.sops.yaml

@@ -48,6 +48,7 @@ keys:
         - &host_light_ansible_pull_age_key age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q
         - &host_waybackproxy_ansible_pull_age_key age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j
         - &host_yate_ansible_pull_age_key age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22
+        - &host_z9_router_ansible_pull_age_key age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp
 
 creation_rules:
   ## group vars
@@ -241,6 +242,12 @@ creation_rules:
           *admin_gpg_keys
         age:
           - *host_yate_ansible_pull_age_key
+  - path_regex: "inventories/z9/host_vars/z9-router\\.sops\\..+"
+    key_groups:
+      - pgp:
+          *admin_gpg_keys
+        age:
+          - *host_z9_router_ansible_pull_age_key
   # general
   - path_regex: ".+\\.sops\\..+"
     key_groups:

inventories/z9/group_vars/all.sops.yaml

@@ -2,213 +2,225 @@ metrics__chaos_password: ENC[AES256_GCM,data:seOU504dZ9K21+NK1MBf9isee2L2rueP6Bl
 msmtp__smtp_password: ENC[AES256_GCM,data:FAih8FghRYDx3QGFCjKoJ8Zq0TkeCIx4n1jTx4/sASgECqvucg==,iv:8NDn3wj/bXsbHbuce3ycJTBVWde6XAVxv4NuMUkMbIM=,tag:jeE2b0i/8JPtguLYQvdV1w==,type:str]
 sops:
   age:
-    - recipient: age1j0876shgsn7f2thxh9kx9x5uwnh45z6sy2jlk2qz5jhgedm26g5srn9kax
-      enc: |
+    - enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VWJQWnBhcDc3VXh3TnMy
-        RFljQU0vNS9iY3AvTWFraUxneHIremlDeUZvCmdzd0twWHZEdTZSbHpLbEpRRDNX
-        aGI4ZlczN0tFbC94TzJ4bm9aUjkwcVEKLS0tIHRGSGdkQkN6ZEVTUjl1cGhMZzVI
-        S2FtSktoWmF2TjZCZnNlYWpWYzQ4MzQKeK7f+UPSanQsOIXNjzZa9B5FafNFsN3W
-        sjssDdbNQ1OEn2CLWRVQl1umKrADuvd85fMu3gUZrycZRDCCfsBzVg==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTzAzaVFSRDQwN2llbmdl
+        alBBVDZwTWhWUkV2L3ZLZmNDUDRyTitDaFVzCkNRTEN4ODV5ekxRVlBZT3ZIM2pj
+        Z0JxYUlobHZCeGxxNE9PcENkR2h2VDAKLS0tIFZiVXJHSU5naXhSSEFobVZBN1Rl
+        NnVDUVRyVWxlUnMydVhiQ2s0bGMzTGcKh97/UOPxrKieK5dKdGyRqCRi8Sm5UNcT
+        I9jLCPqX8Utt0e2EEp+ivJwFxgo7QuNCYWu6jtPCO/Zmc5Q/2tJQ9Q==
         -----END AGE ENCRYPTED FILE-----
-    - recipient: age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q
-      enc: |
+      recipient: age1j0876shgsn7f2thxh9kx9x5uwnh45z6sy2jlk2qz5jhgedm26g5srn9kax
+    - enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkSmVEVyt3OCtvUUNqV2FR
-        QW5WaDBFcnZVMTV3QWdSLzhxRENCdGNaVFU0CmxqM0xIWUVCSUwvY1pBVjQ0RCtq
-        T0psSG84VWdpY1dYa2doeFZXd2RKNVEKLS0tIGNFeDFRYzBDN3NWcnpUSVhEWitY
-        RXhLRkp3ajdlNGY4R3hRcWVSUU04T0UKdprDhBpp0aMc733Wx/K7hS/nLVohvlft
-        N9aSQdcRoqT3/iMGu/6xdqbeq0/7a/U+6JvhYyWLkLsrzw2mlVRoIw==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVUtpb0FmeUduNW9EdHJw
+        WEY0WllWdE8vRlVhODU1dUcxUnF3WE5mUG5vCnBQRlNkblNHbUFESXhvQ05YdGVW
+        UkhjdjdvclRmTk55UXRGRStXREFiVVkKLS0tIDlkMHhxVkxEK1BjV2orQUtndGc2
+        Mk8rZm14SzFWTjJTanVXaE53UmViS28KQmnPfzLhgLasSuu1Aflp/JDWo1hqvYjb
+        BijruPUZ3NuoZ4Wuo56FLlTLrch051fI3ottzy85FfX3lRnWZ2IK8g==
         -----END AGE ENCRYPTED FILE-----
-    - recipient: age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j
-      enc: |
+      recipient: age1llkxtfx4dgnezmukj4ganx4ql9k4ga4ca9zuanf5r568jfp8peeqal490q
+    - enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWWM1WFdidkY4a2hLNm03
-        TGdNNE9ZK2lvelhYQndTYy9sUzM4TkN5elRZClJwQU1qeCtwUlFzeVE2d0FSSCsz
-        WTdzQWZLYXpqUHcxc3VEWHZvNmZibU0KLS0tIElCTWdraXRLcHNHMjR2eDVxVCta
-        bHhVdFpOdDB0eUR5d2hhdWJlcmJDMjgKBbVkm7LNwnoUVrUF3NPI7d25b6tAIr1t
-        HelMjQU5YFM7DvRYFOlNpgO7WmddNSq3C6WYa8AZDGpsjc6GypcLVw==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQSm9FZ1VmVWhadldRY0JU
+        c2R5d0tNMDV5U2tzbVorai91RTFyZFdUMWo0CmxLVUJYdVFUN296U3Q3MTJQM0JW
+        LzNTYlVVVitRYmk3azQ4VXBLWTZiZjQKLS0tIDhXdFZaK1BWVFp4M09jbk0zdGpF
+        dGxmUUZkQS9sMXZoeTJETGpvQW5VQ0EK9Y/trD7VhjQnqY+KryPfEv1J/D4NCWsx
+        CHv0R1ps6A0qoRJzS1UNxU5bLXDX1RGQiU/arhJ7LXFxHrNOdObsZQ==
         -----END AGE ENCRYPTED FILE-----
-    - recipient: age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22
-      enc: |
+      recipient: age197tmckjll9999v5apqh5h70dktdxzxn92uyzce5j7jmesvnneecs9p7m5j
+    - enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTmRaRXorMzBQZWwyNFp5
-        VHdUUElyd1V2dUcvQ3k2STQ0d1QyMytsRG1BCm5CVCtRWU5FVmErQWl2N3Y4QTc1
-        Mnh3K01QUnk2MGpSZk1NRVJWUlhFYWMKLS0tIEFOM0pMa3RVNUppS2xOakFVM1lR
-        cnlBL29XQVlsL1ZCenBIYTQ3S3JxQjQKq09vbn1XOC1jIXDpv+ThFMk9k7SyYknr
-        MBJRBp/0PrKBo/Xk+RCSWSLjgali5Cc8KTjDTJyBG8rFzzvLIazBRg==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBreTY4bzJ3T1FHOVdhS05v
+        dG40VWdVeWRpamdqd2ttajFJUjdYVHB0ZXdVCmk0UUJuRHdsUnE3ZThNakpwY3po
+        b3dtWXNNSUlvbzVHcXVIclNlaVNub00KLS0tIEMwL2FYcEZ1dkZ5MFl0S3pWSWFJ
+        NGdXVXA4UGJIOTN4UnhoMjRYaTRNWXMKGJNomXuB5TqXZKWk3Ub/rEc69CrfYABw
+        bBBidbCQBrv7cnsvjsVpHHGaTwyP9Nk1ceF/gbv9fD9gZ7dwt3SA1A==
         -----END AGE ENCRYPTED FILE-----
+      recipient: age1yc9s8r7zt6tc7scfyxc3345khdwqrx0lwj4z6yp56h6rmauev50s5yqr22
+    - enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrQWhjNHlDU0RKRmdKTzh0
+        M3dhOGcrc1N5SnozMHhSQWNUdERPSjRrZ3lZClBpd1lrbXY5OEVnMVgwTGl4YmUw
+        bWpJR0Z6RDZubG9lS1BIVnEvMWhEdlkKLS0tIFhSbVFhVnZIN2xETXlWNlh3TVVG
+        N1VTSWN3SEU5U2Uxc2lRUmwwaWc0L1UKfPWAEs93dF10GZdlQt3yeDltk/9Djmuh
+        3ZeGLgkOjcJPXO2hFQMZoJY7a2ZRIxN5Oa8PGwuy7DEtmQ9PdP/mbg==
+        -----END AGE ENCRYPTED FILE-----
+      recipient: age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp
   lastmodified: "2026-05-23T22:10:20Z"
   mac: ENC[AES256_GCM,data:JbnKG1qyAkvFDXr2iHu+gk7nRjedmm+dEK8vBFW5YzndWE4QKoYWeaqRHBk7wdWO9kpZgU2rFiu4Be+ikotoMS8jKAcd5wWSrWtSreaZxxiD2TWMWX8HwPtETnYe0rjrEZ3kPcUj4QPyNTphfbH3ARLjthedRXNF70NDc+DIpAY=,iv:4LN3oslWUWqoY3rQNVDSmlJn1o0c8JQELzsWd5btn7Y=,tag:c8X1q9XMMUkXed93j9C6ww==,type:str]
   pgp:
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMAxK/JaB2/SdtAQ//VIMBtLL8lhncJeItw53fQW4Lia0hs84yuKLuSBucNXhy
-        x3LT5r21C5CZ+JnucrGPxur4clsLnDnng2CgyWhksJNknk6smQIq3ZhyBd/OJzS4
-        zNGUJIbitJsDaKjTrYDCdsQ3KVcRBDMu3ow7vzeP4wnL4qU5fUuQ7S2rK6a1hfMB
-        eTQmn4wD/Rl+Q0AWEo2V/X8UgchwGPeuOXfju2t9+1UVE0kUJdXw/JIrGyR8XrYM
-        6ZGXB3mPnlZTZjqhXVSFSSOUTRYu/0g+s/JuDLpgl8gVP+oDvSCPrB2pDNK+o2Oo
-        VbQbJMg6lMbIuewd0ZTTeCv/TFU9O51RtkFyxHIEW7dVelDrNkuciAG1mDUHFUUw
-        MHeWDjngeCzr1hj1Z78P1bvR7I2pqBQiWT+d/e50S5quNRVjtLVEjuU7r1eKiPDu
-        pL1lYJZZu5+uY1nWE4qeJiI1KambjP9/C+RUCF38yT1wNvxrbwsM9haXGbI3t2cU
-        X/RRpK5VKKKwbBqyQmkZX7xaDR13hLF2vLtdVw6L9nYVVactfnFr9HKDV95HUnhO
-        uevmzu+ShtAt9FMXz86dLYmBx90A2BSWxb6sKvZkG8UDY+vVT1K0gNK4kwxR9rKt
-        LFzCq1a3ftx3UvrNMCwaboGQZLpRtiKr0lNQvGLpH/SRDZ2HksinV16FNVuN74HS
-        XgG5HnRO9/lkL2Bn+ms7Q6+ki9QmC21FlLGJOBQIi+VHNVwy6J8XQlrs5NZPy6Ib
-        LmWIV6BdIRejCAITlVeBRBpXymdUBicPLa/VQMK2s9L3SS7MUcv+4j+vje9YR5M=
-        =IEFm
+        hQIMAxK/JaB2/SdtAQ//cayg/ELKtybgayA4z+xOUK10zQJDE/U43BcPRMrBN0+x
+        VLu/C96Eom/dJN62SM2QamThHu454HMZj1PjDynMUzgfVqXEg/eG45bBBweWrI65
+        s0tuzLmsqpdt9TJ5t0znliL2DYS3MPfmYRNbAsYsCbQd4I0YpxdzQwTvURdzjpUG
