roles/collector/README.md

@@ -1,19 +1,18 @@
 Set up metric collection with prometheus and telegraf as the SNMP proxy.
 
-Each entry in `prometheus_config` should define `name`, `hosts` and optionally `interval`. As above, `hosts` is used as a query filter.
+NetBox config context should contain the lists `prometheus_hosts` and `snmp_hosts` with job definitions. Each entry should define `name` and `nb_filter` user to query hosts from NetBox. For example:
-
-For SNMP the properties `snmp_hosts` and optional `snmp_interval` should define respectively the NetBox query filter and poll interval.
-
-For example:
 
     {
-        "prometheus_config": [
+        "prometheus_hosts": [
             {
                 "name": "classroom",
-                "hosts": "role=desktop-computer status=active location=classroom",
+                "nb_filter": "role=desktop-computer status=active location=classroom"
-                "interval": 300
             }
         ],
-        "snmp_hosts": "role=switch name__isw=sw- status=active status=staged status=planned",
+        "snmp_hosts": [
-        "snmp_interval": 300
+            {
+                "name": "switch",
+                "nb_filter": "role=switch name__isw=sw- status=active status=staged status=planned"
+            }
+        ]
     }

roles/collector/tasks/main.yml

@@ -28,7 +28,7 @@
   template:
     dest: "/etc/prometheus/conf.d/{{ item.name }}.yml"
     src: "prometheus-job.yml.j2"
-  loop: "{{ prometheus_config }}"
+  loop: "{{ prometheus_hosts }}"
   loop_control:
     label: "{{ item.name }}"
   notify: reload prometheus

roles/collector/templates/prometheus-job.yml.j2

@@ -1,14 +1,10 @@
-{% set devices = query("netbox.netbox.nb_lookup", "devices", api_filter="{{ item.hosts }}", raw_data=true)
+{% set devices = query("netbox.netbox.nb_lookup", "devices", api_filter="{{ item.nb_filter }}", raw_data=true)
     | selectattr("primary_ip")
     | map(attribute="name")
     | map("extract", hostvars) -%}
 
 scrape_configs:
   - job_name: "{{ item.name }}"
-{% if item.interval is defined %}
-    scrape_interval: {{ item.interval }}s
-    scrape_timeout: {{ item.interval // 5 }}s
-{% endif %}
     relabel_configs:
       - source_labels: [__address__]
         regex: '([^.]+).*'

roles/collector/templates/snmp.conf.j2

@@ -1,13 +1,13 @@
 [[inputs.snmp]]
-{% if snmp_interval is defined %}
+  interval = "300s"
-  interval = "{{ snmp_interval }}s"
-{% endif %}
   agent_host_tag = "source"
   agents = [
-{% for address in query("netbox.netbox.nb_lookup", "devices", api_filter=snmp_hosts, raw_data=true)
+{% for item in snmp_hosts %}
+{% for address in query("netbox.netbox.nb_lookup", "devices", api_filter=item.nb_filter, raw_data=true)
     | selectattr("primary_ip4") | map(attribute="primary_ip4.address")
-    | ipaddr("int") | sort | ipaddr("address") %}
+    | ipaddr("address") %}
     "{{ address }}",
+{% endfor %}
 {% endfor %}
   ]
   version = 3

roles/debian/tasks/main.yml

@@ -39,9 +39,8 @@
       - git
       - ifupdown2
       - rsync
-      - tmux
       - vim
-      - wget
+      - tmux
 
 # for base Debian the main interfaces file is just an include
 - name: Remove interface definitions added by installer

roles/friwall/README.md

@@ -1 +0,0 @@
-Install and configure the [FRIwall](https://git.fri.uni-lj.si/rc/friwall) web application for managing firewall nodes. For settings and operation refer to that project.

roles/friwall/tasks/main.yml

@@ -38,18 +38,17 @@
     extra_args: --user --break-system-packages --no-warn-script-location
   notify: restart uwsgi
 
-- name: Ensure setting files exist
+- name: Configure base settings
-  copy:
+  template:
-    dest: "/srv/friwall/{{ item }}.json"
+    dest: "/srv/friwall/{{ item }}"
-    content: |
+    src: "{{ item }}.j2"
-      {}
     owner: friwall
     group: friwall
     mode: 0600
     force: no
   loop:
-    - nodes
+    - nodes.json
-    - settings
+    - settings.json
   notify: restart uwsgi
 
 - name: Configure list of networks

roles/friwall/templates/interfaces.j2

@@ -0,0 +1,14 @@
+auto lo
+iface lo inet loopback
+
+{% for iface in interfaces %}
+auto {{ iface.name }}
+iface {{ iface.name }} inet static
+{% for address in iface.ip_addresses %}
+    address {{ address.address }}
+{% endfor %}
+{% if iface.custom_fields.gateway %}
+    gateway {{ iface.custom_fields.gateway.address | ipaddr('address') }}
+{% endif %}
+
+{% endfor %}

roles/friwall/templates/nodes.json.j2

@@ -0,0 +1,11 @@
+{% set nodes = query('netbox.netbox.nb_lookup', 'devices', api_filter='role=firewall', raw_data=true)
+    | selectattr('config_context') | selectattr('config_context', 'contains', 'master')
+    | selectattr('config_context.master', '==', inventory_hostname)
+    | map(attribute='name') -%}
+
+{
+{% for node in nodes %}
+  "{{ hostvars[node] | device_address | selectattr('family.value', '==', 4)
+          | map(attribute='address') | ipaddr('address') | first }}": -1{{ '' if loop.last else ',' }}
+{% endfor %}
+}

roles/friwall/templates/settings.json.j2

@@ -0,0 +1,10 @@
+{
+  "ldap_host": "{{ domain }}",
+  "ldap_user": "{{ password.ldap_user }}",
+  "ldap_pass": "{{ password.ldap_pass }}",
+  "ldap_base_dn": "{{ ldap_base_dn }}",
+  "oidc_server": "{{ password.oidc_server }}",
+  "oidc_client_id": "{{ password.oidc_client_id }}",
+  "oidc_client_secret": "{{ password.oidc_client_secret }}",
+  "wg_net": "{{ wg_net }}"
+}