foo.sh/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: foo.sh:master
Branches Tags
foo.sh:master
foo.sh:actions-test
..
compare: foo.sh:actions-test
Branches Tags
foo.sh:master
foo.sh:actions-test

3 commits
master ... actions-te

Author SHA1 Message Date
Timo Makinen
dbf62bc397 Syntax changes 2023-07-20 17:45:46 +00:00
Timo Makinen
330360d977 Try renaming file 2023-07-20 17:44:11 +00:00
Timo Makinen
b11e3e57e0 Try another syntax 2023-07-20 17:42:41 +00:00
480 changed files with 2495 additions and 17290 deletions
Download patch file Download diff file Expand all files Collapse all files

12
.forgejo/workflows/test.yml → .gitea/workflows/demo.yaml
View file

@ -1,21 +1,21 @@
---
name: tests
# yamllint disable-line rule:truthy
on:
- push
run-name: just testing
on: [push]
jobs:
lint:
name: run linter
linter:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Install package dependencies
run: |
apt-get install \
sudo apt-get install \
ansible-lint \
jsonlint \
shellcheck \
yamllint
ln -s /usr/bin/jsonlint-php /usr/local/bin/jsonlint
- name: Run linters
run: make -C ./tests

1
.gitignore vendored
View file

@ -1,3 +1,2 @@
.*.swp
__pycache__
files/ssh/backup.pub

16
container-ports.md
View file

@ -1,16 +0,0 @@
# Ports used by container web services
| Port | Ansible role | Service name |
|------|---------------------|----------------------------|
| 8001 | kerberos_kdc | Kerberos KDC |
| 8002 | grafana | Grafana |
| 8003 | authcheck | Authentication check |
| 8004 | roundcube | Roundcube webmail |
| 8005 | php4dvd | php4dvd movie catalog |
| 8006 | scanservjs | SANE Scanner webui |
| 8007 | frigate | Network video recorder |
| 8008 | hoemeassistant | Home Assistant |
| 8009 | rocketchat | Rocket.Chat |
| 8010 | google-spell-pspell | Google Spell Check XML API |
| 8011 | ipsilon | Ipsilon Identity Provider |
| 8012 | nodered | Node Red |

1
files/ssh/backup.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdaNO9dLpI8CVx1rwGsKN45Pgiz+Btrlf2Q/nXCx4Ru root@backup02.home.foo.sh

1
files/ssh/logsync.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIlXfTeMQoYjYVXFH5qhp+YgIBM/1r+BwzME7aEOu2yE logsync@log01.home.foo.sh

42
group_vars/adm.yml
View file

@ -1,44 +1,8 @@
---
datadisks:
- {size: 10, type: nvme}
chrony_allow:
- 172.20.25.0/24
unbound_zones:
- 25.20.172.in-addr.arpa
- oob.foo.sh
dhcpd_template: dhcpd.conf.oob.j2
dhcpd_ldap_filter: >-
(&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.oob.foo.sh))
unbound_config: unbound.conf.oob.j2
network_vip_interfaces:
- device: eth0
vhid: 11
ipaddr: 172.20.20.21
netmask: 255.255.240.0
pass: "{{ vip21_pass }}"
- device: eth1
vhid: 25
ipaddr: 172.20.25.1
netmask: 255.255.255.0
pass: "{{ vip25_pass }}"
priority: "{{ vip25_priority }}"
- {size: 10}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 25, from: [172.20.25.0/24]}
- {proto: tcp, port: 53, from: [172.20.25.0/24]}
- {proto: udp, port: 53, from: [172.20.25.0/24]}
- {proto: tcp, port: 80, from: [172.20.20.0/22]}
- {proto: udp, port: 123, from: [172.20.25.0/24]}
- {proto: tcp, port: 443, from: [172.20.20.0/22, 172.20.25.0/24]}
- {proto: udp, port: 514, from: [172.20.25.0/24]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 9116, from: [172.20.20.0/22]}
firewall_raw:
- "ip daddr 224.0.0.0/8 accept"
sssd_allow_groups:
- sysadm
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

12
group_vars/all.yml
View file

@ -28,13 +28,11 @@ tls_bundle: /etc/pki/tls/cert.pem
# url where installer data is located
boot_url: https://boot.foo.sh
# default name servers
network_dns_servers:
- 8.8.8.8
- 8.8.4.4
# ssh public keys for logsync user
logsync_publickeys: "{{ lookup('file', '../files/ssh/logsync.pub') }}"
# ssh public keys for backup user
backup_publickeys: "{{ lookup('file', '../files/ssh/backup.pub') }}"
# hardcode this for now
ansible_datacenter: home
# use as generic as possible python binary so delegate_to works
ansible_python_interpreter: python3

1
group_vars/backup.yml
View file

@ -1,4 +1,3 @@
---
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}

2
group_vars/collab.yml
View file

@ -5,4 +5,4 @@ datadisks:
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

62
group_vars/dnagw.yml
View file

@ -1,75 +1,23 @@
---
# increase memory size
mem_size: 512
intnet: "{{ network_interfaces[0].ipaddr + '/' + network_interfaces[0].netmask }}"
intdomain: "{{ inventory_hostname.split('.')[1:] | join('.') }}"
network_vip_interfaces:
- device: vio0
vhid: 1
ipaddr: "{{ intnet | ansible.utils.ipaddr(1) | ansible.utils.ipaddr('address') }}"
netmask: "{{ intnet | ansible.utils.ipaddr('netmask') }}"
ipaddr: 172.20.20.1
netmask: 255.255.252.0
pass: "{{ vip1_pass }}"
priority: 120
- device: vio0
vhid: 10
ipaddr: "{{ intnet | ansible.utils.ipaddr(10) | ansible.utils.ipaddr('address') }}"
netmask: "{{ intnet | ansible.utils.ipaddr('netmask') }}"
ipaddr: 172.20.20.10
netmask: 255.255.252.0
pass: "{{ vip10_pass }}"
priority: 120
- device: vio0
vhid: 11
ipaddr: "{{ intnet | ansible.utils.ipaddr(11) | ansible.utils.ipaddr('address') }}"
netmask: "{{ intnet | ansible.utils.ipaddr('netmask') }}"
pass: "{{ vip11_pass }}"
priority: "{{ vip11_priority }}"
- device: vio0
vhid: 12
ipaddr: "{{ intnet | ansible.utils.ipaddr(12) | ansible.utils.ipaddr('address') }}"
netmask: "{{ intnet | ansible.utils.ipaddr('netmask') }}"
pass: "{{ vip12_pass }}"
priority: "{{ vip12_priority }}"
network_ether_interfaces:
- device: vio1
proto: none
unbound_zones:
- 144-28.96.16.37.in-addr.arpa
- foo.sh
- >-
{% set reverse = intnet | ansible.utils.ipaddr('network') | ansible.utils.ipaddr('revdns') -%}
{% if intnet | ansible.utils.ipaddr('prefix') < 24 -%}
{{ reverse[:-1] | split('.', 2) | last -}}
{% else -%}
{{ reverse[:-1] | split('.', 1) | last -}}
{% endif -%}
- "{{ intdomain }}"
# use custom firewall config
firewall_src: pf.conf.gw_dna.j2
# unbound config
unbound_config: unbound.conf.dna.j2
# get extra hosts from ldap
dhcpd_ldap_filter: >-
(&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.{{ intdomain }}))
firewall_src: pf.conf.gw_home
# ifstated config
ifstated_config: ifstated-dna.conf.j2
# ntp settings
ntpd_servers:
- time1.google.com
- time2.google.com
- time3.google.com
- time4.google.com
ntpd_constraints:
- "https://www.google.com"
ntpd_listen:
- "{{ network_interfaces[0].ipaddr }}"
# ssh host alaises
ssh_hostnames:
- "gw.{{ intdomain }}"

4
group_vars/fedora.yml
View file

@ -1,7 +1,7 @@
---
# default resources for new vm
dsk_size: 20
mem_size: 4096
mem_size: 2048
num_cpus: 2
# extra args for virt-install
@ -18,7 +18,7 @@ ipcmd: >-
{% endif %}
virt_install_os_args: >-
--location
https://nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/releases/41/Everything/x86_64/os/
https://nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/releases/38/Everything/x86_64/os/
--extra-args
"inst.ks={{ ks_file }}
console=ttyS0

8
group_vars/forgejo.yml
View file

@ -1,8 +0,0 @@
---
datadisks:
- {size: 10, type: nvme}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}

30
group_vars/frigate.yml
View file

@ -1,30 +0,0 @@
---
mem_size: 8192
num_cpus: 2
datadisks:
- {size: 50, type: nvme}
- {size: 500, type: hdd}
network_vip_interfaces:
- device: eth1
vhid: 26
ipaddr: 172.20.26.1
netmask: 255.255.0.0
pass: "{{ vip26_pass }}"
chrony_allow:
- 172.20.26.0/24
unbound_zones:
- 26.20.172.in-addr.arpa
- cam.foo.sh
dhcpd_template: dhcpd.conf.cam.j2
dhcpd_ldap_filter: >-
(&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.cam.foo.sh))
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
firewall_raw:
- "ip daddr 224.0.0.0/8 accept"

