unbound(role): move resolvd vars to task

- remove tags from tasks
- remove archlinux part
- use debian default package for kea

.sops.yaml

@@ -48,6 +48,7 @@ keys:
         - &host_light_ansible_pull_age_key age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q
         - &host_waybackproxy_ansible_pull_age_key age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j
         - &host_yate_ansible_pull_age_key age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22
+        - &host_z9_router_ansible_pull_age_key age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp
 
 creation_rules:
   ## group vars
@@ -241,6 +242,12 @@ creation_rules:
           *admin_gpg_keys
         age:
           - *host_yate_ansible_pull_age_key
+  - path_regex: "inventories/z9/host_vars/z9-router\\.sops\\..+"
+    key_groups:
+      - pgp:
+          *admin_gpg_keys
+        age:
+          - *host_z9_router_ansible_pull_age_key
   # general
   - path_regex: ".+\\.sops\\..+"
     key_groups:

docs/concepts-and-configurations/documentation-structure.md

@@ -5,103 +5,12 @@ summary: >-
   How our documentation is organized and what we do to balance ease of writing and understanding.
 ---
 
-!!! info "Info"
+!!! info "ToDo"
 
-    If you're looking for a hands-on approach on how documentation is to be written you can find a [guide](../guides/writing-documentation.md) explaining the process. If you're unsure how to start you can find [templates](../guides/writing-documentation.md#3-addedit-your-markdown-file) there aswell. 
+    This section needs updating
 
-## General Rules
-These rules are general formatting and writing decisions that apply to every document. Their goal is to provide a concise style across the whole documentation to keep the text easy to follow.
+- Docs should be english
+- Guides are for step-by-step things
+  - Guides always have a "Goal" explicitly formulated
+- Concepts and Configuration aim to make readers understand something in detail
 
-- All documents written in this project should be written in **english** to maximize the compatability across readers.
-- The documentation structure is intended to be followed, while not being **enforced** to keep a low entry barier for documentation authors.
-- Use features like _Admonitions_ given by markdown and the theme whenever they can help by increasing the readability and outlining important parts. For instructions on how to use these theme specific features please refer down to the [MkDocs shadcn](https://asiffer.github.io/mkdocs-shadcn/) documentation.
-
-## Defining a Document Scope
-The scope for a document should be set to define responsibility and set boundaries to where that document applies. Especially lining out which services are affected by it. It **does not** need to be defined explicitly in the text, but should be kept in mind while writing.
-
-!!! note "Example"
-  
-    The scope for this document is aiming to convey the base concepts on how to structure concepts and configurations in this documentation. To provide high readability and a project wide concise structure that authors and readers can rely on.
-
-We generally distinguish between concepts, configurations and guides in this documentation. Their separation should be clarified with folowing list:
-
-- **Concept:** A concept includes an abstract definition about a specific structure while not going into implementation details. It is a document intending to further abstract the understanding of structure. It can also go into detail about _why_ we do things a certain way.
-- **Configuration:** A configuration can be a follow up of a concept, explaining the specific implementation in a given environment.
-- **Guide:** A guide is a step-by-step hands-on instruction for the reader to follow along. It can reference concepts and configurations. The important difference to the other two document types is that guides are goal oriented. Understanding how things work is secondary to achieving a specific thing.
-
-
-## Structuring Concepts 
-
-!!! note "Goal"
-
-    The goal for a concept is to provide the reader with a structured detailed explanation about an abstract concept, conveying why this concept was choosen and how it is intended to be used.
-
-### Describing the Concept
-This section is a summary to give the reader a quick overview about the concept answering following questions:
-
-- What is this concept about? 
-- Why is this concept needed?
-- What does this concept do?
-
-### Explaining the Concept
-This section should be an in depth explanation about the concept, explaining the concept as detailed as needed for the reader to be able to transfer it into an implementation. The usage of graphs and diagrams is advised when they can help the reader understand the concept better.
-
-### Referencing additional Sources
-This section should include sources to other documentations, concepts and hand-on guides which the reader can look up to futher explore the defined concept. 
-
-
-## Structuring Configurations
-
-!!! note "Goal"
-
-    A configuration document is intended to provide the reader with examples and best practices for configuring a specific item. It focuses on the technical implementation rather than an abstract concept.
-
-### Describing the Configuration
-This section should give the reader a quick overview which configuration files are being described.
-
-### Providing the Configuration
-Here the author should provide configuration sections or full templates. The configurations don't have to be fully complete, they're rather a more structured view on which options are important and what to watch out for.
-
-### Discussing Authors Thoughts
-A discussion why the author choose which configuration options and what to watch out for. Best practices should be taught here. This section can also link to outside sources.
-
-### Referencing Documentation
-Here the author should provide upstream documentation which includes configuration options and further explanations why and how they are used.  
-
-
-## Structuring Guides
-
-!!! note "Goal"
-
-    A guide intends to provide a hands-on approach to the reader which they can follow step-by-step to archive the guides defined goal. A good example for a guide can be found at [Writing Documentation](../guides/writing-documentation.md).
-
-### Defining the Goal 
-A guide should always have a goal defined in the beginning, using the _Admonition_ for a success box is highly advised. An example for a goal box is shown below:
-
-/// tab | Source
-
-```markdown
-!!! success "Goal"
-    How to setup, write its baseline documentation in ansible, and deploy a service. 
-```
-
-///
-
-/// tab | Rendered
-
-!!! success "Goal"
-    How to setup, write its baseline documentation in ansible, and deploy a service.
-
-///
-
-### Instructing the Reader 
-A guide should always have numbered instruction steps which are easy to follow. Important notices and information should written in _Admonitions_ as direct notices from the author to the reader. Dangerous steps or options should use a `danger` Admonition.
-
-### Closing Up
-While this section is optional, a guide should be finished with steps and facts that can be checked by the reader to ensure that the guide worked as intended and all steps are completed correctly.
-
-## References
-Here you can find useful documentation regarding writing documentation:
-
-- [MkDocs](https://www.mkdocs.org/user-guide/): This is the official mkdocs documentation, although it mostly explains configuring the mkdocs instance rather than explaining the usage.
-- [MkDocs shadcn](https://asiffer.github.io/mkdocs-shadcn/): This is our theme for MkDocs which has its own syntax and quircks which can help writing more readable documentation

docs/guides/writing-documentation.md

@@ -38,7 +38,7 @@ Once you have cloned the repository, you can just edit a file in the [`docs/`](h
     ```shell
     uv venv
     uv pip install -r docs_requirements.txt
-    uv run mkdocs serve
+    mkdocs serve
     ```
 
 When adding new content, you can use one of the templates below to get started:

