Diffstat (limited to '_graveyard_/inventory')
-rw-r--r--_graveyard_/inventory/group_vars/glt-live-misc/vars.yml15
-rw-r--r--_graveyard_/inventory/group_vars/glt-live-r3/vars.yml3
-rw-r--r--_graveyard_/inventory/group_vars/glt-live/network.yml78
-rw-r--r--_graveyard_/inventory/group_vars/glt-live/vars.yml13
-rw-r--r--_graveyard_/inventory/host_vars/glt-calypso.yml77
-rw-r--r--_graveyard_/inventory/host_vars/glt-coturn.yml56
-rw-r--r--_graveyard_/inventory/host_vars/glt-gw-r3.yml147
-rw-r--r--_graveyard_/inventory/host_vars/glt-gw-tug.yml177
-rw-r--r--_graveyard_/inventory/host_vars/glt-meet1.yml65
-rw-r--r--_graveyard_/inventory/host_vars/glt-meet2.yml65
-rw-r--r--_graveyard_/inventory/host_vars/glt-stream.yml8
-rw-r--r--_graveyard_/inventory/host_vars/glt-tsdatacop.yml70
-rw-r--r--_graveyard_/inventory/hosts.ini49
13 files changed, 823 insertions, 0 deletions
diff --git a/_graveyard_/inventory/group_vars/glt-live-misc/vars.yml b/_graveyard_/inventory/group_vars/glt-live-misc/vars.yml
new file mode 100644
index 00000000..4f1862b5
--- /dev/null
+++ b/_graveyard_/inventory/group_vars/glt-live-misc/vars.yml
@@ -0,0 +1,15 @@
+---
+install:
+ cloud:
+ credentials:
+ token: "{{ vault_hcloud_api_token }}"
+
+
+apt_repo_provider: hetzner
+
+ssh_keys_root_extra:
+ - ssh-rsa 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 emergency@glt
+ - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHB2GxQrL18sfbdgTvaimYR/F94UtZ3BMA8cNQyTzT8h martin@adelmann
+ - ssh-rsa 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 lukas@regular
+ - ssh-rsa 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 ansible@glt
+ - ssh-rsa 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 spel@lspe.organsible
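Review bot: `ssh_keys_root_extra` grants root login to two shared role keys (`emergency@glt`, `ansible@glt`) alongside the personal ones, and nothing in the file records who holds their private halves or when they should be withdrawn. Because the file lands under `_graveyard_`, it is worth stating whether these keys are still deployed anywhere; a header comment such as `# root keys for the glt-live-misc hosts; shared keys: owner <name>, revoke after the event` would cover it (`<name>` is a placeholder). The comment field on the last entry (`spel@lspe.organsible`) also looks like two labels run together and should be checked against the key it belongs to.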
diff --git a/_graveyard_/inventory/group_vars/glt-live-r3/vars.yml b/_graveyard_/inventory/group_vars/glt-live-r3/vars.yml
new file mode 100644
index 00000000..8c360f8d
--- /dev/null
+++ b/_graveyard_/inventory/group_vars/glt-live-r3/vars.yml
@@ -0,0 +1,3 @@
+---
+apt_repo_provider: anexia
+#apt_repo_provider: ffgraz
diff --git a/_graveyard_/inventory/group_vars/glt-live/network.yml b/_graveyard_/inventory/group_vars/glt-live/network.yml
new file mode 100644
index 00000000..e78ddd2d
--- /dev/null
+++ b/_graveyard_/inventory/group_vars/glt-live/network.yml
@@ -0,0 +1,78 @@
+---
+network_zones:
+ r3_lan:
+ description: "realraum LAN, Internetuplink via Magenta"
+ vlan: 127
+ prefix: 192.168.127.0/24
+ gateway: 192.168.127.254
+ dns:
+ - 192.168.127.254
+ dhcp:
+ start: 1
+ limit: 149
+ offsets:
+ # Saal 1
+ glt-s1mod: 150
+ glt-s1slide: 151
+ glt-s1speak1: 152
+ glt-s1speak2: 153
+ glt-s1info: 154
+ glt-dione: 155
+ glt-calypso: 156
+ glt-s1atemctl: 157
+ glt-s1atem: 158
+ glt-s1switch: 159
+ # Saal 2
+ glt-s2mod: 160
+ glt-s2slide: 161
+ glt-s2speak: 162
+ glt-s2info: 163
+ glt-helene: 165
+ glt-telesto: 166
+ glt-s2atemctl: 167
+ glt-s2atem: 168
+ glt-s2switch: 169
+ # Saal 3
+ glt-s3mod: 170
+ glt-s3slide: 171
+ glt-s3speak: 172
+ glt-s3info: 173
+ glt-tsdatacop: 175
+ glt-thetys: 176
+ glt-s3atemctl: 177
+ glt-s3atem: 178
+ glt-s3switch: 179
+ # misc
+ equinox-t450s: 190
+ spel: 191
+ glt-gw-r3: 199
+
+ r3_ff:
+ description: "realraum Funkfeuer Subnet, Internetuplink via Funkfeuer and mur.at"
+ vlan: 255
+ prefix: 10.12.240.240/28
+ gateway: 10.12.240.247
+ dns:
+ - 10.12.0.10
+ offsets:
+ glt-gw-r3: 8
+
+ murat_transfer:
+ description: "transfer network for upstream via mur.at"
+ prefix: 172.31.255.240/28
+ offsets:
+ ele-tub: 1
+ ff-10g: 2
+ ele-mur: 14
+
+ tug_lan:
+ description: "glt@tug LAN, Internetuplink via TUG and ACOnet"
+ prefix: 192.168.27.0/24
+ gateway: 192.168.27.254
+ dns:
+ - 192.168.27.254
+ dhcp:
+ start: 1
+ limit: 199
+ offsets:
+ glt-gw-tug: 254
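Review bot: The `r3_lan` zone declares `gateway: 192.168.127.254`, but the hosts this commit places in that zone (glt-calypso.yml, glt-tsdatacop.yml) build their default route from `offsets['glt-gw-r3']`, which is offset 199, so the zone carries two candidate gateways with no indication of which one is authoritative. The same hosts take `nameservers` from the zone's `dns` entry (.254), so DNS and routing appear to leave through different devices. If the split is deliberate, a comment above `gateway:` such as `# realraum's own router; GLT hosts route via glt-gw-r3 (offset 199)` would stop a later reader from "fixing" either side.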
diff --git a/_graveyard_/inventory/group_vars/glt-live/vars.yml b/_graveyard_/inventory/group_vars/glt-live/vars.yml
new file mode 100644
index 00000000..65287b3a
--- /dev/null
+++ b/_graveyard_/inventory/group_vars/glt-live/vars.yml
@@ -0,0 +1,13 @@
+---
+zsh_banner: linuxtage
+
+ssh_users_root:
+ - equinox
+ - spel
+
+acme_account_email: equinox@spreadspace.org
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
+
+apt_repo_blackmagic_auth:
+ username: "glt"
+ password: "{{ vault_apt_repo_blackmagic_auth.password }}"
diff --git a/_graveyard_/inventory/host_vars/glt-calypso.yml b/_graveyard_/inventory/host_vars/glt-calypso.yml
new file mode 100644
index 00000000..afa7766c
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/glt-calypso.yml
@@ -0,0 +1,77 @@
+---
+system_lvm_volume_size_root: 3G
+
+install:
+ efi: true
+ disks:
+ primary: /dev/disk/by-id/ata-OCZ-VERTEX2_OCZ-5328NA52AN84G246
+ kernel_cmdline:
+ - "consoleblank=0"
+ - "nomodeset"
+
+network:
+ nameservers: "{{ network_zones.r3_lan.dns }}"
+ domain: "{{ host_domain }}"
+ primary: &_network_primary_
+ name: eno1
+ address: "{{ network_zones.r3_lan.prefix | ansible.utils.ipaddr(network_zones.r3_lan.offsets[inventory_hostname]) }}"
+ gateway: "{{ network_zones.r3_lan.prefix | ansible.utils.ipaddr(network_zones.r3_lan.offsets['glt-gw-r3']) | ansible.utils.ipaddr('address') }}"
+ interfaces:
+ - *_network_primary_
+
+
+apt_repo_components:
+ - main
+ - contrib ## for zfs
+ - non-free-firmware ## for microcode updates
+
+spreadspace_apt_repo_components:
+ - container
+
+zfs_arc_size:
+ min: 1GB
+ max: 2GB
+
+zfs_pools:
+ storage:
+ mountpoint: /srv/storage
+ create_vdevs: mirror /dev/disk/by-id/ata-SAMSUNG_HD103UJ_S1PVJDWQ720805 /dev/disk/by-id/ata-SAMSUNG_HD103UJ_S1PVJDWQ720811
+
+
+blackmagic_desktopvideo_version: 12.5a15
+blackmagic_desktopvideo_include_gui: yes
+
+
+docker_pkg_provider: docker-com
+docker_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: docker
+ size: 15G
+ fs: ext4
+
+kubelet_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: kubelet
+ size: 10G
+ fs: ext4
+
+kubernetes_version: 1.29.2
+kubernetes_container_runtime: docker
+kubernetes_standalone_max_pods: 42
+kubernetes_standalone_cni_variant: with-portmap
+
+
+recorder_storage:
+ type: zfs
+ pool: storage
+ name: recorder
+recorder_base_path: /srv/storage/recorder
+recorder_inst_name: feed-glt21s1
+recorder_ffmpeg_image_version: bookworm-decklink12.5-2024-02-18.33
+recorder_input: ['-f', 'decklink', '-video_input', 'sdi', '-format_code', 'Hp25', '-channels', '2', '-i', 'DeckLink SDI (1)']
+recorder_video_filter_common: "colorspace=iall=bt709:irange=tv:all=bt709:range=tv"
+
+recorder_segment_time: 3600
+recorder_segment_clocktime_offset: 3300
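Review bot: `blackmagic_desktopvideo_include_gui: yes` relies on YAML 1.1 truthy parsing while the same file writes `efi: true` further up; the flag should be spelled `blackmagic_desktopvideo_include_gui: true`. The same `yes`/`no` spelling appears in glt-coturn.yml (`coturn_install_nginx_vhost: no`), in glt-meet1.yml and glt-meet2.yml (`jitsi_meet_p2p_enable: no`, `jitsi_meet_require_display_name: yes`, `enable_guests: yes`) and in glt-tsdatacop.yml. A YAML 1.2 loader reads these as strings, which for a flag like `enable_guests` could change behaviour without any error.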
diff --git a/_graveyard_/inventory/host_vars/glt-coturn.yml b/_graveyard_/inventory/host_vars/glt-coturn.yml
new file mode 100644
index 00000000..6dc0f5c4
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/glt-coturn.yml
@@ -0,0 +1,56 @@
+---
+docker_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: docker
+ size: 5G
+ fs: ext4
+
+kubelet_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: kubelet
+ size: 5G
+ fs: ext4
+
+
+spreadspace_apt_repo_components:
+ - container
+
+acme_client: acmetool
+
+
+kubernetes_version: 1.29.2
+kubernetes_container_runtime: docker
+kubernetes_standalone_max_pods: 100
+kubernetes_standalone_pod_cidr: 192.168.255.0/24
+kubernetes_standalone_cni_variant: with-portmap
+
+
+coturn_version: 4.6.2-r4
+coturn_realm: linuxtage.at
+coturn_hostnames:
+ - cdn13.linuxtage.at
+
+coturn_auth_secret: "{{ vault_coturn_auth_secret }}"
+coturn_listening_port: 3478
+coturn_tls_listening_port: 443
+coturn_install_nginx_vhost: no
+coturn_tls:
+ certificate_provider: "{{ acme_client }}"
+
+
+mumble_version: v1.4.287-4
+mumble_instance: linuxtage.at
+mumble_hostnames:
+ - mumble.linuxtage.at
+mumble_tls:
+ certificate_provider: "{{ acme_client }}"
+
+mumble_superuser_password: "{{ vault_mumble_superuser_password }}"
+
+mumble_config_options:
+ bonjour: false
+ sslCiphers: "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES256:DHE+AES256:ECDHE+AES128:DHE+AES128:!RSA:!ADH:!AECDH:!MD5"
+ welcometext: "Willkommen im Mumble der Grazer Linuxtage <br>Intercom für Helfer und Orga während der GLT21"
+ rememberchannel: true
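Review bot: None of the `coturn_*` variables set here constrains which peer addresses the TURN server will relay to, while the host also runs pods on `kubernetes_standalone_pod_cidr: 192.168.255.0/24`. Unless the role already emits coturn's `denied-peer-ip` for loopback, link-local and RFC 1918 ranges, authenticated clients could have traffic relayed to those internal addresses. Whether the role does this is not visible from this hunk, so it is worth confirming and recording next to `coturn_auth_secret`, for example `# relay targets: role denies private/loopback peers (denied-peer-ip) -- verify`.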
diff --git a/_graveyard_/inventory/host_vars/glt-gw-r3.yml b/_graveyard_/inventory/host_vars/glt-gw-r3.yml
new file mode 100644
index 00000000..d5d8538e
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/glt-gw-r3.yml
@@ -0,0 +1,147 @@
+---
+openwrt_arch: x86
+openwrt_target: geode
+openwrt_profile: generic
+openwrt_output_image_suffixes:
+ - "{{ openwrt_profile }}-ext4-combined.img.gz"
+
+openwrt_packages_remove:
+ - ppp
+ - ppp-mod-pppoe
+ - firewall
+ - dnsmasq
+ - odhcpd-ipv6only
+openwrt_packages_add:
+ - kmod-ipt-nat
+ - kmod-ipt-conntrack
+ - haveged
+ - htop
+ - ip
+ - less
+ - nano
+ - tcpdump-mini
+ - iperf
+ - iperf3
+ - mtr
+ - iptraf-ng
+
+
+openwrt_mixin:
+ /etc/dropbear/authorized_keys:
+ content: "{{ ssh_keys_root | join('\n') }}\n"
+
+ /etc/htoprc:
+ file: "{{ global_files_dir }}/common/htoprc"
+
+ /etc/rc.d/S22network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/rc.d/K92network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/init.d/network-fw:
+ mode: "0755"
+ content: |
+ #!/bin/sh /etc/rc.common
+
+ START=22
+ STOP=91
+
+ start() {
+ WAN_IF=$(uci get network.wan.device)
+ LAN_IF=$(uci get network.lan.device)
+ LAN_IP=$(uci get network.lan.ipaddr)
+ LAN_MASK=$(uci get network.lan.netmask)
+
+ iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+
+ ### external incoming
+ iptables -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ ### internal
+ iptables -A INPUT -i "$LAN_IF" -p udp --dport 67 --sport 68 -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p udp --dport 53 -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p tcp --dport 53 -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+
+ iptables -A INPUT -i "$LAN_IF" -p icmp -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p tcp --dport {{ ansible_port }} -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_IP/$LAN_MASK" -j MASQUERADE
+
+ ### default policies
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ }
+
+ stop() {
+ iptables -P INPUT ACCEPT
+ iptables -F INPUT
+ iptables -P FORWARD ACCEPT
+ iptables -F FORWARD
+ iptables -t nat -F POSTROUTING
+ }
+
+openwrt_uci:
+ system:
+ - name: system
+ options:
+ hostname: '{{ host_name }}'
+ timezone: 'CET-1CEST,M3.5.0,M10.5.0/3'
+ ttylogin: '0'
+ log_size: '64'
+ urandom_seed: '0'
+
+ - name: timeserver 'ntp'
+ options:
+ enabled: '1'
+ enable_server: '0'
+ server:
+ - '0.lede.pool.ntp.org'
+ - '1.lede.pool.ntp.org'
+ - '2.lede.pool.ntp.org'
+ - '3.lede.pool.ntp.org'
+
+ dropbear:
+ - name: dropbear
+ options:
+ PasswordAuth: 'off'
+ RootPasswordAuth: 'off'
+ Port: '{{ ansible_port }}'
+
+ network:
+ - name: globals 'globals'
+ options:
+ ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48"
+
+ - name: interface 'loopback'
+ options:
+ device: lo
+ proto: static
+ ipaddr: 127.0.0.1
+ netmask: 255.0.0.0
+
+ - name: interface 'wan'
+ options:
+ device: eth0
+ proto: static
+ ipaddr: "{{ network_zones.r3_ff.prefix | ansible.utils.ipaddr(network_zones.r3_ff.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ network_zones.r3_ff.prefix | ansible.utils.ipaddr('netmask') }}"
+ gateway: "{{ network_zones.r3_ff.gateway }}"
+ dns: "{{ network_zones.r3_ff.dns }}"
+
+ - name: interface 'lan'
+ options:
+ device: eth1
+ proto: static
+ ipaddr: "{{ network_zones.r3_lan.prefix | ansible.utils.ipaddr(network_zones.r3_lan.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ network_zones.r3_lan.prefix | ansible.utils.ipaddr('netmask') }}"
+
+ - name: interface 'unused'
+ options:
+ device: eth2
+ proto: none
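Review bot: The `network-fw` init script programs only `iptables`, and the `firewall` package is removed, so nothing visible sets a policy for IPv6 even though the same file configures a `ula_prefix`. Dropbear and forwarded traffic would be unfiltered over IPv6 wherever an interface holds a v6 address. Either add the IPv6 counterpart in `start()` (`ip6tables -P INPUT DROP`, `ip6tables -P FORWARD DROP`, plus the loopback, ICMPv6 and established-state accepts, assuming `ip6tables` is in the image) or disable IPv6 on `wan` and `lan` and say so in a comment. The same script is repeated in glt-gw-tug.yml, where dnsmasq stays installed and would be covered by the same gap.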
diff --git a/_graveyard_/inventory/host_vars/glt-gw-tug.yml b/_graveyard_/inventory/host_vars/glt-gw-tug.yml
new file mode 100644
index 00000000..5e1d0a45
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/glt-gw-tug.yml
@@ -0,0 +1,177 @@
+---
+openwrt_arch: x86
+openwrt_target: 64
+openwrt_profile: generic
+openwrt_output_image_suffixes:
+ - "{{ openwrt_profile }}-ext4-combined.img.gz"
+
+openwrt_packages_remove:
+ - ppp
+ - ppp-mod-pppoe
+ - firewall
+openwrt_packages_add:
+ - kmod-ipt-nat
+ - kmod-ipt-conntrack
+ - haveged
+ - htop
+ - ip
+ - less
+ - nano
+ - tcpdump-mini
+ - iperf
+ - iperf3
+ - mtr
+ - iptraf-ng
+
+
+openwrt_mixin:
+ /etc/dropbear/authorized_keys:
+ content: "{{ ssh_keys_root | join('\n') }}\n"
+
+ /etc/htoprc:
+ file: "{{ global_files_dir }}/common/htoprc"
+
+ /etc/rc.d/S22network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/rc.d/K92network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/init.d/network-fw:
+ mode: "0755"
+ content: |
+ #!/bin/sh /etc/rc.common
+
+ START=22
+ STOP=91
+
+ start() {
+ WAN_IF=$(uci get network.wan.device)
+ LAN_IF="br-lan"
+ LAN_IP=$(uci get network.lan.ipaddr)
+ LAN_MASK=$(uci get network.lan.netmask)
+
+ iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+
+ ### external incoming
+ iptables -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ ### internal
+ iptables -A INPUT -i "$LAN_IF" -p udp --dport 67 --sport 68 -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p udp --dport 53 -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p tcp --dport 53 -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+
+ iptables -A INPUT -i "$LAN_IF" -p icmp -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p tcp --dport {{ ansible_port }} -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_IP/$LAN_MASK" -j MASQUERADE
+
+ ### default policies
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ }
+
+ stop() {
+ iptables -P INPUT ACCEPT
+ iptables -F INPUT
+ iptables -P FORWARD ACCEPT
+ iptables -F FORWARD
+ iptables -t nat -F POSTROUTING
+ }
+
+openwrt_uci:
+ system:
+ - name: system
+ options:
+ hostname: '{{ host_name }}'
+ timezone: 'CET-1CEST,M3.5.0,M10.5.0/3'
+ ttylogin: '0'
+ log_size: '64'
+ urandom_seed: '0'
+
+ - name: timeserver 'ntp'
+ options:
+ enabled: '1'
+ enable_server: '0'
+ server:
+ - '0.lede.pool.ntp.org'
+ - '1.lede.pool.ntp.org'
+ - '2.lede.pool.ntp.org'
+ - '3.lede.pool.ntp.org'
+
+ dropbear:
+ - name: dropbear
+ options:
+ PasswordAuth: 'off'
+ RootPasswordAuth: 'off'
+ Port: '{{ ansible_port }}'
+
+ dhcp:
+ - name: dnsmasq
+ options:
+ domainneeded: '1'
+ boguspriv: '0'
+ filterwin2k: '0'
+ localise_queries: '1'
+ rebind_protection: '0'
+ rebind_localhost: '1'
+ local: '/lan/'
+ domain: 'lan'
+ expandhosts: '1'
+ nonegcache: '0'
+ authoritative: '1'
+ readethers: '1'
+ leasefile: '/tmp/dhcp.leases'
+ resolvfile: '/tmp/resolv.conf.auto'
+ localservice: '1'
+
+ - name: odhcpd 'odhcpd'
+ options:
+ maindhcp: '0'
+ leasefile: '/tmp/hosts/odhcpd'
+ leasetrigger: '/usr/sbin/odhcpd-update'
+
+ - name: dhcp 'wan'
+ options:
+ interface: 'wan'
+ ignore: '1'
+
+ - name: dhcp 'lan'
+ options:
+ interface: 'lan'
+ start: "{{ network_zones.tug_lan.dhcp.start }}"
+ limit: "{{ network_zones.tug_lan.dhcp.limit }}"
+ leasetime: "{{ network_zones.tug_lan.dhcp.leasetime | default('12h') }}"
+ dhcpv6: 'disabled'
+ ra: 'disabled'
+
+ network:
+ - name: globals 'globals'
+ options:
+ ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48"
+
+ - name: interface 'loopback'
+ options:
+ device: lo
+ proto: static
+ ipaddr: 127.0.0.1
+ netmask: 255.0.0.0
+
+ - name: interface 'lan'
+ options:
+ type: bridge
+ device: "eth0 eth1 eth2 eth3 eth4"
+ proto: static
+ ipaddr: "{{ network_zones.tug_lan.prefix | ansible.utils.ipaddr(network_zones.tug_lan.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ network_zones.tug_lan.prefix | ansible.utils.ipaddr('netmask') }}"
+
+ - name: interface 'wan'
+ options:
+ device: eth5
+ proto: dhcp
+ macaddr: 00:11:22:33:44:55
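Review bot: `rebind_protection: '0'` in the `dnsmasq` section switches off the DNS-rebinding filter for every client on the `lan` bridge, so upstream answers that point at private addresses are passed through unchecked. If this is needed because the upstream resolver legitimately returns private addresses for some names, keeping `rebind_protection: '1'` and listing only those zones under `rebind_domain` is the narrower setting. Otherwise a comment above the option stating why it is off would let a later reader judge whether it still applies.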
diff --git a/_graveyard_/inventory/host_vars/glt-meet1.yml b/_graveyard_/inventory/host_vars/glt-meet1.yml
new file mode 100644
index 00000000..a7d619c8
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/glt-meet1.yml
@@ -0,0 +1,65 @@
+---
+docker_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: docker
+ size: 5G
+ fs: ext4
+
+kubelet_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: kubelet
+ size: 5G
+ fs: ext4
+
+
+spreadspace_apt_repo_components:
+ - container
+
+acme_client: acmetool
+
+
+kubernetes_version: 1.29.2
+kubernetes_container_runtime: docker
+kubernetes_standalone_max_pods: 100
+kubernetes_standalone_cni_variant: with-portmap
+
+
+jitsi_meet_base_path: /srv/jitsi/meet
+
+jitsi_meet_version: stable-9258
+jitsi_meet_hostname: meet1.linuxtage.at
+
+jitsi_meet_p2p_enable: no
+jitsi_meet_require_display_name: yes
+
+jitsi_meet_resolution:
+ default:
+ width: 1920
+ height: 1080
+ min:
+ width: 1280
+ height: 720
+
+jitsi_meet_jvb_config_extra: |
+ videobridge {
+ cc {
+ trust-bwe = false
+ onstage-preferred-framerate = 25
+ }
+ }
+
+jitsi_meet_secrets: "{{ vault_jitsi_meet_secrets }}"
+
+jitsi_meet_auth:
+ enable_guests: yes
+ users:
+ operator: "{{ vault_jitsi_meet_auth_user_passwords['operator'] }}"
+
+jitsi_meet_streamui:
+ http_port: "{{ jitsi_meet_http_port + 1 }}"
+# http_auth:
+# operator: "{{ vault_jitsi_meet_auth_user_passwords['operator'] }}"
+ image_tag: latest
+ default_control_room: glt
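Review bot: `jitsi_meet_streamui` is configured with its `http_auth` block commented out, so as far as these vars show, the stream UI on `jitsi_meet_http_port + 1` is served without credentials while the conference side has an `operator` password. If the UI is only reachable through something that authenticates in front of it, say so in a comment next to the disabled lines; otherwise restore the two commented lines. glt-meet2.yml carries the identical block.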
diff --git a/_graveyard_/inventory/host_vars/glt-meet2.yml b/_graveyard_/inventory/host_vars/glt-meet2.yml
new file mode 100644
index 00000000..b194b9f6
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/glt-meet2.yml
@@ -0,0 +1,65 @@
+---
+docker_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: docker
+ size: 5G
+ fs: ext4
+
+kubelet_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: kubelet
+ size: 5G
+ fs: ext4
+
+
+spreadspace_apt_repo_components:
+ - container
+
+acme_client: acmetool
+
+
+kubernetes_version: 1.29.2
+kubernetes_container_runtime: docker
+kubernetes_standalone_max_pods: 100
+kubernetes_standalone_cni_variant: with-portmap
+
+
+jitsi_meet_base_path: /srv/jitsi/meet
+
+jitsi_meet_version: stable-9258
+jitsi_meet_hostname: meet2.linuxtage.at
+
+jitsi_meet_p2p_enable: no
+jitsi_meet_require_display_name: yes
+
+jitsi_meet_resolution:
+ default:
+ width: 1920
+ height: 1080
+ min:
+ width: 1280
+ height: 720
+
+jitsi_meet_jvb_config_extra: |
+ videobridge {
+ cc {
+ trust-bwe = false
+ onstage-preferred-framerate = 25
+ }
+ }
+
+jitsi_meet_secrets: "{{ vault_jitsi_meet_secrets }}"
+
+jitsi_meet_auth:
+ enable_guests: yes
+ users:
+ operator: "{{ vault_jitsi_meet_auth_user_passwords['operator'] }}"
+
+jitsi_meet_streamui:
+ http_port: "{{ jitsi_meet_http_port + 1 }}"
+# http_auth:
+# operator: "{{ vault_jitsi_meet_auth_user_passwords['operator'] }}"
+ image_tag: latest
+ default_control_room: glt
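Review bot: `image_tag: latest` leaves the stream UI image unpinned, unlike `jitsi_meet_version: stable-9258` and the other versioned components in this file, so a redeploy can pull different code from what was tested. Pin it to a specific tag or digest, e.g. `image_tag: <release-tag>` (placeholder), and apply the same change in glt-meet1.yml.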
diff --git a/_graveyard_/inventory/host_vars/glt-stream.yml b/_graveyard_/inventory/host_vars/glt-stream.yml
new file mode 100644
index 00000000..db9292da
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/glt-stream.yml
@@ -0,0 +1,8 @@
+---
+lvm_volumes:
+ system/www:
+ vg: "{{ host_name }}"
+ lv: www
+ size: 10G
+ fs: ext4
+ dest: /srv/www
diff --git a/_graveyard_/inventory/host_vars/glt-tsdatacop.yml b/_graveyard_/inventory/host_vars/glt-tsdatacop.yml
new file mode 100644
index 00000000..c78513a6
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/glt-tsdatacop.yml
@@ -0,0 +1,70 @@
+---
+system_lvm_volume_size_root: 3G
+
+install:
+ efi: false
+ disks:
+ primary: /dev/disk/by-id/ata-WDC_WDS120G2G0A-00JH30_200854446208
+ kernel_cmdline:
+ - "consoleblank=0"
+
+network:
+ nameservers: "{{ network_zones.r3_lan.dns }}"
+ domain: "{{ host_domain }}"
+ primary: &_network_primary_
+ name: eno1
+ address: "{{ network_zones.r3_lan.prefix | ansible.utils.ipaddr(network_zones.r3_lan.offsets[inventory_hostname]) }}"
+ gateway: "{{ network_zones.r3_lan.prefix | ansible.utils.ipaddr(network_zones.r3_lan.offsets['glt-gw-r3']) | ansible.utils.ipaddr('address') }}"
+ interfaces:
+ - *_network_primary_
+
+
+spreadspace_apt_repo_components:
+ - container
+
+
+lvm_groups:
+ storage:
+ pvs:
+ - /dev/disk/by-id/ata-WDC_WD5000AAJS-00TKA0_WD-WCAPW2771922-part1
+
+
+blackmagic_desktopvideo_version: 12.5a15
+blackmagic_desktopvideo_include_gui: yes
+
+
+docker_pkg_provider: docker-com
+docker_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: docker
+ size: 15G
+ fs: ext4
+
+kubelet_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: kubelet
+ size: 10G
+ fs: ext4
+
+kubernetes_version: 1.29.2
+kubernetes_container_runtime: docker
+kubernetes_standalone_max_pods: 42
+kubernetes_standalone_cni_variant: with-portmap
+
+
+recorder_storage:
+ type: lvm
+ vg: storage
+ lv: recorder
+ size: 400G
+ fs: ext4
+recorder_base_path: /srv/recorder
+recorder_inst_name: feed-glt21s3
+recorder_ffmpeg_image_version: bookworm-decklink12.5-2024-02-18.33
+recorder_input: ['-f', 'decklink', '-video_input', 'sdi', '-format_code', 'Hp25', '-channels', '2', '-i', 'DeckLink Mini Recorder']
+recorder_video_filter_common: "colorspace=iall=bt709:irange=tv:all=bt709:range=tv"
+
+recorder_segment_time: 3600
+recorder_segment_clocktime_offset: 3300
diff --git a/_graveyard_/inventory/hosts.ini b/_graveyard_/inventory/hosts.ini
index a0381990..bf8ab79e 100644
--- a/_graveyard_/inventory/hosts.ini
+++ b/_graveyard_/inventory/hosts.ini
@@ -28,6 +28,34 @@ r3-cccamp19-av host_name=av
###############################
# environment: spreadspace
+[glt-live:vars]
+host_domain=linuxtage.at
+env_group=spreadspace
+
+[glt-live:children]
+glt-live-misc
+glt-live-r3
+glt-live-tug
+
+[glt-live-misc]
+glt-coturn host_name=cdn13
+glt-meet1 host_name=meet1
+glt-meet2 host_name=meet2
+glt-stream host_name=stream
+
+[glt-live-r3]
+glt-gw-r3 host_name=gw-r3
+#glt-dione host_name=dione
+#glt-helene host_name=helene
+glt-calypso host_name=calypso
+#glt-telesto host_name=telesto
+glt-tsdatacop host_name=tsdatacop
+#glt-thetys host_name=thetys
+
+[glt-live-tug]
+glt-gw-tug host_name=gw-tug
+
+
[lendwirbel-live:vars]
host_domain=lndwrbl.live
env_group=spreadspace
@@ -77,6 +105,11 @@ ele-laptop host_name=elevatop
###############################
# host categories
+## OS
+[openwrt]
+glt-gw-r3
+glt-gw-tug
+
[dellos6]
r3-cccamp19-sw0
@@ -118,6 +151,12 @@ lw-master
sgg-icecast
+[hcloud]
+glt-coturn
+glt-meet1
+glt-meet2
+glt-stream
+
[hcloud:children]
lendwirbel-live-dist
lendwirbel-live-xx
@@ -128,6 +167,16 @@ k8s-lwl
[standalone-kubelet]
lw-thetys
sgg-icecast
+glt-coturn
+glt-meet1
+glt-meet2
+glt-dione
+glt-helene
+glt-calypso
+glt-telesto
+glt-tsdatacop
+glt-thetys
+
### Kubernetes Cluster: lendwirbel-live
[k8s-lwl-encoder]
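Review bot: The `[standalone-kubelet]` additions include `glt-dione`, `glt-helene`, `glt-telesto` and `glt-thetys`, but those four hosts are commented out under `[glt-live-r3]` in the first hunk, so they become inventory members without `host_name`, `host_domain` or `env_group`. Any play targeting `standalone-kubelet` would then pick them up with those variables undefined. Comment them out here as well, e.g. `#glt-dione`, until the hosts are defined in their environment group.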