+        nVBUfzfcYH1Yqq8BVtR40MKfa/DbOsJGENHtpkQ9UDAa3gwVQs0NyZRQzg5w364C
+        UvItYlU77ZCKPkyOQuciLn4sM5poihu3UNWp855QsDK6fZVuxPTS4Cn54cfwdOTe
+        rL/ZQjLcHJ7PRmZUiWR6GVNDrY55u7zhORD4b8BgrpWW4hhxpp/ENjnRmNt8jKR2
+        dJ/5/uC4HBX0fM3mbfpUn19BxCk9+gFPmNUOUZ93UxpQ28l1lZxeiLBOHAw1srEs
+        7ZfFrJ0osedPGHu8rVOe93DCAtb/oNxr1xvGuDK/licRkEh8t8cvuoVsVhYFjNBc
+        UKXIPrhvuSj69c3OiHa+u9fNZJX2XAi0oOcZqGp+sQCCgUCA15I5QiqTpalCSTKt
+        /Stoj9BsmlSiy8YD2XBjmzHHVxJHfl8XHcuONKc3e4UmVjKlzkzc0bI73Y6XiEvt
+        zRIUmWxfvAvqP/zPcMSwaZke5h7N7ywKcjM+RHB4NqRUVYlBNwIWXvi7f5BdLhrU
+        aAEJAhBcA//3NJxuDzlf1zoXGKOhGIwNv5/Qb1n13OKIT2s0nfbqEHgAUm+tX3gk
+        VKKMqFuVmq2mkAaxXWFq20VC6djTJJS1QOaNsc6x3bJ6iDtYV19Ddn/20jbmbqmn
+        XbCDvb50nubC
+        =ZByJ
         -----END PGP MESSAGE-----
       fp: EF643F59E008414882232C78FFA8331EEB7D6B70
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQEMA1QflAioE8i3AQf7BB0RdJbe8Ro2Fv4Phw+VaR0rUIuQKWOb7zf3/9YCbV2w
-        rICGVIx7V1vJF5R5RgSfk0RDrLN3Pfoq/7Jfkq6bMoHIVCHSFdryHfjG5Dgm49Xv
-        gDZ2CPAHPn15mG0Rr/67YUWsC2Jy4y6/JY478wzYu4Og9IkxkeBd6ufBFB6bTn4H
-        qB7B2hfkyQzA66zoxc0r2O1mchbJ3A4pVJw0v2I/sWCiZoJQKmt8ksoEK8BAQCWC
-        E8sozb2opRzFaUCZSNEdhz/rnbV8u5wW378kd8kHSOlWxaFZNkWUP42YQiNTkd9/
-        YpxxGvwCTIpHGAYFtU7CV7QfQHzTuAOz7ZElPZsYkdJeAZCwUFO24nzwpxYS43AV
-        29IHXvlKAQkjJunix0bPGcE3D6T8CUs0wXL2sUSDcvgOOQZSezRn4UNEqFCftjJ4
-        Gmldo/baMO2Y054/iA0jvNmHRk6sJCY8aRYv9m5Fqg==
-        =n7Qb
+        hQEMA1QflAioE8i3AQgAm+iazJdcOXiq08MvSGMQ9/NAvrgcDav4561Hew23n4Ms
+        tKC5VLXf3l1f6yjhBZy6mnslYOWWdJ+X4XK0OqWkRr/t7zxEK4M6PC6g1W5hkaFU
+        +9DrkBLKss8atz3EhexK6GeljTuRpVWM629BtvMPBo/41eyue78TLf81vCkbUJkC
+        UpeB4alsETvD9Oz0ZRT8fipuXzdpGSjobOIgQa9bKwFMXXGY2fwBuKW8gVtSgbXP
+        mKwqvGaSdHz30BxQExmLne5ERKHOvzac2woG5tOmKPaihg8pbvuq/VjS2K0mzS5q
+        cbwyq/u4d5fGEFQYqMARW1aiyo3NjYk4xWDcGo5Ql9JeAdwhj3Wgm1wccULt2Hj7
+        z/V1utNINoB0bPFb8ZQMmPpwAeH6nnoqjWmmoRSW0tL/EaPh5xQXdEuU+DloT5f+
+        k8c2KQC+v4bh6BMUcycAeIG/h4vKsgz/Jc6BWKKD2g==
+        =G51B
         -----END PGP MESSAGE-----
       fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMAz5uSgHG2iMJARAA4zyDJtNqK5w6QPYMyEtjuoAmva91yLA4oAU/diRpFXHx
-        D4UzksW8moYqmaiWblFy1HeQJFwZWrxnXeqg9B7PFOkhriIG7al4DpV2wXoCjami
-        DIkewGoeZjTbPNxsDVl0SbDafCARQFnQ8LNTmM2hi2X/ACg+c8mSM7eK6C3mh8yG
-        Bo2EsuCnIqzwzV6XbGCKnfOUh0QekWM7Jc/e3oYGSgCP2N5wb2PLVsW1220qdPvo
-        8D1l5cDVj2Pgq7fnfbxZGJYSfdgJb1YweH8mjHk3gHU68AGeeSkV+VwcBGV2HObg
-        hKSbVWcyGAHrP1ppCNyXr5ZkBgyvdB/EjxjLqTLq7sdTnqjLLbMLgi9CCI0NuDMI
-        jfgMjOdaImjUvvr8lCl7dOMyp9wc6ks0bwRbfG3AMLGKWeR+un3uaDYujD0bQLqZ
-        m0g5mx1wHxNCJIb2ZQ6UVjDlnatTYGBnxEupqxr9PFyny0MRhaiYkuDIh4tHW3nH
-        xyCHN9QIO2/EktLkM4wcfhOeVgdpfvKgT+cMG9kS/yfInZ5ZAGvXznzvfNZZtKDL
-        fLvvF5AqYbN05c0h56WJa65tIT75P2wI6ZBncCSLqSAzyXWlZFV6UBP+5QLEkQaE
-        WtY8y2907OAx1v8g6vc5v5oHMqfwfWC4nuFbkoJo/ZbfvtDWq4eFZfkUKY3Au5LS
-        XgE/l6NTtWknF4nPYIRaibum4527ke053JdD/50eqfuRv8MFIHbRPfWE4lE6lgev
-        +/j0Ef9sYRu726Sv3wAgT7K6PmCFsLN1319OmjkZpBAJiNsxx9qwXyqgTpTvb34=
-        =Hr9J
+        hQIMAz5uSgHG2iMJAQ/+NjXRTghMiYErsXenuJRaWdwHZ+6DkkG8nC5b+Aigljgu
+        OJg5UQgYtX5W5T79uUuEh5BWKO5bMHBwDNHQC7Hn1FseYgrOxcoSYOsewlb8t2QH
+        fqGLLhv82nRnU0nTs8W/yvrBH/ub0kAtuko1jkPSAWnoonmeEW970iLVIF9lCVYJ
+        idF+DDSiic9RDpHd4Csuxdv+1Q8OcaOW1HVAUrfrKOvC17sawd1Cat2DWC8EcOVD
+        clNn6A91FBCTxVnxwM4j2J/NXP1JRIGnlxaa4lATQMiX8lfheu0LyEpsFZai55RC
+        dq20HWqPgYHiamp6eGQ+Uqe5edx6F5YX/25S2Jfrx4D5vRh0PFx6blY0kgZJp16a
+        ywNiMtLPh7HjOMbB1v7bcWtIDWrIhWDtyJ7axny8sMamCLCPOwPpPvdL/B5YOntm
+        +0wMXHXCLCaljzsa5GFIyVYj3pTY/6O0Fgkv+6ow08ndPjsViHNikufCSW0ueIFF
+        ehv0V2+AHhedoHChFZI/DEbGzIKVcr7JAA+GHAIWcklg7O5hss+/rr7nYxVB0A+t
+        Sfp5kVMInLpCPLRm2retun3zPF8+R0kN/ZrkLy02K7z4rrD8wVE5QUvSCWbpKdfS
+        deWIy4lp9wRXSunag1/CxqvrH3ZszlxSZPEQkC4hez+xOS//L/5QsiP52SavB9PS
+        XgHvkL3slXXsdnIgm3cYnHqEBf2rXLQR/ZTzusXMLEBaGCd9JB33T/Lz+TUftCUI
+        xxLwzFvm+dEvQ6bOB6/OvSMBIsvVzMZxaIblwZRdIYfQovEdKLCRc+F4lTqV8fE=
+        =1lXS
         -----END PGP MESSAGE-----
       fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hF4DsZXvxFXTXoQSAQdAp7TsXm2MaBAh0qB3eOjtFuegcEsmtdQHsMP0rs0N/m0w
-        bbbzXLwq1TGL82l5Qon4NnX9Jg5gXnKydWOiKWhxCsQ0iHJ7eupJLxyfDD/kzga+
-        0l4BRUpbBFslWWa8Fb7zfNA7kslhkaQIJAmN92Yh/2NdkpmNEpMMaIrx2p2jK4Iz
-        mwGUQlUz4ZkK10xy+9LMaAtmLhBJgBhDTKKzw7OAsRAnASq2gXA/4wqEVgBU9BxB
-        =tBBK
+        hF4DsZXvxFXTXoQSAQdAJAr+RX2f5gW5PpXJ/WA+1qMPFjuWuDccIk1ecWzc4kEw
+        sNH69jVC0JL7l5RMrJTAaY0GRTMrJffoz28JxpVbUVFEpeHsd+myGCcD1jZyS1MX
+        0l4BllCKEsOVnEKKxOscOIctaIw8/MDNnLSoP04JI2xVKKThor+UwUhRzg+fVwxH
+        uEiHsx0xA/q0HVXhTNIvIWn0CKx/4uV8JwVa9JqjSSyQVm8PBwU+UTfXMQ5VcuHv
+        =uxSy
         -----END PGP MESSAGE-----
       fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hF4DerEtaFuTeewSAQdAlBZhTjLL3YPqorSXq0jet/0CXmeZeLL8inGvm/HgmgIw
-        aplmjWHB80err0ffZeRfcvqx9DGujpwlgoFGDxjqn4LIqoNg6YK/VfFb9pXUvIOv
-        0l4B9xQ4DlaYOX1egCQUBw3KcdcnNlcEZwTOwTKn0Hg3gXp0u3TYlJFZAchw2G+l
-        XJjlWiwJN2gKfEG7hrtZ7MJkYJFsqMFa1aC1oWHduxU4jmdRdQqdIaQDsqkcqJc3
-        =KNVY
+        hF4DerEtaFuTeewSAQdA2k3VLlMvCocHQ1ULFwTJKqscSb2FScq8A2I1TIdlfXAw
+        jWLzGphdsfHuNBEsocoixm4nKAdhjgBsud2rfYkuwxpqX2MlBr6ikpN73dXlHtt2
+        0l4BkUvmqlioN961OV7nssbeQLzb49C9Gzm5S1dQqBQVCt/7qGodTHHiQON7bYJp
+        +OgUaI6bKZjd9Lhm/u98dTH2cdPm1B5bUQPDzptWX5vG8euzBQxXc7OrGsTFyYME
+        =e/rg
         -----END PGP MESSAGE-----
       fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMAxjNhCKPP69fARAAhSBdgW04fKM8tAU8sC6h8/4e0Io3W/D2l6P7nZiD9WVR
-        2pUqS12mlNCoRt1I2empyJ5vm1wjor34BCuSCiyfLQ1WIlBJlDro96ygpsHZGmam
-        tNcrgwc7y6rg4ycqUWr+H+WVZ0kw1IYYKbfAjMAJF5lQqzz+VMvET9BbmvA595MO
-        l/dnMColnjxxBiYBIzO7mnli+uqRHB79rM2VVlrqoT+C2s9zuPfpJfY0PJaCbbdg
-        BlffAMqs9m2JZdDr2r0lrN/jyLUB2d3l9NCcF6UYP6tjgZsKmHv/JxSgXLf6IklE
-        wolO04qgDRK7jeO2UGEniweVQNi7hqA4vkp2TskGbfVsS10PyLYKw4N19GedLS3c
-        ZxRGde42Fze/PrccWq8bGdOfWhPBo2/MEyqVW4lgTeCCwrFRO3UNyYcWo7cmaN1q
-        lz7uaV6ffqbUDJSkjkphvxnJtuX62x9Uv/wcwrJuZUarSNclQ0nQV/e5wc7SzPgM
-        B+GLeR4tnconDZGFq8q+KKuHe7MSx2uwiZsJIVXohcZwhkd9wk5YQBPc8i4aP0NQ
-        wsb+QptuM8VpCEVAwKOUjp7IRRfUyqAIlmIRDkTijmHknSmI9HZXPyCvTLoy1Szf
-        KDrN1MAma6b4gsru1fFnVizXQyZozl5RVZFP2Uv+ndugdvRE5sv5aevlzgaWFg3S
-        XgFqaFwId78UDNTrxcs4EzjHmlwg4E05G9pUqbA9zBDdCqwlD4+6CfAgQ46A6ptY
-        5p2QQJ3KXgJXrtlJySq8piReyq3mpagtWZJfAazovJA/ZF4o/xs9ZIu/q3qxHSE=
-        =nR8y
+        hQIMAxjNhCKPP69fAQ//VLyOILC6lpvlq0W7NeYfUzL7KtKYXVDF7aSQ/b6Vn7Of
+        ggc9n40n6FkMJqknhbvSnhhlFdzVOCZkLy/hinNk+jF2POBlLbzBjCuzQSP+ZDyC
+        Dll2UJ/khITd+tQ4zwrFLpixr518Fgcj8NOgtljUovxR1bGIzYogpmiVFJEd0cT4
+        k7ldv5WbZtB2UprhPPpNe+98BaUvuSvA9RWCogaBbuQpY2p3g9t9Zo58spOawbP4
+        ccz7Pu03Esy3cenlnCt3G7gl19viIh+wHKrIXPa8dGO6TEsrRMPT0tNEs8iUJyDO
+        TNEgo6+yxQ2p+08EzAh0BCRwljqnPLjS/h2s2s208Z5rBOCpLY9RuoXz7JRvZ06p
