CCCHH/ansible-infra
CCCHH/ansible-infra
2
2
Fork 1
Code Issues 7 Pull requests 9 Wiki Activity Actions

WIP: new z9 ccchh router #98

Draft
bitwhisker wants to merge 3 commits from new_ccchh_router into main
pull from: new_ccchh_router
merge into: CCCHH:main
Conversation 1 Commits 3 Files changed 43 +1043
24 changed files with 1043 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 866005c055 - Show all commits

rt1(z9 host) unbound(role) kea_dhcp(role): create unbound and kea_dhcp role for rt1
Some checks failed
/ Ansible Lint (push) Failing after 2m30s
Details
/ Ansible Lint (pull_request) Failing after 2m27s
Details
/ build (pull_request) Failing after 2m39s
Details

Prev Next 
- create unbound role
- create kea_dhcp role
- configure unbound and keadhcp on rt1(z9 host)
bitwhisker 2026-05-24 04:01:11 +02:00
commit 866005c055
Signed by: bitwhisker
SSH key fingerprint: SHA256:KybIk/tusSKao6eLGY+ILlFa1rCrzwx66/acBAcKUqE

1
inventories/z9/host_vars/rt1.yaml
View file

@ -4,3 +4,4 @@ nftables__config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/nftables/
ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
ansible_pull__timer_randomized_delay_sec: 0min
unbound_access_control: [ "10.89.208.0/20" ]
kea_dhcp__include_vars: resources/z9/rt1/kea_dhcp.yaml

7
inventories/z9/hosts.yaml
View file

@ -56,11 +56,18 @@ systemd_networkd_hosts:
nftables_hosts:
hosts:
rt1:
unbound_hosts:
hosts:
rt1:
kea_dhcp_hosts:
hosts:
rt1:
alloy_hosts:
hosts:
light:
yate:
dooris:
rt1:
ansible_pull_hosts:
hosts:
dooris:

14
playbooks/deploy.yaml
View file

@ -27,6 +27,20 @@
tags:
- nftables
- name: Ensure unbound deployment on unbound_hosts
hosts: unbound_hosts
roles:
- unbound
tags:
- unbound
- name: Ensure kea_dhcp deployment on kea_dhcp_hosts
hosts: kea_dhcp_hosts
roles:
- kea_dhcp
tags:
- kea_dhcp
- name: Ensure deployment of infrastructure authorized keys
hosts: infrastructure_authorized_keys_hosts
roles:

293
resources/z9/rt1/kea_dhcp.yaml Normal file
View file

@ -0,0 +1,293 @@
kea_dhcp__dns_servers:
v4:
- 185.161.129.134
v6:
- 2a07:c481::1:2
kea_dhcp__dhcp4:
enable: true
interfaces: [ "netlan.51", "netlan.52", "netlan.54" ]
control-sockets:
- socket-name: /var/run/kea-dhcp4-ctrl-agent.sock
socket-type: unix
lease-database:
type: memfile
persist: true
option-data:
- name: "domain-name-servers"
code: 6
csv-format: true
data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}"
subnets:
- id: 1
subnet: 10.89.208.0/22
pools:
- pool: "10.89.208.32 - 10.89.211.250"
reservations:
- ip-address: 10.89.208.11
hostname: beamer
hw-address: "ac:87:a3:18:9e:01"
- ip-address: 10.89.208.12
hostname: Brother-CCCHH
hw-address: "00:80:77:04:3a:55"
- ip-address: 10.89.208.13
hostname: muzak
hw-address: "00:11:24:5f:4f:80"
- ip-address: 10.89.208.14
hostname: Big-Room-Beamer
hw-address: "64:d2:c4:db:08:5c"
- ip-address: 10.89.208.16
hostname: dooris
hw-address: "bc:24:11:b3:93:9c"
- ip-address: 10.89.208.17
hostname: hmdooris-ccu
hw-address: "bc:24:11:5f:2d:b1"
- ip-address: 10.89.208.27
hostname: cisco-slm248p
hw-address: "00:23:eb:b0:fc:3f"
- ip-address: 10.89.208.47
hw-address: "6c:df:fb:0b:34:21"
- ip-address: 10.89.208.48
hw-address: "6c:df:fb:0d:91:63"
- ip-address: 10.89.209.28
hostname: hp-color
hw-address: "3c:52:82:29:21:79"
- ip-address: 10.89.209.29
hostname: dooris-ng
hw-address: "6c:4b:90:19:21:a1"
- ip-address: 10.89.209.166
hostname: encoder-ccchh
hw-address: "00:4e:01:a2:40:d7"
- ip-address: 10.89.209.254
hostname: ki10
hw-address: "dc:a6:32:a9:ff:82"
option-data:
- name: routers,
csv-format: true
data: 10.89.208.1
- id: 2
subnet: 10.89.212.0/24
pools:
- pool: "10.89.212.32 - 10.89.212.250"
reservations:
- ip-address: 10.89.212.3
hostname: prusamk3
hw-address: "10:9c:70:2e:59:3e"
- ip-address: 10.89.212.4
hostname: prusamk4
hw-address: "10:9c:70:2e:6e:f0"
- ip-address: 10.89.212.11
hostname: Ziggy
hw-address: "44:17:93:53:65:57"
- ip-address: 10.89.212.12
hostname: legacy
hw-address: "00:15:65:a1:ed:98"
- ip-address: 10.89.212.23
hostname: foobarpay
hw-address: "f4:f2:6d:09:a6:73"
- ip-address: 10.89.212.24
hostname: foobackup
hw-address: "bc:24:11:20:1a:a8"
- ip-address: 10.89.212.27
hostname: ender3v2-sonic-pad
hw-address: "fc:ee:91:00:0e:14"
- ip-address: 10.89.212.31
hostname: octopi
hw-address: "b8:27:eb:0f:d8:09"
- ip-address: 10.89.212.32
hostname: 433mhz-bridge
hw-address: "0c:b8:15:fe:e3:34"
- ip-address: 10.89.212.33
hostname: wled-kueche
hw-address: "30:ae:a4:7a:8d:a0"
- ip-address: 10.89.212.34
hostname: wled-serverschrank
hw-address: "18:fe:34:a6:64:76"
- ip-address: 10.89.212.35
hostname: wled-couch
hw-address: "64:b7:08:40:ab:c0"
- ip-address: 10.89.212.36
hostname: laser
hw-address: "b8:27:eb:be:38:fa"
- ip-address: 10.89.212.37
hostname: laser-eth
hw-address: "b8:27:eb:eb:6d:af"
- ip-address: 10.89.212.42
hostname: t-mix
hw-address: "40:a5:ef:d9:eb:93"
- ip-address: 10.89.212.86
hostname: fritz-fon
hw-address: "00:1f:3f:c9:e5:b2"
- ip-address: 10.89.212.211
hostname: hauptraum-esphome
hw-address: "e8:db:84:e8:18:d2"
- ip-address: 10.89.212.212
hostname: werkstatt-esphome
hw-address: "3c:71:bf:26:42:32"
- ip-address: 10.89.212.213
hostname: ir-bridge-beamer
hw-address: "8c:ce:4e:51:93:dd"
- ip-address: 10.89.212.215
hostname: pi-dmx-werkstatt
hw-address: "b8:27:eb:65:e5:31"
- ip-address: 10.89.212.227
hostname: SIP-T46S
hw-address: "80:5e:c0:09:bf:55"
- ip-address: 10.89.212.230
hostname: SIP-T46S
hw-address: "80:5e:c0:22:33:08"
- ip-address: 10.89.212.232
hostname: staubi
hw-address: "b8:4d:43:98:51:2b"
- ip-address: 10.89.212.233
hostname: staubiv2
hw-address: "70:c9:32:82:25:b2"
- ip-address: 10.89.212.234
hostname: AtemMini
hw-address: "7c:2e:0d:13:72:a8"
- ip-address: 10.89.212.235
hostname: okilaser
hw-address: "2c:ff:65:22:b4:63"
- ip-address: 10.89.212.236
hw-address: "b8:27:eb:29:bd:77"
option-data:
- name: routers,
csv-format: true
data: 10.89.212.1
- id: 3
subnet: 10.89.213.0/24
pools:
- pool: "10.89.213.32 - 10.89.213.250"
reservations:
- ip-address: 10.89.213.2
hostname: sw-rack-1
hw-address: "F0:9F:C2:10:C3:AA"
- ip-address: 10.89.213.3
hostname: sw-rack-2-peo
hw-address: "44:d9:e7:06:69:5d"
- ip-address: 10.89.213.4
hostname: sw-main-1
hw-address: "a8:9c:6c:16:df:cc"
- ip-address: 10.89.213.5
hostname: sw-main-2
hw-address: "a8:9c:6c:16:e8:86"
- ip-address: 10.89.213.6
hostname: sw-shop-1
hw-address: "C0:4A:00:FB:DA:C5"
- ip-address: 10.89.213.7
hostname: sw-shop-2-peo
hw-address: "f4:e2:c6:bf:20:ee"
- ip-address: 10.89.213.8
hostname: sw-shop-3-peo
hw-address: "d8:b3:70:85:72:76"
- ip-address: 10.89.213.11
hostname: pve01
hw-address: "38:05:25:30:80:35"
- ip-address: 10.89.213.12
hostname: pve02
hw-address: "b8:85:84:b1:57:b6"
- ip-address: 10.89.213.13
hostname: pve03
hw-address: "98:fa:9b:a2:ed:e8"
- ip-address: 10.89.213.15
hostname: pbs
hw-address: "BC:24:11:D6:2C:81"
- ip-address: 10.89.213.21
hostname: unifi
hw-address: "BC:24:11:25:77:60"
- ip-address: 10.89.213.22
hostname: club-assistant
hw-address: "7a:55:61:c3:a2:89"
- ip-address: 10.89.213.23
hostname: automation
hw-address: "f2:20:75:5a:2f:8c"
- ip-address: 10.89.213.24
hostname: yate
hw-address: "bc:24:11:73:3e:f7"
- ip-address: 10.89.213.25
hostname: ptouch-print-server
hw-address: "bc:24:11:f2:cf:8f"
- ip-address: 10.89.213.26
hostname: mqtt
hw-address: "bc:24:11:48:85:73"
- ip-address: 10.89.213.27
hostname: factorio
hw-address: "bc:24:11:a3:43:7f"
- ip-address: 10.89.213.28
hostname: light
hw-address: "72:61:ea:e6:49:e3"
- ip-address: 10.89.213.29
hostname: homematic
hw-address: "fe:3a:42:77:3a:be"
- ip-address: 10.89.213.30
hostname: proxmox-backup-server
hw-address: "8a:48:dd:a3:22:40"
option-data:
- name: routers,
csv-format: true
data: 10.89.213.1
kea_dhcp__dhcp6:
enable: true
interfaces: [ "netlan.51", "netlan.52", "netlan.54" ]
control-sockets:
- socket-name: /var/run/kea-dhcp6-ctrl-agent.sock
socket-type: unix
lease-database:
type: memfile
persist: true
option-data:
- name: "dns-servers"
code: 23
csv-format: true
data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}"
subnets:
- id: 1
subnet: "2a07:c481:1:33::/64"
pools:
- pool: "2a07:c481:1:33::1:1 - 2a07:c481:1:33::FFFF:FFFF"
- id: 2
subnet: "2a07:c481:1:34::/64"
pools:
- pool: "2a07:c481:1:34::1:1 - 2a07:c481:1:34::FFFF:FFFF"
- id: 3
subnet: "2a07:c481:1:36::/64"
pools:
- pool: "2a07:c481:1:36::1:1 - 2a07:c481:1:36::FFFF:FFFF"
reservations:
- ip-address: "2a07:c481:1:36::2"
hostname: sw-rack-1
hw-address: "F0:9F:C2:10:C3:AA"
- ip-address: "2a07:c481:1:36::3"
hostname: sw-rack-2-peo
hw-address: "44:d9:e7:06:69:5d"
- ip-address: "2a07:c481:1:36::4"
hostname: sw-main-1
hw-address: "a8:9c:6c:16:df:cc"
- ip-address: "2a07:c481:1:36::5"
hostname: sw-main-2
hw-address: "a8:9c:6c:16:e8:86"
- ip-address: "2a07:c481:1:36::6"
hostname: sw-shop-1
hw-address: "C0:4A:00:FB:DA:C5"
- ip-address: "2a07:c481:1:36::7"
hostname: sw-shop-2-peo
hw-address: "f4:e2:c6:bf:20:ee"
- ip-address: "2a07:c481:1:36::8"
hostname: sw-shop-3-peo
hw-address: "d8:b3:70:85:72:76"
- ip-address: "2a07:c481:1:36::b"
hostname: pve01
hw-address: "38:05:25:30:80:35"
- ip-address: "2a07:c481:1:36::c"
hostname: pve02
hw-address: "b8:85:84:b1:57:b6"
- ip-address: "2a07:c481:1:36::d"
hostname: pve03
hw-address: "98:fa:9b:a2:ed:e8"
- ip-address: "2a07:c481:1:36::f"
hostname: pbs
hw-address: "BC:24:11:D6:2C:81"
- ip-address: "2a07:c481:1:36::14"
hostname: unifi
hw-address: "BC:24:11:25:77:60"