inventories/z9/group_vars/all.sops.yaml

@@ -2,213 +2,225 @@ metrics__chaos_password: ENC[AES256_GCM,data:seOU504dZ9K21+NK1MBf9isee2L2rueP6Bl
 msmtp__smtp_password: ENC[AES256_GCM,data:FAih8FghRYDx3QGFCjKoJ8Zq0TkeCIx4n1jTx4/sASgECqvucg==,iv:8NDn3wj/bXsbHbuce3ycJTBVWde6XAVxv4NuMUkMbIM=,tag:jeE2b0i/8JPtguLYQvdV1w==,type:str]
 sops:
   age:
-    - recipient: age1j0876shgsn7f2thxh9kx9x5uwnh45z6sy2jlk2qz5jhgedm26g5srn9kax
-      enc: |
+    - enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VWJQWnBhcDc3VXh3TnMy
-        RFljQU0vNS9iY3AvTWFraUxneHIremlDeUZvCmdzd0twWHZEdTZSbHpLbEpRRDNX
-        aGI4ZlczN0tFbC94TzJ4bm9aUjkwcVEKLS0tIHRGSGdkQkN6ZEVTUjl1cGhMZzVI
-        S2FtSktoWmF2TjZCZnNlYWpWYzQ4MzQKeK7f+UPSanQsOIXNjzZa9B5FafNFsN3W
-        sjssDdbNQ1OEn2CLWRVQl1umKrADuvd85fMu3gUZrycZRDCCfsBzVg==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTzAzaVFSRDQwN2llbmdl
+        alBBVDZwTWhWUkV2L3ZLZmNDUDRyTitDaFVzCkNRTEN4ODV5ekxRVlBZT3ZIM2pj
+        Z0JxYUlobHZCeGxxNE9PcENkR2h2VDAKLS0tIFZiVXJHSU5naXhSSEFobVZBN1Rl
+        NnVDUVRyVWxlUnMydVhiQ2s0bGMzTGcKh97/UOPxrKieK5dKdGyRqCRi8Sm5UNcT
+        I9jLCPqX8Utt0e2EEp+ivJwFxgo7QuNCYWu6jtPCO/Zmc5Q/2tJQ9Q==
         -----END AGE ENCRYPTED FILE-----
-    - recipient: age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q
-      enc: |
+      recipient: age1j0876shgsn7f2thxh9kx9x5uwnh45z6sy2jlk2qz5jhgedm26g5srn9kax
+    - enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkSmVEVyt3OCtvUUNqV2FR
-        QW5WaDBFcnZVMTV3QWdSLzhxRENCdGNaVFU0CmxqM0xIWUVCSUwvY1pBVjQ0RCtq
-        T0psSG84VWdpY1dYa2doeFZXd2RKNVEKLS0tIGNFeDFRYzBDN3NWcnpUSVhEWitY
-        RXhLRkp3ajdlNGY4R3hRcWVSUU04T0UKdprDhBpp0aMc733Wx/K7hS/nLVohvlft
-        N9aSQdcRoqT3/iMGu/6xdqbeq0/7a/U+6JvhYyWLkLsrzw2mlVRoIw==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVUtpb0FmeUduNW9EdHJw
+        WEY0WllWdE8vRlVhODU1dUcxUnF3WE5mUG5vCnBQRlNkblNHbUFESXhvQ05YdGVW
+        UkhjdjdvclRmTk55UXRGRStXREFiVVkKLS0tIDlkMHhxVkxEK1BjV2orQUtndGc2
+        Mk8rZm14SzFWTjJTanVXaE53UmViS28KQmnPfzLhgLasSuu1Aflp/JDWo1hqvYjb
+        BijruPUZ3NuoZ4Wuo56FLlTLrch051fI3ottzy85FfX3lRnWZ2IK8g==
         -----END AGE ENCRYPTED FILE-----
-    - recipient: age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j
-      enc: |
+      recipient: age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q
+    - enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWWM1WFdidkY4a2hLNm03
-        TGdNNE9ZK2lvelhYQndTYy9sUzM4TkN5elRZClJwQU1qeCtwUlFzeVE2d0FSSCsz
-        WTdzQWZLYXpqUHcxc3VEWHZvNmZibU0KLS0tIElCTWdraXRLcHNHMjR2eDVxVCta
-        bHhVdFpOdDB0eUR5d2hhdWJlcmJDMjgKBbVkm7LNwnoUVrUF3NPI7d25b6tAIr1t
-        HelMjQU5YFM7DvRYFOlNpgO7WmddNSq3C6WYa8AZDGpsjc6GypcLVw==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQSm9FZ1VmVWhadldRY0JU
+        c2R5d0tNMDV5U2tzbVorai91RTFyZFdUMWo0CmxLVUJYdVFUN296U3Q3MTJQM0JW
+        LzNTYlVVVitRYmk3azQ4VXBLWTZiZjQKLS0tIDhXdFZaK1BWVFp4M09jbk0zdGpF
+        dGxmUUZkQS9sMXZoeTJETGpvQW5VQ0EK9Y/trD7VhjQnqY+KryPfEv1J/D4NCWsx
+        CHv0R1ps6A0qoRJzS1UNxU5bLXDX1RGQiU/arhJ7LXFxHrNOdObsZQ==
         -----END AGE ENCRYPTED FILE-----
-    - recipient: age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22
-      enc: |
+      recipient: age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j
+    - enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTmRaRXorMzBQZWwyNFp5
-        VHdUUElyd1V2dUcvQ3k2STQ0d1QyMytsRG1BCm5CVCtRWU5FVmErQWl2N3Y4QTc1
-        Mnh3K01QUnk2MGpSZk1NRVJWUlhFYWMKLS0tIEFOM0pMa3RVNUppS2xOakFVM1lR
-        cnlBL29XQVlsL1ZCenBIYTQ3S3JxQjQKq09vbn1XOC1jIXDpv+ThFMk9k7SyYknr
-        MBJRBp/0PrKBo/Xk+RCSWSLjgali5Cc8KTjDTJyBG8rFzzvLIazBRg==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBreTY4bzJ3T1FHOVdhS05v
+        dG40VWdVeWRpamdqd2ttajFJUjdYVHB0ZXdVCmk0UUJuRHdsUnE3ZThNakpwY3po
+        b3dtWXNNSUlvbzVHcXVIclNlaVNub00KLS0tIEMwL2FYcEZ1dkZ5MFl0S3pWSWFJ
+        NGdXVXA4UGJIOTN4UnhoMjRYaTRNWXMKGJNomXuB5TqXZKWk3Ub/rEc69CrfYABw
+        bBBidbCQBrv7cnsvjsVpHHGaTwyP9Nk1ceF/gbv9fD9gZ7dwt3SA1A==
         -----END AGE ENCRYPTED FILE-----
+      recipient: age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22
+    - enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrQWhjNHlDU0RKRmdKTzh0
+        M3dhOGcrc1N5SnozMHhSQWNUdERPSjRrZ3lZClBpd1lrbXY5OEVnMVgwTGl4YmUw
+        bWpJR0Z6RDZubG9lS1BIVnEvMWhEdlkKLS0tIFhSbVFhVnZIN2xETXlWNlh3TVVG
+        N1VTSWN3SEU5U2Uxc2lRUmwwaWc0L1UKfPWAEs93dF10GZdlQt3yeDltk/9Djmuh
+        3ZeGLgkOjcJPXO2hFQMZoJY7a2ZRIxN5Oa8PGwuy7DEtmQ9PdP/mbg==
+        -----END AGE ENCRYPTED FILE-----
+      recipient: age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp
   lastmodified: "2026-05-23T22:10:20Z"
   mac: ENC[AES256_GCM,data:JbnKG1qyAkvFDXr2iHu+gk7nRjedmm+dEK8vBFW5YzndWE4QKoYWeaqRHBk7wdWO9kpZgU2rFiu4Be+ikotoMS8jKAcd5wWSrWtSreaZxxiD2TWMWX8HwPtETnYe0rjrEZ3kPcUj4QPyNTphfbH3ARLjthedRXNF70NDc+DIpAY=,iv:4LN3oslWUWqoY3rQNVDSmlJn1o0c8JQELzsWd5btn7Y=,tag:c8X1q9XMMUkXed93j9C6ww==,type:str]
   pgp:
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMAxK/JaB2/SdtAQ//VIMBtLL8lhncJeItw53fQW4Lia0hs84yuKLuSBucNXhy
-        x3LT5r21C5CZ+JnucrGPxur4clsLnDnng2CgyWhksJNknk6smQIq3ZhyBd/OJzS4
-        zNGUJIbitJsDaKjTrYDCdsQ3KVcRBDMu3ow7vzeP4wnL4qU5fUuQ7S2rK6a1hfMB
-        eTQmn4wD/Rl+Q0AWEo2V/X8UgchwGPeuOXfju2t9+1UVE0kUJdXw/JIrGyR8XrYM
-        6ZGXB3mPnlZTZjqhXVSFSSOUTRYu/0g+s/JuDLpgl8gVP+oDvSCPrB2pDNK+o2Oo
-        VbQbJMg6lMbIuewd0ZTTeCv/TFU9O51RtkFyxHIEW7dVelDrNkuciAG1mDUHFUUw
-        MHeWDjngeCzr1hj1Z78P1bvR7I2pqBQiWT+d/e50S5quNRVjtLVEjuU7r1eKiPDu
-        pL1lYJZZu5+uY1nWE4qeJiI1KambjP9/C+RUCF38yT1wNvxrbwsM9haXGbI3t2cU
-        X/RRpK5VKKKwbBqyQmkZX7xaDR13hLF2vLtdVw6L9nYVVactfnFr9HKDV95HUnhO
-        uevmzu+ShtAt9FMXz86dLYmBx90A2BSWxb6sKvZkG8UDY+vVT1K0gNK4kwxR9rKt
-        LFzCq1a3ftx3UvrNMCwaboGQZLpRtiKr0lNQvGLpH/SRDZ2HksinV16FNVuN74HS
-        XgG5HnRO9/lkL2Bn+ms7Q6+ki9QmC21FlLGJOBQIi+VHNVwy6J8XQlrs5NZPy6Ib
-        LmWIV6BdIRejCAITlVeBRBpXymdUBicPLa/VQMK2s9L3SS7MUcv+4j+vje9YR5M=
-        =IEFm
+        hQIMAxK/JaB2/SdtAQ//cayg/ELKtybgayA4z+xOUK10zQJDE/U43BcPRMrBN0+x
+        VLu/C96Eom/dJN62SM2QamThHu454HMZj1PjDynMUzgfVqXEg/eG45bBBweWrI65
+        s0tuzLmsqpdt9TJ5t0znliL2DYS3MPfmYRNbAsYsCbQd4I0YpxdzQwTvURdzjpUG
+        nVBUfzfcYH1Yqq8BVtR40MKfa/DbOsJGENHtpkQ9UDAa3gwVQs0NyZRQzg5w364C
+        UvItYlU77ZCKPkyOQuciLn4sM5poihu3UNWp855QsDK6fZVuxPTS4Cn54cfwdOTe
+        rL/ZQjLcHJ7PRmZUiWR6GVNDrY55u7zhORD4b8BgrpWW4hhxpp/ENjnRmNt8jKR2
+        dJ/5/uC4HBX0fM3mbfpUn19BxCk9+gFPmNUOUZ93UxpQ28l1lZxeiLBOHAw1srEs
+        7ZfFrJ0osedPGHu8rVOe93DCAtb/oNxr1xvGuDK/licRkEh8t8cvuoVsVhYFjNBc
+        UKXIPrhvuSj69c3OiHa+u9fNZJX2XAi0oOcZqGp+sQCCgUCA15I5QiqTpalCSTKt
+        /Stoj9BsmlSiy8YD2XBjmzHHVxJHfl8XHcuONKc3e4UmVjKlzkzc0bI73Y6XiEvt
+        zRIUmWxfvAvqP/zPcMSwaZke5h7N7ywKcjM+RHB4NqRUVYlBNwIWXvi7f5BdLhrU
+        aAEJAhBcA//3NJxuDzlf1zoXGKOhGIwNv5/Qb1n13OKIT2s0nfbqEHgAUm+tX3gk
+        VKKMqFuVmq2mkAaxXWFq20VC6djTJJS1QOaNsc6x3bJ6iDtYV19Ddn/20jbmbqmn
+        XbCDvb50nubC
+        =ZByJ
         -----END PGP MESSAGE-----
       fp: EF643F59E008414882232C78FFA8331EEB7D6B70
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQEMA1QflAioE8i3AQf7BB0RdJbe8Ro2Fv4Phw+VaR0rUIuQKWOb7zf3/9YCbV2w
-        rICGVIx7V1vJF5R5RgSfk0RDrLN3Pfoq/7Jfkq6bMoHIVCHSFdryHfjG5Dgm49Xv
-        gDZ2CPAHPn15mG0Rr/67YUWsC2Jy4y6/JY478wzYu4Og9IkxkeBd6ufBFB6bTn4H
-        qB7B2hfkyQzA66zoxc0r2O1mchbJ3A4pVJw0v2I/sWCiZoJQKmt8ksoEK8BAQCWC
-        E8sozb2opRzFaUCZSNEdhz/rnbV8u5wW378kd8kHSOlWxaFZNkWUP42YQiNTkd9/
-        YpxxGvwCTIpHGAYFtU7CV7QfQHzTuAOz7ZElPZsYkdJeAZCwUFO24nzwpxYS43AV
-        29IHXvlKAQkjJunix0bPGcE3D6T8CUs0wXL2sUSDcvgOOQZSezRn4UNEqFCftjJ4
-        Gmldo/baMO2Y054/iA0jvNmHRk6sJCY8aRYv9m5Fqg==
-        =n7Qb
+        hQEMA1QflAioE8i3AQgAm+iazJdcOXiq08MvSGMQ9/NAvrgcDav4561Hew23n4Ms
+        tKC5VLXf3l1f6yjhBZy6mnslYOWWdJ+X4XK0OqWkRr/t7zxEK4M6PC6g1W5hkaFU
+        +9DrkBLKss8atz3EhexK6GeljTuRpVWM629BtvMPBo/41eyue78TLf81vCkbUJkC
+        UpeB4alsETvD9Oz0ZRT8fipuXzdpGSjobOIgQa9bKwFMXXGY2fwBuKW8gVtSgbXP
+        mKwqvGaSdHz30BxQExmLne5ERKHOvzac2woG5tOmKPaihg8pbvuq/VjS2K0mzS5q
+        cbwyq/u4d5fGEFQYqMARW1aiyo3NjYk4xWDcGo5Ql9JeAdwhj3Wgm1wccULt2Hj7
+        z/V1utNINoB0bPFb8ZQMmPpwAeH6nnoqjWmmoRSW0tL/EaPh5xQXdEuU+DloT5f+
+        k8c2KQC+v4bh6BMUcycAeIG/h4vKsgz/Jc6BWKKD2g==
+        =G51B
         -----END PGP MESSAGE-----
       fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMAz5uSgHG2iMJARAA4zyDJtNqK5w6QPYMyEtjuoAmva91yLA4oAU/diRpFXHx
-        D4UzksW8moYqmaiWblFy1HeQJFwZWrxnXeqg9B7PFOkhriIG7al4DpV2wXoCjami
-        DIkewGoeZjTbPNxsDVl0SbDafCARQFnQ8LNTmM2hi2X/ACg+c8mSM7eK6C3mh8yG
-        Bo2EsuCnIqzwzV6XbGCKnfOUh0QekWM7Jc/e3oYGSgCP2N5wb2PLVsW1220qdPvo
-        8D1l5cDVj2Pgq7fnfbxZGJYSfdgJb1YweH8mjHk3gHU68AGeeSkV+VwcBGV2HObg
-        hKSbVWcyGAHrP1ppCNyXr5ZkBgyvdB/EjxjLqTLq7sdTnqjLLbMLgi9CCI0NuDMI
-        jfgMjOdaImjUvvr8lCl7dOMyp9wc6ks0bwRbfG3AMLGKWeR+un3uaDYujD0bQLqZ
-        m0g5mx1wHxNCJIb2ZQ6UVjDlnatTYGBnxEupqxr9PFyny0MRhaiYkuDIh4tHW3nH
-        xyCHN9QIO2/EktLkM4wcfhOeVgdpfvKgT+cMG9kS/yfInZ5ZAGvXznzvfNZZtKDL
-        fLvvF5AqYbN05c0h56WJa65tIT75P2wI6ZBncCSLqSAzyXWlZFV6UBP+5QLEkQaE
-        WtY8y2907OAx1v8g6vc5v5oHMqfwfWC4nuFbkoJo/ZbfvtDWq4eFZfkUKY3Au5LS
-        XgE/l6NTtWknF4nPYIRaibum4527ke053JdD/50eqfuRv8MFIHbRPfWE4lE6lgev
-        +/j0Ef9sYRu726Sv3wAgT7K6PmCFsLN1319OmjkZpBAJiNsxx9qwXyqgTpTvb34=
-        =Hr9J
+        hQIMAz5uSgHG2iMJAQ/+NjXRTghMiYErsXenuJRaWdwHZ+6DkkG8nC5b+Aigljgu
+        OJg5UQgYtX5W5T79uUuEh5BWKO5bMHBwDNHQC7Hn1FseYgrOxcoSYOsewlb8t2QH
+        fqGLLhv82nRnU0nTs8W/yvrBH/ub0kAtuko1jkPSAWnoonmeEW970iLVIF9lCVYJ
+        idF+DDSiic9RDpHd4Csuxdv+1Q8OcaOW1HVAUrfrKOvC17sawd1Cat2DWC8EcOVD
+        clNn6A91FBCTxVnxwM4j2J/NXP1JRIGnlxaa4lATQMiX8lfheu0LyEpsFZai55RC
+        dq20HWqPgYHiamp6eGQ+Uqe5edx6F5YX/25S2Jfrx4D5vRh0PFx6blY0kgZJp16a
+        ywNiMtLPh7HjOMbB1v7bcWtIDWrIhWDtyJ7axny8sMamCLCPOwPpPvdL/B5YOntm
+        +0wMXHXCLCaljzsa5GFIyVYj3pTY/6O0Fgkv+6ow08ndPjsViHNikufCSW0ueIFF
+        ehv0V2+AHhedoHChFZI/DEbGzIKVcr7JAA+GHAIWcklg7O5hss+/rr7nYxVB0A+t
+        Sfp5kVMInLpCPLRm2retun3zPF8+R0kN/ZrkLy02K7z4rrD8wVE5QUvSCWbpKdfS
