Cleanup old configurations we no longer use. #13

Merged
june merged 1 commit from cleanup into main 2024-11-22 23:54:36 +01:00
52 changed files with 0 additions and 1377 deletions
Showing only changes of commit 433008d211 - Show all commits

View file

@ -1,4 +0,0 @@
mosquitto__mosquitto_conf_content: "{{ lookup('ansible.builtin.file', 'z9/configs/automation/mosquitto/mosquitto.conf') }}"
mosquitto__configs:
- name: winkekatz
content: "{{ lookup('ansible.builtin.file', 'z9/configs/automation/mosquitto/winkekatz.conf') }}"

View file

@ -1,14 +0,0 @@
certbot__version_spec: ""
certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
certbot__certificate_domains:
- "status.ccchh.net"
certbot__new_cert_commands:
- "systemctl reload nginx.service"
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.file', 'z9/configs/uptime-kuma/compose.yaml') }}"
docker_compose__configuration_files: [ ]
nginx__version_spec: ""
nginx__configurations:
- name: status.ccchh.net
content: "{{ lookup('ansible.builtin.file', 'z9/configs/uptime-kuma/nginx/status.ccchh.net.conf') }}"

View file

@ -1,15 +0,0 @@
zigbee2mqtt__version: "1.37.1"
zigbee2mqtt__network_key: "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/z9/zigbee2mqtt/network_key', create=false, missing='error') }}"
zigbee2mqtt__initial_config: "{{ lookup('ansible.builtin.template', 'z9/configs/zigbee2mqtt/zigbee2mqtt/configuration.yaml.j2') }}"
certbot__version_spec: ""
certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
certbot__certificate_domains:
- "zigbee2mqtt.ccchh.net"
certbot__new_cert_commands:
- "systemctl reload nginx.service"
nginx__version_spec: ""
nginx__configurations:
- name: zigbee2mqtt
content: "{{ lookup('ansible.builtin.file', 'z9/configs/zigbee2mqtt/nginx/zigbee2mqtt.conf') }}"

View file

@ -8,43 +8,18 @@ all:
authoritative-dns:
ansible_host: authoritative-dns.z9.ccchh.net
ansible_user: chaos
uptime-kuma:
ansible_host: uptime-kuma.z9.ccchh.net
ansible_user: chaos
debian_12:
hosts:
nginx_hosts:
hosts:
light:
uptime-kuma:
public_reverse_proxy_hosts:
hosts:
cert_hosts:
hosts:
certbot_hosts:
hosts:
uptime-kuma:
zigbee2mqtt_hosts:
hosts:
mosquitto_hosts:
hosts:
ola_hosts:
hosts:
light:
foobazdmx_hosts:
hosts:
light:
hifiberry_hosts:
hosts:
bluetooth_audio_sink_hosts:
hosts:
shairport_sync_hosts:
hosts:
docker_compose_hosts:
hosts:
uptime-kuma:
infrastructure_authorized_keys_hosts:
hosts:
light:
authoritative-dns:
uptime-kuma:

View file

@ -1,7 +1,4 @@
---
- name: engelsystem_specific_pre_tasks
ansible.builtin.import_playbook: engelsystem_specific_pre_tasks.yaml
- name: Ensure SSH server config deployment on ssh_server_config_hosts
hosts: ssh_server_config_hosts
roles:
@ -17,21 +14,6 @@
roles:
- nextcloud
- name: Ensure HiFiBerry deployment on hifiberry_hosts
hosts: hifiberry_hosts
roles:
- hifiberry
- name: Ensure bluetooth audio sink deployment on bluetooth_audio_sink_hosts
hosts: bluetooth_audio_sink_hosts
roles:
- bluetooth_audio_sink
- name: Ensure shairport sync deployment on shairport_sync_hosts
hosts: shairport_sync_hosts
roles:
- shairport_sync
- name: Ensure ola deployment on ola_hosts
hosts: ola_hosts
roles:
@ -42,26 +24,11 @@
roles:
- foobazdmx
- name: Ensure Mosquitto MQTT broker deployment on mosquitto_hosts
hosts: mosquitto_hosts
roles:
- mosquitto
- name: Ensure Zigbee2MQTT deployment on zigbee2mqtt_hosts
hosts: zigbee2mqtt_hosts
roles:
- zigbee2mqtt
- name: Ensure Dokuwiki config
hosts: wiki
roles:
- dokuwiki
- name: Ensure certificate deployment on cert_hosts
hosts: cert_hosts
roles:
- cert
- name: Ensure NGINX deployment on nginx_hosts, which are also public_reverse_proxy_hosts, before certbot role runs
hosts: nginx_hosts:&public_reverse_proxy_hosts
roles:

View file

@ -1,23 +0,0 @@
---
- name: engelsystem on engelsystem.z9 specific pre tasks
hosts: engelsystem
pre_tasks:
- name: Install git
ansible.builtin.apt:
name: git
state: present
- name: Clone engelsystem repo
ansible.builtin.git:
repo: https://github.com/engelsystem/engelsystem.git
dest: "{{ ansible_user_dir }}/engelsystem"
version: main
force: true
update: false
- name: apply patch to code to add train drivers license
ansible.posix.patch:
src: patches/engelsystem/code_en.patch
dest: "{{ ansible_user_dir }}/engelsystem/includes/view/UserDriverLicenses_view.php"
- name: apply patch to german locale add train drivers license
ansible.posix.patch:
src: patches/engelsystem/lang_de.patch
dest: "{{ ansible_user_dir }}/engelsystem/resources/lang/de_DE/default.po"

