Syntax changes

Try renaming file
Try another syntax
2023-07-20 17:45:46 +00:00 · 2023-07-20 17:44:11 +00:00 · 2023-07-20 17:42:41 +00:00
480 changed files with 2495 additions and 17290 deletions
--- a/.forgejo/workflows/test.yml
+++ b/.forgejo/workflows/test.yml
@ -1,21 +1,21 @@
 ---
 name: tests
-# yamllint disable-line rule:truthy
+run-name: just testing
-on:
+on: [push]
  - push
 jobs:
-  lint:
+  linter:
    name: run linter
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Install package dependencies
        run: |
-          apt-get install \
+          sudo apt-get install \
            ansible-lint \
            jsonlint \
            shellcheck \
            yamllint
          ln -s /usr/bin/jsonlint-php /usr/local/bin/jsonlint
      - name: Run linters
        run: make -C ./tests
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,2 @@
 .*.swp
 __pycache__
 files/ssh/backup.pub
--- a/container-ports.md
+++ b/container-ports.md
@ -1,16 +0,0 @@
 # Ports used by container web services
 | Port | Ansible role        | Service name               |
 |------|---------------------|----------------------------|
 | 8001 | kerberos_kdc        | Kerberos KDC               |
 | 8002 | grafana             | Grafana                    |
 | 8003 | authcheck           | Authentication check       |
 | 8004 | roundcube           | Roundcube webmail          |
 | 8005 | php4dvd             | php4dvd movie catalog      |
 | 8006 | scanservjs          | SANE Scanner webui         |
 | 8007 | frigate             | Network video recorder     |
 | 8008 | hoemeassistant      | Home Assistant             |
 | 8009 | rocketchat          | Rocket.Chat                |
 | 8010 | google-spell-pspell | Google Spell Check XML API |
 | 8011 | ipsilon             | Ipsilon Identity Provider  |
 | 8012 | nodered             | Node Red                   |
--- a/files/ssh/backup.pub
+++ b/files/ssh/backup.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdaNO9dLpI8CVx1rwGsKN45Pgiz+Btrlf2Q/nXCx4Ru root@backup02.home.foo.sh
--- a/files/ssh/logsync.pub
+++ b/files/ssh/logsync.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIlXfTeMQoYjYVXFH5qhp+YgIBM/1r+BwzME7aEOu2yE logsync@log01.home.foo.sh
--- a/group_vars/adm.yml
+++ b/group_vars/adm.yml
@ -1,44 +1,8 @@
 ---
 datadisks:
-  - {size: 10, type: nvme}
+  - {size: 10}
 chrony_allow:
  - 172.20.25.0/24
 unbound_zones:
  - 25.20.172.in-addr.arpa
  - oob.foo.sh
 dhcpd_template: dhcpd.conf.oob.j2
 dhcpd_ldap_filter: >-
  (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.oob.foo.sh))
 unbound_config: unbound.conf.oob.j2
 network_vip_interfaces:
  - device: eth0
    vhid: 11
    ipaddr: 172.20.20.21
    netmask: 255.255.240.0
    pass: "{{ vip21_pass }}"
  - device: eth1
    vhid: 25
    ipaddr: 172.20.25.1
    netmask: 255.255.255.0
    pass: "{{ vip25_pass }}"
    priority: "{{ vip25_priority }}"
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 25, from: [172.20.25.0/24]}
+  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 53, from: [172.20.25.0/24]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
  - {proto: udp, port: 53, from: [172.20.25.0/24]}
  - {proto: tcp, port: 80, from: [172.20.20.0/22]}
  - {proto: udp, port: 123, from: [172.20.25.0/24]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22, 172.20.25.0/24]}
  - {proto: udp, port: 514, from: [172.20.25.0/24]}
  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
  - {proto: tcp, port: 9116, from: [172.20.20.0/22]}
 firewall_raw:
  - "ip daddr 224.0.0.0/8 accept"
 sssd_allow_groups:
  - sysadm
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -28,13 +28,11 @@ tls_bundle: /etc/pki/tls/cert.pem
 # url where installer data is located
 boot_url: https://boot.foo.sh
-# default name servers
+# ssh public keys for logsync user
-network_dns_servers:
+logsync_publickeys: "{{ lookup('file', '../files/ssh/logsync.pub') }}"
-  - 8.8.8.8
+
-  - 8.8.4.4
+# ssh public keys for backup user
 backup_publickeys: "{{ lookup('file', '../files/ssh/backup.pub') }}"
 # hardcode this for now
 ansible_datacenter: home
 # use as generic as possible python binary so delegate_to works
 ansible_python_interpreter: python3
--- a/group_vars/backup.yml
+++ b/group_vars/backup.yml
@ -1,4 +1,3 @@
 ---
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/collab.yml
+++ b/group_vars/collab.yml
@ -5,4 +5,4 @@ datadisks:
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
--- a/group_vars/dnagw.yml
+++ b/group_vars/dnagw.yml
@ -1,75 +1,23 @@
 ---
 # increase memory size
 mem_size: 512
 intnet: "{{ network_interfaces[0].ipaddr + '/' + network_interfaces[0].netmask }}"
 intdomain: "{{ inventory_hostname.split('.')[1:] | join('.') }}"
 network_vip_interfaces:
  - device: vio0
    vhid: 1
-    ipaddr: "{{ intnet | ansible.utils.ipaddr(1) | ansible.utils.ipaddr('address') }}"
+    ipaddr: 172.20.20.1
-    netmask: "{{ intnet | ansible.utils.ipaddr('netmask') }}"
+    netmask: 255.255.252.0
    pass: "{{ vip1_pass }}"
    priority: 120
  - device: vio0
    vhid: 10
-    ipaddr: "{{ intnet | ansible.utils.ipaddr(10) | ansible.utils.ipaddr('address') }}"
+    ipaddr: 172.20.20.10
-    netmask: "{{ intnet | ansible.utils.ipaddr('netmask') }}"
+    netmask: 255.255.252.0
    pass: "{{ vip10_pass }}"
    priority: 120
  - device: vio0
    vhid: 11
    ipaddr: "{{ intnet | ansible.utils.ipaddr(11) | ansible.utils.ipaddr('address') }}"
    netmask: "{{ intnet | ansible.utils.ipaddr('netmask') }}"
    pass: "{{ vip11_pass }}"
    priority: "{{ vip11_priority }}"
  - device: vio0
    vhid: 12
    ipaddr: "{{ intnet | ansible.utils.ipaddr(12) | ansible.utils.ipaddr('address') }}"
    netmask: "{{ intnet | ansible.utils.ipaddr('netmask') }}"
    pass: "{{ vip12_pass }}"
    priority: "{{ vip12_priority }}"
 network_ether_interfaces:
  - device: vio1
    proto: none
 unbound_zones:
  - 144-28.96.16.37.in-addr.arpa
  - foo.sh
  - >-
    {% set reverse = intnet | ansible.utils.ipaddr('network') | ansible.utils.ipaddr('revdns') -%}
    {% if intnet | ansible.utils.ipaddr('prefix') < 24 -%}
    {{ reverse[:-1] | split('.', 2) | last -}}
    {% else -%}
    {{ reverse[:-1] | split('.', 1) | last -}}
    {% endif -%}
  - "{{ intdomain }}"
 # use custom firewall config
-firewall_src: pf.conf.gw_dna.j2
+firewall_src: pf.conf.gw_home
 # unbound config
 unbound_config: unbound.conf.dna.j2
 # get extra hosts from ldap
 dhcpd_ldap_filter: >-
  (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.{{ intdomain }}))
 # ifstated config
 ifstated_config: ifstated-dna.conf.j2
 # ntp settings
 ntpd_servers:
  - time1.google.com
  - time2.google.com
  - time3.google.com
  - time4.google.com
 ntpd_constraints:
  - "https://www.google.com"
 ntpd_listen:
  - "{{ network_interfaces[0].ipaddr }}"
 # ssh host alaises
 ssh_hostnames:
  - "gw.{{ intdomain }}"
--- a/group_vars/fedora.yml
+++ b/group_vars/fedora.yml
@ -1,7 +1,7 @@
 ---
 # default resources for new vm
 dsk_size: 20
-mem_size: 4096
+mem_size: 2048
 num_cpus: 2
 # extra args for virt-install
@ -18,7 +18,7 @@ ipcmd: >-
  {% endif %}
 virt_install_os_args: >-
  --location
-  https://nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/releases/41/Everything/x86_64/os/
+  https://nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/releases/38/Everything/x86_64/os/
  --extra-args
  "inst.ks={{ ks_file }}
  console=ttyS0
--- a/group_vars/forgejo.yml
+++ b/group_vars/forgejo.yml
@ -1,8 +0,0 @@
 ---
 datadisks:
  - {size: 10, type: nvme}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/frigate.yml
+++ b/group_vars/frigate.yml
@ -1,30 +0,0 @@
 ---
 mem_size: 8192
 num_cpus: 2
 datadisks:
  - {size: 50, type: nvme}
  - {size: 500, type: hdd}
 network_vip_interfaces:
  - device: eth1
    vhid: 26
    ipaddr: 172.20.26.1
    netmask: 255.255.0.0
    pass: "{{ vip26_pass }}"
 chrony_allow:
  - 172.20.26.0/24
 unbound_zones:
  - 26.20.172.in-addr.arpa
  - cam.foo.sh
 dhcpd_template: dhcpd.conf.cam.j2
 dhcpd_ldap_filter: >-
  (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.cam.foo.sh))
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
 firewall_raw:
  - "ip daddr 224.0.0.0/8 accept"
--- a/group_vars/fsolgw.yml
+++ b/group_vars/fsolgw.yml
@ -4,10 +4,9 @@ network_vip_interfaces:
    vhid: 145
    ipaddr: 37.16.96.145
    netmask: 255.255.255.240
    ip6addr: 2a00:4cc1:6:1006::1
    ip6netmask: 64
    pass: "{{ vip145_pass }}"
 network_dns_servers: [172.20.20.10, 172.20.21.1, 172.20.21.2]
 # use custom firewall and ifstated config
-firewall_src: pf.conf.gw_fsol.j2
+firewall_src: pf.conf.gw_fsol
 ifstated_config: ifstated-fsol.conf
--- a/group_vars/audiobooks.yml
+++ b/group_vars/audiobooks.yml
@ -1,8 +1,8 @@
 ---
 datadisks:
-  - {size: 50, type: hdd}
+  - {size: 10, type: hdd}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
--- a/group_vars/gitearunner.yml
+++ b/group_vars/gitearunner.yml
@ -0,0 +1,4 @@
 ---
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
