Commit graph

68 commits

Author SHA1 Message Date
Timotej Lazar c30ec71ef2 Add synapse role
For all the hipster kids.
2024-06-25 09:49:49 +02:00
Timotej Lazar 74cb31e243 netbox: factor out redis role 2024-06-25 00:52:57 +02:00
Timotej Lazar f1f9d6fa34 alpine: configure network interfaces 2024-06-25 00:40:13 +02:00
Timotej Lazar c42f9ae1f9 Set become_flags in ansible.cfg
Some users don’t have a login shell.
2024-06-24 21:39:34 +02:00
Timotej Lazar dbdf88fe36 Set become_method in ansible.cfg 2024-06-20 20:47:00 +02:00
Timotej Lazar 2618c1c414 forgejo: enable auto registration for oauth2 2024-06-20 19:46:38 +02:00
Timotej Lazar 4b34370d5d ceph: set NTP servers 2024-06-19 15:07:59 +02:00
Timotej Lazar 29598ef4bb Rework service handling
Allow running playbooks without NetBox access. Mainly to bootstrap
NetBox itself.

Would prefer not to access network from filter plugins, so maybe do
that at some point also.
2024-06-19 13:33:32 +02:00
Timotej Lazar 38c3464279 alpine: assume one DNS name per host
Avoid needless complexity.
2024-06-19 13:14:51 +02:00
Timotej Lazar 393614aa79 alpine: configure unattended upgrades 2024-06-17 09:52:56 +02:00
Timotej Lazar 6a9a4142ce forgejo: set WAL mode for sqlite 2024-06-17 09:52:36 +02:00
Timotej Lazar 25df98c97b forgejo: configure some more options
Also drop leftover line.
2024-06-06 13:35:57 +02:00
Timotej Lazar f5e9c7d6dc alpine: add iproute2 to base packages
Too useful too often not to.
2024-06-05 15:40:59 +02:00
Timotej Lazar 398e41732e alpine: set hostname
And configure /etc/hosts accordingly.
2024-06-05 15:40:55 +02:00
Timotej Lazar fe6c35edf1 alpine: set up firewall
Get services from NetBox and enable SSH unconditionally for now.
2024-06-05 15:37:45 +02:00
Timotej Lazar b3aff08ce3 forgejo: listen on unix socket
Instead of 0.0.0.0:3000. Skip installation page, and set config values
and create admin user manually.
2024-06-05 15:00:14 +02:00
Timotej Lazar 22f363d06a Add postgres role
Or rather rip it out of netbox. Improve DB password handling.
2024-06-05 12:54:55 +02:00
Timotej Lazar af9e30eb3e Add forgejo role
On alpine, with OIDC auth and a podman runner.
2024-06-05 12:05:22 +02:00
Timotej Lazar f863d87fbf dokuwiki: remove hardcoded names 2024-05-28 13:34:34 +02:00
Timotej Lazar cd8f20852e dokuwiki: use common nginx role
Also get version from NetBox.
2024-05-28 13:23:40 +02:00
Timotej Lazar 3b246447cf dokuwiki: find installed PHP version without running commands
So that it works in check mode.
2024-05-28 12:54:50 +02:00
Timotej Lazar ce80765560 alpine: add nftables to base packages 2024-05-28 12:52:59 +02:00
Timotej Lazar 19431a827b samba: check AD membership with net
Seems more reliable than adcli. Not sure how reliable any of this
actually is.
2024-05-28 12:51:44 +02:00
Timotej Lazar c7a3513fa1 Add netbox role
Kinda ouroborosish if you think about it. Better don’t.
2024-05-28 12:32:28 +02:00
Timotej Lazar 43b9010126 Add samba role
With sssd.
2024-05-23 15:30:28 +02:00
Timotej Lazar 25bcddede1 Factor frr role from debian, ceph and proxmox
Consolidate base system and networking setup into debian role and BGP
configuration into frr role. Add facts role to collect data from NetBox
once to avoid many slow lookups. Also many other tweaks and cleanups.
2024-05-19 14:21:25 +02:00
Timotej Lazar c2c1fdbe40 Add alpine role
Base packages and SSH config, and QEMU guest agent for VMs.
2024-05-19 14:21:22 +02:00
Timotej Lazar be915dcf69 proxmox: only install firewall rules on one node
And let the cluster take care of distribution.
2024-05-14 12:40:33 +02:00
Timotej Lazar 3f53c84865 proxmox: add LDAP user sync script
Since OIDC auth doesn’t support groups, get them from AD over LDAP.