+        deWIy4lp9wRXSunag1/CxqvrH3ZszlxSZPEQkC4hez+xOS//L/5QsiP52SavB9PS
+        XgHvkL3slXXsdnIgm3cYnHqEBf2rXLQR/ZTzusXMLEBaGCd9JB33T/Lz+TUftCUI
+        xxLwzFvm+dEvQ6bOB6/OvSMBIsvVzMZxaIblwZRdIYfQovEdKLCRc+F4lTqV8fE=
+        =1lXS
         -----END PGP MESSAGE-----
       fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hF4DsZXvxFXTXoQSAQdAp7TsXm2MaBAh0qB3eOjtFuegcEsmtdQHsMP0rs0N/m0w
-        bbbzXLwq1TGL82l5Qon4NnX9Jg5gXnKydWOiKWhxCsQ0iHJ7eupJLxyfDD/kzga+
-        0l4BRUpbBFslWWa8Fb7zfNA7kslhkaQIJAmN92Yh/2NdkpmNEpMMaIrx2p2jK4Iz
-        mwGUQlUz4ZkK10xy+9LMaAtmLhBJgBhDTKKzw7OAsRAnASq2gXA/4wqEVgBU9BxB
-        =tBBK
+        hF4DsZXvxFXTXoQSAQdAJAr+RX2f5gW5PpXJ/WA+1qMPFjuWuDccIk1ecWzc4kEw
+        sNH69jVC0JL7l5RMrJTAaY0GRTMrJffoz28JxpVbUVFEpeHsd+myGCcD1jZyS1MX
+        0l4BllCKEsOVnEKKxOscOIctaIw8/MDNnLSoP04JI2xVKKThor+UwUhRzg+fVwxH
+        uEiHsx0xA/q0HVXhTNIvIWn0CKx/4uV8JwVa9JqjSSyQVm8PBwU+UTfXMQ5VcuHv
+        =uxSy
         -----END PGP MESSAGE-----
       fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hF4DerEtaFuTeewSAQdAlBZhTjLL3YPqorSXq0jet/0CXmeZeLL8inGvm/HgmgIw
-        aplmjWHB80err0ffZeRfcvqx9DGujpwlgoFGDxjqn4LIqoNg6YK/VfFb9pXUvIOv
-        0l4B9xQ4DlaYOX1egCQUBw3KcdcnNlcEZwTOwTKn0Hg3gXp0u3TYlJFZAchw2G+l
-        XJjlWiwJN2gKfEG7hrtZ7MJkYJFsqMFa1aC1oWHduxU4jmdRdQqdIaQDsqkcqJc3
-        =KNVY
+        hF4DerEtaFuTeewSAQdA2k3VLlMvCocHQ1ULFwTJKqscSb2FScq8A2I1TIdlfXAw
+        jWLzGphdsfHuNBEsocoixm4nKAdhjgBsud2rfYkuwxpqX2MlBr6ikpN73dXlHtt2
+        0l4BkUvmqlioN961OV7nssbeQLzb49C9Gzm5S1dQqBQVCt/7qGodTHHiQON7bYJp
+        +OgUaI6bKZjd9Lhm/u98dTH2cdPm1B5bUQPDzptWX5vG8euzBQxXc7OrGsTFyYME
+        =e/rg
         -----END PGP MESSAGE-----
       fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMAxjNhCKPP69fARAAhSBdgW04fKM8tAU8sC6h8/4e0Io3W/D2l6P7nZiD9WVR
-        2pUqS12mlNCoRt1I2empyJ5vm1wjor34BCuSCiyfLQ1WIlBJlDro96ygpsHZGmam
-        tNcrgwc7y6rg4ycqUWr+H+WVZ0kw1IYYKbfAjMAJF5lQqzz+VMvET9BbmvA595MO
-        l/dnMColnjxxBiYBIzO7mnli+uqRHB79rM2VVlrqoT+C2s9zuPfpJfY0PJaCbbdg
-        BlffAMqs9m2JZdDr2r0lrN/jyLUB2d3l9NCcF6UYP6tjgZsKmHv/JxSgXLf6IklE
-        wolO04qgDRK7jeO2UGEniweVQNi7hqA4vkp2TskGbfVsS10PyLYKw4N19GedLS3c
-        ZxRGde42Fze/PrccWq8bGdOfWhPBo2/MEyqVW4lgTeCCwrFRO3UNyYcWo7cmaN1q
-        lz7uaV6ffqbUDJSkjkphvxnJtuX62x9Uv/wcwrJuZUarSNclQ0nQV/e5wc7SzPgM
-        B+GLeR4tnconDZGFq8q+KKuHe7MSx2uwiZsJIVXohcZwhkd9wk5YQBPc8i4aP0NQ
-        wsb+QptuM8VpCEVAwKOUjp7IRRfUyqAIlmIRDkTijmHknSmI9HZXPyCvTLoy1Szf
-        KDrN1MAma6b4gsru1fFnVizXQyZozl5RVZFP2Uv+ndugdvRE5sv5aevlzgaWFg3S
-        XgFqaFwId78UDNTrxcs4EzjHmlwg4E05G9pUqbA9zBDdCqwlD4+6CfAgQ46A6ptY
-        5p2QQJ3KXgJXrtlJySq8piReyq3mpagtWZJfAazovJA/ZF4o/xs9ZIu/q3qxHSE=
-        =nR8y
+        hQIMAxjNhCKPP69fAQ//VLyOILC6lpvlq0W7NeYfUzL7KtKYXVDF7aSQ/b6Vn7Of
+        ggc9n40n6FkMJqknhbvSnhhlFdzVOCZkLy/hinNk+jF2POBlLbzBjCuzQSP+ZDyC
+        Dll2UJ/khITd+tQ4zwrFLpixr518Fgcj8NOgtljUovxR1bGIzYogpmiVFJEd0cT4
+        k7ldv5WbZtB2UprhPPpNe+98BaUvuSvA9RWCogaBbuQpY2p3g9t9Zo58spOawbP4
+        ccz7Pu03Esy3cenlnCt3G7gl19viIh+wHKrIXPa8dGO6TEsrRMPT0tNEs8iUJyDO
+        TNEgo6+yxQ2p+08EzAh0BCRwljqnPLjS/h2s2s208Z5rBOCpLY9RuoXz7JRvZ06p
+        gBgPFSIH12VBGjfqCB1uZIatbtLQLjOo6+UU0evM65WhKw3//tUnLrox1reoiRzO
+        ro4JuytP+f4PylQRsr3jOYKRKCBzoZOOPZbVEpwQeBOe9zzxDgVQqHgVDDZQzCcw
+        VTHCrs4XVHxPH0aRMlS4A80xbH7VncYbcbf8a6VrTpnPflv0OryWMWDqLBzmIPgM
+        W1Bz/hq/o6br+g4uAKjt4GTdTwWYxptA5L84aMoihpXRu0MaPhG+7MRsXpEa/+Ll
+        +ybl2DLpm6zm0iixkJuxwtOdQOGjqJqC/GLw/EZJTt2aO+ZUb8dLrChNmR7HJAjS
+        XgGBpFYao1AQqLZU3c+5B2/9/3rtOoVX1DQXhUsji5NkaHyYO8usauj9evPUf4qx
+        FAQRWua5/zp/cTlNWU3GknqtJ1G0g1mrkiVeBZCRxIK2Iyvyav7RALJ1jlkyW5c=
+        =meb0
         -----END PGP MESSAGE-----
       fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMA46L6MuPqfJqARAAjpM3MO83b2EUtzyZs66HWH6Kd60rl3QODTqs4PQm1cH5
-        HdzfVJ2IDo1y+FMTMmfJov6xBqnlalNaOvg8XFAkKTUkZgUHRW/q1WXP4FywTWmP
-        aJV47x4dOQXQgj/i/ykMspUgsxA5049/nG1y06Wsm2agLO3KjL6KIJAx0LI28XPU
-        qA/NFtfNuEAv7DGS2LGz1+X1hnRYcBX/oUgpihzActWmMORD6VS7xZGcMdF2/+Ex
-        OCDAnwT0cBSAihBSLTmEMJ4xfmMG228nbLqm9r/gELgVIsIL5hXWz0CtxaewwLQQ
-        XFMm/ZV/G6bZKRJzKPOR9EcPMF7Z+nnBts9wKNlE+WA32p7zu7hjvEFZhLiDKYlN
-        +nFcx/rvyWB6sbFK0xn2x5MonxWNVUy58PnqGWmPi2VtXT1al1zSAoKAgg8Xdw21
-        PQENtxqeUSLXXb0SZXFptMmYStwqoaFusLOCLW42DogFU246o14veDDtsS619T5G
-        RrszsNg543i3ra7MIm99YRXyniUaDp5VlKufPkWRexIT5YZYalOLtdLcaTTzfr7J
-        x4PNVOK2ddtmlKbbakvvmPWS3iBEUGMqw69dPhEdpY8yy7HJ2jpXX7TiezNqGJ9w
-        XqtI9RJmWrr0/zSoim0EpHDwXZhSf7YVcwTs0XCtwrXcQT6DLaZJr8cny/G1ErLS
-        XgEdnUqFpB1D0bacmRpfHA3PLZJd/x0QfwZ/b7gzz3f1xRfMXgnsM4iYu1S8+VAW
-        Dy21iVFZledWfrmuXh/PkLFftLipYK6tc0n922kFFxCn/xSP0yx9qKlNwzyduNI=
-        =4+Bv
+        hQIMA46L6MuPqfJqAQ/+NK0D10olgDK4KcArzoMtrJR7qwbrceSeKwaQGsUB1+RZ
+        xv6pZJ0zyw7McTuUV2I4bLYHy/TffSyJk5vLSSTGFXgHVdfKmjvm7VDEp5d2uKku
+        GW3Qh73quldfhd5GjO+F9V/S3rCysrNMpTmPnR5ha877FKGtc8168XRhIpe/1+mP
+        mvlE6h0Xizbx9myGR+ie17nHpoH+tjTtQFH640s38+xDgH6AozwWGUe/g5TdLaLJ
+        8SKHyQnS8hOHQDkttvhWRbyhKa8WuGyOKSjuQ81HIv+/UPxh1fs7vovPHM8rtIyy
+        xGcWPzUeoKQiV2nyXUP3BqglhOhD1vokh3ejDcxwWWKuyASCSXhhvW7KMsV3Stdd
+        E3O1nyOi4+2I2E4TQo0NLt5mTJonPbvSn4IvV0LuatrG902UeNNZRRwQv3ZrVp6f
+        G2ZJ9HNSs+Tp9H8cJzBGjDBYjC6/d3GGWi7N/5G/n6C7T6W81BgO8UiQOleEDF1c
+        Bi6NPNeoGL8fivVGlGTHpLcpPpbYz+1ynsFs1ho4+v5bHS5w+UfvVvQC7dlDKmR0
+        fUAkllcxLSnzKkpKis1HF+Gp+lSNc75/BzOeTA2gS3c8H9jMuncRolndPX1rVJA3
+        mrLiQE/Mja9NaYHzUROKIHDEUOQ1ZzvpcRduggvfj6Gb2wzNdUdR5QrXnLeI2jbS
+        XgHO7Jr0HrHzr/+p+w89U+uH4b7onseYDiAjfLjAZpcYwkzuy7b2ZUmpLq1BjZRo
+        zs+rSqv4BP0Xa7LNIFrHj4OeL9ivwP7Kw/Tb36hU8DJ8xDfilx81n69Fer/cJ8Y=
+        =BNfm
         -----END PGP MESSAGE-----
       fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hF4DQrf1tCqiJxoSAQdActtZQL4KWrCP8UUZa/fLeDltuNV9JjxTYiI9upoH12Qw
-        6n8EBLgKKNw1Hsb40u9M5Ro7Xzbys7zwZsL5CxEgFGDBxthtcdaI/ykjU0W3poLE
-        0l4BcMpLoCyxxwIn49GpFxHiv84Q9xhouSMmCTe2p3bn5zCRBnKsetVHtEti4iRF
-        sY9FipGcyiNHfkp8KsWeUxD/j1QUIkGODXt2RqYkO8ltA5QS3kUCPErmWYymEAEu
-        =RFaD
+        hF4DQrf1tCqiJxoSAQdA7az9ylWMB3fWHwSVRmU8Gu4Qnd6HIyMuiG46weuS/Cww
+        QMCknkfCG06HtMrOcroNigaj7G6FEvDm64sUkpW/ggWkHUUEMuwi5jcKIdx7XdbJ
+        0l4BDGUF81uOghQUq/JqDtiYPD8IzRHMXbJmXiO+4y6DE5b1t99wBUt3C5K5H91D
+        U3blcYO6GROPSkVp8ZIzfnWLvyVoWInd1ZiRs19n9MN6Yf8uWfx9/3xvN2kKQyvj
+        =4X+A
         -----END PGP MESSAGE-----
       fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hF4DzAGzViGx4qcSAQdAoNdta1fDVjzrPWeSfKrmslkoFi86I2nWplPOli/gFXsw
-        2Cx+wmejLlc61RE5sqAaQJc+0ctRezwXzBJbkuqznZ2jWPCK2A1EQ7r3Q7USCCca
-        0lgB6XOo0ByOj/W4TrrGn7VmwLvEqIiWCt5zk4BEUSVc62Ffv48dcwL3hsB3HlRw
-        6FXyR+2zwyEU5fuddFO4nMi8AXB6cfU6F4ugFgwn92lCgTom7IULY1D7
-        =Czq/
+        hF4DzAGzViGx4qcSAQdA/+jZ9/0jHioWKE2TK24OFDKjJ8futm2TP8z6Xat3uxww
+        DGwSznxagIkVgdTNKqAWmzGvOum8xDBqzP232CM8B/oxmwIjuIV8+FXtJuFHA/4b
+        0lgBN9loSuX5uL5O4uWzPulEhqjFElrWRZXLHZn7uIWipW/7mP8CGu02wwV/lme5
+        jvtJ6EjgopmHrxyaJqRk+e65gxBYKvxTQ1H1iETCUq8lOnxSBZVY5m5K
+        =7H6g
         -----END PGP MESSAGE-----
       fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMA2pVdGTIrZI+AQ/7B7h5br3PMgum71smOTJMBfl4OaxkQAirJeG/z2fjqbAG
-        l9q62H1cutGKS/IYOFLE0OQaRwmHtkdTkrdmf9yIuAktcdAGAeqwnYW3LwM3t7U1
-        nfZRJH5Hi4xcSVVaWHn5mX0QpxzrCye1EIjHvPRx6/bWHD5sW9qnkZAlAvEJS3/K
-        jdyBLLlK8AITpsX4eeVnmVLZBjbVEXPlXfFCh9PFyqrl+iyBBY9bO2aMzWldbQIr
-        j1551Xe1wKAOn5SJTg2Mrm5ehBKfH53HY6ubCy9acbv5ZTe6JuStseWordtRNNXY
-        9eVmR3MRVoFWgK4Ccb9Qq8l+uEHRuQfG9K7dSnxQIJpHCOAQO9oi3/ykDt9Vgvo6
-        WKPpvyuJpWc5Tn+WF1qhz5wDTRX6XY+cUoHkUqZXG0qMTIfMLIAFZ6MuslHU9f6J
-        PlY0FTnwp5/v9rK/rjXZkfIxKjQtSWZwkZCszZ0WtNVuaY3KO6KYrd9rolFFYjqn
-        I2xFGnTNZwh3tjG/3INoMwilOkIUNXr18k6FsPqVCAhj1Oo0iNxb3j+3pGJsH9iN
-        ciTLeM8MsFW9MYXG23i65a5WVXi8hMTcyqCy9GyxLeFprt2DaH2HaBahF3RIWPop
-        KTNsvW1aawy+lDUyr4mBy9F0TA8Z1/db3l950Gtuz5s9/7D6bbmRn72O++W1RD3S
-        XgE3QuksqaIh7ZGt8tVPREEHpBWmPCskh35vLoqeO1QxGxzJcjrcuNeHtOH44EEj
-        mHzYUydn0e1jwKZkATG23DiBCyMpcNAWmsMH45wmk0fgNLdQhuslhKLqOUDLpN0=
-        =Ygd+
+        hQIMA2pVdGTIrZI+AQ//aZjaPgcAM6RSG6QCnYJgn8EDEhG7HDvXmb58G7VfxArr
+        m+K4Hc3hW0Hh/c7/bzu2QWniN1ie4apqFSvQmAIJ3zQZSyOsqhzvbmyTFRAyzpzO
+        lOAo/s0xMu8s5V055vC2KWnKuqb9+WtWgJPotkpOf7wQM3aqtvXKFnPa74ihjXdt
+        uuopRsOsZPiG8MLcqkCrTy+pd1PywrqwjKeva+mfgbM8zpypw4kwLwrljsxCThkZ
+        To4dH+K8oesvSeyVOKWtAwnjQsPa3Zn5CFWXNwPnn2kpjyMoNRo07xuRkfHYI4L/
+        7D8zz07XdN47kJbEj2BYjChURtbxkFbAxq+IUDgbNDW+M7VQCKZW+vOFjwmFJAlT
+        CCco2I3lmrVX1j9BTMRr/3aQNbY/OzOxk0qjYZGnPqV1bH4IazaDFUB8pOdmit2t
+        KBzDt1L26V0Ek1CpOp1dcJxneITXX1j5IqjMbl0TzyoJ9CxsSaOWfZ6XsBBSXZNZ
+        VnDENbBAOGcJgatjmC2qH5FCNio7vMRRncX5j82sytDRWbj/7XHENFpfXyGPIuYg
+        AaHyxSVegFCeRUHpzXo+qeFpNFR4407v+otVaEdxbfj6MQfMZ7tDUOde+97NNRow
+        tAMUOAN9yhGuEPMPr4stQUz4lHseGMX3VdpJH8UQH+BxVdJhzKg0H/+6bAmnRi/U
+        aAEJAhAi7DZdrKpPPkDijPKnXCPJB+IzdAJdOCsnIhZFzaiDUo+RLvP9bEpoqv4m
+        ZFMtiF7P7bXyeNIObCCsgKhdX0thXI9lZvv7k9M4lAbFhPS9vlmDwf25t2Nm9Um8
+        2tbINg+K23jp
+        =syE6
         -----END PGP MESSAGE-----
       fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hF4DKKbvh61jX5USAQdA8qtjYHoUe+GUdy3obbF+pNmvfuKQUqkMHa6V5ZXOpXAw
-        M/kx52Vu5xOdynB3NMBXsfTVH7KXh0f06HcehTREOkhlwVMYPcvDQQdzgJ3Xodpc
-        0l4BdYtmbmk9ETTqr+wXvf+6BMYIuvyhsLLSqyWyCxJv7blQYsxsc3EAHZ4LB0ZS
-        /lw6gQ5lmQyvVt9PQZayt6Iku0+WMJcgrf9xykOAm3N2QrtUnr4jHV3FydvTiUwR
-        =snV0
+        hF4DKKbvh61jX5USAQdAHw+hxKofus/fR32ThZOHfkL+8TIPvWeYnTYe5UUCC1ww
+        AtCE+MfZvMgRx7gUpVPcdWtch6nlFzun+r84QfPopFk4S824JFEkK8jG0scYCpy3
+        1GgBCQIQm+g/LWX0T3Do0NXrRGIuw0fiKrQiOpEhbO6a6ez/pES0zKKBdlH+scQl
+        +nLZoz6Mw5mkwhY6zIKsrikuQ/+sciO2fIq9tI4MR6cvD5gmVrGEjIyOZ4xgl3X9
+        nX6OVR9w8cR7rA==
+        =voeW
         -----END PGP MESSAGE-----
       fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49
   unencrypted_suffix: _unencrypted

