91de26af57
Add windows role
...
Set up network interfaces and SSH for Windows hosts.
We can’t gather facts before we know which remote shell to use, so
first run a win_ping to determine if a given host is running Windows.
2025-05-09 17:26:07 +02:00
aa78b407c8
ocserv: disable TLS<1.2
2025-05-08 15:04:38 +02:00
a5eae03cf8
forgejo: don’t enable the testing apk repo
...
Alpine has forgejo in main repo now.
2025-05-08 14:14:14 +02:00
6797f65971
influxdb: fix reverse proxy
...
Like grafana. Also set some buffering options.
2025-05-07 14:13:04 +02:00
7f28f3a366
grafana: fix reverse proxy
...
Can’t get it to bind to IPv6 so use v4 explicitly.
2025-05-07 14:07:11 +02:00
39fec47f87
alpine: don’t set IPv6 gateway
...
Will get it from RA. Also don’t disable SLAAC for IPv4‐only interfaces.
2025-05-07 12:25:43 +02:00
fb8e0189af
dokuwiki: make more readable
...
I think. Maybe.
2025-05-07 12:23:39 +02:00
5667b755ca
netbox: secure the cookie
...
USI says.
2025-05-07 12:21:41 +02:00
7a82e7ca63
Limit inventory lookup to installed servers
2025-05-06 13:26:56 +02:00
4dc089e42c
debian: add MOTD
2025-05-05 17:28:32 +02:00
783f1af3a5
netbox: add redis dependency
2025-04-17 18:22:10 +02:00
8e3772e475
dnsmasq: store leases in sqlite database
...
To avoid dnsmasq writing out the whole leasefile on each request
before replying. This gets slow on high‐latency storage.
Also tweak DNS updates a bit.
2025-04-14 16:41:24 +02:00
b6b4a16fd4
netbox: drop obsolete file
2025-04-12 20:53:00 +02:00
ade6a8e1e2
Add nginx as a role dependency where required
...
This is pretty much anywhere a LE certificate is needed. Similar for
nginx-php for PHP sites. Drop these roles from setup.yml.
2025-04-12 18:51:31 +02:00
cf6b682cf8
Add ocserv role
...
Create a self-signed CA, set up group configs, add script to allow new
connections through the firewall.
In the base debian role, drop the default nftables forward chain with
drop policy because it clashes with this. If you enable forwarding on
a debian host, make sure to configure the firewall.
2025-04-12 18:38:48 +02:00
a1c7be8184
facts: only look up prefixes and VLANs once
...
Not once per host.
2025-04-10 22:21:44 +02:00
d2b9b05406
setup: do base setup for all targets in one step
2025-04-10 19:30:14 +02:00
e754db5fbd
Consolidate hosts template
...
For alpine, debian, ceph and proxmox roles.
Add the union of IPv6 LL host entries across all distros to make sure nothing croaks.
2025-04-10 18:22:41 +02:00
35427f1fbc
debian: reorder tasks
...
Ensure network interfaces are renamed first.
2025-04-08 21:31:45 +02:00
275991c49c
proxmox: check for errors when retrieving users from AD
...
Sometimes the created user.cfg file is empty for some reason. So add
some checking and logging and hope for resolution.
2025-04-03 18:58:44 +02:00
1a7b813dff
facts: get admins’ SSH keys from password store
...
Also install them into root’s authorized_keys on alpine.
2025-03-26 19:14:34 +01:00
7907b6f0e5
Revert "dnsmasq: drop dhcp-proxy option"
...
This reverts commit 554bf1f711.
Turns out ISC dhcrelay will relay even unicast packets from clients. So
the DHCP server got both the routed and the relayed query.
This tells dnsmasq to tell clients to send everything through the relay.
Since everything now comes from the relay we can drop access from client
networks.
2025-03-19 14:49:43 +01:00
be8e47119f
opensmtpd: support relaying mail
2025-02-17 15:04:59 +01:00
polz
b252e451f6
Add nsswitch config to scan
2025-02-17 14:12:18 +01:00
polz
fe646ece89
Add scan (working samba on Alpine) role
2025-02-17 13:27:40 +01:00
200f3be792
unifi: fix nginx reverse proxy headers
2025-02-17 10:18:56 +01:00
0d60aa107f
Consolidate nftables setup for alpine, debian and ceph roles
2025-02-12 17:24:24 +01:00
bfda7b3236
dnsmasq: skip DNS update script when starting up
2025-02-06 09:29:48 +01:00
e95603fda9
Add unifi role
...
And server.
2025-02-04 14:44:02 +01:00
73555d2fd7
ansible: shut up warnings about discovered Python interpreter
2025-01-23 13:36:24 +01:00
365b5d9f67
Use IPv6 addresses for DNS servers
2025-01-23 13:25:45 +01:00
878e8ba6f9
alpine: set up resolv.conf
...
Same as for debian.
2025-01-23 13:22:30 +01:00
9720379c14
proxmox-backup: allow IPv6 ND on management interface
...
IPv6 doesn’t work otherwise.
2025-01-23 13:12:25 +01:00
0d607fe2a4
proxmox-backup: don’t modify config for default SSH instance
...
It is disabled anyway, so trying to reload it barfs. Worry about
deduplicating roles whenever.
2025-01-23 13:10:50 +01:00
04bfcb03fa
debian: update package cache
2025-01-20 15:30:07 +01:00
45c0f25ce0
debian: disable SSH password authentication
...
Oops. Also do it for proxmox-backup role even though SSH in default
VRF is disabled there, so it will be easier to deduplicate these roles
when someone gets around to it.
2025-01-20 14:58:08 +01:00
446e6132c7
nginx: add support for Debian distros
2025-01-20 14:22:40 +01:00
e3862a5be6
Fix FC check in interface template
...
One of these days I’m gonna write a defaultattr Jinja filter and
become rich and famous.
2025-01-20 11:20:46 +01:00
efbe8d2801
Reorder hosts in setup.yml
...
By type / name.
2025-01-13 15:29:37 +01:00
67b9b7b268
frr: disable BFD
...
There were some issues with proxmox cluster losing connectivity. Since
disabling it there were no more issues.
Might not have been caused by BFD or it was just misconfigured.
2025-01-13 14:57:38 +01:00
ac52c13803
proxmox-backup: set mail relay
2025-01-07 11:19:47 +01:00
b02ebf5be3
templates: skip FC interfaces
...
Anything that has the WWN attribute set really. This won’t work for
VMs because this attribute is not returned for those.
2025-01-07 10:53:17 +01:00
e5b570ddad
proxmox: disable password SSH authentication
...
Apparently it’s not needed for cluster operations.
2024-12-13 14:49:44 +01:00
c585070edc
Add kanboard role and server
2024-12-06 13:08:14 +01:00
04f187a140
dokuwiki: factor out nginx-php role
2024-12-06 13:07:01 +01:00
52f8ed5a2d
Rename host doku to doc
2024-12-05 10:27:15 +01:00
bc05b2a9f6
dokuwiki: support multiple domains for nginx
2024-12-05 10:26:40 +01:00
1b5a20ac8a
dnsmasq: disable ping for duplicate address detection
...
Some things don’t reply which holds up all requests for 3 seconds.
2024-11-28 15:41:22 +01:00
ff9620ed2a
ceph: allow IPv6 neighbor discovery on mgmt interface
2024-11-27 17:37:07 +01:00
0a0ce7e2a5
Add telegraf role
...
And enable it for ceph nodes.
2024-11-27 17:37:00 +01:00