+        gBgPFSIH12VBGjfqCB1uZIatbtLQLjOo6+UU0evM65WhKw3//tUnLrox1reoiRzO
+        ro4JuytP+f4PylQRsr3jOYKRKCBzoZOOPZbVEpwQeBOe9zzxDgVQqHgVDDZQzCcw
+        VTHCrs4XVHxPH0aRMlS4A80xbH7VncYbcbf8a6VrTpnPflv0OryWMWDqLBzmIPgM
+        W1Bz/hq/o6br+g4uAKjt4GTdTwWYxptA5L84aMoihpXRu0MaPhG+7MRsXpEa/+Ll
+        +ybl2DLpm6zm0iixkJuxwtOdQOGjqJqC/GLw/EZJTt2aO+ZUb8dLrChNmR7HJAjS
+        XgGBpFYao1AQqLZU3c+5B2/9/3rtOoVX1DQXhUsji5NkaHyYO8usauj9evPUf4qx
+        FAQRWua5/zp/cTlNWU3GknqtJ1G0g1mrkiVeBZCRxIK2Iyvyav7RALJ1jlkyW5c=
+        =meb0
         -----END PGP MESSAGE-----
       fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMA46L6MuPqfJqARAAjpM3MO83b2EUtzyZs66HWH6Kd60rl3QODTqs4PQm1cH5
-        HdzfVJ2IDo1y+FMTMmfJov6xBqnlalNaOvg8XFAkKTUkZgUHRW/q1WXP4FywTWmP
-        aJV47x4dOQXQgj/i/ykMspUgsxA5049/nG1y06Wsm2agLO3KjL6KIJAx0LI28XPU
-        qA/NFtfNuEAv7DGS2LGz1+X1hnRYcBX/oUgpihzActWmMORD6VS7xZGcMdF2/+Ex
-        OCDAnwT0cBSAihBSLTmEMJ4xfmMG228nbLqm9r/gELgVIsIL5hXWz0CtxaewwLQQ
-        XFMm/ZV/G6bZKRJzKPOR9EcPMF7Z+nnBts9wKNlE+WA32p7zu7hjvEFZhLiDKYlN
-        +nFcx/rvyWB6sbFK0xn2x5MonxWNVUy58PnqGWmPi2VtXT1al1zSAoKAgg8Xdw21
-        PQENtxqeUSLXXb0SZXFptMmYStwqoaFusLOCLW42DogFU246o14veDDtsS619T5G
-        RrszsNg543i3ra7MIm99YRXyniUaDp5VlKufPkWRexIT5YZYalOLtdLcaTTzfr7J
-        x4PNVOK2ddtmlKbbakvvmPWS3iBEUGMqw69dPhEdpY8yy7HJ2jpXX7TiezNqGJ9w
-        XqtI9RJmWrr0/zSoim0EpHDwXZhSf7YVcwTs0XCtwrXcQT6DLaZJr8cny/G1ErLS
-        XgEdnUqFpB1D0bacmRpfHA3PLZJd/x0QfwZ/b7gzz3f1xRfMXgnsM4iYu1S8+VAW
-        Dy21iVFZledWfrmuXh/PkLFftLipYK6tc0n922kFFxCn/xSP0yx9qKlNwzyduNI=
-        =4+Bv
+        hQIMA46L6MuPqfJqAQ/+NK0D10olgDK4KcArzoMtrJR7qwbrceSeKwaQGsUB1+RZ
+        xv6pZJ0zyw7McTuUV2I4bLYHy/TffSyJk5vLSSTGFXgHVdfKmjvm7VDEp5d2uKku
+        GW3Qh73quldfhd5GjO+F9V/S3rCysrNMpTmPnR5ha877FKGtc8168XRhIpe/1+mP
+        mvlE6h0Xizbx9myGR+ie17nHpoH+tjTtQFH640s38+xDgH6AozwWGUe/g5TdLaLJ
+        8SKHyQnS8hOHQDkttvhWRbyhKa8WuGyOKSjuQ81HIv+/UPxh1fs7vovPHM8rtIyy
+        xGcWPzUeoKQiV2nyXUP3BqglhOhD1vokh3ejDcxwWWKuyASCSXhhvW7KMsV3Stdd
+        E3O1nyOi4+2I2E4TQo0NLt5mTJonPbvSn4IvV0LuatrG902UeNNZRRwQv3ZrVp6f
+        G2ZJ9HNSs+Tp9H8cJzBGjDBYjC6/d3GGWi7N/5G/n6C7T6W81BgO8UiQOleEDF1c
+        Bi6NPNeoGL8fivVGlGTHpLcpPpbYz+1ynsFs1ho4+v5bHS5w+UfvVvQC7dlDKmR0
+        fUAkllcxLSnzKkpKis1HF+Gp+lSNc75/BzOeTA2gS3c8H9jMuncRolndPX1rVJA3
+        mrLiQE/Mja9NaYHzUROKIHDEUOQ1ZzvpcRduggvfj6Gb2wzNdUdR5QrXnLeI2jbS
+        XgHO7Jr0HrHzr/+p+w89U+uH4b7onseYDiAjfLjAZpcYwkzuy7b2ZUmpLq1BjZRo
+        zs+rSqv4BP0Xa7LNIFrHj4OeL9ivwP7Kw/Tb36hU8DJ8xDfilx81n69Fer/cJ8Y=
+        =BNfm
         -----END PGP MESSAGE-----
       fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hF4DQrf1tCqiJxoSAQdActtZQL4KWrCP8UUZa/fLeDltuNV9JjxTYiI9upoH12Qw
-        6n8EBLgKKNw1Hsb40u9M5Ro7Xzbys7zwZsL5CxEgFGDBxthtcdaI/ykjU0W3poLE
-        0l4BcMpLoCyxxwIn49GpFxHiv84Q9xhouSMmCTe2p3bn5zCRBnKsetVHtEti4iRF
-        sY9FipGcyiNHfkp8KsWeUxD/j1QUIkGODXt2RqYkO8ltA5QS3kUCPErmWYymEAEu
-        =RFaD
+        hF4DQrf1tCqiJxoSAQdA7az9ylWMB3fWHwSVRmU8Gu4Qnd6HIyMuiG46weuS/Cww
+        QMCknkfCG06HtMrOcroNigaj7G6FEvDm64sUkpW/ggWkHUUEMuwi5jcKIdx7XdbJ
+        0l4BDGUF81uOghQUq/JqDtiYPD8IzRHMXbJmXiO+4y6DE5b1t99wBUt3C5K5H91D
+        U3blcYO6GROPSkVp8ZIzfnWLvyVoWInd1ZiRs19n9MN6Yf8uWfx9/3xvN2kKQyvj
+        =4X+A
         -----END PGP MESSAGE-----
       fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hF4DzAGzViGx4qcSAQdAoNdta1fDVjzrPWeSfKrmslkoFi86I2nWplPOli/gFXsw
-        2Cx+wmejLlc61RE5sqAaQJc+0ctRezwXzBJbkuqznZ2jWPCK2A1EQ7r3Q7USCCca
-        0lgB6XOo0ByOj/W4TrrGn7VmwLvEqIiWCt5zk4BEUSVc62Ffv48dcwL3hsB3HlRw
-        6FXyR+2zwyEU5fuddFO4nMi8AXB6cfU6F4ugFgwn92lCgTom7IULY1D7
-        =Czq/
+        hF4DzAGzViGx4qcSAQdA/+jZ9/0jHioWKE2TK24OFDKjJ8futm2TP8z6Xat3uxww
+        DGwSznxagIkVgdTNKqAWmzGvOum8xDBqzP232CM8B/oxmwIjuIV8+FXtJuFHA/4b
+        0lgBN9loSuX5uL5O4uWzPulEhqjFElrWRZXLHZn7uIWipW/7mP8CGu02wwV/lme5
+        jvtJ6EjgopmHrxyaJqRk+e65gxBYKvxTQ1H1iETCUq8lOnxSBZVY5m5K
+        =7H6g
         -----END PGP MESSAGE-----
       fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMA2pVdGTIrZI+AQ/7B7h5br3PMgum71smOTJMBfl4OaxkQAirJeG/z2fjqbAG
-        l9q62H1cutGKS/IYOFLE0OQaRwmHtkdTkrdmf9yIuAktcdAGAeqwnYW3LwM3t7U1
-        nfZRJH5Hi4xcSVVaWHn5mX0QpxzrCye1EIjHvPRx6/bWHD5sW9qnkZAlAvEJS3/K
-        jdyBLLlK8AITpsX4eeVnmVLZBjbVEXPlXfFCh9PFyqrl+iyBBY9bO2aMzWldbQIr
-        j1551Xe1wKAOn5SJTg2Mrm5ehBKfH53HY6ubCy9acbv5ZTe6JuStseWordtRNNXY
-        9eVmR3MRVoFWgK4Ccb9Qq8l+uEHRuQfG9K7dSnxQIJpHCOAQO9oi3/ykDt9Vgvo6
-        WKPpvyuJpWc5Tn+WF1qhz5wDTRX6XY+cUoHkUqZXG0qMTIfMLIAFZ6MuslHU9f6J
-        PlY0FTnwp5/v9rK/rjXZkfIxKjQtSWZwkZCszZ0WtNVuaY3KO6KYrd9rolFFYjqn
-        I2xFGnTNZwh3tjG/3INoMwilOkIUNXr18k6FsPqVCAhj1Oo0iNxb3j+3pGJsH9iN
-        ciTLeM8MsFW9MYXG23i65a5WVXi8hMTcyqCy9GyxLeFprt2DaH2HaBahF3RIWPop
-        KTNsvW1aawy+lDUyr4mBy9F0TA8Z1/db3l950Gtuz5s9/7D6bbmRn72O++W1RD3S
-        XgE3QuksqaIh7ZGt8tVPREEHpBWmPCskh35vLoqeO1QxGxzJcjrcuNeHtOH44EEj
-        mHzYUydn0e1jwKZkATG23DiBCyMpcNAWmsMH45wmk0fgNLdQhuslhKLqOUDLpN0=
-        =Ygd+
+        hQIMA2pVdGTIrZI+AQ//aZjaPgcAM6RSG6QCnYJgn8EDEhG7HDvXmb58G7VfxArr
+        m+K4Hc3hW0Hh/c7/bzu2QWniN1ie4apqFSvQmAIJ3zQZSyOsqhzvbmyTFRAyzpzO
+        lOAo/s0xMu8s5V055vC2KWnKuqb9+WtWgJPotkpOf7wQM3aqtvXKFnPa74ihjXdt
+        uuopRsOsZPiG8MLcqkCrTy+pd1PywrqwjKeva+mfgbM8zpypw4kwLwrljsxCThkZ
+        To4dH+K8oesvSeyVOKWtAwnjQsPa3Zn5CFWXNwPnn2kpjyMoNRo07xuRkfHYI4L/
+        7D8zz07XdN47kJbEj2BYjChURtbxkFbAxq+IUDgbNDW+M7VQCKZW+vOFjwmFJAlT
+        CCco2I3lmrVX1j9BTMRr/3aQNbY/OzOxk0qjYZGnPqV1bH4IazaDFUB8pOdmit2t
+        KBzDt1L26V0Ek1CpOp1dcJxneITXX1j5IqjMbl0TzyoJ9CxsSaOWfZ6XsBBSXZNZ
+        VnDENbBAOGcJgatjmC2qH5FCNio7vMRRncX5j82sytDRWbj/7XHENFpfXyGPIuYg
+        AaHyxSVegFCeRUHpzXo+qeFpNFR4407v+otVaEdxbfj6MQfMZ7tDUOde+97NNRow
+        tAMUOAN9yhGuEPMPr4stQUz4lHseGMX3VdpJH8UQH+BxVdJhzKg0H/+6bAmnRi/U
+        aAEJAhAi7DZdrKpPPkDijPKnXCPJB+IzdAJdOCsnIhZFzaiDUo+RLvP9bEpoqv4m
+        ZFMtiF7P7bXyeNIObCCsgKhdX0thXI9lZvv7k9M4lAbFhPS9vlmDwf25t2Nm9Um8
+        2tbINg+K23jp
+        =syE6
         -----END PGP MESSAGE-----
       fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
-    - created_at: "2026-05-20T02:08:49Z"
+    - created_at: "2026-05-25T17:17:13Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hF4DKKbvh61jX5USAQdA8qtjYHoUe+GUdy3obbF+pNmvfuKQUqkMHa6V5ZXOpXAw
-        M/kx52Vu5xOdynB3NMBXsfTVH7KXh0f06HcehTREOkhlwVMYPcvDQQdzgJ3Xodpc
-        0l4BdYtmbmk9ETTqr+wXvf+6BMYIuvyhsLLSqyWyCxJv7blQYsxsc3EAHZ4LB0ZS
-        /lw6gQ5lmQyvVt9PQZayt6Iku0+WMJcgrf9xykOAm3N2QrtUnr4jHV3FydvTiUwR
-        =snV0
+        hF4DKKbvh61jX5USAQdAHw+hxKofus/fR32ThZOHfkL+8TIPvWeYnTYe5UUCC1ww
+        AtCE+MfZvMgRx7gUpVPcdWtch6nlFzun+r84QfPopFk4S824JFEkK8jG0scYCpy3
+        1GgBCQIQm+g/LWX0T3Do0NXrRGIuw0fiKrQiOpEhbO6a6ez/pES0zKKBdlH+scQl
+        +nLZoz6Mw5mkwhY6zIKsrikuQ/+sciO2fIq9tI4MR6cvD5gmVrGEjIyOZ4xgl3X9
+        nX6OVR9w8cR7rA==
+        =voeW
         -----END PGP MESSAGE-----
       fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49
   unencrypted_suffix: _unencrypted