5
group_vars/fsolgw.yml
View file

@ -4,10 +4,9 @@ network_vip_interfaces:
vhid: 145
ipaddr: 37.16.96.145
netmask: 255.255.255.240
ip6addr: 2a00:4cc1:6:1006::1
ip6netmask: 64
pass: "{{ vip145_pass }}"
network_dns_servers: [172.20.20.10, 172.20.21.1, 172.20.21.2]
# use custom firewall and ifstated config
firewall_src: pf.conf.gw_fsol.j2
firewall_src: pf.conf.gw_fsol
ifstated_config: ifstated-fsol.conf

4
group_vars/audiobooks.yml → group_vars/gitea.yml
View file

@ -1,8 +1,8 @@
---
datadisks:
- {size: 50, type: hdd}
- {size: 10, type: hdd}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

4
group_vars/gitearunner.yml Normal file
View file

@ -0,0 +1,4 @@
---
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

9
group_vars/home.yml
View file

@ -1,9 +0,0 @@
---
network_dns_servers:
- 172.20.20.10
- 172.20.20.11
- 172.20.20.12
ntpd_servers:
- time1.home.foo.sh
- time2.home.foo.sh
chrony_servers: "{{ ntpd_servers }}"

5
group_vars/homeassistant.yml
View file

@ -1,8 +1,7 @@
---
mem_size: 4096
datadisks:
- {size: 10, type: nvme}
- {size: 10, type: hdd}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

2
group_vars/influxdb.yml
View file

@ -5,4 +5,4 @@ datadisks:
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

9
group_vars/iot.yml
View file

@ -1,9 +0,0 @@
---
network_dns_servers:
- 172.20.27.10
- 172.20.27.11
- 172.20.27.12
ntpd_servers:
- time1.iot.foo.sh
- time2.iot.foo.sh
chrony_servers: "{{ ntpd_servers }}"

9
group_vars/lan.yml
View file

@ -1,9 +0,0 @@
---
network_dns_servers:
- 172.20.30.10
- 172.20.30.11
- 172.20.30.12
ntpd_servers:
- time1.lan.foo.sh
- time2.lan.foo.sh
chrony_servers: "{{ ntpd_servers }}"

3
group_vars/ldap.yml
View file

@ -3,5 +3,6 @@ saslauthd_mech: ldap
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 636, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

5
group_vars/log.yml
View file

@ -1,9 +1,8 @@
---
mem_size: 512
datadisks:
- {size: 50, type: nvme}
- {size: 50}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}
- {proto: tcp, port: 6514}

8
group_vars/mail.yml
View file

@ -1,7 +1,6 @@
---
datadisks:
- {size: 10, type: nvme}
mem_size: 4192
- {size: 10}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
@ -11,7 +10,4 @@ firewall_in:
- {proto: tcp, port: 465}
- {proto: tcp, port: 587}
- {proto: tcp, port: 993}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
sssd_allow_groups:
- sysadm
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

4
group_vars/minecraft.yml
View file

@ -1,9 +1,9 @@
---
mem_size: 4096
datadisks:
- {size: 100, type: nvme}
- {size: 100}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.30.0/24]}
- {proto: tcp, port: 4949, from: [172.20.30.0/24]}
- {proto: tcp, port: 25565, from: [172.20.30.0/24]}
- {proto: udp, port: 25565, from: [172.20.30.0/24]}

5
group_vars/mirror.yml
View file

@ -1,9 +1,10 @@
---
datadisks:
- {size: 1500, type: hdd}
- {size: 1000}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 873, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

1
group_vars/mongodb.yml
View file

@ -4,4 +4,3 @@ datadisks:
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 27017, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}

9
group_vars/mqtt.yml
View file

@ -3,12 +3,5 @@ firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.27.0/24]}
- {proto: tcp, port: 1883, from: [172.20.27.0/24]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}
- {proto: tcp, port: 8883, from: [172.20.20.0/22, 172.20.27.0/24]}
network_vip_interfaces:
- device: vio1
vhid: 13
ipaddr: 172.20.27.13
netmask: 255.255.255.0
pass: "{{ vip13_pass }}"

9
group_vars/nas.yml
View file

@ -2,14 +2,11 @@
mem_size: 8192
num_cpus: 2
datadisks:
- {size: 500, type: hdd}
- {size: 50, type: nvme}
- {size: 1000}
- {size: 400, type: nvme}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 2049, from: [172.20.20.0/22]}
- {proto: tcp, port: 2049, from: [172.20.30.0/24]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
sssd_allow_groups:
- root
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

25
group_vars/nms.yml Normal file
View file

@ -0,0 +1,25 @@
---
datadisks:
- {size: 10}
network_vip_interfaces:
- device: eth1
vhid: 25
ipaddr: 172.20.25.1
netmask: 255.255.0.0
pass: "{{ vip25_pass }}"
priority: "{{ vip25_priority }}"
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 25, from: [172.20.25.0/24]}
- {proto: tcp, port: 53, from: [172.20.25.0/24]}
- {proto: udp, port: 53, from: [172.20.25.0/24]}
- {proto: udp, port: 69, from: [172.20.25.0/24]}
- {proto: udp, port: 123, from: [172.20.25.0/24]}
- {proto: tcp, port: 443, from: [172.20.25.0/24]}
- {proto: udp, port: 514, from: [172.20.25.0/24]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}
firewall_raw:
- "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
- "-A INPUT -i eth1 -p vrrp -j ACCEPT"

5
group_vars/ns.yml
View file

@ -1,13 +1,12 @@
---
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22, "{{ gw_home_ip }}/32"]}
- {proto: tcp, port: 22, from: [172.20.20.0/22, 81.175.130.44/32]}
- {proto: tcp, port: 53}
- {proto: udp, port: 53}
- {proto: tcp, port: 80}
- {proto: tcp, port: 443}
- {proto: tcp, port: 853}
- {proto: tcp, port: 9100}
- {proto: tcp, port: 9115}
- {proto: tcp, port: 4949, from: [172.20.20.0/22, 81.175.130.44/32]}
firewall_raw:
- pass quick proto carp

5
group_vars/ocinode.yml
View file

@ -1,10 +1,7 @@
---
# increase memory size
mem_size: 8192
# increase disk size to store docker images
dsk_size: 100
mem_size: 4192
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}

11
group_vars/openbsd.yml
View file

@ -1,4 +1,7 @@
---
# fix python path errors
ansible_python_interpreter: "/usr/local/bin/python3"
# we have real wheel group
ansible_wheel: wheel
@ -14,9 +17,5 @@ num_cpus: 2
# extra args for virt-install
virt_install_os_args: --cdrom {{ boot_url }}/openbsd/openbsd.iso
virt_install_os_variant: openbsd7.6
virt_install_python_cmd:
- pkg_add
- -I
- -x
- python%3
virt_install_os_variant: openbsd7.0
virt_install_python_cmd: pkg_add python3 -I -x

16
group_vars/print.yml
View file

@ -7,20 +7,14 @@ network_vip_interfaces:
pass: "{{ vip24_pass }}"
priority: "{{ vip24_priority }}"
dhcpd_template: dhcpd.conf.print.j2
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 53, from: [172.20.24.0/24]}
- {proto: udp, port: 53, from: [172.20.24.0/24]}
- {proto: tcp, port: 631, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}
firewall_raw:
- "ip daddr 224.0.0.0/8 accept"
dhcpd_template: dhcpd.conf.print.j2
dhcpd_ldap_filter: >-
(&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.print.foo.sh))
sssd_allow_groups:
- sysadm
unbound_zones:
- 24.20.172.in-addr.arpa
- print.foo.sh
- "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
- "-A INPUT -i eth1 -p vrrp -j ACCEPT"

8
group_vars/prometheus.yml
View file

@ -1,8 +0,0 @@
---
datadisks:
- {size: 100, type: nvme}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}

10
group_vars/proxy.yml
View file

@ -4,6 +4,12 @@ mem_size: 1024
# use bigger disk for os as we have web site data there
dsk_size: 30
network_dns_servers:
- 172.20.20.10
- 172.20.21.7
- 172.20.21.8
network_dns_search:
- foo.sh
network_default_gateway: 37.16.96.145
network_vip_interfaces:
@ -42,4 +48,6 @@ firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 80}
- {proto: tcp, port: 443}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 636}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}
- {proto: tcp, port: 6514}

7
group_vars/relay.yml
View file

@ -1,4 +1,10 @@
---
network_dns_servers:
- 172.20.20.10
- 172.20.21.7
- 172.20.21.8
network_dns_search:
- foo.sh
network_default_gateway: 37.16.96.145
network_vip_interfaces:
@ -35,4 +41,3 @@ firewall_in:
- {proto: tcp, port: 443}
- {proto: tcp, port: 636}
- {proto: tcp, port: 6514}
- {proto: tcp, port: 9100}

29
group_vars/rocky10.yml
View file

@ -1,29 +0,0 @@
---
# default resources for new vm
dsk_size: 20
mem_size: 2048
num_cpus: 2
# extra args for virt-install
ks_file: "{{ boot_url }}/ks/rocky10.ks"
ipcmd: >-
{% if network_interfaces[0]['proto'] is defined %}
{% if network_interfaces[0]['proto'] == 'static' %}
{% set int=network_interfaces[0] %}
{% if int['ipaddr'] is defined and int['gateway'] is defined %}
nameserver=8.8.8.8
ip={{ int['ipaddr'] }}::{{ int['gateway'] }}:{{ int['netmask'] }}::eth0:none
{% endif %}
{% endif %}
{% endif %}
virt_install_os_args: >-
--location
https://nic.funet.fi/pub/mirrors/rockylinux.org/10/BaseOS/x86_64/os
--extra-args
"inst.ks={{ ks_file }}
console=ttyS0
net.ifnames=0
bootdev=eth0
inst.repo=https://nic.funet.fi/pub/mirrors/rockylinux.org/10/BaseOS/x86_64/os
{{ ipcmd }}"
virt_install_os_variant: rhel10-unknown