View file

@ -1,42 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name aes.ccchh.net;
ssl_certificate /etc/letsencrypt/live/aes.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/aes.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/aes.ccchh.net/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
location / {
proxy_pass http://127.0.0.1:5080/;
}
}

View file

@ -1,8 +0,0 @@
22c22
< form_checkbox('wants_to_drive', __('I am willing to drive a car for the event'), $user_driver_license->wantsToDrive()),
---
> form_checkbox('wants_to_drive', __('I am willing to drive a vehicle for the event'), $user_driver_license->wantsToDrive()),
48c48
< __('Forklift'),
---
> __('Train'),

View file

@ -1,12 +0,0 @@
1390,1391c1390,1391
< msgid "Forklift"
< msgstr "Gabelstapler"
---
> msgid "Train"
> msgstr "Lok"
1643,1644c1643,1644
< msgid "I am willing to drive a car for the event"
< msgstr "Ich möchte für das Event Auto fahren"
---
> msgid "I am willing to drive a vehicle for the event"
> msgstr "Ich möchte für das Event Fahrzeuge fahren"

View file

@ -1,16 +0,0 @@
# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
per_listener_settings false
listener 1883
allow_anonymous true
pid_file /run/mosquitto/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d

View file

@ -1,8 +0,0 @@
connection winkekatz
address mqtt.winkekatze24.de
bridge_protocol_version mqttv311
topic winkekatze/allcats/eye/set in 2
topic winkekatze/allcats in 2
topic +/status out 2 winkekatze/ ""
topic +/connected out 2 winkekatze/ ""

View file

@ -1,17 +0,0 @@
## Links & Rescources:
#
# https://github.com/louislam/uptime-kuma
# https://github.com/louislam/uptime-kuma/wiki/%F0%9F%94%A7-How-to-Install
# https://github.com/louislam/uptime-kuma/blob/master/docker/docker-compose.yml
# https://github.com/louislam/uptime-kuma/wiki/%F0%9F%86%99-How-to-Update
# https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy
# https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
services:
uptime-kuma:
image: louislam/uptime-kuma:1
restart: unless-stopped
volumes:
- "./uptime-kuma-data:/app/data"
ports:
- 3001:3001

View file

@ -1,40 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
# Also see: https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 10.31.206.1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name status.ccchh.net;
ssl_certificate /etc/letsencrypt/live/status.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/status.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/status.ccchh.net/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# replace with the IP address of your resolver
resolver 10.31.206.1;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://127.0.0.1:3001/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

View file

@ -1,28 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name zigbee2mqtt.ccchh.net;
ssl_certificate /etc/letsencrypt/live/zigbee2mqtt.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/zigbee2mqtt.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/zigbee2mqtt.ccchh.net/chain.pem;
add_header Strict-Transport-Security "max-age=63072000" always;
location / {
proxy_pass http://localhost:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /api {
proxy_pass http://localhost:8080/api;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

View file

@ -1,3 +0,0 @@
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin audiosink --noclear %I 38400 linux

View file

@ -1,8 +0,0 @@
[Unit]
Description=Bluetooth speaker agent
[Service]
ExecStart=python3 /opt/speaker-agent/speaker-agent.py
[Install]
WantedBy=default.target

View file

@ -1,14 +0,0 @@
---
- name: Restart bluetooth service
ansible.builtin.systemd:
service: bluetooth.service
state: restarted
- name: Restart speaker-agent service
become_user: audiosink
ansible.builtin.systemd:
service: speaker-agent.service
state: restarted
scope: user
daemon_reload: true
- name: Reboot host
ansible.builtin.reboot:

View file

@ -1,8 +0,0 @@
---
argument_specs:
main:
options:
bluetooth_audio_sink__name:
description: Name the bluetooth device should have
type: str
required: true

View file

@ -1,8 +0,0 @@
---
dependencies:
- role: distribution_check
vars:
distribution_check__distribution_support_spec:
- name: Debian
major_versions:
- "11"

