commit d16d30e9aab81338ce3f3580ed8c761c27dbcfb3 Author: blat Date: Sat Dec 10 18:52:41 2022 +0100 update certs and build system diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..d473be9 --- /dev/null +++ b/.gitignore @@ -0,0 +1,10 @@ +/lime-mac/* +doc*.md + + +# public +/lime-mac/* +/host_vars/lime-* +!/host_vars/lime-000000000000.yml +group_vars/wg_server.yml +/mesh_devices.yml diff --git a/README.md b/README.md new file mode 100644 index 0000000..a99b6d0 --- /dev/null +++ b/README.md @@ -0,0 +1,38 @@ + +un ruolo ansible per aggiornare i belvederi e la macchina con gli strumenti + +alcuni ruoli per installare i componenti necessari al monitoring dei belvederi +- prometheus +- blackbox_exporter +- alertmanager + +requirements + pip3 install ansible + pip3 install jinja2-ansible-filters + +Aggiungi il percorso di dove ti ha installato ansible ed aggeggi vari nel tuo .bash_profile che hai in home: + +``` +#ansible ed ansible-galaxy +export PATH=$PATH:~/.local/bin +``` +dai `source ~/.bash_profile` + +Installa i componenti ansible-galaxy + + ansible-galaxy collection install community.general + ansible-galaxy install cloudalchemy.prometheus + ansible-galaxy install cloudalchemy.blackbox-exporter + ansible-galaxy install cloudalchemy.alertmanager + ansible-galaxy install nginxinc.nginx + ansible-galaxy install nginxinc.nginx_config + +run + ansible-playbook -i hosts -i inventory.yml main.yml + +setup dei belvederi + ansible-playbook -i hosts -i inventory.yml infra.yml + + +# +https://openwrt.org/docs/guide-developer/toolchain/use-buildsystem diff --git a/README_build.md b/README_build.md new file mode 100644 index 0000000..628ba61 --- /dev/null +++ b/README_build.md @@ -0,0 +1,43 @@ + +esempio di test per buildare per tutti i targets + +ansible-playbook \ + -i hosts \ + -i mesh_devices.yml \ + -i inventory.yml \ + --skip-tags preflight \ + --skip-tags openwrt_install \ + --skip-tags libremesh_install \ + --skip-tags libremesh_packages \ + --skip-tags configure_profiles \ + --skip-tags webserver \ + playbooks/build_all_targets.yml + +#### configura e builda + ansible-playbook \ + -i hosts \ + -i mesh_devices.yml \ + -i inventory.yml \ + --skip-tags preflight \ + --skip-tags openwrt_install \ + --skip-tags libremesh_install \ + --skip-tags webserver \ + playbooks/build_single_target_dev_test.yml + + +# nuovo target +ansible-playbook \ + -i hosts \ + -i mesh_devices.yml \ + -i inventory.yml \ + playbooks/build_single_target_dev_test.yml + + +ansible-playbook \ + -i hosts \ + -i mesh_devices.yml \ + -i inventory.yml \ + --skip-tags openwrt_install \ + --skip-tags libremesh_install \ + --skip-tags webserver \ + playbooks/build_all_targets.yml diff --git a/TODO.md b/TODO.md new file mode 100644 index 0000000..e248359 --- /dev/null +++ b/TODO.md @@ -0,0 +1,23 @@ + +# roles/stable/build +[ ] create a build_all playbook +- [ ] create target specific vars for build_all +[ ] group firmware in human readable way +[ ] replace mac56_to_ipCD.sh with an ansible script if possible +[ ] move packages from roles/stable/build/files to a repo +- [ ] finish refactor of vs-ninux-wg (should it keep this name after refactor?) +[ ] setup a repo with an updated .gitignore for publishing purposes +[ ] update README with build system information +[ ] add tags or prefix in tasks of roles/stable/build/tasks/main.yml +[ ] reduce size of lime-mac files (include only ones of the same target?) + +[ ] issue: building for a new target ramips_mt76x8 doesn't select the device tl-wr6400-v4 at first time. props: changing target and then make defconfig, then cat EOF the target device and redo a make defconfig + +[ ] add workaround to initialize device br-lan on openwrt 21.02.3 +config device + option name 'br-lan' + option type 'bridge' + list ports 'eth0' + list ports 'bat0' + +[ ] try to add support for lbe-m5 on openwrt 21.02.3 diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..b828b1b --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,13 @@ + +[passwordstore_lookup] +lock=readwrite +locktimeout=45000s + +[defaults] +inventory = ./inventory.yml +interpreter_python = /usr/bin/python3 +remote_user = root + + +[ssh_connection] +scp_if_ssh=True diff --git a/group_vars/builder.yml b/group_vars/builder.yml new file mode 100644 index 0000000..e69de29 diff --git a/host_vars/belvedere-test.yml b/host_vars/belvedere-test.yml new file mode 100644 index 0000000..1cb355e --- /dev/null +++ b/host_vars/belvedere-test.yml @@ -0,0 +1,72 @@ +belvedere_targets: + - targets: ['10.170.169.234:9090'] + labels: + host: 'ninux-59a9ea' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.170.213.244:9090'] + labels: + host: 'scutigera' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.170.170.196:9090'] + labels: + host: 'cetonia' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.170.157.135:9090'] + labels: + host: 'stercoraro' + group: 'mesh_routers' + alert: 'yes' + + - targets: ['10.170.247.96:9090'] + labels: + host: 'neomantix' + group: 'mesh_stations' + alert: 'no' + + - targets: ['10.170.135.90:9090'] + labels: + host: 'cervo-volante' + group: 'home_routers' + alert: 'yes' + + - targets: ['10.169.165.230:9090'] + labels: + host: 'falena' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.170.154.103:9090'] + labels: + host: 'tarlo' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.207.117.192:9090'] + labels: + host: 'ninux-cabum' + group: 'mesh_stations' + alert: 'no' + + - targets: ['10.170.150.95:9090'] + labels: + host: 'grillo' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.170.135.117:9090'] + labels: + host: 'ninux-598775' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.170.248.242:9090'] + labels: + host: 'amphithrix' + group: 'mesh_stations' + alert: 'yes' diff --git a/host_vars/belvedere-vs.yml b/host_vars/belvedere-vs.yml new file mode 100644 index 0000000..2f7fd13 --- /dev/null +++ b/host_vars/belvedere-vs.yml @@ -0,0 +1,54 @@ +belvedere_targets: + - targets: ['10.170.161.237:9090'] + labels: + host: 'ninux-dba1ed' + group: 'mesh_stations' + alert: 'no' + + - targets: ['10.170.233.12:9090'] + labels: + host: 'zanzara' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.170.173.138:9090'] + labels: + host: 'scolopendra' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.170.147.243:9090'] + labels: + host: 'ape' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.254.23.220:9090'] + labels: + host: 'scarabeo' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.170.154.252:9090'] + labels: + host: 'formica' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.170.130.99:9090'] + labels: + host: 'mantide' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.170.163.2:9090'] + labels: + host: 'cavolaia' + group: 'mesh_stations' + alert: 'no' + + - targets: ['10.170.173.201:9090'] + labels: + host: 'ninux-25adc9' + group: 'home_routers' + alert: 'no' diff --git a/host_vars/belvedere.yml b/host_vars/belvedere.yml new file mode 100644 index 0000000..1cb355e --- /dev/null +++ b/host_vars/belvedere.yml @@ -0,0 +1,72 @@ +belvedere_targets: + - targets: ['10.170.169.234:9090'] + labels: + host: 'ninux-59a9ea' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.170.213.244:9090'] + labels: + host: 'scutigera' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.170.170.196:9090'] + labels: + host: 'cetonia' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.170.157.135:9090'] + labels: + host: 'stercoraro' + group: 'mesh_routers' + alert: 'yes' + + - targets: ['10.170.247.96:9090'] + labels: + host: 'neomantix' + group: 'mesh_stations' + alert: 'no' + + - targets: ['10.170.135.90:9090'] + labels: + host: 'cervo-volante' + group: 'home_routers' + alert: 'yes' + + - targets: ['10.169.165.230:9090'] + labels: + host: 'falena' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.170.154.103:9090'] + labels: + host: 'tarlo' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.207.117.192:9090'] + labels: + host: 'ninux-cabum' + group: 'mesh_stations' + alert: 'no' + + - targets: ['10.170.150.95:9090'] + labels: + host: 'grillo' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.170.135.117:9090'] + labels: + host: 'ninux-598775' + group: 'mesh_stations' + alert: 'yes' + + - targets: ['10.170.248.242:9090'] + labels: + host: 'amphithrix' + group: 'mesh_stations' + alert: 'yes' diff --git a/host_vars/lime-000000000000.yml b/host_vars/lime-000000000000.yml new file mode 100644 index 0000000..673b626 --- /dev/null +++ b/host_vars/lime-000000000000.yml @@ -0,0 +1,19 @@ +# BEGIN ANSIBLE MANAGED BLOCK lime-000000000000 utils +ip_host: 0.0 +# END ANSIBLE MANAGED BLOCK lime-000000000000 utils +# BEGIN ANSIBLE MANAGED BLOCK lime-000000000000 common +hostname: ninux-000000 +lime_mac: lime-000000000000 +main_ipv4_address: 10.170.0.0/16 +# END ANSIBLE MANAGED BLOCK lime-000000000000 common +# BEGIN ANSIBLE MANAGED BLOCK lime-000000000000 config +config_lime_system: option hostname 'ninux-000000' +config_lime_wifi: option channel_5ghz '48' +# END ANSIBLE MANAGED BLOCK lime-000000000000 config +# BEGIN ANSIBLE MANAGED BLOCK lime-000000000000 vpn wireguard wg0 +vpn_wg0_privatekey: UIHZ9uTOxW07jHTQHAzUvmWAS6tkPtQWqZU9Gp6LcHY= +vpn_wg0_publickey: HgdBD20UBNzWkDJfP4H20Nr+IyzOyWBdqXCV69XktQA= +vpn_wg0_presharedkey: 3rod8G0DsZzkxMmR95Sf76URdH4aiZEUdlol8lOL+ww= +vpn_wg0_listenport: 51800 +vpn_wg0_address: 192.168.0.0/16 +# END ANSIBLE MANAGED BLOCK lime-000000000000 vpn wireguard wg0 diff --git a/hosts b/hosts new file mode 100644 index 0000000..39fcb30 --- /dev/null +++ b/hosts @@ -0,0 +1,37 @@ +croara: + hosts: + belvedere: + ansible_host: 10.0.0.10 + ansible_user: pi + ansible_become_user: root + ansible_become: yes + ada: + ansible_host: 10.170.42.91 + ansible_user: antennine + ansible_become_pass: "{{ lookup('passwordstore', 'chiavi_antennine/ada/user_root', errors='strict') | default(omit) }}" + ansible_become_user: root + ansible_become_method: su + ansible_become_flags: + belvedere-test: + ansible_host: 10.170.64.34 + ansible_user: pi + ansible_become_user: root + ansible_become: yes + +valsamoggia: + hosts: + belvedere-vs: + ansible_host: 10.0.0.11 + ansible_user: pi + ansible_become_user: root + ansible_become: yes + +vps: + hosts: + jitsi: + ansible_host: 10.0.0.1 + ansible_user: + ansible_become_user: root + ansible_become_pass: "{{ lookup('passwordstore', 'chiavi_antennine/jitsi/user_root', errors='strict') | default(omit) }}" + ansible_become_method: su + ansible_become_flags: diff --git a/inventory.yml b/inventory.yml new file mode 100644 index 0000000..e6228fb --- /dev/null +++ b/inventory.yml @@ -0,0 +1,23 @@ +belvederi: + hosts: + belvedere: + belvedere-vs: + +strumenti: + hosts: ada + +ca: + hosts: ada + +builder: + hosts: ada + +wg_server: + hosts: jitsi + +# test: +# hosts: test.jolly +# vars: +# ansible_user: debian + +all: diff --git a/main.yml b/main.yml new file mode 100644 index 0000000..985e692 --- /dev/null +++ b/main.yml @@ -0,0 +1,24 @@ +--- +- hosts: all + gather_facts: yes + become: yes + + tasks: + - name: Perform a dist-upgrade. + ansible.builtin.apt: + upgrade: dist + update_cache: yes + + - name: Check if a reboot is required. + ansible.builtin.stat: + path: /var/run/reboot-required + get_md5: no + register: reboot_required_file + + - name: Reboot the server (if required). + ansible.builtin.reboot: + when: reboot_required_file.stat.exists == true + + - name: Remove dependencies that are no longer required. + ansible.builtin.apt: + autoremove: yes diff --git a/mesh_devices_template.yml b/mesh_devices_template.yml new file mode 100644 index 0000000..9ffed0d --- /dev/null +++ b/mesh_devices_template.yml @@ -0,0 +1,13 @@ +mesh_devices: + hosts: + # litebeam + lime-000000000000: + hostname: cocciniglia + + # tplink_tl-wr940n-v6 + lime-000000000000: + hostname: cervovolante + + # tplink_cpe510 + lime-000000000000: + hostname: oncocera-semirubella diff --git a/playbooks/ada.yml b/playbooks/ada.yml new file mode 100644 index 0000000..3d99d66 --- /dev/null +++ b/playbooks/ada.yml @@ -0,0 +1,8 @@ +--- +## Ada +- name: Ada + hosts: ada + become: yes + roles: + - '../roles/stable/openssl_certificates' + tags: certificates diff --git a/playbooks/belvedere.yml b/playbooks/belvedere.yml new file mode 100644 index 0000000..bab7d25 --- /dev/null +++ b/playbooks/belvedere.yml @@ -0,0 +1,14 @@ +--- +## Monitoring +- name: Monitoring + hosts: belvedere + roles: + - '../roles/stable/monitoring/prometheus' + - '../roles/stable/monitoring/blackbox_exporter' + - '../roles/stable/monitoring/alertmanager' + - '../roles/stable/dnsmasq' + vars_files: + - ../vars/monitoring.yml + - ../vars/smtp.yml + - ../vars/telegram.yml + tags: monitoring diff --git a/playbooks/build_all_targets.yml b/playbooks/build_all_targets.yml new file mode 100644 index 0000000..f505b0a --- /dev/null +++ b/playbooks/build_all_targets.yml @@ -0,0 +1,32 @@ +--- +# Build all targets + +- name: Build {{ openwrt_version }} ath79_generic + gather_facts: false + hosts: builder + roles: + - ../roles/stable/build + vars_files: + - ../vars/build/dev_test.yml + - ../vars/build/targets/ath79_generic.yml + tags: generate device + +- name: Build {{ openwrt_version }} ar71xx_generic + gather_facts: false + hosts: builder + roles: + - ../roles/stable/build + vars_files: + - ../vars/build/dev_test.yml + - ../vars/build/targets/ar71xx_generic.yml + tags: generate device + +- name: Build ath79_tiny + gather_facts: false + hosts: builder + roles: + - ../roles/stable/build + vars_files: + - ../vars/build/dev_test.yml + - ../vars/build/targets/ath79_tiny.yml + tags: generate device diff --git a/playbooks/build_single_target_dev_test.yml b/playbooks/build_single_target_dev_test.yml new file mode 100644 index 0000000..eb044e9 --- /dev/null +++ b/playbooks/build_single_target_dev_test.yml @@ -0,0 +1,30 @@ +--- +# Build single target dev_test. +# +- name: Build single target dev_test. + gather_facts: false + hosts: builder + roles: + - ../roles/stable/build + vars_files: + - ../vars/build/openwrt.yml + - ../vars/build/dev_test.yml + - ../vars/build/_h5ai.yml + - ../vars/build/targets/test_stable_ramips_mt7620.yml + # - ../vars/build/targets/test_stable_ath79_generic.yml + # - ../vars/build/targets/22.03.1_ath79_generic.yml + tags: generate_device + +- name: Build single target dev_test. + gather_facts: false + hosts: builder + roles: + - ../roles/stable/build + vars_files: + - ../vars/build/openwrt.yml + - ../vars/build/dev_test.yml + - ../vars/build/_h5ai.yml + # - ../vars/build/targets/test_stable_ramips_mt7620.yml + - ../vars/build/targets/test_stable_ath79_generic.yml + # - ../vars/build/targets/22.03.1_ath79_generic.yml + tags: generate_device diff --git a/playbooks/generate-new-device.yml b/playbooks/generate-new-device.yml new file mode 100644 index 0000000..2f57688 --- /dev/null +++ b/playbooks/generate-new-device.yml @@ -0,0 +1,17 @@ +--- +# Generate a new device. +# +- name: Generate a new device. + gather_facts: false + hosts: builder + roles: + - ../roles/stable/build + vars_files: + - ../vars/build/main.yml + - ../vars/build/_h5ai.yml + - ../vars/build/ath79_generic.yml + tags: generate device + +- handlers: + - name: Add wireguard keys to server + import_tasks: ../roles/stable/build/tasks/server.yml diff --git a/playbooks/generate-new-test-device.yml b/playbooks/generate-new-test-device.yml new file mode 100644 index 0000000..a0f63d7 --- /dev/null +++ b/playbooks/generate-new-test-device.yml @@ -0,0 +1,13 @@ +--- +# Generate a new device. +# +- name: Generate a new device. + gather_facts: false + hosts: builder + roles: + - ../roles/stable/build + vars_files: + - ../vars/build/test.yml + - ../vars/build/_h5ai.yml + # - ../vars/build/devices.yml + tags: generate device diff --git a/playbooks/infra.test.yml b/playbooks/infra.test.yml new file mode 100644 index 0000000..0ba8e8f --- /dev/null +++ b/playbooks/infra.test.yml @@ -0,0 +1,20 @@ +--- +## Monitoring +- name: Monitoring + gather_facts: false + hosts: belvedere-test + roles: + - '../roles/stable/monitoring/prometheus' + - '../roles/stable/monitoring/blackbox_exporter' + - '../roles/stable/monitoring/alertmanager' + - '../roles/stable/dnsmasq' + - '../roles/wireguard' + - '../roles/stable/nginx' + vars_files: + - ../vars/monitoring.yml + - ../vars/smtp.yml + - ../vars/telegram.yml + - ../vars/test.yml + - ../vars/wireguard.yml + - ../vars/belvederi.yml + tags: monitoring diff --git a/playbooks/infra.yml b/playbooks/infra.yml new file mode 100644 index 0000000..78f6b13 --- /dev/null +++ b/playbooks/infra.yml @@ -0,0 +1,14 @@ +--- +## Monitoring +- name: Monitoring + hosts: belvederi + roles: + - '../roles/stable/monitoring/prometheus' + - '../roles/stable/monitoring/blackbox_exporter' + - '../roles/stable/monitoring/alertmanager' + - '../roles/stable/dnsmasq' + vars_files: + - ../vars/monitoring.yml + - ../vars/smtp.yml + - ../vars/telegram.yml + tags: monitoring diff --git a/roles/stable/build/defaults/main.yml b/roles/stable/build/defaults/main.yml new file mode 100644 index 0000000..2a5bddb --- /dev/null +++ b/roles/stable/build/defaults/main.yml @@ -0,0 +1,14 @@ +--- +skip_preflight: true +skip_openwrt_install: false +skip_libremesh_install: false +skip_configure_profiles: false +skip_configure_clean: false +skip_configure_custom: false +skip_configure_init: false +skip_webserver_update: false + +with_wireguard: false + +default_channel_5ghz: 48 +default_vpn_wg0_listenport: 51800 diff --git a/roles/stable/build/files/mac56-to-ip_host.sh b/roles/stable/build/files/mac56-to-ip_host.sh new file mode 100755 index 0000000..d4548e0 --- /dev/null +++ b/roles/stable/build/files/mac56-to-ip_host.