inventories/z9/host_vars/z9-router.sops.yaml

@@ -0,0 +1,209 @@
+ansible_pull__age_private_key: ENC[AES256_GCM,data:TlMDo9sUTYznxKOGityGLexk54mM7LU9+U4ln0YYhO5fhXXmwvySxyMLHlaKzSlpU2/mRRy/0v7AIOuRVZx5XqV8X2JJsv3/NeY=,iv:r66g2UQ663KvWyAISitbHBRaLBlJ0gB2g/TW9JiL0Ls=,tag:VEq3Fqj+t40uBo9g4Icfew==,type:str]
+secrets__secrets:
+  - name: ENC[AES256_GCM,data:gt9BarzsfE/GJ5gQeelgePquW6KAgE3Exv4=,iv:IPpUQI+zkf8O+ej+ZxLFyWUOrxGGlZvmDRG0ut2cNsA=,tag:GP66MvcKyCqyKV814+uMYg==,type:str]
+    content: ENC[AES256_GCM,data:2ljp324rAsF2zk2631TI7bV1xKxdFr4u4NxrsPYnjWsL0PX0n0KhJ1qvJCs=,iv:0+DxsTTiNLOg5iH83bFT/d+0uW2rn6bATSm3xc5PEdE=,tag:XbBDrrjriXPedyT4+sBBwA==,type:str]
+  - name: ENC[AES256_GCM,data:9i4hZU7Hv/IMlI/1oYthx8g57nrst9LHZQk=,iv:IQanD/CA64A+hVyTQBiTvWdXyY8qNF9BpehWZxI5a9c=,tag:RiY0OJe2xbFPG6wfe5XjiA==,type:str]
+    content: ENC[AES256_GCM,data:68GUwG1Q2s2jH92HS0FQWrcMHJP8fHjrOqr21gsdswxKekQrpxX5B3BBFfM=,iv:HOsNUAKE5rOmKgZft2JK1NnZUuhk261d9WYWJS22nLM=,tag:3husFvB57AGVFzF7hKzLpw==,type:str]
+  - name: ENC[AES256_GCM,data:2lJUcDJ7ECJ1bF4Fg1VwOR2tBIQ77ZvDAbFF8w==,iv:HrPWIetjN/lOyQ7Mvk0sM1w+bWldlNfWhvw7/sfqKN8=,tag:AJL0s+f0O/yR4G3RVd1IHQ==,type:str]
+    content: ENC[AES256_GCM,data:68GUwG1Q2s2jH92HS0FQWrcMHJP8fHjrOqr21gsdswxKekQrpxX5B3BBFfM=,iv:HOsNUAKE5rOmKgZft2JK1NnZUuhk261d9WYWJS22nLM=,tag:3husFvB57AGVFzF7hKzLpw==,type:str]
+  - name: ENC[AES256_GCM,data:ESxpEp9k9BdD1GJv+af+U3ny0+RPuaJjWDhQ,iv:DxsZLiDF8F+ixepbUdlitMJ7DLHjGNFNuxRwLl7efo8=,tag:STnv/oLzbchdiwXfKP3fow==,type:str]
+    content: ENC[AES256_GCM,data:W2h5AcoT85OkekPeRkrf1m0bDdBjG/YNSbWlrcZtP7FjaPh/F+cx+J6oRRI=,iv:CLVXTqfstpIU3BX/Zdcnp9w0gWxeGDI/G1MNl6xr4ZU=,tag:yCqN4r1MV/VTWQvZ6COfIw==,type:str]
+  - name: ENC[AES256_GCM,data:IRwwy+WQxgQ8cDpB8HaCLpKwJj7oC87p0XOxWRo=,iv:BLXNMcigvaOeY6y4NlLPMMWQt9XFi6nodRwIYFgAAnU=,tag:OdQalmujOgrzW8oi64xMRg==,type:str]
+    content: ENC[AES256_GCM,data:C5oIcuEYtODsvjQZnbqbWVfP63mQzcRuh8f5rlBCyjwSq2mZiYGQe9t0T78=,iv:sITUDo9SKZTSwPfsMv4m4U0ruuVCcaxu7SUT52U4FSE=,tag:4CsSMJWQQPAIeK8DwUDBqg==,type:str]
+  - name: ENC[AES256_GCM,data:r0sbpjaGjezoNlyl1khy+Dly+8xbbfQZNB8om/E4/tj9lmM=,iv:MLrglBJA6BrHGmFRprlQcf5/Hqh952e5OyQQ9nPxumY=,tag:Se05kMBkSQ7TRxzij7Fo8A==,type:str]
+    content: ENC[AES256_GCM,data:/c1nRf1eZhbUmoQWvcj8yDaVPtyAN7Uu+S054q3C1/kXlQ7CgOe4CrMXnmk=,iv:ppar0aCKuIU3DOjwAoliZ5TOL199Z+Ffo4pCktjs0W8=,tag:nfaGutK+5KnlWBKU1MTxkQ==,type:str]
+  - name: ENC[AES256_GCM,data:7mwuykEqbGISOa2n+pWb6INLsHYdjyf2HxTtWpAr5xP1,iv:NMcg+L2DFtBO1nhyPid31yzLr+ZX7DUGl/WxV1MnrqU=,tag:65/BiUEI8v5oMlQqpKNDRg==,type:str]
+    content: ENC[AES256_GCM,data:SObbA3D/sGN5/i5ps4Zz3alygIXKbSgptFjfPHlwC8G588O+gKAkvKQwU/s=,iv:PY2vLfI3gInFeQbse49KC2/zZ9O4jeXAQ0fpP84GHHE=,tag:214Mb8hIYDkQ4+UkRWtc9w==,type:str]
+  - name: ENC[AES256_GCM,data:bES9O6JI4wTnuZsup9gflfaozeUDkfjVGNIFn8RnZQ==,iv:98kigM3KZIN5qXNdgfLg5WLmxzAsYCjNqVzyUPco/BI=,tag:1fwEtwQ6i9QQC3OCewN0eA==,type:str]
+    content: ENC[AES256_GCM,data:flO3Nb4u2WfWNVhn8k5Bgo3LmsHo2cVnLCsrz8ST9Ip7gO9FY9d27FQgphM=,iv:aiDoq+41cSjwcCZRaIPLtbltkOpc7FeuNN7swPqkHXQ=,tag:OhzcY2xKKJF2jZVRseXCFg==,type:str]
+  - name: ENC[AES256_GCM,data:ERsggezMBbs1YwbIgwzKSAEHWWOWYxap8IDdn2YtEKvZexqu,iv:XbObLp2QERgt57tc/Cpha1CWXi+GttcIU8hJFGSp8e8=,tag:FqCuSbvLRERpVnQTzQsfpQ==,type:str]
+    content: ENC[AES256_GCM,data:QPoZA71CwE8EFE0I+6z0z0O1bUCMQDDDG7wGNoxXKt3ovLkFt21r8WG7VhA=,iv:InX6A71f3DGTg1wO4G0ECf488+FnKgTHffVwvJ9hHQ0=,tag:EVxwJlneN1CbMLXto7uLFw==,type:str]
+sops:
+  age:
+    - enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxallVTFdueHBucXBVNzIx
+        cENqanlOOUticExzVnlERS90b2hWQ2VldUE4Cm9SVmhZejVzanRDTkJhQzhwM3BM
+        MGcwTEZ4YVQvdjc3clBHei93VEN5SkkKLS0tIGI3KzRPbjlNTFFBL2huYlZSVTZh
+        OVdXYVRkVVJwbVltSHBXRktIY3BYL2sKe+eqKzYeCUWx0KmT0+aM+TwWRj+P0Ecp
+        tnFHmQgnEPypIhVvZtzL7i64kL6sHizTmNhbw+hlnCztvsdEV5T0cw==
+        -----END AGE ENCRYPTED FILE-----
+      recipient: age1tx03yh67f052jzehvtvzmhe5ja6ca0rlugw8pr9v7q67z38w2ahs2a4alp
+  lastmodified: "2026-05-25T17:15:30Z"
+  mac: ENC[AES256_GCM,data:IW9eN5H2J5cnXUHlK2aD+yd2ORx+weSFKBGWd7pIolFb5txg0WlGVp8UpD4h+Tv0SJ9NkQOT6KpcXDez/L7r7xNYtmgf7AdrdGpy3IOkEYzHJ+oHUMd/aL+h5w6/RahrpxlPSrNKAC+AfpY+l0iodwQ09iuLp4YXFxRaRDGpGZw=,iv:6M7RkDN9D9Zlyq1MCRoiT4f1bd6OBZNg+C65oEuSWn4=,tag:wRsq4lt4mHVyY6ruGkYNKQ==,type:str]
+  pgp:
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxK/JaB2/SdtARAAlyJLMDlT4FLpMKaC3ygn1cfA2390Dz24lzKlHmwl5GgE
+        yS9bdTGMpcM8zPOQoqaoy/my3kgx2/U3q7WiCTMdUyYePAWuJFh8ZRZjw/hPpv6n
+        GwYgK3M2C1I9++zmZD5LlR4TaTTpr99+hctYrrp79QJddgozUzAQ44g7WvDm5VhI
+        bb2UVSo0MpWvLEMXHqH9YZcjkQyVg/DL+IaU1rM9pmpZxoN7+0jQY4ci1ZeHVo9e
+        DbYcjMazBLakjZxxdtHrqx3DjZgbYCancMy/dUKVuvDF/lN35WWSxslv14BNHljL
+        +/9YBDRgIr11x9j1hq241UwBW+6mSFxWF3qQ5esdR5xlLEqbm27PYGtqC4LIdzRX
+        ZUvdujuQ2PHCYJY/jKWSf0cdfXKEGorc1ZGOV9FNq9L+aKvfmRLWfzX4D0Hp47H2
+        d3itVuA9KYOdzmk6O+8FZv/VK1042L90tOPJhrtE287KhcJ2CvfT/Az4Qot8xg3c
+        tXmO3cWQpigXxJPfKRPjmmLJ9nq0BnBXj5ngkVz7d8R3FR1J/+TWG0F1VU7YeW2+
+        Z04RAbbKf36xUTqnaV34EDum4QLLdTMra6fPYPy0KiQYIKDcRSdHeM/hEs7JXP1c
+        zbUX4xuBOXl7kWYR0e3MUTzxYiQBr9BvSDY+7sGQCb+fPw+AKvFxig1grjsnZvPU
+        ZgEJAhAUE/ebqBa2nGimcAPn3PfeihehcmjLg7HmyWBPkHHMt/TIOztjkbGiQSC/
+        jBP+rhjmFxm0WKUGM4dkh14JkMgz7DZ9fozzLfo8zN8beuSDDzX1BndTIMBQJj8P
+        Q/rk1NL6pg==
+        =UXJ9
+        -----END PGP MESSAGE-----
+      fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQEMA1QflAioE8i3AQgAg+PBxAqWTfRhxP7GxDfQBPK3d52zshP9xhutqANzszhs
+        nbo3nHWj/vjvHlEuD+Rr/lr9qxsE3qS4ON7FG929RoB1YFHJnQl29Xym2Q34T0Hy
+        Ih3dibykm0t/NE+fuxsU4iU0imtjqhqA6P0+8FNF3UeCg60brcqlrBTXM9jFqlZ2
+        9nuvk75HkM1FoHiKx837qAd+RjNNO7xKUpn+EX0l0l9tScuPqUkWNQxLrbHrcO5M
+        bcEC1syZHQKCiucsesS1pJ7TFWOJsnamZyaqhzANGwWdhYwGQv37bWKr6dYTCy3q
+        rsT2NxQK4/N9CxmP6xWeAZbX00BDhNMfEQVtTlYLgdJcAS433Hiw+DSEwGu2zvTa
+        pHtQlGlaoOZemNnthw0NO6JQWGhz6Bx5QqYmbrshtVKNPh87vNVV0HhL/fQ7qwLp
+        uCgnMi3P59r8EKDZqTSp0YGfE2bx2hpBDnyJ42A=
+        =rOz4
+        -----END PGP MESSAGE-----
+      fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAz5uSgHG2iMJAQ/7BOewbq1xQgTOruTFebugbSrodtfUlIDpCez+FZMw3Gos
+        uwfp6jslBKXHidsA39CRktJ40EYqygmBgcxGTvHGC94VwSl7OfCjHsyfD/93L358
+        XsjpTHXBO/mOjQmJ2smhZx+q+iMLpJnq2QA8mGUI5uzPTjXD19sD9QdYdHF2p8D6
+        mdpVWED2gRf/sDoN+y3c/iZvMTN2HeDCx5d/wIgl3mmoHLvWRO8pNBV3EUg3ZBiv
+        fc0Y7m/0KOqW1itE4yg9IoPBWJg2jYSZTkRnQMPEkKEEHNtbx6dq5tLOYUIIwOwC
+        5JlL76BRoaul6ousBSHV8OWCAvS2N8OC+l0ATzk99p/h4zY7PCG7NhkKAOgYfWFa
+        /z5u6J6TMrmeLZjknFXepuVAzNmDU0CmuhMwZankGKq6lmsQQnHvdq8+ExGGWhfK
+        m6I8nPvG654md9H7Y3HusHa6y1rkf9gZp1UFzhvXQgZdvc7K5pJrhxjGUnEg6sS0
+        m4daDRuNLW32PXiwoWTtTJfOQFv0t1f1eEKI9DO/O8/4fNtIvmI/8HDcdF1XzDnt
+        lGnyD9cZ5jKsKjGrT9DcvJhyTGWDFeBDTY+rlt52E8NbrzWUjX4J7Gyz8QRY9j7m
+        wRi4uaVt5KBmB8Ibo2bMTUXU3Db/0p8nCAg/89D1fP6FF4izg3GU4oD3vJyl81XS
+        XAH8tGT9wbjXuhomyhqemDYb0QdTRfpAznm4AS36qbeU/Tvj4M+Nm64qLpj7FFtK
+        aeDas4lzgeQf6/cdd5ItLlRHhlBOJEmjHVzRR4npabCWZojP8PTac1IlBgvS
+        =OH/y
+        -----END PGP MESSAGE-----
+      fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DsZXvxFXTXoQSAQdAIjnFVslIKlmP0X12z6AdWNqxkpVBDFvf03ToWQEQv3Uw
+        8ka0OYl32rH6UiiSE1Vve1wZ/iVvK9/il6UhTpeAt8bIiCq6gEGR9Ba5NJnm6rSG
+        0lwBwzEtaARPJbbcWu7Jl+dAQ0quP6uVS55OYBuSannlaPrQ5qBuS14AtuQ3UEVz
+        EbcLJ0b4lGL7hgyAf2E6nuDTkPGPChAJ5H5DfrB74ZB30GcYBTzwj13+jWx/VQ==
+        =Hxuh
+        -----END PGP MESSAGE-----
+      fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DerEtaFuTeewSAQdANsYlCeGhhqmBgnqcSuNdQBUwYKpucDrb6aR9Siyukjww
+        72Gin/635k9bYXwknA1rPyTMvG00giQgjUr/QK6PSD/eGi0QOtMZLj1JRi8f5EU+
+        0lwB+MIM9+EEzHJ96ouzL3bu0e++NvRY1Qjyx1Xi43bM96eBeLZ5DAc1eTSdWizQ
+        EWTorcmXffkdfOQx1zrlGZo/qvfj5F706VcwX4aZwok/ASRmSeCfEXLgGLCwqQ==
+        =ccBm
+        -----END PGP MESSAGE-----
+      fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxjNhCKPP69fAQ/+IRYUQhf7zzIZy3AKAtQgyMKRINOUUqOEv6IKmNQaaQP7
+        K5JXnVi2gjgBuG+2gH9iCEimIggnWxFhHerfOps+NkAI6y7kFz5hnMtOY2Qf3vxT
+        Hoyq4l6Yn+gG1HSLozVr9dTQPjyGOKJkm36ZKpM7gqSuLNP2ijKARzay4Chg3i+p
+        E1TVTVoEczrPdLg3O2fd5mi2UT1k3E4QREti0k6K4juMWqMz+5iJ5X98qCdmE1eX
+        L5dmW0QSUChzBVw+7NEcxeNx5WsbhWgPA5m2+bng3V8tHqAwrRUCoxn2+yabnsZB
+        Z0Z7TgcLk0Xnezw+BkT3bOsKgv+atE5lm2rBiRUHRDR3S04j0Ju6fJHf24CNy5ES
+        xMF7BE23SgmqUq0BrvdJB0ToNKYGMM0C5Xg4vGRiE61+18TiFIeC3mF9suvFFKc+
+        houq6Cy7q3O5PEqEbu6t5vXAZHwL9Th+ZatIIe9jSToiZiLEOIEmiYptR009/OWq
+        v6ADzaAE6+i6HZ62xBYQuZFkiUrRKxYzTHFn0A10QUJrJgbWr8QjS76oKi8feEDC
+        BJAOwE/0aK+l46hI6mlh6rgeSy8XdOPLEnL4+1HjlshhTTiW1rE2cr0ZiTTA6UFX
+        UhABIUi6jiLnM13L+auulU1UZQ8wxp73okrcuu6g2bPT/l7zO9YNOCocWVPQa5vS
+        XAH7qrW533ttg2XAczCdALMulV2N5GHl7TbgRQBkdoBAKL+6oKfxbOZeQM2nrfZT
+        arytZbnjgCcy5ygnjeziRvWwLk7sysEpAQqQNRm50m2Cq+2ccedRP6zFzUhc
+        =4hCA
+        -----END PGP MESSAGE-----
+      fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA46L6MuPqfJqAQ/9G5pRNmw775xCYA+foCx9rM7eLXJFl2DjaI3a/O0yVc6t
+        32xtPuaHwTnP00Pbbo5Vc9QG7k0Fr3Rgy+ep1lGzeCMoHwF9xk98LspDtYZoKopE
+        6/L6KLldSauRv0rPVhCQHpZFsnx1VxaJiXn9vAW17+imC9SgqLYGWyrxAtLCOOqH
+        N68RnTsEDquXixEs82ao0EmQXPquimJgSx+xVSF4yitYYLLLHyUL+drMNuVb9q9Y
+        oAIdEL1svDIieTbTKGQUqZ8Alf8f/0cqPWpEkDwYIyB/i9KDkH5Oj7uBBRtVLGxQ
+        VxE32wO1xpXvKgUY2PhWD2rOBVDG8dW/hyqvc1WgIeo1A6FTq34b5dGC2lmTRngB
+        9mBjUd59zeOvdXLmoGwXgbjVhpgnm/5wlUeiIC3xR9MjW3znRBT6ujCaglpAdXBC
+        0AIugssGcuXbP9Tj5zMVlbdi2dj6Ylc8S1Tj/OjwxHCCj6AWRqpxN5vY28RiLFGy
+        +eAsryzPk6UTCPIydiWwsrP+w8EhbllFxzZM+Sn+fshAHdRug+EeyT3h5V5JF+Ko
+        BZCrZkwYqAcVkJjEYlukjvxVFvo+T6tRMz4F4yNgjqFjneUaeLCc6RllaT696H0Y
+        8+lw5rK+XpcXBZqso6vsLChRdZQJjoj9lkjRDbmhOkaRglikC6Cx+mpY1/XnGvDS
+        XAFWOuNKjN/xIRtaDc6tmeWsKkuqghjHiMeRqw10/kTBjniMLLJIN9ssj4HjYqC3
+        CsqyHqZmrbITUMr718gX1kkAvzF/fVAXT8YshOcK7rQbiMQJCZqeBp3fY7FC
+        =5yPR
+        -----END PGP MESSAGE-----
+      fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DQrf1tCqiJxoSAQdAfLqKILCrCv2s2V7bLntk5lHI6Dc1FQlCg3LAefc8oTIw
+        a3UZU3OajQ1CCIhhu02JSlTKZm2z+pZKVHy+s5EgCqwAWTfPNAnyPT0ZGrhIdcah
+        0lwBdg2Tq3+Nhix1ZuA/mUgcrbRBcFKlHY+IGEgOHKLJld9UPF2xEjTX6nmLyuTR
+        6x+HW/7vVuc/jcFeQEmokhQw/SICVdyD7NQua4k1agLkty3hGcm1XCsfyKfj+w==
+        =Bxf9
+        -----END PGP MESSAGE-----
+      fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DzAGzViGx4qcSAQdAr2tfPiCpUkxFj4rgSiLf7y4iyKbsgEY87iYH3GAZTVcw
+        vK2YpjSVgFRoJNx9s3bFr+9UG0LFmKvDZEP83ThQizYs2I/N7MSU8ERRImshaQMH
+        0lYB4At0RHC1mp8eKqhRgXenOtpfCiBACtlIdS9m1aqcU6i9Drgt86Bk/LC/HSvJ
+        MUOit2PP7QZVRWV6F8wAHlUFd6bdTKv9eOCZLSB6mY6DQmkp93FIMg==
+        =lQcB
+        -----END PGP MESSAGE-----
+      fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA2pVdGTIrZI+ARAAjNHCArTtU9D8zw5yJzvf0KSwQoOaQWHui7AqQkvQ8mJv
+        8+Vo9sb+JoSuFHQqqDbOU+VFpmc9CZ6HCJaWqO2gZVgjxrsrPgyfq795LBd6GhX5
+        6zwUH2huxv+n7XkfjN4HHJAlSj0pRyL3fyojdOdtXCTuBGbofLIBJUbuD1wro1K+
+        nSHLvdBEitn8afKt5/SaatB8Prwyet6E6J4HluXFQjl+KdrRHHvXImmhNSR4yfIr
+        yQt2s8qapSvLhrUw9/GFXqM/jg4ZlDhPUhCAKI2Pr5PbsRMBqwdkSrDeB7MHdsU6
+        tI4uyb7j8m3VMbFKNVpuluwgk47V+W/h+jtZetSR6ewYsXJjgHNmX6JX73XzR7R+
+        q4EBfSAxR7ByZ/HHuumUH6BKBj8IcNJQwtEkLIZmLZ3OdFtJP3YY0esV+gEhG6K7
+        m2Zl9C7axuYmvoLrqygaChmxMhMiebTPNkD/dH5Ircwl2cXfHC+bvF2WO73DTk9G
+        emHzrkniEtuUs+svMhT3NKM3/mpOJTiNezdH39HZADzkBwZ5Mmkfe4mbXByfRN7F
+        AEJWmnOcpXwXE9//sRbkRr+CGmB86raZE22wHPuk6U9IyVFJm8hJbOzFc7rwu1Eo
+        0YWBCsc9dA+jH8hIKrIfXwqnfhYjTrX+oZJeK/8McOwfF7I2G9YrPAgwbokQmtLU
+        ZgEJAhC8ryOvXwp2kP9sv6nbXIEcwrX8lRjkEWduf6ZAWAfQ5FGBSPzR8WnZWGzN
+        PCxjg7utA9AHBChF1duwOV2Qr5XW8HTUGAx4fc0T0rjC862vSwf8yAY89WWJyUfk
+        n8qhhdw1uw==
+        =KgOe
+        -----END PGP MESSAGE-----
+      fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
+    - created_at: "2026-05-25T17:17:14Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DKKbvh61jX5USAQdAYrtySnoCK7k4ZZIyllSAr23fozsiZb9Nf6Q+r56i3lAw
+        7IxBdJc2ipMxafy1Ntq0wfAYYk7nY6Vz1XtB+ekVeYLOjDmHRnJWq/Jw0K8wLvWT
+        1GYBCQIQ/0zDLdFOrMNjVPMutGVJOkpm7mbD30GpgRugzEf2NZePGtptqnP6i1t1
+        izBqFRByftV1MUw1uWgTFgB8zEVDh6gG0QAYeRuu3NS9QhwR71Wlu2J4eu+VhZi7
+        AKabk3T3Z00=
+        =A2ad
+        -----END PGP MESSAGE-----
+      fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49
+  unencrypted_suffix: _unencrypted
+  version: 3.13.1

