foo.sh/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: foo.sh:master
Branches Tags
foo.sh:master
foo.sh:actions-test
..
compare: foo.sh:actions-test
Branches Tags
foo.sh:master
foo.sh:actions-test

3 commits
master ... actions-te

Author SHA1 Message Date
Timo Makinen
dbf62bc397 Syntax changes 2023-07-20 17:45:46 +00:00
Timo Makinen
330360d977 Try renaming file 2023-07-20 17:44:11 +00:00
Timo Makinen
b11e3e57e0 Try another syntax 2023-07-20 17:42:41 +00:00
445 changed files with 2112 additions and 16484 deletions
Show stats Expand all files Collapse all files

8
.gitea/workflows/test.yml → .gitea/workflows/demo.yaml
View file

@ -1,12 +1,10 @@
---
name: tests
# yamllint disable-line rule:truthy
on:
- push
run-name: just testing
on: [push]
jobs:
lint:
name: run linter
linter:
runs-on: ubuntu-latest
steps:
- name: Checkout repository

1
.gitignore vendored
View file

@ -1,3 +1,2 @@
.*.swp
__pycache__
files/ssh/backup.pub

16
container-ports.md
View file

@ -1,16 +0,0 @@
# Ports used by container web services
| Port | Ansible role | Service name |
|------|---------------------|----------------------------|
| 8001 | kerberos_kdc | Kerberos KDC |
| 8002 | grafana | Grafana |
| 8003 | authcheck | Authentication check |
| 8004 | roundcube | Roundcube webmail |
| 8005 | php4dvd | php4dvd movie catalog |
| 8006 | scanservjs | SANE Scanner webui |
| 8007 | frigate | Network video recorder |
| 8008 | hoemeassistant | Home Assistant |
| 8009 | rocketchat | Rocket.Chat |
| 8010 | google-spell-pspell | Google Spell Check XML API |
| 8011 | ipsilon | Ipsilon Identity Provider |
| 8012 | nodered | Node Red |

1
files/ssh/backup.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdaNO9dLpI8CVx1rwGsKN45Pgiz+Btrlf2Q/nXCx4Ru root@backup02.home.foo.sh

8
group_vars/adm.yml
View file

@ -1,12 +1,8 @@
---
datadisks:
- {size: 10, type: nvme}
- {size: 10}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 80, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
sssd_allow_groups:
- sysadm
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

6
group_vars/all.yml
View file

@ -31,10 +31,8 @@ boot_url: https://boot.foo.sh
# ssh public keys for logsync user
logsync_publickeys: "{{ lookup('file', '../files/ssh/logsync.pub') }}"
# default name servers
network_dns_servers:
- 8.8.8.8
- 8.8.4.4
# ssh public keys for backup user
backup_publickeys: "{{ lookup('file', '../files/ssh/backup.pub') }}"
# hardcode this for now
ansible_datacenter: home

1
group_vars/backup.yml
View file

@ -1,4 +1,3 @@
---
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}

2
group_vars/collab.yml
View file

@ -5,4 +5,4 @@ datadisks:
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

20
group_vars/dnagw.yml
View file

@ -12,32 +12,12 @@ network_vip_interfaces:
netmask: 255.255.252.0
pass: "{{ vip10_pass }}"
priority: 120
- device: vio0
vhid: 11
ipaddr: 172.20.20.11
netmask: 255.255.252.0
pass: "{{ vip11_pass }}"
priority: "{{ vip11_priority }}"
- device: vio0
vhid: 12
ipaddr: 172.20.20.12
netmask: 255.255.252.0
pass: "{{ vip12_pass }}"
priority: "{{ vip12_priority }}"
network_ether_interfaces:
- device: vio1
proto: none
unbound_zones:
- 20.172.in-addr.arpa
- home.foo.sh
# use custom firewall config
firewall_src: pf.conf.gw_home
# ifstated config
ifstated_config: ifstated-dna.conf.j2
# ssh host alaises
ssh_hostnames:
- gw.home.foo.sh

4
group_vars/fedora.yml
View file

@ -1,7 +1,7 @@
---
# default resources for new vm
dsk_size: 20
mem_size: 4096
mem_size: 2048
num_cpus: 2
# extra args for virt-install
@ -18,7 +18,7 @@ ipcmd: >-
{% endif %}
virt_install_os_args: >-
--location
https://nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/releases/41/Everything/x86_64/os/
https://nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/releases/38/Everything/x86_64/os/
--extra-args
"inst.ks={{ ks_file }}
console=ttyS0

8
group_vars/forgejo.yml
View file

@ -1,8 +0,0 @@
---
datadisks:
- {size: 10, type: nvme}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}

3
group_vars/fsolgw.yml
View file

@ -4,9 +4,8 @@ network_vip_interfaces:
vhid: 145
ipaddr: 37.16.96.145
netmask: 255.255.255.240
ip6addr: 2a00:4cc1:6:1006::1
ip6netmask: 64
pass: "{{ vip145_pass }}"
network_dns_servers: [172.20.20.10, 172.20.21.1, 172.20.21.2]
# use custom firewall and ifstated config
firewall_src: pf.conf.gw_fsol

4
group_vars/audiobooks.yml → group_vars/gitea.yml
View file

@ -1,8 +1,8 @@
---
datadisks:
- {size: 50, type: hdd}
- {size: 10, type: hdd}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

4
group_vars/gitearunner.yml Normal file
View file

@ -0,0 +1,4 @@
---
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

5
group_vars/home.yml
View file

@ -1,5 +0,0 @@
---
network_dns_servers:
- 172.20.20.10
- 172.20.20.11
- 172.20.20.12

4
group_vars/homeassistant.yml
View file

@ -1,7 +1,7 @@
---
datadisks:
- {size: 10, type: nvme}
- {size: 10, type: hdd}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

2
group_vars/influxdb.yml
View file

@ -5,4 +5,4 @@ datadisks:
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

3
group_vars/ldap.yml
View file

@ -3,5 +3,6 @@ saslauthd_mech: ldap
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 636, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

5
group_vars/log.yml
View file

@ -1,9 +1,8 @@
---
mem_size: 512
datadisks:
- {size: 50, type: nvme}
- {size: 50}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}
- {proto: tcp, port: 6514}

8
group_vars/mail.yml
View file

@ -1,7 +1,6 @@
---
datadisks:
- {size: 10, type: nvme}
mem_size: 4192
- {size: 10}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
@ -11,7 +10,4 @@ firewall_in:
- {proto: tcp, port: 465}
- {proto: tcp, port: 587}
- {proto: tcp, port: 993}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
sssd_allow_groups:
- sysadm
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

4
group_vars/minecraft.yml
View file

@ -1,9 +1,9 @@
---
mem_size: 4096
datadisks:
- {size: 100, type: nvme}
- {size: 100}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.30.0/24]}
- {proto: tcp, port: 4949, from: [172.20.30.0/24]}
- {proto: tcp, port: 25565, from: [172.20.30.0/24]}
- {proto: udp, port: 25565, from: [172.20.30.0/24]}

5
group_vars/mirror.yml
View file

@ -1,9 +1,10 @@
---
datadisks:
- {size: 1500, type: hdd}
- {size: 1000}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 873, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

1
group_vars/mongodb.yml
View file

@ -4,4 +4,3 @@ datadisks:
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 27017, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}

2
group_vars/mqtt.yml
View file

@ -3,5 +3,5 @@ firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.27.0/24]}
- {proto: tcp, port: 1883, from: [172.20.27.0/24]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}
- {proto: tcp, port: 8883, from: [172.20.20.0/22, 172.20.27.0/24]}

9
group_vars/nas.yml
View file

@ -2,14 +2,11 @@
mem_size: 8192
num_cpus: 2
datadisks:
- {size: 500, type: nvme}
- {size: 50, type: nvme}
- {size: 1000}
- {size: 400, type: nvme}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 2049, from: [172.20.20.0/22]}
- {proto: tcp, port: 2049, from: [172.20.30.0/24]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
sssd_allow_groups:
- root
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

25
group_vars/nms.yml
View file

@ -1,24 +1,12 @@
---
datadisks:
- {size: 10, type: nvme}
unbound_zones:
- 25.20.172.in-addr.arpa
- oob.foo.sh
dhcpd_template: dhcpd.conf.oob.j2
dhcpd_ldap_filter: >-
(&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.oob.foo.sh))
- {size: 10}
network_vip_interfaces:
- device: eth0
vhid: 11
ipaddr: 172.20.20.21
netmask: 255.255.240.0
pass: "{{ vip21_pass }}"
- device: eth1
vhid: 25
ipaddr: 172.20.25.1
netmask: 255.255.255.0
netmask: 255.255.0.0
pass: "{{ vip25_pass }}"
priority: "{{ vip25_priority }}"
@ -31,10 +19,7 @@ firewall_in:
- {proto: udp, port: 123, from: [172.20.25.0/24]}
- {proto: tcp, port: 443, from: [172.20.25.0/24]}
- {proto: udp, port: 514, from: [172.20.25.0/24]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 9116, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}
firewall_raw:
- "ip daddr 224.0.0.0/8 accept"
sssd_allow_groups:
- sysadm
- "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
- "-A INPUT -i eth1 -p vrrp -j ACCEPT"

5
group_vars/ns.yml
View file

@ -1,13 +1,12 @@
---
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22, 212.149.225.204/32]}
- {proto: tcp, port: 22, from: [172.20.20.0/22, 81.175.130.44/32]}
- {proto: tcp, port: 53}
- {proto: udp, port: 53}
- {proto: tcp, port: 80}
- {proto: tcp, port: 443}
- {proto: tcp, port: 853}
- {proto: tcp, port: 9100}
- {proto: tcp, port: 9115}
- {proto: tcp, port: 4949, from: [172.20.20.0/22, 81.175.130.44/32]}
firewall_raw:
- pass quick proto carp