View file

@ -1,182 +0,0 @@
---
- name: Ensure acl is installed
become: true
ansible.builtin.apt:
name: acl
- name: Ensure machine-info file is deployed
become: true
ansible.builtin.template:
src: machine-info.j2
dest: /etc/machine-info
mode: "644"
owner: root
group: root
notify: Restart bluetooth service
- name: Ensure bluetooth config is deployed
become: true
ansible.builtin.template:
src: main.conf.j2
dest: /etc/bluetooth/main.conf
mode: "644"
owner: root
group: root
notify: Restart bluetooth service
- name: Ensure bluetooth service is enabled and started
become: true
ansible.builtin.systemd:
service: bluetooth.service
state: started
enabled: true
- name: Ensure audiosink user exists
become: true
ansible.builtin.user:
name: audiosink
groups:
- audio
- name: Ensure user services are started without needing to login
become: true
ansible.builtin.command:
cmd: loginctl enable-linger audiosink
changed_when: false
- name: Detect if on Raspberry Pi # noqa ignore-errors
ansible.builtin.include_role:
name: raspberry_pi_check
ignore_errors: true
- name: Ensure debian archive keyring is installed # noqa no-handler
become: true
when: raspberry_pi_check__cpuinfo.found
ansible.builtin.apt:
deb: https://ftp.debian.org/debian/pool/main/d/debian-archive-keyring/debian-archive-keyring_2021.1.1+deb11u1_all.deb
- name: Ensure debian backports repository is enabled
ansible.builtin.include_role:
name: add_apt_repository
vars:
add_apt_repository__https_repo: false
add_apt_repository__repo: "deb http://deb.debian.org/debian {{ ansible_facts.lsb.codename }}-backports main contrib non-free"
add_apt_repository__filename: "{{ ansible_facts.lsb.codename }}-backports.list"
- name: Ensure pipewire, wireplumber and libspa-0.2-bluetooth are installed
become: true
ansible.builtin.apt:
name:
- pipewire
- wireplumber
- libspa-0.2-bluetooth
default_release: "{{ ansible_facts.lsb.codename }}-backports"
- name: Ensure pipewire user service is enabled and started
become: true
become_user: audiosink
ansible.builtin.systemd:
name: pipewire.service
state: started
enabled: true
scope: user
- name: Ensure pipewire-pulse user service is enabled and started
become: true
become_user: audiosink
ansible.builtin.systemd:
name: pipewire-pulse.service
state: started
enabled: true
scope: user
- name: Ensure wireplumber user service is enabled
become: true
become_user: audiosink
ansible.builtin.systemd:
name: wireplumber.service
enabled: true
scope: user
- name: Ensure speaker-agent dependencies are installed
become: true
ansible.builtin.apt:
name:
- git
- python3-dbus
- name: Ensure speaker-agent repository is cloned
become: true
ansible.builtin.git:
repo: https://github.com/fdanis-oss/pw_wp_bluetooth_rpi_speaker.git
dest: /opt/speaker-agent
version: 9a939a23865ea020816017e06fd2290f301c35f9
- name: Ensure .config directory exists
become: true
become_user: audiosink
ansible.builtin.file:
path: /home/audiosink/.config
state: directory
mode: "700"
owner: audiosink
group: audiosink
- name: Ensure .config/systemd directory exists
become: true
become_user: audiosink
ansible.builtin.file:
path: /home/audiosink/.config/systemd
state: directory
mode: "755"
owner: audiosink
group: audiosink
- name: Ensure .config/systemd/user directory exists
become: true
become_user: audiosink
ansible.builtin.file:
path: /home/audiosink/.config/systemd/user
state: directory
mode: "755"
owner: audiosink
group: audiosink
- name: Ensure speaker-agent service file is deployed
become: true
become_user: audiosink
ansible.builtin.copy:
src: speaker-agent.service
dest: /home/audiosink/.config/systemd/user/speaker-agent.service
mode: "644"
owner: audiosink
group: audiosink
notify: Restart speaker-agent service
- name: Ensure speaker-agent service is enabled and started
become: true
become_user: audiosink
ansible.builtin.systemd:
name: speaker-agent.service
state: started
enabled: true
scope: user
# This part is janky, but I don't know how to make the bluetooth service, wireplumber and pipewire
# work with each other without being logged in.
- name: Ensure getty@tty1 override file is deployed
become: true
ansible.builtin.copy:
src: override.conf
dest: /etc/systemd/system/getty@tty1.service.d/override.conf
mode: "644"
owner: root
group: root
notify: Reboot host
- name: Ensure autologin for audiosink user is enabled
become: true
ansible.builtin.systemd:
service: getty@tty1.service
enabled: true
notify: Reboot host

