CCCHH/ansible-infra
CCCHH/ansible-infra
2
2
Fork 1
Code Issues 7 Pull requests 9 Wiki Activity Actions

Compare commits

base: CCCHH:main
Branches Tags
CCCHH:main
CCCHH:new_ccchh_router
CCCHH:renovate/docker.io-pretalx-standalone-2026.x
CCCHH:renovate/docker.io-library-postgres-18.x
CCCHH:renovate/docker.io-library-mariadb-12.x
CCCHH:renovate/major-github-artifact-actions
CCCHH:renovate/docker.io-pretix-standalone-2026.x
CCCHH:renovate/docker.io-pretalx-standalone-2025.x
CCCHH:renovate/all-stable-minor-patch
CCCHH:docs-outline-style
CCCHH:alloy
CCCHH:old-dns-zones
..
compare: CCCHH:new_ccchh_router
Branches Tags
CCCHH:new_ccchh_router
CCCHH:renovate/docker.io-pretalx-standalone-2026.x
CCCHH:renovate/docker.io-library-postgres-18.x
CCCHH:renovate/docker.io-library-mariadb-12.x
CCCHH:renovate/major-github-artifact-actions
CCCHH:renovate/docker.io-pretix-standalone-2026.x
CCCHH:renovate/docker.io-pretalx-standalone-2025.x
CCCHH:renovate/all-stable-minor-patch
CCCHH:main
CCCHH:docs-outline-style
CCCHH:alloy
CCCHH:old-dns-zones

15 commits
main ... new_ccchh_

Author SHA1 Message Date
bitwhisker
57ae1456a0
 		unbound(role): move resolvd vars to task
Some checks failed
/ Ansible Lint (pull_request) Successful in 2m37s
Details
/ build (pull_request) Failing after 2m40s
Details
/ Ansible Lint (push) Successful in 2m21s
Details
2026-05-26 10:43:56 +02:00
bitwhisker
c051fc6337
 		unbound(role): make unbound thread number configurable
Some checks failed
/ Ansible Lint (pull_request) Failing after 2m34s
Details
/ Ansible Lint (push) Failing after 2m36s
Details
/ build (pull_request) Failing after 2m40s
Details
2026-05-26 10:30:35 +02:00
bitwhisker
960315d182
 		unbound(role): reformat config template and use all vcpus
Some checks failed
/ build (pull_request) Failing after 2m41s
Details
/ Ansible Lint (push) Failing after 2m44s
Details
/ Ansible Lint (pull_request) Failing after 2m44s
Details
2026-05-26 10:21:29 +02:00
bitwhisker
bb127d1375
 		unbound(role): remove tags inside role 2026-05-26 10:21:29 +02:00
bitwhisker
84b1fa70ce
 		unbound(role): add FIXME note to unbound prometheus exporter install 2026-05-26 10:21:29 +02:00
bitwhisker
0a74ac02c2
 		unbound(role): use existing deploy_systemd_resolved_config role and some reordering 2026-05-26 10:21:29 +02:00
bitwhisker
a19262eae0
 		kea_dhcp(role): make stork-agent.env smaller and add link to documentation 2026-05-26 10:21:29 +02:00
bitwhisker
09a4869ac1
 		kea_dhcp(role): fix indentation in template 2026-05-26 10:21:28 +02:00
bitwhisker
2798e9e01c
 		kea_dhcp(role): add README.md 2026-05-26 10:21:28 +02:00
bitwhisker
9bff86df7f
 		kea_dhcp(role): some fixes and removing arch part 
- remove tags from tasks
- remove archlinux part
- use debian default package for kea
 2026-05-26 10:21:28 +02:00
bitwhisker
0fef65b2c2
 		z9-router(host): fix some spelling and a wireguard peer address 2026-05-26 10:21:28 +02:00
bitwhisker
311a4114f9
 		z9-router(host): add ansible pull 2026-05-26 10:21:28 +02:00
bitwhisker
3a091f7aa5
 		z9-router(host): rename rt1 to z9-router 2026-05-26 10:21:28 +02:00
bitwhisker
bbf45e91f4
 		rt1(z9 host) unbound(role) kea_dhcp(role): create unbound and kea_dhcp role for rt1 
- create unbound role
- create kea_dhcp role
- configure unbound and keadhcp on rt1(z9 host)
 2026-05-26 10:21:28 +02:00
bitwhisker
2fc93e6e62
 		rt1(z9 host): create host and configure networkd and nftables 2026-05-26 10:21:27 +02:00
44 changed files with 1849 additions and 143 deletions
Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml
View file

@ -48,6 +48,7 @@ keys:
- &host_light_ansible_pull_age_key age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q - &host_light_ansible_pull_age_key age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q
- &host_waybackproxy_ansible_pull_age_key age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j - &host_waybackproxy_ansible_pull_age_key age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j
- &host_yate_ansible_pull_age_key age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22 - &host_yate_ansible_pull_age_key age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22
- &host_z9_router_ansible_pull_age_key age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp
creation_rules: creation_rules:
## group vars ## group vars
@ -241,6 +242,12 @@ creation_rules:
*admin_gpg_keys *admin_gpg_keys
age: age:
- *host_yate_ansible_pull_age_key - *host_yate_ansible_pull_age_key
- path_regex: "inventories/z9/host_vars/z9-router\\.sops\\..+"
key_groups:
- pgp:
*admin_gpg_keys
age:
- *host_z9_router_ansible_pull_age_key
# general # general
- path_regex: ".+\\.sops\\..+" - path_regex: ".+\\.sops\\..+"
key_groups: key_groups:

298
inventories/z9/group_vars/all.sops.yaml
View file

@ -2,213 +2,225 @@ metrics__chaos_password: ENC[AES256_GCM,data:seOU504dZ9K21+NK1MBf9isee2L2rueP6Bl
msmtp__smtp_password: ENC[AES256_GCM,data:FAih8FghRYDx3QGFCjKoJ8Zq0TkeCIx4n1jTx4/sASgECqvucg==,iv:8NDn3wj/bXsbHbuce3ycJTBVWde6XAVxv4NuMUkMbIM=,tag:jeE2b0i/8JPtguLYQvdV1w==,type:str] msmtp__smtp_password: ENC[AES256_GCM,data:FAih8FghRYDx3QGFCjKoJ8Zq0TkeCIx4n1jTx4/sASgECqvucg==,iv:8NDn3wj/bXsbHbuce3ycJTBVWde6XAVxv4NuMUkMbIM=,tag:jeE2b0i/8JPtguLYQvdV1w==,type:str]
sops: sops:
age: age:
- recipient: age1j0876shgsn7f2thxh9kx9x5uwnh45z6sy2jlk2qz5jhgedm26g5srn9kax - enc: |
enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VWJQWnBhcDc3VXh3TnMy YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTzAzaVFSRDQwN2llbmdl
RFljQU0vNS9iY3AvTWFraUxneHIremlDeUZvCmdzd0twWHZEdTZSbHpLbEpRRDNX alBBVDZwTWhWUkV2L3ZLZmNDUDRyTitDaFVzCkNRTEN4ODV5ekxRVlBZT3ZIM2pj
aGI4ZlczN0tFbC94TzJ4bm9aUjkwcVEKLS0tIHRGSGdkQkN6ZEVTUjl1cGhMZzVI Z0JxYUlobHZCeGxxNE9PcENkR2h2VDAKLS0tIFZiVXJHSU5naXhSSEFobVZBN1Rl
S2FtSktoWmF2TjZCZnNlYWpWYzQ4MzQKeK7f+UPSanQsOIXNjzZa9B5FafNFsN3W NnVDUVRyVWxlUnMydVhiQ2s0bGMzTGcKh97/UOPxrKieK5dKdGyRqCRi8Sm5UNcT
sjssDdbNQ1OEn2CLWRVQl1umKrADuvd85fMu3gUZrycZRDCCfsBzVg== I9jLCPqX8Utt0e2EEp+ivJwFxgo7QuNCYWu6jtPCO/Zmc5Q/2tJQ9Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q recipient: age1j0876shgsn7f2thxh9kx9x5uwnh45z6sy2jlk2qz5jhgedm26g5srn9kax
enc: | - enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkSmVEVyt3OCtvUUNqV2FR YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVUtpb0FmeUduNW9EdHJw
QW5WaDBFcnZVMTV3QWdSLzhxRENCdGNaVFU0CmxqM0xIWUVCSUwvY1pBVjQ0RCtq WEY0WllWdE8vRlVhODU1dUcxUnF3WE5mUG5vCnBQRlNkblNHbUFESXhvQ05YdGVW
T0psSG84VWdpY1dYa2doeFZXd2RKNVEKLS0tIGNFeDFRYzBDN3NWcnpUSVhEWitY UkhjdjdvclRmTk55UXRGRStXREFiVVkKLS0tIDlkMHhxVkxEK1BjV2orQUtndGc2
RXhLRkp3ajdlNGY4R3hRcWVSUU04T0UKdprDhBpp0aMc733Wx/K7hS/nLVohvlft Mk8rZm14SzFWTjJTanVXaE53UmViS28KQmnPfzLhgLasSuu1Aflp/JDWo1hqvYjb
N9aSQdcRoqT3/iMGu/6xdqbeq0/7a/U+6JvhYyWLkLsrzw2mlVRoIw== BijruPUZ3NuoZ4Wuo56FLlTLrch051fI3ottzy85FfX3lRnWZ2IK8g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j recipient: age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q
enc: | - enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWWM1WFdidkY4a2hLNm03 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQSm9FZ1VmVWhadldRY0JU
TGdNNE9ZK2lvelhYQndTYy9sUzM4TkN5elRZClJwQU1qeCtwUlFzeVE2d0FSSCsz c2R5d0tNMDV5U2tzbVorai91RTFyZFdUMWo0CmxLVUJYdVFUN296U3Q3MTJQM0JW
WTdzQWZLYXpqUHcxc3VEWHZvNmZibU0KLS0tIElCTWdraXRLcHNHMjR2eDVxVCta LzNTYlVVVitRYmk3azQ4VXBLWTZiZjQKLS0tIDhXdFZaK1BWVFp4M09jbk0zdGpF
bHhVdFpOdDB0eUR5d2hhdWJlcmJDMjgKBbVkm7LNwnoUVrUF3NPI7d25b6tAIr1t dGxmUUZkQS9sMXZoeTJETGpvQW5VQ0EK9Y/trD7VhjQnqY+KryPfEv1J/D4NCWsx
HelMjQU5YFM7DvRYFOlNpgO7WmddNSq3C6WYa8AZDGpsjc6GypcLVw== CHv0R1ps6A0qoRJzS1UNxU5bLXDX1RGQiU/arhJ7LXFxHrNOdObsZQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22 recipient: age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j
enc: | - enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTmRaRXorMzBQZWwyNFp5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBreTY4bzJ3T1FHOVdhS05v
VHdUUElyd1V2dUcvQ3k2STQ0d1QyMytsRG1BCm5CVCtRWU5FVmErQWl2N3Y4QTc1 dG40VWdVeWRpamdqd2ttajFJUjdYVHB0ZXdVCmk0UUJuRHdsUnE3ZThNakpwY3po
Mnh3K01QUnk2MGpSZk1NRVJWUlhFYWMKLS0tIEFOM0pMa3RVNUppS2xOakFVM1lR b3dtWXNNSUlvbzVHcXVIclNlaVNub00KLS0tIEMwL2FYcEZ1dkZ5MFl0S3pWSWFJ
cnlBL29XQVlsL1ZCenBIYTQ3S3JxQjQKq09vbn1XOC1jIXDpv+ThFMk9k7SyYknr NGdXVXA4UGJIOTN4UnhoMjRYaTRNWXMKGJNomXuB5TqXZKWk3Ub/rEc69CrfYABw
MBJRBp/0PrKBo/Xk+RCSWSLjgali5Cc8KTjDTJyBG8rFzzvLIazBRg== bBBidbCQBrv7cnsvjsVpHHGaTwyP9Nk1ceF/gbv9fD9gZ7dwt3SA1A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
recipient: age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrQWhjNHlDU0RKRmdKTzh0
M3dhOGcrc1N5SnozMHhSQWNUdERPSjRrZ3lZClBpd1lrbXY5OEVnMVgwTGl4YmUw
bWpJR0Z6RDZubG9lS1BIVnEvMWhEdlkKLS0tIFhSbVFhVnZIN2xETXlWNlh3TVVG
N1VTSWN3SEU5U2Uxc2lRUmwwaWc0L1UKfPWAEs93dF10GZdlQt3yeDltk/9Djmuh
3ZeGLgkOjcJPXO2hFQMZoJY7a2ZRIxN5Oa8PGwuy7DEtmQ9PdP/mbg==
-----END AGE ENCRYPTED FILE-----
recipient: age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp
lastmodified: "2026-05-23T22:10:20Z" lastmodified: "2026-05-23T22:10:20Z"
mac: ENC[AES256_GCM,data:JbnKG1qyAkvFDXr2iHu+gk7nRjedmm+dEK8vBFW5YzndWE4QKoYWeaqRHBk7wdWO9kpZgU2rFiu4Be+ikotoMS8jKAcd5wWSrWtSreaZxxiD2TWMWX8HwPtETnYe0rjrEZ3kPcUj4QPyNTphfbH3ARLjthedRXNF70NDc+DIpAY=,iv:4LN3oslWUWqoY3rQNVDSmlJn1o0c8JQELzsWd5btn7Y=,tag:c8X1q9XMMUkXed93j9C6ww==,type:str] mac: ENC[AES256_GCM,data:JbnKG1qyAkvFDXr2iHu+gk7nRjedmm+dEK8vBFW5YzndWE4QKoYWeaqRHBk7wdWO9kpZgU2rFiu4Be+ikotoMS8jKAcd5wWSrWtSreaZxxiD2TWMWX8HwPtETnYe0rjrEZ3kPcUj4QPyNTphfbH3ARLjthedRXNF70NDc+DIpAY=,iv:4LN3oslWUWqoY3rQNVDSmlJn1o0c8JQELzsWd5btn7Y=,tag:c8X1q9XMMUkXed93j9C6ww==,type:str]
pgp: pgp:
- created_at: "2026-05-20T02:08:49Z" - created_at: "2026-05-25T17:17:13Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMAxK/JaB2/SdtAQ//VIMBtLL8lhncJeItw53fQW4Lia0hs84yuKLuSBucNXhy hQIMAxK/JaB2/SdtAQ//cayg/ELKtybgayA4z+xOUK10zQJDE/U43BcPRMrBN0+x
x3LT5r21C5CZ+JnucrGPxur4clsLnDnng2CgyWhksJNknk6smQIq3ZhyBd/OJzS4 VLu/C96Eom/dJN62SM2QamThHu454HMZj1PjDynMUzgfVqXEg/eG45bBBweWrI65
zNGUJIbitJsDaKjTrYDCdsQ3KVcRBDMu3ow7vzeP4wnL4qU5fUuQ7S2rK6a1hfMB s0tuzLmsqpdt9TJ5t0znliL2DYS3MPfmYRNbAsYsCbQd4I0YpxdzQwTvURdzjpUG
eTQmn4wD/Rl+Q0AWEo2V/X8UgchwGPeuOXfju2t9+1UVE0kUJdXw/JIrGyR8XrYM nVBUfzfcYH1Yqq8BVtR40MKfa/DbOsJGENHtpkQ9UDAa3gwVQs0NyZRQzg5w364C
6ZGXB3mPnlZTZjqhXVSFSSOUTRYu/0g+s/JuDLpgl8gVP+oDvSCPrB2pDNK+o2Oo UvItYlU77ZCKPkyOQuciLn4sM5poihu3UNWp855QsDK6fZVuxPTS4Cn54cfwdOTe
VbQbJMg6lMbIuewd0ZTTeCv/TFU9O51RtkFyxHIEW7dVelDrNkuciAG1mDUHFUUw rL/ZQjLcHJ7PRmZUiWR6GVNDrY55u7zhORD4b8BgrpWW4hhxpp/ENjnRmNt8jKR2
MHeWDjngeCzr1hj1Z78P1bvR7I2pqBQiWT+d/e50S5quNRVjtLVEjuU7r1eKiPDu dJ/5/uC4HBX0fM3mbfpUn19BxCk9+gFPmNUOUZ93UxpQ28l1lZxeiLBOHAw1srEs
pL1lYJZZu5+uY1nWE4qeJiI1KambjP9/C+RUCF38yT1wNvxrbwsM9haXGbI3t2cU 7ZfFrJ0osedPGHu8rVOe93DCAtb/oNxr1xvGuDK/licRkEh8t8cvuoVsVhYFjNBc
X/RRpK5VKKKwbBqyQmkZX7xaDR13hLF2vLtdVw6L9nYVVactfnFr9HKDV95HUnhO UKXIPrhvuSj69c3OiHa+u9fNZJX2XAi0oOcZqGp+sQCCgUCA15I5QiqTpalCSTKt
uevmzu+ShtAt9FMXz86dLYmBx90A2BSWxb6sKvZkG8UDY+vVT1K0gNK4kwxR9rKt /Stoj9BsmlSiy8YD2XBjmzHHVxJHfl8XHcuONKc3e4UmVjKlzkzc0bI73Y6XiEvt
LFzCq1a3ftx3UvrNMCwaboGQZLpRtiKr0lNQvGLpH/SRDZ2HksinV16FNVuN74HS zRIUmWxfvAvqP/zPcMSwaZke5h7N7ywKcjM+RHB4NqRUVYlBNwIWXvi7f5BdLhrU
XgG5HnRO9/lkL2Bn+ms7Q6+ki9QmC21FlLGJOBQIi+VHNVwy6J8XQlrs5NZPy6Ib aAEJAhBcA//3NJxuDzlf1zoXGKOhGIwNv5/Qb1n13OKIT2s0nfbqEHgAUm+tX3gk
LmWIV6BdIRejCAITlVeBRBpXymdUBicPLa/VQMK2s9L3SS7MUcv+4j+vje9YR5M= VKKMqFuVmq2mkAaxXWFq20VC6djTJJS1QOaNsc6x3bJ6iDtYV19Ddn/20jbmbqmn
=IEFm XbCDvb50nubC
=ZByJ
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70 fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2026-05-20T02:08:49Z" - created_at: "2026-05-25T17:17:13Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQEMA1QflAioE8i3AQf7BB0RdJbe8Ro2Fv4Phw+VaR0rUIuQKWOb7zf3/9YCbV2w hQEMA1QflAioE8i3AQgAm+iazJdcOXiq08MvSGMQ9/NAvrgcDav4561Hew23n4Ms
rICGVIx7V1vJF5R5RgSfk0RDrLN3Pfoq/7Jfkq6bMoHIVCHSFdryHfjG5Dgm49Xv tKC5VLXf3l1f6yjhBZy6mnslYOWWdJ+X4XK0OqWkRr/t7zxEK4M6PC6g1W5hkaFU
gDZ2CPAHPn15mG0Rr/67YUWsC2Jy4y6/JY478wzYu4Og9IkxkeBd6ufBFB6bTn4H +9DrkBLKss8atz3EhexK6GeljTuRpVWM629BtvMPBo/41eyue78TLf81vCkbUJkC
qB7B2hfkyQzA66zoxc0r2O1mchbJ3A4pVJw0v2I/sWCiZoJQKmt8ksoEK8BAQCWC UpeB4alsETvD9Oz0ZRT8fipuXzdpGSjobOIgQa9bKwFMXXGY2fwBuKW8gVtSgbXP
E8sozb2opRzFaUCZSNEdhz/rnbV8u5wW378kd8kHSOlWxaFZNkWUP42YQiNTkd9/ mKwqvGaSdHz30BxQExmLne5ERKHOvzac2woG5tOmKPaihg8pbvuq/VjS2K0mzS5q
YpxxGvwCTIpHGAYFtU7CV7QfQHzTuAOz7ZElPZsYkdJeAZCwUFO24nzwpxYS43AV cbwyq/u4d5fGEFQYqMARW1aiyo3NjYk4xWDcGo5Ql9JeAdwhj3Wgm1wccULt2Hj7
29IHXvlKAQkjJunix0bPGcE3D6T8CUs0wXL2sUSDcvgOOQZSezRn4UNEqFCftjJ4 z/V1utNINoB0bPFb8ZQMmPpwAeH6nnoqjWmmoRSW0tL/EaPh5xQXdEuU+DloT5f+
Gmldo/baMO2Y054/iA0jvNmHRk6sJCY8aRYv9m5Fqg== k8c2KQC+v4bh6BMUcycAeIG/h4vKsgz/Jc6BWKKD2g==
=n7Qb =G51B
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7 fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7
- created_at: "2026-05-20T02:08:49Z" - created_at: "2026-05-25T17:17:13Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJARAA4zyDJtNqK5w6QPYMyEtjuoAmva91yLA4oAU/diRpFXHx hQIMAz5uSgHG2iMJAQ/+NjXRTghMiYErsXenuJRaWdwHZ+6DkkG8nC5b+Aigljgu
D4UzksW8moYqmaiWblFy1HeQJFwZWrxnXeqg9B7PFOkhriIG7al4DpV2wXoCjami OJg5UQgYtX5W5T79uUuEh5BWKO5bMHBwDNHQC7Hn1FseYgrOxcoSYOsewlb8t2QH
DIkewGoeZjTbPNxsDVl0SbDafCARQFnQ8LNTmM2hi2X/ACg+c8mSM7eK6C3mh8yG fqGLLhv82nRnU0nTs8W/yvrBH/ub0kAtuko1jkPSAWnoonmeEW970iLVIF9lCVYJ
Bo2EsuCnIqzwzV6XbGCKnfOUh0QekWM7Jc/e3oYGSgCP2N5wb2PLVsW1220qdPvo idF+DDSiic9RDpHd4Csuxdv+1Q8OcaOW1HVAUrfrKOvC17sawd1Cat2DWC8EcOVD
8D1l5cDVj2Pgq7fnfbxZGJYSfdgJb1YweH8mjHk3gHU68AGeeSkV+VwcBGV2HObg clNn6A91FBCTxVnxwM4j2J/NXP1JRIGnlxaa4lATQMiX8lfheu0LyEpsFZai55RC
hKSbVWcyGAHrP1ppCNyXr5ZkBgyvdB/EjxjLqTLq7sdTnqjLLbMLgi9CCI0NuDMI dq20HWqPgYHiamp6eGQ+Uqe5edx6F5YX/25S2Jfrx4D5vRh0PFx6blY0kgZJp16a
jfgMjOdaImjUvvr8lCl7dOMyp9wc6ks0bwRbfG3AMLGKWeR+un3uaDYujD0bQLqZ ywNiMtLPh7HjOMbB1v7bcWtIDWrIhWDtyJ7axny8sMamCLCPOwPpPvdL/B5YOntm
m0g5mx1wHxNCJIb2ZQ6UVjDlnatTYGBnxEupqxr9PFyny0MRhaiYkuDIh4tHW3nH +0wMXHXCLCaljzsa5GFIyVYj3pTY/6O0Fgkv+6ow08ndPjsViHNikufCSW0ueIFF
xyCHN9QIO2/EktLkM4wcfhOeVgdpfvKgT+cMG9kS/yfInZ5ZAGvXznzvfNZZtKDL ehv0V2+AHhedoHChFZI/DEbGzIKVcr7JAA+GHAIWcklg7O5hss+/rr7nYxVB0A+t
fLvvF5AqYbN05c0h56WJa65tIT75P2wI6ZBncCSLqSAzyXWlZFV6UBP+5QLEkQaE Sfp5kVMInLpCPLRm2retun3zPF8+R0kN/ZrkLy02K7z4rrD8wVE5QUvSCWbpKdfS
WtY8y2907OAx1v8g6vc5v5oHMqfwfWC4nuFbkoJo/ZbfvtDWq4eFZfkUKY3Au5LS deWIy4lp9wRXSunag1/CxqvrH3ZszlxSZPEQkC4hez+xOS//L/5QsiP52SavB9PS
