Diffstat (limited to 'inventory/host_vars')
-rw-r--r--inventory/host_vars/ch-apps/node-red.yml2
-rw-r--r--inventory/host_vars/ch-apps/vars.yml17
-rw-r--r--inventory/host_vars/ch-apps/whawty.yml2
-rw-r--r--inventory/host_vars/ch-atlas.yml3
-rw-r--r--inventory/host_vars/ch-chromebook.yml3
-rw-r--r--inventory/host_vars/ch-cm4-sensors0.yml23
-rw-r--r--inventory/host_vars/ch-cm4-sensors1.yml23
-rw-r--r--inventory/host_vars/ch-companion-raspi.yml5
-rw-r--r--inventory/host_vars/ch-dione.yml2
-rw-r--r--inventory/host_vars/ch-epimetheus.yml3
-rw-r--r--inventory/host_vars/ch-equinox-t450s.yml57
-rw-r--r--inventory/host_vars/ch-equinox-ws.yml52
-rw-r--r--inventory/host_vars/ch-greenbone.yml6
-rw-r--r--inventory/host_vars/ch-gw-lan.yml3
-rw-r--r--inventory/host_vars/ch-helene.yml2
-rw-r--r--inventory/host_vars/ch-http-proxy.yml13
-rw-r--r--inventory/host_vars/ch-imap-proxy.yml3
-rw-r--r--inventory/host_vars/ch-iot.yml41
-rw-r--r--inventory/host_vars/ch-jump.yml3
-rw-r--r--inventory/host_vars/ch-mimas.yml10
-rw-r--r--inventory/host_vars/ch-mon.yml67
-rw-r--r--inventory/host_vars/ch-mz-ap.yml (renamed from inventory/host_vars/mz-ap.yml)0
-rw-r--r--inventory/host_vars/ch-mz-router.yml (renamed from inventory/host_vars/mz-router.yml)6
-rw-r--r--inventory/host_vars/ch-pan.yml12
-rw-r--r--inventory/host_vars/ch-phoebe.yml3
-rw-r--r--inventory/host_vars/ch-prometheus.yml3
-rw-r--r--inventory/host_vars/ch-repo.yml86
-rw-r--r--inventory/host_vars/ch-router.yml9
-rw-r--r--inventory/host_vars/ch-sw2.yml (renamed from inventory/host_vars/ch-sw0.yml)12
-rw-r--r--inventory/host_vars/ch-sw3.yml (renamed from inventory/host_vars/ch-sw1.yml)10
-rw-r--r--inventory/host_vars/ch-tarvos.yml1
-rw-r--r--inventory/host_vars/ch-testvm-hcloud.yml3
-rw-r--r--inventory/host_vars/ele-calypso.yml20
-rw-r--r--inventory/host_vars/ele-companion-raspi.yml7
-rw-r--r--inventory/host_vars/ele-coturn.yml2
-rw-r--r--inventory/host_vars/ele-dione.yml3
-rw-r--r--inventory/host_vars/ele-helene.yml5
-rw-r--r--inventory/host_vars/ele-jitsi.yml2
-rw-r--r--inventory/host_vars/ele-media.yml7
-rw-r--r--inventory/host_vars/ele-router-emc.yml1
-rw-r--r--inventory/host_vars/ele-router-hmtsaal.yml1
-rw-r--r--inventory/host_vars/ele-router-orpheum.yml1
-rw-r--r--inventory/host_vars/ele-telesto.yml3
-rw-r--r--inventory/host_vars/ele-thetys.yml5
-rw-r--r--inventory/host_vars/ele-tub.yml1
-rw-r--r--inventory/host_vars/glt-jitsi.yml2
-rw-r--r--inventory/host_vars/s2-thetys.yml2
-rw-r--r--inventory/host_vars/sk-2024.yml63
-rw-r--r--inventory/host_vars/sk-cloudio/bluespice.yml20
-rw-r--r--inventory/host_vars/sk-cloudio/collabora.yml14
-rw-r--r--inventory/host_vars/sk-cloudio/etherpad.yml58
-rw-r--r--inventory/host_vars/sk-cloudio/nextcloud.yml182
-rw-r--r--inventory/host_vars/sk-cloudio/onlyoffice.yml22
-rw-r--r--inventory/host_vars/sk-cloudio/pigallery2.yml20
-rw-r--r--inventory/host_vars/sk-cloudio/vars.yml111
-rw-r--r--inventory/host_vars/sk-testvm.yml2
-rw-r--r--inventory/host_vars/sk-tomnext-nc.yml14
57 files changed, 662 insertions, 391 deletions
diff --git a/inventory/host_vars/ch-apps/node-red.yml b/inventory/host_vars/ch-apps/node-red.yml
index c4b80efd..738d875b 100644
--- a/inventory/host_vars/ch-apps/node-red.yml
+++ b/inventory/host_vars/ch-apps/node-red.yml
@@ -5,7 +5,7 @@ _node_red_zfs_base_:
node_red_instances:
node-red.chaos-at-home.org:
- version: 3.1.9
+ version: 3.1.10
port: 1880
credential_secret: "{{ vault_nodered_credential_secrets['node-red.chaos-at-home.org'] }}"
mqtt_tls:
diff --git a/inventory/host_vars/ch-apps/vars.yml b/inventory/host_vars/ch-apps/vars.yml
index 36ca183d..57a7e485 100644
--- a/inventory/host_vars/ch-apps/vars.yml
+++ b/inventory/host_vars/ch-apps/vars.yml
@@ -65,21 +65,22 @@ prometheus_exporters_extra:
prometheus_job_multitarget_blackbox__probe:
ch-mon:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
prometheus_job_multitarget_ssl__probe:
ch-apps:
- - instance: "sslcert-standalone-kubelet-{{ inventory_hostname }}"
+ - module: file
target: "/etc/ssl/standalone-kubelet/*.pem"
- module: file
- - instance: "sslcert-node-red-{{ inventory_hostname }}"
+ sslcert_instance: "standalone-kubelet"
+ - module: file
target: "/etc/ssl/node-red-*/*.pem"
- module: file
- - instance: "sslcert-whawty-auth-{{ inventory_hostname }}"
+ sslcert_instance: "node-red"
+ - module: file
target: "/etc/ssl/whawty-auth-*/*.pem"
- module: file
+ sslcert_instance: "whawty-auth"
zfs_arc_size:
@@ -140,7 +141,7 @@ kubelet_storage:
quota: 10G
'syncoid:sync': 'false'
-kubernetes_version: 1.30.0
+kubernetes_version: 1.30.4
kubernetes_container_runtime: docker
kubernetes_standalone_max_pods: 42
kubernetes_standalone_cni_variant: with-portmap
diff --git a/inventory/host_vars/ch-apps/whawty.yml b/inventory/host_vars/ch-apps/whawty.yml
index 170c159a..e071bf3a 100644
--- a/inventory/host_vars/ch-apps/whawty.yml
+++ b/inventory/host_vars/ch-apps/whawty.yml
@@ -5,7 +5,7 @@ _whawty_auth_zfs_base_:
whawty_auth_instances:
passwd.chaos-at-home.org:
- version: 0.3
+ version: 0.3.1
port: 3080
store: "{{ whawty_auth_store__chaos_at_home }}"
sync:
diff --git a/inventory/host_vars/ch-atlas.yml b/inventory/host_vars/ch-atlas.yml
index f342445b..1f4dda2f 100644
--- a/inventory/host_vars/ch-atlas.yml
+++ b/inventory/host_vars/ch-atlas.yml
@@ -73,6 +73,7 @@ prometheus_exporter_node_textfile_collector_scripts:
prometheus_job_multitarget_blackbox__probe:
ch-mon:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network.primary.address | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
diff --git a/inventory/host_vars/ch-chromebook.yml b/inventory/host_vars/ch-chromebook.yml
index bf93cba1..55bde4b6 100644
--- a/inventory/host_vars/ch-chromebook.yml
+++ b/inventory/host_vars/ch-chromebook.yml
@@ -1,4 +1,7 @@
---
+## enable this for installation if @ N28
+#apt_repo_provider: chaos-at-home-cache
+
ubuntu_autoinstall_locale: de_AT
ubuntu_autoinstall_keyboard_layout: de
ubuntu_autoinstall_keyboard_variant: nodeadkeys
diff --git a/inventory/host_vars/ch-cm4-sensors0.yml b/inventory/host_vars/ch-cm4-sensors0.yml
index abc0c0bb..7f7982f1 100644
--- a/inventory/host_vars/ch-cm4-sensors0.yml
+++ b/inventory/host_vars/ch-cm4-sensors0.yml
@@ -3,19 +3,16 @@ raspios_variant: lite
raspios_arch: arm64
network:
- nameservers: "{{ network_zones.svc.dns }}"
- domain: "{{ host_domain }}"
+ nameservers: "{{ network_zones.iot.dns }}"
primary: &_network_primary_
name: eth0
- address: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) }}"
- gateway: "{{ network_zones.svc.gateway }}"
- static_routes:
- - destination: "{{ network_zones.lan.prefix }}"
- gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
+ address: "{{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets[inventory_hostname]) }}"
interfaces:
- *_network_primary_
raspios_boot_config:
+ - regexp: '^#?dtparam=i2c_arm'
+ line: 'dtparam=i2c_arm=on'
- regexp: '^#?dtparam=i2c_vc'
line: 'dtparam=i2c_vc=on'
- regexp: '^#?dtoverlay=i2c-rtc'
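Review bot: The rewritten `primary` interface keeps only `address` and drops `gateway`, `static_routes` and `domain`, so the host ends up with no default route and can only reach the iot zone; that looks deliberate given the ntp_client entry pointing at ch-iot added further down, but nothing in the file says so. A one-line comment above `network:` such as `# iot zone is isolated: no default gateway, dns/ntp/apt are served by ch-iot` would keep the next reader from re-adding a gateway. The identical change appears in ch-cm4-sensors1.yml.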
@@ -28,5 +25,17 @@ raspios_boot_config:
line: 'dtoverlay=audremap,pins_18_19'
- regexp: '^#?dtoverlay=gpio-shutdown'
line: 'dtoverlay=gpio-shutdown,gpio_pin=4'
+ - regexp: '^#?dtoverlay=spi0-1cs'
+ line: 'dtoverlay=spi0-1cs'
+ - regexp: '^#?dtoverlay=sc16is752-spi0'
+ line: 'dtoverlay=sc16is752-spi0'
base_entropy_generator: rngd
+
+
+ntp_variant: systemd-timesyncd
+
+ntp_client:
+ servers:
+ - name: "{{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets['ch-iot']) | ansible.utils.ipaddr('address') }}"
+ options: iburst
diff --git a/inventory/host_vars/ch-cm4-sensors1.yml b/inventory/host_vars/ch-cm4-sensors1.yml
index abc0c0bb..7f7982f1 100644
--- a/inventory/host_vars/ch-cm4-sensors1.yml
+++ b/inventory/host_vars/ch-cm4-sensors1.yml
@@ -3,19 +3,16 @@ raspios_variant: lite
raspios_arch: arm64
network:
- nameservers: "{{ network_zones.svc.dns }}"
- domain: "{{ host_domain }}"
+ nameservers: "{{ network_zones.iot.dns }}"
primary: &_network_primary_
name: eth0
- address: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) }}"
- gateway: "{{ network_zones.svc.gateway }}"
- static_routes:
- - destination: "{{ network_zones.lan.prefix }}"
- gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
+ address: "{{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets[inventory_hostname]) }}"
interfaces:
- *_network_primary_
raspios_boot_config:
+ - regexp: '^#?dtparam=i2c_arm'
+ line: 'dtparam=i2c_arm=on'
- regexp: '^#?dtparam=i2c_vc'
line: 'dtparam=i2c_vc=on'
- regexp: '^#?dtoverlay=i2c-rtc'
@@ -28,5 +25,17 @@ raspios_boot_config:
line: 'dtoverlay=audremap,pins_18_19'
- regexp: '^#?dtoverlay=gpio-shutdown'
line: 'dtoverlay=gpio-shutdown,gpio_pin=4'
+ - regexp: '^#?dtoverlay=spi0-1cs'
+ line: 'dtoverlay=spi0-1cs'
+ - regexp: '^#?dtoverlay=sc16is752-spi0'
+ line: 'dtoverlay=sc16is752-spi0'
base_entropy_generator: rngd
+
+
+ntp_variant: systemd-timesyncd
+
+ntp_client:
+ servers:
+ - name: "{{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets['ch-iot']) | ansible.utils.ipaddr('address') }}"
+ options: iburst
diff --git a/inventory/host_vars/ch-companion-raspi.yml b/inventory/host_vars/ch-companion-raspi.yml
index 4bff74aa..d82f5b8e 100644
--- a/inventory/host_vars/ch-companion-raspi.yml
+++ b/inventory/host_vars/ch-companion-raspi.yml
@@ -29,15 +29,14 @@ docker_pkg_provider: docker-com
docker_plugins:
- buildx
-kubernetes_version: 1.30.0
+kubernetes_version: 1.30.4
kubernetes_container_runtime: docker
kubernetes_standalone_max_pods: 42
kubernetes_standalone_cni_variant: with-portmap
-kubernetes_standalone_install_kubeletctl: no
companion_storage:
type: directory
dest: /srv/companion
-companion_version: 3.2.2
+companion_version: 3.3.1
diff --git a/inventory/host_vars/ch-dione.yml b/inventory/host_vars/ch-dione.yml
index 84c48d6c..1782ceea 100644
--- a/inventory/host_vars/ch-dione.yml
+++ b/inventory/host_vars/ch-dione.yml
@@ -49,7 +49,7 @@ kubelet_storage:
size: 5G
fs: ext4
-# kubernetes_version: 1.30.0
+# kubernetes_version: 1.30.4
# kubernetes_container_runtime: docker
# kubernetes_standalone_max_pods: 42
# kubernetes_standalone_cni_variant: with-portmap
diff --git a/inventory/host_vars/ch-epimetheus.yml b/inventory/host_vars/ch-epimetheus.yml
index 15e5f622..39ddbc3d 100644
--- a/inventory/host_vars/ch-epimetheus.yml
+++ b/inventory/host_vars/ch-epimetheus.yml
@@ -40,7 +40,8 @@ prometheus_exporter_node_textfile_collector_scripts:
prometheus_job_multitarget_blackbox__probe:
ch-mon:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
diff --git a/inventory/host_vars/ch-equinox-t450s.yml b/inventory/host_vars/ch-equinox-t450s.yml
index 336b0b7f..869bcac8 100644
--- a/inventory/host_vars/ch-equinox-t450s.yml
+++ b/inventory/host_vars/ch-equinox-t450s.yml
@@ -1,4 +1,10 @@
---
+## enable this for installation if @ N28
+#apt_repo_provider: chaos-at-home-cache
+#kubernetes_apt_repo_baseurl: http://apt.chaos-at-home.org/kubernetes
+#spreadspace_apt_repo_baseurl: http://apt.chaos-at-home.org/spreadspace
+
+
ubuntu_autoinstall_locale: de_AT
ubuntu_autoinstall_keyboard_layout: de
ubuntu_autoinstall_keyboard_variant: nodeadkeys
@@ -11,7 +17,7 @@ ubuntu_autoinstall_manual_partitioning: yes
# edit ESP -> size 128M
# add new GPT Part, 1G, ext4, /boot
# add new GPT Part, rest of disk, unformatted -> create new LVM: name t450s, enable crypto
-# add new LV, root, 50G, ext4, /
+# add new LV, root, 70G, ext4, /
# add new LV, storage, 380G, unformatted
@@ -25,7 +31,7 @@ install_dhcp: yes
network:
domain: "{{ host_domain }}"
primary:
- name: enx00e04d6a076e
+ name: enx00e04c025fa4
base_modules_blacklist: "{{ base_modules_blacklist_none }}"
@@ -96,7 +102,6 @@ ws_base_extra_packages:
- clinfo
- cmake
- cpu-x
- - cura
- ddrescueview
- debhelper
- debmake
@@ -112,9 +117,12 @@ ws_base_extra_packages:
- doxygen
- easytag
- elpa-debian-el
+ - elpa-dockerfile-mode
- elpa-go-mode
+ - elpa-jinja2-mode
- elpa-lua-mode
- elpa-php-mode
+ - elpa-py-autopep8
- elpa-rust-mode
- elpa-web-mode
- elpa-yaml-mode
@@ -125,7 +133,6 @@ ws_base_extra_packages:
- flac
- fldigi
- flex
- - freecad
- freerdp2-x11
- fzf
- gcc-avr
@@ -159,15 +166,9 @@ ws_base_extra_packages:
- jq
- kdenlive
- keepassx
- - kicad
- - kicad-footprints
- - kicad-libraries
- - kicad-packages3d
- - kicad-symbols
- kpartx
- libdbd-mysql-perl
- libgpgme11
- - libncurses5
- libusb-dev
- libusb-1.0-0-dev
- libvirt-clients
@@ -224,8 +225,7 @@ ws_base_extra_packages:
- python3-sphinx-rtd-theme
- python3-toml
- python3-xopen
- - qemu
- - qemu-kvm
+ - qemu-system
- qemu-system-gui
- qemu-user-static
- qemu-utils
@@ -262,6 +262,8 @@ ws_base_extra_packages:
- texlive-lang-german
- texlive-latex-extra
- tlp
+ - tor
+ - tor-geoipdb
- torbrowser-launcher
- totem
- unrar
@@ -286,26 +288,24 @@ ws_base_extra_packages:
- xdg-desktop-portal-gtk
- xfce4-goodies
- xorriso
- - xul-ext-lightning
- yamllint
- yasm
# needs apt-repo/spreadspace
- go
- info-beamer
- #- helm ## TODO: not yet in repo for jammy
- k9s
- kubeletctl
- grype
# needs apt-repo/ansible
- ansible
- # needs apt-repo/tor-project
- - tor
- - tor-geoipdb
# needs apt-repo/kubernetes
- kubectl
# needs apt-repo/element
- element-desktop
+ws_base_extra_snaps:
+ - thunderbird
+
kubernetes_version: "1.30"
@@ -408,11 +408,26 @@ ws_minet_wpa_supplicant_conf: "{{ lookup('unvault', ([global_files_dir, 'chaos-a
ws_flatpak_apps:
- name: org.tenacityaudio.Tenacity
- link: tenacity
+ shortcuts:
+ - name: tenacity
- name: org.audacityteam.Audacity
- link: audacity
+ shortcuts:
+ - name: audacity
- name: org.pipewire.Helvum
- link: helvum
+ shortcuts:
+ - name: helvum
- name: org.localsend.localsend_app
- link: localsend
+ shortcuts:
+ - name: localsend
- name: com.st.STM32CubeIDE
+ - name: org.freecadweb.FreeCAD
+ shortcuts:
+ - name: freecad
+ - name: freecadcmd
+ command: FreeCADCmd
+ - name: org.kicad.KiCad
+ shortcuts:
+ - name: kicad
+ - name: com.ultimaker.cura
+ shortcuts:
+ - name: cura
diff --git a/inventory/host_vars/ch-equinox-ws.yml b/inventory/host_vars/ch-equinox-ws.yml
index 18ea12a9..188a309b 100644
--- a/inventory/host_vars/ch-equinox-ws.yml
+++ b/inventory/host_vars/ch-equinox-ws.yml
@@ -106,7 +106,6 @@ ws_base_extra_packages:
- clinfo
- cmake
- cpu-x
- - cura
- ddrescueview
- debhelper
- debmake
@@ -122,9 +121,12 @@ ws_base_extra_packages:
- doxygen
- easytag
- elpa-debian-el
+ - elpa-dockerfile-mode
- elpa-go-mode
+ - elpa-jinja2-mode
- elpa-lua-mode
- elpa-php-mode
+ - elpa-py-autopep8
- elpa-rust-mode
- elpa-web-mode
- elpa-yaml-mode
@@ -135,7 +137,6 @@ ws_base_extra_packages:
- flac
- fldigi
- flex
- - freecad
- freerdp2-x11
- fzf
- gcc-avr
@@ -166,15 +167,9 @@ ws_base_extra_packages:
- jq
- kdenlive
- keepassx
- - kicad
- - kicad-footprints
- - kicad-libraries
- - kicad-packages3d
- - kicad-symbols
- kpartx
- libdbd-mysql-perl
- libgpgme11
- - libncurses5
- libusb-dev
- libusb-1.0-0-dev
- libvirt-clients
@@ -189,7 +184,6 @@ ws_base_extra_packages:
- meld
- meson
- mingw-w64
- - mono-devel
- mosh
- msmtp-mta
- mumble
@@ -232,8 +226,7 @@ ws_base_extra_packages:
- python3-sphinx-rtd-theme
- python3-toml
- python3-xopen
- - qemu
- - qemu-kvm
+ - qemu-system
- qemu-system-gui
- qemu-user-static
- qemu-utils
@@ -258,7 +251,7 @@ ws_base_extra_packages:
- spice-client-gtk
- sqlite3
- sshfs
- - steam
+ - steam-installer
- stlink-tools
- stm32flash
- stress
@@ -271,6 +264,8 @@ ws_base_extra_packages:
- texlive
- texlive-lang-german
- texlive-latex-extra
+ - tor
+ - tor-geoipdb
- torbrowser-launcher
- totem
- unrar
@@ -294,25 +289,25 @@ ws_base_extra_packages:
- xdg-desktop-portal-gtk
- xfce4-goodies
- xorriso
- - xul-ext-lightning
- yamllint
- yasm
# needs apt-repo/spreadspace
- go
- info-beamer
- #- helm ## TODO: not yet in repo for jammy
- k9s
- kubeletctl
- grype
# needs apt-repo/ansible
- ansible
- # needs apt-repo/tor-project
- - tor
- - tor-geoipdb
# needs apt-repo/kubernetes
- kubectl
# needs apt-repo/element
- element-desktop
+ ## needs apt-repo/qmk
+ #- qmk
+
+ws_base_extra_snaps:
+ - thunderbird
kubernetes_version: "1.30"
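Review bot: The new `ws_base_extra_snaps` stanza runs straight into `kubernetes_version: "1.30"` with no blank line, while the sibling edit in ch-equinox-t450s.yml separates the two top-level keys; this file otherwise keeps one blank line between stanzas, so add one here. The commented `## needs apt-repo/qmk` / `#- qmk` placeholder sits after the element-desktop entry rather than with the other per-repo groups; a short comment on why it is parked there would help.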
@@ -330,11 +325,26 @@ ws_base_xrandr_setup_script: |
ws_flatpak_apps:
- name: org.tenacityaudio.Tenacity
- link: tenacity
+ shortcuts:
+ - name: tenacity
- name: org.audacityteam.Audacity
- link: audacity
+ shortcuts:
+ - name: audacity
- name: org.pipewire.Helvum
- link: helvum
+ shortcuts:
+ - name: helvum
- name: org.localsend.localsend_app
- link: localsend
+ shortcuts:
+ - name: localsend
- name: com.st.STM32CubeIDE
+ - name: org.freecadweb.FreeCAD
+ shortcuts:
+ - name: freecad
+ - name: freecadcmd
+ command: FreeCADCmd
+ - name: org.kicad.KiCad
+ shortcuts:
+ - name: kicad
+ - name: com.ultimaker.cura
+ shortcuts:
+ - name: cura
diff --git a/inventory/host_vars/ch-greenbone.yml b/inventory/host_vars/ch-greenbone.yml
index 05489600..e5e4c3fc 100644
--- a/inventory/host_vars/ch-greenbone.yml
+++ b/inventory/host_vars/ch-greenbone.yml
@@ -43,10 +43,12 @@ spreadspace_apt_repo_components:
prometheus_job_multitarget_blackbox__probe:
ch-mon:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
- - instance: "https-greenbone.chaos-at-home.org"
+ - svc_kind: https
+ svc_instance: "greenbone.chaos-at-home.org"
target: "https://{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/robots.txt"
module: http_tls_2xx
diff --git a/inventory/host_vars/ch-gw-lan.yml b/inventory/host_vars/ch-gw-lan.yml
index 11bc30e0..5677359c 100644
--- a/inventory/host_vars/ch-gw-lan.yml
+++ b/inventory/host_vars/ch-gw-lan.yml
@@ -48,7 +48,8 @@ spreadspace_apt_repo_components:
prometheus_job_multitarget_blackbox__probe:
ch-mon:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
diff --git a/inventory/host_vars/ch-helene.yml b/inventory/host_vars/ch-helene.yml
index e831ff26..52b3a3f9 100644
--- a/inventory/host_vars/ch-helene.yml
+++ b/inventory/host_vars/ch-helene.yml
@@ -49,7 +49,7 @@ kubelet_storage:
size: 5G
fs: ext4
-# kubernetes_version: 1.30.0
+# kubernetes_version: 1.30.4
# kubernetes_container_runtime: docker
# kubernetes_standalone_max_pods: 42
# kubernetes_standalone_cni_variant: with-portmap
diff --git a/inventory/host_vars/ch-http-proxy.yml b/inventory/host_vars/ch-http-proxy.yml
index 53c3cfce..bdbde798 100644
--- a/inventory/host_vars/ch-http-proxy.yml
+++ b/inventory/host_vars/ch-http-proxy.yml
@@ -49,19 +49,21 @@ prometheus_exporters_extra:
prometheus_job_multitarget_blackbox__probe:
ch-mon:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
- - instance: "https-login.chaos-at-home.org"
+ - svc_kind: https
+ svc_instance: "login.chaos-at-home.org"
target: "https://{{ network_services.http.addr }}/login"
module: "http_tls_2xx"
hostname: "login.chaos-at-home.org"
prometheus_job_multitarget_ssl__probe:
ch-http-proxy:
- - instance: "sslcert-apps-publish-{{ inventory_hostname }}"
+ - module: file
target: "/etc/ssl/apps-publish-*/*.pem"
- module: file
+ sslcert_instance: apps-publish
whawty_auth_store_instances:
@@ -124,5 +126,4 @@ whawty_nginx_sso_logins:
prometheus_job_multitarget_whawty_nginx_sso:
ch-http-proxy:
- - instance: "whawty-nginx-sso-{{ inventory_hostname }}-chaos-at-home"
- instance_name: chaos-at-home
+ - app_instance: chaos-at-home
diff --git a/inventory/host_vars/ch-imap-proxy.yml b/inventory/host_vars/ch-imap-proxy.yml
index 76a62757..b54fabcc 100644
--- a/inventory/host_vars/ch-imap-proxy.yml
+++ b/inventory/host_vars/ch-imap-proxy.yml
@@ -42,7 +42,8 @@ spreadspace_apt_repo_components:
prometheus_job_multitarget_blackbox__probe:
ch-mon:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
diff --git a/inventory/host_vars/ch-iot.yml b/inventory/host_vars/ch-iot.yml
index 3772e9a6..8eb72d9c 100644
--- a/inventory/host_vars/ch-iot.yml
+++ b/inventory/host_vars/ch-iot.yml
@@ -49,20 +49,57 @@ ntp_server:
- "{{ network_zones.iot.prefix }}"
+nftables_base_rules:
+ main: |
+ table inet global {
+ chain input_iot {
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ tcp dport { domain, http, 1883 } accept
+ udp dport { bootps, domain, ntp } accept
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ iifname vmap { lo: accept, svc0: accept, iot0: jump input_iot }
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ }
+
+
+coredns_config: |
+ . {
+ bind iot0
+ hosts {
+ {{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }} apt.chaos-at-home.org
+ no_reverse
+ }
+ prometheus 127.0.0.1:9153
+ }
+
+
spreadspace_apt_repo_components:
+ - main
- prometheus
prometheus_exporters_extra:
- chrony
- mosquitto
+ - coredns
prometheus_job_multitarget_blackbox__probe:
ch-mon:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
- - instance: "mqtt-mqtt.chaos-at-home.org"
+ - svc_kind: mqtt
+ svc_instance: "mqtt.chaos-at-home.org"
target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:1883"
module: "tcp_tls_connect"
hostname: "mqtt.chaos-at-home.org"
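Review bot: The `input_iot` chain in the new `nftables_base_rules` accepts dns, http, mqtt, dhcp and ntp on iot0 without any source check, whereas the `input_iot` chain added to ch-mon.yml in this same commit opens with `ip saddr != {{ network_zones.iot.prefix }} drop`. Adding that same first rule here keeps the two hosts' iot policy consistent and drops off-prefix sources that appear on the segment. The forward chain's `policy drop` means this host does not route for the iot zone, which matches the sensor hosts losing their gateway in this commit; a comment to that effect above `nftables_base_rules:` would tie the two changes together.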
diff --git a/inventory/host_vars/ch-jump.yml b/inventory/host_vars/ch-jump.yml
index 92adb5cf..d0d84bf5 100644
--- a/inventory/host_vars/ch-jump.yml
+++ b/inventory/host_vars/ch-jump.yml
@@ -68,6 +68,7 @@ spreadspace_apt_repo_components:
prometheus_job_multitarget_blackbox__probe:
ch-mon:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
diff --git a/inventory/host_vars/ch-mimas.yml b/inventory/host_vars/ch-mimas.yml
index b8716d05..d2ad251b 100644
--- a/inventory/host_vars/ch-mimas.yml
+++ b/inventory/host_vars/ch-mimas.yml
@@ -9,8 +9,6 @@ install:
external_ip: "116.203.212.131"
external_ip6: "2a01:4f8:c2c:906c::2"
-apt_repo_provider: hetzner
-
apt_repo_components:
- main
- contrib ## for zfs
@@ -65,7 +63,7 @@ wireguard_p2p_peers:
- pub_key: "9pUDet+les5aI9UnHHVgyw95hNBxlAX8DBCxTjigpEI="
endpoint:
host: "{{ network_zones.magenta.prefix | ansible.utils.ipaddr(network_zones.magenta.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
- port: 51820
+ port: 5182
allowed_ips:
- "{{ network_zones.remote.prefix }}"
- "{{ network_zones.svc.prefix }}"
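Review bot: The wireguard peer endpoint port at the `port:` line changes from 51820 to 5182; 5182 reads like 51820 with the last digit dropped, so please confirm the listen port on ch-router really moved (ch-router.yml is in the diffstat but not in view here). If the change is intentional, `port: 5182  # ch-router listens on a non-default port` would make that obvious to the next reader. The same edit appears in ch-pan.yml.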
@@ -136,10 +134,12 @@ prometheus_exporters_extra:
prometheus_job_multitarget_blackbox__probe:
ch-mon:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ external_ip }}:{{ ansible_port | default(22) }}"
module: ssh_banner
- - instance: "https-mimas.chaos-at-home.org"
+ - svc_kind: https
+ svc_instance: "mimas.chaos-at-home.org"
target: "https://mimas.chaos-at-home.org"
module: http_tls_2xx
diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml
index 7671b155..b93dbd05 100644
--- a/inventory/host_vars/ch-mon.yml
+++ b/inventory/host_vars/ch-mon.yml
@@ -58,6 +58,30 @@ spreadspace_apt_repo_components:
nftables_base_rules:
+ main: |
+ table inet global {
+ chain input_iot {
+ ip saddr != {{ network_zones.iot.prefix }} drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ }
+
+ chain input_mgmt {
+ ip saddr != {{ network_zones.mgmt.prefix }} drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ iifname vmap { lo: accept, svc0: accept, iot0: jump input_iot, mgmt0: jump input_mgmt }
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ }
protect-grafana-auth-proxy: |
table inet filter {
chain protect-grafana-auth-proxy {
@@ -97,8 +121,7 @@ whawty_nginx_sso_auths:
prometheus_job_multitarget_whawty_nginx_sso:
ch-mon:
- - instance: "whawty-nginx-sso-{{ inventory_hostname }}-chaos-at-home"
- instance_name: chaos-at-home
+ - app_instance: chaos-at-home
prometheus_server_storage:
@@ -118,6 +141,7 @@ prometheus_server_alertmanager:
basic_auth:
username: server
password: "{{ vault_prometheus_alertmanager_auth_user_passwords['server'] }}"
+ scrape_instance: "{{ inventory_hostname }}"
prometheus_server_web_external_url: "http://mon.chaos-at-home.org/prometheus/"
@@ -150,18 +174,21 @@ prometheus_exporter_smokeping_targets:
prometheus_job_multitarget_blackbox__probe:
ch-mon:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
- - instance: "https-mon.chaos-at-home.org"
+ - svc_kind: https
+ svc_instance: "mon.chaos-at-home.org"
target: "https://{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/healthz"
module: http_tls_2xx
prometheus_job_multitarget_ssl__probe:
ch-mon:
- - instance: "sslcert-prometheus-{{ inventory_hostname }}"
+ - module: file
target: "/etc/ssl/prometheus/**/*.pem"
- module: file
+ sslcert_instance: prometheus
+
prometheus_server_rules_node_extra:
- alert: GitFsckMetricsOutdated
@@ -234,27 +261,33 @@ grafana_datasources:
manageAlerts: no
grafana_dashboards:
- - file: node-full
+ - file: sys/node-full
+ datasource: "Prometheus"
+ - file: sys/openwrt
+ datasource: "Prometheus"
+ - file: sys/ipmi
+ datasource: "Prometheus"
+ - file: environment/sensors
datasource: "Prometheus"
- - file: openwrt
+ - file: blackbox/ssh
datasource: "Prometheus"
- - file: chrony
+ - file: blackbox/https
datasource: "Prometheus"
- - file: environment-sensors
+ - file: blackbox/mqtt
datasource: "Prometheus"
- - file: blackbox
+ - file: net/chrony
datasource: "Prometheus"
- - file: smokeping
+ - file: net/smokeping
datasource: "Prometheus"
- - file: bind
+ - file: net/bind
datasource: "Prometheus"
- - file: ipmi
+ - file: net/mosquitto
datasource: "Prometheus"
- - file: standalone-kubelet-overview
+ - file: net/coredns
datasource: "Prometheus"
- - file: whawty-nginx-sso
+ - file: apps/standalone-kubelet-overview
datasource: "Prometheus"
- - file: mosquitto
+ - file: apps/whawty-nginx-sso
datasource: "Prometheus"
grafana_admin_password: "{{ vault_grafana_admin_password }}"
diff --git a/inventory/host_vars/mz-ap.yml b/inventory/host_vars/ch-mz-ap.yml
index 044f41f9..044f41f9 100644
--- a/inventory/host_vars/mz-ap.yml
+++ b/inventory/host_vars/ch-mz-ap.yml
diff --git a/inventory/host_vars/mz-router.yml b/inventory/host_vars/ch-mz-router.yml
index 254aaf02..c798623b 100644
--- a/inventory/host_vars/mz-router.yml
+++ b/inventory/host_vars/ch-mz-router.yml
@@ -1,10 +1,4 @@
---
-## TOOD:
-# After router upgrades run this command to generate a new dyndns ssh key
-# $ dropbearkey -t ed25519 -f /etc/dyndns/id_ed25519
-# Then replace the key at the dyndns server (/var/lib/dyndns/.ssh/authorized_keys)
-# after that run the dyndns update script manually to accept the ssh host-key
-
openwrt_arch: ath79
openwrt_target: generic
openwrt_profile: tplink_tl-wdr4300-v1
diff --git a/inventory/host_vars/ch-pan.yml b/inventory/host_vars/ch-pan.yml
index c364dd7f..2b7fc39b 100644
--- a/inventory/host_vars/ch-pan.yml
+++ b/inventory/host_vars/ch-pan.yml
@@ -58,7 +58,7 @@ wireguard_p2p_peers:
- pub_key: "9pUDet+les5aI9UnHHVgyw95hNBxlAX8DBCxTjigpEI="
endpoint:
host: "{{ network_zones.magenta.prefix | ansible.utils.ipaddr(network_zones.magenta.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
- port: 51820
+ port: 5182
allowed_ips:
- "{{ network_zones.remote.prefix }}"
- "{{ network_zones.svc.prefix }}"
@@ -77,7 +77,7 @@ dyndns:
rname: hostmaster.schaaas.at
refresh: 1200
retry: 900
- expire: 2592000
+ expire: 2419200
default_ttl: 60
static_records:
- "schaaas.at. 7200 IN NS ns0.chaos-at-home.org."
@@ -88,7 +88,7 @@ dyndns:
- "dyn.schaaas.at. 7200 IN AAAA 2a02:3e0:407::19"
- "captive.schaaas.at. 7200 IN CNAME dyn.schaaas.at."
clients:
- mz-router: mzl
+ ch-mz-router: mzl
ch-equinox-t450s: equinox
ele-media: elemedia
@@ -170,10 +170,12 @@ prometheus_exporters_extra:
prometheus_job_multitarget_blackbox__probe:
ch-mon:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network.primary.address | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
- - instance: "https-pan.chaos-at-home.org"
+ - svc_kind: https
+ svc_instance: "pan.chaos-at-home.org"
target: "https://pan.chaos-at-home.org"
module: http_tls_2xx
diff --git a/inventory/host_vars/ch-phoebe.yml b/inventory/host_vars/ch-phoebe.yml
index cfcfebc8..0f2ed044 100644
--- a/inventory/host_vars/ch-phoebe.yml
+++ b/inventory/host_vars/ch-phoebe.yml
@@ -69,7 +69,8 @@ prometheus_exporter_ipmi_modules:
prometheus_job_multitarget_blackbox__probe:
ch-mon:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
diff --git a/inventory/host_vars/ch-prometheus.yml b/inventory/host_vars/ch-prometheus.yml
index de7e273b..b5641464 100644
--- a/inventory/host_vars/ch-prometheus.yml
+++ b/inventory/host_vars/ch-prometheus.yml
@@ -64,7 +64,8 @@ prometheus_exporter_ipmi_modules:
prometheus_job_multitarget_blackbox__probe:
ch-mon:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
diff --git a/inventory/host_vars/ch-repo.yml b/inventory/host_vars/ch-repo.yml
new file mode 100644
index 00000000..de952d74
--- /dev/null
+++ b/inventory/host_vars/ch-repo.yml
@@ -0,0 +1,86 @@
+---
+## for installation only
+# apt_repo_provider: anexia
+install_jumphost: ch-jump
+
+install:
+ vm:
+ memory: 2G
+ numcpus: 2
+ autostart: True
+ disks:
+ primary: /dev/sda
+ scsi:
+ sda:
+ type: zfs
+ name: root
+ size: 10g
+ sdb:
+ type: zfs
+ name: data
+ size: 50g
+ properties:
+ 'syncoid:sync': 'false'
+ interfaces:
+ - bridge: br-svc
+ name: svc0
+
+network:
+ nameservers: "{{ network_zones.svc.dns }}"
+ domain: "{{ host_domain }}"
+ systemd_link:
+ interfaces: "{{ install.interfaces }}"
+ primary: &_network_primary_
+ name: svc0
+ address: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) }}"
+ gateway: "{{ network_zones.svc.gateway }}"
+ static_routes:
+ - destination: "{{ network_zones.lan.prefix }}"
+ gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
+ interfaces:
+ - *_network_primary_
+
+
+spreadspace_apt_repo_components:
+ - prometheus
+
+ntp_variant: systemd-timesyncd
+
+
+lvm_groups:
+ storage:
+ pvs:
+ - /dev/sdb
+
+
+approx_storage:
+ type: lvm
+ vg: storage
+ lv: approx
+ size: 15G
+ fs: ext4
+
+approx_hostname: apt.chaos-at-home.org
+
+approx_backends:
+ debian: http://debian.anexia.at/debian
+ debian-security: http://debian.anexia.at/debian-security
+ debian-archive: http://archive.debian.org/debian
+ ubuntu: http://ubuntu.anexia.at/ubuntu
+ kali: http://http.kali.org/kali
+ raspios: http://archive.raspberrypi.com/debian
+ spreadspace: http://build.spreadspace.org
+ kubernetes: "https://pkgs.k8s.io/core:/stable:"
+ docker-com: https://download.docker.com/linux
+
+
+prometheus_job_multitarget_blackbox__probe:
+ ch-mon:
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
+ target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
+ module: ssh_banner
+ - svc_kind: http
+ svc_instance: "apt.chaos-at-home.org"
+ target: "http://{{ approx_hostname }}"
+ module: "http_2xx"
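Review bot: The approx upstreams at L1033-1039 are plain `http://` URLs, so the integrity of what lands in the cache rests entirely on the clients' apt signature verification of the Release files — approx is a caching proxy and, as far as I know, verifies nothing itself — while the `kubernetes` and `docker-com` entries already use `https://`. Where a mirror offers TLS, `https://` on the upstream leg also removes the metadata-observability and on-path tampering exposure; either way a one-line comment would record the decision, e.g. `# upstreams fetched over plain HTTP: clients must verify Release signatures`. Two smaller points: `autostart: True` at L977 should be `true` (yamllint truthy), and `svc_instance: "apt.chaos-at-home.org"` at L1051 duplicates `approx_hostname` from L1030 — `svc_instance: "{{ approx_hostname }}"` keeps them from drifting.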
diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml
index 9c07b42d..aaa46bb2 100644
--- a/inventory/host_vars/ch-router.yml
+++ b/inventory/host_vars/ch-router.yml
@@ -49,7 +49,6 @@ openwrt_packages_add:
- wireguard-tools
- iptraf-ng
- prometheus-node-exporter-lua
- - prometheus-node-exporter-lua-nat_traffic
- prometheus-node-exporter-lua-netstat
- prometheus-node-exporter-lua-openwrt
@@ -186,7 +185,7 @@ openwrt_mixin:
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
tcp dport { {{ ansible_port }} } accept
- udp dport { openvpn, 51820 } accept
+ udp dport { openvpn, 5182 } accept
}
chain input_openvpn {
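Review bot: The WireGuard port move from 51820 to 5182 is applied consistently to the nftables input rule here (L1070) and to `listen_port` in the uci hunk at L1078, but the peer side of the tunnel (whatever endpoints the remote peers dial) is not in this diff, so those peers keep sending to 51820 until their configs are updated — confirm that happened in the same change set. A brief comment next to `listen_port: 5182` naming the intent would help the next reader, e.g. `# non-default WireGuard port; keep in sync with the nftables input rule and the peers' endpoint config`. The nftables chain continues outside the hunk.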
@@ -369,7 +368,7 @@ openwrt_uci:
options:
proto: wireguard
private_key: "{{ vault_wireguard_remote_private_key }}"
- listen_port: 51820
+ listen_port: 5182
addresses:
- "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}"
nohostroute: 1
@@ -405,8 +404,8 @@ openwrt_uci:
options:
enabled: '1'
interface: 'eth1'
- download: '147000'
- upload: '20000'
+ download: '510000'
+ upload: '72000'
qdisc: 'cake'
script: 'piece_of_cake.qos'
qdisc_advanced: '0'
diff --git a/inventory/host_vars/ch-sw0.yml b/inventory/host_vars/ch-sw2.yml
index f2f6d3df..88a7a3c7 100644
--- a/inventory/host_vars/ch-sw0.yml
+++ b/inventory/host_vars/ch-sw2.yml
@@ -1,15 +1,13 @@
---
switch_interfaces_yaml: |
- - spec: Te1/0/1
- description: "sw1"
- switchport_mode: trunk
-
- - spec: Te1/0/2
- description: "RFU"
+ - spec: Te1/0/1-2
+ channel_group: 64
+ - spec: port-channel 64
+ description: "sw0"
switchport_mode: trunk
- spec: Te1/0/3
- description: "FRU"
+ description: "RFU"
vlan: {{ network_zones.lan.vlan }}
- spec: Te1/0/4
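Review bot: Te1/0/3 is described `"RFU"` (L1113) yet still receives `vlan: {{ network_zones.lan.vlan }}` (L1114), so a port that is presumably reserved for future use sits live on the LAN VLAN; unused access ports are normally shut down or parked in a dead VLAN until assigned, which keeps a stray patch cable from landing on the LAN. The ch-sw3 hunk at L1135-1136 has the identical arrangement. The port-channel descriptions in both renamed files still read `"sw0"` (L1109, L1127) even though ch-sw0/ch-sw1 were renamed to ch-sw2/ch-sw3 — if a new sw0 is the uplink peer that is fine, but it is not visible here. The `switch_interfaces_yaml` block scalar continues outside the hunk.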
diff --git a/inventory/host_vars/ch-sw1.yml b/inventory/host_vars/ch-sw3.yml
index cf77edbf..39dbadf6 100644
--- a/inventory/host_vars/ch-sw1.yml
+++ b/inventory/host_vars/ch-sw3.yml
@@ -1,15 +1,13 @@
---
switch_interfaces_yaml: |
- - spec: Te1/0/1
+ - spec: Te1/0/1-2
+ channel_group: 64
+ - spec: port-channel 64
description: "sw0"
switchport_mode: trunk
- - spec: Te1/0/2
- description: "RFU"
- switchport_mode: trunk
-
- spec: Te1/0/3
- description: "epimetheus"
+ description: "RFU"
vlan: {{ network_zones.lan.vlan }}
- spec: Te1/0/4
diff --git a/inventory/host_vars/ch-tarvos.yml b/inventory/host_vars/ch-tarvos.yml
index f92255b3..1b457d84 100644
--- a/inventory/host_vars/ch-tarvos.yml
+++ b/inventory/host_vars/ch-tarvos.yml
@@ -12,6 +12,7 @@ debian_preseed_install_tasks:
install:
+ efi: no
disks:
primary: /dev/disk/by-id/ata-Samsung_SSD_850_PRO_128GB_S1SMNSAG201847J
system_lvm:
diff --git a/inventory/host_vars/ch-testvm-hcloud.yml b/inventory/host_vars/ch-testvm-hcloud.yml
index f9e59624..66a1ab01 100644
--- a/inventory/host_vars/ch-testvm-hcloud.yml
+++ b/inventory/host_vars/ch-testvm-hcloud.yml
@@ -5,6 +5,3 @@ install:
cloud:
credentials:
token: "{{ vault_hcloud_api_token }}"
-
-
-apt_repo_provider: hetzner
diff --git a/inventory/host_vars/ele-calypso.yml b/inventory/host_vars/ele-calypso.yml
index 5280da0c..8da4c4af 100644
--- a/inventory/host_vars/ele-calypso.yml
+++ b/inventory/host_vars/ele-calypso.yml
@@ -74,7 +74,7 @@ kubelet_storage:
size: 5G
fs: ext4
-kubernetes_version: 1.30.0
+kubernetes_version: 1.30.4
kubernetes_container_runtime: docker
kubernetes_standalone_max_pods: 42
kubernetes_standalone_cni_variant: with-portmap
@@ -101,6 +101,7 @@ prometheus_server_storage:
prometheus_server_alertmanager:
url: "127.0.0.1:9093"
path_prefix: "/alertmanager/"
+ scrape_instance: "{{ inventory_hostname }}"
prometheus_server_web_external_url: "http://{{ network.primary.address | ansible.utils.ipaddr('address') }}/prometheus/"
@@ -122,7 +123,8 @@ prometheus_exporter_blackbox_modules_extra:
prometheus_job_multitarget_blackbox__probe:
ele-calypso:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
@@ -172,19 +174,19 @@ grafana_datasources:
manageAlerts: no
grafana_dashboards:
- - file: node-full
+ - file: sys/node-full
datasource: "Prometheus"
- - file: openwrt
+ - file: sys/openwrt
datasource: "Prometheus"
- - file: chrony
+ - file: sys/ipmi
datasource: "Prometheus"
- - file: blackbox
+ - file: net/chrony
datasource: "Prometheus"
- - file: network-ups-tools
+ - file: blackbox/ssh
datasource: "Prometheus"
- - file: ipmi
+ - file: environment/network-ups-tools
datasource: "Prometheus"
- - file: standalone-kubelet-overview
+ - file: apps/standalone-kubelet-overview
datasource: "Prometheus"
grafana_admin_password: "{{ vault_grafana_admin_password }}"
diff --git a/inventory/host_vars/ele-companion-raspi.yml b/inventory/host_vars/ele-companion-raspi.yml
index 5f30ce02..b25acb27 100644
--- a/inventory/host_vars/ele-companion-raspi.yml
+++ b/inventory/host_vars/ele-companion-raspi.yml
@@ -29,22 +29,21 @@ docker_pkg_provider: docker-com
docker_plugins:
- buildx
-kubernetes_version: 1.30.0
+kubernetes_version: 1.30.4
kubernetes_container_runtime: docker
kubernetes_standalone_max_pods: 42
kubernetes_standalone_cni_variant: with-portmap
-kubernetes_standalone_install_kubeletctl: no
companion_storage:
type: directory
dest: /srv/companion
-companion_version: 3.2.2
+companion_version: 3.3.1
ontime_storage:
type: directory
dest: /srv/ontime
-ontime_version: 2.28.17
+ontime_version: 3.1.1
diff --git a/inventory/host_vars/ele-coturn.yml b/inventory/host_vars/ele-coturn.yml
index 4264a6a0..1cbc2767 100644
--- a/inventory/host_vars/ele-coturn.yml
+++ b/inventory/host_vars/ele-coturn.yml
@@ -27,7 +27,7 @@ acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
acme_client: acmetool
-kubernetes_version: 1.30.0
+kubernetes_version: 1.30.4
kubernetes_container_runtime: docker
kubernetes_standalone_max_pods: 100
kubernetes_standalone_pod_cidr: 192.168.255.0/24
diff --git a/inventory/host_vars/ele-dione.yml b/inventory/host_vars/ele-dione.yml
index 7b1d98d7..7f5b8a31 100644
--- a/inventory/host_vars/ele-dione.yml
+++ b/inventory/host_vars/ele-dione.yml
@@ -98,6 +98,7 @@ prometheus_exporter_ipmi_modules:
prometheus_job_multitarget_blackbox__probe:
ele-calypso:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network_zones.emc.prefix | ansible.utils.ipaddr(network_zones.emc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
diff --git a/inventory/host_vars/ele-helene.yml b/inventory/host_vars/ele-helene.yml
index 750e9317..76f7978c 100644
--- a/inventory/host_vars/ele-helene.yml
+++ b/inventory/host_vars/ele-helene.yml
@@ -66,7 +66,8 @@ prometheus_exporter_ipmi_modules:
prometheus_job_multitarget_blackbox__probe:
ele-calypso:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
@@ -91,7 +92,7 @@ kubelet_storage:
size: 5G
fs: ext4
-kubernetes_version: 1.30.0
+kubernetes_version: 1.30.4
kubernetes_container_runtime: docker
kubernetes_standalone_max_pods: 42
kubernetes_standalone_cni_variant: with-portmap
diff --git a/inventory/host_vars/ele-jitsi.yml b/inventory/host_vars/ele-jitsi.yml
index 19c5b115..4fe526c0 100644
--- a/inventory/host_vars/ele-jitsi.yml
+++ b/inventory/host_vars/ele-jitsi.yml
@@ -32,7 +32,7 @@ acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
acme_client: acmetool
-kubernetes_version: 1.30.0
+kubernetes_version: 1.30.4
kubernetes_container_runtime: docker
kubernetes_standalone_max_pods: 100
kubernetes_standalone_cni_variant: with-portmap
diff --git a/inventory/host_vars/ele-media.yml b/inventory/host_vars/ele-media.yml
index 741b73bb..d0fe5e2f 100644
--- a/inventory/host_vars/ele-media.yml
+++ b/inventory/host_vars/ele-media.yml
@@ -51,7 +51,8 @@ prometheus_exporter_node_textfile_collector_scripts:
prometheus_job_multitarget_blackbox__probe:
ele-calypso:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
@@ -72,7 +73,7 @@ kubelet_storage:
size: 5G
fs: ext4
-kubernetes_version: 1.30.0
+kubernetes_version: 1.30.4
kubernetes_container_runtime: docker
kubernetes_standalone_cni_variant: with-portmap
@@ -133,7 +134,7 @@ elevate_media_nextcloud_storage:
elevate_media_nextcloud_instance_name: media.elev8.at
elevate_media_nextcloud_instance:
- version: 28.0.4
+ version: 29.0.3
port: 8100
hostnames:
- media.elev8.at
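Review bot: `version: 29.0.3` at L1310 leaves this Nextcloud one patch release behind the `29.0.4` the same commit sets for sk-tomnext-nc (L2046); the sk-cloudio `wolke.elev8.at` instance (L1774) is also pinned to 29.0.3. If the lag is intentional (staged rollout), a short comment makes that clear, e.g. `# 29.0.4 pending; see sk-tomnext-nc`; otherwise align to 29.0.4 so both hosts receive the same fixes. `elevate_media_nextcloud_instance` continues outside the hunk.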
diff --git a/inventory/host_vars/ele-router-emc.yml b/inventory/host_vars/ele-router-emc.yml
index ae933d1a..9a1199ec 100644
--- a/inventory/host_vars/ele-router-emc.yml
+++ b/inventory/host_vars/ele-router-emc.yml
@@ -138,7 +138,6 @@ openwrt_packages_add:
- mtr
- iptraf-ng
- prometheus-node-exporter-lua
- - prometheus-node-exporter-lua-nat_traffic
- prometheus-node-exporter-lua-netstat
- prometheus-node-exporter-lua-openwrt
diff --git a/inventory/host_vars/ele-router-hmtsaal.yml b/inventory/host_vars/ele-router-hmtsaal.yml
index 426e4c02..827e207e 100644
--- a/inventory/host_vars/ele-router-hmtsaal.yml
+++ b/inventory/host_vars/ele-router-hmtsaal.yml
@@ -170,7 +170,6 @@ openwrt_packages_add:
- sqm-scripts
- openvpn-openssl
- prometheus-node-exporter-lua
- - prometheus-node-exporter-lua-nat_traffic
- prometheus-node-exporter-lua-netstat
- prometheus-node-exporter-lua-openwrt
diff --git a/inventory/host_vars/ele-router-orpheum.yml b/inventory/host_vars/ele-router-orpheum.yml
index 890bd293..9b0fad43 100644
--- a/inventory/host_vars/ele-router-orpheum.yml
+++ b/inventory/host_vars/ele-router-orpheum.yml
@@ -168,7 +168,6 @@ openwrt_packages_add:
- sqm-scripts
- openvpn-openssl
- prometheus-node-exporter-lua
- - prometheus-node-exporter-lua-nat_traffic
- prometheus-node-exporter-lua-netstat
- prometheus-node-exporter-lua-openwrt
diff --git a/inventory/host_vars/ele-telesto.yml b/inventory/host_vars/ele-telesto.yml
index 030a7111..f70efa16 100644
--- a/inventory/host_vars/ele-telesto.yml
+++ b/inventory/host_vars/ele-telesto.yml
@@ -74,6 +74,7 @@ prometheus_exporter_ipmi_modules:
prometheus_job_multitarget_blackbox__probe:
ele-calypso:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network_zones.emc.prefix | ansible.utils.ipaddr(network_zones.emc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
diff --git a/inventory/host_vars/ele-thetys.yml b/inventory/host_vars/ele-thetys.yml
index af76d2e6..8d00359e 100644
--- a/inventory/host_vars/ele-thetys.yml
+++ b/inventory/host_vars/ele-thetys.yml
@@ -51,7 +51,8 @@ prometheus_exporters_extra:
prometheus_job_multitarget_blackbox__probe:
ele-calypso:
- - instance: "ssh-{{ inventory_hostname }}"
+ - svc_kind: ssh
+ svc_instance: "{{ inventory_hostname }}"
target: "{{ network_zones.cc_orpheum.prefix | ansible.utils.ipaddr(network_zones.cc_orpheum.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
@@ -76,7 +77,7 @@ kubelet_storage:
size: 5G
fs: ext4
-kubernetes_version: 1.30.0
+kubernetes_version: 1.30.4
kubernetes_container_runtime: docker
kubernetes_standalone_max_pods: 42
kubernetes_standalone_cni_variant: with-portmap
diff --git a/inventory/host_vars/ele-tub.yml b/inventory/host_vars/ele-tub.yml
index 46d165e8..ff950a29 100644
--- a/inventory/host_vars/ele-tub.yml
+++ b/inventory/host_vars/ele-tub.yml
@@ -38,7 +38,6 @@ openwrt_packages_add:
- mtr
- iptraf-ng
- prometheus-node-exporter-lua
- - prometheus-node-exporter-lua-nat_traffic
- prometheus-node-exporter-lua-netstat
- prometheus-node-exporter-lua-openwrt
diff --git a/inventory/host_vars/glt-jitsi.yml b/inventory/host_vars/glt-jitsi.yml
index 28fa7906..69e51909 100644
--- a/inventory/host_vars/glt-jitsi.yml
+++ b/inventory/host_vars/glt-jitsi.yml
@@ -27,7 +27,7 @@ acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
acme_client: acmetool
-kubernetes_version: 1.30.0
+kubernetes_version: 1.30.4
kubernetes_container_runtime: docker
kubernetes_standalone_max_pods: 100
kubernetes_standalone_cni_variant: with-portmap
diff --git a/inventory/host_vars/s2-thetys.yml b/inventory/host_vars/s2-thetys.yml
index 809eade7..8f03e497 100644
--- a/inventory/host_vars/s2-thetys.yml
+++ b/inventory/host_vars/s2-thetys.yml
@@ -53,7 +53,7 @@ kubelet_storage:
size: 5G
fs: ext4
-kubernetes_version: 1.30.0
+kubernetes_version: 1.30.4
kubernetes_container_runtime: docker
kubernetes_standalone_max_pods: 42
kubernetes_standalone_cni_variant: with-portmap
diff --git a/inventory/host_vars/sk-2024.yml b/inventory/host_vars/sk-2024.yml
new file mode 100644
index 00000000..338ffeca
--- /dev/null
+++ b/inventory/host_vars/sk-2024.yml
@@ -0,0 +1,63 @@
+---
+system_lvm_volume_size_root: 4G
+install:
+ cloud:
+ credentials: "{{ vault_hroot_robot_account }}"
+ disks:
+ primary: software-raid
+ raid:
+ level: 1
+ members:
+ - /dev/nvme0n1
+ - /dev/nvme1n1
+ system_lvm:
+ size: 15G
+
+network:
+ nameservers: "{{ vm_host.network.dns }}"
+ domain: "{{ host_domain }}"
+ interfaces:
+ - name: br-public
+ address: "{{ vm_host.network.bridges.public.prefix | ansible.utils.ipaddr(vm_host.network.bridges.public.offsets[inventory_hostname]) }}"
+
+external_ip: "94.130.242.46"
+
+ssh_users_root:
+ - equinox
+ - dan
+
+apt_repo_components:
+ - main
+ - contrib ## for zfs
+ - non-free-firmware
+
+
+luks_devices:
+ crypto-nvme0:
+ passphrase: "{{ vault_luks_devices['crypto-nvme0'].passphrase }}"
+ device: /dev/disk/by-id/nvme-eui.002538b531b04024-part3
+ crypto-nvme1:
+ passphrase: "{{ vault_luks_devices['crypto-nvme1'].passphrase }}"
+ device: /dev/disk/by-id/nvme-eui.002538b531b0402c-part3
+
+
+zfs_arc_size:
+ min: 2GB
+ max: 8GB
+
+zfs_pools:
+ storage:
+ mountpoint: /srv/storage
+ create_vdevs: mirror /dev/mapper/crypto-nvme0 /dev/mapper/crypto-nvme1
+ properties:
+ ashift: 12
+ autotrim: "on"
+
+zfs_sanoid_modules:
+ storage/vm:
+ use_template: production
+ recursive: yes
+ process_children_only: yes
+ storage/vm/sk-cloudio/data:
+ use_template: ignore
+ recursive: yes
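Review bot: `storage/vm/sk-cloudio/data` gets `use_template: ignore` at L1479-1481, and the guest side sets `'syncoid:sync': 'false'` on what is presumably that same data disk (sk-cloudio vars.yml L1901), so the 900g volume is neither snapshotted nor replicated at the host level; the guest's own sanoid modules (vars.yml L1943-1954) cover `storage/nextcloud` and `storage/keycloak`, but nothing in this diff shows that guest-level data leaving the box. If that is intentional (snapshots inside the VM, backups handled elsewhere), a comment on the `ignore` entry would save the next reader the cross-reference, e.g. `# snapshotted inside the guest (see sk-cloudio zfs_sanoid_modules); not replicated from the host`. `recursive: yes` / `process_children_only: yes` at L1477-1478 and L1481 would read better as `true`.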
diff --git a/inventory/host_vars/sk-cloudio/bluespice.yml b/inventory/host_vars/sk-cloudio/bluespice.yml
deleted file mode 100644
index 30b3f330..00000000
--- a/inventory/host_vars/sk-cloudio/bluespice.yml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-## bluespice role does not work yet...
-
-# bluespice_zfs:
-# pool: storage
-# name: bluespice
-# properties:
-# compression: lz4
-# quota: 20G
-
-# bluespice_instances:
-# example:
-# version: 4.2.4
-# port: 8000
-# hostname: bs.elev8.at
-# language: en
-# admin:
-# username: admin
-# password: test
-# db_password: secretgeheim
diff --git a/inventory/host_vars/sk-cloudio/collabora.yml b/inventory/host_vars/sk-cloudio/collabora.yml
index 93cab2eb..5910da27 100644
--- a/inventory/host_vars/sk-cloudio/collabora.yml
+++ b/inventory/host_vars/sk-cloudio/collabora.yml
@@ -1,11 +1,17 @@
---
-collabora_code_base_path: /srv/storage/collabora/code
-
collabora_code_instances:
o.skillz.biz:
- version: 23.05.6.4.1
+ version: 24.04.6.2.1
port: 8200
- hostname: o.skillz.biz
+ storage:
+ type: directory
+ dest: /srv/storage/collabora/code/o.skillz.biz
+ publish:
+ zone: "{{ apps_publish_zone__sk_cloudio }}"
+ hostnames:
+ - o.skillz.biz
+ tls:
+ certificate_provider: acmetool
admin:
username: admin
password: "{{ vault_collabora_code_admin_passwords['o.skillz.biz'] }}"
diff --git a/inventory/host_vars/sk-cloudio/etherpad.yml b/inventory/host_vars/sk-cloudio/etherpad.yml
deleted file mode 100644
index a368be44..00000000
--- a/inventory/host_vars/sk-cloudio/etherpad.yml
+++ /dev/null
@@ -1,58 +0,0 @@
----
-etherpad_lite_zfs:
- pool: storage
- name: etherpad-lite
- properties:
- compression: lz4
-
-etherpad_lite_instances:
- pad.elevate.at:
- version: c65c5f17aa26c9179ce591f44721861ba6f6bec4-elevate
- port: 8300
- hostnames:
- - pad.elevate.at
- zfs_properties:
- quota: 5G
- settings:
- title: Elevate Etherpad
- users:
- admin:
- is_admin: true
- password: "{{ vault_etherpad_lite_user_passwords['pad.elevate.at']['admin'] }}"
- user:
- is_admin: false
- password: "{{ vault_etherpad_lite_user_passwords['pad.elevate.at']['user'] }}"
-
- defaultPadText: "Welcome to the ELEVATE - Etherpad!\n\nThis pad text is synchronized\
- \ as you type, so that everyone viewing this page sees the same text. This allows\
- \ you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http://etherpad.org\n\
- \n IMPORTANT: THIS PAD IS PRIVIDED FOR FREE TO THE PUBLIC! There is no guarantee\
- \ for your data - please take care of backups yourself! This is usually intended\
- \ only for the Elevate Team and it might get access control in the future! If you\
- \ are interested in having a PAD for your project, please get back to dan@elevate.at\
- \ for information. It can be made available!"
- favicon: favicon.ico
-
- maxAge: 21600
- editOnly: false
- minify: true
- requireSession: false
- requireAuthentication: false
- requireAuthorization: false
- socketTransportProtocols: [xhr-polling, jsonp-polling, htmlfile]
- abiword: null
- loglevel: INFO
- logconfig:
- appenders:
- - type: console
- dbType: "mysql"
- dbSettings:
- host: "127.0.0.1"
- user: "etherpad-lite"
- password: "{{ vault_etherpad_lite_database_passwords['pad.elevate.at'] }}"
- database: "etherpad-lite"
- charset: "utf8mb4"
- database:
- type: mariadb
- version: 10.4.22
- password: "{{ vault_etherpad_lite_database_passwords['pad.elevate.at'] }}"
diff --git a/inventory/host_vars/sk-cloudio/nextcloud.yml b/inventory/host_vars/sk-cloudio/nextcloud.yml
index 82ffca47..3c5e5ae0 100644
--- a/inventory/host_vars/sk-cloudio/nextcloud.yml
+++ b/inventory/host_vars/sk-cloudio/nextcloud.yml
@@ -1,94 +1,116 @@
---
-nextcloud_zfs:
+_nextcloud_zfs_base_:
pool: storage
name: nextcloud
- properties:
- compression: lz4
nextcloud_instances:
- luzesombra.skillz.biz:
- # new: true
- version: 28.0.4
- port: 8100
- hostnames:
- - luzesombra.skillz.biz
- zfs_properties:
- quota: 200G
- redis:
- version: 7.2.1
- database:
- type: mariadb
- version: 11.1.2
- password: "{{ vault_nextcloud_database_passwords['luzesombra.skillz.biz'] }}"
- insomnia.skillz.biz:
- # new: true
- version: 28.0.4
- port: 8101
- hostnames:
- - insomnia.skillz.biz
- zfs_properties:
- quota: 400G
- redis:
- version: 7.2.1
- database:
- type: mariadb
- version: 10.11.5
- password: "{{ vault_nextcloud_database_passwords['insomnia.skillz.biz'] }}"
- nc.skillz.biz:
- # new: true
- version: 28.0.4
- port: 8102
- hostnames:
- - nc.skillz.biz
- zfs_properties:
- quota: 200G
- redis:
- version: 7.2.1
- database:
- type: mariadb
- version: 10.11.5
- password: "{{ vault_nextcloud_database_passwords['nc.skillz.biz'] }}"
- extra_args:
- - "--log_bin_trust_function_creators=true"
- custom_image:
- dockerfile: |
- RUN set -x \
- && apt-get update -q \
- && apt-get install -y -q ffmpeg \
- && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
- visuals.pixeldada.com:
- # new: true
- version: 28.0.4
- port: 8103
- hostnames:
- - visuals.pixeldada.com
- zfs_properties:
- quota: 100G
- redis:
- version: 7.2.4
- database:
- type: mariadb
- version: 11.3.2
- password: "{{ vault_nextcloud_database_passwords['visuals.pixeldada.com'] }}"
- extra_args:
- - "--log_bin_trust_function_creators=true"
- custom_image:
- dockerfile: |
- RUN set -x \
- && apt-get update -q \
- && apt-get install -y -q ffmpeg \
- && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+# luzesombra.skillz.biz:
+# # new: true
+# version: 29.0.4
+# port: 8100
+# hostnames:
+# - luzesombra.skillz.biz
+# storage:
+# type: zfs
+# parent: "{{ _nextcloud_zfs_base_ }}"
+# name: luzesombra.skillz.biz
+# properties:
+# quota: 200G
+# redis:
+# version: 7.2.1
+# database:
+# type: mariadb
+# version: 11.1.2
+# password: "{{ vault_nextcloud_database_passwords['luzesombra.skillz.biz'] }}"
+# insomnia.skillz.biz:
+# # new: true
+# version: 29.0.4
+# port: 8101
+# hostnames:
+# - insomnia.skillz.biz
+# storage:
+# type: zfs
+# parent: "{{ _nextcloud_zfs_base_ }}"
+# name: insomnia.skillz.biz
+# properties:
+# quota: 400G
+# redis:
+# version: 7.2.1
+# database:
+# type: mariadb
+# version: 10.11.5
+# password: "{{ vault_nextcloud_database_passwords['insomnia.skillz.biz'] }}"
+# nc.skillz.biz:
+# # new: true
+# version: 29.0.4
+# port: 8102
+# hostnames:
+# - nc.skillz.biz
+# storage:
+# type: zfs
+# parent: "{{ _nextcloud_zfs_base_ }}"
+# name: nc.skillz.biz
+# properties:
+# quota: 200G
+# redis:
+# version: 7.2.1
+# database:
+# type: mariadb
+# version: 10.11.5
+# password: "{{ vault_nextcloud_database_passwords['nc.skillz.biz'] }}"
+# extra_args:
+# - "--log_bin_trust_function_creators=true"
+# custom_image:
+# dockerfile: |
+# RUN set -x \
+# && apt-get update -q \
+# && apt-get install -y -q ffmpeg \
+# && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+# visuals.pixeldada.com:
+# # new: true
+# version: 29.0.4
+# port: 8103
+# hostnames:
+# - visuals.pixeldada.com
+# storage:
+# type: zfs
+# parent: "{{ _nextcloud_zfs_base_ }}"
+# name: visuals.pixeldada.com
+# properties:
+# quota: 100G
+# redis:
+# version: 7.2.4
+# database:
+# type: mariadb
+# version: 11.3.2
+# password: "{{ vault_nextcloud_database_passwords['visuals.pixeldada.com'] }}"
+# extra_args:
+# - "--log_bin_trust_function_creators=true"
+# custom_image:
+# dockerfile: |
+# RUN set -x \
+# && apt-get update -q \
+# && apt-get install -y -q ffmpeg \
+# && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
wolke.elev8.at:
# new: true
- version: 28.0.4
+ version: 29.0.3
port: 8105
- hostnames:
- - wolke.elev8.at
- zfs_properties:
- quota: 10G
+ storage:
+ type: zfs
+ parent: "{{ _nextcloud_zfs_base_ }}"
+ name: wolke.elev8.at
+ properties:
+ quota: 10G
redis:
version: 7.2.1
database:
type: mariadb
version: 10.11.5
password: "{{ vault_nextcloud_database_passwords['wolke.elev8.at'] }}"
+ publish:
+ zone: "{{ apps_publish_zone__sk_cloudio }}"
+ hostnames:
+ - wolke.elev8.at
+ tls:
+ certificate_provider: acmetool
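Review bot: Four of the five instances (L1683-1770) are carried along as commented-out YAML rather than removed, so `nextcloud_instances` now drags ~90 lines of dead config including the old port assignments 8100-8103 and the vault key names, whereas the sibling etherpad/pigallery2/bluespice files in this commit were deleted outright. If those instances are gone, delete the block (git keeps the history); if they are mid-migration, a one-line comment above it stating that and the intended end state makes the intent explicit, e.g. `# disabled during migration to the new host; re-enable per instance once its data has been moved`.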
diff --git a/inventory/host_vars/sk-cloudio/onlyoffice.yml b/inventory/host_vars/sk-cloudio/onlyoffice.yml
index 026d11ba..d8d3da82 100644
--- a/inventory/host_vars/sk-cloudio/onlyoffice.yml
+++ b/inventory/host_vars/sk-cloudio/onlyoffice.yml
@@ -1,20 +1,30 @@
---
-onlyoffice_zfs:
+_onlyoffice_zfs_base_:
pool: storage
name: onlyoffice
properties:
compression: lz4
- quota: 5G
onlyoffice_instances:
office.elev8.at:
- version: 7.5.1.1
+ version: 8.1.1.2
port: 8600
- hostname: office.elev8.at
jwt_secret: "{{ vault_onlyoffice_jwt_secrets['office.elev8.at'] }}"
+ storage:
+ type: zfs
+ parent: "{{ _onlyoffice_zfs_base_ }}"
+ name: office.elev8.at
+ properties:
+ quota: 5G
database:
- version: 9.5.25
+ version: 12.20
password: "{{ vault_onlyoffice_database_passwords['office.elev8.at'] }}"
amqp:
- version: 3.11.28
+ version: 3.13.7
password: "{{ vault_onlyoffice_amqp_passwords['office.elev8.at'] }}"
+ publish:
+ zone: "{{ apps_publish_zone__sk_cloudio }}"
+ hostnames:
+ - office.elev8.at
+ tls:
+ certificate_provider: acmetool
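Review bot: `_onlyoffice_zfs_base_` keeps `properties: compression: lz4` on the base dataset (L1808-1809), whereas the parallel `_nextcloud_zfs_base_` in nextcloud.yml dropped its `properties` block and moved `compression`/`xattr` into `zfs_volumes.storage.nextcloud` in vars.yml (L1936-1941) — the two base datasets are declared through different mechanisms in the same commit. Whether the role still applies `properties` on a `parent` mapping is not visible here; if it does not, the onlyoffice dataset silently loses lz4. Aligning onlyoffice with the `zfs_volumes` approach, or a comment on `_onlyoffice_zfs_base_` explaining why it differs, would remove the ambiguity.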
diff --git a/inventory/host_vars/sk-cloudio/pigallery2.yml b/inventory/host_vars/sk-cloudio/pigallery2.yml
deleted file mode 100644
index 2a7d5c84..00000000
--- a/inventory/host_vars/sk-cloudio/pigallery2.yml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-pigallery2_zfs:
- pool: storage
- name: pigallery2
- properties:
- compression: lz4
-
-pigallery2_instances:
- pix.elevate.at:
- version: 1.9.3
- port: 8700
- hostname: pix.elevate.at
- zfs_properties:
- quota: 5G
- images_paths:
- 2019: /srv/storage/nextcloud/wolke.elevate.at/nextcloud/data/__groupfolders/1/Editions_from_2014/Fotos_Editions/2019/
- 2020: /srv/storage/nextcloud/wolke.elevate.at/nextcloud/data/__groupfolders/1/Editions_from_2014/Fotos_Editions/2020/
- 2021: /srv/storage/nextcloud/wolke.elevate.at/nextcloud/data/__groupfolders/1/Editions_from_2014/Fotos_Editions/2021/
- 2022: /srv/storage/nextcloud/wolke.elevate.at/nextcloud/data/__groupfolders/1/Editions_from_2014/Fotos_Editions/2022/
- 2023: /srv/storage/nextcloud/wolke.elevate.at/nextcloud/data/__groupfolders/1/Editions_from_2014/Fotos_Editions/2023/
diff --git a/inventory/host_vars/sk-cloudio/vars.yml b/inventory/host_vars/sk-cloudio/vars.yml
index 36c6dfe6..be136e82 100644
--- a/inventory/host_vars/sk-cloudio/vars.yml
+++ b/inventory/host_vars/sk-cloudio/vars.yml
@@ -1,19 +1,43 @@
---
-system_lvm_volume_size_root: 3584M
+system_lvm_volume_size_root: 4G
system_lvm_volume_size_varlog: 5G
install:
- cloud:
- credentials: "{{ vault_hroot_robot_account }}"
- server_name: "{{ host_name }}"
+ vm:
+ memory: 48G
+ numcpus: 12
+ autostart: True
disks:
- primary: software-raid
- raid:
- level: 1
- members:
- - /dev/nvme0n1
- - /dev/nvme1n1
- system_lvm:
- size: 15G
+ primary: /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0
+ scsi:
+ sda:
+ type: zfs
+ name: root
+ size: 15g
+ sdb:
+ type: zfs
+ name: data
+ size: 900g
+ properties:
+ 'syncoid:sync': 'false'
+ interfaces:
+ - bridge: br-public
+ name: primary0
+
+network:
+ nameservers: "{{ vm_host.network.dns }}"
+ domain: "{{ host_domain }}"
+ systemd_link:
+ interfaces: "{{ install.interfaces }}"
+ primary: &_network_primary_
+ name: primary0
+ address: "{{ vm_host.network.bridges.public.prefix | ansible.utils.ipaddr(vm_host.network.bridges.public.offsets[inventory_hostname]) }}"
+ gateway: "{{ vm_host.network.bridges.public.prefix | ansible.utils.ipaddr(vm_host.network.bridges.public.offsets[vm_host.name]) | ansible.utils.ipaddr('address') }}"
+ template: overlay
+ overlay: "{{ (vm_host.network.bridges.public.overlays.default.prefix | ansible.utils.ipaddr(vm_host.network.bridges.public.overlays.default.offsets[inventory_hostname])).split('/')[0] }}"
+ interfaces:
+ - *_network_primary_
+
+external_ip: "{{ network.primary.overlay }}"
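Review bot: `overlay:` at L1916 strips the prefix length with `.split('/')[0]`, while the neighbouring `gateway:` (L1914) and the rest of the inventory use `| ansible.utils.ipaddr('address')` for the same job; using the filter here too keeps the expression consistent and readable, i.e. `overlay: "{{ vm_host.network.bridges.public.overlays.default.prefix | ansible.utils.ipaddr(vm_host.network.bridges.public.overlays.default.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"`. `autostart: True` at L1880 should be lowercase `true`.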
apt_repo_components:
@@ -22,7 +46,6 @@ apt_repo_components:
- non-free-firmware
spreadspace_apt_repo_components:
- - main
- container
@@ -33,20 +56,23 @@ zfs_arc_size:
zfs_pools:
storage:
mountpoint: /srv/storage
- create_vdevs: mirror /dev/nvme0n1p3 /dev/nvme1n1p3
+ create_vdevs: /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-1
properties:
ashift: 12
autotrim: "on"
+zfs_volumes:
+ storage:
+ nextcloud:
+ properties:
+ compression: lz4
+ xattr: sa
+
zfs_sanoid_modules:
storage/nextcloud:
use_template: production
recursive: yes
process_children_only: yes
- storage/etherpad-lite:
- use_template: production
- recursive: yes
- process_children_only: yes
storage/keycloak:
use_template: production
recursive: yes
@@ -58,6 +84,8 @@ zfs_sanoid_modules:
docker_pkg_provider: docker-com
+docker_plugins:
+ - buildx
docker_storage:
type: zfs
@@ -73,7 +101,7 @@ kubelet_storage:
properties:
quota: 20G
-kubernetes_version: 1.30.0
+kubernetes_version: 1.30.4
kubernetes_container_runtime: docker
kubernetes_standalone_max_pods: 100
kubernetes_standalone_pod_cidr: 192.168.255.0/24
@@ -94,8 +122,43 @@ postfix_base_inet_protocols:
acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
acme_client: acmetool
-## TODO: remove once migration of elevate services has been done
-ssh_users_root:
- - equinox
- - dan
- - brt
+
+sk_cloudio_apps_publish_ca_key: "{{ vault_sk_cloudio_apps_publish_ca_key }}"
+sk_cloudio_apps_publish_ca_cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIE+DCCAuCgAwIBAgIUWYAlW7BhaDHZaWjkVlttP26KVhgwDQYJKoZIhvcNAQEL
+ BQAwKTEnMCUGA1UEAwweQXBwcyBQdWJsaXNoIENBIGZvciBzay1jbG91ZGlvMCAX
+ DTI0MDgyNDIwNDEzNloYDzIwNjQwNzA2MjA0MTM2WjApMScwJQYDVQQDDB5BcHBz
+ IFB1Ymxpc2ggQ0EgZm9yIHNrLWNsb3VkaW8wggIiMA0GCSqGSIb3DQEBAQUAA4IC
+ DwAwggIKAoICAQDUOVJTgNrqTlD6FXupVLIoMbQ7O9Xj3XmtYGVtF6LUPodbrlTs
+ 9TRkhWwVSUGokfgRtKOx1Zk13HFadKw92t9zzTVnT62drH9xOPPGitBXyxeCiyzr
+ Ib98qnDeO9o+9x0cRsg4tvjksfyMV0JtFxOsSJ6diHrGrakk9SIRVk63GYbRSKBQ
+ wKCeAihFX35oyd3qCmIt6ZuueX5Z2dNdiaXmcrwe0MhBghd4Upqe3BPopGeVzJtY
+ Bm6Fsq/V2H28g6l3kNU5sPpgPWMpDRuUTjnfe1MFVu51QwmbkxqWhODaH8dClshJ
+ imACGnRmTxJ5bAqBbT2z3IEdhaEnKKUyN8OYqX3mtmU1/We9d52cLvghtbiRuhrE
+ 4eK7GRCvc0QqU/hk6eFvfXVd5KI48tB8at9tKP6tWeavlYyfq5G3canmzOTTbxuA
+ TfpbFrHIwHCk9M3VTIcABMeb38EGoOpaSTTcX3eOT/k97tQJPKFlfl+EF+fhbijN
+ 1CEdR+6m2BIvcNmGkKl0VH6eVXiAUFKm03Kg1sH0gh4upQKdx+54szF51jsrHcPI
+ 16oBChS0t+JG1tcvbluVWwLMw1G5nvm302/RxYahNyCniMAUl/eaubTHarTBtK7w
+ lAYryanwtlbAR/XQZAHBNzhG/2er1nCr6E5Wh+98ID+ElWbmaQ5ale/8OQIDAQAB
+ oxYwFDASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEBCwUAA4ICAQCpTUjN
+ veOg2dZ/44tg5P5RnZKZFiyYapaaxv3W6cfqpfUhrI8qSuBn9G/UAJAfMszU87rf
+ OZ1PRZCFuzu+dB7CrmMgvqt0cTRpaxlN9CzZpfpFADlt9NQKYxK4T8IxIZ7ebISl
+ UNyX08mRXNB3N+Qq1CcTVtwHNLbnwkLttryGJ1tmAwEu4QIHauG7cDXFQuRGP0CE
+ x+DSdLTcs6hvOYq4OfpX0Zci5zy4SI50DLoT5h94IaIPAL6XBi7n9bj8ZSHqa1ZC
+ lveyaGguEy53meARTXSCm/jxtpo8xD7pWz4vnYPZuyMGe9rbE77Y8CwWK/RvUdYx
+ th09ALKw76W59e78RkxKTqBvGmZYw1igY4p8IqcXci65xtO2HiRDHX2jU7AYkgAD
+ z5Rv+2ZMcOQHOPzxDRXk06+pQUZ3qQ3cU9ASziTSaLITnMVH0VokRNXvSZYxeuwR
+ yDqb1H4MsV91Sy4UyXmtfXZYouM3/3OwCzxpkgvxdVdQBzssUssLrRcS5UEcJGr8
+ 69M2CNHXX1fy0mLKdgqHNPzX9ALnqTHJMV5C5J3Q4RU6Vl2Un3Vg3A3dRKLPkg5P
+ C69nyBua3CIlx6Z8o2Ik9tJdwCULV6lYLGEfpsJHt627gF893Jexxuo3zI7XWQhb
+ ucrEkA2qzf0fHzCwFeiACMjssiN1YyevdI4Flw==
+ -----END CERTIFICATE-----
+
+apps_publish_zone__sk_cloudio:
+ name: sk-cloudio
+ publisher: sk-cloudio
+ certificate_provider: static-ca
+ certificate_ca_config:
+ cert_content: "{{ sk_cloudio_apps_publish_ca_cert }}"
+ key_content: "{{ sk_cloudio_apps_publish_ca_key }}"
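Review bot: If I decode the base64 correctly, the CA certificate at L1980-2008 carries a single extension, `basicConstraints` CA:TRUE with pathLenConstraint 1, no `keyUsage`, and a validity of 2024-08-24 to 2064-07-06 — a ~40-year CA that may also sign intermediate CAs, for a key whose only visible job is issuing certificates inside the `sk-cloudio` publish zone. Keeping the private key in vault (L1978) is the right call; for the certificate itself, pathlen 0 and a `keyUsage` of keyCertSign/cRLSign would bound what a leaked key can do, and a much shorter lifetime with a documented rotation makes a compromise recoverable. At minimum a comment above `sk_cloudio_apps_publish_ca_cert` recording the generation parameters and expiry, e.g. `# self-signed CA for the sk-cloudio publish zone; CA:TRUE pathlen:1, expires 2064-07-06 — rotate via <procedure>`, would let the next person reason about it without decoding the blob.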
diff --git a/inventory/host_vars/sk-testvm.yml b/inventory/host_vars/sk-testvm.yml
index 8ad7aba8..d728464d 100644
--- a/inventory/host_vars/sk-testvm.yml
+++ b/inventory/host_vars/sk-testvm.yml
@@ -56,7 +56,7 @@ kubelet_storage:
size: 1G
fs: ext4
-kubernetes_version: 1.30.0
+kubernetes_version: 1.30.4
kubernetes_container_runtime: docker
kubernetes_standalone_max_pods: 100
kubernetes_standalone_pod_cidr: 192.168.255.0/24
diff --git a/inventory/host_vars/sk-tomnext-nc.yml b/inventory/host_vars/sk-tomnext-nc.yml
index b0e809aa..01cf6e8c 100644
--- a/inventory/host_vars/sk-tomnext-nc.yml
+++ b/inventory/host_vars/sk-tomnext-nc.yml
@@ -88,7 +88,7 @@ kubelet_storage:
properties:
quota: 15G
-kubernetes_version: 1.30.0
+kubernetes_version: 1.30.4
kubernetes_container_runtime: docker
kubernetes_standalone_max_pods: 15
kubernetes_standalone_cni_variant: with-portmap
@@ -117,7 +117,7 @@ nextcloud_zfs:
nextcloud_instances:
team.tomwaitz.eu:
# new: true
- version: 28.0.4
+ version: 29.0.4
port: 8100
hostnames:
- team.tomwaitz.eu
@@ -148,13 +148,15 @@ nextcloud_instances:
&& docker-php-ext-enable smbclient \
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
-collabora_code_base_path: /srv/storage/collabora/code
collabora_code_instances:
o.tomwaitz.eu:
version: 23.05.6.4.1
port: 8200
hostname: o.tomwaitz.eu
+ storage:
+ type: directory
+ dest: /srv/storage/collabora/code/o.tomwaitz.eu
admin:
username: admin
password: "{{ vault_collabora_code_admin_passwords['o.tomwaitz.eu'] }}"
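Review bot: The Collabora instance here stays on `version: 23.05.6.4.1` with the flat `hostname: o.tomwaitz.eu` key (L2056-2058), while the same commit moves sk-cloudio's instance to `24.04.6.2.1` and to the new `publish:`/`hostnames:`/`tls:` structure (collabora.yml L1519-1530); only the `storage:` half of that restructuring is applied here. If the role now reads `publish.hostnames` and no longer honours `hostname`, this instance ends up unpublished — confirm against the role, and consider bringing the version in line as well. The onlyoffice hunk at L2065-2080 shows the same pattern: `8.1.0.1`/`12.19`/`3.13.4` here versus `8.1.1.2`/`12.20`/`3.13.7` on sk-cloudio (L1814, L1826, L1830), and `hostname: oo.tomwaitz.eu` instead of `publish:`.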
@@ -171,13 +173,13 @@ onlyoffice_zfs:
onlyoffice_instances:
oo.tomwaitz.eu:
- version: 7.5.1.1
+ version: 8.1.0.1
port: 8600
hostname: oo.tomwaitz.eu
jwt_secret: "{{ vault_onlyoffice_jwt_secrets['oo.tomwaitz.eu'] }}"
database:
- version: 9.5.25
+ version: 12.19
password: "{{ vault_onlyoffice_database_passwords['oo.tomwaitz.eu'] }}"
amqp:
- version: 3.11.28
+ version: 3.13.4
password: "{{ vault_onlyoffice_amqp_passwords['oo.tomwaitz.eu'] }}"