View file

@ -1 +0,0 @@
PRETTY_HOSTNAME=Audio Pi

View file

@ -1,211 +0,0 @@
[General]
# Defaults to 'BlueZ X.YZ', if Name is not set here and plugin 'hostname' is not loaded.
# The plugin 'hostname' is loaded by default and overides the Name set here so
# consider modifying /etc/machine-info with variable PRETTY_HOSTNAME=<NewName> instead.
Name = {{ bluetooth_audio_sink__name }}
# Default device class. Only the major and minor device class bits are
# considered. Defaults to '0x000000'.
Class = 0x200414 # Audio (Major Service Class), Audio/Video (Major Device Class), Loudspeaker (Minor Device Class)
# How long to stay in discoverable mode before going back to non-discoverable
# The value is in seconds. Default is 180, i.e. 3 minutes.
# 0 = disable timer, i.e. stay discoverable forever
#DiscoverableTimeout = 0
DiscoverableTimeout = 0
# Always allow pairing even if there are no agent registered
# Possible values: true, false
# Default: false
#AlwaysPairable = false
AlwaysPairable = true
# How long to stay in pairable mode before going back to non-discoverable
# The value is in seconds. Default is 0.
# 0 = disable timer, i.e. stay pairable forever
#PairableTimeout = 0
PairableTimeout = 0
# Use vendor id source (assigner), vendor, product and version information for
# DID profile support. The values are separated by ":" and assigner, VID, PID
# and version.
# Possible vendor id source values: bluetooth, usb (defaults to usb)
#DeviceID = bluetooth:1234:5678:abcd
# Do reverse service discovery for previously unknown devices that connect to
# us. For BR/EDR this option is really only needed for qualification since the
# BITE tester doesn't like us doing reverse SDP for some test cases, for LE
# this disables the GATT client functionally so it can be used in system which
# can only operate as peripheral.
# Defaults to 'true'.
#ReverseServiceDiscovery = true
# Enable name resolving after inquiry. Set it to 'false' if you don't need
# remote devices name and want shorter discovery cycle. Defaults to 'true'.
#NameResolving = true
# Enable runtime persistency of debug link keys. Default is false which
# makes debug link keys valid only for the duration of the connection
# that they were created for.
#DebugKeys = false
# Restricts all controllers to the specified transport. Default value
# is "dual", i.e. both BR/EDR and LE enabled (when supported by the HW).
# Possible values: "dual", "bredr", "le"
#ControllerMode = dual
# Enables Multi Profile Specification support. This allows to specify if
# system supports only Multiple Profiles Single Device (MPSD) configuration
# or both Multiple Profiles Single Device (MPSD) and Multiple Profiles Multiple
# Devices (MPMD) configurations.
# Possible values: "off", "single", "multiple"
#MultiProfile = off
# Permanently enables the Fast Connectable setting for adapters that
# support it. When enabled other devices can connect faster to us,
# however the tradeoff is increased power consumptions. This feature
# will fully work only on kernel version 4.1 and newer. Defaults to
# 'false'.
#FastConnectable = false
# Default privacy setting.
# Enables use of private address.
# Possible values: "off", "device", "network"
# "network" option not supported currently
# Defaults to "off"
# Privacy = off
# Specify the policy to the JUST-WORKS repairing initiated by peer
# Possible values: "never", "confirm", "always"
# Defaults to "never"
#JustWorksRepairing = never
JustWorksRepairing = always
# How long to keep temporary devices around
# The value is in seconds. Default is 30.
# 0 = disable timer, i.e. never keep temporary devices
#TemporaryTimeout = 30
# Enables the device to issue an SDP request to update known services when
# profile is connected. Defaults to true.
#RefreshDiscovery = true
Enable=Sink
[Controller]
# The following values are used to load default adapter parameters. BlueZ loads
# the values into the kernel before the adapter is powered if the kernel
# supports the MGMT_LOAD_DEFAULT_PARAMETERS command. If a value isn't provided,
# the kernel will be initialized to it's default value. The actual value will
# vary based on the kernel version and thus aren't provided here.
# The Bluetooth Core Specification should be consulted for the meaning and valid
# domain of each of these values.
# BR/EDR Page scan activity configuration
#BRPageScanType=
#BRPageScanInterval=
#BRPageScanWindow=
# BR/EDR Inquiry scan activity configuration
#BRInquiryScanType=
#BRInquiryScanInterval=
#BRInquiryScanWindow=
# BR/EDR Link supervision timeout
#BRLinkSupervisionTimeout=
# BR/EDR Page Timeout
#BRPageTimeout=
# BR/EDR Sniff Intervals
#BRMinSniffInterval=
#BRMaxSniffInterval=
# LE advertisement interval (used for legacy advertisement interface only)
#LEMinAdvertisementInterval=
#LEMaxAdvertisementInterval=
#LEMultiAdvertisementRotationInterval=
# LE scanning parameters used for passive scanning supporting auto connect
# scenarios
#LEScanIntervalAutoConnect=
#LEScanWindowAutoConnect=
# LE scanning parameters used for passive scanning supporting wake from suspend
# scenarios
#LEScanIntervalSuspend=
#LEScanWindowSuspend=
# LE scanning parameters used for active scanning supporting discovery
# proceedure
#LEScanIntervalDiscovery=
#LEScanWindowDiscovery=
# LE scanning parameters used for passive scanning supporting the advertisement
# monitor Apis
#LEScanIntervalAdvMonitor=
#LEScanWindowAdvMonitor=
# LE scanning parameters used for connection establishment.
#LEScanIntervalConnect=
#LEScanWindowConnect=
# LE default connection parameters. These values are superceeded by any
# specific values provided via the Load Connection Parameters interface
#LEMinConnectionInterval=
#LEMaxConnectionInterval=
#LEConnectionLatency=
#LEConnectionSupervisionTimeout=
#LEAutoconnecttimeout=
[GATT]
# GATT attribute cache.
# Possible values:
# always: Always cache attributes even for devices not paired, this is
# recommended as it is best for interoperability, with more consistent
# reconnection times and enables proper tracking of notifications for all
# devices.
# yes: Only cache attributes of paired devices.
# no: Never cache attributes
# Default: always
#Cache = always
# Minimum required Encryption Key Size for accessing secured characteristics.
# Possible values: 0 and 7-16. 0 means don't care.
# Defaults to 0
#KeySize = 0
# Exchange MTU size.
# Possible values: 23-517
# Defaults to 517
#ExchangeMTU = 517
# Number of ATT channels
# Possible values: 1-5 (1 disables EATT)
# Default to 3
#Channels = 3
[Policy]
#
# The ReconnectUUIDs defines the set of remote services that should try
# to be reconnected to in case of a link loss (link supervision
# timeout). The policy plugin should contain a sane set of values by
# default, but this list can be overridden here. By setting the list to
# empty the reconnection feature gets disabled.
#ReconnectUUIDs=00001112-0000-1000-8000-00805f9b34fb,0000111f-0000-1000-8000-00805f9b34fb,0000110a-0000-1000-8000-00805f9b34fb
# ReconnectAttempts define the number of attempts to reconnect after a link
# lost. Setting the value to 0 disables reconnecting feature.
#ReconnectAttempts=7
# ReconnectIntervals define the set of intervals in seconds to use in between
# attempts.
# If the number of attempts defined in ReconnectAttempts is bigger than the
# set of intervals the last interval is repeated until the last attempt.
#ReconnectIntervals=1,2,4,8,16,32,64
# AutoEnable defines option to enable all controllers when they are found.
# This includes adapters present on start as well as adapters that are plugged
# in later on. Defaults to 'false'.
AutoEnable=true