XgE/l6NTtWknF4nPYIRaibum4527ke053JdD/50eqfuRv8MFIHbRPfWE4lE6lgev XgHvkL3slXXsdnIgm3cYnHqEBf2rXLQR/ZTzusXMLEBaGCd9JB33T/Lz+TUftCUI
+/j0Ef9sYRu726Sv3wAgT7K6PmCFsLN1319OmjkZpBAJiNsxx9qwXyqgTpTvb34= xxLwzFvm+dEvQ6bOB6/OvSMBIsvVzMZxaIblwZRdIYfQovEdKLCRc+F4lTqV8fE=
=Hr9J =1lXS
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-05-20T02:08:49Z" - created_at: "2026-05-25T17:17:13Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4DsZXvxFXTXoQSAQdAp7TsXm2MaBAh0qB3eOjtFuegcEsmtdQHsMP0rs0N/m0w hF4DsZXvxFXTXoQSAQdAJAr+RX2f5gW5PpXJ/WA+1qMPFjuWuDccIk1ecWzc4kEw
bbbzXLwq1TGL82l5Qon4NnX9Jg5gXnKydWOiKWhxCsQ0iHJ7eupJLxyfDD/kzga+ sNH69jVC0JL7l5RMrJTAaY0GRTMrJffoz28JxpVbUVFEpeHsd+myGCcD1jZyS1MX
0l4BRUpbBFslWWa8Fb7zfNA7kslhkaQIJAmN92Yh/2NdkpmNEpMMaIrx2p2jK4Iz 0l4BllCKEsOVnEKKxOscOIctaIw8/MDNnLSoP04JI2xVKKThor+UwUhRzg+fVwxH
mwGUQlUz4ZkK10xy+9LMaAtmLhBJgBhDTKKzw7OAsRAnASq2gXA/4wqEVgBU9BxB uEiHsx0xA/q0HVXhTNIvIWn0CKx/4uV8JwVa9JqjSSyQVm8PBwU+UTfXMQ5VcuHv
=tBBK =uxSy
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE
- created_at: "2026-05-20T02:08:49Z" - created_at: "2026-05-25T17:17:13Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4DerEtaFuTeewSAQdAlBZhTjLL3YPqorSXq0jet/0CXmeZeLL8inGvm/HgmgIw hF4DerEtaFuTeewSAQdA2k3VLlMvCocHQ1ULFwTJKqscSb2FScq8A2I1TIdlfXAw
aplmjWHB80err0ffZeRfcvqx9DGujpwlgoFGDxjqn4LIqoNg6YK/VfFb9pXUvIOv jWLzGphdsfHuNBEsocoixm4nKAdhjgBsud2rfYkuwxpqX2MlBr6ikpN73dXlHtt2
0l4B9xQ4DlaYOX1egCQUBw3KcdcnNlcEZwTOwTKn0Hg3gXp0u3TYlJFZAchw2G+l 0l4BkUvmqlioN961OV7nssbeQLzb49C9Gzm5S1dQqBQVCt/7qGodTHHiQON7bYJp
XJjlWiwJN2gKfEG7hrtZ7MJkYJFsqMFa1aC1oWHduxU4jmdRdQqdIaQDsqkcqJc3 +OgUaI6bKZjd9Lhm/u98dTH2cdPm1B5bUQPDzptWX5vG8euzBQxXc7OrGsTFyYME
=KNVY =e/rg
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-05-20T02:08:49Z" - created_at: "2026-05-25T17:17:13Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fARAAhSBdgW04fKM8tAU8sC6h8/4e0Io3W/D2l6P7nZiD9WVR hQIMAxjNhCKPP69fAQ//VLyOILC6lpvlq0W7NeYfUzL7KtKYXVDF7aSQ/b6Vn7Of
2pUqS12mlNCoRt1I2empyJ5vm1wjor34BCuSCiyfLQ1WIlBJlDro96ygpsHZGmam ggc9n40n6FkMJqknhbvSnhhlFdzVOCZkLy/hinNk+jF2POBlLbzBjCuzQSP+ZDyC
tNcrgwc7y6rg4ycqUWr+H+WVZ0kw1IYYKbfAjMAJF5lQqzz+VMvET9BbmvA595MO Dll2UJ/khITd+tQ4zwrFLpixr518Fgcj8NOgtljUovxR1bGIzYogpmiVFJEd0cT4
l/dnMColnjxxBiYBIzO7mnli+uqRHB79rM2VVlrqoT+C2s9zuPfpJfY0PJaCbbdg k7ldv5WbZtB2UprhPPpNe+98BaUvuSvA9RWCogaBbuQpY2p3g9t9Zo58spOawbP4
BlffAMqs9m2JZdDr2r0lrN/jyLUB2d3l9NCcF6UYP6tjgZsKmHv/JxSgXLf6IklE ccz7Pu03Esy3cenlnCt3G7gl19viIh+wHKrIXPa8dGO6TEsrRMPT0tNEs8iUJyDO
wolO04qgDRK7jeO2UGEniweVQNi7hqA4vkp2TskGbfVsS10PyLYKw4N19GedLS3c TNEgo6+yxQ2p+08EzAh0BCRwljqnPLjS/h2s2s208Z5rBOCpLY9RuoXz7JRvZ06p
ZxRGde42Fze/PrccWq8bGdOfWhPBo2/MEyqVW4lgTeCCwrFRO3UNyYcWo7cmaN1q gBgPFSIH12VBGjfqCB1uZIatbtLQLjOo6+UU0evM65WhKw3//tUnLrox1reoiRzO
lz7uaV6ffqbUDJSkjkphvxnJtuX62x9Uv/wcwrJuZUarSNclQ0nQV/e5wc7SzPgM ro4JuytP+f4PylQRsr3jOYKRKCBzoZOOPZbVEpwQeBOe9zzxDgVQqHgVDDZQzCcw
B+GLeR4tnconDZGFq8q+KKuHe7MSx2uwiZsJIVXohcZwhkd9wk5YQBPc8i4aP0NQ VTHCrs4XVHxPH0aRMlS4A80xbH7VncYbcbf8a6VrTpnPflv0OryWMWDqLBzmIPgM
wsb+QptuM8VpCEVAwKOUjp7IRRfUyqAIlmIRDkTijmHknSmI9HZXPyCvTLoy1Szf W1Bz/hq/o6br+g4uAKjt4GTdTwWYxptA5L84aMoihpXRu0MaPhG+7MRsXpEa/+Ll
KDrN1MAma6b4gsru1fFnVizXQyZozl5RVZFP2Uv+ndugdvRE5sv5aevlzgaWFg3S +ybl2DLpm6zm0iixkJuxwtOdQOGjqJqC/GLw/EZJTt2aO+ZUb8dLrChNmR7HJAjS
XgFqaFwId78UDNTrxcs4EzjHmlwg4E05G9pUqbA9zBDdCqwlD4+6CfAgQ46A6ptY XgGBpFYao1AQqLZU3c+5B2/9/3rtOoVX1DQXhUsji5NkaHyYO8usauj9evPUf4qx
5p2QQJ3KXgJXrtlJySq8piReyq3mpagtWZJfAazovJA/ZF4o/xs9ZIu/q3qxHSE= FAQRWua5/zp/cTlNWU3GknqtJ1G0g1mrkiVeBZCRxIK2Iyvyav7RALJ1jlkyW5c=
=nR8y =meb0
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-05-20T02:08:49Z" - created_at: "2026-05-25T17:17:13Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqARAAjpM3MO83b2EUtzyZs66HWH6Kd60rl3QODTqs4PQm1cH5 hQIMA46L6MuPqfJqAQ/+NK0D10olgDK4KcArzoMtrJR7qwbrceSeKwaQGsUB1+RZ
HdzfVJ2IDo1y+FMTMmfJov6xBqnlalNaOvg8XFAkKTUkZgUHRW/q1WXP4FywTWmP xv6pZJ0zyw7McTuUV2I4bLYHy/TffSyJk5vLSSTGFXgHVdfKmjvm7VDEp5d2uKku
aJV47x4dOQXQgj/i/ykMspUgsxA5049/nG1y06Wsm2agLO3KjL6KIJAx0LI28XPU GW3Qh73quldfhd5GjO+F9V/S3rCysrNMpTmPnR5ha877FKGtc8168XRhIpe/1+mP
qA/NFtfNuEAv7DGS2LGz1+X1hnRYcBX/oUgpihzActWmMORD6VS7xZGcMdF2/+Ex mvlE6h0Xizbx9myGR+ie17nHpoH+tjTtQFH640s38+xDgH6AozwWGUe/g5TdLaLJ
OCDAnwT0cBSAihBSLTmEMJ4xfmMG228nbLqm9r/gELgVIsIL5hXWz0CtxaewwLQQ 8SKHyQnS8hOHQDkttvhWRbyhKa8WuGyOKSjuQ81HIv+/UPxh1fs7vovPHM8rtIyy
XFMm/ZV/G6bZKRJzKPOR9EcPMF7Z+nnBts9wKNlE+WA32p7zu7hjvEFZhLiDKYlN xGcWPzUeoKQiV2nyXUP3BqglhOhD1vokh3ejDcxwWWKuyASCSXhhvW7KMsV3Stdd
+nFcx/rvyWB6sbFK0xn2x5MonxWNVUy58PnqGWmPi2VtXT1al1zSAoKAgg8Xdw21 E3O1nyOi4+2I2E4TQo0NLt5mTJonPbvSn4IvV0LuatrG902UeNNZRRwQv3ZrVp6f
PQENtxqeUSLXXb0SZXFptMmYStwqoaFusLOCLW42DogFU246o14veDDtsS619T5G G2ZJ9HNSs+Tp9H8cJzBGjDBYjC6/d3GGWi7N/5G/n6C7T6W81BgO8UiQOleEDF1c
RrszsNg543i3ra7MIm99YRXyniUaDp5VlKufPkWRexIT5YZYalOLtdLcaTTzfr7J Bi6NPNeoGL8fivVGlGTHpLcpPpbYz+1ynsFs1ho4+v5bHS5w+UfvVvQC7dlDKmR0
x4PNVOK2ddtmlKbbakvvmPWS3iBEUGMqw69dPhEdpY8yy7HJ2jpXX7TiezNqGJ9w fUAkllcxLSnzKkpKis1HF+Gp+lSNc75/BzOeTA2gS3c8H9jMuncRolndPX1rVJA3
XqtI9RJmWrr0/zSoim0EpHDwXZhSf7YVcwTs0XCtwrXcQT6DLaZJr8cny/G1ErLS mrLiQE/Mja9NaYHzUROKIHDEUOQ1ZzvpcRduggvfj6Gb2wzNdUdR5QrXnLeI2jbS
XgEdnUqFpB1D0bacmRpfHA3PLZJd/x0QfwZ/b7gzz3f1xRfMXgnsM4iYu1S8+VAW XgHO7Jr0HrHzr/+p+w89U+uH4b7onseYDiAjfLjAZpcYwkzuy7b2ZUmpLq1BjZRo
Dy21iVFZledWfrmuXh/PkLFftLipYK6tc0n922kFFxCn/xSP0yx9qKlNwzyduNI= zs+rSqv4BP0Xa7LNIFrHj4OeL9ivwP7Kw/Tb36hU8DJ8xDfilx81n69Fer/cJ8Y=
=4+Bv =BNfm
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-05-20T02:08:49Z" - created_at: "2026-05-25T17:17:13Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdActtZQL4KWrCP8UUZa/fLeDltuNV9JjxTYiI9upoH12Qw hF4DQrf1tCqiJxoSAQdA7az9ylWMB3fWHwSVRmU8Gu4Qnd6HIyMuiG46weuS/Cww
6n8EBLgKKNw1Hsb40u9M5Ro7Xzbys7zwZsL5CxEgFGDBxthtcdaI/ykjU0W3poLE QMCknkfCG06HtMrOcroNigaj7G6FEvDm64sUkpW/ggWkHUUEMuwi5jcKIdx7XdbJ
0l4BcMpLoCyxxwIn49GpFxHiv84Q9xhouSMmCTe2p3bn5zCRBnKsetVHtEti4iRF 0l4BDGUF81uOghQUq/JqDtiYPD8IzRHMXbJmXiO+4y6DE5b1t99wBUt3C5K5H91D
sY9FipGcyiNHfkp8KsWeUxD/j1QUIkGODXt2RqYkO8ltA5QS3kUCPErmWYymEAEu U3blcYO6GROPSkVp8ZIzfnWLvyVoWInd1ZiRs19n9MN6Yf8uWfx9/3xvN2kKQyvj
=RFaD =4X+A
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2026-05-20T02:08:49Z" - created_at: "2026-05-25T17:17:13Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4DzAGzViGx4qcSAQdAoNdta1fDVjzrPWeSfKrmslkoFi86I2nWplPOli/gFXsw hF4DzAGzViGx4qcSAQdA/+jZ9/0jHioWKE2TK24OFDKjJ8futm2TP8z6Xat3uxww
2Cx+wmejLlc61RE5sqAaQJc+0ctRezwXzBJbkuqznZ2jWPCK2A1EQ7r3Q7USCCca DGwSznxagIkVgdTNKqAWmzGvOum8xDBqzP232CM8B/oxmwIjuIV8+FXtJuFHA/4b
0lgB6XOo0ByOj/W4TrrGn7VmwLvEqIiWCt5zk4BEUSVc62Ffv48dcwL3hsB3HlRw 0lgBN9loSuX5uL5O4uWzPulEhqjFElrWRZXLHZn7uIWipW/7mP8CGu02wwV/lme5
6FXyR+2zwyEU5fuddFO4nMi8AXB6cfU6F4ugFgwn92lCgTom7IULY1D7 jvtJ6EjgopmHrxyaJqRk+e65gxBYKvxTQ1H1iETCUq8lOnxSBZVY5m5K
=Czq/ =7H6g
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
- created_at: "2026-05-20T02:08:49Z" - created_at: "2026-05-25T17:17:13Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA2pVdGTIrZI+AQ/7B7h5br3PMgum71smOTJMBfl4OaxkQAirJeG/z2fjqbAG hQIMA2pVdGTIrZI+AQ//aZjaPgcAM6RSG6QCnYJgn8EDEhG7HDvXmb58G7VfxArr
l9q62H1cutGKS/IYOFLE0OQaRwmHtkdTkrdmf9yIuAktcdAGAeqwnYW3LwM3t7U1 m+K4Hc3hW0Hh/c7/bzu2QWniN1ie4apqFSvQmAIJ3zQZSyOsqhzvbmyTFRAyzpzO
nfZRJH5Hi4xcSVVaWHn5mX0QpxzrCye1EIjHvPRx6/bWHD5sW9qnkZAlAvEJS3/K lOAo/s0xMu8s5V055vC2KWnKuqb9+WtWgJPotkpOf7wQM3aqtvXKFnPa74ihjXdt
jdyBLLlK8AITpsX4eeVnmVLZBjbVEXPlXfFCh9PFyqrl+iyBBY9bO2aMzWldbQIr uuopRsOsZPiG8MLcqkCrTy+pd1PywrqwjKeva+mfgbM8zpypw4kwLwrljsxCThkZ
j1551Xe1wKAOn5SJTg2Mrm5ehBKfH53HY6ubCy9acbv5ZTe6JuStseWordtRNNXY To4dH+K8oesvSeyVOKWtAwnjQsPa3Zn5CFWXNwPnn2kpjyMoNRo07xuRkfHYI4L/
9eVmR3MRVoFWgK4Ccb9Qq8l+uEHRuQfG9K7dSnxQIJpHCOAQO9oi3/ykDt9Vgvo6 7D8zz07XdN47kJbEj2BYjChURtbxkFbAxq+IUDgbNDW+M7VQCKZW+vOFjwmFJAlT
WKPpvyuJpWc5Tn+WF1qhz5wDTRX6XY+cUoHkUqZXG0qMTIfMLIAFZ6MuslHU9f6J CCco2I3lmrVX1j9BTMRr/3aQNbY/OzOxk0qjYZGnPqV1bH4IazaDFUB8pOdmit2t
PlY0FTnwp5/v9rK/rjXZkfIxKjQtSWZwkZCszZ0WtNVuaY3KO6KYrd9rolFFYjqn KBzDt1L26V0Ek1CpOp1dcJxneITXX1j5IqjMbl0TzyoJ9CxsSaOWfZ6XsBBSXZNZ
I2xFGnTNZwh3tjG/3INoMwilOkIUNXr18k6FsPqVCAhj1Oo0iNxb3j+3pGJsH9iN VnDENbBAOGcJgatjmC2qH5FCNio7vMRRncX5j82sytDRWbj/7XHENFpfXyGPIuYg
ciTLeM8MsFW9MYXG23i65a5WVXi8hMTcyqCy9GyxLeFprt2DaH2HaBahF3RIWPop AaHyxSVegFCeRUHpzXo+qeFpNFR4407v+otVaEdxbfj6MQfMZ7tDUOde+97NNRow
KTNsvW1aawy+lDUyr4mBy9F0TA8Z1/db3l950Gtuz5s9/7D6bbmRn72O++W1RD3S tAMUOAN9yhGuEPMPr4stQUz4lHseGMX3VdpJH8UQH+BxVdJhzKg0H/+6bAmnRi/U
XgE3QuksqaIh7ZGt8tVPREEHpBWmPCskh35vLoqeO1QxGxzJcjrcuNeHtOH44EEj aAEJAhAi7DZdrKpPPkDijPKnXCPJB+IzdAJdOCsnIhZFzaiDUo+RLvP9bEpoqv4m
mHzYUydn0e1jwKZkATG23DiBCyMpcNAWmsMH45wmk0fgNLdQhuslhKLqOUDLpN0= ZFMtiF7P7bXyeNIObCCsgKhdX0thXI9lZvv7k9M4lAbFhPS9vlmDwf25t2Nm9Um8
=Ygd+ 2tbINg+K23jp
=syE6
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
- created_at: "2026-05-20T02:08:49Z" - created_at: "2026-05-25T17:17:13Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4DKKbvh61jX5USAQdA8qtjYHoUe+GUdy3obbF+pNmvfuKQUqkMHa6V5ZXOpXAw hF4DKKbvh61jX5USAQdAHw+hxKofus/fR32ThZOHfkL+8TIPvWeYnTYe5UUCC1ww
M/kx52Vu5xOdynB3NMBXsfTVH7KXh0f06HcehTREOkhlwVMYPcvDQQdzgJ3Xodpc AtCE+MfZvMgRx7gUpVPcdWtch6nlFzun+r84QfPopFk4S824JFEkK8jG0scYCpy3
0l4BdYtmbmk9ETTqr+wXvf+6BMYIuvyhsLLSqyWyCxJv7blQYsxsc3EAHZ4LB0ZS 1GgBCQIQm+g/LWX0T3Do0NXrRGIuw0fiKrQiOpEhbO6a6ez/pES0zKKBdlH+scQl
/lw6gQ5lmQyvVt9PQZayt6Iku0+WMJcgrf9xykOAm3N2QrtUnr4jHV3FydvTiUwR +nLZoz6Mw5mkwhY6zIKsrikuQ/+sciO2fIq9tI4MR6cvD5gmVrGEjIyOZ4xgl3X9
=snV0 nX6OVR9w8cR7rA==
=voeW
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49 fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted

209
inventories/z9/host_vars/z9-router.sops.yaml Normal file
View file

@ -0,0 +1,209 @@
ansible_pull__age_private_key: ENC[AES256_GCM,data:TlMDo9sUTYznxKOGityGLexk54mM7LU9+U4ln0YYhO5fhXXmwvySxyMLHlaKzSlpU2/mRRy/0v7AIOuRVZx5XqV8X2JJsv3/NeY=,iv:r66g2UQ663KvWyAISitbHBRaLBlJ0gB2g/TW9JiL0Ls=,tag:VEq3Fqj+t40uBo9g4Icfew==,type:str]
secrets__secrets:
- name: ENC[AES256_GCM,data:gt9BarzsfE/GJ5gQeelgePquW6KAgE3Exv4=,iv:IPpUQI+zkf8O+ej+ZxLFyWUOrxGGlZvmDRG0ut2cNsA=,tag:GP66MvcKyCqyKV814+uMYg==,type:str]
content: ENC[AES256_GCM,data:2ljp324rAsF2zk2631TI7bV1xKxdFr4u4NxrsPYnjWsL0PX0n0KhJ1qvJCs=,iv:0+DxsTTiNLOg5iH83bFT/d+0uW2rn6bATSm3xc5PEdE=,tag:XbBDrrjriXPedyT4+sBBwA==,type:str]
- name: ENC[AES256_GCM,data:9i4hZU7Hv/IMlI/1oYthx8g57nrst9LHZQk=,iv:IQanD/CA64A+hVyTQBiTvWdXyY8qNF9BpehWZxI5a9c=,tag:RiY0OJe2xbFPG6wfe5XjiA==,type:str]
content: ENC[AES256_GCM,data:68GUwG1Q2s2jH92HS0FQWrcMHJP8fHjrOqr21gsdswxKekQrpxX5B3BBFfM=,iv:HOsNUAKE5rOmKgZft2JK1NnZUuhk261d9WYWJS22nLM=,tag:3husFvB57AGVFzF7hKzLpw==,type:str]
- name: ENC[AES256_GCM,data:2lJUcDJ7ECJ1bF4Fg1VwOR2tBIQ77ZvDAbFF8w==,iv:HrPWIetjN/lOyQ7Mvk0sM1w+bWldlNfWhvw7/sfqKN8=,tag:AJL0s+f0O/yR4G3RVd1IHQ==,type:str]
content: ENC[AES256_GCM,data:68GUwG1Q2s2jH92HS0FQWrcMHJP8fHjrOqr21gsdswxKekQrpxX5B3BBFfM=,iv:HOsNUAKE5rOmKgZft2JK1NnZUuhk261d9WYWJS22nLM=,tag:3husFvB57AGVFzF7hKzLpw==,type:str]
- name: ENC[AES256_GCM,data:ESxpEp9k9BdD1GJv+af+U3ny0+RPuaJjWDhQ,iv:DxsZLiDF8F+ixepbUdlitMJ7DLHjGNFNuxRwLl7efo8=,tag:STnv/oLzbchdiwXfKP3fow==,type:str]
content: ENC[AES256_GCM,data:W2h5AcoT85OkekPeRkrf1m0bDdBjG/YNSbWlrcZtP7FjaPh/F+cx+J6oRRI=,iv:CLVXTqfstpIU3BX/Zdcnp9w0gWxeGDI/G1MNl6xr4ZU=,tag:yCqN4r1MV/VTWQvZ6COfIw==,type:str]
- name: ENC[AES256_GCM,data:IRwwy+WQxgQ8cDpB8HaCLpKwJj7oC87p0XOxWRo=,iv:BLXNMcigvaOeY6y4NlLPMMWQt9XFi6nodRwIYFgAAnU=,tag:OdQalmujOgrzW8oi64xMRg==,type:str]
content: ENC[AES256_GCM,data:C5oIcuEYtODsvjQZnbqbWVfP63mQzcRuh8f5rlBCyjwSq2mZiYGQe9t0T78=,iv:sITUDo9SKZTSwPfsMv4m4U0ruuVCcaxu7SUT52U4FSE=,tag:4CsSMJWQQPAIeK8DwUDBqg==,type:str]
- name: ENC[AES256_GCM,data:r0sbpjaGjezoNlyl1khy+Dly+8xbbfQZNB8om/E4/tj9lmM=,iv:MLrglBJA6BrHGmFRprlQcf5/Hqh952e5OyQQ9nPxumY=,tag:Se05kMBkSQ7TRxzij7Fo8A==,type:str]
content: ENC[AES256_GCM,data:/c1nRf1eZhbUmoQWvcj8yDaVPtyAN7Uu+S054q3C1/kXlQ7CgOe4CrMXnmk=,iv:ppar0aCKuIU3DOjwAoliZ5TOL199Z+Ffo4pCktjs0W8=,tag:nfaGutK+5KnlWBKU1MTxkQ==,type:str]
- name: ENC[AES256_GCM,data:7mwuykEqbGISOa2n+pWb6INLsHYdjyf2HxTtWpAr5xP1,iv:NMcg+L2DFtBO1nhyPid31yzLr+ZX7DUGl/WxV1MnrqU=,tag:65/BiUEI8v5oMlQqpKNDRg==,type:str]
content: ENC[AES256_GCM,data:SObbA3D/sGN5/i5ps4Zz3alygIXKbSgptFjfPHlwC8G588O+gKAkvKQwU/s=,iv:PY2vLfI3gInFeQbse49KC2/zZ9O4jeXAQ0fpP84GHHE=,tag:214Mb8hIYDkQ4+UkRWtc9w==,type:str]
- name: ENC[AES256_GCM,data:bES9O6JI4wTnuZsup9gflfaozeUDkfjVGNIFn8RnZQ==,iv:98kigM3KZIN5qXNdgfLg5WLmxzAsYCjNqVzyUPco/BI=,tag:1fwEtwQ6i9QQC3OCewN0eA==,type:str]
content: ENC[AES256_GCM,data:flO3Nb4u2WfWNVhn8k5Bgo3LmsHo2cVnLCsrz8ST9Ip7gO9FY9d27FQgphM=,iv:aiDoq+41cSjwcCZRaIPLtbltkOpc7FeuNN7swPqkHXQ=,tag:OhzcY2xKKJF2jZVRseXCFg==,type:str]
- name: ENC[AES256_GCM,data:ERsggezMBbs1YwbIgwzKSAEHWWOWYxap8IDdn2YtEKvZexqu,iv:XbObLp2QERgt57tc/Cpha1CWXi+GttcIU8hJFGSp8e8=,tag:FqCuSbvLRERpVnQTzQsfpQ==,type:str]
content: ENC[AES256_GCM,data:QPoZA71CwE8EFE0I+6z0z0O1bUCMQDDDG7wGNoxXKt3ovLkFt21r8WG7VhA=,iv:InX6A71f3DGTg1wO4G0ECf488+FnKgTHffVwvJ9hHQ0=,tag:EVxwJlneN1CbMLXto7uLFw==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxallVTFdueHBucXBVNzIx
cENqanlOOUticExzVnlERS90b2hWQ2VldUE4Cm9SVmhZejVzanRDTkJhQzhwM3BM
MGcwTEZ4YVQvdjc3clBHei93VEN5SkkKLS0tIGI3KzRPbjlNTFFBL2huYlZSVTZh
OVdXYVRkVVJwbVltSHBXRktIY3BYL2sKe+eqKzYeCUWx0KmT0+aM+TwWRj+P0Ecp
tnFHmQgnEPypIhVvZtzL7i64kL6sHizTmNhbw+hlnCztvsdEV5T0cw==
-----END AGE ENCRYPTED FILE-----
recipient: age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp
lastmodified: "2026-05-25T17:15:30Z"
mac: ENC[AES256_GCM,data:IW9eN5H2J5cnXUHlK2aD+yd2ORx+weSFKBGWd7pIolFb5txg0WlGVp8UpD4h+Tv0SJ9NkQOT6KpcXDez/L7r7xNYtmgf7AdrdGpy3IOkEYzHJ+oHUMd/aL+h5w6/RahrpxlPSrNKAC+AfpY+l0iodwQ09iuLp4YXFxRaRDGpGZw=,iv:6M7RkDN9D9Zlyq1MCRoiT4f1bd6OBZNg+C65oEuSWn4=,tag:wRsq4lt4mHVyY6ruGkYNKQ==,type:str]
pgp:
- created_at: "2026-05-25T17:17:14Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxK/JaB2/SdtARAAlyJLMDlT4FLpMKaC3ygn1cfA2390Dz24lzKlHmwl5GgE
yS9bdTGMpcM8zPOQoqaoy/my3kgx2/U3q7WiCTMdUyYePAWuJFh8ZRZjw/hPpv6n
GwYgK3M2C1I9++zmZD5LlR4TaTTpr99+hctYrrp79QJddgozUzAQ44g7WvDm5VhI
bb2UVSo0MpWvLEMXHqH9YZcjkQyVg/DL+IaU1rM9pmpZxoN7+0jQY4ci1ZeHVo9e
DbYcjMazBLakjZxxdtHrqx3DjZgbYCancMy/dUKVuvDF/lN35WWSxslv14BNHljL
+/9YBDRgIr11x9j1hq241UwBW+6mSFxWF3qQ5esdR5xlLEqbm27PYGtqC4LIdzRX
ZUvdujuQ2PHCYJY/jKWSf0cdfXKEGorc1ZGOV9FNq9L+aKvfmRLWfzX4D0Hp47H2
d3itVuA9KYOdzmk6O+8FZv/VK1042L90tOPJhrtE287KhcJ2CvfT/Az4Qot8xg3c
tXmO3cWQpigXxJPfKRPjmmLJ9nq0BnBXj5ngkVz7d8R3FR1J/+TWG0F1VU7YeW2+
Z04RAbbKf36xUTqnaV34EDum4QLLdTMra6fPYPy0KiQYIKDcRSdHeM/hEs7JXP1c
zbUX4xuBOXl7kWYR0e3MUTzxYiQBr9BvSDY+7sGQCb+fPw+AKvFxig1grjsnZvPU
ZgEJAhAUE/ebqBa2nGimcAPn3PfeihehcmjLg7HmyWBPkHHMt/TIOztjkbGiQSC/
jBP+rhjmFxm0WKUGM4dkh14JkMgz7DZ9fozzLfo8zN8beuSDDzX1BndTIMBQJj8P
Q/rk1NL6pg==
=UXJ9
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2026-05-25T17:17:14Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA1QflAioE8i3AQgAg+PBxAqWTfRhxP7GxDfQBPK3d52zshP9xhutqANzszhs
nbo3nHWj/vjvHlEuD+Rr/lr9qxsE3qS4ON7FG929RoB1YFHJnQl29Xym2Q34T0Hy
Ih3dibykm0t/NE+fuxsU4iU0imtjqhqA6P0+8FNF3UeCg60brcqlrBTXM9jFqlZ2
9nuvk75HkM1FoHiKx837qAd+RjNNO7xKUpn+EX0l0l9tScuPqUkWNQxLrbHrcO5M
bcEC1syZHQKCiucsesS1pJ7TFWOJsnamZyaqhzANGwWdhYwGQv37bWKr6dYTCy3q
rsT2NxQK4/N9CxmP6xWeAZbX00BDhNMfEQVtTlYLgdJcAS433Hiw+DSEwGu2zvTa
pHtQlGlaoOZemNnthw0NO6JQWGhz6Bx5QqYmbrshtVKNPh87vNVV0HhL/fQ7qwLp
uCgnMi3P59r8EKDZqTSp0YGfE2bx2hpBDnyJ42A=
=rOz4
-----END PGP MESSAGE-----
fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7
- created_at: "2026-05-25T17:17:14Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJAQ/7BOewbq1xQgTOruTFebugbSrodtfUlIDpCez+FZMw3Gos
uwfp6jslBKXHidsA39CRktJ40EYqygmBgcxGTvHGC94VwSl7OfCjHsyfD/93L358
XsjpTHXBO/mOjQmJ2smhZx+q+iMLpJnq2QA8mGUI5uzPTjXD19sD9QdYdHF2p8D6
mdpVWED2gRf/sDoN+y3c/iZvMTN2HeDCx5d/wIgl3mmoHLvWRO8pNBV3EUg3ZBiv
fc0Y7m/0KOqW1itE4yg9IoPBWJg2jYSZTkRnQMPEkKEEHNtbx6dq5tLOYUIIwOwC
5JlL76BRoaul6ousBSHV8OWCAvS2N8OC+l0ATzk99p/h4zY7PCG7NhkKAOgYfWFa
/z5u6J6TMrmeLZjknFXepuVAzNmDU0CmuhMwZankGKq6lmsQQnHvdq8+ExGGWhfK
m6I8nPvG654md9H7Y3HusHa6y1rkf9gZp1UFzhvXQgZdvc7K5pJrhxjGUnEg6sS0
m4daDRuNLW32PXiwoWTtTJfOQFv0t1f1eEKI9DO/O8/4fNtIvmI/8HDcdF1XzDnt
lGnyD9cZ5jKsKjGrT9DcvJhyTGWDFeBDTY+rlt52E8NbrzWUjX4J7Gyz8QRY9j7m
wRi4uaVt5KBmB8Ibo2bMTUXU3Db/0p8nCAg/89D1fP6FF4izg3GU4oD3vJyl81XS
XAH8tGT9wbjXuhomyhqemDYb0QdTRfpAznm4AS36qbeU/Tvj4M+Nm64qLpj7FFtK
aeDas4lzgeQf6/cdd5ItLlRHhlBOJEmjHVzRR4npabCWZojP8PTac1IlBgvS
=OH/y
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-05-25T17:17:14Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DsZXvxFXTXoQSAQdAIjnFVslIKlmP0X12z6AdWNqxkpVBDFvf03ToWQEQv3Uw
8ka0OYl32rH6UiiSE1Vve1wZ/iVvK9/il6UhTpeAt8bIiCq6gEGR9Ba5NJnm6rSG
0lwBwzEtaARPJbbcWu7Jl+dAQ0quP6uVS55OYBuSannlaPrQ5qBuS14AtuQ3UEVz
EbcLJ0b4lGL7hgyAf2E6nuDTkPGPChAJ5H5DfrB74ZB30GcYBTzwj13+jWx/VQ==
=Hxuh
-----END PGP MESSAGE-----
fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE
- created_at: "2026-05-25T17:17:14Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DerEtaFuTeewSAQdANsYlCeGhhqmBgnqcSuNdQBUwYKpucDrb6aR9Siyukjww
72Gin/635k9bYXwknA1rPyTMvG00giQgjUr/QK6PSD/eGi0QOtMZLj1JRi8f5EU+
0lwB+MIM9+EEzHJ96ouzL3bu0e++NvRY1Qjyx1Xi43bM96eBeLZ5DAc1eTSdWizQ
EWTorcmXffkdfOQx1zrlGZo/qvfj5F706VcwX4aZwok/ASRmSeCfEXLgGLCwqQ==
=ccBm
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-05-25T17:17:14Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fAQ/+IRYUQhf7zzIZy3AKAtQgyMKRINOUUqOEv6IKmNQaaQP7
K5JXnVi2gjgBuG+2gH9iCEimIggnWxFhHerfOps+NkAI6y7kFz5hnMtOY2Qf3vxT
Hoyq4l6Yn+gG1HSLozVr9dTQPjyGOKJkm36ZKpM7gqSuLNP2ijKARzay4Chg3i+p
E1TVTVoEczrPdLg3O2fd5mi2UT1k3E4QREti0k6K4juMWqMz+5iJ5X98qCdmE1eX
L5dmW0QSUChzBVw+7NEcxeNx5WsbhWgPA5m2+bng3V8tHqAwrRUCoxn2+yabnsZB
Z0Z7TgcLk0Xnezw+BkT3bOsKgv+atE5lm2rBiRUHRDR3S04j0Ju6fJHf24CNy5ES
xMF7BE23SgmqUq0BrvdJB0ToNKYGMM0C5Xg4vGRiE61+18TiFIeC3mF9suvFFKc+
houq6Cy7q3O5PEqEbu6t5vXAZHwL9Th+ZatIIe9jSToiZiLEOIEmiYptR009/OWq
v6ADzaAE6+i6HZ62xBYQuZFkiUrRKxYzTHFn0A10QUJrJgbWr8QjS76oKi8feEDC
BJAOwE/0aK+l46hI6mlh6rgeSy8XdOPLEnL4+1HjlshhTTiW1rE2cr0ZiTTA6UFX
UhABIUi6jiLnM13L+auulU1UZQ8wxp73okrcuu6g2bPT/l7zO9YNOCocWVPQa5vS
XAH7qrW533ttg2XAczCdALMulV2N5GHl7TbgRQBkdoBAKL+6oKfxbOZeQM2nrfZT
arytZbnjgCcy5ygnjeziRvWwLk7sysEpAQqQNRm50m2Cq+2ccedRP6zFzUhc
=4hCA
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-05-25T17:17:14Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqAQ/9G5pRNmw775xCYA+foCx9rM7eLXJFl2DjaI3a/O0yVc6t
32xtPuaHwTnP00Pbbo5Vc9QG7k0Fr3Rgy+ep1lGzeCMoHwF9xk98LspDtYZoKopE
6/L6KLldSauRv0rPVhCQHpZFsnx1VxaJiXn9vAW17+imC9SgqLYGWyrxAtLCOOqH
N68RnTsEDquXixEs82ao0EmQXPquimJgSx+xVSF4yitYYLLLHyUL+drMNuVb9q9Y
oAIdEL1svDIieTbTKGQUqZ8Alf8f/0cqPWpEkDwYIyB/i9KDkH5Oj7uBBRtVLGxQ
VxE32wO1xpXvKgUY2PhWD2rOBVDG8dW/hyqvc1WgIeo1A6FTq34b5dGC2lmTRngB
9mBjUd59zeOvdXLmoGwXgbjVhpgnm/5wlUeiIC3xR9MjW3znRBT6ujCaglpAdXBC
0AIugssGcuXbP9Tj5zMVlbdi2dj6Ylc8S1Tj/OjwxHCCj6AWRqpxN5vY28RiLFGy
+eAsryzPk6UTCPIydiWwsrP+w8EhbllFxzZM+Sn+fshAHdRug+EeyT3h5V5JF+Ko
BZCrZkwYqAcVkJjEYlukjvxVFvo+T6tRMz4F4yNgjqFjneUaeLCc6RllaT696H0Y
8+lw5rK+XpcXBZqso6vsLChRdZQJjoj9lkjRDbmhOkaRglikC6Cx+mpY1/XnGvDS
XAFWOuNKjN/xIRtaDc6tmeWsKkuqghjHiMeRqw10/kTBjniMLLJIN9ssj4HjYqC3
CsqyHqZmrbITUMr718gX1kkAvzF/fVAXT8YshOcK7rQbiMQJCZqeBp3fY7FC
=5yPR
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-05-25T17:17:14Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdAfLqKILCrCv2s2V7bLntk5lHI6Dc1FQlCg3LAefc8oTIw
a3UZU3OajQ1CCIhhu02JSlTKZm2z+pZKVHy+s5EgCqwAWTfPNAnyPT0ZGrhIdcah
0lwBdg2Tq3+Nhix1ZuA/mUgcrbRBcFKlHY+IGEgOHKLJld9UPF2xEjTX6nmLyuTR
6x+HW/7vVuc/jcFeQEmokhQw/SICVdyD7NQua4k1agLkty3hGcm1XCsfyKfj+w==
=Bxf9
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2026-05-25T17:17:14Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DzAGzViGx4qcSAQdAr2tfPiCpUkxFj4rgSiLf7y4iyKbsgEY87iYH3GAZTVcw
vK2YpjSVgFRoJNx9s3bFr+9UG0LFmKvDZEP83ThQizYs2I/N7MSU8ERRImshaQMH
0lYB4At0RHC1mp8eKqhRgXenOtpfCiBACtlIdS9m1aqcU6i9Drgt86Bk/LC/HSvJ
MUOit2PP7QZVRWV6F8wAHlUFd6bdTKv9eOCZLSB6mY6DQmkp93FIMg==
=lQcB
-----END PGP MESSAGE-----
fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
- created_at: "2026-05-25T17:17:14Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA2pVdGTIrZI+ARAAjNHCArTtU9D8zw5yJzvf0KSwQoOaQWHui7AqQkvQ8mJv
8+Vo9sb+JoSuFHQqqDbOU+VFpmc9CZ6HCJaWqO2gZVgjxrsrPgyfq795LBd6GhX5
6zwUH2huxv+n7XkfjN4HHJAlSj0pRyL3fyojdOdtXCTuBGbofLIBJUbuD1wro1K+
nSHLvdBEitn8afKt5/SaatB8Prwyet6E6J4HluXFQjl+KdrRHHvXImmhNSR4yfIr
yQt2s8qapSvLhrUw9/GFXqM/jg4ZlDhPUhCAKI2Pr5PbsRMBqwdkSrDeB7MHdsU6
tI4uyb7j8m3VMbFKNVpuluwgk47V+W/h+jtZetSR6ewYsXJjgHNmX6JX73XzR7R+
q4EBfSAxR7ByZ/HHuumUH6BKBj8IcNJQwtEkLIZmLZ3OdFtJP3YY0esV+gEhG6K7
m2Zl9C7axuYmvoLrqygaChmxMhMiebTPNkD/dH5Ircwl2cXfHC+bvF2WO73DTk9G
emHzrkniEtuUs+svMhT3NKM3/mpOJTiNezdH39HZADzkBwZ5Mmkfe4mbXByfRN7F
AEJWmnOcpXwXE9//sRbkRr+CGmB86raZE22wHPuk6U9IyVFJm8hJbOzFc7rwu1Eo
0YWBCsc9dA+jH8hIKrIfXwqnfhYjTrX+oZJeK/8McOwfF7I2G9YrPAgwbokQmtLU
ZgEJAhC8ryOvXwp2kP9sv6nbXIEcwrX8lRjkEWduf6ZAWAfQ5FGBSPzR8WnZWGzN
PCxjg7utA9AHBChF1duwOV2Qr5XW8HTUGAx4fc0T0rjC862vSwf8yAY89WWJyUfk
n8qhhdw1uw==
=KgOe
-----END PGP MESSAGE-----
fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
- created_at: "2026-05-25T17:17:14Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DKKbvh61jX5USAQdAYrtySnoCK7k4ZZIyllSAr23fozsiZb9Nf6Q+r56i3lAw
7IxBdJc2ipMxafy1Ntq0wfAYYk7nY6Vz1XtB+ekVeYLOjDmHRnJWq/Jw0K8wLvWT
1GYBCQIQ/0zDLdFOrMNjVPMutGVJOkpm7mbD30GpgRugzEf2NZePGtptqnP6i1t1
izBqFRByftV1MUw1uWgTFgB8zEVDh6gG0QAYeRuu3NS9QhwR71Wlu2J4eu+VhZi7
AKabk3T3Z00=
=A2ad
-----END PGP MESSAGE-----
fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49
unencrypted_suffix: _unencrypted
version: 3.13.1