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +[ $1 = "" ] && exit +mac=$1 +mac_5=$(echo ${mac: -4:2}) +mac_6=$(echo ${mac: -2}) +ip_c=$(echo $((0x$mac_5))) +ip_d=$(echo $((0x$mac_6))) + +if [[ $2 = "--start-from" ]] +then + [[ $ip_c -lt $3 ]] && ((ip_c+=$3)) +fi + +echo ${ip_c}.${ip_d} diff --git a/roles/stable/build/files/packages/vs-fix-openwrt21/Makefile b/roles/stable/build/files/packages/vs-fix-openwrt21/Makefile new file mode 100644 index 0000000..6e266a6 --- /dev/null +++ b/roles/stable/build/files/packages/vs-fix-openwrt21/Makefile @@ -0,0 +1,8 @@ +include $(TOPDIR)/rules.mk + +PROFILE_DESCRIPTION:=fix openwrt21 add bat0 to brlan +PROFILE_DEPENDS:= +lime-system + +include ../../profile.mk + +# call BuildPackage - OpenWrt buildroot signature diff --git a/roles/stable/build/files/packages/vs-fix-openwrt21/root/etc/uci-defaults/90_add_bat0_to_brlan b/roles/stable/build/files/packages/vs-fix-openwrt21/root/etc/uci-defaults/90_add_bat0_to_brlan new file mode 100755 index 0000000..d3de246 --- /dev/null +++ b/roles/stable/build/files/packages/vs-fix-openwrt21/root/etc/uci-defaults/90_add_bat0_to_brlan @@ -0,0 +1,4 @@ +#!/bin/sh + +uci add_list "network.@device[0].ports=bat0" +exit 0 diff --git a/roles/stable/build/files/packages/vs-fix-openwrt22/Makefile b/roles/stable/build/files/packages/vs-fix-openwrt22/Makefile new file mode 100644 index 0000000..6e266a6 --- /dev/null +++ b/roles/stable/build/files/packages/vs-fix-openwrt22/Makefile @@ -0,0 +1,8 @@ +include $(TOPDIR)/rules.mk + +PROFILE_DESCRIPTION:=fix openwrt21 add bat0 to brlan +PROFILE_DEPENDS:= +lime-system + +include ../../profile.mk + +# call BuildPackage - OpenWrt buildroot signature diff --git a/roles/stable/build/files/packages/vs-fix-openwrt22/root/etc/uci-defaults/90_add_confdir_to_dnsmasq b/roles/stable/build/files/packages/vs-fix-openwrt22/root/etc/uci-defaults/90_add_confdir_to_dnsmasq new file mode 100644 index 0000000..723eec9 --- /dev/null +++ b/roles/stable/build/files/packages/vs-fix-openwrt22/root/etc/uci-defaults/90_add_confdir_to_dnsmasq @@ -0,0 +1,4 @@ +#!/bin/sh + +uci set "uci set dhcp.@dnsmasq[0].confdir=/etc/dnsmasq.d/" +exit 0 diff --git a/roles/stable/build/files/packages/vs-ninux-generic/Makefile b/roles/stable/build/files/packages/vs-ninux-generic/Makefile new file mode 100644 index 0000000..8822b18 --- /dev/null +++ b/roles/stable/build/files/packages/vs-ninux-generic/Makefile @@ -0,0 +1,27 @@ +include $(TOPDIR)/rules.mk + +PROFILE_DESCRIPTION:=Generic valsamoggia configuration +PROFILE_DEPENDS:= +prometheus-node-exporter-lua \ + +prometheus-node-exporter-lua-wifi \ + +prometheus-node-exporter-lua-wifi_stations \ + +prometheus-node-exporter-lua-openwrt \ + +lime-proto-babeld \ + +lime-proto-batadv \ + +lime-proto-anygw \ + +lime-proto-wan \ + +lime-hwd-openwrt-wan \ + +shared-state \ + +hotplug-initd-services \ + +shared-state-babeld_hosts \ + +shared-state-bat_hosts \ + +shared-state-dnsmasq_hosts \ + +shared-state-dnsmasq_leases \ + +shared-state-nodes_and_links \ + +check-date-http \ + +lime-app \ + +lime-hwd-ground-routing \ + +lime-debug + +include ../../profile.mk + +# call BuildPackage - OpenWrt buildroot signature diff --git a/roles/stable/build/files/packages/vs-ninux-generic/root/etc/config/lime-community b/roles/stable/build/files/packages/vs-ninux-generic/root/etc/config/lime-community new file mode 100644 index 0000000..139e605 --- /dev/null +++ b/roles/stable/build/files/packages/vs-ninux-generic/root/etc/config/lime-community @@ -0,0 +1,64 @@ +config lime system + option hostname 'ninux-%M4%M5%M6' + option domain 'valsamoggia.ninux.org' + option keep_on_upgrade 'libremesh base-files-essential /etc/sysupgrade.conf' + option root_password_policy 'SET_SECRET' + option root_password_secret '$1$5OlrdoPc$q0p0th7CmSUuCBqsS2.6W.' + +config lime network + option primary_interface 'eth0' + option main_ipv4_address '10.170.128.0/16/17' + option anygw_dhcp_start '5120' + option anygw_dhcp_limit '27648' + option main_ipv6_address 'fd%N1:%N2%N3:%N4%N5::/64' + list protocols ieee80211s + list protocols lan + list protocols anygw + list protocols batadv:%N1 + list protocols babeld:17 + list resolvers 4.2.2.2 # b.resolvers.Level3.net + list resolvers 141.1.1.1 # cns1.cw.net + list resolvers 2001:470:20::2 # ordns.he.net + option anygw_mac "aa:aa:aa:%N1:%N2:aa" + option use_odhcpd false + +config lime 'wifi' + option ap_ssid 'ninux' + option apname_ssid 'ninux/%H' + option ieee80211s_mesh_fwding '0' + option ieee80211s_mesh_id 'LiMe' + +config lime-wifi-band '2ghz' + list modes 'ap' + list modes 'apname' + list modes 'ieee80211s' + option channel '11' + option distance '1000' + +config lime-wifi-band '5ghz' + list modes 'ap' + list modes 'apname' + list modes 'ieee80211s' + option distance '10000' + option htmode 'HT40' + option channel '48' + +config generic_uci_config prometheus + list uci_set "prometheus-node-exporter-lua.main.listen_interface=*" + list uci_set "prometheus-node-exporter-lua.main.listen_ipv6=0" + list uci_set "prometheus-node-exporter-lua.main.listen_port=9090" + +config run_asset prometheus_enable + option asset 'community/prometheus_enable' + option when 'ATFIRSTBOOT' + +config run_asset cron_reboot + option asset 'community/cron_reboot' + option when 'ATFIRSTBOOT' + +config generic_uci_config dropbear + list uci_set "dropbear.@dropbear[0].RootPasswordAuth=off" + +config run_asset wireguard_server + option asset 'community/wireguard_server' + option when 'ATFIRSTBOOT' diff --git a/roles/stable/build/files/packages/vs-ninux-generic/root/etc/config/lime-node b/roles/stable/build/files/packages/vs-ninux-generic/root/etc/config/lime-node new file mode 100644 index 0000000..7d01ca0 --- /dev/null +++ b/roles/stable/build/files/packages/vs-ninux-generic/root/etc/config/lime-node @@ -0,0 +1,9 @@ + +config lime 'system' +# option hostname 'ninux-%M4%M5%M6' + +config lime 'network' + +config lime 'wifi' +# option channel_5ghz '48' +# option distance_5ghz '8000' diff --git a/roles/stable/build/files/packages/vs-ninux-generic/root/etc/dropbear/authorized_keys b/roles/stable/build/files/packages/vs-ninux-generic/root/etc/dropbear/authorized_keys new file mode 100644 index 0000000..7bbd8cf --- /dev/null +++ b/roles/stable/build/files/packages/vs-ninux-generic/root/etc/dropbear/authorized_keys @@ -0,0 +1,3 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQKltRbIX4D1akDOIQM+BrFQmWtRDQyojM9ZAwH87ju kiki@digitigrafo.it +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDwAsTNUxOjxe2FCeSZuoLU0ZmRvd6hOTN8885NoJTK00XdI5WZOUP9J42rGtRiWQ+rG29ZID33ALZCotS0PtLDg3LMOpJyOSluLhP1FeOsx0MzLhzFCBjfAUSUXqdTqLiFXbbNWdqYQO4XaAFbFEiMUyvsxdnVg59Uf5iLXh85dR7WUBE4AonNcfyxh7uSKOu2etUY/RpqnqFMzn068kHnDNlw6cSfJrAgLe7HAqhFiBls1/lofH/fDJqVmEjFhgaGAE59ELyg6fxhfqr5MiJD3CR6CetYxbZ6G9KKTuY9Vk8Vi3/lwFgv+0xcaMuxF4YYZ138w6fSRlhbwjPK1nnUZPFTMFbWOj95BlKXZWubIWz1bOVnJN+44CPyof2W5+2PhOq2U+TEkVwkJBCRX6LewwltPLtITWE3XZEjf7dGMtZOPF6Ue3ZCYKZls1112+pCPtIZfCS38FTQ6rJruFfh0BQFHHxlQerWwCaTd475N+KVpAU0Z6W0RmB3L5vKjRrnGTRbnUVS9hxYWQ6yDRUA76sircjKvZtKRYQJbhOEsFElLrh+4nOipL9ttLFNEux7SnKJdnXK9mgfHjd5skfs9uxjdgRhNkAsDFpKYdZ80NMLipsKSmeR/b80uL8Ng8935wvOxfFNchpLq3PgRvjiEgR4VesHdsmyeZbylsms9Q== agave@dracaena.it +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCkVKuMvdWtExnsB2U2vF9DK4EUEwqiu92u34LU6MjavcvL6vSDu1D+jcFA4r+gVN667CMDcK/Biw/zByUW9pYh9Ynx7x+DGx2MyYbJ+9AQCJzb4X/QPxH/evVap9bOh6DjiWrZZ73kZ6yvVKm3N6+KZpUx2y4hC/NEtNJQ60/9upN6DuLPhi2h31A97ylCp+J4imrVKMTNWOPVleQXTmi93xiJqR+REOz3RM8F01WF42B+PQnkFrtubnvJ+CiHEdhVXiMhOt6x8rDrvrhAaqjn1fMUQU7ZA9pSMyya/qV+EmpYQYJkBncuIYxMi39+zcPjd6OXcGA3i/eQvlM4yC309rhUVcr+dxc8DOYcCXhUVo8hTa5vBELysnhCuSOWAgU7JVjJ+cUAZqEfckD9C6GXfcLKfXoRq6Hbb68Lixxoc38UFcSMPBJgSnoZKy0D1zdJWsNC+zwtedPreUDYQxFU9Ma9CB86iGGv7xYs4TnrljXklQ9t6uPEHO2LgSfidQy3ubHzCNVPtRHfIDnHi7HiaxmTHJ+EV9JLquuAxIhAivNk37jbMuhDDyaldSMR2yMr4aLm5oiR3K8CADhXY+Vu+6zW2G+mDPAtBey3+ftmK/IU2KE2UqA3Th3gNzIf0p37W/Ija1Twf3yBcYzRvln2hTx//TOzRY3DdfLiWQ56Bw== cricco@debian diff --git a/roles/stable/build/files/packages/vs-ninux-generic/root/etc/lime-assets/community/cron_reboot b/roles/stable/build/files/packages/vs-ninux-generic/root/etc/lime-assets/community/cron_reboot new file mode 100644 index 0000000..3474b4d --- /dev/null +++ b/roles/stable/build/files/packages/vs-ninux-generic/root/etc/lime-assets/community/cron_reboot @@ -0,0 +1,3 @@ +!#/bin/sh +echo "30 3 * * * reboot" >> /etc/crontabs/root + diff --git a/roles/stable/build/files/packages/vs-ninux-generic/root/etc/lime-assets/community/prometheus_enable b/roles/stable/build/files/packages/vs-ninux-generic/root/etc/lime-assets/community/prometheus_enable new file mode 100644 index 0000000..636702e --- /dev/null +++ b/roles/stable/build/files/packages/vs-ninux-generic/root/etc/lime-assets/community/prometheus_enable @@ -0,0 +1,5 @@ +!#/bin/sh + +[ -x /etc/init.d/prometheus-node-exporter-lua ] && + /etc/init.d/prometheus-node-exporter-lua enable +exit 0 diff --git a/roles/stable/build/files/packages/vs-ninux-generic/root/etc/lime-assets/community/wireguard_server b/roles/stable/build/files/packages/vs-ninux-generic/root/etc/lime-assets/community/wireguard_server new file mode 100755 index 0000000..77ee209 --- /dev/null +++ b/roles/stable/build/files/packages/vs-ninux-generic/root/etc/lime-assets/community/wireguard_server @@ -0,0 +1,12 @@ +#!/bin/sh + +[ -f /etc/config/wireguard ] && + touch /etc/config/wireguard + uci set "wireguard.peer_1=wg0" + uci set "wireguard.peer_1.public_key=" + uci set "wireguard.peer_1.endpoint_host=" + uci set "wireguard.peer_1.endpoint_port=51800" + uci set "wireguard.peer_1.allowed_ips=192.168.0.0/16" + uci set "wireguard.peer_1.persistent_keepalive=25" + uci commit wireguard +exit 0 diff --git a/roles/stable/build/files/packages/vs-ninux-tiny/Makefile b/roles/stable/build/files/packages/vs-ninux-tiny/Makefile new file mode 100644 index 0000000..afc480f --- /dev/null +++ b/roles/stable/build/files/packages/vs-ninux-tiny/Makefile @@ -0,0 +1,22 @@ +include $(TOPDIR)/rules.mk + +PROFILE_DESCRIPTION:=Tiny valsamoggia configuration +PROFILE_DEPENDS:= +lime-proto-babeld \ + +lime-proto-batadv \ + +lime-proto-anygw \ + +lime-proto-wan \ + +lime-hwd-openwrt-wan \ + +shared-state \ + +hotplug-initd-services \ + +shared-state-babeld_hosts \ + +shared-state-bat_hosts \ + +shared-state-dnsmasq_hosts \ + +shared-state-dnsmasq_leases \ + +shared-state-nodes_and_links \ + +check-date-http \ + +lime-app \ + +lime-hwd-ground-routing \ + +lime-debug + +include ../../profile.mk +# call BuildPackage - OpenWrt buildroot signature diff --git a/roles/stable/build/files/packages/vs-ninux-tiny/root/etc/config/lime-community b/roles/stable/build/files/packages/vs-ninux-tiny/root/etc/config/lime-community new file mode 100644 index 0000000..31a34e3 --- /dev/null +++ b/roles/stable/build/files/packages/vs-ninux-tiny/root/etc/config/lime-community @@ -0,0 +1,60 @@ +config lime system + option hostname 'ninux-%M4%M5%M6' + option domain 'valsamoggia.ninux.org' + option keep_on_upgrade 'libremesh base-files-essential /etc/sysupgrade.conf' + option root_password_policy 'SET_SECRET' + option root_password_secret '$1$5OlrdoPc$q0p0th7CmSUuCBqsS2.6W.' + +config lime network + option primary_interface 'eth0' + option main_ipv4_address '10.170.128.0/16/17' + option anygw_dhcp_start '5120' + option anygw_dhcp_limit '27648' + option main_ipv6_address 'fd%N1:%N2%N3:%N4%N5::/64' + list protocols ieee80211s + list protocols lan + list protocols anygw + list protocols batadv:%N1 + list protocols babeld:17 + list resolvers 4.2.2.2 # b.resolvers.Level3.net + list resolvers 141.1.1.1 # cns1.cw.net + list resolvers 2001:470:20::2 # ordns.he.net + option anygw_mac "aa:aa:aa:%N1:%N2:aa" + option use_odhcpd false + +config lime 'wifi' + option ap_ssid 'ninux' + option apname_ssid 'ninux/%H' + option ieee80211s_mesh_fwding '0' + option ieee80211s_mesh_id 'LiMe' + +config lime-wifi-band '2ghz' + list modes 'ap' + list modes 'apname' + list modes 'ieee80211s' + option channel '11' + option distance '1000' + +config lime-wifi-band '5ghz' + list modes 'ap' + list modes 'apname' + list modes 'ieee80211s' + option distance '10000' + option htmode 'HT40' + option channel '48' + +config generic_uci_config prometheus + list uci_set "prometheus-node-exporter-lua.main.listen_interface=*" + list uci_set "prometheus-node-exporter-lua.main.listen_ipv6=0" + list uci_set "prometheus-node-exporter-lua.main.listen_port=9090" + +config run_asset prometheus_enable + option asset 'community/prometheus_enable' + option when 'ATFIRSTBOOT' + +config run_asset cron_reboot + option asset 'community/cron_reboot' + option when 'ATFIRSTBOOT' + +config generic_uci_config dropbear + list uci_set "dropbear.@dropbear[0].RootPasswordAuth=off" diff --git a/roles/stable/build/files/packages/vs-ninux-wg/Makefile b/roles/stable/build/files/packages/vs-ninux-wg/Makefile new file mode 100644 index 0000000..b248242 --- /dev/null +++ b/roles/stable/build/files/packages/vs-ninux-wg/Makefile @@ -0,0 +1,9 @@ +include $(TOPDIR)/rules.mk + +PROFILE_DESCRIPTION:=Valsamoggia wireguard +PROFILE_DEPENDS:=+wireguard-tools \ + +luci-app-wireguard \ + +luci-proto-wireguard +include ../../profile.mk + +# call BuildPackage - OpenWrt buildroot signature diff --git a/roles/stable/build/files/packages/vs-ninux-wg/root/etc/init.d/wireguard b/roles/stable/build/files/packages/vs-ninux-wg/root/etc/init.d/wireguard new file mode 100755 index 0000000..6c0ae2f --- /dev/null +++ b/roles/stable/build/files/packages/vs-ninux-wg/root/etc/init.d/wireguard @@ -0,0 +1,34 @@ +#!/bin/sh /etc/rc.common +# This is free software, licensed under the GNU General Public License v3. + +START=99 +USE_PROCD=1 + +start_service() { + config_load wireguard + config_load network + config_load firewall + + uci set firewall.wg_allow.dest_port="$(uci get wireguard.wg0.listen_port)" + + sed -i -r "s|^(PrivateKey =).*|\1 "$(uci get wireguard.wg0.private_key)"|g" /etc/wireguard/wg0.conf + sed -i -r "s|^(ListenPort =).*|\1 "$(uci get wireguard.wg0.listen_port)"|g" /etc/wireguard/wg0.conf + + # server + sed -i -r "s|^(PublicKey =).*|\1 "$(uci get wireguard.@wg0[0].public_key)"|g" /etc/wireguard/wg0.conf + sed -i -r "s|^(Endpoint =).*|\1 "$(uci get wireguard.@wg0[0].endpoint_host):$(uci get wireguard.@wg0[0].endpoint_port)"|g" /etc/wireguard/wg0.conf + sed -i -r "s|^(AllowedIPs =).*|\1 "$(uci get wireguard.@wg0[0].allowed_ips)"|g" /etc/wireguard/wg0.conf + sed -i -r "s|^(PersistentKeepalive =).*|\1 "$(uci get wireguard.@wg0[0].persistent_keepalive)"|g" /etc/wireguard/wg0.conf + + export ip=$(uci get network.lan.ipaddr) + export ip=${ip#*.*} + export ipCD=${ip#*.*} + + ip l d wg0 + ip l a wg0 type wireguard + ip a a 192.168.${ipCD}/16 dev wg0 + wg syncconf wg0 /etc/wireguard/wg0.conf + ip l set up wg0 + + /etc/init.d/network reload +} diff --git a/roles/stable/build/files/packages/vs-ninux-wg/root/etc/uci-defaults/90_wg-enable b/roles/stable/build/files/packages/vs-ninux-wg/root/etc/uci-defaults/90_wg-enable new file mode 100644 index 0000000..036f25e --- /dev/null +++ b/roles/stable/build/files/packages/vs-ninux-wg/root/etc/uci-defaults/90_wg-enable @@ -0,0 +1,7 @@ +!#/bin/sh + +touch /etc/config/wireguard + +[ -x /etc/init.d/wireguard ] && + /etc/init.d/wireguard enable +exit 0 diff --git a/roles/stable/build/files/packages/vs-ninux-wg/root/etc/uci-defaults/90_wg-firewall b/roles/stable/build/files/packages/vs-ninux-wg/root/etc/uci-defaults/90_wg-firewall new file mode 100644 index 0000000..6c457e4 --- /dev/null +++ b/roles/stable/build/files/packages/vs-ninux-wg/root/etc/uci-defaults/90_wg-firewall @@ -0,0 +1,36 @@ +#!/bin/sh + +uci set firewall.wg_allow="rule" +uci set firewall.wg_allow.src="*" +uci set firewall.wg_allow.target="ACCEPT" +uci set firewall.wg_allow.proto="udp" +uci set firewall.wg_allow.dest_port="51800" +uci set firewall.wg_allow.name="Allow-Wireguard-Inbound" + +# Add the firewall zone +uci add firewall zone +uci set firewall.@zone[-1].name='wg' +uci set firewall.@zone[-1].input='ACCEPT' +uci set firewall.@zone[-1].forward='ACCEPT' +uci set firewall.