Commit graph

137 commits

Author SHA1 Message Date
2d776d3246 nginx: only handle acme-challenge well-known directory in default site
Mainly so that other directories can be reverse-proxied.
2024-11-20 15:47:18 +01:00
b7fd838ca9 reverse-proxy: disable request buffering 2024-11-18 13:36:49 +01:00
cdb8fe6b66 reverse-proxy: increase proxy read timeout 2024-11-18 13:30:02 +01:00
efdb74497a reverse-proxy: increase max request size
For uploading pictures and such.
2024-11-18 12:42:36 +01:00
973ce03249 Add reverse-proxy role 2024-11-15 15:44:29 +01:00
c970c562a9 nginx: support certificates for multiple domains
Uses `tls_domains` config context property from NetBox.
2024-11-15 13:38:07 +01:00
554bf1f711 dnsmasq: drop dhcp-proxy option
Instead add firewall rules to allow direct communication from client networks.
2024-11-09 20:24:11 +01:00
46a9ff6fc0 ceph: add LE certificates
With a hook to restart RGW services on renewal, if there are any. Live
certificates are linked to the same path under /etc/ceph on each host,
so that the orch service spec is node-independent.

Use with something like this (port 80 must be kept free for standalone
certbot renewal):

    service_type: rgw
    spec:
      rgw_frontend_port: 8080
      rgw_frontend_extra_args:
        - ssl_port=443
        - ssl_private_key=/etc/ceph/privkey.pem
        - ssl_certificate=/etc/ceph/fullchain.pem
    extra_container_args:
      - "--volume"
      - "/etc/ceph:/etc/ceph:ro"
      - "--volume"
      - "/etc/letsencrypt:/etc/letsencrypt:ro"
2024-11-08 16:38:15 +01:00
6e5de53937 doku: unoverride style for external link icons 2024-10-22 10:16:46 +02:00
ae49801579 doku: update deprecated nginx http2 directive 2024-10-22 10:16:38 +02:00
82ca6a94c1 nginx: reload server for renewed LE certificates 2024-10-22 10:02:55 +02:00
21df85e97a dnsmasq: sort ranges by network name 2024-10-21 15:35:32 +02:00
polz
2bf2eb73a7 Add role=IoT to targets 2024-09-30 15:17:41 +02:00
b818249d82 Add grafana role 2024-09-27 16:14:23 +02:00
d0f3d828df Add influxdb role 2024-09-27 16:14:10 +02:00
1f5d2f6238 facts: don’t barf on missing passwords
Not everything needs them.
2024-09-27 14:02:39 +02:00
6c817624bc alpine: disable IPv6 automatic addresses
So we have predictable addresses if we ever want to firewall
individual hosts.
2024-09-21 22:41:36 +02:00
7155c33182 dnsmasq: fix template
It used to work. Then it didn’t. Now it works again.
2024-09-20 12:36:53 +02:00
d89ed5a46b frr: use service module for reloading 2024-09-10 16:44:21 +02:00
Gašper Fele-Žorž
13009283c0 proxmox-backup add nftables template 2024-09-10 15:40:16 +02:00
Gašper Fele-Žorž
0802ac9878 proxmox-backup: fix hosts file 2024-09-10 15:10:55 +02:00
Gašper Fele-Žorž
68f0d6ba44 Add proxmox-backup 2024-09-10 15:07:30 +02:00
Gašper Fele-Žorž
add84ba1d2 proxmox-backup: set domain for ACME 2024-09-10 15:06:53 +02:00
Gašper Fele-Žorž
11a5ec85b3 proxmox-backup: add firewall 2024-09-10 14:53:46 +02:00
Gašper Fele-Žorž
f2fbd0c848 Add role proxmox-backup 2024-09-10 14:13:24 +02:00
Gašper Fele-Žorž
b5565b24fd Add RuntimeDirectory to ssh service
Fixes "Missing privilege separation directory: /var/run/sshd"
2024-09-10 14:11:35 +02:00
2e3d7d180d proxmox: set mail relay 2024-09-10 10:18:40 +02:00
9932064758 synapse: read DB password from secret store
Missed this one a while ago.
2024-09-06 16:30:51 +02:00
4fff2fac1b frr: help zebra keep track of ECMP routes on link flap
Seems that this might be resolved in frr master. Or not. For now we
import the workaround from firewall configs.
2024-09-06 15:10:54 +02:00
54240955f1 Update instructions in README
To reflect current reality.
2024-09-06 10:41:49 +02:00
Gašper Fele-Žorž
e2edd63efe proxmox: add dependency for ldap sync script
Install python3-ldap3.
2024-09-05 10:56:50 +02:00
a8b83e833b facts: only look up cluster nodes when deploying to members
And not when deploying to virtual machines running on a cluster.
2024-09-04 16:56:56 +02:00
17c8e84498 proxmox: support certificate renewals with ACME
Certificates must still be requested manually, this just sets the
domain and opens up port 80/tcp. Nothing listens there except for
certbot during renewals so that’s OK.
2024-09-04 16:54:47 +02:00
1c1dd52325 proxmox: support public services for firewall
If no allowed IPs are set for a service, allow connections from anywhere.
2024-09-04 16:44:46 +02:00
6b1d871392 alpine: don’t assume all public services are TCP either 2024-09-04 16:42:13 +02:00
ec4dcd4ffd frr: don’t use undefined variable 2024-08-28 12:43:17 +02:00
211d4bdb9a Deconsolidate network setup for proxmox and debian roles
They are just different enough to be annoying.
2024-08-28 12:43:14 +02:00
c3d1a6c4b1 proxmox: fix handling empty values in LDAP sync script
Don’t put "None" for email and such.
2024-08-20 15:08:57 +02:00
2b4a196e4d alpine: add whimsy
For what is life without it.
2024-08-16 11:48:10 +02:00
312cd8d4b3 alpine: rename network interfaces
Mostly relevant for VMs, to match the names with proxmox.
2024-08-16 11:47:38 +02:00
d5db7529dd netbox: allow registered users to view everything
And others nothing. Also clean up. Also enable topology views plugin.
2024-08-15 17:11:29 +02:00
8ba6959065 postgres: store DB password with other secrets
Let’s uncomplicate our lives. Also I’m not sure if the ~/.pgpass stuff
ever worked properly or even at all.
2024-08-15 12:58:24 +02:00
3261bc7f98 alpine: don’t hardcode nftables input rule for SSH
Instead configure it in NetBox like all other services.
2024-08-14 12:46:23 +02:00
38ff061f81 alpine: don’t set gateway for interface if the gateway is that interface 2024-08-06 15:47:05 +02:00
6e35a7462d dnsmasq: get DHCP ranges from NetBox 2024-08-05 12:07:39 +02:00
036f7c8b74 Support custom allowed_ips field for services
Like allowed_prefixes, but for single IP addresses. Currently used
just for DHCP server to allow (only) packets from relays.
2024-08-03 11:44:03 +02:00
01a27e45ce dnsmasq: add script for dynamic DNS updates 2024-08-02 12:08:32 +02:00
a3dd4eba65 alpine: don’t assume all services are TCP 2024-07-26 10:14:23 +02:00
b20e9cccff Add dnsmasq role 2024-07-26 10:13:59 +02:00
02086cdc32 synapse: enable service 2024-07-05 11:27:04 +02:00