View file

@ -1,25 +0,0 @@
# Role `cert`
A role for ordering and renewing certificates from Lets Encrypt via ACME.
It uses the DNS challenge and fullfills it via a BIND 9 server given to the role.
## Supported Distributions
The following distributions are supported:
- Debian 11
## Required Arguments
For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yml)
## `hosts`
The `hosts` for this role need to be the machines on which you want to have the certificates.
## Links & Resources
- <https://docs.ansible.com/ansible/7/collections/community/crypto/acme_certificate_module.html>
- <https://docs.ansible.com/ansible/7/collections/community/crypto/openssl_privatekey_module.html>
- <https://docs.ansible.com/ansible/7/collections/community/crypto/openssl_csr_module.html>
- <https://eff-certbot.readthedocs.io/en/stable/using.html#where-are-my-certificates>

View file

@ -1,7 +0,0 @@
cert__handlers: []
cert__owner: root
cert__group: root
cert__fullchain_pem_permissions: "0660"
cert__chain_pem_permissions: "0660"
cert__cert_pem_permissions: "0660"
cert__privkey_pem_permissions: "0600"

View file

@ -1,52 +0,0 @@
---
argument_specs:
main:
short_description: Orders and renews certificates from Let's Encrypt
options:
cert__domains:
description: Domains for which to issue a certificate. Must be in the same DNS zone.
required: true
type: list
elements: str
cert__owner:
description: Owner of the certificate files.
required: false
type: str
default: root
cert__group:
description: Group of the certificate files.
required: false
type: str
default: root
cert__acme_account_email:
description: E-Mail address for ACME account
required: true
type: str
cert__bind_9_host:
description: The machine running BIND 9.
required: true
type: str
cert__bind_9_zone:
description: The zone to use for publishing the TXT record.
required: true
type: str
cert__fullchain_pem_permissions:
description: Permissons for the `fullchain.pem`.
type: str
required: false
default: "0660"
cert__chain_pem_permissions:
description: Permissons for the `chain.pem`.
type: str
required: false
default: "0660"
cert__cert_pem_permissions:
description: Permissons for the `cert.pem`.
type: str
required: false
default: "0660"
cert__privkey_pem_permissions:
description: Permissons for the `privkey.pem`.
type: str
required: false
default: "0600"

View file

@ -1,8 +0,0 @@
dependencies: # noqa meta-no-info
- role: distribution_check
vars:
distribution_check__distribution_support_spec:
- name: Debian
major_versions:
- "11"
- "12"