5
group_vars/ocinode.yml
View file

@ -1,10 +1,7 @@
---
# increase memory size
mem_size: 8192
# increase disk size to store docker images
dsk_size: 100
mem_size: 4192
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}

4
group_vars/openbsd.yml
View file

@ -17,5 +17,5 @@ num_cpus: 2
# extra args for virt-install
virt_install_os_args: --cdrom {{ boot_url }}/openbsd/openbsd.iso
virt_install_os_variant: openbsd7.4
virt_install_python_cmd: pkg_add -I -x python
virt_install_os_variant: openbsd7.0
virt_install_python_cmd: pkg_add python3 -I -x

16
group_vars/print.yml
View file

@ -7,20 +7,14 @@ network_vip_interfaces:
pass: "{{ vip24_pass }}"
priority: "{{ vip24_priority }}"
dhcpd_template: dhcpd.conf.print.j2
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 53, from: [172.20.24.0/24]}
- {proto: udp, port: 53, from: [172.20.24.0/24]}
- {proto: tcp, port: 631, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}
firewall_raw:
- "ip daddr 224.0.0.0/8 accept"
dhcpd_template: dhcpd.conf.print.j2
dhcpd_ldap_filter: >-
(&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.print.foo.sh))
sssd_allow_groups:
- sysadm
unbound_zones:
- 24.20.172.in-addr.arpa
- print.foo.sh
- "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
- "-A INPUT -i eth1 -p vrrp -j ACCEPT"

8
group_vars/prometheus.yml
View file

@ -1,8 +0,0 @@
---
datadisks:
- {size: 100, type: nvme}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}

10
group_vars/proxy.yml
View file

@ -4,6 +4,12 @@ mem_size: 1024
# use bigger disk for os as we have web site data there
dsk_size: 30
network_dns_servers:
- 172.20.20.10
- 172.20.21.7
- 172.20.21.8
network_dns_search:
- foo.sh
network_default_gateway: 37.16.96.145
network_vip_interfaces:
@ -42,4 +48,6 @@ firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 80}
- {proto: tcp, port: 443}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 636}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}
- {proto: tcp, port: 6514}

7
group_vars/relay.yml
View file

@ -1,4 +1,10 @@
---
network_dns_servers:
- 172.20.20.10
- 172.20.21.7
- 172.20.21.8
network_dns_search:
- foo.sh
network_default_gateway: 37.16.96.145
network_vip_interfaces:
@ -35,4 +41,3 @@ firewall_in:
- {proto: tcp, port: 443}
- {proto: tcp, port: 636}
- {proto: tcp, port: 6514}
- {proto: tcp, port: 9100}

5
group_vars/sane.yml
View file

@ -1,5 +0,0 @@
---
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}

10
group_vars/shell.yml
View file

@ -1,4 +1,6 @@
---
# beef up shell hosts
dsk_size: 40
mem_size: 8192
num_cpus: 4
@ -7,10 +9,4 @@ firewall_in:
- {proto: tcp, port: 22}
- {proto: tcp, port: 80}
- {proto: tcp, port: 443}
- {proto: tcp, port: 9100, from: [212.149.248.65/32]}
ssh_hostnames:
- shell.foo.sh
sssd_allow_groups:
- foosh
- {proto: tcp, port: 4949, from: [81.175.130.44/32]}

2
group_vars/sqldb.yml
View file

@ -1,8 +1,6 @@
---
mem_size: 4096
datadisks:
- {size: 20, type: nvme}
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 3306, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}

5
group_vars/static.yml
View file

@ -2,7 +2,4 @@
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
sssd_allow_groups:
- root
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

2
group_vars/vmhost.yml
View file

@ -1,4 +1,4 @@
---
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}

16
group_vars/frigate.yml → group_vars/zm.yml
View file

@ -1,9 +1,8 @@
---
mem_size: 8192
mem_size: 4096
num_cpus: 2
datadisks:
- {size: 50, type: nvme}
- {size: 500, type: hdd}
- {size: 500}
network_vip_interfaces:
- device: eth1
@ -12,16 +11,13 @@ network_vip_interfaces:
netmask: 255.255.0.0
pass: "{{ vip26_pass }}"
unbound_zones:
- 26.20.172.in-addr.arpa
- cam.foo.sh
zm_mysql_host: sqldb02.home.foo.sh
dhcpd_template: dhcpd.conf.cam.j2
dhcpd_ldap_filter: >-
(&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.cam.foo.sh))
firewall_in:
- {proto: tcp, port: 22, from: [172.20.20.0/22]}
- {proto: tcp, port: 443, from: [172.20.20.0/22]}
- {proto: tcp, port: 9100, from: [172.20.20.0/22]}
- {proto: tcp, port: 4949, from: [172.20.20.0/22]}
firewall_raw:
- "ip daddr 224.0.0.0/8 accept"
- "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
- "-A INPUT -i eth1 -p vrrp -j ACCEPT"

6
host_vars/audiobooks02.home.foo.sh.yml
View file

@ -1,6 +0,0 @@
---
vmhost: vmhost02.home.foo.sh
network_interfaces:
- device: eth0
vlan: 20
mac: "52:54:00:ac:dc:48"

4
host_vars/backup02.home.foo.sh.yml
View file

@ -6,5 +6,5 @@ network_interfaces:
mac: 52:54:00:ac:dc:50
datadisks:
- {size: 1000}
virt_install_devices:
- "02:04.0"
passthrough_devices:
- "07:04.0"

2
host_vars/dna-gw01.home.foo.sh.yml
View file

@ -10,5 +10,3 @@ network_interfaces:
- device: vio1
vlan: 103
proto: none
vip11_priority: 240
vip12_priority: 120

2
host_vars/dna-gw02.home.foo.sh.yml
View file

@ -10,5 +10,3 @@ network_interfaces:
- device: vio1
vlan: 103
proto: none
vip11_priority: 120
vip12_priority: 240

1
host_vars/fsol-gw01.home.foo.sh.yml
View file

@ -15,7 +15,6 @@ network_interfaces:
- device: vio2
vlan: 103
proto: dhcp
rdomain: 1
- device: vio3
vlan: 102
proto: none

1
host_vars/fsol-gw02.home.foo.sh.yml
View file

@ -15,7 +15,6 @@ network_interfaces:
- device: vio2
vlan: 103
proto: dhcp
rdomain: 1
- device: vio3
vlan: 102
proto: none

2
host_vars/mirror02.home.foo.sh.yml → host_vars/gitea-runner02.home.foo.sh.yml
View file

@ -3,4 +3,4 @@ vmhost: vmhost02.home.foo.sh
network_interfaces:
- device: eth0
vlan: 20
mac: 52:54:00:ac:dc:14
mac: 52:54:00:ac:dc:7c

2
host_vars/forgejo02.home.foo.sh.yml → host_vars/gitea02.home.foo.sh.yml
View file

@ -3,4 +3,4 @@ vmhost: vmhost02.home.foo.sh
network_interfaces:
- device: eth0
vlan: 20
mac: 52:54:00:ac:dc:80
mac: 52:54:00:ac:dc:78

6
host_vars/homeassistant01.home.foo.sh.yml
View file

@ -5,10 +5,6 @@ network_interfaces:
vlan: 20
mac: 52:54:00:ac:dc:73
- device: eth1
vlan: 27
- device: eth2
vlan: 30
virt_install_devices:
- 0b05:190e
- 10c4:ea60
- /dev/ttyUSB0
- 003.002

2
host_vars/ldap01.home.foo.sh.yml
View file

@ -5,6 +5,6 @@ network_interfaces:
vlan: 20
mac: 52:54:00:ac:dc:1f
datadisks:
- {size: 10, type: nvme}
- {size: 10}
ldap_master: true

2
host_vars/prometheus01.home.foo.sh.yml → host_vars/mirror01.home.foo.sh.yml
View file

@ -3,4 +3,4 @@ vmhost: vmhost01.home.foo.sh
network_interfaces:
- device: eth0
vlan: 20
mac: "52:54:00:ac:dc:83"
mac: 52:54:00:ac:dc:13

2
host_vars/nms02.home.foo.sh.yml
View file

@ -17,4 +17,4 @@ network_interfaces:
netmask: 255.255.255.248
proto: static
vip25_priority: 1
vip25_priority: 0

2
host_vars/oci-node01.home.foo.sh.yml
View file

@ -1,7 +1,5 @@
---
vmhost: vmhost01.home.foo.sh
datadisks:
- {size: 10, type: nvme}
network_interfaces:
- device: eth0
vlan: 20

8
host_vars/sane02.home.foo.sh.yml
View file

@ -1,8 +0,0 @@
---
vmhost: vmhost02.home.foo.sh
network_interfaces:
- device: eth0
vlan: 20
mac: "52:54:00:ac:dc:88"
virt_install_devices:
- 001.003

4
host_vars/frigate02.home.foo.sh.yml → host_vars/zm02.home.foo.sh.yml
View file

@ -3,7 +3,7 @@ vmhost: vmhost02.home.foo.sh
network_interfaces:
- device: eth0
vlan: 20
mac: "52:54:00:ac:dc:8c"
mac: "52:54:00:ac:dc:4c"
nameservers: []
- device: eth1
vlan: 26
@ -11,5 +11,3 @@ network_interfaces:
netmask: 255.255.255.0
proto: static
nameservers: [172.20.26.1, 172.20.26.3]
virt_install_devices:
- 004.002

