35427f1fbc
debian: reorder tasks
Ensure network interfaces are renamed first.
2025-04-08 21:31:45 +02:00
275991c49c
proxmox: check for errors when retrieving users from AD
Sometimes the created user.cfg file is empty for some reason. So add
some checking and logging and hope for resolution.
2025-04-03 18:58:44 +02:00
1a7b813dff
facts: get admins’ SSH keys from password store
Also install them into root’s authorized_keys on alpine.
2025-03-26 19:14:34 +01:00
7907b6f0e5
Revert "dnsmasq: drop dhcp-proxy option"
This reverts commit 554bf1f711.
Turns out ISC dhcrelay will relay even unicast packets from clients. So
the DHCP server got both the routed and the relayed query.
This tells dnsmasq to tell clients to send everything through the relay.
Since everything now comes from the relay we can drop access from client
networks.
2025-03-19 14:49:43 +01:00
be8e47119f
opensmtpd: support relaying mail
2025-02-17 15:04:59 +01:00
polz
b252e451f6
Add nsswitch config to scan
2025-02-17 14:12:18 +01:00
polz
fe646ece89
Add scan (working samba on Alpine) role
2025-02-17 13:27:40 +01:00
200f3be792
unifi: fix nginx reverse proxy headers
2025-02-17 10:18:56 +01:00
0d60aa107f
Consolidate nftables setup for alpine, debian and ceph roles
2025-02-12 17:24:24 +01:00
bfda7b3236
dnsmasq: skip DNS update script when starting up
2025-02-06 09:29:48 +01:00
e95603fda9
Add unifi role
And server.
2025-02-04 14:44:02 +01:00
73555d2fd7
ansible: shut up warnings about discovered Python interpreter
2025-01-23 13:36:24 +01:00
365b5d9f67
Use IPv6 addresses for DNS servers
2025-01-23 13:25:45 +01:00
878e8ba6f9
alpine: set up resolv.conf
Same as for debian.
2025-01-23 13:22:30 +01:00
9720379c14
proxmox-backup: allow IPv6 ND on management interface
IPv6 doesn’t work otherwise.
2025-01-23 13:12:25 +01:00
0d607fe2a4
proxmox-backup: don’t modify config for default SSH instance
It is disabled anyway, so trying to reload it barfs. Worry about
deduplicating roles whenever.
2025-01-23 13:10:50 +01:00
04bfcb03fa
debian: update package cache
2025-01-20 15:30:07 +01:00
45c0f25ce0
debian: disable SSH password authentication
Oops. Also do it for proxmox-backup role even though SSH in default
VRF is disabled there, so it will be easier to deduplicate these roles
when someone gets around to it.
2025-01-20 14:58:08 +01:00
446e6132c7
nginx: add support for Debian distros
2025-01-20 14:22:40 +01:00
e3862a5be6
Fix FC check in interface template
One of these days I’m gonna write a defaultattr Jinja filter and
become rich and famous.
2025-01-20 11:20:46 +01:00
efbe8d2801
Reorder hosts in setup.yml
By type / name.
2025-01-13 15:29:37 +01:00
67b9b7b268
frr: disable BFD
There were some issues with proxmox cluster losing connectivity. Since
disabling it there were no more issues.
Might not have been caused by BFD, or it was just misconfigured.
2025-01-13 14:57:38 +01:00
ac52c13803
proxmox-backup: set mail relay
2025-01-07 11:19:47 +01:00
b02ebf5be3
templates: skip FC interfaces
Anything that has the WWN attribute set really. This won’t work for
VMs because this attribute is not returned for those.
2025-01-07 10:53:17 +01:00
e5b570ddad
proxmox: disable password SSH authentication
Apparently it’s not needed for cluster operations.
2024-12-13 14:49:44 +01:00
c585070edc
Add kanboard role and server
2024-12-06 13:08:14 +01:00
04f187a140
dokuwiki: factor out nginx-php role
2024-12-06 13:07:01 +01:00
52f8ed5a2d
Rename host doku to doc
2024-12-05 10:27:15 +01:00
bc05b2a9f6
dokuwiki: support multiple domains for nginx
2024-12-05 10:26:40 +01:00
1b5a20ac8a
dnsmasq: disable ping for duplicate address detection
Some things don’t reply which holds up all requests for 3 seconds.
2024-11-28 15:41:22 +01:00
ff9620ed2a
ceph: allow IPv6 neighbor discovery on mgmt interface
2024-11-27 17:37:07 +01:00
0a0ce7e2a5
Add telegraf role
And enable it for ceph nodes.
2024-11-27 17:37:00 +01:00
14dd446fd4
Add monitor
For monitoring stuff.
2024-11-27 17:31:28 +01:00
2d776d3246
nginx: only handle acme-challenge well-known directory in default site
Mainly so that other directories can be reverse-proxied.
2024-11-20 15:47:18 +01:00
b7fd838ca9
reverse-proxy: disable request buffering
2024-11-18 13:36:49 +01:00
cdb8fe6b66
reverse-proxy: increase proxy read timeout
2024-11-18 13:30:02 +01:00
efdb74497a
reverse-proxy: increase max request size
For uploading pictures and such.
2024-11-18 12:42:36 +01:00
973ce03249
Add reverse-proxy role
2024-11-15 15:44:29 +01:00
c970c562a9
nginx: support certificates for multiple domains
Uses `tls_domains` config context property from NetBox.
2024-11-15 13:38:07 +01:00
554bf1f711
dnsmasq: drop dhcp-proxy option
Instead add firewall rules to allow direct communication from client networks.
2024-11-09 20:24:11 +01:00
46a9ff6fc0
ceph: add LE certificates
With a hook to restart RGW services on renewal, if there are any. Live
certificates are linked to the same path under /etc/ceph on each host,
so that the orch service spec is node-independent.
Use with something like this (port 80 must be kept free for standalone
certbot renewal):

service_type: rgw
spec:
  rgw_frontend_port: 8080
  rgw_frontend_extra_args:
    - ssl_port=443
    - ssl_private_key=/etc/ceph/privkey.pem
    - ssl_certificate=/etc/ceph/fullchain.pem
extra_container_args:
  - "--volume"
  - "/etc/ceph:/etc/ceph:ro"
  - "--volume"
  - "/etc/letsencrypt:/etc/letsencrypt:ro"
2024-11-08 16:38:15 +01:00
6e5de53937
doku: unoverride style for external link icons
2024-10-22 10:16:46 +02:00
ae49801579
doku: update deprecated nginx http2 directive
2024-10-22 10:16:38 +02:00
82ca6a94c1
nginx: reload server for renewed LE certificates
2024-10-22 10:02:55 +02:00
21df85e97a
dnsmasq: sort ranges by network name
2024-10-21 15:35:32 +02:00
polz
2bf2eb73a7
Add role=IoT to targets
2024-09-30 15:17:41 +02:00
b818249d82
Add grafana role
2024-09-27 16:14:23 +02:00
d0f3d828df
Add influxdb role
2024-09-27 16:14:10 +02:00
1f5d2f6238
facts: don’t barf on missing passwords
Not everything needs them.
2024-09-27 14:02:39 +02:00
6c817624bc
alpine: disable IPv6 automatic addresses
So we have predictable addresses if we ever want to firewall
individual hosts.
2024-09-21 22:41:36 +02:00