e3862a5be6 
								
							 
						 
						
							
							
								
								Fix FC check in interface template  
							
							
							
							
							One of these days I’m gonna write a defaultattr Jinja filter and
become rich and famous. 
							
						 
						
							2025-01-20 11:20:46 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								efbe8d2801 
								
							 
						 
						
							
							
								
								Reorder hosts in setup.yml  
							
							
							
							
							By type / name. 
							
						 
						
							2025-01-13 15:29:37 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								67b9b7b268 
								
							 
						 
						
							
							
								
								frr: disable BFD  
							
							
							
							
							There were some issues with proxmox cluster losing connectivity. Since
disabling it there were no more issues.
Might not have been caused by BFD, or it was just misconfigured. 
							
						 
						
							2025-01-13 14:57:38 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								ac52c13803 
								
							 
						 
						
							
							
								
								proxmox-backup: set mail relay  
							
							
							
						 
						
							2025-01-07 11:19:47 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								b02ebf5be3 
								
							 
						 
						
							
							
								
								templates: skip FC interfaces  
							
							
							
							
							Anything that has the WWN attribute set really. This won’t work for
VMs because this attribute is not returned for those. 
							
						 
						
							2025-01-07 10:53:17 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								e5b570ddad 
								
							 
						 
						
							
							
								
								proxmox: disable password SSH authentication  
							
							
							
							
							Apparently it’s not needed for cluster operations. 
							
						 
						
							2024-12-13 14:49:44 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								c585070edc 
								
							 
						 
						
							
							
								
								Add kanboard role and server  
							
							
							
						 
						
							2024-12-06 13:08:14 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								04f187a140 
								
							 
						 
						
							
							
								
								dokuwiki: factor out nginx-php role  
							
							
							
						 
						
							2024-12-06 13:07:01 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								52f8ed5a2d 
								
							 
						 
						
							
							
								
								Rename host doku to doc  
							
							
							
						 
						
							2024-12-05 10:27:15 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								bc05b2a9f6 
								
							 
						 
						
							
							
								
								dokuwiki: support multiple domains for nginx  
							
							
							
						 
						
							2024-12-05 10:26:40 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								1b5a20ac8a 
								
							 
						 
						
							
							
								
								dnsmasq: disable ping for duplicate address detection  
							
							
							
							
							Some things don’t reply which holds up all requests for 3 seconds. 
							
						 
						
							2024-11-28 15:41:22 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								ff9620ed2a 
								
							 
						 
						
							
							
								
								ceph: allow IPv6 neighbor discovery on mgmt interface  
							
							
							
						 
						
							2024-11-27 17:37:07 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								0a0ce7e2a5 
								
							 
						 
						
							
							
								
								Add telegraf role  
							
							
							
							
							And enable it for ceph nodes. 
							
						 
						
							2024-11-27 17:37:00 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								14dd446fd4 
								
							 
						 
						
							
							
								
								Add monitor  
							
							
							
							
							For monitoring stuff. 
							
						 
						
							2024-11-27 17:31:28 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								2d776d3246 
								
							 
						 
						
							
							
								
								nginx: only handle acme-challenge well-known directory in default site  
							
							
							
							
							Mainly so that other directories can be reverse-proxied. 
							
						 
						
							2024-11-20 15:47:18 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								b7fd838ca9 
								
							 
						 
						
							
							
								
								reverse-proxy: disable request buffering  
							
							
							
						 
						
							2024-11-18 13:36:49 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								cdb8fe6b66 
								
							 
						 
						
							
							
								
								reverse-proxy: increase proxy read timeout  
							
							
							
						 
						
							2024-11-18 13:30:02 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								efdb74497a 
								
							 
						 
						
							
							
								
								reverse-proxy: increase max request size  
							
							
							
							
							For uploading pictures and such. 
							
						 
						
							2024-11-18 12:42:36 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								973ce03249 
								
							 
						 
						
							
							
								
								Add reverse-proxy role  
							
							
							
						 
						
							2024-11-15 15:44:29 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								c970c562a9 
								
							 
						 
						
							
							
								
								nginx: support certificates for multiple domains  
							
							
							
							
							Uses `tls_domains` config context property from NetBox. 
							