91
hosts.yml
View file

@ -3,9 +3,6 @@ adm:
hosts:
adm01.home.foo.sh:
adm02.home.foo.sh:
audiobooks:
hosts:
audiobooks02.home.foo.sh:
backup:
hosts:
backup02.home.foo.sh:
@ -16,33 +13,25 @@ dnagw:
hosts:
dna-gw01.home.foo.sh:
dna-gw02.home.foo.sh:
forgejo:
hosts:
forgejo02.home.foo.sh:
vars:
forgejo_version: "10.0.1"
frigate:
hosts:
frigate02.home.foo.sh:
vars:
frigate_version: "0.15.0"
fsolgw:
hosts:
fsol-gw01.home.foo.sh:
fsol-gw02.home.foo.sh:
gitea:
hosts:
gitea02.home.foo.sh:
vars:
gitea_version: "1.19.4"
gitearunner:
hosts:
gitea-runner02.home.foo.sh:
vars:
gitea_runner_version: "0.2.3"
homeassistant:
hosts:
homeassistant01.home.foo.sh:
vars:
homeassistant_version: "2025.3"
homeassistant_integrations:
- name: electrolux_status
repo: https://github.com/albaintor/homeassistant_electrolux_status.git
version: v2.0.9
- name: espsomfy_rts
repo: https://github.com/rstrouse/ESPSomfy-RTS-HA.git
version: v2.4.7
nodered_version: 4.0.9
homeassistant_version: "2023.7"
influxdb:
hosts:
influxdb01.home.foo.sh:
@ -56,14 +45,12 @@ log:
mail:
hosts:
mail02.home.foo.sh:
vars:
opendkim_selector: 20250101
minecraft:
hosts:
minecraft01.home.foo.sh:
mirror:
hosts:
mirror02.home.foo.sh:
mirror01.home.foo.sh:
mongodb:
hosts:
mongodb01.home.foo.sh:
@ -77,8 +64,6 @@ nms:
hosts:
nms01.home.foo.sh:
nms02.home.foo.sh:
vars:
snmp_exporter_version: "0.28.0"
ns:
hosts:
ns01.home.foo.sh:
@ -89,34 +74,20 @@ ocinode:
oci-node01.home.foo.sh:
oci-node02.home.foo.sh:
vars:
grafana_version: "11.4.2"
rocketchat_version: "7.4.0"
roundcube_version: "1.6.10"
grafana_version: "10.0.2"
rocketchat_version: "6.2.10"
roundcube_version: "1.6.1"
print:
hosts:
print01.home.foo.sh:
prometheus:
hosts:
prometheus01.home.foo.sh:
vars:
mysqld_exporter_version: "0.17.2"
nginx_exporter_version: "1.4.1"
proxy:
hosts:
proxy01.home.foo.sh:
proxy02.home.foo.sh:
redis:
hosts:
redis01.home.foo.sh:
relay:
hosts:
relay01.home.foo.sh:
relay02.home.foo.sh:
sane:
hosts:
sane02.home.foo.sh:
vars:
scanservjs_version: "v3.0.3"
shell:
hosts:
shell01.foo.sh:
@ -132,15 +103,23 @@ vmhost:
hosts:
vmhost01.home.foo.sh:
vmhost02.home.foo.sh:
zm:
hosts:
zm02.home.foo.sh:
sftpbackup:
children:
collab:
ldap:
mongodb:
sqldb:
vultr:
hosts:
atl01.vultr.foo.sh:
fedora:
children:
gitearunner:
openbsd:
children:
backup:
@ -150,31 +129,27 @@ openbsd:
mqtt:
ns:
proxy:
redis:
relay:
rocky8:
children:
collab:
rocky9:
children:
adm:
audiobooks:
forgejo:
frigate:
homeassistant:
influxdb:
ldap:
mail:
minecraft:
mirror:
mongodb:
nas:
nms:
ocinode:
print:
prometheus:
sane:
shell:
zm:
rocky9:
children:
adm:
gitea:
influxdb:
ldap:
mirror:
mongodb:
sqldb:
static:
vmhost:

78
playbooks/adm.yml
View file

@ -18,7 +18,7 @@
name: /export
src: LABEL=/export
fstype: xfs
opts: noatime,nosuid,nodev
opts: noatime,noexec,nosuid,nodev
passno: "0"
dump: "0"
state: mounted
@ -27,15 +27,10 @@
- base
- ansible_host
- certbot
- cups
- sshca
- ssh_known_hosts
- role: keytab
keytab_principals:
principals:
- "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
- nfs_client
- role: autofs
autofs_home: false
- sssd
- mkhomedir
- rpm_build
@ -47,21 +42,15 @@
name: "{{ item }}"
state: installed
with_items:
- emacs-nox # more editors
- httpd-tools # htpasswd
- knot-utils # kdig (dns over tls)
- libvirt-client # kvm host client
- make # generic building
- mariadb # mariadb client tools
- mosquitto # mqtt reading
- nano # more editors
- nmap # check for open ports
- nsd # check dns zone files
- podman # building containers
- pylint # python linting
- python3-flake8 # python linting
- speedtest-cli # testing network speed
- ShellCheck # shell script linting
- virt-install # install kvm guests
- wget # still in backbone for downloads
- whois # read whois data
@ -74,67 +63,6 @@
Host shell??.foo.sh
CheckHostIP no
dest: /root/.ssh/config
mode: "0600"
owner: root
group: "{{ ansible_wheel }}"
- name: Clone dns repo
ansible.builtin.git:
dest: /export/dns
repo: https://adm01.home.foo.sh/dns.git
update: true
version: master
environment:
GIT_SSL_CAINFO: "{{ tls_certs }}/ca.crt"
GIT_SSL_CERT: "{{ tls_certs }}/{{ inventory_hostname }}.crt"
GIT_SSL_KEY: "{{ tls_private }}/{{ inventory_hostname }}.key"
when: 'inventory_hostname != "adm01.home.foo.sh"'
- name: Link dns repo
ansible.builtin.file:
dest: /srv/dns
src: /export/dns
state: link
owner: root
group: "{{ ansible_wheel }}"
follow: false
- name: Add cron job to sync dns repo
ansible.builtin.cron:
name: sync dns repository
job: >-
GIT_SSL_CAINFO="{{ tls_certs }}/ca.crt"
GIT_SSL_CERT="{{ tls_certs }}/{{ inventory_hostname }}.crt"
GIT_SSL_KEY="{{ tls_private }}/{{ inventory_hostname }}.key"
git -C /srv/dns pull -q
minute: "02"
when: 'inventory_hostname != "adm01.home.foo.sh"'
- name: Links dns repo to web
ansible.builtin.file:
dest: "/srv/web/{{ inventory_hostname }}/dns.git"
src: /srv/dns/.git
state: link
owner: root
group: "{{ ansible_wheel }}"
- name: Add mqtt-tail script
ansible.builtin.copy:
dest: /usr/local/bin/mqtt-tail
content: |
#!/bin/sh
set -eu
if [ -n "${1:-}" ]; then
topic="$1"
shift
else
topic="#"
fi
if [ $# -ne 0 ]; then
echo "Usage: $(basename "$0") [topic]" 1>&2
exit 1
fi
exec mosquitto_sub -h mqtt02.home.foo.sh -v -t "$topic" \
--cafile "{{ tls_certs }}/ca.crt" \
--cert "{{ tls_certs }}/{{ inventory_hostname }}.crt" \
--key "{{ tls_private }}/{{ inventory_hostname }}.key" \
mode: "0755"
mode: 0600
owner: root
group: "{{ ansible_wheel }}"

25
playbooks/audiobooks.yml
View file

@ -1,25 +0,0 @@
---
- name: Deploy KVM virtual machines
ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
vars:
myhosts: audiobooks
- name: Configure instance
hosts: audiobooks
user: root
gather_facts: true
pre_tasks:
- name: Mount /export
ansible.posix.mount:
name: /export
src: LABEL=/export
fstype: xfs
opts: noatime,nosuid,nodev
passno: "0"
dump: "0"
state: mounted
roles:
- base
- audiobookshelf

11
playbooks/backup.yml
View file

@ -15,7 +15,7 @@
name: /export
src: /dev/sd1a
fstype: ffs
opts: rw,softdep,noatime,noexec,nosuid,nodev
opts: rw,softdep,noatime
passno: "1"
dump: "2"
state: mounted
@ -25,10 +25,5 @@
roles:
- base
- backup_base
- backup_bitbucket
- backup_github
- role: rclone
rclone_hostgroup: sftpbackup
rclone_service: backup
- rsync_backup
- backup_server
- sftpbackup

10
playbooks/collab.yml
View file

@ -28,9 +28,9 @@
- collab
- mod_auth_gssapi
- role: keytab
keytab_path: /etc/httpd/httpd.keytab
keytab_principals: HTTP/collab.foo.sh@FOO.SH
keytab_group: apache
keytab: /etc/httpd/httpd.keytab
principals: HTTP/collab.foo.sh@FOO.SH
group: apache
- ldap
tasks:
@ -38,7 +38,7 @@
ansible.builtin.copy:
content: "RedirectMatch permanent \"^/$\" /collab/\n"
dest: "/etc/httpd/conf.local.d/redirects.conf"
mode: "0644"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
notify: Restart apache
@ -61,7 +61,7 @@
dest: /srv/wikis/collab/htdocs/.htaccess
owner: collab
group: collab
mode: "0660"
mode: 0660
seuser: _default
setype: _default

