Commit graph

160 commits

Author SHA1 Message Date
a5eae03cf8 forgejo: don’t enable the testing apk repo
Alpine has forgejo in main repo now.
2025-05-08 14:14:14 +02:00
6797f65971 influxdb: fix reverse proxy
Like grafana. Also set some buffering options.
2025-05-07 14:13:04 +02:00
7f28f3a366 grafana: fix reverse proxy
Can’t get it to bind to IPv6 so use v4 explicitly.
2025-05-07 14:07:11 +02:00
39fec47f87 alpine: don’t set IPv6 gateway
Will get it from RA. Also don’t disable SLAAC for IPv4‐only interfaces.
2025-05-07 12:25:43 +02:00
fb8e0189af dokuwiki: make more readable
I think. Maybe.
2025-05-07 12:23:39 +02:00
5667b755ca netbox: secure the cookie
USI says.
2025-05-07 12:21:41 +02:00
4dc089e42c debian: add MOTD 2025-05-05 17:28:32 +02:00
783f1af3a5 netbox: add redis dependency 2025-04-17 18:22:10 +02:00
8e3772e475 dnsmasq: store leases in sqlite database
To avoid dnsmasq writing out the whole leasefile on each request
before replying. This gets slow on high‐latency storage.

Also tweak DNS updates a bit.
2025-04-14 16:41:24 +02:00
b6b4a16fd4 netbox: drop obsolete file 2025-04-12 20:53:00 +02:00
ade6a8e1e2 Add nginx as a role dependency where required
This is pretty much anywhere a LE certificate is needed. Similar for
nginx-php for PHP sites. Drop these roles from setup.yml.
2025-04-12 18:51:31 +02:00
cf6b682cf8 Add ocserv role
Create a self-signed CA, set up group configs, add script to allow new
connections through the firewall.

In the base debian role, drop the default nftables forward chain with
drop policy because it clashes with this. If you enable forwarding on
a debian host, make sure to configure the firewall.
2025-04-12 18:38:48 +02:00
a1c7be8184 facts: only look up prefixes and VLANs once
Not once per host.
2025-04-10 22:21:44 +02:00
e754db5fbd Consolidate hosts template
For alpine, debian, ceph and proxmox roles.

Add the union of IPv6 LL host entries across all distros to make sure nothing croaks.
2025-04-10 18:22:41 +02:00
35427f1fbc debian: reorder tasks
Ensure network interfaces are renamed first.
2025-04-08 21:31:45 +02:00
275991c49c proxmox: check for errors when retrieving users from AD
Sometimes the created user.cfg file is empty for some reason. So add
some checking and logging and hope for resolution.
2025-04-03 18:58:44 +02:00
1a7b813dff facts: get admins’ SSH keys from password store
Also install them into root’s authorized_keys on alpine.
2025-03-26 19:14:34 +01:00
7907b6f0e5 Revert "dnsmasq: drop dhcp-proxy option"
This reverts commit 554bf1f711.

Turns out ISC dhcrelay will relay even unicast packets from clients. So
the DHCP server got both the routed and the relayed query.

This tells dnsmasq to tell clients to send everything through the relay.
Since everything now comes from the relay we can drop access from client
networks.
2025-03-19 14:49:43 +01:00
be8e47119f opensmtpd: support relaying mail 2025-02-17 15:04:59 +01:00
polz
b252e451f6 Add nsswitch config to scan 2025-02-17 14:12:18 +01:00
polz
fe646ece89 Add scan (working samba on Alpine) role 2025-02-17 13:27:40 +01:00
200f3be792 unifi: fix nginx reverse proxy headers 2025-02-17 10:18:56 +01:00
0d60aa107f Consolidate nftables setup for alpine, debian and ceph roles 2025-02-12 17:24:24 +01:00
bfda7b3236 dnsmasq: skip DNS update script when starting up 2025-02-06 09:29:48 +01:00
e95603fda9 Add unifi role
And server.
2025-02-04 14:44:02 +01:00
878e8ba6f9 alpine: set up resolv.conf
Same as for debian.
2025-01-23 13:22:30 +01:00
9720379c14 proxmox-backup: allow IPv6 ND on management interface
IPv6 doesn’t work otherwise.
2025-01-23 13:12:25 +01:00
0d607fe2a4 proxmox-backup: don’t modify config for default SSH instance
It is disabled anyway, so trying to reload it barfs. Worry about
deduplicating roles whenever.
2025-01-23 13:10:50 +01:00
04bfcb03fa debian: update package cache 2025-01-20 15:30:07 +01:00
45c0f25ce0 debian: disable SSH password authentication
Oops. Also do it for proxmox-backup role even though SSH in default
VRF is disabled there, so it will be easier to deduplicate these roles
when someone gets around to it.
2025-01-20 14:58:08 +01:00
446e6132c7 nginx: add support for Debian distros 2025-01-20 14:22:40 +01:00
67b9b7b268 frr: disable BFD
There were some issues with proxmox cluster losing connectivity. Since
disabling it there were no more issues.

Might have not been caused by BFD or it was just misconfigured.
2025-01-13 14:57:38 +01:00
ac52c13803 proxmox-backup: set mail relay 2025-01-07 11:19:47 +01:00
e5b570ddad proxmox: disable password SSH authentication
Apparently it’s not needed for cluster operations.
2024-12-13 14:49:44 +01:00
c585070edc Add kanboard role and server 2024-12-06 13:08:14 +01:00
04f187a140 dokuwiki: factor out nginx-php role 2024-12-06 13:07:01 +01:00
bc05b2a9f6 dokuwiki: support multiple domains for nginx 2024-12-05 10:26:40 +01:00
1b5a20ac8a dnsmasq: disable ping for duplicate address detection
Some things don’t reply which holds up all requests for 3 seconds.
2024-11-28 15:41:22 +01:00
ff9620ed2a ceph: allow IPv6 neighbor discovery on mgmt interface 2024-11-27 17:37:07 +01:00
0a0ce7e2a5 Add telegraf role
And enable it for ceph nodes.
2024-11-27 17:37:00 +01:00
2d776d3246 nginx: only handle acme-challenge well-known directory in default site
Mainly so that other directories can be reverse-proxied.
2024-11-20 15:47:18 +01:00
b7fd838ca9 reverse-proxy: disable request buffering 2024-11-18 13:36:49 +01:00
cdb8fe6b66 reverse-proxy: increase proxy read timeout 2024-11-18 13:30:02 +01:00
efdb74497a reverse-proxy: increase max request size
For uploading pictures and such.
2024-11-18 12:42:36 +01:00
973ce03249 Add reverse-proxy role 2024-11-15 15:44:29 +01:00
c970c562a9 nginx: support certificates for multiple domains
Uses `tls_domains` config context property from NetBox.
2024-11-15 13:38:07 +01:00
554bf1f711 dnsmasq: drop dhcp-proxy option
Instead add firewall rules to allow direct communication from client networks.
2024-11-09 20:24:11 +01:00
46a9ff6fc0 ceph: add LE certificates
With a hook to restart RGW services on renewal, if there are any. Live
certificates are linked to the same path under /etc/ceph on each host,
so that the orch service spec is node-independent.

Use with something like this (port 80 must be kept free for standalone
certbot renewal):

    service_type: rgw
    spec:
      rgw_frontend_port: 8080
      rgw_frontend_extra_args:
        - ssl_port=443
        - ssl_private_key=/etc/ceph/privkey.pem
        - ssl_certificate=/etc/ceph/fullchain.pem
    extra_container_args:
      - "--volume"
      - "/etc/ceph:/etc/ceph:ro"
      - "--volume"
      - "/etc/letsencrypt:/etc/letsencrypt:ro"
2024-11-08 16:38:15 +01:00
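A renewal hook of the shape this commit describes, written here as an added example and not the repository's own hook script: it links the live certificate to the node-independent path under /etc/ceph that the spec above references, then restarts every RGW service the orchestrator knows about, if there are any. `RENEWED_LINEAGE` is the variable certbot sets for deploy hooks; the target paths come from the spec above; the sample `ceph orch ls` listing is constructed for offline testing and its column layout is an assumption.

```shell
#!/bin/sh
# Certbot deploy hook for a cephadm host running RGW (added example).
# certbot runs deploy hooks with RENEWED_LINEAGE set to the lineage
# directory, e.g. /etc/letsencrypt/live/rgw.example.org (assumed name).
set -eu

# Link the renewed key pair to the fixed paths the RGW service spec uses
# (ssl_private_key=/etc/ceph/privkey.pem, ssl_certificate=/etc/ceph/fullchain.pem).
# Absolute link targets are deliberate: the spec mounts /etc/ceph and
# /etc/letsencrypt read-only into the container at the same paths, so the
# links resolve identically inside and outside it.
link_live_certs() {
    lineage="$1"   # certbot lineage directory
    target="$2"    # directory the service spec points at, normally /etc/ceph
    ln -sfn "$lineage/privkey.pem"   "$target/privkey.pem"
    ln -sfn "$lineage/fullchain.pem" "$target/fullchain.pem"
}

# Pull service names (first column, header skipped) out of
# `ceph orch ls --service-type rgw` output read from stdin, so the parsing
# can be exercised without a cluster. A single-line "No services reported"
# answer yields nothing, which makes the restart loop below a no-op.
rgw_service_names() {
    awk 'NR > 1 && $1 != "" { print $1 }'
}

# Restart each RGW service so its daemons pick up the new key pair.
restart_rgw_services() {
    for svc in $(ceph orch ls --service-type rgw | rgw_service_names); do
        ceph orch restart "$svc"
    done
}

# Constructed sample of the orchestrator listing (column layout assumed),
# used only to exercise rgw_service_names() offline.
SAMPLE_RGW_LISTING='NAME         PORTS   RUNNING  REFRESHED  AGE  PLACEMENT
rgw.default  ?:8080  2/2      5m ago     3d   count:2
rgw.other    ?:8081  1/1      5m ago     3d   count:1'

main() {
    link_live_certs "$RENEWED_LINEAGE" /etc/ceph
    restart_rgw_services
}

# Only act when invoked by certbot (RENEWED_LINEAGE set); sourcing the file
# for testing leaves the functions defined without touching the host.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Install it as a deploy hook (for example under /etc/letsencrypt/renewal-hooks/deploy/ or via `--deploy-hook`); certbot then only runs it after a successful renewal, and the standalone renewal still needs port 80 free as the commit notes.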
6e5de53937 doku: unoverride style for external link icons 2024-10-22 10:16:46 +02:00
ae49801579 doku: update deprecated nginx http2 directive 2024-10-22 10:16:38 +02:00