Ansible configuration for the Netz39 infrastructure

This call lists all hosts defined in the inventory:

ansible all --list-hosts

Setup

ansible-galaxy install -r requirements.yml

Vault Password

Store the vault password in a file named vault-pass in the project's root directory. Make sure that this file is readable only by you:

echo "<your-vault-password>" > vault-pass
chmod 600 vault-pass

The password will automatically be picked up by Ansible.

If you do not want to store the vault password in a file, you can also provide it interactively by adding the option --ask-vault-pass (or -J) to the ansible-playbook command.
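With echo, the password ends up in the shell history, and the file exists with the permissions of the current umask until chmod runs. The following is an added example, not part of the repository: two shell functions (the names write_vault_pass and check_vault_pass are hypothetical) that create vault-pass with mode 600 before the secret is written and verify the result afterwards.

```shell
# Added example, not from the repository. Only the file name vault-pass
# comes from the README; the function names are hypothetical.

# Read the password without echoing it and without it entering shell history.
write_vault_pass() {
    file=${1:-vault-pass}
    if [ -t 0 ]; then
        printf 'Vault password: ' >&2
        stty -echo; IFS= read -r pw; stty echo
        printf '\n' >&2
    else
        IFS= read -r pw
    fi
    # Create (or truncate) the file and force mode 600 before the secret
    # is written, so it is never readable by group or others.
    ( umask 077 && : > "$file" ) && chmod 600 "$file" &&
        printf '%s\n' "$pw" > "$file"
    rc=$?; unset pw; return $rc
}

# Return 0 only if the file is a non-empty regular file, readable by the
# owner alone, and not tracked by git.
check_vault_pass() {
    file=${1:-vault-pass}
    if [ ! -f "$file" ] || [ -L "$file" ] || [ ! -s "$file" ]; then
        echo "$file: missing, empty or not a regular file" >&2; return 1
    fi
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case $mode in
        600|400) ;;
        *) echo "$file: mode $mode, expected 600" >&2; return 1 ;;
    esac
    dir=$(dirname "$file")
    if git -C "$dir" ls-files --error-unmatch -- "$(basename "$file")" \
        >/dev/null 2>&1; then
        echo "$file: tracked by git, remove it from the index" >&2; return 1
    fi
    return 0
}
```

Run write_vault_pass once in the project root, then check_vault_pass before calling ansible-playbook.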

Setup SSH Access to hosts

LOGUSER=<loguser>
SSH_KEY=<absolute/path/to/ssh/private/key>
ansible-playbook setup-ssh.yml -e "setup_ssh_logname=$LOGUSER" -e "setup_ssh_key=$SSH_KEY"

This playbook also adds rhodium.n39.eu (OpenWRT router), but our Ansible cannot set up SSH keys (yet). Please add your key to OpenWRT manually.

Edit vault encrypted vars files

ansible-vault edit group_vars/all/vault

Call with

ansible-galaxy install --force -r requirements.yml
ansible-playbook main.yml

Please make sure that the galaxy roles are in sync with the requirements file!

You need to provide a user with sudo rights and the vault password.

Verify Changes

ansible-lint main.yml
ansible-playbook main.yml --check --diff

HTTPS ingress configuration

HTTPS ingress is controlled by the server holmium and forwarded to the configured servers.

To set up a new HTTPS vhost, the following steps need to be taken:

  1. Select a domain (for internal services we use sub-domains of .n39.eu).
  2. Create an external CNAME from this domain to dyndns.n39.eu.
  3. Create an internal DNS entry in the Descartes DNS config. This is usually an alias on an existing server.
  4. Add the entry to the holmium playbook.
  5. Set up Dehydrated and vhost on the target host, e.g. using setup_http_site_proxy.

Do not forget to execute all playbooks with relevant changes.