Diffstat (limited to 'inventory/host_vars')
-rw-r--r-- | inventory/host_vars/ch-calypso.yml | 10 | ||||
-rw-r--r-- | inventory/host_vars/ch-equinox-t450s.yml | 16 | ||||
-rw-r--r-- | inventory/host_vars/ch-equinox-ws.yml | 14 | ||||
-rw-r--r-- | inventory/host_vars/ch-hpws-maxi.yml | 62 | ||||
-rw-r--r-- | inventory/host_vars/ch-hpws-mini1.yml | 62 | ||||
-rw-r--r-- | inventory/host_vars/ch-mc.yml | 10 | ||||
-rw-r--r-- | inventory/host_vars/ch-telesto.yml | 10 | ||||
-rw-r--r-- | inventory/host_vars/ele-coturn.yml | 56 | ||||
-rw-r--r-- | inventory/host_vars/ele-jitsi.yml | 52 | ||||
-rw-r--r-- | inventory/host_vars/ele-router.yml | 284 | ||||
-rw-r--r-- | inventory/host_vars/ele-telesto.yml | 10 | ||||
-rw-r--r-- | inventory/host_vars/glt-coturn.yml | 2 | ||||
-rw-r--r-- | inventory/host_vars/lw-telesto.yml | 10 | ||||
-rw-r--r-- | inventory/host_vars/s2-mr-snuggles.yml | 14 | ||||
-rw-r--r-- | inventory/host_vars/sk-cloudio/collabora.yml | 2 | ||||
-rw-r--r-- | inventory/host_vars/sk-cloudio/coturn.yml | 8 | ||||
-rw-r--r-- | inventory/host_vars/sk-cloudio/jitsi.yml | 4 | ||||
-rw-r--r-- | inventory/host_vars/sk-cloudio/keycloak.yml | 4 | ||||
-rw-r--r-- | inventory/host_vars/sk-cloudio/nextcloud.yml | 8 | ||||
-rw-r--r-- | inventory/host_vars/sk-tomnext-nc.yml | 4 |
20 files changed, 400 insertions, 242 deletions
diff --git a/inventory/host_vars/ch-calypso.yml b/inventory/host_vars/ch-calypso.yml
index 024e6896..52c57d89 100644
--- a/inventory/host_vars/ch-calypso.yml
+++ b/inventory/host_vars/ch-calypso.yml
@@ -1,13 +1,13 @@
---
-preseed_language: de
-preseed_country: AT
-preseed_locales:
+debian_preseed_language: de
+debian_preseed_country: AT
+debian_preseed_locales:
- de_AT.UTF-8
- de_DE.UTF-8
- en_US.UTF-8
-preseed_no_splash: no
-preseed_install_tasks:
+debian_preseed_no_splash: no
+debian_preseed_install_tasks:
- xubuntu-desktop
diff --git a/inventory/host_vars/ch-equinox-t450s.yml b/inventory/host_vars/ch-equinox-t450s.yml
index 2820f653..df7759e3 100644
--- a/inventory/host_vars/ch-equinox-t450s.yml
+++ b/inventory/host_vars/ch-equinox-t450s.yml
@@ -1,17 +1,17 @@
---
-preseed_language: de
-preseed_country: AT
-preseed_locales:
+debian_preseed_language: de
+debian_preseed_country: AT
+debian_preseed_locales:
- de_AT.UTF-8
- de_DE.UTF-8
- en_US.UTF-8
-preseed_no_splash: no
-preseed_install_tasks:
+debian_preseed_no_splash: no
+debian_preseed_install_tasks:
- xubuntu-desktop
-preseed_no_netplan: yes
-preseed_manual_partitioning: yes
+debian_preseed_no_netplan: yes
+debian_preseed_manual_partitioning: yes
install:
efi: yes
@@ -85,6 +85,7 @@ ws_base_extra_packages:
- cmake
- cpu-x
- cura
+ - ddrescueview
- debhelper
- dh-lua
- dh-make
@@ -114,6 +115,7 @@ ws_base_extra_packages:
- freerdp2-x11
- fzf
- gcc-avr
+ - gddrescue
- gdebi
- gerbv
- ghex
diff --git a/inventory/host_vars/ch-equinox-ws.yml b/inventory/host_vars/ch-equinox-ws.yml
index 88d536b2..8e97ab10 100644
--- a/inventory/host_vars/ch-equinox-ws.yml
+++ b/inventory/host_vars/ch-equinox-ws.yml
@@ -1,14 +1,14 @@
---
-preseed_language: de
-preseed_country: AT
-preseed_locales:
+debian_preseed_language: de
+debian_preseed_country: AT
+debian_preseed_locales:
- de_AT.UTF-8
- de_DE.UTF-8
- en_US.UTF-8
-preseed_kernel_image: linux-generic-hwe-20.04
-preseed_no_splash: no
-preseed_install_tasks:
+debian_preseed_kernel_image: linux-generic-hwe-20.04
+debian_preseed_no_splash: no
+debian_preseed_install_tasks:
- xubuntu-desktop
@@ -84,6 +84,7 @@ ws_base_extra_packages:
- clinfo
- cmake
- cpu-x
+ - ddrescueview
- debhelper
- dh-lua
- dh-make
@@ -113,6 +114,7 @@ ws_base_extra_packages:
- freerdp2-x11
- fzf
- gcc-avr
+ - gddrescue
- gdebi
- gerbv
- ghex
diff --git a/inventory/host_vars/ch-hpws-maxi.yml b/inventory/host_vars/ch-hpws-maxi.yml
new file mode 100644
index 00000000..c5637069
--- /dev/null
+++ b/inventory/host_vars/ch-hpws-maxi.yml
@@ -0,0 +1,62 @@
+---
+debian_preseed_language: de
+debian_preseed_country: AT
+debian_preseed_locales:
+ - de_AT.UTF-8
+ - de_DE.UTF-8
+ - en_US.UTF-8
+
+debian_preseed_no_splash: no
+debian_preseed_install_tasks:
+ - xubuntu-desktop
+
+
+install:
+ efi: yes
+ disks:
+ primary: /dev/disk/by-id/ata-WDC_WDS120G2G0A-00JH30_200854443001
+ system_lvm:
+ size: 50G
+ volumes:
+ - name: root
+ size: 20G
+ filesystem: ext4
+ mountpoint: /
+ - name: var+log
+ size: 768M
+ filesystem: ext4
+ mountpoint: /var/log
+ mount_options:
+ - noatime
+ - nodev
+ - noexec
+
+network:
+ nameservers: "{{ network_zones.lan.dns }}"
+ domain: "{{ host_domain }}"
+ primary: &_network_primary_
+ name: eno1
+ address: "{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets[inventory_hostname]) | ipaddr('address/prefix') }}"
+ gateway: "{{ network_zones.lan.gateway }}"
+ interfaces:
+ - *_network_primary_
+
+
+apt_repo_components:
+ - main
+ - restricted
+ - universe
+ - multiverse
+
+base_modules_blacklist: "{{ base_modules_blacklist_all_but_sound }}"
+
+admin_users_host:
+ - equinox
+
+ws_base_extra_packages:
+ # needs apt-repo/obs-studio
+ - obs-studio
+
+ws_base_lightdm_defaults:
+ autologin-user: equinox
+ autologin-user-timeout: 0
diff --git a/inventory/host_vars/ch-hpws-mini1.yml b/inventory/host_vars/ch-hpws-mini1.yml
new file mode 100644
index 00000000..bb51be47
--- /dev/null
+++ b/inventory/host_vars/ch-hpws-mini1.yml
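Review bot: `ws_base_lightdm_defaults` auto-logs `equinox` in with `autologin-user-timeout: 0`, and `equinox` is also the only name in `admin_users_host`, so whoever walks up to this box gets an interactive session as the host's admin account (presumably sudo-capable, depending on what the admin-users role grants). For a streaming/kiosk workstation the autologin target should be a separate unprivileged account created for that purpose, e.g. `autologin-user: hpws`, with `equinox` kept as the administrative login. Separately, the `/var/log` volume gets `nodev` and `noexec` but not `nosuid`; adding `- nosuid` to `mount_options` completes the usual trio at no cost.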
@@ -0,0 +1,62 @@
+---
+debian_preseed_language: de
+debian_preseed_country: AT
+debian_preseed_locales:
+ - de_AT.UTF-8
+ - de_DE.UTF-8
+ - en_US.UTF-8
+
+debian_preseed_no_splash: no
+debian_preseed_install_tasks:
+ - xubuntu-desktop
+
+
+install:
+ efi: yes
+ disks:
+ primary: /dev/disk/by-id/ata-WDC_WDS120G2G0A-00JH30_20123D806706
+ system_lvm:
+ size: 50G
+ volumes:
+ - name: root
+ size: 20G
+ filesystem: ext4
+ mountpoint: /
+ - name: var+log
+ size: 768M
+ filesystem: ext4
+ mountpoint: /var/log
+ mount_options:
+ - noatime
+ - nodev
+ - noexec
+
+network:
+ nameservers: "{{ network_zones.lan.dns }}"
+ domain: "{{ host_domain }}"
+ primary: &_network_primary_
+ name: eno1
+ address: "{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets[inventory_hostname]) | ipaddr('address/prefix') }}"
+ gateway: "{{ network_zones.lan.gateway }}"
+ interfaces:
+ - *_network_primary_
+
+
+apt_repo_components:
+ - main
+ - restricted
+ - universe
+ - multiverse
+
+base_modules_blacklist: "{{ base_modules_blacklist_all_but_sound }}"
+
+admin_users_host:
+ - equinox
+
+ws_base_extra_packages:
+ # needs apt-repo/obs-studio
+ - obs-studio
+
+ws_base_lightdm_defaults:
+ autologin-user: equinox
+ autologin-user-timeout: 0
diff --git a/inventory/host_vars/ch-mc.yml b/inventory/host_vars/ch-mc.yml
index 730a6569..529c331e 100644
--- a/inventory/host_vars/ch-mc.yml
+++ b/inventory/host_vars/ch-mc.yml
@@ -1,13 +1,13 @@
---
-preseed_language: de
-preseed_country: AT
-preseed_locales:
+debian_preseed_language: de
+debian_preseed_country: AT
+debian_preseed_locales:
- de_AT.UTF-8
- de_DE.UTF-8
- en_US.UTF-8
-preseed_no_splash: no
-preseed_install_tasks:
+debian_preseed_no_splash: no
+debian_preseed_install_tasks:
- xubuntu-desktop
diff --git a/inventory/host_vars/ch-telesto.yml b/inventory/host_vars/ch-telesto.yml
index f9ee0469..df580821 100644
--- a/inventory/host_vars/ch-telesto.yml
+++ b/inventory/host_vars/ch-telesto.yml
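Review bot: The `/var/log` volume's `mount_options` list `noatime`, `nodev` and `noexec` but omit `nosuid`; add `- nosuid` so a setuid binary dropped into the log tree cannot be abused, which is the standard set for a non-executable data volume. More importantly, `ws_base_lightdm_defaults` auto-logs in `equinox` without a timeout, and that same user is the sole `admin_users_host` entry, so physical access to the console yields a session as the host's admin (likely with sudo, depending on the role defaults). Consider pointing `autologin-user` at a dedicated unprivileged account and keeping `equinox` for administration only.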
@@ -1,13 +1,13 @@
---
-preseed_language: de
-preseed_country: AT
-preseed_locales:
+debian_preseed_language: de
+debian_preseed_country: AT
+debian_preseed_locales:
- de_AT.UTF-8
- de_DE.UTF-8
- en_US.UTF-8
-preseed_no_splash: no
-preseed_install_tasks:
+debian_preseed_no_splash: no
+debian_preseed_install_tasks:
- xubuntu-desktop
diff --git a/inventory/host_vars/ele-coturn.yml b/inventory/host_vars/ele-coturn.yml
new file mode 100644
index 00000000..862ced63
--- /dev/null
+++ b/inventory/host_vars/ele-coturn.yml
@@ -0,0 +1,56 @@
+---
+install:
+ cloud:
+ credentials:
+ token: "{{ vault_hcloud_api_token }}"
+
+network: {}
+
+docker_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: docker
+ size: 5G
+ fs: ext4
+
+kubelet_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: kubelet
+ size: 5G
+ fs: ext4
+
+
+acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+
+
+kubernetes_version: 1.21.2
+kubernetes_container_runtime: docker
+kubernetes_standalone_max_pods: 100
+kubernetes_standalone_pod_cidr: 192.168.255.0/24
+kubernetes_standalone_cni_variant: with-portmap
+
+
+coturn_version: 4.5.2-r2
+coturn_realm: elev8.at
+coturn_hostnames:
+ - stun.elev8.at
+ - turn.elev8.at
+
+coturn_auth_secret: "{{ vault_coturn_auth_secret }}"
+coturn_listening_port: 3478
+coturn_tls_listening_port: 443
+coturn_install_nginx_vhost: no
+
+
+mumble_version: 1.3.4
+mumble_instance: elev8.at
+mumble_hostnames:
+ - mumble.elev8.at
+
+mumble_superuser_password: "{{ vault_mumble_superuser_password }}"
+
+mumble_config_options:
+ bonjour: false
+ welcometext: "Welcome to the Mumble Server of the Elevate Festival<br>Intercom for Staff of Elevate 2021"
+ rememberchannel: true
diff --git a/inventory/host_vars/ele-jitsi.yml b/inventory/host_vars/ele-jitsi.yml
new file mode 100644
index 00000000..80032c54
--- /dev/null
+++ b/inventory/host_vars/ele-jitsi.yml
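Review bot: The Mumble `welcometext` describes this server as a staff-only intercom, but `mumble_config_options` sets no `serverpassword` (nor any registration-only or ACL option), so unless the mumble role injects one from its defaults the server at `mumble.elev8.at` is joinable by anyone who can reach it. The superuser password is already vault-sourced; add a join password the same way, e.g. `serverpassword: "{{ vault_mumble_server_password }}"`, or add a comment stating where access control for this instance is enforced. If the role does supply a default, a one-line comment next to `mumble_config_options` saying so would save the next reader the lookup.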
@@ -0,0 +1,52 @@
+---
+install:
+ cloud:
+ credentials:
+ token: "{{ vault_hcloud_api_token }}"
+
+network: {}
+
+docker_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: docker
+ size: 5G
+ fs: ext4
+
+kubelet_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: kubelet
+ size: 5G
+ fs: ext4
+
+
+ssh_users_root:
+ - equinox
+ - datacop
+
+acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+
+
+kubernetes_version: 1.21.2
+kubernetes_container_runtime: docker
+kubernetes_standalone_max_pods: 100
+kubernetes_standalone_pod_cidr: 192.168.255.0/24
+kubernetes_standalone_cni_variant: with-portmap
+
+
+jitsi_meet_version: stable-5963
+jitsi_meet_hostname: remote.elev8.at
+
+jitsi_meet_p2p_enable: no
+
+jitsi_meet_secrets: "{{ vault_jitsi_meet_secrets }}"
+
+jitsi_meet_auth:
+ enable_guests: yes
+ users:
+ operator: "{{ vault_jitsi_meet_auth_user_passwords['operator'] }}"
+
+jitsi_meet_streamui:
+ http_port: "{{ jitsi_meet_http_port + 1 }}"
+ image_tag: latest
diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml
index 520bd751..9b660f99 100644
--- a/inventory/host_vars/ele-router.yml
+++ b/inventory/host_vars/ele-router.yml
@@ -3,6 +3,9 @@ ssh_users_root:
- equinox
- datacop
+network_mgmt_zone: "{{ network_zones.mgmt }}"
+
+
wireguard_keys:
gwhetzner:
pub: "fqaKDJbSj6V0H98d78d/lnFLolefgp6zDPH9bN4+zUY="
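Review bot: `jitsi_meet_streamui.image_tag: latest` pulls a mutable, unpinned image, while everything else on this host is pinned (`jitsi_meet_version: stable-5963`, `kubernetes_version: 1.21.2`), so a later re-run of the play after an upstream push silently deploys different code next to the conferencing stack with no record in this inventory. Pin it to a specific release tag, or better an `@sha256:` digest, and bump it deliberately like the other versions. The `enable_guests: yes` plus single `operator` account combination looks intended for a public event; a short comment on `jitsi_meet_auth` saying so would make that explicit for whoever reuses this host definition.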
@@ -24,102 +27,38 @@ wireguard_gateway_tunnels: allowed_ips: - 0.0.0.0/0 - - -network_mgmt_zone: "{{ network_zones.mgmt }}" -network_internal_zone_names__emc: - - emc -network_internal_zone_names__wan: - - lan - - guest - - mixer - - infoscreens - -network_internal_zone_names: "{{ network_internal_zone_names__wan + network_internal_zone_names__emc }}" - - openwrt_network_external: - - name: switch_vlan - options: - device: 'switch0' - ## for some reason vlan-id 502 does not work. why?? - #vlan: '{{ network_zones.forum_a1.vlan }}' - vlan: '1' - ports: '4 6t' - - - name: interface 'wanforum' + - name: interface 'wanmur' options: - ## for some reason vlan-id 502 does not work. why?? - #ifname: 'eth0.{{ network_zones.forum_a1.vlan }}' - ifname: 'eth0.1' - proto: dhcp - defaultroute: '0' ## see static route 'forumdefault' below - accept_ra: 0 - - - name: rule - options: - priority: 40000 - lookup: 101 - - - name: route 'forumdefault' - options: - interface: 'wanforum' - table: 101 - target: '0.0.0.0/0' - gateway: 192.168.0.254 ## A1 router @ForumStadtpark uses this address - - - - name: switch_vlan - options: - device: 'switch0' - ## for some reason vlan-id 502 does not work. why?? - #vlan: '{{ network_zones.funkfeuer.vlan }}' - vlan: '2' - ports: '3 6t' - - - name: interface 'wanff' - options: - ## for some reason vlan-id 502 does not work. why?? 
- #ifname: 'eth0.{{ network_zones.funkfeuer.vlan }}' - ifname: 'eth0.2' + ifname: 'eth5' proto: static - ipaddr: "{{ network_zones.funkfeuer.prefix | ipaddr(network_zones.funkfeuer.offsets[inventory_hostname]) | ipaddr('address') }}" - netmask: "{{ network_zones.funkfeuer.prefix | ipaddr('netmask') }}" + ipaddr: "{{ network_zones.murat_transfer.prefix | ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ipaddr('address') }}" + netmask: "{{ network_zones.murat_transfer.prefix | ipaddr('netmask') }}" accept_ra: 0 - name: rule options: - priority: 39000 - src: "{{ network_zones.funkfeuer.prefix | ipaddr(network_zones.funkfeuer.offsets[inventory_hostname]) | ipaddr('address') }}/32" - lookup: 102 + priority: 41050 + src: "{{ network_zones.murat_transfer.prefix | ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ipaddr('address') }}/32" + lookup: 105 - name: rule options: - priority: 39001 - mark: 102 - lookup: 102 + priority: 41051 + mark: 105 + lookup: 105 - - name: route 'ffdefault' + - name: route 'murdefault' options: - interface: 'wanff' - table: 102 + interface: 'wanmur' + table: 105 target: '0.0.0.0/0' - gateway: "{{ network_zones.funkfeuer.gateway }}" + gateway: "{{ network_zones.murat_transfer.prefix | ipaddr(network_zones.murat_transfer.offsets['ele-mur']) | ipaddr('address') }}" - - name: switch_vlan - options: - device: 'switch0' - ## for some reason vlan-id 512 does not work. why?? - #vlan: '{{ network_zones.datacop_lte.vlan }}' - vlan: '3' - ports: '2 6t' - - name: interface 'wanlte' options: - ## for some reason vlan-id 512 does not work. why?? - #ifname: 'eth0.{{ network_zones.datacop_lte.vlan }}' - ifname: 'eth0.3' + ifname: 'eth4' proto: static ipaddr: "{{ network_zones.datacop_lte.prefix | ipaddr(network_zones.datacop_lte.offsets[inventory_hostname]) | ipaddr('address') }}" netmask: "{{ network_zones.datacop_lte.prefix | ipaddr('netmask') }}" 
@@ -127,34 +66,42 @@ openwrt_network_external: - name: rule options: - priority: 38000 + priority: 41040 src: "{{ network_zones.datacop_lte.prefix | ipaddr(network_zones.datacop_lte.offsets[inventory_hostname]) | ipaddr('address') }}/32" - lookup: 103 + lookup: 104 - name: rule options: - priority: 38001 - mark: 103 - lookup: 103 + priority: 41041 + mark: 104 + lookup: 104 - name: route 'ltedefault' options: interface: 'wanlte' - table: 103 + table: 104 target: '0.0.0.0/0' gateway: "{{ network_zones.datacop_lte.gateway }}" + - name: rule + options: + priority: 50000 + lookup: 105 + +network_internal_zone_names__wanmur: + - lan + - guest + - mixer + - infoscreens +network_internal_zone_names__wanlte: [] +network_internal_zone_names__wgemc: + - emc +network_internal_zone_names: "{{ network_internal_zone_names__wanmur + network_internal_zone_names__wanlte + network_internal_zone_names__wgemc }}" openwrt_network_internal: "{{ openwrt_network_internal_yaml | from_yaml }}" openwrt_network_internal_yaml: | {% for zone_name in network_internal_zone_names %} - - name: switch_vlan - options: - device: 'switch0' - vlan: '{{ network_zones[zone_name].vlan }}' - ports: '0t 6t' - - name: "interface '{{ zone_name }}'" options: ifname: "eth0.{{ network_zones[zone_name].vlan }}" @@ -162,16 +109,9 @@ openwrt_network_internal_yaml: | ipaddr: "{{ network_zones[zone_name].gateway }}" netmask: "{{ network_zones[zone_name].prefix | ipaddr('netmask') }}" accept_ra: 0 - {% if zone_name in network_internal_zone_names__emc %} - - - name: rule - options: - priority: 33000 - in: "{{ zone_name }}" - lookup: 200 - {% endif %} {% endfor %} + openwrt_network_base: - name: globals 'globals' options: 
@@ -184,18 +124,6 @@ openwrt_network_base: ipaddr: 127.0.0.1 netmask: 255.0.0.0 - - name: switch - options: - name: 'switch0' - reset: '1' - enable_vlan: '1' - - - name: switch_vlan - options: - device: 'switch0' - vlan: '{{ network_mgmt_zone.vlan }}' - ports: '0t 1 6t' - - name: interface 'mgmt' options: ifname: "eth0.{{ network_mgmt_zone.vlan }}" @@ -205,15 +133,11 @@ openwrt_network_base: accept_ra: 0 -openwrt_dhcp_external: - - name: dhcp 'wanforum' - options: - interface: 'wanforum' - ignore: '1' - - name: dhcp 'wanff' +openwrt_dhcp_external: + - name: dhcp 'wanmur' options: - interface: 'wanff' + interface: 'wanmur' ignore: '1' - name: dhcp 'wanlte' @@ -221,6 +145,7 @@ openwrt_dhcp_external: interface: 'wanlte' ignore: '1' + openwrt_dhcp_internal: "{{ openwrt_dhcp_internal_yaml | from_yaml }}" openwrt_dhcp_internal_yaml: | {% for zone_name in network_internal_zone_names %} @@ -238,6 +163,7 @@ openwrt_dhcp_internal_yaml: | {% endif %} {% endfor %} + openwrt_dhcp_base: - name: dnsmasq options: @@ -256,6 +182,8 @@ openwrt_dhcp_base: leasefile: '/tmp/dhcp.leases' resolvfile: '/tmp/resolv.conf.auto' localservice: '1' + server: + - 1.1.1.1 - name: odhcpd 'odhcpd' options: @@ -271,12 +199,12 @@ openwrt_dhcp_base: openwrt_variant: openwrt -openwrt_release: 19.07.1 -openwrt_arch: ramips -openwrt_target: mt7621 -openwrt_profile: ubnt-erx +openwrt_release: 19.07.7 +openwrt_arch: x86 +openwrt_target: 64 +openwrt_profile: Generic openwrt_output_image_suffixes: - - "{{ openwrt_profile }}-squashfs-sysupgrade.bin" + - "combined-ext4.img.gz" openwrt_packages_remove: - ppp 
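Review bot: The new `server: - 1.1.1.1` entry in `openwrt_dhcp_base` forwards every client query from all internal zones to a single third-party resolver in cleartext, with no fallback if that address becomes unreachable, presumably via the wanmur table given the pref-50000 catch-all rule added elsewhere in this commit. If a fixed upstream is wanted, list at least two (e.g. add `- 1.0.0.1`) and consider `noresolv: '1'` so the uplink-provided entries in `resolvfile` do not silently compete with it; otherwise a comment explaining why a single external resolver is acceptable for this network would help.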
@@ -311,13 +239,13 @@ openwrt_mixin: content: "{{ wireguard_gateway_tunnels['wg-emc'].priv_key }}\n" mode: "0600" - /etc/rc.d/S21network-emc: - link: "../init.d/network-emc" + /etc/rc.d/S21network-wgemc: + link: "../init.d/network-wgemc" - /etc/rc.d/K91network-emc: - link: "../init.d/network-emc" + /etc/rc.d/K91network-wgemc: + link: "../init.d/network-wgemc" - /etc/init.d/network-emc: + /etc/init.d/network-wgemc: mode: "0755" content: | #!/bin/sh /etc/rc.common @@ -327,7 +255,7 @@ openwrt_mixin: start() { ip link add dev wg-emc type wireguard - wg set wg-emc fwmark 102 private-key /etc/wireguard/wg-emc.priv + wg set wg-emc fwmark 105 private-key /etc/wireguard/wg-emc.priv {% for peer in wireguard_gateway_tunnels['wg-emc'].peers %} wg set wg-emc peer {{ peer.pub_key }} endpoint {{ peer.endpoint.host }}:{{ peer.endpoint.port }} persistent-keepalive {{ peer.keepalive_interval }} allowed-ips {{ peer.allowed_ips | join(',') }} @@ -343,7 +271,6 @@ openwrt_mixin: stop() { ip link del dev wg-emc - ip rule del pref 33000 } /etc/rc.d/S22network-fw: 
@@ -361,65 +288,63 @@ openwrt_mixin: STOP=91 start() { - WAN_IF=$(uci get network.wanforum.ifname) - FF_IF=$(uci get network.wanff.ifname) - LTE_IF=$(uci get network.wanlte.ifname) + ### management MGMT_IF=$(uci get network.mgmt.ifname) MGMT_IPADDR=$(uci get network.mgmt.ipaddr) MGMT_NETMASK=$(uci get network.mgmt.netmask) - - - iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT + iptables -A INPUT -i lo -d 127.0.0.0/8 -j ACCEPT iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT - ### todo: limit the destination address? - iptables -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT - iptables -A INPUT -i "$WAN_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT - iptables -A INPUT -i "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -A INPUT -i "$FF_IF" -p icmp -j ACCEPT - iptables -A INPUT -i "$FF_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT - iptables -A INPUT -i "$FF_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + ### external zones + # mur + iptables -A INPUT -i "eth5" -p icmp -j ACCEPT + iptables -A INPUT -i "eth5" -p tcp --dport {{ ansible_port }} -j ACCEPT + iptables -A INPUT -i "eth5" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -A INPUT -i "$LTE_IF" -p icmp -j ACCEPT - iptables -A INPUT -i "$LTE_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT - iptables -A INPUT -i "$LTE_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + # LTE + iptables -A INPUT -i "eth4" -p icmp -j ACCEPT + iptables -A INPUT -i "eth4" -p tcp --dport {{ ansible_port }} -j ACCEPT + iptables -A INPUT -i "eth4" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + # Wireguard EMC iptables -A INPUT -i "wg-emc" -p icmp -j ACCEPT iptables -A INPUT -i "wg-emc" -p tcp --dport {{ ansible_port }} -j ACCEPT iptables -A INPUT -i "wg-emc" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -o "wg-emc" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu - # all internal 
zones - for zone in {{ network_internal_zone_names | join(' ') }}; do - interface=$(uci get "network.$zone.ifname") - ipaddr=$(uci get "network.$zone.ipaddr") - netmask=$(uci get "network.$zone.netmask") - - ### todo: only add this if dhcp is in network_zones[zone] - iptables -A INPUT -i "$interface" -p udp --dport 67 --sport 68 -j ACCEPT - - ### todo: only do this if dhcp is in network_zones[zone] or $ipaddr is in network_zones[zone].dns - iptables -A INPUT -i "$interface" -p udp --dport 53 -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT - iptables -A INPUT -i "$interface" -p tcp --dport 53 -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT - - iptables -A INPUT -i "$interface" -p icmp -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT - iptables -A INPUT -i "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - case "$zone" in - {{ network_internal_zone_names__wan | join('|') }}) - iptables -A FORWARD -i "$interface" -o "$WAN_IF" -s "$ipaddr/$netmask" -j ACCEPT - iptables -A FORWARD -i "$WAN_IF" -o "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$ipaddr/$netmask" -j MASQUERADE - ;; - {{ network_internal_zone_names__emc | join('|') }}) - iptables -A FORWARD -i "$interface" -o "wg-emc" -s "$ipaddr/$netmask" -j ACCEPT - iptables -A FORWARD -i "wg-emc" -o "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -t nat -A POSTROUTING -o "wg-emc" -s "$ipaddr/$netmask" -j MASQUERADE - ;; - esac - done + ### internal zones + {% for zone_name in network_internal_zone_names %} + # {{ zone_name }} + {% if 'dhcp' in network_zones[zone_name] %} + iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p udp --dport 67 --sport 68 -j ACCEPT + {% endif %} + {% if 'dhcp' in network_zones[zone_name] or network_zones[zone_name].gateway in network_zones[zone_name].dns %} + iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p udp --dport 53 -d "{{ 
network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT + iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p tcp --dport 53 -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT + {% endif %} + iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p icmp -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT + iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + {% if zone_name in network_internal_zone_names__wanmur %} + {% set ext_interface = "eth5" %} + {% set rt_table = "105" %} + {% elif zone_name in network_internal_zone_names__wanlte %} + {% set ext_interface = "eth4" %} + {% set rt_table = "104" %} + {% elif zone_name in network_internal_zone_names__wgemc %} + {% set ext_interface = "wg-emc" %} + {% set rt_table = "200" %} + {% endif %} + iptables -A FORWARD -i "eth0.{{ network_zones[zone_name].vlan }}" -o "{{ ext_interface }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT + iptables -A FORWARD -i "{{ ext_interface }}" -o "eth0.{{ network_zones[zone_name].vlan }}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -t nat -A POSTROUTING -o "{{ ext_interface }}" -s "{{ network_zones[zone_name].prefix }}" -j MASQUERADE + ip rule add pref {{ loop.index + 33000 }} iif "eth0.{{ network_zones[zone_name].vlan }}" lookup {{ rt_table }} + + {% endfor %} + + ### iptables -P INPUT DROP iptables -P FORWARD DROP } @@ -430,6 +355,9 @@ openwrt_mixin: iptables -P FORWARD ACCEPT iptables -F FORWARD iptables -t nat -F POSTROUTING + {% for zone_name in network_internal_zone_names %} + ip rule del pref {{ loop.index + 33000 }} + {% endfor %} } 
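Review bot: The rewritten firewall script hard-codes `"eth5"` and `"eth4"` in the INPUT rules and in the Jinja `{% set ext_interface = ... %}` branches, duplicating the `ifname` values declared in `openwrt_network_external`; the previous version read them with `uci get`, so a future NIC renumbering on this x86 box now has to be fixed in two places or the SSH/ICMP accepts land on the wrong interface and the FORWARD/MASQUERADE rules stop matching under a DROP policy. Restore `MUR_IF=$(uci get network.wanmur.ifname)` and `LTE_IF=$(uci get network.wanlte.ifname)` and reference `$MUR_IF`/`$LTE_IF` from both the shell rules and the Jinja sets, as sketched below. As a secondary point, the `--dport {{ ansible_port }}` accepts on both uplinks carry no source restriction (unchanged from before); if management is meant to happen over `wg-emc` or the mgmt VLAN, a `-s` limit or dropping those two rules would shrink the exposure. `start()` opens inside this hunk, but `stop()` and the rest of the init script lie outside it.
```yaml
          ### external zones
          MUR_IF=$(uci get network.wanmur.ifname)
          LTE_IF=$(uci get network.wanlte.ifname)
          # mur
          iptables -A INPUT -i "$MUR_IF" -p icmp -j ACCEPT
          iptables -A INPUT -i "$MUR_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT
          iptables -A INPUT -i "$MUR_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
          # LTE
          iptables -A INPUT -i "$LTE_IF" -p icmp -j ACCEPT
          iptables -A INPUT -i "$LTE_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT
          iptables -A INPUT -i "$LTE_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
          # … unchanged: wg-emc rules, per-zone INPUT rules …
          {% if zone_name in network_internal_zone_names__wanmur %}
          {% set ext_interface = "$MUR_IF" %}
          {% set rt_table = "105" %}
          {% elif zone_name in network_internal_zone_names__wanlte %}
          {% set ext_interface = "$LTE_IF" %}
          {% set rt_table = "104" %}
          # … unchanged: wgemc branch, FORWARD/MASQUERADE/ip rule lines, policy DROP …
```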
@@ -453,12 +381,6 @@ openwrt_uci:
- '2.lede.pool.ntp.org'
- '3.lede.pool.ntp.org'
- - name: gpio_switch 'poe_passthrough'
- options:
- name: 'PoE Passthrough'
- gpio_pin: '0'
- value: '0'
-
dropbear:
- name: dropbear
options:
diff --git a/inventory/host_vars/ele-telesto.yml b/inventory/host_vars/ele-telesto.yml
index 6e642dee..5aa6c608 100644
--- a/inventory/host_vars/ele-telesto.yml
+++ b/inventory/host_vars/ele-telesto.yml
@@ -1,13 +1,13 @@
---
-preseed_language: de
-preseed_country: AT
-preseed_locales:
+debian_preseed_language: de
+debian_preseed_country: AT
+debian_preseed_locales:
- de_AT.UTF-8
- de_DE.UTF-8
- en_US.UTF-8
-preseed_no_splash: no
-preseed_install_tasks:
+debian_preseed_no_splash: no
+debian_preseed_install_tasks:
- xubuntu-desktop
diff --git a/inventory/host_vars/glt-coturn.yml b/inventory/host_vars/glt-coturn.yml
index f598384d..9cff4891 100644
--- a/inventory/host_vars/glt-coturn.yml
+++ b/inventory/host_vars/glt-coturn.yml
@@ -20,7 +20,7 @@ kubernetes_standalone_pod_cidr: 192.168.255.0/24
kubernetes_standalone_cni_variant: with-portmap
-coturn_version: 4.5.2
+coturn_version: 4.5.2-r2
coturn_realm: linuxtage.at
coturn_hostnames:
- cdn13.linuxtage.at
diff --git a/inventory/host_vars/lw-telesto.yml b/inventory/host_vars/lw-telesto.yml
index ce9847a9..8e9a0061 100644
--- a/inventory/host_vars/lw-telesto.yml
+++ b/inventory/host_vars/lw-telesto.yml
@@ -1,13 +1,13 @@
---
-preseed_language: de
-preseed_country: AT
-preseed_locales:
+debian_preseed_language: de
+debian_preseed_country: AT
+debian_preseed_locales:
- de_AT.UTF-8
- de_DE.UTF-8
- en_US.UTF-8
-preseed_no_splash: no
-preseed_install_tasks:
+debian_preseed_no_splash: no
+debian_preseed_install_tasks:
- xubuntu-desktop
diff --git a/inventory/host_vars/s2-mr-snuggles.yml b/inventory/host_vars/s2-mr-snuggles.yml
index b8151728..482f7651 100644
--- a/inventory/host_vars/s2-mr-snuggles.yml
+++ b/inventory/host_vars/s2-mr-snuggles.yml
@@ -1,17 +1,17 @@
---
-preseed_language: de
-preseed_country: AT
-preseed_locales:
+debian_preseed_language: de
+debian_preseed_country: AT
+debian_preseed_locales:
- de_AT.UTF-8
- de_DE.UTF-8
- en_US.UTF-8
-preseed_no_splash: no
-preseed_install_tasks:
+debian_preseed_no_splash: no
+debian_preseed_install_tasks:
- xubuntu-desktop
-preseed_no_netplan: yes
-preseed_manual_partitioning: yes
+debian_preseed_no_netplan: yes
+debian_preseed_manual_partitioning: yes
install:
efi: no
diff --git a/inventory/host_vars/sk-cloudio/collabora.yml b/inventory/host_vars/sk-cloudio/collabora.yml
index 99cb5242..2346d007 100644
--- a/inventory/host_vars/sk-cloudio/collabora.yml
+++ b/inventory/host_vars/sk-cloudio/collabora.yml
@@ -3,7 +3,7 @@ collabora_code_base_path: /srv/storage/collabora/code
collabora_code_instances:
o.skillz.biz:
- version: 6.4.8.1
+ version: 6.4.10.2
port: 8200
hostname: o.skillz.biz
admin:
diff --git a/inventory/host_vars/sk-cloudio/coturn.yml b/inventory/host_vars/sk-cloudio/coturn.yml
index dd749f41..ae4a187c 100644
--- a/inventory/host_vars/sk-cloudio/coturn.yml
+++ b/inventory/host_vars/sk-cloudio/coturn.yml
@@ -1,11 +1,11 @@
---
coturn_base_path: /srv/storage/coturn
-coturn_version: 4.5.2
-coturn_realm: elev8.at
+coturn_version: 4.5.2-r2
+coturn_realm: elevate.at
coturn_hostnames:
- - stun.elev8.at
- - turn.elev8.at
+ - stun.elevate.at
+ - turn.elevate.at
coturn_max_bps: 1048576 ## 8Mbit/s
coturn_bps_capacity: 13107200 ## 100Mbit/s
diff --git a/inventory/host_vars/sk-cloudio/jitsi.yml b/inventory/host_vars/sk-cloudio/jitsi.yml
index 8c593bb5..be279ead 100644
--- a/inventory/host_vars/sk-cloudio/jitsi.yml
+++ b/inventory/host_vars/sk-cloudio/jitsi.yml
@@ -1,8 +1,8 @@
---
jitsi_meet_base_path: /srv/storage/jitsi/meet
-jitsi_meet_version: stable-5390-3
-jitsi_meet_hostname: meet.elev8.at
+jitsi_meet_version: stable-5963
+jitsi_meet_hostname: meet.elevate.at
jitsi_meet_p2p_enable: no
diff --git a/inventory/host_vars/sk-cloudio/keycloak.yml b/inventory/host_vars/sk-cloudio/keycloak.yml
index b9bc445d..92ce73bd 100644
--- a/inventory/host_vars/sk-cloudio/keycloak.yml
+++ b/inventory/host_vars/sk-cloudio/keycloak.yml
@@ -8,7 +8,7 @@ keycloak_zfs:
keycloak_instances:
id.elevate.at:
# new: true
- version: 11.0.3
+ version: 14.0.0
port: 8500
hostname: id.elevate.at
admin:
@@ -18,5 +18,5 @@ keycloak_instances:
quota: 1G
database:
type: mariadb
- version: 10.5.8
+ version: 10.5.11
password: "{{ vault_keycloak_database_passwords['id.elevate.at'] }}"
diff --git a/inventory/host_vars/sk-cloudio/nextcloud.yml b/inventory/host_vars/sk-cloudio/nextcloud.yml
index 80a825b1..d7db2ea5 100644
--- a/inventory/host_vars/sk-cloudio/nextcloud.yml
+++ b/inventory/host_vars/sk-cloudio/nextcloud.yml
@@ -8,7 +8,7 @@ nextcloud_zfs:
nextcloud_instances:
wolke.elevate.at:
# new: true
- version: 21.0.2
+ version: 21.0.3
port: 8100
hostnames:
- wolke.elevate.at
@@ -20,7 +20,7 @@ nextcloud_instances:
password: "{{ vault_nextcloud_database_passwords['wolke.elevate.at'] }}"
insomnia.skillz.biz:
# new: true
- version: 21.0.2
+ version: 21.0.3
port: 8101
hostnames:
- insomnia.skillz.biz
@@ -32,7 +32,7 @@ nextcloud_instances:
password: "{{ vault_nextcloud_database_passwords['insomnia.skillz.biz'] }}"
nc.skillz.biz:
# new: true
- version: 21.0.2
+ version: 21.0.3
port: 8102
hostnames:
- nc.skillz.biz
@@ -44,7 +44,7 @@ nextcloud_instances:
password: "{{ vault_nextcloud_database_passwords['nc.skillz.biz'] }}"
wae.elevate.at:
# new: true
- version: 21.0.2
+ version: 21.0.3
port: 8104
hostnames:
- wae.elevate.at
diff --git a/inventory/host_vars/sk-tomnext-nc.yml b/inventory/host_vars/sk-tomnext-nc.yml
index 9b9b940d..c9f0be3e 100644
--- a/inventory/host_vars/sk-tomnext-nc.yml
+++ b/inventory/host_vars/sk-tomnext-nc.yml
@@ -123,7 +123,7 @@ nextcloud_zfs:
nextcloud_instances:
team.tomwaitz.eu:
# new: true
- version: 21.0.2
+ version: 21.0.3
port: 8100
hostnames:
- team.tomwaitz.eu
@@ -146,7 +146,7 @@ collabora_code_base_path: /srv/storage/collabora/code
collabora_code_instances:
o.tomwaitz.eu:
- version: 6.4.8.1
+ version: 6.4.10.2
port: 8200
hostname: o.tomwaitz.eu
admin: |