3
resources/z9/rt1/nftables/nftables.conf
View file

@ -76,6 +76,9 @@ table inet host {
# Allow DHCP server access.
iifname { $lan_ifs } udp dport 67 accept comment "allow dhcp server access"
june commented 2026-05-24 16:58:35 +02:00
Copy link

Same indentation problem here.

Same indentation problem here.
# Allow DNS server access from lan_ifs
iifname { $lan_ifs, $if_wg55_management } udp dport 53 accept comment "allow dns server access from lan_ifs"
}
}

69
roles/kea_dhcp/defaults/main.yaml Normal file
View file

@ -0,0 +1,69 @@
kea_dhcp__stork_agent:
enable: false
prometheus_only: true
kea_dhcp__version_repo: "kea-3-0"
kea_dhcp__dns_servers:
v6:
- "2a07:c481:0:4::2"
- "2a07:c481:0:4::3"
v4:
- "185.161.128.66"
- "185.161.128.67"
kea_dhcp__include_vars:
kea_dhcp__dhcp4:
enable: false
interfaces: [ ]
control-sockets:
- socket-name: /var/run/kea-dhcp4-ctrl-agent.sock
socket-type: unix
lease-database:
type: memfile
persist: true
option-data:
- name: "domain-name-servers"
code: 6
csv-format: true
data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}"
subnets:
- id: 0
subnet: nil
pools:
- pool: nil
reservations:
- ip-address: nil
hostname: beispiel.test
hw-address: "00:11:22:33:44:55"
option-data:
- name: nil,
code: nil,
csv-format: true
data: nil
kea_dhcp__dhcp6:
enable: false
interfaces: [ ]
lease-database:
type: memfile
persist: true
control-sockets:
- socket-name: /var/run/kea-dhcp6-ctrl-agent.sock
socket-type: unix
option-data:
- name: "dns-servers"
code: 23
csv-format: true
data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}"
subnets:
- id: 0
subnet: nil
pools:
- pool: nil
reservations:
- ip-address: nil
hostname: beispiel.test
hw-address: "00:11:22:33:44:55"
option-data:
- name: nil,
code: nil,
csv-format: true
data: nil

30
roles/kea_dhcp/handlers/main.yml Normal file
View file

@ -0,0 +1,30 @@
---
- name: Systemd.daemon_reload
become: true
ansible.builtin.systemd_service:
daemon_reload: true
- name: Kea_dhcp4.reloaded
june commented 2026-05-24 17:11:01 +02:00
Copy link

Called "reloaded" even tho the action is restarted. One of them needs to be adjusted.

Called "reloaded" even tho the action is `restarted`. One of them needs to be adjusted.
ansible.builtin.service:
name: kea-dhcp4
state: restarted
enabled: true
- name: Kea_dhcp6.reloaded
june commented 2026-05-24 17:11:08 +02:00
Copy link

Same restarted/reloaded comment as above.

