Timotej Lazar
f10d94612f
Factor out password store retrieval
2024-07-04 15:31:57 +02:00
Timotej Lazar
973522c373
Import friwall role from network ansible scripts
...
To reuse alpine and nginx roles. Probably going to merge repos at some point.
2024-07-04 15:31:53 +02:00
Timotej Lazar
bacfc66f7c
alpine: flush some handlers
2024-07-04 14:55:09 +02:00
Timotej Lazar
92674f58a1
synapse: allow listing public rooms over federation
2024-06-25 18:08:54 +02:00
Timotej Lazar
e101493889
Add synapse role
...
For all the hipster kids.
2024-06-25 10:14:06 +02:00
Timotej Lazar
74cb31e243
netbox: factor out redis role
2024-06-25 00:52:57 +02:00
Timotej Lazar
f1f9d6fa34
alpine: configure network interfaces
2024-06-25 00:40:13 +02:00
Timotej Lazar
c42f9ae1f9
Set become_flags in ansible.cfg
...
Some users don’t have a login shell.
2024-06-24 21:39:34 +02:00
Timotej Lazar
dbdf88fe36
Set become_method in ansible.cfg
2024-06-20 20:47:00 +02:00
Timotej Lazar
2618c1c414
forgejo: enable auto registration for oauth2
2024-06-20 19:46:38 +02:00
Timotej Lazar
4b34370d5d
ceph: set NTP servers
2024-06-19 15:07:59 +02:00
Timotej Lazar
29598ef4bb
Rework service handling
...
Allow running playbooks without NetBox access. Mainly to bootstrap
NetBox itself.
Would prefer not to access network from filter plugins, so maybe do
that at some point also.
2024-06-19 13:33:32 +02:00
Timotej Lazar
38c3464279
alpine: assume one DNS name per host
...
Avoid needless complexity.
2024-06-19 13:14:51 +02:00
Timotej Lazar
393614aa79
alpine: configure unattended upgrades
2024-06-17 09:52:56 +02:00
Timotej Lazar
6a9a4142ce
forgejo: set WAL mode for sqlite
2024-06-17 09:52:36 +02:00
Timotej Lazar
25df98c97b
forgejo: configure some more options
...
Also drop leftover line.
2024-06-06 13:35:57 +02:00
Timotej Lazar
f5e9c7d6dc
alpine: add iproute2 to base packages
...
Too useful too often not to.
2024-06-05 15:40:59 +02:00
Timotej Lazar
398e41732e
alpine: set hostname
...
And configure /etc/hosts accordingly.
2024-06-05 15:40:55 +02:00
Timotej Lazar
fe6c35edf1
alpine: set up firewall
...
Get services from NetBox and enable SSH unconditionally for now.
2024-06-05 15:37:45 +02:00
Timotej Lazar
b3aff08ce3
forgejo: listen on unix socket
...
Instead of 0.0.0.0:3000. Skip installation page, and set config values
and create admin user manually.
2024-06-05 15:00:14 +02:00
Timotej Lazar
22f363d06a
Add postgres role
...
Or rather rip it out of netbox. Improve DB password handling.
2024-06-05 12:54:55 +02:00
Timotej Lazar
af9e30eb3e
Add forgejo role
...
On alpine, with OIDC auth and a podman runner.
2024-06-05 12:05:22 +02:00
Timotej Lazar
f863d87fbf
dokuwiki: remove hardcoded names
2024-05-28 13:34:34 +02:00
Timotej Lazar
cd8f20852e
dokuwiki: use common nginx role
...
Also get version from NetBox.
2024-05-28 13:23:40 +02:00
Timotej Lazar
3b246447cf
dokuwiki: find installed PHP version without running commands
...
So that it works in check mode.
2024-05-28 12:54:50 +02:00
Timotej Lazar
ce80765560
alpine: add nftables to base packages
2024-05-28 12:52:59 +02:00
Timotej Lazar
19431a827b
samba: check AD membership with net
...
Seems more reliable than adcli. Not sure how reliable any of this
actually is.
2024-05-28 12:51:44 +02:00
Timotej Lazar
c7a3513fa1
Add netbox role
...
Kinda ouroborosish if you think about it. Better don’t.
2024-05-28 12:32:28 +02:00
Timotej Lazar
43b9010126
Add samba role
...
