bacfc66f7c  alpine: flush some handlers
2024-07-04 14:55:09 +02:00

92674f58a1  synapse: allow listing public rooms over federation
2024-06-25 18:08:54 +02:00

e101493889  Add synapse role
For all the hipster kids.
2024-06-25 10:14:06 +02:00

74cb31e243  netbox: factor out redis role
2024-06-25 00:52:57 +02:00

f1f9d6fa34  alpine: configure network interfaces
2024-06-25 00:40:13 +02:00

c42f9ae1f9  Set become_flags in ansible.cfg
Some users don’t have a login shell.
2024-06-24 21:39:34 +02:00

dbdf88fe36  Set become_method in ansible.cfg
2024-06-20 20:47:00 +02:00

2618c1c414  forgejo: enable auto registration for oauth2
2024-06-20 19:46:38 +02:00

4b34370d5d  ceph: set NTP servers
2024-06-19 15:07:59 +02:00

29598ef4bb  Rework service handling
Allow running playbooks without NetBox access. Mainly to bootstrap
NetBox itself.
Would prefer not to access network from filter plugins, so maybe do
that at some point also.
2024-06-19 13:33:32 +02:00

38c3464279  alpine: assume one DNS name per host
Avoid needless complexity.
2024-06-19 13:14:51 +02:00

393614aa79  alpine: configure unattended upgrades
2024-06-17 09:52:56 +02:00

6a9a4142ce  forgejo: set WAL mode for sqlite
2024-06-17 09:52:36 +02:00

25df98c97b  forgejo: configure some more options
Also drop leftover line.
2024-06-06 13:35:57 +02:00

f5e9c7d6dc  alpine: add iproute2 to base packages
Too useful too often not to.
2024-06-05 15:40:59 +02:00

398e41732e  alpine: set hostname
And configure /etc/hosts accordingly.
2024-06-05 15:40:55 +02:00

fe6c35edf1  alpine: set up firewall
Get services from NetBox and enable SSH unconditionally for now.
2024-06-05 15:37:45 +02:00

b3aff08ce3  forgejo: listen on unix socket
Instead of 0.0.0.0:3000. Skip installation page, and set config values
and create admin user manually.
2024-06-05 15:00:14 +02:00

22f363d06a  Add postgres role
Or rather rip it out of netbox. Improve DB password handling.
2024-06-05 12:54:55 +02:00

af9e30eb3e  Add forgejo role
On alpine, with OIDC auth and a podman runner.
2024-06-05 12:05:22 +02:00

f863d87fbf  dokuwiki: remove hardcoded names
2024-05-28 13:34:34 +02:00

cd8f20852e  dokuwiki: use common nginx role
Also get version from NetBox.
2024-05-28 13:23:40 +02:00

3b246447cf  dokuwiki: find installed PHP version without running commands
So that it works in check mode.
2024-05-28 12:54:50 +02:00

ce80765560  alpine: add nftables to base packages
2024-05-28 12:52:59 +02:00

19431a827b  samba: check AD membership with net
Seems more reliable than adcli. Not sure how reliable any of this
actually is.
2024-05-28 12:51:44 +02:00

c7a3513fa1  Add netbox role
Kinda ouroborosish if you think about it. Better don’t.
2024-05-28 12:32:28 +02:00

43b9010126  Add samba role
With sssd.
2024-05-23 15:30:28 +02:00

0907870142  Unlicense
2024-05-19 14:31:43 +02:00

4dd8c25975  Drop unneeded setting from README
2024-05-19 14:22:41 +02:00

25bcddede1  Factor frr role from debian, ceph and proxmox
Consolidate base system and networking setup into debian role and BGP
configuration into frr role. Add facts role to collect data from NetBox
once to avoid many slow lookups. Also many other tweaks and cleanups.
2024-05-19 14:21:25 +02:00

256dae2955  Add .gitignore
2024-05-19 14:21:25 +02:00

c2c1fdbe40  Add alpine role
Base packages and SSH config, and QEMU guest agent for VMs.
2024-05-19 14:21:22 +02:00

be915dcf69  proxmox: only install firewall rules on one node
And let the cluster take care of distribution.
2024-05-14 12:40:33 +02:00

3f53c84865  proxmox: add LDAP user sync script
Since OIDC auth doesn’t support groups, get them from AD over LDAP.
Add a script to fetch user and groups, and update /etc/pve/user.cfg. The
script is only installed on one node (first alphabetically), with a cron
job to run it daily.
The script is installed for clusters with the sync-ldap context key set
to a corresponding OIDC realm. The keys ldap_user and ldap_pass must be
present in the password store under cluster/<name>.
2024-05-14 12:04:35 +02:00

5762236ac2  ceph: fix nftables management rule
The mgmt VRF might not exist yet when nftables rules are loaded, so
use iifname instead of iif for dynamic interface lookup.
2024-05-09 12:30:42 +02:00

5a7fa02909  proxmox: don’t route host traffic over VNIs
Very bad, much slow.
2024-05-05 12:58:54 +02:00

05d3f82caf  Set default inventory
2024-04-27 11:02:31 +02:00

1a4652fd87  ceph: parametrize cephadm checksum
2024-04-27 10:44:58 +02:00

a637da5c21  proxmox: set vxlan-local-tunnelip for loopback interface
Oops. Not sure why stuff apparently worked without it. Especially
switchd on exits which worked itself into a bit of a frenzy.
2024-04-22 13:30:35 +02:00

923d877208  proxmox: use inner L3 info for ECMP hashing
I’m sure I saw fib_multipath_hash_policy=2 (or =1 from last commit)
actually working once, but cannot reproduce. Maybe revisit this at
some point.
2024-04-08 08:49:16 +02:00

f404922d6b  proxmox: use L4 info for ECMP hashing
This should make VXLAN-encapsulated traffic multipath.
2024-04-05 10:28:15 +02:00

8be55c2bde  ceph: set up firewall
Still need to drop the hardcoded allowed set.
2024-04-05 06:12:58 +02:00

e7f9132571  proxmox: set up firewall
Firewall policy is set in NetBox as cluster services¹. For Proxmox we
have to manually allow communication between nodes when using L3,
since the default management ipset does not get populated correctly.
We also need to open VTEP communication between nodes, which the
default rules don’t. We allow all inter-node traffic, as SSH without
passwords must be permitted anyway.
This also adds some helper filters that are spectacularly annoying to
implement purely in templates.
¹ There is actually no such thing as a cluster service (yet?), so
instead we create a fake VM for the cluster, define services for it,
and then add the same services to a custom field on the cluster.
Alternative would be to tie services to a specific node, but that
could be problematic if that node is replaced.
2024-04-05 06:00:50 +02:00

179547beff  debian: only advertise local routes
Also of course.
2024-04-04 10:53:01 +02:00

2095494531  proxmox: only advertise local routes
Of course.
2024-04-04 10:17:58 +02:00

14439048fa  proxmox: set datacenter defaults for frr
2024-03-22 18:51:29 +01:00

0c063a017b  ceph: allow some ICMP
2024-03-14 14:34:44 +01:00

ce7903e43a  ceph: improve cluster setup
Remove separate NetBox lookups. Explicitly allow connections between
cluster nodes. Tighten temporary allowed IPv6 ranges.
2024-03-01 08:45:51 +01:00

0af8474e52  proxmox: consolidate interface templates
2024-02-26 16:52:01 +01:00

7b4cb8f579  Add udev rules for renaming all interfaces with defined MAC address
Gonna include BMC and such but shouldn’t hurt. Allows us to use
different interface names where sensible.
2024-02-26 13:26:05 +01:00