diff --git a/.ansible-lint b/.ansible-lint index e750c57..8264714 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,6 +1,7 @@ skip_list: - "yaml[line-length]" - "name[casing]" + - "yaml[brackets]" exclude_paths: - .forgejo/ diff --git a/.sops.yaml b/.sops.yaml index bcb30f8..b517a43 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -48,7 +48,6 @@ keys: - &host_light_ansible_pull_age_key age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q - &host_waybackproxy_ansible_pull_age_key age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j - &host_yate_ansible_pull_age_key age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22 - - &host_z9_router_ansible_pull_age_key age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp creation_rules: ## group vars @@ -242,12 +241,6 @@ creation_rules: *admin_gpg_keys age: - *host_yate_ansible_pull_age_key - - path_regex: "inventories/z9/host_vars/z9-router\\.sops\\..+" - key_groups: - - pgp: - *admin_gpg_keys - age: - - *host_z9_router_ansible_pull_age_key # general - path_regex: ".+\\.sops\\..+" key_groups: diff --git a/inventories/z9/group_vars/all.sops.yaml b/inventories/z9/group_vars/all.sops.yaml index f5aed04..bc4c3f1 100644 --- a/inventories/z9/group_vars/all.sops.yaml +++ b/inventories/z9/group_vars/all.sops.yaml @@ -2,225 +2,213 @@ metrics__chaos_password: ENC[AES256_GCM,data:seOU504dZ9K21+NK1MBf9isee2L2rueP6Bl msmtp__smtp_password: ENC[AES256_GCM,data:FAih8FghRYDx3QGFCjKoJ8Zq0TkeCIx4n1jTx4/sASgECqvucg==,iv:8NDn3wj/bXsbHbuce3ycJTBVWde6XAVxv4NuMUkMbIM=,tag:jeE2b0i/8JPtguLYQvdV1w==,type:str] sops: age: - - enc: | + - recipient: age1j0876shgsn7f2thxh9kx9x5uwnh45z6sy2jlk2qz5jhgedm26g5srn9kax + enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTzAzaVFSRDQwN2llbmdl - alBBVDZwTWhWUkV2L3ZLZmNDUDRyTitDaFVzCkNRTEN4ODV5ekxRVlBZT3ZIM2pj - Z0JxYUlobHZCeGxxNE9PcENkR2h2VDAKLS0tIFZiVXJHSU5naXhSSEFobVZBN1Rl - NnVDUVRyVWxlUnMydVhiQ2s0bGMzTGcKh97/UOPxrKieK5dKdGyRqCRi8Sm5UNcT - I9jLCPqX8Utt0e2EEp+ivJwFxgo7QuNCYWu6jtPCO/Zmc5Q/2tJQ9Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VWJQWnBhcDc3VXh3TnMy + RFljQU0vNS9iY3AvTWFraUxneHIremlDeUZvCmdzd0twWHZEdTZSbHpLbEpRRDNX + aGI4ZlczN0tFbC94TzJ4bm9aUjkwcVEKLS0tIHRGSGdkQkN6ZEVTUjl1cGhMZzVI + S2FtSktoWmF2TjZCZnNlYWpWYzQ4MzQKeK7f+UPSanQsOIXNjzZa9B5FafNFsN3W + sjssDdbNQ1OEn2CLWRVQl1umKrADuvd85fMu3gUZrycZRDCCfsBzVg== -----END AGE ENCRYPTED FILE----- - recipient: age1j0876shgsn7f2thxh9kx9x5uwnh45z6sy2jlk2qz5jhgedm26g5srn9kax - - enc: | + - recipient: age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q + enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVUtpb0FmeUduNW9EdHJw - WEY0WllWdE8vRlVhODU1dUcxUnF3WE5mUG5vCnBQRlNkblNHbUFESXhvQ05YdGVW - UkhjdjdvclRmTk55UXRGRStXREFiVVkKLS0tIDlkMHhxVkxEK1BjV2orQUtndGc2 - Mk8rZm14SzFWTjJTanVXaE53UmViS28KQmnPfzLhgLasSuu1Aflp/JDWo1hqvYjb - BijruPUZ3NuoZ4Wuo56FLlTLrch051fI3ottzy85FfX3lRnWZ2IK8g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkSmVEVyt3OCtvUUNqV2FR + QW5WaDBFcnZVMTV3QWdSLzhxRENCdGNaVFU0CmxqM0xIWUVCSUwvY1pBVjQ0RCtq + T0psSG84VWdpY1dYa2doeFZXd2RKNVEKLS0tIGNFeDFRYzBDN3NWcnpUSVhEWitY + RXhLRkp3ajdlNGY4R3hRcWVSUU04T0UKdprDhBpp0aMc733Wx/K7hS/nLVohvlft + N9aSQdcRoqT3/iMGu/6xdqbeq0/7a/U+6JvhYyWLkLsrzw2mlVRoIw== -----END AGE ENCRYPTED FILE----- - recipient: age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q - - enc: | + - recipient: age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j + enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQSm9FZ1VmVWhadldRY0JU - c2R5d0tNMDV5U2tzbVorai91RTFyZFdUMWo0CmxLVUJYdVFUN296U3Q3MTJQM0JW - LzNTYlVVVitRYmk3azQ4VXBLWTZiZjQKLS0tIDhXdFZaK1BWVFp4M09jbk0zdGpF - dGxmUUZkQS9sMXZoeTJETGpvQW5VQ0EK9Y/trD7VhjQnqY+KryPfEv1J/D4NCWsx - CHv0R1ps6A0qoRJzS1UNxU5bLXDX1RGQiU/arhJ7LXFxHrNOdObsZQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWWM1WFdidkY4a2hLNm03 + TGdNNE9ZK2lvelhYQndTYy9sUzM4TkN5elRZClJwQU1qeCtwUlFzeVE2d0FSSCsz + WTdzQWZLYXpqUHcxc3VEWHZvNmZibU0KLS0tIElCTWdraXRLcHNHMjR2eDVxVCta + bHhVdFpOdDB0eUR5d2hhdWJlcmJDMjgKBbVkm7LNwnoUVrUF3NPI7d25b6tAIr1t + HelMjQU5YFM7DvRYFOlNpgO7WmddNSq3C6WYa8AZDGpsjc6GypcLVw== -----END AGE ENCRYPTED FILE----- - recipient: age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j - - enc: | + - recipient: age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22 + enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBreTY4bzJ3T1FHOVdhS05v - dG40VWdVeWRpamdqd2ttajFJUjdYVHB0ZXdVCmk0UUJuRHdsUnE3ZThNakpwY3po - b3dtWXNNSUlvbzVHcXVIclNlaVNub00KLS0tIEMwL2FYcEZ1dkZ5MFl0S3pWSWFJ - NGdXVXA4UGJIOTN4UnhoMjRYaTRNWXMKGJNomXuB5TqXZKWk3Ub/rEc69CrfYABw - bBBidbCQBrv7cnsvjsVpHHGaTwyP9Nk1ceF/gbv9fD9gZ7dwt3SA1A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTmRaRXorMzBQZWwyNFp5 + VHdUUElyd1V2dUcvQ3k2STQ0d1QyMytsRG1BCm5CVCtRWU5FVmErQWl2N3Y4QTc1 + Mnh3K01QUnk2MGpSZk1NRVJWUlhFYWMKLS0tIEFOM0pMa3RVNUppS2xOakFVM1lR + cnlBL29XQVlsL1ZCenBIYTQ3S3JxQjQKq09vbn1XOC1jIXDpv+ThFMk9k7SyYknr + MBJRBp/0PrKBo/Xk+RCSWSLjgali5Cc8KTjDTJyBG8rFzzvLIazBRg== -----END AGE ENCRYPTED FILE----- - recipient: age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrQWhjNHlDU0RKRmdKTzh0 - M3dhOGcrc1N5SnozMHhSQWNUdERPSjRrZ3lZClBpd1lrbXY5OEVnMVgwTGl4YmUw - bWpJR0Z6RDZubG9lS1BIVnEvMWhEdlkKLS0tIFhSbVFhVnZIN2xETXlWNlh3TVVG - N1VTSWN3SEU5U2Uxc2lRUmwwaWc0L1UKfPWAEs93dF10GZdlQt3yeDltk/9Djmuh - 3ZeGLgkOjcJPXO2hFQMZoJY7a2ZRIxN5Oa8PGwuy7DEtmQ9PdP/mbg== - -----END AGE ENCRYPTED FILE----- - recipient: age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp lastmodified: "2026-05-23T22:10:20Z" mac: ENC[AES256_GCM,data:JbnKG1qyAkvFDXr2iHu+gk7nRjedmm+dEK8vBFW5YzndWE4QKoYWeaqRHBk7wdWO9kpZgU2rFiu4Be+ikotoMS8jKAcd5wWSrWtSreaZxxiD2TWMWX8HwPtETnYe0rjrEZ3kPcUj4QPyNTphfbH3ARLjthedRXNF70NDc+DIpAY=,iv:4LN3oslWUWqoY3rQNVDSmlJn1o0c8JQELzsWd5btn7Y=,tag:c8X1q9XMMUkXed93j9C6ww==,type:str] pgp: - - created_at: "2026-05-25T17:17:13Z" + - created_at: "2026-05-20T02:08:49Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAxK/JaB2/SdtAQ//cayg/ELKtybgayA4z+xOUK10zQJDE/U43BcPRMrBN0+x - VLu/C96Eom/dJN62SM2QamThHu454HMZj1PjDynMUzgfVqXEg/eG45bBBweWrI65 - s0tuzLmsqpdt9TJ5t0znliL2DYS3MPfmYRNbAsYsCbQd4I0YpxdzQwTvURdzjpUG - nVBUfzfcYH1Yqq8BVtR40MKfa/DbOsJGENHtpkQ9UDAa3gwVQs0NyZRQzg5w364C - UvItYlU77ZCKPkyOQuciLn4sM5poihu3UNWp855QsDK6fZVuxPTS4Cn54cfwdOTe - rL/ZQjLcHJ7PRmZUiWR6GVNDrY55u7zhORD4b8BgrpWW4hhxpp/ENjnRmNt8jKR2 - dJ/5/uC4HBX0fM3mbfpUn19BxCk9+gFPmNUOUZ93UxpQ28l1lZxeiLBOHAw1srEs - 7ZfFrJ0osedPGHu8rVOe93DCAtb/oNxr1xvGuDK/licRkEh8t8cvuoVsVhYFjNBc - UKXIPrhvuSj69c3OiHa+u9fNZJX2XAi0oOcZqGp+sQCCgUCA15I5QiqTpalCSTKt - /Stoj9BsmlSiy8YD2XBjmzHHVxJHfl8XHcuONKc3e4UmVjKlzkzc0bI73Y6XiEvt - zRIUmWxfvAvqP/zPcMSwaZke5h7N7ywKcjM+RHB4NqRUVYlBNwIWXvi7f5BdLhrU - aAEJAhBcA//3NJxuDzlf1zoXGKOhGIwNv5/Qb1n13OKIT2s0nfbqEHgAUm+tX3gk - VKKMqFuVmq2mkAaxXWFq20VC6djTJJS1QOaNsc6x3bJ6iDtYV19Ddn/20jbmbqmn - XbCDvb50nubC - =ZByJ + hQIMAxK/JaB2/SdtAQ//VIMBtLL8lhncJeItw53fQW4Lia0hs84yuKLuSBucNXhy + x3LT5r21C5CZ+JnucrGPxur4clsLnDnng2CgyWhksJNknk6smQIq3ZhyBd/OJzS4 + zNGUJIbitJsDaKjTrYDCdsQ3KVcRBDMu3ow7vzeP4wnL4qU5fUuQ7S2rK6a1hfMB + eTQmn4wD/Rl+Q0AWEo2V/X8UgchwGPeuOXfju2t9+1UVE0kUJdXw/JIrGyR8XrYM + 6ZGXB3mPnlZTZjqhXVSFSSOUTRYu/0g+s/JuDLpgl8gVP+oDvSCPrB2pDNK+o2Oo + VbQbJMg6lMbIuewd0ZTTeCv/TFU9O51RtkFyxHIEW7dVelDrNkuciAG1mDUHFUUw + MHeWDjngeCzr1hj1Z78P1bvR7I2pqBQiWT+d/e50S5quNRVjtLVEjuU7r1eKiPDu + pL1lYJZZu5+uY1nWE4qeJiI1KambjP9/C+RUCF38yT1wNvxrbwsM9haXGbI3t2cU + X/RRpK5VKKKwbBqyQmkZX7xaDR13hLF2vLtdVw6L9nYVVactfnFr9HKDV95HUnhO + uevmzu+ShtAt9FMXz86dLYmBx90A2BSWxb6sKvZkG8UDY+vVT1K0gNK4kwxR9rKt + LFzCq1a3ftx3UvrNMCwaboGQZLpRtiKr0lNQvGLpH/SRDZ2HksinV16FNVuN74HS + XgG5HnRO9/lkL2Bn+ms7Q6+ki9QmC21FlLGJOBQIi+VHNVwy6J8XQlrs5NZPy6Ib + LmWIV6BdIRejCAITlVeBRBpXymdUBicPLa/VQMK2s9L3SS7MUcv+4j+vje9YR5M= + =IEFm -----END PGP MESSAGE----- fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2026-05-25T17:17:13Z" + - created_at: "2026-05-20T02:08:49Z" enc: |- -----BEGIN PGP MESSAGE----- - hQEMA1QflAioE8i3AQgAm+iazJdcOXiq08MvSGMQ9/NAvrgcDav4561Hew23n4Ms - tKC5VLXf3l1f6yjhBZy6mnslYOWWdJ+X4XK0OqWkRr/t7zxEK4M6PC6g1W5hkaFU - +9DrkBLKss8atz3EhexK6GeljTuRpVWM629BtvMPBo/41eyue78TLf81vCkbUJkC - UpeB4alsETvD9Oz0ZRT8fipuXzdpGSjobOIgQa9bKwFMXXGY2fwBuKW8gVtSgbXP - mKwqvGaSdHz30BxQExmLne5ERKHOvzac2woG5tOmKPaihg8pbvuq/VjS2K0mzS5q - cbwyq/u4d5fGEFQYqMARW1aiyo3NjYk4xWDcGo5Ql9JeAdwhj3Wgm1wccULt2Hj7 - z/V1utNINoB0bPFb8ZQMmPpwAeH6nnoqjWmmoRSW0tL/EaPh5xQXdEuU+DloT5f+ - k8c2KQC+v4bh6BMUcycAeIG/h4vKsgz/Jc6BWKKD2g== - =G51B + hQEMA1QflAioE8i3AQf7BB0RdJbe8Ro2Fv4Phw+VaR0rUIuQKWOb7zf3/9YCbV2w + rICGVIx7V1vJF5R5RgSfk0RDrLN3Pfoq/7Jfkq6bMoHIVCHSFdryHfjG5Dgm49Xv + gDZ2CPAHPn15mG0Rr/67YUWsC2Jy4y6/JY478wzYu4Og9IkxkeBd6ufBFB6bTn4H + qB7B2hfkyQzA66zoxc0r2O1mchbJ3A4pVJw0v2I/sWCiZoJQKmt8ksoEK8BAQCWC + E8sozb2opRzFaUCZSNEdhz/rnbV8u5wW378kd8kHSOlWxaFZNkWUP42YQiNTkd9/ + YpxxGvwCTIpHGAYFtU7CV7QfQHzTuAOz7ZElPZsYkdJeAZCwUFO24nzwpxYS43AV + 29IHXvlKAQkjJunix0bPGcE3D6T8CUs0wXL2sUSDcvgOOQZSezRn4UNEqFCftjJ4 + Gmldo/baMO2Y054/iA0jvNmHRk6sJCY8aRYv9m5Fqg== + =n7Qb -----END PGP MESSAGE----- fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7 - - created_at: "2026-05-25T17:17:13Z" + - created_at: "2026-05-20T02:08:49Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAz5uSgHG2iMJAQ/+NjXRTghMiYErsXenuJRaWdwHZ+6DkkG8nC5b+Aigljgu - OJg5UQgYtX5W5T79uUuEh5BWKO5bMHBwDNHQC7Hn1FseYgrOxcoSYOsewlb8t2QH - fqGLLhv82nRnU0nTs8W/yvrBH/ub0kAtuko1jkPSAWnoonmeEW970iLVIF9lCVYJ - idF+DDSiic9RDpHd4Csuxdv+1Q8OcaOW1HVAUrfrKOvC17sawd1Cat2DWC8EcOVD - clNn6A91FBCTxVnxwM4j2J/NXP1JRIGnlxaa4lATQMiX8lfheu0LyEpsFZai55RC - dq20HWqPgYHiamp6eGQ+Uqe5edx6F5YX/25S2Jfrx4D5vRh0PFx6blY0kgZJp16a - ywNiMtLPh7HjOMbB1v7bcWtIDWrIhWDtyJ7axny8sMamCLCPOwPpPvdL/B5YOntm - +0wMXHXCLCaljzsa5GFIyVYj3pTY/6O0Fgkv+6ow08ndPjsViHNikufCSW0ueIFF - ehv0V2+AHhedoHChFZI/DEbGzIKVcr7JAA+GHAIWcklg7O5hss+/rr7nYxVB0A+t - Sfp5kVMInLpCPLRm2retun3zPF8+R0kN/ZrkLy02K7z4rrD8wVE5QUvSCWbpKdfS - deWIy4lp9wRXSunag1/CxqvrH3ZszlxSZPEQkC4hez+xOS//L/5QsiP52SavB9PS - XgHvkL3slXXsdnIgm3cYnHqEBf2rXLQR/ZTzusXMLEBaGCd9JB33T/Lz+TUftCUI - xxLwzFvm+dEvQ6bOB6/OvSMBIsvVzMZxaIblwZRdIYfQovEdKLCRc+F4lTqV8fE= - =1lXS + hQIMAz5uSgHG2iMJARAA4zyDJtNqK5w6QPYMyEtjuoAmva91yLA4oAU/diRpFXHx + D4UzksW8moYqmaiWblFy1HeQJFwZWrxnXeqg9B7PFOkhriIG7al4DpV2wXoCjami + DIkewGoeZjTbPNxsDVl0SbDafCARQFnQ8LNTmM2hi2X/ACg+c8mSM7eK6C3mh8yG + Bo2EsuCnIqzwzV6XbGCKnfOUh0QekWM7Jc/e3oYGSgCP2N5wb2PLVsW1220qdPvo + 8D1l5cDVj2Pgq7fnfbxZGJYSfdgJb1YweH8mjHk3gHU68AGeeSkV+VwcBGV2HObg + hKSbVWcyGAHrP1ppCNyXr5ZkBgyvdB/EjxjLqTLq7sdTnqjLLbMLgi9CCI0NuDMI + jfgMjOdaImjUvvr8lCl7dOMyp9wc6ks0bwRbfG3AMLGKWeR+un3uaDYujD0bQLqZ + m0g5mx1wHxNCJIb2ZQ6UVjDlnatTYGBnxEupqxr9PFyny0MRhaiYkuDIh4tHW3nH + xyCHN9QIO2/EktLkM4wcfhOeVgdpfvKgT+cMG9kS/yfInZ5ZAGvXznzvfNZZtKDL + fLvvF5AqYbN05c0h56WJa65tIT75P2wI6ZBncCSLqSAzyXWlZFV6UBP+5QLEkQaE + WtY8y2907OAx1v8g6vc5v5oHMqfwfWC4nuFbkoJo/ZbfvtDWq4eFZfkUKY3Au5LS + XgE/l6NTtWknF4nPYIRaibum4527ke053JdD/50eqfuRv8MFIHbRPfWE4lE6lgev + +/j0Ef9sYRu726Sv3wAgT7K6PmCFsLN1319OmjkZpBAJiNsxx9qwXyqgTpTvb34= + =Hr9J -----END PGP MESSAGE----- fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2026-05-25T17:17:13Z" + - created_at: "2026-05-20T02:08:49Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DsZXvxFXTXoQSAQdAJAr+RX2f5gW5PpXJ/WA+1qMPFjuWuDccIk1ecWzc4kEw - sNH69jVC0JL7l5RMrJTAaY0GRTMrJffoz28JxpVbUVFEpeHsd+myGCcD1jZyS1MX - 0l4BllCKEsOVnEKKxOscOIctaIw8/MDNnLSoP04JI2xVKKThor+UwUhRzg+fVwxH - uEiHsx0xA/q0HVXhTNIvIWn0CKx/4uV8JwVa9JqjSSyQVm8PBwU+UTfXMQ5VcuHv - =uxSy + hF4DsZXvxFXTXoQSAQdAp7TsXm2MaBAh0qB3eOjtFuegcEsmtdQHsMP0rs0N/m0w + bbbzXLwq1TGL82l5Qon4NnX9Jg5gXnKydWOiKWhxCsQ0iHJ7eupJLxyfDD/kzga+ + 0l4BRUpbBFslWWa8Fb7zfNA7kslhkaQIJAmN92Yh/2NdkpmNEpMMaIrx2p2jK4Iz + mwGUQlUz4ZkK10xy+9LMaAtmLhBJgBhDTKKzw7OAsRAnASq2gXA/4wqEVgBU9BxB + =tBBK -----END PGP MESSAGE----- fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE - - created_at: "2026-05-25T17:17:13Z" + - created_at: "2026-05-20T02:08:49Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DerEtaFuTeewSAQdA2k3VLlMvCocHQ1ULFwTJKqscSb2FScq8A2I1TIdlfXAw - jWLzGphdsfHuNBEsocoixm4nKAdhjgBsud2rfYkuwxpqX2MlBr6ikpN73dXlHtt2 - 0l4BkUvmqlioN961OV7nssbeQLzb49C9Gzm5S1dQqBQVCt/7qGodTHHiQON7bYJp - +OgUaI6bKZjd9Lhm/u98dTH2cdPm1B5bUQPDzptWX5vG8euzBQxXc7OrGsTFyYME - =e/rg + hF4DerEtaFuTeewSAQdAlBZhTjLL3YPqorSXq0jet/0CXmeZeLL8inGvm/HgmgIw + aplmjWHB80err0ffZeRfcvqx9DGujpwlgoFGDxjqn4LIqoNg6YK/VfFb9pXUvIOv + 0l4B9xQ4DlaYOX1egCQUBw3KcdcnNlcEZwTOwTKn0Hg3gXp0u3TYlJFZAchw2G+l + XJjlWiwJN2gKfEG7hrtZ7MJkYJFsqMFa1aC1oWHduxU4jmdRdQqdIaQDsqkcqJc3 + =KNVY -----END PGP MESSAGE----- fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 - - created_at: "2026-05-25T17:17:13Z" + - created_at: "2026-05-20T02:08:49Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAxjNhCKPP69fAQ//VLyOILC6lpvlq0W7NeYfUzL7KtKYXVDF7aSQ/b6Vn7Of - ggc9n40n6FkMJqknhbvSnhhlFdzVOCZkLy/hinNk+jF2POBlLbzBjCuzQSP+ZDyC - Dll2UJ/khITd+tQ4zwrFLpixr518Fgcj8NOgtljUovxR1bGIzYogpmiVFJEd0cT4 - k7ldv5WbZtB2UprhPPpNe+98BaUvuSvA9RWCogaBbuQpY2p3g9t9Zo58spOawbP4 - ccz7Pu03Esy3cenlnCt3G7gl19viIh+wHKrIXPa8dGO6TEsrRMPT0tNEs8iUJyDO - TNEgo6+yxQ2p+08EzAh0BCRwljqnPLjS/h2s2s208Z5rBOCpLY9RuoXz7JRvZ06p - gBgPFSIH12VBGjfqCB1uZIatbtLQLjOo6+UU0evM65WhKw3//tUnLrox1reoiRzO - ro4JuytP+f4PylQRsr3jOYKRKCBzoZOOPZbVEpwQeBOe9zzxDgVQqHgVDDZQzCcw - VTHCrs4XVHxPH0aRMlS4A80xbH7VncYbcbf8a6VrTpnPflv0OryWMWDqLBzmIPgM - W1Bz/hq/o6br+g4uAKjt4GTdTwWYxptA5L84aMoihpXRu0MaPhG+7MRsXpEa/+Ll - +ybl2DLpm6zm0iixkJuxwtOdQOGjqJqC/GLw/EZJTt2aO+ZUb8dLrChNmR7HJAjS - XgGBpFYao1AQqLZU3c+5B2/9/3rtOoVX1DQXhUsji5NkaHyYO8usauj9evPUf4qx - FAQRWua5/zp/cTlNWU3GknqtJ1G0g1mrkiVeBZCRxIK2Iyvyav7RALJ1jlkyW5c= - =meb0 + hQIMAxjNhCKPP69fARAAhSBdgW04fKM8tAU8sC6h8/4e0Io3W/D2l6P7nZiD9WVR + 2pUqS12mlNCoRt1I2empyJ5vm1wjor34BCuSCiyfLQ1WIlBJlDro96ygpsHZGmam + tNcrgwc7y6rg4ycqUWr+H+WVZ0kw1IYYKbfAjMAJF5lQqzz+VMvET9BbmvA595MO + l/dnMColnjxxBiYBIzO7mnli+uqRHB79rM2VVlrqoT+C2s9zuPfpJfY0PJaCbbdg + BlffAMqs9m2JZdDr2r0lrN/jyLUB2d3l9NCcF6UYP6tjgZsKmHv/JxSgXLf6IklE + wolO04qgDRK7jeO2UGEniweVQNi7hqA4vkp2TskGbfVsS10PyLYKw4N19GedLS3c + ZxRGde42Fze/PrccWq8bGdOfWhPBo2/MEyqVW4lgTeCCwrFRO3UNyYcWo7cmaN1q + lz7uaV6ffqbUDJSkjkphvxnJtuX62x9Uv/wcwrJuZUarSNclQ0nQV/e5wc7SzPgM + B+GLeR4tnconDZGFq8q+KKuHe7MSx2uwiZsJIVXohcZwhkd9wk5YQBPc8i4aP0NQ + wsb+QptuM8VpCEVAwKOUjp7IRRfUyqAIlmIRDkTijmHknSmI9HZXPyCvTLoy1Szf + KDrN1MAma6b4gsru1fFnVizXQyZozl5RVZFP2Uv+ndugdvRE5sv5aevlzgaWFg3S + XgFqaFwId78UDNTrxcs4EzjHmlwg4E05G9pUqbA9zBDdCqwlD4+6CfAgQ46A6ptY + 5p2QQJ3KXgJXrtlJySq8piReyq3mpagtWZJfAazovJA/ZF4o/xs9ZIu/q3qxHSE= + =nR8y -----END PGP MESSAGE----- fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2026-05-25T17:17:13Z" + - created_at: "2026-05-20T02:08:49Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA46L6MuPqfJqAQ/+NK0D10olgDK4KcArzoMtrJR7qwbrceSeKwaQGsUB1+RZ - xv6pZJ0zyw7McTuUV2I4bLYHy/TffSyJk5vLSSTGFXgHVdfKmjvm7VDEp5d2uKku - GW3Qh73quldfhd5GjO+F9V/S3rCysrNMpTmPnR5ha877FKGtc8168XRhIpe/1+mP - mvlE6h0Xizbx9myGR+ie17nHpoH+tjTtQFH640s38+xDgH6AozwWGUe/g5TdLaLJ - 8SKHyQnS8hOHQDkttvhWRbyhKa8WuGyOKSjuQ81HIv+/UPxh1fs7vovPHM8rtIyy - xGcWPzUeoKQiV2nyXUP3BqglhOhD1vokh3ejDcxwWWKuyASCSXhhvW7KMsV3Stdd - E3O1nyOi4+2I2E4TQo0NLt5mTJonPbvSn4IvV0LuatrG902UeNNZRRwQv3ZrVp6f - G2ZJ9HNSs+Tp9H8cJzBGjDBYjC6/d3GGWi7N/5G/n6C7T6W81BgO8UiQOleEDF1c - Bi6NPNeoGL8fivVGlGTHpLcpPpbYz+1ynsFs1ho4+v5bHS5w+UfvVvQC7dlDKmR0 - fUAkllcxLSnzKkpKis1HF+Gp+lSNc75/BzOeTA2gS3c8H9jMuncRolndPX1rVJA3 - mrLiQE/Mja9NaYHzUROKIHDEUOQ1ZzvpcRduggvfj6Gb2wzNdUdR5QrXnLeI2jbS - XgHO7Jr0HrHzr/+p+w89U+uH4b7onseYDiAjfLjAZpcYwkzuy7b2ZUmpLq1BjZRo - zs+rSqv4BP0Xa7LNIFrHj4OeL9ivwP7Kw/Tb36hU8DJ8xDfilx81n69Fer/cJ8Y= - =BNfm + hQIMA46L6MuPqfJqARAAjpM3MO83b2EUtzyZs66HWH6Kd60rl3QODTqs4PQm1cH5 + HdzfVJ2IDo1y+FMTMmfJov6xBqnlalNaOvg8XFAkKTUkZgUHRW/q1WXP4FywTWmP + aJV47x4dOQXQgj/i/ykMspUgsxA5049/nG1y06Wsm2agLO3KjL6KIJAx0LI28XPU + qA/NFtfNuEAv7DGS2LGz1+X1hnRYcBX/oUgpihzActWmMORD6VS7xZGcMdF2/+Ex + OCDAnwT0cBSAihBSLTmEMJ4xfmMG228nbLqm9r/gELgVIsIL5hXWz0CtxaewwLQQ + XFMm/ZV/G6bZKRJzKPOR9EcPMF7Z+nnBts9wKNlE+WA32p7zu7hjvEFZhLiDKYlN + +nFcx/rvyWB6sbFK0xn2x5MonxWNVUy58PnqGWmPi2VtXT1al1zSAoKAgg8Xdw21 + PQENtxqeUSLXXb0SZXFptMmYStwqoaFusLOCLW42DogFU246o14veDDtsS619T5G + RrszsNg543i3ra7MIm99YRXyniUaDp5VlKufPkWRexIT5YZYalOLtdLcaTTzfr7J + x4PNVOK2ddtmlKbbakvvmPWS3iBEUGMqw69dPhEdpY8yy7HJ2jpXX7TiezNqGJ9w + XqtI9RJmWrr0/zSoim0EpHDwXZhSf7YVcwTs0XCtwrXcQT6DLaZJr8cny/G1ErLS + XgEdnUqFpB1D0bacmRpfHA3PLZJd/x0QfwZ/b7gzz3f1xRfMXgnsM4iYu1S8+VAW + Dy21iVFZledWfrmuXh/PkLFftLipYK6tc0n922kFFxCn/xSP0yx9qKlNwzyduNI= + =4+Bv -----END PGP MESSAGE----- fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2026-05-25T17:17:13Z" + - created_at: "2026-05-20T02:08:49Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DQrf1tCqiJxoSAQdA7az9ylWMB3fWHwSVRmU8Gu4Qnd6HIyMuiG46weuS/Cww - QMCknkfCG06HtMrOcroNigaj7G6FEvDm64sUkpW/ggWkHUUEMuwi5jcKIdx7XdbJ - 0l4BDGUF81uOghQUq/JqDtiYPD8IzRHMXbJmXiO+4y6DE5b1t99wBUt3C5K5H91D - U3blcYO6GROPSkVp8ZIzfnWLvyVoWInd1ZiRs19n9MN6Yf8uWfx9/3xvN2kKQyvj - =4X+A + hF4DQrf1tCqiJxoSAQdActtZQL4KWrCP8UUZa/fLeDltuNV9JjxTYiI9upoH12Qw + 6n8EBLgKKNw1Hsb40u9M5Ro7Xzbys7zwZsL5CxEgFGDBxthtcdaI/ykjU0W3poLE + 0l4BcMpLoCyxxwIn49GpFxHiv84Q9xhouSMmCTe2p3bn5zCRBnKsetVHtEti4iRF + sY9FipGcyiNHfkp8KsWeUxD/j1QUIkGODXt2RqYkO8ltA5QS3kUCPErmWYymEAEu + =RFaD -----END PGP MESSAGE----- fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2026-05-25T17:17:13Z" + - created_at: "2026-05-20T02:08:49Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DzAGzViGx4qcSAQdA/+jZ9/0jHioWKE2TK24OFDKjJ8futm2TP8z6Xat3uxww - DGwSznxagIkVgdTNKqAWmzGvOum8xDBqzP232CM8B/oxmwIjuIV8+FXtJuFHA/4b - 0lgBN9loSuX5uL5O4uWzPulEhqjFElrWRZXLHZn7uIWipW/7mP8CGu02wwV/lme5 - jvtJ6EjgopmHrxyaJqRk+e65gxBYKvxTQ1H1iETCUq8lOnxSBZVY5m5K - =7H6g + hF4DzAGzViGx4qcSAQdAoNdta1fDVjzrPWeSfKrmslkoFi86I2nWplPOli/gFXsw + 2Cx+wmejLlc61RE5sqAaQJc+0ctRezwXzBJbkuqznZ2jWPCK2A1EQ7r3Q7USCCca + 0lgB6XOo0ByOj/W4TrrGn7VmwLvEqIiWCt5zk4BEUSVc62Ffv48dcwL3hsB3HlRw + 6FXyR+2zwyEU5fuddFO4nMi8AXB6cfU6F4ugFgwn92lCgTom7IULY1D7 + =Czq/ -----END PGP MESSAGE----- fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD - - created_at: "2026-05-25T17:17:13Z" + - created_at: "2026-05-20T02:08:49Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA2pVdGTIrZI+AQ//aZjaPgcAM6RSG6QCnYJgn8EDEhG7HDvXmb58G7VfxArr - m+K4Hc3hW0Hh/c7/bzu2QWniN1ie4apqFSvQmAIJ3zQZSyOsqhzvbmyTFRAyzpzO - lOAo/s0xMu8s5V055vC2KWnKuqb9+WtWgJPotkpOf7wQM3aqtvXKFnPa74ihjXdt - uuopRsOsZPiG8MLcqkCrTy+pd1PywrqwjKeva+mfgbM8zpypw4kwLwrljsxCThkZ - To4dH+K8oesvSeyVOKWtAwnjQsPa3Zn5CFWXNwPnn2kpjyMoNRo07xuRkfHYI4L/ - 7D8zz07XdN47kJbEj2BYjChURtbxkFbAxq+IUDgbNDW+M7VQCKZW+vOFjwmFJAlT - CCco2I3lmrVX1j9BTMRr/3aQNbY/OzOxk0qjYZGnPqV1bH4IazaDFUB8pOdmit2t - KBzDt1L26V0Ek1CpOp1dcJxneITXX1j5IqjMbl0TzyoJ9CxsSaOWfZ6XsBBSXZNZ - VnDENbBAOGcJgatjmC2qH5FCNio7vMRRncX5j82sytDRWbj/7XHENFpfXyGPIuYg - AaHyxSVegFCeRUHpzXo+qeFpNFR4407v+otVaEdxbfj6MQfMZ7tDUOde+97NNRow - tAMUOAN9yhGuEPMPr4stQUz4lHseGMX3VdpJH8UQH+BxVdJhzKg0H/+6bAmnRi/U - aAEJAhAi7DZdrKpPPkDijPKnXCPJB+IzdAJdOCsnIhZFzaiDUo+RLvP9bEpoqv4m - ZFMtiF7P7bXyeNIObCCsgKhdX0thXI9lZvv7k9M4lAbFhPS9vlmDwf25t2Nm9Um8 - 2tbINg+K23jp - =syE6 + hQIMA2pVdGTIrZI+AQ/7B7h5br3PMgum71smOTJMBfl4OaxkQAirJeG/z2fjqbAG + l9q62H1cutGKS/IYOFLE0OQaRwmHtkdTkrdmf9yIuAktcdAGAeqwnYW3LwM3t7U1 + nfZRJH5Hi4xcSVVaWHn5mX0QpxzrCye1EIjHvPRx6/bWHD5sW9qnkZAlAvEJS3/K + jdyBLLlK8AITpsX4eeVnmVLZBjbVEXPlXfFCh9PFyqrl+iyBBY9bO2aMzWldbQIr + j1551Xe1wKAOn5SJTg2Mrm5ehBKfH53HY6ubCy9acbv5ZTe6JuStseWordtRNNXY + 9eVmR3MRVoFWgK4Ccb9Qq8l+uEHRuQfG9K7dSnxQIJpHCOAQO9oi3/ykDt9Vgvo6 + WKPpvyuJpWc5Tn+WF1qhz5wDTRX6XY+cUoHkUqZXG0qMTIfMLIAFZ6MuslHU9f6J + PlY0FTnwp5/v9rK/rjXZkfIxKjQtSWZwkZCszZ0WtNVuaY3KO6KYrd9rolFFYjqn + I2xFGnTNZwh3tjG/3INoMwilOkIUNXr18k6FsPqVCAhj1Oo0iNxb3j+3pGJsH9iN + ciTLeM8MsFW9MYXG23i65a5WVXi8hMTcyqCy9GyxLeFprt2DaH2HaBahF3RIWPop + KTNsvW1aawy+lDUyr4mBy9F0TA8Z1/db3l950Gtuz5s9/7D6bbmRn72O++W1RD3S + XgE3QuksqaIh7ZGt8tVPREEHpBWmPCskh35vLoqeO1QxGxzJcjrcuNeHtOH44EEj + mHzYUydn0e1jwKZkATG23DiBCyMpcNAWmsMH45wmk0fgNLdQhuslhKLqOUDLpN0= + =Ygd+ -----END PGP MESSAGE----- fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 - - created_at: "2026-05-25T17:17:13Z" + - created_at: "2026-05-20T02:08:49Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DKKbvh61jX5USAQdAHw+hxKofus/fR32ThZOHfkL+8TIPvWeYnTYe5UUCC1ww - AtCE+MfZvMgRx7gUpVPcdWtch6nlFzun+r84QfPopFk4S824JFEkK8jG0scYCpy3 - 1GgBCQIQm+g/LWX0T3Do0NXrRGIuw0fiKrQiOpEhbO6a6ez/pES0zKKBdlH+scQl - +nLZoz6Mw5mkwhY6zIKsrikuQ/+sciO2fIq9tI4MR6cvD5gmVrGEjIyOZ4xgl3X9 - nX6OVR9w8cR7rA== - =voeW + hF4DKKbvh61jX5USAQdA8qtjYHoUe+GUdy3obbF+pNmvfuKQUqkMHa6V5ZXOpXAw + M/kx52Vu5xOdynB3NMBXsfTVH7KXh0f06HcehTREOkhlwVMYPcvDQQdzgJ3Xodpc + 0l4BdYtmbmk9ETTqr+wXvf+6BMYIuvyhsLLSqyWyCxJv7blQYsxsc3EAHZ4LB0ZS + /lw6gQ5lmQyvVt9PQZayt6Iku0+WMJcgrf9xykOAm3N2QrtUnr4jHV3FydvTiUwR + =snV0 -----END PGP MESSAGE----- fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49 unencrypted_suffix: _unencrypted diff --git a/inventories/z9/host_vars/rt1.sops.yaml b/inventories/z9/host_vars/rt1.sops.yaml new file mode 100644 index 0000000..f4141fd --- /dev/null +++ b/inventories/z9/host_vars/rt1.sops.yaml @@ -0,0 +1,198 @@ +secrets__secrets: + - name: ENC[AES256_GCM,data:MmqDXUKy+U67JZFmKJTGLYAJcYPClQ8M2w==,iv:/eDx++bJCzdKXYB8YipB/GB6aM421JR3sy8i5trBKxk=,tag:/zTklys9bN839iT1qOH0UQ==,type:str] + content: ENC[AES256_GCM,data:2ljp324rAsF2zk2631TI7bV1xKxdFr4u4NxrsPYnjWsL0PX0n0KhJ1qvJCs=,iv:0+DxsTTiNLOg5iH83bFT/d+0uW2rn6bATSm3xc5PEdE=,tag:XbBDrrjriXPedyT4+sBBwA==,type:str] + - name: ENC[AES256_GCM,data:9i4hZU7Hv/IMlI/1oYthx8g57nrst9LHZQk=,iv:IQanD/CA64A+hVyTQBiTvWdXyY8qNF9BpehWZxI5a9c=,tag:RiY0OJe2xbFPG6wfe5XjiA==,type:str] + content: ENC[AES256_GCM,data:lrwHaNvHkh5E94ziiQsd8ua9YvuwmhZ6iIGZS0oFnZdYKuyNh7egWOoii2o=,iv:LLRKhbiJl1GwK/SfqNdNrrJuDF17YXw3hHmuhlyI87w=,tag:DbR/a7jfy1+4yswSdYfOFA==,type:str] + - name: ENC[AES256_GCM,data:2lJUcDJ7ECJ1bF4Fg1VwOR2tBIQ77ZvDAbFF8w==,iv:HrPWIetjN/lOyQ7Mvk0sM1w+bWldlNfWhvw7/sfqKN8=,tag:AJL0s+f0O/yR4G3RVd1IHQ==,type:str] + content: ENC[AES256_GCM,data:68GUwG1Q2s2jH92HS0FQWrcMHJP8fHjrOqr21gsdswxKekQrpxX5B3BBFfM=,iv:HOsNUAKE5rOmKgZft2JK1NnZUuhk261d9WYWJS22nLM=,tag:3husFvB57AGVFzF7hKzLpw==,type:str] + - name: ENC[AES256_GCM,data:ESxpEp9k9BdD1GJv+af+U3ny0+RPuaJjWDhQ,iv:DxsZLiDF8F+ixepbUdlitMJ7DLHjGNFNuxRwLl7efo8=,tag:STnv/oLzbchdiwXfKP3fow==,type:str] + content: ENC[AES256_GCM,data:W2h5AcoT85OkekPeRkrf1m0bDdBjG/YNSbWlrcZtP7FjaPh/F+cx+J6oRRI=,iv:CLVXTqfstpIU3BX/Zdcnp9w0gWxeGDI/G1MNl6xr4ZU=,tag:yCqN4r1MV/VTWQvZ6COfIw==,type:str] + - name: ENC[AES256_GCM,data:IRwwy+WQxgQ8cDpB8HaCLpKwJj7oC87p0XOxWRo=,iv:BLXNMcigvaOeY6y4NlLPMMWQt9XFi6nodRwIYFgAAnU=,tag:OdQalmujOgrzW8oi64xMRg==,type:str] + content: ENC[AES256_GCM,data:C5oIcuEYtODsvjQZnbqbWVfP63mQzcRuh8f5rlBCyjwSq2mZiYGQe9t0T78=,iv:sITUDo9SKZTSwPfsMv4m4U0ruuVCcaxu7SUT52U4FSE=,tag:4CsSMJWQQPAIeK8DwUDBqg==,type:str] + - name: ENC[AES256_GCM,data:r0sbpjaGjezoNlyl1khy+Dly+8xbbfQZNB8om/E4/tj9lmM=,iv:MLrglBJA6BrHGmFRprlQcf5/Hqh952e5OyQQ9nPxumY=,tag:Se05kMBkSQ7TRxzij7Fo8A==,type:str] + content: ENC[AES256_GCM,data:/c1nRf1eZhbUmoQWvcj8yDaVPtyAN7Uu+S054q3C1/kXlQ7CgOe4CrMXnmk=,iv:ppar0aCKuIU3DOjwAoliZ5TOL199Z+Ffo4pCktjs0W8=,tag:nfaGutK+5KnlWBKU1MTxkQ==,type:str] + - name: ENC[AES256_GCM,data:7mwuykEqbGISOa2n+pWb6INLsHYdjyf2HxTtWpAr5xP1,iv:NMcg+L2DFtBO1nhyPid31yzLr+ZX7DUGl/WxV1MnrqU=,tag:65/BiUEI8v5oMlQqpKNDRg==,type:str] + content: ENC[AES256_GCM,data:SObbA3D/sGN5/i5ps4Zz3alygIXKbSgptFjfPHlwC8G588O+gKAkvKQwU/s=,iv:PY2vLfI3gInFeQbse49KC2/zZ9O4jeXAQ0fpP84GHHE=,tag:214Mb8hIYDkQ4+UkRWtc9w==,type:str] + - name: ENC[AES256_GCM,data:bES9O6JI4wTnuZsup9gflfaozeUDkfjVGNIFn8RnZQ==,iv:98kigM3KZIN5qXNdgfLg5WLmxzAsYCjNqVzyUPco/BI=,tag:1fwEtwQ6i9QQC3OCewN0eA==,type:str] + content: ENC[AES256_GCM,data:flO3Nb4u2WfWNVhn8k5Bgo3LmsHo2cVnLCsrz8ST9Ip7gO9FY9d27FQgphM=,iv:aiDoq+41cSjwcCZRaIPLtbltkOpc7FeuNN7swPqkHXQ=,tag:OhzcY2xKKJF2jZVRseXCFg==,type:str] + - name: ENC[AES256_GCM,data:ERsggezMBbs1YwbIgwzKSAEHWWOWYxap8IDdn2YtEKvZexqu,iv:XbObLp2QERgt57tc/Cpha1CWXi+GttcIU8hJFGSp8e8=,tag:FqCuSbvLRERpVnQTzQsfpQ==,type:str] + content: ENC[AES256_GCM,data:QPoZA71CwE8EFE0I+6z0z0O1bUCMQDDDG7wGNoxXKt3ovLkFt21r8WG7VhA=,iv:InX6A71f3DGTg1wO4G0ECf488+FnKgTHffVwvJ9hHQ0=,tag:EVxwJlneN1CbMLXto7uLFw==,type:str] +sops: + lastmodified: "2026-05-23T21:19:38Z" + mac: ENC[AES256_GCM,data:Ded0VfGn8H2qGMk5LDyqF1gW8hajKc9FgvCynHPQkWkhMSdaHYbFwf//gWi2TjIO22HD5sPw1w9KAjPy53b57RwBCjXfMMq0JCPvuePLK40NC8uCAi+wr5Er0fAWz1JiaA+dowposoi6RxBtyHCaNHMDVGMLh1j+IL+pTOyi6fk=,iv:gssOMmR0DDQC4WjMVXTD/zqbQa8qlBr9ZZWF15W0WnE=,tag:DORTxQfCmpVjDjyGSNH7dw==,type:str] + pgp: + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ//bbr0oza/X6GG43ay9coZbb+0aptj3pGzQqT1ND6nsI34 + iY3IZaMZIti+j/BS5kEfmRn56WZSx6EcbSrlbiyL5NZw9R4/bGRd848rOLwMvuYO + 8Usei9jHdpHiPvKBZnZXaXGU8E27L0Y/LCxSIFOXbyHzHogjz3JmtJQsYpSC+ue6 + mIRrSAJPALrqEL+DZ2bl5UYlBIRXdtIe/jL1CFCJhULt+EjJw72T62DZK/jaNZTj + eint63+IFZSxx5e5vrAeQB+p2EDsp6c5NbDrlgQWb8/J1q/G5bG4KxBs/0hum7OW + /sSsIDb4Qb8U/axt5LduV6AkMXXsclNLQU/LbFAbBRcV8Lvh11f0U3V/UnqUdmvp + efesb5VQh1x0uWjzobxaioLEV/YYbWx8binvuJ3MBHKp6E2xj7IrBTVl0MWgjEou + ZbQDF8DvxA49xEnJyOviL2/zjnV1kXy+Q+BKZga3pr8AnBHA8Ftbsvmk6CyDEM0R + i4FAUOVa9VWiszoOaqyn1Fl02YlweFmgzuFjd3wi74Tbi6RE37rN/vBKySbnRQYl + rFUU3SQlztxd4UBAXBo6gQKTz5B4rehvKVye2mmqEE9bas/lCWAKVJ7+3+0NQdA2 + lp/X7h7DRSD2Qkd35SzxkJz7P86rd0LM1aOu87psxYavEWw6vFs2ErDkSeqDn1DU + aAEJAhDb1s+jpDUa3GvVZjoiiCyutI018jfJU1vi12PGktg4KJcXBx66R/nLItO2 + ba6o66scIiAJZ+jYymW6RbJTI7XRHJp4Cs8COhpMRQeOGwEHFGGL2rpGd3KrOLQe + 0/C6EmrJvGpl + =atNE + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA1QflAioE8i3AQf+NkUGCBrTCkkyl+iBb6P1IWLDGqAY8s20mBZ7G3plKE/J + UrIe947letj/8EA+yoN0uzjwEkh3rDLtZrOLTSgflq1GMpdVhdaTbS71fD3kghJQ + P9tz0zDQEgXHBi+2q7iRrEETx/cu7UDNkSCNvQbWvDmo8MfbSBy+VFCknfupdQxj + 9hlq4kBA0pckPCY8V7E05nDhQntS8wpXIEO1SWiSuiGg+p4yFlvNzWNfhLyEFHxL + BZHVVIU/mzyClMajjLJWjKI1LSgHXXIa28tgdrtiBZOsF+CWveYqJlRJh9NUepJI + ZSeFNhyWmnS9ZkQu5BUyb7+oRxfq2NY51T76Xbo8gNJeAZWwyr1sj1wjubuVeNMF + aU6FiynYWr3I35JRVghTMJ93CnPl+NTpWnQuHpq1bzEGe2u8BMFhgrTu2yMD23VQ + eGien6SqfEbA/wAiz9ZaUgTQH8UyHpliteZ8/SQgkw== + =UJvq + -----END PGP MESSAGE----- + fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7 + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ/+O5JOJfDp/BuBCuXDQVUgJagspQO6LZ/MLrl9qH282AMf + MdgN5M/WjbOv6WZDCMg4nfXps1XgzUEiaA/1m4PxHlMmxjEoQHAE51GMcxsXg+B1 + lM+8uJ1+js1sdDX4xsZtJpbVxJKIbPuhF7oM950oDlL2+UKhUbPlCoxeOihlkVGa + RqHJ/M74xkyKH281oRI5bllJaAroBnXVSFIvbCxA7ts/O7YJPKBowTIj62Kye9Ra + aHC11bPy2RlJCcFZJjPSdnXvzUMpfzEd6O72VUtMBBQZn/in7efutC8FwpRYuUW7 + vSofxUN5n6Mtb8A1XSMFD/nfXVc/pM6Cu7kdtHSwSKgbKKf6mrCeVgaM9xcG0t2W + 9yEtWvkdvOOSqz/vd1vkftbBWcCejX7bktfmD408CJAs1bjzz5CyrDoWcnYmbxFY + 6N4rhMDRMTe19VH2UQ4EvSjQjmmYCspnUW3/78zi5kU1ijyQy13UpbgwulU7tSGc + KKtBjPoy6mLIVl0YhnEJZWD/XPIRWyW+0s+7m70YXCWSVipvCelEE8oPWjf8PLaE + J85crlZGkSRcRO7yOP/YtB9ZnajgaF33zJU3ZWr0C/IXj2TeepZp/JUteD2H/LRf + 9YJzOFYDOFIWcdmaTzJLBEaefWcDjT6wkIf6TBqQRMLsu8JUwy9VwFcsi/d5aMXS + XgEQqSxYb1B39OR0sS1Xpw0/CFe4imBPuG3w0tOAyM3DbPWYY1kZYIRZenV1ZIOS + aRZJh086kuWgHYB76VoNzDK3QperWvHL/8CT2g3HuPiVGSrrXwxCYXk5+UXB9bQ= + =Xx91 + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DsZXvxFXTXoQSAQdA0rZTVdySF9nUiz7ZyFJgq1tojyLojGTgE4UIEJzFSTUw + 9y4kbGn1cWMpAqr+sE3WHV9p7v6kgm/XdUjXGN4DadpUbiYx6sQW2Jov6Km2EYhq + 0l4BawupjX25wi7c2yR5iGdxYS8oCYVmGgcAB3T96v8VsXpkAOYQAOOh7B9GQIxm + hB3cFQLCy2un3VvBsiKGFMA2FhZYBOuaEwP/KmWnPv0IPIRH4by6LDB0xgq8MUNz + =xoVE + -----END PGP MESSAGE----- + fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DerEtaFuTeewSAQdAgcGcZ3BT6lsJ8FxkMghxg5/PZLtIzNeJaEUbxN0EFhsw + uM+Lec3k9BJSUJK8GeVmesYxQh8vP6Yi/+m2LnGjHXzkQg8Bx1HJzuC/Ap36rC6N + 0l4Bxj1URTsRD4yILEA3TY4Dn9St9uOtodJcf5YdAKvmeb3Uwy//huNnA1eK7b+v + WRHcU2K+GgkSzLiRLZTc/nMrrCQ/P5HzwYHmP2rypFX7kxXlPd3K6yMZWTiSgYZd + =gZLQ + -----END PGP MESSAGE----- + fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ//YGOLOFtORNbOu+KFCtGcJBXQMy6Ej3/tePVuDi2vmqLD + 3Dz6stB9D+BmBbcgbFlDA+g7Vi6DD+zcze9wM10iuc9t9ucAuQ7B/ymSvJc4MrYn + MJFvQv5IYgWJmzXLYEFYYpmZPGG3hSHSgWIPs+574wEA/L867ktguW6ZD3ZuMn3E + yjCTeT/ZkGjuIpGqMu2/o9Wvc+RYgWlCB69D8kTHtnbFzbqEzvKU5/zte5ThchA+ + QZwFd/gk3o1G/7WOYJJ6CbBSOQaSrfm0mnb6sppNPdOAQtqHVSFVX5vX96gXsht/ + AkrvD6/2R5eNzbqRaU83cg7c5far49xoBbL6czreWY3D56yK4BJbrrg9mK7oCEfO + GaRDFFD7R4LJPfVx2xDoIQ3Hyp4E3dz4nyJx0Kg7NSEt7soOb5MnZ+04LLAiHbaT + qZr618V530uw3qaCsYcgHy+WsZXXlqXQey3A7jphi3u9Kvn9UjeegjNvpOrMk6g1 + RhGzv72G0wjZnzjTjPlzeROHaQ6RPgfpkZjEcVZNZkfAgAbB3XPgCFGKz4qvx9MP + 4eHIlBSJizLzSi519o+0i5PwrZdEf9L4RUVxgQgdJXMh1JaydVh5DOU+xomdStD5 + Maymkt8fSgYgDaS953YA2e04PrkXCH0EHZ62T9EMxreEoU3nYTmw/TGx7RfU+wzS + XgEuQkLWSToJ40/Ir3obDA246yv7J2FpmPwG4oFypkM5xe1WjlMlk90b9RBhUgXk + ylRXXLBzau6mtbPOa7LGdVyVs2DClWQo9BoK+dxEsnW+TR144O4UmZEfifJXvgQ= + =ympd + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAAshm2x7wX/9g3XJtSN0AnSeCwSHO1I4+ebLKOsB7zcXh8 + hrVO3694jQcU9L01H7jGYw4lNNzBd61/uVE5AvMq4Sqn9iH3MFNESbAEOWVV+TRf + 53JMg9C/aZfde8gHgHPaiVXlCBVEVY9CqHpUXUKDmEE7iRb5P4DuMxOmybDYZGzY + 4c5Ke1MFMkGRmAtsT1qLrT2vh+F0CX4JwpMkxCmOzSWAXbwrVOigJ35l5zM6vme4 + 5EQu9jI8FApTxVchZbr0v3UOKxp5OebqC0jGeznZNf4qb0qnsvuowY6IIw5Tl3/q + H4TLq5EUOVqTC1voIWY/gMjieiW1gtr6vASy4MvbswsZLc26YVE9IbHzAOUWDN2o + f2iQ3aZYuINvniD23XtM0TKepDXWq5eF+AJpmyP/LL8sYvSnWFD+muK3O657djEu + yGZs2EFTrkiUvhBq3apOOYiU0eOi4Aq6UeEbOsLENnQrBRXuHEm4KUSwzOitVwJ1 + ByxQTu7wzY727SOR2hzjMC0LI602WGpEQU7ech5L4uWqtMFwaBP9HnUamcofKqqt + 1vI2BevsJfQ0rtTE6GWseHt702lllTGe3RnHWc6YsMWLwUfRdBPggMW37hAPPcfO + ytbU3RJIxx4vImRtXhkI5yvbpFQrooz1zSeXWaitPE5jmmiKe9IRStLnfiq9E2TS + XgFVuQM8K0LgUYEoAipvafhnC3ohfGsM2AYd36EoaMNLeQ2ZZEiV06/Y3EWoI0iM + aqRLwyBvTuDOc5BK32nCbAgUbbPJjPhqWaoNp5ymCBV76oW613gApkzoUF+OIUU= + =KKaI + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdA8YKD21h5POTLPf04KvGN93omFgkYO+Y8Kc0jM0vdqm8w + 3zYRaLsDjdh8Zd89/HhHJUfLrTp/IJ0n81sK0ZjznbXKxgkseGthMzof+L7BnPAp + 0l4BnAs9iZS4q2LZVS7ySBP89xLmF97qhK2jagMNSAwq8Afxbcw8oQAVQmeyYfxx + X59irIHjI1ugO4o1WnTN67nTQjU5msbVBs0eALrw3jobzFHRL67fS0a4Soa59LTY + =ZHIU + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdAN7rRlv3dMoFOfj9eHgf+0H8521b32nWqySUdriEy6Tcw + gjuReMBpKQOgUfuhIiWkHIKNtNgMrYWiC20ESOXX5b9uYZNpqHCgHQPlX0lEeGim + 0lgBOieL7mSEq4wkWLCSv4sBAmkQA+dnugBeF+TrlqKQTZsbe/Z+jNG4ZrHRvdqi + 4I5It+uaRV9Vrul1c6H7fNreRPUd4hNyJwU7gZQ+vU2WyAmgqerxE1Wb + =gplT + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+ARAAjWK8mU99VcnM/Ckzm+YsZFTwnz4PDAenDDdZ1OOz5IXe + tS4SQPcQlSSOuXEkFLJMmm8QVxtUC3Gh4nF7o+7OygT+0ZXOrB7jFgg10+v/KVA9 + hSlqBdsMxcC0OzBtkGyAOXOxqnTVubuHEGyGpIryHt1/lthUUZHBbjgw7P0Tw2/U + sYK5j5YbqhyBl20gyZorkTTq7pHfVXDVtpe75+ZkqbOg4S6HgW3/dl+v6N0TLfRs + GVl0fUlWIK/akGCB71zdwJs2I1qTeMTlL6v+XSUdXj0YV+5fjh3wf8qzN9geIjQK + ybxGFWDKCAgTMnqoFF5BCL23hFtnCbTtLN1wQT7/m7zpjaBKHOBXZOGXYZCMGZui + sBsUvPANgNdfOse9H2aABQvUQh8WqFw8S73GasvrZHAwEmvnXzocMJd+kUovzmQu + 9FBk5UkcgXfmxeamoP8C700vh4zI+sKz6uEW0+AuVtLlLVqlb2w21kTc+ArZW52n + HLolH5q3Wj6pKuuFCWKr6UgLFcq2w4QngB2p+UABHU3RbwXIra7prDXCUcNC5iCn + ElRFY7OZ3nbHOf9oaW/MitcfszVLyl0ueoay6qxdlIGdXKRGpqxHqqr+92INV/iz + 6CRoAsTqVq1a7ZuAaUdJPvfKVAHHEHjPwlrOc9cXvykG0iQKsRzgqiOtPiGQShnU + aAEJAhDSqCwywHDnQ7X9ZWIzPjwvqyHpEVez8zYh3vpgKpsLb9uL+JizZjV02HMe + nhiL+4o/aNjJgGJWph1uPFhU4wO4AavnNBsHbJSiL/1yTS96hdf8d+gB41yVLU3e + kBkDFLKkIBkU + =aRLd + -----END PGP MESSAGE----- + fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DKKbvh61jX5USAQdABId/P8ozRgJ4ItF1zvxp98aH+g3LZ6UGnxjYjtDxjEIw + VmyerznjOLnpz0EobXRRoot1Lo82Va64HQmXt26LG3gFY1HVp0WOnIZXa/CUoUb8 + 1GgBCQIQloFxKcgFTiRidaJfN7hSeQLleiEe3aifZUyJj8niTmBaY29t+CSoA46N + xZzX1AlxVjfmputhYdTyOYSJtGrj7otmnUN2P+55pjz4L2qCYAEKi1+ibqgpmJh/ + bETQsT6WKJ8FXA== + =Ci7L + -----END PGP MESSAGE----- + fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49 + unencrypted_suffix: _unencrypted + version: 3.13.1 diff --git a/inventories/z9/host_vars/z9-router.yaml b/inventories/z9/host_vars/rt1.yaml similarity index 53% rename from inventories/z9/host_vars/z9-router.yaml rename to inventories/z9/host_vars/rt1.yaml index c9d2b6f..876776a 100644 --- a/inventories/z9/host_vars/z9-router.yaml +++ b/inventories/z9/host_vars/rt1.yaml @@ -1,7 +1,7 @@ -systemd_networkd__config_dir: 'resources/z9/z9-router/systemd_networkd/' -systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/z9/z9-router/systemd_networkd_global_config.conf') }}" -nftables__config: "{{ lookup('ansible.builtin.file', 'resources/z9/z9-router/nftables/nftables.conf') }}" +systemd_networkd__config_dir: 'resources/z9/rt1/systemd_networkd/' +systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/systemd_networkd_global_config.conf') }}" +nftables__config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/nftables/nftables.conf') }}" ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" ansible_pull__timer_randomized_delay_sec: 0min unbound_access_control: [ "10.89.208.0/20" ] -kea_dhcp__include_vars: resources/z9/z9-router/kea_dhcp.yaml +kea_dhcp__include_vars: resources/z9/rt1/kea_dhcp.yaml diff --git a/inventories/z9/host_vars/z9-router.sops.yaml b/inventories/z9/host_vars/z9-router.sops.yaml deleted file mode 100644 index 33bd3c8..0000000 --- a/inventories/z9/host_vars/z9-router.sops.yaml +++ /dev/null @@ -1,209 +0,0 @@ -ansible_pull__age_private_key: ENC[AES256_GCM,data:TlMDo9sUTYznxKOGityGLexk54mM7LU9+U4ln0YYhO5fhXXmwvySxyMLHlaKzSlpU2/mRRy/0v7AIOuRVZx5XqV8X2JJsv3/NeY=,iv:r66g2UQ663KvWyAISitbHBRaLBlJ0gB2g/TW9JiL0Ls=,tag:VEq3Fqj+t40uBo9g4Icfew==,type:str] -secrets__secrets: - - name: ENC[AES256_GCM,data:gt9BarzsfE/GJ5gQeelgePquW6KAgE3Exv4=,iv:IPpUQI+zkf8O+ej+ZxLFyWUOrxGGlZvmDRG0ut2cNsA=,tag:GP66MvcKyCqyKV814+uMYg==,type:str] - content: ENC[AES256_GCM,data:2ljp324rAsF2zk2631TI7bV1xKxdFr4u4NxrsPYnjWsL0PX0n0KhJ1qvJCs=,iv:0+DxsTTiNLOg5iH83bFT/d+0uW2rn6bATSm3xc5PEdE=,tag:XbBDrrjriXPedyT4+sBBwA==,type:str] - - name: ENC[AES256_GCM,data:9i4hZU7Hv/IMlI/1oYthx8g57nrst9LHZQk=,iv:IQanD/CA64A+hVyTQBiTvWdXyY8qNF9BpehWZxI5a9c=,tag:RiY0OJe2xbFPG6wfe5XjiA==,type:str] - content: ENC[AES256_GCM,data:68GUwG1Q2s2jH92HS0FQWrcMHJP8fHjrOqr21gsdswxKekQrpxX5B3BBFfM=,iv:HOsNUAKE5rOmKgZft2JK1NnZUuhk261d9WYWJS22nLM=,tag:3husFvB57AGVFzF7hKzLpw==,type:str] - - name: ENC[AES256_GCM,data:2lJUcDJ7ECJ1bF4Fg1VwOR2tBIQ77ZvDAbFF8w==,iv:HrPWIetjN/lOyQ7Mvk0sM1w+bWldlNfWhvw7/sfqKN8=,tag:AJL0s+f0O/yR4G3RVd1IHQ==,type:str] - content: ENC[AES256_GCM,data:68GUwG1Q2s2jH92HS0FQWrcMHJP8fHjrOqr21gsdswxKekQrpxX5B3BBFfM=,iv:HOsNUAKE5rOmKgZft2JK1NnZUuhk261d9WYWJS22nLM=,tag:3husFvB57AGVFzF7hKzLpw==,type:str] - - name: ENC[AES256_GCM,data:ESxpEp9k9BdD1GJv+af+U3ny0+RPuaJjWDhQ,iv:DxsZLiDF8F+ixepbUdlitMJ7DLHjGNFNuxRwLl7efo8=,tag:STnv/oLzbchdiwXfKP3fow==,type:str] - content: ENC[AES256_GCM,data:W2h5AcoT85OkekPeRkrf1m0bDdBjG/YNSbWlrcZtP7FjaPh/F+cx+J6oRRI=,iv:CLVXTqfstpIU3BX/Zdcnp9w0gWxeGDI/G1MNl6xr4ZU=,tag:yCqN4r1MV/VTWQvZ6COfIw==,type:str] - - name: ENC[AES256_GCM,data:IRwwy+WQxgQ8cDpB8HaCLpKwJj7oC87p0XOxWRo=,iv:BLXNMcigvaOeY6y4NlLPMMWQt9XFi6nodRwIYFgAAnU=,tag:OdQalmujOgrzW8oi64xMRg==,type:str] - content: ENC[AES256_GCM,data:C5oIcuEYtODsvjQZnbqbWVfP63mQzcRuh8f5rlBCyjwSq2mZiYGQe9t0T78=,iv:sITUDo9SKZTSwPfsMv4m4U0ruuVCcaxu7SUT52U4FSE=,tag:4CsSMJWQQPAIeK8DwUDBqg==,type:str] - - name: ENC[AES256_GCM,data:r0sbpjaGjezoNlyl1khy+Dly+8xbbfQZNB8om/E4/tj9lmM=,iv:MLrglBJA6BrHGmFRprlQcf5/Hqh952e5OyQQ9nPxumY=,tag:Se05kMBkSQ7TRxzij7Fo8A==,type:str] - content: ENC[AES256_GCM,data:/c1nRf1eZhbUmoQWvcj8yDaVPtyAN7Uu+S054q3C1/kXlQ7CgOe4CrMXnmk=,iv:ppar0aCKuIU3DOjwAoliZ5TOL199Z+Ffo4pCktjs0W8=,tag:nfaGutK+5KnlWBKU1MTxkQ==,type:str] - - name: ENC[AES256_GCM,data:7mwuykEqbGISOa2n+pWb6INLsHYdjyf2HxTtWpAr5xP1,iv:NMcg+L2DFtBO1nhyPid31yzLr+ZX7DUGl/WxV1MnrqU=,tag:65/BiUEI8v5oMlQqpKNDRg==,type:str] - content: ENC[AES256_GCM,data:SObbA3D/sGN5/i5ps4Zz3alygIXKbSgptFjfPHlwC8G588O+gKAkvKQwU/s=,iv:PY2vLfI3gInFeQbse49KC2/zZ9O4jeXAQ0fpP84GHHE=,tag:214Mb8hIYDkQ4+UkRWtc9w==,type:str] - - name: ENC[AES256_GCM,data:bES9O6JI4wTnuZsup9gflfaozeUDkfjVGNIFn8RnZQ==,iv:98kigM3KZIN5qXNdgfLg5WLmxzAsYCjNqVzyUPco/BI=,tag:1fwEtwQ6i9QQC3OCewN0eA==,type:str] - content: ENC[AES256_GCM,data:flO3Nb4u2WfWNVhn8k5Bgo3LmsHo2cVnLCsrz8ST9Ip7gO9FY9d27FQgphM=,iv:aiDoq+41cSjwcCZRaIPLtbltkOpc7FeuNN7swPqkHXQ=,tag:OhzcY2xKKJF2jZVRseXCFg==,type:str] - - name: ENC[AES256_GCM,data:ERsggezMBbs1YwbIgwzKSAEHWWOWYxap8IDdn2YtEKvZexqu,iv:XbObLp2QERgt57tc/Cpha1CWXi+GttcIU8hJFGSp8e8=,tag:FqCuSbvLRERpVnQTzQsfpQ==,type:str] - content: ENC[AES256_GCM,data:QPoZA71CwE8EFE0I+6z0z0O1bUCMQDDDG7wGNoxXKt3ovLkFt21r8WG7VhA=,iv:InX6A71f3DGTg1wO4G0ECf488+FnKgTHffVwvJ9hHQ0=,tag:EVxwJlneN1CbMLXto7uLFw==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxallVTFdueHBucXBVNzIx - cENqanlOOUticExzVnlERS90b2hWQ2VldUE4Cm9SVmhZejVzanRDTkJhQzhwM3BM - MGcwTEZ4YVQvdjc3clBHei93VEN5SkkKLS0tIGI3KzRPbjlNTFFBL2huYlZSVTZh - OVdXYVRkVVJwbVltSHBXRktIY3BYL2sKe+eqKzYeCUWx0KmT0+aM+TwWRj+P0Ecp - tnFHmQgnEPypIhVvZtzL7i64kL6sHizTmNhbw+hlnCztvsdEV5T0cw== - -----END AGE ENCRYPTED FILE----- - recipient: age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp - lastmodified: "2026-05-25T17:15:30Z" - mac: ENC[AES256_GCM,data:IW9eN5H2J5cnXUHlK2aD+yd2ORx+weSFKBGWd7pIolFb5txg0WlGVp8UpD4h+Tv0SJ9NkQOT6KpcXDez/L7r7xNYtmgf7AdrdGpy3IOkEYzHJ+oHUMd/aL+h5w6/RahrpxlPSrNKAC+AfpY+l0iodwQ09iuLp4YXFxRaRDGpGZw=,iv:6M7RkDN9D9Zlyq1MCRoiT4f1bd6OBZNg+C65oEuSWn4=,tag:wRsq4lt4mHVyY6ruGkYNKQ==,type:str] - pgp: - - created_at: "2026-05-25T17:17:14Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxK/JaB2/SdtARAAlyJLMDlT4FLpMKaC3ygn1cfA2390Dz24lzKlHmwl5GgE - yS9bdTGMpcM8zPOQoqaoy/my3kgx2/U3q7WiCTMdUyYePAWuJFh8ZRZjw/hPpv6n - GwYgK3M2C1I9++zmZD5LlR4TaTTpr99+hctYrrp79QJddgozUzAQ44g7WvDm5VhI - bb2UVSo0MpWvLEMXHqH9YZcjkQyVg/DL+IaU1rM9pmpZxoN7+0jQY4ci1ZeHVo9e - DbYcjMazBLakjZxxdtHrqx3DjZgbYCancMy/dUKVuvDF/lN35WWSxslv14BNHljL - +/9YBDRgIr11x9j1hq241UwBW+6mSFxWF3qQ5esdR5xlLEqbm27PYGtqC4LIdzRX - ZUvdujuQ2PHCYJY/jKWSf0cdfXKEGorc1ZGOV9FNq9L+aKvfmRLWfzX4D0Hp47H2 - d3itVuA9KYOdzmk6O+8FZv/VK1042L90tOPJhrtE287KhcJ2CvfT/Az4Qot8xg3c - tXmO3cWQpigXxJPfKRPjmmLJ9nq0BnBXj5ngkVz7d8R3FR1J/+TWG0F1VU7YeW2+ - Z04RAbbKf36xUTqnaV34EDum4QLLdTMra6fPYPy0KiQYIKDcRSdHeM/hEs7JXP1c - zbUX4xuBOXl7kWYR0e3MUTzxYiQBr9BvSDY+7sGQCb+fPw+AKvFxig1grjsnZvPU - ZgEJAhAUE/ebqBa2nGimcAPn3PfeihehcmjLg7HmyWBPkHHMt/TIOztjkbGiQSC/ - jBP+rhjmFxm0WKUGM4dkh14JkMgz7DZ9fozzLfo8zN8beuSDDzX1BndTIMBQJj8P - Q/rk1NL6pg== - =UXJ9 - -----END PGP MESSAGE----- - fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2026-05-25T17:17:14Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQEMA1QflAioE8i3AQgAg+PBxAqWTfRhxP7GxDfQBPK3d52zshP9xhutqANzszhs - nbo3nHWj/vjvHlEuD+Rr/lr9qxsE3qS4ON7FG929RoB1YFHJnQl29Xym2Q34T0Hy - Ih3dibykm0t/NE+fuxsU4iU0imtjqhqA6P0+8FNF3UeCg60brcqlrBTXM9jFqlZ2 - 9nuvk75HkM1FoHiKx837qAd+RjNNO7xKUpn+EX0l0l9tScuPqUkWNQxLrbHrcO5M - bcEC1syZHQKCiucsesS1pJ7TFWOJsnamZyaqhzANGwWdhYwGQv37bWKr6dYTCy3q - rsT2NxQK4/N9CxmP6xWeAZbX00BDhNMfEQVtTlYLgdJcAS433Hiw+DSEwGu2zvTa - pHtQlGlaoOZemNnthw0NO6JQWGhz6Bx5QqYmbrshtVKNPh87vNVV0HhL/fQ7qwLp - uCgnMi3P59r8EKDZqTSp0YGfE2bx2hpBDnyJ42A= - =rOz4 - -----END PGP MESSAGE----- - fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7 - - created_at: "2026-05-25T17:17:14Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAz5uSgHG2iMJAQ/7BOewbq1xQgTOruTFebugbSrodtfUlIDpCez+FZMw3Gos - uwfp6jslBKXHidsA39CRktJ40EYqygmBgcxGTvHGC94VwSl7OfCjHsyfD/93L358 - XsjpTHXBO/mOjQmJ2smhZx+q+iMLpJnq2QA8mGUI5uzPTjXD19sD9QdYdHF2p8D6 - mdpVWED2gRf/sDoN+y3c/iZvMTN2HeDCx5d/wIgl3mmoHLvWRO8pNBV3EUg3ZBiv - fc0Y7m/0KOqW1itE4yg9IoPBWJg2jYSZTkRnQMPEkKEEHNtbx6dq5tLOYUIIwOwC - 5JlL76BRoaul6ousBSHV8OWCAvS2N8OC+l0ATzk99p/h4zY7PCG7NhkKAOgYfWFa - /z5u6J6TMrmeLZjknFXepuVAzNmDU0CmuhMwZankGKq6lmsQQnHvdq8+ExGGWhfK - m6I8nPvG654md9H7Y3HusHa6y1rkf9gZp1UFzhvXQgZdvc7K5pJrhxjGUnEg6sS0 - m4daDRuNLW32PXiwoWTtTJfOQFv0t1f1eEKI9DO/O8/4fNtIvmI/8HDcdF1XzDnt - lGnyD9cZ5jKsKjGrT9DcvJhyTGWDFeBDTY+rlt52E8NbrzWUjX4J7Gyz8QRY9j7m - wRi4uaVt5KBmB8Ibo2bMTUXU3Db/0p8nCAg/89D1fP6FF4izg3GU4oD3vJyl81XS - XAH8tGT9wbjXuhomyhqemDYb0QdTRfpAznm4AS36qbeU/Tvj4M+Nm64qLpj7FFtK - aeDas4lzgeQf6/cdd5ItLlRHhlBOJEmjHVzRR4npabCWZojP8PTac1IlBgvS - =OH/y - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2026-05-25T17:17:14Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DsZXvxFXTXoQSAQdAIjnFVslIKlmP0X12z6AdWNqxkpVBDFvf03ToWQEQv3Uw - 8ka0OYl32rH6UiiSE1Vve1wZ/iVvK9/il6UhTpeAt8bIiCq6gEGR9Ba5NJnm6rSG - 0lwBwzEtaARPJbbcWu7Jl+dAQ0quP6uVS55OYBuSannlaPrQ5qBuS14AtuQ3UEVz - EbcLJ0b4lGL7hgyAf2E6nuDTkPGPChAJ5H5DfrB74ZB30GcYBTzwj13+jWx/VQ== - =Hxuh - -----END PGP MESSAGE----- - fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE - - created_at: "2026-05-25T17:17:14Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DerEtaFuTeewSAQdANsYlCeGhhqmBgnqcSuNdQBUwYKpucDrb6aR9Siyukjww - 72Gin/635k9bYXwknA1rPyTMvG00giQgjUr/QK6PSD/eGi0QOtMZLj1JRi8f5EU+ - 0lwB+MIM9+EEzHJ96ouzL3bu0e++NvRY1Qjyx1Xi43bM96eBeLZ5DAc1eTSdWizQ - EWTorcmXffkdfOQx1zrlGZo/qvfj5F706VcwX4aZwok/ASRmSeCfEXLgGLCwqQ== - =ccBm - -----END PGP MESSAGE----- - fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 - - created_at: "2026-05-25T17:17:14Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxjNhCKPP69fAQ/+IRYUQhf7zzIZy3AKAtQgyMKRINOUUqOEv6IKmNQaaQP7 - K5JXnVi2gjgBuG+2gH9iCEimIggnWxFhHerfOps+NkAI6y7kFz5hnMtOY2Qf3vxT - Hoyq4l6Yn+gG1HSLozVr9dTQPjyGOKJkm36ZKpM7gqSuLNP2ijKARzay4Chg3i+p - E1TVTVoEczrPdLg3O2fd5mi2UT1k3E4QREti0k6K4juMWqMz+5iJ5X98qCdmE1eX - L5dmW0QSUChzBVw+7NEcxeNx5WsbhWgPA5m2+bng3V8tHqAwrRUCoxn2+yabnsZB - Z0Z7TgcLk0Xnezw+BkT3bOsKgv+atE5lm2rBiRUHRDR3S04j0Ju6fJHf24CNy5ES - xMF7BE23SgmqUq0BrvdJB0ToNKYGMM0C5Xg4vGRiE61+18TiFIeC3mF9suvFFKc+ - houq6Cy7q3O5PEqEbu6t5vXAZHwL9Th+ZatIIe9jSToiZiLEOIEmiYptR009/OWq - v6ADzaAE6+i6HZ62xBYQuZFkiUrRKxYzTHFn0A10QUJrJgbWr8QjS76oKi8feEDC - BJAOwE/0aK+l46hI6mlh6rgeSy8XdOPLEnL4+1HjlshhTTiW1rE2cr0ZiTTA6UFX - UhABIUi6jiLnM13L+auulU1UZQ8wxp73okrcuu6g2bPT/l7zO9YNOCocWVPQa5vS - XAH7qrW533ttg2XAczCdALMulV2N5GHl7TbgRQBkdoBAKL+6oKfxbOZeQM2nrfZT - arytZbnjgCcy5ygnjeziRvWwLk7sysEpAQqQNRm50m2Cq+2ccedRP6zFzUhc - =4hCA - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2026-05-25T17:17:14Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqAQ/9G5pRNmw775xCYA+foCx9rM7eLXJFl2DjaI3a/O0yVc6t - 32xtPuaHwTnP00Pbbo5Vc9QG7k0Fr3Rgy+ep1lGzeCMoHwF9xk98LspDtYZoKopE - 6/L6KLldSauRv0rPVhCQHpZFsnx1VxaJiXn9vAW17+imC9SgqLYGWyrxAtLCOOqH - N68RnTsEDquXixEs82ao0EmQXPquimJgSx+xVSF4yitYYLLLHyUL+drMNuVb9q9Y - oAIdEL1svDIieTbTKGQUqZ8Alf8f/0cqPWpEkDwYIyB/i9KDkH5Oj7uBBRtVLGxQ - VxE32wO1xpXvKgUY2PhWD2rOBVDG8dW/hyqvc1WgIeo1A6FTq34b5dGC2lmTRngB - 9mBjUd59zeOvdXLmoGwXgbjVhpgnm/5wlUeiIC3xR9MjW3znRBT6ujCaglpAdXBC - 0AIugssGcuXbP9Tj5zMVlbdi2dj6Ylc8S1Tj/OjwxHCCj6AWRqpxN5vY28RiLFGy - +eAsryzPk6UTCPIydiWwsrP+w8EhbllFxzZM+Sn+fshAHdRug+EeyT3h5V5JF+Ko - BZCrZkwYqAcVkJjEYlukjvxVFvo+T6tRMz4F4yNgjqFjneUaeLCc6RllaT696H0Y - 8+lw5rK+XpcXBZqso6vsLChRdZQJjoj9lkjRDbmhOkaRglikC6Cx+mpY1/XnGvDS - XAFWOuNKjN/xIRtaDc6tmeWsKkuqghjHiMeRqw10/kTBjniMLLJIN9ssj4HjYqC3 - CsqyHqZmrbITUMr718gX1kkAvzF/fVAXT8YshOcK7rQbiMQJCZqeBp3fY7FC - =5yPR - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2026-05-25T17:17:14Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdAfLqKILCrCv2s2V7bLntk5lHI6Dc1FQlCg3LAefc8oTIw - a3UZU3OajQ1CCIhhu02JSlTKZm2z+pZKVHy+s5EgCqwAWTfPNAnyPT0ZGrhIdcah - 0lwBdg2Tq3+Nhix1ZuA/mUgcrbRBcFKlHY+IGEgOHKLJld9UPF2xEjTX6nmLyuTR - 6x+HW/7vVuc/jcFeQEmokhQw/SICVdyD7NQua4k1agLkty3hGcm1XCsfyKfj+w== - =Bxf9 - -----END PGP MESSAGE----- - fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2026-05-25T17:17:14Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DzAGzViGx4qcSAQdAr2tfPiCpUkxFj4rgSiLf7y4iyKbsgEY87iYH3GAZTVcw - vK2YpjSVgFRoJNx9s3bFr+9UG0LFmKvDZEP83ThQizYs2I/N7MSU8ERRImshaQMH - 0lYB4At0RHC1mp8eKqhRgXenOtpfCiBACtlIdS9m1aqcU6i9Drgt86Bk/LC/HSvJ - MUOit2PP7QZVRWV6F8wAHlUFd6bdTKv9eOCZLSB6mY6DQmkp93FIMg== - =lQcB - -----END PGP MESSAGE----- - fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD - - created_at: "2026-05-25T17:17:14Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA2pVdGTIrZI+ARAAjNHCArTtU9D8zw5yJzvf0KSwQoOaQWHui7AqQkvQ8mJv - 8+Vo9sb+JoSuFHQqqDbOU+VFpmc9CZ6HCJaWqO2gZVgjxrsrPgyfq795LBd6GhX5 - 6zwUH2huxv+n7XkfjN4HHJAlSj0pRyL3fyojdOdtXCTuBGbofLIBJUbuD1wro1K+ - nSHLvdBEitn8afKt5/SaatB8Prwyet6E6J4HluXFQjl+KdrRHHvXImmhNSR4yfIr - yQt2s8qapSvLhrUw9/GFXqM/jg4ZlDhPUhCAKI2Pr5PbsRMBqwdkSrDeB7MHdsU6 - tI4uyb7j8m3VMbFKNVpuluwgk47V+W/h+jtZetSR6ewYsXJjgHNmX6JX73XzR7R+ - q4EBfSAxR7ByZ/HHuumUH6BKBj8IcNJQwtEkLIZmLZ3OdFtJP3YY0esV+gEhG6K7 - m2Zl9C7axuYmvoLrqygaChmxMhMiebTPNkD/dH5Ircwl2cXfHC+bvF2WO73DTk9G - emHzrkniEtuUs+svMhT3NKM3/mpOJTiNezdH39HZADzkBwZ5Mmkfe4mbXByfRN7F - AEJWmnOcpXwXE9//sRbkRr+CGmB86raZE22wHPuk6U9IyVFJm8hJbOzFc7rwu1Eo - 0YWBCsc9dA+jH8hIKrIfXwqnfhYjTrX+oZJeK/8McOwfF7I2G9YrPAgwbokQmtLU - ZgEJAhC8ryOvXwp2kP9sv6nbXIEcwrX8lRjkEWduf6ZAWAfQ5FGBSPzR8WnZWGzN - PCxjg7utA9AHBChF1duwOV2Qr5XW8HTUGAx4fc0T0rjC862vSwf8yAY89WWJyUfk - n8qhhdw1uw== - =KgOe - -----END PGP MESSAGE----- - fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 - - created_at: "2026-05-25T17:17:14Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DKKbvh61jX5USAQdAYrtySnoCK7k4ZZIyllSAr23fozsiZb9Nf6Q+r56i3lAw - 7IxBdJc2ipMxafy1Ntq0wfAYYk7nY6Vz1XtB+ekVeYLOjDmHRnJWq/Jw0K8wLvWT - 1GYBCQIQ/0zDLdFOrMNjVPMutGVJOkpm7mbD30GpgRugzEf2NZePGtptqnP6i1t1 - izBqFRByftV1MUw1uWgTFgB8zEVDh6gG0QAYeRuu3NS9QhwR71Wlu2J4eu+VhZi7 - AKabk3T3Z00= - =A2ad - -----END PGP MESSAGE----- - fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49 - unencrypted_suffix: _unencrypted - version: 3.13.1 diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index 39fa97b..407aa2f 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -14,12 +14,9 @@ all: yate: ansible_host: yate.ccchh.net ansible_user: chaos - z9-router: - ansible_host: z9-router.ccchh.net + rt1: + ansible_host: rt1.ccchh.net ansible_user: chaos -base_config_hosts: - hosts: - z9-router: certbot_hosts: hosts: dooris: @@ -41,7 +38,7 @@ infrastructure_authorized_keys_hosts: light: waybackproxy: yate: - z9-router: + rt1: nginx_hosts: hosts: dooris: @@ -55,29 +52,28 @@ proxmox_vm_template_hosts: thinkcccore0: systemd_networkd_hosts: hosts: - z9-router: + rt1: nftables_hosts: hosts: - z9-router: + rt1: unbound_hosts: hosts: - z9-router: + rt1: kea_dhcp_hosts: hosts: - z9-router: + rt1: alloy_hosts: hosts: light: yate: dooris: - z9-router: + rt1: ansible_pull_hosts: hosts: dooris: light: waybackproxy: yate: - z9-router: secrets_hosts: hosts: - z9-router: + rt1: diff --git a/resources/chaosknoten/auth-dns/zones/ccchh.net.zone b/resources/chaosknoten/auth-dns/zones/ccchh.net.zone index 0360f81..bb5c16f 100644 --- a/resources/chaosknoten/auth-dns/zones/ccchh.net.zone +++ b/resources/chaosknoten/auth-dns/zones/ccchh.net.zone @@ -1,64 +1,73 @@ -$TTL 60 ; 1 minutes -@ SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. ( - 1 ; serial (overwritten by knot automatically) - 86400 ; refresh (1 day) - 7200 ; retry (2 hours) - 3600000 ; expire (5 weeks 6 days 16 hours) - 60 ; minimum/negative ttl (1 minute) - ) +$ORIGIN . +$TTL 900 ; 15 minutes +ccchh.net IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. ( + 2026042801 ; serial + 86400 ; refresh (1 day) + 7200 ; retry (2 hours) + 3600000 ; expire (5 weeks 6 days 16 hours) + 7200 ; minimum (2 hours) + ) + NS auth-dns.hamburg.ccc.de. + NS ns.vie.ccc.de. -@ NS auth-dns.hamburg.ccc.de. -@ NS ns.vie.ccc.de. - - -; -; Network-Infrastructure -; -rt-wan A 185.161.129.134 - AAAA 2a07:c481::1:2 -sw-rack-1 A 10.89.213.2 - AAAA 2a07:c481:1:36::2 -sw-rack-2-poe A 10.89.213.3 - AAAA 2a07:c481:1:36::3 -sw-main-1 A 10.89.213.4 - AAAA 2a07:c481:1:36::4 -sw-main-2 A 10.89.213.5 - AAAA 2a07:c481:1:36::5 -sw-shop-1 A 10.89.213.6 - AAAA 2a07:c481:1:36::6 -sw-shop-2-poe A 10.89.213.7 - AAAA 2a07:c481:1:36::7 -sw-shop-3-poe A 10.89.213.8 - AAAA 2a07:c481:1:36::8 -pve01 A 10.89.213.11 - AAAA 2a07:c481:1:36::11 -pve02 A 10.89.213.12 - AAAA 2a07:c481:1:36::12 -pve03 A 10.89.213.13 - AAAA 2a07:c481:1:36::13 -pve04 A 10.89.213.14 - AAAA 2a07:c481:1:36::14 -pbs A 10.89.213.15 - AAAA 2a07:c481:1:36::15 -unifi A 10.89.213.21 - - -; -; Club-Services -; -xr18 A 172.31.200.21 - -;club-assistant AAAA 2a07:c481:1:d0::a -;;_acme-challenge.club-assistant CNAME d50ad73a-f82d-4244-87f0-6f5195b37d21.auth.acmedns.hamburg.ccc.de -;esphome AAAA 2a07:c481:1:d0::66 -;zigbee2mqtt A 185.161.129.132 -;light AAAA 2a07:c481:1:d0::16 -;_acme-challenge.light CNAME e59f55ee-9013-469d-a146-a159721b6fea.auth.acmedns.hamburg.ccc.de. -;light-werkstatt AAAA 2a07:c481:1:d0::16 -;_acme-challenge.light-werkstatt CNAME f408acc0-d9f5-4525-bb01-28938e3bb7d0.auth.acmedns.hamburg.ccc.de. -;hmdooris-ccu A 10.31.208.202 -;buba A 10.31.211.137 -;dooris AAAA 2a07:c481:1:d0::1c -;_acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de. -;yate A 10.31.208.12 -;staubiv2 A 10.31.210.233 +$ORIGIN ccchh.net. +aes A 212.12.48.125 +club-assistant AAAA 2a07:c481:1:d0::a +;_acme-challenge.club-assistant CNAME d50ad73a-f82d-4244-87f0-6f5195b37d21.auth.acmedns.hamburg.ccc.de +club-assistant.z9 AAAA 2a07:c481:1:d0::a +;_acme-challenge.club-assistant.z9 CNAME 0efa74d1-7dcd-478b-bdc5-5b76d0f07642.auth.acmedns.hamburg.ccc.de +esphome AAAA 2a07:c481:1:d0::66 +esphome.z9 AAAA 2a07:c481:1:d0::66 +zigbee2mqtt A 185.161.129.132 +light AAAA 2a07:c481:1:d0::16 +_acme-challenge.light CNAME e59f55ee-9013-469d-a146-a159721b6fea.auth.acmedns.hamburg.ccc.de. +light.z9 AAAA 2a07:c481:1:d0::16 +_acme-challenge.light.z9 CNAME 3bc9e7ce-03dd-4533-a059-b5d38407eaa5.auth.acmedns.hamburg.ccc.de. +light-werkstatt AAAA 2a07:c481:1:d0::16 +_acme-challenge.light-werkstatt CNAME f408acc0-d9f5-4525-bb01-28938e3bb7d0.auth.acmedns.hamburg.ccc.de. +mailserver-endpoint A 82.165.121.46 +ns1 A 185.161.129.133 +send-only-mail MX 10 send-only-mailserver + TXT "v=spf1 mx -all" +send-only-mailserver A 82.165.121.46 +send-only-mailserver-access A 185.161.129.132 +thinkcccore0 AAAA 2a07:c481:1:f2::3 +thinkcccore0.z9 AAAA 2a07:c481:1:f2::3 +thinkcccore1 AAAA 2a07:c481:1:f2::4 +thinkcccore1.z9 AAAA 2a07:c481:1:f2::4 +opnsense AAAA 2a07:c481:1:f2::1 +opnsense.z9 AAAA 2a07:c481:1:f2::1 +pbs AAAA 2a07:c481:1:f2::4 +thinkcccore2 AAAA 2a07:c481:1:f2::5 +thinkcccore2.z9 AAAA 2a07:c481:1:f2::5 +thinkcccore3 AAAA 2a07:c481:1:f2::6 +thinkcccore3.z9 AAAA 2a07:c481:1:f2::6 +miniscccore0 AAAA 2a07:c481:1:f2::9 +miniscccore0.z9 AAAA 2a07:c481:1:f2::9 +uptime-kuma A 185.161.129.132 +status AAAA 2a07:c481:1:ce::a +status.z9 AAAA 2a07:c481:1:ce::a +wiki A 212.12.48.125 +hmdooris-ccu A 10.31.208.202 +buba A 10.31.211.137 +buba.z9 A 10.31.211.137 +dooris AAAA 2a07:c481:1:d0::1c +_acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de. +waybackproxy A 10.31.208.99 +yate A 10.31.208.12 +staubiv2 A 10.31.210.233 +staubiv2.z9 A 10.31.210.233 +; Mail: hosts.z9.ccchh.net +hosts.z9 MX 10 cow.hamburg.ccc.de + TXT "v=spf1 mx -all" +dkim._domainkey.hosts.z9 TXT ("v=DKIM1;k=rsa;t=s;s=email;" + "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvsdypQ/tlrzto5KVP" + "5o7tEblXK/hOVRFB683uODzo26XTFMSRGjumMuo/tej59GMePdUu0uIsdq8hfj8" + "ot0R2OQNazdyp4NW4TUWfFGJ4S2f6LR3lE3I5Lw7fHiYHz0GnCGTqZIItkHK+xQ" + "i5Fdhwd1YbFJtO0XiZ0jY5w6pvny6pEH8WaKX85rEmz2zqCtpiYPRPmoK/Tn+rV" + "2e8fVioMRm9W8E4PU42WLds66qOkFR0KjKIavE6y7JahESEoVGcVnSPdtMOX0Ln" + "KbSMQNrTvNbBoPdLYvNaXOw7TmVPKjDV+FRCIIdK+m0fL82/vm5jPBvDr5+WlM1" + "xV/P/KlSnQIDAQAB") +$ORIGIN send-only-mail.ccchh.net. +_dmarc TXT "v=DMARC1;p=quarantine;" +key._domainkey TXT "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqduM4+SQ+IQ2uAxbjFkd+0hAjohTgT3nM76jyrWGHJ8TizNU2PGkta0NjCq+m9VLBZUjIJphW2vrnlJsnN0JkGAdoLBL3Qs0kShT6V+xsxslZG2KHApihnJUp34tPSMES+aTnD+jEPGyxFLeoiK+3gywNhCGalHSQ+G88Z2n59wIDAQAB" diff --git a/resources/z9/z9-router/kea_dhcp.yaml b/resources/z9/rt1/kea_dhcp.yaml similarity index 100% rename from resources/z9/z9-router/kea_dhcp.yaml rename to resources/z9/rt1/kea_dhcp.yaml diff --git a/resources/z9/z9-router/nftables/nftables.conf b/resources/z9/rt1/nftables/nftables.conf similarity index 96% rename from resources/z9/z9-router/nftables/nftables.conf rename to resources/z9/rt1/nftables/nftables.conf index f639689..842ca04 100644 --- a/resources/z9/z9-router/nftables/nftables.conf +++ b/resources/z9/rt1/nftables/nftables.conf @@ -108,7 +108,7 @@ table inet forward { meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access" meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access" - # Allow clients and management to most - iifname { $if_netlan_51_clients, $if_netlan_54_management, $if_wg55_management } oifname $lan_ifs accept comment "Allow clients and management to lan interfaces" + # Allow clients and managment to most + iifname { $if_netlan_51_clients, $if_netlan_54_management, $if_wg55_management } oifname $lan_ifs accept comment "allow clients and managment to lan_ifs" } } diff --git a/resources/z9/z9-router/systemd_networkd/00-netlan.link b/resources/z9/rt1/systemd_networkd/00-netlan.link similarity index 100% rename from resources/z9/z9-router/systemd_networkd/00-netlan.link rename to resources/z9/rt1/systemd_networkd/00-netlan.link diff --git a/resources/z9/z9-router/systemd_networkd/00-netwan.link b/resources/z9/rt1/systemd_networkd/00-netwan.link similarity index 100% rename from resources/z9/z9-router/systemd_networkd/00-netwan.link rename to resources/z9/rt1/systemd_networkd/00-netwan.link diff --git a/resources/z9/z9-router/systemd_networkd/10-netlan.51.netdev b/resources/z9/rt1/systemd_networkd/10-netlan.51.netdev similarity index 100% rename from resources/z9/z9-router/systemd_networkd/10-netlan.51.netdev rename to resources/z9/rt1/systemd_networkd/10-netlan.51.netdev diff --git a/resources/z9/z9-router/systemd_networkd/10-netlan.52.netdev b/resources/z9/rt1/systemd_networkd/10-netlan.52.netdev similarity index 100% rename from resources/z9/z9-router/systemd_networkd/10-netlan.52.netdev rename to resources/z9/rt1/systemd_networkd/10-netlan.52.netdev diff --git a/resources/z9/z9-router/systemd_networkd/10-netlan.53.netdev b/resources/z9/rt1/systemd_networkd/10-netlan.53.netdev similarity index 100% rename from resources/z9/z9-router/systemd_networkd/10-netlan.53.netdev rename to resources/z9/rt1/systemd_networkd/10-netlan.53.netdev diff --git a/resources/z9/z9-router/systemd_networkd/10-netlan.54.netdev b/resources/z9/rt1/systemd_networkd/10-netlan.54.netdev similarity index 100% rename from resources/z9/z9-router/systemd_networkd/10-netlan.54.netdev rename to resources/z9/rt1/systemd_networkd/10-netlan.54.netdev diff --git a/resources/z9/z9-router/systemd_networkd/10-netwan.400.netdev b/resources/z9/rt1/systemd_networkd/10-netwan.400.netdev similarity index 100% rename from resources/z9/z9-router/systemd_networkd/10-netwan.400.netdev rename to resources/z9/rt1/systemd_networkd/10-netwan.400.netdev diff --git a/resources/z9/z9-router/systemd_networkd/10-wg55.netdev b/resources/z9/rt1/systemd_networkd/10-wg55.netdev similarity index 96% rename from resources/z9/z9-router/systemd_networkd/10-wg55.netdev rename to resources/z9/rt1/systemd_networkd/10-wg55.netdev index f2de509..b3e41a6 100644 --- a/resources/z9/z9-router/systemd_networkd/10-wg55.netdev +++ b/resources/z9/rt1/systemd_networkd/10-wg55.netdev @@ -5,7 +5,7 @@ Name=wg55 [WireGuard] ListenPort=51820 -PrivateKeyFile=/etc/ansible_secrets/wireguard_wg55_private_key +PrivateKeyFile=/etc/ansible_secrets/wireguard_wg55_privat_key # WireGuard Peers @@ -75,7 +75,7 @@ PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_home_psk [WireGuardPeer] # friendly_name = lilly-lillysLaptop -AllowedIPs = 10.89.214.16/32,2a07:c481:1:37::16/128 +AllowedIPs = 10.89.214.16/32 #,2a07:c481:1:37::/128 PublicKey = IBsI+N8qUNpQnDc5HnqQ2Zo/1graFM0RMIecHmAF+Vk= [WireGuardPeer] diff --git a/resources/z9/z9-router/systemd_networkd/20-netlan.network b/resources/z9/rt1/systemd_networkd/20-netlan.network similarity index 100% rename from resources/z9/z9-router/systemd_networkd/20-netlan.network rename to resources/z9/rt1/systemd_networkd/20-netlan.network diff --git a/resources/z9/z9-router/systemd_networkd/20-netwan.network b/resources/z9/rt1/systemd_networkd/20-netwan.network similarity index 100% rename from resources/z9/z9-router/systemd_networkd/20-netwan.network rename to resources/z9/rt1/systemd_networkd/20-netwan.network diff --git a/resources/z9/z9-router/systemd_networkd/20-wg55.network b/resources/z9/rt1/systemd_networkd/20-wg55.network similarity index 100% rename from resources/z9/z9-router/systemd_networkd/20-wg55.network rename to resources/z9/rt1/systemd_networkd/20-wg55.network diff --git a/resources/z9/z9-router/systemd_networkd/21-netlan.51-clients.network b/resources/z9/rt1/systemd_networkd/21-netlan.51-clients.network similarity index 100% rename from resources/z9/z9-router/systemd_networkd/21-netlan.51-clients.network rename to resources/z9/rt1/systemd_networkd/21-netlan.51-clients.network diff --git a/resources/z9/z9-router/systemd_networkd/21-netlan.52-iot.network b/resources/z9/rt1/systemd_networkd/21-netlan.52-iot.network similarity index 100% rename from resources/z9/z9-router/systemd_networkd/21-netlan.52-iot.network rename to resources/z9/rt1/systemd_networkd/21-netlan.52-iot.network diff --git a/resources/z9/z9-router/systemd_networkd/21-netlan.53-public.network b/resources/z9/rt1/systemd_networkd/21-netlan.53-public.network similarity index 100% rename from resources/z9/z9-router/systemd_networkd/21-netlan.53-public.network rename to resources/z9/rt1/systemd_networkd/21-netlan.53-public.network diff --git a/resources/z9/z9-router/systemd_networkd/21-netlan.54-management.network b/resources/z9/rt1/systemd_networkd/21-netlan.54-management.network similarity index 100% rename from resources/z9/z9-router/systemd_networkd/21-netlan.54-management.network rename to resources/z9/rt1/systemd_networkd/21-netlan.54-management.network diff --git a/resources/z9/z9-router/systemd_networkd/21-netwan.400-fux_uplink.network b/resources/z9/rt1/systemd_networkd/21-netwan.400-fux_uplink.network similarity index 100% rename from resources/z9/z9-router/systemd_networkd/21-netwan.400-fux_uplink.network rename to resources/z9/rt1/systemd_networkd/21-netwan.400-fux_uplink.network diff --git a/resources/z9/z9-router/systemd_networkd_global_config.conf b/resources/z9/rt1/systemd_networkd_global_config.conf similarity index 100% rename from resources/z9/z9-router/systemd_networkd_global_config.conf rename to resources/z9/rt1/systemd_networkd_global_config.conf diff --git a/roles/kea_dhcp/README.md b/roles/kea_dhcp/README.md deleted file mode 100644 index 9938cf9..0000000 --- a/roles/kea_dhcp/README.md +++ /dev/null @@ -1,102 +0,0 @@ -# Role `kea_dhcp` - -Install and manage Kea DHCP and [Stork Agent](https://stork.readthedocs.io/en/latest/man/stork-agent.8.html). - -## Supported Distributions - -Should work on Debian-based distributions. - -## Required Arguments - -None. - -## Optional Arguments - -- `kea_dhcp__stork_agent.enable`: Enable Kea DHCP stork agent. - Defaults to `false`. -- `kea_dhcp__stork_agent.prometheus_only`: Only enable the prometheus endpoint in stork agent. - Defaults to `true`. -- `kea_dhcp__dns_servers.v4`: List of IPv4 DNS Servers in DHCP response. - Defaults to FUX DNS Servers. -- `kea_dhcp__dns_servers.v6`: List of IPv6 DNS Servers in DHCP response. - Defaults to FUX DNS Servers. -- `kea_dhcp__include_vars`: Path to YAML File to separately load VARs for Kea config templating. -- `kea_dhcp__dhcp4.enable`: Enable Kea DHCP4 Service. - Defaults to `false`. -- `kea_dhcp__dhcp4.interfaces`: List of interfaces the DHCP4 Server should listen to and serve. - Defaults to the empty list (`[ ]`). -- `kea_dhcp__dhcp4.control-sockets`: List of Kea DHCP4 control sockets. - Defaults to the list with one entry (see below). -- `kea_dhcp__dhcp4.control-sockets.*.socket-name`: Control socket name. - Defaults to `kea_dhcp__dhcp4.control-sockets.0.socket-name: /var/run/kea-dhcp4-ctrl-agent.sock`. -- `kea_dhcp__dhcp4.control-sockets.*.socket-type`: Control socket type. - Defaults to `kea_dhcp__dhcp4.control-sockets.0.socket-type: unix`. -- `kea_dhcp__dhcp4.lease-database.type`: Type of lease database. - Defaults to `memfile`. -- `kea_dhcp__dhcp4.lease-database.persist`: Persist the lease database. - Defaults to `true`. -- `kea_dhcp__dhcp4.option-data`: List of DHCP4 Options. - Defaults to a list with one entry (see below). -- `kea_dhcp__dhcp4.option-data.*.name`: Name of DHCP4 Option. - Defaults to `kea_dhcp__dhcp4.option-data.0.name: "domain-name-servers"`. -- `kea_dhcp__dhcp4.option-data.*.code`: DHCP4 Option code. - Defaults to `kea_dhcp__dhcp4.option-data.0.code: 6`. -- `kea_dhcp__dhcp4.option-data.*.csv-format`: DHCP4 Option as csv format. - Defaults to `kea_dhcp__dhcp4.option-data.0.csv-format: true`. -- `kea_dhcp__dhcp4.option-data.*.data`: DHCP4 Option data. - Defaults to `kea_dhcp__dhcp4.option-data.0.data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}"`. -- `kea_dhcp__dhcp4.subnets`: List of subnets the DHCP4 server should manage. - Defaults to the empty list (`[ ]`). -- `kea_dhcp__dhcp4.subnets.*.id`: ID of interface (starts with 1). -- `kea_dhcp__dhcp4.subnets.*.subnet`: Subnet on interface. -- `kea_dhcp__dhcp4.subnets.*.pools`: List of DHCP pools in subnet. -- `kea_dhcp__dhcp4.subnets.*.pools.*.pool`: DHCP pool in range format. -- `kea_dhcp__dhcp4.subnets.*.reservations`: List of DHCP lease reservations. -- `kea_dhcp__dhcp4.subnets.*.reservations.*.ip-address`: IP address of reservation. -- `kea_dhcp__dhcp4.subnets.*.reservations.*.hostname`: Hostname of reservation. -- `kea_dhcp__dhcp4.subnets.*.reservations.*.hw-address`: Hardware address of reservation. -- `kea_dhcp__dhcp4.subnets.