18 files changed, 502 insertions, 11 deletions

diff --git a/ansible/plays/danneri.yml b/ansible/plays/danneri.yml
index 2e960ee..6b4265a 100644
--- a/ansible/plays/danneri.yml
+++ b/ansible/plays/danneri.yml
@@ -12,3 +12,16 @@
         - etckeeper
     - import_role:
         name: timezone
+
+    - become: yes
+      tags: k3s
+      copy:
+        dest: /etc/rancher/k3s/config.yaml
+        content: |
+          tls-san:
+            - "danneri.dn42.trygvis.io"
+            - "{{ ipam6.networks.lhn2_dn42.hosts.danneri }}"
+            - "2a06:2240:f00d:b500:9422:d355:95b7:f170"
+          cluster-cidr: "{{ ipam6.networks.danneri_cluster.range }}"
+          service-cidr: "{{ ipam6.networks.danneri_service.range }}"
+
diff --git a/ansible/plays/files/danneri/systemd-networkd/enp1s0.network b/ansible/plays/files/danneri/systemd-networkd/enp1s0.network
deleted file mode 100644
index 7e12c2e..0000000
--- a/ansible/plays/files/danneri/systemd-networkd/enp1s0.network
+++ /dev/null
@@ -1,6 +0,0 @@
-[Match]
-Name=enp1s0
-
-[Network]
-DHCP=yes
-IPv6AcceptRA=true
diff --git a/ansible/plays/files/zigbee2mqtt/garasjepi/configuration.yaml b/ansible/plays/files/zigbee2mqtt/garasjepi/configuration.yaml
new file mode 100644
index 0000000..b0b8f5a
--- /dev/null
+++ b/ansible/plays/files/zigbee2mqtt/garasjepi/configuration.yaml
@@ -0,0 +1,43 @@
+homeassistant:
+  enabled: false
+frontend:
+  enabled: true
+mqtt:
+  base_topic: zigbee2mqtt
+  #server: mqtt://ha-kv24.dn42.trygvis.io
+  server: mqtt://192.168.10.159
+  user: z2m
+  password: zigbee2mqtt
+  version: 5
+serial:
+  port: /dev/ttyACM0
+  adapter: deconz
+advanced:
+  network_key:
+    - 107
+    - 142
+    - 62
+    - 67
+    - 150
+    - 226
+    - 182
+    - 69
+    - 47
+    - 194
+    - 244
+    - 95
+    - 73
+    - 125
+    - 135
+    - 61
+  pan_id: 43701
+  ext_pan_id:
+    - 181
+    - 224
+    - 197
+    - 29
+    - 98
+    - 176
+    - 205
+    - 241
+version: 4
\ No newline at end of file
diff --git a/ansible/plays/host-garasjepi.yml b/ansible/plays/host-garasjepi.yml
new file mode 100644
index 0000000..62b0b3d
--- /dev/null
+++ b/ansible/plays/host-garasjepi.yml
@@ -0,0 +1,28 @@
+- hosts:
+    - garasjepi
+  tasks:
+    # These first
+    - become: yes
+      apt:
+        name:
+          - etckeeper
+          - git
+
+    - become: yes
+      apt:
+        name:
+          - tmux
+          - aptitude
+
+#    - import_role:
+#        name: timezone
+#
+#    - import_role:
+#        name: systemd-networkd
+
+    - become: yes
+      apt:
+        name:
+          - docker.io
+          - tmux
+          - aptitude
diff --git a/ansible/plays/host-hash.yml b/ansible/plays/host-hash.yml
new file mode 100644
index 0000000..62b781f
--- /dev/null
+++ b/ansible/plays/host-hash.yml
@@ -0,0 +1,10 @@
+- hosts: hash
+  tasks:
+    - become: yes
+      copy:
+        dest: /etc/docker/daemon.json
+        content: |
+          {
+            "ipv6": true,
+            "fixed-cidr-v6": "{{ ipam6.networks.hash_docker_dn42.range }}"
+          }
diff --git a/ansible/plays/host-lhn2pi.yml b/ansible/plays/host-lhn2pi.yml
new file mode 100644
index 0000000..551c3dd
--- /dev/null
+++ b/ansible/plays/host-lhn2pi.yml
@@ -0,0 +1,6 @@
+- hosts:
+    - lhn2pi
+  roles:
+    - systemd-networkd
+    - prometheus-bird-exporter
+    - prometheus-node-exporter
diff --git a/ansible/plays/host-unifi.yml b/ansible/plays/host-unifi.yml
new file mode 100644
index 0000000..41fb292
--- /dev/null
+++ b/ansible/plays/host-unifi.yml
@@ -0,0 +1,18 @@
+- hosts:
+    - unifi
+  tasks:
+    - become: yes
+      apt:
+        name:
+          - etckeeper
+
+    - import_role:
+        name: timezone
+
+    - import_role:
+        name: systemd-networkd
+
+    - become: yes
+      apt:
+        name:
+          - docker.io
diff --git a/ansible/plays/ipam-generate-dns.yml b/ansible/plays/ipam-generate-dns.yml
new file mode 100644
index 0000000..25f8087
--- /dev/null
+++ b/ansible/plays/ipam-generate-dns.yml
@@ -0,0 +1,34 @@
+- hosts: localhost
+  gather_facts: no
+  connection: local
+  vars_files:
+    - ../group_vars/all/ipam.yml
+  tasks:
+    - set_fact:
+        content: |
+          {% set hosts = [] %}
+          {% for nw_name, network in ipam6.networks.items() %}
+          {% for host, address in (network.hosts|default({})).items() %}
+          {{- hosts.append({'name': host, 'address': address}) -}}
+          {% endfor %}
+          {% endfor %}
+          # Generated from ansible data
+          {% for h in hosts|sort(attribute='name') %}
+
+          resource "linode_domain_record" "dn42-{{ h.name }}" {
+            domain_id   = linode_domain.root.id
+            name        = "{{ h.name }}.dn42"
+            record_type = "AAAA"
+            target      = "{{ h.address|ansible.utils.ipv6('address') }}"
+          }
+          {% endfor %}
+    - debug:
+        msg: "{{ content }}"
+      when: false
+    - name: Generating ../../terraform/dns/dn42.tf
+      register: tf
+      copy:
+        dest: ../../terraform/dns/dn42.tf
+        content: "{{ content }}"
+    - shell: terraform fmt ../../terraform/ipam6/ipam6.tf
+      when: "tf.changed"
diff --git a/ansible/plays/ipam-generate-tf.yml b/ansible/plays/ipam-generate-tf.yml
new file mode 100644
index 0000000..d9888b4
--- /dev/null
+++ b/ansible/plays/ipam-generate-tf.yml
@@ -0,0 +1,55 @@
+- hosts: localhost
+  gather_facts: no
+  connection: local
+  vars_files:
+    - ../group_vars/all/ipam.yml
+  collections:
+    - ansible.utils
+  tasks:
+    - name: Generate terraform/ipam6/ipam6.tf
+      register: tf
+      copy:
+        dest: ../../terraform/ipam6/ipam6.tf
+        content: |
+          output "networks" {
+            value = {
+          {% for name, network in ipam6.networks.items() %}
+          {% if not (network.range | ansible.utils.ipv6) %}
+          Invalid network: {{ network.range }}
+          {% endif %}
+              {{ name }} = {
+          {% if network.description|default("") %}
+                description = "{{ network.description }}"
+          {% endif %}
+                range = "{{ network.range }}"
+                address = "{{ network.range|ansible.utils.ipaddr("network") }}"
+                prefix = "{{ network.range|ansible.utils.ipaddr("prefix") }}"
+          {% set hosts = network.hosts|default({}) %}
+                hosts = {
+          {% for name, addr in hosts.items() %}
+                  {{ name }} = {
+                    address: "{{ addr|ansible.utils.ipaddr("address") }}"
+                    prefix: "{{ addr|ansible.utils.ipaddr("prefix") }}"
+                  }
+          {% endfor %}
+                }
+              }
+          {% endfor %}
+            }
+          }
+
+          output "hosts" {
+            value = {
+          {% for name, network in ipam6.networks.items() %}
+          {% set hosts = network.hosts|default({}) %}
+          {% for name, addr in hosts.items() %}
+              {{ name }} = {
+                address: "{{ addr|ansible.utils.ipaddr("address") }}"
+                prefix: "{{ addr|ansible.utils.ipaddr("prefix") }}"
+              }
+          {% endfor %}