View file

@ -1,180 +0,0 @@
- name: Ensure `ansible_certs` directory exists
ansible.builtin.file:
path: /etc/ansible_certs
state: directory
owner: root
group: root
mode: "755"
become: true
- name: Ensure `certs` sub-directory exists
ansible.builtin.file:
path: /etc/ansible_certs/certs
state: directory
owner: root
group: root
mode: "755"
become: true
- name: Ensure sub-directory for the certificate exists
ansible.builtin.file:
path: "/etc/ansible_certs/certs/{{ item }}"
state: directory
owner: "{{ cert__owner }}"
group: "{{ cert__group }}"
mode: "755"
become: true
- name: Ensure private key for certificate exists
community.crypto.openssl_privatekey:
path: "/etc/ansible_certs/certs/{{ item }}/privkey.pem"
size: 4096
type: RSA
owner: "{{ cert__owner }}"
group: "{{ cert__group }}"
mode: "{{ cert__privkey_pem_permissions }}"
become: true
- name: Ensure certificate signing request is created
community.crypto.openssl_csr:
path: "/etc/ansible_certs/certs/{{ item }}/csr.pem"
privatekey_path: "/etc/ansible_certs/certs/{{ item }}/privkey.pem"
common_name: "{{ item }}"
owner: "{{ cert__owner }}"
group: "{{ cert__group }}"
mode: "0660"
become: true
register: cert__csr_result
- name: Ensure private key for ACME account exists
community.crypto.openssl_privatekey:
path: "/etc/ansible_certs/account_key.pem"
size: 4096
type: RSA
owner: root
group: root
mode: "0600"
become: true
- name: Check certificate status and create ACME challenge if needed
community.crypto.acme_certificate:
account_email: "{{ cert__acme_account_email }}"
account_key_src: "/etc/ansible_certs/account_key.pem"
acme_directory: https://acme-v02.api.letsencrypt.org/directory
acme_version: 2
remaining_days: 28
terms_agreed: true
challenge: dns-01
csr: "/etc/ansible_certs/certs/{{ item }}/csr.pem"
dest: "/etc/ansible_certs/certs/{{ item }}/cert.pem"
fullchain_dest: "/etc/ansible_certs/certs/{{ item }}/fullchain.pem"
become: true
register: cert__acme_challenge
- name: Retrieve certificate and fulfill challenge if needed # noqa no-handler
when: cert__acme_challenge.changed # Can't be put in a handler, because then the block "always" tasks won't be executed for some reason
block:
- name: Add file containing nsupdate commands for adding TXT record for DNS-01 challenge
ansible.builtin.template:
src: nsupdate_add_txt_record.j2
dest: /root/nsupdate_add_txt_record
owner: root
group: root
mode: "0600"
vars:
cert__nsupdate_domain: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].record }}"
cert__nsupdate_txt_data: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].resource_value }}"
become: true
delegate_to: "{{ cert__bind_9_host }}"
- name: Add DNS record to BIND 9 server via nsupdate # noqa: no-changed-when
ansible.builtin.command: /usr/bin/nsupdate -l /root/nsupdate_add_txt_record
become: true
delegate_to: "{{ cert__bind_9_host }}"
- name: Retrieve certificate
community.crypto.acme_certificate:
account_email: "{{ cert__acme_account_email }}"
account_key_src: "/etc/ansible_certs/account_key.pem"
acme_directory: https://acme-v02.api.letsencrypt.org/directory
acme_version: 2
terms_agreed: true
remaining_days: 28
challenge: dns-01
csr: "/etc/ansible_certs/certs/{{ item }}/csr.pem"
dest: "/etc/ansible_certs/certs/{{ item }}/cert.pem"
fullchain_dest: "/etc/ansible_certs/certs/{{ item }}/fullchain.pem"
data: "{{ cert__acme_challenge }}"
become: true
notify: "{{ cert__handlers }}"
always:
- name: Remove file containing nsupdate commands for adding TXT record again
ansible.builtin.file:
path: /root/nsupdate_add_txt_record
state: absent
become: true
delegate_to: "{{ cert__bind_9_host }}"
- name: Remove TXT record again
block:
- name: Add file containing nsupdate commands for deleting TXT record for DNS-01 challenge
ansible.builtin.template:
src: nsupdate_delete_txt_record.j2
dest: /root/nsupdate_delete_txt_record
owner: root
group: root
mode: "0600"
vars:
cert__nsupdate_domain: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].record }}"
cert__nsupdate_txt_data: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].resource_value }}"
become: true
delegate_to: "{{ cert__bind_9_host }}"
- name: Remove DNS record from BIND 9 server via nsupdate # noqa: no-changed-when
ansible.builtin.command: /usr/bin/nsupdate -l /root/nsupdate_delete_txt_record
become: true
delegate_to: "{{ cert__bind_9_host }}"
always:
- name: Remove file containing nsupdate commands for deleting TXT record again
ansible.builtin.file:
path: /root/nsupdate_delete_txt_record
state: absent
become: true
delegate_to: "{{ cert__bind_9_host }}"
- name: Ensure correct permissions for certificate are set
ansible.builtin.file:
path: "/etc/ansible_certs/certs/{{ item }}/cert.pem"
owner: "{{ cert__owner }}"
group: "{{ cert__group }}"
mode: "{{ cert__cert_pem_permissions }}"
become: true
- name: Ensure correct permissions for fullchain cert are set
ansible.builtin.file:
path: "/etc/ansible_certs/certs/{{ item }}/fullchain.pem"
owner: "{{ cert__owner }}"
group: "{{ cert__group }}"
mode: "{{ cert__fullchain_pem_permissions }}"
become: true
- name: Get content of cert.pem
ansible.builtin.slurp:
src: "/etc/ansible_certs/certs/{{ item }}/cert.pem"
become: true
register: cert__cert_slurp
- name: Get content of fullchain.pem
ansible.builtin.slurp:
src: "/etc/ansible_certs/certs/{{ item }}/fullchain.pem"
become: true
register: cert__fullchain_slurp
- name: Ensure chain.pem is created
ansible.builtin.copy:
content: "{{ cert__fullchain_slurp.content | b64decode | replace(cert__cert_slurp.content | b64decode, '') }}"
dest: "/etc/ansible_certs/certs/{{ item }}/chain.pem"
owner: "{{ cert__owner }}"
group: "{{ cert__group }}"
mode: "{{ cert__chain_pem_permissions }}"
become: true

View file

@ -1,3 +0,0 @@
- name: Deploy cert
ansible.builtin.include_tasks: deploy_cert.yaml
loop: "{{ cert__domains }}"

View file

@ -1,4 +0,0 @@
debug
zone {{ cert__bind_9_zone }}
update add {{ cert__nsupdate_domain }} 60 TXT {{ cert__nsupdate_txt_data }}
send

View file

@ -1,4 +0,0 @@
debug
zone {{ cert__bind_9_zone }}
update delete {{ cert__nsupdate_domain }} 60 TXT {{ cert__nsupdate_txt_data }}
send

