a84f211083
nginx: reload on config change
2025-05-18 13:21:02 +02:00
d442940975
ocserv: use numeric ID instead of arbitrary USERNAME for nft chain name
...
Putting a @ in a name is a bad.
2025-05-16 14:26:39 +02:00
245b4a0dcd
ocserv: support UDP
2025-05-16 14:26:26 +02:00
6e72987863
ocserv: only support certificate auth for clients
2025-05-16 14:10:11 +02:00
f9f899fb2e
nginx: unoverride secure defaults
...
Both Alpine and Debian override default nginx ssl_protocols to enable
older TLS versions. Unoverride to return to secure nginx defaults.
2025-05-16 14:01:33 +02:00
bf4fd2c82d
alpine: support non-VM hosts in interfaces template
...
Ignore OOB management interface, allow configuring loopback interface
with NetBox data, and setting MTU.
2025-05-15 14:55:43 +02:00
cbd3f1a7ea
alpine: set inventory_hostname as hostname
...
Instead of dns_name which might not be defined and is wrong in any case.
2025-05-15 10:47:55 +02:00
a8814e6da2
facts: don’t barf on undefined platform
...
Oops.
2025-05-15 09:23:11 +02:00
d162f175a4
facts: get platform info from NetBox
...
Instead of pinging each host to see if it’s Windows. Make sure to set
the platform at least for such hosts.
2025-05-13 13:31:07 +02:00
7cbbf635a8
facts: don’t write passwords to stdout
2025-05-13 11:09:02 +02:00
e6876ff265
windows: don’t disable builtin firewall rules before setting our own
...
Oops.
2025-05-11 14:41:08 +02:00
e30fcf0bd4
windows: set hostname
2025-05-11 13:18:47 +02:00
66298da9c7
windows: set up firewall
2025-05-11 13:13:54 +02:00
91de26af57
Add windows role
...
Set up network interfaces and SSH for Windows hosts.
We can’t gather facts before we know which remote shell to use, so
first run a win_ping to determine if a given host is running Windows.
2025-05-09 17:26:07 +02:00
aa78b407c8
ocserv: disable TLS<1.2
2025-05-08 15:04:38 +02:00
a5eae03cf8
forgejo: don’t enable the testing apk repo
...
Alpine has forgejo in main repo now.
2025-05-08 14:14:14 +02:00
6797f65971
influxdb: fix reverse proxy
...
Like grafana. Also set some buffering options.
2025-05-07 14:13:04 +02:00
7f28f3a366
grafana: fix reverse proxy
...
Can’t get it to bind to IPv6 so use v4 explicitly.
2025-05-07 14:07:11 +02:00
39fec47f87
alpine: don’t set IPv6 gateway
...
Will get it from RA. Also don’t disable SLAAC for IPv4‐only interfaces.
2025-05-07 12:25:43 +02:00
fb8e0189af
dokuwiki: make more readable
...
I think. Maybe.
2025-05-07 12:23:39 +02:00
5667b755ca
netbox: secure the cookie
...
USI says.
2025-05-07 12:21:41 +02:00
7a82e7ca63
Limit inventory lookup to installed servers
2025-05-06 13:26:56 +02:00
4dc089e42c
debian: add MOTD
2025-05-05 17:28:32 +02:00
783f1af3a5
netbox: add redis dependency
2025-04-17 18:22:10 +02:00
8e3772e475
dnsmasq: store leases in sqlite database
...
To avoid dnsmasq writing out the whole leasefile on each request
before replying. This gets slow on high‐latency storage.
Also tweak DNS updates a bit.
2025-04-14 16:41:24 +02:00
b6b4a16fd4
netbox: drop obsolete file
2025-04-12 20:53:00 +02:00
ade6a8e1e2
Add nginx as a role dependency where required
...
This is pretty much anywhere a LE certificate is needed. Similar for
nginx-php for PHP sites. Drop these roles from setup.yml.
2025-04-12 18:51:31 +02:00
cf6b682cf8
Add ocserv role
...
Create a self-signed CA, set up group configs, add script to allow new
connections through the firewall.
In the base debian role, drop the default nftables forward chain with
drop policy because it clashes with this. If you enable forwarding on
a debian host, make sure to configure the firewall.
2025-04-12 18:38:48 +02:00
a1c7be8184
facts: only look up prefixes and VLANs once
...
Not once per host.
2025-04-10 22:21:44 +02:00
d2b9b05406
setup: do base setup for all targets in one step
2025-04-10 19:30:14 +02:00
e754db5fbd
Consolidate hosts template
...
For alpine, debian, ceph and proxmox roles.
Add the union of IPv6 LL host entries across all distros to make sure nothing croaks.
2025-04-10 18:22:41 +02:00
35427f1fbc
debian: reorder tasks
...
Ensure network interfaces are renamed first.
2025-04-08 21:31:45 +02:00
275991c49c
proxmox: check for errors when retrieving users from AD
...
Sometimes the created user.cfg file is empty for some reason. So add
some checking and logging and hope for resolution.
2025-04-03 18:58:44 +02:00
1a7b813dff
facts: get admins’ SSH keys from password store
...
Also install them into root’s authorized_keys on alpine.
2025-03-26 19:14:34 +01:00
7907b6f0e5
Revert "dnsmasq: drop dhcp-proxy option"
...
This reverts commit 554bf1f711
2025-03-19 14:49:43 +01:00
be8e47119f
opensmtpd: support relaying mail
2025-02-17 15:04:59 +01:00
polz
b252e451f6
Add nsswitch config to scan
2025-02-17 14:12:18 +01:00
polz
fe646ece89
Add scan (working samba on Alpine) role
2025-02-17 13:27:40 +01:00
200f3be792
unifi: fix nginx reverse proxy headers
2025-02-17 10:18:56 +01:00
0d60aa107f
Consolidate nftables setup for alpine, debian and ceph roles
2025-02-12 17:24:24 +01:00
bfda7b3236
dnsmasq: skip DNS update script when starting up
2025-02-06 09:29:48 +01:00
e95603fda9
Add unifi role
...
And server.
2025-02-04 14:44:02 +01:00
73555d2fd7
ansible: shut up warnings about discovered Python interpreter
2025-01-23 13:36:24 +01:00
365b5d9f67
Use IPv6 addresses for DNS servers
2025-01-23 13:25:45 +01:00
878e8ba6f9
alpine: set up resolv.conf
...
Same as for debian.
2025-01-23 13:22:30 +01:00
9720379c14
proxmox-backup: allow IPv6 ND on management interface
...
IPv6 doesn’t work otherwise.
2025-01-23 13:12:25 +01:00
0d607fe2a4
proxmox-backup: don’t modify config for default SSH instance
...
It is disabled anyway, so trying to reload it barfs. Worry about
deduplicating roles whenever.
2025-01-23 13:10:50 +01:00
04bfcb03fa
debian: update package cache
2025-01-20 15:30:07 +01:00
45c0f25ce0
debian: disable SSH password authentication
...
Oops. Also do it for proxmox-backup role even though SSH in default
VRF is disabled there, so it will be easier to deduplicate these roles
when someone gets around to it.
2025-01-20 14:58:08 +01:00
446e6132c7
nginx: add support for Debian distros
2025-01-20 14:22:40 +01:00