3
group_vars/rocky8.yml
View file

@ -4,9 +4,6 @@ dsk_size: 20
mem_size: 2048
num_cpus: 2
# el8 hosts have different python
ansible_python_interpreter: /usr/libexec/platform-python
# extra args for virt-install
ks_file: "{{ boot_url }}/ks/rocky8.ks"
ipcmd: >-

5
group_vars/sane.yml
View file

@ -1,5 +0,0 @@
---
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}

10
group_vars/shell.yml
View file

@ -1,4 +1,6 @@
---
# beef up shell hosts
dsk_size: 40
mem_size: 8192
num_cpus: 4
@ -7,10 +9,4 @@ firewall_in:
- {proto: tcp, port: 22}
- {proto: tcp, port: 80}
- {proto: tcp, port: 443}
- {proto: tcp, port: 9100, from: [212.149.248.65/32]}
ssh_hostnames:
- shell.foo.sh
sssd_allow_groups:
- foosh
- {proto: tcp, port: 4949, from: [81.175.130.44/32]}

2
group_vars/sqldb.yml
View file

@ -1,8 +1,6 @@
---
mem_size: 4096
datadisks:
- {size: 20, type: nvme}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 3306, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}

5
group_vars/static.yml
View file

@ -2,7 +2,4 @@
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
sssd_allow_groups:
- root
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

7
group_vars/vmhost.yml
View file

@ -1,9 +1,4 @@
---
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
chrony_servers:
- time1.google.com
- time2.google.com
- time3.google.com
- time4.google.com
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

23
group_vars/zm.yml Normal file
View file

@ -0,0 +1,23 @@
---
mem_size: 4096
num_cpus: 2
datadisks:
- {size: 500}
network_vip_interfaces:
- device: eth1
vhid: 26
ipaddr: 172.20.26.1
netmask: 255.255.0.0
pass: "{{ vip26_pass }}"
zm_mysql_host: sqldb02.home.foo.sh
dhcpd_template: dhcpd.conf.cam.j2
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}
firewall_raw:
- "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
- "-A INPUT -i eth1 -p vrrp -j ACCEPT"

13
host_vars/adm01.home.foo.sh.yml
View file

@ -4,16 +4,3 @@ network_interfaces:
- device: eth0
vlan: 20
mac: "52:54:00:ac:dc:0b"
- device: eth1
vlan: 25
ipaddr: 172.20.25.2
netmask: 255.255.255.0
proto: static
nameservers: [172.20.25.1, 172.20.25.2, 172.20.25.3]
- device: eth2
vlan: 103
ipaddr: 192.168.100.2
netmask: 255.255.255.248
proto: static
vip25_priority: 128

13
host_vars/adm02.home.foo.sh.yml
View file

@ -4,16 +4,3 @@ network_interfaces:
- device: eth0
vlan: 20
mac: "52:54:00:ac:dc:0c"
- device: eth1
vlan: 25
ipaddr: 172.20.25.3
netmask: 255.255.255.0
proto: static
nameservers: [172.20.25.1, 172.20.25.2, 172.20.25.3]
- device: eth2
vlan: 103
ipaddr: 192.168.100.3
netmask: 255.255.255.248
proto: static
vip25_priority: 1

6
host_vars/audiobooks02.home.foo.sh.yml
View file

@ -1,6 +0,0 @@
---
vmhost: vmhost02.home.foo.sh
network_interfaces:
- device: eth0
vlan: 20
mac: "52:54:00:ac:dc:48"

4
host_vars/backup02.home.foo.sh.yml
View file

@ -6,5 +6,5 @@ network_interfaces:
mac: 52:54:00:ac:dc:50
datadisks:
- {size: 1000}
virt_install_devices:
- "02:04.0"
passthrough_devices:
- "07:04.0"

2
host_vars/dna-gw01.home.foo.sh.yml
View file

@ -10,5 +10,3 @@ network_interfaces:
- device: vio1
vlan: 103
proto: none
vip11_priority: 240
vip12_priority: 120

2
host_vars/dna-gw02.home.foo.sh.yml
View file

@ -10,5 +10,3 @@ network_interfaces:
- device: vio1
vlan: 103
proto: none
vip11_priority: 120
vip12_priority: 240

14
host_vars/dna-gw03.lan.foo.sh.yml
View file

@ -1,14 +0,0 @@
---
vmhost: vmhost01.home.foo.sh
network_interfaces:
- device: vio0
vlan: 30
mac: 52:54:00:ca:fe:03
ipaddr: 172.20.30.3
netmask: 255.255.255.0
proto: static
- device: vio1
vlan: 103
proto: none
vip11_priority: 240
vip12_priority: 120

14
host_vars/dna-gw04.lan.foo.sh.yml
View file

@ -1,14 +0,0 @@
---
vmhost: vmhost02.home.foo.sh
network_interfaces:
- device: vio0
vlan: 30
mac: 52:54:00:ca:fe:04
ipaddr: 172.20.30.4
netmask: 255.255.255.0
proto: static
- device: vio1
vlan: 103
proto: none
vip11_priority: 120
vip12_priority: 240

14
host_vars/dna-gw05.iot.foo.sh.yml
View file

@ -1,14 +0,0 @@
---
vmhost: vmhost01.home.foo.sh
network_interfaces:
- device: vio0
vlan: 27
mac: 52:54:00:da:da:05
ipaddr: 172.20.27.5
netmask: 255.255.255.0
proto: static
- device: vio1
vlan: 103
proto: none
vip11_priority: 240
vip12_priority: 120

14
host_vars/dna-gw06.iot.foo.sh.yml
View file

@ -1,14 +0,0 @@
---
vmhost: vmhost02.home.foo.sh
network_interfaces:
- device: vio0
vlan: 27
mac: 52:54:00:da:da:06
ipaddr: 172.20.27.6
netmask: 255.255.255.0
proto: static
- device: vio1
vlan: 103
proto: none
vip11_priority: 120
vip12_priority: 240

1
host_vars/fsol-gw01.home.foo.sh.yml
View file

@ -15,7 +15,6 @@ network_interfaces:
- device: vio2
vlan: 103
proto: dhcp
rdomain: 1
- device: vio3
vlan: 102
proto: none

1
host_vars/fsol-gw02.home.foo.sh.yml
View file

@ -15,7 +15,6 @@ network_interfaces:
- device: vio2
vlan: 103
proto: dhcp
rdomain: 1
- device: vio3
vlan: 102
proto: none

2
host_vars/forgejo02.home.foo.sh.yml → host_vars/gitea-runner02.home.foo.sh.yml
View file

@ -3,4 +3,4 @@ vmhost: vmhost02.home.foo.sh
network_interfaces:
- device: eth0
vlan: 20
mac: 52:54:00:ac:dc:80
mac: 52:54:00:ac:dc:7c

2
host_vars/mirror02.home.foo.sh.yml → host_vars/gitea02.home.foo.sh.yml
View file

@ -3,4 +3,4 @@ vmhost: vmhost02.home.foo.sh
network_interfaces:
- device: eth0
vlan: 20
mac: 52:54:00:ac:dc:14
mac: 52:54:00:ac:dc:78

8
host_vars/homeassistant01.home.foo.sh.yml
View file

@ -5,8 +5,6 @@ network_interfaces:
vlan: 20
mac: 52:54:00:ac:dc:73
- device: eth1
mac: 52:54:00:da:da:15
vlan: 27
ipaddr: 172.20.27.21
netmask: 255.255.255.0
proto: static
vlan: 30
virt_install_devices:
- 003.002

2
host_vars/ldap01.home.foo.sh.yml
View file

@ -5,6 +5,6 @@ network_interfaces:
vlan: 20
mac: 52:54:00:ac:dc:1f
datadisks:
- {size: 10, type: nvme}
- {size: 10}
ldap_master: true

2
host_vars/prometheus01.home.foo.sh.yml → host_vars/mirror01.home.foo.sh.yml
View file

@ -3,4 +3,4 @@ vmhost: vmhost01.home.foo.sh
network_interfaces:
- device: eth0
vlan: 20
mac: "52:54:00:ac:dc:83"
mac: 52:54:00:ac:dc:13

3
host_vars/mqtt02.home.foo.sh.yml
View file

@ -6,7 +6,6 @@ network_interfaces:
mac: 52:54:00:ac:dc:70
- device: vio1
vlan: 27
mac: 52:54:00:da:da:16
ipaddr: 172.20.27.22
ipaddr: 172.20.27.3
netmask: 255.255.255.0
proto: static

2
host_vars/nas02.home.foo.sh.yml
View file

@ -6,6 +6,6 @@ network_interfaces:
mac: 52:54:00:ac:dc:34
- device: eth1
vlan: 30
ipaddr: 172.20.30.32
ipaddr: 172.20.30.11
netmask: 255.255.255.0
proto: static