View file

@ -1,4 +0,0 @@
---
- name: Restart system
become: true
ansible.builtin.reboot:

View file

@ -1,17 +0,0 @@
---
argument_specs:
main:
options:
hifiberry__device:
description: Which HiFiBerry board to enable
type: str
choices:
- hifiberry-dac
- hifiberry-dacplus
- hifiberry-dacplushd
- hifiberry-dacplusadc
- hifiberry-dacplusadcpro
- hifiberry-digi
- hifiberry-digi-pro
- hifiberry-amp
required: true

View file

@ -1,9 +0,0 @@
---
dependencies:
- role: distribution_check
vars:
distribution_check__distribution_support_spec:
- name: Debian
major_versions:
- "11"
- role: raspberry_pi_check

View file

@ -1,23 +0,0 @@
---
- name: Remove dtparam=audio=on
become: true
ansible.builtin.lineinfile:
line: dtparam=audio=on
dest: /boot/config.txt
state: absent
notify: Restart system
- name: Set audio=off for dtoverlay=vc4-kms-v3d
become: true
ansible.builtin.lineinfile:
regexp: ^dtoverlay=vc4-kms-v3d
line: dtoverlay=vc4-kms-v3d,audio=off
dest: /boot/config.txt
notify: Restart system
- name: Add hifiberry dtoverlay
become: true
ansible.builtin.lineinfile:
line: "dtoverlay={{ hifiberry__device }}"
dest: /boot/config.txt
notify: Restart system

View file

@ -1,6 +0,0 @@
---
- name: Restart mosquitto
become: true
ansible.builtin.systemd:
service: mosquitto.service
state: restarted

View file

@ -1,26 +0,0 @@
---
argument_specs:
main:
options:
mosquitto__mosquitto_conf_content:
description: The content of the main mosquitto configuration file.
type: str
required: true
mosquitto__configs:
description: A list of additional mosquitto configurations.
type: list
elements: dict
required: false
options:
name:
description: >-
The name of the configuration file, where the configuration should
be deployed to. The file will be placed under `/etc/mosquitto/conf.d` and
`.conf` will be appended to the given name. So in the end the path
will be like this: `/etc/mosquitto/conf.d/\{\ name \}\}.conf`.
type: str
required: true
content:
description: The content of the configuration.
type: str
required: true

View file

@ -1,8 +0,0 @@
---
dependencies:
- role: distribution_check
vars:
distribution_check__distribution_support_spec:
- name: Debian
major_versions:
- "11"

View file

@ -1,33 +0,0 @@
---
- name: Ensure mosquitto is installed
become: true
ansible.builtin.apt:
name: mosquitto
- name: Ensure main configuraton file is deployed
become: true
ansible.builtin.copy:
content: "{{ mosquitto__mosquitto_conf_content }}"
dest: /etc/mosquitto/mosquitto.conf
mode: "644"
owner: root
group: root
notify: Restart mosquitto
- name: Ensure all additional configuraton files are deployed
become: true
ansible.builtin.copy:
content: "{{ item.content }}"
dest: /etc/mosquitto/conf.d/{{ item.name }}.conf
mode: "644"
owner: root
group: root
loop: "{{ mosquitto__configs }}"
notify: Restart mosquitto
- name: Ensure mosquitto service is enabled and started
become: true
ansible.builtin.systemd:
service: mosquitto.service
enabled: true
state: started

View file

@ -1,8 +0,0 @@
---
argument_specs:
main:
options:
nodejs__major_version:
description: Major version of nodejs to install
type: int
required: true

View file

@ -1,17 +0,0 @@
---
dependencies:
- role: distribution_check
vars:
distribution_check__distribution_support_spec:
- name: Debian
major_versions:
- "11"
- "12"
- role: add_apt_repository
vars:
add_apt_repository__https_repo: true
add_apt_repository__keyring_url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
add_apt_repository__keyring_path: /usr/share/keyrings/nodesource.gpg
add_apt_repository__repo: "deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_\
{{ nodejs__major_version }}.x {{ ansible_facts.lsb.codename }} main"
add_apt_repository__filename: nodesource.list

View file

@ -1,4 +0,0 @@
---
- name: Ensure nodejs is installed
ansible.builtin.apt:
name: nodejs

View file

@ -1,12 +0,0 @@
- name: Detect if on Raspberry Pi
ansible.builtin.lineinfile:
path: /proc/cpuinfo
regexp: ".*Raspberry Pi.*"
state: absent
check_mode: true
register: raspberry_pi_check__cpuinfo
changed_when: false
- name: Fail when not on Raspberry Pi # noqa no-handler
when: not raspberry_pi_check__cpuinfo.found
ansible.builtin.fail:
msg: You are not running on Raspberry Pi hardware!