122
playbooks/dna-gw.yml
View file

@ -14,14 +14,29 @@
roles:
- base
- ifstated
- dhcpd
- nginx
- role: nginx_site
nginx_site_name: gw.home.foo.sh
- nginx/server
- role: nginx/site
site: gw.home.foo.sh
- tftp
- websockify
tasks:
- name: Use configured dns servers and domain name
ansible.builtin.copy:
dest: /etc/dhclient.conf
content: "ignore domain-name-servers, domain-name;\n"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
- name: Disable resolvd
ansible.builtin.service:
name: resolvd
state: stopped
enabled: false
- name: Enable ip forwarding
ansible.posix.sysctl:
name: "{{ item }}"
@ -34,49 +49,11 @@
- name: Run handlers to get interfaces configured
ansible.builtin.meta: flush_handlers
- name: Import ifstated role
ansible.builtin.import_role:
name: ifstated
- name: Copy DNS private key
ansible.builtin.copy:
dest: "{{ tls_private }}/dns.home.foo.sh.key"
src: "{{ item }}"
mode: "0600"
owner: root
group: "{{ ansible_wheel }}"
with_first_found:
- /srv/letsencrypt/live/dns.home.foo.sh/privkey.pem
- "/srv/ca/private/{{ inventory_hostname }}.key"
tags: certificates
notify: Restart unbound
- name: Copy DNS certificate and ca cert
ansible.builtin.copy:
dest: "{{ tls_certs }}/dns.home.foo.sh.crt"
src: "{{ item }}"
mode: "0644"
owner: root
group: "{{ ansible_wheel }}"
with_first_found:
- /srv/letsencrypt/live/dns.home.foo.sh/fullchain.pem
- "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
tags: certificates
notify: Restart unbound
- name: Import unbound role
ansible.builtin.import_role:
name: unbound
- name: Import unbound_exporter role
ansible.builtin.import_role:
name: unbound_exporter
- name: Create tftp boot directories
ansible.builtin.file:
path: /srv/tftpboot/etc
state: directory
mode: "0755"
mode: 0755
owner: root
group: "{{ ansible_wheel }}"
@ -87,25 +64,25 @@
stty com0 115200
set tty com0
boot tftp:bsd.rd
mode: "0644"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
- name: Create tftp pxeboot loader for OpenBSD installs
ansible.builtin.get_url:
url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.6/amd64/pxeboot"
checksum: sha1:c696836c1e6cc67c6c31f6ceb5daaaa4ec0632b7
url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.3/amd64/pxeboot"
checksum: sha1:161b36d4ae3d786aa98c4836abba25f2bca8979d
dest: /srv/tftpboot/pxeboot
mode: "0644"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
- name: Create tftp ramdisk for OpenBSD installs
ansible.builtin.get_url:
url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.6/amd64/bsd.rd"
checksum: sha1:f690655c768ec9ef208188921ac53634a9233aca
url: "https://ftp.eu.openbsd.org/pub/OpenBSD//7.3/amd64/bsd.rd"
checksum: sha1:72b46ad8e97b2082d145a739264e818dcd154021
dest: /srv/tftpboot/bsd.rd
mode: "0644"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
@ -114,7 +91,7 @@
url: "https://boot.foo.sh/openbsd/install.conf"
checksum: sha1:f6270708dad3f759df02eefeab300d9b8670f3d4
dest: /srv/tftpboot/install.conf
mode: "0644"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
@ -136,7 +113,50 @@
}
}
}
mode: "0644"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
notify: Restart nginx
- name: Copy DNS private key
ansible.builtin.copy:
dest: "{{ tls_private }}/dns.home.foo.sh.key"
src: "{{ item }}"
mode: 0600
owner: root
group: "{{ ansible_wheel }}"
with_first_found:
- /srv/letsencrypt/live/dns.home.foo.sh/privkey.pem
- "/srv/ca/private/{{ inventory_hostname }}.key"
tags: certificates
notify: Restart unbound
- name: Copy DNS certificate and ca cert
ansible.builtin.copy:
dest: "{{ tls_certs }}/dns.home.foo.sh.crt"
src: "{{ item }}"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
with_first_found:
- /srv/letsencrypt/live/dns.home.foo.sh/fullchain.pem
- "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
tags: certificates
notify: Restart unbound
- name: Copy DNS zone files
ansible.builtin.copy:
dest: "/var/unbound/db/{{ item }}"
src: "/srv/dns/{{ item }}"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
tags: dns
notify: Restart unbound
with_items:
- 20.172.in-addr.arpa
- home.foo.sh
- name: Import unbound role
ansible.builtin.import_role:
name: unbound

18
playbooks/fsol-gw.yml
View file

@ -12,6 +12,13 @@
vars_files:
- "{{ ansible_private }}/vars.yml"
pre_tasks:
- name: Disable resolvd service
ansible.builtin.service:
name: resolvd
state: stopped
enabled: false
tasks:
- name: Enable IP forwarding
ansible.posix.sysctl:
@ -23,19 +30,16 @@
- net.inet6.ip6.forwarding
- name: Manually set DNS servers
ansible.builtin.copy:
dest: /etc/dhcpleased.conf
content: |
interface vio2 {
ignore dns
}
mode: "0644"
dest: /etc/dhclient.conf
content: "ignore domain-name-servers, domain-name;\n"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
- name: Create pfsync interface
ansible.builtin.copy:
dest: /etc/hostname.pfsync0
content: "up syncdev vio1\n"
mode: "0600"
mode: 0600
owner: root
group: "{{ ansible_wheel }}"

14
playbooks/gitea-runner.yml Normal file
View file

@ -0,0 +1,14 @@
---
- name: Deploy KVM virtual machines
ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
vars:
myhosts: gitearunner
- name: Configure instance
hosts: gitearunner
user: root
gather_facts: true
roles:
- base
- gitea_runner

6
playbooks/forgejo.yml → playbooks/gitea.yml
View file

@ -2,10 +2,10 @@
- name: Deploy KVM virtual machines
ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
vars:
myhosts: forgejo
myhosts: gitea
- name: Configure instance
hosts: forgejo
hosts: gitea
user: root
gather_facts: true
@ -25,4 +25,4 @@
roles:
- base
- forgejo
- gitea

4
playbooks/homeassistant.yml
View file

@ -9,9 +9,6 @@
user: root
gather_facts: true
vars_files:
- "{{ ansible_private }}/vars.yml"
pre_tasks:
- name: Mount /export
ansible.posix.mount:
@ -27,4 +24,3 @@
- base
- ldap
- homeassistant
- nodered

8
playbooks/include/deploy-kvm-guest.yml
View file

@ -9,7 +9,7 @@
char: "{{ 'bcdefghijklmnopqrstuvwxyz'|list }}"
console_log: "/var/log/libvirt/qemu/{{ inventory_hostname }}.console.log"
os_disk_image: "/srv/libvirt/os/{{ inventory_hostname }}.a.img"
os_disk_image: "/srv/libvirt/ssd/{{ inventory_hostname }}.a.img"
dsk_opts: bus=virtio,cache=none,device=disk,format=raw,sparse=no
inject: >-
@ -75,7 +75,7 @@
echo '{{ root_pubkey }}' > /root/.ssh/authorized_keys
%end
dest: "{{ tmpdir.path }}/include.ks"
mode: "0600"
mode: 0600
owner: root
group: "{{ ansible_wheel }}"
delegate_to: "{{ vmhost }}"
@ -99,11 +99,7 @@
{% endif -%}
{% if virt_install_devices is defined -%}
{% for dev in virt_install_devices -%}
{% if dev | regex_search('^/dev/tty') -%}
--serial dev,path={{ dev }}
{% else -%}
--hostdev {{ dev }} \
{% endif -%}
{% endfor -%}
{% else -%}
--controller usb,model=none \

8
playbooks/ldap.yml
View file

@ -19,7 +19,7 @@
passno: "0"
dump: "0"
state: mounted
when: ldap_master
when: ldap_master is defined
vars_files:
- "{{ ansible_private }}/vars.yml"
@ -28,8 +28,8 @@
- base
- ldap_server
- role: kadmin
when: ldap_master
when: ldap_master is defined
- role: ldap_netdb
when: ldap_master
when: ldap_master is defined
- role: ldap_gravatar
when: ldap_master
when: ldap_master is defined

2
playbooks/log.yml
View file

@ -15,7 +15,7 @@
name: /export
src: /dev/sd1a
fstype: ffs
opts: rw,softdep,noatime,noexec,nosuid,nodev
opts: rw,softdep,noatime
passno: "1"
dump: "2"
state: mounted

11
playbooks/mail.yml
View file

@ -26,19 +26,18 @@
roles:
- base
- role: keytab
keytab_principals:
principals:
- "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
- "smtp/{{ mail_server }}@{{ kerberos_realm }}"
- nfs_client
- sssd
- autofs
- dovecot
- role: nginx
- role: nginx_site
nginx_site_name: "{{ mail_server }}"
nginx_site_redirect: https://webmail.foo.sh/
- role: nginx/server
- role: nginx/site
site: "{{ mail_server }}"
redirect: https://webmail.foo.sh/
- grossd
- opendkim
- spamassassin
- spamassassin_clamav
- spamassassin_ixhash

23
playbooks/manual/check-updates.yml
View file

@ -1,23 +0,0 @@
---
- hosts: all
gather_facts: true
tasks:
- name: Check updates (Linux)
ansible.builtin.command:
argv:
- dnf
- -q
- check-update
register: result
changed_when: result.rc == 100
failed_when: result.rc not in [0, 100]
when: ansible_os_family == "RedHat"
- name: Check updates (OpenBSD)
ansible.builtin.command:
argv:
- syspatch
- -c
register: result
changed_when: result.stdout != ""
when: ansible_os_family == "OpenBSD"