+          {% endfor %}
+            }
+          }
+    - shell: terraform fmt ../../terraform/ipam6/ipam6.tf
+      when: "tf.changed"
diff --git a/ansible/plays/kjell-ct-102.yml b/ansible/plays/kjell-ct-102.yml
new file mode 100644
index 0000000..87b9459
--- /dev/null
+++ b/ansible/plays/kjell-ct-102.yml
@@ -0,0 +1,49 @@
+- hosts:
+    - kjell-ct-102
+  vars:
+    traefik_version: 3.4.1
+    traefik_checksum: md5:f299230ea9f247a672b187a79f2e76e6719ccbee
+    traefik_template: traefik-proxy.toml.j2
+  tasks:
+    - become: yes
+      apt:
+        name:
+          - etckeeper
+          - sudo
+      tags: packages,never
+  
+    - import_role:
+        name: timezone
+      tags: timezone,never
+  
+    - name: Load values from sops.yml
+      community.sops.load_vars:
+        name: env
+        file: ../../sops.yml
+      tags: traefik-server,never
+
+    - import_role:
+        name: traefik-server
+      vars:
+        traefik_environment:
+          LINODE_TOKEN: "{{ env.linode_token }}"
+      tags: traefik-server,never
+
+    - name: /etc/systemd/services/traefik.service
+      become: true
+      template:
+        src: "{{ traefik_template }}"
+        dest: /etc/traefik/traefik.toml
+        owner: root
+        group: root
+        mode: 0644
+      register: template
+
+    - name: systemctl restart traefik
+      become: true
+      systemd:
+        daemon_reload: true
+        unit: traefik
+        enabled: true
+        state: restarted
+      when: template.changed
diff --git a/ansible/plays/lhn2pi.yml b/ansible/plays/lhn2pi.yml
deleted file mode 100644
index 614b926..0000000
--- a/ansible/plays/lhn2pi.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- hosts:
-    - lhn2pi
-  roles:
-    - systemd-networkd
diff --git a/ansible/plays/otelcol-contrib.yml b/ansible/plays/otelcol-contrib.yml
new file mode 100644
index 0000000..f667337
--- /dev/null
+++ b/ansible/plays/otelcol-contrib.yml
@@ -0,0 +1,29 @@
+- hosts:
+    - coregonus
+    - hash
+    - knot
+  tasks:
+
+    # otelcol-contrib.deb needs to be installed first
+    # adduser otelcol-contrib systemd-journal
+
+    - name: /etc/otelcol-contrib/config.yaml
+      become: yes
+      template:
+        src: otelcol-contrib/config.yaml
+        dest: /etc/otelcol-contrib/config.yaml
+      notify: systemctl restart otelcol-contrib
+
+    - name: mkdir /var/lib/otelcol/file_storage
+      become: yes
+      file:
+        path: /var/lib/otelcol/file_storage
+        owner: otelcol-contrib
+      notify: systemctl restart otelcol-contrib
+
+  handlers:
+    - name: systemctl restart otelcol-contrib
+      become: yes
+      systemd:
+        service: otelcol-contrib
+        state: restarted
diff --git a/ansible/plays/templates/danneri/systemd-networkd/enp1s0.network b/ansible/plays/templates/danneri/systemd-networkd/enp1s0.network
index a4c84ee..b38116c 100644
--- a/ansible/plays/templates/danneri/systemd-networkd/enp1s0.network
+++ b/ansible/plays/templates/danneri/systemd-networkd/enp1s0.network
@@ -5,4 +5,4 @@ Name=enp1s0
 DHCP=ipv4
 
 [IPv6AcceptRA]
-Token=static:{{ ipam6.networks.coregonus_dn42.hosts.danneri }}
+Token=static:{{ ipam6.networks.lhn2_dn42.hosts.danneri }}
diff --git a/ansible/plays/templates/lhn2pi/systemd/network/10-eth0.network b/ansible/plays/templates/lhn2pi/systemd/network/10-eth0.network
index f17b3f9..853556d 100644
--- a/ansible/plays/templates/lhn2pi/systemd/network/10-eth0.network
+++ b/ansible/plays/templates/lhn2pi/systemd/network/10-eth0.network
@@ -5,3 +5,7 @@ Name=eth0
 DHCP=ipv4
