Commit graph

115 commits

Author SHA1 Message Date
Gašper Fele-Žorž add84ba1d2 proxmox-backup: set domain for ACME 2024-09-10 15:06:53 +02:00
Gašper Fele-Žorž 11a5ec85b3 proxmox-backup: add firewall 2024-09-10 14:53:46 +02:00
Gašper Fele-Žorž f2fbd0c848 Add role proxmox-backup 2024-09-10 14:13:24 +02:00
Gašper Fele-Žorž b5565b24fd Add RuntimeDirectory to ssh service
Fixes "Missing privilege separation directory: /var/run/sshd"
2024-09-10 14:11:35 +02:00
Timotej Lazar 2e3d7d180d proxmox: set mail relay 2024-09-10 10:18:40 +02:00
Timotej Lazar 9932064758 synapse: read DB password from secret store
Missed this one a while ago.
2024-09-06 16:30:51 +02:00
Timotej Lazar 4fff2fac1b frr: help zebra keep track of ECMP routes on link flap
Seems that this might be resolved in frr master. Or not. For now we
import the workaround from firewall configs.
2024-09-06 15:10:54 +02:00
Timotej Lazar 54240955f1 Update instructions in README
To reflect current reality.
2024-09-06 10:41:49 +02:00
Gašper Fele-Žorž e2edd63efe proxmox: add dependency for ldap sync script
Install python3-ldap3.
2024-09-05 10:56:50 +02:00
Timotej Lazar a8b83e833b facts: only look up cluster nodes when deploying to members
And not when deploying to virtual machines running on a cluster.
2024-09-04 16:56:56 +02:00
Timotej Lazar 17c8e84498 proxmox: support certificate renewals with ACME
Certificates must still be requested manually, this just sets the
domain and opens up port 80/tcp. Nothing listens there except for
certbot during renewals so that’s OK.
2024-09-04 16:54:47 +02:00
Timotej Lazar 1c1dd52325 proxmox: support public services for firewall
If no allowed IPs are set for a service, allow connections from anywhere.
2024-09-04 16:44:46 +02:00
Timotej Lazar 6b1d871392 alpine: don’t assume all public services are TCP either 2024-09-04 16:42:13 +02:00
Timotej Lazar ec4dcd4ffd frr: don’t use undefined variable 2024-08-28 12:43:17 +02:00
Timotej Lazar 211d4bdb9a Deconsolidate network setup for proxmox and debian roles
They are just different enough to be annoying.
2024-08-28 12:43:14 +02:00
Timotej Lazar c3d1a6c4b1 proxmox: fix handling empty values in LDAP sync script
Don’t put "None" for email and such.
2024-08-20 15:08:57 +02:00
Timotej Lazar 2b4a196e4d alpine: add whimsy
For what is life without it.
2024-08-16 11:48:10 +02:00
Timotej Lazar 312cd8d4b3 alpine: rename network interfaces
Mostly relevant for VMs, to match the names with proxmox.
2024-08-16 11:47:38 +02:00
Timotej Lazar d5db7529dd netbox: allow registered users to view everything
And others nothing. Also clean up. Also enable topology views plugin.
2024-08-15 17:11:29 +02:00
Timotej Lazar 8ba6959065 postgres: store DB password with other secrets
Let’s uncomplicate our lives. Also I’m not sure if the ~/.pgpass stuff
ever worked properly or even at all.
2024-08-15 12:58:24 +02:00
Timotej Lazar 3261bc7f98 alpine: don’t hardcode nftables input rule for SSH
Instead configure it in NetBox like all other services.
2024-08-14 12:46:23 +02:00
Timotej Lazar 38ff061f81 alpine: don’t set gateway for interface if the gateway is that interface 2024-08-06 15:47:05 +02:00
Timotej Lazar 6e35a7462d dnsmasq: get DHCP ranges from NetBox 2024-08-05 12:07:39 +02:00
Timotej Lazar 036f7c8b74 Support custom allowed_ips field for services
Like allowed_prefixes, but for single IP addresses. Currently used
just for DHCP server to allow (only) packets from relays.
2024-08-03 11:44:03 +02:00
Timotej Lazar 01a27e45ce dnsmasq: add script for dynamic DNS updates 2024-08-02 12:08:32 +02:00
Timotej Lazar a3dd4eba65 alpine: don’t assume all services are TCP 2024-07-26 10:14:23 +02:00
Timotej Lazar b20e9cccff Add dnsmasq role 2024-07-26 10:13:59 +02:00
Timotej Lazar 02086cdc32 synapse: enable service 2024-07-05 11:27:04 +02:00
Timotej Lazar 3e55bf9774 dokuwiki: add missing handler 2024-07-05 11:04:28 +02:00
Timotej Lazar e17b5c1b2d friwall: add missing notify 2024-07-05 11:04:01 +02:00
Timotej Lazar f10d94612f Factor out password store retrieval 2024-07-04 15:31:57 +02:00
Timotej Lazar 973522c373 Import friwall role from network ansible scripts
To reuse alpine and nginx roles. Probably going to merge repos at some point.
2024-07-04 15:31:53 +02:00
Timotej Lazar bacfc66f7c alpine: flush some handlers 2024-07-04 14:55:09 +02:00
Timotej Lazar 92674f58a1 synapse: allow listing public rooms over federation 2024-06-25 18:08:54 +02:00
Timotej Lazar e101493889 Add synapse role
For all the hipster kids.
2024-06-25 10:14:06 +02:00
Timotej Lazar 74cb31e243 netbox: factor out redis role 2024-06-25 00:52:57 +02:00
Timotej Lazar f1f9d6fa34 alpine: configure network interfaces 2024-06-25 00:40:13 +02:00
Timotej Lazar c42f9ae1f9 Set become_flags in ansible.cfg
Some users don’t have a login shell.
2024-06-24 21:39:34 +02:00
Timotej Lazar dbdf88fe36 Set become_method in ansible.cfg 2024-06-20 20:47:00 +02:00
Timotej Lazar 2618c1c414 forgejo: enable auto registration for oauth2 2024-06-20 19:46:38 +02:00
Timotej Lazar 4b34370d5d ceph: set NTP servers 2024-06-19 15:07:59 +02:00
Timotej Lazar 29598ef4bb Rework service handling
Allow running playbooks without NetBox access. Mainly to bootstrap
NetBox itself.

Would prefer not to access network from filter plugins, so maybe do
that at some point also.
2024-06-19 13:33:32 +02:00
Timotej Lazar 38c3464279 alpine: assume one DNS name per host
Avoid needless complexity.
2024-06-19 13:14:51 +02:00
Timotej Lazar 393614aa79 alpine: configure unattended upgrades 2024-06-17 09:52:56 +02:00
Timotej Lazar 6a9a4142ce forgejo: set WAL mode for sqlite 2024-06-17 09:52:36 +02:00
Timotej Lazar 25df98c97b forgejo: configure some more options
Also drop leftover line.
2024-06-06 13:35:57 +02:00
Timotej Lazar f5e9c7d6dc alpine: add iproute2 to base packages
Too useful too often not to.
2024-06-05 15:40:59 +02:00
Timotej Lazar 398e41732e alpine: set hostname
And configure /etc/hosts accordingly.
2024-06-05 15:40:55 +02:00
Timotej Lazar fe6c35edf1 alpine: set up firewall
Get services from NetBox and enable SSH unconditionally for now.
2024-06-05 15:37:45 +02:00
Timotej Lazar b3aff08ce3 forgejo: listen on unix socket
Instead of 0.0.0.0:3000. Skip installation page, and set config values
and create admin user manually.
2024-06-05 15:00:14 +02:00