2
playbooks/minecraft.yml
View file

@ -15,7 +15,7 @@
name: /export
src: LABEL=/export
fstype: xfs
opts: noatime,noexec,nosuid,nodev
opts: noatime
passno: "0"
dump: "0"
state: mounted

45
playbooks/mirror.yml
View file

@ -26,30 +26,26 @@
roles:
- base
- mirror/base
- thinlinc_mirror
- role: reportmirror
reportmirror_hostname: mirrors.foo.sh
reportmirror_mirrors: [epel, fedora]
reportmirror_sitename: foo.sh
reportmirror_password: "{{ report_mirror_pass }}"
- mirror/thinlinc
- role: mirror/reportmirror
hostname: mirrors.foo.sh
mirrors: [epel, fedora]
sitename: foo.sh
password: "{{ report_mirror_pass }}"
- role: mirror/sync
mirror_label: fedora-epel
mirror_source:
"rsync://rsync.nic.funet.fi/ftp/pub/mirrors/fedora.redhat.com/pub/epel"
mirror_rsyncoptions:
label: fedora-epel
source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\
fedora.redhat.com/pub/epel"
rsyncoptions:
- "--exclude=SRPMS"
- "--exclude=debug"
- "--exclude=testing"
- "--exclude=aarch64"
- "--exclude=ppc64le"
- "--exclude=s390x"
- "--exclude=source"
- "--delete-excluded"
mirror_postcmd: python3 /usr/local/bin/report_mirror
postcmd: python3 /usr/local/bin/report_mirror
- role: mirror/sync
mirror_label: fedora
mirror_source:
"rsync://rsync.nic.funet.fi/ftp/pub/mirrors/fedora.redhat.com/pub/fedora/linux/"
mirror_rsyncoptions:
label: fedora
source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\
fedora.redhat.com/pub/fedora/linux/"
rsyncoptions:
- "--exclude=/atomic"
- "--exclude=/development"
- "--exclude=/releases/test"
@ -62,11 +58,12 @@
- "--exclude=armhfp"
- "--exclude=debug"
- "--delete-excluded"
mirror_postcmd: python3 /usr/local/bin/report_mirror
postcmd: python3 /usr/local/bin/report_mirror
- role: mirror/sync
mirror_label: openbsd
mirror_source: "rsync://ftp.nluug.nl/openbsd/"
mirror_rsyncoptions:
label: openbsd
source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\
ftp.openbsd.org/pub/OpenBSD/"
rsyncoptions:
- "--include=/?.?/"
- "--include=/?.?/amd64/"
- "--include=/?.?/amd64/*"

11
playbooks/mqtt.yml
View file

@ -9,15 +9,10 @@
user: root
gather_facts: true
vars_files:
- "{{ ansible_private }}/vars.yml"
roles:
- base
- mosquitto
- ha_mqtt_configd
- telegraf
- nginx
- role: nginx_site
nginx_site_name: iot.foo.sh
- shelly_firmware
- nginx/server
- role: nginx/site
site: iot.foo.sh

22
playbooks/nas.yml
View file

@ -18,7 +18,7 @@
name: /export/home
src: LABEL=home
fstype: xfs
opts: noatime,nodev
opts: noatime
passno: "0"
dump: "0"
state: mounted
@ -27,7 +27,7 @@
name: /export/roles
src: LABEL=roles
fstype: xfs
opts: noatime,nodev
opts: noatime
passno: "0"
dump: "0"
state: mounted
@ -38,4 +38,20 @@
- sssd
- nfs_server
- role: keytab
keytab_principals: "nfs/{{ inventory_hostname }}@FOO.SH"
principals: "nfs/{{ inventory_hostname }}@FOO.SH"
tasks:
- name: Copy exports file
ansible.builtin.copy:
dest: /etc/exports
content: |
/export/home 172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \
@nfsclients-rw(rw,root_squash,secure) \
@nfsclients-ro(ro,root_squash,secure)
/export/roles 172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \
@nfsclients-rw(rw,root_squash,secure) \
@nfsclients-ro(ro,root_squash,secure)
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
notify: Restart nfs-server

49
playbooks/nms.yml
View file

@ -25,22 +25,12 @@
roles:
- base
- cups
- nginx
- role: nginx_site
nginx_site_name: oob.foo.sh
nginx_site_plaintext: false
- role: keytab
keytab_principals:
- "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
- nfs_client
- role: autofs
autofs_home: false
- nginx/server
- role: nginx/site
site: oob.foo.sh
- sssd
- mkhomedir
- aten_pdu
- routeros
- snmp_exporter
- tftp
tasks:
- name: Enable UDP rsyslog server
@ -55,14 +45,23 @@
vars:
relay_domains: [foo.sh]
- name: Copy DNS zone files
ansible.builtin.copy:
dest: "/var/lib/unbound/{{ item }}"
src: "/srv/dns/{{ item }}"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
tags: dns
notify: Restart unbound
with_items:
- 25.20.172.in-addr.arpa
- oob.foo.sh
- name: Import unbound role
ansible.builtin.import_role:
name: unbound
- name: Import dhcpd role
ansible.builtin.import_role:
name: dhcpd
# convert this to role for restart support
- name: Enable NTP server for oob network
ansible.builtin.lineinfile:
@ -75,18 +74,10 @@
name: "{{ item }}"
state: installed
with_items:
- net-snmp-utils
- nmap
- rcs
- scanssh
- sslscan
- unzip
- wget
- name: Create sw-backup script
ansible.builtin.copy:
dest: /usr/local/bin/sw-backup
content: |
#!/bin/sh
set -eu
ssh "admin@${1}" /export > "/srv/backup/${1}.rsc"
mode: "0755"
owner: root
group: "{{ ansible_wheel }}"

12
playbooks/ns.yml
View file

@ -2,7 +2,7 @@
- name: Deploy KVM virtual machines
ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
vars:
myhosts: ns:!atl01.vultr.foo.sh
myhosts: ns:!vultr
- name: Configure instance
hosts: ns
@ -15,11 +15,9 @@
roles:
- base
- nsd
- role: nginx
- role: nginx_site
nginx_site_name: "{{ nsd_server }}"
nginx_site_redirect: https://www.foo.sh/
- role: nginx/server
- role: nginx/site
site: "{{ nsd_server }}"
redirect: https://www.foo.sh/
- role: ifstated
when: "'vultr' not in group_names"
- role: blackbox_exporter
when: "inventory_hostname == 'atl01.vultr.foo.sh'"

16
playbooks/oci-node.yml
View file

@ -12,25 +12,9 @@
vars_files:
- "{{ ansible_private }}/vars.yml"
pre_tasks:
- name: Mount /export
ansible.posix.mount:
name: /export
src: LABEL=/export
fstype: xfs
opts: noatime,noexec,nosuid,nodev
passno: "0"
dump: "0"
state: mounted
when: ansible_fqdn == 'oci-node01.home.foo.sh'
roles:
- base
- authcheck
- grafana
- ipsilon
- kdc
- roundcube
- role: php4dvd
when: ansible_fqdn == 'oci-node01.home.foo.sh'
- rocketchat

37
playbooks/print.yml
View file

@ -14,17 +14,10 @@
roles:
- base
- role: keytab
keytab_principals:
- "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
- sssd
- mkhomedir
tasks:
- name: Install unbound role
ansible.builtin.import_role:
name: unbound
- name: Run handlers to get interfaces configured
ansible.builtin.meta: flush_handlers
@ -32,20 +25,30 @@
ansible.builtin.import_role:
name: dhcpd
- name: Copy DNS zone files
ansible.builtin.copy:
dest: "/var/lib/unbound/{{ item }}"
src: "/srv/dns/{{ item }}"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
tags: dns
notify: restart unbound
with_items:
- 24.20.172.in-addr.arpa
- print.foo.sh
- name: Install unbound role
ansible.builtin.import_role:
name: unbound
- name: Install cups_server role
ansible.builtin.import_role:
name: cups_server
- name: Install keytab for CUPS
ansible.builtin.include_role:
ansible.builtin.import_role:
name: keytab
vars:
keytab_path: /etc/cups/cups.keytab
keytab_principals: "HTTP/print.foo.sh@{{ kerberos_realm }}"
- name: Enable postfix mail relay
ansible.builtin.import_role:
name: postfix
tasks_from: relay
vars:
relay_domains: [foo.sh]
keytab: /etc/cups/cups.keytab
principals: "HTTP/print.foo.sh@{{ kerberos_realm }}"

30
playbooks/prometheus.yml
View file

@ -1,30 +0,0 @@
---
- name: Deploy KVM virtual machines
ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
vars:
myhosts: prometheus
- name: Configure instance
hosts: prometheus
user: root
gather_facts: true
vars_files:
- "{{ ansible_private }}/vars.yml"
pre_tasks:
- name: Mount /export
ansible.posix.mount:
name: /export
src: LABEL=/export
fstype: xfs
opts: noatime,noexec,nosuid,nodev
passno: "0"
dump: "0"
state: mounted
roles:
- base
- prometheus
- mysqld_exporter
- nginx_exporter