With sssd.
2024-05-23 15:30:28 +02:00
Timotej Lazar
25bcddede1
Factor frr role from debian, ceph and proxmox
...
Consolidate base system and networking setup into debian role and BGP
configuration into frr role. Add facts role to collect data from NetBox
once to avoid many slow lookups. Also many other tweaks and cleanups.
2024-05-19 14:21:25 +02:00
Timotej Lazar
c2c1fdbe40
Add alpine role
...
Base packages and SSH config, and QEMU guest agent for VMs.
2024-05-19 14:21:22 +02:00
Timotej Lazar
be915dcf69
proxmox: only install firewall rules on one node
...
And let the cluster take care of distribution.
2024-05-14 12:40:33 +02:00
Timotej Lazar
3f53c84865
proxmox: add LDAP user sync script
...
Since OIDC auth doesn’t support groups, get them from AD over LDAP.
Add a script to fetch user and groups, and update /etc/pve/user.cfg. The
script is only installed on one node (first alphabetically), with a cron
job to run it daily.
The script is installed for clusters with the sync-ldap context key set
to a corresponding OIDC realm. The keys ldap_user and ldap_pass must be
present in the password store under cluster/<name>.
2024-05-14 12:04:35 +02:00
Timotej Lazar
5762236ac2
ceph: fix nftables management rule
...
The mgmt VRF might not exist yet when nftables rules are loaded, so
use iifname instead of iif for dynamic interface lookup.
2024-05-09 12:30:42 +02:00
Timotej Lazar
5a7fa02909
proxmox: don’t route host traffic over VNIs
...
Very bad, much slow.
2024-05-05 12:58:54 +02:00
Timotej Lazar
1a4652fd87
ceph: parametrize cephadm checksum
2024-04-27 10:44:58 +02:00
Timotej Lazar
a637da5c21
proxmox: set vxlan-local-tunnelip for loopback interface
...
Oops. Not sure why stuff apparently worked without it. Especially
switchd on exits which worked itself into a bit of a frenzy.
2024-04-22 13:30:35 +02:00
Timotej Lazar
923d877208
proxmox: use inner L3 info for ECMP hashing
...
I’m sure I saw fib_multipath_hash_policy=2 (or =1 from last commit)
actually working once, but cannot reproduce. Maybe revisit this at
some point.
2024-04-08 08:49:16 +02:00
Timotej Lazar
f404922d6b
proxmox: use L4 info for ECMP hashing
...
This should make VXLAN-encapsulated traffic multipath.
2024-04-05 10:28:15 +02:00
Timotej Lazar
8be55c2bde
ceph: set up firewall
...
Still need to drop the hardcoded allowed set.
2024-04-05 06:12:58 +02:00
Timotej Lazar
e7f9132571
proxmox: set up firewall
...
Firewall policy is set in NetBox as cluster services¹. For Proxmox we
have to manually allow communication between nodes when using L3,
since the default management ipset does not get populated correctly.
We also need to open VTEP communication between nodes, which the
default rules don’t. We allow all inter-node traffic, as SSH without
passwords must be permitted anyway.
This also adds some helper filters that are spectacularly annoying to
implement purely in templates.
¹ There is actually no such thing as as a cluster service (yet?), so
instead we create a fake VM for the cluster, define services for it,
and then add the same services to a custom field on the cluster.
Alternative would be to tie services to a specific node, but that
could be problematic if that node is replaced.
2024-04-05 06:00:50 +02:00
Timotej Lazar
179547beff
debian: only advertise local routes
...
Also of course.
2024-04-04 10:53:01 +02:00
Timotej Lazar
2095494531
proxmox: only advertise local routes
...
Of course.
2024-04-04 10:17:58 +02:00
Timotej Lazar
14439048fa
proxmox: set datacenter defaults for frr
2024-03-22 18:51:29 +01:00
Timotej Lazar
0c063a017b
ceph: allow some ICMP
2024-03-14 14:34:44 +01:00
Timotej Lazar
ce7903e43a
ceph: improve cluster setup
...
Remove separate NetBox lookups. Explicitly allow connections between
cluster nodes. Tigthen temporary allowed IPv6 ranges.