Same restarted/reloaded comment as above.
ansible.builtin.service:
name: kea-dhcp6
state: restarted
enabled: true
- name: Kea_ctrl.reloaded
june commented 2026-05-24 17:11:26 +02:00
Copy link

Same restarted/reloaded comment as above.

Same restarted/reloaded comment as above.
ansible.builtin.systemd:
name: kea-ctrl-agent
state: restarted
enabled: true
- name: Stork_agent.restarted
become: true
ansible.builtin.systemd:
name: isc-stork-agent
state: restarted
enabled: true

125
roles/kea_dhcp/meta/argument_specs.yaml Normal file
View file

@ -0,0 +1,125 @@
---
argument_specs:
main:
short_description: "Role for managing Kea DHCP server"
options:
kea_dhcp__stork_agent:
type: "dict"
description: "Configuration for Stork Agent"
options:
enable:
type: "bool"
default: false
prometheus_only:
type: "bool"
default: true
kea_dhcp__version_repo:
type: "str"
description: "Version of Kea DHCP repository to use"
default: "kea-3-0"
kea_dhcp__dns_servers:
type: "dict"
description: "Default DNS servers for DHCP clients"
options:
v6:
type: "list"
elements: "str"
v4:
type: "list"
elements: "str"
kea_dhcp__dhcp4:
type: "dict"
description: "Configuration for DHCPv4 service"
options:
enable:
type: "bool"
default: false
interfaces:
type: "list"
elements: "str"
default: []
control-sockets:
type: "list"
elements: "dict"
lease-database:
type: "dict"
option-data:
type: "list"
elements: "dict"
subnets:
type: "list"
elements: "dict"
options:
id:
type: "int"
subnet:
type: "str"
pools:
type: "list"
elements: "dict"
options:
pool:
type: "str"
reservations:
type: "list"
elements: "dict"
options:
ip-address:
type: "str"
hostname:
type: "str"
hw-address:
type: "str"
duid:
type: "str"
option-data:
type: "list"
elements: "dict"
kea_dhcp__dhcp6:
type: "dict"
description: "Configuration for DHCPv6 service"
options:
enable:
type: "bool"
default: false
interfaces:
type: "list"
elements: "str"
default: []
control-sockets:
type: "list"
elements: "dict"
lease-database:
type: "dict"
option-data:
type: "list"
elements: "dict"
subnets:
type: "list"
elements: "dict"
options:
id:
type: "int"
subnet:
type: "str"
pools:
type: "list"
elements: "dict"
options:
pool:
type: "str"
reservations:
type: "list"
elements: "dict"
options:
ip-address:
type: "str"
hostname:
type: "str"
hw-address:
type: "str"
duid:
type: "str"
option-data:
type: "list"
elements: "dict"

8
roles/kea_dhcp/tasks/install_archlinux.yml Normal file
View file

@ -0,0 +1,8 @@
---
- name: Install Kea on Archlinux
june commented 2026-05-24 18:28:30 +02:00
Copy link

We don't have any Arch Linux infrastructure, so we don't need this.

We don't have any Arch Linux infrastructure, so we don't need this.
when: ansible_facts['distribution'] == "Archlinux"
become: true
community.general.pacman:
name: kea
state: present
update_cache: false

22
roles/kea_dhcp/tasks/install_debian.yml Normal file
View file

@ -0,0 +1,22 @@
---
- name: Register isc-kea apt repository
become: true
register: kea_dhcp_repo
when: ansible_facts['distribution'] == "Debian"
ansible.builtin.deb822_repository:
name: "isc-{{ kea_dhcp__version_repo }}"
uris: "https://dl.cloudsmith.io/public/isc/{{ kea_dhcp__version_repo }}/deb/debian"
june commented 2026-05-24 18:31:32 +02:00
Copy link

Do we have a requirement for the more up-to-date version present in the upstream repository or is the one in the Debian repos sufficient?

Do we have a requirement for the more up-to-date version present in the upstream repository or is the one in the Debian repos sufficient?
bitwhisker commented 2026-05-24 21:50:06 +02:00
Copy link

chris wrote this, I don't know why they thought this would be necessary

@c6ristian

chris wrote this, I don't know why they thought this would be necessary @c6ristian
c6ristian commented 2026-05-24 22:37:32 +02:00
Copy link

For Club this properly doesn't matter. This was because the compatibility between different version has history been often Subject to Change. As long as there are no plan to do HA its probably fine.

For Club this properly doesn't matter. This was because the compatibility between different version has history been often Subject to Change. As long as there are no plan to do HA its probably fine.
june commented 2026-05-24 22:44:41 +02:00
Copy link

Alright, gotcha. Then just using the Debian-packaged version nicely saves us adding a repo.

Alright, gotcha. Then just using the Debian-packaged version nicely saves us adding a repo.
suites: any-version
components: main
signed_by: "https://dl.cloudsmith.io/public/isc/{{ kea_dhcp__version_repo }}/gpg.key"
- name: Install Kea packages
become: true
when: ansible_facts['distribution'] == "Debian"
ansible.builtin.apt:
name:
- isc-kea-dhcp4
- isc-kea-dhcp6
june commented 2026-05-24 18:33:53 +02:00
Copy link

Since we got granular control over whether to use dhcpv4, v6 or the agent, would it make sense to then also granularly install the relevant packages?
I would think Debian would also automatically start the services, which wouldn't make sense, if no sensible v6 config is present.