--- a/group_vars/home.yml
+++ b/group_vars/home.yml
@ -1,9 +0,0 @@
 ---
 network_dns_servers:
  - 172.20.20.10
  - 172.20.20.11
  - 172.20.20.12
 ntpd_servers:
  - time1.home.foo.sh
  - time2.home.foo.sh
 chrony_servers: "{{ ntpd_servers }}"
--- a/group_vars/homeassistant.yml
+++ b/group_vars/homeassistant.yml
@ -1,8 +1,7 @@
 ---
 mem_size: 4096
 datadisks:
-  - {size: 10, type: nvme}
+  - {size: 10, type: hdd}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
--- a/group_vars/influxdb.yml
+++ b/group_vars/influxdb.yml
@ -5,4 +5,4 @@ datadisks:
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
--- a/group_vars/iot.yml
+++ b/group_vars/iot.yml
@ -1,9 +0,0 @@
 ---
 network_dns_servers:
  - 172.20.27.10
  - 172.20.27.11
  - 172.20.27.12
 ntpd_servers:
  - time1.iot.foo.sh
  - time2.iot.foo.sh
 chrony_servers: "{{ ntpd_servers }}"
--- a/group_vars/lan.yml
+++ b/group_vars/lan.yml
@ -1,9 +0,0 @@
 ---
 network_dns_servers:
  - 172.20.30.10
  - 172.20.30.11
  - 172.20.30.12
 ntpd_servers:
  - time1.lan.foo.sh
  - time2.lan.foo.sh
 chrony_servers: "{{ ntpd_servers }}"
--- a/group_vars/ldap.yml
+++ b/group_vars/ldap.yml
@ -3,5 +3,6 @@ saslauthd_mech: ldap
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
  - {proto: tcp, port: 636, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
--- a/group_vars/log.yml
+++ b/group_vars/log.yml
@ -1,9 +1,8 @@
 ---
 mem_size: 512
 datadisks:
-  - {size: 50, type: nvme}
+  - {size: 50}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
  - {proto: tcp, port: 6514}
--- a/group_vars/mail.yml
+++ b/group_vars/mail.yml
@ -1,7 +1,6 @@
 ---
 datadisks:
-  - {size: 10, type: nvme}
+  - {size: 10}
 mem_size: 4192
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
@ -11,7 +10,4 @@ firewall_in:
  - {proto: tcp, port: 465}
  - {proto: tcp, port: 587}
  - {proto: tcp, port: 993}
-  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
 sssd_allow_groups:
  - sysadm
--- a/group_vars/minecraft.yml
+++ b/group_vars/minecraft.yml
@ -1,9 +1,9 @@
 ---
 mem_size: 4096
 datadisks:
-  - {size: 100, type: nvme}
+  - {size: 100}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 9100, from: [172.20.30.0/24]}
+  - {proto: tcp, port: 4949, from: [172.20.30.0/24]}
  - {proto: tcp, port: 25565, from: [172.20.30.0/24]}
  - {proto: udp, port: 25565, from: [172.20.30.0/24]}
--- a/group_vars/mirror.yml
+++ b/group_vars/mirror.yml
@ -1,9 +1,10 @@
 ---
 datadisks:
-  - {size: 1500, type: hdd}
+  - {size: 1000}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
  - {proto: tcp, port: 873, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
--- a/group_vars/mongodb.yml
+++ b/group_vars/mongodb.yml
@ -4,4 +4,3 @@ datadisks:
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 27017, from: [172.20.20.0/22]}
  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/mqtt.yml
+++ b/group_vars/mqtt.yml
@ -3,12 +3,5 @@ firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.27.0/24]}
  - {proto: tcp, port: 1883, from: [172.20.27.0/24]}
-  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
  - {proto: tcp, port: 8883, from: [172.20.20.0/22, 172.20.27.0/24]}
 network_vip_interfaces:
  - device: vio1
    vhid: 13
    ipaddr: 172.20.27.13
    netmask: 255.255.255.0
    pass: "{{ vip13_pass }}"
--- a/group_vars/nas.yml
+++ b/group_vars/nas.yml
@ -2,14 +2,11 @@
 mem_size: 8192
 num_cpus: 2
 datadisks:
-  - {size: 500, type: hdd}
+  - {size: 1000}
-  - {size: 50, type: nvme}
+  - {size: 400, type: nvme}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 2049, from: [172.20.20.0/22]}
  - {proto: tcp, port: 2049, from: [172.20.30.0/24]}
-  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
 sssd_allow_groups:
  - root
--- a/group_vars/nms.yml
+++ b/group_vars/nms.yml
@ -0,0 +1,25 @@
 ---
 datadisks:
  - {size: 10}
 network_vip_interfaces:
  - device: eth1
    vhid: 25
    ipaddr: 172.20.25.1
    netmask: 255.255.0.0
    pass: "{{ vip25_pass }}"
    priority: "{{ vip25_priority }}"
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 25, from: [172.20.25.0/24]}
  - {proto: tcp, port: 53, from: [172.20.25.0/24]}
  - {proto: udp, port: 53, from: [172.20.25.0/24]}
  - {proto: udp, port: 69, from: [172.20.25.0/24]}
  - {proto: udp, port: 123, from: [172.20.25.0/24]}
  - {proto: tcp, port: 443, from: [172.20.25.0/24]}
  - {proto: udp, port: 514, from: [172.20.25.0/24]}
  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
 firewall_raw:
  - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
  - "-A INPUT -i eth1 -p vrrp -j ACCEPT"
--- a/group_vars/ns.yml
+++ b/group_vars/ns.yml
@ -1,13 +1,12 @@
 ---
 firewall_in:
-  - {proto: tcp, port: 22, from: [172.20.20.0/22, "{{ gw_home_ip }}/32"]}
+  - {proto: tcp, port: 22, from: [172.20.20.0/22, 81.175.130.44/32]}
  - {proto: tcp, port: 53}
  - {proto: udp, port: 53}
  - {proto: tcp, port: 80}
  - {proto: tcp, port: 443}
  - {proto: tcp, port: 853}
-  - {proto: tcp, port: 9100}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22, 81.175.130.44/32]}
  - {proto: tcp, port: 9115}
 firewall_raw:
  - pass quick proto carp
--- a/group_vars/ocinode.yml
+++ b/group_vars/ocinode.yml
@ -1,10 +1,7 @@
 ---
 # increase memory size
-mem_size: 8192
+mem_size: 4192
 # increase disk size to store docker images
 dsk_size: 100
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/openbsd.yml
+++ b/group_vars/openbsd.yml
@ -1,4 +1,7 @@
 ---
 # fix python path errors
 ansible_python_interpreter: "/usr/local/bin/python3"
 # we have real wheel group
 ansible_wheel: wheel
@ -14,9 +17,5 @@ num_cpus: 2
 # extra args for virt-install
 virt_install_os_args: --cdrom {{ boot_url }}/openbsd/openbsd.iso
-virt_install_os_variant: openbsd7.6
+virt_install_os_variant: openbsd7.0
-virt_install_python_cmd:
+virt_install_python_cmd: pkg_add python3 -I -x
  - pkg_add
  - -I
  - -x
  - python%3
--- a/group_vars/print.yml
+++ b/group_vars/print.yml
@ -7,20 +7,14 @@ network_vip_interfaces:
    pass: "{{ vip24_pass }}"
    priority: "{{ vip24_priority }}"
 dhcpd_template: dhcpd.conf.print.j2
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 53, from: [172.20.24.0/24]}
  - {proto: udp, port: 53, from: [172.20.24.0/24]}
  - {proto: tcp, port: 631, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
 firewall_raw:
-  - "ip daddr 224.0.0.0/8 accept"
+  - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
-
+  - "-A INPUT -i eth1 -p vrrp -j ACCEPT"
 dhcpd_template: dhcpd.conf.print.j2
 dhcpd_ldap_filter: >-
  (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.print.foo.sh))
 sssd_allow_groups:
  - sysadm
 unbound_zones:
  - 24.20.172.in-addr.arpa
  - print.foo.sh
--- a/group_vars/prometheus.yml
+++ b/group_vars/prometheus.yml
@ -1,8 +0,0 @@
 ---
 datadisks:
  - {size: 100, type: nvme}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/proxy.yml
+++ b/group_vars/proxy.yml
@ -4,6 +4,12 @@ mem_size: 1024
 # use bigger disk for os as we have web site data there
 dsk_size: 30
 network_dns_servers:
  - 172.20.20.10
  - 172.20.21.7
  - 172.20.21.8
 network_dns_search:
  - foo.sh
 network_default_gateway: 37.16.96.145
 network_vip_interfaces:
@ -42,4 +48,6 @@ firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 80}
  - {proto: tcp, port: 443}
-  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 636}
  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
  - {proto: tcp, port: 6514}
--- a/group_vars/relay.yml
+++ b/group_vars/relay.yml
@ -1,4 +1,10 @@
 ---
 network_dns_servers:
  - 172.20.20.10
  - 172.20.21.7
  - 172.20.21.8
 network_dns_search:
  - foo.sh
 network_default_gateway: 37.16.96.145
 network_vip_interfaces:
@ -35,4 +41,3 @@ firewall_in:
  - {proto: tcp, port: 443}
  - {proto: tcp, port: 636}
  - {proto: tcp, port: 6514}
  - {proto: tcp, port: 9100}
--- a/group_vars/rocky10.yml
+++ b/group_vars/rocky10.yml
@ -1,29 +0,0 @@
 ---
 # default resources for new vm
 dsk_size: 20
 mem_size: 2048
 num_cpus: 2
 # extra args for virt-install
 ks_file: "{{ boot_url }}/ks/rocky10.ks"
 ipcmd: >-
  {% if network_interfaces[0]['proto'] is defined %}
  {%   if network_interfaces[0]['proto'] == 'static' %}
  {%     set int=network_interfaces[0] %}
  {%     if int['ipaddr'] is defined and int['gateway'] is defined %}
  nameserver=8.8.8.8
  ip={{ int['ipaddr'] }}::{{ int['gateway'] }}:{{ int['netmask'] }}::eth0:none
  {%     endif %}
  {%   endif %}
  {% endif %}
 virt_install_os_args: >-
  --location
  https://nic.funet.fi/pub/mirrors/rockylinux.org/10/BaseOS/x86_64/os
  --extra-args
  "inst.ks={{ ks_file }}
  console=ttyS0
  net.ifnames=0
  bootdev=eth0
  inst.repo=https://nic.funet.fi/pub/mirrors/rockylinux.org/10/BaseOS/x86_64/os
  {{ ipcmd }}"
 virt_install_os_variant: rhel10-unknown
--- a/group_vars/rocky8.yml
+++ b/group_vars/rocky8.yml
@ -4,9 +4,6 @@ dsk_size: 20
 mem_size: 2048
 num_cpus: 2
 # el8 hosts have different python
 ansible_python_interpreter: /usr/libexec/platform-python