2024-03-01 08:45:51 +01:00
Timotej Lazar
0af8474e52
proxmox: consolidate interface templates
2024-02-26 16:52:01 +01:00
Timotej Lazar
fbfdc83ee5
proxmox: use multiple non-VLAN-aware bridges
...
The Proxmox SDN feature does not play nice with our FRR and VXLAN setup.
With a single bridge we can’t have interface aliases. So use a bridge
for each VLAN. Actually don’t even have VLANs, just bridges mainlined
into VXLAN tunnels.
Read the list of VLANs carried by Proxmox nodes from a custom field on
the cluster in NetBox. Remove the vmbr0 device from individual nodes.
2024-02-20 16:43:47 +01:00
Timotej Lazar
c1344e8f59
dokuwiki: upgrade to latest
2024-02-20 16:01:51 +01:00
Timotej Lazar
90b55d8e8d
doku: tweak fonts and stuff
2024-02-20 11:05:59 +01:00
Timotej Lazar
cc10b4b265
dokuwiki: upgrade to latest
2024-02-06 19:50:25 +01:00
Timotej Lazar
02f778604c
Add dokuwiki role
...
For an Alpine Linux VM.
2024-01-20 19:00:41 +01:00
Timotej Lazar
c395fe22c7
ceph: allow connections from more addresses
...
Should unhardcode this at some point.
2024-01-17 19:19:55 +01:00
Timotej Lazar
d399fc0a24
proxmox: simplify interface setup tasks
2023-11-20 14:13:46 +01:00
Timotej Lazar
5038411af3
Add ceph role
...
Just prepares the servers, all management is then done through cephadm.
2023-11-20 13:04:11 +01:00
Timotej Lazar
2d89cd730c
proxmox: get all data from netbox
2023-11-20 12:56:34 +01:00
Timotej Lazar
62a3dc5121
proxmox: fix SFTP in management VRF
2023-11-20 12:55:52 +01:00
Timotej Lazar
eed2308609
debian: get all data from netbox
2023-11-18 19:44:52 +01:00
Timotej Lazar
d334e9aafa
debian: allow overriding release
2023-11-18 19:44:00 +01:00
Timotej Lazar
5cca841e6b
debian: allow sftp over management ssh
2023-11-18 19:42:33 +01:00
Timotej Lazar
5da50c14f9
debian: run a separate sshd in mgmt VRF
...
Leave the default sshd alone. If ssh is not necessary in default VRF,
another role should disable it.
2023-10-25 13:06:57 +02:00
Timotej Lazar
c9479cc786
proxmox: set hostname
2023-10-20 09:05:54 +02:00
Timotej Lazar
68efa7adcf
proxmox: simplify bridge definition
2023-10-19 10:18:50 +02:00
Timotej Lazar
0c1cc14e01
proxmox: add initial support for L2 VXLAN
...
I heard we like L2 so I put some L2 in our L3 so we can L2 as we L3 on L2.
2023-10-18 15:02:36 +02:00
Timotej Lazar
ce2d0f3cd4
proxmox: add interfaces for fabric links
...
Same as debian.
2023-10-05 12:43:35 +02:00
Timotej Lazar
a324da076b
Consolidate interface setup for debian and proxmox roles
2023-07-20 13:46:13 +02:00
Timotej Lazar
63ab087645
debian: get inventory data from netbox
...
Set standardized interface names (mgmt0… for L2 management interfaces
and lan0… for L3 data interfaces speaking BGP). ASN is stored as a
custom field in netbox but that might change.
2023-07-20 13:24:51 +02:00
Timotej Lazar
2330edf479
proxmox: standardize interface names and set up management VRF
...
No idea how badly this clashes with GUI configuration.
2023-07-17 16:39:40 +02:00
Timotej Lazar
aae782a66b
Add role to set up base Proxmox server
2023-07-14 16:12:03 +02:00
Timotej Lazar
db310ba716
debian: take it easy with the reboots
2023-06-05 17:52:25 +02:00
Timotej Lazar
7c209a7c5c
debian: set hostname
2023-06-05 17:52:20 +02:00
Timotej Lazar
8dd2476238
Add role to set up base Debian server
...
With sshd in separate management VRF and FRR to announce routes to
self over unnumbered BGP.
2023-06-01 17:22:26 +02:00