						 
						
							2024-11-15 13:38:07 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								554bf1f711 
								
							 
						 
						
							
							
								
								dnsmasq: drop dhcp-proxy option  
							
							
							
							
							Instead add firewall rules to allow direct communication from client networks. 
							
						 
						
							2024-11-09 20:24:11 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								46a9ff6fc0 
								
							 
						 
						
							
							
								
								ceph: add LE certificates  
							
							
							
							
							With a hook to restart RGW services on renewal, if there are any. Live
certificates are linked to the same path under /etc/ceph on each host,
so that the orch service spec is node-independent.

Use with something like this (port 80 must be kept free for standalone
certbot renewal):

    service_type: rgw
    spec:
      rgw_frontend_port: 8080
      rgw_frontend_extra_args:
        - ssl_port=443
        - ssl_private_key=/etc/ceph/privkey.pem
        - ssl_certificate=/etc/ceph/fullchain.pem
    extra_container_args:
      - "--volume"
      - "/etc/ceph:/etc/ceph:ro"
      - "--volume"
      - "/etc/letsencrypt:/etc/letsencrypt:ro"
							
						 
						
							2024-11-08 16:38:15 +01:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								6e5de53937 
								
							 
						 
						
							
							
								
								doku: unoverride style for external link icons  
							
							
							
						 
						
							2024-10-22 10:16:46 +02:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								ae49801579 
								
							 
						 
						
							
							
								
								doku: update deprecated nginx http2 directive  
							
							
							
						 
						
							2024-10-22 10:16:38 +02:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								82ca6a94c1 
								
							 
						 
						
							
							
								
								nginx: reload server for renewed LE certificates  
							
							
							
						 
						
							2024-10-22 10:02:55 +02:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								21df85e97a 
								
							 
						 
						
							
							
								
								dnsmasq: sort ranges by network name  
							
							
							
						 
						
							2024-10-21 15:35:32 +02:00 
							
								 
							
						 
					 
				
					
						
							
								
								
									polz 
								
							 
						 
						
							
							
							
							
								
							
							
								2bf2eb73a7 
								
							 
						 
						
							
							
								
								Add role=IoT to targets  
							
							
							
						 
						
							2024-09-30 15:17:41 +02:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								b818249d82 
								
							 
						 
						
							
							
								
								Add grafana role  
							
							
							
						 
						
							2024-09-27 16:14:23 +02:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								d0f3d828df 
								
							 
						 
						
							
							
								
								Add influxdb role  
							
							
							
						 
						
							2024-09-27 16:14:10 +02:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								1f5d2f6238 
								
							 
						 
						
							
							
								
								facts: don’t barf on missing passwords  
							
							
							
							
							Not everything needs them. 
							
						 
						
							2024-09-27 14:02:39 +02:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								6c817624bc 
								
							 
						 
						
							
							
								
								alpine: disable IPv6 automatic addresses  
							
							
							
							
							So we have predictable addresses if we ever want to firewall
individual hosts. 
							
						 
						
							2024-09-21 22:41:36 +02:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								7155c33182 
								
							 
						 
						
							
							
								
								dnsmasq: fix template  
							
							
							
							
							It used to work. Then it didn’t. Now it works again. 
							
						 
						
							2024-09-20 12:36:53 +02:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								d89ed5a46b 
								
							 
						 
						
							
							
								
								frr: use service module for reloading  
							
							
							
						 
						
							2024-09-10 16:44:21 +02:00 
							
								 
							
						 
					 
				
					
						
							
								
								
									Gašper Fele-Žorž 
								
							 
						 
						
							
							
							
							
								
							
							
								13009283c0 
								
							 
						 
						
							
							
								
								proxmox-backup add nftables template  
							
							
							
						 
						
							2024-09-10 15:40:16 +02:00 
							
								 
							
						 
					 
				
					
						
							
								
								
									Gašper Fele-Žorž 
								
							 
						 
						
							
							
							
							
								
							
							
								0802ac9878 
								
							 
						 
						
							
							
								
								proxmox-backup: fix hosts file  
							
							
							
						 
						
							2024-09-10 15:10:55 +02:00 
							
								 
							
						 
					 
				
					
						
							
								
								
									Gašper Fele-Žorž 
								
							 
						 
						
							
							
							
							
								
							
							