 Address={{ ipam6.networks.lhn2_dn42.hosts.lhn2pi }}
 # IPv6Forwarding=yes # needs newer systemd
+
+# Disables the automatic activation of DHCPv6 from RA packets
+[IPv6AcceptRA]
+DHCPv6Client=no
diff --git a/ansible/plays/templates/otelcol-contrib/config.yaml b/ansible/plays/templates/otelcol-contrib/config.yaml
new file mode 100644
index 0000000..671dbaa
--- /dev/null
+++ b/ansible/plays/templates/otelcol-contrib/config.yaml
@@ -0,0 +1,65 @@
+receivers:
+  journald:
+    priority: debug
+
+exporters:
+  debug:
+    verbosity: detailed
+
+  nop:
+
+  otlphttp/hash:
+    endpoint: https://loki.trygvis.io/otlp
+
+extensions:
+  file_storage/journald:
+
+processors:
+  batch: {}
+
+  transform/severity_parse:
+    log_statements:
+      - context: log
+        statements:
+          - set(resource.attributes["service.namespace"], "systemd")
+          - set(resource.attributes["service.name"], body["_SYSTEMD_UNIT"])
+          - set(resource.attributes["systemd_unit"], body["_SYSTEMD_UNIT"])
+          - set(resource.attributes["systemd_slice"], body["_SYSTEMD_SLICE"])
+          - set(resource.attributes["node"], body["_HOSTNAME"])
+
+          - set(severity_number, SEVERITY_NUMBER_TRACE) where body["PRIORITY"] == "7"
+          - set(severity_text, "debug") where body["PRIORITY"] == "7"
+          - set(severity_number, SEVERITY_NUMBER_DEBUG) where body["PRIORITY"] == "6"
+          - set(severity_text, "info") where body["PRIORITY"] == "6"
+          - set(severity_number, SEVERITY_NUMBER_INFO) where body["PRIORITY"] == "5"
+          - set(severity_text, "notice") where body["PRIORITY"] == "5"
+          - set(severity_number, SEVERITY_NUMBER_WARN) where body["PRIORITY"] == "4"
+          - set(severity_text, "warning") where body["PRIORITY"] == "4"
+          - set(severity_number, SEVERITY_NUMBER_ERROR) where body["PRIORITY"] == "3"
+          - set(severity_text, "err") where body["PRIORITY"] == "3"
+          - set(severity_number, SEVERITY_NUMBER_FATAL) where body["PRIORITY"] == "2"
+          - set(severity_text, "crit") where body["PRIORITY"] == "2"
+          - set(severity_number, SEVERITY_NUMBER_FATAL) where body["PRIORITY"] == "1"
+          - set(severity_text, "alert") where body["PRIORITY"] == "1"
+          - set(severity_number, SEVERITY_NUMBER_FATAL) where body["PRIORITY"] == "0"
+          - set(severity_text, "emerg") where body["PRIORITY"] == "0"
+
+          - set(body, body["MESSAGE"])
+
+service:
+#  telemetry:
+#    logs:
+#      level: debug
+  extensions:
+    - file_storage/journald
+  pipelines:
+    logs:
+      receivers:
+        - journald
+      processors: 
+        - transform/severity_parse
+        - batch
+      exporters:
+#        - debug
+#        - nop
+        - otlphttp/hash
diff --git a/ansible/plays/templates/traefik-proxy.toml.j2 b/ansible/plays/templates/traefik-proxy.toml.j2
new file mode 100644
index 0000000..d538664
--- /dev/null
+++ b/ansible/plays/templates/traefik-proxy.toml.j2
@@ -0,0 +1,126 @@
+[global]
+  checkNewVersion = true
+  sendAnonymousUsage = false
+
+################################################################
+# Entrypoints configuration
+################################################################
+
+[entryPoints]
+#  [entryPoints.web]
+#    address = ":80"
+
+  [entryPoints.websecure]
+    address = ":443"
+
+    [entryPoints.websecure.http.tls]
+      certResolver = "linode"
+
+[log]
+
+  # Log level
+  #
+  # Optional
+  # Default: "ERROR"
+  #
+  level = "DEBUG"
+
+  # Sets the filepath for the traefik log. If not specified, stdout will be used.
