authorChristian Pointner <equinox@spreadspace.org>2024-04-03 20:18:22 +0200
committerChristian Pointner <equinox@spreadspace.org>2024-04-03 20:18:22 +0200
commitb90a0f8dfdcfc045bdfef50ce0e91bbd056f3d47 (patch)
treee4a3b32502905113b1c1a499ee6a2a10e3af78c3 /_graveyard_
parentnginx/vhost: fix string concat issue incase nginx_vhost.name is not a string (diff)
cleanup old linuxtage stuff and add new glt-jitsi
Diffstat (limited to '_graveyard_')
-rw-r--r--_graveyard_/files/glt/stream-stats.go185
-rw-r--r--_graveyard_/inventory/group_vars/glt-live-misc/vars.yml15
-rw-r--r--_graveyard_/inventory/group_vars/glt-live-r3/vars.yml3
-rw-r--r--_graveyard_/inventory/group_vars/glt-live/network.yml78
-rw-r--r--_graveyard_/inventory/group_vars/glt-live/vars.yml13
-rw-r--r--_graveyard_/inventory/host_vars/glt-calypso.yml77
-rw-r--r--_graveyard_/inventory/host_vars/glt-coturn.yml56
-rw-r--r--_graveyard_/inventory/host_vars/glt-gw-r3.yml147
-rw-r--r--_graveyard_/inventory/host_vars/glt-gw-tug.yml177
-rw-r--r--_graveyard_/inventory/host_vars/glt-meet1.yml65
-rw-r--r--_graveyard_/inventory/host_vars/glt-meet2.yml65
-rw-r--r--_graveyard_/inventory/host_vars/glt-stream.yml8
-rw-r--r--_graveyard_/inventory/host_vars/glt-tsdatacop.yml70
-rw-r--r--_graveyard_/inventory/hosts.ini49
-rw-r--r--_graveyard_/spreadspace/glt-calypso.yml44
-rw-r--r--_graveyard_/spreadspace/glt-coturn.yml15
-rw-r--r--_graveyard_/spreadspace/glt-meet1.yml15
-rw-r--r--_graveyard_/spreadspace/glt-meet2.yml15
-rw-r--r--_graveyard_/spreadspace/glt-stream.yml148
-rw-r--r--_graveyard_/spreadspace/glt-tsdatacop.yml43
-rw-r--r--_graveyard_/spreadspace/group_vars/glt-live.yml20
-rw-r--r--_graveyard_/spreadspace/host_vars/glt-coturn.yml13
-rw-r--r--_graveyard_/spreadspace/host_vars/glt-meet1.yml18
-rw-r--r--_graveyard_/spreadspace/host_vars/glt-meet2.yml18
24 files changed, 1357 insertions, 0 deletions
diff --git a/_graveyard_/files/glt/stream-stats.go b/_graveyard_/files/glt/stream-stats.go
new file mode 100644
index 00000000..6920b513
--- /dev/null
+++ b/_graveyard_/files/glt/stream-stats.go
@@ -0,0 +1,185 @@
+package main
+
+import (
+ "crypto/sha256"
+ "encoding/json"
+ "fmt"
+ "io/ioutil"
+ "log"
+ "net/http"
+ "os"
+ "strconv"
+ "sync"
+ "time"
+)
+
+type LatestRequests map[string]bool
+
+var last5min LatestRequests
+var lMutex = &sync.Mutex{}
+
+const dateFormat = time.RFC3339
+
+func init() {
+ last5min = make(LatestRequests)
+}
+
+// find the next timestamp (i.e. time when minute is 4 mod 5 and second is 0)
+func nextTimestamp() time.Time {
+ now := time.Now()
+ if now.Minute()%5 == 4 && now.Second() == 0 {
+ return now.Add(5 * 60 * time.Second)
+ }
+
+ minDiff := 5
+ switch now.Minute() % 5 {
+ case 0:
+ minDiff = 4
+ case 1:
+ minDiff = 3
+ case 2:
+ minDiff = 2
+ case 3:
+ minDiff = 1
+ case 4:
+ minDiff = 5
+ }
+ return now.Add(-time.Duration(now.Second()) * time.Second).Add(time.Duration(minDiff) * 60 * time.Second)
+}
+
+// find the previous timestamp
+func previousTimestamp() time.Time {
+ now := time.Now()
+ if now.Minute()%5 == 4 && now.Second() == 0 {
+ return now.Add(-5 * 60 * time.Second)
+ }
+
+ minDiff := (now.Minute() % 5) + 1
+ return now.Add(-time.Duration(now.Second()) * time.Second).Add(-time.Duration(minDiff) * 60 * time.Second)
+}
+
+// writeToFile writes the 5min result to the file by appending data
+func writeToFile() {
+ filePath := os.Args[2]
+ timestamp := time.Now().Add(-5 * 60 * time.Second)
+ db := make(map[string]uint32)
+
+ // collect new count and erase data from 5-minutes data structure
+ lMutex.Lock()
+ latestCount := len(last5min)
+ last5min = make(LatestRequests)
+ lMutex.Unlock()
+
+ // read in existing data
+ content, err := ioutil.ReadFile(filePath)
+ if err == nil {
+ srcData := make(map[string]uint32)
+ err = json.Unmarshal(content, &srcData)
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "failed to unmarshal file '%s': %s\n", filePath, err.Error())
+ return
+ }
+
+ // copy data over to database
+ for k, v := range srcData {
+ db[k] = v
+ }
+ }
+
+ // update database with latest count
+ db[timestamp.Format(dateFormat)] = uint32(latestCount)
+
+ // write to file
+ dump, _ := json.MarshalIndent(db, "", " ")
+ err = ioutil.WriteFile(filePath, dump, 0644)
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "error while writing file '%s': %s\n", filePath, err.Error())
+ }
+}
+
+// handle a request to /
+func handle(w http.ResponseWriter, r *http.Request) {
+ w.Header().Add("Content-type", "text/plain; charset=utf-8")
+ _, err := w.Write([]byte("request counter\nby meisterluk\nroutes: {/req, /list}\n"))
+ if err != nil {
+ fmt.Fprintln(os.Stderr, err)
+ }
+}
+
+// handle a request to /req
+// increments the counter within 5min plus one unless this client was already registered
+func handleRequest(w http.ResponseWriter, r *http.Request) {
+ // generate a key which detects trivial double requests
+ var ident string
+ ident = r.Header.Get("User-Agent")
+ ident += r.Header.Get("X-Forwarded-For")
+ //ident += time.Now().Format(dateFormat) // add this line to register every request for debugging
+ h := sha256.New()
+ key := string(h.Sum([]byte(ident)))
+
+ // register this client for counting
+ lMutex.Lock()
+ last5min[key] = true
+ defer lMutex.Unlock()
+
+ w.Write([]byte("request registered\n"))
+}
+
+func handleList(w http.ResponseWriter, r *http.Request) {
+ w.Header().Add("Content-type", "text/plain; charset=utf-8")
+ srcFile := os.Args[2]
+ db := make(map[string]uint32)
+
+ // add entry for current data
+ db[previousTimestamp().Format(dateFormat)] = uint32(len(last5min))
+
+ // read file
+ for {
+ content, err := ioutil.ReadFile(srcFile)
+ if err != nil {
+ fmt.Fprintln(os.Stderr, err)
+ break
+ }
+ srcDB := make(map[string]uint32)
+ err = json.Unmarshal(content, &srcDB)
+ if err != nil {
+ fmt.Fprintln(os.Stderr, err)
+ break
+ }
+
+ // copy data into db
+ for k, v := range srcDB {
+ db[k] = v
+ }
+ break // for loop used only for control flow
+ }
+
+ // print data
+ for timestamp, count := range db {
+ w.Write([]byte(timestamp + "\t" + strconv.Itoa(int(count)) + "\n"))
+ }
+}
+
+func main() {
+ if len(os.Args) != 3 {
+ fmt.Fprintln(os.Stderr, "usage: ./req-counter <int:port> <str:data-filepath>")
+ os.Exit(1)
+ }
+
+ http.HandleFunc("/", handle)
+ http.HandleFunc("/req", handleRequest)
+ http.HandleFunc("/list", handleList)
+
+ go func() {
+ for {
+ now := time.Now()
+ time.Sleep(nextTimestamp().Sub(now))
+
+ writeToFile()
+ fmt.Fprintf(os.Stderr, "File '%s' written.\n", os.Args[2])
+ }
+ }()
+
+ fmt.Println("listening on " + os.Args[1])
+ log.Fatal(http.ListenAndServe(os.Args[1], nil))
+}
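Review bot: In `handleRequest`, `sha256.New()` followed by `h.Sum([]byte(ident))` does not hash `ident`: `Sum` appends the digest of what was written to `h` (nothing here) to its argument, so the map key is the raw User-Agent and X-Forwarded-For text plus a constant 32 bytes. The dedup map therefore holds header strings at full, client-chosen length until the next 5-minute reset, and unless the proxy overwrites X-Forwarded-For both inputs are client-controlled, so the count and the map size can be driven by whoever sends the requests. Use `sum := sha256.Sum256([]byte(ident))` and `key := string(sum[:])`, and consider capping the number of entries kept per interval. Separately, `handleList` reads `len(last5min)` without taking `lMutex`, which is a data race against `handleRequest` and `writeToFile`; wrap that read in `lMutex.Lock()` / `lMutex.Unlock()`.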
diff --git a/_graveyard_/inventory/group_vars/glt-live-misc/vars.yml b/_graveyard_/inventory/group_vars/glt-live-misc/vars.yml
new file mode 100644
index 00000000..4f1862b5
--- /dev/null
+++ b/_graveyard_/inventory/group_vars/glt-live-misc/vars.yml
@@ -0,0 +1,15 @@
+---
+install:
+ cloud:
+ credentials:
+ token: "{{ vault_hcloud_api_token }}"
+
+
+apt_repo_provider: hetzner
+
+ssh_keys_root_extra:
+ - ssh-rsa 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 emergency@glt
+ - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHB2GxQrL18sfbdgTvaimYR/F94UtZ3BMA8cNQyTzT8h martin@adelmann
+ - ssh-rsa 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 lukas@regular
+ - ssh-rsa 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 ansible@glt
+ - ssh-rsa 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 spel@lspe.organsible
diff --git a/_graveyard_/inventory/group_vars/glt-live-r3/vars.yml b/_graveyard_/inventory/group_vars/glt-live-r3/vars.yml
new file mode 100644
index 00000000..8c360f8d
--- /dev/null
+++ b/_graveyard_/inventory/group_vars/glt-live-r3/vars.yml
@@ -0,0 +1,3 @@
+---
+apt_repo_provider: anexia
+#apt_repo_provider: ffgraz
diff --git a/_graveyard_/inventory/group_vars/glt-live/network.yml b/_graveyard_/inventory/group_vars/glt-live/network.yml
new file mode 100644
index 00000000..e78ddd2d
--- /dev/null
+++ b/_graveyard_/inventory/group_vars/glt-live/network.yml
@@ -0,0 +1,78 @@
+---
+network_zones:
+ r3_lan:
+ description: "realraum LAN, Internetuplink via Magenta"
+ vlan: 127
+ prefix: 192.168.127.0/24
+ gateway: 192.168.127.254
+ dns:
+ - 192.168.127.254
+ dhcp:
+ start: 1
+ limit: 149
+ offsets:
+ # Saal 1
+ glt-s1mod: 150
+ glt-s1slide: 151
+ glt-s1speak1: 152
+ glt-s1speak2: 153
+ glt-s1info: 154
+ glt-dione: 155
+ glt-calypso: 156
+ glt-s1atemctl: 157
+ glt-s1atem: 158
+ glt-s1switch: 159
+ # Saal 2
+ glt-s2mod: 160
+ glt-s2slide: 161
+ glt-s2speak: 162
+ glt-s2info: 163
+ glt-helene: 165
+ glt-telesto: 166
+ glt-s2atemctl: 167
+ glt-s2atem: 168
+ glt-s2switch: 169
+ # Saal 3
+ glt-s3mod: 170
+ glt-s3slide: 171
+ glt-s3speak: 172
+ glt-s3info: 173
+ glt-tsdatacop: 175
+ glt-thetys: 176
+ glt-s3atemctl: 177
+ glt-s3atem: 178
+ glt-s3switch: 179
+ # misc
+ equinox-t450s: 190
+ spel: 191
+ glt-gw-r3: 199
+
+ r3_ff:
+ description: "realraum Funkfeuer Subnet, Internetuplink via Funkfeuer and mur.at"
+ vlan: 255
+ prefix: 10.12.240.240/28
+ gateway: 10.12.240.247
+ dns:
+ - 10.12.0.10
+ offsets:
+ glt-gw-r3: 8
+
+ murat_transfer:
+ description: "transfer network for upstream via mur.at"
+ prefix: 172.31.255.240/28
+ offsets:
+ ele-tub: 1
+ ff-10g: 2
+ ele-mur: 14
+
+ tug_lan:
+ description: "glt@tug LAN, Internetuplink via TUG and ACOnet"
+ prefix: 192.168.27.0/24
+ gateway: 192.168.27.254
+ dns:
+ - 192.168.27.254
+ dhcp:
+ start: 1
+ limit: 199
+ offsets:
+ glt-gw-tug: 254
diff --git a/_graveyard_/inventory/group_vars/glt-live/vars.yml b/_graveyard_/inventory/group_vars/glt-live/vars.yml
new file mode 100644
index 00000000..65287b3a
--- /dev/null
+++ b/_graveyard_/inventory/group_vars/glt-live/vars.yml
@@ -0,0 +1,13 @@
+---
+zsh_banner: linuxtage
+
+ssh_users_root:
+ - equinox
+ - spel
+
+acme_account_email: equinox@spreadspace.org
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
+
+apt_repo_blackmagic_auth:
+ username: "glt"
+ password: "{{ vault_apt_repo_blackmagic_auth.password }}"
diff --git a/_graveyard_/inventory/host_vars/glt-calypso.yml b/_graveyard_/inventory/host_vars/glt-calypso.yml
new file mode 100644
index 00000000..afa7766c
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/glt-calypso.yml
@@ -0,0 +1,77 @@
+---
+system_lvm_volume_size_root: 3G
+
+install:
+ efi: true
+ disks:
+ primary: /dev/disk/by-id/ata-OCZ-VERTEX2_OCZ-5328NA52AN84G246
+ kernel_cmdline:
+ - "consoleblank=0"
+ - "nomodeset"
+
+network:
+ nameservers: "{{ network_zones.r3_lan.dns }}"
+ domain: "{{ host_domain }}"
+ primary: &_network_primary_
+ name: eno1
+ address: "{{ network_zones.r3_lan.prefix | ansible.utils.ipaddr(network_zones.r3_lan.offsets[inventory_hostname]) }}"
+ gateway: "{{ network_zones.r3_lan.prefix | ansible.utils.ipaddr(network_zones.r3_lan.offsets['glt-gw-r3']) | ansible.utils.ipaddr('address') }}"
+ interfaces:
+ - *_network_primary_
+
+
+apt_repo_components:
+ - main
+ - contrib ## for zfs
+ - non-free-firmware ## for microcode updates
+
+spreadspace_apt_repo_components:
+ - container
+
+zfs_arc_size:
+ min: 1GB
+ max: 2GB
+
+zfs_pools:
+ storage:
+ mountpoint: /srv/storage
+ create_vdevs: mirror /dev/disk/by-id/ata-SAMSUNG_HD103UJ_S1PVJDWQ720805 /dev/disk/by-id/ata-SAMSUNG_HD103UJ_S1PVJDWQ720811
+
+
+blackmagic_desktopvideo_version: 12.5a15
+blackmagic_desktopvideo_include_gui: yes
+
+
+docker_pkg_provider: docker-com
+docker_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: docker
+ size: 15G
+ fs: ext4
+
+kubelet_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: kubelet
+ size: 10G
+ fs: ext4
+
+kubernetes_version: 1.29.2
+kubernetes_container_runtime: docker
+kubernetes_standalone_max_pods: 42
+kubernetes_standalone_cni_variant: with-portmap
+
+
+recorder_storage:
+ type: zfs
+ pool: storage
+ name: recorder
+recorder_base_path: /srv/storage/recorder
+recorder_inst_name: feed-glt21s1
+recorder_ffmpeg_image_version: bookworm-decklink12.5-2024-02-18.33
+recorder_input: ['-f', 'decklink', '-video_input', 'sdi', '-format_code', 'Hp25', '-channels', '2', '-i', 'DeckLink SDI (1)']
+recorder_video_filter_common: "colorspace=iall=bt709:irange=tv:all=bt709:range=tv"
+
+recorder_segment_time: 3600
+recorder_segment_clocktime_offset: 3300
diff --git a/_graveyard_/inventory/host_vars/glt-coturn.yml b/_graveyard_/inventory/host_vars/glt-coturn.yml
new file mode 100644
index 00000000..6dc0f5c4
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/glt-coturn.yml
@@ -0,0 +1,56 @@
+---
+docker_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: docker
+ size: 5G
+ fs: ext4
+
+kubelet_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: kubelet
+ size: 5G
+ fs: ext4
+
+
+spreadspace_apt_repo_components:
+ - container
+
+acme_client: acmetool
+
+
+kubernetes_version: 1.29.2
+kubernetes_container_runtime: docker
+kubernetes_standalone_max_pods: 100
+kubernetes_standalone_pod_cidr: 192.168.255.0/24
+kubernetes_standalone_cni_variant: with-portmap
+
+
+coturn_version: 4.6.2-r4
+coturn_realm: linuxtage.at
+coturn_hostnames:
+ - cdn13.linuxtage.at
+
+coturn_auth_secret: "{{ vault_coturn_auth_secret }}"
+coturn_listening_port: 3478
+coturn_tls_listening_port: 443
+coturn_install_nginx_vhost: no
+coturn_tls:
+ certificate_provider: "{{ acme_client }}"
+
+
+mumble_version: v1.4.287-4
+mumble_instance: linuxtage.at
+mumble_hostnames:
+ - mumble.linuxtage.at
+mumble_tls:
+ certificate_provider: "{{ acme_client }}"
+
+mumble_superuser_password: "{{ vault_mumble_superuser_password }}"
+
+mumble_config_options:
+ bonjour: false
+ sslCiphers: "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES256:DHE+AES256:ECDHE+AES128:DHE+AES128:!RSA:!ADH:!AECDH:!MD5"
+ welcometext: "Willkommen im Mumble der Grazer Linuxtage <br>Intercom für Helfer und Orga während der GLT21"
+ rememberchannel: true
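Review bot: The `sslCiphers` value under `mumble_config_options` still admits CBC-mode suites through the `ECDHE+AES256`, `DHE+AES256`, `ECDHE+AES128` and `DHE+AES128` entries, since those selectors are not limited to GCM. If every Mumble client in use negotiates AEAD suites, the list could be narrowed to something like `ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5`. Whether older clients need the wider set cannot be seen from this file, so a comment such as `# CBC suites kept for legacy clients` would at least record the decision.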
diff --git a/_graveyard_/inventory/host_vars/glt-gw-r3.yml b/_graveyard_/inventory/host_vars/glt-gw-r3.yml
new file mode 100644
index 00000000..d5d8538e
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/glt-gw-r3.yml
@@ -0,0 +1,147 @@
+---
+openwrt_arch: x86
+openwrt_target: geode
+openwrt_profile: generic
+openwrt_output_image_suffixes:
+ - "{{ openwrt_profile }}-ext4-combined.img.gz"
+
+openwrt_packages_remove:
+ - ppp
+ - ppp-mod-pppoe
+ - firewall
+ - dnsmasq
+ - odhcpd-ipv6only
+openwrt_packages_add:
+ - kmod-ipt-nat
+ - kmod-ipt-conntrack
+ - haveged
+ - htop
+ - ip
+ - less
+ - nano
+ - tcpdump-mini
+ - iperf
+ - iperf3
+ - mtr
+ - iptraf-ng
+
+
+openwrt_mixin:
+ /etc/dropbear/authorized_keys:
+ content: "{{ ssh_keys_root | join('\n') }}\n"
+
+ /etc/htoprc:
+ file: "{{ global_files_dir }}/common/htoprc"
+
+ /etc/rc.d/S22network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/rc.d/K92network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/init.d/network-fw:
+ mode: "0755"
+ content: |
+ #!/bin/sh /etc/rc.common
+
+ START=22
+ STOP=91
+
+ start() {
+ WAN_IF=$(uci get network.wan.device)
+ LAN_IF=$(uci get network.lan.device)
+ LAN_IP=$(uci get network.lan.ipaddr)
+ LAN_MASK=$(uci get network.lan.netmask)
+
+ iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+
+ ### external incoming
+ iptables -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ ### internal
+ iptables -A INPUT -i "$LAN_IF" -p udp --dport 67 --sport 68 -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p udp --dport 53 -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p tcp --dport 53 -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+
+ iptables -A INPUT -i "$LAN_IF" -p icmp -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p tcp --dport {{ ansible_port }} -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_IP/$LAN_MASK" -j MASQUERADE
+
+ ### default policies
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ }
+
+ stop() {
+ iptables -P INPUT ACCEPT
+ iptables -F INPUT
+ iptables -P FORWARD ACCEPT
+ iptables -F FORWARD
+ iptables -t nat -F POSTROUTING
+ }
+
+openwrt_uci:
+ system:
+ - name: system
+ options:
+ hostname: '{{ host_name }}'
+ timezone: 'CET-1CEST,M3.5.0,M10.5.0/3'
+ ttylogin: '0'
+ log_size: '64'
+ urandom_seed: '0'
+
+ - name: timeserver 'ntp'
+ options:
+ enabled: '1'
+ enable_server: '0'
+ server:
+ - '0.lede.pool.ntp.org'
+ - '1.lede.pool.ntp.org'
+ - '2.lede.pool.ntp.org'
+ - '3.lede.pool.ntp.org'
+
+ dropbear:
+ - name: dropbear
+ options:
+ PasswordAuth: 'off'
+ RootPasswordAuth: 'off'
+ Port: '{{ ansible_port }}'
+
+ network:
+ - name: globals 'globals'
+ options:
+ ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48"
+
+ - name: interface 'loopback'
+ options:
+ device: lo
+ proto: static
+ ipaddr: 127.0.0.1
+ netmask: 255.0.0.0
+
+ - name: interface 'wan'
+ options:
+ device: eth0
+ proto: static
+ ipaddr: "{{ network_zones.r3_ff.prefix | ansible.utils.ipaddr(network_zones.r3_ff.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ network_zones.r3_ff.prefix | ansible.utils.ipaddr('netmask') }}"
+ gateway: "{{ network_zones.r3_ff.gateway }}"
+ dns: "{{ network_zones.r3_ff.dns }}"
+
+ - name: interface 'lan'
+ options:
+ device: eth1
+ proto: static
+ ipaddr: "{{ network_zones.r3_lan.prefix | ansible.utils.ipaddr(network_zones.r3_lan.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ network_zones.r3_lan.prefix | ansible.utils.ipaddr('netmask') }}"
+
+ - name: interface 'unused'
+ options:
+ device: eth2
+ proto: none
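Review bot: The `network-fw` init script in `openwrt_mixin` filters IPv4 only: every rule and both `-P ... DROP` policies use `iptables`, there is no `ip6tables` counterpart, the `firewall` package is removed, and a `ula_prefix` is configured under `network`. If IPv6 is active on the WAN interface (link-local presumably is, unless it is disabled somewhere outside this diff), dropbear and any other listener are reachable over it unfiltered. Add `ip6tables -P INPUT DROP` and `ip6tables -P FORWARD DROP` to `start()` together with accepts for loopback, ICMPv6 and established traffic, and the matching resets to `stop()`, or disable IPv6 on the interfaces explicitly. The same script is repeated in `glt-gw-tug.yml`, where this applies unchanged.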
diff --git a/_graveyard_/inventory/host_vars/glt-gw-tug.yml b/_graveyard_/inventory/host_vars/glt-gw-tug.yml
new file mode 100644
index 00000000..5e1d0a45
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/glt-gw-tug.yml
@@ -0,0 +1,177 @@
+---
+openwrt_arch: x86
+openwrt_target: 64
+openwrt_profile: generic
+openwrt_output_image_suffixes:
+ - "{{ openwrt_profile }}-ext4-combined.img.gz"
+
+openwrt_packages_remove:
+ - ppp
+ - ppp-mod-pppoe
+ - firewall
+openwrt_packages_add:
+ - kmod-ipt-nat
+ - kmod-ipt-conntrack
+ - haveged
+ - htop
+ - ip
+ - less
+ - nano
+ - tcpdump-mini
+ - iperf
+ - iperf3
+ - mtr
+ - iptraf-ng
+
+
+openwrt_mixin:
+ /etc/dropbear/authorized_keys:
+ content: "{{ ssh_keys_root | join('\n') }}\n"
+
+ /etc/htoprc:
+ file: "{{ global_files_dir }}/common/htoprc"
+
+ /etc/rc.d/S22network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/rc.d/K92network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/init.d/network-fw:
+ mode: "0755"
+ content: |
+ #!/bin/sh /etc/rc.common
+
+ START=22
+ STOP=91
+
+ start() {
+ WAN_IF=$(uci get network.wan.device)
+ LAN_IF="br-lan"
+ LAN_IP=$(uci get network.lan.ipaddr)
+ LAN_MASK=$(uci get network.lan.netmask)
+
+ iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+
+ ### external incoming
+ iptables -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ ### internal
+ iptables -A INPUT -i "$LAN_IF" -p udp --dport 67 --sport 68 -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p udp --dport 53 -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p tcp --dport 53 -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+
+ iptables -A INPUT -i "$LAN_IF" -p icmp -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p tcp --dport {{ ansible_port }} -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_IP/$LAN_MASK" -j MASQUERADE
+
+ ### default policies
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ }
+
+ stop() {
+ iptables -P INPUT ACCEPT
+ iptables -F INPUT
+ iptables -P FORWARD ACCEPT
+ iptables -F FORWARD
+ iptables -t nat -F POSTROUTING
+ }
+
+openwrt_uci:
+ system:
+ - name: system
+ options:
+ hostname: '{{ host_name }}'
+ timezone: 'CET-1CEST,M3.5.0,M10.5.0/3'
+ ttylogin: '0'
+ log_size: '64'
+ urandom_seed: '0'
+
+ - name: timeserver 'ntp'
+ options:
+ enabled: '1'
+ enable_server: '0'
+ server:
+ - '0.lede.pool.ntp.org'
+ - '1.lede.pool.ntp.org'
+ - '2.lede.pool.ntp.org'
+ - '3.lede.pool.ntp.org'
+
+ dropbear:
+ - name: dropbear
+ options:
+ PasswordAuth: 'off'
+ RootPasswordAuth: 'off'
+ Port: '{{ ansible_port }}'
+
+ dhcp:
+ - name: dnsmasq
+ options:
+ domainneeded: '1'
+ boguspriv: '0'
+ filterwin2k: '0'
+ localise_queries: '1'
+ rebind_protection: '0'
+ rebind_localhost: '1'
+ local: '/lan/'
+ domain: 'lan'
+ expandhosts: '1'
+ nonegcache: '0'
+ authoritative: '1'
+ readethers: '1'
+ leasefile: '/tmp/dhcp.leases'
+ resolvfile: '/tmp/resolv.conf.auto'
+ localservice: '1'
+
+ - name: odhcpd 'odhcpd'
+ options:
+ maindhcp: '0'
+ leasefile: '/tmp/hosts/odhcpd'
+ leasetrigger: '/usr/sbin/odhcpd-update'
+
+ - name: dhcp 'wan'
+ options:
+ interface: 'wan'
+ ignore: '1'
+
+ - name: dhcp 'lan'
+ options:
+ interface: 'lan'
+ start: "{{ network_zones.tug_lan.dhcp.start }}"
+ limit: "{{ network_zones.tug_lan.dhcp.limit }}"
+ leasetime: "{{ network_zones.tug_lan.dhcp.leasetime | default('12h') }}"
+ dhcpv6: 'disabled'
+ ra: 'disabled'
+
+ network:
+ - name: globals 'globals'
+ options:
+ ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48"
+
+ - name: interface 'loopback'
+ options:
+ device: lo
+ proto: static
+ ipaddr: 127.0.0.1
+ netmask: 255.0.0.0
+
+ - name: interface 'lan'
+ options:
+ type: bridge
+ device: "eth0 eth1 eth2 eth3 eth4"
+ proto: static
+ ipaddr: "{{ network_zones.tug_lan.prefix | ansible.utils.ipaddr(network_zones.tug_lan.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ network_zones.tug_lan.prefix | ansible.utils.ipaddr('netmask') }}"
+
+ - name: interface 'wan'
+ options:
+ device: eth5
+ proto: dhcp
+ macaddr: 00:11:22:33:44:55
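Review bot: In the `dnsmasq` section, `rebind_protection: '0'` turns off dnsmasq's rejection of upstream answers that point into private address ranges, so LAN clients lose that DNS-rebinding safeguard for the router and the other 192.168.27.0/24 hosts. If it was disabled because the upstream resolver legitimately returns private addresses for some names (not visible here), keep `rebind_protection: '1'` and whitelist only those zones with `rebind_domain`. Either way, a comment next to the option such as `# upstream returns RFC1918 answers for <zone>` would record why the default was changed.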
diff --git a/_graveyard_/inventory/host_vars/glt-meet1.yml b/_graveyard_/inventory/host_vars/glt-meet1.yml
new file mode 100644
index 00000000..a7d619c8
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/glt-meet1.yml
@@ -0,0 +1,65 @@
+---
+docker_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: docker
+ size: 5G
+ fs: ext4
+
+kubelet_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: kubelet
+ size: 5G
+ fs: ext4
+
+
+spreadspace_apt_repo_components:
+ - container
+
+acme_client: acmetool
+
+
+kubernetes_version: 1.29.2
+kubernetes_container_runtime: docker
+kubernetes_standalone_max_pods: 100
+kubernetes_standalone_cni_variant: with-portmap
+
+
+jitsi_meet_base_path: /srv/jitsi/meet
+
+jitsi_meet_version: stable-9258
+jitsi_meet_hostname: meet1.linuxtage.at
+
+jitsi_meet_p2p_enable: no
+jitsi_meet_require_display_name: yes
+
+jitsi_meet_resolution:
+ default:
+ width: 1920
+ height: 1080
+ min:
+ width: 1280
+ height: 720
+
+jitsi_meet_jvb_config_extra: |
+ videobridge {
+ cc {
+ trust-bwe = false
+ onstage-preferred-framerate = 25
+ }
+ }
+
+jitsi_meet_secrets: "{{ vault_jitsi_meet_secrets }}"
+
+jitsi_meet_auth:
+ enable_guests: yes
+ users:
+ operator: "{{ vault_jitsi_meet_auth_user_passwords['operator'] }}"
+
+jitsi_meet_streamui:
+ http_port: "{{ jitsi_meet_http_port + 1 }}"
+# http_auth:
+# operator: "{{ vault_jitsi_meet_auth_user_passwords['operator'] }}"
+ image_tag: latest
+ default_control_room: glt
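Review bot: Under `jitsi_meet_streamui`, the `http_auth` block is commented out and `image_tag` is `latest`. If the role publishes the stream UI on `http_port` with no other access control in front of it (the role is not part of this diff), the control UI is reachable without credentials even though `jitsi_meet_auth` defines an `operator` login for the conference itself; re-enable `http_auth` or add a comment stating what protects that port. Pin `image_tag` to a fixed tag or digest so that a later playbook run cannot silently deploy a different image. `glt-meet2.yml` carries the identical block.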
diff --git a/_graveyard_/inventory/host_vars/glt-meet2.yml b/_graveyard_/inventory/host_vars/glt-meet2.yml
new file mode 100644
index 00000000..b194b9f6
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/glt-meet2.yml
@@ -0,0 +1,65 @@
+---
+docker_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: docker
+ size: 5G
+ fs: ext4
+
+kubelet_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: kubelet
+ size: 5G
+ fs: ext4
+
+
+spreadspace_apt_repo_components:
+ - container
+
+acme_client: acmetool
+
+
+kubernetes_version: 1.29.2
+kubernetes_container_runtime: docker
+kubernetes_standalone_max_pods: 100
+kubernetes_standalone_cni_variant: with-portmap
+
+
+jitsi_meet_base_path: /srv/jitsi/meet
+
+jitsi_meet_version: stable-9258
+jitsi_meet_hostname: meet2.linuxtage.at
+
+jitsi_meet_p2p_enable: no
+jitsi_meet_require_display_name: yes
+
+jitsi_meet_resolution:
+ default:
+ width: 1920
+ height: 1080
+ min:
+ width: 1280
+ height: 720
+
+jitsi_meet_jvb_config_extra: |
+ videobridge {
+ cc {
+ trust-bwe = false
+ onstage-preferred-framerate = 25
+ }
+ }
+
+jitsi_meet_secrets: "{{ vault_jitsi_meet_secrets }}"
+
+jitsi_meet_auth:
+ enable_guests: yes
+ users:
+ operator: "{{ vault_jitsi_meet_auth_user_passwords['operator'] }}"
+
+jitsi_meet_streamui:
+ http_port: "{{ jitsi_meet_http_port + 1 }}"
+# http_auth:
+# operator: "{{ vault_jitsi_meet_auth_user_passwords['operator'] }}"
+ image_tag: latest
+ default_control_room: glt
diff --git a/_graveyard_/inventory/host_vars/glt-stream.yml b/_graveyard_/inventory/host_vars/glt-stream.yml
new file mode 100644
index 00000000..db9292da
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/glt-stream.yml
@@ -0,0 +1,8 @@
+---
+lvm_volumes:
+ system/www:
+ vg: "{{ host_name }}"
+ lv: www
+ size: 10G
+ fs: ext4
+ dest: /srv/www
diff --git a/_graveyard_/inventory/host_vars/glt-tsdatacop.yml b/_graveyard_/inventory/host_vars/glt-tsdatacop.yml
new file mode 100644
index 00000000..c78513a6
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/glt-tsdatacop.yml
@@ -0,0 +1,70 @@
+---
+system_lvm_volume_size_root: 3G
+
+install:
+ efi: false
+ disks:
+ primary: /dev/disk/by-id/ata-WDC_WDS120G2G0A-00JH30_200854446208
+ kernel_cmdline:
+ - "consoleblank=0"
+
+network:
+ nameservers: "{{ network_zones.r3_lan.dns }}"
+ domain: "{{ host_domain }}"
+ primary: &_network_primary_
+ name: eno1
+ address: "{{ network_zones.r3_lan.prefix | ansible.utils.ipaddr(network_zones.r3_lan.offsets[inventory_hostname]) }}"
+ gateway: "{{ network_zones.r3_lan.prefix | ansible.utils.ipaddr(network_zones.r3_lan.offsets['glt-gw-r3']) | ansible.utils.ipaddr('address') }}"
+ interfaces:
+ - *_network_primary_
+
+
+spreadspace_apt_repo_components:
+ - container
+
+
+lvm_groups:
+ storage:
+ pvs:
+ - /dev/disk/by-id/ata-WDC_WD5000AAJS-00TKA0_WD-WCAPW2771922-part1
+
+
+blackmagic_desktopvideo_version: 12.5a15
+blackmagic_desktopvideo_include_gui: yes
+
+
+docker_pkg_provider: docker-com
+docker_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: docker
+ size: 15G
+ fs: ext4
+
+kubelet_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: kubelet
+ size: 10G
+ fs: ext4
+
+kubernetes_version: 1.29.2
+kubernetes_container_runtime: docker
+kubernetes_standalone_max_pods: 42
+kubernetes_standalone_cni_variant: with-portmap
+
+
+recorder_storage:
+ type: lvm
+ vg: storage
+ lv: recorder
+ size: 400G
+ fs: ext4
+recorder_base_path: /srv/recorder
+recorder_inst_name: feed-glt21s3
+recorder_ffmpeg_image_version: bookworm-decklink12.5-2024-02-18.33
+recorder_input: ['-f', 'decklink', '-video_input', 'sdi', '-format_code', 'Hp25', '-channels', '2', '-i', 'DeckLink Mini Recorder']
+recorder_video_filter_common: "colorspace=iall=bt709:irange=tv:all=bt709:range=tv"
+
+recorder_segment_time: 3600
+recorder_segment_clocktime_offset: 3300
diff --git a/_graveyard_/inventory/hosts.ini b/_graveyard_/inventory/hosts.ini
index a0381990..bf8ab79e 100644
--- a/_graveyard_/inventory/hosts.ini
+++ b/_graveyard_/inventory/hosts.ini
@@ -28,6 +28,34 @@ r3-cccamp19-av host_name=av
###############################
# environment: spreadspace
+[glt-live:vars]
+host_domain=linuxtage.at
+env_group=spreadspace
+
+[glt-live:children]
+glt-live-misc
+glt-live-r3
+glt-live-tug
+
+[glt-live-misc]
+glt-coturn host_name=cdn13
+glt-meet1 host_name=meet1
+glt-meet2 host_name=meet2
+glt-stream host_name=stream
+
+[glt-live-r3]
+glt-gw-r3 host_name=gw-r3
+#glt-dione host_name=dione
+#glt-helene host_name=helene
+glt-calypso host_name=calypso
+#glt-telesto host_name=telesto
+glt-tsdatacop host_name=tsdatacop
+#glt-thetys host_name=thetys
+
+[glt-live-tug]
+glt-gw-tug host_name=gw-tug
+
+
[lendwirbel-live:vars]
host_domain=lndwrbl.live
env_group=spreadspace
@@ -77,6 +105,11 @@ ele-laptop host_name=elevatop
###############################
# host categories
+## OS
+[openwrt]
+glt-gw-r3
+glt-gw-tug
+
[dellos6]
r3-cccamp19-sw0
@@ -118,6 +151,12 @@ lw-master
sgg-icecast
+[hcloud]
+glt-coturn
+glt-meet1
+glt-meet2
+glt-stream
+
[hcloud:children]
lendwirbel-live-dist
lendwirbel-live-xx
@@ -128,6 +167,16 @@ k8s-lwl
[standalone-kubelet]
lw-thetys
sgg-icecast
+glt-coturn
+glt-meet1
+glt-meet2
+glt-dione
+glt-helene
+glt-calypso
+glt-telesto
+glt-tsdatacop
+glt-thetys
+
### Kubernetes Cluster: lendwirbel-live
[k8s-lwl-encoder]
diff --git a/_graveyard_/spreadspace/glt-calypso.yml b/_graveyard_/spreadspace/glt-calypso.yml
new file mode 100644
index 00000000..07dd2eb2
--- /dev/null
+++ b/_graveyard_/spreadspace/glt-calypso.yml
@@ -0,0 +1,44 @@
+---
+- name: Basic Setup
+ hosts: glt-calypso
+ roles:
+ - role: apt-repo/base
+ - role: core/base
+ - role: core/sshd/base
+ - role: core/zsh
+ - role: core/ntp
+ - role: core/cpu-microcode
+ - role: storage/zfs/base
+ - role: apt-repo/spreadspace
+ - role: streaming/blackmagic/desktopvideo
+ - role: kubernetes/base
+ - role: kubernetes/standalone/base
+ - role: streaming/recorder
+ post_tasks:
+ - name: install lm-sensors and i7z
+ apt:
+ name:
+ - lm-sensors
+ - i7z
+
+ - name: load modules for lm-sensors
+ vars:
+ sensors_modules:
+ - coretemp
+ - w83627ehf
+ block:
+ - name: load special modules for lm-sensors
+ loop: "{{ sensors_modules }}"
+ modprobe:
+ name: "{{ item }}"
+ state: present
+
+ - name: make sure sensor modules are loaded on reboot
+ copy:
+ content: |
+ # Ansible managed
+
+ {% for module in sensors_modules %}
+ {{ module }}
+ {% endfor %}
+ dest: /etc/modules-load.d/sensors.conf
diff --git a/_graveyard_/spreadspace/glt-coturn.yml b/_graveyard_/spreadspace/glt-coturn.yml
new file mode 100644
index 00000000..91641cd5
--- /dev/null
+++ b/_graveyard_/spreadspace/glt-coturn.yml
@@ -0,0 +1,15 @@
+---
+- name: Basic Setup
+ hosts: glt-coturn
+ roles:
+ - role: apt-repo/base
+ - role: core/base
+ - role: core/sshd/base
+ - role: core/zsh
+ - role: core/ntp
+ - role: apt-repo/spreadspace
+ - role: kubernetes/base
+ - role: kubernetes/standalone/base
+ - role: x509/acmetool/base
+ - role: apps/coturn
+ - role: apps/mumble
diff --git a/_graveyard_/spreadspace/glt-meet1.yml b/_graveyard_/spreadspace/glt-meet1.yml
new file mode 100644
index 00000000..b2447cd8
--- /dev/null
+++ b/_graveyard_/spreadspace/glt-meet1.yml
@@ -0,0 +1,15 @@
+---
+- name: Basic Setup
+ hosts: glt-meet1
+ roles:
+ - role: apt-repo/base
+ - role: core/base
+ - role: core/sshd/base
+ - role: core/zsh
+ - role: core/ntp
+ - role: apt-repo/spreadspace
+ - role: kubernetes/base
+ - role: kubernetes/standalone/base
+ - role: x509/acmetool/base
+ - role: nginx/base
+ - role: apps/jitsi/meet
diff --git a/_graveyard_/spreadspace/glt-meet2.yml b/_graveyard_/spreadspace/glt-meet2.yml
new file mode 100644
index 00000000..f91dd3a8
--- /dev/null
+++ b/_graveyard_/spreadspace/glt-meet2.yml
@@ -0,0 +1,15 @@
+---
+- name: Basic Setup
+ hosts: glt-meet2
+ roles:
+ - role: apt-repo/base
+ - role: core/base
+ - role: core/sshd/base
+ - role: core/zsh
+ - role: core/ntp
+ - role: apt-repo/spreadspace
+ - role: kubernetes/base
+ - role: kubernetes/standalone/base
+ - role: x509/acmetool/base
+ - role: nginx/base
+ - role: apps/jitsi/meet
diff --git a/_graveyard_/spreadspace/glt-stream.yml b/_graveyard_/spreadspace/glt-stream.yml
new file mode 100644
index 00000000..c76904ab
--- /dev/null
+++ b/_graveyard_/spreadspace/glt-stream.yml
@@ -0,0 +1,148 @@
+---
+- name: Basic Setup
+ hosts: glt-stream
+ roles:
+ - role: apt-repo/base
+ - role: core/base
+ - role: core/sshd/base
+ - role: core/zsh
+ - role: core/ntp
+ - role: apt-repo/spreadspace
+ - role: x509/acmetool/base
+ - role: nginx/base
+ - name: storage/lvm/base
+ post_tasks:
+ - name: create base directory for static www content
+ file:
+ path: /srv/www/stream
+ state: directory
+
+ - name: configure default vhost stream.linuxtage.at
+ vars:
+ nginx_vhost:
+ default: yes
+ name: stream
+ template: generic
+ tls:
+ certificate_provider: acmetool
+ hostnames:
+ - stream.linuxtage.at
+ extra_directives: |-
+ add_header Access-Control-Allow-Headers "origin,range,accept-encoding,referer";
+ add_header Access-Control-Allow-Methods "GET,HEAD,OPTIONS";
+ add_header Access-Control-Allow-Origin "*";
+ add_header Access-Control-Expose-Headers "Server,range,Content-Length,Content-Range,Date";
+
+ {% for room_id in [1,2,3] %}
+ location /stats/saal{{ room_id }}/ {
+ include snippets/proxy-nobuff.conf;
+ proxy_set_header Host $host;
+ include snippets/proxy-forward-headers.conf;
+ proxy_pass http://127.0.0.1:{{ 4200 + room_id }}/;
+ }
+ {% endfor %}
+ locations:
+ '/':
+ root: /srv/www/stream
+ index: index.html
+ '/preped':
+ root: /srv/www/stream
+ autoindex: {}
+ include_role:
+ name: nginx/vhost
+
+ - name: install golang
+ apt:
+ name: go
+ state: present
+
+ - name: create base directory for stats
+ file:
+ path: /srv/www/stats
+ state: directory
+
+ - name: add user for stats
+ user:
+ name: stats
+ system: yes
+ home: /srv/www/stats
+
+ - name: create data and gocache directories for stats
+ loop:
+ - data
+ - .gocache
+ file:
+ path: "/srv/www/stats/{{ item }}"
+ state: directory
+ group: stats
+ mode: 0775
+
+ - name: install stats collector script
+ copy:
+ src: "{{ global_files_dir }}/glt/stream-stats.go"
+ dest: /srv/www/stats/stream-stats.go
+
+ - name: install start script for collector
+ copy:
+ content: |
+ #!/bin/bash
+ ROOM=$1
+ case "$ROOM" in
+ saal1)
+ PORT=4201
+ ;;
+ saal2)
+ PORT=4202
+ ;;
+ saal3)
+ PORT=4203
+ ;;
+ *)
+ echo "unknown room"
+ exit 1
+ ;;
+ esac
+ exec /usr/bin/go run /srv/www/stats/stream-stats.go 127.0.0.1:$PORT /srv/www/stats/data/glt21-$ROOM.json
+ dest: /srv/www/stats/run.sh
+ mode: 0755
+
+ - name: install systemd unit for stats collector
+ copy:
+ content: |
+ [Unit]
+ Description=GLT21 Stream Stats Collector (%I)
+
+ [Service]
+ Type=simple
+ User=stats
+ Environment="GOCACHE=/srv/www/stats/.gocache"
+ ExecStart=/srv/www/stats/run.sh %i
+ Restart=always
+ RestartSecs=1s
+ StartLimitBurst=10
+ StartLimitIntervalSec=5s
+ NoNewPrivileges=yes
+ PrivateTmp=yes
+ PrivateDevices=yes
+ ProtectSystem=strict
+ ReadWritePaths=/srv/www/stats/data /srv/www/stats/.gocache
+ ProtectHome=yes
+ ProtectKernelTunables=yes
+ ProtectControlGroups=yes
+ RestrictRealtime=yes
+ RestrictAddressFamilies=AF_INET
+
+ [Install]
+ WantedBy=multi-user.target
+ dest: /etc/systemd/system/stream-stats@.service
+
+ - name: make sure stats collector service units are enabled and started
+ loop:
+ - saal1
+ - saal2
+ - saal3
+ systemd:
+ name: "stream-stats@{{ item }}.service"
+ daemon_reload: yes
+ enabled: yes
+ state: started
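Review bot: `RestartSecs=1s` in the `stream-stats@.service` unit is not a systemd setting, so it is ignored with a warning and the default restart delay of 100ms applies; the line should read `RestartSec=1s`. With `Restart=always` and `StartLimitBurst=10`, a collector that fails at start-up can then exhaust the start limit in about a second and stay failed instead of retrying once per second. `StartLimitBurst=` and `StartLimitIntervalSec=` are documented for the `[Unit]` section, so it is worth running `systemd-analyze verify` on the installed unit to confirm they are honoured where they are. Separately, `run.sh` compiles the collector with `go run` on every start, using a `GOCACHE` the `stats` user can write; building the binary once at deploy time and pointing `ExecStart=` at it would keep the service account from influencing the code it executes after a restart.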
diff --git a/_graveyard_/spreadspace/glt-tsdatacop.yml b/_graveyard_/spreadspace/glt-tsdatacop.yml
new file mode 100644
index 00000000..82c363ab
--- /dev/null
+++ b/_graveyard_/spreadspace/glt-tsdatacop.yml
@@ -0,0 +1,43 @@
+---
+- name: Basic Setup
+ hosts: glt-tsdatacop
+ roles:
+ - role: apt-repo/base
+ - role: core/base
+ - role: core/sshd/base
+ - role: core/zsh
+ - role: core/ntp
+ - role: core/cpu-microcode
+ - role: storage/lvm/base
+ - role: apt-repo/spreadspace
+ - role: streaming/blackmagic/desktopvideo
+ - role: kubernetes/base
+ - role: kubernetes/standalone/base
+ - role: streaming/recorder
+ post_tasks:
+ - name: install lm-sensors and i7z
+ apt:
+ name:
+ - lm-sensors
+ - i7z
+
+ - name: load modules for lm-sensors
+ vars:
+ sensors_modules:
+ - coretemp
+ block:
+ - name: load special modules for lm-sensors
+ loop: "{{ sensors_modules }}"
+ modprobe:
+ name: "{{ item }}"
+ state: present
+
+ - name: make sure sensor modules are loaded on reboot
+ copy:
+ content: |
+ # Ansible managed
+
+ {% for module in sensors_modules %}
+ {{ module }}
+ {% endfor %}
+ dest: /etc/modules-load.d/sensors.conf
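Review bot: The `copy` task that writes `/etc/modules-load.d/sensors.conf` sets no `owner`, `group` or `mode`, so the permissions of a file that decides which kernel modules load at boot depend on the umask of the connection user. Add `owner: root`, `group: root` and `mode: "0644"` to that task. The `apt` task for `lm-sensors` and `i7z` also omits `state`; adding `state: present` would make the intent explicit.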
diff --git a/_graveyard_/spreadspace/group_vars/glt-live.yml b/_graveyard_/spreadspace/group_vars/glt-live.yml
new file mode 100644
index 00000000..c3acc3db
--- /dev/null
+++ b/_graveyard_/spreadspace/group_vars/glt-live.yml
@@ -0,0 +1,20 @@
+$ANSIBLE_VAULT;1.2;AES256;spreadspace
+38636362363330663663313064613361323466333236656166303266343666626135313830363065
+6231383766616637626564666265386464343437666434660a393130616566306364623134313138
+61333064663033393063323335616265386164383233666434326137646236346334386439656265
+6565653465383364300a396639353965313365616261346166336565333762376634376463366264
+38343064336635333364353064653731376362616236653732376365336565303163663434373862
+39376530393839653965336134623633656161373531383439613936656338633332623564643862
+38626638326632643265633134343162653064323564356365343535386664333133316537336337
+31326166643535306439333838653264636265356432636336303165376533393763643966656266
+33613465303931376335333763613034636236393762353139336433383434333965336336626361
+32396464353837353332653031336165343063303634653531323838653766386363336234626530
+39316532343738623336373265616239653139643135613338643466663839383432636533346632
+62636164343730646633633534373038663536323163333835653862343463376464303135386330
+36373539303136663264306136333538636666633238653334366539653737333536616363646666
+61336630383763633634363539393238396635653963373162656436346430323762303138313437
+65616235346430353036333934646236363438666663353632343238313335343533653432626137
+36646135666636376665643030636135646236353333613761613533366533623661373234323766
+31366230373331363038326134323634333536316339613632313365356635363061396666373632
+62623133653562376562373035656363363961306264336438383564653839353636316232343966
+663135326231386530636236633835663562
diff --git a/_graveyard_/spreadspace/host_vars/glt-coturn.yml b/_graveyard_/spreadspace/host_vars/glt-coturn.yml
new file mode 100644
index 00000000..8db669d5
--- /dev/null
+++ b/_graveyard_/spreadspace/host_vars/glt-coturn.yml
@@ -0,0 +1,13 @@
+$ANSIBLE_VAULT;1.2;AES256;spreadspace
+34643737663831333765666266333265633032346535306135383838643031633362343338393334
+6362383337353530346563316630313437313138633763370a613938353666646462316332353065
+66653436613537666465633263626632386263633734663330373430323865613733396463343363
+3837626238356534300a316361623361303430623863376661636233383436366131316338376230
+31326533353032666437643533633631333935643037636231333264386135646436383163663435
+33343838353534663932643630396236363636393131383539663536363738363539363238343965
+65633362636466623865366431623132366462386232653665393231646465323662663464356232
+30396239643238313734623461323366303961343463623433663133333761323933653534623037
+37313366636130366230343365393064396163313761626566366530613665306132656364623237
+65333239386435346465663234653339633930323766636631393134306235613636623339626638
+62313739346630343538366265336232646438306432353133393465333934376363653338373537
+66376330366533353937
diff --git a/_graveyard_/spreadspace/host_vars/glt-meet1.yml b/_graveyard_/spreadspace/host_vars/glt-meet1.yml
new file mode 100644
index 00000000..27359daf
--- /dev/null
+++ b/_graveyard_/spreadspace/host_vars/glt-meet1.yml
@@ -0,0 +1,18 @@
+$ANSIBLE_VAULT;1.2;AES256;spreadspace
+37653436633131353132383533623834613061323731356639366330303961333434303162366130
+6566653037323333396333653663656230663066393531640a313764303365623038346430646238
+32333030613535373734303030633130626439616533613932353831383630313432646564323065
+3864393963666636630a626432373633636330636136656561366133303239363932626239373036
+61623336663032376331646131363937646261333065313263303536383339376232666162636335
+64666263326236336634343962663931353638363764383336303966343533343964636566646661
+63643262616234623565333966663437366332373763326339643963366132313936643836353362
+35326332373664366366313931366433353661353232646334656539636334376134383231653865
+65383632373264623666663933313261393330613465333861373237303964316431373434306364
+37373032646164383038346431383166306364343363313964633137353438303230343133323038
+35343633333038366136663237346465666631373062633534623163656564356632333938356163
+37353036333663383764343561623634363966346237663463393165363035383061323738653134
+37306638343065313033646431373661313965663562666438373536313630356661356561346130
+34306363333237316138303036633539373562626461343133663331643161396364386166626239
+63313165363634316661666634363532643161373962336139663731326666616131376562386534
+34343339376665633437303936313664663431643962333234323262653236646564666633313738
+61613434363536303061343330636534373037656433306437633663386362616535
diff --git a/_graveyard_/spreadspace/host_vars/glt-meet2.yml b/_graveyard_/spreadspace/host_vars/glt-meet2.yml
new file mode 100644
index 00000000..96f9f897
--- /dev/null
+++ b/_graveyard_/spreadspace/host_vars/glt-meet2.yml
@@ -0,0 +1,18 @@
+$ANSIBLE_VAULT;1.2;AES256;spreadspace
+63653634373839386431343362316530613563303631396333343630376435646562356561303135
+6133316465333138663739383532663430313937343932660a643532316462656539663239346231
+66643032363066353331313630633933613736323865376565363562663030656434306362393065
+6639633038623864390a323762626461316661323839303866656236303461343432643939313030
+32666664356235383437326562653962373035656132383364633566303364306233653136333161
+34363562343930353632653163383663313736343538663463316265323564643936306138313133
+35316135653438656266633430383163623634393734633133393463393333663133613739656662
+66356133343934666462623365376161613961333766636366663138353139663131636137613634
+66356433643234303466363034333263613665633365623135343364653563383663313066623638
+63623732643438366661616535643238323439366338626235633835346538333939616666636664
+34653831313563623963333661646336396664306530353766393532383165363563646633646230
+62363936343961313263623636333430663365373739616462343761616366393032396138353833
+31613564653139366330303438326662306361383963346133316130303936653162363036613565
+32363231633065306231663562613038313566626233323932343431643137316164333831336539
+32393030623162636266326639316362633139633330656462393130316232366631323161323238
+33663535343264663336616563393837396533366632373965616666353135653937396164343963
+64336364353137396534353836336630636639303530356630376565323566336564