inventories/z9/host_vars/z9-router.sops.yaml

@@ -0,0 +1,209 @@
+ansible_pull__age_private_key: ENC[AES256_GCM,data:TlMDo9sUTYznxKOGityGLexk54mM7LU9+U4ln0YYhO5fhXXmwvySxyMLHlaKzSlpU2/mRRy/0v7AIOuRVZx5XqV8X2JJsv3/NeY=,iv:r66g2UQ663KvWyAISitbHBRaLBlJ0gB2g/TW9JiL0Ls=,tag:VEq3Fqj+t40uBo9g4Icfew==,type:str]
+secrets__secrets:
+  - name: ENC[AES256_GCM,data:gt9BarzsfE/GJ5gQeelgePquW6KAgE3Exv4=,iv:IPpUQI+zkf8O+ej+ZxLFyWUOrxGGlZvmDRG0ut2cNsA=,tag:GP66MvcKyCqyKV814+uMYg==,type:str]
+    content: ENC[AES256_GCM,data:2ljp324rAsF2zk2631TI7bV1xKxdFr4u4NxrsPYnjWsL0PX0n0KhJ1qvJCs=,iv:0+DxsTTiNLOg5iH83bFT/d+0uW2rn6bATSm3xc5PEdE=,tag:XbBDrrjriXPedyT4+sBBwA==,type:str]
+  - name: ENC[AES256_GCM,data:9i4hZU7Hv/IMlI/1oYthx8g57nrst9LHZQk=,iv:IQanD/CA64A+hVyTQBiTvWdXyY8qNF9BpehWZxI5a9c=,tag:RiY0OJe2xbFPG6wfe5XjiA==,type:str]
+    content: ENC[AES256_GCM,data:68GUwG1Q2s2jH92HS0FQWrcMHJP8fHjrOqr21gsdswxKekQrpxX5B3BBFfM=,iv:HOsNUAKE5rOmKgZft2JK1NnZUuhk261d9WYWJS22nLM=,tag:3husFvB57AGVFzF7hKzLpw==,type:str]
+  - name: ENC[AES256_GCM,data:2lJUcDJ7ECJ1bF4Fg1VwOR2tBIQ77ZvDAbFF8w==,iv:HrPWIetjN/lOyQ7Mvk0sM1w+bWldlNfWhvw7/sfqKN8=,tag:AJL0s+f0O/yR4G3RVd1IHQ==,type:str]
+    content: ENC[AES256_GCM,data:68GUwG1Q2s2jH92HS0FQWrcMHJP8fHjrOqr21gsdswxKekQrpxX5B3BBFfM=,iv:HOsNUAKE5rOmKgZft2JK1NnZUuhk261d9WYWJS22nLM=,tag:3husFvB57AGVFzF7hKzLpw==,type:str]
+  - name: ENC[AES256_GCM,data:ESxpEp9k9BdD1GJv+af+U3ny0+RPuaJjWDhQ,iv:DxsZLiDF8F+ixepbUdlitMJ7DLHjGNFNuxRwLl7efo8=,tag:STnv/oLzbchdiwXfKP3fow==,type:str]
+    content: ENC[AES256_GCM,data:W2h5AcoT85OkekPeRkrf1m0bDdBjG/YNSbWlrcZtP7FjaPh/F+cx+J6oRRI=,iv:CLVXTqfstpIU3BX/Zdcnp9w0gWxeGDI/G1MNl6xr4ZU=,tag:yCqN4r1MV/VTWQvZ6COfIw==,type:str]
+  - name: ENC[AES256_GCM,data:IRwwy+WQxgQ8cDpB8HaCLpKwJj7oC87p0XOxWRo=,iv:BLXNMcigvaOeY6y4NlLPMMWQt9XFi6nodRwIYFgAAnU=,tag:OdQalmujOgrzW8oi64xMRg==,type:str]
+    content: ENC[AES256_GCM,data:C5oIcuEYtODsvjQZnbqbWVfP63mQzcRuh8f5rlBCyjwSq2mZiYGQe9t0T78=,iv:sITUDo9SKZTSwPfsMv4m4U0ruuVCcaxu7SUT52U4FSE=,tag:4CsSMJWQQPAIeK8DwUDBqg==,type:str]
+  - name: ENC[AES256_GCM,data:r0sbpjaGjezoNlyl1khy+Dly+8xbbfQZNB8om/E4/tj9lmM=,iv:MLrglBJA6BrHGmFRprlQcf5/Hqh952e5OyQQ9nPxumY=,tag:Se05kMBkSQ7TRxzij7Fo8A==,type:str]
+    content: ENC[AES256_GCM,data:/c1nRf1eZhbUmoQWvcj8yDaVPtyAN7Uu+S054q3C1/kXlQ7CgOe4CrMXnmk=,iv:ppar0aCKuIU3DOjwAoliZ5TOL199Z+Ffo4pCktjs0W8=,tag:nfaGutK+5KnlWBKU1MTxkQ==,type:str]
+  - name: ENC[AES256_GCM,data:7mwuykEqbGISOa2n+pWb6INLsHYdjyf2HxTtWpAr5xP1,iv:NMcg+L2DFtBO1nhyPid31yzLr+ZX7DUGl/WxV1MnrqU=,tag:65/BiUEI8v5oMlQqpKNDRg==,type:str]
+    content: ENC[AES256_GCM,data:SObbA3D/sGN5/i5ps4Zz3alygIXKbSgptFjfPHlwC8G588O+gKAkvKQwU/s=,iv:PY2vLfI3gInFeQbse49KC2/zZ9O4jeXAQ0fpP84GHHE=,tag:214Mb8hIYDkQ4+UkRWtc9w==,type:str]
+  - name: ENC[AES256_GCM,data:bES9O6JI4wTnuZsup9gflfaozeUDkfjVGNIFn8RnZQ==,iv:98kigM3KZIN5qXNdgfLg5WLmxzAsYCjNqVzyUPco/BI=,tag:1fwEtwQ6i9QQC3OCewN0eA==,type:str]
+    content: ENC[AES256_GCM,data:flO3Nb4u2WfWNVhn8k5Bgo3LmsHo2cVnLCsrz8ST9Ip7gO9FY9d27FQgphM=,iv:aiDoq+41cSjwcCZRaIPLtbltkOpc7FeuNN7swPqkHXQ=,tag:OhzcY2xKKJF2jZVRseXCFg==,type:str]
+  - name: ENC[AES256_GCM,data:ERsggezMBbs1YwbIgwzKSAEHWWOWYxap8IDdn2YtEKvZexqu,iv:XbObLp2QERgt57tc/Cpha1CWXi+GttcIU8hJFGSp8e8=,tag:FqCuSbvLRERpVnQTzQsfpQ==,type:str]
+    content: ENC[AES256_GCM,data:QPoZA71CwE8EFE0I+6z0z0O1bUCMQDDDG7wGNoxXKt3ovLkFt21r8WG7VhA=,iv:InX6A71f3DGTg1wO4G0ECf488+FnKgTHffVwvJ9hHQ0=,tag:EVxwJlneN1CbMLXto7uLFw==,type:str]
+sops:
+  age:
+    - enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxallVTFdueHBucXBVNzIx
+        cENqanlOOUticExzVnlERS90b2hWQ2VldUE4Cm9SVmhZejVzanRDTkJhQzhwM3BM
+        MGcwTEZ4YVQvdjc3clBHei93VEN5SkkKLS0tIGI3KzRPbjlNTFFBL2huYlZSVTZh
+        OVdXYVRkVVJwbVltSHBXRktIY3BYL2sKe+eqKzYeCUWx0KmT0+aM+TwWRj+P0Ecp
+        tnFHmQgnEPypIhVvZtzL7i64kL6sHizTmNhbw+hlnCztvsdEV5T0cw==
+        -----END AGE ENCRYPTED FILE-----
+      recipient: age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp
+  lastmodified: "2026-05-25T17:15:30Z"
+  mac: ENC[AES256_GCM,data:IW9eN5H2J5cnXUHlK2aD+yd2ORx+weSFKBGWd7pIolFb5txg0WlGVp8UpD4h+Tv0SJ9NkQOT6KpcXDez/L7r7xNYtmgf7AdrdGpy3IOkEYzHJ+oHUMd/aL+h5w6/RahrpxlPSrNKAC+AfpY+l0iodwQ09iuLp4YXFxRaRDGpGZw=,iv:6M7RkDN9D9Zlyq1MCRoiT4f1bd6OBZNg+C65oEuSWn4=,tag:wRsq4lt4mHVyY6ruGkYNKQ==,type:str]
+  pgp:
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxK/JaB2/SdtARAAlyJLMDlT4FLpMKaC3ygn1cfA2390Dz24lzKlHmwl5GgE
+        yS9bdTGMpcM8zPOQoqaoy/my3kgx2/U3q7WiCTMdUyYePAWuJFh8ZRZjw/hPpv6n
+        GwYgK3M2C1I9++zmZD5LlR4TaTTpr99+hctYrrp79QJddgozUzAQ44g7WvDm5VhI
+        bb2UVSo0MpWvLEMXHqH9YZcjkQyVg/DL+IaU1rM9pmpZxoN7+0jQY4ci1ZeHVo9e
+        DbYcjMazBLakjZxxdtHrqx3DjZgbYCancMy/dUKVuvDF/lN35WWSxslv14BNHljL
+        +/9YBDRgIr11x9j1hq241UwBW+6mSFxWF3qQ5esdR5xlLEqbm27PYGtqC4LIdzRX
+        ZUvdujuQ2PHCYJY/jKWSf0cdfXKEGorc1ZGOV9FNq9L+aKvfmRLWfzX4D0Hp47H2
+        d3itVuA9KYOdzmk6O+8FZv/VK1042L90tOPJhrtE287KhcJ2CvfT/Az4Qot8xg3c
+        tXmO3cWQpigXxJPfKRPjmmLJ9nq0BnBXj5ngkVz7d8R3FR1J/+TWG0F1VU7YeW2+
+        Z04RAbbKf36xUTqnaV34EDum4QLLdTMra6fPYPy0KiQYIKDcRSdHeM/hEs7JXP1c
+        zbUX4xuBOXl7kWYR0e3MUTzxYiQBr9BvSDY+7sGQCb+fPw+AKvFxig1grjsnZvPU
+        ZgEJAhAUE/ebqBa2nGimcAPn3PfeihehcmjLg7HmyWBPkHHMt/TIOztjkbGiQSC/
+        jBP+rhjmFxm0WKUGM4dkh14JkMgz7DZ9fozzLfo8zN8beuSDDzX1BndTIMBQJj8P
+        Q/rk1NL6pg==
+        =UXJ9
+        -----END PGP MESSAGE-----
+      fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQEMA1QflAioE8i3AQgAg+PBxAqWTfRhxP7GxDfQBPK3d52zshP9xhutqANzszhs
+        nbo3nHWj/vjvHlEuD+Rr/lr9qxsE3qS4ON7FG929RoB1YFHJnQl29Xym2Q34T0Hy
+        Ih3dibykm0t/NE+fuxsU4iU0imtjqhqA6P0+8FNF3UeCg60brcqlrBTXM9jFqlZ2
+        9nuvk75HkM1FoHiKx837qAd+RjNNO7xKUpn+EX0l0l9tScuPqUkWNQxLrbHrcO5M
+        bcEC1syZHQKCiucsesS1pJ7TFWOJsnamZyaqhzANGwWdhYwGQv37bWKr6dYTCy3q
+        rsT2NxQK4/N9CxmP6xWeAZbX00BDhNMfEQVtTlYLgdJcAS433Hiw+DSEwGu2zvTa
+        pHtQlGlaoOZemNnthw0NO6JQWGhz6Bx5QqYmbrshtVKNPh87vNVV0HhL/fQ7qwLp
+        uCgnMi3P59r8EKDZqTSp0YGfE2bx2hpBDnyJ42A=
+        =rOz4
+        -----END PGP MESSAGE-----
+      fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAz5uSgHG2iMJAQ/7BOewbq1xQgTOruTFebugbSrodtfUlIDpCez+FZMw3Gos
+        uwfp6jslBKXHidsA39CRktJ40EYqygmBgcxGTvHGC94VwSl7OfCjHsyfD/93L358
+        XsjpTHXBO/mOjQmJ2smhZx+q+iMLpJnq2QA8mGUI5uzPTjXD19sD9QdYdHF2p8D6
+        mdpVWED2gRf/sDoN+y3c/iZvMTN2HeDCx5d/wIgl3mmoHLvWRO8pNBV3EUg3ZBiv
+        fc0Y7m/0KOqW1itE4yg9IoPBWJg2jYSZTkRnQMPEkKEEHNtbx6dq5tLOYUIIwOwC
+        5JlL76BRoaul6ousBSHV8OWCAvS2N8OC+l0ATzk99p/h4zY7PCG7NhkKAOgYfWFa
+        /z5u6J6TMrmeLZjknFXepuVAzNmDU0CmuhMwZankGKq6lmsQQnHvdq8+ExGGWhfK
+        m6I8nPvG654md9H7Y3HusHa6y1rkf9gZp1UFzhvXQgZdvc7K5pJrhxjGUnEg6sS0
+        m4daDRuNLW32PXiwoWTtTJfOQFv0t1f1eEKI9DO/O8/4fNtIvmI/8HDcdF1XzDnt
+        lGnyD9cZ5jKsKjGrT9DcvJhyTGWDFeBDTY+rlt52E8NbrzWUjX4J7Gyz8QRY9j7m
+        wRi4uaVt5KBmB8Ibo2bMTUXU3Db/0p8nCAg/89D1fP6FF4izg3GU4oD3vJyl81XS
+        XAH8tGT9wbjXuhomyhqemDYb0QdTRfpAznm4AS36qbeU/Tvj4M+Nm64qLpj7FFtK
+        aeDas4lzgeQf6/cdd5ItLlRHhlBOJEmjHVzRR4npabCWZojP8PTac1IlBgvS
+        =OH/y
+        -----END PGP MESSAGE-----
+      fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DsZXvxFXTXoQSAQdAIjnFVslIKlmP0X12z6AdWNqxkpVBDFvf03ToWQEQv3Uw
+        8ka0OYl32rH6UiiSE1Vve1wZ/iVvK9/il6UhTpeAt8bIiCq6gEGR9Ba5NJnm6rSG
+        0lwBwzEtaARPJbbcWu7Jl+dAQ0quP6uVS55OYBuSannlaPrQ5qBuS14AtuQ3UEVz
+        EbcLJ0b4lGL7hgyAf2E6nuDTkPGPChAJ5H5DfrB74ZB30GcYBTzwj13+jWx/VQ==
+        =Hxuh
+        -----END PGP MESSAGE-----
+      fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DerEtaFuTeewSAQdANsYlCeGhhqmBgnqcSuNdQBUwYKpucDrb6aR9Siyukjww
+        72Gin/635k9bYXwknA1rPyTMvG00giQgjUr/QK6PSD/eGi0QOtMZLj1JRi8f5EU+
+        0lwB+MIM9+EEzHJ96ouzL3bu0e++NvRY1Qjyx1Xi43bM96eBeLZ5DAc1eTSdWizQ
+        EWTorcmXffkdfOQx1zrlGZo/qvfj5F706VcwX4aZwok/ASRmSeCfEXLgGLCwqQ==
+        =ccBm
+        -----END PGP MESSAGE-----
+      fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxjNhCKPP69fAQ/+IRYUQhf7zzIZy3AKAtQgyMKRINOUUqOEv6IKmNQaaQP7
+        K5JXnVi2gjgBuG+2gH9iCEimIggnWxFhHerfOps+NkAI6y7kFz5hnMtOY2Qf3vxT
+        Hoyq4l6Yn+gG1HSLozVr9dTQPjyGOKJkm36ZKpM7gqSuLNP2ijKARzay4Chg3i+p
+        E1TVTVoEczrPdLg3O2fd5mi2UT1k3E4QREti0k6K4juMWqMz+5iJ5X98qCdmE1eX
+        L5dmW0QSUChzBVw+7NEcxeNx5WsbhWgPA5m2+bng3V8tHqAwrRUCoxn2+yabnsZB
+        Z0Z7TgcLk0Xnezw+BkT3bOsKgv+atE5lm2rBiRUHRDR3S04j0Ju6fJHf24CNy5ES
+        xMF7BE23SgmqUq0BrvdJB0ToNKYGMM0C5Xg4vGRiE61+18TiFIeC3mF9suvFFKc+
+        houq6Cy7q3O5PEqEbu6t5vXAZHwL9Th+ZatIIe9jSToiZiLEOIEmiYptR009/OWq
+        v6ADzaAE6+i6HZ62xBYQuZFkiUrRKxYzTHFn0A10QUJrJgbWr8QjS76oKi8feEDC
+        BJAOwE/0aK+l46hI6mlh6rgeSy8XdOPLEnL4+1HjlshhTTiW1rE2cr0ZiTTA6UFX
+        UhABIUi6jiLnM13L+auulU1UZQ8wxp73okrcuu6g2bPT/l7zO9YNOCocWVPQa5vS
+        XAH7qrW533ttg2XAczCdALMulV2N5GHl7TbgRQBkdoBAKL+6oKfxbOZeQM2nrfZT
+        arytZbnjgCcy5ygnjeziRvWwLk7sysEpAQqQNRm50m2Cq+2ccedRP6zFzUhc
+        =4hCA
+        -----END PGP MESSAGE-----
+      fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA46L6MuPqfJqAQ/9G5pRNmw775xCYA+foCx9rM7eLXJFl2DjaI3a/O0yVc6t
+        32xtPuaHwTnP00Pbbo5Vc9QG7k0Fr3Rgy+ep1lGzeCMoHwF9xk98LspDtYZoKopE
+        6/L6KLldSauRv0rPVhCQHpZFsnx1VxaJiXn9vAW17+imC9SgqLYGWyrxAtLCOOqH
+        N68RnTsEDquXixEs82ao0EmQXPquimJgSx+xVSF4yitYYLLLHyUL+drMNuVb9q9Y
+        oAIdEL1svDIieTbTKGQUqZ8Alf8f/0cqPWpEkDwYIyB/i9KDkH5Oj7uBBRtVLGxQ
+        VxE32wO1xpXvKgUY2PhWD2rOBVDG8dW/hyqvc1WgIeo1A6FTq34b5dGC2lmTRngB
+        9mBjUd59zeOvdXLmoGwXgbjVhpgnm/5wlUeiIC3xR9MjW3znRBT6ujCaglpAdXBC
+        0AIugssGcuXbP9Tj5zMVlbdi2dj6Ylc8S1Tj/OjwxHCCj6AWRqpxN5vY28RiLFGy
+        +eAsryzPk6UTCPIydiWwsrP+w8EhbllFxzZM+Sn+fshAHdRug+EeyT3h5V5JF+Ko
+        BZCrZkwYqAcVkJjEYlukjvxVFvo+T6tRMz4F4yNgjqFjneUaeLCc6RllaT696H0Y
+        8+lw5rK+XpcXBZqso6vsLChRdZQJjoj9lkjRDbmhOkaRglikC6Cx+mpY1/XnGvDS
+        XAFWOuNKjN/xIRtaDc6tmeWsKkuqghjHiMeRqw10/kTBjniMLLJIN9ssj4HjYqC3
+        CsqyHqZmrbITUMr718gX1kkAvzF/fVAXT8YshOcK7rQbiMQJCZqeBp3fY7FC
+        =5yPR
+        -----END PGP MESSAGE-----
+      fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DQrf1tCqiJxoSAQdAfLqKILCrCv2s2V7bLntk5lHI6Dc1FQlCg3LAefc8oTIw
+        a3UZU3OajQ1CCIhhu02JSlTKZm2z+pZKVHy+s5EgCqwAWTfPNAnyPT0ZGrhIdcah
+        0lwBdg2Tq3+Nhix1ZuA/mUgcrbRBcFKlHY+IGEgOHKLJld9UPF2xEjTX6nmLyuTR
+        6x+HW/7vVuc/jcFeQEmokhQw/SICVdyD7NQua4k1agLkty3hGcm1XCsfyKfj+w==
+        =Bxf9
+        -----END PGP MESSAGE-----
+      fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DzAGzViGx4qcSAQdAr2tfPiCpUkxFj4rgSiLf7y4iyKbsgEY87iYH3GAZTVcw
+        vK2YpjSVgFRoJNx9s3bFr+9UG0LFmKvDZEP83ThQizYs2I/N7MSU8ERRImshaQMH
+        0lYB4At0RHC1mp8eKqhRgXenOtpfCiBACtlIdS9m1aqcU6i9Drgt86Bk/LC/HSvJ
+        MUOit2PP7QZVRWV6F8wAHlUFd6bdTKv9eOCZLSB6mY6DQmkp93FIMg==
+        =lQcB
+        -----END PGP MESSAGE-----
+      fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA2pVdGTIrZI+ARAAjNHCArTtU9D8zw5yJzvf0KSwQoOaQWHui7AqQkvQ8mJv
+        8+Vo9sb+JoSuFHQqqDbOU+VFpmc9CZ6HCJaWqO2gZVgjxrsrPgyfq795LBd6GhX5
+        6zwUH2huxv+n7XkfjN4HHJAlSj0pRyL3fyojdOdtXCTuBGbofLIBJUbuD1wro1K+
+        nSHLvdBEitn8afKt5/SaatB8Prwyet6E6J4HluXFQjl+KdrRHHvXImmhNSR4yfIr
+        yQt2s8qapSvLhrUw9/GFXqM/jg4ZlDhPUhCAKI2Pr5PbsRMBqwdkSrDeB7MHdsU6
+        tI4uyb7j8m3VMbFKNVpuluwgk47V+W/h+jtZetSR6ewYsXJjgHNmX6JX73XzR7R+
+        q4EBfSAxR7ByZ/HHuumUH6BKBj8IcNJQwtEkLIZmLZ3OdFtJP3YY0esV+gEhG6K7
+        m2Zl9C7axuYmvoLrqygaChmxMhMiebTPNkD/dH5Ircwl2cXfHC+bvF2WO73DTk9G
+        emHzrkniEtuUs+svMhT3NKM3/mpOJTiNezdH39HZADzkBwZ5Mmkfe4mbXByfRN7F
+        AEJWmnOcpXwXE9//sRbkRr+CGmB86raZE22wHPuk6U9IyVFJm8hJbOzFc7rwu1Eo
+        0YWBCsc9dA+jH8hIKrIfXwqnfhYjTrX+oZJeK/8McOwfF7I2G9YrPAgwbokQmtLU
+        ZgEJAhC8ryOvXwp2kP9sv6nbXIEcwrX8lRjkEWduf6ZAWAfQ5FGBSPzR8WnZWGzN
+        PCxjg7utA9AHBChF1duwOV2Qr5XW8HTUGAx4fc0T0rjC862vSwf8yAY89WWJyUfk
+        n8qhhdw1uw==
+        =KgOe
+        -----END PGP MESSAGE-----
+      fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DKKbvh61jX5USAQdAYrtySnoCK7k4ZZIyllSAr23fozsiZb9Nf6Q+r56i3lAw
+        7IxBdJc2ipMxafy1Ntq0wfAYYk7nY6Vz1XtB+ekVeYLOjDmHRnJWq/Jw0K8wLvWT
+        1GYBCQIQ/0zDLdFOrMNjVPMutGVJOkpm7mbD30GpgRugzEf2NZePGtptqnP6i1t1
+        izBqFRByftV1MUw1uWgTFgB8zEVDh6gG0QAYeRuu3NS9QhwR71Wlu2J4eu+VhZi7
+        AKabk3T3Z00=
+        =A2ad
+        -----END PGP MESSAGE-----
+      fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49
+  unencrypted_suffix: _unencrypted
+  version: 3.13.1

