f10d94612f
Factor out password store retrieval
2024-07-04 15:31:57 +02:00
973522c373
Import friwall role from network ansible scripts
...
To reuse alpine and nginx roles. Probably going to merge repos at some point.
2024-07-04 15:31:53 +02:00
bacfc66f7c
alpine: flush some handlers
2024-07-04 14:55:09 +02:00
92674f58a1
synapse: allow listing public rooms over federation
2024-06-25 18:08:54 +02:00
e101493889
Add synapse role
...
For all the hipster kids.
2024-06-25 10:14:06 +02:00
74cb31e243
netbox: factor out redis role
2024-06-25 00:52:57 +02:00
f1f9d6fa34
alpine: configure network interfaces
2024-06-25 00:40:13 +02:00
c42f9ae1f9
Set become_flags in ansible.cfg
...
Some users don’t have a login shell.
2024-06-24 21:39:34 +02:00
dbdf88fe36
Set become_method in ansible.cfg
2024-06-20 20:47:00 +02:00
2618c1c414
forgejo: enable auto registration for oauth2
2024-06-20 19:46:38 +02:00
4b34370d5d
ceph: set NTP servers
2024-06-19 15:07:59 +02:00
29598ef4bb
Rework service handling
...
Allow running playbooks without NetBox access. Mainly to bootstrap
NetBox itself.
Would prefer not to access network from filter plugins, so maybe do
that at some point also.
2024-06-19 13:33:32 +02:00
38c3464279
alpine: assume one DNS name per host
...
Avoid needless complexity.
2024-06-19 13:14:51 +02:00
393614aa79
alpine: configure unattended upgrades
2024-06-17 09:52:56 +02:00
6a9a4142ce
forgejo: set WAL mode for sqlite
2024-06-17 09:52:36 +02:00
25df98c97b
forgejo: configure some more options
...
Also drop leftover line.
2024-06-06 13:35:57 +02:00
f5e9c7d6dc
alpine: add iproute2 to base packages
...
Too useful too often not to.
2024-06-05 15:40:59 +02:00
398e41732e
alpine: set hostname
...
And configure /etc/hosts accordingly.
2024-06-05 15:40:55 +02:00
fe6c35edf1
alpine: set up firewall
...
Get services from NetBox and enable SSH unconditionally for now.
2024-06-05 15:37:45 +02:00
b3aff08ce3
forgejo: listen on unix socket
...
Instead of 0.0.0.0:3000. Skip installation page, and set config values
and create admin user manually.
2024-06-05 15:00:14 +02:00
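The two Forgejo commits above (unix socket instead of 0.0.0.0:3000, skipping the installer, creating the admin user by hand, and the earlier "set WAL mode for sqlite") translate into a handful of app.ini keys plus one CLI call. The following Ansible tasks are an added example written for this page, not code from the repository; the config path /etc/forgejo/app.ini, the service user forgejo, the socket path, the handler name and the variables forgejo_admin_user, forgejo_admin_email and forgejo_admin_password (looked up from the password store elsewhere) are assumptions. The option names are Gitea's, which Forgejo inherits.

```yaml
# Added example (not from the repo). Assumes /etc/forgejo/app.ini, a
# "forgejo" service user and a "restart forgejo" handler exist.
- name: Bind Forgejo to a unix socket and lock the web installer
  community.general.ini_file:
    path: /etc/forgejo/app.ini
    section: "{{ item.section }}"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
    owner: forgejo
    group: forgejo
    mode: "0640"
  loop:
    # Weak default: PROTOCOL=http, HTTP_ADDR=0.0.0.0, HTTP_PORT=3000,
    # i.e. reachable from every interface, bypassing nginx and TLS.
    - { section: server,   option: PROTOCOL,               value: http+unix }
    - { section: server,   option: HTTP_ADDR,              value: /run/forgejo/forgejo.sock }
    # Default socket mode is 666; 660 limits it to the forgejo group
    # (add the nginx user to that group).
    - { section: server,   option: UNIX_SOCKET_PERMISSION, value: "660" }
    # Without INSTALL_LOCK anyone reaching the socket first can run the
    # installer and pick the admin credentials.
    - { section: security, option: INSTALL_LOCK,           value: "true" }
    # The "WAL mode for sqlite" commit: readers no longer block the writer.
    - { section: database, option: SQLITE_JOURNAL_MODE,    value: WAL }
  notify: restart forgejo

- name: Create the admin user once, password taken from the password store
  ansible.builtin.command: >
    forgejo --config /etc/forgejo/app.ini admin user create
    --admin
    --username {{ forgejo_admin_user }}
    --email {{ forgejo_admin_email }}
    --password {{ forgejo_admin_password }}
  become: true
  become_user: forgejo
  register: create_admin
  # Idempotence: a second run fails with "user already exists"; treat
  # that as "ok", anything else as a real failure.
  changed_when: create_admin.rc == 0
  failed_when: create_admin.rc != 0 and 'already exists' not in create_admin.stderr
  no_log: true
```

nginx then proxies with `proxy_pass http://unix:/run/forgejo/forgejo.sock;`. One caveat on the admin task: `no_log` keeps the password out of Ansible output and logs, but it is still visible in the process argument list on the host for the duration of the command, so run this before the machine serves other users or rotate the password afterwards.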
22f363d06a
Add postgres role
...
Or rather rip it out of netbox. Improve DB password handling.
2024-06-05 12:54:55 +02:00
af9e30eb3e
Add forgejo role
...
On alpine, with OIDC auth and a podman runner.
2024-06-05 12:05:22 +02:00
f863d87fbf
dokuwiki: remove hardcoded names
2024-05-28 13:34:34 +02:00
cd8f20852e
dokuwiki: use common nginx role
...
Also get version from NetBox.
2024-05-28 13:23:40 +02:00
3b246447cf
dokuwiki: find installed PHP version without running commands
...
So that it works in check mode.
2024-05-28 12:54:50 +02:00
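The commit above makes the point that a `command: php -v` style lookup breaks check mode (the command is skipped, the registered variable is empty, every later task using it fails). The read-only `find` module runs normally in check mode, so the version can be derived from the filesystem instead. The tasks below are an added example for this page, not the repository's own role; they assume Alpine's layout, where the php8x package installs its configuration under /etc/php8x.

```yaml
# Added example (not from the repo). Assumes Alpine's /etc/php<NN> layout.
- name: Find installed PHP versions without running a command (check-mode safe)
  ansible.builtin.find:
    paths: /etc
    patterns: "php[0-9]*"   # shell glob, e.g. matches /etc/php82
    file_type: directory
  register: php_dirs

- name: Refuse to continue with no PHP installed
  ansible.builtin.fail:
    msg: "no /etc/php<NN> directory found on {{ inventory_hostname }}"
  when: php_dirs.matched == 0

- name: Use the newest installed version
  ansible.builtin.set_fact:
    php_version: >-
      {{ php_dirs.files
         | map(attribute='path')
         | map('basename')
         | map('regex_replace', '^php', '')
         | map('int')
         | max }}

# Later tasks can now reference php_version in both normal and check mode,
# e.g. /etc/php{{ php_version }}/php-fpm.d/dokuwiki.conf
```

The `fail` task is the check a practitioner wants: without it, `max` on an empty list raises a templating error far from the actual cause.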
ce80765560
alpine: add nftables to base packages
2024-05-28 12:52:59 +02:00
19431a827b
samba: check AD membership with net
...
Seems more reliable than adcli. Not sure how reliable any of this
actually is.
2024-05-28 12:51:44 +02:00
c7a3513fa1
Add netbox role
...
Kinda ouroborosish if you think about it. Better don’t.
2024-05-28 12:32:28 +02:00
43b9010126
Add samba role
...
With sssd.
2024-05-23 15:30:28 +02:00
25bcddede1
Factor frr role from debian, ceph and proxmox
...
Consolidate base system and networking setup into debian role and BGP
configuration into frr role. Add facts role to collect data from NetBox
once to avoid many slow lookups. Also many other tweaks and cleanups.
2024-05-19 14:21:25 +02:00
c2c1fdbe40
Add alpine role
...
Base packages and SSH config, and QEMU guest agent for VMs.
2024-05-19 14:21:22 +02:00
be915dcf69
proxmox: only install firewall rules on one node
...
And let the cluster take care of distribution.
2024-05-14 12:40:33 +02:00
3f53c84865
proxmox: add LDAP user sync script
...
Since OIDC auth doesn’t support groups, get them from AD over LDAP.
Add a script to fetch user and groups, and update /etc/pve/user.cfg. The
script is only installed on one node (first alphabetically), with a cron
job to run it daily.
The script is installed for clusters with the sync-ldap context key set
to a corresponding OIDC realm. The keys ldap_user and ldap_pass must be
present in the password store under cluster/<name>.
2024-05-14 12:04:35 +02:00
5762236ac2
ceph: fix nftables management rule
...
The mgmt VRF might not exist yet when nftables rules are loaded, so
use iifname instead of iif for dynamic interface lookup.
2024-05-09 12:30:42 +02:00
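The distinction in the commit above matters beyond VRFs: `iif` is resolved to an interface index when the ruleset is loaded, so `nft -f` refuses the whole file if the interface is not present yet, while `iifname` is compared against the name of each packet's ingress device at match time. The task below is an added example for this page, not the repository's role; the file path, the VRF name mgmt and the handler name are assumptions.

```yaml
# Added example (not from the repo). Assumes /etc/nftables.conf includes
# /etc/nftables.d/*.nft and a "reload nftables" handler exists.
- name: Install management-VRF input rules
  ansible.builtin.copy:
    dest: /etc/nftables.d/mgmt.nft
    mode: "0600"
    # Parse the file before it replaces the live ruleset; with the
    # commented-out iif rule and no "mgmt" device yet, this is where
    # the run would fail instead of at reboot.
    validate: nft -c -f %s
    content: |
      table inet mgmt {
        chain input {
          type filter hook input priority filter; policy drop;

          ct state established,related accept
          ct state invalid drop

          # Wrong on a box where the VRF device is created after the
          # ruleset is loaded: "iif" needs the ifindex at load time.
          #   iif "mgmt" tcp dport 22 accept
          # Right: "iifname" matches by name per packet, so the rule is
          # valid whether or not the device exists yet.
          iifname "mgmt" tcp dport 22 accept
          iifname "mgmt" icmp type echo-request accept
          iifname "mgmt" icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept
        }
      }
  notify: reload nftables
```

Caveat: `iifname` is a string compare, so it also matches any device that is later renamed to that name; if that is a concern, pin the VRF's ifindex by creating it before nftables in the boot order and use `iif` again.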
5a7fa02909
proxmox: don’t route host traffic over VNIs
...
Very bad, much slow.
2024-05-05 12:58:54 +02:00
1a4652fd87
ceph: parametrize cephadm checksum
2024-04-27 10:44:58 +02:00
a637da5c21
proxmox: set vxlan-local-tunnelip for loopback interface
...
Oops. Not sure why stuff apparently worked without it. Especially
switchd on exits which worked itself into a bit of a frenzy.
2024-04-22 13:30:35 +02:00
923d877208
proxmox: use inner L3 info for ECMP hashing
...
I’m sure I saw fib_multipath_hash_policy=2 (or =1 from last commit)
actually working once, but cannot reproduce. Maybe revisit this at
some point.
2024-04-08 08:49:16 +02:00
f404922d6b
proxmox: use L4 info for ECMP hashing
...
This should make VXLAN-encapsulated traffic multipath.
2024-04-05 10:28:15 +02:00
8be55c2bde
ceph: set up firewall
...
Still need to drop the hardcoded allowed set.
2024-04-05 06:12:58 +02:00
e7f9132571
proxmox: set up firewall
...
Firewall policy is set in NetBox as cluster services¹. For Proxmox we
have to manually allow communication between nodes when using L3,
since the default management ipset does not get populated correctly.
We also need to open VTEP communication between nodes, which the
default rules don’t. We allow all inter-node traffic, as SSH without
passwords must be permitted anyway.
This also adds some helper filters that are spectacularly annoying to
implement purely in templates.
¹ There is actually no such thing as a cluster service (yet?), so
instead we create a fake VM for the cluster, define services for it,
and then add the same services to a custom field on the cluster.
Alternative would be to tie services to a specific node, but that
could be problematic if that node is replaced.
2024-04-05 06:00:50 +02:00
179547beff
debian: only advertise local routes
...
Also of course.
2024-04-04 10:53:01 +02:00
2095494531
proxmox: only advertise local routes
...
Of course.
2024-04-04 10:17:58 +02:00
14439048fa
proxmox: set datacenter defaults for frr
2024-03-22 18:51:29 +01:00
0c063a017b
ceph: allow some ICMP
2024-03-14 14:34:44 +01:00
ce7903e43a
ceph: improve cluster setup
...
Remove separate NetBox lookups. Explicitly allow connections between
cluster nodes. Tighten temporary allowed IPv6 ranges.
2024-03-01 08:45:51 +01:00
0af8474e52
proxmox: consolidate interface templates
2024-02-26 16:52:01 +01:00
fbfdc83ee5
proxmox: use multiple non-VLAN-aware bridges
...
The Proxmox SDN feature does not play nice with our FRR and VXLAN setup.
With a single bridge we can’t have interface aliases. So use a bridge
for each VLAN. Actually don’t even have VLANs, just bridges mainlined
into VXLAN tunnels.
Read the list of VLANs carried by Proxmox nodes from a custom field on
the cluster in NetBox. Remove the vmbr0 device from individual nodes.
2024-02-20 16:43:47 +01:00
c1344e8f59
dokuwiki: upgrade to latest
2024-02-20 16:01:51 +01:00
90b55d8e8d
doku: tweak fonts and stuff
2024-02-20 11:05:59 +01:00
cc10b4b265
dokuwiki: upgrade to latest
2024-02-06 19:50:25 +01:00
02f778604c
Add dokuwiki role
...
For an Alpine Linux VM.
2024-01-20 19:00:41 +01:00
c395fe22c7
ceph: allow connections from more addresses
...
Should unhardcode this at some point.
2024-01-17 19:19:55 +01:00
d399fc0a24
proxmox: simplify interface setup tasks
2023-11-20 14:13:46 +01:00
5038411af3
Add ceph role
...
Just prepares the servers, all management is then done through cephadm.
2023-11-20 13:04:11 +01:00
2d89cd730c
proxmox: get all data from netbox
2023-11-20 12:56:34 +01:00
62a3dc5121
proxmox: fix SFTP in management VRF
2023-11-20 12:55:52 +01:00
eed2308609
debian: get all data from netbox
2023-11-18 19:44:52 +01:00
d334e9aafa
debian: allow overriding release
2023-11-18 19:44:00 +01:00
5cca841e6b
debian: allow sftp over management ssh
2023-11-18 19:42:33 +01:00
5da50c14f9
debian: run a separate sshd in mgmt VRF
...
Leave the default sshd alone. If ssh is not necessary in default VRF,
another role should disable it.
2023-10-25 13:06:57 +02:00
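One way to run that second sshd, as an added example for this page rather than the repository's own role: a separate config file, a systemd unit that starts the daemon inside the VRF with `ip vrf exec`, and the default sshd left alone. The VRF name mgmt, the unit and file names and the handler are assumptions. A socket created under `ip vrf exec mgmt` is bound to the VRF device, so `ListenAddress 0.0.0.0` here only accepts connections arriving through mgmt interfaces, and with the kernel default `net.ipv4.tcp_l3mdev_accept=0` the stock sshd in the default VRF does not answer them.

```yaml
# Added example (not from the repo). Assumes a VRF device named "mgmt"
# and a "restart sshd-mgmt" handler.
- name: Config for the management-VRF sshd (stock sshd_config untouched)
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config_mgmt
    mode: "0600"
    validate: /usr/sbin/sshd -t -f %s
    content: |
      PidFile /run/sshd_mgmt.pid
      ListenAddress 0.0.0.0
      ListenAddress ::
      PermitRootLogin prohibit-password
      PasswordAuthentication no
      KbdInteractiveAuthentication no
      # Needed for the "allow sftp over management ssh" commit.
      Subsystem sftp internal-sftp
  notify: restart sshd-mgmt

- name: systemd unit running sshd inside the mgmt VRF
  ansible.builtin.copy:
    dest: /etc/systemd/system/sshd-mgmt.service
    mode: "0644"
    content: |
      [Unit]
      Description=OpenSSH server in management VRF
      After=network-online.target
      Wants=network-online.target

      [Service]
      ExecStart=/sbin/ip vrf exec mgmt /usr/sbin/sshd -D -f /etc/ssh/sshd_config_mgmt
      ExecReload=/bin/kill -HUP $MAINPID
      KillMode=process
      Restart=on-failure

      [Install]
      WantedBy=multi-user.target
  notify: restart sshd-mgmt

- name: Enable the management sshd
  ansible.builtin.systemd:
    name: sshd-mgmt
    enabled: true
    state: started
    daemon_reload: true
```

Check after deploying: `ss -ltnp | grep sshd` should show two listeners, and `ip vrf identify $(cat /run/sshd_mgmt.pid)` should print `mgmt`. If the default-VRF sshd is not wanted at all, disable it in another role as the commit suggests rather than editing this unit.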
c9479cc786
proxmox: set hostname
2023-10-20 09:05:54 +02:00
68efa7adcf
proxmox: simplify bridge definition
2023-10-19 10:18:50 +02:00
0c1cc14e01
proxmox: add initial support for L2 VXLAN
...
I heard we like L2 so I put some L2 in our L3 so we can L2 as we L3 on L2.
2023-10-18 15:02:36 +02:00
ce2d0f3cd4
proxmox: add interfaces for fabric links
...
Same as debian.
2023-10-05 12:43:35 +02:00
a324da076b
Consolidate interface setup for debian and proxmox roles
2023-07-20 13:46:13 +02:00
63ab087645
debian: get inventory data from netbox
...
Set standardized interface names (mgmt0… for L2 management interfaces
and lan0… for L3 data interfaces speaking BGP). ASN is stored as a
custom field in netbox but that might change.
2023-07-20 13:24:51 +02:00
2330edf479
proxmox: standardize interface names and set up management VRF
...
No idea how badly this clashes with GUI configuration.
2023-07-17 16:39:40 +02:00
aae782a66b
Add role to set up base Proxmox server
2023-07-14 16:12:03 +02:00
db310ba716
debian: take it easy with the reboots
2023-06-05 17:52:25 +02:00
7c209a7c5c
debian: set hostname
2023-06-05 17:52:20 +02:00
8dd2476238
Add role to set up base Debian server
...
With sshd in separate management VRF and FRR to announce routes to
self over unnumbered BGP.
2023-06-01 17:22:26 +02:00
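The base Debian setup described in this commit (FRR announcing routes to self over unnumbered BGP) together with the later "only advertise local routes" commits for debian and proxmox can be expressed as one frr.conf. The task below is an added example for this page, not the repository's template; the interface names lan0/lan1 follow the naming convention mentioned in the "get inventory data from netbox" commit, while the variables loopback_ip and asn (the per-host ASN kept as a NetBox custom field) and the handler name are assumptions. `frr defaults datacenter` matches the later "set datacenter defaults for frr" commit.

```yaml
# Added example (not from the repo). Assumes vars loopback_ip and asn,
# bgpd=yes in /etc/frr/daemons, and a "reload frr" handler.
- name: FRR: unnumbered eBGP on fabric links, advertise the loopback only
  ansible.builtin.copy:
    dest: /etc/frr/frr.conf
    owner: frr
    group: frr
    mode: "0640"
    content: |
      frr defaults datacenter
      hostname {{ inventory_hostname }}
      !
      interface lo
       ip address {{ loopback_ip }}/32
      !
      ! Only the host's own /32 may leave the box; anything learned from
      ! one fabric peer is never re-advertised to another (no transit).
      ip prefix-list LOCAL seq 10 permit {{ loopback_ip }}/32
      !
      route-map LOCAL-OUT permit 10
       match ip address prefix-list LOCAL
      !
      router bgp {{ asn }}
       bgp router-id {{ loopback_ip }}
       neighbor fabric peer-group
       neighbor fabric remote-as external
       ! "interface" peers use IPv6 link-local next hops (RFC 5549),
       ! so the lan links need no addresses at all.
       neighbor lan0 interface peer-group fabric
       neighbor lan1 interface peer-group fabric
       !
       address-family ipv4 unicast
        network {{ loopback_ip }}/32
        neighbor fabric route-map LOCAL-OUT out
       exit-address-family
  notify: reload frr
```

Verify with `vtysh -c 'show bgp ipv4 unicast neighbors lan0 advertised-routes'`: the only prefix listed should be the loopback /32. A missing `exit-address-family` or a typo in the route-map name silently advertises nothing or everything, so this check belongs in the role's smoke test.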