*.option-data`: List of DHCP lease reservations. -- `kea_dhcp__dhcp4.subnets.*.option-data.*.name`: Name of DHCP4 Option. -- `kea_dhcp__dhcp4.subnets.*.option-data.*.code`: DHCP4 Option code. -- `kea_dhcp__dhcp4.subnets.*.option-data.*.csv-format`: DHCP4 Option as csv format. -- `kea_dhcp__dhcp4.subnets.*.option-data.*.data`: DHCP4 Option data. -- `kea_dhcp__dhcp6.enable`: Enable Kea DHCP6 Service. - Defaults to `false`. -- `kea_dhcp__dhcp6.interfaces`: List of interfaces the DHCP6 Server should listen to and serve. - Defaults to the empty list (`[ ]`). -- `kea_dhcp__dhcp6.control-sockets`: List of Kea DHCP6 control sockets. - Defaults to the list with one entry (see below). -- `kea_dhcp__dhcp6.control-sockets.*.socket-name`: Control socket name. - Defaults to `kea_dhcp__dhcp6.control-sockets.0.socket-name: /var/run/kea-dhcp6-ctrl-agent.sock`. -- `kea_dhcp__dhcp6.control-sockets.*.socket-type`: Control socket type. - Defaults to `kea_dhcp__dhcp6.control-sockets.0.socket-type: unix`. -- `kea_dhcp__dhcp6.lease-database.type`: Type of lease database. - Defaults to `memfile`. -- `kea_dhcp__dhcp6.lease-database.persist`: Persist the lease database. - Defaults to `true`. -- `kea_dhcp__dhcp6.option-data`: List of DHCP6 Options. - Defaults to a list with one entry (see below). -- `kea_dhcp__dhcp6.option-data.*.name`: Name of DHCP6 Option. - Defaults to `kea_dhcp__dhcp6.option-data.0.name: "domain-name-servers"`. -- `kea_dhcp__dhcp6.option-data.*.code`: DHCP6 Option code. - Defaults to `kea_dhcp__dhcp6.option-data.0.code: 6`. -- `kea_dhcp__dhcp6.option-data.*.csv-format`: DHCP6 Option as csv format. - Defaults to `kea_dhcp__dhcp6.option-data.0.csv-format: true`. -- `kea_dhcp__dhcp6.option-data.*.data`: DHCP6 Option data. - Defaults to `kea_dhcp__dhcp6.option-data.0.data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}"`. -- `kea_dhcp__dhcp6.subnets`: List of subnets the DHCP6 server should manage. - Defaults to the empty list (`[ ]`). -- `kea_dhcp__dhcp6.subnets.*.id`: ID of interface (starts with 1). -- `kea_dhcp__dhcp6.subnets.*.subnet`: Subnet on interface. -- `kea_dhcp__dhcp6.subnets.*.pools`: List of DHCP pools in subnet. -- `kea_dhcp__dhcp6.subnets.*.pools.*.pool`: DHCP pool in range format. -- `kea_dhcp__dhcp6.subnets.*.reservations`: List of DHCP lease reservations. -- `kea_dhcp__dhcp6.subnets.*.reservations.*.ip-address`: IP address of reservation. -- `kea_dhcp__dhcp6.subnets.*.reservations.*.hostname`: Hostname of reservation. -- `kea_dhcp__dhcp6.subnets.*.reservations.*.hw-address`: Hardware address of reservation. -- `kea_dhcp__dhcp6.subnets.*.option-data`: List of DHCP lease reservations. -- `kea_dhcp__dhcp6.subnets.*.option-data.*.name`: Name of DHCP6 Option. -- `kea_dhcp__dhcp6.subnets.*.option-data.*.code`: DHCP6 Option code. -- `kea_dhcp__dhcp6.subnets.*.option-data.*.csv-format`: DHCP6 Option as csv format. -- `kea_dhcp__dhcp6.subnets.*.option-data.*.data`: DHCP6 Option data. - diff --git a/roles/kea_dhcp/defaults/main.yaml b/roles/kea_dhcp/defaults/main.yaml index dc6453a..409f0a1 100644 --- a/roles/kea_dhcp/defaults/main.yaml +++ b/roles/kea_dhcp/defaults/main.yaml @@ -1,6 +1,7 @@ kea_dhcp__stork_agent: enable: false prometheus_only: true +kea_dhcp__version_repo: "kea-3-0" kea_dhcp__dns_servers: v6: - "2a07:c481:0:4::2" diff --git a/roles/kea_dhcp/handlers/main.yml b/roles/kea_dhcp/handlers/main.yml index d06aa1c..5b44d6e 100644 --- a/roles/kea_dhcp/handlers/main.yml +++ b/roles/kea_dhcp/handlers/main.yml @@ -4,19 +4,19 @@ ansible.builtin.systemd_service: daemon_reload: true -- name: Kea_dhcp4.restarted +- name: Kea_dhcp4.reloaded ansible.builtin.service: name: kea-dhcp4 state: restarted enabled: true -- name: Kea_dhcp6.restarted +- name: Kea_dhcp6.reloaded ansible.builtin.service: name: kea-dhcp6 state: restarted enabled: true -- name: Kea_ctrl.restarted +- name: Kea_ctrl.reloaded ansible.builtin.systemd: name: kea-ctrl-agent state: restarted diff --git a/roles/kea_dhcp/meta/argument_specs.yaml b/roles/kea_dhcp/meta/argument_specs.yaml index 4d0d594..995b838 100644 --- a/roles/kea_dhcp/meta/argument_specs.yaml +++ b/roles/kea_dhcp/meta/argument_specs.yaml @@ -37,7 +37,7 @@ argument_specs: interfaces: type: "list" elements: "str" - default: [ ] + default: [] control-sockets: type: "list" elements: "dict" @@ -85,7 +85,7 @@ argument_specs: interfaces: type: "list" elements: "str" - default: [ ] + default: [] control-sockets: type: "list" elements: "dict" diff --git a/roles/kea_dhcp/tasks/install_archlinux.yml b/roles/kea_dhcp/tasks/install_archlinux.yml new file mode 100644 index 0000000..7bdb140 --- /dev/null +++ b/roles/kea_dhcp/tasks/install_archlinux.yml @@ -0,0 +1,8 @@ +--- +- name: Install Kea on Archlinux + when: ansible_facts['distribution'] == "Archlinux" + become: true + community.general.pacman: + name: kea + state: present + update_cache: false diff --git a/roles/kea_dhcp/tasks/install_debian.yml b/roles/kea_dhcp/tasks/install_debian.yml index f897ddb..2ac2346 100644 --- a/roles/kea_dhcp/tasks/install_debian.yml +++ b/roles/kea_dhcp/tasks/install_debian.yml @@ -1,25 +1,22 @@ --- +- name: Register isc-kea apt repository + become: true + register: kea_dhcp_repo + when: ansible_facts['distribution'] == "Debian" + ansible.builtin.deb822_repository: + name: "isc-{{ kea_dhcp__version_repo }}" + uris: "https://dl.cloudsmith.io/public/isc/{{ kea_dhcp__version_repo }}/deb/debian" + suites: any-version + components: main + signed_by: "https://dl.cloudsmith.io/public/isc/{{ kea_dhcp__version_repo }}/gpg.key" + - name: Install Kea packages become: true when: ansible_facts['distribution'] == "Debian" - block: - - name: Install Kea dhcp4 - when: kea_dhcp__dhcp4.enable - ansible.builtin.apt: - name: - - isc-kea-dhcp4 - - name: Install Kea dhcp6 - when: kea_dhcp__dhcp6.enable - ansible.builtin.apt: - name: - - isc-kea-dhcp6 - - name: Install Kea ctrl agent - when: kea_dhcp__stork_agent.enable - ansible.builtin.apt: - name: - - isc-kea-ctrl-agent - - name: Install Kea admin - when: kea_dhcp__stork_agent.enable - ansible.builtin.apt: - name: - - isc-kea-admin + ansible.builtin.apt: + name: + - isc-kea-dhcp4 + - isc-kea-dhcp6 + - isc-kea-ctrl-agent + - isc-kea-admin + update_cache: "{{ kea_dhcp_install_repo.changed }}" diff --git a/roles/kea_dhcp/tasks/kea.yaml b/roles/kea_dhcp/tasks/kea.yaml index 116c7dd..a4fd3b5 100644 --- a/roles/kea_dhcp/tasks/kea.yaml +++ b/roles/kea_dhcp/tasks/kea.yaml @@ -1,10 +1,12 @@ --- - name: Include config vars + tags: [ kea, include_vars ] when: kea_dhcp__include_vars is not None ansible.builtin.include_vars: file: "{{ kea_dhcp__include_vars }}" - name: Deploy kea-dhcp4 configuration file + tags: [ kea, dhcp4 ] become: true when: kea_dhcp__dhcp4.enable ansible.builtin.template: @@ -16,9 +18,10 @@ mode: "u=rw,g=r,o=" validate: kea-dhcp4 -T %s notify: - - Kea_dhcp4.restarted + - Kea_dhcp4.reloaded - name: Deploy kea-dhcp6 configuration file + tags: [ kea, dhcp6 ] become: true when: kea_dhcp__dhcp6.enable ansible.builtin.template: @@ -30,9 +33,10 @@ mode: "u=rw,g=r,o=" validate: kea-dhcp6 -T %s notify: - - Kea_dhcp6.restarted + - Kea_dhcp6.reloaded - name: Copy kea-ctrl-agent configuration file + tags: [ kea, ctrl-agent ] become: true when: kea_dhcp__stork_agent.enable ansible.builtin.template: @@ -43,5 +47,5 @@ mode: "u=rw,g=r,o=" validate: kea-ctrl-agent -t %s notify: - - Kea_ctrl.restarted + - Kea_ctrl.reloaded - Stork_agent.restarted diff --git a/roles/kea_dhcp/tasks/main.yml b/roles/kea_dhcp/tasks/main.yml index 6fced08..a3478fa 100644 --- a/roles/kea_dhcp/tasks/main.yml +++ b/roles/kea_dhcp/tasks/main.yml @@ -1,6 +1,11 @@ --- - name: Setup Kea DHCP + tags: [kea, dhcp] block: + - name: Install Kea on Archlinux + when: ansible_facts['distribution'] == "Archlinux" + ansible.builtin.import_tasks: install_archlinux.yml + - name: Install Kea on Debian when: ansible_facts['distribution'] == "Debian" ansible.builtin.import_tasks: install_debian.yml @@ -9,5 +14,6 @@ ansible.builtin.include_tasks: kea.yaml - name: Run stork-agent tasks + tags: [stork-agent, monitoring] when: kea_dhcp__stork_agent.enable ansible.builtin.include_tasks: stork-agent.yaml diff --git a/roles/kea_dhcp/tasks/stork-agent.yaml b/roles/kea_dhcp/tasks/stork-agent.yaml index 0e777d4..916760c 100644 --- a/roles/kea_dhcp/tasks/stork-agent.yaml +++ b/roles/kea_dhcp/tasks/stork-agent.yaml @@ -1,18 +1,55 @@ --- - name: Install stork-agent + tags: [stork-agent] block: - - name: Install isc-stork-agent + - name: Install stork-agent on Archlinux + when: ansible_facts['distribution'] == "Archlinux" + tags: [stork-agent, archlinux] + block: + - name: Create stork-agent user + ansible.builtin.user: + name: stork-agent + create_home: false + home: "/var/lib/stork-agent" + shell: "/usr/bin/nologin" + system: true + groups: ["kea"] + append: true + + - name: Install stork-agent with aur_pkg_install + ansible.builtin.include_role: + name: aur_pkg_install + vars: + aur_pkg_install__pkg_name: "stork-agent" + aur_pkg_install__git_clone_url: "https://ansible:{{ secret__ansible_git_token }}@git.fux-eg.net/aur-mirror/stork-agent.git" + aur_pkg_install__git_ref: "bf96e34" + + - name: Install stork-agent on Debian when: ansible_facts['distribution'] == "Debian" - become: true - ansible.builtin.apt: - name: isc-stork-agent + tags: [stork-agent, debian] + block: + - name: Register isc-stork apt repository + become: true + register: "kea_dhcp_install_repo" + ansible.builtin.deb822_repository: + name: isc-stork + uris: https://dl.cloudsmith.io/public/isc/stork/deb/debian + suites: any-version + components: main + signed_by: https://dl.cloudsmith.io/public/isc/stork/gpg.key + + - name: Install isc-stork-agent + become: true + ansible.builtin.apt: + name: isc-stork-agent + update_cache: "{{ kea_dhcp_install_repo.changed }}" - name: Add stork-agent user to _kea group on Debian when: ansible_facts['distribution'] == "Debian" become: true ansible.builtin.user: name: stork-agent - groups: [ "_kea" ] + groups: ["_kea"] append: true - name: Config for stork-agent diff --git a/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja b/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja index fa7cfd5..78f06ae 100644 --- a/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja +++ b/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja @@ -3,12 +3,12 @@ "interfaces-config": { "interfaces": {{ kea_dhcp__dhcp4.interfaces | to_nice_json }} }, - "control-sockets": {{ kea_dhcp__dhcp4['control-sockets'] | to_nice_json }}, - "lease-database": {{ kea_dhcp__dhcp4['lease-database'] | to_nice_json }}, - {% if kea_dhcp__dhcp4['option-data'] is defined and kea_dhcp__dhcp4['option-data'] %} - "option-data": {{ kea_dhcp__dhcp4['option-data'] | to_nice_json }}, - {% endif %} - "subnet4": [ + "control-sockets": {{ kea_dhcp__dhcp4['control-sockets'] | to_nice_json }}, + "lease-database": {{ kea_dhcp__dhcp4['lease-database'] | to_nice_json }}, + {% if kea_dhcp__dhcp4['option-data'] is defined and kea_dhcp__dhcp4['option-data'] %} + "option-data": {{ kea_dhcp__dhcp4['option-data'] | to_nice_json }}, + {% endif %} + "subnet4": [ {% for subnet in kea_dhcp__dhcp4.subnets %} { "id": {{ subnet.id }}, diff --git a/roles/kea_dhcp/templates/stork-agent.env.jinja b/roles/kea_dhcp/templates/stork-agent.env.jinja index 75250b0..bdfa4d2 100644 --- a/roles/kea_dhcp/templates/stork-agent.env.jinja +++ b/roles/kea_dhcp/templates/stork-agent.env.jinja @@ -1,6 +1,11 @@ -### Stork Agent env file -### (created and managed by ansible kea_dhcp role) +### the IP or hostname to listen on for incoming Stork server connections +# STORK_AGENT_HOST= +### the TCP port to listen on for incoming Stork server connections +# STORK_AGENT_PORT=8081 + +### listen for commands from the Stork server only, but not for Prometheus requests +# STORK_AGENT_LISTEN_STORK_ONLY=true {% if kea_dhcp__stork_agent.prometheus_only %} ### listen for Prometheus requests only, but not for commands from the Stork server @@ -9,12 +14,31 @@ STORK_AGENT_LISTEN_PROMETHEUS_ONLY=true ### settings for exporting stats to Prometheus ### the IP or hostname on which the agent exports Kea statistics to Prometheus -STORK_AGENT_PROMETHEUS_KEA_EXPORTER_ADDRESS=localhost +# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_ADDRESS= ### the port on which the agent exports Kea statistics to Prometheus # STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PORT= +## enable or disable collecting per-subnet stats from Kea +# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PER_SUBNET_STATS=true +### the IP or hostname on which the agent exports BIND 9 statistics to Prometheus +# STORK_AGENT_PROMETHEUS_BIND9_EXPORTER_ADDRESS= +### the port on which the agent exports BIND 9 statistics to Prometheus +# STORK_AGENT_PROMETHEUS_BIND9_EXPORTER_PORT= + +### Stork Server URL used by the agent to send REST commands to the server during agent registration +# STORK_AGENT_SERVER_URL= + +### skip TLS certificate verification when the Stork Agent connects +### to Kea over TLS and Kea uses self-signed certificates +# STORK_AGENT_SKIP_TLS_CERT_VERIFICATION=true + ### Logging parameters ### Set logging level. Supported values are: DEBUG, INFO, WARN, ERROR STORK_LOG_LEVEL=DEBUG +### disable output colorization +# CLICOLOR=false + +### path to the hook directory +# STORK_AGENT_HOOK_DIRECTORY= diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml index 09af699..e1345bf 100644 --- a/roles/unbound/handlers/main.yml +++ b/roles/unbound/handlers/main.yml @@ -1,10 +1,12 @@ - name: unbound.restarted + tags: [ unbound, dns, dns_resolver ] become: true ansible.builtin.systemd: name: unbound.service state: restarted - name: unbound.reloaded + tags: [ unbound, dns, dns_resolver ] become: true ansible.builtin.systemd: name: unbound.service @@ -16,3 +18,10 @@ name: prometheus-unbound-exporter.service state: restarted enabled: true + +- name: prometheus-unbound-exporter.enabled + become: true + ansible.builtin.systemd: + name: prometheus-unbound-exporter.service + enabled: true + daemon_reload: true diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index a4a6896..7ed42cb 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -1,4 +1,5 @@ - name: unbound role main + tags: [ unbound, dns, dns_resolver ] block: - name: install unbound dns resolver @@ -6,6 +7,11 @@ ansible.builtin.package: name: unbound + - name: install extra dns tooling + become: true + ansible.builtin.package: + name: [ bind ] # the bind package includes tools like dig in archlinux + - name: ensure correct directory permissions become: true ansible.builtin.file: @@ -34,10 +40,23 @@ enabled: true - name: disable systemd-resolved + become: true when: unbound_disable_systemd_networkd - ansible.builtin.include_role: - name: deploy_systemd_resolved_config - vars_from: deploy_systemd_resolved_config + ansible.builtin.systemd: + name: systemd-resolved.service + state: stopped + enabled: false + + - name: configure system resolver to point to local unbound + become: true + when: unbound_disable_systemd_networkd + ansible.builtin.copy: + src: no-resolved.resolv.conf + dest: /etc/resolv.conf + owner: unbound + group: unbound + mode: u=rw,g=r,o=r + - name: install and configure prometheus-exporter for unbound ansible.builtin.import_tasks: prometheus-exporter.yml diff --git a/roles/unbound/tasks/prometheus-exporter.yml b/roles/unbound/tasks/prometheus-exporter.yml index fba5090..d05b838 100644 --- a/roles/unbound/tasks/prometheus-exporter.yml +++ b/roles/unbound/tasks/prometheus-exporter.yml @@ -1,15 +1,9 @@ --- -- name: install unbound prometheus exporter # FIXME: there is no prometheus-unbound-exporter in debian .deb exists in https://github.com/letsencrypt/unbound_exporter/releases/tag/v0.6.0 +- name: install unbound prometheus exporter become: true ansible.builtin.package: name: prometheus-unbound-exporter - -- name: enable unbound prometheus exporter - become: true - ansible.builtin.systemd: - name: prometheus-unbound-exporter.service - enabled: true - daemon_reload: true + notify: prometheus-unbound-exporter.enabled - name: configure unbound exporter become: true diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2 index 96aa9cd..a1e310e 100644 --- a/roles/unbound/templates/unbound.conf.j2 +++ b/roles/unbound/templates/unbound.conf.j2 @@ -1,18 +1,22 @@ # ref: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html # unbound.conf(5) man page server: - {% if unbound_enable_dnssec -%} - # location of the trust anchor file that enables DNSSEC - # this file is generated by the `unbound-anchor` command - auto-trust-anchor-file: "/etc/unbound/trusted-key.key" - {% endif -%} + {% if unbound_enable_dnssec -%} + # disable chroot because unbound is the only thing running on the VM + # and because it has issues with how archlinux configures the systemd units write protection regarding the anchor file + chroot: "" + + # location of the trust anchor file that enables DNSSEC + # this file is generated by the `unbound-anchor` command + auto-trust-anchor-file: "/etc/unbound/trusted-key.key" + {% endif -%} # use all CPUs - num-threads: {{ ansible_facts['processor_vcpus'] }} + num-threads: 2 # more cache memory - rrset-cache-size: 60m - msg-cache-size: 30m + rrset-cache-size: 60m + msg-cache-size: 30m # prefetch to keep the cache up to date prefetch: yes @@ -21,48 +25,49 @@ server: prefetch-key: yes # Faster UDP with multithreading (only on Linux). - so-reuseport: yes + so-reuseport: yes # disable special large send buffer handling and just use kernel defaults - so-sndbuf: 0 + so-sndbuf: 0 - # send minimal amount of information to upstream servers to enhance privacy - qname-minimisation: yes + # send minimal amount of information to upstream servers to enhance privacy + qname-minimisation: yes - # specify the interface to answer queries from by ip-address. - {% for i in unbound_bind_interfaces -%} - interface: "{{ i }}" - {% endfor %} + # specify the interface to answer queries from by ip-address. + {% for i in unbound_bind_interfaces -%} + interface: "{{ i }}" + {% endfor %} - # addresses from the IP range that are allowed to connect to the resolver - {% for i in unbound_access_control -%} - access-control: {{ i }} - {% endfor -%} + # addresses from the IP range that are allowed to connect to the resolver + {% for i in unbound_access_control -%} + access-control: {{ i }} + {% endfor -%} - {% for i in unbound_private_domain -%} - private-domain: {{ i }} - {% endfor -%} + {% for i in unbound_private_domain -%} + private-domain: {{ i }} + {% endfor -%} - # The number of seconds between printing statistics to the log for every thread. - statistics-interval: 0 + # The number of seconds between printing statistics to the log for every thread. + statistics-interval: 0 - # Extended statistics are printed, Keeping track of more statistics takes time. - extended-statistics: yes + # Extended statistics are printed, Keeping track of more statistics takes time. + extended-statistics: yes remote-control: - control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }} - control-interface: /run/unbound-control.sock + control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }} + control-interface: /run/unbound-control.sock # configure some zones for which this resolver will act authoritatively # https://www.dns.icann.org/services/axfr/ {% for i in [ ".", "in-addr.arpa.", "arpa.", "root-servers.net.", "ip6.arpa.", "ip6-servers.arpa.", "mcast.net." ] %} auth-zone: - name: "{{ i }}" - primary: "lax.xfr.dns.icann.org" - primary: "iad.xfr.dns.icann.org" - fallback-enabled: yes - for-downstream: no - for-upstream: yes + name: "{{ i }}" + primary: "lax.xfr.dns.icann.org" + primary: "iad.xfr.dns.icann.org" + fallback-enabled: yes + for-downstream: no + for-upstream: yes + {% endfor %} diff --git a/roles/unbound/vars/deploy_systemd_resolved_config.yaml b/roles/unbound/vars/deploy_systemd_resolved_config.yaml deleted file mode 100644 index 0da57c1..0000000 --- a/roles/unbound/vars/deploy_systemd_resolved_config.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -deploy_systemd_resolved_config__enable: false -deploy_systemd_resolved_config__dns: - - 127.0.0.1 -deploy_systemd_resolved_config__fallback_dns: # Fux DNS Server - - 185.161.128.66 - - 2a07:c481:0:4::2 - - 185.161.128.67 - - 2a07:c481:0:4::3