186
playbooks/proxy.yml
View file

@ -15,116 +15,90 @@
roles:
- base
- ifstated
- nginx
- nginx_logsync
- role: nginx_site
nginx_site_name: ca.foo.sh
- role: nginx_site
nginx_site_name: foo.monster
- role: nginx_site
nginx_site_name: tuiradc.fi
nginx_site_redirect: https://facebook.com/TuiraDC
- role: nginx_site
nginx_site_name: www.tuiradc.fi
nginx_site_redirect: https://facebook.com/TuiraDC
- role: nginx_site
nginx_site_name: foo.sh
nginx_site_redirect: https://www.foo.sh/
- role: nginx_site
nginx_site_name: apps.foo.sh
nginx_site_load_balance_method: ip_hash
nginx_site_proxy:
- https://oci-node01.home.foo.sh
- https://oci-node02.home.foo.sh
- role: nginx_site
nginx_site_name: audiobooks.foo.sh
nginx_site_proxy: https://audiobooks02.home.foo.sh/
- role: nginx_site
nginx_site_name: autoconfig.foo.sh
- role: nginx_site
nginx_site_name: boot.foo.sh
- role: nginx_site
nginx_site_name: bitbucket.foo.sh
nginx_site_redirect: https://bitbucket.org/tmakinen/
- role: nginx_site
nginx_site_name: cctv.foo.sh
nginx_site_proxy: https://frigate02.home.foo.sh/frigate/
- role: nginx_site
nginx_site_name: certbot.home.foo.sh
nginx_site_proxy: https://certbot.home.foo.sh/
- role: nginx_site
nginx_site_name: chat.foo.sh
nginx_site_proxy:
- nginx/server
- role: nginx/site
site: ca.foo.sh
- role: nginx/site
site: foo.monster
- role: nginx/site
site: tuiradc.fi
redirect: https://facebook.com/TuiraDC
- role: nginx/site
site: www.tuiradc.fi
redirect: https://facebook.com/TuiraDC
- role: nginx/site
site: foo.sh
redirect: https://www.foo.sh/
- role: nginx/site
site: autoconfig.foo.sh
- role: nginx/site
site: boot.foo.sh
ssl_config: old
- role: nginx/site
site: bitbucket.foo.sh
redirect: https://bitbucket.org/tmakinen/
- role: nginx/site
site: certbot.home.foo.sh
proxy: https://certbot.home.foo.sh/
- role: nginx/site
site: chat.foo.sh
proxy:
- https://oci-node01.home.foo.sh/rocketchat/
- https://oci-node02.home.foo.sh/rocketchat/
- role: nginx_site
nginx_site_name: collab.foo.sh
nginx_site_proxy: https://collab01.home.foo.sh/
- role: nginx_site
nginx_site_name: devel01.foo.sh
nginx_site_proxy: https://devel01.home.foo.sh/
- role: nginx_site
nginx_site_name: dns.home.foo.sh
nginx_site_redirect: https://www.foo.sh/
- role: nginx_site
nginx_site_name: forgejo.foo.sh
nginx_site_redirect: https://git.foo.sh/
- role: nginx_site
nginx_site_name: git.foo.sh
nginx_site_proxy: https://forgejo02.home.foo.sh/
- role: nginx_site
nginx_site_name: gitea.foo.sh
nginx_site_redirect: https://git.foo.sh/
- role: nginx_site
nginx_site_name: ha.foo.sh
nginx_site_proxy: https://homeassistant01.home.foo.sh/
- role: nginx_site
nginx_site_name: id.foo.sh
nginx_site_proxy:
- role: nginx/site
site: collab.foo.sh
proxy: https://collab01.home.foo.sh/
- role: nginx/site
site: devel01.foo.sh
proxy: https://devel01.home.foo.sh/
- role: nginx/site
site: dns.home.foo.sh
redirect: https://www.foo.sh/
- role: nginx/site
site: git.foo.sh
proxy: https://gitea02.home.foo.sh/
- role: nginx/site
site: gitea.foo.sh
redirect: https://git.foo.sh/
- role: nginx/site
site: ha.foo.sh
proxy: https://homeassistant01.home.foo.sh/
- role: nginx/site
site: id.foo.sh
proxy:
- https://oci-node01.home.foo.sh
- https://oci-node02.home.foo.sh
- role: nginx_site
nginx_site_name: idp.foo.sh
nginx_site_proxy: https://oci-node01.home.foo.sh/ipsilon/
- role: nginx_site
nginx_site_name: influxdb.foo.sh
nginx_site_proxy: https://influxdb01.home.foo.sh/
- role: nginx_site
nginx_site_name: iot.foo.sh
nginx_site_redirect: https://www.foo.sh/
- role: nginx_site
nginx_site_name: mirrors.foo.sh
nginx_site_proxy: https://mirror02.home.foo.sh/
- role: nginx_site
nginx_site_name: movies.foo.sh
nginx_site_proxy:
- https://oci-node01.home.foo.sh/php4dvd/
- role: nginx_site
nginx_site_name: mta-sts.foo.sh
- role: nginx_site
nginx_site_name: noc.foo.sh
nginx_site_proxy:
- role: nginx/site
site: influxdb.foo.sh
proxy: https://influxdb01.home.foo.sh/
- role: nginx/site
site: iot.foo.sh
redirect: https://www.foo.sh/
- role: nginx/site
site: munin.foo.sh
proxy: https://munin01.home.foo.sh/
- role: nginx/site
site: mirrors.foo.sh
proxy: https://mirror01.home.foo.sh/
- role: nginx/site
site: noc.foo.sh
proxy:
- https://oci-node01.home.foo.sh/grafana/
- https://oci-node02.home.foo.sh/grafana/
- role: nginx_site
nginx_site_name: print.foo.sh
nginx_site_proxy: https://print01.home.foo.sh:631/
- role: nginx_site
nginx_site_name: registry.foo.sh
nginx_site_proxy:
- "registry01.home.foo.sh:5000"
- "registry02.home.foo.sh:5000"
- role: nginx_site
nginx_site_name: scan.foo.sh
nginx_site_proxy:
- https://sane02.home.foo.sh/scanservjs/
- role: nginx_site
nginx_site_name: webmail.foo.sh
nginx_site_load_balance_method: ip_hash
nginx_site_proxy:
- role: nginx/site
site: print.foo.sh
proxy: https://print01.home.foo.sh:631/
- role: nginx/site
site: registry.foo.sh
proxy: ["registry01.home.foo.sh:5000", "registry02.home.foo.sh:5000"]
- role: nginx/site
site: webmail.foo.sh
proxy:
- https://oci-node01.home.foo.sh/roundcube/
- https://oci-node02.home.foo.sh/roundcube/
- role: nginx_site
nginx_site_name: wpad.foo.sh
- role: nginx_site
nginx_site_name: www.foo.sh
- role: nginx/site
site: wpad.foo.sh
- role: nginx/site
site: www.foo.sh
- role: nginx/site
site: zm.foo.sh
proxy: https://zm02.home.foo.sh/

20
playbooks/relay.yml
View file

@ -16,13 +16,13 @@
- base
- ifstated
- relayd
- nginx
- role: nginx_site
nginx_site_name: ldap.foo.sh
nginx_site_redirect: https://www.foo.sh/
- role: nginx_site
nginx_site_name: ldap01.foo.sh
nginx_site_redirect: https://www.foo.sh/
- role: nginx_site
nginx_site_name: loghost.foo.sh
nginx_site_redirect: https://www.foo.sh/
- nginx/server
- role: nginx/site
site: ldap.foo.sh
redirect: https://www.foo.sh/
- role: nginx/site
site: ldap01.foo.sh
redirect: https://www.foo.sh/
- role: nginx/site
site: loghost.foo.sh
redirect: https://www.foo.sh/

39
playbooks/sane.yml
View file

@ -1,39 +0,0 @@
---
- name: Deploy KVM virtual machines
ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
vars:
myhosts: sane
- name: Configure instance
hosts: sane
user: root
gather_facts: true
vars_files:
- "{{ ansible_private }}/vars.yml"
roles:
- base
- sane
- scanservjs
- mod_auth_gssapi
- role: keytab
keytab_path: /etc/httpd/httpd.keytab
keytab_principals: HTTP/scan.foo.sh@FOO.SH
keytab_group: apache
tasks:
- name: Require authentication for scanservjs
ansible.builtin.copy:
dest: /etc/httpd/conf.local.d/scanservjs-auth.conf
content: |
<Location /scanservjs>
AuthType GSSAPI
GssapiBasicAuth On
AuthName "Password Required"
Require valid-user
</Location>
mode: "0644"
owner: root
group: "{{ ansible_wheel }}"
notify: Restart apache

11
playbooks/shell.yml
View file

@ -15,7 +15,7 @@
roles:
- base
- role: keytab
keytab_principals:
principals:
- "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
- "nfs/{{ inventory_hostname }}@{{ kerberos_realm }}"
- nfs_client
@ -24,8 +24,9 @@
- thinlinc_server
- epel_repo
- foosh_repo
- role: nginx
nginx_plaintext: true
- powertools_repo
- role: nginx/server
plaintext: true
tasks:
- name: Install extra package groups
@ -62,7 +63,6 @@
- pandoc
- php-cli
- python3-netaddr
- python3-requests
- rcs
- rpmlint
- syslinux
@ -71,6 +71,7 @@
- tmux
- whois
- wireshark
- wkhtmltopdf
- yamllint
- zsh
loop_control:
@ -97,6 +98,6 @@
content: |
Host *.home.foo.sh !gw.home.foo.sh
ProxyJump root@gw.home.foo.sh
mode: "0644"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"

4
playbooks/static.yml
View file

@ -15,7 +15,7 @@
roles:
- base
- role: keytab
keytab_principals:
principals:
- "host/{{ inventory_hostname }}@FOO.SH"
- "nfs/{{ inventory_hostname }}@FOO.SH"
- nfs_client
@ -48,7 +48,7 @@
AllowOverride AuthConfig FileInfo Indexes Limit
Require all granted
</Directory>
mode: "0644"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
notify: Restart apache

