Commit graph

208 commits

Author SHA1 Message Date
9afaf49651 debian: fix interface file templating
Make it work for base Debian and Proxmox installs.
2025-08-14 14:37:36 +02:00
04c5be85c5 debian: don’t update package cache for base packages
The repositories might not yet be set up correctly at this point.
2025-08-14 14:21:15 +02:00
e28bb50a9e debian: improve proxmox detection
Assume non-proxmox debians don’t have /etc/pve so we don’t have to
depend on NetBox data.
2025-08-14 10:08:54 +02:00
246178fa5d frr: don’t BGP peer on disabled interfaces 2025-08-13 17:14:28 +02:00
011a0852bb proxmox: remove tasks done by debian role 2025-08-13 17:14:20 +02:00
ef69e31357 debian: don’t set up firewall for proxmox hosts
Also factor firewall setup into a separate task. There is no good way
to distinguish Debian and Proxmox hosts in Ansible, so we rely on the
cluster_type NetBox variable.
2025-08-13 16:37:47 +02:00
45d3e6c4ec debian: fix network interface renaming
To become one with proxmox.
2025-08-13 16:29:37 +02:00
ea1f8f88d0 proxmox: fix network interface renaming
Use systemd .link files which are "relatively futureproof" according
to https://wiki.debian.org/NetworkInterfaceNames .
2025-08-13 16:19:06 +02:00
59c1431f93 proxmox: switch to deb822 source format
Debian did, Proxmox did, now we did too. Also enable ceph repository
if ceph-version is set in config context.
2025-08-12 19:29:28 +02:00
937c75e097 ocserv: notify users about certificates about to expire 2025-08-12 10:59:02 +02:00
7bb27acd2c opensmtpd: configure root mail alias
And add a README.
2025-08-11 14:07:45 +02:00
b64a5880b9 opensmtpd: add support for Debian 2025-08-11 14:04:58 +02:00
7916ae309e opensmtpd: disable TLS for relay
Looks like someone broke it.
2025-08-11 12:46:59 +02:00
292ddbb7e7 ocserv: fix firewall config
Oops, let’s not drop everything but VPN packets in postrouting.
2025-08-11 12:26:55 +02:00
11e456cff1 ocserv: add playbook for creating client certificates 2025-08-04 16:13:30 +02:00
ec9883ca29 ocserv: reload service on certificate renewal 2025-08-01 15:20:55 +02:00
604ce177e6 apache, nginx: fix service reload on Debian
For some unfathomable reason /sbin is not in PATH when running cronjobs.
It shouldn’t hurt on Alpine.
2025-08-01 15:11:23 +02:00
0814e628c5 Add radvd role 2025-07-31 12:15:48 +02:00
7ffb1e7699 debian: enable unattended upgrades 2025-07-31 10:07:49 +02:00
polz
c64a3772ef The apache_openidc role should work on a fresh install 2025-07-30 17:13:19 +02:00
polz
b324daff08 Added role for apache 2025-07-30 17:12:38 +02:00
polz
d5b6fe1d92 The registrator role should work on a fresh alpine install 2025-07-30 17:11:37 +02:00
polz
57923a51ad Busybox date requires -I instead of --iso 2025-07-26 06:59:42 +02:00
polz
2888dd841f Merge branch 'master' of git.fri.uni-lj.si:rc/servers 2025-07-25 17:11:07 +02:00
polz
04c7efe706 Create registrator role 2025-07-25 17:09:43 +02:00
polz
168641b728 rename apache-php to apache_php 2025-07-25 17:01:03 +02:00
polz
29498edf9e Add role apache_oidc 2025-07-25 17:00:29 +02:00
polz
4ed3bc5d7f Add roles apache-php and reverse_proxy 2025-07-25 16:56:03 +02:00
458b0d02ee forgejo: disable useless landing page 2025-07-19 12:25:47 +02:00
d1cf462f64 alpine: drop hints from interface configuration
Turns out ifupdown-ng ignores "inet static" and "inet loopback" hints
on iface lines. The interface named "lo" is always used as loopback.
2025-07-16 13:07:15 +02:00
cabf831962 synapse: support server notices 2025-07-15 15:04:52 +02:00
a942662e12 alpine: create network interface include directory
So that init script doesn’t complain.
2025-07-15 14:16:10 +02:00
eb70fed7cb forgejo: make profiles public by default
Private profiles are annoying to work with so let’s make it opt-in.
2025-07-01 12:13:31 +02:00
a84f211083 nginx: reload on config change 2025-05-18 13:21:02 +02:00
d442940975 ocserv: use numeric ID instead of arbitrary USERNAME for nft chain name
Putting an @ in a name is bad.
2025-05-16 14:26:39 +02:00
245b4a0dcd ocserv: support UDP 2025-05-16 14:26:26 +02:00
6e72987863 ocserv: only support certificate auth for clients 2025-05-16 14:10:11 +02:00
f9f899fb2e nginx: unoverride secure defaults
Both Alpine and Debian override default nginx ssl_protocols to enable
older TLS versions. Unoverride to return to secure nginx defaults.
2025-05-16 14:01:33 +02:00
bf4fd2c82d alpine: support non-VM hosts in interfaces template
Ignore OOB management interface, allow configuring loopback interface
with NetBox data, and setting MTU.
2025-05-15 14:55:43 +02:00
cbd3f1a7ea alpine: set inventory_hostname as hostname
Instead of dns_name which might not be defined and is wrong in any case.
2025-05-15 10:47:55 +02:00
a8814e6da2 facts: don’t barf on undefined platform
Oops.
2025-05-15 09:23:11 +02:00
d162f175a4 facts: get platform info from NetBox
Instead of pinging each host to see if it’s Windows. Make sure to set
the platform at least for such hosts.
2025-05-13 13:31:07 +02:00
7cbbf635a8 facts: don’t write passwords to stdout 2025-05-13 11:09:02 +02:00
e6876ff265 windows: don’t disable builtin firewall rules before setting our own
Oops.
2025-05-11 14:41:08 +02:00
e30fcf0bd4 windows: set hostname 2025-05-11 13:18:47 +02:00
66298da9c7 windows: set up firewall 2025-05-11 13:13:54 +02:00
91de26af57 Add windows role
Set up network interfaces and SSH for Windows hosts.

We can’t gather facts before we know which remote shell to use, so
first run a win_ping to determine if a given host is running Windows.
2025-05-09 17:26:07 +02:00
aa78b407c8 ocserv: disable TLS<1.2 2025-05-08 15:04:38 +02:00
a5eae03cf8 forgejo: don’t enable the testing apk repo
Alpine has forgejo in main repo now.
2025-05-08 14:14:14 +02:00
6797f65971 influxdb: fix reverse proxy
Like grafana. Also set some buffering options.
2025-05-07 14:13:04 +02:00