Timotej Lazar
d5db7529dd
netbox: allow registered users to view everything
And others nothing. Also clean up. Also enable topology views plugin.
2024-08-15 17:11:29 +02:00
Timotej Lazar
8ba6959065
postgres: store DB password with other secrets
Let’s uncomplicate our lives. Also I’m not sure if the ~/.pgpass stuff
ever worked properly or even at all.
2024-08-15 12:58:24 +02:00
Timotej Lazar
3261bc7f98
alpine: don’t hardcode nftables input rule for SSH
Instead configure it in NetBox like all other services.
2024-08-14 12:46:23 +02:00
Timotej Lazar
38ff061f81
alpine: don’t set gateway for interface if the gateway is that interface
2024-08-06 15:47:05 +02:00
Timotej Lazar
6e35a7462d
dnsmasq: get DHCP ranges from NetBox
2024-08-05 12:07:39 +02:00
Timotej Lazar
036f7c8b74
Support custom allowed_ips field for services
Like allowed_prefixes, but for single IP addresses. Currently used
just for DHCP server to allow (only) packets from relays.
2024-08-03 11:44:03 +02:00
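The commits around this one describe the firewall model used here: every NetBox service on a host becomes an nftables input rule, a service may be UDP as well as TCP ("alpine: don't assume all services are TCP"), and the custom fields allowed_prefixes (networks) and allowed_ips (single hosts such as DHCP relays) restrict the sources that may reach it. The Python below is an added illustration of that mapping and is not code from this repository, which does the same job in Ansible templates. The record shape follows NetBox's Service model (name, protocol, ports) plus the two custom fields; the sample records, the table layout and the default rules are assumptions made up for the example.

```python
"""Generate nftables input rules from NetBox-style service records."""
import ipaddress
import re

# Constructed sample records (not real NetBox data). `name`, `protocol` and `ports`
# follow NetBox's Service model; `allowed_prefixes` / `allowed_ips` are the custom
# fields named in the commit messages.
SERVICES = [
    {"name": "ssh", "protocol": "tcp", "ports": [22],
     "allowed_prefixes": [], "allowed_ips": []},
    {"name": "dhcp", "protocol": "udp", "ports": [67],
     "allowed_prefixes": [], "allowed_ips": ["10.0.1.1", "10.0.2.1"]},
    {"name": "web", "protocol": "tcp", "ports": [443, 80],
     "allowed_prefixes": ["10.0.0.0/8", "2001:db8::/32"], "allowed_ips": []},
]

_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
_PROTOCOLS = ("tcp", "udp", "sctp")


def _split_sources(addrs):
    """Normalise prefixes and single addresses and split them into v4/v6 lists."""
    v4, v6 = [], []
    for a in addrs:
        net = ipaddress.ip_network(a, strict=False)
        # single hosts (from allowed_ips) render without a prefix length
        text = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        (v4 if net.version == 4 else v6).append(text)
    return v4, v6


def service_rules(svc):
    """Return the nftables input-chain rule(s) for one service record."""
    name = svc["name"]
    if not _NAME_RE.match(name):
        # the name lands inside a quoted nft comment; refuse anything that could
        # close the quotes and smuggle extra tokens into the generated ruleset
        raise ValueError(f"unsafe service name: {name!r}")
    proto = svc["protocol"].lower()
    if proto not in _PROTOCOLS:
        raise ValueError(f"{name}: unsupported protocol {svc['protocol']!r}")
    ports = ", ".join(str(p) for p in sorted(set(svc["ports"])))
    match = f'{proto} dport {{ {ports} }} accept comment "{name}"'
    sources = list(svc.get("allowed_prefixes") or []) + list(svc.get("allowed_ips") or [])
    if not sources:
        return [match]  # no source restriction: reachable from anywhere
    v4, v6 = _split_sources(sources)
    rules = []
    if v4:
        rules.append(f"ip saddr {{ {', '.join(v4)} }} {match}")
    if v6:
        rules.append(f"ip6 saddr {{ {', '.join(v6)} }} {match}")
    return rules


def render_ruleset(services):
    """Render a complete inet filter table with a default-drop input chain."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
        "    iif lo accept",
        "    meta l4proto { icmp, ipv6-icmp } accept",
    ]
    for svc in services:
        lines.extend("    " + r for r in service_rules(svc))
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_ruleset(SERVICES))
```

Two details matter in practice: a service with neither field set is reachable from everywhere (which is what the earlier unconditional SSH rule amounted to), so the generator makes that explicit rather than silently default-allowing, and the service name is validated before it is placed in the rule's comment so that a stray quote in NetBox cannot rewrite the firewall.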
Timotej Lazar
01a27e45ce
dnsmasq: add script for dynamic DNS updates
2024-08-02 12:08:32 +02:00
Timotej Lazar
a3dd4eba65
alpine: don’t assume all services are TCP
2024-07-26 10:14:23 +02:00
Timotej Lazar
b20e9cccff
Add dnsmasq role
2024-07-26 10:13:59 +02:00
Timotej Lazar
02086cdc32
synapse: enable service
2024-07-05 11:27:04 +02:00
Timotej Lazar
3e55bf9774
dokuwiki: add missing handler
2024-07-05 11:04:28 +02:00
Timotej Lazar
e17b5c1b2d
friwall: add missing notify
2024-07-05 11:04:01 +02:00
Timotej Lazar
f10d94612f
Factor out password store retrieval
2024-07-04 15:31:57 +02:00
Timotej Lazar
973522c373
Import friwall role from network ansible scripts
To reuse alpine and nginx roles. Probably going to merge repos at some point.
2024-07-04 15:31:53 +02:00
Timotej Lazar
bacfc66f7c
alpine: flush some handlers
2024-07-04 14:55:09 +02:00
Timotej Lazar
92674f58a1
synapse: allow listing public rooms over federation
2024-06-25 18:08:54 +02:00
Timotej Lazar
e101493889
Add synapse role
For all the hipster kids.
2024-06-25 10:14:06 +02:00
Timotej Lazar
74cb31e243
netbox: factor out redis role
2024-06-25 00:52:57 +02:00
Timotej Lazar
f1f9d6fa34
alpine: configure network interfaces
2024-06-25 00:40:13 +02:00
Timotej Lazar
c42f9ae1f9
Set become_flags in ansible.cfg
Some users don’t have a login shell.
2024-06-24 21:39:34 +02:00
Timotej Lazar
dbdf88fe36
Set become_method in ansible.cfg
2024-06-20 20:47:00 +02:00
Timotej Lazar
2618c1c414
forgejo: enable auto registration for oauth2
2024-06-20 19:46:38 +02:00
Timotej Lazar
4b34370d5d
ceph: set NTP servers
2024-06-19 15:07:59 +02:00
Timotej Lazar
29598ef4bb
Rework service handling
Allow running playbooks without NetBox access. Mainly to bootstrap
NetBox itself.
Would prefer not to access network from filter plugins, so maybe do
that at some point also.
2024-06-19 13:33:32 +02:00
Timotej Lazar
38c3464279
alpine: assume one DNS name per host
Avoid needless complexity.
2024-06-19 13:14:51 +02:00
Timotej Lazar
393614aa79
alpine: configure unattended upgrades
2024-06-17 09:52:56 +02:00
Timotej Lazar
6a9a4142ce
forgejo: set WAL mode for sqlite
2024-06-17 09:52:36 +02:00
Timotej Lazar
25df98c97b
forgejo: configure some more options
Also drop leftover line.
2024-06-06 13:35:57 +02:00
Timotej Lazar
f5e9c7d6dc
alpine: add iproute2 to base packages
Too useful too often not to.
2024-06-05 15:40:59 +02:00
Timotej Lazar
398e41732e
alpine: set hostname
And configure /etc/hosts accordingly.
2024-06-05 15:40:55 +02:00
Timotej Lazar
fe6c35edf1
alpine: set up firewall
Get services from NetBox and enable SSH unconditionally for now.
2024-06-05 15:37:45 +02:00
Timotej Lazar
b3aff08ce3
forgejo: listen on unix socket
Instead of 0.0.0.0:3000. Skip installation page, and set config values
and create admin user manually.
2024-06-05 15:00:14 +02:00
Timotej Lazar
22f363d06a
Add postgres role
Or rather rip it out of netbox. Improve DB password handling.
2024-06-05 12:54:55 +02:00
Timotej Lazar
af9e30eb3e
Add forgejo role
On alpine, with OIDC auth and a podman runner.
2024-06-05 12:05:22 +02:00
Timotej Lazar
f863d87fbf
dokuwiki: remove hardcoded names
2024-05-28 13:34:34 +02:00
Timotej Lazar
cd8f20852e
dokuwiki: use common nginx role
Also get version from NetBox.
2024-05-28 13:23:40 +02:00
Timotej Lazar
3b246447cf
dokuwiki: find installed PHP version without running commands
So that it works in check mode.
2024-05-28 12:54:50 +02:00
Timotej Lazar
ce80765560
alpine: add nftables to base packages
2024-05-28 12:52:59 +02:00
Timotej Lazar
19431a827b
samba: check AD membership with net
Seems more reliable than adcli. Not sure how reliable any of this
actually is.
2024-05-28 12:51:44 +02:00
Timotej Lazar
c7a3513fa1
Add netbox role
Kinda ouroborosish if you think about it. Better don’t.
2024-05-28 12:32:28 +02:00
Timotej Lazar
43b9010126
Add samba role
With sssd.
2024-05-23 15:30:28 +02:00
Timotej Lazar
25bcddede1
Factor frr role from debian, ceph and proxmox
Consolidate base system and networking setup into debian role and BGP
configuration into frr role. Add facts role to collect data from NetBox
once to avoid many slow lookups. Also many other tweaks and cleanups.
2024-05-19 14:21:25 +02:00
Timotej Lazar
c2c1fdbe40
Add alpine role
Base packages and SSH config, and QEMU guest agent for VMs.
2024-05-19 14:21:22 +02:00
Timotej Lazar
be915dcf69
proxmox: only install firewall rules on one node
And let the cluster take care of distribution.
2024-05-14 12:40:33 +02:00
Timotej Lazar
3f53c84865
proxmox: add LDAP user sync script
Since OIDC auth doesn’t support groups, get them from AD over LDAP.
Add a script to fetch users and groups, and update /etc/pve/user.cfg. The
script is only installed on one node (first alphabetically), with a cron
job to run it daily.
The script is installed for clusters with the sync-ldap context key set
to a corresponding OIDC realm. The keys ldap_user and ldap_pass must be
present in the password store under cluster/<name>.
2024-05-14 12:04:35 +02:00
Timotej Lazar
5762236ac2
ceph: fix nftables management rule
The mgmt VRF might not exist yet when nftables rules are loaded, so
use iifname instead of iif for dynamic interface lookup.
2024-05-09 12:30:42 +02:00
Timotej Lazar
5a7fa02909
proxmox: don’t route host traffic over VNIs
Very bad, much slow.
2024-05-05 12:58:54 +02:00
Timotej Lazar
1a4652fd87
ceph: parametrize cephadm checksum
2024-04-27 10:44:58 +02:00
Timotej Lazar
a637da5c21
proxmox: set vxlan-local-tunnelip for loopback interface
Oops. Not sure why stuff apparently worked without it. Especially
switchd on exits which worked itself into a bit of a frenzy.
2024-04-22 13:30:35 +02:00
Timotej Lazar
923d877208
proxmox: use inner L3 info for ECMP hashing
I’m sure I saw fib_multipath_hash_policy=2 (or =1 from last commit)
actually working once, but cannot reproduce. Maybe revisit this at
some point.
2024-04-08 08:49:16 +02:00