From 2fc93e6e626067703ebbfbda9692e134e355495b Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Sat, 23 May 2026 23:46:00 +0200 Subject: [PATCH 01/16] rt1(z9 host): create host and configure networkd and nftables --- inventories/z9/host_vars/rt1.sops.yaml | 198 ++++++++++++++++++ inventories/z9/host_vars/rt1.yaml | 6 + inventories/z9/hosts.yaml | 11 + resources/z9/rt1/nftables/nftables.conf | 111 ++++++++++ .../z9/rt1/systemd_networkd/00-netlan.link | 6 + .../z9/rt1/systemd_networkd/00-netwan.link | 6 + .../rt1/systemd_networkd/10-netlan.51.netdev | 7 + .../rt1/systemd_networkd/10-netlan.52.netdev | 7 + .../rt1/systemd_networkd/10-netlan.53.netdev | 7 + .../rt1/systemd_networkd/10-netlan.54.netdev | 7 + .../rt1/systemd_networkd/10-netwan.400.netdev | 7 + .../z9/rt1/systemd_networkd/10-wg55.netdev | 90 ++++++++ .../z9/rt1/systemd_networkd/20-netlan.network | 12 ++ .../z9/rt1/systemd_networkd/20-netwan.network | 9 + .../z9/rt1/systemd_networkd/20-wg55.network | 6 + .../21-netlan.51-clients.network | 27 +++ .../systemd_networkd/21-netlan.52-iot.network | 27 +++ .../21-netlan.53-public.network | 27 +++ .../21-netlan.54-management.network | 27 +++ .../21-netwan.400-fux_uplink.network | 26 +++ .../rt1/systemd_networkd_global_config.conf | 3 + 21 files changed, 627 insertions(+) create mode 100644 inventories/z9/host_vars/rt1.sops.yaml create mode 100644 inventories/z9/host_vars/rt1.yaml create mode 100644 resources/z9/rt1/nftables/nftables.conf create mode 100644 resources/z9/rt1/systemd_networkd/00-netlan.link create mode 100644 resources/z9/rt1/systemd_networkd/00-netwan.link create mode 100644 resources/z9/rt1/systemd_networkd/10-netlan.51.netdev create mode 100644 resources/z9/rt1/systemd_networkd/10-netlan.52.netdev create mode 100644 resources/z9/rt1/systemd_networkd/10-netlan.53.netdev create mode 100644 resources/z9/rt1/systemd_networkd/10-netlan.54.netdev create mode 100644 resources/z9/rt1/systemd_networkd/10-netwan.400.netdev create mode 100644 resources/z9/rt1/systemd_networkd/10-wg55.netdev create mode 100644 resources/z9/rt1/systemd_networkd/20-netlan.network create mode 100644 resources/z9/rt1/systemd_networkd/20-netwan.network create mode 100644 resources/z9/rt1/systemd_networkd/20-wg55.network create mode 100644 resources/z9/rt1/systemd_networkd/21-netlan.51-clients.network create mode 100644 resources/z9/rt1/systemd_networkd/21-netlan.52-iot.network create mode 100644 resources/z9/rt1/systemd_networkd/21-netlan.53-public.network create mode 100644 resources/z9/rt1/systemd_networkd/21-netlan.54-management.network create mode 100644 resources/z9/rt1/systemd_networkd/21-netwan.400-fux_uplink.network create mode 100644 resources/z9/rt1/systemd_networkd_global_config.conf diff --git a/inventories/z9/host_vars/rt1.sops.yaml b/inventories/z9/host_vars/rt1.sops.yaml new file mode 100644 index 0000000..f4141fd --- /dev/null +++ b/inventories/z9/host_vars/rt1.sops.yaml @@ -0,0 +1,198 @@ +secrets__secrets: + - name: ENC[AES256_GCM,data:MmqDXUKy+U67JZFmKJTGLYAJcYPClQ8M2w==,iv:/eDx++bJCzdKXYB8YipB/GB6aM421JR3sy8i5trBKxk=,tag:/zTklys9bN839iT1qOH0UQ==,type:str] + content: ENC[AES256_GCM,data:2ljp324rAsF2zk2631TI7bV1xKxdFr4u4NxrsPYnjWsL0PX0n0KhJ1qvJCs=,iv:0+DxsTTiNLOg5iH83bFT/d+0uW2rn6bATSm3xc5PEdE=,tag:XbBDrrjriXPedyT4+sBBwA==,type:str] + - name: ENC[AES256_GCM,data:9i4hZU7Hv/IMlI/1oYthx8g57nrst9LHZQk=,iv:IQanD/CA64A+hVyTQBiTvWdXyY8qNF9BpehWZxI5a9c=,tag:RiY0OJe2xbFPG6wfe5XjiA==,type:str] + content: ENC[AES256_GCM,data:lrwHaNvHkh5E94ziiQsd8ua9YvuwmhZ6iIGZS0oFnZdYKuyNh7egWOoii2o=,iv:LLRKhbiJl1GwK/SfqNdNrrJuDF17YXw3hHmuhlyI87w=,tag:DbR/a7jfy1+4yswSdYfOFA==,type:str] + - name: ENC[AES256_GCM,data:2lJUcDJ7ECJ1bF4Fg1VwOR2tBIQ77ZvDAbFF8w==,iv:HrPWIetjN/lOyQ7Mvk0sM1w+bWldlNfWhvw7/sfqKN8=,tag:AJL0s+f0O/yR4G3RVd1IHQ==,type:str] + content: ENC[AES256_GCM,data:68GUwG1Q2s2jH92HS0FQWrcMHJP8fHjrOqr21gsdswxKekQrpxX5B3BBFfM=,iv:HOsNUAKE5rOmKgZft2JK1NnZUuhk261d9WYWJS22nLM=,tag:3husFvB57AGVFzF7hKzLpw==,type:str] + - name: ENC[AES256_GCM,data:ESxpEp9k9BdD1GJv+af+U3ny0+RPuaJjWDhQ,iv:DxsZLiDF8F+ixepbUdlitMJ7DLHjGNFNuxRwLl7efo8=,tag:STnv/oLzbchdiwXfKP3fow==,type:str] + content: ENC[AES256_GCM,data:W2h5AcoT85OkekPeRkrf1m0bDdBjG/YNSbWlrcZtP7FjaPh/F+cx+J6oRRI=,iv:CLVXTqfstpIU3BX/Zdcnp9w0gWxeGDI/G1MNl6xr4ZU=,tag:yCqN4r1MV/VTWQvZ6COfIw==,type:str] + - name: ENC[AES256_GCM,data:IRwwy+WQxgQ8cDpB8HaCLpKwJj7oC87p0XOxWRo=,iv:BLXNMcigvaOeY6y4NlLPMMWQt9XFi6nodRwIYFgAAnU=,tag:OdQalmujOgrzW8oi64xMRg==,type:str] + content: ENC[AES256_GCM,data:C5oIcuEYtODsvjQZnbqbWVfP63mQzcRuh8f5rlBCyjwSq2mZiYGQe9t0T78=,iv:sITUDo9SKZTSwPfsMv4m4U0ruuVCcaxu7SUT52U4FSE=,tag:4CsSMJWQQPAIeK8DwUDBqg==,type:str] + - name: ENC[AES256_GCM,data:r0sbpjaGjezoNlyl1khy+Dly+8xbbfQZNB8om/E4/tj9lmM=,iv:MLrglBJA6BrHGmFRprlQcf5/Hqh952e5OyQQ9nPxumY=,tag:Se05kMBkSQ7TRxzij7Fo8A==,type:str] + content: ENC[AES256_GCM,data:/c1nRf1eZhbUmoQWvcj8yDaVPtyAN7Uu+S054q3C1/kXlQ7CgOe4CrMXnmk=,iv:ppar0aCKuIU3DOjwAoliZ5TOL199Z+Ffo4pCktjs0W8=,tag:nfaGutK+5KnlWBKU1MTxkQ==,type:str] + - name: ENC[AES256_GCM,data:7mwuykEqbGISOa2n+pWb6INLsHYdjyf2HxTtWpAr5xP1,iv:NMcg+L2DFtBO1nhyPid31yzLr+ZX7DUGl/WxV1MnrqU=,tag:65/BiUEI8v5oMlQqpKNDRg==,type:str] + content: ENC[AES256_GCM,data:SObbA3D/sGN5/i5ps4Zz3alygIXKbSgptFjfPHlwC8G588O+gKAkvKQwU/s=,iv:PY2vLfI3gInFeQbse49KC2/zZ9O4jeXAQ0fpP84GHHE=,tag:214Mb8hIYDkQ4+UkRWtc9w==,type:str] + - name: ENC[AES256_GCM,data:bES9O6JI4wTnuZsup9gflfaozeUDkfjVGNIFn8RnZQ==,iv:98kigM3KZIN5qXNdgfLg5WLmxzAsYCjNqVzyUPco/BI=,tag:1fwEtwQ6i9QQC3OCewN0eA==,type:str] + content: ENC[AES256_GCM,data:flO3Nb4u2WfWNVhn8k5Bgo3LmsHo2cVnLCsrz8ST9Ip7gO9FY9d27FQgphM=,iv:aiDoq+41cSjwcCZRaIPLtbltkOpc7FeuNN7swPqkHXQ=,tag:OhzcY2xKKJF2jZVRseXCFg==,type:str] + - name: ENC[AES256_GCM,data:ERsggezMBbs1YwbIgwzKSAEHWWOWYxap8IDdn2YtEKvZexqu,iv:XbObLp2QERgt57tc/Cpha1CWXi+GttcIU8hJFGSp8e8=,tag:FqCuSbvLRERpVnQTzQsfpQ==,type:str] + content: ENC[AES256_GCM,data:QPoZA71CwE8EFE0I+6z0z0O1bUCMQDDDG7wGNoxXKt3ovLkFt21r8WG7VhA=,iv:InX6A71f3DGTg1wO4G0ECf488+FnKgTHffVwvJ9hHQ0=,tag:EVxwJlneN1CbMLXto7uLFw==,type:str] +sops: + lastmodified: "2026-05-23T21:19:38Z" + mac: ENC[AES256_GCM,data:Ded0VfGn8H2qGMk5LDyqF1gW8hajKc9FgvCynHPQkWkhMSdaHYbFwf//gWi2TjIO22HD5sPw1w9KAjPy53b57RwBCjXfMMq0JCPvuePLK40NC8uCAi+wr5Er0fAWz1JiaA+dowposoi6RxBtyHCaNHMDVGMLh1j+IL+pTOyi6fk=,iv:gssOMmR0DDQC4WjMVXTD/zqbQa8qlBr9ZZWF15W0WnE=,tag:DORTxQfCmpVjDjyGSNH7dw==,type:str] + pgp: + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ//bbr0oza/X6GG43ay9coZbb+0aptj3pGzQqT1ND6nsI34 + iY3IZaMZIti+j/BS5kEfmRn56WZSx6EcbSrlbiyL5NZw9R4/bGRd848rOLwMvuYO + 8Usei9jHdpHiPvKBZnZXaXGU8E27L0Y/LCxSIFOXbyHzHogjz3JmtJQsYpSC+ue6 + mIRrSAJPALrqEL+DZ2bl5UYlBIRXdtIe/jL1CFCJhULt+EjJw72T62DZK/jaNZTj + eint63+IFZSxx5e5vrAeQB+p2EDsp6c5NbDrlgQWb8/J1q/G5bG4KxBs/0hum7OW + /sSsIDb4Qb8U/axt5LduV6AkMXXsclNLQU/LbFAbBRcV8Lvh11f0U3V/UnqUdmvp + efesb5VQh1x0uWjzobxaioLEV/YYbWx8binvuJ3MBHKp6E2xj7IrBTVl0MWgjEou + ZbQDF8DvxA49xEnJyOviL2/zjnV1kXy+Q+BKZga3pr8AnBHA8Ftbsvmk6CyDEM0R + i4FAUOVa9VWiszoOaqyn1Fl02YlweFmgzuFjd3wi74Tbi6RE37rN/vBKySbnRQYl + rFUU3SQlztxd4UBAXBo6gQKTz5B4rehvKVye2mmqEE9bas/lCWAKVJ7+3+0NQdA2 + lp/X7h7DRSD2Qkd35SzxkJz7P86rd0LM1aOu87psxYavEWw6vFs2ErDkSeqDn1DU + aAEJAhDb1s+jpDUa3GvVZjoiiCyutI018jfJU1vi12PGktg4KJcXBx66R/nLItO2 + ba6o66scIiAJZ+jYymW6RbJTI7XRHJp4Cs8COhpMRQeOGwEHFGGL2rpGd3KrOLQe + 0/C6EmrJvGpl + =atNE + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA1QflAioE8i3AQf+NkUGCBrTCkkyl+iBb6P1IWLDGqAY8s20mBZ7G3plKE/J + UrIe947letj/8EA+yoN0uzjwEkh3rDLtZrOLTSgflq1GMpdVhdaTbS71fD3kghJQ + P9tz0zDQEgXHBi+2q7iRrEETx/cu7UDNkSCNvQbWvDmo8MfbSBy+VFCknfupdQxj + 9hlq4kBA0pckPCY8V7E05nDhQntS8wpXIEO1SWiSuiGg+p4yFlvNzWNfhLyEFHxL + BZHVVIU/mzyClMajjLJWjKI1LSgHXXIa28tgdrtiBZOsF+CWveYqJlRJh9NUepJI + ZSeFNhyWmnS9ZkQu5BUyb7+oRxfq2NY51T76Xbo8gNJeAZWwyr1sj1wjubuVeNMF + aU6FiynYWr3I35JRVghTMJ93CnPl+NTpWnQuHpq1bzEGe2u8BMFhgrTu2yMD23VQ + eGien6SqfEbA/wAiz9ZaUgTQH8UyHpliteZ8/SQgkw== + =UJvq + -----END PGP MESSAGE----- + fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7 + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ/+O5JOJfDp/BuBCuXDQVUgJagspQO6LZ/MLrl9qH282AMf + MdgN5M/WjbOv6WZDCMg4nfXps1XgzUEiaA/1m4PxHlMmxjEoQHAE51GMcxsXg+B1 + lM+8uJ1+js1sdDX4xsZtJpbVxJKIbPuhF7oM950oDlL2+UKhUbPlCoxeOihlkVGa + RqHJ/M74xkyKH281oRI5bllJaAroBnXVSFIvbCxA7ts/O7YJPKBowTIj62Kye9Ra + aHC11bPy2RlJCcFZJjPSdnXvzUMpfzEd6O72VUtMBBQZn/in7efutC8FwpRYuUW7 + vSofxUN5n6Mtb8A1XSMFD/nfXVc/pM6Cu7kdtHSwSKgbKKf6mrCeVgaM9xcG0t2W + 9yEtWvkdvOOSqz/vd1vkftbBWcCejX7bktfmD408CJAs1bjzz5CyrDoWcnYmbxFY + 6N4rhMDRMTe19VH2UQ4EvSjQjmmYCspnUW3/78zi5kU1ijyQy13UpbgwulU7tSGc + KKtBjPoy6mLIVl0YhnEJZWD/XPIRWyW+0s+7m70YXCWSVipvCelEE8oPWjf8PLaE + J85crlZGkSRcRO7yOP/YtB9ZnajgaF33zJU3ZWr0C/IXj2TeepZp/JUteD2H/LRf + 9YJzOFYDOFIWcdmaTzJLBEaefWcDjT6wkIf6TBqQRMLsu8JUwy9VwFcsi/d5aMXS + XgEQqSxYb1B39OR0sS1Xpw0/CFe4imBPuG3w0tOAyM3DbPWYY1kZYIRZenV1ZIOS + aRZJh086kuWgHYB76VoNzDK3QperWvHL/8CT2g3HuPiVGSrrXwxCYXk5+UXB9bQ= + =Xx91 + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DsZXvxFXTXoQSAQdA0rZTVdySF9nUiz7ZyFJgq1tojyLojGTgE4UIEJzFSTUw + 9y4kbGn1cWMpAqr+sE3WHV9p7v6kgm/XdUjXGN4DadpUbiYx6sQW2Jov6Km2EYhq + 0l4BawupjX25wi7c2yR5iGdxYS8oCYVmGgcAB3T96v8VsXpkAOYQAOOh7B9GQIxm + hB3cFQLCy2un3VvBsiKGFMA2FhZYBOuaEwP/KmWnPv0IPIRH4by6LDB0xgq8MUNz + =xoVE + -----END PGP MESSAGE----- + fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DerEtaFuTeewSAQdAgcGcZ3BT6lsJ8FxkMghxg5/PZLtIzNeJaEUbxN0EFhsw + uM+Lec3k9BJSUJK8GeVmesYxQh8vP6Yi/+m2LnGjHXzkQg8Bx1HJzuC/Ap36rC6N + 0l4Bxj1URTsRD4yILEA3TY4Dn9St9uOtodJcf5YdAKvmeb3Uwy//huNnA1eK7b+v + WRHcU2K+GgkSzLiRLZTc/nMrrCQ/P5HzwYHmP2rypFX7kxXlPd3K6yMZWTiSgYZd + =gZLQ + -----END PGP MESSAGE----- + fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ//YGOLOFtORNbOu+KFCtGcJBXQMy6Ej3/tePVuDi2vmqLD + 3Dz6stB9D+BmBbcgbFlDA+g7Vi6DD+zcze9wM10iuc9t9ucAuQ7B/ymSvJc4MrYn + MJFvQv5IYgWJmzXLYEFYYpmZPGG3hSHSgWIPs+574wEA/L867ktguW6ZD3ZuMn3E + yjCTeT/ZkGjuIpGqMu2/o9Wvc+RYgWlCB69D8kTHtnbFzbqEzvKU5/zte5ThchA+ + QZwFd/gk3o1G/7WOYJJ6CbBSOQaSrfm0mnb6sppNPdOAQtqHVSFVX5vX96gXsht/ + AkrvD6/2R5eNzbqRaU83cg7c5far49xoBbL6czreWY3D56yK4BJbrrg9mK7oCEfO + GaRDFFD7R4LJPfVx2xDoIQ3Hyp4E3dz4nyJx0Kg7NSEt7soOb5MnZ+04LLAiHbaT + qZr618V530uw3qaCsYcgHy+WsZXXlqXQey3A7jphi3u9Kvn9UjeegjNvpOrMk6g1 + RhGzv72G0wjZnzjTjPlzeROHaQ6RPgfpkZjEcVZNZkfAgAbB3XPgCFGKz4qvx9MP + 4eHIlBSJizLzSi519o+0i5PwrZdEf9L4RUVxgQgdJXMh1JaydVh5DOU+xomdStD5 + Maymkt8fSgYgDaS953YA2e04PrkXCH0EHZ62T9EMxreEoU3nYTmw/TGx7RfU+wzS + XgEuQkLWSToJ40/Ir3obDA246yv7J2FpmPwG4oFypkM5xe1WjlMlk90b9RBhUgXk + ylRXXLBzau6mtbPOa7LGdVyVs2DClWQo9BoK+dxEsnW+TR144O4UmZEfifJXvgQ= + =ympd + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAAshm2x7wX/9g3XJtSN0AnSeCwSHO1I4+ebLKOsB7zcXh8 + hrVO3694jQcU9L01H7jGYw4lNNzBd61/uVE5AvMq4Sqn9iH3MFNESbAEOWVV+TRf + 53JMg9C/aZfde8gHgHPaiVXlCBVEVY9CqHpUXUKDmEE7iRb5P4DuMxOmybDYZGzY + 4c5Ke1MFMkGRmAtsT1qLrT2vh+F0CX4JwpMkxCmOzSWAXbwrVOigJ35l5zM6vme4 + 5EQu9jI8FApTxVchZbr0v3UOKxp5OebqC0jGeznZNf4qb0qnsvuowY6IIw5Tl3/q + H4TLq5EUOVqTC1voIWY/gMjieiW1gtr6vASy4MvbswsZLc26YVE9IbHzAOUWDN2o + f2iQ3aZYuINvniD23XtM0TKepDXWq5eF+AJpmyP/LL8sYvSnWFD+muK3O657djEu + yGZs2EFTrkiUvhBq3apOOYiU0eOi4Aq6UeEbOsLENnQrBRXuHEm4KUSwzOitVwJ1 + ByxQTu7wzY727SOR2hzjMC0LI602WGpEQU7ech5L4uWqtMFwaBP9HnUamcofKqqt + 1vI2BevsJfQ0rtTE6GWseHt702lllTGe3RnHWc6YsMWLwUfRdBPggMW37hAPPcfO + ytbU3RJIxx4vImRtXhkI5yvbpFQrooz1zSeXWaitPE5jmmiKe9IRStLnfiq9E2TS + XgFVuQM8K0LgUYEoAipvafhnC3ohfGsM2AYd36EoaMNLeQ2ZZEiV06/Y3EWoI0iM + aqRLwyBvTuDOc5BK32nCbAgUbbPJjPhqWaoNp5ymCBV76oW613gApkzoUF+OIUU= + =KKaI + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdA8YKD21h5POTLPf04KvGN93omFgkYO+Y8Kc0jM0vdqm8w + 3zYRaLsDjdh8Zd89/HhHJUfLrTp/IJ0n81sK0ZjznbXKxgkseGthMzof+L7BnPAp + 0l4BnAs9iZS4q2LZVS7ySBP89xLmF97qhK2jagMNSAwq8Afxbcw8oQAVQmeyYfxx + X59irIHjI1ugO4o1WnTN67nTQjU5msbVBs0eALrw3jobzFHRL67fS0a4Soa59LTY + =ZHIU + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzAGzViGx4qcSAQdAN7rRlv3dMoFOfj9eHgf+0H8521b32nWqySUdriEy6Tcw + gjuReMBpKQOgUfuhIiWkHIKNtNgMrYWiC20ESOXX5b9uYZNpqHCgHQPlX0lEeGim + 0lgBOieL7mSEq4wkWLCSv4sBAmkQA+dnugBeF+TrlqKQTZsbe/Z+jNG4ZrHRvdqi + 4I5It+uaRV9Vrul1c6H7fNreRPUd4hNyJwU7gZQ+vU2WyAmgqerxE1Wb + =gplT + -----END PGP MESSAGE----- + fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2pVdGTIrZI+ARAAjWK8mU99VcnM/Ckzm+YsZFTwnz4PDAenDDdZ1OOz5IXe + tS4SQPcQlSSOuXEkFLJMmm8QVxtUC3Gh4nF7o+7OygT+0ZXOrB7jFgg10+v/KVA9 + hSlqBdsMxcC0OzBtkGyAOXOxqnTVubuHEGyGpIryHt1/lthUUZHBbjgw7P0Tw2/U + sYK5j5YbqhyBl20gyZorkTTq7pHfVXDVtpe75+ZkqbOg4S6HgW3/dl+v6N0TLfRs + GVl0fUlWIK/akGCB71zdwJs2I1qTeMTlL6v+XSUdXj0YV+5fjh3wf8qzN9geIjQK + ybxGFWDKCAgTMnqoFF5BCL23hFtnCbTtLN1wQT7/m7zpjaBKHOBXZOGXYZCMGZui + sBsUvPANgNdfOse9H2aABQvUQh8WqFw8S73GasvrZHAwEmvnXzocMJd+kUovzmQu + 9FBk5UkcgXfmxeamoP8C700vh4zI+sKz6uEW0+AuVtLlLVqlb2w21kTc+ArZW52n + HLolH5q3Wj6pKuuFCWKr6UgLFcq2w4QngB2p+UABHU3RbwXIra7prDXCUcNC5iCn + ElRFY7OZ3nbHOf9oaW/MitcfszVLyl0ueoay6qxdlIGdXKRGpqxHqqr+92INV/iz + 6CRoAsTqVq1a7ZuAaUdJPvfKVAHHEHjPwlrOc9cXvykG0iQKsRzgqiOtPiGQShnU + aAEJAhDSqCwywHDnQ7X9ZWIzPjwvqyHpEVez8zYh3vpgKpsLb9uL+JizZjV02HMe + nhiL+4o/aNjJgGJWph1uPFhU4wO4AavnNBsHbJSiL/1yTS96hdf8d+gB41yVLU3e + kBkDFLKkIBkU + =aRLd + -----END PGP MESSAGE----- + fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + - created_at: "2026-05-23T20:58:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DKKbvh61jX5USAQdABId/P8ozRgJ4ItF1zvxp98aH+g3LZ6UGnxjYjtDxjEIw + VmyerznjOLnpz0EobXRRoot1Lo82Va64HQmXt26LG3gFY1HVp0WOnIZXa/CUoUb8 + 1GgBCQIQloFxKcgFTiRidaJfN7hSeQLleiEe3aifZUyJj8niTmBaY29t+CSoA46N + xZzX1AlxVjfmputhYdTyOYSJtGrj7otmnUN2P+55pjz4L2qCYAEKi1+ibqgpmJh/ + bETQsT6WKJ8FXA== + =Ci7L + -----END PGP MESSAGE----- + fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49 + unencrypted_suffix: _unencrypted + version: 3.13.1 diff --git a/inventories/z9/host_vars/rt1.yaml b/inventories/z9/host_vars/rt1.yaml new file mode 100644 index 0000000..218f4c4 --- /dev/null +++ b/inventories/z9/host_vars/rt1.yaml @@ -0,0 +1,6 @@ +systemd_networkd__config_dir: 'resources/z9/rt1/systemd_networkd/' +systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/systemd_networkd_global_config.conf') }}" +nftables__config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/nftables/nftables.conf') }}" +ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" +ansible_pull__timer_randomized_delay_sec: 0min +unbound_access_control: [ "10.89.208.0/20" ] diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index eab3880..d4c4ff4 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -14,6 +14,9 @@ all: yate: ansible_host: yate.ccchh.net ansible_user: chaos + rt1: + ansible_host: rt1.ccchh.net + ansible_user: chaos certbot_hosts: hosts: dooris: @@ -35,6 +38,7 @@ infrastructure_authorized_keys_hosts: light: waybackproxy: yate: + rt1: nginx_hosts: hosts: dooris: @@ -46,6 +50,12 @@ ola_hosts: proxmox_vm_template_hosts: hosts: thinkcccore0: +systemd_networkd_hosts: + hosts: + rt1: +nftables_hosts: + hosts: + rt1: alloy_hosts: hosts: light: @@ -59,3 +69,4 @@ ansible_pull_hosts: yate: secrets_hosts: hosts: + rt1: diff --git a/resources/z9/rt1/nftables/nftables.conf b/resources/z9/rt1/nftables/nftables.conf new file mode 100644 index 0000000..21bfbd1 --- /dev/null +++ b/resources/z9/rt1/nftables/nftables.conf @@ -0,0 +1,111 @@ +#!/usr/sbin/nft -f + +## Variables + +# Hosts + + +# Interfaces +define if_netwan = "netwan" +define if_netlan = "netlan" +define if_wg55_management = "wg55" +define if_netwan_400_fux_uplink = "netwan.400" +define if_netlan_51_clients = "netlan.51" +define if_netlan_52_iot = "netlan.52" +define if_netlan_53_public = "netlan.53" +define if_netlan_54_management = "netlan.54" + +# Interface Groups +define wan_ifs = { $if_netwan_400_fux_uplink } +define lan_ifs = { $if_netlan_51_clients, + $if_netlan_52_iot, + $if_netlan_53_public, + $if_netlan_54_management } +define v4_exposed_ifs = { $if_netlan_53_public } +define v6_exposed_ifs = { $if_netlan_53_public } +define v4_nat_ifs = { $if_netlan_51_clients, + $if_netlan_52_iot, + $if_netlan_54_management } + + +## Rules + +table inet reverse-path-forwarding { + chain rpf-filter { + type filter hook prerouting priority mangle + 10; policy drop; + + # Only allow packets if their source address is routed via their incoming interface. + # https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100 + fib saddr . mark . iif oif exists accept + } +} + +table inet host { + chain input { + type filter hook input priority filter; policy drop; + + iifname "lo" accept comment "allow loopback" + + ct state invalid drop + ct state established,related accept + + ip protocol icmp accept + # ICMPv6 + # https://datatracker.ietf.org/doc/html/rfc4890#autoid-24 + # Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped" + # Error messages that are essential to the establishment and maintenance of communications: + icmpv6 type { destination-unreachable, packet-too-big } accept + icmpv6 type { time-exceeded } accept + icmpv6 type { parameter-problem } accept + # Connectivity checking messages: + icmpv6 type { echo-request, echo-reply } accept + # Address Configuration and Router Selection messages: + icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept + # Link-Local Multicast Receiver Notification messages: + icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept + # SEND Certificate Path Notification messages: + icmpv6 type { 148, 149 } accept + # Multicast Router Discovery messages: + icmpv6 type { 151, 152, 153 } accept + + # Allow SSH access. + tcp dport 22 accept comment "allow ssh access" + + # Allow WireGuard access. + udp dport 51820 accept comment "allow WireGuard access" + + # Allow DHCP server access. + iifname { $lan_ifs } udp dport 67 accept comment "allow dhcp server access" + } +} + +table ip v4nat { + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + } + + chain postrouting { + type nat hook postrouting priority srcnat; policy accept; + + iifname { $v4_nat_ifs, $if_wg55_management } oifname $wan_ifs masquerade + } +} + +table inet forward { + chain forward { + type filter hook forward priority filter; policy drop; + + ct state invalid drop + ct state established,related accept + + # Allow internet access. + iifname { $lan_ifs, $if_wg55_management } oifname $wan_ifs accept comment "allow internet access" + + # Allow access to exposed networks from internet. + meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access" + meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access" + + # Allow clients and managment to most + iifname { $if_netlan_51_clients, $if_netlan_54_management, $if_wg55_management } oifname $lan_ifs accept comment "allow clients and managment to lan_ifs" + } +} diff --git a/resources/z9/rt1/systemd_networkd/00-netlan.link b/resources/z9/rt1/systemd_networkd/00-netlan.link new file mode 100644 index 0000000..c2e2470 --- /dev/null +++ b/resources/z9/rt1/systemd_networkd/00-netlan.link @@ -0,0 +1,6 @@ +[Match] +MACAddress=BC:24:11:72:A3:27 +Type=ether + +[Link] +Name=netlan diff --git a/resources/z9/rt1/systemd_networkd/00-netwan.link b/resources/z9/rt1/systemd_networkd/00-netwan.link new file mode 100644 index 0000000..523e18a --- /dev/null +++ b/resources/z9/rt1/systemd_networkd/00-netwan.link @@ -0,0 +1,6 @@ +[Match] +MACAddress=BC:24:11:CF:65:57 +Type=ether + +[Link] +Name=netwan diff --git a/resources/z9/rt1/systemd_networkd/10-netlan.51.netdev b/resources/z9/rt1/systemd_networkd/10-netlan.51.netdev new file mode 100644 index 0000000..b951ecc --- /dev/null +++ b/resources/z9/rt1/systemd_networkd/10-netlan.51.netdev @@ -0,0 +1,7 @@ +[NetDev] +Name=netlan.51 +Kind=vlan + +[VLAN] +Id=51 + diff --git a/resources/z9/rt1/systemd_networkd/10-netlan.52.netdev b/resources/z9/rt1/systemd_networkd/10-netlan.52.netdev new file mode 100644 index 0000000..1f345c7 --- /dev/null +++ b/resources/z9/rt1/systemd_networkd/10-netlan.52.netdev @@ -0,0 +1,7 @@ +[NetDev] +Name=netlan.52 +Kind=vlan + +[VLAN] +Id=52 + diff --git a/resources/z9/rt1/systemd_networkd/10-netlan.53.netdev b/resources/z9/rt1/systemd_networkd/10-netlan.53.netdev new file mode 100644 index 0000000..c6dab81 --- /dev/null +++ b/resources/z9/rt1/systemd_networkd/10-netlan.53.netdev @@ -0,0 +1,7 @@ +[NetDev] +Name=netlan.53 +Kind=vlan + +[VLAN] +Id=53 + diff --git a/resources/z9/rt1/systemd_networkd/10-netlan.54.netdev b/resources/z9/rt1/systemd_networkd/10-netlan.54.netdev new file mode 100644 index 0000000..6271e6c --- /dev/null +++ b/resources/z9/rt1/systemd_networkd/10-netlan.54.netdev @@ -0,0 +1,7 @@ +[NetDev] +Name=netlan.54 +Kind=vlan + +[VLAN] +Id=54 + diff --git a/resources/z9/rt1/systemd_networkd/10-netwan.400.netdev b/resources/z9/rt1/systemd_networkd/10-netwan.400.netdev new file mode 100644 index 0000000..e0b6afc --- /dev/null +++ b/resources/z9/rt1/systemd_networkd/10-netwan.400.netdev @@ -0,0 +1,7 @@ +[NetDev] +Name=netwan.400 +Kind=vlan + +[VLAN] +Id=400 + diff --git a/resources/z9/rt1/systemd_networkd/10-wg55.netdev b/resources/z9/rt1/systemd_networkd/10-wg55.netdev new file mode 100644 index 0000000..b3e41a6 --- /dev/null +++ b/resources/z9/rt1/systemd_networkd/10-wg55.netdev @@ -0,0 +1,90 @@ +[NetDev] +Description=Admin-Wireguard +Kind=wireguard +Name=wg55 + +[WireGuard] +ListenPort=51820 +PrivateKeyFile=/etc/ansible_secrets/wireguard_wg55_privat_key + +# WireGuard Peers + +[WireGuardPeer] +# friendly_name = stb +AllowedIPs = 10.89.214.2/32,2a07:c481:1:37::2/128 +PublicKey = vILSL4dbaC5IaTsRhJviamV18ssxWSj+qLVyowLQ214= +PersistentKeepalive = 30 + +[WireGuardPeer] +# friendly_name = fi +AllowedIPs = 10.89.214.3/32,2a07:c481:1:37::3/128 +PublicKey = UHi/if5uW2V3+8Q3R+uk6/XpRi4fPXbw7chsKI4xlkI= +PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_fi_psk + +[WireGuardPeer] +# friendly_name = jtbx +AllowedIPs = 10.89.214.4/32,2a07:c481:1:37::4/128 +PublicKey = NyyEqdWgScgsnTF8Zz/Om4Lc84fdFMwVtvaCmLEkUlQ= + +[WireGuardPeer] +# friendly_name = June +AllowedIPs = 10.89.214.6/32,2a07:c481:1:37::6/128 +PublicKey = 6jAEB+f9przBGxPhuvv9U9gvZDEBQNqpQSD0BoGqXQQ= +PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_June_psk + +[WireGuardPeer] +# friendly_name = Max +AllowedIPs = 10.89.214.7/32,2a07:c481:1:37::7/128 +PublicKey = oC1hJjtlAgLX/CmbwTC+LPmd1uwluQTwsN8RaMNmHn0= +PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_Max_psk + +[WireGuardPeer] +# friendly_name = dario +AllowedIPs = 10.89.214.9/32,2a07:c481:1:37::9/128 +PublicKey = bYF2EGRGpEGjiKcasi/oaWoWeLsgqsF6FGaq3Z4ERww= +PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_dario_psk + +[WireGuardPeer] +# friendly_name = June-mobile +AllowedIPs = 10.89.214.11/32,2a07:c481:1:37::11/128 +PublicKey = 6edjXykegUgGjbkIG1aJyBlX1SgTKcqXXaSBVPHdKDc= +PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_June-mobile_psk + +[WireGuardPeer] +# friendly_name = djerun_at_ferrum.local +AllowedIPs = 10.89.214.12/32,2a07:c481:1:37::12/128 +PublicKey = aHbdkTHhPkd+o7wWfTua9nd72aF4OVp66zGtpaoD8Fg= + +[WireGuardPeer] +# friendly_name = c6ristian +AllowedIPs = 10.89.214.13/32,2a07:c481:1:37::13/128 +PublicKey = 6ndwj3Ur6AqfUPWuyPYXIaGZs2ujJKawSQ9LEvlYzEc= +PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_c6ristian_psk + +[WireGuardPeer] +# friendly_name = langoor +AllowedIPs = 10.89.214.14/32,2a07:c481:1:37::14/128 +PublicKey = qTnVQlQa1m4SucFFNli/xM6QWfsdWx2baRAit7Cg8RM= +PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_psk + +[WireGuardPeer] +# friendly_name = langoor_home +AllowedIPs = 10.89.214.15/32,2a07:c481:1:37::15/128 +PublicKey = NeMDs2+5rHuKO5ZYXVUR76GorgdesFUnDOFECQ3RzG4= +PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_home_psk + +[WireGuardPeer] +# friendly_name = lilly-lillysLaptop +AllowedIPs = 10.89.214.16/32 #,2a07:c481:1:37::/128 +PublicKey = IBsI+N8qUNpQnDc5HnqQ2Zo/1graFM0RMIecHmAF+Vk= + +[WireGuardPeer] +# friendly_name = bitwhisker +AllowedIPs = 10.89.214.17/32,2a07:c481:1:37::a/128 +PublicKey = DvEGvQPGi+IxeRTIA72Gx3WNINcrV9HRNB1v7mHnhjA= + +[WireGuardPeer] +# friendly_name = forestcat +AllowedIPs = 10.89.214.18/32,2a07:c481:1:37::b/128 +PublicKey = PdJ7KlIeASizj0WTY87d7oSi14/MebrhRa+L8YiPoQE= + diff --git a/resources/z9/rt1/systemd_networkd/20-netlan.network b/resources/z9/rt1/systemd_networkd/20-netlan.network new file mode 100644 index 0000000..3aed715 --- /dev/null +++ b/resources/z9/rt1/systemd_networkd/20-netlan.network @@ -0,0 +1,12 @@ +[Match] +Name=netlan + +[Link] +RequiredForOnline=no + +[Network] +VLAN=netwan.51 +VLAN=netwan.52 +VLAN=netwan.53 +VLAN=netwan.54 + diff --git a/resources/z9/rt1/systemd_networkd/20-netwan.network b/resources/z9/rt1/systemd_networkd/20-netwan.network new file mode 100644 index 0000000..89a8494 --- /dev/null +++ b/resources/z9/rt1/systemd_networkd/20-netwan.network @@ -0,0 +1,9 @@ +[Match] +Name=netwan + +[Link] +RequiredForOnline=no + +[Network] +VLAN=netwan.400 + diff --git a/resources/z9/rt1/systemd_networkd/20-wg55.network b/resources/z9/rt1/systemd_networkd/20-wg55.network new file mode 100644 index 0000000..750e844 --- /dev/null +++ b/resources/z9/rt1/systemd_networkd/20-wg55.network @@ -0,0 +1,6 @@ +[Match] +Name=wg55 + +[Network] +Address=10.89.214.1/24 +Address=2a07:c481:1:37::1/64 diff --git a/resources/z9/rt1/systemd_networkd/21-netlan.51-clients.network b/resources/z9/rt1/systemd_networkd/21-netlan.51-clients.network new file mode 100644 index 0000000..5e9635f --- /dev/null +++ b/resources/z9/rt1/systemd_networkd/21-netlan.51-clients.network @@ -0,0 +1,27 @@ +[Match] +Name=netlan.51 +Type=vlan + +[Link] +RequiredForOnline=no + +[Network] +Description=clients + +# Masquerading done in nftables (nftables.conf). +IPv6SendRA=yes + +[Address] +Address=10.89.208.1/22 + +[IPv6SendRA] +UplinkInterface=netwan.400 +EmitDomains=true +Domains=ccchh.net +Managed=true + +[IPv6Prefix] +Prefix=2a07:c481:1:33::/64 +Assign=true +Token=static:::1 + diff --git a/resources/z9/rt1/systemd_networkd/21-netlan.52-iot.network b/resources/z9/rt1/systemd_networkd/21-netlan.52-iot.network new file mode 100644 index 0000000..5b58610 --- /dev/null +++ b/resources/z9/rt1/systemd_networkd/21-netlan.52-iot.network @@ -0,0 +1,27 @@ +[Match] +Name=netlan.52 +Type=vlan + +[Link] +RequiredForOnline=no + +[Network] +Description=IoT + +# Masquerading done in nftables (nftables.conf). +IPv6SendRA=yes + +[Address] +Address=10.89.212.1/24 + +[IPv6SendRA] +UplinkInterface=netwan.400 +EmitDomains=true +Domains=ccchh.net +Managed=true + +[IPv6Prefix] +Prefix=2a07:c481:1:34::/64 +Assign=true +Token=static:::1 + diff --git a/resources/z9/rt1/systemd_networkd/21-netlan.53-public.network b/resources/z9/rt1/systemd_networkd/21-netlan.53-public.network new file mode 100644 index 0000000..f544a5b --- /dev/null +++ b/resources/z9/rt1/systemd_networkd/21-netlan.53-public.network @@ -0,0 +1,27 @@ +[Match] +Name=netlan.53 +Type=vlan + +[Link] +RequiredForOnline=no + +[Network] +Description=public + +# Masquerading done in nftables (nftables.conf). +IPv6SendRA=yes + +[Address] +Address=185.161.130.65/28 + +[IPv6SendRA] +UplinkInterface=netwan.400 +EmitDomains=true +Domains=ccchh.net +Managed=true + +[IPv6Prefix] +Prefix=2a07:c481:1:35::/64 +Assign=true +Token=static:::1 + diff --git a/resources/z9/rt1/systemd_networkd/21-netlan.54-management.network b/resources/z9/rt1/systemd_networkd/21-netlan.54-management.network new file mode 100644 index 0000000..2396da0 --- /dev/null +++ b/resources/z9/rt1/systemd_networkd/21-netlan.54-management.network @@ -0,0 +1,27 @@ +[Match] +Name=netlan.54 +Type=vlan + +[Link] +RequiredForOnline=no + +[Network] +Description=Management + +# Masquerading done in nftables (nftables.conf). +IPv6SendRA=yes + +[Address] +Address=10.89.213.0/24 + +[IPv6SendRA] +UplinkInterface=netwan.400 +EmitDomains=true +Domains=ccchh.net +Managed=true + +[IPv6Prefix] +Prefix=2a07:c481:1:36::/64 +Assign=true +Token=static:::1 + diff --git a/resources/z9/rt1/systemd_networkd/21-netwan.400-fux_uplink.network b/resources/z9/rt1/systemd_networkd/21-netwan.400-fux_uplink.network new file mode 100644 index 0000000..1657c40 --- /dev/null +++ b/resources/z9/rt1/systemd_networkd/21-netwan.400-fux_uplink.network @@ -0,0 +1,26 @@ +[Match] +Name=netwan.400 +Type=vlan + +[Link] +RequiredForOnline=no + +[Network] +Description=fux-uplink + +DNS=185.161.128.66 +DNS=2a07:c481:0:4::2 +DNS=185.161.128.67 +DNS=2a07:c481:0:4::3 + +IPv6AcceptRA=no +# Masquerading done in nftables (nftables.conf). +IPv6SendRA=no + +[Address] +Address=185.161.129.134/25 +Address=2a07:c481::1:2/64 + +[Route] +Gateway=185.161.129.129 +Gateway=2a07:c481::1 diff --git a/resources/z9/rt1/systemd_networkd_global_config.conf b/resources/z9/rt1/systemd_networkd_global_config.conf new file mode 100644 index 0000000..2d3d8a3 --- /dev/null +++ b/resources/z9/rt1/systemd_networkd_global_config.conf @@ -0,0 +1,3 @@ +[Network] +IPv4Forwarding=true +IPv6Forwarding=true From bbf45e91f452c901dc317f30e43a31fa4ce9a066 Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Sun, 24 May 2026 04:01:11 +0200 Subject: [PATCH 02/16] rt1(z9 host) unbound(role) kea_dhcp(role): create unbound and kea_dhcp role for rt1 - create unbound role - create kea_dhcp role - configure unbound and keadhcp on rt1(z9 host) --- inventories/z9/host_vars/rt1.yaml | 1 + inventories/z9/hosts.yaml | 7 + playbooks/deploy.yaml | 14 + resources/z9/rt1/kea_dhcp.yaml | 293 ++++++++++++++++++ resources/z9/rt1/nftables/nftables.conf | 3 + roles/kea_dhcp/defaults/main.yaml | 69 +++++ roles/kea_dhcp/handlers/main.yml | 30 ++ roles/kea_dhcp/meta/argument_specs.yaml | 125 ++++++++ roles/kea_dhcp/tasks/install_archlinux.yml | 8 + roles/kea_dhcp/tasks/install_debian.yml | 22 ++ roles/kea_dhcp/tasks/kea.yaml | 51 +++ roles/kea_dhcp/tasks/main.yml | 19 ++ roles/kea_dhcp/tasks/stork-agent.yaml | 76 +++++ .../kea_dhcp/templates/kea-ctrl-agent.conf.j2 | 20 ++ roles/kea_dhcp/templates/kea-dhcp4.conf.jinja | 27 ++ roles/kea_dhcp/templates/kea-dhcp6.conf.jinja | 27 ++ .../kea_dhcp/templates/stork-agent.env.jinja | 44 +++ roles/unbound/README.md | 19 ++ roles/unbound/defaults/main.yml | 7 + roles/unbound/files/no-resolved.resolv.conf | 1 + roles/unbound/handlers/main.yml | 27 ++ roles/unbound/tasks/main.yml | 63 ++++ roles/unbound/tasks/prometheus-exporter.yml | 17 + roles/unbound/templates/unbound.conf.j2 | 73 +++++ 24 files changed, 1043 insertions(+) create mode 100644 resources/z9/rt1/kea_dhcp.yaml create mode 100644 roles/kea_dhcp/defaults/main.yaml create mode 100644 roles/kea_dhcp/handlers/main.yml create mode 100644 roles/kea_dhcp/meta/argument_specs.yaml create mode 100644 roles/kea_dhcp/tasks/install_archlinux.yml create mode 100644 roles/kea_dhcp/tasks/install_debian.yml create mode 100644 roles/kea_dhcp/tasks/kea.yaml create mode 100644 roles/kea_dhcp/tasks/main.yml create mode 100644 roles/kea_dhcp/tasks/stork-agent.yaml create mode 100644 roles/kea_dhcp/templates/kea-ctrl-agent.conf.j2 create mode 100644 roles/kea_dhcp/templates/kea-dhcp4.conf.jinja create mode 100644 roles/kea_dhcp/templates/kea-dhcp6.conf.jinja create mode 100644 roles/kea_dhcp/templates/stork-agent.env.jinja create mode 100644 roles/unbound/README.md create mode 100644 roles/unbound/defaults/main.yml create mode 100644 roles/unbound/files/no-resolved.resolv.conf create mode 100644 roles/unbound/handlers/main.yml create mode 100644 roles/unbound/tasks/main.yml create mode 100644 roles/unbound/tasks/prometheus-exporter.yml create mode 100644 roles/unbound/templates/unbound.conf.j2 diff --git a/inventories/z9/host_vars/rt1.yaml b/inventories/z9/host_vars/rt1.yaml index 218f4c4..876776a 100644 --- a/inventories/z9/host_vars/rt1.yaml +++ b/inventories/z9/host_vars/rt1.yaml @@ -4,3 +4,4 @@ nftables__config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/nftables/ ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" ansible_pull__timer_randomized_delay_sec: 0min unbound_access_control: [ "10.89.208.0/20" ] +kea_dhcp__include_vars: resources/z9/rt1/kea_dhcp.yaml diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index d4c4ff4..407aa2f 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -56,11 +56,18 @@ systemd_networkd_hosts: nftables_hosts: hosts: rt1: +unbound_hosts: + hosts: + rt1: +kea_dhcp_hosts: + hosts: + rt1: alloy_hosts: hosts: light: yate: dooris: + rt1: ansible_pull_hosts: hosts: dooris: diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index b7ce104..54d4098 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml @@ -27,6 +27,20 @@ tags: - nftables +- name: Ensure unbound deployment on unbound_hosts + hosts: unbound_hosts + roles: + - unbound + tags: + - unbound + +- name: Ensure kea_dhcp deployment on kea_dhcp_hosts + hosts: kea_dhcp_hosts + roles: + - kea_dhcp + tags: + - kea_dhcp + - name: Ensure deployment of infrastructure authorized keys hosts: infrastructure_authorized_keys_hosts roles: diff --git a/resources/z9/rt1/kea_dhcp.yaml b/resources/z9/rt1/kea_dhcp.yaml new file mode 100644 index 0000000..d191881 --- /dev/null +++ b/resources/z9/rt1/kea_dhcp.yaml @@ -0,0 +1,293 @@ +kea_dhcp__dns_servers: + v4: + - 185.161.129.134 + v6: + - 2a07:c481::1:2 + +kea_dhcp__dhcp4: + enable: true + interfaces: [ "netlan.51", "netlan.52", "netlan.54" ] + control-sockets: + - socket-name: /var/run/kea-dhcp4-ctrl-agent.sock + socket-type: unix + lease-database: + type: memfile + persist: true + option-data: + - name: "domain-name-servers" + code: 6 + csv-format: true + data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}" + subnets: + - id: 1 + subnet: 10.89.208.0/22 + pools: + - pool: "10.89.208.32 - 10.89.211.250" + reservations: + - ip-address: 10.89.208.11 + hostname: beamer + hw-address: "ac:87:a3:18:9e:01" + - ip-address: 10.89.208.12 + hostname: Brother-CCCHH + hw-address: "00:80:77:04:3a:55" + - ip-address: 10.89.208.13 + hostname: muzak + hw-address: "00:11:24:5f:4f:80" + - ip-address: 10.89.208.14 + hostname: Big-Room-Beamer + hw-address: "64:d2:c4:db:08:5c" + - ip-address: 10.89.208.16 + hostname: dooris + hw-address: "bc:24:11:b3:93:9c" + - ip-address: 10.89.208.17 + hostname: hmdooris-ccu + hw-address: "bc:24:11:5f:2d:b1" + - ip-address: 10.89.208.27 + hostname: cisco-slm248p + hw-address: "00:23:eb:b0:fc:3f" + - ip-address: 10.89.208.47 + hw-address: "6c:df:fb:0b:34:21" + - ip-address: 10.89.208.48 + hw-address: "6c:df:fb:0d:91:63" + - ip-address: 10.89.209.28 + hostname: hp-color + hw-address: "3c:52:82:29:21:79" + - ip-address: 10.89.209.29 + hostname: dooris-ng + hw-address: "6c:4b:90:19:21:a1" + - ip-address: 10.89.209.166 + hostname: encoder-ccchh + hw-address: "00:4e:01:a2:40:d7" + - ip-address: 10.89.209.254 + hostname: ki10 + hw-address: "dc:a6:32:a9:ff:82" + option-data: + - name: routers, + csv-format: true + data: 10.89.208.1 + - id: 2 + subnet: 10.89.212.0/24 + pools: + - pool: "10.89.212.32 - 10.89.212.250" + reservations: + - ip-address: 10.89.212.3 + hostname: prusamk3 + hw-address: "10:9c:70:2e:59:3e" + - ip-address: 10.89.212.4 + hostname: prusamk4 + hw-address: "10:9c:70:2e:6e:f0" + - ip-address: 10.89.212.11 + hostname: Ziggy + hw-address: "44:17:93:53:65:57" + - ip-address: 10.89.212.12 + hostname: legacy + hw-address: "00:15:65:a1:ed:98" + - ip-address: 10.89.212.23 + hostname: foobarpay + hw-address: "f4:f2:6d:09:a6:73" + - ip-address: 10.89.212.24 + hostname: foobackup + hw-address: "bc:24:11:20:1a:a8" + - ip-address: 10.89.212.27 + hostname: ender3v2-sonic-pad + hw-address: "fc:ee:91:00:0e:14" + - ip-address: 10.89.212.31 + hostname: octopi + hw-address: "b8:27:eb:0f:d8:09" + - ip-address: 10.89.212.32 + hostname: 433mhz-bridge + hw-address: "0c:b8:15:fe:e3:34" + - ip-address: 10.89.212.33 + hostname: wled-kueche + hw-address: "30:ae:a4:7a:8d:a0" + - ip-address: 10.89.212.34 + hostname: wled-serverschrank + hw-address: "18:fe:34:a6:64:76" + - ip-address: 10.89.212.35 + hostname: wled-couch + hw-address: "64:b7:08:40:ab:c0" + - ip-address: 10.89.212.36 + hostname: laser + hw-address: "b8:27:eb:be:38:fa" + - ip-address: 10.89.212.37 + hostname: laser-eth + hw-address: "b8:27:eb:eb:6d:af" + - ip-address: 10.89.212.42 + hostname: t-mix + hw-address: "40:a5:ef:d9:eb:93" + - ip-address: 10.89.212.86 + hostname: fritz-fon + hw-address: "00:1f:3f:c9:e5:b2" + - ip-address: 10.89.212.211 + hostname: hauptraum-esphome + hw-address: "e8:db:84:e8:18:d2" + - ip-address: 10.89.212.212 + hostname: werkstatt-esphome + hw-address: "3c:71:bf:26:42:32" + - ip-address: 10.89.212.213 + hostname: ir-bridge-beamer + hw-address: "8c:ce:4e:51:93:dd" + - ip-address: 10.89.212.215 + hostname: pi-dmx-werkstatt + hw-address: "b8:27:eb:65:e5:31" + - ip-address: 10.89.212.227 + hostname: SIP-T46S + hw-address: "80:5e:c0:09:bf:55" + - ip-address: 10.89.212.230 + hostname: SIP-T46S + hw-address: "80:5e:c0:22:33:08" + - ip-address: 10.89.212.232 + hostname: staubi + hw-address: "b8:4d:43:98:51:2b" + - ip-address: 10.89.212.233 + hostname: staubiv2 + hw-address: "70:c9:32:82:25:b2" + - ip-address: 10.89.212.234 + hostname: AtemMini + hw-address: "7c:2e:0d:13:72:a8" + - ip-address: 10.89.212.235 + hostname: okilaser + hw-address: "2c:ff:65:22:b4:63" + - ip-address: 10.89.212.236 + hw-address: "b8:27:eb:29:bd:77" + option-data: + - name: routers, + csv-format: true + data: 10.89.212.1 + - id: 3 + subnet: 10.89.213.0/24 + pools: + - pool: "10.89.213.32 - 10.89.213.250" + reservations: + - ip-address: 10.89.213.2 + hostname: sw-rack-1 + hw-address: "F0:9F:C2:10:C3:AA" + - ip-address: 10.89.213.3 + hostname: sw-rack-2-peo + hw-address: "44:d9:e7:06:69:5d" + - ip-address: 10.89.213.4 + hostname: sw-main-1 + hw-address: "a8:9c:6c:16:df:cc" + - ip-address: 10.89.213.5 + hostname: sw-main-2 + hw-address: "a8:9c:6c:16:e8:86" + - ip-address: 10.89.213.6 + hostname: sw-shop-1 + hw-address: "C0:4A:00:FB:DA:C5" + - ip-address: 10.89.213.7 + hostname: sw-shop-2-peo + hw-address: "f4:e2:c6:bf:20:ee" + - ip-address: 10.89.213.8 + hostname: sw-shop-3-peo + hw-address: "d8:b3:70:85:72:76" + - ip-address: 10.89.213.11 + hostname: pve01 + hw-address: "38:05:25:30:80:35" + - ip-address: 10.89.213.12 + hostname: pve02 + hw-address: "b8:85:84:b1:57:b6" + - ip-address: 10.89.213.13 + hostname: pve03 + hw-address: "98:fa:9b:a2:ed:e8" + - ip-address: 10.89.213.15 + hostname: pbs + hw-address: "BC:24:11:D6:2C:81" + - ip-address: 10.89.213.21 + hostname: unifi + hw-address: "BC:24:11:25:77:60" + - ip-address: 10.89.213.22 + hostname: club-assistant + hw-address: "7a:55:61:c3:a2:89" + - ip-address: 10.89.213.23 + hostname: automation + hw-address: "f2:20:75:5a:2f:8c" + - ip-address: 10.89.213.24 + hostname: yate + hw-address: "bc:24:11:73:3e:f7" + - ip-address: 10.89.213.25 + hostname: ptouch-print-server + hw-address: "bc:24:11:f2:cf:8f" + - ip-address: 10.89.213.26 + hostname: mqtt + hw-address: "bc:24:11:48:85:73" + - ip-address: 10.89.213.27 + hostname: factorio + hw-address: "bc:24:11:a3:43:7f" + - ip-address: 10.89.213.28 + hostname: light + hw-address: "72:61:ea:e6:49:e3" + - ip-address: 10.89.213.29 + hostname: homematic + hw-address: "fe:3a:42:77:3a:be" + - ip-address: 10.89.213.30 + hostname: proxmox-backup-server + hw-address: "8a:48:dd:a3:22:40" + option-data: + - name: routers, + csv-format: true + data: 10.89.213.1 + +kea_dhcp__dhcp6: + enable: true + interfaces: [ "netlan.51", "netlan.52", "netlan.54" ] + control-sockets: + - socket-name: /var/run/kea-dhcp6-ctrl-agent.sock + socket-type: unix + lease-database: + type: memfile + persist: true + option-data: + - name: "dns-servers" + code: 23 + csv-format: true + data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}" + subnets: + - id: 1 + subnet: "2a07:c481:1:33::/64" + pools: + - pool: "2a07:c481:1:33::1:1 - 2a07:c481:1:33::FFFF:FFFF" + - id: 2 + subnet: "2a07:c481:1:34::/64" + pools: + - pool: "2a07:c481:1:34::1:1 - 2a07:c481:1:34::FFFF:FFFF" + - id: 3 + subnet: "2a07:c481:1:36::/64" + pools: + - pool: "2a07:c481:1:36::1:1 - 2a07:c481:1:36::FFFF:FFFF" + reservations: + - ip-address: "2a07:c481:1:36::2" + hostname: sw-rack-1 + hw-address: "F0:9F:C2:10:C3:AA" + - ip-address: "2a07:c481:1:36::3" + hostname: sw-rack-2-peo + hw-address: "44:d9:e7:06:69:5d" + - ip-address: "2a07:c481:1:36::4" + hostname: sw-main-1 + hw-address: "a8:9c:6c:16:df:cc" + - ip-address: "2a07:c481:1:36::5" + hostname: sw-main-2 + hw-address: "a8:9c:6c:16:e8:86" + - ip-address: "2a07:c481:1:36::6" + hostname: sw-shop-1 + hw-address: "C0:4A:00:FB:DA:C5" + - ip-address: "2a07:c481:1:36::7" + hostname: sw-shop-2-peo + hw-address: "f4:e2:c6:bf:20:ee" + - ip-address: "2a07:c481:1:36::8" + hostname: sw-shop-3-peo + hw-address: "d8:b3:70:85:72:76" + - ip-address: "2a07:c481:1:36::b" + hostname: pve01 + hw-address: "38:05:25:30:80:35" + - ip-address: "2a07:c481:1:36::c" + hostname: pve02 + hw-address: "b8:85:84:b1:57:b6" + - ip-address: "2a07:c481:1:36::d" + hostname: pve03 + hw-address: "98:fa:9b:a2:ed:e8" + - ip-address: "2a07:c481:1:36::f" + hostname: pbs + hw-address: "BC:24:11:D6:2C:81" + - ip-address: "2a07:c481:1:36::14" + hostname: unifi + hw-address: "BC:24:11:25:77:60" diff --git a/resources/z9/rt1/nftables/nftables.conf b/resources/z9/rt1/nftables/nftables.conf index 21bfbd1..842ca04 100644 --- a/resources/z9/rt1/nftables/nftables.conf +++ b/resources/z9/rt1/nftables/nftables.conf @@ -76,6 +76,9 @@ table inet host { # Allow DHCP server access. iifname { $lan_ifs } udp dport 67 accept comment "allow dhcp server access" + + # Allow DNS server access from lan_ifs + iifname { $lan_ifs, $if_wg55_management } udp dport 53 accept comment "allow dns server access from lan_ifs" } } diff --git a/roles/kea_dhcp/defaults/main.yaml b/roles/kea_dhcp/defaults/main.yaml new file mode 100644 index 0000000..409f0a1 --- /dev/null +++ b/roles/kea_dhcp/defaults/main.yaml @@ -0,0 +1,69 @@ +kea_dhcp__stork_agent: + enable: false + prometheus_only: true +kea_dhcp__version_repo: "kea-3-0" +kea_dhcp__dns_servers: + v6: + - "2a07:c481:0:4::2" + - "2a07:c481:0:4::3" + v4: + - "185.161.128.66" + - "185.161.128.67" +kea_dhcp__include_vars: + +kea_dhcp__dhcp4: + enable: false + interfaces: [ ] + control-sockets: + - socket-name: /var/run/kea-dhcp4-ctrl-agent.sock + socket-type: unix + lease-database: + type: memfile + persist: true + option-data: + - name: "domain-name-servers" + code: 6 + csv-format: true + data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}" + subnets: + - id: 0 + subnet: nil + pools: + - pool: nil + reservations: + - ip-address: nil + hostname: beispiel.test + hw-address: "00:11:22:33:44:55" + option-data: + - name: nil, + code: nil, + csv-format: true + data: nil +kea_dhcp__dhcp6: + enable: false + interfaces: [ ] + lease-database: + type: memfile + persist: true + control-sockets: + - socket-name: /var/run/kea-dhcp6-ctrl-agent.sock + socket-type: unix + option-data: + - name: "dns-servers" + code: 23 + csv-format: true + data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}" + subnets: + - id: 0 + subnet: nil + pools: + - pool: nil + reservations: + - ip-address: nil + hostname: beispiel.test + hw-address: "00:11:22:33:44:55" + option-data: + - name: nil, + code: nil, + csv-format: true + data: nil diff --git a/roles/kea_dhcp/handlers/main.yml b/roles/kea_dhcp/handlers/main.yml new file mode 100644 index 0000000..5b44d6e --- /dev/null +++ b/roles/kea_dhcp/handlers/main.yml @@ -0,0 +1,30 @@ +--- +- name: Systemd.daemon_reload + become: true + ansible.builtin.systemd_service: + daemon_reload: true + +- name: Kea_dhcp4.reloaded + ansible.builtin.service: + name: kea-dhcp4 + state: restarted + enabled: true + +- name: Kea_dhcp6.reloaded + ansible.builtin.service: + name: kea-dhcp6 + state: restarted + enabled: true + +- name: Kea_ctrl.reloaded + ansible.builtin.systemd: + name: kea-ctrl-agent + state: restarted + enabled: true + +- name: Stork_agent.restarted + become: true + ansible.builtin.systemd: + name: isc-stork-agent + state: restarted + enabled: true diff --git a/roles/kea_dhcp/meta/argument_specs.yaml b/roles/kea_dhcp/meta/argument_specs.yaml new file mode 100644 index 0000000..995b838 --- /dev/null +++ b/roles/kea_dhcp/meta/argument_specs.yaml @@ -0,0 +1,125 @@ +--- +argument_specs: + main: + short_description: "Role for managing Kea DHCP server" + options: + kea_dhcp__stork_agent: + type: "dict" + description: "Configuration for Stork Agent" + options: + enable: + type: "bool" + default: false + prometheus_only: + type: "bool" + default: true + kea_dhcp__version_repo: + type: "str" + description: "Version of Kea DHCP repository to use" + default: "kea-3-0" + kea_dhcp__dns_servers: + type: "dict" + description: "Default DNS servers for DHCP clients" + options: + v6: + type: "list" + elements: "str" + v4: + type: "list" + elements: "str" + kea_dhcp__dhcp4: + type: "dict" + description: "Configuration for DHCPv4 service" + options: + enable: + type: "bool" + default: false + interfaces: + type: "list" + elements: "str" + default: [] + control-sockets: + type: "list" + elements: "dict" + lease-database: + type: "dict" + option-data: + type: "list" + elements: "dict" + subnets: + type: "list" + elements: "dict" + options: + id: + type: "int" + subnet: + type: "str" + pools: + type: "list" + elements: "dict" + options: + pool: + type: "str" + reservations: + type: "list" + elements: "dict" + options: + ip-address: + type: "str" + hostname: + type: "str" + hw-address: + type: "str" + duid: + type: "str" + option-data: + type: "list" + elements: "dict" + kea_dhcp__dhcp6: + type: "dict" + description: "Configuration for DHCPv6 service" + options: + enable: + type: "bool" + default: false + interfaces: + type: "list" + elements: "str" + default: [] + control-sockets: + type: "list" + elements: "dict" + lease-database: + type: "dict" + option-data: + type: "list" + elements: "dict" + subnets: + type: "list" + elements: "dict" + options: + id: + type: "int" + subnet: + type: "str" + pools: + type: "list" + elements: "dict" + options: + pool: + type: "str" + reservations: + type: "list" + elements: "dict" + options: + ip-address: + type: "str" + hostname: + type: "str" + hw-address: + type: "str" + duid: + type: "str" + option-data: + type: "list" + elements: "dict" diff --git a/roles/kea_dhcp/tasks/install_archlinux.yml b/roles/kea_dhcp/tasks/install_archlinux.yml new file mode 100644 index 0000000..7bdb140 --- /dev/null +++ b/roles/kea_dhcp/tasks/install_archlinux.yml @@ -0,0 +1,8 @@ +--- +- name: Install Kea on Archlinux + when: ansible_facts['distribution'] == "Archlinux" + become: true + community.general.pacman: + name: kea + state: present + update_cache: false diff --git a/roles/kea_dhcp/tasks/install_debian.yml b/roles/kea_dhcp/tasks/install_debian.yml new file mode 100644 index 0000000..2ac2346 --- /dev/null +++ b/roles/kea_dhcp/tasks/install_debian.yml @@ -0,0 +1,22 @@ +--- +- name: Register isc-kea apt repository + become: true + register: kea_dhcp_repo + when: ansible_facts['distribution'] == "Debian" + ansible.builtin.deb822_repository: + name: "isc-{{ kea_dhcp__version_repo }}" + uris: "https://dl.cloudsmith.io/public/isc/{{ kea_dhcp__version_repo }}/deb/debian" + suites: any-version + components: main + signed_by: "https://dl.cloudsmith.io/public/isc/{{ kea_dhcp__version_repo }}/gpg.key" + +- name: Install Kea packages + become: true + when: ansible_facts['distribution'] == "Debian" + ansible.builtin.apt: + name: + - isc-kea-dhcp4 + - isc-kea-dhcp6 + - isc-kea-ctrl-agent + - isc-kea-admin + update_cache: "{{ kea_dhcp_install_repo.changed }}" diff --git a/roles/kea_dhcp/tasks/kea.yaml b/roles/kea_dhcp/tasks/kea.yaml new file mode 100644 index 0000000..a4fd3b5 --- /dev/null +++ b/roles/kea_dhcp/tasks/kea.yaml @@ -0,0 +1,51 @@ +--- +- name: Include config vars + tags: [ kea, include_vars ] + when: kea_dhcp__include_vars is not None + ansible.builtin.include_vars: + file: "{{ kea_dhcp__include_vars }}" + +- name: Deploy kea-dhcp4 configuration file + tags: [ kea, dhcp4 ] + become: true + when: kea_dhcp__dhcp4.enable + ansible.builtin.template: + src: kea-dhcp4.conf.jinja + dest: /etc/kea/kea-dhcp4.conf + backup: true + owner: root + group: kea + mode: "u=rw,g=r,o=" + validate: kea-dhcp4 -T %s + notify: + - Kea_dhcp4.reloaded + +- name: Deploy kea-dhcp6 configuration file + tags: [ kea, dhcp6 ] + become: true + when: kea_dhcp__dhcp6.enable + ansible.builtin.template: + src: kea-dhcp6.conf.jinja + dest: /etc/kea/kea-dhcp6.conf + backup: true + owner: root + group: kea + mode: "u=rw,g=r,o=" + validate: kea-dhcp6 -T %s + notify: + - Kea_dhcp6.reloaded + +- name: Copy kea-ctrl-agent configuration file + tags: [ kea, ctrl-agent ] + become: true + when: kea_dhcp__stork_agent.enable + ansible.builtin.template: + src: kea-ctrl-agent.conf.j2 + dest: /etc/kea/kea-ctrl-agent.conf + owner: root + group: kea + mode: "u=rw,g=r,o=" + validate: kea-ctrl-agent -t %s + notify: + - Kea_ctrl.reloaded + - Stork_agent.restarted diff --git a/roles/kea_dhcp/tasks/main.yml b/roles/kea_dhcp/tasks/main.yml new file mode 100644 index 0000000..a3478fa --- /dev/null +++ b/roles/kea_dhcp/tasks/main.yml @@ -0,0 +1,19 @@ +--- +- name: Setup Kea DHCP + tags: [kea, dhcp] + block: + - name: Install Kea on Archlinux + when: ansible_facts['distribution'] == "Archlinux" + ansible.builtin.import_tasks: install_archlinux.yml + + - name: Install Kea on Debian + when: ansible_facts['distribution'] == "Debian" + ansible.builtin.import_tasks: install_debian.yml + + - name: Configure Kea + ansible.builtin.include_tasks: kea.yaml + +- name: Run stork-agent tasks + tags: [stork-agent, monitoring] + when: kea_dhcp__stork_agent.enable + ansible.builtin.include_tasks: stork-agent.yaml diff --git a/roles/kea_dhcp/tasks/stork-agent.yaml b/roles/kea_dhcp/tasks/stork-agent.yaml new file mode 100644 index 0000000..916760c --- /dev/null +++ b/roles/kea_dhcp/tasks/stork-agent.yaml @@ -0,0 +1,76 @@ +--- +- name: Install stork-agent + tags: [stork-agent] + block: + - name: Install stork-agent on Archlinux + when: ansible_facts['distribution'] == "Archlinux" + tags: [stork-agent, archlinux] + block: + - name: Create stork-agent user + ansible.builtin.user: + name: stork-agent + create_home: false + home: "/var/lib/stork-agent" + shell: "/usr/bin/nologin" + system: true + groups: ["kea"] + append: true + + - name: Install stork-agent with aur_pkg_install + ansible.builtin.include_role: + name: aur_pkg_install + vars: + aur_pkg_install__pkg_name: "stork-agent" + aur_pkg_install__git_clone_url: "https://ansible:{{ secret__ansible_git_token }}@git.fux-eg.net/aur-mirror/stork-agent.git" + aur_pkg_install__git_ref: "bf96e34" + + - name: Install stork-agent on Debian + when: ansible_facts['distribution'] == "Debian" + tags: [stork-agent, debian] + block: + - name: Register isc-stork apt repository + become: true + register: "kea_dhcp_install_repo" + ansible.builtin.deb822_repository: + name: isc-stork + uris: https://dl.cloudsmith.io/public/isc/stork/deb/debian + suites: any-version + components: main + signed_by: https://dl.cloudsmith.io/public/isc/stork/gpg.key + + - name: Install isc-stork-agent + become: true + ansible.builtin.apt: + name: isc-stork-agent + update_cache: "{{ kea_dhcp_install_repo.changed }}" + + - name: Add stork-agent user to _kea group on Debian + when: ansible_facts['distribution'] == "Debian" + become: true + ansible.builtin.user: + name: stork-agent + groups: ["_kea"] + append: true + + - name: Config for stork-agent + ansible.builtin.template: + src: stork-agent.env.jinja + dest: /etc/stork/agent.env + owner: root + group: root + mode: "0660" + notify: + - Systemd_daemon_reload + - Stork_agent.restarted + + - name: Flush handlers + ansible.builtin.meta: flush_handlers + + - name: Ensure that stork kea exporter is working + ansible.builtin.uri: + url: "http://localhost:9547/metrics" + method: GET + register: kea_dhcp_stork_status_code + retries: 6 + delay: 5 + until: kea_dhcp_stork_status_code.status == 200 diff --git a/roles/kea_dhcp/templates/kea-ctrl-agent.conf.j2 b/roles/kea_dhcp/templates/kea-ctrl-agent.conf.j2 new file mode 100644 index 0000000..5ac1473 --- /dev/null +++ b/roles/kea_dhcp/templates/kea-ctrl-agent.conf.j2 @@ -0,0 +1,20 @@ +{ +"Control-agent": { + "http-host": "127.0.0.1", + "http-port": 8000, + "control-sockets": { + {% if kea_dhcp__dhcp4.enable | default(false) %} + "dhcp4": { + "socket-type": "{{ kea_dhcp__dhcp4['control-sockets'][0]['socket-type'] }}", + "socket-name": "{{ kea_dhcp__dhcp4['control-sockets'][0]['socket-name'] }}" + }{% if kea_dhcp__dhcp6.enable %},{% endif %} + {% endif %} + {% if kea_dhcp__dhcp6.enable | default(false) %} + "dhcp6": { + "socket-type": "{{ kea_dhcp__dhcp6['control-sockets'][0]['socket-type'] }}", + "socket-name": "{{ kea_dhcp__dhcp6['control-sockets'][0]['socket-name'] }}" + }, + {% endif %} + } +} +} diff --git a/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja b/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja new file mode 100644 index 0000000..78f06ae --- /dev/null +++ b/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja @@ -0,0 +1,27 @@ +{ + "Dhcp4": { + "interfaces-config": { + "interfaces": {{ kea_dhcp__dhcp4.interfaces | to_nice_json }} + }, + "control-sockets": {{ kea_dhcp__dhcp4['control-sockets'] | to_nice_json }}, + "lease-database": {{ kea_dhcp__dhcp4['lease-database'] | to_nice_json }}, + {% if kea_dhcp__dhcp4['option-data'] is defined and kea_dhcp__dhcp4['option-data'] %} + "option-data": {{ kea_dhcp__dhcp4['option-data'] | to_nice_json }}, + {% endif %} + "subnet4": [ + {% for subnet in kea_dhcp__dhcp4.subnets %} + { + "id": {{ subnet.id }}, + "subnet": "{{ subnet.subnet }}", + "pools": {{ subnet.pools | to_nice_json }}, + {% if subnet.reservations is defined and subnet.reservations %} + "reservations": {{ subnet.reservations | to_nice_json }}, + {% endif %} + {% if subnet['option-data'] is defined and subnet['option-data'] %} + "option-data": {{ subnet['option-data'] | to_nice_json }} + {% endif %} + }{% if not loop.last %},{% endif %} + {% endfor %} + ] + } +} diff --git a/roles/kea_dhcp/templates/kea-dhcp6.conf.jinja b/roles/kea_dhcp/templates/kea-dhcp6.conf.jinja new file mode 100644 index 0000000..da1929a --- /dev/null +++ b/roles/kea_dhcp/templates/kea-dhcp6.conf.jinja @@ -0,0 +1,27 @@ +{ + "Dhcp6": { + "interfaces-config": { + "interfaces": {{ kea_dhcp__dhcp6.interfaces | to_nice_json }} + }, + "control-sockets": {{ kea_dhcp__dhcp6['control-sockets'] | to_nice_json }}, + "lease-database": {{ kea_dhcp__dhcp6['lease-database'] | to_nice_json }}, + {% if kea_dhcp__dhcp6['option-data'] is defined and kea_dhcp__dhcp6['option-data'] %} + "option-data": {{ kea_dhcp__dhcp6['option-data'] | to_nice_json }}, + {% endif %} + "subnet6": [ + {% for subnet in kea_dhcp__dhcp6.subnets %} + { + "id": {{ subnet.id }}, + "subnet": "{{ subnet.subnet }}", + "pools": {{ subnet.pools | to_nice_json }}, + {% if subnet.reservations is defined and subnet.reservations %} + "reservations": {{ subnet.reservations | to_nice_json }}, + {% endif %} + {% if subnet['option-data'] is defined and subnet['option-data'] %} + "option-data": {{ subnet['option-data'] | to_nice_json }} + {% endif %} + }{% if not loop.last %},{% endif %} + {% endfor %} + ] + } +} diff --git a/roles/kea_dhcp/templates/stork-agent.env.jinja b/roles/kea_dhcp/templates/stork-agent.env.jinja new file mode 100644 index 0000000..bdfa4d2 --- /dev/null +++ b/roles/kea_dhcp/templates/stork-agent.env.jinja @@ -0,0 +1,44 @@ +### the IP or hostname to listen on for incoming Stork server connections +# STORK_AGENT_HOST= + +### the TCP port to listen on for incoming Stork server connections +# STORK_AGENT_PORT=8081 + +### listen for commands from the Stork server only, but not for Prometheus requests +# STORK_AGENT_LISTEN_STORK_ONLY=true + +{% if kea_dhcp__stork_agent.prometheus_only %} +### listen for Prometheus requests only, but not for commands from the Stork server +STORK_AGENT_LISTEN_PROMETHEUS_ONLY=true +{% endif %} + +### settings for exporting stats to Prometheus +### the IP or hostname on which the agent exports Kea statistics to Prometheus +# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_ADDRESS= +### the port on which the agent exports Kea statistics to Prometheus +# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PORT= +## enable or disable collecting per-subnet stats from Kea +# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PER_SUBNET_STATS=true +### the IP or hostname on which the agent exports BIND 9 statistics to Prometheus +# STORK_AGENT_PROMETHEUS_BIND9_EXPORTER_ADDRESS= +### the port on which the agent exports BIND 9 statistics to Prometheus +# STORK_AGENT_PROMETHEUS_BIND9_EXPORTER_PORT= + +### Stork Server URL used by the agent to send REST commands to the server during agent registration +# STORK_AGENT_SERVER_URL= + +### skip TLS certificate verification when the Stork Agent connects +### to Kea over TLS and Kea uses self-signed certificates +# STORK_AGENT_SKIP_TLS_CERT_VERIFICATION=true + + +### Logging parameters + +### Set logging level. Supported values are: DEBUG, INFO, WARN, ERROR +STORK_LOG_LEVEL=DEBUG +### disable output colorization +# CLICOLOR=false + +### path to the hook directory +# STORK_AGENT_HOOK_DIRECTORY= + diff --git a/roles/unbound/README.md b/roles/unbound/README.md new file mode 100644 index 0000000..806b9d8 --- /dev/null +++ b/roles/unbound/README.md @@ -0,0 +1,19 @@ +# Unbound DNS resolver + +Role fora a validating, recursive, caching DNS resolver based on [Unbound](https://nlnetlabs.nl/projects/unbound/about/). +It is designed to be fast and lean and incorporates modern features based on open standards. + +- [Documentation](https://unbound.docs.nlnetlabs.nl/en/latest/) + +## Role Customization + +The following variables can be used to customize this role: + +| Variable | Type | Default | Description | +|------------------------------------------|-----------------|-----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| unbound_install_prometheus_exporter | Boolean | `true` | Whether [Unbound Exporter](https://github.com/letsencrypt/unbound_exporter) should also be installed to expose resolver statistics in prometheus format. | +| unbound_bind_interfaces | List of Strings | `[0.0.0.0, ::]` | List of interface names or IP addresses on which unbound will listen for dns queries | +| unbound_enable_unbound_control | Boolean | `true` | Whether the [remote control](https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/configuration.html#set-up-remote-control) feature of unbound should be configured. | +| unbound_enable_dnssec | Boolean | `true` | Whether dnssec validation should be enabled | +| unbound_access_control | List of Strings | `[]` | **Required** List of [unbound access control values](https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#:~:text=access-control:%20%3CIP%20netblock%3E%20%3Caction%3E) | +| unbound_disable_systemd_networkd | Boolean | `true` | If true, systemd-networkd is disabled and the local system is pointed towards the configured dns resolver. | diff --git a/roles/unbound/defaults/main.yml b/roles/unbound/defaults/main.yml new file mode 100644 index 0000000..fa6cb24 --- /dev/null +++ b/roles/unbound/defaults/main.yml @@ -0,0 +1,7 @@ +unbound_install_prometheus_exporter: true +unbound_bind_interfaces: [ "0.0.0.0", "::" ] +unbound_disable_systemd_networkd: true +unbound_enable_unbound_control: true +unbound_enable_dnssec: true +unbound_access_control: [ ] +unbound_private_domain: [ ] diff --git a/roles/unbound/files/no-resolved.resolv.conf b/roles/unbound/files/no-resolved.resolv.conf new file mode 100644 index 0000000..bbc8559 --- /dev/null +++ b/roles/unbound/files/no-resolved.resolv.conf @@ -0,0 +1 @@ +nameserver 127.0.0.1 diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml new file mode 100644 index 0000000..e1345bf --- /dev/null +++ b/roles/unbound/handlers/main.yml @@ -0,0 +1,27 @@ +- name: unbound.restarted + tags: [ unbound, dns, dns_resolver ] + become: true + ansible.builtin.systemd: + name: unbound.service + state: restarted + +- name: unbound.reloaded + tags: [ unbound, dns, dns_resolver ] + become: true + ansible.builtin.systemd: + name: unbound.service + state: reloaded + +- name: prometheus-unbound-exporter.restarted + become: true + ansible.builtin.systemd: + name: prometheus-unbound-exporter.service + state: restarted + enabled: true + +- name: prometheus-unbound-exporter.enabled + become: true + ansible.builtin.systemd: + name: prometheus-unbound-exporter.service + enabled: true + daemon_reload: true diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml new file mode 100644 index 0000000..7ed42cb --- /dev/null +++ b/roles/unbound/tasks/main.yml @@ -0,0 +1,63 @@ +- name: unbound role main + tags: [ unbound, dns, dns_resolver ] + block: + + - name: install unbound dns resolver + become: true + ansible.builtin.package: + name: unbound + + - name: install extra dns tooling + become: true + ansible.builtin.package: + name: [ bind ] # the bind package includes tools like dig in archlinux + + - name: ensure correct directory permissions + become: true + ansible.builtin.file: + path: /etc/unbound + state: directory + mode: u=rwX,g=rX,o=rX + recurse: true + owner: unbound + group: unbound + + - name: configure unbound dns resolver + become: true + notify: unbound.restarted + ansible.builtin.template: + src: unbound.conf.j2 + dest: /etc/unbound/unbound.conf + owner: unbound + group: unbound + mode: u=rw,g=r,o=r + + - name: ensure unbound is running and enabled + become: true + ansible.builtin.systemd: + name: unbound.service + state: started + enabled: true + + - name: disable systemd-resolved + become: true + when: unbound_disable_systemd_networkd + ansible.builtin.systemd: + name: systemd-resolved.service + state: stopped + enabled: false + + - name: configure system resolver to point to local unbound + become: true + when: unbound_disable_systemd_networkd + ansible.builtin.copy: + src: no-resolved.resolv.conf + dest: /etc/resolv.conf + owner: unbound + group: unbound + mode: u=rw,g=r,o=r + + + - name: install and configure prometheus-exporter for unbound + ansible.builtin.import_tasks: prometheus-exporter.yml + when: unbound_install_prometheus_exporter diff --git a/roles/unbound/tasks/prometheus-exporter.yml b/roles/unbound/tasks/prometheus-exporter.yml new file mode 100644 index 0000000..d05b838 --- /dev/null +++ b/roles/unbound/tasks/prometheus-exporter.yml @@ -0,0 +1,17 @@ +--- +- name: install unbound prometheus exporter + become: true + ansible.builtin.package: + name: prometheus-unbound-exporter + notify: prometheus-unbound-exporter.enabled + +- name: configure unbound exporter + become: true + ansible.builtin.copy: + dest: /etc/conf.d/prometheus-unbound-exporter + content: | + UNBOUND_EXPORTER_ARGS="-unbound.ca "" -unbound.cert "" -unbound.host "unix:///run/unbound-control.sock" + owner: root + group: root + mode: '0660' + notify: prometheus-unbound-exporter.restarted diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2 new file mode 100644 index 0000000..a1e310e --- /dev/null +++ b/roles/unbound/templates/unbound.conf.j2 @@ -0,0 +1,73 @@ +# ref: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html +# unbound.conf(5) man page +server: + {% if unbound_enable_dnssec -%} + # disable chroot because unbound is the only thing running on the VM + # and because it has issues with how archlinux configures the systemd units write protection regarding the anchor file + chroot: "" + + # location of the trust anchor file that enables DNSSEC + # this file is generated by the `unbound-anchor` command + auto-trust-anchor-file: "/etc/unbound/trusted-key.key" + {% endif -%} + + # use all CPUs + num-threads: 2 + + # more cache memory + rrset-cache-size: 60m + msg-cache-size: 30m + + # prefetch to keep the cache up to date + prefetch: yes + + # fetch the DNSKEYs earlier in the validation process, when a DS record is encountered + prefetch-key: yes + + # Faster UDP with multithreading (only on Linux). + so-reuseport: yes + + # disable special large send buffer handling and just use kernel defaults + so-sndbuf: 0 + + # send minimal amount of information to upstream servers to enhance privacy + qname-minimisation: yes + + # specify the interface to answer queries from by ip-address. + {% for i in unbound_bind_interfaces -%} + interface: "{{ i }}" + {% endfor %} + + # addresses from the IP range that are allowed to connect to the resolver + {% for i in unbound_access_control -%} + access-control: {{ i }} + {% endfor -%} + + {% for i in unbound_private_domain -%} + private-domain: {{ i }} + {% endfor -%} + + # The number of seconds between printing statistics to the log for every thread. + statistics-interval: 0 + + # Extended statistics are printed, Keeping track of more statistics takes time. + extended-statistics: yes + +remote-control: + control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }} + control-interface: /run/unbound-control.sock + + +# configure some zones for which this resolver will act authoritatively +# https://www.dns.icann.org/services/axfr/ +{% for i in [ ".", "in-addr.arpa.", "arpa.", "root-servers.net.", "ip6.arpa.", "ip6-servers.arpa.", "mcast.net." ] %} +auth-zone: + name: "{{ i }}" + primary: "lax.xfr.dns.icann.org" + primary: "iad.xfr.dns.icann.org" + fallback-enabled: yes + for-downstream: no + for-upstream: yes + + +{% endfor %} From 3a091f7aa55d5ce1a1e4989ef82a7a986c75bd4b Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Mon, 25 May 2026 18:31:05 +0200 Subject: [PATCH 03/16] z9-router(host): rename rt1 to z9-router --- .../{rt1.sops.yaml => z9-router.sops.yaml} | 8 ++++---- .../z9/host_vars/{rt1.yaml => z9-router.yaml} | 8 ++++---- inventories/z9/hosts.yaml | 18 +++++++++--------- resources/z9/{rt1 => z9-router}/kea_dhcp.yaml | 0 .../{rt1 => z9-router}/nftables/nftables.conf | 0 .../systemd_networkd/00-netlan.link | 0 .../systemd_networkd/00-netwan.link | 0 .../systemd_networkd/10-netlan.51.netdev | 0 .../systemd_networkd/10-netlan.52.netdev | 0 .../systemd_networkd/10-netlan.53.netdev | 0 .../systemd_networkd/10-netlan.54.netdev | 0 .../systemd_networkd/10-netwan.400.netdev | 0 .../systemd_networkd/10-wg55.netdev | 0 .../systemd_networkd/20-netlan.network | 0 .../systemd_networkd/20-netwan.network | 0 .../systemd_networkd/20-wg55.network | 0 .../21-netlan.51-clients.network | 0 .../systemd_networkd/21-netlan.52-iot.network | 0 .../21-netlan.53-public.network | 0 .../21-netlan.54-management.network | 0 .../21-netwan.400-fux_uplink.network | 0 .../systemd_networkd_global_config.conf | 0 22 files changed, 17 insertions(+), 17 deletions(-) rename inventories/z9/host_vars/{rt1.sops.yaml => z9-router.sops.yaml} (94%) rename inventories/z9/host_vars/{rt1.yaml => z9-router.yaml} (53%) rename resources/z9/{rt1 => z9-router}/kea_dhcp.yaml (100%) rename resources/z9/{rt1 => z9-router}/nftables/nftables.conf (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/00-netlan.link (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/00-netwan.link (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/10-netlan.51.netdev (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/10-netlan.52.netdev (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/10-netlan.53.netdev (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/10-netlan.54.netdev (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/10-netwan.400.netdev (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/10-wg55.netdev (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/20-netlan.network (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/20-netwan.network (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/20-wg55.network (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/21-netlan.51-clients.network (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/21-netlan.52-iot.network (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/21-netlan.53-public.network (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/21-netlan.54-management.network (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd/21-netwan.400-fux_uplink.network (100%) rename resources/z9/{rt1 => z9-router}/systemd_networkd_global_config.conf (100%) diff --git a/inventories/z9/host_vars/rt1.sops.yaml b/inventories/z9/host_vars/z9-router.sops.yaml similarity index 94% rename from inventories/z9/host_vars/rt1.sops.yaml rename to inventories/z9/host_vars/z9-router.sops.yaml index f4141fd..89f18e1 100644 --- a/inventories/z9/host_vars/rt1.sops.yaml +++ b/inventories/z9/host_vars/z9-router.sops.yaml @@ -1,8 +1,8 @@ secrets__secrets: - - name: ENC[AES256_GCM,data:MmqDXUKy+U67JZFmKJTGLYAJcYPClQ8M2w==,iv:/eDx++bJCzdKXYB8YipB/GB6aM421JR3sy8i5trBKxk=,tag:/zTklys9bN839iT1qOH0UQ==,type:str] + - name: ENC[AES256_GCM,data:gt9BarzsfE/GJ5gQeelgePquW6KAgE3Exv4=,iv:IPpUQI+zkf8O+ej+ZxLFyWUOrxGGlZvmDRG0ut2cNsA=,tag:GP66MvcKyCqyKV814+uMYg==,type:str] content: ENC[AES256_GCM,data:2ljp324rAsF2zk2631TI7bV1xKxdFr4u4NxrsPYnjWsL0PX0n0KhJ1qvJCs=,iv:0+DxsTTiNLOg5iH83bFT/d+0uW2rn6bATSm3xc5PEdE=,tag:XbBDrrjriXPedyT4+sBBwA==,type:str] - name: ENC[AES256_GCM,data:9i4hZU7Hv/IMlI/1oYthx8g57nrst9LHZQk=,iv:IQanD/CA64A+hVyTQBiTvWdXyY8qNF9BpehWZxI5a9c=,tag:RiY0OJe2xbFPG6wfe5XjiA==,type:str] - content: ENC[AES256_GCM,data:lrwHaNvHkh5E94ziiQsd8ua9YvuwmhZ6iIGZS0oFnZdYKuyNh7egWOoii2o=,iv:LLRKhbiJl1GwK/SfqNdNrrJuDF17YXw3hHmuhlyI87w=,tag:DbR/a7jfy1+4yswSdYfOFA==,type:str] + content: ENC[AES256_GCM,data:68GUwG1Q2s2jH92HS0FQWrcMHJP8fHjrOqr21gsdswxKekQrpxX5B3BBFfM=,iv:HOsNUAKE5rOmKgZft2JK1NnZUuhk261d9WYWJS22nLM=,tag:3husFvB57AGVFzF7hKzLpw==,type:str] - name: ENC[AES256_GCM,data:2lJUcDJ7ECJ1bF4Fg1VwOR2tBIQ77ZvDAbFF8w==,iv:HrPWIetjN/lOyQ7Mvk0sM1w+bWldlNfWhvw7/sfqKN8=,tag:AJL0s+f0O/yR4G3RVd1IHQ==,type:str] content: ENC[AES256_GCM,data:68GUwG1Q2s2jH92HS0FQWrcMHJP8fHjrOqr21gsdswxKekQrpxX5B3BBFfM=,iv:HOsNUAKE5rOmKgZft2JK1NnZUuhk261d9WYWJS22nLM=,tag:3husFvB57AGVFzF7hKzLpw==,type:str] - name: ENC[AES256_GCM,data:ESxpEp9k9BdD1GJv+af+U3ny0+RPuaJjWDhQ,iv:DxsZLiDF8F+ixepbUdlitMJ7DLHjGNFNuxRwLl7efo8=,tag:STnv/oLzbchdiwXfKP3fow==,type:str] @@ -18,8 +18,8 @@ secrets__secrets: - name: ENC[AES256_GCM,data:ERsggezMBbs1YwbIgwzKSAEHWWOWYxap8IDdn2YtEKvZexqu,iv:XbObLp2QERgt57tc/Cpha1CWXi+GttcIU8hJFGSp8e8=,tag:FqCuSbvLRERpVnQTzQsfpQ==,type:str] content: ENC[AES256_GCM,data:QPoZA71CwE8EFE0I+6z0z0O1bUCMQDDDG7wGNoxXKt3ovLkFt21r8WG7VhA=,iv:InX6A71f3DGTg1wO4G0ECf488+FnKgTHffVwvJ9hHQ0=,tag:EVxwJlneN1CbMLXto7uLFw==,type:str] sops: - lastmodified: "2026-05-23T21:19:38Z" - mac: ENC[AES256_GCM,data:Ded0VfGn8H2qGMk5LDyqF1gW8hajKc9FgvCynHPQkWkhMSdaHYbFwf//gWi2TjIO22HD5sPw1w9KAjPy53b57RwBCjXfMMq0JCPvuePLK40NC8uCAi+wr5Er0fAWz1JiaA+dowposoi6RxBtyHCaNHMDVGMLh1j+IL+pTOyi6fk=,iv:gssOMmR0DDQC4WjMVXTD/zqbQa8qlBr9ZZWF15W0WnE=,tag:DORTxQfCmpVjDjyGSNH7dw==,type:str] + lastmodified: "2026-05-25T16:29:22Z" + mac: ENC[AES256_GCM,data:zxtV1xgjQuKNMvh6S8oAOxX5J6+iBRO6k3vGw3vWNlhah4Gu3S/lt+5v8lQHogz1Vyc+Zff0yMj1cn6RstDDj5AuOCljRQN0FYs0fjCo4Yrxx5sMMwcwBYquC77skEiZhRnqdXKkjiOM7EGE8qj8O3DJ29borIjm5NAsflH/qkA=,iv:7EUElg+gu8mk2Gq32JQMTf+A1+ZhZufoqt5bk4+Ca1E=,tag:XG+F/zlXizsc2B8THoXj4g==,type:str] pgp: - created_at: "2026-05-23T20:58:22Z" enc: |- diff --git a/inventories/z9/host_vars/rt1.yaml b/inventories/z9/host_vars/z9-router.yaml similarity index 53% rename from inventories/z9/host_vars/rt1.yaml rename to inventories/z9/host_vars/z9-router.yaml index 876776a..c9d2b6f 100644 --- a/inventories/z9/host_vars/rt1.yaml +++ b/inventories/z9/host_vars/z9-router.yaml @@ -1,7 +1,7 @@ -systemd_networkd__config_dir: 'resources/z9/rt1/systemd_networkd/' -systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/systemd_networkd_global_config.conf') }}" -nftables__config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/nftables/nftables.conf') }}" +systemd_networkd__config_dir: 'resources/z9/z9-router/systemd_networkd/' +systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/z9/z9-router/systemd_networkd_global_config.conf') }}" +nftables__config: "{{ lookup('ansible.builtin.file', 'resources/z9/z9-router/nftables/nftables.conf') }}" ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" ansible_pull__timer_randomized_delay_sec: 0min unbound_access_control: [ "10.89.208.0/20" ] -kea_dhcp__include_vars: resources/z9/rt1/kea_dhcp.yaml +kea_dhcp__include_vars: resources/z9/z9-router/kea_dhcp.yaml diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index 407aa2f..90f2efd 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -14,8 +14,8 @@ all: yate: ansible_host: yate.ccchh.net ansible_user: chaos - rt1: - ansible_host: rt1.ccchh.net + z9-router: + ansible_host: z9-router.ccchh.net ansible_user: chaos certbot_hosts: hosts: @@ -38,7 +38,7 @@ infrastructure_authorized_keys_hosts: light: waybackproxy: yate: - rt1: + z9-router: nginx_hosts: hosts: dooris: @@ -52,22 +52,22 @@ proxmox_vm_template_hosts: thinkcccore0: systemd_networkd_hosts: hosts: - rt1: + z9-router: nftables_hosts: hosts: - rt1: + z9-router: unbound_hosts: hosts: - rt1: + z9-router: kea_dhcp_hosts: hosts: - rt1: + z9-router: alloy_hosts: hosts: light: yate: dooris: - rt1: + z9-router: ansible_pull_hosts: hosts: dooris: @@ -76,4 +76,4 @@ ansible_pull_hosts: yate: secrets_hosts: hosts: - rt1: + z9-router: diff --git a/resources/z9/rt1/kea_dhcp.yaml b/resources/z9/z9-router/kea_dhcp.yaml similarity index 100% rename from resources/z9/rt1/kea_dhcp.yaml rename to resources/z9/z9-router/kea_dhcp.yaml diff --git a/resources/z9/rt1/nftables/nftables.conf b/resources/z9/z9-router/nftables/nftables.conf similarity index 100% rename from resources/z9/rt1/nftables/nftables.conf rename to resources/z9/z9-router/nftables/nftables.conf diff --git a/resources/z9/rt1/systemd_networkd/00-netlan.link b/resources/z9/z9-router/systemd_networkd/00-netlan.link similarity index 100% rename from resources/z9/rt1/systemd_networkd/00-netlan.link rename to resources/z9/z9-router/systemd_networkd/00-netlan.link diff --git a/resources/z9/rt1/systemd_networkd/00-netwan.link b/resources/z9/z9-router/systemd_networkd/00-netwan.link similarity index 100% rename from resources/z9/rt1/systemd_networkd/00-netwan.link rename to resources/z9/z9-router/systemd_networkd/00-netwan.link diff --git a/resources/z9/rt1/systemd_networkd/10-netlan.51.netdev b/resources/z9/z9-router/systemd_networkd/10-netlan.51.netdev similarity index 100% rename from resources/z9/rt1/systemd_networkd/10-netlan.51.netdev rename to resources/z9/z9-router/systemd_networkd/10-netlan.51.netdev diff --git a/resources/z9/rt1/systemd_networkd/10-netlan.52.netdev b/resources/z9/z9-router/systemd_networkd/10-netlan.52.netdev similarity index 100% rename from resources/z9/rt1/systemd_networkd/10-netlan.52.netdev rename to resources/z9/z9-router/systemd_networkd/10-netlan.52.netdev diff --git a/resources/z9/rt1/systemd_networkd/10-netlan.53.netdev b/resources/z9/z9-router/systemd_networkd/10-netlan.53.netdev similarity index 100% rename from resources/z9/rt1/systemd_networkd/10-netlan.53.netdev rename to resources/z9/z9-router/systemd_networkd/10-netlan.53.netdev diff --git a/resources/z9/rt1/systemd_networkd/10-netlan.54.netdev b/resources/z9/z9-router/systemd_networkd/10-netlan.54.netdev similarity index 100% rename from resources/z9/rt1/systemd_networkd/10-netlan.54.netdev rename to resources/z9/z9-router/systemd_networkd/10-netlan.54.netdev diff --git a/resources/z9/rt1/systemd_networkd/10-netwan.400.netdev b/resources/z9/z9-router/systemd_networkd/10-netwan.400.netdev similarity index 100% rename from resources/z9/rt1/systemd_networkd/10-netwan.400.netdev rename to resources/z9/z9-router/systemd_networkd/10-netwan.400.netdev diff --git a/resources/z9/rt1/systemd_networkd/10-wg55.netdev b/resources/z9/z9-router/systemd_networkd/10-wg55.netdev similarity index 100% rename from resources/z9/rt1/systemd_networkd/10-wg55.netdev rename to resources/z9/z9-router/systemd_networkd/10-wg55.netdev diff --git a/resources/z9/rt1/systemd_networkd/20-netlan.network b/resources/z9/z9-router/systemd_networkd/20-netlan.network similarity index 100% rename from resources/z9/rt1/systemd_networkd/20-netlan.network rename to resources/z9/z9-router/systemd_networkd/20-netlan.network diff --git a/resources/z9/rt1/systemd_networkd/20-netwan.network b/resources/z9/z9-router/systemd_networkd/20-netwan.network similarity index 100% rename from resources/z9/rt1/systemd_networkd/20-netwan.network rename to resources/z9/z9-router/systemd_networkd/20-netwan.network diff --git a/resources/z9/rt1/systemd_networkd/20-wg55.network b/resources/z9/z9-router/systemd_networkd/20-wg55.network similarity index 100% rename from resources/z9/rt1/systemd_networkd/20-wg55.network rename to resources/z9/z9-router/systemd_networkd/20-wg55.network diff --git a/resources/z9/rt1/systemd_networkd/21-netlan.51-clients.network b/resources/z9/z9-router/systemd_networkd/21-netlan.51-clients.network similarity index 100% rename from resources/z9/rt1/systemd_networkd/21-netlan.51-clients.network rename to resources/z9/z9-router/systemd_networkd/21-netlan.51-clients.network diff --git a/resources/z9/rt1/systemd_networkd/21-netlan.52-iot.network b/resources/z9/z9-router/systemd_networkd/21-netlan.52-iot.network similarity index 100% rename from resources/z9/rt1/systemd_networkd/21-netlan.52-iot.network rename to resources/z9/z9-router/systemd_networkd/21-netlan.52-iot.network diff --git a/resources/z9/rt1/systemd_networkd/21-netlan.53-public.network b/resources/z9/z9-router/systemd_networkd/21-netlan.53-public.network similarity index 100% rename from resources/z9/rt1/systemd_networkd/21-netlan.53-public.network rename to resources/z9/z9-router/systemd_networkd/21-netlan.53-public.network diff --git a/resources/z9/rt1/systemd_networkd/21-netlan.54-management.network b/resources/z9/z9-router/systemd_networkd/21-netlan.54-management.network similarity index 100% rename from resources/z9/rt1/systemd_networkd/21-netlan.54-management.network rename to resources/z9/z9-router/systemd_networkd/21-netlan.54-management.network diff --git a/resources/z9/rt1/systemd_networkd/21-netwan.400-fux_uplink.network b/resources/z9/z9-router/systemd_networkd/21-netwan.400-fux_uplink.network similarity index 100% rename from resources/z9/rt1/systemd_networkd/21-netwan.400-fux_uplink.network rename to resources/z9/z9-router/systemd_networkd/21-netwan.400-fux_uplink.network diff --git a/resources/z9/rt1/systemd_networkd_global_config.conf b/resources/z9/z9-router/systemd_networkd_global_config.conf similarity index 100% rename from resources/z9/rt1/systemd_networkd_global_config.conf rename to resources/z9/z9-router/systemd_networkd_global_config.conf From 311a4114f984cfab42abe55217a65da733919a46 Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Mon, 25 May 2026 19:26:52 +0200 Subject: [PATCH 04/16] z9-router(host): add ansible pull --- .sops.yaml | 7 + inventories/z9/group_vars/all.sops.yaml | 298 ++++++++++--------- inventories/z9/host_vars/z9-router.sops.yaml | 251 ++++++++-------- inventories/z9/hosts.yaml | 1 + 4 files changed, 294 insertions(+), 263 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index b517a43..bcb30f8 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -48,6 +48,7 @@ keys: - &host_light_ansible_pull_age_key age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q - &host_waybackproxy_ansible_pull_age_key age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j - &host_yate_ansible_pull_age_key age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22 + - &host_z9_router_ansible_pull_age_key age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp creation_rules: ## group vars @@ -241,6 +242,12 @@ creation_rules: *admin_gpg_keys age: - *host_yate_ansible_pull_age_key + - path_regex: "inventories/z9/host_vars/z9-router\\.sops\\..