7
inventories/z9/host_vars/z9-router.yaml Normal file
View file

@ -0,0 +1,7 @@
systemd_networkd__config_dir: 'resources/z9/z9-router/systemd_networkd/'
systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/z9/z9-router/systemd_networkd_global_config.conf') }}"
nftables__config: "{{ lookup('ansible.builtin.file', 'resources/z9/z9-router/nftables/nftables.conf') }}"
ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
ansible_pull__timer_randomized_delay_sec: 0min
unbound_access_control: [ "10.89.208.0/20" ]
kea_dhcp__include_vars: resources/z9/z9-router/kea_dhcp.yaml

22
inventories/z9/hosts.yaml
View file

@ -14,6 +14,12 @@ all:
yate: yate:
ansible_host: yate.ccchh.net ansible_host: yate.ccchh.net
ansible_user: chaos ansible_user: chaos
z9-router:
ansible_host: z9-router.ccchh.net
ansible_user: chaos
base_config_hosts:
hosts:
z9-router:
certbot_hosts: certbot_hosts:
hosts: hosts:
dooris: dooris:
@ -35,6 +41,7 @@ infrastructure_authorized_keys_hosts:
light: light:
waybackproxy: waybackproxy:
yate: yate:
z9-router:
nginx_hosts: nginx_hosts:
hosts: hosts:
dooris: dooris:
@ -46,16 +53,31 @@ ola_hosts:
proxmox_vm_template_hosts: proxmox_vm_template_hosts:
hosts: hosts:
thinkcccore0: thinkcccore0:
systemd_networkd_hosts:
hosts:
z9-router:
nftables_hosts:
hosts:
z9-router:
unbound_hosts:
hosts:
z9-router:
kea_dhcp_hosts:
hosts:
z9-router:
alloy_hosts: alloy_hosts:
hosts: hosts:
light: light:
yate: yate:
dooris: dooris:
z9-router:
ansible_pull_hosts: ansible_pull_hosts:
hosts: hosts:
dooris: dooris:
light: light:
waybackproxy: waybackproxy:
yate: yate:
z9-router:
secrets_hosts: secrets_hosts:
hosts: hosts:
z9-router:

14
playbooks/deploy.yaml
View file

@ -27,6 +27,20 @@
tags: tags:
- nftables - nftables
- name: Ensure unbound deployment on unbound_hosts
hosts: unbound_hosts
roles:
- unbound
tags:
- unbound
- name: Ensure kea_dhcp deployment on kea_dhcp_hosts
hosts: kea_dhcp_hosts
roles:
- kea_dhcp
tags:
- kea_dhcp
- name: Ensure deployment of infrastructure authorized keys - name: Ensure deployment of infrastructure authorized keys
hosts: infrastructure_authorized_keys_hosts hosts: infrastructure_authorized_keys_hosts
roles: roles:

293
resources/z9/z9-router/kea_dhcp.yaml Normal file
View file

@ -0,0 +1,293 @@
kea_dhcp__dns_servers:
v4:
- 185.161.129.134
v6:
- 2a07:c481::1:2
kea_dhcp__dhcp4:
enable: true
interfaces: [ "netlan.51", "netlan.52", "netlan.54" ]
control-sockets:
- socket-name: /var/run/kea-dhcp4-ctrl-agent.sock
socket-type: unix
lease-database:
type: memfile
persist: true
option-data:
- name: "domain-name-servers"
code: 6
csv-format: true
data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}"
subnets:
- id: 1
subnet: 10.89.208.0/22
pools:
- pool: "10.89.208.32 - 10.89.211.250"
reservations:
- ip-address: 10.89.208.11
hostname: beamer
hw-address: "ac:87:a3:18:9e:01"
- ip-address: 10.89.208.12
hostname: Brother-CCCHH
hw-address: "00:80:77:04:3a:55"
- ip-address: 10.89.208.13
hostname: muzak
hw-address: "00:11:24:5f:4f:80"
- ip-address: 10.89.208.14
hostname: Big-Room-Beamer
hw-address: "64:d2:c4:db:08:5c"
- ip-address: 10.89.208.16
hostname: dooris
hw-address: "bc:24:11:b3:93:9c"
- ip-address: 10.89.208.17
hostname: hmdooris-ccu
hw-address: "bc:24:11:5f:2d:b1"
- ip-address: 10.89.208.27
hostname: cisco-slm248p
hw-address: "00:23:eb:b0:fc:3f"
- ip-address: 10.89.208.47
hw-address: "6c:df:fb:0b:34:21"
- ip-address: 10.89.208.48
hw-address: "6c:df:fb:0d:91:63"
- ip-address: 10.89.209.28
hostname: hp-color
hw-address: "3c:52:82:29:21:79"
- ip-address: 10.89.209.29
hostname: dooris-ng
hw-address: "6c:4b:90:19:21:a1"
- ip-address: 10.89.209.166
hostname: encoder-ccchh
hw-address: "00:4e:01:a2:40:d7"
- ip-address: 10.89.209.254
hostname: ki10
hw-address: "dc:a6:32:a9:ff:82"
option-data:
- name: routers,
csv-format: true
data: 10.89.208.1
- id: 2
subnet: 10.89.212.0/24
pools:
- pool: "10.89.212.32 - 10.89.212.250"
reservations:
- ip-address: 10.89.212.3
hostname: prusamk3
hw-address: "10:9c:70:2e:59:3e"
- ip-address: 10.89.212.4
hostname: prusamk4
hw-address: "10:9c:70:2e:6e:f0"
- ip-address: 10.89.212.11
hostname: Ziggy
hw-address: "44:17:93:53:65:57"
- ip-address: 10.89.212.12
hostname: legacy
hw-address: "00:15:65:a1:ed:98"
- ip-address: 10.89.212.23
hostname: foobarpay
hw-address: "f4:f2:6d:09:a6:73"
- ip-address: 10.89.212.24
hostname: foobackup
hw-address: "bc:24:11:20:1a:a8"
- ip-address: 10.89.212.27
hostname: ender3v2-sonic-pad
hw-address: "fc:ee:91:00:0e:14"
- ip-address: 10.89.212.31
hostname: octopi
hw-address: "b8:27:eb:0f:d8:09"
- ip-address: 10.89.212.32
hostname: 433mhz-bridge
hw-address: "0c:b8:15:fe:e3:34"
- ip-address: 10.89.212.33
hostname: wled-kueche
hw-address: "30:ae:a4:7a:8d:a0"
- ip-address: 10.89.212.34
hostname: wled-serverschrank
hw-address: "18:fe:34:a6:64:76"
- ip-address: 10.89.212.35
hostname: wled-couch
hw-address: "64:b7:08:40:ab:c0"
- ip-address: 10.89.212.36
hostname: laser
hw-address: "b8:27:eb:be:38:fa"
- ip-address: 10.89.212.37
hostname: laser-eth
hw-address: "b8:27:eb:eb:6d:af"
- ip-address: 10.89.212.42
hostname: t-mix
hw-address: "40:a5:ef:d9:eb:93"
- ip-address: 10.89.212.86
hostname: fritz-fon
hw-address: "00:1f:3f:c9:e5:b2"
- ip-address: 10.89.212.211
hostname: hauptraum-esphome
hw-address: "e8:db:84:e8:18:d2"
- ip-address: 10.89.212.212
hostname: werkstatt-esphome
hw-address: "3c:71:bf:26:42:32"
- ip-address: 10.89.212.213
hostname: ir-bridge-beamer
hw-address: "8c:ce:4e:51:93:dd"
- ip-address: 10.89.212.215
hostname: pi-dmx-werkstatt
hw-address: "b8:27:eb:65:e5:31"
- ip-address: 10.89.212.227
hostname: SIP-T46S
hw-address: "80:5e:c0:09:bf:55"
- ip-address: 10.89.212.230
hostname: SIP-T46S
hw-address: "80:5e:c0:22:33:08"
- ip-address: 10.89.212.232
hostname: staubi
hw-address: "b8:4d:43:98:51:2b"
- ip-address: 10.89.212.233
hostname: staubiv2
hw-address: "70:c9:32:82:25:b2"
- ip-address: 10.89.212.234
hostname: AtemMini
hw-address: "7c:2e:0d:13:72:a8"
- ip-address: 10.89.212.235
hostname: okilaser
hw-address: "2c:ff:65:22:b4:63"
- ip-address: 10.89.212.236
hw-address: "b8:27:eb:29:bd:77"
option-data:
- name: routers,
csv-format: true
data: 10.89.212.1
- id: 3
subnet: 10.89.213.0/24
pools:
- pool: "10.89.213.32 - 10.89.213.250"
reservations:
- ip-address: 10.89.213.2
hostname: sw-rack-1
hw-address: "F0:9F:C2:10:C3:AA"
- ip-address: 10.89.213.3
hostname: sw-rack-2-peo
hw-address: "44:d9:e7:06:69:5d"
- ip-address: 10.89.213.4
hostname: sw-main-1
hw-address: "a8:9c:6c:16:df:cc"
- ip-address: 10.89.213.5
hostname: sw-main-2
hw-address: "a8:9c:6c:16:e8:86"
- ip-address: 10.89.213.6
hostname: sw-shop-1
hw-address: "C0:4A:00:FB:DA:C5"
- ip-address: 10.89.213.7
hostname: sw-shop-2-peo
hw-address: "f4:e2:c6:bf:20:ee"
- ip-address: 10.89.213.8
hostname: sw-shop-3-peo
hw-address: "d8:b3:70:85:72:76"
- ip-address: 10.89.213.11
hostname: pve01
hw-address: "38:05:25:30:80:35"
- ip-address: 10.89.213.12
hostname: pve02
hw-address: "b8:85:84:b1:57:b6"
- ip-address: 10.89.213.13
hostname: pve03
hw-address: "98:fa:9b:a2:ed:e8"
- ip-address: 10.89.213.15
hostname: pbs
hw-address: "BC:24:11:D6:2C:81"
- ip-address: 10.89.213.21
hostname: unifi
hw-address: "BC:24:11:25:77:60"
- ip-address: 10.89.213.22
hostname: club-assistant
hw-address: "7a:55:61:c3:a2:89"
- ip-address: 10.89.213.23
hostname: automation
hw-address: "f2:20:75:5a:2f:8c"
- ip-address: 10.89.213.24
hostname: yate
hw-address: "bc:24:11:73:3e:f7"
- ip-address: 10.89.213.25
hostname: ptouch-print-server
hw-address: "bc:24:11:f2:cf:8f"
- ip-address: 10.89.213.26
hostname: mqtt
hw-address: "bc:24:11:48:85:73"
- ip-address: 10.89.213.27
hostname: factorio
hw-address: "bc:24:11:a3:43:7f"
- ip-address: 10.89.213.28
hostname: light
hw-address: "72:61:ea:e6:49:e3"
- ip-address: 10.89.213.29
hostname: homematic
hw-address: "fe:3a:42:77:3a:be"
- ip-address: 10.89.213.30
hostname: proxmox-backup-server
hw-address: "8a:48:dd:a3:22:40"
option-data:
- name: routers,
csv-format: true
data: 10.89.213.1
kea_dhcp__dhcp6:
enable: true
interfaces: [ "netlan.51", "netlan.52", "netlan.54" ]
control-sockets:
- socket-name: /var/run/kea-dhcp6-ctrl-agent.sock
socket-type: unix
lease-database:
type: memfile
persist: true
option-data:
- name: "dns-servers"
code: 23
csv-format: true
data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}"
subnets:
- id: 1
subnet: "2a07:c481:1:33::/64"
pools:
- pool: "2a07:c481:1:33::1:1 - 2a07:c481:1:33::FFFF:FFFF"
- id: 2
subnet: "2a07:c481:1:34::/64"
pools:
- pool: "2a07:c481:1:34::1:1 - 2a07:c481:1:34::FFFF:FFFF"
- id: 3
subnet: "2a07:c481:1:36::/64"
pools:
- pool: "2a07:c481:1:36::1:1 - 2a07:c481:1:36::FFFF:FFFF"
reservations:
- ip-address: "2a07:c481:1:36::2"
hostname: sw-rack-1
hw-address: "F0:9F:C2:10:C3:AA"
- ip-address: "2a07:c481:1:36::3"
hostname: sw-rack-2-peo
hw-address: "44:d9:e7:06:69:5d"
- ip-address: "2a07:c481:1:36::4"
hostname: sw-main-1
hw-address: "a8:9c:6c:16:df:cc"
- ip-address: "2a07:c481:1:36::5"
hostname: sw-main-2
hw-address: "a8:9c:6c:16:e8:86"
- ip-address: "2a07:c481:1:36::6"
hostname: sw-shop-1
hw-address: "C0:4A:00:FB:DA:C5"
- ip-address: "2a07:c481:1:36::7"
hostname: sw-shop-2-peo
hw-address: "f4:e2:c6:bf:20:ee"
- ip-address: "2a07:c481:1:36::8"
hostname: sw-shop-3-peo
hw-address: "d8:b3:70:85:72:76"
- ip-address: "2a07:c481:1:36::b"
hostname: pve01
hw-address: "38:05:25:30:80:35"
- ip-address: "2a07:c481:1:36::c"
hostname: pve02
hw-address: "b8:85:84:b1:57:b6"
- ip-address: "2a07:c481:1:36::d"
hostname: pve03
hw-address: "98:fa:9b:a2:ed:e8"
- ip-address: "2a07:c481:1:36::f"
hostname: pbs
hw-address: "BC:24:11:D6:2C:81"
- ip-address: "2a07:c481:1:36::14"
hostname: unifi
hw-address: "BC:24:11:25:77:60"