 # extra args for virt-install
 ks_file: "{{ boot_url }}/ks/rocky8.ks"
 ipcmd: >-
--- a/group_vars/sane.yml
+++ b/group_vars/sane.yml
@ -1,5 +0,0 @@
 ---
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/shell.yml
+++ b/group_vars/shell.yml
@ -1,4 +1,6 @@
 ---
 # beef up shell hosts
 dsk_size: 40
 mem_size: 8192
 num_cpus: 4
@ -7,10 +9,4 @@ firewall_in:
  - {proto: tcp, port: 22}
  - {proto: tcp, port: 80}
  - {proto: tcp, port: 443}
-  - {proto: tcp, port: 9100, from: [212.149.248.65/32]}
+  - {proto: tcp, port: 4949, from: [81.175.130.44/32]}
 ssh_hostnames:
  - shell.foo.sh
 sssd_allow_groups:
  - foosh
--- a/group_vars/sqldb.yml
+++ b/group_vars/sqldb.yml
@ -1,8 +1,6 @@
 ---
 mem_size: 4096
 datadisks:
  - {size: 20, type: nvme}
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 3306, from: [172.20.20.0/22]}
  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
--- a/group_vars/static.yml
+++ b/group_vars/static.yml
@ -2,7 +2,4 @@
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
 sssd_allow_groups:
  - root
--- a/group_vars/vmhost.yml
+++ b/group_vars/vmhost.yml
@ -1,9 +1,4 @@
 ---
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
 chrony_servers:
  - time1.google.com
  - time2.google.com
  - time3.google.com
  - time4.google.com
--- a/group_vars/zm.yml
+++ b/group_vars/zm.yml
@ -0,0 +1,23 @@
 ---
 mem_size: 4096
 num_cpus: 2
 datadisks:
  - {size: 500}
 network_vip_interfaces:
  - device: eth1
    vhid: 26
    ipaddr: 172.20.26.1
    netmask: 255.255.0.0
    pass: "{{ vip26_pass }}"
 zm_mysql_host: sqldb02.home.foo.sh
 dhcpd_template: dhcpd.conf.cam.j2
 firewall_in:
  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
 firewall_raw:
  - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
  - "-A INPUT -i eth1 -p vrrp -j ACCEPT"
--- a/host_vars/adm01.home.foo.sh.yml
+++ b/host_vars/adm01.home.foo.sh.yml
@ -4,16 +4,3 @@ network_interfaces:
  - device: eth0
    vlan: 20
    mac: "52:54:00:ac:dc:0b"
  - device: eth1
    vlan: 25
    ipaddr: 172.20.25.2
    netmask: 255.255.255.0
    proto: static
    nameservers: [172.20.25.1, 172.20.25.2, 172.20.25.3]
  - device: eth2
    vlan: 103
    ipaddr: 192.168.100.2
    netmask: 255.255.255.248
    proto: static
 vip25_priority: 128
--- a/host_vars/adm02.home.foo.sh.yml
+++ b/host_vars/adm02.home.foo.sh.yml
@ -4,16 +4,3 @@ network_interfaces:
  - device: eth0
    vlan: 20
    mac: "52:54:00:ac:dc:0c"
  - device: eth1
    vlan: 25
    ipaddr: 172.20.25.3
    netmask: 255.255.255.0
    proto: static
    nameservers: [172.20.25.1, 172.20.25.2, 172.20.25.3]
  - device: eth2
    vlan: 103
    ipaddr: 192.168.100.3
    netmask: 255.255.255.248
    proto: static
 vip25_priority: 1
--- a/host_vars/audiobooks02.home.foo.sh.yml
+++ b/host_vars/audiobooks02.home.foo.sh.yml
@ -1,6 +0,0 @@
 ---
 vmhost: vmhost02.home.foo.sh
 network_interfaces:
  - device: eth0
    vlan: 20
    mac: "52:54:00:ac:dc:48"
--- a/host_vars/backup02.home.foo.sh.yml
+++ b/host_vars/backup02.home.foo.sh.yml
@ -6,5 +6,5 @@ network_interfaces:
    mac: 52:54:00:ac:dc:50
 datadisks:
  - {size: 1000}
-virt_install_devices:
+passthrough_devices:
-  - "02:04.0"
+  - "07:04.0"
--- a/host_vars/dna-gw01.home.foo.sh.yml
+++ b/host_vars/dna-gw01.home.foo.sh.yml
@ -10,5 +10,3 @@ network_interfaces:
  - device: vio1
    vlan: 103
    proto: none
 vip11_priority: 240
 vip12_priority: 120
--- a/host_vars/dna-gw02.home.foo.sh.yml
+++ b/host_vars/dna-gw02.home.foo.sh.yml
@ -10,5 +10,3 @@ network_interfaces:
  - device: vio1
    vlan: 103
    proto: none
 vip11_priority: 120
 vip12_priority: 240
--- a/host_vars/dna-gw03.lan.foo.sh.yml
+++ b/host_vars/dna-gw03.lan.foo.sh.yml
@ -1,14 +0,0 @@
 ---
 vmhost: vmhost01.home.foo.sh
 network_interfaces:
  - device: vio0
    vlan: 30
    mac: 52:54:00:ca:fe:03
    ipaddr: 172.20.30.3
    netmask: 255.255.255.0
    proto: static
  - device: vio1
    vlan: 103
    proto: none
 vip11_priority: 240
 vip12_priority: 120
--- a/host_vars/dna-gw04.lan.foo.sh.yml
+++ b/host_vars/dna-gw04.lan.foo.sh.yml
@ -1,14 +0,0 @@
 ---
 vmhost: vmhost02.home.foo.sh
 network_interfaces:
  - device: vio0
    vlan: 30
    mac: 52:54:00:ca:fe:04
    ipaddr: 172.20.30.4
    netmask: 255.255.255.0
    proto: static
  - device: vio1
    vlan: 103
    proto: none
 vip11_priority: 120
 vip12_priority: 240
--- a/host_vars/dna-gw05.iot.foo.sh.yml
+++ b/host_vars/dna-gw05.iot.foo.sh.yml
@ -1,14 +0,0 @@
 ---
 vmhost: vmhost01.home.foo.sh
 network_interfaces:
  - device: vio0
    vlan: 27
    mac: 52:54:00:da:da:05
    ipaddr: 172.20.27.5
    netmask: 255.255.255.0
    proto: static
  - device: vio1
    vlan: 103
    proto: none
 vip11_priority: 240
 vip12_priority: 120
--- a/host_vars/dna-gw06.iot.foo.sh.yml
+++ b/host_vars/dna-gw06.iot.foo.sh.yml
@ -1,14 +0,0 @@
 ---
 vmhost: vmhost02.home.foo.sh
 network_interfaces:
  - device: vio0
    vlan: 27
    mac: 52:54:00:da:da:06
    ipaddr: 172.20.27.6
    netmask: 255.255.255.0
    proto: static
  - device: vio1
    vlan: 103
    proto: none
 vip11_priority: 120
 vip12_priority: 240
--- a/host_vars/fsol-gw01.home.foo.sh.yml
+++ b/host_vars/fsol-gw01.home.foo.sh.yml
@ -15,7 +15,6 @@ network_interfaces:
  - device: vio2
    vlan: 103
    proto: dhcp
    rdomain: 1
  - device: vio3
    vlan: 102
    proto: none
--- a/host_vars/fsol-gw02.home.foo.sh.yml
+++ b/host_vars/fsol-gw02.home.foo.sh.yml
@ -15,7 +15,6 @@ network_interfaces:
  - device: vio2
    vlan: 103
    proto: dhcp
    rdomain: 1
  - device: vio3
    vlan: 102
    proto: none
--- a/host_vars/gitea-runner02.home.foo.sh.yml
+++ b/host_vars/gitea-runner02.home.foo.sh.yml
@ -3,4 +3,4 @@ vmhost: vmhost02.home.foo.sh
 network_interfaces:
  - device: eth0
    vlan: 20
-    mac: 52:54:00:ac:dc:80
+    mac: 52:54:00:ac:dc:7c
--- a/host_vars/mirror02.home.foo.sh.yml
+++ b/host_vars/mirror02.home.foo.sh.yml
@ -3,4 +3,4 @@ vmhost: vmhost02.home.foo.sh
 network_interfaces:
  - device: eth0
    vlan: 20
-    mac: 52:54:00:ac:dc:14
+    mac: 52:54:00:ac:dc:78
--- a/host_vars/homeassistant01.home.foo.sh.yml
+++ b/host_vars/homeassistant01.home.foo.sh.yml
@ -5,8 +5,6 @@ network_interfaces:
    vlan: 20
    mac: 52:54:00:ac:dc:73
  - device: eth1
-    mac: 52:54:00:da:da:15
+    vlan: 30
-    vlan: 27
+virt_install_devices:
-    ipaddr: 172.20.27.21
+  - 003.002
    netmask: 255.255.255.0
    proto: static
--- a/host_vars/ldap01.home.foo.sh.yml
+++ b/host_vars/ldap01.home.foo.sh.yml
@ -5,6 +5,6 @@ network_interfaces:
    vlan: 20
    mac: 52:54:00:ac:dc:1f
 datadisks:
-  - {size: 10, type: nvme}
+  - {size: 10}
 ldap_master: true
--- a/host_vars/prometheus01.home.foo.sh.yml
+++ b/host_vars/prometheus01.home.foo.sh.yml
@ -3,4 +3,4 @@ vmhost: vmhost01.home.foo.sh
 network_interfaces:
  - device: eth0
    vlan: 20
-    mac: "52:54:00:ac:dc:83"
+    mac: 52:54:00:ac:dc:13
--- a/host_vars/mqtt02.home.foo.sh.yml
+++ b/host_vars/mqtt02.home.foo.sh.yml
@ -6,7 +6,6 @@ network_interfaces:
    mac: 52:54:00:ac:dc:70
  - device: vio1
    vlan: 27
-    mac: 52:54:00:da:da:16
+    ipaddr: 172.20.27.3
    ipaddr: 172.20.27.22
    netmask: 255.255.255.0
    proto: static
--- a/host_vars/nas02.home.foo.sh.yml
+++ b/host_vars/nas02.home.foo.sh.yml
@ -6,6 +6,6 @@ network_interfaces:
    mac: 52:54:00:ac:dc:34
  - device: eth1
    vlan: 30
-    ipaddr: 172.20.30.32
+    ipaddr: 172.20.30.11
    netmask: 255.255.255.0
    proto: static
--- a/host_vars/nms01.home.foo.sh.yml
+++ b/host_vars/nms01.home.foo.sh.yml
@ -0,0 +1,20 @@
 ---
 vmhost: vmhost01.home.foo.sh
 network_interfaces:
  - device: eth0
    vlan: 20
    mac: "52:54:00:ac:dc:43"
    nameservers: []
  - device: eth1
    vlan: 25
    ipaddr: 172.20.25.2
    netmask: 255.255.255.0
    proto: static
    nameservers: [172.20.25.1, 172.20.25.2, 172.20.25.3]
  - device: eth2
    vlan: 103
    ipaddr: 192.168.100.2
    netmask: 255.255.255.248
    proto: static
 vip25_priority: 128
--- a/host_vars/nms02.home.foo.sh.yml
+++ b/host_vars/nms02.home.foo.sh.yml
@ -0,0 +1,20 @@
 ---
 vmhost: vmhost02.home.foo.sh
 network_interfaces:
  - device: eth0
    vlan: 20
    mac: "52:54:00:ac:dc:44"
    nameservers: []
  - device: eth1
    vlan: 25
    ipaddr: 172.20.25.3
    netmask: 255.255.255.0
    proto: static
    nameservers: [172.20.25.1, 172.20.25.2, 172.20.25.3]
  - device: eth2
    vlan: 103
    ipaddr: 192.168.100.3
    netmask: 255.255.255.248
    proto: static
 vip25_priority: 0
--- a/host_vars/oci-node01.home.foo.sh.yml
+++ b/host_vars/oci-node01.home.foo.sh.yml
@ -1,7 +1,5 @@
 ---
 vmhost: vmhost01.home.foo.sh
 datadisks:
  - {size: 10, type: nvme}
 network_interfaces:
  - device: eth0
    vlan: 20
--- a/host_vars/sane02.home.foo.sh.yml
+++ b/host_vars/sane02.home.foo.sh.yml
@ -1,8 +0,0 @@
 ---
 vmhost: vmhost02.home.foo.sh
 network_interfaces:
  - device: eth0
    vlan: 20
    mac: "52:54:00:ac:dc:88"
 virt_install_devices:
  - 001.003
--- a/host_vars/shell01.foo.sh.yml
+++ b/host_vars/shell01.foo.sh.yml
@ -12,5 +12,5 @@ network_interfaces:
    ipaddr: 172.20.30.21
    netmask: 255.255.255.0
    proto: static
-    nameservers: [172.20.30.10, 172.20.30.11, 172.20.30.12]
+    nameservers: [172.20.30.2]
    ip6addr: none
--- a/host_vars/shell02.foo.sh.yml
+++ b/host_vars/shell02.foo.sh.yml
@ -12,5 +12,5 @@ network_interfaces:
    ipaddr: 172.20.30.22
    netmask: 255.255.255.0
    proto: static
-    nameservers: [172.20.30.10, 172.20.30.11, 172.20.30.12]
+    nameservers: [172.20.30.2]
    ip6addr: none
--- a/host_vars/frigate02.home.foo.sh.yml
+++ b/host_vars/frigate02.home.foo.sh.yml
@ -3,7 +3,7 @@ vmhost: vmhost02.home.foo.sh
 network_interfaces:
  - device: eth0
    vlan: 20
-    mac: "52:54:00:ac:dc:8c"
+    mac: "52:54:00:ac:dc:4c"
    nameservers: []
  - device: eth1
    vlan: 26
@ -11,5 +11,3 @@ network_interfaces:
    netmask: 255.255.255.0
    proto: static
    nameservers: [172.20.26.1, 172.20.26.3]
 virt_install_devices:
  - 004.002
--- a/hosts.yml
+++ b/hosts.yml
@ -3,11 +3,6 @@ adm:
  hosts:
    adm01.home.foo.sh:
    adm02.home.foo.sh:
  vars:
    snmp_exporter_version: "0.29.0"
 audiobooks:
  hosts:
    audiobooks02.home.foo.sh:
 backup:
  hosts:
    backup02.home.foo.sh:
@ -15,52 +10,28 @@ collab:
  hosts:
    collab01.home.foo.sh:
 dnagw:
  children:
    dnagw_home:
      hosts:
        dna-gw01.home.foo.sh:
        dna-gw02.home.foo.sh:
    dnagw_lan:
      hosts:
        dna-gw03.lan.foo.sh:
        dna-gw04.lan.foo.sh:
      vars:
        ssh_jumphost: gw.lan.foo.sh
        ansible_ssh_common_args: "{{ ('-J root@' + ssh_jumphost) | default(undef) }}"
    dnagw_iot:
      hosts:
        dna-gw05.iot.foo.sh:
        dna-gw06.iot.foo.sh:
      vars:
        ssh_jumphost: gw.iot.foo.sh
        ansible_ssh_common_args: "{{ ('-J root@' + ssh_jumphost) | default(undef) }}"
 forgejo:
  hosts:
-    forgejo02.home.foo.sh:
+    dna-gw01.home.foo.sh:
-  vars:
+    dna-gw02.home.foo.sh:
    forgejo_version: "11.0.3"
 frigate:
  hosts:
    frigate02.home.foo.sh:
  vars:
    frigate_version: "0.15.1"
 fsolgw:
  hosts:
    fsol-gw01.home.foo.sh:
    fsol-gw02.home.foo.sh:
 gitea:
  hosts:
    gitea02.home.foo.sh:
  vars:
    gitea_version: "1.19.4"
 gitearunner:
  hosts:
    gitea-runner02.home.foo.sh:
  vars:
    gitea_runner_version: "0.2.3"
 homeassistant:
  hosts:
    homeassistant01.home.foo.sh:
  vars:
-    homeassistant_version: "2025.7.1"
+    homeassistant_version: "2023.7"
    homeassistant_integrations:
      - name: electrolux_status
        repo: https://github.com/albaintor/homeassistant_electrolux_status.git
        version: v2.2.0
      - name: espsomfy_rts
        repo: https://github.com/rstrouse/ESPSomfy-RTS-HA.git
        version: v2.4.7
    nodered_version: 4.0.9
 influxdb:
  hosts:
    influxdb01.home.foo.sh:
@ -74,14 +45,12 @@ log:
 mail:
  hosts:
    mail02.home.foo.sh:
  vars:
    opendkim_selector: 20250601
 minecraft:
  hosts:
    minecraft01.home.foo.sh:
 mirror:
  hosts:
-    mirror02.home.foo.sh:
+    mirror01.home.foo.sh:
 mongodb:
  hosts:
    mongodb01.home.foo.sh:
@ -91,6 +60,10 @@ mqtt:
 nas:
  hosts:
    nas02.home.foo.sh:
 nms:
  hosts:
    nms01.home.foo.sh:
    nms02.home.foo.sh:
 ns:
  hosts:
    ns01.home.foo.sh:
@ -101,35 +74,20 @@ ocinode:
    oci-node01.home.foo.sh:
    oci-node02.home.foo.sh:
  vars:
-    grafana_version: "12.0.2"
+    grafana_version: "10.0.2"
-    phpldapadmin_version: "2.2.1"
+    rocketchat_version: "6.2.10"
-    rocketchat_version: "7.8.0"
+    roundcube_version: "1.6.1"
    roundcube_version: "1.6.11"
 print:
  hosts:
    print01.home.foo.sh:
 prometheus:
  hosts:
    prometheus01.home.foo.sh:
  vars:
    mysqld_exporter_version: "0.17.2"
    nginx_exporter_version: "1.4.2"
 proxy:
  hosts:
    proxy01.home.foo.sh:
    proxy02.home.foo.sh:
 redis:
  hosts:
    redis01.home.foo.sh:
 relay:
  hosts:
    relay01.home.foo.sh:
    relay02.home.foo.sh:
 sane:
  hosts:
    sane02.home.foo.sh:
  vars:
    scanservjs_version: "v3.0.3"
 shell:
  hosts:
    shell01.foo.sh:
@ -145,15 +103,23 @@ vmhost:
  hosts:
    vmhost01.home.foo.sh:
    vmhost02.home.foo.sh:
 zm:
  hosts:
    zm02.home.foo.sh:
 sftpbackup:
  children:
    collab:
    ldap:
    mongodb:
    sqldb:
 vultr:
  hosts:
    atl01.vultr.foo.sh:
 fedora:
  children:
    gitearunner:
 openbsd:
  children:
    backup:
@ -163,30 +129,27 @@ openbsd:
    mqtt:
    ns:
    proxy:
    redis:
    relay:
 rocky8:
  children:
    collab:
    homeassistant:
    mail:
    minecraft:
    nas:
    nms:
    ocinode:
    print:
    shell:
    zm:
 rocky9:
  children:
    adm:
-    audiobooks:
+    gitea:
    forgejo:
    frigate:
    homeassistant:
    influxdb:
    ldap:
    mail:
    minecraft:
    mirror:
    mongodb:
    nas:
    ocinode:
    print:
    prometheus:
    sane:
    shell:
    sqldb:
    static:
    vmhost:
--- a/playbooks/adm.yml
+++ b/playbooks/adm.yml
@ -18,7 +18,7 @@
        name: /export
        src: LABEL=/export
        fstype: xfs
-        opts: noatime,nosuid,nodev
+        opts: noatime,noexec,nosuid,nodev
        passno: "0"
        dump: "0"
        state: mounted
@ -27,71 +27,30 @@
    - base
    - ansible_host
    - certbot
    - cups
    - nginx
    - role: nginx_site
      nginx_site_name: oob.foo.sh
      nginx_site_plaintest: false
    - sshca
    - ssh_known_hosts
    - role: keytab
-      keytab_principals:
+      principals:
        - "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
    - nfs_client
    - role: autofs
      autofs_home: false
    - sssd
    - mkhomedir
    - aten_pdu
    - routeros
    - rpm_build
    - snmp_exporter
    - web_build
  tasks:
    - name: Run handlers to get interfaces configured
      ansible.builtin.meta: flush_handlers
    - name: Enable UDP rsyslog server
      ansible.builtin.import_role:
        name: rsyslog
        tasks_from: udp-listen
    - name: Enable postfix mail relay
      ansible.builtin.import_role:
        name: postfix
        tasks_from: relay
      vars:
        relay_domains: [foo.sh]
    - name: Import unbound role
      ansible.builtin.import_role:
        name: unbound
    - name: Import dhcpd role
      ansible.builtin.import_role:
        name: dhcpd
    - name: Install packages
      ansible.builtin.package:
        name: "{{ item }}"
        state: installed
      with_items:
        - emacs-nox           # more editors
        - httpd-tools         # htpasswd
        - knot-utils          # kdig (dns over tls)
        - libvirt-client      # kvm host client
        - make                # generic building
        - mariadb             # mariadb client tools
        - mosquitto           # mqtt reading
        - nano                # more editors
        - nmap                # check for open ports
        - nsd                 # check dns zone files
        - podman              # building containers
        - pylint              # python linting
        - python3-flake8      # python linting
        - speedtest-cli       # testing network speed
        - ShellCheck          # shell script linting
        - virt-install        # install kvm guests
        - wget                # still in backbone for downloads
        - whois               # read whois data
@ -104,79 +63,6 @@
          Host shell??.foo.sh
            CheckHostIP no
        dest: /root/.ssh/config
-        mode: "0600"
+        mode: 0600
        owner: root
        group: "{{ ansible_wheel }}"
    - name: Configure jumphosts
      ansible.builtin.copy:
        dest: /etc/ssh/ssh_config.d/jumphost.conf
        content: |
          Host *.iot.foo.sh !gw.iot.foo.sh
            ProxyJump gw.iot.foo.sh
          Host *.lan.foo.sh !gw.lan.foo.sh
            ProxyJump gw.lan.foo.sh
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
    - name: Clone dns repo
      ansible.builtin.git:
        dest: /export/dns
        repo: https://adm01.home.foo.sh/dns.git
        update: true
        version: master
      environment:
        GIT_SSL_CAINFO: "{{ tls_certs }}/ca.crt"
        GIT_SSL_CERT: "{{ tls_certs }}/{{ inventory_hostname }}.crt"
        GIT_SSL_KEY: "{{ tls_private }}/{{ inventory_hostname }}.key"
      when: 'inventory_hostname != "adm01.home.foo.sh"'
    - name: Link dns repo
      ansible.builtin.file:
        dest: /srv/dns
        src: /export/dns
        state: link
        owner: root
        group: "{{ ansible_wheel }}"
        follow: false
    - name: Add cron job to sync dns repo
      ansible.builtin.cron:
        name: sync dns repository
        job: >-
          GIT_SSL_CAINFO="{{ tls_certs }}/ca.crt"
          GIT_SSL_CERT="{{ tls_certs }}/{{ inventory_hostname }}.crt"
          GIT_SSL_KEY="{{ tls_private }}/{{ inventory_hostname }}.key"
          git -C /srv/dns pull -q
        minute: "02"
      when: 'inventory_hostname != "adm01.home.foo.sh"'
    - name: Links dns repo to web
      ansible.builtin.file:
        dest: "/srv/web/{{ inventory_hostname }}/dns.git"
        src: /srv/dns/.git