@zone[-1].output='ACCEPT' +uci set firewall.@zone[-1].masq='1' + +# Add the WG interface to it +uci set firewall.@zone[-1].network='wg0' + +# Forward WAN and LAN traffic to/from it +uci add firewall forwarding +uci set firewall.@forwarding[-1].src='wg' +uci set firewall.@forwarding[-1].dest='wan' +uci add firewall forwarding +uci set firewall.@forwarding[-1].src='wg' +uci set firewall.@forwarding[-1].dest='lan' +uci add firewall forwarding +uci set firewall.@forwarding[-1].src='lan' +uci set firewall.@forwarding[-1].dest='wg' +uci add firewall forwarding +uci set firewall.@forwarding[-1].src='wan' +uci set firewall.@forwarding[-1].dest='wg' + +uci commit firewall +/etc/init.d/firewall restart diff --git a/roles/stable/build/files/packages/vs-ninux-wg/root/etc/wireguard/wg0.conf b/roles/stable/build/files/packages/vs-ninux-wg/root/etc/wireguard/wg0.conf new file mode 100644 index 0000000..56f317b --- /dev/null +++ b/roles/stable/build/files/packages/vs-ninux-wg/root/etc/wireguard/wg0.conf @@ -0,0 +1,9 @@ +[Interface] +PrivateKey = default +ListenPort = default + +[Peer] +PublicKey = default +Endpoint = default +AllowedIPs = default +PersistentKeepalive = default diff --git a/roles/stable/build/files/packages/vs-test/Makefile b/roles/stable/build/files/packages/vs-test/Makefile new file mode 100644 index 0000000..16e2bec --- /dev/null +++ b/roles/stable/build/files/packages/vs-test/Makefile @@ -0,0 +1,8 @@ +include $(TOPDIR)/rules.mk + +PROFILE_DESCRIPTION:=vs-test +PROFILE_DEPENDS:= +lime-system + +include ../../profile.mk + +# call BuildPackage - OpenWrt buildroot signature diff --git a/roles/stable/build/files/packages/vs-test/root/etc/uci-defaults/90_vs-test b/roles/stable/build/files/packages/vs-test/root/etc/uci-defaults/90_vs-test new file mode 100755 index 0000000..6df99cc --- /dev/null +++ b/roles/stable/build/files/packages/vs-test/root/etc/uci-defaults/90_vs-test @@ -0,0 +1,7 @@ +#!/bin/sh + +uci set "lime-node.system.domain=test" +uci set "lime-node.network.main_ipv4_address=10.%N1.128.1/16/17" +uci set "lime-node.wifi.ieee80211s_mesh_id=Test" +uci set "lime-node.wifi.ap_ssid=aa_test" +exit 0 diff --git a/roles/stable/build/handlers/main.yml b/roles/stable/build/handlers/main.yml new file mode 100644 index 0000000..2babce1 --- /dev/null +++ b/roles/stable/build/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: update and install feeds + shell: ./scripts/feeds update -a; ./scripts/feeds install -a + args: + chdir: "{{ openwrt_build_dir }}" diff --git a/roles/stable/build/tasks/conf_files_lime_mac.yml b/roles/stable/build/tasks/conf_files_lime_mac.yml new file mode 100644 index 0000000..f569c87 --- /dev/null +++ b/roles/stable/build/tasks/conf_files_lime_mac.yml @@ -0,0 +1,15 @@ +--- +- name: configure - profiles - Ensure selected profile device exist + file: + path: "{{ libremesh_profile_directory }}/{{ libremesh_profile_device }}/root/etc/config" + state: directory + +- name: configure - profiles - Add lime-mac files to profile device + ansible.posix.synchronize: + src: ../lime-mac/ + dest: "{{ libremesh_profile_directory }}/{{ libremesh_profile_device }}/root/etc/config" + +- name: configure - profiles - Install updated profiles + shell: ./scripts/feeds update profiles; ./scripts/feeds install -p profiles + args: + chdir: "{{ openwrt_build_dir }}" diff --git a/roles/stable/build/tasks/configure.yml b/roles/stable/build/tasks/configure.yml new file mode 100644 index 0000000..4960e78 --- /dev/null +++ b/roles/stable/build/tasks/configure.yml @@ -0,0 +1,18 @@ +--- +- name: configure - clean + include_tasks: configure_clean.yml + when: not skip_configure_clean + tags: + - configure_clean + +- name: configure - init + include_tasks: configure_init.yml + when: not skip_configure_init + tags: + - configure_init + +- name: configure - custom + include_tasks: configure_custom.yml + when: not skip_configure_custom + tags: + - configure_custom diff --git a/roles/stable/build/tasks/configure_clean.yml b/roles/stable/build/tasks/configure_clean.yml new file mode 100644 index 0000000..bcccea6 --- /dev/null +++ b/roles/stable/build/tasks/configure_clean.yml @@ -0,0 +1,21 @@ +--- +- name: configure - clean - stagin_dir/toolchain* + shell: + cmd: + # make config-clean; + rm -rf build_dir/toolchain*; + rm -rf staging_dir/toolchain*; + args: + chdir: "{{ openwrt_build_dir }}" + +- name: configure - clean - Clean info files + shell: + cmd: "rm -rf {{ openwrt_build_dir }}/tmp/info/.files-packageinfo.mk; + rm -rf {{ openwrt_build_dir }}/tmp/info/.files-targetinfo.mk;" + args: + chdir: "{{ openwrt_build_dir }}" + +- name: configure - clean - Remove .config + file: + path: "{{ openwrt_build_dir }}/.config" + state: absent diff --git a/roles/stable/build/tasks/configure_custom.yml b/roles/stable/build/tasks/configure_custom.yml new file mode 100644 index 0000000..1c02f43 --- /dev/null +++ b/roles/stable/build/tasks/configure_custom.yml @@ -0,0 +1,11 @@ +--- +- name: configure - Apply custom configs + blockinfile: + path: "{{ openwrt_build_dir }}/.config" + block: "{{ lookup('ansible.builtin.template', 'default_config.j2') }}" + +- name: configure - Expand to full config via make defconfig + shell: "cd {{ openwrt_build_dir }}; make defconfig" + +- name: configure - Diffconfig to configs/custom_config_{{openwrt_target}}_{{ openwrt_subtarget}} + shell: "cd {{ openwrt_build_dir }}; ./scripts/diffconfig.sh > configs/custom_config_{{openwrt_target}}_{{ openwrt_subtarget}}" diff --git a/roles/stable/build/tasks/configure_init.yml b/roles/stable/build/tasks/configure_init.yml new file mode 100644 index 0000000..e7bbdca --- /dev/null +++ b/roles/stable/build/tasks/configure_init.yml @@ -0,0 +1,16 @@ +--- +- name: configure - Initialize .config + shell: "cd {{ openwrt_build_dir }}; rm .config; make defconfig" + +- name: configure - Append target .config + blockinfile: + path: "{{ openwrt_build_dir }}/.config" + block: "{{ lookup('ansible.builtin.template', 'default_target_config.j2') }}" + +- name: configure - Expand to full config + shell: "cd {{ openwrt_build_dir }}; make defconfig" + +- name: configure - Copy .config to configs/default_config_{{openwrt_target}}_{{ openwrt_subtarget}} + shell: "cd {{ openwrt_build_dir }}; \ + mkdir configs; \ + cp .config configs/default_config_{{openwrt_target}}_{{ openwrt_subtarget}}" diff --git a/roles/stable/build/tasks/init_vars.yml b/roles/stable/build/tasks/init_vars.yml new file mode 100644 index 0000000..bde7913 --- /dev/null +++ b/roles/stable/build/tasks/init_vars.yml @@ -0,0 +1,35 @@ +--- +- name: preflight - {{item}} - Define ip_host + shell: + cmd: echo "$(../roles/stable/build/files/mac56-to-ip_host.sh {{ item }} --start-from 128)" + register: ip_host + delegate_to: localhost + +- name: preflight - {{item}} - Save ip_host + blockinfile: + path: ../host_vars/{{ item }}.yml + block: "ip_host: {{ ip_host.stdout }}" + marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item }} utils" + create: yes + delegate_to: localhost + +- name: preflight - {{item}} - Init host_vars common + blockinfile: + path: ../host_vars/{{ item }}.yml + block: | + hostname: {{ hostvars[item].hostname }} + lime_mac: {{ item }} + main_ipv4_address: {{ ip_network }}.{{ ip_host.stdout }}{{ ip_netmask }} + marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item }} common" + create: yes + delegate_to: localhost + +- name: preflight - {{item}} - Init host_vars config + blockinfile: + path: ../host_vars/{{ item }}.yml + block: | + config_lime_system: option hostname '{{ hostvars[item].hostname }}' + config_lime_wifi: option channel_5ghz '{% if hostvars[item].channel_5ghz is defined %}{{ hostvars[item].channel_5ghz }}{% else %}{{ default_channel_5ghz }}{% endif %}' + marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item }} config" + create: yes + delegate_to: localhost diff --git a/roles/stable/build/tasks/init_wg_vars.yml b/roles/stable/build/tasks/init_wg_vars.yml new file mode 100644 index 0000000..c048ce4 --- /dev/null +++ b/roles/stable/build/tasks/init_wg_vars.yml @@ -0,0 +1,38 @@ +--- +- name: preflight - {{item}} - generate privatekey + shell: + cmd: echo $(wg genkey) + register: wg_privatekey + delegate_to: localhost + when: hostvars[item].vpn_wg0_privatekey is not defined + +- name: preflight - {{item}} - generate publickey + shell: + cmd: echo $(echo {{ wg_privatekey.stdout }} | wg pubkey) + register: wg_publickey + delegate_to: localhost + when: hostvars[item].vpn_wg0_publickey is not defined + +- name: preflight - {{item}} - generate presharedkey + shell: + cmd: wg genpsk + register: wg_presharedkey + delegate_to: localhost + when: hostvars[item].vpn_wg0_presharedkey is not defined + +- name: preflight - {{item}} - Init host_vars wireguard + blockinfile: + path: ../host_vars/{{ item }}.yml + block: | + vpn_wg0_privatekey: {% if hostvars[item].vpn_wg0_privatekey is defined %}{{ hostvars[item].vpn_wg0_privatekey}}{%else%}{{wg_privatekey.stdout}}{%endif%} + + vpn_wg0_publickey: {% if hostvars[item].vpn_wg0_publickey is defined %}{{ hostvars[item].vpn_wg0_publickey}}{%else%}{{wg_publickey.stdout}}{%endif%} + + vpn_wg0_presharedkey: {% if hostvars[item].vpn_wg0_presharedkey is defined %}{{hostvars[item].vpn_wg0_presharedkey}}{%else%}{{wg_presharedkey.stdout}}{%endif%} + + vpn_wg0_listenport: {{ default_vpn_wg0_listenport }} + vpn_wg0_address: {{ vpn_wg0_network }}.{{ hostvars[item].ip_host }}{{ vpn_wg0_netmask }} + + marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item }} vpn wireguard wg0" + delegate_to: localhost + when: hostvars[item].vpn_wg0_privatekey is not defined diff --git a/roles/stable/build/tasks/install_feeds_libremesh.yml b/roles/stable/build/tasks/install_feeds_libremesh.yml new file mode 100644 index 0000000..c8d6358 --- /dev/null +++ b/roles/stable/build/tasks/install_feeds_libremesh.yml @@ -0,0 +1,7 @@ +--- +- name: install feeds - libremesh - Add Libremesh feeds + blockinfile: + path: "{{ openwrt_build_dir }}/feeds.conf" + block: "{{ libremesh_feeds }}" + register: feeds + notify: "update and install feeds" diff --git a/roles/stable/build/tasks/install_feeds_packages.yml b/roles/stable/build/tasks/install_feeds_packages.yml new file mode 100644 index 0000000..d963539 --- /dev/null +++ b/roles/stable/build/tasks/install_feeds_packages.yml @@ -0,0 +1,7 @@ +--- +- name: install feeds - packages - Add local packages + ansible.posix.synchronize: + src: packages/ + dest: "{{ libremesh_profile_directory }}/" + delete: yes + notify: "update and install feeds" diff --git a/roles/stable/build/tasks/install_openwrt.yml b/roles/stable/build/tasks/install_openwrt.yml new file mode 100644 index 0000000..8b0557e --- /dev/null +++ b/roles/stable/build/tasks/install_openwrt.yml @@ -0,0 +1,23 @@ +--- +- name: install - openwrt - Requirements + include_tasks: install_openwrt_requirements.yml + +- name: install - openwrt - Check if openwrt_build_dir is present + stat: + path: "{{ openwrt_build_dir }}" + register: openwrt_build_dir_initialized + +- name: install - openwrt - Clone openwrt + git: + repo: https://git.openwrt.org/openwrt/openwrt.git + dest: "{{ openwrt_build_dir }}" + single_branch: yes + version: "{{ openwrt_version_tag }}" + when: not openwrt_build_dir_initialized.stat.exists + +- name: install - openwrt - cp feeds.conf.default feeds.conf + shell: + cmd: cp feeds.conf.default feeds.conf + args: + chdir: "{{ openwrt_build_dir }}" + notify: "update and install feeds" diff --git a/roles/stable/build/tasks/install_openwrt_requirements.yml b/roles/stable/build/tasks/install_openwrt_requirements.yml new file mode 100644 index 0000000..06219ce --- /dev/null +++ b/roles/stable/build/tasks/install_openwrt_requirements.yml @@ -0,0 +1,35 @@ +--- +- name: install - openwrt - Install openwrt build system requirements + become: yes + ansible.builtin.apt: + update_cache: yes + state: present + pkg: + - build-essential + - ccache + - ecj + - fastjar + - file + - g++ + - gawk + - gettext + - git + - java-propose-classpath + - libelf-dev + - libncurses5-dev + - libncursesw5-dev + - libssl-dev + - python + - python2.7-dev + - python3 + - unzip + - wget + - python3-distutils-extra + - python3-setuptools + - python3-dev + - rsync + - subversion + - swig + - time + - xsltproc + - zlib1g-dev diff --git a/roles/stable/build/tasks/main.yml b/roles/stable/build/tasks/main.yml new file mode 100644 index 0000000..4d2c02e --- /dev/null +++ b/roles/stable/build/tasks/main.yml @@ -0,0 +1,49 @@ +--- +- name: preflight + include_tasks: preflight.yml + when: not skip_preflight + tags: + - preflight + +- name: install - openwrt + include_tasks: install_openwrt.yml + when: not skip_openwrt_install + tags: + - openwrt_install + +- name: install - libremesh + include_tasks: install_feeds_libremesh.yml + when: not skip_libremesh_install + tags: + - libremesh_install + +- name: install - packages + include_tasks: install_feeds_packages.yml + tags: + - feeds_packages + +- name: Flush handlers + meta: flush_handlers + +- name: conf-files - lime mac + include_tasks: conf_files_lime_mac.yml + tags: + - conf_files_lime_mac + +- name: configure + include_tasks: configure.yml + tags: + - configure + +- name: build - Build + shell: make -j $(nproc) download world EXTRA_IMAGE_NAME="{{openwrt_extra_image_name}}" + args: + chdir: "{{ openwrt_build_dir }}" + tags: + - openwrt_build + +- name: webserver + include_tasks: webserver.yml + when: not skip_webserver_update + tags: + - webserver diff --git a/roles/stable/build/tasks/preflight.yml b/roles/stable/build/tasks/preflight.yml new file mode 100644 index 0000000..81d912e --- /dev/null +++ b/roles/stable/build/tasks/preflight.yml @@ -0,0 +1,21 @@ +--- +- name: preflight - Init host_vars common + include_tasks: init_vars.yml + loop: "{{ groups['mesh_devices'] }}" + when: hostvars[item].ip_host is not defined + +- name: preflight - Init host_vars vpn wireguard + include_tasks: init_wg_vars.yml + loop: "{{ groups['mesh_devices'] }}" + when: with_wireguard and hostvars[item].vpn_wg0_privatekey is not defined + +- name: preflight - Generate lime-mac files + template: + src: lime_mac.j2 + dest: "../lime-mac/{{ hostvars[item].lime_mac }}" + loop: "{{ groups['mesh_devices'] }}" + delegate_to: localhost + +- name: preflight - Add wireguard keys to server + include_tasks: vpn_wg_server.yml + when: with_wireguard diff --git a/roles/stable/build/tasks/vpn_wg_server.yml b/roles/stable/build/tasks/vpn_wg_server.yml new file mode 100644 index 0000000..ec2ac6d --- /dev/null +++ b/roles/stable/build/tasks/vpn_wg_server.yml @@ -0,0 +1,16 @@ +--- +- name: wg-server - Add peers to wg server + become: yes + blockinfile: + path: "/etc/wireguard/wg1.conf" + block: "{{ lookup('ansible.builtin.template', 'vpn_wg_peer.j2') }}" + delegate_to: "{{ hostvars[groups['wg_server'][0]].inventory_hostname }}" + loop: "{{ groups['mesh_devices'] }}" + +- name: wg-server - Make sure Wireguard Service is running + become: yes + service: + name: wg-quick@wg1 + state: restarted + enabled: yes + delegate_to: "{{ hostvars[groups['wg_server'][0]].inventory_hostname }}" diff --git a/roles/stable/build/tasks/webserver.yml b/roles/stable/build/tasks/webserver.yml new file mode 100644 index 0000000..89ee853 --- /dev/null +++ b/roles/stable/build/tasks/webserver.yml @@ -0,0 +1,10 @@ +--- +- name: webserver - Rsync build directories + become: yes + shell: + cmd: rsync -d {{ openwrt_dir }}/* {{ webui_path }} --delete + +- name: webserver - Create symbolic links for all targets + become: yes + shell: + cmd: for path in $(ls {{ openwrt_dir }}); do ln -s -f {{ openwrt_dir }}/${path}/bin/targets/* {{ webui_path }}/${path}/; done; diff --git a/roles/stable/build/templates/default_config.j2 b/roles/stable/build/templates/default_config.j2 new file mode 100644 index 0000000..10100be --- /dev/null +++ b/roles/stable/build/templates/default_config.j2 @@ -0,0 +1,15 @@ +# CONFIG_PACKAGE_dnsmasq is not set +# CONFIG_PACKAGE_ppp is not set +# CONFIG_PACKAGE_odhcpd-ipv6only is not set + +{{ target_configs }} + +{{ unstable_defaults }} + +{% if with_wireguard %} +CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-wg=y +{% else %} +# CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-wg is not set +{% endif %} + +# CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-fastd is not set diff --git a/roles/stable/build/templates/default_target_config.j2 b/roles/stable/build/templates/default_target_config.j2 new file mode 100644 index 0000000..f5e6d69 --- /dev/null +++ b/roles/stable/build/templates/default_target_config.j2 @@ -0,0 +1,12 @@ +CONFIG_USES_SQUASHFS=y +CONFIG_TARGET_ROOTFS_SQUASHFS=y +# CONFIG_TARGET_ROOTFS_EXT4FS is not set +# CONFIG_TARGET_IMAGES_GZIP is not set + +CONFIG_TARGET_{{ openwrt_target }}=y +CONFIG_TARGET_MULTI_PROFILE=y +CONFIG_TARGET_{{ openwrt_target }}_{{ openwrt_subtarget }}=y + +{% for device in openwrt_devices %} +CONFIG_TARGET_DEVICE_{{ openwrt_target }}_{{ openwrt_subtarget }}_DEVICE_{{ device }}=y +{% endfor %} diff --git a/roles/stable/build/templates/lime_mac.j2 b/roles/stable/build/templates/lime_mac.j2 new file mode 100644 index 0000000..68fce2f --- /dev/null +++ b/roles/stable/build/templates/lime_mac.j2 @@ -0,0 +1,22 @@ +config lime system +{% if hostvars[item].config_lime_system is defined %} + {{ hostvars[item].config_lime_system }} +{% endif %} + +config lime network +{% if hostvars[item].config_lime_network is defined %} + {{ hostvars[item].config_lime_network }} +{% endif %} + +config lime wifi +{% if hostvars[item].config_lime_wifi is defined %} + {{ hostvars[item].config_lime_wifi }} +{% endif %} + +{% if with_wireguard %} +config generic_uci_config wireguard + list uci_set "wireguard.wg0=interface" + list uci_set "wireguard.wg0.address={{ hostvars[item].vpn_wg0_address }}" + list uci_set "wireguard.wg0.private_key={{ hostvars[item].vpn_wg0_privatekey }}" + list uci_set "wireguard.wg0.listen_port={{ hostvars[item].vpn_wg0_listenport }}" +{% endif %} diff --git a/roles/stable/build/templates/vpn_wg_peer.j2 b/roles/stable/build/templates/vpn_wg_peer.j2 new file mode 100644 index 0000000..267fd34 --- /dev/null +++ b/roles/stable/build/templates/vpn_wg_peer.j2 @@ -0,0 +1,9 @@ +{% for device in groups['mesh_devices'] %} + +[Peer] +# {{ hostvars[device].hostname }} +PublicKey = {{ hostvars[device].vpn_wg0_publickey }} +Endpoint = 0.0.0.0:51800 +AllowedIPs = {{ vpn_wg0_network }}.