20
host_vars/nms01.home.foo.sh.yml Normal file
View file

@ -0,0 +1,20 @@
---
vmhost: vmhost01.home.foo.sh
network_interfaces:
- device: eth0
vlan: 20
mac: "52:54:00:ac:dc:43"
nameservers: []
- device: eth1
vlan: 25
ipaddr: 172.20.25.2
netmask: 255.255.255.0
proto: static
nameservers: [172.20.25.1, 172.20.25.2, 172.20.25.3]
- device: eth2
vlan: 103
ipaddr: 192.168.100.2
netmask: 255.255.255.248
proto: static
vip25_priority: 128

20
host_vars/nms02.home.foo.sh.yml Normal file
View file

@ -0,0 +1,20 @@
---
vmhost: vmhost02.home.foo.sh
network_interfaces:
- device: eth0
vlan: 20
mac: "52:54:00:ac:dc:44"
nameservers: []
- device: eth1
vlan: 25
ipaddr: 172.20.25.3
netmask: 255.255.255.0
proto: static
nameservers: [172.20.25.1, 172.20.25.2, 172.20.25.3]
- device: eth2
vlan: 103
ipaddr: 192.168.100.3
netmask: 255.255.255.248
proto: static
vip25_priority: 0

2
host_vars/oci-node01.home.foo.sh.yml
View file

@ -1,7 +1,5 @@
---
vmhost: vmhost01.home.foo.sh
datadisks:
- {size: 10, type: nvme}
network_interfaces:
- device: eth0
vlan: 20

8
host_vars/sane02.home.foo.sh.yml
View file

@ -1,8 +0,0 @@
---
vmhost: vmhost02.home.foo.sh
network_interfaces:
- device: eth0
vlan: 20
mac: "52:54:00:ac:dc:88"
virt_install_devices:
- 001.003

2
host_vars/shell01.foo.sh.yml
View file

@ -12,5 +12,5 @@ network_interfaces:
ipaddr: 172.20.30.21
netmask: 255.255.255.0
proto: static
nameservers: [172.20.30.10, 172.20.30.11, 172.20.30.12]
nameservers: [172.20.30.2]
ip6addr: none

2
host_vars/shell02.foo.sh.yml
View file

@ -12,5 +12,5 @@ network_interfaces:
ipaddr: 172.20.30.22
netmask: 255.255.255.0
proto: static
nameservers: [172.20.30.10, 172.20.30.11, 172.20.30.12]
nameservers: [172.20.30.2]
ip6addr: none

4
host_vars/frigate02.home.foo.sh.yml → host_vars/zm02.home.foo.sh.yml
View file

@ -3,7 +3,7 @@ vmhost: vmhost02.home.foo.sh
network_interfaces:
- device: eth0
vlan: 20
mac: "52:54:00:ac:dc:8c"
mac: "52:54:00:ac:dc:4c"
nameservers: []
- device: eth1
vlan: 26
@ -11,5 +11,3 @@ network_interfaces:
netmask: 255.255.255.0
proto: static
nameservers: [172.20.26.1, 172.20.26.3]
virt_install_devices:
- 004.002

117
hosts.yml
View file

@ -3,11 +3,6 @@ adm:
hosts:
adm01.home.foo.sh:
adm02.home.foo.sh:
vars:
snmp_exporter_version: "0.29.0"
audiobooks:
hosts:
audiobooks02.home.foo.sh:
backup:
hosts:
backup02.home.foo.sh:
@ -15,52 +10,28 @@ collab:
hosts:
collab01.home.foo.sh:
dnagw:
children:
dnagw_home:
hosts:
dna-gw01.home.foo.sh:
dna-gw02.home.foo.sh:
dnagw_lan:
hosts:
dna-gw03.lan.foo.sh:
dna-gw04.lan.foo.sh:
vars:
ssh_jumphost: gw.lan.foo.sh
ansible_ssh_common_args: "{{ ('-J root@' + ssh_jumphost) | default(undef) }}"
dnagw_iot:
hosts:
dna-gw05.iot.foo.sh:
dna-gw06.iot.foo.sh:
vars:
ssh_jumphost: gw.iot.foo.sh
ansible_ssh_common_args: "{{ ('-J root@' + ssh_jumphost) | default(undef) }}"
forgejo:
hosts:
forgejo02.home.foo.sh:
vars:
forgejo_version: "11.0.3"
frigate:
hosts:
frigate02.home.foo.sh:
vars:
frigate_version: "0.15.1"
dna-gw01.home.foo.sh:
dna-gw02.home.foo.sh:
fsolgw:
hosts:
fsol-gw01.home.foo.sh:
fsol-gw02.home.foo.sh:
gitea:
hosts:
gitea02.home.foo.sh:
vars:
gitea_version: "1.19.4"
gitearunner:
hosts:
gitea-runner02.home.foo.sh:
vars:
gitea_runner_version: "0.2.3"
homeassistant:
hosts:
homeassistant01.home.foo.sh:
vars:
homeassistant_version: "2025.7.1"
homeassistant_integrations:
- name: electrolux_status
repo: https://github.com/albaintor/homeassistant_electrolux_status.git
version: v2.2.0
- name: espsomfy_rts
repo: https://github.com/rstrouse/ESPSomfy-RTS-HA.git
version: v2.4.7
nodered_version: 4.0.9
homeassistant_version: "2023.7"
influxdb:
hosts:
influxdb01.home.foo.sh:
@ -74,14 +45,12 @@ log:
mail:
hosts:
mail02.home.foo.sh:
vars:
opendkim_selector: 20250601
minecraft:
hosts:
minecraft01.home.foo.sh:
mirror:
hosts:
mirror02.home.foo.sh:
mirror01.home.foo.sh:
mongodb:
hosts:
mongodb01.home.foo.sh:
@ -91,6 +60,10 @@ mqtt:
nas:
hosts:
nas02.home.foo.sh:
nms:
hosts:
nms01.home.foo.sh:
nms02.home.foo.sh:
ns:
hosts:
ns01.home.foo.sh:
@ -101,35 +74,20 @@ ocinode:
oci-node01.home.foo.sh:
oci-node02.home.foo.sh:
vars:
grafana_version: "12.0.2"
phpldapadmin_version: "2.2.1"
rocketchat_version: "7.8.0"
roundcube_version: "1.6.11"
grafana_version: "10.0.2"
rocketchat_version: "6.2.10"
roundcube_version: "1.6.1"
print:
hosts:
print01.home.foo.sh:
prometheus:
hosts:
prometheus01.home.foo.sh:
vars:
mysqld_exporter_version: "0.17.2"
nginx_exporter_version: "1.4.2"
proxy:
hosts:
proxy01.home.foo.sh:
proxy02.home.foo.sh:
redis:
hosts:
redis01.home.foo.sh:
relay:
hosts:
relay01.home.foo.sh:
relay02.home.foo.sh:
sane:
hosts:
sane02.home.foo.sh:
vars:
scanservjs_version: "v3.0.3"
shell:
hosts:
shell01.foo.sh:
@ -145,15 +103,23 @@ vmhost:
hosts:
vmhost01.home.foo.sh:
vmhost02.home.foo.sh:
zm:
hosts:
zm02.home.foo.sh:
sftpbackup:
children:
collab:
ldap:
mongodb:
sqldb:
vultr:
hosts:
atl01.vultr.foo.sh:
fedora:
children:
gitearunner:
openbsd:
children:
backup:
@ -163,30 +129,27 @@ openbsd:
mqtt:
ns:
proxy:
redis:
relay:
rocky8:
children:
collab:
homeassistant:
mail:
minecraft:
nas:
nms:
ocinode:
print:
shell:
zm:
rocky9:
children:
adm:
audiobooks:
forgejo:
frigate:
homeassistant:
gitea:
influxdb:
ldap:
mail:
minecraft:
mirror:
mongodb:
nas:
ocinode:
print:
prometheus:
sane:
shell:
sqldb:
static:
vmhost:

120
playbooks/adm.yml
View file

@ -18,7 +18,7 @@
name: /export
src: LABEL=/export
fstype: xfs
opts: noatime,nosuid,nodev
opts: noatime,noexec,nosuid,nodev
passno: "0"
dump: "0"
state: mounted
@ -27,71 +27,30 @@
- base
- ansible_host
- certbot
- cups
- nginx
- role: nginx_site
nginx_site_name: oob.foo.sh
nginx_site_plaintest: false
- sshca
- ssh_known_hosts
- role: keytab
keytab_principals:
principals:
- "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
- nfs_client
- role: autofs
autofs_home: false
- sssd
- mkhomedir
- aten_pdu
- routeros
- rpm_build
- snmp_exporter
- web_build
tasks:
- name: Run handlers to get interfaces configured
ansible.builtin.meta: flush_handlers
- name: Enable UDP rsyslog server
ansible.builtin.import_role:
name: rsyslog
tasks_from: udp-listen
- name: Enable postfix mail relay
ansible.builtin.import_role:
name: postfix
tasks_from: relay
vars:
relay_domains: [foo.sh]
- name: Import unbound role
ansible.builtin.import_role:
name: unbound
- name: Import dhcpd role
ansible.builtin.import_role:
name: dhcpd
- name: Install packages
ansible.builtin.package:
name: "{{ item }}"
state: installed
with_items:
- emacs-nox # more editors
- httpd-tools # htpasswd
- knot-utils # kdig (dns over tls)
- libvirt-client # kvm host client
- make # generic building
- mariadb # mariadb client tools
- mosquitto # mqtt reading
- nano # more editors
- nmap # check for open ports
- nsd # check dns zone files
- podman # building containers
- pylint # python linting
- python3-flake8 # python linting
- speedtest-cli # testing network speed
- ShellCheck # shell script linting
- virt-install # install kvm guests
- wget # still in backbone for downloads
- whois # read whois data
@ -104,79 +63,6 @@
Host shell??.foo.sh
CheckHostIP no
dest: /root/.ssh/config
mode: "0600"
owner: root
group: "{{ ansible_wheel }}"
- name: Configure jumphosts
ansible.builtin.copy:
dest: /etc/ssh/ssh_config.d/jumphost.conf
content: |
Host *.iot.foo.sh !gw.iot.foo.sh
ProxyJump gw.iot.foo.sh
Host *.lan.foo.sh !gw.lan.foo.sh
ProxyJump gw.lan.foo.sh
mode: "0644"
owner: root
group: "{{ ansible_wheel }}"
- name: Clone dns repo
ansible.builtin.git:
dest: /export/dns
repo: https://adm01.home.foo.sh/dns.git
update: true
version: master
environment:
GIT_SSL_CAINFO: "{{ tls_certs }}/ca.crt"
GIT_SSL_CERT: "{{ tls_certs }}/{{ inventory_hostname }}.crt"
GIT_SSL_KEY: "{{ tls_private }}/{{ inventory_hostname }}.key"
when: 'inventory_hostname != "adm01.home.foo.sh"'
- name: Link dns repo
ansible.builtin.file:
dest: /srv/dns
src: /export/dns
state: link
owner: root
group: "{{ ansible_wheel }}"
follow: false
- name: Add cron job to sync dns repo
ansible.builtin.cron:
name: sync dns repository
job: >-
GIT_SSL_CAINFO="{{ tls_certs }}/ca.crt"
GIT_SSL_CERT="{{ tls_certs }}/{{ inventory_hostname }}.crt"
GIT_SSL_KEY="{{ tls_private }}/{{ inventory_hostname }}.key"
git -C /srv/dns pull -q
minute: "02"
when: 'inventory_hostname != "adm01.home.foo.sh"'
- name: Links dns repo to web
ansible.builtin.file:
dest: "/srv/web/{{ inventory_hostname }}/dns.git"
src: /srv/dns/.git
state: link
owner: root
group: "{{ ansible_wheel }}"
- name: Add mqtt-tail script
ansible.builtin.copy:
dest: /usr/local/bin/mqtt-tail
content: |
#!/bin/sh
set -eu
if [ -n "${1:-}" ]; then
topic="$1"
shift
else
topic="#"
fi
if [ $# -ne 0 ]; then
echo "Usage: $(basename "$0") [topic]" 1>&2
exit 1
fi
exec mosquitto_sub -h mqtt02.home.foo.sh -v -t "$topic" \
--cafile "{{ tls_certs }}/ca.crt" \
--cert "{{ tls_certs }}/{{ inventory_hostname }}.crt" \
--key "{{ tls_private }}/{{ inventory_hostname }}.key" \
mode: "0755"
mode: 0600
owner: root
group: "{{ ansible_wheel }}"

25
playbooks/audiobooks.yml
View file

@ -1,25 +0,0 @@
---
- name: Deploy KVM virtual machines
ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
vars:
myhosts: audiobooks
- name: Configure instance
hosts: audiobooks
user: root
gather_facts: true
pre_tasks:
- name: Mount /export
ansible.posix.mount:
name: /export
src: LABEL=/export
fstype: xfs
opts: noatime,nosuid,nodev
passno: "0"
dump: "0"
state: mounted
roles:
- base
- audiobookshelf

11
playbooks/backup.yml
View file

@ -15,7 +15,7 @@
name: /export
src: /dev/sd1a
fstype: ffs
opts: rw,softdep,noatime,noexec,nosuid,nodev
opts: rw,softdep,noatime
passno: "1"
dump: "2"
state: mounted
@ -25,10 +25,5 @@
roles:
- base
- backup_base
- backup_bitbucket
- backup_github
- role: rclone
rclone_hostgroup: sftpbackup
rclone_service: backup
- rsync_backup
- backup_server
- sftpbackup

10
playbooks/collab.yml
View file

@ -28,9 +28,9 @@
- collab
- mod_auth_gssapi
- role: keytab
keytab_path: /etc/httpd/httpd.keytab
keytab_principals: HTTP/collab.foo.sh@FOO.SH
keytab_group: apache
keytab: /etc/httpd/httpd.keytab
principals: HTTP/collab.foo.sh@FOO.SH
group: apache
- ldap
tasks:
@ -38,7 +38,7 @@
ansible.builtin.copy:
content: "RedirectMatch permanent \"^/$\" /collab/\n"
dest: "/etc/httpd/conf.local.d/redirects.conf"
mode: "0644"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
notify: Restart apache
@ -61,7 +61,7 @@
dest: /srv/wikis/collab/htdocs/.htaccess
owner: collab
group: collab
mode: "0660"
mode: 0660
seuser: _default
setype: _default

127
playbooks/dna-gw.yml
View file

@ -14,17 +14,29 @@
roles:
- base
- ifstated
- dhcpd
- nginx
- role: nginx_site
nginx_site_name: gw.home.foo.sh
nginx_site_verify_client: true
when: "'gw.home.foo.sh' in ssh_hostnames"
- nginx/server
- role: nginx/site
site: gw.home.foo.sh
- tftp
- role: websockify
when: "'gw.home.foo.sh' in ssh_hostnames"
- websockify
tasks:
- name: Use configured dns servers and domain name
ansible.builtin.copy:
dest: /etc/dhclient.conf
content: "ignore domain-name-servers, domain-name;\n"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
- name: Disable resolvd
ansible.builtin.service:
name: resolvd
state: stopped
enabled: false
- name: Enable ip forwarding
ansible.posix.sysctl:
name: "{{ item }}"
@ -37,41 +49,114 @@
- name: Run handlers to get interfaces configured
ansible.builtin.meta: flush_handlers
- name: Import ifstated role
ansible.builtin.import_role:
name: ifstated
- name: Create tftp boot directories
ansible.builtin.file:
path: /srv/tftpboot/etc
state: directory
mode: 0755
owner: root
group: "{{ ansible_wheel }}"
- name: Create tftp boot config for OpenBSD installs
ansible.builtin.copy:
dest: /srv/tftpboot/etc/boot.conf
content: |
stty com0 115200
set tty com0
boot tftp:bsd.rd
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
- name: Create tftp pxeboot loader for OpenBSD installs
ansible.builtin.get_url:
url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.3/amd64/pxeboot"
checksum: sha1:161b36d4ae3d786aa98c4836abba25f2bca8979d
dest: /srv/tftpboot/pxeboot
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
- name: Create tftp ramdisk for OpenBSD installs
ansible.builtin.get_url:
url: "https://ftp.eu.openbsd.org/pub/OpenBSD//7.3/amd64/bsd.rd"
checksum: sha1:72b46ad8e97b2082d145a739264e818dcd154021
dest: /srv/tftpboot/bsd.rd
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
- name: Create install.conf for OpenBSD installs
ansible.builtin.get_url:
url: "https://boot.foo.sh/openbsd/install.conf"
checksum: sha1:f6270708dad3f759df02eefeab300d9b8670f3d4
dest: /srv/tftpboot/install.conf
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
- name: Copy custom to allow plaint http access with internal IP
ansible.builtin.copy:
dest: /etc/nginx/conf.d/172.20.20.1.conf
content: |
server {
listen 172.20.20.10:80;
server_name 172.20.20.10;
access_log /var/www/logs/172.20.20.10.access.log combined;
error_log /var/www/logs/172.20.20.10.error.log warn;
location / {
location /install.conf {
alias /srv/tftpboot/install.conf;
}
location / {
deny all;
}
}
}
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
notify: Restart nginx
- name: Copy DNS private key
ansible.builtin.copy:
dest: "{{ tls_private }}/dns.{{ intdomain }}.key"
dest: "{{ tls_private }}/dns.home.foo.sh.key"
src: "{{ item }}"
mode: "0600"
mode: 0600
owner: root
group: "{{ ansible_wheel }}"
with_first_found:
- "/srv/letsencrypt/live/dns.{{ intdomain }}/privkey.pem"
- /srv/letsencrypt/live/dns.home.foo.sh/privkey.pem
- "/srv/ca/private/{{ inventory_hostname }}.key"
tags: certificates
notify: Restart unbound
- name: Copy DNS certificate and ca cert
ansible.builtin.copy:
dest: "{{ tls_certs }}/dns.{{ intdomain }}.crt"
dest: "{{ tls_certs }}/dns.home.foo.sh.crt"
src: "{{ item }}"
mode: "0644"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
with_first_found:
- "/srv/letsencrypt/live/dns.{{ intdomain }}/fullchain.pem"
- /srv/letsencrypt/live/dns.home.foo.sh/fullchain.pem
- "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
tags: certificates
notify: Restart unbound
- name: Copy DNS zone files
ansible.builtin.copy:
dest: "/var/unbound/db/{{ item }}"
src: "/srv/dns/{{ item }}"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
tags: dns
notify: Restart unbound
with_items:
- 20.172.in-addr.arpa
- home.foo.sh
- name: Import unbound role
ansible.builtin.import_role:
name: unbound
- name: Import unbound_exporter role
ansible.builtin.import_role:
name: unbound_exporter
when: "'gw.home.foo.sh' in ssh_hostnames"