        state: link
        owner: root
        group: "{{ ansible_wheel }}"
    - name: Add mqtt-tail script
      ansible.builtin.copy:
        dest: /usr/local/bin/mqtt-tail
        content: |
          #!/bin/sh
          set -eu
          if [ -n "${1:-}" ]; then
              topic="$1"
              shift
          else
              topic="#"
          fi
          if [ $# -ne 0 ]; then
              echo "Usage: $(basename "$0") [topic]" 1>&2
              exit 1
          fi
          exec mosquitto_sub -h mqtt02.home.foo.sh -v -t "$topic" \
              --cafile "{{ tls_certs }}/ca.crt" \
              --cert "{{ tls_certs }}/{{ inventory_hostname }}.crt" \
              --key "{{ tls_private }}/{{ inventory_hostname }}.key" \
        mode: "0755"
        owner: root
        group: "{{ ansible_wheel }}"
--- a/playbooks/audiobooks.yml
+++ b/playbooks/audiobooks.yml
@ -1,25 +0,0 @@
 ---
 - name: Deploy KVM virtual machines
  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
  vars:
    myhosts: audiobooks
 - name: Configure instance
  hosts: audiobooks
  user: root
  gather_facts: true
  pre_tasks:
    - name: Mount /export
      ansible.posix.mount:
        name: /export
        src: LABEL=/export
        fstype: xfs
        opts: noatime,nosuid,nodev
        passno: "0"
        dump: "0"
        state: mounted
  roles:
    - base
    - audiobookshelf
--- a/playbooks/backup.yml
+++ b/playbooks/backup.yml
@ -15,7 +15,7 @@
        name: /export
        src: /dev/sd1a
        fstype: ffs
-        opts: rw,softdep,noatime,noexec,nosuid,nodev
+        opts: rw,softdep,noatime
        passno: "1"
        dump: "2"
        state: mounted
@ -25,10 +25,5 @@
  roles:
    - base
-    - backup_base
+    - backup_server
-    - backup_bitbucket
+    - sftpbackup
    - backup_github
    - role: rclone
      rclone_hostgroup: sftpbackup
      rclone_service: backup
    - rsync_backup
--- a/playbooks/collab.yml
+++ b/playbooks/collab.yml
@ -28,9 +28,9 @@
    - collab
    - mod_auth_gssapi
    - role: keytab
-      keytab_path: /etc/httpd/httpd.keytab
+      keytab: /etc/httpd/httpd.keytab
-      keytab_principals: HTTP/collab.foo.sh@FOO.SH
+      principals: HTTP/collab.foo.sh@FOO.SH
-      keytab_group: apache
+      group: apache
    - ldap
  tasks:
@ -38,7 +38,7 @@
      ansible.builtin.copy:
        content: "RedirectMatch permanent \"^/$\" /collab/\n"
        dest: "/etc/httpd/conf.local.d/redirects.conf"
-        mode: "0644"
+        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
      notify: Restart apache
@ -61,7 +61,7 @@
        dest: /srv/wikis/collab/htdocs/.htaccess
        owner: collab
        group: collab
-        mode: "0660"
+        mode: 0660
        seuser: _default
        setype: _default
--- a/playbooks/dna-gw.yml
+++ b/playbooks/dna-gw.yml
@ -14,17 +14,29 @@
  roles:
    - base
    - ifstated
    - dhcpd
-    - nginx
+    - nginx/server
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: gw.home.foo.sh
+      site: gw.home.foo.sh
      nginx_site_verify_client: true
      when: "'gw.home.foo.sh' in ssh_hostnames"
    - tftp
-    - role: websockify
+    - websockify
      when: "'gw.home.foo.sh' in ssh_hostnames"
  tasks:
    - name: Use configured dns servers and domain name
      ansible.builtin.copy:
        dest: /etc/dhclient.conf
        content: "ignore domain-name-servers, domain-name;\n"
        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
    - name: Disable resolvd
      ansible.builtin.service:
        name: resolvd
        state: stopped
        enabled: false
    - name: Enable ip forwarding
      ansible.posix.sysctl:
        name: "{{ item }}"
@ -37,41 +49,114 @@
    - name: Run handlers to get interfaces configured
      ansible.builtin.meta: flush_handlers
-    - name: Import ifstated role
+    - name: Create tftp boot directories
-      ansible.builtin.import_role:
+      ansible.builtin.file:
-        name: ifstated
+        path: /srv/tftpboot/etc
        state: directory
        mode: 0755
        owner: root
        group: "{{ ansible_wheel }}"
    - name: Create tftp boot config for OpenBSD installs
      ansible.builtin.copy:
        dest: /srv/tftpboot/etc/boot.conf
        content: |
          stty com0 115200
          set tty com0
          boot tftp:bsd.rd
        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
    - name: Create tftp pxeboot loader for OpenBSD installs
      ansible.builtin.get_url:
        url: "https://ftp.eu.openbsd.org/pub/OpenBSD/7.3/amd64/pxeboot"
        checksum: sha1:161b36d4ae3d786aa98c4836abba25f2bca8979d
        dest: /srv/tftpboot/pxeboot
        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
    - name: Create tftp ramdisk for OpenBSD installs
      ansible.builtin.get_url:
        url: "https://ftp.eu.openbsd.org/pub/OpenBSD//7.3/amd64/bsd.rd"
        checksum: sha1:72b46ad8e97b2082d145a739264e818dcd154021
        dest: /srv/tftpboot/bsd.rd
        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
    - name: Create install.conf for OpenBSD installs
      ansible.builtin.get_url:
        url: "https://boot.foo.sh/openbsd/install.conf"
        checksum: sha1:f6270708dad3f759df02eefeab300d9b8670f3d4
        dest: /srv/tftpboot/install.conf
        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
    - name: Copy custom to allow plaint http access with internal IP
      ansible.builtin.copy:
        dest: /etc/nginx/conf.d/172.20.20.1.conf
        content: |
          server {
            listen 172.20.20.10:80;
            server_name 172.20.20.10;
            access_log /var/www/logs/172.20.20.10.access.log combined;
            error_log /var/www/logs/172.20.20.10.error.log warn;
            location / {
              location /install.conf {
                alias /srv/tftpboot/install.conf;
              }
              location / {
                deny all;
              }
            }
          }
        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
      notify: Restart nginx
    - name: Copy DNS private key
      ansible.builtin.copy:
-        dest: "{{ tls_private }}/dns.{{ intdomain }}.key"
+        dest: "{{ tls_private }}/dns.home.foo.sh.key"
        src: "{{ item }}"
-        mode: "0600"
+        mode: 0600
        owner: root
        group: "{{ ansible_wheel }}"
      with_first_found:
-        - "/srv/letsencrypt/live/dns.{{ intdomain }}/privkey.pem"
+        - /srv/letsencrypt/live/dns.home.foo.sh/privkey.pem
        - "/srv/ca/private/{{ inventory_hostname }}.key"
      tags: certificates
      notify: Restart unbound
    - name: Copy DNS certificate and ca cert
      ansible.builtin.copy:
-        dest: "{{ tls_certs }}/dns.{{ intdomain }}.crt"
+        dest: "{{ tls_certs }}/dns.home.foo.sh.crt"
        src: "{{ item }}"
-        mode: "0644"
+        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
      with_first_found:
-        - "/srv/letsencrypt/live/dns.{{ intdomain }}/fullchain.pem"
+        - /srv/letsencrypt/live/dns.home.foo.sh/fullchain.pem
        - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
      tags: certificates
      notify: Restart unbound
    - name: Copy DNS zone files
      ansible.builtin.copy:
        dest: "/var/unbound/db/{{ item }}"
        src: "/srv/dns/{{ item }}"
        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
      tags: dns
      notify: Restart unbound
      with_items:
        - 20.172.in-addr.arpa
        - home.foo.sh
    - name: Import unbound role
      ansible.builtin.import_role:
        name: unbound
    - name: Import unbound_exporter role
      ansible.builtin.import_role:
        name: unbound_exporter
      when: "'gw.home.foo.sh' in ssh_hostnames"
--- a/playbooks/frigate.yml
+++ b/playbooks/frigate.yml
@ -1,66 +0,0 @@
 ---
 - name: Deploy KVM virtual machines
  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
  vars:
    myhosts: frigate
 - name: Configure instance
  hosts: frigate
  user: root
  gather_facts: true
  vars_files:
    - "{{ ansible_private }}/vars.yml"
  pre_tasks:
    - name: Mount datadirectories
      ansible.posix.mount:
        name: "/export/frigate/{{ item }}"
        src: "LABEL={{ item }}"
        fstype: xfs
        opts: noatime,noexec,nosuid,nodev
        passno: "0"
        dump: "0"
        state: mounted
      with_items:
        - config
        - media
  roles:
    - base
    - mod_auth_gssapi
    - role: keytab
      keytab_path: /etc/httpd/httpd.keytab
      keytab_principals: HTTP/cctv.foo.sh@FOO.SH
      keytab_group: apache
  tasks:
    - name: Include unbound role
      ansible.builtin.import_role:
        name: unbound
    - name: Run handlers to get interfaces configured
      ansible.builtin.meta: flush_handlers
    - name: Include dhcpd role
      ansible.builtin.include_role:
        name: dhcpd
    - name: Include frigate role
      ansible.builtin.include_role:
        name: frigate
    - name: Require authentication for frigate
      ansible.builtin.copy:
        dest: /etc/httpd/conf.local.d/frigate-auth.conf
        content: |
          <Location /frigate>
            AuthType        GSSAPI
            GssapiBasicAuth On
            AuthName        "Password Required"
            Require         valid-user
          </Location>
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
      notify: Restart apache
--- a/playbooks/fsol-gw.yml
+++ b/playbooks/fsol-gw.yml
@ -12,6 +12,13 @@
  vars_files:
    - "{{ ansible_private }}/vars.yml"
  pre_tasks:
    - name: Disable resolvd service
      ansible.builtin.service:
        name: resolvd
        state: stopped
        enabled: false
  tasks:
    - name: Enable IP forwarding
      ansible.posix.sysctl:
@ -23,19 +30,16 @@
        - net.inet6.ip6.forwarding
    - name: Manually set DNS servers
      ansible.builtin.copy:
-        dest: /etc/dhcpleased.conf
+        dest: /etc/dhclient.conf
-        content: |
+        content: "ignore domain-name-servers, domain-name;\n"
-          interface vio2 {
+        mode: 0644
            ignore dns
          }
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
    - name: Create pfsync interface
      ansible.builtin.copy:
        dest: /etc/hostname.pfsync0
        content: "up syncdev vio1\n"
-        mode: "0600"
+        mode: 0600
        owner: root
        group: "{{ ansible_wheel }}"
--- a/playbooks/gitea-runner.yml
+++ b/playbooks/gitea-runner.yml
@ -0,0 +1,14 @@
 ---
 - name: Deploy KVM virtual machines
  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
  vars:
    myhosts: gitearunner
 - name: Configure instance
  hosts: gitearunner
  user: root
  gather_facts: true
  roles:
    - base
    - gitea_runner
--- a/playbooks/forgejo.yml
+++ b/playbooks/forgejo.yml
@ -2,10 +2,10 @@
 - name: Deploy KVM virtual machines
  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
  vars:
-    myhosts: forgejo
+    myhosts: gitea
 - name: Configure instance
-  hosts: forgejo
+  hosts: gitea
  user: root
  gather_facts: true
@ -25,4 +25,4 @@
  roles:
    - base
-    - forgejo
+    - gitea
--- a/playbooks/homeassistant.yml
+++ b/playbooks/homeassistant.yml
@ -9,9 +9,6 @@
  user: root
  gather_facts: true
  vars_files:
    - "{{ ansible_private }}/vars.yml"
  pre_tasks:
    - name: Mount /export
      ansible.posix.mount:
--- a/playbooks/include/deploy-kvm-guest.yml
+++ b/playbooks/include/deploy-kvm-guest.yml
@ -9,7 +9,7 @@
    char: "{{ 'bcdefghijklmnopqrstuvwxyz'|list }}"
    console_log: "/var/log/libvirt/qemu/{{ inventory_hostname }}.console.log"
-    os_disk_image: "/srv/libvirt/os/{{ inventory_hostname }}.a.img"
+    os_disk_image: "/srv/libvirt/ssd/{{ inventory_hostname }}.a.img"
    dsk_opts: bus=virtio,cache=none,device=disk,format=raw,sparse=no
    inject: >-
@ -75,7 +75,7 @@
          echo '{{ root_pubkey }}' > /root/.ssh/authorized_keys
          %end
        dest: "{{ tmpdir.path }}/include.ks"
-        mode: "0600"
+        mode: 0600
        owner: root
        group: "{{ ansible_wheel }}"
      delegate_to: "{{ vmhost }}"
@ -99,11 +99,7 @@
          {% endif -%}
          {% if virt_install_devices is defined -%}
          {%   for dev in virt_install_devices -%}
          {%     if dev | regex_search('^/dev/tty') -%}
          --serial dev,path={{ dev }}
          {%     else -%}
          --hostdev {{ dev }} \
          {%     endif -%}
          {%   endfor -%}
          {% else -%}
          --controller usb,model=none \
@ -146,7 +142,7 @@
        port: 22
        state: started
        timeout: 1200
-      delegate_to: "{{ ssh_jumphost | default('localhost') }}"
+      delegate_to: localhost
      when: inventory_hostname not in result.list_vms
    - name: Get SSH public keys from new host
@ -156,7 +152,7 @@
          - -t
          - ed25519
          - "{{ inventory_hostname }}"
-      delegate_to: "{{ ssh_jumphost | default('localhost') }}"
+      delegate_to: localhost
      register: hostkeys
      when: inventory_hostname not in result.list_vms
@ -165,15 +161,17 @@
        path: /root/.ssh/known_hosts
        key: "{{ item }}"
        host: "{{ inventory_hostname }}"
-      with_items: "{{ hostkeys.stdout.splitlines() | reject('match', '^#.*') }}"
+      with_items: "{{ hostkeys.stdout.splitlines() }}"
      delegate_to: localhost
      when: inventory_hostname not in result.list_vms
    - name: Install python if required
-      ansible.builtin.raw: >-
+      ansible.builtin.command:
-        {{ virt_install_python_cmd | map('quote') | join(' ') }}
+        argv:
-      args:
+          - ssh
-        executable: /bin/sh
+          - "{{ inventory_hostname }}"
          - "{{ virt_install_python_cmd }}"
      delegate_to: localhost
      when:
        - inventory_hostname not in result.list_vms
        - virt_install_python_cmd is defined
--- a/playbooks/ldap.yml
+++ b/playbooks/ldap.yml
@ -19,7 +19,7 @@
        passno: "0"
        dump: "0"
        state: mounted
-      when: ldap_master
+      when: ldap_master is defined
  vars_files:
    - "{{ ansible_private }}/vars.yml"
@ -28,8 +28,8 @@
    - base
    - ldap_server
    - role: kadmin
-      when: ldap_master
+      when: ldap_master is defined
    - role: ldap_netdb
-      when: ldap_master
+      when: ldap_master is defined
    - role: ldap_gravatar
-      when: ldap_master
+      when: ldap_master is defined
--- a/playbooks/log.yml
+++ b/playbooks/log.yml
@ -15,7 +15,7 @@
        name: /export
        src: /dev/sd1a
        fstype: ffs
-        opts: rw,softdep,noatime,noexec,nosuid,nodev
+        opts: rw,softdep,noatime
        passno: "1"
        dump: "2"
        state: mounted
--- a/playbooks/mail.yml
+++ b/playbooks/mail.yml
@ -26,19 +26,18 @@
  roles:
    - base
    - role: keytab
-      keytab_principals:
+      principals:
        - "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
        - "smtp/{{ mail_server }}@{{ kerberos_realm }}"
    - nfs_client
    - sssd
    - autofs
    - dovecot
-    - role: nginx
+    - role: nginx/server
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: "{{ mail_server }}"
+      site: "{{ mail_server }}"
-      nginx_site_redirect: https://webmail.foo.sh/
+      redirect: https://webmail.foo.sh/
    - grossd
    - opendkim
    - spamassassin
    - spamassassin_clamav
    - spamassassin_ixhash
--- a/playbooks/manual/check-updates.yml
+++ b/playbooks/manual/check-updates.yml
@ -1,23 +0,0 @@
 ---
 - hosts: all
  gather_facts: true
  tasks:
    - name: Check updates (Linux)
      ansible.builtin.command:
        argv:
          - dnf
          - -q
          - check-update
      register: result
      changed_when: result.rc == 100
      failed_when: result.rc not in [0, 100]
      when: ansible_os_family == "RedHat"
    - name: Check updates (OpenBSD)
      ansible.builtin.command:
        argv:
          - syspatch
          - -c
      register: result
      changed_when: result.stdout != ""
      when: ansible_os_family == "OpenBSD"
--- a/playbooks/minecraft.yml
+++ b/playbooks/minecraft.yml
@ -15,7 +15,7 @@
        name: /export
        src: LABEL=/export
        fstype: xfs
-        opts: noatime,noexec,nosuid,nodev
+        opts: noatime
        passno: "0"
        dump: "0"
        state: mounted
--- a/playbooks/mirror.yml
+++ b/playbooks/mirror.yml
@ -26,30 +26,26 @@
  roles:
    - base
    - mirror/base
-    - thinlinc_mirror
+    - mirror/thinlinc
-    - role: reportmirror
+    - role: mirror/reportmirror
-      reportmirror_hostname: mirrors.foo.sh
+      hostname: mirrors.foo.sh
-      reportmirror_mirrors: [epel, fedora]
+      mirrors: [epel, fedora]
-      reportmirror_sitename: foo.sh
+      sitename: foo.sh
-      reportmirror_password: "{{ report_mirror_pass }}"
+      password: "{{ report_mirror_pass }}"
    - role: mirror/sync
-      mirror_label: fedora-epel
+      label: fedora-epel
-      mirror_source:
+      source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\
-        "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/fedora.redhat.com/pub/epel"
+       fedora.redhat.com/pub/epel"
-      mirror_rsyncoptions:
+      rsyncoptions:
        - "--exclude=SRPMS"
        - "--exclude=debug"
        - "--exclude=testing"
        - "--exclude=aarch64"
        - "--exclude=ppc64le"
        - "--exclude=s390x"
        - "--exclude=source"
        - "--delete-excluded"
-      mirror_postcmd: python3 /usr/local/bin/report_mirror
+      postcmd: python3 /usr/local/bin/report_mirror
    - role: mirror/sync
-      mirror_label: fedora
+      label: fedora
-      mirror_source:
+      source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\
-        "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/fedora.redhat.com/pub/fedora/linux/"
+       fedora.redhat.com/pub/fedora/linux/"
-      mirror_rsyncoptions:
+      rsyncoptions:
        - "--exclude=/atomic"