+  # Intermediate directories are created if necessary.
+  #
+  # Optional
+  # Default: os.Stdout
+  #
+  # filePath = "log/traefik.log"
+
+  # Format is either "json" or "common".
+  #
+  # Optional
+  # Default: "common"
+  #
+  # format = "json"
+
+################################################################
+# Access logs configuration
+################################################################
+
+# Enable access logs
+# By default it will write to stdout and produce logs in the textual
+# Common Log Format (CLF), extended with additional fields.
+#
+# Optional
+#
+# [accessLog]
+
+  # Sets the file path for the access log. If not specified, stdout will be used.
+  # Intermediate directories are created if necessary.
+  #
+  # Optional
+  # Default: os.Stdout
+  #
+  # filePath = "/path/to/log/log.txt"
+
+  # Format is either "json" or "common".
+  #
+  # Optional
+  # Default: "common"
+  #
+  # format = "json"
+
+################################################################
+# API and dashboard configuration
+################################################################
+
+# Enable API and dashboard
+[api]
+
+  # Enable the API in insecure mode
+  #
+  # Optional
+  # Default: false
+  #
+  # insecure = true
+
+  # Enabled Dashboard
+  #
+  # Optional
+  # Default: true
+  #
+  # dashboard = false
+
+################################################################
+# Ping configuration
+################################################################
+
+# Enable ping
+[ping]
+
+  # Name of the related entry point
+  #
+  # Optional
+  # Default: "traefik"
+  #
+  # entryPoint = "traefik"
+
+
+[certificatesResolvers.linode.acme]
+  email = "root@trygvis.io"
+  storage = "acme.json"
+  [certificatesResolvers.linode.acme.dnsChallenge]
+    provider = "linode"
+    delayBeforeCheck = 1
+
+[http]
+[http.routers]
+  [http.routers.junk]
+  rule = "Host(`junk.dn42.trygvis.io`)"
+  service = "netbox"
+
+  [http.routers.junk.tls]
+    certResolver = "linode"
+
+  [http.services]
+    # Define how to reach an existing service on our infrastructure
+    [http.services.netbox.loadBalancer]
+      [[http.services.netbox.loadBalancer.servers]]
+        url = "http://[fdb1:4242:3538:2005:be24:11ff:febb:5c7f]:8080"
diff --git a/ansible/plays/templates/unifi/systemd-networkd/enp1s0.network b/ansible/plays/templates/unifi/systemd-networkd/enp1s0.network
new file mode 100644
index 0000000..251bf45
--- /dev/null
+++ b/ansible/plays/templates/unifi/systemd-networkd/enp1s0.network
@@ -0,0 +1,8 @@
+[Match] 
+Name=enp1s0
+
+[Network]
+DHCP=ipv4
+
+[IPv6AcceptRA]
+Token=static:{{ ipam6.networks.lhn2_dn42.hosts.unifi }}
diff --git a/ansible/plays/zigbee2mqtt-backup.yml b/ansible/plays/zigbee2mqtt-backup.yml
new file mode 100644
index 0000000..331045b
--- /dev/null
+++ b/ansible/plays/zigbee2mqtt-backup.yml
@@ -0,0 +1,13 @@
+- hosts:
+    - zigbee2mqtt
+  tasks:
+    - become: yes
+      register: config
+      shell:
+        cmd: |
+          mp=$(docker volume inspect zigbee2mqtt --format '{{"{{.Mountpoint}}"}}')
+          cat $mp/configuration.yaml
+    - copy:
+        content: "{{ config.stdout }}"
+        dest: files/zigbee2mqtt/{{ ansible_hostname }}/configuration.yaml
+      delegate_to: localhost