Commit graph

188 commits

Author SHA1 Message Date
91de26af57 Add windows role
Set up network interfaces and SSH for Windows hosts.

We can’t gather facts before we know which remote shell to use, so
first run a win_ping to determine if a given host is running Windows.
2025-05-09 17:26:07 +02:00
aa78b407c8 ocserv: disable TLS<1.2 2025-05-08 15:04:38 +02:00
a5eae03cf8 forgejo: don’t enable the testing apk repo
Alpine has forgejo in main repo now.
2025-05-08 14:14:14 +02:00
6797f65971 influxdb: fix reverse proxy
Like grafana. Also set some buffering options.
2025-05-07 14:13:04 +02:00
7f28f3a366 grafana: fix reverse proxy
Can’t get it to bind to IPv6 so use v4 explicitly.
2025-05-07 14:07:11 +02:00
39fec47f87 alpine: don’t set IPv6 gateway
Will get it from RA. Also don’t disable SLAAC for IPv4‐only interfaces.
2025-05-07 12:25:43 +02:00
fb8e0189af dokuwiki: make more readable
I think. Maybe.
2025-05-07 12:23:39 +02:00
5667b755ca netbox: secure the cookie
USI says.
2025-05-07 12:21:41 +02:00
7a82e7ca63 Limit inventory lookup to installed servers 2025-05-06 13:26:56 +02:00
4dc089e42c debian: add MOTD 2025-05-05 17:28:32 +02:00
783f1af3a5 netbox: add redis dependency 2025-04-17 18:22:10 +02:00
8e3772e475 dnsmasq: store leases in sqlite database
To avoid dnsmasq writing out the whole leasefile on each request
before replying. This gets slow on high‐latency storage.

Also tweak DNS updates a bit.
2025-04-14 16:41:24 +02:00
b6b4a16fd4 netbox: drop obsolete file 2025-04-12 20:53:00 +02:00
ade6a8e1e2 Add nginx as a role dependency where required
This is pretty much anywhere a LE certificate is needed. Similar for
nginx-php for PHP sites. Drop these roles from setup.yml.
2025-04-12 18:51:31 +02:00
cf6b682cf8 Add ocserv role
Create a self-signed CA, set up group configs, add script to allow new
connections through the firewall.

In the base debian role, drop the default nftables forward chain with
drop policy because it clashes with this. If you enable forwarding on
a debian host, make sure to configure the firewall.
2025-04-12 18:38:48 +02:00
a1c7be8184 facts: only look up prefixes and VLANs once
Not once per host.
2025-04-10 22:21:44 +02:00
d2b9b05406 setup: do base setup for all targets in one step 2025-04-10 19:30:14 +02:00
e754db5fbd Consolidate hosts template
For alpine, debian, ceph and proxmox roles.

Add the union of IPv6 LL host entries across all distros to make sure nothing croaks.
2025-04-10 18:22:41 +02:00
35427f1fbc debian: reorder tasks
Ensure network interfaces are renamed first.
2025-04-08 21:31:45 +02:00
275991c49c proxmox: check for errors when retrieving users from AD
Sometimes the created user.cfg file is empty for some reason. So add
some checking and logging and hope for resolution.
2025-04-03 18:58:44 +02:00
1a7b813dff facts: get admins’ SSH keys from password store
Also install them into root’s authorized_keys on alpine.
2025-03-26 19:14:34 +01:00
7907b6f0e5 Revert "dnsmasq: drop dhcp-proxy option"
This reverts commit 554bf1f711.

Turns out ISC dhcrelay will relay even unicast packets from clients. So
the DHCP server got both the routed and the relayed query.

This tells dnsmasq to tell clients to send everything through the relay.
Since everything now comes from the relay we can drop access from client
networks.
2025-03-19 14:49:43 +01:00
be8e47119f opensmtpd: support relaying mail 2025-02-17 15:04:59 +01:00
polz
b252e451f6 Add nsswitch config to scan 2025-02-17 14:12:18 +01:00
polz
fe646ece89 Add scan (working samba on Alpine) role 2025-02-17 13:27:40 +01:00
200f3be792 unifi: fix nginx reverse proxy headers 2025-02-17 10:18:56 +01:00
0d60aa107f Consolidate nftables setup for alpine, debian and ceph roles 2025-02-12 17:24:24 +01:00
bfda7b3236 dnsmasq: skip DNS update script when starting up 2025-02-06 09:29:48 +01:00
e95603fda9 Add unifi role
And server.
2025-02-04 14:44:02 +01:00
73555d2fd7 ansible: shut up warnings about discovered Python interpreter 2025-01-23 13:36:24 +01:00
365b5d9f67 Use IPv6 addresses for DNS servers 2025-01-23 13:25:45 +01:00
878e8ba6f9 alpine: set up resolv.conf
Same as for debian.
2025-01-23 13:22:30 +01:00
9720379c14 proxmox-backup: allow IPv6 ND on management interface
IPv6 doesn’t work otherwise.
2025-01-23 13:12:25 +01:00
0d607fe2a4 proxmox-backup: don’t modify config for default SSH instance
It is disabled anyway, so trying to reload it barfs. Worry about
deduplicating roles whenever.
2025-01-23 13:10:50 +01:00
04bfcb03fa debian: update package cache 2025-01-20 15:30:07 +01:00
45c0f25ce0 debian: disable SSH password authentication
Oops. Also do it for proxmox-backup role even though SSH in default
VRF is disabled there, so it will be easier to deduplicate these roles
when someone gets around to it.
2025-01-20 14:58:08 +01:00
446e6132c7 nginx: add support for Debian distros 2025-01-20 14:22:40 +01:00
e3862a5be6 Fix FC check in interface template
One of these days I’m gonna write a defaultattr Jinja filter and
become rich and famous.
2025-01-20 11:20:46 +01:00
efbe8d2801 Reorder hosts in setup.yml
By type / name.
2025-01-13 15:29:37 +01:00
67b9b7b268 frr: disable BFD
There were some issues with proxmox cluster losing connectivity. Since
disabling it there were no more issues.

Might have not been caused by BFD or it was just misconfigured.
2025-01-13 14:57:38 +01:00
ac52c13803 proxmox-backup: set mail relay 2025-01-07 11:19:47 +01:00
b02ebf5be3 templates: skip FC interfaces
Anything that has the WWN attribute set really. This won’t work for
VMs because this attribute is not returned for those.
2025-01-07 10:53:17 +01:00
e5b570ddad proxmox: disable password SSH authentication
Apparently it’s not needed for cluster operations.
2024-12-13 14:49:44 +01:00
c585070edc Add kanboard role and server 2024-12-06 13:08:14 +01:00
04f187a140 dokuwiki: factor out nginx-php role 2024-12-06 13:07:01 +01:00
52f8ed5a2d Rename host doku to doc 2024-12-05 10:27:15 +01:00
bc05b2a9f6 dokuwiki: support multiple domains for nginx 2024-12-05 10:26:40 +01:00
1b5a20ac8a dnsmasq: disable ping for duplicate address detection
Some things don’t reply which holds up all requests for 3 seconds.
2024-11-28 15:41:22 +01:00
ff9620ed2a ceph: allow IPv6 neighbor discovery on mgmt interface 2024-11-27 17:37:07 +01:00
0a0ce7e2a5 Add telegraf role
And enable it for ceph nodes.
2024-11-27 17:37:00 +01:00