        - "--exclude=/development"
        - "--exclude=/releases/test"
@ -62,11 +58,12 @@
        - "--exclude=armhfp"
        - "--exclude=debug"
        - "--delete-excluded"
-      mirror_postcmd: python3 /usr/local/bin/report_mirror
+      postcmd: python3 /usr/local/bin/report_mirror
    - role: mirror/sync
-      mirror_label: openbsd
+      label: openbsd
-      mirror_source: "rsync://ftp.nluug.nl/openbsd/"
+      source: "rsync://rsync.nic.funet.fi/ftp/pub/mirrors/\
-      mirror_rsyncoptions:
+        ftp.openbsd.org/pub/OpenBSD/"
      rsyncoptions:
        - "--include=/?.?/"
        - "--include=/?.?/amd64/"
        - "--include=/?.?/amd64/*"
--- a/playbooks/mqtt.yml
+++ b/playbooks/mqtt.yml
@ -9,22 +9,10 @@
  user: root
  gather_facts: true
  vars_files:
    - "{{ ansible_private }}/vars.yml"
  roles:
    - base
    - mosquitto
    - telegraf
-    - nginx
+    - nginx/server
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: iot.foo.sh
+      site: iot.foo.sh
    - shelly_firmware
  tasks:
    - name: Run handlers to get interfaces
      ansible.builtin.meta: flush_handlers
    - name: Import ha_mqtt_configd role
      ansible.builtin.import_role:
        name: ha_mqtt_configd
--- a/playbooks/nas.yml
+++ b/playbooks/nas.yml
@ -18,7 +18,7 @@
        name: /export/home
        src: LABEL=home
        fstype: xfs
-        opts: noatime,nodev
+        opts: noatime
        passno: "0"
        dump: "0"
        state: mounted
@ -27,7 +27,7 @@
        name: /export/roles
        src: LABEL=roles
        fstype: xfs
-        opts: noatime,nodev
+        opts: noatime
        passno: "0"
        dump: "0"
        state: mounted
@ -38,4 +38,20 @@
    - sssd
    - nfs_server
    - role: keytab
-      keytab_principals: "nfs/{{ inventory_hostname }}@FOO.SH"
+      principals: "nfs/{{ inventory_hostname }}@FOO.SH"
  tasks:
    - name: Copy exports file
      ansible.builtin.copy:
        dest: /etc/exports
        content: |
          /export/home   172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \
                         @nfsclients-rw(rw,root_squash,secure) \
                         @nfsclients-ro(ro,root_squash,secure)
          /export/roles  172.20.30.0/24(rw,root_squash,secure,sec=krb5p) \
                         @nfsclients-rw(rw,root_squash,secure) \
                         @nfsclients-ro(ro,root_squash,secure)
        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
      notify: Restart nfs-server
--- a/playbooks/nms.yml
+++ b/playbooks/nms.yml
@ -0,0 +1,83 @@
 ---
 - name: Deploy KVM virtual machines
  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
  vars:
    myhosts: nms
 - name: Configure instance
  hosts: nms
  user: root
  gather_facts: true
  pre_tasks:
    - name: Mount /export
      ansible.posix.mount:
        name: /export
        src: LABEL=/export
        fstype: xfs
        opts: noatime,noexec,nosuid,nodev
        passno: "0"
        dump: "0"
        state: mounted
  vars_files:
    - "{{ ansible_private }}/vars.yml"
  roles:
    - base
    - nginx/server
    - role: nginx/site
      site: oob.foo.sh
    - sssd
    - mkhomedir
    - tftp
  tasks:
    - name: Enable UDP rsyslog server
      ansible.builtin.import_role:
        name: rsyslog
        tasks_from: udp-listen
    - name: Enable postfix mail relay
      ansible.builtin.import_role:
        name: postfix
        tasks_from: relay
      vars:
        relay_domains: [foo.sh]
    - name: Copy DNS zone files
      ansible.builtin.copy:
        dest: "/var/lib/unbound/{{ item }}"
        src: "/srv/dns/{{ item }}"
        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
      tags: dns
      notify: Restart unbound
      with_items:
        - 25.20.172.in-addr.arpa
        - oob.foo.sh
    - name: Import unbound role
      ansible.builtin.import_role:
        name: unbound
    # convert this to role for restart support
    - name: Enable NTP server for oob network
      ansible.builtin.lineinfile:
        path: /etc/chrony.conf
        regexp: "^#?allow .*"
        line: "allow 172.20.25.0/24"
    - name: Install extra packages
      ansible.builtin.package:
        name: "{{ item }}"
        state: installed
      with_items:
        - net-snmp-utils
        - nmap
        - rcs
        - scanssh
        - sslscan
        - unzip
        - wget
--- a/playbooks/ns.yml
+++ b/playbooks/ns.yml
@ -2,7 +2,7 @@
 - name: Deploy KVM virtual machines
  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
  vars:
-    myhosts: ns:!atl01.vultr.foo.sh
+    myhosts: ns:!vultr
 - name: Configure instance
  hosts: ns
@ -15,18 +15,9 @@
  roles:
    - base
    - nsd
-    - role: nginx
+    - role: nginx/server
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: "{{ nsd_server }}"
+      site: "{{ nsd_server }}"
-      nginx_site_redirect: https://www.foo.sh/
+      redirect: https://www.foo.sh/
-    - role: blackbox_exporter
+    - role: ifstated
      when: "inventory_hostname == 'atl01.vultr.foo.sh'"
  tasks:
    - name: Run handlers to get interfaces configured
      ansible.builtin.meta: flush_handlers
    - name: Import ifstated role
      ansible.builtin.import_role:
        name: ifstated
      when: "'vultr' not in group_names"
--- a/playbooks/oci-node.yml
+++ b/playbooks/oci-node.yml
@ -12,25 +12,9 @@
  vars_files:
    - "{{ ansible_private }}/vars.yml"
  pre_tasks:
    - name: Mount /export
      ansible.posix.mount:
        name: /export
        src: LABEL=/export
        fstype: xfs
        opts: noatime,noexec,nosuid,nodev
        passno: "0"
        dump: "0"
        state: mounted
      when: ansible_fqdn == 'oci-node01.home.foo.sh'
  roles:
    - base
    - authcheck
    - grafana
    - ipsilon
    - kdc
    - roundcube
    - role: php4dvd
      when: ansible_fqdn == 'oci-node01.home.foo.sh'
    - rocketchat
--- a/playbooks/print.yml
+++ b/playbooks/print.yml
@ -14,17 +14,10 @@
  roles:
    - base
    - role: keytab
      keytab_principals:
        - "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
    - sssd
    - mkhomedir
  tasks:
    - name: Install unbound role
      ansible.builtin.import_role:
        name: unbound
    - name: Run handlers to get interfaces configured
      ansible.builtin.meta: flush_handlers
@ -32,20 +25,30 @@
      ansible.builtin.import_role:
        name: dhcpd
    - name: Copy DNS zone files
      ansible.builtin.copy:
        dest: "/var/lib/unbound/{{ item }}"
        src: "/srv/dns/{{ item }}"
        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
      tags: dns
      notify: restart unbound
      with_items:
        - 24.20.172.in-addr.arpa
        - print.foo.sh
    - name: Install unbound role
      ansible.builtin.import_role:
        name: unbound
    - name: Install cups_server role
      ansible.builtin.import_role:
        name: cups_server
    - name: Install keytab for CUPS
-      ansible.builtin.include_role:
+      ansible.builtin.import_role:
        name: keytab
      vars:
-        keytab_path: /etc/cups/cups.keytab
+        keytab: /etc/cups/cups.keytab
-        keytab_principals: "HTTP/print.foo.sh@{{ kerberos_realm }}"
+        principals: "HTTP/print.foo.sh@{{ kerberos_realm }}"
    - name: Enable postfix mail relay
      ansible.builtin.import_role:
        name: postfix
        tasks_from: relay
      vars:
        relay_domains: [foo.sh]
--- a/playbooks/prometheus.yml
+++ b/playbooks/prometheus.yml
@ -1,30 +0,0 @@
 ---
 - name: Deploy KVM virtual machines
  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
  vars:
    myhosts: prometheus
 - name: Configure instance
  hosts: prometheus
  user: root
  gather_facts: true
  vars_files:
    - "{{ ansible_private }}/vars.yml"
  pre_tasks:
    - name: Mount /export
      ansible.posix.mount:
        name: /export
        src: LABEL=/export
        fstype: xfs
        opts: noatime,noexec,nosuid,nodev
        passno: "0"
        dump: "0"
        state: mounted
  roles:
    - base
    - prometheus
    - mysqld_exporter
    - nginx_exporter
--- a/playbooks/proxy.yml
+++ b/playbooks/proxy.yml
@ -15,119 +15,90 @@
  roles:
    - base
    - ifstated
-    - nginx
+    - nginx/server
-    - nginx_logsync
+    - role: nginx/site
-    - role: nginx_site
+      site: ca.foo.sh
-      nginx_site_name: ca.foo.sh
+    - role: nginx/site
-    - role: nginx_site
+      site: foo.monster
-      nginx_site_name: foo.monster
+    - role: nginx/site
-    - role: nginx_site
+      site: tuiradc.fi
-      nginx_site_name: tuiradc.fi
+      redirect: https://facebook.com/TuiraDC
-      nginx_site_redirect: https://facebook.com/TuiraDC
+    - role: nginx/site
-    - role: nginx_site
+      site: www.tuiradc.fi
-      nginx_site_name: www.tuiradc.fi
+      redirect: https://facebook.com/TuiraDC
-      nginx_site_redirect: https://facebook.com/TuiraDC
+    - role: nginx/site
-    - role: nginx_site
+      site: foo.sh
