjs/templates/scanservjs-container.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/scanservjs/templates/scanservjs-container.service.j2 b/roles/scanservjs/templates/scanservjs-container.service.j2 index 3a21dee..50f1306 100644 --- a/roles/scanservjs/templates/scanservjs-container.service.j2 +++ b/roles/scanservjs/templates/scanservjs-container.service.j2 @@ -8,6 +8,7 @@ User=scanserv ExecStartPre=/usr/bin/podman pull docker.io/sbs20/scanservjs:{{ scanservjs_version }} ExecStart=/usr/bin/podman run \ --rm -p 127.0.0.1:8006:8080 \ + --env "SANED_NET_HOSTS={{ inventory_hostname }}" \ --name scanservjs \ docker.io/sbs20/scanservjs:{{ scanservjs_version }} ExecStop=/usr/bin/podman stop --ignore scanservjs From 3fdbd62aca212cf199bce29b003479d47fd24cca Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 26 Nov 2023 15:25:00 +0000 Subject: [PATCH 098/596] scanserv: Enable user lingering --- roles/scanservjs/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/scanservjs/tasks/main.yml b/roles/scanservjs/tasks/main.yml index 160cf8d..827faa8 100644 
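Review bot: `--env "SANED_NET_HOSTS={{ inventory_hostname }}"` presumably points the container's SANE net backend at this host's saned over TCP (the page does not show how the image consumes the variable), so saned's access list and the host firewall must admit connections from wherever the container's traffic appears to originate; the unit runs rootless (`User=scanserv`), so that depends on podman's network mode. The sane role added earlier in this series does not manage `/etc/sane.d/saned.conf` and `group_vars/sane.yml` opens only 22, 443 and 9100, so this relies on defaults that are not visible here. A comment above the `ExecStart=` line naming the expected path, e.g. `# scanservjs reaches saned on this host via SANED_NET_HOSTS; saned.conf must allow it`, would make the dependency explicit. The `[Service]` section starts outside the hunk.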
--- a/roles/scanservjs/tasks/main.yml +++ b/roles/scanservjs/tasks/main.yml @@ -10,6 +10,14 @@ group: scanserv shell: /sbin/nologin +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - scanserv + creates: /var/lib/systemd/linger/scanserv + - name: Create service file ansible.builtin.template: dest: /etc/systemd/system/scanservjs-container.service From 270da668c32bef482b80433bb6be35f94ec590da Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 26 Nov 2023 15:35:51 +0000 Subject: [PATCH 099/596] pki: Prevent OpenBSD from changing permissions --- roles/pki/files/mtree.patch | 11 +++++++++++ roles/pki/tasks/main.yml | 6 ++++++ 2 files changed, 17 insertions(+) create mode 100644 roles/pki/files/mtree.patch diff --git a/roles/pki/files/mtree.patch b/roles/pki/files/mtree.patch new file mode 100644 index 0000000..04e6e89 --- /dev/null +++ b/roles/pki/files/mtree.patch @@ -0,0 +1,11 @@ +--- 4.4BSD.dist.orig Sat Nov 25 20:29:26 2023 ++++ 4.4BSD.dist Sat Nov 25 20:29:36 2023 +@@ -105,7 +105,7 @@ + + # ./etc/ssl + ssl +- private uname=root mode=0700 ++ private uname=root mode=0750 + .. + .. + diff --git a/roles/pki/tasks/main.yml b/roles/pki/tasks/main.yml index b27715a..3e20d68 100644 --- a/roles/pki/tasks/main.yml +++ b/roles/pki/tasks/main.yml @@ -29,6 +29,12 @@ ansible.builtin.set_fact: pki_cacert_hash: "{{ result.stdout }}" +- name: Patch mtree to set correct permissions on /etc/ssl/private + ansible.posix.patch: + dest: /etc/mtree/4.4BSD.dist + src: mtree.patch + when: ansible_system == "OpenBSD" + - name: Fix private key directory permissions ansible.builtin.file: path: "{{ tls_private }}" From ad187f51e35dde0b0417185b8963cac661723850 Mon Sep 17 00:00:00 2001 
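Review bot: The widened `mode=0750` in mtree.patch makes /etc/ssl/private traversable by whatever group the directory currently carries, because the patched line sets no `gname=`; on a stock 4.4BSD.dist that is presumably wheel, so every wheel member gains access to the private key directory rather than only the service that needs it. Pinning the group on the same line, `private gname=<service-group placeholder> uname=root mode=0750`, keeps the relaxation scoped. Separately, the new pki task conditions on `ansible_system == "OpenBSD"` while the node_exporter tasks later in this series use `ansible_os_family == "OpenBSD"`; both are true on OpenBSD, but using one fact across roles keeps the conditions greppable.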
From: Timo Makinen Date: Sun, 26 Nov 2023 17:41:18 +0000 Subject: [PATCH 100/596] php4dvd: Use TLS for MariaDB connections --- roles/php4dvd/tasks/main.yml | 9 +++++++++ roles/php4dvd/templates/php4dvd-container.service.j2 | 3 +++ roles/php4dvd/templates/php4dvd-container.sysconfig.j2 | 3 +++ 3 files changed, 15 insertions(+) diff --git a/roles/php4dvd/tasks/main.yml b/roles/php4dvd/tasks/main.yml index fc42fe8..749a032 100644 --- a/roles/php4dvd/tasks/main.yml +++ b/roles/php4dvd/tasks/main.yml @@ -18,6 +18,15 @@ - php4dvd creates: /var/lib/systemd/linger/php4dvd +- name: Copy host key + ansible.builtin.copy: + dest: "{{ tls_private }}/php4dvd.key" + src: "{{ tls_private }}/{{ inventory_hostname }}.key" + mode: "0640" + owner: root + group: php4dvd + remote_src: true + - name: Get container source ansible.builtin.git: dest: /usr/local/src/docker-php4dvd diff --git a/roles/php4dvd/templates/php4dvd-container.service.j2 b/roles/php4dvd/templates/php4dvd-container.service.j2 index 277bb16..af646cb 100644 --- a/roles/php4dvd/templates/php4dvd-container.service.j2 +++ b/roles/php4dvd/templates/php4dvd-container.service.j2 @@ -10,6 +10,9 @@ ExecStart=/usr/bin/podman run \ --rm -p 127.0.0.1:8005:80 \ --name php4dvd \ --env PHP4DVD_* \ + --volume={{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \ + --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \ + --volume={{ tls_private }}/php4dvd.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \ --volume /export/volumes/php4dvd:/var/www/html/movies:rw,Z \ php4dvd:latest ExecStop=/usr/bin/podman stop --ignore php4dvd diff --git a/roles/php4dvd/templates/php4dvd-container.sysconfig.j2 b/roles/php4dvd/templates/php4dvd-container.sysconfig.j2 index af894b5..79c274b 100644 --- a/roles/php4dvd/templates/php4dvd-container.sysconfig.j2 +++ b/roles/php4dvd/templates/php4dvd-container.sysconfig.j2 
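Review bot: The new `Copy host key` task carries no `notify`, so a renewed host key is copied into `{{ tls_private }}/php4dvd.key` but the running container keeps serving with the file it mounted at start until something else restarts it. Adding `notify: Restart php4dvd` (the role's restart handler name is not visible in this hunk) ties key rotation to a container restart the same way the service-file task presumably does. The task list continues outside the hunk.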
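Review bot: The three added `--volume=` mounts for the CA, certificate and key use `:ro` only, while the existing movies volume two lines below passes `rw,Z`; if this host runs SELinux in enforcing mode, the container may be denied read access to files under `{{ tls_certs }}` and `{{ tls_private }}` that keep their host labels. `:Z` is not the fix here, since it would relabel files shared with the host's own TLS users; instead confirm after restart that no AVC denials are logged for these paths and, if there are, give the copied key its own directory with a container-readable context. The mixed spelling `--volume=` on the new lines versus `--volume ` on the existing one is a small style nit.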
@@ -2,4 +2,7 @@ PHP4DVD_DB_HOST=sqldb02.home.foo.sh PHP4DVD_DB_NAME=php4dvd PHP4DVD_DB_USER=php4dvd PHP4DVD_DB_PASS={{ php4dvd_mysql_pass }} +PHP4DVD_DB_KEY=/etc/ssl/private/{{ inventory_hostname }}.key +PHP4DVD_DB_CERT=/etc/ssl/certs/{{ inventory_hostname }}.crt +PHP4DVD_DB_CACERT=/etc/ssl/certs/ca.crt PHP4DVD_USER_GUESTVIEW=true From 8c66c9a6a06aa2c5a9a41be34689347e385e0b51 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 27 Nov 2023 10:43:00 +0000 Subject: [PATCH 101/596] Update gitea to 1.21.1 --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 363d124..6133caa 100644 --- a/hosts.yml +++ b/hosts.yml @@ -21,7 +21,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.0" + gitea_version: "1.21.1" gitearunner: hosts: gitea-runner02.home.foo.sh: From a4660f69cfbea2a080cd6c5d0b080f4cc3c415bb Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 5 Dec 2023 17:15:16 +0000 Subject: [PATCH 102/596] homeassistant: Add support for zigbee dongle --- .../files/99-homeassistant.rules | 1 + .../files/homeassistant-local.pp | Bin 1737 -> 1919 bytes .../files/homeassistant-local.te | 4 +++- roles/homeassistant/tasks/main.yml | 14 ++++++++++++++ .../homeassistant-container.service.j2 | 1 + 5 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 roles/homeassistant/files/99-homeassistant.rules diff --git a/roles/homeassistant/files/99-homeassistant.rules b/roles/homeassistant/files/99-homeassistant.rules new file mode 100644 index 0000000..42b1684 --- /dev/null +++ b/roles/homeassistant/files/99-homeassistant.rules @@ -0,0 +1 @@ +SUBSYSTEM=="tty", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="ea60", MODE="0660", GROUP="ha" 
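Review bot: The new udev rule matches only `idVendor`/`idProduct` 10c4:ea60, which appears to be the generic Silicon Labs CP210x USB-serial bridge ID rather than a specific zigbee dongle, so any CP210x device plugged into the host becomes group-`ha` writable. If the stick exposes a serial number, narrowing the rule with `ATTRS{serial}=="<dongle-serial placeholder>"` (optionally with a `SYMLINK+=` so the container gets a stable path) limits the grant to the intended device. The remaining hunks of this commit (the SELinux module, the tasks and the container unit) are not legible in this rendering.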
diff --git a/roles/homeassistant/files/homeassistant-local.pp b/roles/homeassistant/files/homeassistant-local.pp index e3fe854c1d94f1f172df85610e67d50138d5d1b8..e202a252d317e3d7ace4f3fe3407dabd31587479 100644 GIT binary patch delta 201 zcmX@f`=4(@1e2k|WJM-nP8J3R1`uYRcvoB^C9?>`W(4A*)Wj4J8w6M;)@e`P!Xz+p zr#2(g#;5s=jBJw|nWZNeFu5?YOn%7h4rED8c3@(G@)DS3;H;F%8Z0Uk-*8O+z#KC9 z0W-(st!x651DIJRC$LCNo&&@aSU`pxWRjmeff>jHV};29tOk=eu&7LKVD%6II}hj# OpzA;`1LMUfSs4M+#WI=z delta 132 zcmey*canEP1e1Zo~f2o23~O7#Ue7KVXuc zJe|p9GCPY0kd~Ot%;GcoHFF9O%S=Ac!ZF#M* Date: Fri, 8 Dec 2023 18:07:14 +0000 Subject: [PATCH 103/596] Add zigbee device to homeassistant --- host_vars/homeassistant01.home.foo.sh.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/host_vars/homeassistant01.home.foo.sh.yml b/host_vars/homeassistant01.home.foo.sh.yml index fefe24f..66a2c30 100644 --- a/host_vars/homeassistant01.home.foo.sh.yml +++ b/host_vars/homeassistant01.home.foo.sh.yml @@ -7,4 +7,6 @@ network_interfaces: - device: eth1 vlan: 30 virt_install_devices: + - 001.004 - 001.005 + - 001.006 From a4bbc5438052bf2857988b75646dc1dd231e5e28 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 8 Dec 2023 18:07:44 +0000 Subject: [PATCH 104/596] Increase memory on sql hosts --- group_vars/sqldb.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/group_vars/sqldb.yml b/group_vars/sqldb.yml index f2d2337..5848832 100644 --- a/group_vars/sqldb.yml +++ b/group_vars/sqldb.yml @@ -1,4 +1,5 @@ --- +mem_size: 4096 datadisks: - {size: 20, type: nvme} firewall_in: From c7c77fcb0ba29822a7dec67b4350bfd33b3ef611 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 8 Dec 2023 18:08:34 +0000 Subject: [PATCH 105/596] Fix typo --- site.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site.yml b/site.yml index a942f1d..ce2ad46 100644 --- a/site.yml +++ b/site.yml 
@@ -48,7 +48,7 @@ - name: Configure relay hosts ansible.builtin.import_playbook: playbooks/relay.yml - name: Configure sane hosts - ansible.builtin.import.playbook: playbooks/sane.yml + ansible.builtin.import_playbook: playbooks/sane.yml - name: Configure shell hosts ansible.builtin.import_playbook: playbooks/shell.yml - name: Configure sqldb hosts From 2b475bf8ce39e6daea602f0d42eb9c5043f3726e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 12 Dec 2023 21:18:25 +0000 Subject: [PATCH 106/596] Remove mythtv hosts --- hosts.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/hosts.yml b/hosts.yml index 6133caa..71cd418 100644 --- a/hosts.yml +++ b/hosts.yml @@ -65,9 +65,6 @@ mongodb: mqtt: hosts: mqtt02.home.foo.sh: -mythtv: - hosts: - mythtv01.home.foo.sh: nas: hosts: nas02.home.foo.sh: @@ -137,7 +134,6 @@ vultr: fedora: children: gitearunner: - mythtv: openbsd: children: backup: From 79ecf7277f78bb27410831695f319860aa9ee95d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 12 Dec 2023 21:34:26 +0000 Subject: [PATCH 107/596] Update software versions --- hosts.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hosts.yml b/hosts.yml index 71cd418..f9d26fa 100644 --- a/hosts.yml +++ b/hosts.yml @@ -21,7 +21,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.1" + gitea_version: "1.21.2" gitearunner: hosts: gitea-runner02.home.foo.sh: @@ -31,7 +31,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2023.11.2" + homeassistant_version: "2023.12" homeassistant_integrations: - name: electrolux_status repo: >- @@ -82,8 +82,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "10.2.1" - rocketchat_version: "6.4.6" + grafana_version: "10.2.2" + rocketchat_version: "6.5.0" roundcube_version: "1.6.5" print: hosts: From b04edceb13f127f06ef6a46aef94311b6973b493 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Fri, 15 Dec 2023 15:23:32 +0000 Subject: [PATCH 108/596] homeassistant: Fix updating to new version --- roles/homeassistant/handlers/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/homeassistant/handlers/main.yml b/roles/homeassistant/handlers/main.yml index 61fb83a..36f24f6 100644 --- a/roles/homeassistant/handlers/main.yml +++ b/roles/homeassistant/handlers/main.yml @@ -1,5 +1,6 @@ --- - name: Restart homeassistant - ansible.builtin.service: + ansible.builtin.systemd_service: name: homeassistant-container state: restarted + daemon_reload: true From eead2210467b5d6981b030b3d10f98981c0b652a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 15 Dec 2023 15:23:57 +0000 Subject: [PATCH 109/596] Update homeassistant to 2023.12.3 --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index f9d26fa..990f6f4 100644 --- a/hosts.yml +++ b/hosts.yml @@ -31,7 +31,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2023.12" + homeassistant_version: "2023.12.3" homeassistant_integrations: - name: electrolux_status repo: >- From 89a0cbddbf125de9bc00243f40915c9cf1988d2a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 22 Dec 2023 16:05:33 +0000 Subject: [PATCH 110/596] Update gitea --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 990f6f4..d0728df 100644 --- a/hosts.yml +++ b/hosts.yml @@ -21,7 +21,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.2" + gitea_version: "1.21.3" gitearunner: hosts: gitea-runner02.home.foo.sh: From 23d8b9bcdcca82b185d34dcde68639a7df0be974 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 22 Dec 2023 18:06:18 +0000 Subject: [PATCH 111/596] pki: Fix group from OpenBSD private dir --- roles/pki/files/mtree.patch | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/roles/pki/files/mtree.patch b/roles/pki/files/mtree.patch index 04e6e89..17ce41e 100644 --- a/roles/pki/files/mtree.patch +++ b/roles/pki/files/mtree.patch @@ -1,11 +1,11 @@ ---- 4.4BSD.dist.orig Sat Nov 25 20:29:26 2023 -+++ 4.4BSD.dist Sat Nov 25 20:29:36 2023 +--- 4.4BSD.dist.orig Fri Dec 22 17:31:46 2023 ++++ 4.4BSD.dist Fri Dec 22 17:32:00 2023 @@ -105,7 +105,7 @@ # ./etc/ssl ssl - private uname=root mode=0700 -+ private uname=root mode=0750 ++ private gname=hostkey uname=root mode=0750 .. .. From 2247ce1d160d44ebc1a8ade1cf5a244385b1d4b2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 9 Jan 2024 19:15:54 +0000 Subject: [PATCH 112/596] Update softwrae versions --- hosts.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts.yml b/hosts.yml index d0728df..6515638 100644 --- a/hosts.yml +++ b/hosts.yml @@ -31,7 +31,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2023.12.3" + homeassistant_version: "2024.1.2" homeassistant_integrations: - name: electrolux_status repo: >- @@ -82,8 +82,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "10.2.2" - rocketchat_version: "6.5.0" + grafana_version: "10.2.3" + rocketchat_version: "6.5.2" roundcube_version: "1.6.5" print: hosts: From e43dd2a26efd1f1d7f5808d42d6edb13969b462a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 9 Jan 2024 23:24:26 +0000 Subject: [PATCH 113/596] Fix changed ip addressses --- group_vars/ns.yml | 4 ++-- group_vars/shell.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/ns.yml b/group_vars/ns.yml index 6542553..544cf9b 100644 --- a/group_vars/ns.yml +++ b/group_vars/ns.yml 
@@ -1,12 +1,12 @@ --- firewall_in: - - {proto: tcp, port: 22, from: [172.20.20.0/22, 81.175.130.44/32]} + - {proto: tcp, port: 22, from: [172.20.20.0/22, 62.78.229.29/32]} - {proto: tcp, port: 53} - {proto: udp, port: 53} - {proto: tcp, port: 80} - {proto: tcp, port: 443} - {proto: tcp, port: 853} - - {proto: tcp, port: 4949, from: [172.20.20.0/22, 81.175.130.44/32]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22, 62.78.229.29/32]} firewall_raw: - pass quick proto carp diff --git a/group_vars/shell.yml b/group_vars/shell.yml index 2af3bb2..19931a2 100644 --- a/group_vars/shell.yml +++ b/group_vars/shell.yml @@ -9,4 +9,4 @@ firewall_in: - {proto: tcp, port: 22} - {proto: tcp, port: 80} - {proto: tcp, port: 443} - - {proto: tcp, port: 9100, from: [81.175.130.44/32]} + - {proto: tcp, port: 9100, from: [62.78.229.29/32]} From 98d52e577aca81596c4748dadc2ea9415e20c318 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 17 Jan 2024 18:35:00 +0000 Subject: [PATCH 114/596] node_exporter: Enable text collector for OpenBSD --- roles/node_exporter/tasks/main.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml index 00b9898..2be0e07 100644 --- a/roles/node_exporter/tasks/main.yml +++ b/roles/node_exporter/tasks/main.yml @@ -31,6 +31,15 @@ group: "{{ ansible_wheel }}" notify: Restart node_exporter +- name: Create textfile collector directory + ansible.builtin.file: + path: /var/db/node-exporter + state: directory + mode: 0755 + owner: _nodeexporter + group: _nodeexporter + when: ansible_os_family == "OpenBSD" + - name: Modify config ansible.builtin.lineinfile: path: /etc/default/prometheus-node-exporter 
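Review bot: The external allow-list address `62.78.229.29/32` is now written three times across `group_vars/ns.yml` and `group_vars/shell.yml`, which is why this commit had to touch two files; holding it in one variable (constructed example: `external_admin_net: "62.78.229.29/32"` in a group-wide vars file, then `from: [172.20.20.0/22, "{{ external_admin_net }}"]` here) makes the next address change a single edit. The ns.yml hunk also swaps the monitoring port from 4949 to 9100 under a title about IP addresses; a separate commit or a line in the message would keep that change findable later.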
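Review bot: `mode: 0755` in the new `Create textfile collector directory` task is an unquoted scalar, so a YAML 1.1 loader hands Ansible the integer 493 (which happens to equal 0o755) while a YAML 1.2 loader would yield 755 decimal; writing `mode: "0755"` removes the parser dependence and matches the quoted modes the frigate role uses later in this series (`mode: "0750"`, `mode: "0644"`). ansible-lint's `risky-octal` rule flags exactly this pattern. The same unquoted `0755` appears twice more in the `Create directory for textfile collector scripts` and `Add script for running textfile collector scripts` tasks of the later node_exporter commit.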
@@ -50,7 +59,10 @@ name: "{{ node_exporter_service }}" state: started enabled: true - arguments: --web.config.file=/etc/node_exporter/web-config.yml + arguments: >- + --web.config.file=/etc/node_exporter/web-config.yml + --collector.textfile.directory /var/db/node-exporter + notify: Restart node_exporter when: ansible_os_family == "OpenBSD" - name: Enable service From c98c7fd7bb3fa201154d5474dd070a8e6a7875c9 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 17 Jan 2024 18:53:36 +0000 Subject: [PATCH 115/596] node_exporter: Use documented syntax for options --- roles/node_exporter/tasks/main.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml index 2be0e07..fffda67 100644 --- a/roles/node_exporter/tasks/main.yml +++ b/roles/node_exporter/tasks/main.yml @@ -45,12 +45,11 @@ path: /etc/default/prometheus-node-exporter regexp: "^ARGS=" line: >- - ARGS="--collector.filesystem.ignored-mount-points - '^/(dev|proc|sys|run/(user|credentials/systemd-.+))($|/)' - --collector.netclass.ignored-devices '^(br-|docker|veth).+$' - --collector.netdev.device-exclude '^(br-|docker|veth).+$' + ARGS="--collector.filesystem.ignored-mount-points='^/(dev|proc|sys|run/(user|credentials/systemd-.+))($|/)' + --collector.netclass.ignored-devices='^(br-|docker|veth).+$' + --collector.netdev.device-exclude='^(br-|docker|veth).+$' --web.config=/etc/node_exporter/web-config.yml - --collector.textfile.directory /var/lib/prometheus/node-exporter" + --collector.textfile.directory=/var/lib/prometheus/node-exporter" notify: Restart node_exporter when: ansible_os_family == "RedHat" @@ -61,7 +60,7 @@ enabled: true arguments: >- --web.config.file=/etc/node_exporter/web-config.yml - --collector.textfile.directory /var/db/node-exporter + --collector.textfile.directory=/var/db/node-exporter notify: Restart node_exporter when: ansible_os_family == "OpenBSD" 
From e5d0752812e3dc768e476c7908c53bb2af9a61e8 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 17 Jan 2024 20:27:11 +0000 Subject: [PATCH 116/596] node_exporter: Run textfile collectors every 10min --- .../node-exporter-run-textfile-collector.sh | 21 ++++++++++++++++++ roles/node_exporter/tasks/main.yml | 22 +++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100755 roles/node_exporter/files/node-exporter-run-textfile-collector.sh diff --git a/roles/node_exporter/files/node-exporter-run-textfile-collector.sh b/roles/node_exporter/files/node-exporter-run-textfile-collector.sh new file mode 100755 index 0000000..2b3d297 --- /dev/null +++ b/roles/node_exporter/files/node-exporter-run-textfile-collector.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +set -eu + +umask 022 + +if [ "$(uname -s)" = "OpenBSD" ]; then + OUTDIR="/var/db/node-exporter" +else + OUTDIR="/var/lib/prometheus/node-exporter" +fi + +for script in /usr/local/libexec/node-exporter/*; do + [ -x "$script" ] || continue + target="${OUTDIR}/$(basename "$script")" + if "$script" > "${target}.tmp" ; then + mv "${target}.tmp" "${target}.prom" + else + rm -f "${target}.tmp" + fi +done diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml index fffda67..1e35c32 100644 --- a/roles/node_exporter/tasks/main.yml +++ b/roles/node_exporter/tasks/main.yml 
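Review bot: Every run writes to the same `${target}.tmp`, so if a collector under `/usr/local/libexec/node-exporter` ever runs longer than the 10-minute cron interval, two invocations write into one temp file and one of them renames a truncated or interleaved result into place. A per-process temp name, `target_tmp="${target}.tmp.$$"` used for the redirect, the `mv` and the `rm -f`, keeps each run's output private; the final rename is already atomic. Note also that a failing collector leaves its previous `.prom` untouched, so a stale metric file can persist indefinitely; if that is not intended, `rm -f "${target}.prom"` in the else branch surfaces the failure to Prometheus instead of hiding it.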
@@ -40,6 +40,28 @@ group: _nodeexporter when: ansible_os_family == "OpenBSD" +- name: Create directory for textfile collector scripts + ansible.builtin.file: + path: /usr/local/libexec/node-exporter + state: directory + mode: 0755 + owner: root + group: "{{ ansible_wheel }}" + +- name: Add script for running textfile collector scripts + ansible.builtin.copy: + dest: /usr/local/sbin/node-exporter-run-textfile-collector + src: node-exporter-run-textfile-collector.sh + mode: 0755 + owner: root + group: "{{ ansible_wheel }}" + +- name: Add cron job for running textfile collector scripts + ansible.builtin.cron: + name: node-exporter-run-textfile-collector + job: /usr/local/sbin/node-exporter-run-textfile-collector + minute: "*/10" + - name: Modify config ansible.builtin.lineinfile: path: /etc/default/prometheus-node-exporter From d22236f5dfcf644fbad56cf6814c9686f9f65d18 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 17 Jan 2024 20:30:13 +0000 Subject: [PATCH 117/596] scanservjs: yamllint fix --- roles/scanservjs/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/scanservjs/tasks/main.yml b/roles/scanservjs/tasks/main.yml index 827faa8..9399983 100644 --- a/roles/scanservjs/tasks/main.yml +++ b/roles/scanservjs/tasks/main.yml @@ -43,4 +43,3 @@ owner: root group: "{{ ansible_wheel }}" notify: Restart apache - From 5900c39b592b57a667465f518b4b84c0171f0457 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 17 Jan 2024 20:30:56 +0000 Subject: [PATCH 118/596] yamllint fix --- playbooks/sane.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/playbooks/sane.yml b/playbooks/sane.yml index 03ef6db..cb8101f 100644 --- a/playbooks/sane.yml +++ b/playbooks/sane.yml @@ -37,4 +37,3 @@ owner: root group: "{{ ansible_wheel }}" notify: Restart apache - From adbc274797cdfd6b60b9ae2062fe9af0fdb40369 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Wed, 17 Jan 2024 20:41:53 +0000 Subject: [PATCH 119/596] homeassistant: More robust auth command --- roles/homeassistant/files/auth-command.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/homeassistant/files/auth-command.sh b/roles/homeassistant/files/auth-command.sh index 6b2c2dc..e64ee9c 100755 --- a/roles/homeassistant/files/auth-command.sh +++ b/roles/homeassistant/files/auth-command.sh @@ -2,6 +2,12 @@ set -eu +umask 077 + +if [ -z "${username:-}" ] || [ -z "${password:-}" ]; then + exit 2 +fi + if [ "$(echo "$username" | sed -r 's/^[a-z]+$/x/')" != "x" ]; then exit 2 fi From 7a02a28d0fd4a4617c1ae8371a8703723234129d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 25 Jan 2024 19:28:26 +0000 Subject: [PATCH 120/596] network: Add support for OpenBSD rdomains --- roles/network/templates/hostname.if.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/network/templates/hostname.if.j2 b/roles/network/templates/hostname.if.j2 index 0db5d8b..862640b 100644 --- a/roles/network/templates/hostname.if.j2 +++ b/roles/network/templates/hostname.if.j2 @@ -1,3 +1,6 @@ +{% if item.rdomain is defined %} +rdomain {{ item.rdomain }} +{% endif %} {% if item.proto is not defined or item.proto == 'dhcp' %} dhcp {% elif item.proto == 'static' %} From 69ebc89858b3f87b3f8d6b7e9c7fea8ce40a1833 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 25 Jan 2024 19:31:06 +0000 Subject: [PATCH 121/596] openvpn: Hardcode rdomain for now --- roles/openvpn/files/hostname.tap0 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openvpn/files/hostname.tap0 b/roles/openvpn/files/hostname.tap0 index cd1c353..2b44eb9 100644 --- a/roles/openvpn/files/hostname.tap0 +++ b/roles/openvpn/files/hostname.tap0 @@ -1,2 +1,2 @@ up -!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/tap0.conf +!/sbin/route -T 1 exec /usr/local/sbin/openvpn --daemon --config /etc/openvpn/tap0.conf 
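Review bot: The new empty-input guard and the existing `echo | sed` character-class test on the lines that follow can be one POSIX `case`, `case "${username:-}" in ""|*[!a-z]*) exit 2 ;; esac`, which needs no subshell and never passes the untrusted value through `echo` (where a value such as `-n` is treated as an option by some shells). `umask 077` is a sound addition for a script that may write credential-derived files. The rest of the script is outside the hunk.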
From cdd7e82b6a683d30d2b4da2af9596bf8dbab7a69 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 25 Jan 2024 19:32:28 +0000 Subject: [PATCH 122/596] Move DNA interface to correct rdomain on fsol-gw --- host_vars/fsol-gw01.home.foo.sh.yml | 1 + host_vars/fsol-gw02.home.foo.sh.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/host_vars/fsol-gw01.home.foo.sh.yml b/host_vars/fsol-gw01.home.foo.sh.yml index 798ef20..d6e9acd 100644 --- a/host_vars/fsol-gw01.home.foo.sh.yml +++ b/host_vars/fsol-gw01.home.foo.sh.yml @@ -15,6 +15,7 @@ network_interfaces: - device: vio2 vlan: 103 proto: dhcp + rdomain: 1 - device: vio3 vlan: 102 proto: none diff --git a/host_vars/fsol-gw02.home.foo.sh.yml b/host_vars/fsol-gw02.home.foo.sh.yml index 88cce43..9b00140 100644 --- a/host_vars/fsol-gw02.home.foo.sh.yml +++ b/host_vars/fsol-gw02.home.foo.sh.yml @@ -15,6 +15,7 @@ network_interfaces: - device: vio2 vlan: 103 proto: dhcp + rdomain: 1 - device: vio3 vlan: 102 proto: none From 5a8fca650c297d38df3a09f8755a32323129b835 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 25 Jan 2024 19:33:17 +0000 Subject: [PATCH 123/596] node_exporter: Force path to textfile collectors Cron ismissing sbin directories by default and /usr/local on OpenBSD so force them into path. --- .../node_exporter/files/node-exporter-run-textfile-collector.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/node_exporter/files/node-exporter-run-textfile-collector.sh b/roles/node_exporter/files/node-exporter-run-textfile-collector.sh index 2b3d297..b8897ae 100755 --- a/roles/node_exporter/files/node-exporter-run-textfile-collector.sh +++ b/roles/node_exporter/files/node-exporter-run-textfile-collector.sh @@ -4,6 +4,8 @@ set -eu umask 022 +PATH="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin" + if [ "$(uname -s)" = "OpenBSD" ]; then OUTDIR="/var/db/node-exporter" else From 3bcc12a16df1ea0255bdd7db81f2548b81efa891 Mon Sep 17 00:00:00 2001 
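Review bot: `PATH="/bin:..."` on the new line relies on PATH already carrying the export attribute from cron's environment; that holds under cron, but when the script is run by hand from a stripped environment (for example `env -i sh ...`) a plain assignment is not inherited by the collectors it execs. `export PATH="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin"` states the intent and costs nothing.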
From: Timo Makinen Date: Thu, 25 Jan 2024 20:41:59 +0000 Subject: [PATCH 124/596] Update homeassistant custom plugins --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 6515638..fc3ac80 100644 --- a/hosts.yml +++ b/hosts.yml @@ -36,7 +36,7 @@ homeassistant: - name: electrolux_status repo: >- https://github.com/mauro-midolo/homeassistant_electrolux_status.git - version: v4.1.0 + version: v5.0.0 - name: nordpool repo: https://github.com/custom-components/nordpool.git version: 0.0.14 From 93128bb624233b90b33a9b01fb526eac456188e0 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 25 Jan 2024 20:43:25 +0000 Subject: [PATCH 125/596] Update gitea --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index fc3ac80..105b411 100644 --- a/hosts.yml +++ b/hosts.yml @@ -21,7 +21,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.3" + gitea_version: "1.21.4" gitearunner: hosts: gitea-runner02.home.foo.sh: From cb0d0a949d44310ce634fc74b9099caec083d16a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 1 Feb 2024 20:08:46 +0000 Subject: [PATCH 126/596] Update gitea --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 105b411..a1b91f0 100644 --- a/hosts.yml +++ b/hosts.yml @@ -21,7 +21,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.4" + gitea_version: "1.21.5" gitearunner: hosts: gitea-runner02.home.foo.sh: From cb7ca70d1633779c28e812ca76cd25a869159dc9 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sun, 4 Feb 2024 17:03:29 +0000 Subject: [PATCH 127/596] frigate: Initial version of role --- roles/frigate/defaults/main.yml | 2 + roles/frigate/handlers/main.yml | 6 ++ roles/frigate/meta/main.yml | 4 + roles/frigate/tasks/main.yml | 88 +++++++++++++++++++ .../templates/frigate-container.service.j2 | 19 ++++ roles/frigate/templates/frigate.yml.j2 | 20 +++++ 6 files changed, 139 insertions(+) create mode 100644 roles/frigate/defaults/main.yml create mode 100644 roles/frigate/handlers/main.yml create mode 100644 roles/frigate/meta/main.yml create mode 100644 roles/frigate/tasks/main.yml create mode 100644 roles/frigate/templates/frigate-container.service.j2 create mode 100644 roles/frigate/templates/frigate.yml.j2 diff --git a/roles/frigate/defaults/main.yml b/roles/frigate/defaults/main.yml new file mode 100644 index 0000000..3266cf2 --- /dev/null +++ b/roles/frigate/defaults/main.yml @@ -0,0 +1,2 @@ +--- +frigate_version: stable diff --git a/roles/frigate/handlers/main.yml b/roles/frigate/handlers/main.yml new file mode 100644 index 0000000..57e67ec --- /dev/null +++ b/roles/frigate/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart frigate + ansible.builtin.systemd_service: + name: frigate-container + state: restarted + daemon_reload: true diff --git a/roles/frigate/meta/main.yml b/roles/frigate/meta/main.yml new file mode 100644 index 0000000..19b52d0 --- /dev/null +++ b/roles/frigate/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - {role: apache} + - {role: podman} diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml new file mode 100644 index 0000000..5a13994 --- /dev/null +++ b/roles/frigate/tasks/main.yml 
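Review bot: `frigate_version: stable` in the new defaults is a moving tag, and the unit template in this commit has no `ExecStartPre=podman pull`, so which Frigate build actually runs depends on what was last pulled on the host rather than on anything in this repository. The other container roles in this series take an explicit version from inventory (`scanservjs_version`, `gitea_version`); setting `frigate_version` in `hosts.yml` the same way, or pinning an image digest, makes upgrades deliberate and reviewable.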
@@ -0,0 +1,88 @@ +--- +- name: Create group + ansible.builtin.group: + name: frigate + +- name: Create user + ansible.builtin.user: + name: frigate + comment: Podman Frigate + group: frigate + shell: /sbin/nologin + +- name: Create config + ansible.builtin.template: + dest: /etc/frigate.yml + src: frigate.yml.j2 + mode: "0750" + owner: root + group: frigate + notify: Restart frigate + +- name: Fix SELinux contexts from data directory + community.general.sefcontext: + path: /export/frigate(/.*)? + setype: container_file_t + when: ansible_selinux_python_present + +- name: Create data directories + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: "0770" + owner: root + group: frigate + setype: _default + with_items: + - /export/frigate + - /export/frigate/config + - /export/frigate/media + +- name: Link data directory + ansible.builtin.file: + dest: /srv/frigate + src: /export/frigate + state: link + owner: root + group: "{{ ansible_wheel }}" + follow: false + +- name: Create service file + ansible.builtin.template: + dest: /etc/systemd/system/frigate-container.service + src: frigate-container.service.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart frigate + +- name: Enable service + ansible.builtin.service: + name: frigate-container + state: started + enabled: true + +- name: Copy apache config + ansible.builtin.copy: + dest: /etc/httpd/conf.local.d/frigate-container.conf + content: | + ProxyPass /frigate/ http://127.0.0.1:8007/ + ProxyPassReverse /frigate/ http://127.0.0.1:8007/ + + ProxyPass /frigate/ws ws://127.0.0.1:8007/ws + ProxyPassReverse /frigate/ws ws://127.0.0.1:8007/ws + + ProxyPass /frigate/live ws://127.0.0.1:8007/live + ProxyPassReverse /frigate/live ws://127.0.0.1:8007/live + + + RewriteEngine on + RewriteCond %{HTTP:Upgrade} =websocket [NC] + RewriteRule /(.*) ws://127.0.0.1:8007/$1 [P,L] + RewriteCond %{HTTP:Upgrade} !=websocket [NC] + RewriteRule /(.*) http://127.0.0.1:8007/$1 [P,L] + mode: 
"0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart apache + diff --git a/roles/frigate/templates/frigate-container.service.j2 b/roles/frigate/templates/frigate-container.service.j2 new file mode 100644 index 0000000..186d955 --- /dev/null +++ b/roles/frigate/templates/frigate-container.service.j2 @@ -0,0 +1,19 @@ +[Unit] +Description=Frigate Container +Wants=network-online.target +After=network-online.target + +[Service] +User=frigate +ExecStart=/usr/bin/podman run \ + --rm -p 127.0.0.1:8007:5000 \ + --name frigate \ + --volume /srv/frigate/config:/config:rw \ + --volume /etc/frigate.yml:/config/config.yml:ro \ + --volume /srv/frigate/media:/media/frigate:rw \ + ghcr.io/blakeblackshear/frigate:{{ frigate_version }} +ExecStop=/usr/bin/podman stop --ignore frigate +ExecStopPost=/usr/bin/podman rm -f --ignore frigate + +[Install] +WantedBy=multi-user.target diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2 new file mode 100644 index 0000000..aa283f6 --- /dev/null +++ b/roles/frigate/templates/frigate.yml.j2 @@ -0,0 +1,20 @@ +--- +mqtt: + enabled: false + +cameras: +{% for camera in cctv_cameras %} + {{ camera.name }}: + enabled: true + ffmpeg: + inputs: + - path: "rtsp://viewer:{{ camera.pass }}@{{ camera.addr}}/h264Preview_01_sub" + input_args: preset-rtsp-restream + roles: + - detect + - rtmp + - path: "rtsp://viewer:{{ camera.pass }}@{{ camera.addr}}/h264Preview_01_main" + input_args: preset-rtsp-restream + roles: + - record +{% endfor %} From a0bee46545354930e84cc80512eef0556a1d74b4 Mon Sep 17 00:00:00 2001 
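Review bot: The `Create config` task writes `/etc/frigate.yml` with `mode: "0750"`, but the file is data rather than a program, so the execute bits serve no purpose; `mode: "0640"` gives root and the frigate group the same read access. This matters slightly more than usual because the template embeds each camera's RTSP password. The apache config block in the same hunk appears to have lost lines in this rendering (two empty added lines before `RewriteEngine on`), so the scoping of the rewrite rules could not be checked here.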
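Review bot: The RTSP URLs interpolate `{{ camera.pass }}` raw, so a password containing `@`, `/`, `:` or `#` produces a URL that Frigate parses differently from what was intended; `{{ camera.pass | urlencode }}` keeps the credential intact on both `path:` lines. In the same expressions `{{ camera.addr}}` is missing its closing space, a cosmetic mismatch with the rest of the template. The loop also assumes `cctv_cameras` is always defined for hosts using this role, which is fine if the variable is mandatory.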
From: Timo Makinen Date: Sun, 4 Feb 2024 17:05:16 +0000 Subject: [PATCH 128/596] Remove zm hosts --- group_vars/zm.yml | 23 --------- host_vars/zm02.home.foo.sh.yml | 13 ----- hosts.yml | 4 -- playbooks/zm.yml | 92 ---------------------------------- 4 files changed, 132 deletions(-) delete mode 100644 group_vars/zm.yml delete mode 100644 host_vars/zm02.home.foo.sh.yml delete mode 100644 playbooks/zm.yml diff --git a/group_vars/zm.yml b/group_vars/zm.yml deleted file mode 100644 index 03177dc..0000000 --- a/group_vars/zm.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -mem_size: 4096 -num_cpus: 2 -datadisks: - - {size: 500} - -network_vip_interfaces: - - device: eth1 - vhid: 26 - ipaddr: 172.20.26.1 - netmask: 255.255.0.0 - pass: "{{ vip26_pass }}" - -zm_mysql_host: sqldb02.home.foo.sh -dhcpd_template: dhcpd.conf.cam.j2 - -firewall_in: - - {proto: tcp, port: 22, from: [172.20.20.0/22]} - - {proto: tcp, port: 443, from: [172.20.20.0/22]} - - {proto: tcp, port: 9100, from: [172.20.20.0/22]} -firewall_raw: - - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - - "-A INPUT -i eth1 -p vrrp -j ACCEPT" diff --git a/host_vars/zm02.home.foo.sh.yml b/host_vars/zm02.home.foo.sh.yml deleted file mode 100644 index 340464a..0000000 --- a/host_vars/zm02.home.foo.sh.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -vmhost: vmhost02.home.foo.sh -network_interfaces: - - device: eth0 - vlan: 20 - mac: "52:54:00:ac:dc:4c" - nameservers: [] - - device: eth1 - vlan: 26 - ipaddr: 172.20.26.3 - netmask: 255.255.255.0 - proto: static - nameservers: [172.20.26.1, 172.20.26.3] diff --git a/hosts.yml b/hosts.yml index a1b91f0..5931786 100644 --- a/hosts.yml +++ b/hosts.yml @@ -117,9 +117,6 @@ vmhost: hosts: vmhost01.home.foo.sh: vmhost02.home.foo.sh: -zm: - hosts: - zm02.home.foo.sh: sftpbackup: children: @@ -154,7 +151,6 @@ rocky8: nms: print: shell: - zm: rocky9: children: adm: diff --git a/playbooks/zm.yml b/playbooks/zm.yml deleted file mode 100644 index 8dd9964..0000000 --- a/playbooks/zm.yml +++ /dev/null 
@@ -1,92 +0,0 @@ ---- -- name: Deploy KVM virtual machines - ansible.builtin.import_playbook: include/deploy-kvm-guest.yml - vars: - myhosts: zm - -- name: Configure instance - hosts: zm - user: root - gather_facts: true - - vars_files: - - "{{ ansible_private }}/vars.yml" - - pre_tasks: - - name: Mount /export - ansible.posix.mount: - name: /export - src: LABEL=/export - fstype: xfs - opts: noatime,noexec,nosuid,nodev - passno: "0" - dump: "0" - state: mounted - - roles: - - base - - mod_auth_gssapi - - role: keytab - keytab_path: /etc/httpd/httpd.keytab - keytab_principals: HTTP/zm.foo.sh@FOO.SH - keytab_group: apache - - tasks: - - name: Run handlers to get interfaces configured - ansible.builtin.meta: flush_handlers - - # TODO: this should really be fixed - - name: Put selinux in permissive state - ansible.posix.selinux: - policy: targeted - state: permissive - - - name: Copy DNS zone files - ansible.builtin.copy: - dest: "/var/lib/unbound/{{ item }}" - src: "/srv/dns/{{ item }}" - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - tags: dns - notify: Restart unbound - with_items: - - 26.20.172.in-addr.arpa - - cam.foo.sh - - - name: Include unbound role - ansible.builtin.import_role: - name: unbound - - - name: Include dhcpd and zoneminder roles - ansible.builtin.include_role: - name: "{{ item }}" - with_items: - - dhcpd - - zoneminder - - - name: Install extra packages for debugging - ansible.builtin.package: - name: rtmpdump - state: installed - - - name: Require authentication for zoneminder - ansible.builtin.copy: - dest: /etc/httpd/conf.local.d/zoneminder-auth.conf - content: | - - AuthType GSSAPI - GssapiBasicAuth Off - AuthName "Password Required" - Require valid-user - - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - notify: Restart apache - - - name: Enable NTP server for cam network - ansible.builtin.lineinfile: - path: /etc/chrony.conf - regexp: "^#?allow .*" - line: "allow 172.20.26.0/24" 
From 7a3a385eb5ef16c22a9cd86b61ce821c0ad876d6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 4 Feb 2024 17:07:19 +0000 Subject: [PATCH 129/596] Add frigate host --- group_vars/frigate.yml | 23 ++++++ host_vars/frigate02.home.foo.sh.yml | 13 +++ hosts.yml | 4 + playbooks/frigate.yml | 82 +++++++++++++++++++ ... => unbound.conf.frigate02.home.foo.sh.j2} | 0 5 files changed, 122 insertions(+) create mode 100644 group_vars/frigate.yml create mode 100644 host_vars/frigate02.home.foo.sh.yml create mode 100644 playbooks/frigate.yml rename roles/unbound/templates/{unbound.conf.zm02.home.foo.sh.j2 => unbound.conf.frigate02.home.foo.sh.j2} (100%) diff --git a/group_vars/frigate.yml b/group_vars/frigate.yml new file mode 100644 index 0000000..03177dc --- /dev/null +++ b/group_vars/frigate.yml @@ -0,0 +1,23 @@ +--- +mem_size: 4096 +num_cpus: 2 +datadisks: + - {size: 500} + +network_vip_interfaces: + - device: eth1 + vhid: 26 + ipaddr: 172.20.26.1 + netmask: 255.255.0.0 + pass: "{{ vip26_pass }}" + +zm_mysql_host: sqldb02.home.foo.sh +dhcpd_template: dhcpd.conf.cam.j2 + +firewall_in: + - {proto: tcp, port: 22, from: [172.20.20.0/22]} + - {proto: tcp, port: 443, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} +firewall_raw: + - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" + - "-A INPUT -i eth1 -p vrrp -j ACCEPT" diff --git a/host_vars/frigate02.home.foo.sh.yml b/host_vars/frigate02.home.foo.sh.yml new file mode 100644 index 0000000..cc597b3 --- /dev/null +++ b/host_vars/frigate02.home.foo.sh.yml @@ -0,0 +1,13 @@ +--- +vmhost: vmhost02.home.foo.sh +network_interfaces: + - device: eth0 + vlan: 20 + mac: "52:54:00:ac:dc:8c" + nameservers: [] + - device: eth1 + vlan: 26 + ipaddr: 172.20.26.3 + netmask: 255.255.255.0 + proto: static + nameservers: [172.20.26.1, 172.20.26.3] diff --git a/hosts.yml b/hosts.yml index 5931786..2317395 100644 --- a/hosts.yml +++ b/hosts.yml 
@@ -13,6 +13,9 @@ dnagw: hosts: dna-gw01.home.foo.sh: dna-gw02.home.foo.sh: +frigate: + hosts: + frigate02.home.foo.sh: fsolgw: hosts: fsol-gw01.home.foo.sh: @@ -144,6 +147,7 @@ openbsd: rocky8: children: collab: + frigate: homeassistant: mail: minecraft: diff --git a/playbooks/frigate.yml b/playbooks/frigate.yml new file mode 100644 index 0000000..9da0eb3 --- /dev/null +++ b/playbooks/frigate.yml 
@@ -0,0 +1,82 @@ +--- +- name: Deploy KVM virtual machines + ansible.builtin.import_playbook: include/deploy-kvm-guest.yml + vars: + myhosts: frigate + +- name: Configure instance + hosts: frigate + user: root + gather_facts: true + + vars_files: + - "{{ ansible_private }}/vars.yml" + + pre_tasks: + - name: Mount /export + ansible.posix.mount: + name: /export + src: LABEL=/export + fstype: xfs + opts: noatime,noexec,nosuid,nodev + passno: "0" + dump: "0" + state: mounted + + roles: + - base + - mod_auth_gssapi + - role: keytab + keytab_path: /etc/httpd/httpd.keytab + keytab_principals: HTTP/cctv.foo.sh@FOO.SH + keytab_group: apache + + tasks: + - name: Run handlers to get interfaces configured + ansible.builtin.meta: flush_handlers + + - name: Copy DNS zone files + ansible.builtin.copy: + dest: "/var/lib/unbound/{{ item }}" + src: "/srv/dns/{{ item }}" + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + tags: dns + notify: Restart unbound + with_items: + - 26.20.172.in-addr.arpa + - cam.foo.sh + + - name: Include unbound role + ansible.builtin.import_role: + name: unbound + + - name: Include dhcpd role + ansible.builtin.include_role: + name: dhcpd + + - name: Include frigate role + ansible.builtin.include_role: + name: frigate + + - name: Require authentication for frigate + ansible.builtin.copy: + dest: /etc/httpd/conf.local.d/frigate-auth.conf + content: | + + AuthType GSSAPI + GssapiBasicAuth On + AuthName "Password Required" + Require valid-user + + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart apache + + - name: Enable NTP server for cam network + ansible.builtin.lineinfile: + path: /etc/chrony.conf + regexp: "^#?allow .*" + line: "allow 172.20.26.0/24" 
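Review bot: `GssapiBasicAuth On` in the frigate-auth.conf content block enables the mod_auth_gssapi Basic-auth fallback, meaning clients that cannot do SPNEGO send the user's Kerberos password to Apache; the zm playbook this replaces had it `Off`, so this is a deliberate weakening that deserves a comment stating which clients need it. If the fallback is required, pair it with `GssapiSSLonly On` in the same block so credentials are never accepted over a plaintext connection, even though the nginx proxy in PATCH 130 currently talks https to this host. The container lines around the directives render as blank in this copy, so I could not verify the enclosing `<Location>`/`<Directory>` scope.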
diff --git a/roles/unbound/templates/unbound.conf.zm02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 similarity index 100% rename from roles/unbound/templates/unbound.conf.zm02.home.foo.sh.j2 rename to roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 From 2da1995a73063229af3822aa09bc152f09f58b57 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 4 Feb 2024 17:07:55 +0000 Subject: [PATCH 130/596] Remove zm web site and add cctv --- playbooks/proxy.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index a0653cb..d01e85c 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -37,6 +37,9 @@ - role: nginx_site nginx_site_name: bitbucket.foo.sh nginx_site_redirect: https://bitbucket.org/tmakinen/ + - role: nginx_site + nginx_site_name: cctv.foo.sh + nginx_site_proxy: https://frigate02.home.foo.sh/frigate/ - role: nginx_site nginx_site_name: certbot.home.foo.sh nginx_site_proxy: https://certbot.home.foo.sh/ @@ -74,9 +77,6 @@ - role: nginx_site nginx_site_name: iot.foo.sh nginx_site_redirect: https://www.foo.sh/ - - role: nginx_site - nginx_site_name: munin.foo.sh - nginx_site_proxy: https://munin01.home.foo.sh/ - role: nginx_site nginx_site_name: mirrors.foo.sh nginx_site_proxy: https://mirror01.home.foo.sh/ @@ -109,6 +109,3 @@ nginx_site_name: wpad.foo.sh - role: nginx_site nginx_site_name: www.foo.sh - - role: nginx_site - nginx_site_name: zm.foo.sh - nginx_site_proxy: https://zm02.home.foo.sh/ From 04ff09e3bf3aa59340930ce256291fbe2c54236c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 4 Feb 2024 17:08:23 +0000 Subject: [PATCH 131/596] pf: Fix changed ip address --- roles/pf/files/pf.conf.gw_home | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/files/pf.conf.gw_home index 9dd3095..42dbe63 100644 --- a/roles/pf/files/pf.conf.gw_home +++ b/roles/pf/files/pf.conf.gw_home 
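Review bot: The second hunk of playbooks/proxy.yml deletes the `munin.foo.sh` nginx_site entry, which is outside what the title "Remove zm web site and add cctv" describes; if the munin proxy is intentionally retired, say so in the message or split it into its own commit so the change is not lost in a zm/cctv rename. The `cctv.foo.sh` addition itself is consistent with the other `nginx_site_proxy` entries.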
@@ -43,7 +43,7 @@ antispoof for vio1 pass in quick on $int_if proto tcp from $int_net to self port ssh pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh -pass in quick on $ext_if proto tcp from 81.175.155.142/32 to self port ssh +pass in quick on $ext_if proto tcp from 89.166.9.218/32 to self port ssh # node_exporter from internal network pass in quick on $int_if proto tcp from $int_net to self port 9100 From 8242f1112501fb5487bd3553d261282ea3fffa66 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 4 Feb 2024 17:09:07 +0000 Subject: [PATCH 132/596] Sync site.yml --- site.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site.yml b/site.yml index ce2ad46..a231b55 100644 --- a/site.yml +++ b/site.yml @@ -7,6 +7,8 @@ ansible.builtin.import_playbook: playbooks/collab.yml - name: Configure dna-gw hosts ansible.builtin.import_playbook: playbooks/dna-gw.yml +- name: Configure frigate hosts + ansible.builtin.import_playbook: playbooks/frigate.yml - name: Configure fsol-gw hosts ansible.builtin.import_playbook: playbooks/fsol-gw.yml - name: Configure gitea-runner hosts @@ -57,5 +59,3 @@ ansible.builtin.import_playbook: playbooks/static.yml - name: Configure vmhost hosts ansible.builtin.import_playbook: playbooks/vmhost.yml -- name: Configure zm hosts - ansible.builtin.import_playbook: playbooks/zm.yml From e1604ce1933f60daec18e284d1e8c1ce63aa3b56 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 9 Feb 2024 12:12:01 +0000 Subject: [PATCH 133/596] frigate: Add USB Coral detector --- host_vars/frigate02.home.foo.sh.yml | 2 ++ roles/frigate/files/99-frigate.rules | 1 + roles/frigate/tasks/main.yml | 14 ++++++++++++++ .../frigate/templates/frigate-container.service.j2 | 1 + roles/frigate/templates/frigate.yml.j2 | 5 +++++ 5 files changed, 23 insertions(+) create mode 100644 roles/frigate/files/99-frigate.rules 
diff --git a/host_vars/frigate02.home.foo.sh.yml b/host_vars/frigate02.home.foo.sh.yml index cc597b3..0705564 100644 --- a/host_vars/frigate02.home.foo.sh.yml +++ b/host_vars/frigate02.home.foo.sh.yml @@ -11,3 +11,5 @@ network_interfaces: netmask: 255.255.255.0 proto: static nameservers: [172.20.26.1, 172.20.26.3] +virt_install_devices: + - 004.003 diff --git a/roles/frigate/files/99-frigate.rules b/roles/frigate/files/99-frigate.rules new file mode 100644 index 0000000..f22efc5 --- /dev/null +++ b/roles/frigate/files/99-frigate.rules @@ -0,0 +1 @@ +SUBSYSTEM=="tty", ATTRS{idVendor}=="1a6e", ATTRS{idProduct}=="089a", MODE="0660", GROUP="frigate" diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml index 5a13994..a5a4439 100644 --- a/roles/frigate/tasks/main.yml +++ b/roles/frigate/tasks/main.yml @@ -10,6 +10,20 @@ group: frigate shell: /sbin/nologin +- name: Allow podman to use devices + ansible.posix.seboolean: + name: container_use_devices + state: true + persistent: true + +- name: Allow frigate to connect specific devices + ansible.builtin.copy: + dest: /etc/udev/rules.d/99-frigate.rules + src: 99-frigate.rules + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + - name: Create config ansible.builtin.template: dest: /etc/frigate.yml diff --git a/roles/frigate/templates/frigate-container.service.j2 b/roles/frigate/templates/frigate-container.service.j2 index 186d955..edb295e 100644 --- a/roles/frigate/templates/frigate-container.service.j2 +++ b/roles/frigate/templates/frigate-container.service.j2 @@ -11,6 +11,7 @@ ExecStart=/usr/bin/podman run \ --volume /srv/frigate/config:/config:rw \ --volume /etc/frigate.yml:/config/config.yml:ro \ --volume /srv/frigate/media:/media/frigate:rw \ + --volume /dev/bus/usb:/dev/bus/usb:rw \ ghcr.io/blakeblackshear/frigate:{{ frigate_version }} ExecStop=/usr/bin/podman stop --ignore frigate ExecStopPost=/usr/bin/podman rm -f --ignore frigate 
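Review bot: `- 004.003` under `virt_install_devices` is an unquoted scalar that YAML 1.1 loaders such as the one Ansible uses read as the float `4.003`, so whatever consumes the list (not visible here) receives `4.003` rather than the `bus.device` string; it only works by accident while the device number has no trailing zero (`004.010` would arrive as `4.01`). Quote it: `- "004.003"`. The same applies to the `- 004.004` replacement in PATCH 135 in this series.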
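Review bot: `--volume /dev/bus/usb:/dev/bus/usb:rw` in frigate-container.service.j2 hands the container every USB device on the host, not just the Coral. A `--device` mapping would be narrower, but the Coral re-enumerates with a different vendor/product id after firmware load (PATCH 135's udev rule lists both 1a6e:089a and 18d1:9302), which is presumably why the whole bus is mounted; if so, a comment such as `# whole bus: Coral changes USB id after firmware load` above that line would save the next reader the same analysis.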
diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2 index aa283f6..d04353b 100644 --- a/roles/frigate/templates/frigate.yml.j2 +++ b/roles/frigate/templates/frigate.yml.j2 @@ -2,6 +2,11 @@ mqtt: enabled: false +detectors: + coral: + type: edgetpu + device: usb + cameras: {% for camera in cctv_cameras %} {{ camera.name }}: From 470010aa0ab88aba998d35568fa1032b07de68b3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 9 Feb 2024 16:37:38 +0000 Subject: [PATCH 134/596] udev: Add dummy role to support reloading rules --- roles/udev/handlers/main.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 roles/udev/handlers/main.yml diff --git a/roles/udev/handlers/main.yml b/roles/udev/handlers/main.yml new file mode 100644 index 0000000..46fb293 --- /dev/null +++ b/roles/udev/handlers/main.yml @@ -0,0 +1,14 @@ +--- +- name: Reload udev rules + ansible.builtin.command: + argv: + - udevadm + - control + - --reload-rules + notify: Trigger udev rules + +- name: Trigger udev rules + ansible.builtin.command: + argv: + - udevadm + - trigger From c91568cd7e782d1e6493eba8aee3f4bb51b494ce Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 9 Feb 2024 16:38:34 +0000 Subject: [PATCH 135/596] frigate: Fix using Coral devices for detection --- host_vars/frigate02.home.foo.sh.yml | 2 +- roles/frigate/files/99-frigate.rules | 3 ++- roles/frigate/meta/main.yml | 1 + roles/frigate/tasks/main.yml | 1 + 4 files changed, 5 insertions(+), 2 deletions(-) diff --git a/host_vars/frigate02.home.foo.sh.yml b/host_vars/frigate02.home.foo.sh.yml index 0705564..f8de6b1 100644 --- a/host_vars/frigate02.home.foo.sh.yml +++ b/host_vars/frigate02.home.foo.sh.yml @@ -12,4 +12,4 @@ network_interfaces: proto: static nameservers: [172.20.26.1, 172.20.26.3] virt_install_devices: - - 004.003 + - 004.004 diff --git a/roles/frigate/files/99-frigate.rules b/roles/frigate/files/99-frigate.rules index f22efc5..9d5516e 100644 
--- a/roles/frigate/files/99-frigate.rules +++ b/roles/frigate/files/99-frigate.rules @@ -1 +1,2 @@ -SUBSYSTEM=="tty", ATTRS{idVendor}=="1a6e", ATTRS{idProduct}=="089a", MODE="0660", GROUP="frigate" +SUBSYSTEM=="usb", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="9302", MODE="0660", GROUP="frigate" +SUBSYSTEM=="usb", ATTRS{idVendor}=="1a6e", ATTRS{idProduct}=="089a", MODE="0660", GROUP="frigate" diff --git a/roles/frigate/meta/main.yml b/roles/frigate/meta/main.yml index 19b52d0..9699a03 100644 --- a/roles/frigate/meta/main.yml +++ b/roles/frigate/meta/main.yml @@ -2,3 +2,4 @@ dependencies: - {role: apache} - {role: podman} + - {role: udev} diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml index a5a4439..acc781e 100644 --- a/roles/frigate/tasks/main.yml +++ b/roles/frigate/tasks/main.yml @@ -23,6 +23,7 @@ mode: "0644" owner: root group: "{{ ansible_wheel }}" + notify: Reload udev rules - name: Create config ansible.builtin.template: From 2eb65f713f4c6378b5c205fb7e94f707132590eb Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 10 Feb 2024 17:34:31 +0000 Subject: [PATCH 136/596] routeros_firmware: Initial version of role --- playbooks/nms.yml | 1 + .../files/download-routeros-firmware.sh | 40 +++++++++++++++++++ roles/routeros_firmware/tasks/main.yml | 39 ++++++++++++++++++ 3 files changed, 80 insertions(+) create mode 100644 roles/routeros_firmware/files/download-routeros-firmware.sh create mode 100644 roles/routeros_firmware/tasks/main.yml diff --git a/playbooks/nms.yml b/playbooks/nms.yml index e20f3e3..7979440 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -31,6 +31,7 @@ - sssd - mkhomedir - tftp + - routeros_firmware tasks: - name: Enable UDP rsyslog server diff --git a/roles/routeros_firmware/files/download-routeros-firmware.sh b/roles/routeros_firmware/files/download-routeros-firmware.sh new file mode 100644 index 0000000..4347526 --- /dev/null +++ b/roles/routeros_firmware/files/download-routeros-firmware.sh 
@@ -0,0 +1,40 @@ +#!/bin/sh + +set -eu + +umask 022 + +cd /srv/web/oob.foo.sh/routeros + +verbose=false +if [ "${1:-}" = "-v" ]; then + verbose=true + shift +fi + +if [ $# -gt 0 ]; then + echo "Usage: $(basename "$0") [-v]" 1>&2 + exit 1 +fi + +packageurl="$(curl -sSf "https://mikrotik.com/download" | \ + sed -n 's/.*.*/\1/p')" +packagename="$(basename "$packageurl")" +if [ -f "$packagename" ]; then + "$verbose" && echo "Already up to date" + exit 0 +fi + +checksum="$(curl -sSf "https://mikrotik.com/download" | \ + sed -n 's/.*routeros-[0-9\.]*-arm\.npk<\/td>.*SHA256<\/td>\(.*\)<\/td>.*/\1/p')" + +echo "Downloading new package '${packagename}'" +trap 'rm -f -- "${packagename}.tmp"' EXIT +curl -sSf -o "${packagename}.tmp" "$packageurl" + +if [ "$(sha256sum "${packagename}.tmp" | cut -d " " -f 1)" != "$checksum" ]; then + echo "ERR: Checksum check failed, not saving package" 1>&2 + exit 1 +fi + +mv "${packagename}.tmp" "$packagename" diff --git a/roles/routeros_firmware/tasks/main.yml b/roles/routeros_firmware/tasks/main.yml new file mode 100644 index 0000000..a9fbc97 --- /dev/null +++ b/roles/routeros_firmware/tasks/main.yml 
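Review bot: The download page is fetched twice, once for `packageurl` and once for `checksum`; if the page changes between the two requests the checksum belongs to a different build and the run fails (safely, but as a cron error). Fetch it once with `page="$(curl -sSf "https://mikrotik.com/download")"` and pipe `printf '%s\n' "$page"` into both `sed` expressions. The checksum also comes from the same origin as the binary, so the comparison detects a truncated or corrupted transfer, not a compromised publisher; a comment stating that limitation above the `sha256sum` check sets the right expectation. The `sed` patterns are garbled in this rendering (markup stripped), so I could not review them.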
@@ -0,0 +1,39 @@ +--- +- name: Create download directory + ansible.builtin.file: + path: /srv/web/oob.foo.sh/routeros + state: directory + mode: 0755 + owner: root + group: "{{ ansible_wheel }}" + +- name: Install README.md + ansible.builtin.copy: + dest: /srv/web/oob.foo.sh/routeros/README.md + content: | + ## Update + + ``` + /system package update print + /tool fetch url=https://oob.foo.sh/routeros/routeros-7.13.4-arm.npk + /system reboot + /system package update print + ``` + mode: 0644 + owner: root + group: "{{ ansible_wheel }}" + +- name: Install download script + ansible.builtin.copy: + dest: /usr/local/bin/download-routeros-firmware + src: download-routeros-firmware.sh + mode: 0755 + owner: root + group: "{{ ansible_wheel }}" + +- name: Install cron job + ansible.builtin.cron: + name: download-routeros-firmware + job: /usr/local/bin/download-routeros-firmware + hour: "05" + minute: "25" From 11c8da0558158693a347b134bc5435cdda08cd7a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 10 Feb 2024 18:59:48 +0000 Subject: [PATCH 137/596] node_exporter: More restrictive tls configuration --- roles/node_exporter/templates/web-config.yml.j2 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/node_exporter/templates/web-config.yml.j2 b/roles/node_exporter/templates/web-config.yml.j2 index 01c911f..edc7ca3 100644 --- a/roles/node_exporter/templates/web-config.yml.j2 +++ b/roles/node_exporter/templates/web-config.yml.j2 @@ -4,3 +4,9 @@ tls_server_config: cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt client_ca_file: {{ tls_certs }}/ca.crt client_auth_type: RequireAndVerifyClientCert + client_allowed_sans: + - prometheus01.home.foo.sh + - prometheus02.home.foo.sh + - prometheus03.home.foo.sh + - prometheus04.home.foo.sh + min_version: TLS13 From 47ee78221f650db0a3fcdea6a1c96b9898f1d00f Mon Sep 17 00:00:00 2001 
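Review bot: The cron task has no `user:`, so the download script runs as root even though it only needs to write to /srv/web/oob.foo.sh/routeros; giving that directory a dedicated unprivileged owner and adding `user:` to `ansible.builtin.cron` limits what a bug in the page-scraping `sed` can do with fetched content. Two smaller points: `mode: 0755` and `mode: 0644` are unquoted here while the rest of the repository writes `"0644"`, and the README hard-codes `routeros-7.13.4-arm.npk`, which is stale after the first successful cron run — point readers at the directory listing instead of a fixed filename.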
From: Timo Makinen Date: Sat, 10 Feb 2024 19:21:05 +0000 Subject: [PATCH 138/596] node_exporter: Remove allowed sans option Some of our node_exporter versions are too old and don't support allowed sans option. --- roles/node_exporter/templates/web-config.yml.j2 | 5 ----- 1 file changed, 5 deletions(-) diff --git a/roles/node_exporter/templates/web-config.yml.j2 b/roles/node_exporter/templates/web-config.yml.j2 index edc7ca3..07cdaf3 100644 --- a/roles/node_exporter/templates/web-config.yml.j2 +++ b/roles/node_exporter/templates/web-config.yml.j2 @@ -4,9 +4,4 @@ tls_server_config: cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt client_ca_file: {{ tls_certs }}/ca.crt client_auth_type: RequireAndVerifyClientCert - client_allowed_sans: - - prometheus01.home.foo.sh - - prometheus02.home.foo.sh - - prometheus03.home.foo.sh - - prometheus04.home.foo.sh min_version: TLS13 From 8a7159c0c4d33227b63f66fae421bd972d91ce26 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 10 Feb 2024 21:55:24 +0000 Subject: [PATCH 139/596] snmp_exporter: Initial version of role --- roles/snmp_exporter/defaults/main.yml | 2 + .../snmp_exporter/files/snmp_exporter.service | 14 +++ roles/snmp_exporter/handlers/main.yml | 6 ++ roles/snmp_exporter/tasks/main.yml | 100 ++++++++++++++++++ .../snmp_exporter/templates/web-config.yml.j2 | 12 +++ 5 files changed, 134 insertions(+) create mode 100644 roles/snmp_exporter/defaults/main.yml create mode 100644 roles/snmp_exporter/files/snmp_exporter.service create mode 100644 roles/snmp_exporter/handlers/main.yml create mode 100644 roles/snmp_exporter/tasks/main.yml create mode 100644 roles/snmp_exporter/templates/web-config.yml.j2 diff --git a/roles/snmp_exporter/defaults/main.yml b/roles/snmp_exporter/defaults/main.yml new file mode 100644 index 0000000..de468b0 --- /dev/null +++ b/roles/snmp_exporter/defaults/main.yml @@ -0,0 +1,2 @@ +--- +snmp_exporter_pkg: "snmp_exporter-{{ snmp_exporter_version }}.linux-amd64" 
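Review bot: Dropping `client_allowed_sans` from the template for every host widens scrape access from the four named prometheus hosts to any holder of a client certificate issued by ca.crt, including unrelated service certificates. Since web-config.yml.j2 is a Jinja template, the block can be kept behind a version check for hosts whose node_exporter is new enough, e.g. `{% if <NODE_EXPORTER_VERSION_VAR> is version('1.5.0', '>=') %}` (variable name and threshold to confirm), instead of removing it everywhere. If that is not practical now, a `# TODO: restore client_allowed_sans once all node_exporters are upgraded` comment in the template keeps the regression visible.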
diff --git a/roles/snmp_exporter/files/snmp_exporter.service b/roles/snmp_exporter/files/snmp_exporter.service new file mode 100644 index 0000000..f96318e --- /dev/null +++ b/roles/snmp_exporter/files/snmp_exporter.service @@ -0,0 +1,14 @@ +[Unit] +Description=Prometheus SNMP Exporter +After=syslog.target +After=network.target + +[Service] +Type=simple +User=snmp +Group=snmp +ExecStart=/usr/local/bin/snmp_exporter --config.file=/etc/snmp_exporter/snmp.yml --web.config.file=/etc/snmp_exporter/web-config.yml +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/roles/snmp_exporter/handlers/main.yml b/roles/snmp_exporter/handlers/main.yml new file mode 100644 index 0000000..13fdec5 --- /dev/null +++ b/roles/snmp_exporter/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart snmp_exporter + ansible.builtin.systemd: + name: snmp_exporter + daemon_reload: true + state: restarted diff --git a/roles/snmp_exporter/tasks/main.yml b/roles/snmp_exporter/tasks/main.yml new file mode 100644 index 0000000..e3a6e9f --- /dev/null +++ b/roles/snmp_exporter/tasks/main.yml 
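Review bot: snmp_exporter.service runs a network-listening binary with no systemd sandboxing; the unit already drops to `User=snmp`, so the standard hardening directives can be added without breaking anything, since the exporter only reads /etc/snmp_exporter and the TLS files. `After=syslog.target` is also obsolete in current systemd and can be removed; `network.target` alone is enough. The rewritten `[Service]` section is below.

```ini
[Service]
Type=simple
User=snmp
Group=snmp
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
# … unchanged: ExecStart, Restart …
```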
@@ -0,0 +1,100 @@ +--- +- name: Create group + ansible.builtin.group: + name: snmp + +- name: Create user + ansible.builtin.user: + name: snmp + comment: Prometheus SNMP Exporter + group: snmp + create_home: false + home: /var/empty + shell: /sbin/nologin + +- name: Download package + ansible.builtin.get_url: + url: "https://github.com/prometheus/snmp_exporter/releases/download/v{{ snmp_exporter_version }}/{{ snmp_exporter_pkg }}.tar.gz" + dest: "/usr/local/src/{{ snmp_exporter_pkg }}.tar.gz" + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + +- name: Extract package + ansible.builtin.unarchive: + src: "/usr/local/src/{{ snmp_exporter_pkg }}.tar.gz" + dest: /usr/local/src + owner: root + group: "{{ ansible_wheel }}" + creates: "/usr/local/src/{{ snmp_exporter_pkg }}" + remote_src: true + +- name: Copy binary + ansible.builtin.copy: + dest: /usr/local/bin/snmp_exporter + src: "/usr/local/src/{{ snmp_exporter_pkg }}/snmp_exporter" + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + remote_src: true + notify: Restart snmp_exporter + +- name: Create config directory + ansible.builtin.file: + path: /etc/snmp_exporter + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Copy TLS private key + ansible.builtin.copy: + src: "/srv/ca/private/nms.home.foo.sh.key" + dest: "{{ tls_private }}/nms.home.foo.sh.key" + mode: "0640" + owner: root + group: snmp + notify: Restart snmp_exporter + +- name: Copy TLS certificate + ansible.builtin.copy: + src: "/srv/ca/certs/hosts/nms.home.foo.sh.crt" + dest: "{{ tls_certs }}/nms.home.foo.sh.crt" + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart snmp_exporter + +- name: Create web-config + ansible.builtin.template: + dest: /etc/snmp_exporter/web-config.yml + src: web-config.yml.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart snmp_exporter + +- name: Copy config + ansible.builtin.copy: + src: "/usr/local/src/{{ 
snmp_exporter_pkg }}/snmp.yml" + dest: /etc/snmp_exporter/snmp.yml + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + remote_src: true + notify: Restart snmp_exporter + +- name: Create service file + ansible.builtin.copy: + dest: /etc/systemd/system/snmp_exporter.service + src: snmp_exporter.service + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart snmp_exporter + +- name: Enable service + ansible.builtin.service: + name: snmp_exporter + state: started + enabled: true diff --git a/roles/snmp_exporter/templates/web-config.yml.j2 b/roles/snmp_exporter/templates/web-config.yml.j2 new file mode 100644 index 0000000..b88b84e --- /dev/null +++ b/roles/snmp_exporter/templates/web-config.yml.j2 @@ -0,0 +1,12 @@ +--- +tls_server_config: + key_file: {{ tls_private }}/nms.home.foo.sh.key + cert_file: {{ tls_certs }}/nms.home.foo.sh.crt + client_ca_file: {{ tls_certs }}/ca.crt + client_auth_type: RequireAndVerifyClientCert + client_allowed_sans: + - prometheus01.home.foo.sh + - prometheus02.home.foo.sh + - prometheus03.home.foo.sh + - prometheus04.home.foo.sh + min_version: TLS13 From c826d36d0d87b4dfab24dcbe56eb2bf2a3a4e5da Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 10 Feb 2024 21:57:36 +0000 Subject: [PATCH 140/596] Add snmp_exporter to nms hosts --- group_vars/nms.yml | 6 ++++++ playbooks/nms.yml | 1 + 2 files changed, 7 insertions(+) diff --git a/group_vars/nms.yml b/group_vars/nms.yml index 3ebd807..42b35f2 100644 --- a/group_vars/nms.yml +++ b/group_vars/nms.yml @@ -3,6 +3,11 @@ datadisks: - {size: 10, type: nvme} network_vip_interfaces: + - device: eth0 + vhid: 11 + ipaddr: 172.20.20.11 + netmask: 255.255.240.0 + pass: "{{ vip11_pass }}" - device: eth1 vhid: 25 ipaddr: 172.20.25.1 
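Review bot: The "Download package" `ansible.builtin.get_url` task fetches the release tarball with no `checksum:` argument, so a tampered or truncated archive is extracted and its `snmp_exporter` binary copied to /usr/local/bin and started as a service with no integrity check at all. Prometheus releases publish a sha256sums.txt next to the assets, so add `checksum: "sha256:<PLACEHOLDER_SHA256>"` alongside `snmp_exporter_version` in the inventory, or point the option at the sums file URL for the same `v{{ snmp_exporter_version }}` release. The rest of the hunk (key mode `"0640"` with `group: snmp`, certificate world-readable) is consistent with the node_exporter role.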
@@ -20,6 +25,7 @@ firewall_in: - {proto: tcp, port: 443, from: [172.20.25.0/24]} - {proto: udp, port: 514, from: [172.20.25.0/24]} - {proto: tcp, port: 9100, from: [172.20.20.0/22]} + - {proto: tcp, port: 9116, from: [172.20.20.0/22]} firewall_raw: - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - "-A INPUT -i eth1 -p vrrp -j ACCEPT" diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 7979440..9aa9d4b 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -32,6 +32,7 @@ - mkhomedir - tftp - routeros_firmware + - snmp_exporter tasks: - name: Enable UDP rsyslog server From d88de75b883c588833b9c2d84b09be7ec0d58d9a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 10 Feb 2024 21:57:55 +0000 Subject: [PATCH 141/596] Set snmp_exporter version --- hosts.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts.yml b/hosts.yml index 2317395..8fb7bd0 100644 --- a/hosts.yml +++ b/hosts.yml @@ -75,6 +75,8 @@ nms: hosts: nms01.home.foo.sh: nms02.home.foo.sh: + vars: + snmp_exporter_version: "0.25.0" ns: hosts: ns01.home.foo.sh: From 4e5fb25a7a3b450eb4c41a28e44de07a593efde3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 11 Feb 2024 16:28:55 +0000 Subject: [PATCH 142/596] Exclude unused architectures from epel mirror --- playbooks/mirror.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/playbooks/mirror.yml b/playbooks/mirror.yml index 7559dd7..ea6ed1f 100644 --- a/playbooks/mirror.yml +++ b/playbooks/mirror.yml @@ -37,8 +37,11 @@ mirror_source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/fedora.redhat.com/pub/epel" mirror_rsyncoptions: - - "--exclude=SRPMS" - "--exclude=debug" + - "--exclude=testing" + - "--exclude=ppc64le" + - "--exclude=s390x" + - "--exclude=source" - "--delete-excluded" mirror_postcmd: python3 /usr/local/bin/report_mirror - role: mirror/sync From cdc505274d8c66a9c4f6a03aff0e52b1e4ebca0d Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Tue, 13 Feb 2024 16:38:28 +0000 Subject: [PATCH 143/596] zoneminder: Remove deprecated role --- roles/zoneminder/defaults/main.yml | 4 - roles/zoneminder/handlers/main.yml | 5 -- roles/zoneminder/meta/main.yml | 4 - roles/zoneminder/tasks/main.yml | 129 ----------------------------- roles/zoneminder/templates/zm.conf | 13 --- 5 files changed, 155 deletions(-) delete mode 100644 roles/zoneminder/defaults/main.yml delete mode 100644 roles/zoneminder/handlers/main.yml delete mode 100644 roles/zoneminder/meta/main.yml delete mode 100644 roles/zoneminder/tasks/main.yml delete mode 100644 roles/zoneminder/templates/zm.conf diff --git a/roles/zoneminder/defaults/main.yml b/roles/zoneminder/defaults/main.yml deleted file mode 100644 index a4bf72a..0000000 --- a/roles/zoneminder/defaults/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -zm_mysql_host: localhost -zm_mysql_db: zm -zm_mysql_user: zmuser diff --git a/roles/zoneminder/handlers/main.yml b/roles/zoneminder/handlers/main.yml deleted file mode 100644 index d34c003..0000000 --- a/roles/zoneminder/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Restart zoneminder - ansible.builtin.service: - name: zoneminder - state: restarted diff --git a/roles/zoneminder/meta/main.yml b/roles/zoneminder/meta/main.yml deleted file mode 100644 index 39b2859..0000000 --- a/roles/zoneminder/meta/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -dependencies: - - {role: apache} - - {role: rpmfusion_free_repo} diff --git a/roles/zoneminder/tasks/main.yml b/roles/zoneminder/tasks/main.yml deleted file mode 100644 index c8de160..0000000 --- a/roles/zoneminder/tasks/main.yml +++ /dev/null 
@@ -1,129 +0,0 @@ ---- -- name: Fix SELinux contexts from cache directory - community.general.sefcontext: - path: "/var/cache/zoneminder(/.*)?" - setype: httpd_cache_t - -- name: Install packages - ansible.builtin.package: - name: "{{ item }}" - state: installed - with_items: - - mariadb - - zoneminder-httpd - -- name: Fix SELinux contexts from data directory - community.general.sefcontext: - path: "/export/zoneminder(/.*)?" - setype: zoneminder_var_lib_t - -- name: Create data directory - ansible.builtin.file: - path: /export/zoneminder - state: directory - mode: "0750" - owner: apache - group: apache - setype: _default - -- name: Link data directory - ansible.builtin.file: - dest: /srv/zoneminder - src: /export/zoneminder - state: link - owner: root - group: "{{ ansible_wheel }}" - follow: false - -- name: Create config - ansible.builtin.template: - dest: /etc/zm/conf.d/local.conf - src: zm.conf - mode: "0640" - owner: root - group: apache - notify: Restart zoneminder - -- name: Remove mariadb depency from unit file - ansible.builtin.shell: - cmd: >- - sed -e 's/mariadb\.service//' /lib/systemd/system/zoneminder.service - > /etc/systemd/system/zoneminder.service - creates: /etc/systemd/system/zoneminder.service - warn: false - notify: Restart zoneminder - when: zm_mysql_host != "localhost" - -- name: Allow zoneminder to read host private key - ansible.builtin.user: - name: apache - groups: hostkey - append: true - notify: Restart zoneminder - when: zm_mysql_host != "localhost" - -- name: Loosen SELinux settings - ansible.posix.seboolean: - name: "{{ item }}" - state: true - persistent: true - with_items: - - domain_can_mmap_files - - nis_enabled - -# selinux doesn't allow create this -- name: Create stub web log - ansible.builtin.file: - dest: /var/log/zoneminder/web_php.log - state: touch - mode: "0640" - owner: apache - group: apache - access_time: preserve - modification_time: preserve - -- name: Link apache config - ansible.builtin.file: - dest: 
/etc/httpd/conf.local.d/zm.conf - src: /etc/zm/www/zoneminder.httpd.conf - state: link - owner: root - group: "{{ ansible_wheel }}" - notify: Restart apache - -- name: Link apache php config - ansible.builtin.file: - dest: /etc/httpd/conf.local.d/php.conf - src: /etc/httpd/conf.d/php.conf - state: link - owner: root - group: "{{ ansible_wheel }}" - notify: Restart apache - -- name: Configure zoneminder timezone - ansible.builtin.copy: - dest: /etc/php.d/timezone.ini - content: "date.timezone=UTC\n" - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - notify: Restart apache - -# required for database updates to work -- name: Configure mysql client to use ssl - ansible.builtin.copy: - dest: /root/.my.cnf - content: | - [client] - ssl-ca={{ tls_certs }}/ca.crt - ssl-cert={{ tls_certs }}/{{ inventory_hostname }}.crt - ssl-key={{ tls_private }}/{{ inventory_hostname }}.key - mode: "0600" - owner: root - group: "{{ ansible_wheel }}" - -- name: Enable service - ansible.builtin.service: - name: zoneminder - state: started - enabled: true diff --git a/roles/zoneminder/templates/zm.conf b/roles/zoneminder/templates/zm.conf deleted file mode 100644 index 9e29854..0000000 --- a/roles/zoneminder/templates/zm.conf +++ /dev/null @@ -1,13 +0,0 @@ -# {{ ansible_managed }} - -ZM_DIR_EVENTS=/srv/zoneminder - -ZM_DB_HOST={{ zm_mysql_host }} -ZM_DB_NAME={{ zm_mysql_db}} -ZM_DB_USER={{ zm_mysql_user }} -ZM_DB_PASS={{ zm_mysql_pass }} -{% if zm_mysql_host != "localhost" %} -ZM_DB_SSL_CA_CERT={{ tls_certs }}/ca.crt -ZM_DB_SSL_CLIENT_KEY={{ tls_private }}/{{ inventory_hostname }}.key -ZM_DB_SSL_CLIENT_CERT={{ tls_certs }}/{{ inventory_hostname }}.crt -{% endif %} From 31d00d0b9d94d5ad999293759573d5f07ff6dcf9 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Tue, 13 Feb 2024 20:01:25 +0000 Subject: [PATCH 144/596] kvm_host: Move os disks to dedicated disk --- playbooks/include/deploy-kvm-guest.yml | 2 +- playbooks/vmhost.yml | 10 ++++++++++ roles/kvm_host/tasks/main.yml | 2 ++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/playbooks/include/deploy-kvm-guest.yml b/playbooks/include/deploy-kvm-guest.yml index 4bdb5d1..3b72157 100644 --- a/playbooks/include/deploy-kvm-guest.yml +++ b/playbooks/include/deploy-kvm-guest.yml @@ -9,7 +9,7 @@ char: "{{ 'bcdefghijklmnopqrstuvwxyz'|list }}" console_log: "/var/log/libvirt/qemu/{{ inventory_hostname }}.console.log" - os_disk_image: "/srv/libvirt/ssd/{{ inventory_hostname }}.a.img" + os_disk_image: "/srv/libvirt/os/{{ inventory_hostname }}.a.img" dsk_opts: bus=virtio,cache=none,device=disk,format=raw,sparse=no inject: >- diff --git a/playbooks/vmhost.yml b/playbooks/vmhost.yml index 66a3139..f01b865 100644 --- a/playbooks/vmhost.yml +++ b/playbooks/vmhost.yml @@ -26,6 +26,15 @@ passno: "0" dump: "0" state: mounted + - name: Mount /export/libvirt/os + ansible.posix.mount: + name: /export/libvirt/os + src: LABEL=os + fstype: xfs + opts: noatime,noexec,nosuid,nodev + passno: "0" + dump: "0" + state: mounted - name: Mount /export/libvirt/ssd ansible.posix.mount: name: /export/libvirt/ssd @@ -35,6 +44,7 @@ passno: "0" dump: "0" state: mounted + when: inventory_hostname == "vmhost01.home.foo.sh" roles: - base diff --git a/roles/kvm_host/tasks/main.yml b/roles/kvm_host/tasks/main.yml index 1b1748a..6ed94d4 100644 --- a/roles/kvm_host/tasks/main.yml +++ b/roles/kvm_host/tasks/main.yml @@ -35,7 +35,9 @@ with_items: - /export/libvirt - /export/libvirt/hdd + - /export/libvirt/nvme - /export/libvirt/ssd + - /export/libvirt/os - name: Link data directory ansible.builtin.file: From bf10bc5c6c64b90399c3a6fad5beef38b141adb7 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Tue, 13 Feb 2024 20:02:01 +0000 Subject: [PATCH 145/596] shelly_firmware: Initial version of role --- playbooks/mqtt.yml | 1 + .../files/download-shelly-firmware.sh | 26 +++++++++++++++++ roles/shelly_firmware/tasks/main.yml | 28 +++++++++++++++++++ 3 files changed, 55 insertions(+) create mode 100644 roles/shelly_firmware/files/download-shelly-firmware.sh create mode 100644 roles/shelly_firmware/tasks/main.yml diff --git a/playbooks/mqtt.yml b/playbooks/mqtt.yml index 6c92d03..5b29de0 100644 --- a/playbooks/mqtt.yml +++ b/playbooks/mqtt.yml @@ -16,3 +16,4 @@ - nginx - role: nginx_site nginx_site_name: iot.foo.sh + - shelly_firmware diff --git a/roles/shelly_firmware/files/download-shelly-firmware.sh b/roles/shelly_firmware/files/download-shelly-firmware.sh new file mode 100644 index 0000000..608b156 --- /dev/null +++ b/roles/shelly_firmware/files/download-shelly-firmware.sh @@ -0,0 +1,26 @@ +#!/bin/sh + +set -eu + +umask 022 + +cd /srv/web/iot.foo.sh/shelly + +PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" + +URL="http://archive.shelly-tools.de/" + +for _prod in $(curl -sSf "${URL}/archive.php" | jq -r '.[].type') ; do + _ver="$(curl -sSf "${URL}/archive.php?type=${_prod}" | jq -r \ + 'max_by(.version[1:] | split(".") | map(try tonumber catch 0)) .version')" + _name="$(curl -sSf "${URL}/archive.php?type=${_prod}" | jq -r \ + 'limit(1; .[].file)')" + if [ ! -f "${_prod}.${_ver}.zip" ]; then + echo "New firmware for ${_prod} (version ${_ver})" + curl -sSf -o "${_prod}.${_ver}.zip" "${URL}/version/${_ver}/${_name}" + if [ -h "$_name" ]; then + rm -f "$_name" + fi + ln -s "${_prod}.${_ver}.zip" "$_name" + fi +done diff --git a/roles/shelly_firmware/tasks/main.yml b/roles/shelly_firmware/tasks/main.yml new file mode 100644 index 0000000..2d1dd3a --- /dev/null +++ b/roles/shelly_firmware/tasks/main.yml 
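Review bot: `_prod`, `_ver` and `_name` are taken straight from the remote JSON and then used unchecked as file names in `curl -o "${_prod}.${_ver}.zip"`, `rm -f "$_name"` and `ln -s ... "$_name"`, so a value containing `/`, `..` or a leading `-` lets the archive server — or anyone on the path, since `URL` is plain `http://` — write, delete or option-inject outside `/srv/web/iot.foo.sh/shelly`, and the script is installed to run from root's cron. Validate each value against a conservative character set before use, and fetch over HTTPS if the archive offers it, since these are firmware images that devices will subsequently pull. No checksum or signature for the archive is visible here, so the character check is the minimum; logging the rejected case keeps a tampered feed noticeable.
```shell
for _prod in $(curl -sSf "${URL}/archive.php" | jq -r '.[].type') ; do
    # … unchanged: _ver and _name lookup …
    # Values come from the remote JSON; refuse anything that is not a plain
    # file-name token before it reaches curl -o, rm or ln.
    case "${_prod}${_ver}${_name}" in
        *[!A-Za-z0-9._-]*) echo "skipping ${_prod}: unexpected characters" >&2; continue ;;
    esac
    case "${_prod}" in ""|.*|-*) continue ;; esac
    case "${_name}" in ""|.*|-*) continue ;; esac
    # … unchanged: download and symlink …
done
```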
@@ -0,0 +1,28 @@ +--- +- name: Install dependencies + ansible.builtin.package: + name: jq + state: installed + +- name: Create download directory + ansible.builtin.file: + path: /srv/web/iot.foo.sh/shelly + state: directory + mode: 0755 + owner: root + group: "{{ ansible_wheel }}" + +- name: Install download script + ansible.builtin.copy: + dest: /usr/local/bin/download-shelly-firmware + src: download-shelly-firmware.sh + mode: 0755 + owner: root + group: "{{ ansible_wheel }}" + +- name: Install cron job + ansible.builtin.cron: + name: download-shelly-firmware + job: /usr/local/bin/download-shelly-firmware + hour: "05" + minute: 20 From 09b2156d782c451f784fbd7e8238447169c8b868 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 13 Feb 2024 20:02:30 +0000 Subject: [PATCH 146/596] Fix Coral USB port --- host_vars/frigate02.home.foo.sh.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/host_vars/frigate02.home.foo.sh.yml b/host_vars/frigate02.home.foo.sh.yml index f8de6b1..1f47a47 100644 --- a/host_vars/frigate02.home.foo.sh.yml +++ b/host_vars/frigate02.home.foo.sh.yml @@ -12,4 +12,4 @@ network_interfaces: proto: static nameservers: [172.20.26.1, 172.20.26.3] virt_install_devices: - - 004.004 + - 004.002 From 8136e107580bc7d124d6bbf9dd1021d3eb737ce3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 13 Feb 2024 20:02:59 +0000 Subject: [PATCH 147/596] prometheus: Add snmp exporter Mostly hardcoded for now --- roles/prometheus/templates/prometheus.yml.j2 | 21 ++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2 index 546d999..e4a4956 100644 --- a/roles/prometheus/templates/prometheus.yml.j2 +++ b/roles/prometheus/templates/prometheus.yml.j2 
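Review bot: `mode: 0755` is left unquoted in both the download-directory and the script tasks, whereas the rest of this series quotes modes (`mode: "0755"` in the node_exporter and mysqld_exporter roles); a YAML 1.1 parser reads the bare value as octal 493, which Ansible happens to map back to 0755, but ansible-lint's risky-octal rule rejects it and the file is inconsistent with its neighbours, so write `mode: "0755"` in both tasks. The cron entry has no `user:`, so the download script runs as root only in order to write into a web root; a dedicated unprivileged user that owns `/srv/web/iot.foo.sh/shelly` and is named in `user:` would confine a bad download to that directory. Whether that user already exists on the mqtt hosts is not visible in this chunk.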
@@ -10,6 +10,27 @@ scrape_configs: - targets: - "127.0.0.1:9090" + - job_name: snmp + scheme: https + tls_config: + ca_file: "{{ tls_certs }}/ca.crt" + key_file: "{{ tls_private }}/{{ inventory_hostname }}.key" + cert_file: "{{ tls_certs }}/{{ inventory_hostname }}.crt" + static_configs: + - targets: + - 172.20.25.102 + metrics_path: /snmp + params: + auth: [public_v2] + module: [if_mib] + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - target_label: __address__ + replacement: nms.home.foo.sh:9116 + - job_name: node scheme: https tls_config: From 1ff48427751f7091709598e046a325ecfb66b145 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 13 Feb 2024 20:03:35 +0000 Subject: [PATCH 148/596] friage: Store recordings for 7 days --- roles/frigate/templates/frigate.yml.j2 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2 index d04353b..715272d 100644 --- a/roles/frigate/templates/frigate.yml.j2 +++ b/roles/frigate/templates/frigate.yml.j2 @@ -7,6 +7,12 @@ detectors: type: edgetpu device: usb +record: + enabled: true + retain: + days: 7 + mode: motion + cameras: {% for camera in cctv_cameras %} {{ camera.name }}: From f141ca0af95cde960272a2f38da6219e33d076ce Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 13 Feb 2024 20:03:54 +0000 Subject: [PATCH 149/596] Disable syncing logs for now --- playbooks/log.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/log.yml b/playbooks/log.yml index 13bfd5d..5ea13da 100644 --- a/playbooks/log.yml +++ b/playbooks/log.yml @@ -25,7 +25,7 @@ roles: - base - - web_logs + #- web_logs tasks: - name: Install extra packages From 7f7532ccde010c646b61f8eed4d037ea0f04e236 Mon Sep 17 00:00:00 2001 
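Review bot: `auth: [public_v2]` selects the exporter's auth module by name, and if that is the stock snmp_exporter module it means SNMPv2c with the community string `public`, which is the factory default on most devices and travels in cleartext between nms and 172.20.25.102 — the mTLS on this job only protects the Prometheus→exporter leg, not exporter→device. Prefer an SNMPv3 auth module with authPriv where the device supports it, or at least a non-default community defined in the exporter's snmp.yml, and keep the module name here in step with it. The static target and the nms address are hardcoded, as the commit message acknowledges; a `{% for %}` over the relevant inventory group would keep this job consistent with the `node` job that follows it. The exporter's snmp.yml is not in this chunk, so the module's contents are inferred from its name.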
From: Timo Makinen Date: Tue, 13 Feb 2024 21:20:31 +0000 Subject: [PATCH 150/596] homeassistant: Reload udev rules after change --- roles/homeassistant/meta/main.yml | 1 + roles/homeassistant/tasks/main.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/homeassistant/meta/main.yml b/roles/homeassistant/meta/main.yml index 305b1b2..34c289c 100644 --- a/roles/homeassistant/meta/main.yml +++ b/roles/homeassistant/meta/main.yml @@ -2,3 +2,4 @@ dependencies: - {role: nginx} - {role: podman} + - {role: udev} diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index 46fb256..4d6e1bb 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml @@ -68,6 +68,7 @@ mode: "0644" owner: root group: "{{ ansible_wheel }}" + notify: Reload udev rules - name: Create config directory ansible.builtin.file: From 1e55576ba341ccf2fe9f165bc09108070b9e55a3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 14 Feb 2024 17:40:43 +0000 Subject: [PATCH 151/596] Fix typo --- playbooks/print.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/print.yml b/playbooks/print.yml index 8bfea58..3a22ad2 100644 --- a/playbooks/print.yml +++ b/playbooks/print.yml @@ -33,7 +33,7 @@ owner: root group: "{{ ansible_wheel }}" tags: dns - notify: restart unbound + notify: Restart unbound with_items: - 24.20.172.in-addr.arpa - print.foo.sh From 58a90d692be3bfaa42652f4416693d63494688c6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 14 Feb 2024 18:47:19 +0000 Subject: [PATCH 152/596] grafana: Force ipv4 connection from proxy --- roles/grafana/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml index 8180bc4..4b59f21 100644 --- a/roles/grafana/tasks/main.yml +++ b/roles/grafana/tasks/main.yml 
@@ -66,7 +66,7 @@ content: | location /grafana/ { proxy_set_header Host noc.foo.sh; - proxy_pass http://localhost:8002/; + proxy_pass http://127.0.0.1:8002/; } mode: "0644" owner: root From bf8c5532cb24ef9d29fc11c4d9c800f3d07fe1b4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 14 Feb 2024 18:47:44 +0000 Subject: [PATCH 153/596] Fix usb device ports for homeassistant host --- host_vars/homeassistant01.home.foo.sh.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/host_vars/homeassistant01.home.foo.sh.yml b/host_vars/homeassistant01.home.foo.sh.yml index 66a2c30..f5803cf 100644 --- a/host_vars/homeassistant01.home.foo.sh.yml +++ b/host_vars/homeassistant01.home.foo.sh.yml @@ -7,6 +7,6 @@ network_interfaces: - device: eth1 vlan: 30 virt_install_devices: - - 001.004 + - 001.002 - 001.005 - 001.006 From caf6b54774b5fd554b54b1339aaf4cf18fae8ac7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 14 Feb 2024 21:03:35 +0000 Subject: [PATCH 154/596] dovecot: Require TLS 1.3 --- roles/dovecot/templates/local.conf.j2 | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/roles/dovecot/templates/local.conf.j2 b/roles/dovecot/templates/local.conf.j2 index 730072b..51ce026 100644 --- a/roles/dovecot/templates/local.conf.j2 +++ b/roles/dovecot/templates/local.conf.j2 
@@ -1,13 +1,11 @@ -# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.8&config=intermediate&openssl=1.1.1g&guideline=5.6 +# generated 2024-02-14, Mozilla Guideline v5.7, Dovecot 2.3.16, OpenSSL 1.1.1, modern configuration +# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.16&config=modern&openssl=1.1.1&guideline=5.7 ssl = required ssl_cert = <{{ tls_certs }}/{{ mail_server }}-fullchain.crt ssl_key = <{{ tls_private }}/{{ mail_server }}.key -ssl_dh = <{{ tls_certs }}/ffdhe3072.pem - -ssl_min_protocol = TLSv1.2 -ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 +ssl_min_protocol = TLSv1.3 ssl_prefer_server_ciphers = no # kerberos From e21e372dc44788b9ddd041628f542524abbef662 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 16 Feb 2024 07:57:59 +0000 Subject: [PATCH 155/596] fwupd: First version of role --- roles/fwupd/tasks/main.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 roles/fwupd/tasks/main.yml diff --git a/roles/fwupd/tasks/main.yml b/roles/fwupd/tasks/main.yml new file mode 100644 index 0000000..5e71293 --- /dev/null +++ b/roles/fwupd/tasks/main.yml @@ -0,0 +1,11 @@ +--- +- name: Install packages + ansible.builtin.package: + name: fwupd + state: installed + +- name: Enable LVFS + ansible.builtin.lineinfile: + path: /etc/fwupd/remotes.d/lvfs.conf + regexp: "^Enabled=.*" + line: "Enabled=true" From 641e66237e63294a009764ef25de0b36191d6f3c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 16 Feb 2024 07:58:18 +0000 Subject: [PATCH 156/596] Add some scanning/testing tools to adm hosts --- playbooks/adm.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index f4db906..75a6cda 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml 
@@ -47,10 +47,12 @@ - libvirt-client # kvm host client - make # generic building - mariadb # mariadb client tools + - nmap # check for open ports - nsd # check dns zone files - podman # building containers - pylint # python linting - python3-flake8 # python linting + - speedtest-cli # testing network speed - virt-install # install kvm guests - wget # still in backbone for downloads - whois # read whois data From e39fc8c9927880bc032c6d62c70981119ed3da76 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 16 Feb 2024 07:58:41 +0000 Subject: [PATCH 157/596] base: Install fwupd on physical linux hosts --- roles/base/tasks/RedHat.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml index 9f11e18..50e0397 100644 --- a/roles/base/tasks/RedHat.yml +++ b/roles/base/tasks/RedHat.yml @@ -87,6 +87,12 @@ - vim-enhanced # working vi :) - xterm # resize +- name: Install roles for physical hardware + ansible.builtin.include_role: + name: fwupd + when: + - ansible_virtualization_role == "host" + - name: Install packages for physical hardware ansible.builtin.package: name: "{{ item }}" From 31c8b7aa6a4e57cffd2c6fe8e1f7ca837a23639c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 16 Feb 2024 12:02:57 +0000 Subject: [PATCH 158/596] node_exporter: Add physical host disk monitoring --- roles/node_exporter/files/md_info.sh | 59 ++++++++ roles/node_exporter/files/smartmon.sh | 204 ++++++++++++++++++++++++++ roles/node_exporter/tasks/main.yml | 14 ++ 3 files changed, 277 insertions(+) create mode 100755 roles/node_exporter/files/md_info.sh create mode 100755 roles/node_exporter/files/smartmon.sh diff --git a/roles/node_exporter/files/md_info.sh b/roles/node_exporter/files/md_info.sh new file mode 100755 index 0000000..bf72d1b --- /dev/null +++ b/roles/node_exporter/files/md_info.sh 
@@ -0,0 +1,59 @@ +#!/usr/bin/env bash + +set -eu + +for MD_DEVICE in /dev/md/*; do + if [ -b "$MD_DEVICE" ]; then + # Subshell to avoid eval'd variables from leaking between iterations + ( + # Resolve symlink to discover device, e.g. /dev/md127 + MD_DEVICE_NUM=$(readlink -f "${MD_DEVICE}") + + # Remove /dev/ prefix + MD_DEVICE_NUM=${MD_DEVICE_NUM#/dev/} + MD_DEVICE=${MD_DEVICE#/dev/md/} + + # Query sysfs for info about md device + SYSFS_BASE="/sys/devices/virtual/block/${MD_DEVICE_NUM}/md" + MD_LAYOUT=$(cat "${SYSFS_BASE}/layout") + MD_LEVEL=$(cat "${SYSFS_BASE}/level") + MD_METADATA_VERSION=$(cat "${SYSFS_BASE}/metadata_version") + MD_NUM_RAID_DISKS=$(cat "${SYSFS_BASE}/raid_disks") + + # Remove 'raid' prefix from RAID level + MD_LEVEL=${MD_LEVEL#raid} + + # Output disk metrics + for RAID_DISK in "${SYSFS_BASE}"/rd[0-9]*; do + DISK=$(readlink -f "${RAID_DISK}/block") + DISK_DEVICE=$(basename "${DISK}") + RAID_DISK_DEVICE=$(basename "${RAID_DISK}") + RAID_DISK_INDEX=${RAID_DISK_DEVICE#rd} + RAID_DISK_STATE=$(cat "${RAID_DISK}/state") + + DISK_SET="" + # Determine disk set using logic from mdadm: https://github.com/neilbrown/mdadm/commit/2c096ebe4b + if [[ ${RAID_DISK_STATE} == "in_sync" && ${MD_LEVEL} == 10 && $((MD_LAYOUT & ~0x1ffff)) ]]; then + NEAR_COPIES=$((MD_LAYOUT & 0xff)) + FAR_COPIES=$(((MD_LAYOUT >> 8) & 0xff)) + COPIES=$((NEAR_COPIES * FAR_COPIES)) + + if [[ $((MD_NUM_RAID_DISKS % COPIES == 0)) && $((COPIES <= 26)) ]]; then + DISK_SET=$((RAID_DISK_INDEX % COPIES)) + fi + fi + + echo -n "node_md_disk_info{disk_device=\"${DISK_DEVICE}\", md_device=\"${MD_DEVICE_NUM}\"" + if [[ -n ${DISK_SET} ]]; then + SET_LETTERS=({A..Z}) + echo -n ", md_set=\"${SET_LETTERS[${DISK_SET}]}\"" + fi + echo "} 1" + done + + # Output RAID array metrics + # NOTE: Metadata version is a label rather than a separate metric because the version can be a string + echo "node_md_info{md_device=\"${MD_DEVICE_NUM}\", md_name=\"${MD_DEVICE}\", raid_level=\"${MD_LEVEL}\", 
md_metadata_version=\"${MD_METADATA_VERSION}\"} 1" + ) + fi +done diff --git a/roles/node_exporter/files/smartmon.sh b/roles/node_exporter/files/smartmon.sh new file mode 100755 index 0000000..c20a850 --- /dev/null +++ b/roles/node_exporter/files/smartmon.sh 
@@ -0,0 +1,204 @@ +#!/usr/bin/env bash +# +# Script informed by the collectd monitoring script for smartmontools (using smartctl) +# by Samuel B. (c) 2012 +# source at: http://devel.dob.sk/collectd-scripts/ + +# TODO: This probably needs to be a little more complex. The raw numbers can have more +# data in them than you'd think. +# http://arstechnica.com/civis/viewtopic.php?p=22062211 + +# Formatting done via shfmt -i 2 +# https://github.com/mvdan/sh + +# Ensure predictable numeric / date formats, etc. +export LC_ALL=C + +parse_smartctl_attributes_awk="$( + cat <<'SMARTCTLAWK' +$1 ~ /^ *[0-9]+$/ && $2 ~ /^[a-zA-Z0-9_-]+$/ { + gsub(/-/, "_"); + printf "%s_value{%s,smart_id=\"%s\"} %d\n", $2, labels, $1, $4 + printf "%s_worst{%s,smart_id=\"%s\"} %d\n", $2, labels, $1, $5 + printf "%s_threshold{%s,smart_id=\"%s\"} %d\n", $2, labels, $1, $6 + printf "%s_raw_value{%s,smart_id=\"%s\"} %e\n", $2, labels, $1, $10 +} +SMARTCTLAWK +)" + +smartmon_attrs="$( + cat <<'SMARTMONATTRS' +airflow_temperature_cel +command_timeout +current_pending_sector +end_to_end_error +erase_fail_count +g_sense_error_rate +hardware_ecc_recovered +host_reads_32mib +host_reads_mib +host_writes_32mib +host_writes_mib +load_cycle_count +media_wearout_indicator +nand_writes_1gib +offline_uncorrectable +power_cycle_count +power_on_hours +program_fail_cnt_total +program_fail_count +raw_read_error_rate +reallocated_event_count +reallocated_sector_ct +reported_uncorrect +runtime_bad_block +sata_downshift_count +seek_error_rate +spin_retry_count +spin_up_time +start_stop_count +temperature_case +temperature_celsius +temperature_internal +total_lbas_read +total_lbas_written +udma_crc_error_count +unsafe_shutdown_count +unused_rsvd_blk_cnt_tot +wear_leveling_count +workld_host_reads_perc +workld_media_wear_indic +workload_minutes +SMARTMONATTRS +)" +smartmon_attrs="$(echo "${smartmon_attrs}" | xargs | tr ' ' '|')" + +parse_smartctl_attributes() { + local disk="$1" + local disk_type="$2" + local 
labels="disk=\"${disk}\",type=\"${disk_type}\"" + sed 's/^ \+//g' | + awk -v labels="${labels}" "${parse_smartctl_attributes_awk}" 2>/dev/null | + tr '[:upper:]' '[:lower:]' | + grep -E "(${smartmon_attrs})" +} + +parse_smartctl_scsi_attributes() { + local disk="$1" + local disk_type="$2" + local labels="disk=\"${disk}\",type=\"${disk_type}\"" + while read -r line; do + attr_type="$(echo "${line}" | tr '=' ':' | cut -f1 -d: | sed 's/^ \+//g' | tr ' ' '_')" + attr_value="$(echo "${line}" | tr '=' ':' | cut -f2 -d: | sed 's/^ \+//g')" + case "${attr_type}" in + number_of_hours_powered_up_) power_on="$(echo "${attr_value}" | awk '{ printf "%e\n", $1 }')" ;; + Current_Drive_Temperature) temp_cel="$(echo "${attr_value}" | cut -f1 -d' ' | awk '{ printf "%e\n", $1 }')" ;; + Blocks_sent_to_initiator_) lbas_read="$(echo "${attr_value}" | awk '{ printf "%e\n", $1 }')" ;; + Blocks_received_from_initiator_) lbas_written="$(echo "${attr_value}" | awk '{ printf "%e\n", $1 }')" ;; + Accumulated_start-stop_cycles) power_cycle="$(echo "${attr_value}" | awk '{ printf "%e\n", $1 }')" ;; + Elements_in_grown_defect_list) grown_defects="$(echo "${attr_value}" | awk '{ printf "%e\n", $1 }')" ;; + esac + done + [ -n "$power_on" ] && echo "power_on_hours_raw_value{${labels},smart_id=\"9\"} ${power_on}" + [ -n "$temp_cel" ] && echo "temperature_celsius_raw_value{${labels},smart_id=\"194\"} ${temp_cel}" + [ -n "$lbas_read" ] && echo "total_lbas_read_raw_value{${labels},smart_id=\"242\"} ${lbas_read}" + [ -n "$lbas_written" ] && echo "total_lbas_written_raw_value{${labels},smart_id=\"241\"} ${lbas_written}" + [ -n "$power_cycle" ] && echo "power_cycle_count_raw_value{${labels},smart_id=\"12\"} ${power_cycle}" + [ -n "$grown_defects" ] && echo "grown_defects_count_raw_value{${labels},smart_id=\"-1\"} ${grown_defects}" +} + +parse_smartctl_info() { + local -i smart_available=0 smart_enabled=0 smart_healthy= + local disk="$1" disk_type="$2" + local model_family='' device_model='' 
serial_number='' fw_version='' vendor='' product='' revision='' lun_id='' + while read -r line; do + info_type="$(echo "${line}" | cut -f1 -d: | tr ' ' '_')" + info_value="$(echo "${line}" | cut -f2- -d: | sed 's/^ \+//g' | sed 's/"/\\"/')" + case "${info_type}" in + Model_Family) model_family="${info_value}" ;; + Device_Model) device_model="${info_value}" ;; + Serial_Number|Serial_number) serial_number="${info_value}" ;; + Firmware_Version) fw_version="${info_value}" ;; + Vendor) vendor="${info_value}" ;; + Product) product="${info_value}" ;; + Revision) revision="${info_value}" ;; + Logical_Unit_id) lun_id="${info_value}" ;; + esac + if [[ "${info_type}" == 'SMART_support_is' ]]; then + case "${info_value:0:7}" in + Enabled) smart_available=1; smart_enabled=1 ;; + Availab) smart_available=1; smart_enabled=0 ;; + Unavail) smart_available=0; smart_enabled=0 ;; + esac + fi + if [[ "${info_type}" == 'SMART_overall-health_self-assessment_test_result' ]]; then + case "${info_value:0:6}" in + PASSED) smart_healthy=1 ;; + *) smart_healthy=0 ;; + esac + elif [[ "${info_type}" == 'SMART_Health_Status' ]]; then + case "${info_value:0:2}" in + OK) smart_healthy=1 ;; + *) smart_healthy=0 ;; + esac + fi + done + echo "device_info{disk=\"${disk}\",type=\"${disk_type}\",vendor=\"${vendor}\",product=\"${product}\",revision=\"${revision}\",lun_id=\"${lun_id}\",model_family=\"${model_family}\",device_model=\"${device_model}\",serial_number=\"${serial_number}\",firmware_version=\"${fw_version}\"} 1" + echo "device_smart_available{disk=\"${disk}\",type=\"${disk_type}\"} ${smart_available}" + echo "device_smart_enabled{disk=\"${disk}\",type=\"${disk_type}\"} ${smart_enabled}" + [[ "${smart_healthy}" != "" ]] && echo "device_smart_healthy{disk=\"${disk}\",type=\"${disk_type}\"} ${smart_healthy}" +} + +output_format_awk="$( + cat <<'OUTPUTAWK' +BEGIN { v = "" } +v != $1 { + print "# HELP smartmon_" $1 " SMART metric " $1; + print "# TYPE smartmon_" $1 " gauge"; + v = $1 +} +{print 
"smartmon_" $0} +OUTPUTAWK +)" + +format_output() { + sort | + awk -F'{' "${output_format_awk}" +} + +smartctl_version="$(/usr/sbin/smartctl -V | head -n1 | awk '$1 == "smartctl" {print $2}')" + +echo "smartctl_version{version=\"${smartctl_version}\"} 1" | format_output + +if [[ "$(expr "${smartctl_version}" : '\([0-9]*\)\..*')" -lt 6 ]]; then + exit +fi + +device_list="$(/usr/sbin/smartctl --scan-open | awk '/^\/dev/{print $1 "|" $3}')" + +for device in ${device_list}; do + disk="$(echo "${device}" | cut -f1 -d'|')" + type="$(echo "${device}" | cut -f2 -d'|')" + active=1 + echo "smartctl_run{disk=\"${disk}\",type=\"${type}\"}" "$(TZ=UTC date '+%s')" + # Check if the device is in a low-power mode + /usr/sbin/smartctl -n standby -d "${type}" "${disk}" > /dev/null || active=0 + echo "device_active{disk=\"${disk}\",type=\"${type}\"}" "${active}" + # Skip further metrics to prevent the disk from spinning up + test ${active} -eq 0 && continue + # Get the SMART information and health + /usr/sbin/smartctl -i -H -d "${type}" "${disk}" | parse_smartctl_info "${disk}" "${type}" + # Get the SMART attributes + case ${type} in + sat) /usr/sbin/smartctl -A -d "${type}" "${disk}" | parse_smartctl_attributes "${disk}" "${type}" ;; + sat+megaraid*) /usr/sbin/smartctl -A -d "${type}" "${disk}" | parse_smartctl_attributes "${disk}" "${type}" ;; + scsi) /usr/sbin/smartctl -A -d "${type}" "${disk}" | parse_smartctl_scsi_attributes "${disk}" "${type}" ;; + megaraid*) /usr/sbin/smartctl -A -d "${type}" "${disk}" | parse_smartctl_scsi_attributes "${disk}" "${type}" ;; + nvme*) /usr/sbin/smartctl -A -d "${type}" "${disk}" | parse_smartctl_scsi_attributes "${disk}" "${type}" ;; + usbprolific) /usr/sbin/smartctl -A -d "${type}" "${disk}" | parse_smartctl_attributes "${disk}" "${type}" ;; + *) + (>&2 echo "disk type is not sat, scsi, nvme or megaraid but ${type}") + exit + ;; + esac +done | format_output 
diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml index 1e35c32..395e624 100644 --- a/roles/node_exporter/tasks/main.yml +++ b/roles/node_exporter/tasks/main.yml @@ -75,6 +75,20 @@ notify: Restart node_exporter when: ansible_os_family == "RedHat" +- name: Install disk and raid monitoring scripts + ansible.builtin.copy: + dest: "/usr/local/libexec/node-exporter/{{ item }}" + src: "{{ item }}" + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + with_items: + - md_info.sh + - smartmon.sh + when: + - ansible_virtualization_role == "host" + - ansible_os_family == "RedHat" + - name: Enable service ansible.builtin.service: name: "{{ node_exporter_service }}" From 5751c77b8fcaefe54f8243f06c628cab211a91b2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 17 Feb 2024 17:21:29 +0000 Subject: [PATCH 159/596] mariadb: Enable query log --- roles/mariadb/files/local.cnf | 4 ++++ roles/mariadb/tasks/main.yml | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 roles/mariadb/files/local.cnf diff --git a/roles/mariadb/files/local.cnf b/roles/mariadb/files/local.cnf new file mode 100644 index 0000000..cedabc6 --- /dev/null +++ b/roles/mariadb/files/local.cnf @@ -0,0 +1,4 @@ +[mariadb] +innodb_file_per_table = ON +general_log +general_log_file = /var/log/mariadb/mariadb-query.log diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 3746dd1..af5cea7 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -64,7 +64,7 @@ - name: Create local configuration ansible.builtin.copy: dest: /etc/my.cnf.d/local.cnf - content: "[mariadb]\ninnodb_file_per_table=ON\n" + src: local.cnf mode: "0644" owner: root group: "{{ ansible_wheel }}" From 8bc5793d705aef70c5b9f276728f191697809c84 Mon Sep 17 00:00:00 2001 
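Review bot: `general_log` records every statement, including `CREATE USER … IDENTIFIED BY`, `SET PASSWORD`, `GRANT` and any application query carrying personal data, into `/var/log/mariadb/mariadb-query.log`, and nothing in this hunk sets rotation or permissions for that file, so it will grow without bound and hold credentials in clear text. If the log is needed for debugging, keep `general_log = 0` in the file and switch it on at runtime with `SET GLOBAL general_log = ON`, or use `slow_query_log` with `long_query_time` for the usual performance question; in either case make sure the logrotate config for /var/log/mariadb covers the new file. The tasks that create the log directory are outside this chunk, so the mode the file ends up with is not visible here.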
From: Timo Makinen Date: Sat, 17 Feb 2024 17:58:32 +0000 Subject: [PATCH 160/596] mysqld_exporter: Initial version of role --- roles/mysqld_exporter/defaults/main.yml | 2 + .../files/mysqld_exporter.service | 14 ++++ roles/mysqld_exporter/handlers/main.yml | 6 ++ roles/mysqld_exporter/meta/main.yml | 3 + roles/mysqld_exporter/tasks/main.yml | 83 +++++++++++++++++++ roles/mysqld_exporter/templates/my.cnf.j2 | 6 ++ .../templates/web-config.yml.j2 | 11 +++ 7 files changed, 125 insertions(+) create mode 100644 roles/mysqld_exporter/defaults/main.yml create mode 100644 roles/mysqld_exporter/files/mysqld_exporter.service create mode 100644 roles/mysqld_exporter/handlers/main.yml create mode 100644 roles/mysqld_exporter/meta/main.yml create mode 100644 roles/mysqld_exporter/tasks/main.yml create mode 100644 roles/mysqld_exporter/templates/my.cnf.j2 create mode 100644 roles/mysqld_exporter/templates/web-config.yml.j2 diff --git a/roles/mysqld_exporter/defaults/main.yml b/roles/mysqld_exporter/defaults/main.yml new file mode 100644 index 0000000..77a7507 --- /dev/null +++ b/roles/mysqld_exporter/defaults/main.yml @@ -0,0 +1,2 @@ +--- +mysqld_exporter_pkg: "mysqld_exporter-{{ mysqld_exporter_version }}.linux-amd64" diff --git a/roles/mysqld_exporter/files/mysqld_exporter.service b/roles/mysqld_exporter/files/mysqld_exporter.service new file mode 100644 index 0000000..c623707 --- /dev/null +++ b/roles/mysqld_exporter/files/mysqld_exporter.service @@ -0,0 +1,14 @@ +[Unit] +Description=Prometheus MySQL Exporter +After=syslog.target +After=network.target + +[Service] +Type=simple +User=mysqld_exporter +Group=mysqld_exporter +ExecStart=/usr/local/bin/mysqld_exporter --config.my-cnf=/etc/mysqld_exporter/my.cnf --web.config.file=/etc/mysqld_exporter/web-config.yml +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/roles/mysqld_exporter/handlers/main.yml b/roles/mysqld_exporter/handlers/main.yml new file mode 100644 index 0000000..855013c --- /dev/null 
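Review bot: The `[Service]` section runs the exporter with no sandboxing directives, although it only needs to read /etc/mysqld_exporter and the TLS material, talk to the local database and listen on one port; the standard systemd hardening keeps a compromised exporter from touching the rest of the host and costs nothing here. `After=syslog.target` is an obsolete target and can be dropped, leaving `After=network.target`. `RestrictAddressFamilies` keeps AF_UNIX because the credentials file names no host, so the client will use the local socket.
```ini
# … unchanged: [Unit] and the first [Service] lines …
Restart=always
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
```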
+++ b/roles/mysqld_exporter/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart mysqld_exporter
+ ansible.builtin.systemd:
+ name: mysqld_exporter
+ daemon_reload: true
+ state: restarted
diff --git a/roles/mysqld_exporter/meta/main.yml b/roles/mysqld_exporter/meta/main.yml
new file mode 100644
index 0000000..9978a00
--- /dev/null
+++ b/roles/mysqld_exporter/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - {role: pki}
diff --git a/roles/mysqld_exporter/tasks/main.yml b/roles/mysqld_exporter/tasks/main.yml
new file mode 100644
index 0000000..e69ce1c
--- /dev/null
+++ b/roles/mysqld_exporter/tasks/main.yml
@@ -0,0 +1,83 @@ +--- +- name: Create group + ansible.builtin.group: + name: mysqld_exporter + system: true + +- name: Create user + ansible.builtin.user: + name: mysqld_exporter + comment: Prometheus MySQL Exporter + group: mysqld_exporter + groups: hostkey + create_home: false + home: /var/empty + shell: /sbin/nologin + system: true + +- name: Download package + ansible.builtin.get_url: + url: "https://github.com/prometheus/mysqld_exporter/releases/download/v{{ mysqld_exporter_version }}/{{ mysqld_exporter_pkg }}.tar.gz" + dest: "/usr/local/src/{{ mysqld_exporter_pkg }}.tar.gz" + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + +- name: Extract package + ansible.builtin.unarchive: + src: "/usr/local/src/{{ mysqld_exporter_pkg }}.tar.gz" + dest: /usr/local/src + owner: root + group: "{{ ansible_wheel }}" + creates: "/usr/local/src/{{ mysqld_exporter_pkg }}" + remote_src: true + +- name: Copy binary + ansible.builtin.copy: + dest: /usr/local/bin/mysqld_exporter + src: "/usr/local/src/{{ mysqld_exporter_pkg }}/mysqld_exporter" + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + remote_src: true + +- name: Create config directory + ansible.builtin.file: + path: /etc/mysqld_exporter + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Create web-config + ansible.builtin.template: + dest: /etc/mysqld_exporter/web-config.yml + src: web-config.yml.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart mysqld_exporter + +- name: Create credentials config + ansible.builtin.template: + dest: /etc/mysqld_exporter/my.cnf + src: my.cnf.j2 + mode: "0640" + owner: root + group: mysqld_exporter + notify: Restart mysqld_exporter + +- name: Create service file + ansible.builtin.copy: + dest: /etc/systemd/system/mysqld_exporter.service + src: mysqld_exporter.service + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart mysqld_exporter + +- name: Enable service + 
ansible.builtin.service: + name: mysqld_exporter + state: started + enabled: true diff --git a/roles/mysqld_exporter/templates/my.cnf.j2 b/roles/mysqld_exporter/templates/my.cnf.j2 new file mode 100644 index 0000000..2627e84 --- /dev/null +++ b/roles/mysqld_exporter/templates/my.cnf.j2 @@ -0,0 +1,6 @@ +[client] +user = mysqld_exporter +password = {{ mysqld_exporter_pass }} +ssl-cert = {{ tls_certs }}/{{ inventory_hostname }}.crt +ssl-key = {{ tls_private }}/{{ inventory_hostname }}.key +ssl-ca = {{ tls_certs }}/ca.crt diff --git a/roles/mysqld_exporter/templates/web-config.yml.j2 b/roles/mysqld_exporter/templates/web-config.yml.j2 new file mode 100644 index 0000000..626169b --- /dev/null +++ b/roles/mysqld_exporter/templates/web-config.yml.j2 @@ -0,0 +1,11 @@ +tls_server_config: + key_file: {{ tls_private }}/{{ inventory_hostname }}.key + cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt + client_ca_file: {{ tls_certs }}/ca.crt + client_auth_type: RequireAndVerifyClientCert + client_allowed_sans: + - prometheus01.home.foo.sh + - prometheus02.home.foo.sh + - prometheus03.home.foo.sh + - prometheus04.home.foo.sh + min_version: TLS13 From 1f3e76e4f6f99ca134fc1eadd9ddb02343b82b9d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 17 Feb 2024 17:59:16 +0000 Subject: [PATCH 161/596] Enable mysqld_exporter for prometheus hosts --- hosts.yml | 2 ++ playbooks/prometheus.yml | 1 + roles/prometheus/templates/prometheus.yml.j2 | 19 +++++++++++++++++++ 3 files changed, 22 insertions(+) diff --git a/hosts.yml b/hosts.yml index 8fb7bd0..7e8fc7c 100644 --- a/hosts.yml +++ b/hosts.yml @@ -96,6 +96,8 @@ print: prometheus: hosts: prometheus02.home.foo.sh: + vars: + mysqld_exporter_version: "0.15.1" proxy: hosts: proxy01.home.foo.sh: diff --git a/playbooks/prometheus.yml b/playbooks/prometheus.yml index bec40ff..856b0a3 100644 --- a/playbooks/prometheus.yml +++ b/playbooks/prometheus.yml @@ -26,3 +26,4 @@ roles: - base - prometheus + - mysqld_exporter 
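Review bot: The `Download package` task fetches the release tarball with get_url but never verifies it, so a substituted or tampered artifact at that URL would be unpacked and installed to /usr/local/bin unnoticed; add `checksum: "sha256:{{ mysqld_exporter_checksum }}"` next to `url:` and carry the expected digest in the inventory beside `mysqld_exporter_version` (the variable name is a placeholder, use whatever convention the repo has). The `Create user` task also adds the exporter to `groups: hostkey`, which presumably is what lets it read the `{{ tls_private }}/{{ inventory_hostname }}.key` referenced from my.cnf.j2; a comment on that task stating the reason would stop the grant from being removed as a cleanup later. Only this hunk is in view, so the same unverified-download pattern may exist in sibling roles.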
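Review bot: The templated paths in `key_file`, `cert_file` and `client_ca_file` of web-config.yml.j2 are emitted as plain scalars, while the prometheus.yml.j2 change in the following commit quotes the same expressions; quote them here as well (`key_file: "{{ tls_private }}/{{ inventory_hostname }}.key"`) so the rendered YAML cannot be mis-parsed if a path ever contains a YAML indicator. `RequireAndVerifyClientCert` with a pinned `client_allowed_sans` list and `min_version: TLS13` is the right shape for an exporter that exposes database credentials' reach; if the four prometheus hosts correspond to an inventory group, rendering the SAN list from it would keep the allow-list from drifting when hosts are added.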
diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2 index e4a4956..49520f9 100644 --- a/roles/prometheus/templates/prometheus.yml.j2 +++ b/roles/prometheus/templates/prometheus.yml.j2 @@ -10,6 +10,25 @@ scrape_configs: - targets: - "127.0.0.1:9090" + - job_name: mysqld + scheme: https + tls_config: + ca_file: "{{ tls_certs }}/ca.crt" + key_file: "{{ tls_private }}/{{ inventory_hostname }}.key" + cert_file: "{{ tls_certs }}/{{ inventory_hostname }}.crt" + static_configs: + - targets: +{% for host in groups['sqldb'] %} + - {{ host }}:3306 +{% endfor %} + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - target_label: __address__ + replacement: {{ inventory_hostname }}:9104 + - job_name: snmp scheme: https tls_config: From fc5d1579166a9902853859d3b148fd0a3a042ff1 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 18 Feb 2024 19:00:30 +0000 Subject: [PATCH 162/596] Use new repo for homeassistant electrolux --- hosts.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/hosts.yml b/hosts.yml index 7e8fc7c..f70fd05 100644 --- a/hosts.yml +++ b/hosts.yml @@ -37,9 +37,8 @@ homeassistant: homeassistant_version: "2024.1.2" homeassistant_integrations: - name: electrolux_status - repo: >- - https://github.com/mauro-midolo/homeassistant_electrolux_status.git - version: v5.0.0 + repo: https://github.com/albaintor/homeassistant_electrolux_status.git + version: v1.0.12 - name: nordpool repo: https://github.com/custom-components/nordpool.git version: 0.0.14 From f42793670811b1e28e03acad86f9cced30376ceb Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 18 Feb 2024 19:30:32 +0000 Subject: [PATCH 163/596] Update software versions --- hosts.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hosts.yml b/hosts.yml index f70fd05..f817260 100644 --- a/hosts.yml +++ b/hosts.yml 
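Review bot: The `mysqld` job relabels each `groups['sqldb']` host into `__param_target` and points `__address__` at the local exporter on port 9104 — the exporter's multi-target pattern — but sets no `metrics_path`; as far as I can tell from the exporter's multi-target documentation the `target` parameter is honoured only on `/probe`, so every scrape would hit `/metrics` and return the exporter's own default connection under a different `instance` label. Add `metrics_path: /probe` under `scheme: https` and verify the per-target series on a test scrape. `replacement: {{ inventory_hostname }}:9104` is also a plain scalar while the `tls_config` values above it are quoted; quote it for consistency.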
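Review bot: The electrolux_status integration now comes from a different GitHub account and is pinned by tag (`version: v1.0.12`); a tag is a mutable reference, so whatever consumes `homeassistant_integrations` (not in view) would fetch different code if the tag were moved upstream. If the consuming role can check out an arbitrary revision, pin the commit SHA the tag pointed to when reviewed; otherwise record that SHA in a comment on the entry. A line in the commit message on why the fork was chosen over the previous repository would also help the next reader.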
@@ -34,7 +34,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.1.2" + homeassistant_version: "2024.2" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git @@ -86,9 +86,9 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "10.2.3" - rocketchat_version: "6.5.2" - roundcube_version: "1.6.5" + grafana_version: "10.2.4" + rocketchat_version: "6.6.0" + roundcube_version: "1.6.6" print: hosts: print01.home.foo.sh: From 04575b20ee71b8c3dcb5a08494f2a9c063cf9527 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 23 Feb 2024 05:52:17 +0000 Subject: [PATCH 164/596] Update gitea to 1.21.6 --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index f817260..0b19d7f 100644 --- a/hosts.yml +++ b/hosts.yml @@ -24,7 +24,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.5" + gitea_version: "1.21.6" gitearunner: hosts: gitea-runner02.home.foo.sh: From a632b3efbf44ee8d2ed3a1e8e5bd68bb7be0cabc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 23 Feb 2024 05:53:10 +0000 Subject: [PATCH 165/596] mariadb: Add query log rotation --- roles/mariadb/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index af5cea7..746da67 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -136,6 +136,14 @@ hour: "0" minute: "30" +- name: Add logrotate job for query log + ansible.builtin.copy: + dest: /etc/logrotate.d/mariadb-querylog + src: mariadb-querylog.logrotate + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + - name: Copy script to check timezone data ansible.builtin.copy: dest: /usr/local/sbin/mysql_tzinfo_check From 171aa216d6294b272067ced7ca8beba3c1f9eb51 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Fri, 23 Feb 2024 05:53:34 +0000 Subject: [PATCH 166/596] mariadb: Add missing logrotate file --- roles/mariadb/files/mariadb-querylog.logrotate | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 roles/mariadb/files/mariadb-querylog.logrotate diff --git a/roles/mariadb/files/mariadb-querylog.logrotate b/roles/mariadb/files/mariadb-querylog.logrotate new file mode 100644 index 0000000..70002a1 --- /dev/null +++ b/roles/mariadb/files/mariadb-querylog.logrotate @@ -0,0 +1,17 @@ +/var/log/mariadb/mariadb-query.log { + create 600 mysql mysql + su mysql mysql + notifempty + daily + rotate 3 + missingok + compress + sharedscripts + postrotate + # just if mariadbd is really running + if [ -e /run/mariadb/mariadb.pid ] + then + kill -1 $( Date: Fri, 1 Mar 2024 12:32:53 +0000 Subject: [PATCH 167/596] sendmail: Fix EHLO message address --- roles/sendmail/templates/sendmail.mc.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/sendmail/templates/sendmail.mc.j2 b/roles/sendmail/templates/sendmail.mc.j2 index c0d9b08..2662045 100644 --- a/roles/sendmail/templates/sendmail.mc.j2 +++ b/roles/sendmail/templates/sendmail.mc.j2 @@ -60,6 +60,7 @@ FEATURE(`accept_unresolvable_domains')dnl dnl # define(`confMATCH_GECOS')dnl define(`confDOMAIN_NAME', `{{ mail_domain }}')dnl +define(`confHELO_NAME', `mail.{{ mail_domain }}')dnl define(`confDONT_BLAME_SENDMAIL', `GroupWritableDirpathSafe,GroupWritableIncludeFile,GroupWritableIncludeFileSafe')dnl dnl # MAIL_FILTER(`grossd', `S=inet:5523@localhost, T=C:10m;R:5m') From 6c661f75b86ad21c736de10981e9fca425047a11 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 1 Mar 2024 18:38:01 +0000 Subject: [PATCH 168/596] nsd: Validate zone files during copy --- roles/nsd/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/nsd/tasks/main.yml b/roles/nsd/tasks/main.yml index b0d3ad6..da21b4f 100644 --- a/roles/nsd/tasks/main.yml +++ b/roles/nsd/tasks/main.yml 
@@ -43,6 +43,7 @@ mode: "0640" owner: root group: _nsd + validate: "nsd-checkzone '{{ item }}' '%s'" tags: dns notify: Restart nsd with_items: "{{ nsd_zones }}" From 546f091e9195fbd9940ce94c2e51356ff402efe1 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 2 Mar 2024 19:00:44 +0000 Subject: [PATCH 169/596] opendkim: Initial version of role --- roles/opendkim/defaults/main.yml | 2 + roles/opendkim/files/keystore.Makefile | 28 +++++++++ roles/opendkim/handlers/main.yml | 5 ++ roles/opendkim/tasks/main.yml | 85 ++++++++++++++++++++++++++ 4 files changed, 120 insertions(+) create mode 100644 roles/opendkim/defaults/main.yml create mode 100644 roles/opendkim/files/keystore.Makefile create mode 100644 roles/opendkim/handlers/main.yml create mode 100644 roles/opendkim/tasks/main.yml diff --git a/roles/opendkim/defaults/main.yml b/roles/opendkim/defaults/main.yml new file mode 100644 index 0000000..ae208c6 --- /dev/null +++ b/roles/opendkim/defaults/main.yml @@ -0,0 +1,2 @@ +--- +opendkim_selector: default diff --git a/roles/opendkim/files/keystore.Makefile b/roles/opendkim/files/keystore.Makefile new file mode 100644 index 0000000..1a04593 --- /dev/null +++ b/roles/opendkim/files/keystore.Makefile @@ -0,0 +1,28 @@ +TARGETS := $(shell { \ + if [ $$(date +%m) -lt 6 ]; then \ + echo "$$(date +%Y)0101.key $$(date +%Y)0601.key" ; \ + else \ + echo "$$(date +%Y)0601.key $$(($$(date +%Y) + 1))0101.key" ; \ + fi \ + }) + +all: $(TARGETS) + +%.key: + @set -eu ; \ + openssl genrsa -out "$@" 2048 ; \ + chgrp opendkim "$@" ; \ + chmod 0640 "$@" ; \ + echo ; \ + data="$$(printf "v=DKIM1; k=rsa; p=%s" \ + "$$(openssl rsa -in "$@" -pubout -outform der 2>/dev/null | openssl base64 -A)")" ; \ + pos=0 ; \ + printf "%s._domainkey\tIN\tTXT\t" "$$(echo "$@" | cut -d. -f1)" ; \ + while true ; do \ + printf "\"%s\"" \ + "$$(echo "$$data" | cut -c $$((pos + 1))-$$((pos + 254)))" ; \ + pos="$$((pos + 254))" ; \ + [ $${#data} -gt $$pos ] || break ; \ + printf " " ; \ + done ; \ + echo 
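Review bot: The `%.key` recipe creates the private key with `openssl genrsa -out "$@"` under whatever umask the invoking shell has and only afterwards runs `chmod 0640`, so with a typical 022 umask the key sits world-readable on disk until the chmod runs; add `umask 077 ; \` directly after `@set -eu ; \` so the file is created private and the later `chgrp opendkim`/`chmod 0640` widen it only to the opendkim group. The rest of the recipe, which splits the public key into 254-character TXT strings for the DNS record, reads correctly.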
diff --git a/roles/opendkim/handlers/main.yml b/roles/opendkim/handlers/main.yml new file mode 100644 index 0000000..e98da1b --- /dev/null +++ b/roles/opendkim/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart opendkim + ansible.builtin.service: + name: opendkim + state: restarted diff --git a/roles/opendkim/tasks/main.yml b/roles/opendkim/tasks/main.yml new file mode 100644 index 0000000..7c1001a --- /dev/null +++ b/roles/opendkim/tasks/main.yml 
@@ -0,0 +1,85 @@
+---
+- name: Install packages
+ ansible.builtin.package:
+ name: opendkim
+ state: installed
+
+- name: Fix SELinux contexts from keystore
+ community.general.sefcontext:
+ path: "/export/dkim(/.*)?"
+ setype: etc_t
+
+- name: Create keystore
+ ansible.builtin.file:
+ path: /export/dkim
+ state: directory
+ mode: "0710"
+ owner: root
+ group: opendkim
+ setype: _default
+
+- name: Link keystore
+ ansible.builtin.file:
+ dest: /srv/dkim
+ src: /export/dkim
+ state: link
+ owner: root
+ group: "{{ ansible_wheel }}"
+ follow: false
+
+- name: Add keystore Makefile
+ ansible.builtin.copy:
+ dest: /srv/dkim/Makefile
+ src: keystore.Makefile
+ mode: "0600"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ setype: _default
+
+- name: Set selector
+ ansible.builtin.lineinfile:
+ path: /etc/opendkim.conf
+ regexp: '^(# )?Selector\s'
+ line: "Selector\t{{ opendkim_selector }}"
+ notify: Restart opendkim
+
+- name: Set key file path
+ ansible.builtin.lineinfile:
+ path: /etc/opendkim.conf
+ regexp: '^(# )?KeyFile\s'
+ line: "KeyFile\t/srv/dkim/{{ opendkim_selector }}.key"
+ notify: Restart opendkim
+
+- name: Enable signing and verifying messages
+ ansible.builtin.lineinfile:
+ path: /etc/opendkim.conf
+ regexp: '^(# )?Mode\s'
+ line: "Mode\tsv"
+ notify: Restart opendkim
+
+- name: Configure signing domains
+ ansible.builtin.lineinfile:
+ path: /etc/opendkim.conf
+ regexp: '^(# )?Domain\s'
+ line: "Domain\t{{ mail_domain }}"
+ notify: Restart opendkim
+
+- name: Configure report address
+ ansible.builtin.lineinfile:
+ path: /etc/opendkim.conf
+ regexp: '^(# )?ReportAddress\s'
+ line: "ReportAddress\tpostmaster@{{ mail_domain }}"
+ notify: Restart opendkim
+
+- name: Don't add DKIM-Filter header
+ ansible.builtin.lineinfile:
+ path: /etc/opendkim.conf
+ regexp: '^(# )?SoftwareHeader\s'
+ line: "SoftwareHeader\tno"
+ notify: Restart opendkim
+
+- name: Enable service
+ ansible.builtin.service:
+ name: opendkim
+ state: started
+ enabled: true
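Review bot: `state: installed` on the `Install packages` task is a legacy alias; `state: present` is the form ansible-lint expects and is in keeping with the lint clean-ups elsewhere in this series, so `    state: present`. The role edits /etc/opendkim.conf line by line but never sets `Socket`, while the sendmail change later in this series connects to `local:/run/opendkim/opendkim.sock`; this presumably relies on the distribution default, which deserves either an explicit lineinfile task or a comment on `Set selector` saying so. `Enable service` starts opendkim before any key exists in the keystore (keys are produced by running the copied Makefile by hand), so the first play run on a fresh host will likely fail at that task until a key is generated; a note in the role's README or on the task would save the next operator the surprise.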
From 55a9a77e71ad0790b62ec5c0ae4980b231d1d303 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 2 Mar 2024 19:00:59 +0000 Subject: [PATCH 170/596] sendmail: Add opendkim filter --- roles/sendmail/templates/sendmail.mc.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/sendmail/templates/sendmail.mc.j2 b/roles/sendmail/templates/sendmail.mc.j2 index 2662045..ad31555 100644 --- a/roles/sendmail/templates/sendmail.mc.j2 +++ b/roles/sendmail/templates/sendmail.mc.j2 @@ -64,6 +64,7 @@ define(`confHELO_NAME', `mail.{{ mail_domain }}')dnl define(`confDONT_BLAME_SENDMAIL', `GroupWritableDirpathSafe,GroupWritableIncludeFile,GroupWritableIncludeFileSafe')dnl dnl # MAIL_FILTER(`grossd', `S=inet:5523@localhost, T=C:10m;R:5m') +INPUT_MAIL_FILTER(`opendkim', `S=local:/run/opendkim/opendkim.sock') dnl MAILER(smtp)dnl MAILER(procmail)dnl From a81b15edcdf0b7fc803ca18f70a6f5224a2a499b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 2 Mar 2024 19:01:12 +0000 Subject: [PATCH 171/596] Enable opendkim for mail servers --- playbooks/mail.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/playbooks/mail.yml b/playbooks/mail.yml index 4019251..686ed79 100644 --- a/playbooks/mail.yml +++ b/playbooks/mail.yml @@ -38,6 +38,8 @@ nginx_site_name: "{{ mail_server }}" nginx_site_redirect: https://webmail.foo.sh/ - grossd + - role: opendkim + opendkim_selector: 20240101 - spamassassin - spamassassin_clamav - spamassassin_ixhash From 427fbd9fc4363bd6d44461823782d8a394ec6598 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 4 Mar 2024 15:34:58 +0000 Subject: [PATCH 172/596] Add mta-sts.foo.sh virtual host --- playbooks/proxy.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index d01e85c..0a0ed17 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml 
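Review bot: The new `INPUT_MAIL_FILTER(`opendkim', ...)` entry sets only `S=`, so when the milter socket is unavailable or times out sendmail's default is to continue and accept the message: outbound mail leaves unsigned and inbound mail passes unverified without anything being deferred or logged as a policy decision. If that fail-open behaviour is not intended, add `F=T` (tempfail while the filter is down) and timeouts like the grossd entry above it, e.g. ``INPUT_MAIL_FILTER(`opendkim', `S=local:/run/opendkim/opendkim.sock, F=T, T=S:30s;R:30s')`` (timeout values constructed, tune as needed). Either way a one-line comment on the chosen failure mode would help, since the grossd entry above sets timeouts but no `F=` flag either.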
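Review bot: `opendkim_selector: 20240101` in playbooks/mail.yml is a plain all-digit scalar, so YAML loads it as an integer; it renders correctly into `Selector\t{{ opendkim_selector }}` and the `/srv/dkim/{{ opendkim_selector }}.key` path only because Jinja stringifies it, and a selector such as `0101` would lose its leading zero. Quote it, `opendkim_selector: "20240101"`, matching the quoted version strings used throughout hosts.yml.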
@@ -84,6 +84,8 @@ nginx_site_name: movies.foo.sh nginx_site_proxy: - https://oci-node01.home.foo.sh/php4dvd/ + - role: nginx_site + nginx_site_name: mta-sts.foo.sh - role: nginx_site nginx_site_name: noc.foo.sh nginx_site_proxy: From 3288f9ec5840282f69fcbf566041fc3e789423b5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 7 Mar 2024 07:17:17 +0000 Subject: [PATCH 173/596] routeros_firmware: Fix parsing mikrotik web page --- roles/routeros_firmware/files/download-routeros-firmware.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/routeros_firmware/files/download-routeros-firmware.sh b/roles/routeros_firmware/files/download-routeros-firmware.sh index 4347526..e6a0b65 100644 --- a/roles/routeros_firmware/files/download-routeros-firmware.sh +++ b/roles/routeros_firmware/files/download-routeros-firmware.sh @@ -18,7 +18,11 @@ if [ $# -gt 0 ]; then fi packageurl="$(curl -sSf "https://mikrotik.com/download" | \ - sed -n 's/.*.*/\1/p')" + sed -n 's/.* ].*/\1/p')" +if [ -z "$packageurl" ]; then + echo "ERR: Got empty package URL, exiting" 1>&2 + exit 1 +fi packagename="$(basename "$packageurl")" if [ -f "$packagename" ]; then "$verbose" && echo "Already up to date" From 778f8e99d7c656af38084415c221b177ae47944d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 12 Mar 2024 18:39:38 +0000 Subject: [PATCH 174/596] Update softwrae versions --- hosts.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/hosts.yml b/hosts.yml index 0b19d7f..1aae5c9 100644 --- a/hosts.yml +++ b/hosts.yml @@ -16,6 +16,8 @@ dnagw: frigate: hosts: frigate02.home.foo.sh: + vars: + frigate_version: "0.13.2" fsolgw: hosts: fsol-gw01.home.foo.sh: @@ -24,7 +26,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.6" + gitea_version: "1.21.7" gitearunner: hosts: gitea-runner02.home.foo.sh: 
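Review bot: The new `mta-sts.foo.sh` site entry has no `nginx_site_proxy`, so the host presumably serves static content; the MTA-STS policy document itself (`/.well-known/mta-sts.txt`) and the `_mta-sts` TXT record that announces it to senders are not part of this change, and a policy host that answers 404 simply leaves senders without a policy. Add a comment on the role entry saying where the policy file is deployed from, or include it in the same change so the virtual host does not ship empty.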
@@ -34,11 +36,11 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.2" + homeassistant_version: "2024.3" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git - version: v1.0.12 + version: v1.0.15 - name: nordpool repo: https://github.com/custom-components/nordpool.git version: 0.0.14 @@ -86,8 +88,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "10.2.4" - rocketchat_version: "6.6.0" + grafana_version: "10.3.4" + rocketchat_version: "6.6.3" roundcube_version: "1.6.6" print: hosts: From 7c9727c6a6223d2ec29afb09a0d6fa8916996a6b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 12 Mar 2024 18:41:50 +0000 Subject: [PATCH 175/596] sendmail: Add automatic ca certificate updates --- roles/sendmail/files/update-sendmail-certs.sh | 25 +++++++++++++++++++ roles/sendmail/handlers/main.yml | 8 ++++++ roles/sendmail/meta/main.yml | 2 +- roles/sendmail/tasks/main.yml | 16 ++++++++++++ 4 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 roles/sendmail/files/update-sendmail-certs.sh diff --git a/roles/sendmail/files/update-sendmail-certs.sh b/roles/sendmail/files/update-sendmail-certs.sh new file mode 100644 index 0000000..0e0bbc9 --- /dev/null +++ b/roles/sendmail/files/update-sendmail-certs.sh 
@@ -0,0 +1,25 @@ +#!/bin/sh + +set -eu +umask 022 + +tmpdir="$(mktemp -d -p /etc/mail)" +trap 'rm -rf "$tmpdir"' EXIT +chmod 0755 "$tmpdir" + +awk '{ + if ($0 == "-----BEGIN CERTIFICATE-----") cert="" + else if ($0 == "-----END CERTIFICATE-----") print cert + else cert=cert$0 +}' /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca.crt | while read -r CERT; do + echo "$CERT" | base64 -d | openssl x509 -inform DER > \ + "${tmpdir}/$(echo "$CERT" | base64 -d | openssl x509 -inform DER -hash -noout).0" +done + +if ! diff -q "$tmpdir" "/etc/mail/certs" > /dev/null 2>&1 ; then + rm -rf /etc/mail/certs + mv "$tmpdir" /etc/mail/certs + exit 0 +fi + +exit 1 diff --git a/roles/sendmail/handlers/main.yml b/roles/sendmail/handlers/main.yml index 811e9ee..3c47d7f 100644 --- a/roles/sendmail/handlers/main.yml +++ b/roles/sendmail/handlers/main.yml @@ -21,3 +21,11 @@ - newaliases register: result changed_when: result.rc == 0 + +- name: Update sendmail root certs + ansible.builtin.command: + argv: + - update-sendmail-certs + register: result + failed_when: false + changed_when: result.rc == 0 diff --git a/roles/sendmail/meta/main.yml b/roles/sendmail/meta/main.yml index 4dc7ba0..ad8bde3 100644 --- a/roles/sendmail/meta/main.yml +++ b/roles/sendmail/meta/main.yml @@ -1,5 +1,5 @@ --- - dependencies: - {role: dhparams} + - {role: pki} - {role: saslauthd} diff --git a/roles/sendmail/tasks/main.yml b/roles/sendmail/tasks/main.yml index 117b47c..c247eed 100644 --- a/roles/sendmail/tasks/main.yml +++ b/roles/sendmail/tasks/main.yml 
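Review bot: Certificates that share an OpenSSL subject hash overwrite each other in `$tmpdir`: every file is written as `<hash>.0`, whereas the OpenSSL lookup convention (what c_rehash produces) uses `.0`, `.1`, … for collisions, so a CA whose hash collides with another one in ca-bundle.crt is silently dropped from /etc/mail/certs. Compute the hash once and pick the first free suffix, as below. Separately, `exit 1` is used to mean "nothing changed", and the handler hunk in roles/sendmail/handlers/main.yml masks it with `failed_when: false` — which also masks genuine failures raised by `set -eu`; a distinct code such as `exit 3` for the unchanged case with `failed_when: result.rc not in [0, 3]` in the handler keeps real errors visible. The `rm -rf /etc/mail/certs` followed by `mv` also leaves a short window with no certificate directory at all; renaming the old directory aside first and removing it after the move is cheap.
```shell
# … unchanged: set -eu, umask, tmpdir/trap setup …
}' /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca.crt | while read -r CERT; do
    hash="$(echo "$CERT" | base64 -d | openssl x509 -inform DER -hash -noout)"
    i=0
    # OpenSSL lookup convention: <hash>.0, <hash>.1, ... for colliding subjects
    while [ -e "${tmpdir}/${hash}.${i}" ]; do i=$((i + 1)); done
    echo "$CERT" | base64 -d | openssl x509 -inform DER > "${tmpdir}/${hash}.${i}"
done
# … unchanged: diff against /etc/mail/certs and swap-in …
```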
@@ -16,6 +16,22 @@ owner: root group: "{{ ansible_wheel }}" +- name: Add script to update root certs + ansible.builtin.copy: + dest: /usr/local/sbin/update-sendmail-certs + src: update-sendmail-certs.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + notify: Update sendmail root certs + +- name: Add cronjob to update root certs + ansible.builtin.cron: + name: update-sendmail-certs + job: /usr/local/sbin/update-sendmail-certs + hour: "05" + minute: "30" + - name: Copy private key ansible.builtin.copy: dest: "{{ tls_private }}/{{ mail_server }}.key" From ec3b486e7c22c3da3f50547b2794a62fef831a90 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 18:46:40 +0000 Subject: [PATCH 176/596] collab: Fix extra newline from graphviz repo conf --- roles/collab/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/collab/tasks/main.yml b/roles/collab/tasks/main.yml index 9af4c7b..6a51371 100644 --- a/roles/collab/tasks/main.yml +++ b/roles/collab/tasks/main.yml @@ -2,7 +2,7 @@ - name: Add graphviz repository ansible.builtin.yum_repository: name: graphviz - baseurl: > + baseurl: >- {{ "https://www2.graphviz.org" + "/Packages/stable/centos/$releasever/os/$basearch/" From dfe1ea7db334133eb17f7a7e7cbb88bd99b46f4d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 19:33:26 +0000 Subject: [PATCH 177/596] Set scanservjs version --- hosts.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts.yml b/hosts.yml index 1aae5c9..41bcf57 100644 --- a/hosts.yml +++ b/hosts.yml @@ -110,6 +110,8 @@ relay: sane: hosts: sane02.home.foo.sh: + vars: + scanservjs_version: "v3.0.3" shell: hosts: shell01.foo.sh: From 0a0074873244186e6df5311d1f8bc5a31cb4d9ed Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 19:33:40 +0000 Subject: [PATCH 178/596] Update software subrepo --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index 270b14c..2c232f1 160000 
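Review bot: The `Update sendmail root certs` handler is notified only by `Add script to update root certs`, i.e. when the script itself changes, so a new ca.crt delivered by the pki role this role now depends on (meta change in the same commit) is not reflected in /etc/mail/certs until the 05:30 cron run; if the pki role exposes a handler or registered result for ca.crt changes, chain this handler to it, otherwise note the up-to-daily delay in a comment on the cron task. The cron `job:` uses the absolute path `/usr/local/sbin/update-sendmail-certs` while the handler's `argv` calls bare `update-sendmail-certs` and relies on PATH containing /usr/local/sbin; using the absolute path in both removes that dependence on the handler's environment.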
--- a/software +++ b/software @@ -1 +1 @@ -Subproject commit 270b14ce153c3cf80de744d8d4128f2506a7e3d0 +Subproject commit 2c232f1654ea87f26c2248a1ff18b925f5c96c18 From 7229b6bad7d5ff5ff27f57bf86c400f152063595 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 19:51:35 +0000 Subject: [PATCH 179/596] pki: Fix running ansible with check option --- roles/pki/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/pki/tasks/main.yml b/roles/pki/tasks/main.yml index 3e20d68..c6aac08 100644 --- a/roles/pki/tasks/main.yml +++ b/roles/pki/tasks/main.yml @@ -73,6 +73,7 @@ - "{{ tls_certs }}/{{ inventory_hostname }}.crt" - "{{ tls_certs }}/ca.crt" changed_when: false + check_mode: false register: pki_host_fullchain - name: Copy full chain certificate file From cb3961001956f91a2b65993f6d21916b3a715562 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 20:17:19 +0000 Subject: [PATCH 180/596] ldap_server: Fix running role in check mode --- roles/ldap_server/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index 1e1389e..3d9a76e 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml @@ -168,6 +168,7 @@ delegate_to: localhost register: result changed_when: false + check_mode: false tags: certificates - name: Link server chain certificate From b229c177183b146596475e9f3127f0495e10fd58 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 20:17:31 +0000 Subject: [PATCH 181/596] pki: Store local CA hash even in check mode --- roles/pki/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/pki/tasks/main.yml b/roles/pki/tasks/main.yml index c6aac08..90d160e 100644 --- a/roles/pki/tasks/main.yml +++ b/roles/pki/tasks/main.yml @@ -24,6 +24,7 @@ delegate_to: localhost register: result changed_when: false + check_mode: false - name: Store ca certificate hash ansible.builtin.set_fact: 
From 525565073bd971d4e121bd0a21e4d9233026a397 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 21:00:17 +0000 Subject: [PATCH 182/596] mongodb: Fix running role in check mode --- roles/mongodb/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index de1390e..f7d5747 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml @@ -61,6 +61,7 @@ - "{{ tls_certs }}/{{ inventory_hostname }}.crt" - "{{ tls_private }}/{{ inventory_hostname }}.key" changed_when: false + check_mode: false register: mongodb_cert_key - name: Create combined certificate/private key file From a3de09e2f2395b553d13b6527777f306239ffd90 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 21:10:36 +0000 Subject: [PATCH 183/596] mongodb: Don't hardcode os release version --- roles/mongodb/tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index f7d5747..d1dafa9 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml @@ -17,7 +17,8 @@ - name: Enable repository ansible.builtin.yum_repository: name: mongodb - baseurl: https://repo.mongodb.org/yum/redhat/8/mongodb-org/6.0/x86_64 + baseurl: >- + https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/6.0/x86_64 description: MongoDB gpgcheck: true gpgkey: https://www.mongodb.org/static/pgp/server-6.0.asc From ead2775c41d11ba8655f806c3b1a0c64976dbca2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 21:16:29 +0000 Subject: [PATCH 184/596] shelly_firmware: Fix lint errors --- roles/shelly_firmware/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/shelly_firmware/tasks/main.yml b/roles/shelly_firmware/tasks/main.yml index 2d1dd3a..db0e0ea 100644 --- a/roles/shelly_firmware/tasks/main.yml +++ b/roles/shelly_firmware/tasks/main.yml 
@@ -8,7 +8,7 @@ ansible.builtin.file: path: /srv/web/iot.foo.sh/shelly state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -16,7 +16,7 @@ ansible.builtin.copy: dest: /usr/local/bin/download-shelly-firmware src: download-shelly-firmware.sh - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" From 6bef2b01654c6c5fb19dc5f54733f87ad16e111f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 21:18:09 +0000 Subject: [PATCH 185/596] routeros_firmware: Fix lint errors --- roles/routeros_firmware/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/routeros_firmware/tasks/main.yml b/roles/routeros_firmware/tasks/main.yml index a9fbc97..39d244b 100644 --- a/roles/routeros_firmware/tasks/main.yml +++ b/roles/routeros_firmware/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.file: path: /srv/web/oob.foo.sh/routeros state: directory - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" @@ -19,7 +19,7 @@ /system reboot /system package update print ``` - mode: 0644 + mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -27,7 +27,7 @@ ansible.builtin.copy: dest: /usr/local/bin/download-routeros-firmware src: download-routeros-firmware.sh - mode: 0755 + mode: "0755" owner: root group: "{{ ansible_wheel }}" From cbe78a3bd0ee8c7cc0898ac46238c352698cb85c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 13 Mar 2024 21:24:21 +0000 Subject: [PATCH 186/596] frigate: Fix lint errors --- roles/frigate/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml index acc781e..7f5e321 100644 --- a/roles/frigate/tasks/main.yml +++ b/roles/frigate/tasks/main.yml @@ -100,4 +100,3 @@ owner: root group: "{{ ansible_wheel }}" notify: Restart apache - From 7ba39e01c7560ad344dc1d205d9e8db5189e097e Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Wed, 13 Mar 2024 21:25:55 +0000 Subject: [PATCH 187/596] Remove unnecessary comments --- playbooks/log.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/playbooks/log.yml b/playbooks/log.yml index 5ea13da..2c7fcf4 100644 --- a/playbooks/log.yml +++ b/playbooks/log.yml @@ -25,7 +25,6 @@ roles: - base - #- web_logs tasks: - name: Install extra packages From cd1f83bb681deeef43537c941a2a942d64abf544 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 15 Mar 2024 15:27:57 +0000 Subject: [PATCH 188/596] Add list of reserved ports by containers --- container-ports.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 container-ports.md diff --git a/container-ports.md b/container-ports.md new file mode 100644 index 0000000..9782749 --- /dev/null +++ b/container-ports.md @@ -0,0 +1,11 @@ +# Ports used by container web services + +Port | Ansible role | Service name +-----|--------------------------------------- +8001 | kerberos_kdc | Kerberos KDC +8002 | grafana | Grafana +8003 | authcheck | Authentication check +8004 | roundcube | Roundcube webmail +8005 | php4dvd | php4dvd movie catalog +8006 | scanservjs | SANE Scanner webui +8007 | frigate | Network video recorder From 6e58bc2a60d2d3df2b6c92836c1d59b03227561a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 15 Mar 2024 15:30:26 +0000 Subject: [PATCH 189/596] Reformat table --- container-ports.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/container-ports.md b/container-ports.md index 9782749..3506ce0 100644 --- a/container-ports.md +++ b/container-ports.md 
@@ -1,11 +1,11 @@ # Ports used by container web services -Port | Ansible role | Service name ------|--------------------------------------- -8001 | kerberos_kdc | Kerberos KDC -8002 | grafana | Grafana -8003 | authcheck | Authentication check -8004 | roundcube | Roundcube webmail -8005 | php4dvd | php4dvd movie catalog -8006 | scanservjs | SANE Scanner webui -8007 | frigate | Network video recorder +| Port | Ansible role | Service name | +|------|---------------------------------------- +| 8001 | kerberos_kdc | Kerberos KDC | +| 8002 | grafana | Grafana | +| 8003 | authcheck | Authentication check | +| 8004 | roundcube | Roundcube webmail | +| 8005 | php4dvd | php4dvd movie catalog | +| 8006 | scanservjs | SANE Scanner webui | +| 8007 | frigate | Network video recorder | From 8465cf1d8b27bf50cf37842aa61dff46ee92c52d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 15 Mar 2024 15:33:09 +0000 Subject: [PATCH 190/596] Try to fix table formatting again --- container-ports.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container-ports.md b/container-ports.md index 3506ce0..3efb0cd 100644 --- a/container-ports.md +++ b/container-ports.md @@ -1,7 +1,7 @@ # Ports used by container web services | Port | Ansible role | Service name | -|------|---------------------------------------- +|------|--------------|------------------------| | 8001 | kerberos_kdc | Kerberos KDC | | 8002 | grafana | Grafana | | 8003 | authcheck | Authentication check | From eba736f107ae411a461049d2da61191352b00f60 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 15 Mar 2024 15:38:00 +0000 Subject: [PATCH 191/596] Convert user.list to markdown --- user.list | 18 ------------------ users.md | 19 +++++++++++++++++++ 2 files changed, 19 insertions(+), 18 deletions(-) delete mode 100644 user.list create mode 100644 users.md diff --git a/user.list b/user.list deleted file mode 100644 index 6e27844..0000000 --- a/user.list +++ /dev/null 
@@ -1,18 +0,0 @@ - -This file lists all users and groups that have reserved uid/gid and are -created using ansible rules. If a user/group pair is created, they share -the same uid/gid. If a user is member of a system group, leave the group -entry empty. If only a group is created, leave the user entry empty. - -id user group notes -------------------------------------------------------------------------------- -301 influxdb influxdb -302 mongod mongod -303 gitea gitea -305 prometheus prometheus -1001 mirror mirror -1002 certbot certbot -1003 collab collab -1004 docker docker docker registry -1005 backup backup -1007 minecraft minecraft diff --git a/users.md b/users.md new file mode 100644 index 0000000..48a6c2b --- /dev/null +++ b/users.md @@ -0,0 +1,19 @@ +# List of reserved UID and GID numbers + +This file lists all users and groups that have reserved uid/gid and are +created using ansible rules. If a user/group pair is created, they share +the same uid/gid. If a user is member of a system group, leave the group +entry empty. If only a group is created, leave the user entry empty. + +| id | user | group | notes | +|------|------------|------------|-----------------| +| 301 | influxdb | influxdb | | +| 302 | mongod | mongod | | +| 303 | gitea | gitea | | +| 305 | prometheus | prometheus | | +| 1001 | mirror | mirror | | +| 1002 | certbot | certbot | | +| 1003 | collab | collab | | +| 1004 | docker | docker | docker registry | +| 1005 | backup | backup | | +| 1007 | minecraft | minecraft | | From 8df5271accb6feedc57e640c4708d9330e10b703 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 15 Mar 2024 15:58:23 +0000 Subject: [PATCH 192/596] mongodb: Fix mongo client cmd for mongo 6.0 --- roles/mongodb/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index d1dafa9..71ad3ce 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml 
@@ -111,7 +111,7 @@ ansible.builtin.lineinfile: path: /root/.bashrc line: > - alias mongo='mongo + alias mongosh='mongosh --tlsCertificateKeyFile {{ tls_private }}/mongodb.pem --tlsCAFile {{ tls_certs }}/ca.crt --tls mongodb://{{ inventory_hostname }}/' From 7489a0c89531e93b7bf5887541c82b9f6638ec55 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 15 Mar 2024 17:16:16 +0000 Subject: [PATCH 193/596] homeassistant: Move container to different port --- container-ports.md | 19 ++++++++++--------- roles/homeassistant/tasks/main.yml | 2 +- .../homeassistant-container.service.j2 | 2 +- 3 files changed, 12 insertions(+), 11 deletions(-) diff --git a/container-ports.md b/container-ports.md index 3efb0cd..3fc1018 100644 --- a/container-ports.md +++ b/container-ports.md @@ -1,11 +1,12 @@ # Ports used by container web services -| Port | Ansible role | Service name | -|------|--------------|------------------------| -| 8001 | kerberos_kdc | Kerberos KDC | -| 8002 | grafana | Grafana | -| 8003 | authcheck | Authentication check | -| 8004 | roundcube | Roundcube webmail | -| 8005 | php4dvd | php4dvd movie catalog | -| 8006 | scanservjs | SANE Scanner webui | -| 8007 | frigate | Network video recorder | +| Port | Ansible role | Service name | +|------|----------------|------------------------| +| 8001 | kerberos_kdc | Kerberos KDC | +| 8002 | grafana | Grafana | +| 8003 | authcheck | Authentication check | +| 8004 | roundcube | Roundcube webmail | +| 8005 | php4dvd | php4dvd movie catalog | +| 8006 | scanservjs | SANE Scanner webui | +| 8007 | frigate | Network video recorder | +| 8008 | hoemeassistant | Home Assistant | diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index 4d6e1bb..2a510a0 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml 
@@ -148,7 +148,7 @@ dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/homeassistant.conf" content: | location / { - proxy_pass http://127.0.0.1:8001; + proxy_pass http://127.0.0.1:8008; } mode: "0644" owner: root diff --git a/roles/homeassistant/templates/homeassistant-container.service.j2 b/roles/homeassistant/templates/homeassistant-container.service.j2 index 28d325e..9f14fa7 100644 --- a/roles/homeassistant/templates/homeassistant-container.service.j2 +++ b/roles/homeassistant/templates/homeassistant-container.service.j2 @@ -6,7 +6,7 @@ After=network-online.target [Service] User=ha ExecStart=/usr/bin/podman run \ - --rm -p 127.0.0.1:8001:8123 \ + --rm -p 127.0.0.1:8008:8123 \ --name homeassistant \ --env TZ=Europe/Helsinki \ --userns keep-id \ From 1f10474860222d46bd8d1ac84ea931025af491c5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 16 Mar 2024 16:13:56 +0000 Subject: [PATCH 194/596] mongosh: Use startup params and enable replset --- roles/mongodb/tasks/main.yml | 43 +++++++++++++++++++------- roles/mongodb/templates/mongod.conf.j2 | 2 +- 2 files changed, 33 insertions(+), 12 deletions(-) diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index 71ad3ce..41c12a2 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml 
@@ -82,20 +82,39 @@ owner: root group: "{{ ansible_wheel }}" +- name: Create configuration directory + ansible.builtin.file: + path: /etc/mongod + state: directory + mode: 0750 + owner: root + group: mongod + +- name: Copy keyfile + ansible.builtin.copy: + dest: /etc/mongod/mongod.key + src: "{{ ansible_private }}/files/mongod/mongod.key" + mode: "0400" + owner: mongod + group: mongod + notify: Restart mongod + - name: Configure startup options ansible.builtin.copy: dest: /etc/sysconfig/mongod content: | - OPTIONS="-f /etc/mongod.conf --logRotate reopen" - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - notify: Restart mongod - -- name: Create configuration - ansible.builtin.template: - dest: /etc/mongod.conf - src: mongod.conf.j2 + OPTIONS="-f /etc/mongod.conf \ + --auth \ + --bind_ip_all \ + --dbpath /srv/mongodb \ + --keyFile /etc/mongod/mongod.key \ + --logRotate reopen \ + --nounixsocket + --replSet rs0 \ + --tlsMode requireTLS \ + --tlsCertificateKeyFile {{ tls_private }}/mongodb.pem + --tlsCAFile {{ tls_certs }}/ca.crt + --tlsDisabledProtocols TLS1_0,TLS1_1,TLS1_2" mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -114,5 +133,7 @@ alias mongosh='mongosh --tlsCertificateKeyFile {{ tls_private }}/mongodb.pem --tlsCAFile {{ tls_certs }}/ca.crt + --username root + --password {{ mongodb_root_password }} --tls mongodb://{{ inventory_hostname }}/' - regexp: ^alias mongo=.* + regexp: ^alias mongosh=.* diff --git a/roles/mongodb/templates/mongod.conf.j2 b/roles/mongodb/templates/mongod.conf.j2 index a05d000..dd90429 100644 --- a/roles/mongodb/templates/mongod.conf.j2 +++ b/roles/mongodb/templates/mongod.conf.j2 @@ -19,5 +19,5 @@ net: bindIpAll: true tls: mode: requireTLS - certificateKeyFile: /etc/pki/tls/private/mongodb.pem + certificateKeyFile: {{ tls_private }}/mongodb.pem CAFile: {{ tls_certs }}/ca.crt From 1952f5f96e4132735fac9064601a4544a88f85ef Mon Sep 17 00:00:00 2001 
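Review bot: In the new OPTIONS block the `--nounixsocket`, `--tlsCertificateKeyFile …` and `--tlsCAFile …` lines are the only ones without a trailing `\`, so the quoted value contains bare newlines; whether the loader of /etc/sysconfig/mongod treats those as argument separators is loader-dependent, so give the three lines the same ` \` continuation as the rest. The same hunk deletes the 'Create configuration' task that rendered mongod.conf.j2 while still passing `-f /etc/mongod.conf` (and the commit edits mongod.conf.j2 below), so unless the template is rendered elsewhere /etc/mongod.conf will no longer be managed. `mode: 0750` on the new directory task is an unquoted octal where the sibling task writes `mode: "0400"`; use `mode: "0750"`. `--tlsDisabledProtocols TLS1_0,TLS1_1,TLS1_2` leaves TLS 1.3 as the only accepted version, which is worth a comment since every client of this server must then negotiate 1.3.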
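Review bot: The alias extended with `--password {{ mongodb_root_password }}` writes the MongoDB root password in clear text into /root/.bashrc and puts it on the mongosh command line, where it is visible in process listings and shell history for the lifetime of each session. Prefer `--password` without a value, which makes mongosh prompt, so the two added lines become `--username root` and `--password`. The lineinfile task's `path:` and `line:` header are outside this hunk.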
From: Timo Makinen Date: Sat, 16 Mar 2024 18:00:27 +0000 Subject: [PATCH 195/596] rocketchat: First version of role --- container-ports.md | 1 + playbooks/oci-node.yml | 1 + roles/rocketchat/defaults/main.yml | 2 + roles/rocketchat/handlers/main.yml | 6 ++ roles/rocketchat/meta/main.yml | 3 + roles/rocketchat/tasks/main.yml | 74 +++++++++++++++++++ .../templates/rocketchat-container.service.j2 | 21 ++++++ .../rocketchat-container.sysconfig.j2 | 3 + 8 files changed, 111 insertions(+) create mode 100644 roles/rocketchat/defaults/main.yml create mode 100644 roles/rocketchat/handlers/main.yml create mode 100644 roles/rocketchat/meta/main.yml create mode 100644 roles/rocketchat/tasks/main.yml create mode 100644 roles/rocketchat/templates/rocketchat-container.service.j2 create mode 100644 roles/rocketchat/templates/rocketchat-container.sysconfig.j2 diff --git a/container-ports.md b/container-ports.md index 3fc1018..63429e3 100644 --- a/container-ports.md +++ b/container-ports.md @@ -10,3 +10,4 @@ | 8006 | scanservjs | SANE Scanner webui | | 8007 | frigate | Network video recorder | | 8008 | hoemeassistant | Home Assistant | +| 8009 | rocketchat | Rocket.Chat | diff --git a/playbooks/oci-node.yml b/playbooks/oci-node.yml index 5d2a8c7..77c57fd 100644 --- a/playbooks/oci-node.yml +++ b/playbooks/oci-node.yml @@ -33,3 +33,4 @@ when: ansible_fqdn == 'oci-node01.home.foo.sh' - role: roundcube when: ansible_fqdn == 'oci-node01.home.foo.sh' + - rocketchat diff --git a/roles/rocketchat/defaults/main.yml b/roles/rocketchat/defaults/main.yml new file mode 100644 index 0000000..6b40b0a --- /dev/null +++ b/roles/rocketchat/defaults/main.yml @@ -0,0 +1,2 @@ +--- +rocketchat_versin: default diff --git a/roles/rocketchat/handlers/main.yml b/roles/rocketchat/handlers/main.yml new file mode 100644 index 0000000..93b2616 --- /dev/null +++ b/roles/rocketchat/handlers/main.yml 
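Review bot: `- rocketchat` in playbooks/oci-node.yml is added without the `when: ansible_fqdn == 'oci-node01.home.foo.sh'` guard that the neighbouring roles in this play carry, so the role runs on every host of the play; if that is intended it deserves a comment, otherwise use the `- role: rocketchat` / `when:` form of the lines above.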
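Review bot: `rocketchat_versin` in the new defaults file does not match `rocketchat_version`, which the service template in this commit expands into the image tag, so the role fails on an undefined variable unless the correctly spelled name is set elsewhere; rename it to `rocketchat_version`. The value `default` also ends up as the literal tag `rocket.chat:default-alpine`, which presumably is not a published tag — if a real version is expected here, document the expected form, e.g. `rocketchat_version: "<VERSION-PLACEHOLDER>"` with a comment.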
@@ -0,0 +1,6 @@ +--- +- name: Restart rocketchat + ansible.builtin.systemd: + name: rocketchat-container + daemon_reload: true + state: restarted diff --git a/roles/rocketchat/meta/main.yml b/roles/rocketchat/meta/main.yml new file mode 100644 index 0000000..700494e --- /dev/null +++ b/roles/rocketchat/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: podman} diff --git a/roles/rocketchat/tasks/main.yml b/roles/rocketchat/tasks/main.yml new file mode 100644 index 0000000..07fd33a --- /dev/null +++ b/roles/rocketchat/tasks/main.yml 
@@ -0,0 +1,74 @@ +--- +- name: Create group + ansible.builtin.group: + name: rocketchat + +- name: Create user + ansible.builtin.user: + name: rocketchat + comment: Podman Rocket.Chat + group: rocketchat + shell: /sbin/nologin + +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - rocketchat + creates: /var/lib/systemd/linger/rocketchat + +- name: Generate combined certificate/private key file contents + ansible.builtin.command: + argv: + - /bin/cat + - "{{ tls_certs }}/{{ inventory_hostname }}.crt" + - "{{ tls_private }}/{{ inventory_hostname }}.key" + changed_when: false + check_mode: false + register: rocketchat_cert_key + +- name: Create combined certificate/private key file + ansible.builtin.copy: + dest: "{{ tls_private }}/rocketchat.pem" + content: "{{ rocketchat_cert_key.stdout }}" + mode: "0640" + owner: root + group: rocketchat + notify: Restart rocketchat + +- name: Create service config + ansible.builtin.template: + dest: /etc/sysconfig/rocketchat-container + src: rocketchat-container.sysconfig.j2 + mode: "0600" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart rocketchat + +- name: Create service file + ansible.builtin.template: + dest: /etc/systemd/system/rocketchat-container.service + src: rocketchat-container.service.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart rocketchat + +- name: Enable service + ansible.builtin.service: + name: rocketchat-container + state: started + enabled: true + +- name: Copy nginx config + ansible.builtin.copy: + dest: /etc/nginx/conf.d/{{ inventory_hostname }}/rocketchat-container.conf + content: | + location /rocketchat/ { + proxy_pass http://127.0.0.1:8008/; + } + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart nginx diff --git a/roles/rocketchat/templates/rocketchat-container.service.j2 b/roles/rocketchat/templates/rocketchat-container.service.j2 new file mode 100644 index 0000000..acbb866 
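Review bot: `proxy_pass http://127.0.0.1:8008/;` in 'Copy nginx config' (and `-p 127.0.0.1:8008:3000` in the service template of this commit) reuses the host port the previous commit assigned to Home Assistant, while container-ports.md in this same commit reserves 8009 for rocketchat; both should use 8009. The 'Generate combined certificate/private key file contents' task registers the host's private key in `rocketchat_cert_key`, so it is printed with `-v` and lands in any callback log; add `no_log: true` to that task and to 'Create combined certificate/private key file', which writes the same content back out. The `Create user` task also lacks the `system: true` that the comparable service accounts in this repository use, so the account is created with a regular UID.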
--- /dev/null +++ b/roles/rocketchat/templates/rocketchat-container.service.j2 @@ -0,0 +1,21 @@ +[Unit] +Description=Rocket.Chat Container +Wants=network-online.target +After=network-online.target + +[Service] +User=rocketchat +EnvironmentFile=/etc/sysconfig/rocketchat-container +ExecStartPre=/usr/bin/podman pull docker.io/rocketchat/rocket.chat:{{ rocketchat_version }}-alpine +ExecStart=/usr/bin/podman run \ + --rm -p 127.0.0.1:8008:3000 \ + --name rocketchat \ + --volume={{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \ + --volume={{ tls_private }}/rocketchat.pem:/etc/ssl/private/rocketchat.pem:ro \ + --env ROOT_URL --env MONGO_URL --env MONGO_OPLOG_URL \ + docker.io/rocketchat/rocket.chat:{{ rocketchat_version }}-alpine +ExecStop=/usr/bin/podman stop --ignore rocketchat +ExecStopPost=/usr/bin/podman rm -f --ignore rocketchat + +[Install] +WantedBy=multi-user.target diff --git a/roles/rocketchat/templates/rocketchat-container.sysconfig.j2 b/roles/rocketchat/templates/rocketchat-container.sysconfig.j2 new file mode 100644 index 0000000..e023f32 --- /dev/null +++ b/roles/rocketchat/templates/rocketchat-container.sysconfig.j2 @@ -0,0 +1,3 @@ +ROOT_URL="https://chat.foo.sh/" +MONGO_URL="mongodb://rocketchat:{{ rocketchat_mongodb_pass }}@mongodb01.home.foo.sh:27017/rocketchat?tls=true&tlscafile=/etc/ssl/certs/ca.crt&tlscertificatekeyfile=/etc/ssl/private/rocketchat.pem" +MONGO_OPLOG_URL="mongodb://mongodb01.home.foo.sh:27017/local" From 92ca4fcba40b90adfddb3822003c0226ebdb4069 Mon Sep 17 00:00:00 2001 
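Review bot: `ExecStartPre=/usr/bin/podman pull docker.io/rocketchat/rocket.chat:{{ rocketchat_version }}-alpine` re-resolves a mutable tag on every service start, so what actually runs can change without any change in this repository; pinning by digest (`rocket.chat:{{ rocketchat_version }}-alpine@sha256:<DIGEST-PLACEHOLDER>`) or moving the pull into the role so image updates are a deliberate, reviewable step keeps deployments reproducible. A comment in the unit saying why the pull happens at start time would help either way.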
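Review bot: `MONGO_OPLOG_URL="mongodb://mongodb01.home.foo.sh:27017/local"` carries neither credentials nor the `tls=true&tlscafile=…&tlscertificatekeyfile=…` options that MONGO_URL on the line above has, while the mongodb role in patch 194 starts the server with `--auth` and `--tlsMode requireTLS`; unless the oplog is reached some other way that connection will be refused, so the same query string and a user with read access to `local` are presumably needed. ROOT_URL is `https://chat.foo.sh/` but the nginx snippet in tasks/main.yml proxies `location /rocketchat/`, so one of the two paths looks wrong — worth confirming which is intended.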
From: Timo Makinen Date: Wed, 20 Mar 2024 20:32:14 +0000 Subject: [PATCH 196/596] nginx_exporter First version of role --- roles/nginx_exporter/defaults/main.yml | 2 + roles/nginx_exporter/handlers/main.yml | 6 ++ roles/nginx_exporter/tasks/main.yml | 83 +++++++++++++++++++ .../templates/nginx_exporter.service.j2 | 23 +++++ .../templates/web-config.yml.j2 | 11 +++ 5 files changed, 125 insertions(+) create mode 100644 roles/nginx_exporter/defaults/main.yml create mode 100644 roles/nginx_exporter/handlers/main.yml create mode 100644 roles/nginx_exporter/tasks/main.yml create mode 100644 roles/nginx_exporter/templates/nginx_exporter.service.j2 create mode 100644 roles/nginx_exporter/templates/web-config.yml.j2 diff --git a/roles/nginx_exporter/defaults/main.yml b/roles/nginx_exporter/defaults/main.yml new file mode 100644 index 0000000..863f6d4 --- /dev/null +++ b/roles/nginx_exporter/defaults/main.yml @@ -0,0 +1,2 @@ +--- +nginx_exporter_pkg: "nginx-prometheus-exporter_{{ nginx_exporter_version }}_linux_amd64" diff --git a/roles/nginx_exporter/handlers/main.yml b/roles/nginx_exporter/handlers/main.yml new file mode 100644 index 0000000..690f1c7 --- /dev/null +++ b/roles/nginx_exporter/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart nginx_exporter + ansible.builtin.systemd: + name: nginx_exporter + daemon_reload: true + state: restarted diff --git a/roles/nginx_exporter/tasks/main.yml b/roles/nginx_exporter/tasks/main.yml new file mode 100644 index 0000000..1c94615 --- /dev/null +++ b/roles/nginx_exporter/tasks/main.yml 
@@ -0,0 +1,83 @@ +--- +- name: Create group + ansible.builtin.group: + name: nginx_exporter + system: true + +- name: Create user + ansible.builtin.user: + name: nginx_exporter + comment: Prometheus NGINX Exporter + group: nginx_exporter + groups: hostkey + create_home: false + home: /var/empty + shell: /sbin/nologin + system: true + +- name: Download package + ansible.builtin.get_url: + url: https://github.com/nginxinc/nginx-prometheus-exporter/releases/download/v{{ nginx_exporter_version }}/{{ nginx_exporter_pkg }}.tar.gz + dest: "/usr/local/src/{{ nginx_exporter_pkg }}.tar.gz" + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + +- name: Create directory for extracing package + ansible.builtin.file: + path: "/usr/local/src/{{ nginx_exporter_pkg }}" + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Extract nginx_exporter + ansible.builtin.unarchive: + src: "/usr/local/src/{{ nginx_exporter_pkg }}.tar.gz" + dest: "/usr/local/src/{{ nginx_exporter_pkg }}" + owner: root + group: "{{ ansible_wheel }}" + creates: "/usr/local/src/{{ nginx_exporter_pkg }}/nginx-prometheus-exporter" + remote_src: true + +- name: Copy binary + ansible.builtin.copy: + dest: "/usr/local/bin/nginx_exporter" + src: "/usr/local/src/{{ nginx_exporter_pkg }}/nginx-prometheus-exporter" + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + remote_src: true + notify: Restart nginx_exporter + +- name: Create config directory + ansible.builtin.file: + path: /etc/nginx_exporter + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Create web-config + ansible.builtin.template: + dest: /etc/nginx_exporter/web-config.yml + src: web-config.yml.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart nginx_exporter + +- name: Create service file + ansible.builtin.template: + dest: /etc/systemd/system/nginx_exporter.service + src: nginx_exporter.service.j2 + mode: "0644" + owner: root + 
group: "{{ ansible_wheel }}" + notify: Restart nginx_exporter + +- name: Enable service + ansible.builtin.service: + name: nginx_exporter + state: started + enabled: true diff --git a/roles/nginx_exporter/templates/nginx_exporter.service.j2 b/roles/nginx_exporter/templates/nginx_exporter.service.j2 new file mode 100644 index 0000000..d9356ca --- /dev/null +++ b/roles/nginx_exporter/templates/nginx_exporter.service.j2 @@ -0,0 +1,23 @@ +[Unit] +Description=Prometheus NGINX Exporter +After=syslog.target +After=network.target + +[Service] +Type=simple +User=nginx_exporter +Group=nginx_exporter +#Environment="SCRAPE_URI={% for host in groups['proxy'] -%}https://{{ host }}/stub_status {% endfor %}" +ExecStart=/usr/local/bin/nginx_exporter \ + --web.config.file=/etc/nginx_exporter/web-config.yml \ +{% for host in groups['proxy'] %} + --nginx.scrape-uri=https://{{ host }}/stub_status \ +{% endfor %} + --nginx.ssl-ca-cert={{ tls_certs }}/ca.crt \ + --nginx.ssl-client-cert={{ tls_certs }}/{{ inventory_hostname }}.crt \ + --nginx.ssl-client-key={{ tls_private }}/{{ inventory_hostname }}.key + +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/roles/nginx_exporter/templates/web-config.yml.j2 b/roles/nginx_exporter/templates/web-config.yml.j2 new file mode 100644 index 0000000..03e5466 --- /dev/null +++ b/roles/nginx_exporter/templates/web-config.yml.j2 @@ -0,0 +1,11 @@ +--- +tls_server_config: + key_file: {{ tls_private }}/{{ inventory_hostname }}.key + cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt + client_ca_file: {{ tls_certs }}/ca.crt + client_auth_type: RequireAndVerifyClientCert + client_allowed_sans: +{% for host in groups['prometheus'] %} + - {{ host }} +{% endfor %} + min_version: TLS13 From 6e4cbe8b4007bc299b1b53391e3e49ba939bbe86 Mon Sep 17 00:00:00 2001 
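Review bot: 'Download package' fetches the release tarball with `ansible.builtin.get_url` but no `checksum:`, so a substituted archive would be extracted and installed as /usr/local/bin/nginx_exporter without anything noticing; the upstream release publishes checksums, so add `checksum: "sha256:<CHECKSUM-PLACEHOLDER>"` (or the URL of the published checksum file) next to `url:`. The task name `Create directory for extracing package` has a typo (`extracting`). The hunk starts on the previous line.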
From: Timo Makinen Date: Wed, 20 Mar 2024 20:44:04 +0000 Subject: [PATCH 197/596] nginx_exporter: Remove empty line --- roles/nginx_exporter/templates/nginx_exporter.service.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/nginx_exporter/templates/nginx_exporter.service.j2 b/roles/nginx_exporter/templates/nginx_exporter.service.j2 index d9356ca..133f770 100644 --- a/roles/nginx_exporter/templates/nginx_exporter.service.j2 +++ b/roles/nginx_exporter/templates/nginx_exporter.service.j2 @@ -16,7 +16,6 @@ ExecStart=/usr/local/bin/nginx_exporter \ --nginx.ssl-ca-cert={{ tls_certs }}/ca.crt \ --nginx.ssl-client-cert={{ tls_certs }}/{{ inventory_hostname }}.crt \ --nginx.ssl-client-key={{ tls_private }}/{{ inventory_hostname }}.key - Restart=always [Install] From a7432b2208ae471101732b15123715451fe42052 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 20 Mar 2024 20:44:43 +0000 Subject: [PATCH 198/596] Add nginx_exporter to prometheus servers --- hosts.yml | 1 + playbooks/prometheus.yml | 1 + roles/prometheus/templates/prometheus.yml.j2 | 10 ++++++++++ 3 files changed, 12 insertions(+) diff --git a/hosts.yml b/hosts.yml index 41bcf57..f211541 100644 --- a/hosts.yml +++ b/hosts.yml @@ -99,6 +99,7 @@ prometheus: prometheus02.home.foo.sh: vars: mysqld_exporter_version: "0.15.1" + nginx_exporter_version: "1.1.0" proxy: hosts: proxy01.home.foo.sh: diff --git a/playbooks/prometheus.yml b/playbooks/prometheus.yml index 856b0a3..cef9acf 100644 --- a/playbooks/prometheus.yml +++ b/playbooks/prometheus.yml @@ -27,3 +27,4 @@ - base - prometheus - mysqld_exporter + - nginx_exporter diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2 index 49520f9..ee9c9cb 100644 --- a/roles/prometheus/templates/prometheus.yml.j2 +++ b/roles/prometheus/templates/prometheus.yml.j2 
@@ -29,6 +29,16 @@ scrape_configs: - target_label: __address__ replacement: {{ inventory_hostname }}:9104 + - job_name: nginx + scheme: https + tls_config: + ca_file: "{{ tls_certs }}/ca.crt" + key_file: "{{ tls_private }}/{{ inventory_hostname }}.key" + cert_file: "{{ tls_certs }}/{{ inventory_hostname }}.crt" + static_configs: + - targets: + - {{ inventory_hostname }}:9113 + - job_name: snmp scheme: https tls_config: From 7f5a66e6c81d82d73611ac3857ea5a3f1e23a080 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 20 Mar 2024 20:45:56 +0000 Subject: [PATCH 199/596] nginx_exporter: Remove unused test lines --- roles/nginx_exporter/templates/nginx_exporter.service.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/nginx_exporter/templates/nginx_exporter.service.j2 b/roles/nginx_exporter/templates/nginx_exporter.service.j2 index 133f770..bf1eb12 100644 --- a/roles/nginx_exporter/templates/nginx_exporter.service.j2 +++ b/roles/nginx_exporter/templates/nginx_exporter.service.j2 @@ -7,7 +7,6 @@ After=network.target Type=simple User=nginx_exporter Group=nginx_exporter -#Environment="SCRAPE_URI={% for host in groups['proxy'] -%}https://{{ host }}/stub_status {% endfor %}" ExecStart=/usr/local/bin/nginx_exporter \ --web.config.file=/etc/nginx_exporter/web-config.yml \ {% for host in groups['proxy'] %} From 122e27518b18358f57f67b5626b131cb28fcc734 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 20 Mar 2024 20:47:41 +0000 Subject: [PATCH 200/596] snmp_exporter: Don't hardcode prometheus servers --- roles/snmp_exporter/templates/web-config.yml.j2 | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/snmp_exporter/templates/web-config.yml.j2 b/roles/snmp_exporter/templates/web-config.yml.j2 index b88b84e..eb60f11 100644 --- a/roles/snmp_exporter/templates/web-config.yml.j2 +++ b/roles/snmp_exporter/templates/web-config.yml.j2 
@@ -5,8 +5,7 @@ tls_server_config: client_ca_file: {{ tls_certs }}/ca.crt client_auth_type: RequireAndVerifyClientCert client_allowed_sans: - - prometheus01.home.foo.sh - - prometheus02.home.foo.sh - - prometheus03.home.foo.sh - - prometheus04.home.foo.sh +{% for host in groups['prometheus'] %} + - {{ host }} +{% endfor %} min_version: TLS13 From 0618cde4d10fccfa8afae9f1c03d3bbebfb23b3d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 20 Mar 2024 20:48:07 +0000 Subject: [PATCH 201/596] mysqld_exporter: Don't hardcode prometheus servers --- roles/mysqld_exporter/templates/web-config.yml.j2 | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/mysqld_exporter/templates/web-config.yml.j2 b/roles/mysqld_exporter/templates/web-config.yml.j2 index 626169b..25b4d05 100644 --- a/roles/mysqld_exporter/templates/web-config.yml.j2 +++ b/roles/mysqld_exporter/templates/web-config.yml.j2 @@ -4,8 +4,7 @@ tls_server_config: client_ca_file: {{ tls_certs }}/ca.crt client_auth_type: RequireAndVerifyClientCert client_allowed_sans: - - prometheus01.home.foo.sh - - prometheus02.home.foo.sh - - prometheus03.home.foo.sh - - prometheus04.home.foo.sh +{% for host in groups['prometheus'] %} + - {{ host }} +{% endfor %} min_version: TLS13 From 917674bac86108bcff5991e461d2390dedcdb613 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 23 Mar 2024 18:19:00 +0000 Subject: [PATCH 202/596] sshca: First version of role --- playbooks/adm.yml | 1 + roles/sshca/files/signcert.sh | 26 +++++++++++++++++++++++++ roles/sshca/tasks/main.yml | 36 +++++++++++++++++++++++++++++++++++ 3 files changed, 63 insertions(+) create mode 100755 roles/sshca/files/signcert.sh create mode 100644 roles/sshca/tasks/main.yml diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 75a6cda..2219ed5 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml 
@@ -27,6 +27,7 @@ - base - ansible_host - certbot + - sshca - role: keytab keytab_principals: - "host/{{ inventory_hostname }}@{{ kerberos_realm }}" diff --git a/roles/sshca/files/signcert.sh b/roles/sshca/files/signcert.sh new file mode 100755 index 0000000..3d237dd --- /dev/null +++ b/roles/sshca/files/signcert.sh @@ -0,0 +1,26 @@ +#!/bin/sh + +set -eu + +umask 022 + +if [ $# -ne 1 ]; then + echo "Usage: $(basename "$0") " 1>&2 + exit 1 +fi + +_basedir="/srv/sshca" +_name="$1" + +if ! echo "$_name" | grep -Eq '.foo.sh$'; then + echo "ERROR: Only '*.foo.sh' certificates are allowed" 1>&2 + exit 1 +fi + +if [ ! -f "/srv/ansible/facts/${_name}" ]; then + echo "ERROR: Cannot find host '${_name}'" 1>&2 + exit 1 +fi + +ssh-keygen -s "${_basedir}/ca/ca" -I "$_name" -n "$_name" -V -5m:+365d -h \ + "${_basedir}/pubkeys/${_name}.pub" diff --git a/roles/sshca/tasks/main.yml b/roles/sshca/tasks/main.yml new file mode 100644 index 0000000..403c94a --- /dev/null +++ b/roles/sshca/tasks/main.yml @@ -0,0 +1,36 @@ +--- +- name: Create datadirectories + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + with_items: + - /export/sshca + - /export/sshca/pubkeys + +- name: Create CA directory + ansible.builtin.file: + path: "/export/ssh/ca" + state: directory + mode: "0700" + owner: root + group: "{{ ansible_wheel }}" + +- name: Link datadirectory + ansible.builtin.file: + dest: /srv/sshca + src: /export/sshca + state: link + owner: root + group: "{{ ansible_wheel }}" + follow: false + +- name: Copy signing script + ansible.builtin.copy: + dest: /srv/sshca/signcert.sh + src: signcert.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" From df2573a650ae3b81ae957a6d7c7430ddaba25d25 Mon Sep 17 00:00:00 2001 
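Review bot: `grep -Eq '.foo.sh$'` uses unescaped dots, so the check meant to restrict signing to `*.foo.sh` names also accepts any name whose last characters merely resemble the suffix (a constructed `hostfoo.sh` passes); anchor it as `grep -Eq '\.foo\.sh$'`. The usage line `echo "Usage: $(basename "$0") " 1>&2` prints nothing after the script name — presumably a `<hostname>` placeholder was lost — so spell the expected argument out. `-V -5m:+365d` gives every host certificate a one-year validity with no renewal path in this script; a comment on the expected re-signing cadence would help.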
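Review bot: 'Create CA directory' creates `/export/ssh/ca`, but the data directory linked as /srv/sshca is `/export/sshca` and signcert.sh reads the CA from `${_basedir}/ca/ca`, i.e. /srv/sshca/ca/ca → /export/sshca/ca/ca; the path should be `path: "/export/sshca/ca"`. As written, the 0700 directory intended to hold the CA private key is created in an unrelated location and the real CA directory gets whatever mode it is created with later.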
From: Timo Makinen Date: Sat, 23 Mar 2024 18:28:23 +0000 Subject: [PATCH 203/596] sshd: Fix crypto configs for el8 systems --- roles/sshd/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index ff28d65..a90c594 100644 --- a/roles/sshd/tasks/main.yml +++ b/roles/sshd/tasks/main.yml @@ -28,8 +28,8 @@ line: "CRYPTO_POLICY=" notify: Restart sshd when: - - ansible_distribution == "CentOS" - - ansible_distribution_version is version_compare("8", ">=") + - ansible_distribution == "Rocky" + - ansible_distribution_version | int == 8 - name: Tighten ssh kex algorithm ansible.builtin.lineinfile: From 7ce6d5892321c36be7798076adc83b92a0799e03 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 23 Mar 2024 19:18:30 +0000 Subject: [PATCH 204/596] sshd_cert: First version of role --- roles/base/tasks/main.yml | 1 + roles/sshd_cert/meta/main.yml | 3 +++ roles/sshd_cert/tasks/main.yml | 43 ++++++++++++++++++++++++++++++++++ 3 files changed, 47 insertions(+) create mode 100644 roles/sshd_cert/meta/main.yml create mode 100644 roles/sshd_cert/tasks/main.yml diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index d7d7820..03f630d 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -48,6 +48,7 @@ - pki - psacct - sshd + - sshd_cert - node_exporter loop_control: loop_var: role diff --git a/roles/sshd_cert/meta/main.yml b/roles/sshd_cert/meta/main.yml new file mode 100644 index 0000000..bc03e65 --- /dev/null +++ b/roles/sshd_cert/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: sshd} diff --git a/roles/sshd_cert/tasks/main.yml b/roles/sshd_cert/tasks/main.yml new file mode 100644 index 0000000..4852748 --- /dev/null +++ b/roles/sshd_cert/tasks/main.yml 
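Review bot: `ansible_distribution == "Rocky"` narrows the `CRYPTO_POLICY=` override from any CentOS 8+ host to Rocky 8 only; if CentOS Stream or other EL8 hosts remain in the inventory they silently keep the system crypto policy, which presumably undoes the kex tightening the following task applies — `ansible_os_family == "RedHat"` would cover all of them. `ansible_distribution_version | int` relies on the `int` filter truncating a value like "8.x"; `ansible_distribution_major_version == "8"` is the fact meant for this comparison and reads as intended.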
@@ -0,0 +1,43 @@ +--- +- name: Copy public key for signing + ansible.builtin.fetch: + src: /etc/ssh/ssh_host_ed25519_key.pub + dest: "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub" + flat: true + +- name: Sign key + ansible.builtin.command: + argv: + - ssh-keygen + - -s + - /srv/sshca/ca/ca + - -I + - "{{ inventory_hostname }}" + - -h + - -n + - "{{ inventory_hostname }}" + - -V + - -1h:+365d + - -z + - "{{ ansible_date_time.epoch }}" + - "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub" + creates: "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub" + delegate_to: localhost + +- name: Install certificate + ansible.builtin.copy: + dest: /etc/ssh/ssh_host_ed25519_key-cert.pub + src: "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub" + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart sshd + +- name: Enable host certificate + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + line: HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub + regexp: "^(# )?HostCertificate .*" + insertafter: "^HostKey .*" + validate: "sshd -t -f %s" + notify: Restart sshd From b1c3597fa974eb8b65f34d55af9237922fab0933 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 23 Mar 2024 19:51:32 +0000 Subject: [PATCH 205/596] ssh_known_hosts: Use ssh certificate authority --- roles/ssh_known_hosts/templates/ssh_known_hosts.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/ssh_known_hosts/templates/ssh_known_hosts.j2 b/roles/ssh_known_hosts/templates/ssh_known_hosts.j2 index d6fc971..6019166 100644 --- a/roles/ssh_known_hosts/templates/ssh_known_hosts.j2 +++ b/roles/ssh_known_hosts/templates/ssh_known_hosts.j2 
@@ -1,5 +1,5 @@ -{% for host, vars in hostvars|dictsort %} -{% if vars["ansible_ssh_host_key_ed25519_public"] is defined %} -{{ host }} ssh-ed25519 {{ vars["ansible_ssh_host_key_ed25519_public"] }} -{% endif %} +{% set keys = lookup('fileglob', '/srv/sshca/ca/*.pub', wantlist=True) %} +{% for key in keys %} +{% set data = lookup('ansible.builtin.file', key) | split() %} +@cert-authority *.foo.sh {{ data[0:2] | join(' ') }} {% endfor %} From 365d0af6a6b6f48ee415759daf745f324758f525 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 23 Mar 2024 19:54:57 +0000 Subject: [PATCH 206/596] Add global ssh_known_hosts to adm hosts --- playbooks/adm.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 2219ed5..2f99193 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml @@ -28,6 +28,7 @@ - ansible_host - certbot - sshca + - ssh_known_hosts - role: keytab keytab_principals: - "host/{{ inventory_hostname }}@{{ kerberos_realm }}" From 55aed1a36dd16d0e3883afa31e73a93f5edb81f3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 23 Mar 2024 20:29:53 +0000 Subject: [PATCH 207/596] sshd_cert: Add support for aliases in certificate --- roles/sshd_cert/defaults/main.yml | 2 ++ roles/sshd_cert/tasks/main.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 roles/sshd_cert/defaults/main.yml diff --git a/roles/sshd_cert/defaults/main.yml b/roles/sshd_cert/defaults/main.yml new file mode 100644 index 0000000..79b179b --- /dev/null +++ b/roles/sshd_cert/defaults/main.yml @@ -0,0 +1,2 @@ +--- +sshd_cert_hostnames: "{{ ssh_hostnames | default([]) + [inventory_hostname] }}" diff --git a/roles/sshd_cert/tasks/main.yml b/roles/sshd_cert/tasks/main.yml index 4852748..fea0499 100644 --- a/roles/sshd_cert/tasks/main.yml +++ b/roles/sshd_cert/tasks/main.yml @@ -15,7 +15,7 @@ - "{{ inventory_hostname }}" - -h - -n - - "{{ inventory_hostname }}" + - "{{ sshd_cert_hostnames | join(',') }}" - -V - -1h:+365d - -z 
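Review bot: The rewritten template replaces the per-host `ssh-ed25519` entries with a single `@cert-authority *.foo.sh` line, so a host that has not yet been through the sshd_cert role presents no trusted key at all to clients; keeping the old `hostvars` loop alongside the CA line until every host carries a certificate avoids that window. When `lookup('fileglob', '/srv/sshca/ca/*.pub', wantlist=True)` matches nothing the file renders empty rather than failing, which an `ansible.builtin.assert` on the lookup result in the role would catch before an empty ssh_known_hosts is installed.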
From 61e8ebdd203fd9de5eb1b86d3056d0bc2470a828 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 23 Mar 2024 21:33:13 +0000 Subject: [PATCH 208/596] sshd_cert: Sign if pubkey is newer than cert --- roles/sshd_cert/tasks/main.yml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/roles/sshd_cert/tasks/main.yml b/roles/sshd_cert/tasks/main.yml index fea0499..28aa96d 100644 --- a/roles/sshd_cert/tasks/main.yml +++ b/roles/sshd_cert/tasks/main.yml @@ -5,6 +5,22 @@ dest: "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub" flat: true +- name: Check status of public key + ansible.builtin.stat: + path: "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub" + changed_when: false + failed_when: false + check_mode: false + register: sshd_cert_pubkey + +- name: Check status of certificate + ansible.builtin.stat: + path: "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub" + changed_when: false + failed_when: false + check_mode: false + register: sshd_cert_status + - name: Sign key ansible.builtin.command: argv: @@ -21,7 +37,7 @@ - -z - "{{ ansible_date_time.epoch }}" - "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub" - creates: "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub" + when: not sshd_cert_status.stat.exists or sshd_cert_status.stat.mtime | int < sshd_cert_pubkey.stat.mtime | int delegate_to: localhost - name: Install certificate From 5f4f8e35aa58111fb5135c8f7e0e4054718c3645 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 24 Mar 2024 11:55:08 +0000 Subject: [PATCH 209/596] sshd_cert: Fix checking certificate status --- roles/sshd_cert/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/sshd_cert/tasks/main.yml b/roles/sshd_cert/tasks/main.yml index 28aa96d..c564aab 100644 --- a/roles/sshd_cert/tasks/main.yml +++ b/roles/sshd_cert/tasks/main.yml 
@@ -11,6 +11,7 @@ changed_when: false failed_when: false check_mode: false + delegate_to: localhost register: sshd_cert_pubkey - name: Check status of certificate @@ -19,6 +20,7 @@ changed_when: false failed_when: false check_mode: false + delegate_to: localhost register: sshd_cert_status - name: Sign key From 315d89c750a059695921a1e5cd15d61c1eacfe20 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 24 Mar 2024 11:55:27 +0000 Subject: [PATCH 210/596] Add ssh host aliases for shell and dna-gw hosts --- group_vars/dnagw.yml | 4 ++++ group_vars/shell.yml | 3 +++ 2 files changed, 7 insertions(+) diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml index 9b2bacc..f224e9f 100644 --- a/group_vars/dnagw.yml +++ b/group_vars/dnagw.yml @@ -21,3 +21,7 @@ firewall_src: pf.conf.gw_home # ifstated config ifstated_config: ifstated-dna.conf.j2 + +# ssh host alaises +ssh_hostnames: + - gw.home.foo.sh diff --git a/group_vars/shell.yml b/group_vars/shell.yml index 19931a2..202b4dc 100644 --- a/group_vars/shell.yml +++ b/group_vars/shell.yml @@ -10,3 +10,6 @@ firewall_in: - {proto: tcp, port: 80} - {proto: tcp, port: 443} - {proto: tcp, port: 9100, from: [62.78.229.29/32]} + +ssh_hostnames: + - shell.foo.sh From d8cf025fbe4bf875761040c4cb6d45c5faf4448b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 24 Mar 2024 18:23:46 +0000 Subject: [PATCH 211/596] sshd_cert: Fix lint errors --- roles/sshd_cert/tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/sshd_cert/tasks/main.yml b/roles/sshd_cert/tasks/main.yml index c564aab..8d5e841 100644 --- a/roles/sshd_cert/tasks/main.yml +++ b/roles/sshd_cert/tasks/main.yml 
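Review bot: Typo in the comment added to group_vars/dnagw.yml: `# ssh host alaises` should read `# ssh host aliases`. Because `ssh_hostnames` becomes certificate principals through `sshd_cert_hostnames`, the comment is also the right place to say what the values must be, e.g. `# extra principals put in this host's SSH host certificate; must be the DNS names clients actually connect to`.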
@@ -39,7 +39,9 @@ - -z - "{{ ansible_date_time.epoch }}" - "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub" - when: not sshd_cert_status.stat.exists or sshd_cert_status.stat.mtime | int < sshd_cert_pubkey.stat.mtime | int + when: > + not sshd_cert_status.stat.exists or + sshd_cert_status.stat.mtime | int < sshd_cert_pubkey.stat.mtime | int delegate_to: localhost - name: Install certificate From ea8db3ab6be9b6ec4e412f662e1479df2fc65fdf Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 24 Mar 2024 18:52:31 +0000 Subject: [PATCH 212/596] nginx_exporter: Lint fixes --- roles/nginx_exporter/defaults/main.yml | 3 ++- roles/nginx_exporter/tasks/main.yml | 7 ++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/roles/nginx_exporter/defaults/main.yml b/roles/nginx_exporter/defaults/main.yml index 863f6d4..6f214a3 100644 --- a/roles/nginx_exporter/defaults/main.yml +++ b/roles/nginx_exporter/defaults/main.yml @@ -1,2 +1,3 @@ --- -nginx_exporter_pkg: "nginx-prometheus-exporter_{{ nginx_exporter_version }}_linux_amd64" +nginx_exporter_pkg: >- + nginx-prometheus-exporter_{{ nginx_exporter_version }}_linux_amd64 diff --git a/roles/nginx_exporter/tasks/main.yml b/roles/nginx_exporter/tasks/main.yml index 1c94615..8d445ed 100644 --- a/roles/nginx_exporter/tasks/main.yml +++ b/roles/nginx_exporter/tasks/main.yml @@ -17,7 +17,12 @@ - name: Download package ansible.builtin.get_url: - url: https://github.com/nginxinc/nginx-prometheus-exporter/releases/download/v{{ nginx_exporter_version }}/{{ nginx_exporter_pkg }}.tar.gz + url: >- + {{ + "https://github.com/nginxinc/nginx-prometheus-exporter/releases/" + + "download/v" + nginx_exporter_version + "/" + nginx_exporter_pkg + + ".tar.gz" + }} dest: "/usr/local/src/{{ nginx_exporter_pkg }}.tar.gz" mode: "0644" owner: root From 5aa57c8358aff980fc8191f983ef9e64b254ca70 Mon Sep 17 00:00:00 2001 
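Review bot: The `get_url` download in this hunk carries no `checksum:` argument, so the nginx exporter tarball is trusted solely on the GitHub release URL and TLS, and a replaced release asset would be installed silently. The repository already pins downloaded boot images with `checksum:` (see the dna-gw playbook), so the same pattern fits here: add `checksum: "sha256:{{ nginx_exporter_checksum }}"` next to `url:` and keep the per-version digest in defaults alongside `nginx_exporter_version`. If a checksum is already set on a line outside the hunk, disregard this.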
From: Timo Makinen Date: Sun, 24 Mar 2024 18:56:19 +0000 Subject: [PATCH 213/596] snmp_exporter: Lint fixes --- roles/snmp_exporter/tasks/main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/snmp_exporter/tasks/main.yml b/roles/snmp_exporter/tasks/main.yml index e3a6e9f..57a557b 100644 --- a/roles/snmp_exporter/tasks/main.yml +++ b/roles/snmp_exporter/tasks/main.yml @@ -14,7 +14,11 @@ - name: Download package ansible.builtin.get_url: - url: "https://github.com/prometheus/snmp_exporter/releases/download/v{{ snmp_exporter_version }}/{{ snmp_exporter_pkg }}.tar.gz" + url: >- + {{ + "https://github.com/prometheus/snmp_exporter/releases/download/v" + + snmp_exporter_version + "/" + snmp_exporter_pkg + ".tar.gz" + }} dest: "/usr/local/src/{{ snmp_exporter_pkg }}.tar.gz" mode: "0644" owner: root From 433a9114dfd24727c821410ab9e3af6d8164ff38 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 24 Mar 2024 18:58:52 +0000 Subject: [PATCH 214/596] mysql_exporter: Lint fixes --- roles/mysqld_exporter/tasks/main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/mysqld_exporter/tasks/main.yml b/roles/mysqld_exporter/tasks/main.yml index e69ce1c..1c08cf4 100644 --- a/roles/mysqld_exporter/tasks/main.yml +++ b/roles/mysqld_exporter/tasks/main.yml @@ -17,7 +17,11 @@ - name: Download package ansible.builtin.get_url: - url: "https://github.com/prometheus/mysqld_exporter/releases/download/v{{ mysqld_exporter_version }}/{{ mysqld_exporter_pkg }}.tar.gz" + url: >- + {{ + "https://github.com/prometheus/mysqld_exporter/releases/download/v" + + mysqld_exporter_version + "/" + mysqld_exporter_pkg + ".tar.gz" + }} dest: "/usr/local/src/{{ mysqld_exporter_pkg }}.tar.gz" mode: "0644" owner: root From 6d3b1e15382b54210f17e8a73062211b5b77d1cf Mon Sep 17 00:00:00 2001 
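Review bot: The snmp_exporter tarball is fetched without a `checksum:` argument, so integrity rests only on the release URL and TLS; a tampered or replaced GitHub release asset would be unpacked and installed without notice. Add `checksum: "sha256:{{ snmp_exporter_checksum }}"` under `url:` and pin the digest per version in defaults, matching the checksum pinning the repository already uses for OpenBSD boot images. If the checksum is set outside the visible lines, ignore this.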
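Review bot: Same gap for mysqld_exporter: the `get_url` task has no `checksum:` so the binary that will later run with database credentials is installed on the strength of the URL alone. Add `checksum: "sha256:{{ mysqld_exporter_checksum }}"` next to `url:` with the digest kept per version in defaults; the folded-scalar URL rewrite in this hunk does not change that. Disregard if a checksum line exists outside the hunk.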
From: Timo Makinen Date: Sun, 24 Mar 2024 19:04:41 +0000 Subject: [PATCH 215/596] tests: Use new naming for tests 0*.sh - Tests for ansible yaml files 1*.sh - Tests for shell scripts --- tests/{03-shellcheck.sh => 11-shellcheck.sh} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tests/{03-shellcheck.sh => 11-shellcheck.sh} (100%) diff --git a/tests/03-shellcheck.sh b/tests/11-shellcheck.sh similarity index 100% rename from tests/03-shellcheck.sh rename to tests/11-shellcheck.sh From 604ae205541936ea01dca94c5694b4561c454efc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 24 Mar 2024 19:24:28 +0000 Subject: [PATCH 216/596] mongodb: Lint fixes --- roles/mongodb/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index 41c12a2..828356c 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml @@ -86,7 +86,7 @@ ansible.builtin.file: path: /etc/mongod state: directory - mode: 0750 + mode: "0750" owner: root group: mongod From 50f02e85acec3b11a0ad6c516691c76cb3b2c638 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 30 Mar 2024 13:55:20 +0000 Subject: [PATCH 217/596] routeros_firmware: Give error if checksum fetch fails --- roles/routeros_firmware/files/download-routeros-firmware.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/routeros_firmware/files/download-routeros-firmware.sh b/roles/routeros_firmware/files/download-routeros-firmware.sh index e6a0b65..8f199f0 100644 --- a/roles/routeros_firmware/files/download-routeros-firmware.sh +++ b/roles/routeros_firmware/files/download-routeros-firmware.sh 
@@ -31,6 +31,10 @@ fi checksum="$(curl -sSf "https://mikrotik.com/download" | \ sed -n 's/.*routeros-[0-9\.]*-arm\.npk<\/td>.*SHA256<\/td>\(.*\)<\/td>.*/\1/p')" +if [ -z "$checksum" ]; then + echo "ERR: Failed to determine package checksum" 1>&2 + exit 1 +fi echo "Downloading new package '${packagename}'" trap 'rm -f -- "${packagename}.tmp"' EXIT From 583b106d39ab04a294e6e1a2a9709afe2f401b25 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 2 Apr 2024 16:47:49 +0000 Subject: [PATCH 218/596] nginx_site: Add more strict headers to collab --- roles/nginx_site/templates/collab.foo.sh.conf.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/nginx_site/templates/collab.foo.sh.conf.j2 b/roles/nginx_site/templates/collab.foo.sh.conf.j2 index d338ce4..93e1c8b 100644 --- a/roles/nginx_site/templates/collab.foo.sh.conf.j2 +++ b/roles/nginx_site/templates/collab.foo.sh.conf.j2 @@ -1 +1,6 @@ client_max_body_size 50m; + + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"; + add_header Referrer-Policy "no-referrer"; + add_header X-Content-Type-Options "nosniff"; + add_header X-XSS-Protection "1; mode=block"; From e57cd06891ee0b4deed6ce59749e70e31038db63 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 2 Apr 2024 18:01:02 +0000 Subject: [PATCH 219/596] nginx_site: Add security headers for movies.foo.sh --- roles/nginx_site/templates/movies.foo.sh.conf.j2 | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 roles/nginx_site/templates/movies.foo.sh.conf.j2 diff --git a/roles/nginx_site/templates/movies.foo.sh.conf.j2 b/roles/nginx_site/templates/movies.foo.sh.conf.j2 new file mode 100644 index 0000000..760e07b --- /dev/null +++ b/roles/nginx_site/templates/movies.foo.sh.conf.j2 
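Review bot: `script-src 'self' 'unsafe-inline'` permits inline script, which is exactly what an injected payload needs, so this policy does not materially stop reflected or stored XSS in the wiki; if the application needs inline scripts, move to nonces or hashes, otherwise drop `'unsafe-inline'` from `script-src` (keeping it for `style-src` is a much smaller risk). `X-XSS-Protection "1; mode=block"` is deprecated and the legacy auditor it toggled was itself a source of side-channel leaks; current guidance is `add_header X-XSS-Protection "0";` or omitting the header. Also remember that nginx `add_header` directives in a nested block replace, rather than extend, those inherited from the enclosing `server`, so headers such as HSTS set above this include (outside the hunk) would have to be repeated here.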
@@ -0,0 +1,5 @@ + add_header Content-Security-Policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com"; + add_header Referrer-Policy "no-referrer"; + add_header X-Content-Type-Options "nosniff"; + add_header X-XSS-Protection "1; mode=block"; + From e2fb4921957e254dde454c084a0e868b8383eff9 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 6 Apr 2024 18:27:35 +0000 Subject: [PATCH 220/596] routeros_firmware: Fix download for new html --- .../files/download-routeros-firmware.sh | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/roles/routeros_firmware/files/download-routeros-firmware.sh b/roles/routeros_firmware/files/download-routeros-firmware.sh index 8f199f0..4691f9e 100644 --- a/roles/routeros_firmware/files/download-routeros-firmware.sh +++ b/roles/routeros_firmware/files/download-routeros-firmware.sh @@ -17,8 +17,19 @@ if [ $# -gt 0 ]; then exit 1 fi -packageurl="$(curl -sSf "https://mikrotik.com/download" | \ - sed -n 's/.* ].*/\1/p')" +packageinfo=$(curl -sSf "https://mikrotik.com/download" | awk -F '"' ' + { + if (!url && $0 ~ /routeros-[0-9\.]+-arm.npk/) { + url=$2 + } else if (!found && url && $0 ~ /data-checksum-sha256/) { + print url " " $6 + found = 1 + } + } + ') + +packageurl="$(echo "$packageinfo" | cut -d " " -f 1)" +checksum="$(echo "$packageinfo" | cut -d " " -f 2)" if [ -z "$packageurl" ]; then echo "ERR: Got empty package URL, exiting" 1>&2 exit 1 @@ -29,8 +40,6 @@ if [ -f "$packagename" ]; then exit 0 fi -checksum="$(curl -sSf "https://mikrotik.com/download" | \ - sed -n 's/.*routeros-[0-9\.]*-arm\.npk<\/td>.*SHA256<\/td>\(.*\)<\/td>.*/\1/p')" if [ -z "$checksum" ]; then echo "ERR: Failed to determine package checksum" 1>&2 exit 1 From 7496125098640351398825e7cce571b7d27e2784 Mon Sep 17 00:00:00 2001 
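Review bot: The new policy has no `frame-ancestors` directive, and `frame-ancestors` does not fall back to `default-src`, so the site can still be framed for clickjacking; append `; frame-ancestors 'none'` to the CSP (or add `X-Frame-Options "DENY"`). `X-XSS-Protection "1; mode=block"` is deprecated, as on collab; use `"0"` or drop the line. The `add_header` inheritance caveat applies here as well: once this include adds its own headers, any set in the enclosing server block (outside the hunk) are no longer inherited at this level.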
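Review bot: The checksum taken from `$6` of the `data-checksum-sha256` line is used verbatim, so if MikroTik reorders attributes the variable holds some other fragment and the later `sha256sum` compare fails closed, but the error will blame the download rather than the scrape. Validate the format where the emptiness test already is: `if [ -z "$checksum" ] || ! printf '%s\n' "$checksum" | grep -Eq '^[0-9a-f]{64}$'; then`. `$url` from `$2` is likewise fetched later without checking that it still points at a mikrotik.com host, which is worth a `case` on the URL prefix before the download. Both values come from the same HTML page, so this check defends against corruption and scrape errors, not against a compromised mikrotik.com; a comment saying so, e.g. `# checksum is scraped from the same page as the URL: detects bad downloads, not a hostile site`, would set expectations.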
From: Timo Makinen Date: Sat, 6 Apr 2024 18:30:53 +0000 Subject: [PATCH 221/596] routeros_firmware: Show changelog after download --- roles/routeros_firmware/files/download-routeros-firmware.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/routeros_firmware/files/download-routeros-firmware.sh b/roles/routeros_firmware/files/download-routeros-firmware.sh index 4691f9e..b6784bc 100644 --- a/roles/routeros_firmware/files/download-routeros-firmware.sh +++ b/roles/routeros_firmware/files/download-routeros-firmware.sh @@ -55,3 +55,8 @@ if [ "$(sha256sum "${packagename}.tmp" | cut -d " " -f 1)" != "$checksum" ]; the fi mv "${packagename}.tmp" "$packagename" + +echo +curl -sSf "https://cdn.mikrotik.com/routeros/$(echo "$packagename" | cut -d "-" -f 2)/CHANGELOG" +echo +echo From 0d72e9e92031c3f1780c210e29c38dbe3eb49539 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 13:38:21 +0000 Subject: [PATCH 222/596] backup_bitbucket: New role --- .../files/backup-bitbucket.sh | 24 ++++++++++++++ roles/backup_bitbucket/meta/main.yml | 3 ++ roles/backup_bitbucket/tasks/main.yml | 32 +++++++++++++++++++ 3 files changed, 59 insertions(+) create mode 100644 roles/backup_bitbucket/files/backup-bitbucket.sh create mode 100644 roles/backup_bitbucket/meta/main.yml create mode 100644 roles/backup_bitbucket/tasks/main.yml diff --git a/roles/backup_bitbucket/files/backup-bitbucket.sh b/roles/backup_bitbucket/files/backup-bitbucket.sh new file mode 100644 index 0000000..a97097e --- /dev/null +++ b/roles/backup_bitbucket/files/backup-bitbucket.sh 
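Review bot: The changelog fetch runs after `mv` has already installed the package, so if the script's preamble enables `set -e` (outside the hunk) a transient CDN failure makes the whole run exit non-zero even though the download succeeded, which a cron wrapper will report as a failed update. Make it best-effort: `curl -sSf "https://cdn.mikrotik.com/routeros/$(echo "$packagename" | cut -d "-" -f 2)/CHANGELOG" || echo "WARN: changelog not available" 1>&2`. The version is also derived by `cut -d "-" -f 2` from `$packagename`, which assumes the `routeros-<version>-arm.npk` shape fixed by the earlier scrape; a comment noting that assumption would help.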
@@ -0,0 +1,24 @@ +#!/bin/sh + +USERS="tmakinen" + +set -eu +umask 027 + +cd /srv/backup/bitbucket.org + +for _user in $USERS ; do + curl -sSf "https://api.bitbucket.org/2.0/repositories/${_user}" | \ + jq -r '.values | .[] | [.name, .scm] | @tsv' | \ + while read -r _repo _scm + do + [ "$_scm" = "git" ] || continue + _url="https://bitbucket.org/${_user}/${_repo}" + _gitdir="${_user}/${_repo}" + if [ ! -d "$_gitdir" ]; then + mkdir -p "$_gitdir" + git --git-dir="$_gitdir" init --quiet --bare + fi + git --git-dir="$_gitdir" fetch --quiet --force --prune --tags "$_url" "refs/heads/*:refs/heads/*" + done +done diff --git a/roles/backup_bitbucket/meta/main.yml b/roles/backup_bitbucket/meta/main.yml new file mode 100644 index 0000000..9eea2ce --- /dev/null +++ b/roles/backup_bitbucket/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: backup_server} diff --git a/roles/backup_bitbucket/tasks/main.yml b/roles/backup_bitbucket/tasks/main.yml new file mode 100644 index 0000000..d41605a --- /dev/null +++ b/roles/backup_bitbucket/tasks/main.yml @@ -0,0 +1,32 @@ +--- +- name: Install dependencies + ansible.builtin.package: + name: "{{ item }}" + state: installed + with_items: + - git + - jq + +- name: Create backup directory + ansible.builtin.file: + path: /srv/backup/bitbucket.org + state: directory + mode: "0770" + owner: root + group: backup + +- name: Copy backup script + ansible.builtin.copy: + dest: /usr/local/sbin/backup-bitbucket + src: backup-bitbucket.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Add cron job + ansible.builtin.cron: + name: bitbucket-backup + job: /usr/local/sbin/backup-bitbucket + hour: "03" + minute: "10" + user: backup From 1520f8dabffda36dfacc0432ebdaf117e7260831 Mon Sep 17 00:00:00 2001 
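Review bot: A failed API call is invisible here: when `curl -sSf` fails, the pipeline feeds nothing into `while read`, the loop body never runs, and the script exits 0 having backed up nothing, because POSIX `sh` has no `pipefail` for `set -e` to act on. Capture the response first and fail loudly, e.g. `_json="$(curl -sSf "https://api.bitbucket.org/2.0/repositories/${_user}")" || exit 1`, then pipe `$_json` into `jq`. The script also reads only the first page of `.values`; the Bitbucket 2.0 API paginates and exposes a `.next` URL, so repositories past the first page are presumably skipped (confirm against the account). Finally `.name` is the display name, which may contain spaces and so splits `read -r _repo _scm` incorrectly, and it is also used as a filesystem path under the backup directory; `.slug` is the URL-safe identifier and is the safer choice for both `_url` and `_gitdir`.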
From: Timo Makinen Date: Sun, 7 Apr 2024 13:42:32 +0000 Subject: [PATCH 223/596] backup_server: Move bitbucket backup to own role --- roles/backup_server/files/backup-bitbucket.py | 51 ------------------- roles/backup_server/tasks/main.yml | 29 +---------- 2 files changed, 1 insertion(+), 79 deletions(-) delete mode 100644 roles/backup_server/files/backup-bitbucket.py diff --git a/roles/backup_server/files/backup-bitbucket.py b/roles/backup_server/files/backup-bitbucket.py deleted file mode 100644 index 15cb651..0000000 --- a/roles/backup_server/files/backup-bitbucket.py +++ /dev/null @@ -1,51 +0,0 @@ -#!/usr/bin/env python3 - -import os -import json -from subprocess import call -from urllib.request import urlopen - -USERS = ["tmakinen"] -BACKUPDIR = "/srv/backup/bitbucket.org" - - -def repolist(username): - f = urlopen(f"https://api.bitbucket.org/2.0/repositories/{username}") - data = json.load(f) - f.close() - - for repo in data["values"]: - yield ( - { - "name": repo["name"], - "scm": repo["scm"], - "wiki": repo["has_wiki"], - "issues": repo["has_issues"], - } - ) - - -def gitbackup(destination, repo): - if not os.path.exists(destination): - os.makedirs(destination) - call(["git", "clone", "--quiet", repo, destination]) - else: - os.chdir(destination) - call(["git", f"--git-dir={destination}/.git", "pull", "--quiet"]) - - -if __name__ == "__main__": - for user in USERS: - for repo in repolist(user): - if repo["scm"] == "git": - gitbackup( - f"{BACKUPDIR}/{user}/{repo['name']}", - f"https://bitbucket.org/{user}/{repo['name']}.git", - ) - if repo["wiki"]: - gitbackup( - f"{BACKUPDIR}/{user}/{repo['name']}-wiki", - f"https://bitbucket.org/{user}/{repo['name']}.git/wiki", - ) - else: - raise NotImplementedError("{repo['scm']} repositories not supported") diff --git a/roles/backup_server/tasks/main.yml b/roles/backup_server/tasks/main.yml index b952d09..5308e82 100644 --- a/roles/backup_server/tasks/main.yml +++ b/roles/backup_server/tasks/main.yml 
@@ -1,11 +1,8 @@ --- - name: Install packages ansible.builtin.package: - name: "{{ item }}" + name: rclone state: installed - with_items: - - git - - rclone - name: Create backup group ansible.builtin.group: @@ -38,27 +35,3 @@ owner: root group: "{{ ansible_wheel }}" follow: false - -- name: Create Bitbucket backup directory - ansible.builtin.file: - path: /export/backup/bitbucket.org - state: directory - mode: "0775" - owner: root - group: backup - -- name: Install Bitbucket backup script - ansible.builtin.copy: - dest: /usr/local/sbin/backup-bitbucket - src: backup-bitbucket.py - mode: "0755" - owner: root - group: "{{ ansible_wheel }}" - -- name: Add Bitbucket backup cron job - ansible.builtin.cron: - name: bitbucket-backup - job: /usr/local/sbin/backup-bitbucket - hour: "03" - minute: "10" - user: backup From 1a3e1dbeeb108f92d5e2a205fd1df2f6c80e9d7a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 13:43:07 +0000 Subject: [PATCH 224/596] Add bitbucket backups --- playbooks/backup.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/backup.yml b/playbooks/backup.yml index 3973aab..e3e8ec0 100644 --- a/playbooks/backup.yml +++ b/playbooks/backup.yml @@ -26,4 +26,5 @@ roles: - base - backup_server + - backup_bitbucket - sftpbackup From 8752c363918bc42084dda7966b3f2d15a8689329 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 14:09:00 +0000 Subject: [PATCH 225/596] backup_server: Move data to new UID/GID --- roles/backup_server/tasks/main.yml | 4 ++-- users.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/backup_server/tasks/main.yml b/roles/backup_server/tasks/main.yml index 5308e82..94caf61 100644 --- a/roles/backup_server/tasks/main.yml +++ b/roles/backup_server/tasks/main.yml @@ -7,7 +7,7 @@ - name: Create backup group ansible.builtin.group: name: backup - gid: 1005 + gid: 306 - name: Create backup user ansible.builtin.user: 
@@ -17,7 +17,7 @@ group: backup home: /var/empty shell: /bin/sh - uid: 1005 + uid: 306 - name: Create backup directory ansible.builtin.file: diff --git a/users.md b/users.md index 48a6c2b..d0ca8d9 100644 --- a/users.md +++ b/users.md @@ -11,9 +11,9 @@ entry empty. If only a group is created, leave the user entry empty. | 302 | mongod | mongod | | | 303 | gitea | gitea | | | 305 | prometheus | prometheus | | +| 306 | backup | backup | | | 1001 | mirror | mirror | | | 1002 | certbot | certbot | | | 1003 | collab | collab | | | 1004 | docker | docker | docker registry | -| 1005 | backup | backup | | | 1007 | minecraft | minecraft | | From 5cd6edc1b1531005dd916c8d68c9a522129bc408 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 14:09:24 +0000 Subject: [PATCH 226/596] Update to OpenBSD 7.5 --- playbooks/dna-gw.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 1714494..f9672d0 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -70,8 +70,8 @@ - name: Create tftp pxeboot loader for OpenBSD installs ansible.builtin.get_url: - url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.4/amd64/pxeboot" - checksum: sha1:677293059655da474ec81c45ed235b8497017e56 + url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.5/amd64/pxeboot" + checksum: sha1:187d24bc9fddf2b032540017cec375051fc65afc dest: /srv/tftpboot/pxeboot mode: "0644" owner: root @@ -79,8 +79,8 @@ - name: Create tftp ramdisk for OpenBSD installs ansible.builtin.get_url: - url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.4/amd64/bsd.rd" - checksum: sha1:c0af0223ab0aa38c27fd55a2b94873345c2d88f7 + url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.5/amd64/bsd.rd" + checksum: sha1:4362ec59d407f369be4840002cbc6942015afd8c dest: /srv/tftpboot/bsd.rd mode: "0644" owner: root From febee5c72e0894847579c7aae2a58f95640009a9 Mon Sep 17 00:00:00 2001 
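Review bot: Changing `uid`/`gid` in the user and group tasks does not re-own files already under `/export/backup` or the rclone logs, so after this runs the existing data is still owned by the now-unassigned numeric id 1005 and the `backup` account loses write access until something chowns it; `ansible.builtin.user` only rewrites the passwd and group entries. Unless the migration was done by hand, add a one-off task, e.g. `ansible.builtin.command: find /export/backup /var/log/rclone -xdev -uid 1005 -exec chown backup:backup {} +` with a suitable `changed_when`, and avoid ever allocating uid 1005 to another account while such files remain.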
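Review bot: The pxeboot and bsd.rd downloads are pinned with `sha1:` digests; SHA-1 is no longer collision resistant and OpenBSD publishes SHA256 for every release set, so switch to `checksum: sha256:<digest from the release SHA256 file>`. A checksum copied from the same mirror only detects corruption, not a malicious mirror; verifying the fetched files against the signify-signed `SHA256.sig` with the release public key (`signify -C -p /etc/signify/openbsd-75-base.pub -x SHA256.sig pxeboot bsd.rd`) in a follow-up task would close that gap for the network-boot path.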
From: Timo Makinen Date: Sun, 7 Apr 2024 14:35:04 +0000 Subject: [PATCH 227/596] backup_github: New role --- roles/backup_github/files/backup-github.sh | 22 +++++++++++++++ roles/backup_github/meta/main.yml | 3 ++ roles/backup_github/tasks/main.yml | 32 ++++++++++++++++++++++ 3 files changed, 57 insertions(+) create mode 100755 roles/backup_github/files/backup-github.sh create mode 100644 roles/backup_github/meta/main.yml create mode 100644 roles/backup_github/tasks/main.yml diff --git a/roles/backup_github/files/backup-github.sh b/roles/backup_github/files/backup-github.sh new file mode 100755 index 0000000..6d2c598 --- /dev/null +++ b/roles/backup_github/files/backup-github.sh @@ -0,0 +1,22 @@ +#!/bin/sh + +ORGS="foo-sh" + +set -eu +umask 027 + +cd /srv/backup/github.com + +for _org in $ORGS ; do + curl -sSf "https://api.github.com/orgs/foo-sh/repos" | jq -r '.[] | .name' | \ + while read -r _repo + do + _url="https://github.com/${_org}/${_repo}.git" + _gitdir="${_org}/${_repo}" + if [ ! -d "$_gitdir" ]; then + mkdir -p "$_gitdir" + git --git-dir="$_gitdir" init --quiet --bare + fi + git --git-dir="$_gitdir" fetch --quiet --force --prune --tags "$_url" "refs/heads/*:refs/heads/*" + done +done diff --git a/roles/backup_github/meta/main.yml b/roles/backup_github/meta/main.yml new file mode 100644 index 0000000..9eea2ce --- /dev/null +++ b/roles/backup_github/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: backup_server} diff --git a/roles/backup_github/tasks/main.yml b/roles/backup_github/tasks/main.yml new file mode 100644 index 0000000..6d6ffdc --- /dev/null +++ b/roles/backup_github/tasks/main.yml 
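Review bot: The API URL hard-codes `orgs/foo-sh` instead of the loop variable, so any second entry in `ORGS` would store foo-sh's repository list under the other organisation's directory; change it to `curl -sSf "https://api.github.com/orgs/${_org}/repos"`. As in the Bitbucket script, a failing `curl` yields an empty loop and a zero exit status, so capture the output into a variable and fail on error before parsing. The GitHub API also paginates (30 items per page by default) and applies a low unauthenticated rate limit, so organisations with more repositories are presumably truncated unless `per_page`/`page` or the `Link` header is handled.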
@@ -0,0 +1,32 @@ +--- +- name: Install dependencies + ansible.builtin.package: + name: "{{ item }}" + state: installed + with_items: + - git + - jq + +- name: Create backup directory + ansible.builtin.file: + path: /srv/backup/github.com + state: directory + mode: "0770" + owner: root + group: backup + +- name: Copy backup script + ansible.builtin.copy: + dest: /usr/local/sbin/backup-github + src: backup-github.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Add cron job + ansible.builtin.cron: + name: github-backup + job: /usr/local/sbin/backup-github + hour: "03" + minute: "20" + user: backup From cd8e979ded29f21289236b6c4ed7288c1b774941 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 14:35:26 +0000 Subject: [PATCH 228/596] Add github backups --- playbooks/backup.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/backup.yml b/playbooks/backup.yml index e3e8ec0..bb1d261 100644 --- a/playbooks/backup.yml +++ b/playbooks/backup.yml @@ -27,4 +27,5 @@ - base - backup_server - backup_bitbucket + - backup_github - sftpbackup From f3293d4b05d563c491434342f9c823557bb990bc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 16:15:38 +0000 Subject: [PATCH 229/596] rclone: Don't use template for backup script --- .../{templates/rclone-sync.sh.j2 => files/rclone-sync.sh} | 4 ++-- roles/rclone/meta/main.yml | 3 +++ roles/rclone/tasks/main.yml | 4 ++-- 3 files changed, 7 insertions(+), 4 deletions(-) rename roles/rclone/{templates/rclone-sync.sh.j2 => files/rclone-sync.sh} (95%) create mode 100644 roles/rclone/meta/main.yml diff --git a/roles/rclone/templates/rclone-sync.sh.j2 b/roles/rclone/files/rclone-sync.sh similarity index 95% rename from roles/rclone/templates/rclone-sync.sh.j2 rename to roles/rclone/files/rclone-sync.sh index a7aadb6..def667c 100755 --- a/roles/rclone/templates/rclone-sync.sh.j2 +++ b/roles/rclone/files/rclone-sync.sh 
@@ -1,9 +1,9 @@ #!/bin/sh -set -u +set -eu umask 027 -TARGET="{{ destination }}" +TARGET="/srv/backup" CONFIG="/etc/rclone/rclone.conf" LOGDIR="/var/log/rclone" RCLONE="/usr/local/bin/rclone" diff --git a/roles/rclone/meta/main.yml b/roles/rclone/meta/main.yml new file mode 100644 index 0000000..9eea2ce --- /dev/null +++ b/roles/rclone/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: backup_server} diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml index 315ed79..9700039 100644 --- a/roles/rclone/tasks/main.yml +++ b/roles/rclone/tasks/main.yml @@ -29,9 +29,9 @@ group: "{{ local_user | default(ansible_wheel) }}" - name: Copy rclone sync script - ansible.builtin.template: + ansible.builtin.copy: dest: /usr/local/bin/rclone-sync - src: rclone-sync.sh.j2 + src: rclone-sync.sh mode: "0755" owner: root group: "{{ ansible_wheel }}" From 5dc08701b2ae5a620ada8bd593fc6daa02c03396 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 16:31:06 +0000 Subject: [PATCH 230/596] backup_server: Allow backup user to write --- roles/backup_server/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/backup_server/tasks/main.yml b/roles/backup_server/tasks/main.yml index 94caf61..18d8222 100644 --- a/roles/backup_server/tasks/main.yml +++ b/roles/backup_server/tasks/main.yml @@ -23,9 +23,9 @@ ansible.builtin.file: path: /export/backup state: directory - mode: "0755" + mode: "0770" owner: root - group: "{{ ansible_wheel }}" + group: backup - name: Link backup directory ansible.builtin.file: From 0a724359dcf946202e7c97a12e83f4f5b171a3ed Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 17:21:41 +0000 Subject: [PATCH 231/596] rclone: Add ssh key generation and run as backup --- roles/rclone/tasks/main.yml | 49 +++++++++++++++++++++------ roles/rclone/templates/rclone.conf.j2 | 2 +- 2 files changed, 39 insertions(+), 12 deletions(-) 
diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml index 9700039..1019fb7 100644 --- a/roles/rclone/tasks/main.yml +++ b/roles/rclone/tasks/main.yml @@ -8,25 +8,55 @@ ansible.builtin.file: path: /etc/rclone state: directory - mode: "0755" + mode: "0750" owner: root - group: "{{ ansible_wheel }}" + group: backup - name: Create host config ansible.builtin.template: dest: /etc/rclone/rclone.conf src: rclone.conf.j2 - mode: "0644" + mode: "0640" owner: root - group: "{{ ansible_wheel }}" + group: backup + +- name: Create ssh keys + ansible.builtin.command: + argv: + - ssh-keygen + - -t + - ed25519 + - -C + - "backup@{{ inventory_hostname }}" + - -N + - "" + - -f + - /etc/rclone/id_ed25519 + creates: /etc/rclone/id_ed25519 + +- name: Fix ssh key permissions + ansible.builtin.file: + path: "{{ item }}" + owner: root + group: backup + mode: "0640" + with_items: + - /etc/rclone/id_ed25519 + - /etc/rclone/id_ed25519.pub + +- name: Fetch ssh public key + ansible.builtin.fetch: + src: /etc/rclone/id_ed25519.pub + dest: ../files/ssh/backup.pub + flat: true - name: Create log directory ansible.builtin.file: path: /var/log/rclone state: directory mode: "0750" - owner: "{{ local_user | default('root') }}" - group: "{{ local_user | default(ansible_wheel) }}" + owner: backup + group: backup - name: Copy rclone sync script ansible.builtin.copy: @@ -40,16 +70,13 @@ ansible.builtin.cron: name: MAILTO env: true - user: "{{ local_user }}" + user: backup value: root - when: - - local_user is defined - - local_user != "root" - name: Add rclone sync cron job ansible.builtin.cron: name: rclone-sync - user: "{{ local_user | default('root') }}" + user: backup hour: "3" minute: "{{ 60 | random(seed=inventory_hostname) }}" job: /usr/local/bin/rclone-sync diff --git a/roles/rclone/templates/rclone.conf.j2 b/roles/rclone/templates/rclone.conf.j2 index 9389314..440fcc6 100644 --- a/roles/rclone/templates/rclone.conf.j2 +++ b/roles/rclone/templates/rclone.conf.j2 
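Review bot: `/etc/rclone/id_ed25519` is left `0640 root:backup`, which makes an unencrypted private key readable by every member of group `backup` and by anything that later gains that group, while the only process that needs it runs as user `backup`; prefer `owner: backup`, `group: backup`, `mode: "0400"` for the private key (the `.pub` can stay world-readable). The same consideration applies to `rclone.conf`, which names the key and the remotes. Also `fetch` writes to a single `../files/ssh/backup.pub`, so if more than one host applies this role each run overwrites the previous key and only the last host's key ends up authorised on the targets; if one backup host is the design, a comment on the fetch task saying so would prevent surprises.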
@@ -5,6 +5,6 @@ type = sftp host = {{ host }} user = {{ remote_user }} -key_file = {{ private_key | default('~/.ssh/id_ed25519') }} +key_file = /etc/rclone/id_ed25519 known_hosts_file = /etc/ssh/ssh_known_hosts {% endfor %} From 646aada779dd249b1ae58c5a650a3b98d3ac6e2e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 17:22:58 +0000 Subject: [PATCH 232/596] sftpuser: Read ssh key from correct place --- group_vars/all.yml | 3 --- roles/sftpuser/tasks/main.yml | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/group_vars/all.yml b/group_vars/all.yml index 39ac197..4814110 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -31,8 +31,5 @@ boot_url: https://boot.foo.sh # ssh public keys for logsync user logsync_publickeys: "{{ lookup('file', '../files/ssh/logsync.pub') }}" -# ssh public keys for backup user -backup_publickeys: "{{ lookup('file', '../files/ssh/backup.pub') }}" - # hardcode this for now ansible_datacenter: home diff --git a/roles/sftpuser/tasks/main.yml b/roles/sftpuser/tasks/main.yml index 412826c..4821c6c 100644 --- a/roles/sftpuser/tasks/main.yml +++ b/roles/sftpuser/tasks/main.yml @@ -17,7 +17,7 @@ - name: "Create authorized_keys for {{ user }}" ansible.builtin.copy: dest: "/etc/ssh/authorized_keys.{{ user }}" - content: "{{ publickeys | join('\n') + '\n'}}" + src: ../files/ssh/backup.pub mode: "0640" owner: root group: "{{ user }}" From 4d127f05e76b666f6f9f5376e9437cd3df236fb9 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 17:24:06 +0000 Subject: [PATCH 233/596] Don't include backup ssh key in git --- .gitignore | 1 + files/ssh/backup.pub | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) delete mode 100644 files/ssh/backup.pub diff --git a/.gitignore b/.gitignore index d513b9e..afb6b4c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .*.swp __pycache__ +files/ssh/backup.pub diff --git a/files/ssh/backup.pub b/files/ssh/backup.pub deleted file mode 100644 index 336fbc7..0000000 
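Review bot: `src: ../files/ssh/backup.pub` introduces an ordering dependency: the file is produced by the rclone role's `fetch` on the backup host and is removed from git in the following commit, so on a fresh checkout any play that reaches `sftpuser` before the backup host has been configured fails with a missing-file error that does not explain itself. Either keep the public key under version control (public keys are safe to commit) or fail early with a clear message, e.g. an `ansible.builtin.assert` on `lookup('fileglob', '../files/ssh/backup.pub') | length > 0` with `fail_msg: "run playbooks/backup.yml first to generate files/ssh/backup.pub"`. Replacing `content: publickeys | join` with a single file also drops support for several backup keys; if that is deliberate, the task name should say so.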
--- a/files/ssh/backup.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdaNO9dLpI8CVx1rwGsKN45Pgiz+Btrlf2Q/nXCx4Ru root@backup02.home.foo.sh From d050c5c723d1679fca28d09bf7f1f56ac4c451e4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 17:36:56 +0000 Subject: [PATCH 234/596] sftpbackup: Remove wrapper role --- playbooks/backup.yml | 2 +- roles/sftpbackup/files/backup-sftp.sh | 29 --------------------------- roles/sftpbackup/meta/main.yml | 3 --- roles/sftpbackup/tasks/main.yml | 9 --------- 4 files changed, 1 insertion(+), 42 deletions(-) delete mode 100644 roles/sftpbackup/files/backup-sftp.sh delete mode 100644 roles/sftpbackup/meta/main.yml delete mode 100644 roles/sftpbackup/tasks/main.yml diff --git a/playbooks/backup.yml b/playbooks/backup.yml index bb1d261..91230bc 100644 --- a/playbooks/backup.yml +++ b/playbooks/backup.yml @@ -28,4 +28,4 @@ - backup_server - backup_bitbucket - backup_github - - sftpbackup + - rclone diff --git a/roles/sftpbackup/files/backup-sftp.sh b/roles/sftpbackup/files/backup-sftp.sh deleted file mode 100644 index 0dcc172..0000000 --- a/roles/sftpbackup/files/backup-sftp.sh +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/sh - -set -u -umas 077 - -TARGET="/export/backup" -CONFIG="/etc/rclone/rclone.conf" -LOGDIR="/var/log/rclone" -RCLONE="/usr/local/bin/rclone" - -timestamp="$(date %Y%m%d)" - -if [ ! -d "$TARGET" ]; then - echo "ERR: Destination directory '${TARGET}' does not exist" 1>&2 - exit 1 -fi - -for host in $("$RCLONE" --config "$CONFIG" listremotes | tr -d ":") ; do - fqdn="$("$RCLONE" --config "$CONFIG" config show "$host" | \ - awk '{ if ($1 == "host") print $3 }')" - if [ ! -d "${TARGET}/${fqdn}" ]; then - mkdir "${TARGET}/${fqdn}" - fi - log="${LOGDIR}/${fqdn}.${timestamp}.log" - if ! "$RCLONE" --config "$CONFIG" --log-file "$log" --log-level INFO \ - sync "${host}:/" "${TARGET}/${fqdn}/"; then - cat "$log" - fi -done 
diff --git a/roles/sftpbackup/meta/main.yml b/roles/sftpbackup/meta/main.yml deleted file mode 100644 index 61cc3ce..0000000 --- a/roles/sftpbackup/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - {role: ssh_known_hosts} diff --git a/roles/sftpbackup/tasks/main.yml b/roles/sftpbackup/tasks/main.yml deleted file mode 100644 index e131de3..0000000 --- a/roles/sftpbackup/tasks/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Import rclone role - ansible.builtin.import_role: - name: rclone - vars: - hostgroup: sftpbackup - remote_user: backup - destination: /export/backup - private_key: /root/.ssh/id_ed25519 From 567691c3c4fc2bc6c97032194da4f5335a87845b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 17:37:46 +0000 Subject: [PATCH 235/596] rclone: Use hardcoded user on remote host --- roles/rclone/templates/rclone.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rclone/templates/rclone.conf.j2 b/roles/rclone/templates/rclone.conf.j2 index 440fcc6..8324411 100644 --- a/roles/rclone/templates/rclone.conf.j2 +++ b/roles/rclone/templates/rclone.conf.j2 @@ -4,7 +4,7 @@ [{{ host.split('.')[0] }}] type = sftp host = {{ host }} -user = {{ remote_user }} +user = backup key_file = /etc/rclone/id_ed25519 known_hosts_file = /etc/ssh/ssh_known_hosts {% endfor %} From 8ef3592786b9ed20bc219a9958ebf3f0aef891b1 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 17:38:03 +0000 Subject: [PATCH 236/596] sftpuser: Hardcode username --- roles/sftpuser/tasks/main.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/roles/sftpuser/tasks/main.yml b/roles/sftpuser/tasks/main.yml index 4821c6c..be66266 100644 --- a/roles/sftpuser/tasks/main.yml +++ b/roles/sftpuser/tasks/main.yml 
@@ -1,35 +1,35 @@ --- -- name: "Create group {{ user }}" +- name: Create group ansible.builtin.group: - name: "{{ user }}" + name: backup system: true -- name: "Create user {{ user }}" +- name: Create user ansible.builtin.user: - name: "{{ user }}" - comment: "Service {{ user }}" + name: backup + comment: Service backup createhome: false - group: "{{ user }}" + group: backup home: /var/empty shell: /sbin/nologin system: true -- name: "Create authorized_keys for {{ user }}" +- name: Create authorized_keys ansible.builtin.copy: - dest: "/etc/ssh/authorized_keys.{{ user }}" + dest: /etc/ssh/authorized_keys.backup src: ../files/ssh/backup.pub mode: "0640" owner: root - group: "{{ user }}" + group: backup - name: Configure sshd chroot ansible.builtin.blockinfile: path: /etc/ssh/sshd_config block: | - Match User {{ user }} + Match User backup ChrootDirectory {{ chroot }} ForceCommand internal-sftp - AuthorizedKeysFile /etc/ssh/authorized_keys.{{ user }} - marker: "# {mark} ANSIBLE MANAGED BLOCK (user {{ user }})" + AuthorizedKeysFile /etc/ssh/authorized_keys.backup + marker: "# {mark} ANSIBLE MANAGED BLOCK (user backup)" validate: "sshd -t -f %s" notify: Restart sshd From 9cb17a88c72d7c10c9da9bd4dcbe37dc961b75cc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 17:42:57 +0000 Subject: [PATCH 237/596] rclone: Hardcode hostgroup for sftp backups --- roles/rclone/templates/rclone.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rclone/templates/rclone.conf.j2 b/roles/rclone/templates/rclone.conf.j2 index 8324411..ac601cd 100644 --- a/roles/rclone/templates/rclone.conf.j2 +++ b/roles/rclone/templates/rclone.conf.j2 @@ -1,5 +1,5 @@ # {{ ansible_managed }} -{% for host in groups[hostgroup] %} +{% for host in groups['sftpbackup'] %} [{{ host.split('.')[0] }}] type = sftp From 29c989711c015bf5c01076c4edb5b1d9c27f06ef Mon Sep 17 00:00:00 2001 
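Review bot: The `Match User backup` block written by the `Configure sshd chroot` task restricts the command but not the channel types, so a holder of the backup key can still request TCP, agent or X11 forwarding through the host even though `ForceCommand internal-sftp` denies a shell. Add the forwarding knobs to the block so the account is usable for sftp only, as the sshd_config chroot examples recommend. Separately, `src: ../files/ssh/backup.pub` resolves (via the playbook-directory lookup) to the same `files/ssh/backup.pub` that the first hunk in this series deletes; I cannot see the role's own `files/` tree, so confirm the key is still found somewhere on the search path or every host importing this role fails on that task.
```yaml
    block: |
      Match User backup
        ChrootDirectory {{ chroot }}
        ForceCommand internal-sftp
        AllowTcpForwarding no
        AllowAgentForwarding no
        X11Forwarding no
        PermitTunnel no
        AuthorizedKeysFile /etc/ssh/authorized_keys.backup
```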
From: Timo Makinen Date: Sun, 7 Apr 2024 17:57:05 +0000 Subject: [PATCH 238/596] sftpuser: Prefix variables correctly --- roles/collab/tasks/main.yml | 4 +--- roles/ldap_server/tasks/main.yml | 4 +--- roles/mariadb/tasks/main.yml | 4 +--- roles/sftpuser/tasks/main.yml | 2 +- 4 files changed, 4 insertions(+), 10 deletions(-) diff --git a/roles/collab/tasks/main.yml b/roles/collab/tasks/main.yml index 6a51371..64c43b9 100644 --- a/roles/collab/tasks/main.yml +++ b/roles/collab/tasks/main.yml @@ -274,9 +274,7 @@ ansible.builtin.import_role: name: sftpuser vars: - chroot: /srv/wikis/collab - user: backup - publickeys: "{{ backup_publickeys }}" + sftpuser_chroot: /srv/wikis/collab - name: Add backup user to collab group ansible.builtin.user: diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index 3d9a76e..c36a8ad 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml @@ -59,9 +59,7 @@ ansible.builtin.import_role: name: sftpuser vars: - chroot: /srv/backup - user: backup - publickeys: "{{ backup_publickeys }}" + sftpuser_chroot: /srv/backup - name: Create backup directory ansible.builtin.file: diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 746da67..13e67cb 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -100,9 +100,7 @@ ansible.builtin.import_role: name: sftpuser vars: - chroot: /srv/backup - user: backup - publickeys: "{{ backup_publickeys }}" + sftpuser_chroot: /srv/backup - name: Create backup directory ansible.builtin.file: diff --git a/roles/sftpuser/tasks/main.yml b/roles/sftpuser/tasks/main.yml index be66266..e6ef7ab 100644 --- a/roles/sftpuser/tasks/main.yml +++ b/roles/sftpuser/tasks/main.yml 
@@ -27,7 +27,7 @@ path: /etc/ssh/sshd_config block: | Match User backup - ChrootDirectory {{ chroot }} + ChrootDirectory {{ sftpuser_chroot }} ForceCommand internal-sftp AuthorizedKeysFile /etc/ssh/authorized_keys.backup marker: "# {mark} ANSIBLE MANAGED BLOCK (user backup)" From 5ba21ae4bf71095788fb653658ca25d5116255be Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 18:02:14 +0000 Subject: [PATCH 239/596] sftpuser: Set default chroot path --- roles/ldap_server/tasks/main.yml | 2 -- roles/mariadb/tasks/main.yml | 2 -- roles/sftpuser/defaults/main.yml | 2 ++ 3 files changed, 2 insertions(+), 4 deletions(-) create mode 100644 roles/sftpuser/defaults/main.yml diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index c36a8ad..5602d60 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml @@ -58,8 +58,6 @@ - name: Import sftpuser role ansible.builtin.import_role: name: sftpuser - vars: - sftpuser_chroot: /srv/backup - name: Create backup directory ansible.builtin.file: diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 13e67cb..00894d6 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -99,8 +99,6 @@ - name: Import sftpuser role ansible.builtin.import_role: name: sftpuser - vars: - sftpuser_chroot: /srv/backup - name: Create backup directory ansible.builtin.file: diff --git a/roles/sftpuser/defaults/main.yml b/roles/sftpuser/defaults/main.yml new file mode 100644 index 0000000..0634078 --- /dev/null +++ b/roles/sftpuser/defaults/main.yml @@ -0,0 +1,2 @@ +--- +sftpuser_chroot: /srv/backup From 8cd80becd79f8e0f987d5163de6a57e383ae881a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 18:06:06 +0000 Subject: [PATCH 240/596] rclone: Don't randomize cron job start time --- roles/rclone/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
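Review bot: `ChrootDirectory {{ sftpuser_chroot }}` carries sshd's requirement that the chroot and every path component above it be root-owned and not group- or world-writable, yet nothing in this role creates or checks that path — `/srv/backup` and `/srv/wikis/collab` are set up by the importing roles, whose hunks here only pass the variable. A guard task ahead of the blockinfile, e.g. `ansible.builtin.file: path: "{{ sftpuser_chroot }}" state: directory owner: root` with group/world write cleared, makes a misconfiguration fail at deploy time instead of surfacing later as sshd's "bad ownership or modes for chroot directory" at the first backup login. If the importing roles already guarantee that ownership, a one-line comment on the `ChrootDirectory` line stating the requirement is still worth having; the blockinfile task itself starts outside this hunk.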
diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml index 1019fb7..eaf6bee 100644 --- a/roles/rclone/tasks/main.yml +++ b/roles/rclone/tasks/main.yml @@ -78,5 +78,5 @@ name: rclone-sync user: backup hour: "3" - minute: "{{ 60 | random(seed=inventory_hostname) }}" + minute: "00" job: /usr/local/bin/rclone-sync From f512d8e83e5d323274895968b068e145e2e6fa4b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 7 Apr 2024 18:15:33 +0000 Subject: [PATCH 241/596] rclone: Include ssh_known_hosts role --- roles/rclone/meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/rclone/meta/main.yml b/roles/rclone/meta/main.yml index 9eea2ce..107754b 100644 --- a/roles/rclone/meta/main.yml +++ b/roles/rclone/meta/main.yml @@ -1,3 +1,4 @@ --- dependencies: - {role: backup_server} + - {role: ssh_known_hosts} From 9309a901e310584c11748b31bed37766d52eeed1 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 9 Apr 2024 19:51:56 +0000 Subject: [PATCH 242/596] Monthly software updates --- hosts.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/hosts.yml b/hosts.yml index f211541..50aa429 100644 --- a/hosts.yml +++ b/hosts.yml @@ -26,7 +26,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.7" + gitea_version: "1.21.10" gitearunner: hosts: gitea-runner02.home.foo.sh: @@ -36,11 +36,11 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.3" + homeassistant_version: "2024.4" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git - version: v1.0.15 + version: v1.0.17 - name: nordpool repo: https://github.com/custom-components/nordpool.git version: 0.0.14 @@ -88,8 +88,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "10.3.4" - rocketchat_version: "6.6.3" + grafana_version: "10.4.1" + rocketchat_version: "6.7.0" roundcube_version: "1.6.6" print: hosts: 
From 4ae88c17a022fbd328cd2adab2769ba2d6abb87e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 9 Apr 2024 19:52:36 +0000 Subject: [PATCH 243/596] dhcpd: Hotfix broken ISC DHCPd for OpenBSD --- roles/dhcpd/tasks/main.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/roles/dhcpd/tasks/main.yml b/roles/dhcpd/tasks/main.yml index 7ec173e..4b81ae3 100644 --- a/roles/dhcpd/tasks/main.yml +++ b/roles/dhcpd/tasks/main.yml @@ -17,9 +17,19 @@ # validate: "dhcpd -t -cf %s" notify: Restart dhcpd +- name: Create leases file + ansible.builtin.copy: + dest: /var/db/isc-dhcpd/dhcpd.leases + content: "" + mode: "0644" + owner: _isc-dhcp + group: _isc-dhcp + force: false + when: ansible_os_family == "OpenBSD" + - name: Enable service ansible.builtin.service: name: "{{ dhcpd_service }}" state: started enabled: true - arguments: "-user _isc-dhcp -group _isc-dhcp vio0" + arguments: "-lf /var/db/isc-dhcpd/dhcpd.leases -user _isc-dhcp -group _isc-dhcp vio0" From a275cadcbdffddaa4192e2821cacd8e093a8edd2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 13 Apr 2024 18:43:56 +0000 Subject: [PATCH 244/596] roundcube: Store uploads to databse --- roles/roundcube/templates/local.php.j2 | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/roundcube/templates/local.php.j2 b/roles/roundcube/templates/local.php.j2 index 2935f09..ea54a4b 100644 --- a/roles/roundcube/templates/local.php.j2 +++ b/roles/roundcube/templates/local.php.j2 @@ -3,4 +3,11 @@ $config["domain"] = "{{ mail_domain }}"; $config["product_name"] = "foo.sh - Webmail"; +$config["plugins"] = array( + "database_attachments", +); + +$config['database_attachments_cache'] = 'db'; +$config['database_attachments_cache_ttl'] = 12 * 60 * 60; + ?> From f08c478bf6f36a545c0303ff6f40e7e3c9783799 Mon Sep 17 00:00:00 2001 
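Review bot: The new `Create leases file` task gives `_isc-dhcp` the file, but ISC dhcpd rewrites its lease database by renaming the old file to `dhcpd.leases~` and creating a fresh one, which needs write permission on `/var/db/isc-dhcpd` itself, not just on the file. If the OpenBSD package already creates that directory owned by `_isc-dhcp` this is moot, but an explicit `ansible.builtin.file: path: /var/db/isc-dhcpd state: directory owner: _isc-dhcp group: _isc-dhcp` ahead of the copy documents the assumption and survives a package that changes it. Note also that the copy is gated on `ansible_os_family == "OpenBSD"` while the `arguments:` line with the OpenBSD lease path and `vio0` is unconditional, so the two fall out of step on any other platform the role is applied to.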
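Review bot: The `database_attachments` stanza would benefit from a comment saying why attachments are moved into the database here, since the next commit in this series starts serving webmail from both oci-node instances and that is presumably the motivation; something like `// attachments kept in the DB so an upload survives the proxy sending the next request to the other oci-node` above `$config["plugins"]` — confirm that is the reason before committing it. The new lines also mix quoting styles (`$config["plugins"]` versus `$config['database_attachments_cache']`) while the rest of the file uses double quotes; the two `'…'` lines could follow the existing convention.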
From: Timo Makinen Date: Sat, 13 Apr 2024 18:47:40 +0000 Subject: [PATCH 245/596] Run roundcube on all oci-node instances --- playbooks/oci-node.yml | 3 +-- playbooks/proxy.yml | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/oci-node.yml b/playbooks/oci-node.yml index 77c57fd..2c70ab9 100644 --- a/playbooks/oci-node.yml +++ b/playbooks/oci-node.yml @@ -29,8 +29,7 @@ - authcheck - grafana - kdc + - roundcube - role: php4dvd when: ansible_fqdn == 'oci-node01.home.foo.sh' - - role: roundcube - when: ansible_fqdn == 'oci-node01.home.foo.sh' - rocketchat diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index 0a0ed17..f204c5e 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -107,6 +107,7 @@ nginx_site_name: webmail.foo.sh nginx_site_proxy: - https://oci-node01.home.foo.sh/roundcube/ + - https://oci-node02.home.foo.sh/roundcube/ - role: nginx_site nginx_site_name: wpad.foo.sh - role: nginx_site From 80b7a7c97fcfa0e6e4f13550ab92bfb1fc99995d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 13 Apr 2024 20:20:58 +0000 Subject: [PATCH 246/596] google_spell_pspell: Initial version of role --- container-ports.md | 23 ++++---- .../google-spell-pspell-container.service | 16 ++++++ roles/google_spell_pspell/handlers/main.yml | 18 +++++++ roles/google_spell_pspell/meta/main.yml | 5 ++ roles/google_spell_pspell/tasks/main.yml | 54 +++++++++++++++++++ 5 files changed, 105 insertions(+), 11 deletions(-) create mode 100644 roles/google_spell_pspell/files/google-spell-pspell-container.service create mode 100644 roles/google_spell_pspell/handlers/main.yml create mode 100644 roles/google_spell_pspell/meta/main.yml create mode 100644 roles/google_spell_pspell/tasks/main.yml diff --git a/container-ports.md b/container-ports.md index 63429e3..39a8bec 100644 --- a/container-ports.md +++ b/container-ports.md 
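Review bot: Listing both `oci-node01` and `oci-node02` under `nginx_site_proxy` for `webmail.foo.sh` assumes Roundcube keeps no per-node state: the previous commit moves attachments into the database and Roundcube's session store defaults to the database, but anything the roundcube role leaves node-local — in particular `des_key`, which encrypts the IMAP password held in the session, and `temp_dir` — is not visible here. If `des_key` is not templated from a shared variable, a session created on one node cannot be decrypted on the other and users get logged out whenever the proxy switches backends. A short comment on the proxy entry, e.g. `# both nodes must share DB-backed sessions/attachments and the same des_key`, would record the requirement for the next node added.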
@@ -1,13 +1,14 @@ # Ports used by container web services -| Port | Ansible role | Service name | -|------|----------------|------------------------| -| 8001 | kerberos_kdc | Kerberos KDC | -| 8002 | grafana | Grafana | -| 8003 | authcheck | Authentication check | -| 8004 | roundcube | Roundcube webmail | -| 8005 | php4dvd | php4dvd movie catalog | -| 8006 | scanservjs | SANE Scanner webui | -| 8007 | frigate | Network video recorder | -| 8008 | hoemeassistant | Home Assistant | -| 8009 | rocketchat | Rocket.Chat | +| Port | Ansible role | Service name | +|------|---------------------|----------------------------| +| 8001 | kerberos_kdc | Kerberos KDC | +| 8002 | grafana | Grafana | +| 8003 | authcheck | Authentication check | +| 8004 | roundcube | Roundcube webmail | +| 8005 | php4dvd | php4dvd movie catalog | +| 8006 | scanservjs | SANE Scanner webui | +| 8007 | frigate | Network video recorder | +| 8008 | hoemeassistant | Home Assistant | +| 8009 | rocketchat | Rocket.Chat | +| 8010 | google-spell-pspell | Google Spell Check XML API | diff --git a/roles/google_spell_pspell/files/google-spell-pspell-container.service b/roles/google_spell_pspell/files/google-spell-pspell-container.service new file mode 100644 index 0000000..705ff29 --- /dev/null +++ b/roles/google_spell_pspell/files/google-spell-pspell-container.service @@ -0,0 +1,16 @@ +[Unit] +Description=google-spell-pspell Container +Wants=network-online.target +After=network-online.target + +[Service] +User=pspell +ExecStart=/usr/bin/podman run \ + --rm -p 127.0.0.1:8010:80 \ + --name google-spell-pspell \ + google-spell-pspell:latest +ExecStop=/usr/bin/podman stop --ignore google-spell-pspell +ExecStopPost=/usr/bin/podman rm -f --ignore google-spell-pspell + +[Install] +WantedBy=multi-user.target diff --git a/roles/google_spell_pspell/handlers/main.yml b/roles/google_spell_pspell/handlers/main.yml new file mode 100644 index 0000000..c6f29db --- /dev/null +++ b/roles/google_spell_pspell/handlers/main.yml 
@@ -0,0 +1,18 @@ +--- +- name: Rebuild google-spell-pspell-container + ansible.builtin.command: + argv: + - podman + - build + - -t + - google-spell-pspell + - /usr/local/src/docker-google-spell-pspell + become: true + become_user: pspell + notify: Restart google-spell-pspell-container + +- name: Restart google-spell-pspell-container + ansible.builtin.service: + name: google-spell-pspell-container + daemon_reload: true + state: restarted diff --git a/roles/google_spell_pspell/meta/main.yml b/roles/google_spell_pspell/meta/main.yml new file mode 100644 index 0000000..b8e2a3e --- /dev/null +++ b/roles/google_spell_pspell/meta/main.yml @@ -0,0 +1,5 @@ +--- +dependencies: + - {role: git} + - {role: nginx} + - {role: podman} diff --git a/roles/google_spell_pspell/tasks/main.yml b/roles/google_spell_pspell/tasks/main.yml new file mode 100644 index 0000000..2fe09ee --- /dev/null +++ b/roles/google_spell_pspell/tasks/main.yml 
@@ -0,0 +1,54 @@ +--- +- name: Create group + ansible.builtin.group: + name: pspell + +- name: Create user + ansible.builtin.user: + name: pspell + comment: Podman google-spell-pspell + group: pspell + shell: /sbin/nologin + +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - pspell + creates: /var/lib/systemd/linger/pspell + +- name: Get container source + ansible.builtin.git: + dest: /usr/local/src/docker-google-spell-pspell + repo: https://github.com/foo-sh/docker-google-spell-pspell.git + update: true + version: main + notify: Rebuild google-spell-pspell-container + +- name: Create service file + ansible.builtin.copy: + dest: /etc/systemd/system/google-spell-pspell-container.service + src: google-spell-pspell-container.service + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart google-spell-pspell-container + +- name: Enable service + ansible.builtin.service: + name: google-spell-pspell-container + state: started + enabled: true + +- name: Copy nginx config + ansible.builtin.copy: + dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/google-spell-pspell.conf" + content: | + location /tbproxy/spell { + proxy_pass http://127.0.0.1:8010/; + } + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart nginx From 518e522a50860c5fb1e425d0f72716cad260ff64 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 16 Apr 2024 07:15:42 +0000 Subject: [PATCH 247/596] Update gitea to latest version --- hosts.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 50aa429..b894fbe 100644 --- a/hosts.yml +++ b/hosts.yml @@ -26,7 +26,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.10" + gitea_version: "1.21.11" gitearunner: hosts: gitea-runner02.home.foo.sh: @@ -104,6 +104,9 @@ proxy: hosts: proxy01.home.foo.sh: proxy02.home.foo.sh: +redis: + hosts: + redis01.home.foo.sh: relay: hosts: relay01.home.foo.sh: 
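Review bot: The `Get container source` task tracks `version: main` with `update: true`, so every play pulls whatever is currently on the upstream GitHub branch and the notified handler rebuilds and restarts the container from it — a compromised or merely broken push upstream lands on this host with no review step, even though the repository appears to be the site's own. Pin `version:` to a tag or full commit SHA (e.g. `version: "<commit>"`) and bump it deliberately, keeping `update: true` so the pin is enforced against a force-pushed branch. The base image the handler's `podman build` pulls is set in the Dockerfile outside this change, so pinning the clone does not by itself pin the image; a comment on the task noting that would help.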
@@ -151,6 +154,7 @@ openbsd: mqtt: ns: proxy: + redis: relay: rocky8: children: From d7527a8a6ffa8019701d91f67d161db388bdeeac Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 18 Apr 2024 09:27:01 +0000 Subject: [PATCH 248/596] rclone: Fix config directory permissions --- roles/rclone/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml index eaf6bee..13facd4 100644 --- a/roles/rclone/tasks/main.yml +++ b/roles/rclone/tasks/main.yml @@ -8,7 +8,7 @@ ansible.builtin.file: path: /etc/rclone state: directory - mode: "0750" + mode: "0770" owner: root group: backup From 191e322e9e0c32de52579ee856b584d360c9ac14 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 20 Apr 2024 15:18:30 +0000 Subject: [PATCH 249/596] Remove tftp daemon from nms hosts --- playbooks/nms.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 9aa9d4b..3c73d5f 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -30,7 +30,6 @@ nginx_site_name: oob.foo.sh - sssd - mkhomedir - - tftp - routeros_firmware - snmp_exporter From b2da9de4d6335f3b7a5fb559e82f2dba3c55ff3d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 23 Apr 2024 07:19:30 +0000 Subject: [PATCH 250/596] syslogd: Fix local logging on servers --- roles/syslogd/tasks/server.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/syslogd/tasks/server.yml b/roles/syslogd/tasks/server.yml index ca342d1..cfd8e92 100644 --- a/roles/syslogd/tasks/server.yml +++ b/roles/syslogd/tasks/server.yml @@ -46,7 +46,7 @@ # everything goes to archive *.* /srv/log/all.log # only local goes to the standard logs - +{{ inventory_hostname }} + +{{ ansible_hostname }} marker: "# {mark} ANSIBLE MANAGED BLOCK (syslogd)" notify: Restart syslogd From 885c01ebaa2f1a5283ba4a97fef46c3086542a0c Mon Sep 17 00:00:00 2001 
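Review bot: Loosening `/etc/rclone` from `0750` to `0770` with `owner: root, group: backup` makes the whole config directory writable by the unprivileged `backup` account, which can then replace `rclone.conf` and the `id_ed25519` the template points at underneath Ansible and redirect the next nightly sync. The cron job in this role already runs as `backup`, so this is about the integrity of root-managed configuration rather than new privilege, but it still deserves narrowing: if rclone needs to rewrite its own config, make just `/etc/rclone/rclone.conf` owned by `backup` (or point `--config` at a file under backup's home) and keep the directory at `0750` with the key file root-owned and group-readable only. A comment on the task stating which write rclone actually needs would stop the next person from tightening it back blindly.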
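Review bot: The `+{{ ansible_hostname }}` block selector needs a comment, because the reason the FQDN form did not match is not visible in the file and the commit title only says it fixes local logging; presumably syslogd compares `+host` selectors against the short hostname it sees on the message. Add `# '+host' matches the short hostname syslogd sees, not the FQDN` above the line once you have confirmed that is the mechanism. The blockinfile task containing this line starts outside the hunk.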
From: Timo Makinen Date: Tue, 23 Apr 2024 15:30:22 +0000 Subject: [PATCH 251/596] mongodb: Limit max connections to database --- roles/mongodb/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index 828356c..329e17d 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml @@ -111,6 +111,7 @@ --logRotate reopen \ --nounixsocket --replSet rs0 \ + --maxConns 16384 \ --tlsMode requireTLS \ --tlsCertificateKeyFile {{ tls_private }}/mongodb.pem --tlsCAFile {{ tls_certs }}/ca.crt From 8c93ba043d35a496b63a2d3d36f91ea70269d9d0 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 25 Apr 2024 05:19:19 +0000 Subject: [PATCH 252/596] Drop aarch64 architecture from epel mirror --- playbooks/mirror.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/mirror.yml b/playbooks/mirror.yml index ea6ed1f..d363ba8 100644 --- a/playbooks/mirror.yml +++ b/playbooks/mirror.yml @@ -39,6 +39,7 @@ mirror_rsyncoptions: - "--exclude=debug" - "--exclude=testing" + - "--exclude=aarch64" - "--exclude=ppc64le" - "--exclude=s390x" - "--exclude=source" From cdbd70ec1df1a73f90acc5cf91ead417107329a8 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 9 May 2024 15:52:59 +0000 Subject: [PATCH 253/596] Update homeassistant --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index b894fbe..dcb70ae 100644 --- a/hosts.yml +++ b/hosts.yml @@ -36,7 +36,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.4" + homeassistant_version: "2024.5" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git From 2329b5d5e63867ab37dee7498bedb9935cfd62d9 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 9 May 2024 18:22:06 +0000 Subject: [PATCH 254/596] Increase memory for log hosts --- group_vars/log.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/group_vars/log.yml b/group_vars/log.yml index 00882e3..f7c44ba 100644 --- a/group_vars/log.yml +++ b/group_vars/log.yml @@ -1,4 +1,5 @@ --- +mem_size: 512 datadisks: - {size: 50, type: nvme} From 3b2c2a453eb437d1045fa49bf808e199e7622a99 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 9 May 2024 18:23:21 +0000 Subject: [PATCH 255/596] unbound: Add support for copying zone files --- group_vars/dnagw.yml | 4 ++++ group_vars/frigate.yml | 4 +++- group_vars/nms.yml | 4 ++++ group_vars/print.yml | 4 ++++ playbooks/dna-gw.yml | 13 ------------- playbooks/frigate.yml | 13 ------------- playbooks/nms.yml | 13 ------------- playbooks/print.yml | 13 ------------- roles/unbound/tasks/main.yml | 11 +++++++++++ roles/unbound/vars/OpenBSD.yml | 1 + roles/unbound/vars/RedHat.yml | 1 + 11 files changed, 28 insertions(+), 53 deletions(-) diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml index f224e9f..3bffd50 100644 --- a/group_vars/dnagw.yml +++ b/group_vars/dnagw.yml @@ -16,6 +16,10 @@ network_ether_interfaces: - device: vio1 proto: none +unbound_zones: + - 20.172.in-addr.arpa + - home.foo.sh + # use custom firewall config firewall_src: pf.conf.gw_home diff --git a/group_vars/frigate.yml b/group_vars/frigate.yml index 03177dc..7a7df80 100644 --- a/group_vars/frigate.yml +++ b/group_vars/frigate.yml @@ -11,7 +11,9 @@ network_vip_interfaces: netmask: 255.255.0.0 pass: "{{ vip26_pass }}" -zm_mysql_host: sqldb02.home.foo.sh +unbound_zones: + - 26.20.172.in-addr.arpa + - cam.foo.sh dhcpd_template: dhcpd.conf.cam.j2 firewall_in: diff --git a/group_vars/nms.yml b/group_vars/nms.yml index 42b35f2..4278cfd 100644 --- a/group_vars/nms.yml +++ b/group_vars/nms.yml @@ -2,6 +2,10 @@ datadisks: - {size: 10, type: nvme} +unbound_zones: + - 25.20.172.in-addr.arpa + - oob.foo.sh + network_vip_interfaces: - device: eth0 vhid: 11 diff --git a/group_vars/print.yml b/group_vars/print.yml index 2dbeb2c..469cb94 100644 --- a/group_vars/print.yml +++ b/group_vars/print.yml 
@@ -9,6 +9,10 @@ network_vip_interfaces: dhcpd_template: dhcpd.conf.print.j2 +unbound_zones: + - 24.20.172.in-addr.arpa + - print.foo.sh + firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 53, from: [172.20.24.0/24]} diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index f9672d0..360d7be 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -144,19 +144,6 @@ tags: certificates notify: Restart unbound - - name: Copy DNS zone files - ansible.builtin.copy: - dest: "/var/unbound/db/{{ item }}" - src: "/srv/dns/{{ item }}" - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - tags: dns - notify: Restart unbound - with_items: - - 20.172.in-addr.arpa - - home.foo.sh - - name: Import unbound role ansible.builtin.import_role: name: unbound diff --git a/playbooks/frigate.yml b/playbooks/frigate.yml index 9da0eb3..2b37b1c 100644 --- a/playbooks/frigate.yml +++ b/playbooks/frigate.yml @@ -35,19 +35,6 @@ - name: Run handlers to get interfaces configured ansible.builtin.meta: flush_handlers - - name: Copy DNS zone files - ansible.builtin.copy: - dest: "/var/lib/unbound/{{ item }}" - src: "/srv/dns/{{ item }}" - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - tags: dns - notify: Restart unbound - with_items: - - 26.20.172.in-addr.arpa - - cam.foo.sh - - name: Include unbound role ansible.builtin.import_role: name: unbound diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 3c73d5f..c557d36 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -46,19 +46,6 @@ vars: relay_domains: [foo.sh] - - name: Copy DNS zone files - ansible.builtin.copy: - dest: "/var/lib/unbound/{{ item }}" - src: "/srv/dns/{{ item }}" - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - tags: dns - notify: Restart unbound - with_items: - - 25.20.172.in-addr.arpa - - oob.foo.sh - - name: Import unbound role ansible.builtin.import_role: name: unbound 
diff --git a/playbooks/print.yml b/playbooks/print.yml index 3a22ad2..baa33c8 100644 --- a/playbooks/print.yml +++ b/playbooks/print.yml @@ -25,19 +25,6 @@ ansible.builtin.import_role: name: dhcpd - - name: Copy DNS zone files - ansible.builtin.copy: - dest: "/var/lib/unbound/{{ item }}" - src: "/srv/dns/{{ item }}" - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - tags: dns - notify: Restart unbound - with_items: - - 24.20.172.in-addr.arpa - - print.foo.sh - - name: Install unbound role ansible.builtin.import_role: name: unbound diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 0c0ef91..5ec99fb 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -15,6 +15,17 @@ creates: "{{ unbound_control_key }}" notify: Restart unbound +- name: Copy zone files + ansible.builtin.copy: + dest: "{{ unbound_zonedir }}/{{ item }}" + src: "/srv/dns/{{ item }}" + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + with_items: "{{ unbound_zones }}" + notify: Restart unbound + when: unbound_zones is defined + - name: Copy config ansible.builtin.template: dest: "{{ unbound_conf }}" diff --git a/roles/unbound/vars/OpenBSD.yml b/roles/unbound/vars/OpenBSD.yml index 4ce4313..c952c8a 100644 --- a/roles/unbound/vars/OpenBSD.yml +++ b/roles/unbound/vars/OpenBSD.yml @@ -1,3 +1,4 @@ --- unbound_conf: /var/unbound/etc/unbound.conf unbound_control_key: /var/unbound/etc/unbound_control.key +unbound_zonedir: /var/unbound/db diff --git a/roles/unbound/vars/RedHat.yml b/roles/unbound/vars/RedHat.yml index 48bfadd..a15473b 100644 --- a/roles/unbound/vars/RedHat.yml +++ b/roles/unbound/vars/RedHat.yml @@ -1,3 +1,4 @@ --- unbound_conf: /etc/unbound/unbound.conf unbound_control_key: /etc/unbound/unbound_control.key +unbound_zonedir: /var/lib/unbound From fd495036f248dbc5131e342fc99e25b48c0acb60 Mon Sep 17 00:00:00 2001 
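Review bot: The new `Copy zone files` task in roles/unbound/tasks/main.yml drops the `tags: dns` that all four deleted playbook copies carried, so `--tags dns` no longer refreshes zone data on those hosts; either restore `tags: dns` on the task or say in the commit that the tag is gone on purpose. The `when: unbound_zones is defined` guard also does not protect the per-host templates in the following commit, which iterate `unbound_zones` unconditionally; declaring `unbound_zones: []` in a `roles/unbound/defaults/main.yml` and dropping the `when` keeps task and templates consistent with one definition. Minor: `loop:` is the current spelling of `with_items:`.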
From: Timo Makinen Date: Thu, 9 May 2024 18:42:42 +0000 Subject: [PATCH 256/596] unbound: Don't hardcode zones --- .../templates/unbound.conf.dna-gw01.home.foo.sh.j2 | 9 ++++----- .../templates/unbound.conf.dna-gw02.home.foo.sh.j2 | 9 ++++----- .../templates/unbound.conf.frigate02.home.foo.sh.j2 | 9 ++++----- .../unbound/templates/unbound.conf.nms01.home.foo.sh.j2 | 9 ++++----- .../templates/unbound.conf.print01.home.foo.sh.j2 | 9 ++++----- 5 files changed, 20 insertions(+), 25 deletions(-) diff --git a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 index 7977574..97db90b 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 @@ -26,9 +26,8 @@ remote-control: control-enable: yes control-interface: /var/run/unbound.sock +{% for zone in unbound_zones %} auth-zone: - name: "home.foo.sh" - zonefile: "/var/unbound/db/home.foo.sh" -auth-zone: - name: "20.172.in-addr.arpa" - zonefile: "/var/unbound/db/20.172.in-addr.arpa" + name: "{{ zone }}" + zonefile: "{{ unbound_zonedir }}/{{ zone }}" +{% endfor %} diff --git a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 index c7090c2..59d99d8 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 @@ -26,9 +26,8 @@ remote-control: control-enable: yes control-interface: /var/run/unbound.sock +{% for zone in unbound_zones %} auth-zone: - name: "home.foo.sh" - zonefile: "/var/unbound/db/home.foo.sh" -auth-zone: - name: "20.172.in-addr.arpa" - zonefile: "/var/unbound/db/20.172.in-addr.arpa" + name: "{{ zone }}" + zonefile: "{{ unbound_zonedir }}/{{ zone }}" +{% endfor %} 
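Review bot: The `{% for zone in unbound_zones %}` auth-zone loop added here is pasted identically into all five per-host templates (dna-gw02, frigate02, nms01 and print01 receive the same lines in the later hunks), so the next change to how zones are declared has to be made in five places. Move the loop into a shared fragment such as `roles/unbound/templates/auth-zones.j2` and replace each copy with `{% include 'auth-zones.j2' %}`; the per-host files then differ only in what is actually host-specific.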
diff --git a/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 index a4d3f59..4fa13e5 100644 --- a/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 @@ -30,9 +30,8 @@ forward-zone: name: "." forward-addr: 172.20.20.10@853#dns.home.foo.sh +{% for zone in unbound_zones %} auth-zone: - name: "cam.foo.sh" - zonefile: "/var/lib/unbound/cam.foo.sh" -auth-zone: - name: "26.20.172.in-addr.arpa" - zonefile: "/var/lib/unbound/26.20.172.in-addr.arpa" + name: "{{ zone }}" + zonefile: "{{ unbound_zonedir }}/{{ zone }}" +{% endfor %} diff --git a/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 index a842fcd..5812def 100644 --- a/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 @@ -30,9 +30,8 @@ forward-zone: name: "." forward-addr: 172.20.20.10@853#dns.home.foo.sh +{% for zone in unbound_zones %} auth-zone: - name: "oob.foo.sh" - zonefile: "/var/lib/unbound/oob.foo.sh" -auth-zone: - name: "25.20.172.in-addr.arpa" - zonefile: "/var/lib/unbound/25.20.172.in-addr.arpa" + name: "{{ zone }}" + zonefile: "{{ unbound_zonedir }}/{{ zone }}" +{% endfor %} diff --git a/roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2 index 4799b50..46a4ab4 100644 --- a/roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2 
@@ -30,9 +30,8 @@ forward-zone: name: "." forward-addr: 172.20.20.10@853#dns.home.foo.sh +{% for zone in unbound_zones %} auth-zone: - name: "print.foo.sh" - zonefile: "/var/lib/unbound/print.foo.sh" -auth-zone: - name: "24.20.172.in-addr.arpa" - zonefile: "/var/lib/unbound/24.20.172.in-addr.arpa" + name: "{{ zone }}" + zonefile: "{{ unbound_zonedir }}/{{ zone }}" +{% endfor %} From eb1b324c8d44e29088b58062f1b530cc0d0fdb35 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 9 May 2024 19:42:35 +0000 Subject: [PATCH 257/596] network: Add support for NetworkManager --- roles/network/tasks/RedHat.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/roles/network/tasks/RedHat.yml b/roles/network/tasks/RedHat.yml index 7c04aa3..96e3734 100644 --- a/roles/network/tasks/RedHat.yml +++ b/roles/network/tasks/RedHat.yml @@ -18,8 +18,24 @@ mode: "0644" owner: root group: "{{ ansible_wheel }}" + # notify: Reload network manager connections + with_items: "{{ network_interfaces }}" + when: + - ansible_distribution != "Fedora" + - ansible_distribution_major_version | int <= 8 + +- name: Create ethernet interface configurations + ansible.builtin.template: + src: nmconnection.j2 + dest: "/etc/NetworkManager/system-connections/{{ item.device }}.nmconnection" + mode: "0600" + owner: root + group: "{{ ansible_wheel }}" notify: Reload network manager connections with_items: "{{ network_interfaces }}" + when: >- + ansible_distribution == "Fedora" or + ansible_distribution_major_version | int >= 9 - name: Install keepalived ansible.builtin.package: From ce46c5fb90bac5c195a6d35465e33bb10aeb6dc0 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 9 May 2024 20:08:34 +0000 Subject: [PATCH 258/596] Remove sshscan and sslscan from nms hosts --- playbooks/nms.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/playbooks/nms.yml b/playbooks/nms.yml index c557d36..d3eeea7 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml 
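Review bot: In the ifcfg branch the handler line became `# notify: Reload network manager connections`, so on EL8 a changed `ifcfg-*` file is written but never applied until something else reloads NetworkManager, and the commit message does not say this is intended. Either restore `notify: Reload network manager connections` on that task or add a comment explaining why EL8 must not reload automatically. The two `when:` clauses are complementary today, but computing the choice once (e.g. a `network_use_keyfile` fact set in a preceding `set_fact`) would stop them drifting apart as more distributions are added.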
@@ -65,7 +65,5 @@
 - net-snmp-utils
 - nmap
 - rcs
- - scanssh
- - sslscan
 - unzip
 - wget
From 7c7b632fc882b719d417bf91abde6532b082eb50 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 10 May 2024 00:17:50 +0000
Subject: [PATCH 259/596] network: Add missing template
---
 roles/network/templates/nmconnection.j2 | 42 +++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 roles/network/templates/nmconnection.j2
diff --git a/roles/network/templates/nmconnection.j2 b/roles/network/templates/nmconnection.j2
new file mode 100644
index 0000000..3e7797d
--- /dev/null
+++ b/roles/network/templates/nmconnection.j2
@@ -0,0 +1,42 @@
+[connection]
+id={{ item.device }}
+{% for line in interface_uuid.stdout_lines %}
+{% if line.split()[0] == item.device %}
+uuid={{ line.split()[1] }}
+{% elif line.split()[2] == item.device %}
+uuid={{ line.split()[1] }}
+{% endif %}
+{% endfor %}
+type=ethernet
+interface-name={{ item.device }}
+
+[ethernet]
+
+[ipv4]
+{% if item.proto is not defined or item.proto == 'dhcp' %}
+method=auto
+{% elif item.proto == 'static' %}
+method=manual
+address1={{ item.ipaddr }}/{{ item.netmask }}
+{% if item.gateway is defined %}
+gateway={{ item.gateway }}
+{% endif %}
+{% elif item.proto == 'none' %}
+method=disabled
+{% endif %}
+{% if item.nameservers is defined %}
+dns={% for name in item.nameservers %}{{ name }};{% endfor %}
+{% endif %}
+
+[ipv6]
+addr-gen-mode=eui64
+{% if item.ip6addr is not defined or item.ip6addr == 'none' %}
+method=disabled
+{% elif item.ip6addr == 'auto' %}
+method=auto
+{% else %}
+method=manual
+address1={{ item.ip6addr }}
+{% endif %}
+
+[proxy]
From 2ac737061316ee9b07a08b22550b1a7f795e7b38 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 10 May 2024 00:25:24 +0000
Subject: [PATCH 260/596] network: Fix empty nameserver list
---
 roles/network/templates/nmconnection.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
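Review bot: `{% elif line.split()[2] == item.device %}` in the new nmconnection.j2 indexes the third field unconditionally, so any line of `interface_uuid.stdout_lines` with fewer than three fields (an empty device column, a header, a blank line) aborts the whole template with an IndexError rather than skipping that line; `{% elif line.split() | length > 2 and line.split()[2] == item.device %}` keeps the loop total. When no line matches, the file is written with no `uuid=` at all, and the template does not say whether NetworkManager is expected to derive one in that case — a one-line comment above the `{% for %}` stating the expected shape of `interface_uuid` output and what happens on no match would make the template reviewable without the task that registers it. The `address1=` form is reworked by a later commit on this page, so it is not raised here.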
diff --git a/roles/network/templates/nmconnection.j2 b/roles/network/templates/nmconnection.j2
index 3e7797d..2dc1ef9 100644
--- a/roles/network/templates/nmconnection.j2
+++ b/roles/network/templates/nmconnection.j2
@@ -24,7 +24,7 @@ gateway={{ item.gateway }}
 {% elif item.proto == 'none' %}
 method=disabled
 {% endif %}
-{% if item.nameservers is defined %}
+{% if item.nameservers is defined and item.nameservers != [] %}
 dns={% for name in item.nameservers %}{{ name }};{% endfor %}
 {% endif %}
From 8aa7a8aaa2f6ea2baf3b001df4fb0d7407442e2b Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 10 May 2024 01:08:04 +0000
Subject: [PATCH 261/596] network: Fix setting DNS server priorities
---
 roles/network/templates/nmconnection.j2 | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/network/templates/nmconnection.j2 b/roles/network/templates/nmconnection.j2
index 2dc1ef9..867c357 100644
--- a/roles/network/templates/nmconnection.j2
+++ b/roles/network/templates/nmconnection.j2
@@ -26,6 +26,8 @@ method=disabled
 {% endif %}
 {% if item.nameservers is defined and item.nameservers != [] %}
 dns={% for name in item.nameservers %}{{ name }};{% endfor %}
+
+dns-priority=-10
 {% endif %}
 [ipv6]
From e35f425d077f42295a207067304671fd0158f04b Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 10 May 2024 01:46:28 +0000
Subject: [PATCH 262/596] Update bunch of hosts to rocky linux 9
---
 hosts.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/hosts.yml b/hosts.yml
index dcb70ae..7b77ec4 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -159,23 +159,23 @@ openbsd:
 rocky8:
 children:
 collab:
- frigate:
- homeassistant:
 mail:
- minecraft:
 nas:
- nms:
- print:
 shell:
 rocky9:
 children:
 adm:
+ frigate:
 gitea:
+ homeassistant:
 influxdb:
 ldap:
+ minecraft:
 mirror:
 mongodb:
+ nms:
 ocinode:
+ print:
 prometheus:
 sane:
 sqldb:
From 42fddcc2781825635d1e683eda83b873f5992d9a Mon Sep 17 00:00:00 2001
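Review bot: `dns-priority=-10` in the second nmconnection.j2 hunk deserves a comment in the template, because a negative NetworkManager dns-priority does more than order servers — as far as I recall it makes this connection's servers exclusive and suppresses DNS from connections with a higher value, which is a deliberate policy choice rather than a tweak. Something like `# negative priority: these servers are used exclusively, DNS from other connections is ignored` on the line above keeps that visible to the next person editing the inventory. In the first hunk, `item.nameservers is defined and item.nameservers != []` could be shortened to `item.nameservers is defined and item.nameservers`, which also treats a null value from the inventory as "no servers" instead of rendering `dns=` with a failed loop.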
From: Timo Makinen
Date: Fri, 10 May 2024 15:12:03 +0000
Subject: [PATCH 263/596] nginx: Enable nginx 1.24 module for EL9
---
 roles/nginx/tasks/main.yml | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 03e8151..3c2af48 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -14,7 +14,22 @@
 notify: Restart nginx
 when:
 - ansible_os_family == "RedHat"
- - ansible_distribution_major_version | int >= 8
+ - ansible_distribution_major_version | int == 8
+ - ansible_distribution != "Fedora"
+
+- name: Enable nginx:124 module
+ ansible.builtin.command:
+ argv:
+ - dnf
+ - module
+ - -y
+ - enable
+ - nginx:1.22
+ creates: /etc/dnf/modules.d/nginx.module
+ notify: Restart nginx
+ when:
+ - ansible_os_family == "RedHat"
+ - ansible_distribution_major_version | int >= 9
 - ansible_distribution != "Fedora"
 - name: Install packages
From 2a750a57f362f82ec79ed29bbe90caff17b51873 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 10 May 2024 15:14:53 +0000
Subject: [PATCH 264/596] nginx_site: Add support for disabling plain text
---
 roles/nginx_site/defaults/main.yml | 2 ++
 roles/nginx_site/templates/site.conf.j2 | 2 ++
 2 files changed, 4 insertions(+)
 create mode 100644 roles/nginx_site/defaults/main.yml
diff --git a/roles/nginx_site/defaults/main.yml b/roles/nginx_site/defaults/main.yml
new file mode 100644
index 0000000..2296dbc
--- /dev/null
+++ b/roles/nginx_site/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+nginx_site_plaintext: true
diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2
index 6e4117b..f3af053 100644
--- a/roles/nginx_site/templates/site.conf.j2
+++ b/roles/nginx_site/templates/site.conf.j2
@@ -48,6 +48,7 @@ server {
 root /srv/web/{{ nginx_site_name }};
 {% endif %}
 }
+{% if nginx_site_plaintext %}
 server {
 listen 80;
@@ -64,3 +65,4 @@ server {
 {% endif %}
 }
 }
+{% endif %}
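Review bot: `{% if nginx_site_plaintext %}` wraps the entire port-80 server block, and that block is where this template proxies `/.well-known/acme-challenge/` (visible in the later site.conf.j2 hunks on this page), so a site deployed with `nginx_site_plaintext: false` also loses its HTTP-01 challenge path; if such sites are renewed another way that is fine, but the new default deserves a note, e.g. `# false removes the port-80 vhost entirely, including the ACME HTTP-01 proxy` in defaults/main.yml. In the nginx role hunk, `creates: /etc/dnf/modules.d/nginx.module` is the only idempotence guard for the `dnf module enable` task, and that file also exists when a different stream was enabled earlier, so a host that moved from an older stream would never be switched; checking the enabled stream (for example registering `dnf module list --enabled nginx` and using `changed_when`/`when` on its output) is more reliable. The stream name mismatch with the task title is corrected by a later commit on this page.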
From 91f1fe3fbc026255c1d2cdc4b428a1e712aeeb8e Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 10 May 2024 15:15:41 +0000
Subject: [PATCH 265/596] Don't enable plain text web server on nms hosts
---
 playbooks/nms.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/playbooks/nms.yml b/playbooks/nms.yml
index d3eeea7..e4d523e 100644
--- a/playbooks/nms.yml
+++ b/playbooks/nms.yml
@@ -28,6 +28,7 @@
 - nginx
 - role: nginx_site
 nginx_site_name: oob.foo.sh
+ nginx_site_plaintext: false
 - sssd
 - mkhomedir
 - routeros_firmware
From c06d3cdc7e48870bf0f3024c926a32669d4861de Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 10 May 2024 16:14:33 +0000
Subject: [PATCH 266/596] nginx: Fix typo
---
 roles/nginx/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 3c2af48..14e5d2a 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -24,7 +24,7 @@
 - module
 - -y
 - enable
- - nginx:1.22
+ - nginx:1.24
 creates: /etc/dnf/modules.d/nginx.module
 notify: Restart nginx
 when:
From da371980aaf0f47c31bbe33eaa6dcbbe9040631d Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 10 May 2024 16:22:42 +0000
Subject: [PATCH 267/596] nginx: Fix crash on el9 with plain text http
---
 roles/nginx/templates/nginx.conf.j2 | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
index 85c6ecc..80f7786 100644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -10,13 +10,6 @@ events {
 http {
 access_log {{ nginx_logdir }}/access.log combined;
- proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt;
- proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key;
- proxy_ssl_trusted_certificate {{ tls_certs }}/ca.crt;
- proxy_ssl_protocols TLSv1.2 TLSv1.3;
- proxy_ssl_server_name on;
- proxy_ssl_verify on;
-
 map $http_upgrade $connection_upgrade {
 default upgrade;
 '' close;
@@ -42,6 +35,13 @@ http {
 }
 }
 {% else %}
+ proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt;
+ proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key;
+ proxy_ssl_trusted_certificate {{ tls_certs }}/ca.crt;
+ proxy_ssl_protocols TLSv1.2 TLSv1.3;
+ proxy_ssl_server_name on;
+ proxy_ssl_verify on;
+
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;
 ssl_session_tickets off;
From f4b34de6c4e120ba9f1bb2dc1e718252a0067c80 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 11 May 2024 09:03:22 +0000
Subject: [PATCH 268/596] Continue el9 upgrades
---
 hosts.yml | 4 ++--
 playbooks/shell.yml | 3 +--
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/hosts.yml b/hosts.yml
index 7b77ec4..c1c5339 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -160,8 +160,6 @@ rocky8:
 children:
 collab:
 mail:
- nas:
- shell:
 rocky9:
 children:
 adm:
@@ -173,11 +171,13 @@ rocky9:
 minecraft:
 mirror:
 mongodb:
+ nas:
 nms:
 ocinode:
 print:
 prometheus:
 sane:
+ shell:
 sqldb:
 static:
 vmhost:
diff --git a/playbooks/shell.yml b/playbooks/shell.yml
index 2f031da..9b4b060 100644
--- a/playbooks/shell.yml
+++ b/playbooks/shell.yml
@@ -24,7 +24,6 @@
 - thinlinc_server
 - epel_repo
 - foosh_repo
- - powertools_repo
 - role: nginx
 nginx_plaintext: true
@@ -63,6 +62,7 @@
 - pandoc
 - php-cli
 - python3-netaddr
+ - python3-requests
 - rcs
 - rpmlint
 - syslinux
@@ -71,7 +71,6 @@
 - tmux
 - whois
 - wireshark
- - wkhtmltopdf
 - yamllint
 - zsh
 loop_control:
From e20873cbd3ba1922e7c439b414eb37350a52003d Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 11 May 2024 17:29:29 +0000
Subject: [PATCH 269/596] network: Set netmask in correct format
---
 roles/network/templates/nmconnection.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/network/templates/nmconnection.j2 b/roles/network/templates/nmconnection.j2
index 867c357..4a27ddb 100644
--- a/roles/network/templates/nmconnection.j2
+++ b/roles/network/templates/nmconnection.j2
@@ -17,7 +17,7 @@ interface-name={{ item.device }}
 method=auto
 {% elif item.proto == 'static' %}
 method=manual
-address1={{ item.ipaddr }}/{{ item.netmask }}
+address1={{ item.ipaddr }}/{{ (item.ipaddr + '/' + item.netmask) | ansible.utils.ipaddr('prefix') }}
 {% if item.gateway is defined %}
 gateway={{ item.gateway }}
 {% endif %}
From a25cd83e947fd53dca56f1020d07d9604add69ed Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 11 May 2024 19:00:51 +0000
Subject: [PATCH 270/596] Revert "nginx: Fix crash on el9 with plain text http"
This reverts commit da371980aaf0f47c31bbe33eaa6dcbbe9040631d.
---
 roles/nginx/templates/nginx.conf.j2 | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
index 80f7786..85c6ecc 100644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -10,6 +10,13 @@ events {
 http {
 access_log {{ nginx_logdir }}/access.log combined;
+ proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt;
+ proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key;
+ proxy_ssl_trusted_certificate {{ tls_certs }}/ca.crt;
+ proxy_ssl_protocols TLSv1.2 TLSv1.3;
+ proxy_ssl_server_name on;
+ proxy_ssl_verify on;
+
 map $http_upgrade $connection_upgrade {
 default upgrade;
 '' close;
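Review bot: The new `address1=` line pulls in `ansible.utils.ipaddr`, which means the controller now needs the `ansible.utils` collection and its `netaddr` dependency, and nothing in the role records that; a requirements entry, or at least a comment in the template, would stop the next deploy from failing on a fresh controller. The expression itself is sound for both dotted masks and prefix lengths, which is worth stating so nobody "simplifies" it later: `{# item.netmask may be dotted-quad or a prefix length; ipaddr('prefix') normalises both #}` above the line. The surrounding `{% elif item.proto == 'static' %}` branch begins inside the hunk but the enclosing `[ipv4]` section does not.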
@@ -35,13 +42,6 @@ http {
 }
 }
 {% else %}
- proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt;
- proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key;
- proxy_ssl_trusted_certificate {{ tls_certs }}/ca.crt;
- proxy_ssl_protocols TLSv1.2 TLSv1.3;
- proxy_ssl_server_name on;
- proxy_ssl_verify on;
-
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;
 ssl_session_tickets off;
From a2fe24955b3ba61f3a9fb3863a4437dad7f1c1c3 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 11 May 2024 19:01:13 +0000
Subject: [PATCH 271/596] nginx_site: Use plain http for certbot
---
 roles/nginx_site/templates/site.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2
index f3af053..fc70329 100644
--- a/roles/nginx_site/templates/site.conf.j2
+++ b/roles/nginx_site/templates/site.conf.j2
@@ -55,7 +55,7 @@ server {
 listen [::]:80;
 server_name {{ nginx_site_name }};
 location /.well-known/acme-challenge/ {
- proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/;
+ proxy_pass http://certbot.home.foo.sh/.well-known/acme-challenge/;
 }
 location / {
 {% if nginx_site_redirect is defined %}
From 96f28d63ccfe47e8ccb92557b8fdb25968df1caa Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 11 May 2024 19:01:37 +0000
Subject: [PATCH 272/596] grossd: Fix install on EL9
---
 roles/grossd/meta/main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/grossd/meta/main.yml b/roles/grossd/meta/main.yml
index 7ae8670..50b8afb 100644
--- a/roles/grossd/meta/main.yml
+++ b/roles/grossd/meta/main.yml
@@ -1,3 +1,4 @@
 ---
 dependencies:
+ - {role: crb_repo}
 - {role: foosh_repo}
From d0f814475327d17feccbf76911d4c4d834ecabc7 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 11 May 2024 19:03:14 +0000
Subject: [PATCH 273/596] Convert mail hosts to Rocky Linux 9
---
 hosts.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
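Review bot: `proxy_pass http://certbot.home.foo.sh/.well-known/acme-challenge/;` moves the ACME HTTP-01 hop between the public proxy and certbot to cleartext and, with it, drops the upstream verification that the https form got from the `proxy_ssl_verify on` block in nginx.conf.j2, so the integrity of that internal network path is now what stands between a challenge request and a certificate being issued for the proxied name. If the crash this works around is the `proxy_ssl_*` placement that the revert on this line restores, keeping https here and finishing that fix is the safer order; if cleartext is to stay, a comment at the location recording the assumption (`# internal hop is cleartext; relies on the proxy-to-certbot segment being trusted`) makes the trade-off visible. The enclosing port-80 `server {` block starts and ends outside the hunk.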
diff --git a/hosts.yml b/hosts.yml
index c1c5339..eb80242 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -159,7 +159,6 @@ openbsd:
 rocky8:
 children:
 collab:
- mail:
 rocky9:
 children:
 adm:
@@ -168,6 +167,7 @@ rocky9:
 homeassistant:
 influxdb:
 ldap:
+ mail:
 minecraft:
 mirror:
 mongodb:
From ce72d0d17a81e27a3559a4a974e9a5fc80e2fb90 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 11 May 2024 19:13:04 +0000
Subject: [PATCH 274/596] nginx_site: Fix certbot virtual host
---
 roles/nginx_site/templates/site.conf.j2 | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2
index fc70329..eaf21e4 100644
--- a/roles/nginx_site/templates/site.conf.j2
+++ b/roles/nginx_site/templates/site.conf.j2
@@ -54,6 +54,7 @@ server {
 listen 80;
 listen [::]:80;
 server_name {{ nginx_site_name }};
+{% if nginx_site_name != 'certbot.home.foo.sh' %}
 location /.well-known/acme-challenge/ {
 proxy_pass http://certbot.home.foo.sh/.well-known/acme-challenge/;
 }
@@ -64,5 +65,8 @@ server {
 return 301 https://$host$request_uri;
 {% endif %}
 }
+{% else %}
+ root /srv/web/{{ nginx_site_name }};
+{% endif %}
 }
 {% endif %}
From eb4a2fa842d177f4db4113089d301e28389f958c Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 11 May 2024 19:13:29 +0000
Subject: [PATCH 275/596] Open port 80 from adm hosts for certbot
---
 group_vars/adm.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/group_vars/adm.yml b/group_vars/adm.yml
index e80e98c..0a9a22a 100644
--- a/group_vars/adm.yml
+++ b/group_vars/adm.yml
@@ -4,5 +4,6 @@ datadisks:
 firewall_in:
 - {proto: tcp, port: 22, from: [172.20.20.0/22]}
+ - {proto: tcp, port: 80, from: [172.20.20.0/22]}
 - {proto: tcp, port: 443, from: [172.20.20.0/22]}
 - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
From 62463860e4f18fa848de4d68c32ca4706af9ee3f Mon Sep 17 00:00:00 2001
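Review bot: `{% if nginx_site_name != 'certbot.home.foo.sh' %}` hard-codes one site's hostname into a role template that every other site shares, so the special case is invisible from the playbook and breaks silently if the certbot host is ever renamed. A role variable makes the intent explicit and keeps the template generic: `nginx_site_acme_proxy: true` in defaults/main.yml, `{% if nginx_site_acme_proxy %}` here, and `nginx_site_acme_proxy: false` on the certbot play. The `{% else %}` branch serves `root /srv/web/{{ nginx_site_name }}` over plain HTTP, which is fine for challenge tokens as long as nothing else is placed under that directory — a comment on the `root` line saying it exists only for ACME would guard against that. The port-80 `server {` block this sits in begins outside the hunk.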
From: Timo Makinen
Date: Sat, 11 May 2024 19:17:23 +0000
Subject: [PATCH 276/596] rclone: Fix extra spaces
---
 roles/rclone/templates/rclone.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/rclone/templates/rclone.conf.j2 b/roles/rclone/templates/rclone.conf.j2
index ac601cd..222ebf1 100644
--- a/roles/rclone/templates/rclone.conf.j2
+++ b/roles/rclone/templates/rclone.conf.j2
@@ -6,5 +6,5 @@ type = sftp
 host = {{ host }}
 user = backup
 key_file = /etc/rclone/id_ed25519
-known_hosts_file = /etc/ssh/ssh_known_hosts
+known_hosts_file = /etc/ssh/ssh_known_hosts
 {% endfor %}
From 5fd1b776bed26973f7c93a1bb964b09584b10b07 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 11 May 2024 19:27:13 +0000
Subject: [PATCH 277/596] rclone: Disable checksumming
---
 roles/rclone/templates/rclone.conf.j2 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/rclone/templates/rclone.conf.j2 b/roles/rclone/templates/rclone.conf.j2
index 222ebf1..99e1d3e 100644
--- a/roles/rclone/templates/rclone.conf.j2
+++ b/roles/rclone/templates/rclone.conf.j2
@@ -5,6 +5,7 @@
 type = sftp
 host = {{ host }}
 user = backup
+shell_type = none
 key_file = /etc/rclone/id_ed25519
 known_hosts_file = /etc/ssh/ssh_known_hosts
 {% endfor %}
From 2d7113f6e680e74387de3212005c4ee398464e77 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 18 May 2024 19:29:41 +0000
Subject: [PATCH 278/596] Update software versions
---
 hosts.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hosts.yml b/hosts.yml
index eb80242..3e6f577 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -77,7 +77,7 @@ nms:
 nms01.home.foo.sh:
 nms02.home.foo.sh:
 vars:
- snmp_exporter_version: "0.25.0"
+ snmp_exporter_version: "0.26.0"
 ns:
 hosts:
 ns01.home.foo.sh:
@@ -88,8 +88,8 @@ ocinode:
 oci-node01.home.foo.sh:
 oci-node02.home.foo.sh:
 vars:
- grafana_version: "10.4.1"
- rocketchat_version: "6.7.0"
+ grafana_version: "11.0.0"
+ rocketchat_version: "6.8.0"
 roundcube_version: "1.6.6"
 print:
 hosts:
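Review bot: `shell_type = none` does more than the commit title "Disable checksumming" says — as far as I recall it stops rclone from running any command on the remote side of the sftp session, so hash checks, free-space queries and home-directory expansion are all off and only raw sftp operations remain, which is exactly what a restricted `backup` account should allow but is easy to misread later. A comment in the template makes the reason durable: `# no remote shell: keeps the backup account to pure sftp; disables checksum verification`. The `{% for %}` loop these lines sit in starts outside the hunk, so the setting applies to every configured host.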
From bb8b48626310ba641d149e618689e112b39c54d7 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 18 May 2024 19:54:43 +0000
Subject: [PATCH 279/596] Increase os disk size for oci-nodes
---
 group_vars/ocinode.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/group_vars/ocinode.yml b/group_vars/ocinode.yml
index 7e132c3..7f06eb1 100644
--- a/group_vars/ocinode.yml
+++ b/group_vars/ocinode.yml
@@ -1,6 +1,8 @@
 ---
 # increase memory size
 mem_size: 4096
+# increase disk size to store docker images
+dsk_size: 50
 firewall_in:
 - {proto: tcp, port: 22, from: [172.20.20.0/22]}
From dc2a6f57889a43581195032d6df3a08487eb0539 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 6 Jun 2024 19:29:38 +0000
Subject: [PATCH 280/596] blackbox_exporter: Initial version of role
---
 roles/blackbox_exporter/files/blackbox.yml | 17 ++++++++
 roles/blackbox_exporter/handlers/main.yml | 5 +++
 roles/blackbox_exporter/tasks/main.yml | 39 +++++++++++++++++++
 .../templates/web-config.yml.j2 | 11 ++++++
 4 files changed, 72 insertions(+)
 create mode 100644 roles/blackbox_exporter/files/blackbox.yml
 create mode 100644 roles/blackbox_exporter/handlers/main.yml
 create mode 100644 roles/blackbox_exporter/tasks/main.yml
 create mode 100644 roles/blackbox_exporter/templates/web-config.yml.j2
diff --git a/roles/blackbox_exporter/files/blackbox.yml b/roles/blackbox_exporter/files/blackbox.yml
new file mode 100644
index 0000000..9152489
--- /dev/null
+++ b/roles/blackbox_exporter/files/blackbox.yml
@@ -0,0 +1,17 @@
+---
+modules:
+ http:
+ prober: http
+ http:
+ valid_status_codes:
+ - 200
+ - 401
+ - 403
+ ssh:
+ prober: tcp
+ tcp:
+ query_response:
+ - expect: "^SSH-2.0-"
+ - send: "SSH-2.0-blackbox-ssh-check"
+ tcp:
+ prober: tcp
diff --git a/roles/blackbox_exporter/handlers/main.yml b/roles/blackbox_exporter/handlers/main.yml
new file mode 100644
index 0000000..34e0f2d
--- /dev/null
+++ b/roles/blackbox_exporter/handlers/main.yml
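Review bot: `valid_status_codes` accepting 401 and 403 in the `http` module means a probe reports success for endpoints that answer with an auth error, which is the right call for probing protected services but hides a misconfigured or locked-out auth layer behind a green check; a comment next to the list, `# 401/403 count as up: most probed endpoints require auth, availability is what is measured`, records the intent. If some targets are expected to be reachable unauthenticated, a second module with only `200` would let those alerts stay sharp. The `ssh` module's expect/send pair is a sensible banner check and needs nothing more.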
@@ -0,0 +1,5 @@
+---
+- name: Restart blackbox_exporter
+ ansible.builtin.service:
+ name: blackbox_exporter
+ state: restarted
diff --git a/roles/blackbox_exporter/tasks/main.yml b/roles/blackbox_exporter/tasks/main.yml
new file mode 100644
index 0000000..b3e2410
--- /dev/null
+++ b/roles/blackbox_exporter/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: Install packages
+ ansible.builtin.package:
+ name: blackbox_exporter
+ state: installed
+
+- name: Add user to hostkey group
+ ansible.builtin.user:
+ name: _blackboxexporter
+ groups: hostkey
+ append: true
+ notify: Restart blackbox_exporter
+
+- name: Create main config
+ ansible.builtin.copy:
+ dest: /etc/blackbox_exporter/blackbox.yml
+ src: blackbox.yml
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart blackbox_exporter
+
+- name: Create web-config
+ ansible.builtin.template:
+ dest: /etc/blackbox_exporter/web-config.yml
+ src: web-config.yml.j2
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart blackbox_exporter
+
+- name: Enable service
+ ansible.builtin.service:
+ name: blackbox_exporter
+ state: started
+ arguments: >
+ --config.file=/etc/blackbox_exporter/blackbox.yml
+ --web.config.file=/etc/blackbox_exporter/web-config.yml
+ enabled: true
diff --git a/roles/blackbox_exporter/templates/web-config.yml.j2 b/roles/blackbox_exporter/templates/web-config.yml.j2
new file mode 100644
index 0000000..03e5466
--- /dev/null
+++ b/roles/blackbox_exporter/templates/web-config.yml.j2
@@ -0,0 +1,11 @@
+---
+tls_server_config:
+ key_file: {{ tls_private }}/{{ inventory_hostname }}.key
+ cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt
+ client_ca_file: {{ tls_certs }}/ca.crt
+ client_auth_type: RequireAndVerifyClientCert
+ client_allowed_sans:
+{% for host in groups['prometheus'] %}
+ - {{ host }}
+{% endfor %}
+ min_version: TLS13
From 20d91ff1b001260b136758a6ea0ac5eadb55f170 Mon Sep 17 00:00:00 2001
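Review bot: `groups: hostkey` in the "Add user to hostkey group" task gives the `_blackboxexporter` account read access to the host's TLS private key — web-config.yml.j2 points `key_file` at `{{ tls_private }}/{{ inventory_hostname }}.key` — which is a reasonable trade-off for one daemon but should be stated on the task so the grant is not widened casually: `# read access to the host TLS key referenced by web-config.yml; consider a dedicated cert if this daemon is ever exposed wider`. The web-config itself is solid: `client_auth_type: RequireAndVerifyClientCert` with `client_allowed_sans` drawn from `groups['prometheus']` and `min_version: TLS13` means the probe endpoint is reachable only by the named scrapers. In the "Enable service" task, `arguments: >` keeps a trailing newline in the value; `arguments: >-` passes the flags without it, and whether `arguments` is honoured at all depends on the target's service manager, which this hunk does not show.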
From: Timo Makinen
Date: Thu, 6 Jun 2024 19:30:05 +0000
Subject: [PATCH 281/596] Add blackbox_exporter to external ns host
---
 group_vars/ns.yml | 3 ++-
 playbooks/ns.yml | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/group_vars/ns.yml b/group_vars/ns.yml
index 544cf9b..79a23ca 100644
--- a/group_vars/ns.yml
+++ b/group_vars/ns.yml
@@ -6,7 +6,8 @@ firewall_in:
 - {proto: tcp, port: 80}
 - {proto: tcp, port: 443}
 - {proto: tcp, port: 853}
- - {proto: tcp, port: 9100, from: [172.20.20.0/22, 62.78.229.29/32]}
+ - {proto: tcp, port: 9100}
+ - {proto: tcp, port: 9115}
 firewall_raw:
 - pass quick proto carp
diff --git a/playbooks/ns.yml b/playbooks/ns.yml
index a7476ca..b4e6dbf 100644
--- a/playbooks/ns.yml
+++ b/playbooks/ns.yml
@@ -21,3 +21,5 @@
 nginx_site_redirect: https://www.foo.sh/
 - role: ifstated
 when: "'vultr' not in group_names"
+ - role: blackbox_exporter
+ when: "inventory_hostname == 'atl01.vultr.foo.sh'"
From 9f69d421f2b7eea4a63d8e29184a2f90eb7da8f9 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 6 Jun 2024 19:31:40 +0000
Subject: [PATCH 282/596] frigate: Store events for 1 month
---
 roles/frigate/templates/frigate.yml.j2 | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2
index 715272d..7ceb0c7 100644
--- a/roles/frigate/templates/frigate.yml.j2
+++ b/roles/frigate/templates/frigate.yml.j2
@@ -12,6 +12,10 @@ record:
 retain:
 days: 7
 mode: motion
+ events:
+ retain:
+ default: 30
+ mode: motion
 cameras:
 {% for camera in cctv_cameras %}
From c08a8158f72a7cca4c7198930b7df4f8220342a4 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Tue, 11 Jun 2024 16:48:25 +0000
Subject: [PATCH 283/596] Update software versions
---
 hosts.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/hosts.yml b/hosts.yml
index 3e6f577..fac3b7e 100644
--- a/hosts.yml
+++ b/hosts.yml
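Review bot: The port 9100 rule in group_vars/ns.yml lost its source allow-list — `- {proto: tcp, port: 9100}` replaces the entry limited to 172.20.20.0/22 and 62.78.229.29/32 — and the new 9115 rule has none either, so on these externally reachable ns hosts both exporter ports are now open to any source. The blackbox exporter is behind the mutual-TLS web-config from the previous commit, but nothing on this page shows node_exporter on 9100 having equivalent client authentication, which means host metrics become readable from the internet unless something else fronts them. Unless that is confirmed, restoring `from: [172.20.20.0/22, 62.78.229.29/32]` on both rules (adding the new scraper's address to the list if the drop was made because it changed) keeps the metrics and the on-demand probe endpoint off the public interface. The `firewall_in` list these entries belong to starts outside the hunk.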
@@ -36,7 +36,7 @@ homeassistant:
 hosts:
 homeassistant01.home.foo.sh:
 vars:
- homeassistant_version: "2024.5"
+ homeassistant_version: "2024.6"
 homeassistant_integrations:
 - name: electrolux_status
 repo: https://github.com/albaintor/homeassistant_electrolux_status.git
@@ -89,8 +89,8 @@ ocinode:
 oci-node02.home.foo.sh:
 vars:
 grafana_version: "11.0.0"
- rocketchat_version: "6.8.0"
- roundcube_version: "1.6.6"
+ rocketchat_version: "6.9.0"
+ roundcube_version: "1.6.7"
 print:
 hosts:
 print01.home.foo.sh:
@@ -99,7 +99,7 @@ prometheus:
 prometheus02.home.foo.sh:
 vars:
 mysqld_exporter_version: "0.15.1"
- nginx_exporter_version: "1.1.0"
+ nginx_exporter_version: "1.2.0"
 proxy:
 hosts:
 proxy01.home.foo.sh:
From 1b9b9962a795e8b16eb7a3308bade2a2380e9577 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 12 Jun 2024 13:27:49 +0000
Subject: [PATCH 284/596] base: Set LC_TIME correctly to get 24h clock
---
 roles/base/tasks/RedHat.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml
index 50e0397..992c088 100644
--- a/roles/base/tasks/RedHat.yml
+++ b/roles/base/tasks/RedHat.yml
@@ -124,6 +124,27 @@
 dest: /etc/GREP_COLORS
 state: absent
+- name: Check date format
+ ansible.builtin.shell:
+ cmd: |
+ set -o pipefail
+ localectl status | grep -E '^\s+LC_TIME=C.UTF-8$'
+ executable: /bin/bash
+ register: locale_check
+ changed_when: false
+ failed_when: false
+ check_mode: false
+
+- name: Set date format to use 24 hour clock
+ ansible.builtin.command:
+ argv:
+ - localectl
+ - set-locale
+ - LC_TIME=C.UTF-8
+ register: result
+ changed_when: result.rc == 0
+ when: locale_check.rc != 0
+
 - name: Store date and time for bash history
 ansible.builtin.copy:
 dest: /etc/profile.d/history.sh
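Review bot: `changed_when: result.rc == 0` on the "Set date format" task is always true when it is evaluated, because `ansible.builtin.command` already fails the task on a non-zero exit, so the `register: result` and the condition add nothing; `changed_when: true` says the same in one line, or both can be dropped since the task only runs when the check said the value is absent. The check task's `grep -E '^\s+LC_TIME=C.UTF-8$'` depends on `localectl status` indenting continuation lines (`\s+` rather than `\s*`) and leaves the `.` unescaped; if the intent is to read the persisted setting, `grep -qx 'LC_TIME=C.UTF-8' /etc/locale.conf` checks the file `localectl set-locale` writes without parsing human-oriented output, though that assumes the RHEL layout and is worth confirming. `failed_when: false` together with `check_mode: false` is the right shape for a probe task.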
From: Timo Makinen
Date: Sat, 15 Jun 2024 20:57:58 +0000
Subject: [PATCH 285/596] nginx_site: Disable support for custom tls config
---
 roles/nginx_site/templates/site.conf.j2 | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2
index eaf21e4..afc3dae 100644
--- a/roles/nginx_site/templates/site.conf.j2
+++ b/roles/nginx_site/templates/site.conf.j2
@@ -20,13 +20,6 @@ server {
 add_header Strict-Transport-Security "max-age=63072000" always;
-{% if nginx_site_ssl_config is defined %}
-{% if nginx_site_ssl_config == "old" %}
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
- ssl_prefer_server_ciphers on;
-{% endif %}
-{% endif %}
 ssl_certificate {{ tls_certs }}/{{ nginx_site_name }}-fullchain.crt;
 ssl_certificate_key {{ tls_private }}/{{ nginx_site_name }}.key;
From 023257ae558c96cc57d2a84546bb9f77ea215739 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 15 Jun 2024 20:59:01 +0000
Subject: [PATCH 286/596] Remove unneeded option
---
 playbooks/proxy.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml
index f204c5e..daa19be 100644
--- a/playbooks/proxy.yml
+++ b/playbooks/proxy.yml
@@ -33,7 +33,6 @@
 nginx_site_name: autoconfig.foo.sh
 - role: nginx_site
 nginx_site_name: boot.foo.sh
- nginx_site_ssl_config: old
 - role: nginx_site
 nginx_site_name: bitbucket.foo.sh
 nginx_site_redirect: https://bitbucket.org/tmakinen/
From 813146b1062aec75a40aa7d44d273d18191f0b27 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sun, 16 Jun 2024 20:48:31 +0000
Subject: [PATCH 287/596] minecraft: Change uid and gid
---
 roles/minecraft/tasks/main.yml | 4 ++--
 users.md | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/minecraft/tasks/main.yml b/roles/minecraft/tasks/main.yml
index db2e66e..50961a4 100644
--- a/roles/minecraft/tasks/main.yml
+++ b/roles/minecraft/tasks/main.yml
@@ -7,13 +7,13 @@
 - name: Create group
 ansible.builtin.group:
 name: minecraft
- gid: 1007
+ gid: 307
 - name: Create user
 ansible.builtin.user:
 name: minecraft
 comment: Service Minecraft
- uid: 1007
+ uid: 307
 group: minecraft
 create_home: false
 home: /var/empty
diff --git a/users.md b/users.md
index d0ca8d9..c6f02a5 100644
--- a/users.md
+++ b/users.md
@@ -12,8 +12,8 @@ entry empty. If only a group is created, leave the user entry empty.
 | 303 | gitea | gitea | |
 | 305 | prometheus | prometheus | |
 | 306 | backup | backup | |
+| 307 | minecraft | minecraft | |
 | 1001 | mirror | mirror | |
 | 1002 | certbot | certbot | |
 | 1003 | collab | collab | |
 | 1004 | docker | docker | docker registry |
-| 1007 | minecraft | minecraft | |
From 8ef5f5b18e36f4cbf1d6bfbe5300c31e47c2ce1e Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Tue, 18 Jun 2024 16:38:45 +0000
Subject: [PATCH 288/596] Rotate dkim keys
---
 playbooks/mail.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/playbooks/mail.yml b/playbooks/mail.yml
index 686ed79..1b86873 100644
--- a/playbooks/mail.yml
+++ b/playbooks/mail.yml
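Review bot: Changing `uid: 1007` to `uid: 307` (and the gid alongside) on an already-provisioned host updates the account entries but not the files the service has written under the old ids — `ansible.builtin.user` does not chown anything outside the home directory, and `create_home: false` with `home: /var/empty` means there is nothing for it to fix up — so existing world and data directories are left owned by a dangling 1007 and the server may fail to write at next start. A one-off `ansible.builtin.file` task with `owner: minecraft`, `group: minecraft` and `recurse: true` on the data directory, or at minimum a comment on the user task that re-deployed hosts need a chown, closes that gap; the users.md row moves match the new ids. The data directory's path is not visible in this hunk, so the exact target has to come from the rest of the role.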
@@ -39,7 +39,7 @@
 nginx_site_redirect: https://webmail.foo.sh/
 - grossd
 - role: opendkim
- opendkim_selector: 20240101
+ opendkim_selector: 20240601
 - spamassassin
 - spamassassin_clamav
 - spamassassin_ixhash
From 750b3bab7d320e49c7355ef480d7857e99c44c21 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 21 Jun 2024 15:14:44 +0000
Subject: [PATCH 289/596] ldap_server: Store backups for 30 days
---
 roles/ldap_server/files/ldap-backup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/ldap_server/files/ldap-backup.sh b/roles/ldap_server/files/ldap-backup.sh
index 7942743..d6a95d4 100755
--- a/roles/ldap_server/files/ldap-backup.sh
+++ b/roles/ldap_server/files/ldap-backup.sh
@@ -12,7 +12,7 @@ if [ "$(whoami)" != "root" ]; then
 fi
 BACKUPDIR="/srv/backup"
-BACKUPAGE="7"
+BACKUPAGE="30"
 DATE="$(date '+%Y-%m-%d')"
From 0eeed22092a7ed48f50120ad13d9fa4833d39f03 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 21 Jun 2024 15:17:39 +0000
Subject: [PATCH 290/596] ldap_server: Style fixes for backup script
---
 roles/ldap_server/files/ldap-backup.sh | 15 ++++++++------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/roles/ldap_server/files/ldap-backup.sh b/roles/ldap_server/files/ldap-backup.sh
index d6a95d4..2e84891 100755
--- a/roles/ldap_server/files/ldap-backup.sh
+++ b/roles/ldap_server/files/ldap-backup.sh
@@ -16,19 +16,20 @@ BACKUPAGE="30"
 DATE="$(date '+%Y-%m-%d')"
+cd "$BACKUPDIR"
+
 ldapsearch -LLL -x -H ldapi:// -s base -b 'cn=Databases,cn=Monitor' \
 '(objectClass=*)' namingContexts | \
 sed -n 's/^namingContexts: \(.*\)/\1/p' | while read -r db ; do
- [ "${db}" = "cn=config" ] && continue
- if ! slapcat -f /etc/openldap/slapd.conf -b "${db}" 2> /dev/null | \
- gzip > "${BACKUPDIR}/${db}.${DATE}.gz" ; then
+ [ "$db" = "cn=config" ] && continue
+ if ! slapcat -f /etc/openldap/slapd.conf -b "$db" 2> /dev/null | \
+ gzip > "${db}.${DATE}.gz"
+ then
 echo "ERR: Failed to backup database ${db}" 1>&2
 continue
 fi
 chgrp backup "${BACKUPDIR}/${db}.${DATE}.gz"
 done
-cd ${BACKUPDIR} && {
- find . -xdev -depth -mindepth 1 -maxdepth 1 -type f -mtime +${BACKUPAGE} \
- -name '*.gz' -execdir rm -f -- {} \;
-}
+find . -xdev -depth -mindepth 1 -maxdepth 1 -type f -mtime +${BACKUPAGE} \
+ -name '*.gz' -execdir rm -f -- {} \;
From 6dd5cfa68113d6d76d2e41bdf43d3e569ebfcebc Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 21 Jun 2024 15:20:02 +0000
Subject: [PATCH 291/596] mariadb: Style fixes and store 30 days of backups
---
 roles/mariadb/files/mariadb-backup.sh | 23 ++++++++---------------
 1 file changed, 8 insertions(+), 15 deletions(-)
diff --git a/roles/mariadb/files/mariadb-backup.sh b/roles/mariadb/files/mariadb-backup.sh
index e2181bb..b2ac7cb 100755
--- a/roles/mariadb/files/mariadb-backup.sh
+++ b/roles/mariadb/files/mariadb-backup.sh
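Review bot: `cd "$BACKUPDIR"` is now unguarded: the removed form `cd ${BACKUPDIR} && { find ... }` skipped the cleanup when the directory was missing, whereas the new script carries on after a failed cd and runs the dumps and `find . ... -execdir rm -f -- {} \;` in whatever the current directory happens to be — unless the script header, which is outside the hunk, sets `set -e`. `cd "$BACKUPDIR" || exit 1` makes the intent explicit either way and costs nothing. `chgrp backup "${BACKUPDIR}/${db}.${DATE}.gz"` still spells the absolute path while the gzip redirect two lines up uses the relative `"${db}.${DATE}.gz"`; using the relative name in both keeps the two from drifting apart.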
@@ -4,23 +4,16 @@ set -eu umask 027 -DESTDIR="/export/backup" +DESTDIR="/srv/backup" DATE="$(date +%Y-%m-%d)" -if [ ! -d "$DESTDIR" ]; then - echo "ERR: MariaDB backup directory [${DESTDIR}] does not exist" 1>&2 - exit 1 -fi +cd "$DESTDIR" +find . -xdev -mindepth 2 -maxdepth 2 -type f -mtime +30 \ + -execdir rm -f -- {} \; +find . -xdev -depth -mindepth 1 -maxdepth 1 -type d -empty \ + -execdir rmdir -- {} \; -cd "$DESTDIR" && { - find . -xdev -mindepth 2 -maxdepth 2 -type f -mtime +7 \ - -execdir rm -f -- {} \; - find . -xdev -depth -mindepth 1 -maxdepth 1 -type d -empty \ - -execdir rmdir -- {} \; -} - -DESTDIR="${DESTDIR}/${DATE}" -mkdir "$DESTDIR" +mkdir "$DATE" for db in $(mysql -e "show databases" -s) ; do case "$db" in @@ -28,5 +21,5 @@ for db in $(mysql -e "show databases" -s) ; do continue ;; esac - mysqldump -E --add-drop-table "$db" | gzip > "${DESTDIR}/${db}.${DATE}.gz" + mysqldump -E --add-drop-table "$db" | gzip > "${DATE}/${db}.${DATE}.gz" done From 195d9c3b035b313bb28e433bc82d49705f6a0a74 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 18:11:04 +0000 Subject: [PATCH 292/596] backup_base: Rename role --- roles/{backup_server => backup_base}/tasks/main.yml | 5 ----- 1 file changed, 5 deletions(-) rename roles/{backup_server => backup_base}/tasks/main.yml (87%) diff --git a/roles/backup_server/tasks/main.yml b/roles/backup_base/tasks/main.yml similarity index 87% rename from roles/backup_server/tasks/main.yml rename to roles/backup_base/tasks/main.yml index 18d8222..e87400a 100644 --- a/roles/backup_server/tasks/main.yml +++ b/roles/backup_base/tasks/main.yml @@ -1,9 +1,4 @@ --- -- name: Install packages - ansible.builtin.package: - name: rclone - state: installed - - name: Create backup group ansible.builtin.group: name: backup From e233860b7bd445f4a5cf12811ef5a79998365772 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sat, 22 Jun 2024 18:51:49 +0000 Subject: [PATCH 293/596] mongodb: Add database backups --- roles/mongodb/meta/main.yml | 4 +++ roles/mongodb/tasks/main.yml | 17 ++++++++++++ roles/mongodb/templates/mongodb-backup.sh.j2 | 28 ++++++++++++++++++++ 3 files changed, 49 insertions(+) create mode 100644 roles/mongodb/meta/main.yml create mode 100755 roles/mongodb/templates/mongodb-backup.sh.j2 diff --git a/roles/mongodb/meta/main.yml b/roles/mongodb/meta/main.yml new file mode 100644 index 0000000..683bc95 --- /dev/null +++ b/roles/mongodb/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - {role: backup_base} + diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index 329e17d..582b32c 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml @@ -29,6 +29,7 @@ name: "{{ item }}" state: installed with_items: + - mongodb-database-tools - mongodb-mongosh - mongodb-org-server @@ -127,6 +128,22 @@ state: started enabled: true +- name: Copy backup script + ansible.builtin.template: + dest: /usr/local/sbin/mongodb-backup + src: mongodb-backup.sh.j2 + mode: "0700" + owner: root + group: "{{ ansible_wheel }}" + +- name: Create backup cron job + ansible.builtin.cron: + name: mongodb-backup + job: /usr/local/sbin/mongodb-backup + hour: "0" + minute: "20" + user: root + - name: Create mongo alias cmd for root ansible.builtin.lineinfile: path: /root/.bashrc diff --git a/roles/mongodb/templates/mongodb-backup.sh.j2 b/roles/mongodb/templates/mongodb-backup.sh.j2 new file mode 100755 index 0000000..2cca05a --- /dev/null +++ b/roles/mongodb/templates/mongodb-backup.sh.j2 
@@ -0,0 +1,28 @@ +#!/bin/sh + +set -eu + +umask 027 + +DESTDIR="/srv/backup" +DATE="$(date +%Y-%m-%d)" + +cd "$DESTDIR" +find . -xdev -mindepth 2 -maxdepth 2 -type f -mtime +30 \ + -execdir rm -f -- {} \; +find . -xdev -depth -mindepth 1 -maxdepth 1 -type d -empty \ + -execdir rmdir -- {} \; + +mkdir -m 2750 "$DATE" +chgrp backup "$DATE" + +mongodump \ + --sslPEMKeyFile=/etc/pki/tls/private/mongodb.pem \ + --sslCAFile=/etc/pki/tls/certs/ca.crt \ + --ssl \ + --username=backup \ + --password="{{ mongodb_backup_password }}" \ + --gzip \ + --out="${DATE}" \ + --quiet \ + --uri="mongodb://$(hostname -f)/" From 788c9fa45345280bc8b7601951eecdef38146d18 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 19:09:20 +0000 Subject: [PATCH 294/596] backup_base: Add sftp ssh config when needed --- roles/backup_base/tasks/main.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/roles/backup_base/tasks/main.yml b/roles/backup_base/tasks/main.yml index e87400a..9a28a8f 100644 --- a/roles/backup_base/tasks/main.yml +++ b/roles/backup_base/tasks/main.yml @@ -30,3 +30,25 @@ owner: root group: "{{ ansible_wheel }}" follow: false + +- name: Create authorized_keys + ansible.builtin.copy: + dest: /etc/ssh/authorized_keys.backup + src: ../files/ssh/backup.pub + mode: "0640" + owner: root + group: backup + when: "'sftpbackup' in group_names" + +- name: Configure sshd chroot + ansible.builtin.blockinfile: + path: /etc/ssh/sshd_config + block: | + Match User backup + ChrootDirectory /srv/backup + ForceCommand internal-sftp + AuthorizedKeysFile /etc/ssh/authorized_keys.backup + marker: "# {mark} ANSIBLE MANAGED BLOCK (user backup)" + validate: "sshd -t -f %s" + when: "'sftpbackup' in group_names" + notify: Restart sshd From 5e5ebf937c18173b53e6313c3bc0fdf393449683 Mon Sep 17 00:00:00 2001 
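Review bot: The retention sweep never matches mongodump's output: with `--out="${DATE}"` the files land at `DATE/<db>/<collection>.bson.gz`, depth 3 relative to `.`, while the copied `find … -mindepth 2 -maxdepth 2 -type f -mtime +30` only inspects depth 2 (the mariadb layout), and because the day directories are never empty the second find does not remove them either, so nothing is ever pruned. Prune whole day directories by age instead: `find . -xdev -mindepth 1 -maxdepth 1 -type d -mtime +30 -execdir rm -rf -- {} \;`. Separately, `--password="{{ mongodb_backup_password }}"` puts the credential on the command line, visible to every local user via `ps` or `/proc/*/cmdline` while the dump runs even though the rendered script is 0700; mongodump accepts `--config` pointing at a YAML file that holds `password:` (database tools 100.0 and later), so render the secret into a separate root-only file and pass that path instead.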
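Review bot: The `Match User backup` block forces `internal-sftp` but leaves the other channel types enabled, so a client holding the backup key can still request TCP, agent and tunnel forwardings through this host; add `AllowTcpForwarding no`, `AllowAgentForwarding no` and `PermitTunnel no` (and `X11Forwarding no`) inside the block so the account is genuinely sftp-only. `ChrootDirectory /srv/backup` also requires that path and every parent be root-owned and not group- or world-writable, which is worth stating in a comment next to the task since the directory mode is managed elsewhere in this role. Validating with `sshd -t -f %s` before notifying the restart is the right pattern.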
From: Timo Makinen Date: Sat, 22 Jun 2024 19:09:43 +0000 Subject: [PATCH 295/596] backup_base: More restrictive permissions --- roles/backup_base/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/backup_base/tasks/main.yml b/roles/backup_base/tasks/main.yml index 9a28a8f..3d842b6 100644 --- a/roles/backup_base/tasks/main.yml +++ b/roles/backup_base/tasks/main.yml @@ -18,7 +18,7 @@ ansible.builtin.file: path: /export/backup state: directory - mode: "0770" + mode: "0750" owner: root group: backup From db996daf14b0e7a832125bb8479ba670bad3cf97 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 19:10:18 +0000 Subject: [PATCH 296/596] rclone: Migrate to use backup_base role --- roles/rclone/meta/main.yml | 2 +- roles/rclone/tasks/main.yml | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/roles/rclone/meta/main.yml b/roles/rclone/meta/main.yml index 107754b..a6cb84e 100644 --- a/roles/rclone/meta/main.yml +++ b/roles/rclone/meta/main.yml @@ -1,4 +1,4 @@ --- dependencies: - - {role: backup_server} + - {role: backup_base} - {role: ssh_known_hosts} diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml index 13facd4..335d66e 100644 --- a/roles/rclone/tasks/main.yml +++ b/roles/rclone/tasks/main.yml @@ -58,6 +58,15 @@ owner: backup group: backup +- name: Create backup directories + ansible.builtin.file: + path: "/srv/backup/{{ item }}" + state: directory + mode: "0770" + owner: root + group: backup + with_items: "{{ groups['sftpbackup'] }}" + - name: Copy rclone sync script ansible.builtin.copy: dest: /usr/local/bin/rclone-sync From 1534104bf49c71dc19428aadaccfd13aa086f101 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 19:10:42 +0000 Subject: [PATCH 297/596] Migrate from backup_server to backup_base --- roles/backup_bitbucket/meta/main.yml | 2 +- roles/backup_github/meta/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/roles/backup_bitbucket/meta/main.yml b/roles/backup_bitbucket/meta/main.yml index 9eea2ce..f178512 100644 --- a/roles/backup_bitbucket/meta/main.yml +++ b/roles/backup_bitbucket/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - {role: backup_server} + - {role: backup_base} diff --git a/roles/backup_github/meta/main.yml b/roles/backup_github/meta/main.yml index 9eea2ce..f178512 100644 --- a/roles/backup_github/meta/main.yml +++ b/roles/backup_github/meta/main.yml @@ -1,3 +1,3 @@ --- dependencies: - - {role: backup_server} + - {role: backup_base} From b692084f16aa0d7f3e7bd9f7416a0ad88658e772 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 19:11:36 +0000 Subject: [PATCH 298/596] Add mongodb hosts to sftp backups --- hosts.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts.yml b/hosts.yml index fac3b7e..7eb5c70 100644 --- a/hosts.yml +++ b/hosts.yml @@ -136,6 +136,7 @@ sftpbackup: children: collab: ldap: + mongodb: sqldb: vultr: From 849b4ab88740c5fd70af189618777f49cd54ca36 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 19:25:04 +0000 Subject: [PATCH 299/596] mariadb: Migrate to use backup_base --- roles/mariadb/files/mariadb-backup.sh | 3 ++- roles/mariadb/meta/main.yml | 4 ++++ roles/mariadb/tasks/main.yml | 21 --------------------- 3 files changed, 6 insertions(+), 22 deletions(-) create mode 100644 roles/mariadb/meta/main.yml diff --git a/roles/mariadb/files/mariadb-backup.sh b/roles/mariadb/files/mariadb-backup.sh index b2ac7cb..9a4a354 100755 --- a/roles/mariadb/files/mariadb-backup.sh +++ b/roles/mariadb/files/mariadb-backup.sh @@ -13,7 +13,8 @@ find . -xdev -mindepth 2 -maxdepth 2 -type f -mtime +30 \ find . -xdev -depth -mindepth 1 -maxdepth 1 -type d -empty \ -execdir rmdir -- {} \; -mkdir "$DATE" +mkdir -m 2770 "$DATE" +chgrp backup "$DATE" for db in $(mysql -e "show databases" -s) ; do case "$db" in 
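Review bot: `mkdir -m 2770 "$DATE"` makes the day directory group-writable for `backup`, so the sftp pull account, which only needs to read the dumps, can also overwrite or delete them, and a compromised pull key could destroy history rather than just read it. The mongodb template added earlier in this series uses `mkdir -m 2750` for the same layout; use `mkdir -m 2750 "$DATE"` here too unless something writes into it as the backup user. With `umask 027` and the setgid bit the dumps inside should already be created 0640 with group backup, which is sufficient for a read-only pull.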
diff --git a/roles/mariadb/meta/main.yml b/roles/mariadb/meta/main.yml new file mode 100644 index 0000000..683bc95 --- /dev/null +++ b/roles/mariadb/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - {role: backup_base} + diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 00894d6..b2a9ca9 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -96,27 +96,6 @@ group: "{{ ansible_wheel }}" when: mariadb_root_password is defined -- name: Import sftpuser role - ansible.builtin.import_role: - name: sftpuser - -- name: Create backup directory - ansible.builtin.file: - path: /export/backup - state: directory - mode: "02750" - owner: root - group: backup - -- name: Link backup directory - ansible.builtin.file: - path: /srv/backup - src: /export/backup - state: link - owner: root - group: "{{ ansible_wheel }}" - follow: false - - name: Copy backup script ansible.builtin.copy: dest: /usr/local/sbin/mariadb-backup From e60c786b76c3e69c297c4041d181fc03a6a544f0 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 19:25:22 +0000 Subject: [PATCH 300/596] ldap_server: Migrate to use backup_base --- roles/ldap_server/meta/main.yml | 1 + roles/ldap_server/tasks/main.yml | 22 ---------------------- 2 files changed, 1 insertion(+), 22 deletions(-) diff --git a/roles/ldap_server/meta/main.yml b/roles/ldap_server/meta/main.yml index e59e67d..84aca43 100644 --- a/roles/ldap_server/meta/main.yml +++ b/roles/ldap_server/meta/main.yml @@ -1,5 +1,6 @@ --- dependencies: + - {role: backup_base} - {role: kerberos} - {role: ldap} - {role: saslauthd} diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index 5602d60..9669610 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml 
@@ -55,28 +55,6 @@ follow: false when: ldap_datadir != "/srv/ldap" -- name: Import sftpuser role - ansible.builtin.import_role: - name: sftpuser - -- name: Create backup directory - ansible.builtin.file: - path: "{{ ldap_backupdir }}" - state: directory - mode: "0750" - owner: root - group: backup - -- name: Link backup directory - ansible.builtin.file: - path: /srv/backup - src: /export/backup - state: link - owner: root - group: "{{ ansible_wheel }}" - follow: false - when: ldap_backupdir != "/srv/backup" - - name: Copy backup script ansible.builtin.copy: dest: /usr/local/sbin/ldap-backup From 3127ddf841c0e8ba4816bd2d8828d6bb11d169c3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 19:30:33 +0000 Subject: [PATCH 301/596] Disable sftp backups from collab hosts --- hosts.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 7eb5c70..0102176 100644 --- a/hosts.yml +++ b/hosts.yml @@ -134,7 +134,6 @@ vmhost: sftpbackup: children: - collab: ldap: mongodb: sqldb: From c9e8ec6d7c5f255680414e598b3bb3dd3ba98c78 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 19:32:05 +0000 Subject: [PATCH 302/596] mongodb: Remove unused config --- roles/mongodb/templates/mongod.conf.j2 | 23 ----------------------- 1 file changed, 23 deletions(-) delete mode 100644 roles/mongodb/templates/mongod.conf.j2 diff --git a/roles/mongodb/templates/mongod.conf.j2 b/roles/mongodb/templates/mongod.conf.j2 deleted file mode 100644 index dd90429..0000000 --- a/roles/mongodb/templates/mongod.conf.j2 +++ /dev/null @@ -1,23 +0,0 @@ - -systemLog: - destination: file - logAppend: true - path: /var/log/mongodb/mongod.log - -storage: - dbPath: /srv/mongodb - journal: - enabled: true - -processManagement: - fork: true - pidFilePath: /var/run/mongodb/mongod.pid - timeZoneInfo: /usr/share/zoneinfo - -net: - port: 27017 - bindIpAll: true - tls: - mode: requireTLS - certificateKeyFile: {{ tls_private }}/mongodb.pem - CAFile: {{ tls_certs }}/ca.crt 
From de94e75549366c5050e44f6af1249324303e928b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 22 Jun 2024 19:32:50 +0000 Subject: [PATCH 303/596] sftpuser: Remove unused role --- roles/sftpuser/defaults/main.yml | 2 -- roles/sftpuser/meta/main.yml | 3 --- roles/sftpuser/tasks/main.yml | 35 -------------------------------- 3 files changed, 40 deletions(-) delete mode 100644 roles/sftpuser/defaults/main.yml delete mode 100644 roles/sftpuser/meta/main.yml delete mode 100644 roles/sftpuser/tasks/main.yml diff --git a/roles/sftpuser/defaults/main.yml b/roles/sftpuser/defaults/main.yml deleted file mode 100644 index 0634078..0000000 --- a/roles/sftpuser/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -sftpuser_chroot: /srv/backup diff --git a/roles/sftpuser/meta/main.yml b/roles/sftpuser/meta/main.yml deleted file mode 100644 index bc03e65..0000000 --- a/roles/sftpuser/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - {role: sshd} diff --git a/roles/sftpuser/tasks/main.yml b/roles/sftpuser/tasks/main.yml deleted file mode 100644 index e6ef7ab..0000000 --- a/roles/sftpuser/tasks/main.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -- name: Create group - ansible.builtin.group: - name: backup - system: true - -- name: Create user - ansible.builtin.user: - name: backup - comment: Service backup - createhome: false - group: backup - home: /var/empty - shell: /sbin/nologin - system: true - -- name: Create authorized_keys - ansible.builtin.copy: - dest: /etc/ssh/authorized_keys.backup - src: ../files/ssh/backup.pub - mode: "0640" - owner: root - group: backup - -- name: Configure sshd chroot - ansible.builtin.blockinfile: - path: /etc/ssh/sshd_config - block: | - Match User backup - ChrootDirectory {{ sftpuser_chroot }} - ForceCommand internal-sftp - AuthorizedKeysFile /etc/ssh/authorized_keys.backup - marker: "# {mark} ANSIBLE MANAGED BLOCK (user backup)" - validate: "sshd -t -f %s" - notify: Restart sshd 
From 71c5229adb5d80ebbb3a1ddc6767c85710c5ff6b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 23 Jun 2024 18:13:42 +0000 Subject: [PATCH 304/596] Re-organize disks for nas hosts --- group_vars/nas.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/nas.yml b/group_vars/nas.yml index 3cb95e1..18f29d9 100644 --- a/group_vars/nas.yml +++ b/group_vars/nas.yml @@ -2,8 +2,8 @@ mem_size: 8192 num_cpus: 2 datadisks: - - {size: 1000} - - {size: 400, type: nvme} + - {size: 500, type: nvme} + - {size: 50, type: nvme} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} From 13e602a76d296cd0f82d58cce1a61be024faebff Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 24 Jun 2024 15:37:16 +0000 Subject: [PATCH 305/596] Update software submodule --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index 2c232f1..56a7d07 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit 2c232f1654ea87f26c2248a1ff18b925f5c96c18 +Subproject commit 56a7d070924ab4e515020a0422653ffc4ab34131 From acf2853223f58e1881a1c72b76a05677f4791428 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 25 Jun 2024 16:13:35 +0000 Subject: [PATCH 306/596] frigate: Don't store plaintext passwords in config --- roles/frigate/tasks/main.yml | 9 +++++++++ roles/frigate/templates/frigate-container.service.j2 | 3 ++- roles/frigate/templates/frigate-container.sysconfig.j2 | 3 +++ roles/frigate/templates/frigate.yml.j2 | 4 ++-- 4 files changed, 16 insertions(+), 3 deletions(-) create mode 100644 roles/frigate/templates/frigate-container.sysconfig.j2 diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml index 7f5e321..a897972 100644 --- a/roles/frigate/tasks/main.yml +++ b/roles/frigate/tasks/main.yml 
@@ -71,6 +71,15 @@ group: "{{ ansible_wheel }}" notify: Restart frigate +- name: Create environment config for service + ansible.builtin.template: + dest: /etc/sysconfig/frigate-container + src: frigate-container.sysconfig.j2 + mode: "0600" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart frigate + - name: Enable service ansible.builtin.service: name: frigate-container diff --git a/roles/frigate/templates/frigate-container.service.j2 b/roles/frigate/templates/frigate-container.service.j2 index edb295e..e835cf6 100644 --- a/roles/frigate/templates/frigate-container.service.j2 +++ b/roles/frigate/templates/frigate-container.service.j2 @@ -5,6 +5,7 @@ After=network-online.target [Service] User=frigate +EnvironmentFile=/etc/sysconfig/frigate-container ExecStart=/usr/bin/podman run \ --rm -p 127.0.0.1:8007:5000 \ --name frigate \ @@ -12,7 +13,7 @@ ExecStart=/usr/bin/podman run \ --volume /etc/frigate.yml:/config/config.yml:ro \ --volume /srv/frigate/media:/media/frigate:rw \ --volume /dev/bus/usb:/dev/bus/usb:rw \ - ghcr.io/blakeblackshear/frigate:{{ frigate_version }} + --env=FRIGATE_* ghcr.io/blakeblackshear/frigate:{{ frigate_version }} ExecStop=/usr/bin/podman stop --ignore frigate ExecStopPost=/usr/bin/podman rm -f --ignore frigate diff --git a/roles/frigate/templates/frigate-container.sysconfig.j2 b/roles/frigate/templates/frigate-container.sysconfig.j2 new file mode 100644 index 0000000..c6b07ef --- /dev/null +++ b/roles/frigate/templates/frigate-container.sysconfig.j2 @@ -0,0 +1,3 @@ +{% for camera in cctv_cameras %} +FRIGATE_{{ camera.name | upper }}_PASS="{{ camera.pass }}" +{% endfor %} diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2 index 7ceb0c7..433dfa0 100644 --- a/roles/frigate/templates/frigate.yml.j2 +++ b/roles/frigate/templates/frigate.yml.j2 
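Review bot: The rendered `FRIGATE_{{ camera.name | upper }}_PASS="{{ camera.pass }}"` line is parsed under systemd's EnvironmentFile= rules, so a password containing `"` or `\` is silently altered or truncated, and a camera name containing anything outside `[A-Za-z0-9_]` yields a variable name systemd will likely reject (confirm against the journal), leaving that camera unable to authenticate with no error in the role. Sanitise the name, e.g. `camera.name | upper | regex_replace('[^A-Z0-9_]', '_')`, and either escape the value or add an assert on both in the tasks file; the same derived name is used in frigate.yml.j2 below, so both templates must apply the identical transform. Moving the credentials into a 0600 root-owned file is a clear improvement; they remain visible to the `frigate` user in the podman process environment, which is acceptable since that user owns the container.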
@@ -23,12 +23,12 @@ cameras: enabled: true ffmpeg: inputs: - - path: "rtsp://viewer:{{ camera.pass }}@{{ camera.addr}}/h264Preview_01_sub" + - path: "rtsp://viewer:{FRIGATE_{{ camera.name | upper }}_PASS}@{{ camera.addr}}/h264Preview_01_sub" input_args: preset-rtsp-restream roles: - detect - rtmp - - path: "rtsp://viewer:{{ camera.pass }}@{{ camera.addr}}/h264Preview_01_main" + - path: "rtsp://viewer:{FRIGATE_{{ camera.name | upper }}_PASS}@{{ camera.addr}}/h264Preview_01_main" input_args: preset-rtsp-restream roles: - record From 9982ee43868acc537ae73ed9c3cbadcf99876843 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 25 Jun 2024 16:56:46 +0000 Subject: [PATCH 307/596] frigate: Enable user lingering --- roles/frigate/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml index a897972..1a8d430 100644 --- a/roles/frigate/tasks/main.yml +++ b/roles/frigate/tasks/main.yml @@ -10,6 +10,14 @@ group: frigate shell: /sbin/nologin +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - frigate + creates: /var/lib/systemd/linger/frigate + - name: Allow podman to use devices ansible.posix.seboolean: name: container_use_devices From a92d72034ee10680d5aef3989ee23ca5db212606 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 26 Jun 2024 14:55:28 +0000 Subject: [PATCH 308/596] Move mirror host to vmhost02 --- group_vars/mirror.yml | 3 +-- host_vars/mirror01.home.foo.sh.yml | 6 ------ host_vars/mirror02.home.foo.sh.yml | 6 ++++++ hosts.yml | 2 +- playbooks/proxy.yml | 2 +- 5 files changed, 9 insertions(+), 10 deletions(-) delete mode 100644 host_vars/mirror01.home.foo.sh.yml create mode 100644 host_vars/mirror02.home.foo.sh.yml diff --git a/group_vars/mirror.yml b/group_vars/mirror.yml index 9515b80..c21d751 100644 --- a/group_vars/mirror.yml +++ b/group_vars/mirror.yml 
@@ -1,7 +1,6 @@ --- - datadisks: - - {size: 1000} + - {size: 1500, type: hdd} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} diff --git a/host_vars/mirror01.home.foo.sh.yml b/host_vars/mirror01.home.foo.sh.yml deleted file mode 100644 index bc25b7a..0000000 --- a/host_vars/mirror01.home.foo.sh.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -vmhost: vmhost01.home.foo.sh -network_interfaces: - - device: eth0 - vlan: 20 - mac: 52:54:00:ac:dc:13 diff --git a/host_vars/mirror02.home.foo.sh.yml b/host_vars/mirror02.home.foo.sh.yml new file mode 100644 index 0000000..d8c639e --- /dev/null +++ b/host_vars/mirror02.home.foo.sh.yml @@ -0,0 +1,6 @@ +--- +vmhost: vmhost02.home.foo.sh +network_interfaces: + - device: eth0 + vlan: 20 + mac: 52:54:00:ac:dc:14 diff --git a/hosts.yml b/hosts.yml index 0102176..0fc2ef0 100644 --- a/hosts.yml +++ b/hosts.yml @@ -62,7 +62,7 @@ minecraft: minecraft01.home.foo.sh: mirror: hosts: - mirror01.home.foo.sh: + mirror02.home.foo.sh: mongodb: hosts: mongodb01.home.foo.sh: diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index daa19be..65ce5e3 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -78,7 +78,7 @@ nginx_site_redirect: https://www.foo.sh/ - role: nginx_site nginx_site_name: mirrors.foo.sh - nginx_site_proxy: https://mirror01.home.foo.sh/ + nginx_site_proxy: https://mirror02.home.foo.sh/ - role: nginx_site nginx_site_name: movies.foo.sh nginx_site_proxy: From 991a129f28d4a482f87437e4f8f15bff9069935b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 26 Jun 2024 15:45:41 +0000 Subject: [PATCH 309/596] Move prometheus host to vmhost01 --- group_vars/prometheus.yml | 2 +- host_vars/prometheus01.home.foo.sh.yml | 6 ++++++ host_vars/prometheus02.home.foo.sh.yml | 6 ------ hosts.yml | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) create mode 100644 host_vars/prometheus01.home.foo.sh.yml delete mode 100644 host_vars/prometheus02.home.foo.sh.yml 
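Review bot: `mac: 52:54:00:ac:dc:14` is left as a plain scalar while the prometheus01 host_vars added in the next commit quote theirs; Ansible's YAML 1.1 loader reads an all-digit MAC such as `52:54:00:12:34:56` as a sexagesimal integer, so the unquoted form is only safe because this address happens to contain letters. Write `mac: "52:54:00:ac:dc:14"` so the convention holds for every address in host_vars.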
diff --git a/group_vars/prometheus.yml b/group_vars/prometheus.yml index e80e98c..be5bea6 100644 --- a/group_vars/prometheus.yml +++ b/group_vars/prometheus.yml @@ -1,6 +1,6 @@ --- datadisks: - - {size: 10, type: nvme} + - {size: 100, type: nvme} firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} diff --git a/host_vars/prometheus01.home.foo.sh.yml b/host_vars/prometheus01.home.foo.sh.yml new file mode 100644 index 0000000..e88cf8b --- /dev/null +++ b/host_vars/prometheus01.home.foo.sh.yml @@ -0,0 +1,6 @@ +--- +vmhost: vmhost01.home.foo.sh +network_interfaces: + - device: eth0 + vlan: 20 + mac: "52:54:00:ac:dc:83" diff --git a/host_vars/prometheus02.home.foo.sh.yml b/host_vars/prometheus02.home.foo.sh.yml deleted file mode 100644 index 6c7cc03..0000000 --- a/host_vars/prometheus02.home.foo.sh.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -vmhost: vmhost02.home.foo.sh -network_interfaces: - - device: eth0 - vlan: 20 - mac: "52:54:00:ac:dc:84" diff --git a/hosts.yml b/hosts.yml index 0fc2ef0..c8efeaf 100644 --- a/hosts.yml +++ b/hosts.yml @@ -96,7 +96,7 @@ print: print01.home.foo.sh: prometheus: hosts: - prometheus02.home.foo.sh: + prometheus01.home.foo.sh: vars: mysqld_exporter_version: "0.15.1" nginx_exporter_version: "1.2.0" From be4f2cfce51d1f5e5c2287903c8c89865b239cf3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 28 Jun 2024 14:30:25 +0000 Subject: [PATCH 310/596] Update rocketchat --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index c8efeaf..48bdd35 100644 --- a/hosts.yml +++ b/hosts.yml @@ -89,7 +89,7 @@ ocinode: oci-node02.home.foo.sh: vars: grafana_version: "11.0.0" - rocketchat_version: "6.9.0" + rocketchat_version: "6.9.3" roundcube_version: "1.6.7" print: hosts: From ed5bc5028b49742c101617a6e65728f4df2e4985 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Fri, 28 Jun 2024 14:30:49 +0000 Subject: [PATCH 311/596] collab: Disable sftp backups --- roles/collab/tasks/main.yml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/roles/collab/tasks/main.yml b/roles/collab/tasks/main.yml index 64c43b9..6de89a0 100644 --- a/roles/collab/tasks/main.yml +++ b/roles/collab/tasks/main.yml @@ -269,15 +269,3 @@ owner: root group: "{{ ansible_wheel }}" notify: Restart apache - -- name: Import sftpuser role - ansible.builtin.import_role: - name: sftpuser - vars: - sftpuser_chroot: /srv/wikis/collab - -- name: Add backup user to collab group - ansible.builtin.user: - name: backup - groups: collab - append: true From 8ad160b0464196033c680b2804d42683df28891c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 28 Jun 2024 15:22:17 +0000 Subject: [PATCH 312/596] nginx_site: Fix certbot virtual host --- roles/nginx_site/templates/site.conf.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 index afc3dae..ecc4f64 100644 --- a/roles/nginx_site/templates/site.conf.j2 +++ b/roles/nginx_site/templates/site.conf.j2 @@ -47,7 +47,9 @@ server { listen 80; listen [::]:80; server_name {{ nginx_site_name }}; -{% if nginx_site_name != 'certbot.home.foo.sh' %} +{% if nginx_site_name == 'certbot.home.foo.sh' and 'proxy' not in groups %} + root /srv/web/{{ nginx_site_name }}; +{% else %} location /.well-known/acme-challenge/ { proxy_pass http://certbot.home.foo.sh/.well-known/acme-challenge/; } @@ -58,8 +60,6 @@ server { return 301 https://$host$request_uri; {% endif %} } -{% else %} - root /srv/web/{{ nginx_site_name }}; {% endif %} } {% endif %} From c7606378f2d4178e392d1221675826dc2a2b95b6 Mon Sep 17 00:00:00 2001 
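Review bot: `'proxy' not in groups` tests whether a group named proxy exists anywhere in the inventory, not whether this host belongs to it, so the condition evaluates the same on every host; with a `proxy` group present in hosts.yml the certbot host itself would never take the `root /srv/web/…` branch and would proxy ACME requests to its own name. If the intent is "serve the files on the certbot host, forward them on the proxy", the per-host test is `{% if nginx_site_name == 'certbot.home.foo.sh' and 'proxy' not in group_names %}` (or a comparison against `inventory_hostname`). The second hunk's removal of the old `{% else %}` branch is consistent with that reordering.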
From: Timo Makinen Date: Fri, 28 Jun 2024 15:22:49 +0000 Subject: [PATCH 313/596] nginx: Fix certbot proxy config --- roles/nginx/templates/nginx.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index 85c6ecc..0a503cc 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -35,7 +35,7 @@ http { server_name {{ inventory_hostname }}; location /.well-known/acme-challenge/ { - proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/; + proxy_pass http://certbot.home.foo.sh/.well-known/acme-challenge/; } location / { return 301 https://$host$request_uri; From 7ac216baf84b2163db36742a0088fa53ce32e419 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 9 Jul 2024 20:35:13 +0000 Subject: [PATCH 314/596] Update software versions --- hosts.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts.yml b/hosts.yml index 48bdd35..75d126c 100644 --- a/hosts.yml +++ b/hosts.yml @@ -36,11 +36,11 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.6" + homeassistant_version: "2024.7" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git - version: v1.0.17 + version: v1.0.18 - name: nordpool repo: https://github.com/custom-components/nordpool.git version: 0.0.14 @@ -88,7 +88,7 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "11.0.0" + grafana_version: "11.1.0" rocketchat_version: "6.9.3" roundcube_version: "1.6.7" print: From d747f3a1508823e2664428a39fc1e4386835f70e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 11 Jul 2024 07:40:44 +0000 Subject: [PATCH 315/596] thinlinc_mirror: Print changelog after download --- roles/thinlinc_mirror/files/sync-thinlinc-repo.sh | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/roles/thinlinc_mirror/files/sync-thinlinc-repo.sh b/roles/thinlinc_mirror/files/sync-thinlinc-repo.sh index fc0d3d2..f510f8f 100755 --- a/roles/thinlinc_mirror/files/sync-thinlinc-repo.sh +++ b/roles/thinlinc_mirror/files/sync-thinlinc-repo.sh @@ -47,4 +47,6 @@ if [ ! -f "${REPODIR}/${PKGNAME}" ]; then echo "Updating repository metadata:" createrepo_c "${REPODIR}" echo "" + + unzip -p "$tmpfile" "*release-notes-*.txt" fi From 78485bc490529e5a7f21cfee4b3bdc8896a8b2dd Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 27 Aug 2024 15:56:52 +0000 Subject: [PATCH 316/596] Change OpenBSD mirror source --- playbooks/mirror.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/mirror.yml b/playbooks/mirror.yml index d363ba8..8be9d04 100644 --- a/playbooks/mirror.yml +++ b/playbooks/mirror.yml @@ -65,7 +65,7 @@ mirror_postcmd: python3 /usr/local/bin/report_mirror - role: mirror/sync mirror_label: openbsd - mirror_source: "rsync://mirror.planetunix.net/OpenBSD/" + mirror_source: "rsync://ftp.nluug.nl/openbsd/" mirror_rsyncoptions: - "--include=/?.?/" - "--include=/?.?/amd64/" From 884e276aae9e32d2e88d28e88b341870e81640b5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 9 Sep 2024 19:49:15 +0000 Subject: [PATCH 317/596] Update software versions --- hosts.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/hosts.yml b/hosts.yml index 75d126c..1fbbf09 100644 --- a/hosts.yml +++ b/hosts.yml @@ -36,11 +36,11 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.7" + homeassistant_version: "2024.9" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git - version: v1.0.18 + version: v1.0.19 - name: nordpool repo: https://github.com/custom-components/nordpool.git version: 0.0.14 
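Review bot: `unzip -p "$tmpfile" "*release-notes-*.txt"` exits non-zero (status 11) when no archive member matches, so if this script runs under `set -e` (its header is outside the hunk) a release without that file would abort the run right after `createrepo_c` regenerated the metadata, and the cron mail would read as a failed sync. Treat the notes as best-effort: `unzip -p "$tmpfile" "*release-notes-*.txt" || echo "WARN: no release notes found in ${PKGNAME}" 1>&2`. The enclosing `if [ ! -f "${REPODIR}/${PKGNAME}" ]` block begins above the hunk.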
@@ -88,9 +88,9 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "11.1.0" - rocketchat_version: "6.9.3" - roundcube_version: "1.6.7" + grafana_version: "11.2.0" + rocketchat_version: "6.12.0" + roundcube_version: "1.6.9" print: hosts: print01.home.foo.sh: @@ -99,7 +99,7 @@ prometheus: prometheus01.home.foo.sh: vars: mysqld_exporter_version: "0.15.1" - nginx_exporter_version: "1.2.0" + nginx_exporter_version: "1.3.0" proxy: hosts: proxy01.home.foo.sh: From 264594636f279bd11fd8ecf221c48727510bc335 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 10 Sep 2024 20:10:13 +0000 Subject: [PATCH 318/596] frigate: Update to 0.14.1 version --- hosts.yml | 2 +- roles/frigate/templates/frigate.yml.j2 | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/hosts.yml b/hosts.yml index 1fbbf09..8794ec5 100644 --- a/hosts.yml +++ b/hosts.yml @@ -17,7 +17,7 @@ frigate: hosts: frigate02.home.foo.sh: vars: - frigate_version: "0.13.2" + frigate_version: "0.14.1" fsolgw: hosts: fsol-gw01.home.foo.sh: diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2 index 433dfa0..7f98235 100644 --- a/roles/frigate/templates/frigate.yml.j2 +++ b/roles/frigate/templates/frigate.yml.j2 @@ -27,7 +27,6 @@ cameras: input_args: preset-rtsp-restream roles: - detect - - rtmp - path: "rtsp://viewer:{FRIGATE_{{ camera.name | upper }}_PASS}@{{ camera.addr}}/h264Preview_01_main" input_args: preset-rtsp-restream roles: From c4db933785959563120a1428a208f8ee1b6c20f9 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 11 Sep 2024 07:36:47 +0000 Subject: [PATCH 319/596] node_exporter: Fix model name for nvme disks --- roles/node_exporter/files/smartmon.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/node_exporter/files/smartmon.sh b/roles/node_exporter/files/smartmon.sh index c20a850..4cefec5 100755 --- a/roles/node_exporter/files/smartmon.sh +++ b/roles/node_exporter/files/smartmon.sh 
@@ -116,7 +116,7 @@ parse_smartctl_info() { info_value="$(echo "${line}" | cut -f2- -d: | sed 's/^ \+//g' | sed 's/"/\\"/')" case "${info_type}" in Model_Family) model_family="${info_value}" ;; - Device_Model) device_model="${info_value}" ;; + Device_Model|Model_Number) device_model="${info_value}" ;; Serial_Number|Serial_number) serial_number="${info_value}" ;; Firmware_Version) fw_version="${info_value}" ;; Vendor) vendor="${info_value}" ;; From 7643d02c5e96bfae34c785a7daa967a58a0ff828 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 28 Sep 2024 15:02:42 +0000 Subject: [PATCH 320/596] homeassistant: Enable ha user lingering --- roles/homeassistant/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index 2a510a0..1f1c11a 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml @@ -10,6 +10,14 @@ group: ha shell: /sbin/nologin +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - ha + creates: /var/lib/systemd/linger/ha + - name: Install dependencies ansible.builtin.package: name: "{{ item }}" From bd8ae569f264fdc6d869d1a5acb717c4506bd0d3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 28 Sep 2024 15:03:01 +0000 Subject: [PATCH 321/596] Remove nordpool plugin from homeassistant --- hosts.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/hosts.yml b/hosts.yml index 8794ec5..26a3f1b 100644 --- a/hosts.yml +++ b/hosts.yml @@ -41,9 +41,6 @@ homeassistant: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git version: v1.0.19 - - name: nordpool - repo: https://github.com/custom-components/nordpool.git - version: 0.0.14 influxdb: hosts: influxdb01.home.foo.sh: From f8cbdb29a14d1d9ee89ae7e9e2fa054851bd24a7 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Tue, 8 Oct 2024 19:09:03 +0000 Subject: [PATCH 322/596] Update changed dynamic ip addresses --- group_vars/ns.yml | 2 +- group_vars/shell.yml | 2 +- roles/pf/files/pf.conf.gw_home | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/ns.yml b/group_vars/ns.yml index 79a23ca..d22952f 100644 --- a/group_vars/ns.yml +++ b/group_vars/ns.yml @@ -1,6 +1,6 @@ --- firewall_in: - - {proto: tcp, port: 22, from: [172.20.20.0/22, 62.78.229.29/32]} + - {proto: tcp, port: 22, from: [172.20.20.0/22, 62.78.229.26/32]} - {proto: tcp, port: 53} - {proto: udp, port: 53} - {proto: tcp, port: 80} diff --git a/group_vars/shell.yml b/group_vars/shell.yml index 202b4dc..55e4a34 100644 --- a/group_vars/shell.yml +++ b/group_vars/shell.yml @@ -9,7 +9,7 @@ firewall_in: - {proto: tcp, port: 22} - {proto: tcp, port: 80} - {proto: tcp, port: 443} - - {proto: tcp, port: 9100, from: [62.78.229.29/32]} + - {proto: tcp, port: 9100, from: [62.78.229.26/32]} ssh_hostnames: - shell.foo.sh diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/files/pf.conf.gw_home index 42dbe63..8a91465 100644 --- a/roles/pf/files/pf.conf.gw_home +++ b/roles/pf/files/pf.conf.gw_home @@ -43,7 +43,7 @@ antispoof for vio1 pass in quick on $int_if proto tcp from $int_net to self port ssh pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh -pass in quick on $ext_if proto tcp from 89.166.9.218/32 to self port ssh +pass in quick on $ext_if proto tcp from 62.78.229.19/32 to self port ssh # node_exporter from internal network pass in quick on $int_if proto tcp from $int_net to self port 9100 From 8cef5964ba668161d93a4b8d95ce17cb7fa8e59e Mon Sep 17 00:00:00 2001 
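Review bot: The commit title says these are dynamic addresses, yet they are hard-coded into the SSH allow rule `pass in quick on $ext_if proto tcp from 62.78.229.19/32 to self port ssh`, so once the ISP reassigns the address whoever receives it is allowed until the next manual commit, and the three files disagree (`.26` in `group_vars/ns.yml` and `group_vars/shell.yml`, `.19` here) so there is no single place that is guaranteed to be current. A pf `table <admin_src> persist` refreshed from a DDNS name (or at least one `admin_source_ip` variable in group_vars rendered into all three files) would keep them in sync and bound the exposure window. Since the rule only narrows reachability, it is worth a comment stating that SSH on these hosts still relies on key/certificate-only authentication rather than on this allow list.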
From: Timo Makinen Date: Fri, 11 Oct 2024 15:24:54 +0000 Subject: [PATCH 323/596] Update OpenBSD installs to 7.6 --- group_vars/openbsd.yml | 2 +- playbooks/dna-gw.yml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/group_vars/openbsd.yml b/group_vars/openbsd.yml index 51337c9..d1da74f 100644 --- a/group_vars/openbsd.yml +++ b/group_vars/openbsd.yml @@ -17,5 +17,5 @@ num_cpus: 2 # extra args for virt-install virt_install_os_args: --cdrom {{ boot_url }}/openbsd/openbsd.iso -virt_install_os_variant: openbsd7.0 +virt_install_os_variant: openbsd7.4 virt_install_python_cmd: pkg_add python3 -I -x diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 360d7be..8663ef0 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -70,8 +70,8 @@ - name: Create tftp pxeboot loader for OpenBSD installs ansible.builtin.get_url: - url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.5/amd64/pxeboot" - checksum: sha1:187d24bc9fddf2b032540017cec375051fc65afc + url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.6/amd64/pxeboot" + checksum: sha1:c696836c1e6cc67c6c31f6ceb5daaaa4ec0632b7 dest: /srv/tftpboot/pxeboot mode: "0644" owner: root @@ -79,8 +79,8 @@ - name: Create tftp ramdisk for OpenBSD installs ansible.builtin.get_url: - url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.5/amd64/bsd.rd" - checksum: sha1:4362ec59d407f369be4840002cbc6942015afd8c + url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.6/amd64/bsd.rd" + checksum: sha1:f690655c768ec9ef208188921ac53634a9233aca dest: /srv/tftpboot/bsd.rd mode: "0644" owner: root From 84f85491457831626fd9d629fd12454dd3901470 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 11 Oct 2024 15:37:00 +0000 Subject: [PATCH 324/596] Fix python install for OpenBSD --- group_vars/openbsd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/openbsd.yml b/group_vars/openbsd.yml index d1da74f..2695e29 100644 --- a/group_vars/openbsd.yml +++ b/group_vars/openbsd.yml 
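Review bot: Both `get_url` tasks pin the 7.6 `pxeboot` and `bsd.rd` with `checksum: sha1:...`, which is a hash presumably computed from the same HTTPS download it is meant to verify and uses an algorithm the project no longer publishes. OpenBSD provides `SHA256` and a signify-signed `SHA256.sig` in the same directory, so taking the value from the signed file and writing `checksum: sha256:<value from SHA256.sig>` ties the pin to the release signature rather than to whatever the mirror served at the time. A one-line comment above each task recording where the digest came from would make the next release bump reviewable. Separately, `virt_install_os_variant` is raised only to `openbsd7.4` while the installs are 7.6 — fine if the local osinfo-db lacks a 7.6 entry, but worth a comment so it is not read as a typo.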
@@ -18,4 +18,4 @@ num_cpus: 2 # extra args for virt-install virt_install_os_args: --cdrom {{ boot_url }}/openbsd/openbsd.iso virt_install_os_variant: openbsd7.4 -virt_install_python_cmd: pkg_add python3 -I -x +virt_install_python_cmd: pkg_add -I -x python From 119ecd3e0a7df6176a32808ce594deba827f8898 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Oct 2024 15:19:48 +0000 Subject: [PATCH 325/596] Spinning disks only on vmhost02 --- playbooks/vmhost.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/vmhost.yml b/playbooks/vmhost.yml index f01b865..9572856 100644 --- a/playbooks/vmhost.yml +++ b/playbooks/vmhost.yml @@ -17,6 +17,7 @@ passno: "0" dump: "0" state: mounted + when: inventory_hostname == "vmhost02.home.foo.sh" - name: Mount /export/libvirt/nvme ansible.posix.mount: name: /export/libvirt/nvme From e9c9f0a47caa27b650e27097ca95f5a1e71c2451 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Oct 2024 15:20:19 +0000 Subject: [PATCH 326/596] Add iot interface to homeassistant hosts --- host_vars/homeassistant01.home.foo.sh.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/host_vars/homeassistant01.home.foo.sh.yml b/host_vars/homeassistant01.home.foo.sh.yml index f5803cf..922e502 100644 --- a/host_vars/homeassistant01.home.foo.sh.yml +++ b/host_vars/homeassistant01.home.foo.sh.yml @@ -5,6 +5,8 @@ network_interfaces: vlan: 20 mac: 52:54:00:ac:dc:73 - device: eth1 + vlan: 27 + - device: eth2 vlan: 30 virt_install_devices: - 001.002 From b5224f77331856c7cc5a16cd8e2f74bb251f568b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Oct 2024 16:46:22 +0000 Subject: [PATCH 327/596] Add ipv6 address to gateway hosts --- group_vars/fsolgw.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/fsolgw.yml b/group_vars/fsolgw.yml index fc3b312..f45c486 100644 --- a/group_vars/fsolgw.yml +++ b/group_vars/fsolgw.yml 
@@ -4,6 +4,8 @@ network_vip_interfaces: vhid: 145 ipaddr: 37.16.96.145 netmask: 255.255.255.240 + ip6addr: 2a00:4cc1:6:1006::1 + ip6netmask: 64 pass: "{{ vip145_pass }}" network_dns_servers: [172.20.20.10, 172.20.21.1, 172.20.21.2] From 13840dd12ae525460bc5a0077553535ce476b715 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Oct 2024 17:02:49 +0000 Subject: [PATCH 328/596] dhcpd: Fix leases file for OpenBSD 7.6 --- roles/dhcpd/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/dhcpd/tasks/main.yml b/roles/dhcpd/tasks/main.yml index 4b81ae3..8722f27 100644 --- a/roles/dhcpd/tasks/main.yml +++ b/roles/dhcpd/tasks/main.yml @@ -19,7 +19,7 @@ - name: Create leases file ansible.builtin.copy: - dest: /var/db/isc-dhcpd/dhcpd.leases + dest: /var/db/isc-dhcp/dhcpd.leases content: "" mode: "0644" owner: _isc-dhcp @@ -32,4 +32,4 @@ name: "{{ dhcpd_service }}" state: started enabled: true - arguments: "-lf /var/db/isc-dhcpd/dhcpd.leases -user _isc-dhcp -group _isc-dhcp vio0" + arguments: "-user _isc-dhcp -group _isc-dhcp vio0" From 58bde398c0aeb093c1abee9c220b7c0cecd5ee7c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Oct 2024 18:09:09 +0000 Subject: [PATCH 329/596] unbound: Use Google as external resolver --- .../unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 | 7 ++++++- .../unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 | 7 ++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 index 97db90b..4fb2134 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 
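Review bot: The "Create leases file" task uses `ansible.builtin.copy` with `content: ""` to the new `dest: /var/db/isc-dhcp/dhcpd.leases`, and `copy` replaces the destination whenever its content differs, so any play run after dhcpd has written leases will truncate the live leases database. Add `force: false` to the task so it only seeds the file when it is missing, which is what the task name implies. The old `/var/db/isc-dhcpd/dhcpd.leases` is also left behind on upgraded hosts; a `state: absent` task (or a one-time move) would avoid a stale copy lingering with `0644` permissions. Dropping `-lf` from `arguments` is consistent with the new default path.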
@@ -8,7 +8,7 @@ server: tls-service-key: {{ tls_private }}/dns.home.foo.sh.key tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt - tls-cert-bundle: {{ tls_certs }}/ca.crt + tls-cert-bundle: {{ tls_bundle }} access-control: 127.0.0.0/8 allow access-control: ::1 allow @@ -26,6 +26,11 @@ remote-control: control-enable: yes control-interface: /var/run/unbound.sock +forward-zone: + name: "." + forward-tls-upstream: yes + forward-addr: 8.8.8.8@853#dns.google + {% for zone in unbound_zones %} auth-zone: name: "{{ zone }}" diff --git a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 index 59d99d8..22e579c 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 @@ -8,7 +8,7 @@ server: tls-service-key: {{ tls_private }}/dns.home.foo.sh.key tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt - tls-cert-bundle: {{ tls_certs }}/ca.crt + tls-cert-bundle: {{ tls_bundle }} access-control: 127.0.0.0/8 allow access-control: ::1 allow @@ -26,6 +26,11 @@ remote-control: control-enable: yes control-interface: /var/run/unbound.sock +forward-zone: + name: "." + forward-tls-upstream: yes + forward-addr: 8.8.8.8@853#dns.google + {% for zone in unbound_zones %} auth-zone: name: "{{ zone }}" From aaeae7002a1470c56b8c83af8bda8601698aa81f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Oct 2024 18:57:26 +0000 Subject: [PATCH 330/596] Add ssh public host keys to vmhosts --- playbooks/vmhost.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/vmhost.yml b/playbooks/vmhost.yml index 9572856..3d545f9 100644 --- a/playbooks/vmhost.yml +++ b/playbooks/vmhost.yml @@ -50,3 +50,4 @@ roles: - base - kvm_host + - ssh_known_hosts From 4b27e6c3165159936b248f6a7bb2229a022b7664 Mon Sep 17 00:00:00 2001 
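Review bot: The new `forward-zone` for `"."` lists a single `forward-addr: 8.8.8.8@853#dns.google`, so the whole home resolver fails as soon as that one endpoint or its TLS handshake is unavailable; add `forward-addr: 8.8.4.4@853#dns.google` (and the IPv6 addresses if v6 is routed on the gateways) so unbound can fail over. The DoT authentication now depends on `tls-cert-bundle: {{ tls_bundle }}` containing the public CA chain that issued the dns.google certificate — with the previous private `ca.crt` validation would fail closed with SERVFAIL — so confirm `tls_bundle` resolves to the system bundle (`/etc/ssl/cert.pem` on OpenBSD) and say so in a comment above the zone. A short comment noting that every non-`auth-zone` query now leaves the network to Google would also document the privacy trade-off this commit makes.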
From: Timo Makinen Date: Sat, 12 Oct 2024 19:42:38 +0000 Subject: [PATCH 331/596] ifstated: Fix dna-gw config for OpenBSD 7.6 --- roles/ifstated/templates/ifstated-dna.conf.j2 | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/roles/ifstated/templates/ifstated-dna.conf.j2 b/roles/ifstated/templates/ifstated-dna.conf.j2 index 7fcbd5f..ed794f3 100644 --- a/roles/ifstated/templates/ifstated-dna.conf.j2 +++ b/roles/ifstated/templates/ifstated-dna.conf.j2 @@ -17,10 +17,9 @@ state master { init { # spoof mac to keep dhcp lease in sync with both gw's run "/sbin/ifconfig vio1 lladdr {{ gw_home_mac }} up" - # flush routes and run dhclient and dhcpcd + # flush routes and renew lease run "/sbin/route -qn flush" - run "/sbin/dhclient vio1" - #run "/sbin/rcctl restart dhcpcd > /dev/null" + run "/usr/sbin/dhcpleasectl vio1" # reset firewall rules run "sleep 5 ; pfctl -f /etc/pf.conf" } @@ -31,8 +30,6 @@ state master { state backup { init { - # kill dhclient (TODO: better command for this) - run "pkill -9 dhclient" # bring down interface and reset mac run "/sbin/ifconfig vio1 delete lladdr {{ gw_home_mac }} down" # flush routes and fix default route From e617040bfd33f10dc315c3de9cf2f9dcd7a05cff Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Oct 2024 19:43:37 +0000 Subject: [PATCH 332/596] Fix dhcp client configs for OpenBSD 7.6 --- playbooks/dna-gw.yml | 7 +++++-- playbooks/fsol-gw.yml | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 8663ef0..71ef499 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -25,8 +25,11 @@ tasks: - name: Use configured dns servers and domain name ansible.builtin.copy: - dest: /etc/dhclient.conf - content: "ignore domain-name-servers, domain-name;\n" + dest: /etc/dhcpleased.conf + content: | + interface vio1 { + ignore dns + } mode: "0644" owner: root group: "{{ ansible_wheel }}" 
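Review bot: The master-state init still reloads the firewall with `run "sleep 5 ; pfctl -f /etc/pf.conf"`, a fixed delay that races the lease acquisition now started by `run "/usr/sbin/dhcpleasectl vio1"`; if the lease takes longer than five seconds the rules are loaded against a stale address. dhcpleasectl(8) has a `-w maxwait` option that blocks until the interface has a bound lease, so `run "/usr/sbin/dhcpleasectl -w 10 vio1"` followed by a plain `run "pfctl -f /etc/pf.conf"` makes the ordering deterministic. The `state master` and `state backup` blocks both start outside the hunk, so the interaction with the backup-state teardown is not fully visible here.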
diff --git a/playbooks/fsol-gw.yml b/playbooks/fsol-gw.yml index 1d11432..1dd8747 100644 --- a/playbooks/fsol-gw.yml +++ b/playbooks/fsol-gw.yml @@ -30,8 +30,11 @@ - net.inet6.ip6.forwarding - name: Manually set DNS servers ansible.builtin.copy: - dest: /etc/dhclient.conf - content: "ignore domain-name-servers, domain-name;\n" + dest: /etc/dhcpleased.conf + content: | + interface vio2 { + ignore dns + } mode: "0644" owner: root group: "{{ ansible_wheel }}" From 4eddc7498c450d1eea466a9c2b20f18cf1e2ee48 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Oct 2024 20:19:55 +0000 Subject: [PATCH 333/596] Remove ssd storage from vmhost01 --- playbooks/vmhost.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/playbooks/vmhost.yml b/playbooks/vmhost.yml index 3d545f9..3869f1c 100644 --- a/playbooks/vmhost.yml +++ b/playbooks/vmhost.yml @@ -36,16 +36,6 @@ passno: "0" dump: "0" state: mounted - - name: Mount /export/libvirt/ssd - ansible.posix.mount: - name: /export/libvirt/ssd - src: LABEL=ssd - fstype: xfs - opts: noatime,noexec,nosuid,nodev - passno: "0" - dump: "0" - state: mounted - when: inventory_hostname == "vmhost01.home.foo.sh" roles: - base From 04be788c0908e7d76a6135280514e738b0b04e95 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 12 Oct 2024 20:23:41 +0000 Subject: [PATCH 334/596] Add more memory to frigate hosts --- group_vars/frigate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/frigate.yml b/group_vars/frigate.yml index 7a7df80..8111625 100644 --- a/group_vars/frigate.yml +++ b/group_vars/frigate.yml @@ -1,5 +1,5 @@ --- -mem_size: 4096 +mem_size: 8192 num_cpus: 2 datadisks: - {size: 500} From 68114937c665668a80c987b89b05fcb3954950e5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 13 Oct 2024 15:27:34 +0000 Subject: [PATCH 335/596] Update software versions --- hosts.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
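Review bot: The task now writes `/etc/dhcpleased.conf` but nothing in the hunk removes the old `/etc/dhclient.conf` or reloads dhcpleased, so upgraded gateways keep a stale config file and keep running with the pre-change lease settings until the next reboot. Add a `ansible.builtin.file: path: /etc/dhclient.conf, state: absent` task and a `notify: Restart dhcpleased` on this copy (the handler may exist outside the hunk, I cannot see it). The interface name `vio2` is hard-coded in the block scalar while the dna-gw playbook uses `vio1`; if the external interface is already a variable elsewhere in these playbooks, rendering it here would keep the two configs from drifting.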
diff --git a/hosts.yml b/hosts.yml index 26a3f1b..ef41725 100644 --- a/hosts.yml +++ b/hosts.yml @@ -36,7 +36,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.9" + homeassistant_version: "2024.10" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git @@ -85,8 +85,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "11.2.0" - rocketchat_version: "6.12.0" + grafana_version: "11.2.2" + rocketchat_version: "6.13.0" roundcube_version: "1.6.9" print: hosts: From b0ca80f4c2fc5ffe19b1e6c734ff11784e7393b5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 14 Oct 2024 22:10:02 +0000 Subject: [PATCH 336/596] Update homeassistant electorlux status plugin --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index ef41725..3d1c998 100644 --- a/hosts.yml +++ b/hosts.yml @@ -40,7 +40,7 @@ homeassistant: homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git - version: v1.0.19 + version: v2.0.0 influxdb: hosts: influxdb01.home.foo.sh: From b16dcb832951f837db9190867049d2ec6c0d9612 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Oct 2024 17:08:09 +0000 Subject: [PATCH 337/596] nginx_site: Fix certbot proxy --- roles/nginx_site/templates/site.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 index ecc4f64..a967023 100644 --- a/roles/nginx_site/templates/site.conf.j2 +++ b/roles/nginx_site/templates/site.conf.j2 
@@ -51,7 +51,7 @@ server { root /srv/web/{{ nginx_site_name }}; {% else %} location /.well-known/acme-challenge/ { - proxy_pass http://certbot.home.foo.sh/.well-known/acme-challenge/; + proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/; } location / { {% if nginx_site_redirect is defined %} From 0a0d966d084f09671fb4e2e245d7b9deb5e662df Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Oct 2024 17:09:14 +0000 Subject: [PATCH 338/596] certbot: Change certbot user UID/GID --- roles/certbot/tasks/main.yml | 4 ++-- users.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index 2680da5..189b36b 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -7,7 +7,7 @@ - name: Create certbot group ansible.builtin.group: name: certbot - gid: 1002 + gid: 307 - name: Create certbot user ansible.builtin.user: @@ -17,7 +17,7 @@ group: certbot home: /var/empty shell: /sbin/nologin - uid: 1002 + uid: 307 - name: Add certbot nginx site ansible.builtin.include_role: diff --git a/users.md b/users.md index c6f02a5..1854978 100644 --- a/users.md +++ b/users.md @@ -13,7 +13,7 @@ entry empty. If only a group is created, leave the user entry empty. | 305 | prometheus | prometheus | | | 306 | backup | backup | | | 307 | minecraft | minecraft | | +| 308 | certbot | certbot | | | 1001 | mirror | mirror | | -| 1002 | certbot | certbot | | | 1003 | collab | collab | | | 1004 | docker | docker | docker registry | From 78319d29b54ba50a670467bf7ac91f2973f1a0b7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Oct 2024 18:24:16 +0000 Subject: [PATCH 339/596] frigate: Increase shm size --- roles/frigate/templates/frigate-container.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/frigate/templates/frigate-container.service.j2 b/roles/frigate/templates/frigate-container.service.j2 index e835cf6..3d5a507 100644 
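Review bot: Switching `proxy_pass` to `https://certbot.home.foo.sh/...` does not authenticate the upstream, because nginx defaults to `proxy_ssl_verify off`, so a host on the internal network that can answer for that name can serve ACME challenge responses and obtain certificates for every site fronted by this template. Turn verification on and pin the expected name; the `tls_bundle` variable used by the unbound and rsyslog templates in this repo looks like the right trust anchor, but confirm it covers the CA that issued the certbot host certificate. The `location /` block that follows starts outside the changed lines.

```nginx
location /.well-known/acme-challenge/ {
    proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/;
    proxy_ssl_server_name on;
    proxy_ssl_name certbot.home.foo.sh;
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate {{ tls_bundle }};
}
```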
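Review bot: The certbot group and user are moved to `gid: 307` / `uid: 307`, but the `users.md` table in the same commit already lists 307 as `minecraft` and records certbot as 308, so the role now collides with an allocated ID on any host that runs both; the task lines should read `gid: 308` and `uid: 308` to match the table. Changing a UID with `ansible.builtin.user` does not re-own files created under the old 1002, so any existing webroot or state directory owned by certbot needs an explicit `owner: certbot` (with `recurse: true`) task or a one-time chown, otherwise the service loses access to its own files after the play. A comment above the group task pointing at `users.md` as the allocation source would prevent the next mismatch.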
--- a/roles/frigate/templates/frigate-container.service.j2 +++ b/roles/frigate/templates/frigate-container.service.j2 @@ -13,6 +13,7 @@ ExecStart=/usr/bin/podman run \ --volume /etc/frigate.yml:/config/config.yml:ro \ --volume /srv/frigate/media:/media/frigate:rw \ --volume /dev/bus/usb:/dev/bus/usb:rw \ + --shm-size 1024M \ --env=FRIGATE_* ghcr.io/blakeblackshear/frigate:{{ frigate_version }} ExecStop=/usr/bin/podman stop --ignore frigate ExecStopPost=/usr/bin/podman rm -f --ignore frigate From 5865d0da5c450b54c91fabf8fb96011604d674c4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Oct 2024 18:24:34 +0000 Subject: [PATCH 340/596] frigate: Split data into two disks (hdd + nvme) --- group_vars/frigate.yml | 3 ++- playbooks/frigate.yml | 15 +++++++++------ roles/frigate/tasks/main.yml | 10 +++++++++- 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/group_vars/frigate.yml b/group_vars/frigate.yml index 8111625..48bed7f 100644 --- a/group_vars/frigate.yml +++ b/group_vars/frigate.yml @@ -2,7 +2,8 @@ mem_size: 8192 num_cpus: 2 datadisks: - - {size: 500} + - {size: 50, type: nvme} + - {size: 500, type: hdd} network_vip_interfaces: - device: eth1 diff --git a/playbooks/frigate.yml b/playbooks/frigate.yml index 2b37b1c..83bc482 100644 --- a/playbooks/frigate.yml +++ b/playbooks/frigate.yml @@ -13,15 +13,18 @@ - "{{ ansible_private }}/vars.yml" pre_tasks: - - name: Mount /export + - name: Mount datadirectories ansible.posix.mount: - name: /export - src: LABEL=/export + name: "/export/frigate/{{ item }}" + src: "LABEL={{ item }}" fstype: xfs opts: noatime,noexec,nosuid,nodev passno: "0" dump: "0" state: mounted + with_items: + - config + - media roles: - base 
@@ -32,13 +35,13 @@ keytab_group: apache tasks: - - name: Run handlers to get interfaces configured - ansible.builtin.meta: flush_handlers - - name: Include unbound role ansible.builtin.import_role: name: unbound + - name: Run handlers to get interfaces configured + ansible.builtin.meta: flush_handlers + - name: Include dhcpd role ansible.builtin.include_role: name: dhcpd diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml index 1a8d430..a52e7d2 100644 --- a/roles/frigate/tasks/main.yml +++ b/roles/frigate/tasks/main.yml @@ -48,6 +48,15 @@ setype: container_file_t when: ansible_selinux_python_present +- name: Create base directory + ansible.builtin.file: + path: /export/frigate + state: directory + mode: "0755" + owner: root + group: root + setype: _default + - name: Create data directories ansible.builtin.file: path: "{{ item }}" @@ -57,7 +66,6 @@ group: frigate setype: _default with_items: - - /export/frigate - /export/frigate/config - /export/frigate/media From 4f408bac9d119bd8fa5569a54709c614997332ca Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 21 Oct 2024 05:17:12 +0000 Subject: [PATCH 341/596] mongodb: Fix removing old backups --- roles/mongodb/templates/mongodb-backup.sh.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/mongodb/templates/mongodb-backup.sh.j2 b/roles/mongodb/templates/mongodb-backup.sh.j2 index 2cca05a..fc415e8 100755 --- a/roles/mongodb/templates/mongodb-backup.sh.j2 +++ b/roles/mongodb/templates/mongodb-backup.sh.j2 @@ -8,9 +8,9 @@ DESTDIR="/srv/backup" DATE="$(date +%Y-%m-%d)" cd "$DESTDIR" -find . -xdev -mindepth 2 -maxdepth 2 -type f -mtime +30 \ +find . -xdev -mindepth 3 -maxdepth 3 -type f -mtime +30 \ -execdir rm -f -- {} \; -find . -xdev -depth -mindepth 1 -maxdepth 1 -type d -empty \ +find . -xdev -depth -mindepth 1 -maxdepth 2 -type d -empty \ -execdir rmdir -- {} \; mkdir -m 2750 "$DATE" From 2a4af75d53c63f72b01e9547cdaeb23440f19513 Mon Sep 17 00:00:00 2001 
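Review bot: The depth fix hard-codes the backup layout (`-mindepth 3 -maxdepth 3` for files, `-maxdepth 2` for directories) without saying what the levels are, so the next layout change will break pruning silently again; a comment such as `# layout: <db>/<date>/<dump>, prune files older than 30 days then empty dirs` above the first find would make the numbers checkable. The two invocations can also be simplified to `find . -xdev -mindepth 3 -maxdepth 3 -type f -mtime +30 -delete` and `find . -xdev -mindepth 1 -maxdepth 2 -type d -empty -delete`, which avoids forking `rm`/`rmdir` per entry and implies `-depth`. The preceding `cd "$DESTDIR"` has no `|| exit`, so unless the script sets `-e` above the hunk a failed cd would run the prune in whatever the current directory is.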
From: Timo Makinen Date: Fri, 15 Nov 2024 17:58:47 +0000 Subject: [PATCH 342/596] mysqld_exporter: Restart service after update --- roles/mysqld_exporter/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mysqld_exporter/tasks/main.yml b/roles/mysqld_exporter/tasks/main.yml index 1c08cf4..d8722d1 100644 --- a/roles/mysqld_exporter/tasks/main.yml +++ b/roles/mysqld_exporter/tasks/main.yml @@ -44,6 +44,7 @@ owner: root group: "{{ ansible_wheel }}" remote_src: true + notify: Restart mysqld_exporter - name: Create config directory ansible.builtin.file: From ff42297fad11dc2856d90863e31851c542eee266 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 15 Nov 2024 17:59:16 +0000 Subject: [PATCH 343/596] rocketchat: No alpine version of 7.0.0 and newer --- roles/rocketchat/templates/rocketchat-container.service.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/rocketchat/templates/rocketchat-container.service.j2 b/roles/rocketchat/templates/rocketchat-container.service.j2 index acbb866..16f511a 100644 --- a/roles/rocketchat/templates/rocketchat-container.service.j2 +++ b/roles/rocketchat/templates/rocketchat-container.service.j2 
@@ -6,14 +6,14 @@ After=network-online.target [Service] User=rocketchat EnvironmentFile=/etc/sysconfig/rocketchat-container -ExecStartPre=/usr/bin/podman pull docker.io/rocketchat/rocket.chat:{{ rocketchat_version }}-alpine +ExecStartPre=/usr/bin/podman pull docker.io/rocketchat/rocket.chat:{{ rocketchat_version }} ExecStart=/usr/bin/podman run \ --rm -p 127.0.0.1:8008:3000 \ --name rocketchat \ --volume={{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \ --volume={{ tls_private }}/rocketchat.pem:/etc/ssl/private/rocketchat.pem:ro \ --env ROOT_URL --env MONGO_URL --env MONGO_OPLOG_URL \ - docker.io/rocketchat/rocket.chat:{{ rocketchat_version }}-alpine + docker.io/rocketchat/rocket.chat:{{ rocketchat_version }} ExecStop=/usr/bin/podman stop --ignore rocketchat ExecStopPost=/usr/bin/podman rm -f --ignore rocketchat From 76c7a2a5114e19fde6cdba852ffe3dd63eaf5592 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 15 Nov 2024 18:00:53 +0000 Subject: [PATCH 344/596] Update software versions --- hosts.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/hosts.yml b/hosts.yml index 3d1c998..59f1046 100644 --- a/hosts.yml +++ b/hosts.yml @@ -36,11 +36,11 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.10" + homeassistant_version: "2024.11" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git - version: v2.0.0 + version: v2.0.9 influxdb: hosts: influxdb01.home.foo.sh: @@ -85,8 +85,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "11.2.2" - rocketchat_version: "6.13.0" + grafana_version: "11.3.0" + rocketchat_version: "7.0.0" roundcube_version: "1.6.9" print: hosts: @@ -95,7 +95,7 @@ prometheus: hosts: prometheus01.home.foo.sh: vars: - mysqld_exporter_version: "0.15.1" + mysqld_exporter_version: "0.16.0" nginx_exporter_version: "1.3.0" proxy: hosts: 
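Review bot: Both the `ExecStartPre` pull and the `podman run` image reference now resolve `docker.io/rocketchat/rocket.chat:{{ rocketchat_version }}`, a mutable tag that is re-pulled on every service start, so a retagged or compromised upstream image is deployed automatically with no review. Pin the image by digest, e.g. render `docker.io/rocketchat/rocket.chat:{{ rocketchat_version }}@{{ rocketchat_image_digest }}` in both lines and bump the digest alongside the version in `hosts.yml`, or enforce signature checks through the containers policy on the OCI nodes. A comment on the `ExecStartPre` line noting that the `-alpine` variant is gone from 7.0.0 onward would explain the tag change to the next reader.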
From 2c63423a9a095ae0d338a4be974d0099d4cd124d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 26 Nov 2024 07:57:21 +0000 Subject: [PATCH 345/596] Update gitea version --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 59f1046..eff12ed 100644 --- a/hosts.yml +++ b/hosts.yml @@ -26,7 +26,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.21.11" + gitea_version: "1.22.4" gitearunner: hosts: gitea-runner02.home.foo.sh: From 773dff1aa9031191454af44904abbfaf9d6c1df6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 26 Nov 2024 13:03:33 +0000 Subject: [PATCH 346/596] Update changed ip addresses --- group_vars/ns.yml | 2 +- group_vars/shell.yml | 2 +- roles/pf/files/pf.conf.gw_home | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/ns.yml b/group_vars/ns.yml index d22952f..5a6101f 100644 --- a/group_vars/ns.yml +++ b/group_vars/ns.yml @@ -1,6 +1,6 @@ --- firewall_in: - - {proto: tcp, port: 22, from: [172.20.20.0/22, 62.78.229.26/32]} + - {proto: tcp, port: 22, from: [172.20.20.0/22, 212.149.248.65/32]} - {proto: tcp, port: 53} - {proto: udp, port: 53} - {proto: tcp, port: 80} diff --git a/group_vars/shell.yml b/group_vars/shell.yml index 55e4a34..f61151a 100644 --- a/group_vars/shell.yml +++ b/group_vars/shell.yml @@ -9,7 +9,7 @@ firewall_in: - {proto: tcp, port: 22} - {proto: tcp, port: 80} - {proto: tcp, port: 443} - - {proto: tcp, port: 9100, from: [62.78.229.26/32]} + - {proto: tcp, port: 9100, from: [212.149.248.65/32]} ssh_hostnames: - shell.foo.sh diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/files/pf.conf.gw_home index 8a91465..8fe7df5 100644 --- a/roles/pf/files/pf.conf.gw_home +++ b/roles/pf/files/pf.conf.gw_home 
@@ -43,7 +43,7 @@ antispoof for vio1 pass in quick on $int_if proto tcp from $int_net to self port ssh pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh -pass in quick on $ext_if proto tcp from 62.78.229.19/32 to self port ssh +pass in quick on $ext_if proto tcp from 89.27.104.10/32 to self port ssh # node_exporter from internal network pass in quick on $int_if proto tcp from $int_net to self port 9100 From 8c042d5ba867d71e10eb60e80ce18bed131f1941 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 27 Nov 2024 15:18:44 +0000 Subject: [PATCH 347/596] ssh_known_hosts: Move under ansible-software repo --- roles/ssh_known_hosts/tasks/main.yml | 8 -------- roles/ssh_known_hosts/templates/ssh_known_hosts.j2 | 5 ----- 2 files changed, 13 deletions(-) delete mode 100644 roles/ssh_known_hosts/tasks/main.yml delete mode 100644 roles/ssh_known_hosts/templates/ssh_known_hosts.j2 diff --git a/roles/ssh_known_hosts/tasks/main.yml b/roles/ssh_known_hosts/tasks/main.yml deleted file mode 100644 index 31acc01..0000000 --- a/roles/ssh_known_hosts/tasks/main.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Create SSH known_hosts - ansible.builtin.template: - dest: /etc/ssh/ssh_known_hosts - src: ssh_known_hosts.j2 - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" diff --git a/roles/ssh_known_hosts/templates/ssh_known_hosts.j2 b/roles/ssh_known_hosts/templates/ssh_known_hosts.j2 deleted file mode 100644 index 6019166..0000000 --- a/roles/ssh_known_hosts/templates/ssh_known_hosts.j2 +++ /dev/null @@ -1,5 +0,0 @@ -{% set keys = lookup('fileglob', '/srv/sshca/ca/*.pub', wantlist=True) %} -{% for key in keys %} -{% set data = lookup('ansible.builtin.file', key) | split() %} -@cert-authority *.foo.sh {{ data[0:2] | join(' ') }} -{% endfor %} From 7e062a95927e57b4f601b2045a3eae514a60da11 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Wed, 27 Nov 2024 15:23:08 +0000 Subject: [PATCH 348/596] Update ansible-software submodule --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index 56a7d07..0929d28 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit 56a7d070924ab4e515020a0422653ffc4ab34131 +Subproject commit 0929d284c80241068902dbc0bef5feaa6e1667f4 From b62ef003925eb0fe4b486faffc4ac1debc9798aa Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 28 Nov 2024 13:18:04 +0000 Subject: [PATCH 349/596] mirror: Update mirror user UID/GID --- roles/mirror/base/tasks/main.yml | 4 ++-- users.md | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/mirror/base/tasks/main.yml b/roles/mirror/base/tasks/main.yml index 66ec50a..ef230e0 100644 --- a/roles/mirror/base/tasks/main.yml +++ b/roles/mirror/base/tasks/main.yml @@ -7,7 +7,7 @@ - name: Create mirror group ansible.builtin.group: name: mirror - gid: 1001 + gid: 309 - name: Create mirror user ansible.builtin.user: @@ -17,7 +17,7 @@ group: mirror home: /var/empty shell: /sbin/nologin - uid: 1001 + uid: 309 - name: Create data directory ansible.builtin.file: diff --git a/users.md b/users.md index 1854978..7e006e4 100644 --- a/users.md +++ b/users.md @@ -14,6 +14,7 @@ entry empty. If only a group is created, leave the user entry empty. | 306 | backup | backup | | | 307 | minecraft | minecraft | | | 308 | certbot | certbot | | +| 309 | mirror | mirror | | | 1001 | mirror | mirror | | | 1003 | collab | collab | | | 1004 | docker | docker | docker registry | From d11b2a17e3717d1a83c486a4d582b95cc3a914df Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 29 Nov 2024 07:24:41 +0000 Subject: [PATCH 350/596] rsyslog: Use FQDN when remote logging is used --- roles/rsyslog/templates/remote.conf.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/rsyslog/templates/remote.conf.j2 b/roles/rsyslog/templates/remote.conf.j2 index f93141b..767b9b5 100644 
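Review bot: The mirror user moves to `uid: 309` / `gid: 309`, but `users.md` keeps the old `| 1001 | mirror | mirror |` row next to the new 309 entry, so the table now claims two IDs for one account; drop the 1001 row in the same change. As with any UID move, the existing mirror tree (the "Create data directory" task that follows sets ownership only on the top-level directory, as far as the context shows) stays owned by 1001 on already-deployed hosts, so a recursive `owner: mirror` / `group: mirror` pass or a documented one-time chown is needed before the sync jobs can write again. A comment above the group task pointing at `users.md` as the allocation source would help keep the two in step.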
--- a/roles/rsyslog/templates/remote.conf.j2 +++ b/roles/rsyslog/templates/remote.conf.j2 @@ -1,3 +1,6 @@ +# Log with FQDN +global(LocalHostName="{{ inventory_hostname }}") + # Certificates global(DefaultNetstreamDriverCAFile="{{ tls_bundle }}" DefaultNetstreamDriverCertFile="{{ tls_certs }}/{{ inventory_hostname }}.crt" From fff2153a8a738545416b3ff778d5640370f70f45 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 1 Dec 2024 17:10:57 +0000 Subject: [PATCH 351/596] pf: Fix changed ip addresses --- roles/pf/files/pf.conf.gw_home | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/files/pf.conf.gw_home index 8fe7df5..077b457 100644 --- a/roles/pf/files/pf.conf.gw_home +++ b/roles/pf/files/pf.conf.gw_home @@ -39,11 +39,11 @@ antispoof for lo0 antispoof for vio0 antispoof for vio1 -# admin connection (internal, fsol and arc office) +# admin connection (internal, arcsec office, dmz, lan) pass in quick on $int_if proto tcp from $int_net to self port ssh pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh -pass in quick on $ext_if proto tcp from 89.27.104.10/32 to self port ssh +pass in quick on $ext_if proto tcp from 212.149.228.253/32 to self port ssh # node_exporter from internal network pass in quick on $int_if proto tcp from $int_net to self port 9100 From 72de1a5478551631747f577acba96a7f6c972ccc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 2 Dec 2024 21:35:31 +0000 Subject: [PATCH 352/596] lm_sensors: Moved to ansible-software repo --- roles/lm_sensors/handlers/main.yml | 8 -------- roles/lm_sensors/tasks/main.yml | 12 ------------ 2 files changed, 20 deletions(-) delete mode 100644 roles/lm_sensors/handlers/main.yml delete mode 100644 roles/lm_sensors/tasks/main.yml diff --git a/roles/lm_sensors/handlers/main.yml b/roles/lm_sensors/handlers/main.yml deleted file mode 100644 index ea6cb47..0000000 
--- a/roles/lm_sensors/handlers/main.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Run sensors-detect - ansible.builtin.shell: "cat /dev/null | sensors-detect" - -- name: Restart lm_sensors - ansible.builtin.service: - name: lm_sensors - state: restarted diff --git a/roles/lm_sensors/tasks/main.yml b/roles/lm_sensors/tasks/main.yml deleted file mode 100644 index 9231b53..0000000 --- a/roles/lm_sensors/tasks/main.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: Install packages - ansible.builtin.package: - name: lm_sensors - state: installed - notify: Run sensors-detect - -- name: Enable service - ansible.builtin.service: - name: lm_sensors - state: started - enabled: true From 3b1c65ad82e249db1a04842c69472270a536d738 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 2 Dec 2024 21:35:53 +0000 Subject: [PATCH 353/596] Update software subrepo --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index 0929d28..0696900 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit 0929d284c80241068902dbc0bef5feaa6e1667f4 +Subproject commit 069690089424d86455399a8cf2363f8354cd0738 From 205b82f1d832210a88d62f7206ec099290bd498e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 4 Dec 2024 17:13:03 +0000 Subject: [PATCH 354/596] Update software versions --- hosts.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts.yml b/hosts.yml index eff12ed..b8e121b 100644 --- a/hosts.yml +++ b/hosts.yml @@ -85,8 +85,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "11.3.0" - rocketchat_version: "7.0.0" + grafana_version: "11.3.1" + rocketchat_version: "7.1.0" roundcube_version: "1.6.9" print: hosts: @@ -96,7 +96,7 @@ prometheus: prometheus01.home.foo.sh: vars: mysqld_exporter_version: "0.16.0" - nginx_exporter_version: "1.3.0" + nginx_exporter_version: "1.4.0" proxy: hosts: proxy01.home.foo.sh: 
From 770d6a74d3d3b6d602475b11bc8d8c734eae4211 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 6 Dec 2024 10:10:46 +0000 Subject: [PATCH 355/596] mirror: Refactoring sync-mirrors script --- .../files/{sync-mirrors => sync-mirrors.sh} | 93 +++++++++---------- roles/mirror/base/tasks/main.yml | 2 +- 2 files changed, 46 insertions(+), 49 deletions(-) rename roles/mirror/base/files/{sync-mirrors => sync-mirrors.sh} (55%) diff --git a/roles/mirror/base/files/sync-mirrors b/roles/mirror/base/files/sync-mirrors.sh similarity index 55% rename from roles/mirror/base/files/sync-mirrors rename to roles/mirror/base/files/sync-mirrors.sh index ef6100e..609857a 100755 --- a/roles/mirror/base/files/sync-mirrors +++ b/roles/mirror/base/files/sync-mirrors.sh @@ -1,4 +1,7 @@ -#!/bin/bash +#!/bin/sh + +set -eu +umask 022 LOCKFILE="/var/run/sync-mirrors/lockfile" LOGFILE="/var/log/sync-mirrors/sync-mirrors-$(date +%Y%m%d%H%M%S).log" @@ -9,30 +12,35 @@ usage() { echo " $(basename "$0") -l" 1>&2 } -logmsg() { - [ "${VERBOSE}" -eq 1 ] && echo "$1" - echo "$(date '+%Y/%m/%d %H:%M:%S') [$$] $1" >> "${LOGFILE}" +list_mirrors() { + for f in "$CONFDIR"/*.conf ; do + basename "$f" ".conf" + done } -if [ -d ${CONFDIR} ]; then - MIRRORLIST="$(find ${CONFDIR}/ -name \*.conf | while read -r f ; \ - do basename "${f}" | sed -e 's/\.conf$//' ; done)" - if [ "${MIRRORLIST}" = "" ]; then - echo "ERR: No configured mirrors found" 1>&2 - exit 1 - fi -else +logmsg() { + "$VERBOSE" && echo "$1" + echo "$(date '+%Y/%m/%d %H:%M:%S') [$$] $1" >> "$LOGFILE" +} + +logstream() { + while read -r line; do + logmsg "$line" + done +} + +if [ ! -d "$CONFDIR" ]; then echo "ERR: Config directory [${CONFDIR}] missing" 1>&2 exit 1 fi -VERBOSE=0 +VERBOSE=false NOOP="" EXTRA_OPTS="" while getopts "vhln" c ; do case $c in v) - VERBOSE=1 + VERBOSE=true EXTRA_OPTS="${EXTRA_OPTS} -v --progress" ;; h) 
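Review bot: `list_mirrors` in the second hunk mishandles an empty config directory: POSIX sh leaves a non-matching glob literal, so with no `*.conf` files the loop prints `*`, the `No configured mirrors found` check further down (which tests `$# -eq 0` on this output) can never fire, and the script goes on to source a non-existent `$CONFDIR/*.conf`. Add `[ -e "$f" ] || continue` as the first line of the loop body. The `getopts` case statement that begins at the end of this hunk continues outside it.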
@@ -41,9 +49,7 @@ while getopts "vhln" c ; do ;; l) echo "Available mirrors:" - for name in ${MIRRORLIST} ; do - echo " ${name}" - done + list_mirrors | sed -e 's/^/ /' exit 0 ;; n) @@ -59,17 +65,19 @@ done shift "$((OPTIND - 1))" -if [ $# -gt 0 ]; then +if [ $# -eq 0 ]; then + set -- $(list_mirrors) + if [ $# -eq 0 ]; then + echo "ERR: No configured mirrors found" 1>&2 + exit 1 + fi +else for mirror in "$@" ; do if [ ! -f "${CONFDIR}/$1.conf" ]; then echo "ERR: No mirror named [$1]" 1>&2 exit 1 fi - SYNC="${MIRRORS} $1" - shift done -else - SYNC="${MIRRORLIST}" fi if [ "$(whoami)" != "mirror" ]; then 
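Review bot: The argument-validation loop in the last hunk still tests `$1` while iterating `$mirror`, and the `shift` that used to advance `$1` was removed, so only the first name is ever checked: `sync-mirrors good bogus` passes validation and dies later, under the new `set -e`, when `. "${CONFDIR}/bogus.conf"` fails — aborting the whole run rather than reporting the bad name up front. Use the loop variable in both places: `if [ ! -f "${CONFDIR}/${mirror}.conf" ]; then` and `echo "ERR: No mirror named [${mirror}]" 1>&2`. The `whoami` check on the hunk's last line continues outside it.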
@@ -77,52 +85,41 @@ if [ "$(whoami)" != "mirror" ]; then exit 1 fi -umask 022 - -if [ -f "${LOCKFILE}" ]; then - if kill -0 "$(cat ${LOCKFILE})" ; then - STARTED=" ($(stat --format='%y' ${LOCKFILE}))" +if [ -f "$LOCKFILE" ]; then + if kill -0 "$(cat $LOCKFILE)" ; then + STARTED=" ($(stat --format='%y' $LOCKFILE))" echo "ERR: Lockfile exists${STARTED}, exiting" 1>&2 exit 1 else echo "WARN: Removing stale lock file..." 1>&2 - rm -f "${LOCKFILE}" + rm -f "$LOCKFILE" fi fi -trap 'rm -f ${LOCKFILE}' INT TERM EXIT -echo "$$" > "${LOCKFILE}" +trap 'rm -f $LOCKFILE' INT TERM EXIT +echo "$$" > "$LOCKFILE" -for mirror in ${SYNC} ; do +for mirror in "$@" ; do POSTCMD="" SRC="" RSYNCOPTS="" + # shellcheck source=/dev/null . "${CONFDIR}/${mirror}.conf" - if [ "${SRC}" = "" ]; then + if [ "$SRC" = "" ]; then echo "ERR: No SRC set for mirror ${mirror} ..." 1>&2 exit 1 fi logmsg "Starting ${mirror} sync${NOOP}..." - rsync -aH -4 ${EXTRA_OPTS} --numeric-ids --delete --delete-delay \ - --delay-updates --no-motd ${RSYNCOPTS} --log-file="${LOGFILE}" \ - --exclude=.~tmp~/ "${SRC}" "/srv/mirrors/${mirror}/" + rsync -aH -4 $EXTRA_OPTS --numeric-ids --delete --delete-delay \ + --delay-updates --no-motd $RSYNCOPTS --log-file="$LOGFILE" \ + --exclude=.~tmp~/ "$SRC" "/srv/mirrors/${mirror}/" STATUS=$? - if [ ${STATUS} -ne 0 ]; then + if [ $STATUS -ne 0 ]; then echo "WARN: Encountered errors on ${mirror} sync, see ${LOGFILE} for details" 1>&2 fi logmsg "Finished ${mirror} sync with exit status ${STATUS}${NOOP} ..." - if [ "${POSTCMD}" != "" ]; then + if [ "$POSTCMD" != "" ]; then logmsg "Running post for ${mirror} ..." - if [ "${VERBOSE}" -eq 1 ]; then - ${POSTCMD} 2>&1 | tee >( \ - awk "{ print strftime(\"%Y/%m/%d %H:%M:%S\") \" [$$] \" \$0 }" \ - >> "${LOGFILE}" ) - else - ${POSTCMD} 2>&1 | \ - awk "{ print strftime(\"%Y/%m/%d %H:%M:%S\") \" [$$] \" \$0 }" \ - >> "${LOGFILE}" - fi + $POSTCMD 2>&1 | logstream logmsg "Finished post for ${mirror} ..." fi done - -rm -f "${LOCKFILE}" 
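Review bot: With `set -eu` now at the top of the script, a non-zero rsync exit in the main loop terminates the script at the rsync line, so `STATUS=$?`, the WARN message, the Finished log entry, `POSTCMD` and every remaining mirror are skipped; rsync exits 23/24 routinely on vanished files and partial transfers, so this will happen in normal operation. Capture the status without tripping errexit: set `STATUS=0` before the call and append `|| STATUS=$?` after `"/srv/mirrors/${mirror}/"`. Note also that `$POSTCMD 2>&1 | logstream` yields the status of `logstream`, so a failing post command is never reported; if that matters, log its status explicitly. `kill -0 "$(cat $LOCKFILE)"` and `stat --format='%y' $LOCKFILE` still expand the path unquoted, harmless for this fixed path but inconsistent with the rest of the rewrite.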
diff --git a/roles/mirror/base/tasks/main.yml b/roles/mirror/base/tasks/main.yml index ef230e0..c28f54b 100644 --- a/roles/mirror/base/tasks/main.yml +++ b/roles/mirror/base/tasks/main.yml @@ -70,7 +70,7 @@ - name: Copy mirroring script ansible.builtin.copy: dest: /usr/local/bin/sync-mirrors - src: sync-mirrors + src: sync-mirrors.sh mode: "0755" owner: root group: root From 0be436e8b0106e2ff77503cf79281adf0405ddaa Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 6 Dec 2024 10:15:14 +0000 Subject: [PATCH 356/596] mirror: Fix tabs to spaces --- roles/mirror/base/files/sync-mirrors.sh | 32 ++++++++++++------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/roles/mirror/base/files/sync-mirrors.sh b/roles/mirror/base/files/sync-mirrors.sh index 609857a..2dba204 100755 --- a/roles/mirror/base/files/sync-mirrors.sh +++ b/roles/mirror/base/files/sync-mirrors.sh @@ -39,19 +39,19 @@ NOOP="" EXTRA_OPTS="" while getopts "vhln" c ; do case $c in - v) - VERBOSE=true - EXTRA_OPTS="${EXTRA_OPTS} -v --progress" - ;; - h) - usage - exit 1 - ;; - l) - echo "Available mirrors:" - list_mirrors | sed -e 's/^/ /' - exit 0 - ;; + v) + VERBOSE=true + EXTRA_OPTS="${EXTRA_OPTS} -v --progress" + ;; + h) + usage + exit 0 + ;; + l) + echo "Available mirrors:" + list_mirrors | sed -e 's/^/ /' + exit 0 + ;; n) NOOP=" (DRY RUN)" EXTRA_OPTS="${EXTRA_OPTS} -n" @@ -87,11 +87,11 @@ fi if [ -f "$LOCKFILE" ]; then if kill -0 "$(cat $LOCKFILE)" ; then - STARTED=" ($(stat --format='%y' $LOCKFILE))" + STARTED=" ($(stat --format='%y' $LOCKFILE))" echo "ERR: Lockfile exists${STARTED}, exiting" 1>&2 exit 1 else - echo "WARN: Removing stale lock file..." 1>&2 + echo "WARN: Removing stale lock file..." 1>&2 rm -f "$LOCKFILE" fi fi 
@@ -119,7 +119,7 @@ for mirror in "$@" ; do logmsg "Finished ${mirror} sync with exit status ${STATUS}${NOOP} ..." if [ "$POSTCMD" != "" ]; then logmsg "Running post for ${mirror} ..." - $POSTCMD 2>&1 | logstream + $POSTCMD 2>&1 | logstream logmsg "Finished post for ${mirror} ..." fi done From fb3608fa6ee495c0e8e5e0c28e30de79b19729fa Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 7 Dec 2024 11:44:30 +0000 Subject: [PATCH 357/596] ipsilon: Initial version of role --- roles/ipsilon/handlers/main.yml | 18 +++++ roles/ipsilon/meta/main.yml | 5 ++ roles/ipsilon/tasks/main.yml | 74 +++++++++++++++++++ .../templates/ipsilon-container.service.j2 | 21 ++++++ .../templates/ipsilon-container.sysconfig.j2 | 10 +++ 5 files changed, 128 insertions(+) create mode 100644 roles/ipsilon/handlers/main.yml create mode 100644 roles/ipsilon/meta/main.yml create mode 100644 roles/ipsilon/tasks/main.yml create mode 100644 roles/ipsilon/templates/ipsilon-container.service.j2 create mode 100644 roles/ipsilon/templates/ipsilon-container.sysconfig.j2 diff --git a/roles/ipsilon/handlers/main.yml b/roles/ipsilon/handlers/main.yml new file mode 100644 index 0000000..072010a --- /dev/null +++ b/roles/ipsilon/handlers/main.yml @@ -0,0 +1,18 @@ +--- +- name: Rebuild ipsilon-container + ansible.builtin.command: + argv: + - podman + - build + - -t + - ipsilon + - /usr/local/src/docker-ipsilon + become: true + become_user: ipsilon + notify: Restart ipsilon-container + +- name: Restart ipsilon-container + ansible.builtin.systemd: + name: ipsilon-container + daemon_reload: true + state: restarted diff --git a/roles/ipsilon/meta/main.yml b/roles/ipsilon/meta/main.yml new file mode 100644 index 0000000..b8e2a3e --- /dev/null +++ b/roles/ipsilon/meta/main.yml @@ -0,0 +1,5 @@ +--- +dependencies: + - {role: git} + - {role: nginx} + - {role: podman} diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml new file mode 100644 index 0000000..deadb3d --- /dev/null 
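Review bot: The `Rebuild ipsilon-container` handler runs `podman build` as `ipsilon` via `become_user` against /usr/local/src/docker-ipsilon, which the role's tasks clone as root, so the build only works while that checkout stays world-readable, and Ansible becoming an unprivileged user needs setfacl/pipelining support on the host or it falls back to world-readable temp files. Cloning the repository as the `ipsilon` user, or under its home directory, removes both dependencies. The build also passes no `--pull`, so the base image named in the Dockerfile is reused from the local cache and its security updates only arrive when the cache is cleared; add `--pull` (or `--pull=newer`) to the argv.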
+++ b/roles/ipsilon/tasks/main.yml @@ -0,0 +1,74 @@ +--- +- name: Create group + ansible.builtin.group: + name: ipsilon + +- name: Create user + ansible.builtin.user: + name: ipsilon + comment: Podman Ipsilon + group: ipsilon + shell: /sbin/nologin + +- name: Enable user lingering + ansible.builtin.command: + argv: + - loginctl + - enable-linger + - ipsilon + creates: /var/lib/systemd/linger/ipsilon + +- name: Copy host key + ansible.builtin.copy: + dest: "{{ tls_private }}/ipsilon.key" + src: "{{ tls_private }}/{{ inventory_hostname }}.key" + mode: "0640" + owner: root + group: ipsilon + remote_src: true + +- name: Get container source + ansible.builtin.git: + dest: /usr/local/src/docker-ipsilon + repo: https://github.com/foo-sh/docker-ipsilon.git + update: true + version: master + notify: Rebuild ipsilon-container + +- name: Create service file + ansible.builtin.template: + dest: /etc/systemd/system/ipsilon-container.service + src: ipsilon-container.service.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart ipsilon-container + +- name: Create service config + ansible.builtin.template: + dest: /etc/sysconfig/ipsilon-container + src: ipsilon-container.sysconfig.j2 + mode: "0600" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart ipsilon-container + +- name: Enable service + ansible.builtin.service: + name: ipsilon-container + state: started + enabled: true + +- name: Copy nginx config + ansible.builtin.copy: + dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/ipsilon-container.conf" + content: | + location /ipsilon { + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host idp.foo.sh; + proxy_pass http://127.0.0.1:8011/; + } + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart nginx diff --git a/roles/ipsilon/templates/ipsilon-container.service.j2 b/roles/ipsilon/templates/ipsilon-container.service.j2 new file mode 100644 index 0000000..0560343 --- /dev/null 
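Review bot: `Get container source` tracks `version: master` with `update: true` and notifies the rebuild handler, so every playbook run redeploys the identity provider from whatever the branch head is at that moment, with no review or rollback point; pin `version:` to a tag or commit SHA and bump it deliberately. On a fresh host `Enable service` starts `ipsilon-container` before the Rebuild handler has produced the `ipsilon` image, because handlers only run at the end of the play; add `- name: Flush handlers` / `ansible.builtin.meta: flush_handlers` immediately before it. In the nginx snippet, `location /ipsilon` without a trailing slash also matches `/ipsilonanything`, and nothing sets `X-Forwarded-Proto`, which an IdP behind a TLS-terminating proxy generally needs for correct redirect and cookie handling; consider `location /ipsilon/` plus `proxy_set_header X-Forwarded-Proto https;`, checking against how the image expects its URL prefix.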
+++ b/roles/ipsilon/templates/ipsilon-container.service.j2
@@ -0,0 +1,21 @@
+[Unit]
+Description=Ipsilon Container
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+User=ipsilon
+EnvironmentFile=/etc/sysconfig/ipsilon-container
+ExecStart=/usr/bin/podman run \
+ --rm -p 127.0.0.1:8011:80 \
+ --name ipsilon \
+ --env LDAP_* --env IPSILON_*\
+ --volume={{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \
+ --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \
+ --volume={{ tls_private }}/ipsilon.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \
+ ipsilon:latest
+ExecStop=/usr/bin/podman stop --ignore ipsilon
+ExecStopPost=/usr/bin/podman rm -f --ignore ipsilon
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2
new file mode 100644
index 0000000..6d0b562
--- /dev/null
+++ b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2
@@ -0,0 +1,10 @@
+LDAP_BASEDN="{{ ldap_basedn }}"
+IPSILON_DB_USER="ipsilon"
+IPSILON_DB_PASS="jFmMGUXsQgOuW9FE5ABX"
+IPSILON_DB_HOST="sqldb02.home.foo.sh"
+IPSILON_DB_USERPREFS="ipsilon"
+IPSILON_DB_TRANSACTIONS="ipsilon"
+IPSILON_DB_SESSIONS="ipsilon"
+IPSILON_DB_CA="/etc/ssl/certs/ca.crt"
+IPSILON_DB_KEY="/etc/ssl/private/{{ inventory_hostname }}.key"
+IPSILON_DB_CERT="/etc/ssl/certs/{{ inventory_hostname}}.crt"
From 215823b6b2087e245899ae8a817d35cfcaeaccb0 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 7 Dec 2024 11:45:17 +0000
Subject: [PATCH 358/596] Add ipsilon vhost and related services
---
 playbooks/oci-node.yml | 1 +
 playbooks/proxy.yml | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/playbooks/oci-node.yml b/playbooks/oci-node.yml
index 2c70ab9..d67e62f 100644
--- a/playbooks/oci-node.yml
+++ b/playbooks/oci-node.yml
@@ -28,6 +28,7 @@
 - base
 - authcheck
 - grafana
+ - ipsilon
 - kdc
 - roundcube
 - role: php4dvd
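Review bot: `ExecStart` runs the unqualified short name `ipsilon:latest`; when the locally built image is absent (pruned, or the first start before the build handler has run) podman's short-name resolution may consult the configured unqualified-search registries, so it could end up pulling and running `docker.io/library/ipsilon` instead of the local build. Refer to the local image explicitly as `localhost/ipsilon:latest` so the lookup can only succeed against the local store. Minor: `--env IPSILON_*\` has no space before the backslash; systemd replaces backslash-newline with a space so it still parses, but `--env IPSILON_* \` matches the other continuation lines.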
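Review bot: `IPSILON_DB_PASS="jFmMGUXsQgOuW9FE5ABX"` commits a live database credential to the repository in clear text; the 0600 mode the role applies on the host does nothing for the copy in git history and in every clone of this repo. Move it into an Ansible Vault-encrypted variable and render it as `IPSILON_DB_PASS="{{ ipsilon_db_pass }}"`, and rotate the password on sqldb02 now that it has been exposed. `{{ inventory_hostname}}` on the last line is missing the space before the closing braces; Jinja accepts it, but it is inconsistent with the rest of the template.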
diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index 65ce5e3..3d03d9a 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -70,6 +70,9 @@ nginx_site_proxy: - https://oci-node01.home.foo.sh - https://oci-node02.home.foo.sh + - role: nginx_site + nginx_site_name: idp.foo.sh + nginx_site_proxy: https://oci-node01.home.foo.sh/ipsilon/ - role: nginx_site nginx_site_name: influxdb.foo.sh nginx_site_proxy: https://influxdb01.home.foo.sh/ From 54775e72e90558b9d9e11d7e63077ba2f8b268eb Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 7 Dec 2024 11:45:53 +0000 Subject: [PATCH 359/596] ipsilon: Reserve port for container --- container-ports.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container-ports.md b/container-ports.md index 39a8bec..7c6aa6e 100644 --- a/container-ports.md +++ b/container-ports.md @@ -11,4 +11,4 @@ | 8007 | frigate | Network video recorder | | 8008 | hoemeassistant | Home Assistant | | 8009 | rocketchat | Rocket.Chat | -| 8010 | google-spell-pspell | Google Spell Check XML API | +| 8011 | ipsilon | Ipsilon Identity Provider | From afdec531ddbeb52f08a83f4d541dd140b5ede391 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 7 Dec 2024 11:47:54 +0000 Subject: [PATCH 360/596] Revert "ipsilon: Reserve port for container" This reverts commit 54775e72e90558b9d9e11d7e63077ba2f8b268eb. --- container-ports.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container-ports.md b/container-ports.md index 7c6aa6e..39a8bec 100644 --- a/container-ports.md +++ b/container-ports.md @@ -11,4 +11,4 @@ | 8007 | frigate | Network video recorder | | 8008 | hoemeassistant | Home Assistant | | 8009 | rocketchat | Rocket.Chat | -| 8011 | ipsilon | Ipsilon Identity Provider | +| 8010 | google-spell-pspell | Google Spell Check XML API | From 58c7f89448aa56dd1b6103687da9169933fe54c0 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sat, 7 Dec 2024 11:48:13 +0000 Subject: [PATCH 361/596] Reserve port for ipsilon container --- container-ports.md | 1 + 1 file changed, 1 insertion(+) diff --git a/container-ports.md b/container-ports.md index 39a8bec..30b7205 100644 --- a/container-ports.md +++ b/container-ports.md @@ -12,3 +12,4 @@ | 8008 | hoemeassistant | Home Assistant | | 8009 | rocketchat | Rocket.Chat | | 8010 | google-spell-pspell | Google Spell Check XML API | +| 8011 | ipsilon | Ipsilon Identity Provider | From 0c06d1b6517d7832382b4cf07e1b4c615da95cec Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 7 Dec 2024 11:49:04 +0000 Subject: [PATCH 362/596] Remove old mirror user --- users.md | 1 - 1 file changed, 1 deletion(-) diff --git a/users.md b/users.md index 7e006e4..dfd38ea 100644 --- a/users.md +++ b/users.md @@ -15,6 +15,5 @@ entry empty. If only a group is created, leave the user entry empty. | 307 | minecraft | minecraft | | | 308 | certbot | certbot | | | 309 | mirror | mirror | | -| 1001 | mirror | mirror | | | 1003 | collab | collab | | | 1004 | docker | docker | docker registry | From 11ddc0397a0a14f65bfdacd1d4ddba375c7a3997 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 7 Dec 2024 14:04:59 +0000 Subject: [PATCH 363/596] Increase oci-node memory and disk --- group_vars/ocinode.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/ocinode.yml b/group_vars/ocinode.yml index 7f06eb1..d66dfb6 100644 --- a/group_vars/ocinode.yml +++ b/group_vars/ocinode.yml @@ -1,8 +1,8 @@ --- # increase memory size -mem_size: 4096 +mem_size: 8192 # increase disk size to store docker images -dsk_size: 50 +dsk_size: 100 firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} From 6e72234b1db96440c58f662736848982c7dd734d Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sat, 7 Dec 2024 15:24:41 +0000 Subject: [PATCH 364/596] nginx_site: Add load balance method config option --- roles/nginx_site/templates/site.conf.j2 | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 index a967023..13a3ec7 100644 --- a/roles/nginx_site/templates/site.conf.j2 +++ b/roles/nginx_site/templates/site.conf.j2 @@ -1,13 +1,16 @@ {% if nginx_site_proxy is defined and nginx_site_proxy is not string %} upstream {{ nginx_site_name }} { -{% for item in nginx_site_proxy %} -{% set item = item | regex_replace("^(https://)?([^/]*).*$", "\\2") %} -{% if item | regex_search(".*:[0-9]+$") %} +{% if nginx_site_load_balance_method is defined %} + {{ nginx_site_load_balance_method }}; +{% endif %} +{% for item in nginx_site_proxy %} +{% set item = item | regex_replace("^(https://)?([^/]*).*$", "\\2") %} +{% if item | regex_search(".*:[0-9]+$") %} server {{ item }}; -{% else %} +{% else %} server {{ item }}:443; -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} } {% endif %} server { From 4775bb8947896e47a014cbee2e1b62f06924e4cb Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 7 Dec 2024 15:25:10 +0000 Subject: [PATCH 365/596] Use session persistence for webmail backends --- playbooks/proxy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index 3d03d9a..89f7a53 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -107,6 +107,7 @@ - https://sane02.home.foo.sh/scanservjs/ - role: nginx_site nginx_site_name: webmail.foo.sh + nginx_site_load_balance_method: ip_hash nginx_site_proxy: - https://oci-node01.home.foo.sh/roundcube/ - https://oci-node02.home.foo.sh/roundcube/ From b1d5d2c7f2b2477e375a9776cd325bf6924dd004 Mon Sep 17 00:00:00 2001 
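Review bot: `{{ nginx_site_load_balance_method }};` in the first hunk renders the variable verbatim as an upstream directive, so any value is accepted at deploy time and a typo or unexpected value only surfaces when nginx fails to reload on a shared proxy. Restrict it to the directives valid in this position, e.g. `{% if nginx_site_load_balance_method is defined and nginx_site_load_balance_method in ['ip_hash', 'least_conn', 'random'] %}`, or assert the value in the role's tasks with `ansible.builtin.assert`. Note that `ip_hash` keys on the address of the immediate client, so if another proxy sits in front of this one the `realip` module has to be configured for the hash to spread across backends.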
From: Timo Makinen Date: Sat, 7 Dec 2024 15:56:59 +0000 Subject: [PATCH 366/596] collab: Change collab user uid/gid --- roles/collab/tasks/main.yml | 4 ++-- users.md | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/collab/tasks/main.yml b/roles/collab/tasks/main.yml index 6de89a0..b3df48d 100644 --- a/roles/collab/tasks/main.yml +++ b/roles/collab/tasks/main.yml @@ -99,13 +99,13 @@ - name: Create group collab ansible.builtin.group: name: collab - gid: 1003 + gid: 310 - name: Create user collab ansible.builtin.user: name: collab comment: Service Collab - uid: 1003 + uid: 310 group: collab home: /var/lib/collab shell: /sbin/nologin diff --git a/users.md b/users.md index dfd38ea..0b8fc08 100644 --- a/users.md +++ b/users.md @@ -15,5 +15,6 @@ entry empty. If only a group is created, leave the user entry empty. | 307 | minecraft | minecraft | | | 308 | certbot | certbot | | | 309 | mirror | mirror | | +| 310 | collab | collab | | | 1003 | collab | collab | | | 1004 | docker | docker | docker registry | From 381a7bd2269f843d81638ddfe4d87c5c77037c10 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 7 Dec 2024 15:57:29 +0000 Subject: [PATCH 367/596] Remove old collab user --- users.md | 1 - 1 file changed, 1 deletion(-) diff --git a/users.md b/users.md index 0b8fc08..fdc2aa7 100644 --- a/users.md +++ b/users.md @@ -16,5 +16,4 @@ entry empty. If only a group is created, leave the user entry empty. | 308 | certbot | certbot | | | 309 | mirror | mirror | | | 310 | collab | collab | | -| 1003 | collab | collab | | | 1004 | docker | docker | docker registry | From 856f5b286ca4099f309cc22268f48911be227246 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 7 Dec 2024 15:59:12 +0000 Subject: [PATCH 368/596] docker_distribution Change service user uid/gid --- roles/docker_distribution/tasks/main.yml | 4 ++-- users.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/roles/docker_distribution/tasks/main.yml b/roles/docker_distribution/tasks/main.yml index a224c13..cf85697 100644 --- a/roles/docker_distribution/tasks/main.yml +++ b/roles/docker_distribution/tasks/main.yml @@ -7,7 +7,7 @@ - name: Create docker group ansible.builtin.group: name: docker - gid: 1004 + gid: 311 - name: Create docker user ansible.builtin.user: @@ -18,7 +18,7 @@ groups: hostkey home: /var/empty shell: /sbin/nologin - uid: 1004 + uid: 311 - name: Create unit file drop-in directory ansible.builtin.file: diff --git a/users.md b/users.md index fdc2aa7..132c84e 100644 --- a/users.md +++ b/users.md @@ -16,4 +16,4 @@ entry empty. If only a group is created, leave the user entry empty. | 308 | certbot | certbot | | | 309 | mirror | mirror | | | 310 | collab | collab | | -| 1004 | docker | docker | docker registry | +| 311 | docker | docker | docker registry | From 2bf1320e3c6d59ab5b6660350da212d0a82fdfc1 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 8 Dec 2024 09:50:59 +0000 Subject: [PATCH 369/596] ipsilon: Use default database names --- roles/ipsilon/templates/ipsilon-container.sysconfig.j2 | 3 --- 1 file changed, 3 deletions(-) diff --git a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 index 6d0b562..fcfb7a5 100644 --- a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 +++ b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 @@ -2,9 +2,6 @@ LDAP_BASEDN="{{ ldap_basedn }}" IPSILON_DB_USER="ipsilon" IPSILON_DB_PASS="jFmMGUXsQgOuW9FE5ABX" IPSILON_DB_HOST="sqldb02.home.foo.sh" -IPSILON_DB_USERPREFS="ipsilon" -IPSILON_DB_TRANSACTIONS="ipsilon" -IPSILON_DB_SESSIONS="ipsilon" IPSILON_DB_CA="/etc/ssl/certs/ca.crt" IPSILON_DB_KEY="/etc/ssl/private/{{ inventory_hostname }}.key" IPSILON_DB_CERT="/etc/ssl/certs/{{ inventory_hostname}}.crt" From e5e2604a68dfb05e8c26829c76df28b04dccd472 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Mon, 9 Dec 2024 22:45:00 +0000 Subject: [PATCH 370/596] docker: No need to set max user namespaces --- roles/docker/tasks/main.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index a831262..cc4b9b1 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -12,12 +12,6 @@ name: docker-ce state: installed -- name: Enable user namespaces - ansible.posix.sysctl: - name: user.max_user_namespaces - value: "10240" - sysctl_file: /etc/sysctl.d/00-docker.conf - - name: Create config directory ansible.builtin.file: path: /etc/docker From ac765ed6f267cc69c9aa09ba86a381d33c433a9b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 12 Dec 2024 07:12:49 +0000 Subject: [PATCH 371/596] Update gitea to latest version --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index b8e121b..057dbc6 100644 --- a/hosts.yml +++ b/hosts.yml @@ -26,7 +26,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.22.4" + gitea_version: "1.22.5" gitearunner: hosts: gitea-runner02.home.foo.sh: From 2f6ca52acd73d2acfb4cf94daab13cced75c7c2c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 13 Dec 2024 09:40:36 +0000 Subject: [PATCH 372/596] Update gitea (security fix) --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 057dbc6..a627b9a 100644 --- a/hosts.yml +++ b/hosts.yml @@ -26,7 +26,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.22.5" + gitea_version: "1.22.6" gitearunner: hosts: gitea-runner02.home.foo.sh: From 8a3e283c27b72f057e6e5041b47126f2f89f845f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Dec 2024 13:48:18 +0000 Subject: [PATCH 373/596] scanservjs: Allow service to connect host --- roles/scanservjs/templates/scanservjs-container.service.j2 | 1 + 1 file changed, 1 insertion(+) 
diff --git a/roles/scanservjs/templates/scanservjs-container.service.j2 b/roles/scanservjs/templates/scanservjs-container.service.j2 index 50f1306..157cb4f 100644 --- a/roles/scanservjs/templates/scanservjs-container.service.j2 +++ b/roles/scanservjs/templates/scanservjs-container.service.j2 @@ -8,6 +8,7 @@ User=scanserv ExecStartPre=/usr/bin/podman pull docker.io/sbs20/scanservjs:{{ scanservjs_version }} ExecStart=/usr/bin/podman run \ --rm -p 127.0.0.1:8006:8080 \ + --network slirp4netns:allow_host_loopback=true \ --env "SANED_NET_HOSTS={{ inventory_hostname }}" \ --name scanservjs \ docker.io/sbs20/scanservjs:{{ scanservjs_version }} From 7089f389997032072da02188146557ceb2c2ea5b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Dec 2024 21:24:28 +0000 Subject: [PATCH 374/596] cups_server: Fix authentication and authorization --- roles/cups_server/tasks/main.yml | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/roles/cups_server/tasks/main.yml b/roles/cups_server/tasks/main.yml index 5b98c24..9b4bcc3 100644 --- a/roles/cups_server/tasks/main.yml +++ b/roles/cups_server/tasks/main.yml @@ -15,7 +15,9 @@ - name: Configure cups keytab location ansible.builtin.copy: dest: /etc/systemd/system/cups.service.d/keytab.conf - content: "[Service]\nEnvironment=KRB5_KTNAME=FILE:/etc/cups/cups.keytab\n" + content: | + [Service] + Environment=KRB5_KTNAME=FILE:/etc/cups/cups.keytab mode: "0644" owner: root group: "{{ ansible_wheel }}" @@ -38,7 +40,7 @@ ansible.builtin.lineinfile: path: /etc/cups/cupsd.conf line: "SSLListen 631" - insertafter: "Listen /var/run/cups/cups.sock" + insertafter: "^Listen .*.sock" notify: Restart cups - name: Require tls 1.3 
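Review bot: `--network slirp4netns:allow_host_loopback=true` makes every service bound to the host's 127.0.0.1 reachable from the container via 10.0.2.2, not only saned — that includes the other loopback-only container ports tracked in this inventory and any local admin endpoints. It is only needed if saned binds to loopback; `SANED_NET_HOSTS={{ inventory_hostname }}` points the container at the host's LAN name, which slirp4netns can reach without the option when saned listens on that address, so confirm which address saned actually binds and drop the flag if the loopback path is not required. If it is required, add a comment on that line stating that it exposes all host loopback listeners to the container so the trade-off stays visible.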
@@ -94,10 +96,18 @@ - name: Disable unauthenticated access from cups ansible.builtin.blockinfile: path: /etc/cups/cupsd.conf - insertafter: "^" - block: | - AuthType Default - Require user @foosh + marker: "{mark}" + marker_begin: "" + marker_end: "" + block: |2 + AuthType Default + Require group foosh + Order deny,allow + + + AuthType Default + Require group sysadm + Order deny,allow notify: Restart cups - name: Configure cups admin group From 31473548e1fb491b84f80a39d6f061c09e135640 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Dec 2024 21:36:12 +0000 Subject: [PATCH 375/596] dovecot: Update TLS configurations --- roles/dovecot/templates/local.conf.j2 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/dovecot/templates/local.conf.j2 b/roles/dovecot/templates/local.conf.j2 index 51ce026..6276c88 100644 --- a/roles/dovecot/templates/local.conf.j2 +++ b/roles/dovecot/templates/local.conf.j2 @@ -1,5 +1,5 @@ -# generated 2024-02-14, Mozilla Guideline v5.7, Dovecot 2.3.16, OpenSSL 1.1.1, modern configuration -# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.16&config=modern&openssl=1.1.1&guideline=5.7 +# generated 2024-12-15, Mozilla Guideline v5.7, Dovecot 2.3.16, OpenSSL 3.2.2, modern config +# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.16&config=modern&openssl=3.2.2&guideline=5.7 ssl = required ssl_cert = <{{ tls_certs }}/{{ mail_server }}-fullchain.crt @@ -7,6 +7,7 @@ ssl_key = <{{ tls_private }}/{{ mail_server }}.key ssl_min_protocol = TLSv1.3 ssl_prefer_server_ciphers = no +ssl_curve_list = X25519:prime256v1:secp384r1 # kerberos auth_gssapi_hostname = "$ALL" From a64d1b0fa7dda959528ad2d4cf497ca40092bd7d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Dec 2024 21:40:55 +0000 Subject: [PATCH 376/596] mariadb: Require TLSv3 connections --- roles/mariadb/templates/tls.cnf.j2 | 1 + 1 file changed, 1 insertion(+) 
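Review bot: The blockinfile task now uses `marker: "{mark}"` with empty `marker_begin`/`marker_end`, so the block is delimited by two empty lines; on the next run Ansible will treat the first two blank lines it finds in cupsd.conf as its markers and replace whatever lies between them, which is neither idempotent nor safe for unrelated directives. Use a marker cupsd ignores, e.g. `marker: "# {mark} ANSIBLE MANAGED BLOCK: authentication"`, and keep the `<Location>` containers explicit in the block — the visible text shows two bare AuthType/Require groups with no container lines, which may be a rendering artefact but should be checked. Also note that cupsd's `Order deny,allow` denies every client not matched by an `Allow` line and no `Allow` appears in this hunk; confirm the intended clients are still admitted after the change.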
diff --git a/roles/mariadb/templates/tls.cnf.j2 b/roles/mariadb/templates/tls.cnf.j2 index e193b3f..7aebd43 100644 --- a/roles/mariadb/templates/tls.cnf.j2 +++ b/roles/mariadb/templates/tls.cnf.j2 @@ -2,3 +2,4 @@ ssl-cert = {{ tls_certs }}/{{ inventory_hostname }}.crt ssl-key = {{ tls_private }}/{{ inventory_hostname }}.key ssl-ca = {{ tls_certs }}/ca.crt +tls_version = TLSv1.3 From da76cec8622227a683f2fbdc632e565d68add0a2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Dec 2024 22:36:45 +0000 Subject: [PATCH 377/596] Fix install ordering --- playbooks/print.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/playbooks/print.yml b/playbooks/print.yml index baa33c8..6b5e6d1 100644 --- a/playbooks/print.yml +++ b/playbooks/print.yml @@ -18,6 +18,10 @@ - mkhomedir tasks: + - name: Install unbound role + ansible.builtin.import_role: + name: unbound + - name: Run handlers to get interfaces configured ansible.builtin.meta: flush_handlers @@ -25,10 +29,6 @@ ansible.builtin.import_role: name: dhcpd - - name: Install unbound role - ansible.builtin.import_role: - name: unbound - - name: Install cups_server role ansible.builtin.import_role: name: cups_server From 6b24643f62faf209ef87599c72d568efae9cc3c6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Dec 2024 23:28:44 +0000 Subject: [PATCH 378/596] mariadb: Fix yaml lint errors --- roles/mariadb/meta/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/mariadb/meta/main.yml b/roles/mariadb/meta/main.yml index 683bc95..f178512 100644 --- a/roles/mariadb/meta/main.yml +++ b/roles/mariadb/meta/main.yml @@ -1,4 +1,3 @@ --- dependencies: - {role: backup_base} - From ab066a81b76d58cb2b2764932ae57228c77fdbf5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 15 Dec 2024 23:30:24 +0000 Subject: [PATCH 379/596] mongodb: Fix yamllint tests --- roles/mongodb/meta/main.yml | 1 - 1 file changed, 1 deletion(-) 
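Review bot: `tls_version = TLSv1.3` only constrains the protocol version for connections that negotiate TLS; it does not make TLS mandatory, so the "Require" in the commit title is true only if `require_secure_transport = ON` (or per-account `REQUIRE SSL`/`X509`) is set somewhere this hunk does not show. Add `require_secure_transport = ON` to the same tls.cnf after confirming every TCP client presents TLS — MariaDB still admits unix-socket connections with that setting, so local tooling from the backup_base dependency should be unaffected. A short comment above the line stating that both settings are needed would stop the next reader assuming the version pin alone enforces encryption.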
diff --git a/roles/mongodb/meta/main.yml b/roles/mongodb/meta/main.yml index 683bc95..f178512 100644 --- a/roles/mongodb/meta/main.yml +++ b/roles/mongodb/meta/main.yml @@ -1,4 +1,3 @@ --- dependencies: - {role: backup_base} - From e630255364f26950d8eea45f35864a8850e7f306 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 16 Dec 2024 23:09:52 +0000 Subject: [PATCH 380/596] sshca: Fix incorrect path --- roles/sshca/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/sshca/tasks/main.yml b/roles/sshca/tasks/main.yml index 403c94a..2a604b6 100644 --- a/roles/sshca/tasks/main.yml +++ b/roles/sshca/tasks/main.yml @@ -12,7 +12,7 @@ - name: Create CA directory ansible.builtin.file: - path: "/export/ssh/ca" + path: "/export/sshca/ca" state: directory mode: "0700" owner: root From 5f38645fee53599b4a1f65b2b8c81d1d6f7224fb Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 16 Dec 2024 23:10:14 +0000 Subject: [PATCH 381/596] sshca: Add genkey.sh script --- roles/sshca/files/genkey.sh | 28 ++++++++++++++++++++++++++++ roles/sshca/tasks/main.yml | 8 ++++++++ 2 files changed, 36 insertions(+) create mode 100755 roles/sshca/files/genkey.sh diff --git a/roles/sshca/files/genkey.sh b/roles/sshca/files/genkey.sh new file mode 100755 index 0000000..29bd3ed --- /dev/null +++ b/roles/sshca/files/genkey.sh @@ -0,0 +1,28 @@ +#!/bin/sh + +set -eu + +if [ $# -ne 1 ]; then + echo "Usage: $(basename "$0") " 1>&2 + exit +fi + +cd /srv/sshca/ca + +year="$1" +if [ "$year" -eq "$year" ] 2> /dev/null; then + if [ "$year" -lt "$(date +%Y)" ]; then + echo "ERROR: Invalid year \"${year}\", time in the past" 1>&2 + exit 1 + fi +else + echo "ERROR: Invalid year \"${year}\"" 1>&2 + exit 1 +fi + +if [ -f "ca.${year}" ]; then + echo "ERROR: Key \"${year}\" already exists" 1>&2 + exit 1 +fi + +ssh-keygen -t ed25519 -f "/srv/sshca/ca/ca.${year}" -C "foo.sh - SSH CA ${year}" 
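Review bot: The usage branch of genkey.sh ends in a bare `exit`, so a wrong argument count returns status 0 and any wrapper or operator script would treat it as success; make it `exit 1`. The script works in `/srv/sshca/ca` while the task fixed in the previous commit creates `/export/sshca/ca` — presumably one is a mount or symlink of the other, but a one-line comment at the top saying so would keep the next reader from "fixing" either path. Because keys are named per year and nothing here retires the previous year's key, add a header comment stating that sshd hosts and clients must keep trusting `ca.<previous year>.pub` until every certificate signed with it has expired. The usage string's argument name appears to have been lost in this rendering; verify it reads `Usage: genkey.sh <year>` in the repository.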
diff --git a/roles/sshca/tasks/main.yml b/roles/sshca/tasks/main.yml index 2a604b6..d55c742 100644 --- a/roles/sshca/tasks/main.yml +++ b/roles/sshca/tasks/main.yml @@ -27,6 +27,14 @@ group: "{{ ansible_wheel }}" follow: false +- name: Copy key generation script + ansible.builtin.copy: + dest: /srv/sshca/ca/genkey.sh + src: genkey.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + - name: Copy signing script ansible.builtin.copy: dest: /srv/sshca/signcert.sh From f4cc662c1a123b949c545a8a3bed5df0492c9cbd Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 16 Dec 2024 23:17:32 +0000 Subject: [PATCH 382/596] Update software subrepo --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index 0696900..bbe8e4f 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit 069690089424d86455399a8cf2363f8354cd0738 +Subproject commit bbe8e4f819fd748e41ff1938fc7ae0c20aa3d33b From ba7086f3b17920bc277f6cca463a105f0c1e71d3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 16 Dec 2024 23:42:08 +0000 Subject: [PATCH 383/596] sshd_cert: Use correct CA cert for signing --- roles/sshd_cert/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/sshd_cert/tasks/main.yml b/roles/sshd_cert/tasks/main.yml index 8d5e841..30e52c5 100644 --- a/roles/sshd_cert/tasks/main.yml +++ b/roles/sshd_cert/tasks/main.yml @@ -23,12 +23,12 @@ delegate_to: localhost register: sshd_cert_status -- name: Sign key +- name: Sign certificate ansible.builtin.command: argv: - ssh-keygen - -s - - /srv/sshca/ca/ca + - "/srv/sshca/ca/ca.{{ ansible_date_time['year'] }}" - -I - "{{ inventory_hostname }}" - -h From 70629e547e92e411542efaafc8e941d51c24ce71 Mon Sep 17 00:00:00 2001 
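Review bot: Choosing the CA key by `ansible_date_time['year']` ties signing to the clock of the managed host (facts are gathered there) rather than to an explicitly selected key, so on 1 January every run of this role fails with a missing `ca.<year>` until someone has run genkey.sh, and a host with a wrong clock silently picks a different CA. Prefer a variable owned by the sshca role, e.g. `- "/srv/sshca/ca/ca.{{ sshca_signing_key | default(ansible_date_time['year']) }}"`, and add a comment that every still-valid CA public key must remain in the sshd and client trust lists after rollover. The rest of the ssh-keygen argv, including the `-V` validity period, lies outside this hunk.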
From: Timo Makinen Date: Mon, 16 Dec 2024 23:50:28 +0000 Subject: [PATCH 384/596] sshca: Remove unused signcert script --- roles/sshca/files/signcert.sh | 26 -------------------------- roles/sshca/tasks/main.yml | 8 -------- 2 files changed, 34 deletions(-) delete mode 100755 roles/sshca/files/signcert.sh diff --git a/roles/sshca/files/signcert.sh b/roles/sshca/files/signcert.sh deleted file mode 100755 index 3d237dd..0000000 --- a/roles/sshca/files/signcert.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/sh - -set -eu - -umask 022 - -if [ $# -ne 1 ]; then - echo "Usage: $(basename "$0") " 1>&2 - exit 1 -fi - -_basedir="/srv/sshca" -_name="$1" - -if ! echo "$_name" | grep -Eq '.foo.sh$'; then - echo "ERROR: Only '*.foo.sh' certificates are allowed" 1>&2 - exit 1 -fi - -if [ ! -f "/srv/ansible/facts/${_name}" ]; then - echo "ERROR: Cannot find host '${_name}'" 1>&2 - exit 1 -fi - -ssh-keygen -s "${_basedir}/ca/ca" -I "$_name" -n "$_name" -V -5m:+365d -h \ - "${_basedir}/pubkeys/${_name}.pub" diff --git a/roles/sshca/tasks/main.yml b/roles/sshca/tasks/main.yml index d55c742..41edb8b 100644 --- a/roles/sshca/tasks/main.yml +++ b/roles/sshca/tasks/main.yml @@ -34,11 +34,3 @@ mode: "0755" owner: root group: "{{ ansible_wheel }}" - -- name: Copy signing script - ansible.builtin.copy: - dest: /srv/sshca/signcert.sh - src: signcert.sh - mode: "0755" - owner: root - group: "{{ ansible_wheel }}" From e9752c560a7f66c5dd093b5ec57062f7058f283f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 00:23:31 +0000 Subject: [PATCH 385/596] kvm_host: Add script for checking orphaned vm data --- roles/kvm_host/files/check-orphaned-vm.sh | 24 +++++++++++++++++++++++ roles/kvm_host/tasks/main.yml | 15 ++++++++++++++ 2 files changed, 39 insertions(+) create mode 100755 roles/kvm_host/files/check-orphaned-vm.sh diff --git a/roles/kvm_host/files/check-orphaned-vm.sh b/roles/kvm_host/files/check-orphaned-vm.sh new file mode 100755 index 0000000..43954e1 --- /dev/null 
+++ b/roles/kvm_host/files/check-orphaned-vm.sh @@ -0,0 +1,24 @@ +#!/bin/sh + +set -eu + +# check that all vm's are in ldap +virsh list --all --name | while read -r vm ; do + [ "$vm" = "" ] && continue + if ! ldapsearch -LLL "(&(cn=${vm})(objectClass=device))" dn 2> /dev/null | \ + grep -qE "^dn: cn=${vm},ou=Hosts," + then + echo "WARNING: Host \"${vm}\" registered in KVM but not in LDAP" 1>62 + fi +done + +# check that all disks have owner +for dir in /srv/libvirt/{hdd,nvme,os,ssd} ; do + [ -d "$dir" ] || continue + find "$dir" -name \*.img | while read -r image ; do + vm="$(basename "$image" ".img" | sed -e 's/\.[a-z]$//')" + if ! virsh dominfo "$vm" > /dev/null 2>&1 ; then + echo "WARNING: Orphaned disk image \"${image}\" found" 1>&2 + fi + done +done diff --git a/roles/kvm_host/tasks/main.yml b/roles/kvm_host/tasks/main.yml index 6ed94d4..78ea78e 100644 --- a/roles/kvm_host/tasks/main.yml +++ b/roles/kvm_host/tasks/main.yml @@ -53,3 +53,18 @@ name: libvirtd state: started enabled: true + +- name: Install script for checking orphaned vm's + ansible.builtin.copy: + dest: /usr/local/bin/check-orphaned-vm + src: check-orphaned-vm.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Add cronjob to check orphaned vm's + ansible.builtin.cron: + name: check-orphaned-vm + hour: "5" + minute: "5" + job: /usr/local/bin/check-orphaned-vm From e51363ed8a0dd466e9102d8a97016f280832ceed Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 00:24:41 +0000 Subject: [PATCH 386/596] kvm_host: Add LDAP client as dependency --- roles/kvm_host/meta/main.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 roles/kvm_host/meta/main.yml diff --git a/roles/kvm_host/meta/main.yml b/roles/kvm_host/meta/main.yml new file mode 100644 index 0000000..d2f9d51 --- /dev/null +++ b/roles/kvm_host/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: ldap} From 050eee3f235888ebc7d691e27be3dbea477270dd Mon Sep 17 00:00:00 2001 
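Review bot: `1>62` on the LDAP warning line redirects stdout to a file literally named `62` in the cron job's working directory instead of to stderr, so the warning is never delivered and a stray file accumulates on every run; it should read `echo "WARNING: Host \"${vm}\" registered in KVM but not in LDAP" 1>&2`. The `for dir in /srv/libvirt/{hdd,nvme,os,ssd}` line relies on brace expansion, which `#!/bin/sh` only provides when sh is bash; under dash the literal path fails the `-d` test and the orphaned-disk check silently does nothing, so spell out the four directories. The VM name is interpolated unescaped into both the LDAP filter and the grep pattern; names come from virsh and are admin-controlled, so the risk is low, but a comment recording that assumption is warranted.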
From: Timo Makinen Date: Tue, 17 Dec 2024 15:46:56 +0000 Subject: [PATCH 387/596] base: More el7 cleanups mainly yum -> dnf --- roles/base/tasks/RedHat.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml index 992c088..a8b8ac4 100644 --- a/roles/base/tasks/RedHat.yml +++ b/roles/base/tasks/RedHat.yml @@ -103,7 +103,7 @@ when: - ansible_virtualization_role == "host" -- name: Install el7/el8 packages +- name: Install packages (el8 and older) ansible.builtin.package: name: "{{ item }}" state: installed @@ -111,7 +111,7 @@ - mailx when: ansible_distribution_major_version|int <= 8 -- name: Install el9 packages +- name: Install packages (el9 and newer) ansible.builtin.package: name: "{{ item }}" state: installed @@ -153,10 +153,10 @@ owner: root group: "{{ ansible_wheel }}" -- name: Cron job for downloading yum updates +- name: Cron job for downloading updates ansible.builtin.cron: - name: yum-downloadonly + name: dnf-downloadonly user: root hour: "3" minute: "{{ 59 | random(seed=inventory_hostname) }}" - job: "yum -d 0 -e 0 -y --downloadonly update > /dev/null" + job: "dnf -d 0 -e 0 -y --downloadonly update > /dev/null" From 8f4cc595424e24c6546f53a102704c82472c4b48 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 15:53:31 +0000 Subject: [PATCH 388/596] autofs: Add option which NFS mounts to enable --- roles/autofs/defaults/main.yml | 3 +++ roles/autofs/templates/auto.master.j2 | 4 ++++ 2 files changed, 7 insertions(+) create mode 100644 roles/autofs/defaults/main.yml diff --git a/roles/autofs/defaults/main.yml b/roles/autofs/defaults/main.yml new file mode 100644 index 0000000..404004a --- /dev/null +++ b/roles/autofs/defaults/main.yml @@ -0,0 +1,3 @@ +--- +autofs_home: true +autofs_roles: true diff --git a/roles/autofs/templates/auto.master.j2 b/roles/autofs/templates/auto.master.j2 index ee9e28f..bec2b4b 100644 --- a/roles/autofs/templates/auto.master.j2 
+++ b/roles/autofs/templates/auto.master.j2 @@ -1,2 +1,6 @@ +{% if autofs_home %} /home ldap:///ou=People,{{ ldap_basedn }} rw,nosuid,nodev,rsize=1048576,wsize=1048576 +{% endif %} +{% if autofs_roles %} /roles ldap:///ou=Groups,{{ ldap_basedn }} rw,nosuid,nodev,rsize=1048576,wsize=1048576 --ghost +{% endif %} From 0cc512ca9a3a4df4492bf3fa6111c613ce9deeba Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 15:54:46 +0000 Subject: [PATCH 389/596] Allow server network hosts to use NFS with krb5 --- playbooks/nas.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/playbooks/nas.yml b/playbooks/nas.yml index ceffe23..f7372ae 100644 --- a/playbooks/nas.yml +++ b/playbooks/nas.yml @@ -45,10 +45,12 @@ ansible.builtin.copy: dest: /etc/exports content: | - /export/home 172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \ + /export/home 172.20.20.0/22(rw,root_squash,secure,sec=krb5p) \ + 172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \ @nfsclients-rw(rw,root_squash,secure) \ @nfsclients-ro(ro,root_squash,secure) - /export/roles 172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \ + /export/roles 172.20.20.0/22(rw,root_squash,secure,sec=krb5p) \ + 172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \ @nfsclients-rw(rw,root_squash,secure) \ @nfsclients-ro(ro,root_squash,secure) mode: "0644" From 9d6418ca71e3f3dce8d7e8828da8adb28a3629e6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 15:56:30 +0000 Subject: [PATCH 390/596] Mount role directories to adm hosts --- playbooks/adm.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 2f99193..8bea617 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml @@ -33,6 +33,8 @@ keytab_principals: - "host/{{ inventory_hostname }}@{{ kerberos_realm }}" - nfs_client + - role: autofs + autofs_home: false - sssd - mkhomedir - rpm_build From 121687ad7c1e0667e07c6f58f5e8094081da131a Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Tue, 17 Dec 2024 18:14:42 +0000 Subject: [PATCH 391/596] tlshd: First version of role --- roles/tlshd/handlers/main.yml | 5 +++++ roles/tlshd/tasks/main.yml | 30 +++++++++++++++++++++++++++++ roles/tlshd/templates/tlshd.conf.j2 | 16 +++++++++++++++ 3 files changed, 51 insertions(+) create mode 100644 roles/tlshd/handlers/main.yml create mode 100644 roles/tlshd/tasks/main.yml create mode 100644 roles/tlshd/templates/tlshd.conf.j2 diff --git a/roles/tlshd/handlers/main.yml b/roles/tlshd/handlers/main.yml new file mode 100644 index 0000000..ed0f6fd --- /dev/null +++ b/roles/tlshd/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart tlshd + ansible.builtin.service: + name: tlshd + state: restarted diff --git a/roles/tlshd/tasks/main.yml b/roles/tlshd/tasks/main.yml new file mode 100644 index 0000000..7105884 --- /dev/null +++ b/roles/tlshd/tasks/main.yml @@ -0,0 +1,30 @@ +--- +- name: Install packages + ansible.builtin.package: + name: ktls-utils + +- name: Configure tlshd + ansible.builtin.template: + dest: /etc/tlshd.conf + src: tlshd.conf.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart tlshd + +- name: Configure tlshd private key + ansible.builtin.copy: + dest: "{{ tls_private }}/tlshd.key" + src: "{{ tls_private }}/{{ inventory_hostname }}.key" + mode: "0600" + owner: root + group: "{{ ansible_wheel }}" + remote_src: true + tags: certificates + notify: Restart tlshd + +- name: Enable tlshd services + ansible.builtin.service: + name: tlshd + state: started + enabled: true diff --git a/roles/tlshd/templates/tlshd.conf.j2 b/roles/tlshd/templates/tlshd.conf.j2 new file mode 100644 index 0000000..5063216 --- /dev/null +++ b/roles/tlshd/templates/tlshd.conf.j2 
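Review bot: The "Configure tlshd private key" task duplicates the host private key into `tlshd.key` with `remote_src: true`, leaving two copies of the same key material on disk and a second file that must be refreshed on every certificate renewal; tlshd presumably runs as root and could point `x509.private_key` at `{{ tls_private }}/{{ inventory_hostname }}.key` directly. If a separate copy is deliberate — for example so a renewal that replaces the original does not race a running tlshd — say so in a comment on the task, and make sure the renewal path also triggers this tagged task so the copy does not go stale.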
@@ -0,0 +1,16 @@ +[debug] +loglevel=0 +tls=0 +nl=0 + +[authenticate] + +[authenticate.client] +x509.truststore = {{ tls_certs }}/ca.crt +x509.certificate = {{ tls_certs }}/{{ inventory_hostname }}.crt +x509.private_key = {{ tls_private }}/tlshd.key + +[authenticate.server] +x509.truststore = {{ tls_certs }}/ca.crt +x509.certificate = {{ tls_certs }}/{{ inventory_hostname }}.crt +x509.private_key = {{ tls_private }}/tlshd.key From d6e857fd84facb6c5ebb6216f87d651e70987718 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 18:15:15 +0000 Subject: [PATCH 392/596] nfs_client: Add support for RPC-with-TLS --- roles/nfs_client/meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/nfs_client/meta/main.yml b/roles/nfs_client/meta/main.yml index 14a902c..b5c17d7 100644 --- a/roles/nfs_client/meta/main.yml +++ b/roles/nfs_client/meta/main.yml @@ -1,3 +1,4 @@ --- dependencies: - {role: kerberos} + - {role: tlshd} From 1e2e45551ecb6cacd86fea30177cf4a25ec19df6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 20:14:02 +0000 Subject: [PATCH 393/596] autofs: Require TLS authentication for NFS mounts --- roles/autofs/templates/auto.master.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/autofs/templates/auto.master.j2 b/roles/autofs/templates/auto.master.j2 index bec2b4b..53c7637 100644 --- a/roles/autofs/templates/auto.master.j2 +++ b/roles/autofs/templates/auto.master.j2 @@ -1,6 +1,6 @@ {% if autofs_home %} -/home ldap:///ou=People,{{ ldap_basedn }} rw,nosuid,nodev,rsize=1048576,wsize=1048576 +/home ldap:///ou=People,{{ ldap_basedn }} rw,nosuid,nodev,rsize=1048576,wsize=1048576,xprtsec=mtls {% endif %} {% if autofs_roles %} -/roles ldap:///ou=Groups,{{ ldap_basedn }} rw,nosuid,nodev,rsize=1048576,wsize=1048576 --ghost +/roles ldap:///ou=Groups,{{ ldap_basedn }} rw,nosuid,nodev,rsize=1048576,wsize=1048576,xprtsec=mtls --ghost {% endif %} 
From 112ad23a66698735e2fcbdc5bcbb9227497b4fed Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 20:15:20 +0000 Subject: [PATCH 394/596] nfs_server: Move configs to include file --- roles/nfs_server/files/local.conf | 7 +++++++ roles/nfs_server/tasks/main.yml | 30 ++++++++++++++---------------- 2 files changed, 21 insertions(+), 16 deletions(-) create mode 100644 roles/nfs_server/files/local.conf diff --git a/roles/nfs_server/files/local.conf b/roles/nfs_server/files/local.conf new file mode 100644 index 0000000..b5085c3 --- /dev/null +++ b/roles/nfs_server/files/local.conf @@ -0,0 +1,7 @@ +[mountd] +debug="auth,general" + +[nfsd] +udp=n +tcp=y +vers3=n diff --git a/roles/nfs_server/tasks/main.yml b/roles/nfs_server/tasks/main.yml index c73f100..c2ca5fd 100644 --- a/roles/nfs_server/tasks/main.yml +++ b/roles/nfs_server/tasks/main.yml @@ -1,21 +1,19 @@ --- -- name: Disable NFS versions 2 and 3 - ansible.builtin.lineinfile: - path: /etc/nfs.conf - line: "{{ item }}=n" - regexp: '^(#\s*)?{{ item }}=.*' - with_items: - - vers2 - - vers3 - notify: Restart nfs-server +- name: Create config directory + ansible.builtin.file: + path: /etc/nfs.conf.d + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" -- name: Disable NFS over UDP - ansible.builtin.lineinfile: - path: /etc/nfs.conf - line: "udp=n" - regexp: '^(#\s*)?udp=.*' - insertbefore: vers2=n - notify: Restart nfs-server +- name: Create local config + ansible.builtin.copy: + dest: /etc/nfs.conf.d/local.conf + src: local.conf + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" - name: Install home/role autocreate scripts ansible.builtin.copy: From 9fd303c4adaa537f80e4ca2b84f32ed8ff450047 Mon Sep 17 00:00:00 2001 
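Review bot: `[mountd] debug="auth,general"` turns on permanent verbose mountd logging in a production config file; if it was added for the RPC-with-TLS rollout, note that in a comment and plan to remove it, otherwise drop it now. The lineinfile tasks this replaces also set `vers2=n`; current nfs-utils no longer ship NFSv2 so the omission is probably harmless, but confirm with `cat /proc/fs/nfsd/versions` on a deployed NAS host. `/etc/nfs.conf.d` is only honoured by nfs-utils releases that support the include directory, which is worth checking on the same hosts.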
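Review bot: The new "Create local config" copy task carries no `notify: Restart nfs-server`, whereas both lineinfile tasks it replaces did, so edits to local.conf (including the v3 and UDP disablement) are not applied until something else restarts nfsd. Add `notify: Restart nfs-server` to the task. The task file continues beyond this hunk.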
From: Timo Makinen Date: Tue, 17 Dec 2024 20:16:02 +0000 Subject: [PATCH 395/596] nfs_server: Move exports file under roles --- playbooks/nas.yml | 18 ------------------ roles/nfs_server/files/exports | 6 ++++++ roles/nfs_server/tasks/main.yml | 9 +++++++++ 3 files changed, 15 insertions(+), 18 deletions(-) create mode 100644 roles/nfs_server/files/exports diff --git a/playbooks/nas.yml b/playbooks/nas.yml index f7372ae..cb65fe3 100644 --- a/playbooks/nas.yml +++ b/playbooks/nas.yml @@ -39,21 +39,3 @@ - nfs_server - role: keytab keytab_principals: "nfs/{{ inventory_hostname }}@FOO.SH" - - tasks: - - name: Copy exports file - ansible.builtin.copy: - dest: /etc/exports - content: | - /export/home 172.20.20.0/22(rw,root_squash,secure,sec=krb5p) \ - 172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \ - @nfsclients-rw(rw,root_squash,secure) \ - @nfsclients-ro(ro,root_squash,secure) - /export/roles 172.20.20.0/22(rw,root_squash,secure,sec=krb5p) \ - 172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \ - @nfsclients-rw(rw,root_squash,secure) \ - @nfsclients-ro(ro,root_squash,secure) - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - notify: Restart nfs-server diff --git a/roles/nfs_server/files/exports b/roles/nfs_server/files/exports new file mode 100644 index 0000000..51916e7 --- /dev/null +++ b/roles/nfs_server/files/exports @@ -0,0 +1,6 @@ +/export/home @nfsclients-rw(rw,root_squash,secure,xprtsec=mtls,sec=sys) \ + @nfsclients-ro(ro,root_squash,secure,xprtsec=mtls,sec=sys) \ + @nfsclients-krb(rw,root_squash,secure,xprtsec=mtls,sec=krb5p) +/export/roles @nfsclients-rw(rw,root_squash,secure,xprtsec=mtls,sec=sys) \ + @nfsclients-ro(ro,root_squash,secure,xprtsec=mtls,sec=sys) \ + @nfsclients-krb(rw,root_squash,secure,xprtsec=mtls,sec=krb5p) diff --git a/roles/nfs_server/tasks/main.yml b/roles/nfs_server/tasks/main.yml index c2ca5fd..8ac57b1 100644 --- a/roles/nfs_server/tasks/main.yml +++ b/roles/nfs_server/tasks/main.yml 
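Review bot: The new exports give `@nfsclients-rw` read-write access with `sec=sys`, which trusts whatever UID/GID the client kernel asserts; `xprtsec=mtls` authenticates the client host, not the user, so root on any host in that netgroup can read or write every home and role directory by assuming the target UID (`root_squash` remaps only UID 0). The previous file granted krb5p by address to 172.20.20.0/22 and 172.20.30.0/24, while this one grants it only to `@nfsclients-krb`, so any host in those ranges that is missing from the netgroup loses access — verify the membership before applying. Add a comment above the exports stating this trust model, and consider `sec=krb5p` for the rw netgroup wherever the clients already have keytabs.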
@@ -15,6 +15,15 @@ owner: root group: "{{ ansible_wheel }}" +- name: Create exports + ansible.builtin.copy: + dest: /etc/exports + src: exports + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart nfs-server + - name: Install home/role autocreate scripts ansible.builtin.copy: dest: "/usr/local/sbin/{{ item }}" From c534d83e04a78aed681905882da99481e058ab22 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 20:27:52 +0000 Subject: [PATCH 396/596] Add roles mount to nms hosts --- playbooks/nms.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/playbooks/nms.yml b/playbooks/nms.yml index e4d523e..61de5ee 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -29,6 +29,12 @@ - role: nginx_site nginx_site_name: oob.foo.sh nginx_site_plaintext: false + - role: keytab + keytab_principals: + - "host/{{ inventory_hostname }}@{{ kerberos_realm }}" + - nfs_client + - role: autofs + autofs_home: false - sssd - mkhomedir - routeros_firmware From 1bab94601963279fe1c3a4a4542bdcbeb270b46b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 21:57:26 +0000 Subject: [PATCH 397/596] ipsilon: Move db password to secrets --- roles/ipsilon/templates/ipsilon-container.sysconfig.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 index fcfb7a5..1f76bc0 100644 --- a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 +++ b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 @@ -1,6 +1,6 @@ LDAP_BASEDN="{{ ldap_basedn }}" IPSILON_DB_USER="ipsilon" -IPSILON_DB_PASS="jFmMGUXsQgOuW9FE5ABX" +IPSILON_DB_PASS="{{ ipsilon_mysql_pass }}" IPSILON_DB_HOST="sqldb02.home.foo.sh" IPSILON_DB_CA="/etc/ssl/certs/ca.crt" IPSILON_DB_KEY="/etc/ssl/private/{{ inventory_hostname }}.key" From 46c41d2d776a5eed87f52eb0ac81e8c2b870df62 Mon Sep 17 00:00:00 2001 
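Review bot: Moving the literal password into `ipsilon_mysql_pass` does not remove `jFmMGUXsQgOuW9FE5ABX` from git history, so the MariaDB `ipsilon` account needs a new password at the same time, and the new value must live in vaulted inventory rather than a plain vars file — the hunk cannot show either. A comment in the template such as `# IPSILON_DB_PASS comes from vaulted vars; rotate in MariaDB if ever exposed` would record that. This file is an EnvironmentFile read by the unit, so the task that installs it (outside this hunk) must keep it unreadable to other users.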
From: Timo Makinen Date: Tue, 17 Dec 2024 22:00:21 +0000 Subject: [PATCH 398/596] ipsilon: Add OIDC key --- roles/ipsilon/tasks/main.yml | 9 +++++++++ roles/ipsilon/templates/ipsilon-container.service.j2 | 1 + roles/ipsilon/templates/ipsilon-container.sysconfig.j2 | 3 +++ 3 files changed, 13 insertions(+) diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml index deadb3d..b02b9df 100644 --- a/roles/ipsilon/tasks/main.yml +++ b/roles/ipsilon/tasks/main.yml @@ -27,6 +27,15 @@ group: ipsilon remote_src: true +- name: Copy OIDC key + ansible.builtin.copy: + dest: "{{ tls_private }}/openidc.key" + src: "{{ ansible_private }}/files/ipsilon/openidc.key" + mode: "0640" + owner: root + group: ipsilon + notify: Restart ipsilon-container + - name: Get container source ansible.builtin.git: dest: /usr/local/src/docker-ipsilon diff --git a/roles/ipsilon/templates/ipsilon-container.service.j2 b/roles/ipsilon/templates/ipsilon-container.service.j2 index 0560343..74bc2b0 100644 --- a/roles/ipsilon/templates/ipsilon-container.service.j2 +++ b/roles/ipsilon/templates/ipsilon-container.service.j2 @@ -13,6 +13,7 @@ ExecStart=/usr/bin/podman run \ --volume={{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \ --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \ --volume={{ tls_private }}/ipsilon.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \ + --volume={{ tls_private }}/openidc.key:/etc/ipsilon/openidc.key:ro \ ipsilon:latest ExecStop=/usr/bin/podman stop --ignore ipsilon ExecStopPost=/usr/bin/podman rm -f --ignore ipsilon diff --git a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 index 1f76bc0..7a4ba72 100644 --- a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 +++ b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 
@@ -5,3 +5,6 @@ IPSILON_DB_HOST="sqldb02.home.foo.sh" IPSILON_DB_CA="/etc/ssl/certs/ca.crt" IPSILON_DB_KEY="/etc/ssl/private/{{ inventory_hostname }}.key" IPSILON_DB_CERT="/etc/ssl/certs/{{ inventory_hostname}}.crt" +IPSILON_HOSTNAME="idp.foo.sh" +IPSILON_OPENIDC_KEYID="{{ ipsilon_openidc_keyid }}" +IPSILON_OPENIDC_SALT="{{ ipsilon_openidc_salt }}" From 3efe44b50bed4c5972c8050c08a80022cf1aa27a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 17 Dec 2024 22:32:25 +0000 Subject: [PATCH 399/596] rsync_backup: Initial version of role --- roles/rsync_backup/files/backup-daily.sh | 150 +++++++++++++++++++++++ roles/rsync_backup/meta/main.yml | 4 + roles/rsync_backup/tasks/main.yml | 52 ++++++++ 3 files changed, 206 insertions(+) create mode 100755 roles/rsync_backup/files/backup-daily.sh create mode 100644 roles/rsync_backup/meta/main.yml create mode 100644 roles/rsync_backup/tasks/main.yml diff --git a/roles/rsync_backup/files/backup-daily.sh b/roles/rsync_backup/files/backup-daily.sh new file mode 100755 index 0000000..4840732 --- /dev/null +++ b/roles/rsync_backup/files/backup-daily.sh 
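Review bot: `IPSILON_OPENIDC_SALT` adds a second secret to the same sysconfig EnvironmentFile; the template task that sets the file's owner and mode is not in this hunk, so confirm it is no more permissive than `0640 root:ipsilon`. Minor: `{{ inventory_hostname}}` on the IPSILON_DB_CERT context line lacks the space before the closing braces; Jinja accepts it, but it differs from every other line in the file.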
@@ -0,0 +1,150 @@ +#!/bin/sh + +set -eu + +umask 077 + +ROTATED=30 + +CONFDIR="/etc/rsync-backup" +DESTDIR="/srv/backup" +LOGDIR="/var/log/rsync-backup" +RUNDIR="/var/run/rsync-backup" + +find_rotated() { + # sort dailys from oldest to newest, daily.7 daily.6 daily.5 ... + find "$1" -mindepth 1 -maxdepth 1 -type d -name "daily.*" | sort -V -r +} + +rotate_dirs() { + for host in "$@"; do + # rotate dailys starting from oldest + if [ ! -d "${DESTDIR}/${host}" ]; then + continue + fi + find_rotated "${DESTDIR}/${host}" | while read -r dir; do + ext="${dir##*.}" + next="${dir%.*}.$((ext+1))" + mv "$dir" "$next" + done + done + # compress logs over 1 day old + find "$LOGDIR" -type f -name '*.log' -mtime +1 -execdir gzip -f {} ';' +} + +prune_dirs() { + for host in "$@"; do + # remove oldest dailys + find_rotated "${DESTDIR}/${host}" | while read -r dir ; do + num="$(basename "$dir" | sed -e 's/^daily.//')" + if [ "$num" -gt $ROTATED ]; then + rm -rf "$dir" + fi + done + done + # remove logs over ROTATED*2 days old + find "$LOGDIR" -type f -name '*.log.gz' -mtime +$((ROTATED*2)) -delete +} + +rsync_pull() { + dirs="" + opts="" + host="$1" + conf="${CONFDIR}/${host}.conf" + if [ -s "$conf" ] && [ -x "$conf" ]; then + # shellcheck source=/dev/null + . "$conf" || return + else + echo "skipped: ${1}" 1>&2 + return + fi + + lockdir="${RUNDIR}/${host}.lock" + mkdir -m 0755 "$lockdir" || return + + if [ "$host" = "$(hostname)" ]; then + # skip ssh for localhost + set -- $dirs + else + set -- $(for d in $dirs; do echo "${host}:${d}" ; done) + fi + + base="${DESTDIR}/${host}" + if [ ! -d "$base" ]; then + mkdir -m 0700 "$base" || return + fi + dest="${base}/daily.0" + last="${base}/daily.1" + if [ ! -d "$dest" ]; then + mkdir -m 0700 "$dest" || return + fi + if [ -d "$last" ]; then + # hardlink unchanged files to previous daily + opts="--ignore-existing --link-dest=${last}" + fi + + logfile="${LOGDIR}/${host}.$(date +%Y%m%d-%H%M%S).log" + if ! 
/usr/local/bin/rsync \ + -e "ssh -o BatchMode=yes -i ${CONFDIR}/id_ed25519" \ + -Raqxz --no-devices $opts \ + --log-file="$logfile" \ + "$@" "$dest" + then + echo "rsync log: ${logfile}" 1>&2 + fi + rmdir "$lockdir" +} + +if [ ! -d "$DESTDIR" ]; then + echo "ERROR: ${DESTDIR} does not exist" 1>&2 + exit 1 +fi + +if [ ! -d "$LOGDIR" ]; then + echo "ERROR: ${LOGDIR} does not exist" 1>&2 + exit 1 +fi + +if [ ! -d "$RUNDIR" ]; then + mkdir -m 0755 "$RUNDIR" +fi + +ALL=false +PRUNE=false +ROTATE=false +while getopts "apr" OPT; do + case "$OPT" in + a) + ALL=true + ;; + p) + PRUNE=true + ;; + r) + ROTATE=true + ;; + *) + echo "Usage: $(basename "$0") [-apr] [host ...]" 1>&2 + exit 1 + ;; + esac +done +shift $((OPTIND-1)) + +mkdir -m 0755 "${RUNDIR}/daily.lock" +trap 'rmdir "${RUNDIR}/daily.lock"' EXIT + +if [ $ALL ]; then + for conf in "${CONFDIR}"/*.conf ; do + host="$(basename "$conf" ".conf")" + set -- "$host" "$@" + done +fi + +$ROTATE && rotate_dirs "$@" + +for host in "$@" ; do + rsync_pull "$host" +done + +$PRUNE && prune_dirs "$@" diff --git a/roles/rsync_backup/meta/main.yml b/roles/rsync_backup/meta/main.yml new file mode 100644 index 0000000..a6cb84e --- /dev/null +++ b/roles/rsync_backup/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - {role: backup_base} + - {role: ssh_known_hosts} diff --git a/roles/rsync_backup/tasks/main.yml b/roles/rsync_backup/tasks/main.yml new file mode 100644 index 0000000..7562bb0 --- /dev/null +++ b/roles/rsync_backup/tasks/main.yml 
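Review bot: `if [ $ALL ]; then` is always true because `$ALL` holds the non-empty string `false` or `true`, so every invocation backs up every configured host regardless of `-a`, and explicitly named hosts are queued twice (only the per-host lock prevents a second pull); write `if $ALL; then`. The final statement `$PRUNE && prune_dirs "$@"` makes the script exit 1 whenever `-p` is not given, which cron and any caller will report as a failure; use `if $PRUNE; then prune_dirs "$@"; fi`. The per-host config is sourced as root via `. "$conf"`, so the `-x` test is not a security boundary — add a comment that /etc/rsync-backup must remain root-owned and not group/world-writable. `--ignore-existing` combined with `--link-dest` means a re-run without `-r` on the same day never refreshes files already present in daily.0; if that is intended for the cron path, say so in a comment.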
@@ -0,0 +1,52 @@
+---
+- name: Copy backup script
+ ansible.builtin.copy:
+ dest: /usr/local/sbin/backup-daily
+ src: backup-daily.sh
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: Create config directory
+ ansible.builtin.file:
+ path: /etc/rsync-backup
+ state: directory
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: Create logdir
+ ansible.builtin.file:
+ path: /var/log/rsync-backup
+ state: directory
+ mode: "0700"
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: Create ssh keys
+ ansible.builtin.command:
+ argv:
+ - ssh-keygen
+ - -t
+ - ed25519
+ - -C
+ - "root@{{ inventory_hostname }}"
+ - -N
+ - ""
+ - -f
+ - /etc/rsync-backup/id_ed25519
+ creates: /etc/rsync-backup/id_ed25519
+
+- name: Fetch ssh public key
+ ansible.builtin.fetch:
+ src: /etc/rsync-backup/id_ed25519.pub
+ dest: ../files/ssh/rsync-backup.pub
+ flat: true
+
+- name: Install cron job
+ ansible.builtin.cron:
+ name: daily rsync backup
+ job: /usr/local/sbin/backup-daily -a -p -r
+ hour: "00"
+ minute: "30"
+
From 9babcce554f5a9fbca7e3dcf9bf01b6e143099f1 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Tue, 17 Dec 2024 22:32:57 +0000
Subject: [PATCH 400/596] Enable rsync backups
---
 playbooks/backup.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/playbooks/backup.yml b/playbooks/backup.yml
index 91230bc..cf58b10 100644
--- a/playbooks/backup.yml
+++ b/playbooks/backup.yml
@@ -25,7 +25,7 @@
 roles:
 - base
- - backup_server
 - backup_bitbucket
 - backup_github
 - rclone
+ - rsync_backup
From 10d87f35d564939ab49c6981074735d012b81df1 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 20 Dec 2024 16:33:07 +0000
Subject: [PATCH 401/596] mosquitto: Use only TLSv3
---
 roles/mosquitto/templates/mosquitto.conf.j2 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/mosquitto/templates/mosquitto.conf.j2 b/roles/mosquitto/templates/mosquitto.conf.j2
index f0bc82a..8d81ed2 100644
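Review bot: Nothing in this task list enforces the mode or owner of `/etc/rsync-backup/id_ed25519` after "Create ssh keys" has run once; the key is generated behind `creates:` inside a `0755` directory and is never re-checked, so a later manual change or a restore from backup would not be corrected on the next play. A follow-up `ansible.builtin.file` task on that path with `mode: "0600"`, `owner: root` and the directory's group would pin it, and a comment saying that ssh-keygen normally creates the file 0600 itself would explain why the task is mostly a guard. The "Fetch ssh public key" `dest: ../files/ssh/rsync-backup.pub` is relative, so where the file lands depends on how ansible is invoked — presumably the repository's files directory, but a comment would make that explicit.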
--- a/roles/mosquitto/templates/mosquitto.conf.j2 +++ b/roles/mosquitto/templates/mosquitto.conf.j2 @@ -15,3 +15,4 @@ protocol websockets certfile {{ tls_certs }}/{{ inventory_hostname }}.crt keyfile {{ tls_private }}/{{ inventory_hostname }}.key cafile {{ tls_certs }}/ca.crt +tls_version tlsv1.3 From 4756acbaf0ec52377ddcebe243e5ae709c0936d7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 20 Dec 2024 17:39:10 +0000 Subject: [PATCH 402/596] mosquitto: Fix warnings about config file perms --- roles/mosquitto/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/mosquitto/tasks/main.yml b/roles/mosquitto/tasks/main.yml index 5e29a25..2d09f14 100644 --- a/roles/mosquitto/tasks/main.yml +++ b/roles/mosquitto/tasks/main.yml @@ -39,8 +39,8 @@ ansible.builtin.copy: dest: /etc/mosquitto/acl.conf src: "{{ ansible_private }}/files/mosquitto/acl.conf" - mode: "0640" - owner: root + mode: "0400" + owner: _mosquitto group: _mosquitto notify: Restart mosquitto @@ -48,8 +48,8 @@ ansible.builtin.copy: dest: /etc/mosquitto/passwd src: "{{ ansible_private }}/files/mosquitto/passwd" - mode: "0640" - owner: root + mode: "0400" + owner: _mosquitto group: _mosquitto notify: Restart mosquitto From 8dd1e61c3bd693a58677c9423929a8051754c084 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 20 Dec 2024 18:06:14 +0000 Subject: [PATCH 403/596] ansible_host: Fix for python 3.12 clients --- roles/ansible_host/files/urls.py.patch | 86 ++++++++++++++++++++++++++ roles/ansible_host/tasks/main.yml | 5 ++ 2 files changed, 91 insertions(+) create mode 100644 roles/ansible_host/files/urls.py.patch diff --git a/roles/ansible_host/files/urls.py.patch b/roles/ansible_host/files/urls.py.patch new file mode 100644 index 0000000..ee1dda4 --- /dev/null +++ b/roles/ansible_host/files/urls.py.patch 
@@ -0,0 +1,86 @@ +--- ./urls.py.orig 2024-03-27 18:55:18.077213253 +0000 ++++ urls.py 2024-03-27 18:21:07.613270952 +0000 +@@ -535,15 +535,18 @@ + UnixHTTPSConnection = None + if hasattr(httplib, 'HTTPSConnection') and hasattr(urllib_request, 'HTTPSHandler'): + class CustomHTTPSConnection(httplib.HTTPSConnection): # type: ignore[no-redef] +- def __init__(self, *args, **kwargs): ++ def __init__(self, client_cert=None, client_key=None, *args, **kwargs): + httplib.HTTPSConnection.__init__(self, *args, **kwargs) + self.context = None + if HAS_SSLCONTEXT: + self.context = self._context + elif HAS_URLLIB3_PYOPENSSLCONTEXT: + self.context = self._context = PyOpenSSLContext(PROTOCOL) +- if self.context and self.cert_file: +- self.context.load_cert_chain(self.cert_file, self.key_file) ++ ++ self._client_cert = client_cert ++ self._client_key = client_key ++ if self.context and self._client_cert: ++ self.context.load_cert_chain(self._client_cert, self._client_key) + + def connect(self): + "Connect to a host on a given (SSL) port." 
+@@ -564,10 +567,10 @@ + if HAS_SSLCONTEXT or HAS_URLLIB3_PYOPENSSLCONTEXT: + self.sock = self.context.wrap_socket(sock, server_hostname=server_hostname) + elif HAS_URLLIB3_SSL_WRAP_SOCKET: +- self.sock = ssl_wrap_socket(sock, keyfile=self.key_file, cert_reqs=ssl.CERT_NONE, # pylint: disable=used-before-assignment +- certfile=self.cert_file, ssl_version=PROTOCOL, server_hostname=server_hostname) ++ self.sock = ssl_wrap_socket(sock, keyfile=self._client_key, cert_reqs=ssl.CERT_NONE, # pylint: disable=used-before-assignment ++ certfile=self._client_cert, ssl_version=PROTOCOL, server_hostname=server_hostname) + else: +- self.sock = ssl.wrap_socket(sock, keyfile=self.key_file, certfile=self.cert_file, ssl_version=PROTOCOL) ++ self.sock = ssl.wrap_socket(sock, keyfile=self._client_key, certfile=self._client_cert, ssl_version=PROTOCOL) + + class CustomHTTPSHandler(urllib_request.HTTPSHandler): # type: ignore[no-redef] + +@@ -602,10 +605,6 @@ + return self.do_open(self._build_https_connection, req) + + def _build_https_connection(self, host, **kwargs): +- kwargs.update({ +- 'cert_file': self.client_cert, +- 'key_file': self.client_key, +- }) + try: + kwargs['context'] = self._context + except AttributeError: +@@ -613,7 +612,7 @@ + if self._unix_socket: + return UnixHTTPSConnection(self._unix_socket)(host, **kwargs) + if not HAS_SSLCONTEXT: +- return CustomHTTPSConnection(host, **kwargs) ++ return CustomHTTPSConnection(host, client_cert=self.client_cert, client_key=self.client_key, **kwargs) + return httplib.HTTPSConnection(host, **kwargs) + + @contextmanager +@@ -979,7 +978,7 @@ + pass + + +-def make_context(cafile=None, cadata=None, ciphers=None, validate_certs=True): ++def make_context(cafile=None, cadata=None, ciphers=None, validate_certs=True, client_cert=None, client_key=None): + if ciphers is None: + ciphers = [] + +@@ -1006,6 +1005,9 @@ + if ciphers: + context.set_ciphers(':'.join(map(to_native, ciphers))) + ++ if client_cert: ++ 
context.load_cert_chain(client_cert, keyfile=client_key) ++ + return context + + +@@ -1514,6 +1516,8 @@ + cadata=cadata, + ciphers=ciphers, + validate_certs=validate_certs, ++ client_cert=client_cert, ++ client_key=client_key, + ) + handlers.append(HTTPSClientAuthHandler(client_cert=client_cert, + client_key=client_key, diff --git a/roles/ansible_host/tasks/main.yml b/roles/ansible_host/tasks/main.yml index b13d9f3..15e4728 100644 --- a/roles/ansible_host/tasks/main.yml +++ b/roles/ansible_host/tasks/main.yml @@ -10,6 +10,11 @@ - python3.11-dns # required for lookup('dig', 'hostname') - python3.11-netaddr # required by iptables role +- name: Patch ansible to support python 3.12 clients + ansible.posix.patch: + src: urls.py.patch + dest: /usr/lib/python3.9/site-packages/ansible/module_utils/urls.py + - name: Create private directory and force permissions ansible.builtin.file: path: /export/private From 82a91857d05f251070e3dfc7938edd0b5230eb7f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 20 Dec 2024 18:06:45 +0000 Subject: [PATCH 404/596] ansible_host: Fix python dependencies for ansible --- roles/ansible_host/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/ansible_host/tasks/main.yml b/roles/ansible_host/tasks/main.yml index 15e4728..812a779 100644 --- a/roles/ansible_host/tasks/main.yml +++ b/roles/ansible_host/tasks/main.yml @@ -7,8 +7,8 @@ - ansible - ansible-collection-ansible-posix - ansible-collection-community-general - - python3.11-dns # required for lookup('dig', 'hostname') - - python3.11-netaddr # required by iptables role + - python3.9-dns # required for lookup('dig', 'hostname') + - python3.9-netaddr # required by iptables role - name: Patch ansible to support python 3.12 clients ansible.posix.patch: From ad85a0c46b4a20c7f7fbcc9353e616364d1ee004 Mon Sep 17 00:00:00 2001 
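Review bot: In the `@@ -613,7 +612,7 @@` hunk of the patch, `CustomHTTPSConnection(host, client_cert=self.client_cert, client_key=self.client_key, **kwargs)` passes `host` positionally, but the new signature in the `@@ -535,15 +535,18 @@` hunk is `def __init__(self, client_cert=None, client_key=None, *args, **kwargs)`, so `host` binds to `client_cert` and the keyword `client_cert=` then raises a "multiple values for argument" TypeError. That call is under `if not HAS_SSLCONTEXT:`, so on a Python 3.9 host with `ssl.SSLContext` available it is probably never reached, which is presumably why the patch works in practice; the parameters should still be ordered `def __init__(self, *args, client_cert=None, client_key=None, **kwargs)` or the call should pass `host` by keyword. Since this is a vendored copy of an upstream change, a header comment in the patch naming the upstream version it was taken from would make it easy to drop once the packaged ansible catches up.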
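Review bot: The "Patch ansible to support python 3.12 clients" task writes into the distro-owned file `/usr/lib/python3.9/site-packages/ansible/module_utils/urls.py`, so the next package upgrade of ansible will either silently revert the change or, if the shipped urls.py differs, make `ansible.posix.patch` fail with a reject; the interpreter path is also hard-coded and only matches the `python3.9-*` package names by convention. A comment on the task recording the ansible version the patch was made against and that it is to be removed once the package includes the fix, plus `backup: true` on the task, would make that failure mode visible and recoverable. The surrounding task list continues outside the hunk.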
From: Timo Makinen Date: Sat, 21 Dec 2024 16:41:18 +0000 Subject: [PATCH 405/596] ansible_host: Fix installing ansible patch --- roles/ansible_host/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ansible_host/tasks/main.yml b/roles/ansible_host/tasks/main.yml index 812a779..bc8f455 100644 --- a/roles/ansible_host/tasks/main.yml +++ b/roles/ansible_host/tasks/main.yml @@ -7,6 +7,7 @@ - ansible - ansible-collection-ansible-posix - ansible-collection-community-general + - patch # needed in next step - python3.9-dns # required for lookup('dig', 'hostname') - python3.9-netaddr # required by iptables role From 2dd0fb75c9bf741bc8a5b041ae17ae9fa01aa011 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 21 Dec 2024 17:41:03 +0000 Subject: [PATCH 406/596] autofs: Mount volumes with noatime --- roles/autofs/templates/auto.master.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/autofs/templates/auto.master.j2 b/roles/autofs/templates/auto.master.j2 index 53c7637..4087487 100644 --- a/roles/autofs/templates/auto.master.j2 +++ b/roles/autofs/templates/auto.master.j2 @@ -1,6 +1,6 @@ {% if autofs_home %} -/home ldap:///ou=People,{{ ldap_basedn }} rw,nosuid,nodev,rsize=1048576,wsize=1048576,xprtsec=mtls +/home ldap:///ou=People,{{ ldap_basedn }} rw,noatime,nosuid,nodev,rsize=1048576,wsize=1048576,xprtsec=mtls {% endif %} {% if autofs_roles %} -/roles ldap:///ou=Groups,{{ ldap_basedn }} rw,nosuid,nodev,rsize=1048576,wsize=1048576,xprtsec=mtls --ghost +/roles ldap:///ou=Groups,{{ ldap_basedn }} rw,noatime,nosuid,nodev,rsize=1048576,wsize=1048576,xprtsec=mtls --ghost {% endif %} From cfcdb4e935868bc3bcde7051ba80fc4f17516766 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sat, 21 Dec 2024 18:57:44 +0000 Subject: [PATCH 407/596] thinlinc_server: Fixes for thinlinc 4.18 release --- roles/thinlinc_server/files/tl-setup.local.sh | 28 ++++++++++--------- roles/thinlinc_server/tasks/main.yml | 7 ----- 2 files changed, 15 insertions(+), 20 deletions(-) diff --git a/roles/thinlinc_server/files/tl-setup.local.sh b/roles/thinlinc_server/files/tl-setup.local.sh index 118350e..acd3b39 100755 --- a/roles/thinlinc_server/files/tl-setup.local.sh +++ b/roles/thinlinc_server/files/tl-setup.local.sh @@ -3,22 +3,24 @@ set -eu cat < /root/tl-setup.answer -install-pygtk=yes -email-address=adm@foo.sh -setup-selinux=yes -setup-nearest=no -server-type=master -setup-firewall=no -install-python-ldap=no -setup-apparmor=no -missing-answer=ask -install-nfs=no -setup-thinlocal=no -install-sshd=no -tlwebadm-password=$(dd if=/dev/urandom count=1 2> /dev/null | base64 | tail -n 1 | cut -c 1-20) accept-eula=yes +server-type=master migrate-conf=old install-required-libs=yes +install-nfs=no +install-sshd=no +install-gtk=yes +install-python-ldap=no +agent-hostname-choice=manual +manual-agent-hostname=$(hostname -f) +email-address=adm@foo.sh +tlwebadm-password=$(dd if=/dev/urandom count=1 2> /dev/null | base64 | tail -n 1 | cut -c 1-20) +setup-thinlocal=no +setup-nearest=no +setup-firewall=no +setup-selinux=yes +setup-apparmor=no +missing-answer=abort EOF /opt/thinlinc/sbin/tl-setup -a /root/tl-setup.answer diff --git a/roles/thinlinc_server/tasks/main.yml b/roles/thinlinc_server/tasks/main.yml index 6455425..19eca7e 100644 --- a/roles/thinlinc_server/tasks/main.yml +++ b/roles/thinlinc_server/tasks/main.yml 
@@ -48,13 +48,6 @@ regexp: "^show_intro=.*" line: show_intro=false -- name: Configure vsmagent hostname - ansible.builtin.lineinfile: - path: /opt/thinlinc/etc/conf.d/vsmagent.hconf - regexp: "^agent_hostname=.*" - line: "agent_hostname={{ inventory_hostname }}" - notify: Restart vsmagent - - name: Copy private key ansible.builtin.copy: dest: /opt/thinlinc/etc/tlwebaccess/server.key From 81252de1452362705ab06c332b6da4c2e34c9547 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 22 Dec 2024 18:22:19 +0000 Subject: [PATCH 408/596] homeassistant: Convert auth command to python --- roles/homeassistant/files/auth-command.py | 25 +++++++++++++++++++++++ roles/homeassistant/files/auth-command.sh | 18 ---------------- roles/homeassistant/tasks/main.yml | 4 ++-- 3 files changed, 27 insertions(+), 20 deletions(-) create mode 100755 roles/homeassistant/files/auth-command.py delete mode 100755 roles/homeassistant/files/auth-command.sh diff --git a/roles/homeassistant/files/auth-command.py b/roles/homeassistant/files/auth-command.py new file mode 100755 index 0000000..02fff52 --- /dev/null +++ b/roles/homeassistant/files/auth-command.py @@ -0,0 +1,25 @@ +#!/usr/bin/env python3 + +import os +import re +import sys +import requests + +username = os.environ.get("username") +password = os.environ.get("password") + +if username is None or password is None: + sys.exit(2) +if not re.search(r"^[a-z]+$", username): + sys.exit(2) + +resp = requests.post( + "https://id.foo.sh/authcheck", + json={"username": username, "password": password, "group": "foosh"}, +) +if resp.status_code != 200: + sys.exit(2) + +print("name = {}".format(resp.json()["name"])) +print("group = system-users") +print("local_only = false") diff --git a/roles/homeassistant/files/auth-command.sh b/roles/homeassistant/files/auth-command.sh deleted file mode 100755 index e64ee9c..0000000 --- a/roles/homeassistant/files/auth-command.sh +++ /dev/null 
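Review bot: `requests.post(...)` is called without a `timeout`, so if id.foo.sh stalls the authenticating process hangs indefinitely instead of returning a failure; the shell version being removed had the same gap with curl, but it is worth closing while converting, e.g. `requests.post(..., json={...}, timeout=10)`. Any exception from the request or from `resp.json()["name"]` (connection error, non-JSON body, missing key) propagates as a traceback with exit status 1 rather than the `sys.exit(2)` used for every other failure, so the caller sees two different failure codes; wrapping the call in `try/except (requests.RequestException, ValueError, KeyError): sys.exit(2)` keeps the contract uniform. A short module docstring stating the `username`/`password` environment contract, the exit codes and the three output lines would also help the next reader.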
@@ -1,18 +0,0 @@ -#!/bin/sh - -set -eu - -umask 077 - -if [ -z "${username:-}" ] || [ -z "${password:-}" ]; then - exit 2 -fi - -if [ "$(echo "$username" | sed -r 's/^[a-z]+$/x/')" != "x" ]; then - exit 2 -fi - -curl -sf -X POST -H "Content-Type: application/json" -d @- \ - https://id.foo.sh/authcheck < Date: Mon, 23 Dec 2024 07:40:34 +0000 Subject: [PATCH 409/596] Add shell script linting tools to adm hosts --- playbooks/adm.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 8bea617..5900555 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml @@ -57,6 +57,7 @@ - pylint # python linting - python3-flake8 # python linting - speedtest-cli # testing network speed + - ShellCheck # shell script linting - virt-install # install kvm guests - wget # still in backbone for downloads - whois # read whois data From 0a861b0b8ef87e0a92f3de7dbd075fb10583bfb3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Dec 2024 08:05:57 +0000 Subject: [PATCH 410/596] mosquitto: Fix connections using TLS --- roles/mosquitto/templates/mosquitto.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mosquitto/templates/mosquitto.conf.j2 b/roles/mosquitto/templates/mosquitto.conf.j2 index 8d81ed2..e228124 100644 --- a/roles/mosquitto/templates/mosquitto.conf.j2 +++ b/roles/mosquitto/templates/mosquitto.conf.j2 @@ -9,7 +9,7 @@ protocol mqtt # listen to mqtt over websockets listener 8883 -protocol websockets +protocol mqtt # tls options certfile {{ tls_certs }}/{{ inventory_hostname }}.crt From 0adad8fa18c1e7c8a6c672bfc26c1ca4b4eac5a6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Dec 2024 09:14:29 +0000 Subject: [PATCH 411/596] frigate: Temporary kludge to fix startup errors --- roles/frigate/handlers/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/frigate/handlers/main.yml b/roles/frigate/handlers/main.yml index 57e67ec..0eac148 100644 --- a/roles/frigate/handlers/main.yml 
+++ b/roles/frigate/handlers/main.yml @@ -1,5 +1,11 @@ --- - name: Restart frigate + ansible.builtin.file: + path: /srv/frigate/media/clips/preview_restart_cache + state: absent + notify: Restart frigate service + +- name: Restart frigate service ansible.builtin.systemd_service: name: frigate-container state: restarted From aa4b46465c1d93cc598486ab5b7753ccd672216b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Dec 2024 09:47:01 +0000 Subject: [PATCH 412/596] mosquitto: Configure TLS listener authorization --- roles/mosquitto/tasks/main.yml | 11 ++++++++++- roles/mosquitto/templates/mosquitto.conf.j2 | 15 ++++++++++----- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/roles/mosquitto/tasks/main.yml b/roles/mosquitto/tasks/main.yml index 2d09f14..6343432 100644 --- a/roles/mosquitto/tasks/main.yml +++ b/roles/mosquitto/tasks/main.yml @@ -35,7 +35,7 @@ group: _mosquitto notify: Restart mosquitto -- name: Copy acl file +- name: Copy acl file for plaintext server ansible.builtin.copy: dest: /etc/mosquitto/acl.conf src: "{{ ansible_private }}/files/mosquitto/acl.conf" @@ -44,6 +44,15 @@ group: _mosquitto notify: Restart mosquitto +- name: Copy acl file for tls server + ansible.builtin.copy: + dest: /etc/mosquitto/acl-tls.conf + src: "{{ ansible_private }}/files/mosquitto/acl-tls.conf" + mode: "0400" + owner: _mosquitto + group: _mosquitto + notify: Restart mosquitto + - name: Copy passwd file ansible.builtin.copy: dest: /etc/mosquitto/passwd diff --git a/roles/mosquitto/templates/mosquitto.conf.j2 b/roles/mosquitto/templates/mosquitto.conf.j2 index e228124..ffad7dd 100644 --- a/roles/mosquitto/templates/mosquitto.conf.j2 +++ b/roles/mosquitto/templates/mosquitto.conf.j2 
@@ -1,18 +1,23 @@ -# authentication -acl_file /etc/mosquitto/acl.conf -password_file /etc/mosquitto/passwd -allow_anonymous false +# use different settings for plaintext and tls listeners +per_listener_settings true # listen to mqtt listener 1883 protocol mqtt +acl_file /etc/mosquitto/acl.conf +password_file /etc/mosquitto/passwd +allow_anonymous false + # listen to mqtt over websockets listener 8883 protocol mqtt -# tls options certfile {{ tls_certs }}/{{ inventory_hostname }}.crt keyfile {{ tls_private }}/{{ inventory_hostname }}.key cafile {{ tls_certs }}/ca.crt tls_version tlsv1.3 + +acl_file /etc/mosquitto/acl-tls.conf +require_certificate true +use_identity_as_username true From 990d3ed1764b8e659b0e2aafb14b5d101b99de69 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Dec 2024 09:47:47 +0000 Subject: [PATCH 413/596] frigate: More robust restart --- roles/frigate/handlers/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/frigate/handlers/main.yml b/roles/frigate/handlers/main.yml index 0eac148..9b0555a 100644 --- a/roles/frigate/handlers/main.yml +++ b/roles/frigate/handlers/main.yml @@ -1,11 +1,11 @@ --- -- name: Restart frigate +- name: Clear preview restart cache ansible.builtin.file: path: /srv/frigate/media/clips/preview_restart_cache state: absent - notify: Restart frigate service + listen: Restart frigate -- name: Restart frigate service +- name: Restart frigate ansible.builtin.systemd_service: name: frigate-container state: restarted From 504cb33a9492d7c62c4895e31adbe8b19403b442 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Dec 2024 09:48:15 +0000 Subject: [PATCH 414/596] frigate: Enable MQTT support --- roles/frigate/tasks/main.yml | 10 ++++++++++ roles/frigate/templates/frigate-container.service.j2 | 3 +++ roles/frigate/templates/frigate.yml.j2 | 9 ++++++++- 3 files changed, 21 insertions(+), 1 deletion(-) 
diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml index a52e7d2..bc539d7 100644 --- a/roles/frigate/tasks/main.yml +++ b/roles/frigate/tasks/main.yml @@ -33,6 +33,16 @@ group: "{{ ansible_wheel }}" notify: Reload udev rules +- name: Copy host key + ansible.builtin.copy: + dest: "{{ tls_private }}/frigate.key" + src: "{{ tls_private }}/{{ inventory_hostname }}.key" + mode: "0640" + owner: root + group: frigate + remote_src: true + notify: Restart frigate + - name: Create config ansible.builtin.template: dest: /etc/frigate.yml diff --git a/roles/frigate/templates/frigate-container.service.j2 b/roles/frigate/templates/frigate-container.service.j2 index 3d5a507..8766bb6 100644 --- a/roles/frigate/templates/frigate-container.service.j2 +++ b/roles/frigate/templates/frigate-container.service.j2 @@ -9,6 +9,9 @@ EnvironmentFile=/etc/sysconfig/frigate-container ExecStart=/usr/bin/podman run \ --rm -p 127.0.0.1:8007:5000 \ --name frigate \ + --volume {{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \ + --volume {{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \ + --volume {{ tls_private }}/frigate.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \ --volume /srv/frigate/config:/config:rw \ --volume /etc/frigate.yml:/config/config.yml:ro \ --volume /srv/frigate/media:/media/frigate:rw \ diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2 index 7f98235..b1045d6 100644 --- a/roles/frigate/templates/frigate.yml.j2 +++ b/roles/frigate/templates/frigate.yml.j2 @@ -1,6 +1,13 @@ --- mqtt: - enabled: false + enabled: true + host: mqtt02.home.foo.sh + port: 8883 + topic_prefix: frigate/{{ inventory_hostname }} + client_id: {{ inventory_hostname }} + tls_ca_certs: /etc/ssl/certs/ca.crt + tls_client_cert: /etc/ssl/certs/{{ inventory_hostname }}.crt + tls_client_key: /etc/ssl/private/{{ inventory_hostname }}.key detectors: coral: 
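Review bot: "Copy host key" hands the host's own TLS private key (`{{ tls_private }}/{{ inventory_hostname }}.key`) to the frigate group, and the service template in this commit mounts it into the container, so the container process now holds the same key that presumably identifies the host everywhere else its certificate is used; the MQTT listener's `use_identity_as_username` (patch 412) then authenticates the container as the host itself. A dedicated client certificate for frigate, issued by the same CA with a distinct CN, would keep a container compromise from leaking the host identity and would let the ACL name the service rather than the host. If sharing the host key is a deliberate trade-off, a comment on the copy task should say so.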
From 649cf7b22d3887675256cb778f9675c2bbbec3ed Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Dec 2024 09:59:36 +0000 Subject: [PATCH 415/596] telegraf: Allow telegraf to read hostkey --- roles/telegraf/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/telegraf/tasks/main.yml b/roles/telegraf/tasks/main.yml index 98fed37..8cd7022 100644 --- a/roles/telegraf/tasks/main.yml +++ b/roles/telegraf/tasks/main.yml @@ -1,4 +1,8 @@ --- +- name: Add telegraf to hostkey group + ansible.builtin.user: + name: _telegraf + groups: hostkey - name: Install packages ansible.builtin.package: From 84daad7b79d2be016150ee17bf237830269043e1 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Dec 2024 10:10:48 +0000 Subject: [PATCH 416/596] mosquitto: Move acl files to repo --- roles/mosquitto/files/acl-tls.conf | 4 ++++ roles/mosquitto/files/acl.conf | 4 ++++ roles/mosquitto/tasks/main.yml | 4 ++-- 3 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 roles/mosquitto/files/acl-tls.conf create mode 100644 roles/mosquitto/files/acl.conf diff --git a/roles/mosquitto/files/acl-tls.conf b/roles/mosquitto/files/acl-tls.conf new file mode 100644 index 0000000..b41e9b2 --- /dev/null +++ b/roles/mosquitto/files/acl-tls.conf @@ -0,0 +1,4 @@ +pattern read # + +user frigate*.home.foo.sh +pattern readwrite frigate/%u/# diff --git a/roles/mosquitto/files/acl.conf b/roles/mosquitto/files/acl.conf new file mode 100644 index 0000000..5bb8e0a --- /dev/null +++ b/roles/mosquitto/files/acl.conf @@ -0,0 +1,4 @@ +topic deny # + +user shellyplug-s-* +pattern write shellies/%u/# diff --git a/roles/mosquitto/tasks/main.yml b/roles/mosquitto/tasks/main.yml index 6343432..a4bbc4f 100644 --- a/roles/mosquitto/tasks/main.yml +++ b/roles/mosquitto/tasks/main.yml 
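Review bot: In acl-tls.conf the `user frigate*.home.foo.sh` line does not scope the `pattern readwrite frigate/%u/#` below it: as I read mosquitto's ACL file rules, `pattern` entries apply to every user regardless of any preceding `user` line, and `user` takes an exact username rather than a glob, so the effective rule is "any authenticated client may read and write `frigate/<its own username>/#`", while `pattern read #` above it lets every client read every topic. The same structure is in acl.conf in this commit (`user shellyplug-s-*` followed by `pattern write shellies/%u/#`), where `topic deny #` at the top only affects anonymous clients. If per-username self-scoped topics are the intent, the `user` lines are dead and a comment such as `# pattern rules apply to all users; %u is the client's username` would stop the next reader assuming they restrict anything; if the intent is to limit access to the named devices, the rules need to be `topic` lines under exact `user` entries instead.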
@@ -38,7 +38,7 @@ - name: Copy acl file for plaintext server ansible.builtin.copy: dest: /etc/mosquitto/acl.conf - src: "{{ ansible_private }}/files/mosquitto/acl.conf" + src: acl.conf mode: "0400" owner: _mosquitto group: _mosquitto @@ -47,7 +47,7 @@ - name: Copy acl file for tls server ansible.builtin.copy: dest: /etc/mosquitto/acl-tls.conf - src: "{{ ansible_private }}/files/mosquitto/acl-tls.conf" + src: acl-tls.conf mode: "0400" owner: _mosquitto group: _mosquitto From e9372af0aadfde88d442fe57c800c79bee95a34a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Dec 2024 20:10:30 +0000 Subject: [PATCH 417/596] mosquitto: Allow shelly door/window writes --- roles/mosquitto/files/acl.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/mosquitto/files/acl.conf b/roles/mosquitto/files/acl.conf index 5bb8e0a..aa76e34 100644 --- a/roles/mosquitto/files/acl.conf +++ b/roles/mosquitto/files/acl.conf @@ -2,3 +2,6 @@ topic deny # user shellyplug-s-* pattern write shellies/%u/# + +user shellydw2-* +pattern write shellies/%u/# From a0f7145f9cb41b4cb0934754eaab15b2aac93805 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 23 Dec 2024 22:04:55 +0000 Subject: [PATCH 418/596] Add DNS repo sync to adm hosts --- playbooks/adm.yml | 39 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 5900555..272dbdf 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml @@ -18,7 +18,7 @@ name: /export src: LABEL=/export fstype: xfs - opts: noatime,noexec,nosuid,nodev + opts: noatime,nosuid,nodev passno: "0" dump: "0" state: mounted 
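Review bot: The adm.yml hunk removes `noexec` from the `/export` mount options, but neither the commit title ("Add DNS repo sync") nor a comment explains why, and patch 421 later in this series moves other hosts in the opposite direction by adding `noexec,nosuid,nodev`. If the clone under `/export/dns` needs executable content (git hooks, for example), a comment next to `opts: noatime,nosuid,nodev` saying so would keep the exception from being "harmonized" away; if it was not needed for the clone, restoring `noexec` would be the cleaner change.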
@@ -73,3 +73,40 @@ mode: "0600" owner: root group: "{{ ansible_wheel }}" + + - name: Clone dns repo + ansible.builtin.git: + dest: /export/dns + repo: https://adm01.home.foo.sh/dns.git + update: true + version: master + environment: + GIT_SSL_CAINFO: "{{ tls_certs }}/ca.crt" + GIT_SSL_CERT: "{{ tls_certs }}/{{ inventory_hostname }}.crt" + GIT_SSL_KEY: "{{ tls_private }}/{{ inventory_hostname }}.key" + when: 'inventory_hostname != "adm01.home.foo.sh"' + - name: Link dns repo + ansible.builtin.file: + dest: /srv/dns + src: /export/dns + state: link + owner: root + group: "{{ ansible_wheel }}" + follow: false + - name: Add cron job to sync dns repo + ansible.builtin.cron: + name: sync dns repository + job: >- + GIT_SSL_CAINFO="{{ tls_certs }}/ca.crt" + GIT_SSL_CERT="{{ tls_certs }}/{{ inventory_hostname }}.crt" + GIT_SSL_KEY="{{ tls_private }}/{{ inventory_hostname }}.key" + git -C /srv/dns pull -q + minute: "02" + when: 'inventory_hostname != "adm01.home.foo.sh"' + - name: Links dns repo to web + ansible.builtin.file: + dest: "/srv/web/{{ inventory_hostname }}/dns.git" + src: /srv/dns/.git + state: link + owner: root + group: "{{ ansible_wheel }}" From 10f47b45e0a25033a768d526a5f73af2c047727a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 25 Dec 2024 07:50:34 +0000 Subject: [PATCH 419/596] syslogd: Don't run sync for every write in all.log --- roles/syslogd/tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/syslogd/tasks/main.yml b/roles/syslogd/tasks/main.yml index 69170e5..723afd3 100644 --- a/roles/syslogd/tasks/main.yml +++ b/roles/syslogd/tasks/main.yml @@ -16,7 +16,8 @@ - name: Enable all.log ansible.builtin.lineinfile: path: /etc/syslog.conf - line: "*.* /var/log/all.log" + line: "*.* -/var/log/all.log" + regexp: '^\*\.\*\s.*\/var\/log\/all\.log' notify: Restart syslogd - name: Enable all.log rotation From f88606022718b00124ff6e98cdcdd971ad555db5 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Wed, 25 Dec 2024 08:09:35 +0000 Subject: [PATCH 420/596] base: Add hdparm to physical hosts --- roles/base/tasks/RedHat.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml index a8b8ac4..81ef9e9 100644 --- a/roles/base/tasks/RedHat.yml +++ b/roles/base/tasks/RedHat.yml @@ -98,6 +98,7 @@ name: "{{ item }}" state: installed with_items: + - hdparm - pciutils - powertop when: From a855e1fcaa9684b26757bf06d5ae1fd5a3905034 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 25 Dec 2024 08:32:26 +0000 Subject: [PATCH 421/596] Harmonize disk mount options --- playbooks/backup.yml | 2 +- playbooks/log.yml | 2 +- playbooks/minecraft.yml | 2 +- playbooks/nas.yml | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/playbooks/backup.yml b/playbooks/backup.yml index cf58b10..c677db0 100644 --- a/playbooks/backup.yml +++ b/playbooks/backup.yml @@ -15,7 +15,7 @@ name: /export src: /dev/sd1a fstype: ffs - opts: rw,softdep,noatime + opts: rw,softdep,noatime,noexec,nosuid,nodev passno: "1" dump: "2" state: mounted diff --git a/playbooks/log.yml b/playbooks/log.yml index 2c7fcf4..c63276a 100644 --- a/playbooks/log.yml +++ b/playbooks/log.yml @@ -15,7 +15,7 @@ name: /export src: /dev/sd1a fstype: ffs - opts: rw,softdep,noatime + opts: rw,softdep,noatime,noexec,nosuid,nodev passno: "1" dump: "2" state: mounted diff --git a/playbooks/minecraft.yml b/playbooks/minecraft.yml index 9a88509..48b237c 100644 --- a/playbooks/minecraft.yml +++ b/playbooks/minecraft.yml @@ -15,7 +15,7 @@ name: /export src: LABEL=/export fstype: xfs - opts: noatime + opts: noatime,noexec,nosuid,nodev passno: "0" dump: "0" state: mounted diff --git a/playbooks/nas.yml b/playbooks/nas.yml index cb65fe3..22c11f2 100644 --- a/playbooks/nas.yml +++ b/playbooks/nas.yml @@ -18,7 +18,7 @@ name: /export/home src: LABEL=home fstype: xfs - opts: noatime + opts: noatime,nodev passno: "0" dump: "0" state: mounted 
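Review bot: The nas.yml hunks (this one and `@@ -27,7 +27,7 @@` in the next hunk) add only `nodev` to `/export/home` and `/export/roles`, while the three other mounts in this commit get `noexec,nosuid,nodev`; leaving out `noexec` under home directories is an understandable trade-off, but `nosuid` is normally safe there and is the option that matters most on user-writable filesystems. Unless setuid binaries are expected under these paths, `opts: noatime,nosuid,nodev` would match the rest of the series, and a short comment on why `noexec` is skipped would document the exception.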
@@ -27,7 +27,7 @@ name: /export/roles src: LABEL=roles fstype: xfs - opts: noatime + opts: noatime,nodev passno: "0" dump: "0" state: mounted From 22ef6bbc0af8d466e412862c064d382591054625 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 26 Dec 2024 13:35:34 +0000 Subject: [PATCH 422/596] nodered: Initial version of role --- roles/nodered/defaults/main.yml | 2 + roles/nodered/handlers/main.yml | 6 ++ roles/nodered/meta/main.yml | 4 + roles/nodered/tasks/main.yml | 79 +++++++++++++++++++ .../templates/nodered-container.service.j2 | 18 +++++ 5 files changed, 109 insertions(+) create mode 100644 roles/nodered/defaults/main.yml create mode 100644 roles/nodered/handlers/main.yml create mode 100644 roles/nodered/meta/main.yml create mode 100644 roles/nodered/tasks/main.yml create mode 100644 roles/nodered/templates/nodered-container.service.j2 diff --git a/roles/nodered/defaults/main.yml b/roles/nodered/defaults/main.yml new file mode 100644 index 0000000..bf68f6d --- /dev/null +++ b/roles/nodered/defaults/main.yml @@ -0,0 +1,2 @@ +--- +nodered_version: latest diff --git a/roles/nodered/handlers/main.yml b/roles/nodered/handlers/main.yml new file mode 100644 index 0000000..073db56 --- /dev/null +++ b/roles/nodered/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart nodered + ansible.builtin.systemd_service: + name: nodered-container + state: restarted + daemon_reload: true diff --git a/roles/nodered/meta/main.yml b/roles/nodered/meta/main.yml new file mode 100644 index 0000000..305b1b2 --- /dev/null +++ b/roles/nodered/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - {role: nginx} + - {role: podman} diff --git a/roles/nodered/tasks/main.yml b/roles/nodered/tasks/main.yml new file mode 100644 index 0000000..77ee8f0 --- /dev/null +++ b/roles/nodered/tasks/main.yml 
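Review bot: `nodered_version: latest` in the nodered defaults makes the image tag floating, so the unit in this role runs whatever `docker.io/nodered/node-red:latest` resolves to whenever the image is pulled, and deployments are neither reproducible nor reviewable from the commit history. Pinning a release tag (or a digest) here and bumping it deliberately keeps image updates visible in review; a comment such as `# pinned image tag, bump deliberately; used by nodered-container.service.j2` would make the intent clear.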
@@ -0,0 +1,79 @@
+---
+- name: Create group
+ ansible.builtin.group:
+ name: nodered
+
+- name: Create user
+ ansible.builtin.user:
+ name: nodered
+ comment: Podman NodeRed
+ group: nodered
+ shell: /sbin/nologin
+
+- name: Enable user lingering
+ ansible.builtin.command:
+ argv:
+ - loginctl
+ - enable-linger
+ - nodered
+ creates: /var/lib/systemd/linger/nodered
+
+- name: Fix SELinux contexts from config directory
+ community.general.sefcontext:
+ path: /export/nodered(/.*)?
+ setype: container_file_t
+ when: ansible_selinux_python_present
+
+- name: Get subgid number
+ ansible.builtin.command:
+ argv:
+ - awk
+ - "-F:"
+ - '{ if ($1 == "nodered") print $2 + 999 }'
+ - /etc/subgid
+ register: subgid
+
+- name: Create config directory
+ ansible.builtin.file:
+ path: /export/nodered
+ state: directory
+ mode: "0770"
+ owner: root
+ group: "{{ subgid.stdout }}"
+ setype: _default
+
+- name: Link config directory
+ ansible.builtin.file:
+ dest: /srv/nodered
+ src: /export/nodered
+ state: link
+ owner: root
+ group: "{{ ansible_wheel }}"
+ follow: false
+
+- name: Create service file
+ ansible.builtin.template:
+ dest: /etc/systemd/system/nodered-container.service
+ src: nodered-container.service.j2
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart nodered
+
+- name: Enable service
+ ansible.builtin.service:
+ name: nodered-container
+ state: started
+ enabled: true
+
+- name: Copy nginx config
+ ansible.builtin.copy:
+ dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/nodered.conf"
+ content: |
+ location /nodered/ {
+ proxy_pass http://127.0.0.1:8012;
+ }
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart nginx
diff --git a/roles/nodered/templates/nodered-container.service.j2 b/roles/nodered/templates/nodered-container.service.j2
new file mode 100644
index 0000000..fa188a7
--- /dev/null
+++ b/roles/nodered/templates/nodered-container.service.j2
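Review bot: The nginx snippet in "Copy nginx config" proxies `location /nodered/` straight to the container on 127.0.0.1:8012 with no access-control directives, and nothing in this role configures authentication on the Node-RED side either (the editor's own `adminAuth` setting would live in the data volume mounted at `/srv/nodered`, which the role does not manage). Whether the editor is meant to be reachable by everyone who can reach this vhost is not visible from the role; a comment on the task stating where authentication is expected to be enforced (nginx, or the settings file in the data volume) would settle that. Separately, `group: "{{ subgid.stdout }}"` in "Create config directory" is an empty string when the awk lookup finds no `nodered` entry in `/etc/subgid`, which makes the file task fail with an unhelpful message; an `ansible.builtin.assert` with `that: subgid.stdout | length > 0` right after "Get subgid number" would fail earlier and more clearly.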
@@ -0,0 +1,18 @@ +[Unit] +Description=NodeRed Container +Wants=network-online.target +After=network-online.target + +[Service] +User=nodered +ExecStart=/usr/bin/podman run \ + --rm -p 127.0.0.1:8012:1880 \ + --name nodered \ + --env TZ=Europe/Helsinki \ + --volume /srv/nodered:/data:rw \ + docker.io/nodered/node-red:{{ nodered_version }} +ExecStop=/usr/bin/podman stop --ignore nodered +ExecStopPost=/usr/bin/podman rm -f --ignore nodered + +[Install] +WantedBy=multi-user.target From 2153bd8452b019eb25d5f33228dd88b8129ddc83 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 26 Dec 2024 14:19:46 +0000 Subject: [PATCH 423/596] nodered: Fix nginx proxy config --- roles/nodered/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nodered/tasks/main.yml b/roles/nodered/tasks/main.yml index 77ee8f0..f256833 100644 --- a/roles/nodered/tasks/main.yml +++ b/roles/nodered/tasks/main.yml @@ -68,10 +68,10 @@ - name: Copy nginx config ansible.builtin.copy: - dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/nodered.conf" + dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/00-nodered.conf" content: | location /nodered/ { - proxy_pass http://127.0.0.1:8012; + proxy_pass http://127.0.0.1:8012/; } mode: "0644" owner: root From fd0e1bc0289797bea0af5269aa0295b719222e12 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 26 Dec 2024 14:20:04 +0000 Subject: [PATCH 424/596] Reserve port for nodered container --- container-ports.md | 1 + 1 file changed, 1 insertion(+) diff --git a/container-ports.md b/container-ports.md index 30b7205..25fcc97 100644 --- a/container-ports.md +++ b/container-ports.md @@ -13,3 +13,4 @@ | 8009 | rocketchat | Rocket.Chat | | 8010 | google-spell-pspell | Google Spell Check XML API | | 8011 | ipsilon | Ipsilon Identity Provider | +| 8012 | nodered | Node Red | From ad5cf29b12b821d4d4b443342535fbb56383f169 Mon Sep 17 00:00:00 2001 
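Review bot: The `podman run` line in ExecStart keeps podman's default capability set and does not forbid privilege escalation; for a service whose editor can execute user-supplied code, `--cap-drop=all --security-opt=no-new-privileges \` is a cheap hardening step that the image should not need to be without. `--read-only` is worth trying as well, since `/data` should be the only writable state, but Node-RED may then need `--tmpfs /tmp`, which I cannot confirm from here. There is also no `Restart=` directive, so a crashed container stays down until the next Ansible run.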
From: Timo Makinen Date: Thu, 26 Dec 2024 14:20:22 +0000 Subject: [PATCH 425/596] nodered: Don't report changes when finding subgid --- roles/nodered/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/nodered/tasks/main.yml b/roles/nodered/tasks/main.yml index f256833..011e6f3 100644 --- a/roles/nodered/tasks/main.yml +++ b/roles/nodered/tasks/main.yml @@ -31,6 +31,7 @@ - "-F:" - '{ if ($1 == "nodered") print $2 + 999 }' - /etc/subgid + changed_when: false register: subgid - name: Create config directory From a8841252d1b9ec01127c0cc8124ab54e37e74d9b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 26 Dec 2024 14:55:17 +0000 Subject: [PATCH 426/596] Revert "syslogd: Don't run sync for every write in all.log" This reverts commit 10f47b45e0a25033a768d526a5f73af2c047727a. --- roles/syslogd/tasks/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/syslogd/tasks/main.yml b/roles/syslogd/tasks/main.yml index 723afd3..69170e5 100644 --- a/roles/syslogd/tasks/main.yml +++ b/roles/syslogd/tasks/main.yml @@ -16,8 +16,7 @@ - name: Enable all.log ansible.builtin.lineinfile: path: /etc/syslog.conf - line: "*.* -/var/log/all.log" - regexp: '^\*\.\*\s.*\/var\/log\/all\.log' + line: "*.* /var/log/all.log" notify: Restart syslogd - name: Enable all.log rotation From 7ee2572e04b3834e26429eae2cd43047d8454ee8 Mon Sep 17 00:00:00 2001 
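Review bot: Dropping the `regexp` makes lineinfile match only the exact new line `*.* /var/log/all.log`, so on a host where the earlier `*.* -/var/log/all.log` form has already been deployed the old entry stays and the new one is appended, and every message lands in all.log twice. Keep a regexp that matches both spellings so the old line is replaced, e.g. `regexp: '^\*\.\*\s+-?/var/log/all\.log'`. If the reverted commit never reached any host this is moot, but the revert as written does not undo its effect where it did.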
From: Timo Makinen Date: Fri, 27 Dec 2024 15:10:40 +0000 Subject: [PATCH 427/596] mosquitto: Refactor mqtt infra --- roles/mosquitto/files/mosquitto_tls.ksh | 10 +++ roles/mosquitto/handlers/main.yml | 5 ++ roles/mosquitto/tasks/main.yml | 78 +++++++++++++++---- .../acl-tls.conf.j2} | 3 + .../mosquitto/templates/mosquitto-tls.conf.j2 | 11 +++ roles/mosquitto/templates/mosquitto.conf.j2 | 23 ++---- 6 files changed, 99 insertions(+), 31 deletions(-) create mode 100644 roles/mosquitto/files/mosquitto_tls.ksh rename roles/mosquitto/{files/acl-tls.conf => templates/acl-tls.conf.j2} (59%) create mode 100644 roles/mosquitto/templates/mosquitto-tls.conf.j2 diff --git a/roles/mosquitto/files/mosquitto_tls.ksh b/roles/mosquitto/files/mosquitto_tls.ksh new file mode 100644 index 0000000..9481c35 --- /dev/null +++ b/roles/mosquitto/files/mosquitto_tls.ksh @@ -0,0 +1,10 @@ +#!/bin/ksh + +# shellcheck disable=SC2034 +daemon="/usr/local/sbin/mosquitto -d" +daemon_flags="-c /etc/mosquitto-tls/mosquitto.conf" + +# shellcheck source=/dev/null +. /etc/rc.d/rc.subr + +rc_cmd "$1" diff --git a/roles/mosquitto/handlers/main.yml b/roles/mosquitto/handlers/main.yml index 7e1bb2c..268abc3 100644 --- a/roles/mosquitto/handlers/main.yml +++ b/roles/mosquitto/handlers/main.yml @@ -3,3 +3,8 @@ ansible.builtin.service: name: mosquitto state: restarted + +- name: Restart mosquitto-tls + ansible.builtin.service: + name: mosquitto_tls + state: restarted diff --git a/roles/mosquitto/tasks/main.yml b/roles/mosquitto/tasks/main.yml index a4bbc4f..d405371 100644 --- a/roles/mosquitto/tasks/main.yml +++ b/roles/mosquitto/tasks/main.yml 
@@ -9,15 +9,21 @@ name: _mosquitto groups: hostkey append: true - notify: Restart mosquitto + notify: + - Restart mosquitto + - Restart mosquitto-tls -- name: Create include directory for config +- name: Create config directories ansible.builtin.file: - path: /etc/mosquitto/conf.d + path: "{{ item }}" state: directory mode: "0750" owner: root group: _mosquitto + with_items: + - /etc/mosquitto/conf.d + - /etc/mosquitto-tls + - /etc/mosquitto-tls/conf.d - name: Include extra configs ansible.builtin.lineinfile: @@ -26,7 +32,7 @@ regexp: "^#?include_dir( .*)?$" notify: Restart mosquitto -- name: Create custom config +- name: Create custom config for plaintext server ansible.builtin.template: dest: /etc/mosquitto/conf.d/local.conf src: mosquitto.conf.j2 @@ -44,16 +50,7 @@ group: _mosquitto notify: Restart mosquitto -- name: Copy acl file for tls server - ansible.builtin.copy: - dest: /etc/mosquitto/acl-tls.conf - src: acl-tls.conf - mode: "0400" - owner: _mosquitto - group: _mosquitto - notify: Restart mosquitto - -- name: Copy passwd file +- name: Copy passwd file for plaintext server ansible.builtin.copy: dest: /etc/mosquitto/passwd src: "{{ ansible_private }}/files/mosquitto/passwd" 
@@ -62,8 +59,57 @@ group: _mosquitto notify: Restart mosquitto -- name: Enable service +- name: Create default config for tls server + ansible.builtin.command: + argv: + - sed + - "s|^include_dir .*|include_dir /etc/mosquitto-tls/conf.d|" + - /etc/mosquitto/mosquitto.conf + changed_when: false + register: result + +- name: Write default config for tls server + ansible.builtin.copy: + dest: /etc/mosquitto-tls/mosquitto.conf + content: "{{ result.stdout }}\n" + mode: "0640" + owner: root + group: _mosquitto + remote_src: true + notify: Restart mosquitto-tls + +- name: Create custom config for tls server + ansible.builtin.template: + dest: /etc/mosquitto-tls/conf.d/local.conf + src: mosquitto-tls.conf.j2 + mode: "0640" + owner: root + group: _mosquitto + notify: Restart mosquitto-tls + +- name: Create acl file for tls server + ansible.builtin.template: + dest: /etc/mosquitto-tls/acl.conf + src: acl-tls.conf.j2 + mode: "0400" + owner: _mosquitto + group: _mosquitto + notify: Restart mosquitto-tls + +- name: Create mosquitto-tls control script + ansible.builtin.copy: + dest: /etc/rc.d/mosquitto_tls + src: mosquitto_tls.ksh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart mosquitto-tls + +- name: Enable services ansible.builtin.service: - name: mosquitto + name: "{{ item }}" enabled: true state: started + with_items: + - mosquitto + - mosquitto_tls diff --git a/roles/mosquitto/files/acl-tls.conf b/roles/mosquitto/templates/acl-tls.conf.j2 similarity index 59% rename from roles/mosquitto/files/acl-tls.conf rename to roles/mosquitto/templates/acl-tls.conf.j2 index b41e9b2..b7eed5c 100644 --- a/roles/mosquitto/files/acl-tls.conf +++ b/roles/mosquitto/templates/acl-tls.conf.j2 @@ -1,4 +1,7 @@ pattern read # +user {{ inventory_hostname }} +topic readwrite # + user frigate*.home.foo.sh pattern readwrite frigate/%u/# 
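Review bot: `Write default config for tls server` copies whatever `sed` produced without checking that the `include_dir` substitution actually happened; if /etc/mosquitto/mosquitto.conf has no `include_dir` line, the TLS broker silently inherits `/etc/mosquitto/conf.d`, loads the plaintext `listener 1883` config and would contend with the first broker for that port. Add `failed_when: "'include_dir /etc/mosquitto-tls/conf.d' not in result.stdout"` to the sed task. Note also that every other directive in the base file (`pid_file`, `persistence_location`, `user`, if set there) is now shared by both brokers, which is only safe while none of them is instance-specific, and that `remote_src: true` has no effect when `content:` is used.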
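Review bot: `user {{ inventory_hostname }}` / `topic readwrite #` grants the host's own certificate identity full access to every topic on the TLS listener, but read on `#` is already granted to every identity by the `pattern read #` line above it (which covers the telegraf consumer using the same host cert), and the only visible writer with that identity is the `tls-bridge` in mosquitto.conf.j2, which remaps everything to `home/…` with direction `out`. A narrower `topic write home/#` therefore covers the visible uses and keeps a leaked host key from injecting into arbitrary topics. Whether anything else authenticates with that certificate is not visible here, so confirm before tightening.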
diff --git a/roles/mosquitto/templates/mosquitto-tls.conf.j2 b/roles/mosquitto/templates/mosquitto-tls.conf.j2 new file mode 100644 index 0000000..7cf1712 --- /dev/null +++ b/roles/mosquitto/templates/mosquitto-tls.conf.j2 @@ -0,0 +1,11 @@ +listener 8883 +protocol mqtt + +certfile {{ tls_certs }}/{{ inventory_hostname }}.crt +keyfile {{ tls_private }}/{{ inventory_hostname }}.key +cafile {{ tls_certs }}/ca.crt +tls_version tlsv1.3 + +acl_file /etc/mosquitto-tls/acl.conf +require_certificate true +use_identity_as_username true diff --git a/roles/mosquitto/templates/mosquitto.conf.j2 b/roles/mosquitto/templates/mosquitto.conf.j2 index ffad7dd..917467e 100644 --- a/roles/mosquitto/templates/mosquitto.conf.j2 +++ b/roles/mosquitto/templates/mosquitto.conf.j2 @@ -1,7 +1,3 @@ -# use different settings for plaintext and tls listeners -per_listener_settings true - -# listen to mqtt listener 1883 protocol mqtt @@ -9,15 +5,12 @@ acl_file /etc/mosquitto/acl.conf password_file /etc/mosquitto/passwd allow_anonymous false -# listen to mqtt over websockets -listener 8883 -protocol mqtt +connection tls-bridge +address {{ inventory_hostname }}:8883 +bridge_cafile {{ tls_certs }}/ca.crt +bridge_certfile {{ tls_certs }}/{{ inventory_hostname }}.crt +bridge_keyfile {{ tls_private }}/{{ inventory_hostname }}.key -certfile {{ tls_certs }}/{{ inventory_hostname }}.crt -keyfile {{ tls_private }}/{{ inventory_hostname }}.key -cafile {{ tls_certs }}/ca.crt -tls_version tlsv1.3 - -acl_file /etc/mosquitto/acl-tls.conf -require_certificate true -use_identity_as_username true +{% for shelly in shellies %} +topic # out 0 shellies/{{ shelly['name'] }}/ home/{{ shelly['room'] }}/{{ shelly['device'] }}/ +{% endfor %} From eb1478abcb726fe740b32900a7821d297de84b48 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 27 Dec 2024 15:11:43 +0000 Subject: [PATCH 428/596] Inlucde secrets into mqtt playbook --- playbooks/mqtt.yml | 3 +++ 1 file changed, 3 insertions(+) 
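Review bot: The TLS listener authenticates purely by client certificate (`require_certificate true`, `use_identity_as_username true`) but sets no `crlfile`, so a device certificate that is lost or re-issued stays valid until it expires; if the CA behind `ca.crt` publishes a CRL, add a `crlfile` directive pointing at it next to `cafile` and make the CRL refresh notify `Restart mosquitto-tls`. Because the ACL username is the certificate CN, the CA must also never issue the broker's own hostname as a CN to anyone else, since that identity receives broad rights in acl-tls.conf.j2. Otherwise the listener is in good shape: TLS 1.3 only and client certificates mandatory.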
diff --git a/playbooks/mqtt.yml b/playbooks/mqtt.yml index 5b29de0..d67c977 100644 --- a/playbooks/mqtt.yml +++ b/playbooks/mqtt.yml @@ -9,6 +9,9 @@ user: root gather_facts: true + vars_files: + - "{{ ansible_private }}/vars.yml" + roles: - base - mosquitto From 47157118e7870e0c42ad945006109deb1d50c61b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 27 Dec 2024 15:12:48 +0000 Subject: [PATCH 429/596] telegraf: Move config into repository --- roles/telegraf/tasks/main.yml | 6 ++-- roles/telegraf/templates/telegraf.conf.j2 | 36 +++++++++++++++++++++++ 2 files changed, 39 insertions(+), 3 deletions(-) create mode 100644 roles/telegraf/templates/telegraf.conf.j2 diff --git a/roles/telegraf/tasks/main.yml b/roles/telegraf/tasks/main.yml index 8cd7022..d1ab303 100644 --- a/roles/telegraf/tasks/main.yml +++ b/roles/telegraf/tasks/main.yml @@ -9,10 +9,10 @@ name: telegraf state: installed -- name: Copy config - ansible.builtin.copy: +- name: Create config + ansible.builtin.template: dest: /etc/telegraf/telegraf.conf - src: "{{ ansible_private }}/files/telegraf/telegraf.conf" + src: telegraf.conf.j2 mode: "0640" owner: root group: _telegraf diff --git a/roles/telegraf/templates/telegraf.conf.j2 b/roles/telegraf/templates/telegraf.conf.j2 new file mode 100644 index 0000000..2f1056e --- /dev/null +++ b/roles/telegraf/templates/telegraf.conf.j2 
@@ -0,0 +1,36 @@ +[[outputs.influxdb_v2]] + urls = ["https://influxdb.foo.sh:443"] + token = "{{ influxdb_token }}" + organization = "foo.sh" + bucket = "sensordata" + +[[inputs.mqtt_consumer]] + servers = ["ssl://{{ inventory_hostname }}:8883"] + tls_ca = "{{ tls_certs }}/ca.crt" + tls_cert = "{{ tls_certs }}/{{ inventory_hostname }}.crt" + tls_key = "{{ tls_private }}/{{ inventory_hostname }}.key" + topics = [ + "+/+/+/relay/0/power", + "+/+/+/temperature", + "+/+/+/sensor/battery", + "+/+/+/sensor/lux", + "+/+/+/sensor/state", + "+/+/+/sensor/temperature", + ] + data_type = "float" + data_format = "value" + + [[inputs.mqtt_consumer.topic_parsing]] + topic = "+/+/+/relay/0/power" + tags = "location/room/device/_/_/_" + measurement = "_/_/_/_/_/measurement" + + [[inputs.mqtt_consumer.topic_parsing]] + topic = "+/+/+/temperature" + tags = "location/room/device/_" + measurement = "_/_/_/temperature" + + [[inputs.mqtt_consumer.topic_parsing]] + topic = "+/+/+/sensor/+" + tags = "location/room/device/_/_" + measurement = "_/_/_/_/measurement" From 68965cd57ff5620ba827bb0aad734e32b7d54e96 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 27 Dec 2024 15:13:20 +0000 Subject: [PATCH 430/596] Add nodered to homeassistant hosts --- playbooks/homeassistant.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/homeassistant.yml b/playbooks/homeassistant.yml index 965d818..cbe61cc 100644 --- a/playbooks/homeassistant.yml +++ b/playbooks/homeassistant.yml @@ -24,3 +24,4 @@ - base - ldap - homeassistant + - nodered From e3d702ecafbb9e71ffde844760aa9d98c924ed94 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 29 Dec 2024 17:22:46 +0000 Subject: [PATCH 431/596] Update homeassistant --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index a627b9a..0cf86c4 100644 --- a/hosts.yml +++ b/hosts.yml 
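Review bot: `data_type = "float"` applies to every subscribed topic, including `+/+/+/sensor/state`, which from its name is likely a discrete value rather than a number; if so each message on it becomes a parse error in telegraf's log instead of a metric, and it should either move to a second `[[inputs.mqtt_consumer]]` with `data_type = "string"` or be dropped from `topics`. I cannot see the Shelly payloads here, so confirm against the actual messages. The transport side looks right: mTLS with the host key, `insecure_skip_verify` left at its default, and the InfluxDB token supplied from vars rather than hard-coded.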
@@ -36,7 +36,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.11" + homeassistant_version: "2024.12" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git From 85c882043c98412d1ab2b0aa118e2e4ba467bbcc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 29 Dec 2024 17:42:29 +0000 Subject: [PATCH 432/596] ipsilon: Finish up openidc config --- roles/ipsilon/tasks/main.yml | 45 +++++++++++++++++++ .../templates/ipsilon-container.service.j2 | 1 + 2 files changed, 46 insertions(+) diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml index b02b9df..86414ee 100644 --- a/roles/ipsilon/tasks/main.yml +++ b/roles/ipsilon/tasks/main.yml @@ -36,6 +36,51 @@ group: ipsilon notify: Restart ipsilon-container +- name: Fix SELinux contexts from config directory + community.general.sefcontext: + path: /etc/ipsilon(/.*)? + setype: container_file_t + when: ansible_selinux_python_present + +- name: Get subuid number + ansible.builtin.command: + argv: + - awk + - "-F:" + - '{ if ($1 == "ipsilon") print $2 + 899 }' + - /etc/subuid + changed_when: false + register: subuid + +- name: Get subgid number + ansible.builtin.command: + argv: + - awk + - "-F:" + - '{ if ($1 == "ipsilon") print $2 + 899 }' + - /etc/subgid + changed_when: false + register: subgid + +- name: Create config directory + ansible.builtin.file: + path: /etc/ipsilon + state: directory + mode: "0750" + owner: root + group: ipsilon + setype: _default + +- name: Copy OIDC static config + ansible.builtin.copy: + dest: /etc/ipsilon/openidc-static.conf + src: "{{ ansible_private }}/files/ipsilon/openidc-static.conf" + mode: "0600" + owner: "{{ subuid.stdout }}" + group: "{{ subgid.stdout }}" + setype: _default + notify: Restart ipsilon-container + - name: Get container source ansible.builtin.git: dest: /usr/local/src/docker-ipsilon 
diff --git a/roles/ipsilon/templates/ipsilon-container.service.j2 b/roles/ipsilon/templates/ipsilon-container.service.j2 index 74bc2b0..d3fe6bf 100644 --- a/roles/ipsilon/templates/ipsilon-container.service.j2 +++ b/roles/ipsilon/templates/ipsilon-container.service.j2 @@ -14,6 +14,7 @@ ExecStart=/usr/bin/podman run \ --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \ --volume={{ tls_private }}/ipsilon.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \ --volume={{ tls_private }}/openidc.key:/etc/ipsilon/openidc.key:ro \ + --volume=/etc/ipsilon/openidc-static.conf:/etc/ipsilon/root/openidc-static.conf:rw \ ipsilon:latest ExecStop=/usr/bin/podman stop --ignore ipsilon ExecStopPost=/usr/bin/podman rm -f --ignore ipsilon From ba98d5223bf297221dd5e0c3c4f7e51b32e73960 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 29 Dec 2024 18:48:12 +0000 Subject: [PATCH 433/596] ipsilon: Convert oidc config to template --- roles/ipsilon/tasks/main.yml | 6 ++--- .../ipsilon/templates/openidc-static.conf.j2 | 26 +++++++++++++++++++ 2 files changed, 29 insertions(+), 3 deletions(-) create mode 100644 roles/ipsilon/templates/openidc-static.conf.j2 diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml index 86414ee..c82bcd1 100644 --- a/roles/ipsilon/tasks/main.yml +++ b/roles/ipsilon/tasks/main.yml @@ -71,10 +71,10 @@ group: ipsilon setype: _default -- name: Copy OIDC static config - ansible.builtin.copy: +- name: Create OIDC static config + ansible.builtin.template: dest: /etc/ipsilon/openidc-static.conf - src: "{{ ansible_private }}/files/ipsilon/openidc-static.conf" + src: openidc-static.conf.j2 mode: "0600" owner: "{{ subuid.stdout }}" group: "{{ subgid.stdout }}" diff --git a/roles/ipsilon/templates/openidc-static.conf.j2 b/roles/ipsilon/templates/openidc-static.conf.j2 new file mode 100644 index 0000000..a200a3a --- /dev/null +++ b/roles/ipsilon/templates/openidc-static.conf.j2 
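Review bot: `openidc-static.conf`, which carries the OIDC client secrets, is the only bind mount in this ExecStart that is `:rw`; the keys and certificate above it are all `:ro`. If Ipsilon only reads the static client list, mount it read-only too so a compromised container cannot rewrite its trusted clients: `--volume=/etc/ipsilon/openidc-static.conf:/etc/ipsilon/root/openidc-static.conf:ro \`. Whether Ipsilon writes to that file is not visible in this diff, so verify that first.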
@@ -0,0 +1,26 @@ +[client] +{% for client in openidc_clients %} +{{ client["name"] }} application_type="web" +{{ client["name"] }} client_id=null +{{ client["name"] }} client_id_issued_at=0 +{{ client["name"] }} client_name="{{ client["name"] }}" +{{ client["name"] }} client_secret="{{ client["client_secret"] }}" +{{ client["name"] }} client_secret_expires_at=0 +{{ client["name"] }} client_uri="{{ client["client_uri"] }}" +{{ client["name"] }} contacts=["adm@foo.sh"] +{{ client["name"] }} grant_types=["authorization_code"] +{{ client["name"] }} id_token_signed_response_alg="RS256" +{{ client["name"] }} ipsilon_internal={"type": "static", "client_id": "{{ client["name"] }}", "trusted": true} +{{ client["name"] }} jwks=null +{{ client["name"] }} jwks_uri=null +{{ client["name"] }} logo_uri=null +{{ client["name"] }} policy_uri=null +{{ client["name"] }} redirect_uris=["{{ client["redirect_uri"] }}"] +{{ client["name"] }} request_uris=[] +{{ client["name"] }} require_auth_time=null +{{ client["name"] }} response_types=["code"] +{{ client["name"] }} subject_type="pairwise" +{{ client["name"] }} sector_identifier_uri=null +{{ client["name"] }} token_endpoint_auth_method="client_secret_post" +{{ client["name"] }} tos_uri=null +{% endfor %} From 868041257d350372bf586c700843aec857dbc052 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 3 Jan 2025 17:13:30 +0000 Subject: [PATCH 434/596] Move DKIM key selector to host inventory --- hosts.yml | 2 ++ playbooks/mail.yml | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/hosts.yml b/hosts.yml index 0cf86c4..4d4c106 100644 --- a/hosts.yml +++ b/hosts.yml @@ -54,6 +54,8 @@ log: mail: hosts: mail02.home.foo.sh: + vars: + opendkim_selector: 20240601 minecraft: hosts: minecraft01.home.foo.sh: diff --git a/playbooks/mail.yml b/playbooks/mail.yml index 1b86873..c3c8041 100644 --- a/playbooks/mail.yml +++ b/playbooks/mail.yml 
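Review bot: `client_secret`, `client_uri`, `redirect_uri` and `name` are interpolated unescaped into JSON-style quoted values, so a `"` or `\` in a secret, or a name that does not fit the key grammar, corrupts the entry or terminates the string early. Rendering the values through `to_json` makes the template safe for any secret, e.g. `{{ client["name"] }} client_secret={{ client["client_secret"] | to_json }}`, and likewise `client_uri=…`, `redirect_uris=[…]` and the `client_id` inside `ipsilon_internal`. `"trusted": true` presumably means consent is skipped for every listed client; that is a reasonable choice for first-party apps but deserves a comment at the top of the template.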
@@ -38,8 +38,7 @@ nginx_site_name: "{{ mail_server }}" nginx_site_redirect: https://webmail.foo.sh/ - grossd - - role: opendkim - opendkim_selector: 20240601 + - opendkim - spamassassin - spamassassin_clamav - spamassassin_ixhash From 9d5d05e713422a2d1d4c363b8eae35534e362b4c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 3 Jan 2025 17:16:50 +0000 Subject: [PATCH 435/596] Rotate DKIM keys --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 4d4c106..c3e929f 100644 --- a/hosts.yml +++ b/hosts.yml @@ -55,7 +55,7 @@ mail: hosts: mail02.home.foo.sh: vars: - opendkim_selector: 20240601 + opendkim_selector: 20250101 minecraft: hosts: minecraft01.home.foo.sh: From 29e747db4201c34e3b29459a2a7cbeacf6e205fd Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 6 Jan 2025 20:24:29 +0000 Subject: [PATCH 436/596] nsd: Don't listen to localhost interface --- roles/nsd/templates/nsd.conf.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/nsd/templates/nsd.conf.j2 b/roles/nsd/templates/nsd.conf.j2 index 60251c1..9e8afec 100644 --- a/roles/nsd/templates/nsd.conf.j2 +++ b/roles/nsd/templates/nsd.conf.j2 @@ -7,10 +7,10 @@ server: server-count: {{ ansible_processor_count }} verbosity: 2 - interface: ::0@53 - interface: 0.0.0.0@53 - interface: ::0@853 - interface: 0.0.0.0@853 +{% for ip in ansible_all_ipv4_addresses + ansible_all_ipv6_addresses %} + interface: {{ ip }}@53 + interface: {{ ip }}@853 +{% endfor %} tls-service-key: {{ tls_private }}/{{ nsd_server }}.key tls-service-pem: {{ tls_certs }}/{{ nsd_server }}.crt From cc0a16e3ee656e96883a905ec565d6ecf02bf882 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 6 Jan 2025 20:24:59 +0000 Subject: [PATCH 437/596] unbound: Don't listen to localhost on dna-gw hosts --- roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 | 2 -- roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 | 2 -- 2 files changed, 4 deletions(-) 
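Review bot: As far as I recall `ansible_all_ipv6_addresses` includes link-local `fe80::` addresses and any temporary/privacy addresses on the host, so the new loop can emit `interface: fe80::…@53` lines that nsd cannot bind without a scope id, and the rendered config will churn whenever a temporary address rotates. Filter before iterating, e.g. `{% for ip in ansible_all_ipv4_addresses + (ansible_all_ipv6_addresses | reject('match', '^fe80:') | list) %}`, or better, list the intended listener addresses explicitly in inventory the way the unbound templates do.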
diff --git a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 index 4fb2134..e3dc5b6 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 @@ -1,7 +1,5 @@ server: - interface: 127.0.0.1 - interface: ::1 interface: 172.20.20.10@53 interface: 172.20.20.10@853 interface: 172.20.21.1@53 diff --git a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 index 22e579c..4607459 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 @@ -1,7 +1,5 @@ server: - interface: 127.0.0.1 - interface: ::1 interface: 172.20.20.10@53 interface: 172.20.20.10@853 interface: 172.20.21.2@53 From e02e45c8a68c80a95b53b20708faa28453914964 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 6 Jan 2025 20:26:24 +0000 Subject: [PATCH 438/596] Only use lb dns server for relay and proxy hosts --- group_vars/proxy.yml | 4 ---- group_vars/relay.yml | 4 ---- 2 files changed, 8 deletions(-) diff --git a/group_vars/proxy.yml b/group_vars/proxy.yml index ec6b4a8..bb5decb 100644 --- a/group_vars/proxy.yml +++ b/group_vars/proxy.yml @@ -6,10 +6,6 @@ dsk_size: 30 network_dns_servers: - 172.20.20.10 - - 172.20.21.7 - - 172.20.21.8 -network_dns_search: - - foo.sh network_default_gateway: 37.16.96.145 network_vip_interfaces: diff --git a/group_vars/relay.yml b/group_vars/relay.yml index f65b541..622e743 100644 --- a/group_vars/relay.yml +++ b/group_vars/relay.yml @@ -1,10 +1,6 @@ --- network_dns_servers: - 172.20.20.10 - - 172.20.21.7 - - 172.20.21.8 -network_dns_search: - - foo.sh network_default_gateway: 37.16.96.145 network_vip_interfaces: From 9696f406cebcb797d89d51fa00f73a439c9e7e3b Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Mon, 6 Jan 2025 20:27:55 +0000 Subject: [PATCH 439/596] unwind: Initial version of role --- roles/unwind/handlers/main.yml | 5 +++++ roles/unwind/tasks/main.yml | 15 +++++++++++++++ roles/unwind/templates/unwind.conf.j2 | 10 ++++++++++ 3 files changed, 30 insertions(+) create mode 100644 roles/unwind/handlers/main.yml create mode 100644 roles/unwind/tasks/main.yml create mode 100644 roles/unwind/templates/unwind.conf.j2 diff --git a/roles/unwind/handlers/main.yml b/roles/unwind/handlers/main.yml new file mode 100644 index 0000000..05d7492 --- /dev/null +++ b/roles/unwind/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart unwind + ansible.builtin.service: + name: unwind + state: restarted diff --git a/roles/unwind/tasks/main.yml b/roles/unwind/tasks/main.yml new file mode 100644 index 0000000..3c2e9a6 --- /dev/null +++ b/roles/unwind/tasks/main.yml @@ -0,0 +1,15 @@ +--- +- name: Copy config + ansible.builtin.template: + dest: /etc/unwind.conf + src: unwind.conf.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart unwind + +- name: Enable service + ansible.builtin.service: + name: unwind + state: started + enabled: true diff --git a/roles/unwind/templates/unwind.conf.j2 b/roles/unwind/templates/unwind.conf.j2 new file mode 100644 index 0000000..2a704ce --- /dev/null +++ b/roles/unwind/templates/unwind.conf.j2 @@ -0,0 +1,10 @@ +{% if network_dns_servers is defined %} +forwarder { +{% for addr in network_dns_servers %} + {{ addr }} port 853 authentication name "{{ lookup('community.general.dig', addr + '/PTR')[:-1] }}" DoT +{% endfor %} +} +preference { DoT } +{% else %} +preference { oDoT-autoconf } +{% endif %} From a1db16b329b7002bc2af33c55409d9c3247496e0 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 6 Jan 2025 20:28:11 +0000 Subject: [PATCH 440/596] base: Configure OpenBSD DNS using unwind --- roles/base/tasks/OpenBSD.yml | 1 + 1 file changed, 1 insertion(+) 
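Review bot: The DoT `authentication name` for each forwarder is derived from a PTR lookup run on the control node at template time, so the name unwind will validate the forwarder's certificate against comes from an unauthenticated DNS answer, and I believe the dig lookup returns a string such as `NXDOMAIN` on failure, which `[:-1]` turns into `NXDOMAI` and unwind will still accept as syntactically valid. Carry the name in inventory next to the address instead (a list of `{addr, name}` items), or at minimum add an `ansible.builtin.assert` before the template that checks every lookup result ends in `.`.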
diff --git a/roles/base/tasks/OpenBSD.yml b/roles/base/tasks/OpenBSD.yml index 84c90af..b8ca184 100644 --- a/roles/base/tasks/OpenBSD.yml +++ b/roles/base/tasks/OpenBSD.yml @@ -64,5 +64,6 @@ - opensmtpd - pf - syslogd + - unwind loop_control: loop_var: role From fa7402a8eb6464201bc0520325594fc9bd7c2695 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 6 Jan 2025 20:28:29 +0000 Subject: [PATCH 441/596] network: Don't use static resolv.conf for OpenBSD --- roles/network/tasks/main.yml | 9 --------- roles/network/templates/resolv.conf.j2 | 6 ------ 2 files changed, 15 deletions(-) delete mode 100644 roles/network/templates/resolv.conf.j2 diff --git a/roles/network/tasks/main.yml b/roles/network/tasks/main.yml index e1be7c5..83d8005 100644 --- a/roles/network/tasks/main.yml +++ b/roles/network/tasks/main.yml @@ -1,12 +1,3 @@ --- - name: Include OS spcific tasks ansible.builtin.include_tasks: "{{ ansible_os_family }}.yml" - -- name: Create resolv.conf - ansible.builtin.template: - src: resolv.conf.j2 - dest: /etc/resolv.conf - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - when: network_dns_servers is defined diff --git a/roles/network/templates/resolv.conf.j2 b/roles/network/templates/resolv.conf.j2 deleted file mode 100644 index 0e8f587..0000000 --- a/roles/network/templates/resolv.conf.j2 +++ /dev/null @@ -1,6 +0,0 @@ -{% if network_dns_search is defined %} -search {{ network_dns_search|join(' ') }} -{% endif %} -{% for addr in network_dns_servers %} -nameserver {{ addr }} -{% endfor %} From 9a5cd91532b5382acb314005c1c6932fc59720f1 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 6 Jan 2025 21:02:55 +0000 Subject: [PATCH 442/596] base: Make sure python dnf bindings are installed --- roles/base/tasks/RedHat.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml index 81ef9e9..d0dbbd9 100644 --- a/roles/base/tasks/RedHat.yml +++ b/roles/base/tasks/RedHat.yml 
@@ -3,6 +3,25 @@ ansible.builtin.hostname: name: "{{ inventory_hostname }}" +- name: Check if dnf python bindings are installed + ansible.builtin.command: + argv: + - rpm + - "-q" + - python3-dnf + register: result + failed_when: false + changed_when: false + +- name: Install dnf python bindings + ansible.builtin.command: + argv: + - dnf + - install + - "-y" + - python3-dnf + when: result.rc != 0 + - name: Install OS specific roles for physical hardware ansible.builtin.include_role: name: cpupower From d9c5d73889f2bc983fdcda8c6088cb786d00adf8 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 7 Jan 2025 00:10:33 +0000 Subject: [PATCH 443/596] Update Fedora installer to version 41 --- group_vars/fedora.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/fedora.yml b/group_vars/fedora.yml index f10f398..1f7eeea 100644 --- a/group_vars/fedora.yml +++ b/group_vars/fedora.yml @@ -1,7 +1,7 @@ --- # default resources for new vm dsk_size: 20 -mem_size: 2048 +mem_size: 4096 num_cpus: 2 # extra args for virt-install @@ -18,7 +18,7 @@ ipcmd: >- {% endif %} virt_install_os_args: >- --location - https://nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/releases/39/Everything/x86_64/os/ + https://nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/releases/41/Everything/x86_64/os/ --extra-args "inst.ks={{ ks_file }} console=ttyS0 From fff5b5a43138bb689f86cab1773d8494628d04cf Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 7 Jan 2025 00:11:15 +0000 Subject: [PATCH 444/596] node_exporter: Drop os specific var files --- roles/node_exporter/handlers/main.yml | 7 ++++++- roles/node_exporter/tasks/main.yml | 21 ++++++++++++++------- roles/node_exporter/vars/OpenBSD.yml | 4 ---- roles/node_exporter/vars/RedHat.yml | 4 ---- 4 files changed, 20 insertions(+), 16 deletions(-) delete mode 100644 roles/node_exporter/vars/OpenBSD.yml delete mode 100644 roles/node_exporter/vars/RedHat.yml 
diff --git a/roles/node_exporter/handlers/main.yml b/roles/node_exporter/handlers/main.yml index 5018dae..5bfbd16 100644 --- a/roles/node_exporter/handlers/main.yml +++ b/roles/node_exporter/handlers/main.yml @@ -1,5 +1,10 @@ --- - name: Restart node_exporter ansible.builtin.service: - name: "{{ node_exporter_service }}" + name: >- + {% if ansible_distribution == "OpenBSD" -%} + {{ "node_exporter" -}} + {% else -%} + {{ "prometheus-node-exporter" -}} + {% endif -%} state: restarted diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml index 395e624..a873906 100644 --- a/roles/node_exporter/tasks/main.yml +++ b/roles/node_exporter/tasks/main.yml @@ -1,15 +1,22 @@ --- -- name: Include OS-specific variables - ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" - - name: Install packages ansible.builtin.package: - name: "{{ node_exporter_package }}" + name: >- + {% if ansible_distribution in ["Fedora", "OpenBSD"] -%} + {{ "node_exporter" -}} + {% else -%} + {{ "golang-github-prometheus-node-exporter" -}} + {% endif -%} state: installed - name: Allow prometheus user to read private key ansible.builtin.user: - name: "{{ node_exporter_user }}" + name: >- + {% if ansible_distribution == "OpenBSD" -%} + {{ "_nodeexporter" -}} + {% else -%} + {{ "prometheus" -}} + {% endif -%} groups: hostkey append: true notify: Restart node_exporter @@ -91,7 +98,7 @@ - name: Enable service ansible.builtin.service: - name: "{{ node_exporter_service }}" + name: node_exporter state: started enabled: true arguments: >- @@ -102,7 +109,7 @@ - name: Enable service ansible.builtin.service: - name: "{{ node_exporter_service }}" + name: prometheus-node-exporter state: started enabled: true when: ansible_os_family == "RedHat" diff --git a/roles/node_exporter/vars/OpenBSD.yml b/roles/node_exporter/vars/OpenBSD.yml deleted file mode 100644 index 170fb93..0000000 --- a/roles/node_exporter/vars/OpenBSD.yml +++ /dev/null 
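Review bot: The OS conditional is now written inline three times as multi-line `>-` Jinja blocks (the package and user in tasks/main.yml, the service name in handlers/main.yml), which is harder to read than the vars files it replaces and easy to let drift; a single `vars:` block or `ansible.builtin.set_fact` computing `node_exporter_package`, `node_exporter_user` and `node_exporter_service` once would keep the OS knowledge in one place without bringing the files back. Note also that the package selector keys on `ansible_distribution in ["Fedora", "OpenBSD"]` while the user selector keys on `ansible_distribution == "OpenBSD"` and the service tasks on `ansible_os_family`, so supporting a new distribution means touching several spots.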
@@ -1,4 +0,0 @@ ---- -node_exporter_package: node_exporter -node_exporter_service: node_exporter -node_exporter_user: _nodeexporter diff --git a/roles/node_exporter/vars/RedHat.yml b/roles/node_exporter/vars/RedHat.yml deleted file mode 100644 index 0a6f1b2..0000000 --- a/roles/node_exporter/vars/RedHat.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -node_exporter_package: golang-github-prometheus-node-exporter -node_exporter_service: prometheus-node-exporter -node_exporter_user: prometheus From b576f18c93d2df0ac5270b07ac4d08f5734928b2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 10 Jan 2025 06:37:17 +0000 Subject: [PATCH 445/596] base: Simplify daily dnf download cron job --- roles/base/tasks/RedHat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml index d0dbbd9..bc514fe 100644 --- a/roles/base/tasks/RedHat.yml +++ b/roles/base/tasks/RedHat.yml @@ -179,4 +179,4 @@ user: root hour: "3" minute: "{{ 59 | random(seed=inventory_hostname) }}" - job: "dnf -d 0 -e 0 -y --downloadonly update > /dev/null" + job: "dnf-3 -q -y update --downloadonly" From 1bc3805dedf3c547a67fa920bdfe3a7dccdd3e58 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 10 Jan 2025 07:30:32 +0000 Subject: [PATCH 446/596] node_exporter: Fix startup options for Fedora --- roles/node_exporter/tasks/main.yml | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml index a873906..afb5e76 100644 --- a/roles/node_exporter/tasks/main.yml +++ b/roles/node_exporter/tasks/main.yml @@ -69,7 +69,7 @@ job: /usr/local/sbin/node-exporter-run-textfile-collector minute: "*/10" -- name: Modify config +- name: Modify config (pre 1.5.0) ansible.builtin.lineinfile: path: /etc/default/prometheus-node-exporter regexp: "^ARGS=" 
@@ -80,7 +80,23 @@ --web.config=/etc/node_exporter/web-config.yml --collector.textfile.directory=/var/lib/prometheus/node-exporter" notify: Restart node_exporter - when: ansible_os_family == "RedHat" + when: + - ansible_os_family == "RedHat" + - ansible_distribution != "Fedora" + +- name: Modify config + ansible.builtin.lineinfile: + path: /etc/default/prometheus-node-exporter + regexp: "^ARGS=" + line: >- + ARGS="--collector.filesystem.ignored-mount-points='^/(dev|proc|sys|run/(user|credentials/systemd-.+))($|/)' + --collector.netclass.ignored-devices='^(br-|docker|veth).+$' + --collector.netdev.device-exclude='^(br-|docker|veth).+$' + --web.config.file=/etc/node_exporter/web-config.yml + --collector.textfile.directory=/var/lib/prometheus/node-exporter" + notify: Restart node_exporter + when: + - ansible_distribution == "Fedora" - name: Install disk and raid monitoring scripts ansible.builtin.copy: From 7b6edbfe441982fd158800c8ec9309edf6920152 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 15 Jan 2025 18:43:44 +0000 Subject: [PATCH 447/596] Add check-updates script --- playbooks/manual/check-updates.yml | 23 +++++++++++++++++++++++ scripts/check-updates | 16 ++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 playbooks/manual/check-updates.yml create mode 100755 scripts/check-updates diff --git a/playbooks/manual/check-updates.yml b/playbooks/manual/check-updates.yml new file mode 100644 index 0000000..1045eb0 --- /dev/null +++ b/playbooks/manual/check-updates.yml @@ -0,0 +1,23 @@ +--- +- hosts: all + gather_facts: true + tasks: + - name: Check updates (Linux) + ansible.builtin.command: + argv: + - dnf + - -q + - check-update + register: result + changed_when: result.rc == 100 + failed_when: result.rc not in [0, 100] + when: ansible_os_family == "RedHat" + + - name: Check updates (OpenBSD) + ansible.builtin.command: + argv: + - syspatch + - -c + register: result + changed_when: result.stdout != "" + when: ansible_os_family == "OpenBSD" 
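Review bot: The new Fedora `Modify config` task duplicates the ten-line `ARGS=` block of the `(pre 1.5.0)` task above it, differing only in `--web.config` versus `--web.config.file` and the `when`, so the two copies of the collector exclusions and of the web-config path (the setting that puts TLS and auth in front of the exporter) can drift silently. One task with `--web.config{{ '.file' if ansible_distribution == 'Fedora' else '' }}=/etc/node_exporter/web-config.yml`, or a per-distribution `node_exporter_web_config_flag` variable, keeps a single copy. The new `when:` is a one-element list; `when: ansible_distribution == "Fedora"` reads the same. The `(pre 1.5.0)` task starts outside the hunk.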
diff --git a/scripts/check-updates b/scripts/check-updates new file mode 100755 index 0000000..5a00e56 --- /dev/null +++ b/scripts/check-updates @@ -0,0 +1,16 @@ +#!/bin/sh + +set -eu + +if [ $# -eq 1 ]; then + limit="$1" +elif [ $# -ne 0 ]; then + echo "Usage: $(basename "$0") [hostname]" 1>&2 + exit 1 +else + limit="all" +fi + +cd "$(dirname "$0")/.." + +ansible-playbook playbooks/manual/check-updates.yml -l "$limit" From f0c66b63f3597c44668c1290e471ddc0dc24e022 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 15 Jan 2025 18:54:34 +0000 Subject: [PATCH 448/596] unwind: Validate config before restart --- roles/unwind/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/unwind/tasks/main.yml b/roles/unwind/tasks/main.yml index 3c2e9a6..99dd212 100644 --- a/roles/unwind/tasks/main.yml +++ b/roles/unwind/tasks/main.yml @@ -6,6 +6,7 @@ mode: "0644" owner: root group: "{{ ansible_wheel }}" + validate: "unwind -n -f %s" notify: Restart unwind - name: Enable service From 0579a2076885111222cd947bee118709cdee9cf3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 15 Jan 2025 18:55:04 +0000 Subject: [PATCH 449/596] Manually set nameservers for hosts in Vultr cloud --- group_vars/vultr.yml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 group_vars/vultr.yml diff --git a/group_vars/vultr.yml b/group_vars/vultr.yml new file mode 100644 index 0000000..af46a03 --- /dev/null +++ b/group_vars/vultr.yml @@ -0,0 +1,4 @@ +--- +network_dns_servers: + - 8.8.8.8 + - 9.9.9.9 From ec4812a15735a4f9260639e9f4938aa89ee4b494 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 15 Jan 2025 20:04:17 +0000 Subject: [PATCH 450/596] Add group based on domainname if found --- hosts.yml | 4 ---- playbooks/ns.yml | 2 +- roles/base/tasks/main.yml | 6 ++++++ 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/hosts.yml b/hosts.yml index c3e929f..c142740 100644 --- a/hosts.yml +++ b/hosts.yml 
@@ -137,10 +137,6 @@ sftpbackup: mongodb: sqldb: -vultr: - hosts: - atl01.vultr.foo.sh: - fedora: children: gitearunner: diff --git a/playbooks/ns.yml b/playbooks/ns.yml index b4e6dbf..4642197 100644 --- a/playbooks/ns.yml +++ b/playbooks/ns.yml @@ -2,7 +2,7 @@ - name: Deploy KVM virtual machines ansible.builtin.import_playbook: include/deploy-kvm-guest.yml vars: - myhosts: ns:!vultr + myhosts: ns:!atl01.vultr.foo.sh - name: Configure instance hosts: ns diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 03f630d..5e3e14b 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -1,4 +1,10 @@ --- +- name: Group by domainname + ansible.builtin.group_by: + key: "{{ inventory_hostname.split('.')[1] }}" + changed_when: false + when: inventory_hostname | split('.') | length == 4 + - name: Setup ansible custom facts ansible.builtin.file: dest: "{{ item }}" From 8a9fd29c72c61ac3f7eca1ba43387972069efc0d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 15 Jan 2025 21:26:29 +0000 Subject: [PATCH 451/596] unbound: Refactor variables --- roles/unbound/tasks/main.yml | 4 ++-- roles/unbound/vars/OpenBSD.yml | 6 +++--- roles/unbound/vars/RedHat.yml | 3 +-- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 5ec99fb..a64720b 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -12,7 +12,7 @@ ansible.builtin.command: argv: - unbound-control-setup - creates: "{{ unbound_control_key }}" + creates: "{{ unbound_confdir }}/unbound_control.key" notify: Restart unbound - name: Copy zone files @@ -28,7 +28,7 @@ - name: Copy config ansible.builtin.template: - dest: "{{ unbound_conf }}" + dest: "{{ unbound_confdir }}/unbound.conf" src: "unbound.conf.{{ inventory_hostname }}.j2" mode: "0644" owner: root diff --git a/roles/unbound/vars/OpenBSD.yml b/roles/unbound/vars/OpenBSD.yml index c952c8a..5f41acd 100644 --- a/roles/unbound/vars/OpenBSD.yml 
+++ b/roles/unbound/vars/OpenBSD.yml @@ -1,4 +1,4 @@ --- -unbound_conf: /var/unbound/etc/unbound.conf -unbound_control_key: /var/unbound/etc/unbound_control.key -unbound_zonedir: /var/unbound/db +unbound_chroot: /var/unbound +unbound_confdir: "{{ unbound_chroot }}/etc" +unbound_zonedir: "{{ unbound_chroot }}/db" diff --git a/roles/unbound/vars/RedHat.yml b/roles/unbound/vars/RedHat.yml index a15473b..816739c 100644 --- a/roles/unbound/vars/RedHat.yml +++ b/roles/unbound/vars/RedHat.yml @@ -1,4 +1,3 @@ --- -unbound_conf: /etc/unbound/unbound.conf -unbound_control_key: /etc/unbound/unbound_control.key +unbound_confdir: /etc/unbound unbound_zonedir: /var/lib/unbound From f6a8776a6ea58c3fe8f1f14318ad5eb61f596db6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 15 Jan 2025 23:45:54 +0000 Subject: [PATCH 452/596] systemd_resolved: Initial version of role --- roles/systemd_resolved/handlers/main.yml | 5 ++++ roles/systemd_resolved/tasks/main.yml | 28 +++++++++++++++++++ .../systemd_resolved/templates/local.conf.j2 | 4 +++ 3 files changed, 37 insertions(+) create mode 100644 roles/systemd_resolved/handlers/main.yml create mode 100644 roles/systemd_resolved/tasks/main.yml create mode 100644 roles/systemd_resolved/templates/local.conf.j2 diff --git a/roles/systemd_resolved/handlers/main.yml b/roles/systemd_resolved/handlers/main.yml new file mode 100644 index 0000000..0bbce3d --- /dev/null +++ b/roles/systemd_resolved/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart systemd-resolved + ansible.builtin.service: + name: systemd-resolved + state: restarted diff --git a/roles/systemd_resolved/tasks/main.yml b/roles/systemd_resolved/tasks/main.yml new file mode 100644 index 0000000..43371a6 --- /dev/null +++ b/roles/systemd_resolved/tasks/main.yml 
@@ -0,0 +1,28 @@ +--- +- name: Install packages + ansible.builtin.package: + name: systemd-resolved + state: installed + +- name: Create config directory + ansible.builtin.file: + path: /etc/systemd/resolved.conf.d + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Create config + ansible.builtin.template: + dest: /etc/systemd/resolved.conf.d/local.conf + src: local.conf.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart systemd-resolved + +- name: Enable service + ansible.builtin.service: + name: systemd-resolved + state: started + enabled: true diff --git a/roles/systemd_resolved/templates/local.conf.j2 b/roles/systemd_resolved/templates/local.conf.j2 new file mode 100644 index 0000000..23d7dc6 --- /dev/null +++ b/roles/systemd_resolved/templates/local.conf.j2 @@ -0,0 +1,4 @@ +[Resolve] +DNS={% for addr in network_dns_servers %}{{ addr }}#{{ lookup('community.general.dig', addr + '/PTR')[:-1] }} {% endfor %} + +DNSOverTLS=yes From 974595756cbf81d5eb7f35f18d9ed4778bc0c7e4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 18 Jan 2025 18:33:23 +0000 Subject: [PATCH 453/596] unbound: Add backup DNS server to external resolve --- roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 | 2 +- roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 index e3dc5b6..1479483 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 @@ -1,4 +1,3 @@ - server: interface: 172.20.20.10@53 interface: 172.20.20.10@853 @@ -28,6 +27,7 @@ forward-zone: name: "." forward-tls-upstream: yes forward-addr: 8.8.8.8@853#dns.google + forward-addr: 8.8.4.4@853#dns.google {% for zone in unbound_zones %} auth-zone: 
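Review bot: In `local.conf.j2` the hostname that systemd-resolved validates the DoT certificate against (the part after `#`) is taken from a PTR lookup done on the controller at template time, so the identity that `DNSOverTLS=yes` strictly enforces is chosen by an unauthenticated reverse-DNS answer rather than declared in the inventory. Rendering also now depends on the controller's resolver and on `community.general.dig` being available, and a PTR change or lookup failure alters or breaks the config on the next run. Carrying the expected name next to the address — a parallel list such as `network_dns_names: [dns.google, dns.quad9.net]` if other roles still consume `network_dns_servers` as plain strings, rendered as `{{ addr }}#{{ network_dns_names[loop.index0] }}` — pins the same names the unbound templates already hard-code (`8.8.8.8@853#dns.google`) and removes the lookup. The `DNS=` line also ends in a trailing space before the newline; harmless, but `{{ ' ' if not loop.last }}` avoids it.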
diff --git a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 index 4607459..c2f67ef 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 @@ -1,4 +1,3 @@ - server: interface: 172.20.20.10@53 interface: 172.20.20.10@853 @@ -28,6 +27,7 @@ forward-zone: name: "." forward-tls-upstream: yes forward-addr: 8.8.8.8@853#dns.google + forward-addr: 8.8.4.4@853#dns.google {% for zone in unbound_zones %} auth-zone: From 231fe0103a296a7d7a25bb2757f1cc906015807a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 18 Jan 2025 18:47:04 +0000 Subject: [PATCH 454/596] unbound: Optimize CPU core usage --- .../unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 | 7 +++++++ .../unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 index 1479483..9cd96f8 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 @@ -1,4 +1,11 @@ server: + # https://nlnetlabs.nl/documentation/unbound/howto-optimise/ + num-threads: {{ ansible_processor_cores }} + msg-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} + rrset-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} + infra-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} + key-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} + interface: 172.20.20.10@53 interface: 172.20.20.10@853 interface: 172.20.21.1@53 diff --git a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 index c2f67ef..de8a3d4 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 
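Review bot: `ansible_processor_cores | int | pow(2)` squares the core count, so the four `*-cache-slabs` values become cores² (4 cores → 16, 6 cores → 36) rather than the power of two close to `num-threads` that the linked howto describes, and 36 is not a power of two, which Unbound documents as a requirement for slab counts. If the intent is "smallest power of two ≥ threads", `{{ 2 | pow((ansible_processor_cores | int | log(2)) | round(0, 'ceil') | int) | int }}` expresses it, and a short comment stating that rule would help because the filter chain is easy to misread. Whether `ansible_processor_cores` (cores per socket) or `ansible_processor_vcpus` is the right fact for `num-threads` on these VMs is worth confirming. The same expressions are repeated in the `dna-gw02` template hunk that follows.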
+++ b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 @@ -1,4 +1,11 @@ server: + # https://nlnetlabs.nl/documentation/unbound/howto-optimise/ + num-threads: {{ ansible_processor_cores }} + msg-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} + rrset-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} + infra-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} + key-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }} + interface: 172.20.20.10@53 interface: 172.20.20.10@853 interface: 172.20.21.2@53 From 4739a3758df86df147ead2065b8a860520e3d5ac Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 18 Jan 2025 18:54:43 +0000 Subject: [PATCH 455/596] node_exporter: Don't create home on user modify --- roles/node_exporter/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml index afb5e76..f1c0968 100644 --- a/roles/node_exporter/tasks/main.yml +++ b/roles/node_exporter/tasks/main.yml @@ -19,6 +19,7 @@ {% endif -%} groups: hostkey append: true + create_home: false notify: Restart node_exporter - name: Create config directory From 86551d6dec61267854ef058feaae9e9d0996ba88 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 18 Jan 2025 18:55:59 +0000 Subject: [PATCH 456/596] Move nms.home.foo.sh to new address --- group_vars/nms.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/nms.yml b/group_vars/nms.yml index 4278cfd..4bdca2a 100644 --- a/group_vars/nms.yml +++ b/group_vars/nms.yml @@ -9,7 +9,7 @@ unbound_zones: network_vip_interfaces: - device: eth0 vhid: 11 - ipaddr: 172.20.20.11 + ipaddr: 172.20.20.21 netmask: 255.255.240.0 pass: "{{ vip11_pass }}" - device: eth1 From 107a2cd48b5c274d103c1e360f99c7efa4f513d3 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sat, 18 Jan 2025 19:12:59 +0000 Subject: [PATCH 457/596] Use correct password for virtual IP interface --- group_vars/nms.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/nms.yml b/group_vars/nms.yml index 4bdca2a..bdfe2a9 100644 --- a/group_vars/nms.yml +++ b/group_vars/nms.yml @@ -11,7 +11,7 @@ network_vip_interfaces: vhid: 11 ipaddr: 172.20.20.21 netmask: 255.255.240.0 - pass: "{{ vip11_pass }}" + pass: "{{ vip21_pass }}" - device: eth1 vhid: 25 ipaddr: 172.20.25.1 From d4bfc7586fe31e40b15f187cb5069b8730fbb24e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 18 Jan 2025 19:14:08 +0000 Subject: [PATCH 458/596] unbound: Add better failover config --- group_vars/dnagw.yml | 12 ++++++++++++ host_vars/dna-gw01.home.foo.sh.yml | 2 ++ host_vars/dna-gw02.home.foo.sh.yml | 2 ++ .../templates/unbound.conf.dna-gw01.home.foo.sh.j2 | 4 ++++ .../templates/unbound.conf.dna-gw02.home.foo.sh.j2 | 4 ++++ 5 files changed, 24 insertions(+) diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml index 3bffd50..fe380e8 100644 --- a/group_vars/dnagw.yml +++ b/group_vars/dnagw.yml @@ -12,6 +12,18 @@ network_vip_interfaces: netmask: 255.255.252.0 pass: "{{ vip10_pass }}" priority: 120 + - device: vio0 + vhid: 11 + ipaddr: 172.20.20.11 + netmask: 255.255.252.0 + pass: "{{ vip11_pass }}" + priority: "{{ vip11_priority }}" + - device: vio0 + vhid: 12 + ipaddr: 172.20.20.12 + netmask: 255.255.252.0 + pass: "{{ vip12_pass }}" + priority: "{{ vip12_priority }}" network_ether_interfaces: - device: vio1 proto: none diff --git a/host_vars/dna-gw01.home.foo.sh.yml b/host_vars/dna-gw01.home.foo.sh.yml index d7c25b9..481ae6c 100644 --- a/host_vars/dna-gw01.home.foo.sh.yml +++ b/host_vars/dna-gw01.home.foo.sh.yml @@ -10,3 +10,5 @@ network_interfaces: - device: vio1 vlan: 103 proto: none +vip11_priority: 240 +vip12_priority: 120 
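Review bot: The added `vio0` CARP interfaces reuse `vhid: 11` (with `vip11_pass`), while `group_vars/nms.yml` as left by the two commits above still has `vhid: 11` on `eth0` with `ipaddr: 172.20.20.21` and `pass: "{{ vip21_pass }}"`. If the nms host and the dna-gw hosts share the 172.20.20.0/22 broadcast domain, two CARP groups with the same vhid and different passwords will receive each other's advertisements, reject them as bad hashes, and can both claim master or flap. Since nms moved to .21 it presumably should move to `vhid: 21` as well, or the new dna-gw addresses should take vhids unused on that segment; the inventory shown here does not cover the full vhid allocation, so please confirm. A comment in `group_vars/dnagw.yml` listing the vhid plan for the segment would make such collisions easier to spot in review.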
diff --git a/host_vars/dna-gw02.home.foo.sh.yml b/host_vars/dna-gw02.home.foo.sh.yml index fae4c34..d9977c7 100644 --- a/host_vars/dna-gw02.home.foo.sh.yml +++ b/host_vars/dna-gw02.home.foo.sh.yml @@ -10,3 +10,5 @@ network_interfaces: - device: vio1 vlan: 103 proto: none +vip11_priority: 120 +vip12_priority: 240 diff --git a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 index 9cd96f8..4765817 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 @@ -8,6 +8,10 @@ server: interface: 172.20.20.10@53 interface: 172.20.20.10@853 + interface: 172.20.20.11@53 + interface: 172.20.20.11@853 + interface: 172.20.20.12@53 + interface: 172.20.20.12@853 interface: 172.20.21.1@53 tls-service-key: {{ tls_private }}/dns.home.foo.sh.key diff --git a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 index de8a3d4..c08d855 100644 --- a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 @@ -8,6 +8,10 @@ server: interface: 172.20.20.10@53 interface: 172.20.20.10@853 + interface: 172.20.20.11@53 + interface: 172.20.20.11@853 + interface: 172.20.20.12@53 + interface: 172.20.20.12@853 interface: 172.20.21.2@53 tls-service-key: {{ tls_private }}/dns.home.foo.sh.key From ae491f8977a9802bb6624c8b87e14b58298488eb Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sun, 19 Jan 2025 16:15:24 +0000 Subject: [PATCH 459/596] unbound_exporter: Initial version of role --- roles/unbound_exporter/handlers/main.yml | 5 +++ roles/unbound_exporter/tasks/main.yml | 36 +++++++++++++++++++ .../templates/web-config.yml.j2 | 11 ++++++ 3 files changed, 52 insertions(+) create mode 100644 roles/unbound_exporter/handlers/main.yml create mode 100644 roles/unbound_exporter/tasks/main.yml create mode 100644 roles/unbound_exporter/templates/web-config.yml.j2 diff --git a/roles/unbound_exporter/handlers/main.yml b/roles/unbound_exporter/handlers/main.yml new file mode 100644 index 0000000..bfbf5bf --- /dev/null +++ b/roles/unbound_exporter/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart unbound_exporter + ansible.builtin.service: + name: unbound_exporter + state: restarted diff --git a/roles/unbound_exporter/tasks/main.yml b/roles/unbound_exporter/tasks/main.yml new file mode 100644 index 0000000..d8936f3 --- /dev/null +++ b/roles/unbound_exporter/tasks/main.yml @@ -0,0 +1,36 @@ +--- +- name: Install packages + ansible.builtin.package: + name: unbound_exporter + state: installed + +- name: Add user to hostkey group + ansible.builtin.user: + name: _unboundexporter + groups: hostkey + append: true + create_home: false + notify: Restart unbound_exporter + +- name: Create config directory + ansible.builtin.file: + path: /etc/unbound_exporter + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Create web-config + ansible.builtin.template: + dest: /etc/unbound_exporter/web-config.yml + src: web-config.yml.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart unbound_exporter + +- name: Enable service + ansible.builtin.service: + name: unbound_exporter + state: started + enabled: true diff --git a/roles/unbound_exporter/templates/web-config.yml.j2 b/roles/unbound_exporter/templates/web-config.yml.j2 new file mode 100644 index 0000000..03e5466 --- /dev/null 
+++ b/roles/unbound_exporter/templates/web-config.yml.j2 @@ -0,0 +1,11 @@ +--- +tls_server_config: + key_file: {{ tls_private }}/{{ inventory_hostname }}.key + cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt + client_ca_file: {{ tls_certs }}/ca.crt + client_auth_type: RequireAndVerifyClientCert + client_allowed_sans: +{% for host in groups['prometheus'] %} + - {{ host }} +{% endfor %} + min_version: TLS13 From 271eb09669c359cf2f0aaef28065fce2a7385829 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 19 Jan 2025 16:15:42 +0000 Subject: [PATCH 460/596] pf: Open unbound_exporter port for dna-gw hosts --- roles/pf/files/pf.conf.gw_home | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/files/pf.conf.gw_home index 077b457..981f783 100644 --- a/roles/pf/files/pf.conf.gw_home +++ b/roles/pf/files/pf.conf.gw_home @@ -45,8 +45,9 @@ pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh pass in quick on $ext_if proto tcp from 212.149.228.253/32 to self port ssh -# node_exporter from internal network +# node_exporter and unbound_exporter from internal network pass in quick on $int_if proto tcp from $int_net to self port 9100 +pass in quick on $int_if proto tcp from $int_net to self port 9167 # allow dns queries from internal net pass in quick on $int_if proto { tcp, udp } from $int_net to self port domain From 964e841c1df100022a8088f585a1de1f56c1622a Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sun, 19 Jan 2025 17:51:18 +0000 Subject: [PATCH 461/596] unbound_exporter: Add TLS support Currently unbound_exporter doesn't support TLS connections so proxy connections through stunnel. --- roles/unbound_exporter/handlers/main.yml | 5 +++ roles/unbound_exporter/tasks/main.yml | 36 +++++++++++++++---- .../templates/web-config.yml.j2 | 11 ------ 3 files changed, 35 insertions(+), 17 deletions(-) delete mode 100644 roles/unbound_exporter/templates/web-config.yml.j2 diff --git a/roles/unbound_exporter/handlers/main.yml b/roles/unbound_exporter/handlers/main.yml index bfbf5bf..2cd8d99 100644 --- a/roles/unbound_exporter/handlers/main.yml +++ b/roles/unbound_exporter/handlers/main.yml @@ -3,3 +3,8 @@ ansible.builtin.service: name: unbound_exporter state: restarted + +- name: Restart unbound_exporter_stunnel + ansible.builtin.service: + name: unbound_exporter_stunnel + state: restarted diff --git a/roles/unbound_exporter/tasks/main.yml b/roles/unbound_exporter/tasks/main.yml index d8936f3..b194422 100644 --- a/roles/unbound_exporter/tasks/main.yml +++ b/roles/unbound_exporter/tasks/main.yml @@ -1,8 +1,11 @@ --- - name: Install packages ansible.builtin.package: - name: unbound_exporter + name: "{{ item }}" state: installed + with_items: + - stunnel + - unbound_exporter - name: Add user to hostkey group ansible.builtin.user: @@ -10,7 +13,7 @@ groups: hostkey append: true create_home: false - notify: Restart unbound_exporter + notify: Restart unbound_exporter_stunnel - name: Create config directory ansible.builtin.file: 
@@ -20,17 +23,38 @@ owner: root group: "{{ ansible_wheel }}" -- name: Create web-config +- name: Create stunnel config ansible.builtin.template: - dest: /etc/unbound_exporter/web-config.yml - src: web-config.yml.j2 + dest: /etc/unbound_exporter/stunnel.conf + src: stunnel.conf.j2 mode: "0644" owner: root group: "{{ ansible_wheel }}" - notify: Restart unbound_exporter + notify: Restart unbound_exporter_stunnel - name: Enable service ansible.builtin.service: name: unbound_exporter state: started enabled: true + arguments: >- + -unbound.ca + -unbound.cert + -unbound.host unix:///var/run/unbound.sock + -web.listen-address 127.0.0.1:9167 + notify: Restart unbound_exporter + +- name: Create stunnel service config + ansible.builtin.copy: + dest: /etc/rc.d/unbound_exporter_stunnel + src: unbound_exporter_stunnel.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart unbound_exporter_stunnel + +- name: Enable stunnel service + ansible.builtin.service: + name: unbound_exporter_stunnel + state: started + enabled: true diff --git a/roles/unbound_exporter/templates/web-config.yml.j2 b/roles/unbound_exporter/templates/web-config.yml.j2 deleted file mode 100644 index 03e5466..0000000 --- a/roles/unbound_exporter/templates/web-config.yml.j2 +++ /dev/null @@ -1,11 +0,0 @@ ---- -tls_server_config: - key_file: {{ tls_private }}/{{ inventory_hostname }}.key - cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt - client_ca_file: {{ tls_certs }}/ca.crt - client_auth_type: RequireAndVerifyClientCert - client_allowed_sans: -{% for host in groups['prometheus'] %} - - {{ host }} -{% endfor %} - min_version: TLS13 From e1dd03e85930aafdd2480436e001fd2bcd25109a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 19 Jan 2025 18:21:33 +0000 Subject: [PATCH 462/596] Add unbound_exporter to dna-gw hosts --- playbooks/dna-gw.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 71ef499..7a8e99b 100644 
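Review bot: The new `Create stunnel config` task references `stunnel.conf.j2` and `Create stunnel service config` copies `unbound_exporter_stunnel.sh`, but neither file is in this commit's diffstat (only the handlers, the tasks and the deleted `web-config.yml.j2`), so the role fails at the template task until they are added. That also means the controls the deleted web-config enforced — `client_auth_type: RequireAndVerifyClientCert`, `client_allowed_sans` limited to `groups['prometheus']`, `min_version: TLS13` — cannot be checked here; the stunnel side needs `verifyChain = yes` with `CAfile` and `checkHost`, `requireCert = yes` and `sslVersionMin = TLSv1.3` to keep the same posture, and the commit message should say that the mTLS requirement moved rather than disappeared. `-web.listen-address 127.0.0.1:9167` on the exporter is the right side of that design, leaving stunnel as the only path in from `$int_net` on 9167. The `Install packages` hunk above could pass the two names as a list to `name:` instead of looping with `with_items`.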
--- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -150,3 +150,7 @@ - name: Import unbound role ansible.builtin.import_role: name: unbound + + - name: Import unbound_exporter role + ansible.builtin.import_role: + name: unbound_exporter From cdd1495f0cdbe0e404c4a1cc868755982c0d3a7c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 19 Jan 2025 18:40:49 +0000 Subject: [PATCH 463/596] dhcpd: Fix DNS server addresses --- roles/dhcpd/templates/dhcpd.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2 index 063a27f..7b41b05 100644 --- a/roles/dhcpd/templates/dhcpd.conf.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.j2 @@ -52,7 +52,7 @@ shared-network FOOSH { option routers 172.20.20.1; option domain-name "home.foo.sh"; - option domain-name-servers 172.20.20.10, 172.20.21.1, 172.20.21.2; + option domain-name-servers 172.20.20.10, 172.20.20.11, 172.20.20.12; use-host-decl-names on; } From c8bbd563b45b40aff50a82529896b644e8da2ecd Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 19 Jan 2025 21:18:10 +0000 Subject: [PATCH 464/596] base: Use systemd-resolved for Fedora hosts --- roles/base/tasks/RedHat.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml index bc514fe..0e477a1 100644 --- a/roles/base/tasks/RedHat.yml +++ b/roles/base/tasks/RedHat.yml @@ -37,6 +37,11 @@ loop_control: loop_var: role +- name: Install systemd-resolved + ansible.builtin.include_role: + name: systemd_resolved + when: ansible_distribution == "Fedora" + - name: Install firewall ansible.builtin.include_role: name: iptables From 7a6e4e596f3634c1c768b1950b42b630552fbe0c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 23 Jan 2025 05:53:44 +0000 Subject: [PATCH 465/596] nginx: Use custom log format --- roles/nginx/templates/nginx.conf.j2 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index 0a503cc..b6733d2 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -8,7 +8,10 @@ events { } http { - access_log {{ nginx_logdir }}/access.log combined; + log_format custom '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ($request_time)'; + access_log {{ nginx_logdir }}/access.log custom; proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt; proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key; From c3497c2440951432409b35bd3dfe4333e3c0cde5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 23 Jan 2025 05:54:23 +0000 Subject: [PATCH 466/596] nginx_site: Enable custom log format --- roles/nginx_site/templates/site.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2 index 13a3ec7..ca54573 100644 --- a/roles/nginx_site/templates/site.conf.j2 +++ b/roles/nginx_site/templates/site.conf.j2 @@ -18,7 +18,7 @@ server { listen [::]:443 ssl http2; server_name {{ nginx_site_name }}; - access_log {{ nginx_logdir }}/{{ nginx_site_name }}.access.log combined; + access_log {{ nginx_logdir }}/{{ nginx_site_name }}.access.log custom; error_log {{ nginx_logdir }}/{{ nginx_site_name }}.error.log warn; add_header Strict-Transport-Security "max-age=63072000" always; From 338f4e2f0d3f7bacc816d19cccd303182da8e3d7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 11:41:49 +0000 Subject: [PATCH 467/596] rclone: Make role more modular --- roles/rclone/files/rclone-sync.sh | 12 +++++-- roles/rclone/meta/main.yml | 1 - roles/rclone/tasks/main.yml | 52 +++++++++++++++------------ roles/rclone/templates/rclone.conf.j2 | 6 ++-- 4 files changed, 42 insertions(+), 29 deletions(-) 
diff --git a/roles/rclone/files/rclone-sync.sh b/roles/rclone/files/rclone-sync.sh index def667c..83ecfb2 100755 --- a/roles/rclone/files/rclone-sync.sh +++ b/roles/rclone/files/rclone-sync.sh @@ -3,13 +3,19 @@ set -eu umask 027 -TARGET="/srv/backup" -CONFIG="/etc/rclone/rclone.conf" -LOGDIR="/var/log/rclone" +SERVICE="$(whoami)" + +TARGET="/srv/${SERVICE}" +CONFIG="/etc/rclone/${SERVICE}.conf" +LOGDIR="/var/log/rclone/${SERVICE}" RCLONE="/usr/local/bin/rclone" timestamp="$(date +%Y%m%d%H%M%S)" +if [ ! -f "$CONFIG" ]; then + echo "ERR: Config file '${CONFIG}' does not exist" 1>&2 + exit 1 +fi if [ ! -d "$TARGET" ]; then echo "ERR: Destination directory '${TARGET}' does not exist" 1>&2 exit 1 diff --git a/roles/rclone/meta/main.yml b/roles/rclone/meta/main.yml index a6cb84e..61cc3ce 100644 --- a/roles/rclone/meta/main.yml +++ b/roles/rclone/meta/main.yml @@ -1,4 +1,3 @@ --- dependencies: - - {role: backup_base} - {role: ssh_known_hosts} diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml index 335d66e..455de9b 100644 --- a/roles/rclone/tasks/main.yml +++ b/roles/rclone/tasks/main.yml @@ -8,17 +8,17 @@ ansible.builtin.file: path: /etc/rclone state: directory - mode: "0770" + mode: "0755" owner: root - group: backup + group: "{{ ansible_wheel }}" - name: Create host config ansible.builtin.template: - dest: /etc/rclone/rclone.conf + dest: "/etc/rclone/{{ rclone_service }}.conf" src: rclone.conf.j2 mode: "0640" owner: root - group: backup + group: "{{ rclone_service }}" - name: Create ssh keys ansible.builtin.command: 
@@ -27,45 +27,53 @@ - -t - ed25519 - -C - - "backup@{{ inventory_hostname }}" + - "{{ rclone_service }}@{{ inventory_hostname }}" - -N - "" - -f - - /etc/rclone/id_ed25519 - creates: /etc/rclone/id_ed25519 + - "/etc/rclone/ssh_{{ rclone_service }}_ed25519_key" + creates: "/etc/rclone/ssh_{{ rclone_service }}_ed25519_key" - name: Fix ssh key permissions ansible.builtin.file: path: "{{ item }}" owner: root - group: backup + group: "{{ rclone_service }}" mode: "0640" with_items: - - /etc/rclone/id_ed25519 - - /etc/rclone/id_ed25519.pub + - "/etc/rclone/ssh_{{ rclone_service }}_ed25519_key" + - "/etc/rclone/ssh_{{ rclone_service }}_ed25519_key.pub" - name: Fetch ssh public key ansible.builtin.fetch: - src: /etc/rclone/id_ed25519.pub - dest: ../files/ssh/backup.pub + src: "/etc/rclone/ssh_{{ rclone_service }}_ed25519_key.pub" + dest: "../files/ssh/{{ rclone_service }}.pub" flat: true -- name: Create log directory +- name: Create base log directory ansible.builtin.file: path: /var/log/rclone state: directory - mode: "0750" - owner: backup - group: backup + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" -- name: Create backup directories +- name: Create log directory ansible.builtin.file: - path: "/srv/backup/{{ item }}" + path: "/var/log/rclone/{{ rclone_service }}" + state: directory + mode: "0750" + owner: "{{ rclone_service }}" + group: "{{ rclone_service }}" + +- name: Create data directories + ansible.builtin.file: + path: "/srv/{{ rclone_service }}/{{ item }}" state: directory mode: "0770" owner: root - group: backup - with_items: "{{ groups['sftpbackup'] }}" + group: "{{ rclone_service }}" + with_items: "{{ groups[rclone_hostgroup | default(rclone_service)] }}" - name: Copy rclone sync script ansible.builtin.copy: 
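Review bot: Renaming the key to `/etc/rclone/ssh_{{ rclone_service }}_ed25519_key` with `creates:` on the new path means hosts that already ran the role will generate a fresh keypair and leave the old `/etc/rclone/id_ed25519` and `.pub` behind (group `backup`, mode 0640), and where `rclone_service` is not `backup` the controller's `files/ssh/backup.pub` also goes stale while the remote side only trusts the newly fetched `{{ rclone_service }}.pub`. An `ansible.builtin.file` task with `state: absent` over the two old paths would complete the migration instead of leaving an orphaned private key on disk. The key is still generated with `-N ""`; a comment stating that an unencrypted key is intentional because the sync runs unattended from cron would document the trade-off. The `Create ssh keys` task starts outside the hunk.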
@@ -79,13 +87,13 @@ ansible.builtin.cron: name: MAILTO env: true - user: backup + user: "{{ rclone_service }}" value: root - name: Add rclone sync cron job ansible.builtin.cron: name: rclone-sync - user: backup + user: "{{ rclone_service }}" hour: "3" minute: "00" job: /usr/local/bin/rclone-sync diff --git a/roles/rclone/templates/rclone.conf.j2 b/roles/rclone/templates/rclone.conf.j2 index 99e1d3e..bc4f312 100644 --- a/roles/rclone/templates/rclone.conf.j2 +++ b/roles/rclone/templates/rclone.conf.j2 @@ -1,11 +1,11 @@ # {{ ansible_managed }} -{% for host in groups['sftpbackup'] %} +{% for host in groups[rclone_hostgroup | default(rclone_service)] %} [{{ host.split('.')[0] }}] type = sftp host = {{ host }} -user = backup +user = {{ rclone_service }} shell_type = none -key_file = /etc/rclone/id_ed25519 +key_file = /etc/rclone/ssh_{{ rclone_service }}_ed25519_key known_hosts_file = /etc/ssh/ssh_known_hosts {% endfor %} From af5655e131518c6a52297c15f88bdd9a74c17eb6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 12:19:18 +0000 Subject: [PATCH 468/596] rclone: Remove logs older than 30 days --- roles/rclone/files/rclone-sync.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/rclone/files/rclone-sync.sh b/roles/rclone/files/rclone-sync.sh index 83ecfb2..40323ce 100755 --- a/roles/rclone/files/rclone-sync.sh +++ b/roles/rclone/files/rclone-sync.sh @@ -33,3 +33,5 @@ for host in $("$RCLONE" --config "$CONFIG" listremotes | tr -d ":") ; do cat "$log" fi done + +find "$LOGDIR" -type f -name "*.log" -mtime +30 -delete From b6131534f68b8a237a9a8ae281bc7f57ffbf3115 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 12:47:18 +0000 Subject: [PATCH 469/596] nginx_logsync: Initial version of role --- roles/nginx_logsync/tasks/main.yml | 34 ++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 roles/nginx_logsync/tasks/main.yml 
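Review bot: `find "$LOGDIR" -type f -name "*.log" -mtime +30 -delete` removes files whose modification time is more than 30 full days old, i.e. from the 31st day on, which differs slightly from the commit subject's "older than 30 days"; `-mtime +29` is the usual spelling if exactly 30 days of retention is meant. The expression has no `-maxdepth 1`, so any `.log` in a subdirectory of `$LOGDIR` is swept as well, which is fine for a flat directory but worth one comment line stating the retention policy. The loop that writes the logs starts outside the hunk.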
diff --git a/roles/nginx_logsync/tasks/main.yml b/roles/nginx_logsync/tasks/main.yml new file mode 100644 index 0000000..0d7c9ff --- /dev/null +++ b/roles/nginx_logsync/tasks/main.yml @@ -0,0 +1,34 @@ +--- +- name: Create group + ansible.builtin.group: + name: logsync + system: true + +- name: Create user + ansible.builtin.user: + name: logsync + comment: Service logsync + create_home: false + group: logsync + home: /var/empty + shell: /sbin/nologin + +- name: Create authorized_keys + ansible.builtin.copy: + dest: /etc/ssh/authorized_keys.logsync + src: ../files/ssh/logsync.pub + mode: "0640" + owner: root + group: logsync + +- name: Configure sshd chroot + ansible.builtin.blockinfile: + path: /etc/ssh/sshd_config + block: | + Match User logsync + ChrootDirectory /var/www/logs + ForceCommand internal-sftp + AuthorizedKeysFile /etc/ssh/authorized_keys.logsync + marker: "# {mark} ANSIBLE MANAGED BLOCK (user logsync)" + validate: "sshd -t -f %s" + notify: Restart sshd From d0d9f3430a0393836032ace55552622c4db2fa9e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 12:47:51 +0000 Subject: [PATCH 470/596] web_logs: Refactor role completely --- roles/web_logs/meta/main.yml | 3 -- roles/web_logs/tasks/main.yml | 70 +++---------------------- roles/web_logs/templates/rclone.conf.j2 | 10 ---- users.md | 1 + 4 files changed, 8 insertions(+), 76 deletions(-) delete mode 100644 roles/web_logs/meta/main.yml delete mode 100644 roles/web_logs/templates/rclone.conf.j2 diff --git a/roles/web_logs/meta/main.yml b/roles/web_logs/meta/main.yml deleted file mode 100644 index 61cc3ce..0000000 --- a/roles/web_logs/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - {role: ssh_known_hosts} diff --git a/roles/web_logs/tasks/main.yml b/roles/web_logs/tasks/main.yml index d554ce8..0cb63fb 100644 --- a/roles/web_logs/tasks/main.yml +++ b/roles/web_logs/tasks/main.yml 
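Review bot: The `logsync` group and user are created here without a fixed `gid`/`uid`, while the same account in `roles/web_logs/tasks/main.yml` (commit 470 in this series) and the `users.md` table pin 312; the two roles should agree, e.g. `gid: 312` under the group task and `uid: 312` under the user task. `notify: Restart sshd` names a handler this role does not ship (the diffstat creates only tasks/main.yml), so the play errors with an unknown handler unless another role in the same play defines it; a `meta/main.yml` dependency or a comment naming that role would make this explicit. For an sftp-only account the Match block could also carry `AllowTcpForwarding no`, `X11Forwarding no` and `PasswordAuthentication no`, since `ForceCommand internal-sftp` by itself does not disable forwarding. sshd additionally requires `ChrootDirectory` and every parent component to be root-owned and not group/world-writable, so `/var/www/logs` should be checked against that before relying on the chroot.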
@@ -2,6 +2,7 @@ - name: Create logsync group ansible.builtin.group: name: logsync + gid: 312 system: true - name: Create logsync user @@ -11,72 +12,15 @@ createhome: false group: logsync home: /var/empty - shell: /sbin/nologin + shell: /bin/sh system: true + uid: 312 -- name: Create logsync ssh key directory - ansible.builtin.file: - path: /etc/ssh/logsync - state: directory - mode: "0750" - owner: root - group: logsync - -- name: Create logsync ssh keys - ansible.builtin.command: - argv: - - ssh-keygen - - -t - - ed25519 - - -C - - "logsync@{{ inventory_hostname }}" - - -N - - "" - - -f - - /etc/ssh/logsync/id_ed25519 - creates: /etc/ssh/logsync/id_ed25519 - -- name: Fix logsync ssh key permissions - ansible.builtin.file: - path: "{{ item }}" - owner: root - group: logsync - mode: "0640" - with_items: - - /etc/ssh/logsync/id_ed25519 - - /etc/ssh/logsync/id_ed25519.pub - -- name: Import rclone role - ansible.builtin.import_role: +- name: Include rclone role + ansible.builtin.include_role: name: rclone vars: - local_user: logsync - remote_user: logsync - hostgroup: webservers - destination: /var/cache/sync-http-logs - private_key: /etc/ssh/logsync/id_ed25519 + rclone_hostgroup: proxy + rclone_service: logsync -- name: Create cache directory - ansible.builtin.file: - path: /var/cache/sync-http-logs - state: directory - mode: "0750" - owner: logsync - group: logsync -- name: Create log directory - ansible.builtin.file: - path: /export/web-log - state: directory - mode: "0750" - owner: root - group: "{{ ansible_wheel }}" - -- name: Link data directory - ansible.builtin.file: - dest: /srv/web-log - src: /export/web-log - state: link - owner: root - group: "{{ ansible_wheel }}" - follow: false diff --git a/roles/web_logs/templates/rclone.conf.j2 b/roles/web_logs/templates/rclone.conf.j2 deleted file mode 100644 index 34524ec..0000000 --- a/roles/web_logs/templates/rclone.conf.j2 +++ /dev/null 
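Review bot: `shell: /sbin/nologin` becomes `shell: /bin/sh` for the `logsync` service account, a widening the commit message does not explain; if the rclone cron job genuinely needs a login shell, say so in a comment on the task (`# /bin/sh: required by the rclone cron job`), otherwise keep `/sbin/nologin` as the freshly created user in `nginx_logsync` in this same series does. The task also keeps the legacy `createhome:` spelling while `nginx_logsync` uses `create_home:`; `create_home: false` is the current parameter name and the two roles should match. The `Create logsync user` task header is outside the hunk.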
@@ -1,10 +0,0 @@ -# {{ ansible_managed }} -{% for host in groups['webservers'] %} - -[{{ host.split('.')[0] }}] -type = sftp -host = {{ host }} -user = logsync -key_file = ~/.ssh/id_ed25519 -known_hosts_file = /etc/ssh/ssh_known_hosts -{% endfor %} diff --git a/users.md b/users.md index 132c84e..70e9176 100644 --- a/users.md +++ b/users.md @@ -17,3 +17,4 @@ entry empty. If only a group is created, leave the user entry empty. | 309 | mirror | mirror | | | 310 | collab | collab | | | 311 | docker | docker | docker registry | +| 312 | logsync | logsync | nginx log sync | From 74a517f94211feb48c6f537d5e3573e627b485de Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 12:48:36 +0000 Subject: [PATCH 471/596] unbound_exporter: Initial version of role --- .../files/unbound_exporter_stunnel.sh | 10 ++++++++ .../templates/stunnel.conf.j2 | 23 +++++++++++++++++++ 2 files changed, 33 insertions(+) create mode 100755 roles/unbound_exporter/files/unbound_exporter_stunnel.sh create mode 100644 roles/unbound_exporter/templates/stunnel.conf.j2 diff --git a/roles/unbound_exporter/files/unbound_exporter_stunnel.sh b/roles/unbound_exporter/files/unbound_exporter_stunnel.sh new file mode 100755 index 0000000..8328224 --- /dev/null +++ b/roles/unbound_exporter/files/unbound_exporter_stunnel.sh @@ -0,0 +1,10 @@ +#!/bin/ksh + +daemon="/usr/local/sbin/stunnel" +daemon_flags="/etc/unbound_exporter/stunnel.conf" + +. /etc/rc.d/rc.subr + +rc_reload=NO + +rc_cmd $1 diff --git a/roles/unbound_exporter/templates/stunnel.conf.j2 b/roles/unbound_exporter/templates/stunnel.conf.j2 new file mode 100644 index 0000000..8f4aab4 --- /dev/null +++ b/roles/unbound_exporter/templates/stunnel.conf.j2 
@@ -0,0 +1,23 @@ +setuid = _unboundexporter +setgid = _unboundexporter + +sslVersionMin = TLSv1.3 +ciphersuites = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 +curves = X25519:prime256v1:secp384r1 + +key = {{ tls_private }}/{{ inventory_hostname }}.key +cert = {{ tls_certs }}/{{ inventory_hostname }}.crt + +verify = 2 +CAfile = {{ tls_certs }}/ca.crt + +syslog = yes + +[unbound_exporter] +{% for ip in ansible_all_ipv4_addresses %} +accept = {{ ip }}:9167 +{% endfor %} +connect = 127.0.0.1:9167 +{% for host in groups['prometheus'] %} +checkHost = {{ host }} +{% endfor %} From 53f30103b32289a3416a91b79b42df0f8fd6aa77 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 12:49:07 +0000 Subject: [PATCH 472/596] prometheus: Add unbound_exporter targets --- roles/prometheus/templates/prometheus.yml.j2 | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2 index ee9c9cb..74aa03f 100644 --- a/roles/prometheus/templates/prometheus.yml.j2 +++ b/roles/prometheus/templates/prometheus.yml.j2 @@ -60,6 +60,17 @@ scrape_configs: - target_label: __address__ replacement: nms.home.foo.sh:9116 + - job_name: unbound + scheme: https + tls_config: + ca_file: "{{ tls_certs }}/ca.crt" + key_file: "{{ tls_private }}/{{ inventory_hostname }}.key" + cert_file: "{{ tls_certs }}/{{ inventory_hostname }}.crt" + static_configs: + - targets: + - dna-gw01.home.foo.sh:9167 + - dna-gw02.home.foo.sh:9167 + - job_name: node scheme: https tls_config: From b116d3e2c013d7d25cf0f0d29afcab86737c0a97 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 12:49:40 +0000 Subject: [PATCH 473/596] Convert backup hosts to use new rclone role --- playbooks/backup.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/playbooks/backup.yml b/playbooks/backup.yml index c677db0..3712638 100644 --- a/playbooks/backup.yml +++ b/playbooks/backup.yml 
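Review bot: The `[unbound_exporter]` service accepts on every address in `ansible_all_ipv4_addresses` at port 9167 and forwards to `127.0.0.1:9167`, which only works if the exporter itself binds solely to loopback; a comment stating that assumption (`# exporter must listen on 127.0.0.1:9167 only; stunnel owns the routable addresses`) would save the next reader a port-clash hunt. As far as I recall the current stunnel manual lists `verify = LEVEL` as obsolete in favour of `verifyChain = yes` together with `CAfile`, which would also read more clearly next to the `checkHost` lines; confirm against the stunnel version shipped on these hosts. The mutual-TLS setup itself (TLS 1.3 only, client certificate required, `checkHost` limited to the prometheus group) is sound.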
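Review bot: The two `unbound` targets are hard-coded as `dna-gw01.home.foo.sh:9167` and `dna-gw02.home.foo.sh:9167`, whereas the stunnel template they pair with derives its `checkHost` list from `groups['prometheus']`; if the gateways form an inventory group, generating the target list with a `{% for host in groups[...] %}` loop keeps the scrape config and the exporter's allowed-client list in step when a host is added. The hunk sits inside `scrape_configs:`, whose start is outside the hunk.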
@@ -25,7 +25,10 @@ roles: - base + - backup_base - backup_bitbucket - backup_github - - rclone + - role: rclone + rclone_hostgroup: sftpbackup + rclone_service: backup - rsync_backup From 8b7d8da733a386f393dbd0b3863f1603b6e9aba3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 12:50:20 +0000 Subject: [PATCH 474/596] Add web_logs role to log hosts --- playbooks/log.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/log.yml b/playbooks/log.yml index c63276a..50caf5f 100644 --- a/playbooks/log.yml +++ b/playbooks/log.yml @@ -25,6 +25,7 @@ roles: - base + - web_logs tasks: - name: Install extra packages From ec405bb1c0534d6968403225b6344c599af11765 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 12:50:46 +0000 Subject: [PATCH 475/596] Add nginx_logsync role to proxy servers --- playbooks/proxy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index 89f7a53..7780db6 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -16,6 +16,7 @@ - base - ifstated - nginx + - nginx_logsync - role: nginx_site nginx_site_name: ca.foo.sh - role: nginx_site From 8742d750a3c43e71ef94bcc2a6d6495a08ea9468 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 15:24:38 +0000 Subject: [PATCH 476/596] nginx: Remove RHEL8 support --- roles/nginx/tasks/main.yml | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 14e5d2a..9158ee5 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml 
@@ -2,21 +2,6 @@ - name: Include OS-specific variables ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" -- name: Enable nginx:122 module - ansible.builtin.command: - argv: - - dnf - - module - - -y - - enable - - nginx:1.22 - creates: /etc/dnf/modules.d/nginx.module - notify: Restart nginx - when: - - ansible_os_family == "RedHat" - - ansible_distribution_major_version | int == 8 - - ansible_distribution != "Fedora" - - name: Enable nginx:124 module ansible.builtin.command: argv: From fa42610bff9a2fd64e18924c0dde31ce95427f2a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 15:46:24 +0000 Subject: [PATCH 477/596] Add more editors to adm hosts --- playbooks/adm.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 272dbdf..06d5894 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml @@ -46,11 +46,13 @@ name: "{{ item }}" state: installed with_items: + - emacs-nox # more editors - httpd-tools # htpasswd - knot-utils # kdig (dns over tls) - libvirt-client # kvm host client - make # generic building - mariadb # mariadb client tools + - nano # more editors - nmap # check for open ports - nsd # check dns zone files - podman # building containers From 34daaee91e869b1f9f3db8f865bfab3012362d39 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 16:12:47 +0000 Subject: [PATCH 478/596] syslogd: Fix whitespaces from newsyslog config --- roles/syslogd/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/syslogd/tasks/main.yml b/roles/syslogd/tasks/main.yml index 69170e5..cd005bc 100644 --- a/roles/syslogd/tasks/main.yml +++ b/roles/syslogd/tasks/main.yml @@ -24,7 +24,7 @@ path: /etc/newsyslog.conf regexp: "^/var/log/all.log.*" line: |- - /var/log/all.log root:{{ ansible_wheel }} 640 7 * $D0 Z + /var/log/all.log root:{{ ansible_wheel }} 640 7 * $D0 Z - name: Configure certificates for remote logging ansible.builtin.service: 
From a5dafee6cb48e1c00f6ff39d04dd3bd31622daa8 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 16:13:24 +0000 Subject: [PATCH 479/596] nginx: Fix newsyslog config on OpenBSD --- roles/nginx/tasks/main.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 9158ee5..4a2f2c9 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -70,6 +70,17 @@ group: "{{ ansible_wheel }}" when: ansible_os_family == "RedHat" +- name: Fix rotating access.log + ansible.builtin.lineinfile: + path: /etc/newsyslog.conf + regexp: "^{{ item }}\\s" + line: |- + {{ '{:<40}'.format(item) }}644 7 250 * Z /var/run/nginx.pid + with_items: + - /var/www/logs/access.log + - /var/www/logs/error.log + when: ansible_system == "OpenBSD" + - name: Enable nginx service ansible.builtin.service: name: nginx From 1a71f92138fb1e3c6647c00125c362619c1d1807 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 24 Jan 2025 16:18:44 +0000 Subject: [PATCH 480/596] web_logs: Create data directories --- roles/web_logs/tasks/main.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/roles/web_logs/tasks/main.yml b/roles/web_logs/tasks/main.yml index 0cb63fb..a9742f7 100644 --- a/roles/web_logs/tasks/main.yml +++ b/roles/web_logs/tasks/main.yml @@ -23,4 +23,19 @@ rclone_hostgroup: proxy rclone_service: logsync +- name: Create data directory + ansible.builtin.file: + path: /export/web-log + state: directory + mode: "0750" + owner: root + group: "{{ ansible_wheel }}" +- name: Link data directory + ansible.builtin.file: + path: /srv/web-log + src: /export/web-log + state: link + owner: root + group: "{{ ansible_wheel }}" + follow: false From 0e570efebd84a885b1aa41d8591c47b9783afae2 Mon Sep 17 00:00:00 2001 
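Review bot: `regexp: "^{{ item }}\\s"` interpolates a path with unescaped `.` characters into a regular expression, so `/var/www/logs/access.log` also matches any line starting with `/var/www/logs/accessXlog`; `regexp: "^{{ item | regex_escape }}\\s"` makes the match literal. The `line:` value relies on `'{:<40}'.format(item)` to keep the newsyslog columns aligned, which works but is not obvious and deserves a one-line comment such as `# newsyslog.conf columns: logfile mode count size when flags pidfile`.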
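Review bot: `Create data directory` and `Link data directory` set up `/srv/web-log -> /export/web-log` as `0750` `root:{{ ansible_wheel }}`, but the rclone role included just above (the `rclone_service: logsync` context lines) syncs into `/srv/logsync/<host>` and logs under `/var/log/rclone/logsync`, and the `logsync` account cannot write into a root-owned 0750 directory anyway, so nothing visible in the role populates `/export/web-log`. If it is the long-term archive that some other job moves synced logs into, a comment naming that job would help; if it is a leftover of the pre-refactor task removed in commit 470, it can be dropped.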
From: Timo Makinen Date: Fri, 24 Jan 2025 16:26:14 +0000 Subject: [PATCH 481/596] nginx: Rotate logs daily on OpenBSD --- roles/nginx/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 4a2f2c9..0461f73 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -75,7 +75,7 @@ path: /etc/newsyslog.conf regexp: "^{{ item }}\\s" line: |- - {{ '{:<40}'.format(item) }}644 7 250 * Z /var/run/nginx.pid + {{ '{:<40}'.format(item) }}644 7 * $D0 Z /var/run/nginx.pid with_items: - /var/www/logs/access.log - /var/www/logs/error.log From d0699117bc851c1aef8ebe775a6354e2607a98da Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 25 Jan 2025 18:33:59 +0000 Subject: [PATCH 482/596] Update homeassistant --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index c142740..bc70c20 100644 --- a/hosts.yml +++ b/hosts.yml @@ -36,7 +36,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2024.12" + homeassistant_version: "2025.1" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git From a0a70e4289b8c67b9c731ea9a670a5b3d7788c94 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 25 Jan 2025 18:57:17 +0000 Subject: [PATCH 483/596] Add ESPSomfy plugin to homeassistant --- hosts.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts.yml b/hosts.yml index bc70c20..0603e62 100644 --- a/hosts.yml +++ b/hosts.yml @@ -41,6 +41,9 @@ homeassistant: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git version: v2.0.9 + - name: espsomfy_rts + repo: https://github.com/rstrouse/ESPSomfy-RTS-HA.git + version: v2.4.7 influxdb: hosts: influxdb01.home.foo.sh: From 11e094eeda5fb901a1237726c0f548f7c41e93b6 Mon Sep 17 00:00:00 2001 
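Review bot: `version: v2.4.7` pins the ESPSomfy integration to a git tag, and tags on a third-party repository can be moved or re-pushed; if the consuming role checks this out with `ansible.builtin.git`, pinning `version:` to the tag's commit SHA gives an immutable reference, with the tag kept in a trailing comment (`# v2.4.7`). The same applies to the `electrolux_status` entry in the context lines. How `homeassistant_integrations` is consumed is outside the hunk.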
From: Timo Makinen Date: Sun, 26 Jan 2025 21:20:19 +0000 Subject: [PATCH 484/596] Fix nodered version --- hosts.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts.yml b/hosts.yml index 0603e62..e9d66be 100644 --- a/hosts.yml +++ b/hosts.yml @@ -44,6 +44,7 @@ homeassistant: - name: espsomfy_rts repo: https://github.com/rstrouse/ESPSomfy-RTS-HA.git version: v2.4.7 + nodered_version: 4.0.8 influxdb: hosts: influxdb01.home.foo.sh: From 8b90b85b8fefe4a5837e392542fb98767d58bab6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Mon, 27 Jan 2025 04:43:43 +0000 Subject: [PATCH 485/596] blackbox_exporter: Don't create home directory --- roles/blackbox_exporter/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/blackbox_exporter/tasks/main.yml b/roles/blackbox_exporter/tasks/main.yml index b3e2410..ade2edd 100644 --- a/roles/blackbox_exporter/tasks/main.yml +++ b/roles/blackbox_exporter/tasks/main.yml @@ -9,6 +9,7 @@ name: _blackboxexporter groups: hostkey append: true + create_home: false notify: Restart blackbox_exporter - name: Create main config From ec1b8cb9e6609aae5c60bcd9089bcbae369e6480 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 28 Jan 2025 15:13:10 +0000 Subject: [PATCH 486/596] homeassistant: Run service as non root user --- .../files/99-homeassistant.rules | 2 +- .../files/homeassistant-docker-venv.patch | 139 ++++++++++++++++++ roles/homeassistant/tasks/main.yml | 56 ++++++- .../homeassistant-container.service.j2 | 6 +- 4 files changed, 193 insertions(+), 10 deletions(-) create mode 100644 roles/homeassistant/files/homeassistant-docker-venv.patch diff --git a/roles/homeassistant/files/99-homeassistant.rules b/roles/homeassistant/files/99-homeassistant.rules index 42b1684..04728a9 100644 --- a/roles/homeassistant/files/99-homeassistant.rules +++ b/roles/homeassistant/files/99-homeassistant.rules 
@@ -1 +1 @@ -SUBSYSTEM=="tty", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="ea60", MODE="0660", GROUP="ha" +SUBSYSTEM=="tty", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="ea60", MODE="0660", GROUP="homeassistant" diff --git a/roles/homeassistant/files/homeassistant-docker-venv.patch b/roles/homeassistant/files/homeassistant-docker-venv.patch new file mode 100644 index 0000000..60eac58 --- /dev/null +++ b/roles/homeassistant/files/homeassistant-docker-venv.patch 
@@ -0,0 +1,139 @@ +--- run.orig 2025-01-28 08:45:53.981024625 +0000 ++++ run 2025-01-28 08:45:38.177986885 +0000 +@@ -21,49 +21,52 @@ + # Create user + # + +-# Some HA commands seem to fail if we don't have an actual user. +-# ie: shell_command would return error code 255 +-bashio::log.info "Creating user $USER with $PUID:$PGID" +- +-deluser "$USER" >/dev/null 2>&1 || true +-delgroup "$GROUP" >/dev/null 2>&1 || true +- +-# Re-use existing group (can't delgroup a group that is in use) +-group="$(getent group "$PGID" | cut -d: -f1 || true)" +-if [ -z "$group" ]; then +- addgroup -g "$PGID" "$GROUP" +-else +- bashio::log.notice "Re-using existing group with gid $PGID: $group" +- GROUP="$group" +-fi +- +-# Replace existing user (ensures correct shell and primary group) +-user="$(getent passwd "$PUID" | cut -d: -f1 || true)" +-if [ -n "$user" ]; then +- bashio::log.notice "Replacing existing user with uid $PUID: $user" +- deluser "$user" +-fi +-adduser -G "$GROUP" -D -u "$PUID" "$USER" ++if [ "$(whoami)" != "homeassistant" ]; then + +-if [ -n "${EXTRA_GID:-}" ]; then +- bashio::log.info "Resolving supplementary GIDs: $EXTRA_GID" +- supplementary_groups=() +- +- for gid in $EXTRA_GID; do +- group="$(getent group "$gid" | cut -d: -f1 || true)" +- +- if [ -z "$group" ]; then +- group="$USER-$gid" +- addgroup -g "$gid" "$group" +- fi ++ # Some HA commands seem to fail if we don't have an actual user. 
++ # ie: shell_command would return error code 255 ++ bashio::log.info "Creating user $USER with $PUID:$PGID" ++ ++ deluser "$USER" >/dev/null 2>&1 || true ++ delgroup "$GROUP" >/dev/null 2>&1 || true ++ ++ # Re-use existing group (can't delgroup a group that is in use) ++ group="$(getent group "$PGID" | cut -d: -f1 || true)" ++ if [ -z "$group" ]; then ++ addgroup -g "$PGID" "$GROUP" ++ else ++ bashio::log.notice "Re-using existing group with gid $PGID: $group" ++ GROUP="$group" ++ fi + +- supplementary_groups+=( "$group" ) +- done ++ # Replace existing user (ensures correct shell and primary group) ++ user="$(getent passwd "$PUID" | cut -d: -f1 || true)" ++ if [ -n "$user" ]; then ++ bashio::log.notice "Replacing existing user with uid $PUID: $user" ++ deluser "$user" ++ fi ++ adduser -G "$GROUP" -D -u "$PUID" "$USER" + +- bashio::log.info "Appending supplementary groups: ${supplementary_groups[*]}" +- for group in "${supplementary_groups[@]}"; do +- addgroup "$USER" "$group" +- done ++ if [ -n "${EXTRA_GID:-}" ]; then ++ bashio::log.info "Resolving supplementary GIDs: $EXTRA_GID" ++ supplementary_groups=() ++ ++ for gid in $EXTRA_GID; do ++ group="$(getent group "$gid" | cut -d: -f1 || true)" ++ ++ if [ -z "$group" ]; then ++ group="$USER-$gid" ++ addgroup -g "$gid" "$group" ++ fi ++ ++ supplementary_groups+=( "$group" ) ++ done ++ ++ bashio::log.info "Appending supplementary groups: ${supplementary_groups[*]}" ++ for group in "${supplementary_groups[@]}"; do ++ addgroup "$USER" "$group" ++ done ++ fi + fi + + # +@@ -82,8 +85,12 @@ + # + + bashio::log.info "Initializing venv in $VENV_PATH" +-su "$USER" \ +- -c "python3 -m venv --system-site-packages '$VENV_PATH'" ++if [ "$(whoami)" = "homeassistant" ]; then ++ python3 -m venv --system-site-package "$VENV_PATH" ++else ++ su "$USER" \ ++ -c "python3 -m venv --system-site-packages '$VENV_PATH'" ++fi + + # + # Fix permissions +@@ -104,8 +111,12 @@ + export UV_SYSTEM_PYTHON=false + + bashio::log.info "Installing uv 
into venv" +-uv --version && su "$USER" \ +- -c "uv pip freeze --system|grep ^uv=|xargs uv pip install" ++if [ "$(whoami)" = "homeassistant" ]; then ++ uv --version && uv pip freeze --system|grep ^uv=|xargs uv pip install ++else ++ uv --version && su "$USER" \ ++ -c "uv pip freeze --system|grep ^uv=|xargs uv pip install" ++fi + + bashio::log.info "Setting new \$HOME" + HOME="$( getent passwd "$USER" | cut -d: -f6 )" +@@ -122,6 +133,10 @@ + fi + + bashio::log.info "Starting homeassistant" +-exec \ +- s6-setuidgid "$USER" \ +- python3 -m homeassistant --config "$CONFIG_PATH" ++if [ "$(whoami)" = "homeassistant" ]; then ++ exec python3 -m homeassistant --config "$CONFIG_PATH" ++else ++ exec \ ++ s6-setuidgid "$USER" \ ++ python3 -m homeassistant --config "$CONFIG_PATH" ++fi diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index c11dfcb..ab6bc4f 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml @@ -1,13 +1,13 @@ --- - name: Create group ansible.builtin.group: - name: ha + name: homeassistant - name: Create user ansible.builtin.user: - name: ha + name: homeassistant comment: Podman HomeAssistant - group: ha + group: homeassistant shell: /sbin/nologin - name: Enable user lingering @@ -15,8 +15,8 @@ argv: - loginctl - enable-linger - - ha - creates: /var/lib/systemd/linger/ha + - homeassistant + creates: /var/lib/systemd/linger/homeassistant - name: Install dependencies ansible.builtin.package: 
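Review bot: In the venv-initialisation branch the option is spelled `--system-site-package`, while the `su` fallback two lines below and the original line use `--system-site-packages`; `python3 -m venv` accepts it only because argparse allows unambiguous prefixes, so the line should read `python3 -m venv --system-site-packages "$VENV_PATH"`. The patch also hard-codes the user name `homeassistant` in four `whoami` tests; if `$USER` in that script names the desired service account, `[ "$(whoami)" = "$USER" ]` would make the patch independent of the role's user rename. This file is itself a patch, so its hunks refer to the upstream `run` script, not to this repository.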
@@ -25,6 +25,46 @@ with_items: - bluez - git + - patch + +- name: Get venv support for container + ansible.builtin.git: + dest: /usr/local/src/homeassistant-docker-venv + repo: https://github.com/tribut/homeassistant-docker-venv.git + update: true + version: master + register: git_result + +- name: Create venv support directory + ansible.builtin.file: + path: /usr/local/libexec/homeassistant-docker-venv + state: directory + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Check if venv support script exists + ansible.builtin.stat: + path: /usr/local/libexec/homeassistant-docker-venv/run + changed_when: false + register: stat_result + +- name: Copy venv support script + ansible.builtin.copy: + dest: /usr/local/libexec/homeassistant-docker-venv/run + src: /usr/local/src/homeassistant-docker-venv/run + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + remote_src: true + when: not stat_result.stat.exists or git_result.changed + +# https://github.com/home-assistant/core/issues/128214 +- name: Patch venv support script + ansible.posix.patch: + dest: /usr/local/libexec/homeassistant-docker-venv/run + src: homeassistant-docker-venv.patch + notify: Restart homeassistant - name: Enable bluetooth services ansible.builtin.service: @@ -69,7 +109,7 @@ state: true persistent: true -- name: Allow ha to connect specific devices +- name: Allow homeassistant to connect specific devices ansible.builtin.copy: dest: /etc/udev/rules.d/99-homeassistant.rules src: 99-homeassistant.rules @@ -83,8 +123,8 @@ path: /export/homeassistant state: directory mode: "0700" - owner: ha - group: ha + owner: homeassistant + group: homeassistant setype: _default - name: Link config directory diff --git a/roles/homeassistant/templates/homeassistant-container.service.j2 b/roles/homeassistant/templates/homeassistant-container.service.j2 index 9f14fa7..a22c105 100644 --- a/roles/homeassistant/templates/homeassistant-container.service.j2 
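Review bot: `Get venv support for container` clones `tribut/homeassistant-docker-venv` at `version: master` with `update: true`, so every playbook run pulls whatever is currently on that branch and, via `git_result.changed`, copies it into `/usr/local/libexec/homeassistant-docker-venv/run`, which the service template mounts as the container's service entrypoint; an unreviewed upstream push therefore lands in the running service at the next run. Pin `version:` to a reviewed commit SHA (keeping `update: true` so a deliberate bump still propagates) and note the reason next to the comment that already cites the upstream issue. `changed_when: false` on the `stat` task is redundant, since `stat` never reports a change. The `Enable bluetooth services` context continues outside the hunk.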
+++ b/roles/homeassistant/templates/homeassistant-container.service.j2 @@ -4,15 +4,19 @@ Wants=network-online.target After=network-online.target [Service] -User=ha +User=homeassistant ExecStart=/usr/bin/podman run \ --rm -p 127.0.0.1:8008:8123 \ --name homeassistant \ + --env PGID=1000 \ + --env PUID=1000 \ --env TZ=Europe/Helsinki \ + --env UMASK=007 \ --userns keep-id \ --device /dev/ttyUSB0 \ --volume /run/dbus:/run/dbus:ro \ --volume /srv/homeassistant:/config:rw \ + --volume /usr/local/libexec/homeassistant-docker-venv/run:/etc/services.d/home-assistant/run:ro \ docker.io/homeassistant/home-assistant:{{ homeassistant_version }} ExecStop=/usr/bin/podman stop --ignore homeassistant ExecStopPost=/usr/bin/podman rm -f --ignore homeassistant From e2fdee682d9b9701efa04af039f23278d002ba15 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 29 Jan 2025 23:30:44 +0000 Subject: [PATCH 487/596] homeassistant: Automatically add shellies to mqtt --- roles/homeassistant/tasks/main.yml | 10 ++++++++++ roles/homeassistant/templates/mqtt.yaml.j2 | 13 +++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 roles/homeassistant/templates/mqtt.yaml.j2 diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index ab6bc4f..d76b79d 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml @@ -145,6 +145,16 @@ group: "{{ ansible_wheel }}" setype: _default +- name: Create mqtt config file + ansible.builtin.template: + dest: /srv/homeassistant/mqtt.yaml + src: mqtt.yaml.j2 + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + setype: _default + notify: Restart homeassistant + - name: Create directories for custom integrations ansible.builtin.file: path: "{{ item }}" diff --git a/roles/homeassistant/templates/mqtt.yaml.j2 b/roles/homeassistant/templates/mqtt.yaml.j2 new file mode 100644 index 0000000..8d70762 --- /dev/null +++ b/roles/homeassistant/templates/mqtt.yaml.j2 
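Review bot: `--env PUID=1000` and `--env PGID=1000` are only meaningful if they match the host `homeassistant` account, but the `Create user` task in this commit creates it without a fixed `uid`/`gid`, and `users.md` in this series allocates service accounts in the 3xx range; with `--userns keep-id` the container runs as the host uid regardless of these values, so a mismatch leaves the two numbers silently disagreeing. Either pin `uid`/`gid` in the user tasks or template both places from one variable, e.g. `--env PUID={{ homeassistant_uid }} \`, and add a short comment (`# must match the uid/gid of the host homeassistant user`). The `ExecStart` line begins before the hunk.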
@@ -0,0 +1,13 @@ +--- +sensor: +{% for shelly in shellies | selectattr("name", "match", "^shellyplug-s-") | list %} + - name: Power Usage + state_topic: home/{{ shelly["room"] }}/{{ shelly["device"] }}/relay/0/power + unique_id: {{ shelly["name"] }} + unit_of_measurement: W + device: + name: {{ shelly["device"] | capitalize }} + suggested_area: {{ shelly["room"] | replace("_", " ") | capitalize }} + identifiers: + - {{ shelly["name"] }} +{% endfor %} From 04b98d5b7f3971e3c31279f0603a61c0f6945a7d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 29 Jan 2025 23:31:20 +0000 Subject: [PATCH 488/596] homeassistant: Add yamllint to check configs --- roles/homeassistant/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index d76b79d..3e368d1 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml @@ -26,6 +26,7 @@ - bluez - git - patch + - yamllint - name: Get venv support for container ansible.builtin.git: From d9b6c2d27ffe37200148c5b430ca2c9890224614 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 12:30:33 +0000 Subject: [PATCH 489/596] nginx: Add custom logrotate script for OpenBSD --- roles/nginx/tasks/main.yml | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 0461f73..a397adf 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml 
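Review bot: The templated scalars are emitted unquoted — `unique_id: {{ shelly["name"] }}`, `name: {{ ... | capitalize }}`, `suggested_area: ...` and the `identifiers` item — so a device name that happens to look like a number, boolean or date is retyped by the YAML loader, and a value containing `: ` or ` #` breaks the document. Quote them, e.g. `unique_id: "{{ shelly['name'] }}"`, and likewise `state_topic`. The `yamllint` check added in the next commit flags truthy-looking values but not numeric-looking ones, so quoting at the template is the reliable fix.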
@@ -70,15 +70,28 @@ group: "{{ ansible_wheel }}" when: ansible_os_family == "RedHat" -- name: Fix rotating access.log - ansible.builtin.lineinfile: +- name: Disable web logs from newsyslog + ansible.builtin.replace: path: /etc/newsyslog.conf - regexp: "^{{ item }}\\s" - line: |- - {{ '{:<40}'.format(item) }}644 7 * $D0 Z /var/run/nginx.pid - with_items: - - /var/www/logs/access.log - - /var/www/logs/error.log + regexp: "^/var/www/logs/" + replace: "#/var/www/logs/" + when: ansible_system == "OpenBSD" + +- name: Install logrotate script + ansible.builtin.copy: + dest: /usr/local/bin/nginx-logrotate + src: nginx-logrotate.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + when: ansible_system == "OpenBSD" + +- name: Add logrotate cron job + ansible.builtin.cron: + name: nginx-logrotate + hour: "0" + minute: "0" + job: /usr/local/bin/nginx-logrotate when: ansible_system == "OpenBSD" - name: Enable nginx service From ee6fbb48c7d65c92d16455db363e1f1363189da5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 12:31:29 +0000 Subject: [PATCH 490/596] routeros_firmware: Move README to own file --- roles/routeros_firmware/files/README.md | 16 ++++++++++++++++ roles/routeros_firmware/tasks/main.yml | 10 +--------- 2 files changed, 17 insertions(+), 9 deletions(-) create mode 100644 roles/routeros_firmware/files/README.md diff --git a/roles/routeros_firmware/files/README.md b/roles/routeros_firmware/files/README.md new file mode 100644 index 0000000..91fed9c --- /dev/null +++ b/roles/routeros_firmware/files/README.md @@ -0,0 +1,16 @@ +# Mikrotik Routeros Cheat Sheet + +## Update + +``` +/system package update print +/tool fetch url=https://oob.foo.sh/routeros/routeros-7.13.4-arm.npk +/system reboot +/system package update print +``` + +## Change port vlan + +``` +/interface/bridge/port/set [find where bridge=bridge and interface=ether1] pvid=30 +``` 
diff --git a/roles/routeros_firmware/tasks/main.yml b/roles/routeros_firmware/tasks/main.yml index 39d244b..248abde 100644 --- a/roles/routeros_firmware/tasks/main.yml +++ b/roles/routeros_firmware/tasks/main.yml @@ -10,15 +10,7 @@ - name: Install README.md ansible.builtin.copy: dest: /srv/web/oob.foo.sh/routeros/README.md - content: | - ## Update - - ``` - /system package update print - /tool fetch url=https://oob.foo.sh/routeros/routeros-7.13.4-arm.npk - /system reboot - /system package update print - ``` + src: README.md mode: "0644" owner: root group: "{{ ansible_wheel }}" From 943ad5ef8b45a3465d165ec93492336bc8d9c701 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 12:31:58 +0000 Subject: [PATCH 491/596] Add switch config backup script to nms hosts --- playbooks/nms.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 61de5ee..8232a67 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -74,3 +74,14 @@ - rcs - unzip - wget + + - name: Create sw-backup script + ansible.builtin.copy: + dest: /usr/local/bin/sw-backup + content: | + #!/bin/sh + set -eu + ssh "admin@{$1}" /export > "/srv/backup/${1}.rsc" + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" From 11fbb4a7209c92f8c9f7442b8514558c4c48d818 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 12:32:49 +0000 Subject: [PATCH 492/596] nginx: Add missing logrotate script --- roles/nginx/files/nginx-logrotate.sh | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100755 roles/nginx/files/nginx-logrotate.sh diff --git a/roles/nginx/files/nginx-logrotate.sh b/roles/nginx/files/nginx-logrotate.sh new file mode 100755 index 0000000..8fe8338 --- /dev/null +++ b/roles/nginx/files/nginx-logrotate.sh 
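Review bot: `ssh "admin@{$1}" /export` has the braces on the wrong side of the dollar sign: `{$1}` expands to a literal `{`, the argument, and `}`, so the script tries to reach `admin@{switch}` and fails for every host; the line should be `ssh "admin@${1}" /export > "/srv/backup/${1}.rsc"`. Since `$1` also names the output file, a usage check right after `set -eu`, `[ $# -eq 1 ] || { echo "usage: sw-backup <switch>" >&2; exit 1; }`, gives a clearer failure than the `set -u` message when the argument is missing.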
@@ -0,0 +1,28 @@ +#!/bin/sh + +set -eu + +cd /var/www/logs + +find_rotated() { + find . -mindepth 1 -maxdepth 1 -type f -name "${1}.*" | sort -V -r +} + +for log in *.log ; do + find_rotated "$log" | while read -r name; do + ext="${name##*.}" + next="${name%.*}.$((ext+1))" + mv "$name" "$next" + done + mv "$log" "${log}.1" + touch "$log" + + find_rotated "$log" | while read -r name; do + num="$(echo "$name" | awk -F. '{ print $NF }')" + if [ "$num" -gt 7 ]; then + rm -f "$log" + fi + done +done + +kill -USR1 "$(cat /var/run/nginx.pid)" From 20626d18d5f937318d4297e51fef709f37e37548 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 16:56:35 +0000 Subject: [PATCH 493/596] Allow serial port passthrough to virtual machines --- playbooks/include/deploy-kvm-guest.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/playbooks/include/deploy-kvm-guest.yml b/playbooks/include/deploy-kvm-guest.yml index 3b72157..5464cd5 100644 --- a/playbooks/include/deploy-kvm-guest.yml +++ b/playbooks/include/deploy-kvm-guest.yml @@ -99,7 +99,11 @@ {% endif -%} {% if virt_install_devices is defined -%} {% for dev in virt_install_devices -%} + {% if dev | regex_search('^/dev/tty') -%} + --serial dev,path={{ dev }} + {% else -%} --hostdev {{ dev }} \ + {% endif -%} {% endfor -%} {% else -%} --controller usb,model=none \ From 5a4a6de8be30ef165ede3b86ea7d983be053b2b9 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 16:57:17 +0000 Subject: [PATCH 494/596] Use device id's for passthrough --- host_vars/homeassistant01.home.foo.sh.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/host_vars/homeassistant01.home.foo.sh.yml b/host_vars/homeassistant01.home.foo.sh.yml index 922e502..b2ab0ee 100644 --- a/host_vars/homeassistant01.home.foo.sh.yml +++ b/host_vars/homeassistant01.home.foo.sh.yml 
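Review bot: In the pruning loop at the bottom of nginx-logrotate.sh, `rm -f "$log"` deletes the live log that was just touched whenever any rotated copy is numbered above 7, while the rotated file `$name` that the check is about is kept; the line should read `rm -f "$name"`. The renaming loop also assumes every suffix matched by `"${1}.*"` is numeric — `$((ext+1))` aborts the script under `set -e` if a stray `access.log.gz` or similar is ever present — so either anchor the find pattern to digits or skip non-numeric names. Finally, with no `*.log` files present the glob stays literal and `mv '*.log'` fails; a `[ -e "$log" ] || continue` guard at the top of the loop covers that case.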
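Review bot: The new `--serial dev,path={{ dev }}` line in the deploy-kvm-guest.yml hunk has no trailing backslash, whereas the surrounding option lines (`--hostdev {{ dev }} \`, `--controller usb,model=none \`) all continue the command with ` \`; if this template renders a multi-line shell command, the serial option terminates it early and every option that follows is lost or parsed as a separate command. Presumably the line should be `--serial dev,path={{ dev }} \`. The enclosing command template starts and ends outside this hunk, so I cannot confirm from here how the rendered text is executed.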
@@ -9,6 +9,6 @@ network_interfaces: - device: eth2 vlan: 30 virt_install_devices: - - 001.002 - - 001.005 - - 001.006 + - 0b05:190e + - 10c4:ea60 + - /dev/ttyUSB8 From 5832a1208446354465140ba465f0ab874163b4c3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 16:58:18 +0000 Subject: [PATCH 495/596] Pass secrets to homeassistant playbook --- playbooks/homeassistant.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/playbooks/homeassistant.yml b/playbooks/homeassistant.yml index cbe61cc..1baf203 100644 --- a/playbooks/homeassistant.yml +++ b/playbooks/homeassistant.yml @@ -9,6 +9,9 @@ user: root gather_facts: true + vars_files: + - "{{ ansible_private }}/vars.yml" + pre_tasks: - name: Mount /export ansible.posix.mount: From 27fbb3eca61614f2682d216060370ba0acd34ec2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 18:06:40 +0000 Subject: [PATCH 496/596] Update software submodule --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index bbe8e4f..2f00235 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit bbe8e4f819fd748e41ff1938fc7ae0c20aa3d33b +Subproject commit 2f00235a10cbd03324e3f21cbdebbf0b2f9ca1e5 From ad625d47d61b4de9ca6c3351672dd2d9f715010c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 18:20:47 +0000 Subject: [PATCH 497/596] rsync_backup: Fix yamllint errors --- roles/rsync_backup/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/rsync_backup/tasks/main.yml b/roles/rsync_backup/tasks/main.yml index 7562bb0..d0cfa26 100644 --- a/roles/rsync_backup/tasks/main.yml +++ b/roles/rsync_backup/tasks/main.yml @@ -49,4 +49,3 @@ job: /usr/local/sbin/backup-daily -a -p -r hour: "00" minute: "30" - From f0b1b064db853b572d35762a77094019fd6db95c Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Thu, 30 Jan 2025 19:13:32 +0000 Subject: [PATCH 498/596] mkhomedir: Convert shell to command --- roles/mkhomedir/tasks/main.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/mkhomedir/tasks/main.yml b/roles/mkhomedir/tasks/main.yml index eac4cc3..7ec1627 100644 --- a/roles/mkhomedir/tasks/main.yml +++ b/roles/mkhomedir/tasks/main.yml @@ -5,11 +5,15 @@ state: installed - name: Get current state of authselect - ansible.builtin.shell: - cmd: /usr/bin/authselect current --raw ; /bin/true + ansible.builtin.command: + argv: + - /usr/bin/authselect + - current + - "--raw" register: result check_mode: false changed_when: false + failed_when: result.rc not in [0, 2] - name: Enable mkhomedir ansible.builtin.command: From 243574e4150b24d1585960b7410bb7a4196ff9bd Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 19:17:45 +0000 Subject: [PATCH 499/596] sssd: Better error handling --- roles/sssd/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/sssd/tasks/main.yml b/roles/sssd/tasks/main.yml index e0410dc..1ce5a2a 100644 --- a/roles/sssd/tasks/main.yml +++ b/roles/sssd/tasks/main.yml @@ -26,9 +26,9 @@ - current - --raw register: result - failed_when: false check_mode: false changed_when: false + failed_when: result.rc not in [0, 2] - name: Switch authselect to use sssd ansible.builtin.command: From 872115a9a98f9dc7f66d0813d6e34f32b7b9a0e4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 19:32:52 +0000 Subject: [PATCH 500/596] keytab: Don't use hardcoded tempfile --- roles/keytab/tasks/main.yml | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/roles/keytab/tasks/main.yml b/roles/keytab/tasks/main.yml index 828e4fd..d41a2e3 100644 --- a/roles/keytab/tasks/main.yml +++ b/roles/keytab/tasks/main.yml 
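Review bot: The new `failed_when: result.rc not in [0, 2]` in the mkhomedir hunk (and the identical line in the sssd hunk that follows) treats exit status 2 as acceptable without saying why, which the next reader will have to look up. A one-line comment above it, `# rc 2: authselect reports no profile currently selected — confirm against authselect(8)`, records the intent; I am inferring the meaning of 2 from how the result is used, so verify it. The two hunks also differ in quoting the same argument (`- "--raw"` here, `- --raw` in sssd); both are valid YAML, but picking one form keeps the roles consistent.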
@@ -5,6 +5,21 @@ register: keytab_status check_mode: false +- name: Create temporary file + ansible.builtin.tempfile: + state: file + register: tempfile + when: not keytab_status.stat.exists + +- name: Initialize keytab + ansible.builtin.copy: + dest: tempfile.path + content: "\\0005\\0002\\c" + mode: "0600" + owner: root + group: "{{ ansible_wheel }}" + when: not keytab_status.stat.exists + - name: Add principal to keytab ansible.builtin.command: argv: @@ -13,7 +28,7 @@ - host=ldaps://ldap01.foo.sh - ktadd - -k - - "/tmp/{{ inventory_hostname }}.kt" + - "{{ tempfile.path }}" - "{{ item }}" with_items: "{{ keytab_principals }}" delegate_to: ldap01.home.foo.sh @@ -23,14 +38,14 @@ ansible.builtin.command: argv: - base64 - - "/tmp/{{ inventory_hostname }}.kt" + - "{{ tempfile.path }}" register: keytab_data delegate_to: ldap01.home.foo.sh when: not keytab_status.stat.exists - name: Delete temporary file ansible.builtin.file: - path: "/tmp/{{ inventory_hostname }}.kt" + path: "{{ tempfile.path }}" state: absent delegate_to: ldap01.home.foo.sh when: not keytab_status.stat.exists From 981b954682becf06559760349a08670bf57aefca Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 30 Jan 2025 20:05:47 +0000 Subject: [PATCH 501/596] keytab: Try make code cleaner --- roles/keytab/files/empty.keytab | 1 + roles/keytab/tasks/main.yml | 78 ++++++++++++++++----------------- 2 files changed, 38 insertions(+), 41 deletions(-) create mode 100644 roles/keytab/files/empty.keytab diff --git a/roles/keytab/files/empty.keytab b/roles/keytab/files/empty.keytab new file mode 100644 index 0000000..2e2a96a --- /dev/null +++ b/roles/keytab/files/empty.keytab @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/roles/keytab/tasks/main.yml b/roles/keytab/tasks/main.yml index d41a2e3..ef83269 100644 --- a/roles/keytab/tasks/main.yml +++ b/roles/keytab/tasks/main.yml 
@@ -5,50 +5,46 @@ register: keytab_status check_mode: false -- name: Create temporary file - ansible.builtin.tempfile: - state: file - register: tempfile - when: not keytab_status.stat.exists +- name: Create keytab + block: + - name: Create temporary file + ansible.builtin.tempfile: + state: file + register: tempfile -- name: Initialize keytab - ansible.builtin.copy: - dest: tempfile.path - content: "\\0005\\0002\\c" - mode: "0600" - owner: root - group: "{{ ansible_wheel }}" - when: not keytab_status.stat.exists + - name: Initialize keytab + ansible.builtin.copy: + dest: "{{ tempfile.path }}" + src: empty.keytab + mode: "0600" + owner: root + group: "{{ ansible_wheel }}" -- name: Add principal to keytab - ansible.builtin.command: - argv: - - kadmin.local - - -x - - host=ldaps://ldap01.foo.sh - - ktadd - - -k - - "{{ tempfile.path }}" - - "{{ item }}" - with_items: "{{ keytab_principals }}" + - name: Add principal to keytab + ansible.builtin.command: + argv: + - kadmin.local + - -x + - host=ldaps://ldap01.foo.sh + - ktadd + - -k + - "{{ tempfile.path }}" + - "{{ item }}" + with_items: "{{ keytab_principals }}" + + - name: Get keytab + ansible.builtin.command: + argv: + - base64 + - "{{ tempfile.path }}" + register: keytab_data + + - name: Delete temporary file + ansible.builtin.file: + path: "{{ tempfile.path }}" + state: absent + when: not keytab_status.stat.exists delegate_to: ldap01.home.foo.sh - when: not keytab_status.stat.exists - -- name: Get keytab - ansible.builtin.command: - argv: - - base64 - - "{{ tempfile.path }}" - register: keytab_data - delegate_to: ldap01.home.foo.sh - when: not keytab_status.stat.exists - -- name: Delete temporary file - ansible.builtin.file: - path: "{{ tempfile.path }}" - state: absent - delegate_to: ldap01.home.foo.sh - when: not keytab_status.stat.exists - name: Deploy keytab file ansible.builtin.shell: >- From 139ef2183c86692ac0ee07adf0aac69b8f23705a Mon Sep 17 00:00:00 2001 
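Review bot: In the new `block:` the "Delete temporary file" task only runs if every preceding task succeeds, so a failing `kadmin.local ktadd` or `base64` leaves a populated keytab in the temp directory on ldap01.home.foo.sh; moving the deletion into an `always:` section guarantees cleanup. The "Get keytab" task also registers the base64-encoded key material in `keytab_data`, which is printed in verbose output and in callback logs unless the task carries `no_log: true` (be aware that this also masks the task's own error output). The block-level `when` and `delegate_to` apply to `always:` tasks as well, so the guard semantics stay the same:

```yaml
- name: Create keytab
  block:
    # … unchanged: Create temporary file / Initialize keytab / Add principal to keytab …
    - name: Get keytab
      ansible.builtin.command:
        argv:
          - base64
          - "{{ tempfile.path }}"
      register: keytab_data
      no_log: true
  always:
    - name: Delete temporary file
      ansible.builtin.file:
        path: "{{ tempfile.path }}"
        state: absent
      when: tempfile.path is defined
  when: not keytab_status.stat.exists
  delegate_to: ldap01.home.foo.sh
```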
From: Timo Makinen Date: Fri, 31 Jan 2025 15:51:35 +0000 Subject: [PATCH 502/596] Fix typo from sw-backup script --- playbooks/nms.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 8232a67..e0ce461 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -81,7 +81,7 @@ content: | #!/bin/sh set -eu - ssh "admin@{$1}" /export > "/srv/backup/${1}.rsc" + ssh "admin@${1}" /export > "/srv/backup/${1}.rsc" mode: "0755" owner: root group: "{{ ansible_wheel }}" From eaead4bc7f3fbc57afa7e3e5b3a1abbb781098fd Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 31 Jan 2025 16:16:26 +0000 Subject: [PATCH 503/596] Allow kerberos logins to print hosts --- playbooks/print.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/playbooks/print.yml b/playbooks/print.yml index 6b5e6d1..518f424 100644 --- a/playbooks/print.yml +++ b/playbooks/print.yml @@ -14,6 +14,9 @@ roles: - base + - role: keytab + keytab_principals: + - "host/{{ inventory_hostname }}@{{ kerberos_realm }}" - sssd - mkhomedir @@ -34,7 +37,7 @@ name: cups_server - name: Install keytab for CUPS - ansible.builtin.import_role: + ansible.builtin.include_role: name: keytab vars: keytab_path: /etc/cups/cups.keytab From 71a69af472fcee16de221039f7f6d3e5f149455a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 31 Jan 2025 16:42:02 +0000 Subject: [PATCH 504/596] sssd: Sort and group config options --- roles/sssd/templates/sssd.conf.j2 | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/sssd/templates/sssd.conf.j2 b/roles/sssd/templates/sssd.conf.j2 index 82aa6b1..6aed734 100644 --- a/roles/sssd/templates/sssd.conf.j2 +++ b/roles/sssd/templates/sssd.conf.j2 
@@ -8,11 +8,11 @@ domains = {{ kerberos_realm }} [pam] [domain/{{ kerberos_realm }}] -id_provider = ldap -auth_provider = krb5 -chpass_provider = ldap autofs_provider = none sudo_provider = none + +id_provider = ldap +chpass_provider = ldap ldap_uri = ldaps://{{ ldap_server[0] }} ldap_search_base = {{ ldap_basedn }} ldap_schema = rfc2307bis @@ -25,4 +25,6 @@ ldap_sasl_mech = EXTERNAL ldap_tls_cacert = {{ tls_bundle }} ldap_tls_cert = {{ tls_certs }}/{{ inventory_hostname }}.crt ldap_tls_key = {{ tls_private }}/{{ inventory_hostname }}.key + +auth_provider = krb5 krb5_realm = {{ kerberos_realm }} From 2c423fc0cafe4d2c2cd04774aebfc6ec63a45cd2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 31 Jan 2025 16:42:23 +0000 Subject: [PATCH 505/596] sssd: Allow limiting access by groups --- roles/sssd/templates/sssd.conf.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/sssd/templates/sssd.conf.j2 b/roles/sssd/templates/sssd.conf.j2 index 6aed734..38e7cf8 100644 --- a/roles/sssd/templates/sssd.conf.j2 +++ b/roles/sssd/templates/sssd.conf.j2 @@ -28,3 +28,8 @@ ldap_tls_key = {{ tls_private }}/{{ inventory_hostname }}.key auth_provider = krb5 krb5_realm = {{ kerberos_realm }} +{% if sssd_allow_groups is defined %} + +access_provider = simple +simple_allow_groups = {{ sssd_allow_groups | join(',') }} +{% endif %} From dc9a3a072530f67af655c966b7c30c93aed04932 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 31 Jan 2025 17:01:03 +0000 Subject: [PATCH 506/596] Limit access to hosts that have sssd running --- group_vars/adm.yml | 3 +++ group_vars/mail.yml | 4 ++++ group_vars/nas.yml | 3 +++ group_vars/nms.yml | 3 +++ group_vars/print.yml | 3 +++ group_vars/shell.yml | 5 +++-- group_vars/static.yml | 3 +++ 7 files changed, 22 insertions(+), 2 deletions(-) diff --git a/group_vars/adm.yml b/group_vars/adm.yml index 0a9a22a..a06d51b 100644 --- a/group_vars/adm.yml +++ b/group_vars/adm.yml 
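Review bot: The `{% if sssd_allow_groups is defined %}` block in the second sssd.conf.j2 hunk emits `access_provider = simple` only for hosts that set the variable, so every other host silently keeps sssd's default access provider, which permits every user the LDAP domain resolves. Making that fallback visible in the rendered file — an `{% else %}` branch with `access_provider = permit` and a comment such as `# sssd_allow_groups not set: all LDAP users may log in` — turns an implicit decision into an auditable one. It is also worth noting in the role's documentation that `simple_allow_groups` takes group names that must themselves be resolvable through the configured id_provider; how sssd behaves when a listed group cannot be resolved should be confirmed against sssd-simple(5) before relying on it.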
@@ -7,3 +7,6 @@ firewall_in: - {proto: tcp, port: 80, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - {proto: tcp, port: 9100, from: [172.20.20.0/22]} + +sssd_allow_groups: + - sysadm diff --git a/group_vars/mail.yml b/group_vars/mail.yml index ebf99cb..4de52d0 100644 --- a/group_vars/mail.yml +++ b/group_vars/mail.yml @@ -2,6 +2,7 @@ datadisks: - {size: 10, type: nvme} mem_size: 4192 + firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 25} @@ -11,3 +12,6 @@ firewall_in: - {proto: tcp, port: 587} - {proto: tcp, port: 993} - {proto: tcp, port: 9100, from: [172.20.20.0/22]} + +sssd_allow_groups: + - sysadm diff --git a/group_vars/nas.yml b/group_vars/nas.yml index 18f29d9..5dac726 100644 --- a/group_vars/nas.yml +++ b/group_vars/nas.yml @@ -10,3 +10,6 @@ firewall_in: - {proto: tcp, port: 2049, from: [172.20.20.0/22]} - {proto: tcp, port: 2049, from: [172.20.30.0/24]} - {proto: tcp, port: 9100, from: [172.20.20.0/22]} + +sssd_allow_groups: + - root diff --git a/group_vars/nms.yml b/group_vars/nms.yml index bdfe2a9..b05d9f0 100644 --- a/group_vars/nms.yml +++ b/group_vars/nms.yml @@ -33,3 +33,6 @@ firewall_in: firewall_raw: - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - "-A INPUT -i eth1 -p vrrp -j ACCEPT" + +sssd_allow_groups: + - sysadm diff --git a/group_vars/print.yml b/group_vars/print.yml index 469cb94..27c7c02 100644 --- a/group_vars/print.yml +++ b/group_vars/print.yml @@ -22,3 +22,6 @@ firewall_in: firewall_raw: - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - "-A INPUT -i eth1 -p vrrp -j ACCEPT" + +sssd_allow_groups: + - sysadm diff --git a/group_vars/shell.yml b/group_vars/shell.yml index f61151a..6300cab 100644 --- a/group_vars/shell.yml +++ b/group_vars/shell.yml @@ -1,6 +1,4 @@ --- - -# beef up shell hosts dsk_size: 40 mem_size: 8192 num_cpus: 4 @@ -13,3 +11,6 @@ firewall_in: ssh_hostnames: - shell.foo.sh + +sssd_allow_groups: + - foosh 
diff --git a/group_vars/static.yml b/group_vars/static.yml index a6636ac..f211563 100644 --- a/group_vars/static.yml +++ b/group_vars/static.yml @@ -3,3 +3,6 @@ firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 443, from: [172.20.20.0/22]} - {proto: tcp, port: 9100, from: [172.20.20.0/22]} + +sssd_allow_groups: + - root From 20f1af0ee44f0e7422084d5238771f4ec8eaa359 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 31 Jan 2025 18:03:18 +0000 Subject: [PATCH 507/596] ansible_host: Add support for LDAP queries --- roles/ansible_host/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ansible_host/tasks/main.yml b/roles/ansible_host/tasks/main.yml index bc8f455..171debe 100644 --- a/roles/ansible_host/tasks/main.yml +++ b/roles/ansible_host/tasks/main.yml @@ -9,6 +9,7 @@ - ansible-collection-community-general - patch # needed in next step - python3.9-dns # required for lookup('dig', 'hostname') + - python3.9-ldap # required for ldap modules - python3.9-netaddr # required by iptables role - name: Patch ansible to support python 3.12 clients From 0530194ac03cdeb37a0e5e60e22704ccde922bd5 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 31 Jan 2025 18:56:03 +0000 Subject: [PATCH 508/596] base: Add ansible_server fact --- roles/base/tasks/main.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 5e3e14b..7fc1e5a 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -5,6 +5,20 @@ changed_when: false when: inventory_hostname | split('.') | length == 4 +- name: Get ansible server name + ansible.builtin.command: + argv: + - hostname + - -f + changed_when: false + delegate_to: localhost + register: result + +- name: Store ansible server name + ansible.builtin.set_fact: + ansible_server: "{{ result.stdout }}" + cacheable: false + - name: Setup ansible custom facts ansible.builtin.file: dest: "{{ item }}" 
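Review bot: In the roles/base/tasks/main.yml hunk, "Get ansible server name" is delegated to localhost but still executes once per host in the play, and its `register: result` reuses the generic name that other tasks in this file also register into, which makes the following `set_fact` fragile if a task is ever inserted between them. Adding `run_once: true` to both tasks should run `hostname -f` a single time and, because set_fact with run_once applies to every host in the play, still populate `ansible_server` everywhere — verify this against the set_fact documentation for the Ansible version in use. A short comment above the set_fact explaining that `ansible_server` is the control node's FQDN and is later used as an inventory key (`hostvars[ansible_server]` in the dhcpd role on this page) would also help, since the `ansible_` prefix makes it read like a built-in fact.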
From 45557e0bc156fed5eea29212166d6d2d1c8fbfbc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 31 Jan 2025 19:11:09 +0000 Subject: [PATCH 509/596] dhcpd: Add support for reading host data from LDAP --- roles/dhcpd/tasks/main.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/roles/dhcpd/tasks/main.yml b/roles/dhcpd/tasks/main.yml index 8722f27..134b4ed 100644 --- a/roles/dhcpd/tasks/main.yml +++ b/roles/dhcpd/tasks/main.yml @@ -7,6 +7,24 @@ name: "{{ dhcpd_package }}" state: installed +- name: Get host data from LDAP + community.general.ldap_search: + attrs: + - cn + - ipHostNumber + - macAddress + client_cert: >- + {{ hostvars[ansible_server]['tls_certs'] + '/' + ansible_server }}.crt + client_key: >- + {{ hostvars[ansible_server]['tls_private'] + '/' + ansible_server }}.key + dn: "{{ dhcpd_ldap_basedn | default(ldap_basedn) }}" + filter: "{{ dhcpd_ldap_filter }}" + scope: subordinate + server_uri: "ldaps://{{ ldap_server[0] }}" + delegate_to: localhost + register: ldap_hosts + when: dhcpd_ldap_filter is defined + - name: Create config ansible.builtin.template: dest: "{{ dhcpd_config }}" From a935deb439f0a56e3423e3e73d0680bbb455122c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 31 Jan 2025 19:12:06 +0000 Subject: [PATCH 510/596] dhcpd: Read printers from LDAP --- group_vars/print.yml | 1 + roles/dhcpd/templates/dhcpd.conf.print.j2 | 10 ++++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/group_vars/print.yml b/group_vars/print.yml index 27c7c02..71357fb 100644 --- a/group_vars/print.yml +++ b/group_vars/print.yml @@ -23,5 +23,6 @@ firewall_raw: - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - "-A INPUT -i eth1 -p vrrp -j ACCEPT" +dhcpd_ldap_filter: "(&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.print.foo.sh))" sssd_allow_groups: - sysadm diff --git a/roles/dhcpd/templates/dhcpd.conf.print.j2 b/roles/dhcpd/templates/dhcpd.conf.print.j2 index ca0ab35..da5c2e7 100644 
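Review bot: The new "Get host data from LDAP" task indexes `hostvars[ansible_server]['tls_certs']` and `['tls_private']`, which only resolves if the control node is in the inventory under exactly the name `hostname -f` returns on it and has those variables; otherwise the task fails with an opaque undefined-variable error before the LDAP query even starts. An `ansible.builtin.assert` with `that: ansible_server in hostvars` and a clear `fail_msg` placed before this task would make the precondition explicit. Note also that when `dhcpd_ldap_filter` is undefined the task is skipped and `ldap_hosts` is left undefined, so any template that references `ldap_hosts.results` must be guarded or only used on hosts that define the filter.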
--- a/roles/dhcpd/templates/dhcpd.conf.print.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.print.j2 @@ -29,10 +29,12 @@ shared-network PRINTNET { use-host-decl-names on; } - host hp1.print.foo.sh { - option host-name "hp1.print.foo.sh"; - hardware ethernet 00:15:99:22:79:46; - fixed-address 172.20.24.101; +{% for host in ldap_hosts.results %} + host {{ host['cn'] }} { + option host-name "{{ host['cn'] }}"; + hardware ethernet {{ host['macAddress'] }}; + fixed-address {{ host['ipHostNumber'] }}; } +{% endfor %} } From 07a6e1b1245e87280ccdaf8befee7176fd11812a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 31 Jan 2025 19:15:12 +0000 Subject: [PATCH 511/596] Fix yamllint errors --- group_vars/print.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/group_vars/print.yml b/group_vars/print.yml index 71357fb..8ee8cd3 100644 --- a/group_vars/print.yml +++ b/group_vars/print.yml @@ -23,6 +23,7 @@ firewall_raw: - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - "-A INPUT -i eth1 -p vrrp -j ACCEPT" -dhcpd_ldap_filter: "(&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.print.foo.sh))" +dhcpd_ldap_filter: >- + (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.print.foo.sh)) sssd_allow_groups: - sysadm From 3328152314f1ef2f77897b7606acc8c70f3066f9 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Feb 2025 15:17:41 +0000 Subject: [PATCH 512/596] rocketchat: Update to 7.3.0 --- hosts.yml | 2 +- roles/rocketchat/tasks/main.yml | 12 +++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/hosts.yml b/hosts.yml index e9d66be..5c9c473 100644 --- a/hosts.yml +++ b/hosts.yml @@ -92,7 +92,7 @@ ocinode: oci-node02.home.foo.sh: vars: grafana_version: "11.3.1" - rocketchat_version: "7.1.0" + rocketchat_version: "7.3.0" roundcube_version: "1.6.9" print: hosts: diff --git a/roles/rocketchat/tasks/main.yml b/roles/rocketchat/tasks/main.yml index 07fd33a..da102d0 100644 --- a/roles/rocketchat/tasks/main.yml 
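Review bot: The `{% for host in ldap_hosts.results %}` loop in dhcpd.conf.print.j2 replaces the hard-coded `host` declarations with whatever the LDAP search returns, so an empty result (wrong base DN, expired client certificate, transient LDAP outage that the module reports as success with zero entries) renders a config with no static printer leases and the config task deploys it without complaint. An assertion in the dhcpd tasks such as `that: ldap_hosts.results | length > 0` with a descriptive `fail_msg`, run before the template task, turns that into a visible failure. The template also writes `host['macAddress']` and `host['ipHostNumber']` as single values; these attributes may be multi-valued in LDAP and the search module may return them as lists in that case — confirm the shape against a real result before relying on it, or select the first element explicitly.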
+++ b/roles/rocketchat/tasks/main.yml @@ -28,13 +28,23 @@ check_mode: false register: rocketchat_cert_key +- name: Get rocketchat subgid value + ansible.builtin.command: + argv: + - sed + - -n + - 's/^rocketchat:\([0-9]\+\):[0-9]\+$/\1/p' + - /etc/subuid + changed_when: false + register: result + - name: Create combined certificate/private key file ansible.builtin.copy: dest: "{{ tls_private }}/rocketchat.pem" content: "{{ rocketchat_cert_key.stdout }}" mode: "0640" owner: root - group: rocketchat + group: "{{ result.stdout | int + 65532 }}" notify: Restart rocketchat - name: Create service config From 13eed061245f8ccb4b8245cc503c93f6d1b04fbf Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Feb 2025 16:33:37 +0000 Subject: [PATCH 513/596] cups_server: Fix sharing options --- .../files/cups-ppd/Samsung_ML-3051ND.ppd | 219 ++++++++++++++++++ roles/cups_server/tasks/main.yml | 19 +- 2 files changed, 236 insertions(+), 2 deletions(-) create mode 100644 roles/cups_server/files/cups-ppd/Samsung_ML-3051ND.ppd diff --git a/roles/cups_server/files/cups-ppd/Samsung_ML-3051ND.ppd b/roles/cups_server/files/cups-ppd/Samsung_ML-3051ND.ppd new file mode 100644 index 0000000..2e13ae2 --- /dev/null +++ b/roles/cups_server/files/cups-ppd/Samsung_ML-3051ND.ppd 
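Review bot: The task named "Get rocketchat subgid value" reads `/etc/subuid`, but its output is used as the `group:` of the certificate file, so either the task should read `- /etc/subgid` or the name and the use are wrong; the two files are usually populated identically, which would hide the mismatch until they diverge. If the sed pattern matches nothing, `result.stdout` is empty and `'' | int` evaluates to 0, so the file is silently chowned to gid 65532 instead of the mapped container group; a guard such as `failed_when: result.stdout | length == 0` on the sed task prevents that. The constant 65532 also deserves a comment naming the container-internal gid it is mapped from (presumably subgid_start + gid - 1 for the rocketchat user's mapping — confirm against the container image).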
@@ -0,0 +1,219 @@ +*PPD-Adobe: "4.3" +*% +*% For information on using this, and to obtain the required backend +*% script, consult http://www.openprinting.org/ +*% +*% This file is published under the GNU General Public License +*% +*% PPD-O-MATIC (4.0.0 or newer) generated this PPD file. It is for use with +*% all programs and environments which use PPD files for dealing with +*% printer capability information. The printer must be configured with the +*% "foomatic-rip" backend filter script of Foomatic 4.0.0 or newer. This +*% file and "foomatic-rip" work together to support PPD-controlled printer +*% driver option access with all supported printer drivers and printing +*% spoolers. +*% +*% To save this file on your disk, wait until the download has completed +*% (the animation of the browser logo must stop) and then use the +*% "Save as..." command in the "File" menu of your browser or in the +*% pop-up manu when you click on this document with the right mouse button. +*% DO NOT cut and paste this file into an editor with your mouse. This can +*% introduce additional line breaks which lead to unexpected results. 
+*% +*% You may save this file as 'Samsung-ML-3051ND-Postscript.ppd' +*% +*% +*FormatVersion: "4.3" +*FileVersion: "1.1" +*LanguageVersion: English +*LanguageEncoding: ISOLatin1 +*PCFileName: "POSTSCRI.PPD" +*Manufacturer: "Samsung" +*Product: "(ML-3051ND)" +*cupsVersion: 1.0 +*cupsManualCopies: True +*cupsModelNumber: 2 +*cupsFilter: "application/vnd.cups-postscript 100 foomatic-rip" +*cupsFilter: "application/vnd.cups-pdf 0 foomatic-rip" +*%pprRIP: foomatic-rip other +*ModelName: "Samsung ML-3051ND" +*ShortNickName: "Samsung ML-3051ND Postscript" +*NickName: "Samsung ML-3051ND Foomatic/Postscript (recommended)" +*PSVersion: "(3010.000) 550" +*PSVersion: "(3010.000) 651" +*PSVersion: "(3010.000) 652" +*PSVersion: "(3010.000) 653" +*PSVersion: "(3010.000) 704" +*PSVersion: "(3010.000) 705" +*PSVersion: "(3010.000) 800" +*PSVersion: "(3010.000) 815" +*PSVersion: "(3010.000) 850" +*PSVersion: "(3010.000) 860" +*PSVersion: "(3010.000) 861" +*PSVersion: "(3010.000) 862" +*PSVersion: "(3010.000) 863" +*PSVersion: "(3010.000) 864" +*PSVersion: "(3010.000) 870" +*LanguageLevel: "3" +*ColorDevice: False +*DefaultColorSpace: Gray +*FileSystem: False +*Throughput: "1" +*LandscapeOrientation: Plus90 +*TTRasterizer: Type42 +*1284DeviceID: "MFG:Samsung;MDL:ML-3051ND;DRV:DPostscript,R1,M0,TP;" + +*driverName Postscript: "" +*driverType P/PostScript: "" +*driverUrl: "http://partners.adobe.com/public/developer/ps/index_specs.html" +*driverObsolete: False +*driverManufacturerSupplied: False + + + + +*HWMargins: 18 36 18 36 +*VariablePaperSize: True +*MaxMediaWidth: 100000 +*MaxMediaHeight: 100000 +*NonUIOrderDependency: 100 AnySetup *CustomPageSize +*CustomPageSize True: "pop pop pop +<>setpagedevice" +*End +*ParamCustomPageSize Width: 1 points 36 100000 +*ParamCustomPageSize Height: 2 points 36 100000 +*ParamCustomPageSize Orientation: 3 int 0 0 +*ParamCustomPageSize WidthOffset: 4 points 0 0 +*ParamCustomPageSize HeightOffset: 5 points 0 0 + +*FoomaticIDs: Samsung-ML-3051ND 
Postscript +*FoomaticRIPCommandLine: "cat%A%B%Z" +*FoomaticRIPNoPageAccounting: True + +*OpenGroup: General/General + +*OpenUI *PageSize/Page Size: PickOne +*OrderDependency: 100 AnySetup *PageSize +*DefaultPageSize: Letter +*PageSize Letter/US Letter: "<>setpagedevice" +*PageSize A4/A4: "<>setpagedevice" +*PageSize 11x17/11x17: "<>setpagedevice" +*PageSize A3/A3: "<>setpagedevice" +*PageSize A5/A5: "<>setpagedevice" +*PageSize B5/B5 (JIS): "<>setpagedevice" +*PageSize Env10/Envelope #10: "<>setpagedevice" +*PageSize EnvC5/Envelope C5: "<>setpagedevice" +*PageSize EnvDL/Envelope DL: "<>setpagedevice" +*PageSize EnvISOB5/Envelope B5: "<>setpagedevice" +*PageSize EnvMonarch/Envelope Monarch: "<>setpagedevice" +*PageSize Executive/Executive: "<>setpagedevice" +*PageSize Legal/US Legal: "<>setpagedevice" +*CloseUI: *PageSize + +*OpenUI *PageRegion: PickOne +*OrderDependency: 100 AnySetup *PageRegion +*DefaultPageRegion: Letter +*PageRegion Letter/US Letter: "<>setpagedevice" +*PageRegion A4/A4: "<>setpagedevice" +*PageRegion 11x17/11x17: "<>setpagedevice" +*PageRegion A3/A3: "<>setpagedevice" +*PageRegion A5/A5: "<>setpagedevice" +*PageRegion B5/B5 (JIS): "<>setpagedevice" +*PageRegion Env10/Envelope #10: "<>setpagedevice" +*PageRegion EnvC5/Envelope C5: "<>setpagedevice" +*PageRegion EnvDL/Envelope DL: "<>setpagedevice" +*PageRegion EnvISOB5/Envelope B5: "<>setpagedevice" +*PageRegion EnvMonarch/Envelope Monarch: "<>setpagedevice" +*PageRegion Executive/Executive: "<>setpagedevice" +*PageRegion Legal/US Legal: "<>setpagedevice" +*CloseUI: *PageRegion + +*DefaultImageableArea: Letter +*ImageableArea Letter/US Letter: "18 36 594 756" +*ImageableArea A4/A4: "18 36 577 806" +*ImageableArea 11x17/11x17: "18 36 774 1188" +*ImageableArea A3/A3: "18 36 824 1155" +*ImageableArea A5/A5: "18 36 403 559" +*ImageableArea B5/B5 (JIS): "18 36 498 693" +*ImageableArea Env10/Envelope #10: "18 36 279 648" +*ImageableArea EnvC5/Envelope C5: "18 36 441 613" +*ImageableArea EnvDL/Envelope 
DL: "18 36 294 588" +*ImageableArea EnvISOB5/Envelope B5: "18 36 481 673" +*ImageableArea EnvMonarch/Envelope Monarch: "18 36 261 504" +*ImageableArea Executive/Executive: "18 36 504 720" +*ImageableArea Legal/US Legal: "18 36 594 972" + +*DefaultPaperDimension: Letter +*PaperDimension Letter/US Letter: "612 792" +*PaperDimension A4/A4: "595 842" +*PaperDimension 11x17/11x17: "792 1224" +*PaperDimension A3/A3: "842 1191" +*PaperDimension A5/A5: "421 595" +*PaperDimension B5/B5 (JIS): "516 729" +*PaperDimension Env10/Envelope #10: "297 684" +*PaperDimension EnvC5/Envelope C5: "459 649" +*PaperDimension EnvDL/Envelope DL: "312 624" +*PaperDimension EnvISOB5/Envelope B5: "499 709" +*PaperDimension EnvMonarch/Envelope Monarch: "279 540" +*PaperDimension Executive/Executive: "522 756" +*PaperDimension Legal/US Legal: "612 1008" + +*OpenUI *Duplex/Double-Sided Printing: PickOne +*OrderDependency: 130 AnySetup *Duplex +*DefaultDuplex: None +*Duplex DuplexNoTumble/Long Edge (Standard): "<>setpagedevice" +*Duplex DuplexTumble/Short Edge (Flip): "<>setpagedevice" +*Duplex None/Off: "<>setpagedevice" +*CloseUI: *Duplex + +*OpenUI *Resolution/Resolution: PickOne +*OrderDependency: 90 AnySetup *Resolution +*DefaultResolution: 600x600dpi +*Resolution 150x150dpi/150x150 DPI: "<>setpagedevice" +*Resolution 300x300dpi/300x300 DPI: "<>setpagedevice" +*Resolution 600x600dpi/600x600 DPI: "<>setpagedevice" +*Resolution 1200x1200dpi/1200x1200 DPI: "<>setpagedevice" +*CloseUI: *Resolution + +*CloseGroup: General + + +*% Generic boilerplate PPD stuff as standard PostScript fonts and so on + +*DefaultFont: Courier +*Font AvantGarde-Book: Standard "(001.006S)" Standard ROM +*Font AvantGarde-BookOblique: Standard "(001.006S)" Standard ROM +*Font AvantGarde-Demi: Standard "(001.007S)" Standard ROM +*Font AvantGarde-DemiOblique: Standard "(001.007S)" Standard ROM +*Font Bookman-Demi: Standard "(001.004S)" Standard ROM +*Font Bookman-DemiItalic: Standard "(001.004S)" Standard ROM +*Font 
Bookman-Light: Standard "(001.004S)" Standard ROM +*Font Bookman-LightItalic: Standard "(001.004S)" Standard ROM +*Font Courier: Standard "(002.004S)" Standard ROM +*Font Courier-Bold: Standard "(002.004S)" Standard ROM +*Font Courier-BoldOblique: Standard "(002.004S)" Standard ROM +*Font Courier-Oblique: Standard "(002.004S)" Standard ROM +*Font Helvetica: Standard "(001.006S)" Standard ROM +*Font Helvetica-Bold: Standard "(001.007S)" Standard ROM +*Font Helvetica-BoldOblique: Standard "(001.007S)" Standard ROM +*Font Helvetica-Narrow: Standard "(001.006S)" Standard ROM +*Font Helvetica-Narrow-Bold: Standard "(001.007S)" Standard ROM +*Font Helvetica-Narrow-BoldOblique: Standard "(001.007S)" Standard ROM +*Font Helvetica-Narrow-Oblique: Standard "(001.006S)" Standard ROM +*Font Helvetica-Oblique: Standard "(001.006S)" Standard ROM +*Font NewCenturySchlbk-Bold: Standard "(001.009S)" Standard ROM +*Font NewCenturySchlbk-BoldItalic: Standard "(001.007S)" Standard ROM +*Font NewCenturySchlbk-Italic: Standard "(001.006S)" Standard ROM +*Font NewCenturySchlbk-Roman: Standard "(001.007S)" Standard ROM +*Font Palatino-Bold: Standard "(001.005S)" Standard ROM +*Font Palatino-BoldItalic: Standard "(001.005S)" Standard ROM +*Font Palatino-Italic: Standard "(001.005S)" Standard ROM +*Font Palatino-Roman: Standard "(001.005S)" Standard ROM +*Font Symbol: Special "(001.007S)" Special ROM +*Font Times-Bold: Standard "(001.007S)" Standard ROM +*Font Times-BoldItalic: Standard "(001.009S)" Standard ROM +*Font Times-Italic: Standard "(001.007S)" Standard ROM +*Font Times-Roman: Standard "(001.007S)" Standard ROM +*Font ZapfChancery-MediumItalic: Standard "(001.007S)" Standard ROM +*Font ZapfDingbats: Special "(001.004S)" Standard ROM + diff --git a/roles/cups_server/tasks/main.yml b/roles/cups_server/tasks/main.yml index 9b4bcc3..1c44960 100644 --- a/roles/cups_server/tasks/main.yml +++ b/roles/cups_server/tasks/main.yml 
@@ -36,6 +36,13 @@ line: "#Listen 631" notify: Restart cups +- name: Share printers + ansible.builtin.lineinfile: + path: /etc/cups/cupsd.conf + line: "Port 631" + insertbefore: "^Listen .*.sock" + notify: Restart cups + - name: Set ssl listen port ansible.builtin.lineinfile: path: /etc/cups/cupsd.conf @@ -86,11 +93,11 @@ force: true notify: Restart cups -- name: Disable printer advertising +- name: Enable printer sharing ansible.builtin.lineinfile: path: /etc/cups/cupsd.conf regexp: "^Browsing .*" - line: "Browsing No" + line: "Browsing Yes" notify: Restart cups - name: Disable unauthenticated access from cups @@ -147,3 +154,11 @@ name: cups enabled: true state: started + +- name: Copy ppd files + ansible.builtin.copy: + dest: /usr/local/share/cups-ppd/ + src: cups-ppd/ + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" From 12cb205ff52bfb7c239584640884624bbe15cb95 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Feb 2025 16:38:01 +0000 Subject: [PATCH 514/596] Update software submodule --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index 2f00235..f650a93 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit 2f00235a10cbd03324e3f21cbdebbf0b2f9ca1e5 +Subproject commit f650a934cd4494f909c58f5d22a0ee89544679e7 From 2468b1ffcd804507f382cd1d3c6b90993a79037d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Feb 2025 16:52:37 +0000 Subject: [PATCH 515/596] Update software submodule --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index f650a93..4e49fa0 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit f650a934cd4494f909c58f5d22a0ee89544679e7 +Subproject commit 4e49fa062a7fe4145c9d4cd3b3f79428e101b3f4 From 56d15d0cf161920d2c16ad7962ca5d869e66bef8 Mon Sep 17 00:00:00 2001 
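Review bot: `line: "Port 631"` in the new Share printers task makes cupsd listen on every address of the host, not only the network the printers live on, and together with `Browsing Yes` in the second hunk of this file the queues are then advertised on all of them. If sharing is meant for one network, a `Listen` line on that address is narrower, e.g. `line: "Listen {{ ansible_default_ipv4.address }}:631"`; either way the host firewall should be the thing that limits who reaches 631, so a short comment above the task saying which network is intended would help. The `insertbefore` pattern `^Listen .*.sock` also leaves the dot before `sock` unescaped; `^Listen .*\.sock` is what is meant.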
From: Timo Makinen Date: Sat, 1 Feb 2025 17:19:43 +0000 Subject: [PATCH 516/596] Update software submodule --- software | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software b/software index 4e49fa0..b9a2d06 160000 --- a/software +++ b/software @@ -1 +1 @@ -Subproject commit 4e49fa062a7fe4145c9d4cd3b3f79428e101b3f4 +Subproject commit b9a2d06df00afafcc47403cc5334c64c7fa2f594 From 34624667dced4a6062dc9c24f6fef6772a77a251 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Feb 2025 17:24:07 +0000 Subject: [PATCH 517/596] Add printing support to adm and nms hosts --- playbooks/adm.yml | 1 + playbooks/nms.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 06d5894..69cfb42 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml @@ -27,6 +27,7 @@ - base - ansible_host - certbot + - cups - sshca - ssh_known_hosts - role: keytab diff --git a/playbooks/nms.yml b/playbooks/nms.yml index e0ce461..856e221 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -25,6 +25,7 @@ roles: - base + - cups - nginx - role: nginx_site nginx_site_name: oob.foo.sh From a7290490609e407a3ae1a83d63ad6e5913a6ec81 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Feb 2025 18:36:49 +0000 Subject: [PATCH 518/596] cups_server: Configure printers from LDAP No modify supported just add and delete. --- roles/cups_server/tasks/main.yml | 80 ++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/roles/cups_server/tasks/main.yml b/roles/cups_server/tasks/main.yml index 1c44960..849543c 100644 --- a/roles/cups_server/tasks/main.yml +++ b/roles/cups_server/tasks/main.yml 
@@ -162,3 +162,83 @@ mode: "0644" owner: root group: "{{ ansible_wheel }}" + +- name: Get printers from LDAP + community.general.ldap_search: + attrs: + - cn + - description + - l + client_cert: >- + {{ hostvars[ansible_server]['tls_certs'] + '/' + ansible_server }}.crt + client_key: >- + {{ hostvars[ansible_server]['tls_private'] + '/' + ansible_server }}.key + dn: "{{ ldap_basedn }}" + filter: "(&(objectClass=device)(cn=*.print.foo.sh))" + scope: subordinate + server_uri: "ldaps://{{ ldap_server[0] }}" + delegate_to: localhost + register: printers + +- name: Get printers list + ansible.builtin.command: + argv: + - lpstat + - -e + changed_when: false + register: result + +- name: Add printers + ansible.builtin.command: + argv: + - lpadmin + - -D + - "{{ item.description }}" + - -i + - >- + {{ + '/usr/local/share/cups-ppd/' + + item.description | regex_replace(' ', '_') + + '.ppd' + }} + - -L + - "{{ item.l }}" + - -o + - media=a4 + - -o + - cupsSNMPSupplies=true + - -o + - printer-error-policy=abort-job + - -o + - printer-is-shared=true + - -v + - "http://{{ item.cn }}:631" + - -p + - "{{ item.cn | split('.') | first }}" + - -E + with_items: >- + {{ + printers.results | rejectattr( + 'cn', + 'in', + result.stdout_lines | map('regex_replace', '$', '.print.foo.sh' + ) | list) | list + }} + +- name: Remove printers + ansible.builtin.command: + argv: + - lpadmin + - -x + - "{{ item }}" + with_items: >- + {{ + result.stdout_lines | reject( + 'in', + printers.results | map(attribute='cn') | map( + 'regex_replace', + '.print.foo.sh$', + '' + ) | list + ) | list + }} From 4325511f350ef1a334e1a4e41e265b49b825031e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Feb 2025 19:00:41 +0000 Subject: [PATCH 519/596] Sort and group variables --- group_vars/print.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/group_vars/print.yml b/group_vars/print.yml index 8ee8cd3..ede482a 100644 --- a/group_vars/print.yml +++ b/group_vars/print.yml 
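Review bot: In the Add printers task the PPD path is built from `item.description` with only spaces rewritten, so a `/` or `..` in an LDAP description makes lpadmin read a file outside `/usr/local/share/cups-ppd/`, and an entry without `description` or `l` aborts the whole loop. Since these values come from the directory rather than from this repository, restricting the file name to a safe character set is cheap: `item.description | regex_replace('[^A-Za-z0-9_-]', '_')` keeps the existing space-to-underscore mapping (adjust the class if the shipped PPD names use other characters). Both lpadmin tasks have no `changed_when`, which is acceptable while the loops only run on the add/remove delta, but a one-line comment above `Add printers` stating that the lpstat filter is what keeps them idempotent would save the next reader a look. The `.print.foo.sh$` pattern in Remove printers has unescaped dots as well; `\.print\.foo\.sh$` is the intended match.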
@@ -7,12 +7,6 @@ network_vip_interfaces: pass: "{{ vip24_pass }}" priority: "{{ vip24_priority }}" -dhcpd_template: dhcpd.conf.print.j2 - -unbound_zones: - - 24.20.172.in-addr.arpa - - print.foo.sh - firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} - {proto: tcp, port: 53, from: [172.20.24.0/24]} @@ -23,7 +17,11 @@ firewall_raw: - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - "-A INPUT -i eth1 -p vrrp -j ACCEPT" +dhcpd_template: dhcpd.conf.print.j2 dhcpd_ldap_filter: >- (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.print.foo.sh)) sssd_allow_groups: - sysadm +unbound_zones: + - 24.20.172.in-addr.arpa + - print.foo.sh From dff8b4d72b5618beec28d6c2a4189da41add98f3 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Feb 2025 19:01:12 +0000 Subject: [PATCH 520/596] Add mail relay to print hosts --- playbooks/print.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/playbooks/print.yml b/playbooks/print.yml index 518f424..733aa88 100644 --- a/playbooks/print.yml +++ b/playbooks/print.yml @@ -42,3 +42,10 @@ vars: keytab_path: /etc/cups/cups.keytab keytab_principals: "HTTP/print.foo.sh@{{ kerberos_realm }}" + + - name: Enable postfix mail relay + ansible.builtin.import_role: + name: postfix + tasks_from: relay + vars: + relay_domains: [foo.sh] From db91fe6345fc3f78e82ceb752f35f251be5c7cbb Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 2 Feb 2025 15:18:47 +0000 Subject: [PATCH 521/596] base: Refactor export mount fact --- roles/base/files/export.fact.sh | 9 +++++++++ roles/base/tasks/main.yml | 8 +------- 2 files changed, 10 insertions(+), 7 deletions(-) create mode 100755 roles/base/files/export.fact.sh diff --git a/roles/base/files/export.fact.sh b/roles/base/files/export.fact.sh new file mode 100755 index 0000000..1f3075e --- /dev/null +++ b/roles/base/files/export.fact.sh @@ -0,0 +1,9 @@ +#!/bin/sh + +set -eu + +if mount | grep -qE "on /export" ; then + echo "true" +else + echo "false" +fi 
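Review bot: `grep -qE "on /export"` in export.fact.sh also matches mount points such as `/exports` or `/export2`, and because the script replaces the old `[ -d /export ]` test a host with such a sibling mount now reports `true`. Anchoring on the following space, `grep -qE "on /export "`, keeps the match to that one mount point; both Linux and OpenBSD `mount` print the mount point followed by a space and `type`, as far as I can tell. This file is the source of `ansible_local['export']`, which the ldap_server and backup_base defaults later in this series use to pick data directories, so a false positive here moves data on the affected hosts.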
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 7fc1e5a..cf661ed 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -33,13 +33,7 @@ - name: Add ansible_export fact ansible.builtin.copy: dest: /etc/ansible/facts.d/export.fact - content: | - #!/bin/sh - if [ -d /export ]; then - echo "true" - else - echo "false" - fi + src: export.fact.sh mode: "0755" owner: root group: "{{ ansible_wheel }}" From d2fb048b7deb8352549b62f42cc8c3aed72c2862 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 2 Feb 2025 15:19:38 +0000 Subject: [PATCH 522/596] backup_base: Fix data directory path --- roles/backup_base/tasks/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/backup_base/tasks/main.yml b/roles/backup_base/tasks/main.yml index 3d842b6..cb10097 100644 --- a/roles/backup_base/tasks/main.yml +++ b/roles/backup_base/tasks/main.yml @@ -16,7 +16,7 @@ - name: Create backup directory ansible.builtin.file: - path: /export/backup + path: "{{ backup_datadir }}" state: directory mode: "0750" owner: root @@ -25,11 +25,12 @@ - name: Link backup directory ansible.builtin.file: dest: /srv/backup - src: /export/backup + src: "{{ backup_datadir }}" state: link owner: root group: "{{ ansible_wheel }}" follow: false + when: backup_datadir != "/srv/backup" - name: Create authorized_keys ansible.builtin.copy: From b3ebfa71e722b2a992b7a4c8428a8e298cb6faae Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 2 Feb 2025 15:21:26 +0000 Subject: [PATCH 523/596] ldap_server: Refactor variables --- roles/ldap_server/defaults/main.yml | 1 + roles/ldap_server/tasks/main.yml | 2 +- roles/ldap_server/templates/slapd.conf.j2 | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/ldap_server/defaults/main.yml b/roles/ldap_server/defaults/main.yml index 3454578..0563395 100644 --- a/roles/ldap_server/defaults/main.yml +++ b/roles/ldap_server/defaults/main.yml 
@@ -5,3 +5,4 @@ ldap_datadir: >- {% if ansible_local['export'] %}/export{% else %}/srv{% endif %}/ldap ldap_backupdir: >- {% if ansible_local['export'] -%}/export{% else -%}/srv{% endif -%}/backup +ldap_master: false diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index 9669610..834ac03 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml @@ -48,7 +48,7 @@ - name: Link LDAP data directory ansible.builtin.file: path: /srv/ldap - src: /export/ldap + src: "{{ ldap_datadir }}" state: link owner: root group: root diff --git a/roles/ldap_server/templates/slapd.conf.j2 b/roles/ldap_server/templates/slapd.conf.j2 index 903639c..7ec559c 100644 --- a/roles/ldap_server/templates/slapd.conf.j2 +++ b/roles/ldap_server/templates/slapd.conf.j2 @@ -88,7 +88,7 @@ memberof-memberof-ad memberOf # access without access to clear text data directory /srv/ldap -{% if ldap_master is not defined %} +{% if not ldap_master %} # replication syncrepl rid={{ 999 | random(seed=inventory_hostname) }} provider=ldaps://ldap01.foo.sh From 1ae9d88346021914681c3d41e3cde2c8cbd8d342 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 2 Feb 2025 15:21:59 +0000 Subject: [PATCH 524/596] ldap_server: Allow everyone to read root object --- roles/ldap_server/templates/slapd.conf.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/ldap_server/templates/slapd.conf.j2 b/roles/ldap_server/templates/slapd.conf.j2 index 7ec559c..98efbea 100644 --- a/roles/ldap_server/templates/slapd.conf.j2 +++ b/roles/ldap_server/templates/slapd.conf.j2 @@ -139,6 +139,10 @@ authz-regexp "uid=([^.]\+),cn=login,cn=auth" "ldap:///{{ ldap_basedn }}??sub?(&(uid=$1)(objectClass=posixAccount))" +# allow everyone to read root object +access to dn.base={{ ldap_basedn }} + by * read + # require authentication for authenticated users that don't match above access to * by dn.children="cn=peercred,cn=external,cn=auth" auth 
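Review bot: `access to dn.base={{ ldap_basedn }} by * read` in slapd.conf.j2 grants anonymous read on every attribute of the root entry, which is more than clients need to discover the suffix. Limiting the rule to what is required, `access to dn.base="{{ ldap_basedn }}" attrs=entry,objectClass by * read` (plus any naming attribute the clients actually read), keeps descriptive attributes on that entry out of anonymous reach; quoting the DN also matches the `dn.children="…"` style on the rule below. A comment naming the client that needed this would explain why the rule sits before the authentication requirement.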
From eaf1b3ffb909b039c5cb8d24c23248923379defe Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 2 Feb 2025 15:24:20 +0000 Subject: [PATCH 525/596] backup_base: Add missing defaults file --- roles/backup_base/defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 roles/backup_base/defaults/main.yml diff --git a/roles/backup_base/defaults/main.yml b/roles/backup_base/defaults/main.yml new file mode 100644 index 0000000..2a14dc3 --- /dev/null +++ b/roles/backup_base/defaults/main.yml @@ -0,0 +1,3 @@ +--- +backup_datadir: >- + {% if ansible_local['export'] %}/export{% else %}/srv{% endif %}/backup From 5fdeef32e8378fe3b1919574f6ddd9a511eabb01 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 2 Feb 2025 15:39:26 +0000 Subject: [PATCH 526/596] Add apps.foo.sh virtual host --- playbooks/proxy.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index 7780db6..f5b232d 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -30,6 +30,12 @@ - role: nginx_site nginx_site_name: foo.sh nginx_site_redirect: https://www.foo.sh/ + - role: nginx_site + nginx_site_name: apps.foo.sh + nginx_site_load_balance_method: ip_hash + nginx_site_proxy: + - https://oci-node01.home.foo.sh + - https://oci-node02.home.foo.sh - role: nginx_site nginx_site_name: autoconfig.foo.sh - role: nginx_site From a226b1d5601c344d759e8714f03b53a7c0070bf2 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 2 Feb 2025 15:41:45 +0000 Subject: [PATCH 527/596] Fix ldap_master variable handling --- playbooks/ldap.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/playbooks/ldap.yml b/playbooks/ldap.yml index 7379a52..6c97c98 100644 --- a/playbooks/ldap.yml +++ b/playbooks/ldap.yml @@ -19,7 +19,7 @@ passno: "0" dump: "0" state: mounted - when: ldap_master is defined + when: ldap_master vars_files: - "{{ ansible_private }}/vars.yml" 
@@ -28,8 +28,8 @@ - base - ldap_server - role: kadmin - when: ldap_master is defined + when: ldap_master - role: ldap_netdb - when: ldap_master is defined + when: ldap_master - role: ldap_gravatar - when: ldap_master is defined + when: ldap_master From 80ac346c4e64168840d8e5ca85ba68f69f3230a7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 2 Feb 2025 15:42:09 +0000 Subject: [PATCH 528/596] nginx: Fix removing old logs --- roles/nginx/files/nginx-logrotate.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/files/nginx-logrotate.sh b/roles/nginx/files/nginx-logrotate.sh index 8fe8338..b7fc0cf 100755 --- a/roles/nginx/files/nginx-logrotate.sh +++ b/roles/nginx/files/nginx-logrotate.sh @@ -20,7 +20,7 @@ for log in *.log ; do find_rotated "$log" | while read -r name; do num="$(echo "$name" | awk -F. '{ print $NF }')" if [ "$num" -gt 7 ]; then - rm -f "$log" + rm -f "${log}.${num}" fi done done From 39e504dd61c89901da35f5a9bc242761e7b5db3d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 6 Feb 2025 07:52:21 +0000 Subject: [PATCH 529/596] Update gitea to 1.23.3 --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 5c9c473..8ccb647 100644 --- a/hosts.yml +++ b/hosts.yml @@ -26,7 +26,7 @@ gitea: hosts: gitea02.home.foo.sh: vars: - gitea_version: "1.22.6" + gitea_version: "1.23.3" gitearunner: hosts: gitea-runner02.home.foo.sh: From 423cafe98d84ef80ee4e7672042a84c7d906b36d Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 7 Feb 2025 07:25:45 +0000 Subject: [PATCH 530/596] routeros_firmware: Use dedicated user for download --- roles/routeros_firmware/tasks/main.yml | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/roles/routeros_firmware/tasks/main.yml b/roles/routeros_firmware/tasks/main.yml index 248abde..024b37d 100644 --- a/roles/routeros_firmware/tasks/main.yml +++ b/roles/routeros_firmware/tasks/main.yml 
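Review bot: `rm -f "${log}.${num}"` in nginx-logrotate.sh rebuilds the file name from `$log` and the suffix awk extracted, which is the right file only as long as `find_rotated` (defined above the hunk) returns names of exactly that shape; `rm -f "$name"` removes the file that was actually found and cannot drift from it. The numeric test `[ "$num" -gt 7 ]` also errors on any rotated name whose last component is not a number, a `.gz` suffix for instance, so a `case "$num" in *[!0-9]*) continue ;; esac` guard before it would make the script safe if compression is ever enabled. The enclosing loop starts outside this hunk.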
@@ -1,11 +1,26 @@ --- +- name: Create group + ansible.builtin.group: + name: routeros + system: true + +- name: Create user + ansible.builtin.user: + name: routeros + comment: RouterOS Downloader + group: routeros + create_home: false + home: /var/empty + shell: /sbin/nologin + system: true + - name: Create download directory ansible.builtin.file: path: /srv/web/oob.foo.sh/routeros state: directory - mode: "0755" + mode: "0775" owner: root - group: "{{ ansible_wheel }}" + group: routeros - name: Install README.md ansible.builtin.copy: @@ -27,5 +42,6 @@ ansible.builtin.cron: name: download-routeros-firmware job: /usr/local/bin/download-routeros-firmware + user: routeros hour: "05" minute: "25" From 821e783702686f533fc39fd9c374ee7136c73ac0 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 8 Feb 2025 17:25:34 +0000 Subject: [PATCH 531/596] Update DNA gw IP's --- group_vars/ns.yml | 2 +- roles/pf/files/pf.conf.gw_home | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/ns.yml b/group_vars/ns.yml index 5a6101f..2a284b1 100644 --- a/group_vars/ns.yml +++ b/group_vars/ns.yml @@ -1,6 +1,6 @@ --- firewall_in: - - {proto: tcp, port: 22, from: [172.20.20.0/22, 212.149.248.65/32]} + - {proto: tcp, port: 22, from: [172.20.20.0/22, 212.149.225.204/32]} - {proto: tcp, port: 53} - {proto: udp, port: 53} - {proto: tcp, port: 80} diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/files/pf.conf.gw_home index 981f783..3f211fb 100644 --- a/roles/pf/files/pf.conf.gw_home +++ b/roles/pf/files/pf.conf.gw_home 
@@ -43,7 +43,7 @@ antispoof for vio1 pass in quick on $int_if proto tcp from $int_net to self port ssh pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh -pass in quick on $ext_if proto tcp from 212.149.228.253/32 to self port ssh +pass in quick on $ext_if proto tcp from 212.149.225.198/32 to self port ssh # node_exporter and unbound_exporter from internal network pass in quick on $int_if proto tcp from $int_net to self port 9100 From f3d9e52f7e51f3f267deb28edc5d41b6829508cc Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 15 Feb 2025 17:16:17 +0000 Subject: [PATCH 532/596] Fix install order on dna-gw hosts --- playbooks/dna-gw.yml | 90 +++++++++++++++++++------------------------- 1 file changed, 38 insertions(+), 52 deletions(-) diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml index 7a8e99b..17cb310 100644 --- a/playbooks/dna-gw.yml +++ b/playbooks/dna-gw.yml @@ -14,7 +14,6 @@ roles: - base - - ifstated - dhcpd - nginx - role: nginx_site @@ -23,23 +22,6 @@ - websockify tasks: - - name: Use configured dns servers and domain name - ansible.builtin.copy: - dest: /etc/dhcpleased.conf - content: | - interface vio1 { - ignore dns - } - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - - - name: Disable resolvd - ansible.builtin.service: - name: resolvd - state: stopped - enabled: false - - name: Enable ip forwarding ansible.posix.sysctl: name: "{{ item }}" 
@@ -52,6 +34,44 @@ - name: Run handlers to get interfaces configured ansible.builtin.meta: flush_handlers + - name: Import ifstated role + ansible.builtin.import_role: + name: ifstated + + - name: Copy DNS private key + ansible.builtin.copy: + dest: "{{ tls_private }}/dns.home.foo.sh.key" + src: "{{ item }}" + mode: "0600" + owner: root + group: "{{ ansible_wheel }}" + with_first_found: + - /srv/letsencrypt/live/dns.home.foo.sh/privkey.pem + - "/srv/ca/private/{{ inventory_hostname }}.key" + tags: certificates + notify: Restart unbound + + - name: Copy DNS certificate and ca cert + ansible.builtin.copy: + dest: "{{ tls_certs }}/dns.home.foo.sh.crt" + src: "{{ item }}" + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + with_first_found: + - /srv/letsencrypt/live/dns.home.foo.sh/fullchain.pem + - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt" + tags: certificates + notify: Restart unbound + + - name: Import unbound role + ansible.builtin.import_role: + name: unbound + + - name: Import unbound_exporter role + ansible.builtin.import_role: + name: unbound_exporter + - name: Create tftp boot directories ansible.builtin.file: path: /srv/tftpboot/etc 
@@ -120,37 +140,3 @@ owner: root group: "{{ ansible_wheel }}" notify: Restart nginx - - - name: Copy DNS private key - ansible.builtin.copy: - dest: "{{ tls_private }}/dns.home.foo.sh.key" - src: "{{ item }}" - mode: "0600" - owner: root - group: "{{ ansible_wheel }}" - with_first_found: - - /srv/letsencrypt/live/dns.home.foo.sh/privkey.pem - - "/srv/ca/private/{{ inventory_hostname }}.key" - tags: certificates - notify: Restart unbound - - - name: Copy DNS certificate and ca cert - ansible.builtin.copy: - dest: "{{ tls_certs }}/dns.home.foo.sh.crt" - src: "{{ item }}" - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - with_first_found: - - /srv/letsencrypt/live/dns.home.foo.sh/fullchain.pem - - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt" - tags: certificates - notify: Restart unbound - - - name: Import unbound role - ansible.builtin.import_role: - name: unbound - - - name: Import unbound_exporter role - ansible.builtin.import_role: - name: unbound_exporter From cc7698436f7548a51e7bde7602d7be0e50ef1b46 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 16 Feb 2025 16:24:20 +0000 Subject: [PATCH 533/596] Update frigate to 0.15.0 --- hosts.yml | 2 +- roles/frigate/templates/frigate.yml.j2 | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts.yml b/hosts.yml index 8ccb647..49408cd 100644 --- a/hosts.yml +++ b/hosts.yml @@ -17,7 +17,7 @@ frigate: hosts: frigate02.home.foo.sh: vars: - frigate_version: "0.14.1" + frigate_version: "0.15.0" fsolgw: hosts: fsol-gw01.home.foo.sh: diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2 index b1045d6..08c83f7 100644 --- a/roles/frigate/templates/frigate.yml.j2 +++ b/roles/frigate/templates/frigate.yml.j2 @@ -19,9 +19,9 @@ record: retain: days: 7 mode: motion - events: + detections: retain: - default: 30 + days: 30 mode: motion cameras: From b6f4b8cd51aa05239591a968985807f3bc53d746 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sun, 16 Feb 2025 17:02:14 +0000 Subject: [PATCH 534/596] Update software versions --- hosts.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/hosts.yml b/hosts.yml index 49408cd..c11e15b 100644 --- a/hosts.yml +++ b/hosts.yml @@ -36,7 +36,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2025.1" + homeassistant_version: "2025.2" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git @@ -44,7 +44,7 @@ homeassistant: - name: espsomfy_rts repo: https://github.com/rstrouse/ESPSomfy-RTS-HA.git version: v2.4.7 - nodered_version: 4.0.8 + nodered_version: 4.0.9 influxdb: hosts: influxdb01.home.foo.sh: @@ -80,7 +80,7 @@ nms: nms01.home.foo.sh: nms02.home.foo.sh: vars: - snmp_exporter_version: "0.26.0" + snmp_exporter_version: "0.28.0" ns: hosts: ns01.home.foo.sh: @@ -91,9 +91,9 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "11.3.1" - rocketchat_version: "7.3.0" - roundcube_version: "1.6.9" + grafana_version: "11.4.1" + rocketchat_version: "7.3.1" + roundcube_version: "1.6.10" print: hosts: print01.home.foo.sh: @@ -102,7 +102,7 @@ prometheus: prometheus01.home.foo.sh: vars: mysqld_exporter_version: "0.16.0" - nginx_exporter_version: "1.4.0" + nginx_exporter_version: "1.4.1" proxy: hosts: proxy01.home.foo.sh: From 5c7bb11c0c27825c630bb1829a36baf3aa4bdfe4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 16 Feb 2025 18:49:50 +0000 Subject: [PATCH 535/596] frigate: Fix config file permissions --- roles/frigate/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml index bc539d7..8189acd 100644 --- a/roles/frigate/tasks/main.yml +++ b/roles/frigate/tasks/main.yml 
@@ -47,7 +47,7 @@ ansible.builtin.template: dest: /etc/frigate.yml src: frigate.yml.j2 - mode: "0750" + mode: "0640" owner: root group: frigate notify: Restart frigate From 57e43b1396dcc326ac2ef98425d9db41d1c4fb3a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 20 Feb 2025 21:11:08 +0000 Subject: [PATCH 536/596] systemd_resolved: Don't use dns from connections --- roles/systemd_resolved/files/resolved.conf | 2 ++ roles/systemd_resolved/handlers/main.yml | 5 +++++ roles/systemd_resolved/tasks/main.yml | 9 +++++++++ 3 files changed, 16 insertions(+) create mode 100644 roles/systemd_resolved/files/resolved.conf diff --git a/roles/systemd_resolved/files/resolved.conf b/roles/systemd_resolved/files/resolved.conf new file mode 100644 index 0000000..e4d2629 --- /dev/null +++ b/roles/systemd_resolved/files/resolved.conf @@ -0,0 +1,2 @@ +[global-dns-domain-*] +servers=127.0.0.53 diff --git a/roles/systemd_resolved/handlers/main.yml b/roles/systemd_resolved/handlers/main.yml index 0bbce3d..dd37621 100644 --- a/roles/systemd_resolved/handlers/main.yml +++ b/roles/systemd_resolved/handlers/main.yml @@ -3,3 +3,8 @@ ansible.builtin.service: name: systemd-resolved state: restarted + +- name: Restart NetworkManager + ansible.builtin.service: + name: NetworkManager + state: restarted diff --git a/roles/systemd_resolved/tasks/main.yml b/roles/systemd_resolved/tasks/main.yml index 43371a6..bb690d6 100644 --- a/roles/systemd_resolved/tasks/main.yml +++ b/roles/systemd_resolved/tasks/main.yml @@ -21,6 +21,15 @@ group: "{{ ansible_wheel }}" notify: Restart systemd-resolved +- name: Do not use connection specific DNS servers + ansible.builtin.copy: + dest: /etc/NetworkManager/conf.d/resolved.conf + src: resolved.conf + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart NetworkManager + - name: Enable service ansible.builtin.service: name: systemd-resolved From 21e0c495935d799d358ddd03672727e8454452a9 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Thu, 20 Feb 2025 21:51:08 +0000 Subject: [PATCH 537/596] No need to disable resolvd after moving to unwind --- playbooks/fsol-gw.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/playbooks/fsol-gw.yml b/playbooks/fsol-gw.yml index 1dd8747..639bd27 100644 --- a/playbooks/fsol-gw.yml +++ b/playbooks/fsol-gw.yml @@ -12,13 +12,6 @@ vars_files: - "{{ ansible_private }}/vars.yml" - pre_tasks: - - name: Disable resolvd service - ansible.builtin.service: - name: resolvd - state: stopped - enabled: false - tasks: - name: Enable IP forwarding ansible.posix.sysctl: From 6cba945cb8684736b1478383768f52b294968810 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 20 Feb 2025 21:52:58 +0000 Subject: [PATCH 538/596] Move to static DNS servers and use DoT This now affects only Fedora and OpenBSD hosts --- group_vars/all.yml | 5 +++++ group_vars/fsolgw.yml | 1 - group_vars/home.yml | 5 +++++ group_vars/proxy.yml | 2 -- group_vars/relay.yml | 2 -- group_vars/vultr.yml | 4 ---- 6 files changed, 10 insertions(+), 9 deletions(-) create mode 100644 group_vars/home.yml delete mode 100644 group_vars/vultr.yml diff --git a/group_vars/all.yml b/group_vars/all.yml index 4814110..13c4354 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -31,5 +31,10 @@ boot_url: https://boot.foo.sh # ssh public keys for logsync user logsync_publickeys: "{{ lookup('file', '../files/ssh/logsync.pub') }}" +# default name servers +network_dns_servers: + - 8.8.8.8 + - 8.8.4.4 + # hardcode this for now ansible_datacenter: home diff --git a/group_vars/fsolgw.yml b/group_vars/fsolgw.yml index f45c486..6012a52 100644 --- a/group_vars/fsolgw.yml +++ b/group_vars/fsolgw.yml @@ -7,7 +7,6 @@ network_vip_interfaces: ip6addr: 2a00:4cc1:6:1006::1 ip6netmask: 64 pass: "{{ vip145_pass }}" -network_dns_servers: [172.20.20.10, 172.20.21.1, 172.20.21.2] # use custom firewall and ifstated config firewall_src: pf.conf.gw_fsol 
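Review bot: The new `network_dns_servers` default of `8.8.8.8`/`8.8.4.4` in group_vars/all.yml is rendered by `local.conf.j2` (visible in the following commit) with `DNSOverTLS=yes` and a server name taken from a PTR lookup performed on the controller at template time, so a failed or changed reverse record silently produces a name that strict DoT validation rejects on every host using the default. Storing the TLS name next to the address, e.g. `- {addr: 8.8.8.8, name: dns.google}`, and rendering it directly removes that dependency; the `#name` part is what resolved checks the server certificate against. A comment on the variable saying that the hosts validate these servers over TLS would also explain why the names matter.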
diff --git a/group_vars/home.yml b/group_vars/home.yml new file mode 100644 index 0000000..d8558c0 --- /dev/null +++ b/group_vars/home.yml @@ -0,0 +1,5 @@ +--- +network_dns_servers: + - 172.20.20.10 + - 172.20.20.11 + - 172.20.20.12 diff --git a/group_vars/proxy.yml b/group_vars/proxy.yml index bb5decb..ea7cba9 100644 --- a/group_vars/proxy.yml +++ b/group_vars/proxy.yml @@ -4,8 +4,6 @@ mem_size: 1024 # use bigger disk for os as we have web site data there dsk_size: 30 -network_dns_servers: - - 172.20.20.10 network_default_gateway: 37.16.96.145 network_vip_interfaces: diff --git a/group_vars/relay.yml b/group_vars/relay.yml index 622e743..a52f0b5 100644 --- a/group_vars/relay.yml +++ b/group_vars/relay.yml @@ -1,6 +1,4 @@ --- -network_dns_servers: - - 172.20.20.10 network_default_gateway: 37.16.96.145 network_vip_interfaces: diff --git a/group_vars/vultr.yml b/group_vars/vultr.yml deleted file mode 100644 index af46a03..0000000 --- a/group_vars/vultr.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -network_dns_servers: - - 8.8.8.8 - - 9.9.9.9 From d4d11508bcd3da59582136dcd405a54dc38e6a44 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 20 Feb 2025 22:15:04 +0000 Subject: [PATCH 539/596] systemd_resolved: Remove double spaces --- roles/systemd_resolved/templates/local.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/systemd_resolved/templates/local.conf.j2 b/roles/systemd_resolved/templates/local.conf.j2 index 23d7dc6..7d8e03d 100644 --- a/roles/systemd_resolved/templates/local.conf.j2 +++ b/roles/systemd_resolved/templates/local.conf.j2 @@ -1,4 +1,4 @@ [Resolve] -DNS={% for addr in network_dns_servers %}{{ addr }}#{{ lookup('community.general.dig', addr + '/PTR')[:-1] }} {% endfor %} +DNS={% for addr in network_dns_servers %}{{ addr }}#{{ lookup('community.general.dig', addr + '/PTR')[:-1] }} {% endfor %} DNSOverTLS=yes From 5f412a50c5f3b2e768c10492690ef787cc97d742 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Fri, 21 Feb 2025 15:46:57 +0000 Subject: [PATCH 540/596] unbound: Use multiple local forwarders --- roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 | 2 ++ roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 | 2 ++ roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2 | 2 ++ 3 files changed, 6 insertions(+) diff --git a/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 index 4fa13e5..3f51925 100644 --- a/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.frigate02.home.foo.sh.j2 @@ -29,6 +29,8 @@ remote-control: forward-zone: name: "." forward-addr: 172.20.20.10@853#dns.home.foo.sh + forward-addr: 172.20.20.11@853#dns.home.foo.sh + forward-addr: 172.20.20.12@853#dns.home.foo.sh {% for zone in unbound_zones %} auth-zone: diff --git a/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 index 5812def..c29a61c 100644 --- a/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2 @@ -29,6 +29,8 @@ remote-control: forward-zone: name: "." forward-addr: 172.20.20.10@853#dns.home.foo.sh + forward-addr: 172.20.20.11@853#dns.home.foo.sh + forward-addr: 172.20.20.12@853#dns.home.foo.sh {% for zone in unbound_zones %} auth-zone: diff --git a/roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2 index 46a4ab4..481064f 100644 --- a/roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2 +++ b/roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2 @@ -29,6 +29,8 @@ remote-control: forward-zone: name: "." forward-addr: 172.20.20.10@853#dns.home.foo.sh + forward-addr: 172.20.20.11@853#dns.home.foo.sh + forward-addr: 172.20.20.12@853#dns.home.foo.sh {% for zone in unbound_zones %} auth-zone: 
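Review bot: The same three `forward-addr` lines are now repeated verbatim in the frigate02, nms01 and print01 unbound templates, and `group_vars/home.yml` from the previous commit defines the identical addresses as `network_dns_servers`; rendering them from that variable keeps the forwarder list in one place, presuming these hosts are in the `home` group. The loop is short enough to quote: `{% for addr in network_dns_servers %}`, `  forward-addr: {{ addr }}@853#dns.home.foo.sh`, `{% endfor %}` in place of the three literal lines. This keeps the `@853#dns.home.foo.sh` TLS name per address, which unbound needs once `forward-tls-upstream: yes` is set above the hunk (not visible here, so worth confirming).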
From a793f59a33a721ec12ab6275a9f3af7876dfa19c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Mar 2025 19:09:07 +0000 Subject: [PATCH 541/596] ipsilon: Fix configuration --- roles/ipsilon/README.md | 28 +++++++++++++++++++ .../templates/ipsilon-container.service.j2 | 6 ++-- .../templates/ipsilon-container.sysconfig.j2 | 7 +++-- .../ipsilon/templates/openidc-static.conf.j2 | 4 +-- 4 files changed, 37 insertions(+), 8 deletions(-) create mode 100644 roles/ipsilon/README.md diff --git a/roles/ipsilon/README.md b/roles/ipsilon/README.md new file mode 100644 index 0000000..5e29d18 --- /dev/null +++ b/roles/ipsilon/README.md @@ -0,0 +1,28 @@ +== Creating openidc key == + +Create two rsa keys: +``` +openssl genrsa -out signing.key 4096 +openssl genrsa -out encryption.key 4096 +``` + +Create JWK keys: +``` +python3 -c ' +from datetime import datetime +from jwcrypto.jwk import JWK, JWKSet +keyset = JWKSet() +date = datetime.now().strftime("%Y%m%d") +with open("./signing.key", "r") as key: + jwkkey = JWK.from_pem(key.read().encode("UTF-8")) + jwkkey.update(use="sig") + jwkkey.update(kid=f"{date}-sig") + keyset.add(jwkkey) +with open("./encryption.key", "r") as key: + jwkkey = JWK.from_pem(key.read().encode("UTF-8")) + jwkkey.update(use="enc") + jwkkey.update(kid=f"{date}-enc") + keyset.add(jwkkey) +print(keyset.export()) +' +``` diff --git a/roles/ipsilon/templates/ipsilon-container.service.j2 b/roles/ipsilon/templates/ipsilon-container.service.j2 index d3fe6bf..2c08f94 100644 --- a/roles/ipsilon/templates/ipsilon-container.service.j2 +++ b/roles/ipsilon/templates/ipsilon-container.service.j2 
@@ -10,9 +10,9 @@ ExecStart=/usr/bin/podman run \ --rm -p 127.0.0.1:8011:80 \ --name ipsilon \ --env LDAP_* --env IPSILON_*\ - --volume={{ tls_certs }}/ca.crt:/etc/ssl/certs/ca.crt:ro \ - --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/ssl/certs/{{ inventory_hostname }}.crt:ro \ - --volume={{ tls_private }}/ipsilon.key:/etc/ssl/private/{{ inventory_hostname }}.key:ro \ + --volume={{ tls_certs }}/ca.crt:/etc/pki/tls/certs/ca.crt:ro \ + --volume={{ tls_certs }}/{{ inventory_hostname }}.crt:/etc/pki/tls/certs/{{ inventory_hostname }}.crt:ro \ + --volume={{ tls_private }}/ipsilon.key:/etc/pki/tls/private/{{ inventory_hostname }}.key:ro \ --volume={{ tls_private }}/openidc.key:/etc/ipsilon/openidc.key:ro \ --volume=/etc/ipsilon/openidc-static.conf:/etc/ipsilon/root/openidc-static.conf:rw \ ipsilon:latest diff --git a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 index 7a4ba72..4150eaf 100644 --- a/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 +++ b/roles/ipsilon/templates/ipsilon-container.sysconfig.j2 @@ -1,10 +1,11 @@ LDAP_BASEDN="{{ ldap_basedn }}" +LDAP_BINDPW="{{ ipsilon_ldap_pass }}" IPSILON_DB_USER="ipsilon" IPSILON_DB_PASS="{{ ipsilon_mysql_pass }}" IPSILON_DB_HOST="sqldb02.home.foo.sh" -IPSILON_DB_CA="/etc/ssl/certs/ca.crt" -IPSILON_DB_KEY="/etc/ssl/private/{{ inventory_hostname }}.key" -IPSILON_DB_CERT="/etc/ssl/certs/{{ inventory_hostname}}.crt" +IPSILON_DB_CA="{{ tls_certs }}/ca.crt" +IPSILON_DB_KEY="{{ tls_private }}/{{ inventory_hostname }}.key" +IPSILON_DB_CERT="{{ tls_certs }}/{{ inventory_hostname}}.crt" IPSILON_HOSTNAME="idp.foo.sh" IPSILON_OPENIDC_KEYID="{{ ipsilon_openidc_keyid }}" IPSILON_OPENIDC_SALT="{{ ipsilon_openidc_salt }}" diff --git a/roles/ipsilon/templates/openidc-static.conf.j2 b/roles/ipsilon/templates/openidc-static.conf.j2 index a200a3a..f6bb88d 100644 --- a/roles/ipsilon/templates/openidc-static.conf.j2 
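Review bot: The rewritten `IPSILON_DB_CA`/`IPSILON_DB_KEY`/`IPSILON_DB_CERT` values now use the host-side `{{ tls_certs }}` and `{{ tls_private }}` paths, but this sysconfig is handed into the container through `--env IPSILON_*` (previous hunk), where the same files are mounted at `/etc/pki/tls/certs/...` and `/etc/pki/tls/private/...`; the paths only line up if `tls_certs` and `tls_private` happen to equal those container paths, which the hunk does not show. Either keep the container-side path literal, e.g. `IPSILON_DB_CA="/etc/pki/tls/certs/ca.crt"`, or derive both the mount target and the env value from one variable so they cannot drift. The new `LDAP_BINDPW` line adds a second credential to a file whose contents become container environment variables; the task that writes this sysconfig (outside the hunk) should keep it root-owned and `0600`, and anyone able to run `podman inspect` on the host will see the value. Minor: `{{ inventory_hostname}}` on the `IPSILON_DB_CERT` line is missing the space before `}}`.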
+++ b/roles/ipsilon/templates/openidc-static.conf.j2 @@ -15,12 +15,12 @@ {{ client["name"] }} jwks_uri=null {{ client["name"] }} logo_uri=null {{ client["name"] }} policy_uri=null -{{ client["name"] }} redirect_uris=["{{ client["redirect_uri"] }}"] +{{ client["name"] }} redirect_uris={{ client["redirect_uris"] | ansible.builtin.to_json }} {{ client["name"] }} request_uris=[] {{ client["name"] }} require_auth_time=null {{ client["name"] }} response_types=["code"] {{ client["name"] }} subject_type="pairwise" {{ client["name"] }} sector_identifier_uri=null -{{ client["name"] }} token_endpoint_auth_method="client_secret_post" +{{ client["name"] }} token_endpoint_auth_method="{{ client["token_endpoint_auth_method"] | default("client_secret_post") }}" {{ client["name"] }} tos_uri=null {% endfor %} From 4c7c0e3261259d7450ae3faab237083bcefc3a34 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Mar 2025 19:10:16 +0000 Subject: [PATCH 542/596] audiobookshelf: Initial version of role --- .../files/audiobookshelf.default | 4 + roles/audiobookshelf/files/meta.md | 30 +++++++ roles/audiobookshelf/handlers/main.yml | 5 ++ roles/audiobookshelf/meta/main.yml | 3 + roles/audiobookshelf/tasks/main.yml | 90 +++++++++++++++++++ 5 files changed, 132 insertions(+) create mode 100644 roles/audiobookshelf/files/audiobookshelf.default create mode 100644 roles/audiobookshelf/files/meta.md create mode 100644 roles/audiobookshelf/handlers/main.yml create mode 100644 roles/audiobookshelf/meta/main.yml create mode 100644 roles/audiobookshelf/tasks/main.yml diff --git a/roles/audiobookshelf/files/audiobookshelf.default b/roles/audiobookshelf/files/audiobookshelf.default new file mode 100644 index 0000000..4b553f5 --- /dev/null +++ b/roles/audiobookshelf/files/audiobookshelf.default @@ -0,0 +1,4 @@ +METADATA_PATH=/srv/audiobookshelf/metadata +CONFIG_PATH=/srv/audiobookshelf/config +PORT=13378 +HOST=127.0.0.1 
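Review bot: `client["redirect_uris"]` on the new `redirect_uris=` line has no fallback, so any client still defined with the old singular `redirect_uri` key fails at template render time; if the inventory was not converted in the same commit, `{{ (client["redirect_uris"] | default([client["redirect_uri"]])) | ansible.builtin.to_json }}` keeps both shapes rendering until the data is migrated. Emitting the list through `to_json` is the right call here, since exact redirect-URI matching is what keeps authorization codes from being delivered to an unregistered URL, and hand-built quoting is where that check usually breaks. The `{% for %}` loop that defines `client` starts outside the hunk.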
diff --git a/roles/audiobookshelf/files/meta.md b/roles/audiobookshelf/files/meta.md new file mode 100644 index 0000000..5e22e02 --- /dev/null +++ b/roles/audiobookshelf/files/meta.md @@ -0,0 +1,30 @@ += Preparing files for upload = + +== Filenames == + +Filenames should always contain track number (and optionally disc number) with leading zeros first and subtitle after that. Few exmaples: + +``` +01. Luku.mp3 +01. Osa.mp3 +CD 1 - 01.mp3 +``` + +Directory should also contain `cover.jpg` with book cover picture and `desc.txt` containing book description. + +== Metadata (id3 tags) == + +First clear old tags then set new ones: + +``` +id3v2 -D "01. Osa.mp3" +id3v2 \ + --TPE1 "Douglas Adams" \ + --TALB "$(echo 'Linnunradan käsikirja liftareille' | iconv -f utf-8 -t iso-8859-1)" \ + --TCOM "$(echo 'Heikki Kinnunen,Pekka Autiovuori,Yrjö Järvinen,Martti Järvinen,Esa Saario,Kauko Helavirta,Aila Svedberg' | iconv -f utf-8 -t iso-8859-1)" \ + --TLAN "fi" \ + --TPUB "Yleisradio" \ + --TYER 1984 \ + --genre "Science Fiction/Fiction/Humor" \ + "01. Osa.mp3" +``` diff --git a/roles/audiobookshelf/handlers/main.yml b/roles/audiobookshelf/handlers/main.yml new file mode 100644 index 0000000..fd2df00 --- /dev/null +++ b/roles/audiobookshelf/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart audiobookshelf + ansible.builtin.service: + name: audiobookshelf + state: restarted diff --git a/roles/audiobookshelf/meta/main.yml b/roles/audiobookshelf/meta/main.yml new file mode 100644 index 0000000..954fabd --- /dev/null +++ b/roles/audiobookshelf/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: nginx} diff --git a/roles/audiobookshelf/tasks/main.yml b/roles/audiobookshelf/tasks/main.yml new file mode 100644 index 0000000..1bc2f99 --- /dev/null +++ b/roles/audiobookshelf/tasks/main.yml 
@@ -0,0 +1,90 @@ +--- +- name: Enable repository + ansible.builtin.yum_repository: + name: audiobookshelf + baseurl: https://raw.githubusercontent.com/lkiesow/audiobookshelf-rpm/el$releasever/ + description: Audiobookshelf el$releasever repository + gpgcheck: true + gpgkey: https://raw.githubusercontent.com/lkiesow/audiobookshelf-rpm/main/audiobookshelf-rpm.key + enabled: true + +- name: Install packcages + ansible.builtin.package: + name: audiobookshelf + state: present + +- name: Create data directories + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: "0770" + owner: root + group: audiobookshelf + with_items: + - /export/audiobookshelf + - /export/audiobookshelf/audiobooks + - /export/audiobookshelf/config + - /export/audiobookshelf/metadata + - /export/audiobookshelf/podcasts + - /export/audiobookshelf/radioplays + +- name: Link data directory + ansible.builtin.file: + dest: /srv/audiobookshelf + src: /export/audiobookshelf + state: link + owner: root + group: "{{ ansible_wheel }}" + follow: false + +- name: Copy naming instructions + ansible.builtin.copy: + dest: /srv/audiobookshelf/audiobooks/README.md + src: meta.md + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + +- name: Copy service config + ansible.builtin.copy: + dest: /etc/default/audiobookshelf + src: audiobookshelf.default + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart audiobookshelf + +- name: Enable service + ansible.builtin.service: + name: audiobookshelf + state: started + enabled: true + +- name: Allow nginx to connect audiobookshelf + ansible.posix.seboolean: + name: httpd_can_network_connect + state: true + persistent: true + +- name: Copy nginx config + ansible.builtin.copy: + dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/audiobookshelf.conf" + content: | + location / { + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host audiobooks.foo.sh; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header 
X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_http_version 1.1; + proxy_pass http://127.0.0.1:13378/; + location /audiobookshelf/api/upload { + # increase size to allow uploads + client_max_body_size 10g; + proxy_pass http://127.0.0.1:13378/api/upload; + } + } + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart nginx From ae7ec4680f164a40d530a263f4eab0310ea0c87f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Mar 2025 19:11:33 +0000 Subject: [PATCH 543/596] Add audiobook hosts --- group_vars/audiobooks.yml | 8 ++++++++ host_vars/audiobooks02.home.foo.sh.yml | 6 ++++++ hosts.yml | 4 ++++ playbooks/audiobooks.yml | 25 +++++++++++++++++++++++++ 4 files changed, 43 insertions(+) create mode 100644 group_vars/audiobooks.yml create mode 100644 host_vars/audiobooks02.home.foo.sh.yml create mode 100644 playbooks/audiobooks.yml diff --git a/group_vars/audiobooks.yml b/group_vars/audiobooks.yml new file mode 100644 index 0000000..4fcc30e --- /dev/null +++ b/group_vars/audiobooks.yml @@ -0,0 +1,8 @@ +--- +datadisks: + - {size: 50, type: hdd} + +firewall_in: + - {proto: tcp, port: 22, from: [172.20.20.0/22]} + - {proto: tcp, port: 443, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/host_vars/audiobooks02.home.foo.sh.yml b/host_vars/audiobooks02.home.foo.sh.yml new file mode 100644 index 0000000..d6cf2c6 --- /dev/null +++ b/host_vars/audiobooks02.home.foo.sh.yml @@ -0,0 +1,6 @@ +--- +vmhost: vmhost02.home.foo.sh +network_interfaces: + - device: eth0 + vlan: 20 + mac: "52:54:00:ac:dc:48" diff --git a/hosts.yml b/hosts.yml index c11e15b..429fe68 100644 --- a/hosts.yml +++ b/hosts.yml @@ -3,6 +3,9 @@ adm: hosts: adm01.home.foo.sh: adm02.home.foo.sh: +audiobooks: + hosts: + audiobooks02.home.foo.sh: backup: hosts: backup02.home.foo.sh: @@ -161,6 +164,7 @@ rocky8: rocky9: children: adm: + audiobooks: frigate: gitea: homeassistant: 
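Review bot: The `gpgkey:` in the first task fetches the signing key from the `main` branch of the same GitHub repository that serves the packages (`baseurl:`), so `gpgcheck: true` only proves the RPMs match whatever key that branch currently holds; a compromised or force-pushed repository can rotate both at once. Ship the key with the role and reference it, e.g. `gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-audiobookshelf` (file name illustrative) installed by a preceding `copy` task, so a key change shows up as a diff in this repository. The nginx snippet's `proxy_set_header Connection $connection_upgrade;` relies on a `map $http_upgrade $connection_upgrade` defined elsewhere in the nginx role (not visible here); worth confirming, because nginx refuses to start when the variable is undefined. Minor: `Install packcages` in the second task name is misspelled, and `with_items` can become `loop:`, the current idiom.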
diff --git a/playbooks/audiobooks.yml b/playbooks/audiobooks.yml new file mode 100644 index 0000000..3d8ce19 --- /dev/null +++ b/playbooks/audiobooks.yml @@ -0,0 +1,25 @@ +--- +- name: Deploy KVM virtual machines + ansible.builtin.import_playbook: include/deploy-kvm-guest.yml + vars: + myhosts: audiobooks + +- name: Configure instance + hosts: audiobooks + user: root + gather_facts: true + + pre_tasks: + - name: Mount /export + ansible.posix.mount: + name: /export + src: LABEL=/export + fstype: xfs + opts: noatime,nosuid,nodev + passno: "0" + dump: "0" + state: mounted + + roles: + - base + - audiobookshelf From bbe61d4180ea8c7ed9c5563bb831edb82e90dd06 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 1 Mar 2025 19:12:10 +0000 Subject: [PATCH 544/596] Add audiobooks.foo.sh virtual host --- playbooks/proxy.yml | 3 +++ roles/nginx_site/templates/audiobooks.foo.sh.conf.j2 | 3 +++ 2 files changed, 6 insertions(+) create mode 100644 roles/nginx_site/templates/audiobooks.foo.sh.conf.j2 diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index f5b232d..1968633 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -36,6 +36,9 @@ nginx_site_proxy: - https://oci-node01.home.foo.sh - https://oci-node02.home.foo.sh + - role: nginx_site + nginx_site_name: audiobooks.foo.sh + nginx_site_proxy: https://audiobooks02.home.foo.sh/ - role: nginx_site nginx_site_name: autoconfig.foo.sh - role: nginx_site diff --git a/roles/nginx_site/templates/audiobooks.foo.sh.conf.j2 b/roles/nginx_site/templates/audiobooks.foo.sh.conf.j2 new file mode 100644 index 0000000..e838c5f --- /dev/null +++ b/roles/nginx_site/templates/audiobooks.foo.sh.conf.j2 @@ -0,0 +1,3 @@ + # this should be changed to only affect uploads + client_max_body_size 10g; + From 4031afdbdbf3a6c77e4b5b805fc7fd0347b5cda2 Mon Sep 17 00:00:00 2001 
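Review bot: The `/export` mount in `pre_tasks` uses `opts: noatime,nosuid,nodev` without `noexec`, whereas the forgejo playbook added later in this series mounts its `/export` with `noatime,noexec,nosuid,nodev`; the filesystem only holds uploaded media, config and metadata, so `opts: noatime,noexec,nosuid,nodev` would remove an unnecessary place for executables to land. If audiobookshelf needs to execute anything under `/export` (not visible here), a comment on the mount explaining the omission would stop the next reader from adding it.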
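Review bot: `client_max_body_size 10g;` in the new vhost snippet applies to every request path on the public `audiobooks.foo.sh` front end, so any unauthenticated client can push multi-gigabyte bodies through the proxy to the backend; the accompanying comment already says it should be scoped to uploads. The backend config in the audiobookshelf role limits this to its `/audiobookshelf/api/upload` location, so mirroring that `location` block with `client_max_body_size 10g;` inside it (leaving the default elsewhere) would match, assuming the nginx_site role lets this template contribute `location` blocks. If that is not possible today, the `# this should be changed ...` comment should say why the limit is global and who owns the follow-up.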
From: Timo Makinen Date: Wed, 5 Mar 2025 17:29:25 +0000 Subject: [PATCH 545/596] Update rockechat version to 7.4.0 --- hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts.yml b/hosts.yml index 429fe68..3a69313 100644 --- a/hosts.yml +++ b/hosts.yml @@ -95,7 +95,7 @@ ocinode: oci-node02.home.foo.sh: vars: grafana_version: "11.4.1" - rocketchat_version: "7.3.1" + rocketchat_version: "7.4.0" roundcube_version: "1.6.10" print: hosts: From c479b7fcea2fc9184420d4b935f59d2f0df321ac Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 6 Mar 2025 19:22:39 +0000 Subject: [PATCH 546/596] forgejo: Initial version of role --- roles/forgejo/defaults/main.yml | 7 ++ roles/forgejo/files/forgejo.service | 16 +++++ roles/forgejo/handlers/main.yml | 5 ++ roles/forgejo/meta/main.yml | 4 ++ roles/forgejo/tasks/main.yml | 107 ++++++++++++++++++++++++++++ roles/forgejo/templates/app.ini.j2 | 78 ++++++++++++++++++++ 6 files changed, 217 insertions(+) create mode 100644 roles/forgejo/defaults/main.yml create mode 100644 roles/forgejo/files/forgejo.service create mode 100644 roles/forgejo/handlers/main.yml create mode 100644 roles/forgejo/meta/main.yml create mode 100644 roles/forgejo/tasks/main.yml create mode 100644 roles/forgejo/templates/app.ini.j2 diff --git a/roles/forgejo/defaults/main.yml b/roles/forgejo/defaults/main.yml new file mode 100644 index 0000000..848f7a1 --- /dev/null +++ b/roles/forgejo/defaults/main.yml @@ -0,0 +1,7 @@ +--- +forgejo_url: >- + {{ + "https://codeberg.org/forgejo/forgejo/releases/download/v" + + forgejo_version + "/forgejo-" + forgejo_version + "-" + + ansible_system | lower + "-amd64" + }} diff --git a/roles/forgejo/files/forgejo.service b/roles/forgejo/files/forgejo.service new file mode 100644 index 0000000..289ccdc --- /dev/null +++ b/roles/forgejo/files/forgejo.service 
@@ -0,0 +1,16 @@ +[Unit] +Description=Forgejo (Beyond coding. We forge.) +After=syslog.target +After=network.target + +[Service] +Type=simple +User=forgejo +Group=forgejo +WorkingDirectory=/srv/forgejo +ExecStart=/usr/local/bin/forgejo web --config /etc/forgejo/app.ini +Restart=always +Environment=HOME=/srv/forgejo FORGEJO_WORK_DIR=/srv/forgejo + +[Install] +WantedBy=multi-user.target diff --git a/roles/forgejo/handlers/main.yml b/roles/forgejo/handlers/main.yml new file mode 100644 index 0000000..4b650b4 --- /dev/null +++ b/roles/forgejo/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart forgejo + ansible.builtin.service: + name: forgejo + state: restarted diff --git a/roles/forgejo/meta/main.yml b/roles/forgejo/meta/main.yml new file mode 100644 index 0000000..d5e8ce4 --- /dev/null +++ b/roles/forgejo/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - {role: git} + - {role: nginx} diff --git a/roles/forgejo/tasks/main.yml b/roles/forgejo/tasks/main.yml new file mode 100644 index 0000000..4b8c6f2 --- /dev/null +++ b/roles/forgejo/tasks/main.yml 
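Review bot: The `[Service]` section runs a network-facing binary with no systemd sandboxing, even though the unit already pins `User=`/`Group=` and `WorkingDirectory=`; adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` would confine the process without affecting writes under `/srv/forgejo`, assuming Forgejo does not rewrite `/etc/forgejo/app.ini` at runtime (`ProtectSystem=full` makes `/usr`, `/boot` and `/etc` read-only). `After=syslog.target` is a long-obsolete target on systemd hosts and can be dropped; `After=network.target` is sufficient. Both are points of style for a new file rather than regressions from the gitea unit it replaces.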
@@ -0,0 +1,107 @@ +--- +- name: Install dependencies + ansible.builtin.package: + name: git-lfs + state: installed + +- name: Download binary + ansible.builtin.get_url: + url: "{{ forgejo_url }}" + checksum: "sha256:{{ forgejo_url }}.sha256" + dest: /usr/local/bin/forgejo + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart forgejo + +- name: Create group + ansible.builtin.group: + name: forgejo + gid: 303 + +- name: Create user + ansible.builtin.user: + name: forgejo + comment: Service Forgejo + createhome: false + group: forgejo + home: /var/empty + shell: /sbin/nologin + uid: 303 + +- name: Create config directory + ansible.builtin.file: + path: /etc/forgejo + state: directory + mode: "0750" + owner: root + group: forgejo + +- name: Create config + ansible.builtin.template: + dest: /etc/forgejo/app.ini + src: app.ini.j2 + mode: "0640" + owner: root + group: forgejo + notify: Restart forgejo + +- name: Create data directory + ansible.builtin.file: + path: /export/forgejo + state: directory + mode: "0750" + owner: forgejo + group: forgejo + +- name: Link data directory + ansible.builtin.file: + path: /srv/forgejo + state: link + src: /export/forgejo + owner: root + group: "{{ ansible_wheel }}" + follow: false + +- name: Create service file + ansible.builtin.copy: + dest: /etc/systemd/system/forgejo.service + src: forgejo.service + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart forgejo + +- name: Enable service + ansible.builtin.service: + name: forgejo + state: started + enabled: true + +- name: Allow nginx to connect forgejo + ansible.posix.seboolean: + name: httpd_can_network_connect + state: true + persistent: true + +- name: Copy nginx config + ansible.builtin.copy: + dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/forgejo.conf" + content: | + client_max_body_size 100m; + location / { + proxy_pass http://127.0.0.1:3000; + } + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart 
nginx + +- name: Add forgejo alias for root + ansible.builtin.blockinfile: + path: /root/.bashrc + block: | + # run forgejo as forgejo user + alias forgejo='sudo -u forgejo HOME=/srv/forgejo \ + GITEA_WORK_DIR=/srv/forgejo \ + /usr/local/bin/forgejo -c /etc/forgejo/app.ini' diff --git a/roles/forgejo/templates/app.ini.j2 b/roles/forgejo/templates/app.ini.j2 new file mode 100644 index 0000000..2355cb3 --- /dev/null +++ b/roles/forgejo/templates/app.ini.j2 
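Review bot: The root alias added by the last task exports `GITEA_WORK_DIR=/srv/forgejo`, while the unit file in this same commit sets `FORGEJO_WORK_DIR=/srv/forgejo`; Forgejo still honours the legacy name as far as I know, but the two invocations should agree — `GITEA_WORK_DIR=/srv/forgejo \` → `FORGEJO_WORK_DIR=/srv/forgejo \`. In `Download binary`, `checksum: "sha256:{{ forgejo_url }}.sha256"` fetches the digest from the same origin as the binary, so it guards against truncated or corrupted downloads but not against a substituted release; pinning the expected digest in the inventory next to `forgejo_version` (or verifying the release's detached signature in a separate step, if one is published) is the cheap improvement. `state: installed` in the first task is a deprecated alias for `state: present`, which the audiobookshelf role in this series already uses.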
@@ -0,0 +1,78 @@ +APP_NAME = foo.sh - GIT +RUN_USER = forgejo +RUN_MODE = prod + +[database] +DB_TYPE = mysql +HOST = sqldb02.home.foo.sh +NAME = forgejo +USER = forgejo +PASSWD = {{ forgejo_mysql_pass }} +SCHEMA = +SSL_MODE = true +CHARSET = utf8 +PATH = /srv/forgejo/data/forgejo.db +LOG_SQL = false + +[repository] +ROOT = /srv/forgejo/data/forgejo-repositories + +[server] +SSH_DOMAIN = localhost +DOMAIN = git.foo.sh +HTTP_ADDR = 127.0.0.1 +HTTP_PORT = 3000 +ROOT_URL = https://git.foo.sh/ +DISABLE_SSH = true +SSH_PORT = 22 +LFS_START_SERVER = true +LFS_JWT_SECRET = {{ forgejo_lfs_jwt_secret }} +OFFLINE_MODE = false + +[lfs] +PATH = /srv/forgejo/data/lfs + +[mailer] +ENABLED = false + +[service] +REGISTER_EMAIL_CONFIRM = false +ENABLE_NOTIFY_MAIL = false +DISABLE_REGISTRATION = true +ALLOW_ONLY_EXTERNAL_REGISTRATION = false +ENABLE_CAPTCHA = false +REQUIRE_SIGNIN_VIEW = false +DEFAULT_KEEP_EMAIL_PRIVATE = false +DEFAULT_ALLOW_CREATE_ORGANIZATION = true +DEFAULT_ENABLE_TIMETRACKING = true +NO_REPLY_ADDRESS = noreply.localhost + +[openid] +ENABLE_OPENID_SIGNIN = false +ENABLE_OPENID_SIGNUP = false + +[session] +PROVIDER = file + +[log] +MODE = console +LEVEL = info + +[repository.pull-request] +DEFAULT_MERGE_STYLE = merge + +[repository.signing] +DEFAULT_TRUST_MODEL = committer + +[security] +INSTALL_LOCK = true +INTERNAL_TOKEN = {{ forgejo_internal_token }} +PASSWORD_HASH_ALGO = pbkdf2 +REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128 +REVERSE_PROXY_LIMIT = 1 + +[actions] +ENABLED = true + +[oauth2] +JWT_SECRET = {{ gitea_oauth_jwt_secret }} From 9a5f632ce40331f4e64aa40fbfe178714788f1b0 Mon Sep 17 00:00:00 2001 
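Review bot: `[oauth2] JWT_SECRET = {{ gitea_oauth_jwt_secret }}` still references the gitea-named variable while every other secret in this template was renamed to `forgejo_*` (`forgejo_mysql_pass`, `forgejo_lfs_jwt_secret`, `forgejo_internal_token`); once the gitea roles are removed later in this series that name becomes a leftover that is easy to purge from the vault by mistake, so rename it to `{{ forgejo_oauth_jwt_secret }}` and carry the value over. `[database]` mixes the MySQL settings with `PATH = /srv/forgejo/data/forgejo.db`, which only applies to SQLite — dropping that line and the empty `SCHEMA =` avoids implying a second database exists. `REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128` with `HTTP_ADDR = 127.0.0.1` is the right pairing for a loopback-proxied instance.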
From: Timo Makinen Date: Thu, 6 Mar 2025 19:27:23 +0000 Subject: [PATCH 547/596] Add forgejo hosts --- group_vars/forgejo.yml | 8 ++++++++ host_vars/forgejo02.home.foo.sh.yml | 6 ++++++ hosts.yml | 6 ++++++ playbooks/forgejo.yml | 28 ++++++++++++++++++++++++++++ 4 files changed, 48 insertions(+) create mode 100644 group_vars/forgejo.yml create mode 100644 host_vars/forgejo02.home.foo.sh.yml create mode 100644 playbooks/forgejo.yml diff --git a/group_vars/forgejo.yml b/group_vars/forgejo.yml new file mode 100644 index 0000000..e80e98c --- /dev/null +++ b/group_vars/forgejo.yml @@ -0,0 +1,8 @@ +--- +datadisks: + - {size: 10, type: nvme} + +firewall_in: + - {proto: tcp, port: 22, from: [172.20.20.0/22]} + - {proto: tcp, port: 443, from: [172.20.20.0/22]} + - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/host_vars/forgejo02.home.foo.sh.yml b/host_vars/forgejo02.home.foo.sh.yml new file mode 100644 index 0000000..72e305b --- /dev/null +++ b/host_vars/forgejo02.home.foo.sh.yml @@ -0,0 +1,6 @@ +--- +vmhost: vmhost02.home.foo.sh +network_interfaces: + - device: eth0 + vlan: 20 + mac: 52:54:00:ac:dc:80 diff --git a/hosts.yml b/hosts.yml index 3a69313..517e1a1 100644 --- a/hosts.yml +++ b/hosts.yml @@ -16,6 +16,11 @@ dnagw: hosts: dna-gw01.home.foo.sh: dna-gw02.home.foo.sh: +forgejo: + hosts: + forgejo02.home.foo.sh: + vars: + forgejo_version: "10.0.1" frigate: hosts: frigate02.home.foo.sh: @@ -165,6 +170,7 @@ rocky9: children: adm: audiobooks: + forgejo: frigate: gitea: homeassistant: diff --git a/playbooks/forgejo.yml b/playbooks/forgejo.yml new file mode 100644 index 0000000..ab0ac1b --- /dev/null +++ b/playbooks/forgejo.yml 
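Review bot: `mac: 52:54:00:ac:dc:80` in the new `host_vars/forgejo02.home.foo.sh.yml` is unquoted, while the audiobooks host added two commits earlier quotes it (`mac: "52:54:00:ac:dc:48"`); this particular address contains hex letters so YAML 1.1 parsers will not read it as a sexagesimal integer, but an all-digit MAC would be, so `mac: "52:54:00:ac:dc:80"` keeps the files consistent and the trap closed. The `hosts.yml` hunk correctly quotes `forgejo_version: "10.0.1"`.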
@@ -0,0 +1,28 @@ +--- +- name: Deploy KVM virtual machines + ansible.builtin.import_playbook: include/deploy-kvm-guest.yml + vars: + myhosts: forgejo + +- name: Configure instance + hosts: forgejo + user: root + gather_facts: true + + vars_files: + - "{{ ansible_private }}/vars.yml" + + pre_tasks: + - name: Mount /export + ansible.posix.mount: + name: /export + src: LABEL=/export + fstype: xfs + opts: noatime,noexec,nosuid,nodev + passno: "0" + dump: "0" + state: mounted + + roles: + - base + - forgejo From b02af6f9e6bfe5ad667642c512239e175a365cf6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 6 Mar 2025 19:29:04 +0000 Subject: [PATCH 548/596] Remove gitea hosts --- group_vars/gitea.yml | 8 ------- group_vars/gitearunner.yml | 4 ---- host_vars/gitea-runner02.home.foo.sh.yml | 6 ----- host_vars/gitea02.home.foo.sh.yml | 6 ----- hosts.yml | 12 ---------- playbooks/gitea-runner.yml | 14 ------------ playbooks/gitea.yml | 28 ------------------------ 7 files changed, 78 deletions(-) delete mode 100644 group_vars/gitea.yml delete mode 100644 group_vars/gitearunner.yml delete mode 100644 host_vars/gitea-runner02.home.foo.sh.yml delete mode 100644 host_vars/gitea02.home.foo.sh.yml delete mode 100644 playbooks/gitea-runner.yml delete mode 100644 playbooks/gitea.yml diff --git a/group_vars/gitea.yml b/group_vars/gitea.yml deleted file mode 100644 index e80e98c..0000000 --- a/group_vars/gitea.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -datadisks: - - {size: 10, type: nvme} - -firewall_in: - - {proto: tcp, port: 22, from: [172.20.20.0/22]} - - {proto: tcp, port: 443, from: [172.20.20.0/22]} - - {proto: tcp, port: 9100, from: [172.20.20.0/22]} diff --git a/group_vars/gitearunner.yml b/group_vars/gitearunner.yml deleted file mode 100644 index 0b7f509..0000000 --- a/group_vars/gitearunner.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -firewall_in: - - {proto: tcp, port: 22, from: [172.20.20.0/22]} - - {proto: tcp, port: 9100, from: [172.20.20.0/22]} 
diff --git a/host_vars/gitea-runner02.home.foo.sh.yml b/host_vars/gitea-runner02.home.foo.sh.yml deleted file mode 100644 index 617957c..0000000 --- a/host_vars/gitea-runner02.home.foo.sh.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -vmhost: vmhost02.home.foo.sh -network_interfaces: - - device: eth0 - vlan: 20 - mac: 52:54:00:ac:dc:7c diff --git a/host_vars/gitea02.home.foo.sh.yml b/host_vars/gitea02.home.foo.sh.yml deleted file mode 100644 index 56bb5fa..0000000 --- a/host_vars/gitea02.home.foo.sh.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -vmhost: vmhost02.home.foo.sh -network_interfaces: - - device: eth0 - vlan: 20 - mac: 52:54:00:ac:dc:78 diff --git a/hosts.yml b/hosts.yml index 517e1a1..75013c2 100644 --- a/hosts.yml +++ b/hosts.yml @@ -30,16 +30,6 @@ fsolgw: hosts: fsol-gw01.home.foo.sh: fsol-gw02.home.foo.sh: -gitea: - hosts: - gitea02.home.foo.sh: - vars: - gitea_version: "1.23.3" -gitearunner: - hosts: - gitea-runner02.home.foo.sh: - vars: - gitea_runner_version: "0.2.6" homeassistant: hosts: homeassistant01.home.foo.sh: @@ -151,7 +141,6 @@ sftpbackup: fedora: children: - gitearunner: openbsd: children: backup: @@ -172,7 +161,6 @@ rocky9: audiobooks: forgejo: frigate: - gitea: homeassistant: influxdb: ldap: diff --git a/playbooks/gitea-runner.yml b/playbooks/gitea-runner.yml deleted file mode 100644 index c87211c..0000000 --- a/playbooks/gitea-runner.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -- name: Deploy KVM virtual machines - ansible.builtin.import_playbook: include/deploy-kvm-guest.yml - vars: - myhosts: gitearunner - -- name: Configure instance - hosts: gitearunner - user: root - gather_facts: true - - roles: - - base - - gitea_runner diff --git a/playbooks/gitea.yml b/playbooks/gitea.yml deleted file mode 100644 index 72fec32..0000000 --- a/playbooks/gitea.yml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -- name: Deploy KVM virtual machines - ansible.builtin.import_playbook: include/deploy-kvm-guest.yml - vars: - myhosts: gitea - -- name: Configure instance - hosts: gitea - user: root - gather_facts: true - - vars_files: - - "{{ ansible_private }}/vars.yml" - - pre_tasks: - - name: Mount /export - ansible.posix.mount: - name: /export - src: LABEL=/export - fstype: xfs - opts: noatime,noexec,nosuid,nodev - passno: "0" - dump: "0" - state: mounted - - roles: - - base - - gitea From ba2770c69679c1bd90992fa03f14bec3f16371c7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 6 Mar 2025 19:29:39 +0000 Subject: [PATCH 549/596] Remove obsolete gitea roles --- roles/gitea/defaults/main.yml | 6 -- roles/gitea/files/gitea.service | 16 ---- roles/gitea/handlers/main.yml | 5 - roles/gitea/meta/main.yml | 4 - roles/gitea/tasks/main.yml | 101 -------------------- roles/gitea/templates/app.ini.j2 | 80 ---------------- roles/gitea_runner/defaults/main.yml | 2 - roles/gitea_runner/files/act_runner.service | 14 --- roles/gitea_runner/files/config.yml | 50 ---------- roles/gitea_runner/handlers/main.yml | 5 - roles/gitea_runner/meta/main.yml | 4 - roles/gitea_runner/tasks/main.yml | 85 ---------------- 12 files changed, 372 deletions(-) delete mode 100644 roles/gitea/defaults/main.yml delete mode 100644 roles/gitea/files/gitea.service delete mode 100644 roles/gitea/handlers/main.yml delete mode 100644 roles/gitea/meta/main.yml delete mode 100644 roles/gitea/tasks/main.yml delete mode 100644 roles/gitea/templates/app.ini.j2 delete mode 100644 roles/gitea_runner/defaults/main.yml delete mode 100644 roles/gitea_runner/files/act_runner.service delete mode 100644 roles/gitea_runner/files/config.yml delete mode 100644 roles/gitea_runner/handlers/main.yml delete mode 100644 roles/gitea_runner/meta/main.yml delete mode 100644 roles/gitea_runner/tasks/main.yml 
diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml deleted file mode 100644 index 8581431..0000000 --- a/roles/gitea/defaults/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -gitea_url: >- - {{ - "https://dl.gitea.com/gitea/" + gitea_version + "/gitea-" + - gitea_version + "-" + ansible_system | lower + "-amd64" - }} diff --git a/roles/gitea/files/gitea.service b/roles/gitea/files/gitea.service deleted file mode 100644 index 0dfec4a..0000000 --- a/roles/gitea/files/gitea.service +++ /dev/null @@ -1,16 +0,0 @@ -[Unit] -Description=Gitea (Git with a cup of tea) -After=syslog.target -After=network.target - -[Service] -Type=simple -User=gitea -Group=gitea -WorkingDirectory=/srv/gitea -ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini -Restart=always -Environment=HOME=/srv/gitea GITEA_WORK_DIR=/srv/gitea - -[Install] -WantedBy=multi-user.target diff --git a/roles/gitea/handlers/main.yml b/roles/gitea/handlers/main.yml deleted file mode 100644 index a8e19c4..0000000 --- a/roles/gitea/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Restart gitea - ansible.builtin.service: - name: gitea - state: restarted diff --git a/roles/gitea/meta/main.yml b/roles/gitea/meta/main.yml deleted file mode 100644 index d5e8ce4..0000000 --- a/roles/gitea/meta/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -dependencies: - - {role: git} - - {role: nginx} diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml deleted file mode 100644 index 2eafa5e..0000000 --- a/roles/gitea/tasks/main.yml +++ /dev/null 
@@ -1,101 +0,0 @@ ---- -- name: Download binary - ansible.builtin.get_url: - url: "{{ gitea_url }}" - checksum: "sha256:{{ gitea_url }}.sha256" - dest: /usr/local/bin/gitea - mode: "0755" - owner: root - group: "{{ ansible_wheel }}" - notify: Restart gitea - -- name: Create group - ansible.builtin.group: - name: gitea - gid: 303 - -- name: Create user - ansible.builtin.user: - name: gitea - comment: Service Gitea - createhome: false - group: gitea - home: /var/empty - shell: /sbin/nologin - uid: 303 - -- name: Create config directory - ansible.builtin.file: - path: /etc/gitea - state: directory - mode: "0750" - owner: root - group: gitea - -- name: Create config - ansible.builtin.template: - dest: /etc/gitea/app.ini - src: app.ini.j2 - mode: "0640" - owner: root - group: gitea - notify: Restart gitea - -- name: Create data directory - ansible.builtin.file: - path: /export/gitea - state: directory - mode: "0750" - owner: gitea - group: gitea - -- name: Link data directory - ansible.builtin.file: - path: /srv/gitea - state: link - src: /export/gitea - owner: root - group: "{{ ansible_wheel }}" - follow: false - -- name: Create service file - ansible.builtin.copy: - dest: /etc/systemd/system/gitea.service - src: gitea.service - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - notify: Restart gitea - -- name: Enable service - ansible.builtin.service: - name: gitea - state: started - enabled: true - -- name: Allow nginx to connect gitea - ansible.posix.seboolean: - name: httpd_can_network_connect - state: true - persistent: true - -- name: Copy nginx config - ansible.builtin.copy: - dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/gitea.conf" - content: | - client_max_body_size 100m; - location / { - proxy_pass http://127.0.0.1:3000; - } - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - notify: Restart nginx - -- name: Add gitea alias for root - ansible.builtin.blockinfile: - path: /root/.bashrc - block: | - # run gitea as gitea user - alias 
gitea='sudo -u gitea HOME=/srv/gitea GITEA_WORK_DIR=/srv/gitea \ - /usr/local/bin/gitea -c /etc/gitea/app.ini' diff --git a/roles/gitea/templates/app.ini.j2 b/roles/gitea/templates/app.ini.j2 deleted file mode 100644 index 3a797b9..0000000 --- a/roles/gitea/templates/app.ini.j2 +++ /dev/null @@ -1,80 +0,0 @@ -APP_NAME = foo.sh - GIT -RUN_USER = gitea -RUN_MODE = prod - -[database] -DB_TYPE = mysql -HOST = sqldb02.home.foo.sh -NAME = gitea -USER = gitea -PASSWD = {{ gitea_mysql_pass }} -SCHEMA = -SSL_MODE = true -CHARSET = utf8 -PATH = /srv/gitea/data/gitea.db -LOG_SQL = false - -[repository] -ROOT = /srv/gitea/data/gitea-repositories - -[server] -SSH_DOMAIN = localhost -DOMAIN = git.foo.sh -HTTP_ADDR = 127.0.0.1 -HTTP_PORT = 3000 -ROOT_URL = https://git.foo.sh/ -DISABLE_SSH = true -SSH_PORT = 22 -LFS_START_SERVER = true -LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }} -OFFLINE_MODE = false - -[lfs] -PATH = /srv/gitea/data/lfs - -[mailer] -ENABLED = false - -[service] -REGISTER_EMAIL_CONFIRM = false -ENABLE_NOTIFY_MAIL = false -DISABLE_REGISTRATION = true -ALLOW_ONLY_EXTERNAL_REGISTRATION = false -ENABLE_CAPTCHA = false -REQUIRE_SIGNIN_VIEW = false -DEFAULT_KEEP_EMAIL_PRIVATE = false -DEFAULT_ALLOW_CREATE_ORGANIZATION = true -DEFAULT_ENABLE_TIMETRACKING = true -NO_REPLY_ADDRESS = noreply.localhost - -[openid] -ENABLE_OPENID_SIGNIN = false -ENABLE_OPENID_SIGNUP = false - -[session] -PROVIDER = file - -[log] -MODE = console -LEVEL = info -ROOT_PATH = /srv/gitea/log -ROUTER = console - -[repository.pull-request] -DEFAULT_MERGE_STYLE = merge - -[repository.signing] -DEFAULT_TRUST_MODEL = committer - -[security] -INSTALL_LOCK = true -INTERNAL_TOKEN = {{ gitea_internal_token }} -PASSWORD_HASH_ALGO = pbkdf2 -REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128 -REVERSE_PROXY_LIMIT = 1 - -[actions] -ENABLED = true - -[oauth2] -JWT_SECRET = {{ gitea_oauth_jwt_secret }} 
diff --git a/roles/gitea_runner/defaults/main.yml b/roles/gitea_runner/defaults/main.yml deleted file mode 100644 index bb9e11e..0000000 --- a/roles/gitea_runner/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -gitea_runner_version: main diff --git a/roles/gitea_runner/files/act_runner.service b/roles/gitea_runner/files/act_runner.service deleted file mode 100644 index 1533c88..0000000 --- a/roles/gitea_runner/files/act_runner.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=Act Runner for Gitea -After=syslog.target -After=network.target - -[Service] -User=act_runner -Group=act_runner -WorkingDirectory=/var/lib/act_runner -Environment=HOME=/var/lib/act_runner -ExecStart=/usr/local/bin/act_runner daemon -c /var/lib/act_runner/config.yml - -[Install] -WantedBy=multi-user.target diff --git a/roles/gitea_runner/files/config.yml b/roles/gitea_runner/files/config.yml deleted file mode 100644 index 641665f..0000000 --- a/roles/gitea_runner/files/config.yml +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -log: - # The level of logging, can be trace, debug, info, warn, error, fatal - level: info - -runner: - # Where to store the registration result. - file: .runner - # Execute how many tasks concurrently at the same time. - capacity: 1 - # Extra environment variables to run jobs from a file. - # It will be ignored if it's empty or the file doesn't exist. - env_file: .env - # The timeout for a job to be finished. - # Please note that the Gitea instance also has a timeout (3h by default) - # for the job. So the job could be stopped by the Gitea instance if it's - # timeout is shorter than this. - timeout: 3h - # Whether skip verifying the TLS certificate of the Gitea instance. - insecure: false - # The timeout for fetching the job from the Gitea instance. - fetch_timeout: 5s - # The interval for fetching the job from the Gitea instance. - fetch_interval: 2s - -cache: - # Enable cache server to use actions/cache. - enabled: true - # The directory to store the cache data. - # If it's empty, the cache data will be stored in $HOME/.cache/actcache. - dir: "" - # The host of the cache server. - # It's not for the address to listen, but the address to connect from job - # containers. So 0.0.0.0 is a bad choice, leave it empty to detect - # automatically. - host: "" - # The port of the cache server. - # 0 means to use a random available port. - port: 0 - -container: - # Which network to use for the job containers. Could be bridge, host, none, - # or the name of a custom network. - network: bridge - # Whether to use privileged mode or not when launching task containers - # (privileged mode is required for Docker-in-Docker). - privileged: false - # And other options to be used when the container is started - # (eg, --add-host=my.gitea.url:host-gateway). - options: diff --git a/roles/gitea_runner/handlers/main.yml b/roles/gitea_runner/handlers/main.yml deleted file mode 100644 index 3f4dbfd..0000000 --- a/roles/gitea_runner/handlers/main.yml +++ /dev/null 
@@ -1,5 +0,0 @@ ---- -- name: Restart act_runner - ansible.builtin.service: - name: act_runner - state: restarted diff --git a/roles/gitea_runner/meta/main.yml b/roles/gitea_runner/meta/main.yml deleted file mode 100644 index 4dfd1ac..0000000 --- a/roles/gitea_runner/meta/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -dependencies: - - {role: docker} - - {role: git} diff --git a/roles/gitea_runner/tasks/main.yml b/roles/gitea_runner/tasks/main.yml deleted file mode 100644 index d8eac04..0000000 --- a/roles/gitea_runner/tasks/main.yml +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -- name: Create group - ansible.builtin.group: - name: act_runner - system: true - -- name: Create user - ansible.builtin.user: - name: act_runner - system: true - comment: Gitea act_runner - create_home: false - home: /var/empty - group: act_runner - groups: - - docker - shell: /sbin/nologin - -- name: Install dependencies - ansible.builtin.package: - name: golang - state: installed - -- name: Download binary - ansible.builtin.get_url: - url: > - {{ - "https://gitea.com/gitea/act_runner/releases/download/v" + - gitea_runner_version + "/act_runner-" + gitea_runner_version + - "-" + ansible_system | lower + "-amd64" - }} - dest: /usr/local/bin/act_runner - mode: "0755" - owner: root - group: "{{ ansible_wheel }}" - notify: Restart act_runner - -- name: Create config directory - ansible.builtin.file: - path: /var/lib/act_runner - state: directory - mode: "0750" - owner: root - group: act_runner - -- name: Copy config file - ansible.builtin.copy: - dest: /var/lib/act_runner/.runner - src: "/srv/private/files/act_runner/{{ inventory_hostname }}.conf" - mode: "0640" - owner: root - group: act_runner - notify: Restart act_runner - -- name: Copy config file - ansible.builtin.copy: - dest: /var/lib/act_runner/config.yml - src: config.yml - mode: "0640" - owner: root - group: act_runner - notify: Restart act_runner - -- name: Create cache directory - ansible.builtin.file: - path: /var/lib/act_runner/.cache - state: directory - mode: "0770" - owner: root - group: act_runner - notify: Restart act_runner - -- name: Copy unit file - ansible.builtin.copy: - dest: /etc/systemd/system/act_runner.service - src: act_runner.service - mode: "0644" - owner: root - group: root - -- name: Enable service - ansible.builtin.service: - name: act_runner - state: started - enabled: true From 5bed0838005a706fb81a69db175a78f0512ac6d4 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Thu, 6 Mar 2025 19:30:25 +0000 Subject: [PATCH 550/596] Migrate gitea user to forgejo --- users.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/users.md b/users.md index 70e9176..7601659 100644 --- a/users.md +++ b/users.md @@ -9,7 +9,7 @@ entry empty. If only a group is created, leave the user entry empty. |------|------------|------------|-----------------| | 301 | influxdb | influxdb | | | 302 | mongod | mongod | | -| 303 | gitea | gitea | | +| 303 | forgejo | forgejo | | | 305 | prometheus | prometheus | | | 306 | backup | backup | | | 307 | minecraft | minecraft | | From 36947f349b4128566c099a9080eec38c234aa109 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 6 Mar 2025 19:31:01 +0000 Subject: [PATCH 551/596] Migrate from gitea to forgejo --- playbooks/proxy.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml index 1968633..da8b9b7 100644 --- a/playbooks/proxy.yml +++ b/playbooks/proxy.yml @@ -66,9 +66,12 @@ - role: nginx_site nginx_site_name: dns.home.foo.sh nginx_site_redirect: https://www.foo.sh/ + - role: nginx_site + nginx_site_name: forgejo.foo.sh + nginx_site_redirect: https://git.foo.sh/ - role: nginx_site nginx_site_name: git.foo.sh - nginx_site_proxy: https://gitea02.home.foo.sh/ + nginx_site_proxy: https://forgejo02.home.foo.sh/ - role: nginx_site nginx_site_name: gitea.foo.sh nginx_site_redirect: https://git.foo.sh/ From 020b2afa0d9ca166c85002bbccadbc7b9060ed05 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 6 Mar 2025 19:31:26 +0000 Subject: [PATCH 552/596] forgejo: Use correct variable for jwk key --- roles/forgejo/templates/app.ini.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/forgejo/templates/app.ini.j2 b/roles/forgejo/templates/app.ini.j2 index 2355cb3..a8a7716 100644 --- a/roles/forgejo/templates/app.ini.j2 +++ b/roles/forgejo/templates/app.ini.j2 
@@ -75,4 +75,4 @@ REVERSE_PROXY_LIMIT = 1 ENABLED = true [oauth2] -JWT_SECRET = {{ gitea_oauth_jwt_secret }} +JWT_SECRET = {{ forgejo_oauth_jwt_secret }} From cf87333ef89fcb643a549b706e5f5196dbb0a9b4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Thu, 6 Mar 2025 19:31:56 +0000 Subject: [PATCH 553/596] Update site.yml --- site.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/site.yml b/site.yml index a231b55..bee03dd 100644 --- a/site.yml +++ b/site.yml @@ -1,20 +1,20 @@ --- - name: Configure adm hosts ansible.builtin.import_playbook: playbooks/adm.yml +- name: Configure audiobooks hosts + ansible.builtin.import_playbook: playbooks/audiobooks.yml - name: Configure backup hosts ansible.builtin.import_playbook: playbooks/backup.yml - name: Configure collab hosts ansible.builtin.import_playbook: playbooks/collab.yml - name: Configure dna-gw hosts ansible.builtin.import_playbook: playbooks/dna-gw.yml +- name: Configure forgejo hosts + ansible.builtin.import_playbook: playbooks/forgejo.yml - name: Configure frigate hosts ansible.builtin.import_playbook: playbooks/frigate.yml - name: Configure fsol-gw hosts ansible.builtin.import_playbook: playbooks/fsol-gw.yml -- name: Configure gitea-runner hosts - ansible.builtin.import_playbook: playbooks/gitea-runner.yml -- name: Configure gitea hosts - ansible.builtin.import_playbook: playbooks/gitea.yml - name: Configure homeassistant hosts ansible.builtin.import_playbook: playbooks/homeassistant.yml - name: Configure influxdb hosts From ffe43b8498f757f3110d8008c6b5c019ccc247eb Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 8 Mar 2025 20:59:48 +0000 Subject: [PATCH 554/596] web_logs: Add script to combine log files --- roles/web_logs/files/combine-logs.py | 70 ++++++++++++++++++++++++++++ roles/web_logs/tasks/main.yml | 8 ++++ 2 files changed, 78 insertions(+) create mode 100644 roles/web_logs/files/combine-logs.py 
diff --git a/roles/web_logs/files/combine-logs.py b/roles/web_logs/files/combine-logs.py new file mode 100644 index 0000000..e7044fa --- /dev/null +++ b/roles/web_logs/files/combine-logs.py @@ -0,0 +1,70 @@ +#!/usr/bin/env python3 + +import argparse +import datetime +import os +import sys + +from time import mktime + + +def read_line(log, date=None): + while True: + line = log["fp"].readline().strip() + if not line: + raise EOFError + time = datetime.datetime.strptime( + " ".join(line.split()[3:5]), "[%d/%b/%Y:%H:%M:%S +0000]" + ) + if date is not None and time.strftime("%Y-%m-%d") != date: + continue + log["time"] = time + log["line"] = line + log["linenum"] += 1 + break + + +def combine_logs(logfiles, date=None): + logs = [] + for logfile in logfiles: + if os.stat(logfile).st_size == 0: + continue + logs.append( + {"fp": open(logfile, "r"), "line": None, "linenum": 0, "time": None} + ) + try: + read_line(logs[-1], date) + except EOFError: + del logs[-1] + + while True: + if len(logs) == 0: + break + logs = sorted(logs, key=lambda x: x["time"]) + print(logs[0]["line"]) + try: + read_line(logs[0], date) + except EOFError: + del logs[0] + + +def date_now(): + return datetime.datetime.now() + + +if __name__ == "__main__": + try: + parser = argparse.ArgumentParser() + parser.add_argument("-d", "--date", default=None) + parser.add_argument("logfiles", nargs="+") + args = parser.parse_args() + if args.date is not None: + if args.date == "today": + date = date_now().strftime("%Y-%m-%d") + elif args.date == "yesterday": + date = (date_now() - datetime.timedelta(days=1)).strftime("%Y-%m-%d") + else: + date = args.date + combine_logs(args.logfiles, date=date) + except KeyboardInterrupt: + sys.ext(1) diff --git a/roles/web_logs/tasks/main.yml b/roles/web_logs/tasks/main.yml index a9742f7..27bf8ab 100644 --- a/roles/web_logs/tasks/main.yml +++ b/roles/web_logs/tasks/main.yml 
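Review bot: Two of the added lines in combine-logs.py fail instead of doing their job: the `except KeyboardInterrupt` handler calls `sys.ext(1)`, which raises AttributeError (it should be `sys.exit(1)`), and when `-d` is not given `date` is never assigned, so `combine_logs(args.logfiles, date=date)` raises NameError on the default invocation. Initialising `date = None` before the `if args.date is not None:` branch fixes the second. The file objects opened in `combine_logs` are never closed; for a one-shot CLI that is tolerable, but a `finally` closing each `log["fp"]` would keep it tidy. A comment above the `strptime` in `read_line` should also say that a line whose 4th/5th fields are not a `[dd/Mon/yyyy:HH:MM:SS +0000]` timestamp, or that carries a non-UTC offset, raises ValueError/IndexError and aborts the whole merge, which may be intended for these access logs but is not stated anywhere.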
@@ -39,3 +39,11 @@ owner: root group: "{{ ansible_wheel }}" follow: false + +- name: Copy log combiner + ansible.builtin.copy: + dest: /usr/local/bin/combine-logs + src: combine-logs.py + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" From 1aaf78c3ab531a6f22edb57e317b1d654d307c2f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 11 Mar 2025 20:45:32 +0000 Subject: [PATCH 555/596] Update software versions --- hosts.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts.yml b/hosts.yml index 75013c2..73a073d 100644 --- a/hosts.yml +++ b/hosts.yml @@ -34,7 +34,7 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2025.2" + homeassistant_version: "2025.3" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git @@ -89,7 +89,7 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "11.4.1" + grafana_version: "11.4.2" rocketchat_version: "7.4.0" roundcube_version: "1.6.10" print: @@ -99,7 +99,7 @@ prometheus: hosts: prometheus01.home.foo.sh: vars: - mysqld_exporter_version: "0.16.0" + mysqld_exporter_version: "0.17.2" nginx_exporter_version: "1.4.1" proxy: hosts: From c2a39ecc56c21b41f41f832e04b3f1665d2566d9 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 2 Apr 2025 21:47:47 +0000 Subject: [PATCH 556/596] Add dhcpd to nms hosts --- group_vars/nms.yml | 3 ++ playbooks/nms.yml | 4 +++ roles/dhcpd/templates/dhcpd.conf.oob.j2 | 40 +++++++++++++++++++++++++ 3 files changed, 47 insertions(+) create mode 100644 roles/dhcpd/templates/dhcpd.conf.oob.j2 diff --git a/group_vars/nms.yml b/group_vars/nms.yml index b05d9f0..1f2f050 100644 --- a/group_vars/nms.yml +++ b/group_vars/nms.yml 
@@ -5,6 +5,9 @@ datadisks: unbound_zones: - 25.20.172.in-addr.arpa - oob.foo.sh +dhcpd_template: dhcpd.conf.oob.j2 +dhcpd_ldap_filter: >- + (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.oob.foo.sh)) network_vip_interfaces: - device: eth0 diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 856e221..969b6a5 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -58,6 +58,10 @@ ansible.builtin.import_role: name: unbound + - name: Import dhcpd role + ansible.builtin.import_role: + name: dhcpd + # convert this to role for restart support - name: Enable NTP server for oob network ansible.builtin.lineinfile: diff --git a/roles/dhcpd/templates/dhcpd.conf.oob.j2 b/roles/dhcpd/templates/dhcpd.conf.oob.j2 new file mode 100644 index 0000000..b1a9034 --- /dev/null +++ b/roles/dhcpd/templates/dhcpd.conf.oob.j2 @@ -0,0 +1,40 @@ + +authorative; +ddns-update-style none; + +# logging +on commit { + log(info, + concat("Client ", + binary-to-ascii(16, 8, ":", substring(hardware, 1, 6)), + " requests ", + binary-to-ascii(16, 8, ":", option dhcp-parameter-request-list), + " - ", + pick-first-value(option vendor-class-identifier, "no vendor-id"), + " - ", + pick-first-value(option user-class, "no user-class")) + ); +} + +shared-network OOBNET { + + subnet 172.20.25.0 netmask 255.255.255.0 { + default-lease-time 86400; + max-lease-time 604800; + option subnet-mask 255.255.255.0; + option broadcast-address 172.20.25.255; + + option domain-name "oob.foo.sh"; + option domain-name-servers 172.20.25.1, 172.20.25.2, 172.20.25.3; + use-host-decl-names on; + } + +{% for host in ldap_hosts.results %} + host {{ host['cn'] }} { + option host-name "{{ host['cn'] }}"; + hardware ethernet {{ host['macAddress'] }}; + fixed-address {{ host['ipHostNumber'] }}; + } +{% endfor %} + +} From b6bceb64a41e32068cd58d5c1183ecb47497a4e7 Mon Sep 17 00:00:00 2001 
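Review bot: `authorative;` on the first line of the new dhcpd.conf.oob.j2 is misspelled; the dhcpd keyword is `authoritative;`, and as far as I can tell dhcpd rejects an unknown statement with a parse error rather than ignoring it, so the server would not start with this file. The host blocks interpolate `cn`, `macAddress` and `ipHostNumber` straight from LDAP into config syntax, so a directory entry containing a `"`, `;` or `}` would break the whole file; if the dhcpd role's template task (outside this view) does not already carry `validate: "dhcpd -t -cf %s"`, the same pattern this series adds for nftables, it should, so a bad entry fails the play instead of taking DHCP down on the OOB network. The template also lacks the `{{ ansible_managed }}` header that keepalived.conf.j2 in the same tree has; `# {{ ansible_managed }}` as the first line would match.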
From: Timo Makinen Date: Fri, 4 Apr 2025 05:29:19 +0000 Subject: [PATCH 557/596] node_exporter: Use real tempfile --- .../files/node-exporter-run-textfile-collector.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/roles/node_exporter/files/node-exporter-run-textfile-collector.sh b/roles/node_exporter/files/node-exporter-run-textfile-collector.sh
index b8897ae..7a6d1a0 100755
--- a/roles/node_exporter/files/node-exporter-run-textfile-collector.sh
+++ b/roles/node_exporter/files/node-exporter-run-textfile-collector.sh
@@ -15,9 +15,10 @@ fi
 for script in /usr/local/libexec/node-exporter/*; do
 [ -x "$script" ] || continue
 target="${OUTDIR}/$(basename "$script")"
- if "$script" > "${target}.tmp" ; then
- mv "${target}.tmp" "${target}.prom"
+ tmpfile="$(mktemp -p "$OUTDIR")"
+ if "$script" > "$tmpfile" ; then
+ mv "$tmpfile" "$target"
 else
- rm -f "${target}.tmp"
+ rm -f "$tmpfile"
 fi
 done
From 56ed9010ac8c61707096a30c0ba8bff0df67a4e0 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 4 Apr 2025 05:46:33 +0000 Subject: [PATCH 558/596] node_exporter: Add verbose option --- .../node-exporter-run-textfile-collector.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
diff --git a/roles/node_exporter/files/node-exporter-run-textfile-collector.sh b/roles/node_exporter/files/node-exporter-run-textfile-collector.sh
index 7a6d1a0..97dd14c 100755
--- a/roles/node_exporter/files/node-exporter-run-textfile-collector.sh
+++ b/roles/node_exporter/files/node-exporter-run-textfile-collector.sh
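Review bot: The new `mv "$tmpfile" "$target"` drops the `.prom` suffix that the removed line wrote (`"${target}.prom"`), and node_exporter's textfile collector only picks up `*.prom` files from its directory, so unless the collector scripts are themselves named `*.prom` the metrics are now written but never exported. Keep the suffix on the target, `target="${OUTDIR}/$(basename "$script").prom"`, or add it at the `mv`. Separately, `mktemp` creates its file 0600, whereas the old redirection produced one under the script's `umask 022`; unless this runs as the same user as node_exporter, add `chmod 644 "$tmpfile"` before the `mv` so the exporter can read the result. The script's head (umask, OUTDIR selection) lies outside this hunk.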
@@ -6,19 +6,35 @@ umask 022 PATH="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin" +if [ "${1:-}" = "-v" ]; then + shift + VERBOSE=true +else + VERBOSE=false +fi + +if [ -n "${1:-}" ]; then + echo "Usage: $(basename "$0") [-v]" 1>&2 + exit 1 +fi + if [ "$(uname -s)" = "OpenBSD" ]; then OUTDIR="/var/db/node-exporter" else OUTDIR="/var/lib/prometheus/node-exporter" fi +"$VERBOSE" && echo "Using output directory '${OUTDIR}'" for script in /usr/local/libexec/node-exporter/*; do [ -x "$script" ] || continue + "$VERBOSE" && echo "Processing script '${script}'" target="${OUTDIR}/$(basename "$script")" tmpfile="$(mktemp -p "$OUTDIR")" if "$script" > "$tmpfile" ; then + "$VERBOSE" && echo " Success, updating stats" mv "$tmpfile" "$target" else + "$VERBOSE" && echo " Failure, skipping stats update" rm -f "$tmpfile" fi done From d282b132ab9909101345551fb5eb08f85c45085c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 4 Apr 2025 07:58:33 +0000 Subject: [PATCH 559/596] routeros_firmware: Fix tabs to spaces --- roles/routeros_firmware/files/download-routeros-firmware.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/routeros_firmware/files/download-routeros-firmware.sh b/roles/routeros_firmware/files/download-routeros-firmware.sh index b6784bc..1cdbd53 100644 --- a/roles/routeros_firmware/files/download-routeros-firmware.sh +++ b/roles/routeros_firmware/files/download-routeros-firmware.sh @@ -23,7 +23,7 @@ packageinfo=$(curl -sSf "https://mikrotik.com/download" | awk -F '"' ' url=$2 } else if (!found && url && $0 ~ /data-checksum-sha256/) { print url " " $6 - found = 1 + found = 1 } } ') From 776b562abe9f6cacfebf687e8b570dce04b60704 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 4 Apr 2025 16:01:43 +0000 Subject: [PATCH 560/596] routeros_firmware: Use real tmpfile --- .../files/download-routeros-firmware.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) 
diff --git a/roles/routeros_firmware/files/download-routeros-firmware.sh b/roles/routeros_firmware/files/download-routeros-firmware.sh index 1cdbd53..96260ca 100644 --- a/roles/routeros_firmware/files/download-routeros-firmware.sh +++ b/roles/routeros_firmware/files/download-routeros-firmware.sh @@ -46,15 +46,16 @@ if [ -z "$checksum" ]; then fi echo "Downloading new package '${packagename}'" -trap 'rm -f -- "${packagename}.tmp"' EXIT -curl -sSf -o "${packagename}.tmp" "$packageurl" +tmpfile="$(mktemp -p .)" +trap 'rm -f -- "$tmpfile"' EXIT +curl -sSf -o "$tmpfile" "$packageurl" -if [ "$(sha256sum "${packagename}.tmp" | cut -d " " -f 1)" != "$checksum" ]; then +if [ "$(sha256sum "$tmpfile" | cut -d " " -f 1)" != "$checksum" ]; then echo "ERR: Checksum check failed, not saving package" 1>&2 exit 1 fi -mv "${packagename}.tmp" "$packagename" +mv "$tmpfile" "$packagename" echo curl -sSf "https://cdn.mikrotik.com/routeros/$(echo "$packagename" | cut -d "-" -f 2)/CHANGELOG" From 95c66d976fe9b61e74ec9b2aac61b3aa10eb2b56 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 5 Apr 2025 16:35:24 +0000 Subject: [PATCH 561/596] Add mqtt-tail script to adm hosts --- playbooks/adm.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/playbooks/adm.yml b/playbooks/adm.yml index 69cfb42..3c2bd6c 100644 --- a/playbooks/adm.yml +++ b/playbooks/adm.yml @@ -53,6 +53,7 @@ - libvirt-client # kvm host client - make # generic building - mariadb # mariadb client tools + - mosquitto # mqtt reading - nano # more editors - nmap # check for open ports - nsd # check dns zone files 
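Review bot: With `mktemp -p .` the saved package now ends up mode 0600 after the `mv`, whereas the old `curl -o "${packagename}.tmp"` created it under the caller's umask; if anything other than the downloading user serves or reads these firmware files, add `chmod 644 "$tmpfile"` between the checksum check and the `mv`. The checksum check itself deserves a comment: the sha256 is scraped from the same mikrotik.com download page as the URL (see the awk block earlier in the script), so it catches truncated or corrupted transfers but offers no protection against a compromised origin; the HTTPS connection to mikrotik.com is the real trust anchor. Something like `# checksum comes from the same page as the URL: detects corruption, not a compromised origin` above the `if` would make that explicit.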
@@ -113,3 +114,27 @@ state: link owner: root group: "{{ ansible_wheel }}" + + - name: Add mqtt-tail script + ansible.builtin.copy: + dest: /usr/local/bin/mqtt-tail + content: | + #!/bin/sh + set -eu + if [ -n "${1:-}" ]; then + topic="$1" + shift + else + topic="#" + fi + if [ $# -ne 0 ]; then + echo "Usage: $(basename "$0") [topic]" 1>&2 + exit 1 + fi + exec mosquitto_sub -h mqtt02.home.foo.sh -v -t "$topic" \ + --cafile "{{ tls_certs }}/ca.crt" \ + --cert "{{ tls_certs }}/{{ inventory_hostname }}.crt" \ + --key "{{ tls_private }}/{{ inventory_hostname }}.key" \ + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" From d6cc79dcb3dcc18398f011c482bd00bf7ba0ea5b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 5 Apr 2025 17:37:56 +0000 Subject: [PATCH 562/596] Refactor mqtt topics for shelly plugs --- roles/homeassistant/templates/mqtt.yaml.j2 | 2 +- roles/mosquitto/templates/mosquitto.conf.j2 | 5 +++++ roles/telegraf/templates/telegraf.conf.j2 | 8 ++++---- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/roles/homeassistant/templates/mqtt.yaml.j2 b/roles/homeassistant/templates/mqtt.yaml.j2 index 8d70762..c0b7ac3 100644 --- a/roles/homeassistant/templates/mqtt.yaml.j2 +++ b/roles/homeassistant/templates/mqtt.yaml.j2 @@ -2,7 +2,7 @@ sensor: {% for shelly in shellies | selectattr("name", "match", "^shellyplug-s-") | list %} - name: Power Usage - state_topic: home/{{ shelly["room"] }}/{{ shelly["device"] }}/relay/0/power + state_topic: home/{{ shelly["room"] }}/{{ shelly["device"] }}/power unique_id: {{ shelly["name"] }} unit_of_measurement: W device: diff --git a/roles/mosquitto/templates/mosquitto.conf.j2 b/roles/mosquitto/templates/mosquitto.conf.j2 index 917467e..4232fba 100644 --- a/roles/mosquitto/templates/mosquitto.conf.j2 +++ b/roles/mosquitto/templates/mosquitto.conf.j2 
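Review bot: The last line of the embedded mqtt-tail script, `--key "{{ tls_private }}/{{ inventory_hostname }}.key" \`, ends with a line continuation that runs into end of file; sh tolerates a trailing backslash-newline at EOF, so it works today by accident, but any line appended below it later would silently become an argument to `mosquitto_sub`. Drop the trailing `\`. The script is installed 0755 but reads the host key from `{{ tls_private }}`, so it will only work for root or whoever can read that key; a header comment such as `# Tail MQTT topics on mqtt02 with this host's TLS client cert; needs read access to the host key` would save the next admin a confusing permission error.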
@@ -12,5 +12,10 @@ bridge_certfile {{ tls_certs }}/{{ inventory_hostname }}.crt bridge_keyfile {{ tls_private }}/{{ inventory_hostname }}.key {% for shelly in shellies %} +{% if shelly['name'] | regex_search("^shellyplug-s-") %} +topic power out 0 shellies/{{ shelly['name'] }}/relay/0/ home/{{ shelly['room'] }}/{{ shelly['device'] }}/ +topic temperature out 0 shellies/{{ shelly['name'] }}/ home/{{ shelly['room'] }}/{{ shelly['device'] }}/ +{% else %} topic # out 0 shellies/{{ shelly['name'] }}/ home/{{ shelly['room'] }}/{{ shelly['device'] }}/ +{% endif %} {% endfor %} diff --git a/roles/telegraf/templates/telegraf.conf.j2 b/roles/telegraf/templates/telegraf.conf.j2 index 2f1056e..07b71ba 100644 --- a/roles/telegraf/templates/telegraf.conf.j2 +++ b/roles/telegraf/templates/telegraf.conf.j2 @@ -10,7 +10,7 @@ tls_cert = "{{ tls_certs }}/{{ inventory_hostname }}.crt" tls_key = "{{ tls_private }}/{{ inventory_hostname }}.key" topics = [ - "+/+/+/relay/0/power", + "+/+/+/power", "+/+/+/temperature", "+/+/+/sensor/battery", "+/+/+/sensor/lux", @@ -21,9 +21,9 @@ data_format = "value" [[inputs.mqtt_consumer.topic_parsing]] - topic = "+/+/+/relay/0/power" - tags = "location/room/device/_/_/_" - measurement = "_/_/_/_/_/measurement" + topic = "+/+/+/power" + tags = "location/room/device/_" + measurement = "_/_/_/power" [[inputs.mqtt_consumer.topic_parsing]] topic = "+/+/+/temperature" From 043104f062b92aaf33c0734cd0c29c62fbd15483 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 5 Apr 2025 18:48:16 +0000 Subject: [PATCH 563/596] network: Write keepalived interface status to file --- roles/network/files/keepalived-notify.sh | 7 ++++ roles/network/handlers/main.yml | 7 ++++ roles/network/tasks/RedHat.yml | 44 ++++++++++++++++++++++ roles/network/templates/keepalived.conf.j2 | 3 +- 4 files changed, 60 insertions(+), 1 deletion(-) create mode 100755 roles/network/files/keepalived-notify.sh 
diff --git a/roles/network/files/keepalived-notify.sh b/roles/network/files/keepalived-notify.sh new file mode 100755 index 0000000..bd709f9 --- /dev/null +++ b/roles/network/files/keepalived-notify.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +set -eu + +umask 022 + +echo "$3" > "/run/keepalived/${2}.state" diff --git a/roles/network/handlers/main.yml b/roles/network/handlers/main.yml index 290312a..945ccb9 100644 --- a/roles/network/handlers/main.yml +++ b/roles/network/handlers/main.yml @@ -12,6 +12,13 @@ - c - reload +- name: Refresh keepalived run directory + ansible.builtin.command: + argv: + - systemd-tmpfiles + - --create + - /etc/tmpfiles.d/keepalived.conf + - name: Restart keepalived ansible.builtin.service: name: keepalived diff --git a/roles/network/tasks/RedHat.yml b/roles/network/tasks/RedHat.yml index 96e3734..92b38c9 100644 --- a/roles/network/tasks/RedHat.yml +++ b/roles/network/tasks/RedHat.yml 
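Review bot: keepalived-notify.sh builds the output path from `$2` without checking the arguments, and nothing in the script says what they are. keepalived invokes notify scripts as `<script> INSTANCE|GROUP <name> <state> <priority>`, so `$2` is the instance name (here `VI_<vhid>` from the template) and `$3` the new state; a two-line header comment spelling that out is warranted. The name comes from keepalived's own config, so this is defence in depth rather than an exploitable path, but `[ $# -ge 3 ] || exit 1` gives a clearer failure than `set -u`, and `case "$2" in ""|*/*|.*) exit 1 ;; esac` keeps the write inside /run/keepalived even if the config or a future caller passes something odd.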
@@ -45,6 +45,50 @@ - network_vip_interfaces is defined - network_vip_interfaces != [] +- name: Create keepalived group + ansible.builtin.group: + name: keepalived + system: true + when: + - network_vip_interfaces is defined + - network_vip_interfaces != [] + +- name: Create keepalived user + ansible.builtin.user: + name: keepalived + comment: Service keepalived + createhome: false + group: keepalived + home: /var/empty + shell: /sbin/nologin + system: true + when: + - network_vip_interfaces is defined + - network_vip_interfaces != [] + +- name: Create run directory + ansible.builtin.copy: + dest: /etc/tmpfiles.d/keepalived.conf + content: "d /run/keepalived 755 keepalived keepalived" + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Refresh keepalived run directory + when: + - network_vip_interfaces is defined + - network_vip_interfaces != [] + +- name: Copy keepalived notify script + ansible.builtin.copy: + dest: /usr/local/libexec/keepalived-notify + src: keepalived-notify.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + when: + - network_vip_interfaces is defined + - network_vip_interfaces != [] + - name: Create keepalived config ansible.builtin.template: dest: /etc/keepalived/keepalived.conf diff --git a/roles/network/templates/keepalived.conf.j2 b/roles/network/templates/keepalived.conf.j2 index 83c873b..af8f792 100644 --- a/roles/network/templates/keepalived.conf.j2 +++ b/roles/network/templates/keepalived.conf.j2 @@ -1,7 +1,7 @@ ! {{ ansible_managed }} global_defs { - + script_user keepalived } {% for vip in network_vip_interfaces %} @@ -18,5 +18,6 @@ vrrp_instance VI_{{ vip.vhid }} { virtual_ipaddress { {{ vip.ipaddr }} } + notify /usr/local/libexec/keepalived-notify } {% endfor %} From a7860a01049e81f7fcc036cc6ac96de2ff27939e Mon Sep 17 00:00:00 2001 
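Review bot: `createhome: false` in the new "Create keepalived user" task is the deprecated alias; the rest of this repository uses `create_home: false` (the gitea_runner role removed earlier in this series did), so write `create_home: false` here as well. As a point of style, the four new tasks repeat the same two-line `when:` condition; wrapping them in a single `block:` with one `when: network_vip_interfaces | default([]) != []` keeps the guard in one place and makes it obvious that the `Refresh keepalived run directory` notification is subject to it too. The hunk continues into the existing "Create keepalived config" task, whose body is outside this view.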
From: Timo Makinen Date: Sat, 5 Apr 2025 19:29:52 +0000 Subject: [PATCH 564/596] network: Enable keepalived script security --- roles/network/templates/keepalived.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/network/templates/keepalived.conf.j2 b/roles/network/templates/keepalived.conf.j2 index af8f792..639eb3d 100644 --- a/roles/network/templates/keepalived.conf.j2 +++ b/roles/network/templates/keepalived.conf.j2 @@ -1,6 +1,7 @@ ! {{ ansible_managed }} global_defs { + enable_script_security script_user keepalived } From 46a15fb9cea2e05acbc516c33c38db16fd52f939 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 5 Apr 2025 19:51:35 +0000 Subject: [PATCH 565/596] nftables: Validate config before applying --- roles/nftables/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/nftables/tasks/main.yml b/roles/nftables/tasks/main.yml index 85a6424..5069a93 100644 --- a/roles/nftables/tasks/main.yml +++ b/roles/nftables/tasks/main.yml @@ -16,6 +16,7 @@ mode: "0600" owner: root group: "{{ ansible_wheel }}" + validate: "nft -c -f %s" notify: Reload nftables - name: Enable service From ededecd1670f6ffc7dbc488087372bca7b388aa6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 5 Apr 2025 19:51:54 +0000 Subject: [PATCH 566/596] nftables: Fix support for raw rules --- roles/nftables/templates/nftables.conf.j2 | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/nftables/templates/nftables.conf.j2 b/roles/nftables/templates/nftables.conf.j2 index 44f153c..067285c 100644 --- a/roles/nftables/templates/nftables.conf.j2 +++ b/roles/nftables/templates/nftables.conf.j2 @@ -8,6 +8,11 @@ table ip filter { ct state vmap { established : accept, related : accept } ip protocol icmp accept iifname lo accept +{% if firewall_raw is defined %} +{% for rule in firewall_raw %} + {{ rule }} +{% endfor %} +{% endif %} {% for rule in firewall_in %} {% if rule.from is defined %} {% for from in rule.from %} 
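Review bot: The new `firewall_raw`/`firewall_raw6` loops paste each entry verbatim into the `input` chain, but nothing in the template says the entries must be nft statements rather than the iptables `-A INPUT ...` strings the same variable carried before (the nms group_vars still holds that form until the following commit). A host that keeps an old-style entry now fails the `nft -c -f %s` validation added in this series, which is the right outcome, but a Jinja comment above the loop would make the contract explicit: `{# firewall_raw/firewall_raw6: verbatim nft statements for this chain, inserted before the firewall_in rules #}`. Consider also `{% for rule in firewall_raw | default([]) %}` in place of the `is defined` guard, the usual Ansible idiom for an optional list.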
@@ -35,6 +40,11 @@ table ip6 filter { type filter hook input priority 0; policy accept ct state vmap { established : accept, related : accept } ip6 nexthdr icmpv6 accept +{% if firewall_raw6 is defined %} +{% for rule in firewall_raw6 %} + {{ rule }} +{% endfor %} +{% endif %} {% for rule in firewall_in %} {% if rule.from is defined %} {% for from in rule.from %} From 5cedf628c853b7352e8926086f3e240fd8ba3226 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 5 Apr 2025 19:53:39 +0000 Subject: [PATCH 567/596] Fix firewall rules on nms hosts for VRRP --- group_vars/nms.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/group_vars/nms.yml b/group_vars/nms.yml index 1f2f050..cf78647 100644 --- a/group_vars/nms.yml +++ b/group_vars/nms.yml @@ -34,8 +34,7 @@ firewall_in: - {proto: tcp, port: 9100, from: [172.20.20.0/22]} - {proto: tcp, port: 9116, from: [172.20.20.0/22]} firewall_raw: - - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - - "-A INPUT -i eth1 -p vrrp -j ACCEPT" + - "ip daddr 224.0.0.0/8 accept" sssd_allow_groups: - sysadm From 4772b948fad74f88d2920d6133ea33bad7d3def6 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 5 Apr 2025 20:06:34 +0000 Subject: [PATCH 568/596] Fix vrrp priority from nms02 host --- host_vars/nms02.home.foo.sh.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/host_vars/nms02.home.foo.sh.yml b/host_vars/nms02.home.foo.sh.yml index 4e1a686..cb1b86b 100644 --- a/host_vars/nms02.home.foo.sh.yml +++ b/host_vars/nms02.home.foo.sh.yml @@ -17,4 +17,4 @@ network_interfaces: netmask: 255.255.255.248 proto: static -vip25_priority: 0 +vip25_priority: 1 From bfa41678221626df95f1214f495ea510fbf78b93 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 6 Apr 2025 15:16:27 +0000 Subject: [PATCH 569/596] network: Fix keepalived ip address config --- roles/network/templates/keepalived.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
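Review bot: The replacement rule `ip daddr 224.0.0.0/8 accept` drops the `-i eth1` scope of the two rules it replaces, so every interface on the nms hosts now accepts 224.0.0.0/8 multicast, and the explicit VRRP protocol accept is gone. VRRP advertisements go to 224.0.0.18, so the keepalived peers still see each other, but the old intent is preserved more faithfully with `- "iifname eth1 ip daddr 224.0.0.18 ip protocol vrrp accept"` (or at minimum `iifname eth1` on the current rule); unicast VRRP peers, if ever configured, would additionally need a plain `ip protocol vrrp accept`. Note too that 224.0.0.0/8 is not the multicast range (that is 224.0.0.0/4), another reason pinning the rule to 224.0.0.18 reads clearer.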
diff --git a/roles/network/templates/keepalived.conf.j2 b/roles/network/templates/keepalived.conf.j2 index 639eb3d..c68642d 100644 --- a/roles/network/templates/keepalived.conf.j2 +++ b/roles/network/templates/keepalived.conf.j2 @@ -17,7 +17,7 @@ vrrp_instance VI_{{ vip.vhid }} { auth_pass {{ vip.pass }} } virtual_ipaddress { - {{ vip.ipaddr }} + {{ vip.ipaddr }}/{{ (vip.ipaddr + '/' + vip.netmask) | ansible.utils.ipaddr('prefix') }} } notify /usr/local/libexec/keepalived-notify } From 2b8b9f69f71c86d46c429e2a5e578e04c7ad867b Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 6 Apr 2025 16:38:30 +0000 Subject: [PATCH 570/596] Fix netmask from virtual ip on nms hosts --- group_vars/nms.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/nms.yml b/group_vars/nms.yml index cf78647..bd86e46 100644 --- a/group_vars/nms.yml +++ b/group_vars/nms.yml @@ -18,7 +18,7 @@ network_vip_interfaces: - device: eth1 vhid: 25 ipaddr: 172.20.25.1 - netmask: 255.255.0.0 + netmask: 255.255.255.0 pass: "{{ vip25_pass }}" priority: "{{ vip25_priority }}" From 211e04ae992e5230de38cd599fed1f3c0dd70aad Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 6 Apr 2025 16:44:30 +0000 Subject: [PATCH 571/596] aten_pdu: First version of role --- .../files/ATEN-PE-CFG_str_1.3.128.mib | 5065 +++++++++++++++++ roles/aten_pdu/files/aten-mqtt-publish.sh | 54 + roles/aten_pdu/meta/main.yml | 3 + roles/aten_pdu/tasks/main.yml | 31 + 4 files changed, 5153 insertions(+) create mode 100644 roles/aten_pdu/files/ATEN-PE-CFG_str_1.3.128.mib create mode 100644 roles/aten_pdu/files/aten-mqtt-publish.sh create mode 100644 roles/aten_pdu/meta/main.yml create mode 100644 roles/aten_pdu/tasks/main.yml diff --git a/roles/aten_pdu/files/ATEN-PE-CFG_str_1.3.128.mib b/roles/aten_pdu/files/ATEN-PE-CFG_str_1.3.128.mib new file mode 100644 index 0000000..d3f0ae6 --- /dev/null +++ b/roles/aten_pdu/files/ATEN-PE-CFG_str_1.3.128.mib 
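Review bot: The prefix expression `vip.ipaddr + '/' + vip.netmask` relies on both values being strings; Jinja's `~` operator concatenates with string coercion and is the conventional form in Ansible templates, and the `host/prefix` query should return the address and prefix in one go, e.g. `{{ (vip.ipaddr ~ '/' ~ vip.netmask) | ansible.utils.ipaddr('host/prefix') }}`. A template comment noting that `ansible.utils.ipaddr` needs the `netaddr` Python package on the controller would help, since this is a controller-side dependency if the collection is not already used elsewhere in the repo. The vrrp_instance block continues outside the hunk.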
@@ -0,0 +1,5065 @@ + -- MIB version: 1.3.128 + + -- MIB release note + -- | date | MIB version | note + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 12/06/2021 | 1.3.128 | New dry contact sensor type: water leakage sensor + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 11/25/2020 | 1.3.127 | Add new OID: communityLock and passwordLock for California passes law + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 12/30/2019 | 1.3.126 | Add new OID: outletAlwaysON + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 06/22/2016 | 1.3.125 | delete OID: outletRemoteAccessLock , add OID: outletLocalAccessLock & outletSequentialReboot + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 04/28/2016 | 1.3.124 | Modify the string length in the description of outletName from 0~15 into 0~48 + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 04/06/2016 | 1.3.123 | Modify minimum environmental humidity range from 15% into 10% + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 02/22/2016 | 1.3.122 | Relocate OID: outletRemoteAccessLock + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 02/03/2016 | 1.3.121 | Add new OID: outletRemoteAccessLock + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 12/29/2015 | 1.1.119 | Add new OID: smtpPort 
+ -- -------------------------------------------------------------------------------------------------------------------------- + -- | 07/31/2015 | 1.1.118 | Add new OID: popPriorityList + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 07/13/2015 | 1.1.117 | Add Two dry contact & hide door sensor info + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 02/11/2015 | 1.1.116 | Syntax modification of POP modes + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 12/02/2014 | 1.1.115 | Wording modification + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 10/22/2014 | 1.1.114 | Add get/set function for new POP feature + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 07/28/2014 | 1.1.113 | Modify and unify responses of empty and not-support measurement values + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 10/31/2013 | 1.1.112 | updated mib to pass smilint level 3 + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 10/03/2013 | 1.1.111 | updated mib to pass smilint level 3 + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 08/09/2013 | 1.1.110 | Add outlet init mode + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 07/17/2013 | 1.1.109 | Add CAP Priority Settings + -- 
-------------------------------------------------------------------------------------------------------------------------- + -- | 07/05/2013 | 1.1.108 | Add Description and change some Syntax of oids + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 05/23/2013 | 1.1.107 | Change "usrEnable" order from 40 to 47 in "UsrListEntry" + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 05/21/2013 | 1.1.106 | Hide CAP function + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 05/14/2013 | 1.1.105 | Modify Power Threshold Description + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 05/07/2013 | 1.1.104 | Add CAP Function OID + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 04/26/2013 | 1.1.103 | Add Door Sensor Type OID + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 04/24/2013 | 1.1.102 | Modify Status Description of Door Sensor + -- -------------------------------------------------------------------------------------------------------------------------- + -- | 02/20/2013 | 1.1.101 | + -- -------------------------------------------------------------------------------------------------------------------------- + + -- ATEN International Co., Ltd. 
+ -- This file defines the mib struct of Management in PE series + -- We attach this mib node on enterprises.aten.atenProducts.overip.poweroverip.pe subtree + + +ATEN-PE-CFG DEFINITIONS ::= BEGIN + + IMPORTS + enterprises, IpAddress, Gauge, TimeTicks FROM RFC1155-SMI + enterprises FROM RFC1155-SMI + DisplayString FROM RFC1213-MIB + OBJECT-TYPE FROM RFC-1212 + TRAP-TYPE FROM RFC-1215 + MODULE-IDENTITY, + NOTIFICATION-TYPE FROM SNMPv2-SMI + KeyChange FROM SNMP-USER-BASED-SM-MIB + TEXTUAL-CONVENTION FROM SNMPv2-TC; + + + + aten MODULE-IDENTITY + LAST-UPDATED "201310311110Z" + ORGANIZATION "ATEN" + CONTACT-INFO "Aten, Inc." + DESCRIPTION + "ATEN PE MIB" + REVISION "201310311110Z" + DESCRIPTION + "updated mib to pass smilint level 3" + ::= { enterprises 21317 } + + + atenProducts OBJECT IDENTIFIER ::= { aten 1 } + overip OBJECT IDENTIFIER ::= { atenProducts 3 } + poweroverip OBJECT IDENTIFIER ::= { overip 2} + pe OBJECT IDENTIFIER ::= {poweroverip 2} + userManagement OBJECT IDENTIFIER ::= { pe 1 } + control OBJECT IDENTIFIER ::= { pe 2 } + device OBJECT IDENTIFIER ::= { control 1 } + pop OBJECT IDENTIFIER ::= { device 17 } + cap OBJECT IDENTIFIER ::= { device 18 } + outlet OBJECT IDENTIFIER ::= { control 2 } + bank OBJECT IDENTIFIER ::= { control 3 } +deviceManagement OBJECT IDENTIFIER ::= { pe 3 } + config OBJECT IDENTIFIER ::= { deviceManagement 4 } + dashBoard OBJECT IDENTIFIER ::= { config 4 } + servicePorts OBJECT IDENTIFIER ::= { config 5 } + ipv4config OBJECT IDENTIFIER ::= { config 6 } + eventNotification OBJECT IDENTIFIER ::= { config 7 } + devicesnmp OBJECT IDENTIFIER ::= { eventNotification 1 } + syslog OBJECT IDENTIFIER ::= { eventNotification 2 } + smtp OBJECT IDENTIFIER ::= { eventNotification 3 } + configurationNotification OBJECT IDENTIFIER ::= { eventNotification 9 } + + + dateTime OBJECT IDENTIFIER ::= { config 8 } + timeZone OBJECT IDENTIFIER ::= { dateTime 1 } + manualInput OBJECT IDENTIFIER ::= { dateTime 2 } + networkTime OBJECT IDENTIFIER ::= { 
dateTime 3 } + + devicesecurity OBJECT IDENTIFIER ::= { deviceManagement 5 } + loginFailures OBJECT IDENTIFIER ::= { devicesecurity 1 } + workingMode OBJECT IDENTIFIER ::= { devicesecurity 2 } + accountPolicy OBJECT IDENTIFIER ::= { devicesecurity 3 } + loginRestriction OBJECT IDENTIFIER ::= { devicesecurity 4 } + ipFilter OBJECT IDENTIFIER ::= { loginRestriction 2 } + macFilter OBJECT IDENTIFIER ::= { loginRestriction 3 } + authentication OBJECT IDENTIFIER ::= { devicesecurity 5 } + radius OBJECT IDENTIFIER ::= { authentication 1 } +--deviceLock OBJECT IDENTIFIER ::= { pe 4 } +--CPM OBJECT IDENTIFIER ::= { pe 7 } +-- CPMDevice OBJECT IDENTIFIER ::= { CPM 9 } +-- Sensor OBJECT IDENTIFIER ::= { CPM 10 } +-- EnergySensor OBJECT IDENTIFIER ::= { CPM 11 } + + +--SNMPv3UsmAuthPrivProtocol ::= TEXTUAL-CONVENTION +-- STATUS current +-- DESCRIPTION +-- "This textual convention enumerates the authentication and privledge +-- protocol for USM configuration. +-- " +-- SYNTAX INTEGER +-- { +-- hmacMD5Auth(2), +-- hmacSHAAuth(3) +-- desPrivProtocol(5), +-- aesPrivProtocol(6) +-- } + +-- Device Control +modelName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Indicate PE device model name." + ::= { device 1 } + +deviceName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The name of PE device. + string length: 1~39 + NOTE: Input string as /empty to set this object to NULL. + " + ::= { device 2 } + +deviceValueTable OBJECT-TYPE + SYNTAX SEQUENCE OF DeviceValueEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Device value table. This table displays device's current, voltage, power and + power dissipation. + " + ::= { device 3 } + +deviceValueEntry OBJECT-TYPE + SYNTAX DeviceValueEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Single deviceValue entry containing device info." 
+ INDEX { deviceValueIndex } + ::= { deviceValueTable 1 } + +DeviceValueEntry ::= + SEQUENCE { + deviceValueIndex + INTEGER, + deviceCurrent + DisplayString, + deviceVoltage + DisplayString, + devicePower + DisplayString, + devicePowerDissipation + DisplayString, + inputMaxVoltage + INTEGER, + inputMaxCurrent + INTEGER, + powerCapacity + INTEGER, + devicePowerFactor + DisplayString + } + +deviceValueIndex OBJECT-TYPE + SYNTAX INTEGER (1) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of deviceValue." + ::= { deviceValueEntry 1 } +deviceCurrent OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Device electric current value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { deviceValueEntry 2 } +deviceVoltage OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Device voltage value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { deviceValueEntry 3 } +devicePower OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Device power value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { deviceValueEntry 4 } + +devicePowerDissipation OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Device power dissipation value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { deviceValueEntry 5 } + +inputMaxVoltage OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Device input Voltage value. unit:(V) + If the device does not support this OID, we show value 0. 
+ " + ::= { deviceValueEntry 6 } + +inputMaxCurrent OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Device input Current value. unit:(A) + If the device does not support this OID, we show value 0." + ::= { deviceValueEntry 7 } + +powerCapacity OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Device power Capacity value.unit:(VA) + If the device does not support this OID, we show value 0." + ::= { deviceValueEntry 8 } + +devicePowerFactor OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Device power Factor value. + If the device does not support this OID, it returns: not-support." + ::= { deviceValueEntry 9 } + +sensorValueTable OBJECT-TYPE + SYNTAX SEQUENCE OF SensorValueEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Device's sensor value table. This table displays sensor's temperature, humidity and + pressure. + " + ::= { device 4 } + +sensorValueEntry OBJECT-TYPE + SYNTAX SensorValueEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Single device's sensor value entry containing device info." + INDEX { sensorValueIndex } + ::= { sensorValueTable 1 } + +SensorValueEntry ::= + SEQUENCE { + sensorValueIndex + INTEGER, + sensorTemperature + DisplayString, + sensorHumidity + DisplayString, + sensorPressure + DisplayString, + sensorProperty + INTEGER + } + +sensorValueIndex OBJECT-TYPE + SYNTAX INTEGER (1..6) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of sensor number." + ::= { sensorValueEntry 1 } +sensorTemperature OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Sensor's Temperature value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." 
+ ::= { sensorValueEntry 2 } +sensorHumidity OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Sensor's Humidity value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { sensorValueEntry 3 } +sensorPressure OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Sensor's Pressure value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { sensorValueEntry 4 } + +sensorProperty OBJECT-TYPE + SYNTAX INTEGER { intake(1), exhaust(2), floor(3) } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Sensor's Property." + ::= { sensorValueEntry 5 } + +deviceOutletStatusTable OBJECT-TYPE + SYNTAX SEQUENCE OF DeviceOutletStatusEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Device outlet status value table." + ::= { device 5 } + +deviceOutletStatusEntry OBJECT-TYPE + SYNTAX DeviceOutletStatusEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Single deviceOutletStatus entry containing device info." + INDEX { deviceOutletStatusIndex } + ::= { deviceOutletStatusTable 1 } + +DeviceOutletStatusEntry ::= + SEQUENCE { + deviceOutletStatusIndex + INTEGER, + displayOutletStatus + INTEGER + + } + +deviceOutletStatusIndex OBJECT-TYPE + SYNTAX INTEGER (1..30) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of deviceOutletStatus" + ::= { deviceOutletStatusEntry 1 } +displayOutletStatus OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), fault(4), noauth(5), not-support(6), pop(7) } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Display outlet status." 
+ ::= { deviceOutletStatusEntry 2 } + + +deviceConfigTable OBJECT-TYPE + SYNTAX SEQUENCE OF DeviceConfigEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Device configuration table" + ::= { device 6 } + +deviceConfigEntry OBJECT-TYPE + SYNTAX DeviceConfigEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Single deviceConfig entry containing device info." + INDEX { deviceConfigIndex } + ::= { deviceConfigTable 1 } + +DeviceConfigEntry ::= + SEQUENCE { + deviceConfigIndex + INTEGER, + deviceMinCurMT + INTEGER, + deviceMaxCurMT + INTEGER, + + deviceMinVolMT + INTEGER, + deviceMaxVolMT + INTEGER, + deviceMinPMT + INTEGER, + deviceMaxPMT + INTEGER, + + --deviceMinPDMT + --INTEGER, + deviceMaxPDMT + INTEGER + --deviceCurFlu + -- INTEGER, + --deviceVolFlu + -- INTEGER, + --devicePFlu + -- INTEGER + --devicePDFlu + --INTEGER + } + +deviceConfigIndex OBJECT-TYPE + SYNTAX INTEGER (1) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of deviceConfig" + ::= { deviceConfigEntry 1 } +deviceMinCurMT OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set device minimum electric current measurement threshold. + Example: range 0.0~32.0 represents 0~320. + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceConfigEntry 2 } +deviceMaxCurMT OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set device maximum electric current measurement threshold. + Example: range 0.0~32.0 represents 0~320 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." 
+ ::= { deviceConfigEntry 3 } + +deviceMinVolMT OBJECT-TYPE + SYNTAX INTEGER (900..2600 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set device minimum voltage measurement threshold. + Exapmple: range 90.0~260.0 represents 900~2600 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceConfigEntry 4 } + +deviceMaxVolMT OBJECT-TYPE + SYNTAX INTEGER (900..2600 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set device maximum voltage measurement threshold. + Example: range 90.0~260.0 represents 900~2600 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceConfigEntry 5 } + +deviceMinPMT OBJECT-TYPE + SYNTAX INTEGER (0..99999 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set device minimum power measurement threshold. + Example: range 0.0 ~ 9999.9 represents 0~99999 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceConfigEntry 6 } + +deviceMaxPMT OBJECT-TYPE + SYNTAX INTEGER (0..99999 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set device maximum power measurement threshold. + Example: range 0.0 ~ 9999.9 represents 0~99999 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceConfigEntry 7 } + +--deviceCurFlu OBJECT-TYPE + --SYNTAX INTEGER + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display device electric current fluctuation threshold. 
+ -- Fluctuation Range = (MaxThreshold-MinThreshold)/2 x10 + -- When this value is -3000,it indicate this is NULL. + -- When set this value to -3000, indicate set this object as NULL. + -- NOTICE:Minimum threshold should be setted smaller than Maxima threshold + -- " + --::= { deviceConfigEntry 9 } + +--deviceVolFlu OBJECT-TYPE + --SYNTAX INTEGER + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display device voltage fluctuation threshold. + -- Fluctuation Range = (MaxThreshold-MinThreshold)/2 x10 + -- When this value is -3000,it indicate this is NULL. + -- When set this value to -3000, indicate set this object as NULL. + -- NOTICE:Minimum threshold should be setted smaller than Maxima threshold + -- " + --::= { deviceConfigEntry 10 } + +--devicePFlu OBJECT-TYPE + --SYNTAX INTEGER + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display device power fluctuation threshold. + -- Fluctuation Range = (MaxThreshold-MinThreshold)/2 x10 + -- When this value is -3000,it indicate this is NULL. + -- When set this value to -3000, indicate set this object as NULL. + -- NOTICE:Minimum threshold should be setted smaller than Maxima threshold + -- " + --::= { deviceConfigEntry 11 } + +--deviceMinPDMT OBJECT-TYPE + --SYNTAX INTEGER (0..2000) + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display or set device minimum power dissipation measurement threshold." + --::= { deviceConfigEntry 8 } +deviceMaxPDMT OBJECT-TYPE + SYNTAX INTEGER (0..999990 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set device maximum power dissipation measurement threshold. + Example: range 0.0 ~ 99999.0 represents 0~999990 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." 
+ ::= { deviceConfigEntry 8 } +--devicePDFlu OBJECT-TYPE + --SYNTAX INTEGER (0..2000) + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display device power dissipation fluctuation threshold." + --::= { deviceConfigEntry 13 } + + +deviceSensorTresholdTable OBJECT-TYPE + SYNTAX SEQUENCE OF DeviceSensorTresholdEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Device environment value table" + ::= { device 7 } + +deviceSensorTresholdEntry OBJECT-TYPE + SYNTAX DeviceSensorTresholdEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Device's sensor Environment entry containing sensor info." + INDEX { deviceSensorTresholdIndex } + ::= { deviceSensorTresholdTable 1 } + +DeviceSensorTresholdEntry ::= + SEQUENCE { + deviceSensorTresholdIndex + INTEGER, + sensorMinTempMT + INTEGER, + sensorMaxTempMT + INTEGER, + + sensorMinHumMT + INTEGER, + sensorMaxHumMT + INTEGER, + sensorMinPressMT + INTEGER, + sensorMaxPressMT + INTEGER + --sensorTempFlu + --INTEGER, + --sensorHumFlu + --INTEGER, + --sensorPressFlu + --INTEGER + } + +deviceSensorTresholdIndex OBJECT-TYPE + SYNTAX INTEGER (1..6) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of sensor number" + ::= { deviceSensorTresholdEntry 1 } + +sensorMinTempMT OBJECT-TYPE + SYNTAX INTEGER (-200..600 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set sensor minimum temperature measurement threshold. + Example: range -20.0 ~ 60.0 represents -200~600 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceSensorTresholdEntry 2 } +sensorMaxTempMT OBJECT-TYPE + SYNTAX INTEGER (-200..600 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set sensor maximum temperature measurement threshold. 
+ Example: range -20.0 ~ 60.0 represents -200~600 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceSensorTresholdEntry 3 } + +sensorMinHumMT OBJECT-TYPE + SYNTAX INTEGER (100..950 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set sensor minimum humidity measurement threshold. + Example: range 10.0 ~ 95.0 represents 100~950 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceSensorTresholdEntry 4 } +sensorMaxHumMT OBJECT-TYPE + SYNTAX INTEGER (100..950 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set sensor maximum humidity measurement threshold. + Example: range 10.0 ~ 95.0 represents 100~950 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceSensorTresholdEntry 5 } + +sensorMinPressMT OBJECT-TYPE + SYNTAX INTEGER (-2500..2500 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set sensor minimum pressure measurement threshold. + Example: range -250.0 ~ 250.0 represents -2500 ~ 2500 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { deviceSensorTresholdEntry 6 } + +sensorMaxPressMT OBJECT-TYPE + SYNTAX INTEGER (-2500..2500 | -3000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set sensor maximum pressure measurement threshold. + Example: range -250.0 ~ 250.0 represents -2500 ~ 2500 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." 
+ ::= { deviceSensorTresholdEntry 7 } + +--sensorTempFlu OBJECT-TYPE + --SYNTAX INTEGER + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display sensor temperature fluctuation threshold. + -- Fluctuation Range = (MaxThreshold-MinThreshold)/2 x10 + -- When this value is -3000,it indicate this is NULL. + -- When set this value to -3000, indicate set this object as NULL. + -- NOTICE:Minimum threshold should be setted smaller than Maxima threshold + -- " + --::= { deviceEnvironmentEntry 8 } + +--sensorHumFlu OBJECT-TYPE + --SYNTAX INTEGER + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display sensor humidity fluctuation threshold. + -- Fluctuation Range = (MaxThreshold-MinThreshold)/2 x10 + -- When this value is -3000,it indicate this is NULL. + -- When set this value to -3000, indicate set this object as NULL. + -- NOTICE:Minimum threshold should be setted smaller than Maxima threshold + -- " + --::= { deviceEnvironmentEntry 9 } + + +--sensorPressFlu OBJECT-TYPE + --SYNTAX INTEGER + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display sensor pressure fluctuation threshold. + -- Fluctuation Range = (MaxThreshold-MinThreshold)/2 x10 + -- When this value is -3000,it indicate this is NULL. + -- When set this value to -3000, indicate set this object as NULL. + -- NOTICE:Minimum threshold should be setted smaller than Maxima threshold + -- " + --::= { deviceEnvironmentEntry 10 } + +deviceOutletControl OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), nostatus(3), not-support(4) } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " This function is used for all outlet ports control. + Set off(1) to turn off for all outlet ports. + Set on(2) to turn on for all outlet ports. + Get this object always return nostatus(3), because there is no device status. 
+ + " + ::= { device 8 } + +deviceOutletReboot OBJECT-TYPE + SYNTAX INTEGER { no(1), yes(2), not-support(4) } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " This function is used for all outlet ports to reboot. + Only when outlet status is ON can do outlet reboot action to all ports. + Set yes(2) to reboot all outlet ports. + Get this object always return no(1). + " + ::= { device 9 } + +switchable OBJECT-TYPE + SYNTAX INTEGER { no(1), yes(2), mix(3)} + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " Outlet is switchable or not." + ::= { device 10 } + +perportreading OBJECT-TYPE + SYNTAX INTEGER { no(1), yes(2) } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " Outlet is per-port reading or not." + ::= { device 11 } + +sensornumber OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " Sensor number." + ::= { device 12 } + +outletnumber OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " Outlet number." + ::= { device 13 } + +banknumber OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " Bank number." + ::= { device 14 } + +--chainnumber OBJECT-TYPE + --SYNTAX INTEGER + --MAX-ACCESS read-only + --STATUS current + --DESCRIPTION + -- " The slave device number." + --::= { device 15 } + +dryContactTable OBJECT-TYPE + SYNTAX SEQUENCE OF DryContactEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Device's Dry Contact table." + ::= { device 15 } + +dryContactEntry OBJECT-TYPE + SYNTAX DryContactEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Single device's dry contact value entry containing device info." 
+ INDEX { dryContactIndex } + ::= { dryContactTable 1 } + +DryContactEntry ::= + SEQUENCE { + dryContactIndex + INTEGER, + dryContactStatus + INTEGER, + dryContactType + INTEGER + } + +dryContactIndex OBJECT-TYPE + SYNTAX INTEGER (1..2) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of dry contact number." + ::= { dryContactEntry 1 } + +dryContactStatus OBJECT-TYPE + SYNTAX INTEGER { normal(0), alert(1), not-attached(2), not-support(10) } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Display dry contact status." + ::= { dryContactEntry 2 } + +dryContactType OBJECT-TYPE + SYNTAX INTEGER { notinstalled(0), photo(1), inductiveproximity(2), reed(3), waterleakage(4), not-support(10) } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Dry contact Type Selection" + ::= { dryContactEntry 3 } + +-- +-- pop +enablePOPmode OBJECT-TYPE + SYNTAX INTEGER {no(1), yes(2)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " Enable/Disable POP mode." + ::= { pop 1 } + +popThreshold OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " (-1)means default value same as Bank Max Current 16 A. + + Example: range 0.0~32.0 represents 0~320 + You can define the POP threshold or set as default(-1) value." + ::= { pop 2 } + +enableOutletPOPmode OBJECT-TYPE + SYNTAX INTEGER {no(1), yes(2), not-support(3)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " Enable/Disable Outlet POP mode." + ::= { pop 3 } + +enableLIFOPOPmode OBJECT-TYPE + SYNTAX INTEGER {no(1), yes(2), not-support(3)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " Enable/Disable LIFO POP mode." + ::= { pop 4 } + +enablePriorityPOPmode OBJECT-TYPE + SYNTAX INTEGER {no(1), yes(2), not-support(3)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " Enable/Disable Priority POP mode." 
+ ::= { pop 5 } + +popPriorityList OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Indicate Outlets' power OFF priorities under Priority POP mode. + Outlet Separator ',' + Bank Separator '#' + Assign each priority in each bank by Outlet index or zero (indicate N/A) with separators in ascendant order. + e.g. for model PE8324 ( Bank1: outlet 1 ~ 16, Bank2: outlet 17 ~ 24 ) + If you want to assign priority 2, 5 of Bank 1 with Outlet 14, 3, + and priority 2, 6, 8 with of Bank 2 with Outlet 17, 23, 24 and left the rest with N/A, + please type: 0,14,0,0,3,0,0,0,0,0,0,0,0,0,0,0#0,17,0,0,0,23,0,24 + " + ::= { pop 6} + +-- CAP +enableCAPmode OBJECT-TYPE + SYNTAX INTEGER {no(1), yes(2)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " Enable/Disable CAP mode." + ::= { cap 1 } + +outletCAPTable OBJECT-TYPE + SYNTAX SEQUENCE OF OutletCAPEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Outlet CAP table" + ::= { cap 2 } + +outletCAPEntry OBJECT-TYPE + SYNTAX OutletCAPEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Outlet CAP entry containing CAP info." + INDEX { outletCAPIndex } + ::= { outletCAPTable 1 } + +OutletCAPEntry ::= + SEQUENCE { + outletCAPIndex + INTEGER, + outletCAPPriority + INTEGER + } + +outletCAPIndex OBJECT-TYPE + SYNTAX INTEGER (1..40) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of outlet's CAP configuration" + ::= { outletCAPEntry 1 } + +outletCAPPriority OBJECT-TYPE + SYNTAX INTEGER (0..99) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the CAP Priority of outlet. + Priority 0 means this outlet does not support this OID." + ::= { outletCAPEntry 2 } +-- ontlet control init mode + +outletInitMode OBJECT-TYPE + SYNTAX INTEGER {no-delaytime(1), delaytime(2), not-support(3)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "choose outlet init mode you want." 
+ ::= { device 19 } + +-- outlet sequential reboot by crystal +outletSequentialReboot OBJECT-TYPE + SYNTAX INTEGER { no(1), yes(2), not-support(3) } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " This function is used to enable or disable all outlet ports to sequential reboot. + " + ::= { device 20 } + + +-- integer value + +--deviceIntegerValueTable OBJECT-TYPE +-- SYNTAX SEQUENCE OF DeviceIntegerValueEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "Device value table. This table displays device's current, voltage, power and +-- power dissipation. +-- " +-- ::= { device 99 } + +--deviceIntegerValueEntry OBJECT-TYPE +-- SYNTAX DeviceIntegerValueEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "Single deviceValue entry containing device info." +-- INDEX { deviceIntegerValueIndex } +-- ::= { deviceIntegerValueTable 1 } + +--DeviceIntegerValueEntry ::= +-- SEQUENCE { +-- deviceIntegerValueIndex +-- INTEGER, +-- deviceIntegerCurrent +-- INTEGER, +-- deviceIntegerVoltage +-- INTEGER, +-- deviceIntegerPower +-- INTEGER, +-- deviceIntegerPowerDissipation +-- INTEGER + --inputMaxVoltage + -- INTEGER, + --inputMaxCurrent + -- INTEGER, + --powerCapacity + -- INTEGER + --devicePowerFactor + -- INTEGER +-- } + +--deviceIntegerValueIndex OBJECT-TYPE +-- SYNTAX INTEGER (1) +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Index of deviceValue." +-- ::= { deviceIntegerValueEntry 1 } + +--deviceIntegerCurrent OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Device electric current value. +-- This value indicates that 1,000 times. +-- " +-- ::= { deviceIntegerValueEntry 2 } + +--deviceIntegerVoltage OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Device voltage value. 
+-- This value indicates that 1,000 times +-- " +-- ::= { deviceIntegerValueEntry 3 } + +--deviceIntegerPower OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Device power value. +-- This value indicates that 1,000 times. +-- " +-- ::= { deviceIntegerValueEntry 4 } + +--deviceIntegerPowerDissipation OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Device power dissipation value. +-- This value indicates that 1,000 times +-- " +-- ::= { deviceIntegerValueEntry 5 } + +--inputMaxVoltage OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Device input Voltage value. unit:(V)" +-- ::= { deviceValueEntry 6 } + +--inputMaxCurrent OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Device input Current value. unit:(A)" +-- ::= { deviceValueEntry 7 } + +--powerCapacity OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Device power Capacity value.unit:(VA)" +-- ::= { deviceValueEntry 8 } + +--devicePowerFactor OBJECT-TYPE +-- SYNTAX DisplayString +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Device power Factor value." +-- ::= { deviceValueEntry 9 } +-- + +--sensorIntegerValueTable OBJECT-TYPE +-- SYNTAX SEQUENCE OF SensorIntegerValueEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "Device's sensor value table. This table displays sensor's temperature, humidity and +-- pressure. +-- " +-- ::= { device 100 } + +--sensorIntegerValueEntry OBJECT-TYPE +-- SYNTAX SensorIntegerValueEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "Single device's sensor value entry containing device info." 
+-- INDEX { sensorIntegerValueIndex } +-- ::= { sensorIntegerValueTable 1 } + +--SensorIntegerValueEntry ::= +-- SEQUENCE { +-- sensorIntegerValueIndex +-- INTEGER, +-- sensorIntegerTemperature +-- INTEGER, +-- sensorIntegerHumidity +-- INTEGER, +-- sensorIntegerPressure +-- INTEGER + --sensorIntegerProperty + -- INTEGER +-- } + +--sensorIntegerValueIndex OBJECT-TYPE +-- SYNTAX INTEGER (1..6) +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Index of sensor number." +-- ::= { sensorIntegerValueEntry 1 } + +--sensorIntegerTemperature OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Sensor's Temperature value. +-- This value indicates that 1,000 times. +-- Value -300000 represents empty value." +-- ::= { sensorIntegerValueEntry 2 } + +--sensorIntegerHumidity OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Sensor's Humidity value. +-- This value indicates that 1,000 times. +-- Value -300000 represents empty value." +-- ::= { sensorIntegerValueEntry 3 } + +--sensorIntegerPressure OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Sensor's Pressure value. +-- This value indicates that 1,000 times. +-- Value -300000 represents empty value." +-- ::= { sensorIntegerValueEntry 4 } + +--sensorIntegerProperty OBJECT-TYPE +-- SYNTAX INTEGER { intake(1), exhaust(2), floor(3) } +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Sensor's Property." +-- ::= { sensorIntegerValueEntry 5 } + +-- Device Control End + +-- Outlet Control +outletValueTable OBJECT-TYPE + SYNTAX SEQUENCE OF OutletValueEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Display total outlet value table" + ::= { outlet 1 } + +outletValueEntry OBJECT-TYPE + SYNTAX OutletValueEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Single outletValue entry containing outlet info." 
+ INDEX { outletValueIndex } + ::= { outletValueTable 1 } + +OutletValueEntry ::= + SEQUENCE { + outletValueIndex + INTEGER, + outletCurrent + DisplayString, + outletVoltage + DisplayString, + outletPower + DisplayString, + outletPowerDissipation + DisplayString, + outletMaxCurrent + INTEGER, + outletPowerFactor + DisplayString + } + +outletValueIndex OBJECT-TYPE + SYNTAX INTEGER (1..30) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of outlet number" + ::= { outletValueEntry 1 } +outletCurrent OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Outlet electric current value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { outletValueEntry 2 } +outletVoltage OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Outlet voltage value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { outletValueEntry 3 } +outletPower OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Outlet power value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { outletValueEntry 4 } +outletPowerDissipation OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Outlet power dissipation value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { outletValueEntry 5 } + +outletMaxCurrent OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Outlet Max Current value. unit: (A). + If the device does not support this OID, we show value 0. 
+ " + ::= { outletValueEntry 6 } + +outletPowerFactor OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Outlet Power Factor value. + If the device does not support this OID, it returns: not-support." + ::= { outletValueEntry 7 } + +outlet1Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 1 status. Can't set pending status." + ::= { outlet 2 } + +outlet2Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 2 status. Can't set pending status." + ::= { outlet 3 } +outlet3Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 3 status. Can't set pending status." + ::= { outlet 4 } +outlet4Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 4 status. Can't set pending status." + ::= { outlet 5 } +outlet5Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 5 status. Can't set pending status." + ::= { outlet 6 } +outlet6Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 6 status. Can't set pending status." 
+ ::= { outlet 7 } +outlet7Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 7 status. Can't set pending status." + ::= { outlet 8 } +outlet8Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 8 status. Can't set pending status." + ::= { outlet 9 } + +outlet9Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 9 status. Can't set pending status." + ::= { outlet 11 } + +outlet10Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 10 status. Can't set pending status." + ::= { outlet 12 } + +outlet11Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 11 status. Can't set pending status." + ::= { outlet 13 } + +outlet12Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 12 status. Can't set pending status." + ::= { outlet 14 } + +outlet13Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 13 status. Can't set pending status." 
+ ::= { outlet 15 } + +outlet14Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 14 status. Can't set pending status." + ::= { outlet 16 } + +outlet15Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 15 status. Can't set pending status." + ::= { outlet 17 } + +outlet16Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 16 status. Can't set pending status." + ::= { outlet 18 } + +outlet17Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 17 status. Can't set pending status." + ::= { outlet 19 } + +outlet18Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 18 status. Can't set pending status." + ::= { outlet 20 } + +outlet19Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 19 status. Can't set pending status." + ::= { outlet 21 } + +outlet20Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 20 status. Can't set pending status." 
+ ::= { outlet 22 } + +outlet21Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 21 status. Can't set pending status." + ::= { outlet 23 } + +outlet22Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 22 status. Can't set pending status." + ::= { outlet 24 } + +outlet23Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 23 status. Can't set pending status." + ::= { outlet 25 } + +outlet24Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 24 status. Can't set pending status." + ::= { outlet 26 } + +outlet25Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 25 status. Can't set pending status." + ::= { outlet 27 } + +outlet26Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 26 status. Can't set pending status." + ::= { outlet 28 } + +outlet27Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 27 status. Can't set pending status." 
+ ::= { outlet 29 } + +outlet28Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 28 status. Can't set pending status." + ::= { outlet 30 } + +outlet29Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 29 status. Can't set pending status." + ::= { outlet 31 } + +outlet30Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 30 status. Can't set pending status." + ::= { outlet 32 } + +outlet31Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 31 status. Can't set pending status." + ::= { outlet 33 } + +outlet32Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 32 status. Can't set pending status." + ::= { outlet 34 } + +outlet33Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 33 status. Can't set pending status." + ::= { outlet 35 } + + +outlet34Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 34 status. Can't set pending status." 
+ ::= { outlet 36 } + +outlet35Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 35 status. Can't set pending status." + ::= { outlet 37 } + +outlet36Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 36 status. Can't set pending status." + ::= { outlet 38 } + +outlet37Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 37 status. Can't set pending status." + ::= { outlet 39 } + +outlet38Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 38 status. Can't set pending status." + ::= { outlet 40 } + +outlet39Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 39 status. Can't set pending status." + ::= { outlet 41 } + +outlet40Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 40 status. Can't set pending status." + ::= { outlet 42 } + +outlet41Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 41 status. Can't set pending status." 
+ ::= { outlet 43 } + +outlet42Status OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), pending(3), reboot(4), fault(5), noauth(6), not-support(7), pop(8)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display and control outlet 42 status. Can't set pending status." + ::= { outlet 44 } + +-- + +outletSwitchableTable OBJECT-TYPE + SYNTAX SEQUENCE OF OutletSwitchableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + " + " + ::= { outlet 70 } + +outletSwitchableEntry OBJECT-TYPE + SYNTAX OutletSwitchableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "" + INDEX { outletSwitchableIndex } + ::= { outletSwitchableTable 1 } + + OutletSwitchableEntry ::= + SEQUENCE { + outletSwitchableIndex + INTEGER, + outletSwitchable + INTEGER + + } + +outletSwitchableIndex OBJECT-TYPE + SYNTAX INTEGER (1..30) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of outlet number. + " + ::= { outletSwitchableEntry 1 } + +outletSwitchable OBJECT-TYPE + SYNTAX INTEGER {no(1), yes(2) } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " + " + ::= { outletSwitchableEntry 2 } + + +--outlet integer value + +--outletIntegerValueTable OBJECT-TYPE +-- SYNTAX SEQUENCE OF OutletIntegerValueEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "Display total outlet value table" +-- ::= { outlet 99 } + +--outletIntegerValueEntry OBJECT-TYPE +-- SYNTAX OutletIntegerValueEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "Single outletValue entry containing outlet info." 
+-- INDEX { outletIntegerValueIndex } +-- ::= { outletIntegerValueTable 1 } + +--OutletIntegerValueEntry ::= +-- SEQUENCE { +-- outletIntegerValueIndex +-- INTEGER, +-- outletIntegerCurrent +-- INTEGER, +-- outletIntegerVoltage +-- INTEGER, +-- outletIntegerPower +-- INTEGER, +-- outletIntegerPowerDissipation +-- INTEGER +-- } + +--outletIntegerValueIndex OBJECT-TYPE +-- SYNTAX INTEGER (1..30) +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Index of outlet number. +-- " +-- ::= { outletIntegerValueEntry 1 } + +--outletIntegerCurrent OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Outlet electric current value. +-- This value indicates that 1,000 times. +-- " +-- ::= { outletIntegerValueEntry 2 } + +--outletIntegerVoltage OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Outlet voltage value. +-- This value indicates that 1,000 times. +-- " +-- ::= { outletIntegerValueEntry 3 } + +--outletIntegerPower OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Outlet power value. +-- This value indicates that 1,000 times." +-- ::= { outletIntegerValueEntry 4 } + +--outletIntegerPowerDissipation OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "Outlet power dissipation value. +-- This value indicates that 1,000 times." +-- ::= { outletIntegerValueEntry 5 } + + + + + +outletConfigTable OBJECT-TYPE + SYNTAX SEQUENCE OF OutletConfigEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Outlet configuration table" + ::= { outlet 10 } + +outletConfigEntry OBJECT-TYPE + SYNTAX OutletConfigEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Outlet Config entry containing outlet info." 
+ INDEX { outletConfigIndex } + ::= { outletConfigTable 1 } + +OutletConfigEntry ::= + SEQUENCE { + outletConfigIndex + INTEGER, + outletName + DisplayString, + outletConfirmation + INTEGER, + outletOnDelayTime + INTEGER, + outletOffDelayTime + INTEGER, + outletShutdownMethod + INTEGER, + outletMAC + DisplayString, + outletMinCurMT + INTEGER, + outletMaxCurMT + INTEGER, + outletMinVolMT + INTEGER, + outletMaxVolMT + INTEGER, + outletMinPMT + INTEGER, + outletMaxPMT + INTEGER, + outletMaxPDMT + INTEGER, + outletLocalAccessLock + INTEGER +-- outletAlwaysON +-- INTEGER + } + +outletConfigIndex OBJECT-TYPE + SYNTAX INTEGER (1..30) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of outlet number" + ::= { outletConfigEntry 1 } +outletName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the name of outlet. + If the device does not support this OID, we show n/a. + string length: 0~48 + NOTE: Input string as /empty to set this object to NULL. + " + ::= { outletConfigEntry 2 } +outletConfirmation OBJECT-TYPE + SYNTAX INTEGER { no(1), yes(2) , noauth(3), not-support(4)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the confirmation of outlet." + ::= { outletConfigEntry 3 } +outletOnDelayTime OBJECT-TYPE + SYNTAX INTEGER (0..999 | -1) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the ON delay time of outlet. + When this model does not support the OID, we show value -1. " + ::= { outletConfigEntry 4 } +outletOffDelayTime OBJECT-TYPE + SYNTAX INTEGER (0..999 | -1) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the OFF delay time of outlet. + When this model does not support the OID, we show value -1. 
" + ::= { outletConfigEntry 5 } +outletShutdownMethod OBJECT-TYPE + SYNTAX INTEGER { kill-the-power(1), wake-on-lan(2), after-ac-back(3), not-support(4)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the shutdown mehtod of outlet." + ::= { outletConfigEntry 6 } +outletMAC OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the MAC address of ShutdownMethod. + If the device does not support this OID, we show n/a. + string length: 12 + " + ::= { outletConfigEntry 7 } +outletMinCurMT OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet minimum electric current measurment threshold. + Example: range 0.0 ~16.0 rerpresnts 0~160 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { outletConfigEntry 8 } +outletMaxCurMT OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet maximum electric current measurment threshold. + Example: range 0.0 ~16.0 represents 0~160 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { outletConfigEntry 9 } + +outletMinVolMT OBJECT-TYPE + SYNTAX INTEGER (900..2600 | -3000 | -2000000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet minimum voltage measurment threshold. + Example: range 90.0 ~260.0 represents 900~2600 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." 
+ ::= { outletConfigEntry 10 } +outletMaxVolMT OBJECT-TYPE + SYNTAX INTEGER (900..2600 | -3000 | -2000000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet maximum voltage measurment threshold. + Example: range 90.0 ~260.0 represents 900~2600 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { outletConfigEntry 11 } + +outletMinPMT OBJECT-TYPE + SYNTAX INTEGER (0..99999 | -3000 | -2000000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet minimum power measurment threshold. + Example: range 0.0 ~ 9999.9 represents 0~99999 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { outletConfigEntry 12 } +outletMaxPMT OBJECT-TYPE + SYNTAX INTEGER (0..99999 | -3000 | -2000000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet maximum power measurment threshold. + Example: range 0.0 ~ 9999.9 represents 0~99999 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { outletConfigEntry 13 } + +outletMaxPDMT OBJECT-TYPE + SYNTAX INTEGER (0..999990 | -3000 | -2000000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet maximum power dissipation measurment threshold. + Example: range 0.0 ~ 99999.0 represents 0~999990 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." 
+ ::= { outletConfigEntry 14 } + +outletLocalAccessLock OBJECT-TYPE + SYNTAX INTEGER {unlocked(1), locked(2), not-support(3)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Whether local access of Outlet is locked by remote or not." + ::= { outletConfigEntry 15} + +--outletAlwaysON OBJECT-TYPE +-- SYNTAX INTEGER {no(1), yes(2), not-support(3)} +-- MAX-ACCESS read-write +-- STATUS current +-- DESCRIPTION +-- "Whether the outlet is always ON or not." +-- ::= { outletConfigEntry 16 } + +-- Outlet Control End +-- Bank control +breakerStatusTable OBJECT-TYPE + SYNTAX SEQUENCE OF BreakerStatusEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Display total bank value table" + ::= { bank 1 } + +breakerStatusEntry OBJECT-TYPE + SYNTAX BreakerStatusEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Single bankValue entry containing bank info." + INDEX { breakerStatusIndex } + ::= { breakerStatusTable 1 } + +BreakerStatusEntry ::= + SEQUENCE { + breakerStatusIndex + INTEGER, + breakerStatus + INTEGER + } + +breakerStatusIndex OBJECT-TYPE + SYNTAX INTEGER (1..30) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of breaker number." + ::= { breakerStatusEntry 1 } + +breakerStatus OBJECT-TYPE + SYNTAX INTEGER { off(1), on(2), not-support(3)} + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Breaker status." + ::= { breakerStatusEntry 2 } + + +bankValueTable OBJECT-TYPE + SYNTAX SEQUENCE OF BankValueEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Display total bank value table" + ::= { bank 2 } + +bankValueEntry OBJECT-TYPE + SYNTAX BankValueEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Single bankValue entry containing bank info." 
+ INDEX { bankValueIndex } + ::= { bankValueTable 1 } + +BankValueEntry ::= + SEQUENCE { + bankValueIndex + INTEGER, + bankCurrent + DisplayString, + bankVoltage + DisplayString, + bankPower + DisplayString, + bankPowerDissipation + DisplayString, + bankMaxCurrent + INTEGER, + bankAttachStatus + INTEGER, + bankPowerFactor + DisplayString + } + +bankValueIndex OBJECT-TYPE + SYNTAX INTEGER (1..30) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of bank number" + ::= { bankValueEntry 1 } +bankCurrent OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Bank electric current value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { bankValueEntry 2 } +bankVoltage OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Bank voltage value. + We put this OID to write access type for user to set the reference voltage on EC1000 model. + And the setting should be the numbers. You can set 0 to clear the setting. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { bankValueEntry 3 } + +bankPower OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Bank power value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { bankValueEntry 4 } + +bankPowerDissipation OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Bank power dissipation value. + If this measurement value is not available, it returns: N/A. + If the device does not support this OID, it returns: not-support." + ::= { bankValueEntry 5 } + + +bankMaxCurrent OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The Bank Max Current value. 
unit: (A) + EC1000:0A~320A + " + ::= { bankValueEntry 6 } + +bankAttachStatus OBJECT-TYPE + SYNTAX INTEGER { noattached(1), attached(2), error(3), noexisted(4) } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The status of Energy sensor Bank attached status." + ::= { bankValueEntry 7 } + +bankPowerFactor OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Bank Power Factor value. + If the device does not support this OID, it returns: not-support." + ::= { bankValueEntry 8 } + +bankConfigTable OBJECT-TYPE + SYNTAX SEQUENCE OF BankConfigEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Bank configuration table" + ::= { bank 3 } + +bankConfigEntry OBJECT-TYPE + SYNTAX BankConfigEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Bank Config entry containing Bank info." + INDEX { bankConfigIndex } + ::= { bankConfigTable 1 } + +BankConfigEntry ::= + SEQUENCE { + bankConfigIndex + INTEGER, + bankName + DisplayString, + bankMinCurMT + INTEGER, + bankMaxCurMT + INTEGER, + + bankMinVolMT + INTEGER, + bankMaxVolMT + INTEGER, + + bankMinPMT + INTEGER, + bankMaxPMT + INTEGER, + --outletMinPDMT + --INTEGER, + bankMaxPDMT + INTEGER + --outletCurFlu + --INTEGER, + --outletVolFlu + --INTEGER, + --outletPFlu + --INTEGER + --outletPDFlu + --INTEGER + } + +bankConfigIndex OBJECT-TYPE + SYNTAX INTEGER (1..30) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Index of bank number" + ::= { bankConfigEntry 1 } + +bankName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the name of bank. + When this model does not support the OID, we show n/a. + string length: 0~15 + NOTE: Input string as /empty to set this object to NULL. + " + ::= { bankConfigEntry 2 } + + +bankMinCurMT OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet minimum electric current measurment threshold. 
+ Example: range 0.0 ~16.0 rerpresnts 0~160 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { bankConfigEntry 3 } + +bankMaxCurMT OBJECT-TYPE + SYNTAX INTEGER + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet maximum electric current measurment threshold. + Example: range 0.0 ~16.0 represents 0~160 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { bankConfigEntry 4} + +bankMinVolMT OBJECT-TYPE + SYNTAX INTEGER (900..2600 | -3000 | -2000000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet minimum voltage measurment threshold. + Example: range 90.0 ~260.0 represents 900~2600 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { bankConfigEntry 5 } +bankMaxVolMT OBJECT-TYPE + SYNTAX INTEGER (900..2600 | -3000 | -2000000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet maximum voltage measurment threshold. + Example: range 90.0 ~260.0 represents 900~2600 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." + ::= { bankConfigEntry 6 } + +bankMinPMT OBJECT-TYPE + SYNTAX INTEGER (0..99999| -3000 | -2000000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Display or set the outlet minimum power measurment threshold. + Example: range 0.0 ~ 9999.9 represents 0~99999 + NOTICE: Minimum threshold should be smaller than maximum threshold. + Empty value: -3000. + If the device does not support this OID, it returns value -2000000." 
+ ::= { bankConfigEntry 7 }
+bankMaxPMT OBJECT-TYPE
+ SYNTAX INTEGER (0..99999 | -3000 | -2000000)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set the outlet maximum power measurment threshold.
+ Example: range 0.0 ~ 9999.9 represents 0~99999
+ NOTICE: Minimum threshold should be smaller than maximum threshold.
+ Empty value: -3000.
+ If the device does not support this OID, it returns value -2000000."
+ ::= { bankConfigEntry 8 }
+
+--outletMinPDMT OBJECT-TYPE
+ --SYNTAX INTEGER (0..100)
+ --MAX-ACCESS read-write
+ --STATUS current
+ --DESCRIPTION
+ -- "Display or set the outlet minimum power dissipation measurment threshold ."
+ --::= { outletConfigEntry 14 }
+
+bankMaxPDMT OBJECT-TYPE
+ SYNTAX INTEGER (0..999990 | -3000 | -2000000)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set the outlet maximum power dissipation measurment threshold.
+ Example: range 0.0 ~ 99999.0 represents 0~999990
+ NOTICE: Minimum threshold should be smaller than maximum threshold.
+ Empty value: -3000.
+ If the device does not support this OID, it returns value -2000000."
+ ::= { bankConfigEntry 9 }
+
+
+bankControlTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF BankControlEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Bank Control table"
+ ::= { bank 4 }
+
+bankControlEntry OBJECT-TYPE
+ SYNTAX BankControlEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Bank control entry."
+ INDEX { bankControlIndex }
+ ::= { bankControlTable 1 }
+
+BankControlEntry ::=
+ SEQUENCE {
+ bankControlIndex
+ INTEGER,
+ bankControlStatus
+ INTEGER
+ }
+
+bankControlIndex OBJECT-TYPE
+ SYNTAX INTEGER (1..4)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Index of bank number"
+ ::= { bankControlEntry 1 }
+
+bankControlStatus OBJECT-TYPE
+ SYNTAX INTEGER {off(1), on(2), reboot(3), nostatus(4), not-support(5)}
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ " This function is used for outlet control of bank.
+ Set off(1) to turn off for outlet control of bank.
+ Set on(2) to turn on for all outlet control of bank.
+ Set reboot(3) to turn on for outlet control of bank.
+ Get this object always return nostatus(3), because there is no bank status.
+ "
+ ::= { bankControlEntry 2 }
+
+-- Bank control End
+
+
+--bankIntegerValueTable OBJECT-TYPE
+-- SYNTAX SEQUENCE OF BankIntegerValueEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Display total bank value table"
+-- ::= { bank 99 }
+
+--bankIntegerValueEntry OBJECT-TYPE
+-- SYNTAX BankIntegerValueEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Single bankValue entry containing bank info."
+-- INDEX { bankIntegerValueIndex }
+-- ::= { bankIntegerValueTable 1 }
+
+--BankIntegerValueEntry ::=
+-- SEQUENCE {
+-- bankIntegerValueIndex
+-- INTEGER,
+-- bankIntegerCurrent
+-- INTEGER,
+-- bankIntegerVoltage
+-- INTEGER,
+-- bankIntegerPower
+-- INTEGER,
+-- bankIntegerPowerDissipation
+-- INTEGER
+ --bankIntegerMaxCurrent
+ -- INTEGER,
+ --bankIntegerAttachStatus
+ -- INTEGER,
+ --bankIntegerPowerFactor
+ --INTEGER
+-- }
+
+--bankIntegerValueIndex OBJECT-TYPE
+-- SYNTAX INTEGER (1..30)
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Index of bank number.
+-- "
+-- ::= { bankIntegerValueEntry 1 }
+
+--bankIntegerCurrent OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Bank electric current value.
+-- This value indicates that 1,000 times."
+-- ::= { bankIntegerValueEntry 2 }
+--bankIntegerVoltage OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Bank voltage value.
+-- This value indicates that 1,000 times."
+-- ::= { bankIntegerValueEntry 3 }
+
+--bankIntegerPower OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Bank power value.
+-- This value indicates that 1,000 times."
+-- ::= { bankIntegerValueEntry 4 }
+
+--bankIntegerPowerDissipation OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Bank power dissipation value.
+-- This value indicates that 1,000 times."
+-- ::= { bankIntegerValueEntry 5 }
+
+
+--bankMaxCurrent OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "The Bank Max Current value. unit: (A)
+-- EC1000:0A~320A
+-- "
+-- ::= { bankValueEntry 6 }
+
+--bankAttachStatus OBJECT-TYPE
+-- SYNTAX INTEGER { noattached(1), attached(2), error(3) }
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "The status of Energy sensor Bank attached status."
+-- ::= { bankValueEntry 7 }
+
+--bankPowerFactor OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Bank Power Factor value"
+-- ::= { bankValueEntry 8 }
+
+
+
+-- Device Management
+deviceMAC OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Display device MAC address."
+ ::= { config 1 }
+
+deviceIPv4 OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Display device IP address."
+ ::= { config 2 }
+
+deviceFWversion OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Display device FW version."
+ ::= { config 3 }
+
+-- dashboard settings
+dashboardRow OBJECT-TYPE
+ SYNTAX INTEGER (1..26)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set device's dashboard row number."
+ ::= { dashBoard 1 }
+
+dashboardColumn OBJECT-TYPE
+ SYNTAX INTEGER (1..26)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set device's dashboard column number."
+ ::= { dashBoard 2 }
+
+dashboardRackName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set device's dashboard rack name.
+ string length: 1~32
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { dashBoard 3 }
+
+httpPort OBJECT-TYPE
+ SYNTAX INTEGER (1..65535)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set the HTTP port of PE device."
+ ::= { servicePorts 1 }
+
+httpsPort OBJECT-TYPE
+ SYNTAX INTEGER (1..65535)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set the HTTPs port of PE device."
+ ::= { servicePorts 2 }
+
+httpsOnlyEnable OBJECT-TYPE
+ SYNTAX INTEGER {yes(1), no(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Enable to use Webpage HTTPs only or disable to use Webpage HTTP/HTTPs"
+ ::= { servicePorts 3 }
+
+
+
+staticIPEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set IPv4 address automatically or not"
+ ::= { ipv4config 1 }
+fixedIPv4 OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set fixed IPv4 address"
+ ::= { ipv4config 2 }
+subnetMask OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set subnet mask address"
+ ::= { ipv4config 3 }
+gateway OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set gateway address"
+ ::= { ipv4config 4 }
+staticDNSEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set DNS address automatically or not"
+ ::= { ipv4config 5 }
+dnsPreferIPv4 OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set prefer DNS address"
+ ::= { ipv4config 6 }
+dnsAlternateIPv4 OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set alternate DNS address"
+ ::= { ipv4config 7 }
+
+trapEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Indicates if this trap entry is enabled or not.
+ You should set the username/auth-password/priv-password first, when choosing snmpv3.
+ You should set the community string first, when choosing snmpv1/v2c."
+ ::= { devicesnmp 1 }
+
+trapVersion OBJECT-TYPE
+ SYNTAX INTEGER { v1(1), v2c(2), v3(3)}
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ " Choose SNMP Trap version to send trap.
+ You should set the username/auth-password/priv-password first, when choosing snmpv3.
+ You should set the community string first, when choosing snmpv1/v2c."
+ ::= { devicesnmp 2 }
+
+snmpTrapTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SnmpTrapEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "PE SNMP agent trap setup table. If users want to use trap,
+ they must set enable trap, ip and community first."
+ ::= { devicesnmp 3 }
+
+snmpTrapEntry OBJECT-TYPE
+ SYNTAX SnmpTrapEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Single trap entry containing trap receiver info."
+ INDEX { trapReceiverNumber }
+ ::= { snmpTrapTable 1 }
+
+SnmpTrapEntry ::=
+ SEQUENCE {
+ trapReceiverNumber
+ INTEGER,
+ --trapEnabled
+ --INTEGER,
+ trapReceiverIPAddress
+ IpAddress,
+ --trapCommunity
+ --DisplayString,
+ trapPort
+ INTEGER,
+ trapCommunity
+ DisplayString,
+ trapUsername
+ DisplayString,
+ trapAuthpassword
+ DisplayString,
+ trapPrivpassword
+ DisplayString
+ }
+
+trapReceiverNumber OBJECT-TYPE
+ SYNTAX INTEGER (1..2)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Index of trap receiver"
+ ::= { snmpTrapEntry 1 }
+
+
+
+trapReceiverIPAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Trap receiver IP address"
+ ::= { snmpTrapEntry 2 }
+
+
+trapPort OBJECT-TYPE
+ SYNTAX INTEGER (1..65535)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "NMS trap port to be used by agent to send trap"
+ ::= { snmpTrapEntry 3 }
+
+trapCommunity OBJECT-TYPE
+ SYNTAX DisplayString (SIZE (0..20))
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "If use SNMPv1/v2c to receive trap should set this Community string.
+ MAX string length: 20
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { snmpTrapEntry 4 }
+trapUsername OBJECT-TYPE
+ SYNTAX DisplayString (SIZE (0..20))
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "If use SNMPv3 to receive trap should set this string.
+ NOTE: Input string as /empty to set this object to NULL.
+ MAX string length: 20
+ "
+ ::= { snmpTrapEntry 5 }
+trapAuthpassword OBJECT-TYPE
+ SYNTAX DisplayString (SIZE (8..20))
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "If use SNMPv3 to receive trap should set this string.
+ MAX string length: 20
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { snmpTrapEntry 6 }
+trapPrivpassword OBJECT-TYPE
+ SYNTAX DisplayString (SIZE (8..20))
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "If use SNMPv3 to receive trap should set this string.
+ MAX string length: 20
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { snmpTrapEntry 7 }
+
+
+--privacypassword OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "SNMPv3 privacy password to be used by agent to send trap
+-- string length: 8~20
+-- "
+-- ::= { devicesnmp 4 }
+
+--engineID OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "EngineID"
+-- ::= { devicesnmp 5 }
+--engineBoot OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "EngineBoot"
+-- ::= { devicesnmp 6 }
+--engineTime OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "EngineTime"
+-- ::= { devicesnmp 7 }
+--engineMaxMSG OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "EngineMaxMSG"
+-- ::= { devicesnmp 8 }
+sysLogServerEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set syslog server address automatically or not"
+ ::= { syslog 1 }
+sysLogServerIPv4 OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set syslog server address"
+ ::= { syslog 2 }
+sysLogServerPort OBJECT-TYPE
+ SYNTAX INTEGER (1..65535)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set syslog server port"
+ ::= { syslog 3 }
+
+smtpServerEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set SMTP server enable status."
+ ::= { smtp 1 }
+smtpServerName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set a SMTP server name.
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { smtp 2 }
+smtpAuthEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set authentication of SMTP server."
+ ::= { smtp 3 }
+smtpAccountName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set a user's name of SMTP server.
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { smtp 4 }
+smtpAccountPwd OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set a user's password of SMTP server.
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { smtp 5 }
+smtpMailFrom OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set a mail of SMTP server.
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { smtp 6 }
+smtpMailTo OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set a mail of SMTP server.
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { smtp 7 }
+smtpPort OBJECT-TYPE
+ SYNTAX INTEGER (1..65535)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set SMTP server port"
+ ::= { smtp 8 }
+
+--
+
+configurationNotifyEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ " "
+ ::= { configurationNotification 1 }
+
+configurationNotifyTrapMSG NOTIFICATION-TYPE
+ STATUS current
+ --OBJECTS { customTrapMSG }
+ DESCRIPTION " "
+ ::= { configurationNotification 2 }
+
+
+--
+timeZoneSetting OBJECT-TYPE
+ SYNTAX INTEGER
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set the time zone of PE device.
+ (0) [GMT-12:00] Eniwetok Kwajalein
+ (1) [GMT-11:00] Midway Island Samoa
+ (2) [GMT-10:00] Hawaii
+ (3) [GMT-09:00] Alaska
+ (4) [GMT-08:00] Pacific Time (US & Canada); Tijuana
+ (5) [GMT-07:00] Mountain Time (US & Canada)
+ (6) [GMT-07:00] Arizona
+ (7) [GMT-06:00] Central Time (US & Canada)
+ (8) [GMT-06:00] Mexico City
+ (9) [GMT-06:00] Saskatchewan
+ (10)[GMT-06:00] Central America
+ (11)[GMT-05:00] Eastern Time (US & Canada)
+ (12)[GMT-05:00] Indiana (East)
+ (13)[GMT-05:00] Bogota Lima Quito
+ (14)[GMT-04:00] Atlantic Time (Canada)
+ (15)[GMT-04:00] Caracas La Paz
+ (16)[GMT-04:00] Santiago
+ (17)[GMT-03:30] Newfoundland
+ (18)[GMT-03:00] Buenos Aires Georgetown
+ (19)[GMT-03:00] Brasilia
+ (20)[GMT-03:00] Greenland
+ (21)[GMT-02:00] Mid-Atlantic
+ (22)[GMT-01:00] Azores
+ (23)[GMT-01:00] Cape Verde Is
+ (24)[GMT] Casablanca Monrovia
+ (25)[GMT] Greenwich Mean Time: Dublin Edinburgh Lisbon London
+ (26)[GMT+01:00] Amsterdam Copenhagen Madrid Paris Vilnius
+ (27)[GMT+01:00] West Central Africa
+ (28)[GMT+01:00] Belgrade Sarajevo Skopje Sofija Zagreb
+ (29)[GMT+01:00] Bratislava Budapest Ljubljana Prague Warsaw
+ (30)[GMT+01:00] Brussels Berlin Bern Rome Stockholm Vienna
+ (31)[GMT+02:00] Cairo
+ (32)[GMT+02:00] Harare Pretoria
+ (33)[GMT+02:00] Jerusalem
+ (34)[GMT+02:00] Bucharest
+ (35)[GMT+02:00] Helsinki Riga Tallinn
+ (36)[GMT+02:00] Athens Istanbul Minsk
+ (37)[GMT+03:00] Kuwait Riyadh
+ (38)[GMT+03:00] Nairobi
+ (39)[GMT+03:00] Baghdad
+ (40)[GMT+03:00] Moscow St. Petersburg Volgograd
+ (41)[GMT+03:30] Tehran
+ (42)[GMT+04:00] Abu Dhabi Muscat
+ (43)[GMT+04:00] Baku Tbilisi Yerevan
+ (44)[GMT+04:30] Kabul
+ (45)[GMT+05:00] Islamabad Karachi Tashkent
+ (46)[GMT+05:00] Ekaterinburg
+ (47)[GMT+05:30] Calcutta Chennai Mumbai New Delhi
+ (48)[GMT+05:45] Kathmandu
+ (49)[GMT+06:00] Astana Dhaka
+ (50)[GMT+06:00] Sri Jayawardenepura
+ (51)[GMT+06:00] Almaty Novosibirsk
+ (52)[GMT+06:30] Rangoon
+ (53)[GMT+07:00] Bangkok Hanoi Jakarta
+ (54)[GMT+07:00] Krasnoyarsk
+ (55)[GMT+08:00] Beijing Chongqing Hong Kong Urumqi
+ (56)[GMT+08:00] Perth
+ (57)[GMT+08:00] Kuala Lumpur Singapore
+ (58)[GMT+08:00] Taipei
+ (59)[GMT+08:00] Irkutsk Ulaan Bataar
+ (60)[GMT+09:00] Osaka Sapporo Tokyo
+ (61)[GMT+09:00] Seoul
+ (62)[GMT+09:00] Yakutsk
+ (63)[GMT+09:30] Darwin
+ (64)[GMT+09:30] Adelaide
+ (65)[GMT+10:00] Canberra Melbourne Sydney
+ (66)[GMT+10:00] Brisbane
+ (67)[GMT+10:00] Guam Port Moresby
+ (68)[GMT+10:00] Hobart
+ (69)[GMT+10:00] Vladivostok
+ (70)[GMT+11:00] Magadan Solomon Is New Caledonia
+ (71)[GMT+12:00] Fiji Kamchatka Marshall Is.
+ (72)[GMT+12:00] Auckland Wellington
+ (73)[GMT+13:00] Nuku'alofa
+ "
+ ::= { timeZone 1 }
+
+dstEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set daylight savings time ."
+ ::= { timeZone 2 }
+
+dateSetting OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set date in a manual way.(This is Greenwich Mean Time, GMT)
+ string length: 10
+ This value format must match the following form:
+ YYYY-MM-DD
+ ex. 2011-01-01
+ Note: range of year: 2000-2099
+ range of month: 01-12
+ range of day: 01-31
+ "
+ ::= { manualInput 1 }
+
+timeSetting OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set time in a manual way.(This is Greenwich Mean Time, GMT)
+ string length: 8
+ This value format must match the following form:
+ HH:MM:SS
+ ex. 02:02:02
+ Note: range of hour: 00-24
+ range of minute: 00-60
+ range of second: 00-60
+
+ "
+ ::= { manualInput 2 }
+
+--syncWithPC OBJECT-TYPE
+-- SYNTAX INTEGER { no(1), yes(2) }
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "Display or set date time useing sync PC way."
+-- ::= { manualInput 3 }
+
+autoAdjustEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set date time useing auto adjustment way."
+ ::= { networkTime 1 }
+
+preferNTP OBJECT-TYPE
+ SYNTAX INTEGER
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set prefer NTP server.
+ AU | ntp1.cs.mu.OZ.AU(0),
+ AU | ntp0.cs.mu.OZ.AU(1),
+ BE | ntp2.oma.be(2),
+ BE | ntp1.oma.be(3),
+ BR | ntps1.pads.ufrj.br(4),
+ CH | swisstime.ethz.ch(5),
+ CL | ntp.shoa.cl(6),
+ CZ | ntp.nic.cz(7),
+ DE | ntp.stairweb.de(8),
+ DE | ntps1-0.cs.tu-berlin.de(9),
+ DE | ptbtime1.ptb.de(10),
+ DE | ntp1.fau.de(11),
+ DE | ptbtime2.ptb.de(12),
+ DE | time1.one4vision.de(13),
+ DE | rustime01.rus.uni-stuttgart.de(14),
+ DE | ntp.probe-networks.de(15),
+ DE | ntp2.fau.de(16),
+ ES | hora.roa.es(17),
+ HK | stdtime.gov.hk(18),
+ IE | ntp-galway.hea.net(19),
+ IT | ntp1.inrim.it(20),
+ IT | ntp2.inrim.it(21),
+ JP | clock.tl.fukuoka-u.ac.jp(22),
+ JP | ntp.nict.jp(23),
+ JP | clock.nc.fukuoka-u.ac.jp(24),
+ KR | ntp.xbsd.kr(25),
+ MX | cronos.cenam.mx(26),
+ NL | ntp0.nl.uu.net(27),
+ NL | ntp1.nl.uu.net(28),
+ NL | ntp.remco.org(29),
+ NL | ntp0.nl.net(30),
+ PL | vega.cbk.poznan.pl(31),
+ PL | ntp.ntp-servers.com(32),
+ RO | ntp3.usv.ro(33),
+ RO | ntp2.usv.ro(34),
+ RU | ntp1.vniiftri.ru; ntp1.imvp.ru(35),
+ RU | ntp2.vniiftri.ru; ntp2.imvp.ru(36),
+ SE | ntp1.mmo.netnod.se(37),
+ SE | ntp1.sth.netnod.se(38),
+ SE | ntp2.mmo.netnod.se(39),
+ SE | ntp2.sth.netnod.se(40),
+ SE | time2.stupi.se(41),
+ SE | ntp1.sp.se(42),
+ SE | timehost.lysator.liu.se(43),
+ SI | ntp.mostovna.com(44),
+ US CA | timekeeper.isi.edu(45),
+ US CA | clock.sjc.he.net(46),
+ US CA | nist1.symmetricom.com(47),
+ US CA | clock.via.net(48),
+ US CA | nist1.aol-ca.truetime.com(49),
+ US CA | clock.isc.org(50),
+ US CA | clepsydra.dec.com(51),
+ US CA | gps.layer42.net(52),
+ US CA | time.no-such-agency.net(53),
+ US CA | nist1-sj.WiTime.net(54),
+ US CA | clock.fmt.he.net(55),
+ US CO | time-b.timefreq.bldrdoc.gov(56),
+ US CO | time-a.timefreq.bldrdoc.gov(57),
+ US CO | utcnist.colorado.edu(58),
+ US CO | time-c.timefreq.bldrdoc.gov(59),
+ US DE | rackety.udel.edu(60),
+ US DE | mizbeaver.udel.edu(61),
+ US GA | nist1.columbiacountyga.gov(62),
+ US IL | ntp.your.org(63),
+ US MA | bonehed.lcs.mit.edu(64),
+ US MA | time.keneli.org(65),
+ US MA | ntp0.broad.mit.edu(66),
+ US MD | time-a.nist.gov(67),
+ US MD | time-b.nist.gov(68),
+ US MI | nist.netservicesgroup.com(69),
+ US NY | nist1-ny.WiTime.net(70),
+ US NY | clock.nyc.he.net(71),
+ US UT | time.xmission.com(72),
+ US VA | nist1-dc.WiTime.net(73),
+ US VA | nist1.aol-va.truetime.com(74),
+ US WA | time-nw.nist.gov(75),
+ FR | utp.univ-lyon1.fr(76),
+ FR | ntp-sop.inria.fr(77),
+ FR | ntp.tuxfamily.net(78),
+ UK | bear.zoo.bt.co.uk(79)
+ "
+ ::= { networkTime 2 }
+
+preferServerIPenable OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Enable or disable prefer custom server IP."
+ ::= { networkTime 3 }
+
+preferNTPIp OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set prefer NTP server IP."
+ ::= { networkTime 4 }
+
+alternateNtpEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set date time using alternate NTP server."
+ ::= { networkTime 5 }
+
+alternateNtp OBJECT-TYPE
+ SYNTAX INTEGER
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set alternative NTP server.
+ AU | ntp1.cs.mu.OZ.AU(0),
+ AU | ntp0.cs.mu.OZ.AU(1),
+ BE | ntp2.oma.be(2),
+ BE | ntp1.oma.be(3),
+ BR | ntps1.pads.ufrj.br(4),
+ CH | swisstime.ethz.ch(5),
+ CL | ntp.shoa.cl(6),
+ CZ | ntp.nic.cz(7),
+ DE | ntp.stairweb.de(8),
+ DE | ntps1-0.cs.tu-berlin.de(9),
+ DE | ptbtime1.ptb.de(10),
+ DE | ntp1.fau.de(11),
+ DE | ptbtime2.ptb.de(12),
+ DE | time1.one4vision.de(13),
+ DE | rustime01.rus.uni-stuttgart.de(14),
+ DE | ntp.probe-networks.de(15),
+ DE | ntp2.fau.de(16),
+ ES | hora.roa.es(17),
+ HK | stdtime.gov.hk(18),
+ IE | ntp-galway.hea.net(19),
+ IT | ntp1.inrim.it(20),
+ IT | ntp2.inrim.it(21),
+ JP | clock.tl.fukuoka-u.ac.jp(22),
+ JP | ntp.nict.jp(23),
+ JP | clock.nc.fukuoka-u.ac.jp(24),
+ KR | ntp.xbsd.kr(25),
+ MX | cronos.cenam.mx(26),
+ NL | ntp0.nl.uu.net(27),
+ NL | ntp1.nl.uu.net(28),
+ NL | ntp.remco.org(29),
+ NL | ntp0.nl.net(30),
+ PL | vega.cbk.poznan.pl(31),
+ PL | ntp.ntp-servers.com(32),
+ RO | ntp3.usv.ro(33),
+ RO | ntp2.usv.ro(34),
+ RU | ntp1.vniiftri.ru; ntp1.imvp.ru(35),
+ RU | ntp2.vniiftri.ru; ntp2.imvp.ru(36),
+ SE | ntp1.mmo.netnod.se(37),
+ SE | ntp1.sth.netnod.se(38),
+ SE | ntp2.mmo.netnod.se(39),
+ SE | ntp2.sth.netnod.se(40),
+ SE | time2.stupi.se(41),
+ SE | ntp1.sp.se(42),
+ SE | timehost.lysator.liu.se(43),
+ SI | ntp.mostovna.com(44),
+ US CA | timekeeper.isi.edu(45),
+ US CA | clock.sjc.he.net(46),
+ US CA | nist1.symmetricom.com(47),
+ US CA | clock.via.net(48),
+ US CA | nist1.aol-ca.truetime.com(49),
+ US CA | clock.isc.org(50),
+ US CA | clepsydra.dec.com(51),
+ US CA | gps.layer42.net(52),
+ US CA | time.no-such-agency.net(53),
+ US CA | nist1-sj.WiTime.net(54),
+ US CA | clock.fmt.he.net(55),
+ US CO | time-b.timefreq.bldrdoc.gov(56),
+ US CO | time-a.timefreq.bldrdoc.gov(57),
+ US CO | utcnist.colorado.edu(58),
+ US CO | time-c.timefreq.bldrdoc.gov(59),
+ US DE | rackety.udel.edu(60),
+ US DE | mizbeaver.udel.edu(61),
+ US GA | nist1.columbiacountyga.gov(62),
+ US IL | ntp.your.org(63),
+ US MA | bonehed.lcs.mit.edu(64),
+ US MA | time.keneli.org(65),
+ US MA | ntp0.broad.mit.edu(66),
+ US MD | time-a.nist.gov(67),
+ US MD | time-b.nist.gov(68),
+ US MI | nist.netservicesgroup.com(69),
+ US NY | nist1-ny.WiTime.net(70),
+ US NY | clock.nyc.he.net(71),
+ US UT | time.xmission.com(72),
+ US VA | nist1-dc.WiTime.net(73),
+ US VA | nist1.aol-va.truetime.com(74),
+ US WA | time-nw.nist.gov(75),
+ FR | utp.univ-lyon1.fr(76),
+ FR | ntp-sop.inria.fr(77),
+ FR | ntp.tuxfamily.net(78),
+ UK | bear.zoo.bt.co.uk(79)
+ "
+ ::= { networkTime 6 }
+
+alternateServerIPenable OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Enable or disable alternate custom server IP."
+ ::= { networkTime 7 }
+
+alternateNtpIp OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set alternative NTP server IP."
+ ::= { networkTime 8 }
+
+adjustTimeEveryDays OBJECT-TYPE
+ SYNTAX INTEGER
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set frequency of adjustment in days."
+ ::= { networkTime 9 }
+
+--adjustTimeNow OBJECT-TYPE
+ --SYNTAX INTEGER { no(1), yes(2) }
+ --MAX-ACCESS read-write
+ --STATUS current
+ --DESCRIPTION
+ -- "Adjust time using NTP server."
+ --::= { networkTime 8 }
+
+loginAllowTimes OBJECT-TYPE
+ SYNTAX INTEGER (1..99)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set time of login faliure."
+ ::= { loginFailures 1 }
+
+loginTimeOut OBJECT-TYPE
+ SYNTAX INTEGER (1..240)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set login time out."
+ ::= { loginFailures 2 }
+
+icmpEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set status of ICMP."
+ ::= { workingMode 1 }
+
+--multiUserEnabled OBJECT-TYPE
+ --SYNTAX INTEGER { no(1), yes(2) }
+ --MAX-ACCESS read-write
+ --STATUS current
+ --DESCRIPTION
+ -- "Display or set status of multi-user operation."
+ --::= { workingMode 2 }
+
+--browserEnabled OBJECT-TYPE
+ --SYNTAX INTEGER { no(1), yes(2) }
+ --MAX-ACCESS read-write
+ --STATUS current
+ --DESCRIPTION
+ -- "Display or set status of browser."
+ --::= { workingMode 3 }
+
+minUserNameLen OBJECT-TYPE
+ SYNTAX INTEGER (1..16)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set minimum length of user name."
+ ::= { accountPolicy 1 }
+
+minUserPwdLen OBJECT-TYPE
+ SYNTAX INTEGER (1..16)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set minimum length of user password.
+ "
+ ::= { accountPolicy 2 }
+
+upperCaseEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set one upper case rule in user password."
+ ::= { accountPolicy 3 }
+
+lowerCaseEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set one lower case rule in user password."
+ ::= { accountPolicy 4 }
+
+numberEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set one number rule in user password."
+ ::= { accountPolicy 5 }
+
+disableDuplicateLogin OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set status of disabled duplicate login rule."
+ ::= { accountPolicy 6 }
+
+loginString OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set a login string.
+ string length: 0~32
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { loginRestriction 1 }
+
+ipFilterEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set status of ip filter."
+ ::= { ipFilter 1 }
+
+ipFilterRule OBJECT-TYPE
+ SYNTAX INTEGER { include(1), exclude(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set status of ip filter rule."
+ ::= { ipFilter 2 }
+
+ipFilterTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF IpFilterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of restricted ip."
+ ::= { ipFilter 3 }
+
+ipFilterEntry OBJECT-TYPE
+ SYNTAX IpFilterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Status and parameter values for a PE's restricted IP."
+ INDEX { ipFilterIndex }
+ ::= { ipFilterTable 1 }
+
+IpFilterEntry ::=
+ SEQUENCE {
+ ipFilterIndex
+ INTEGER,
+ ipFilterFrom
+ IpAddress,
+ ipFilterTo
+ IpAddress
+ }
+
+ipFilterIndex OBJECT-TYPE
+ SYNTAX INTEGER (1..5)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of index for the ip filter.
+ "
+ ::= { ipFilterEntry 1 }
+
+ipFilterFrom OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "A set of restricted ip.
+ ex. 192.168.0.1
+
+ Note: Users must follow in order to set the ip address.
+ Note: To clear the settings to set the ip 0.0.0.0
+ "
+ ::= { ipFilterEntry 2 }
+
+ipFilterTo OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "A set of restricted ip.
+ ex. 192.168.0.255
+
+ Note: Users must follow in order to set the ip address.
+ Note: To clear the settings to set the ip 0.0.0.0
+ "
+ ::= { ipFilterEntry 3 }
+
+macFilterEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set status of mac filter."
+ ::= { macFilter 1 }
+
+macFilterRule OBJECT-TYPE
+ SYNTAX INTEGER { include(1), exclude(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set status of mac filter rule."
+ ::= { macFilter 2 }
+
+macFilterTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MacFilterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of restricted mac."
+ ::= { macFilter 3 }
+
+macFilterEntry OBJECT-TYPE
+ SYNTAX MacFilterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Status and parameter values for a PE's restricted MAC."
+ INDEX { macFilterIndex }
+ ::= { macFilterTable 1 }
+
+MacFilterEntry ::=
+ SEQUENCE {
+ macFilterIndex
+ INTEGER,
+ macFilterSet
+ DisplayString
+ }
+
+macFilterIndex OBJECT-TYPE
+ SYNTAX INTEGER (1..5)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of index for the mac filter.
+ "
+ ::= { macFilterEntry 1 }
+
+macFilterSet OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "A set of restricted mac.
+ string length: 12
+ ex. 004854655511
+
+ Note: Users must follow in order to set the MAC address.
+ Note: To clear the settings to set the MAC 000000000000
+ "
+ ::= { macFilterEntry 2 }
+
+--LocalAuth OBJECT-TYPE
+ --SYNTAX INTEGER { no(1), yes(2) }
+ --MAX-ACCESS read-write
+ --STATUS current
+ --DESCRIPTION
+ -- "Display or set status of disable local authentication."
+ --::= { authentication 1 }
+
+radiusEnabled OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set status of RADIUS server."
+ ::= { radius 1 }
+
+preferRadiusIp OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set prefer RADIUS server IP."
+ ::= { radius 2 }
+
+preferRadiusPort OBJECT-TYPE
+ SYNTAX INTEGER (1..65535)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set prefer RADIUS server port."
+ ::= { radius 3 }
+
+alternateRadiusIp OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set alternative RADIUS server IP."
+ ::= { radius 4 }
+
+alternateRadiusPort OBJECT-TYPE
+ SYNTAX INTEGER (1..65535)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set alternative RADIUS server port."
+ ::= { radius 5 }
+
+radiusTimeOut OBJECT-TYPE
+ SYNTAX INTEGER (1..60)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set time out of authentication using RADIUS server.
+ The unit is sec.
+ "
+ ::= { radius 6 }
+
+radiusRetry OBJECT-TYPE
+ SYNTAX INTEGER (0..10)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set retry times of authentication using RADIUS server."
+ ::= { radius 7 }
+
+radiusSecret OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set shared secret of RADIUS server.
+ string length: 6~15
+ At least 6 characters.
+ NOTE: Input string as /empty to set this object to NULL.
+ "
+ ::= { radius 8 }
+
+-- Device Management End
+
+-- User Management
+usrListTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF UsrListEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of user. The number of user is
+ given by the value of usrcfgNumber."
+ ::= { userManagement 1 }
+
+usrListEntry OBJECT-TYPE
+ SYNTAX UsrListEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Status and parameter values for a pe8208 user."
+ INDEX { usrIndex }
+ ::= { usrListTable 1 }
+
+UsrListEntry ::=
+ SEQUENCE {
+ usrIndex
+ INTEGER,
+ usrType
+ INTEGER,
+ usrName
+ DisplayString,
+ usrPassword
+ DisplayString,
+ usrPort1Auth
+ INTEGER,
+ usrPort2Auth
+ INTEGER,
+ usrPort3Auth
+ INTEGER,
+ usrPort4Auth
+ INTEGER,
+ usrPort5Auth
+ INTEGER,
+ usrPort6Auth
+ INTEGER,
+ usrPort7Auth
+ INTEGER,
+ usrPort8Auth
+ INTEGER,
+
+ usrPort9Auth
+ INTEGER,
+ usrPort10Auth
+ INTEGER,
+ usrPort11Auth
+ INTEGER,
+ usrPort12Auth
+ INTEGER,
+ usrPort13Auth
+ INTEGER,
+ usrPort14Auth
+ INTEGER,
+ usrPort15Auth
+ INTEGER,
+ usrPort16Auth
+ INTEGER,
+ usrPort17Auth
+ INTEGER,
+ usrPort18Auth
+ INTEGER,
+ usrPort19Auth
+ INTEGER,
+ usrPort20Auth
+ INTEGER,
+ usrPort21Auth
+ INTEGER,
+ usrPort22Auth
+ INTEGER,
+ usrPort23Auth
+ INTEGER,
+ usrPort24Auth
+ INTEGER,
+ usrPort25Auth
+ INTEGER,
+ usrPort26Auth
+ INTEGER,
+ usrPort27Auth
+ INTEGER,
+ usrPort28Auth
+ INTEGER,
+ usrPort29Auth
+ INTEGER,
+ usrPort30Auth
+ INTEGER,
+ usrPort31Auth
+ INTEGER,
+ usrPort32Auth
+ INTEGER,
+ usrPort33Auth
+ INTEGER,
+ usrPort34Auth
+ INTEGER,
+ usrPort35Auth
+ INTEGER,
+ usrPort36Auth
+ INTEGER,
+ usrPort37Auth
+ INTEGER,
+ usrPort38Auth
+ INTEGER,
+ usrPort39Auth
+ INTEGER,
+ usrPort40Auth
+ INTEGER,
+ usrPort41Auth
+ INTEGER,
+ usrPort42Auth
+ INTEGER,
+ usrEnable
+ INTEGER
+ }
+
+usrIndex OBJECT-TYPE
+ SYNTAX INTEGER (1..9)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of usrIndex for the user. We have 1 administrator and 8 users.
+ The index 9 will be the administrator.
+ "
+ ::= { usrListEntry 1 }
+
+usrType OBJECT-TYPE
+ SYNTAX INTEGER { administrator(1), user(2)}
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The user's type."
+ ::= { usrListEntry 2 }
+
+usrName OBJECT-TYPE
+ SYNTAX DisplayString (SIZE (1..16))
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "A textual string containing name of the user.
+ string length: 1~16
+ "
+ ::= { usrListEntry 3 }
+
+usrPassword OBJECT-TYPE
+ SYNTAX DisplayString (SIZE (1..16))
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "A textual string containing password of the user.
+ string length: 1~16
+ "
+ ::= { usrListEntry 4 }
+
+usrPort1Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 1 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 5 }
+usrPort2Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 2 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 6 }
+usrPort3Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 3 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 7 }
+usrPort4Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 4 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 8 }
+usrPort5Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 5 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 9 }
+usrPort6Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Dispaly or set this user's outlet 6 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 10 }
+usrPort7Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 7 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 11 }
+usrPort8Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 8 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 12 }
+usrEnable OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), enable(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user is enable or not"
+ ::= { usrListEntry 47 }
+
+usrPort9Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 9 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 13 }
+
+usrPort10Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 10 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 14 }
+
+usrPort11Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 11 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 15 }
+
+usrPort12Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 12 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 16 }
+
+usrPort13Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 13 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 17 }
+
+
+usrPort14Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 14 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 18 }
+
+usrPort15Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 15 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 19 }
+
+usrPort16Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 16 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 20 }
+
+usrPort17Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 17 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 21 }
+
+usrPort18Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 18 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 22 }
+
+usrPort19Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 19 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 23 }
+
+usrPort20Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 20 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 24 }
+
+usrPort21Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 21 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 25 }
+
+usrPort22Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 22 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 26 }
+
+usrPort23Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 23 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 27 }
+
+usrPort24Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 24 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 28 }
+
+usrPort25Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 25 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 29 }
+
+usrPort26Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 26 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 30 }
+
+usrPort27Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 27 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 31 }
+usrPort28Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 28 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 32 }
+
+usrPort29Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 29 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 33 }
+
+usrPort30Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 30 authority.
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 34 }
+
+usrPort31Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 31 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 35 }
+
+usrPort32Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 32 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 36 }
+
+usrPort33Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 33 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 37 }
+
+usrPort34Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 34 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 38 }
+
+usrPort35Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 35 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 39 }
+
+usrPort36Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 36 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 40 }
+
+usrPort37Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 37 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 41 }
+
+usrPort38Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 38 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 42 }
+
+usrPort39Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 39 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 43 }
+
+usrPort40Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 40 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 44 }
+
+usrPort41Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 41 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 45 }
+
+usrPort42Auth OBJECT-TYPE
+ SYNTAX INTEGER { disable(1), view(2), modify(3), not-support(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Display or set this user's outlet 42 authority
+ Port in the pe of series represents outlet.
+ Port in the Energy monitor of series represents a bank or a pdu."
+ ::= { usrListEntry 46 }
+
+-- User Management End
+
+-- DeviceLock
+--communityLock OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "Change SNMPV1 or SNMPV2 community for California passes law.
+-- Please follow the format as readcommunity||writecommunity"
+-- ::= { deviceLock 1 }
+
+--passwordLock OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "Change SNMPV3 password for California passes law.
+-- Please follow the format as authpassword||privpassword"
+-- ::= { deviceLock 2 }
+-- DeviceLock End
+
+-- SNMPv3 USM Settings
+--snmpv3UsmUserTable OBJECT-TYPE
+-- SYNTAX SEQUENCE OF Snmpv3UsmUserEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION "This table is used to configure PE SNMPv3 USM.
+-- To get the SNMPv3 access, One need to configure security
+-- name,authentication,auth password,priv protocol and priv
+-- password.
+-- "
+-- ::= { snmp 2 }
+
+--snmpv3UsmUserEntry OBJECT-TYPE
+-- SYNTAX Snmpv3UsmUserEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION "A user configured for the User-based
+-- Security Model.
+-- "
+-- INDEX { usmIndex }
+-- ::= { snmpv3UsmUserTable 1 }
+
+--Snmpv3UsmUserEntry ::= SEQUENCE {
+-- usmIndex INTEGER,
+-- usmSecurityName SnmpAdminString,
+-- smAuthProtocol SNMPv3UsmAuthPrivProtocol,
+-- usmPrivPassword SnmpAdminString
+-- }
+
+--usmIndex OBJECT-TYPE
+-- SYNTAX INTEGER (1)
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION "Usm configuration index. "
+-- ::= { snmpv3UsmUserEntry 1 }
+
+
+--usmSecurityName OBJECT-TYPE
+-- SYNTAX SnmpAdminString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION "A human readable string representing the user in
+-- Security Model independent format.
+
+-- The default transformation of the User-based Security
+-- Model dependent security ID to the securityName and
+-- vice versa is the identity function so that the
+-- securityName is the same as the userName.
+-- "
+-- ::= { snmpv3UsmUserEntry 2 }
+
+
+--usmKeyAlgorithm OBJECT-TYPE
+-- SYNTAX SNMPv3UsmAuthPrivProtocol
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION "
+-- If usmAuthProtocol == HMACMD5Auth , supports MD5 AuthKey and PrivKey
+-- If usmAuthProtocol == HMACSHAAuth, supports SHA AuthKey and PrivKey
+-- "
+-- ::= { snmpv3UsmUserEntry 3 }
+
+--usmPrivProtocol OBJECT-TYPE
+-- SYNTAX SNMPv3UsmAuthPrivProtocol
+-- MAX-ACCESS read-only
+ -- STATUS current
+ -- DESCRIPTION " A privacy protocol to provide encryption and decryption
+-- SNMPv3 pdu.
+ -- "
+ -- ::= { snmpv3UsmUserEntry 4 }
+
+--usmPrivPassword OBJECT-TYPE
+-- SYNTAX SnmpAdminString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION "An user's privacy password, Associated protocol
+-- and a secret key is used to establish a connection
+-- for the snmp agent and manager commnucation.
+-- "
+-- ::= { snmpv3UsmUserEntry 4 }
+
+
+-- SNMPv3 Target MIB
+
+--snmpv3TargetTable OBJECT-TYPE
+-- SYNTAX SEQUENCE OF Snmpv3TargetEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+ -- "A table of SNMP target information to be used
+ -- in the generation of SNMP trap messages."
+ -- ::= { snmp 3 }
+
+--snmpv3TargetEntry OBJECT-TYPE
+-- SYNTAX Snmpv3TargetEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "A set of SNMP target information.
+-- "
+-- INDEX { snmpv3TargetIndex }
+-- ::= { snmpv3TargetTable 1 }
+
+--Snmpv3TargetEntry ::= SEQUENCE {
+-- snmpv3TargetIndex INTEGER,
+-- snmpv3TargetMPModel SnmpMessageProcessingModel,
+-- snmpv3TargetSecurityModel SnmpSecurityModel,
+ -- snmpv3TargetSecurityName SnmpAdminString
+--}
+--snmpv3TargetIndex OBJECT-TYPE
+ -- SYNTAX INTEGER(1)
+ -- MAX-ACCESS not-accessible
+ -- STATUS current
+ -- DESCRIPTION
+ -- "The locally arbitrary, but unique identifier associated
+ -- with this snmpv3TargetEntry."
+ -- ::= { snmpv3TargetEntry 1 }
+
+--snmpv3TargetMPModel OBJECT-TYPE
+ -- SYNTAX SnmpMessageProcessingModel
+ -- MAX-ACCESS read-only
+ -- STATUS current
+ -- DESCRIPTION
+ -- "The Message Processing Model to be used when generating
+ -- SNMP messages using this entry."
+ -- ::= { snmpv3TargetEntry 2 }
+
+--snmpv3TargetSecurityModel OBJECT-TYPE
+ -- SYNTAX SnmpSecurityModel (1..2147483647)
+ -- MAX-ACCESS read-only
+ -- STATUS current
+ -- DESCRIPTION
+ -- "The Security Model to be used when generating SNMP
+ -- messages using this entry. An implementation may
+ -- choose to return an inconsistentValue error if an
+ -- attempt is made to set this variable to a value
+ -- for a security model which the implementation does
+ -- not support."
+ -- ::= { snmpv3TargetEntry 3 }
+
+--snmpv3TargetSecurityName OBJECT-TYPE
+ -- SYNTAX SnmpAdminString
+ -- MAX-ACCESS read-only
+ -- STATUS current
+ -- DESCRIPTION
+ -- "The securityName which identifies the Principal on
+ -- whose behalf SNMP messages will be generated using
+ -- this entry."
+ -- ::= { snmpv3TargetEntry 4 }
+
+--snmpv3TargetSecurityLevel OBJECT-TYPE
+ -- SYNTAX SnmpSecurityLevel
+ -- MAX-ACCESS read-only
+ -- STATUS current
+ -- DESCRIPTION
+ -- "The Level of Security to be used when generating
+ -- SNMP messages using this entry."
+ -- ::= { snmpv3TargetEntry 5 }
+
+-- Custom Trap Message
+
+customTrapMSG NOTIFICATION-TYPE
+ STATUS current
+ --OBJECTS { customTrapMSG }
+ DESCRIPTION "Display custom trap message."
+ ::= { pe 5 }
+
+rebootDevice OBJECT-TYPE
+ SYNTAX INTEGER { no(1), yes(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION "Reboot PE Device"
+ ::= { pe 6 }
+-- CPM
+--modelName OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Indicate CPM device model name."
+-- ::= { CPM 1 }
+
+--cpmName OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "The name of CPM device.
+-- string length: 1~39
+-- NOTE: Input string as /empty to set this object to NULL.
+-- "
+-- ::= { CPM 2 }
+
+--cpmswitchable OBJECT-TYPE
+-- SYNTAX INTEGER { no(1), yes(2) }
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- " Switchable or not. "
+-- ::= { CPM 3 }
+
+--cpmPDUreading OBJECT-TYPE
+-- SYNTAX INTEGER { no(1), yes(2) }
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- " CPM is per-PDU reading or not."
+-- ::= { CPM 4 }
+
+--cpmSensornumber OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- " CPM's Sensor number."
+-- ::= { CPM 5 }
+
+--cpmOutletnumber OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- " CPM's Outlet number."
+-- ::= { CPM 6 }
+
+--cpmbreaker OBJECT-TYPE
+ --SYNTAX INTEGER { off(1), on(2) }
+ --MAX-ACCESS read-only
+ --STATUS current
+ --DESCRIPTION
+ -- "CPM's breaker status."
+ --::= { CPM 7 }
+
+-- Device
+--cpmdeviceValueTable OBJECT-TYPE
+-- SYNTAX SEQUENCE OF cpmDeviceValueEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Device value table. This table displays device's current.
+-- "
+-- ::= { CPMDevice 1 }
+
+--cpmdeviceValueEntry OBJECT-TYPE
+-- SYNTAX cpmDeviceValueEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Single deviceValue entry containing device info."
+-- INDEX { cpmdeviceValueIndex }
+-- ::= { cpmdeviceValueTable 1 }
+
+--cpmDeviceValueEntry ::=
+-- SEQUENCE {
+-- cpmdeviceValueIndex
+-- INTEGER,
+-- cpmdeviceCurrent
+-- DisplayString,
+ --cpmdeviceVoltage
+ -- DisplayString,
+ --cpmdevicePower
+ -- DisplayString,
+ --cpmdevicePowerDissipation
+ -- DisplayString,
+ --cpminputMaxVoltage
+ -- INTEGER,
+-- cpminputMaxCurrent
+-- INTEGER
+ --cpmpowerCapacity
+ -- INTEGER
+
+-- }
+
+--cpmdeviceValueIndex OBJECT-TYPE
+-- SYNTAX INTEGER (1)
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Index of device Value."
+-- ::= { cpmdeviceValueEntry 1 }
+
+--cpmdeviceCurrent OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Device electric current value.
+-- "
+-- ::= { cpmdeviceValueEntry 2 }
+
+--cpmdeviceVoltage OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Device voltage value."
+-- ::= { cpmdeviceValueEntry 3 }
+--cpmdevicePower OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Device power value."
+-- ::= { cpmdeviceValueEntry 4 }
+
+--cpmdevicePowerDissipation OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Device power dissipation value."
+-- ::= { cpmdeviceValueEntry 5 }
+
+--cpminputMaxVoltage OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Device input Voltage value. unit:(V)"
+-- ::= { cpmdeviceValueEntry 6 }
+
+--cpminputMaxCurrent OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Device input Current value. unit:(A)"
+-- ::= { cpmdeviceValueEntry 7 }
+
+--cpmpowerCapacity OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "Device power Capacity value.unit:(VA)"
+-- ::= { cpmdeviceValueEntry 8 }
+
+--cpmdeviceConfigTable OBJECT-TYPE
+-- SYNTAX SEQUENCE OF cpmDeviceConfigEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Device configuration table"
+-- ::= { CPMDevice 2 }
+
+--cpmdeviceConfigEntry OBJECT-TYPE
+-- SYNTAX cpmDeviceConfigEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Single deviceConfig entry containing device info."
+-- INDEX { cpmdeviceConfigIndex }
+-- ::= { cpmdeviceConfigTable 1 }
+
+--cpmDeviceConfigEntry ::=
+-- SEQUENCE {
+-- cpmdeviceConfigIndex
+-- INTEGER,
+ --cpmdeviceMinCurMT
+ -- INTEGER,
+-- cpmdeviceMaxCurMT
+-- INTEGER
+ --cpmdeviceMinVolMT
+ -- INTEGER,
+ --cpmdeviceMaxVolMT
+ -- INTEGER,
+-- }
+
+--cpmdeviceConfigIndex OBJECT-TYPE
+-- SYNTAX INTEGER (1)
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Index of deviceConfig"
+-- ::= { cpmdeviceConfigEntry 1 }
+
+--cpmdeviceMinCurMT OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "Display or set device minimum electric current measurement threshold.
+-- When this value is -3000,it indicate this is NULL.
+-- When set this value to -3000, indicate set this object as NULL.
+-- range:0.0~32.0 represents:0~320
+-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold
+-- "
+-- ::= { cpmdeviceConfigEntry 2 }
+
+--cpmdeviceMaxCurMT OBJECT-TYPE
+-- SYNTAX INTEGER
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "Display or set device maximum electric current measurement threshold.
+-- When this value is -3000,it indicate this is NULL.
+-- When set this value to -3000, indicate set this object as NULL.
+-- Example: range 0.0~32.0 represents: 0~320
+
+-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold
+-- "
+-- ::= { cpmdeviceConfigEntry 3 }
+
+--cpmdeviceMinVolMT OBJECT-TYPE
+-- SYNTAX INTEGER (900..2600 | -3000)
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "Display or set device minimum voltage measurement threshold.
+-- range:90.0~260.0 represents:900~2600
+-- When this value is -3000,it indicate this is NULL.
+-- When set this value to -3000, indicate set this object as NULL.
+-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold
+-- "
+-- ::= { cpmdeviceConfigEntry 4 }
+
+--cpmdeviceMaxVolMT OBJECT-TYPE
+-- SYNTAX INTEGER (900..2600 | -3000)
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "Display or set device maximum voltage measurement threshold.
+-- range:90.0~260.0 represents:900~2600
+-- When this value is -3000,it indicate this is NULL.
+-- When set this value to -3000, indicate set this object as NULL.
+-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold
+-- "
+-- ::= { cpmdeviceConfigEntry 5 }
+
+
+
+-- Sensor
+--cpmSensorValueTable OBJECT-TYPE
+-- SYNTAX SEQUENCE OF cpmSensorValueEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "CPM's sensor value table. This table displays sensor's temperature, humidity and
+-- pressure.
+-- "
+-- ::= { Sensor 1 }
+
+--cpmSensorValueEntry OBJECT-TYPE
+-- SYNTAX cpmSensorValueEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "CPM's sensor value entry containing Sensor info."
+-- INDEX { cpmSensorValueIndex }
+-- ::= { cpmSensorValueTable 1 }
+
+--cpmSensorValueEntry ::=
+-- SEQUENCE {
+-- cpmSensorValueIndex
+-- INTEGER,
+-- cpmSensorTemperature
+-- DisplayString,
+-- cpmSensorHumidity
+-- DisplayString,
+-- cpmSensorPressure
+-- DisplayString,
+-- cpmSensorProperty
+-- INTEGER
+-- }
+
+--cpmSensorValueIndex OBJECT-TYPE
+-- SYNTAX INTEGER (1..4)
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Index of CPM's Sensor number."
+-- ::= { cpmSensorValueEntry 1 }
+
+--cpmSensorTemperature OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "CPM's Sensor Temperature value."
+-- ::= { cpmSensorValueEntry 2 }
+
+--cpmSensorHumidity OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "CPM's Sensor Humidity value."
+-- ::= { cpmSensorValueEntry 3 }
+
+--cpmSensorPressure OBJECT-TYPE
+-- SYNTAX DisplayString
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "CPM's Sensor Pressure value."
+-- ::= { cpmSensorValueEntry 4 }
+
+--cpmSensorProperty OBJECT-TYPE
+-- SYNTAX INTEGER { intake(1), exhaust(2) }
+-- MAX-ACCESS read-only
+-- STATUS current
+-- DESCRIPTION
+-- "CPM's Sensor Property."
+-- ::= { cpmSensorValueEntry 5 }
+
+--cpmSensorThresholdTable OBJECT-TYPE
+-- SYNTAX SEQUENCE OF cpmSensorThresholdEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "CPM's Sensor value table"
+-- ::= { Sensor 2 }
+
+--cpmSensorThresholdEntry OBJECT-TYPE
+-- SYNTAX cpmSensorThresholdEntry
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "CPM's sensor threshold entry containing sensor info."
+-- INDEX { cpmSensorThresholdIndex }
+-- ::= { cpmSensorThresholdTable 1 }
+
+--cpmSensorThresholdEntry ::=
+-- SEQUENCE {
+-- cpmSensorThresholdIndex
+-- INTEGER,
+-- cpmsensorMinTempMT
+-- INTEGER,
+-- cpmsensorMaxTempMT
+-- INTEGER,
+
+-- cpmsensorMinHumMT
+-- INTEGER,
+-- cpmsensorMaxHumMT
+-- INTEGER,
+-- cpmsensorMinPressMT
+-- INTEGER,
+-- cpmsensorMaxPressMT
+-- INTEGER
+ --sensorTempFlu
+ --INTEGER,
+ --sensorHumFlu
+ --INTEGER,
+ --sensorPressFlu
+ --INTEGER
+-- }
+
+--cpmSensorThresholdIndex OBJECT-TYPE
+-- SYNTAX INTEGER (1..4)
+-- MAX-ACCESS not-accessible
+-- STATUS current
+-- DESCRIPTION
+-- "Index of CPM's sensor number"
+-- ::= { cpmSensorThresholdEntry 1 }
+
+--cpmsensorMinTempMT OBJECT-TYPE
+-- SYNTAX INTEGER (-200..600 | -3000)
+-- MAX-ACCESS read-write
+-- STATUS current
+-- DESCRIPTION
+-- "Display or set sensor minimum temperature measurement threshold.
+-- Example: range 0.0 ~ 60.0 represents 0~600
+-- When this value is -3000,it indicate this is NULL.
+-- When set this value to -3000, indicate set this object as NULL.
+
+-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold.
+-- " +-- ::= { cpmSensorThresholdEntry 2 } + +--cpmsensorMaxTempMT OBJECT-TYPE +-- SYNTAX INTEGER (-200..600 | -3000) +-- MAX-ACCESS read-write +-- STATUS current +-- DESCRIPTION +-- "Display or set sensor maximum temperature measurement threshold. +-- Example: range 0.0 ~ 60.0 represents 0~600 +-- When this value is -3000,it indicate this is NULL. +-- When set this value to -3000, indicate set this object as NULL. + +-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold +-- " +-- ::= { cpmSensorThresholdEntry 3 } + +--cpmsensorMinHumMT OBJECT-TYPE +-- SYNTAX INTEGER (150..950 | -3000) +-- MAX-ACCESS read-write +-- STATUS current +-- DESCRIPTION +-- "Display or set sensor minimum humidity measurement threshold. +-- Example: range 15.0 ~ 95.0 represents 150~950 +-- When this value is -3000,it indicate this is NULL. +-- When set this value to -3000, indicate set this object as NULL. + +-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold +-- " +-- ::= { cpmSensorThresholdEntry 4 } +--cpmsensorMaxHumMT OBJECT-TYPE +-- SYNTAX INTEGER (150..950 | -3000) +-- MAX-ACCESS read-write +-- STATUS current +-- DESCRIPTION +-- "Display or set sensor maximum humidity measurement threshold. +-- Example: range 15.0 ~ 95.0 represents 150~950 +-- When this value is -3000,it indicate this is NULL. +-- When set this value to -3000, indicate set this object as NULL. + +-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold +-- " +-- ::= { cpmSensorThresholdEntry 5 } + +--cpmsensorMinPressMT OBJECT-TYPE +-- SYNTAX INTEGER (-2500..2500 | -3000) +-- MAX-ACCESS read-write +-- STATUS current +-- DESCRIPTION +-- "Display or set sensor minimum pressure measurement threshold. +-- Example: range -250.0 ~ 250.0 represents -2500 ~ 2500 +-- When this value is -3000,it indicate this is NULL. +-- When set this value to -3000, indicate set this object as NULL. 
+ +-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold +-- " +-- ::= { cpmSensorThresholdEntry 6 } + +--cpmsensorMaxPressMT OBJECT-TYPE +-- SYNTAX INTEGER (-2500..2500 | -3000) +-- MAX-ACCESS read-write +-- STATUS current +-- DESCRIPTION +-- "Display or set sensor maximum pressure measurement threshold. +-- Example: range -250.0 ~ 250.0 represents -2500 ~ 2500 +-- When this value is -3000,it indicate this is NULL. +-- When set this value to -3000, indicate set this object as NULL. + +-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold +-- " +-- ::= { cpmSensorThresholdEntry 7 } + + +-- pdu + +--cpmPDUValueTable OBJECT-TYPE +-- SYNTAX SEQUENCE OF cpmPDUValueEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "Display the PDU's current value of CPM" +-- ::= { EnergySensor 1 } + +--cpmPDUValueEntry OBJECT-TYPE +-- SYNTAX cpmPDUValueEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "CPM's monitor pdu Value entry containing outlet info." 
+-- INDEX { cpmPDUValueIndex } +-- ::= { cpmPDUValueTable 1 } + +--cpmPDUValueEntry ::= +-- SEQUENCE { +-- cpmPDUValueIndex +-- INTEGER, +-- cpmPDUCurrent +-- DisplayString, + --cpmPDUVoltage + -- DisplayString, + --cpmPDUPower + -- DisplayString, + --cpmPDUPowerDissipation + -- DisplayString, +-- cpmPDUMaxCurrent +-- INTEGER +-- } + +--cpmPDUValueIndex OBJECT-TYPE +-- SYNTAX INTEGER (1..4) +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "Index of PDU number" +-- ::= { cpmPDUValueEntry 1 } + +--cpmPDUCurrent OBJECT-TYPE +-- SYNTAX DisplayString +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "CPM's monitor PDU electric current value" +-- ::= { cpmPDUValueEntry 2 } + +--cpmPDUVoltage OBJECT-TYPE + --SYNTAX DisplayString + --MAX-ACCESS read-only + --STATUS current + --DESCRIPTION + -- "CPM's monitor PDU voltage value" + --::= { cpmPDUValueEntry 3 } + +--cpmPDUPower OBJECT-TYPE + --SYNTAX DisplayString + --MAX-ACCESS read-only + --STATUS current + --DESCRIPTION + -- "CPM's monitor PDU power value" + --::= { cpmPDUValueEntry 4 } + +--cpmPDUPowerDissipation OBJECT-TYPE + --SYNTAX DisplayString + --MAX-ACCESS read-only + --STATUS current + --DESCRIPTION + -- "CPM's monitor PDU power dissipation value" + --::= { cpmPDUValueEntry 5 } + +--cpmPDUMaxCurrent OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "CPM's monitor PDU Max Current value. unit: (A)" +-- ::= { cpmPDUValueEntry 6 } + +--cpmBankStatus OBJECT-TYPE +-- SYNTAX INTEGER { noattached(1), attached(2) } +-- MAX-ACCESS read-only +-- STATUS current +-- DESCRIPTION +-- "The status CPM device Bank status." 
+-- ::= { cpmPDUValueEntry 7 } + + +--cpmPDUConfigTable OBJECT-TYPE +-- SYNTAX SEQUENCE OF cpmPDUConfigEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "CPM's monitor PDU configuration table" +-- ::= { EnergySensor 2 } + +--cpmPDUConfigEntry OBJECT-TYPE +-- SYNTAX cpmPDUConfigEntry +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "CPM's monitor PDU config entry containing PDU info." +-- INDEX { cpmPDUConfigIndex } +-- ::= { cpmPDUConfigTable 1 } + +--cpmPDUConfigEntry ::= +-- SEQUENCE { +-- cpmPDUConfigIndex +-- INTEGER, +-- cpmPDUName +-- DisplayString, + --cpmPDUConfirmation + -- INTEGER, + --cpmPDUOnDelayTime + -- INTEGER, + --cpmPDUOffDelayTime + -- INTEGER, + --cpmPDUShutdownMethod + -- INTEGER, + --cpmPDUMAC + -- DisplayString, + --cpmPDUMinCurMT + -- INTEGER, +-- cpmPDUMaxCurMT +-- INTEGER + + --cpmPDUMinVolMT + -- INTEGER, + --cpmPDUMaxVolMT + -- INTEGER, + + +-- } + +--cpmPDUConfigIndex OBJECT-TYPE +-- SYNTAX INTEGER (1..4) +-- MAX-ACCESS not-accessible +-- STATUS current +-- DESCRIPTION +-- "Index of PDU number" +-- ::= { cpmPDUConfigEntry 1 } + +--cpmPDUName OBJECT-TYPE +-- SYNTAX DisplayString +-- MAX-ACCESS read-write +-- STATUS current +-- DESCRIPTION +-- "Display or set the name of pdu. +-- string length: 0~15 +-- NOTE: Input string as /empty to set this object to NULL. +-- " +-- ::= { cpmPDUConfigEntry 2 } + +--cpmPDUConfirmation OBJECT-TYPE + --SYNTAX INTEGER { no(1), yes(2) } + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display or set the confirmation of outlet." + --::= { cpmPDUConfigEntry 3 } + +--cpmPDUOnDelayTime OBJECT-TYPE + --SYNTAX INTEGER (0..999) + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display or set the ON delay time of outlet." + --::= { cpmPDUConfigEntry 4 } + +--cpmPDUOffDelayTime OBJECT-TYPE + --SYNTAX INTEGER (0..999) + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display or set the OFF delay time of outlet." 
+ --::= { cpmPDUConfigEntry 5 } + +--cpmPDUShutdownMethod OBJECT-TYPE + --SYNTAX INTEGER { kill-the-power(1), wake-on-lan(2), after-ac-back(3) } + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display or set the shutdown mehtod of outlet." + --::= { cpmPDUConfigEntry 6 } + +--cpmPDUMAC OBJECT-TYPE + --SYNTAX DisplayString + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display or set the MAC address of ShutdownMethod. + -- string length: 12 + -- " + --::= { cpmPDUConfigEntry 7 } + +--cpmPDUMinCurMT OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-write +-- STATUS current +-- DESCRIPTION +-- "Display or set the PDU minimum electric current measurment threshold. +-- Range:0.0 ~16.0 rerpresnts 0~160 +-- When this value is -3000,it indicate this is NULL. +-- When set this value to -3000, indicate set this object as NULL. +-- +-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold +-- " +-- ::= { cpmPDUConfigEntry 3 } + +--cpmPDUMaxCurMT OBJECT-TYPE +-- SYNTAX INTEGER +-- MAX-ACCESS read-write +-- STATUS current +-- DESCRIPTION +-- "Display or set the PDU maximum electric current measurment threshold. +-- Example: range 0.0 ~16.0 represents 0~160 +-- When this value is -3000,it indicate this is NULL. +-- When set this value to -3000, indicate set this object as NULL. + +-- NOTICE:Minimum threshold should be setted smaller than Maxima threshold +-- " +-- ::= { cpmPDUConfigEntry 4 } + +--cpmPDUMinVolMT OBJECT-TYPE + --SYNTAX INTEGER (900..2600) + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display or set the outlet minimum voltage measurment threshold. + -- Range:90.0 ~260.0 represents 900~2600 + -- When this value is -3000,it indicate this is NULL. + -- When set this value to -3000, indicate set this object as NULL. 
+ -- NOTICE:Minimum threshold should be setted smaller than Maxima threshold + -- " + --::= { cpmPDUConfigEntry 10 } + +--cpmPDUMaxVolMT OBJECT-TYPE + --SYNTAX INTEGER (900..2600) + --MAX-ACCESS read-write + --STATUS current + --DESCRIPTION + -- "Display or set the outlet maximum voltage measurment threshold. + -- Range:90.0 ~260.0 represents 900~2600 + -- When this value is -3000,it indicate this is NULL. + -- When set this value to -3000, indicate set this object as NULL. + -- NOTICE:Minimum threshold should be setted smaller than Maxima threshold + -- " + --::= { cpmPDUConfigEntry 11 } + + +END diff --git a/roles/aten_pdu/files/aten-mqtt-publish.sh b/roles/aten_pdu/files/aten-mqtt-publish.sh new file mode 100644 index 0000000..5b486c6 --- /dev/null +++ b/roles/aten_pdu/files/aten-mqtt-publish.sh 
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+set -eu
+umask 077
+
+community="public"
+
+mqtt_send() {
+ topic="$1"
+ value="$2"
+
+ tlsdir="$(openssl version -d | sed -e 's/^OPENSSLDIR: "\(.\+\)"$/\1/')"
+ mosquitto_pub -h mqtt02.home.foo.sh -t "$topic" -m "$value" \
+ --cafile "${tlsdir}/certs/ca.crt" \
+ --key "${tlsdir}/private/$(hostname -f).key" \
+ --cert "${tlsdir}/certs/$(hostname -f).crt"
+}
+
+snmp_get() {
+ host="$1"
+ key="$2"
+ snmpget -v 1 -c "$community" "$host" -Oqv -m ATEN-PE-CFG "$key" | tr -d '"'
+}
+
+# only run script if first vrrp interface is in master state
+for state in /run/keepalived/*.state ; do
+ if [ "$(cat "$state")" != "MASTER" ]; then
+ exit 0
+ fi
+ break
+done
+
+ldapsearch -Q -LLL "(&(objectClass=device)(description=Aten PE*))" cn | \
+ awk '{ if ($1 == "cn:") print $2 }' | while read -r name
+do
+ location="$(snmp_get "$name" RFC1213-MIB::sysLocation.0 | \
+ tr '[:upper:]' '[:lower:]' | tr ' ' '_')"
+ snmpwalk -v 1 -c "$community" "$name" -Oq \
+ -m ATEN-PE-CFG ATEN-PE-CFG::outletName | while read -r port device
+ do
+ port="$(echo "$port" | cut -d '.' -f 2)"
+ device="$(echo "$device" | tr -d '"')"
+ case "$device" in
+ "N/A"|"00 "|"unused")
+ continue
+ ;;
+ esac
+ for key in Current Power Voltage ; do
+ topic="home/${location}/${device}/$(echo "$key" | tr '[:upper:]' '[:lower:]')"
+ value="$(snmp_get "$name" "ATEN-PE-CFG::outlet${key}.${port}")"
+ mqtt_send "$topic" "$value"
+ done
+ done
+done
diff --git a/roles/aten_pdu/meta/main.yml b/roles/aten_pdu/meta/main.yml
new file mode 100644
index 0000000..d2f9d51
--- /dev/null
+++ b/roles/aten_pdu/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - {role: ldap}
diff --git a/roles/aten_pdu/tasks/main.yml b/roles/aten_pdu/tasks/main.yml
new file mode 100644
index 0000000..8bb9112
--- /dev/null
+++ b/roles/aten_pdu/tasks/main.yml
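Review bot: The publish topic built at `topic="home/${location}/${device}/..."` takes `location` and `device` straight from what the PDU answers for `sysLocation.0` and `outletName` over unauthenticated SNMPv1, with only case-folding and space replacement, so a `/` in an outlet name shifts the topic levels and a `+`, `#` or leading `$` yields a wildcard or reserved topic that mosquitto_pub refuses or that lands outside `home/`. Restrict both to a fixed alphabet before use, e.g. `device="$(echo "$device" | tr -d '"' | sed 's/[^[:alnum:]_-]/_/g')"` with the same filter on `location`, and skip the outlet when the result is empty. Separately, `community="public"` with `-v 1` means every read is cleartext and unauthenticated; if the PE8108 supports SNMPv3 prefer `-v 3` with authPriv credentials, otherwise at least a non-default read-only community loaded from a root-only file rather than a literal in a script the role installs 0755. Note also that under `set -e` one failing `snmpget` inside the inner `while` subshell would abort the remaining outlets of that PDU silently, which may be intended but deserves a comment.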
@@ -0,0 +1,31 @@ +--- +- name: Install packages + ansible.builtin.package: + name: "{{ item }}" + state: installed + with_items: + - mosquitto + - net-snmp-utils + +# https://www.aten.com/eu/en/products/power-distribution-&-racks/rack-pdu/pe8108/ +- name: Install custom mib + ansible.builtin.copy: + dest: /usr/share/snmp/mibs/ATEN-PE-CFG.txt + src: ATEN-PE-CFG_str_1.3.128.mib + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + +- name: Install mqtt publish script + ansible.builtin.copy: + dest: /usr/local/bin/aten-mqtt-publish + src: aten-mqtt-publish.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Add mqtt publish cron job + ansible.builtin.cron: + name: aten-mqtt-publish + job: /usr/local/bin/aten-mqtt-publish + minute: "*/5" From 4c9a7dbcfb2e6fae81ba4ac76f1a11bef7a6fe2c Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 6 Apr 2025 16:44:47 +0000 Subject: [PATCH 572/596] Add aten_pdu role to nms hosts --- playbooks/nms.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 969b6a5..075054c 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -38,6 +38,7 @@ autofs_home: false - sssd - mkhomedir + - aten_pdu - routeros_firmware - snmp_exporter @@ -74,7 +75,6 @@ name: "{{ item }}" state: installed with_items: - - net-snmp-utils - nmap - rcs - unzip From f114a2d5d973445ae1801a9099f0400e7b6867cb Mon Sep 17 00:00:00 2001 
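Review bot: The `ansible.builtin.cron` task sets no `user:`, so `aten-mqtt-publish` runs from root's crontab every five minutes although the script only needs network access plus read access to the host's MQTT client certificate and key. Run it as a dedicated unprivileged account (`user: aten-pdu` after creating it with `ansible.builtin.user` and giving it group read on the key, along the lines of the `ha-mqtt`/`hostkey` arrangement later in this series), making sure that account can still perform the `ldapsearch -Q` the script relies on. Minor: `with_items` is the legacy form and `loop:` is the current idiom, and `state: present` is the documented value for `ansible.builtin.package`.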
From: Timo Makinen Date: Sun, 6 Apr 2025 17:32:32 +0000 Subject: [PATCH 573/596] routeros: Rename role --- playbooks/nms.yml | 2 +- roles/{routeros_firmware => routeros}/files/README.md | 0 .../files/download-routeros-firmware.sh | 0 roles/{routeros_firmware => routeros}/tasks/main.yml | 0 4 files changed, 1 insertion(+), 1 deletion(-) rename roles/{routeros_firmware => routeros}/files/README.md (100%) rename roles/{routeros_firmware => routeros}/files/download-routeros-firmware.sh (100%) rename roles/{routeros_firmware => routeros}/tasks/main.yml (100%) diff --git a/playbooks/nms.yml b/playbooks/nms.yml index 075054c..f326b55 100644 --- a/playbooks/nms.yml +++ b/playbooks/nms.yml @@ -39,7 +39,7 @@ - sssd - mkhomedir - aten_pdu - - routeros_firmware + - routeros - snmp_exporter tasks: diff --git a/roles/routeros_firmware/files/README.md b/roles/routeros/files/README.md similarity index 100% rename from roles/routeros_firmware/files/README.md rename to roles/routeros/files/README.md diff --git a/roles/routeros_firmware/files/download-routeros-firmware.sh b/roles/routeros/files/download-routeros-firmware.sh similarity index 100% rename from roles/routeros_firmware/files/download-routeros-firmware.sh rename to roles/routeros/files/download-routeros-firmware.sh diff --git a/roles/routeros_firmware/tasks/main.yml b/roles/routeros/tasks/main.yml similarity index 100% rename from roles/routeros_firmware/tasks/main.yml rename to roles/routeros/tasks/main.yml From 2fedbd505bcb6f7362864666ca87b08e07e38315 Mon Sep 17 00:00:00 2001 
From: Timo Makinen Date: Sat, 19 Apr 2025 18:55:58 +0000 Subject: [PATCH 574/596] ha_mqtt_configd: Initial version of role --- .../ha_mqtt_configd/files/ha_mqtt_configd.py | 70 +++++++++++++++++++ .../ha_mqtt_configd/files/ha_mqtt_configd.rc | 12 ++++ roles/ha_mqtt_configd/handlers/main.yml | 5 ++ roles/ha_mqtt_configd/tasks/main.yml | 45 ++++++++++++ 4 files changed, 132 insertions(+) create mode 100755 roles/ha_mqtt_configd/files/ha_mqtt_configd.py create mode 100755 roles/ha_mqtt_configd/files/ha_mqtt_configd.rc create mode 100644 roles/ha_mqtt_configd/handlers/main.yml create mode 100644 roles/ha_mqtt_configd/tasks/main.yml diff --git a/roles/ha_mqtt_configd/files/ha_mqtt_configd.py b/roles/ha_mqtt_configd/files/ha_mqtt_configd.py new file mode 100755 index 0000000..3cff8c1 --- /dev/null +++ b/roles/ha_mqtt_configd/files/ha_mqtt_configd.py 
@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+
+import hashlib
+import json
+import paho.mqtt.client as mqtt
+import socket
+import ssl
+import syslog
+import time
+
+notify = {}
+
+
+def on_message(client, userdata, msg):
+ if not msg.topic in notify:
+ syslog.syslog(syslog.LOG_INFO, f"Publish config for {msg.topic}")
+ elif notify[msg.topic] < time.monotonic() - 600:
+ syslog.syslog(syslog.LOG_INFO, f"Refresh config for {msg.topic}")
+ else:
+ return
+ topic = msg.topic.split("/")
+ uniqueid = hashlib.md5(msg.topic.encode()).hexdigest()
+ config = {
+ "dev": {
+ "name": topic[2].capitalize(),
+ "suggested_area": topic[1].capitalize(),
+ "identifiers": [
+ uniqueid,
+ ],
+ },
+ "name": "Power Usage",
+ "state_topic": msg.topic,
+ "unit_of_measurement": "W",
+ "unique_id": uniqueid,
+ }
+ client.publish(
+ topic=f"homeassistant/sensor/{uniqueid}/config", payload=json.dumps(config)
+ )
+ notify[msg.topic] = time.monotonic()
+
+
+def connect(hostname):
+ client = mqtt.Client(protocol=mqtt.MQTTv5)
+ client.tls_set(
+ certfile=f"/etc/ssl/{socket.gethostname()}.crt",
+ keyfile=f"/etc/ssl/private/{socket.gethostname()}.key",
+ ca_certs="/etc/ssl/ca.crt",
+ cert_reqs=ssl.CERT_REQUIRED,
+ )
+ client.on_message = on_message
+ client.connect(hostname, 8883)
+ syslog.syslog(syslog.LOG_INFO, f"Connected to MQTT broker {hostname}")
+ return client
+
+
+def main():
+ syslog.openlog(
+ "ha_mqtt_configd", logoption=syslog.LOG_PID, facility=syslog.LOG_DAEMON
+ )
+ client = connect(socket.gethostname())
+ try:
+ client.subscribe("home/+/+/power")
+ client.loop_forever()
+ except KeyboardInterrupt:
+ client.disconnect()
+ syslog.closelog()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/roles/ha_mqtt_configd/files/ha_mqtt_configd.rc b/roles/ha_mqtt_configd/files/ha_mqtt_configd.rc
new file mode 100755
index 0000000..dc63988
--- /dev/null
+++ b/roles/ha_mqtt_configd/files/ha_mqtt_configd.rc
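Review bot: `client.subscribe("home/+/+/power")` is issued once in `main()` before `loop_forever()`; paho reconnects on its own after a broker restart but does not re-issue earlier `subscribe()` calls, and with MQTTv5 the default session expiry of 0 means the broker drops the session on disconnect, so after one reconnect the daemon stays connected while receiving nothing. Register the subscription from the connect callback instead — `client.on_connect = lambda c, u, f, rc, p: c.subscribe("home/+/+/power")` in `connect()` (five-argument form for MQTTv5 on paho 1.x) — and drop the call from `main()`. The discovery config is published without `retain=True`, so a Home Assistant instance started after the last publish only learns the sensor on the next 600-second refresh; if that is intended it deserves a comment, otherwise retain it. Also worth a comment above `on_message`: any client the broker ACL allows to publish under `home/#` can create discovery entities through this daemon, so the broker-side write ACLs are the actual security boundary.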
@@ -0,0 +1,12 @@ +#!/bin/ksh + +daemon="/usr/local/sbin/ha_mqtt_configd" +daemon_user="ha-mqtt" + +. /etc/rc.d/rc.subr + +rc_bg=YES +rc_reload=NO +pexp="python3 /usr/local/sbin/ha_mqtt_configd" + +rc_cmd $1 diff --git a/roles/ha_mqtt_configd/handlers/main.yml b/roles/ha_mqtt_configd/handlers/main.yml new file mode 100644 index 0000000..79a2cc5 --- /dev/null +++ b/roles/ha_mqtt_configd/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart ha_mqtt_configd + ansible.builtin.service: + name: ha_mqtt_configd + state: restarted diff --git a/roles/ha_mqtt_configd/tasks/main.yml b/roles/ha_mqtt_configd/tasks/main.yml new file mode 100644 index 0000000..0757fa8 --- /dev/null +++ b/roles/ha_mqtt_configd/tasks/main.yml @@ -0,0 +1,45 @@ +--- +- name: Install packages + ansible.builtin.package: + name: py3-paho-mqtt + state: installed + +- name: Create group + ansible.builtin.group: + name: ha-mqtt + system: true + +- name: Create user + ansible.builtin.user: + name: ha-mqtt + comment: ha-mqtt-configd + group: ha-mqtt + groups: hostkey + create_home: false + home: /var/empty + shell: /sbin/nologin + system: true + +- name: Copy daemon + ansible.builtin.copy: + dest: /usr/local/sbin/ha_mqtt_configd + src: ha_mqtt_configd.py + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart ha_mqtt_configd + +- name: Copy startup script + ansible.builtin.copy: + dest: /etc/rc.d/ha_mqtt_configd + src: ha_mqtt_configd.rc + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart ha_mqtt_configd + +- name: Enable service + ansible.builtin.service: + name: ha_mqtt_configd + state: started + enabled: true From bb572040ef13539a3617e7ad0288ff2104328e30 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Apr 2025 18:56:27 +0000 Subject: [PATCH 575/596] Add ha_mqtt_configd to mqtt hosts --- playbooks/mqtt.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/mqtt.yml b/playbooks/mqtt.yml index d67c977..8a5c0b7 100644 --- a/playbooks/mqtt.yml 
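Review bot: `groups: hostkey` on the `ha-mqtt` account presumably exists to let the daemon read `/etc/ssl/private/<hostname>.key`, the path pattern its `tls_set` uses, which looks like the host's own TLS key; a bug in this network-facing Python process would then expose the key that identifies the host to every other service using it. Issue the daemon its own client certificate and key owned by `ha-mqtt` (or at least a copy readable only by that user) and point `keyfile=` at it, so the blast radius of the service stays the service. Minor: `state: present` is the documented value for `ansible.builtin.package`, and the `Enable service` task starts the daemon before the notified restart handler runs, which is harmless but means two starts on first deploy.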
+++ b/playbooks/mqtt.yml @@ -15,6 +15,7 @@ roles: - base - mosquitto + - ha_mqtt_configd - telegraf - nginx - role: nginx_site From ed4debd59de1eb184ffa22cb668048d91ddf30b7 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Apr 2025 19:12:46 +0000 Subject: [PATCH 576/596] ha_mqtt_configd: Add icon for power measurements --- roles/ha_mqtt_configd/files/ha_mqtt_configd.py | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ha_mqtt_configd/files/ha_mqtt_configd.py b/roles/ha_mqtt_configd/files/ha_mqtt_configd.py index 3cff8c1..b5d2c03 100755 --- a/roles/ha_mqtt_configd/files/ha_mqtt_configd.py +++ b/roles/ha_mqtt_configd/files/ha_mqtt_configd.py @@ -28,6 +28,7 @@ def on_message(client, userdata, msg): uniqueid, ], }, + "icon": "mdi:lightning-bolt", "name": "Power Usage", "state_topic": msg.topic, "unit_of_measurement": "W", From ae59e21a2e56afe5b709e14e931036ee5d403783 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Apr 2025 19:14:07 +0000 Subject: [PATCH 577/596] homeassistant: Disable manual mqtt configuration --- roles/homeassistant/tasks/main.yml | 10 ---------- roles/homeassistant/templates/mqtt.yaml.j2 | 13 ------------- 2 files changed, 23 deletions(-) delete mode 100644 roles/homeassistant/templates/mqtt.yaml.j2 diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index 3e368d1..746b312 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml @@ -146,16 +146,6 @@ group: "{{ ansible_wheel }}" setype: _default -- name: Create mqtt config file - ansible.builtin.template: - dest: /srv/homeassistant/mqtt.yaml - src: mqtt.yaml.j2 - mode: "0644" - owner: root - group: "{{ ansible_wheel }}" - setype: _default - notify: Restart homeassistant - - name: Create directories for custom integrations ansible.builtin.file: path: "{{ item }}" diff --git a/roles/homeassistant/templates/mqtt.yaml.j2 b/roles/homeassistant/templates/mqtt.yaml.j2 deleted file mode 100644 index c0b7ac3..0000000 
--- a/roles/homeassistant/templates/mqtt.yaml.j2 +++ /dev/null @@ -1,13 +0,0 @@ ---- -sensor: -{% for shelly in shellies | selectattr("name", "match", "^shellyplug-s-") | list %} - - name: Power Usage - state_topic: home/{{ shelly["room"] }}/{{ shelly["device"] }}/power - unique_id: {{ shelly["name"] }} - unit_of_measurement: W - device: - name: {{ shelly["device"] | capitalize }} - suggested_area: {{ shelly["room"] | replace("_", " ") | capitalize }} - identifiers: - - {{ shelly["name"] }} -{% endfor %} From e7902763598ef11e252e702ac6c27778a9bcde15 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Apr 2025 19:20:02 +0000 Subject: [PATCH 578/596] routeros: Add script to publish poe power to mqtt --- roles/routeros/files/mikrotik.mib | 4159 +++++++++++++++++ .../files/routeros-poe-mqtt-publish.sh | 54 + roles/routeros/meta/main.yml | 3 + roles/routeros/tasks/main.yml | 32 +- 4 files changed, 4247 insertions(+), 1 deletion(-) create mode 100644 roles/routeros/files/mikrotik.mib create mode 100644 roles/routeros/files/routeros-poe-mqtt-publish.sh create mode 100644 roles/routeros/meta/main.yml diff --git a/roles/routeros/files/mikrotik.mib b/roles/routeros/files/mikrotik.mib new file mode 100644 index 0000000..d640b4a --- /dev/null +++ b/roles/routeros/files/mikrotik.mib 
@@ -0,0 +1,4159 @@ +MIKROTIK-MIB DEFINITIONS ::= BEGIN + +IMPORTS +InetAddressType, InetAddress, InetPortNumber FROM INET-ADDRESS-MIB +MODULE-IDENTITY, OBJECT-TYPE, Integer32, Counter32, Gauge32, IpAddress, +Counter64, enterprises, NOTIFICATION-TYPE, TimeTicks FROM SNMPv2-SMI +TEXTUAL-CONVENTION, DisplayString, MacAddress, TruthValue, DateAndTime FROM SNMPv2-TC +OBJECT-GROUP, NOTIFICATION-GROUP FROM SNMPv2-CONF; + +mikrotikExperimentalModule MODULE-IDENTITY + LAST-UPDATED "202502050000Z" + ORGANIZATION "MikroTik" + CONTACT-INFO "support@mikrotik.com" + DESCRIPTION "" + REVISION "202502050000Z" + DESCRIPTION "" + ::= { mikrotik 1 } + +mikrotik OBJECT IDENTIFIER ::= { enterprises 14988 } +mtXMetaInfo OBJECT IDENTIFIER ::= { mikrotikExperimentalModule 2 } +mtXRouterOsGroups OBJECT IDENTIFIER ::= { mtXMetaInfo 1 } + +mtXRouterOs OBJECT IDENTIFIER ::= { mikrotikExperimentalModule 1 } +mtxrWireless OBJECT IDENTIFIER ::= { mtXRouterOs 1 } +mtxrQueues OBJECT IDENTIFIER ::= { mtXRouterOs 2 } +mtxrHealth OBJECT IDENTIFIER ::= { mtXRouterOs 3 } +mtxrLicense OBJECT IDENTIFIER ::= { mtXRouterOs 4 } +mtxrHotspot OBJECT IDENTIFIER ::= { mtXRouterOs 5 } +mtxrDHCP OBJECT IDENTIFIER ::= { mtXRouterOs 6 } +mtxrSystem OBJECT IDENTIFIER ::= { mtXRouterOs 7 } +mtxrScripts OBJECT IDENTIFIER ::= { mtXRouterOs 8 } +mtxrTraps OBJECT IDENTIFIER ::= { mtXRouterOs 9 } +mtxrNstremeDual OBJECT IDENTIFIER ::= { mtXRouterOs 10 } +mtxrNeighbor OBJECT IDENTIFIER ::= { mtXRouterOs 11 } +mtxrGps OBJECT IDENTIFIER ::= { mtXRouterOs 12 } +mtxrWirelessModem OBJECT IDENTIFIER ::= { mtXRouterOs 13 } +mtxrInterfaceStats OBJECT IDENTIFIER ::= { mtXRouterOs 14 } +mtxrPOE OBJECT IDENTIFIER ::= { mtXRouterOs 15 } +mtxrLTEModem OBJECT IDENTIFIER ::= { mtXRouterOs 16 } +mtxrPartition OBJECT IDENTIFIER ::= { mtXRouterOs 17 } +mtxrScriptRun OBJECT IDENTIFIER ::= { mtXRouterOs 18 } +mtxrOptical OBJECT IDENTIFIER ::= { mtXRouterOs 19 } +mtxrIPSec OBJECT IDENTIFIER ::= { mtXRouterOs 20 } +mtxrWifi OBJECT IDENTIFIER 
::= { mtXRouterOs 21 } + +ObjectIndex ::= TEXTUAL-CONVENTION + DISPLAY-HINT "x" + STATUS current + DESCRIPTION "Internal " + SYNTAX Integer32 (0..2147483647) +-- Note that actually in RouterOs index values can be in range 0..4294967294, +-- this can sometimes make them negative. Any of the following syntaxes would +-- be more appropriate, but since Integer32 is used for InterfaceIndex in +-- IF-MIB, where it can also take negative values in RouterOs, it is used +-- here for consistency. +-- Also note that ObjectIndex value is not related to item numbers that are +-- used by console and shown by console print command. +-- +-- SYNTAX Integer32 (-2147483648..2147483647) +-- SYNTAX Unsigned32 (0..4294967295) + +HexInt ::= TEXTUAL-CONVENTION + DISPLAY-HINT "x" + STATUS current + DESCRIPTION "Hex" + SYNTAX Integer32 (-2147483648..2147483647) + +Voltage ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d-1" + STATUS current + DESCRIPTION "" + SYNTAX Integer32 (-2147483648..2147483647) + +Temperature ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d-1" + STATUS current + DESCRIPTION "" + SYNTAX Integer32 (-2147483648..2147483647) + +Power ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d-1" + STATUS current + DESCRIPTION "" + SYNTAX Integer32 (-2147483648..2147483647) + +GDiv100 ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d-2" + STATUS current + DESCRIPTION "/100" + SYNTAX Gauge32 + +GDiv1000 ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d-3" + STATUS current + DESCRIPTION "/1000" + SYNTAX Gauge32 + +IDiv1000 ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d-3" + STATUS current + DESCRIPTION "/1000" + SYNTAX Integer32 (-2147483648..2147483647) + +BoolValue ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Boolean value." 
+ SYNTAX INTEGER { false(0), true(1) } + +IsakmpCookie ::= TEXTUAL-CONVENTION + DISPLAY-HINT "16a" + STATUS current + DESCRIPTION "ISAKMP cookie string" + SYNTAX OCTET STRING (SIZE (16)) + +-- WIRELESS ******************************************************************** + +mtxrWlStatTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrWlStatEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWireless 1 } + +mtxrWlStatEntry OBJECT-TYPE + SYNTAX MtxrWlStatEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Wireless station mode interface" + INDEX { mtxrWlStatIndex } + ::= { mtxrWlStatTable 1 } + +MtxrWlStatEntry ::= SEQUENCE { + mtxrWlStatIndex ObjectIndex, + mtxrWlStatTxRate Gauge32, + mtxrWlStatRxRate Gauge32, + mtxrWlStatStrength Integer32, + mtxrWlStatSsid DisplayString, + mtxrWlStatBssid MacAddress, + mtxrWlStatFreq Integer32, + mtxrWlStatBand DisplayString, + mtxrWlStatTxCCQ Counter32, + mtxrWlStatRxCCQ Counter32 +} + +mtxrWlStatIndex OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWlStatEntry 1 } + +mtxrWlStatTxRate OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "bits per second" + ::= { mtxrWlStatEntry 2 } + +mtxrWlStatRxRate OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "bits per second" + ::= { mtxrWlStatEntry 3 } + +mtxrWlStatStrength OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "dBm" + ::= { mtxrWlStatEntry 4 } + +mtxrWlStatSsid OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlStatEntry 5 } + +mtxrWlStatBssid OBJECT-TYPE + SYNTAX MacAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlStatEntry 6 } + +mtxrWlStatFreq OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "megahertz" + ::= { mtxrWlStatEntry 7 } + +mtxrWlStatBand OBJECT-TYPE + 
SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlStatEntry 8 } + +mtxrWlStatTxCCQ OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlStatEntry 9 } + +mtxrWlStatRxCCQ OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlStatEntry 10 } + +-- WlRtabTable +mtxrWlRtabTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrWlRtabEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWireless 2 } + +mtxrWlRtabEntry OBJECT-TYPE + SYNTAX MtxrWlRtabEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Wireless registration table. It is indexed by remote + mac-address and local interface index" + INDEX { mtxrWlRtabAddr, mtxrWlRtabIface } + ::= { mtxrWlRtabTable 1 } + +MtxrWlRtabEntry ::= SEQUENCE { + mtxrWlRtabAddr MacAddress, + mtxrWlRtabIface ObjectIndex, + mtxrWlRtabStrength Integer32, + mtxrWlRtabTxBytes Counter32, + mtxrWlRtabRxBytes Counter32, + mtxrWlRtabTxPackets Counter32, + mtxrWlRtabRxPackets Counter32, + mtxrWlRtabTxRate Gauge32, + mtxrWlRtabRxRate Gauge32, + mtxrWlRtabRouterOSVersion DisplayString, + mtxrWlRtabUptime TimeTicks, + mtxrWlRtabSignalToNoise Integer32, + mtxrWlRtabTxStrengthCh0 Integer32, + mtxrWlRtabRxStrengthCh0 Integer32, + mtxrWlRtabTxStrengthCh1 Integer32, + mtxrWlRtabRxStrengthCh1 Integer32, + mtxrWlRtabTxStrengthCh2 Integer32, + mtxrWlRtabRxStrengthCh2 Integer32, + mtxrWlRtabTxStrength Integer32, + mtxrWlRtabRadioName DisplayString +} + +mtxrWlRtabAddr OBJECT-TYPE + SYNTAX MacAddress + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWlRtabEntry 1 } + +mtxrWlRtabIface OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWlRtabEntry 2 } + +mtxrWlRtabStrength OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "dBm" + ::= { mtxrWlRtabEntry 3 } + +mtxrWlRtabTxBytes 
OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlRtabEntry 4 } + +mtxrWlRtabRxBytes OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlRtabEntry 5 } + +mtxrWlRtabTxPackets OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlRtabEntry 6 } + +mtxrWlRtabRxPackets OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlRtabEntry 7 } + +mtxrWlRtabTxRate OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "bits per second" + ::= { mtxrWlRtabEntry 8 } + +mtxrWlRtabRxRate OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "bits per second" + ::= { mtxrWlRtabEntry 9 } + +mtxrWlRtabRouterOSVersion OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "RouterOS version" + ::= { mtxrWlRtabEntry 10 } + +mtxrWlRtabUptime OBJECT-TYPE + SYNTAX TimeTicks + MAX-ACCESS read-only + STATUS current + DESCRIPTION "uptime" + ::= { mtxrWlRtabEntry 11 } + +mtxrWlRtabSignalToNoise OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Measured in dB, if value does not exist it is indicated with 0" + ::= { mtxrWlRtabEntry 12 } + +mtxrWlRtabTxStrengthCh0 OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlRtabEntry 13 } + +mtxrWlRtabRxStrengthCh0 OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlRtabEntry 14 } + +mtxrWlRtabTxStrengthCh1 OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlRtabEntry 15 } + +mtxrWlRtabRxStrengthCh1 OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlRtabEntry 16 } + +mtxrWlRtabTxStrengthCh2 OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS 
read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlRtabEntry 17 } + +mtxrWlRtabRxStrengthCh2 OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlRtabEntry 18 } + +mtxrWlRtabTxStrength OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlRtabEntry 19 } + +mtxrWlRtabRadioName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlRtabEntry 20 } + +mtxrWlRtabEntryCount OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Wireless registration table entry count" + ::= { mtxrWireless 4 } + +mtxrWlApTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrWlApEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWireless 3 } + +mtxrWlApEntry OBJECT-TYPE + SYNTAX MtxrWlApEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Wireless access point mode interface" + INDEX { mtxrWlApIndex } + ::= { mtxrWlApTable 1 } + +MtxrWlApEntry ::= SEQUENCE { + mtxrWlApIndex ObjectIndex, + mtxrWlApTxRate Gauge32, + mtxrWlApRxRate Gauge32, + mtxrWlApSsid DisplayString, + mtxrWlApBssid MacAddress, + mtxrWlApClientCount Counter32, + mtxrWlApFreq Integer32, + mtxrWlApBand DisplayString, + mtxrWlApNoiseFloor Integer32, + mtxrWlApOverallTxCCQ Counter32, + mtxrWlApAuthClientCount Counter32 +} + +mtxrWlApIndex OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWlApEntry 1 } + +mtxrWlApTxRate OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "bits per second" + ::= { mtxrWlApEntry 2 } + +mtxrWlApRxRate OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "bits per second" + ::= { mtxrWlApEntry 3 } + +mtxrWlApSsid OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlApEntry 4 } + +mtxrWlApBssid OBJECT-TYPE + SYNTAX 
MacAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlApEntry 5 } + +mtxrWlApClientCount OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlApEntry 6 } + +mtxrWlApFreq OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "megahertz" + ::= { mtxrWlApEntry 7 } + +mtxrWlApBand OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlApEntry 8 } + +mtxrWlApNoiseFloor OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlApEntry 9 } + +mtxrWlApOverallTxCCQ OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlApEntry 10 } + +mtxrWlApAuthClientCount OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlApEntry 11 } + +mtxrWlCMRtabTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrWlCMRtabEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWireless 5 } + +mtxrWlCMRtabEntry OBJECT-TYPE + SYNTAX MtxrWlCMRtabEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Wireless CAPSMAN registration table. 
It is indexed by remote + mac-address and local interface index" + INDEX { mtxrWlCMRtabAddr, mtxrWlCMRtabIface } + ::= { mtxrWlCMRtabTable 1 } + +MtxrWlCMRtabEntry ::= SEQUENCE { + mtxrWlCMRtabAddr MacAddress, + mtxrWlCMRtabIface ObjectIndex, + mtxrWlCMRtabUptime TimeTicks, + mtxrWlCMRtabTxBytes Counter32, + mtxrWlCMRtabRxBytes Counter32, + mtxrWlCMRtabTxPackets Counter32, + mtxrWlCMRtabRxPackets Counter32, + mtxrWlCMRtabTxRate Gauge32, + mtxrWlCMRtabRxRate Gauge32, + mtxrWlCMRtabTxStrength Integer32, + mtxrWlCMRtabRxStrength Integer32, + mtxrWlCMRtabSsid DisplayString, + mtxrWlCMRtabEapIdent DisplayString +} + +mtxrWlCMRtabAddr OBJECT-TYPE + SYNTAX MacAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMRtabEntry 1 } + -- should not be accessible in SMIv2 + +mtxrWlCMRtabIface OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMRtabEntry 2 } + +mtxrWlCMRtabUptime OBJECT-TYPE + SYNTAX TimeTicks + MAX-ACCESS read-only + STATUS current + DESCRIPTION "uptime" + ::= { mtxrWlCMRtabEntry 3 } + +mtxrWlCMRtabTxBytes OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMRtabEntry 4 } + +mtxrWlCMRtabRxBytes OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMRtabEntry 5 } + +mtxrWlCMRtabTxPackets OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMRtabEntry 6 } + +mtxrWlCMRtabRxPackets OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMRtabEntry 7 } + +mtxrWlCMRtabTxRate OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "bits per second" + ::= { mtxrWlCMRtabEntry 8 } + +mtxrWlCMRtabRxRate OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "bits per second" + ::= { mtxrWlCMRtabEntry 9 } + +mtxrWlCMRtabTxStrength OBJECT-TYPE 
+ SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMRtabEntry 10 } + +mtxrWlCMRtabRxStrength OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMRtabEntry 11 } + +mtxrWlCMRtabSsid OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMRtabEntry 12 } + +mtxrWlCMRtabEapIdent OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMRtabEntry 13 } + +mtxrWlCMRtabEntryCount OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Wireless CAPSMAN registration table entry count" + ::= { mtxrWireless 6 } + +mtxrWlCMREntryCount OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Wireless CAPSMAN remote-cap entry count" + ::= { mtxrWireless 10 } + +mtxrWlCMTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrWlCMEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWireless 7 } + +mtxrWlCMEntry OBJECT-TYPE + SYNTAX MtxrWlCMEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "CAPS-MAN mode interface" + INDEX { mtxrWlCMIndex } + ::= { mtxrWlCMTable 1 } + +MtxrWlCMEntry ::= SEQUENCE { + mtxrWlCMIndex ObjectIndex, + mtxrWlCMRegClientCount Counter32, + mtxrWlCMAuthClientCount Counter32, + mtxrWlCMState DisplayString, + mtxrWlCMChannel DisplayString +} + +mtxrWlCMIndex OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMEntry 1 } + +mtxrWlCMRegClientCount OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMEntry 2 } + +mtxrWlCMAuthClientCount OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMEntry 3 } + +mtxrWlCMState OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMEntry 4 } + 
+mtxrWlCMChannel OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "for master only" + ::= { mtxrWlCMEntry 5 } + +-- +mtxrWlCMRemoteTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrWlCMRemoteEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWireless 11 } + +mtxrWlCMRemoteEntry OBJECT-TYPE + SYNTAX MtxrWlCMRemoteEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "CAPSMAN remote-cap list" + INDEX { mtxrWlCMRemoteIndex } + ::= { mtxrWlCMRemoteTable 1 } + +MtxrWlCMRemoteEntry ::= SEQUENCE { + mtxrWlCMRemoteIndex ObjectIndex, + mtxrWlCMRemoteName DisplayString, + mtxrWlCMRemoteState DisplayString, + mtxrWlCMRemoteAddress DisplayString, + mtxrWlCMRemoteRadios Counter32 +} + +mtxrWlCMRemoteIndex OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMRemoteEntry 1 } + +mtxrWlCMRemoteName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMRemoteEntry 2 } + +mtxrWlCMRemoteState OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMRemoteEntry 3 } + +mtxrWlCMRemoteAddress OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMRemoteEntry 4 } + +mtxrWlCMRemoteRadios OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWlCMRemoteEntry 5 } + +-- W60G +mtxrWl60GTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrWl60GEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWireless 8 } + +mtxrWl60GEntry OBJECT-TYPE + SYNTAX MtxrWl60GEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "W60G interface" + INDEX { mtxrWl60GIndex } + ::= { mtxrWl60GTable 1 } + +MtxrWl60GEntry ::= SEQUENCE { + mtxrWl60GIndex ObjectIndex, + mtxrWl60GMode INTEGER, + mtxrWl60GSsid DisplayString, + mtxrWl60GConnected BoolValue, + 
mtxrWl60GRemote MacAddress, + mtxrWl60GFreq Integer32, + mtxrWl60GMcs Integer32, + mtxrWl60GSignal Integer32, + mtxrWl60GTxSector Integer32, + mtxrWl60GTxSectorInfo DisplayString, + mtxrWl60GRssi Integer32, + mtxrWl60GPhyRate Gauge32 +} + +mtxrWl60GIndex OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWl60GEntry 1 } + +mtxrWl60GMode OBJECT-TYPE + SYNTAX INTEGER { + apBridge(0), + stationBridge(1), + sniff(2), + bridge(3) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWl60GEntry 2 } + +mtxrWl60GSsid OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWl60GEntry 3 } + +mtxrWl60GConnected OBJECT-TYPE + SYNTAX BoolValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWl60GEntry 4 } + +mtxrWl60GRemote OBJECT-TYPE + SYNTAX MacAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWl60GEntry 5 } + +mtxrWl60GFreq OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Mhz" + ::= { mtxrWl60GEntry 6 } + +mtxrWl60GMcs OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWl60GEntry 7 } + +mtxrWl60GSignal OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWl60GEntry 8 } + +mtxrWl60GTxSector OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWl60GEntry 9 } + +mtxrWl60GTxSectorInfo OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWl60GEntry 11 } + +mtxrWl60GRssi OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWl60GEntry 12 } + +mtxrWl60GPhyRate OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWl60GEntry 13 } + +-- W60GSta +mtxrWl60GStaTable OBJECT-TYPE + SYNTAX SEQUENCE OF 
MtxrWl60GStaEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWireless 9 } + +mtxrWl60GStaEntry OBJECT-TYPE + SYNTAX MtxrWl60GStaEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "W60G stations" + INDEX { mtxrWl60GStaIndex } + ::= { mtxrWl60GStaTable 1 } + +MtxrWl60GStaEntry ::= SEQUENCE { + mtxrWl60GStaIndex ObjectIndex, + mtxrWl60GStaConnected BoolValue, + mtxrWl60GStaRemote MacAddress, + mtxrWl60GStaMcs Integer32, + mtxrWl60GStaSignal Integer32, + mtxrWl60GStaTxSector Integer32, + mtxrWl60GStaPhyRate Gauge32, + mtxrWl60GStaRssi Integer32, + mtxrWl60GStaDistance Integer32 +} + +mtxrWl60GStaIndex OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWl60GStaEntry 1 } + +mtxrWl60GStaConnected OBJECT-TYPE + SYNTAX BoolValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWl60GStaEntry 2 } + +mtxrWl60GStaRemote OBJECT-TYPE + SYNTAX MacAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWl60GStaEntry 3 } + +mtxrWl60GStaMcs OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWl60GStaEntry 4 } + +mtxrWl60GStaSignal OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWl60GStaEntry 5 } + +mtxrWl60GStaTxSector OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWl60GStaEntry 6 } + +mtxrWl60GStaPhyRate OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Mbits per second" + ::= { mtxrWl60GStaEntry 8 } + +mtxrWl60GStaRssi OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrWl60GStaEntry 9 } + +mtxrWl60GStaDistance OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "meters" + ::= { mtxrWl60GStaEntry 10 } + + +mtxrWirelessGroup OBJECT-GROUP OBJECTS { + mtxrWlStatTxRate, + 
mtxrWlStatRxRate, + mtxrWlStatStrength, + mtxrWlStatSsid, + mtxrWlStatBssid, + mtxrWlStatFreq, + mtxrWlStatBand, + mtxrWlStatTxCCQ, + mtxrWlStatRxCCQ, + mtxrWlRtabStrength, + mtxrWlRtabTxBytes, + mtxrWlRtabRxBytes, + mtxrWlRtabTxPackets, + mtxrWlRtabRxPackets, + mtxrWlRtabTxRate, + mtxrWlRtabRxRate, + mtxrWlRtabEntryCount, + mtxrWlRtabRouterOSVersion, + mtxrWlRtabUptime, + mtxrWlRtabSignalToNoise, + mtxrWlRtabTxStrengthCh0, + mtxrWlRtabRxStrengthCh0, + mtxrWlRtabTxStrengthCh1, + mtxrWlRtabRxStrengthCh1, + mtxrWlRtabTxStrengthCh2, + mtxrWlRtabRxStrengthCh2, + mtxrWlRtabTxStrength, + mtxrWlRtabRadioName, + mtxrWlApTxRate, + mtxrWlApRxRate, + mtxrWlApSsid, + mtxrWlApBssid, + mtxrWlApClientCount, + mtxrWlApBand, + mtxrWlApFreq, + mtxrWlApNoiseFloor, + mtxrWlApOverallTxCCQ, + mtxrWlApAuthClientCount, + mtxrWlCMRtabAddr, + mtxrWlCMRtabTxBytes, + mtxrWlCMRtabRxBytes, + mtxrWlCMRtabTxPackets, + mtxrWlCMRtabRxPackets, + mtxrWlCMRtabTxRate, + mtxrWlCMRtabRxRate, + mtxrWlCMRtabUptime, + mtxrWlCMRtabTxStrength, + mtxrWlCMRtabRxStrength, + mtxrWlCMRtabSsid, + mtxrWlCMRtabEntryCount, + mtxrWlCMREntryCount, + mtxrWlCMRegClientCount, + mtxrWlCMAuthClientCount, + mtxrWl60GMode, + mtxrWl60GSsid, + mtxrWl60GConnected, + mtxrWl60GRemote, + mtxrWl60GFreq, + mtxrWl60GMcs, + mtxrWl60GSignal, + mtxrWl60GTxSector, + mtxrWl60GTxSectorInfo, + mtxrWl60GRssi, + mtxrWl60GPhyRate, + mtxrWl60GStaConnected, + mtxrWl60GStaRemote, + mtxrWl60GStaMcs, + mtxrWl60GStaSignal, + mtxrWl60GStaTxSector + } + STATUS current + DESCRIPTION "" + ::= { mtXRouterOsGroups 1 } + +-- QUEUES ******************************************************************** + +mtxrQueueSimpleTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrQueueSimpleEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrQueues 1 } + +mtxrQueueSimpleEntry OBJECT-TYPE + SYNTAX MtxrQueueSimpleEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Simple queue" + INDEX { mtxrQueueSimpleIndex } + ::= { mtxrQueueSimpleTable 
1 } + +MtxrQueueSimpleEntry ::= SEQUENCE { + mtxrQueueSimpleIndex ObjectIndex, + mtxrQueueSimpleName DisplayString, + mtxrQueueSimpleSrcAddr IpAddress, + mtxrQueueSimpleSrcMask IpAddress, + mtxrQueueSimpleDstAddr IpAddress, + mtxrQueueSimpleDstMask IpAddress, + mtxrQueueSimpleIface ObjectIndex, + mtxrQueueSimpleBytesIn Counter64, + mtxrQueueSimpleBytesOut Counter64, + mtxrQueueSimplePacketsIn Counter32, + mtxrQueueSimplePacketsOut Counter32, + mtxrQueueSimplePCQQueuesIn Counter32, + mtxrQueueSimplePCQQueuesOut Counter32, + mtxrQueueSimpleDroppedIn Counter32, + mtxrQueueSimpleDroppedOut Counter32 +} + +mtxrQueueSimpleIndex OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrQueueSimpleEntry 1 } + +mtxrQueueSimpleName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueSimpleEntry 2 } + +mtxrQueueSimpleSrcAddr OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueSimpleEntry 3 } + +mtxrQueueSimpleSrcMask OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueSimpleEntry 4 } + +mtxrQueueSimpleDstAddr OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueSimpleEntry 5 } + +mtxrQueueSimpleDstMask OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueSimpleEntry 6 } + +mtxrQueueSimpleIface OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS read-only + STATUS current + DESCRIPTION "interface index" + ::= { mtxrQueueSimpleEntry 7 } + +mtxrQueueSimpleBytesIn OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueSimpleEntry 8 } + +mtxrQueueSimpleBytesOut OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueSimpleEntry 9 } + +mtxrQueueSimplePacketsIn OBJECT-TYPE + SYNTAX 
Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueSimpleEntry 10 } + +mtxrQueueSimplePacketsOut OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueSimpleEntry 11 } + +mtxrQueueSimplePCQQueuesIn OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueSimpleEntry 12 } + +mtxrQueueSimplePCQQueuesOut OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueSimpleEntry 13 } + +mtxrQueueSimpleDroppedIn OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueSimpleEntry 14 } + +mtxrQueueSimpleDroppedOut OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueSimpleEntry 15 } + +mtxrQueueTreeTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrQueueTreeEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrQueues 2 } + +mtxrQueueTreeEntry OBJECT-TYPE + SYNTAX MtxrQueueTreeEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Tree queue" + INDEX { mtxrQueueTreeIndex } + ::= { mtxrQueueTreeTable 1 } + +MtxrQueueTreeEntry ::= SEQUENCE { + mtxrQueueTreeIndex ObjectIndex, + mtxrQueueTreeName DisplayString, + mtxrQueueTreeFlow DisplayString, + mtxrQueueTreeParentIndex ObjectIndex, + mtxrQueueTreeBytes Counter32, + mtxrQueueTreePackets Counter32, + mtxrQueueTreeHCBytes Counter64, + mtxrQueueTreePCQQueues Counter32, + mtxrQueueTreeDropped Counter32 +} + +mtxrQueueTreeIndex OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrQueueTreeEntry 1 } + +mtxrQueueTreeName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueTreeEntry 2 } + +mtxrQueueTreeFlow OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "flowmark" + ::= { 
mtxrQueueTreeEntry 3 } + +mtxrQueueTreeParentIndex OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS read-only + STATUS current + DESCRIPTION "index of parent tree queue or parent interface" + ::= { mtxrQueueTreeEntry 4 } + +mtxrQueueTreeBytes OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueTreeEntry 5 } + +mtxrQueueTreePackets OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueTreeEntry 6 } + +mtxrQueueTreeHCBytes OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueTreeEntry 7 } + +mtxrQueueTreePCQQueues OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueTreeEntry 8 } + +mtxrQueueTreeDropped OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrQueueTreeEntry 9 } + +mtxrQueueGroup OBJECT-GROUP OBJECTS { + mtxrQueueSimpleName, mtxrQueueSimpleSrcAddr, mtxrQueueSimpleSrcMask, + mtxrQueueSimpleDstAddr, mtxrQueueSimpleDstMask, mtxrQueueSimpleIface, + mtxrQueueSimpleBytesIn, mtxrQueueSimpleBytesOut, + mtxrQueueSimplePacketsIn, mtxrQueueSimplePacketsOut, mtxrQueueTreeName, + mtxrQueueSimplePCQQueuesIn, + mtxrQueueSimplePCQQueuesOut, + mtxrQueueSimpleDroppedIn, + mtxrQueueSimpleDroppedOut, + mtxrQueueTreeFlow, mtxrQueueTreeParentIndex, mtxrQueueTreeBytes, + mtxrQueueTreePackets, + mtxrQueueTreeHCBytes, + mtxrQueueTreePCQQueues, + mtxrQueueTreeDropped + } + STATUS current + DESCRIPTION "" + ::= { mtXRouterOsGroups 2 } + +-- HEALTH ******************************************************************** + +mtxrHlCoreVoltage OBJECT-TYPE + SYNTAX Voltage + MAX-ACCESS read-only + STATUS current + DESCRIPTION "core voltage" + ::= { mtxrHealth 1 } + +mtxrHlThreeDotThreeVoltage OBJECT-TYPE + SYNTAX Voltage + MAX-ACCESS read-only + STATUS current + DESCRIPTION "3.3V voltage" + ::= { mtxrHealth 2 } + +mtxrHlFiveVoltage OBJECT-TYPE 
+ SYNTAX Voltage + MAX-ACCESS read-only + STATUS current + DESCRIPTION "5V voltage" + ::= { mtxrHealth 3 } + +mtxrHlTwelveVoltage OBJECT-TYPE + SYNTAX Voltage + MAX-ACCESS read-only + STATUS current + DESCRIPTION "12V voltage" + ::= { mtxrHealth 4 } + +mtxrHlSensorTemperature OBJECT-TYPE + SYNTAX Temperature + MAX-ACCESS read-only + STATUS current + DESCRIPTION "temperature at sensor chip" + ::= { mtxrHealth 5 } + +mtxrHlCpuTemperature OBJECT-TYPE + SYNTAX Temperature + MAX-ACCESS read-only + STATUS current + DESCRIPTION "temperature near cpu" + ::= { mtxrHealth 6 } + +mtxrHlBoardTemperature OBJECT-TYPE + SYNTAX Temperature + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHealth 7 } + +mtxrHlVoltage OBJECT-TYPE + SYNTAX Voltage + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHealth 8 } + +mtxrHlActiveFan OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHealth 9 } + +mtxrHlTemperature OBJECT-TYPE + SYNTAX Temperature + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHealth 10 } + +mtxrHlProcessorTemperature OBJECT-TYPE + SYNTAX Temperature + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHealth 11 } + +mtxrHlPower OBJECT-TYPE + SYNTAX Power + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Watts" + ::= { mtxrHealth 12 } + +mtxrHlCurrent OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "mA" + ::= { mtxrHealth 13 } + +mtxrHlProcessorFrequency OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Mhz" + ::= { mtxrHealth 14 } + +mtxrHlPowerSupplyState OBJECT-TYPE + SYNTAX BoolValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "PSU state ok" + ::= { mtxrHealth 15 } + +mtxrHlBackupPowerSupplyState OBJECT-TYPE + SYNTAX BoolValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "backup PSU state ok" + ::= { mtxrHealth 16 } + +mtxrHlFanSpeed1 OBJECT-TYPE + 
SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "rpm" + ::= { mtxrHealth 17 } + +mtxrHlFanSpeed2 OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "rpm" + ::= { mtxrHealth 18 } + +mtxrAlarmSocketStatus OBJECT-TYPE + SYNTAX INTEGER { + inactive(0), + active(1) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Alarm socket status" + ::= { mtxrHealth 19 } + +mtxrGaugeTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrGaugeTableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrHealth 100 } + +mtxrGaugeTableEntry OBJECT-TYPE + SYNTAX MtxrGaugeTableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + INDEX { mtxrGaugeIndex } + ::= { mtxrGaugeTable 1 } + +MtxrGaugeTableEntry ::= SEQUENCE { + mtxrGaugeIndex ObjectIndex, + mtxrGaugeName DisplayString, + mtxrGaugeValue Integer32, + mtxrGaugeUnit INTEGER +} + +mtxrGaugeIndex OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrGaugeTableEntry 1 } + +mtxrGaugeName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrGaugeTableEntry 2 } + +mtxrGaugeValue OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrGaugeTableEntry 3 } + +mtxrGaugeUnit OBJECT-TYPE + SYNTAX INTEGER { + celsius(1), + rpm(2), + dV(3), + dA(4), + dW(5), + status(6) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION "units" + ::= { mtxrGaugeTableEntry 4 } + +mtxrHealthGroup OBJECT-GROUP OBJECTS { + mtxrHlCoreVoltage, mtxrHlThreeDotThreeVoltage, mtxrHlFiveVoltage, + mtxrHlTwelveVoltage, mtxrHlSensorTemperature, mtxrHlCpuTemperature, + mtxrHlBoardTemperature, mtxrHlVoltage, mtxrHlActiveFan, + mtxrHlTemperature, mtxrHlProcessorTemperature, + mtxrHlCurrent, mtxrHlPower, + mtxrHlProcessorFrequency, + mtxrHlPowerSupplyState, mtxrHlBackupPowerSupplyState, + mtxrHlFanSpeed1, mtxrHlFanSpeed2, 
mtxrAlarmSocketStatus, + mtxrGaugeName, mtxrGaugeValue, mtxrGaugeUnit + } + STATUS current + DESCRIPTION "" + ::= { mtXRouterOsGroups 3 } + +-- LICENSE ******************************************************************** + +mtxrLicSoftwareId OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "software id" + ::= { mtxrLicense 1 } + +mtxrLicUpgrUntil OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION "current key allows upgrading until this date" + ::= { mtxrLicense 2 } + +mtxrLicLevel OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "current key level" + ::= { mtxrLicense 3 } + +mtxrLicVersion OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "software version" + ::= { mtxrLicense 4 } + +mtxrLicUpgradableTo OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "upgradable to" + ::= { mtxrLicense 5 } + +mtxrLincenseGroup OBJECT-GROUP OBJECTS { + mtxrLicSoftwareId, mtxrLicUpgrUntil, mtxrLicLevel, mtxrLicVersion, mtxrLicUpgradableTo + } + STATUS current + DESCRIPTION "" + ::= { mtXRouterOsGroups 4 } + +-- HOTSPOT *************************************************************** + +mtxrHotspotActiveUsersTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrHotspotActiveUsersTableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrHotspot 1 } + +mtxrHotspotActiveUsersTableEntry OBJECT-TYPE + SYNTAX MtxrHotspotActiveUsersTableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + INDEX { mtxrHotspotActiveUserIndex } + ::= { mtxrHotspotActiveUsersTable 1 } + +MtxrHotspotActiveUsersTableEntry ::= SEQUENCE { + mtxrHotspotActiveUserIndex ObjectIndex, + mtxrHotspotActiveUserServerID Integer32, + mtxrHotspotActiveUserName DisplayString, + mtxrHotspotActiveUserDomain DisplayString, + mtxrHotspotActiveUserIP IpAddress, + mtxrHotspotActiveUserMAC MacAddress, + 
mtxrHotspotActiveUserConnectTime Integer32, + mtxrHotspotActiveUserValidTillTime Integer32, + mtxrHotspotActiveUserIdleStartTime Integer32, + mtxrHotspotActiveUserIdleTimeout Integer32, + mtxrHotspotActiveUserPingTimeout Integer32, + mtxrHotspotActiveUserBytesIn Counter64, + mtxrHotspotActiveUserBytesOut Counter64, + mtxrHotspotActiveUserPacketsIn Counter64, + mtxrHotspotActiveUserPacketsOut Counter64, + mtxrHotspotActiveUserLimitBytesIn Counter64, + mtxrHotspotActiveUserLimitBytesOut Counter64, + mtxrHotspotActiveUserAdvertStatus Integer32, + mtxrHotspotActiveUserRadius Integer32, + mtxrHotspotActiveUserBlockedByAdvert Integer32 +} + +mtxrHotspotActiveUserIndex OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 1 } + +mtxrHotspotActiveUserServerID OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 2 } + +mtxrHotspotActiveUserName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 3 } + +mtxrHotspotActiveUserDomain OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 4 } + +mtxrHotspotActiveUserIP OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 5 } + +mtxrHotspotActiveUserMAC OBJECT-TYPE + SYNTAX MacAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 6 } + +mtxrHotspotActiveUserConnectTime OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 7 } + +mtxrHotspotActiveUserValidTillTime OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 8 } + 
+mtxrHotspotActiveUserIdleStartTime OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 9 } + +mtxrHotspotActiveUserIdleTimeout OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 10 } + +mtxrHotspotActiveUserPingTimeout OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 11 } + +mtxrHotspotActiveUserBytesIn OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 12 } + +mtxrHotspotActiveUserBytesOut OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 13 } + +mtxrHotspotActiveUserPacketsIn OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 14 } + +mtxrHotspotActiveUserPacketsOut OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 15 } + +mtxrHotspotActiveUserLimitBytesIn OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 16 } + +mtxrHotspotActiveUserLimitBytesOut OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 17 } + +mtxrHotspotActiveUserAdvertStatus OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 18 } + +mtxrHotspotActiveUserRadius OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrHotspotActiveUsersTableEntry 19 } + +mtxrHotspotActiveUserBlockedByAdvert OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { 
mtxrHotspotActiveUsersTableEntry 20 } + +mtxrHotspotActiveUserGroup OBJECT-GROUP OBJECTS { + mtxrHotspotActiveUserServerID, + mtxrHotspotActiveUserName, + mtxrHotspotActiveUserDomain, + mtxrHotspotActiveUserIP, + mtxrHotspotActiveUserMAC, + mtxrHotspotActiveUserConnectTime, + mtxrHotspotActiveUserValidTillTime, + mtxrHotspotActiveUserIdleStartTime, + mtxrHotspotActiveUserIdleTimeout, + mtxrHotspotActiveUserPingTimeout, + mtxrHotspotActiveUserBytesIn, + mtxrHotspotActiveUserBytesOut, + mtxrHotspotActiveUserPacketsIn, + mtxrHotspotActiveUserPacketsOut, + mtxrHotspotActiveUserLimitBytesIn, + mtxrHotspotActiveUserLimitBytesOut, + mtxrHotspotActiveUserAdvertStatus, + mtxrHotspotActiveUserRadius, + mtxrHotspotActiveUserBlockedByAdvert + } + STATUS current + DESCRIPTION "" + ::= { mtXRouterOsGroups 5 } + +-- DHCP ******************************************************************** + +mtxrDHCPLeaseCount OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrDHCP 1 } + +mtxrDHCPGroup OBJECT-GROUP OBJECTS { + mtxrDHCPLeaseCount + } + STATUS current + DESCRIPTION "" + ::= { mtXRouterOsGroups 12 } + +-- SYSTEM ******************************************************************** + +mtxrSystemReboot OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-write + STATUS current + DESCRIPTION "set non zero to reboot" + ::= { mtxrSystem 1 } + +mtxrUSBPowerReset OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-write + STATUS current + DESCRIPTION "switches off usb power for specified amout of seconds" + ::= { mtxrSystem 2 } + +mtxrSerialNumber OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "RouterBOARD serial number" + ::= { mtxrSystem 3 } + +mtxrFirmwareVersion OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Current firmware version" + ::= { mtxrSystem 4 } + +mtxrNote OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "note" + 
::= { mtxrSystem 5 } + +mtxrBuildTime OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "build time" + ::= { mtxrSystem 6 } + +mtxrFirmwareUpgradeVersion OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Upgrade firmware version" + ::= { mtxrSystem 7 } + +mtxrDisplayName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "display name" + ::= { mtxrSystem 8 } + +mtxrBoardName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "board name" + ::= { mtxrSystem 9 } + +mtxrSystemGroup OBJECT-GROUP OBJECTS { + mtxrSystemReboot, + mtxrUSBPowerReset, + mtxrSerialNumber, + mtxrFirmwareVersion, + mtxrNote, + mtxrBuildTime, + mtxrFirmwareUpgradeVersion, + mtxrBoardName + } + STATUS current + DESCRIPTION "" + ::= { mtXRouterOsGroups 13 } + +-- SCRIPTS ******************************************************************** + +mtxrScriptTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrScriptTableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrScripts 1 } + +mtxrScriptTableEntry OBJECT-TYPE + SYNTAX MtxrScriptTableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + INDEX { mtxrScriptIndex } + ::= { mtxrScriptTable 1 } + +MtxrScriptTableEntry ::= SEQUENCE { + mtxrScriptIndex ObjectIndex, + mtxrScriptName DisplayString, + mtxrScriptRunCmd Integer32 +} + +mtxrScriptIndex OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrScriptTableEntry 1 } + +mtxrScriptName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrScriptTableEntry 2 } + +mtxrScriptRunCmd OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-write + STATUS current + DESCRIPTION "set non zero to run" + ::= { mtxrScriptTableEntry 3 } + +mtxrScriptGroup OBJECT-GROUP OBJECTS { + mtxrScriptName, mtxrScriptRunCmd + } + STATUS current 
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 8 }
+
+-- SCRIPT RUN *****************************************************************
+
+mtxrScriptRunTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrScriptRunTableEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "invisible to getnext, accesible only with get request and write premission"
+ ::= { mtxrScriptRun 1 }
+
+mtxrScriptRunTableEntry OBJECT-TYPE
+ SYNTAX MtxrScriptRunTableEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ INDEX { mtxrScriptRunIndex }
+ ::= { mtxrScriptRunTable 1 }
+
+MtxrScriptRunTableEntry ::= SEQUENCE {
+ mtxrScriptRunIndex ObjectIndex,
+ mtxrScriptRunOutput DisplayString
+}
+
+mtxrScriptRunIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrScriptRunTableEntry 1 }
+
+mtxrScriptRunOutput OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "this oid on get request will run script and return it's output"
+ ::= { mtxrScriptRunTableEntry 2 }
+
+mtxrScriptRunGroup OBJECT-GROUP OBJECTS {
+ mtxrScriptRunOutput
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 21 }
+
+-- Dual Nstreme ***************************************************************
+
+mtxrDnStatTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrDnStatEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrNstremeDual 1 }
+
+mtxrDnStatEntry OBJECT-TYPE
+ SYNTAX MtxrDnStatEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "Nstreme Dual interface"
+ INDEX { mtxrDnStatIndex }
+ ::= { mtxrDnStatTable 1 }
+
+MtxrDnStatEntry ::= SEQUENCE {
+ mtxrDnStatIndex ObjectIndex,
+ mtxrDnStatTxRate Gauge32,
+ mtxrDnStatRxRate Gauge32,
+ mtxrDnStatTxStrength Integer32,
+ mtxrDnStatRxStrength Integer32,
+ mtxrDnConnected Integer32
+}
+
+mtxrDnStatIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrDnStatEntry 1 }
+
+mtxrDnStatTxRate OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "bits per second"
+ ::= { mtxrDnStatEntry 2 }
+
+mtxrDnStatRxRate OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "bits per second"
+ ::= { mtxrDnStatEntry 3 }
+
+mtxrDnStatTxStrength OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "dBm"
+ ::= { mtxrDnStatEntry 4 }
+
+mtxrDnStatRxStrength OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "dBm"
+ ::= { mtxrDnStatEntry 5 }
+
+mtxrDnConnected OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "0 - not connected, connected otherwise"
+ ::= { mtxrDnStatEntry 6 }
+
+mtxrNstremeDualGroup OBJECT-GROUP OBJECTS {
+ mtxrDnStatTxRate, mtxrDnStatRxRate,
+ mtxrDnStatTxStrength, mtxrDnStatRxStrength, mtxrDnConnected
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 10 }
+
+-- NEIGHBOR *******************************************************************
+
+mtxrNeighborTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrNeighborTableEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrNeighbor 1 }
+
+mtxrNeighborTableEntry OBJECT-TYPE
+ SYNTAX MtxrNeighborTableEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ INDEX { mtxrNeighborIndex }
+ ::= { mtxrNeighborTable 1 }
+
+MtxrNeighborTableEntry ::= SEQUENCE {
+ mtxrNeighborIndex ObjectIndex,
+ mtxrNeighborIpAddress IpAddress,
+ mtxrNeighborMacAddress MacAddress,
+ mtxrNeighborVersion DisplayString,
+ mtxrNeighborPlatform DisplayString,
+ mtxrNeighborIdentity DisplayString,
+ mtxrNeighborSoftwareID DisplayString,
+ mtxrNeighborInterfaceID ObjectIndex
+}
+
+mtxrNeighborIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrNeighborTableEntry 1 }
+
+mtxrNeighborIpAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+
DESCRIPTION ""
+ ::= { mtxrNeighborTableEntry 2 }
+
+mtxrNeighborMacAddress OBJECT-TYPE
+ SYNTAX MacAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrNeighborTableEntry 3 }
+
+mtxrNeighborVersion OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrNeighborTableEntry 4 }
+
+mtxrNeighborPlatform OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrNeighborTableEntry 5 }
+
+mtxrNeighborIdentity OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrNeighborTableEntry 6 }
+
+mtxrNeighborSoftwareID OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrNeighborTableEntry 7 }
+
+mtxrNeighborInterfaceID OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrNeighborTableEntry 8 }
+
+mtxrNeighborGroup OBJECT-GROUP OBJECTS {
+ mtxrNeighborIpAddress,
+ mtxrNeighborMacAddress,
+ mtxrNeighborVersion,
+ mtxrNeighborPlatform,
+ mtxrNeighborIdentity,
+ mtxrNeighborSoftwareID,
+ mtxrNeighborInterfaceID
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 11 }
+
+-- GPS ************************************************************************
+
+mtxrDate OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "UNIX time"
+ ::= { mtxrGps 1 }
+
+mtxrLongtitude OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "longtitude"
+ ::= { mtxrGps 2 }
+
+mtxrLatitude OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "latitude"
+ ::= { mtxrGps 3 }
+
+mtxrAltitude OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "altitude"
+ ::= { mtxrGps 4 }
+
+mtxrSpeed OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "speed"
+ ::= { mtxrGps 5 }
+
+mtxrSattelites OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "visible sattelite count"
+ ::= { mtxrGps 6 }
+
+mtxrValid OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "is the data valid"
+ ::= { mtxrGps 7 }
+
+mtxrGPSGroup OBJECT-GROUP OBJECTS {
+ mtxrDate,
+ mtxrLongtitude,
+ mtxrLatitude,
+ mtxrAltitude,
+ mtxrSpeed,
+ mtxrSattelites,
+ mtxrValid
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 15 }
+
+-- Wireless Modem ************************************************************
+
+mtxrWirelessModemSignalStrength OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "signal strength in dBm (if first ppp-client modem supports)"
+ ::= { mtxrWirelessModem 1 }
+
+mtxrWirelessModemSignalECIO OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "signal EC/IO in dB (if first ppp-client modem supports)"
+ ::= { mtxrWirelessModem 2 }
+
+mtxrWirelessModemManufacturer OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Modem manufacturer name"
+ ::= { mtxrWirelessModem 3 }
+
+mtxrWirelessModemModel OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Modem model name"
+ ::= { mtxrWirelessModem 4 }
+
+mtxrWirelessModemRevision OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Modem firmware revision"
+ ::= { mtxrWirelessModem 5 }
+
+mtxrWirelessModemIMEI OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Modem serial number"
+ ::= { mtxrWirelessModem 6 }
+
+mtxrWirelessModemIMSI OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "International mobile subscriber identity"
+ ::= { mtxrWirelessModem 7 }
+
+mtxrWirelessModemAccessTechnology OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Access
technology"
+ ::= { mtxrWirelessModem 8 }
+
+mtxrWirelessModemFrameErrorRate OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Signal frame error rate"
+ ::= { mtxrWirelessModem 9 }
+
+mtxrWirelessModemRSRP OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Reference Signal Receive Power"
+ ::= { mtxrWirelessModem 10 }
+
+mtxrWirelessModemRSRQ OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Reference Signal Received Quality"
+ ::= { mtxrWirelessModem 11 }
+
+mtxrWirelessModemSINR OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "Signal-to-Interference-plus-Noise Ratio"
+ ::= { mtxrWirelessModem 12 }
+
+mtxrWirelessModemGroup OBJECT-GROUP OBJECTS {
+ mtxrWirelessModemSignalStrength,
+ mtxrWirelessModemSignalECIO,
+ mtxrWirelessModemManufacturer,
+ mtxrWirelessModemModel,
+ mtxrWirelessModemRevision,
+ mtxrWirelessModemIMEI,
+ mtxrWirelessModemIMSI,
+ mtxrWirelessModemAccessTechnology,
+ mtxrWirelessModemFrameErrorRate,
+ mtxrWirelessModemRSRP,
+ mtxrWirelessModemRSRQ,
+ mtxrWirelessModemSINR
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 16 }
+
+-- Interface Stats ************************************************************
+
+mtxrInterfaceStatsTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrInterfaceStatsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "Extended interface statistics.
+ Some interfaces may have only parts of this table
+ with unavailable values set to zero."
+ ::= { mtxrInterfaceStats 1 }
+
+mtxrInterfaceStatsEntry OBJECT-TYPE
+ SYNTAX MtxrInterfaceStatsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ INDEX { mtxrInterfaceStatsIndex }
+ ::= { mtxrInterfaceStatsTable 1 }
+
+MtxrInterfaceStatsEntry ::= SEQUENCE {
+ mtxrInterfaceStatsIndex ObjectIndex,
+ mtxrInterfaceStatsName DisplayString,
+
+ mtxrInterfaceStatsDriverRxBytes Counter64,
+ mtxrInterfaceStatsDriverRxPackets Counter64,
+ mtxrInterfaceStatsDriverTxBytes Counter64,
+ mtxrInterfaceStatsDriverTxPackets Counter64,
+
+ mtxrInterfaceStatsTxRx64 Counter64,
+ mtxrInterfaceStatsTxRx65To127 Counter64,
+ mtxrInterfaceStatsTxRx128To255 Counter64,
+ mtxrInterfaceStatsTxRx256To511 Counter64,
+ mtxrInterfaceStatsTxRx512To1023 Counter64,
+ mtxrInterfaceStatsTxRx1024To1518 Counter64,
+ mtxrInterfaceStatsTxRx1519ToMax Counter64,
+
+ mtxrInterfaceStatsRxBytes Counter64,
+ mtxrInterfaceStatsRxPackets Counter64,
+ mtxrInterfaceStatsRxTooShort Counter64,
+ mtxrInterfaceStatsRx64 Counter64,
+ mtxrInterfaceStatsRx65To127 Counter64,
+ mtxrInterfaceStatsRx128To255 Counter64,
+ mtxrInterfaceStatsRx256To511 Counter64,
+ mtxrInterfaceStatsRx512To1023 Counter64,
+ mtxrInterfaceStatsRx1024To1518 Counter64,
+ mtxrInterfaceStatsRx1519ToMax Counter64,
+ mtxrInterfaceStatsRxTooLong Counter64,
+ mtxrInterfaceStatsRxBroadcast Counter64,
+ mtxrInterfaceStatsRxPause Counter64,
+ mtxrInterfaceStatsRxMulticast Counter64,
+ mtxrInterfaceStatsRxFCSError Counter64,
+ mtxrInterfaceStatsRxAlignError Counter64,
+ mtxrInterfaceStatsRxFragment Counter64,
+ mtxrInterfaceStatsRxOverflow Counter64,
+ mtxrInterfaceStatsRxControl Counter64,
+ mtxrInterfaceStatsRxUnknownOp Counter64,
+ mtxrInterfaceStatsRxLengthError Counter64,
+ mtxrInterfaceStatsRxCodeError Counter64,
+ mtxrInterfaceStatsRxCarrierError Counter64,
+ mtxrInterfaceStatsRxJabber Counter64,
+ mtxrInterfaceStatsRxDrop Counter64,
+
+ mtxrInterfaceStatsTxBytes Counter64,
+ mtxrInterfaceStatsTxPackets Counter64,
+
mtxrInterfaceStatsTxTooShort Counter64,
+ mtxrInterfaceStatsTx64 Counter64,
+ mtxrInterfaceStatsTx65To127 Counter64,
+ mtxrInterfaceStatsTx128To255 Counter64,
+ mtxrInterfaceStatsTx256To511 Counter64,
+ mtxrInterfaceStatsTx512To1023 Counter64,
+ mtxrInterfaceStatsTx1024To1518 Counter64,
+ mtxrInterfaceStatsTx1519ToMax Counter64,
+ mtxrInterfaceStatsTxTooLong Counter64,
+ mtxrInterfaceStatsTxBroadcast Counter64,
+ mtxrInterfaceStatsTxPause Counter64,
+ mtxrInterfaceStatsTxMulticast Counter64,
+ mtxrInterfaceStatsTxUnderrun Counter64,
+ mtxrInterfaceStatsTxCollision Counter64,
+ mtxrInterfaceStatsTxExcessiveCollision Counter64,
+ mtxrInterfaceStatsTxMultipleCollision Counter64,
+ mtxrInterfaceStatsTxSingleCollision Counter64,
+ mtxrInterfaceStatsTxExcessiveDeferred Counter64,
+ mtxrInterfaceStatsTxDeferred Counter64,
+ mtxrInterfaceStatsTxLateCollision Counter64,
+ mtxrInterfaceStatsTxTotalCollision Counter64,
+ mtxrInterfaceStatsTxPauseHonored Counter64,
+ mtxrInterfaceStatsTxDrop Counter64,
+ mtxrInterfaceStatsTxJabber Counter64,
+ mtxrInterfaceStatsTxFCSError Counter64,
+ mtxrInterfaceStatsTxControl Counter64,
+ mtxrInterfaceStatsTxFragment Counter64,
+ mtxrInterfaceStatsLinkDowns Counter32,
+ mtxrInterfaceStatsTxRx1024ToMax Counter64
+}
+
+mtxrInterfaceStatsIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 1 }
+
+mtxrInterfaceStatsName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 2 }
+
+mtxrInterfaceStatsDriverRxBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 11 }
+
+mtxrInterfaceStatsDriverRxPackets OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 12 }
+
+mtxrInterfaceStatsDriverTxBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 13 }
+
+mtxrInterfaceStatsDriverTxPackets OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 14 }
+
+mtxrInterfaceStatsTxRx64 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 15 }
+
+mtxrInterfaceStatsTxRx65To127 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 16 }
+
+mtxrInterfaceStatsTxRx128To255 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 17 }
+
+mtxrInterfaceStatsTxRx256To511 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 18 }
+
+mtxrInterfaceStatsTxRx512To1023 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 19 }
+
+mtxrInterfaceStatsTxRx1024To1518 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 20 }
+
+mtxrInterfaceStatsTxRx1519ToMax OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 21 }
+
+mtxrInterfaceStatsRxBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 31 }
+
+mtxrInterfaceStatsRxPackets OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 32 }
+
+mtxrInterfaceStatsRxTooShort OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 33 }
+
+mtxrInterfaceStatsRx64 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 34 }
+
+mtxrInterfaceStatsRx65To127 OBJECT-TYPE
+ SYNTAX
Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 35 }
+
+mtxrInterfaceStatsRx128To255 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 36 }
+
+mtxrInterfaceStatsRx256To511 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 37 }
+
+mtxrInterfaceStatsRx512To1023 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 38 }
+
+mtxrInterfaceStatsRx1024To1518 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 39 }
+
+mtxrInterfaceStatsRx1519ToMax OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 40 }
+
+mtxrInterfaceStatsRxTooLong OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 41 }
+
+mtxrInterfaceStatsRxBroadcast OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 42 }
+
+mtxrInterfaceStatsRxPause OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 43 }
+
+mtxrInterfaceStatsRxMulticast OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 44 }
+
+mtxrInterfaceStatsRxFCSError OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 45 }
+
+mtxrInterfaceStatsRxAlignError OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 46 }
+
+mtxrInterfaceStatsRxFragment OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 47 }
+
+mtxrInterfaceStatsRxOverflow OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 48 }
+
+mtxrInterfaceStatsRxControl OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 49 }
+
+mtxrInterfaceStatsRxUnknownOp OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 50 }
+
+mtxrInterfaceStatsRxLengthError OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 51 }
+
+mtxrInterfaceStatsRxCodeError OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 52 }
+
+mtxrInterfaceStatsRxCarrierError OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 53 }
+
+mtxrInterfaceStatsRxJabber OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 54 }
+
+mtxrInterfaceStatsRxDrop OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 55 }
+
+mtxrInterfaceStatsTxBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 61 }
+
+mtxrInterfaceStatsTxPackets OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 62 }
+
+mtxrInterfaceStatsTxTooShort OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 63 }
+
+mtxrInterfaceStatsTx64 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 64 }
+
+mtxrInterfaceStatsTx65To127 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::=
{ mtxrInterfaceStatsEntry 65 }
+
+mtxrInterfaceStatsTx128To255 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 66 }
+
+mtxrInterfaceStatsTx256To511 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 67 }
+
+mtxrInterfaceStatsTx512To1023 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 68 }
+
+mtxrInterfaceStatsTx1024To1518 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 69 }
+
+mtxrInterfaceStatsTx1519ToMax OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 70 }
+
+mtxrInterfaceStatsTxTooLong OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 71 }
+
+mtxrInterfaceStatsTxBroadcast OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 72 }
+
+mtxrInterfaceStatsTxPause OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 73 }
+
+mtxrInterfaceStatsTxMulticast OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 74 }
+
+mtxrInterfaceStatsTxUnderrun OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 75 }
+
+mtxrInterfaceStatsTxCollision OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 76 }
+
+mtxrInterfaceStatsTxExcessiveCollision OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 77 }
+
+mtxrInterfaceStatsTxMultipleCollision OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 78 }
+
+mtxrInterfaceStatsTxSingleCollision OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 79 }
+
+mtxrInterfaceStatsTxExcessiveDeferred OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 80 }
+
+mtxrInterfaceStatsTxDeferred OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 81 }
+
+mtxrInterfaceStatsTxLateCollision OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 82 }
+
+mtxrInterfaceStatsTxTotalCollision OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 83 }
+
+mtxrInterfaceStatsTxPauseHonored OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 84 }
+
+mtxrInterfaceStatsTxDrop OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 85 }
+
+mtxrInterfaceStatsTxJabber OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 86 }
+
+mtxrInterfaceStatsTxFCSError OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 87 }
+
+mtxrInterfaceStatsTxControl OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 88 }
+
+mtxrInterfaceStatsTxFragment OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 89 }
+
+mtxrInterfaceStatsLinkDowns OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 90
}
+
+mtxrInterfaceStatsTxRx1024ToMax OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrInterfaceStatsEntry 91 }
+
+mtxrInterfaceStatsGroup OBJECT-GROUP OBJECTS {
+ mtxrInterfaceStatsName,
+ mtxrInterfaceStatsDriverRxBytes,
+ mtxrInterfaceStatsDriverRxPackets,
+ mtxrInterfaceStatsDriverTxBytes,
+ mtxrInterfaceStatsDriverTxPackets,
+
+ mtxrInterfaceStatsTxRx64,
+ mtxrInterfaceStatsTxRx65To127,
+ mtxrInterfaceStatsTxRx128To255,
+ mtxrInterfaceStatsTxRx256To511,
+ mtxrInterfaceStatsTxRx512To1023,
+ mtxrInterfaceStatsTxRx1024To1518,
+ mtxrInterfaceStatsTxRx1519ToMax,
+
+ mtxrInterfaceStatsRxBytes,
+ mtxrInterfaceStatsRxPackets,
+ mtxrInterfaceStatsRxTooShort,
+ mtxrInterfaceStatsRx64,
+ mtxrInterfaceStatsRx65To127,
+ mtxrInterfaceStatsRx128To255,
+ mtxrInterfaceStatsRx256To511,
+ mtxrInterfaceStatsRx512To1023,
+ mtxrInterfaceStatsRx1024To1518,
+ mtxrInterfaceStatsRx1519ToMax,
+ mtxrInterfaceStatsRxTooLong,
+ mtxrInterfaceStatsRxBroadcast,
+ mtxrInterfaceStatsRxPause,
+ mtxrInterfaceStatsRxMulticast,
+ mtxrInterfaceStatsRxFCSError,
+ mtxrInterfaceStatsRxAlignError,
+ mtxrInterfaceStatsRxFragment,
+ mtxrInterfaceStatsRxOverflow,
+ mtxrInterfaceStatsRxControl,
+ mtxrInterfaceStatsRxUnknownOp,
+ mtxrInterfaceStatsRxLengthError,
+ mtxrInterfaceStatsRxCodeError,
+ mtxrInterfaceStatsRxCarrierError,
+ mtxrInterfaceStatsRxJabber,
+ mtxrInterfaceStatsRxDrop,
+
+ mtxrInterfaceStatsTxBytes,
+ mtxrInterfaceStatsTxPackets,
+ mtxrInterfaceStatsTxTooShort,
+ mtxrInterfaceStatsTx64,
+ mtxrInterfaceStatsTx65To127,
+ mtxrInterfaceStatsTx128To255,
+ mtxrInterfaceStatsTx256To511,
+ mtxrInterfaceStatsTx512To1023,
+ mtxrInterfaceStatsTx1024To1518,
+ mtxrInterfaceStatsTx1519ToMax,
+ mtxrInterfaceStatsTxTooLong,
+ mtxrInterfaceStatsTxBroadcast,
+ mtxrInterfaceStatsTxPause,
+ mtxrInterfaceStatsTxMulticast,
+ mtxrInterfaceStatsTxUnderrun,
+ mtxrInterfaceStatsTxCollision,
+ mtxrInterfaceStatsTxExcessiveCollision,
+
mtxrInterfaceStatsTxMultipleCollision,
+ mtxrInterfaceStatsTxSingleCollision,
+ mtxrInterfaceStatsTxExcessiveDeferred,
+ mtxrInterfaceStatsTxDeferred,
+ mtxrInterfaceStatsTxLateCollision,
+ mtxrInterfaceStatsTxTotalCollision,
+ mtxrInterfaceStatsTxPauseHonored,
+ mtxrInterfaceStatsTxDrop,
+ mtxrInterfaceStatsTxJabber,
+ mtxrInterfaceStatsTxFCSError,
+ mtxrInterfaceStatsTxControl,
+ mtxrInterfaceStatsTxFragment,
+ mtxrInterfaceStatsLinkDowns,
+ mtxrInterfaceStatsTxRx1024ToMax
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 17 }
+
+-- POE ************************************************************************
+
+mtxrPOETable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrPOEEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "Power Over Ethernet"
+ ::= { mtxrPOE 1 }
+
+mtxrPOEEntry OBJECT-TYPE
+ SYNTAX MtxrPOEEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ INDEX { mtxrPOEInterfaceIndex }
+ ::= { mtxrPOETable 1 }
+
+MtxrPOEEntry ::= SEQUENCE {
+ mtxrPOEInterfaceIndex ObjectIndex,
+ mtxrPOEName DisplayString,
+ mtxrPOEStatus INTEGER,
+ mtxrPOEVoltage Voltage,
+ mtxrPOECurrent Integer32,
+ mtxrPOEPower Power
+}
+
+mtxrPOEInterfaceIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrPOEEntry 1 }
+
+mtxrPOEName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrPOEEntry 2 }
+
+mtxrPOEStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+ disabled(1),
+ waitingForLoad(2),
+ poweredOn(3),
+ overload(4),
+ shortCircuit(5),
+ voltageTooLow(6),
+ currentTooLow(7),
+ powerReset(8),
+ voltageTooHigh(9),
+ controllerError(10),
+ controllerUpgrade(11),
+ poeInDetected(12),
+ noValidPsu(13),
+ controllerInit(14),
+ lowVoltageTooLow(15)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrPOEEntry 3 }
+
+mtxrPOEVoltage OBJECT-TYPE
+ SYNTAX Voltage
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "V"
+ ::= { mtxrPOEEntry
4 }
+
+mtxrPOECurrent OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "mA"
+ ::= { mtxrPOEEntry 5 }
+
+mtxrPOEPower OBJECT-TYPE
+ SYNTAX Power
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "W"
+ ::= { mtxrPOEEntry 6 }
+
+mtxrPOEGroup OBJECT-GROUP OBJECTS {
+ mtxrPOEName,
+ mtxrPOEStatus,
+ mtxrPOEVoltage,
+ mtxrPOECurrent,
+ mtxrPOEPower
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 18 }
+
+-- LTE Modem ************************************************************
+
+mtxrLTEModemTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrLTEModemEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "LTE Modems"
+ ::= { mtxrLTEModem 1 }
+
+mtxrLTEModemEntry OBJECT-TYPE
+ SYNTAX MtxrLTEModemEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ INDEX { mtxrLTEModemInterfaceIndex }
+ ::= { mtxrLTEModemTable 1 }
+
+MtxrLTEModemEntry ::= SEQUENCE {
+ mtxrLTEModemInterfaceIndex ObjectIndex,
+ mtxrLTEModemSignalRSSI Integer32,
+ mtxrLTEModemSignalRSRQ Integer32,
+ mtxrLTEModemSignalRSRP Integer32,
+ mtxrLTEModemCellId HexInt,
+ mtxrLTEModemAccessTechnology INTEGER,
+ mtxrLTEModemSignalSINR Integer32,
+ mtxrLTEModemEnbId Integer32,
+ mtxrLTEModemSectorId Integer32,
+ mtxrLTEModemLac Integer32,
+ mtxrLTEModemIMEI DisplayString,
+ mtxrLTEModemIMSI DisplayString,
+ mtxrLTEModemUICC DisplayString,
+ mtxrLTEModemRAT DisplayString
+}
+
+mtxrLTEModemInterfaceIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrLTEModemEntry 1 }
+
+mtxrLTEModemSignalRSSI OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "dBm"
+ ::= { mtxrLTEModemEntry 2 }
+
+mtxrLTEModemSignalRSRQ OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "dB"
+ ::= { mtxrLTEModemEntry 3 }
+
+mtxrLTEModemSignalRSRP OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "dBm"
+ ::= {
mtxrLTEModemEntry 4 }
+
+mtxrLTEModemCellId OBJECT-TYPE
+ SYNTAX HexInt
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "current cell ID"
+ ::= { mtxrLTEModemEntry 5 }
+
+mtxrLTEModemAccessTechnology OBJECT-TYPE
+ SYNTAX INTEGER {
+ unknown(-1),
+ gsmcompact(0),
+ gsm(1),
+ utran(2),
+ egprs(3),
+ hsdpa(4),
+ hsupa(5),
+ hsdpahsupa(6),
+ eutran(7),
+ nr-sa(11),
+ nr-nsa(13)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "as reported by +CREG"
+ ::= { mtxrLTEModemEntry 6 }
+
+mtxrLTEModemSignalSINR OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "dB"
+ ::= { mtxrLTEModemEntry 7 }
+
+mtxrLTEModemEnbId OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrLTEModemEntry 8 }
+
+mtxrLTEModemSectorId OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrLTEModemEntry 9 }
+
+mtxrLTEModemLac OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrLTEModemEntry 10 }
+
+mtxrLTEModemIMEI OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrLTEModemEntry 11 }
+
+mtxrLTEModemIMSI OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrLTEModemEntry 12 }
+
+mtxrLTEModemUICC OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrLTEModemEntry 13 }
+
+mtxrLTEModemRAT OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrLTEModemEntry 14 }
+
+mtxrLTEModemGroup OBJECT-GROUP OBJECTS {
+ mtxrLTEModemSignalRSSI,
+ mtxrLTEModemSignalRSRQ,
+ mtxrLTEModemSignalRSRP,
+ mtxrLTEModemCellId,
+ mtxrLTEModemAccessTechnology,
+ mtxrLTEModemSignalSINR,
+ mtxrLTEModemEnbId,
+ mtxrLTEModemSectorId,
+ mtxrLTEModemLac,
+ mtxrLTEModemIMEI,
+ mtxrLTEModemIMSI,
+ mtxrLTEModemUICC,
+ mtxrLTEModemRAT
+ }
+ STATUS current
+
DESCRIPTION ""
+ ::= { mtXRouterOsGroups 19 }
+
+-- Partition ************************************************************
+
+mtxrPartitionTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrPartitionEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION "system partitions"
+ ::= { mtxrPartition 1 }
+
+mtxrPartitionEntry OBJECT-TYPE
+ SYNTAX MtxrPartitionEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ INDEX { mtxrPartitionIndex }
+ ::= { mtxrPartitionTable 1 }
+
+MtxrPartitionEntry ::= SEQUENCE {
+ mtxrPartitionIndex ObjectIndex,
+ mtxrPartitionName DisplayString,
+ mtxrPartitionSize Integer32,
+ mtxrPartitionVersion DisplayString,
+ mtxrPartitionActive BoolValue,
+ mtxrPartitionRunning BoolValue
+}
+
+mtxrPartitionIndex OBJECT-TYPE
+ SYNTAX ObjectIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrPartitionEntry 1 }
+
+mtxrPartitionName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrPartitionEntry 2 }
+
+mtxrPartitionSize OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION "MB"
+ ::= { mtxrPartitionEntry 3 }
+
+mtxrPartitionVersion OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrPartitionEntry 4 }
+
+mtxrPartitionActive OBJECT-TYPE
+ SYNTAX BoolValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrPartitionEntry 5 }
+
+mtxrPartitionRunning OBJECT-TYPE
+ SYNTAX BoolValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtxrPartitionEntry 6 }
+
+mtxrPartitionGroup OBJECT-GROUP OBJECTS {
+ mtxrPartitionName,
+ mtxrPartitionSize,
+ mtxrPartitionVersion,
+ mtxrPartitionActive,
+ mtxrPartitionRunning
+ }
+ STATUS current
+ DESCRIPTION ""
+ ::= { mtXRouterOsGroups 20 }
+
+-- OPTICAL *****************************************************************
+
+mtxrOpticalTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtxrOpticalTableEntry
+ MAX-ACCESS
not-accessible + STATUS current + DESCRIPTION "SFP and GPON information" + ::= { mtxrOptical 1 } + +mtxrOpticalTableEntry OBJECT-TYPE + SYNTAX MtxrOpticalTableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + INDEX { mtxrOpticalIndex } + ::= { mtxrOpticalTable 1 } + +MtxrOpticalTableEntry ::= SEQUENCE { + mtxrOpticalIndex ObjectIndex, + mtxrOpticalName DisplayString, + mtxrOpticalRxLoss BoolValue, + mtxrOpticalTxFault BoolValue, + mtxrOpticalWavelength GDiv100, + mtxrOpticalTemperature Gauge32, + mtxrOpticalSupplyVoltage GDiv1000, + mtxrOpticalTxBiasCurrent Gauge32, + mtxrOpticalTxPower IDiv1000, + mtxrOpticalRxPower IDiv1000, + mtxrOpticalVendorName DisplayString, + mtxrOpticalVendorSerial DisplayString + +} + +mtxrOpticalGroup OBJECT-GROUP OBJECTS { + mtxrOpticalName, + mtxrOpticalRxLoss, + mtxrOpticalTxFault, + mtxrOpticalWavelength, + mtxrOpticalTemperature, + mtxrOpticalSupplyVoltage, + mtxrOpticalTxBiasCurrent, + mtxrOpticalTxPower, + mtxrOpticalRxPower, + mtxrOpticalVendorName, + mtxrOpticalVendorSerial + } + STATUS current + DESCRIPTION "" + ::= { mtXRouterOsGroups 6 } + +mtxrOpticalIndex OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 1 } + +mtxrOpticalName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 2 } + +mtxrOpticalRxLoss OBJECT-TYPE + SYNTAX BoolValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 3 } + +mtxrOpticalTxFault OBJECT-TYPE + SYNTAX BoolValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 4 } + +mtxrOpticalWavelength OBJECT-TYPE + SYNTAX GDiv100 + UNITS "nm" + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 5 } + +mtxrOpticalTemperature OBJECT-TYPE + SYNTAX Gauge32 + UNITS "C" + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { 
mtxrOpticalTableEntry 6 } + +mtxrOpticalSupplyVoltage OBJECT-TYPE + SYNTAX GDiv1000 + UNITS "V" + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 7 } + +mtxrOpticalTxBiasCurrent OBJECT-TYPE + SYNTAX Gauge32 + UNITS "mA" + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 8 } + +mtxrOpticalTxPower OBJECT-TYPE + SYNTAX IDiv1000 + UNITS "dBm" + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 9 } + +mtxrOpticalRxPower OBJECT-TYPE + SYNTAX IDiv1000 + UNITS "dBm" + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 10 } + +mtxrOpticalVendorName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 11 } + +mtxrOpticalVendorSerial OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrOpticalTableEntry 12 } + +-- IPSec ***************************************************************** + +mtxrIkeSACount OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "IKE SA count" + ::= { mtxrIPSec 1 } + +mtxrIkeSATable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrIkeSATableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "IKE SA table" + ::= { mtxrIPSec 2 } + +mtxrIkeSATableEntry OBJECT-TYPE + SYNTAX MtxrIkeSATableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + INDEX { + mtxrIkeSAIndex + } + ::= { mtxrIkeSATable 1 } + +MtxrIkeSATableEntry ::= SEQUENCE { + mtxrIkeSAIndex ObjectIndex, + mtxrIkeSAInitiatorCookie IsakmpCookie, + mtxrIkeSAResponderCookie IsakmpCookie, + mtxrIkeSAResponder BoolValue, + mtxrIkeSANatt BoolValue, + mtxrIkeSAVersion Gauge32, + mtxrIkeSAState INTEGER, + mtxrIkeSAUptime TimeTicks, + mtxrIkeSASeen TimeTicks, + mtxrIkeSAIdentity DisplayString, + mtxrIkeSAPh2Count Gauge32, + mtxrIkeSALocalAddressType InetAddressType, + mtxrIkeSALocalAddress 
InetAddress, + mtxrIkeSALocalPort InetPortNumber, + mtxrIkeSAPeerAddressType InetAddressType, + mtxrIkeSAPeerAddress InetAddress, + mtxrIkeSAPeerPort InetPortNumber, + mtxrIkeSADynamicAddressType InetAddressType, + mtxrIkeSADynamicAddress InetAddress, + mtxrIkeSATxBytes Counter64, + mtxrIkeSARxBytes Counter64, + mtxrIkeSATxPackets Counter64, + mtxrIkeSARxPackets Counter64 +} + +mtxrIkeSAGroup OBJECT-GROUP OBJECTS { + mtxrIkeSACount, + mtxrIkeSAInitiatorCookie, + mtxrIkeSAResponderCookie, + mtxrIkeSAResponder, + mtxrIkeSANatt, + mtxrIkeSAVersion, + mtxrIkeSAState, + mtxrIkeSAUptime, + mtxrIkeSASeen, + mtxrIkeSAIdentity, + mtxrIkeSAPh2Count, + mtxrIkeSALocalAddressType, + mtxrIkeSALocalAddress, + mtxrIkeSALocalPort, + mtxrIkeSAPeerAddressType, + mtxrIkeSAPeerAddress, + mtxrIkeSAPeerPort, + mtxrIkeSADynamicAddressType, + mtxrIkeSADynamicAddress, + mtxrIkeSATxBytes, + mtxrIkeSARxBytes, + mtxrIkeSATxPackets, + mtxrIkeSARxPackets + } + STATUS current + DESCRIPTION "" + ::= { mtXRouterOsGroups 7 } + +mtxrIkeSAIndex OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 1 } + +mtxrIkeSAInitiatorCookie OBJECT-TYPE + SYNTAX IsakmpCookie + MAX-ACCESS read-only + STATUS current + DESCRIPTION "initiator SPI" + ::= { mtxrIkeSATableEntry 2 } + +mtxrIkeSAResponderCookie OBJECT-TYPE + SYNTAX IsakmpCookie + MAX-ACCESS read-only + STATUS current + DESCRIPTION "responder SPI" + ::= { mtxrIkeSATableEntry 3 } + +mtxrIkeSAResponder OBJECT-TYPE + SYNTAX BoolValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "IKE side" + ::= { mtxrIkeSATableEntry 4 } + +mtxrIkeSANatt OBJECT-TYPE + SYNTAX BoolValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "NAT is detected" + ::= { mtxrIkeSATableEntry 5 } + +mtxrIkeSAVersion OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "protocol version" + ::= { mtxrIkeSATableEntry 6 } + +mtxrIkeSAState OBJECT-TYPE + SYNTAX INTEGER { + exchange(1), 
+ established(2), + expired(3), + eap(4) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 7 } + +mtxrIkeSAUptime OBJECT-TYPE + SYNTAX TimeTicks + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 8 } + +mtxrIkeSASeen OBJECT-TYPE + SYNTAX TimeTicks + MAX-ACCESS read-only + STATUS current + DESCRIPTION "time elapsed since last valid IKE packet" + ::= { mtxrIkeSATableEntry 9 } + +mtxrIkeSAIdentity OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "peer identity" + ::= { mtxrIkeSATableEntry 10 } + +mtxrIkeSAPh2Count OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "total ph2 SA pairs" + ::= { mtxrIkeSATableEntry 11 } + +mtxrIkeSALocalAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 12 } + +mtxrIkeSALocalAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 13 } + +mtxrIkeSALocalPort OBJECT-TYPE + SYNTAX InetPortNumber + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 14 } + +mtxrIkeSAPeerAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 15 } + +mtxrIkeSAPeerAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 16 } + +mtxrIkeSAPeerPort OBJECT-TYPE + SYNTAX InetPortNumber + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 17 } + +mtxrIkeSADynamicAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-only + STATUS current + DESCRIPTION "" + ::= { mtxrIkeSATableEntry 18 } + +mtxrIkeSADynamicAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "dynamic address allocated by mode config" + ::= { 
mtxrIkeSATableEntry 19 } + +mtxrIkeSATxBytes OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "ph2 SA tx bytes" + ::= { mtxrIkeSATableEntry 20 } + +mtxrIkeSARxBytes OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "ph2 SA rx bytes" + ::= { mtxrIkeSATableEntry 21 } + +mtxrIkeSATxPackets OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "ph2 SA tx packets" + ::= { mtxrIkeSATableEntry 22 } + +mtxrIkeSARxPackets OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "ph2 SA rx packets" + ::= { mtxrIkeSATableEntry 23 } + +mtxrWifiCapsman OBJECT IDENTIFIER ::= { mtxrWifi 1 } + +mtxrWifiCapsmanEnabled OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Indicates whether the Capsman is enabled." + ::= { mtxrWifiCapsman 1 } + +mtxrWifiCapsmanInterfaces OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "List of interfaces associated with Capsman." + ::= { mtxrWifiCapsman 2 } + +mtxrWifiCapsmanCACertificate OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The CA certificate used by Capsman." + ::= { mtxrWifiCapsman 3 } + +mtxrWifiCapsmanCertificate OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The local certificate used by Capsman." + ::= { mtxrWifiCapsman 4 } + +mtxrWifiCapsmanRequirePeerCertificate OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Whether a peer certificate is required." + ::= { mtxrWifiCapsman 5 } + +mtxrWifiCapsmanPackagePath OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Path to the Capsman package directory." + ::= { mtxrWifiCapsman 6 } + +mtxrWifiCapsmanUpgradePolicy OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Capsman upgrade policy." 
+ ::= { mtxrWifiCapsman 7 } + +mtxrWifiCapsmanGeneratedCaCertificate OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Automatically generated CA certificate." + ::= { mtxrWifiCapsman 8 } + +mtxrWifiCapsmanGeneratedCertificate OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Automatically generated local certificate." + ::= { mtxrWifiCapsman 9 } + +mtxrWifiCap OBJECT IDENTIFIER ::= { mtxrWifi 2 } + +mtxrCapEnabled OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Indicates whether the CAP is enabled." + ::= { mtxrWifiCap 1 } + +mtxrCapInterfaces OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "List of interfaces used by the CAP." + ::= { mtxrWifiCap 2 } + +mtxrCapCertificate OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The local certificate used by the CAP." + ::= { mtxrWifiCap 3 } + +mtxrCapCapsManAddresses OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Addresses of associated CapsMan controllers." + ::= { mtxrWifiCap 4 } + +mtxrCapCapsManNames OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Names of associated CapsMan controllers." + ::= { mtxrWifiCap 5 } + +mtxrCapCapsManCertificateCommonNames OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Common names of CapsMan certificates." + ::= { mtxrWifiCap 6 } + +mtxrCapLockToCapsMan OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Indicates if the CAP is locked to a specific CapsMan." + ::= { mtxrWifiCap 7 } + +mtxrCapSlavesStatic OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Indicates if CAP slaves are set to static mode." 
+ ::= { mtxrWifiCap 8 } + +mtxrCapSlavesDatapath OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Datapath configuration of CAP slaves." + ::= { mtxrWifiCap 9 } + +mtxrCapRequestedCertificate OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Requested certificate for the CAP." + ::= { mtxrWifiCap 10 } + +mtxrCapLockedCapsManCommonName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Locked CapsMan common name." + ::= { mtxrWifiCap 11 } + +mtxrCapCurrentCapsManAddress OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Current CapsMan address being used." + ::= { mtxrWifiCap 12 } + +mtxrCapCurrentCapsManIdentity OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Current identity of the connected CapsMan." + ::= { mtxrWifiCap 13 } + +-- Remote Caps ************************************************* + +mtxrRemoteCapTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrWifiRemoteCapEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWifi 3 } + +mtxrWifiRemoteCapEntry OBJECT-TYPE + SYNTAX MtxrWifiRemoteCapEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Entry containing remote CAP statistics" + INDEX { mtxrRemoteCapId } + ::= { mtxrRemoteCapTable 1 } + +MtxrWifiRemoteCapEntry ::= SEQUENCE { + mtxrRemoteCapId ObjectIndex, + mtxrRemoteCapAddress DisplayString, + mtxrRemoteCapIdentity DisplayString, + mtxrRemoteCapBoardName DisplayString, + mtxrRemoteCapSerial DisplayString, + mtxrRemoteCapVersion DisplayString, + mtxrRemoteCapBaseMac MacAddress, + mtxrRemoteCapCommonName DisplayString, + mtxrRemoteCapState DisplayString +} + +mtxrRemoteCapId OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "ID of the remote CAP." 
+ ::= { mtxrWifiRemoteCapEntry 1 } + +mtxrRemoteCapAddress OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "IP address of the remote CAP." + ::= { mtxrWifiRemoteCapEntry 2 } + +mtxrRemoteCapIdentity OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Identity name of the remote CAP." + ::= { mtxrWifiRemoteCapEntry 3 } + +mtxrRemoteCapBoardName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Board name of the remote CAP." + ::= { mtxrWifiRemoteCapEntry 4 } + +mtxrRemoteCapSerial OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Serial number of the remote CAP." + ::= { mtxrWifiRemoteCapEntry 5 } + +mtxrRemoteCapVersion OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "RouterOS version of the remote CAP." + ::= { mtxrWifiRemoteCapEntry 6 } + +mtxrRemoteCapBaseMac OBJECT-TYPE + SYNTAX MacAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Base MAC address of the remote CAP." + ::= { mtxrWifiRemoteCapEntry 7 } + +mtxrRemoteCapCommonName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Certificate common name of the remote CAP." + ::= { mtxrWifiRemoteCapEntry 8 } + +mtxrRemoteCapState OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "State of the remote CAP (e.g., connected, disconnected)." 
+ ::= { mtxrWifiRemoteCapEntry 9 } + +-- Wifi Registration Table ************************************************* + +mtxrWifiRegistrationTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrWifiRegistrationTableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWifi 4 } + +mtxrWifiRegistrationTableEntry OBJECT-TYPE + SYNTAX MtxrWifiRegistrationTableEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Entry containing wifi registration statistics" + INDEX { mtxrWifiRegistrationMacAddress, mtxrWifiRegistrationInterface } + ::= { mtxrWifiRegistrationTable 1 } + +MtxrWifiRegistrationTableEntry ::= SEQUENCE { + mtxrWifiRegistrationMacAddress MacAddress, + mtxrWifiRegistrationInterface ObjectIndex, + mtxrWifiRegistrationSsid DisplayString, + mtxrWifiRegistrationUptime TimeTicks, + mtxrWifiRegistrationLastActivity Integer32, + mtxrWifiRegistrationSignal Integer32, + mtxrWifiRegistrationAuthType DisplayString, + mtxrWifiRegistrationBand DisplayString, + mtxrWifiRegistrationTxRate Gauge32, + mtxrWifiRegistrationRxRate Gauge32, + mtxrWifiRegistrationTxPackets Counter64, + mtxrWifiRegistrationRxPackets Counter64, + mtxrWifiRegistrationTxBytes Counter64, + mtxrWifiRegistrationRxBytes Counter64, + mtxrWifiRegistrationTxBitsPerSecond Integer32, + mtxrWifiRegistrationRxBitsPerSecond Integer32, + mtxrWifiRegistrationVlanId Integer32, + mtxrWifiRegistrationAuthorized TruthValue +} + +mtxrWifiRegistrationMacAddress OBJECT-TYPE + SYNTAX MacAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION "MAC address of the registered device." + ::= { mtxrWifiRegistrationTableEntry 1 } + +mtxrWifiRegistrationInterface OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Interface id of the registered device." + ::= { mtxrWifiRegistrationTableEntry 2 } + +mtxrWifiRegistrationSsid OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "SSID of the connected access point." 
+ ::= { mtxrWifiRegistrationTableEntry 3 } + +mtxrWifiRegistrationUptime OBJECT-TYPE + SYNTAX TimeTicks + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Uptime of the registered connection." + ::= { mtxrWifiRegistrationTableEntry 4 } + +mtxrWifiRegistrationLastActivity OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Time since the last activity of the registered device." + ::= { mtxrWifiRegistrationTableEntry 5 } + +mtxrWifiRegistrationSignal OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Signal strength of the registered device." + ::= { mtxrWifiRegistrationTableEntry 6 } + +mtxrWifiRegistrationAuthType OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Authentication type used by the registered device." + ::= { mtxrWifiRegistrationTableEntry 7 } + +mtxrWifiRegistrationBand OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Wireless band used by the registered device." + ::= { mtxrWifiRegistrationTableEntry 8 } + +mtxrWifiRegistrationTxRate OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Transmission rate of the registered device." + ::= { mtxrWifiRegistrationTableEntry 9 } + +mtxrWifiRegistrationRxRate OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Reception rate of the registered device." + ::= { mtxrWifiRegistrationTableEntry 10 } + +mtxrWifiRegistrationTxPackets OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Number of transmitted packets." + ::= { mtxrWifiRegistrationTableEntry 11 } + +mtxrWifiRegistrationRxPackets OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Number of received packets." 
+ ::= { mtxrWifiRegistrationTableEntry 12 } + +mtxrWifiRegistrationTxBytes OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Number of transmitted bytes." + ::= { mtxrWifiRegistrationTableEntry 13 } + +mtxrWifiRegistrationRxBytes OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Number of received bytes." + ::= {mtxrWifiRegistrationTableEntry 14 } + +mtxrWifiRegistrationTxBitsPerSecond OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Transmission rate in bits per second." + ::= { mtxrWifiRegistrationTableEntry 15 } + +mtxrWifiRegistrationRxBitsPerSecond OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Reception rate in bits per second." + ::= { mtxrWifiRegistrationTableEntry 16 } + +mtxrWifiRegistrationVlanId OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "VLAN ID of the registered device." + ::= { mtxrWifiRegistrationTableEntry 17 } + +mtxrWifiRegistrationAuthorized OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Indicates whether the device is authorized." 
+ ::= { mtxrWifiRegistrationTableEntry 18 } + +-- Wifi Interfaces *********************************************** + +mtxrWifiInterfaces OBJECT-TYPE + SYNTAX SEQUENCE OF MtxrWifiInterfacesEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "" + ::= { mtxrWifi 5 } + +mtxrWifiInterfacesEntry OBJECT-TYPE + SYNTAX MtxrWifiInterfacesEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "An entry representing WiFi interface" + INDEX { mtxrWifiInterfacesId } + ::= { mtxrWifiInterfaces 1 } + +MtxrWifiInterfacesEntry ::= SEQUENCE { + mtxrWifiInterfacesId ObjectIndex, + mtxrWifiInterfacesName DisplayString, + mtxrWifiInterfacesSsid DisplayString, + mtxrWifiInterfacesFreq DisplayString +} + +mtxrWifiInterfacesId OBJECT-TYPE + SYNTAX ObjectIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Unique identifier for each WiFi interface" + ::= { mtxrWifiInterfacesEntry 1 } + +mtxrWifiInterfacesName OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Name of the WiFi interface" + ::= { mtxrWifiInterfacesEntry 2 } + +mtxrWifiInterfacesSsid OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "SSID associated with the WiFi interface" + ::= { mtxrWifiInterfacesEntry 3 } + +mtxrWifiInterfacesFreq OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "Frequency used by the WiFi interface" + ::= { mtxrWifiInterfacesEntry 4 } + +-- TRAPS ********************************************************************** + +mtxrNotifications OBJECT IDENTIFIER ::= { mtxrTraps 0 } + +mtxrTrap NOTIFICATION-TYPE + STATUS current + DESCRIPTION "Mikrotik trap OID" + ::= { mtxrNotifications 1 } + +mtxrTemperatureException NOTIFICATION-TYPE + STATUS current + DESCRIPTION "Mikrotik CPU temperature exception trap" + ::= { mtxrNotifications 2 } + +mtxrTrapGroup NOTIFICATION-GROUP NOTIFICATIONS { + mtxrTrap, + mtxrTemperatureException + } + STATUS current + DESCRIPTION "" 
+ ::= { mtXRouterOsGroups 14 }
+
+-- ***************************************************************************
+
+END
+
diff --git a/roles/routeros/files/routeros-poe-mqtt-publish.sh b/roles/routeros/files/routeros-poe-mqtt-publish.sh
new file mode 100644
index 0000000..1b5afd5
--- /dev/null
+++ b/roles/routeros/files/routeros-poe-mqtt-publish.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+set -eu
+umask 077
+
+community="public"
+
+mqtt_send() {
+ topic="$1"
+ value="$2"
+
+ tlsdir="$(openssl version -d | sed -e 's/^OPENSSLDIR: "\(.\+\)"$/\1/')"
+ mosquitto_pub -h mqtt02.home.foo.sh -t "$topic" -m "$value" \
+ --cafile "${tlsdir}/certs/ca.crt" \
+ --key "${tlsdir}/private/$(hostname -f).key" \
+ --cert "${tlsdir}/certs/$(hostname -f).crt"
+}
+
+snmp_get() {
+ host="$1"
+ key="$2"
+ snmpget -v 1 -c "$community" "$host" -Oqv -m MIKROTIK-MIB "$key" | tr -d '"'
+}
+
+# only run script if first vrrp interface is in master state
+for state in /run/keepalived/*.state ; do
+ if [ "$(cat "$state")" != "MASTER" ]; then
+ exit 0
+ fi
+ break
+done
+
+ldapsearch -Q -LLL "(&(objectClass=device)(description=MikroTik *))" cn | \
+ awk '{ if ($1 == "cn:") print $2 }' | while read -r name
+do
+ snmpwalk -v 1 -c "$community" "$name" -Oq -m MIKROTIK-MIB \
+ MIKROTIK-MIB::mtxrPOEStatus | while read -r port status
+ do
+ port="$(echo "$port" | cut -d "." -f 2)"
+ [ "$status" = "poweredOn" ] || continue
+
+ device="$(snmp_get "$name" "SNMPv2-SMI::mib-2.31.1.1.1.18.${port}")"
+ [ -z "$device" ] && continue
+ location="$(ldapsearch -Q -LLL "(&(objectClass=device)(cn=${device}))" l | \
+ sed -n 's/^l: \(.\+\)/\1/p' | tr '[:upper:]' '[:lower:]' | tr ' ' '_')"
+ [ -z "$location" ] && continue
+
+ for key in Current Power Voltage ; do
+ topic="home/${location}/${device}/$(echo "$key" | tr '[:upper:]' '[:lower:]')"
+ value="$(snmp_get "$name" "MIKROTIK-MIB::mtxrPOE${key}.${port}")"
+ mqtt_send "$topic" "$value"
+ done
+ done
+done
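Review bot: `device` is read from the switch over SNMPv1 (the interface alias at `mib-2.31.1.1.1.18.${port}`) and is then spliced unescaped into the LDAP filter `(&(objectClass=device)(cn=${device}))` and into the MQTT topic `home/${location}/${device}/...`, so a value containing `*`, `(`, `)` or `\` rewrites the filter (RFC 4515 requires escaping these) and a `/`, `+` or `#` breaks the topic hierarchy. SNMPv1 replies carry no authentication, so the value is only as trustworthy as the network path between this host and the switch. A charset check before the lookup closes both cases, `case "$device" in *[!A-Za-z0-9._-]*|'') continue ;; esac`, and the same check is worth applying to `location` after the `tr` normalisation, since only case and spaces are handled there. The hard-coded `community="public"` also deserves a comment stating that it is read-only on the devices, or a move to SNMPv3 if the switches support it.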
diff --git a/roles/routeros/meta/main.yml b/roles/routeros/meta/main.yml new file mode 100644 index 0000000..d2f9d51 --- /dev/null +++ b/roles/routeros/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - {role: ldap} diff --git a/roles/routeros/tasks/main.yml b/roles/routeros/tasks/main.yml index 024b37d..8f73b67 100644 --- a/roles/routeros/tasks/main.yml +++ b/roles/routeros/tasks/main.yml @@ -1,4 +1,20 @@ --- +- name: Install packages + ansible.builtin.package: + name: "{{ item }}" + state: installed + with_items: + - mosquitto + - net-snmp-utils + +- name: Install routeros mib + ansible.builtin.copy: + dest: /usr/share/snmp/mibs/MIKROTIK-MIB.txt + src: mikrotik.mib + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + - name: Create group ansible.builtin.group: name: routeros @@ -38,10 +54,24 @@ owner: root group: "{{ ansible_wheel }}" -- name: Install cron job +- name: Install download cron job ansible.builtin.cron: name: download-routeros-firmware job: /usr/local/bin/download-routeros-firmware user: routeros hour: "05" minute: "25" + +- name: Install mqtt publish script + ansible.builtin.copy: + dest: /usr/local/bin/routeros-poe-mqtt-publish + src: routeros-poe-mqtt-publish.sh + mode: "0755" + owner: root + group: "{{ ansible_wheel }}" + +- name: Install mqtt publish cron job + ansible.builtin.cron: + name: routeros-poe-mqtt-publish + job: /usr/local/bin/routeros-poe-mqtt-publish + minute: "*/5" From 48beb781b356542e01f204b2cf279ebce4b76728 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Apr 2025 19:25:02 +0000 Subject: [PATCH 579/596] mosquitto: Allow nms hosts to write mqtt messages --- roles/mosquitto/templates/acl-tls.conf.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/mosquitto/templates/acl-tls.conf.j2 b/roles/mosquitto/templates/acl-tls.conf.j2 index b7eed5c..7422313 100644 --- a/roles/mosquitto/templates/acl-tls.conf.j2 +++ b/roles/mosquitto/templates/acl-tls.conf.j2 
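Review bot: The new `Install mqtt publish cron job` task in the second hunk sets no `user:`, so unlike the `Install download cron job` entry directly above it (which runs as `routeros`) this job lands in root's crontab and runs ldapsearch, snmpwalk and mosquitto_pub as root every five minutes. The script only needs read access to the host TLS key and certificates, so a dedicated unprivileged account, or the existing `routeros` user once it can read the key, is the better fit; add `user: routeros` (or equivalent) when that access is arranged. In the first hunk, `state: installed` is a legacy alias of `state: present` and `with_items` is the pre-`loop` form; `state: present` and `loop:` are the current idiom.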
@@ -3,5 +3,8 @@ pattern read # user {{ inventory_hostname }} topic readwrite # +user nms*.home.foo.sh +pattern readwrite # + user frigate*.home.foo.sh pattern readwrite frigate/%u/# From d4d68dc962815a88690c262bf51e9fd480d04f3a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Apr 2025 19:29:38 +0000 Subject: [PATCH 580/596] sshd_cert: Renew cert if it's close to expire --- roles/sshd_cert/tasks/main.yml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/roles/sshd_cert/tasks/main.yml b/roles/sshd_cert/tasks/main.yml index 30e52c5..964696e 100644 --- a/roles/sshd_cert/tasks/main.yml +++ b/roles/sshd_cert/tasks/main.yml @@ -23,6 +23,20 @@ delegate_to: localhost register: sshd_cert_status +- name: Get certificate info + ansible.builtin.command: + argv: + - ssh-keygen + - -L + - -f + - "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub" + changed_when: false + failed_when: false + check_mode: false + when: sshd_cert_status.stat.exists + delegate_to: localhost + register: sshd_cert_info + - name: Sign certificate ansible.builtin.command: argv: @@ -41,7 +55,11 @@ - "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub" when: > not sshd_cert_status.stat.exists or - sshd_cert_status.stat.mtime | int < sshd_cert_pubkey.stat.mtime | int + sshd_cert_status.stat.mtime | int < sshd_cert_pubkey.stat.mtime | int or + ( + sshd_cert_info.stdout_lines | select('match', '^[ ]*Valid: ') | + first | split() | last | to_datetime('%Y-%m-%dT%H:%M:%S') + ).strftime('%s') | int < ansible_date_time.epoch | int + 2592000 delegate_to: localhost - name: Install certificate From 20c91fad847158d41d1790503ad003747bfd6697 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Apr 2025 20:02:30 +0000 Subject: [PATCH 581/596] aten_pdu: Add noop mode to mqtt publish script --- roles/aten_pdu/files/aten-mqtt-publish.sh | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) 
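Review bot: The new `user nms*.home.foo.sh` / `pattern readwrite #` pair grants the NMS hosts read and write on every topic, whereas the neighbouring frigate entry is scoped to `frigate/%u/#`. The publish scripts added earlier in this series only write under `home/<location>/<device>/...`, so `pattern readwrite home/#` would cover what they need without letting a compromised NMS host publish to, or subscribe to, the other clients' topics. It is also worth confirming that this ACL backend matches `user` lines as globs; with mosquitto's plain `acl_file` the username is compared literally, in which case `nms*` would never match and the entry would silently grant nothing.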
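Review bot: The new expiry clause in the `Sign certificate` `when:` applies `first` to `select('match', '^[ ]*Valid: ')` and feeds the last word into `to_datetime`, so the task errors out instead of renewing when `ssh-keygen -L` fails (the preceding hunk's `failed_when: false` lets that through with empty output) or when the certificate prints `Valid: forever`. Guarding the clause so that anything unparseable triggers a renewal is the safe direction for a certificate check, e.g. `(sshd_cert_info.stdout_lines | default([]) | select('match', '^[ ]*Valid: from ') | list | length) == 0 or (...)`. The bare `2592000` literal is better exposed as a role default with a comment that it is thirty days, and `.strftime('%s')` relies on a glibc extension; subtracting the epoch via `to_datetime` and `total_seconds()` is the portable form.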
diff --git a/roles/aten_pdu/files/aten-mqtt-publish.sh b/roles/aten_pdu/files/aten-mqtt-publish.sh index 5b486c6..7dcfcaa 100644 --- a/roles/aten_pdu/files/aten-mqtt-publish.sh +++ b/roles/aten_pdu/files/aten-mqtt-publish.sh @@ -5,6 +5,12 @@ umask 077 community="public" +if [ "${1:-}" = "-n" ]; then + _noop=true +else + _noop=false +fi + mqtt_send() { topic="$1" value="$2" @@ -48,7 +54,11 @@ do for key in Current Power Voltage ; do topic="home/${location}/${device}/$(echo "$key" | tr '[:upper:]' '[:lower:]')" value="$(snmp_get "$name" "ATEN-PE-CFG::outlet${key}.${port}")" - mqtt_send "$topic" "$value" + if $_noop ; then + echo "${topic} -> ${value}" + else + mqtt_send "$topic" "$value" + fi done done done From 190a377076613e947c83640a5413c76e7c5eda92 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 19 Apr 2025 20:05:48 +0000 Subject: [PATCH 582/596] aten_pdu: Try to get full hosntname for mqtt pub --- roles/aten_pdu/files/aten-mqtt-publish.sh | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/roles/aten_pdu/files/aten-mqtt-publish.sh b/roles/aten_pdu/files/aten-mqtt-publish.sh index 7dcfcaa..1d6d49a 100644 --- a/roles/aten_pdu/files/aten-mqtt-publish.sh +++ b/roles/aten_pdu/files/aten-mqtt-publish.sh @@ -51,7 +51,24 @@ do continue ;; esac - for key in Current Power Voltage ; do + if device_name="$(ldapsearch -Q -LLL cn="${device}.*" cn | awk " + { + if (\$1 == \"cn:\") { + if (name) { + exit 1 + } + name=\$2 + } + } END { + if (!name) { + exit 1 + } + print name + } + ")" ; then + device="$device_name" + fi + for key in Current Power Voltage ; do topic="home/${location}/${device}/$(echo "$key" | tr '[:upper:]' '[:lower:]')" value="$(snmp_get "$name" "ATEN-PE-CFG::outlet${key}.${port}")" if $_noop ; then From c820614f44ece7aca11044639f77e87816078774 Mon Sep 17 00:00:00 2001 
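Review bot: The option parsing in the first hunk recognises only a literal `-n` as the first argument and silently ignores anything else, so a mistyped flag runs the real publish. A `case "${1:-}" in -n) _noop=true ;; '') _noop=false ;; *) echo "usage: $0 [-n]" >&2; exit 64 ;; esac` keeps the behaviour and fails loudly on unknown arguments. The loop that contains the `if $_noop` branch in the second hunk begins outside it.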
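Review bot: `device` here is the outlet name read from the PDU over SNMPv1 and is interpolated unescaped into the LDAP filter `cn="${device}.*"` (the tightened `(&(objectClass=device)(cn=${device}.*))` in patch 585 keeps the same interpolation), so a name containing `*`, `(`, `)` or `\` changes the query; RFC 4515 requires escaping these, and a charset check before the lookup such as `case "$device" in *[!A-Za-z0-9_-]*) continue ;; esac` is the simplest defence. The awk program is double-quoted purely so that `\$1` and `\"cn:\"` survive the shell; it references no shell variables, so single-quoting it removes every escape and reads as plain awk. The surrounding `while read -r port device` loop begins outside this hunk.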
From: Timo Makinen Date: Sun, 20 Apr 2025 14:22:39 +0000 Subject: [PATCH 583/596] aten_pdu: Get PDU location from LDAP --- roles/aten_pdu/files/aten-mqtt-publish.sh | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/roles/aten_pdu/files/aten-mqtt-publish.sh b/roles/aten_pdu/files/aten-mqtt-publish.sh index 1d6d49a..13432a0 100644 --- a/roles/aten_pdu/files/aten-mqtt-publish.sh +++ b/roles/aten_pdu/files/aten-mqtt-publish.sh @@ -36,11 +36,22 @@ for state in /run/keepalived/*.state ; do break done -ldapsearch -Q -LLL "(&(objectClass=device)(description=Aten PE*))" cn | \ - awk '{ if ($1 == "cn:") print $2 }' | while read -r name +ldapsearch -Q -LLL "(&(objectClass=device)(description=Aten PE*))" cn l | awk ' + { + if ($1 == "cn:") { + cn = $2 + } + if ($1 == "l:") { + l = substr($0, 3) + } + if ($0 == "" && cn != "" && l != "") { + print cn l + cn = "" + l = "" + } + } + ' | while read -r name location do - location="$(snmp_get "$name" RFC1213-MIB::sysLocation.0 | \ - tr '[:upper:]' '[:lower:]' | tr ' ' '_')" snmpwalk -v 1 -c "$community" "$name" -Oq \ -m ATEN-PE-CFG ATEN-PE-CFG::outletName | while read -r port device do From b1481de12cb14bf3e05d152844225ad06bcfc30e Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Apr 2025 14:28:26 +0000 Subject: [PATCH 584/596] ha_mqtt_configd: Fix underscore handling in topics --- roles/ha_mqtt_configd/files/ha_mqtt_configd.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ha_mqtt_configd/files/ha_mqtt_configd.py b/roles/ha_mqtt_configd/files/ha_mqtt_configd.py index b5d2c03..bc1c3e7 100755 --- a/roles/ha_mqtt_configd/files/ha_mqtt_configd.py +++ b/roles/ha_mqtt_configd/files/ha_mqtt_configd.py @@ -23,7 +23,7 @@ def on_message(client, userdata, msg): config = { "dev": { "name": topic[2].capitalize(), - "suggested_area": topic[1].capitalize(), + "suggested_area": topic[1].capitalize().replace("_", " "), "identifiers": [ uniqueid, ], 
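Review bot: In the new awk filter `print cn l` concatenates the two fields with no separator and only works because `substr($0, 3)` keeps the space after `l:`, which is easy to break on the next edit; `l = substr($0, 4)` together with `print cn, l` makes the separator explicit. The replaced code also lower-cased the location and turned spaces into underscores before it reached the topic; the LDAP `l` value now goes into `home/${location}/...` as-is, so topics change for any entry whose `l` contains uppercase letters or spaces (patch 584's `replace("_", " ")` suggests underscores are the expected form). LDIF also emits base64 for non-ASCII values as `l:: ...` and folds long lines, neither of which the `$1 == "l:"` matcher sees, so such entries would be skipped silently. The loop body consuming `name` and `location` continues outside the hunk.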
From 2ef627998f0be5c6b84bd23541a6a41f9ae65c5a Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Apr 2025 15:02:21 +0000 Subject: [PATCH 585/596] aten_pdu: Use more strict LDAP query --- roles/aten_pdu/files/aten-mqtt-publish.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/aten_pdu/files/aten-mqtt-publish.sh b/roles/aten_pdu/files/aten-mqtt-publish.sh index 13432a0..ba81c93 100644 --- a/roles/aten_pdu/files/aten-mqtt-publish.sh +++ b/roles/aten_pdu/files/aten-mqtt-publish.sh @@ -62,7 +62,8 @@ do continue ;; esac - if device_name="$(ldapsearch -Q -LLL cn="${device}.*" cn | awk " + if device_name="$(ldapsearch -Q -LLL \ + "(&(objectClass=device)(cn=${device}.*))" cn | awk " { if (\$1 == \"cn:\") { if (name) { From d4e9c308e25dfcb78d1393f0f2a4848eb0aadcd0 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Apr 2025 15:02:52 +0000 Subject: [PATCH 586/596] aten_pdu: Fix script permissions --- roles/aten_pdu/files/aten-mqtt-publish.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 roles/aten_pdu/files/aten-mqtt-publish.sh diff --git a/roles/aten_pdu/files/aten-mqtt-publish.sh b/roles/aten_pdu/files/aten-mqtt-publish.sh old mode 100644 new mode 100755 From e6fe9af993e85aa0dd8bfc1ae5d402313cbce8ca Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Apr 2025 15:04:10 +0000 Subject: [PATCH 587/596] aten_pdu: Fix tabs to spaces --- roles/aten_pdu/files/aten-mqtt-publish.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aten_pdu/files/aten-mqtt-publish.sh b/roles/aten_pdu/files/aten-mqtt-publish.sh index ba81c93..60803fa 100755 --- a/roles/aten_pdu/files/aten-mqtt-publish.sh +++ b/roles/aten_pdu/files/aten-mqtt-publish.sh @@ -62,7 +62,7 @@ do continue ;; esac - if device_name="$(ldapsearch -Q -LLL \ + if device_name="$(ldapsearch -Q -LLL \ "(&(objectClass=device)(cn=${device}.*))" cn | awk " { if (\$1 == \"cn:\") { 
From c95c7d1308afabd13f2f27749902bfe10c83b9b4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Apr 2025 16:12:35 +0000 Subject: [PATCH 588/596] Fix custom firewall rules on frigate hosts --- group_vars/frigate.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/group_vars/frigate.yml b/group_vars/frigate.yml index 48bed7f..f22e3ef 100644 --- a/group_vars/frigate.yml +++ b/group_vars/frigate.yml @@ -22,5 +22,4 @@ firewall_in: - {proto: tcp, port: 443, from: [172.20.20.0/22]} - {proto: tcp, port: 9100, from: [172.20.20.0/22]} firewall_raw: - - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - - "-A INPUT -i eth1 -p vrrp -j ACCEPT" + - "ip daddr 224.0.0.0/8 accept" From c88f8e6374bdb03c2fbffe107b85564a3c9b6be4 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Apr 2025 16:21:25 +0000 Subject: [PATCH 589/596] Get IP cameras from LDAP --- group_vars/frigate.yml | 2 ++ roles/dhcpd/templates/dhcpd.conf.cam.j2 | 10 ++++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/group_vars/frigate.yml b/group_vars/frigate.yml index f22e3ef..81a93e1 100644 --- a/group_vars/frigate.yml +++ b/group_vars/frigate.yml @@ -16,6 +16,8 @@ unbound_zones: - 26.20.172.in-addr.arpa - cam.foo.sh dhcpd_template: dhcpd.conf.cam.j2 +dhcpd_ldap_filter: >- + (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.cam.foo.sh)) firewall_in: - {proto: tcp, port: 22, from: [172.20.20.0/22]} diff --git a/roles/dhcpd/templates/dhcpd.conf.cam.j2 b/roles/dhcpd/templates/dhcpd.conf.cam.j2 index edddc1a..54eff12 100644 --- a/roles/dhcpd/templates/dhcpd.conf.cam.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.cam.j2 
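Review bot: The replacement nftables rule `ip daddr 224.0.0.0/8 accept` drops the `-i eth1` restriction the old iptables rule carried, so multicast is now accepted on every interface; `iifname "eth1" ip daddr 224.0.0.0/8 accept` keeps the original scope. The second removed rule (`-p vrrp` accept) has no replacement; if these hosts still run keepalived, VRRP advertisements arriving on eth1 would be dropped and an `iifname "eth1" ip protocol vrrp accept` line (protocol 112) is needed as well.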
@@ -29,10 +29,12 @@ shared-network CAMNET { use-host-decl-names on; } - host ipcam01.cam.foo.sh { - option host-name "ipcam01.cam.foo.sh"; - hardware ethernet ec:71:db:6e:bc:0f; - fixed-address 172.20.26.101; +{% for host in ldap_hosts.results %} + host {{ host['cn'] }} { + option host-name "{{ host['cn'] }}"; + hardware ethernet {{ host['macAddress'] }}; + fixed-address {{ host['ipHostNumber'] }}; } +{% endfor %} } From ec8ae902ed90f89a3d0de598462b4798f88d2b54 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 20 Apr 2025 16:52:23 +0000 Subject: [PATCH 590/596] frigate: Get cameras from LDAP --- roles/frigate/tasks/main.yml | 16 ++++++++++++++++ .../templates/frigate-container.sysconfig.j2 | 4 ++-- roles/frigate/templates/frigate.yml.j2 | 8 ++++---- 3 files changed, 22 insertions(+), 6 deletions(-) diff --git a/roles/frigate/tasks/main.yml b/roles/frigate/tasks/main.yml index 8189acd..7401e1f 100644 --- a/roles/frigate/tasks/main.yml +++ b/roles/frigate/tasks/main.yml @@ -43,6 +43,22 @@ remote_src: true notify: Restart frigate +- name: Get cameras from LDAP + community.general.ldap_search: + attrs: + - cn + - l + client_cert: >- + {{ hostvars[ansible_server]['tls_certs'] + '/' + ansible_server }}.crt + client_key: >- + {{ hostvars[ansible_server]['tls_private'] + '/' + ansible_server }}.key + dn: "{{ ldap_basedn }}" + filter: (&(objectClass=ipHost)(cn=ipcam*.cam.foo.sh)) + scope: subordinate + server_uri: "ldaps://{{ ldap_server[0] }}" + delegate_to: localhost + register: ldap_cams + - name: Create config ansible.builtin.template: dest: /etc/frigate.yml diff --git a/roles/frigate/templates/frigate-container.sysconfig.j2 b/roles/frigate/templates/frigate-container.sysconfig.j2 index c6b07ef..1f9f038 100644 --- a/roles/frigate/templates/frigate-container.sysconfig.j2 +++ b/roles/frigate/templates/frigate-container.sysconfig.j2 
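Review bot: The loop renders `host['macAddress']` and `host['ipHostNumber']` straight into dhcpd syntax, and an entry carrying more than one value for either attribute would, if `ldap_hosts` comes from `community.general.ldap_search`, arrive as a list and be printed as a Python list literal that dhcpd rejects at config check. Selecting one value explicitly avoids that, e.g. `hardware ethernet {{ [host['macAddress']] | flatten | first }};`, and likewise for `fixed-address`. `host {{ host['cn'] }}` and the quoted `option host-name` also assume cn contains no whitespace or double quotes, which the LDAP filter does not enforce; a one-line comment above the loop stating that assumption would help. Where `ldap_hosts` is registered is outside this hunk.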
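Review bot: The `Get cameras from LDAP` task never checks that the search returned anything, so an empty result renders the `cameras:` section of `frigate.yml.j2` with no entries instead of failing the play; `failed_when: ldap_cams.results | length == 0` next to `register: ldap_cams` makes that visible. The filter `(cn=ipcam*.cam.foo.sh)` is also narrower than the `dhcpd_ldap_filter` added for the frigate group in patch 589 (`cn=*.cam.foo.sh`), so a camera named outside the `ipcam` prefix would get a DHCP lease but no Frigate entry; if that asymmetry is intended, a comment on the `filter:` line saying so would help.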
@@ -1,3 +1,3 @@ -{% for camera in cctv_cameras %} -FRIGATE_{{ camera.name | upper }}_PASS="{{ camera.pass }}" +{% for camera in ldap_cams.results %} +FRIGATE_{{ camera['l'] | upper }}_PASS="{{ cctv_cameras[camera['cn']] }}" {% endfor %} diff --git a/roles/frigate/templates/frigate.yml.j2 b/roles/frigate/templates/frigate.yml.j2 index 08c83f7..c269f6d 100644 --- a/roles/frigate/templates/frigate.yml.j2 +++ b/roles/frigate/templates/frigate.yml.j2 @@ -25,16 +25,16 @@ record: mode: motion cameras: -{% for camera in cctv_cameras %} - {{ camera.name }}: +{% for camera in ldap_cams.results %} + {{ camera['l'] }}: enabled: true ffmpeg: inputs: - - path: "rtsp://viewer:{FRIGATE_{{ camera.name | upper }}_PASS}@{{ camera.addr}}/h264Preview_01_sub" + - path: "rtsp://viewer:{FRIGATE_{{ camera['l'] | upper }}_PASS}@{{ camera['cn'] }}/h264Preview_01_sub" input_args: preset-rtsp-restream roles: - detect - - path: "rtsp://viewer:{FRIGATE_{{ camera.name | upper }}_PASS}@{{ camera.addr}}/h264Preview_01_main" + - path: "rtsp://viewer:{FRIGATE_{{ camera['l'] | upper }}_PASS}@{{ camera['cn'] }}/h264Preview_01_main" input_args: preset-rtsp-restream roles: - record From 1ff80f9171dfa985f42b54ebca0a2a40d9af3452 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Tue, 22 Apr 2025 17:28:14 +0000 Subject: [PATCH 591/596] Fix serial port number from homeassistant hosts --- host_vars/homeassistant01.home.foo.sh.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/host_vars/homeassistant01.home.foo.sh.yml b/host_vars/homeassistant01.home.foo.sh.yml index b2ab0ee..e952693 100644 --- a/host_vars/homeassistant01.home.foo.sh.yml +++ b/host_vars/homeassistant01.home.foo.sh.yml @@ -11,4 +11,4 @@ network_interfaces: virt_install_devices: - 0b05:190e - 10c4:ea60 - - /dev/ttyUSB8 + - /dev/ttyUSB0 From 14c718942999c05a8af04b1f8dc46f32d3e2d6c1 Mon Sep 17 00:00:00 2001 
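Review bot: `FRIGATE_{{ camera['l'] | upper }}_PASS` turns the LDAP `l` attribute into a shell variable name with no sanitisation, so a locality containing a space or hyphen produces a line the sysconfig consumer cannot parse; the routeros publish script in this same series normalises the same attribute with `tr ' ' '_'`, which suggests such values exist. Normalising in the template, e.g. `{{ camera['l'] | upper | regex_replace('[^A-Z0-9]', '_') }}`, fixes this, and the identical expression in `frigate.yml.j2` (the camera key and both `{FRIGATE_..._PASS}` references) must use the same transform or the placeholder names no longer line up. `cctv_cameras[camera['cn']]` raises an undefined-variable error for a camera that exists in LDAP but has no password entry, which is the right failure mode but deserves a comment above the loop.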
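Review bot: `/dev/ttyUSB0` is assigned by probe order, so the number can move again after a reboot or when another USB-serial adapter is plugged in, which is presumably how it drifted to `ttyUSB8` in the first place. The stable alternative is the udev symlink under `/dev/serial/by-id/`, e.g. `- /dev/serial/by-id/<ADAPTER_ID_PLACEHOLDER>`, assuming whatever consumes `virt_install_devices` accepts a symlinked path. The other two entries are vendor:product IDs, so the adapter could be matched that way as well if its ID is unique on the host.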
From: Timo Makinen Date: Tue, 22 Apr 2025 17:55:35 +0000 Subject: [PATCH 592/596] Fix custom firewall rules for print hosts --- group_vars/print.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/group_vars/print.yml b/group_vars/print.yml index ede482a..fc2e3fb 100644 --- a/group_vars/print.yml +++ b/group_vars/print.yml @@ -14,8 +14,7 @@ firewall_in: - {proto: tcp, port: 631, from: [172.20.20.0/22]} - {proto: tcp, port: 9100, from: [172.20.20.0/22]} firewall_raw: - - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT" - - "-A INPUT -i eth1 -p vrrp -j ACCEPT" + - "ip daddr 224.0.0.0/8 accept" dhcpd_template: dhcpd.conf.print.j2 dhcpd_ldap_filter: >- From 8c6974f856918718699a515a50a96fb787c30962 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 26 Apr 2025 18:16:52 +0000 Subject: [PATCH 593/596] Update software versions --- hosts.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/hosts.yml b/hosts.yml index 73a073d..4c3f054 100644 --- a/hosts.yml +++ b/hosts.yml @@ -20,12 +20,12 @@ forgejo: hosts: forgejo02.home.foo.sh: vars: - forgejo_version: "10.0.1" + forgejo_version: "11.0.0" frigate: hosts: frigate02.home.foo.sh: vars: - frigate_version: "0.15.0" + frigate_version: "0.15.1" fsolgw: hosts: fsol-gw01.home.foo.sh: @@ -34,11 +34,11 @@ homeassistant: hosts: homeassistant01.home.foo.sh: vars: - homeassistant_version: "2025.3" + homeassistant_version: "2025.4" homeassistant_integrations: - name: electrolux_status repo: https://github.com/albaintor/homeassistant_electrolux_status.git - version: v2.0.9 + version: v2.0.10 - name: espsomfy_rts repo: https://github.com/rstrouse/ESPSomfy-RTS-HA.git version: v2.4.7 @@ -78,7 +78,7 @@ nms: nms01.home.foo.sh: nms02.home.foo.sh: vars: - snmp_exporter_version: "0.28.0" + snmp_exporter_version: "0.29.0" ns: hosts: ns01.home.foo.sh: 
@@ -89,8 +89,8 @@ ocinode: oci-node01.home.foo.sh: oci-node02.home.foo.sh: vars: - grafana_version: "11.4.2" - rocketchat_version: "7.4.0" + grafana_version: "11.6.1" + rocketchat_version: "7.5.1" roundcube_version: "1.6.10" print: hosts: From 894f69f82f2cff5505e63c9c8915fbff7178f014 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 26 Apr 2025 20:04:49 +0000 Subject: [PATCH 594/596] routeros: Add force option to mqtt publish script --- roles/routeros/files/routeros-poe-mqtt-publish.sh | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/roles/routeros/files/routeros-poe-mqtt-publish.sh b/roles/routeros/files/routeros-poe-mqtt-publish.sh index 1b5afd5..d622f2a 100644 --- a/roles/routeros/files/routeros-poe-mqtt-publish.sh +++ b/roles/routeros/files/routeros-poe-mqtt-publish.sh @@ -23,12 +23,14 @@ snmp_get() { } # only run script if first vrrp interface is in master state -for state in /run/keepalived/*.state ; do - if [ "$(cat "$state")" != "MASTER" ]; then - exit 0 - fi - break -done +if [ "${1:-}" != "-f" ]; then + for state in /run/keepalived/*.state ; do + if [ "$(cat "$state")" != "MASTER" ]; then + exit 0 + fi + break + done +fi ldapsearch -Q -LLL "(&(objectClass=device)(description=MikroTik *))" cn | \ awk '{ if ($1 == "cn:") print $2 }' | while read -r name From 3a21dbfa35b32c6cec4fbe7867a7905096bbb249 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 26 Apr 2025 20:33:23 +0000 Subject: [PATCH 595/596] routeros: Don't run mqtt publish script as root --- roles/routeros/files/README.md | 6 ++++++ .../files/routeros-poe-mqtt-publish.sh | 18 +++++++++++------- roles/routeros/tasks/main.yml | 2 ++ 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/roles/routeros/files/README.md b/roles/routeros/files/README.md index 91fed9c..9e5cc1e 100644 --- a/roles/routeros/files/README.md +++ b/roles/routeros/files/README.md 
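Review bot: The new `-f` switch is undocumented in the script, and since it disables the only guard against two VRRP peers publishing the same topics, the header should say what it is for, e.g. `# -f: skip the VRRP master check (manual runs); normally only the master publishes`. The guard itself behaves oddly when `/run/keepalived/*.state` matches nothing: the glob is left literal, `cat` fails, and the comparison against `MASTER` makes the script exit silently — pre-existing, but `[ -e "$state" ] || { echo "no keepalived state file" >&2; exit 1; }` before the `cat` would make that explicit. The `while read -r name` loop continues outside the hunk.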
@@ -14,3 +14,9 @@ ``` /interface/bridge/port/set [find where bridge=bridge and interface=ether1] pvid=30 ``` + +## Add name to port + +``` +/interface/ethernet/set [ find default-name=ether20 ] comment="name" +``` diff --git a/roles/routeros/files/routeros-poe-mqtt-publish.sh b/roles/routeros/files/routeros-poe-mqtt-publish.sh index d622f2a..4395ba0 100644 --- a/roles/routeros/files/routeros-poe-mqtt-publish.sh +++ b/roles/routeros/files/routeros-poe-mqtt-publish.sh @@ -4,16 +4,19 @@ set -eu umask 077 community="public" +tlsdir="$(openssl version -d | sed -e 's/^OPENSSLDIR: "\(.\+\)"$/\1/')" +cafile="${tlsdir}/certs/ca.crt" +keyfile="${tlsdir}/private/$(hostname -f).key" +certfile="${tlsdir}/certs/$(hostname -f).crt" + +export LDAPTLS_KEY="$keyfile" +export LDAPTLS_CERT="$certfile" mqtt_send() { topic="$1" value="$2" - - tlsdir="$(openssl version -d | sed -e 's/^OPENSSLDIR: "\(.\+\)"$/\1/')" mosquitto_pub -h mqtt02.home.foo.sh -t "$topic" -m "$value" \ - --cafile "${tlsdir}/certs/ca.crt" \ - --key "${tlsdir}/private/$(hostname -f).key" \ - --cert "${tlsdir}/certs/$(hostname -f).crt" + --cafile "$cafile" --key "$keyfile" --cert "$certfile" } snmp_get() { @@ -32,7 +35,7 @@ if [ "${1:-}" != "-f" ]; then done fi -ldapsearch -Q -LLL "(&(objectClass=device)(description=MikroTik *))" cn | \ +ldapsearch -Q -LLL -Y EXTERNAL "(&(objectClass=device)(description=MikroTik *))" cn | \ awk '{ if ($1 == "cn:") print $2 }' | while read -r name do snmpwalk -v 1 -c "$community" "$name" -Oq -m MIKROTIK-MIB \ @@ -43,7 +46,8 @@ do device="$(snmp_get "$name" "SNMPv2-SMI::mib-2.31.1.1.1.18.${port}")" [ -z "$device" ] && continue - location="$(ldapsearch -Q -LLL "(&(objectClass=device)(cn=${device}))" l | \ + location="$(ldapsearch -Q -LLL -Y EXTERNAL \ + "(&(objectClass=device)(cn=${device}))" l | \ sed -n 's/^l: \(.\+\)/\1/p' | tr '[:upper:]' '[:lower:]' | tr ' ' '_')" [ -z "$location" ] && continue 
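Review bot: `export LDAPTLS_KEY`/`LDAPTLS_CERT` only take effect when the LDAP connection is actually TLS, and the `ldapsearch -Y EXTERNAL` calls in the later hunks of this file pass no `-H` or `-ZZ`, so they depend on the default URI in `ldap.conf` being `ldaps://`; if it is plain `ldap://`, SASL EXTERNAL has no client certificate to bind with and the searches fail once the cron job runs as the unprivileged user. Adding `-ZZ` to both calls, or a comment above the `export` lines stating that `ldap.conf` must point at an `ldaps://` URI, pins that assumption. Hoisting `tlsdir`, `cafile`, `keyfile` and `certfile` to file scope is fine, but a short comment that the key under `${tlsdir}/private` is the host's own identity, shared with the MQTT client auth below, would help the next reader understand why this script needs access to it.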
diff --git a/roles/routeros/tasks/main.yml b/roles/routeros/tasks/main.yml index 8f73b67..f9693ad 100644 --- a/roles/routeros/tasks/main.yml +++ b/roles/routeros/tasks/main.yml @@ -25,6 +25,7 @@ name: routeros comment: RouterOS Downloader group: routeros + groups: hostkey create_home: false home: /var/empty shell: /sbin/nologin @@ -74,4 +75,5 @@ ansible.builtin.cron: name: routeros-poe-mqtt-publish job: /usr/local/bin/routeros-poe-mqtt-publish + user: routeros minute: "*/5" From b96bf22b92c31efc7d9791e0b7b9007efd574455 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sat, 26 Apr 2025 20:34:05 +0000 Subject: [PATCH 596/596] routeros: Fix script permissions --- roles/routeros/files/download-routeros-firmware.sh | 0 roles/routeros/files/routeros-poe-mqtt-publish.sh | 0 2 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 roles/routeros/files/download-routeros-firmware.sh mode change 100644 => 100755 roles/routeros/files/routeros-poe-mqtt-publish.sh diff --git a/roles/routeros/files/download-routeros-firmware.sh b/roles/routeros/files/download-routeros-firmware.sh old mode 100644 new mode 100755 diff --git a/roles/routeros/files/routeros-poe-mqtt-publish.sh b/roles/routeros/files/routeros-poe-mqtt-publish.sh old mode 100644 new mode 100755
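Review bot: `groups: hostkey` presumably exists so that the cron job, now running as `routeros`, can read `${tlsdir}/private/$(hostname -f).key`, which the publish script uses for both the MQTT TLS client auth and the LDAP `-Y EXTERNAL` bind; that hands a service account whose input is SNMPv1 data from the switches the host's own identity key, so a dedicated certificate for the `routeros` user (or at least a comment on the `groups:` line recording why the grant is needed) would keep the blast radius smaller. Note also that `ansible.builtin.user` treats `groups:` as the complete supplementary-group list unless `append: true` is set, which is harmless while `hostkey` is the only group but will silently drop any group added later by another role. The `user: routeros` addition to the cron task is the right direction and needs no change.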