inventories/z9/host_vars/z9-router.yaml

@@ -0,0 +1,7 @@
+systemd_networkd__config_dir: 'resources/z9/z9-router/systemd_networkd/'
+systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/z9/z9-router/systemd_networkd_global_config.conf') }}"
+nftables__config: "{{ lookup('ansible.builtin.file', 'resources/z9/z9-router/nftables/nftables.conf') }}"
+ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
+ansible_pull__timer_randomized_delay_sec: 0min
+unbound_access_control: [ "10.89.208.0/20" ]
+kea_dhcp__include_vars: resources/z9/z9-router/kea_dhcp.yaml

inventories/z9/hosts.yaml

@@ -14,6 +14,12 @@ all:
     yate:
       ansible_host: yate.ccchh.net
       ansible_user: chaos
+    z9-router:
+      ansible_host: z9-router.ccchh.net
+      ansible_user: chaos
+base_config_hosts:
+  hosts:
+    z9-router:
 certbot_hosts:
   hosts:
     dooris:
@@ -35,6 +41,7 @@ infrastructure_authorized_keys_hosts:
     light:
     waybackproxy:
     yate:
+    z9-router:
 nginx_hosts:
   hosts:
     dooris:
@@ -46,16 +53,31 @@ ola_hosts:
 proxmox_vm_template_hosts:
   hosts:
     thinkcccore0:
+systemd_networkd_hosts:
+  hosts:
+    z9-router:
+nftables_hosts:
+  hosts:
+    z9-router:
+unbound_hosts:
+  hosts:
+    z9-router:
+kea_dhcp_hosts:
+  hosts:
+    z9-router:
 alloy_hosts:
   hosts:
     light:
     yate:
     dooris:
+    z9-router:
 ansible_pull_hosts:
   hosts:
     dooris:
     light:
     waybackproxy:
     yate:
+    z9-router:
 secrets_hosts:
   hosts:
+    z9-router:

playbooks/deploy.yaml

@@ -27,6 +27,20 @@
   tags:
     - nftables
 
+- name: Ensure unbound deployment on unbound_hosts
+  hosts: unbound_hosts
+  roles:
+    - unbound
+  tags:
+    - unbound
+
+- name: Ensure kea_dhcp deployment on kea_dhcp_hosts
+  hosts: kea_dhcp_hosts
+  roles:
+    - kea_dhcp
+  tags:
+    - kea_dhcp
+
 - name: Ensure deployment of infrastructure authorized keys
   hosts: infrastructure_authorized_keys_hosts
   roles:

resources/z9/z9-router/kea_dhcp.yaml

@@ -0,0 +1,293 @@
+kea_dhcp__dns_servers:
+  v4:
+    - 185.161.129.134
+  v6:
+    - 2a07:c481::1:2
+
+kea_dhcp__dhcp4:
+  enable: true
+  interfaces: [ "netlan.51", "netlan.52", "netlan.54" ]
+  control-sockets:
+    - socket-name: /var/run/kea-dhcp4-ctrl-agent.sock
+      socket-type: unix
+  lease-database:
+    type: memfile
+    persist: true
+  option-data:
+    - name: "domain-name-servers"
+      code: 6
+      csv-format: true
+      data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}"
+  subnets:
+    - id: 1
+      subnet: 10.89.208.0/22
+      pools:
+        - pool: "10.89.208.32 - 10.89.211.250"
+      reservations:
+        - ip-address: 10.89.208.11
+          hostname: beamer
+          hw-address: "ac:87:a3:18:9e:01"
+        - ip-address: 10.89.208.12
+          hostname: Brother-CCCHH
+          hw-address: "00:80:77:04:3a:55"
+        - ip-address: 10.89.208.13
+          hostname: muzak
+          hw-address: "00:11:24:5f:4f:80"
+        - ip-address: 10.89.208.14
+          hostname: Big-Room-Beamer
+          hw-address: "64:d2:c4:db:08:5c"
+        - ip-address: 10.89.208.16
+          hostname: dooris
+          hw-address: "bc:24:11:b3:93:9c"
+        - ip-address: 10.89.208.17
+          hostname: hmdooris-ccu
+          hw-address: "bc:24:11:5f:2d:b1"
+        - ip-address: 10.89.208.27
+          hostname: cisco-slm248p
+          hw-address: "00:23:eb:b0:fc:3f"
+        - ip-address: 10.89.208.47
+          hw-address: "6c:df:fb:0b:34:21"
+        - ip-address: 10.89.208.48
+          hw-address: "6c:df:fb:0d:91:63"
+        - ip-address: 10.89.209.28
+          hostname: hp-color
+          hw-address: "3c:52:82:29:21:79"
+        - ip-address: 10.89.209.29
+          hostname: dooris-ng
+          hw-address: "6c:4b:90:19:21:a1"
+        - ip-address: 10.89.209.166
+          hostname: encoder-ccchh
+          hw-address: "00:4e:01:a2:40:d7"
+        - ip-address: 10.89.209.254
+          hostname: ki10
+          hw-address: "dc:a6:32:a9:ff:82"
+      option-data:
+        - name: routers,
+          csv-format: true
+          data: 10.89.208.1
+    - id: 2
+      subnet: 10.89.212.0/24
+      pools:
+        - pool: "10.89.212.32 - 10.89.212.250"
+      reservations:
+        - ip-address: 10.89.212.3
+          hostname: prusamk3
+          hw-address: "10:9c:70:2e:59:3e"
+        - ip-address: 10.89.212.4
+          hostname: prusamk4
+          hw-address: "10:9c:70:2e:6e:f0"
+        - ip-address: 10.89.212.11
+          hostname: Ziggy
+          hw-address: "44:17:93:53:65:57"
+        - ip-address: 10.89.212.12
+          hostname: legacy
+          hw-address: "00:15:65:a1:ed:98"
+        - ip-address: 10.89.212.23
+          hostname: foobarpay
+          hw-address: "f4:f2:6d:09:a6:73"
+        - ip-address: 10.89.212.24
+          hostname: foobackup
+          hw-address: "bc:24:11:20:1a:a8"
+        - ip-address: 10.89.212.27
+          hostname: ender3v2-sonic-pad
+          hw-address: "fc:ee:91:00:0e:14"
+        - ip-address: 10.89.212.31
+          hostname: octopi
+          hw-address: "b8:27:eb:0f:d8:09"
+        - ip-address: 10.89.212.32
+          hostname: 433mhz-bridge
+          hw-address: "0c:b8:15:fe:e3:34"
+        - ip-address: 10.89.212.33
+          hostname: wled-kueche
+          hw-address: "30:ae:a4:7a:8d:a0"
+        - ip-address: 10.89.212.34
+          hostname: wled-serverschrank
+          hw-address: "18:fe:34:a6:64:76"
+        - ip-address: 10.89.212.35
+          hostname: wled-couch
+          hw-address: "64:b7:08:40:ab:c0"
+        - ip-address: 10.89.212.36
+          hostname: laser
+          hw-address: "b8:27:eb:be:38:fa"
+        - ip-address: 10.89.212.37
+          hostname: laser-eth
+          hw-address: "b8:27:eb:eb:6d:af"
+        - ip-address: 10.89.212.42
+          hostname: t-mix
+          hw-address: "40:a5:ef:d9:eb:93"
+        - ip-address: 10.89.212.86
+          hostname: fritz-fon
+          hw-address: "00:1f:3f:c9:e5:b2"
+        - ip-address: 10.89.212.211
+          hostname: hauptraum-esphome
+          hw-address: "e8:db:84:e8:18:d2"
+        - ip-address: 10.89.212.212
+          hostname: werkstatt-esphome
+          hw-address: "3c:71:bf:26:42:32"
+        - ip-address: 10.89.212.213
+          hostname: ir-bridge-beamer
+          hw-address: "8c:ce:4e:51:93:dd"
+        - ip-address: 10.89.212.215
+          hostname: pi-dmx-werkstatt
+          hw-address: "b8:27:eb:65:e5:31"
+        - ip-address: 10.89.212.227
+          hostname: SIP-T46S
+          hw-address: "80:5e:c0:09:bf:55"
+        - ip-address: 10.89.212.230
+          hostname: SIP-T46S
+          hw-address: "80:5e:c0:22:33:08"
+        - ip-address: 10.89.212.232
+          hostname: staubi
+          hw-address: "b8:4d:43:98:51:2b"
+        - ip-address: 10.89.212.233
+          hostname: staubiv2
+          hw-address: "70:c9:32:82:25:b2"
+        - ip-address: 10.89.212.234
+          hostname: AtemMini
+          hw-address: "7c:2e:0d:13:72:a8"
+        - ip-address: 10.89.212.235
+          hostname: okilaser
+          hw-address: "2c:ff:65:22:b4:63"
+        - ip-address: 10.89.212.236
+          hw-address: "b8:27:eb:29:bd:77"
+      option-data:
+        - name: routers,
+          csv-format: true
+          data: 10.89.212.1
+    - id: 3
+      subnet: 10.89.213.0/24
+      pools:
+        - pool: "10.89.213.32 - 10.89.213.250"
+      reservations:
+        - ip-address: 10.89.213.2
+          hostname: sw-rack-1
+          hw-address: "F0:9F:C2:10:C3:AA"
+        - ip-address: 10.89.213.3
+          hostname: sw-rack-2-peo
+          hw-address: "44:d9:e7:06:69:5d"
+        - ip-address: 10.89.213.4
+          hostname: sw-main-1
+          hw-address: "a8:9c:6c:16:df:cc"
+        - ip-address: 10.89.213.5
+          hostname: sw-main-2
+          hw-address: "a8:9c:6c:16:e8:86"
+        - ip-address: 10.89.213.6
+          hostname: sw-shop-1
+          hw-address: "C0:4A:00:FB:DA:C5"
+        - ip-address: 10.89.213.7
+          hostname: sw-shop-2-peo
+          hw-address: "f4:e2:c6:bf:20:ee"
+        - ip-address: 10.89.213.8
+          hostname: sw-shop-3-peo
+          hw-address: "d8:b3:70:85:72:76"
+        - ip-address: 10.89.213.11
+          hostname: pve01
+          hw-address: "38:05:25:30:80:35"
+        - ip-address: 10.89.213.12
+          hostname: pve02
+          hw-address: "b8:85:84:b1:57:b6"
+        - ip-address: 10.89.213.13
+          hostname: pve03
+          hw-address: "98:fa:9b:a2:ed:e8"
+        - ip-address: 10.89.213.15
+          hostname: pbs
+          hw-address: "BC:24:11:D6:2C:81"
+        - ip-address: 10.89.213.21
+          hostname: unifi
+          hw-address: "BC:24:11:25:77:60"
+        - ip-address: 10.89.213.22
+          hostname: club-assistant
+          hw-address: "7a:55:61:c3:a2:89"
+        - ip-address: 10.89.213.23
+          hostname: automation
+          hw-address: "f2:20:75:5a:2f:8c"
+        - ip-address: 10.89.213.24
+          hostname: yate
+          hw-address: "bc:24:11:73:3e:f7"
+        - ip-address: 10.89.213.25
+          hostname: ptouch-print-server
+          hw-address: "bc:24:11:f2:cf:8f"
+        - ip-address: 10.89.213.26
+          hostname: mqtt
+          hw-address: "bc:24:11:48:85:73"
+        - ip-address: 10.89.213.27
+          hostname: factorio
+          hw-address: "bc:24:11:a3:43:7f"
+        - ip-address: 10.89.213.28
+          hostname: light
+          hw-address: "72:61:ea:e6:49:e3"
+        - ip-address: 10.89.213.29
+          hostname: homematic
+          hw-address: "fe:3a:42:77:3a:be"
+        - ip-address: 10.89.213.30
+          hostname: proxmox-backup-server
+          hw-address: "8a:48:dd:a3:22:40"
+      option-data:
+        - name: routers,
+          csv-format: true
+          data: 10.89.213.1
+
+kea_dhcp__dhcp6:
+  enable: true
+  interfaces: [ "netlan.51", "netlan.52", "netlan.54" ]
+  control-sockets:
+    - socket-name: /var/run/kea-dhcp6-ctrl-agent.sock
+      socket-type: unix
+  lease-database:
+    type: memfile
+    persist: true
+  option-data:
+    - name: "dns-servers"
+      code: 23
+      csv-format: true
+      data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}"
+  subnets:
+    - id: 1
+      subnet: "2a07:c481:1:33::/64"
+      pools:
+        - pool: "2a07:c481:1:33::1:1 - 2a07:c481:1:33::FFFF:FFFF"
+    - id: 2
+      subnet: "2a07:c481:1:34::/64"
+      pools:
+        - pool: "2a07:c481:1:34::1:1 - 2a07:c481:1:34::FFFF:FFFF"
+    - id: 3
+      subnet: "2a07:c481:1:36::/64"
+      pools:
+        - pool: "2a07:c481:1:36::1:1 - 2a07:c481:1:36::FFFF:FFFF"
+      reservations:
+        - ip-address: "2a07:c481:1:36::2"
+          hostname: sw-rack-1
+          hw-address: "F0:9F:C2:10:C3:AA"
+        - ip-address: "2a07:c481:1:36::3"
+          hostname: sw-rack-2-peo
+          hw-address: "44:d9:e7:06:69:5d"
+        - ip-address: "2a07:c481:1:36::4"
+          hostname: sw-main-1
+          hw-address: "a8:9c:6c:16:df:cc"
+        - ip-address: "2a07:c481:1:36::5"
+          hostname: sw-main-2
+          hw-address: "a8:9c:6c:16:e8:86"
+        - ip-address: "2a07:c481:1:36::6"
+          hostname: sw-shop-1
+          hw-address: "C0:4A:00:FB:DA:C5"
+        - ip-address: "2a07:c481:1:36::7"
+          hostname: sw-shop-2-peo
+          hw-address: "f4:e2:c6:bf:20:ee"
+        - ip-address: "2a07:c481:1:36::8"
+          hostname: sw-shop-3-peo
+          hw-address: "d8:b3:70:85:72:76"
+        - ip-address: "2a07:c481:1:36::b"
+          hostname: pve01
+          hw-address: "38:05:25:30:80:35"
+        - ip-address: "2a07:c481:1:36::c"
+          hostname: pve02
+          hw-address: "b8:85:84:b1:57:b6"
+        - ip-address: "2a07:c481:1:36::d"
+          hostname: pve03
+          hw-address: "98:fa:9b:a2:ed:e8"
+        - ip-address: "2a07:c481:1:36::f"
+          hostname: pbs
+          hw-address: "BC:24:11:D6:2C:81"
+        - ip-address: "2a07:c481:1:36::14"
+          hostname: unifi
+          hw-address: "BC:24:11:25:77:60"