{{ hostvars[device].ip_host }}/32 + +{% endfor %} diff --git a/roles/stable/dnsmasq/handlers/main.yml b/roles/stable/dnsmasq/handlers/main.yml new file mode 100644 index 0000000..6697c78 --- /dev/null +++ b/roles/stable/dnsmasq/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: restart dnsmasq + service: + name: dnsmasq + state: restarted + tags: dnsmasq diff --git a/roles/stable/dnsmasq/tasks/main.yml b/roles/stable/dnsmasq/tasks/main.yml new file mode 100644 index 0000000..b568d2f --- /dev/null +++ b/roles/stable/dnsmasq/tasks/main.yml @@ -0,0 +1,21 @@ +--- +- name: Install Dnsmasq + package: + name: dnsmasq + state: present + tags: dnsmasq + +- name: Set configuration file + template: + src: etc_dnsmasq.conf.j2 + dest: /etc/dnsmasq.conf + validate: 'dnsmasq --test --conf-file=%s' + notify: restart dnsmasq + tags: dnsmasq + +- name: Make sure Dnsmasq is running + service: + name: dnsmasq + state: started + enabled: yes + tags: dnsmasq diff --git a/roles/stable/dnsmasq/templates/etc_dnsmasq.conf.j2 b/roles/stable/dnsmasq/templates/etc_dnsmasq.conf.j2 new file mode 100644 index 0000000..433e1be --- /dev/null +++ b/roles/stable/dnsmasq/templates/etc_dnsmasq.conf.j2 @@ -0,0 +1,57 @@ +# Dnsmasq configuration +# {{ ansible_managed }} + +{% if dnsmasq_listen_address is defined %} +listen-address={{ dnsmasq_listen_address }} +{% endif %} +{% if dnsmasq_interface is defined %} +interface={{ dnsmasq_interface }} +{% endif %} +{% if dnsmasq_port is defined %} +port={{ dnsmasq_port }} + +{% endif %} +{% if dnsmasq_domain_needed %} +domain-needed +{% endif %} +{% if dnsmasq_bogus_priv %} +bogus-priv +{% endif %} + +{% if dnsmasq_resolv_file is defined %} +resolv-file={{ dnsmasq_resolv_file }} + +{% endif %} +{% if dnsmasq_addn_hosts is defined %} +addn-hosts={{ dnsmasq_addn_hosts }} + +{% endif %} +{% if dnsmasq_expand_hosts %} +expand-hosts +{% endif %} +{% if dnsmasq_domain is defined %} +domain={{ dnsmasq_domain }} +{% endif %} +{% if dnsmasq_no_resolv is defined %} +no-resolv +{% endif %} + +{% if dnsmasq_upstream_servers is defined %} +{% if dnsmasq_upstream_servers is iterable %} +{% for host in dnsmasq_upstream_servers %} +server={{ host }} +{% endfor %} +{% else %} +server={{ dnsmasq_upstream_servers }} +{% endif %} +{% endif %} + +{% if dnsmasq_force_address is defined %} +{% if dnsmasq_force_address is iterable %} +{% for address in dnsmasq_force_address %} +address={{ address }} +{% endfor %} +{% endif %} +{% endif %} + +conf-dir=/etc/dnsmasq.d diff --git a/roles/stable/dnsmasq/vars/main.yml b/roles/stable/dnsmasq/vars/main.yml new file mode 100644 index 0000000..b4ebb63 --- /dev/null +++ b/roles/stable/dnsmasq/vars/main.yml @@ -0,0 +1,19 @@ +# roles/dnsmasq/defaults/main.yml +--- +dnsmasq_listen_address: "{{ ansible_host }}" +dnsmasq_interface: wg0 +# dnsmasq_port: + +dnsmasq_domain_needed: false +dnsmasq_bogus_priv: true +dnsmasq_expand_hosts: false +dnsmasq_no_resolv: true + +dnsmasq_upstream_servers: + - '10.170.0.1' + +dnsmasq_force_address: + - '/ada/10.0.0.5' + - '/*.ada/10.0.0.5' + - '/belvedere/10.0.0.10' + - '/belvedere-vs/10.0.0.11' diff --git a/roles/stable/monitoring/alertmanager/tasks/main.yml b/roles/stable/monitoring/alertmanager/tasks/main.yml new file mode 100644 index 0000000..7f1603a --- /dev/null +++ b/roles/stable/monitoring/alertmanager/tasks/main.yml @@ -0,0 +1,41 @@ +--- +- name: Install alertmanager + ansible.builtin.import_role: + name: cloudalchemy.alertmanager + vars: + alertmanager_version: latest + alertmanager_receivers: + - name: email + email_configs: + - send_resolved: true + to: "{{ maintainer_emails }}" + - name: email_telegram_valli + email_configs: + - send_resolved: true + to: "{{ maintainer_emails }}" + telegram_configs: + - send_resolved: true + bot_token: "{{ telegram_bot_token }}" + api_url: "https://api.telegram.org" + chat_id: "{{ telegram_chat_id }}" + parse_mode: "HTML" + alertmanager_route: + group_by: ['alertname', 'cluster', 'service'] + group_wait: 30s + group_interval: 5m + repeat_interval: 1d + receiver: email_telegram_valli + routes: + - match: + alertname: Watchdog + receiver: email + continue: false + repeat_interval: 1w + alertmanager_smtp: + from: "{{ smtp_from }}" + smarthost: "{{ smtp_smarthost }}" + auth_username: "{{ smtp_auth_username }}" + auth_password: "{{ smtp_auth_password }}" + auth_secret: '' + auth_identity: '' + require_tls: "True" diff --git a/roles/stable/monitoring/blackbox_exporter/tasks/main.yml b/roles/stable/monitoring/blackbox_exporter/tasks/main.yml new file mode 100644 index 0000000..9e8b49c --- /dev/null +++ b/roles/stable/monitoring/blackbox_exporter/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- name: Install Blackbox Exporter + include_role: + name: cloudalchemy.blackbox-exporter diff --git a/roles/stable/monitoring/blackbox_exporter/vars/main.yml b/roles/stable/monitoring/blackbox_exporter/vars/main.yml new file mode 100644 index 0000000..f18c2c2 --- /dev/null +++ b/roles/stable/monitoring/blackbox_exporter/vars/main.yml @@ -0,0 +1,47 @@ +--- +blackbox_exporter_version: 0.22.0 # 0.22.0 / 2022-08-02 +blackbox_exporter_web_listen_address: "0.0.0.0:9115" +blackbox_exporter_cli_flags: {} +blackbox_exporter_configuration_modules: + http_2xx_head: + http: + method: HEAD + follow_redirects: true + fail_if_ssl: false + fail_if_not_ssl: false + tls_config: + insecure_skip_verify: true + ip_protocol_fallback: false + preferred_ip_protocol: ip4 + valid_http_versions: + - HTTP/1.1 + - HTTP/2.0 + valid_status_codes: + - 200 + - 204 + prober: http + timeout: 15s + http_2xx_get: + http: + method: GET + follow_redirects: true + fail_if_ssl: false + fail_if_not_ssl: false + tls_config: + insecure_skip_verify: true + ip_protocol_fallback: false + preferred_ip_protocol: ip4 + valid_http_versions: + - HTTP/1.1 + - HTTP/2.0 + valid_status_codes: + - 200 + - 204 + - 302 # Found + prober: http + timeout: 15s + icmp: + prober: icmp + timeout: 5s + icmp: + preferred_ip_protocol: "ip4" diff --git a/roles/stable/monitoring/prometheus/tasks/main.yml b/roles/stable/monitoring/prometheus/tasks/main.yml new file mode 100644 index 0000000..b25b2dc --- /dev/null +++ b/roles/stable/monitoring/prometheus/tasks/main.yml @@ -0,0 +1,17 @@ +--- +- name: Install Prometheus + ansible.builtin.import_role: + name: cloudalchemy.prometheus + +- name: Ensure Prometheus Service is running + service: + name: prometheus + state: restarted + enabled: yes + +- name: Ensure a job that reboot every 6 hours exists. + ansible.builtin.cron: + name: "reboot every 6 hours" + minute: "0" + hour: "*/6" + job: "/sbin/reboot" diff --git a/roles/stable/monitoring/prometheus/vars/main.yml b/roles/stable/monitoring/prometheus/vars/main.yml new file mode 100644 index 0000000..ef2b1d4 --- /dev/null +++ b/roles/stable/monitoring/prometheus/vars/main.yml @@ -0,0 +1,223 @@ +--- +prometheus_version: 2.37.0 # LTS +prometheus_binary_local_dir: '' # default /usr/local/bin +prometheus_skip_install: false + +prometheus_config_dir: /etc/prometheus +prometheus_db_dir: /var/lib/prometheus +prometheus_read_only_dirs: [] + +prometheus_web_listen_address: "0.0.0.0:9090" +prometheus_web_external_url: '' +# See https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md + +prometheus_storage_retention: "30d" +# Available since Prometheus 2.7.0 +# [EXPERIMENTAL] Maximum number of bytes that can be stored for blocks. Units +# supported: KB, MB, GB, TB, PB. +prometheus_storage_retention_size: "0" + +# Alternative config file name, searched in ansible templates path. +prometheus_config_file: 'prometheus.yml.j2' + +prometheus_targets: "{{ all_targets }}" + +prometheus_alertmanager_config: + - static_configs: + - targets: + - localhost:9093 + +prometheus_scrape_configs: + - job_name: "prometheus" + metrics_path: "{{ prometheus_metrics_path }}" + static_configs: + - targets: + - "{{ ansible_fqdn | default(ansible_host) | default('localhost') }}:9090" + - job_name: "node" + file_sd_configs: + - files: + - "{{ prometheus_config_dir }}/file_sd/node.yml" + + - job_name: 'blackbox-external-targets' + metrics_path: /probe + params: + module: [http_2xx_head] + static_configs: + - targets: + - https://www.google.com + - https://www.ripe.net + relabel_configs: "{{ blackbox_relabel_configs }}" + + - job_name: 'blackbox-server_head' + metrics_path: /probe + params: + module: [http_2xx_head] + static_configs: + - targets: + - https://ada + relabel_configs: "{{ blackbox_relabel_configs }}" + + - job_name: 'blackbox-server_get' + metrics_path: /probe + params: + module: [http_2xx_get] + static_configs: + - targets: + - https://torrent.ada/ + relabel_configs: "{{ blackbox_relabel_configs }}" + + - job_name: 'blackbox-ping-external' + metrics_path: /probe + params: + module: [icmp] + static_configs: + - targets: + - 1.1.1.1 + - 8.8.8.8 + - 4.2.2.2 + relabel_configs: "{{ blackbox_relabel_configs }}" + + - job_name: 'blackbox-ping-internal' + file_sd_configs: + - files: + - "{{ prometheus_config_dir }}/file_sd/blackbox_ping_internal.yml" + metrics_path: /probe + params: + module: [icmp] + relabel_configs: "{{ blackbox_relabel_configs }}" + +prometheus_alert_rules: + - alert: Watchdog + expr: vector(1) + for: 10m + labels: + severity: warning + annotations: + description: "This is an alert meant to ensure that the entire alerting pipeline is functional.\nThis alert is always firing, therefore it should always be firing in Alertmanager\nand always fire against a receiver. There are integrations with various notification\nmechanisms that send a notification when this alert is not firing. For example the\n\"DeadMansSnitch\" integration in PagerDuty." + summary: 'Ensure entire alerting pipeline is functional' + - alert: NodeDown + expr: "up{job=\"node\", alert=\"yes\"} == 0" + for: 5m + labels: + severity: critical + annotations: + description: '{% raw %}{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes.{% endraw %}' + summary: '{% raw %}Instance {{ $labels.instance }} down{% endraw %}' + - alert: ToolDown + expr: "probe_success{job=\"blackbox-ping-internal\"} == 0" + for: 5m + labels: + severity: critical + annotations: + description: '{% raw %}{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes.{% endraw %}' + summary: '{% raw %}Instance {{ $labels.instance }} down{% endraw %}' + - alert: RebootRequired + expr: 'node_reboot_required > 0' + labels: + severity: warning + annotations: + description: '{% raw %}{{ $labels.instance }} requires a reboot.{% endraw %}' + summary: '{% raw %}Instance {{ $labels.instance }} - reboot required{% endraw %}' + - alert: NodeFilesystemSpaceFillingUp + annotations: + description: '{% raw %}Filesystem on {{ $labels.device }} at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available space left and is filling up.{% endraw %}' + summary: 'Filesystem is predicted to run out of space within the next 24 hours.' + expr: "(\n node_filesystem_avail_bytes{job=\"node\",fstype!=\"\"} / node_filesystem_size_bytes{job=\"node\",fstype!=\"\"} * 100 < 40\nand\n predict_linear(node_filesystem_avail_bytes{job=\"node\",fstype!=\"\"}[6h], 24*60*60) < 0\nand\n node_filesystem_readonly{job=\"node\",fstype!=\"\"} == 0\n)\n" + for: 1h + labels: + severity: warning + - alert: NodeFilesystemSpaceFillingUp + annotations: + description: '{% raw %}Filesystem on {{ $labels.device }} at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available space left and is filling up fast.{% endraw %}' + summary: 'Filesystem is predicted to run out of space within the next 4 hours.' + expr: "(\n node_filesystem_avail_bytes{job=\"node\",fstype!=\"\"} / node_filesystem_size_bytes{job=\"node\",fstype!=\"\"} * 100 < 20\nand\n predict_linear(node_filesystem_avail_bytes{job=\"node\",fstype!=\"\"}[6h], 4*60*60) < 0\nand\n node_filesystem_readonly{job=\"node\",fstype!=\"\"} == 0\n)\n" + for: 1h + labels: + severity: critical + - alert: NodeFilesystemAlmostOutOfSpace + annotations: + description: '{% raw %}Filesystem on {{ $labels.device }} at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available space left.{% endraw %}' + summary: 'Filesystem has less than 5% space left.' + expr: "(\n node_filesystem_avail_bytes{job=\"node\",fstype!=\"\"} / node_filesystem_size_bytes{job=\"node\",fstype!=\"\"} * 100 < 5\nand\n node_filesystem_readonly{job=\"node\",fstype!=\"\"} == 0\n)\n" + for: 1h + labels: + severity: warning + - alert: NodeFilesystemAlmostOutOfSpace + annotations: + description: '{% raw %}Filesystem on {{ $labels.device }} at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available space left.{% endraw %}' + summary: 'Filesystem has less than 3% space left.' + expr: "(\n node_filesystem_avail_bytes{job=\"node\",fstype!=\"\"} / node_filesystem_size_bytes{job=\"node\",fstype!=\"\"} * 100 < 3\nand\n node_filesystem_readonly{job=\"node\",fstype!=\"\"} == 0\n)\n" + for: 1h + labels: + severity: critical + - alert: NodeFilesystemFilesFillingUp + annotations: + description: '{% raw %}Filesystem on {{ $labels.device }} at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available inodes left and is filling up.{% endraw %}' + summary: 'Filesystem is predicted to run out of inodes within the next 24 hours.' + expr: "(\n node_filesystem_files_free{job=\"node\",fstype!=\"\"} / node_filesystem_files{job=\"node\",fstype!=\"\"} * 100 < 40\nand\n predict_linear(node_filesystem_files_free{job=\"node\",fstype!=\"\"}[6h], 24*60*60) < 0\nand\n node_filesystem_readonly{job=\"node\",fstype!=\"\"} == 0\n)\n" + for: 1h + labels: + severity: warning + - alert: NodeFilesystemFilesFillingUp + annotations: + description: '{% raw %}Filesystem on {{ $labels.device }} at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available inodes left and is filling up fast.{% endraw %}' + summary: 'Filesystem is predicted to run out of inodes within the next 4 hours.' + expr: "(\n node_filesystem_files_free{job=\"node\",fstype!=\"\"} / node_filesystem_files{job=\"node\",fstype!=\"\"} * 100 < 20\nand\n predict_linear(node_filesystem_files_free{job=\"node\",fstype!=\"\"}[6h], 4*60*60) < 0\nand\n node_filesystem_readonly{job=\"node\",fstype!=\"\"} == 0\n)\n" + for: 1h + labels: + severity: critical + - alert: NodeFilesystemAlmostOutOfFiles + annotations: + description: '{% raw %}Filesystem on {{ $labels.device }} at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available inodes left.{% endraw %}' + summary: 'Filesystem has less than 5% inodes left.' + expr: "(\n node_filesystem_files_free{job=\"node\",fstype!=\"\"} / node_filesystem_files{job=\"node\",fstype!=\"\"} * 100 < 5\nand\n node_filesystem_readonly{job=\"node\",fstype!=\"\"} == 0\n)\n" + for: 1h + labels: + severity: warning + - alert: NodeFilesystemAlmostOutOfFiles + annotations: + description: '{% raw %}Filesystem on {{ $labels.device }} at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available inodes left.{% endraw %}' + summary: 'Filesystem has less than 3% inodes left.' + expr: "(\n node_filesystem_files_free{job=\"node\",fstype!=\"\"} / node_filesystem_files{job=\"node\",fstype!=\"\"} * 100 < 3\nand\n node_filesystem_readonly{job=\"node\",fstype!=\"\"} == 0\n)\n" + for: 1h + labels: + severity: critical + - alert: NodeNetworkReceiveErrs + annotations: + description: '{% raw %}{{ $labels.instance }} interface {{ $labels.device }} has encountered {{ printf "%.0f" $value }} receive errors in the last two minutes.