Commit graph

138 commits

Author SHA1 Message Date
Timotej Lazar 0d60aa107f Consolidate nftables setup for alpine, debian and ceph roles 2025-02-12 17:24:24 +01:00
Timotej Lazar bfda7b3236 dnsmasq: skip DNS update script when starting up 2025-02-06 09:29:48 +01:00
Timotej Lazar e95603fda9 Add unifi role
And server.
2025-02-04 14:44:02 +01:00
Timotej Lazar 878e8ba6f9 alpine: set up resolv.conf
Same as for debian.
2025-01-23 13:22:30 +01:00
Timotej Lazar 9720379c14 proxmox-backup: allow IPv6 ND on management interface
IPv6 doesn’t work otherwise.
2025-01-23 13:12:25 +01:00
Timotej Lazar 0d607fe2a4 proxmox-backup: don’t modify config for default SSH instance
It is disabled anyway, so trying to reload it barfs. Worry about
deduplicating roles whenever.
2025-01-23 13:10:50 +01:00
Timotej Lazar 04bfcb03fa debian: update package cache 2025-01-20 15:30:07 +01:00
Timotej Lazar 45c0f25ce0 debian: disable SSH password authentication
Oops. Also do it for proxmox-backup role even though SSH in default
VRF is disabled there, so it will be easier to deduplicate these roles
when someone gets around to it.
2025-01-20 14:58:08 +01:00
Timotej Lazar 446e6132c7 nginx: add support for Debian distros 2025-01-20 14:22:40 +01:00
Timotej Lazar 67b9b7b268 frr: disable BFD
There were some issues with proxmox cluster losing connectivity. Since
disabling it there were no more issues.

Might have not been caused by BFD or it was just misconfigured.
2025-01-13 14:57:38 +01:00
Timotej Lazar ac52c13803 proxmox-backup: set mail relay 2025-01-07 11:19:47 +01:00
Timotej Lazar e5b570ddad proxmox: disable password SSH authentication
Apparently it’s not needed for cluster operations.
2024-12-13 14:49:44 +01:00
Timotej Lazar c585070edc Add kanboard role and server 2024-12-06 13:08:14 +01:00
Timotej Lazar 04f187a140 dokuwiki: factor out nginx-php role 2024-12-06 13:07:01 +01:00
Timotej Lazar bc05b2a9f6 dokuwiki: support multiple domains for nginx 2024-12-05 10:26:40 +01:00
Timotej Lazar 1b5a20ac8a dnsmasq: disable ping for duplicate address detection
Some things don’t reply which holds up all requests for 3 seconds.
2024-11-28 15:41:22 +01:00
Timotej Lazar ff9620ed2a ceph: allow IPv6 neighbor discovery on mgmt interface 2024-11-27 17:37:07 +01:00
Timotej Lazar 0a0ce7e2a5 Add telegraf role
And enable it for ceph nodes.
2024-11-27 17:37:00 +01:00
Timotej Lazar 2d776d3246 nginx: only handle acme-challenge well-known directory in default site
Mainly so that other directories can be reverse-proxied.
2024-11-20 15:47:18 +01:00
Timotej Lazar b7fd838ca9 reverse-proxy: disable request buffering 2024-11-18 13:36:49 +01:00
Timotej Lazar cdb8fe6b66 reverse-proxy: increase proxy read timeout 2024-11-18 13:30:02 +01:00
Timotej Lazar efdb74497a reverse-proxy: increase max request size
For uploading pictures and such.
2024-11-18 12:42:36 +01:00
Timotej Lazar 973ce03249 Add reverse-proxy role 2024-11-15 15:44:29 +01:00
Timotej Lazar c970c562a9 nginx: support certificates for multiple domains
Uses `tls_domains` config context property from NetBox.
2024-11-15 13:38:07 +01:00
Timotej Lazar 554bf1f711 dnsmasq: drop dhcp-proxy option
Instead add firewall rules to allow direct communication from client networks.
2024-11-09 20:24:11 +01:00
Timotej Lazar 46a9ff6fc0 ceph: add LE certificates
With a hook to restart RGW services on renewal, if there are any. Live
certificates are linked to the same path under /etc/ceph on each host,
so that the orch service spec is node-independent.

Use with something like this (port 80 must be kept free for standalone
certbot renewal):

    service_type: rgw
    spec:
      rgw_frontend_port: 8080
      rgw_frontend_extra_args:
        - ssl_port=443
        - ssl_private_key=/etc/ceph/privkey.pem
        - ssl_certificate=/etc/ceph/fullchain.pem
    extra_container_args:
      - "--volume"
      - "/etc/ceph:/etc/ceph:ro"
      - "--volume"
      - "/etc/letsencrypt:/etc/letsencrypt:ro"
2024-11-08 16:38:15 +01:00
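The renewal hook that commit 46a9ff6fc0 describes, written out as an added example; this is not the repository's own code. It assumes certbot's standard deploy-hook environment (RENEWED_LINEAGE pointing at /etc/letsencrypt/live/<domain>), the /etc/ceph/privkey.pem and /etc/ceph/fullchain.pem paths from the service spec above, a host with the ceph CLI and an admin keyring, and that `ceph orch ls --service-type rgw --format json` lists services under a "service_name" key (parsed with grep/sed, so no jq dependency). The sample `ceph orch ls` output is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the repo): certbot deploy hook for Ceph RGW.
# Install as /etc/letsencrypt/renewal-hooks/deploy/ceph-rgw and renew with
# `certbot renew` (standalone authenticator, so 80/tcp must stay free).
set -eu

CEPH_DIR="${CEPH_DIR:-/etc/ceph}"

# Constructed sample of `ceph orch ls --service-type rgw --format json`,
# used only to exercise the parser below.
SAMPLE_ORCH_LS='[{"service_type":"rgw","service_id":"default","service_name":"rgw.default","placement":{"count":2}},{"service_type":"rgw","service_id":"photos","service_name":"rgw.photos"}]'

# Link the renewed lineage into a node-independent location so that the
# same spec (ssl_private_key=/etc/ceph/privkey.pem, ...) works on every host.
# ln -sfn replaces an existing link atomically enough for a hook run.
link_certs() {
    lineage="$1"   # e.g. /etc/letsencrypt/live/ceph.example.org
    dst="$2"       # e.g. /etc/ceph
    ln -sfn "$lineage/privkey.pem" "$dst/privkey.pem"
    ln -sfn "$lineage/fullchain.pem" "$dst/fullchain.pem"
}

# Print the names (rgw.<id>) of all RGW services found in orch JSON on stdin.
# grep -o handles several services on one compact JSON line; sort -u dedups.
rgw_services() {
    grep -o '"service_name": *"rgw\.[^"]*"' | sed 's/.*"\(rgw\.[^"]*\)"$/\1/' | sort -u
}

# Restart every RGW service so the daemons pick up the new certificate.
# If there are no RGW services (or orch is unavailable) this is a no-op.
restart_rgw() {
    json="$(ceph orch ls --service-type rgw --format json 2>/dev/null || echo '[]')"
    printf '%s\n' "$json" | rgw_services | while read -r svc; do
        echo "restarting $svc after certificate renewal"
        ceph orch restart "$svc"
    done
}

# certbot exports RENEWED_LINEAGE only when running as a deploy hook; when the
# script is sourced or run by hand nothing is touched.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    link_certs "$RENEWED_LINEAGE" "$CEPH_DIR"
    restart_rgw
fi
```

The containers see the renewed material through the read-only bind mounts of /etc/ceph and /etc/letsencrypt in the spec, so only the restart is needed; the same hook shape with `systemctl reload nginx` in place of `restart_rgw` is what the nginx reload-on-renewal change (82ca6a94c1) needs.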
Timotej Lazar 6e5de53937 doku: unoverride style for external link icons 2024-10-22 10:16:46 +02:00
Timotej Lazar ae49801579 doku: update deprecated nginx http2 directive 2024-10-22 10:16:38 +02:00
Timotej Lazar 82ca6a94c1 nginx: reload server for renewed LE certificates 2024-10-22 10:02:55 +02:00
Timotej Lazar 21df85e97a dnsmasq: sort ranges by network name 2024-10-21 15:35:32 +02:00
Timotej Lazar b818249d82 Add grafana role 2024-09-27 16:14:23 +02:00
Timotej Lazar d0f3d828df Add influxdb role 2024-09-27 16:14:10 +02:00
Timotej Lazar 1f5d2f6238 facts: don’t barf on missing passwords
Not everything needs them.
2024-09-27 14:02:39 +02:00
Timotej Lazar 6c817624bc alpine: disable IPv6 automatic addresses
So we have predictable addresses if we ever want to firewall
individual hosts.
2024-09-21 22:41:36 +02:00
Timotej Lazar 7155c33182 dnsmasq: fix template
It used to work. Then it didn’t. Now it works again.
2024-09-20 12:36:53 +02:00
Timotej Lazar d89ed5a46b frr: use service module for reloading 2024-09-10 16:44:21 +02:00
Gašper Fele-Žorž 13009283c0 proxmox-backup: add nftables template 2024-09-10 15:40:16 +02:00
Gašper Fele-Žorž 0802ac9878 proxmox-backup: fix hosts file 2024-09-10 15:10:55 +02:00
Gašper Fele-Žorž add84ba1d2 proxmox-backup: set domain for ACME 2024-09-10 15:06:53 +02:00
Gašper Fele-Žorž 11a5ec85b3 proxmox-backup: add firewall 2024-09-10 14:53:46 +02:00
Gašper Fele-Žorž f2fbd0c848 Add role proxmox-backup 2024-09-10 14:13:24 +02:00
Timotej Lazar 2e3d7d180d proxmox: set mail relay 2024-09-10 10:18:40 +02:00
Timotej Lazar 9932064758 synapse: read DB password from secret store
Missed this one a while ago.
2024-09-06 16:30:51 +02:00
Timotej Lazar 4fff2fac1b frr: help zebra keep track of ECMP routes on link flap
Seems that this might be resolved in frr master. Or not. For now we
import the workaround from firewall configs.
2024-09-06 15:10:54 +02:00
Gašper Fele-Žorž e2edd63efe proxmox: add dependency for ldap sync script
Install python3-ldap3.
2024-09-05 10:56:50 +02:00
Timotej Lazar a8b83e833b facts: only look up cluster nodes when deploying to members
And not when deploying to virtual machines running on a cluster.
2024-09-04 16:56:56 +02:00
Timotej Lazar 17c8e84498 proxmox: support certificate renewals with ACME
Certificates must still be requested manually, this just sets the
domain and opens up port 80/tcp. Nothing listens there except for
certbot during renewals so that’s OK.
2024-09-04 16:54:47 +02:00
Timotej Lazar 1c1dd52325 proxmox: support public services for firewall
If no allowed IPs are set for a service, allow connections from anywhere.
2024-09-04 16:44:46 +02:00
Timotej Lazar 6b1d871392 alpine: don’t assume all public services are TCP either 2024-09-04 16:42:13 +02:00
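The firewall behaviour the last two commits describe (a service with no allowed IPs is public and reachable from anywhere; the protocol comes from the service definition instead of being assumed TCP), together with the ICMPv6 neighbour discovery allowance from ff9620ed2a and 9720379c14, rendered as an nftables ruleset by an added example script. This is not the repository's template: the roles render this from NetBox data with Jinja2, whereas the script below reads a constructed service list in an assumed "name proto port [allowed]" line format and prints the equivalent nft input chain.

```shell
#!/bin/sh
# Added example (not from the repo): render an nftables input chain from a
# service list. Usage: sh render-nft.sh render | nft -c -f -   (syntax check)
set -eu

# Constructed sample. Format: name proto port [comma-separated source prefixes];
# no prefixes means the service is public.
SERVICES='
ssh   tcp 22   10.0.0.0/24,2001:db8::/64
dns   udp 53
https tcp 443
'

# Pick the v4 or v6 entries out of a comma-separated prefix list and
# return them as "a, b, c" for use inside an nft anonymous set.
split_family() {
    printf '%s' "$1" | tr ',' '\n' | awk -v fam="$2" '
        (fam == "v6") == (index($0, ":") > 0) { out = out (out ? ", " : "") $0 }
        END { printf "%s", out }'
}

# Emit the accept rule(s) for one service. Protocol is taken from the
# definition, so a UDP service yields "udp dport", not an assumed tcp match.
# With an empty allowed list the rule has no saddr match at all (public).
service_rule() {
    proto="$1" port="$2" allowed="${3:-}"
    if [ -z "$allowed" ]; then
        printf '%s dport %s accept\n' "$proto" "$port"
        return 0
    fi
    v4=$(split_family "$allowed" v4)
    v6=$(split_family "$allowed" v6)
    if [ -n "$v4" ]; then
        printf 'ip saddr { %s } %s dport %s accept\n' "$v4" "$proto" "$port"
    fi
    if [ -n "$v6" ]; then
        printf 'ip6 saddr { %s } %s dport %s accept\n' "$v6" "$proto" "$port"
    fi
}

# Full ruleset: default-drop input chain with the baseline allowances,
# then one block of rules per service.
render_ruleset() {
    cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # without ND the host never resolves its neighbours and IPv6 stops working
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        ip protocol icmp accept
EOF
    printf '%s\n' "$SERVICES" | while read -r name proto port allowed; do
        [ -n "$name" ] || continue
        printf '        # %s\n' "$name"
        service_rule "$proto" "$port" "$allowed" | sed 's/^/        /'
    done
    printf '    }\n}\n'
}

if [ "${1:-}" = "render" ]; then
    render_ruleset
fi
```

Keeping the ND types on the allow list is the part that is easy to lose when consolidating templates across roles: a default-drop chain that only admits established traffic and the service ports silently breaks IPv6 on the management interface, which is exactly the symptom the proxmox-backup and ceph commits fix.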
Timotej Lazar ec4dcd4ffd frr: don’t use undefined variable 2024-08-28 12:43:17 +02:00