Diffstat (limited to 'ansible/plays')
-rw-r--r--ansible/plays/danneri.yml27
-rw-r--r--ansible/plays/files/zigbee2mqtt/garasjepi/configuration.yaml43
-rw-r--r--ansible/plays/host-garasjepi.yml28
-rw-r--r--ansible/plays/host-hash.yml10
-rw-r--r--ansible/plays/host-lhn2pi.yml6
-rw-r--r--ansible/plays/host-unifi.yml18
-rw-r--r--ansible/plays/ipam-generate-dns.yml34
-rw-r--r--ansible/plays/ipam-generate-tf.yml55
-rw-r--r--ansible/plays/kjell-ct-102.yml49
-rw-r--r--ansible/plays/otelcol-contrib.yml29
-rw-r--r--ansible/plays/roa-server.yml25
-rw-r--r--ansible/plays/templates/danneri/systemd-networkd/enp1s0.network8
-rw-r--r--ansible/plays/templates/lhn2pi/systemd/network/10-eth0.network11
-rw-r--r--ansible/plays/templates/otelcol-contrib/config.yaml65
-rw-r--r--ansible/plays/templates/roa-server/docker-compose.yml14
-rw-r--r--ansible/plays/templates/traefik-proxy.toml.j2126
-rw-r--r--ansible/plays/templates/unifi/systemd-networkd/enp1s0.network8
-rw-r--r--ansible/plays/zigbee2mqtt-backup.yml13
18 files changed, 569 insertions, 0 deletions
diff --git a/ansible/plays/danneri.yml b/ansible/plays/danneri.yml
new file mode 100644
index 0000000..6b4265a
--- /dev/null
+++ b/ansible/plays/danneri.yml
@@ -0,0 +1,27 @@
+- hosts:
+ - danneri
+ tasks:
+ - import_role:
+ name: systemd-networkd
+
+ - meta: flush_handlers
+
+ - become: yes
+ apt:
+ name:
+ - etckeeper
+ - import_role:
+ name: timezone
+
+ - become: yes
+ tags: k3s
+ copy:
+ dest: /etc/rancher/k3s/config.yaml
+ content: |
+ tls-san:
+ - "danneri.dn42.trygvis.io"
+ - "{{ ipam6.networks.lhn2_dn42.hosts.danneri }}"
+ - "2a06:2240:f00d:b500:9422:d355:95b7:f170"
+ cluster-cidr: "{{ ipam6.networks.danneri_cluster.range }}"
+ service-cidr: "{{ ipam6.networks.danneri_service.range }}"
+
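Review bot: The `copy` task that writes `/etc/rancher/k3s/config.yaml` sets no `owner`/`group`/`mode`, so the file's permissions are whatever the remote umask yields, and `copy` does not create the missing parent directory, so the task fails on a host where `/etc/rancher/k3s` does not exist yet. Add `owner: root`, `group: root`, `mode: "0600"` to the task (k3s config files commonly end up carrying the cluster token, so restrictive is the safe default) and precede it with a `file:` task creating `/etc/rancher/k3s` with `state: directory` and `mode: "0755"`. The hard-coded global address in `tls-san` sits beside two values derived from `ipam6`; if it is a stable address it belongs in the ipam data so the SAN list has a single source of truth. Per the project's lint conventions the `become: yes` lines should be `become: true`.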
diff --git a/ansible/plays/files/zigbee2mqtt/garasjepi/configuration.yaml b/ansible/plays/files/zigbee2mqtt/garasjepi/configuration.yaml
new file mode 100644
index 0000000..b0b8f5a
--- /dev/null
+++ b/ansible/plays/files/zigbee2mqtt/garasjepi/configuration.yaml
@@ -0,0 +1,43 @@
+homeassistant:
+ enabled: false
+frontend:
+ enabled: true
+mqtt:
+ base_topic: zigbee2mqtt
+ #server: mqtt://ha-kv24.dn42.trygvis.io
+ server: mqtt://192.168.10.159
+ user: z2m
+ password: zigbee2mqtt
+ version: 5
+serial:
+ port: /dev/ttyACM0
+ adapter: deconz
+advanced:
+ network_key:
+ - 107
+ - 142
+ - 62
+ - 67
+ - 150
+ - 226
+ - 182
+ - 69
+ - 47
+ - 194
+ - 244
+ - 95
+ - 73
+ - 125
+ - 135
+ - 61
+ pan_id: 43701
+ ext_pan_id:
+ - 181
+ - 224
+ - 197
+ - 29
+ - 98
+ - 176
+ - 205
+ - 241
+version: 4 \ No newline at end of file
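Review bot: This file commits the Zigbee `network_key`, `pan_id`/`ext_pan_id` and the MQTT credentials (`user: z2m`, `password: zigbee2mqtt`) in cleartext to the repository; the network key is what every device on the mesh encrypts with, so anyone with read access to the repo can join or decrypt the network, and rotating it means re-pairing every device. The repo already loads secrets with `community.sops.load_vars` (see kjell-ct-102.yml), so `mqtt.password` and `advanced.network_key`/`ext_pan_id` should be stored sops- or vault-encrypted and rendered into this file by a template, or the backup should be kept out of git entirely. The MQTT password is also just the product name and should be changed on the broker at the same time as the key is treated as leaked. The missing trailing newline suggests the file was written from a registered `stdout` rather than copied byte-for-byte, so a round-trip through this backup is not an exact copy.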
diff --git a/ansible/plays/host-garasjepi.yml b/ansible/plays/host-garasjepi.yml
new file mode 100644
index 0000000..62b0b3d
--- /dev/null
+++ b/ansible/plays/host-garasjepi.yml
@@ -0,0 +1,28 @@
+- hosts:
+ - garasjepi
+ tasks:
+ # These first
+ - become: yes
+ apt:
+ name:
+ - etckeeper
+ - git
+
+ - become: yes
+ apt:
+ name:
+ - tmux
+ - aptitude
+
+# - import_role:
+# name: timezone
+#
+# - import_role:
+# name: systemd-networkd
+
+ - become: yes
+ apt:
+ name:
+ - docker.io
+ - tmux
+ - aptitude
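Review bot: The third `apt` task repeats `tmux` and `aptitude` from the second; the only package it adds is `docker.io`, so the two can be collapsed into one task with `name: [tmux, aptitude, docker.io]`, and none of the three tasks has a `name:` to identify it in the run output. The commented-out `timezone`/`systemd-networkd` roles should either be removed or carry a comment saying why they are disabled on this host, since the other host plays in this commit do import them. `become: yes` should be `become: true` to match Ansible's documented boolean form.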
diff --git a/ansible/plays/host-hash.yml b/ansible/plays/host-hash.yml
new file mode 100644
index 0000000..62b781f
--- /dev/null
+++ b/ansible/plays/host-hash.yml
@@ -0,0 +1,10 @@
+- hosts: hash
+ tasks:
+ - become: yes
+ copy:
+ dest: /etc/docker/daemon.json
+ content: |
+ {
+ "ipv6": true,
+ "fixed-cidr-v6": "{{ ipam6.networks.hash_docker_dn42.range }}"
+ }
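Review bot: Writing `/etc/docker/daemon.json` has no `notify`, so dockerd keeps running with its old configuration and the new `fixed-cidr-v6` only takes effect after someone restarts it by hand; the task also has no `mode` and no `validate`, so an undefined `ipam6.networks.hash_docker_dn42` renders broken JSON that dockerd then refuses to start with. Add a handler that restarts docker, and validate the rendered JSON before it is put in place. Note that a docker restart stops running containers unless `live-restore` is enabled, so the handler is worth a comment.

```yaml
    - become: true
      copy:
        dest: /etc/docker/daemon.json
        # … unchanged: content …
        mode: "0644"
        validate: python3 -m json.tool %s
      notify: restart docker
  handlers:
    # Restarting dockerd stops running containers unless live-restore is on.
    - name: restart docker
      become: true
      systemd:
        name: docker
        state: restarted
```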
diff --git a/ansible/plays/host-lhn2pi.yml b/ansible/plays/host-lhn2pi.yml
new file mode 100644
index 0000000..551c3dd
--- /dev/null
+++ b/ansible/plays/host-lhn2pi.yml
@@ -0,0 +1,6 @@
+- hosts:
+ - lhn2pi
+ roles:
+ - systemd-networkd
+ - prometheus-bird-exporter
+ - prometheus-node-exporter
diff --git a/ansible/plays/host-unifi.yml b/ansible/plays/host-unifi.yml
new file mode 100644
index 0000000..41fb292
--- /dev/null
+++ b/ansible/plays/host-unifi.yml
@@ -0,0 +1,18 @@
+- hosts:
+ - unifi
+ tasks:
+ - become: yes
+ apt:
+ name:
+ - etckeeper
+
+ - import_role:
+ name: timezone
+
+ - import_role:
+ name: systemd-networkd
+
+ - become: yes
+ apt:
+ name:
+ - docker.io
diff --git a/ansible/plays/ipam-generate-dns.yml b/ansible/plays/ipam-generate-dns.yml
new file mode 100644
index 0000000..25f8087
--- /dev/null
+++ b/ansible/plays/ipam-generate-dns.yml
@@ -0,0 +1,34 @@
+- hosts: localhost
+ gather_facts: no
+ connection: local
+ vars_files:
+ - ../group_vars/all/ipam.yml
+ tasks:
+ - set_fact:
+ content: |
+ {% set hosts = [] %}
+ {% for nw_name, network in ipam6.networks.items() %}
+ {% for host, address in (network.hosts|default({})).items() %}
+ {{- hosts.append({'name': host, 'address': address}) -}}
+ {% endfor %}
+ {% endfor %}
+ # Generated from ansible data
+ {% for h in hosts|sort(attribute='name') %}
+
+ resource "linode_domain_record" "dn42-{{ h.name }}" {
+ domain_id = linode_domain.root.id
+ name = "{{ h.name }}.dn42"
+ record_type = "AAAA"
+ target = "{{ h.address|ansible.utils.ipv6('address') }}"
+ }
+ {% endfor %}
+ - debug:
+ msg: "{{ content }}"
+ when: false
+ - name: Generating ../../terraform/dns/dn42.tf
+ register: tf
+ copy:
+ dest: ../../terraform/dns/dn42.tf
+ content: "{{ content }}"
+ - shell: terraform fmt ../../terraform/ipam6/ipam6.tf
+ when: "tf.changed"
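Review bot: The final `terraform fmt` formats `../../terraform/ipam6/ipam6.tf`, but the file this play just wrote is `../../terraform/dns/dn42.tf`, so the generated DNS file is never formatted and the step appears to be copied from ipam-generate-tf.yml unchanged; it should read `- command: terraform fmt ../../terraform/dns/dn42.tf`. `command` rather than `shell` is enough here since the line uses no shell features. The `debug` task guarded by `when: false` is dead code and can be dropped or switched to a `verbosity: 1` debug.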
diff --git a/ansible/plays/ipam-generate-tf.yml b/ansible/plays/ipam-generate-tf.yml
new file mode 100644
index 0000000..d9888b4
--- /dev/null
+++ b/ansible/plays/ipam-generate-tf.yml
@@ -0,0 +1,55 @@
+- hosts: localhost
+ gather_facts: no
+ connection: local
+ vars_files:
+ - ../group_vars/all/ipam.yml
+ collections:
+ - ansible.utils
+ tasks:
+ - name: Generate terraform/ipam6/ipam6.tf
+ register: tf
+ copy:
+ dest: ../../terraform/ipam6/ipam6.tf
+ content: |
+ output "networks" {
+ value = {
+ {% for name, network in ipam6.networks.items() %}
+ {% if not (network.range | ansible.utils.ipv6) %}
+ Invalid network: {{ network.range }}
+ {% endif %}
+ {{ name }} = {
+ {% if network.description|default("") %}
+ description = "{{ network.description }}"
+ {% endif %}
+ range = "{{ network.range }}"
+ address = "{{ network.range|ansible.utils.ipaddr("network") }}"
+ prefix = "{{ network.range|ansible.utils.ipaddr("prefix") }}"
+ {% set hosts = network.hosts|default({}) %}
+ hosts = {
+ {% for name, addr in hosts.items() %}
+ {{ name }} = {
+ address: "{{ addr|ansible.utils.ipaddr("address") }}"
+ prefix: "{{ addr|ansible.utils.ipaddr("prefix") }}"
+ }
+ {% endfor %}
+ }
+ }
+ {% endfor %}
+ }
+ }
+
+ output "hosts" {
+ value = {
+ {% for name, network in ipam6.networks.items() %}
+ {% set hosts = network.hosts|default({}) %}
+ {% for name, addr in hosts.items() %}
+ {{ name }} = {
+ address: "{{ addr|ansible.utils.ipaddr("address") }}"
+ prefix: "{{ addr|ansible.utils.ipaddr("prefix") }}"
+ }
+ {% endfor %}
+ {% endfor %}
+ }
+ }
+ - shell: terraform fmt ../../terraform/ipam6/ipam6.tf
+ when: "tf.changed"
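Review bot: The `{% if not (network.range | ansible.utils.ipv6) %}` guard writes the text `Invalid network: …` into the generated `.tf` instead of failing the play, so a bad range is only discovered later as a terraform parse error in a file that has already been committed. Validate the data with an `assert` task before the `copy` and drop the in-template branch. Separately, the inner `{% for name, addr in hosts.items() %}` loops reuse the outer loop variable `name`; Jinja scopes them correctly, but renaming the inner one to `host` makes the template readable.

```yaml
    - name: Validate ipam6 network ranges
      assert:
        that: item.value.range | ansible.utils.ipv6
        fail_msg: "Invalid network range for {{ item.key }}: {{ item.value.range }}"
      loop: "{{ ipam6.networks | dict2items }}"
    # … unchanged: Generate terraform/ipam6/ipam6.tf task, without the Invalid network branch …
```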
diff --git a/ansible/plays/kjell-ct-102.yml b/ansible/plays/kjell-ct-102.yml
new file mode 100644
index 0000000..87b9459
--- /dev/null
+++ b/ansible/plays/kjell-ct-102.yml
@@ -0,0 +1,49 @@
+- hosts:
+ - kjell-ct-102
+ vars:
+ traefik_version: 3.4.1
+ traefik_checksum: md5:f299230ea9f247a672b187a79f2e76e6719ccbee
+ traefik_template: traefik-proxy.toml.j2
+ tasks:
+ - become: yes
+ apt:
+ name:
+ - etckeeper
+ - sudo
+ tags: packages,never
+
+ - import_role:
+ name: timezone
+ tags: timezone,never
+
+ - name: Load values from sops.yml
+ community.sops.load_vars:
+ name: env
+ file: ../../sops.yml
+ tags: traefik-server,never
+
+ - import_role:
+ name: traefik-server
+ vars:
+ traefik_environment:
+ LINODE_TOKEN: "{{ env.linode_token }}"
+ tags: traefik-server,never
+
+ - name: /etc/systemd/services/traefik.service
+ become: true
+ template:
+ src: "{{ traefik_template }}"
+ dest: /etc/traefik/traefik.toml
+ owner: root
+ group: root
+ mode: 0644
+ register: template
+
+ - name: systemctl restart traefik
+ become: true
+ systemd:
+ daemon_reload: true
+ unit: traefik
+ enabled: true
+ state: restarted
+ when: template.changed
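Review bot: `traefik_checksum: md5:f299230ea9f247a672b187a79f2e76e6719ccbee` is 40 hex digits, which is the length of a SHA-1 digest, not an MD5 (32), so whatever the `traefik-server` role does with it the value cannot match an MD5 of the download; and both MD5 and SHA-1 are collision-broken, so neither gives supply-chain integrity for a binary that terminates TLS. Replace it with `traefik_checksum: sha256:<digest>` taken from the `traefik_v3.4.1_checksums.txt` published with the release. The task named `/etc/systemd/services/traefik.service` actually templates `/etc/traefik/traefik.toml`; rename it so the run output is not misleading.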
diff --git a/ansible/plays/otelcol-contrib.yml b/ansible/plays/otelcol-contrib.yml
new file mode 100644
index 0000000..f667337
--- /dev/null
+++ b/ansible/plays/otelcol-contrib.yml
@@ -0,0 +1,29 @@
+- hosts:
+ - coregonus
+ - hash
+ - knot
+ tasks:
+
+ # otelcol-contrib.deb needs to be installed first
+ # adduser otelcol-contrib systemd-journal
+
+ - name: /etc/otelcol-contrib/config.yaml
+ become: yes
+ template:
+ src: otelcol-contrib/config.yaml
+ dest: /etc/otelcol-contrib/config.yaml
+ notify: systemctl restart otelcol-contrib
+
+ - name: mkdir /var/lib/otelcol/file_storage
+ become: yes
+ file:
+ path: /var/lib/otelcol/file_storage
+ owner: otelcol-contrib
+ notify: systemctl restart otelcol-contrib
+
+ handlers:
+ - name: systemctl restart otelcol-contrib
+ become: yes
+ systemd:
+ service: otelcol-contrib
+ state: restarted
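Review bot: The task named `mkdir /var/lib/otelcol/file_storage` calls `file` with only `path` and `owner`, so it runs with the default `state: file`, which never creates anything and fails if the directory is absent; add `state: directory`, `group: otelcol-contrib` and `mode: "0750"`. The config template task likewise sets no `mode`; the exporter endpoints in that file may one day carry credentials, so `owner: root`, `group: otelcol-contrib`, `mode: "0640"` is the safer default. The `adduser otelcol-contrib systemd-journal` step noted in the comment could be a `user:` task with `groups: systemd-journal` and `append: true` instead of a manual prerequisite.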
diff --git a/ansible/plays/roa-server.yml b/ansible/plays/roa-server.yml
new file mode 100644
index 0000000..c662640
--- /dev/null
+++ b/ansible/plays/roa-server.yml
@@ -0,0 +1,25 @@
+- hosts:
+ - hash
+ tasks:
+ - name: mkdir /etc/docker-service/roa-server
+ become: true
+ file:
+ path: /etc/docker-service/roa-server
+ state: directory
+ mode: 0700
+ - name: Install /etc/docker-service/roa-server/private.pem
+ become: true
+ copy:
+ dest: /etc/docker-service/roa-server/private.pem
+ content: "{{ roa_server.private }}"
+ owner: root
+ group: root
+ mode: 0444
+
+ - import_role:
+ name: docker-service
+ vars:
+ service: roa-server
+ template: templates/roa-server/docker-compose.yml
+# systemd_enabled: no
+# systemd_state: stopped
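Review bot: The private key is installed with `mode: 0444`, i.e. world-readable, and relies entirely on the parent directory's `0700` for protection; the compose template in this same commit also mounts `/etc/docker-service/roa-server/id_ecdsa`, while this play writes `private.pem`, so the container will not see the key at all (Docker creates an empty directory at a missing bind-mount source). Align the two on one filename and tighten the mode, e.g. `dest: /etc/docker-service/roa-server/id_ecdsa` with `mode: "0400"`. If stayrtr runs as a non-root user inside the container, set `owner` to that uid rather than loosening the mode; which user the image runs as is not visible here, so confirm against the image.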
diff --git a/ansible/plays/templates/danneri/systemd-networkd/enp1s0.network b/ansible/plays/templates/danneri/systemd-networkd/enp1s0.network
new file mode 100644
index 0000000..b38116c
--- /dev/null
+++ b/ansible/plays/templates/danneri/systemd-networkd/enp1s0.network
@@ -0,0 +1,8 @@
+[Match]
+Name=enp1s0
+
+[Network]
+DHCP=ipv4
+
+[IPv6AcceptRA]
+Token=static:{{ ipam6.networks.lhn2_dn42.hosts.danneri }}
diff --git a/ansible/plays/templates/lhn2pi/systemd/network/10-eth0.network b/ansible/plays/templates/lhn2pi/systemd/network/10-eth0.network
new file mode 100644
index 0000000..853556d
--- /dev/null
+++ b/ansible/plays/templates/lhn2pi/systemd/network/10-eth0.network
@@ -0,0 +1,11 @@
+[Match]
+Name=eth0
+
+[Network]
+DHCP=ipv4
+Address={{ ipam6.networks.lhn2_dn42.hosts.lhn2pi }}
+# IPv6Forwarding=yes # needs newer systemd
+
+# Disables the automatic activation of DHCPv6 from RA packets
+[IPv6AcceptRA]
+DHCPv6Client=no
diff --git a/ansible/plays/templates/otelcol-contrib/config.yaml b/ansible/plays/templates/otelcol-contrib/config.yaml
new file mode 100644
index 0000000..671dbaa
--- /dev/null
+++ b/ansible/plays/templates/otelcol-contrib/config.yaml
@@ -0,0 +1,65 @@
+receivers:
+ journald:
+ priority: debug
+
+exporters:
+ debug:
+ verbosity: detailed
+
+ nop:
+
+ otlphttp/hash:
+ endpoint: https://loki.trygvis.io/otlp
+
+extensions:
+ file_storage/journald:
+
+processors:
+ batch: {}
+
+ transform/severity_parse:
+ log_statements:
+ - context: log
+ statements:
+ - set(resource.attributes["service.namespace"], "systemd")
+ - set(resource.attributes["service.name"], body["_SYSTEMD_UNIT"])
+ - set(resource.attributes["systemd_unit"], body["_SYSTEMD_UNIT"])
+ - set(resource.attributes["systemd_slice"], body["_SYSTEMD_SLICE"])
+ - set(resource.attributes["node"], body["_HOSTNAME"])
+
+ - set(severity_number, SEVERITY_NUMBER_TRACE) where body["PRIORITY"] == "7"
+ - set(severity_text, "debug") where body["PRIORITY"] == "7"
+ - set(severity_number, SEVERITY_NUMBER_DEBUG) where body["PRIORITY"] == "6"
+ - set(severity_text, "info") where body["PRIORITY"] == "6"
+ - set(severity_number, SEVERITY_NUMBER_INFO) where body["PRIORITY"] == "5"
+ - set(severity_text, "notice") where body["PRIORITY"] == "5"
+ - set(severity_number, SEVERITY_NUMBER_WARN) where body["PRIORITY"] == "4"
+ - set(severity_text, "warning") where body["PRIORITY"] == "4"
+ - set(severity_number, SEVERITY_NUMBER_ERROR) where body["PRIORITY"] == "3"
+ - set(severity_text, "err") where body["PRIORITY"] == "3"
+ - set(severity_number, SEVERITY_NUMBER_FATAL) where body["PRIORITY"] == "2"
+ - set(severity_text, "crit") where body["PRIORITY"] == "2"
+ - set(severity_number, SEVERITY_NUMBER_FATAL) where body["PRIORITY"] == "1"
+ - set(severity_text, "alert") where body["PRIORITY"] == "1"
+ - set(severity_number, SEVERITY_NUMBER_FATAL) where body["PRIORITY"] == "0"
+ - set(severity_text, "emerg") where body["PRIORITY"] == "0"
+
+ - set(body, body["MESSAGE"])
+
+service:
+# telemetry:
+# logs:
+# level: debug
+ extensions:
+ - file_storage/journald
+ pipelines:
+ logs:
+ receivers:
+ - journald
+ processors:
+ - transform/severity_parse
+ - batch
+ exporters:
+# - debug
+# - nop
+ - otlphttp/hash
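Review bot: The severity mapping in `transform/severity_parse` is shifted one level: journal `PRIORITY` 7 (debug) is set to `SEVERITY_NUMBER_TRACE`, 6 (info) to `SEVERITY_NUMBER_DEBUG` and 5 (notice) to `SEVERITY_NUMBER_INFO`, while the `severity_text` written alongside says "debug"/"info"/"notice", so Loki sees a numeric severity that disagrees with its label. Change the three lines to `set(severity_number, SEVERITY_NUMBER_DEBUG) where body["PRIORITY"] == "7"`, `set(severity_number, SEVERITY_NUMBER_INFO) where body["PRIORITY"] == "6"` and keep 5 at INFO. `priority: debug` ships every journal line to `https://loki.trygvis.io/otlp` with no authentication configured on the exporter, which is only acceptable if access to that endpoint is restricted elsewhere; a comment stating that would help. The `file_storage/journald` extension is declared but nothing references it (the journald receiver would need `storage: file_storage/journald`), so the receiver's cursor is presumably not persisted across restarts — confirm against the receiver's docs.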
diff --git a/ansible/plays/templates/roa-server/docker-compose.yml b/ansible/plays/templates/roa-server/docker-compose.yml
new file mode 100644
index 0000000..c11933c
--- /dev/null
+++ b/ansible/plays/templates/roa-server/docker-compose.yml
@@ -0,0 +1,14 @@
+version: "3"
+services:
+ stayrtr:
+ image: rpki/stayrtr:latest # no tagged images are available :(
+ volumes:
+ - /etc/docker-service/roa-server/id_ecdsa:/id_ecdsa:ro
+ ports:
+ - 8022:8022
+ command:
+ - -bind=
+ - -ssh.bind=:8022
+ - -ssh.key=/id_ecdsa
+ - -checktime=false
+ - -cache=https://dn42.burble.com/roa/dn42_roa_46.json
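Review bot: `image: rpki/stayrtr:latest` is a mutable tag for the RTR server that feeds route-origin data to BGP routers, so any push to that tag changes what runs here on the next pull; the comment notes there are no version tags, but an image digest (`rpki/stayrtr@sha256:…`) pins the exact image regardless of tags and can be bumped deliberately. `-checktime=false` disables the staleness check on the downloaded ROA file, so an old or replayed cache is served without complaint; if that is intentional for the dn42 feed, say so in a comment next to it. The port mapping should be quoted as `"8022:8022"` per Compose conventions, and `version: "3"` is ignored by current Compose and can be dropped.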
diff --git a/ansible/plays/templates/traefik-proxy.toml.j2 b/ansible/plays/templates/traefik-proxy.toml.j2
new file mode 100644
index 0000000..d538664
--- /dev/null
+++ b/ansible/plays/templates/traefik-proxy.toml.j2
@@ -0,0 +1,126 @@
+[global]
+ checkNewVersion = true
+ sendAnonymousUsage = false
+
+################################################################
+# Entrypoints configuration
+################################################################
+
+[entryPoints]
+# [entryPoints.web]
+# address = ":80"
+
+ [entryPoints.websecure]
+ address = ":443"
+
+ [entryPoints.websecure.http.tls]
+ certResolver = "linode"
+
+[log]
+
+ # Log level
+ #
+ # Optional
+ # Default: "ERROR"
+ #
+ level = "DEBUG"
+
+ # Sets the filepath for the traefik log. If not specified, stdout will be used.
+ # Intermediate directories are created if necessary.
+ #
+ # Optional
+ # Default: os.Stdout
+ #
+ # filePath = "log/traefik.log"
+
+ # Format is either "json" or "common".
+ #
+ # Optional
+ # Default: "common"
+ #
+ # format = "json"
+
+################################################################
+# Access logs configuration
+################################################################
+
+# Enable access logs
+# By default it will write to stdout and produce logs in the textual
+# Common Log Format (CLF), extended with additional fields.
+#
+# Optional
+#
+# [accessLog]
+
+ # Sets the file path for the access log. If not specified, stdout will be used.
+ # Intermediate directories are created if necessary.
+ #
+ # Optional
+ # Default: os.Stdout
+ #
+ # filePath = "/path/to/log/log.txt"
+
+ # Format is either "json" or "common".
+ #
+ # Optional
+ # Default: "common"
+ #
+ # format = "json"
+
+################################################################
+# API and dashboard configuration
+################################################################
+
+# Enable API and dashboard
+[api]
+
+ # Enable the API in insecure mode
+ #
+ # Optional
+ # Default: false
+ #
+ # insecure = true
+
+ # Enabled Dashboard
+ #
+ # Optional
+ # Default: true
+ #
+ # dashboard = false
+
+################################################################
+# Ping configuration
+################################################################
+
+# Enable ping
+[ping]
+
+ # Name of the related entry point
+ #
+ # Optional
+ # Default: "traefik"
+ #
+ # entryPoint = "traefik"
+
+
+[certificatesResolvers.linode.acme]
+ email = "root@trygvis.io"
+ storage = "acme.json"
+ [certificatesResolvers.linode.acme.dnsChallenge]
+ provider = "linode"
+ delayBeforeCheck = 1
+
+[http]
+[http.routers]
+ [http.routers.junk]
+ rule = "Host(`junk.dn42.trygvis.io`)"
+ service = "netbox"
+
+ [http.routers.junk.tls]
+ certResolver = "linode"
+
+ [http.services]
+ # Define how to reach an existing service on our infrastructure
+ [http.services.netbox.loadBalancer]
+ [[http.services.netbox.loadBalancer.servers]]
+ url = "http://[fdb1:4242:3538:2005:be24:11ff:febb:5c7f]:8080"
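Review bot: `level = "DEBUG"` is committed as the permanent log level for a public-facing TLS proxy; DEBUG output includes per-request and upstream details and grows quickly, so `level = "INFO"` (or the documented default `"ERROR"`) is the right committed value, with DEBUG enabled only while troubleshooting. `storage = "acme.json"` is a relative path resolved against the process's working directory, which this template does not control; point it at an absolute location such as `/etc/traefik/acme.json` so the ACME account key and issued certificates do not land wherever the unit happens to start — the unit file comes from the `traefik-server` role and is not visible here, so confirm the directory. The router is named `junk` but forwards to a service named `netbox`; one of the two names is probably stale.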
diff --git a/ansible/plays/templates/unifi/systemd-networkd/enp1s0.network b/ansible/plays/templates/unifi/systemd-networkd/enp1s0.network
new file mode 100644
index 0000000..251bf45
--- /dev/null
+++ b/ansible/plays/templates/unifi/systemd-networkd/enp1s0.network
@@ -0,0 +1,8 @@
+[Match]
+Name=enp1s0
+
+[Network]
+DHCP=ipv4
+
+[IPv6AcceptRA]
+Token=static:{{ ipam6.networks.lhn2_dn42.hosts.unifi }}
diff --git a/ansible/plays/zigbee2mqtt-backup.yml b/ansible/plays/zigbee2mqtt-backup.yml
new file mode 100644
index 0000000..331045b
--- /dev/null
+++ b/ansible/plays/zigbee2mqtt-backup.yml
@@ -0,0 +1,13 @@
+- hosts:
+ - zigbee2mqtt
+ tasks:
+ - become: yes
+ register: config
+ shell:
+ cmd: |
+ mp=$(docker volume inspect zigbee2mqtt --format '{{"{{.Mountpoint}}"}}')
+ cat $mp/configuration.yaml
+ - copy:
+ content: "{{ config.stdout }}"
+ dest: files/zigbee2mqtt/{{ ansible_hostname }}/configuration.yaml
+ delegate_to: localhost
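Review bot: This play copies the live zigbee2mqtt configuration — which includes `advanced.network_key` and the MQTT password — into `files/` inside the repository, which is how the cleartext key in `files/zigbee2mqtt/garasjepi/configuration.yaml` ended up committed. Either encrypt the result on the controller before writing it (the repo already uses `community.sops`) or write to a path that is gitignored. The shell step also leaves `$mp` unquoted and `config.stdout` drops the trailing newline, so the backup is not byte-identical; quote it as `cat "$mp/configuration.yaml"` and write `content: "{{ config.stdout }}\n"`, or register the mountpoint and use `slurp` on `{{ mp }}/configuration.yaml` instead of `cat`.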