2d776d3246
nginx: only handle acme-challenge well-known directory in default site
...
Mainly so that other directories can be reverse-proxied.
2024-11-20 15:47:18 +01:00
b7fd838ca9
reverse-proxy: disable request buffering
2024-11-18 13:36:49 +01:00
cdb8fe6b66
reverse-proxy: increase proxy read timeout
2024-11-18 13:30:02 +01:00
efdb74497a
reverse-proxy: increase max request size
...
For uploading pictures and such.
2024-11-18 12:42:36 +01:00
973ce03249
Add reverse-proxy role
2024-11-15 15:44:29 +01:00
c970c562a9
nginx: support certificates for multiple domains
...
Uses `tls_domains` config context property from NetBox.
2024-11-15 13:38:07 +01:00
554bf1f711
dnsmasq: drop dhcp-proxy option
...
Instead add firewall rules to allow direct communication from client networks.
2024-11-09 20:24:11 +01:00
46a9ff6fc0
ceph: add LE certificates
...
With a hook to restart RGW services on renewal, if there are any. Live
certificates are linked to the same path under /etc/ceph on each host,
so that the orch service spec is node-independent.
Use with something like this (port 80 must be kept free for standalone
certbot renewal):
service_type: rgw
spec:
rgw_frontend_port: 8080
rgw_frontend_extra_args:
- ssl_port=443
- ssl_private_key=/etc/ceph/privkey.pem
- ssl_certificate=/etc/ceph/fullchain.pem
extra_container_args:
- "--volume"
- "/etc/ceph:/etc/ceph:ro"
- "--volume"
- "/etc/letsencrypt:/etc/letsencrypt:ro"
2024-11-08 16:38:15 +01:00
6e5de53937
doku: unoverride style for external link icons
2024-10-22 10:16:46 +02:00
ae49801579
doku: update deprecated nginx http2 directive
2024-10-22 10:16:38 +02:00
82ca6a94c1
nginx: reload server for renewed LE certificates
2024-10-22 10:02:55 +02:00
21df85e97a
dnsmasq: sort ranges by network name
2024-10-21 15:35:32 +02:00
polz
2bf2eb73a7
Add role=IoT to targets
2024-09-30 15:17:41 +02:00
b818249d82
Add grafana role
2024-09-27 16:14:23 +02:00
d0f3d828df
Add influxdb role
2024-09-27 16:14:10 +02:00
1f5d2f6238
facts: don’t barf on missing passwords
...
Not everything needs them.
2024-09-27 14:02:39 +02:00
6c817624bc
alpine: disable IPv6 automatic addresses
...
So we have predictable addresses if we ever want to firewall
individual hosts.
2024-09-21 22:41:36 +02:00
7155c33182
dnsmasq: fix template
...
It used to work. Then it didn’t. Now it works again.
2024-09-20 12:36:53 +02:00
d89ed5a46b
frr: use service module for reloading
2024-09-10 16:44:21 +02:00
Gašper Fele-Žorž
13009283c0
proxmox-backup add nftables template
2024-09-10 15:40:16 +02:00
Gašper Fele-Žorž
0802ac9878
proxmox-backup: fix hosts file
2024-09-10 15:10:55 +02:00
Gašper Fele-Žorž
68f0d6ba44
Add proxmox-backup
2024-09-10 15:07:30 +02:00
Gašper Fele-Žorž
add84ba1d2
proxmox-backup: set domain for ACME
2024-09-10 15:06:53 +02:00
Gašper Fele-Žorž
11a5ec85b3
proxmox-backup: add firewall
2024-09-10 14:53:46 +02:00
Gašper Fele-Žorž
f2fbd0c848
Add role proxmox-backup
2024-09-10 14:13:24 +02:00
Gašper Fele-Žorž
b5565b24fd
Add RuntimeDirectory to ssh service
...
Fixes "Missing privilege separation directory: /var/run/sshd"
2024-09-10 14:11:35 +02:00
2e3d7d180d
proxmox: set mail relay
2024-09-10 10:18:40 +02:00
9932064758
synapse: read DB password from secret store
...
Missed this one a while ago.
2024-09-06 16:30:51 +02:00
4fff2fac1b
frr: help zebra keep track of ECMP routes on link flap
...
Seems that this might be resolved in frr master. Or not. For now we
import the workaround from firewall configs.
2024-09-06 15:10:54 +02:00
54240955f1
Update instructions in README
...
To reflect current reality.
2024-09-06 10:41:49 +02:00
Gašper Fele-Žorž
e2edd63efe
proxmox: add dependency for ldap sync script
...
Install python3-ldap3.
2024-09-05 10:56:50 +02:00
a8b83e833b
facts: only look up cluster nodes when deploying to members
...
And not when deploying to virtual machines running on a cluster.
2024-09-04 16:56:56 +02:00
17c8e84498
proxmox: support certificate renewals with ACME
...
Certificates must still be requested manually, this just sets the
domain and opens up port 80/tcp. Nothing listens there except for
certbot during renewals so that’s OK.
2024-09-04 16:54:47 +02:00
1c1dd52325
proxmox: support public services for firewall
...
If no allowed IPs are set for a service, allow connections from anywhere.
2024-09-04 16:44:46 +02:00
6b1d871392
alpine: don’t assume all public services are TCP either
2024-09-04 16:42:13 +02:00
ec4dcd4ffd
frr: don’t use undefined variable
2024-08-28 12:43:17 +02:00
211d4bdb9a
Deconsolidate network setup for proxmox and debian roles
...
They are just different enough to be annoying.
2024-08-28 12:43:14 +02:00
c3d1a6c4b1
proxmox: fix handling empty values in LDAP sync script
...
Don’t put "None" for email and such.
2024-08-20 15:08:57 +02:00
2b4a196e4d
alpine: add whimsy
...
For what is life without it.
2024-08-16 11:48:10 +02:00
312cd8d4b3
alpine: rename network interfaces
...
Mostly relevant for VMs, to match the names with proxmox.
2024-08-16 11:47:38 +02:00
d5db7529dd
netbox: allow registered users to view everything
...
And others nothing. Also clean up. Also enable topology views plugin.
2024-08-15 17:11:29 +02:00
8ba6959065
postgres: store DB password with other secrets
...
Let’s uncomplicate our lives. Also I’m not sure if the ~/.pgpass stuff
ever worked properly or even at all.
2024-08-15 12:58:24 +02:00
3261bc7f98
alpine: don’t hardcode nftables input rule for SSH
...
Instead configure it in NetBox like all other services.
2024-08-14 12:46:23 +02:00
38ff061f81
alpine: don’t set gateway for interface if the gateway is that interface
2024-08-06 15:47:05 +02:00
6e35a7462d
dnsmasq: get DHCP ranges from NetBox
2024-08-05 12:07:39 +02:00
036f7c8b74
Support custom allowed_ips field for services
...
Like allowed_prefixes, but for single IP addresses. Currently used
just for DHCP server to allow (only) packets from relays.
2024-08-03 11:44:03 +02:00
01a27e45ce
dnsmasq: add script for dynamic DNS updates
2024-08-02 12:08:32 +02:00
a3dd4eba65
alpine: don’t assume all services are TCP
2024-07-26 10:14:23 +02:00
b20e9cccff
Add dnsmasq role
2024-07-26 10:13:59 +02:00
02086cdc32
synapse: enable service
2024-07-05 11:27:04 +02:00