inventories/z9/host_vars/z9-router.yaml

@@ -0,0 +1,7 @@
+systemd_networkd__config_dir: 'resources/z9/z9-router/systemd_networkd/'
+systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/z9/z9-router/systemd_networkd_global_config.conf') }}"
+nftables__config: "{{ lookup('ansible.builtin.file', 'resources/z9/z9-router/nftables/nftables.conf') }}"
+ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
+ansible_pull__timer_randomized_delay_sec: 0min
+unbound_access_control: [ "10.89.208.0/20" ]
+kea_dhcp__include_vars: resources/z9/z9-router/kea_dhcp.yaml

inventories/z9/hosts.yaml

@@ -14,6 +14,12 @@ all:
     yate:
       ansible_host: yate.ccchh.net
       ansible_user: chaos
+    z9-router:
+      ansible_host: z9-router.ccchh.net
+      ansible_user: chaos
+base_config_hosts:
+  hosts:
+    z9-router:
 certbot_hosts:
   hosts:
     dooris:
@@ -35,6 +41,7 @@ infrastructure_authorized_keys_hosts:
     light:
     waybackproxy:
     yate:
+    z9-router:
 nginx_hosts:
   hosts:
     dooris:
@@ -46,16 +53,31 @@ ola_hosts:
 proxmox_vm_template_hosts:
   hosts:
     thinkcccore0:
+systemd_networkd_hosts:
+  hosts:
+    z9-router:
+nftables_hosts:
+  hosts:
+    z9-router:
+unbound_hosts:
+  hosts:
+    z9-router:
+kea_dhcp_hosts:
+  hosts:
+    z9-router:
 alloy_hosts:
   hosts:
     light:
     yate:
     dooris:
+    z9-router:
 ansible_pull_hosts:
   hosts:
     dooris:
     light:
     waybackproxy:
     yate:
+    z9-router:
 secrets_hosts:
   hosts:
+    z9-router:

mkdocs.yml

@@ -9,7 +9,6 @@ markdown_extensions:
   - attr_list
   - codehilite
   - pymdownx.blocks.details
-  - pymdownx.blocks.tab
   - pymdownx.superfences:
       css_class: codehilite
 

playbooks/deploy.yaml

@@ -27,6 +27,20 @@
   tags:
     - nftables
 
+- name: Ensure unbound deployment on unbound_hosts
+  hosts: unbound_hosts
+  roles:
+    - unbound
+  tags:
+    - unbound
+
+- name: Ensure kea_dhcp deployment on kea_dhcp_hosts
+  hosts: kea_dhcp_hosts
+  roles:
+    - kea_dhcp
+  tags:
+    - kea_dhcp
+
 - name: Ensure deployment of infrastructure authorized keys
   hosts: infrastructure_authorized_keys_hosts
   roles:

resources/z9/z9-router/kea_dhcp.yaml

@@ -0,0 +1,293 @@
+kea_dhcp__dns_servers:
+  v4:
+    - 185.161.129.134
+  v6:
+    - 2a07:c481::1:2
+
+kea_dhcp__dhcp4:
+  enable: true
+  interfaces: [ "netlan.51", "netlan.52", "netlan.54" ]
+  control-sockets:
+    - socket-name: /var/run/kea-dhcp4-ctrl-agent.sock
+      socket-type: unix
+  lease-database:
+    type: memfile
+    persist: true
+  option-data:
+    - name: "domain-name-servers"
+      code: 6
+      csv-format: true
+      data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}"
+  subnets:
+    - id: 1
+      subnet: 10.89.208.0/22
+      pools:
+        - pool: "10.89.208.32 - 10.89.211.250"
+      reservations:
+        - ip-address: 10.89.208.11
+          hostname: beamer
+          hw-address: "ac:87:a3:18:9e:01"
+        - ip-address: 10.89.208.12
+          hostname: Brother-CCCHH
+          hw-address: "00:80:77:04:3a:55"
+        - ip-address: 10.89.208.13
+          hostname: muzak
+          hw-address: "00:11:24:5f:4f:80"
+        - ip-address: 10.89.208.14
+          hostname: Big-Room-Beamer
+          hw-address: "64:d2:c4:db:08:5c"
+        - ip-address: 10.89.208.16
+          hostname: dooris
+          hw-address: "bc:24:11:b3:93:9c"
+        - ip-address: 10.89.208.17
+          hostname: hmdooris-ccu
+          hw-address: "bc:24:11:5f:2d:b1"
+        - ip-address: 10.89.208.27
+          hostname: cisco-slm248p
+          hw-address: "00:23:eb:b0:fc:3f"
+        - ip-address: 10.89.208.47
+          hw-address: "6c:df:fb:0b:34:21"
+        - ip-address: 10.89.208.48
+          hw-address: "6c:df:fb:0d:91:63"
+        - ip-address: 10.89.209.28
+          hostname: hp-color
+          hw-address: "3c:52:82:29:21:79"
+        - ip-address: 10.89.209.29
+          hostname: dooris-ng
+          hw-address: "6c:4b:90:19:21:a1"
+        - ip-address: 10.89.209.166
+          hostname: encoder-ccchh
+          hw-address: "00:4e:01:a2:40:d7"
+        - ip-address: 10.89.209.254
+          hostname: ki10
+          hw-address: "dc:a6:32:a9:ff:82"
+      option-data:
+        - name: routers,
+          csv-format: true
+          data: 10.89.208.1
+    - id: 2
+      subnet: 10.89.212.0/24
+      pools:
+        - pool: "10.89.212.32 - 10.89.212.250"
+      reservations:
+        - ip-address: 10.89.212.3
+          hostname: prusamk3
+          hw-address: "10:9c:70:2e:59:3e"
+        - ip-address: 10.89.212.4
+          hostname: prusamk4
+          hw-address: "10:9c:70:2e:6e:f0"
+        - ip-address: 10.89.212.11
+          hostname: Ziggy
+          hw-address: "44:17:93:53:65:57"
+        - ip-address: 10.89.212.12
+          hostname: legacy
+          hw-address: "00:15:65:a1:ed:98"
+        - ip-address: 10.89.212.23
+          hostname: foobarpay
+          hw-address: "f4:f2:6d:09:a6:73"
+        - ip-address: 10.89.212.24
+          hostname: foobackup
+          hw-address: "bc:24:11:20:1a:a8"
+        - ip-address: 10.89.212.27
+          hostname: ender3v2-sonic-pad
+          hw-address: "fc:ee:91:00:0e:14"
+        - ip-address: 10.89.212.31
+          hostname: octopi
+          hw-address: "b8:27:eb:0f:d8:09"
+        - ip-address: 10.89.212.32
+          hostname: 433mhz-bridge
+          hw-address: "0c:b8:15:fe:e3:34"
+        - ip-address: 10.89.212.33
+          hostname: wled-kueche
+          hw-address: "30:ae:a4:7a:8d:a0"
+        - ip-address: 10.89.212.34
+          hostname: wled-serverschrank
+          hw-address: "18:fe:34:a6:64:76"
+        - ip-address: 10.89.212.35
+          hostname: wled-couch
+          hw-address: "64:b7:08:40:ab:c0"
+        - ip-address: 10.89.212.36
+          hostname: laser
+          hw-address: "b8:27:eb:be:38:fa"
+        - ip-address: 10.89.212.37
+          hostname: laser-eth
+          hw-address: "b8:27:eb:eb:6d:af"
+        - ip-address: 10.89.212.42
+          hostname: t-mix
+          hw-address: "40:a5:ef:d9:eb:93"
+        - ip-address: 10.89.212.86
+          hostname: fritz-fon
+          hw-address: "00:1f:3f:c9:e5:b2"
+        - ip-address: 10.89.212.211
+          hostname: hauptraum-esphome
+          hw-address: "e8:db:84:e8:18:d2"
+        - ip-address: 10.89.212.212
+          hostname: werkstatt-esphome
+          hw-address: "3c:71:bf:26:42:32"
+        - ip-address: 10.89.212.213
+          hostname: ir-bridge-beamer
+          hw-address: "8c:ce:4e:51:93:dd"
+        - ip-address: 10.89.212.215
+          hostname: pi-dmx-werkstatt
+          hw-address: "b8:27:eb:65:e5:31"
+        - ip-address: 10.89.212.227
+          hostname: SIP-T46S
+          hw-address: "80:5e:c0:09:bf:55"
+        - ip-address: 10.89.212.230
+          hostname: SIP-T46S
+          hw-address: "80:5e:c0:22:33:08"
+        - ip-address: 10.89.212.232
+          hostname: staubi
+          hw-address: "b8:4d:43:98:51:2b"
+        - ip-address: 10.89.212.233
+          hostname: staubiv2
+          hw-address: "70:c9:32:82:25:b2"
+        - ip-address: 10.89.212.234
+          hostname: AtemMini
+          hw-address: "7c:2e:0d:13:72:a8"
+        - ip-address: 10.89.212.235
+          hostname: okilaser
+          hw-address: "2c:ff:65:22:b4:63"
+        - ip-address: 10.89.212.236
+          hw-address: "b8:27:eb:29:bd:77"
+      option-data:
+        - name: routers,
+          csv-format: true
+          data: 10.89.212.1
+    - id: 3
+      subnet: 10.89.213.0/24
+      pools:
+        - pool: "10.89.213.32 - 10.89.213.250"
+      reservations:
+        - ip-address: 10.89.213.2
+          hostname: sw-rack-1
+          hw-address: "F0:9F:C2:10:C3:AA"
+        - ip-address: 10.89.213.3
+          hostname: sw-rack-2-peo
+          hw-address: "44:d9:e7:06:69:5d"
+        - ip-address: 10.89.213.4
+          hostname: sw-main-1
+          hw-address: "a8:9c:6c:16:df:cc"
+        - ip-address: 10.89.213.5
+          hostname: sw-main-2
+          hw-address: "a8:9c:6c:16:e8:86"
+        - ip-address: 10.89.213.6
+          hostname: sw-shop-1
+          hw-address: "C0:4A:00:FB:DA:C5"
+        - ip-address: 10.89.213.7
+          hostname: sw-shop-2-peo
+          hw-address: "f4:e2:c6:bf:20:ee"
+        - ip-address: 10.89.213.8
+          hostname: sw-shop-3-peo
+          hw-address: "d8:b3:70:85:72:76"
+        - ip-address: 10.89.213.11
+          hostname: pve01
+          hw-address: "38:05:25:30:80:35"
+        - ip-address: 10.89.213.12
+          hostname: pve02
+          hw-address: "b8:85:84:b1:57:b6"
+        - ip-address: 10.89.213.13
+          hostname: pve03
+          hw-address: "98:fa:9b:a2:ed:e8"
+        - ip-address: 10.89.213.15
+          hostname: pbs
+          hw-address: "BC:24:11:D6:2C:81"
+        - ip-address: 10.89.213.21
+          hostname: unifi
+          hw-address: "BC:24:11:25:77:60"
+        - ip-address: 10.89.213.22
+          hostname: club-assistant
+          hw-address: "7a:55:61:c3:a2:89"
+        - ip-address: 10.89.213.23
+          hostname: automation
+          hw-address: "f2:20:75:5a:2f:8c"
+        - ip-address: 10.89.213.24
+          hostname: yate
+          hw-address: "bc:24:11:73:3e:f7"
+        - ip-address: 10.89.213.25
+          hostname: ptouch-print-server
+          hw-address: "bc:24:11:f2:cf:8f"
+        - ip-address: 10.89.213.26
+          hostname: mqtt
+          hw-address: "bc:24:11:48:85:73"
+        - ip-address: 10.89.213.27
+          hostname: factorio
+          hw-address: "bc:24:11:a3:43:7f"
+        - ip-address: 10.89.213.28
+          hostname: light
+          hw-address: "72:61:ea:e6:49:e3"
+        - ip-address: 10.89.213.29
+          hostname: homematic
+          hw-address: "fe:3a:42:77:3a:be"
+        - ip-address: 10.89.213.30
+          hostname: proxmox-backup-server
+          hw-address: "8a:48:dd:a3:22:40"
+      option-data:
+        - name: routers,
+          csv-format: true
+          data: 10.89.213.1
+
+kea_dhcp__dhcp6:
+  enable: true
+  interfaces: [ "netlan.51", "netlan.52", "netlan.54" ]
+  control-sockets:
+    - socket-name: /var/run/kea-dhcp6-ctrl-agent.sock
+      socket-type: unix
+  lease-database:
+    type: memfile
+    persist: true
+  option-data:
+    - name: "dns-servers"
+      code: 23
+      csv-format: true
+      data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}"
+  subnets:
+    - id: 1
+      subnet: "2a07:c481:1:33::/64"
+      pools:
+        - pool: "2a07:c481:1:33::1:1 - 2a07:c481:1:33::FFFF:FFFF"
+    - id: 2
+      subnet: "2a07:c481:1:34::/64"
+      pools:
+        - pool: "2a07:c481:1:34::1:1 - 2a07:c481:1:34::FFFF:FFFF"
+    - id: 3
+      subnet: "2a07:c481:1:36::/64"
+      pools:
+        - pool: "2a07:c481:1:36::1:1 - 2a07:c481:1:36::FFFF:FFFF"
+      reservations:
+        - ip-address: "2a07:c481:1:36::2"
+          hostname: sw-rack-1
+          hw-address: "F0:9F:C2:10:C3:AA"
+        - ip-address: "2a07:c481:1:36::3"
+          hostname: sw-rack-2-peo
+          hw-address: "44:d9:e7:06:69:5d"
+        - ip-address: "2a07:c481:1:36::4"
+          hostname: sw-main-1
+          hw-address: "a8:9c:6c:16:df:cc"
+        - ip-address: "2a07:c481:1:36::5"
+          hostname: sw-main-2
+          hw-address: "a8:9c:6c:16:e8:86"
+        - ip-address: "2a07:c481:1:36::6"
+          hostname: sw-shop-1
+          hw-address: "C0:4A:00:FB:DA:C5"
+        - ip-address: "2a07:c481:1:36::7"
+          hostname: sw-shop-2-peo
+          hw-address: "f4:e2:c6:bf:20:ee"
+        - ip-address: "2a07:c481:1:36::8"
+          hostname: sw-shop-3-peo
+          hw-address: "d8:b3:70:85:72:76"
+        - ip-address: "2a07:c481:1:36::b"
+          hostname: pve01
+          hw-address: "38:05:25:30:80:35"
+        - ip-address: "2a07:c481:1:36::c"
+          hostname: pve02
+          hw-address: "b8:85:84:b1:57:b6"
+        - ip-address: "2a07:c481:1:36::d"
+          hostname: pve03
+          hw-address: "98:fa:9b:a2:ed:e8"
+        - ip-address: "2a07:c481:1:36::f"
+          hostname: pbs
+          hw-address: "BC:24:11:D6:2C:81"
+        - ip-address: "2a07:c481:1:36::14"
+          hostname: unifi
+          hw-address: "BC:24:11:25:77:60"