66
playbooks/frigate.yml
View file

@ -1,66 +0,0 @@
---
- name: Deploy KVM virtual machines
ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
vars:
myhosts: frigate
- name: Configure instance
hosts: frigate
user: root
gather_facts: true
vars_files:
- "{{ ansible_private }}/vars.yml"
pre_tasks:
- name: Mount datadirectories
ansible.posix.mount:
name: "/export/frigate/{{ item }}"
src: "LABEL={{ item }}"
fstype: xfs
opts: noatime,noexec,nosuid,nodev
passno: "0"
dump: "0"
state: mounted
with_items:
- config
- media
roles:
- base
- mod_auth_gssapi
- role: keytab
keytab_path: /etc/httpd/httpd.keytab
keytab_principals: HTTP/cctv.foo.sh@FOO.SH
keytab_group: apache
tasks:
- name: Include unbound role
ansible.builtin.import_role:
name: unbound
- name: Run handlers to get interfaces configured
ansible.builtin.meta: flush_handlers
- name: Include dhcpd role
ansible.builtin.include_role:
name: dhcpd
- name: Include frigate role
ansible.builtin.include_role:
name: frigate
- name: Require authentication for frigate
ansible.builtin.copy:
dest: /etc/httpd/conf.local.d/frigate-auth.conf
content: |
<Location /frigate>
AuthType GSSAPI
GssapiBasicAuth On
AuthName "Password Required"
Require valid-user
</Location>
mode: "0644"
owner: root
group: "{{ ansible_wheel }}"
notify: Restart apache

18
playbooks/fsol-gw.yml
View file

@ -12,6 +12,13 @@
vars_files:
- "{{ ansible_private }}/vars.yml"
pre_tasks:
- name: Disable resolvd service
ansible.builtin.service:
name: resolvd
state: stopped
enabled: false
tasks:
- name: Enable IP forwarding
ansible.posix.sysctl:
@ -23,19 +30,16 @@
- net.inet6.ip6.forwarding
- name: Manually set DNS servers
ansible.builtin.copy:
dest: /etc/dhcpleased.conf
content: |
interface vio2 {
ignore dns
}
mode: "0644"
dest: /etc/dhclient.conf
content: "ignore domain-name-servers, domain-name;\n"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
- name: Create pfsync interface
ansible.builtin.copy:
dest: /etc/hostname.pfsync0
content: "up syncdev vio1\n"
mode: "0600"
mode: 0600
owner: root
group: "{{ ansible_wheel }}"

14
playbooks/gitea-runner.yml Normal file
View file

@ -0,0 +1,14 @@
---
- name: Deploy KVM virtual machines
ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
vars:
myhosts: gitearunner
- name: Configure instance
hosts: gitearunner
user: root
gather_facts: true
roles:
- base
- gitea_runner

6
playbooks/forgejo.yml → playbooks/gitea.yml
View file

@ -2,10 +2,10 @@
- name: Deploy KVM virtual machines
ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
vars:
myhosts: forgejo
myhosts: gitea
- name: Configure instance
hosts: forgejo
hosts: gitea
user: root
gather_facts: true
@ -25,4 +25,4 @@
roles:
- base
- forgejo
- gitea

3
playbooks/homeassistant.yml
View file

@ -9,9 +9,6 @@
user: root
gather_facts: true
vars_files:
- "{{ ansible_private }}/vars.yml"
pre_tasks:
- name: Mount /export
ansible.posix.mount:

24
playbooks/include/deploy-kvm-guest.yml
View file

@ -9,7 +9,7 @@
char: "{{ 'bcdefghijklmnopqrstuvwxyz'|list }}"
console_log: "/var/log/libvirt/qemu/{{ inventory_hostname }}.console.log"
os_disk_image: "/srv/libvirt/os/{{ inventory_hostname }}.a.img"
os_disk_image: "/srv/libvirt/ssd/{{ inventory_hostname }}.a.img"
dsk_opts: bus=virtio,cache=none,device=disk,format=raw,sparse=no
inject: >-
@ -75,7 +75,7 @@
echo '{{ root_pubkey }}' > /root/.ssh/authorized_keys
%end
dest: "{{ tmpdir.path }}/include.ks"
mode: "0600"
mode: 0600
owner: root
group: "{{ ansible_wheel }}"
delegate_to: "{{ vmhost }}"
@ -99,11 +99,7 @@
{% endif -%}
{% if virt_install_devices is defined -%}
{% for dev in virt_install_devices -%}
{% if dev | regex_search('^/dev/tty') -%}
--serial dev,path={{ dev }}
{% else -%}
--hostdev {{ dev }} \
{% endif -%}
{% endfor -%}
{% else -%}
--controller usb,model=none \
@ -146,7 +142,7 @@
port: 22
state: started
timeout: 1200
delegate_to: "{{ ssh_jumphost | default('localhost') }}"
delegate_to: localhost
when: inventory_hostname not in result.list_vms
- name: Get SSH public keys from new host
@ -156,7 +152,7 @@
- -t
- ed25519
- "{{ inventory_hostname }}"
delegate_to: "{{ ssh_jumphost | default('localhost') }}"
delegate_to: localhost
register: hostkeys
when: inventory_hostname not in result.list_vms
@ -165,15 +161,17 @@
path: /root/.ssh/known_hosts
key: "{{ item }}"
host: "{{ inventory_hostname }}"
with_items: "{{ hostkeys.stdout.splitlines() | reject('match', '^#.*') }}"
with_items: "{{ hostkeys.stdout.splitlines() }}"
delegate_to: localhost
when: inventory_hostname not in result.list_vms
- name: Install python if required
ansible.builtin.raw: >-
{{ virt_install_python_cmd | map('quote') | join(' ') }}
args:
executable: /bin/sh
ansible.builtin.command:
argv:
- ssh
- "{{ inventory_hostname }}"
- "{{ virt_install_python_cmd }}"
delegate_to: localhost
when:
- inventory_hostname not in result.list_vms
- virt_install_python_cmd is defined

8
playbooks/ldap.yml
View file

@ -19,7 +19,7 @@
passno: "0"
dump: "0"
state: mounted
when: ldap_master
when: ldap_master is defined
vars_files:
- "{{ ansible_private }}/vars.yml"
@ -28,8 +28,8 @@
- base
- ldap_server
- role: kadmin
when: ldap_master
when: ldap_master is defined
- role: ldap_netdb
when: ldap_master
when: ldap_master is defined
- role: ldap_gravatar
when: ldap_master
when: ldap_master is defined

2
playbooks/log.yml
View file

@ -15,7 +15,7 @@
name: /export
src: /dev/sd1a
fstype: ffs
opts: rw,softdep,noatime,noexec,nosuid,nodev
opts: rw,softdep,noatime
passno: "1"
dump: "2"
state: mounted

11
playbooks/mail.yml
View file

@ -26,19 +26,18 @@
roles:
- base
- role: keytab
keytab_principals:
principals:
- "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
- "smtp/{{ mail_server }}@{{ kerberos_realm }}"
- nfs_client
- sssd
- autofs
- dovecot
- role: nginx
- role: nginx_site
nginx_site_name: "{{ mail_server }}"
nginx_site_redirect: https://webmail.foo.sh/
- role: nginx/server
- role: nginx/site
site: "{{ mail_server }}"
redirect: https://webmail.foo.sh/
- grossd
- opendkim
- spamassassin
- spamassassin_clamav
- spamassassin_ixhash

23
playbooks/manual/check-updates.yml
View file

@ -1,23 +0,0 @@
---
- hosts: all
gather_facts: true
tasks:
- name: Check updates (Linux)
ansible.builtin.command:
argv:
- dnf
- -q
- check-update
register: result
changed_when: result.rc == 100
failed_when: result.rc not in [0, 100]
when: ansible_os_family == "RedHat"
- name: Check updates (OpenBSD)
ansible.builtin.command:
argv:
- syspatch
- -c
register: result
changed_when: result.stdout != ""
when: ansible_os_family == "OpenBSD"

2
playbooks/minecraft.yml
View file

@ -15,7 +15,7 @@
name: /export
src: LABEL=/export
fstype: xfs
opts: noatime,noexec,nosuid,nodev
opts: noatime
passno: "0"
dump: "0"
state: mounted