-      nginx_site_name: foo.sh
+      redirect: https://www.foo.sh/
-      nginx_site_redirect: https://www.foo.sh/
+    - role: nginx/site
-    - role: nginx_site
+      site: autoconfig.foo.sh
-      nginx_site_name: apps.foo.sh
+    - role: nginx/site
-      nginx_site_load_balance_method: ip_hash
+      site: boot.foo.sh
-      nginx_site_proxy:
+      ssl_config: old
-        - https://oci-node01.home.foo.sh
+    - role: nginx/site
-        - https://oci-node02.home.foo.sh
+      site: bitbucket.foo.sh
-    - role: nginx_site
+      redirect: https://bitbucket.org/tmakinen/
-      nginx_site_name: audiobooks.foo.sh
+    - role: nginx/site
-      nginx_site_proxy: https://audiobooks02.home.foo.sh/
+      site: certbot.home.foo.sh
-    - role: nginx_site
+      proxy: https://certbot.home.foo.sh/
-      nginx_site_name: autoconfig.foo.sh
+    - role: nginx/site
-    - role: nginx_site
+      site: chat.foo.sh
-      nginx_site_name: boot.foo.sh
+      proxy:
    - role: nginx_site
      nginx_site_name: bitbucket.foo.sh
      nginx_site_redirect: https://bitbucket.org/tmakinen/
    - role: nginx_site
      nginx_site_name: cctv.foo.sh
      nginx_site_proxy: https://frigate02.home.foo.sh/frigate/
    - role: nginx_site
      nginx_site_name: certbot.home.foo.sh
      nginx_site_proxy: https://certbot.home.foo.sh/
    - role: nginx_site
      nginx_site_name: chat.foo.sh
      nginx_site_proxy:
        - https://oci-node01.home.foo.sh/rocketchat/
        - https://oci-node02.home.foo.sh/rocketchat/
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: collab.foo.sh
+      site: collab.foo.sh
-      nginx_site_proxy: https://collab01.home.foo.sh/
+      proxy: https://collab01.home.foo.sh/
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: devel01.foo.sh
+      site: devel01.foo.sh
-      nginx_site_proxy: https://devel01.home.foo.sh/
+      proxy: https://devel01.home.foo.sh/
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: dns.home.foo.sh
+      site: dns.home.foo.sh
-      nginx_site_redirect: https://www.foo.sh/
+      redirect: https://www.foo.sh/
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: dns.iot.foo.sh
+      site: git.foo.sh
-      nginx_site_redirect: https://www.foo.sh/
+      proxy: https://gitea02.home.foo.sh/
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: dns.lan.foo.sh
+      site: gitea.foo.sh
-      nginx_site_redirect: https://www.foo.sh/
+      redirect: https://git.foo.sh/
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: forgejo.foo.sh
+      site: ha.foo.sh
-      nginx_site_redirect: https://git.foo.sh/
+      proxy: https://homeassistant01.home.foo.sh/
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: git.foo.sh
+      site: id.foo.sh
-      nginx_site_proxy: https://forgejo02.home.foo.sh/
+      proxy:
    - role: nginx_site
      nginx_site_name: ha.foo.sh
      nginx_site_proxy: https://homeassistant01.home.foo.sh/
    - role: nginx_site
      nginx_site_name: id.foo.sh
      nginx_site_proxy:
        - https://oci-node01.home.foo.sh
        - https://oci-node02.home.foo.sh
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: idp.foo.sh
+      site: influxdb.foo.sh
-      nginx_site_proxy: https://oci-node01.home.foo.sh/ipsilon/
+      proxy: https://influxdb01.home.foo.sh/
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: influxdb.foo.sh
+      site: iot.foo.sh
-      nginx_site_proxy: https://influxdb01.home.foo.sh/
+      redirect: https://www.foo.sh/
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: iot.foo.sh
+      site: munin.foo.sh
-      nginx_site_redirect: https://www.foo.sh/
+      proxy: https://munin01.home.foo.sh/
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: mirrors.foo.sh
+      site: mirrors.foo.sh
-      nginx_site_proxy: https://mirror02.home.foo.sh/
+      proxy: https://mirror01.home.foo.sh/
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: movies.foo.sh
+      site: noc.foo.sh
-      nginx_site_proxy:
+      proxy:
        - https://oci-node01.home.foo.sh/php4dvd/
    - role: nginx_site
      nginx_site_name: mta-sts.foo.sh
    - role: nginx_site
      nginx_site_name: noc.foo.sh
      nginx_site_proxy:
        - https://oci-node01.home.foo.sh/grafana/
        - https://oci-node02.home.foo.sh/grafana/
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: print.foo.sh
+      site: print.foo.sh
-      nginx_site_proxy: https://print01.home.foo.sh:631/
+      proxy: https://print01.home.foo.sh:631/
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: registry.foo.sh
+      site: registry.foo.sh
-      nginx_site_proxy:
+      proxy: ["registry01.home.foo.sh:5000", "registry02.home.foo.sh:5000"]
-        - "registry01.home.foo.sh:5000"
+    - role: nginx/site
-        - "registry02.home.foo.sh:5000"
+      site: webmail.foo.sh
-    - role: nginx_site
+      proxy:
      nginx_site_name: scan.foo.sh
      nginx_site_proxy:
        - https://sane02.home.foo.sh/scanservjs/
    - role: nginx_site
      nginx_site_name: webmail.foo.sh
      nginx_site_load_balance_method: ip_hash
      nginx_site_proxy:
        - https://oci-node01.home.foo.sh/roundcube/
-        - https://oci-node02.home.foo.sh/roundcube/
+    - role: nginx/site
-    - role: nginx_site
+      site: wpad.foo.sh
-      nginx_site_name: wpad.foo.sh
+    - role: nginx/site
-    - role: nginx_site
+      site: www.foo.sh
-      nginx_site_name: www.foo.sh
+    - role: nginx/site
      site: zm.foo.sh
      proxy: https://zm02.home.foo.sh/
--- a/playbooks/relay.yml
+++ b/playbooks/relay.yml
@ -16,13 +16,13 @@
    - base
    - ifstated
    - relayd
-    - nginx
+    - nginx/server
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: ldap.foo.sh
+      site: ldap.foo.sh
-      nginx_site_redirect: https://www.foo.sh/
+      redirect: https://www.foo.sh/
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: ldap01.foo.sh
+      site: ldap01.foo.sh
-      nginx_site_redirect: https://www.foo.sh/
+      redirect: https://www.foo.sh/
-    - role: nginx_site
+    - role: nginx/site
-      nginx_site_name: loghost.foo.sh
+      site: loghost.foo.sh
-      nginx_site_redirect: https://www.foo.sh/
+      redirect: https://www.foo.sh/
--- a/playbooks/sane.yml
+++ b/playbooks/sane.yml
@ -1,39 +0,0 @@
 ---
 - name: Deploy KVM virtual machines
  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
  vars:
    myhosts: sane
 - name: Configure instance
  hosts: sane
  user: root
  gather_facts: true
  vars_files:
    - "{{ ansible_private }}/vars.yml"
  roles:
    - base
    - sane
    - scanservjs
    - mod_auth_gssapi
    - role: keytab
      keytab_path: /etc/httpd/httpd.keytab
      keytab_principals: HTTP/scan.foo.sh@FOO.SH
      keytab_group: apache
  tasks:
    - name: Require authentication for scanservjs
      ansible.builtin.copy:
        dest: /etc/httpd/conf.local.d/scanservjs-auth.conf
        content: |
          <Location /scanservjs>
            AuthType        GSSAPI
            GssapiBasicAuth On
            AuthName        "Password Required"
            Require         valid-user
          </Location>
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
      notify: Restart apache
--- a/playbooks/shell.yml
+++ b/playbooks/shell.yml
@ -15,7 +15,7 @@
  roles:
    - base
    - role: keytab
-      keytab_principals:
+      principals:
        - "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
        - "nfs/{{ inventory_hostname }}@{{ kerberos_realm }}"
    - nfs_client
@ -24,8 +24,9 @@
    - thinlinc_server
    - epel_repo
    - foosh_repo
-    - role: nginx
+    - powertools_repo
-      nginx_plaintext: true
+    - role: nginx/server
      plaintext: true
  tasks:
    - name: Install extra package groups
@ -62,7 +63,6 @@
        - pandoc
        - php-cli
        - python3-netaddr
        - python3-requests
        - rcs
        - rpmlint
        - syslinux
@ -71,6 +71,7 @@
        - tmux
        - whois
        - wireshark
        - wkhtmltopdf
        - yamllint
        - zsh
      loop_control:
@ -87,7 +88,6 @@
        - lynx
        - mutt
        - opencollab
        - ssh_known_hosts
        - thunderbird
      loop_control:
        loop_var: role
@ -98,6 +98,6 @@
        content: |
          Host *.home.foo.sh !gw.home.foo.sh
            ProxyJump root@gw.home.foo.sh
-        mode: "0644"
+        mode: 0644
        owner: root
        group: "{{ ansible_wheel }}"
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
Timo Makinen	dbf62bc397	Syntax changes	2023-07-20 17:45:46 +00:00
Timo Makinen	330360d977	Try renaming file	2023-07-20 17:44:11 +00:00
Timo Makinen	b11e3e57e0	Try another syntax	2023-07-20 17:42:41 +00:00
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdaNO9dLpI8CVx1rwGsKN45Pgiz+Btrlf2Q/nXCx4Ru root@backup02.home.foo.sh`
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIlXfTeMQoYjYVXFH5qhp+YgIBM/1r+BwzME7aEOu2yE logsync@log01.home.foo.sh`