From 3e8c0e35d40d5a47a7e84e75979e17820dee8f76 Mon Sep 17 00:00:00 2001 
From: Christian Pointner Date: Mon, 26 Oct 2020 17:10:27 +0100 Subject: don't use main.yml inside group_vars --- inventory/group_vars/accesspoints/main.yml | 177 --------------- inventory/group_vars/accesspoints/vars.yml | 177 +++++++++++++++ inventory/group_vars/all/main.yml | 62 ------ inventory/group_vars/all/vars.yml | 62 ++++++ inventory/group_vars/chaos-at-home-ap/main.yml | 48 ---- inventory/group_vars/chaos-at-home-ap/vars.yml | 48 ++++ .../group_vars/chaos-at-home-switches/main.yml | 15 -- .../group_vars/chaos-at-home-switches/vars.yml | 15 ++ .../group_vars/chaos-at-home-vpn-extern/main.yml | 45 ---- .../group_vars/chaos-at-home-vpn-extern/vars.yml | 45 ++++ inventory/group_vars/chaos-at-home/main.yml | 7 - inventory/group_vars/chaos-at-home/vars.yml | 7 + inventory/group_vars/dellos6/main.yml | 15 -- inventory/group_vars/dellos6/vars.yml | 15 ++ inventory/group_vars/dolmetsch-ctl/main.yml | 150 ------------- inventory/group_vars/dolmetsch-ctl/vars.yml | 150 +++++++++++++ inventory/group_vars/ele-ap/main.yml | 62 ------ inventory/group_vars/ele-ap/vars.yml | 62 ++++++ inventory/group_vars/ele-dolmetsch-ctl/main.yml | 3 - inventory/group_vars/ele-dolmetsch-ctl/vars.yml | 3 + inventory/group_vars/ele-dolmetsch-raspi/main.yml | 5 - inventory/group_vars/ele-dolmetsch-raspi/vars.yml | 5 + inventory/group_vars/ele-infobeamer/main.yml | 12 - inventory/group_vars/ele-infobeamer/vars.yml | 12 + inventory/group_vars/ele-ups/main.yml | 148 ------------- inventory/group_vars/ele-ups/vars.yml | 148 +++++++++++++ inventory/group_vars/elevate-festival/main.yml | 241 --------------------- inventory/group_vars/elevate-festival/vars.yml | 241 +++++++++++++++++++++ inventory/group_vars/elevate/main.yml | 8 - inventory/group_vars/elevate/vars.yml | 8 + inventory/group_vars/emc-xx/main.yml | 5 - inventory/group_vars/emc-xx/vars.yml | 5 + inventory/group_vars/emc/main.yml | 21 -- inventory/group_vars/emc/vars.yml | 21 ++ inventory/group_vars/hcloud/main.yml | 2 - 
inventory/group_vars/hcloud/vars.yml | 2 + inventory/group_vars/hetzner/main.yml | 6 - inventory/group_vars/hetzner/vars.yml | 6 + inventory/group_vars/hroot/main.yml | 2 - inventory/group_vars/hroot/vars.yml | 2 + inventory/group_vars/k8s-emc/main.yml | 54 ----- inventory/group_vars/k8s-emc/vars.yml | 54 +++++ inventory/group_vars/k8s-lwl/main.yml | 51 ----- inventory/group_vars/k8s-lwl/vars.yml | 51 +++++ inventory/group_vars/kvmguests/main.yml | 3 - inventory/group_vars/kvmguests/vars.yml | 3 + inventory/group_vars/kvmhosts/main.yml | 2 - inventory/group_vars/kvmhosts/vars.yml | 2 + inventory/group_vars/lendwirbel-live-xx/main.yml | 2 - inventory/group_vars/lendwirbel-live-xx/vars.yml | 2 + inventory/group_vars/lendwirbel-live/main.yml | 28 --- inventory/group_vars/lendwirbel-live/vars.yml | 28 +++ inventory/group_vars/realraum/main.yml | 2 - inventory/group_vars/realraum/vars.yml | 2 + inventory/group_vars/skillz/main.yml | 12 - inventory/group_vars/skillz/vars.yml | 12 + inventory/group_vars/spreadspace/main.yml | 8 - inventory/group_vars/spreadspace/vars.yml | 8 + inventory/group_vars/vmhost-ch-atlas/main.yml | 27 --- inventory/group_vars/vmhost-ch-atlas/vars.yml | 27 +++ inventory/group_vars/vmhost-ch-gnocchi/main.yml | 25 --- inventory/group_vars/vmhost-ch-gnocchi/vars.yml | 25 +++ inventory/group_vars/vmhost-ch-prometheus/main.yml | 31 --- inventory/group_vars/vmhost-ch-prometheus/vars.yml | 31 +++ inventory/group_vars/vmhost-sk-2019vm/main.yml | 36 --- inventory/group_vars/vmhost-sk-2019vm/vars.yml | 36 +++ inventory/group_vars/vmhost-sk-tomnext/main.yml | 28 --- inventory/group_vars/vmhost-sk-tomnext/vars.yml | 28 +++ 68 files changed, 1343 insertions(+), 1343 deletions(-) delete mode 100644 inventory/group_vars/accesspoints/main.yml create mode 100644 inventory/group_vars/accesspoints/vars.yml delete mode 100644 inventory/group_vars/all/main.yml create mode 100644 inventory/group_vars/all/vars.yml delete mode 100644 
inventory/group_vars/chaos-at-home-ap/main.yml create mode 100644 inventory/group_vars/chaos-at-home-ap/vars.yml delete mode 100644 inventory/group_vars/chaos-at-home-switches/main.yml create mode 100644 inventory/group_vars/chaos-at-home-switches/vars.yml delete mode 100644 inventory/group_vars/chaos-at-home-vpn-extern/main.yml create mode 100644 inventory/group_vars/chaos-at-home-vpn-extern/vars.yml delete mode 100644 inventory/group_vars/chaos-at-home/main.yml create mode 100644 inventory/group_vars/chaos-at-home/vars.yml delete mode 100644 inventory/group_vars/dellos6/main.yml create mode 100644 inventory/group_vars/dellos6/vars.yml delete mode 100644 inventory/group_vars/dolmetsch-ctl/main.yml create mode 100644 inventory/group_vars/dolmetsch-ctl/vars.yml delete mode 100644 inventory/group_vars/ele-ap/main.yml create mode 100644 inventory/group_vars/ele-ap/vars.yml delete mode 100644 inventory/group_vars/ele-dolmetsch-ctl/main.yml create mode 100644 inventory/group_vars/ele-dolmetsch-ctl/vars.yml delete mode 100644 inventory/group_vars/ele-dolmetsch-raspi/main.yml create mode 100644 inventory/group_vars/ele-dolmetsch-raspi/vars.yml delete mode 100644 inventory/group_vars/ele-infobeamer/main.yml create mode 100644 inventory/group_vars/ele-infobeamer/vars.yml delete mode 100644 inventory/group_vars/ele-ups/main.yml create mode 100644 inventory/group_vars/ele-ups/vars.yml delete mode 100644 inventory/group_vars/elevate-festival/main.yml create mode 100644 inventory/group_vars/elevate-festival/vars.yml delete mode 100644 inventory/group_vars/elevate/main.yml create mode 100644 inventory/group_vars/elevate/vars.yml delete mode 100644 inventory/group_vars/emc-xx/main.yml create mode 100644 inventory/group_vars/emc-xx/vars.yml delete mode 100644 inventory/group_vars/emc/main.yml create mode 100644 inventory/group_vars/emc/vars.yml delete mode 100644 inventory/group_vars/hcloud/main.yml create mode 100644 inventory/group_vars/hcloud/vars.yml delete mode 100644 
inventory/group_vars/hetzner/main.yml create mode 100644 inventory/group_vars/hetzner/vars.yml delete mode 100644 inventory/group_vars/hroot/main.yml create mode 100644 inventory/group_vars/hroot/vars.yml delete mode 100644 inventory/group_vars/k8s-emc/main.yml create mode 100644 inventory/group_vars/k8s-emc/vars.yml delete mode 100644 inventory/group_vars/k8s-lwl/main.yml create mode 100644 inventory/group_vars/k8s-lwl/vars.yml delete mode 100644 inventory/group_vars/kvmguests/main.yml create mode 100644 inventory/group_vars/kvmguests/vars.yml delete mode 100644 inventory/group_vars/kvmhosts/main.yml create mode 100644 inventory/group_vars/kvmhosts/vars.yml delete mode 100644 inventory/group_vars/lendwirbel-live-xx/main.yml create mode 100644 inventory/group_vars/lendwirbel-live-xx/vars.yml delete mode 100644 inventory/group_vars/lendwirbel-live/main.yml create mode 100644 inventory/group_vars/lendwirbel-live/vars.yml delete mode 100644 inventory/group_vars/realraum/main.yml create mode 100644 inventory/group_vars/realraum/vars.yml delete mode 100644 inventory/group_vars/skillz/main.yml create mode 100644 inventory/group_vars/skillz/vars.yml delete mode 100644 inventory/group_vars/spreadspace/main.yml create mode 100644 inventory/group_vars/spreadspace/vars.yml delete mode 100644 inventory/group_vars/vmhost-ch-atlas/main.yml create mode 100644 inventory/group_vars/vmhost-ch-atlas/vars.yml delete mode 100644 inventory/group_vars/vmhost-ch-gnocchi/main.yml create mode 100644 inventory/group_vars/vmhost-ch-gnocchi/vars.yml delete mode 100644 inventory/group_vars/vmhost-ch-prometheus/main.yml create mode 100644 inventory/group_vars/vmhost-ch-prometheus/vars.yml delete mode 100644 inventory/group_vars/vmhost-sk-2019vm/main.yml create mode 100644 inventory/group_vars/vmhost-sk-2019vm/vars.yml delete mode 100644 inventory/group_vars/vmhost-sk-tomnext/main.yml create mode 100644 inventory/group_vars/vmhost-sk-tomnext/vars.yml 
diff --git a/inventory/group_vars/accesspoints/main.yml b/inventory/group_vars/accesspoints/main.yml deleted file mode 100644 index 704dcbf3..00000000 --- a/inventory/group_vars/accesspoints/main.yml +++ /dev/null 
@@ -1,177 +0,0 @@ ---- -accesspoint_wired_interface: eth0 -accesspoint_wireless_device_paths: - 2g4: "platform/qca956x_wmac" - 5g: "pci0000:00/0000:00:00.0" - -accesspoint_wireless_frequencies: - - 2g4 - - 5g - - -accesspoint_network_base: - - name: globals 'globals' - options: - ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" - - - name: interface 'loopback' - options: - ifname: lo - proto: static - ipaddr: 127.0.0.1 - netmask: 255.0.0.0 - - - name: interface 'mgmt' - options: - ifname: "{{ accesspoint_wired_interface }}{% if 'vlan' in network_mgmt_zone %}.{{ network_mgmt_zone.vlan }}{% endif %}" - accept_ra: 0 - proto: static - ipaddr: "{{ network_mgmt_zone.prefix | ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ipaddr('address') }}" - netmask: "{{ network_mgmt_zone.prefix | ipaddr('netmask') }}" - -accesspoint_network_zones: {} - - -accesspoint_wireless_devices: - - name: wifi-device 'radio5g' - options: - type: 'mac80211' - channel: "{{ accesspoint_wifi_channels['5g'][inventory_hostname] }}" - hwmode: '11a' - country: AT - path: "{{ accesspoint_wireless_device_paths['5g'] }}" - htmode: 'VHT80' - - - name: wifi-device 'radio2g4' - options: - type: 'mac80211' - channel: "{{ accesspoint_wifi_channels['2g4'][inventory_hostname] }}" - hwmode: '11g' - country: AT - path: "{{ accesspoint_wireless_device_paths['2g4'] }}" - htmode: 'HT20' - -accesspoint_wireless_ifaces: {} - - -openwrt_variant: openwrt -openwrt_release: 19.07.1 -openwrt_arch: ar71xx -openwrt_target: generic -openwrt_profile: ubnt-unifiac-lite -openwrt_output_image_suffixes: - - "{{ openwrt_target }}-{{ openwrt_profile }}-squashfs-sysupgrade.bin" - -openwrt_packages_remove: - - ppp - - ppp-mod-pppoe - - dnsmasq - - firewall - - odhcpd - - odhcpd-ipv6only -openwrt_packages_add: - - haveged - - htop - - ip - - less - - nano - - tcpdump-mini - - horst 
- -openwrt_mixin: - /etc/sysctl.conf: - content: | - # Defaults are configured in /etc/sysctl.d/* and can be customized in this file - # - # disable IP forwarding, we don't need it since we are - # only an AP that bridges VLANs to Wifi SSIDs - net.ipv4.conf.default.forwarding=0 - net.ipv4.conf.all.forwarding=0 - net.ipv4.ip_forward=0 - net.ipv6.conf.default.forwarding=0 - net.ipv6.conf.all.forwarding=0 - - /etc/dropbear/authorized_keys: - content: "{{ ssh_keys_root | join('\n') }}\n" - - /etc/htoprc: - file: "{{ global_files_dir }}/common/htoprc" - - /etc/rc.d/S22network-fw: - link: "../init.d/network-fw" - - /etc/rc.d/K91network-fw: - link: "../init.d/network-fw" - - /etc/init.d/network-fw: - mode: "0755" - content: | - #!/bin/sh /etc/rc.common - - START=22 - STOP=91 - - MGMT_IF=$(uci get network.mgmt.ifname) - MGMT_IPADDR=$(uci get network.mgmt.ipaddr) - MGMT_NETMASK=$(uci get network.mgmt.netmask) - - start() { - iptables -A INPUT -i lo -j ACCEPT - iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT - iptables -P INPUT DROP - iptables -P FORWARD DROP - } - - stop() { - iptables -P INPUT ACCEPT - iptables -F INPUT - iptables -P FORWARD ACCEPT - } - - /usr/bin/list-stations: - mode: "0755" - content: | - #!/bin/sh - - interfaces=$(iw dev | grep "Interface " | awk '{ print($2) }' | sort) - - for interface in $interfaces; do - essid=$(iw $interface info | grep "ssid " | awk '{ print($2) }') - bssid=$(iw $interface info | grep "addr " | awk '{ print($2) }') - echo "$interface ($bssid, ssid: $essid)" - iw $interface station dump | grep "^Station" | awk '{ print(" - "$2) }'; - echo ""; - done - - exit 0 - - -openwrt_uci: - system: - - name: system - options: - hostname: '{{ inventory_hostname }}' - timezone: 'CET-1CEST,M3.5.0,M10.5.0/3' - ttylogin: '0' - log_size: '64' - urandom_seed: '0' - - - name: timeserver 'ntp' - options: - enabled: '1' - enable_server: '0' - server: - - '0.lede.pool.ntp.org' - - '1.lede.pool.ntp.org' - - 
'2.lede.pool.ntp.org' - - '3.lede.pool.ntp.org' - - dropbear: - - name: dropbear - options: - PasswordAuth: 'off' - RootPasswordAuth: 'off' - Port: '{{ ansible_port }}' - - network: "{{ accesspoint_network_base + accesspoint_network_zones }}" - wireless: "{{ accesspoint_wireless_devices + accesspoint_wireless_ifaces }}" diff --git a/inventory/group_vars/accesspoints/vars.yml b/inventory/group_vars/accesspoints/vars.yml new file mode 100644 index 00000000..704dcbf3 --- /dev/null +++ b/inventory/group_vars/accesspoints/vars.yml 
@@ -0,0 +1,177 @@ +--- +accesspoint_wired_interface: eth0 +accesspoint_wireless_device_paths: + 2g4: "platform/qca956x_wmac" + 5g: "pci0000:00/0000:00:00.0" + +accesspoint_wireless_frequencies: + - 2g4 + - 5g + + +accesspoint_network_base: + - name: globals 'globals' + options: + ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" + + - name: interface 'loopback' + options: + ifname: lo + proto: static + ipaddr: 127.0.0.1 + netmask: 255.0.0.0 + + - name: interface 'mgmt' + options: + ifname: "{{ accesspoint_wired_interface }}{% if 'vlan' in network_mgmt_zone %}.{{ network_mgmt_zone.vlan }}{% endif %}" + accept_ra: 0 + proto: static + ipaddr: "{{ network_mgmt_zone.prefix | ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ipaddr('address') }}" + netmask: "{{ network_mgmt_zone.prefix | ipaddr('netmask') }}" + +accesspoint_network_zones: {} + + +accesspoint_wireless_devices: + - name: wifi-device 'radio5g' + options: + type: 'mac80211' + channel: "{{ accesspoint_wifi_channels['5g'][inventory_hostname] }}" + hwmode: '11a' + country: AT + path: "{{ accesspoint_wireless_device_paths['5g'] }}" + htmode: 'VHT80' + + - name: wifi-device 'radio2g4' + options: + type: 'mac80211' + channel: "{{ accesspoint_wifi_channels['2g4'][inventory_hostname] }}" + hwmode: '11g' + country: AT + path: "{{ accesspoint_wireless_device_paths['2g4'] }}" + htmode: 'HT20' + +accesspoint_wireless_ifaces: {} + + +openwrt_variant: openwrt +openwrt_release: 19.07.1 +openwrt_arch: ar71xx +openwrt_target: generic +openwrt_profile: ubnt-unifiac-lite +openwrt_output_image_suffixes: + - "{{ openwrt_target }}-{{ openwrt_profile }}-squashfs-sysupgrade.bin" + +openwrt_packages_remove: + - ppp + - ppp-mod-pppoe + - dnsmasq + - firewall + - odhcpd + - odhcpd-ipv6only +openwrt_packages_add: + - haveged + - htop + - ip + - less + - nano + - tcpdump-mini + - horst 
+ +openwrt_mixin: + /etc/sysctl.conf: + content: | + # Defaults are configured in /etc/sysctl.d/* and can be customized in this file + # + # disable IP forwarding, we don't need it since we are + # only an AP that bridges VLANs to Wifi SSIDs + net.ipv4.conf.default.forwarding=0 + net.ipv4.conf.all.forwarding=0 + net.ipv4.ip_forward=0 + net.ipv6.conf.default.forwarding=0 + net.ipv6.conf.all.forwarding=0 + + /etc/dropbear/authorized_keys: + content: "{{ ssh_keys_root | join('\n') }}\n" + + /etc/htoprc: + file: "{{ global_files_dir }}/common/htoprc" + + /etc/rc.d/S22network-fw: + link: "../init.d/network-fw" + + /etc/rc.d/K91network-fw: + link: "../init.d/network-fw" + + /etc/init.d/network-fw: + mode: "0755" + content: | + #!/bin/sh /etc/rc.common + + START=22 + STOP=91 + + MGMT_IF=$(uci get network.mgmt.ifname) + MGMT_IPADDR=$(uci get network.mgmt.ipaddr) + MGMT_NETMASK=$(uci get network.mgmt.netmask) + + start() { + iptables -A INPUT -i lo -j ACCEPT + iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT + iptables -P INPUT DROP + iptables -P FORWARD DROP + } + + stop() { + iptables -P INPUT ACCEPT + iptables -F INPUT + iptables -P FORWARD ACCEPT + } + + /usr/bin/list-stations: + mode: "0755" + content: | + #!/bin/sh + + interfaces=$(iw dev | grep "Interface " | awk '{ print($2) }' | sort) + + for interface in $interfaces; do + essid=$(iw $interface info | grep "ssid " | awk '{ print($2) }') + bssid=$(iw $interface info | grep "addr " | awk '{ print($2) }') + echo "$interface ($bssid, ssid: $essid)" + iw $interface station dump | grep "^Station" | awk '{ print(" - "$2) }'; + echo ""; + done + + exit 0 + + +openwrt_uci: + system: + - name: system + options: + hostname: '{{ inventory_hostname }}' + timezone: 'CET-1CEST,M3.5.0,M10.5.0/3' + ttylogin: '0' + log_size: '64' + urandom_seed: '0' + + - name: timeserver 'ntp' + options: + enabled: '1' + enable_server: '0' + server: + - '0.lede.pool.ntp.org' + - '1.lede.pool.ntp.org' + - 
'2.lede.pool.ntp.org' + - '3.lede.pool.ntp.org' + + dropbear: + - name: dropbear + options: + PasswordAuth: 'off' + RootPasswordAuth: 'off' + Port: '{{ ansible_port }}' + + network: "{{ accesspoint_network_base + accesspoint_network_zones }}" + wireless: "{{ accesspoint_wireless_devices + accesspoint_wireless_ifaces }}" diff --git a/inventory/group_vars/all/main.yml b/inventory/group_vars/all/main.yml deleted file mode 100644 index 540c4a3e..00000000 --- a/inventory/group_vars/all/main.yml +++ /dev/null @@ -1,62 +0,0 @@ ---- -# Build-related directories -global_artifacts_dir: "{{ inventory_dir }}/../artifacts" -global_cache_dir: "{{ inventory_dir }}/../.cache" - -# Directory for static assets -global_files_dir: "{{ inventory_dir }}/../files" - - -ssh_users_root: - - equinox -ssh_keys_root: "{{ ssh_users_root | default([]) | map('extract', users) | map(attribute='ssh') | flatten | list }}" -ssh_keys_root_extra: [] - -admin_users_host: [] -sshd_allowusers_host: "{{ admin_users_host }}" - -admin_users_group: [] -sshd_allowusers_group: "{{ admin_users_group }}" - - -apt_repo_provider: default -apt_repo_providers: - default: - debian: - host: deb.debian.org - path: /debian - debian_security: - host: deb.debian.org - path: /debian-security - debian_archive: - host: archive.debian.org - path: /debian - ubuntu: - host: archive.ubuntu.com - path: /ubuntu - hetzner: - debian: - host: mirror.hetzner.de - path: /debian/packages - debian_security: - host: mirror.hetzner.de - path: /debian/security - debian_archive: - host: archive.debian.org - path: /debian - ubuntu: - host: mirror.hetzner.de - path: /ubuntu/packages - ffgraz: - debian: - host: debian.ffgraz.net - path: /debian - debian_security: - host: debian.ffgraz.net - path: /debian-security - debian_archive: - host: debian.ffgraz.net - path: /archive - ubuntu: - host: debian.ffgraz.net - path: /ubuntu 
diff --git a/inventory/group_vars/all/vars.yml b/inventory/group_vars/all/vars.yml new file mode 100644 index 00000000..540c4a3e --- /dev/null +++ b/inventory/group_vars/all/vars.yml @@ -0,0 +1,62 @@ +--- +# Build-related directories +global_artifacts_dir: "{{ inventory_dir }}/../artifacts" +global_cache_dir: "{{ inventory_dir }}/../.cache" + +# Directory for static assets +global_files_dir: "{{ inventory_dir }}/../files" + + +ssh_users_root: + - equinox +ssh_keys_root: "{{ ssh_users_root | default([]) | map('extract', users) | map(attribute='ssh') | flatten | list }}" +ssh_keys_root_extra: [] + +admin_users_host: [] +sshd_allowusers_host: "{{ admin_users_host }}" + +admin_users_group: [] +sshd_allowusers_group: "{{ admin_users_group }}" + + +apt_repo_provider: default +apt_repo_providers: + default: + debian: + host: deb.debian.org + path: /debian + debian_security: + host: deb.debian.org + path: /debian-security + debian_archive: + host: archive.debian.org + path: /debian + ubuntu: + host: archive.ubuntu.com + path: /ubuntu + hetzner: + debian: + host: mirror.hetzner.de + path: /debian/packages + debian_security: + host: mirror.hetzner.de + path: /debian/security + debian_archive: + host: archive.debian.org + path: /debian + ubuntu: + host: mirror.hetzner.de + path: /ubuntu/packages + ffgraz: + debian: + host: debian.ffgraz.net + path: /debian + debian_security: + host: debian.ffgraz.net + path: /debian-security + debian_archive: + host: debian.ffgraz.net + path: /archive + ubuntu: + host: debian.ffgraz.net + path: /ubuntu diff --git a/inventory/group_vars/chaos-at-home-ap/main.yml b/inventory/group_vars/chaos-at-home-ap/main.yml deleted file mode 100644 index eb05dfad..00000000 --- a/inventory/group_vars/chaos-at-home-ap/main.yml +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -network_mgmt_zone: "{{ network_zones.mgmt }}" - -accesspoint_wifi_channels: - 2g4: - ch-ap0: 5 - ch-ap1: 13 - 5g: - ch-ap0: 36 - ch-ap1: 48 - -accesspoint_zones: - lan: "{{ network_zones.lan.wifi }}" - iot: "{{ network_zones.iot.wifi }}" - - -accesspoint_network_zones: "{{ accesspoint_network_zones_yaml | from_yaml }}" -accesspoint_network_zones_yaml: | - {% for zone_name in accesspoint_zones.keys() %} - - name: "interface '{{ zone_name }}'" - options: - type: bridge - ifname: "{{ accesspoint_wired_interface }}.{{ network_zones[zone_name].vlan }}" - accept_ra: 0 - proto: none - {% endfor %} - - -## TODO: set up 802.11r see: -## * https://www.reddit.com/r/openwrt/comments/515oea/finally_got_80211r_roaming_working/ -## * https://gist.github.com/lg/998d3e908d547bd9972a6bb604df377b -accesspoint_wireless_ifaces: "{{ accesspoint_wireless_ifaces_yaml | from_yaml }}" -accesspoint_wireless_ifaces_yaml: | - {% for zone in accesspoint_zones.keys() %} - {% for freq in accesspoint_wireless_frequencies %} - - name: wifi-iface '{{ zone }}{{ freq }}' - options: - device: 'radio{{ freq }}' - network: '{{ zone }}' - mode: 'ap' - disassoc_low_ack: '1' - rsn_preauth: '1' - ssid: '{{ accesspoint_zones[zone].ssid }}' - encryption: '{{ accesspoint_zones[zone].encryption }}' - key: '{{ accesspoint_zones[zone].key }}' - {% endfor %} - {% endfor %} - diff --git a/inventory/group_vars/chaos-at-home-ap/vars.yml b/inventory/group_vars/chaos-at-home-ap/vars.yml new file mode 100644 index 00000000..eb05dfad --- /dev/null +++ b/inventory/group_vars/chaos-at-home-ap/vars.yml 
@@ -0,0 +1,48 @@ +--- +network_mgmt_zone: "{{ network_zones.mgmt }}" + +accesspoint_wifi_channels: + 2g4: + ch-ap0: 5 + ch-ap1: 13 + 5g: + ch-ap0: 36 + ch-ap1: 48 + +accesspoint_zones: + lan: "{{ network_zones.lan.wifi }}" + iot: "{{ network_zones.iot.wifi }}" + + +accesspoint_network_zones: "{{ accesspoint_network_zones_yaml | from_yaml }}" +accesspoint_network_zones_yaml: | + {% for zone_name in accesspoint_zones.keys() %} + - name: "interface '{{ zone_name }}'" + options: + type: bridge + ifname: "{{ accesspoint_wired_interface }}.{{ network_zones[zone_name].vlan }}" + accept_ra: 0 + proto: none + {% endfor %} + + +## TODO: set up 802.11r see: +## * https://www.reddit.com/r/openwrt/comments/515oea/finally_got_80211r_roaming_working/ +## * https://gist.github.com/lg/998d3e908d547bd9972a6bb604df377b +accesspoint_wireless_ifaces: "{{ accesspoint_wireless_ifaces_yaml | from_yaml }}" +accesspoint_wireless_ifaces_yaml: | + {% for zone in accesspoint_zones.keys() %} + {% for freq in accesspoint_wireless_frequencies %} + - name: wifi-iface '{{ zone }}{{ freq }}' + options: + device: 'radio{{ freq }}' + network: '{{ zone }}' + mode: 'ap' + disassoc_low_ack: '1' + rsn_preauth: '1' + ssid: '{{ accesspoint_zones[zone].ssid }}' + encryption: '{{ accesspoint_zones[zone].encryption }}' + key: '{{ accesspoint_zones[zone].key }}' + {% endfor %} + {% endfor %} + diff --git a/inventory/group_vars/chaos-at-home-switches/main.yml b/inventory/group_vars/chaos-at-home-switches/main.yml deleted file mode 100644 index fb72c9b1..00000000 --- a/inventory/group_vars/chaos-at-home-switches/main.yml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -switch_mgmt_zone: "{{ network_zones.mgmt }}" -switch_mgmt_interface: "Gi1/0/28" - -switch_vlans: "{{ switch_vlans_yaml | from_yaml }}" -switch_vlans_yaml: | - {% for zone_name in network_zones.keys() %} - - name: "{{ zone_name }}" - id: "{{ network_zones[zone_name].vlan }}" - {% endfor %} - -switch_interfaces: "{{ switch_interfaces_yaml | from_yaml }}" -switch_interfaces_yaml: | - - spec: range Gi1/0/1-27 - vlan: {{ network_zones['lan'].vlan }} diff --git a/inventory/group_vars/chaos-at-home-switches/vars.yml b/inventory/group_vars/chaos-at-home-switches/vars.yml new file mode 100644 index 00000000..fb72c9b1 --- /dev/null +++ b/inventory/group_vars/chaos-at-home-switches/vars.yml @@ -0,0 +1,15 @@ +--- +switch_mgmt_zone: "{{ network_zones.mgmt }}" +switch_mgmt_interface: "Gi1/0/28" + +switch_vlans: "{{ switch_vlans_yaml | from_yaml }}" +switch_vlans_yaml: | + {% for zone_name in network_zones.keys() %} + - name: "{{ zone_name }}" + id: "{{ network_zones[zone_name].vlan }}" + {% endfor %} + +switch_interfaces: "{{ switch_interfaces_yaml | from_yaml }}" +switch_interfaces_yaml: | + - spec: range Gi1/0/1-27 + vlan: {{ network_zones['lan'].vlan }} diff --git a/inventory/group_vars/chaos-at-home-vpn-extern/main.yml b/inventory/group_vars/chaos-at-home-vpn-extern/main.yml deleted file mode 100644 index 2ada0a35..00000000 --- a/inventory/group_vars/chaos-at-home-vpn-extern/main.yml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -openvpn_ca_certificate: | - -----BEGIN CERTIFICATE----- - MIIG8TCCBNmgAwIBAgIJAOGcXf3qnvfBMA0GCSqGSIb3DQEBCwUAMIGrMQswCQYD - VQQGEwJBVDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYDVQQK - Ew1jaGFvcyBhdCBob21lMQ8wDQYDVQQLEwZzeXNvcHMxGTAXBgNVBAMTEGNoYW9z - IGF0IGhvbWUgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEWF2Fk - bWluQGNoYW9zLWF0LWhvbWUub3JnMB4XDTE1MDUwMjAxMDQ0NFoXDTI1MDQyOTAx - MDQ0NFowgasxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcT - BEdyYXoxFjAUBgNVBAoTDWNoYW9zIGF0IGhvbWUxDzANBgNVBAsTBnN5c29wczEZ - MBcGA1UEAxMQY2hhb3MgYXQgaG9tZSBDQTEQMA4GA1UEKRMHRWFzeVJTQTEmMCQG - CSqGSIb3DQEJARYXYWRtaW5AY2hhb3MtYXQtaG9tZS5vcmcwggIiMA0GCSqGSIb3 - DQEBAQUAA4ICDwAwggIKAoICAQCz+MrezJ744nzWHV1LqjnWOtthbHQ4bNv3odbu - bOJlyL3HLIzmJ4lRLvgDPpZKQP46XlvxNsDbwMlLCXgiaKZh3Y/WhM1wixE0t4SK - 132S2jDa1rIP4x37G/na7Q/QLPSkB7qCzo7herYizFU5FmGLxIIMUEYDQ8ryEkrl - ZZ5YG583gLX4prJ6gyeP8gyitA6VK+zGoAzjA7+gpQqM7HdtQtHWYKpuaPnqL8G0 - nCBCNyZVPLDRaYzT1RP6uittotXwBZ5+2ox1EubG3u+Insk11ydTmRubodB+DLaq - QRpzj2zbInd9s2FDZonSOhzLiRwg2Hkshs+NKTIf1K3eD6q6ts/83hdmYWPT/uAD - e7l0Py1FRc/5cQwPxdGGzo/q604oAyXEeXwHzrrVIZF1SrC33wTDtCn5PqLL/92t - E3sCyCAQNuGP4bLL8tMYOvzYuhurPzFlV/ijpDXc+GWdpeAf00g8m1ZLBFUuFLAy - Ymx/zgN7WOheBPqJSrt/l00k+FjSi3A++iGYFD9ro52jfDctV6j//Qv5HhEDgOi4 - UtvC3A02bb44IB7255pC1cZ8VCe7VGHIV40DwHt1103jRhDflicP9mDgicP2YquF - bM3aSjmxkhx1lkUUfbJpHRdiIcjaSazhWwUGIYCV5dDNqs/bwSuWXp5TXuUd5YLR - pIDaaQIDAQABo4IBFDCCARAwHQYDVR0OBBYEFOBTIefcIZSf3fW3IMVZWhzv6B8F - MIHgBgNVHSMEgdgwgdWAFOBTIefcIZSf3fW3IMVZWhzv6B8FoYGxpIGuMIGrMQsw - CQYDVQQGEwJBVDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYD - VQQKEw1jaGFvcyBhdCBob21lMQ8wDQYDVQQLEwZzeXNvcHMxGTAXBgNVBAMTEGNo - YW9zIGF0IGhvbWUgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEW - F2FkbWluQGNoYW9zLWF0LWhvbWUub3JnggkA4Zxd/eqe98EwDAYDVR0TBAUwAwEB - /zANBgkqhkiG9w0BAQsFAAOCAgEAJRsbExbfH/8EwAFwRlzXQaBocQvEISvnI50e - LDNv8uqWEdxQRXflD9BwzSivVeV5iNqspzwDETMTkj+ZDHA/gHJogR3Tl3jupQ2H - 
S0GBSfzv/2LeOGM88WfvOqLix9aKRhBvKPgzvm0ythD5+BA+pHoO/Hi6QxZQosMU - zBMcYZwASoOGn7jDDaXAtymyMl9SYHASPc15i3tYUHQrnZHl0vunJS6yTCHcOxOw - bd7ZNSyvLWF4mymE7tFFXtQ0g6mFX41wyRX0YAXYnV6qHGaFg81PO9wwSYRE90eq - nalqFM+8Q8G+avVlpbVN956S/SxaJzZZMrwBFOWgf09epO6ULjKQ2efoYQhCUHJo - xx3KkZhYIlqYlQ67cOlKHry4rNIZissUHFrVSYtsQG+F2PvIgmY5sefCNWujUj3m - 9R5o9p1ox4SNt0XuIh92xLLv9AKhSKaI0eMh07hZFT1RnoO6I35QPtVI7bqx8ryT - Hgd5pnSvdySd1JUDS8D/W0BTkPmDhjMad4GNAGpKhvNumZqOFTw3IeSN+oWWMhYt - z4mYklW/xDdkbFHoaZK0FFlJl6aM+qGNoOarRx1XlA+jT5GQl5ZbIVDENfRJBEt4 - 63sa1VvytDA7qx61roJ2jnZPZPnxbSGCgljEbgjb0LKSddOFx+sgqzc1c8KgmOlf - 6XrTyAc= - -----END CERTIFICATE----- - -openvpn_dhparams: "{{ vault_openvpn_dhparams }}" -openvpn_ta_key: "{{ vault_openvpn_ta_key }}" diff --git a/inventory/group_vars/chaos-at-home-vpn-extern/vars.yml b/inventory/group_vars/chaos-at-home-vpn-extern/vars.yml new file mode 100644 index 00000000..2ada0a35 --- /dev/null +++ b/inventory/group_vars/chaos-at-home-vpn-extern/vars.yml 
@@ -0,0 +1,45 @@ +--- +openvpn_ca_certificate: | + -----BEGIN CERTIFICATE----- + MIIG8TCCBNmgAwIBAgIJAOGcXf3qnvfBMA0GCSqGSIb3DQEBCwUAMIGrMQswCQYD + VQQGEwJBVDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYDVQQK + Ew1jaGFvcyBhdCBob21lMQ8wDQYDVQQLEwZzeXNvcHMxGTAXBgNVBAMTEGNoYW9z + IGF0IGhvbWUgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEWF2Fk + bWluQGNoYW9zLWF0LWhvbWUub3JnMB4XDTE1MDUwMjAxMDQ0NFoXDTI1MDQyOTAx + MDQ0NFowgasxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcT + BEdyYXoxFjAUBgNVBAoTDWNoYW9zIGF0IGhvbWUxDzANBgNVBAsTBnN5c29wczEZ + MBcGA1UEAxMQY2hhb3MgYXQgaG9tZSBDQTEQMA4GA1UEKRMHRWFzeVJTQTEmMCQG + CSqGSIb3DQEJARYXYWRtaW5AY2hhb3MtYXQtaG9tZS5vcmcwggIiMA0GCSqGSIb3 + DQEBAQUAA4ICDwAwggIKAoICAQCz+MrezJ744nzWHV1LqjnWOtthbHQ4bNv3odbu + bOJlyL3HLIzmJ4lRLvgDPpZKQP46XlvxNsDbwMlLCXgiaKZh3Y/WhM1wixE0t4SK + 132S2jDa1rIP4x37G/na7Q/QLPSkB7qCzo7herYizFU5FmGLxIIMUEYDQ8ryEkrl + ZZ5YG583gLX4prJ6gyeP8gyitA6VK+zGoAzjA7+gpQqM7HdtQtHWYKpuaPnqL8G0 + nCBCNyZVPLDRaYzT1RP6uittotXwBZ5+2ox1EubG3u+Insk11ydTmRubodB+DLaq + QRpzj2zbInd9s2FDZonSOhzLiRwg2Hkshs+NKTIf1K3eD6q6ts/83hdmYWPT/uAD + e7l0Py1FRc/5cQwPxdGGzo/q604oAyXEeXwHzrrVIZF1SrC33wTDtCn5PqLL/92t + E3sCyCAQNuGP4bLL8tMYOvzYuhurPzFlV/ijpDXc+GWdpeAf00g8m1ZLBFUuFLAy + Ymx/zgN7WOheBPqJSrt/l00k+FjSi3A++iGYFD9ro52jfDctV6j//Qv5HhEDgOi4 + UtvC3A02bb44IB7255pC1cZ8VCe7VGHIV40DwHt1103jRhDflicP9mDgicP2YquF + bM3aSjmxkhx1lkUUfbJpHRdiIcjaSazhWwUGIYCV5dDNqs/bwSuWXp5TXuUd5YLR + pIDaaQIDAQABo4IBFDCCARAwHQYDVR0OBBYEFOBTIefcIZSf3fW3IMVZWhzv6B8F + MIHgBgNVHSMEgdgwgdWAFOBTIefcIZSf3fW3IMVZWhzv6B8FoYGxpIGuMIGrMQsw + CQYDVQQGEwJBVDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYD + VQQKEw1jaGFvcyBhdCBob21lMQ8wDQYDVQQLEwZzeXNvcHMxGTAXBgNVBAMTEGNo + YW9zIGF0IGhvbWUgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEW + F2FkbWluQGNoYW9zLWF0LWhvbWUub3JnggkA4Zxd/eqe98EwDAYDVR0TBAUwAwEB + /zANBgkqhkiG9w0BAQsFAAOCAgEAJRsbExbfH/8EwAFwRlzXQaBocQvEISvnI50e + LDNv8uqWEdxQRXflD9BwzSivVeV5iNqspzwDETMTkj+ZDHA/gHJogR3Tl3jupQ2H + 
S0GBSfzv/2LeOGM88WfvOqLix9aKRhBvKPgzvm0ythD5+BA+pHoO/Hi6QxZQosMU + zBMcYZwASoOGn7jDDaXAtymyMl9SYHASPc15i3tYUHQrnZHl0vunJS6yTCHcOxOw + bd7ZNSyvLWF4mymE7tFFXtQ0g6mFX41wyRX0YAXYnV6qHGaFg81PO9wwSYRE90eq + nalqFM+8Q8G+avVlpbVN956S/SxaJzZZMrwBFOWgf09epO6ULjKQ2efoYQhCUHJo + xx3KkZhYIlqYlQ67cOlKHry4rNIZissUHFrVSYtsQG+F2PvIgmY5sefCNWujUj3m + 9R5o9p1ox4SNt0XuIh92xLLv9AKhSKaI0eMh07hZFT1RnoO6I35QPtVI7bqx8ryT + Hgd5pnSvdySd1JUDS8D/W0BTkPmDhjMad4GNAGpKhvNumZqOFTw3IeSN+oWWMhYt + z4mYklW/xDdkbFHoaZK0FFlJl6aM+qGNoOarRx1XlA+jT5GQl5ZbIVDENfRJBEt4 + 63sa1VvytDA7qx61roJ2jnZPZPnxbSGCgljEbgjb0LKSddOFx+sgqzc1c8KgmOlf + 6XrTyAc= + -----END CERTIFICATE----- + +openvpn_dhparams: "{{ vault_openvpn_dhparams }}" +openvpn_ta_key: "{{ vault_openvpn_ta_key }}" diff --git a/inventory/group_vars/chaos-at-home/main.yml b/inventory/group_vars/chaos-at-home/main.yml deleted file mode 100644 index b0322c81..00000000 --- a/inventory/group_vars/chaos-at-home/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -zsh_banner: chaos-at-home - -admin_users_group: - - equinox - -acmetool_account_email: admin@chaos-at-home.org diff --git a/inventory/group_vars/chaos-at-home/vars.yml b/inventory/group_vars/chaos-at-home/vars.yml new file mode 100644 index 00000000..b0322c81 --- /dev/null +++ b/inventory/group_vars/chaos-at-home/vars.yml @@ -0,0 +1,7 @@ +--- +zsh_banner: chaos-at-home + +admin_users_group: + - equinox + +acmetool_account_email: admin@chaos-at-home.org diff --git a/inventory/group_vars/dellos6/main.yml b/inventory/group_vars/dellos6/main.yml deleted file mode 100644 index 29c4c0db..00000000 --- a/inventory/group_vars/dellos6/main.yml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -ansible_connection: network_cli -ansible_network_os: dellos6 -ansible_become: yes -ansible_become_method: enable -ansible_become_password: "{{ vault_ansible_become_password }}" - - -dellos6_mgmt_vlan: "{{ switch_mgmt_zone.vlan }}" -dellos6_mgmt_ipaddr: "{{ switch_mgmt_zone.prefix | ipaddr(switch_mgmt_zone.offsets[inventory_hostname]) | ipaddr('address') }}" -dellos6_mgmt_netmask: "{{ switch_mgmt_zone.prefix | ipaddr('netmask') }}" -dellos6_mgmt_interface: "{{ switch_mgmt_interface | default('') }}" - -dellos6_vlans: "{{ switch_vlans }}" -dellos6_interfaces: "{{ switch_interfaces }}" diff --git a/inventory/group_vars/dellos6/vars.yml b/inventory/group_vars/dellos6/vars.yml new file mode 100644 index 00000000..29c4c0db --- /dev/null +++ b/inventory/group_vars/dellos6/vars.yml @@ -0,0 +1,15 @@ +--- +ansible_connection: network_cli +ansible_network_os: dellos6 +ansible_become: yes +ansible_become_method: enable +ansible_become_password: "{{ vault_ansible_become_password }}" + + +dellos6_mgmt_vlan: "{{ switch_mgmt_zone.vlan }}" +dellos6_mgmt_ipaddr: "{{ switch_mgmt_zone.prefix | ipaddr(switch_mgmt_zone.offsets[inventory_hostname]) | ipaddr('address') }}" +dellos6_mgmt_netmask: "{{ switch_mgmt_zone.prefix | ipaddr('netmask') }}" +dellos6_mgmt_interface: "{{ switch_mgmt_interface | default('') }}" + +dellos6_vlans: "{{ switch_vlans }}" +dellos6_interfaces: "{{ switch_interfaces }}" diff --git a/inventory/group_vars/dolmetsch-ctl/main.yml b/inventory/group_vars/dolmetsch-ctl/main.yml deleted file mode 100644 index a86517c0..00000000 --- a/inventory/group_vars/dolmetsch-ctl/main.yml +++ /dev/null 
@@ -1,150 +0,0 @@ ---- -openwrt_variant: lede -openwrt_release: 17.01.6 -openwrt_arch: ar71xx -openwrt_target: generic -openwrt_profile: tl-wr710n-v2 -openwrt_output_image_suffixes: - - "generic-{{ openwrt_profile }}-squashfs-sysupgrade.bin" - -openwrt_packages_remove: - - kmod-gpio-button-hotplug - - kmod-ath9k - - wpad-mini - - ppp - - ppp-mod-pppoe - - dnsmasq - - firewall - - odhcpd - - odhcpd-ipv6only -openwrt_packages_add: - - haveged - - htop - - ip - - less - - nano - - tcpdump-mini - - kmod-usb-audio - - alsa-lib - - alsa-utils - - alsa-utils-seq - - -openwrt_mixin: - /etc/sysctl.conf: - content: | - # Defaults are configured in /etc/sysctl.d/* and can be customized in this file - # - # disable IP forwarding, we don't need it since we are no router - net.ipv4.conf.default.forwarding=0 - net.ipv4.conf.all.forwarding=0 - net.ipv4.ip_forward=0 - net.ipv6.conf.default.forwarding=0 - net.ipv6.conf.all.forwarding=0 - - /etc/dropbear/authorized_keys: - content: "{{ ssh_keys_root | join('\n') }}\n" - - /etc/htoprc: - file: "{{ global_files_dir }}/common/htoprc" - - /etc/rc.d/S22network-fw: - link: "../init.d/network-fw" - - /etc/rc.d/K91network-fw: - link: "../init.d/network-fw" - - /etc/init.d/network-fw: - mode: "0755" - content: | - #!/bin/sh /etc/rc.common - - START=22 - STOP=91 - - start() { - MGMT_IF=$(uci get network.mgmt.ifname) - MGMT_IPADDR=$(uci get network.mgmt.ipaddr) - MGMT_NETMASK=$(uci get network.mgmt.netmask) - MIXER_IF=br-mixer - MIXER_IPADDR=$(uci get network.mixer.ipaddr) - MIXER_NETMASK=$(uci get network.mixer.netmask) - - - iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT - iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT - - iptables -A INPUT -i "$MIXER_IF" -p tcp --dport {{ ansible_port }} -d "$MIXER_IPADDR" -j REJECT --reject-with tcp-reset - iptables -A INPUT -i "$MIXER_IF" -p icmp -d "$MIXER_IPADDR" -s "$MIXER_IPADDR/$MIXER_NETMASK" -j ACCEPT - iptables -A INPUT -i "$MIXER_IF" -p 
udp -d "$MIXER_IPADDR" -s "$MIXER_IPADDR/$MIXER_NETMASK" -j ACCEPT - iptables -A INPUT -i "$MIXER_IF" -p tcp -d "$MIXER_IPADDR" -s "$MIXER_IPADDR/$MIXER_NETMASK" -j ACCEPT - iptables -A INPUT -i "$MIXER_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - iptables -P INPUT DROP - iptables -P FORWARD DROP - } - - stop() { - iptables -P INPUT ACCEPT - iptables -F INPUT - iptables -P FORWARD ACCEPT - } - - -openwrt_uci: - system: - - name: system - options: - hostname: '{{ inventory_hostname }}' - timezone: 'CET-1CEST,M3.5.0,M10.5.0/3' - ttylogin: '0' - log_size: '64' - urandom_seed: '0' - - - name: timeserver 'ntp' - options: - enabled: '1' - enable_server: '0' - server: - - '0.lede.pool.ntp.org' - - '1.lede.pool.ntp.org' - - '2.lede.pool.ntp.org' - - '3.lede.pool.ntp.org' - - dropbear: - - name: dropbear - options: - PasswordAuth: 'off' - RootPasswordAuth: 'off' - Port: '{{ ansible_port }}' - - network: - - name: globals 'globals' - options: - ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" - - - name: interface 'loopback' - options: - ifname: lo - proto: static - ipaddr: 127.0.0.1 - netmask: 255.0.0.0 - - - name: interface 'mgmt' - options: - ifname: "eth0.{{ network_mgmt_zone.vlan }}" - accept_ra: 0 - proto: static - ipaddr: "{{ network_mgmt_zone.prefix | ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ipaddr('address') }}" - netmask: "{{ network_mgmt_zone.prefix | ipaddr('netmask') }}" - - - name: interface 'mixer' - options: - type: bridge - ifname: "eth0.{{ network_mixer_zone.vlan }} eth1" - accept_ra: 0 - proto: static - ipaddr: "{{ network_mixer_zone.prefix | ipaddr(network_mixer_zone.offsets[inventory_hostname]) | ipaddr('address') }}" - netmask: "{{ network_mixer_zone.prefix | ipaddr('netmask') }}" - gateway: "{{ network_mixer_zone.gateway }}" - dns: "{{ network_mixer_zone.dns }}" 
diff --git a/inventory/group_vars/dolmetsch-ctl/vars.yml b/inventory/group_vars/dolmetsch-ctl/vars.yml new file mode 100644 index 00000000..a86517c0 --- /dev/null +++ b/inventory/group_vars/dolmetsch-ctl/vars.yml 
@@ -0,0 +1,150 @@ +--- +openwrt_variant: lede +openwrt_release: 17.01.6 +openwrt_arch: ar71xx +openwrt_target: generic +openwrt_profile: tl-wr710n-v2 +openwrt_output_image_suffixes: + - "generic-{{ openwrt_profile }}-squashfs-sysupgrade.bin" + +openwrt_packages_remove: + - kmod-gpio-button-hotplug + - kmod-ath9k + - wpad-mini + - ppp + - ppp-mod-pppoe + - dnsmasq + - firewall + - odhcpd + - odhcpd-ipv6only +openwrt_packages_add: + - haveged + - htop + - ip + - less + - nano + - tcpdump-mini + - kmod-usb-audio + - alsa-lib + - alsa-utils + - alsa-utils-seq + + +openwrt_mixin: + /etc/sysctl.conf: + content: | + # Defaults are configured in /etc/sysctl.d/* and can be customized in this file + # + # disable IP forwarding, we don't need it since we are no router + net.ipv4.conf.default.forwarding=0 + net.ipv4.conf.all.forwarding=0 + net.ipv4.ip_forward=0 + net.ipv6.conf.default.forwarding=0 + net.ipv6.conf.all.forwarding=0 + + /etc/dropbear/authorized_keys: + content: "{{ ssh_keys_root | join('\n') }}\n" + + /etc/htoprc: + file: "{{ global_files_dir }}/common/htoprc" + + /etc/rc.d/S22network-fw: + link: "../init.d/network-fw" + + /etc/rc.d/K91network-fw: + link: "../init.d/network-fw" + + /etc/init.d/network-fw: + mode: "0755" + content: | + #!/bin/sh /etc/rc.common + + START=22 + STOP=91 + + start() { + MGMT_IF=$(uci get network.mgmt.ifname) + MGMT_IPADDR=$(uci get network.mgmt.ipaddr) + MGMT_NETMASK=$(uci get network.mgmt.netmask) + MIXER_IF=br-mixer + MIXER_IPADDR=$(uci get network.mixer.ipaddr) + MIXER_NETMASK=$(uci get network.mixer.netmask) + + + iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT + iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT + + iptables -A INPUT -i "$MIXER_IF" -p tcp --dport {{ ansible_port }} -d "$MIXER_IPADDR" -j REJECT --reject-with tcp-reset + iptables -A INPUT -i "$MIXER_IF" -p icmp -d "$MIXER_IPADDR" -s "$MIXER_IPADDR/$MIXER_NETMASK" -j ACCEPT + iptables -A INPUT -i "$MIXER_IF" -p 
udp -d "$MIXER_IPADDR" -s "$MIXER_IPADDR/$MIXER_NETMASK" -j ACCEPT + iptables -A INPUT -i "$MIXER_IF" -p tcp -d "$MIXER_IPADDR" -s "$MIXER_IPADDR/$MIXER_NETMASK" -j ACCEPT + iptables -A INPUT -i "$MIXER_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + iptables -P INPUT DROP + iptables -P FORWARD DROP + } + + stop() { + iptables -P INPUT ACCEPT + iptables -F INPUT + iptables -P FORWARD ACCEPT + } + + +openwrt_uci: + system: + - name: system + options: + hostname: '{{ inventory_hostname }}' + timezone: 'CET-1CEST,M3.5.0,M10.5.0/3' + ttylogin: '0' + log_size: '64' + urandom_seed: '0' + + - name: timeserver 'ntp' + options: + enabled: '1' + enable_server: '0' + server: + - '0.lede.pool.ntp.org' + - '1.lede.pool.ntp.org' + - '2.lede.pool.ntp.org' + - '3.lede.pool.ntp.org' + + dropbear: + - name: dropbear + options: + PasswordAuth: 'off' + RootPasswordAuth: 'off' + Port: '{{ ansible_port }}' + + network: + - name: globals 'globals' + options: + ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" + + - name: interface 'loopback' + options: + ifname: lo + proto: static + ipaddr: 127.0.0.1 + netmask: 255.0.0.0 + + - name: interface 'mgmt' + options: + ifname: "eth0.{{ network_mgmt_zone.vlan }}" + accept_ra: 0 + proto: static + ipaddr: "{{ network_mgmt_zone.prefix | ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ipaddr('address') }}" + netmask: "{{ network_mgmt_zone.prefix | ipaddr('netmask') }}" + + - name: interface 'mixer' + options: + type: bridge + ifname: "eth0.{{ network_mixer_zone.vlan }} eth1" + accept_ra: 0 + proto: static + ipaddr: "{{ network_mixer_zone.prefix | ipaddr(network_mixer_zone.offsets[inventory_hostname]) | ipaddr('address') }}" + netmask: "{{ network_mixer_zone.prefix | ipaddr('netmask') }}" + gateway: "{{ network_mixer_zone.gateway }}" + dns: "{{ network_mixer_zone.dns }}" 
diff --git a/inventory/group_vars/ele-ap/main.yml b/inventory/group_vars/ele-ap/main.yml deleted file mode 100644 index d59e12fc..00000000 --- a/inventory/group_vars/ele-ap/main.yml +++ /dev/null @@ -1,62 +0,0 @@ ---- -ssh_users_root: - - equinox - - datacop - -network_mgmt_zone: "{{ network_zones.mgmt }}" - -accesspoint_wifi_channels: - 2g4: - ele-ap-forum0: 5 - ele-ap-forum1: 13 - ele-ap-forum2: 9 - ele-ap-forum3: 1 - ele-ap-parkhouse0: 6 - ele-ap-orpheum0: 8 - ele-ap-uhrturm0: 8 - 5g: - ele-ap-forum0: 40 - ele-ap-forum1: 48 - ele-ap-forum2: 44 - ele-ap-forum3: 36 - ele-ap-parkhouse0: 40 - ele-ap-orpheum0: 48 - ele-ap-uhrturm0: 48 - -accesspoint_zones: - lan: "{{ network_zones.lan.wifi }}" - guest: "{{ network_zones.guest.wifi }}" - infoscreens: "{{ network_zones.infoscreens.wifi }}" - - -accesspoint_network_zones: "{{ accesspoint_network_zones_yaml | from_yaml }}" -accesspoint_network_zones_yaml: | - {% for zone_name in accesspoint_zones.keys() %} - - name: "interface '{{ zone_name }}'" - options: - type: bridge - ifname: "{{ accesspoint_wired_interface }}.{{ network_zones[zone_name].vlan }}" - accept_ra: 0 - proto: none - {% endfor %} - - -## TODO: set up 802.11r see: -## * https://www.reddit.com/r/openwrt/comments/515oea/finally_got_80211r_roaming_working/ -## * https://gist.github.com/lg/998d3e908d547bd9972a6bb604df377b -accesspoint_wireless_ifaces: "{{ accesspoint_wireless_ifaces_yaml | from_yaml }}" -accesspoint_wireless_ifaces_yaml: | - {% for zone in accesspoint_zones.keys() %} - {% for freq in accesspoint_wireless_frequencies %} - - name: wifi-iface '{{ zone }}{{ freq }}' - options: - device: 'radio{{ freq }}' - network: '{{ zone }}' - mode: 'ap' - disassoc_low_ack: '1' - rsn_preauth: '1' - ssid: '{{ accesspoint_zones[zone].ssid }}' - encryption: '{{ accesspoint_zones[zone].encryption }}' - key: '{{ accesspoint_zones[zone].key }}' - {% endfor %} - {% endfor %} 
diff --git a/inventory/group_vars/ele-ap/vars.yml b/inventory/group_vars/ele-ap/vars.yml new file mode 100644 index 00000000..d59e12fc --- /dev/null +++ b/inventory/group_vars/ele-ap/vars.yml @@ -0,0 +1,62 @@ +--- +ssh_users_root: + - equinox + - datacop + +network_mgmt_zone: "{{ network_zones.mgmt }}" + +accesspoint_wifi_channels: + 2g4: + ele-ap-forum0: 5 + ele-ap-forum1: 13 + ele-ap-forum2: 9 + ele-ap-forum3: 1 + ele-ap-parkhouse0: 6 + ele-ap-orpheum0: 8 + ele-ap-uhrturm0: 8 + 5g: + ele-ap-forum0: 40 + ele-ap-forum1: 48 + ele-ap-forum2: 44 + ele-ap-forum3: 36 + ele-ap-parkhouse0: 40 + ele-ap-orpheum0: 48 + ele-ap-uhrturm0: 48 + +accesspoint_zones: + lan: "{{ network_zones.lan.wifi }}" + guest: "{{ network_zones.guest.wifi }}" + infoscreens: "{{ network_zones.infoscreens.wifi }}" + + +accesspoint_network_zones: "{{ accesspoint_network_zones_yaml | from_yaml }}" +accesspoint_network_zones_yaml: | + {% for zone_name in accesspoint_zones.keys() %} + - name: "interface '{{ zone_name }}'" + options: + type: bridge + ifname: "{{ accesspoint_wired_interface }}.{{ network_zones[zone_name].vlan }}" + accept_ra: 0 + proto: none + {% endfor %} + + +## TODO: set up 802.11r see: +## * https://www.reddit.com/r/openwrt/comments/515oea/finally_got_80211r_roaming_working/ +## * https://gist.github.com/lg/998d3e908d547bd9972a6bb604df377b +accesspoint_wireless_ifaces: "{{ accesspoint_wireless_ifaces_yaml | from_yaml }}" +accesspoint_wireless_ifaces_yaml: | + {% for zone in accesspoint_zones.keys() %} + {% for freq in accesspoint_wireless_frequencies %} + - name: wifi-iface '{{ zone }}{{ freq }}' + options: + device: 'radio{{ freq }}' + network: '{{ zone }}' + mode: 'ap' + disassoc_low_ack: '1' + rsn_preauth: '1' + ssid: '{{ accesspoint_zones[zone].ssid }}' + encryption: '{{ accesspoint_zones[zone].encryption }}' + key: '{{ accesspoint_zones[zone].key }}' + {% endfor %} + {% endfor %} 
diff --git a/inventory/group_vars/ele-dolmetsch-ctl/main.yml b/inventory/group_vars/ele-dolmetsch-ctl/main.yml deleted file mode 100644 index a69d45ee..00000000 --- a/inventory/group_vars/ele-dolmetsch-ctl/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -network_mgmt_zone: "{{ network_zones.mgmt }}" -network_mixer_zone: "{{ network_zones.mixer }}" diff --git a/inventory/group_vars/ele-dolmetsch-ctl/vars.yml b/inventory/group_vars/ele-dolmetsch-ctl/vars.yml new file mode 100644 index 00000000..a69d45ee --- /dev/null +++ b/inventory/group_vars/ele-dolmetsch-ctl/vars.yml @@ -0,0 +1,3 @@ +--- +network_mgmt_zone: "{{ network_zones.mgmt }}" +network_mixer_zone: "{{ network_zones.mixer }}" diff --git a/inventory/group_vars/ele-dolmetsch-raspi/main.yml b/inventory/group_vars/ele-dolmetsch-raspi/main.yml deleted file mode 100644 index c440e448..00000000 --- a/inventory/group_vars/ele-dolmetsch-raspi/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -ssh_users_root: - - equinox - - datacop - - nhg diff --git a/inventory/group_vars/ele-dolmetsch-raspi/vars.yml b/inventory/group_vars/ele-dolmetsch-raspi/vars.yml new file mode 100644 index 00000000..c440e448 --- /dev/null +++ b/inventory/group_vars/ele-dolmetsch-raspi/vars.yml @@ -0,0 +1,5 @@ +--- +ssh_users_root: + - equinox + - datacop + - nhg diff --git a/inventory/group_vars/ele-infobeamer/main.yml b/inventory/group_vars/ele-infobeamer/main.yml deleted file mode 100644 index c049f4b5..00000000 --- a/inventory/group_vars/ele-infobeamer/main.yml +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -info_beamer_tvservice: "{{ info_beamer_tvservices['1080p50'] }}" -info_beamer_audio_target: "hdmi" -info_beamer_ssh_keys: "{{ ssh_keys_root }}" - -info_beamer_wireless: "{{ network_zones.infoscreens.wifi }}" -info_beamer_prefer_wired: true - -info_beamer_branding_logo: "{{ global_files_dir }}/dan/elevate/info-beamer/branding.ppm" -info_beamer_branding_background: "{{ global_files_dir }}/dan/elevate/info-beamer/e20-branding.jpg" - -info_beamer_device_connect_key: "{{ vault_info_beamer_device_connect_key }}" diff --git a/inventory/group_vars/ele-infobeamer/vars.yml b/inventory/group_vars/ele-infobeamer/vars.yml new file mode 100644 index 00000000..c049f4b5 --- /dev/null +++ b/inventory/group_vars/ele-infobeamer/vars.yml @@ -0,0 +1,12 @@ +--- +info_beamer_tvservice: "{{ info_beamer_tvservices['1080p50'] }}" +info_beamer_audio_target: "hdmi" +info_beamer_ssh_keys: "{{ ssh_keys_root }}" + +info_beamer_wireless: "{{ network_zones.infoscreens.wifi }}" +info_beamer_prefer_wired: true + +info_beamer_branding_logo: "{{ global_files_dir }}/dan/elevate/info-beamer/branding.ppm" +info_beamer_branding_background: "{{ global_files_dir }}/dan/elevate/info-beamer/e20-branding.jpg" + +info_beamer_device_connect_key: "{{ vault_info_beamer_device_connect_key }}" diff --git a/inventory/group_vars/ele-ups/main.yml b/inventory/group_vars/ele-ups/main.yml deleted file mode 100644 index 4758804e..00000000 --- a/inventory/group_vars/ele-ups/main.yml +++ /dev/null 
@@ -1,148 +0,0 @@ ---- -ssh_users_root: - - equinox - - datacop - -network_mgmt_zone: "{{ network_zones.funkfeuer }}" - -openwrt_variant: openwrt -openwrt_release: 19.07.2 -openwrt_arch: ramips -openwrt_target: mt7620 -openwrt_profile: ravpower_wd03 -openwrt_output_image_suffixes: - - "{{ openwrt_profile }}-squashfs-sysupgrade.bin" - -openwrt_packages_remove: - - ppp - - ppp-mod-pppoe - - dnsmasq - - firewall - - odhcpd - - odhcpd-ipv6only -openwrt_packages_add: - - haveged - - htop - - ip - - less - - nano - - tcpdump-mini - - usbutils - - kmod-usb-storage - - nut-server - - nut-driver-usbhid-ups - - nut-upsc - - nut-upscmd - - -openwrt_mixin: - /etc/dropbear/authorized_keys: - content: "{{ ssh_keys_root | join('\n') }}\n" - - /etc/htoprc: - file: "{{ global_files_dir }}/common/htoprc" - - /usr/bin/powercycle-ups: - mode: "0755" - content: | - #!/bin/sh - - UPS="{{ inventory_hostname | regex_replace('^ele-ups-(.*)$', '\1') }}" - - upscmd -u admin -p secret "$UPS" load.off - sleep 5 - upscmd -u admin -p secret "$UPS" load.on - - /etc/rc.d/S22network-fw: - link: "../init.d/network-fw" - - /etc/rc.d/K92network-fw: - link: "../init.d/network-fw" - - /etc/init.d/network-fw: - mode: "0755" - content: | - #!/bin/sh /etc/rc.common - - START=22 - STOP=91 - - start() { - iptables -A INPUT -p tcp --dport 3493 -s 127.0.0.0/8 -j ACCEPT - iptables -A INPUT -p tcp --dport 3493 -s {{ network_zones.murat_transfer.prefix | ipaddr(network_zones.murat_transfer.offsets['ele-mur']) | ipaddr('address') }} -j ACCEPT - iptables -A INPUT -p tcp --dport 3493 -j DROP - } - - stop() { - iptables -D INPUT -p tcp --dport 3493 -j DROP - iptables -D INPUT -p tcp --dport 3493 -s {{ network_zones.murat_transfer.prefix | ipaddr(network_zones.murat_transfer.offsets['ele-mur']) | ipaddr('address') }} -j ACCEPT - iptables -D INPUT -p tcp --dport 3493 -s 127.0.0.0/8 -j ACCEPT - } - - -openwrt_uci: - system: - - name: system - options: - hostname: '{{ host_name }}' - timezone: 
'CET-1CEST,M3.5.0,M10.5.0/3' - ttylogin: '0' - log_size: '64' - urandom_seed: '0' - - - name: timeserver 'ntp' - options: - enabled: '1' - enable_server: '0' - server: - - '0.lede.pool.ntp.org' - - '1.lede.pool.ntp.org' - - '2.lede.pool.ntp.org' - - '3.lede.pool.ntp.org' - - dropbear: - - name: dropbear - options: - PasswordAuth: 'off' - RootPasswordAuth: 'off' - Port: '{{ ansible_port }}' - - network: - - name: globals 'globals' - options: - ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" - - - name: interface 'loopback' - options: - ifname: lo - proto: static - ipaddr: 127.0.0.1 - netmask: 255.0.0.0 - - - name: interface 'mgmt' - options: - ifname: "eth0" - proto: static - ipaddr: "{{ network_mgmt_zone.prefix | ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ipaddr('address') }}" - netmask: "{{ network_mgmt_zone.prefix | ipaddr('netmask') }}" - gateway: "{{ network_mgmt_zone.gateway }}" - dns: "{{ network_mgmt_zone.dns }}" - accept_ra: 0 - - nut_server: - - name: listen_address - options: - address: 0.0.0.0 - - - name: "driver '{{ inventory_hostname | regex_replace('^ele-ups-(.*)$', '\\1') }}'" - options: - driver: usbhid-ups - port: auto - enable_usb_serial: 0 - - - name: user - options: - username: admin - password: secret - instcmd: - - ALL diff --git a/inventory/group_vars/ele-ups/vars.yml b/inventory/group_vars/ele-ups/vars.yml new file mode 100644 index 00000000..4758804e --- /dev/null +++ b/inventory/group_vars/ele-ups/vars.yml 
@@ -0,0 +1,148 @@ +--- +ssh_users_root: + - equinox + - datacop + +network_mgmt_zone: "{{ network_zones.funkfeuer }}" + +openwrt_variant: openwrt +openwrt_release: 19.07.2 +openwrt_arch: ramips +openwrt_target: mt7620 +openwrt_profile: ravpower_wd03 +openwrt_output_image_suffixes: + - "{{ openwrt_profile }}-squashfs-sysupgrade.bin" + +openwrt_packages_remove: + - ppp + - ppp-mod-pppoe + - dnsmasq + - firewall + - odhcpd + - odhcpd-ipv6only +openwrt_packages_add: + - haveged + - htop + - ip + - less + - nano + - tcpdump-mini + - usbutils + - kmod-usb-storage + - nut-server + - nut-driver-usbhid-ups + - nut-upsc + - nut-upscmd + + +openwrt_mixin: + /etc/dropbear/authorized_keys: + content: "{{ ssh_keys_root | join('\n') }}\n" + + /etc/htoprc: + file: "{{ global_files_dir }}/common/htoprc" + + /usr/bin/powercycle-ups: + mode: "0755" + content: | + #!/bin/sh + + UPS="{{ inventory_hostname | regex_replace('^ele-ups-(.*)$', '\1') }}" + + upscmd -u admin -p secret "$UPS" load.off + sleep 5 + upscmd -u admin -p secret "$UPS" load.on + + /etc/rc.d/S22network-fw: + link: "../init.d/network-fw" + + /etc/rc.d/K92network-fw: + link: "../init.d/network-fw" + + /etc/init.d/network-fw: + mode: "0755" + content: | + #!/bin/sh /etc/rc.common + + START=22 + STOP=91 + + start() { + iptables -A INPUT -p tcp --dport 3493 -s 127.0.0.0/8 -j ACCEPT + iptables -A INPUT -p tcp --dport 3493 -s {{ network_zones.murat_transfer.prefix | ipaddr(network_zones.murat_transfer.offsets['ele-mur']) | ipaddr('address') }} -j ACCEPT + iptables -A INPUT -p tcp --dport 3493 -j DROP + } + + stop() { + iptables -D INPUT -p tcp --dport 3493 -j DROP + iptables -D INPUT -p tcp --dport 3493 -s {{ network_zones.murat_transfer.prefix | ipaddr(network_zones.murat_transfer.offsets['ele-mur']) | ipaddr('address') }} -j ACCEPT + iptables -D INPUT -p tcp --dport 3493 -s 127.0.0.0/8 -j ACCEPT + } + + +openwrt_uci: + system: + - name: system + options: + hostname: '{{ host_name }}' + timezone: 
'CET-1CEST,M3.5.0,M10.5.0/3' + ttylogin: '0' + log_size: '64' + urandom_seed: '0' + + - name: timeserver 'ntp' + options: + enabled: '1' + enable_server: '0' + server: + - '0.lede.pool.ntp.org' + - '1.lede.pool.ntp.org' + - '2.lede.pool.ntp.org' + - '3.lede.pool.ntp.org' + + dropbear: + - name: dropbear + options: + PasswordAuth: 'off' + RootPasswordAuth: 'off' + Port: '{{ ansible_port }}' + + network: + - name: globals 'globals' + options: + ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" + + - name: interface 'loopback' + options: + ifname: lo + proto: static + ipaddr: 127.0.0.1 + netmask: 255.0.0.0 + + - name: interface 'mgmt' + options: + ifname: "eth0" + proto: static + ipaddr: "{{ network_mgmt_zone.prefix | ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ipaddr('address') }}" + netmask: "{{ network_mgmt_zone.prefix | ipaddr('netmask') }}" + gateway: "{{ network_mgmt_zone.gateway }}" + dns: "{{ network_mgmt_zone.dns }}" + accept_ra: 0 + + nut_server: + - name: listen_address + options: + address: 0.0.0.0 + + - name: "driver '{{ inventory_hostname | regex_replace('^ele-ups-(.*)$', '\\1') }}'" + options: + driver: usbhid-ups + port: auto + enable_usb_serial: 0 + + - name: user + options: + username: admin + password: secret + instcmd: + - ALL diff --git a/inventory/group_vars/elevate-festival/main.yml b/inventory/group_vars/elevate-festival/main.yml deleted file mode 100644 index 18168aa3..00000000 --- a/inventory/group_vars/elevate-festival/main.yml +++ /dev/null 
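Review bot: The NUT admin credentials are committed in plaintext in this hunk — `username: admin` / `password: secret` under `nut_server`, and again in the rendered `/usr/bin/powercycle-ups` script (`upscmd -u admin -p secret`) — and that user is granted `instcmd: ALL`, i.e. the load.off/load.on power-cycle commands. upsd is configured with `address: 0.0.0.0`, so only the three iptables rules in `/etc/init.d/network-fw` (loopback plus the single ele-mur address) sit between the network and a guessable password. Every other secret in these group_vars comes from a `vault_*` variable (`vault_ansible_become_password`, `vault_wifi_keys`, `vault_hcloud_api_token`), so this should follow the same pattern in both places, e.g. `password: "{{ vault_nut_admin_password }}"` and `upscmd -u admin -p '{{ vault_nut_admin_password }}' "$UPS" load.off` (variable name is a suggestion, not an existing one). The rendered script stays world-readable at `mode: "0755"`, so the value would still be exposed on the device itself, but it would at least leave the git history. This is pre-existing content carried over from the deleted main.yml, not something the rename introduces.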
@@ -1,241 +0,0 @@ ---- -network_zones: - lan: - description: "internet and fileserver access for Elevate staff" - vlan: 18 - prefix: 192.168.18.0/24 - gateway: 192.168.18.254 - dns: - - 192.168.18.254 - dhcp: - start: 1 - limit: 199 - offsets: - ele-media: 200 - ele-telesto: 201 - ele-thetys: 202 - ele-calypso: 203 - ele-orpheum: 240 - tricaster: 245 - datacop: 249 - equinox-t450s: 250 - ele-laptop: 251 - ele-router: 254 - wifi: - ssid: "elevate Staff" - encryption: "psk2" - key: "{{ vault_wifi_keys.lan }}" - - emc: - description: "internet via wireguard tunnel to Hetzner VM, reserved for streams" - vlan: 20 - prefix: 192.168.20.0/24 - gateway: 192.168.20.254 - dns: - - 192.168.20.254 - dhcp: - start: 1 - limit: 199 - offsets: - equinox-t450s: 250 - ele-laptop: 251 - jampo: 252 - ele-router: 254 - - guest: - description: "public internet access for all Elevate guests" - vlan: 23 - prefix: 192.168.23.0/24 - gateway: 192.168.23.254 - dns: - - 192.168.23.254 - dhcp: - start: 1 - limit: 250 - leasetime: 2h - offsets: - equinox-t450s: 250 - ele-helene: 253 - ele-router: 254 - wifi: - ssid: "elevate Public" - encryption: "psk2" - key: "{{ vault_wifi_keys.guest }}" - - mgmt: - description: "management access to all switches, access points, etc." 
- vlan: 42 - prefix: 192.168.42.0/24 - offsets: - ele-sw-spreadencoder: 1 - ele-sw-spreadmixer: 2 - ele-dione: 100 ## ipmi - ele-helene: 101 ## ipmi - - - ### Forum Stadtpark - ele-sw-forum0: 10 - ele-sw-forum1: 11 - ele-sw-forum2: 12 - ele-br-forum1: 18 # --> ele-br-parkhouse0 - ele-br-forum0: 19 # --> ele-br-uhrturm0 - ele-ap-forum0: 110 - ele-ap-forum1: 111 - ele-ap-forum2: 112 - ele-ap-forum3: 113 - - ### Dom im Berg - # ele-sw-dom0: 20 - # ele-ap-dom0: 120 - - ### Kunsthaus - # ele-sw-kunsthaus0: 30 - # ele-ap-kunsthaus0: 130 - - ### Orpheum - ele-sw-orpheum0: 40 - ele-br-orpheum0: 49 # --> ele-br-uhrturm1 - ele-ap-orpheum0: 140 - - ### Uhrturm/Rosengarten/Uhrturm-Kasematten - ele-sw-uhrturm0: 50 - ele-br-uhrturm1: 58 # --> ele-br-orpheum0 - ele-br-uhrturm0: 59 # --> ele-br-forum0 - ele-ap-uhrturm0: 150 - - ### Parkhouse - ele-sw-parkhouse0: 60 - ele-br-parkhouse0: 69 # --> ele-br-forum1 - ele-ap-parkhouse0: 160 - - - ele-dol-mixer: 200 - ele-dol-translator: 201 - datacop: 249 - equinox-t450s: 250 - ele-router: 254 - - - mixer: - description: "video and audio mixer control interfaces" - vlan: 48 - prefix: 192.168.48.0/24 - gateway: 192.168.48.254 - dns: - - 192.168.48.254 - offsets: - companion: 42 - kuschelbaer: 48 - atem-datacop: 90 - hyperdeck-datacop: 91 - atemctrl-datacop: 92 - atemwinvm-datacop: 93 - ele-dol-mixer: 100 - ele-dol-translator: 101 - ele-dol-raspi0: 102 - ele-dol-raspi1: 103 - atem-mini: 204 - atem-tvstudio: 206 - atem-tvstudiopro4k: 208 - x32core: 232 - nhg: 240 - datacop: 249 - equinox-t450s: 250 - ele-router: 254 - - infoscreens: - description: "internet access for infobeamer" - vlan: 73 - prefix: 192.168.73.0/24 - gateway: 192.168.73.254 - dns: - - 192.168.73.254 - dhcp: - start: 100 - limit: 199 - offsets: - equinox-t450s: 250 - ele-router: 254 - wifi: - ssid: "elevate Infoscreens" - encryption: "psk2" - key: "{{ vault_wifi_keys.infoscreens }}" - - cityaccess: - description: "captive portal of citycom public wifi, used for local 
streamingserver" - vlan: 250 - prefix: 192.168.250.0/24 - - ccinet: - description: "citycom upstream for general internet access (Fiber)" - vlan: 500 - prefix: 85.237.2.96/28 - gateway: 85.237.2.97 - dns: - - 217.29.144.65 - - 217.29.144.66 - offsets: - ## citycom uses offset 1,2 and 3 - ele-router: 4 # 85.237.2.100 - ele-media: 5 # 85.237.2.101 - - ccemc: - description: "citycom upstream for streams-only (Fiber)" - vlan: 501 - prefix: 85.237.28.192/28 - gateway: 85.237.28.193 - dns: - - 217.29.144.65 - - 217.29.144.66 - offsets: - ## citycom uses offset 1,2 and 3 - ele-helene: 4 # 85.237.28.196 - ele-dione: 5 # 85.237.28.197 - ele-laptop: 7 # 85.237.28.199 - - forum_a1: - description: "A1 upstream for general internet access (DSL)" - vlan: 502 - - dom_im_berg: - description: "public wifi at Dom im Berg operated by Spielstätten (used by infobeamer)" - wifi: - ssid: Dom - key: "{{ vault_wifi_keys.dom_im_berg }}" - - funkfeuer: - description: "funkfeuer access, subnet will be announced by olsr using HNA" - vlan: 511 - prefix: 10.12.241.128/28 - gateway: 10.12.241.142 - offsets: - ele-tub: 14 - ele-br-tub0: 13 - ele-br-uhrturm2: 12 - ele-router: 11 - equinox-t450s: 10 - datacop: 9 - ele-ups-forum0: 8 - ele-ups-forum1: 7 - ele-ups-uhrturm0: 6 - ele-ups-parkhouse0: 5 - nhg: 3 - ele-helene: 2 - ele-dione: 1 - dns: - - 10.12.0.10 - - murat_transfer: - description: "transfer network for upstream via mur.at" - prefix: 172.31.255.0/24 - offsets: - ele-tub: 1 - ele-mur: 254 - - datacop_lte: - description: "drei Upstream via router by datacop (LTE)" - vlan: 512 - prefix: 100.64.0.0/24 - gateway: 100.64.0.1 - offsets: - ele-router: 2 diff --git a/inventory/group_vars/elevate-festival/vars.yml b/inventory/group_vars/elevate-festival/vars.yml new file mode 100644 index 00000000..18168aa3 --- /dev/null +++ b/inventory/group_vars/elevate-festival/vars.yml 
@@ -0,0 +1,241 @@ +--- +network_zones: + lan: + description: "internet and fileserver access for Elevate staff" + vlan: 18 + prefix: 192.168.18.0/24 + gateway: 192.168.18.254 + dns: + - 192.168.18.254 + dhcp: + start: 1 + limit: 199 + offsets: + ele-media: 200 + ele-telesto: 201 + ele-thetys: 202 + ele-calypso: 203 + ele-orpheum: 240 + tricaster: 245 + datacop: 249 + equinox-t450s: 250 + ele-laptop: 251 + ele-router: 254 + wifi: + ssid: "elevate Staff" + encryption: "psk2" + key: "{{ vault_wifi_keys.lan }}" + + emc: + description: "internet via wireguard tunnel to Hetzner VM, reserved for streams" + vlan: 20 + prefix: 192.168.20.0/24 + gateway: 192.168.20.254 + dns: + - 192.168.20.254 + dhcp: + start: 1 + limit: 199 + offsets: + equinox-t450s: 250 + ele-laptop: 251 + jampo: 252 + ele-router: 254 + + guest: + description: "public internet access for all Elevate guests" + vlan: 23 + prefix: 192.168.23.0/24 + gateway: 192.168.23.254 + dns: + - 192.168.23.254 + dhcp: + start: 1 + limit: 250 + leasetime: 2h + offsets: + equinox-t450s: 250 + ele-helene: 253 + ele-router: 254 + wifi: + ssid: "elevate Public" + encryption: "psk2" + key: "{{ vault_wifi_keys.guest }}" + + mgmt: + description: "management access to all switches, access points, etc." 
+ vlan: 42 + prefix: 192.168.42.0/24 + offsets: + ele-sw-spreadencoder: 1 + ele-sw-spreadmixer: 2 + ele-dione: 100 ## ipmi + ele-helene: 101 ## ipmi + + + ### Forum Stadtpark + ele-sw-forum0: 10 + ele-sw-forum1: 11 + ele-sw-forum2: 12 + ele-br-forum1: 18 # --> ele-br-parkhouse0 + ele-br-forum0: 19 # --> ele-br-uhrturm0 + ele-ap-forum0: 110 + ele-ap-forum1: 111 + ele-ap-forum2: 112 + ele-ap-forum3: 113 + + ### Dom im Berg + # ele-sw-dom0: 20 + # ele-ap-dom0: 120 + + ### Kunsthaus + # ele-sw-kunsthaus0: 30 + # ele-ap-kunsthaus0: 130 + + ### Orpheum + ele-sw-orpheum0: 40 + ele-br-orpheum0: 49 # --> ele-br-uhrturm1 + ele-ap-orpheum0: 140 + + ### Uhrturm/Rosengarten/Uhrturm-Kasematten + ele-sw-uhrturm0: 50 + ele-br-uhrturm1: 58 # --> ele-br-orpheum0 + ele-br-uhrturm0: 59 # --> ele-br-forum0 + ele-ap-uhrturm0: 150 + + ### Parkhouse + ele-sw-parkhouse0: 60 + ele-br-parkhouse0: 69 # --> ele-br-forum1 + ele-ap-parkhouse0: 160 + + + ele-dol-mixer: 200 + ele-dol-translator: 201 + datacop: 249 + equinox-t450s: 250 + ele-router: 254 + + + mixer: + description: "video and audio mixer control interfaces" + vlan: 48 + prefix: 192.168.48.0/24 + gateway: 192.168.48.254 + dns: + - 192.168.48.254 + offsets: + companion: 42 + kuschelbaer: 48 + atem-datacop: 90 + hyperdeck-datacop: 91 + atemctrl-datacop: 92 + atemwinvm-datacop: 93 + ele-dol-mixer: 100 + ele-dol-translator: 101 + ele-dol-raspi0: 102 + ele-dol-raspi1: 103 + atem-mini: 204 + atem-tvstudio: 206 + atem-tvstudiopro4k: 208 + x32core: 232 + nhg: 240 + datacop: 249 + equinox-t450s: 250 + ele-router: 254 + + infoscreens: + description: "internet access for infobeamer" + vlan: 73 + prefix: 192.168.73.0/24 + gateway: 192.168.73.254 + dns: + - 192.168.73.254 + dhcp: + start: 100 + limit: 199 + offsets: + equinox-t450s: 250 + ele-router: 254 + wifi: + ssid: "elevate Infoscreens" + encryption: "psk2" + key: "{{ vault_wifi_keys.infoscreens }}" + + cityaccess: + description: "captive portal of citycom public wifi, used for local 
streamingserver" + vlan: 250 + prefix: 192.168.250.0/24 + + ccinet: + description: "citycom upstream for general internet access (Fiber)" + vlan: 500 + prefix: 85.237.2.96/28 + gateway: 85.237.2.97 + dns: + - 217.29.144.65 + - 217.29.144.66 + offsets: + ## citycom uses offset 1,2 and 3 + ele-router: 4 # 85.237.2.100 + ele-media: 5 # 85.237.2.101 + + ccemc: + description: "citycom upstream for streams-only (Fiber)" + vlan: 501 + prefix: 85.237.28.192/28 + gateway: 85.237.28.193 + dns: + - 217.29.144.65 + - 217.29.144.66 + offsets: + ## citycom uses offset 1,2 and 3 + ele-helene: 4 # 85.237.28.196 + ele-dione: 5 # 85.237.28.197 + ele-laptop: 7 # 85.237.28.199 + + forum_a1: + description: "A1 upstream for general internet access (DSL)" + vlan: 502 + + dom_im_berg: + description: "public wifi at Dom im Berg operated by Spielstätten (used by infobeamer)" + wifi: + ssid: Dom + key: "{{ vault_wifi_keys.dom_im_berg }}" + + funkfeuer: + description: "funkfeuer access, subnet will be announced by olsr using HNA" + vlan: 511 + prefix: 10.12.241.128/28 + gateway: 10.12.241.142 + offsets: + ele-tub: 14 + ele-br-tub0: 13 + ele-br-uhrturm2: 12 + ele-router: 11 + equinox-t450s: 10 + datacop: 9 + ele-ups-forum0: 8 + ele-ups-forum1: 7 + ele-ups-uhrturm0: 6 + ele-ups-parkhouse0: 5 + nhg: 3 + ele-helene: 2 + ele-dione: 1 + dns: + - 10.12.0.10 + + murat_transfer: + description: "transfer network for upstream via mur.at" + prefix: 172.31.255.0/24 + offsets: + ele-tub: 1 + ele-mur: 254 + + datacop_lte: + description: "drei Upstream via router by datacop (LTE)" + vlan: 512 + prefix: 100.64.0.0/24 + gateway: 100.64.0.1 + offsets: + ele-router: 2 diff --git a/inventory/group_vars/elevate/main.yml b/inventory/group_vars/elevate/main.yml deleted file mode 100644 index e108d8f2..00000000 --- a/inventory/group_vars/elevate/main.yml +++ /dev/null 
@@ -1,8 +0,0 @@
----
-zsh_banner: elevate
-
-acmetool_account_email: equinox@elevate.at
-
-apt_repo_blackmagic_auth:
- username: "elevate"
- password: "{{ vault_apt_repo_blackmagic_auth.password }}"
diff --git a/inventory/group_vars/elevate/vars.yml b/inventory/group_vars/elevate/vars.yml
new file mode 100644
index 00000000..e108d8f2
--- /dev/null
+++ b/inventory/group_vars/elevate/vars.yml
@@ -0,0 +1,8 @@
+---
+zsh_banner: elevate
+
+acmetool_account_email: equinox@elevate.at
+
+apt_repo_blackmagic_auth:
+ username: "elevate"
+ password: "{{ vault_apt_repo_blackmagic_auth.password }}"
diff --git a/inventory/group_vars/emc-xx/main.yml b/inventory/group_vars/emc-xx/main.yml
deleted file mode 100644
index 1e0dd476..00000000
--- a/inventory/group_vars/emc-xx/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-acmetool_account_email: equinox@spreadspace.org
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
-
-install_playbook: emc-xx
diff --git a/inventory/group_vars/emc-xx/vars.yml b/inventory/group_vars/emc-xx/vars.yml
new file mode 100644
index 00000000..1e0dd476
--- /dev/null
+++ b/inventory/group_vars/emc-xx/vars.yml
@@ -0,0 +1,5 @@
+---
+acmetool_account_email: equinox@spreadspace.org
+acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+
+install_playbook: emc-xx
diff --git a/inventory/group_vars/emc/main.yml b/inventory/group_vars/emc/main.yml
deleted file mode 100644
index 42515184..00000000
--- a/inventory/group_vars/emc/main.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-zsh_banner: elevate
-
-install:
- cloud:
- credentials:
- token: "{{ vault_hcloud_api_token }}"
-
-network: {}
-
-docker_lvm:
- vg: "{{ host_name }}"
- lv: docker
- size: 15G
- fs: ext4
-
-kubelet_lvm:
- vg: "{{ host_name }}"
- lv: kubelet
- size: 10G
- fs: ext4
diff --git a/inventory/group_vars/emc/vars.yml b/inventory/group_vars/emc/vars.yml
new file mode 100644
index 00000000..42515184
--- /dev/null
+++ b/inventory/group_vars/emc/vars.yml
@@ -0,0 +1,21 @@
+---
+zsh_banner: elevate
+
+install:
+ cloud:
+ credentials:
+ token: "{{ vault_hcloud_api_token }}"
+
+network: {}
+
+docker_lvm:
+ vg: "{{ host_name }}"
+ lv: docker
+ size: 15G
+ fs: ext4
+
+kubelet_lvm:
+ vg: "{{ host_name }}"
+ lv: kubelet
+ size: 10G
+ fs: ext4
diff --git a/inventory/group_vars/hcloud/main.yml b/inventory/group_vars/hcloud/main.yml
deleted file mode 100644
index 564ce6e1..00000000
--- a/inventory/group_vars/hcloud/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-cloud_provider: hcloud
diff --git a/inventory/group_vars/hcloud/vars.yml b/inventory/group_vars/hcloud/vars.yml
new file mode 100644
index 00000000..564ce6e1
--- /dev/null
+++ b/inventory/group_vars/hcloud/vars.yml
@@ -0,0 +1,2 @@
+---
+cloud_provider: hcloud
diff --git a/inventory/group_vars/hetzner/main.yml b/inventory/group_vars/hetzner/main.yml
deleted file mode 100644
index 2e5c8b4a..00000000
--- a/inventory/group_vars/hetzner/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-debian_mirror:
- packages: http://mirror.hetzner.de/debian/packages
- security: http://mirror.hetzner.de/debian/security
-
-ubuntu_mirror: http://mirror.hetzner.de/ubuntu/packages
diff --git a/inventory/group_vars/hetzner/vars.yml b/inventory/group_vars/hetzner/vars.yml
new file mode 100644
index 00000000..2e5c8b4a
--- /dev/null
+++ b/inventory/group_vars/hetzner/vars.yml
@@ -0,0 +1,6 @@
+---
+debian_mirror:
+ packages: http://mirror.hetzner.de/debian/packages
+ security: http://mirror.hetzner.de/debian/security
+
+ubuntu_mirror: http://mirror.hetzner.de/ubuntu/packages
diff --git a/inventory/group_vars/hroot/main.yml b/inventory/group_vars/hroot/main.yml
deleted file mode 100644
index 7802f3ad..00000000
--- a/inventory/group_vars/hroot/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-cloud_provider: hroot
diff --git a/inventory/group_vars/hroot/vars.yml b/inventory/group_vars/hroot/vars.yml
new file mode 100644
index 00000000..7802f3ad
--- /dev/null
+++ b/inventory/group_vars/hroot/vars.yml
@@ -0,0 +1,2 @@
+---
+cloud_provider: hroot
diff --git a/inventory/group_vars/k8s-emc/main.yml b/inventory/group_vars/k8s-emc/main.yml
deleted file mode 100644
index 28b7c785..00000000
--- a/inventory/group_vars/k8s-emc/main.yml
+++ /dev/null
@@ -1,54 +0,0 @@
----
-docker_pkg_provider: docker-com
-docker_pkg_name: docker-ce
-
-kubernetes_version: 1.17.2
-kubernetes_container_runtime: docker
-kubernetes_network_plugin: kubeguard
-
-kubernetes:
- cluster_name: emc
-
- dedicated_master: False
- api_extra_sans:
- - 178.63.180.137
- - emc-master.elev8.at
-
- pod_ip_range: 172.18.0.0/16
- pod_ip_range_size: 24
- service_ip_range: 172.18.192.0/18
-
-
-kubernetes_secrets:
- encryption_config_keys: "{{ vault_kubernetes_encryption_config_keys }}"
-
-
-kubeguard:
- ## node_index must be in the range between 1 and 190 -> 189 hosts possible
- ##
- ## hardcoded hostnames are not nice but if we do this via host_vars
- ## the info is spread over multiple files and this makes it more diffcult
- ## to find mistakes, so it is nicer to keep it in one place...
- node_index:
- emc-01: 1
- emc-02: 2
- emc-03: 3
- emc-04: 4
- emc-05: 5
- emc-06: 6
- emc-00: 100
- emc-dist0: 110
- ele-dione: 111
- ele-helene: 112
- emc-master: 127
-
- direct_net_zones:
- encoder:
- transfer_net: 172.18.191.0/24
- node_interface:
- ele-dione: eno2
- ele-helene: eno2
-
-kubernetes_overlay_node_ip: "{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubeguard.node_index[inventory_hostname]) | ipaddr(1) | ipaddr('address') }}"
-
-kubernetes_metrics_server_version: 0.3.7
diff --git a/inventory/group_vars/k8s-emc/vars.yml b/inventory/group_vars/k8s-emc/vars.yml
new file mode 100644
index 00000000..28b7c785
--- /dev/null
+++ b/inventory/group_vars/k8s-emc/vars.yml
@@ -0,0 +1,54 @@
+---
+docker_pkg_provider: docker-com
+docker_pkg_name: docker-ce
+
+kubernetes_version: 1.17.2
+kubernetes_container_runtime: docker
+kubernetes_network_plugin: kubeguard
+
+kubernetes:
+ cluster_name: emc
+
+ dedicated_master: False
+ api_extra_sans:
+ - 178.63.180.137
+ - emc-master.elev8.at
+
+ pod_ip_range: 172.18.0.0/16
+ pod_ip_range_size: 24
+ service_ip_range: 172.18.192.0/18
+
+
+kubernetes_secrets:
+ encryption_config_keys: "{{ vault_kubernetes_encryption_config_keys }}"
+
+
+kubeguard:
+ ## node_index must be in the range between 1 and 190 -> 189 hosts possible
+ ##
+ ## hardcoded hostnames are not nice but if we do this via host_vars
+ ## the info is spread over multiple files and this makes it more diffcult
+ ## to find mistakes, so it is nicer to keep it in one place...
+ node_index:
+ emc-01: 1
+ emc-02: 2
+ emc-03: 3
+ emc-04: 4
+ emc-05: 5
+ emc-06: 6
+ emc-00: 100
+ emc-dist0: 110
+ ele-dione: 111
+ ele-helene: 112
+ emc-master: 127
+
+ direct_net_zones:
+ encoder:
+ transfer_net: 172.18.191.0/24
+ node_interface:
+ ele-dione: eno2
+ ele-helene: eno2
+
+kubernetes_overlay_node_ip: "{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubeguard.node_index[inventory_hostname]) | ipaddr(1) | ipaddr('address') }}"
+
+kubernetes_metrics_server_version: 0.3.7
diff --git a/inventory/group_vars/k8s-lwl/main.yml b/inventory/group_vars/k8s-lwl/main.yml
deleted file mode 100644
index 821e083c..00000000
--- a/inventory/group_vars/k8s-lwl/main.yml
+++ /dev/null
@@ -1,51 +0,0 @@
----
-docker_pkg_provider: docker-com
-docker_pkg_name: docker-ce
-
-kubernetes_version: 1.17.5
-kubernetes_container_runtime: docker
-kubernetes_network_plugin: kubeguard
-
-kubernetes:
- cluster_name: lndwrbl-live
-
- dedicated_master: False
- api_extra_sans:
- - 178.63.180.137
- - k8s-master.lndwrbl.live
-
- pod_ip_range: 172.18.0.0/16
- pod_ip_range_size: 24
- service_ip_range: 172.18.192.0/18
-
-
-kubernetes_secrets:
- encryption_config_keys: "{{ vault_kubernetes_encryption_config_keys }}"
-
-
-kubeguard:
- ## node_index must be in the range between 1 and 190 -> 189 hosts possible
- ##
- ## hardcoded hostnames are not nice but if we do this via host_vars
- ## the info is spread over multiple files and this makes it more diffcult
- ## to find mistakes, so it is nicer to keep it in one place...
- node_index:
- lw-live-01: 1
- lw-live-02: 2
- lw-live-03: 3
- lw-live-00: 100
- lw-live-dist0: 110
- lw-dione: 111
- lw-helene: 112
- lw-master: 127
-
- direct_net_zones:
- encoder:
- transfer_net: 172.18.191.0/24
- node_interface:
- lw-dione: eno2
- lw-helene: eno2
-
-kubernetes_overlay_node_ip: "{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubeguard.node_index[inventory_hostname]) | ipaddr(1) | ipaddr('address') }}"
-
-kubernetes_metrics_server_version: 0.3.7
diff --git a/inventory/group_vars/k8s-lwl/vars.yml b/inventory/group_vars/k8s-lwl/vars.yml
new file mode 100644
index 00000000..821e083c
--- /dev/null
+++ b/inventory/group_vars/k8s-lwl/vars.yml
@@ -0,0 +1,51 @@
+---
+docker_pkg_provider: docker-com
+docker_pkg_name: docker-ce
+
+kubernetes_version: 1.17.5
+kubernetes_container_runtime: docker
+kubernetes_network_plugin: kubeguard
+
+kubernetes:
+ cluster_name: lndwrbl-live
+
+ dedicated_master: False
+ api_extra_sans:
+ - 178.63.180.137
+ - k8s-master.lndwrbl.live
+
+ pod_ip_range: 172.18.0.0/16
+ pod_ip_range_size: 24
+ service_ip_range: 172.18.192.0/18
+
+
+kubernetes_secrets:
+ encryption_config_keys: "{{ vault_kubernetes_encryption_config_keys }}"
+
+
+kubeguard:
+ ## node_index must be in the range between 1 and 190 -> 189 hosts possible
+ ##
+ ## hardcoded hostnames are not nice but if we do this via host_vars
+ ## the info is spread over multiple files and this makes it more diffcult
+ ## to find mistakes, so it is nicer to keep it in one place...
+ node_index:
+ lw-live-01: 1
+ lw-live-02: 2
+ lw-live-03: 3
+ lw-live-00: 100
+ lw-live-dist0: 110
+ lw-dione: 111
+ lw-helene: 112
+ lw-master: 127
+
+ direct_net_zones:
+ encoder:
+ transfer_net: 172.18.191.0/24
+ node_interface:
+ lw-dione: eno2
+ lw-helene: eno2
+
+kubernetes_overlay_node_ip: "{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubeguard.node_index[inventory_hostname]) | ipaddr(1) | ipaddr('address') }}"
+
+kubernetes_metrics_server_version: 0.3.7
diff --git a/inventory/group_vars/kvmguests/main.yml b/inventory/group_vars/kvmguests/main.yml
deleted file mode 100644
index 9b7b95cb..00000000
--- a/inventory/group_vars/kvmguests/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-# will be installed by vm/guest
-base_entropy_generator: "none"
diff --git a/inventory/group_vars/kvmguests/vars.yml b/inventory/group_vars/kvmguests/vars.yml
new file mode 100644
index 00000000..9b7b95cb
--- /dev/null
+++ b/inventory/group_vars/kvmguests/vars.yml
@@ -0,0 +1,3 @@
+---
+# will be installed by vm/guest
+base_entropy_generator: "none"
diff --git a/inventory/group_vars/kvmhosts/main.yml b/inventory/group_vars/kvmhosts/main.yml
deleted file mode 100644
index 36a5be1d..00000000
--- a/inventory/group_vars/kvmhosts/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-installer_base_path: /srv/installer
diff --git a/inventory/group_vars/kvmhosts/vars.yml b/inventory/group_vars/kvmhosts/vars.yml
new file mode 100644
index 00000000..36a5be1d
--- /dev/null
+++ b/inventory/group_vars/kvmhosts/vars.yml
@@ -0,0 +1,2 @@
+---
+installer_base_path: /srv/installer
diff --git a/inventory/group_vars/lendwirbel-live-xx/main.yml b/inventory/group_vars/lendwirbel-live-xx/main.yml
deleted file mode 100644
index 6defdb17..00000000
--- a/inventory/group_vars/lendwirbel-live-xx/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-install_playbook: lendwirbel-live-xx
diff --git a/inventory/group_vars/lendwirbel-live-xx/vars.yml b/inventory/group_vars/lendwirbel-live-xx/vars.yml
new file mode 100644
index 00000000..6defdb17
--- /dev/null
+++ b/inventory/group_vars/lendwirbel-live-xx/vars.yml
@@ -0,0 +1,2 @@
+---
+install_playbook: lendwirbel-live-xx
diff --git a/inventory/group_vars/lendwirbel-live/main.yml b/inventory/group_vars/lendwirbel-live/main.yml
deleted file mode 100644
index 37d3ec1a..00000000
--- a/inventory/group_vars/lendwirbel-live/main.yml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-zsh_banner: lendwirbel
-
-acmetool_account_email: equinox@spreadspace.org
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
-
-apt_repo_blackmagic_auth:
- username: "spreadspace"
- password: "{{ vault_apt_repo_blackmagic_auth.password }}"
-
-install:
- cloud:
- credentials:
- token: "{{ vault_hcloud_api_token }}"
-
-network: {}
-
-docker_lvm:
- vg: "{{ host_name }}"
- lv: docker
- size: 15G
- fs: ext4
-
-kubelet_lvm:
- vg: "{{ host_name }}"
- lv: kubelet
- size: 10G
- fs: ext4
diff --git a/inventory/group_vars/lendwirbel-live/vars.yml b/inventory/group_vars/lendwirbel-live/vars.yml
new file mode 100644
index 00000000..37d3ec1a
--- /dev/null
+++ b/inventory/group_vars/lendwirbel-live/vars.yml
@@ -0,0 +1,28 @@
+---
+zsh_banner: lendwirbel
+
+acmetool_account_email: equinox@spreadspace.org
+acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+
+apt_repo_blackmagic_auth:
+ username: "spreadspace"
+ password: "{{ vault_apt_repo_blackmagic_auth.password }}"
+
+install:
+ cloud:
+ credentials:
+ token: "{{ vault_hcloud_api_token }}"
+
+network: {}
+
+docker_lvm:
+ vg: "{{ host_name }}"
+ lv: docker
+ size: 15G
+ fs: ext4
+
+kubelet_lvm:
+ vg: "{{ host_name }}"
+ lv: kubelet
+ size: 10G
+ fs: ext4
diff --git a/inventory/group_vars/realraum/main.yml b/inventory/group_vars/realraum/main.yml
deleted file mode 100644
index 8329f99a..00000000
--- a/inventory/group_vars/realraum/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-ssh_keys_root: "{{ ssh_key_map.equinox.realraum }}"
diff --git a/inventory/group_vars/realraum/vars.yml b/inventory/group_vars/realraum/vars.yml
new file mode 100644
index 00000000..8329f99a
--- /dev/null
+++ b/inventory/group_vars/realraum/vars.yml
@@ -0,0 +1,2 @@
+---
+ssh_keys_root: "{{ ssh_key_map.equinox.realraum }}"
diff --git a/inventory/group_vars/skillz/main.yml b/inventory/group_vars/skillz/main.yml
deleted file mode 100644
index 83765f7b..00000000
--- a/inventory/group_vars/skillz/main.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-zsh_banner: skillz
-
-ssh_users_root:
- - equinox
- - dan
-
-admin_users_group:
- - equinox
- - dan
-
-acmetool_account_email: equinox@spreadspace.org
diff --git a/inventory/group_vars/skillz/vars.yml b/inventory/group_vars/skillz/vars.yml
new file mode 100644
index 00000000..83765f7b
--- /dev/null
+++ b/inventory/group_vars/skillz/vars.yml
@@ -0,0 +1,12 @@
+---
+zsh_banner: skillz
+
+ssh_users_root:
+ - equinox
+ - dan
+
+admin_users_group:
+ - equinox
+ - dan
+
+acmetool_account_email: equinox@spreadspace.org
diff --git a/inventory/group_vars/spreadspace/main.yml b/inventory/group_vars/spreadspace/main.yml
deleted file mode 100644
index a9f37087..00000000
--- a/inventory/group_vars/spreadspace/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-zsh_banner: spreadspace
-
-acmetool_account_email: equinox@spreadspace.org
-
-apt_repo_blackmagic_auth:
- username: "spreadspace"
- password: "{{ vault_apt_repo_blackmagic_auth.password }}"
diff --git a/inventory/group_vars/spreadspace/vars.yml b/inventory/group_vars/spreadspace/vars.yml
new file mode 100644
index 00000000..a9f37087
--- /dev/null
+++ b/inventory/group_vars/spreadspace/vars.yml
@@ -0,0 +1,8 @@
+---
+zsh_banner: spreadspace
+
+acmetool_account_email: equinox@spreadspace.org
+
+apt_repo_blackmagic_auth:
+ username: "spreadspace"
+ password: "{{ vault_apt_repo_blackmagic_auth.password }}"
diff --git a/inventory/group_vars/vmhost-ch-atlas/main.yml b/inventory/group_vars/vmhost-ch-atlas/main.yml
deleted file mode 100644
index ce0421b5..00000000
--- a/inventory/group_vars/vmhost-ch-atlas/main.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-vm_host:
- name: ch-atlas
- network:
- dns:
- - 89.106.208.7
- - 89.106.208.12
- bridges:
- public:
- interfaces:
- - eth0
- prefix: 89.106.215.16/28
- gateway: 89.106.215.30
- prefix6: 2a02:3e0:407::/64
- gateway6: 2a02:3e0:407::1
- offsets:
- ch-keyserver: 3
- ch-testvm: 4
- ele-mur: 5
- r3-vex2: 11
- ch-atlas: 13
- k8stest: {}
- funkfeuer:
- interfaces:
- - eth0.502
-
-apt_repo_provider: ffgraz
diff --git a/inventory/group_vars/vmhost-ch-atlas/vars.yml b/inventory/group_vars/vmhost-ch-atlas/vars.yml
new file mode 100644
index 00000000..ce0421b5
--- /dev/null
+++ b/inventory/group_vars/vmhost-ch-atlas/vars.yml
@@ -0,0 +1,27 @@
+---
+vm_host:
+ name: ch-atlas
+ network:
+ dns:
+ - 89.106.208.7
+ - 89.106.208.12
+ bridges:
+ public:
+ interfaces:
+ - eth0
+ prefix: 89.106.215.16/28
+ gateway: 89.106.215.30
+ prefix6: 2a02:3e0:407::/64
+ gateway6: 2a02:3e0:407::1
+ offsets:
+ ch-keyserver: 3
+ ch-testvm: 4
+ ele-mur: 5
+ r3-vex2: 11
+ ch-atlas: 13
+ k8stest: {}
+ funkfeuer:
+ interfaces:
+ - eth0.502
+
+apt_repo_provider: ffgraz
diff --git a/inventory/group_vars/vmhost-ch-gnocchi/main.yml b/inventory/group_vars/vmhost-ch-gnocchi/main.yml
deleted file mode 100644
index 5b36795e..00000000
--- a/inventory/group_vars/vmhost-ch-gnocchi/main.yml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-__vmhost_bridge_interface_zones__:
- enp1s0:
- - lan
- - svc
- enp2s0:
- - magenta
- enp3s0:
- - mgmt
- - iot
-
-__vmhost_bridge_interface_zones_yaml__: |
- {% for interface in (__vmhost_bridge_interface_zones__.keys() | sort) %}
- {% for zone in __vmhost_bridge_interface_zones__[interface] %}
- {{ zone }}:
- interfaces:
- - {{ interface }}.{{ network_zones[zone].vlan }}
- {% endfor %}
- {% endfor %}
-
-
-vm_host:
- name: ch-gnocchi
- network:
- bridges: "{{ __vmhost_bridge_interface_zones_yaml__ | from_yaml }}"
diff --git a/inventory/group_vars/vmhost-ch-gnocchi/vars.yml b/inventory/group_vars/vmhost-ch-gnocchi/vars.yml
new file mode 100644
index 00000000..5b36795e
--- /dev/null
+++ b/inventory/group_vars/vmhost-ch-gnocchi/vars.yml
@@ -0,0 +1,25 @@
+---
+__vmhost_bridge_interface_zones__:
+ enp1s0:
+ - lan
+ - svc
+ enp2s0:
+ - magenta
+ enp3s0:
+ - mgmt
+ - iot
+
+__vmhost_bridge_interface_zones_yaml__: |
+ {% for interface in (__vmhost_bridge_interface_zones__.keys() | sort) %}
+ {% for zone in __vmhost_bridge_interface_zones__[interface] %}
+ {{ zone }}:
+ interfaces:
+ - {{ interface }}.{{ network_zones[zone].vlan }}
+ {% endfor %}
+ {% endfor %}
+
+
+vm_host:
+ name: ch-gnocchi
+ network:
+ bridges: "{{ __vmhost_bridge_interface_zones_yaml__ | from_yaml }}"
diff --git a/inventory/group_vars/vmhost-ch-prometheus/main.yml b/inventory/group_vars/vmhost-ch-prometheus/main.yml
deleted file mode 100644
index 015b0aa3..00000000
--- a/inventory/group_vars/vmhost-ch-prometheus/main.yml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-__vmhost_bridge_interface_zones__:
- bond0: "{{ network_zones | list | difference(['lan']) }}"
-
-__vmhost_bridge_interface_zones_yaml__: |
- {% for interface in (__vmhost_bridge_interface_zones__.keys() | sort) %}
- {% for zone in __vmhost_bridge_interface_zones__[interface] %}
- {{ zone }}:
- interfaces:
- - {{ interface }}.{{ network_zones[zone].vlan }}
- {% endfor %}
- {% endfor %}
- lan:
- interfaces:
- - enp1s0
-
-vm_host:
- name: ch-prometheus
- network:
- bridges: "{{ __vmhost_bridge_interface_zones_yaml__ | from_yaml }}"
- zfs:
- default:
- pool: nvme
- name: vm
- properties:
- compression: lz4
- storage:
- pool: storage
- name: vm
- properties:
- compression: lz4
diff --git a/inventory/group_vars/vmhost-ch-prometheus/vars.yml b/inventory/group_vars/vmhost-ch-prometheus/vars.yml
new file mode 100644
index 00000000..015b0aa3
--- /dev/null
+++ b/inventory/group_vars/vmhost-ch-prometheus/vars.yml
@@ -0,0 +1,31 @@
+---
+__vmhost_bridge_interface_zones__:
+ bond0: "{{ network_zones | list | difference(['lan']) }}"
+
+__vmhost_bridge_interface_zones_yaml__: |
+ {% for interface in (__vmhost_bridge_interface_zones__.keys() | sort) %}
+ {% for zone in __vmhost_bridge_interface_zones__[interface] %}
+ {{ zone }}:
+ interfaces:
+ - {{ interface }}.{{ network_zones[zone].vlan }}
+ {% endfor %}
+ {% endfor %}
+ lan:
+ interfaces:
+ - enp1s0
+
+vm_host:
+ name: ch-prometheus
+ network:
+ bridges: "{{ __vmhost_bridge_interface_zones_yaml__ | from_yaml }}"
+ zfs:
+ default:
+ pool: nvme
+ name: vm
+ properties:
+ compression: lz4
+ storage:
+ pool: storage
+ name: vm
+ properties:
+ compression: lz4
diff --git a/inventory/group_vars/vmhost-sk-2019vm/main.yml b/inventory/group_vars/vmhost-sk-2019vm/main.yml
deleted file mode 100644
index 4786040b..00000000
--- a/inventory/group_vars/vmhost-sk-2019vm/main.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-vm_host:
- name: sk-2019vm
- network:
- dns:
- - 213.133.100.100
- - 213.133.98.98
- - 213.133.99.99
- bridges:
- public:
- prefix: 192.168.250.0/24
- offsets:
- sk-torrent: 136
-# emc-master: 137
- lw-master: 137
- ele-gwhetzner: 138
- ch-mimas: 142
- sk-testvm: 253
- sk-2019vm: 254
- nat: yes
- overlays:
- default:
- prefix: 178.63.180.136/29
- offsets:
- sk-torrent: 0
-# emc-master: 1
- lw-master: 1
- ele-gwhetzner: 2
- ch-mimas: 6
- sk-testvm: 7
- zfs:
- default:
- pool: storage
- name: vm
- properties:
- compression: lz4
diff --git a/inventory/group_vars/vmhost-sk-2019vm/vars.yml b/inventory/group_vars/vmhost-sk-2019vm/vars.yml
new file mode 100644
index 00000000..4786040b
--- /dev/null
+++ b/inventory/group_vars/vmhost-sk-2019vm/vars.yml
@@ -0,0 +1,36 @@
+---
+vm_host:
+ name: sk-2019vm
+ network:
+ dns:
+ - 213.133.100.100
+ - 213.133.98.98
+ - 213.133.99.99
+ bridges:
+ public:
+ prefix: 192.168.250.0/24
+ offsets:
+ sk-torrent: 136
+# emc-master: 137
+ lw-master: 137
+ ele-gwhetzner: 138
+ ch-mimas: 142
+ sk-testvm: 253
+ sk-2019vm: 254
+ nat: yes
+ overlays:
+ default:
+ prefix: 178.63.180.136/29
+ offsets:
+ sk-torrent: 0
+# emc-master: 1
+ lw-master: 1
+ ele-gwhetzner: 2
+ ch-mimas: 6
+ sk-testvm: 7
+ zfs:
+ default:
+ pool: storage
+ name: vm
+ properties:
+ compression: lz4
diff --git a/inventory/group_vars/vmhost-sk-tomnext/main.yml b/inventory/group_vars/vmhost-sk-tomnext/main.yml
deleted file mode 100644
index a3706dcd..00000000
--- a/inventory/group_vars/vmhost-sk-tomnext/main.yml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-vm_host:
- name: sk-tomnext
- network:
- dns:
- - 213.133.100.100
- - 213.133.98.98
- - 213.133.99.99
- bridges:
- public:
- prefix: 192.168.250.0/24
- offsets:
- sk-tomnext-nc: 103
- sk-tomnext-hp: 104
- sk-tomnext: 254
- nat: yes
- overlays:
- default:
- prefix: 94.130.206.64/26
- offsets:
- sk-tomnext-nc: 39
- sk-tomnext-hp: 40
- zfs:
- default:
- pool: storage
- name: vm
- properties:
- compression: lz4
diff --git a/inventory/group_vars/vmhost-sk-tomnext/vars.yml b/inventory/group_vars/vmhost-sk-tomnext/vars.yml
new file mode 100644
index 00000000..a3706dcd
--- /dev/null
+++ b/inventory/group_vars/vmhost-sk-tomnext/vars.yml
@@ -0,0 +1,28 @@
+---
+vm_host:
+ name: sk-tomnext
+ network:
+ dns:
+ - 213.133.100.100
+ - 213.133.98.98
+ - 213.133.99.99
+ bridges:
+ public:
+ prefix: 192.168.250.0/24
+ offsets:
+ sk-tomnext-nc: 103
+ sk-tomnext-hp: 104
+ sk-tomnext: 254
+ nat: yes
+ overlays:
+ default:
+ prefix: 94.130.206.64/26
+ offsets:
+ sk-tomnext-nc: 39
+ sk-tomnext-hp: 40
+ zfs:
+ default:
+ pool: storage
+ name: vm
+ properties:
+ compression: lz4
-- 
cgit v1.2.3