8
playbooks/vmhost.yml
View file

@ -17,7 +17,6 @@
passno: "0"
dump: "0"
state: mounted
when: inventory_hostname == "vmhost02.home.foo.sh"
- name: Mount /export/libvirt/nvme
ansible.posix.mount:
name: /export/libvirt/nvme
@ -27,10 +26,10 @@
passno: "0"
dump: "0"
state: mounted
- name: Mount /export/libvirt/os
- name: Mount /export/libvirt/ssd
ansible.posix.mount:
name: /export/libvirt/os
src: LABEL=os
name: /export/libvirt/ssd
src: LABEL=ssd
fstype: xfs
opts: noatime,noexec,nosuid,nodev
passno: "0"
@ -40,4 +39,3 @@
roles:
- base
- kvm_host
- ssh_known_hosts

68
playbooks/frigate.yml → playbooks/zm.yml
View file

@ -2,10 +2,10 @@
- name: Deploy KVM virtual machines
ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
vars:
myhosts: frigate
myhosts: zm
- name: Configure instance
hosts: frigate
hosts: zm
user: root
gather_facts: true
@ -13,54 +13,74 @@
- "{{ ansible_private }}/vars.yml"
pre_tasks:
- name: Mount datadirectories
- name: Mount /export
ansible.posix.mount:
name: "/export/frigate/{{ item }}"
src: "LABEL={{ item }}"
name: /export
src: LABEL=/export
fstype: xfs
opts: noatime,noexec,nosuid,nodev
passno: "0"
dump: "0"
state: mounted
with_items:
- config
- media
roles:
- base
- mod_auth_gssapi
- role: keytab
keytab_path: /etc/httpd/httpd.keytab
keytab_principals: HTTP/cctv.foo.sh@FOO.SH
keytab_group: apache
keytab: /etc/httpd/httpd.keytab
principals: HTTP/zm.foo.sh@FOO.SH
group: apache
tasks:
- name: Run handlers to get interfaces configured
ansible.builtin.meta: flush_handlers
# TODO: this should really be fixed
- name: Put selinux in permissive state
ansible.posix.selinux:
policy: targeted
state: permissive
- name: Copy DNS zone files
ansible.builtin.copy:
dest: "/var/lib/unbound/{{ item }}"
src: "/srv/dns/{{ item }}"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
tags: dns
notify: Restart unbound
with_items:
- 26.20.172.in-addr.arpa
- cam.foo.sh
- name: Include unbound role
ansible.builtin.import_role:
name: unbound
- name: Run handlers to get interfaces configured
ansible.builtin.meta: flush_handlers
- name: Include dhcpd role
- name: Include dhcpd and zoneminder roles
ansible.builtin.include_role:
name: dhcpd
name: "{{ item }}"
with_items:
- dhcpd
- zoneminder
- name: Include frigate role
ansible.builtin.include_role:
name: frigate
- name: Install extra packages for debugging
ansible.builtin.package:
name: rtmpdump
state: installed
- name: Require authentication for frigate
- name: Require authentication for zoneminder
ansible.builtin.copy:
dest: /etc/httpd/conf.local.d/frigate-auth.conf
dest: /etc/httpd/conf.local.d/zoneminder-auth.conf
content: |
<Location /frigate>
<Location /zm>
AuthType GSSAPI
GssapiBasicAuth On
GssapiBasicAuth Off
AuthName "Password Required"
Require valid-user
</Location>
mode: "0644"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
notify: Restart apache

86
roles/ansible_host/files/urls.py.patch
View file

@ -1,86 +0,0 @@
--- ./urls.py.orig 2024-03-27 18:55:18.077213253 +0000
+++ urls.py 2024-03-27 18:21:07.613270952 +0000
@@ -535,15 +535,18 @@
UnixHTTPSConnection = None
if hasattr(httplib, 'HTTPSConnection') and hasattr(urllib_request, 'HTTPSHandler'):
class CustomHTTPSConnection(httplib.HTTPSConnection): # type: ignore[no-redef]
- def __init__(self, *args, **kwargs):
+ def __init__(self, client_cert=None, client_key=None, *args, **kwargs):
httplib.HTTPSConnection.__init__(self, *args, **kwargs)
self.context = None
if HAS_SSLCONTEXT:
self.context = self._context
elif HAS_URLLIB3_PYOPENSSLCONTEXT:
self.context = self._context = PyOpenSSLContext(PROTOCOL)
- if self.context and self.cert_file:
- self.context.load_cert_chain(self.cert_file, self.key_file)
+
+ self._client_cert = client_cert
+ self._client_key = client_key
+ if self.context and self._client_cert:
+ self.context.load_cert_chain(self._client_cert, self._client_key)
def connect(self):
"Connect to a host on a given (SSL) port."
@@ -564,10 +567,10 @@
if HAS_SSLCONTEXT or HAS_URLLIB3_PYOPENSSLCONTEXT:
self.sock = self.context.wrap_socket(sock, server_hostname=server_hostname)
elif HAS_URLLIB3_SSL_WRAP_SOCKET:
- self.sock = ssl_wrap_socket(sock, keyfile=self.key_file, cert_reqs=ssl.CERT_NONE, # pylint: disable=used-before-assignment
- certfile=self.cert_file, ssl_version=PROTOCOL, server_hostname=server_hostname)
+ self.sock = ssl_wrap_socket(sock, keyfile=self._client_key, cert_reqs=ssl.CERT_NONE, # pylint: disable=used-before-assignment
+ certfile=self._client_cert, ssl_version=PROTOCOL, server_hostname=server_hostname)
else:
- self.sock = ssl.wrap_socket(sock, keyfile=self.key_file, certfile=self.cert_file, ssl_version=PROTOCOL)
+ self.sock = ssl.wrap_socket(sock, keyfile=self._client_key, certfile=self._client_cert, ssl_version=PROTOCOL)
class CustomHTTPSHandler(urllib_request.HTTPSHandler): # type: ignore[no-redef]
@@ -602,10 +605,6 @@
return self.do_open(self._build_https_connection, req)
def _build_https_connection(self, host, **kwargs):
- kwargs.update({
- 'cert_file': self.client_cert,
- 'key_file': self.client_key,
- })
try:
kwargs['context'] = self._context
except AttributeError:
@@ -613,7 +612,7 @@
if self._unix_socket:
return UnixHTTPSConnection(self._unix_socket)(host, **kwargs)
if not HAS_SSLCONTEXT:
- return CustomHTTPSConnection(host, **kwargs)
+ return CustomHTTPSConnection(host, client_cert=self.client_cert, client_key=self.client_key, **kwargs)
return httplib.HTTPSConnection(host, **kwargs)
@contextmanager
@@ -979,7 +978,7 @@
pass
-def make_context(cafile=None, cadata=None, ciphers=None, validate_certs=True):
+def make_context(cafile=None, cadata=None, ciphers=None, validate_certs=True, client_cert=None, client_key=None):
if ciphers is None:
ciphers = []
@@ -1006,6 +1005,9 @@
if ciphers:
context.set_ciphers(':'.join(map(to_native, ciphers)))
+ if client_cert:
+ context.load_cert_chain(client_cert, keyfile=client_key)
+
return context
@@ -1514,6 +1516,8 @@
cadata=cadata,
ciphers=ciphers,
validate_certs=validate_certs,
+ client_cert=client_cert,
+ client_key=client_key,
)
handlers.append(HTTPSClientAuthHandler(client_cert=client_cert,
client_key=client_key,

2
roles/ansible_host/meta/main.yml
View file

@ -2,4 +2,4 @@
dependencies:
- {role: epel_repo}
- {role: git}
- {role: nginx}
- {role: nginx/server}

37
roles/ansible_host/tasks/main.yml
View file

@ -7,22 +7,35 @@
- ansible
- ansible-collection-ansible-posix
- ansible-collection-community-general
- patch # needed in next step
- python3.9-dns # required for lookup('dig', 'hostname')
- python3.9-ldap # required for ldap modules
- python3.9-netaddr # required by iptables role
- python3.11-dns # required for lookup('dig', 'hostname')
- python3-netaddr # required by iptables role
- name: Patch ansible to support python 3.12 clients
ansible.posix.patch:
src: urls.py.patch
dest: /usr/lib/python3.9/site-packages/ansible/module_utils/urls.py
- name: Create python3.11 lib directories
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: 0755
owner: root
group: "{{ ansible_wheel }}"
with_items:
- /usr/local/lib/python3.11
- /usr/local/lib/python3.11/site-packages
- name: Kludge to add netaddr to python3.11 until package is released
ansible.builtin.copy:
dest: /usr/local/lib/python3.11/site-packages/netaddr
src: /usr/lib/python3.9/site-packages/netaddr
mode: preserve
owner: root
group: "{{ ansible_wheel }}"
remote_src: true
- name: Create private directory and force permissions
ansible.builtin.file:
path: /export/private
owner: root
group: root
mode: "0700"
mode: 0700
state: directory
- name: Link private directory
@ -42,7 +55,7 @@
- name: Clone ansible repository
ansible.builtin.git:
dest: /srv/ansible
repo: https://git.foo.sh/foo.sh/ansible.git
repo: https://git.foo.sh/ansible.git
update: false
version: master
@ -59,7 +72,7 @@
ansible.builtin.copy:
src: nginx.conf
dest: /etc/nginx/conf.d/{{ inventory_hostname }}/ansible.conf
mode: "0644"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
notify: Restart nginx
@ -70,4 +83,4 @@
src: root-bashrc.sh
owner: root
group: "{{ ansible_wheel }}"
mode: "0600"
mode: 0600