								68f0d6ba44 
								
							 
						 
						
							
							
								
								Add proxmox-backup  
							
							
							
						 
						
							2024-09-10 15:07:30 +02:00 
							
								 
							
						 
					 
				
					
						
							
								
								
									Gašper Fele-Žorž 
								
							 
						 
						
							
							
							
							
								
							
							
								add84ba1d2 
								
							 
						 
						
							
							
								
								proxmox-backup: set domain for ACME  
							
							
							
						 
						
							2024-09-10 15:06:53 +02:00 
							
								 
							
						 
					 
				
					
						
							
								
								
									Gašper Fele-Žorž 
								
							 
						 
						
							
							
							
							
								
							
							
								11a5ec85b3 
								
							 
						 
						
							
							
								
								proxmox-backup: add firewall  
							
							
							
						 
						
							2024-09-10 14:53:46 +02:00 
							
								 
							
						 
					 
				
					
						
							
								
								
									Gašper Fele-Žorž 
								
							 
						 
						
							
							
							
							
								
							
							
								f2fbd0c848 
								
							 
						 
						
							
							
								
								Add role proxmox-backup  
							
							
							
						 
						
							2024-09-10 14:13:24 +02:00 
							
								 
							
						 
					 
				
					
						
							
								
								
									Gašper Fele-Žorž 
								
							 
						 
						
							
							
							
							
								
							
							
								b5565b24fd 
								
							 
						 
						
							
							
								
								Add RuntimeDirectory to ssh service  
							
							
							
							
							Fixes "Missing privilege separation directory: /var/run/sshd" 
							
						 
						
							2024-09-10 14:11:35 +02:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								2e3d7d180d 
								
							 
						 
						
							
							
								
								proxmox: set mail relay  
							
							
							
						 
						
							2024-09-10 10:18:40 +02:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								9932064758 
								
							 
						 
						
							
							
								
								synapse: read DB password from secret store  
							
							
							
							
							Missed this one a while ago. 
							
						 
						
							2024-09-06 16:30:51 +02:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								4fff2fac1b 
								
							 
						 
						
							
							
								
								frr: help zebra keep track of ECMP routes on link flap  
							
							
							
							
							Seems that this might be resolved in frr master. Or not. For now we
import the workaround from firewall configs. 
							
						 
						
							2024-09-06 15:10:54 +02:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								54240955f1 
								
							 
						 
						
							
							
								
								Update instructions in README  
							
							
							
							
							To reflect current reality. 
							
						 
						
							2024-09-06 10:41:49 +02:00 
							
								 
							
						 
					 
				
					
						
							
								
								
									Gašper Fele-Žorž 
								
							 
						 
						
							
							
							
							
								
							
							
								e2edd63efe 
								
							 
						 
						
							
							
								
								proxmox: add dependency for ldap sync script  
							
							
							
							
							Install python3-ldap3. 
							
						 
						
							2024-09-05 10:56:50 +02:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								a8b83e833b 
								
							 
						 
						
							
							
								
								facts: only look up cluster nodes when deploying to members  
							
							
							
							
							And not when deploying to virtual machines running on a cluster. 
							
						 
						
							2024-09-04 16:56:56 +02:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								17c8e84498 
								
							 
						 
						
							
							
								
								proxmox: support certificate renewals with ACME  
							
							
							
							
							Certificates must still be requested manually; this just sets the
domain and opens up port 80/tcp. Nothing listens there except for
certbot during renewals so that’s OK. 
							
						 
						
							2024-09-04 16:54:47 +02:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								1c1dd52325 
								
							 
						 
						
							
							
								
								proxmox: support public services for firewall  
							
							
							
							
							If no allowed IPs are set for a service, allow connections from anywhere. 
							
						 
						
							2024-09-04 16:44:46 +02:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								6b1d871392 
								
							 
						 
						
							
							
								
								alpine: don’t assume all public services are TCP either  
							
							
							
						 
						
							2024-09-04 16:42:13 +02:00 
							
								 
							
						 
					 
				
					
						
							
						 
						
							
							
							
							
								
							
							
								ec4dcd4ffd 
								
							 
						 
						
							
							
								
								frr: don’t use undefined variable  
							
							
							
						 
						
							2024-08-28 12:43:17 +02:00