45
playbooks/mirror.yml
View file

@ -26,30 +26,26 @@
roles:
- base
- mirror/base
- thinlinc_mirror
- role: reportmirror
reportmirror_hostname: mirrors.foo.sh
reportmirror_mirrors: [epel, fedora]
reportmirror_sitename: foo.sh
reportmirror_password: "{{ report_mirror_pass }}"
- mirror/thinlinc
- role: mirror/reportmirror
hostname: mirrors.foo.sh
mirrors: [epel, fedora]
sitename: foo.sh
password: "{{ report_mirror_pass }}"
- role: mirror/sync
mirror_label: fedora-epel
mirror_source:
"rsync://rsync.nic.funet.fi/ftp/pub/mirrors/fedora.redhat.com/pub/epel"
mirror_rsyncoptions:
label: fedora-epel
source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\
fedora.redhat.com/pub/epel"
rsyncoptions:
- "--exclude=SRPMS"
- "--exclude=debug"
- "--exclude=testing"
- "--exclude=aarch64"
- "--exclude=ppc64le"
- "--exclude=s390x"
- "--exclude=source"
- "--delete-excluded"
mirror_postcmd: python3 /usr/local/bin/report_mirror
postcmd: python3 /usr/local/bin/report_mirror
- role: mirror/sync
mirror_label: fedora
mirror_source:
"rsync://rsync.nic.funet.fi/ftp/pub/mirrors/fedora.redhat.com/pub/fedora/linux/"
mirror_rsyncoptions:
label: fedora
source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\
fedora.redhat.com/pub/fedora/linux/"
rsyncoptions:
- "--exclude=/atomic"
- "--exclude=/development"
- "--exclude=/releases/test"
@ -62,11 +58,12 @@
- "--exclude=armhfp"
- "--exclude=debug"
- "--delete-excluded"
mirror_postcmd: python3 /usr/local/bin/report_mirror
postcmd: python3 /usr/local/bin/report_mirror
- role: mirror/sync
mirror_label: openbsd
mirror_source: "rsync://ftp.nluug.nl/openbsd/"
mirror_rsyncoptions:
label: openbsd
source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\
ftp.openbsd.org/pub/OpenBSD/"
rsyncoptions:
- "--include=/?.?/"
- "--include=/?.?/amd64/"
- "--include=/?.?/amd64/*"

18
playbooks/mqtt.yml
View file

@ -9,22 +9,10 @@
user: root
gather_facts: true
vars_files:
- "{{ ansible_private }}/vars.yml"
roles:
- base
- mosquitto
- telegraf
- nginx
- role: nginx_site
nginx_site_name: iot.foo.sh
- shelly_firmware
tasks:
- name: Run handlers to get interfaces
ansible.builtin.meta: flush_handlers
- name: Import ha_mqtt_configd role
ansible.builtin.import_role:
name: ha_mqtt_configd
- nginx/server
- role: nginx/site
site: iot.foo.sh

22
playbooks/nas.yml
View file

@ -18,7 +18,7 @@
name: /export/home
src: LABEL=home
fstype: xfs
opts: noatime,nodev
opts: noatime
passno: "0"
dump: "0"
state: mounted
@ -27,7 +27,7 @@
name: /export/roles
src: LABEL=roles
fstype: xfs
opts: noatime,nodev
opts: noatime
passno: "0"
dump: "0"
state: mounted
@ -38,4 +38,20 @@
- sssd
- nfs_server
- role: keytab
keytab_principals: "nfs/{{ inventory_hostname }}@FOO.SH"
principals: "nfs/{{ inventory_hostname }}@FOO.SH"
tasks:
- name: Copy exports file
ansible.builtin.copy:
dest: /etc/exports
content: |
/export/home 172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \
@nfsclients-rw(rw,root_squash,secure) \
@nfsclients-ro(ro,root_squash,secure)
/export/roles 172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \
@nfsclients-rw(rw,root_squash,secure) \
@nfsclients-ro(ro,root_squash,secure)
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
notify: Restart nfs-server

83
playbooks/nms.yml Normal file
View file

@ -0,0 +1,83 @@
---
- name: Deploy KVM virtual machines
ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
vars:
myhosts: nms
- name: Configure instance
hosts: nms
user: root
gather_facts: true
pre_tasks:
- name: Mount /export
ansible.posix.mount:
name: /export
src: LABEL=/export
fstype: xfs
opts: noatime,noexec,nosuid,nodev
passno: "0"
dump: "0"
state: mounted
vars_files:
- "{{ ansible_private }}/vars.yml"
roles:
- base
- nginx/server
- role: nginx/site
site: oob.foo.sh
- sssd
- mkhomedir
- tftp
tasks:
- name: Enable UDP rsyslog server
ansible.builtin.import_role:
name: rsyslog
tasks_from: udp-listen
- name: Enable postfix mail relay
ansible.builtin.import_role:
name: postfix
tasks_from: relay
vars:
relay_domains: [foo.sh]
- name: Copy DNS zone files
ansible.builtin.copy:
dest: "/var/lib/unbound/{{ item }}"
src: "/srv/dns/{{ item }}"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
tags: dns
notify: Restart unbound
with_items:
- 25.20.172.in-addr.arpa
- oob.foo.sh
- name: Import unbound role
ansible.builtin.import_role:
name: unbound
# convert this to role for restart support
- name: Enable NTP server for oob network
ansible.builtin.lineinfile:
path: /etc/chrony.conf
regexp: "^#?allow .*"
line: "allow 172.20.25.0/24"
- name: Install extra packages
ansible.builtin.package:
name: "{{ item }}"
state: installed
with_items:
- net-snmp-utils
- nmap
- rcs
- scanssh
- sslscan
- unzip
- wget

21
playbooks/ns.yml
View file

@ -2,7 +2,7 @@
- name: Deploy KVM virtual machines
ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
vars:
myhosts: ns:!atl01.vultr.foo.sh
myhosts: ns:!vultr
- name: Configure instance
hosts: ns
@ -15,18 +15,9 @@
roles:
- base
- nsd
- role: nginx
- role: nginx_site
nginx_site_name: "{{ nsd_server }}"
nginx_site_redirect: https://www.foo.sh/
- role: blackbox_exporter
when: "inventory_hostname == 'atl01.vultr.foo.sh'"
tasks:
- name: Run handlers to get interfaces configured
ansible.builtin.meta: flush_handlers
- name: Import ifstated role
ansible.builtin.import_role:
name: ifstated
- role: nginx/server
- role: nginx/site
site: "{{ nsd_server }}"
redirect: https://www.foo.sh/
- role: ifstated
when: "'vultr' not in group_names"

16
playbooks/oci-node.yml
View file

@ -12,25 +12,9 @@
vars_files:
- "{{ ansible_private }}/vars.yml"
pre_tasks:
- name: Mount /export
ansible.posix.mount:
name: /export
src: LABEL=/export
fstype: xfs
opts: noatime,noexec,nosuid,nodev
passno: "0"
dump: "0"
state: mounted
when: ansible_fqdn == 'oci-node01.home.foo.sh'
roles:
- base
- authcheck
- grafana
- ipsilon
- kdc
- roundcube
- role: php4dvd
when: ansible_fqdn == 'oci-node01.home.foo.sh'
- rocketchat

37
playbooks/print.yml
View file

@ -14,17 +14,10 @@
roles:
- base
- role: keytab
keytab_principals:
- "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
- sssd
- mkhomedir
tasks:
- name: Install unbound role
ansible.builtin.import_role:
name: unbound
- name: Run handlers to get interfaces configured
ansible.builtin.meta: flush_handlers
@ -32,20 +25,30 @@
ansible.builtin.import_role:
name: dhcpd
- name: Copy DNS zone files
ansible.builtin.copy:
dest: "/var/lib/unbound/{{ item }}"
src: "/srv/dns/{{ item }}"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
tags: dns
notify: restart unbound
with_items:
- 24.20.172.in-addr.arpa
- print.foo.sh
- name: Install unbound role
ansible.builtin.import_role:
name: unbound
- name: Install cups_server role
ansible.builtin.import_role:
name: cups_server
- name: Install keytab for CUPS
ansible.builtin.include_role:
ansible.builtin.import_role:
name: keytab
vars:
keytab_path: /etc/cups/cups.keytab
keytab_principals: "HTTP/print.foo.sh@{{ kerberos_realm }}"
- name: Enable postfix mail relay
ansible.builtin.import_role:
name: postfix
tasks_from: relay
vars:
relay_domains: [foo.sh]
keytab: /etc/cups/cups.keytab
principals: "HTTP/print.foo.sh@{{ kerberos_realm }}"

30
playbooks/prometheus.yml
View file

@ -1,30 +0,0 @@
---
- name: Deploy KVM virtual machines
ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
vars:
myhosts: prometheus
- name: Configure instance
hosts: prometheus
user: root
gather_facts: true
vars_files:
- "{{ ansible_private }}/vars.yml"
pre_tasks:
- name: Mount /export
ansible.posix.mount:
name: /export
src: LABEL=/export
fstype: xfs
opts: noatime,noexec,nosuid,nodev
passno: "0"
dump: "0"
state: mounted
roles:
- base
- prometheus
- mysqld_exporter
- nginx_exporter

