rc/servers
5
0
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
178 commits 1 branch 0 tags 740 KiB
Commit graph

178 commits

This branch
This branch
All branches
Author SHA1 Message Date
Timotej Lazar
783f1af3a5 netbox: add redis dependency 2025-04-17 18:22:10 +02:00
Timotej Lazar
8e3772e475 dnsmasq: store leases in sqlite database 
To avoid dnsmasq writing out the whole leasefile on each request
before replying. This gets slow on high‐latency storage.

Also tweak DNS updates a bit.
 2025-04-14 16:41:24 +02:00
Timotej Lazar
b6b4a16fd4 netbox: drop obsolete file 2025-04-12 20:53:00 +02:00
Timotej Lazar
ade6a8e1e2 Add nginx as a role dependency where required 
This is pretty much anywhere a LE certificate is needed. Similar for
nginx-php for PHP sites. Drop these roles from setup.yml.
 2025-04-12 18:51:31 +02:00
Timotej Lazar
cf6b682cf8 Add ocserv role 
Create a self-signed CA, set up group configs, add script to allow new
connections through the firewall.

In the base debian role, drop the default nftables forward chain with
drop policy because it clashes with this. If you enable forwarding on
a debian host, make sure to configure the firewall.
 2025-04-12 18:38:48 +02:00
Timotej Lazar
a1c7be8184 facts: only look up prefixes and VLANs once 
Not once per host.
 2025-04-10 22:21:44 +02:00
Timotej Lazar
d2b9b05406 setup: do base setup for all targets in one step 2025-04-10 19:30:14 +02:00
Timotej Lazar
e754db5fbd Consolidate hosts template 
For alpine, debian, ceph and proxmox roles.

Add the union of IPv6 LL host entries across all distros to make sure nothing croaks.
 2025-04-10 18:22:41 +02:00
Timotej Lazar
35427f1fbc debian: reorder tasks 
Ensure network interfaces are renamed first.
 2025-04-08 21:31:45 +02:00
Timotej Lazar
275991c49c proxmox: check for errors when retrieving users from AD 
Sometimes the created user.cfg file is empty for some reason. So add
some checking and logging and hope for resolution.
 2025-04-03 18:58:44 +02:00
Timotej Lazar
1a7b813dff facts: get admins’ SSH keys from password store 
Also install them into root’s authorized_keys on alpine.
 2025-03-26 19:14:34 +01:00
Timotej Lazar
7907b6f0e5 Revert "dnsmasq: drop dhcp-proxy option" 
This reverts commit 554bf1f711.

Turns out ISC dhcrelay will relay even unicast packets from clients. So
the DHCP server got both the routed and the relayed query.

This tells dnsmasq to tell clients to send everything through the relay.
Since everything now comes from the relay we can drop access from client
networks.
 2025-03-19 14:49:43 +01:00
Timotej Lazar
be8e47119f opensmtpd: support relaying mail 2025-02-17 15:04:59 +01:00
polz
b252e451f6 Add nsswitch config to scan 2025-02-17 14:12:18 +01:00
polz
fe646ece89 Add scan (working samba on Alpine) role 2025-02-17 13:27:40 +01:00
Timotej Lazar
200f3be792 unifi: fix nginx reverse proxy headers 2025-02-17 10:18:56 +01:00
Timotej Lazar
0d60aa107f Consolidate nftables setup for alpine, debian and ceph roles 2025-02-12 17:24:24 +01:00
Timotej Lazar
bfda7b3236 dnsmasq: skip DNS update script when starting up 2025-02-06 09:29:48 +01:00
Timotej Lazar
e95603fda9 Add unifi role 
And server.
 2025-02-04 14:44:02 +01:00
Timotej Lazar
73555d2fd7 ansible: shut up warnings about discovered Python interpreter 2025-01-23 13:36:24 +01:00
Timotej Lazar
365b5d9f67 Use IPv6 addresses for DNS servers 2025-01-23 13:25:45 +01:00
Timotej Lazar
878e8ba6f9 alpine: set up resolv.conf 
Same as for debian.
 2025-01-23 13:22:30 +01:00
Timotej Lazar
9720379c14 proxmox-backup: allow IPv6 ND on management interface 
IPv6 doesn’t work otherwise.
 2025-01-23 13:12:25 +01:00
Timotej Lazar
0d607fe2a4 proxmox-backup: don’t modify config for default SSH instance 
It is disabled anyway, so trying to reload it barfs. Worry about
deduplicating roles whenever.
 2025-01-23 13:10:50 +01:00
Timotej Lazar
04bfcb03fa debian: update package cache 2025-01-20 15:30:07 +01:00
Timotej Lazar
45c0f25ce0 debian: disable SSH password authentication 
Oops. Also do it for proxmox-backup role even though SSH in default
VRF is disabled there, so it will be easier to deduplicate these roles
when someone gets around to it.
 2025-01-20 14:58:08 +01:00
Timotej Lazar
446e6132c7 nginx: add support for Debian distros 2025-01-20 14:22:40 +01:00
Timotej Lazar
e3862a5be6 Fix FC check in interface template 
One of these days I’m gonna write a defaultattr Jinja filter and
become rich and famous.
 2025-01-20 11:20:46 +01:00
Timotej Lazar
efbe8d2801 Reorder hosts in setup.yml 
By type / name.
 2025-01-13 15:29:37 +01:00
Timotej Lazar
67b9b7b268 frr: disable BFD 
There were some issues with proxmox cluster losing connectivity. Since
disabling it there were no more issues.