Since we got granular control over whether to use dhcpv4, v6 or the agent, would it make sense to then also granularly install the relevant packages? I would think Debian would also automatically start the services, which wouldn't make sense, if no sensible v6 config is present.
- isc-kea-ctrl-agent
- isc-kea-admin
update_cache: "{{ kea_dhcp_install_repo.changed }}"

51
roles/kea_dhcp/tasks/kea.yaml Normal file
View file

@ -0,0 +1,51 @@
---
- name: Include config vars
tags: [ kea, include_vars ]
june commented 2026-05-24 18:30:07 +02:00
Copy link

I would rather just stick to only having tags at the playbook level. I don't think this kind granular control for the role is really needed as it the config files also shouldn't trigger a reload, if not changed.

I would rather just stick to only having tags at the playbook level. I don't think this kind granular control for the role is really needed as it the config files also shouldn't trigger a reload, if not changed.
bitwhisker commented 2026-05-24 21:51:03 +02:00
Copy link

this was just copied from the fux noc ansible, but I can remove it

this was just copied from the fux noc ansible, but I can remove it
👍 1
when: kea_dhcp__include_vars is not None
ansible.builtin.include_vars:
file: "{{ kea_dhcp__include_vars }}"
- name: Deploy kea-dhcp4 configuration file
tags: [ kea, dhcp4 ]
become: true
when: kea_dhcp__dhcp4.enable
ansible.builtin.template:
src: kea-dhcp4.conf.jinja
dest: /etc/kea/kea-dhcp4.conf
backup: true
owner: root
group: kea
mode: "u=rw,g=r,o="
validate: kea-dhcp4 -T %s
notify:
- Kea_dhcp4.reloaded
- name: Deploy kea-dhcp6 configuration file
tags: [ kea, dhcp6 ]
become: true
when: kea_dhcp__dhcp6.enable
ansible.builtin.template:
src: kea-dhcp6.conf.jinja
dest: /etc/kea/kea-dhcp6.conf
backup: true
owner: root
group: kea
mode: "u=rw,g=r,o="
validate: kea-dhcp6 -T %s
notify:
- Kea_dhcp6.reloaded
- name: Copy kea-ctrl-agent configuration file
tags: [ kea, ctrl-agent ]
become: true
when: kea_dhcp__stork_agent.enable
ansible.builtin.template:
src: kea-ctrl-agent.conf.j2
dest: /etc/kea/kea-ctrl-agent.conf
owner: root
group: kea
mode: "u=rw,g=r,o="
validate: kea-ctrl-agent -t %s
notify:
- Kea_ctrl.reloaded
- Stork_agent.restarted

19
roles/kea_dhcp/tasks/main.yml Normal file
View file

@ -0,0 +1,19 @@
---
- name: Setup Kea DHCP
tags: [kea, dhcp]
block:
- name: Install Kea on Archlinux
when: ansible_facts['distribution'] == "Archlinux"
june commented 2026-05-24 18:30:58 +02:00
Copy link

Again, getting rid of the Arch Linux logic also greatly simplifies this file.

Again, getting rid of the Arch Linux logic also greatly simplifies this file.
bitwhisker commented 2026-05-24 21:51:15 +02:00
Copy link

this was just copied from the fux noc ansible, but I can remove it

this was just copied from the fux noc ansible, but I can remove it
👍 1
ansible.builtin.import_tasks: install_archlinux.yml
- name: Install Kea on Debian
when: ansible_facts['distribution'] == "Debian"
ansible.builtin.import_tasks: install_debian.yml
- name: Configure Kea
ansible.builtin.include_tasks: kea.yaml
- name: Run stork-agent tasks
tags: [stork-agent, monitoring]
when: kea_dhcp__stork_agent.enable
ansible.builtin.include_tasks: stork-agent.yaml

76
roles/kea_dhcp/tasks/stork-agent.yaml Normal file
View file

@ -0,0 +1,76 @@
---
- name: Install stork-agent
tags: [stork-agent]
block:
- name: Install stork-agent on Archlinux
when: ansible_facts['distribution'] == "Archlinux"
tags: [stork-agent, archlinux]
block:
- name: Create stork-agent user
ansible.builtin.user:
name: stork-agent
create_home: false
home: "/var/lib/stork-agent"
shell: "/usr/bin/nologin"
system: true
groups: ["kea"]
append: true
- name: Install stork-agent with aur_pkg_install
ansible.builtin.include_role:
name: aur_pkg_install
june commented 2026-05-24 18:34:21 +02:00
Copy link

We don't even have this role present in our repo, so just getting rid of the Arch Linux logic probably makes sense.

We don't even have this role present in our repo, so just getting rid of the Arch Linux logic probably makes sense.
vars:
aur_pkg_install__pkg_name: "stork-agent"
aur_pkg_install__git_clone_url: "https://ansible:{{ secret__ansible_git_token }}@git.fux-eg.net/aur-mirror/stork-agent.git"
aur_pkg_install__git_ref: "bf96e34"
- name: Install stork-agent on Debian
when: ansible_facts['distribution'] == "Debian"
tags: [stork-agent, debian]
block:
- name: Register isc-stork apt repository
become: true
register: "kea_dhcp_install_repo"
ansible.builtin.deb822_repository:
name: isc-stork
uris: https://dl.cloudsmith.io/public/isc/stork/deb/debian
suites: any-version
components: main
signed_by: https://dl.cloudsmith.io/public/isc/stork/gpg.key
- name: Install isc-stork-agent
become: true
ansible.builtin.apt:
name: isc-stork-agent
update_cache: "{{ kea_dhcp_install_repo.changed }}"
- name: Add stork-agent user to _kea group on Debian
when: ansible_facts['distribution'] == "Debian"
become: true
ansible.builtin.user:
name: stork-agent
groups: ["_kea"]
append: true
- name: Config for stork-agent
ansible.builtin.template:
src: stork-agent.env.jinja
dest: /etc/stork/agent.env
owner: root
group: root
mode: "0660"
notify:
- Systemd_daemon_reload
- Stork_agent.restarted
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Ensure that stork kea exporter is working
ansible.builtin.uri:
url: "http://localhost:9547/metrics"
method: GET
register: kea_dhcp_stork_status_code
retries: 6
delay: 5
until: kea_dhcp_stork_status_code.status == 200