Add a script to fetch user and groups, and update /etc/pve/user.cfg. The
script is only installed on one node (first alphabetically), with a cron
job to run it daily.

The script is installed for clusters with the sync-ldap context key set
to a corresponding OIDC realm. The keys ldap_user and ldap_pass must be
present in the password store under cluster/<name>.
2024-05-14 12:04:35 +02:00
Timotej Lazar 5762236ac2 ceph: fix nftables management rule
The mgmt VRF might not exist yet when nftables rules are loaded, so
use iifname instead of iif for dynamic interface lookup.
2024-05-09 12:30:42 +02:00
Timotej Lazar 5a7fa02909 proxmox: don’t route host traffic over VNIs
Very bad, much slow.
2024-05-05 12:58:54 +02:00
Timotej Lazar 1a4652fd87 ceph: parametrize cephadm checksum 2024-04-27 10:44:58 +02:00
Timotej Lazar a637da5c21 proxmox: set vxlan-local-tunnelip for loopback interface
Oops. Not sure why stuff apparently worked without it. Especially
switchd on exits which worked itself into a bit of a frenzy.
2024-04-22 13:30:35 +02:00
Timotej Lazar 923d877208 proxmox: use inner L3 info for ECMP hashing
I’m sure I saw fib_multipath_hash_policy=2 (or =1 from last commit)
actually working once, but cannot reproduce. Maybe revisit this at
some point.
2024-04-08 08:49:16 +02:00
Timotej Lazar f404922d6b proxmox: use L4 info for ECMP hashing
This should make VXLAN-encapsulated traffic multipath.
2024-04-05 10:28:15 +02:00
Timotej Lazar 8be55c2bde ceph: set up firewall
Still need to drop the hardcoded allowed set.
2024-04-05 06:12:58 +02:00
Timotej Lazar e7f9132571 proxmox: set up firewall
Firewall policy is set in NetBox as cluster services¹. For Proxmox we
have to manually allow communication between nodes when using L3,
since the default management ipset does not get populated correctly.
We also need to open VTEP communication between nodes, which the
default rules don’t. We allow all inter-node traffic, as SSH without
passwords must be permitted anyway.

This also adds some helper filters that are spectacularly annoying to
implement purely in templates.

¹ There is actually no such thing as a cluster service (yet?), so
instead we create a fake VM for the cluster, define services for it,
and then add the same services to a custom field on the cluster.
Alternative would be to tie services to a specific node, but that
could be problematic if that node is replaced.
2024-04-05 06:00:50 +02:00
Timotej Lazar 179547beff debian: only advertise local routes
Also of course.
2024-04-04 10:53:01 +02:00
Timotej Lazar 2095494531 proxmox: only advertise local routes
Of course.
2024-04-04 10:17:58 +02:00
Timotej Lazar 14439048fa proxmox: set datacenter defaults for frr 2024-03-22 18:51:29 +01:00
Timotej Lazar 0c063a017b ceph: allow some ICMP 2024-03-14 14:34:44 +01:00
Timotej Lazar ce7903e43a ceph: improve cluster setup
Remove separate NetBox lookups. Explicitly allow connections between
cluster nodes. Tighten temporary allowed IPv6 ranges.
2024-03-01 08:45:51 +01:00
Timotej Lazar 0af8474e52 proxmox: consolidate interface templates 2024-02-26 16:52:01 +01:00
Timotej Lazar fbfdc83ee5 proxmox: use multiple non-VLAN-aware bridges
The Proxmox SDN feature does not play nice with our FRR and VXLAN setup.
With a single bridge we can’t have interface aliases. So use a bridge
for each VLAN. Actually don’t even have VLANs, just bridges mainlined
into VXLAN tunnels.

Read the list of VLANs carried by Proxmox nodes from a custom field on
the cluster in NetBox. Remove the vmbr0 device from individual nodes.
2024-02-20 16:43:47 +01:00
Timotej Lazar c1344e8f59 dokuwiki: upgrade to latest 2024-02-20 16:01:51 +01:00
Timotej Lazar 90b55d8e8d doku: tweak fonts and stuff 2024-02-20 11:05:59 +01:00
Timotej Lazar cc10b4b265 dokuwiki: upgrade to latest 2024-02-06 19:50:25 +01:00
Timotej Lazar 02f778604c Add dokuwiki role
For an Alpine Linux VM.
2024-01-20 19:00:41 +01:00
Timotej Lazar c395fe22c7 ceph: allow connections from more addresses
Should unhardcode this at some point.
2024-01-17 19:19:55 +01:00
Timotej Lazar d399fc0a24 proxmox: simplify interface setup tasks 2023-11-20 14:13:46 +01:00