View file

@ -1,6 +0,0 @@
---
- name: Restart shairport-sync service
become: true
ansible.builtin.systemd:
service: shairport-sync
state: restarted

View file

@ -1,8 +0,0 @@
---
argument_specs:
main:
options:
shairport_sync__config:
description: shairport-sync config content
type: str
required: true

View file

@ -1,8 +0,0 @@
---
dependencies:
- role: distribution_check
vars:
distribution_check__distribution_support_spec:
- name: Debian
major_versions:
- "11"

View file

@ -1,22 +0,0 @@
---
- name: Ensure shairport-sync is installed
become: true
ansible.builtin.apt:
name: shairport-sync
- name: Ensure shairport-sync config is deployed
become: true
ansible.builtin.copy:
content: "{{ shairport_sync__config }}"
dest: /etc/shairport-sync.conf
mode: "644"
owner: root
group: root
notify: Restart shairport-sync service
- name: Ensure shairport-sync service is enabled and started
become: true
ansible.builtin.systemd:
service: shairport-sync
state: started
enabled: true

View file

@ -1,18 +0,0 @@
[Unit]
Description=zigbee2mqtt
After=network.target
[Service]
Environment=ZIGBEE2MQTT_DATA=/home/zigbee2mqtt/zigbee2mqtt_data
Environment=NODE_ENV=production
ExecStart=/usr/bin/npm start
WorkingDirectory=/opt/zigbee2mqtt
StandardOutput=inherit
# Or use StandardOutput=null if you don't want Zigbee2MQTT messages filling syslog, for more options see systemd.exec(5)
StandardError=inherit
Restart=always
RestartSec=10s
User=zigbee2mqtt
[Install]
WantedBy=multi-user.target

View file

@ -1,12 +0,0 @@
- name: Restart zigbee2mqtt
become: true
ansible.builtin.systemd:
name: zigbee2mqtt
state: restarted
- name: Reload systemd-daemon and restart zigbee2mqtt
become: true
ansible.builtin.systemd:
name: zigbee2mqtt
state: restarted
daemon_reload: true

View file

@ -1,13 +0,0 @@
---
argument_specs:
main:
options:
zigbee2mqtt__version:
description: zigbee2mqtt version to install
type: str
required: true
zigbee2mqtt__initial_config:
description: Configuration file content for initial deployment.
It does not replace the configuration if it already exists.
type: str
required: true

View file

@ -1,12 +0,0 @@
---
dependencies:
- role: distribution_check
vars:
distribution_check__distribution_support_spec:
- name: Debian
major_versions:
- "11"
- "12"
- role: nodejs
vars:
nodejs__major_version: 16

View file

@ -1,87 +0,0 @@
- name: Ensure acl is installed
become: true
ansible.builtin.apt:
name: acl
- name: Ensure git is installed
become: true
ansible.builtin.apt:
name: git
- name: Ensure zigbee2mqtt user exists
become: true
ansible.builtin.user:
name: zigbee2mqtt
groups:
- zigbee2mqtt
- dialout
group: zigbee2mqtt
- name: Ensure installation directory exists
become: true
ansible.builtin.file:
dest: /opt/zigbee2mqtt
state: directory
mode: "755"
owner: zigbee2mqtt
group: zigbee2mqtt
- name: Ensure zigbee2mqtt repository is cloned
become: true
become_user: zigbee2mqtt
ansible.builtin.git:
repo: https://github.com/Koenkk/zigbee2mqtt.git
depth: 1
dest: /opt/zigbee2mqtt
version: "{{ zigbee2mqtt__version }}"
notify: Restart zigbee2mqtt
- name: Ensure npm dependencies are installed
become: true
become_user: zigbee2mqtt
community.general.npm:
path: /opt/zigbee2mqtt
ci: true
changed_when: false # installs packages according to package-lock.json, but always reports a change
- name: Ensure custom zigbee2mqtt data directory exists
become: true
ansible.builtin.file:
dest: /home/zigbee2mqtt/zigbee2mqtt_data
state: directory
mode: "755"
owner: zigbee2mqtt
group: zigbee2mqtt
- name: Check configuration file status
ansible.builtin.stat:
path: /home/zigbee2mqtt/zigbee2mqtt_data/configuration.yaml
register: zigbee2mqtt__conf_stat
- name: Ensure configuration file is deployed when it doesn't exist
become: true
when: not zigbee2mqtt__conf_stat.stat.exists
ansible.builtin.copy:
content: "{{ zigbee2mqtt__initial_config }}"
dest: /home/zigbee2mqtt/zigbee2mqtt_data/configuration.yaml
mode: "640"
owner: zigbee2mqtt
group: zigbee2mqtt
notify: Restart zigbee2mqtt
- name: Ensure zigbee2mqtt service file is deployed
become: true
ansible.builtin.copy:
src: zigbee2mqtt.service
dest: /etc/systemd/system/zigbee2mqtt.service
mode: "644"
owner: root
group: root
notify: Reload systemd-daemon and restart zigbee2mqtt
- name: Ensure zigbee2mqtt is enabled and started
become: true
ansible.builtin.systemd:
service: zigbee2mqtt
enabled: true
state: started

View file

@ -1,21 +0,0 @@
homeassistant: true
permit_join: false
mqtt:
base_topic: zigbee2mqtt
server: 'mqtt://mqtt.z9'
serial:
port: /dev/serial/by-id/usb-Texas_Instruments_TI_CC2531_USB_CDC___0X00124B0014DBC72F-if00
advanced:
network_key: [{{ zigbee2mqtt__network_key }}]
pan_id: 32673
ext_pan_id: [58, 76, 37, 2, 22, 198, 237, 124]
channel: 11
frontend:
port: 8080
host: localhost
url: https://zigbee2mqtt.z9