Might have not been caused by BFD or it was just misconfigured.
 2025-01-13 14:57:38 +01:00
Timotej Lazar
ac52c13803 proxmox-backup: set mail relay 2025-01-07 11:19:47 +01:00
Timotej Lazar
b02ebf5be3 templates: skip FC interfaces 
Anything that has the WWN attribute set really. This won’t work for
VMs because this attribute is not returned for those.
 2025-01-07 10:53:17 +01:00
Timotej Lazar
e5b570ddad proxmox: disable password SSH authentication 
Apparently it’s not needed for cluster operations.
 2024-12-13 14:49:44 +01:00
Timotej Lazar
c585070edc Add kanboard role and server 2024-12-06 13:08:14 +01:00
Timotej Lazar
04f187a140 dokuwiki: factor out nginx-php role 2024-12-06 13:07:01 +01:00
Timotej Lazar
52f8ed5a2d Rename host doku to doc 2024-12-05 10:27:15 +01:00
Timotej Lazar
bc05b2a9f6 dokuwiki: support multiple domains for nginx 2024-12-05 10:26:40 +01:00
Timotej Lazar
1b5a20ac8a dnsmasq: disable ping for duplicate address detection 
Some things don’t reply which holds up all requests for 3 seconds.
 2024-11-28 15:41:22 +01:00
Timotej Lazar
ff9620ed2a ceph: allow IPv6 neighbor discovery on mgmt interface 2024-11-27 17:37:07 +01:00
Timotej Lazar
0a0ce7e2a5 Add telegraf role 
And enable it for ceph nodes.
 2024-11-27 17:37:00 +01:00
Timotej Lazar
14dd446fd4 Add monitor 
For monitoring stuff.
 2024-11-27 17:31:28 +01:00
Timotej Lazar
2d776d3246 nginx: only handle acme-challenge well-known directory in default site 
Mainly so that other directories can be reverse-proxied.
 2024-11-20 15:47:18 +01:00
Timotej Lazar
b7fd838ca9 reverse-proxy: disable request buffering 2024-11-18 13:36:49 +01:00
Timotej Lazar
cdb8fe6b66 reverse-proxy: increase proxy read timeout 2024-11-18 13:30:02 +01:00
Timotej Lazar
efdb74497a reverse-proxy: increase max request size 
For uploading pictures and such.
 2024-11-18 12:42:36 +01:00
Timotej Lazar
973ce03249 Add reverse-proxy role 2024-11-15 15:44:29 +01:00
Timotej Lazar
c970c562a9 nginx: support certificates for multiple domains 
Uses `tls_domains` config context property from NetBox.
 2024-11-15 13:38:07 +01:00
Timotej Lazar
554bf1f711 dnsmasq: drop dhcp-proxy option 
Instead add firewall rules to allow direct communication from client networks.
 2024-11-09 20:24:11 +01:00
Timotej Lazar
46a9ff6fc0 ceph: add LE certificates 
With a hook to restart RGW services on renewal, if there are any. Live
certificates are linked to the same path under /etc/ceph on each host,
so that the orch service spec is node-independent.

Use with something like this (port 80 must be kept free for standalone
certbot renewal):

    service_type: rgw
    spec:
      rgw_frontend_port: 8080
      rgw_frontend_extra_args:
        - ssl_port=443
        - ssl_private_key=/etc/ceph/privkey.pem
        - ssl_certificate=/etc/ceph/fullchain.pem
    extra_container_args:
      - "--volume"
      - "/etc/ceph:/etc/ceph:ro"
      - "--volume"
      - "/etc/letsencrypt:/etc/letsencrypt:ro"
 2024-11-08 16:38:15 +01:00
Timotej Lazar
6e5de53937 doku: unoverride style for external link icons 2024-10-22 10:16:46 +02:00