resources/z9/z9-router/nftables/nftables.conf

@@ -0,0 +1,114 @@
+#!/usr/sbin/nft -f
+
+## Variables
+
+# Hosts
+
+
+# Interfaces
+define if_netwan = "netwan"
+define if_netlan = "netlan"
+define if_wg55_management   = "wg55"
+define if_netwan_400_fux_uplink = "netwan.400"
+define if_netlan_51_clients = "netlan.51"
+define if_netlan_52_iot = "netlan.52"
+define if_netlan_53_public = "netlan.53"
+define if_netlan_54_management = "netlan.54"
+
+# Interface Groups
+define wan_ifs = { $if_netwan_400_fux_uplink }
+define lan_ifs = { $if_netlan_51_clients,
+                   $if_netlan_52_iot,
+                   $if_netlan_53_public,
+                   $if_netlan_54_management }
+define v4_exposed_ifs = { $if_netlan_53_public }
+define v6_exposed_ifs = { $if_netlan_53_public }
+define v4_nat_ifs = { $if_netlan_51_clients,
+                      $if_netlan_52_iot,
+                      $if_netlan_54_management }
+
+
+## Rules
+
+table inet reverse-path-forwarding {
+    chain rpf-filter {
+        type filter hook prerouting priority mangle + 10; policy drop;
+
+        # Only allow packets if their source address is routed via their incoming interface.
+        # https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100
+        fib saddr . mark . iif oif exists accept
+    }
+}
+
+table inet host {
+    chain input {
+        type filter hook input priority filter; policy drop;
+
+        iifname "lo" accept comment "allow loopback"
+
+        ct state invalid drop
+        ct state established,related accept
+
+		    ip protocol icmp accept
+        # ICMPv6
+        # https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
+        # Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
+        # Error messages that are essential to the establishment and maintenance of communications:
+        icmpv6 type { destination-unreachable, packet-too-big } accept
+        icmpv6 type { time-exceeded } accept
+        icmpv6 type { parameter-problem } accept
+        # Connectivity checking messages:
+        icmpv6 type { echo-request, echo-reply } accept
+        # Address Configuration and Router Selection messages:
+        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
+        # Link-Local Multicast Receiver Notification messages:
+        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
+        # SEND Certificate Path Notification messages:
+        icmpv6 type { 148, 149 } accept
+        # Multicast Router Discovery messages:
+        icmpv6 type { 151, 152, 153 } accept
+
+        # Allow SSH access.
+        tcp dport 22 accept comment "allow ssh access"
+
+        # Allow WireGuard access.
+        udp dport 51820 accept comment "allow WireGuard access"
+
+        # Allow DHCP server access.
+		    iifname { $lan_ifs } udp dport 67 accept comment "allow dhcp server access"
+
+        # Allow DNS server access from lan_ifs
+        iifname { $lan_ifs, $if_wg55_management } udp dport 53 accept comment "allow dns server access from lan_ifs"
+    }
+}
+
+table ip v4nat {
+    chain prerouting {
+        type nat hook prerouting priority dstnat; policy accept;
+    }
+
+    chain postrouting {
+        type nat hook postrouting priority srcnat; policy accept;
+
+        iifname { $v4_nat_ifs, $if_wg55_management } oifname $wan_ifs masquerade
+    }
+}
+
+table inet forward {
+    chain forward {
+        type filter hook forward priority filter; policy drop;
+
+        ct state invalid drop
+        ct state established,related accept
+
+        # Allow internet access.
+		    iifname { $lan_ifs, $if_wg55_management } oifname $wan_ifs accept comment "allow internet access"
+
+        # Allow access to exposed networks from internet.
+        meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
+        meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
+
+        # Allow clients and management to most
+        iifname { $if_netlan_51_clients, $if_netlan_54_management, $if_wg55_management } oifname $lan_ifs accept comment "Allow clients and management to lan interfaces"
+    }
+}

resources/z9/z9-router/systemd_networkd/00-netlan.link

@@ -0,0 +1,6 @@
+[Match]
+MACAddress=BC:24:11:72:A3:27
+Type=ether
+
+[Link]
+Name=netlan

resources/z9/z9-router/systemd_networkd/00-netwan.link

@@ -0,0 +1,6 @@
+[Match]
+MACAddress=BC:24:11:CF:65:57
+Type=ether
+
+[Link]
+Name=netwan

resources/z9/z9-router/systemd_networkd/10-netlan.51.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.51
+Kind=vlan
+
+[VLAN]
+Id=51
+

resources/z9/z9-router/systemd_networkd/10-netlan.52.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.52
+Kind=vlan
+
+[VLAN]
+Id=52
+

resources/z9/z9-router/systemd_networkd/10-netlan.53.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.53
+Kind=vlan
+
+[VLAN]
+Id=53
+

resources/z9/z9-router/systemd_networkd/10-netlan.54.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.54
+Kind=vlan
+
+[VLAN]
+Id=54
+

resources/z9/z9-router/systemd_networkd/10-netwan.400.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netwan.400
+Kind=vlan
+
+[VLAN]
+Id=400
+

resources/z9/z9-router/systemd_networkd/10-wg55.netdev

@@ -0,0 +1,90 @@
+[NetDev]
+Description=Admin-Wireguard
+Kind=wireguard
+Name=wg55
+
+[WireGuard]
+ListenPort=51820
+PrivateKeyFile=/etc/ansible_secrets/wireguard_wg55_private_key
+
+# WireGuard Peers
+
+[WireGuardPeer]
+# friendly_name = stb
+AllowedIPs = 10.89.214.2/32,2a07:c481:1:37::2/128
+PublicKey = vILSL4dbaC5IaTsRhJviamV18ssxWSj+qLVyowLQ214=
+PersistentKeepalive = 30
+
+[WireGuardPeer]
+# friendly_name = fi
+AllowedIPs = 10.89.214.3/32,2a07:c481:1:37::3/128
+PublicKey = UHi/if5uW2V3+8Q3R+uk6/XpRi4fPXbw7chsKI4xlkI=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_fi_psk
+
+[WireGuardPeer]
+# friendly_name = jtbx
+AllowedIPs = 10.89.214.4/32,2a07:c481:1:37::4/128
+PublicKey = NyyEqdWgScgsnTF8Zz/Om4Lc84fdFMwVtvaCmLEkUlQ=
+
+[WireGuardPeer]
+# friendly_name = June
+AllowedIPs = 10.89.214.6/32,2a07:c481:1:37::6/128
+PublicKey = 6jAEB+f9przBGxPhuvv9U9gvZDEBQNqpQSD0BoGqXQQ=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_June_psk
+
+[WireGuardPeer]
+# friendly_name = Max
+AllowedIPs = 10.89.214.7/32,2a07:c481:1:37::7/128
+PublicKey = oC1hJjtlAgLX/CmbwTC+LPmd1uwluQTwsN8RaMNmHn0=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_Max_psk
+
+[WireGuardPeer]
+# friendly_name = dario
+AllowedIPs = 10.89.214.9/32,2a07:c481:1:37::9/128
+PublicKey = bYF2EGRGpEGjiKcasi/oaWoWeLsgqsF6FGaq3Z4ERww=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_dario_psk
+
+[WireGuardPeer]
+# friendly_name = June-mobile
+AllowedIPs = 10.89.214.11/32,2a07:c481:1:37::11/128
+PublicKey = 6edjXykegUgGjbkIG1aJyBlX1SgTKcqXXaSBVPHdKDc=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_June-mobile_psk
+
+[WireGuardPeer]
+# friendly_name = djerun_at_ferrum.local
+AllowedIPs = 10.89.214.12/32,2a07:c481:1:37::12/128
+PublicKey = aHbdkTHhPkd+o7wWfTua9nd72aF4OVp66zGtpaoD8Fg=
+
+[WireGuardPeer]
+# friendly_name = c6ristian
+AllowedIPs = 10.89.214.13/32,2a07:c481:1:37::13/128
+PublicKey = 6ndwj3Ur6AqfUPWuyPYXIaGZs2ujJKawSQ9LEvlYzEc=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_c6ristian_psk
+
+[WireGuardPeer]
+# friendly_name = langoor
+AllowedIPs = 10.89.214.14/32,2a07:c481:1:37::14/128
+PublicKey = qTnVQlQa1m4SucFFNli/xM6QWfsdWx2baRAit7Cg8RM=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_psk
+
+[WireGuardPeer]
+# friendly_name = langoor_home
+AllowedIPs = 10.89.214.15/32,2a07:c481:1:37::15/128
+PublicKey = NeMDs2+5rHuKO5ZYXVUR76GorgdesFUnDOFECQ3RzG4=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_home_psk
+
+[WireGuardPeer]
+# friendly_name = lilly-lillysLaptop
+AllowedIPs = 10.89.214.16/32,2a07:c481:1:37::16/128
+PublicKey = IBsI+N8qUNpQnDc5HnqQ2Zo/1graFM0RMIecHmAF+Vk=
+
+[WireGuardPeer]
+# friendly_name = bitwhisker
+AllowedIPs = 10.89.214.17/32,2a07:c481:1:37::a/128
+PublicKey = DvEGvQPGi+IxeRTIA72Gx3WNINcrV9HRNB1v7mHnhjA=
+
+[WireGuardPeer]
+# friendly_name = forestcat
+AllowedIPs = 10.89.214.18/32,2a07:c481:1:37::b/128
+PublicKey = PdJ7KlIeASizj0WTY87d7oSi14/MebrhRa+L8YiPoQE=
+

resources/z9/z9-router/systemd_networkd/20-netlan.network

@@ -0,0 +1,12 @@
+[Match]
+Name=netlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+VLAN=netwan.51
+VLAN=netwan.52
+VLAN=netwan.53
+VLAN=netwan.54
+

resources/z9/z9-router/systemd_networkd/20-netwan.network

@@ -0,0 +1,9 @@
+[Match]
+Name=netwan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+VLAN=netwan.400
+

resources/z9/z9-router/systemd_networkd/20-wg55.network

@@ -0,0 +1,6 @@
+[Match]
+Name=wg55
+
+[Network]
+Address=10.89.214.1/24
+Address=2a07:c481:1:37::1/64

resources/z9/z9-router/systemd_networkd/21-netlan.51-clients.network

@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.51
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=clients
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=10.89.208.1/22
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:33::/64
+Assign=true
+Token=static:::1
+

resources/z9/z9-router/systemd_networkd/21-netlan.52-iot.network

@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.52
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=IoT
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=10.89.212.1/24
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:34::/64
+Assign=true
+Token=static:::1
+

resources/z9/z9-router/systemd_networkd/21-netlan.53-public.network

@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.53
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=public
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=185.161.130.65/28
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:35::/64
+Assign=true
+Token=static:::1
+

resources/z9/z9-router/systemd_networkd/21-netlan.54-management.network

@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.54
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=Management
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=10.89.213.0/24
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:36::/64
+Assign=true
+Token=static:::1
+

resources/z9/z9-router/systemd_networkd/21-netwan.400-fux_uplink.network

@@ -0,0 +1,26 @@
+[Match]
+Name=netwan.400
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=fux-uplink
+
+DNS=185.161.128.66
+DNS=2a07:c481:0:4::2
+DNS=185.161.128.67
+DNS=2a07:c481:0:4::3
+
+IPv6AcceptRA=no
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=no
+
+[Address]
+Address=185.161.129.134/25
+Address=2a07:c481::1:2/64
+
+[Route]
+Gateway=185.161.129.129
+Gateway=2a07:c481::1

