teuserer/netz39-infra-ansible
1
0
Fork 0
forked from Netz39_Admin/netz39-infra-ansible
Code Pull requests Activity
Ansible configuration for the Netz39 infrastructure
1,781 commits 7 branches 0 tags 4.5 MiB
Find a file
Exact
Stefan Haun 42ff7684a4 Merge pull request 'chore(deps): update nodered/node-red docker tag to v4.1.1' (#671) from renovate/nodered-node-red-4.x into master 
Reviewed-on: Netz39_Admin/netz39-infra-ansible#671
Reviewed-by: Stefan Haun <tux@netz39.de>
2025-11-08 21:00:33 +01:00
files prosody: Indicate conf files are managed through Ansible 2025-10-26 20:39:52 +01:00
group_vars dyndns: Move vault vars away from global scope 2025-10-22 18:36:12 +02:00
host_vars chore(deps): update renovate/renovate docker tag to v42 2025-11-07 00:21:31 +00:00
roles chore(deps): update mrtux/cleanuri-webui docker tag to v0.2.9 2025-11-01 15:18:20 +00:00
templates prosody: Merge updates from v13.0 dist config 2025-10-26 21:30:48 +01:00
.editorconfig 🔧 editorconfig: Handle renovate.json file 2025-07-17 16:42:46 +02:00
.gitignore gitignore: Add local hidden ansible directory 2025-11-03 07:22:38 +01:00
.mailmap 📝 mailmap: Merge some new identies 2025-02-27 21:59:00 +01:00
.yamllint yamllint: Ignore local hidden ansible directory 2025-11-06 20:15:24 +01:00
ansible.cfg Update config yaml format in default callback plugin 2025-04-30 13:17:14 +02:00
configure-grafana.yml update requirements.yml to correctly install collection 2022-11-12 15:31:51 +01:00
group-all.yml Fix a stupid mistake in vars spec 2025-07-28 13:32:47 +02:00
group-docker_host.yml Merge pull request 'chore(deps): update telegraf docker tag to v1.36.3' (#686) from renovate/telegraf-1.x into master 2025-10-22 06:32:15 +02:00
group-k3s.yml 🚨 Add names to plays to fix name[play] linter warnings 2025-03-02 09:22:05 +01:00
group-proxmox.yml 🚨 Add names to plays to fix name[play] linter warnings 2025-03-02 09:22:05 +01:00
host-beaker.yml Fix a stupid mistake in vars spec 2025-07-28 13:32:47 +02:00
host-hobbes.yml Fix a stupid mistake in vars spec 2025-07-28 13:32:47 +02:00
host-holmium.yml Fix a stupid mistake in vars spec 2025-07-28 13:32:47 +02:00
host-krypton.yml group: docker: Make creation of data dir explicit 2025-10-21 22:28:28 +02:00
host-oganesson.yml Fix a stupid mistake in vars spec 2025-07-28 13:32:47 +02:00
host-platon.yml Remove explicit interpreter setting 2025-07-28 13:09:35 +02:00
host-plumbum.yml 🚨 Add names to plays to fix name[play] linter warnings 2025-03-02 09:22:05 +01:00
host-pottwal.yml Merge pull request 'dyndns: Move vault vars away from global scope' (#688) from dyndns into master 2025-10-28 08:25:54 +01:00
host-radon.yml Merge pull request 'chore(deps): update nodered/node-red docker tag to v4.1.1' (#671) from renovate/nodered-node-red-4.x into master 2025-11-08 21:00:33 +01:00
host-sisyphos.yml chore(deps): update docker docker tag to v28.5.2 2025-11-05 18:18:17 +00:00
host-tau.yml group: docker: Make creation of data dir explicit 2025-10-21 22:28:28 +02:00
host-unicorn.yml Merge pull request 'chore(deps): update jacobalberty/unifi docker tag to v9.5.21' (#672) from renovate/jacobalberty-unifi-9.x into master 2025-10-29 08:17:31 +01:00
host-wittgenstein.yml Use our local copy of wiringPi instead of downloading 2025-08-22 13:01:55 +02:00
inventory.yml Add new host 'sisyphos' 2025-10-15 22:23:01 +02:00
main.yml Add new host 'sisyphos' 2025-10-15 22:23:01 +02:00
README.md Add hint to Galaxy sync to README 2025-07-20 13:35:38 +02:00
renovate.json Add a custom Renovate manager to update cleanURI dependencies 2025-09-10 12:47:13 +02:00
requirements.yml chore(deps): update dependency netz39.host_docker to v0.7.0 2025-10-14 13:18:15 +00:00
setup-ssh.yml 🚨 setup-ssh: Fix risky-file-permissions linter warnings 2025-07-23 08:45:35 +02:00

README.md

Ansible configuration for the Netz39 infrastructure

This call lists all hosts defined in the inventory:

ansible all --list-hosts

Setup

ansible-galaxy install -r requirements.yml

Setup SSH Access to hosts

LOGUSER=<loguser>
SSH_KEY=<absolute/path/to/ssh/private/key>
ansible-playbook setup-ssh.yml --ask-vault-pass -e "setup_ssh_logname=$LOGUSER" -e "setup_ssh_key=$SSH_KEY"

This playbook also adds rhodium.n39.eu (OpenWRT router), but our Ansible cannot set up SSH keys (yet). Please add your key to OpenWRT manually.

Edit vault encrypted vars files

ansible-vault edit group_vars/all/vault

Call with

ansible-galaxy install --force -r requirements.yml
ansible-playbook --ask-vault-pass main.yml

Please make sure that the galaxy roles are in sync with the requirements file!

You need to provide a user with sudo rights and the vault password.

Verify Changes

ansible-lint main.yml
ansible-playbook --ask-vault-pass main.yml --check --diff

HTTPS ingress configuration

HTTPS ingress is controlled by the server holmium and forwarded to the configured servers.

To set up a new HTTPS vhost, the following steps need to be taken:

  1. Select a domain (for internal services we use sub-domains of .n39.eu).
  2. Create an external CNAME from this domain to dyndns.n39.eu.
  3. Create an internal DNS entry in the Descartes DNS config. This is usually an alias on an existing server.
  4. Add the entry to the holmium playbook.
  5. Set up Dehydrated and vhost on the target host, e.g. using setup_http_site_proxy.

Do not forget to execute all playbooks with relevant changes.