{% endraw %}' + summary: 'Network interface is reporting many receive errors.' + expr: "increase(node_network_receive_errs_total[2m]) > 10\n" + for: 1h + labels: + severity: warning + - alert: NodeNetworkTransmitErrs + annotations: + description: '{% raw %}{{ $labels.instance }} interface {{ $labels.device }} has encountered {{ printf "%.0f" $value }} transmit errors in the last two minutes.{% endraw %}' + summary: 'Network interface is reporting many transmit errors.' + expr: "increase(node_network_transmit_errs_total[2m]) > 10\n" + for: 1h + labels: + severity: warning + - alert: NodeHighNumberConntrackEntriesUsed + annotations: + description: '{% raw %}{{ $value | humanizePercentage }} of conntrack entries are used{% endraw %}' + summary: 'Number of conntrack are getting close to the limit' + expr: "(node_nf_conntrack_entries / node_nf_conntrack_entries_limit) > 0.75\n" + labels: + severity: warning + - alert: NodeClockSkewDetected + annotations: + message: '{% raw %}Clock on {{ $labels.instance }} is out of sync by more than 300s. Ensure NTP is configured correctly on this host.{% endraw %}' + summary: 'Clock skew detected.' + expr: "(\n node_timex_offset_seconds > 0.05\nand\n deriv(node_timex_offset_seconds[5m]) >= 0\n)\nor\n(\n node_timex_offset_seconds < -0.05\nand\n deriv(node_timex_offset_seconds[5m]) <= 0\n)\n" + for: 10m + labels: + severity: warning + - alert: NodeClockNotSynchronising + annotations: + message: '{% raw %}Clock on {{ $labels.instance }} is not synchronising. Ensure NTP is configured on this host.{% endraw %}' + summary: 'Clock not synchronising.' + expr: "min_over_time(node_timex_sync_status[5m]) == 0\n" + for: 10m + labels: + severity: warning diff --git a/roles/stable/nginx/defaults/main.yml b/roles/stable/nginx/defaults/main.yml new file mode 100644 index 0000000..f31adce --- /dev/null +++ b/roles/stable/nginx/defaults/main.yml @@ -0,0 +1,6 @@ +--- +reverse_services: [] +fpm_services: [] +with_certbot: false +with_ssl: false +with_distributed_certificates: false diff --git a/roles/stable/nginx/tasks/certbot.yml b/roles/stable/nginx/tasks/certbot.yml new file mode 100644 index 0000000..e66f959 --- /dev/null +++ b/roles/stable/nginx/tasks/certbot.yml @@ -0,0 +1,23 @@ +--- +- name: Install snapd + become: yes + apt: + pkg: ['snapd'] + +- name: Install snap core + become: yes + snap: + name: core + +- name: Install cerbot via snap + become: yes + snap: + name: certbot + classic: yes + +- name: Generate certificate if needed + become: yes + command: /snap/bin/certbot --nginx --non-interactive --agree-tos --expand + --domains {{ fpm_services | items2dict(key_name='server_name', value_name='server_name') | join(',') }} + {{ reverse_services | items2dict(key_name='server_name', value_name='server_name') | join(',') }} + --email {{certbot_email}} diff --git a/roles/stable/nginx/tasks/certificates.yml b/roles/stable/nginx/tasks/certificates.yml new file mode 100644 index 0000000..87d688b --- /dev/null +++ b/roles/stable/nginx/tasks/certificates.yml @@ -0,0 +1,38 @@ +--- +- name: Create tmp certificates directory + file: + path: ./tmp/{{ hostvars['ada'].inventory_hostname }} + state: directory + delegate_to: localhost + +- name: Create certificates directory + file: + path: /etc/nginx/certs + state: directory + +- name: Copy crt from CA + ansible.builtin.fetch: + src: /etc/nginx/certs/{{ hostvars['ada'].inventory_hostname }}/ada.crt + dest: ./tmp/{{ hostvars['ada'].inventory_hostname }}/ + flat: yes + delegate_to: "{{ item }}" + loop: "{{ groups['ca'] }}" + +- name: Copy key from CA + ansible.builtin.fetch: + src: /etc/nginx/certs/{{ hostvars['ada'].inventory_hostname }}/ada.key + dest: ./tmp/{{ hostvars['ada'].inventory_hostname }}/ + flat: yes + delegate_to: "{{ item }}" + loop: "{{ groups['ca'] }}" + +- name: Copy to belvedere + ansible.builtin.copy: + src: ./tmp/{{ hostvars['ada'].inventory_hostname }}/ + dest: /etc/nginx/certs/{{ hostvars['ada'].inventory_hostname }}/ + +- name: Delete tmp + file: + path: ./tmp/ + state: absent + delegate_to: localhost diff --git a/roles/stable/nginx/tasks/main.yml b/roles/stable/nginx/tasks/main.yml new file mode 100644 index 0000000..06b5a82 --- /dev/null +++ b/roles/stable/nginx/tasks/main.yml @@ -0,0 +1,78 @@ +--- +- name: Install NGINX + become: yes + apt: + name: nginx + +- name: Default Configuration + become: yes + template: + src: default.j2 + dest: /etc/nginx/sites-available/default + +- name: Link Default NGINX Configuration + become: yes + file: + src: "/etc/nginx/sites-available/default" + dest: "/etc/nginx/sites-enabled/default" + state: link + +- name: Configure Reverse Proxies + become: yes + template: + src: reverse_proxy.conf.j2 + dest: /etc/nginx/sites-available/{{item.server_name}}.conf + loop: "{{ reverse_services }}" + +- name: Link NGINX Reverse Proxies + become: yes + file: + src: "/etc/nginx/sites-available/{{item.server_name}}.conf" + dest: "/etc/nginx/sites-enabled/{{item.server_name}}.conf" + state: link + loop: "{{ reverse_services }}" + +- name: Configure FPM Services + become: yes + template: + src: fpm_service.conf.j2 + dest: /etc/nginx/sites-available/{{item.server_name}}.conf + loop: "{{ fpm_services }}" + +- name: Link NGINX FPM Services + become: yes + file: + src: "/etc/nginx/sites-available/{{item.server_name}}.conf" + dest: "/etc/nginx/sites-enabled/{{item.server_name}}.conf" + state: link + loop: "{{ fpm_services }}" + +- name: Configure Static Services + become: yes + template: + src: static_service.conf.j2 + dest: /etc/nginx/sites-available/{{item.server_name}}.conf + loop: "{{ static_services }}" + +- name: Link NGINX Static Services + become: yes + file: + src: "/etc/nginx/sites-available/{{item.server_name}}.conf" + dest: "/etc/nginx/sites-enabled/{{item.server_name}}.conf" + state: link + loop: "{{ static_services }}" + +- name: Make sure NGINX Service is running + become: yes + service: + name: nginx + state: restarted + enabled: yes + +- name: Run Certbot if needed + include: certbot.yml + when: with_certbot | bool + +- name: Sync distributed certificates + include: certificates.yml + when: with_distributed_certificates | bool diff --git a/roles/stable/nginx/templates/default.j2 b/roles/stable/nginx/templates/default.j2 new file mode 100644 index 0000000..8a71045 --- /dev/null +++ b/roles/stable/nginx/templates/default.j2 @@ -0,0 +1,25 @@ +# cache +proxy_cache_path /tmp levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=10g use_temp_path=off; + +{% if with_certbot -%} +# redirect all http traffic to https +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name _; + return 301 https://$host$request_uri; +} +{%- endif %} + +server { + listen 80; + listen [::]:80; + server_name _server_name; + root /var/www/html; +} + +# enable proxy websocket +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} diff --git a/roles/stable/nginx/templates/fpm_service.conf.j2 b/roles/stable/nginx/templates/fpm_service.conf.j2 new file mode 100644 index 0000000..718d6e1 --- /dev/null +++ b/roles/stable/nginx/templates/fpm_service.conf.j2 @@ -0,0 +1,31 @@ + +server { + listen 80; + listen [::]:80; + listen 443 ssl http2; + server_name {{item.server_name}}; + root {{item.root | default('/var/www/html/')}}; + index index.html index.html index.htm index.php; + + # keepalive_timeout 200; + {{item.custom_config | default('') | indent(2)}} + + location / { + try_files $uri $uri/ /index.php?$args; + } + + location ~ \.php$ { + include snippets/fastcgi-php.conf; + fastcgi_pass {{item.proxy_pass | default('unix:/run/php/php7.4-fpm.sock')}}; + {{item.custom_fastcgi_config | default('') | indent(2)}} + } + + # compression + gzip on; + gzip_types text/plain application/xml application/json; + gzip_proxied no-cache no-store private expired auth; + gzip_min_length 1000; + + # cache + proxy_cache STATIC; +} diff --git a/roles/stable/nginx/templates/reverse_proxy.conf.j2 b/roles/stable/nginx/templates/reverse_proxy.conf.j2 new file mode 100644 index 0000000..fd1609c --- /dev/null +++ b/roles/stable/nginx/templates/reverse_proxy.conf.j2 @@ -0,0 +1,44 @@ + +server { + listen 80; + listen [::]:80; + listen 443 ssl http2; + server_name {{item.server_name}}; + + keepalive_timeout 200; + {{item.custom_config | default('') | indent(2)}} + + {% if with_ssl %} + + ssl_session_timeout 5m; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + ssl_certificate /etc/nginx/certs/ada/ada.crt; + ssl_certificate_key /etc/nginx/certs/ada/ada.key; + {% endif %} + + location / { + proxy_pass {{item.proxy_pass}}; + + # set host + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For 42.42.42.42; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + + # websocket proxy + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # compression + gzip on; + gzip_types text/plain application/xml application/json; + gzip_proxied no-cache no-store private expired auth; + gzip_min_length 1000; + + # cache + proxy_cache STATIC; + } +} diff --git a/roles/stable/nginx/templates/static_service.conf.j2 b/roles/stable/nginx/templates/static_service.conf.j2 new file mode 100644 index 0000000..ba8260a --- /dev/null +++ b/roles/stable/nginx/templates/static_service.conf.j2 @@ -0,0 +1,33 @@ + +server { + listen 80; + listen [::]:80; + listen 443 ssl http2; + server_name {{item.server_name}}; + + keepalive_timeout 200; + {{item.custom_config | default('') | indent(2)}} + + {% if with_ssl %} + + ssl_session_timeout 5m; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + ssl_certificate /etc/nginx/certs/ada/ada.crt; + ssl_certificate_key /etc/nginx/certs/ada/ada.key; + {% endif %} + + root {{ item.server_root }}; + + location / { + + # compression + gzip on; + gzip_types text/plain application/xml application/json; + gzip_proxied no-cache no-store private expired auth; + gzip_min_length 1000; + + # cache + proxy_cache STATIC; + } +} diff --git a/roles/stable/openssl_certificates/defaults/main.yml b/roles/stable/openssl_certificates/defaults/main.yml new file mode 100644 index 0000000..1c67b40 --- /dev/null +++ b/roles/stable/openssl_certificates/defaults/main.yml @@ -0,0 +1,4 @@ +skip_certification_authority: false +skip_certification_authority_webserver: true +skip_server_certificate: false +skip_server_certificate_webserver: true diff --git a/roles/stable/openssl_certificates/files/ca/images/android-12_firefox_ca-enable.jpg b/roles/stable/openssl_certificates/files/ca/images/android-12_firefox_ca-enable.jpg new file mode 100644 index 0000000..52ca497 Binary files /dev/null and b/roles/stable/openssl_certificates/files/ca/images/android-12_firefox_ca-enable.jpg differ diff --git a/roles/stable/openssl_certificates/files/ca/images/android-12_firefox_ca-enabled.jpg b/roles/stable/openssl_certificates/files/ca/images/android-12_firefox_ca-enabled.jpg new file mode 100644 index 0000000..c8ec5ec Binary files /dev/null and b/roles/stable/openssl_certificates/files/ca/images/android-12_firefox_ca-enabled.jpg differ diff --git a/roles/stable/openssl_certificates/files/ca/images/android-12_settings_ca-install.jpg b/roles/stable/openssl_certificates/files/ca/images/android-12_settings_ca-install.jpg new file mode 100644 index 0000000..a8628e7 Binary files /dev/null and b/roles/stable/openssl_certificates/files/ca/images/android-12_settings_ca-install.jpg differ diff --git a/roles/stable/openssl_certificates/files/ca/images/android-12_settings_ca-installed.jpg b/roles/stable/openssl_certificates/files/ca/images/android-12_settings_ca-installed.jpg new file mode 100644 index 0000000..2f8f914 Binary files /dev/null and b/roles/stable/openssl_certificates/files/ca/images/android-12_settings_ca-installed.jpg differ diff --git a/roles/stable/openssl_certificates/files/ca/images/green_lock.png b/roles/stable/openssl_certificates/files/ca/images/green_lock.png new file mode 100644 index 0000000..1ef1678 Binary files /dev/null and b/roles/stable/openssl_certificates/files/ca/images/green_lock.png differ diff --git a/roles/stable/openssl_certificates/files/ca/images/linux_chromium.jpg b/roles/stable/openssl_certificates/files/ca/images/linux_chromium.jpg new file mode 100644 index 0000000..d663de4 Binary files /dev/null and b/roles/stable/openssl_certificates/files/ca/images/linux_chromium.jpg differ diff --git a/roles/stable/openssl_certificates/files/ca/images/linux_firefox.jpg b/roles/stable/openssl_certificates/files/ca/images/linux_firefox.jpg new file mode 100644 index 0000000..f2b4e47 Binary files /dev/null and b/roles/stable/openssl_certificates/files/ca/images/linux_firefox.jpg differ diff --git a/roles/stable/openssl_certificates/files/ca/images/openssl_logo.svg b/roles/stable/openssl_certificates/files/ca/images/openssl_logo.svg new file mode 100644 index 0000000..f640f2a --- /dev/null +++ b/roles/stable/openssl_certificates/files/ca/images/openssl_logo.svg @@ -0,0 +1,41 @@ + + + + + OpenSSL + Cryptography and SSL/TLS Toolkit + + diff --git a/roles/stable/openssl_certificates/files/ca/vendor/imagebox.min.css b/roles/stable/openssl_certificates/files/ca/vendor/imagebox.min.css new file mode 100644 index 0000000..e56d295 --- /dev/null +++ b/roles/stable/openssl_certificates/files/ca/vendor/imagebox.min.css @@ -0,0 +1,6 @@ +/* + ImageBox v1.3.0 + (c) Tobias Roeder + tobiasroeder.github.io/imagebox/license +*/ +body.imagebox{overflow:hidden}img[data-imagebox]{cursor:pointer}#imagebox{z-index:99992;position:fixed;top:0;right:0;bottom:0;left:0;background-color:rgba(0,0,0,.87);font-family:"Helvetica Neue","Helvetica",sans-serif}#imagebox *{margin:0;padding:0;box-sizing:border-box}#imagebox .ib-loading{z-index:2;position:fixed;top:50%;left:50%;-webkit-animation:ibLoading 1s linear infinite;animation:ibLoading 1s linear infinite;border:3px solid #f3f3f3;border-top:3px solid #555;border-radius:50%;width:30px;height:30px}#imagebox .ib-content{z-index:99994;background-color:transparent;position:relative;width:100%;height:100%}#imagebox .ib-content .ib-topbar{z-index:99996;position:fixed;top:0;right:0;width:100%;display:flex;justify-content:space-between}#imagebox .ib-content .ib-topbar .ib-indexes{color:#a8a8a8;font-size:1em;align-items:center;padding:10px;width:100%}#imagebox .ib-content .ib-topbar .ib-buttons{display:flex;justify-content:flex-end;flex-flow:row nowrap;width:100%}#imagebox .ib-content .ib-topbar .ib-buttons .ib-button{width:41px;height:41px;background:#858585 no-repeat center center;background-size:21px 21px;cursor:pointer;transition:ease-in-out .2s;text-align:center}#imagebox .ib-content .ib-topbar .ib-buttons .ib-button:hover{background-color:#a8a8a8}#imagebox .ib-content .ib-topbar .ib-buttons .ib-button.ib-close{background-image:url(data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSBzdmcgIFBVQkxJQyAnLS8vVzNDLy9EVEQgU1ZHIDEuMS8vRU4nICAnaHR0cDovL3d3dy53My5vcmcvR3JhcGhpY3MvU1ZHLzEuMS9EVEQvc3ZnMTEuZHRkJz48c3ZnIGVuYWJsZS1iYWNrZ3JvdW5kPSJuZXcgMCAwIDMyIDMyIiBoZWlnaHQ9IjMycHgiIGlkPSLQodC70L7QuV8xIiB2ZXJzaW9uPSIxLjEiIHZpZXdCb3g9IjAgMCAzMiAzMiIgd2lkdGg9IjMycHgiIHhtbDpzcGFjZT0icHJlc2VydmUiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPjxwYXRoIGQ9Ik0xNy40NTksMTYuMDE0bDguMjM5LTguMTk0YzAuMzk1LTAuMzkxLDAuMzk1LTEuMDI0LDAtMS40MTRjLTAuMzk0LTAuMzkxLTEuMDM0LTAuMzkxLTEuNDI4LDAgIGwtOC4yMzIsOC4xODdMNy43Myw2LjI4NGMtMC4zOTQtMC4zOTUtMS4wMzQtMC4zOTUtMS40MjgsMGMtMC4zOTQsMC4zOTYtMC4zOTQsMS4wMzcsMCwxLjQzMmw4LjMwMiw4LjMwM2wtOC4zMzIsOC4yODYgIGMtMC4zOTQsMC4zOTEtMC4zOTQsMS4wMjQsMCwxLjQxNGMwLjM5NCwwLjM5MSwxLjAzNCwwLjM5MSwxLjQyOCwwbDguMzI1LTguMjc5bDguMjc1LDguMjc2YzAuMzk0LDAuMzk1LDEuMDM0LDAuMzk1LDEuNDI4LDAgIGMwLjM5NC0wLjM5NiwwLjM5NC0xLjAzNywwLTEuNDMyTDE3LjQ1OSwxNi4wMTR6IiBmaWxsPSIjZmZmZmZmIiBpZD0iQ2xvc2UiLz48Zy8+PGcvPjxnLz48Zy8+PGcvPjxnLz48L3N2Zz4=);right:0}#imagebox .ib-content .ib-image-wrapper{opacity:0;z-index:99995;position:fixed;top:0;right:0;bottom:0;left:0;transition:opacity .6s;width:-webkit-fit-content;width:-moz-fit-content;width:fit-content}#imagebox .ib-content .ib-image-wrapper img.ib-image{z-index:99995;position:fixed;top:50%;left:50%;transform:translate(-50%, -50%);max-width:100vw;max-height:100vh;min-width:48px;min-height:48px;-o-object-fit:contain;object-fit:contain;transition:ease-in-out .6s;display:block}#imagebox .ib-content .ib-image-wrapper img.ib-hidden{opacity:0}#imagebox .ib-content .ib-image-wrapper img.ibFadeOut{animation:ibFadeOut .6s forwards}#imagebox .ib-content .ib-image-wrapper img.ibFadeIn{animation:ibFadeIn .6s forwards}#imagebox .ib-content .ib-control div{z-index:99996;position:fixed;top:50%;transform:translateY(-50%);background-color:#858585;background-size:32px 32px;background-position:center;background-repeat:no-repeat;padding:32px 20px;cursor:pointer;transition:ease-in-out .4s}#imagebox .ib-content .ib-control div[disabled]{cursor:default;background-color:#3d3d3d;box-shadow:none;pointer-events:none}#imagebox .ib-content .ib-control .ib-control-left{left:0;border-radius:0 3px 3px 0;background-image:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAAHlBMVEUAAAD///////////////////////////////////8kfJuVAAAACXRSTlMAFRqzwcvM0tm5QgwQAAAAK0lEQVR4AWMYtoCJlRm/PAcnCwF5dsZhLM/ABpKnSAETxwhTwUI4yQ0zAAD12gHrZ1kh5AAAAABJRU5ErkJggg==);box-shadow:2px 0 16px rgba(0,0,0,.5)}#imagebox .ib-content .ib-control .ib-control-right{right:0;border-radius:3px 0 0 3px;background-image:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAAHlBMVEUAAAD///////////////////////////////////8kfJuVAAAACXRSTlMAFhq+w8bM1dlMuAVXAAAAKklEQVR4AWMYdoCZlRG/AjZOdvwqmDhGmAoWchUgrBie8ogEQzDJDVMAAPJZAelGeIG8AAAAAElFTkSuQmCC);box-shadow:-2px 0 16px rgba(0,0,0,.5)}#imagebox .ib-content .ib-caption{z-index:99996;position:fixed;bottom:0;display:none;padding:60px;color:#fff;font-size:1.2em;box-sizing:border-box;width:100%;background:linear-gradient(rgba(0, 0, 0, 0), #222)}#imagebox .ib-content .ib-caption.location::before{z-index:99996;position:fixed;content:"";width:1.2em;height:1.2em;margin-left:-28px;background-image:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAACXBIWXMAAAsTAAALEwEAmpwYAAAB+UlEQVRYhcWWPUscURSGzwSjIJqoiPEDrVQMpBFtFFKZIoLC2thZi41NersUJr9BEUwVCKRQBMUVhAgWgVSSRkUWFPwOARWNPCm8gWF3zuy5O7PmLe/c8z7PZXeYG4hHgCYRyYjIiIj0iEiLe3QkIj9FZElEvgZBcOzTawHXAx+Ba4rnGvgA1KcF7wdyBnB+ckBfUvgb46m1XAFDpcK7gYsE8H85B7pKEdgqUnwAbADb7qRx+eYLH4sp2wFe5+2vBmaA25i5jI9AVin5AlTFzPUCv5XZdSu8AbiLKDjE8GoBk4rAnWVegGGlYMp0goeOHaXjbf7eJxHzbUrvmlVARLLKekF3lECDMnzmIXCirNdZBC6U4RZlPSqtynrOIlCwyWXUQgYqRKTgt3bZsxTUEv0+/wLaDfMzyh/wBqi1HEKAFaVkE2iMmRtR5AEWTXBXNKSUABwDE0B1aH8nMB8zAzBgFnCly0UKb3n4HpwW2Qew4gV3Ai/caZPmBGj2FnASmRQExkqChyTmEsAXEsGdQA2wWwJ8H3iWWMBJDAJ/POD35N0Z0pB47yEwmyrcCTwFvhvgP4DK1AWcxEvi7383wKuywEMS0zEC78oKdwIBsBoBzwJB2QWcRCtwFoJfAh2PAg9JjIcEJh4VHpL4BHz+L3An8BzQ7pCm/AXwpqsk2iQyUAAAAABJRU5ErkJggg==);background-size:1.2em 1.2em}@-webkit-keyframes ibLoading{0%{-webkit-transform:rotate(0deg);-webkit-transform:translate(-50%, -50%)}100%{-webkit-transform:rotate(360deg);-webkit-transform:translate(-50%, -50%)}}@keyframes ibLoading{0%{transform:translate(-50%, -50%) rotate(0deg)}100%{transform:translate(-50%, -50%) rotate(360deg)}}@media screen and (max-width: 720px){#imagebox .ib-content .ib-description{padding:45px}}@keyframes ibFadeIn{from{opacity:0}to{opacity:1}}@keyframes ibFadeOut{from{opacity:1}to{opacity:0}} diff --git a/roles/stable/openssl_certificates/files/ca/vendor/imagebox.min.js b/roles/stable/openssl_certificates/files/ca/vendor/imagebox.min.js new file mode 100644 index 0000000..2eb6ded --- /dev/null +++ b/roles/stable/openssl_certificates/files/ca/vendor/imagebox.min.js @@ -0,0 +1,6 @@ +/* + ImageBox v1.3.0 + (c) Tobias Roeder + tobiasroeder.github.io/imagebox/license +*/ +var $jscomp = $jscomp || {}; $jscomp.scope = {}, $jscomp.createTemplateTagFirstArg = function (e) { return e.raw = e }, $jscomp.createTemplateTagFirstArgWithRaw = function (e, t) { return e.raw = t, e }; var imagebox = { init: function () { imagebox.settings.info && console.log("%cImageBox v1.3.0\nhttps://tobiasroeder.github.io/imagebox", "color:#39c"), imagebox.settings.keyControls && (window.onkeyup = function (e) { if (document.body.classList.contains("imagebox")) switch (e.keyCode) { case 27: imagebox.close(); break; case 37: (e = document.querySelector(".ib-control-left")) && e.click(); break; case 39: (e = document.querySelector(".ib-control-right")) && e.click() } }), imagebox.finder() }, galleryNames: [], galleries: [], finder: function () { document.querySelectorAll("img[data-imagebox]").forEach((function (e) { var t = e.dataset.imagebox; e.setAttribute("onclick", "imagebox.open(this)"), "" !== t && (imagebox.galleryNames.includes(t) || imagebox.galleryNames.push(t)) })), imagebox.galleryNames.forEach((function (e) { e = document.querySelectorAll('[data-imagebox="' + e + '"]'), imagebox.galleries.push(e) })), imagebox.galleries.forEach((function (e, t) { e.forEach((function (e, i) { e.setAttribute("data-imagebox-image-index", i), e.setAttribute("data-imagebox-gallery-index", t) })) })) }, settings: { info: !1, swipeToChange: !0, swipeToClose: !0, keyControls: !0, closeEverywhere: !0 }, options: function (e) { var t = void 0 === e.swipeToChange || e.swipeToChange, i = void 0 === e.swipeToClose || e.swipeToClose, o = void 0 === e.keyControls || e.keyControls, a = void 0 === e.closeEverywhere || e.closeEverywhere; imagebox.settings.info = void 0 !== e.info && e.info, imagebox.settings.swipeToChange = t, imagebox.settings.swipeToClose = i, imagebox.settings.keyControls = o, imagebox.settings.closeEverywhere = a }, open: function (e) { var t, i = !0, o = e.dataset.imagebox; "image" !== o && "" !== o || (i = !1), o = null, document.body.classList.add("imagebox"), null == document.querySelector("#imagebox") && ((o = document.createElement("div")).setAttribute("id", "imagebox"), o.setAttribute("class", "ib-remove"), document.body.appendChild(o)), o = null != (t = e.dataset.imageboxSrc) ? t : e.src, t = document.querySelector("#imagebox"); var a = "", n = "", c = "", s = ""; if (i) { n = parseInt(e.dataset.imageboxImageIndex), a = parseInt(e.dataset.imageboxGalleryIndex); var r = "", l = ""; 0 == n && (r = "disabled"), n == (c = imagebox.galleries[a].length) - 1 && (l = "disabled"), a = '
\n\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
", n = '
\n\t\t\t\t\t' + (n + 1) + ' / ' + c + "\n\t\t\t\t
", c = '' } else imagebox.settings.closeEverywhere && (s = ' onclick="imagebox.close(this)"'); t.innerHTML = '
\n\t\t\t
\n\t\t\t\t
' + n + '\n\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t' + a + '\n\t\t\t\t
\n\t\t\t\t\t\n\t\t\t\t\t' + c + '\n\t\t\t\t
\n\t\t\t\t
Lorem Ipsum
\n\t\t\t
', imagebox.caption(e), imagebox.fade.in(t), document.querySelector("#imagebox .ib-image").onload = function () { document.querySelector("#imagebox .ib-loading").style.opacity = "0", document.querySelector("#imagebox .ib-image-wrapper").style.opacity = "1" }, imagebox.swipe(document.querySelector("#imagebox .ib-content"), i) }, close: function () { document.body.classList.remove("imagebox"); var e = document.querySelector("#imagebox"); e.classList.remove("ib-remove"), imagebox.fade.out(e) }, change: function (e, t, i) { var o = document.querySelector("#imagebox .ib-loading"), a = imagebox.galleries[t].length, n = document.querySelector("img[data-imagebox-image-index='" + e + "'][data-imagebox-gallery-index='" + t + "']"), c = document.querySelector("#imagebox .ib-control-left"), s = document.querySelector("#imagebox .ib-control-right"), r = document.querySelector("#imagebox .ib-current-index"); o.style.opacity = "1", "prev" == i && (0 == e && c.setAttribute("disabled", ""), s.removeAttribute("disabled")), "next" == i && (e == a - 1 && s.setAttribute("disabled", ""), c.removeAttribute("disabled")), c.setAttribute("onclick", "imagebox.prev(" + e + ", " + t + ")"), s.setAttribute("onclick", "imagebox.next(" + e + ", " + t + ")"), r.innerText = e + 1; var l, m = document.querySelector("#imagebox .ib-image-next"), b = document.querySelector("#imagebox .ib-image-current"); b.classList.add("ibFadeOut"), m.src = null != (l = n.dataset.imageboxSrc) ? l : n.src, imagebox.caption(n), m.onload = function () { m.classList.add("ibFadeIn"), o.style.opacity = 0, setTimeout((function () { b.className = "ib-image ib-hidden ib-image-next", b.src = "", m.className = "ib-image ib-image-current" }), 600) } }, prev: function (e, t) { 0 != e && (e = 0 >= e ? e = 0 : e - 1, imagebox.change(e, t, "prev")) }, next: function (e, t) { var i = imagebox.galleries[t].length - 1; e != i && (e = e >= i ? e = i : e + 1, imagebox.change(e, t, "next")) }, caption: function (e) { e = e.getAttribute("data-imagebox-caption"); var t = document.querySelector("#imagebox .ib-caption"); (t.textContent = e) ? (-1 < e.indexOf("{loc}") ? (t.classList.add("location"), e = e.replace(/{loc}/, ""), t.textContent = e) : t.classList.remove("location"), t.style.display = "block") : t.style.display = "none" }, swipe: function (e, t) { e && (e.ontouchstart = function (i) { var o = i.layerX, a = i.layerY; e.ontouchend = function (e) { var i = o - e.layerX; e = a - e.layerY; var n = window.innerWidth / 10, c = window.innerHeight / 10; imagebox.settings.swipeToClose && (e >= c || e <= -c) && imagebox.close(), t && imagebox.settings.swipeToChange && (i >= n && document.querySelector("#imagebox .ib-control-right").click(), i <= -n && document.querySelector("#imagebox .ib-control-left").click()) } }) }, fade: { duration: .1, out: function (e, t, i) { t = void 0 !== t && t, e.style.opacity = 1, function o() { var a = parseFloat(e.style.opacity); 0 > (a -= imagebox.fade.duration) ? (i && i(), t && document.querySelector("#imagebox .ib-image-wrapper").removeChild(e), e.style.display = "none") : (e.style.opacity = a, requestAnimationFrame(o)) }() }, in: function (e, t) { e.style.opacity = 0, e.style.display = "block", function i() { var o = parseFloat(e.style.opacity); 1 < (o += imagebox.fade.duration) ? t && t() : (e.style.opacity = o, requestAnimationFrame(i)) }() } } }; window.onload = imagebox.init; diff --git a/roles/stable/openssl_certificates/tasks/authority.yml b/roles/stable/openssl_certificates/tasks/authority.yml new file mode 100644 index 0000000..09d0949 --- /dev/null +++ b/roles/stable/openssl_certificates/tasks/authority.yml @@ -0,0 +1,44 @@ +--- +- name: Install openssl + apt: + update_cache: yes + state: present + pkg: + - openssl + +- name: Make certificates directory + file: + path: "{{ ca_cert_dir }}" + state: directory + +- name: Certification Authority - Check if the private key is already present + stat: + path: "{{ ca_cert_dir }}/{{ ca_cert_name }}.key" + register: ca_cert_key + +- name: Certification Authority - Generate the CA private key + shell: openssl genrsa -des3 -passout pass:"{{ ca_cert_key_pass }}" -out {{ ca_cert_name }}.key 4096 + args: + chdir: "{{ ca_cert_dir }}" + when: not ca_cert_key.stat.exists + +- name: Certification Authority - Check if the CA root certificate is already presentt + stat: + path: "{{ ca_cert_dir }}/{{ ca_cert_name }}.pem" + register: ca_cert_pem + +- name: Certification Authority - Generate the CA root configuration file + template: + src: authority.conf.j2 + dest: "{{ ca_cert_dir }}/{{ ca_cert_name }}.conf" + when: not ca_cert_pem.stat.exists + +- name: Certification Authority - Generate the CA root certificate + shell: openssl req -x509 -new -nodes \ + -key {{ ca_cert_name }}.key \ + -passin pass:"{{ ca_cert_key_pass }}" \ + -sha256 -days {{ ca_cert_days }} -out {{ ca_cert_name }}.pem \ + -config {{ ca_cert_name }}.conf + args: + chdir: "{{ ca_cert_dir }}" + when: not ca_cert_pem.stat.exists diff --git a/roles/stable/openssl_certificates/tasks/authority_webserver.yml b/roles/stable/openssl_certificates/tasks/authority_webserver.yml new file mode 100644 index 0000000..0a2d703 --- /dev/null +++ b/roles/stable/openssl_certificates/tasks/authority_webserver.yml @@ -0,0 +1,42 @@ +--- +- name: Certification Authority - Webserver - Create static_service root + file: + path: /home/antennine/ca/certs + state: directory + +- name: Certification Authority - Webserver - Copy certificates to webserver dir + copy: + src: /etc/certs/{{ ca_cert_name }}.pem + dest: /home/antennine/ca/certs/ + remote_src: true + +- name: Certification Authority - Webserver - Create sha1 fingerprint + shell: openssl x509 -sha1 -in {{ ca_cert_dir }}/{{ ca_cert_name }}.pem -noout -fingerprint + register: ca_cert_sha1 + +# - name: Certification Authority - Webserver - Convert certificate in format DER +# shell: openssl x509 -in {{ ca_cert_name }}.pem -inform pem -out {{ ca_cert_name }}.der -outform der +# register: ca_cert_der + +# - name: Certification Authority - Webserver - Convert certificate in format TXT +# shell: +# register: ca_cert_txt + +# - name: Certification Authority - Webserver - Create certificate revocation list CRL +# shell: +# register: ca_cert_crl + +- name: Certification Authority - Webserver - Generate index.html + template: + src: authority.html.j2 + dest: "/home/antennine/ca/index.html" + +- name: Certification Authority - Webserver - Copy files + copy: + src: ./ca/ + dest: /home/antennine/ca/ + +- name: Certification Authority - Webserver - Webserver + include_role: + name: ../roles/stable/nginx + tasks_from: main diff --git a/roles/stable/openssl_certificates/tasks/main.yml b/roles/stable/openssl_certificates/tasks/main.yml new file mode 100644 index 0000000..bfbedbd --- /dev/null +++ b/roles/stable/openssl_certificates/tasks/main.yml @@ -0,0 +1,16 @@ +--- +- name: Certification Authority + include_tasks: authority.yml + when: not skip_certification_authority + +- name: Server Certificate + include_tasks: server.yml + when: not skip_server_certificate + +- name: Certification Authority - Webserver + include_tasks: authority_webserver.yml + when: not skip_certification_authority_webserver + +- name: Server Certificate - Webserver + include_tasks: server_webserver.yml + when: not skip_server_certificate_webserver diff --git a/roles/stable/openssl_certificates/tasks/server.yml b/roles/stable/openssl_certificates/tasks/server.yml new file mode 100644 index 0000000..9a2f801 --- /dev/null +++ b/roles/stable/openssl_certificates/tasks/server.yml @@ -0,0 +1,42 @@ +--- +- name: Server Certificate - Make certificates directory + file: + path: "{{ server_cert_dir }}" + state: directory + +- name: Server Certificate - Check if private key is already present + stat: + path: "{{ server_cert_dir }}/{{ server_cert_name }}.key" + register: server_cert_key + +- name: Server Certificate - Generate the private key + shell: openssl genrsa -out {{ server_cert_name }}.key 4096 + args: + chdir: "{{ server_cert_dir }}" + when: not server_cert_key.stat.exists + +- name: Server Certificate - Generate the server configuration file + template: + src: server.conf.j2 + dest: "{{ server_cert_dir }}/{{ server_cert_name }}.conf" + +- name: Server Certificate - Create the certificate signin request + shell: openssl req -new -key {{ server_cert_name }}.key -days {{ server_cert_days }} -out {{ server_cert_name }}.csr -config {{ server_cert_name }}.conf + args: + chdir: "{{ server_cert_dir }}" + +- name: Server Certificate - Create the X509 V3 extension config file to define SAN + template: + src: server.ext.j2 + dest: "{{ server_cert_dir }}/{{ server_cert_name }}.ext" + +- name: Server Certificate - Sign the certificate with x509 V3 extensions + shell: openssl x509 -req \ + -in {{ server_cert_name }}.csr \ + -CA {{ ca_cert_dir }}/{{ ca_cert_name }}.pem -CAkey {{ ca_cert_dir }}/{{ ca_cert_name }}.key -CAcreateserial \ + -passin pass:"{{ ca_cert_key_pass }}" \ + -out {{ server_cert_name }}.crt \ + -days {{ server_cert_days }} -sha256 \ + -extfile {{ server_cert_name }}.ext + args: + chdir: "{{ server_cert_dir }}" diff --git a/roles/stable/openssl_certificates/tasks/server_webserver.yml b/roles/stable/openssl_certificates/tasks/server_webserver.yml new file mode 100644 index 0000000..d591adc --- /dev/null +++ b/roles/stable/openssl_certificates/tasks/server_webserver.yml @@ -0,0 +1,20 @@ +--- +- name: Server Certificate - Webserver - Ensure webserver certs dir exists + file: + path: /etc/nginx/certs/{{ server_cert_name }}/ + state: directory + +- name: Server Certificate - Webserver - Copy server key + copy: + src: /etc/certs/{{ server_cert_name }}/{{ server_cert_name }}.key + dest: /etc/nginx/certs/{{ server_cert_name }}/ + remote_src: true + +- name: Server Certificate - Webserver - Copy server certificate + copy: + src: /etc/certs/{{ server_cert_name }}/{{ server_cert_name }}.crt + dest: /etc/nginx/certs/{{ server_cert_name }}/ + remote_src: true + +- name: Server Certificate - Webserver - Restart Nginx + shell: systemctl restart nginx diff --git a/roles/stable/openssl_certificates/templates/authority.conf.j2 b/roles/stable/openssl_certificates/templates/authority.conf.j2 new file mode 100644 index 0000000..6451af0 --- /dev/null +++ b/roles/stable/openssl_certificates/templates/authority.conf.j2 @@ -0,0 +1,14 @@ +[req] +default_bits = 4096 +prompt = no +default_md = sha256 +distinguished_name = dn + +[dn] +C = {{ ca_distinguished_name['C'] }} +ST = {{ ca_distinguished_name['ST'] }} +L = {{ ca_distinguished_name['L'] }} +O = {{ ca_distinguished_name['O'] }} +OU = {{ ca_distinguished_name['OU'] }} +emailAddress = {{ ca_distinguished_name['emailAddress'] }} +CN = {{ ca_distinguished_name['CN'] }} diff --git a/roles/stable/openssl_certificates/templates/authority.html.j2 b/roles/stable/openssl_certificates/templates/authority.html.j2 new file mode 100644 index 0000000..8e0de57 --- /dev/null +++ b/roles/stable/openssl_certificates/templates/authority.html.j2 @@ -0,0 +1,140 @@ + + + + + + Certificati di Antennine + + + + + + + + + Openssl logo + +
+
+ +