resources/z9/z9-router/systemd_networkd_global_config.conf

@@ -0,0 +1,3 @@
+[Network]
+IPv4Forwarding=true
+IPv6Forwarding=true

roles/kea_dhcp/README.md

@@ -0,0 +1,102 @@
+# Role `kea_dhcp`
+
+Install and manage Kea DHCP and [Stork Agent](https://stork.readthedocs.io/en/latest/man/stork-agent.8.html).
+
+## Supported Distributions
+
+Should work on Debian-based distributions.
+
+## Required Arguments
+
+None.
+
+## Optional Arguments
+
+- `kea_dhcp__stork_agent.enable`: Enable Kea DHCP stork agent.
+  Defaults to `false`.
+- `kea_dhcp__stork_agent.prometheus_only`: Only enable the prometheus endpoint in stork agent.
+  Defaults to `true`.
+- `kea_dhcp__dns_servers.v4`: List of IPv4 DNS Servers in DHCP response.
+  Defaults to FUX DNS Servers.
+- `kea_dhcp__dns_servers.v6`: List of IPv6 DNS Servers in DHCP response.
+  Defaults to FUX DNS Servers.
+- `kea_dhcp__include_vars`: Path to YAML File to separately load VARs for Kea config templating.
+- `kea_dhcp__dhcp4.enable`: Enable Kea DHCP4 Service.
+  Defaults to `false`.
+- `kea_dhcp__dhcp4.interfaces`: List of interfaces the DHCP4 Server should listen to and serve.
+  Defaults to the empty list (`[ ]`).
+- `kea_dhcp__dhcp4.control-sockets`: List of Kea DHCP4 control sockets.
+  Defaults to the list with one entry (see below).
+- `kea_dhcp__dhcp4.control-sockets.*.socket-name`: Control socket name.
+  Defaults to `kea_dhcp__dhcp4.control-sockets.0.socket-name: /var/run/kea-dhcp4-ctrl-agent.sock`.
+- `kea_dhcp__dhcp4.control-sockets.*.socket-type`: Control socket type.
+  Defaults to `kea_dhcp__dhcp4.control-sockets.0.socket-type: unix`.
+- `kea_dhcp__dhcp4.lease-database.type`: Type of lease database.
+  Defaults to `memfile`.
+- `kea_dhcp__dhcp4.lease-database.persist`: Persist the lease database.
+  Defaults to `true`.
+- `kea_dhcp__dhcp4.option-data`: List of DHCP4 Options.
+  Defaults to a list with one entry (see below).
+- `kea_dhcp__dhcp4.option-data.*.name`: Name of DHCP4 Option.
+  Defaults to `kea_dhcp__dhcp4.option-data.0.name: "domain-name-servers"`.
+- `kea_dhcp__dhcp4.option-data.*.code`: DHCP4 Option code.
+  Defaults to `kea_dhcp__dhcp4.option-data.0.code: 6`.
+- `kea_dhcp__dhcp4.option-data.*.csv-format`: DHCP4 Option as csv format.
+  Defaults to `kea_dhcp__dhcp4.option-data.0.csv-format: true`.
+- `kea_dhcp__dhcp4.option-data.*.data`: DHCP4 Option data.
+  Defaults to `kea_dhcp__dhcp4.option-data.0.data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}"`.
+- `kea_dhcp__dhcp4.subnets`: List of subnets the DHCP4 server should manage.
+  Defaults to the empty list (`[ ]`).
+- `kea_dhcp__dhcp4.subnets.*.id`: ID of interface (starts with 1).
+- `kea_dhcp__dhcp4.subnets.*.subnet`: Subnet on interface.
+- `kea_dhcp__dhcp4.subnets.*.pools`: List of DHCP pools in subnet.
+- `kea_dhcp__dhcp4.subnets.*.pools.*.pool`: DHCP pool in range format.
+- `kea_dhcp__dhcp4.subnets.*.reservations`: List of DHCP lease reservations.
+- `kea_dhcp__dhcp4.subnets.*.reservations.*.ip-address`: IP address of reservation.
+- `kea_dhcp__dhcp4.subnets.*.reservations.*.hostname`: Hostname of reservation.
+- `kea_dhcp__dhcp4.subnets.*.reservations.*.hw-address`: Hardware address of reservation.
+- `kea_dhcp__dhcp4.subnets.*.option-data`: List of DHCP lease reservations.
+- `kea_dhcp__dhcp4.subnets.*.option-data.*.name`: Name of DHCP4 Option.
+- `kea_dhcp__dhcp4.subnets.*.option-data.*.code`: DHCP4 Option code.
+- `kea_dhcp__dhcp4.subnets.*.option-data.*.csv-format`: DHCP4 Option as csv format.
+- `kea_dhcp__dhcp4.subnets.*.option-data.*.data`: DHCP4 Option data.
+- `kea_dhcp__dhcp6.enable`: Enable Kea DHCP6 Service.
+  Defaults to `false`.
+- `kea_dhcp__dhcp6.interfaces`: List of interfaces the DHCP6 Server should listen to and serve.
+  Defaults to the empty list (`[ ]`).
+- `kea_dhcp__dhcp6.control-sockets`: List of Kea DHCP6 control sockets.
+  Defaults to the list with one entry (see below).
+- `kea_dhcp__dhcp6.control-sockets.*.socket-name`: Control socket name.
+  Defaults to `kea_dhcp__dhcp6.control-sockets.0.socket-name: /var/run/kea-dhcp6-ctrl-agent.sock`.
+- `kea_dhcp__dhcp6.control-sockets.*.socket-type`: Control socket type.
+  Defaults to `kea_dhcp__dhcp6.control-sockets.0.socket-type: unix`.
+- `kea_dhcp__dhcp6.lease-database.type`: Type of lease database.
+  Defaults to `memfile`.
+- `kea_dhcp__dhcp6.lease-database.persist`: Persist the lease database.
+  Defaults to `true`.
+- `kea_dhcp__dhcp6.option-data`: List of DHCP6 Options.
+  Defaults to a list with one entry (see below).
+- `kea_dhcp__dhcp6.option-data.*.name`: Name of DHCP6 Option.
+  Defaults to `kea_dhcp__dhcp6.option-data.0.name: "domain-name-servers"`.
+- `kea_dhcp__dhcp6.option-data.*.code`: DHCP6 Option code.
+  Defaults to `kea_dhcp__dhcp6.option-data.0.code: 6`.
+- `kea_dhcp__dhcp6.option-data.*.csv-format`: DHCP6 Option as csv format.
+  Defaults to `kea_dhcp__dhcp6.option-data.0.csv-format: true`.
+- `kea_dhcp__dhcp6.option-data.*.data`: DHCP6 Option data.
+  Defaults to `kea_dhcp__dhcp6.option-data.0.data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}"`.
+- `kea_dhcp__dhcp6.subnets`: List of subnets the DHCP6 server should manage.
+  Defaults to the empty list (`[ ]`).
+- `kea_dhcp__dhcp6.subnets.*.id`: ID of interface (starts with 1).
+- `kea_dhcp__dhcp6.subnets.*.subnet`: Subnet on interface.
+- `kea_dhcp__dhcp6.subnets.*.pools`: List of DHCP pools in subnet.
+- `kea_dhcp__dhcp6.subnets.*.pools.*.pool`: DHCP pool in range format.
+- `kea_dhcp__dhcp6.subnets.*.reservations`: List of DHCP lease reservations.
+- `kea_dhcp__dhcp6.subnets.*.reservations.*.ip-address`: IP address of reservation.
+- `kea_dhcp__dhcp6.subnets.*.reservations.*.hostname`: Hostname of reservation.
+- `kea_dhcp__dhcp6.subnets.*.reservations.*.hw-address`: Hardware address of reservation.
+- `kea_dhcp__dhcp6.subnets.*.option-data`: List of DHCP lease reservations.
+- `kea_dhcp__dhcp6.subnets.*.option-data.*.name`: Name of DHCP6 Option.
+- `kea_dhcp__dhcp6.subnets.*.option-data.*.code`: DHCP6 Option code.
+- `kea_dhcp__dhcp6.subnets.*.option-data.*.csv-format`: DHCP6 Option as csv format.
+- `kea_dhcp__dhcp6.subnets.*.option-data.*.data`: DHCP6 Option data.
+

roles/kea_dhcp/defaults/main.yaml

@@ -0,0 +1,68 @@
+kea_dhcp__stork_agent:
+  enable: false
+  prometheus_only: true
+kea_dhcp__dns_servers:
+  v6:
+    - "2a07:c481:0:4::2"
+    - "2a07:c481:0:4::3"
+  v4:
+    - "185.161.128.66"
+    - "185.161.128.67"
+kea_dhcp__include_vars:
+
+kea_dhcp__dhcp4:
+  enable: false
+  interfaces: [ ]
+  control-sockets:
+    - socket-name: /var/run/kea-dhcp4-ctrl-agent.sock
+      socket-type: unix
+  lease-database:
+    type: memfile
+    persist: true
+  option-data:
+    - name: "domain-name-servers"
+      code: 6
+      csv-format: true
+      data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}"
+  subnets:
+    - id: 0
+      subnet: nil
+      pools:
+        - pool: nil
+      reservations:
+        - ip-address: nil
+          hostname: beispiel.test
+          hw-address: "00:11:22:33:44:55"
+      option-data:
+        - name: nil,
+          code: nil,
+          csv-format: true
+          data: nil
+kea_dhcp__dhcp6:
+  enable: false
+  interfaces: [ ]
+  lease-database:
+    type: memfile
+    persist: true
+  control-sockets:
+    - socket-name: /var/run/kea-dhcp6-ctrl-agent.sock
+      socket-type: unix
+  option-data:
+    - name: "dns-servers"
+      code: 23
+      csv-format: true
+      data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}"
+  subnets:
+    - id: 0
+      subnet: nil
+      pools:
+        - pool: nil
+      reservations:
+        - ip-address: nil
+          hostname: beispiel.test
+          hw-address: "00:11:22:33:44:55"
+      option-data:
+        - name: nil,
+          code: nil,
+          csv-format: true
+          data: nil

roles/kea_dhcp/handlers/main.yml

@@ -0,0 +1,30 @@
+---
+- name: Systemd.daemon_reload
+  become: true
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+
+- name: Kea_dhcp4.restarted
+  ansible.builtin.service:
+    name: kea-dhcp4
+    state: restarted
+    enabled: true
+
+- name: Kea_dhcp6.restarted
+  ansible.builtin.service:
+    name: kea-dhcp6
+    state: restarted
+    enabled: true
+
+- name: Kea_ctrl.restarted
+  ansible.builtin.systemd:
+    name: kea-ctrl-agent
+    state: restarted
+    enabled: true
+
+- name: Stork_agent.restarted
+  become: true
+  ansible.builtin.systemd:
+    name: isc-stork-agent
+    state: restarted
+    enabled: true

roles/kea_dhcp/meta/argument_specs.yaml

@@ -0,0 +1,125 @@
+---
+argument_specs:
+  main:
+    short_description: "Role for managing Kea DHCP server"
+    options:
+      kea_dhcp__stork_agent:
+        type: "dict"
+        description: "Configuration for Stork Agent"
+        options:
+          enable:
+            type: "bool"
+            default: false
+          prometheus_only:
+            type: "bool"
+            default: true
+      kea_dhcp__version_repo:
+        type: "str"
+        description: "Version of Kea DHCP repository to use"
+        default: "kea-3-0"
+      kea_dhcp__dns_servers:
+        type: "dict"
+        description: "Default DNS servers for DHCP clients"
+        options:
+          v6:
+            type: "list"
+            elements: "str"
+          v4:
+            type: "list"
+            elements: "str"
+      kea_dhcp__dhcp4:
+        type: "dict"
+        description: "Configuration for DHCPv4 service"
+        options:
+          enable:
+            type: "bool"
+            default: false
+          interfaces:
+            type: "list"
+            elements: "str"
+            default: [ ]
+          control-sockets:
+            type: "list"
+            elements: "dict"
+          lease-database:
+            type: "dict"
+          option-data:
+            type: "list"
+            elements: "dict"
+          subnets:
+            type: "list"
+            elements: "dict"
+            options:
+              id:
+                type: "int"
+              subnet:
+                type: "str"
+              pools:
+                type: "list"
+                elements: "dict"
+                options:
+                  pool:
+                    type: "str"
+              reservations:
+                type: "list"
+                elements: "dict"
+                options:
+                  ip-address:
+                    type: "str"
+                  hostname:
+                    type: "str"
+                  hw-address:
+                    type: "str"
+                  duid:
+                    type: "str"
+              option-data:
+                type: "list"
+                elements: "dict"
+      kea_dhcp__dhcp6:
+        type: "dict"
+        description: "Configuration for DHCPv6 service"
+        options:
+          enable:
+            type: "bool"
+            default: false
+          interfaces:
+            type: "list"
+            elements: "str"
+            default: [ ]
+          control-sockets:
+            type: "list"
+            elements: "dict"
+          lease-database:
+            type: "dict"
+          option-data:
+            type: "list"
+            elements: "dict"
+          subnets:
+            type: "list"
+            elements: "dict"
+            options:
+              id:
+                type: "int"
+              subnet:
+                type: "str"
+              pools:
+                type: "list"
+                elements: "dict"
+                options:
+                  pool:
+                    type: "str"
+              reservations:
+                type: "list"
+                elements: "dict"
+                options:
+                  ip-address:
+                    type: "str"
+                  hostname:
+                    type: "str"
+                  hw-address:
+                    type: "str"
+                  duid:
+                    type: "str"
+              option-data:
+                type: "list"
+                elements: "dict"

roles/kea_dhcp/tasks/install_debian.yml

@@ -0,0 +1,25 @@
+---
+- name: Install Kea packages
+  become: true
+  when: ansible_facts['distribution'] == "Debian"
+  block:
+    - name: Install Kea dhcp4
+      when: kea_dhcp__dhcp4.enable
+      ansible.builtin.apt:
+        name:
+          - isc-kea-dhcp4
+    - name: Install Kea dhcp6
+      when: kea_dhcp__dhcp6.enable
+      ansible.builtin.apt:
+        name:
+          - isc-kea-dhcp6
+    - name: Install Kea ctrl agent
+      when: kea_dhcp__stork_agent.enable
+      ansible.builtin.apt:
+        name:
+          - isc-kea-ctrl-agent
+    - name: Install Kea admin
+      when: kea_dhcp__stork_agent.enable
+      ansible.builtin.apt:
+        name:
+          - isc-kea-admin