resources/z9/z9-router/nftables/nftables.conf

@@ -0,0 +1,114 @@
+#!/usr/sbin/nft -f
+
+## Variables
+
+# Hosts
+
+
+# Interfaces
+define if_netwan = "netwan"
+define if_netlan = "netlan"
+define if_wg55_management   = "wg55"
+define if_netwan_400_fux_uplink = "netwan.400"
+define if_netlan_51_clients = "netlan.51"
+define if_netlan_52_iot = "netlan.52"
+define if_netlan_53_public = "netlan.53"
+define if_netlan_54_management = "netlan.54"
+
+# Interface Groups
+define wan_ifs = { $if_netwan_400_fux_uplink }
+define lan_ifs = { $if_netlan_51_clients,
+                   $if_netlan_52_iot,
+                   $if_netlan_53_public,
+                   $if_netlan_54_management }
+define v4_exposed_ifs = { $if_netlan_53_public }
+define v6_exposed_ifs = { $if_netlan_53_public }
+define v4_nat_ifs = { $if_netlan_51_clients,
+                      $if_netlan_52_iot,
+                      $if_netlan_54_management }
+
+
+## Rules
+
+table inet reverse-path-forwarding {
+    chain rpf-filter {
+        type filter hook prerouting priority mangle + 10; policy drop;
+
+        # Only allow packets if their source address is routed via their incoming interface.
+        # https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100
+        fib saddr . mark . iif oif exists accept
+    }
+}
+
+table inet host {
+    chain input {
+        type filter hook input priority filter; policy drop;
+
+        iifname "lo" accept comment "allow loopback"
+
+        ct state invalid drop
+        ct state established,related accept
+
+		    ip protocol icmp accept
+        # ICMPv6
+        # https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
+        # Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
+        # Error messages that are essential to the establishment and maintenance of communications:
+        icmpv6 type { destination-unreachable, packet-too-big } accept
+        icmpv6 type { time-exceeded } accept
+        icmpv6 type { parameter-problem } accept
+        # Connectivity checking messages:
+        icmpv6 type { echo-request, echo-reply } accept
+        # Address Configuration and Router Selection messages:
+        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
+        # Link-Local Multicast Receiver Notification messages:
+        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
+        # SEND Certificate Path Notification messages:
+        icmpv6 type { 148, 149 } accept
+        # Multicast Router Discovery messages:
+        icmpv6 type { 151, 152, 153 } accept
+
+        # Allow SSH access.
+        tcp dport 22 accept comment "allow ssh access"
+
+        # Allow WireGuard access.
+        udp dport 51820 accept comment "allow WireGuard access"
+
+        # Allow DHCP server access.
+		    iifname { $lan_ifs } udp dport 67 accept comment "allow dhcp server access"
+
+        # Allow DNS server access from lan_ifs
+        iifname { $lan_ifs, $if_wg55_management } udp dport 53 accept comment "allow dns server access from lan_ifs"
+    }
+}
+
+table ip v4nat {
+    chain prerouting {
+        type nat hook prerouting priority dstnat; policy accept;
+    }
+
+    chain postrouting {
+        type nat hook postrouting priority srcnat; policy accept;
+
+        iifname { $v4_nat_ifs, $if_wg55_management } oifname $wan_ifs masquerade
+    }
+}
+
+table inet forward {
+    chain forward {
+        type filter hook forward priority filter; policy drop;
+
+        ct state invalid drop
+        ct state established,related accept
+
+        # Allow internet access.
+		    iifname { $lan_ifs, $if_wg55_management } oifname $wan_ifs accept comment "allow internet access"
+
+        # Allow access to exposed networks from internet.
+        meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
+        meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
+
+        # Allow clients and management to most
+        iifname { $if_netlan_51_clients, $if_netlan_54_management, $if_wg55_management } oifname $lan_ifs accept comment "Allow clients and management to lan interfaces"
+    }
+}

resources/z9/z9-router/systemd_networkd/00-netlan.link

@@ -0,0 +1,6 @@
+[Match]
+MACAddress=BC:24:11:72:A3:27
+Type=ether
+
+[Link]
+Name=netlan

resources/z9/z9-router/systemd_networkd/00-netwan.link

@@ -0,0 +1,6 @@
+[Match]
+MACAddress=BC:24:11:CF:65:57
+Type=ether
+
+[Link]
+Name=netwan

resources/z9/z9-router/systemd_networkd/10-netlan.51.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.51
+Kind=vlan
+
+[VLAN]
+Id=51
+

resources/z9/z9-router/systemd_networkd/10-netlan.52.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.52
+Kind=vlan
+
+[VLAN]
+Id=52
+

resources/z9/z9-router/systemd_networkd/10-netlan.53.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.53
+Kind=vlan
+
+[VLAN]
+Id=53
+

resources/z9/z9-router/systemd_networkd/10-netlan.54.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.54
+Kind=vlan
+
+[VLAN]
+Id=54
+

resources/z9/z9-router/systemd_networkd/10-netwan.400.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netwan.400
+Kind=vlan
+
+[VLAN]
+Id=400
+

resources/z9/z9-router/systemd_networkd/10-wg55.netdev

@@ -0,0 +1,90 @@
+[NetDev]
+Description=Admin-Wireguard
+Kind=wireguard
+Name=wg55
+
+[WireGuard]
+ListenPort=51820
+PrivateKeyFile=/etc/ansible_secrets/wireguard_wg55_private_key
+
+# WireGuard Peers
+
+[WireGuardPeer]
+# friendly_name = stb
+AllowedIPs = 10.89.214.2/32,2a07:c481:1:37::2/128
+PublicKey = vILSL4dbaC5IaTsRhJviamV18ssxWSj+qLVyowLQ214=
+PersistentKeepalive = 30
+
+[WireGuardPeer]
+# friendly_name = fi
+AllowedIPs = 10.89.214.3/32,2a07:c481:1:37::3/128
+PublicKey = UHi/if5uW2V3+8Q3R+uk6/XpRi4fPXbw7chsKI4xlkI=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_fi_psk
+
+[WireGuardPeer]
+# friendly_name = jtbx
+AllowedIPs = 10.89.214.4/32,2a07:c481:1:37::4/128
+PublicKey = NyyEqdWgScgsnTF8Zz/Om4Lc84fdFMwVtvaCmLEkUlQ=
+
+[WireGuardPeer]
+# friendly_name = June
+AllowedIPs = 10.89.214.6/32,2a07:c481:1:37::6/128
+PublicKey = 6jAEB+f9przBGxPhuvv9U9gvZDEBQNqpQSD0BoGqXQQ=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_June_psk
+
+[WireGuardPeer]
+# friendly_name = Max
+AllowedIPs = 10.89.214.7/32,2a07:c481:1:37::7/128
+PublicKey = oC1hJjtlAgLX/CmbwTC+LPmd1uwluQTwsN8RaMNmHn0=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_Max_psk
+
+[WireGuardPeer]
+# friendly_name = dario
+AllowedIPs = 10.89.214.9/32,2a07:c481:1:37::9/128
+PublicKey = bYF2EGRGpEGjiKcasi/oaWoWeLsgqsF6FGaq3Z4ERww=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_dario_psk
+
+[WireGuardPeer]
+# friendly_name = June-mobile
+AllowedIPs = 10.89.214.11/32,2a07:c481:1:37::11/128
+PublicKey = 6edjXykegUgGjbkIG1aJyBlX1SgTKcqXXaSBVPHdKDc=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_June-mobile_psk
+
+[WireGuardPeer]
+# friendly_name = djerun_at_ferrum.local
+AllowedIPs = 10.89.214.12/32,2a07:c481:1:37::12/128
+PublicKey = aHbdkTHhPkd+o7wWfTua9nd72aF4OVp66zGtpaoD8Fg=
+
+[WireGuardPeer]
+# friendly_name = c6ristian
+AllowedIPs = 10.89.214.13/32,2a07:c481:1:37::13/128
+PublicKey = 6ndwj3Ur6AqfUPWuyPYXIaGZs2ujJKawSQ9LEvlYzEc=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_c6ristian_psk
+
+[WireGuardPeer]
+# friendly_name = langoor
+AllowedIPs = 10.89.214.14/32,2a07:c481:1:37::14/128
+PublicKey = qTnVQlQa1m4SucFFNli/xM6QWfsdWx2baRAit7Cg8RM=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_psk
+
+[WireGuardPeer]
+# friendly_name = langoor_home
+AllowedIPs = 10.89.214.15/32,2a07:c481:1:37::15/128
+PublicKey = NeMDs2+5rHuKO5ZYXVUR76GorgdesFUnDOFECQ3RzG4=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_home_psk
+
+[WireGuardPeer]
+# friendly_name = lilly-lillysLaptop
+AllowedIPs = 10.89.214.16/32,2a07:c481:1:37::16/128
+PublicKey = IBsI+N8qUNpQnDc5HnqQ2Zo/1graFM0RMIecHmAF+Vk=
+
+[WireGuardPeer]
+# friendly_name = bitwhisker
+AllowedIPs = 10.89.214.17/32,2a07:c481:1:37::a/128
+PublicKey = DvEGvQPGi+IxeRTIA72Gx3WNINcrV9HRNB1v7mHnhjA=
+
+[WireGuardPeer]
+# friendly_name = forestcat
+AllowedIPs = 10.89.214.18/32,2a07:c481:1:37::b/128
+PublicKey = PdJ7KlIeASizj0WTY87d7oSi14/MebrhRa+L8YiPoQE=
+

resources/z9/z9-router/systemd_networkd/20-netlan.network

@@ -0,0 +1,12 @@
+[Match]
+Name=netlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+VLAN=netwan.51
+VLAN=netwan.52
+VLAN=netwan.53
+VLAN=netwan.54
+

resources/z9/z9-router/systemd_networkd/20-netwan.network

@@ -0,0 +1,9 @@
+[Match]
+Name=netwan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+VLAN=netwan.400
+

resources/z9/z9-router/systemd_networkd/20-wg55.network

@@ -0,0 +1,6 @@
+[Match]
+Name=wg55
+
+[Network]
+Address=10.89.214.1/24
+Address=2a07:c481:1:37::1/64

resources/z9/z9-router/systemd_networkd/21-netlan.51-clients.network

@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.51
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=clients
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=10.89.208.1/22
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:33::/64
+Assign=true
+Token=static:::1
+

