To avoid dnsmasq writing out the whole leasefile on each request
before replying. This gets slow on high‐latency storage.
Also tweak DNS updates a bit.
Create a self-signed CA, set up group configs, add script to allow new
connections through the firewall.
In the base debian role, drop the default nftables forward chain with
drop policy because it clashes with this. If you enable forwarding on
a debian host, make sure to configure the firewall.
This reverts commit 554bf1f711.
Turns out ISC dhcrelay will relay even unicast packets from clients. So
the DHCP server got both the routed and the relayed query.
This tells dnsmasq to tell clients to send everything through the relay.
Since everything now comes from the relay we can drop access from client
networks.
Oops. Also do it for proxmox-backup role even though SSH in default
VRF is disabled there, so it will be easier to deduplicate these roles
when someone gets around to it.
There were some issues with proxmox cluster losing connectivity. Since
disabling it there were no more issues.
Might have not been caused by BFD or it was just misconfigured.
With a hook to restart RGW services on renewal, if there are any. Live
certificates are linked to the same path under /etc/ceph on each host,
so that the orch service spec is node-independent.
Use with something like this (port 80 must be kept free for standalone
certbot renewal):
service_type: rgw
spec:
rgw_frontend_port: 8080
rgw_frontend_extra_args:
- ssl_port=443
- ssl_private_key=/etc/ceph/privkey.pem
- ssl_certificate=/etc/ceph/fullchain.pem
extra_container_args:
- "--volume"
- "/etc/ceph:/etc/ceph:ro"
- "--volume"
- "/etc/letsencrypt:/etc/letsencrypt:ro"