114
resources/z9/z9-router/nftables/nftables.conf Normal file
View file

@ -0,0 +1,114 @@
#!/usr/sbin/nft -f
## Variables
# Hosts
# Interfaces
define if_netwan = "netwan"
define if_netlan = "netlan"
define if_wg55_management = "wg55"
define if_netwan_400_fux_uplink = "netwan.400"
define if_netlan_51_clients = "netlan.51"
define if_netlan_52_iot = "netlan.52"
define if_netlan_53_public = "netlan.53"
define if_netlan_54_management = "netlan.54"
# Interface Groups
define wan_ifs = { $if_netwan_400_fux_uplink }
define lan_ifs = { $if_netlan_51_clients,
$if_netlan_52_iot,
$if_netlan_53_public,
$if_netlan_54_management }
define v4_exposed_ifs = { $if_netlan_53_public }
define v6_exposed_ifs = { $if_netlan_53_public }
define v4_nat_ifs = { $if_netlan_51_clients,
$if_netlan_52_iot,
$if_netlan_54_management }
## Rules
table inet reverse-path-forwarding {
chain rpf-filter {
type filter hook prerouting priority mangle + 10; policy drop;
# Only allow packets if their source address is routed via their incoming interface.
# https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100
fib saddr . mark . iif oif exists accept
}
}
table inet host {
chain input {
type filter hook input priority filter; policy drop;
iifname "lo" accept comment "allow loopback"
ct state invalid drop
ct state established,related accept
ip protocol icmp accept
# ICMPv6
# https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
# Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
# Error messages that are essential to the establishment and maintenance of communications:
icmpv6 type { destination-unreachable, packet-too-big } accept
icmpv6 type { time-exceeded } accept
icmpv6 type { parameter-problem } accept
# Connectivity checking messages:
icmpv6 type { echo-request, echo-reply } accept
# Address Configuration and Router Selection messages:
icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
# Link-Local Multicast Receiver Notification messages:
icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
# SEND Certificate Path Notification messages:
icmpv6 type { 148, 149 } accept
# Multicast Router Discovery messages:
icmpv6 type { 151, 152, 153 } accept
# Allow SSH access.
tcp dport 22 accept comment "allow ssh access"
# Allow WireGuard access.
udp dport 51820 accept comment "allow WireGuard access"
# Allow DHCP server access.
iifname { $lan_ifs } udp dport 67 accept comment "allow dhcp server access"
# Allow DNS server access from lan_ifs
iifname { $lan_ifs, $if_wg55_management } udp dport 53 accept comment "allow dns server access from lan_ifs"
}
}
table ip v4nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
iifname { $v4_nat_ifs, $if_wg55_management } oifname $wan_ifs masquerade
}
}
table inet forward {
chain forward {
type filter hook forward priority filter; policy drop;
ct state invalid drop
ct state established,related accept
# Allow internet access.
iifname { $lan_ifs, $if_wg55_management } oifname $wan_ifs accept comment "allow internet access"
# Allow access to exposed networks from internet.
meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
# Allow clients and management to most
iifname { $if_netlan_51_clients, $if_netlan_54_management, $if_wg55_management } oifname $lan_ifs accept comment "Allow clients and management to lan interfaces"
}
}

6
resources/z9/z9-router/systemd_networkd/00-netlan.link Normal file
View file

@ -0,0 +1,6 @@
[Match]
MACAddress=BC:24:11:72:A3:27
Type=ether
[Link]
Name=netlan

6
resources/z9/z9-router/systemd_networkd/00-netwan.link Normal file
View file

@ -0,0 +1,6 @@
[Match]
MACAddress=BC:24:11:CF:65:57
Type=ether
[Link]
Name=netwan

7
resources/z9/z9-router/systemd_networkd/10-netlan.51.netdev Normal file
View file

@ -0,0 +1,7 @@
[NetDev]
Name=netlan.51
Kind=vlan
[VLAN]
Id=51

7
resources/z9/z9-router/systemd_networkd/10-netlan.52.netdev Normal file
View file

@ -0,0 +1,7 @@
[NetDev]
Name=netlan.52
Kind=vlan
[VLAN]
Id=52

7
resources/z9/z9-router/systemd_networkd/10-netlan.53.netdev Normal file
View file

@ -0,0 +1,7 @@
[NetDev]
Name=netlan.53
Kind=vlan
[VLAN]
Id=53

7
resources/z9/z9-router/systemd_networkd/10-netlan.54.netdev Normal file
View file

@ -0,0 +1,7 @@
[NetDev]
Name=netlan.54
Kind=vlan
[VLAN]
Id=54

7
resources/z9/z9-router/systemd_networkd/10-netwan.400.netdev Normal file
View file

@ -0,0 +1,7 @@
[NetDev]
Name=netwan.400
Kind=vlan
[VLAN]
Id=400

90
resources/z9/z9-router/systemd_networkd/10-wg55.netdev Normal file
View file

@ -0,0 +1,90 @@
[NetDev]
Description=Admin-Wireguard
Kind=wireguard
Name=wg55
[WireGuard]
ListenPort=51820
PrivateKeyFile=/etc/ansible_secrets/wireguard_wg55_private_key
# WireGuard Peers
[WireGuardPeer]
# friendly_name = stb
AllowedIPs = 10.89.214.2/32,2a07:c481:1:37::2/128
PublicKey = vILSL4dbaC5IaTsRhJviamV18ssxWSj+qLVyowLQ214=
PersistentKeepalive = 30
[WireGuardPeer]
# friendly_name = fi
AllowedIPs = 10.89.214.3/32,2a07:c481:1:37::3/128
PublicKey = UHi/if5uW2V3+8Q3R+uk6/XpRi4fPXbw7chsKI4xlkI=
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_fi_psk
[WireGuardPeer]
# friendly_name = jtbx
AllowedIPs = 10.89.214.4/32,2a07:c481:1:37::4/128
PublicKey = NyyEqdWgScgsnTF8Zz/Om4Lc84fdFMwVtvaCmLEkUlQ=
[WireGuardPeer]
# friendly_name = June
AllowedIPs = 10.89.214.6/32,2a07:c481:1:37::6/128
PublicKey = 6jAEB+f9przBGxPhuvv9U9gvZDEBQNqpQSD0BoGqXQQ=
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_June_psk
[WireGuardPeer]
# friendly_name = Max
AllowedIPs = 10.89.214.7/32,2a07:c481:1:37::7/128
PublicKey = oC1hJjtlAgLX/CmbwTC+LPmd1uwluQTwsN8RaMNmHn0=
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_Max_psk
[WireGuardPeer]
# friendly_name = dario
AllowedIPs = 10.89.214.9/32,2a07:c481:1:37::9/128
PublicKey = bYF2EGRGpEGjiKcasi/oaWoWeLsgqsF6FGaq3Z4ERww=
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_dario_psk
[WireGuardPeer]
# friendly_name = June-mobile
AllowedIPs = 10.89.214.11/32,2a07:c481:1:37::11/128
PublicKey = 6edjXykegUgGjbkIG1aJyBlX1SgTKcqXXaSBVPHdKDc=
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_June-mobile_psk
[WireGuardPeer]
# friendly_name = djerun_at_ferrum.local
AllowedIPs = 10.89.214.12/32,2a07:c481:1:37::12/128
PublicKey = aHbdkTHhPkd+o7wWfTua9nd72aF4OVp66zGtpaoD8Fg=
[WireGuardPeer]
# friendly_name = c6ristian
AllowedIPs = 10.89.214.13/32,2a07:c481:1:37::13/128
PublicKey = 6ndwj3Ur6AqfUPWuyPYXIaGZs2ujJKawSQ9LEvlYzEc=
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_c6ristian_psk
[WireGuardPeer]
# friendly_name = langoor
AllowedIPs = 10.89.214.14/32,2a07:c481:1:37::14/128
PublicKey = qTnVQlQa1m4SucFFNli/xM6QWfsdWx2baRAit7Cg8RM=
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_psk
[WireGuardPeer]
# friendly_name = langoor_home
AllowedIPs = 10.89.214.15/32,2a07:c481:1:37::15/128
PublicKey = NeMDs2+5rHuKO5ZYXVUR76GorgdesFUnDOFECQ3RzG4=
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_home_psk
[WireGuardPeer]
# friendly_name = lilly-lillysLaptop
AllowedIPs = 10.89.214.16/32,2a07:c481:1:37::16/128
PublicKey = IBsI+N8qUNpQnDc5HnqQ2Zo/1graFM0RMIecHmAF+Vk=
[WireGuardPeer]
# friendly_name = bitwhisker
AllowedIPs = 10.89.214.17/32,2a07:c481:1:37::a/128
PublicKey = DvEGvQPGi+IxeRTIA72Gx3WNINcrV9HRNB1v7mHnhjA=
[WireGuardPeer]
# friendly_name = forestcat
AllowedIPs = 10.89.214.18/32,2a07:c481:1:37::b/128
PublicKey = PdJ7KlIeASizj0WTY87d7oSi14/MebrhRa+L8YiPoQE=

12
resources/z9/z9-router/systemd_networkd/20-netlan.network Normal file
View file

@ -0,0 +1,12 @@
[Match]
Name=netlan
[Link]
RequiredForOnline=no
[Network]
VLAN=netwan.51
VLAN=netwan.52
VLAN=netwan.53
VLAN=netwan.54

9
resources/z9/z9-router/systemd_networkd/20-netwan.network Normal file
View file

@ -0,0 +1,9 @@
[Match]
Name=netwan
[Link]
RequiredForOnline=no
[Network]
VLAN=netwan.400

6
resources/z9/z9-router/systemd_networkd/20-wg55.network Normal file
View file

@ -0,0 +1,6 @@
[Match]
Name=wg55
[Network]
Address=10.89.214.1/24
Address=2a07:c481:1:37::1/64

27
resources/z9/z9-router/systemd_networkd/21-netlan.51-clients.network Normal file
View file

