Commit graph

100 commits

Author SHA1 Message Date
3541c68357
disable dnssec for catalog zones on auth-dns
Catalog zones are not real zones in the DNS hierarchy and don't
have a parent zone. Therefore they will never have a valid DNSSEC
delegation so we should skip signing those zones.
2026-05-19 11:01:52 +02:00
73e77bde70
tag plays in playbooks (instead of tasks in roles) 2026-05-19 00:24:10 +02:00
6b19f69135
renovate(role): add cleanup service and timer for renovate volume
With time the volume seems to just keep growing with cache data, so
clean it up once a day.
2026-05-19 00:23:26 +02:00
83e6f76464
deploy_systemd_journal_config(role): Disable ForwardToSyslog
We don't want our journalctl logs mirrored to /var/log/syslog
2026-05-15 19:25:44 +02:00
637dc6b25a
consider ansible-pull jobs failed after 30 minutes 2026-05-13 16:53:57 +02:00
bc4df9a3f4
fix ansible-lint warnings of knot role 2026-05-07 23:45:48 +02:00
50beedbc62
configure metric scraping from knot on auth-dns 2026-05-06 15:51:38 +02:00
5283d2da95
improve knot roles reloading behavior
With this change, the nameserver is not restarted on configuration
updates but only reloaded instead.
2026-05-06 14:33:04 +02:00
3aa146d723
nftables(role): reload instead of restart
This should make the role more robust against misconfigurations.
2026-05-06 14:19:38 +02:00
fa021fb737
migrate dns zone ccchh.net. to new auth-dns server 2026-05-06 12:12:54 +02:00
416ca85b11
rename auth_dns -> knot role 2026-05-06 11:52:33 +02:00
8c1553c707
fix role name auth-dns -> auth_dns 2026-05-06 11:47:10 +02:00
6fa2d65db2
enable auth-dns role to actually configure useful zones 2026-05-06 11:47:10 +02:00
fa94d59df6
add barebones knot config
This configuration does not yet do much but it provisions a knot
server that runs.
2026-05-06 11:47:10 +02:00
d880eb8677
fix systemd-resolved not being installed
closes CCCHH/ansible-infra#88
2026-05-03 16:50:45 +02:00
c304a1c82a
add README.md to deploy_systemd_resolved_config role 2026-05-02 01:01:23 +02:00
58ced1a85e
add capability to disable systemd-resolved to base_config role 2026-05-01 00:16:43 +02:00
0330c6b6ca
reduce ansible grafana log verbosity by using loop_control labels 2026-04-24 15:32:43 +02:00
8bf6dfbefb
certbot(role): support DNS-01 certs using acme-dns
Introduce new configuration structure called certbot__certs, which
allows for different challenge types per cert with the first challenge
type supported being dns-01-acme-dns.
2026-03-31 16:48:00 +02:00
2b5f261cd3
docker(role): move automatic cleanup of unused Docker data here
Move the automatic cleanup of unused Docker data to the docker role from
the docker_compose role, so that hosts, which only use Docker (like
renovate) also have an automatic cleanup set up.
Also use a systemd timer instead of cron.
2026-03-06 21:09:47 +01:00
fee18bd349
certbot(role): allow empty list of certificate domains
Also explicitly document that they are used with the HTTP-01 challenge.
This is in preparation for adding a new option with DNS-01 challenge
support.
2026-03-05 14:37:17 +01:00
3820a97584
certbot(role): move arguments documentation into README
Do this to match how it's done in newer roles.
2026-03-05 14:37:17 +01:00
711f2f1c64
certbot(role): don't use certbot__version_spec anymore as its not used 2026-03-01 20:08:49 +01:00
08101ccef1
Fix permission 2026-02-22 18:37:01 +01:00
d26fbf2577
Allow syncing an arbitrary set of files to the target 2026-02-22 18:21:47 +01:00
7b8dab07b6
distribution_check(role): remove role as it's not really needed
As the roles are used internally only anyway, we don't need to specify
compatibilities like this and don't properly use it anyway.
2026-02-09 17:49:49 +01:00
2e5b0ab940
nginx(role): to not log IPs, just disable the access log 2026-01-27 18:18:17 +01:00
c33ae36af3
Enable IPv6 by default 2026-01-25 22:40:36 +01:00
2cd0811b29
Fix warning 2026-01-25 22:40:36 +01:00
5693989c38
add alloy to the z9 hosts and some cleanup 2026-01-25 21:44:49 +01:00
c7d51af5b4
rollout Alloy to replace prometheus_node_exporter
With the new network we need to deploy a push based solution in order to get metrics into prometheus
2026-01-25 21:44:49 +01:00
995dbb06e2
wip: alloy 2026-01-25 21:44:49 +01:00
652aa32e21
docker_compose(role): document new build and pull arguments 2026-01-25 20:49:39 +01:00
d35f1cc779
GPG must be installed for the docker role to be able to add the repo 2026-01-25 15:31:42 +01:00
f887de25c5
make building and pulling configurable 2026-01-25 13:26:20 +01:00
664b9115b8
Fix warning 2026-01-25 13:01:52 +01:00
d514688574
systemd_networkd(role),router(host): support global config to fix forw.
With the router upgrade to Debian 13 the systemd version got upgraded as
well breaking the current configuration for IP forwarding.
Add a variable for global systemd-networkd configuration and use that to
enable IPv4 and IPv6 forwarding on the router.