20
roles/kea_dhcp/templates/kea-ctrl-agent.conf.j2 Normal file
View file

@ -0,0 +1,20 @@
{
"Control-agent": {
"http-host": "127.0.0.1",
"http-port": 8000,
"control-sockets": {
{% if kea_dhcp__dhcp4.enable | default(false) %}
"dhcp4": {
"socket-type": "{{ kea_dhcp__dhcp4['control-sockets'][0]['socket-type'] }}",
"socket-name": "{{ kea_dhcp__dhcp4['control-sockets'][0]['socket-name'] }}"
}{% if kea_dhcp__dhcp6.enable %},{% endif %}
{% endif %}
{% if kea_dhcp__dhcp6.enable | default(false) %}
"dhcp6": {
"socket-type": "{{ kea_dhcp__dhcp6['control-sockets'][0]['socket-type'] }}",
"socket-name": "{{ kea_dhcp__dhcp6['control-sockets'][0]['socket-name'] }}"
},
{% endif %}
}
}
}

27
roles/kea_dhcp/templates/kea-dhcp4.conf.jinja Normal file
View file

@ -0,0 +1,27 @@
{
"Dhcp4": {
"interfaces-config": {
"interfaces": {{ kea_dhcp__dhcp4.interfaces | to_nice_json }}
},
"control-sockets": {{ kea_dhcp__dhcp4['control-sockets'] | to_nice_json }},
"lease-database": {{ kea_dhcp__dhcp4['lease-database'] | to_nice_json }},
{% if kea_dhcp__dhcp4['option-data'] is defined and kea_dhcp__dhcp4['option-data'] %}
"option-data": {{ kea_dhcp__dhcp4['option-data'] | to_nice_json }},
{% endif %}
"subnet4": [
{% for subnet in kea_dhcp__dhcp4.subnets %}
{
"id": {{ subnet.id }},
"subnet": "{{ subnet.subnet }}",
"pools": {{ subnet.pools | to_nice_json }},
{% if subnet.reservations is defined and subnet.reservations %}
"reservations": {{ subnet.reservations | to_nice_json }},
{% endif %}
{% if subnet['option-data'] is defined and subnet['option-data'] %}
"option-data": {{ subnet['option-data'] | to_nice_json }}
{% endif %}
}{% if not loop.last %},{% endif %}
{% endfor %}
]
}
}

27
roles/kea_dhcp/templates/kea-dhcp6.conf.jinja Normal file
View file

@ -0,0 +1,27 @@
{
"Dhcp6": {
"interfaces-config": {
"interfaces": {{ kea_dhcp__dhcp6.interfaces | to_nice_json }}
},
"control-sockets": {{ kea_dhcp__dhcp6['control-sockets'] | to_nice_json }},
"lease-database": {{ kea_dhcp__dhcp6['lease-database'] | to_nice_json }},
{% if kea_dhcp__dhcp6['option-data'] is defined and kea_dhcp__dhcp6['option-data'] %}
"option-data": {{ kea_dhcp__dhcp6['option-data'] | to_nice_json }},
{% endif %}
"subnet6": [
{% for subnet in kea_dhcp__dhcp6.subnets %}
{
"id": {{ subnet.id }},
"subnet": "{{ subnet.subnet }}",
june commented 2026-05-24 18:35:38 +02:00
Copy link

Just a nit-pick, but having the indentation be consistent across the dhcp4 and dhcp6 config would be nice.

Just a nit-pick, but having the indentation be consistent across the dhcp4 and dhcp6 config would be nice.
"pools": {{ subnet.pools | to_nice_json }},
{% if subnet.reservations is defined and subnet.reservations %}
"reservations": {{ subnet.reservations | to_nice_json }},
{% endif %}
{% if subnet['option-data'] is defined and subnet['option-data'] %}
"option-data": {{ subnet['option-data'] | to_nice_json }}
{% endif %}
}{% if not loop.last %},{% endif %}
{% endfor %}
]
}
}

44
roles/kea_dhcp/templates/stork-agent.env.jinja Normal file
View file

@ -0,0 +1,44 @@
### the IP or hostname to listen on for incoming Stork server connections
# STORK_AGENT_HOST=
june commented 2026-05-24 18:37:07 +02:00
Copy link

Most of the variables here are commented out, so we can just massively simplify this file.
If they are included for documentation purposes, I would rather include a link in the README.

