8ba6959065  postgres: store DB password with other secrets
2024-08-15 12:58:24 +02:00

    Let’s uncomplicate our lives. Also I’m not sure if the ~/.pgpass stuff
    ever worked properly or even at all.

3261bc7f98  alpine: don’t hardcode nftables input rule for SSH
2024-08-14 12:46:23 +02:00

    Instead configure it in NetBox like all other services.

38ff061f81  alpine: don’t set gateway for interface if the gateway is that interface
2024-08-06 15:47:05 +02:00

6e35a7462d  dnsmasq: get DHCP ranges from NetBox
2024-08-05 12:07:39 +02:00

036f7c8b74  Support custom allowed_ips field for services
2024-08-03 11:44:03 +02:00

    Like allowed_prefixes, but for single IP addresses. Currently used
    just for the DHCP server to allow (only) packets from relays.

01a27e45ce  dnsmasq: add script for dynamic DNS updates
2024-08-02 12:08:32 +02:00

a3dd4eba65  alpine: don’t assume all services are TCP
2024-07-26 10:14:23 +02:00

b20e9cccff  Add dnsmasq role
2024-07-26 10:13:59 +02:00

02086cdc32  synapse: enable service
2024-07-05 11:27:04 +02:00

3e55bf9774  dokuwiki: add missing handler
2024-07-05 11:04:28 +02:00

e17b5c1b2d  friwall: add missing notify
2024-07-05 11:04:01 +02:00

f10d94612f  Factor out password store retrieval
2024-07-04 15:31:57 +02:00

973522c373  Import friwall role from network ansible scripts
2024-07-04 15:31:53 +02:00

    To reuse alpine and nginx roles. Probably going to merge repos at some point.

bacfc66f7c  alpine: flush some handlers
2024-07-04 14:55:09 +02:00

92674f58a1  synapse: allow listing public rooms over federation
2024-06-25 18:08:54 +02:00

e101493889  Add synapse role
2024-06-25 10:14:06 +02:00

    For all the hipster kids.

74cb31e243  netbox: factor out redis role
2024-06-25 00:52:57 +02:00

f1f9d6fa34  alpine: configure network interfaces
2024-06-25 00:40:13 +02:00

c42f9ae1f9  Set become_flags in ansible.cfg
2024-06-24 21:39:34 +02:00

    Some users don’t have a login shell.

dbdf88fe36  Set become_method in ansible.cfg
2024-06-20 20:47:00 +02:00

2618c1c414  forgejo: enable auto registration for oauth2
2024-06-20 19:46:38 +02:00

4b34370d5d  ceph: set NTP servers
2024-06-19 15:07:59 +02:00

29598ef4bb  Rework service handling
2024-06-19 13:33:32 +02:00

    Allow running playbooks without NetBox access. Mainly to bootstrap
    NetBox itself.
    Would prefer not to access the network from filter plugins, so maybe do
    that at some point also.

38c3464279  alpine: assume one DNS name per host
2024-06-19 13:14:51 +02:00

    Avoid needless complexity.

393614aa79  alpine: configure unattended upgrades
2024-06-17 09:52:56 +02:00

6a9a4142ce  forgejo: set WAL mode for sqlite
2024-06-17 09:52:36 +02:00

25df98c97b  forgejo: configure some more options
2024-06-06 13:35:57 +02:00

    Also drop leftover line.

f5e9c7d6dc  alpine: add iproute2 to base packages
2024-06-05 15:40:59 +02:00

    Too useful too often not to.

398e41732e  alpine: set hostname
2024-06-05 15:40:55 +02:00

    And configure /etc/hosts accordingly.

fe6c35edf1  alpine: set up firewall
2024-06-05 15:37:45 +02:00

    Get services from NetBox and enable SSH unconditionally for now.

b3aff08ce3  forgejo: listen on unix socket
2024-06-05 15:00:14 +02:00

    Instead of 0.0.0.0:3000. Skip the installation page, and set config values
    and create the admin user manually.

22f363d06a  Add postgres role
2024-06-05 12:54:55 +02:00

    Or rather rip it out of netbox. Improve DB password handling.

af9e30eb3e  Add forgejo role
2024-06-05 12:05:22 +02:00

    On alpine, with OIDC auth and a podman runner.

f863d87fbf  dokuwiki: remove hardcoded names
2024-05-28 13:34:34 +02:00

cd8f20852e  dokuwiki: use common nginx role
2024-05-28 13:23:40 +02:00

    Also get version from NetBox.

3b246447cf  dokuwiki: find installed PHP version without running commands
2024-05-28 12:54:50 +02:00

    So that it works in check mode.

ce80765560  alpine: add nftables to base packages
2024-05-28 12:52:59 +02:00

19431a827b  samba: check AD membership with net
2024-05-28 12:51:44 +02:00

    Seems more reliable than adcli. Not sure how reliable any of this
    actually is.

c7a3513fa1  Add netbox role
2024-05-28 12:32:28 +02:00

    Kinda ouroborosish if you think about it. Better not.

43b9010126  Add samba role
2024-05-23 15:30:28 +02:00

    With sssd.

25bcddede1  Factor frr role from debian, ceph and proxmox
2024-05-19 14:21:25 +02:00

    Consolidate base system and networking setup into debian role and BGP
    configuration into frr role. Add facts role to collect data from NetBox
    once to avoid many slow lookups. Also many other tweaks and cleanups.

c2c1fdbe40  Add alpine role
2024-05-19 14:21:22 +02:00

    Base packages and SSH config, and QEMU guest agent for VMs.

be915dcf69  proxmox: only install firewall rules on one node
2024-05-14 12:40:33 +02:00

    And let the cluster take care of distribution.

3f53c84865  proxmox: add LDAP user sync script
2024-05-14 12:04:35 +02:00

    Since OIDC auth doesn’t support groups, get them from AD over LDAP.
    Add a script to fetch user and groups, and update /etc/pve/user.cfg. The
    script is only installed on one node (first alphabetically), with a cron
    job to run it daily.
    The script is installed for clusters with the sync-ldap context key set
    to a corresponding OIDC realm. The keys ldap_user and ldap_pass must be
    present in the password store under cluster/<name>.

5762236ac2  ceph: fix nftables management rule
2024-05-09 12:30:42 +02:00

    The mgmt VRF might not exist yet when nftables rules are loaded, so
    use iifname instead of iif for dynamic interface lookup.

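Several commits in this log describe one firewall approach from different angles: "alpine: set up firewall" and "alpine: don’t hardcode nftables input rule for SSH" generate the nftables input chain from service records kept in NetBox and treat SSH as just another service, "alpine: don’t assume all services are TCP" and "Support custom allowed_ips field for services" widen the record model (UDP services, single relay addresses next to prefixes), and the "ceph: fix nftables management rule" entry just above matches interfaces by name so the ruleset still loads when the mgmt VRF does not exist yet. The following is an added example written for this page, not code from the repository or its author: a small Python renderer of the kind a filter plugin might use, which turns such records into a ruleset for `nft -f`. The record schema (`name`, `protocol`, `ports`, `interface`, `allowed_prefixes`, `allowed_ips`) and the sample services are assumptions, not the repository’s real NetBox data model.

```python
"""Render an nftables input chain from NetBox-style service records.

Added example for this commit log, not code from the repository. Assumed
record schema: name, protocol ("tcp"/"udp", default tcp), ports, optional
interface, optional allowed_prefixes (CIDRs), allowed_ips (single hosts).
"""
import ipaddress
import re

# Interface names are at most 15 bytes (IFNAMSIZ - 1); they and the service
# name land inside quoted strings, so reject anything that could close the
# quote or smuggle extra tokens into the ruleset handed to nft.
_IFNAME_RE = re.compile(r"^[A-Za-z0-9_.:@-]{1,15}$")
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def nft_set(items):
    """One element is written bare, several as an anonymous set."""
    items = list(items)
    return items[0] if len(items) == 1 else "{ " + ", ".join(items) + " }"


def split_sources(prefixes, ips):
    """Group allowed sources by family: {"ip": [...], "ip6": [...]}.

    Prefixes must be real networks (host bits zero); ips are single addresses.
    A `saddr` set cannot mix v4 and v6, hence the split. Sorted for stable diffs.
    """
    out = {"ip": [], "ip6": []}
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)  # ValueError on 10.0.0.1/24
        out["ip" if net.version == 4 else "ip6"].append(str(net))
    for a in ips:
        addr = ipaddress.ip_address(a)  # ValueError on a CIDR or junk
        out["ip" if addr.version == 4 else "ip6"].append(str(addr))
    return {fam: sorted(set(v)) for fam, v in out.items()}


def service_rules(svc):
    """Accept rule(s) for one service: one per family that has sources, or a
    single unrestricted rule when none are configured. SSH is not special."""
    name = str(svc["name"])
    if not _NAME_RE.match(name):
        raise ValueError(f"unsafe service name {name!r}")
    proto = str(svc.get("protocol", "tcp")).lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"{name}: unsupported protocol {proto!r}")
    ports = sorted({int(p) for p in svc.get("ports", [])})
    if not ports or any(not 0 < p < 65536 for p in ports):
        raise ValueError(f"{name}: bad port list {ports}")

    iface_match = []
    iface = svc.get("interface")
    if iface:
        if not _IFNAME_RE.match(iface):
            raise ValueError(f"{name}: unsafe interface name {iface!r}")
        # iifname compares the name per packet, so the ruleset loads even if
        # the interface (a VRF device, say) is created later; iif resolves an
        # ifindex at load time and makes `nft -f` fail when it is missing.
        iface_match.append(f'iifname "{iface}"')
    dport = f"{proto} dport {nft_set(str(p) for p in ports)}"
    tail = ["accept", f'comment "{name}"']

    sources = split_sources(svc.get("allowed_prefixes", []), svc.get("allowed_ips", []))
    if not sources["ip"] and not sources["ip6"]:
        return [" ".join(iface_match + [dport] + tail)]
    return [" ".join(iface_match + [f"{fam} saddr {nft_set(sources[fam])}", dport] + tail)
            for fam in ("ip", "ip6") if sources[fam]]


def render_ruleset(services):
    """Render a complete `table inet filter` with a default-drop input chain."""
    lines = [
        "table inet filter {",
        "\tchain input {",
        "\t\ttype filter hook input priority 0; policy drop;",
        '\t\tiifname "lo" accept',
        "\t\tct state established,related accept",
        "\t\tct state invalid drop",
        "\t\tmeta l4proto { icmp, ipv6-icmp } accept",
    ]
    for svc in sorted(services, key=lambda s: s["name"]):
        lines.extend("\t\t" + rule for rule in service_rules(svc))
    lines += ["\t}", "}"]
    return "\n".join(lines) + "\n"


# Constructed sample shaped like a NetBox lookup result; not real inventory.
SAMPLE_SERVICES = [
    {"name": "ssh", "protocol": "tcp", "ports": [22],
     "allowed_prefixes": ["10.0.0.0/8", "fd00::/8"]},
    {"name": "dhcp", "protocol": "udp", "ports": [67],
     "allowed_ips": ["10.0.2.1", "10.0.1.1"]},  # relays only
    {"name": "https", "protocol": "tcp", "ports": [443, 80]},  # unrestricted
    {"name": "bgp", "protocol": "tcp", "ports": [179], "interface": "mgmt",
     "allowed_prefixes": ["192.0.2.0/24"]},
]

if __name__ == "__main__":
    print(render_ruleset(SAMPLE_SERVICES), end="")
```

Running the file prints a complete `table inet filter`. The points worth checking in the output: the management rule is emitted as `iifname "mgmt"` rather than `iif mgmt`, so `nft -f` succeeds before the VRF device exists; IPv4 and IPv6 sources become separate rules because one `saddr` set cannot mix families; the DHCP rule admits only the listed relay addresses; and a prefix with host bits set, an unsupported protocol, a bad port or an interface name that could break out of its quotes is rejected before anything reaches nft, since NetBox content is effectively input to a root-level config file.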
5a7fa02909  proxmox: don’t route host traffic over VNIs
2024-05-05 12:58:54 +02:00

    Very bad, much slow.

1a4652fd87  ceph: parametrize cephadm checksum
2024-04-27 10:44:58 +02:00

a637da5c21  proxmox: set vxlan-local-tunnelip for loopback interface
2024-04-22 13:30:35 +02:00

    Oops. Not sure why stuff apparently worked without it. Especially
    switchd on exits, which worked itself into a bit of a frenzy.

923d877208  proxmox: use inner L3 info for ECMP hashing
2024-04-08 08:49:16 +02:00

    I’m sure I saw fib_multipath_hash_policy=2 (or =1 from last commit)
    actually working once, but cannot reproduce. Maybe revisit this at
    some point.

f404922d6b  proxmox: use L4 info for ECMP hashing
2024-04-05 10:28:15 +02:00

    This should make VXLAN-encapsulated traffic multipath.