+" + key_groups: + - pgp: + *admin_gpg_keys + age: + - *host_z9_router_ansible_pull_age_key # general - path_regex: ".+\\.sops\\..+" key_groups: diff --git a/inventories/z9/group_vars/all.sops.yaml b/inventories/z9/group_vars/all.sops.yaml index bc4c3f1..f5aed04 100644 --- a/inventories/z9/group_vars/all.sops.yaml +++ b/inventories/z9/group_vars/all.sops.yaml @@ -2,213 +2,225 @@ metrics__chaos_password: ENC[AES256_GCM,data:seOU504dZ9K21+NK1MBf9isee2L2rueP6Bl msmtp__smtp_password: ENC[AES256_GCM,data:FAih8FghRYDx3QGFCjKoJ8Zq0TkeCIx4n1jTx4/sASgECqvucg==,iv:8NDn3wj/bXsbHbuce3ycJTBVWde6XAVxv4NuMUkMbIM=,tag:jeE2b0i/8JPtguLYQvdV1w==,type:str] sops: age: - - recipient: age1j0876shgsn7f2thxh9kx9x5uwnh45z6sy2jlk2qz5jhgedm26g5srn9kax - enc: | + - enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VWJQWnBhcDc3VXh3TnMy - RFljQU0vNS9iY3AvTWFraUxneHIremlDeUZvCmdzd0twWHZEdTZSbHpLbEpRRDNX - aGI4ZlczN0tFbC94TzJ4bm9aUjkwcVEKLS0tIHRGSGdkQkN6ZEVTUjl1cGhMZzVI - S2FtSktoWmF2TjZCZnNlYWpWYzQ4MzQKeK7f+UPSanQsOIXNjzZa9B5FafNFsN3W - sjssDdbNQ1OEn2CLWRVQl1umKrADuvd85fMu3gUZrycZRDCCfsBzVg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTzAzaVFSRDQwN2llbmdl + alBBVDZwTWhWUkV2L3ZLZmNDUDRyTitDaFVzCkNRTEN4ODV5ekxRVlBZT3ZIM2pj + Z0JxYUlobHZCeGxxNE9PcENkR2h2VDAKLS0tIFZiVXJHSU5naXhSSEFobVZBN1Rl + NnVDUVRyVWxlUnMydVhiQ2s0bGMzTGcKh97/UOPxrKieK5dKdGyRqCRi8Sm5UNcT + I9jLCPqX8Utt0e2EEp+ivJwFxgo7QuNCYWu6jtPCO/Zmc5Q/2tJQ9Q== -----END AGE ENCRYPTED FILE----- - - recipient: age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q - enc: | + recipient: age1j0876shgsn7f2thxh9kx9x5uwnh45z6sy2jlk2qz5jhgedm26g5srn9kax + - enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkSmVEVyt3OCtvUUNqV2FR - QW5WaDBFcnZVMTV3QWdSLzhxRENCdGNaVFU0CmxqM0xIWUVCSUwvY1pBVjQ0RCtq - T0psSG84VWdpY1dYa2doeFZXd2RKNVEKLS0tIGNFeDFRYzBDN3NWcnpUSVhEWitY - RXhLRkp3ajdlNGY4R3hRcWVSUU04T0UKdprDhBpp0aMc733Wx/K7hS/nLVohvlft - N9aSQdcRoqT3/iMGu/6xdqbeq0/7a/U+6JvhYyWLkLsrzw2mlVRoIw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVUtpb0FmeUduNW9EdHJw + WEY0WllWdE8vRlVhODU1dUcxUnF3WE5mUG5vCnBQRlNkblNHbUFESXhvQ05YdGVW + UkhjdjdvclRmTk55UXRGRStXREFiVVkKLS0tIDlkMHhxVkxEK1BjV2orQUtndGc2 + Mk8rZm14SzFWTjJTanVXaE53UmViS28KQmnPfzLhgLasSuu1Aflp/JDWo1hqvYjb + BijruPUZ3NuoZ4Wuo56FLlTLrch051fI3ottzy85FfX3lRnWZ2IK8g== -----END AGE ENCRYPTED FILE----- - - recipient: age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j - enc: | + recipient: age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q + - enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWWM1WFdidkY4a2hLNm03 - TGdNNE9ZK2lvelhYQndTYy9sUzM4TkN5elRZClJwQU1qeCtwUlFzeVE2d0FSSCsz - WTdzQWZLYXpqUHcxc3VEWHZvNmZibU0KLS0tIElCTWdraXRLcHNHMjR2eDVxVCta - bHhVdFpOdDB0eUR5d2hhdWJlcmJDMjgKBbVkm7LNwnoUVrUF3NPI7d25b6tAIr1t - HelMjQU5YFM7DvRYFOlNpgO7WmddNSq3C6WYa8AZDGpsjc6GypcLVw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQSm9FZ1VmVWhadldRY0JU + c2R5d0tNMDV5U2tzbVorai91RTFyZFdUMWo0CmxLVUJYdVFUN296U3Q3MTJQM0JW + LzNTYlVVVitRYmk3azQ4VXBLWTZiZjQKLS0tIDhXdFZaK1BWVFp4M09jbk0zdGpF + dGxmUUZkQS9sMXZoeTJETGpvQW5VQ0EK9Y/trD7VhjQnqY+KryPfEv1J/D4NCWsx + CHv0R1ps6A0qoRJzS1UNxU5bLXDX1RGQiU/arhJ7LXFxHrNOdObsZQ== -----END AGE ENCRYPTED FILE----- - - recipient: age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22 - enc: | + recipient: age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j + - enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTmRaRXorMzBQZWwyNFp5 - VHdUUElyd1V2dUcvQ3k2STQ0d1QyMytsRG1BCm5CVCtRWU5FVmErQWl2N3Y4QTc1 - Mnh3K01QUnk2MGpSZk1NRVJWUlhFYWMKLS0tIEFOM0pMa3RVNUppS2xOakFVM1lR - cnlBL29XQVlsL1ZCenBIYTQ3S3JxQjQKq09vbn1XOC1jIXDpv+ThFMk9k7SyYknr - MBJRBp/0PrKBo/Xk+RCSWSLjgali5Cc8KTjDTJyBG8rFzzvLIazBRg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBreTY4bzJ3T1FHOVdhS05v + dG40VWdVeWRpamdqd2ttajFJUjdYVHB0ZXdVCmk0UUJuRHdsUnE3ZThNakpwY3po + b3dtWXNNSUlvbzVHcXVIclNlaVNub00KLS0tIEMwL2FYcEZ1dkZ5MFl0S3pWSWFJ + NGdXVXA4UGJIOTN4UnhoMjRYaTRNWXMKGJNomXuB5TqXZKWk3Ub/rEc69CrfYABw + bBBidbCQBrv7cnsvjsVpHHGaTwyP9Nk1ceF/gbv9fD9gZ7dwt3SA1A== -----END AGE ENCRYPTED FILE----- + recipient: age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrQWhjNHlDU0RKRmdKTzh0 + M3dhOGcrc1N5SnozMHhSQWNUdERPSjRrZ3lZClBpd1lrbXY5OEVnMVgwTGl4YmUw + bWpJR0Z6RDZubG9lS1BIVnEvMWhEdlkKLS0tIFhSbVFhVnZIN2xETXlWNlh3TVVG + N1VTSWN3SEU5U2Uxc2lRUmwwaWc0L1UKfPWAEs93dF10GZdlQt3yeDltk/9Djmuh + 3ZeGLgkOjcJPXO2hFQMZoJY7a2ZRIxN5Oa8PGwuy7DEtmQ9PdP/mbg== + -----END AGE ENCRYPTED FILE----- + recipient: age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp lastmodified: "2026-05-23T22:10:20Z" mac: ENC[AES256_GCM,data:JbnKG1qyAkvFDXr2iHu+gk7nRjedmm+dEK8vBFW5YzndWE4QKoYWeaqRHBk7wdWO9kpZgU2rFiu4Be+ikotoMS8jKAcd5wWSrWtSreaZxxiD2TWMWX8HwPtETnYe0rjrEZ3kPcUj4QPyNTphfbH3ARLjthedRXNF70NDc+DIpAY=,iv:4LN3oslWUWqoY3rQNVDSmlJn1o0c8JQELzsWd5btn7Y=,tag:c8X1q9XMMUkXed93j9C6ww==,type:str] pgp: - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAxK/JaB2/SdtAQ//VIMBtLL8lhncJeItw53fQW4Lia0hs84yuKLuSBucNXhy - x3LT5r21C5CZ+JnucrGPxur4clsLnDnng2CgyWhksJNknk6smQIq3ZhyBd/OJzS4 - zNGUJIbitJsDaKjTrYDCdsQ3KVcRBDMu3ow7vzeP4wnL4qU5fUuQ7S2rK6a1hfMB - eTQmn4wD/Rl+Q0AWEo2V/X8UgchwGPeuOXfju2t9+1UVE0kUJdXw/JIrGyR8XrYM - 6ZGXB3mPnlZTZjqhXVSFSSOUTRYu/0g+s/JuDLpgl8gVP+oDvSCPrB2pDNK+o2Oo - VbQbJMg6lMbIuewd0ZTTeCv/TFU9O51RtkFyxHIEW7dVelDrNkuciAG1mDUHFUUw - MHeWDjngeCzr1hj1Z78P1bvR7I2pqBQiWT+d/e50S5quNRVjtLVEjuU7r1eKiPDu - pL1lYJZZu5+uY1nWE4qeJiI1KambjP9/C+RUCF38yT1wNvxrbwsM9haXGbI3t2cU - X/RRpK5VKKKwbBqyQmkZX7xaDR13hLF2vLtdVw6L9nYVVactfnFr9HKDV95HUnhO - uevmzu+ShtAt9FMXz86dLYmBx90A2BSWxb6sKvZkG8UDY+vVT1K0gNK4kwxR9rKt - LFzCq1a3ftx3UvrNMCwaboGQZLpRtiKr0lNQvGLpH/SRDZ2HksinV16FNVuN74HS - XgG5HnRO9/lkL2Bn+ms7Q6+ki9QmC21FlLGJOBQIi+VHNVwy6J8XQlrs5NZPy6Ib - LmWIV6BdIRejCAITlVeBRBpXymdUBicPLa/VQMK2s9L3SS7MUcv+4j+vje9YR5M= - =IEFm + hQIMAxK/JaB2/SdtAQ//cayg/ELKtybgayA4z+xOUK10zQJDE/U43BcPRMrBN0+x + VLu/C96Eom/dJN62SM2QamThHu454HMZj1PjDynMUzgfVqXEg/eG45bBBweWrI65 + s0tuzLmsqpdt9TJ5t0znliL2DYS3MPfmYRNbAsYsCbQd4I0YpxdzQwTvURdzjpUG + nVBUfzfcYH1Yqq8BVtR40MKfa/DbOsJGENHtpkQ9UDAa3gwVQs0NyZRQzg5w364C + UvItYlU77ZCKPkyOQuciLn4sM5poihu3UNWp855QsDK6fZVuxPTS4Cn54cfwdOTe + rL/ZQjLcHJ7PRmZUiWR6GVNDrY55u7zhORD4b8BgrpWW4hhxpp/ENjnRmNt8jKR2 + dJ/5/uC4HBX0fM3mbfpUn19BxCk9+gFPmNUOUZ93UxpQ28l1lZxeiLBOHAw1srEs + 7ZfFrJ0osedPGHu8rVOe93DCAtb/oNxr1xvGuDK/licRkEh8t8cvuoVsVhYFjNBc + UKXIPrhvuSj69c3OiHa+u9fNZJX2XAi0oOcZqGp+sQCCgUCA15I5QiqTpalCSTKt + /Stoj9BsmlSiy8YD2XBjmzHHVxJHfl8XHcuONKc3e4UmVjKlzkzc0bI73Y6XiEvt + zRIUmWxfvAvqP/zPcMSwaZke5h7N7ywKcjM+RHB4NqRUVYlBNwIWXvi7f5BdLhrU + aAEJAhBcA//3NJxuDzlf1zoXGKOhGIwNv5/Qb1n13OKIT2s0nfbqEHgAUm+tX3gk + VKKMqFuVmq2mkAaxXWFq20VC6djTJJS1QOaNsc6x3bJ6iDtYV19Ddn/20jbmbqmn + XbCDvb50nubC + =ZByJ -----END PGP MESSAGE----- fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hQEMA1QflAioE8i3AQf7BB0RdJbe8Ro2Fv4Phw+VaR0rUIuQKWOb7zf3/9YCbV2w - rICGVIx7V1vJF5R5RgSfk0RDrLN3Pfoq/7Jfkq6bMoHIVCHSFdryHfjG5Dgm49Xv - gDZ2CPAHPn15mG0Rr/67YUWsC2Jy4y6/JY478wzYu4Og9IkxkeBd6ufBFB6bTn4H - qB7B2hfkyQzA66zoxc0r2O1mchbJ3A4pVJw0v2I/sWCiZoJQKmt8ksoEK8BAQCWC - E8sozb2opRzFaUCZSNEdhz/rnbV8u5wW378kd8kHSOlWxaFZNkWUP42YQiNTkd9/ - YpxxGvwCTIpHGAYFtU7CV7QfQHzTuAOz7ZElPZsYkdJeAZCwUFO24nzwpxYS43AV - 29IHXvlKAQkjJunix0bPGcE3D6T8CUs0wXL2sUSDcvgOOQZSezRn4UNEqFCftjJ4 - Gmldo/baMO2Y054/iA0jvNmHRk6sJCY8aRYv9m5Fqg== - =n7Qb + hQEMA1QflAioE8i3AQgAm+iazJdcOXiq08MvSGMQ9/NAvrgcDav4561Hew23n4Ms + tKC5VLXf3l1f6yjhBZy6mnslYOWWdJ+X4XK0OqWkRr/t7zxEK4M6PC6g1W5hkaFU + +9DrkBLKss8atz3EhexK6GeljTuRpVWM629BtvMPBo/41eyue78TLf81vCkbUJkC + UpeB4alsETvD9Oz0ZRT8fipuXzdpGSjobOIgQa9bKwFMXXGY2fwBuKW8gVtSgbXP + mKwqvGaSdHz30BxQExmLne5ERKHOvzac2woG5tOmKPaihg8pbvuq/VjS2K0mzS5q + cbwyq/u4d5fGEFQYqMARW1aiyo3NjYk4xWDcGo5Ql9JeAdwhj3Wgm1wccULt2Hj7 + z/V1utNINoB0bPFb8ZQMmPpwAeH6nnoqjWmmoRSW0tL/EaPh5xQXdEuU+DloT5f+ + k8c2KQC+v4bh6BMUcycAeIG/h4vKsgz/Jc6BWKKD2g== + =G51B -----END PGP MESSAGE----- fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7 - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAz5uSgHG2iMJARAA4zyDJtNqK5w6QPYMyEtjuoAmva91yLA4oAU/diRpFXHx - D4UzksW8moYqmaiWblFy1HeQJFwZWrxnXeqg9B7PFOkhriIG7al4DpV2wXoCjami - DIkewGoeZjTbPNxsDVl0SbDafCARQFnQ8LNTmM2hi2X/ACg+c8mSM7eK6C3mh8yG - Bo2EsuCnIqzwzV6XbGCKnfOUh0QekWM7Jc/e3oYGSgCP2N5wb2PLVsW1220qdPvo - 8D1l5cDVj2Pgq7fnfbxZGJYSfdgJb1YweH8mjHk3gHU68AGeeSkV+VwcBGV2HObg - hKSbVWcyGAHrP1ppCNyXr5ZkBgyvdB/EjxjLqTLq7sdTnqjLLbMLgi9CCI0NuDMI - jfgMjOdaImjUvvr8lCl7dOMyp9wc6ks0bwRbfG3AMLGKWeR+un3uaDYujD0bQLqZ - m0g5mx1wHxNCJIb2ZQ6UVjDlnatTYGBnxEupqxr9PFyny0MRhaiYkuDIh4tHW3nH - xyCHN9QIO2/EktLkM4wcfhOeVgdpfvKgT+cMG9kS/yfInZ5ZAGvXznzvfNZZtKDL - fLvvF5AqYbN05c0h56WJa65tIT75P2wI6ZBncCSLqSAzyXWlZFV6UBP+5QLEkQaE - WtY8y2907OAx1v8g6vc5v5oHMqfwfWC4nuFbkoJo/ZbfvtDWq4eFZfkUKY3Au5LS - XgE/l6NTtWknF4nPYIRaibum4527ke053JdD/50eqfuRv8MFIHbRPfWE4lE6lgev - +/j0Ef9sYRu726Sv3wAgT7K6PmCFsLN1319OmjkZpBAJiNsxx9qwXyqgTpTvb34= - =Hr9J + hQIMAz5uSgHG2iMJAQ/+NjXRTghMiYErsXenuJRaWdwHZ+6DkkG8nC5b+Aigljgu + OJg5UQgYtX5W5T79uUuEh5BWKO5bMHBwDNHQC7Hn1FseYgrOxcoSYOsewlb8t2QH + fqGLLhv82nRnU0nTs8W/yvrBH/ub0kAtuko1jkPSAWnoonmeEW970iLVIF9lCVYJ + idF+DDSiic9RDpHd4Csuxdv+1Q8OcaOW1HVAUrfrKOvC17sawd1Cat2DWC8EcOVD + clNn6A91FBCTxVnxwM4j2J/NXP1JRIGnlxaa4lATQMiX8lfheu0LyEpsFZai55RC + dq20HWqPgYHiamp6eGQ+Uqe5edx6F5YX/25S2Jfrx4D5vRh0PFx6blY0kgZJp16a + ywNiMtLPh7HjOMbB1v7bcWtIDWrIhWDtyJ7axny8sMamCLCPOwPpPvdL/B5YOntm + +0wMXHXCLCaljzsa5GFIyVYj3pTY/6O0Fgkv+6ow08ndPjsViHNikufCSW0ueIFF + ehv0V2+AHhedoHChFZI/DEbGzIKVcr7JAA+GHAIWcklg7O5hss+/rr7nYxVB0A+t + Sfp5kVMInLpCPLRm2retun3zPF8+R0kN/ZrkLy02K7z4rrD8wVE5QUvSCWbpKdfS + deWIy4lp9wRXSunag1/CxqvrH3ZszlxSZPEQkC4hez+xOS//L/5QsiP52SavB9PS + XgHvkL3slXXsdnIgm3cYnHqEBf2rXLQR/ZTzusXMLEBaGCd9JB33T/Lz+TUftCUI + xxLwzFvm+dEvQ6bOB6/OvSMBIsvVzMZxaIblwZRdIYfQovEdKLCRc+F4lTqV8fE= + =1lXS -----END PGP MESSAGE----- fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DsZXvxFXTXoQSAQdAp7TsXm2MaBAh0qB3eOjtFuegcEsmtdQHsMP0rs0N/m0w - bbbzXLwq1TGL82l5Qon4NnX9Jg5gXnKydWOiKWhxCsQ0iHJ7eupJLxyfDD/kzga+ - 0l4BRUpbBFslWWa8Fb7zfNA7kslhkaQIJAmN92Yh/2NdkpmNEpMMaIrx2p2jK4Iz - mwGUQlUz4ZkK10xy+9LMaAtmLhBJgBhDTKKzw7OAsRAnASq2gXA/4wqEVgBU9BxB - =tBBK + hF4DsZXvxFXTXoQSAQdAJAr+RX2f5gW5PpXJ/WA+1qMPFjuWuDccIk1ecWzc4kEw + sNH69jVC0JL7l5RMrJTAaY0GRTMrJffoz28JxpVbUVFEpeHsd+myGCcD1jZyS1MX + 0l4BllCKEsOVnEKKxOscOIctaIw8/MDNnLSoP04JI2xVKKThor+UwUhRzg+fVwxH + uEiHsx0xA/q0HVXhTNIvIWn0CKx/4uV8JwVa9JqjSSyQVm8PBwU+UTfXMQ5VcuHv + =uxSy -----END PGP MESSAGE----- fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DerEtaFuTeewSAQdAlBZhTjLL3YPqorSXq0jet/0CXmeZeLL8inGvm/HgmgIw - aplmjWHB80err0ffZeRfcvqx9DGujpwlgoFGDxjqn4LIqoNg6YK/VfFb9pXUvIOv - 0l4B9xQ4DlaYOX1egCQUBw3KcdcnNlcEZwTOwTKn0Hg3gXp0u3TYlJFZAchw2G+l - XJjlWiwJN2gKfEG7hrtZ7MJkYJFsqMFa1aC1oWHduxU4jmdRdQqdIaQDsqkcqJc3 - =KNVY + hF4DerEtaFuTeewSAQdA2k3VLlMvCocHQ1ULFwTJKqscSb2FScq8A2I1TIdlfXAw + jWLzGphdsfHuNBEsocoixm4nKAdhjgBsud2rfYkuwxpqX2MlBr6ikpN73dXlHtt2 + 0l4BkUvmqlioN961OV7nssbeQLzb49C9Gzm5S1dQqBQVCt/7qGodTHHiQON7bYJp + +OgUaI6bKZjd9Lhm/u98dTH2cdPm1B5bUQPDzptWX5vG8euzBQxXc7OrGsTFyYME + =e/rg -----END PGP MESSAGE----- fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAxjNhCKPP69fARAAhSBdgW04fKM8tAU8sC6h8/4e0Io3W/D2l6P7nZiD9WVR - 2pUqS12mlNCoRt1I2empyJ5vm1wjor34BCuSCiyfLQ1WIlBJlDro96ygpsHZGmam - tNcrgwc7y6rg4ycqUWr+H+WVZ0kw1IYYKbfAjMAJF5lQqzz+VMvET9BbmvA595MO - l/dnMColnjxxBiYBIzO7mnli+uqRHB79rM2VVlrqoT+C2s9zuPfpJfY0PJaCbbdg - BlffAMqs9m2JZdDr2r0lrN/jyLUB2d3l9NCcF6UYP6tjgZsKmHv/JxSgXLf6IklE - wolO04qgDRK7jeO2UGEniweVQNi7hqA4vkp2TskGbfVsS10PyLYKw4N19GedLS3c - ZxRGde42Fze/PrccWq8bGdOfWhPBo2/MEyqVW4lgTeCCwrFRO3UNyYcWo7cmaN1q - lz7uaV6ffqbUDJSkjkphvxnJtuX62x9Uv/wcwrJuZUarSNclQ0nQV/e5wc7SzPgM - B+GLeR4tnconDZGFq8q+KKuHe7MSx2uwiZsJIVXohcZwhkd9wk5YQBPc8i4aP0NQ - wsb+QptuM8VpCEVAwKOUjp7IRRfUyqAIlmIRDkTijmHknSmI9HZXPyCvTLoy1Szf - KDrN1MAma6b4gsru1fFnVizXQyZozl5RVZFP2Uv+ndugdvRE5sv5aevlzgaWFg3S - XgFqaFwId78UDNTrxcs4EzjHmlwg4E05G9pUqbA9zBDdCqwlD4+6CfAgQ46A6ptY - 5p2QQJ3KXgJXrtlJySq8piReyq3mpagtWZJfAazovJA/ZF4o/xs9ZIu/q3qxHSE= - =nR8y + hQIMAxjNhCKPP69fAQ//VLyOILC6lpvlq0W7NeYfUzL7KtKYXVDF7aSQ/b6Vn7Of + ggc9n40n6FkMJqknhbvSnhhlFdzVOCZkLy/hinNk+jF2POBlLbzBjCuzQSP+ZDyC + Dll2UJ/khITd+tQ4zwrFLpixr518Fgcj8NOgtljUovxR1bGIzYogpmiVFJEd0cT4 + k7ldv5WbZtB2UprhPPpNe+98BaUvuSvA9RWCogaBbuQpY2p3g9t9Zo58spOawbP4 + ccz7Pu03Esy3cenlnCt3G7gl19viIh+wHKrIXPa8dGO6TEsrRMPT0tNEs8iUJyDO + TNEgo6+yxQ2p+08EzAh0BCRwljqnPLjS/h2s2s208Z5rBOCpLY9RuoXz7JRvZ06p + gBgPFSIH12VBGjfqCB1uZIatbtLQLjOo6+UU0evM65WhKw3//tUnLrox1reoiRzO + ro4JuytP+f4PylQRsr3jOYKRKCBzoZOOPZbVEpwQeBOe9zzxDgVQqHgVDDZQzCcw + VTHCrs4XVHxPH0aRMlS4A80xbH7VncYbcbf8a6VrTpnPflv0OryWMWDqLBzmIPgM + W1Bz/hq/o6br+g4uAKjt4GTdTwWYxptA5L84aMoihpXRu0MaPhG+7MRsXpEa/+Ll + +ybl2DLpm6zm0iixkJuxwtOdQOGjqJqC/GLw/EZJTt2aO+ZUb8dLrChNmR7HJAjS + XgGBpFYao1AQqLZU3c+5B2/9/3rtOoVX1DQXhUsji5NkaHyYO8usauj9evPUf4qx + FAQRWua5/zp/cTlNWU3GknqtJ1G0g1mrkiVeBZCRxIK2Iyvyav7RALJ1jlkyW5c= + =meb0 -----END PGP MESSAGE----- fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA46L6MuPqfJqARAAjpM3MO83b2EUtzyZs66HWH6Kd60rl3QODTqs4PQm1cH5 - HdzfVJ2IDo1y+FMTMmfJov6xBqnlalNaOvg8XFAkKTUkZgUHRW/q1WXP4FywTWmP - aJV47x4dOQXQgj/i/ykMspUgsxA5049/nG1y06Wsm2agLO3KjL6KIJAx0LI28XPU - qA/NFtfNuEAv7DGS2LGz1+X1hnRYcBX/oUgpihzActWmMORD6VS7xZGcMdF2/+Ex - OCDAnwT0cBSAihBSLTmEMJ4xfmMG228nbLqm9r/gELgVIsIL5hXWz0CtxaewwLQQ - XFMm/ZV/G6bZKRJzKPOR9EcPMF7Z+nnBts9wKNlE+WA32p7zu7hjvEFZhLiDKYlN - +nFcx/rvyWB6sbFK0xn2x5MonxWNVUy58PnqGWmPi2VtXT1al1zSAoKAgg8Xdw21 - PQENtxqeUSLXXb0SZXFptMmYStwqoaFusLOCLW42DogFU246o14veDDtsS619T5G - RrszsNg543i3ra7MIm99YRXyniUaDp5VlKufPkWRexIT5YZYalOLtdLcaTTzfr7J - x4PNVOK2ddtmlKbbakvvmPWS3iBEUGMqw69dPhEdpY8yy7HJ2jpXX7TiezNqGJ9w - XqtI9RJmWrr0/zSoim0EpHDwXZhSf7YVcwTs0XCtwrXcQT6DLaZJr8cny/G1ErLS - XgEdnUqFpB1D0bacmRpfHA3PLZJd/x0QfwZ/b7gzz3f1xRfMXgnsM4iYu1S8+VAW - Dy21iVFZledWfrmuXh/PkLFftLipYK6tc0n922kFFxCn/xSP0yx9qKlNwzyduNI= - =4+Bv + hQIMA46L6MuPqfJqAQ/+NK0D10olgDK4KcArzoMtrJR7qwbrceSeKwaQGsUB1+RZ + xv6pZJ0zyw7McTuUV2I4bLYHy/TffSyJk5vLSSTGFXgHVdfKmjvm7VDEp5d2uKku + GW3Qh73quldfhd5GjO+F9V/S3rCysrNMpTmPnR5ha877FKGtc8168XRhIpe/1+mP + mvlE6h0Xizbx9myGR+ie17nHpoH+tjTtQFH640s38+xDgH6AozwWGUe/g5TdLaLJ + 8SKHyQnS8hOHQDkttvhWRbyhKa8WuGyOKSjuQ81HIv+/UPxh1fs7vovPHM8rtIyy + xGcWPzUeoKQiV2nyXUP3BqglhOhD1vokh3ejDcxwWWKuyASCSXhhvW7KMsV3Stdd + E3O1nyOi4+2I2E4TQo0NLt5mTJonPbvSn4IvV0LuatrG902UeNNZRRwQv3ZrVp6f + G2ZJ9HNSs+Tp9H8cJzBGjDBYjC6/d3GGWi7N/5G/n6C7T6W81BgO8UiQOleEDF1c + Bi6NPNeoGL8fivVGlGTHpLcpPpbYz+1ynsFs1ho4+v5bHS5w+UfvVvQC7dlDKmR0 + fUAkllcxLSnzKkpKis1HF+Gp+lSNc75/BzOeTA2gS3c8H9jMuncRolndPX1rVJA3 + mrLiQE/Mja9NaYHzUROKIHDEUOQ1ZzvpcRduggvfj6Gb2wzNdUdR5QrXnLeI2jbS + XgHO7Jr0HrHzr/+p+w89U+uH4b7onseYDiAjfLjAZpcYwkzuy7b2ZUmpLq1BjZRo + zs+rSqv4BP0Xa7LNIFrHj4OeL9ivwP7Kw/Tb36hU8DJ8xDfilx81n69Fer/cJ8Y= + =BNfm -----END PGP MESSAGE----- fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DQrf1tCqiJxoSAQdActtZQL4KWrCP8UUZa/fLeDltuNV9JjxTYiI9upoH12Qw - 6n8EBLgKKNw1Hsb40u9M5Ro7Xzbys7zwZsL5CxEgFGDBxthtcdaI/ykjU0W3poLE - 0l4BcMpLoCyxxwIn49GpFxHiv84Q9xhouSMmCTe2p3bn5zCRBnKsetVHtEti4iRF - sY9FipGcyiNHfkp8KsWeUxD/j1QUIkGODXt2RqYkO8ltA5QS3kUCPErmWYymEAEu - =RFaD + hF4DQrf1tCqiJxoSAQdA7az9ylWMB3fWHwSVRmU8Gu4Qnd6HIyMuiG46weuS/Cww + QMCknkfCG06HtMrOcroNigaj7G6FEvDm64sUkpW/ggWkHUUEMuwi5jcKIdx7XdbJ + 0l4BDGUF81uOghQUq/JqDtiYPD8IzRHMXbJmXiO+4y6DE5b1t99wBUt3C5K5H91D + U3blcYO6GROPSkVp8ZIzfnWLvyVoWInd1ZiRs19n9MN6Yf8uWfx9/3xvN2kKQyvj + =4X+A -----END PGP MESSAGE----- fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DzAGzViGx4qcSAQdAoNdta1fDVjzrPWeSfKrmslkoFi86I2nWplPOli/gFXsw - 2Cx+wmejLlc61RE5sqAaQJc+0ctRezwXzBJbkuqznZ2jWPCK2A1EQ7r3Q7USCCca - 0lgB6XOo0ByOj/W4TrrGn7VmwLvEqIiWCt5zk4BEUSVc62Ffv48dcwL3hsB3HlRw - 6FXyR+2zwyEU5fuddFO4nMi8AXB6cfU6F4ugFgwn92lCgTom7IULY1D7 - =Czq/ + hF4DzAGzViGx4qcSAQdA/+jZ9/0jHioWKE2TK24OFDKjJ8futm2TP8z6Xat3uxww + DGwSznxagIkVgdTNKqAWmzGvOum8xDBqzP232CM8B/oxmwIjuIV8+FXtJuFHA/4b + 0lgBN9loSuX5uL5O4uWzPulEhqjFElrWRZXLHZn7uIWipW/7mP8CGu02wwV/lme5 + jvtJ6EjgopmHrxyaJqRk+e65gxBYKvxTQ1H1iETCUq8lOnxSBZVY5m5K + =7H6g -----END PGP MESSAGE----- fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA2pVdGTIrZI+AQ/7B7h5br3PMgum71smOTJMBfl4OaxkQAirJeG/z2fjqbAG - l9q62H1cutGKS/IYOFLE0OQaRwmHtkdTkrdmf9yIuAktcdAGAeqwnYW3LwM3t7U1 - nfZRJH5Hi4xcSVVaWHn5mX0QpxzrCye1EIjHvPRx6/bWHD5sW9qnkZAlAvEJS3/K - jdyBLLlK8AITpsX4eeVnmVLZBjbVEXPlXfFCh9PFyqrl+iyBBY9bO2aMzWldbQIr - j1551Xe1wKAOn5SJTg2Mrm5ehBKfH53HY6ubCy9acbv5ZTe6JuStseWordtRNNXY - 9eVmR3MRVoFWgK4Ccb9Qq8l+uEHRuQfG9K7dSnxQIJpHCOAQO9oi3/ykDt9Vgvo6 - WKPpvyuJpWc5Tn+WF1qhz5wDTRX6XY+cUoHkUqZXG0qMTIfMLIAFZ6MuslHU9f6J - PlY0FTnwp5/v9rK/rjXZkfIxKjQtSWZwkZCszZ0WtNVuaY3KO6KYrd9rolFFYjqn - I2xFGnTNZwh3tjG/3INoMwilOkIUNXr18k6FsPqVCAhj1Oo0iNxb3j+3pGJsH9iN - ciTLeM8MsFW9MYXG23i65a5WVXi8hMTcyqCy9GyxLeFprt2DaH2HaBahF3RIWPop - KTNsvW1aawy+lDUyr4mBy9F0TA8Z1/db3l950Gtuz5s9/7D6bbmRn72O++W1RD3S - XgE3QuksqaIh7ZGt8tVPREEHpBWmPCskh35vLoqeO1QxGxzJcjrcuNeHtOH44EEj - mHzYUydn0e1jwKZkATG23DiBCyMpcNAWmsMH45wmk0fgNLdQhuslhKLqOUDLpN0= - =Ygd+ + hQIMA2pVdGTIrZI+AQ//aZjaPgcAM6RSG6QCnYJgn8EDEhG7HDvXmb58G7VfxArr + m+K4Hc3hW0Hh/c7/bzu2QWniN1ie4apqFSvQmAIJ3zQZSyOsqhzvbmyTFRAyzpzO + lOAo/s0xMu8s5V055vC2KWnKuqb9+WtWgJPotkpOf7wQM3aqtvXKFnPa74ihjXdt + uuopRsOsZPiG8MLcqkCrTy+pd1PywrqwjKeva+mfgbM8zpypw4kwLwrljsxCThkZ + To4dH+K8oesvSeyVOKWtAwnjQsPa3Zn5CFWXNwPnn2kpjyMoNRo07xuRkfHYI4L/ + 7D8zz07XdN47kJbEj2BYjChURtbxkFbAxq+IUDgbNDW+M7VQCKZW+vOFjwmFJAlT + CCco2I3lmrVX1j9BTMRr/3aQNbY/OzOxk0qjYZGnPqV1bH4IazaDFUB8pOdmit2t + KBzDt1L26V0Ek1CpOp1dcJxneITXX1j5IqjMbl0TzyoJ9CxsSaOWfZ6XsBBSXZNZ + VnDENbBAOGcJgatjmC2qH5FCNio7vMRRncX5j82sytDRWbj/7XHENFpfXyGPIuYg + AaHyxSVegFCeRUHpzXo+qeFpNFR4407v+otVaEdxbfj6MQfMZ7tDUOde+97NNRow + tAMUOAN9yhGuEPMPr4stQUz4lHseGMX3VdpJH8UQH+BxVdJhzKg0H/+6bAmnRi/U + aAEJAhAi7DZdrKpPPkDijPKnXCPJB+IzdAJdOCsnIhZFzaiDUo+RLvP9bEpoqv4m + ZFMtiF7P7bXyeNIObCCsgKhdX0thXI9lZvv7k9M4lAbFhPS9vlmDwf25t2Nm9Um8 + 2tbINg+K23jp + =syE6 -----END PGP MESSAGE----- fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 - - created_at: "2026-05-20T02:08:49Z" + - created_at: "2026-05-25T17:17:13Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DKKbvh61jX5USAQdA8qtjYHoUe+GUdy3obbF+pNmvfuKQUqkMHa6V5ZXOpXAw - M/kx52Vu5xOdynB3NMBXsfTVH7KXh0f06HcehTREOkhlwVMYPcvDQQdzgJ3Xodpc - 0l4BdYtmbmk9ETTqr+wXvf+6BMYIuvyhsLLSqyWyCxJv7blQYsxsc3EAHZ4LB0ZS - /lw6gQ5lmQyvVt9PQZayt6Iku0+WMJcgrf9xykOAm3N2QrtUnr4jHV3FydvTiUwR - =snV0 + hF4DKKbvh61jX5USAQdAHw+hxKofus/fR32ThZOHfkL+8TIPvWeYnTYe5UUCC1ww + AtCE+MfZvMgRx7gUpVPcdWtch6nlFzun+r84QfPopFk4S824JFEkK8jG0scYCpy3 + 1GgBCQIQm+g/LWX0T3Do0NXrRGIuw0fiKrQiOpEhbO6a6ez/pES0zKKBdlH+scQl + +nLZoz6Mw5mkwhY6zIKsrikuQ/+sciO2fIq9tI4MR6cvD5gmVrGEjIyOZ4xgl3X9 + nX6OVR9w8cR7rA== + =voeW -----END PGP MESSAGE----- fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49 unencrypted_suffix: _unencrypted diff --git a/inventories/z9/host_vars/z9-router.sops.yaml b/inventories/z9/host_vars/z9-router.sops.yaml index 89f18e1..33bd3c8 100644 --- a/inventories/z9/host_vars/z9-router.sops.yaml +++ b/inventories/z9/host_vars/z9-router.sops.yaml @@ -1,3 +1,4 @@ +ansible_pull__age_private_key: ENC[AES256_GCM,data:TlMDo9sUTYznxKOGityGLexk54mM7LU9+U4ln0YYhO5fhXXmwvySxyMLHlaKzSlpU2/mRRy/0v7AIOuRVZx5XqV8X2JJsv3/NeY=,iv:r66g2UQ663KvWyAISitbHBRaLBlJ0gB2g/TW9JiL0Ls=,tag:VEq3Fqj+t40uBo9g4Icfew==,type:str] secrets__secrets: - name: ENC[AES256_GCM,data:gt9BarzsfE/GJ5gQeelgePquW6KAgE3Exv4=,iv:IPpUQI+zkf8O+ej+ZxLFyWUOrxGGlZvmDRG0ut2cNsA=,tag:GP66MvcKyCqyKV814+uMYg==,type:str] content: ENC[AES256_GCM,data:2ljp324rAsF2zk2631TI7bV1xKxdFr4u4NxrsPYnjWsL0PX0n0KhJ1qvJCs=,iv:0+DxsTTiNLOg5iH83bFT/d+0uW2rn6bATSm3xc5PEdE=,tag:XbBDrrjriXPedyT4+sBBwA==,type:str] @@ -18,180 +19,190 @@ secrets__secrets: - name: ENC[AES256_GCM,data:ERsggezMBbs1YwbIgwzKSAEHWWOWYxap8IDdn2YtEKvZexqu,iv:XbObLp2QERgt57tc/Cpha1CWXi+GttcIU8hJFGSp8e8=,tag:FqCuSbvLRERpVnQTzQsfpQ==,type:str] content: ENC[AES256_GCM,data:QPoZA71CwE8EFE0I+6z0z0O1bUCMQDDDG7wGNoxXKt3ovLkFt21r8WG7VhA=,iv:InX6A71f3DGTg1wO4G0ECf488+FnKgTHffVwvJ9hHQ0=,tag:EVxwJlneN1CbMLXto7uLFw==,type:str] sops: - lastmodified: "2026-05-25T16:29:22Z" - mac: ENC[AES256_GCM,data:zxtV1xgjQuKNMvh6S8oAOxX5J6+iBRO6k3vGw3vWNlhah4Gu3S/lt+5v8lQHogz1Vyc+Zff0yMj1cn6RstDDj5AuOCljRQN0FYs0fjCo4Yrxx5sMMwcwBYquC77skEiZhRnqdXKkjiOM7EGE8qj8O3DJ29borIjm5NAsflH/qkA=,iv:7EUElg+gu8mk2Gq32JQMTf+A1+ZhZufoqt5bk4+Ca1E=,tag:XG+F/zlXizsc2B8THoXj4g==,type:str] + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxallVTFdueHBucXBVNzIx + cENqanlOOUticExzVnlERS90b2hWQ2VldUE4Cm9SVmhZejVzanRDTkJhQzhwM3BM + MGcwTEZ4YVQvdjc3clBHei93VEN5SkkKLS0tIGI3KzRPbjlNTFFBL2huYlZSVTZh + OVdXYVRkVVJwbVltSHBXRktIY3BYL2sKe+eqKzYeCUWx0KmT0+aM+TwWRj+P0Ecp + tnFHmQgnEPypIhVvZtzL7i64kL6sHizTmNhbw+hlnCztvsdEV5T0cw== + -----END AGE ENCRYPTED FILE----- + recipient: age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp + lastmodified: "2026-05-25T17:15:30Z" + mac: ENC[AES256_GCM,data:IW9eN5H2J5cnXUHlK2aD+yd2ORx+weSFKBGWd7pIolFb5txg0WlGVp8UpD4h+Tv0SJ9NkQOT6KpcXDez/L7r7xNYtmgf7AdrdGpy3IOkEYzHJ+oHUMd/aL+h5w6/RahrpxlPSrNKAC+AfpY+l0iodwQ09iuLp4YXFxRaRDGpGZw=,iv:6M7RkDN9D9Zlyq1MCRoiT4f1bd6OBZNg+C65oEuSWn4=,tag:wRsq4lt4mHVyY6ruGkYNKQ==,type:str] pgp: - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAxK/JaB2/SdtAQ//bbr0oza/X6GG43ay9coZbb+0aptj3pGzQqT1ND6nsI34 - iY3IZaMZIti+j/BS5kEfmRn56WZSx6EcbSrlbiyL5NZw9R4/bGRd848rOLwMvuYO - 8Usei9jHdpHiPvKBZnZXaXGU8E27L0Y/LCxSIFOXbyHzHogjz3JmtJQsYpSC+ue6 - mIRrSAJPALrqEL+DZ2bl5UYlBIRXdtIe/jL1CFCJhULt+EjJw72T62DZK/jaNZTj - eint63+IFZSxx5e5vrAeQB+p2EDsp6c5NbDrlgQWb8/J1q/G5bG4KxBs/0hum7OW - /sSsIDb4Qb8U/axt5LduV6AkMXXsclNLQU/LbFAbBRcV8Lvh11f0U3V/UnqUdmvp - efesb5VQh1x0uWjzobxaioLEV/YYbWx8binvuJ3MBHKp6E2xj7IrBTVl0MWgjEou - ZbQDF8DvxA49xEnJyOviL2/zjnV1kXy+Q+BKZga3pr8AnBHA8Ftbsvmk6CyDEM0R - i4FAUOVa9VWiszoOaqyn1Fl02YlweFmgzuFjd3wi74Tbi6RE37rN/vBKySbnRQYl - rFUU3SQlztxd4UBAXBo6gQKTz5B4rehvKVye2mmqEE9bas/lCWAKVJ7+3+0NQdA2 - lp/X7h7DRSD2Qkd35SzxkJz7P86rd0LM1aOu87psxYavEWw6vFs2ErDkSeqDn1DU - aAEJAhDb1s+jpDUa3GvVZjoiiCyutI018jfJU1vi12PGktg4KJcXBx66R/nLItO2 - ba6o66scIiAJZ+jYymW6RbJTI7XRHJp4Cs8COhpMRQeOGwEHFGGL2rpGd3KrOLQe - 0/C6EmrJvGpl - =atNE + hQIMAxK/JaB2/SdtARAAlyJLMDlT4FLpMKaC3ygn1cfA2390Dz24lzKlHmwl5GgE + yS9bdTGMpcM8zPOQoqaoy/my3kgx2/U3q7WiCTMdUyYePAWuJFh8ZRZjw/hPpv6n + GwYgK3M2C1I9++zmZD5LlR4TaTTpr99+hctYrrp79QJddgozUzAQ44g7WvDm5VhI + bb2UVSo0MpWvLEMXHqH9YZcjkQyVg/DL+IaU1rM9pmpZxoN7+0jQY4ci1ZeHVo9e + DbYcjMazBLakjZxxdtHrqx3DjZgbYCancMy/dUKVuvDF/lN35WWSxslv14BNHljL + +/9YBDRgIr11x9j1hq241UwBW+6mSFxWF3qQ5esdR5xlLEqbm27PYGtqC4LIdzRX + ZUvdujuQ2PHCYJY/jKWSf0cdfXKEGorc1ZGOV9FNq9L+aKvfmRLWfzX4D0Hp47H2 + d3itVuA9KYOdzmk6O+8FZv/VK1042L90tOPJhrtE287KhcJ2CvfT/Az4Qot8xg3c + tXmO3cWQpigXxJPfKRPjmmLJ9nq0BnBXj5ngkVz7d8R3FR1J/+TWG0F1VU7YeW2+ + Z04RAbbKf36xUTqnaV34EDum4QLLdTMra6fPYPy0KiQYIKDcRSdHeM/hEs7JXP1c + zbUX4xuBOXl7kWYR0e3MUTzxYiQBr9BvSDY+7sGQCb+fPw+AKvFxig1grjsnZvPU + ZgEJAhAUE/ebqBa2nGimcAPn3PfeihehcmjLg7HmyWBPkHHMt/TIOztjkbGiQSC/ + jBP+rhjmFxm0WKUGM4dkh14JkMgz7DZ9fozzLfo8zN8beuSDDzX1BndTIMBQJj8P + Q/rk1NL6pg== + =UXJ9 -----END PGP MESSAGE----- fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hQEMA1QflAioE8i3AQf+NkUGCBrTCkkyl+iBb6P1IWLDGqAY8s20mBZ7G3plKE/J - UrIe947letj/8EA+yoN0uzjwEkh3rDLtZrOLTSgflq1GMpdVhdaTbS71fD3kghJQ - P9tz0zDQEgXHBi+2q7iRrEETx/cu7UDNkSCNvQbWvDmo8MfbSBy+VFCknfupdQxj - 9hlq4kBA0pckPCY8V7E05nDhQntS8wpXIEO1SWiSuiGg+p4yFlvNzWNfhLyEFHxL - BZHVVIU/mzyClMajjLJWjKI1LSgHXXIa28tgdrtiBZOsF+CWveYqJlRJh9NUepJI - ZSeFNhyWmnS9ZkQu5BUyb7+oRxfq2NY51T76Xbo8gNJeAZWwyr1sj1wjubuVeNMF - aU6FiynYWr3I35JRVghTMJ93CnPl+NTpWnQuHpq1bzEGe2u8BMFhgrTu2yMD23VQ - eGien6SqfEbA/wAiz9ZaUgTQH8UyHpliteZ8/SQgkw== - =UJvq + hQEMA1QflAioE8i3AQgAg+PBxAqWTfRhxP7GxDfQBPK3d52zshP9xhutqANzszhs + nbo3nHWj/vjvHlEuD+Rr/lr9qxsE3qS4ON7FG929RoB1YFHJnQl29Xym2Q34T0Hy + Ih3dibykm0t/NE+fuxsU4iU0imtjqhqA6P0+8FNF3UeCg60brcqlrBTXM9jFqlZ2 + 9nuvk75HkM1FoHiKx837qAd+RjNNO7xKUpn+EX0l0l9tScuPqUkWNQxLrbHrcO5M + bcEC1syZHQKCiucsesS1pJ7TFWOJsnamZyaqhzANGwWdhYwGQv37bWKr6dYTCy3q + rsT2NxQK4/N9CxmP6xWeAZbX00BDhNMfEQVtTlYLgdJcAS433Hiw+DSEwGu2zvTa + pHtQlGlaoOZemNnthw0NO6JQWGhz6Bx5QqYmbrshtVKNPh87vNVV0HhL/fQ7qwLp + uCgnMi3P59r8EKDZqTSp0YGfE2bx2hpBDnyJ42A= + =rOz4 -----END PGP MESSAGE----- fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7 - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAz5uSgHG2iMJAQ/+O5JOJfDp/BuBCuXDQVUgJagspQO6LZ/MLrl9qH282AMf - MdgN5M/WjbOv6WZDCMg4nfXps1XgzUEiaA/1m4PxHlMmxjEoQHAE51GMcxsXg+B1 - lM+8uJ1+js1sdDX4xsZtJpbVxJKIbPuhF7oM950oDlL2+UKhUbPlCoxeOihlkVGa - RqHJ/M74xkyKH281oRI5bllJaAroBnXVSFIvbCxA7ts/O7YJPKBowTIj62Kye9Ra - aHC11bPy2RlJCcFZJjPSdnXvzUMpfzEd6O72VUtMBBQZn/in7efutC8FwpRYuUW7 - vSofxUN5n6Mtb8A1XSMFD/nfXVc/pM6Cu7kdtHSwSKgbKKf6mrCeVgaM9xcG0t2W - 9yEtWvkdvOOSqz/vd1vkftbBWcCejX7bktfmD408CJAs1bjzz5CyrDoWcnYmbxFY - 6N4rhMDRMTe19VH2UQ4EvSjQjmmYCspnUW3/78zi5kU1ijyQy13UpbgwulU7tSGc - KKtBjPoy6mLIVl0YhnEJZWD/XPIRWyW+0s+7m70YXCWSVipvCelEE8oPWjf8PLaE - J85crlZGkSRcRO7yOP/YtB9ZnajgaF33zJU3ZWr0C/IXj2TeepZp/JUteD2H/LRf - 9YJzOFYDOFIWcdmaTzJLBEaefWcDjT6wkIf6TBqQRMLsu8JUwy9VwFcsi/d5aMXS - XgEQqSxYb1B39OR0sS1Xpw0/CFe4imBPuG3w0tOAyM3DbPWYY1kZYIRZenV1ZIOS - aRZJh086kuWgHYB76VoNzDK3QperWvHL/8CT2g3HuPiVGSrrXwxCYXk5+UXB9bQ= - =Xx91 + hQIMAz5uSgHG2iMJAQ/7BOewbq1xQgTOruTFebugbSrodtfUlIDpCez+FZMw3Gos + uwfp6jslBKXHidsA39CRktJ40EYqygmBgcxGTvHGC94VwSl7OfCjHsyfD/93L358 + XsjpTHXBO/mOjQmJ2smhZx+q+iMLpJnq2QA8mGUI5uzPTjXD19sD9QdYdHF2p8D6 + mdpVWED2gRf/sDoN+y3c/iZvMTN2HeDCx5d/wIgl3mmoHLvWRO8pNBV3EUg3ZBiv + fc0Y7m/0KOqW1itE4yg9IoPBWJg2jYSZTkRnQMPEkKEEHNtbx6dq5tLOYUIIwOwC + 5JlL76BRoaul6ousBSHV8OWCAvS2N8OC+l0ATzk99p/h4zY7PCG7NhkKAOgYfWFa + /z5u6J6TMrmeLZjknFXepuVAzNmDU0CmuhMwZankGKq6lmsQQnHvdq8+ExGGWhfK + m6I8nPvG654md9H7Y3HusHa6y1rkf9gZp1UFzhvXQgZdvc7K5pJrhxjGUnEg6sS0 + m4daDRuNLW32PXiwoWTtTJfOQFv0t1f1eEKI9DO/O8/4fNtIvmI/8HDcdF1XzDnt + lGnyD9cZ5jKsKjGrT9DcvJhyTGWDFeBDTY+rlt52E8NbrzWUjX4J7Gyz8QRY9j7m + wRi4uaVt5KBmB8Ibo2bMTUXU3Db/0p8nCAg/89D1fP6FF4izg3GU4oD3vJyl81XS + XAH8tGT9wbjXuhomyhqemDYb0QdTRfpAznm4AS36qbeU/Tvj4M+Nm64qLpj7FFtK + aeDas4lzgeQf6/cdd5ItLlRHhlBOJEmjHVzRR4npabCWZojP8PTac1IlBgvS + =OH/y -----END PGP MESSAGE----- fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DsZXvxFXTXoQSAQdA0rZTVdySF9nUiz7ZyFJgq1tojyLojGTgE4UIEJzFSTUw - 9y4kbGn1cWMpAqr+sE3WHV9p7v6kgm/XdUjXGN4DadpUbiYx6sQW2Jov6Km2EYhq - 0l4BawupjX25wi7c2yR5iGdxYS8oCYVmGgcAB3T96v8VsXpkAOYQAOOh7B9GQIxm - hB3cFQLCy2un3VvBsiKGFMA2FhZYBOuaEwP/KmWnPv0IPIRH4by6LDB0xgq8MUNz - =xoVE + hF4DsZXvxFXTXoQSAQdAIjnFVslIKlmP0X12z6AdWNqxkpVBDFvf03ToWQEQv3Uw + 8ka0OYl32rH6UiiSE1Vve1wZ/iVvK9/il6UhTpeAt8bIiCq6gEGR9Ba5NJnm6rSG + 0lwBwzEtaARPJbbcWu7Jl+dAQ0quP6uVS55OYBuSannlaPrQ5qBuS14AtuQ3UEVz + EbcLJ0b4lGL7hgyAf2E6nuDTkPGPChAJ5H5DfrB74ZB30GcYBTzwj13+jWx/VQ== + =Hxuh -----END PGP MESSAGE----- fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DerEtaFuTeewSAQdAgcGcZ3BT6lsJ8FxkMghxg5/PZLtIzNeJaEUbxN0EFhsw - uM+Lec3k9BJSUJK8GeVmesYxQh8vP6Yi/+m2LnGjHXzkQg8Bx1HJzuC/Ap36rC6N - 0l4Bxj1URTsRD4yILEA3TY4Dn9St9uOtodJcf5YdAKvmeb3Uwy//huNnA1eK7b+v - WRHcU2K+GgkSzLiRLZTc/nMrrCQ/P5HzwYHmP2rypFX7kxXlPd3K6yMZWTiSgYZd - =gZLQ + hF4DerEtaFuTeewSAQdANsYlCeGhhqmBgnqcSuNdQBUwYKpucDrb6aR9Siyukjww + 72Gin/635k9bYXwknA1rPyTMvG00giQgjUr/QK6PSD/eGi0QOtMZLj1JRi8f5EU+ + 0lwB+MIM9+EEzHJ96ouzL3bu0e++NvRY1Qjyx1Xi43bM96eBeLZ5DAc1eTSdWizQ + EWTorcmXffkdfOQx1zrlGZo/qvfj5F706VcwX4aZwok/ASRmSeCfEXLgGLCwqQ== + =ccBm -----END PGP MESSAGE----- fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAxjNhCKPP69fAQ//YGOLOFtORNbOu+KFCtGcJBXQMy6Ej3/tePVuDi2vmqLD - 3Dz6stB9D+BmBbcgbFlDA+g7Vi6DD+zcze9wM10iuc9t9ucAuQ7B/ymSvJc4MrYn - MJFvQv5IYgWJmzXLYEFYYpmZPGG3hSHSgWIPs+574wEA/L867ktguW6ZD3ZuMn3E - yjCTeT/ZkGjuIpGqMu2/o9Wvc+RYgWlCB69D8kTHtnbFzbqEzvKU5/zte5ThchA+ - QZwFd/gk3o1G/7WOYJJ6CbBSOQaSrfm0mnb6sppNPdOAQtqHVSFVX5vX96gXsht/ - AkrvD6/2R5eNzbqRaU83cg7c5far49xoBbL6czreWY3D56yK4BJbrrg9mK7oCEfO - GaRDFFD7R4LJPfVx2xDoIQ3Hyp4E3dz4nyJx0Kg7NSEt7soOb5MnZ+04LLAiHbaT - qZr618V530uw3qaCsYcgHy+WsZXXlqXQey3A7jphi3u9Kvn9UjeegjNvpOrMk6g1 - RhGzv72G0wjZnzjTjPlzeROHaQ6RPgfpkZjEcVZNZkfAgAbB3XPgCFGKz4qvx9MP - 4eHIlBSJizLzSi519o+0i5PwrZdEf9L4RUVxgQgdJXMh1JaydVh5DOU+xomdStD5 - Maymkt8fSgYgDaS953YA2e04PrkXCH0EHZ62T9EMxreEoU3nYTmw/TGx7RfU+wzS - XgEuQkLWSToJ40/Ir3obDA246yv7J2FpmPwG4oFypkM5xe1WjlMlk90b9RBhUgXk - ylRXXLBzau6mtbPOa7LGdVyVs2DClWQo9BoK+dxEsnW+TR144O4UmZEfifJXvgQ= - =ympd + hQIMAxjNhCKPP69fAQ/+IRYUQhf7zzIZy3AKAtQgyMKRINOUUqOEv6IKmNQaaQP7 + K5JXnVi2gjgBuG+2gH9iCEimIggnWxFhHerfOps+NkAI6y7kFz5hnMtOY2Qf3vxT + Hoyq4l6Yn+gG1HSLozVr9dTQPjyGOKJkm36ZKpM7gqSuLNP2ijKARzay4Chg3i+p + E1TVTVoEczrPdLg3O2fd5mi2UT1k3E4QREti0k6K4juMWqMz+5iJ5X98qCdmE1eX + L5dmW0QSUChzBVw+7NEcxeNx5WsbhWgPA5m2+bng3V8tHqAwrRUCoxn2+yabnsZB + Z0Z7TgcLk0Xnezw+BkT3bOsKgv+atE5lm2rBiRUHRDR3S04j0Ju6fJHf24CNy5ES + xMF7BE23SgmqUq0BrvdJB0ToNKYGMM0C5Xg4vGRiE61+18TiFIeC3mF9suvFFKc+ + houq6Cy7q3O5PEqEbu6t5vXAZHwL9Th+ZatIIe9jSToiZiLEOIEmiYptR009/OWq + v6ADzaAE6+i6HZ62xBYQuZFkiUrRKxYzTHFn0A10QUJrJgbWr8QjS76oKi8feEDC + BJAOwE/0aK+l46hI6mlh6rgeSy8XdOPLEnL4+1HjlshhTTiW1rE2cr0ZiTTA6UFX + UhABIUi6jiLnM13L+auulU1UZQ8wxp73okrcuu6g2bPT/l7zO9YNOCocWVPQa5vS + XAH7qrW533ttg2XAczCdALMulV2N5GHl7TbgRQBkdoBAKL+6oKfxbOZeQM2nrfZT + arytZbnjgCcy5ygnjeziRvWwLk7sysEpAQqQNRm50m2Cq+2ccedRP6zFzUhc + =4hCA -----END PGP MESSAGE----- fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA46L6MuPqfJqARAAshm2x7wX/9g3XJtSN0AnSeCwSHO1I4+ebLKOsB7zcXh8 - hrVO3694jQcU9L01H7jGYw4lNNzBd61/uVE5AvMq4Sqn9iH3MFNESbAEOWVV+TRf - 53JMg9C/aZfde8gHgHPaiVXlCBVEVY9CqHpUXUKDmEE7iRb5P4DuMxOmybDYZGzY - 4c5Ke1MFMkGRmAtsT1qLrT2vh+F0CX4JwpMkxCmOzSWAXbwrVOigJ35l5zM6vme4 - 5EQu9jI8FApTxVchZbr0v3UOKxp5OebqC0jGeznZNf4qb0qnsvuowY6IIw5Tl3/q - H4TLq5EUOVqTC1voIWY/gMjieiW1gtr6vASy4MvbswsZLc26YVE9IbHzAOUWDN2o - f2iQ3aZYuINvniD23XtM0TKepDXWq5eF+AJpmyP/LL8sYvSnWFD+muK3O657djEu - yGZs2EFTrkiUvhBq3apOOYiU0eOi4Aq6UeEbOsLENnQrBRXuHEm4KUSwzOitVwJ1 - ByxQTu7wzY727SOR2hzjMC0LI602WGpEQU7ech5L4uWqtMFwaBP9HnUamcofKqqt - 1vI2BevsJfQ0rtTE6GWseHt702lllTGe3RnHWc6YsMWLwUfRdBPggMW37hAPPcfO - ytbU3RJIxx4vImRtXhkI5yvbpFQrooz1zSeXWaitPE5jmmiKe9IRStLnfiq9E2TS - XgFVuQM8K0LgUYEoAipvafhnC3ohfGsM2AYd36EoaMNLeQ2ZZEiV06/Y3EWoI0iM - aqRLwyBvTuDOc5BK32nCbAgUbbPJjPhqWaoNp5ymCBV76oW613gApkzoUF+OIUU= - =KKaI + hQIMA46L6MuPqfJqAQ/9G5pRNmw775xCYA+foCx9rM7eLXJFl2DjaI3a/O0yVc6t + 32xtPuaHwTnP00Pbbo5Vc9QG7k0Fr3Rgy+ep1lGzeCMoHwF9xk98LspDtYZoKopE + 6/L6KLldSauRv0rPVhCQHpZFsnx1VxaJiXn9vAW17+imC9SgqLYGWyrxAtLCOOqH + N68RnTsEDquXixEs82ao0EmQXPquimJgSx+xVSF4yitYYLLLHyUL+drMNuVb9q9Y + oAIdEL1svDIieTbTKGQUqZ8Alf8f/0cqPWpEkDwYIyB/i9KDkH5Oj7uBBRtVLGxQ + VxE32wO1xpXvKgUY2PhWD2rOBVDG8dW/hyqvc1WgIeo1A6FTq34b5dGC2lmTRngB + 9mBjUd59zeOvdXLmoGwXgbjVhpgnm/5wlUeiIC3xR9MjW3znRBT6ujCaglpAdXBC + 0AIugssGcuXbP9Tj5zMVlbdi2dj6Ylc8S1Tj/OjwxHCCj6AWRqpxN5vY28RiLFGy + +eAsryzPk6UTCPIydiWwsrP+w8EhbllFxzZM+Sn+fshAHdRug+EeyT3h5V5JF+Ko + BZCrZkwYqAcVkJjEYlukjvxVFvo+T6tRMz4F4yNgjqFjneUaeLCc6RllaT696H0Y + 8+lw5rK+XpcXBZqso6vsLChRdZQJjoj9lkjRDbmhOkaRglikC6Cx+mpY1/XnGvDS + XAFWOuNKjN/xIRtaDc6tmeWsKkuqghjHiMeRqw10/kTBjniMLLJIN9ssj4HjYqC3 + CsqyHqZmrbITUMr718gX1kkAvzF/fVAXT8YshOcK7rQbiMQJCZqeBp3fY7FC + =5yPR -----END PGP MESSAGE----- fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DQrf1tCqiJxoSAQdA8YKD21h5POTLPf04KvGN93omFgkYO+Y8Kc0jM0vdqm8w - 3zYRaLsDjdh8Zd89/HhHJUfLrTp/IJ0n81sK0ZjznbXKxgkseGthMzof+L7BnPAp - 0l4BnAs9iZS4q2LZVS7ySBP89xLmF97qhK2jagMNSAwq8Afxbcw8oQAVQmeyYfxx - X59irIHjI1ugO4o1WnTN67nTQjU5msbVBs0eALrw3jobzFHRL67fS0a4Soa59LTY - =ZHIU + hF4DQrf1tCqiJxoSAQdAfLqKILCrCv2s2V7bLntk5lHI6Dc1FQlCg3LAefc8oTIw + a3UZU3OajQ1CCIhhu02JSlTKZm2z+pZKVHy+s5EgCqwAWTfPNAnyPT0ZGrhIdcah + 0lwBdg2Tq3+Nhix1ZuA/mUgcrbRBcFKlHY+IGEgOHKLJld9UPF2xEjTX6nmLyuTR + 6x+HW/7vVuc/jcFeQEmokhQw/SICVdyD7NQua4k1agLkty3hGcm1XCsfyKfj+w== + =Bxf9 -----END PGP MESSAGE----- fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DzAGzViGx4qcSAQdAN7rRlv3dMoFOfj9eHgf+0H8521b32nWqySUdriEy6Tcw - gjuReMBpKQOgUfuhIiWkHIKNtNgMrYWiC20ESOXX5b9uYZNpqHCgHQPlX0lEeGim - 0lgBOieL7mSEq4wkWLCSv4sBAmkQA+dnugBeF+TrlqKQTZsbe/Z+jNG4ZrHRvdqi - 4I5It+uaRV9Vrul1c6H7fNreRPUd4hNyJwU7gZQ+vU2WyAmgqerxE1Wb - =gplT + hF4DzAGzViGx4qcSAQdAr2tfPiCpUkxFj4rgSiLf7y4iyKbsgEY87iYH3GAZTVcw + vK2YpjSVgFRoJNx9s3bFr+9UG0LFmKvDZEP83ThQizYs2I/N7MSU8ERRImshaQMH + 0lYB4At0RHC1mp8eKqhRgXenOtpfCiBACtlIdS9m1aqcU6i9Drgt86Bk/LC/HSvJ + MUOit2PP7QZVRWV6F8wAHlUFd6bdTKv9eOCZLSB6mY6DQmkp93FIMg== + =lQcB -----END PGP MESSAGE----- fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA2pVdGTIrZI+ARAAjWK8mU99VcnM/Ckzm+YsZFTwnz4PDAenDDdZ1OOz5IXe - tS4SQPcQlSSOuXEkFLJMmm8QVxtUC3Gh4nF7o+7OygT+0ZXOrB7jFgg10+v/KVA9 - hSlqBdsMxcC0OzBtkGyAOXOxqnTVubuHEGyGpIryHt1/lthUUZHBbjgw7P0Tw2/U - sYK5j5YbqhyBl20gyZorkTTq7pHfVXDVtpe75+ZkqbOg4S6HgW3/dl+v6N0TLfRs - GVl0fUlWIK/akGCB71zdwJs2I1qTeMTlL6v+XSUdXj0YV+5fjh3wf8qzN9geIjQK - ybxGFWDKCAgTMnqoFF5BCL23hFtnCbTtLN1wQT7/m7zpjaBKHOBXZOGXYZCMGZui - sBsUvPANgNdfOse9H2aABQvUQh8WqFw8S73GasvrZHAwEmvnXzocMJd+kUovzmQu - 9FBk5UkcgXfmxeamoP8C700vh4zI+sKz6uEW0+AuVtLlLVqlb2w21kTc+ArZW52n - HLolH5q3Wj6pKuuFCWKr6UgLFcq2w4QngB2p+UABHU3RbwXIra7prDXCUcNC5iCn - ElRFY7OZ3nbHOf9oaW/MitcfszVLyl0ueoay6qxdlIGdXKRGpqxHqqr+92INV/iz - 6CRoAsTqVq1a7ZuAaUdJPvfKVAHHEHjPwlrOc9cXvykG0iQKsRzgqiOtPiGQShnU - aAEJAhDSqCwywHDnQ7X9ZWIzPjwvqyHpEVez8zYh3vpgKpsLb9uL+JizZjV02HMe - nhiL+4o/aNjJgGJWph1uPFhU4wO4AavnNBsHbJSiL/1yTS96hdf8d+gB41yVLU3e - kBkDFLKkIBkU - =aRLd + hQIMA2pVdGTIrZI+ARAAjNHCArTtU9D8zw5yJzvf0KSwQoOaQWHui7AqQkvQ8mJv + 8+Vo9sb+JoSuFHQqqDbOU+VFpmc9CZ6HCJaWqO2gZVgjxrsrPgyfq795LBd6GhX5 + 6zwUH2huxv+n7XkfjN4HHJAlSj0pRyL3fyojdOdtXCTuBGbofLIBJUbuD1wro1K+ + nSHLvdBEitn8afKt5/SaatB8Prwyet6E6J4HluXFQjl+KdrRHHvXImmhNSR4yfIr + yQt2s8qapSvLhrUw9/GFXqM/jg4ZlDhPUhCAKI2Pr5PbsRMBqwdkSrDeB7MHdsU6 + tI4uyb7j8m3VMbFKNVpuluwgk47V+W/h+jtZetSR6ewYsXJjgHNmX6JX73XzR7R+ + q4EBfSAxR7ByZ/HHuumUH6BKBj8IcNJQwtEkLIZmLZ3OdFtJP3YY0esV+gEhG6K7 + m2Zl9C7axuYmvoLrqygaChmxMhMiebTPNkD/dH5Ircwl2cXfHC+bvF2WO73DTk9G + emHzrkniEtuUs+svMhT3NKM3/mpOJTiNezdH39HZADzkBwZ5Mmkfe4mbXByfRN7F + AEJWmnOcpXwXE9//sRbkRr+CGmB86raZE22wHPuk6U9IyVFJm8hJbOzFc7rwu1Eo + 0YWBCsc9dA+jH8hIKrIfXwqnfhYjTrX+oZJeK/8McOwfF7I2G9YrPAgwbokQmtLU + ZgEJAhC8ryOvXwp2kP9sv6nbXIEcwrX8lRjkEWduf6ZAWAfQ5FGBSPzR8WnZWGzN + PCxjg7utA9AHBChF1duwOV2Qr5XW8HTUGAx4fc0T0rjC862vSwf8yAY89WWJyUfk + n8qhhdw1uw== + =KgOe -----END PGP MESSAGE----- fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 - - created_at: "2026-05-23T20:58:22Z" + - created_at: "2026-05-25T17:17:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DKKbvh61jX5USAQdABId/P8ozRgJ4ItF1zvxp98aH+g3LZ6UGnxjYjtDxjEIw - VmyerznjOLnpz0EobXRRoot1Lo82Va64HQmXt26LG3gFY1HVp0WOnIZXa/CUoUb8 - 1GgBCQIQloFxKcgFTiRidaJfN7hSeQLleiEe3aifZUyJj8niTmBaY29t+CSoA46N - xZzX1AlxVjfmputhYdTyOYSJtGrj7otmnUN2P+55pjz4L2qCYAEKi1+ibqgpmJh/ - bETQsT6WKJ8FXA== - =Ci7L + hF4DKKbvh61jX5USAQdAYrtySnoCK7k4ZZIyllSAr23fozsiZb9Nf6Q+r56i3lAw + 7IxBdJc2ipMxafy1Ntq0wfAYYk7nY6Vz1XtB+ekVeYLOjDmHRnJWq/Jw0K8wLvWT + 1GYBCQIQ/0zDLdFOrMNjVPMutGVJOkpm7mbD30GpgRugzEf2NZePGtptqnP6i1t1 + izBqFRByftV1MUw1uWgTFgB8zEVDh6gG0QAYeRuu3NS9QhwR71Wlu2J4eu+VhZi7 + AKabk3T3Z00= + =A2ad -----END PGP MESSAGE----- fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49 unencrypted_suffix: _unencrypted diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index 90f2efd..740c7ba 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -74,6 +74,7 @@ ansible_pull_hosts: light: waybackproxy: yate: + z9-router: secrets_hosts: hosts: z9-router: From 0fef65b2c291d52bd124a8a73c125d9438a707fd Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Mon, 25 May 2026 19:50:01 +0200 Subject: [PATCH 05/16] z9-router(host): fix some spelling and a wireguard peer address --- resources/z9/z9-router/nftables/nftables.conf | 4 ++-- resources/z9/z9-router/systemd_networkd/10-wg55.netdev | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/resources/z9/z9-router/nftables/nftables.conf b/resources/z9/z9-router/nftables/nftables.conf index 842ca04..f639689 100644 --- a/resources/z9/z9-router/nftables/nftables.conf +++ b/resources/z9/z9-router/nftables/nftables.conf @@ -108,7 +108,7 @@ table inet forward { meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access" meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access" - # Allow clients and managment to most - iifname { $if_netlan_51_clients, $if_netlan_54_management, $if_wg55_management } oifname $lan_ifs accept comment "allow clients and managment to lan_ifs" + # Allow clients and management to most + iifname { $if_netlan_51_clients, $if_netlan_54_management, $if_wg55_management } oifname $lan_ifs accept comment "Allow clients and management to lan interfaces" } } diff --git a/resources/z9/z9-router/systemd_networkd/10-wg55.netdev b/resources/z9/z9-router/systemd_networkd/10-wg55.netdev index b3e41a6..f2de509 100644 --- a/resources/z9/z9-router/systemd_networkd/10-wg55.netdev +++ b/resources/z9/z9-router/systemd_networkd/10-wg55.netdev @@ -5,7 +5,7 @@ Name=wg55 [WireGuard] ListenPort=51820 -PrivateKeyFile=/etc/ansible_secrets/wireguard_wg55_privat_key +PrivateKeyFile=/etc/ansible_secrets/wireguard_wg55_private_key # WireGuard Peers @@ -75,7 +75,7 @@ PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_home_psk [WireGuardPeer] # friendly_name = lilly-lillysLaptop -AllowedIPs = 10.89.214.16/32 #,2a07:c481:1:37::/128 +AllowedIPs = 10.89.214.16/32,2a07:c481:1:37::16/128 PublicKey = IBsI+N8qUNpQnDc5HnqQ2Zo/1graFM0RMIecHmAF+Vk= [WireGuardPeer] From 9bff86df7fbe4ae1d2c1ade9f07a78a0bf0fc132 Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Mon, 25 May 2026 20:13:29 +0200 Subject: [PATCH 06/16] kea_dhcp(role): some fixes and removing arch part - remove tags from tasks - remove archlinux part - use debian default package for kea --- roles/kea_dhcp/defaults/main.yaml | 1 - roles/kea_dhcp/handlers/main.yml | 6 +-- roles/kea_dhcp/meta/argument_specs.yaml | 4 +- roles/kea_dhcp/tasks/install_archlinux.yml | 8 ---- roles/kea_dhcp/tasks/install_debian.yml | 39 +++++++++--------- roles/kea_dhcp/tasks/kea.yaml | 10 ++--- roles/kea_dhcp/tasks/main.yml | 6 --- roles/kea_dhcp/tasks/stork-agent.yaml | 47 +++------------------- 8 files changed, 34 insertions(+), 87 deletions(-) delete mode 100644 roles/kea_dhcp/tasks/install_archlinux.yml diff --git a/roles/kea_dhcp/defaults/main.yaml b/roles/kea_dhcp/defaults/main.yaml index 409f0a1..dc6453a 100644 --- a/roles/kea_dhcp/defaults/main.yaml +++ b/roles/kea_dhcp/defaults/main.yaml @@ -1,7 +1,6 @@ kea_dhcp__stork_agent: enable: false prometheus_only: true -kea_dhcp__version_repo: "kea-3-0" kea_dhcp__dns_servers: v6: - "2a07:c481:0:4::2" diff --git a/roles/kea_dhcp/handlers/main.yml b/roles/kea_dhcp/handlers/main.yml index 5b44d6e..d06aa1c 100644 --- a/roles/kea_dhcp/handlers/main.yml +++ b/roles/kea_dhcp/handlers/main.yml @@ -4,19 +4,19 @@ ansible.builtin.systemd_service: daemon_reload: true -- name: Kea_dhcp4.reloaded +- name: Kea_dhcp4.restarted ansible.builtin.service: name: kea-dhcp4 state: restarted enabled: true -- name: Kea_dhcp6.reloaded +- name: Kea_dhcp6.restarted ansible.builtin.service: name: kea-dhcp6 state: restarted enabled: true -- name: Kea_ctrl.reloaded +- name: Kea_ctrl.restarted ansible.builtin.systemd: name: kea-ctrl-agent state: restarted diff --git a/roles/kea_dhcp/meta/argument_specs.yaml b/roles/kea_dhcp/meta/argument_specs.yaml index 995b838..4d0d594 100644 --- a/roles/kea_dhcp/meta/argument_specs.yaml +++ b/roles/kea_dhcp/meta/argument_specs.yaml @@ -37,7 +37,7 @@ argument_specs: interfaces: type: "list" elements: "str" - default: [] + default: [ ] control-sockets: type: "list" elements: "dict" @@ -85,7 +85,7 @@ argument_specs: interfaces: type: "list" elements: "str" - default: [] + default: [ ] control-sockets: type: "list" elements: "dict" diff --git a/roles/kea_dhcp/tasks/install_archlinux.yml b/roles/kea_dhcp/tasks/install_archlinux.yml deleted file mode 100644 index 7bdb140..0000000 --- a/roles/kea_dhcp/tasks/install_archlinux.