polz
168641b728 rename apache-php to apache_php
2025-07-25 17:01:03 +02:00

polz
29498edf9e Add role apache_oidc
2025-07-25 17:00:29 +02:00

polz
4ed3bc5d7f Add roles apache-php and reverse_proxy
2025-07-25 16:56:03 +02:00

458b0d02ee forgejo: disable useless landing page
2025-07-19 12:25:47 +02:00

d1cf462f64 alpine: drop hints from interface configuration
Turns out ifupdown-ng ignores "inet static" and "inet loopback" hints
on iface lines. The interface named "lo" is always used as loopback.
2025-07-16 13:07:15 +02:00

cabf831962 synapse: support server notices
2025-07-15 15:04:52 +02:00

a942662e12 alpine: create network interface include directory
So that init script doesn’t complain.
2025-07-15 14:16:10 +02:00

eb70fed7cb forgejo: make profiles public by default
Private profiles are annoying to work with so let’s make it opt-in.
2025-07-01 12:13:31 +02:00

a84f211083 nginx: reload on config change
2025-05-18 13:21:02 +02:00

d442940975 ocserv: use numeric ID instead of arbitrary USERNAME for nft chain name
Putting a @ in a name is a bad.
2025-05-16 14:26:39 +02:00

245b4a0dcd ocserv: support UDP
2025-05-16 14:26:26 +02:00

6e72987863 ocserv: only support certificate auth for clients
2025-05-16 14:10:11 +02:00

f9f899fb2e nginx: unoverride secure defaults
Both Alpine and Debian override default nginx ssl_protocols to enable
older TLS versions. Unoverride to return to secure nginx defaults.
2025-05-16 14:01:33 +02:00

bf4fd2c82d alpine: support non-VM hosts in interfaces template
Ignore OOB management interface, allow configuring loopback interface
with NetBox data, and setting MTU.
2025-05-15 14:55:43 +02:00

cbd3f1a7ea alpine: set inventory_hostname as hostname
Instead of dns_name which might not be defined and is wrong in any case.
2025-05-15 10:47:55 +02:00

a8814e6da2 facts: don’t barf on undefined platform
Oops.
2025-05-15 09:23:11 +02:00

d162f175a4 facts: get platform info from NetBox
Instead of pinging each host to see if it’s Windows. Make sure to set
the platform at least for such hosts.
2025-05-13 13:31:07 +02:00

7cbbf635a8 facts: don’t write passwords to stdout
2025-05-13 11:09:02 +02:00

e6876ff265 windows: don’t disable builtin firewall rules before setting our own
Oops.
2025-05-11 14:41:08 +02:00

e30fcf0bd4 windows: set hostname
2025-05-11 13:18:47 +02:00

66298da9c7 windows: set up firewall
2025-05-11 13:13:54 +02:00

91de26af57 Add windows role
Set up network interfaces and SSH for Windows hosts.
We can’t gather facts before we know which remote shell to use, so
first run a win_ping to determine if a given host is running Windows.
2025-05-09 17:26:07 +02:00

aa78b407c8 ocserv: disable TLS<1.2
2025-05-08 15:04:38 +02:00

a5eae03cf8 forgejo: don’t enable the testing apk repo
Alpine has forgejo in main repo now.
2025-05-08 14:14:14 +02:00

6797f65971 influxdb: fix reverse proxy
Like grafana. Also set some buffering options.
2025-05-07 14:13:04 +02:00

7f28f3a366 grafana: fix reverse proxy
Can’t get it to bind to IPv6 so use v4 explicitly.
2025-05-07 14:07:11 +02:00

39fec47f87 alpine: don’t set IPv6 gateway
Will get it from RA. Also don’t disable SLAAC for IPv4‐only interfaces.
2025-05-07 12:25:43 +02:00

fb8e0189af dokuwiki: make more readable
I think. Maybe.
2025-05-07 12:23:39 +02:00

5667b755ca netbox: secure the cookie
USI says.
2025-05-07 12:21:41 +02:00

4dc089e42c debian: add MOTD
2025-05-05 17:28:32 +02:00

783f1af3a5 netbox: add redis dependency
2025-04-17 18:22:10 +02:00

8e3772e475 dnsmasq: store leases in sqlite database
To avoid dnsmasq writing out the whole leasefile on each request
before replying. This gets slow on high‐latency storage.
Also tweak DNS updates a bit.
2025-04-14 16:41:24 +02:00

b6b4a16fd4 netbox: drop obsolete file
2025-04-12 20:53:00 +02:00

ade6a8e1e2 Add nginx as a role dependency where required
This is pretty much anywhere a LE certificate is needed. Similar for
nginx-php for PHP sites. Drop these roles from setup.yml.
2025-04-12 18:51:31 +02:00

cf6b682cf8 Add ocserv role
Create a self-signed CA, set up group configs, add script to allow new
connections through the firewall.
In the base debian role, drop the default nftables forward chain with
drop policy because it clashes with this. If you enable forwarding on
a debian host, make sure to configure the firewall.
2025-04-12 18:38:48 +02:00

a1c7be8184 facts: only look up prefixes and VLANs once
Not once per host.
2025-04-10 22:21:44 +02:00

e754db5fbd Consolidate hosts template
For alpine, debian, ceph and proxmox roles.
Add the union of IPv6 LL host entries across all distros to make sure nothing croaks.
2025-04-10 18:22:41 +02:00

35427f1fbc debian: reorder tasks
Ensure network interfaces are renamed first.
2025-04-08 21:31:45 +02:00

275991c49c proxmox: check for errors when retrieving users from AD
Sometimes the created user.cfg file is empty for some reason. So add
some checking and logging and hope for resolution.
2025-04-03 18:58:44 +02:00

1a7b813dff facts: get admins’ SSH keys from password store
Also install them into root’s authorized_keys on alpine.
2025-03-26 19:14:34 +01:00

7907b6f0e5 Revert "dnsmasq: drop dhcp-proxy option"
This reverts commit 554bf1f711
2025-03-19 14:49:43 +01:00

be8e47119f opensmtpd: support relaying mail
2025-02-17 15:04:59 +01:00

polz
b252e451f6 Add nsswitch config to scan
2025-02-17 14:12:18 +01:00

polz
fe646ece89 Add scan (working samba on Alpine) role
2025-02-17 13:27:40 +01:00

200f3be792 unifi: fix nginx reverse proxy headers
2025-02-17 10:18:56 +01:00

0d60aa107f Consolidate nftables setup for alpine, debian and ceph roles
2025-02-12 17:24:24 +01:00

bfda7b3236 dnsmasq: skip DNS update script when starting up
2025-02-06 09:29:48 +01:00

e95603fda9 Add unifi role
And server.
2025-02-04 14:44:02 +01:00

878e8ba6f9 alpine: set up resolv.conf
Same as for debian.
2025-01-23 13:22:30 +01:00

9720379c14 proxmox-backup: allow IPv6 ND on management interface
IPv6 doesn’t work otherwise.
2025-01-23 13:12:25 +01:00