6
roles/apache/tasks/main.yml
View file

@ -40,7 +40,7 @@
ansible.builtin.file:
state: directory
path: "{{ item }}"
mode: "0755"
mode: 0755
owner: root
group: "{{ ansible_wheel }}"
seuser: _default
@ -54,7 +54,7 @@
ansible.builtin.template:
src: ssl.conf.j2
dest: /etc/httpd/conf.local.d/ssl.conf
mode: "0644"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
notify: Restart apache
@ -63,7 +63,7 @@
ansible.builtin.template:
src: site.conf.j2
dest: "/etc/httpd/conf.local.d/{{ inventory_hostname }}.conf"
mode: "0644"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
notify: Restart apache

5065
roles/aten_pdu/files/ATEN-PE-CFG_str_1.3.128.mib
View file

File diff suppressed because it is too large Load diff

93
roles/aten_pdu/files/aten-mqtt-publish.sh
View file

@ -1,93 +0,0 @@
#!/bin/sh
set -eu
umask 077
community="public"
if [ "${1:-}" = "-n" ]; then
_noop=true
else
_noop=false
fi
mqtt_send() {
topic="$1"
value="$2"
tlsdir="$(openssl version -d | sed -e 's/^OPENSSLDIR: "\(.\+\)"$/\1/')"
mosquitto_pub -h mqtt02.home.foo.sh -t "$topic" -m "$value" \
--cafile "${tlsdir}/certs/ca.crt" \
--key "${tlsdir}/private/$(hostname -f).key" \
--cert "${tlsdir}/certs/$(hostname -f).crt"
}
snmp_get() {
host="$1"
key="$2"
snmpget -v 1 -c "$community" "$host" -Oqv -m ATEN-PE-CFG "$key" | tr -d '"'
}
# only run script if first vrrp interface is in master state
for state in /run/keepalived/*.state ; do
if [ "$(cat "$state")" != "MASTER" ]; then
exit 0
fi
break
done
ldapsearch -Q -LLL "(&(objectClass=device)(description=Aten PE*))" cn l | awk '
{
if ($1 == "cn:") {
cn = $2
}
if ($1 == "l:") {
l = substr($0, 3)
}
if ($0 == "" && cn != "" && l != "") {
print cn l
cn = ""
l = ""
}
}
' | while read -r name location
do
snmpwalk -v 1 -c "$community" "$name" -Oq \
-m ATEN-PE-CFG ATEN-PE-CFG::outletName | while read -r port device
do
port="$(echo "$port" | cut -d '.' -f 2)"
device="$(echo "$device" | tr -d '"')"
case "$device" in
"N/A"|"00 "|"unused")
continue
;;
esac
if device_name="$(ldapsearch -Q -LLL \
"(&(objectClass=device)(cn=${device}.*))" cn | awk "
{
if (\$1 == \"cn:\") {
if (name) {
exit 1
}
name=\$2
}
} END {
if (!name) {
exit 1
}
print name
}
")" ; then
device="$device_name"
fi
for key in Current Power Voltage ; do
topic="home/${location}/${device}/$(echo "$key" | tr '[:upper:]' '[:lower:]')"
value="$(snmp_get "$name" "ATEN-PE-CFG::outlet${key}.${port}")"
if $_noop ; then
echo "${topic} -> ${value}"
else
mqtt_send "$topic" "$value"
fi
done
done
done

3
roles/aten_pdu/meta/main.yml
View file

@ -1,3 +0,0 @@
---
dependencies:
- {role: ldap}

31
roles/aten_pdu/tasks/main.yml
View file

@ -1,31 +0,0 @@
---
- name: Install packages
ansible.builtin.package:
name: "{{ item }}"
state: installed
with_items:
- mosquitto
- net-snmp-utils
# https://www.aten.com/eu/en/products/power-distribution-&-racks/rack-pdu/pe8108/
- name: Install custom mib
ansible.builtin.copy:
dest: /usr/share/snmp/mibs/ATEN-PE-CFG.txt
src: ATEN-PE-CFG_str_1.3.128.mib
mode: "0644"
owner: root
group: "{{ ansible_wheel }}"
- name: Install mqtt publish script
ansible.builtin.copy:
dest: /usr/local/bin/aten-mqtt-publish
src: aten-mqtt-publish.sh
mode: "0755"
owner: root
group: "{{ ansible_wheel }}"
- name: Add mqtt publish cron job
ansible.builtin.cron:
name: aten-mqtt-publish
job: /usr/local/bin/aten-mqtt-publish
minute: "*/5"

4
roles/audiobookshelf/files/audiobookshelf.default
View file

@ -1,4 +0,0 @@
METADATA_PATH=/srv/audiobookshelf/metadata
CONFIG_PATH=/srv/audiobookshelf/config
PORT=13378
HOST=127.0.0.1

30
roles/audiobookshelf/files/meta.md
View file

@ -1,30 +0,0 @@
= Preparing files for upload =
== Filenames ==
Filenames should always contain track number (and optionally disc number) with leading zeros first and subtitle after that. Few exmaples:
```
01. Luku.mp3
01. Osa.mp3
CD 1 - 01.mp3
```
Directory should also contain `cover.jpg` with book cover picture and `desc.txt` containing book description.
== Metadata (id3 tags) ==
First clear old tags then set new ones:
```
id3v2 -D "01. Osa.mp3"
id3v2 \
--TPE1 "Douglas Adams" \
--TALB "$(echo 'Linnunradan käsikirja liftareille' | iconv -f utf-8 -t iso-8859-1)" \
--TCOM "$(echo 'Heikki Kinnunen,Pekka Autiovuori,Yrjö Järvinen,Martti Järvinen,Esa Saario,Kauko Helavirta,Aila Svedberg' | iconv -f utf-8 -t iso-8859-1)" \
--TLAN "fi" \
--TPUB "Yleisradio" \
--TYER 1984 \
--genre "Science Fiction/Fiction/Humor" \
"01. Osa.mp3"
```

5
roles/audiobookshelf/handlers/main.yml
View file

@ -1,5 +0,0 @@
---
- name: Restart audiobookshelf
ansible.builtin.service:
name: audiobookshelf
state: restarted

3
roles/audiobookshelf/meta/main.yml
View file

@ -1,3 +0,0 @@
---
dependencies:
- {role: nginx}

90
roles/audiobookshelf/tasks/main.yml
View file

@ -1,90 +0,0 @@
---
- name: Enable repository
ansible.builtin.yum_repository:
name: audiobookshelf
baseurl: https://raw.githubusercontent.com/lkiesow/audiobookshelf-rpm/el$releasever/
description: Audiobookshelf el$releasever repository
gpgcheck: true
gpgkey: https://raw.githubusercontent.com/lkiesow/audiobookshelf-rpm/main/audiobookshelf-rpm.key
enabled: true
- name: Install packcages
ansible.builtin.package:
name: audiobookshelf
state: present
- name: Create data directories
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0770"
owner: root
group: audiobookshelf
with_items:
- /export/audiobookshelf
- /export/audiobookshelf/audiobooks
- /export/audiobookshelf/config
- /export/audiobookshelf/metadata
- /export/audiobookshelf/podcasts
- /export/audiobookshelf/radioplays
- name: Link data directory
ansible.builtin.file:
dest: /srv/audiobookshelf
src: /export/audiobookshelf
state: link
owner: root
group: "{{ ansible_wheel }}"
follow: false
- name: Copy naming instructions
ansible.builtin.copy:
dest: /srv/audiobookshelf/audiobooks/README.md
src: meta.md
mode: "0644"
owner: root
group: "{{ ansible_wheel }}"
- name: Copy service config
ansible.builtin.copy:
dest: /etc/default/audiobookshelf
src: audiobookshelf.default
mode: "0644"
owner: root
group: "{{ ansible_wheel }}"
notify: Restart audiobookshelf
- name: Enable service
ansible.builtin.service:
name: audiobookshelf
state: started
enabled: true
- name: Allow nginx to connect audiobookshelf
ansible.posix.seboolean:
name: httpd_can_network_connect
state: true
persistent: true
- name: Copy nginx config
ansible.builtin.copy:
dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/audiobookshelf.conf"
content: |
location / {
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host audiobooks.foo.sh;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_pass http://127.0.0.1:13378/;
location /audiobookshelf/api/upload {
# increase size to allow uploads
client_max_body_size 10g;
proxy_pass http://127.0.0.1:13378/api/upload;
}
}
mode: "0644"
owner: root
group: "{{ ansible_wheel }}"
notify: Restart nginx

14
roles/authcheck/tasks/main.yml
View file

@ -10,19 +10,11 @@
group: authcheck
shell: /sbin/nologin
- name: Enable user lingering
ansible.builtin.command:
argv:
- loginctl
- enable-linger
- authcheck
creates: /var/lib/systemd/linger/authcheck
- name: Get container source
ansible.builtin.git:
dest: /usr/local/src/docker-authcheck
repo: https://github.com/foo-sh/docker-authcheck.git
update: true
update: false
version: main
notify: Rebuild authcheck-container
@ -30,7 +22,7 @@
ansible.builtin.template:
dest: /etc/systemd/system/authcheck-container.service
src: authcheck-container.service.j2
mode: "0644"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
@ -47,7 +39,7 @@
location /authcheck {
proxy_pass http://127.0.0.1:8003/;
}
mode: "0644"
mode: 0644
owner: root
group: "{{ ansible_wheel }}"
notify: Restart nginx

3
roles/autofs/defaults/main.yml
View file

@ -1,3 +0,0 @@
---
autofs_home: true
autofs_roles: true

Some files were not shown because too many files have changed in this diff Show more