From 2fc93e6e626067703ebbfbda9692e134e355495b Mon Sep 17 00:00:00 2001 
From: bitwhisker Date: Sat, 23 May 2026 23:46:00 +0200 Subject: [PATCH 01/35] rt1(z9 host): create host and configure networkd and nftables --- inventories/z9/host_vars/rt1.sops.yaml | 198 ++++++++++++++++++ inventories/z9/host_vars/rt1.yaml | 6 + inventories/z9/hosts.yaml | 11 + resources/z9/rt1/nftables/nftables.conf | 111 ++++++++++ .../z9/rt1/systemd_networkd/00-netlan.link | 6 + .../z9/rt1/systemd_networkd/00-netwan.link | 6 + .../rt1/systemd_networkd/10-netlan.51.netdev | 7 + .../rt1/systemd_networkd/10-netlan.52.netdev | 7 + .../rt1/systemd_networkd/10-netlan.53.netdev | 7 + .../rt1/systemd_networkd/10-netlan.54.netdev | 7 + .../rt1/systemd_networkd/10-netwan.400.netdev | 7 + .../z9/rt1/systemd_networkd/10-wg55.netdev | 90 ++++++++ .../z9/rt1/systemd_networkd/20-netlan.network | 12 ++ .../z9/rt1/systemd_networkd/20-netwan.network | 9 + .../z9/rt1/systemd_networkd/20-wg55.network | 6 + .../21-netlan.51-clients.network | 27 +++ .../systemd_networkd/21-netlan.52-iot.network | 27 +++ .../21-netlan.53-public.network | 27 +++ .../21-netlan.54-management.network | 27 +++ .../21-netwan.400-fux_uplink.network | 26 +++ .../rt1/systemd_networkd_global_config.conf | 3 + 21 files changed, 627 insertions(+) create mode 100644 inventories/z9/host_vars/rt1.sops.yaml create mode 100644 inventories/z9/host_vars/rt1.yaml create mode 100644 resources/z9/rt1/nftables/nftables.conf create mode 100644 resources/z9/rt1/systemd_networkd/00-netlan.link create mode 100644 resources/z9/rt1/systemd_networkd/00-netwan.link create mode 100644 resources/z9/rt1/systemd_networkd/10-netlan.51.netdev create mode 100644 resources/z9/rt1/systemd_networkd/10-netlan.52.netdev create mode 100644 resources/z9/rt1/systemd_networkd/10-netlan.53.netdev create mode 100644 resources/z9/rt1/systemd_networkd/10-netlan.54.netdev create mode 100644 resources/z9/rt1/systemd_networkd/10-netwan.400.netdev create mode 100644 resources/z9/rt1/systemd_networkd/10-wg55.netdev create mode 100644 
resources/z9/rt1/systemd_networkd/20-netlan.network create mode 100644 resources/z9/rt1/systemd_networkd/20-netwan.network create mode 100644 resources/z9/rt1/systemd_networkd/20-wg55.network create mode 100644 resources/z9/rt1/systemd_networkd/21-netlan.51-clients.network create mode 100644 resources/z9/rt1/systemd_networkd/21-netlan.52-iot.network create mode 100644 resources/z9/rt1/systemd_networkd/21-netlan.53-public.network create mode 100644 resources/z9/rt1/systemd_networkd/21-netlan.54-management.network create mode 100644 resources/z9/rt1/systemd_networkd/21-netwan.400-fux_uplink.network create mode 100644 resources/z9/rt1/systemd_networkd_global_config.conf diff --git a/inventories/z9/host_vars/rt1.sops.yaml b/inventories/z9/host_vars/rt1.sops.yaml new file mode 100644 index 0000000..f4141fd --- /dev/null +++ b/inventories/z9/host_vars/rt1.sops.yaml 
@@ -0,0 +1,198 @@ +secrets__secrets: + - name: ENC[AES256_GCM,data:MmqDXUKy+U67JZFmKJTGLYAJcYPClQ8M2w==,iv:/eDx++bJCzdKXYB8YipB/GB6aM421JR3sy8i5trBKxk=,tag:/zTklys9bN839iT1qOH0UQ==,type:str] + content: ENC[AES256_GCM,data:2ljp324rAsF2zk2631TI7bV1xKxdFr4u4NxrsPYnjWsL0PX0n0KhJ1qvJCs=,iv:0+DxsTTiNLOg5iH83bFT/d+0uW2rn6bATSm3xc5PEdE=,tag:XbBDrrjriXPedyT4+sBBwA==,type:str] + - name: ENC[AES256_GCM,data:9i4hZU7Hv/IMlI/1oYthx8g57nrst9LHZQk=,iv:IQanD/CA64A+hVyTQBiTvWdXyY8qNF9BpehWZxI5a9c=,tag:RiY0OJe2xbFPG6wfe5XjiA==,type:str] + content: ENC[AES256_GCM,data:lrwHaNvHkh5E94ziiQsd8ua9YvuwmhZ6iIGZS0oFnZdYKuyNh7egWOoii2o=,iv:LLRKhbiJl1GwK/SfqNdNrrJuDF17YXw3hHmuhlyI87w=,tag:DbR/a7jfy1+4yswSdYfOFA==,type:str] + - name: ENC[AES256_GCM,data:2lJUcDJ7ECJ1bF4Fg1VwOR2tBIQ77ZvDAbFF8w==,iv:HrPWIetjN/lOyQ7Mvk0sM1w+bWldlNfWhvw7/sfqKN8=,tag:AJL0s+f0O/yR4G3RVd1IHQ==,type:str] + content: ENC[AES256_GCM,data:68GUwG1Q2s2jH92HS0FQWrcMHJP8fHjrOqr21gsdswxKekQrpxX5B3BBFfM=,iv:HOsNUAKE5rOmKgZft2JK1NnZUuhk261d9WYWJS22nLM=,tag:3husFvB57AGVFzF7hKzLpw==,type:str] + - name: ENC[AES256_GCM,data:ESxpEp9k9BdD1GJv+af+U3ny0+RPuaJjWDhQ,iv:DxsZLiDF8F+ixepbUdlitMJ7DLHjGNFNuxRwLl7efo8=,tag:STnv/oLzbchdiwXfKP3fow==,type:str] + content: ENC[AES256_GCM,data:W2h5AcoT85OkekPeRkrf1m0bDdBjG/YNSbWlrcZtP7FjaPh/F+cx+J6oRRI=,iv:CLVXTqfstpIU3BX/Zdcnp9w0gWxeGDI/G1MNl6xr4ZU=,tag:yCqN4r1MV/VTWQvZ6COfIw==,type:str] + - name: ENC[AES256_GCM,data:IRwwy+WQxgQ8cDpB8HaCLpKwJj7oC87p0XOxWRo=,iv:BLXNMcigvaOeY6y4NlLPMMWQt9XFi6nodRwIYFgAAnU=,tag:OdQalmujOgrzW8oi64xMRg==,type:str] + content: ENC[AES256_GCM,data:C5oIcuEYtODsvjQZnbqbWVfP63mQzcRuh8f5rlBCyjwSq2mZiYGQe9t0T78=,iv:sITUDo9SKZTSwPfsMv4m4U0ruuVCcaxu7SUT52U4FSE=,tag:4CsSMJWQQPAIeK8DwUDBqg==,type:str] + - name: ENC[AES256_GCM,data:r0sbpjaGjezoNlyl1khy+Dly+8xbbfQZNB8om/E4/tj9lmM=,iv:MLrglBJA6BrHGmFRprlQcf5/Hqh952e5OyQQ9nPxumY=,tag:Se05kMBkSQ7TRxzij7Fo8A==,type:str] + content: 
ENC[AES256_GCM,data:/c1nRf1eZhbUmoQWvcj8yDaVPtyAN7Uu+S054q3C1/kXlQ7CgOe4CrMXnmk=,iv:ppar0aCKuIU3DOjwAoliZ5TOL199Z+Ffo4pCktjs0W8=,tag:nfaGutK+5KnlWBKU1MTxkQ==,type:str] + - name: ENC[AES256_GCM,data:7mwuykEqbGISOa2n+pWb6INLsHYdjyf2HxTtWpAr5xP1,iv:NMcg+L2DFtBO1nhyPid31yzLr+ZX7DUGl/WxV1MnrqU=,tag:65/BiUEI8v5oMlQqpKNDRg==,type:str] + content: ENC[AES256_GCM,data:SObbA3D/sGN5/i5ps4Zz3alygIXKbSgptFjfPHlwC8G588O+gKAkvKQwU/s=,iv:PY2vLfI3gInFeQbse49KC2/zZ9O4jeXAQ0fpP84GHHE=,tag:214Mb8hIYDkQ4+UkRWtc9w==,type:str] + - name: ENC[AES256_GCM,data:bES9O6JI4wTnuZsup9gflfaozeUDkfjVGNIFn8RnZQ==,iv:98kigM3KZIN5qXNdgfLg5WLmxzAsYCjNqVzyUPco/BI=,tag:1fwEtwQ6i9QQC3OCewN0eA==,type:str] + content: ENC[AES256_GCM,data:flO3Nb4u2WfWNVhn8k5Bgo3LmsHo2cVnLCsrz8ST9Ip7gO9FY9d27FQgphM=,iv:aiDoq+41cSjwcCZRaIPLtbltkOpc7FeuNN7swPqkHXQ=,tag:OhzcY2xKKJF2jZVRseXCFg==,type:str] + - name: ENC[AES256_GCM,data:ERsggezMBbs1YwbIgwzKSAEHWWOWYxap8IDdn2YtEKvZexqu,iv:XbObLp2QERgt57tc/Cpha1CWXi+GttcIU8hJFGSp8e8=,tag:FqCuSbvLRERpVnQTzQsfpQ==,type:str] + content: ENC[AES256_GCM,data:QPoZA71CwE8EFE0I+6z0z0O1bUCMQDDDG7wGNoxXKt3ovLkFt21r8WG7VhA=,iv:InX6A71f3DGTg1wO4G0ECf488+FnKgTHffVwvJ9hHQ0=,tag:EVxwJlneN1CbMLXto7uLFw==,type:str] +sops: + lastmodified: "2026-05-23T21:19:38Z" + mac: ENC[AES256_GCM,data:Ded0VfGn8H2qGMk5LDyqF1gW8hajKc9FgvCynHPQkWkhMSdaHYbFwf//gWi2TjIO22HD5sPw1w9KAjPy53b57RwBCjXfMMq0JCPvuePLK40NC8uCAi+wr5Er0fAWz1JiaA+dowposoi6RxBtyHCaNHMDVGMLh1j+IL+pTOyi6fk=,iv:gssOMmR0DDQC4WjMVXTD/zqbQa8qlBr9ZZWF15W0WnE=,tag:DORTxQfCmpVjDjyGSNH7dw==,type:str] + pgp: + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ//bbr0oza/X6GG43ay9coZbb+0aptj3pGzQqT1ND6nsI34 + iY3IZaMZIti+j/BS5kEfmRn56WZSx6EcbSrlbiyL5NZw9R4/bGRd848rOLwMvuYO + 8Usei9jHdpHiPvKBZnZXaXGU8E27L0Y/LCxSIFOXbyHzHogjz3JmtJQsYpSC+ue6 + mIRrSAJPALrqEL+DZ2bl5UYlBIRXdtIe/jL1CFCJhULt+EjJw72T62DZK/jaNZTj + eint63+IFZSxx5e5vrAeQB+p2EDsp6c5NbDrlgQWb8/J1q/G5bG4KxBs/0hum7OW + 
/sSsIDb4Qb8U/axt5LduV6AkMXXsclNLQU/LbFAbBRcV8Lvh11f0U3V/UnqUdmvp + efesb5VQh1x0uWjzobxaioLEV/YYbWx8binvuJ3MBHKp6E2xj7IrBTVl0MWgjEou + ZbQDF8DvxA49xEnJyOviL2/zjnV1kXy+Q+BKZga3pr8AnBHA8Ftbsvmk6CyDEM0R + i4FAUOVa9VWiszoOaqyn1Fl02YlweFmgzuFjd3wi74Tbi6RE37rN/vBKySbnRQYl + rFUU3SQlztxd4UBAXBo6gQKTz5B4rehvKVye2mmqEE9bas/lCWAKVJ7+3+0NQdA2 + lp/X7h7DRSD2Qkd35SzxkJz7P86rd0LM1aOu87psxYavEWw6vFs2ErDkSeqDn1DU + aAEJAhDb1s+jpDUa3GvVZjoiiCyutI018jfJU1vi12PGktg4KJcXBx66R/nLItO2 + ba6o66scIiAJZ+jYymW6RbJTI7XRHJp4Cs8COhpMRQeOGwEHFGGL2rpGd3KrOLQe + 0/C6EmrJvGpl + =atNE + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA1QflAioE8i3AQf+NkUGCBrTCkkyl+iBb6P1IWLDGqAY8s20mBZ7G3plKE/J + UrIe947letj/8EA+yoN0uzjwEkh3rDLtZrOLTSgflq1GMpdVhdaTbS71fD3kghJQ + P9tz0zDQEgXHBi+2q7iRrEETx/cu7UDNkSCNvQbWvDmo8MfbSBy+VFCknfupdQxj + 9hlq4kBA0pckPCY8V7E05nDhQntS8wpXIEO1SWiSuiGg+p4yFlvNzWNfhLyEFHxL + BZHVVIU/mzyClMajjLJWjKI1LSgHXXIa28tgdrtiBZOsF+CWveYqJlRJh9NUepJI + ZSeFNhyWmnS9ZkQu5BUyb7+oRxfq2NY51T76Xbo8gNJeAZWwyr1sj1wjubuVeNMF + aU6FiynYWr3I35JRVghTMJ93CnPl+NTpWnQuHpq1bzEGe2u8BMFhgrTu2yMD23VQ + eGien6SqfEbA/wAiz9ZaUgTQH8UyHpliteZ8/SQgkw== + =UJvq + -----END PGP MESSAGE----- + fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7 + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ/+O5JOJfDp/BuBCuXDQVUgJagspQO6LZ/MLrl9qH282AMf + MdgN5M/WjbOv6WZDCMg4nfXps1XgzUEiaA/1m4PxHlMmxjEoQHAE51GMcxsXg+B1 + lM+8uJ1+js1sdDX4xsZtJpbVxJKIbPuhF7oM950oDlL2+UKhUbPlCoxeOihlkVGa + RqHJ/M74xkyKH281oRI5bllJaAroBnXVSFIvbCxA7ts/O7YJPKBowTIj62Kye9Ra + aHC11bPy2RlJCcFZJjPSdnXvzUMpfzEd6O72VUtMBBQZn/in7efutC8FwpRYuUW7 + vSofxUN5n6Mtb8A1XSMFD/nfXVc/pM6Cu7kdtHSwSKgbKKf6mrCeVgaM9xcG0t2W + 9yEtWvkdvOOSqz/vd1vkftbBWcCejX7bktfmD408CJAs1bjzz5CyrDoWcnYmbxFY + 6N4rhMDRMTe19VH2UQ4EvSjQjmmYCspnUW3/78zi5kU1ijyQy13UpbgwulU7tSGc + KKtBjPoy6mLIVl0YhnEJZWD/XPIRWyW+0s+7m70YXCWSVipvCelEE8oPWjf8PLaE + 
J85crlZGkSRcRO7yOP/YtB9ZnajgaF33zJU3ZWr0C/IXj2TeepZp/JUteD2H/LRf + 9YJzOFYDOFIWcdmaTzJLBEaefWcDjT6wkIf6TBqQRMLsu8JUwy9VwFcsi/d5aMXS + XgEQqSxYb1B39OR0sS1Xpw0/CFe4imBPuG3w0tOAyM3DbPWYY1kZYIRZenV1ZIOS + aRZJh086kuWgHYB76VoNzDK3QperWvHL/8CT2g3HuPiVGSrrXwxCYXk5+UXB9bQ= + =Xx91 + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DsZXvxFXTXoQSAQdA0rZTVdySF9nUiz7ZyFJgq1tojyLojGTgE4UIEJzFSTUw + 9y4kbGn1cWMpAqr+sE3WHV9p7v6kgm/XdUjXGN4DadpUbiYx6sQW2Jov6Km2EYhq + 0l4BawupjX25wi7c2yR5iGdxYS8oCYVmGgcAB3T96v8VsXpkAOYQAOOh7B9GQIxm + hB3cFQLCy2un3VvBsiKGFMA2FhZYBOuaEwP/KmWnPv0IPIRH4by6LDB0xgq8MUNz + =xoVE + -----END PGP MESSAGE----- + fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DerEtaFuTeewSAQdAgcGcZ3BT6lsJ8FxkMghxg5/PZLtIzNeJaEUbxN0EFhsw + uM+Lec3k9BJSUJK8GeVmesYxQh8vP6Yi/+m2LnGjHXzkQg8Bx1HJzuC/Ap36rC6N + 0l4Bxj1URTsRD4yILEA3TY4Dn9St9uOtodJcf5YdAKvmeb3Uwy//huNnA1eK7b+v + WRHcU2K+GgkSzLiRLZTc/nMrrCQ/P5HzwYHmP2rypFX7kxXlPd3K6yMZWTiSgYZd + =gZLQ + -----END PGP MESSAGE----- + fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ//YGOLOFtORNbOu+KFCtGcJBXQMy6Ej3/tePVuDi2vmqLD + 3Dz6stB9D+BmBbcgbFlDA+g7Vi6DD+zcze9wM10iuc9t9ucAuQ7B/ymSvJc4MrYn + MJFvQv5IYgWJmzXLYEFYYpmZPGG3hSHSgWIPs+574wEA/L867ktguW6ZD3ZuMn3E + yjCTeT/ZkGjuIpGqMu2/o9Wvc+RYgWlCB69D8kTHtnbFzbqEzvKU5/zte5ThchA+ + QZwFd/gk3o1G/7WOYJJ6CbBSOQaSrfm0mnb6sppNPdOAQtqHVSFVX5vX96gXsht/ + AkrvD6/2R5eNzbqRaU83cg7c5far49xoBbL6czreWY3D56yK4BJbrrg9mK7oCEfO + GaRDFFD7R4LJPfVx2xDoIQ3Hyp4E3dz4nyJx0Kg7NSEt7soOb5MnZ+04LLAiHbaT + qZr618V530uw3qaCsYcgHy+WsZXXlqXQey3A7jphi3u9Kvn9UjeegjNvpOrMk6g1 + RhGzv72G0wjZnzjTjPlzeROHaQ6RPgfpkZjEcVZNZkfAgAbB3XPgCFGKz4qvx9MP + 4eHIlBSJizLzSi519o+0i5PwrZdEf9L4RUVxgQgdJXMh1JaydVh5DOU+xomdStD5 + 
Maymkt8fSgYgDaS953YA2e04PrkXCH0EHZ62T9EMxreEoU3nYTmw/TGx7RfU+wzS + XgEuQkLWSToJ40/Ir3obDA246yv7J2FpmPwG4oFypkM5xe1WjlMlk90b9RBhUgXk + ylRXXLBzau6mtbPOa7LGdVyVs2DClWQo9BoK+dxEsnW+TR144O4UmZEfifJXvgQ= + =ympd + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAAshm2x7wX/9g3XJtSN0AnSeCwSHO1I4+ebLKOsB7zcXh8 + hrVO3694jQcU9L01H7jGYw4lNNzBd61/uVE5AvMq4Sqn9iH3MFNESbAEOWVV+TRf + 53JMg9C/aZfde8gHgHPaiVXlCBVEVY9CqHpUXUKDmEE7iRb5P4DuMxOmybDYZGzY + 4c5Ke1MFMkGRmAtsT1qLrT2vh+F0CX4JwpMkxCmOzSWAXbwrVOigJ35l5zM6vme4 + 5EQu9jI8FApTxVchZbr0v3UOKxp5OebqC0jGeznZNf4qb0qnsvuowY6IIw5Tl3/q + H4TLq5EUOVqTC1voIWY/gMjieiW1gtr6vASy4MvbswsZLc26YVE9IbHzAOUWDN2o + f2iQ3aZYuINvniD23XtM0TKepDXWq5eF+AJpmyP/LL8sYvSnWFD+muK3O657djEu + yGZs2EFTrkiUvhBq3apOOYiU0eOi4Aq6UeEbOsLENnQrBRXuHEm4KUSwzOitVwJ1 + ByxQTu7wzY727SOR2hzjMC0LI602WGpEQU7ech5L4uWqtMFwaBP9HnUamcofKqqt + 1vI2BevsJfQ0rtTE6GWseHt702lllTGe3RnHWc6YsMWLwUfRdBPggMW37hAPPcfO + ytbU3RJIxx4vImRtXhkI5yvbpFQrooz1zSeXWaitPE5jmmiKe9IRStLnfiq9E2TS + XgFVuQM8K0LgUYEoAipvafhnC3ohfGsM2AYd36EoaMNLeQ2ZZEiV06/Y3EWoI0iM + aqRLwyBvTuDOc5BK32nCbAgUbbPJjPhqWaoNp5ymCBV76oW613gApkzoUF+OIUU= + =KKaI + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdA8YKD21h5POTLPf04KvGN93omFgkYO+Y8Kc0jM0vdqm8w + 3zYRaLsDjdh8Zd89/HhHJUfLrTp/IJ0n81sK0ZjznbXKxgkseGthMzof+L7BnPAp + 0l4BnAs9iZS4q2LZVS7ySBP89xLmF97qhK2jagMNSAwq8Afxbcw8oQAVQmeyYfxx + X59irIHjI1ugO4o1WnTN67nTQjU5msbVBs0eALrw3jobzFHRL67fS0a4Soa59LTY + =ZHIU + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdAN7rRlv3dMoFOfj9eHgf+0H8521b32nWqySUdriEy6Tcw + gjuReMBpKQOgUfuhIiWkHIKNtNgMrYWiC20ESOXX5b9uYZNpqHCgHQPlX0lEeGim + 
0lgBOieL7mSEq4wkWLCSv4sBAmkQA+dnugBeF+TrlqKQTZsbe/Z+jNG4ZrHRvdqi + 4I5It+uaRV9Vrul1c6H7fNreRPUd4hNyJwU7gZQ+vU2WyAmgqerxE1Wb + =gplT + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+ARAAjWK8mU99VcnM/Ckzm+YsZFTwnz4PDAenDDdZ1OOz5IXe + tS4SQPcQlSSOuXEkFLJMmm8QVxtUC3Gh4nF7o+7OygT+0ZXOrB7jFgg10+v/KVA9 + hSlqBdsMxcC0OzBtkGyAOXOxqnTVubuHEGyGpIryHt1/lthUUZHBbjgw7P0Tw2/U + sYK5j5YbqhyBl20gyZorkTTq7pHfVXDVtpe75+ZkqbOg4S6HgW3/dl+v6N0TLfRs + GVl0fUlWIK/akGCB71zdwJs2I1qTeMTlL6v+XSUdXj0YV+5fjh3wf8qzN9geIjQK + ybxGFWDKCAgTMnqoFF5BCL23hFtnCbTtLN1wQT7/m7zpjaBKHOBXZOGXYZCMGZui + sBsUvPANgNdfOse9H2aABQvUQh8WqFw8S73GasvrZHAwEmvnXzocMJd+kUovzmQu + 9FBk5UkcgXfmxeamoP8C700vh4zI+sKz6uEW0+AuVtLlLVqlb2w21kTc+ArZW52n + HLolH5q3Wj6pKuuFCWKr6UgLFcq2w4QngB2p+UABHU3RbwXIra7prDXCUcNC5iCn + ElRFY7OZ3nbHOf9oaW/MitcfszVLyl0ueoay6qxdlIGdXKRGpqxHqqr+92INV/iz + 6CRoAsTqVq1a7ZuAaUdJPvfKVAHHEHjPwlrOc9cXvykG0iQKsRzgqiOtPiGQShnU + aAEJAhDSqCwywHDnQ7X9ZWIzPjwvqyHpEVez8zYh3vpgKpsLb9uL+JizZjV02HMe + nhiL+4o/aNjJgGJWph1uPFhU4wO4AavnNBsHbJSiL/1yTS96hdf8d+gB41yVLU3e + kBkDFLKkIBkU + =aRLd + -----END PGP MESSAGE----- + fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DKKbvh61jX5USAQdABId/P8ozRgJ4ItF1zvxp98aH+g3LZ6UGnxjYjtDxjEIw + VmyerznjOLnpz0EobXRRoot1Lo82Va64HQmXt26LG3gFY1HVp0WOnIZXa/CUoUb8 + 1GgBCQIQloFxKcgFTiRidaJfN7hSeQLleiEe3aifZUyJj8niTmBaY29t+CSoA46N + xZzX1AlxVjfmputhYdTyOYSJtGrj7otmnUN2P+55pjz4L2qCYAEKi1+ibqgpmJh/ + bETQsT6WKJ8FXA== + =Ci7L + -----END PGP MESSAGE----- + fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49 + unencrypted_suffix: _unencrypted + version: 3.13.1 diff --git a/inventories/z9/host_vars/rt1.yaml b/inventories/z9/host_vars/rt1.yaml new file mode 100644 index 0000000..218f4c4 --- /dev/null +++ b/inventories/z9/host_vars/rt1.yaml 
@@ -0,0 +1,6 @@ +systemd_networkd__config_dir: 'resources/z9/rt1/systemd_networkd/' +systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/systemd_networkd_global_config.conf') }}" +nftables__config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/nftables/nftables.conf') }}" +ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" +ansible_pull__timer_randomized_delay_sec: 0min +unbound_access_control: [ "10.89.208.0/20" ] diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index eab3880..d4c4ff4 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -14,6 +14,9 @@ all: yate: ansible_host: yate.ccchh.net ansible_user: chaos + rt1: + ansible_host: rt1.ccchh.net + ansible_user: chaos certbot_hosts: hosts: dooris: @@ -35,6 +38,7 @@ infrastructure_authorized_keys_hosts: light: waybackproxy: yate: + rt1: nginx_hosts: hosts: dooris: @@ -46,6 +50,12 @@ ola_hosts: proxmox_vm_template_hosts: hosts: thinkcccore0: +systemd_networkd_hosts: + hosts: + rt1: +nftables_hosts: + hosts: + rt1: alloy_hosts: hosts: light: @@ -59,3 +69,4 @@ ansible_pull_hosts: yate: secrets_hosts: hosts: + rt1: diff --git a/resources/z9/rt1/nftables/nftables.conf b/resources/z9/rt1/nftables/nftables.conf new file mode 100644 index 0000000..21bfbd1 --- /dev/null +++ b/resources/z9/rt1/nftables/nftables.conf 
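Review bot: `unbound_access_control` on the last line of the rt1.yaml hunk does not follow the `role__variable` naming the other host vars in this file use (`systemd_networkd__config_dir`, `nftables__config`, `ansible_pull__timer_on_calendar`); if the unbound role's interface is still open to change, `unbound__access_control: [ "10.89.208.0/20" ]` would keep the inventory consistent. The /20 also covers 10.89.215.0–10.89.223.255, which no VLAN or wg55 address in this commit uses; listing the subnets actually served (10.89.208.0/22, 10.89.212.0/24, 10.89.213.0/24, 10.89.214.0/24) would make the resolver's access policy match the networks behind rt1.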
@@ -0,0 +1,111 @@
+#!/usr/sbin/nft -f
+
+## Variables
+
+# Hosts
+
+
+# Interfaces
+define if_netwan = "netwan"
+define if_netlan = "netlan"
+define if_wg55_management = "wg55"
+define if_netwan_400_fux_uplink = "netwan.400"
+define if_netlan_51_clients = "netlan.51"
+define if_netlan_52_iot = "netlan.52"
+define if_netlan_53_public = "netlan.53"
+define if_netlan_54_management = "netlan.54"
+
+# Interface Groups
+define wan_ifs = { $if_netwan_400_fux_uplink }
+define lan_ifs = { $if_netlan_51_clients,
+ $if_netlan_52_iot,
+ $if_netlan_53_public,
+ $if_netlan_54_management }
+define v4_exposed_ifs = { $if_netlan_53_public }
+define v6_exposed_ifs = { $if_netlan_53_public }
+define v4_nat_ifs = { $if_netlan_51_clients,
+ $if_netlan_52_iot,
+ $if_netlan_54_management }
+
+
+## Rules
+
+table inet reverse-path-forwarding {
+ chain rpf-filter {
+ type filter hook prerouting priority mangle + 10; policy drop;
+
+ # Only allow packets if their source address is routed via their incoming interface.
+ # https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100
+ fib saddr . mark . iif oif exists accept
+ }
+}
+
+table inet host {
+ chain input {
+ type filter hook input priority filter; policy drop;
+
+ iifname "lo" accept comment "allow loopback"
+
+ ct state invalid drop
+ ct state established,related accept
+
+ ip protocol icmp accept
+ # ICMPv6
+ # https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
+ # Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
+ # Error messages that are essential to the establishment and maintenance of communications:
+ icmpv6 type { destination-unreachable, packet-too-big } accept
+ icmpv6 type { time-exceeded } accept
+ icmpv6 type { parameter-problem } accept
+ # Connectivity checking messages:
+ icmpv6 type { echo-request, echo-reply } accept
+ # Address Configuration and Router Selection messages:
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
+ # Link-Local Multicast Receiver Notification messages:
+ icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
+ # SEND Certificate Path Notification messages:
+ icmpv6 type { 148, 149 } accept
+ # Multicast Router Discovery messages:
+ icmpv6 type { 151, 152, 153 } accept
+
+ # Allow SSH access.
+ tcp dport 22 accept comment "allow ssh access"
+
+ # Allow WireGuard access.
+ udp dport 51820 accept comment "allow WireGuard access"
+
+ # Allow DHCP server access.
+ iifname { $lan_ifs } udp dport 67 accept comment "allow dhcp server access"
+ }
+}
+
+table ip v4nat {
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority srcnat; policy accept;
+
+ iifname { $v4_nat_ifs, $if_wg55_management } oifname $wan_ifs masquerade
+ }
+}
+
+table inet forward {
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+
+ ct state invalid drop
+ ct state established,related accept
+
+ # Allow internet access.
+ iifname { $lan_ifs, $if_wg55_management } oifname $wan_ifs accept comment "allow internet access"
+
+ # Allow access to exposed networks from internet.
+ meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
+ meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
+
+ # Allow clients and managment to most
+ iifname { $if_netlan_51_clients, $if_netlan_54_management, $if_wg55_management } oifname $lan_ifs accept comment "allow clients and managment to lan_ifs"
+ }
+}
diff --git a/resources/z9/rt1/systemd_networkd/00-netlan.link b/resources/z9/rt1/systemd_networkd/00-netlan.link
new file mode 100644
index 0000000..c2e2470
--- /dev/null
+++ b/resources/z9/rt1/systemd_networkd/00-netlan.link
@@ -0,0 +1,6 @@
+[Match]
+MACAddress=BC:24:11:72:A3:27
+Type=ether
+
+[Link]
+Name=netlan
diff --git a/resources/z9/rt1/systemd_networkd/00-netwan.link b/resources/z9/rt1/systemd_networkd/00-netwan.link
new file mode 100644
index 0000000..523e18a
--- /dev/null
+++ b/resources/z9/rt1/systemd_networkd/00-netwan.link
@@ -0,0 +1,6 @@
+[Match]
+MACAddress=BC:24:11:CF:65:57
+Type=ether
+
+[Link]
+Name=netwan
diff --git a/resources/z9/rt1/systemd_networkd/10-netlan.51.netdev b/resources/z9/rt1/systemd_networkd/10-netlan.51.netdev
new file mode 100644
index 0000000..b951ecc
--- /dev/null
+++ b/resources/z9/rt1/systemd_networkd/10-netlan.51.netdev
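Review bot: The last forward rule, `iifname { $if_netlan_51_clients, $if_netlan_54_management, $if_wg55_management } oifname $lan_ifs accept`, lets the clients VLAN reach netlan.54 (management) because `$lan_ifs` contains it, so the management network is segmented only from IoT and public; if that is not intended, give clients their own destination set, e.g. `iifname $if_netlan_51_clients oifname { $if_netlan_52_iot, $if_netlan_53_public } accept`, and keep the `$lan_ifs` rule for management and wg55 only. In the host input chain `tcp dport 22 accept` carries no `iifname` restriction, so SSH is reachable on the netwan.400 uplink as well as from the LAN; if that is deliberate, say so in the comment, otherwise limit it with `iifname { $lan_ifs, $if_wg55_management } tcp dport 22 accept` (WireGuard on 51820 must of course stay open on the uplink). Both the comment on that forward rule and its `comment` string spell "managment".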
@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.51
+Kind=vlan
+
+[VLAN]
+Id=51
+
diff --git a/resources/z9/rt1/systemd_networkd/10-netlan.52.netdev b/resources/z9/rt1/systemd_networkd/10-netlan.52.netdev
new file mode 100644
index 0000000..1f345c7
--- /dev/null
+++ b/resources/z9/rt1/systemd_networkd/10-netlan.52.netdev
@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.52
+Kind=vlan
+
+[VLAN]
+Id=52
+
diff --git a/resources/z9/rt1/systemd_networkd/10-netlan.53.netdev b/resources/z9/rt1/systemd_networkd/10-netlan.53.netdev
new file mode 100644
index 0000000..c6dab81
--- /dev/null
+++ b/resources/z9/rt1/systemd_networkd/10-netlan.53.netdev
@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.53
+Kind=vlan
+
+[VLAN]
+Id=53
+
diff --git a/resources/z9/rt1/systemd_networkd/10-netlan.54.netdev b/resources/z9/rt1/systemd_networkd/10-netlan.54.netdev
new file mode 100644
index 0000000..6271e6c
--- /dev/null
+++ b/resources/z9/rt1/systemd_networkd/10-netlan.54.netdev
@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.54
+Kind=vlan
+
+[VLAN]
+Id=54
+
diff --git a/resources/z9/rt1/systemd_networkd/10-netwan.400.netdev b/resources/z9/rt1/systemd_networkd/10-netwan.400.netdev
new file mode 100644
index 0000000..e0b6afc
--- /dev/null
+++ b/resources/z9/rt1/systemd_networkd/10-netwan.400.netdev
@@ -0,0 +1,7 @@
+[NetDev]
+Name=netwan.400
+Kind=vlan
+
+[VLAN]
+Id=400
+
diff --git a/resources/z9/rt1/systemd_networkd/10-wg55.netdev b/resources/z9/rt1/systemd_networkd/10-wg55.netdev
new file mode 100644
index 0000000..b3e41a6
--- /dev/null
+++ b/resources/z9/rt1/systemd_networkd/10-wg55.netdev
@@ -0,0 +1,90 @@
+[NetDev]
+Description=Admin-Wireguard
+Kind=wireguard
+Name=wg55
+
+[WireGuard]
+ListenPort=51820
+PrivateKeyFile=/etc/ansible_secrets/wireguard_wg55_privat_key
+
+# WireGuard Peers
+
+[WireGuardPeer]
+# friendly_name = stb
+AllowedIPs = 10.89.214.2/32,2a07:c481:1:37::2/128
+PublicKey = vILSL4dbaC5IaTsRhJviamV18ssxWSj+qLVyowLQ214=
+PersistentKeepalive = 30
+
+[WireGuardPeer]
+# friendly_name = fi
+AllowedIPs = 10.89.214.3/32,2a07:c481:1:37::3/128
+PublicKey = UHi/if5uW2V3+8Q3R+uk6/XpRi4fPXbw7chsKI4xlkI=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_fi_psk
+
+[WireGuardPeer]
+# friendly_name = jtbx
+AllowedIPs = 10.89.214.4/32,2a07:c481:1:37::4/128
+PublicKey = NyyEqdWgScgsnTF8Zz/Om4Lc84fdFMwVtvaCmLEkUlQ=
+
+[WireGuardPeer]
+# friendly_name = June
+AllowedIPs = 10.89.214.6/32,2a07:c481:1:37::6/128
+PublicKey = 6jAEB+f9przBGxPhuvv9U9gvZDEBQNqpQSD0BoGqXQQ=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_June_psk
+
+[WireGuardPeer]
+# friendly_name = Max
+AllowedIPs = 10.89.214.7/32,2a07:c481:1:37::7/128
+PublicKey = oC1hJjtlAgLX/CmbwTC+LPmd1uwluQTwsN8RaMNmHn0=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_Max_psk
+
+[WireGuardPeer]
+# friendly_name = dario
+AllowedIPs = 10.89.214.9/32,2a07:c481:1:37::9/128
+PublicKey = bYF2EGRGpEGjiKcasi/oaWoWeLsgqsF6FGaq3Z4ERww=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_dario_psk
+
+[WireGuardPeer]
+# friendly_name = June-mobile
+AllowedIPs = 10.89.214.11/32,2a07:c481:1:37::11/128
+PublicKey = 6edjXykegUgGjbkIG1aJyBlX1SgTKcqXXaSBVPHdKDc=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_June-mobile_psk
+
+[WireGuardPeer]
+# friendly_name = djerun_at_ferrum.local
+AllowedIPs = 10.89.214.12/32,2a07:c481:1:37::12/128
+PublicKey = aHbdkTHhPkd+o7wWfTua9nd72aF4OVp66zGtpaoD8Fg=
+
+[WireGuardPeer]
+# friendly_name = c6ristian
+AllowedIPs = 10.89.214.13/32,2a07:c481:1:37::13/128
+PublicKey = 6ndwj3Ur6AqfUPWuyPYXIaGZs2ujJKawSQ9LEvlYzEc=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_c6ristian_psk
+
+[WireGuardPeer]
+# friendly_name = langoor
+AllowedIPs = 10.89.214.14/32,2a07:c481:1:37::14/128
+PublicKey = qTnVQlQa1m4SucFFNli/xM6QWfsdWx2baRAit7Cg8RM=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_psk
+
+[WireGuardPeer]
+# friendly_name = langoor_home
+AllowedIPs = 10.89.214.15/32,2a07:c481:1:37::15/128
+PublicKey = NeMDs2+5rHuKO5ZYXVUR76GorgdesFUnDOFECQ3RzG4=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_home_psk
+
+[WireGuardPeer]
+# friendly_name = lilly-lillysLaptop
+AllowedIPs = 10.89.214.16/32 #,2a07:c481:1:37::/128
+PublicKey = IBsI+N8qUNpQnDc5HnqQ2Zo/1graFM0RMIecHmAF+Vk=
+
+[WireGuardPeer]
+# friendly_name = bitwhisker
+AllowedIPs = 10.89.214.17/32,2a07:c481:1:37::a/128
+PublicKey = DvEGvQPGi+IxeRTIA72Gx3WNINcrV9HRNB1v7mHnhjA=
+
+[WireGuardPeer]
+# friendly_name = forestcat
+AllowedIPs = 10.89.214.18/32,2a07:c481:1:37::b/128
+PublicKey = PdJ7KlIeASizj0WTY87d7oSi14/MebrhRa+L8YiPoQE=
+
diff --git a/resources/z9/rt1/systemd_networkd/20-netlan.network b/resources/z9/rt1/systemd_networkd/20-netlan.network
new file mode 100644
index 0000000..3aed715
--- /dev/null
+++ b/resources/z9/rt1/systemd_networkd/20-netlan.network
@@ -0,0 +1,12 @@
+[Match]
+Name=netlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+VLAN=netwan.51
+VLAN=netwan.52
+VLAN=netwan.53
+VLAN=netwan.54
+
diff --git a/resources/z9/rt1/systemd_networkd/20-netwan.network b/resources/z9/rt1/systemd_networkd/20-netwan.network
new file mode 100644
index 0000000..89a8494
--- /dev/null
+++ b/resources/z9/rt1/systemd_networkd/20-netwan.network
@@ -0,0 +1,9 @@
+[Match]
+Name=netwan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+VLAN=netwan.400
+
diff --git a/resources/z9/rt1/systemd_networkd/20-wg55.network b/resources/z9/rt1/systemd_networkd/20-wg55.network
new file mode 100644
index 0000000..750e844
--- /dev/null
+++ b/resources/z9/rt1/systemd_networkd/20-wg55.network
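Review bot: The lilly-lillysLaptop peer's `AllowedIPs = 10.89.214.16/32 #,2a07:c481:1:37::/128` relies on an inline `#` comment, which systemd's unit-file parser does not support (a comment has to start the line), so the rest of the value is handed to the AllowedIPs parser instead of being ignored; keep the value as `AllowedIPs = 10.89.214.16/32` and put the remark on its own line, e.g. `# IPv6 address for this peer not assigned yet`. `PrivateKeyFile=/etc/ansible_secrets/wireguard_wg55_privat_key` spells "privat"; that is only harmless if the secret deployed from rt1.sops.yaml carries the same name, which the encrypted file does not let a reviewer confirm. Only some peers get a `PresharedKeyFile`; a one-line comment under `# WireGuard Peers` stating that PSKs are optional per peer would save the next reader from treating the missing ones as an omission.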
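Review bot: The four `VLAN=netwan.5x` entries in 20-netlan.network name netdevs that do not exist; the VLAN netdevs this commit creates are `netlan.51`–`netlan.54`, so none of them gets attached to `netlan` and the LAN VLANs will never come up, whereas 20-netwan.network correctly references `netwan.400`. Change the four lines to `VLAN=netlan.51` through `VLAN=netlan.54`.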
@@ -0,0 +1,6 @@
+[Match]
+Name=wg55
+
+[Network]
+Address=10.89.214.1/24
+Address=2a07:c481:1:37::1/64
diff --git a/resources/z9/rt1/systemd_networkd/21-netlan.51-clients.network b/resources/z9/rt1/systemd_networkd/21-netlan.51-clients.network
new file mode 100644
index 0000000..5e9635f
--- /dev/null
+++ b/resources/z9/rt1/systemd_networkd/21-netlan.51-clients.network
@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.51
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=clients
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=10.89.208.1/22
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:33::/64
+Assign=true
+Token=static:::1
+
diff --git a/resources/z9/rt1/systemd_networkd/21-netlan.52-iot.network b/resources/z9/rt1/systemd_networkd/21-netlan.52-iot.network
new file mode 100644
index 0000000..5b58610
--- /dev/null
+++ b/resources/z9/rt1/systemd_networkd/21-netlan.52-iot.network
@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.52
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=IoT
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=10.89.212.1/24
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:34::/64
+Assign=true
+Token=static:::1
+
diff --git a/resources/z9/rt1/systemd_networkd/21-netlan.53-public.network b/resources/z9/rt1/systemd_networkd/21-netlan.53-public.network
new file mode 100644
index 0000000..f544a5b
--- /dev/null
+++ b/resources/z9/rt1/systemd_networkd/21-netlan.53-public.network
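Review bot: `Managed=true` under `[IPv6SendRA]` in 21-netlan.51-clients.network tells hosts to obtain addresses via DHCPv6, but the nftables host input chain in this same commit only opens `udp dport 67` on `$lan_ifs`, so DHCPv6 requests to port 547 — and DNS queries to the unbound resolver that rt1.yaml scopes to these subnets — are dropped unless a later commit opens them; either add `iifname { $lan_ifs } udp dport 547 accept` (and a matching 53 rule) there, or leave `Managed=true` out until a DHCPv6 server is actually deployed. The `# Masquerading done in nftables (nftables.conf).` comment sits directly above `IPv6SendRA=yes`, which it does not describe; move it next to the setting it refers to or drop it. Both points apply equally to the 21-netlan.52-iot, 21-netlan.53-public and 21-netlan.54-management hunks, which share this layout.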
@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.53
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=public
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=185.161.130.65/28
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:35::/64
+Assign=true
+Token=static:::1
+
diff --git a/resources/z9/rt1/systemd_networkd/21-netlan.54-management.network b/resources/z9/rt1/systemd_networkd/21-netlan.54-management.network
new file mode 100644
index 0000000..2396da0
--- /dev/null
+++ b/resources/z9/rt1/systemd_networkd/21-netlan.54-management.network
@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.54
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=Management
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=10.89.213.0/24
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:36::/64
+Assign=true
+Token=static:::1
+
diff --git a/resources/z9/rt1/systemd_networkd/21-netwan.400-fux_uplink.network b/resources/z9/rt1/systemd_networkd/21-netwan.400-fux_uplink.network
new file mode 100644
index 0000000..1657c40
--- /dev/null
+++ b/resources/z9/rt1/systemd_networkd/21-netwan.400-fux_uplink.network
@@ -0,0 +1,26 @@
+[Match]
+Name=netwan.400
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=fux-uplink
+
+DNS=185.161.128.66
+DNS=2a07:c481:0:4::2
+DNS=185.161.128.67
+DNS=2a07:c481:0:4::3
+
+IPv6AcceptRA=no
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=no
+
+[Address]
+Address=185.161.129.134/25
+Address=2a07:c481::1:2/64
+
+[Route]
+Gateway=185.161.129.129
+Gateway=2a07:c481::1
diff --git a/resources/z9/rt1/systemd_networkd_global_config.conf b/resources/z9/rt1/systemd_networkd_global_config.conf
new file mode 100644
index 0000000..2d3d8a3
--- /dev/null
+++ b/resources/z9/rt1/systemd_networkd_global_config.conf
@@ -0,0 +1,3 @@
+[Network]
+IPv4Forwarding=true
+IPv6Forwarding=true
From bbf45e91f452c901dc317f30e43a31fa4ce9a066 Mon Sep 17 00:00:00 2001
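Review bot: `Address=10.89.213.0/24` in 21-netlan.54-management.network puts the subnet's network address on the router, while every other VLAN in this commit uses the first host address (`10.89.208.1/22`, `10.89.212.1/24`); this is almost certainly meant to be `Address=10.89.213.1/24`. Any DHCP `routers` option for this subnet modelled on subnet 1's `10.89.208.1` would otherwise point at an address rt1 does not hold, so it is worth fixing before the kea_dhcp config for the management VLAN is written.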
From: bitwhisker Date: Sun, 24 May 2026 04:01:11 +0200 Subject: [PATCH 02/35] rt1(z9 host) unbound(role) kea_dhcp(role): create unbound and kea_dhcp role for rt1 - create unbound role - create kea_dhcp role - configure unbound and keadhcp on rt1(z9 host) --- inventories/z9/host_vars/rt1.yaml | 1 + inventories/z9/hosts.yaml | 7 + playbooks/deploy.yaml | 14 + resources/z9/rt1/kea_dhcp.yaml | 293 ++++++++++++++++++ resources/z9/rt1/nftables/nftables.conf | 3 + roles/kea_dhcp/defaults/main.yaml | 69 +++++ roles/kea_dhcp/handlers/main.yml | 30 ++ roles/kea_dhcp/meta/argument_specs.yaml | 125 ++++++++ roles/kea_dhcp/tasks/install_archlinux.yml | 8 + roles/kea_dhcp/tasks/install_debian.yml | 22 ++ roles/kea_dhcp/tasks/kea.yaml | 51 +++ roles/kea_dhcp/tasks/main.yml | 19 ++ roles/kea_dhcp/tasks/stork-agent.yaml | 76 +++++ .../kea_dhcp/templates/kea-ctrl-agent.conf.j2 | 20 ++ roles/kea_dhcp/templates/kea-dhcp4.conf.jinja | 27 ++ roles/kea_dhcp/templates/kea-dhcp6.conf.jinja | 27 ++ .../kea_dhcp/templates/stork-agent.env.jinja | 44 +++ roles/unbound/README.md | 19 ++ roles/unbound/defaults/main.yml | 7 + roles/unbound/files/no-resolved.resolv.conf | 1 + roles/unbound/handlers/main.yml | 27 ++ roles/unbound/tasks/main.yml | 63 ++++ roles/unbound/tasks/prometheus-exporter.yml | 17 + roles/unbound/templates/unbound.conf.j2 | 73 +++++ 24 files changed, 1043 insertions(+) create mode 100644 resources/z9/rt1/kea_dhcp.yaml create mode 100644 roles/kea_dhcp/defaults/main.yaml create mode 100644 roles/kea_dhcp/handlers/main.yml create mode 100644 roles/kea_dhcp/meta/argument_specs.yaml create mode 100644 roles/kea_dhcp/tasks/install_archlinux.yml create mode 100644 roles/kea_dhcp/tasks/install_debian.yml create mode 100644 roles/kea_dhcp/tasks/kea.yaml create mode 100644 roles/kea_dhcp/tasks/main.yml create mode 100644 roles/kea_dhcp/tasks/stork-agent.yaml create mode 100644 roles/kea_dhcp/templates/kea-ctrl-agent.conf.j2 create mode 100644 
roles/kea_dhcp/templates/kea-dhcp4.conf.jinja create mode 100644 roles/kea_dhcp/templates/kea-dhcp6.conf.jinja create mode 100644 roles/kea_dhcp/templates/stork-agent.env.jinja create mode 100644 roles/unbound/README.md create mode 100644 roles/unbound/defaults/main.yml create mode 100644 roles/unbound/files/no-resolved.resolv.conf create mode 100644 roles/unbound/handlers/main.yml create mode 100644 roles/unbound/tasks/main.yml create mode 100644 roles/unbound/tasks/prometheus-exporter.yml create mode 100644 roles/unbound/templates/unbound.conf.j2 diff --git a/inventories/z9/host_vars/rt1.yaml b/inventories/z9/host_vars/rt1.yaml index 218f4c4..876776a 100644 --- a/inventories/z9/host_vars/rt1.yaml +++ b/inventories/z9/host_vars/rt1.yaml @@ -4,3 +4,4 @@ nftables__config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/nftables/ ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" ansible_pull__timer_randomized_delay_sec: 0min unbound_access_control: [ "10.89.208.0/20" ] +kea_dhcp__include_vars: resources/z9/rt1/kea_dhcp.yaml diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index d4c4ff4..407aa2f 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -56,11 +56,18 @@ systemd_networkd_hosts: nftables_hosts: hosts: rt1: +unbound_hosts: + hosts: + rt1: +kea_dhcp_hosts: + hosts: + rt1: alloy_hosts: hosts: light: yate: dooris: + rt1: ansible_pull_hosts: hosts: dooris: diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index b7ce104..54d4098 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml @@ -27,6 +27,20 @@ tags: - nftables +- name: Ensure unbound deployment on unbound_hosts + hosts: unbound_hosts + roles: + - unbound + tags: + - unbound + +- name: Ensure kea_dhcp deployment on kea_dhcp_hosts + hosts: kea_dhcp_hosts + roles: + - kea_dhcp + tags: + - kea_dhcp + - name: Ensure deployment of infrastructure authorized keys hosts: infrastructure_authorized_keys_hosts roles: 
diff --git a/resources/z9/rt1/kea_dhcp.yaml b/resources/z9/rt1/kea_dhcp.yaml new file mode 100644 index 0000000..d191881 --- /dev/null +++ b/resources/z9/rt1/kea_dhcp.yaml 
@@ -0,0 +1,293 @@ +kea_dhcp__dns_servers: + v4: + - 185.161.129.134 + v6: + - 2a07:c481::1:2 + +kea_dhcp__dhcp4: + enable: true + interfaces: [ "netlan.51", "netlan.52", "netlan.54" ] + control-sockets: + - socket-name: /var/run/kea-dhcp4-ctrl-agent.sock + socket-type: unix + lease-database: + type: memfile + persist: true + option-data: + - name: "domain-name-servers" + code: 6 + csv-format: true + data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}" + subnets: + - id: 1 + subnet: 10.89.208.0/22 + pools: + - pool: "10.89.208.32 - 10.89.211.250" + reservations: + - ip-address: 10.89.208.11 + hostname: beamer + hw-address: "ac:87:a3:18:9e:01" + - ip-address: 10.89.208.12 + hostname: Brother-CCCHH + hw-address: "00:80:77:04:3a:55" + - ip-address: 10.89.208.13 + hostname: muzak + hw-address: "00:11:24:5f:4f:80" + - ip-address: 10.89.208.14 + hostname: Big-Room-Beamer + hw-address: "64:d2:c4:db:08:5c" + - ip-address: 10.89.208.16 + hostname: dooris + hw-address: "bc:24:11:b3:93:9c" + - ip-address: 10.89.208.17 + hostname: hmdooris-ccu + hw-address: "bc:24:11:5f:2d:b1" + - ip-address: 10.89.208.27 + hostname: cisco-slm248p + hw-address: "00:23:eb:b0:fc:3f" + - ip-address: 10.89.208.47 + hw-address: "6c:df:fb:0b:34:21" + - ip-address: 10.89.208.48 + hw-address: "6c:df:fb:0d:91:63" + - ip-address: 10.89.209.28 + hostname: hp-color + hw-address: "3c:52:82:29:21:79" + - ip-address: 10.89.209.29 + hostname: dooris-ng + hw-address: "6c:4b:90:19:21:a1" + - ip-address: 10.89.209.166 + hostname: encoder-ccchh + hw-address: "00:4e:01:a2:40:d7" + - ip-address: 10.89.209.254 + hostname: ki10 + hw-address: "dc:a6:32:a9:ff:82" + option-data: + - name: routers, + csv-format: true + data: 10.89.208.1 + - id: 2 + subnet: 10.89.212.0/24 + pools: + - pool: "10.89.212.32 - 10.89.212.250" + reservations: + - ip-address: 10.89.212.3 + hostname: prusamk3 + hw-address: "10:9c:70:2e:59:3e" + - ip-address: 10.89.212.4 + hostname: prusamk4 + hw-address: "10:9c:70:2e:6e:f0" + - ip-address: 
10.89.212.11 + hostname: Ziggy + hw-address: "44:17:93:53:65:57" + - ip-address: 10.89.212.12 + hostname: legacy + hw-address: "00:15:65:a1:ed:98" + - ip-address: 10.89.212.23 + hostname: foobarpay + hw-address: "f4:f2:6d:09:a6:73" + - ip-address: 10.89.212.24 + hostname: foobackup + hw-address: "bc:24:11:20:1a:a8" + - ip-address: 10.89.212.27 + hostname: ender3v2-sonic-pad + hw-address: "fc:ee:91:00:0e:14" + - ip-address: 10.89.212.31 + hostname: octopi + hw-address: "b8:27:eb:0f:d8:09" + - ip-address: 10.89.212.32 + hostname: 433mhz-bridge + hw-address: "0c:b8:15:fe:e3:34" + - ip-address: 10.89.212.33 + hostname: wled-kueche + hw-address: "30:ae:a4:7a:8d:a0" + - ip-address: 10.89.212.34 + hostname: wled-serverschrank + hw-address: "18:fe:34:a6:64:76" + - ip-address: 10.89.212.35 + hostname: wled-couch + hw-address: "64:b7:08:40:ab:c0" + - ip-address: 10.89.212.36 + hostname: laser + hw-address: "b8:27:eb:be:38:fa" + - ip-address: 10.89.212.37 + hostname: laser-eth + hw-address: "b8:27:eb:eb:6d:af" + - ip-address: 10.89.212.42 + hostname: t-mix + hw-address: "40:a5:ef:d9:eb:93" + - ip-address: 10.89.212.86 + hostname: fritz-fon + hw-address: "00:1f:3f:c9:e5:b2" + - ip-address: 10.89.212.211 + hostname: hauptraum-esphome + hw-address: "e8:db:84:e8:18:d2" + - ip-address: 10.89.212.212 + hostname: werkstatt-esphome + hw-address: "3c:71:bf:26:42:32" + - ip-address: 10.89.212.213 + hostname: ir-bridge-beamer + hw-address: "8c:ce:4e:51:93:dd" + - ip-address: 10.89.212.215 + hostname: pi-dmx-werkstatt + hw-address: "b8:27:eb:65:e5:31" + - ip-address: 10.89.212.227 + hostname: SIP-T46S + hw-address: "80:5e:c0:09:bf:55" + - ip-address: 10.89.212.230 + hostname: SIP-T46S + hw-address: "80:5e:c0:22:33:08" + - ip-address: 10.89.212.232 + hostname: staubi + hw-address: "b8:4d:43:98:51:2b" + - ip-address: 10.89.212.233 + hostname: staubiv2 + hw-address: "70:c9:32:82:25:b2" + - ip-address: 10.89.212.234 + hostname: AtemMini + hw-address: "7c:2e:0d:13:72:a8" + - ip-address: 
10.89.212.235 + hostname: okilaser + hw-address: "2c:ff:65:22:b4:63" + - ip-address: 10.89.212.236 + hw-address: "b8:27:eb:29:bd:77" + option-data: + - name: routers, + csv-format: true + data: 10.89.212.1 + - id: 3 + subnet: 10.89.213.0/24 + pools: + - pool: "10.89.213.32 - 10.89.213.250" + reservations: + - ip-address: 10.89.213.2 + hostname: sw-rack-1 + hw-address: "F0:9F:C2:10:C3:AA" + - ip-address: 10.89.213.3 + hostname: sw-rack-2-peo + hw-address: "44:d9:e7:06:69:5d" + - ip-address: 10.89.213.4 + hostname: sw-main-1 + hw-address: "a8:9c:6c:16:df:cc" + - ip-address: 10.89.213.5 + hostname: sw-main-2 + hw-address: "a8:9c:6c:16:e8:86" + - ip-address: 10.89.213.6 + hostname: sw-shop-1 + hw-address: "C0:4A:00:FB:DA:C5" + - ip-address: 10.89.213.7 + hostname: sw-shop-2-peo + hw-address: "f4:e2:c6:bf:20:ee" + - ip-address: 10.89.213.8 + hostname: sw-shop-3-peo + hw-address: "d8:b3:70:85:72:76" + - ip-address: 10.89.213.11 + hostname: pve01 + hw-address: "38:05:25:30:80:35" + - ip-address: 10.89.213.12 + hostname: pve02 + hw-address: "b8:85:84:b1:57:b6" + - ip-address: 10.89.213.13 + hostname: pve03 + hw-address: "98:fa:9b:a2:ed:e8" + - ip-address: 10.89.213.15 + hostname: pbs + hw-address: "BC:24:11:D6:2C:81" + - ip-address: 10.89.213.21 + hostname: unifi + hw-address: "BC:24:11:25:77:60" + - ip-address: 10.89.213.22 + hostname: club-assistant + hw-address: "7a:55:61:c3:a2:89" + - ip-address: 10.89.213.23 + hostname: automation + hw-address: "f2:20:75:5a:2f:8c" + - ip-address: 10.89.213.24 + hostname: yate + hw-address: "bc:24:11:73:3e:f7" + - ip-address: 10.89.213.25 + hostname: ptouch-print-server + hw-address: "bc:24:11:f2:cf:8f" + - ip-address: 10.89.213.26 + hostname: mqtt + hw-address: "bc:24:11:48:85:73" + - ip-address: 10.89.213.27 + hostname: factorio + hw-address: "bc:24:11:a3:43:7f" + - ip-address: 10.89.213.28 + hostname: light + hw-address: "72:61:ea:e6:49:e3" + - ip-address: 10.89.213.29 + hostname: homematic + hw-address: "fe:3a:42:77:3a:be" + - 
ip-address: 10.89.213.30 + hostname: proxmox-backup-server + hw-address: "8a:48:dd:a3:22:40" + option-data: + - name: routers, + csv-format: true + data: 10.89.213.1 + +kea_dhcp__dhcp6: + enable: true + interfaces: [ "netlan.51", "netlan.52", "netlan.54" ] + control-sockets: + - socket-name: /var/run/kea-dhcp6-ctrl-agent.sock + socket-type: unix + lease-database: + type: memfile + persist: true + option-data: + - name: "dns-servers" + code: 23 + csv-format: true + data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}" + subnets: + - id: 1 + subnet: "2a07:c481:1:33::/64" + pools: + - pool: "2a07:c481:1:33::1:1 - 2a07:c481:1:33::FFFF:FFFF" + - id: 2 + subnet: "2a07:c481:1:34::/64" + pools: + - pool: "2a07:c481:1:34::1:1 - 2a07:c481:1:34::FFFF:FFFF" + - id: 3 + subnet: "2a07:c481:1:36::/64" + pools: + - pool: "2a07:c481:1:36::1:1 - 2a07:c481:1:36::FFFF:FFFF" + reservations: + - ip-address: "2a07:c481:1:36::2" + hostname: sw-rack-1 + hw-address: "F0:9F:C2:10:C3:AA" + - ip-address: "2a07:c481:1:36::3" + hostname: sw-rack-2-peo + hw-address: "44:d9:e7:06:69:5d" + - ip-address: "2a07:c481:1:36::4" + hostname: sw-main-1 + hw-address: "a8:9c:6c:16:df:cc" + - ip-address: "2a07:c481:1:36::5" + hostname: sw-main-2 + hw-address: "a8:9c:6c:16:e8:86" + - ip-address: "2a07:c481:1:36::6" + hostname: sw-shop-1 + hw-address: "C0:4A:00:FB:DA:C5" + - ip-address: "2a07:c481:1:36::7" + hostname: sw-shop-2-peo + hw-address: "f4:e2:c6:bf:20:ee" + - ip-address: "2a07:c481:1:36::8" + hostname: sw-shop-3-peo + hw-address: "d8:b3:70:85:72:76" + - ip-address: "2a07:c481:1:36::b" + hostname: pve01 + hw-address: "38:05:25:30:80:35" + - ip-address: "2a07:c481:1:36::c" + hostname: pve02 + hw-address: "b8:85:84:b1:57:b6" + - ip-address: "2a07:c481:1:36::d" + hostname: pve03 + hw-address: "98:fa:9b:a2:ed:e8" + - ip-address: "2a07:c481:1:36::f" + hostname: pbs + hw-address: "BC:24:11:D6:2C:81" + - ip-address: "2a07:c481:1:36::14" + hostname: unifi + hw-address: "BC:24:11:25:77:60" 
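Review bot: The per-subnet `option-data` entries are written as `- name: routers,` with a trailing comma, so the option name that reaches kea-dhcp4.conf is the string `routers,`, which is not a Kea option name; the `kea-dhcp4 -T` validate step in the template task should reject the file, and if it did not the three subnets would be served without a default gateway. Drop the comma on all three subnets: `- name: routers`. roles/kea_dhcp/defaults/main.yaml carries the same trailing commas in its placeholder entries (`name: nil,`, `code: nil,`). The v4 `interfaces` list omits netlan.53 and the v6 subnet ids 1–3 map to the ::33, ::34 and ::36 prefixes with ::35 absent — presumably the public VLAN is served elsewhere, and a one-line comment saying so would keep the gap from reading as an omission.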
diff --git a/resources/z9/rt1/nftables/nftables.conf b/resources/z9/rt1/nftables/nftables.conf
index 21bfbd1..842ca04 100644
--- a/resources/z9/rt1/nftables/nftables.conf
+++ b/resources/z9/rt1/nftables/nftables.conf
@@ -76,6 +76,9 @@ table inet host {
# Allow DHCP server access.
iifname { $lan_ifs } udp dport 67 accept comment "allow dhcp server access"
+
+ # Allow DNS server access from lan_ifs
+ iifname { $lan_ifs, $if_wg55_management } udp dport 53 accept comment "allow dns server access from lan_ifs"
}
}
diff --git a/roles/kea_dhcp/defaults/main.yaml b/roles/kea_dhcp/defaults/main.yaml
new file mode 100644
index 0000000..409f0a1
--- /dev/null
+++ b/roles/kea_dhcp/defaults/main.yaml
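Review bot: The new rule admits DNS only over UDP; TCP 53 stays closed on the LAN and wg55 management interfaces, so any answer that does not fit a UDP datagram (truncated responses, larger DNSSEC-signed answers) fails when the client retries over TCP. Add a matching rule next to it: `iifname { $lan_ifs, $if_wg55_management } tcp dport 53 accept comment "allow dns server access (tcp)"`. The comment says "from lan_ifs" but the set also contains `$if_wg55_management`; name both so the rule and its comment agree. The enclosing chain and table start outside the hunk.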
@@ -0,0 +1,69 @@ +kea_dhcp__stork_agent: + enable: false + prometheus_only: true +kea_dhcp__version_repo: "kea-3-0" +kea_dhcp__dns_servers: + v6: + - "2a07:c481:0:4::2" + - "2a07:c481:0:4::3" + v4: + - "185.161.128.66" + - "185.161.128.67" +kea_dhcp__include_vars: + +kea_dhcp__dhcp4: + enable: false + interfaces: [ ] + control-sockets: + - socket-name: /var/run/kea-dhcp4-ctrl-agent.sock + socket-type: unix + lease-database: + type: memfile + persist: true + option-data: + - name: "domain-name-servers" + code: 6 + csv-format: true + data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}" + subnets: + - id: 0 + subnet: nil + pools: + - pool: nil + reservations: + - ip-address: nil + hostname: beispiel.test + hw-address: "00:11:22:33:44:55" + option-data: + - name: nil, + code: nil, + csv-format: true + data: nil +kea_dhcp__dhcp6: + enable: false + interfaces: [ ] + lease-database: + type: memfile + persist: true + control-sockets: + - socket-name: /var/run/kea-dhcp6-ctrl-agent.sock + socket-type: unix + option-data: + - name: "dns-servers" + code: 23 + csv-format: true + data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}" + subnets: + - id: 0 + subnet: nil + pools: + - pool: nil + reservations: + - ip-address: nil + hostname: beispiel.test + hw-address: "00:11:22:33:44:55" + option-data: + - name: nil, + code: nil, + csv-format: true + data: nil diff --git a/roles/kea_dhcp/handlers/main.yml b/roles/kea_dhcp/handlers/main.yml new file mode 100644 index 0000000..5b44d6e --- /dev/null +++ b/roles/kea_dhcp/handlers/main.yml 
@@ -0,0 +1,30 @@
+---
+- name: Systemd.daemon_reload
+ become: true
+ ansible.builtin.systemd_service:
+ daemon_reload: true
+
+- name: Kea_dhcp4.reloaded
+ ansible.builtin.service:
+ name: kea-dhcp4
+ state: restarted
+ enabled: true
+
+- name: Kea_dhcp6.reloaded
+ ansible.builtin.service:
+ name: kea-dhcp6
+ state: restarted
+ enabled: true
+
+- name: Kea_ctrl.reloaded
+ ansible.builtin.systemd:
+ name: kea-ctrl-agent
+ state: restarted
+ enabled: true
+
+- name: Stork_agent.restarted
+ become: true
+ ansible.builtin.systemd:
+ name: isc-stork-agent
+ state: restarted
+ enabled: true
diff --git a/roles/kea_dhcp/meta/argument_specs.yaml b/roles/kea_dhcp/meta/argument_specs.yaml
new file mode 100644
index 0000000..995b838
--- /dev/null
+++ b/roles/kea_dhcp/meta/argument_specs.yaml
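Review bot: The handler is named `Systemd.daemon_reload`, but roles/kea_dhcp/tasks/stork-agent.yaml notifies `Systemd_daemon_reload`, so the first notification aborts the play with an unknown-handler error; rename one side, e.g. `- name: Systemd_daemon_reload`. `Kea_dhcp4.reloaded`, `Kea_dhcp6.reloaded` and `Kea_ctrl.reloaded` restart services without `become: true` while `Stork_agent.restarted` has it; unless become is set at play level (not visible here), those three restarts run unprivileged and fail. All three are also named `reloaded` but use `state: restarted`; the name should say what the handler actually does.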
@@ -0,0 +1,125 @@ +--- +argument_specs: + main: + short_description: "Role for managing Kea DHCP server" + options: + kea_dhcp__stork_agent: + type: "dict" + description: "Configuration for Stork Agent" + options: + enable: + type: "bool" + default: false + prometheus_only: + type: "bool" + default: true + kea_dhcp__version_repo: + type: "str" + description: "Version of Kea DHCP repository to use" + default: "kea-3-0" + kea_dhcp__dns_servers: + type: "dict" + description: "Default DNS servers for DHCP clients" + options: + v6: + type: "list" + elements: "str" + v4: + type: "list" + elements: "str" + kea_dhcp__dhcp4: + type: "dict" + description: "Configuration for DHCPv4 service" + options: + enable: + type: "bool" + default: false + interfaces: + type: "list" + elements: "str" + default: [] + control-sockets: + type: "list" + elements: "dict" + lease-database: + type: "dict" + option-data: + type: "list" + elements: "dict" + subnets: + type: "list" + elements: "dict" + options: + id: + type: "int" + subnet: + type: "str" + pools: + type: "list" + elements: "dict" + options: + pool: + type: "str" + reservations: + type: "list" + elements: "dict" + options: + ip-address: + type: "str" + hostname: + type: "str" + hw-address: + type: "str" + duid: + type: "str" + option-data: + type: "list" + elements: "dict" + kea_dhcp__dhcp6: + type: "dict" + description: "Configuration for DHCPv6 service" + options: + enable: + type: "bool" + default: false + interfaces: + type: "list" + elements: "str" + default: [] + control-sockets: + type: "list" + elements: "dict" + lease-database: + type: "dict" + option-data: + type: "list" + elements: "dict" + subnets: + type: "list" + elements: "dict" + options: + id: + type: "int" + subnet: + type: "str" + pools: + type: "list" + elements: "dict" + options: + pool: + type: "str" + reservations: + type: "list" + elements: "dict" + options: + ip-address: + type: "str" + hostname: + type: "str" + hw-address: + type: "str" + duid: + type: 
"str"
+ option-data:
+ type: "list"
+ elements: "dict"
diff --git a/roles/kea_dhcp/tasks/install_archlinux.yml b/roles/kea_dhcp/tasks/install_archlinux.yml
new file mode 100644
index 0000000..7bdb140
--- /dev/null
+++ b/roles/kea_dhcp/tasks/install_archlinux.yml
@@ -0,0 +1,8 @@
+---
+- name: Install Kea on Archlinux
+ when: ansible_facts['distribution'] == "Archlinux"
+ become: true
+ community.general.pacman:
+ name: kea
+ state: present
+ update_cache: false
diff --git a/roles/kea_dhcp/tasks/install_debian.yml b/roles/kea_dhcp/tasks/install_debian.yml
new file mode 100644
index 0000000..2ac2346
--- /dev/null
+++ b/roles/kea_dhcp/tasks/install_debian.yml
@@ -0,0 +1,22 @@
+---
+- name: Register isc-kea apt repository
+ become: true
+ register: kea_dhcp_repo
+ when: ansible_facts['distribution'] == "Debian"
+ ansible.builtin.deb822_repository:
+ name: "isc-{{ kea_dhcp__version_repo }}"
+ uris: "https://dl.cloudsmith.io/public/isc/{{ kea_dhcp__version_repo }}/deb/debian"
+ suites: any-version
+ components: main
+ signed_by: "https://dl.cloudsmith.io/public/isc/{{ kea_dhcp__version_repo }}/gpg.key"
+
+- name: Install Kea packages
+ become: true
+ when: ansible_facts['distribution'] == "Debian"
+ ansible.builtin.apt:
+ name:
+ - isc-kea-dhcp4
+ - isc-kea-dhcp6
+ - isc-kea-ctrl-agent
+ - isc-kea-admin
+ update_cache: "{{ kea_dhcp_install_repo.changed }}"
diff --git a/roles/kea_dhcp/tasks/kea.yaml b/roles/kea_dhcp/tasks/kea.yaml
new file mode 100644
index 0000000..a4fd3b5
--- /dev/null
+++ b/roles/kea_dhcp/tasks/kea.yaml
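Review bot: In install_debian.yml the repository task registers its result as `kea_dhcp_repo`, but the apt task reads `{{ kea_dhcp_install_repo.changed }}`, a name that is only registered later in stork-agent.yaml, so a fresh Debian host fails with an undefined variable before any package is installed; change it to `update_cache: "{{ kea_dhcp_repo.changed }}"`. The `when: ansible_facts['distribution'] == "Debian"` on each task repeats the condition already placed on the `import_tasks` in tasks/main.yml, which applies to every imported task, so one copy can go. The signing key is fetched from the vendor URL on every run; vendoring the key file into the role or recording its fingerprint in a comment would make the trust decision explicit and reviewable.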
@@ -0,0 +1,51 @@
+---
+- name: Include config vars
+ tags: [ kea, include_vars ]
+ when: kea_dhcp__include_vars is not None
+ ansible.builtin.include_vars:
+ file: "{{ kea_dhcp__include_vars }}"
+
+- name: Deploy kea-dhcp4 configuration file
+ tags: [ kea, dhcp4 ]
+ become: true
+ when: kea_dhcp__dhcp4.enable
+ ansible.builtin.template:
+ src: kea-dhcp4.conf.jinja
+ dest: /etc/kea/kea-dhcp4.conf
+ backup: true
+ owner: root
+ group: kea
+ mode: "u=rw,g=r,o="
+ validate: kea-dhcp4 -T %s
+ notify:
+ - Kea_dhcp4.reloaded
+
+- name: Deploy kea-dhcp6 configuration file
+ tags: [ kea, dhcp6 ]
+ become: true
+ when: kea_dhcp__dhcp6.enable
+ ansible.builtin.template:
+ src: kea-dhcp6.conf.jinja
+ dest: /etc/kea/kea-dhcp6.conf
+ backup: true
+ owner: root
+ group: kea
+ mode: "u=rw,g=r,o="
+ validate: kea-dhcp6 -T %s
+ notify:
+ - Kea_dhcp6.reloaded
+
+- name: Copy kea-ctrl-agent configuration file
+ tags: [ kea, ctrl-agent ]
+ become: true
+ when: kea_dhcp__stork_agent.enable
+ ansible.builtin.template:
+ src: kea-ctrl-agent.conf.j2
+ dest: /etc/kea/kea-ctrl-agent.conf
+ owner: root
+ group: kea
+ mode: "u=rw,g=r,o="
+ validate: kea-ctrl-agent -t %s
+ notify:
+ - Kea_ctrl.reloaded
+ - Stork_agent.restarted
diff --git a/roles/kea_dhcp/tasks/main.yml b/roles/kea_dhcp/tasks/main.yml
new file mode 100644
index 0000000..a3478fa
--- /dev/null
+++ b/roles/kea_dhcp/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+- name: Setup Kea DHCP
+ tags: [kea, dhcp]
+ block:
+ - name: Install Kea on Archlinux
+ when: ansible_facts['distribution'] == "Archlinux"
+ ansible.builtin.import_tasks: install_archlinux.yml
+
+ - name: Install Kea on Debian
+ when: ansible_facts['distribution'] == "Debian"
+ ansible.builtin.import_tasks: install_debian.yml
+
+ - name: Configure Kea
+ ansible.builtin.include_tasks: kea.yaml
+
+- name: Run stork-agent tasks
+ tags: [stork-agent, monitoring]
+ when: kea_dhcp__stork_agent.enable
+ ansible.builtin.include_tasks: stork-agent.yaml
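Review bot: `when: kea_dhcp__include_vars is not None` in kea.yaml names a Jinja test `None` that does not exist (the test is lowercase), so with the empty default from defaults/main.yaml the include task raises a template error instead of being skipped; write `when: kea_dhcp__include_vars is not none`. The `file:` value comes straight from inventory and a relative path is resolved against the role's vars/ directory or the playbook directory, so `resources/z9/rt1/kea_dhcp.yaml` only resolves under the same working-directory convention the file lookups in host_vars already rely on — a comment on the task stating that convention would help. The ctrl-agent config is rendered only when `kea_dhcp__stork_agent.enable` is true although the dhcp4/dhcp6 configs always declare their control sockets; a comment saying the agent is opt-in and the sockets are harmless without it would make the coupling explicit.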
diff --git a/roles/kea_dhcp/tasks/stork-agent.yaml b/roles/kea_dhcp/tasks/stork-agent.yaml
new file mode 100644
index 0000000..916760c
--- /dev/null
+++ b/roles/kea_dhcp/tasks/stork-agent.yaml
@@ -0,0 +1,76 @@ +--- +- name: Install stork-agent + tags: [stork-agent] + block: + - name: Install stork-agent on Archlinux + when: ansible_facts['distribution'] == "Archlinux" + tags: [stork-agent, archlinux] + block: + - name: Create stork-agent user + ansible.builtin.user: + name: stork-agent + create_home: false + home: "/var/lib/stork-agent" + shell: "/usr/bin/nologin" + system: true + groups: ["kea"] + append: true + + - name: Install stork-agent with aur_pkg_install + ansible.builtin.include_role: + name: aur_pkg_install + vars: + aur_pkg_install__pkg_name: "stork-agent" + aur_pkg_install__git_clone_url: "https://ansible:{{ secret__ansible_git_token }}@git.fux-eg.net/aur-mirror/stork-agent.git" + aur_pkg_install__git_ref: "bf96e34" + + - name: Install stork-agent on Debian + when: ansible_facts['distribution'] == "Debian" + tags: [stork-agent, debian] + block: + - name: Register isc-stork apt repository + become: true + register: "kea_dhcp_install_repo" + ansible.builtin.deb822_repository: + name: isc-stork + uris: https://dl.cloudsmith.io/public/isc/stork/deb/debian + suites: any-version + components: main + signed_by: https://dl.cloudsmith.io/public/isc/stork/gpg.key + + - name: Install isc-stork-agent + become: true + ansible.builtin.apt: + name: isc-stork-agent + update_cache: "{{ kea_dhcp_install_repo.changed }}" + + - name: Add stork-agent user to _kea group on Debian + when: ansible_facts['distribution'] == "Debian" + become: true + ansible.builtin.user: + name: stork-agent + groups: ["_kea"] + append: true + + - name: Config for stork-agent + ansible.builtin.template: + src: stork-agent.env.jinja + dest: /etc/stork/agent.env + owner: root + group: root + mode: "0660" + notify: + - Systemd_daemon_reload + - Stork_agent.restarted + + - name: Flush handlers + ansible.builtin.meta: flush_handlers + + - name: Ensure that stork kea exporter is working + ansible.builtin.uri: + url: "http://localhost:9547/metrics" + method: GET + register: 
kea_dhcp_stork_status_code + retries: 6 + delay: 5 + until: kea_dhcp_stork_status_code.status == 200 diff --git a/roles/kea_dhcp/templates/kea-ctrl-agent.conf.j2 b/roles/kea_dhcp/templates/kea-ctrl-agent.conf.j2 new file mode 100644 index 0000000..5ac1473 --- /dev/null +++ b/roles/kea_dhcp/templates/kea-ctrl-agent.conf.j2 @@ -0,0 +1,20 @@ +{ +"Control-agent": { + "http-host": "127.0.0.1", + "http-port": 8000, + "control-sockets": { + {% if kea_dhcp__dhcp4.enable | default(false) %} + "dhcp4": { + "socket-type": "{{ kea_dhcp__dhcp4['control-sockets'][0]['socket-type'] }}", + "socket-name": "{{ kea_dhcp__dhcp4['control-sockets'][0]['socket-name'] }}" + }{% if kea_dhcp__dhcp6.enable %},{% endif %} + {% endif %} + {% if kea_dhcp__dhcp6.enable | default(false) %} + "dhcp6": { + "socket-type": "{{ kea_dhcp__dhcp6['control-sockets'][0]['socket-type'] }}", + "socket-name": "{{ kea_dhcp__dhcp6['control-sockets'][0]['socket-name'] }}" + }, + {% endif %} + } +} +} diff --git a/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja b/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja new file mode 100644 index 0000000..78f06ae --- /dev/null +++ b/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja 
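Review bot: In stork-agent.yaml the AUR clone URL embeds `{{ secret__ansible_git_token }}` in the URL itself; include_role arguments appear in task output and verbose logs, and the token then persists in the remote configuration of the cloned checkout, so put `no_log: true` on that include_role task and prefer handing the credential to aur_pkg_install through a credential helper rather than the URL. The `Create stork-agent user` and `Config for stork-agent` tasks have no `become: true` while the neighbouring Debian tasks do; unless become is set at play level (not visible here), creating a system user and writing `/etc/stork/agent.env` fail. `/etc/stork/agent.env` is written root:root with mode 0660, which the stork-agent user cannot read — that only works if the unit loads it via EnvironmentFile= as root, which is worth a comment on the task. The enclosing block starts outside the hunk.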
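Review bot: In the `dhcp6` branch of kea-ctrl-agent.conf.j2 the object is closed with `},` unconditionally, so whenever DHCPv6 is enabled the rendered `control-sockets` object ends with a trailing comma before `}`; if Kea's parser rejects that (the `kea-ctrl-agent -t` validate step will show), the agent cannot start. Mirror the dhcp4 branch and emit the comma only when another entry follows, or simply close with `}` instead of `},`. `"http-host": "127.0.0.1"` keeps the unauthenticated control API off the network; a comment stating that this is intentional would stop a later edit from widening it casually.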
@@ -0,0 +1,27 @@ +{ + "Dhcp4": { + "interfaces-config": { + "interfaces": {{ kea_dhcp__dhcp4.interfaces | to_nice_json }} + }, + "control-sockets": {{ kea_dhcp__dhcp4['control-sockets'] | to_nice_json }}, + "lease-database": {{ kea_dhcp__dhcp4['lease-database'] | to_nice_json }}, + {% if kea_dhcp__dhcp4['option-data'] is defined and kea_dhcp__dhcp4['option-data'] %} + "option-data": {{ kea_dhcp__dhcp4['option-data'] | to_nice_json }}, + {% endif %} + "subnet4": [ + {% for subnet in kea_dhcp__dhcp4.subnets %} + { + "id": {{ subnet.id }}, + "subnet": "{{ subnet.subnet }}", + "pools": {{ subnet.pools | to_nice_json }}, + {% if subnet.reservations is defined and subnet.reservations %} + "reservations": {{ subnet.reservations | to_nice_json }}, + {% endif %} + {% if subnet['option-data'] is defined and subnet['option-data'] %} + "option-data": {{ subnet['option-data'] | to_nice_json }} + {% endif %} + }{% if not loop.last %},{% endif %} + {% endfor %} + ] + } +} diff --git a/roles/kea_dhcp/templates/kea-dhcp6.conf.jinja b/roles/kea_dhcp/templates/kea-dhcp6.conf.jinja new file mode 100644 index 0000000..da1929a --- /dev/null +++ b/roles/kea_dhcp/templates/kea-dhcp6.conf.jinja 
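Review bot: Each subnet object ends with a trailing comma whenever that subnet has no `option-data`: `"pools": …,` or `"reservations": …,` is emitted with a comma and nothing follows before `}`, so such subnets render as JSON that Kea may reject (the `-T` validate step would catch it at deploy time, not earlier). Since the YAML already uses Kea's own key names, the whole loop can be replaced by `"subnet4": {{ kea_dhcp__dhcp4.subnets | to_nice_json }}`, which serialises every subnet with correct comma placement; kea-dhcp6.conf.jinja has the same structure and would take `"subnet6": {{ kea_dhcp__dhcp6.subnets | to_nice_json }}`. This passes through every key present in the YAML, including the `nil` placeholders in defaults/main.yaml, so the `enable: false` guard on the deploy task remains load-bearing and deserves a comment saying so.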
@@ -0,0 +1,27 @@ +{ + "Dhcp6": { + "interfaces-config": { + "interfaces": {{ kea_dhcp__dhcp6.interfaces | to_nice_json }} + }, + "control-sockets": {{ kea_dhcp__dhcp6['control-sockets'] | to_nice_json }}, + "lease-database": {{ kea_dhcp__dhcp6['lease-database'] | to_nice_json }}, + {% if kea_dhcp__dhcp6['option-data'] is defined and kea_dhcp__dhcp6['option-data'] %} + "option-data": {{ kea_dhcp__dhcp6['option-data'] | to_nice_json }}, + {% endif %} + "subnet6": [ + {% for subnet in kea_dhcp__dhcp6.subnets %} + { + "id": {{ subnet.id }}, + "subnet": "{{ subnet.subnet }}", + "pools": {{ subnet.pools | to_nice_json }}, + {% if subnet.reservations is defined and subnet.reservations %} + "reservations": {{ subnet.reservations | to_nice_json }}, + {% endif %} + {% if subnet['option-data'] is defined and subnet['option-data'] %} + "option-data": {{ subnet['option-data'] | to_nice_json }} + {% endif %} + }{% if not loop.last %},{% endif %} + {% endfor %} + ] + } +} diff --git a/roles/kea_dhcp/templates/stork-agent.env.jinja b/roles/kea_dhcp/templates/stork-agent.env.jinja new file mode 100644 index 0000000..bdfa4d2 --- /dev/null +++ b/roles/kea_dhcp/templates/stork-agent.env.jinja 
@@ -0,0 +1,44 @@ +### the IP or hostname to listen on for incoming Stork server connections +# STORK_AGENT_HOST= + +### the TCP port to listen on for incoming Stork server connections +# STORK_AGENT_PORT=8081 + +### listen for commands from the Stork server only, but not for Prometheus requests +# STORK_AGENT_LISTEN_STORK_ONLY=true + +{% if kea_dhcp__stork_agent.prometheus_only %} +### listen for Prometheus requests only, but not for commands from the Stork server +STORK_AGENT_LISTEN_PROMETHEUS_ONLY=true +{% endif %} + +### settings for exporting stats to Prometheus +### the IP or hostname on which the agent exports Kea statistics to Prometheus +# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_ADDRESS= +### the port on which the agent exports Kea statistics to Prometheus +# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PORT= +## enable or disable collecting per-subnet stats from Kea +# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PER_SUBNET_STATS=true +### the IP or hostname on which the agent exports BIND 9 statistics to Prometheus +# STORK_AGENT_PROMETHEUS_BIND9_EXPORTER_ADDRESS= +### the port on which the agent exports BIND 9 statistics to Prometheus +# STORK_AGENT_PROMETHEUS_BIND9_EXPORTER_PORT= + +### Stork Server URL used by the agent to send REST commands to the server during agent registration +# STORK_AGENT_SERVER_URL= + +### skip TLS certificate verification when the Stork Agent connects +### to Kea over TLS and Kea uses self-signed certificates +# STORK_AGENT_SKIP_TLS_CERT_VERIFICATION=true + + +### Logging parameters + +### Set logging level. Supported values are: DEBUG, INFO, WARN, ERROR +STORK_LOG_LEVEL=DEBUG +### disable output colorization +# CLICOLOR=false + +### path to the hook directory +# STORK_AGENT_HOOK_DIRECTORY= + diff --git a/roles/unbound/README.md b/roles/unbound/README.md new file mode 100644 index 0000000..806b9d8 --- /dev/null +++ b/roles/unbound/README.md 
@@ -0,0 +1,19 @@ +# Unbound DNS resolver + +Role fora a validating, recursive, caching DNS resolver based on [Unbound](https://nlnetlabs.nl/projects/unbound/about/). +It is designed to be fast and lean and incorporates modern features based on open standards. + +- [Documentation](https://unbound.docs.nlnetlabs.nl/en/latest/) + +## Role Customization + +The following variables can be used to customize this role: + +| Variable | Type | Default | Description | +|------------------------------------------|-----------------|-----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| unbound_install_prometheus_exporter | Boolean | `true` | Whether [Unbound Exporter](https://github.com/letsencrypt/unbound_exporter) should also be installed to expose resolver statistics in prometheus format. | +| unbound_bind_interfaces | List of Strings | `[0.0.0.0, ::]` | List of interface names or IP addresses on which unbound will listen for dns queries | +| unbound_enable_unbound_control | Boolean | `true` | Whether the [remote control](https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/configuration.html#set-up-remote-control) feature of unbound should be configured. | +| unbound_enable_dnssec | Boolean | `true` | Whether dnssec validation should be enabled | +| unbound_access_control | List of Strings | `[]` | **Required** List of [unbound access control values](https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#:~:text=access-control:%20%3CIP%20netblock%3E%20%3Caction%3E) | +| unbound_disable_systemd_networkd | Boolean | `true` | If true, systemd-networkd is disabled and the local system is pointed towards the configured dns resolver. | diff --git a/roles/unbound/defaults/main.yml b/roles/unbound/defaults/main.yml new file mode 100644 index 0000000..fa6cb24 --- /dev/null 
+++ b/roles/unbound/defaults/main.yml @@ -0,0 +1,7 @@ +unbound_install_prometheus_exporter: true +unbound_bind_interfaces: [ "0.0.0.0", "::" ] +unbound_disable_systemd_networkd: true +unbound_enable_unbound_control: true +unbound_enable_dnssec: true +unbound_access_control: [ ] +unbound_private_domain: [ ] diff --git a/roles/unbound/files/no-resolved.resolv.conf b/roles/unbound/files/no-resolved.resolv.conf new file mode 100644 index 0000000..bbc8559 --- /dev/null +++ b/roles/unbound/files/no-resolved.resolv.conf @@ -0,0 +1 @@ +nameserver 127.0.0.1 diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml new file mode 100644 index 0000000..e1345bf --- /dev/null +++ b/roles/unbound/handlers/main.yml @@ -0,0 +1,27 @@ +- name: unbound.restarted + tags: [ unbound, dns, dns_resolver ] + become: true + ansible.builtin.systemd: + name: unbound.service + state: restarted + +- name: unbound.reloaded + tags: [ unbound, dns, dns_resolver ] + become: true + ansible.builtin.systemd: + name: unbound.service + state: reloaded + +- name: prometheus-unbound-exporter.restarted + become: true + ansible.builtin.systemd: + name: prometheus-unbound-exporter.service + state: restarted + enabled: true + +- name: prometheus-unbound-exporter.enabled + become: true + ansible.builtin.systemd: + name: prometheus-unbound-exporter.service + enabled: true + daemon_reload: true diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml new file mode 100644 index 0000000..7ed42cb --- /dev/null +++ b/roles/unbound/tasks/main.yml 
@@ -0,0 +1,63 @@
+- name: unbound role main
+ tags: [ unbound, dns, dns_resolver ]
+ block:
+
+ - name: install unbound dns resolver
+ become: true
+ ansible.builtin.package:
+ name: unbound
+
+ - name: install extra dns tooling
+ become: true
+ ansible.builtin.package:
+ name: [ bind ] # the bind package includes tools like dig in archlinux
+
+ - name: ensure correct directory permissions
+ become: true
+ ansible.builtin.file:
+ path: /etc/unbound
+ state: directory
+ mode: u=rwX,g=rX,o=rX
+ recurse: true
+ owner: unbound
+ group: unbound
+
+ - name: configure unbound dns resolver
+ become: true
+ notify: unbound.restarted
+ ansible.builtin.template:
+ src: unbound.conf.j2
+ dest: /etc/unbound/unbound.conf
+ owner: unbound
+ group: unbound
+ mode: u=rw,g=r,o=r
+
+ - name: ensure unbound is running and enabled
+ become: true
+ ansible.builtin.systemd:
+ name: unbound.service
+ state: started
+ enabled: true
+
+ - name: disable systemd-resolved
+ become: true
+ when: unbound_disable_systemd_networkd
+ ansible.builtin.systemd:
+ name: systemd-resolved.service
+ state: stopped
+ enabled: false
+
+ - name: configure system resolver to point to local unbound
+ become: true
+ when: unbound_disable_systemd_networkd
+ ansible.builtin.copy:
+ src: no-resolved.resolv.conf
+ dest: /etc/resolv.conf
+ owner: unbound
+ group: unbound
+ mode: u=rw,g=r,o=r
+
+
+ - name: install and configure prometheus-exporter for unbound
+ ansible.builtin.import_tasks: prometheus-exporter.yml
+ when: unbound_install_prometheus_exporter
diff --git a/roles/unbound/tasks/prometheus-exporter.yml b/roles/unbound/tasks/prometheus-exporter.yml
new file mode 100644
index 0000000..d05b838
--- /dev/null
+++ b/roles/unbound/tasks/prometheus-exporter.yml
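Review bot: `/etc/unbound` is chowned recursively to `unbound` and `unbound.conf` is installed as `unbound:unbound` with `u=rw`, so the service account can rewrite its own resolver configuration; the template's own comment suggests only the trust-anchor file needs to be daemon-writable, so keep the config `owner: root`, `group: unbound`, `mode: u=rw,g=r,o=` and confine the writable path to the anchor file. The template task has no `validate`; `validate: unbound-checkconf %s` would stop a broken config from being installed and then restarted into. `unbound_disable_systemd_networkd` actually stops systemd-resolved, not systemd-networkd — the variable name and the README row describe the wrong service, which on a host configured through networkd is an easy way to cause an outage by misreading; rename it to `unbound_disable_systemd_resolved`. `/etc/resolv.conf` is also written as `unbound:unbound` and should stay root-owned.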
@@ -0,0 +1,17 @@
+---
+- name: install unbound prometheus exporter
+ become: true
+ ansible.builtin.package:
+ name: prometheus-unbound-exporter
+ notify: prometheus-unbound-exporter.enabled
+
+- name: configure unbound exporter
+ become: true
+ ansible.builtin.copy:
+ dest: /etc/conf.d/prometheus-unbound-exporter
+ content: |
+ UNBOUND_EXPORTER_ARGS="-unbound.ca "" -unbound.cert "" -unbound.host "unix:///run/unbound-control.sock"
+ owner: root
+ group: root
+ mode: '0660'
+ notify: prometheus-unbound-exporter.restarted
diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2
new file mode 100644
index 0000000..a1e310e
--- /dev/null
+++ b/roles/unbound/templates/unbound.conf.j2
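Review bot: The `content` line nests unescaped double quotes inside a double-quoted value (`"-unbound.ca "" -unbound.cert "" …"`); how that tokenises depends on whatever reads `/etc/conf.d/prometheus-unbound-exporter`, and with a systemd EnvironmentFile= the adjacent quotes may not produce the empty arguments intended. The unambiguous form is `UNBOUND_EXPORTER_ARGS="-unbound.ca= -unbound.cert= -unbound.host=unix:///run/unbound-control.sock"`, which Go's flag parser accepts for string flags. The file holds no secret, so `mode: '0660'` on a root:root file only works if the unit reads it as root; `0644` is the simpler choice, or add a comment stating the EnvironmentFile= assumption.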
@@ -0,0 +1,73 @@
+# ref: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
+# unbound.conf(5) man page
+server:
+ {% if unbound_enable_dnssec -%}
+ # disable chroot because unbound is the only thing running on the VM
+ # and because it has issues with how archlinux configures the systemd units write protection regarding the anchor file
+ chroot: ""
+
+ # location of the trust anchor file that enables DNSSEC
+ # this file is generated by the `unbound-anchor` command
+ auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
+ {% endif -%}
+
+ # use all CPUs
+ num-threads: 2
+
+ # more cache memory
+ rrset-cache-size: 60m
+ msg-cache-size: 30m
+
+ # prefetch to keep the cache up to date
+ prefetch: yes
+
+ # fetch the DNSKEYs earlier in the validation process, when a DS record is encountered
+ prefetch-key: yes
+
+ # Faster UDP with multithreading (only on Linux).
+ so-reuseport: yes
+
+ # disable special large send buffer handling and just use kernel defaults
+ so-sndbuf: 0
+
+ # send minimal amount of information to upstream servers to enhance privacy
+ qname-minimisation: yes
+
+ # specify the interface to answer queries from by ip-address.
+ {% for i in unbound_bind_interfaces -%}
+ interface: "{{ i }}"
+ {% endfor %}
+
+ # addresses from the IP range that are allowed to connect to the resolver
+ {% for i in unbound_access_control -%}
+ access-control: {{ i }}
+ {% endfor -%}
+
+ {% for i in unbound_private_domain -%}
+ private-domain: {{ i }}
+ {% endfor -%}
+
+ # The number of seconds between printing statistics to the log for every thread.
+ statistics-interval: 0
+
+ # Extended statistics are printed, Keeping track of more statistics takes time.
+ extended-statistics: yes
+
+remote-control:
+ control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }}
+ control-interface: /run/unbound-control.sock
+
+
+# configure some zones for which this resolver will act authoritatively
+# https://www.dns.icann.org/services/axfr/
+{% for i in [ ".", "in-addr.arpa.", "arpa.", "root-servers.net.", "ip6.arpa.", "ip6-servers.arpa.", "mcast.net." ] %}
+auth-zone:
+ name: "{{ i }}"
+ primary: "lax.xfr.dns.icann.org"
+ primary: "iad.xfr.dns.icann.org"
+ fallback-enabled: yes
+ for-downstream: no
+ for-upstream: yes
+
+
+{% endfor %}
From 3a091f7aa55d5ce1a1e4989ef82a7a986c75bd4b Mon Sep 17 00:00:00 2001
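Review bot: `access-control: {{ i }}` emits each element of `unbound_access_control` verbatim, but the directive takes a netblock followed by an action (`access-control: <netblock> <action>`), and the z9-router inventory on this page sets `unbound_access_control: [ "10.89.208.0/20" ]` with no action, which unbound's config parser should reject; either the variable's contract is "netblock and action" (then the inventory needs `"10.89.208.0/20 allow"`) or the template should supply it, e.g. `access-control: {{ i }} allow`, and a comment on the loop should say which. The `# use all CPUs` comment sits above a hard-coded `num-threads: 2`; `num-threads: {{ ansible_processor_vcpus }}` or a role variable would make the comment true. The `{% endfor %}` after the interface loop lacks the `-` whitespace control the other loops use, so that block renders with stray blank lines, which is harmless but inconsistent. The `auto-trust-anchor-file` comment says the file is generated by `unbound-anchor`, yet none of the tasks on this page run it, so a note on where the anchor actually comes from (package hook, timer or manual step) would save the next maintainer a failed first start with DNSSEC enabled.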
From: bitwhisker Date: Mon, 25 May 2026 18:31:05 +0200 Subject: [PATCH 03/35] z9-router(host): rename rt1 to z9-router --- .../{rt1.sops.yaml => z9-router.sops.yaml} | 8 ++++---- .../z9/host_vars/{rt1.yaml => z9-router.yaml} | 8 ++++---- inventories/z9/hosts.yaml | 18 +++++++++--------- resources/z9/{rt1 => z9-router}/kea_dhcp.yaml | 0 .../{rt1 => z9-router}/nftables/nftables.conf | 0 .../systemd_networkd/00-netlan.link | 0 .../systemd_networkd/00-netwan.link | 0 .../systemd_networkd/10-netlan.51.netdev | 0 .../systemd_networkd/10-netlan.52.netdev | 0 .../systemd_networkd/10-netlan.53.netdev | 0 .../systemd_networkd/10-netlan.54.netdev | 0 .../systemd_networkd/10-netwan.400.netdev | 0 .../systemd_networkd/10-wg55.netdev | 0 .../systemd_networkd/20-netlan.network | 0 .../systemd_networkd/20-netwan.network | 0 .../systemd_networkd/20-wg55.network | 0 .../21-netlan.51-clients.network | 0 .../systemd_networkd/21-netlan.52-iot.network | 0 .../21-netlan.53-public.network | 0 .../21-netlan.54-management.network | 0 .../21-netwan.400-fux_uplink.network | 0 .../systemd_networkd_global_config.conf | 0 22 files changed, 17 insertions(+), 17 deletions(-) rename inventories/z9/host_vars/{rt1.sops.yaml => z9-router.sops.yaml} (94%) rename inventories/z9/host_vars/{rt1.yaml => z9-router.yaml} (53%) rename resources/z9/{rt1 => z9-router}/kea_dhcp.yaml (100%) rename resources/z9/{rt1 => z9-router}/nftables/nftables.conf (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/00-netlan.link (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/00-netwan.link (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/10-netlan.51.netdev (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/10-netlan.52.netdev (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/10-netlan.53.netdev (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/10-netlan.54.netdev (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/10-netwan.400.netdev 
(100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/10-wg55.netdev (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/20-netlan.network (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/20-netwan.network (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/20-wg55.network (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/21-netlan.51-clients.network (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/21-netlan.52-iot.network (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/21-netlan.53-public.network (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/21-netlan.54-management.network (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/21-netwan.400-fux_uplink.network (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd_global_config.conf (100%) diff --git a/inventories/z9/host_vars/rt1.sops.yaml b/inventories/z9/host_vars/z9-router.sops.yaml similarity index 94% rename from inventories/z9/host_vars/rt1.sops.yaml rename to inventories/z9/host_vars/z9-router.sops.yaml index f4141fd..89f18e1 100644 --- a/inventories/z9/host_vars/rt1.sops.yaml +++ b/inventories/z9/host_vars/z9-router.sops.yaml 
@@ -1,8 +1,8 @@ secrets__secrets: - - name: ENC[AES256_GCM,data:MmqDXUKy+U67JZFmKJTGLYAJcYPClQ8M2w==,iv:/eDx++bJCzdKXYB8YipB/GB6aM421JR3sy8i5trBKxk=,tag:/zTklys9bN839iT1qOH0UQ==,type:str] + - name: ENC[AES256_GCM,data:gt9BarzsfE/GJ5gQeelgePquW6KAgE3Exv4=,iv:IPpUQI+zkf8O+ej+ZxLFyWUOrxGGlZvmDRG0ut2cNsA=,tag:GP66MvcKyCqyKV814+uMYg==,type:str] content: ENC[AES256_GCM,data:2ljp324rAsF2zk2631TI7bV1xKxdFr4u4NxrsPYnjWsL0PX0n0KhJ1qvJCs=,iv:0+DxsTTiNLOg5iH83bFT/d+0uW2rn6bATSm3xc5PEdE=,tag:XbBDrrjriXPedyT4+sBBwA==,type:str] - name: ENC[AES256_GCM,data:9i4hZU7Hv/IMlI/1oYthx8g57nrst9LHZQk=,iv:IQanD/CA64A+hVyTQBiTvWdXyY8qNF9BpehWZxI5a9c=,tag:RiY0OJe2xbFPG6wfe5XjiA==,type:str] - content: ENC[AES256_GCM,data:lrwHaNvHkh5E94ziiQsd8ua9YvuwmhZ6iIGZS0oFnZdYKuyNh7egWOoii2o=,iv:LLRKhbiJl1GwK/SfqNdNrrJuDF17YXw3hHmuhlyI87w=,tag:DbR/a7jfy1+4yswSdYfOFA==,type:str] + content: ENC[AES256_GCM,data:68GUwG1Q2s2jH92HS0FQWrcMHJP8fHjrOqr21gsdswxKekQrpxX5B3BBFfM=,iv:HOsNUAKE5rOmKgZft2JK1NnZUuhk261d9WYWJS22nLM=,tag:3husFvB57AGVFzF7hKzLpw==,type:str] - name: ENC[AES256_GCM,data:2lJUcDJ7ECJ1bF4Fg1VwOR2tBIQ77ZvDAbFF8w==,iv:HrPWIetjN/lOyQ7Mvk0sM1w+bWldlNfWhvw7/sfqKN8=,tag:AJL0s+f0O/yR4G3RVd1IHQ==,type:str] content: ENC[AES256_GCM,data:68GUwG1Q2s2jH92HS0FQWrcMHJP8fHjrOqr21gsdswxKekQrpxX5B3BBFfM=,iv:HOsNUAKE5rOmKgZft2JK1NnZUuhk261d9WYWJS22nLM=,tag:3husFvB57AGVFzF7hKzLpw==,type:str] - name: ENC[AES256_GCM,data:ESxpEp9k9BdD1GJv+af+U3ny0+RPuaJjWDhQ,iv:DxsZLiDF8F+ixepbUdlitMJ7DLHjGNFNuxRwLl7efo8=,tag:STnv/oLzbchdiwXfKP3fow==,type:str] 
@@ -18,8 +18,8 @@ secrets__secrets: - name: ENC[AES256_GCM,data:ERsggezMBbs1YwbIgwzKSAEHWWOWYxap8IDdn2YtEKvZexqu,iv:XbObLp2QERgt57tc/Cpha1CWXi+GttcIU8hJFGSp8e8=,tag:FqCuSbvLRERpVnQTzQsfpQ==,type:str] content: ENC[AES256_GCM,data:QPoZA71CwE8EFE0I+6z0z0O1bUCMQDDDG7wGNoxXKt3ovLkFt21r8WG7VhA=,iv:InX6A71f3DGTg1wO4G0ECf488+FnKgTHffVwvJ9hHQ0=,tag:EVxwJlneN1CbMLXto7uLFw==,type:str] sops: - lastmodified: "2026-05-23T21:19:38Z" - mac: ENC[AES256_GCM,data:Ded0VfGn8H2qGMk5LDyqF1gW8hajKc9FgvCynHPQkWkhMSdaHYbFwf//gWi2TjIO22HD5sPw1w9KAjPy53b57RwBCjXfMMq0JCPvuePLK40NC8uCAi+wr5Er0fAWz1JiaA+dowposoi6RxBtyHCaNHMDVGMLh1j+IL+pTOyi6fk=,iv:gssOMmR0DDQC4WjMVXTD/zqbQa8qlBr9ZZWF15W0WnE=,tag:DORTxQfCmpVjDjyGSNH7dw==,type:str] + lastmodified: "2026-05-25T16:29:22Z" + mac: ENC[AES256_GCM,data:zxtV1xgjQuKNMvh6S8oAOxX5J6+iBRO6k3vGw3vWNlhah4Gu3S/lt+5v8lQHogz1Vyc+Zff0yMj1cn6RstDDj5AuOCljRQN0FYs0fjCo4Yrxx5sMMwcwBYquC77skEiZhRnqdXKkjiOM7EGE8qj8O3DJ29borIjm5NAsflH/qkA=,iv:7EUElg+gu8mk2Gq32JQMTf+A1+ZhZufoqt5bk4+Ca1E=,tag:XG+F/zlXizsc2B8THoXj4g==,type:str] pgp: - created_at: "2026-05-23T20:58:22Z" enc: |- diff --git a/inventories/z9/host_vars/rt1.yaml b/inventories/z9/host_vars/z9-router.yaml similarity index 53% rename from inventories/z9/host_vars/rt1.yaml rename to inventories/z9/host_vars/z9-router.yaml index 876776a..c9d2b6f 100644 --- a/inventories/z9/host_vars/rt1.yaml +++ b/inventories/z9/host_vars/z9-router.yaml 
@@ -1,7 +1,7 @@
-systemd_networkd__config_dir: 'resources/z9/rt1/systemd_networkd/'
-systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/systemd_networkd_global_config.conf') }}"
-nftables__config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/nftables/nftables.conf') }}"
+systemd_networkd__config_dir: 'resources/z9/z9-router/systemd_networkd/'
+systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/z9/z9-router/systemd_networkd_global_config.conf') }}"
+nftables__config: "{{ lookup('ansible.builtin.file', 'resources/z9/z9-router/nftables/nftables.conf') }}"
 ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
 ansible_pull__timer_randomized_delay_sec: 0min
 unbound_access_control: [ "10.89.208.0/20" ]
-kea_dhcp__include_vars: resources/z9/rt1/kea_dhcp.yaml
+kea_dhcp__include_vars: resources/z9/z9-router/kea_dhcp.yaml
diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml
index 407aa2f..90f2efd 100644
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@@ -14,8 +14,8 @@ all:
 yate:
 ansible_host: yate.ccchh.net
 ansible_user: chaos
- rt1:
- ansible_host: rt1.ccchh.net
+ z9-router:
+ ansible_host: z9-router.ccchh.net
 ansible_user: chaos
 certbot_hosts:
 hosts:
@@ -38,7 +38,7 @@ infrastructure_authorized_keys_hosts:
 light:
 waybackproxy:
 yate:
- rt1:
+ z9-router:
 nginx_hosts:
 hosts:
 dooris:
@@ -52,22 +52,22 @@ proxmox_vm_template_hosts:
 thinkcccore0:
 systemd_networkd_hosts:
 hosts:
- rt1:
+ z9-router:
 nftables_hosts:
 hosts:
- rt1:
+ z9-router:
 unbound_hosts:
 hosts:
- rt1:
+ z9-router:
 kea_dhcp_hosts:
 hosts:
- rt1:
+ z9-router:
 alloy_hosts:
 hosts:
 light:
 yate:
 dooris:
- rt1:
+ z9-router:
 ansible_pull_hosts:
 hosts:
 dooris:
@@ -76,4 +76,4 @@ ansible_pull_hosts:
 yate:
 secrets_hosts:
 hosts:
- rt1:
+ z9-router:
diff --git a/resources/z9/rt1/kea_dhcp.yaml b/resources/z9/z9-router/kea_dhcp.yaml similarity index 100% rename from resources/z9/rt1/kea_dhcp.yaml rename to resources/z9/z9-router/kea_dhcp.yaml diff --git a/resources/z9/rt1/nftables/nftables.conf b/resources/z9/z9-router/nftables/nftables.conf similarity index 100% rename from resources/z9/rt1/nftables/nftables.conf rename to resources/z9/z9-router/nftables/nftables.conf diff --git a/resources/z9/rt1/systemd_networkd/00-netlan.link b/resources/z9/z9-router/systemd_networkd/00-netlan.link similarity index 100% rename from resources/z9/rt1/systemd_networkd/00-netlan.link rename to resources/z9/z9-router/systemd_networkd/00-netlan.link diff --git a/resources/z9/rt1/systemd_networkd/00-netwan.link b/resources/z9/z9-router/systemd_networkd/00-netwan.link similarity index 100% rename from resources/z9/rt1/systemd_networkd/00-netwan.link rename to resources/z9/z9-router/systemd_networkd/00-netwan.link diff --git a/resources/z9/rt1/systemd_networkd/10-netlan.51.netdev b/resources/z9/z9-router/systemd_networkd/10-netlan.51.netdev similarity index 100% rename from resources/z9/rt1/systemd_networkd/10-netlan.51.netdev rename to resources/z9/z9-router/systemd_networkd/10-netlan.51.netdev diff --git a/resources/z9/rt1/systemd_networkd/10-netlan.52.netdev b/resources/z9/z9-router/systemd_networkd/10-netlan.52.netdev similarity index 100% rename from resources/z9/rt1/systemd_networkd/10-netlan.52.netdev rename to resources/z9/z9-router/systemd_networkd/10-netlan.52.netdev diff --git a/resources/z9/rt1/systemd_networkd/10-netlan.53.netdev b/resources/z9/z9-router/systemd_networkd/10-netlan.53.netdev similarity index 100% rename from resources/z9/rt1/systemd_networkd/10-netlan.53.netdev rename to resources/z9/z9-router/systemd_networkd/10-netlan.53.netdev 
diff --git a/resources/z9/rt1/systemd_networkd/10-netlan.54.netdev b/resources/z9/z9-router/systemd_networkd/10-netlan.54.netdev similarity index 100% rename from resources/z9/rt1/systemd_networkd/10-netlan.54.netdev rename to resources/z9/z9-router/systemd_networkd/10-netlan.54.netdev diff --git a/resources/z9/rt1/systemd_networkd/10-netwan.400.netdev b/resources/z9/z9-router/systemd_networkd/10-netwan.400.netdev similarity index 100% rename from resources/z9/rt1/systemd_networkd/10-netwan.400.netdev rename to resources/z9/z9-router/systemd_networkd/10-netwan.400.netdev diff --git a/resources/z9/rt1/systemd_networkd/10-wg55.netdev b/resources/z9/z9-router/systemd_networkd/10-wg55.netdev similarity index 100% rename from resources/z9/rt1/systemd_networkd/10-wg55.netdev rename to resources/z9/z9-router/systemd_networkd/10-wg55.netdev diff --git a/resources/z9/rt1/systemd_networkd/20-netlan.network b/resources/z9/z9-router/systemd_networkd/20-netlan.network similarity index 100% rename from resources/z9/rt1/systemd_networkd/20-netlan.network rename to resources/z9/z9-router/systemd_networkd/20-netlan.network diff --git a/resources/z9/rt1/systemd_networkd/20-netwan.network b/resources/z9/z9-router/systemd_networkd/20-netwan.network similarity index 100% rename from resources/z9/rt1/systemd_networkd/20-netwan.network rename to resources/z9/z9-router/systemd_networkd/20-netwan.network diff --git a/resources/z9/rt1/systemd_networkd/20-wg55.network b/resources/z9/z9-router/systemd_networkd/20-wg55.network similarity index 100% rename from resources/z9/rt1/systemd_networkd/20-wg55.network rename to resources/z9/z9-router/systemd_networkd/20-wg55.network diff --git a/resources/z9/rt1/systemd_networkd/21-netlan.51-clients.network b/resources/z9/z9-router/systemd_networkd/21-netlan.51-clients.network similarity index 100% rename from resources/z9/rt1/systemd_networkd/21-netlan.51-clients.network rename to resources/z9/z9-router/systemd_networkd/21-netlan.51-clients.network 
diff --git a/resources/z9/rt1/systemd_networkd/21-netlan.52-iot.network b/resources/z9/z9-router/systemd_networkd/21-netlan.52-iot.network similarity index 100% rename from resources/z9/rt1/systemd_networkd/21-netlan.52-iot.network rename to resources/z9/z9-router/systemd_networkd/21-netlan.52-iot.network diff --git a/resources/z9/rt1/systemd_networkd/21-netlan.53-public.network b/resources/z9/z9-router/systemd_networkd/21-netlan.53-public.network similarity index 100% rename from resources/z9/rt1/systemd_networkd/21-netlan.53-public.network rename to resources/z9/z9-router/systemd_networkd/21-netlan.53-public.network diff --git a/resources/z9/rt1/systemd_networkd/21-netlan.54-management.network b/resources/z9/z9-router/systemd_networkd/21-netlan.54-management.network similarity index 100% rename from resources/z9/rt1/systemd_networkd/21-netlan.54-management.network rename to resources/z9/z9-router/systemd_networkd/21-netlan.54-management.network diff --git a/resources/z9/rt1/systemd_networkd/21-netwan.400-fux_uplink.network b/resources/z9/z9-router/systemd_networkd/21-netwan.400-fux_uplink.network similarity index 100% rename from resources/z9/rt1/systemd_networkd/21-netwan.400-fux_uplink.network rename to resources/z9/z9-router/systemd_networkd/21-netwan.400-fux_uplink.network diff --git a/resources/z9/rt1/systemd_networkd_global_config.conf b/resources/z9/z9-router/systemd_networkd_global_config.conf similarity index 100% rename from resources/z9/rt1/systemd_networkd_global_config.conf rename to resources/z9/z9-router/systemd_networkd_global_config.conf From 311a4114f984cfab42abe55217a65da733919a46 Mon Sep 17 00:00:00 2001 
From: bitwhisker Date: Mon, 25 May 2026 19:26:52 +0200 Subject: [PATCH 04/35] z9-router(host): add ansible pull --- .sops.yaml | 7 + inventories/z9/group_vars/all.sops.yaml | 298 ++++++++++--------- inventories/z9/host_vars/z9-router.sops.yaml | 251 ++++++++-------- inventories/z9/hosts.yaml | 1 + 4 files changed, 294 insertions(+), 263 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index b517a43..bcb30f8 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -48,6 +48,7 @@ keys: - &host_light_ansible_pull_age_key age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q - &host_waybackproxy_ansible_pull_age_key age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j - &host_yate_ansible_pull_age_key age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22 + - &host_z9_router_ansible_pull_age_key age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp creation_rules: ## group vars @@ -241,6 +242,12 @@ creation_rules: *admin_gpg_keys age: - *host_yate_ansible_pull_age_key + - path_regex: "inventories/z9/host_vars/z9-router\\.sops\\..+" + key_groups: + - pgp: + *admin_gpg_keys + age: + - *host_z9_router_ansible_pull_age_key # general - path_regex: ".+\\.sops\\..+" key_groups: diff --git a/inventories/z9/group_vars/all.sops.yaml b/inventories/z9/group_vars/all.sops.yaml index bc4c3f1..f5aed04 100644 --- a/inventories/z9/group_vars/all.sops.yaml +++ b/inventories/z9/group_vars/all.sops.yaml 
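Review bot: The new `z9-router` creation rule is correctly placed ahead of the catch-all `.+\\.sops\\..+` rule, but the re-encryption of `inventories/z9/group_vars/all.sops.yaml` in this same commit adds `age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp` (the same key as `host_z9_router_ansible_pull_age_key`) as a recipient, so the router's unattended pull key can now decrypt every group-wide secret in that file, including `msmtp__smtp_password` and `metrics__chaos_password`, not only its own host vars. If every ansible-pull host is meant to read all z9 group secrets this is by design and deserves a one-line comment next to the `## group vars` rules stating it; otherwise the credentials the router does not need belong in a sops file with a narrower recipient list. The group-vars rule that produced this recipient set lies outside the visible part of the `.sops.yaml` hunk.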
@@ -2,213 +2,225 @@ metrics__chaos_password: ENC[AES256_GCM,data:seOU504dZ9K21+NK1MBf9isee2L2rueP6Bl msmtp__smtp_password: ENC[AES256_GCM,data:FAih8FghRYDx3QGFCjKoJ8Zq0TkeCIx4n1jTx4/sASgECqvucg==,iv:8NDn3wj/bXsbHbuce3ycJTBVWde6XAVxv4NuMUkMbIM=,tag:jeE2b0i/8JPtguLYQvdV1w==,type:str] sops: age: - - recipient: age1j0876shgsn7f2thxh9kx9x5uwnh45z6sy2jlk2qz5jhgedm26g5srn9kax - enc: | + - enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VWJQWnBhcDc3VXh3TnMy - RFljQU0vNS9iY3AvTWFraUxneHIremlDeUZvCmdzd0twWHZEdTZSbHpLbEpRRDNX - aGI4ZlczN0tFbC94TzJ4bm9aUjkwcVEKLS0tIHRGSGdkQkN6ZEVTUjl1cGhMZzVI - S2FtSktoWmF2TjZCZnNlYWpWYzQ4MzQKeK7f+UPSanQsOIXNjzZa9B5FafNFsN3W - sjssDdbNQ1OEn2CLWRVQl1umKrADuvd85fMu3gUZrycZRDCCfsBzVg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTzAzaVFSRDQwN2llbmdl + alBBVDZwTWhWUkV2L3ZLZmNDUDRyTitDaFVzCkNRTEN4ODV5ekxRVlBZT3ZIM2pj + Z0JxYUlobHZCeGxxNE9PcENkR2h2VDAKLS0tIFZiVXJHSU5naXhSSEFobVZBN1Rl + NnVDUVRyVWxlUnMydVhiQ2s0bGMzTGcKh97/UOPxrKieK5dKdGyRqCRi8Sm5UNcT + I9jLCPqX8Utt0e2EEp+ivJwFxgo7QuNCYWu6jtPCO/Zmc5Q/2tJQ9Q== -----END AGE ENCRYPTED FILE----- - - recipient: age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q - enc: | + recipient: age1j0876shgsn7f2thxh9kx9x5uwnh45z6sy2jlk2qz5jhgedm26g5srn9kax + - enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkSmVEVyt3OCtvUUNqV2FR - QW5WaDBFcnZVMTV3QWdSLzhxRENCdGNaVFU0CmxqM0xIWUVCSUwvY1pBVjQ0RCtq - T0psSG84VWdpY1dYa2doeFZXd2RKNVEKLS0tIGNFeDFRYzBDN3NWcnpUSVhEWitY - RXhLRkp3ajdlNGY4R3hRcWVSUU04T0UKdprDhBpp0aMc733Wx/K7hS/nLVohvlft - N9aSQdcRoqT3/iMGu/6xdqbeq0/7a/U+6JvhYyWLkLsrzw2mlVRoIw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVUtpb0FmeUduNW9EdHJw + WEY0WllWdE8vRlVhODU1dUcxUnF3WE5mUG5vCnBQRlNkblNHbUFESXhvQ05YdGVW + UkhjdjdvclRmTk55UXRGRStXREFiVVkKLS0tIDlkMHhxVkxEK1BjV2orQUtndGc2 + Mk8rZm14SzFWTjJTanVXaE53UmViS28KQmnPfzLhgLasSuu1Aflp/JDWo1hqvYjb + BijruPUZ3NuoZ4Wuo56FLlTLrch051fI3ottzy85FfX3lRnWZ2IK8g== -----END AGE ENCRYPTED 
FILE----- - - recipient: age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j - enc: | + recipient: age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q + - enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWWM1WFdidkY4a2hLNm03 - TGdNNE9ZK2lvelhYQndTYy9sUzM4TkN5elRZClJwQU1qeCtwUlFzeVE2d0FSSCsz - WTdzQWZLYXpqUHcxc3VEWHZvNmZibU0KLS0tIElCTWdraXRLcHNHMjR2eDVxVCta - bHhVdFpOdDB0eUR5d2hhdWJlcmJDMjgKBbVkm7LNwnoUVrUF3NPI7d25b6tAIr1t - HelMjQU5YFM7DvRYFOlNpgO7WmddNSq3C6WYa8AZDGpsjc6GypcLVw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQSm9FZ1VmVWhadldRY0JU + c2R5d0tNMDV5U2tzbVorai91RTFyZFdUMWo0CmxLVUJYdVFUN296U3Q3MTJQM0JW + LzNTYlVVVitRYmk3azQ4VXBLWTZiZjQKLS0tIDhXdFZaK1BWVFp4M09jbk0zdGpF + dGxmUUZkQS9sMXZoeTJETGpvQW5VQ0EK9Y/trD7VhjQnqY+KryPfEv1J/D4NCWsx + CHv0R1ps6A0qoRJzS1UNxU5bLXDX1RGQiU/arhJ7LXFxHrNOdObsZQ== -----END AGE ENCRYPTED FILE----- - - recipient: age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22 - enc: | + recipient: age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j + - enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTmRaRXorMzBQZWwyNFp5 - VHdUUElyd1V2dUcvQ3k2STQ0d1QyMytsRG1BCm5CVCtRWU5FVmErQWl2N3Y4QTc1 - Mnh3K01QUnk2MGpSZk1NRVJWUlhFYWMKLS0tIEFOM0pMa3RVNUppS2xOakFVM1lR - cnlBL29XQVlsL1ZCenBIYTQ3S3JxQjQKq09vbn1XOC1jIXDpv+ThFMk9k7SyYknr - MBJRBp/0PrKBo/Xk+RCSWSLjgali5Cc8KTjDTJyBG8rFzzvLIazBRg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBreTY4bzJ3T1FHOVdhS05v + dG40VWdVeWRpamdqd2ttajFJUjdYVHB0ZXdVCmk0UUJuRHdsUnE3ZThNakpwY3po + b3dtWXNNSUlvbzVHcXVIclNlaVNub00KLS0tIEMwL2FYcEZ1dkZ5MFl0S3pWSWFJ + NGdXVXA4UGJIOTN4UnhoMjRYaTRNWXMKGJNomXuB5TqXZKWk3Ub/rEc69CrfYABw + bBBidbCQBrv7cnsvjsVpHHGaTwyP9Nk1ceF/gbv9fD9gZ7dwt3SA1A== -----END AGE ENCRYPTED FILE----- + recipient: age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrQWhjNHlDU0RKRmdKTzh0 + 
M3dhOGcrc1N5SnozMHhSQWNUdERPSjRrZ3lZClBpd1lrbXY5OEVnMVgwTGl4YmUw + bWpJR0Z6RDZubG9lS1BIVnEvMWhEdlkKLS0tIFhSbVFhVnZIN2xETXlWNlh3TVVG + N1VTSWN3SEU5U2Uxc2lRUmwwaWc0L1UKfPWAEs93dF10GZdlQt3yeDltk/9Djmuh + 3ZeGLgkOjcJPXO2hFQMZoJY7a2ZRIxN5Oa8PGwuy7DEtmQ9PdP/mbg== + -----END AGE ENCRYPTED FILE----- + recipient: age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp lastmodified: "2026-05-23T22:10:20Z" mac: ENC[AES256_GCM,data:JbnKG1qyAkvFDXr2iHu+gk7nRjedmm+dEK8vBFW5YzndWE4QKoYWeaqRHBk7wdWO9kpZgU2rFiu4Be+ikotoMS8jKAcd5wWSrWtSreaZxxiD2TWMWX8HwPtETnYe0rjrEZ3kPcUj4QPyNTphfbH3ARLjthedRXNF70NDc+DIpAY=,iv:4LN3oslWUWqoY3rQNVDSmlJn1o0c8JQELzsWd5btn7Y=,tag:c8X1q9XMMUkXed93j9C6ww==,type:str] pgp: - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAxK/JaB2/SdtAQ//VIMBtLL8lhncJeItw53fQW4Lia0hs84yuKLuSBucNXhy - x3LT5r21C5CZ+JnucrGPxur4clsLnDnng2CgyWhksJNknk6smQIq3ZhyBd/OJzS4 - zNGUJIbitJsDaKjTrYDCdsQ3KVcRBDMu3ow7vzeP4wnL4qU5fUuQ7S2rK6a1hfMB - eTQmn4wD/Rl+Q0AWEo2V/X8UgchwGPeuOXfju2t9+1UVE0kUJdXw/JIrGyR8XrYM - 6ZGXB3mPnlZTZjqhXVSFSSOUTRYu/0g+s/JuDLpgl8gVP+oDvSCPrB2pDNK+o2Oo - VbQbJMg6lMbIuewd0ZTTeCv/TFU9O51RtkFyxHIEW7dVelDrNkuciAG1mDUHFUUw - MHeWDjngeCzr1hj1Z78P1bvR7I2pqBQiWT+d/e50S5quNRVjtLVEjuU7r1eKiPDu - pL1lYJZZu5+uY1nWE4qeJiI1KambjP9/C+RUCF38yT1wNvxrbwsM9haXGbI3t2cU - X/RRpK5VKKKwbBqyQmkZX7xaDR13hLF2vLtdVw6L9nYVVactfnFr9HKDV95HUnhO - uevmzu+ShtAt9FMXz86dLYmBx90A2BSWxb6sKvZkG8UDY+vVT1K0gNK4kwxR9rKt - LFzCq1a3ftx3UvrNMCwaboGQZLpRtiKr0lNQvGLpH/SRDZ2HksinV16FNVuN74HS - XgG5HnRO9/lkL2Bn+ms7Q6+ki9QmC21FlLGJOBQIi+VHNVwy6J8XQlrs5NZPy6Ib - LmWIV6BdIRejCAITlVeBRBpXymdUBicPLa/VQMK2s9L3SS7MUcv+4j+vje9YR5M= - =IEFm + hQIMAxK/JaB2/SdtAQ//cayg/ELKtybgayA4z+xOUK10zQJDE/U43BcPRMrBN0+x + VLu/C96Eom/dJN62SM2QamThHu454HMZj1PjDynMUzgfVqXEg/eG45bBBweWrI65 + s0tuzLmsqpdt9TJ5t0znliL2DYS3MPfmYRNbAsYsCbQd4I0YpxdzQwTvURdzjpUG + nVBUfzfcYH1Yqq8BVtR40MKfa/DbOsJGENHtpkQ9UDAa3gwVQs0NyZRQzg5w364C + 
UvItYlU77ZCKPkyOQuciLn4sM5poihu3UNWp855QsDK6fZVuxPTS4Cn54cfwdOTe + rL/ZQjLcHJ7PRmZUiWR6GVNDrY55u7zhORD4b8BgrpWW4hhxpp/ENjnRmNt8jKR2 + dJ/5/uC4HBX0fM3mbfpUn19BxCk9+gFPmNUOUZ93UxpQ28l1lZxeiLBOHAw1srEs + 7ZfFrJ0osedPGHu8rVOe93DCAtb/oNxr1xvGuDK/licRkEh8t8cvuoVsVhYFjNBc + UKXIPrhvuSj69c3OiHa+u9fNZJX2XAi0oOcZqGp+sQCCgUCA15I5QiqTpalCSTKt + /Stoj9BsmlSiy8YD2XBjmzHHVxJHfl8XHcuONKc3e4UmVjKlzkzc0bI73Y6XiEvt + zRIUmWxfvAvqP/zPcMSwaZke5h7N7ywKcjM+RHB4NqRUVYlBNwIWXvi7f5BdLhrU + aAEJAhBcA//3NJxuDzlf1zoXGKOhGIwNv5/Qb1n13OKIT2s0nfbqEHgAUm+tX3gk + VKKMqFuVmq2mkAaxXWFq20VC6djTJJS1QOaNsc6x3bJ6iDtYV19Ddn/20jbmbqmn + XbCDvb50nubC + =ZByJ -----END PGP MESSAGE----- fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hQEMA1QflAioE8i3AQf7BB0RdJbe8Ro2Fv4Phw+VaR0rUIuQKWOb7zf3/9YCbV2w - rICGVIx7V1vJF5R5RgSfk0RDrLN3Pfoq/7Jfkq6bMoHIVCHSFdryHfjG5Dgm49Xv - gDZ2CPAHPn15mG0Rr/67YUWsC2Jy4y6/JY478wzYu4Og9IkxkeBd6ufBFB6bTn4H - qB7B2hfkyQzA66zoxc0r2O1mchbJ3A4pVJw0v2I/sWCiZoJQKmt8ksoEK8BAQCWC - E8sozb2opRzFaUCZSNEdhz/rnbV8u5wW378kd8kHSOlWxaFZNkWUP42YQiNTkd9/ - YpxxGvwCTIpHGAYFtU7CV7QfQHzTuAOz7ZElPZsYkdJeAZCwUFO24nzwpxYS43AV - 29IHXvlKAQkjJunix0bPGcE3D6T8CUs0wXL2sUSDcvgOOQZSezRn4UNEqFCftjJ4 - Gmldo/baMO2Y054/iA0jvNmHRk6sJCY8aRYv9m5Fqg== - =n7Qb + hQEMA1QflAioE8i3AQgAm+iazJdcOXiq08MvSGMQ9/NAvrgcDav4561Hew23n4Ms + tKC5VLXf3l1f6yjhBZy6mnslYOWWdJ+X4XK0OqWkRr/t7zxEK4M6PC6g1W5hkaFU + +9DrkBLKss8atz3EhexK6GeljTuRpVWM629BtvMPBo/41eyue78TLf81vCkbUJkC + UpeB4alsETvD9Oz0ZRT8fipuXzdpGSjobOIgQa9bKwFMXXGY2fwBuKW8gVtSgbXP + mKwqvGaSdHz30BxQExmLne5ERKHOvzac2woG5tOmKPaihg8pbvuq/VjS2K0mzS5q + cbwyq/u4d5fGEFQYqMARW1aiyo3NjYk4xWDcGo5Ql9JeAdwhj3Wgm1wccULt2Hj7 + z/V1utNINoB0bPFb8ZQMmPpwAeH6nnoqjWmmoRSW0tL/EaPh5xQXdEuU+DloT5f+ + k8c2KQC+v4bh6BMUcycAeIG/h4vKsgz/Jc6BWKKD2g== + =G51B -----END PGP MESSAGE----- fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7 - - created_at: "2026-05-20T02:08:49Z" + - created_at: 
"2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAz5uSgHG2iMJARAA4zyDJtNqK5w6QPYMyEtjuoAmva91yLA4oAU/diRpFXHx - D4UzksW8moYqmaiWblFy1HeQJFwZWrxnXeqg9B7PFOkhriIG7al4DpV2wXoCjami - DIkewGoeZjTbPNxsDVl0SbDafCARQFnQ8LNTmM2hi2X/ACg+c8mSM7eK6C3mh8yG - Bo2EsuCnIqzwzV6XbGCKnfOUh0QekWM7Jc/e3oYGSgCP2N5wb2PLVsW1220qdPvo - 8D1l5cDVj2Pgq7fnfbxZGJYSfdgJb1YweH8mjHk3gHU68AGeeSkV+VwcBGV2HObg - hKSbVWcyGAHrP1ppCNyXr5ZkBgyvdB/EjxjLqTLq7sdTnqjLLbMLgi9CCI0NuDMI - jfgMjOdaImjUvvr8lCl7dOMyp9wc6ks0bwRbfG3AMLGKWeR+un3uaDYujD0bQLqZ - m0g5mx1wHxNCJIb2ZQ6UVjDlnatTYGBnxEupqxr9PFyny0MRhaiYkuDIh4tHW3nH - xyCHN9QIO2/EktLkM4wcfhOeVgdpfvKgT+cMG9kS/yfInZ5ZAGvXznzvfNZZtKDL - fLvvF5AqYbN05c0h56WJa65tIT75P2wI6ZBncCSLqSAzyXWlZFV6UBP+5QLEkQaE - WtY8y2907OAx1v8g6vc5v5oHMqfwfWC4nuFbkoJo/ZbfvtDWq4eFZfkUKY3Au5LS - XgE/l6NTtWknF4nPYIRaibum4527ke053JdD/50eqfuRv8MFIHbRPfWE4lE6lgev - +/j0Ef9sYRu726Sv3wAgT7K6PmCFsLN1319OmjkZpBAJiNsxx9qwXyqgTpTvb34= - =Hr9J + hQIMAz5uSgHG2iMJAQ/+NjXRTghMiYErsXenuJRaWdwHZ+6DkkG8nC5b+Aigljgu + OJg5UQgYtX5W5T79uUuEh5BWKO5bMHBwDNHQC7Hn1FseYgrOxcoSYOsewlb8t2QH + fqGLLhv82nRnU0nTs8W/yvrBH/ub0kAtuko1jkPSAWnoonmeEW970iLVIF9lCVYJ + idF+DDSiic9RDpHd4Csuxdv+1Q8OcaOW1HVAUrfrKOvC17sawd1Cat2DWC8EcOVD + clNn6A91FBCTxVnxwM4j2J/NXP1JRIGnlxaa4lATQMiX8lfheu0LyEpsFZai55RC + dq20HWqPgYHiamp6eGQ+Uqe5edx6F5YX/25S2Jfrx4D5vRh0PFx6blY0kgZJp16a + ywNiMtLPh7HjOMbB1v7bcWtIDWrIhWDtyJ7axny8sMamCLCPOwPpPvdL/B5YOntm + +0wMXHXCLCaljzsa5GFIyVYj3pTY/6O0Fgkv+6ow08ndPjsViHNikufCSW0ueIFF + ehv0V2+AHhedoHChFZI/DEbGzIKVcr7JAA+GHAIWcklg7O5hss+/rr7nYxVB0A+t + Sfp5kVMInLpCPLRm2retun3zPF8+R0kN/ZrkLy02K7z4rrD8wVE5QUvSCWbpKdfS + deWIy4lp9wRXSunag1/CxqvrH3ZszlxSZPEQkC4hez+xOS//L/5QsiP52SavB9PS + XgHvkL3slXXsdnIgm3cYnHqEBf2rXLQR/ZTzusXMLEBaGCd9JB33T/Lz+TUftCUI + xxLwzFvm+dEvQ6bOB6/OvSMBIsvVzMZxaIblwZRdIYfQovEdKLCRc+F4lTqV8fE= + =1lXS -----END PGP MESSAGE----- fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP 
MESSAGE----- - hF4DsZXvxFXTXoQSAQdAp7TsXm2MaBAh0qB3eOjtFuegcEsmtdQHsMP0rs0N/m0w - bbbzXLwq1TGL82l5Qon4NnX9Jg5gXnKydWOiKWhxCsQ0iHJ7eupJLxyfDD/kzga+ - 0l4BRUpbBFslWWa8Fb7zfNA7kslhkaQIJAmN92Yh/2NdkpmNEpMMaIrx2p2jK4Iz - mwGUQlUz4ZkK10xy+9LMaAtmLhBJgBhDTKKzw7OAsRAnASq2gXA/4wqEVgBU9BxB - =tBBK + hF4DsZXvxFXTXoQSAQdAJAr+RX2f5gW5PpXJ/WA+1qMPFjuWuDccIk1ecWzc4kEw + sNH69jVC0JL7l5RMrJTAaY0GRTMrJffoz28JxpVbUVFEpeHsd+myGCcD1jZyS1MX + 0l4BllCKEsOVnEKKxOscOIctaIw8/MDNnLSoP04JI2xVKKThor+UwUhRzg+fVwxH + uEiHsx0xA/q0HVXhTNIvIWn0CKx/4uV8JwVa9JqjSSyQVm8PBwU+UTfXMQ5VcuHv + =uxSy -----END PGP MESSAGE----- fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DerEtaFuTeewSAQdAlBZhTjLL3YPqorSXq0jet/0CXmeZeLL8inGvm/HgmgIw - aplmjWHB80err0ffZeRfcvqx9DGujpwlgoFGDxjqn4LIqoNg6YK/VfFb9pXUvIOv - 0l4B9xQ4DlaYOX1egCQUBw3KcdcnNlcEZwTOwTKn0Hg3gXp0u3TYlJFZAchw2G+l - XJjlWiwJN2gKfEG7hrtZ7MJkYJFsqMFa1aC1oWHduxU4jmdRdQqdIaQDsqkcqJc3 - =KNVY + hF4DerEtaFuTeewSAQdA2k3VLlMvCocHQ1ULFwTJKqscSb2FScq8A2I1TIdlfXAw + jWLzGphdsfHuNBEsocoixm4nKAdhjgBsud2rfYkuwxpqX2MlBr6ikpN73dXlHtt2 + 0l4BkUvmqlioN961OV7nssbeQLzb49C9Gzm5S1dQqBQVCt/7qGodTHHiQON7bYJp + +OgUaI6bKZjd9Lhm/u98dTH2cdPm1B5bUQPDzptWX5vG8euzBQxXc7OrGsTFyYME + =e/rg -----END PGP MESSAGE----- fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAxjNhCKPP69fARAAhSBdgW04fKM8tAU8sC6h8/4e0Io3W/D2l6P7nZiD9WVR - 2pUqS12mlNCoRt1I2empyJ5vm1wjor34BCuSCiyfLQ1WIlBJlDro96ygpsHZGmam - tNcrgwc7y6rg4ycqUWr+H+WVZ0kw1IYYKbfAjMAJF5lQqzz+VMvET9BbmvA595MO - l/dnMColnjxxBiYBIzO7mnli+uqRHB79rM2VVlrqoT+C2s9zuPfpJfY0PJaCbbdg - BlffAMqs9m2JZdDr2r0lrN/jyLUB2d3l9NCcF6UYP6tjgZsKmHv/JxSgXLf6IklE - wolO04qgDRK7jeO2UGEniweVQNi7hqA4vkp2TskGbfVsS10PyLYKw4N19GedLS3c - ZxRGde42Fze/PrccWq8bGdOfWhPBo2/MEyqVW4lgTeCCwrFRO3UNyYcWo7cmaN1q - 
lz7uaV6ffqbUDJSkjkphvxnJtuX62x9Uv/wcwrJuZUarSNclQ0nQV/e5wc7SzPgM - B+GLeR4tnconDZGFq8q+KKuHe7MSx2uwiZsJIVXohcZwhkd9wk5YQBPc8i4aP0NQ - wsb+QptuM8VpCEVAwKOUjp7IRRfUyqAIlmIRDkTijmHknSmI9HZXPyCvTLoy1Szf - KDrN1MAma6b4gsru1fFnVizXQyZozl5RVZFP2Uv+ndugdvRE5sv5aevlzgaWFg3S - XgFqaFwId78UDNTrxcs4EzjHmlwg4E05G9pUqbA9zBDdCqwlD4+6CfAgQ46A6ptY - 5p2QQJ3KXgJXrtlJySq8piReyq3mpagtWZJfAazovJA/ZF4o/xs9ZIu/q3qxHSE= - =nR8y + hQIMAxjNhCKPP69fAQ//VLyOILC6lpvlq0W7NeYfUzL7KtKYXVDF7aSQ/b6Vn7Of + ggc9n40n6FkMJqknhbvSnhhlFdzVOCZkLy/hinNk+jF2POBlLbzBjCuzQSP+ZDyC + Dll2UJ/khITd+tQ4zwrFLpixr518Fgcj8NOgtljUovxR1bGIzYogpmiVFJEd0cT4 + k7ldv5WbZtB2UprhPPpNe+98BaUvuSvA9RWCogaBbuQpY2p3g9t9Zo58spOawbP4 + ccz7Pu03Esy3cenlnCt3G7gl19viIh+wHKrIXPa8dGO6TEsrRMPT0tNEs8iUJyDO + TNEgo6+yxQ2p+08EzAh0BCRwljqnPLjS/h2s2s208Z5rBOCpLY9RuoXz7JRvZ06p + gBgPFSIH12VBGjfqCB1uZIatbtLQLjOo6+UU0evM65WhKw3//tUnLrox1reoiRzO + ro4JuytP+f4PylQRsr3jOYKRKCBzoZOOPZbVEpwQeBOe9zzxDgVQqHgVDDZQzCcw + VTHCrs4XVHxPH0aRMlS4A80xbH7VncYbcbf8a6VrTpnPflv0OryWMWDqLBzmIPgM + W1Bz/hq/o6br+g4uAKjt4GTdTwWYxptA5L84aMoihpXRu0MaPhG+7MRsXpEa/+Ll + +ybl2DLpm6zm0iixkJuxwtOdQOGjqJqC/GLw/EZJTt2aO+ZUb8dLrChNmR7HJAjS + XgGBpFYao1AQqLZU3c+5B2/9/3rtOoVX1DQXhUsji5NkaHyYO8usauj9evPUf4qx + FAQRWua5/zp/cTlNWU3GknqtJ1G0g1mrkiVeBZCRxIK2Iyvyav7RALJ1jlkyW5c= + =meb0 -----END PGP MESSAGE----- fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA46L6MuPqfJqARAAjpM3MO83b2EUtzyZs66HWH6Kd60rl3QODTqs4PQm1cH5 - HdzfVJ2IDo1y+FMTMmfJov6xBqnlalNaOvg8XFAkKTUkZgUHRW/q1WXP4FywTWmP - aJV47x4dOQXQgj/i/ykMspUgsxA5049/nG1y06Wsm2agLO3KjL6KIJAx0LI28XPU - qA/NFtfNuEAv7DGS2LGz1+X1hnRYcBX/oUgpihzActWmMORD6VS7xZGcMdF2/+Ex - OCDAnwT0cBSAihBSLTmEMJ4xfmMG228nbLqm9r/gELgVIsIL5hXWz0CtxaewwLQQ - XFMm/ZV/G6bZKRJzKPOR9EcPMF7Z+nnBts9wKNlE+WA32p7zu7hjvEFZhLiDKYlN - +nFcx/rvyWB6sbFK0xn2x5MonxWNVUy58PnqGWmPi2VtXT1al1zSAoKAgg8Xdw21 - 
PQENtxqeUSLXXb0SZXFptMmYStwqoaFusLOCLW42DogFU246o14veDDtsS619T5G - RrszsNg543i3ra7MIm99YRXyniUaDp5VlKufPkWRexIT5YZYalOLtdLcaTTzfr7J - x4PNVOK2ddtmlKbbakvvmPWS3iBEUGMqw69dPhEdpY8yy7HJ2jpXX7TiezNqGJ9w - XqtI9RJmWrr0/zSoim0EpHDwXZhSf7YVcwTs0XCtwrXcQT6DLaZJr8cny/G1ErLS - XgEdnUqFpB1D0bacmRpfHA3PLZJd/x0QfwZ/b7gzz3f1xRfMXgnsM4iYu1S8+VAW - Dy21iVFZledWfrmuXh/PkLFftLipYK6tc0n922kFFxCn/xSP0yx9qKlNwzyduNI= - =4+Bv + hQIMA46L6MuPqfJqAQ/+NK0D10olgDK4KcArzoMtrJR7qwbrceSeKwaQGsUB1+RZ + xv6pZJ0zyw7McTuUV2I4bLYHy/TffSyJk5vLSSTGFXgHVdfKmjvm7VDEp5d2uKku + GW3Qh73quldfhd5GjO+F9V/S3rCysrNMpTmPnR5ha877FKGtc8168XRhIpe/1+mP + mvlE6h0Xizbx9myGR+ie17nHpoH+tjTtQFH640s38+xDgH6AozwWGUe/g5TdLaLJ + 8SKHyQnS8hOHQDkttvhWRbyhKa8WuGyOKSjuQ81HIv+/UPxh1fs7vovPHM8rtIyy + xGcWPzUeoKQiV2nyXUP3BqglhOhD1vokh3ejDcxwWWKuyASCSXhhvW7KMsV3Stdd + E3O1nyOi4+2I2E4TQo0NLt5mTJonPbvSn4IvV0LuatrG902UeNNZRRwQv3ZrVp6f + G2ZJ9HNSs+Tp9H8cJzBGjDBYjC6/d3GGWi7N/5G/n6C7T6W81BgO8UiQOleEDF1c + Bi6NPNeoGL8fivVGlGTHpLcpPpbYz+1ynsFs1ho4+v5bHS5w+UfvVvQC7dlDKmR0 + fUAkllcxLSnzKkpKis1HF+Gp+lSNc75/BzOeTA2gS3c8H9jMuncRolndPX1rVJA3 + mrLiQE/Mja9NaYHzUROKIHDEUOQ1ZzvpcRduggvfj6Gb2wzNdUdR5QrXnLeI2jbS + XgHO7Jr0HrHzr/+p+w89U+uH4b7onseYDiAjfLjAZpcYwkzuy7b2ZUmpLq1BjZRo + zs+rSqv4BP0Xa7LNIFrHj4OeL9ivwP7Kw/Tb36hU8DJ8xDfilx81n69Fer/cJ8Y= + =BNfm -----END PGP MESSAGE----- fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DQrf1tCqiJxoSAQdActtZQL4KWrCP8UUZa/fLeDltuNV9JjxTYiI9upoH12Qw - 6n8EBLgKKNw1Hsb40u9M5Ro7Xzbys7zwZsL5CxEgFGDBxthtcdaI/ykjU0W3poLE - 0l4BcMpLoCyxxwIn49GpFxHiv84Q9xhouSMmCTe2p3bn5zCRBnKsetVHtEti4iRF - sY9FipGcyiNHfkp8KsWeUxD/j1QUIkGODXt2RqYkO8ltA5QS3kUCPErmWYymEAEu - =RFaD + hF4DQrf1tCqiJxoSAQdA7az9ylWMB3fWHwSVRmU8Gu4Qnd6HIyMuiG46weuS/Cww + QMCknkfCG06HtMrOcroNigaj7G6FEvDm64sUkpW/ggWkHUUEMuwi5jcKIdx7XdbJ + 0l4BDGUF81uOghQUq/JqDtiYPD8IzRHMXbJmXiO+4y6DE5b1t99wBUt3C5K5H91D + 
U3blcYO6GROPSkVp8ZIzfnWLvyVoWInd1ZiRs19n9MN6Yf8uWfx9/3xvN2kKQyvj + =4X+A -----END PGP MESSAGE----- fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DzAGzViGx4qcSAQdAoNdta1fDVjzrPWeSfKrmslkoFi86I2nWplPOli/gFXsw - 2Cx+wmejLlc61RE5sqAaQJc+0ctRezwXzBJbkuqznZ2jWPCK2A1EQ7r3Q7USCCca - 0lgB6XOo0ByOj/W4TrrGn7VmwLvEqIiWCt5zk4BEUSVc62Ffv48dcwL3hsB3HlRw - 6FXyR+2zwyEU5fuddFO4nMi8AXB6cfU6F4ugFgwn92lCgTom7IULY1D7 - =Czq/ + hF4DzAGzViGx4qcSAQdA/+jZ9/0jHioWKE2TK24OFDKjJ8futm2TP8z6Xat3uxww + DGwSznxagIkVgdTNKqAWmzGvOum8xDBqzP232CM8B/oxmwIjuIV8+FXtJuFHA/4b + 0lgBN9loSuX5uL5O4uWzPulEhqjFElrWRZXLHZn7uIWipW/7mP8CGu02wwV/lme5 + jvtJ6EjgopmHrxyaJqRk+e65gxBYKvxTQ1H1iETCUq8lOnxSBZVY5m5K + =7H6g -----END PGP MESSAGE----- fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA2pVdGTIrZI+AQ/7B7h5br3PMgum71smOTJMBfl4OaxkQAirJeG/z2fjqbAG - l9q62H1cutGKS/IYOFLE0OQaRwmHtkdTkrdmf9yIuAktcdAGAeqwnYW3LwM3t7U1 - nfZRJH5Hi4xcSVVaWHn5mX0QpxzrCye1EIjHvPRx6/bWHD5sW9qnkZAlAvEJS3/K - jdyBLLlK8AITpsX4eeVnmVLZBjbVEXPlXfFCh9PFyqrl+iyBBY9bO2aMzWldbQIr - j1551Xe1wKAOn5SJTg2Mrm5ehBKfH53HY6ubCy9acbv5ZTe6JuStseWordtRNNXY - 9eVmR3MRVoFWgK4Ccb9Qq8l+uEHRuQfG9K7dSnxQIJpHCOAQO9oi3/ykDt9Vgvo6 - WKPpvyuJpWc5Tn+WF1qhz5wDTRX6XY+cUoHkUqZXG0qMTIfMLIAFZ6MuslHU9f6J - PlY0FTnwp5/v9rK/rjXZkfIxKjQtSWZwkZCszZ0WtNVuaY3KO6KYrd9rolFFYjqn - I2xFGnTNZwh3tjG/3INoMwilOkIUNXr18k6FsPqVCAhj1Oo0iNxb3j+3pGJsH9iN - ciTLeM8MsFW9MYXG23i65a5WVXi8hMTcyqCy9GyxLeFprt2DaH2HaBahF3RIWPop - KTNsvW1aawy+lDUyr4mBy9F0TA8Z1/db3l950Gtuz5s9/7D6bbmRn72O++W1RD3S - XgE3QuksqaIh7ZGt8tVPREEHpBWmPCskh35vLoqeO1QxGxzJcjrcuNeHtOH44EEj - mHzYUydn0e1jwKZkATG23DiBCyMpcNAWmsMH45wmk0fgNLdQhuslhKLqOUDLpN0= - =Ygd+ + hQIMA2pVdGTIrZI+AQ//aZjaPgcAM6RSG6QCnYJgn8EDEhG7HDvXmb58G7VfxArr + m+K4Hc3hW0Hh/c7/bzu2QWniN1ie4apqFSvQmAIJ3zQZSyOsqhzvbmyTFRAyzpzO + 
lOAo/s0xMu8s5V055vC2KWnKuqb9+WtWgJPotkpOf7wQM3aqtvXKFnPa74ihjXdt + uuopRsOsZPiG8MLcqkCrTy+pd1PywrqwjKeva+mfgbM8zpypw4kwLwrljsxCThkZ + To4dH+K8oesvSeyVOKWtAwnjQsPa3Zn5CFWXNwPnn2kpjyMoNRo07xuRkfHYI4L/ + 7D8zz07XdN47kJbEj2BYjChURtbxkFbAxq+IUDgbNDW+M7VQCKZW+vOFjwmFJAlT + CCco2I3lmrVX1j9BTMRr/3aQNbY/OzOxk0qjYZGnPqV1bH4IazaDFUB8pOdmit2t + KBzDt1L26V0Ek1CpOp1dcJxneITXX1j5IqjMbl0TzyoJ9CxsSaOWfZ6XsBBSXZNZ + VnDENbBAOGcJgatjmC2qH5FCNio7vMRRncX5j82sytDRWbj/7XHENFpfXyGPIuYg + AaHyxSVegFCeRUHpzXo+qeFpNFR4407v+otVaEdxbfj6MQfMZ7tDUOde+97NNRow + tAMUOAN9yhGuEPMPr4stQUz4lHseGMX3VdpJH8UQH+BxVdJhzKg0H/+6bAmnRi/U + aAEJAhAi7DZdrKpPPkDijPKnXCPJB+IzdAJdOCsnIhZFzaiDUo+RLvP9bEpoqv4m + ZFMtiF7P7bXyeNIObCCsgKhdX0thXI9lZvv7k9M4lAbFhPS9vlmDwf25t2Nm9Um8 + 2tbINg+K23jp + =syE6 -----END PGP MESSAGE----- fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DKKbvh61jX5USAQdA8qtjYHoUe+GUdy3obbF+pNmvfuKQUqkMHa6V5ZXOpXAw - M/kx52Vu5xOdynB3NMBXsfTVH7KXh0f06HcehTREOkhlwVMYPcvDQQdzgJ3Xodpc - 0l4BdYtmbmk9ETTqr+wXvf+6BMYIuvyhsLLSqyWyCxJv7blQYsxsc3EAHZ4LB0ZS - /lw6gQ5lmQyvVt9PQZayt6Iku0+WMJcgrf9xykOAm3N2QrtUnr4jHV3FydvTiUwR - =snV0 + hF4DKKbvh61jX5USAQdAHw+hxKofus/fR32ThZOHfkL+8TIPvWeYnTYe5UUCC1ww + AtCE+MfZvMgRx7gUpVPcdWtch6nlFzun+r84QfPopFk4S824JFEkK8jG0scYCpy3 + 1GgBCQIQm+g/LWX0T3Do0NXrRGIuw0fiKrQiOpEhbO6a6ez/pES0zKKBdlH+scQl + +nLZoz6Mw5mkwhY6zIKsrikuQ/+sciO2fIq9tI4MR6cvD5gmVrGEjIyOZ4xgl3X9 + nX6OVR9w8cR7rA== + =voeW -----END PGP MESSAGE----- fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49 unencrypted_suffix: _unencrypted diff --git a/inventories/z9/host_vars/z9-router.sops.yaml b/inventories/z9/host_vars/z9-router.sops.yaml index 89f18e1..33bd3c8 100644 --- a/inventories/z9/host_vars/z9-router.sops.yaml +++ b/inventories/z9/host_vars/z9-router.sops.yaml 
@@ -1,3 +1,4 @@ +ansible_pull__age_private_key: ENC[AES256_GCM,data:TlMDo9sUTYznxKOGityGLexk54mM7LU9+U4ln0YYhO5fhXXmwvySxyMLHlaKzSlpU2/mRRy/0v7AIOuRVZx5XqV8X2JJsv3/NeY=,iv:r66g2UQ663KvWyAISitbHBRaLBlJ0gB2g/TW9JiL0Ls=,tag:VEq3Fqj+t40uBo9g4Icfew==,type:str] secrets__secrets: - name: ENC[AES256_GCM,data:gt9BarzsfE/GJ5gQeelgePquW6KAgE3Exv4=,iv:IPpUQI+zkf8O+ej+ZxLFyWUOrxGGlZvmDRG0ut2cNsA=,tag:GP66MvcKyCqyKV814+uMYg==,type:str] content: ENC[AES256_GCM,data:2ljp324rAsF2zk2631TI7bV1xKxdFr4u4NxrsPYnjWsL0PX0n0KhJ1qvJCs=,iv:0+DxsTTiNLOg5iH83bFT/d+0uW2rn6bATSm3xc5PEdE=,tag:XbBDrrjriXPedyT4+sBBwA==,type:str] 
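Review bot: The `ansible_pull__age_private_key` entry commits a long-lived decryption key to git history; SOPS encryption does not change the fact that it can never be purged, so if any PGP or age recipient of this file is ever compromised the key has to be treated as burned, which for age means removing its recipient from `.sops.yaml` and re-encrypting every file that lists it. If the age recipient added to this file's sops metadata in the next hunk is the public half of this same key, the host can only decrypt this file once it already holds the key, so this entry cannot be the bootstrap path and the PGP recipients become the de-facto recovery route. I cannot confirm that pairing from the ciphertext; please verify against the ansible_pull role and document, next to wherever the key is consumed, how it first reaches the host and how rotation is expected to work, e.g. `# bootstrap: copied out-of-band on first provisioning; rotation requires re-encrypting all sops files that list this recipient`.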
@@ -18,180 +19,190 @@ secrets__secrets: - name: ENC[AES256_GCM,data:ERsggezMBbs1YwbIgwzKSAEHWWOWYxap8IDdn2YtEKvZexqu,iv:XbObLp2QERgt57tc/Cpha1CWXi+GttcIU8hJFGSp8e8=,tag:FqCuSbvLRERpVnQTzQsfpQ==,type:str] content: ENC[AES256_GCM,data:QPoZA71CwE8EFE0I+6z0z0O1bUCMQDDDG7wGNoxXKt3ovLkFt21r8WG7VhA=,iv:InX6A71f3DGTg1wO4G0ECf488+FnKgTHffVwvJ9hHQ0=,tag:EVxwJlneN1CbMLXto7uLFw==,type:str] sops: - lastmodified: "2026-05-25T16:29:22Z" - mac: ENC[AES256_GCM,data:zxtV1xgjQuKNMvh6S8oAOxX5J6+iBRO6k3vGw3vWNlhah4Gu3S/lt+5v8lQHogz1Vyc+Zff0yMj1cn6RstDDj5AuOCljRQN0FYs0fjCo4Yrxx5sMMwcwBYquC77skEiZhRnqdXKkjiOM7EGE8qj8O3DJ29borIjm5NAsflH/qkA=,iv:7EUElg+gu8mk2Gq32JQMTf+A1+ZhZufoqt5bk4+Ca1E=,tag:XG+F/zlXizsc2B8THoXj4g==,type:str] + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxallVTFdueHBucXBVNzIx + cENqanlOOUticExzVnlERS90b2hWQ2VldUE4Cm9SVmhZejVzanRDTkJhQzhwM3BM + MGcwTEZ4YVQvdjc3clBHei93VEN5SkkKLS0tIGI3KzRPbjlNTFFBL2huYlZSVTZh + OVdXYVRkVVJwbVltSHBXRktIY3BYL2sKe+eqKzYeCUWx0KmT0+aM+TwWRj+P0Ecp + tnFHmQgnEPypIhVvZtzL7i64kL6sHizTmNhbw+hlnCztvsdEV5T0cw== + -----END AGE ENCRYPTED FILE----- + recipient: age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp + lastmodified: "2026-05-25T17:15:30Z" + mac: ENC[AES256_GCM,data:IW9eN5H2J5cnXUHlK2aD+yd2ORx+weSFKBGWd7pIolFb5txg0WlGVp8UpD4h+Tv0SJ9NkQOT6KpcXDez/L7r7xNYtmgf7AdrdGpy3IOkEYzHJ+oHUMd/aL+h5w6/RahrpxlPSrNKAC+AfpY+l0iodwQ09iuLp4YXFxRaRDGpGZw=,iv:6M7RkDN9D9Zlyq1MCRoiT4f1bd6OBZNg+C65oEuSWn4=,tag:wRsq4lt4mHVyY6ruGkYNKQ==,type:str] pgp: - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAxK/JaB2/SdtAQ//bbr0oza/X6GG43ay9coZbb+0aptj3pGzQqT1ND6nsI34 - iY3IZaMZIti+j/BS5kEfmRn56WZSx6EcbSrlbiyL5NZw9R4/bGRd848rOLwMvuYO - 8Usei9jHdpHiPvKBZnZXaXGU8E27L0Y/LCxSIFOXbyHzHogjz3JmtJQsYpSC+ue6 - mIRrSAJPALrqEL+DZ2bl5UYlBIRXdtIe/jL1CFCJhULt+EjJw72T62DZK/jaNZTj - eint63+IFZSxx5e5vrAeQB+p2EDsp6c5NbDrlgQWb8/J1q/G5bG4KxBs/0hum7OW - 
/sSsIDb4Qb8U/axt5LduV6AkMXXsclNLQU/LbFAbBRcV8Lvh11f0U3V/UnqUdmvp - efesb5VQh1x0uWjzobxaioLEV/YYbWx8binvuJ3MBHKp6E2xj7IrBTVl0MWgjEou - ZbQDF8DvxA49xEnJyOviL2/zjnV1kXy+Q+BKZga3pr8AnBHA8Ftbsvmk6CyDEM0R - i4FAUOVa9VWiszoOaqyn1Fl02YlweFmgzuFjd3wi74Tbi6RE37rN/vBKySbnRQYl - rFUU3SQlztxd4UBAXBo6gQKTz5B4rehvKVye2mmqEE9bas/lCWAKVJ7+3+0NQdA2 - lp/X7h7DRSD2Qkd35SzxkJz7P86rd0LM1aOu87psxYavEWw6vFs2ErDkSeqDn1DU - aAEJAhDb1s+jpDUa3GvVZjoiiCyutI018jfJU1vi12PGktg4KJcXBx66R/nLItO2 - ba6o66scIiAJZ+jYymW6RbJTI7XRHJp4Cs8COhpMRQeOGwEHFGGL2rpGd3KrOLQe - 0/C6EmrJvGpl - =atNE + hQIMAxK/JaB2/SdtARAAlyJLMDlT4FLpMKaC3ygn1cfA2390Dz24lzKlHmwl5GgE + yS9bdTGMpcM8zPOQoqaoy/my3kgx2/U3q7WiCTMdUyYePAWuJFh8ZRZjw/hPpv6n + GwYgK3M2C1I9++zmZD5LlR4TaTTpr99+hctYrrp79QJddgozUzAQ44g7WvDm5VhI + bb2UVSo0MpWvLEMXHqH9YZcjkQyVg/DL+IaU1rM9pmpZxoN7+0jQY4ci1ZeHVo9e + DbYcjMazBLakjZxxdtHrqx3DjZgbYCancMy/dUKVuvDF/lN35WWSxslv14BNHljL + +/9YBDRgIr11x9j1hq241UwBW+6mSFxWF3qQ5esdR5xlLEqbm27PYGtqC4LIdzRX + ZUvdujuQ2PHCYJY/jKWSf0cdfXKEGorc1ZGOV9FNq9L+aKvfmRLWfzX4D0Hp47H2 + d3itVuA9KYOdzmk6O+8FZv/VK1042L90tOPJhrtE287KhcJ2CvfT/Az4Qot8xg3c + tXmO3cWQpigXxJPfKRPjmmLJ9nq0BnBXj5ngkVz7d8R3FR1J/+TWG0F1VU7YeW2+ + Z04RAbbKf36xUTqnaV34EDum4QLLdTMra6fPYPy0KiQYIKDcRSdHeM/hEs7JXP1c + zbUX4xuBOXl7kWYR0e3MUTzxYiQBr9BvSDY+7sGQCb+fPw+AKvFxig1grjsnZvPU + ZgEJAhAUE/ebqBa2nGimcAPn3PfeihehcmjLg7HmyWBPkHHMt/TIOztjkbGiQSC/ + jBP+rhjmFxm0WKUGM4dkh14JkMgz7DZ9fozzLfo8zN8beuSDDzX1BndTIMBQJj8P + Q/rk1NL6pg== + =UXJ9 -----END PGP MESSAGE----- fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hQEMA1QflAioE8i3AQf+NkUGCBrTCkkyl+iBb6P1IWLDGqAY8s20mBZ7G3plKE/J - UrIe947letj/8EA+yoN0uzjwEkh3rDLtZrOLTSgflq1GMpdVhdaTbS71fD3kghJQ - P9tz0zDQEgXHBi+2q7iRrEETx/cu7UDNkSCNvQbWvDmo8MfbSBy+VFCknfupdQxj - 9hlq4kBA0pckPCY8V7E05nDhQntS8wpXIEO1SWiSuiGg+p4yFlvNzWNfhLyEFHxL - BZHVVIU/mzyClMajjLJWjKI1LSgHXXIa28tgdrtiBZOsF+CWveYqJlRJh9NUepJI - 
ZSeFNhyWmnS9ZkQu5BUyb7+oRxfq2NY51T76Xbo8gNJeAZWwyr1sj1wjubuVeNMF - aU6FiynYWr3I35JRVghTMJ93CnPl+NTpWnQuHpq1bzEGe2u8BMFhgrTu2yMD23VQ - eGien6SqfEbA/wAiz9ZaUgTQH8UyHpliteZ8/SQgkw== - =UJvq + hQEMA1QflAioE8i3AQgAg+PBxAqWTfRhxP7GxDfQBPK3d52zshP9xhutqANzszhs + nbo3nHWj/vjvHlEuD+Rr/lr9qxsE3qS4ON7FG929RoB1YFHJnQl29Xym2Q34T0Hy + Ih3dibykm0t/NE+fuxsU4iU0imtjqhqA6P0+8FNF3UeCg60brcqlrBTXM9jFqlZ2 + 9nuvk75HkM1FoHiKx837qAd+RjNNO7xKUpn+EX0l0l9tScuPqUkWNQxLrbHrcO5M + bcEC1syZHQKCiucsesS1pJ7TFWOJsnamZyaqhzANGwWdhYwGQv37bWKr6dYTCy3q + rsT2NxQK4/N9CxmP6xWeAZbX00BDhNMfEQVtTlYLgdJcAS433Hiw+DSEwGu2zvTa + pHtQlGlaoOZemNnthw0NO6JQWGhz6Bx5QqYmbrshtVKNPh87vNVV0HhL/fQ7qwLp + uCgnMi3P59r8EKDZqTSp0YGfE2bx2hpBDnyJ42A= + =rOz4 -----END PGP MESSAGE----- fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7 - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAz5uSgHG2iMJAQ/+O5JOJfDp/BuBCuXDQVUgJagspQO6LZ/MLrl9qH282AMf - MdgN5M/WjbOv6WZDCMg4nfXps1XgzUEiaA/1m4PxHlMmxjEoQHAE51GMcxsXg+B1 - lM+8uJ1+js1sdDX4xsZtJpbVxJKIbPuhF7oM950oDlL2+UKhUbPlCoxeOihlkVGa - RqHJ/M74xkyKH281oRI5bllJaAroBnXVSFIvbCxA7ts/O7YJPKBowTIj62Kye9Ra - aHC11bPy2RlJCcFZJjPSdnXvzUMpfzEd6O72VUtMBBQZn/in7efutC8FwpRYuUW7 - vSofxUN5n6Mtb8A1XSMFD/nfXVc/pM6Cu7kdtHSwSKgbKKf6mrCeVgaM9xcG0t2W - 9yEtWvkdvOOSqz/vd1vkftbBWcCejX7bktfmD408CJAs1bjzz5CyrDoWcnYmbxFY - 6N4rhMDRMTe19VH2UQ4EvSjQjmmYCspnUW3/78zi5kU1ijyQy13UpbgwulU7tSGc - KKtBjPoy6mLIVl0YhnEJZWD/XPIRWyW+0s+7m70YXCWSVipvCelEE8oPWjf8PLaE - J85crlZGkSRcRO7yOP/YtB9ZnajgaF33zJU3ZWr0C/IXj2TeepZp/JUteD2H/LRf - 9YJzOFYDOFIWcdmaTzJLBEaefWcDjT6wkIf6TBqQRMLsu8JUwy9VwFcsi/d5aMXS - XgEQqSxYb1B39OR0sS1Xpw0/CFe4imBPuG3w0tOAyM3DbPWYY1kZYIRZenV1ZIOS - aRZJh086kuWgHYB76VoNzDK3QperWvHL/8CT2g3HuPiVGSrrXwxCYXk5+UXB9bQ= - =Xx91 + hQIMAz5uSgHG2iMJAQ/7BOewbq1xQgTOruTFebugbSrodtfUlIDpCez+FZMw3Gos + uwfp6jslBKXHidsA39CRktJ40EYqygmBgcxGTvHGC94VwSl7OfCjHsyfD/93L358 + XsjpTHXBO/mOjQmJ2smhZx+q+iMLpJnq2QA8mGUI5uzPTjXD19sD9QdYdHF2p8D6 + 
mdpVWED2gRf/sDoN+y3c/iZvMTN2HeDCx5d/wIgl3mmoHLvWRO8pNBV3EUg3ZBiv + fc0Y7m/0KOqW1itE4yg9IoPBWJg2jYSZTkRnQMPEkKEEHNtbx6dq5tLOYUIIwOwC + 5JlL76BRoaul6ousBSHV8OWCAvS2N8OC+l0ATzk99p/h4zY7PCG7NhkKAOgYfWFa + /z5u6J6TMrmeLZjknFXepuVAzNmDU0CmuhMwZankGKq6lmsQQnHvdq8+ExGGWhfK + m6I8nPvG654md9H7Y3HusHa6y1rkf9gZp1UFzhvXQgZdvc7K5pJrhxjGUnEg6sS0 + m4daDRuNLW32PXiwoWTtTJfOQFv0t1f1eEKI9DO/O8/4fNtIvmI/8HDcdF1XzDnt + lGnyD9cZ5jKsKjGrT9DcvJhyTGWDFeBDTY+rlt52E8NbrzWUjX4J7Gyz8QRY9j7m + wRi4uaVt5KBmB8Ibo2bMTUXU3Db/0p8nCAg/89D1fP6FF4izg3GU4oD3vJyl81XS + XAH8tGT9wbjXuhomyhqemDYb0QdTRfpAznm4AS36qbeU/Tvj4M+Nm64qLpj7FFtK + aeDas4lzgeQf6/cdd5ItLlRHhlBOJEmjHVzRR4npabCWZojP8PTac1IlBgvS + =OH/y -----END PGP MESSAGE----- fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DsZXvxFXTXoQSAQdA0rZTVdySF9nUiz7ZyFJgq1tojyLojGTgE4UIEJzFSTUw - 9y4kbGn1cWMpAqr+sE3WHV9p7v6kgm/XdUjXGN4DadpUbiYx6sQW2Jov6Km2EYhq - 0l4BawupjX25wi7c2yR5iGdxYS8oCYVmGgcAB3T96v8VsXpkAOYQAOOh7B9GQIxm - hB3cFQLCy2un3VvBsiKGFMA2FhZYBOuaEwP/KmWnPv0IPIRH4by6LDB0xgq8MUNz - =xoVE + hF4DsZXvxFXTXoQSAQdAIjnFVslIKlmP0X12z6AdWNqxkpVBDFvf03ToWQEQv3Uw + 8ka0OYl32rH6UiiSE1Vve1wZ/iVvK9/il6UhTpeAt8bIiCq6gEGR9Ba5NJnm6rSG + 0lwBwzEtaARPJbbcWu7Jl+dAQ0quP6uVS55OYBuSannlaPrQ5qBuS14AtuQ3UEVz + EbcLJ0b4lGL7hgyAf2E6nuDTkPGPChAJ5H5DfrB74ZB30GcYBTzwj13+jWx/VQ== + =Hxuh -----END PGP MESSAGE----- fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DerEtaFuTeewSAQdAgcGcZ3BT6lsJ8FxkMghxg5/PZLtIzNeJaEUbxN0EFhsw - uM+Lec3k9BJSUJK8GeVmesYxQh8vP6Yi/+m2LnGjHXzkQg8Bx1HJzuC/Ap36rC6N - 0l4Bxj1URTsRD4yILEA3TY4Dn9St9uOtodJcf5YdAKvmeb3Uwy//huNnA1eK7b+v - WRHcU2K+GgkSzLiRLZTc/nMrrCQ/P5HzwYHmP2rypFX7kxXlPd3K6yMZWTiSgYZd - =gZLQ + hF4DerEtaFuTeewSAQdANsYlCeGhhqmBgnqcSuNdQBUwYKpucDrb6aR9Siyukjww + 
72Gin/635k9bYXwknA1rPyTMvG00giQgjUr/QK6PSD/eGi0QOtMZLj1JRi8f5EU+ + 0lwB+MIM9+EEzHJ96ouzL3bu0e++NvRY1Qjyx1Xi43bM96eBeLZ5DAc1eTSdWizQ + EWTorcmXffkdfOQx1zrlGZo/qvfj5F706VcwX4aZwok/ASRmSeCfEXLgGLCwqQ== + =ccBm -----END PGP MESSAGE----- fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAxjNhCKPP69fAQ//YGOLOFtORNbOu+KFCtGcJBXQMy6Ej3/tePVuDi2vmqLD - 3Dz6stB9D+BmBbcgbFlDA+g7Vi6DD+zcze9wM10iuc9t9ucAuQ7B/ymSvJc4MrYn - MJFvQv5IYgWJmzXLYEFYYpmZPGG3hSHSgWIPs+574wEA/L867ktguW6ZD3ZuMn3E - yjCTeT/ZkGjuIpGqMu2/o9Wvc+RYgWlCB69D8kTHtnbFzbqEzvKU5/zte5ThchA+ - QZwFd/gk3o1G/7WOYJJ6CbBSOQaSrfm0mnb6sppNPdOAQtqHVSFVX5vX96gXsht/ - AkrvD6/2R5eNzbqRaU83cg7c5far49xoBbL6czreWY3D56yK4BJbrrg9mK7oCEfO - GaRDFFD7R4LJPfVx2xDoIQ3Hyp4E3dz4nyJx0Kg7NSEt7soOb5MnZ+04LLAiHbaT - qZr618V530uw3qaCsYcgHy+WsZXXlqXQey3A7jphi3u9Kvn9UjeegjNvpOrMk6g1 - RhGzv72G0wjZnzjTjPlzeROHaQ6RPgfpkZjEcVZNZkfAgAbB3XPgCFGKz4qvx9MP - 4eHIlBSJizLzSi519o+0i5PwrZdEf9L4RUVxgQgdJXMh1JaydVh5DOU+xomdStD5 - Maymkt8fSgYgDaS953YA2e04PrkXCH0EHZ62T9EMxreEoU3nYTmw/TGx7RfU+wzS - XgEuQkLWSToJ40/Ir3obDA246yv7J2FpmPwG4oFypkM5xe1WjlMlk90b9RBhUgXk - ylRXXLBzau6mtbPOa7LGdVyVs2DClWQo9BoK+dxEsnW+TR144O4UmZEfifJXvgQ= - =ympd + hQIMAxjNhCKPP69fAQ/+IRYUQhf7zzIZy3AKAtQgyMKRINOUUqOEv6IKmNQaaQP7 + K5JXnVi2gjgBuG+2gH9iCEimIggnWxFhHerfOps+NkAI6y7kFz5hnMtOY2Qf3vxT + Hoyq4l6Yn+gG1HSLozVr9dTQPjyGOKJkm36ZKpM7gqSuLNP2ijKARzay4Chg3i+p + E1TVTVoEczrPdLg3O2fd5mi2UT1k3E4QREti0k6K4juMWqMz+5iJ5X98qCdmE1eX + L5dmW0QSUChzBVw+7NEcxeNx5WsbhWgPA5m2+bng3V8tHqAwrRUCoxn2+yabnsZB + Z0Z7TgcLk0Xnezw+BkT3bOsKgv+atE5lm2rBiRUHRDR3S04j0Ju6fJHf24CNy5ES + xMF7BE23SgmqUq0BrvdJB0ToNKYGMM0C5Xg4vGRiE61+18TiFIeC3mF9suvFFKc+ + houq6Cy7q3O5PEqEbu6t5vXAZHwL9Th+ZatIIe9jSToiZiLEOIEmiYptR009/OWq + v6ADzaAE6+i6HZ62xBYQuZFkiUrRKxYzTHFn0A10QUJrJgbWr8QjS76oKi8feEDC + BJAOwE/0aK+l46hI6mlh6rgeSy8XdOPLEnL4+1HjlshhTTiW1rE2cr0ZiTTA6UFX + 
UhABIUi6jiLnM13L+auulU1UZQ8wxp73okrcuu6g2bPT/l7zO9YNOCocWVPQa5vS + XAH7qrW533ttg2XAczCdALMulV2N5GHl7TbgRQBkdoBAKL+6oKfxbOZeQM2nrfZT + arytZbnjgCcy5ygnjeziRvWwLk7sysEpAQqQNRm50m2Cq+2ccedRP6zFzUhc + =4hCA -----END PGP MESSAGE----- fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA46L6MuPqfJqARAAshm2x7wX/9g3XJtSN0AnSeCwSHO1I4+ebLKOsB7zcXh8 - hrVO3694jQcU9L01H7jGYw4lNNzBd61/uVE5AvMq4Sqn9iH3MFNESbAEOWVV+TRf - 53JMg9C/aZfde8gHgHPaiVXlCBVEVY9CqHpUXUKDmEE7iRb5P4DuMxOmybDYZGzY - 4c5Ke1MFMkGRmAtsT1qLrT2vh+F0CX4JwpMkxCmOzSWAXbwrVOigJ35l5zM6vme4 - 5EQu9jI8FApTxVchZbr0v3UOKxp5OebqC0jGeznZNf4qb0qnsvuowY6IIw5Tl3/q - H4TLq5EUOVqTC1voIWY/gMjieiW1gtr6vASy4MvbswsZLc26YVE9IbHzAOUWDN2o - f2iQ3aZYuINvniD23XtM0TKepDXWq5eF+AJpmyP/LL8sYvSnWFD+muK3O657djEu - yGZs2EFTrkiUvhBq3apOOYiU0eOi4Aq6UeEbOsLENnQrBRXuHEm4KUSwzOitVwJ1 - ByxQTu7wzY727SOR2hzjMC0LI602WGpEQU7ech5L4uWqtMFwaBP9HnUamcofKqqt - 1vI2BevsJfQ0rtTE6GWseHt702lllTGe3RnHWc6YsMWLwUfRdBPggMW37hAPPcfO - ytbU3RJIxx4vImRtXhkI5yvbpFQrooz1zSeXWaitPE5jmmiKe9IRStLnfiq9E2TS - XgFVuQM8K0LgUYEoAipvafhnC3ohfGsM2AYd36EoaMNLeQ2ZZEiV06/Y3EWoI0iM - aqRLwyBvTuDOc5BK32nCbAgUbbPJjPhqWaoNp5ymCBV76oW613gApkzoUF+OIUU= - =KKaI + hQIMA46L6MuPqfJqAQ/9G5pRNmw775xCYA+foCx9rM7eLXJFl2DjaI3a/O0yVc6t + 32xtPuaHwTnP00Pbbo5Vc9QG7k0Fr3Rgy+ep1lGzeCMoHwF9xk98LspDtYZoKopE + 6/L6KLldSauRv0rPVhCQHpZFsnx1VxaJiXn9vAW17+imC9SgqLYGWyrxAtLCOOqH + N68RnTsEDquXixEs82ao0EmQXPquimJgSx+xVSF4yitYYLLLHyUL+drMNuVb9q9Y + oAIdEL1svDIieTbTKGQUqZ8Alf8f/0cqPWpEkDwYIyB/i9KDkH5Oj7uBBRtVLGxQ + VxE32wO1xpXvKgUY2PhWD2rOBVDG8dW/hyqvc1WgIeo1A6FTq34b5dGC2lmTRngB + 9mBjUd59zeOvdXLmoGwXgbjVhpgnm/5wlUeiIC3xR9MjW3znRBT6ujCaglpAdXBC + 0AIugssGcuXbP9Tj5zMVlbdi2dj6Ylc8S1Tj/OjwxHCCj6AWRqpxN5vY28RiLFGy + +eAsryzPk6UTCPIydiWwsrP+w8EhbllFxzZM+Sn+fshAHdRug+EeyT3h5V5JF+Ko + BZCrZkwYqAcVkJjEYlukjvxVFvo+T6tRMz4F4yNgjqFjneUaeLCc6RllaT696H0Y + 
8+lw5rK+XpcXBZqso6vsLChRdZQJjoj9lkjRDbmhOkaRglikC6Cx+mpY1/XnGvDS + XAFWOuNKjN/xIRtaDc6tmeWsKkuqghjHiMeRqw10/kTBjniMLLJIN9ssj4HjYqC3 + CsqyHqZmrbITUMr718gX1kkAvzF/fVAXT8YshOcK7rQbiMQJCZqeBp3fY7FC + =5yPR -----END PGP MESSAGE----- fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DQrf1tCqiJxoSAQdA8YKD21h5POTLPf04KvGN93omFgkYO+Y8Kc0jM0vdqm8w - 3zYRaLsDjdh8Zd89/HhHJUfLrTp/IJ0n81sK0ZjznbXKxgkseGthMzof+L7BnPAp - 0l4BnAs9iZS4q2LZVS7ySBP89xLmF97qhK2jagMNSAwq8Afxbcw8oQAVQmeyYfxx - X59irIHjI1ugO4o1WnTN67nTQjU5msbVBs0eALrw3jobzFHRL67fS0a4Soa59LTY - =ZHIU + hF4DQrf1tCqiJxoSAQdAfLqKILCrCv2s2V7bLntk5lHI6Dc1FQlCg3LAefc8oTIw + a3UZU3OajQ1CCIhhu02JSlTKZm2z+pZKVHy+s5EgCqwAWTfPNAnyPT0ZGrhIdcah + 0lwBdg2Tq3+Nhix1ZuA/mUgcrbRBcFKlHY+IGEgOHKLJld9UPF2xEjTX6nmLyuTR + 6x+HW/7vVuc/jcFeQEmokhQw/SICVdyD7NQua4k1agLkty3hGcm1XCsfyKfj+w== + =Bxf9 -----END PGP MESSAGE----- fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DzAGzViGx4qcSAQdAN7rRlv3dMoFOfj9eHgf+0H8521b32nWqySUdriEy6Tcw - gjuReMBpKQOgUfuhIiWkHIKNtNgMrYWiC20ESOXX5b9uYZNpqHCgHQPlX0lEeGim - 0lgBOieL7mSEq4wkWLCSv4sBAmkQA+dnugBeF+TrlqKQTZsbe/Z+jNG4ZrHRvdqi - 4I5It+uaRV9Vrul1c6H7fNreRPUd4hNyJwU7gZQ+vU2WyAmgqerxE1Wb - =gplT + hF4DzAGzViGx4qcSAQdAr2tfPiCpUkxFj4rgSiLf7y4iyKbsgEY87iYH3GAZTVcw + vK2YpjSVgFRoJNx9s3bFr+9UG0LFmKvDZEP83ThQizYs2I/N7MSU8ERRImshaQMH + 0lYB4At0RHC1mp8eKqhRgXenOtpfCiBACtlIdS9m1aqcU6i9Drgt86Bk/LC/HSvJ + MUOit2PP7QZVRWV6F8wAHlUFd6bdTKv9eOCZLSB6mY6DQmkp93FIMg== + =lQcB -----END PGP MESSAGE----- fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA2pVdGTIrZI+ARAAjWK8mU99VcnM/Ckzm+YsZFTwnz4PDAenDDdZ1OOz5IXe - tS4SQPcQlSSOuXEkFLJMmm8QVxtUC3Gh4nF7o+7OygT+0ZXOrB7jFgg10+v/KVA9 - 
hSlqBdsMxcC0OzBtkGyAOXOxqnTVubuHEGyGpIryHt1/lthUUZHBbjgw7P0Tw2/U - sYK5j5YbqhyBl20gyZorkTTq7pHfVXDVtpe75+ZkqbOg4S6HgW3/dl+v6N0TLfRs - GVl0fUlWIK/akGCB71zdwJs2I1qTeMTlL6v+XSUdXj0YV+5fjh3wf8qzN9geIjQK - ybxGFWDKCAgTMnqoFF5BCL23hFtnCbTtLN1wQT7/m7zpjaBKHOBXZOGXYZCMGZui - sBsUvPANgNdfOse9H2aABQvUQh8WqFw8S73GasvrZHAwEmvnXzocMJd+kUovzmQu - 9FBk5UkcgXfmxeamoP8C700vh4zI+sKz6uEW0+AuVtLlLVqlb2w21kTc+ArZW52n - HLolH5q3Wj6pKuuFCWKr6UgLFcq2w4QngB2p+UABHU3RbwXIra7prDXCUcNC5iCn - ElRFY7OZ3nbHOf9oaW/MitcfszVLyl0ueoay6qxdlIGdXKRGpqxHqqr+92INV/iz - 6CRoAsTqVq1a7ZuAaUdJPvfKVAHHEHjPwlrOc9cXvykG0iQKsRzgqiOtPiGQShnU - aAEJAhDSqCwywHDnQ7X9ZWIzPjwvqyHpEVez8zYh3vpgKpsLb9uL+JizZjV02HMe - nhiL+4o/aNjJgGJWph1uPFhU4wO4AavnNBsHbJSiL/1yTS96hdf8d+gB41yVLU3e - kBkDFLKkIBkU - =aRLd + hQIMA2pVdGTIrZI+ARAAjNHCArTtU9D8zw5yJzvf0KSwQoOaQWHui7AqQkvQ8mJv + 8+Vo9sb+JoSuFHQqqDbOU+VFpmc9CZ6HCJaWqO2gZVgjxrsrPgyfq795LBd6GhX5 + 6zwUH2huxv+n7XkfjN4HHJAlSj0pRyL3fyojdOdtXCTuBGbofLIBJUbuD1wro1K+ + nSHLvdBEitn8afKt5/SaatB8Prwyet6E6J4HluXFQjl+KdrRHHvXImmhNSR4yfIr + yQt2s8qapSvLhrUw9/GFXqM/jg4ZlDhPUhCAKI2Pr5PbsRMBqwdkSrDeB7MHdsU6 + tI4uyb7j8m3VMbFKNVpuluwgk47V+W/h+jtZetSR6ewYsXJjgHNmX6JX73XzR7R+ + q4EBfSAxR7ByZ/HHuumUH6BKBj8IcNJQwtEkLIZmLZ3OdFtJP3YY0esV+gEhG6K7 + m2Zl9C7axuYmvoLrqygaChmxMhMiebTPNkD/dH5Ircwl2cXfHC+bvF2WO73DTk9G + emHzrkniEtuUs+svMhT3NKM3/mpOJTiNezdH39HZADzkBwZ5Mmkfe4mbXByfRN7F + AEJWmnOcpXwXE9//sRbkRr+CGmB86raZE22wHPuk6U9IyVFJm8hJbOzFc7rwu1Eo + 0YWBCsc9dA+jH8hIKrIfXwqnfhYjTrX+oZJeK/8McOwfF7I2G9YrPAgwbokQmtLU + ZgEJAhC8ryOvXwp2kP9sv6nbXIEcwrX8lRjkEWduf6ZAWAfQ5FGBSPzR8WnZWGzN + PCxjg7utA9AHBChF1duwOV2Qr5XW8HTUGAx4fc0T0rjC862vSwf8yAY89WWJyUfk + n8qhhdw1uw== + =KgOe -----END PGP MESSAGE----- fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DKKbvh61jX5USAQdABId/P8ozRgJ4ItF1zvxp98aH+g3LZ6UGnxjYjtDxjEIw - VmyerznjOLnpz0EobXRRoot1Lo82Va64HQmXt26LG3gFY1HVp0WOnIZXa/CUoUb8 - 
1GgBCQIQloFxKcgFTiRidaJfN7hSeQLleiEe3aifZUyJj8niTmBaY29t+CSoA46N - xZzX1AlxVjfmputhYdTyOYSJtGrj7otmnUN2P+55pjz4L2qCYAEKi1+ibqgpmJh/ - bETQsT6WKJ8FXA== - =Ci7L + hF4DKKbvh61jX5USAQdAYrtySnoCK7k4ZZIyllSAr23fozsiZb9Nf6Q+r56i3lAw + 7IxBdJc2ipMxafy1Ntq0wfAYYk7nY6Vz1XtB+ekVeYLOjDmHRnJWq/Jw0K8wLvWT + 1GYBCQIQ/0zDLdFOrMNjVPMutGVJOkpm7mbD30GpgRugzEf2NZePGtptqnP6i1t1 + izBqFRByftV1MUw1uWgTFgB8zEVDh6gG0QAYeRuu3NS9QhwR71Wlu2J4eu+VhZi7 + AKabk3T3Z00= + =A2ad -----END PGP MESSAGE----- fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49 unencrypted_suffix: _unencrypted diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index 90f2efd..740c7ba 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -74,6 +74,7 @@ ansible_pull_hosts: light: waybackproxy: yate: + z9-router: secrets_hosts: hosts: z9-router: From 0fef65b2c291d52bd124a8a73c125d9438a707fd Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Mon, 25 May 2026 19:50:01 +0200 Subject: [PATCH 05/35] z9-router(host): fix some spelling and a wireguard peer address --- resources/z9/z9-router/nftables/nftables.conf | 4 ++-- resources/z9/z9-router/systemd_networkd/10-wg55.netdev | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/resources/z9/z9-router/nftables/nftables.conf b/resources/z9/z9-router/nftables/nftables.conf index 842ca04..f639689 100644 --- a/resources/z9/z9-router/nftables/nftables.conf +++ b/resources/z9/z9-router/nftables/nftables.conf 
@@ -108,7 +108,7 @@ table inet forward { meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access" meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access" - # Allow clients and managment to most - iifname { $if_netlan_51_clients, $if_netlan_54_management, $if_wg55_management } oifname $lan_ifs accept comment "allow clients and managment to lan_ifs" + # Allow clients and management to most + iifname { $if_netlan_51_clients, $if_netlan_54_management, $if_wg55_management } oifname $lan_ifs accept comment "Allow clients and management to lan interfaces" } } diff --git a/resources/z9/z9-router/systemd_networkd/10-wg55.netdev b/resources/z9/z9-router/systemd_networkd/10-wg55.netdev index b3e41a6..f2de509 100644 --- a/resources/z9/z9-router/systemd_networkd/10-wg55.netdev +++ b/resources/z9/z9-router/systemd_networkd/10-wg55.netdev @@ -5,7 +5,7 @@ Name=wg55 [WireGuard] ListenPort=51820 -PrivateKeyFile=/etc/ansible_secrets/wireguard_wg55_privat_key +PrivateKeyFile=/etc/ansible_secrets/wireguard_wg55_private_key # WireGuard Peers @@ -75,7 +75,7 @@ PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_home_psk [WireGuardPeer] # friendly_name = lilly-lillysLaptop -AllowedIPs = 10.89.214.16/32 #,2a07:c481:1:37::/128 +AllowedIPs = 10.89.214.16/32,2a07:c481:1:37::16/128 PublicKey = IBsI+N8qUNpQnDc5HnqQ2Zo/1graFM0RMIecHmAF+Vk= [WireGuardPeer] From 9bff86df7fbe4ae1d2c1ade9f07a78a0bf0fc132 Mon Sep 17 00:00:00 2001 
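Review bot: The rename on the `PrivateKeyFile=` line only works if the secret that writes `/etc/ansible_secrets/wireguard_wg55_private_key` was renamed in lockstep; the entry names in `secrets__secrets` of `z9-router.sops.yaml` are encrypted in this series, so the diff cannot show whether that happened. If the deployed file is still `..._privat_key`, networkd will fail to load the key and the management tunnel will not come up as intended, with only a journal message rather than a play failure to point at it. Please confirm the sops entry name matches, and consider pinning the coupling with a comment on the line: `# path must match the secrets__secrets entry that deploys the key`.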
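Review bot: The lilly-lillysLaptop peer gains an IPv6 `AllowedIPs` entry but, unlike the langoor_home peer whose `PresharedKeyFile =` line is the context just above it, still has no `PresharedKeyFile`, so it runs without the extra symmetric layer the neighbouring peer has. If PSKs are opt-in per peer that is fine, but it is easy to miss when peers are added by copy-paste, so either add a PSK for this peer as well or mark the choice inline: `# no PSK: laptop client, opted out`.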
From: bitwhisker Date: Mon, 25 May 2026 20:13:29 +0200 Subject: [PATCH 06/35] kea_dhcp(role): some fixes and removing arch part - remove tags from tasks - remove archlinux part - use debian default package for kea --- roles/kea_dhcp/defaults/main.yaml | 1 - roles/kea_dhcp/handlers/main.yml | 6 +-- roles/kea_dhcp/meta/argument_specs.yaml | 4 +- roles/kea_dhcp/tasks/install_archlinux.yml | 8 ---- roles/kea_dhcp/tasks/install_debian.yml | 39 +++++++++--------- roles/kea_dhcp/tasks/kea.yaml | 10 ++--- roles/kea_dhcp/tasks/main.yml | 6 --- roles/kea_dhcp/tasks/stork-agent.yaml | 47 +++------------------- 8 files changed, 34 insertions(+), 87 deletions(-) delete mode 100644 roles/kea_dhcp/tasks/install_archlinux.yml diff --git a/roles/kea_dhcp/defaults/main.yaml b/roles/kea_dhcp/defaults/main.yaml index 409f0a1..dc6453a 100644 --- a/roles/kea_dhcp/defaults/main.yaml +++ b/roles/kea_dhcp/defaults/main.yaml @@ -1,7 +1,6 @@ kea_dhcp__stork_agent: enable: false prometheus_only: true -kea_dhcp__version_repo: "kea-3-0" kea_dhcp__dns_servers: v6: - "2a07:c481:0:4::2" diff --git a/roles/kea_dhcp/handlers/main.yml b/roles/kea_dhcp/handlers/main.yml index 5b44d6e..d06aa1c 100644 --- a/roles/kea_dhcp/handlers/main.yml +++ b/roles/kea_dhcp/handlers/main.yml @@ -4,19 +4,19 @@ ansible.builtin.systemd_service: daemon_reload: true -- name: Kea_dhcp4.reloaded +- name: Kea_dhcp4.restarted ansible.builtin.service: name: kea-dhcp4 state: restarted enabled: true -- name: Kea_dhcp6.reloaded +- name: Kea_dhcp6.restarted ansible.builtin.service: name: kea-dhcp6 state: restarted enabled: true -- name: Kea_ctrl.reloaded +- name: Kea_ctrl.restarted ansible.builtin.systemd: name: kea-ctrl-agent state: restarted diff --git a/roles/kea_dhcp/meta/argument_specs.yaml b/roles/kea_dhcp/meta/argument_specs.yaml index 995b838..4d0d594 100644 --- a/roles/kea_dhcp/meta/argument_specs.yaml +++ b/roles/kea_dhcp/meta/argument_specs.yaml 
@@ -37,7 +37,7 @@ argument_specs: interfaces: type: "list" elements: "str" - default: [] + default: [ ] control-sockets: type: "list" elements: "dict" @@ -85,7 +85,7 @@ argument_specs: interfaces: type: "list" elements: "str" - default: [] + default: [ ] control-sockets: type: "list" elements: "dict" diff --git a/roles/kea_dhcp/tasks/install_archlinux.yml b/roles/kea_dhcp/tasks/install_archlinux.yml deleted file mode 100644 index 7bdb140..0000000 --- a/roles/kea_dhcp/tasks/install_archlinux.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Install Kea on Archlinux - when: ansible_facts['distribution'] == "Archlinux" - become: true - community.general.pacman: - name: kea - state: present - update_cache: false diff --git a/roles/kea_dhcp/tasks/install_debian.yml b/roles/kea_dhcp/tasks/install_debian.yml index 2ac2346..f897ddb 100644 --- a/roles/kea_dhcp/tasks/install_debian.yml +++ b/roles/kea_dhcp/tasks/install_debian.yml 
@@ -1,22 +1,25 @@ --- -- name: Register isc-kea apt repository - become: true - register: kea_dhcp_repo - when: ansible_facts['distribution'] == "Debian" - ansible.builtin.deb822_repository: - name: "isc-{{ kea_dhcp__version_repo }}" - uris: "https://dl.cloudsmith.io/public/isc/{{ kea_dhcp__version_repo }}/deb/debian" - suites: any-version - components: main - signed_by: "https://dl.cloudsmith.io/public/isc/{{ kea_dhcp__version_repo }}/gpg.key" - - name: Install Kea packages become: true when: ansible_facts['distribution'] == "Debian" - ansible.builtin.apt: - name: - - isc-kea-dhcp4 - - isc-kea-dhcp6 - - isc-kea-ctrl-agent - - isc-kea-admin - update_cache: "{{ kea_dhcp_install_repo.changed }}" + block: + - name: Install Kea dhcp4 + when: kea_dhcp__dhcp4.enable + ansible.builtin.apt: + name: + - isc-kea-dhcp4 + - name: Install Kea dhcp6 + when: kea_dhcp__dhcp6.enable + ansible.builtin.apt: + name: + - isc-kea-dhcp6 + - name: Install Kea ctrl agent + when: kea_dhcp__stork_agent.enable + ansible.builtin.apt: + name: + - isc-kea-ctrl-agent + - name: Install Kea admin + when: kea_dhcp__stork_agent.enable + ansible.builtin.apt: + name: + - isc-kea-admin diff --git a/roles/kea_dhcp/tasks/kea.yaml b/roles/kea_dhcp/tasks/kea.yaml index a4fd3b5..116c7dd 100644 --- a/roles/kea_dhcp/tasks/kea.yaml +++ b/roles/kea_dhcp/tasks/kea.yaml @@ -1,12 +1,10 @@ --- - name: Include config vars - tags: [ kea, include_vars ] when: kea_dhcp__include_vars is not None ansible.builtin.include_vars: file: "{{ kea_dhcp__include_vars }}" - name: Deploy kea-dhcp4 configuration file - tags: [ kea, dhcp4 ] become: true when: kea_dhcp__dhcp4.enable ansible.builtin.template: @@ -18,10 +16,9 @@ mode: "u=rw,g=r,o=" validate: kea-dhcp4 -T %s notify: - - Kea_dhcp4.reloaded + - Kea_dhcp4.restarted - name: Deploy kea-dhcp6 configuration file - tags: [ kea, dhcp6 ] become: true when: kea_dhcp__dhcp6.enable ansible.builtin.template: 
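Review bot: The commit message says the role now uses Debian's default Kea packages, but the four apt tasks still install `isc-kea-dhcp4`, `isc-kea-dhcp6`, `isc-kea-ctrl-agent` and `isc-kea-admin`, which as far as I know are the package names from ISC's cloudsmith repository; Debian's own packages are named `kea-dhcp4-server`, `kea-dhcp6-server`, `kea-ctrl-agent` and `kea-admin`. With the deb822 repository task removed, apt will only resolve the `isc-kea-*` names if that repository is configured by something else, so either the names or the commit message needs correcting. Dropping the repository task also drops the pinned `signed_by` key; that is fine if the packages really come from Debian's keyring-verified archive, but if a third-party repo is re-introduced elsewhere the key pinning should come back with it. Separately, `isc-kea-admin` is installed only when the Stork agent is enabled, although nothing visible ties kea-admin to Stork — if it is there for lease-database maintenance it should follow `kea_dhcp__dhcp4.enable or kea_dhcp__dhcp6.enable` instead.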
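Review bot: The condition `when: kea_dhcp__include_vars is not None` on the include-vars task uses the capitalised `None`; Jinja's null test is spelled `none`, and to my knowledge Ansible rejects the capitalised form with "no test named 'None'", so the task errors instead of being skipped whenever it is evaluated. The line is context rather than part of this change, but the tag removal touches the same task, so it is a good moment to fix it: `when: kea_dhcp__include_vars is defined and kea_dhcp__include_vars is not none`. The `is defined` guard matters if the variable has no default — the visible defaults/main.yaml hunk shows none for it, though the file may define one outside the hunk.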
@@ -33,10 +30,9 @@ mode: "u=rw,g=r,o=" validate: kea-dhcp6 -T %s notify: - - Kea_dhcp6.reloaded + - Kea_dhcp6.restarted - name: Copy kea-ctrl-agent configuration file - tags: [ kea, ctrl-agent ] become: true when: kea_dhcp__stork_agent.enable ansible.builtin.template: @@ -47,5 +43,5 @@ mode: "u=rw,g=r,o=" validate: kea-ctrl-agent -t %s notify: - - Kea_ctrl.reloaded + - Kea_ctrl.restarted - Stork_agent.restarted diff --git a/roles/kea_dhcp/tasks/main.yml b/roles/kea_dhcp/tasks/main.yml index a3478fa..6fced08 100644 --- a/roles/kea_dhcp/tasks/main.yml +++ b/roles/kea_dhcp/tasks/main.yml @@ -1,11 +1,6 @@ --- - name: Setup Kea DHCP - tags: [kea, dhcp] block: - - name: Install Kea on Archlinux - when: ansible_facts['distribution'] == "Archlinux" - ansible.builtin.import_tasks: install_archlinux.yml - - name: Install Kea on Debian when: ansible_facts['distribution'] == "Debian" ansible.builtin.import_tasks: install_debian.yml @@ -14,6 +9,5 @@ ansible.builtin.include_tasks: kea.yaml - name: Run stork-agent tasks - tags: [stork-agent, monitoring] when: kea_dhcp__stork_agent.enable ansible.builtin.include_tasks: stork-agent.yaml diff --git a/roles/kea_dhcp/tasks/stork-agent.yaml b/roles/kea_dhcp/tasks/stork-agent.yaml index 916760c..0e777d4 100644 --- a/roles/kea_dhcp/tasks/stork-agent.yaml +++ b/roles/kea_dhcp/tasks/stork-agent.yaml 
@@ -1,55 +1,18 @@ --- - name: Install stork-agent - tags: [stork-agent] block: - - name: Install stork-agent on Archlinux - when: ansible_facts['distribution'] == "Archlinux" - tags: [stork-agent, archlinux] - block: - - name: Create stork-agent user - ansible.builtin.user: - name: stork-agent - create_home: false - home: "/var/lib/stork-agent" - shell: "/usr/bin/nologin" - system: true - groups: ["kea"] - append: true - - - name: Install stork-agent with aur_pkg_install - ansible.builtin.include_role: - name: aur_pkg_install - vars: - aur_pkg_install__pkg_name: "stork-agent" - aur_pkg_install__git_clone_url: "https://ansible:{{ secret__ansible_git_token }}@git.fux-eg.net/aur-mirror/stork-agent.git" - aur_pkg_install__git_ref: "bf96e34" - - - name: Install stork-agent on Debian + - name: Install isc-stork-agent when: ansible_facts['distribution'] == "Debian" - tags: [stork-agent, debian] - block: - - name: Register isc-stork apt repository - become: true - register: "kea_dhcp_install_repo" - ansible.builtin.deb822_repository: - name: isc-stork - uris: https://dl.cloudsmith.io/public/isc/stork/deb/debian - suites: any-version - components: main - signed_by: https://dl.cloudsmith.io/public/isc/stork/gpg.key - - - name: Install isc-stork-agent - become: true - ansible.builtin.apt: - name: isc-stork-agent - update_cache: "{{ kea_dhcp_install_repo.changed }}" + become: true + ansible.builtin.apt: + name: isc-stork-agent - name: Add stork-agent user to _kea group on Debian when: ansible_facts['distribution'] == "Debian" become: true ansible.builtin.user: name: stork-agent - groups: ["_kea"] + groups: [ "_kea" ] append: true - name: Config for stork-agent From 2798e9e01c7ae58938ae9601ffeadddd60a0b4d2 Mon Sep 17 00:00:00 2001 
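Review bot: The new `Install isc-stork-agent` task installs `isc-stork-agent` with plain apt after the task that registered ISC's Stork repository was deleted, and as far as I know Stork is not packaged by Debian — it is only available from ISC's cloudsmith repository. Unless that repository is configured elsewhere for these hosts, this task fails on a fresh machine. If the repository is meant to stay, the deb822 task with its `signed_by` key should be kept here; if the intent is to stop installing Stork from third-party sources, the task should say so, e.g. `# isc-stork-agent is not in Debian; expects the ISC stork repo to be provisioned by <role>`.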
From: bitwhisker Date: Mon, 25 May 2026 21:18:56 +0200 Subject: [PATCH 07/35] kea_dhcp(role): add README.md --- roles/kea_dhcp/README.md | 102 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 roles/kea_dhcp/README.md diff --git a/roles/kea_dhcp/README.md b/roles/kea_dhcp/README.md new file mode 100644 index 0000000..4071943 --- /dev/null +++ b/roles/kea_dhcp/README.md 
@@ -0,0 +1,102 @@ +# Role `kea_dhcp` + +Install and manage kea dhcp. + +## Supported Distributions + +Should work on Debian-based distributions. + +## Required Arguments + +None. + +## Optional Arguments + +- `kea_dhcp__stork_agent.enable`: Enable Kea DHCP stork agent. + Defaults to `false`. +- `kea_dhcp__stork_agent.prometheus_only`: Only enable the prometheus endpoint in stork agent. + Defaults to `true`. +- `kea_dhcp__dns_servers.v4`: List of IPv4 DNS Servers in DHCP response. + Defaults to FUX DNS Servers. +- `kea_dhcp__dns_servers.v6`: List of IPv6 DNS Servers in DHCP response. + Defaults to FUX DNS Servers. +- `kea_dhcp__include_vars`: Path to YAML File to separately load VARs for Kea config templating. +- `kea_dhcp__dhcp4.enable`: Enable Kea DHCP4 Service. + Defaults to `false`. +- `kea_dhcp__dhcp4.interfaces`: List of interfaces the DHCP4 Server should listen to and serve. + Defaults to the empty list (`[ ]`). +- `kea_dhcp__dhcp4.control-sockets`: List of Kea DHCP4 control sockets. + Defaults to the list with one entry (see below). +- `kea_dhcp__dhcp4.control-sockets.*.socket-name`: Control socket name. + Defaults to `kea_dhcp__dhcp4.control-sockets.0.socket-name: /var/run/kea-dhcp4-ctrl-agent.sock`. +- `kea_dhcp__dhcp4.control-sockets.*.socket-type`: Control socket type. + Defaults to `kea_dhcp__dhcp4.control-sockets.0.socket-type: unix`. +- `kea_dhcp__dhcp4.lease-database.type`: Type of lease database. + Defaults to `memfile`. +- `kea_dhcp__dhcp4.lease-database.persist`: Persist the lease database. + Defaults to `true`. +- `kea_dhcp__dhcp4.option-data`: List of DHCP4 Options. + Defaults to a list with one entry (see below). +- `kea_dhcp__dhcp4.option-data.*.name`: Name of DHCP4 Option. + Defaults to `kea_dhcp__dhcp4.option-data.0.name: "domain-name-servers"`. +- `kea_dhcp__dhcp4.option-data.*.code`: DHCP4 Option code. + Defaults to `kea_dhcp__dhcp4.option-data.0.code: 6`. +- `kea_dhcp__dhcp4.option-data.*.csv-format`: DHCP4 Option as csv format. 
+ Defaults to `kea_dhcp__dhcp4.option-data.0.csv-format: true`. +- `kea_dhcp__dhcp4.option-data.*.data`: DHCP4 Option data. + Defaults to `kea_dhcp__dhcp4.option-data.0.data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}"`. +- `kea_dhcp__dhcp4.subnets`: List of subnets the DHCP4 server should manage. + Defaults to the empty list (`[ ]`). +- `kea_dhcp__dhcp4.subnets.*.id`: ID of interface (starts with 1). +- `kea_dhcp__dhcp4.subnets.*.subnet`: Subnet on interface. +- `kea_dhcp__dhcp4.subnets.*.pools`: List of DHCP pools in subnet. +- `kea_dhcp__dhcp4.subnets.*.pools.*.pool`: DHCP pool in range format. +- `kea_dhcp__dhcp4.subnets.*.reservations`: List of DHCP lease reservations. +- `kea_dhcp__dhcp4.subnets.*.reservations.*.ip-address`: IP address of reservation. +- `kea_dhcp__dhcp4.subnets.*.reservations.*.hostname`: Hostname of reservation. +- `kea_dhcp__dhcp4.subnets.*.reservations.*.hw-address`: Hardware address of reservation. +- `kea_dhcp__dhcp4.subnets.*.option-data`: List of DHCP lease reservations. +- `kea_dhcp__dhcp4.subnets.*.option-data.*.name`: Name of DHCP4 Option. +- `kea_dhcp__dhcp4.subnets.*.option-data.*.code`: DHCP4 Option code. +- `kea_dhcp__dhcp4.subnets.*.option-data.*.csv-format`: DHCP4 Option as csv format. +- `kea_dhcp__dhcp4.subnets.*.option-data.*.data`: DHCP4 Option data. +- `kea_dhcp__dhcp6.enable`: Enable Kea DHCP6 Service. + Defaults to `false`. +- `kea_dhcp__dhcp6.interfaces`: List of interfaces the DHCP6 Server should listen to and serve. + Defaults to the empty list (`[ ]`). +- `kea_dhcp__dhcp6.control-sockets`: List of Kea DHCP6 control sockets. + Defaults to the list with one entry (see below). +- `kea_dhcp__dhcp6.control-sockets.*.socket-name`: Control socket name. + Defaults to `kea_dhcp__dhcp6.control-sockets.0.socket-name: /var/run/kea-dhcp6-ctrl-agent.sock`. +- `kea_dhcp__dhcp6.control-sockets.*.socket-type`: Control socket type. + Defaults to `kea_dhcp__dhcp6.control-sockets.0.socket-type: unix`. 
+- `kea_dhcp__dhcp6.lease-database.type`: Type of lease database. + Defaults to `memfile`. +- `kea_dhcp__dhcp6.lease-database.persist`: Persist the lease database. + Defaults to `true`. +- `kea_dhcp__dhcp6.option-data`: List of DHCP6 Options. + Defaults to a list with one entry (see below). +- `kea_dhcp__dhcp6.option-data.*.name`: Name of DHCP6 Option. + Defaults to `kea_dhcp__dhcp6.option-data.0.name: "domain-name-servers"`. +- `kea_dhcp__dhcp6.option-data.*.code`: DHCP6 Option code. + Defaults to `kea_dhcp__dhcp6.option-data.0.code: 6`. +- `kea_dhcp__dhcp6.option-data.*.csv-format`: DHCP6 Option as csv format. + Defaults to `kea_dhcp__dhcp6.option-data.0.csv-format: true`. +- `kea_dhcp__dhcp6.option-data.*.data`: DHCP6 Option data. + Defaults to `kea_dhcp__dhcp6.option-data.0.data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}"`. +- `kea_dhcp__dhcp6.subnets`: List of subnets the DHCP6 server should manage. + Defaults to the empty list (`[ ]`). +- `kea_dhcp__dhcp6.subnets.*.id`: ID of interface (starts with 1). +- `kea_dhcp__dhcp6.subnets.*.subnet`: Subnet on interface. +- `kea_dhcp__dhcp6.subnets.*.pools`: List of DHCP pools in subnet. +- `kea_dhcp__dhcp6.subnets.*.pools.*.pool`: DHCP pool in range format. +- `kea_dhcp__dhcp6.subnets.*.reservations`: List of DHCP lease reservations. +- `kea_dhcp__dhcp6.subnets.*.reservations.*.ip-address`: IP address of reservation. +- `kea_dhcp__dhcp6.subnets.*.reservations.*.hostname`: Hostname of reservation. +- `kea_dhcp__dhcp6.subnets.*.reservations.*.hw-address`: Hardware address of reservation. +- `kea_dhcp__dhcp6.subnets.*.option-data`: List of DHCP lease reservations. +- `kea_dhcp__dhcp6.subnets.*.option-data.*.name`: Name of DHCP6 Option. +- `kea_dhcp__dhcp6.subnets.*.option-data.*.code`: DHCP6 Option code. +- `kea_dhcp__dhcp6.subnets.*.option-data.*.csv-format`: DHCP6 Option as csv format. +- `kea_dhcp__dhcp6.subnets.*.option-data.*.data`: DHCP6 Option data. + 
From 09a4869ac11feeb31a97aae61e13f83479757849 Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Mon, 25 May 2026 21:27:25 +0200 Subject: [PATCH 08/35] kea_dhcp(role): fix indentation in template --- roles/kea_dhcp/templates/kea-dhcp4.conf.jinja | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja b/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja index 78f06ae..fa7cfd5 100644 --- a/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja +++ b/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja @@ -3,12 +3,12 @@ "interfaces-config": { "interfaces": {{ kea_dhcp__dhcp4.interfaces | to_nice_json }} }, - "control-sockets": {{ kea_dhcp__dhcp4['control-sockets'] | to_nice_json }}, - "lease-database": {{ kea_dhcp__dhcp4['lease-database'] | to_nice_json }}, - {% if kea_dhcp__dhcp4['option-data'] is defined and kea_dhcp__dhcp4['option-data'] %} - "option-data": {{ kea_dhcp__dhcp4['option-data'] | to_nice_json }}, - {% endif %} - "subnet4": [ + "control-sockets": {{ kea_dhcp__dhcp4['control-sockets'] | to_nice_json }}, + "lease-database": {{ kea_dhcp__dhcp4['lease-database'] | to_nice_json }}, + {% if kea_dhcp__dhcp4['option-data'] is defined and kea_dhcp__dhcp4['option-data'] %} + "option-data": {{ kea_dhcp__dhcp4['option-data'] | to_nice_json }}, + {% endif %} + "subnet4": [ {% for subnet in kea_dhcp__dhcp4.subnets %} { "id": {{ subnet.id }}, From a19262eae0476a3c7bca25a644f25dc597d7bacb Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Tue, 26 May 2026 08:37:40 +0200 Subject: [PATCH 09/35] kea_dhcp(role): make stork-agent.env smaller and add link to documentation --- roles/kea_dhcp/README.md | 2 +- .../kea_dhcp/templates/stork-agent.env.jinja | 30 ++----------------- 2 files changed, 4 insertions(+), 28 deletions(-) diff --git a/roles/kea_dhcp/README.md b/roles/kea_dhcp/README.md index 4071943..9938cf9 100644 --- a/roles/kea_dhcp/README.md +++ b/roles/kea_dhcp/README.md 
@@ -1,6 +1,6 @@ # Role `kea_dhcp` -Install and manage kea dhcp. +Install and manage Kea DHCP and [Stork Agent](https://stork.readthedocs.io/en/latest/man/stork-agent.8.html). ## Supported Distributions diff --git a/roles/kea_dhcp/templates/stork-agent.env.jinja b/roles/kea_dhcp/templates/stork-agent.env.jinja index bdfa4d2..75250b0 100644 --- a/roles/kea_dhcp/templates/stork-agent.env.jinja +++ b/roles/kea_dhcp/templates/stork-agent.env.jinja @@ -1,11 +1,6 @@ -### the IP or hostname to listen on for incoming Stork server connections -# STORK_AGENT_HOST= +### Stork Agent env file +### (created and managed by ansible kea_dhcp role) -### the TCP port to listen on for incoming Stork server connections -# STORK_AGENT_PORT=8081 - -### listen for commands from the Stork server only, but not for Prometheus requests -# STORK_AGENT_LISTEN_STORK_ONLY=true {% if kea_dhcp__stork_agent.prometheus_only %} ### listen for Prometheus requests only, but not for commands from the Stork server 
@@ -14,31 +9,12 @@ STORK_AGENT_LISTEN_PROMETHEUS_ONLY=true ### settings for exporting stats to Prometheus ### the IP or hostname on which the agent exports Kea statistics to Prometheus -# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_ADDRESS= +STORK_AGENT_PROMETHEUS_KEA_EXPORTER_ADDRESS=localhost ### the port on which the agent exports Kea statistics to Prometheus # STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PORT= -## enable or disable collecting per-subnet stats from Kea -# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PER_SUBNET_STATS=true -### the IP or hostname on which the agent exports BIND 9 statistics to Prometheus -# STORK_AGENT_PROMETHEUS_BIND9_EXPORTER_ADDRESS= -### the port on which the agent exports BIND 9 statistics to Prometheus -# STORK_AGENT_PROMETHEUS_BIND9_EXPORTER_PORT= - -### Stork Server URL used by the agent to send REST commands to the server during agent registration -# STORK_AGENT_SERVER_URL= - -### skip TLS certificate verification when the Stork Agent connects -### to Kea over TLS and Kea uses self-signed certificates -# STORK_AGENT_SKIP_TLS_CERT_VERIFICATION=true - ### Logging parameters ### Set logging level. Supported values are: DEBUG, INFO, WARN, ERROR STORK_LOG_LEVEL=DEBUG -### disable output colorization -# CLICOLOR=false - -### path to the hook directory -# STORK_AGENT_HOOK_DIRECTORY= From 0a74ac02c21d35bc58a0d9bc48c54efcc08133fe Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Tue, 26 May 2026 10:06:52 +0200 Subject: [PATCH 10/35] unbound(role): use existing deploy_systemd_resolved_config role and some reordering --- inventories/z9/hosts.yaml | 3 +++ roles/unbound/handlers/main.yml | 7 ------ roles/unbound/tasks/main.yml | 24 +++---------------- roles/unbound/tasks/prometheus-exporter.yml | 8 ++++++- .../vars/deploy_systemd_resolved_config.yaml | 9 +++++++ 5 files changed, 22 insertions(+), 29 deletions(-) create mode 100644 roles/unbound/vars/deploy_systemd_resolved_config.yaml 
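Review bot: `STORK_AGENT_PROMETHEUS_KEA_EXPORTER_ADDRESS=localhost` is hard-coded while the rest of this template is driven by `kea_dhcp__stork_agent.*`; binding the exporter to loopback is a sensible default, but a Prometheus scrape from another host then needs a template change instead of an inventory variable. Consider templating it, e.g. `STORK_AGENT_PROMETHEUS_KEA_EXPORTER_ADDRESS={{ kea_dhcp__stork_agent.prometheus_address | default('localhost') }}` (variable name is a proposal) with a matching README entry, so any wider exposure of the metrics endpoint is an explicit inventory decision. The unchanged `STORK_LOG_LEVEL=DEBUG` is also worth a second look now that the header declares this file the Ansible-managed configuration.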
diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index 740c7ba..39fa97b 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -17,6 +17,9 @@ all: z9-router: ansible_host: z9-router.ccchh.net ansible_user: chaos +base_config_hosts: + hosts: + z9-router: certbot_hosts: hosts: dooris: diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml index e1345bf..222e8c5 100644 --- a/roles/unbound/handlers/main.yml +++ b/roles/unbound/handlers/main.yml @@ -18,10 +18,3 @@ name: prometheus-unbound-exporter.service state: restarted enabled: true - -- name: prometheus-unbound-exporter.enabled - become: true - ansible.builtin.systemd: - name: prometheus-unbound-exporter.service - enabled: true - daemon_reload: true diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 7ed42cb..eb88f93 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -7,11 +7,6 @@ ansible.builtin.package: name: unbound - - name: install extra dns tooling - become: true - ansible.builtin.package: - name: [ bind ] # the bind package includes tools like dig in archlinux - - name: ensure correct directory permissions become: true ansible.builtin.file: @@ -40,23 +35,10 @@ enabled: true - name: disable systemd-resolved - become: true when: unbound_disable_systemd_networkd - ansible.builtin.systemd: - name: systemd-resolved.service - state: stopped - enabled: false - - - name: configure system resolver to point to local unbound - become: true - when: unbound_disable_systemd_networkd - ansible.builtin.copy: - src: no-resolved.resolv.conf - dest: /etc/resolv.conf - owner: unbound - group: unbound - mode: u=rw,g=r,o=r - + ansible.builtin.include_role: + name: deploy_systemd_resolved_config + vars_from: deploy_systemd_resolved_config - name: install and configure prometheus-exporter for unbound ansible.builtin.import_tasks: prometheus-exporter.yml 
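Review bot: In the `disable systemd-resolved` task, `vars_from: deploy_systemd_resolved_config` on `ansible.builtin.include_role` is resolved against the included role's own `vars/` directory, not the calling role's, so the file this commit adds at `roles/unbound/vars/deploy_systemd_resolved_config.yaml` will not be picked up and the include either fails or runs with the included role's defaults (leaving the system resolver pointing away from unbound). Pass the values with `vars:` on the include, or load them with `include_vars` beforehand. `become: true` was also dropped from this task; whether the included role escalates on its own is not visible here and should be confirmed. The condition `unbound_disable_systemd_networkd` (context line) still names networkd while the task acts on resolved — pre-existing, but worth aligning in a follow-up.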
diff --git a/roles/unbound/tasks/prometheus-exporter.yml b/roles/unbound/tasks/prometheus-exporter.yml index d05b838..b794e07 100644 --- a/roles/unbound/tasks/prometheus-exporter.yml +++ b/roles/unbound/tasks/prometheus-exporter.yml @@ -3,7 +3,13 @@ become: true ansible.builtin.package: name: prometheus-unbound-exporter - notify: prometheus-unbound-exporter.enabled + +- name: enable unbound prometheus exporter + become: true + ansible.builtin.systemd: + name: prometheus-unbound-exporter.service + enabled: true + daemon_reload: true - name: configure unbound exporter become: true diff --git a/roles/unbound/vars/deploy_systemd_resolved_config.yaml b/roles/unbound/vars/deploy_systemd_resolved_config.yaml new file mode 100644 index 0000000..0da57c1 --- /dev/null +++ b/roles/unbound/vars/deploy_systemd_resolved_config.yaml @@ -0,0 +1,9 @@ +--- +deploy_systemd_resolved_config__enable: false +deploy_systemd_resolved_config__dns: + - 127.0.0.1 +deploy_systemd_resolved_config__fallback_dns: # Fux DNS Server + - 185.161.128.66 + - 2a07:c481:0:4::2 + - 185.161.128.67 + - 2a07:c481:0:4::3 From 84b1fa70cec9e7bea03e8b916707062431acd411 Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Tue, 26 May 2026 10:08:11 +0200 Subject: [PATCH 11/35] unbound(role): add FIXME note to unbound prometheus exporter install --- roles/unbound/tasks/prometheus-exporter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/unbound/tasks/prometheus-exporter.yml b/roles/unbound/tasks/prometheus-exporter.yml index b794e07..fba5090 100644 --- a/roles/unbound/tasks/prometheus-exporter.yml +++ b/roles/unbound/tasks/prometheus-exporter.yml @@ -1,5 +1,5 @@ --- -- name: install unbound prometheus exporter +- name: install unbound prometheus exporter # FIXME: there is no prometheus-unbound-exporter in debian .deb exists in https://github.com/letsencrypt/unbound_exporter/releases/tag/v0.6.0 become: true ansible.builtin.package: name: prometheus-unbound-exporter 
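Review bot: The new `enable unbound prometheus exporter` task sets `enabled: true` without a `state:`, so on a fresh host the unit is enabled for the next boot but not started now, whereas the replaced handler-based flow at least acted on change. Unless the following `configure unbound exporter` task always notifies the `prometheus-unbound-exporter.restarted` handler on first run, add `state: started` here. `daemon_reload: true` on an unconditional task also forces a systemd daemon-reload on every play; a package install does not need it, so consider dropping it or keeping it in the handler.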
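Review bot: The added FIXME states that `prometheus-unbound-exporter` has no Debian package, which means this `ansible.builtin.package` task fails on Debian hosts and aborts the remainder of the role (the exporter configuration task below it never runs). Until a package is available, gate the task, e.g. `when: ansible_facts['distribution'] != "Debian"`, or install the linked release artifact through a checksum-verified download task rather than leaving a known-failing step in place. A `# FIXME` comment placed above the task is also easier to spot than one trailing the `name:` line.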
From bb127d13754e6f1f9438b174f4ccee71c0eb08f9 Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Tue, 26 May 2026 10:09:50 +0200 Subject: [PATCH 12/35] unbound(role): remove tags inside role --- roles/unbound/handlers/main.yml | 2 -- roles/unbound/tasks/main.yml | 1 - 2 files changed, 3 deletions(-) diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml index 222e8c5..09af699 100644 --- a/roles/unbound/handlers/main.yml +++ b/roles/unbound/handlers/main.yml @@ -1,12 +1,10 @@ - name: unbound.restarted - tags: [ unbound, dns, dns_resolver ] become: true ansible.builtin.systemd: name: unbound.service state: restarted - name: unbound.reloaded - tags: [ unbound, dns, dns_resolver ] become: true ansible.builtin.systemd: name: unbound.service diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index eb88f93..a4a6896 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -1,5 +1,4 @@ - name: unbound role main - tags: [ unbound, dns, dns_resolver ] block: - name: install unbound dns resolver From 960315d1826fabcc8441ce14f648fc268ac0db22 Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Tue, 26 May 2026 10:19:42 +0200 Subject: [PATCH 13/35] unbound(role): reformat config template and use all vcpus --- roles/unbound/templates/unbound.conf.j2 | 75 ++++++++++++------------- 1 file changed, 35 insertions(+), 40 deletions(-) diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2 index a1e310e..96aa9cd 100644 --- a/roles/unbound/templates/unbound.conf.j2 +++ b/roles/unbound/templates/unbound.conf.j2 
@@ -1,22 +1,18 @@ # ref: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html # unbound.conf(5) man page server: - {% if unbound_enable_dnssec -%} - # disable chroot because unbound is the only thing running on the VM - # and because it has issues with how archlinux configures the systemd units write protection regarding the anchor file - chroot: "" - - # location of the trust anchor file that enables DNSSEC - # this file is generated by the `unbound-anchor` command - auto-trust-anchor-file: "/etc/unbound/trusted-key.key" - {% endif -%} + {% if unbound_enable_dnssec -%} + # location of the trust anchor file that enables DNSSEC + # this file is generated by the `unbound-anchor` command + auto-trust-anchor-file: "/etc/unbound/trusted-key.key" + {% endif -%} # use all CPUs - num-threads: 2 + num-threads: {{ ansible_facts['processor_vcpus'] }} # more cache memory - rrset-cache-size: 60m - msg-cache-size: 30m + rrset-cache-size: 60m + msg-cache-size: 30m # prefetch to keep the cache up to date prefetch: yes 
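Review bot: Besides re-indenting, this hunk drops `chroot: ""` from the DNSSEC branch, so unbound's compiled-in chroot default applies again; that is a runtime-sandboxing change the subject line (`reformat config template and use all vcpus`) does not mention. If it is intentional because the role now targets Debian rather than Archlinux, state it in the commit message and confirm that `auto-trust-anchor-file: "/etc/unbound/trusted-key.key"` remains writable for the unbound user from inside the chroot, since the anchor file is updated at runtime. Otherwise restore the line. With `num-threads` now following `processor_vcpus`, the `*-cache-slabs` settings (not set here) should per the unbound manual be a power of two close to the thread count to avoid lock contention. The `server:` section continues in the next hunk.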
@@ -25,49 +21,48 @@ server: prefetch-key: yes # Faster UDP with multithreading (only on Linux). - so-reuseport: yes + so-reuseport: yes # disable special large send buffer handling and just use kernel defaults - so-sndbuf: 0 + so-sndbuf: 0 - # send minimal amount of information to upstream servers to enhance privacy - qname-minimisation: yes + # send minimal amount of information to upstream servers to enhance privacy + qname-minimisation: yes - # specify the interface to answer queries from by ip-address. - {% for i in unbound_bind_interfaces -%} - interface: "{{ i }}" - {% endfor %} + # specify the interface to answer queries from by ip-address. + {% for i in unbound_bind_interfaces -%} + interface: "{{ i }}" + {% endfor %} - # addresses from the IP range that are allowed to connect to the resolver - {% for i in unbound_access_control -%} - access-control: {{ i }} - {% endfor -%} + # addresses from the IP range that are allowed to connect to the resolver + {% for i in unbound_access_control -%} + access-control: {{ i }} + {% endfor -%} - {% for i in unbound_private_domain -%} - private-domain: {{ i }} - {% endfor -%} + {% for i in unbound_private_domain -%} + private-domain: {{ i }} + {% endfor -%} - # The number of seconds between printing statistics to the log for every thread. - statistics-interval: 0 + # The number of seconds between printing statistics to the log for every thread. + statistics-interval: 0 - # Extended statistics are printed, Keeping track of more statistics takes time. - extended-statistics: yes + # Extended statistics are printed, Keeping track of more statistics takes time. 
+ extended-statistics: yes remote-control: - control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }} - control-interface: /run/unbound-control.sock + control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }} + control-interface: /run/unbound-control.sock # configure some zones for which this resolver will act authoritatively # https://www.dns.icann.org/services/axfr/ {% for i in [ ".", "in-addr.arpa.", "arpa.", "root-servers.net.", "ip6.arpa.", "ip6-servers.arpa.", "mcast.net." ] %} auth-zone: - name: "{{ i }}" - primary: "lax.xfr.dns.icann.org" - primary: "iad.xfr.dns.icann.org" - fallback-enabled: yes - for-downstream: no - for-upstream: yes - + name: "{{ i }}" + primary: "lax.xfr.dns.icann.org" + primary: "iad.xfr.dns.icann.org" + fallback-enabled: yes + for-downstream: no + for-upstream: yes {% endfor %} From c051fc63378cc7942b6ca0cd0f97181e4d5cb661 Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Tue, 26 May 2026 10:30:35 +0200 Subject: [PATCH 14/35] unbound(role): make unbound thread number configurable --- roles/unbound/README.md | 1 + roles/unbound/templates/unbound.conf.j2 | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/unbound/README.md b/roles/unbound/README.md index 806b9d8..c44805b 100644 --- a/roles/unbound/README.md +++ b/roles/unbound/README.md 
@@ -17,3 +17,4 @@ The following variables can be used to customize this role: | unbound_enable_dnssec | Boolean | `true` | Whether dnssec validation should be enabled | | unbound_access_control | List of Strings | `[]` | **Required** List of [unbound access control values](https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#:~:text=access-control:%20%3CIP%20netblock%3E%20%3Caction%3E) | | unbound_disable_systemd_networkd | Boolean | `true` | If true, systemd-networkd is disabled and the local system is pointed towards the configured dns resolver. | +| unbound_thread_count | Integer | Max vCPU Count | The number of threads unbound uses | diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2 index 96aa9cd..d9b612c 100644 --- a/roles/unbound/templates/unbound.conf.j2 +++ b/roles/unbound/templates/unbound.conf.j2 @@ -7,8 +7,8 @@ server: auto-trust-anchor-file: "/etc/unbound/trusted-key.key" {% endif -%} - # use all CPUs - num-threads: {{ ansible_facts['processor_vcpus'] }} + # num of threads + num-threads: {{ unbound_thread_count | default(ansible_facts['processor_vcpus']) }} # more cache memory rrset-cache-size: 60m From 57ae1456a07bbbaefddb9772af7ee36be5388722 Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Tue, 26 May 2026 10:43:56 +0200 Subject: [PATCH 15/35] unbound(role): move resolvd vars to task --- roles/unbound/tasks/main.yml | 5 ++++- roles/unbound/vars/deploy_systemd_resolved_config.yaml | 9 --------- 2 files changed, 4 insertions(+), 10 deletions(-) delete mode 100644 roles/unbound/vars/deploy_systemd_resolved_config.yaml diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index a4a6896..3b038c6 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml 
@@ -37,7 +37,10 @@ when: unbound_disable_systemd_networkd ansible.builtin.include_role: name: deploy_systemd_resolved_config - vars_from: deploy_systemd_resolved_config + vars: + deploy_systemd_resolved_config__enable: false + deploy_systemd_resolved_config__dns: + - 127.0.0.1 - name: install and configure prometheus-exporter for unbound ansible.builtin.import_tasks: prometheus-exporter.yml diff --git a/roles/unbound/vars/deploy_systemd_resolved_config.yaml b/roles/unbound/vars/deploy_systemd_resolved_config.yaml deleted file mode 100644 index 0da57c1..0000000 --- a/roles/unbound/vars/deploy_systemd_resolved_config.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -deploy_systemd_resolved_config__enable: false -deploy_systemd_resolved_config__dns: - - 127.0.0.1 -deploy_systemd_resolved_config__fallback_dns: # Fux DNS Server - - 185.161.128.66 - - 2a07:c481:0:4::2 - - 185.161.128.67 - - 2a07:c481:0:4::3 From a72accca201aff89b2bf95d72ed4e9551a4a2377 Mon Sep 17 00:00:00 2001 From: forestcat-admin Date: Wed, 27 May 2026 20:49:07 +0200 Subject: [PATCH 16/35] Add documentation style outline (#97) Reviewed-on: https://git.hamburg.ccc.de/CCCHH/ansible-infra/pulls/97 Reviewed-by: lilly --- .../documentation-structure.md | 103 +++++++++++++++++- docs/guides/writing-documentation.md | 2 +- mkdocs.yml | 1 + 3 files changed, 99 insertions(+), 7 deletions(-) diff --git a/docs/concepts-and-configurations/documentation-structure.md b/docs/concepts-and-configurations/documentation-structure.md index 0ca89d3..f5f4a21 100644 --- a/docs/concepts-and-configurations/documentation-structure.md +++ b/docs/concepts-and-configurations/documentation-structure.md 
@@ -5,12 +5,103 @@ summary: >- How our documentation is organized and what we do to balance ease of writing and understanding. --- -!!! info "ToDo" +!!! info "Info" - This section needs updating + If you're looking for a hands-on approach on how documentation is to be written you can find a [guide](../guides/writing-documentation.md) explaining the process. If you're unsure how to start you can find [templates](../guides/writing-documentation.md#3-addedit-your-markdown-file) there aswell. -- Docs should be english -- Guides are for step-by-step things - - Guides always have a "Goal" explicitly formulated -- Concepts and Configuration aim to make readers understand something in detail +## General Rules +These rules are general formatting and writing decisions that apply to every document. Their goal is to provide a concise style across the whole documentation to keep the text easy to follow. +- All documents written in this project should be written in **english** to maximize the compatability across readers. +- The documentation structure is intended to be followed, while not being **enforced** to keep a low entry barier for documentation authors. +- Use features like _Admonitions_ given by markdown and the theme whenever they can help by increasing the readability and outlining important parts. For instructions on how to use these theme specific features please refer down to the [MkDocs shadcn](https://asiffer.github.io/mkdocs-shadcn/) documentation. + +## Defining a Document Scope +The scope for a document should be set to define responsibility and set boundaries to where that document applies. Especially lining out which services are affected by it. It **does not** need to be defined explicitly in the text, but should be kept in mind while writing. + +!!! note "Example" + + The scope for this document is aiming to convey the base concepts on how to structure concepts and configurations in this documentation. 
To provide high readability and a project wide concise structure that authors and readers can rely on. + +We generally distinguish between concepts, configurations and guides in this documentation. Their separation should be clarified with folowing list: + +- **Concept:** A concept includes an abstract definition about a specific structure while not going into implementation details. It is a document intending to further abstract the understanding of structure. It can also go into detail about _why_ we do things a certain way. +- **Configuration:** A configuration can be a follow up of a concept, explaining the specific implementation in a given environment. +- **Guide:** A guide is a step-by-step hands-on instruction for the reader to follow along. It can reference concepts and configurations. The important difference to the other two document types is that guides are goal oriented. Understanding how things work is secondary to achieving a specific thing. + + +## Structuring Concepts + +!!! note "Goal" + + The goal for a concept is to provide the reader with a structured detailed explanation about an abstract concept, conveying why this concept was choosen and how it is intended to be used. + +### Describing the Concept +This section is a summary to give the reader a quick overview about the concept answering following questions: + +- What is this concept about? +- Why is this concept needed? +- What does this concept do? + +### Explaining the Concept +This section should be an in depth explanation about the concept, explaining the concept as detailed as needed for the reader to be able to transfer it into an implementation. The usage of graphs and diagrams is advised when they can help the reader understand the concept better. + +### Referencing additional Sources +This section should include sources to other documentations, concepts and hand-on guides which the reader can look up to futher explore the defined concept. + + +## Structuring Configurations + +!!! 
note "Goal" + + A configuration document is intended to provide the reader with examples and best practices for configuring a specific item. It focuses on the technical implementation rather than an abstract concept. + +### Describing the Configuration +This section should give the reader a quick overview which configuration files are being described. + +### Providing the Configuration +Here the author should provide configuration sections or full templates. The configurations don't have to be fully complete, they're rather a more structured view on which options are important and what to watch out for. + +### Discussing Authors Thoughts +A discussion why the author choose which configuration options and what to watch out for. Best practices should be taught here. This section can also link to outside sources. + +### Referencing Documentation +Here the author should provide upstream documentation which includes configuration options and further explanations why and how they are used. + + +## Structuring Guides + +!!! note "Goal" + + A guide intends to provide a hands-on approach to the reader which they can follow step-by-step to archive the guides defined goal. A good example for a guide can be found at [Writing Documentation](../guides/writing-documentation.md). + +### Defining the Goal +A guide should always have a goal defined in the beginning, using the _Admonition_ for a success box is highly advised. An example for a goal box is shown below: + +/// tab | Source + +```markdown +!!! success "Goal" + How to setup, write its baseline documentation in ansible, and deploy a service. +``` + +/// + +/// tab | Rendered + +!!! success "Goal" + How to setup, write its baseline documentation in ansible, and deploy a service. + +/// + +### Instructing the Reader +A guide should always have numbered instruction steps which are easy to follow. Important notices and information should written in _Admonitions_ as direct notices from the author to the reader. 
Dangerous steps or options should use a `danger` Admonition. + +### Closing Up +While this section is optional, a guide should be finished with steps and facts that can be checked by the reader to ensure that the guide worked as intended and all steps are completed correctly. + +## References +Here you can find useful documentation regarding writing documentation: + +- [MkDocs](https://www.mkdocs.org/user-guide/): This is the official mkdocs documentation, although it mostly explains configuring the mkdocs instance rather than explaining the usage. +- [MkDocs shadcn](https://asiffer.github.io/mkdocs-shadcn/): This is our theme for MkDocs which has its own syntax and quircks which can help writing more readable documentation diff --git a/docs/guides/writing-documentation.md b/docs/guides/writing-documentation.md index fd2681f..15fe254 100644 --- a/docs/guides/writing-documentation.md +++ b/docs/guides/writing-documentation.md @@ -38,7 +38,7 @@ Once you have cloned the repository, you can just edit a file in the [`docs/`](h ```shell uv venv uv pip install -r docs_requirements.txt - mkdocs serve + uv run mkdocs serve ``` When adding new content, you can use one of the templates below to get started: diff --git a/mkdocs.yml b/mkdocs.yml index 0ae452d..8158c75 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -9,6 +9,7 @@ markdown_extensions: - attr_list - codehilite - pymdownx.blocks.details + - pymdownx.blocks.tab - pymdownx.superfences: css_class: codehilite From fa598c72fcd60005c007bc24ef6caeb93fa57584 Mon Sep 17 00:00:00 2001 
From: Stefan Bethke Date: Mon, 1 Jun 2026 21:15:31 +0200 Subject: [PATCH 17/35] Add opensourcetorrents --- .../z9/host_vars/opensourcetorrents.sops.yaml | 180 ++++++++++++++++++ .../z9/host_vars/opensourcetorrents.yaml | 1 + inventories/z9/hosts.yaml | 5 +- .../chaosknoten/auth-dns/zones/ccchh.net.zone | 8 + 4 files changed, 192 insertions(+), 2 deletions(-) create mode 100644 inventories/z9/host_vars/opensourcetorrents.sops.yaml create mode 100644 inventories/z9/host_vars/opensourcetorrents.yaml diff --git a/inventories/z9/host_vars/opensourcetorrents.sops.yaml b/inventories/z9/host_vars/opensourcetorrents.sops.yaml new file mode 100644 index 0000000..1be8403 --- /dev/null +++ b/inventories/z9/host_vars/opensourcetorrents.sops.yaml 
@@ -0,0 +1,180 @@ +ansible_pull__age_private_key: ENC[AES256_GCM,data:QB0xpxP8pLfE2ExpCRD4joQzoEcbQZTiVEJbX3t9GyFEseZUtnUCO0ysFUc6hRs2BC9hoPXz6k/dZ0vNkniBmqcN5zTofZ8bg94=,iv:3NVVsae+pgbriTNzgT6rGCEzJjw368WgAKfQCi2qsmQ=,tag:AQSIxJCZOZ8dtlvcu4WMuw==,type:str] +sops: + lastmodified: "2026-06-01T19:05:50Z" + mac: ENC[AES256_GCM,data:ms4yaDEY/2DxC56rxagBRgfkHuy2/AGhZ0om3+gTVfG8/1p7v+qWXuWrNlDjefjhLKVCaf5yl749JZIjs8PP6rTKyTcteqVfoKwx+CFaEA9OmPOaENBV8Kpy2Rrkw8J4UBBKSoTKGFDAGtyysmqbS8eqDuEpb/TbfbbybJUNfe4=,iv:g4IHNmQELptweaqRE7P3LlBTwV+7jt6AfrPowzuziv4=,tag:YkBnOJA5IN1xDhI+umYSow==,type:str] + pgp: + - created_at: "2026-06-01T19:05:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ//RL0kbXLXSfPux7TjkM/BzqbuQa/XMmPhMPLSawLjLMHa + +lAA6aSpHfX/seNQiLrS0mpXZFzvnPKgxacPx+vLAYGe46u+OXpthrKTStm2URNs + njTkuzCH8yQskaSyQKV3wPjOYTFWGOBAv7bFHenep9DIy5uwGDgYqR//fSP0nQwX + oCdegmWcymct/xhXzK+jcIbvgjD4Xfoc0Gt+IYUYF/FEZisZCRHhK5okt7uhxjcl + 39qCVipK1ofWRt3vXkNaL4ySUEB0i03yotB7eX82wuGt7/ZdpZ9NLRLfrL+DwR4j + QrO0uGBrqya9d46Ftx2wz0eF5aZOLZwe6oBVBRSq4jQ2WPF/NLzEIuFl2cRrk941 + 4L7ZWf8RfYtbicDXhRThef5D43ZF/kYZRzX/oTpAzUInD+VYPo5j0b9mjQLf50jg + jGc/jDl8PpfG8Rrx1XZJLiplSZ508ZzuRb0yr5ZEt5oB7sYW+WzI4q8HulY2lLrp + S5TIeKtyhJGbZAJSgQFJXxSI2K7ZJJcqCvMccOgTNpbWvLlChgtRnSaDkgNhV6Ox + 22C2IVg/8/90j4oDkTN6EWJcyBB3cSyfgyeDIIFiJdglX7J5w2IieMquWBUvitmg + ThIboVjDbKaDrJTRR9AxW7pDgtwJ9QtQmUcCUQS7jVRAdKpcYswuGaBuOvsAuYzU + aAEJAhBb1CFfTj/ZXcRYbr8b7viH1k/Rr0gOH1iWz6lGIJsLysEz/eieCdUzwXWF + zBW5zC5DiycUXGpD3uuEG8aF8w4alZR1ojrI8+J+Oq18j0tvjL3yRANSw/ADuDg5 + n2kmm+LeZkP2 + =GTgt + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2026-06-01T19:05:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA1QflAioE8i3AQf/XGTsK3l2dEjTmsBP/+F8Y21l0cIJNEUhsFeoAdbciWcC + LFeCeCnwVdMog6ZcJvhAZKghTYzm2/wfuolMLdSsci4yYM7G+cqZLxtBGrczUgvo + HRd4YbL/PY28SM9S37RhlT6KS8rbE9IzYiZDWHXvIDb4CCrmNrfZDUBthj+nbKI0 + vxy5N1ZtrKKalAx1C4pL3zdxJD+2gV/4bzbl9gIs/tfNxj9zdlHORiWh+VT9YGwS + 
9S4atPuwVtGNjALj3ynGqTNAsjSTW/LNpITQO3NQP7TapdoJYfXyzQlq9e9eKn+F + eTer+RwxbkQVFhAf2ta6LARaIZuxbb2TXAs56Pot79JeAeGhN+rRrgzuSsPLzvsA + ffppf7aUTSyZhTR/w2XC0kJoq9a3RzxhvgxGH9ChoWi0Rww8CYNqOjs6wRNHoZEq + nIcKELugMRe+HOvxauhlKUS7PbkIyzWA8OUxp+KGdQ== + =bbYE + -----END PGP MESSAGE----- + fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7 + - created_at: "2026-06-01T19:05:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJARAAl+rfH2BzDc/DaciHospFYIGG1ZKIIXcLks/owL5gyTpE + xDJB+tC/GIrSPTqFZbpjtz1PmBEvJAwqdb5hTz0oux8X4xEHHwenmF1meBuyffX/ + UrkNtog0hVhyV07XNpY0iVCbhKhskLf70jteZx5PZEobtE4aggp3MKRM5SSLmAsF + WL1bIucY/NBFsmNK8zc3GF7i9EqD2WtSKjGjaxLReJSUZB5+qdTe8vFo6bL+AHuh + yW2F3M6k5BMA8oJd6l2az29kbXAhjZS1eQX9WoVCYB2I8BHLSeM5XNkPShgCBcLK + DnNtUhSgKb6kcqJe63K3GwzNyzOVzzVrLP6TLk7kOoQgTocG+QlCJE5fVtynOCx6 + sqiJfRpHWbNgWyfrlKtXmPgGP9vYTRUm/DhJKhuPNJi1zcEizVSXpApjaBvdFyzC + /e5+RZdv/CM4hN10ZYB559zuhM1eQCCI9jrd8QJYfr4cZpNG8SrRpLSBoXzisULc + 1OKFpsaC/wCAHz6YKORmHDR1DC6ZvOtUL+bZ1cvU9kT5y8MlAyzWhz0jI8dk5CgV + 4r4w3yC0sF4cwIR/fWkHfS2bBecdcAuy0mxS9LxxR8JZgXOyemprHw5qenyCEn3+ + orTBbz0Y9CkIe+zfwmReqjBhKiwKKxcuEVXpUS6pEOoRyJj3VgRPohNX1bnem7DS + XgHliClcpKnUTIqt/XSQgfMyRSZkMEjNFQ8MFKBc+jM5L9/ePqOmNfli7tM8bbxt + y01x1AzFpQoMTrH6XtWHou2l8g9xqKwMnDjfFv3wXxaoabaZO0ZCP+KJjIzFWNA= + =0dtX + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2026-06-01T19:05:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DsZXvxFXTXoQSAQdAePJugVBFUtTJdt/Wm9/fEKLNhviCY8Hs2vrMfGk0UlYw + l6MV4EgwcL2G3kiUAkpFgyRQKFRTIdTMxqNy/zwjPQy1OZ+GvNGTCYO3Ig9bQcdq + 0l4BjFXvf7siDLCF4B6+eaPRh6vCe1CL5Iz1+W9aaQtE+g8lsBMpSrHPrFPJIxgm + HM3Vla/58ncOAwKo15jCPW9fzR++wd4rs66dcQK6dclyfFfufSjmt2h5BPAUgHJZ + =hMBT + -----END PGP MESSAGE----- + fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE + - created_at: "2026-06-01T19:05:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DerEtaFuTeewSAQdAfG8vQNNlmvwPwvfgF1RQeLVakfatgGmCqo5sYgajky8w + 
VZoBn11zJgV8eeQHDdyKd61CPgNiWKbRSklpV3M8DUUSARFkjqAQSAnHv1gFxw+C + 0l4BPThpjiQfWRH4CONZ3gg+d2iBpnpsw5pRZecK7usf3NvIEnn6fjkYTxQ6NpwV + Gijvov5TpDIg+6WexebxAV1BOXC37mBUjLWh65ii3f8Y75poOgnFstf9Q/czh2Qm + =dQPL + -----END PGP MESSAGE----- + fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 + - created_at: "2026-06-01T19:05:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ//bBlTr4MlEDG/ebgtlD/ZMwLLLqshKwPj1Xrxww/oiDdd + TtyhJwxpXIarDjqFCAk7XRww+tdzOJsqDoL6QWeAT/hZSj9UpSmIKCYT2lZfuOfc + r1V1hyGJ+mj+8k3kDwrOIH2g2VhUQBQHzf7yDWdQYGO2+6lvjznWdYhqCir7mCCv + RAQYyM/TvQ8uQCEnzfge0+7iqXDlGLVG+gUg5gRkhl3sXYGgEZk48fQz+yIjoUXh + e+awrgatGxCGEuLUKqV/d+Yo7HDF8fmR0R3SfHzOU7X5MNa/5XLK8ebKe7c+zoJH + 0GBFecnH7AJS69ZpO7+Lw7IpwLTnK0wEeytFTLwV4EGxIM4LC9wDPlSAsPD4eUzH + TyFnPV148n5EsK7DktJzKYal/AUVrHMNKmUk9S/dD5pjm3/FAyHUKwi8BJnOyLyn + q98RJwY5mBlaQk8MVrbm/S+bSk0isK2gOj8nlU7PN2H5b9c5PP6gEMcRSTeKoWhr + uGtSJR/9tQ6BXMIZ6LXgy7Kc1rqwaINe0fMjozjAtAHGF/ir8D9YHpvjktG3K6tP + 11SX4TUQmEudWFG6faGPZB6YN8vuCPIFvYJ5atm3eimq6AL84YPxJcUmN3om+rS+ + oOQy+578A8wFqo6gsxMKnnAYgm876AM95dTZ61uaT3zRce4DxWjd/ZwsVhjpUWTS + XgFPsrLiDnvTQh/Pl4/92vVAZSgnZX/iK92BtBYOgxJRKudO1v5BEjYLZ79pptsB + WxWDwCXxVsVuSn+WRaKZG1YGIMWXgxuh8xeXY+Jonr04XJjI5xvSwc7QleqJyWs= + =0Zep + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2026-06-01T19:05:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqAQ/+M1k47rFaIxpZSyQTNTZFtYiAhFrd7wNd9scG9jv7VGZr + s2/ZTkKeYfUloSt9ADOvWL13odQA0UCtDHfbPlmbwNZi4sSuzFO7GAhXn8zeAnzl + QY3FbgOlARJBZgpJc3kWdWfsFBfrtUcrGeUOo7H4rp6LsALi6ZFSvfrtTgbqxsG8 + j6K8VtPODXFrHoZ6d8rPWYbccw8DU/yu8k5l+TX8p1LB0ZX3/Vuic6eq3BvaJwQ9 + WWIC52lq6WF5vTSsRlKsF8Wx0MT6cwE40QejlXvshBk2q4WxRE6EAWb/QRKG2zO6 + 0qYYKyBMf3wvG+xRibOxj9wjcKFZM9TK9GMd0nBENCdEbmd61EmSkKZ20GoyAHzb + YvDYmZaApO2KmR69XPBRMdfUYuVcIx6IRr1NbHOxRK8tDp+cmaTjFMpjJ5dQooAG + bICV9sBF0FsNPFtAUpQJt/DBEsYh+TzMDiXcYhJqXCXZfT5PKQJuKXUoFmuPXjlf + 
Xamndl7hzTBWV78MntslcxvoFLmaVcnqxJ4sMHFWw4uUxLfiJr9tsBuG5mDDobbV + Ut9elfKRN8kZDhPERjbsLOBLy96q6lZHw5p/LLWzhzGpusSUpbjym1TZHRuGgw2A + hvRYvxMddjVFnUYzZQ1nfiiPpfAboCi+izcDX/Z9lHizPwo1pgiJN3BozXqw3sHS + XgHIo9t0UErZXJBY4XgIYj1ZSxEcW68fWqvvWkzfapMXaD1bGqGYB5E0aYfnSEON + 1knp9pUxz4J+Ji4iSj/xIdEu/P2PA4zC01mR+NzIP/BOvKXh+Jv+aIjQPKEa3DE= + =kAEV + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2026-06-01T19:05:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdAEwmCynNMa+f2381le1p/R0Y+xFNicd+FuZIKQFuBHXAw + g8sG+4zBlfpTvC1nGrmISCh9pLU0GBGdkBj7H4tzTaOCFzUlGJ0/8YE+z59vMqGb + 0l4B33k2zuTEv4o72mU3oUDbSR+GIIRrwkZP56OLYWD6cyxams0bYtPJPXIPLRgr + GqsaD7maL48YU0buIXgAqM/qLcGe4nASGbKDw/kfYYItpLY1qDtfa/HVa5UKN2gn + =r4IJ + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2026-06-01T19:05:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdAN+NvSDt9JdoluBcood/rBQqjrFc2+SYdAfaUW2qo0GAw + +fWK4SOysY4vCvbv3o0IgLaSOoFFL4+une9pN9LT8LAu8TWB1BcrAgEXY4k0CWsN + 0lgBKY5bpmJG/UYXX3fAnxVsJly22j8Twv9DqmWKNZZjC7A0Nr2hUZe/ju0wZMIH + /DrztZaEiL8wopwFuwYH8BDWqxy1fBNROYwfWpN+JATUQ15xMFxywFG6 + =e2Sg + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2026-06-01T19:05:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+AQ/+KopAvH5xiQB82eguBeCcenEkKMay/nOFaJjBQEkDJsaT + 1Bsw0Oj2raq1Z89MoOpzyxT1DiP8EaaBQAVn/A43oz8Fh5qQZ4dQSR4JhbiCdyEb + QNxE7WwcpCfcfE41SptrUscf1eMBSyu0nti4CwtZCcd06Sp9w31xwGhX4IqyMqgd + cTlxk7PDDnn5m3tuFTVJ6xfwY0JcdDQk0qIY+91hrJobfMPAtI3IooZFRV2rNAAr + BU5xECQ6xWniOzoU94tP2CiyCum6pdAvJNdyHJJfuBi/0wlJqJvG45uzp2FAxtuI + 6DhQDk4YQcB7cVetiA4DgO7cychJHlmt/AqNLRCuPwmQUb8cRcFyfKkzUs4ECPwj + PalACOTDJYy2j8/cYnj0g15ec7JJRBEeMT5MNoh+TzQPyTibMlKqWwvjxQpBXwbH + qhoHrwAQZazZgobHtxAgaV5mbeOXZ5Ex099fsIGKNE4lBgWSSIy+nhBCCKE2Rk5U + soNZger/FKyp1wm8yjSBR1kRUZJ1vZlH+CwRZabiRznkUOZqp7oSDu9rJDz7qj4K + 
z9TTxdGvWktY6D5NjbqhwydKxOi5V4anaDGpUU7UN4zZFoMDq2SPOQ1lMnGsivnL + bsOv6Aw9N4T/BbkNklov4Re78in5gLW2F8tZuWDivzFrRYbBUhoc4FePu9I9omjU + aAEJAhCzKn6cD31zTqUO9EF4CYQ6c1JI9Rpc6BMbOUw7/yk1Za8LXwsMAVZ5W5S6 + XAb2m30YyZTz5qTKDdPfp0g085PUIDd5i3FNOF+7KAOsHo6VYGwEEElDk+hqCxRW + X08L3B92wiCV + =09xQ + -----END PGP MESSAGE----- + fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + - created_at: "2026-06-01T19:05:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DKKbvh61jX5USAQdAhQVLiF0+IM+jl18Og/DVWRLd2FuGmFZE1XrT5hNFRVEw + 59z7hX9diyHbK6KGx2ef6By09bICq7EenpqSf9WOUBwnMWWNyDjFRxI7SCmYpGAO + 1GgBCQIQDb/vnYH+8CLl2NsFUndXX6QnUaXpyb8RqC7fBFd1bj79VmYGAz2F/A+i + KV5FPdekeH/HIe9Mhwdu2vUUmKXgDJ+cuEyrmlMd5xCZp0jIE7ImBSgxVMmd4stc + eDcrp4EFzYXnBA== + =/qaN + -----END PGP MESSAGE----- + fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49 + unencrypted_suffix: _unencrypted + version: 3.12.2 diff --git a/inventories/z9/host_vars/opensourcetorrents.yaml b/inventories/z9/host_vars/opensourcetorrents.yaml new file mode 100644 index 0000000..6bcc86d --- /dev/null +++ b/inventories/z9/host_vars/opensourcetorrents.yaml @@ -0,0 +1 @@ +# add /etc/transmission-remote/settings.json here diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index eab3880..0c6e16d 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -6,8 +6,9 @@ all: light: ansible_host: light.z9.ccchh.net ansible_user: chaos - thinkcccore0: - ansible_host: thinkcccore0.z9.ccchh.net + opensourcetorrents: + ansible_host: opensourcetorrents.ccchh.net + ansible_user: chaos waybackproxy: ansible_host: waybackproxy.ccchh.net ansible_user: chaos diff --git a/resources/chaosknoten/auth-dns/zones/ccchh.net.zone b/resources/chaosknoten/auth-dns/zones/ccchh.net.zone index 0360f81..7a2aafd 100644 --- a/resources/chaosknoten/auth-dns/zones/ccchh.net.zone +++ b/resources/chaosknoten/auth-dns/zones/ccchh.net.zone 
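Review bot: The hosts.yaml hunk removes the `thinkcccore0` entry in the same change that adds `opensourcetorrents`, but the commit message mentions only the addition; if that host is really gone, say so in the message and check that no group in the inventory or leftover `host_vars` file still refers to it, otherwise keep the entry. The new `host_vars/opensourcetorrents.yaml` holds only the placeholder `# add /etc/transmission-remote/settings.json here`, so the host is in the inventory without any role configuration; naming the role variable the file is meant to hold (and the group the host should join) would keep the placeholder from rotting.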
@@ -62,3 +62,11 @@ xr18 A 172.31.200.21 ;_acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de. ;yate A 10.31.208.12 ;staubiv2 A 10.31.210.233 + + +; +; Public Club Services +; + +opensourcetorrents A 185.161.130.67 + AAAA 2a07:c481:1:35::42 From 7b48f1ebe762772a1eee1c8190e9e9461caf8d1f Mon Sep 17 00:00:00 2001 From: June Date: Thu, 4 Jun 2026 00:39:07 +0200 Subject: [PATCH 18/35] status(host): fix auth-dns ccchh.net check by moving to new entry Check entry for pve01 instead of no longer present entry for club-assistant for the auth-dns ccchh.net check. --- .../status/docker_compose/config/services-chaosknoten.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/resources/external/status/docker_compose/config/services-chaosknoten.yaml b/resources/external/status/docker_compose/config/services-chaosknoten.yaml index ab426bc..aea633a 100644 --- a/resources/external/status/docker_compose/config/services-chaosknoten.yaml +++ b/resources/external/status/docker_compose/config/services-chaosknoten.yaml @@ -75,11 +75,11 @@ endpoints: conditions: - "[DNS_RCODE] == NOERROR" - - name: auth-dns (club-assistant.ccchh.net) + - name: auth-dns (pve01.ccchh.net) url: "auth-dns.hamburg.ccc.de" <<: *services_chaosknoten_defaults dns: - query-name: "club-assistant.ccchh.net" + query-name: "pve01.ccchh.net" query-type: "AAAA" conditions: - "[DNS_RCODE] == NOERROR" From fa6e28059497d2595d184f51e423606d687a56b1 Mon Sep 17 00:00:00 2001 From: June Date: Thu, 4 Jun 2026 00:54:55 +0200 Subject: [PATCH 19/35] www2/www3(host): remove hosts as they got removed --- inventories/chaosknoten/host_vars/www2.yaml | 4 - inventories/chaosknoten/hosts.yaml | 18 ----- .../chaosknoten/www2/nginx/diday.org.conf | 80 ------------------- 3 files changed, 102 deletions(-) delete mode 100644 inventories/chaosknoten/host_vars/www2.yaml delete mode 100644 resources/chaosknoten/www2/nginx/diday.org.conf 
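Review bot: The line `AAAA 2a07:c481:1:35::42` has an empty owner and inherits `opensourcetorrents` from the preceding A record, so any line inserted between the two later silently re-homes it; repeating the owner, `opensourcetorrents AAAA 2a07:c481:1:35::42`, matches the explicit-owner style of the other entries. The hunk also adds records without a serial bump; that is fine only if knot manages the serial for this zone (as the comment in the later diday.org.zone in this series states for that zone), otherwise secondaries will not pick the new records up.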
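Review bot: `query-name: "pve01.ccchh.net"` ties the auth-dns health check to the lifetime of one host record, which is exactly how the previous `club-assistant` check went stale; a record that exists as long as the zone does, such as the apex with `query-name: "ccchh.net"` and `query-type: "NS"`, keeps the check independent of host churn. If the checker cannot query that type, at least add a comment on the endpoint naming the dependency so whoever decommissions pve01 updates the check in the same change.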
diff --git a/inventories/chaosknoten/host_vars/www2.yaml b/inventories/chaosknoten/host_vars/www2.yaml deleted file mode 100644 index 0a8071a..0000000 --- a/inventories/chaosknoten/host_vars/www2.yaml +++ /dev/null @@ -1,4 +0,0 @@ -nginx__version_spec: "" -nginx__configurations: - - name: diday.org - content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/www2/nginx/diday.org.conf') }}" diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 1c3f84e..4e968c2 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -90,14 +90,6 @@ all: ansible_host: acmedns.hosts.hamburg.ccc.de ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de - www2: - ansible_host: www2.hosts.hamburg.ccc.de - ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de - www3: - ansible_host: www3.hosts.hamburg.ccc.de - ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de auth-dns: ansible_host: auth-dns.hamburg.ccc.de ansible_user: chaos @@ -129,8 +121,6 @@ base_config_hosts: renovate: spaceapiccc: mjolnir: - www2: - www3: auth-dns: systemd_networkd_hosts: hosts: @@ -178,8 +168,6 @@ nginx_hosts: ntfy: sunders: spaceapiccc: - www2: - www3: public_reverse_proxy_hosts: hosts: public-reverse-proxy: @@ -222,8 +210,6 @@ alloy_hosts: router: sunders: spaceapiccc: - www2: - www3: auth-dns: infrastructure_authorized_keys_hosts: hosts: @@ -246,8 +232,6 @@ infrastructure_authorized_keys_hosts: renovate: spaceapiccc: mjolnir: - www2: - www3: auth-dns: lists: wiki_hosts: @@ -283,8 +267,6 @@ ansible_pull_hosts: ntfy: spaceapiccc: mjolnir: - # www2: - # www3: auth-dns: msmtp_hosts: hosts: diff --git a/resources/chaosknoten/www2/nginx/diday.org.conf b/resources/chaosknoten/www2/nginx/diday.org.conf deleted file mode 100644 index 8cc655c..0000000 --- a/resources/chaosknoten/www2/nginx/diday.org.conf +++ /dev/null 
@@ -1,80 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - http2 on; - - server_name diday.org; - - # use our router as resolver - resolver 10.31.208.1; - - # configure the ngx_http_realip_module to set $remote_addr and $remote_port to the - # information passed through from public-reverse-proxy.hamburg.ccc.de via proxy-protocol - set_real_ip_from 2a00:14b0:4200:3000:125::1; - real_ip_header proxy_protocol; - - # configure tls trustchain - ssl_certificate /dev/null; - ssl_certificate_key /dev/null; - ssl_trusted_certificate /dev/null; - - # - # configure site - # - root /var/www/diday.org; - error_page 404 /404.html; - index index.html; - add_header Referrer-Policy "strict-origin-when-cross-origin" always; - - # return a redirect based on the map loaded from the webroot - if ($did_redirect_target ~ ^301:(.*)$) { - return 301 $1; - } - if ($did_redirect_target ~ ^302:(.*)$) { - return 302 $1; - } - - # deny access to the redirects config file - location = /nginx-redirects.conf { - deny all; - return 404; - } - - # dynamically redirect the user to the language they prefer - location = / { - set $lang "de"; - if ($http_accept_language ~* "^en") { - set $lang "en"; - } - return 302 /$lang/; - } - - # configure decap-cms content-type and caching rules - location = /admin/cms.js { - expires -1; - add_header Cache-Control "no-store"; - } - location = /admin/config.yml { - expires -1; - add_header Cache-Control "no-store"; - types { } - default_type text/yaml; - } - - # configure asset caching - location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ { - expires 1y; - add_header Cache-Control "public, immutable"; - } - - # we are using the Astro Image Pipeline, therefore DecapCMS can't access image previews - location /admin/src/ { - log_not_found off; - return 404; - } - - location / { - try_files $uri $uri/ =404; - } -} - From 3a09c107b93d9816f103353105c0fe4900beea58 Mon Sep 17 00:00:00 2001 
From: lilly Date: Sat, 6 Jun 2026 14:58:56 +0200 Subject: [PATCH 20/35] knot: use explicit ansible_facts reference --- roles/knot/templates/netplan-disable-ra.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/knot/templates/netplan-disable-ra.yaml b/roles/knot/templates/netplan-disable-ra.yaml index 505fba2..af7fd8d 100644 --- a/roles/knot/templates/netplan-disable-ra.yaml +++ b/roles/knot/templates/netplan-disable-ra.yaml @@ -1,7 +1,7 @@ # {{ ansible_managed }} network: ethernets: - {%- for i_iface_name in ansible_interfaces -%} + {%- for i_iface_name in ansible_facts["interfaces"] -%} {%- if i_iface_name != "lo" -%} {%- set i_iface = ansible_facts[i_iface_name] %} From 8ca5d82d390cb7b7dd04370bc9ae59b76ffb877d Mon Sep 17 00:00:00 2001 From: lilly Date: Sat, 6 Jun 2026 14:58:56 +0200 Subject: [PATCH 21/35] knot: fix templating inconsistency in netplan config --- roles/knot/templates/netplan-disable-ra.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/knot/templates/netplan-disable-ra.yaml b/roles/knot/templates/netplan-disable-ra.yaml index af7fd8d..bad31a5 100644 --- a/roles/knot/templates/netplan-disable-ra.yaml +++ b/roles/knot/templates/netplan-disable-ra.yaml @@ -11,4 +11,3 @@ network: accept-ra: false {% endif %} {% endfor %} - From 66e009507020a14de75882cff089a5ef3b77d99c Mon Sep 17 00:00:00 2001 From: lilly Date: Sat, 6 Jun 2026 14:58:56 +0200 Subject: [PATCH 22/35] add zone diday.org. to authoritative DNS --- .../chaosknoten/host_vars/auth-dns.yaml | 5 +++ .../chaosknoten/auth-dns/zones/diday.org.zone | 45 +++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 resources/chaosknoten/auth-dns/zones/diday.org.zone diff --git a/inventories/chaosknoten/host_vars/auth-dns.yaml b/inventories/chaosknoten/host_vars/auth-dns.yaml index c94a9e7..8c0404e 100644 --- a/inventories/chaosknoten/host_vars/auth-dns.yaml +++ b/inventories/chaosknoten/host_vars/auth-dns.yaml 
@@ -42,6 +42,11 @@ knot__zones: notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de", "ns2.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone') }}" + - domain: "diday.org." + catalog_member: "hamburg.ccc.de.catalog." + notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de", "ns2.vie.ccc.de" ] + content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/diday.org.zone') }}" + - domain: "3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa." notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de", "ns2.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}" diff --git a/resources/chaosknoten/auth-dns/zones/diday.org.zone b/resources/chaosknoten/auth-dns/zones/diday.org.zone new file mode 100644 index 0000000..18e3efb --- /dev/null +++ b/resources/chaosknoten/auth-dns/zones/diday.org.zone 
@@ -0,0 +1,45 @@ +$TTL 3600 ; 1 minutes +@ SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. ( + 1 ; serial (overwritten by knot automatically) + 10800 ; refresh + 3600 ; retry + 3600000 ; expire + 86400 ; minimum/negative ttl + ) + +@ NS auth-dns.hamburg.ccc.de. +@ NS ns.vie.ccc.de. + + + +; +; Main Site +; +*.diday.org. A 212.12.48.125 +*.diday.org. AAAA 2a00:14b0:4200:3000:125::1 +diday.org. A 212.12.48.125 +diday.org. AAAA 2a00:14b0:4200:3000:125::1 +diday.org. TXT "google-site-verification=pJq0LANnNJlkIflKgwbBOOt8GLuU5ywlW6RXhtPwdmE" + +; +; Mail Setup +; +diday.org. MX 10 cow.hamburg.ccc.de. +diday.org. TXT "v=spf1 mx ip4:212.12.51.133 ip6:2a00:14b0:f000:23:51:133:0:1 ip4:212.12.48.122 ip6:2a00:14b0:4200:3000:122::1 -all" +_dmarc.diday.org. TXT "v=DMARC1; p=none" +dkim._domainkey.diday.org. TXT "v=DKIM1;k=rsa;t=s;s=email;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2YlBjR5oNm7eDeMXmQF6Izx1A17+vBHNapHlV2Rlj3N4Cjo9kSn0y8rlrqkASUKszDgToGrh1vkHhtYN6EE5QS5iVVSnXcWPiHnBzrxK4OmhVZZtrgGsM17pq9udAEEapc371dQQsL3WhXOvilGGSIQ9u5VDlc+y/ApXi79J6DHSf66t0JUU1e8vLn8ZI8hcXe3nsHXqbW4ot24rk8EvaugsK40jbhqxZ+BrJTBq/iP8w5RsF6KdYjTaqPfr/D4dbvUU6fc8jLyy3OWZgSkkOmv7m0UdbOm2Kk6c+1hNjQJZVEhQrpGrpAcjE37/v8ZNbQMgaasiugH6ElnKb13ZQIDAQAB +" + +events.diday.org. A 91.98.167.209 +events.diday.org. AAAA 2a01:4f8:c2c:44b::1 +termine.diday.org. CNAME events.diday.org. + + +; +; Local Delegation or sub-sites +; +darmstadt.diday.org. DS 60883 14 2 351d5314bd499060db6de802dc06104cc9ef54ce91c783def8d20e2e9cd99b99 +darmstadt.diday.org. DS 60883 14 4 4dc93f94c226ecdbb0adbae32064c5ff9a52e9be80973a2ff99218e7bc5af19ab50d9f13f552f1a7900f781fbd7e8205 +darmstadt.diday.org. NS jerry.hax404.de. +darmstadt.diday.org. NS summer.hax404.de. + From 5f94d7f284ce81657e0ef87346ff842effb63d67 Mon Sep 17 00:00:00 2001 
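Review bot: The TTL comment `$TTL 3600 ; 1 minutes` is wrong (3600 s is one hour; the text looks copied from a zone with `$TTL 60`), so change it to `$TTL 3600 ; 1 hour`. The DKIM TXT record's closing quote sits on the line after `...ZQIDAQAB`, so the quoted string contains a line break, and zone parsers commonly reject a single quoted string longer than 255 octets; split it into several `"..."` strings on one line and run the file through kzonecheck before it is deployed. The DMARC record `v=DMARC1; p=none` requests no enforcement and names no `rua=` reporting address, so it produces neither protection nor reports; add `rua=mailto:<dmarc-reports-mailbox>` at minimum so the `p=none` phase actually yields data.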
From: lilly Date: Sat, 6 Jun 2026 16:26:47 +0200 Subject: [PATCH 23/35] remove ns-intern.hamburg.ccc.de from notify targets of our domains --- inventories/chaosknoten/host_vars/auth-dns.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/inventories/chaosknoten/host_vars/auth-dns.yaml b/inventories/chaosknoten/host_vars/auth-dns.yaml index 8c0404e..41b11ae 100644 --- a/inventories/chaosknoten/host_vars/auth-dns.yaml +++ b/inventories/chaosknoten/host_vars/auth-dns.yaml 
@@ -19,34 +19,34 @@ knot__catalog_zones: knot__zones: - domain: "hh.ccc.de." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de", "ns2.vie.ccc.de" ] + notify_targets: [ "ns.vie.ccc.de", "ns2.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone') }}" - domain: "ccchh.net." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de", "ns2.vie.ccc.de" ] + notify_targets: [ "ns.vie.ccc.de", "ns2.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/ccchh.net.zone') }}" - domain: "hamburg.ccc.de." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de", "ns2.vie.ccc.de" ] + notify_targets: [ "ns.vie.ccc.de", "ns2.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone') }}" - domain: "eh20.easterhegg.eu." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de", "ns2.vie.ccc.de" ] + notify_targets: [ "ns.vie.ccc.de", "ns2.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/eh20.easterhegg.eu.zone') }}" - domain: "eh22.easterhegg.eu." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de", "ns2.vie.ccc.de" ] + notify_targets: [ "ns.vie.ccc.de", "ns2.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone') }}" - domain: "diday.org." catalog_member: "hamburg.ccc.de.catalog." 
- notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de", "ns2.vie.ccc.de" ] + notify_targets: [ "ns.vie.ccc.de", "ns2.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/diday.org.zone') }}" - domain: "3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa." - notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de", "ns2.vie.ccc.de" ] + notify_targets: [ "ns.vie.ccc.de", "ns2.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}" From 04305a11241f0d2f2fdb42b6f1b2812c34a218a9 Mon Sep 17 00:00:00 2001 From: chris Date: Mon, 8 Jun 2026 21:34:13 +0200 Subject: [PATCH 24/35] keycloak: update to 26.6.0 --- resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 index d239bb4..8db3526 100644 --- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 @@ -22,7 +22,7 @@ services: keycloak: - image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.5.7 + image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.6.0 pull_policy: always restart: unless-stopped command: start --optimized From 471012928ad69320aa890bd9232e322ae1b396bb Mon Sep 17 00:00:00 2001 From: lilly Date: Sun, 7 Jun 2026 18:31:05 +0200 Subject: [PATCH 25/35] auth-dns: configure nameserver secondary solely to erfadns.ber.ccc.de --- .../chaosknoten/host_vars/auth-dns.yaml | 22 ++++++++----------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/inventories/chaosknoten/host_vars/auth-dns.yaml b/inventories/chaosknoten/host_vars/auth-dns.yaml index 41b11ae..8d0538e 100644 --- a/inventories/chaosknoten/host_vars/auth-dns.yaml +++ b/inventories/chaosknoten/host_vars/auth-dns.yaml 
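Review bot: With ns-intern.hamburg.ccc.de dropped from every `notify_targets` list, the `knot__remotes` entry for it at the top of this file becomes an orphan; if the knot role also derives transfer ACLs from remotes, that host keeps AXFR permission for zones it no longer receives notifies for, so either remove the remote in the same commit or leave a comment stating why it must stay. The hunk touches all seven zone entries, so the coupling between the two lists is easy to miss in review.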
@@ -5,12 +5,8 @@ alloy_config_additional: "{{ lookup('ansible.builtin.template', 'resources/chaos
 knot__dnssec_key_id: "auth-dns.hamburg.ccc.de-1"
 knot__remotes:
- - id: ns-intern.hamburg.ccc.de
- address: [ "2a00:14b0:f000:23::53", "172.31.17.53" ]
- - id: ns.vie.ccc.de
- address: [ "2a02:1b8:10:31::228", "146.255.57.228" ]
- - id: ns2.vie.ccc.de
- address: [ "2a02:8000:1000:102::188", "185.106.84.188" ]
+ - id: erfadns.ber.ccc.de
+ address: [ "2a02:8000:1000:101::196", "185.106.84.196" ]
 knot__catalog_zones:
 - domain: "hamburg.ccc.de.catalog."
@@ -19,34 +15,34 @@ knot__catalog_zones: knot__zones: - domain: "hh.ccc.de." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "ns.vie.ccc.de", "ns2.vie.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone') }}" - domain: "ccchh.net." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "ns.vie.ccc.de", "ns2.vie.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/ccchh.net.zone') }}" - domain: "hamburg.ccc.de." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "ns.vie.ccc.de", "ns2.vie.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone') }}" - domain: "eh20.easterhegg.eu." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "ns.vie.ccc.de", "ns2.vie.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/eh20.easterhegg.eu.zone') }}" - domain: "eh22.easterhegg.eu." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "ns.vie.ccc.de", "ns2.vie.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone') }}" - domain: "diday.org." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "ns.vie.ccc.de", "ns2.vie.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/diday.org.zone') }}" - domain: "3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa." - notify_targets: [ "ns.vie.ccc.de", "ns2.vie.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}" 
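Review bot: Every `notify_targets` list now names only erfadns.ber.ccc.de, yet at this point the zone files' apex NS sets still list ns.vie.ccc.de (their old lines are only changed in the following commit), so a server still advertised as authoritative stops receiving notifies and, if the role derives transfer ACLs from `knot__remotes`, can no longer transfer either; it then serves increasingly stale data until its SOA expire fires. Order the cut-over the other way round: update the NS sets and the parent delegation first, keep ns.vie in `knot__remotes` and `notify_targets` until nothing delegates to it any more, then drop it.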
From 389b87113b5170e8149442c9e4f20d5962af1419 Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 9 Jun 2026 10:59:44 +0200 Subject: [PATCH 26/35] auth-dns: update NS records of all zone files The current set is auth-dns.hamburg.ccc.de in addition to the newly created erfadns.ber.ccc.de See https://zammad.hamburg.ccc.de/#ticket/zoom/1738 for details. --- .../zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone | 4 ++-- resources/chaosknoten/auth-dns/zones/ccchh.net.zone | 2 +- resources/chaosknoten/auth-dns/zones/diday.org.zone | 2 +- resources/chaosknoten/auth-dns/zones/eh20.easterhegg.eu.zone | 4 ++-- resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone | 4 ++-- resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone | 4 ++-- resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone | 4 ++-- 7 files changed, 12 insertions(+), 12 deletions(-) diff --git a/resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone index e06c4a2..9db7051 100644 --- a/resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone +++ b/resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone @@ -7,8 +7,8 @@ $TTL 7200 3600000 86400 ) - IN NS auth-dns.hamburg.ccc.de. - IN NS ns.vie.ccc.de. +@ NS auth-dns.hamburg.ccc.de. +@ NS erfadns.ber.ccc.de. ; ccchh firewall / tunnelendpunkte: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR fwhh.hamburg.ccc.de. diff --git a/resources/chaosknoten/auth-dns/zones/ccchh.net.zone b/resources/chaosknoten/auth-dns/zones/ccchh.net.zone index 7a2aafd..2a69ea8 100644 --- a/resources/chaosknoten/auth-dns/zones/ccchh.net.zone +++ b/resources/chaosknoten/auth-dns/zones/ccchh.net.zone @@ -8,7 +8,7 @@ $TTL 60 ; 1 minutes ) @ NS auth-dns.hamburg.ccc.de. -@ NS ns.vie.ccc.de. +@ NS erfadns.ber.ccc.de. ; 
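Review bot: The new apex lines `@ NS erfadns.ber.ccc.de.` replace ns.vie.ccc.de in every zone while, per the later commit in this series, the parent delegations still point at ns.vie, so child and parent NS sets now disagree and ns.vie keeps being asked for zones it is no longer told about. The hamburg.ccc.de and hh.ccc.de hunks additionally rename the first NS from `ns.hamburg.ccc.de.` to `auth-dns.hamburg.ccc.de.`, which the commit message does not mention; confirm the parent glue and any DS records stay consistent with the new names before this goes live. The same point applies to the diday.org, eh20, eh22, hamburg.ccc.de and hh.ccc.de hunks that follow.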
diff --git a/resources/chaosknoten/auth-dns/zones/diday.org.zone b/resources/chaosknoten/auth-dns/zones/diday.org.zone index 18e3efb..2aeefcf 100644 --- a/resources/chaosknoten/auth-dns/zones/diday.org.zone +++ b/resources/chaosknoten/auth-dns/zones/diday.org.zone @@ -8,7 +8,7 @@ $TTL 3600 ; 1 minutes ) @ NS auth-dns.hamburg.ccc.de. -@ NS ns.vie.ccc.de. +@ NS erfadns.ber.ccc.de. diff --git a/resources/chaosknoten/auth-dns/zones/eh20.easterhegg.eu.zone b/resources/chaosknoten/auth-dns/zones/eh20.easterhegg.eu.zone index 2820b68..5879c18 100644 --- a/resources/chaosknoten/auth-dns/zones/eh20.easterhegg.eu.zone +++ b/resources/chaosknoten/auth-dns/zones/eh20.easterhegg.eu.zone @@ -7,8 +7,8 @@ $TTL 7200 3600000 86400 ) - IN NS auth-dns.hamburg.ccc.de. - IN NS ns.vie.ccc.de. +@ NS auth-dns.hamburg.ccc.de. +@ NS erfadns.ber.ccc.de. IN MX 5 nomail.ccc.de. ;IN MX 10 local-mail.hamburg.ccc.de. diff --git a/resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone b/resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone index 32d9d04..a34c183 100644 --- a/resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone +++ b/resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone @@ -7,8 +7,8 @@ $TTL 600 3600000 86400 ) - IN NS auth-dns.hamburg.ccc.de. - IN NS ns.vie.ccc.de. +@ NS auth-dns.hamburg.ccc.de. +@ NS erfadns.ber.ccc.de. IN A 212.12.48.125 IN AAAA 2a00:14b0:4200:3000:125::1 diff --git a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone index 8c30fb4..33f8a31 100644 --- a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone +++ b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone @@ -14,8 +14,8 @@ $TTL 7200 3600000 86400 ) - IN NS ns.hamburg.ccc.de. - IN NS ns.vie.ccc.de. +@ NS auth-dns.hamburg.ccc.de. +@ NS erfadns.ber.ccc.de. $TTL 60 IN MX 10 cow.hamburg.ccc.de. 
diff --git a/resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone b/resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone index 35794ba..41b7f26 100644 --- a/resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone +++ b/resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone @@ -15,8 +15,8 @@ $TTL 7200 3600000 86400 ) - IN NS ns.hamburg.ccc.de. - IN NS ns.vie.ccc.de. +@ NS auth-dns.hamburg.ccc.de. +@ NS erfadns.ber.ccc.de. IN MX 5 nomail.ccc.de. ; IN MX 10 local-mail.hamburg.ccc.de. From ec9275cf462d7a1da667f3ec3c8d2bc32188b244 Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 9 Jun 2026 21:00:50 +0200 Subject: [PATCH 27/35] add ueberwachungsfrei-kundgebung.hamburg.ccc.de domain --- resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone | 1 + 1 file changed, 1 insertion(+) diff --git a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone index 33f8a31..b911d6c 100644 --- a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone +++ b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone @@ -289,6 +289,7 @@ cpuccc IN CNAME public-reverse-proxy did IN CNAME public-reverse-proxy infra-docs IN CNAME public-reverse-proxy staging.infra-docs IN CNAME public-reverse-proxy +ueberwachungsfrei-kundgebung IN CNAME public-reverse-proxy auth.acmedns IN NS acmedns.hosts.hamburg.ccc.de. From b283089b0642a3654870e098f44058d9b82d1a90 Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 9 Jun 2026 21:27:13 +0200 Subject: [PATCH 28/35] readd ns.vie.ccc.de to our zones because zones are not delegated yet --- inventories/chaosknoten/host_vars/auth-dns.yaml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/inventories/chaosknoten/host_vars/auth-dns.yaml b/inventories/chaosknoten/host_vars/auth-dns.yaml index 8d0538e..01fadbc 100644 --- a/inventories/chaosknoten/host_vars/auth-dns.yaml +++ b/inventories/chaosknoten/host_vars/auth-dns.yaml 
@@ -7,6 +7,8 @@ knot__dnssec_key_id: "auth-dns.hamburg.ccc.de-1" knot__remotes: - id: erfadns.ber.ccc.de address: [ "2a02:8000:1000:101::196", "185.106.84.196" ] + - id: ns.vie.ccc.de + address: [ "2a02:1b8:10:31::228", "146.255.57.228" ] knot__catalog_zones: - domain: "hamburg.ccc.de.catalog." 
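Review bot: The new `ns.vie.ccc.de` remote, like the existing erfadns.ber.ccc.de entry, is defined by addresses only, so unless the knot role attaches a TSIG key and a matching ACL elsewhere, NOTIFY to this secondary and the zone transfers it pulls are authorised by source IP alone. Knot remotes accept a `key:` reference; if `knot__remotes` passes it through, add `key: <tsig-key-id>` (placeholder) to both remotes and to the ACL that allows their transfers. If the role does not support that, say so in place, e.g. `# transfers to these secondaries are IP-authenticated only; no TSIG in place`, so the gap is visible rather than implied.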
@@ -15,34 +17,34 @@ knot__catalog_zones: knot__zones: - domain: "hh.ccc.de." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "erfadns.ber.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de", "ns.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone') }}" - domain: "ccchh.net." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "erfadns.ber.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de", "ns.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/ccchh.net.zone') }}" - domain: "hamburg.ccc.de." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "erfadns.ber.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de", "ns.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone') }}" - domain: "eh20.easterhegg.eu." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "erfadns.ber.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de", "ns.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/eh20.easterhegg.eu.zone') }}" - domain: "eh22.easterhegg.eu." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "erfadns.ber.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de", "ns.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone') }}" - domain: "diday.org." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "erfadns.ber.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de", "ns.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/diday.org.zone') }}" - domain: "3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa." 
- notify_targets: [ "erfadns.ber.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de", "ns.vie.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}" From 931afac7e067c6d9d1dd5bfd4ff4f4ea4567ea38 Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 9 Jun 2026 21:27:13 +0200 Subject: [PATCH 29/35] add ueberwachungsfrei-kundgebung site --- .../chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf | 1 + resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 1 + 2 files changed, 2 insertions(+) diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 304072b..a7ae7f0 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -87,6 +87,7 @@ map $host $upstream_acme_challenge_host { staging.docs.c3voc.de public-web-static.hosts.hamburg.ccc.de:31820; infra-docs.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:31820; staging.infra-docs.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:31820; + ueberwachungsfrei-kundgebung.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:31820; default ""; } diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 5e89aa9..3f61267 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -110,6 +110,7 @@ stream { staging.docs.c3voc.de public-web-static.hosts.hamburg.ccc.de:8443; infra-docs.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:8443; staging.infra-docs.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:8443; + ueberwachungsfrei-kundgebung.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:8443; } server { 
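Review bot: The identical `notify_targets: [ "erfadns.ber.ccc.de", "ns.vie.ccc.de" ]` list is now repeated for all seven zones in this hunk, so every future change to the secondary set has to touch seven lines and it is easy to miss one. Define it once with a YAML anchor on the first zone, `notify_targets: &secondaries [ "erfadns.ber.ccc.de", "ns.vie.ccc.de" ]`, and use `notify_targets: *secondaries` on the rest, or lift it into a single role variable. The commit message says ns.vie.ccc.de is re-added only because the zones are not delegated yet; a comment next to the list recording that and the condition for removing it again would keep the interim state from quietly becoming permanent.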
From 6d922b7c8b295a5c85f119ccfb46cbc7be151267 Mon Sep 17 00:00:00 2001 From: lilly Date: Wed, 10 Jun 2026 13:11:55 +0200 Subject: [PATCH 30/35] dns: also notify erfadns.ber.ccc.de for catalog zone changes --- inventories/chaosknoten/host_vars/auth-dns.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventories/chaosknoten/host_vars/auth-dns.yaml b/inventories/chaosknoten/host_vars/auth-dns.yaml index 01fadbc..9b94479 100644 --- a/inventories/chaosknoten/host_vars/auth-dns.yaml +++ b/inventories/chaosknoten/host_vars/auth-dns.yaml @@ -12,7 +12,7 @@ knot__remotes: knot__catalog_zones: - domain: "hamburg.ccc.de.catalog." - notify_targets: [ "ns.vie.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de", "ns.vie.ccc.de" ] knot__zones: - domain: "hh.ccc.de." From 431aaefb3644c74f3bbf5e19f727c64a87c53934 Mon Sep 17 00:00:00 2001 From: lilly Date: Wed, 10 Jun 2026 16:05:51 +0200 Subject: [PATCH 31/35] dns: remove ns.vie.ccc.de from already migrated zones --- inventories/chaosknoten/host_vars/auth-dns.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/inventories/chaosknoten/host_vars/auth-dns.yaml b/inventories/chaosknoten/host_vars/auth-dns.yaml index 9b94479..7d220bc 100644 --- a/inventories/chaosknoten/host_vars/auth-dns.yaml +++ b/inventories/chaosknoten/host_vars/auth-dns.yaml @@ -12,12 +12,12 @@ knot__remotes: knot__catalog_zones: - domain: "hamburg.ccc.de.catalog." - notify_targets: [ "erfadns.ber.ccc.de", "ns.vie.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de" ] knot__zones: - domain: "hh.ccc.de." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "erfadns.ber.ccc.de", "ns.vie.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone') }}" - domain: "ccchh.net." 
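Review bot: Dropping ns.vie.ccc.de from the catalog zone's `notify_targets` while four member zones this commit leaves untouched (ccchh.net, eh20, eh22, diday.org) still notify it looks inconsistent: before PATCH 30 the catalog notified ns.vie.ccc.de only, which suggests that secondary is provisioned from hamburg.ccc.de.catalog, so it would stop learning about catalog changes for zones it is still expected to serve. Confirm how ns.vie.ccc.de is configured; if it consumes the catalog, keep `notify_targets: [ "erfadns.ber.ccc.de", "ns.vie.ccc.de" ]` on the catalog zone until the last member zone is migrated. The per-zone removals for hh.ccc.de here and for hamburg.ccc.de and the ip6.arpa zone in the two hunks on the next line match the NS changes already made to those zone files earlier in this series (the ip6.arpa zone file itself is not shown).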
@@ -27,7 +27,7 @@ knot__zones: - domain: "hamburg.ccc.de." catalog_member: "hamburg.ccc.de.catalog." - notify_targets: [ "erfadns.ber.ccc.de", "ns.vie.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone') }}" - domain: "eh20.easterhegg.eu." @@ -46,5 +46,5 @@ knot__zones: content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/diday.org.zone') }}" - domain: "3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa." - notify_targets: [ "erfadns.ber.ccc.de", "ns.vie.ccc.de" ] + notify_targets: [ "erfadns.ber.ccc.de" ] content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}" From 57d2a94990459ff045820d436f6aabfb87fb0084 Mon Sep 17 00:00:00 2001 From: lilly Date: Wed, 10 Jun 2026 16:17:18 +0200 Subject: [PATCH 32/35] dns: fix syntax error in diday.org zone --- resources/chaosknoten/auth-dns/zones/diday.org.zone | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/resources/chaosknoten/auth-dns/zones/diday.org.zone b/resources/chaosknoten/auth-dns/zones/diday.org.zone index 2aeefcf..bf93208 100644 --- a/resources/chaosknoten/auth-dns/zones/diday.org.zone +++ b/resources/chaosknoten/auth-dns/zones/diday.org.zone @@ -1,4 +1,4 @@ -$TTL 3600 ; 1 minutes +$TTL 3600 @ SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. ( 1 ; serial (overwritten by knot automatically) 10800 ; refresh 
@@ -27,8 +27,7 @@ diday.org. TXT "google-site-verification=pJq0LANnNJlkIflK diday.org. MX 10 cow.hamburg.ccc.de. diday.org. TXT "v=spf1 mx ip4:212.12.51.133 ip6:2a00:14b0:f000:23:51:133:0:1 ip4:212.12.48.122 ip6:2a00:14b0:4200:3000:122::1 -all" _dmarc.diday.org. TXT "v=DMARC1; p=none" -dkim._domainkey.diday.org. TXT "v=DKIM1;k=rsa;t=s;s=email;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2YlBjR5oNm7eDeMXmQF6Izx1A17+vBHNapHlV2Rlj3N4Cjo9kSn0y8rlrqkASUKszDgToGrh1vkHhtYN6EE5QS5iVVSnXcWPiHnBzrxK4OmhVZZtrgGsM17pq9udAEEapc371dQQsL3WhXOvilGGSIQ9u5VDlc+y/ApXi79J6DHSf66t0JUU1e8vLn8ZI8hcXe3nsHXqbW4ot24rk8EvaugsK40jbhqxZ+BrJTBq/iP8w5RsF6KdYjTaqPfr/D4dbvUU6fc8jLyy3OWZgSkkOmv7m0UdbOm2Kk6c+1hNjQJZVEhQrpGrpAcjE37/v8ZNbQMgaasiugH6ElnKb13ZQIDAQAB -" +dkim._domainkey.diday.org. TXT "v=DKIM1;k=rsa;t=s;s=email;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2YlBjR5oNm7eDeMXmQF6Izx1A17+vBHNapHlV2Rlj3N4Cjo9kSn0y8rlrqkASUKszDgToGrh1vkHhtYN6EE5QS5iVVSnXcWPiHnBzrxK4OmhVZZtrgGsM17pq9udAEEapc371dQQsL3WhXOvilGGSIQ9u5VDlc+y/ApXi79J6DHSf66t0JUU1e8vLn8ZI8hcXe3nsHXqbW4ot24rk8EvaugsK40jbhqxZ+BrJTBq/iP8w5RsF6KdYjTaqPfr/D4dbvUU6fc8jLyy3OWZgSkkOmv7m0UdbOm2Kk6c+1hNjQJZVEhQrpGrpAcjE37/v8ZNbQMgaasiugH6ElnKb13ZQIDAQAB" events.diday.org. A 91.98.167.209 events.diday.org. AAAA 2a01:4f8:c2c:44b::1 From 5973de0959242cc5832c361616c5848d002aa6f8 Mon Sep 17 00:00:00 2001 From: lilly Date: Wed, 10 Jun 2026 16:17:18 +0200 Subject: [PATCH 33/35] dns: validate zone files before apply in knot role --- roles/knot/tasks/02-configure.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/knot/tasks/02-configure.yaml b/roles/knot/tasks/02-configure.yaml index a2a8e55..e79143f 100644 --- a/roles/knot/tasks/02-configure.yaml +++ b/roles/knot/tasks/02-configure.yaml @@ -33,6 +33,7 @@ owner: knot group: knot mode: u=rw,g=r + validate: "kzonecheck -v -o '{{ item.domain }}' %s" # this seems weird but hear me out: # if we don't disable SLAAC, the node automatically gets an address based on IPv6 Router-Advertisements 
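Review bot: Joining the DKIM TXT record into one quoted string fixes the dangling `"`, but the result is a single character-string of roughly 420 octets, and a TXT character-string is limited to 255 octets on the wire; unless the zone parser splits over-long strings on its own, the record will still be rejected, which the kzonecheck validation added in the next patch should surface. The portable form is two adjacent quoted strings in one record, `dkim._domainkey.diday.org. TXT "v=DKIM1;k=rsa;t=s;s=email;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2YlBj…" "…ZQIDAQAB"`, split anywhere before the 255-octet mark; resolvers and DKIM verifiers concatenate them. A comment on the record, `; key exceeds 255 octets, hence the two strings`, would stop the next editor from re-joining it.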
From 75b7e8032133b4f791c73bc0398eff151d916226 Mon Sep 17 00:00:00 2001 From: lilly Date: Thu, 11 Jun 2026 14:40:09 +0200 Subject: [PATCH 34/35] migrate uberwachungsfrei kundgebung to own domain --- resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone | 1 - .../public-reverse-proxy/nginx/acme_challenge.conf | 4 +++- resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf | 4 +++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone index b911d6c..33f8a31 100644 --- a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone +++ b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone @@ -289,7 +289,6 @@ cpuccc IN CNAME public-reverse-proxy did IN CNAME public-reverse-proxy infra-docs IN CNAME public-reverse-proxy staging.infra-docs IN CNAME public-reverse-proxy -ueberwachungsfrei-kundgebung IN CNAME public-reverse-proxy auth.acmedns IN NS acmedns.hosts.hamburg.ccc.de. diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index a7ae7f0..6e309a2 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf @@ -87,7 +87,9 @@ map $host $upstream_acme_challenge_host { staging.docs.c3voc.de public-web-static.hosts.hamburg.ccc.de:31820; infra-docs.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:31820; staging.infra-docs.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:31820; - ueberwachungsfrei-kundgebung.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:31820; + ueberwachungsfrei.eu public-web-static.hosts.hamburg.ccc.de:31820; + überwachungsfrei.eu public-web-static.hosts.hamburg.ccc.de:31820; + xn--berwachungsfrei-yvb.eu public-web-static.hosts.hamburg.ccc.de:31820; default ""; } 
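Review bot: The `überwachungsfrei.eu` entry in this map (and in the matching stream map in the next hunk, nginx.conf) will not match what browsers, ACME validators or TLS clients send: SNI and Host carry the A-label, which is the `xn--berwachungsfrei-yvb.eu` line added right below it (that encoding is correct), so the raw-UTF-8 key is dead configuration that only suggests the IDN is handled twice. Drop the U-label line and keep the punycode one, with a comment such as `# überwachungsfrei.eu: clients send the A-label (punycode) in SNI/Host`, so the next reader knows the non-ASCII form is intentionally absent. It is also worth checking that the acme_challenge map and the stream map keep the same host list, since a name present in only one of them either fails certificate issuance or never reaches the backend.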
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 3f61267..5c57f0d 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -110,7 +110,9 @@ stream { staging.docs.c3voc.de public-web-static.hosts.hamburg.ccc.de:8443; infra-docs.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:8443; staging.infra-docs.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:8443; - ueberwachungsfrei-kundgebung.hamburg.ccc.de public-web-static.hosts.hamburg.ccc.de:8443; + ueberwachungsfrei.eu public-web-static.hosts.hamburg.ccc.de:8443; + überwachungsfrei.eu public-web-static.hosts.hamburg.ccc.de:8443; + xn--berwachungsfrei-yvb.eu public-web-static.hosts.hamburg.ccc.de:8443; } server { From 5f7b0c9449cfe4d7e6c43b88e732ced324e81c9b Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Mon, 15 Jun 2026 19:07:17 +0200 Subject: [PATCH 35/35] Adjust to content change --- resources/external/status/docker_compose/config/websites.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/external/status/docker_compose/config/websites.yaml b/resources/external/status/docker_compose/config/websites.yaml index 7ac34a2..e4cbc8d 100644 --- a/resources/external/status/docker_compose/config/websites.yaml +++ b/resources/external/status/docker_compose/config/websites.yaml @@ -124,7 +124,7 @@ endpoints: conditions: - "[STATUS] == 200" - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)" + - "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg:*)" - name: spaceapi.ccc.de url: "https://spaceapi.ccc.de"