Certificati di {{ ca_distinguished_name['O'] }}

+
+ +
+

In questa pagina si trovano i certificati e le informazioni riguardanti la + Certification Authority di {{ ca_distinguished_name['O'] }}.

+ +

Il certificato è disponibile: +

    + +
  • in formato PEM
    • + +
+ + +
+ +

Verifica

+
+

Dopo aver scaricato il certificato, verificare la fingerprint tramite il comando di openssl:

+ $ openssl x509 -sha1 -in {{ ca_cert_name }}.pem -noout -fingerprint +

Che deve resitituire questo risultato:

+ {{ ca_cert_sha1.stdout }} +
+ +

Installazione su sistema Linux

+
+
+
+

Firefox

+

Andare in about:preferences#privacy

+

Ed importare il certificato nella sezione Authorities

+
+ Screenshot installazione su Firefox + +
+ +
+
+

Chromium

+

Andare in chrome://settings/certificates

+

Ed importare il certificato nella sezione Authorities

+
+ Screenshot installazione su Chromium +
+ +
+

Linux system-wide (Debian, Ubuntu)

+

Per installare la CA system-wide su Linux usare i seguenti passi:

+ +

Mettere una copia del certificato in formato PEM in /usr/share/ca-certificates/

+ # cp ~/Downloads/antennineCA.pem /usr/share/ca-certificates/ +

Aggiungere il nome del file del certificato (senza directory) alla fine di /etc/ca-certificates.conf

+ # echo {{ ca_cert_name }}.pem >> /etc/ca-certificates.conf +

Installare il certificato

+ # update-ca-certificates --verbose +
+
+ +

Installazione su sistema Android

+

Nota: su Android è necessario installare la CA su tutto il sistema (system-wide).

+

Firefox inoltre richiede di abilitare l'utilizzo dei certificati installati dall'utente.

+ +
+
+
+

Android system-wide

+

Andare in Settings e ricercare la sezione dei certificati

+

Installare il certificato che verrà inserito nella sezione User e non System

+

Ora sui browsers Chrome, Brave, ecc. sarà possibile navigare col protocollo sicuro https://

+
+
+ Screenshot installazione su Android + Screenshot installazione su Android +
+
+ +
+
+

Firefox

+

Andare in Settings e poi in About Firefox

+

Toccare 7 volte il logo di Firefox per abilitare i Secret Settings

+

Andare in Settings e poi in Secret Settings, e abilitare Use third party CA certificates

+
+
+ Screenshot installazione su Firefox Android + Screenshot installazione su Firefox Android +
+
+ +
+

Firefox Beta, Firefox Nightly, IceCatMobile

+

In altre versioni derivate da Firefox ricercare about:config

+

Andare in about:config e impostare:

+

security.enterprise_roots.enabled = true

+
+
+
+ + diff --git a/roles/stable/openssl_certificates/templates/server.conf.j2 b/roles/stable/openssl_certificates/templates/server.conf.j2 new file mode 100644 index 0000000..8cb021e --- /dev/null +++ b/roles/stable/openssl_certificates/templates/server.conf.j2 @@ -0,0 +1,14 @@ +[req] +default_bits = 4096 +prompt = no +default_md = sha256 +distinguished_name = dn + +[dn] +C = {{ server_distinguished_name['C'] }} +ST = {{ server_distinguished_name['ST'] }} +L = {{ server_distinguished_name['L'] }} +O = {{ server_distinguished_name['O'] }} +OU = {{ server_distinguished_name['OU'] }} +emailAddress = {{ server_distinguished_name['emailAddress'] }} +CN = {{ server_distinguished_name['CN'] }} diff --git a/roles/stable/openssl_certificates/templates/server.ext.j2 b/roles/stable/openssl_certificates/templates/server.ext.j2 new file mode 100644 index 0000000..7ec9b2e --- /dev/null +++ b/roles/stable/openssl_certificates/templates/server.ext.j2 @@ -0,0 +1,26 @@ +authorityKeyIdentifier=keyid,issuer +basicConstraints=CA:FALSE +keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment +subjectAltName = @alt_names + +[alt_names] +DNS.1 = ada + +# wildcard +DNS.2 = test.ada +DNS.3 = *.test.ada +DNS.4 = infra.ada +DNS.5 = *.infra.ada + +# common +DNS.6 = info.ada +DNS.7 = doc.ada +DNS.8 = ca.ada + +# network +DNS.9 = panorama.ada +DNS.10 = mappe.ada +DNS.11 = librespeed.ada +DNS.12 = nodi.ada +DNS.13 = torrent.ada +DNS.14 = firmware.ada diff --git a/roles/stable/openssl_certificates/vars/main.yml b/roles/stable/openssl_certificates/vars/main.yml new file mode 100644 index 0000000..44ebf6a --- /dev/null +++ b/roles/stable/openssl_certificates/vars/main.yml @@ -0,0 +1,36 @@ +skip_certification_authority: false +skip_certification_authority_webserver: false +skip_server_certificate: false +skip_server_certificate_webserver: false + +ca_cert_dir: /etc/certs/ +ca_cert_name: antennineCA +ca_cert_days: 3650 # ten years +ca_cert_key_pass: "{{ lookup('passwordstore', 'chiavi_antennine/openssl/antennineCA.key', errors='strict') | default(omit) }}" +ca_distinguished_name: + C: IT + ST: Emilia-Romagna + L: Prunarolo + O: Antennine + OU: antennine.noblogs.org + emailAddress: eno@burdig.one + CN: Antennine CA + +with_ssl: true +static_services: + - ca: + server_name: ca.ada + server_root: /home/antennine/ca/ + +server_cert_dir: /etc/certs/ada +server_cert_name: ada +server_cert_days: 1095 # 3 years +server_cert_key_pass: "{{ lookup('passwordstore', 'chiavi_antennine/openssl/ada.key', errors='strict') | default(omit) }}" +server_distinguished_name: + C: IT + ST: Emilia-Romagna + L: Prunarolo + O: Antennine + OU: antennine.noblogs.org + emailAddress: eno@burdig.one + CN: Ada diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml new file mode 100644 index 0000000..6df596f --- /dev/null +++ b/roles/wireguard/tasks/main.yml @@ -0,0 +1,58 @@ +--- +- name: Install Wireguard + become: yes + package: + name: wireguard + state: present + +- name: mkdir -p /etc/wireguard/keys + file: + path: /etc/wireguard/keys + state: directory + +- name: Check keys are created + stat: + path: /etc/wireguard/keys/privatekey + register: wireguard_skip_key_generation + +- name: umask 077 + shell: umask 077 + args: + chdir: /etc/wireguard/keys + when: not wireguard_skip_key_generation.stat.exists + +- name: Creating client privatekey and publickey + shell: wg genkey | tee privatekey | wg pubkey > publickey + args: + chdir: /etc/wireguard/keys + when: not wireguard_skip_key_generation.stat.exists + +- name: cat privatekey => var_privatekey + shell: cat privatekey + register: var_privatekey + args: + chdir: /etc/wireguard/keys + +- name: Creating /etc/wireguard/wg0.conf + template: + src: client_wg0.j2 + dest: /etc/wireguard/wg0.conf + +- name: Starting wg service + systemd: + state: started + name: wg-quick@wg0 + enabled: yes + +- name: cat publickey => var_publickey + shell: cat publickey + register: var_publickey + args: + chdir: /etc/wireguard/keys + +- name: Make sure Wireguard Service is running + become: yes + service: + name: wg-quick@wg0 + state: started + enabled: yes diff --git a/roles/wireguard/tasks/server.yml b/roles/wireguard/tasks/server.yml new file mode 100644 index 0000000..0daf8f6 --- /dev/null +++ b/roles/wireguard/tasks/server.yml @@ -0,0 +1,8 @@ +--- +- name: Make sure Wireguard Service is running + become: yes + service: + name: wg-quick@wg0 + state: started + enabled: yes + # delegate_to: "{{ hostvars['jitsi'].inventory_hostname }}" diff --git a/roles/wireguard/templates/client_wg0.j2 b/roles/wireguard/templates/client_wg0.j2 new file mode 100644 index 0000000..32487af --- /dev/null +++ b/roles/wireguard/templates/client_wg0.j2 @@ -0,0 +1,11 @@ +[Interface] +Address = {{ wireguard_client_ip }} +PrivateKey = {{ var_privatekey.stdout }} +ListenPort = {{ wireguard_client_wg0_port }} +DNS = {{ wireguard_dns }} + +[Peer] +PublicKey = {{ wireguard_server_PublicKey }} +Endpoint = {{ wireguard_server_public_ip }}:{{ wireguard_server_wg0_port }} +AllowedIPs = {{ wireguard_client_AllowedIPs }} +PersistentKeepalive = 25 diff --git a/vars/belvederi.yml b/vars/belvederi.yml new file mode 100644 index 0000000..9062178 --- /dev/null +++ b/vars/belvederi.yml @@ -0,0 +1,12 @@ +--- +with_certbot: false +with_distributed_certificates: true +# certbot_email: +reverse_services: + - info: + server_name: info.ada + proxy_pass: https://info.ada + + - doc: + server_name: doc.ada + proxy_pass: https://doc.ada diff --git a/vars/build/_h5ai.yml b/vars/build/_h5ai.yml new file mode 100644 index 0000000..23a19d0 --- /dev/null +++ b/vars/build/_h5ai.yml @@ -0,0 +1,12 @@ +--- +fpm_services: + - firmware.test.ada: + server_name: firmware.test.ada + root: /opt/openwrt-lime-firmware_test + custom_config: " + index /_h5ai/public/index.php; + + location /_h5ai/private { + return 403; + } + " diff --git a/vars/build/dev_test.yml b/vars/build/dev_test.yml new file mode 100644 index 0000000..0aa3f9f --- /dev/null +++ b/vars/build/dev_test.yml @@ -0,0 +1,44 @@ +--- +openwrt_version: "{{openwrt_release['old_stable']}}" +libremesh_version: "librerouteros" +libremesh_profile: valsamoggia.ninux.org +libremesh_profile_device: vs-ninux-generic + +skip_preflight: false +skip_openwrt_install: false +skip_libremesh_install: false +skip_configure_profiles: false +skip_configure_clean: true +skip_webserver_update: false + +with_wireguard: true + +# webserver index +webui_path: /opt/openwrt-lime-firmware_test + +# openwrt +openwrt_build_user: "antennine" +openwrt_dir: "/home/antennine/openwrt/test" +openwrt_build_dirname: "openwrt-{{openwrt_version}}-libremesh-{{libremesh_version}}" +openwrt_build_dir: "{{openwrt_dir}}/{{openwrt_build_dirname}}" +openwrt_version_tag: "v{{openwrt_version}}" +openwrt_extra_image_name: "{{openwrt_version}}_libremesh-{{libremesh_version}}" + +# libremesh +libremesh_profile_directory: "{{openwrt_build_dir}}/feeds/profiles/{{libremesh_profile}}" +libremesh_feeds: | + src-git libremesh https://github.com/libremesh/lime-packages.git;{{ libremesh_version }} + src-git profiles https://github.com/libremesh/network-profiles.git + +# libremesh_version: "librerouteros" +# libremesh_version: "^0bddc6b50da6f13b1fd20a28f5c4d557c3819737" +# libremesh_version: "v2020.1" + +ip_network: "10.170" +ip_netmask: "/16" + +vpn_wg0_network: "192.168" +vpn_wg0_netmask: "/16" + +default_vpn_wg0_listenport: 51800 +default_channel_5ghz: 48 diff --git a/vars/build/main.yml b/vars/build/main.yml new file mode 100644 index 0000000..bd9fda4 --- /dev/null +++ b/vars/build/main.yml @@ -0,0 +1,45 @@ +--- +openwrt_version: "21.02.3" +libremesh_version: "librerouteros" +libremesh_profile: valsamoggia.ninux.org +libremesh_profile_device: vs-ninux-generic + +skip_preflight: false +skip_openwrt_install: false +skip_libremesh_install: false +skip_configure_profiles: false +skip_configure_clean: false +skip_webserver_update: false + +with_wireguard: true +with_luci: false + +# webserver index +webui_path: /opt/openwrt-lime-firmware_test + +# openwrt +openwrt_build_user: "antennine" +openwrt_dir: "/home/antennine/openwrt/test" +openwrt_build_dirname: "openwrt-{{openwrt_version}}-libremesh-{{libremesh_version}}" +openwrt_build_dir: "{{openwrt_dir}}/{{openwrt_build_dirname}}" +openwrt_version_tag: "v{{openwrt_version}}" +openwrt_extra_image_name: "{{openwrt_version}}_libremesh-{{libremesh_version}}" + +# libremesh +libremesh_profile_directory: "{{openwrt_build_dir}}/feeds/profiles/{{libremesh_profile}}" +libremesh_feeds: | + src-git libremesh https://github.com/libremesh/lime-packages.git;{{ libremesh_version }} + src-git profiles https://github.com/libremesh/network-profiles.git + +# libremesh_version: "librerouteros" +# libremesh_version: "^0bddc6b50da6f13b1fd20a28f5c4d557c3819737" +# libremesh_version: "v2020.1" + +ip_network: "10.170" +ip_netmask: "/16" + +vpn_wg0_network: "192.168" +vpn_wg0_netmask: "/16" + +default_vpn_wg0_listenport: 51800 +default_channel_5ghz: 48 diff --git a/vars/build/openwrt.yml b/vars/build/openwrt.yml new file mode 100644 index 0000000..e9c1f93 --- /dev/null +++ b/vars/build/openwrt.yml @@ -0,0 +1,7 @@ +openwrt_release: + stable: 22.03.2 # 17. October 2022 + old_stable: 21.02.5 # 17. October 2022 + +openwrt_release_archive: + 19: 19.07.10 # + 18: 18.06 # diff --git a/vars/build/targets/21.02.3_ramips_mt76x8.yml b/vars/build/targets/21.02.3_ramips_mt76x8.yml new file mode 100644 index 0000000..12c1729 --- /dev/null +++ b/vars/build/targets/21.02.3_ramips_mt76x8.yml @@ -0,0 +1,26 @@ +# ath79_generic +openwrt_target: ramips +openwrt_subtarget: mt76x8 +openwrt_devices: + - tl-mr6400-v4 + +# override +openwrt_version: 21.02.3 +libremesh_profile_device: vs-ninux-generic + +# configs +skip_configure_clean: true + +target_configs: | + CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic=y + # CONFIG_PACKAGE_kmod-ppp is not set + # CONFIG_PACKAGE_luci-proto-ppp is not set + # CONFIG_PACKAGE_luci is not set + CONFIG_PACKAGE_babeld-auto-gw-mode=y + CONFIG_PACKAGE_ubus-lime-batman-adv=y + CONFIG_PACKAGE_wpad-basic=y + # CONFIG_PACKAGE_wpad-basic-wolfssl is not set + # CONFIG_PACKAGE_wpad-mesh-wolfssl=y + # CONFIG_PACKAGE_ATH_DFS is not set + # CONFIG_ATH_USER_REGD is not set + CONFIG_PACKAGE_kmod-mt7603=y diff --git a/vars/build/targets/ar71xx_generic.yml b/vars/build/targets/ar71xx_generic.yml new file mode 100644 index 0000000..fdb1044 --- /dev/null +++ b/vars/build/targets/ar71xx_generic.yml @@ -0,0 +1,43 @@ +# ar71xx_generic +openwrt_target: ar71xx +openwrt_subtarget: generic +openwrt_devices: + - ubnt-lbe-m5 + - ubnt-loco-m-xw + - ubnt-nano-m-xw + - ubnt-nano-m + +# override +openwrt_version: 19.07.10 +libremesh_profile_device: vs-ninux-generic + +# configs +skip_configure_clean: true + +target_configs: | + CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic=y + # CONFIG_PACKAGE_kmod-ppp is not set + # CONFIG_PACKAGE_luci-proto-ppp is not set + CONFIG_PACKAGE_kmod-rtc-pcf8563=y + CONFIG_PACKAGE_kmod-rtc-pcf2123=y + CONFIG_PACKAGE_ATH_DEBUG=y + CONFIG_PACKAGE_ATH_DYNACK=y + CONFIG_PACKAGE_ATH_SPECTRAL=y + CONFIG_PACKAGE_luci=y + CONFIG_PACKAGE_prometheus-node-exporter-lua-location-latlon=y + CONFIG_PACKAGE_prometheus-node-exporter-lua-wifi-params=y + CONFIG_PACKAGE_prometheus-node-exporter-lua-wifi-stations-extra=y + CONFIG_PACKAGE_prometheus-node-exporter-lua-wifi-survey=y + CONFIG_PACKAGE_prometheus-node-push-influx=y + CONFIG_PACKAGE_shared-state-persist=y + CONFIG_PACKAGE_tmate=y + CONFIG_PACKAGE_ubus-tmate=y + CONFIG_PACKAGE_pirania=y + CONFIG_PACKAGE_pirania-app=y + CONFIG_PACKAGE_watchping=y + CONFIG_PACKAGE_wifi-unstuck-wa=y + CONFIG_PACKAGE_babeld-auto-gw-mode=y + # CONFIG_PACKAGE_wpad-basic is not set + # CONFIG_PACKAGE_wpad-basic-wolfssl is not set + CONFIG_PACKAGE_wpad-mesh-wolfssl=y + " diff --git a/vars/build/targets/ath79_tiny.yml b/vars/build/targets/ath79_tiny.yml new file mode 100644 index 0000000..797096f --- /dev/null +++ b/vars/build/targets/ath79_tiny.yml @@ -0,0 +1,20 @@ +# ath79_tiny +openwrt_target: ath79 +openwrt_subtarget: tiny +openwrt_devices: + - tplink_tl-wr940n-v6 + +# override +# openwrt_version: 18.06.9 +openwrt_version: 19.07.10 +libremesh_profile_device: vs-ninux-tiny + +# configs +skip_configure_clean: true +with_wireguard: false + +target_configs: | + CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-tiny=y + # CONFIG_PACKAGE_kmod-ppp is not set + # CONFIG_PACKAGE_luci is not set + # CONFIG_PACKAGE_luci-proto-ppp is not set diff --git a/vars/build/targets/old_stable_ath79_generic.yml b/vars/build/targets/old_stable_ath79_generic.yml new file mode 100644 index 0000000..198b1d9 --- /dev/null +++ b/vars/build/targets/old_stable_ath79_generic.yml @@ -0,0 +1,24 @@ +# ath79_generic +openwrt_target: ath79 +openwrt_subtarget: generic +openwrt_devices: + - tplink_cpe510-v3 + +# override +openwrt_version: "{{openwrt_release['old_stable']}}" +libremesh_profile_device: vs-ninux-generic + +# configs +skip_configure_clean: true + +target_configs: | + CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-fix-openwrt=y + CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic=y + # CONFIG_PACKAGE_kmod-ppp is not set + # CONFIG_PACKAGE_luci-proto-ppp is not set + # CONFIG_PACKAGE_luci is not set + CONFIG_PACKAGE_babeld-auto-gw-mode=y + CONFIG_PACKAGE_ubus-lime-batman-adv=y + CONFIG_PACKAGE_wpad-basic=y + # CONFIG_PACKAGE_wpad-basic-wolfssl is not set + # CONFIG_PACKAGE_wpad-mesh-wolfssl=y diff --git a/vars/build/targets/test_stable_ath79_generic.yml b/vars/build/targets/test_stable_ath79_generic.yml new file mode 100644 index 0000000..03939f8 --- /dev/null +++ b/vars/build/targets/test_stable_ath79_generic.yml @@ -0,0 +1,28 @@ +# ath79_generic +openwrt_target: ath79 +openwrt_subtarget: generic +openwrt_devices: + - tplink_cpe510-v3 + +# override +openwrt_version: "{{openwrt_release['stable']}}" +libremesh_profile_device: vs-ninux-generic + +# configs +skip_configure_clean: false + +# test commenting +target_configs: | + CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-fix-openwrt22=y + CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-fix-openwrt21=y + CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic=y + CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-test=y + CONFIG_PACKAGE_luci=y + CONFIG_PACKAGE_babeld-auto-gw-mode=y + CONFIG_PACKAGE_ubus-lime-batman-adv=y + CONFIG_PACKAGE_wpad-basic=y + # CONFIG_PACKAGE_wpad-basic-wolfssl is not set + # CONFIG_PACKAGE_wpad-mesh-wolfssl=y + +unstable_defaults: | + CONFIG_PACKAGE_rssileds=y diff --git a/vars/build/targets/test_stable_ramips_mt7620.yml b/vars/build/targets/test_stable_ramips_mt7620.yml new file mode 100644 index 0000000..b79c3de --- /dev/null +++ b/vars/build/targets/test_stable_ramips_mt7620.yml @@ -0,0 +1,27 @@ +# mt7620 _generic +openwrt_target: ramips +openwrt_subtarget: mt7620 +openwrt_devices: + - asus_rt-ac51u + +# override +openwrt_version: "{{openwrt_release['stable']}}" +libremesh_profile_device: vs-ninux-generic + +# configs +skip_configure_clean: false + +target_configs: | + CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-fix-openwrt22=y + CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-fix-openwrt21=y + CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic=y + CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-test=y + CONFIG_PACKAGE_luci=y + CONFIG_PACKAGE_babeld-auto-gw-mode=y + CONFIG_PACKAGE_ubus-lime-batman-adv=y + CONFIG_PACKAGE_wpad-basic=y + # CONFIG_PACKAGE_wpad-basic-wolfssl is not set + # CONFIG_PACKAGE_wpad-mesh-wolfssl=y + +unstable_defaults: | + CONFIG_DRIVER_11AC_SUPPORT=y diff --git a/vars/build/test.yml b/vars/build/test.yml new file mode 100644 index 0000000..bd9fda4 --- /dev/null +++ b/vars/build/test.yml @@ -0,0 +1,45 @@ +--- +openwrt_version: "21.02.3" +libremesh_version: "librerouteros" +libremesh_profile: valsamoggia.ninux.org +libremesh_profile_device: vs-ninux-generic + +skip_preflight: false +skip_openwrt_install: false +skip_libremesh_install: false +skip_configure_profiles: false +skip_configure_clean: false +skip_webserver_update: false + +with_wireguard: true +with_luci: false + +# webserver index +webui_path: /opt/openwrt-lime-firmware_test + +# openwrt +openwrt_build_user: "antennine" +openwrt_dir: "/home/antennine/openwrt/test" +openwrt_build_dirname: "openwrt-{{openwrt_version}}-libremesh-{{libremesh_version}}" +openwrt_build_dir: "{{openwrt_dir}}/{{openwrt_build_dirname}}" +openwrt_version_tag: "v{{openwrt_version}}" +openwrt_extra_image_name: "{{openwrt_version}}_libremesh-{{libremesh_version}}" + +# libremesh +libremesh_profile_directory: "{{openwrt_build_dir}}/feeds/profiles/{{libremesh_profile}}" +libremesh_feeds: | + src-git libremesh https://github.com/libremesh/lime-packages.git;{{ libremesh_version }} + src-git profiles https://github.com/libremesh/network-profiles.git + +# libremesh_version: "librerouteros" +# libremesh_version: "^0bddc6b50da6f13b1fd20a28f5c4d557c3819737" +# libremesh_version: "v2020.1" + +ip_network: "10.170" +ip_netmask: "/16" + +vpn_wg0_network: "192.168" +vpn_wg0_netmask: "/16" + +default_vpn_wg0_listenport: 51800 +default_channel_5ghz: 48 diff --git a/vars/libremesh.yml b/vars/libremesh.yml new file mode 100644 index 0000000..c5b3b6e --- /dev/null +++ b/vars/libremesh.yml @@ -0,0 +1,4 @@ + +libremesh_versions: + - librerouteros # ^0bddc6b50da6f13b1fd20a28f5c4d557c3819737 Released: Thu Mar 17 2022 + - 2020.1 # Released: Fri Dec 11 2020 diff --git a/vars/monitoring.yml b/vars/monitoring.yml new file mode 100644 index 0000000..23f3eb4 --- /dev/null +++ b/vars/monitoring.yml @@ -0,0 +1,22 @@ + +maintainer_emails: ', ' + +all_targets: + node: "{{ belvedere_targets }}" + blackbox_ping_internal: "{{ blackbox_ping_internal}}" + +blackbox_ping_internal: + - targets: "[ {%for host in groups['belvederi']%}'{{hostvars[host].ansible_host}}'{% if not loop.last %},{% endif %}{% endfor %} ]" + labels: + host: 'belvederi' + - targets: "[ {%for host in groups['strumenti']%}'{{hostvars[host].ansible_host}}'{% if not loop.last %},{% endif %}{% endfor %} ]" + labels: + host: 'strumenti' + +blackbox_relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - target_label: __address__ + replacement: 127.0.0.1:9115 diff --git a/vars/smtp.yml b/vars/smtp.yml new file mode 100644 index 0000000..e435921 --- /dev/null +++ b/vars/smtp.yml @@ -0,0 +1,5 @@ + +smtp_from: '' +smtp_smarthost: 'mail.gandi.net:587' +smtp_auth_username: '' +smtp_auth_password: "{{ lookup('passwordstore', 'chiavi_antennine/emails/', errors='strict') | default(omit) }}" diff --git a/vars/telegram.yml b/vars/telegram.yml new file mode 100644 index 0000000..28ef4cb --- /dev/null +++ b/vars/telegram.yml @@ -0,0 +1,3 @@ + +telegram_bot_token: "{{ lookup('passwordstore', 'chiavi_antennine/telegram/bot_api_token', errors='strict') | default(omit) }}" +telegram_chat_id: diff --git a/vars/test.yml b/vars/test.yml new file mode 100644 index 0000000..d66902c --- /dev/null +++ b/vars/test.yml @@ -0,0 +1 @@ +maintainer_emails: '' diff --git a/vars/wireguard.yml b/vars/wireguard.yml new file mode 100644 index 0000000..faaab77 --- /dev/null +++ b/vars/wireguard.yml @@ -0,0 +1,10 @@ + +wireguard_server_public_ip: +wireguard_server_PublicKey: '' +wireguard_server_wg0_port: 51820 + +wireguard_client_ip: # 10.0.0.9 +wireguard_client_wg0_port: 51820 +wireguard_client_AllowedIPs: 10.0.0.0/24 + +wireguard_dns: # 10.0.0.10