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Install Kea on Archlinux - when: ansible_facts['distribution'] == "Archlinux" - become: true - community.general.pacman: - name: kea - state: present - update_cache: false diff --git a/roles/kea_dhcp/tasks/install_debian.yml b/roles/kea_dhcp/tasks/install_debian.yml index 2ac2346..f897ddb 100644 --- a/roles/kea_dhcp/tasks/install_debian.yml +++ b/roles/kea_dhcp/tasks/install_debian.yml @@ -1,22 +1,25 @@ --- -- name: Register isc-kea apt repository - become: true - register: kea_dhcp_repo - when: ansible_facts['distribution'] == "Debian" - ansible.builtin.deb822_repository: - name: "isc-{{ kea_dhcp__version_repo }}" - uris: "https://dl.cloudsmith.io/public/isc/{{ kea_dhcp__version_repo }}/deb/debian" - suites: any-version - components: main - signed_by: "https://dl.cloudsmith.io/public/isc/{{ kea_dhcp__version_repo }}/gpg.key" - - name: Install Kea packages become: true when: ansible_facts['distribution'] == "Debian" - ansible.builtin.apt: - name: - - isc-kea-dhcp4 - - isc-kea-dhcp6 - - isc-kea-ctrl-agent - - isc-kea-admin - update_cache: "{{ kea_dhcp_install_repo.changed }}" + block: + - name: Install Kea dhcp4 + when: kea_dhcp__dhcp4.enable + ansible.builtin.apt: + name: + - isc-kea-dhcp4 + - name: Install Kea dhcp6 + when: kea_dhcp__dhcp6.enable + ansible.builtin.apt: + name: + - isc-kea-dhcp6 + - name: Install Kea ctrl agent + when: kea_dhcp__stork_agent.enable + ansible.builtin.apt: + name: + - isc-kea-ctrl-agent + - name: Install Kea admin + when: kea_dhcp__stork_agent.enable + ansible.builtin.apt: + name: + - isc-kea-admin diff --git a/roles/kea_dhcp/tasks/kea.yaml b/roles/kea_dhcp/tasks/kea.yaml index a4fd3b5..116c7dd 100644 --- a/roles/kea_dhcp/tasks/kea.yaml +++ b/roles/kea_dhcp/tasks/kea.yaml @@ -1,12 +1,10 @@ --- - name: Include config vars - tags: [ kea, include_vars ] when: kea_dhcp__include_vars is not None ansible.builtin.include_vars: file: "{{ kea_dhcp__include_vars }}" - name: Deploy kea-dhcp4 configuration file - tags: [ kea, dhcp4 ] become: true when: kea_dhcp__dhcp4.enable ansible.builtin.template: @@ -18,10 +16,9 @@ mode: "u=rw,g=r,o=" validate: kea-dhcp4 -T %s notify: - - Kea_dhcp4.reloaded + - Kea_dhcp4.restarted - name: Deploy kea-dhcp6 configuration file - tags: [ kea, dhcp6 ] become: true when: kea_dhcp__dhcp6.enable ansible.builtin.template: @@ -33,10 +30,9 @@ mode: "u=rw,g=r,o=" validate: kea-dhcp6 -T %s notify: - - Kea_dhcp6.reloaded + - Kea_dhcp6.restarted - name: Copy kea-ctrl-agent configuration file - tags: [ kea, ctrl-agent ] become: true when: kea_dhcp__stork_agent.enable ansible.builtin.template: @@ -47,5 +43,5 @@ mode: "u=rw,g=r,o=" validate: kea-ctrl-agent -t %s notify: - - Kea_ctrl.reloaded + - Kea_ctrl.restarted - Stork_agent.restarted diff --git a/roles/kea_dhcp/tasks/main.yml b/roles/kea_dhcp/tasks/main.yml index a3478fa..6fced08 100644 --- a/roles/kea_dhcp/tasks/main.yml +++ b/roles/kea_dhcp/tasks/main.yml @@ -1,11 +1,6 @@ --- - name: Setup Kea DHCP - tags: [kea, dhcp] block: - - name: Install Kea on Archlinux - when: ansible_facts['distribution'] == "Archlinux" - ansible.builtin.import_tasks: install_archlinux.yml - - name: Install Kea on Debian when: ansible_facts['distribution'] == "Debian" ansible.builtin.import_tasks: install_debian.yml @@ -14,6 +9,5 @@ ansible.builtin.include_tasks: kea.yaml - name: Run stork-agent tasks - tags: [stork-agent, monitoring] when: kea_dhcp__stork_agent.enable ansible.builtin.include_tasks: stork-agent.yaml diff --git a/roles/kea_dhcp/tasks/stork-agent.yaml b/roles/kea_dhcp/tasks/stork-agent.yaml index 916760c..0e777d4 100644 --- a/roles/kea_dhcp/tasks/stork-agent.yaml +++ b/roles/kea_dhcp/tasks/stork-agent.yaml @@ -1,55 +1,18 @@ --- - name: Install stork-agent - tags: [stork-agent] block: - - name: Install stork-agent on Archlinux - when: ansible_facts['distribution'] == "Archlinux" - tags: [stork-agent, archlinux] - block: - - name: Create stork-agent user - ansible.builtin.user: - name: stork-agent - create_home: false - home: "/var/lib/stork-agent" - shell: "/usr/bin/nologin" - system: true - groups: ["kea"] - append: true - - - name: Install stork-agent with aur_pkg_install - ansible.builtin.include_role: - name: aur_pkg_install - vars: - aur_pkg_install__pkg_name: "stork-agent" - aur_pkg_install__git_clone_url: "https://ansible:{{ secret__ansible_git_token }}@git.fux-eg.net/aur-mirror/stork-agent.git" - aur_pkg_install__git_ref: "bf96e34" - - - name: Install stork-agent on Debian + - name: Install isc-stork-agent when: ansible_facts['distribution'] == "Debian" - tags: [stork-agent, debian] - block: - - name: Register isc-stork apt repository - become: true - register: "kea_dhcp_install_repo" - ansible.builtin.deb822_repository: - name: isc-stork - uris: https://dl.cloudsmith.io/public/isc/stork/deb/debian - suites: any-version - components: main - signed_by: https://dl.cloudsmith.io/public/isc/stork/gpg.key - - - name: Install isc-stork-agent - become: true - ansible.builtin.apt: - name: isc-stork-agent - update_cache: "{{ kea_dhcp_install_repo.changed }}" + become: true + ansible.builtin.apt: + name: isc-stork-agent - name: Add stork-agent user to _kea group on Debian when: ansible_facts['distribution'] == "Debian" become: true ansible.builtin.user: name: stork-agent - groups: ["_kea"] + groups: [ "_kea" ] append: true - name: Config for stork-agent From 2798e9e01c7ae58938ae9601ffeadddd60a0b4d2 Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Mon, 25 May 2026 21:18:56 +0200 Subject: [PATCH 07/16] kea_dhcp(role): add README.md --- roles/kea_dhcp/README.md | 102 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 roles/kea_dhcp/README.md diff --git a/roles/kea_dhcp/README.md b/roles/kea_dhcp/README.md new file mode 100644 index 0000000..4071943 --- /dev/null +++ b/roles/kea_dhcp/README.md @@ -0,0 +1,102 @@ +# Role `kea_dhcp` + +Install and manage kea dhcp. + +## Supported Distributions + +Should work on Debian-based distributions. + +## Required Arguments + +None. + +## Optional Arguments + +- `kea_dhcp__stork_agent.enable`: Enable Kea DHCP stork agent. + Defaults to `false`. +- `kea_dhcp__stork_agent.prometheus_only`: Only enable the prometheus endpoint in stork agent. + Defaults to `true`. +- `kea_dhcp__dns_servers.v4`: List of IPv4 DNS Servers in DHCP response. + Defaults to FUX DNS Servers. +- `kea_dhcp__dns_servers.v6`: List of IPv6 DNS Servers in DHCP response. + Defaults to FUX DNS Servers. +- `kea_dhcp__include_vars`: Path to YAML File to separately load VARs for Kea config templating. +- `kea_dhcp__dhcp4.enable`: Enable Kea DHCP4 Service. + Defaults to `false`. +- `kea_dhcp__dhcp4.interfaces`: List of interfaces the DHCP4 Server should listen to and serve. + Defaults to the empty list (`[ ]`). +- `kea_dhcp__dhcp4.control-sockets`: List of Kea DHCP4 control sockets. + Defaults to the list with one entry (see below). +- `kea_dhcp__dhcp4.control-sockets.*.socket-name`: Control socket name. + Defaults to `kea_dhcp__dhcp4.control-sockets.0.socket-name: /var/run/kea-dhcp4-ctrl-agent.sock`. +- `kea_dhcp__dhcp4.control-sockets.*.socket-type`: Control socket type. + Defaults to `kea_dhcp__dhcp4.control-sockets.0.socket-type: unix`. +- `kea_dhcp__dhcp4.lease-database.type`: Type of lease database. + Defaults to `memfile`. +- `kea_dhcp__dhcp4.lease-database.persist`: Persist the lease database. + Defaults to `true`. +- `kea_dhcp__dhcp4.option-data`: List of DHCP4 Options. + Defaults to a list with one entry (see below). +- `kea_dhcp__dhcp4.option-data.*.name`: Name of DHCP4 Option. + Defaults to `kea_dhcp__dhcp4.option-data.0.name: "domain-name-servers"`. +- `kea_dhcp__dhcp4.option-data.*.code`: DHCP4 Option code. + Defaults to `kea_dhcp__dhcp4.option-data.0.code: 6`. +- `kea_dhcp__dhcp4.option-data.*.csv-format`: DHCP4 Option as csv format. + Defaults to `kea_dhcp__dhcp4.option-data.0.csv-format: true`. +- `kea_dhcp__dhcp4.option-data.*.data`: DHCP4 Option data. + Defaults to `kea_dhcp__dhcp4.option-data.0.data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}"`. +- `kea_dhcp__dhcp4.subnets`: List of subnets the DHCP4 server should manage. + Defaults to the empty list (`[ ]`). +- `kea_dhcp__dhcp4.subnets.*.id`: ID of interface (starts with 1). +- `kea_dhcp__dhcp4.subnets.*.subnet`: Subnet on interface. +- `kea_dhcp__dhcp4.subnets.*.pools`: List of DHCP pools in subnet. +- `kea_dhcp__dhcp4.subnets.*.pools.*.pool`: DHCP pool in range format. +- `kea_dhcp__dhcp4.subnets.*.reservations`: List of DHCP lease reservations. +- `kea_dhcp__dhcp4.subnets.*.reservations.*.ip-address`: IP address of reservation. +- `kea_dhcp__dhcp4.subnets.*.reservations.*.hostname`: Hostname of reservation. +- `kea_dhcp__dhcp4.subnets.*.reservations.*.hw-address`: Hardware address of reservation. +- `kea_dhcp__dhcp4.subnets.*.option-data`: List of DHCP lease reservations. +- `kea_dhcp__dhcp4.subnets.*.option-data.*.name`: Name of DHCP4 Option. +- `kea_dhcp__dhcp4.subnets.*.option-data.*.code`: DHCP4 Option code. +- `kea_dhcp__dhcp4.subnets.*.option-data.*.csv-format`: DHCP4 Option as csv format. +- `kea_dhcp__dhcp4.subnets.*.option-data.*.data`: DHCP4 Option data. +- `kea_dhcp__dhcp6.enable`: Enable Kea DHCP6 Service. + Defaults to `false`. +- `kea_dhcp__dhcp6.interfaces`: List of interfaces the DHCP6 Server should listen to and serve. + Defaults to the empty list (`[ ]`). +- `kea_dhcp__dhcp6.control-sockets`: List of Kea DHCP6 control sockets. + Defaults to the list with one entry (see below). +- `kea_dhcp__dhcp6.control-sockets.*.socket-name`: Control socket name. + Defaults to `kea_dhcp__dhcp6.control-sockets.0.socket-name: /var/run/kea-dhcp6-ctrl-agent.sock`. +- `kea_dhcp__dhcp6.control-sockets.*.socket-type`: Control socket type. + Defaults to `kea_dhcp__dhcp6.control-sockets.0.socket-type: unix`. +- `kea_dhcp__dhcp6.lease-database.type`: Type of lease database. + Defaults to `memfile`. +- `kea_dhcp__dhcp6.lease-database.persist`: Persist the lease database. + Defaults to `true`. +- `kea_dhcp__dhcp6.option-data`: List of DHCP6 Options. + Defaults to a list with one entry (see below). +- `kea_dhcp__dhcp6.option-data.*.name`: Name of DHCP6 Option. + Defaults to `kea_dhcp__dhcp6.option-data.0.name: "domain-name-servers"`. +- `kea_dhcp__dhcp6.option-data.*.code`: DHCP6 Option code. + Defaults to `kea_dhcp__dhcp6.option-data.0.code: 6`. +- `kea_dhcp__dhcp6.option-data.*.csv-format`: DHCP6 Option as csv format. + Defaults to `kea_dhcp__dhcp6.option-data.0.csv-format: true`. +- `kea_dhcp__dhcp6.option-data.*.data`: DHCP6 Option data. + Defaults to `kea_dhcp__dhcp6.option-data.0.data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}"`. +- `kea_dhcp__dhcp6.subnets`: List of subnets the DHCP6 server should manage. + Defaults to the empty list (`[ ]`). +- `kea_dhcp__dhcp6.subnets.*.id`: ID of interface (starts with 1). +- `kea_dhcp__dhcp6.subnets.*.subnet`: Subnet on interface. +- `kea_dhcp__dhcp6.subnets.*.pools`: List of DHCP pools in subnet. +- `kea_dhcp__dhcp6.subnets.*.pools.*.pool`: DHCP pool in range format. +- `kea_dhcp__dhcp6.subnets.*.reservations`: List of DHCP lease reservations. +- `kea_dhcp__dhcp6.subnets.*.reservations.*.ip-address`: IP address of reservation. +- `kea_dhcp__dhcp6.subnets.*.reservations.*.hostname`: Hostname of reservation. +- `kea_dhcp__dhcp6.subnets.*.reservations.*.hw-address`: Hardware address of reservation. +- `kea_dhcp__dhcp6.subnets.*.option-data`: List of DHCP lease reservations. +- `kea_dhcp__dhcp6.subnets.*.option-data.*.name`: Name of DHCP6 Option. +- `kea_dhcp__dhcp6.subnets.*.option-data.*.code`: DHCP6 Option code. +- `kea_dhcp__dhcp6.subnets.*.option-data.*.csv-format`: DHCP6 Option as csv format. +- `kea_dhcp__dhcp6.subnets.*.option-data.*.data`: DHCP6 Option data. + From 09a4869ac11feeb31a97aae61e13f83479757849 Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Mon, 25 May 2026 21:27:25 +0200 Subject: [PATCH 08/16] kea_dhcp(role): fix indentation in template --- roles/kea_dhcp/templates/kea-dhcp4.conf.jinja | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja b/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja index 78f06ae..fa7cfd5 100644 --- a/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja +++ b/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja @@ -3,12 +3,12 @@ "interfaces-config": { "interfaces": {{ kea_dhcp__dhcp4.interfaces | to_nice_json }} }, - "control-sockets": {{ kea_dhcp__dhcp4['control-sockets'] | to_nice_json }}, - "lease-database": {{ kea_dhcp__dhcp4['lease-database'] | to_nice_json }}, - {% if kea_dhcp__dhcp4['option-data'] is defined and kea_dhcp__dhcp4['option-data'] %} - "option-data": {{ kea_dhcp__dhcp4['option-data'] | to_nice_json }}, - {% endif %} - "subnet4": [ + "control-sockets": {{ kea_dhcp__dhcp4['control-sockets'] | to_nice_json }}, + "lease-database": {{ kea_dhcp__dhcp4['lease-database'] | to_nice_json }}, + {% if kea_dhcp__dhcp4['option-data'] is defined and kea_dhcp__dhcp4['option-data'] %} + "option-data": {{ kea_dhcp__dhcp4['option-data'] | to_nice_json }}, + {% endif %} + "subnet4": [ {% for subnet in kea_dhcp__dhcp4.subnets %} { "id": {{ subnet.id }}, From a19262eae0476a3c7bca25a644f25dc597d7bacb Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Tue, 26 May 2026 08:37:40 +0200 Subject: [PATCH 09/16] kea_dhcp(role): make stork-agent.env smaller and add link to documentation --- roles/kea_dhcp/README.md | 2 +- .../kea_dhcp/templates/stork-agent.env.jinja | 30 ++----------------- 2 files changed, 4 insertions(+), 28 deletions(-) diff --git a/roles/kea_dhcp/README.md b/roles/kea_dhcp/README.md index 4071943..9938cf9 100644 --- a/roles/kea_dhcp/README.md +++ b/roles/kea_dhcp/README.md @@ -1,6 +1,6 @@ # Role `kea_dhcp` -Install and manage kea dhcp. +Install and manage Kea DHCP and [Stork Agent](https://stork.readthedocs.io/en/latest/man/stork-agent.8.html). ## Supported Distributions diff --git a/roles/kea_dhcp/templates/stork-agent.env.jinja b/roles/kea_dhcp/templates/stork-agent.env.jinja index bdfa4d2..75250b0 100644 --- a/roles/kea_dhcp/templates/stork-agent.env.jinja +++ b/roles/kea_dhcp/templates/stork-agent.env.jinja @@ -1,11 +1,6 @@ -### the IP or hostname to listen on for incoming Stork server connections -# STORK_AGENT_HOST= +### Stork Agent env file +### (created and managed by ansible kea_dhcp role) -### the TCP port to listen on for incoming Stork server connections -# STORK_AGENT_PORT=8081 - -### listen for commands from the Stork server only, but not for Prometheus requests -# STORK_AGENT_LISTEN_STORK_ONLY=true {% if kea_dhcp__stork_agent.prometheus_only %} ### listen for Prometheus requests only, but not for commands from the Stork server @@ -14,31 +9,12 @@ STORK_AGENT_LISTEN_PROMETHEUS_ONLY=true ### settings for exporting stats to Prometheus ### the IP or hostname on which the agent exports Kea statistics to Prometheus -# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_ADDRESS= +STORK_AGENT_PROMETHEUS_KEA_EXPORTER_ADDRESS=localhost ### the port on which the agent exports Kea statistics to Prometheus # STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PORT= -## enable or disable collecting per-subnet stats from Kea -# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PER_SUBNET_STATS=true -### the IP or hostname on which the agent exports BIND 9 statistics to Prometheus -# STORK_AGENT_PROMETHEUS_BIND9_EXPORTER_ADDRESS= -### the port on which the agent exports BIND 9 statistics to Prometheus -# STORK_AGENT_PROMETHEUS_BIND9_EXPORTER_PORT= - -### Stork Server URL used by the agent to send REST commands to the server during agent registration -# STORK_AGENT_SERVER_URL= - -### skip TLS certificate verification when the Stork Agent connects -### to Kea over TLS and Kea uses self-signed certificates -# STORK_AGENT_SKIP_TLS_CERT_VERIFICATION=true - ### Logging parameters ### Set logging level. Supported values are: DEBUG, INFO, WARN, ERROR STORK_LOG_LEVEL=DEBUG -### disable output colorization -# CLICOLOR=false - -### path to the hook directory -# STORK_AGENT_HOOK_DIRECTORY= From 0a74ac02c21d35bc58a0d9bc48c54efcc08133fe Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Tue, 26 May 2026 10:06:52 +0200 Subject: [PATCH 10/16] unbound(role): use existing deploy_systemd_resolved_config role and some reordering --- inventories/z9/hosts.yaml | 3 +++ roles/unbound/handlers/main.yml | 7 ------ roles/unbound/tasks/main.yml | 24 +++---------------- roles/unbound/tasks/prometheus-exporter.yml | 8 ++++++- .../vars/deploy_systemd_resolved_config.yaml | 9 +++++++ 5 files changed, 22 insertions(+), 29 deletions(-) create mode 100644 roles/unbound/vars/deploy_systemd_resolved_config.yaml diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index 740c7ba..39fa97b 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -17,6 +17,9 @@ all: z9-router: ansible_host: z9-router.ccchh.net ansible_user: chaos +base_config_hosts: + hosts: + z9-router: certbot_hosts: hosts: dooris: diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml index e1345bf..222e8c5 100644 --- a/roles/unbound/handlers/main.yml +++ b/roles/unbound/handlers/main.yml @@ -18,10 +18,3 @@ name: prometheus-unbound-exporter.service state: restarted enabled: true - -- name: prometheus-unbound-exporter.enabled - become: true - ansible.builtin.systemd: - name: prometheus-unbound-exporter.service - enabled: true - daemon_reload: true diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 7ed42cb..eb88f93 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -7,11 +7,6 @@ ansible.builtin.package: name: unbound - - name: install extra dns tooling - become: true - ansible.builtin.package: - name: [ bind ] # the bind package includes tools like dig in archlinux - - name: ensure correct directory permissions become: true ansible.builtin.file: @@ -40,23 +35,10 @@ enabled: true - name: disable systemd-resolved - become: true when: unbound_disable_systemd_networkd - ansible.builtin.systemd: - name: systemd-resolved.service - state: stopped - enabled: false - - - name: configure system resolver to point to local unbound - become: true - when: unbound_disable_systemd_networkd - ansible.builtin.copy: - src: no-resolved.resolv.conf - dest: /etc/resolv.conf - owner: unbound - group: unbound - mode: u=rw,g=r,o=r - + ansible.builtin.include_role: + name: deploy_systemd_resolved_config + vars_from: deploy_systemd_resolved_config - name: install and configure prometheus-exporter for unbound ansible.builtin.import_tasks: prometheus-exporter.yml diff --git a/roles/unbound/tasks/prometheus-exporter.yml b/roles/unbound/tasks/prometheus-exporter.yml index d05b838..b794e07 100644 --- a/roles/unbound/tasks/prometheus-exporter.yml +++ b/roles/unbound/tasks/prometheus-exporter.yml @@ -3,7 +3,13 @@ become: true ansible.builtin.package: name: prometheus-unbound-exporter - notify: prometheus-unbound-exporter.enabled + +- name: enable unbound prometheus exporter + become: true + ansible.builtin.systemd: + name: prometheus-unbound-exporter.service + enabled: true + daemon_reload: true - name: configure unbound exporter become: true diff --git a/roles/unbound/vars/deploy_systemd_resolved_config.yaml b/roles/unbound/vars/deploy_systemd_resolved_config.yaml new file mode 100644 index 0000000..0da57c1 --- /dev/null +++ b/roles/unbound/vars/deploy_systemd_resolved_config.yaml @@ -0,0 +1,9 @@ +--- +deploy_systemd_resolved_config__enable: false +deploy_systemd_resolved_config__dns: + - 127.0.0.1 +deploy_systemd_resolved_config__fallback_dns: # Fux DNS Server + - 185.161.128.66 + - 2a07:c481:0:4::2 + - 185.161.128.67 + - 2a07:c481:0:4::3 From 84b1fa70cec9e7bea03e8b916707062431acd411 Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Tue, 26 May 2026 10:08:11 +0200 Subject: [PATCH 11/16] unbound(role): add FIXME note to unbound prometheus exporter install --- roles/unbound/tasks/prometheus-exporter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/unbound/tasks/prometheus-exporter.yml b/roles/unbound/tasks/prometheus-exporter.yml index b794e07..fba5090 100644 --- a/roles/unbound/tasks/prometheus-exporter.yml +++ b/roles/unbound/tasks/prometheus-exporter.yml @@ -1,5 +1,5 @@ --- -- name: install unbound prometheus exporter +- name: install unbound prometheus exporter # FIXME: there is no prometheus-unbound-exporter in debian .deb exists in https://github.com/letsencrypt/unbound_exporter/releases/tag/v0.6.0 become: true ansible.builtin.package: name: prometheus-unbound-exporter From bb127d13754e6f1f9438b174f4ccee71c0eb08f9 Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Tue, 26 May 2026 10:09:50 +0200 Subject: [PATCH 12/16] unbound(role): remove tags inside role --- roles/unbound/handlers/main.yml | 2 -- roles/unbound/tasks/main.yml | 1 - 2 files changed, 3 deletions(-) diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml index 222e8c5..09af699 100644 --- a/roles/unbound/handlers/main.yml +++ b/roles/unbound/handlers/main.yml @@ -1,12 +1,10 @@ - name: unbound.restarted - tags: [ unbound, dns, dns_resolver ] become: true ansible.builtin.systemd: name: unbound.service state: restarted - name: unbound.reloaded - tags: [ unbound, dns, dns_resolver ] become: true ansible.builtin.systemd: name: unbound.service diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index eb88f93..a4a6896 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -1,5 +1,4 @@ - name: unbound role main - tags: [ unbound, dns, dns_resolver ] block: - name: install unbound dns resolver From 960315d1826fabcc8441ce14f648fc268ac0db22 Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Tue, 26 May 2026 10:19:42 +0200 Subject: [PATCH 13/16] unbound(role): reformat config template and use all vcpus --- roles/unbound/templates/unbound.conf.j2 | 75 ++++++++++++------------- 1 file changed, 35 insertions(+), 40 deletions(-) diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2 index a1e310e..96aa9cd 100644 --- a/roles/unbound/templates/unbound.conf.j2 +++ b/roles/unbound/templates/unbound.conf.j2 @@ -1,22 +1,18 @@ # ref: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html # unbound.conf(5) man page server: - {% if unbound_enable_dnssec -%} - # disable chroot because unbound is the only thing running on the VM - # and because it has issues with how archlinux configures the systemd units write protection regarding the anchor file - chroot: "" - - # location of the trust anchor file that enables DNSSEC - # this file is generated by the `unbound-anchor` command - auto-trust-anchor-file: "/etc/unbound/trusted-key.key" - {% endif -%} + {% if unbound_enable_dnssec -%} + # location of the trust anchor file that enables DNSSEC + # this file is generated by the `unbound-anchor` command + auto-trust-anchor-file: "/etc/unbound/trusted-key.key" + {% endif -%} # use all CPUs - num-threads: 2 + num-threads: {{ ansible_facts['processor_vcpus'] }} # more cache memory - rrset-cache-size: 60m - msg-cache-size: 30m + rrset-cache-size: 60m + msg-cache-size: 30m # prefetch to keep the cache up to date prefetch: yes @@ -25,49 +21,48 @@ server: prefetch-key: yes # Faster UDP with multithreading (only on Linux). - so-reuseport: yes + so-reuseport: yes # disable special large send buffer handling and just use kernel defaults - so-sndbuf: 0 + so-sndbuf: 0 - # send minimal amount of information to upstream servers to enhance privacy - qname-minimisation: yes + # send minimal amount of information to upstream servers to enhance privacy + qname-minimisation: yes - # specify the interface to answer queries from by ip-address. - {% for i in unbound_bind_interfaces -%} - interface: "{{ i }}" - {% endfor %} + # specify the interface to answer queries from by ip-address. + {% for i in unbound_bind_interfaces -%} + interface: "{{ i }}" + {% endfor %} - # addresses from the IP range that are allowed to connect to the resolver - {% for i in unbound_access_control -%} - access-control: {{ i }} - {% endfor -%} + # addresses from the IP range that are allowed to connect to the resolver + {% for i in unbound_access_control -%} + access-control: {{ i }} + {% endfor -%} - {% for i in unbound_private_domain -%} - private-domain: {{ i }} - {% endfor -%} + {% for i in unbound_private_domain -%} + private-domain: {{ i }} + {% endfor -%} - # The number of seconds between printing statistics to the log for every thread. - statistics-interval: 0 + # The number of seconds between printing statistics to the log for every thread. + statistics-interval: 0 - # Extended statistics are printed, Keeping track of more statistics takes time. - extended-statistics: yes + # Extended statistics are printed, Keeping track of more statistics takes time. + extended-statistics: yes remote-control: - control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }} - control-interface: /run/unbound-control.sock + control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }} + control-interface: /run/unbound-control.sock # configure some zones for which this resolver will act authoritatively # https://www.dns.icann.org/services/axfr/ {% for i in [ ".", "in-addr.arpa.", "arpa.", "root-servers.net.", "ip6.arpa.", "ip6-servers.arpa.", "mcast.net." ] %} auth-zone: - name: "{{ i }}" - primary: "lax.xfr.dns.icann.org" - primary: "iad.xfr.dns.icann.org" - fallback-enabled: yes - for-downstream: no - for-upstream: yes - + name: "{{ i }}" + primary: "lax.xfr.dns.icann.org" + primary: "iad.xfr.dns.icann.org" + fallback-enabled: yes + for-downstream: no + for-upstream: yes {% endfor %} From c051fc63378cc7942b6ca0cd0f97181e4d5cb661 Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Tue, 26 May 2026 10:30:35 +0200 Subject: [PATCH 14/16] unbound(role): make unbound thread number configurable --- roles/unbound/README.md | 1 + roles/unbound/templates/unbound.conf.j2 | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/unbound/README.md b/roles/unbound/README.md index 806b9d8..c44805b 100644 --- a/roles/unbound/README.md +++ b/roles/unbound/README.md @@ -17,3 +17,4 @@ The following variables can be used to customize this role: | unbound_enable_dnssec | Boolean | `true` | Whether dnssec validation should be enabled | | unbound_access_control | List of Strings | `[]` | **Required** List of [unbound access control values](https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#:~:text=access-control:%20%3CIP%20netblock%3E%20%3Caction%3E) | | unbound_disable_systemd_networkd | Boolean | `true` | If true, systemd-networkd is disabled and the local system is pointed towards the configured dns resolver. | +| unbound_thread_count | Integer | Max vCPU Count | The number of threads unbound uses | diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2 index 96aa9cd..d9b612c 100644 --- a/roles/unbound/templates/unbound.conf.j2 +++ b/roles/unbound/templates/unbound.conf.j2 @@ -7,8 +7,8 @@ server: auto-trust-anchor-file: "/etc/unbound/trusted-key.key" {% endif -%} - # use all CPUs - num-threads: {{ ansible_facts['processor_vcpus'] }} + # num of threads + num-threads: {{ unbound_thread_count | default(ansible_facts['processor_vcpus']) }} # more cache memory rrset-cache-size: 60m From 57ae1456a07bbbaefddb9772af7ee36be5388722 Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Tue, 26 May 2026 10:43:56 +0200 Subject: [PATCH 15/16] unbound(role): move resolvd vars to task --- roles/unbound/tasks/main.yml | 5 ++++- roles/unbound/vars/deploy_systemd_resolved_config.yaml | 9 --------- 2 files changed, 4 insertions(+), 10 deletions(-) delete mode 100644 roles/unbound/vars/deploy_systemd_resolved_config.yaml diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index a4a6896..3b038c6 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -37,7 +37,10 @@ when: unbound_disable_systemd_networkd ansible.builtin.include_role: name: deploy_systemd_resolved_config - vars_from: deploy_systemd_resolved_config + vars: + deploy_systemd_resolved_config__enable: false + deploy_systemd_resolved_config__dns: + - 127.0.0.1 - name: install and configure prometheus-exporter for unbound ansible.builtin.import_tasks: prometheus-exporter.yml diff --git a/roles/unbound/vars/deploy_systemd_resolved_config.yaml b/roles/unbound/vars/deploy_systemd_resolved_config.yaml deleted file mode 100644 index 0da57c1..0000000 --- a/roles/unbound/vars/deploy_systemd_resolved_config.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -deploy_systemd_resolved_config__enable: false -deploy_systemd_resolved_config__dns: - - 127.0.0.1 -deploy_systemd_resolved_config__fallback_dns: # Fux DNS Server - - 185.161.128.66 - - 2a07:c481:0:4::2 - - 185.161.128.67 - - 2a07:c481:0:4::3 From a72accca201aff89b2bf95d72ed4e9551a4a2377 Mon Sep 17 00:00:00 2001 From: forestcat-admin Date: Wed, 27 May 2026 20:49:07 +0200 Subject: [PATCH 16/16] Add documentation style outline (#97) Reviewed-on: https://git.hamburg.ccc.de/CCCHH/ansible-infra/pulls/97 Reviewed-by: lilly --- .../documentation-structure.md | 103 +++++++++++++++++- docs/guides/writing-documentation.md | 2 +- mkdocs.yml | 1 + 3 files changed, 99 insertions(+), 7 deletions(-) diff --git a/docs/concepts-and-configurations/documentation-structure.md b/docs/concepts-and-configurations/documentation-structure.md index 0ca89d3..f5f4a21 100644 --- a/docs/concepts-and-configurations/documentation-structure.md +++ b/docs/concepts-and-configurations/documentation-structure.md @@ -5,12 +5,103 @@ summary: >- How our documentation is organized and what we do to balance ease of writing and understanding. --- -!!! info "ToDo" +!!! info "Info" - This section needs updating + If you're looking for a hands-on approach on how documentation is to be written you can find a [guide](../guides/writing-documentation.md) explaining the process. If you're unsure how to start you can find [templates](../guides/writing-documentation.md#3-addedit-your-markdown-file) there aswell. -- Docs should be english -- Guides are for step-by-step things - - Guides always have a "Goal" explicitly formulated -- Concepts and Configuration aim to make readers understand something in detail +## General Rules +These rules are general formatting and writing decisions that apply to every document. Their goal is to provide a concise style across the whole documentation to keep the text easy to follow. +- All documents written in this project should be written in **english** to maximize the compatability across readers. +- The documentation structure is intended to be followed, while not being **enforced** to keep a low entry barier for documentation authors. +- Use features like _Admonitions_ given by markdown and the theme whenever they can help by increasing the readability and outlining important parts. For instructions on how to use these theme specific features please refer down to the [MkDocs shadcn](https://asiffer.github.io/mkdocs-shadcn/) documentation. + +## Defining a Document Scope +The scope for a document should be set to define responsibility and set boundaries to where that document applies. Especially lining out which services are affected by it. It **does not** need to be defined explicitly in the text, but should be kept in mind while writing. + +!!! note "Example" + + The scope for this document is aiming to convey the base concepts on how to structure concepts and configurations in this documentation. To provide high readability and a project wide concise structure that authors and readers can rely on. + +We generally distinguish between concepts, configurations and guides in this documentation. Their separation should be clarified with folowing list: + +- **Concept:** A concept includes an abstract definition about a specific structure while not going into implementation details. It is a document intending to further abstract the understanding of structure. It can also go into detail about _why_ we do things a certain way. +- **Configuration:** A configuration can be a follow up of a concept, explaining the specific implementation in a given environment. +- **Guide:** A guide is a step-by-step hands-on instruction for the reader to follow along. It can reference concepts and configurations. The important difference to the other two document types is that guides are goal oriented. Understanding how things work is secondary to achieving a specific thing. + + +## Structuring Concepts + +!!! note "Goal" + + The goal for a concept is to provide the reader with a structured detailed explanation about an abstract concept, conveying why this concept was choosen and how it is intended to be used. + +### Describing the Concept +This section is a summary to give the reader a quick overview about the concept answering following questions: + +- What is this concept about? +- Why is this concept needed? +- What does this concept do? + +### Explaining the Concept +This section should be an in depth explanation about the concept, explaining the concept as detailed as needed for the reader to be able to transfer it into an implementation. The usage of graphs and diagrams is advised when they can help the reader understand the concept better. + +### Referencing additional Sources +This section should include sources to other documentations, concepts and hand-on guides which the reader can look up to futher explore the defined concept. + + +## Structuring Configurations + +!!! note "Goal" + + A configuration document is intended to provide the reader with examples and best practices for configuring a specific item. It focuses on the technical implementation rather than an abstract concept. + +### Describing the Configuration +This section should give the reader a quick overview which configuration files are being described. + +### Providing the Configuration +Here the author should provide configuration sections or full templates. The configurations don't have to be fully complete, they're rather a more structured view on which options are important and what to watch out for. + +### Discussing Authors Thoughts +A discussion why the author choose which configuration options and what to watch out for. Best practices should be taught here. This section can also link to outside sources. + +### Referencing Documentation +Here the author should provide upstream documentation which includes configuration options and further explanations why and how they are used. + + +## Structuring Guides + +!!! note "Goal" + + A guide intends to provide a hands-on approach to the reader which they can follow step-by-step to archive the guides defined goal. A good example for a guide can be found at [Writing Documentation](../guides/writing-documentation.md). + +### Defining the Goal +A guide should always have a goal defined in the beginning, using the _Admonition_ for a success box is highly advised. An example for a goal box is shown below: + +/// tab | Source + +```markdown +!!! success "Goal" + How to setup, write its baseline documentation in ansible, and deploy a service. +``` + +/// + +/// tab | Rendered + +!!! success "Goal" + How to setup, write its baseline documentation in ansible, and deploy a service. + +/// + +### Instructing the Reader +A guide should always have numbered instruction steps which are easy to follow. Important notices and information should written in _Admonitions_ as direct notices from the author to the reader. Dangerous steps or options should use a `danger` Admonition. + +### Closing Up +While this section is optional, a guide should be finished with steps and facts that can be checked by the reader to ensure that the guide worked as intended and all steps are completed correctly. + +## References +Here you can find useful documentation regarding writing documentation: + +- [MkDocs](https://www.mkdocs.org/user-guide/): This is the official mkdocs documentation, although it mostly explains configuring the mkdocs instance rather than explaining the usage. +- [MkDocs shadcn](https://asiffer.github.io/mkdocs-shadcn/): This is our theme for MkDocs which has its own syntax and quircks which can help writing more readable documentation diff --git a/docs/guides/writing-documentation.md b/docs/guides/writing-documentation.md index fd2681f..15fe254 100644 --- a/docs/guides/writing-documentation.md +++ b/docs/guides/writing-documentation.md @@ -38,7 +38,7 @@ Once you have cloned the repository, you can just edit a file in the [`docs/`](h ```shell uv venv uv pip install -r docs_requirements.txt - mkdocs serve + uv run mkdocs serve ``` When adding new content, you can use one of the templates below to get started: diff --git a/mkdocs.yml b/mkdocs.yml index 0ae452d..8158c75 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -9,6 +9,7 @@ markdown_extensions: - attr_list - codehilite - pymdownx.blocks.details + - pymdownx.blocks.tab - pymdownx.superfences: css_class: codehilite