@ -0,0 +1,27 @@
[Match]
Name=netlan.51
Type=vlan
[Link]
RequiredForOnline=no
[Network]
Description=clients
# Masquerading done in nftables (nftables.conf).
IPv6SendRA=yes
[Address]
Address=10.89.208.1/22
[IPv6SendRA]
UplinkInterface=netwan.400
EmitDomains=true
Domains=ccchh.net
Managed=true
[IPv6Prefix]
Prefix=2a07:c481:1:33::/64
Assign=true
Token=static:::1

27
resources/z9/z9-router/systemd_networkd/21-netlan.52-iot.network Normal file
View file

@ -0,0 +1,27 @@
[Match]
Name=netlan.52
Type=vlan
[Link]
RequiredForOnline=no
[Network]
Description=IoT
# Masquerading done in nftables (nftables.conf).
IPv6SendRA=yes
[Address]
Address=10.89.212.1/24
[IPv6SendRA]
UplinkInterface=netwan.400
EmitDomains=true
Domains=ccchh.net
Managed=true
[IPv6Prefix]
Prefix=2a07:c481:1:34::/64
Assign=true
Token=static:::1

27
resources/z9/z9-router/systemd_networkd/21-netlan.53-public.network Normal file
View file

@ -0,0 +1,27 @@
[Match]
Name=netlan.53
Type=vlan
[Link]
RequiredForOnline=no
[Network]
Description=public
# Masquerading done in nftables (nftables.conf).
IPv6SendRA=yes
[Address]
Address=185.161.130.65/28
[IPv6SendRA]
UplinkInterface=netwan.400
EmitDomains=true
Domains=ccchh.net
Managed=true
[IPv6Prefix]
Prefix=2a07:c481:1:35::/64
Assign=true
Token=static:::1

27
resources/z9/z9-router/systemd_networkd/21-netlan.54-management.network Normal file
View file

@ -0,0 +1,27 @@
[Match]
Name=netlan.54
Type=vlan
[Link]
RequiredForOnline=no
[Network]
Description=Management
# Masquerading done in nftables (nftables.conf).
IPv6SendRA=yes
[Address]
Address=10.89.213.0/24
[IPv6SendRA]
UplinkInterface=netwan.400
EmitDomains=true
Domains=ccchh.net
Managed=true
[IPv6Prefix]
Prefix=2a07:c481:1:36::/64
Assign=true
Token=static:::1

26
resources/z9/z9-router/systemd_networkd/21-netwan.400-fux_uplink.network Normal file
View file

@ -0,0 +1,26 @@
[Match]
Name=netwan.400
Type=vlan
[Link]
RequiredForOnline=no
[Network]
Description=fux-uplink
DNS=185.161.128.66
DNS=2a07:c481:0:4::2
DNS=185.161.128.67
DNS=2a07:c481:0:4::3
IPv6AcceptRA=no
# Masquerading done in nftables (nftables.conf).
IPv6SendRA=no
[Address]
Address=185.161.129.134/25
Address=2a07:c481::1:2/64
[Route]
Gateway=185.161.129.129
Gateway=2a07:c481::1

3
resources/z9/z9-router/systemd_networkd_global_config.conf Normal file
View file

@ -0,0 +1,3 @@
[Network]
IPv4Forwarding=true
IPv6Forwarding=true

102
roles/kea_dhcp/README.md Normal file
View file

@ -0,0 +1,102 @@
# Role `kea_dhcp`
Install and manage Kea DHCP and [Stork Agent](https://stork.readthedocs.io/en/latest/man/stork-agent.8.html).
## Supported Distributions
Should work on Debian-based distributions.
## Required Arguments
None.
## Optional Arguments
- `kea_dhcp__stork_agent.enable`: Enable Kea DHCP stork agent.
Defaults to `false`.
- `kea_dhcp__stork_agent.prometheus_only`: Only enable the prometheus endpoint in stork agent.
Defaults to `true`.
- `kea_dhcp__dns_servers.v4`: List of IPv4 DNS Servers in DHCP response.
Defaults to FUX DNS Servers.
- `kea_dhcp__dns_servers.v6`: List of IPv6 DNS Servers in DHCP response.
Defaults to FUX DNS Servers.
- `kea_dhcp__include_vars`: Path to YAML File to separately load VARs for Kea config templating.
- `kea_dhcp__dhcp4.enable`: Enable Kea DHCP4 Service.
Defaults to `false`.
- `kea_dhcp__dhcp4.interfaces`: List of interfaces the DHCP4 Server should listen to and serve.
Defaults to the empty list (`[ ]`).
- `kea_dhcp__dhcp4.control-sockets`: List of Kea DHCP4 control sockets.
Defaults to the list with one entry (see below).
- `kea_dhcp__dhcp4.control-sockets.*.socket-name`: Control socket name.
Defaults to `kea_dhcp__dhcp4.control-sockets.0.socket-name: /var/run/kea-dhcp4-ctrl-agent.sock`.
- `kea_dhcp__dhcp4.control-sockets.*.socket-type`: Control socket type.
Defaults to `kea_dhcp__dhcp4.control-sockets.0.socket-type: unix`.
- `kea_dhcp__dhcp4.lease-database.type`: Type of lease database.
Defaults to `memfile`.
- `kea_dhcp__dhcp4.lease-database.persist`: Persist the lease database.
Defaults to `true`.
- `kea_dhcp__dhcp4.option-data`: List of DHCP4 Options.
Defaults to a list with one entry (see below).
- `kea_dhcp__dhcp4.option-data.*.name`: Name of DHCP4 Option.
Defaults to `kea_dhcp__dhcp4.option-data.0.name: "domain-name-servers"`.
- `kea_dhcp__dhcp4.option-data.*.code`: DHCP4 Option code.
Defaults to `kea_dhcp__dhcp4.option-data.0.code: 6`.
- `kea_dhcp__dhcp4.option-data.*.csv-format`: DHCP4 Option as csv format.
Defaults to `kea_dhcp__dhcp4.option-data.0.csv-format: true`.
- `kea_dhcp__dhcp4.option-data.*.data`: DHCP4 Option data.
Defaults to `kea_dhcp__dhcp4.option-data.0.data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}"`.
- `kea_dhcp__dhcp4.subnets`: List of subnets the DHCP4 server should manage.
Defaults to the empty list (`[ ]`).
- `kea_dhcp__dhcp4.subnets.*.id`: ID of interface (starts with 1).
- `kea_dhcp__dhcp4.subnets.*.subnet`: Subnet on interface.
- `kea_dhcp__dhcp4.subnets.*.pools`: List of DHCP pools in subnet.
- `kea_dhcp__dhcp4.subnets.*.pools.*.pool`: DHCP pool in range format.
- `kea_dhcp__dhcp4.subnets.*.reservations`: List of DHCP lease reservations.
- `kea_dhcp__dhcp4.subnets.*.reservations.*.ip-address`: IP address of reservation.
- `kea_dhcp__dhcp4.subnets.*.reservations.*.hostname`: Hostname of reservation.
- `kea_dhcp__dhcp4.subnets.*.reservations.*.hw-address`: Hardware address of reservation.
- `kea_dhcp__dhcp4.subnets.*.option-data`: List of DHCP lease reservations.
- `kea_dhcp__dhcp4.subnets.*.option-data.*.name`: Name of DHCP4 Option.
- `kea_dhcp__dhcp4.subnets.*.option-data.*.code`: DHCP4 Option code.
- `kea_dhcp__dhcp4.subnets.*.option-data.*.csv-format`: DHCP4 Option as csv format.
- `kea_dhcp__dhcp4.subnets.*.option-data.*.data`: DHCP4 Option data.
- `kea_dhcp__dhcp6.enable`: Enable Kea DHCP6 Service.
Defaults to `false`.
- `kea_dhcp__dhcp6.interfaces`: List of interfaces the DHCP6 Server should listen to and serve.
Defaults to the empty list (`[ ]`).
- `kea_dhcp__dhcp6.control-sockets`: List of Kea DHCP6 control sockets.
Defaults to the list with one entry (see below).
- `kea_dhcp__dhcp6.control-sockets.*.socket-name`: Control socket name.
Defaults to `kea_dhcp__dhcp6.control-sockets.0.socket-name: /var/run/kea-dhcp6-ctrl-agent.sock`.
- `kea_dhcp__dhcp6.control-sockets.*.socket-type`: Control socket type.
Defaults to `kea_dhcp__dhcp6.control-sockets.0.socket-type: unix`.
- `kea_dhcp__dhcp6.lease-database.type`: Type of lease database.
Defaults to `memfile`.
- `kea_dhcp__dhcp6.lease-database.persist`: Persist the lease database.
Defaults to `true`.
- `kea_dhcp__dhcp6.option-data`: List of DHCP6 Options.
Defaults to a list with one entry (see below).
- `kea_dhcp__dhcp6.option-data.*.name`: Name of DHCP6 Option.
Defaults to `kea_dhcp__dhcp6.option-data.0.name: "domain-name-servers"`.
- `kea_dhcp__dhcp6.option-data.*.code`: DHCP6 Option code.
Defaults to `kea_dhcp__dhcp6.option-data.0.code: 6`.
- `kea_dhcp__dhcp6.option-data.*.csv-format`: DHCP6 Option as csv format.
Defaults to `kea_dhcp__dhcp6.option-data.0.csv-format: true`.
- `kea_dhcp__dhcp6.option-data.*.data`: DHCP6 Option data.
Defaults to `kea_dhcp__dhcp6.option-data.0.data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}"`.
- `kea_dhcp__dhcp6.subnets`: List of subnets the DHCP6 server should manage.
Defaults to the empty list (`[ ]`).
- `kea_dhcp__dhcp6.subnets.*.id`: ID of interface (starts with 1).
- `kea_dhcp__dhcp6.subnets.*.subnet`: Subnet on interface.
- `kea_dhcp__dhcp6.subnets.*.pools`: List of DHCP pools in subnet.
- `kea_dhcp__dhcp6.subnets.*.pools.*.pool`: DHCP pool in range format.
- `kea_dhcp__dhcp6.subnets.*.reservations`: List of DHCP lease reservations.
- `kea_dhcp__dhcp6.subnets.*.reservations.*.ip-address`: IP address of reservation.
- `kea_dhcp__dhcp6.subnets.*.reservations.*.hostname`: Hostname of reservation.
- `kea_dhcp__dhcp6.subnets.*.reservations.*.hw-address`: Hardware address of reservation.
- `kea_dhcp__dhcp6.subnets.*.option-data`: List of DHCP lease reservations.
- `kea_dhcp__dhcp6.subnets.*.option-data.*.name`: Name of DHCP6 Option.
- `kea_dhcp__dhcp6.subnets.*.option-data.*.code`: DHCP6 Option code.
- `kea_dhcp__dhcp6.subnets.*.option-data.*.csv-format`: DHCP6 Option as csv format.
- `kea_dhcp__dhcp6.subnets.*.option-data.*.data`: DHCP6 Option data.

68
roles/kea_dhcp/defaults/main.yaml Normal file
View file

@ -0,0 +1,68 @@
kea_dhcp__stork_agent:
enable: false
prometheus_only: true
kea_dhcp__dns_servers:
v6:
- "2a07:c481:0:4::2"
- "2a07:c481:0:4::3"
v4:
- "185.161.128.66"
- "185.161.128.67"
kea_dhcp__include_vars:
kea_dhcp__dhcp4:
enable: false
interfaces: [ ]
control-sockets:
- socket-name: /var/run/kea-dhcp4-ctrl-agent.sock
socket-type: unix
lease-database:
type: memfile
persist: true
option-data:
- name: "domain-name-servers"
code: 6
csv-format: true
data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}"
subnets:
- id: 0
subnet: nil
pools:
- pool: nil
reservations:
- ip-address: nil
hostname: beispiel.test
hw-address: "00:11:22:33:44:55"
option-data:
- name: nil,
code: nil,
csv-format: true
data: nil
kea_dhcp__dhcp6:
enable: false
interfaces: [ ]
lease-database:
type: memfile
persist: true
control-sockets:
- socket-name: /var/run/kea-dhcp6-ctrl-agent.sock
socket-type: unix
option-data:
- name: "dns-servers"
code: 23
csv-format: true
data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}"
subnets:
- id: 0
subnet: nil
pools:
- pool: nil
reservations:
- ip-address: nil
hostname: beispiel.test
hw-address: "00:11:22:33:44:55"
option-data:
- name: nil,
code: nil,
csv-format: true
data: nil

30
roles/kea_dhcp/handlers/main.yml Normal file
View file

@ -0,0 +1,30 @@
---
- name: Systemd.daemon_reload
become: true
ansible.builtin.systemd_service:
daemon_reload: true
- name: Kea_dhcp4.restarted
ansible.builtin.service:
name: kea-dhcp4
state: restarted
enabled: true
- name: Kea_dhcp6.restarted
ansible.builtin.service:
name: kea-dhcp6
state: restarted
enabled: true
- name: Kea_ctrl.restarted
ansible.builtin.systemd:
name: kea-ctrl-agent
state: restarted
enabled: true
- name: Stork_agent.restarted
become: true
ansible.builtin.systemd:
name: isc-stork-agent
state: restarted
enabled: true

125
roles/kea_dhcp/meta/argument_specs.yaml Normal file
View file

@ -0,0 +1,125 @@
---
argument_specs:
main:
short_description: "Role for managing Kea DHCP server"
options:
kea_dhcp__stork_agent:
type: "dict"
description: "Configuration for Stork Agent"
options:
enable:
type: "bool"
default: false
prometheus_only:
type: "bool"
default: true
kea_dhcp__version_repo:
type: "str"
description: "Version of Kea DHCP repository to use"
default: "kea-3-0"
kea_dhcp__dns_servers:
type: "dict"
description: "Default DNS servers for DHCP clients"
options:
v6:
type: "list"
elements: "str"
v4:
type: "list"
elements: "str"
kea_dhcp__dhcp4:
type: "dict"
description: "Configuration for DHCPv4 service"
options:
enable:
type: "bool"
default: false
interfaces:
type: "list"
elements: "str"
default: [ ]
control-sockets:
type: "list"
elements: "dict"
lease-database:
type: "dict"
option-data:
type: "list"
elements: "dict"
subnets:
type: "list"
elements: "dict"
options:
id:
type: "int"
subnet:
type: "str"
pools:
type: "list"
elements: "dict"
options:
pool:
type: "str"
reservations:
type: "list"
elements: "dict"
options:
ip-address:
type: "str"
hostname:
type: "str"
hw-address:
type: "str"
duid:
type: "str"
option-data:
type: "list"
elements: "dict"
kea_dhcp__dhcp6:
type: "dict"
description: "Configuration for DHCPv6 service"
options:
enable:
type: "bool"
default: false
interfaces:
type: "list"
elements: "str"
default: [ ]
control-sockets:
type: "list"
elements: "dict"
lease-database:
type: "dict"
option-data:
type: "list"
elements: "dict"
subnets:
type: "list"
elements: "dict"
options:
id:
type: "int"
subnet:
type: "str"
pools:
type: "list"
elements: "dict"
options:
pool:
type: "str"
reservations:
type: "list"
elements: "dict"
options:
ip-address:
type: "str"
hostname:
type: "str"
hw-address:
type: "str"
duid:
type: "str"
option-data:
type: "list"
elements: "dict"