resources/z9/z9-router/systemd_networkd/21-netlan.52-iot.network

@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.52
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=IoT
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=10.89.212.1/24
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:34::/64
+Assign=true
+Token=static:::1
+

resources/z9/z9-router/systemd_networkd/21-netlan.53-public.network

@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.53
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=public
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=185.161.130.65/28
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:35::/64
+Assign=true
+Token=static:::1
+

resources/z9/z9-router/systemd_networkd/21-netlan.54-management.network

@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.54
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=Management
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=10.89.213.0/24
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:36::/64
+Assign=true
+Token=static:::1
+

resources/z9/z9-router/systemd_networkd/21-netwan.400-fux_uplink.network

@@ -0,0 +1,26 @@
+[Match]
+Name=netwan.400
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=fux-uplink
+
+DNS=185.161.128.66
+DNS=2a07:c481:0:4::2
+DNS=185.161.128.67
+DNS=2a07:c481:0:4::3
+
+IPv6AcceptRA=no
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=no
+
+[Address]
+Address=185.161.129.134/25
+Address=2a07:c481::1:2/64
+
+[Route]
+Gateway=185.161.129.129
+Gateway=2a07:c481::1

resources/z9/z9-router/systemd_networkd_global_config.conf

@@ -0,0 +1,3 @@
+[Network]
+IPv4Forwarding=true
+IPv6Forwarding=true

roles/kea_dhcp/README.md

@@ -0,0 +1,102 @@
+# Role `kea_dhcp`
+
+Install and manage Kea DHCP and [Stork Agent](https://stork.readthedocs.io/en/latest/man/stork-agent.8.html).
+
+## Supported Distributions
+
+Should work on Debian-based distributions.
+
+## Required Arguments
+
+None.
+
+## Optional Arguments
+
+- `kea_dhcp__stork_agent.enable`: Enable Kea DHCP stork agent.
+  Defaults to `false`.
+- `kea_dhcp__stork_agent.prometheus_only`: Only enable the prometheus endpoint in stork agent.
+  Defaults to `true`.
+- `kea_dhcp__dns_servers.v4`: List of IPv4 DNS Servers in DHCP response.
+  Defaults to FUX DNS Servers.
+- `kea_dhcp__dns_servers.v6`: List of IPv6 DNS Servers in DHCP response.
+  Defaults to FUX DNS Servers.
+- `kea_dhcp__include_vars`: Path to YAML File to separately load VARs for Kea config templating.
+- `kea_dhcp__dhcp4.enable`: Enable Kea DHCP4 Service.
+  Defaults to `false`.
+- `kea_dhcp__dhcp4.interfaces`: List of interfaces the DHCP4 Server should listen to and serve.
+  Defaults to the empty list (`[ ]`).
+- `kea_dhcp__dhcp4.control-sockets`: List of Kea DHCP4 control sockets.
+  Defaults to the list with one entry (see below).
+- `kea_dhcp__dhcp4.control-sockets.*.socket-name`: Control socket name.
+  Defaults to `kea_dhcp__dhcp4.control-sockets.0.socket-name: /var/run/kea-dhcp4-ctrl-agent.sock`.
+- `kea_dhcp__dhcp4.control-sockets.*.socket-type`: Control socket type.
+  Defaults to `kea_dhcp__dhcp4.control-sockets.0.socket-type: unix`.
+- `kea_dhcp__dhcp4.lease-database.type`: Type of lease database.
+  Defaults to `memfile`.
+- `kea_dhcp__dhcp4.lease-database.persist`: Persist the lease database.
+  Defaults to `true`.
+- `kea_dhcp__dhcp4.option-data`: List of DHCP4 Options.
+  Defaults to a list with one entry (see below).
+- `kea_dhcp__dhcp4.option-data.*.name`: Name of DHCP4 Option.
+  Defaults to `kea_dhcp__dhcp4.option-data.0.name: "domain-name-servers"`.
+- `kea_dhcp__dhcp4.option-data.*.code`: DHCP4 Option code.
+  Defaults to `kea_dhcp__dhcp4.option-data.0.code: 6`.
+- `kea_dhcp__dhcp4.option-data.*.csv-format`: DHCP4 Option as csv format.
+  Defaults to `kea_dhcp__dhcp4.option-data.0.csv-format: true`.
+- `kea_dhcp__dhcp4.option-data.*.data`: DHCP4 Option data.
+  Defaults to `kea_dhcp__dhcp4.option-data.0.data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}"`.
+- `kea_dhcp__dhcp4.subnets`: List of subnets the DHCP4 server should manage.
+  Defaults to the empty list (`[ ]`).
+- `kea_dhcp__dhcp4.subnets.*.id`: ID of interface (starts with 1).
+- `kea_dhcp__dhcp4.subnets.*.subnet`: Subnet on interface.
+- `kea_dhcp__dhcp4.subnets.*.pools`: List of DHCP pools in subnet.
+- `kea_dhcp__dhcp4.subnets.*.pools.*.pool`: DHCP pool in range format.
+- `kea_dhcp__dhcp4.subnets.*.reservations`: List of DHCP lease reservations.
+- `kea_dhcp__dhcp4.subnets.*.reservations.*.ip-address`: IP address of reservation.
+- `kea_dhcp__dhcp4.subnets.*.reservations.*.hostname`: Hostname of reservation.
+- `kea_dhcp__dhcp4.subnets.*.reservations.*.hw-address`: Hardware address of reservation.
+- `kea_dhcp__dhcp4.subnets.*.option-data`: List of DHCP lease reservations.
+- `kea_dhcp__dhcp4.subnets.*.option-data.*.name`: Name of DHCP4 Option.
+- `kea_dhcp__dhcp4.subnets.*.option-data.*.code`: DHCP4 Option code.
+- `kea_dhcp__dhcp4.subnets.*.option-data.*.csv-format`: DHCP4 Option as csv format.
+- `kea_dhcp__dhcp4.subnets.*.option-data.*.data`: DHCP4 Option data.
+- `kea_dhcp__dhcp6.enable`: Enable Kea DHCP6 Service.
+  Defaults to `false`.
+- `kea_dhcp__dhcp6.interfaces`: List of interfaces the DHCP6 Server should listen to and serve.
+  Defaults to the empty list (`[ ]`).
+- `kea_dhcp__dhcp6.control-sockets`: List of Kea DHCP6 control sockets.
+  Defaults to the list with one entry (see below).
+- `kea_dhcp__dhcp6.control-sockets.*.socket-name`: Control socket name.
+  Defaults to `kea_dhcp__dhcp6.control-sockets.0.socket-name: /var/run/kea-dhcp6-ctrl-agent.sock`.
+- `kea_dhcp__dhcp6.control-sockets.*.socket-type`: Control socket type.
+  Defaults to `kea_dhcp__dhcp6.control-sockets.0.socket-type: unix`.
+- `kea_dhcp__dhcp6.lease-database.type`: Type of lease database.
+  Defaults to `memfile`.
+- `kea_dhcp__dhcp6.lease-database.persist`: Persist the lease database.
+  Defaults to `true`.
+- `kea_dhcp__dhcp6.option-data`: List of DHCP6 Options.
+  Defaults to a list with one entry (see below).
+- `kea_dhcp__dhcp6.option-data.*.name`: Name of DHCP6 Option.
+  Defaults to `kea_dhcp__dhcp6.option-data.0.name: "domain-name-servers"`.
+- `kea_dhcp__dhcp6.option-data.*.code`: DHCP6 Option code.
+  Defaults to `kea_dhcp__dhcp6.option-data.0.code: 6`.
+- `kea_dhcp__dhcp6.option-data.*.csv-format`: DHCP6 Option as csv format.
+  Defaults to `kea_dhcp__dhcp6.option-data.0.csv-format: true`.
+- `kea_dhcp__dhcp6.option-data.*.data`: DHCP6 Option data.
+  Defaults to `kea_dhcp__dhcp6.option-data.0.data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}"`.
+- `kea_dhcp__dhcp6.subnets`: List of subnets the DHCP6 server should manage.
+  Defaults to the empty list (`[ ]`).
+- `kea_dhcp__dhcp6.subnets.*.id`: ID of interface (starts with 1).
+- `kea_dhcp__dhcp6.subnets.*.subnet`: Subnet on interface.
+- `kea_dhcp__dhcp6.subnets.*.pools`: List of DHCP pools in subnet.
+- `kea_dhcp__dhcp6.subnets.*.pools.*.pool`: DHCP pool in range format.
+- `kea_dhcp__dhcp6.subnets.*.reservations`: List of DHCP lease reservations.
+- `kea_dhcp__dhcp6.subnets.*.reservations.*.ip-address`: IP address of reservation.
+- `kea_dhcp__dhcp6.subnets.*.reservations.*.hostname`: Hostname of reservation.
+- `kea_dhcp__dhcp6.subnets.*.reservations.*.hw-address`: Hardware address of reservation.
+- `kea_dhcp__dhcp6.subnets.*.option-data`: List of DHCP lease reservations.
+- `kea_dhcp__dhcp6.subnets.*.option-data.*.name`: Name of DHCP6 Option.
+- `kea_dhcp__dhcp6.subnets.*.option-data.*.code`: DHCP6 Option code.
+- `kea_dhcp__dhcp6.subnets.*.option-data.*.csv-format`: DHCP6 Option as csv format.
+- `kea_dhcp__dhcp6.subnets.*.option-data.*.data`: DHCP6 Option data.
+

roles/kea_dhcp/defaults/main.yaml

@@ -0,0 +1,68 @@
+kea_dhcp__stork_agent:
+  enable: false
+  prometheus_only: true
+kea_dhcp__dns_servers:
+  v6:
+    - "2a07:c481:0:4::2"
+    - "2a07:c481:0:4::3"
+  v4:
+    - "185.161.128.66"
+    - "185.161.128.67"
+kea_dhcp__include_vars:
+
+kea_dhcp__dhcp4:
+  enable: false
+  interfaces: [ ]
+  control-sockets:
+    - socket-name: /var/run/kea-dhcp4-ctrl-agent.sock
+      socket-type: unix
+  lease-database:
+    type: memfile
+    persist: true
+  option-data:
+    - name: "domain-name-servers"
+      code: 6
+      csv-format: true
+      data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}"
+  subnets:
+    - id: 0
+      subnet: nil
+      pools:
+        - pool: nil
+      reservations:
+        - ip-address: nil
+          hostname: beispiel.test
+          hw-address: "00:11:22:33:44:55"
+      option-data:
+        - name: nil,
+          code: nil,
+          csv-format: true
+          data: nil
+kea_dhcp__dhcp6:
+  enable: false
+  interfaces: [ ]
+  lease-database:
+    type: memfile
+    persist: true
+  control-sockets:
+    - socket-name: /var/run/kea-dhcp6-ctrl-agent.sock
+      socket-type: unix
+  option-data:
+    - name: "dns-servers"
+      code: 23
+      csv-format: true
+      data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}"
+  subnets:
+    - id: 0
+      subnet: nil
+      pools:
+        - pool: nil
+      reservations:
+        - ip-address: nil
+          hostname: beispiel.test
+          hw-address: "00:11:22:33:44:55"
+      option-data:
+        - name: nil,
+          code: nil,
+          csv-format: true
+          data: nil

roles/kea_dhcp/handlers/main.yml

@@ -0,0 +1,30 @@
+---
+- name: Systemd.daemon_reload
+  become: true
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+
+- name: Kea_dhcp4.restarted
+  ansible.builtin.service:
+    name: kea-dhcp4
+    state: restarted
+    enabled: true
+
+- name: Kea_dhcp6.restarted
+  ansible.builtin.service:
+    name: kea-dhcp6
+    state: restarted
+    enabled: true
+
+- name: Kea_ctrl.restarted
+  ansible.builtin.systemd:
+    name: kea-ctrl-agent
+    state: restarted
+    enabled: true
+
+- name: Stork_agent.restarted
+  become: true
+  ansible.builtin.systemd:
+    name: isc-stork-agent
+    state: restarted
+    enabled: true

roles/kea_dhcp/meta/argument_specs.yaml

@@ -0,0 +1,125 @@
+---
+argument_specs:
+  main:
+    short_description: "Role for managing Kea DHCP server"
+    options:
+      kea_dhcp__stork_agent:
+        type: "dict"
+        description: "Configuration for Stork Agent"
+        options:
+          enable:
+            type: "bool"
+            default: false
+          prometheus_only:
+            type: "bool"
+            default: true
+      kea_dhcp__version_repo:
+        type: "str"
+        description: "Version of Kea DHCP repository to use"
+        default: "kea-3-0"
+      kea_dhcp__dns_servers:
+        type: "dict"
+        description: "Default DNS servers for DHCP clients"
+        options:
+          v6:
+            type: "list"
+            elements: "str"
+          v4:
+            type: "list"
+            elements: "str"
+      kea_dhcp__dhcp4:
+        type: "dict"
+        description: "Configuration for DHCPv4 service"
+        options:
+          enable:
+            type: "bool"
+            default: false
+          interfaces:
+            type: "list"
+            elements: "str"
+            default: [ ]
+          control-sockets:
+            type: "list"
+            elements: "dict"
+          lease-database:
+            type: "dict"
+          option-data:
+            type: "list"
+            elements: "dict"
+          subnets:
+            type: "list"
+            elements: "dict"
+            options:
+              id:
+                type: "int"
+              subnet:
+                type: "str"
+              pools:
+                type: "list"
+                elements: "dict"
+                options:
+                  pool:
+                    type: "str"
+              reservations:
+                type: "list"
+                elements: "dict"
+                options:
+                  ip-address:
+                    type: "str"
+                  hostname:
+                    type: "str"
+                  hw-address:
+                    type: "str"
+                  duid:
+                    type: "str"
+              option-data:
+                type: "list"
+                elements: "dict"
+      kea_dhcp__dhcp6:
+        type: "dict"
+        description: "Configuration for DHCPv6 service"
+        options:
+          enable:
+            type: "bool"
+            default: false
+          interfaces:
+            type: "list"
+            elements: "str"
+            default: [ ]
+          control-sockets:
+            type: "list"
+            elements: "dict"
+          lease-database:
+            type: "dict"
+          option-data:
+            type: "list"
+            elements: "dict"
+          subnets:
+            type: "list"
+            elements: "dict"
+            options:
+              id:
+                type: "int"
+              subnet:
+                type: "str"
+              pools:
+                type: "list"
+                elements: "dict"
+                options:
+                  pool:
+                    type: "str"
+              reservations:
+                type: "list"
+                elements: "dict"
+                options:
+                  ip-address:
+                    type: "str"
+                  hostname:
+                    type: "str"
+                  hw-address:
+                    type: "str"
+                  duid:
+                    type: "str"
+              option-data:
+                type: "list"
+                elements: "dict"

roles/kea_dhcp/tasks/install_debian.yml

@@ -0,0 +1,25 @@
+---
+- name: Install Kea packages
+  become: true
+  when: ansible_facts['distribution'] == "Debian"
+  block:
+    - name: Install Kea dhcp4
+      when: kea_dhcp__dhcp4.enable
+      ansible.builtin.apt:
+        name:
+          - isc-kea-dhcp4
+    - name: Install Kea dhcp6
+      when: kea_dhcp__dhcp6.enable
+      ansible.builtin.apt:
+        name:
+          - isc-kea-dhcp6
+    - name: Install Kea ctrl agent
+      when: kea_dhcp__stork_agent.enable
+      ansible.builtin.apt:
+        name:
+          - isc-kea-ctrl-agent
+    - name: Install Kea admin
+      when: kea_dhcp__stork_agent.enable
+      ansible.builtin.apt:
+        name:
+          - isc-kea-admin