roles/kea_dhcp/tasks/kea.yaml

@@ -0,0 +1,47 @@
+---
+- name: Include config vars
+  when: kea_dhcp__include_vars is not None
+  ansible.builtin.include_vars:
+    file: "{{ kea_dhcp__include_vars }}"
+
+- name: Deploy kea-dhcp4 configuration file
+  become: true
+  when: kea_dhcp__dhcp4.enable
+  ansible.builtin.template:
+    src: kea-dhcp4.conf.jinja
+    dest: /etc/kea/kea-dhcp4.conf
+    backup: true
+    owner: root
+    group: kea
+    mode: "u=rw,g=r,o="
+    validate: kea-dhcp4 -T %s
+  notify:
+    - Kea_dhcp4.restarted
+
+- name: Deploy kea-dhcp6 configuration file
+  become: true
+  when: kea_dhcp__dhcp6.enable
+  ansible.builtin.template:
+    src: kea-dhcp6.conf.jinja
+    dest: /etc/kea/kea-dhcp6.conf
+    backup: true
+    owner: root
+    group: kea
+    mode: "u=rw,g=r,o="
+    validate: kea-dhcp6 -T %s
+  notify:
+    - Kea_dhcp6.restarted
+
+- name: Copy kea-ctrl-agent configuration file
+  become: true
+  when: kea_dhcp__stork_agent.enable
+  ansible.builtin.template:
+    src: kea-ctrl-agent.conf.j2
+    dest: /etc/kea/kea-ctrl-agent.conf
+    owner: root
+    group: kea
+    mode: "u=rw,g=r,o="
+    validate: kea-ctrl-agent -t %s
+  notify:
+    - Kea_ctrl.restarted
+    - Stork_agent.restarted

roles/kea_dhcp/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+- name: Setup Kea DHCP
+  block:
+    - name: Install Kea on Debian
+      when: ansible_facts['distribution'] == "Debian"
+      ansible.builtin.import_tasks: install_debian.yml
+
+    - name: Configure Kea
+      ansible.builtin.include_tasks: kea.yaml
+
+- name: Run stork-agent tasks
+  when: kea_dhcp__stork_agent.enable
+  ansible.builtin.include_tasks: stork-agent.yaml

roles/kea_dhcp/tasks/stork-agent.yaml

@@ -0,0 +1,39 @@
+---
+- name: Install stork-agent
+  block:
+    - name: Install isc-stork-agent
+      when: ansible_facts['distribution'] == "Debian"
+      become: true
+      ansible.builtin.apt:
+        name: isc-stork-agent
+
+    - name: Add stork-agent user to _kea group on Debian
+      when: ansible_facts['distribution'] == "Debian"
+      become: true
+      ansible.builtin.user:
+        name: stork-agent
+        groups: [ "_kea" ]
+        append: true
+
+    - name: Config for stork-agent
+      ansible.builtin.template:
+        src: stork-agent.env.jinja
+        dest: /etc/stork/agent.env
+        owner: root
+        group: root
+        mode: "0660"
+      notify:
+        - Systemd_daemon_reload
+        - Stork_agent.restarted
+
+    - name: Flush handlers
+      ansible.builtin.meta: flush_handlers
+
+    - name: Ensure that stork kea exporter is working
+      ansible.builtin.uri:
+        url: "http://localhost:9547/metrics"
+        method: GET
+      register: kea_dhcp_stork_status_code
+      retries: 6
+      delay: 5
+      until: kea_dhcp_stork_status_code.status == 200

roles/kea_dhcp/templates/kea-ctrl-agent.conf.j2

@@ -0,0 +1,20 @@
+{
+"Control-agent": {
+	"http-host": "127.0.0.1",
+	"http-port": 8000,
+	"control-sockets": {
+		{% if kea_dhcp__dhcp4.enable | default(false) %}
+		"dhcp4": {
+			"socket-type": "{{ kea_dhcp__dhcp4['control-sockets'][0]['socket-type'] }}",
+			"socket-name": "{{ kea_dhcp__dhcp4['control-sockets'][0]['socket-name'] }}"
+		}{% if kea_dhcp__dhcp6.enable  %},{% endif %}
+		{% endif %}
+		{% if kea_dhcp__dhcp6.enable | default(false) %}
+		"dhcp6": {
+			"socket-type": "{{ kea_dhcp__dhcp6['control-sockets'][0]['socket-type'] }}",
+			"socket-name": "{{ kea_dhcp__dhcp6['control-sockets'][0]['socket-name'] }}"
+		},
+		{% endif %}
+	}
+}
+}

roles/kea_dhcp/templates/kea-dhcp4.conf.jinja

@@ -0,0 +1,27 @@
+{
+  "Dhcp4": {
+    "interfaces-config": {
+      "interfaces": {{ kea_dhcp__dhcp4.interfaces | to_nice_json }}
+    },
+    "control-sockets": {{ kea_dhcp__dhcp4['control-sockets'] | to_nice_json }},
+    "lease-database": {{ kea_dhcp__dhcp4['lease-database'] | to_nice_json }},
+    {% if kea_dhcp__dhcp4['option-data'] is defined and kea_dhcp__dhcp4['option-data'] %}
+    "option-data": {{ kea_dhcp__dhcp4['option-data'] | to_nice_json }},
+    {% endif %}
+    "subnet4": [
+      {% for subnet in kea_dhcp__dhcp4.subnets %}
+      {
+        "id": {{ subnet.id }},
+        "subnet": "{{ subnet.subnet }}",
+        "pools": {{ subnet.pools | to_nice_json }},
+        {% if subnet.reservations is defined and subnet.reservations %}
+        "reservations": {{ subnet.reservations | to_nice_json }},
+        {% endif %}
+        {% if subnet['option-data'] is defined and subnet['option-data'] %}
+        "option-data": {{ subnet['option-data'] | to_nice_json }}
+        {% endif %}
+      }{% if not loop.last %},{% endif %}
+      {% endfor %}
+    ]
+  }
+}

roles/kea_dhcp/templates/kea-dhcp6.conf.jinja

@@ -0,0 +1,27 @@
+{
+  "Dhcp6": {
+    "interfaces-config": {
+      "interfaces": {{ kea_dhcp__dhcp6.interfaces | to_nice_json }}
+    },
+		"control-sockets": {{ kea_dhcp__dhcp6['control-sockets'] | to_nice_json }},
+		"lease-database": {{ kea_dhcp__dhcp6['lease-database'] | to_nice_json }},
+    {% if kea_dhcp__dhcp6['option-data'] is defined and kea_dhcp__dhcp6['option-data'] %}
+    "option-data": {{ kea_dhcp__dhcp6['option-data'] | to_nice_json }},
+    {% endif %}
+    "subnet6": [
+      {% for subnet in kea_dhcp__dhcp6.subnets %}
+      {
+        "id": {{ subnet.id }},
+	      "subnet": "{{ subnet.subnet }}",
+        "pools": {{ subnet.pools | to_nice_json }},
+        {% if subnet.reservations is defined and subnet.reservations %}
+        "reservations": {{ subnet.reservations | to_nice_json }},
+	      {% endif %}
+        {% if subnet['option-data'] is defined and subnet['option-data'] %}
+        "option-data": {{ subnet['option-data'] | to_nice_json }}
+        {% endif %}
+      }{% if not loop.last %},{% endif %}
+      {% endfor %}
+    ]
+	}
+}

roles/kea_dhcp/templates/stork-agent.env.jinja

@@ -0,0 +1,20 @@
+### Stork Agent env file
+### (created and managed by ansible kea_dhcp role)
+
+
+{% if kea_dhcp__stork_agent.prometheus_only %}
+### listen for Prometheus requests only, but not for commands from the Stork server
+STORK_AGENT_LISTEN_PROMETHEUS_ONLY=true
+{% endif %}
+
+### settings for exporting stats to Prometheus
+### the IP or hostname on which the agent exports Kea statistics to Prometheus
+STORK_AGENT_PROMETHEUS_KEA_EXPORTER_ADDRESS=localhost
+### the port on which the agent exports Kea statistics to Prometheus
+# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PORT=
+
+### Logging parameters
+
+### Set logging level. Supported values are: DEBUG, INFO, WARN, ERROR
+STORK_LOG_LEVEL=DEBUG
+

roles/unbound/README.md

@@ -0,0 +1,20 @@
+# Unbound DNS resolver
+
+Role fora a validating, recursive, caching DNS resolver based on [Unbound](https://nlnetlabs.nl/projects/unbound/about/). 
+It is designed to be fast and lean and incorporates modern features based on open standards.
+
+- [Documentation](https://unbound.docs.nlnetlabs.nl/en/latest/)
+
+## Role Customization
+
+The following variables can be used to customize this role:
+
+| Variable                                 | Type            | Default         | Description                                                                                                                                                                               |
+|------------------------------------------|-----------------|-----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| unbound_install_prometheus_exporter | Boolean         | `true`          | Whether [Unbound Exporter](https://github.com/letsencrypt/unbound_exporter) should also be installed to expose resolver statistics in prometheus format.                                  |
+| unbound_bind_interfaces             | List of Strings | `[0.0.0.0, ::]` | List of interface names or IP addresses on which unbound will listen for dns queries                                                                                                      |
+| unbound_enable_unbound_control      | Boolean         | `true`          | Whether the [remote control](https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/configuration.html#set-up-remote-control) feature of unbound should be configured.               |
+| unbound_enable_dnssec               | Boolean         | `true`          | Whether dnssec validation should be enabled                                                                                                                                               |
+| unbound_access_control              | List of Strings | `[]`            | **Required** List of [unbound access control values](https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#:~:text=access-control:%20%3CIP%20netblock%3E%20%3Caction%3E) |
+| unbound_disable_systemd_networkd    | Boolean         | `true`          | If true, systemd-networkd is disabled and the local system is pointed towards the configured dns resolver.                                                                                |
+| unbound_thread_count                | Integer         | Max vCPU Count | The number of threads unbound uses |

roles/unbound/defaults/main.yml

@@ -0,0 +1,7 @@
+unbound_install_prometheus_exporter: true
+unbound_bind_interfaces: [ "0.0.0.0", "::" ]
+unbound_disable_systemd_networkd: true
+unbound_enable_unbound_control: true
+unbound_enable_dnssec: true
+unbound_access_control: [ ]
+unbound_private_domain: [ ]

roles/unbound/files/no-resolved.resolv.conf

@@ -0,0 +1 @@
+nameserver 127.0.0.1

roles/unbound/handlers/main.yml

@@ -0,0 +1,18 @@
+- name: unbound.restarted
+  become: true
+  ansible.builtin.systemd:
+    name: unbound.service
+    state: restarted
+
+- name: unbound.reloaded
+  become: true
+  ansible.builtin.systemd:
+    name: unbound.service
+    state: reloaded
+
+- name: prometheus-unbound-exporter.restarted
+  become: true
+  ansible.builtin.systemd:
+    name: prometheus-unbound-exporter.service
+    state: restarted
+    enabled: true

roles/unbound/tasks/main.yml

@@ -0,0 +1,47 @@
+- name: unbound role main
+  block:
+
+    - name: install unbound dns resolver
+      become: true
+      ansible.builtin.package:
+        name: unbound
+
+    - name: ensure correct directory permissions
+      become: true
+      ansible.builtin.file:
+        path: /etc/unbound
+        state: directory
      - dnsutils
      - dnsutils
+        mode: u=rwX,g=rX,o=rX
+        recurse: true
+        owner: unbound
+        group: unbound
+
+    - name: configure unbound dns resolver
+      become: true
+      notify: unbound.restarted
+      ansible.builtin.template:
+        src: unbound.conf.j2
+        dest: /etc/unbound/unbound.conf
+        owner: unbound
+        group: unbound
+        mode: u=rw,g=r,o=r
+
+    - name: ensure unbound is running and enabled
+      become: true
+      ansible.builtin.systemd:
+        name: unbound.service
+        state: started
+        enabled: true
+
+    - name: disable systemd-resolved
+      when: unbound_disable_systemd_networkd
+      ansible.builtin.include_role:
+        name: deploy_systemd_resolved_config
+      vars:
+        deploy_systemd_resolved_config__enable: false
+        deploy_systemd_resolved_config__dns:
+          - 127.0.0.1
+
+    - name: install and configure prometheus-exporter for unbound
+      ansible.builtin.import_tasks: prometheus-exporter.yml
+      when: unbound_install_prometheus_exporter

roles/unbound/tasks/prometheus-exporter.yml

@@ -0,0 +1,23 @@
+---
+- name: install unbound prometheus exporter # FIXME: there is no prometheus-unbound-exporter in debian .deb exists in https://github.com/letsencrypt/unbound_exporter/releases/tag/v0.6.0
+  become: true
+  ansible.builtin.package:
+    name: prometheus-unbound-exporter
+
+- name: enable unbound prometheus exporter
+  become: true
+  ansible.builtin.systemd:
+    name: prometheus-unbound-exporter.service
+    enabled: true
+    daemon_reload: true
+
+- name: configure unbound exporter
+  become: true
+  ansible.builtin.copy:
+    dest: /etc/conf.d/prometheus-unbound-exporter
+    content: |
+      UNBOUND_EXPORTER_ARGS="-unbound.ca "" -unbound.cert "" -unbound.host "unix:///run/unbound-control.sock"
+    owner: root
+    group: root
+    mode: '0660'
+  notify: prometheus-unbound-exporter.restarted

roles/unbound/templates/unbound.conf.j2

@@ -0,0 +1,68 @@
+# ref: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
+#      unbound.conf(5) man page
+server:
+  {% if unbound_enable_dnssec -%}
+  # location of the trust anchor file that enables DNSSEC
+  # this file is generated by the `unbound-anchor` command
+  auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
+  {% endif -%}
+
+	# num of threads
+	num-threads: {{ unbound_thread_count | default(ansible_facts['processor_vcpus']) }}
+
+	# more cache memory
+  rrset-cache-size: 60m
+  msg-cache-size: 30m
+
+	# prefetch to keep the cache up to date
+	prefetch: yes
+
+	# fetch the DNSKEYs earlier in the validation process, when a DS record is encountered
+	prefetch-key: yes
+
+	# Faster UDP with multithreading (only on Linux).
+  so-reuseport: yes
+
+	# disable special large send buffer handling and just use kernel defaults
+  so-sndbuf: 0
+
+  # send minimal amount of information to upstream servers to enhance privacy
+  qname-minimisation: yes
+
+  # specify the interface to answer queries from by ip-address.
+  {% for i in unbound_bind_interfaces -%}
+  interface: "{{ i }}"
+  {% endfor %}
+
+  # addresses from the IP range that are allowed to connect to the resolver
+  {% for i in unbound_access_control -%}
+  access-control: {{ i }}
+  {% endfor -%}
+
+  {% for i in unbound_private_domain -%}
+  private-domain: {{ i }}
+  {% endfor -%}
+
+  # The number of seconds between printing statistics to the log for every thread.
+  statistics-interval: 0
+
+  # Extended statistics are printed, Keeping track of more statistics takes time.
+  extended-statistics: yes
+
+remote-control:
+  control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }}
+  control-interface: /run/unbound-control.sock
+
+
+# configure some zones for which this resolver will act authoritatively
+# https://www.dns.icann.org/services/axfr/
+{% for i in [ ".", "in-addr.arpa.", "arpa.", "root-servers.net.", "ip6.arpa.", "ip6-servers.arpa.", "mcast.net." ] %}
+auth-zone:
+  name: "{{ i }}"
+  primary: "lax.xfr.dns.icann.org"
+  primary: "iad.xfr.dns.icann.org"
+  fallback-enabled: yes
+  for-downstream: no
+  for-upstream: yes
+
+{% endfor %}