25
roles/kea_dhcp/tasks/install_debian.yml Normal file
View file

@ -0,0 +1,25 @@
---
- name: Install Kea packages
become: true
when: ansible_facts['distribution'] == "Debian"
block:
- name: Install Kea dhcp4
when: kea_dhcp__dhcp4.enable
ansible.builtin.apt:
name:
- isc-kea-dhcp4
- name: Install Kea dhcp6
when: kea_dhcp__dhcp6.enable
ansible.builtin.apt:
name:
- isc-kea-dhcp6
- name: Install Kea ctrl agent
when: kea_dhcp__stork_agent.enable
ansible.builtin.apt:
name:
- isc-kea-ctrl-agent
- name: Install Kea admin
when: kea_dhcp__stork_agent.enable
ansible.builtin.apt:
name:
- isc-kea-admin

47
roles/kea_dhcp/tasks/kea.yaml Normal file
View file

@ -0,0 +1,47 @@
---
- name: Include config vars
when: kea_dhcp__include_vars is not None
ansible.builtin.include_vars:
file: "{{ kea_dhcp__include_vars }}"
- name: Deploy kea-dhcp4 configuration file
become: true
when: kea_dhcp__dhcp4.enable
ansible.builtin.template:
src: kea-dhcp4.conf.jinja
dest: /etc/kea/kea-dhcp4.conf
backup: true
owner: root
group: kea
mode: "u=rw,g=r,o="
validate: kea-dhcp4 -T %s
notify:
- Kea_dhcp4.restarted
- name: Deploy kea-dhcp6 configuration file
become: true
when: kea_dhcp__dhcp6.enable
ansible.builtin.template:
src: kea-dhcp6.conf.jinja
dest: /etc/kea/kea-dhcp6.conf
backup: true
owner: root
group: kea
mode: "u=rw,g=r,o="
validate: kea-dhcp6 -T %s
notify:
- Kea_dhcp6.restarted
- name: Copy kea-ctrl-agent configuration file
become: true
when: kea_dhcp__stork_agent.enable
ansible.builtin.template:
src: kea-ctrl-agent.conf.j2
dest: /etc/kea/kea-ctrl-agent.conf
owner: root
group: kea
mode: "u=rw,g=r,o="
validate: kea-ctrl-agent -t %s
notify:
- Kea_ctrl.restarted
- Stork_agent.restarted

13
roles/kea_dhcp/tasks/main.yml Normal file
View file

@ -0,0 +1,13 @@
---
- name: Setup Kea DHCP
block:
- name: Install Kea on Debian
when: ansible_facts['distribution'] == "Debian"
ansible.builtin.import_tasks: install_debian.yml
- name: Configure Kea
ansible.builtin.include_tasks: kea.yaml
- name: Run stork-agent tasks
when: kea_dhcp__stork_agent.enable
ansible.builtin.include_tasks: stork-agent.yaml

39
roles/kea_dhcp/tasks/stork-agent.yaml Normal file
View file

@ -0,0 +1,39 @@
---
- name: Install stork-agent
block:
- name: Install isc-stork-agent
when: ansible_facts['distribution'] == "Debian"
become: true
ansible.builtin.apt:
name: isc-stork-agent
- name: Add stork-agent user to _kea group on Debian
when: ansible_facts['distribution'] == "Debian"
become: true
ansible.builtin.user:
name: stork-agent
groups: [ "_kea" ]
append: true
- name: Config for stork-agent
ansible.builtin.template:
src: stork-agent.env.jinja
dest: /etc/stork/agent.env
owner: root
group: root
mode: "0660"
notify:
- Systemd_daemon_reload
- Stork_agent.restarted
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Ensure that stork kea exporter is working
ansible.builtin.uri:
url: "http://localhost:9547/metrics"
method: GET
register: kea_dhcp_stork_status_code
retries: 6
delay: 5
until: kea_dhcp_stork_status_code.status == 200

20
roles/kea_dhcp/templates/kea-ctrl-agent.conf.j2 Normal file
View file

@ -0,0 +1,20 @@
{
"Control-agent": {
"http-host": "127.0.0.1",
"http-port": 8000,
"control-sockets": {
{% if kea_dhcp__dhcp4.enable | default(false) %}
"dhcp4": {
"socket-type": "{{ kea_dhcp__dhcp4['control-sockets'][0]['socket-type'] }}",
"socket-name": "{{ kea_dhcp__dhcp4['control-sockets'][0]['socket-name'] }}"
}{% if kea_dhcp__dhcp6.enable %},{% endif %}
{% endif %}
{% if kea_dhcp__dhcp6.enable | default(false) %}
"dhcp6": {
"socket-type": "{{ kea_dhcp__dhcp6['control-sockets'][0]['socket-type'] }}",
"socket-name": "{{ kea_dhcp__dhcp6['control-sockets'][0]['socket-name'] }}"
},
{% endif %}
}
}
}

27
roles/kea_dhcp/templates/kea-dhcp4.conf.jinja Normal file
View file

@ -0,0 +1,27 @@
{
"Dhcp4": {
"interfaces-config": {
"interfaces": {{ kea_dhcp__dhcp4.interfaces | to_nice_json }}
},
"control-sockets": {{ kea_dhcp__dhcp4['control-sockets'] | to_nice_json }},
"lease-database": {{ kea_dhcp__dhcp4['lease-database'] | to_nice_json }},
{% if kea_dhcp__dhcp4['option-data'] is defined and kea_dhcp__dhcp4['option-data'] %}
"option-data": {{ kea_dhcp__dhcp4['option-data'] | to_nice_json }},
{% endif %}
"subnet4": [
{% for subnet in kea_dhcp__dhcp4.subnets %}
{
"id": {{ subnet.id }},
"subnet": "{{ subnet.subnet }}",
"pools": {{ subnet.pools | to_nice_json }},
{% if subnet.reservations is defined and subnet.reservations %}
"reservations": {{ subnet.reservations | to_nice_json }},
{% endif %}
{% if subnet['option-data'] is defined and subnet['option-data'] %}
"option-data": {{ subnet['option-data'] | to_nice_json }}
{% endif %}
}{% if not loop.last %},{% endif %}
{% endfor %}
]
}
}

27
roles/kea_dhcp/templates/kea-dhcp6.conf.jinja Normal file
View file

@ -0,0 +1,27 @@
{
"Dhcp6": {
"interfaces-config": {
"interfaces": {{ kea_dhcp__dhcp6.interfaces | to_nice_json }}
},
"control-sockets": {{ kea_dhcp__dhcp6['control-sockets'] | to_nice_json }},
"lease-database": {{ kea_dhcp__dhcp6['lease-database'] | to_nice_json }},
{% if kea_dhcp__dhcp6['option-data'] is defined and kea_dhcp__dhcp6['option-data'] %}
"option-data": {{ kea_dhcp__dhcp6['option-data'] | to_nice_json }},
{% endif %}
"subnet6": [
{% for subnet in kea_dhcp__dhcp6.subnets %}
{
"id": {{ subnet.id }},
"subnet": "{{ subnet.subnet }}",
"pools": {{ subnet.pools | to_nice_json }},
{% if subnet.reservations is defined and subnet.reservations %}
"reservations": {{ subnet.reservations | to_nice_json }},
{% endif %}
{% if subnet['option-data'] is defined and subnet['option-data'] %}
"option-data": {{ subnet['option-data'] | to_nice_json }}
{% endif %}
}{% if not loop.last %},{% endif %}
{% endfor %}
]
}
}

20
roles/kea_dhcp/templates/stork-agent.env.jinja Normal file
View file

@ -0,0 +1,20 @@
### Stork Agent env file
### (created and managed by ansible kea_dhcp role)
{% if kea_dhcp__stork_agent.prometheus_only %}
### listen for Prometheus requests only, but not for commands from the Stork server
STORK_AGENT_LISTEN_PROMETHEUS_ONLY=true
{% endif %}
### settings for exporting stats to Prometheus
### the IP or hostname on which the agent exports Kea statistics to Prometheus
STORK_AGENT_PROMETHEUS_KEA_EXPORTER_ADDRESS=localhost
### the port on which the agent exports Kea statistics to Prometheus
# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PORT=
### Logging parameters
### Set logging level. Supported values are: DEBUG, INFO, WARN, ERROR
STORK_LOG_LEVEL=DEBUG

20
roles/unbound/README.md Normal file
View file

@ -0,0 +1,20 @@
# Unbound DNS resolver
Role fora a validating, recursive, caching DNS resolver based on [Unbound](https://nlnetlabs.nl/projects/unbound/about/).
It is designed to be fast and lean and incorporates modern features based on open standards.
- [Documentation](https://unbound.docs.nlnetlabs.nl/en/latest/)
## Role Customization
The following variables can be used to customize this role:
| Variable | Type | Default | Description |
|------------------------------------------|-----------------|-----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| unbound_install_prometheus_exporter | Boolean | `true` | Whether [Unbound Exporter](https://github.com/letsencrypt/unbound_exporter) should also be installed to expose resolver statistics in prometheus format. |
| unbound_bind_interfaces | List of Strings | `[0.0.0.0, ::]` | List of interface names or IP addresses on which unbound will listen for dns queries |
| unbound_enable_unbound_control | Boolean | `true` | Whether the [remote control](https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/configuration.html#set-up-remote-control) feature of unbound should be configured. |
| unbound_enable_dnssec | Boolean | `true` | Whether dnssec validation should be enabled |
| unbound_access_control | List of Strings | `[]` | **Required** List of [unbound access control values](https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#:~:text=access-control:%20%3CIP%20netblock%3E%20%3Caction%3E) |
| unbound_disable_systemd_networkd | Boolean | `true` | If true, systemd-networkd is disabled and the local system is pointed towards the configured dns resolver. |
| unbound_thread_count | Integer | Max vCPU Count | The number of threads unbound uses |

7
roles/unbound/defaults/main.yml Normal file
View file

@ -0,0 +1,7 @@
unbound_install_prometheus_exporter: true
unbound_bind_interfaces: [ "0.0.0.0", "::" ]
unbound_disable_systemd_networkd: true
unbound_enable_unbound_control: true
unbound_enable_dnssec: true
unbound_access_control: [ ]
unbound_private_domain: [ ]

1
roles/unbound/files/no-resolved.resolv.conf Normal file
View file

@ -0,0 +1 @@
nameserver 127.0.0.1

18
roles/unbound/handlers/main.yml Normal file
View file

@ -0,0 +1,18 @@
- name: unbound.restarted
become: true
ansible.builtin.systemd:
name: unbound.service
state: restarted
- name: unbound.reloaded
become: true
ansible.builtin.systemd:
name: unbound.service
state: reloaded
- name: prometheus-unbound-exporter.restarted
become: true
ansible.builtin.systemd:
name: prometheus-unbound-exporter.service
state: restarted
enabled: true

47
roles/unbound/tasks/main.yml Normal file
View file

@ -0,0 +1,47 @@
- name: unbound role main
block:
- name: install unbound dns resolver
become: true
ansible.builtin.package:
name: unbound
- name: ensure correct directory permissions
become: true
ansible.builtin.file:
path: /etc/unbound
state: directory
mode: u=rwX,g=rX,o=rX
recurse: true
owner: unbound
group: unbound
- name: configure unbound dns resolver
become: true
notify: unbound.restarted
ansible.builtin.template:
src: unbound.conf.j2
dest: /etc/unbound/unbound.conf
owner: unbound
group: unbound
mode: u=rw,g=r,o=r
- name: ensure unbound is running and enabled
become: true
ansible.builtin.systemd:
name: unbound.service
state: started
enabled: true
- name: disable systemd-resolved
when: unbound_disable_systemd_networkd
ansible.builtin.include_role:
name: deploy_systemd_resolved_config
vars:
deploy_systemd_resolved_config__enable: false
deploy_systemd_resolved_config__dns:
- 127.0.0.1
- name: install and configure prometheus-exporter for unbound
ansible.builtin.import_tasks: prometheus-exporter.yml
when: unbound_install_prometheus_exporter

23
roles/unbound/tasks/prometheus-exporter.yml Normal file
View file

@ -0,0 +1,23 @@
---
- name: install unbound prometheus exporter # FIXME: there is no prometheus-unbound-exporter in debian .deb exists in https://github.com/letsencrypt/unbound_exporter/releases/tag/v0.6.0
become: true
ansible.builtin.package:
name: prometheus-unbound-exporter
- name: enable unbound prometheus exporter
become: true
ansible.builtin.systemd:
name: prometheus-unbound-exporter.service
enabled: true
daemon_reload: true
- name: configure unbound exporter
become: true
ansible.builtin.copy:
dest: /etc/conf.d/prometheus-unbound-exporter
content: |
UNBOUND_EXPORTER_ARGS="-unbound.ca "" -unbound.cert "" -unbound.host "unix:///run/unbound-control.sock"
owner: root
group: root
mode: '0660'
notify: prometheus-unbound-exporter.restarted

68
roles/unbound/templates/unbound.conf.j2 Normal file
View file

@ -0,0 +1,68 @@
# ref: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
# unbound.conf(5) man page
server:
{% if unbound_enable_dnssec -%}
# location of the trust anchor file that enables DNSSEC
# this file is generated by the `unbound-anchor` command
auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
{% endif -%}
# num of threads
num-threads: {{ unbound_thread_count | default(ansible_facts['processor_vcpus']) }}
# more cache memory
rrset-cache-size: 60m
msg-cache-size: 30m
# prefetch to keep the cache up to date
prefetch: yes
# fetch the DNSKEYs earlier in the validation process, when a DS record is encountered
prefetch-key: yes
# Faster UDP with multithreading (only on Linux).
so-reuseport: yes
# disable special large send buffer handling and just use kernel defaults
so-sndbuf: 0
# send minimal amount of information to upstream servers to enhance privacy
qname-minimisation: yes
# specify the interface to answer queries from by ip-address.
{% for i in unbound_bind_interfaces -%}
interface: "{{ i }}"
{% endfor %}
# addresses from the IP range that are allowed to connect to the resolver
{% for i in unbound_access_control -%}
access-control: {{ i }}
{% endfor -%}
{% for i in unbound_private_domain -%}
private-domain: {{ i }}
{% endfor -%}
# The number of seconds between printing statistics to the log for every thread.
statistics-interval: 0
# Extended statistics are printed, Keeping track of more statistics takes time.
extended-statistics: yes
remote-control:
control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }}
control-interface: /run/unbound-control.sock
# configure some zones for which this resolver will act authoritatively
# https://www.dns.icann.org/services/axfr/
{% for i in [ ".", "in-addr.arpa.", "arpa.", "root-servers.net.", "ip6.arpa.", "ip6-servers.arpa.", "mcast.net." ] %}
auth-zone:
name: "{{ i }}"
primary: "lax.xfr.dns.icann.org"
primary: "iad.xfr.dns.icann.org"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
{% endfor %}