roles/kea_dhcp/tasks/kea.yaml

@@ -0,0 +1,47 @@
+---
+- name: Include config vars
+  when: kea_dhcp__include_vars is not None
+  ansible.builtin.include_vars:
+    file: "{{ kea_dhcp__include_vars }}"
+
+- name: Deploy kea-dhcp4 configuration file
+  become: true
+  when: kea_dhcp__dhcp4.enable
+  ansible.builtin.template:
+    src: kea-dhcp4.conf.jinja
+    dest: /etc/kea/kea-dhcp4.conf
+    backup: true
+    owner: root
+    group: kea
+    mode: "u=rw,g=r,o="
+    validate: kea-dhcp4 -T %s
+  notify:
+    - Kea_dhcp4.restarted
+
+- name: Deploy kea-dhcp6 configuration file
+  become: true
+  when: kea_dhcp__dhcp6.enable
+  ansible.builtin.template:
+    src: kea-dhcp6.conf.jinja
+    dest: /etc/kea/kea-dhcp6.conf
+    backup: true
+    owner: root
+    group: kea
+    mode: "u=rw,g=r,o="
+    validate: kea-dhcp6 -T %s
+  notify:
+    - Kea_dhcp6.restarted
+
+- name: Copy kea-ctrl-agent configuration file
+  become: true
+  when: kea_dhcp__stork_agent.enable
+  ansible.builtin.template:
+    src: kea-ctrl-agent.conf.j2
+    dest: /etc/kea/kea-ctrl-agent.conf
+    owner: root
+    group: kea
+    mode: "u=rw,g=r,o="
+    validate: kea-ctrl-agent -t %s
+  notify:
+    - Kea_ctrl.restarted
+    - Stork_agent.restarted

roles/kea_dhcp/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+- name: Setup Kea DHCP
+  block:
+    - name: Install Kea on Debian
+      when: ansible_facts['distribution'] == "Debian"
+      ansible.builtin.import_tasks: install_debian.yml
+
+    - name: Configure Kea
+      ansible.builtin.include_tasks: kea.yaml
+
+- name: Run stork-agent tasks
+  when: kea_dhcp__stork_agent.enable
+  ansible.builtin.include_tasks: stork-agent.yaml

roles/kea_dhcp/tasks/stork-agent.yaml

@@ -0,0 +1,39 @@
+---
+- name: Install stork-agent
+  block:
+    - name: Install isc-stork-agent
+      when: ansible_facts['distribution'] == "Debian"
+      become: true
+      ansible.builtin.apt:
+        name: isc-stork-agent
+
+    - name: Add stork-agent user to _kea group on Debian
+      when: ansible_facts['distribution'] == "Debian"
+      become: true
+      ansible.builtin.user:
+        name: stork-agent
+        groups: [ "_kea" ]
+        append: true
+
+    - name: Config for stork-agent
+      ansible.builtin.template:
+        src: stork-agent.env.jinja
+        dest: /etc/stork/agent.env
+        owner: root
+        group: root
+        mode: "0660"
+      notify:
+        - Systemd_daemon_reload
+        - Stork_agent.restarted
+
+    - name: Flush handlers
+      ansible.builtin.meta: flush_handlers
+
+    - name: Ensure that stork kea exporter is working
+      ansible.builtin.uri:
+        url: "http://localhost:9547/metrics"
+        method: GET
+      register: kea_dhcp_stork_status_code
+      retries: 6
+      delay: 5
+      until: kea_dhcp_stork_status_code.status == 200

roles/kea_dhcp/templates/kea-ctrl-agent.conf.j2

@@ -0,0 +1,20 @@
+{
+"Control-agent": {
+	"http-host": "127.0.0.1",
+	"http-port": 8000,
+	"control-sockets": {
+		{% if kea_dhcp__dhcp4.enable | default(false) %}
+		"dhcp4": {
+			"socket-type": "{{ kea_dhcp__dhcp4['control-sockets'][0]['socket-type'] }}",
+			"socket-name": "{{ kea_dhcp__dhcp4['control-sockets'][0]['socket-name'] }}"
+		}{% if kea_dhcp__dhcp6.enable  %},{% endif %}
+		{% endif %}
+		{% if kea_dhcp__dhcp6.enable | default(false) %}
+		"dhcp6": {
+			"socket-type": "{{ kea_dhcp__dhcp6['control-sockets'][0]['socket-type'] }}",
+			"socket-name": "{{ kea_dhcp__dhcp6['control-sockets'][0]['socket-name'] }}"
+		},
+		{% endif %}
+	}
+}
+}

roles/kea_dhcp/templates/kea-dhcp4.conf.jinja

@@ -0,0 +1,27 @@
+{
+  "Dhcp4": {
+    "interfaces-config": {
+      "interfaces": {{ kea_dhcp__dhcp4.interfaces | to_nice_json }}
+    },
+    "control-sockets": {{ kea_dhcp__dhcp4['control-sockets'] | to_nice_json }},
+    "lease-database": {{ kea_dhcp__dhcp4['lease-database'] | to_nice_json }},
+    {% if kea_dhcp__dhcp4['option-data'] is defined and kea_dhcp__dhcp4['option-data'] %}
+    "option-data": {{ kea_dhcp__dhcp4['option-data'] | to_nice_json }},
+    {% endif %}
+    "subnet4": [
+      {% for subnet in kea_dhcp__dhcp4.subnets %}
+      {
+        "id": {{ subnet.id }},
+        "subnet": "{{ subnet.subnet }}",
+        "pools": {{ subnet.pools | to_nice_json }},
+        {% if subnet.reservations is defined and subnet.reservations %}
+        "reservations": {{ subnet.reservations | to_nice_json }},
+        {% endif %}
+        {% if subnet['option-data'] is defined and subnet['option-data'] %}
+        "option-data": {{ subnet['option-data'] | to_nice_json }}
+        {% endif %}
+      }{% if not loop.last %},{% endif %}
+      {% endfor %}
+    ]
+  }
+}

roles/kea_dhcp/templates/kea-dhcp6.conf.jinja

@@ -0,0 +1,27 @@
+{
+  "Dhcp6": {
+    "interfaces-config": {
+      "interfaces": {{ kea_dhcp__dhcp6.interfaces | to_nice_json }}
+    },
+		"control-sockets": {{ kea_dhcp__dhcp6['control-sockets'] | to_nice_json }},
+		"lease-database": {{ kea_dhcp__dhcp6['lease-database'] | to_nice_json }},
+    {% if kea_dhcp__dhcp6['option-data'] is defined and kea_dhcp__dhcp6['option-data'] %}
+    "option-data": {{ kea_dhcp__dhcp6['option-data'] | to_nice_json }},
+    {% endif %}
+    "subnet6": [
+      {% for subnet in kea_dhcp__dhcp6.subnets %}
+      {
+        "id": {{ subnet.id }},
+	      "subnet": "{{ subnet.subnet }}",
+        "pools": {{ subnet.pools | to_nice_json }},
+        {% if subnet.reservations is defined and subnet.reservations %}
+        "reservations": {{ subnet.reservations | to_nice_json }},
+	      {% endif %}
+        {% if subnet['option-data'] is defined and subnet['option-data'] %}
+        "option-data": {{ subnet['option-data'] | to_nice_json }}
+        {% endif %}
+      }{% if not loop.last %},{% endif %}
+      {% endfor %}
+    ]
+	}
+}

roles/kea_dhcp/templates/stork-agent.env.jinja

@@ -0,0 +1,20 @@
+### Stork Agent env file
+### (created and managed by ansible kea_dhcp role)
+
+
+{% if kea_dhcp__stork_agent.prometheus_only %}
+### listen for Prometheus requests only, but not for commands from the Stork server
+STORK_AGENT_LISTEN_PROMETHEUS_ONLY=true
+{% endif %}
+
+### settings for exporting stats to Prometheus
+### the IP or hostname on which the agent exports Kea statistics to Prometheus
+STORK_AGENT_PROMETHEUS_KEA_EXPORTER_ADDRESS=localhost
+### the port on which the agent exports Kea statistics to Prometheus
+# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PORT=
+
+### Logging parameters
+
+### Set logging level. Supported values are: DEBUG, INFO, WARN, ERROR
+STORK_LOG_LEVEL=DEBUG
+

roles/unbound/README.md

@@ -0,0 +1,20 @@
+# Unbound DNS resolver
+
+Role fora a validating, recursive, caching DNS resolver based on [Unbound](https://nlnetlabs.nl/projects/unbound/about/). 
+It is designed to be fast and lean and incorporates modern features based on open standards.
+
+- [Documentation](https://unbound.docs.nlnetlabs.nl/en/latest/)
+
+## Role Customization
+
+The following variables can be used to customize this role:
+
+| Variable                                 | Type            | Default         | Description                                                                                                                                                                               |
+|------------------------------------------|-----------------|-----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| unbound_install_prometheus_exporter | Boolean         | `true`          | Whether [Unbound Exporter](https://github.com/letsencrypt/unbound_exporter) should also be installed to expose resolver statistics in prometheus format.                                  |
+| unbound_bind_interfaces             | List of Strings | `[0.0.0.0, ::]` | List of interface names or IP addresses on which unbound will listen for dns queries                                                                                                      |
+| unbound_enable_unbound_control      | Boolean         | `true`          | Whether the [remote control](https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/configuration.html#set-up-remote-control) feature of unbound should be configured.               |
+| unbound_enable_dnssec               | Boolean         | `true`          | Whether dnssec validation should be enabled                                                                                                                                               |
+| unbound_access_control              | List of Strings | `[]`            | **Required** List of [unbound access control values](https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#:~:text=access-control:%20%3CIP%20netblock%3E%20%3Caction%3E) |
+| unbound_disable_systemd_networkd    | Boolean         | `true`          | If true, systemd-networkd is disabled and the local system is pointed towards the configured dns resolver.                                                                                |
+| unbound_thread_count                | Integer         | Max vCPU Count | The number of threads unbound uses |

roles/unbound/defaults/main.yml

@@ -0,0 +1,7 @@
+unbound_install_prometheus_exporter: true
+unbound_bind_interfaces: [ "0.0.0.0", "::" ]
+unbound_disable_systemd_networkd: true
+unbound_enable_unbound_control: true
+unbound_enable_dnssec: true
+unbound_access_control: [ ]
+unbound_private_domain: [ ]

roles/unbound/files/no-resolved.resolv.conf

@@ -0,0 +1 @@
+nameserver 127.0.0.1

roles/unbound/handlers/main.yml

@@ -0,0 +1,18 @@
+- name: unbound.restarted
+  become: true
+  ansible.builtin.systemd:
+    name: unbound.service
+    state: restarted
+
+- name: unbound.reloaded
+  become: true
+  ansible.builtin.systemd:
+    name: unbound.service
+    state: reloaded
+
+- name: prometheus-unbound-exporter.restarted
+  become: true
+  ansible.builtin.systemd:
+    name: prometheus-unbound-exporter.service
+    state: restarted
+    enabled: true

roles/unbound/tasks/main.yml

@@ -0,0 +1,47 @@
+- name: unbound role main
+  block:
+
+    - name: install unbound dns resolver
+      become: true
+      ansible.builtin.package:
+        name: unbound
+
+    - name: ensure correct directory permissions
+      become: true
+      ansible.builtin.file:
+        path: /etc/unbound
+        state: directory
+        mode: u=rwX,g=rX,o=rX
+        recurse: true
+        owner: unbound
+        group: unbound
+
+    - name: configure unbound dns resolver
+      become: true
+      notify: unbound.restarted
+      ansible.builtin.template:
+        src: unbound.conf.j2
+        dest: /etc/unbound/unbound.conf
+        owner: unbound
+        group: unbound
+        mode: u=rw,g=r,o=r
+
+    - name: ensure unbound is running and enabled
+      become: true
+      ansible.builtin.systemd:
+        name: unbound.service
+        state: started
+        enabled: true
+
+    - name: disable systemd-resolved
+      when: unbound_disable_systemd_networkd
+      ansible.builtin.include_role:
+        name: deploy_systemd_resolved_config
+      vars:
+        deploy_systemd_resolved_config__enable: false
+        deploy_systemd_resolved_config__dns:
+          - 127.0.0.1
+
+    - name: install and configure prometheus-exporter for unbound
+      ansible.builtin.import_tasks: prometheus-exporter.yml
+      when: unbound_install_prometheus_exporter

roles/unbound/tasks/prometheus-exporter.yml

@@ -0,0 +1,23 @@
+---
+- name: install unbound prometheus exporter # FIXME: there is no prometheus-unbound-exporter in debian .deb exists in https://github.com/letsencrypt/unbound_exporter/releases/tag/v0.6.0
+  become: true
+  ansible.builtin.package:
+    name: prometheus-unbound-exporter
+
+- name: enable unbound prometheus exporter
+  become: true
+  ansible.builtin.systemd:
+    name: prometheus-unbound-exporter.service
+    enabled: true
+    daemon_reload: true
+
+- name: configure unbound exporter
+  become: true
+  ansible.builtin.copy:
+    dest: /etc/conf.d/prometheus-unbound-exporter
+    content: |
+      UNBOUND_EXPORTER_ARGS="-unbound.ca "" -unbound.cert "" -unbound.host "unix:///run/unbound-control.sock"
+    owner: root
+    group: root
+    mode: '0660'
+  notify: prometheus-unbound-exporter.restarted

roles/unbound/templates/unbound.conf.j2

@@ -0,0 +1,68 @@
+# ref: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
+#      unbound.conf(5) man page
+server:
+  {% if unbound_enable_dnssec -%}
+  # location of the trust anchor file that enables DNSSEC
+  # this file is generated by the `unbound-anchor` command
+  auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
+  {% endif -%}
+
+	# num of threads
+	num-threads: {{ unbound_thread_count | default(ansible_facts['processor_vcpus']) }}
+
+	# more cache memory
+  rrset-cache-size: 60m
+  msg-cache-size: 30m
+
+	# prefetch to keep the cache up to date
+	prefetch: yes
+
+	# fetch the DNSKEYs earlier in the validation process, when a DS record is encountered
+	prefetch-key: yes
+
+	# Faster UDP with multithreading (only on Linux).
+  so-reuseport: yes
+
+	# disable special large send buffer handling and just use kernel defaults
+  so-sndbuf: 0
+
+  # send minimal amount of information to upstream servers to enhance privacy
+  qname-minimisation: yes
+
+  # specify the interface to answer queries from by ip-address.
+  {% for i in unbound_bind_interfaces -%}
+  interface: "{{ i }}"
+  {% endfor %}
+
+  # addresses from the IP range that are allowed to connect to the resolver
+  {% for i in unbound_access_control -%}
+  access-control: {{ i }}
+  {% endfor -%}
+
+  {% for i in unbound_private_domain -%}
+  private-domain: {{ i }}
+  {% endfor -%}
+
+  # The number of seconds between printing statistics to the log for every thread.
+  statistics-interval: 0
+
+  # Extended statistics are printed, Keeping track of more statistics takes time.
+  extended-statistics: yes
+
+remote-control:
+  control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }}
+  control-interface: /run/unbound-control.sock
+
+
+# configure some zones for which this resolver will act authoritatively
+# https://www.dns.icann.org/services/axfr/
+{% for i in [ ".", "in-addr.arpa.", "arpa.", "root-servers.net.", "ip6.arpa.", "ip6-servers.arpa.", "mcast.net." ] %}
+auth-zone:
+  name: "{{ i }}"
+  primary: "lax.xfr.dns.icann.org"
+  primary: "iad.xfr.dns.icann.org"
+  fallback-enabled: yes
+  for-downstream: no
+  for-upstream: yes
+
+{% endfor %}