189
playbooks/proxy.yml
View file

@ -15,119 +15,90 @@
roles:
- base
- ifstated
- nginx
- nginx_logsync
- role: nginx_site
nginx_site_name: ca.foo.sh
- role: nginx_site
nginx_site_name: foo.monster
- role: nginx_site
nginx_site_name: tuiradc.fi
nginx_site_redirect: https://facebook.com/TuiraDC
- role: nginx_site
nginx_site_name: www.tuiradc.fi
nginx_site_redirect: https://facebook.com/TuiraDC
- role: nginx_site
nginx_site_name: foo.sh
nginx_site_redirect: https://www.foo.sh/
- role: nginx_site
nginx_site_name: apps.foo.sh
nginx_site_load_balance_method: ip_hash
nginx_site_proxy:
- https://oci-node01.home.foo.sh
- https://oci-node02.home.foo.sh
- role: nginx_site
nginx_site_name: audiobooks.foo.sh
nginx_site_proxy: https://audiobooks02.home.foo.sh/
- role: nginx_site
nginx_site_name: autoconfig.foo.sh
- role: nginx_site
nginx_site_name: boot.foo.sh
- role: nginx_site
nginx_site_name: bitbucket.foo.sh
nginx_site_redirect: https://bitbucket.org/tmakinen/
- role: nginx_site
nginx_site_name: cctv.foo.sh
nginx_site_proxy: https://frigate02.home.foo.sh/frigate/
- role: nginx_site
nginx_site_name: certbot.home.foo.sh
nginx_site_proxy: https://certbot.home.foo.sh/
- role: nginx_site
nginx_site_name: chat.foo.sh
nginx_site_proxy:
- nginx/server
- role: nginx/site
site: ca.foo.sh
- role: nginx/site
site: foo.monster
- role: nginx/site
site: tuiradc.fi
redirect: https://facebook.com/TuiraDC
- role: nginx/site
site: www.tuiradc.fi
redirect: https://facebook.com/TuiraDC
- role: nginx/site
site: foo.sh
redirect: https://www.foo.sh/
- role: nginx/site
site: autoconfig.foo.sh
- role: nginx/site
site: boot.foo.sh
ssl_config: old
- role: nginx/site
site: bitbucket.foo.sh
redirect: https://bitbucket.org/tmakinen/
- role: nginx/site
site: certbot.home.foo.sh
proxy: https://certbot.home.foo.sh/
- role: nginx/site
site: chat.foo.sh
proxy:
- https://oci-node01.home.foo.sh/rocketchat/
- https://oci-node02.home.foo.sh/rocketchat/
- role: nginx_site
nginx_site_name: collab.foo.sh
nginx_site_proxy: https://collab01.home.foo.sh/
- role: nginx_site
nginx_site_name: devel01.foo.sh
nginx_site_proxy: https://devel01.home.foo.sh/
- role: nginx_site
nginx_site_name: dns.home.foo.sh
nginx_site_redirect: https://www.foo.sh/
- role: nginx_site
nginx_site_name: dns.iot.foo.sh
nginx_site_redirect: https://www.foo.sh/
- role: nginx_site
nginx_site_name: dns.lan.foo.sh
nginx_site_redirect: https://www.foo.sh/
- role: nginx_site
nginx_site_name: forgejo.foo.sh
nginx_site_redirect: https://git.foo.sh/
- role: nginx_site
nginx_site_name: git.foo.sh
nginx_site_proxy: https://forgejo02.home.foo.sh/
- role: nginx_site
nginx_site_name: ha.foo.sh
nginx_site_proxy: https://homeassistant01.home.foo.sh/
- role: nginx_site
nginx_site_name: id.foo.sh
nginx_site_proxy:
- role: nginx/site
site: collab.foo.sh
proxy: https://collab01.home.foo.sh/
- role: nginx/site
site: devel01.foo.sh
proxy: https://devel01.home.foo.sh/
- role: nginx/site
site: dns.home.foo.sh
redirect: https://www.foo.sh/
- role: nginx/site
site: git.foo.sh
proxy: https://gitea02.home.foo.sh/
- role: nginx/site
site: gitea.foo.sh
redirect: https://git.foo.sh/
- role: nginx/site
site: ha.foo.sh
proxy: https://homeassistant01.home.foo.sh/
- role: nginx/site
site: id.foo.sh
proxy:
- https://oci-node01.home.foo.sh
- https://oci-node02.home.foo.sh
- role: nginx_site
nginx_site_name: idp.foo.sh
nginx_site_proxy: https://oci-node01.home.foo.sh/ipsilon/
- role: nginx_site
nginx_site_name: influxdb.foo.sh
nginx_site_proxy: https://influxdb01.home.foo.sh/
- role: nginx_site
nginx_site_name: iot.foo.sh
nginx_site_redirect: https://www.foo.sh/
- role: nginx_site
nginx_site_name: mirrors.foo.sh
nginx_site_proxy: https://mirror02.home.foo.sh/
- role: nginx_site
nginx_site_name: movies.foo.sh
nginx_site_proxy:
- https://oci-node01.home.foo.sh/php4dvd/
- role: nginx_site
nginx_site_name: mta-sts.foo.sh
- role: nginx_site
nginx_site_name: noc.foo.sh
nginx_site_proxy:
- role: nginx/site
site: influxdb.foo.sh
proxy: https://influxdb01.home.foo.sh/
- role: nginx/site
site: iot.foo.sh
redirect: https://www.foo.sh/
- role: nginx/site
site: munin.foo.sh
proxy: https://munin01.home.foo.sh/
- role: nginx/site
site: mirrors.foo.sh
proxy: https://mirror01.home.foo.sh/
- role: nginx/site
site: noc.foo.sh
proxy:
- https://oci-node01.home.foo.sh/grafana/
- https://oci-node02.home.foo.sh/grafana/
- role: nginx_site
nginx_site_name: print.foo.sh
nginx_site_proxy: https://print01.home.foo.sh:631/
- role: nginx_site
nginx_site_name: registry.foo.sh
nginx_site_proxy:
- "registry01.home.foo.sh:5000"
- "registry02.home.foo.sh:5000"
- role: nginx_site
nginx_site_name: scan.foo.sh
nginx_site_proxy:
- https://sane02.home.foo.sh/scanservjs/
- role: nginx_site
nginx_site_name: webmail.foo.sh
nginx_site_load_balance_method: ip_hash
nginx_site_proxy:
- role: nginx/site
site: print.foo.sh
proxy: https://print01.home.foo.sh:631/
- role: nginx/site
site: registry.foo.sh
proxy: ["registry01.home.foo.sh:5000", "registry02.home.foo.sh:5000"]
- role: nginx/site
site: webmail.foo.sh
proxy:
- https://oci-node01.home.foo.sh/roundcube/
- https://oci-node02.home.foo.sh/roundcube/
- role: nginx_site
nginx_site_name: wpad.foo.sh
- role: nginx_site
nginx_site_name: www.foo.sh
- role: nginx/site
site: wpad.foo.sh
- role: nginx/site
site: www.foo.sh
- role: nginx/site
site: zm.foo.sh
proxy: https://zm02.home.foo.sh/

20
playbooks/relay.yml
View file

@ -16,13 +16,13 @@
- base
- ifstated
- relayd
- nginx
- role: nginx_site
nginx_site_name: ldap.foo.sh
nginx_site_redirect: https://www.foo.sh/
- role: nginx_site
nginx_site_name: ldap01.foo.sh
nginx_site_redirect: https://www.foo.sh/
- role: nginx_site
nginx_site_name: loghost.foo.sh
nginx_site_redirect: https://www.foo.sh/
- nginx/server
- role: nginx/site
site: ldap.foo.sh
redirect: https://www.foo.sh/
- role: nginx/site
site: ldap01.foo.sh
redirect: https://www.foo.sh/
- role: nginx/site
site: loghost.foo.sh
redirect: https://www.foo.sh/

39
playbooks/sane.yml
View file

@ -1,39 +0,0 @@
---
- name: Deploy KVM virtual machines
ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
vars:
myhosts: sane
- name: Configure instance
hosts: sane
user: root
gather_facts: true
vars_files:
- "{{ ansible_private }}/vars.yml"
roles:
- base
- sane
- scanservjs
- mod_auth_gssapi
- role: keytab
keytab_path: /etc/httpd/httpd.keytab
keytab_principals: HTTP/scan.foo.sh@FOO.SH
keytab_group: apache
tasks:
- name: Require authentication for scanservjs
ansible.builtin.copy:
dest: /etc/httpd/conf.local.d/scanservjs-auth.conf
content: |
<Location /scanservjs>
AuthType GSSAPI
GssapiBasicAuth On
AuthName "Password Required"
Require valid-user
</Location>
mode: "0644"
owner: root
group: "{{ ansible_wheel }}"
notify: Restart apache

12
playbooks/shell.yml
View file

@ -15,7 +15,7 @@
roles:
- base
- role: keytab
keytab_principals:
principals:
- "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
- "nfs/{{ inventory_hostname }}@{{ kerberos_realm }}"
- nfs_client
@ -24,8 +24,9 @@
- thinlinc_server
- epel_repo
- foosh_repo
- role: nginx
nginx_plaintext: true
- powertools_repo
- role: nginx/server
plaintext: true
tasks:
- name: Install extra package groups
@ -62,7 +63,6 @@
- pandoc
- php-cli
- python3-netaddr
- python3-requests
- rcs
- rpmlint
- syslinux
@ -71,6 +71,7 @@
- tmux
- whois
- wireshark
- wkhtmltopdf
- yamllint
- zsh
loop_control:
@ -87,7 +88,6 @@
- lynx
- mutt
- opencollab
- ssh_known_hosts
- thunderbird
loop_control:
loop_var: role
@ -98,6 +98,6 @@
content: |
Host *.home.foo.sh !gw.home.foo.sh
ProxyJump root@gw.home.foo.sh
mode: "0644"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"

Some files were not shown because too many files have changed in this diff Show more