The systemd_networkd role could be a bit nicer, not deploying/deleting
the global configuration, if the variable is empty and
reloading/restarting systemd-networkd at appropriate times. But as is
works for now.
2026-01-18 19:21:33 +01:00
951ec7ebcd
netbox(role): fix oidc integration by no longer using is_staff
is_staff got removed in 4.5.0.
See: https://github.com/netbox-community/netbox/releases/tag/v4.5.0
2026-01-13 02:25:06 +01:00
a92e144cfc
base_config(role): ensure base set of admin tools is installed
See:
https://git.hamburg.ccc.de/CCCHH/nix-infra/src/branch/main/config/common/admin-environment.nix
2026-01-13 00:41:06 +01:00
fbd3ea5496
base_config: disable cloud-init ssh module to avoid hostkey regeneration
It should run once on first boot anyway and since it apparently runs for
every change in the Proxmox cloud init config, disable it, so it
doesn't, since it's annoying to have "random" hostkey changes.
2026-01-07 18:09:48 +01:00
a328e92971
Should be compatible with trixie/13 2026-01-03 14:03:26 +01:00
25db54b8ad
Make sure pip is installed 2026-01-03 14:02:56 +01:00
5a476f2103
cloud(host): move to new network and hostname 2025-12-16 20:47:44 +01:00
d0618e3820
nftables(role): introduce role for deploying nftables 2025-12-13 22:07:37 +01:00
d6ba70523c
systemd_networkd(role): introd. role for deploy. systemd-networkd config 2025-12-13 22:07:35 +01:00
5f6000adca
ssh_config: also enable sntrup761x25519-sha512 for Debian 13
tldr: PQC algorithms are complex but sntrup still is not broken
2025-11-11 22:47:42 +01:00
63917722ff
fix foobazdmx role
poetry is available via apt now so we install it that way
2025-11-06 21:19:20 +01:00
aeec08fce8
remove distribution checks
Signed-Off-By: june
2025-11-06 21:16:42 +01:00
d690f81e3d
deploy_ssh_server_config: setup ssh pq cryptography 2025-11-05 23:08:28 +01:00
ae60d6fea6
docker_compose(role): use community.docker.docker_compose_v2 module
Use the community.docker.docker_compose_v2 module as it supports proper
changed handling out of the box, making the role's code more
straightforward and work. Also just do a docker compose restart instead
of having the custom docker compose reload script.

https://docs.ansible.com/ansible/latest/collections/community/docker/docker_compose_v2_module.html
2025-11-02 23:13:20 +01:00