Most of the variables here are commented out, so we can just massively simplify this file. If they are included for documentation purposes, I would rather include a link in the README.
### the TCP port to listen on for incoming Stork server connections
# STORK_AGENT_PORT=8081
### listen for commands from the Stork server only, but not for Prometheus requests
# STORK_AGENT_LISTEN_STORK_ONLY=true
{% if kea_dhcp__stork_agent.prometheus_only %}
### listen for Prometheus requests only, but not for commands from the Stork server
STORK_AGENT_LISTEN_PROMETHEUS_ONLY=true
{% endif %}
### settings for exporting stats to Prometheus
### the IP or hostname on which the agent exports Kea statistics to Prometheus
# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_ADDRESS=
### the port on which the agent exports Kea statistics to Prometheus
# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PORT=
## enable or disable collecting per-subnet stats from Kea
# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PER_SUBNET_STATS=true
### the IP or hostname on which the agent exports BIND 9 statistics to Prometheus
# STORK_AGENT_PROMETHEUS_BIND9_EXPORTER_ADDRESS=
### the port on which the agent exports BIND 9 statistics to Prometheus
# STORK_AGENT_PROMETHEUS_BIND9_EXPORTER_PORT=
### Stork Server URL used by the agent to send REST commands to the server during agent registration
# STORK_AGENT_SERVER_URL=
### skip TLS certificate verification when the Stork Agent connects
### to Kea over TLS and Kea uses self-signed certificates
# STORK_AGENT_SKIP_TLS_CERT_VERIFICATION=true
### Logging parameters
### Set logging level. Supported values are: DEBUG, INFO, WARN, ERROR
STORK_LOG_LEVEL=DEBUG
### disable output colorization
# CLICOLOR=false
### path to the hook directory
# STORK_AGENT_HOOK_DIRECTORY=

19
roles/unbound/README.md Normal file
View file

@ -0,0 +1,19 @@
# Unbound DNS resolver
Role fora a validating, recursive, caching DNS resolver based on [Unbound](https://nlnetlabs.nl/projects/unbound/about/).
It is designed to be fast and lean and incorporates modern features based on open standards.
- [Documentation](https://unbound.docs.nlnetlabs.nl/en/latest/)
## Role Customization
The following variables can be used to customize this role:
| Variable | Type | Default | Description |
|------------------------------------------|-----------------|-----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| unbound_install_prometheus_exporter | Boolean | `true` | Whether [Unbound Exporter](https://github.com/letsencrypt/unbound_exporter) should also be installed to expose resolver statistics in prometheus format. |
| unbound_bind_interfaces | List of Strings | `[0.0.0.0, ::]` | List of interface names or IP addresses on which unbound will listen for dns queries |
| unbound_enable_unbound_control | Boolean | `true` | Whether the [remote control](https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/configuration.html#set-up-remote-control) feature of unbound should be configured. |
| unbound_enable_dnssec | Boolean | `true` | Whether dnssec validation should be enabled |
| unbound_access_control | List of Strings | `[]` | **Required** List of [unbound access control values](https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#:~:text=access-control:%20%3CIP%20netblock%3E%20%3Caction%3E) |
| unbound_disable_systemd_networkd | Boolean | `true` | If true, systemd-networkd is disabled and the local system is pointed towards the configured dns resolver. |

7
roles/unbound/defaults/main.yml Normal file
View file

@ -0,0 +1,7 @@
unbound_install_prometheus_exporter: true
unbound_bind_interfaces: [ "0.0.0.0", "::" ]
unbound_disable_systemd_networkd: true
unbound_enable_unbound_control: true
unbound_enable_dnssec: true
unbound_access_control: [ ]
unbound_private_domain: [ ]

1
roles/unbound/files/no-resolved.resolv.conf Normal file
View file

@ -0,0 +1 @@
nameserver 127.0.0.1
june commented 2026-05-24 18:47:40 +02:00
Copy link

Same comment as below: We already have a role for managing the resolv.conf, so rather include that.
See: 7832978ff7/roles/deploy_systemd_resolved_config

Same comment as below: We already have a role for managing the `resolv.conf`, so rather include that. See: https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/commit/7832978ff732208f2f29f04ef446c7c51076c6d1/roles/deploy_systemd_resolved_config

27
roles/unbound/handlers/main.yml Normal file
View file

@ -0,0 +1,27 @@
- name: unbound.restarted
tags: [ unbound, dns, dns_resolver ]
june commented 2026-05-24 18:38:17 +02:00
Copy link

Again, same comment as in the kea role, I don't think it makes sense to have granular tags in the role itself.

Again, same comment as in the kea role, I don't think it makes sense to have granular tags in the role itself.
become: true
ansible.builtin.systemd:
name: unbound.service
state: restarted
- name: unbound.reloaded
tags: [ unbound, dns, dns_resolver ]
become: true
ansible.builtin.systemd:
name: unbound.service
state: reloaded
- name: prometheus-unbound-exporter.restarted
become: true
ansible.builtin.systemd:
name: prometheus-unbound-exporter.service
state: restarted
enabled: true
- name: prometheus-unbound-exporter.enabled
become: true
ansible.builtin.systemd:
name: prometheus-unbound-exporter.service
enabled: true
daemon_reload: true

63
roles/unbound/tasks/main.yml Normal file
View file

@ -0,0 +1,63 @@
- name: unbound role main
tags: [ unbound, dns, dns_resolver ]
block:
- name: install unbound dns resolver
become: true
ansible.builtin.package:
name: unbound
- name: install extra dns tooling
become: true
ansible.builtin.package:
name: [ bind ] # the bind package includes tools like dig in archlinux
june commented 2026-05-24 18:41:04 +02:00
Copy link

There is no bind package on Debian and we already install dig in the base_config role:

Line 30 in 7832978
- dnsutils

There is no `bind` package on Debian and we already install `dig` in the `base_config` role: https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/commit/7832978ff732208f2f29f04ef446c7c51076c6d1/roles/base_config/tasks/main.yaml#L30
- name: ensure correct directory permissions
become: true
ansible.builtin.file:
path: /etc/unbound
state: directory
mode: u=rwX,g=rX,o=rX
recurse: true
owner: unbound
group: unbound
- name: configure unbound dns resolver
become: true
notify: unbound.restarted
ansible.builtin.template:
src: unbound.conf.j2
dest: /etc/unbound/unbound.conf
owner: unbound
group: unbound
mode: u=rw,g=r,o=r
- name: ensure unbound is running and enabled
become: true
ansible.builtin.systemd:
name: unbound.service
state: started
enabled: true
- name: disable systemd-resolved
june commented 2026-05-24 18:46:03 +02:00
Copy link

We have a nice role for managing systemd-resolved already, so no need to duplicate functionality here.
See: 7832978ff7/roles/deploy_systemd_resolved_config

We have a nice role for managing systemd-resolved already, so no need to duplicate functionality here. See: https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/commit/7832978ff732208f2f29f04ef446c7c51076c6d1/roles/deploy_systemd_resolved_config
become: true
when: unbound_disable_systemd_networkd
ansible.builtin.systemd:
name: systemd-resolved.service
state: stopped
enabled: false
- name: configure system resolver to point to local unbound
become: true
when: unbound_disable_systemd_networkd
ansible.builtin.copy:
src: no-resolved.resolv.conf
dest: /etc/resolv.conf
owner: unbound
group: unbound
mode: u=rw,g=r,o=r
- name: install and configure prometheus-exporter for unbound
ansible.builtin.import_tasks: prometheus-exporter.yml
when: unbound_install_prometheus_exporter

17
roles/unbound/tasks/prometheus-exporter.yml Normal file
View file

@ -0,0 +1,17 @@
---
- name: install unbound prometheus exporter
become: true
ansible.builtin.package:
june commented 2026-05-24 18:43:20 +02:00
Copy link

There's no unbound-prometheus-exporter package on Debian.

There's no `unbound-prometheus-exporter` package on Debian.
name: prometheus-unbound-exporter
notify: prometheus-unbound-exporter.enabled
june commented 2026-05-24 18:43:07 +02:00
Copy link

I would rather move the enable and start logic into the file itself, since that's not really the job of a handler. See the main unbound setup tasks for reference.

I would rather move the enable and start logic into the file itself, since that's not really the job of a handler. See the main unbound setup tasks for reference.
- name: configure unbound exporter
become: true
ansible.builtin.copy:
dest: /etc/conf.d/prometheus-unbound-exporter
content: |
UNBOUND_EXPORTER_ARGS="-unbound.ca "" -unbound.cert "" -unbound.host "unix:///run/unbound-control.sock"
owner: root
group: root
mode: '0660'
notify: prometheus-unbound-exporter.restarted

73
roles/unbound/templates/unbound.conf.j2 Normal file
View file

@ -0,0 +1,73 @@
# ref: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
# unbound.conf(5) man page
server:
{% if unbound_enable_dnssec -%}
# disable chroot because unbound is the only thing running on the VM
# and because it has issues with how archlinux configures the systemd units write protection regarding the anchor file
june commented 2026-05-24 18:44:00 +02:00
Copy link

Is this still relevant on Debian? Again, we don't use Arch Linux in our infra.

Is this still relevant on Debian? Again, we don't use Arch Linux in our infra.
chroot: ""
# location of the trust anchor file that enables DNSSEC
# this file is generated by the `unbound-anchor` command
auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
{% endif -%}
# use all CPUs
num-threads: 2
june commented 2026-05-24 18:44:30 +02:00
Copy link

Are those all the CPUs we use? Might it make sense to have this configurable or at least change the comment?

Are those all the CPUs we use? Might it make sense to have this configurable or at least change the comment?
# more cache memory
rrset-cache-size: 60m
msg-cache-size: 30m
# prefetch to keep the cache up to date
prefetch: yes
# fetch the DNSKEYs earlier in the validation process, when a DS record is encountered
prefetch-key: yes
# Faster UDP with multithreading (only on Linux).
so-reuseport: yes
# disable special large send buffer handling and just use kernel defaults
so-sndbuf: 0
# send minimal amount of information to upstream servers to enhance privacy
qname-minimisation: yes
# specify the interface to answer queries from by ip-address.
{% for i in unbound_bind_interfaces -%}
interface: "{{ i }}"
{% endfor %}
# addresses from the IP range that are allowed to connect to the resolver
{% for i in unbound_access_control -%}
access-control: {{ i }}
{% endfor -%}
{% for i in unbound_private_domain -%}
private-domain: {{ i }}
{% endfor -%}
# The number of seconds between printing statistics to the log for every thread.
statistics-interval: 0
# Extended statistics are printed, Keeping track of more statistics takes time.
extended-statistics: yes
remote-control:
control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }}
control-interface: /run/unbound-control.sock
# configure some zones for which this resolver will act authoritatively
# https://www.dns.icann.org/services/axfr/
{% for i in [ ".", "in-addr.arpa.", "arpa.", "root-servers.net.", "ip6.arpa.", "ip6-servers.arpa.", "mcast.net." ] %}
auth-zone:
name: "{{ i }}"
primary: "lax.xfr.dns.icann.org"
primary: "iad.xfr.dns.icann.org"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
{% endfor %}