
My personal ansible roles and playbooks [deprecated in favor of nixos]

commit 5aee592cbe3700411bb5faf3ba36da6970b6faff
parent 8baef6c8f9a54821ed8633357ba3c4dc6e02aefa
Author: Leah (ctucx) <leah@ctu.cx>
Date: Tue, 2 Feb 2021 12:23:41 +0100

combined playbooks
4 files changed, 423 insertions(+), 433 deletions(-)
A
configuration/lollo.yml
|
307
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
D
playbook-router.yml
|
342
-------------------------------------------------------------------------------
D
playbook-servers.yml
|
91
-------------------------------------------------------------------------------
A
playbook.yml
|
116
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/configuration/lollo.yml b/configuration/lollo.yml
@@ -0,0 +1,307 @@
+system:
+  hostname: lollo
+  domain: ctu.cx
+  timezone: Europe/Berlin
+  enableOwnRepos: true
+  enableSSH: true
+  enableSudo: true
+  useNTP: true #todo: support archlinux
+  nameservers:
+    - 1.1.1.1
+    - 8.8.8.8
+  users:
+    - name: leah
+      groups: "wheel"
+      password: "$6$foobar123$1qcCmnoveirSdWY9XdgH5hCXv32hj0n/AyJX46sSp1LyGCA8QT/xxifebRxr89uIH6vwhzFGgz4.H2sG0en0f0"
+      sshKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e isa@Isabelles-MacBook-Pro.local"
+
+network:
+  ipForwarding: true
+  ferm:
+    enable: true
+    configFile: config-files/ferm/lollo.conf
+
+networkd:
+  networkd_resolv_conf_content:
+    - nameserver 1.1.1.1
+    - nameserver 8.8.8.8
+  networkd_apply_action: "restart"
+  netdev:
+    - name: enp2s0.5
+      priority: 20
+      content:
+        - NetDev:
+          - Name: enp2s0.5
+          - Kind: vlan
+        - VLAN:
+          - Id: 5
+    - name: wg-pbb
+      priority: 30
+      content:
+        - NetDev:
+          - Name: wg-pbb
+          - Kind: wireguard
+        - WireGuard:
+          - PrivateKey: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/lollo/wireguard.privkey returnall=true') }}"
+          - FirewallMark: 51820
+        - WireGuardPeer:
+          - PublicKey: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/desastro/wireguard.pubkey returnall=true') }}"
+          - AllowedIPs:  "0.0.0.0/0, ::/0"
+          - Endpoint: "195.39.247.172:51820"
+          - PersistentKeepalive: 10
+    - name: brlan
+      priority: 40 
+      content:
+        - NetDev:
+          - Name: brlan
+          - Kind: bridge
+  network:
+    - name: enp2s0
+      priority: 20
+      content:
+        - Match:
+          - Name: enp2s0
+        - Network:
+          - DHCP: yes
+          - VLAN: enp2s0.5
+    - name: enp2s0.5
+      priority: 20
+      content:
+        - Match:
+          - Name: enp2s0.5
+        - Network:
+          - Bridge: brlan
+    - name: wg-pbb
+      priority: 30
+      content:
+        - Match:
+          - Name: wg-pbb
+        - Link:
+          - MTUBytes: 1472
+        - Route:
+          - Destination: 0.0.0.0/0
+          - Table: 1234
+        - Route:
+          - Destination: ::/0
+          - Table: 1234
+    - name: brlan
+      priority: 40
+      content:
+        - Match:
+          - Name: brlan
+          - Driver: bridge
+        - Network:
+          - DHCP: no
+          - Address: 195.39.246.33/28
+          - Address: 10.0.0.1/24
+          - Address: 2a0f:4ac0:acab::1/62
+        - RoutingPolicyRule:
+          - From: 195.39.246.32/28
+          - Table: 254
+          - Priority: 1900
+          - SuppressPrefixLength: 0
+        - RoutingPolicyRule:
+          - From: 2a0f:4ac0:acab::/62
+          - Table: 254
+          - Priority: 1900
+          - SuppressPrefixLength: 0
+        - RoutingPolicyRule:
+          - From: 195.39.246.32/28
+          - Table: 1234
+          - Priority: 2000
+        - RoutingPolicyRule:
+          - From: 2a0f:4ac0:acab::/62
+          - Table: 1234
+          - Priority: 2000
+    - name: usb-tetherring
+      priority: 91
+      content:
+        - Match:
+          - Name: enp*s*u*
+        - Network:
+          - DHCP: yes
+
+services:
+  prometheus_node_exporter:
+    enable: true
+
+  acme_redirect:
+    enable: true
+    email: lets-encrypt@ctu.cx
+    acme_url: https://api.buypass.com/acme/directory
+    certs:
+      lollo.ctu.cx:
+        dns_names: 
+          - lollo.ctu.cx
+        renew_tasks:
+          - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/lollo.ctu.cx
+      syncthing.lollo.ctu.cx:
+        dns_names: 
+          - syncthing.lollo.ctu.cx
+        renew_tasks:
+          - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/syncthing.lollo.ctu.cx
+      home.ctu.cx:
+        dns_names: 
+          - home.ctu.cx
+          - legacy.home.ctu.cx
+        renew_tasks:
+          - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/home.ctu.cx
+      home.flauschekatze.space:
+        dns_names: 
+          - home.flauschekatze.space
+          - legacy.home.flauschekatze.space
+        renew_tasks:
+          - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/home.flauschekatze.space
+
+  nginx:
+    enable: true
+    sslOnly: true
+    vhosts:
+      lollo.ctu.cx:
+        defaultserver: true
+        ssl:
+          enable: true
+          cert: "/var/lib/acme-redirect/live/lollo.ctu.cx/fullchain"
+          privkey: "/var/lib/acme-redirect/live/lollo.ctu.cx/privkey"
+        locations:
+          - path: /node-exporter
+            proxy: http://127.0.0.1:9100/metrics
+      home.ctu.cx legacy.home.ctu.cx:
+        root: /var/lib/websites/home.ctu.cx
+        extraConfig: "
+          index index.html index.php;
+          try_files $uri $uri/ /index.php?$query_string;
+        "
+        ssl:
+          enable: true
+          cert: "/var/lib/acme-redirect/live/home.ctu.cx/fullchain"
+          privkey: "/var/lib/acme-redirect/live/home.ctu.cx/privkey"
+        locations:
+          - path: ~ \.php$
+            extraConfig: "
+              fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
+              fastcgi_index index.php;
+              include fastcgi_params;
+            "
+      home.flauschekatze.space legacy.home.flauschekatze.space:
+        root: /var/lib/websites/home.ctu.cx
+        extraConfig: "
+          index index.html index.php;
+          try_files $uri $uri/ /index.php?$query_string;
+        "
+        ssl:
+          enable: true
+          cert: "/var/lib/acme-redirect/live/home.flauschekatze.space/fullchain"
+          privkey: "/var/lib/acme-redirect/live/home.flauschekatze.space/privkey"
+        locations:
+          - path: ~ \.php$
+            extraConfig: "
+              fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
+              fastcgi_index index.php;
+              include fastcgi_params;
+            "
+
+  hostapd:
+    enable: false
+    interface: wlp3s0
+    bridge: brlan
+    channel: 1
+    ssid: legacy.home.ctu.cx
+    passphrase: "{{ lookup('diskcache', 'community.general.passwordstore', 'WiFi/legacy.home.ctu.cx returnall=true')}}"
+
+  dnsmasq:
+    enable: true
+    local_service: true
+    no_resolv: true
+    domain_needed: true
+    bogus_priv: true
+    expand_hosts: false
+    read_ethers: false
+    enable_ra: true
+    quiet_ra: true
+    domain: home.ctu.cx
+    auth_ttl: 600
+    auth_server: home.ctu.cx, wg-pbb
+    auth_zones:
+      - home.ctu.cx,                        10.0.0.1/24,   195.39.246.32/28,   2a0f:4ac0:acab::1/64
+      - home.flauschekatze.space,           10.0.0.1/24,   195.39.246.32/28,   2a0f:4ac0:acab::1/64
+    local_addresses:
+      - /fritz.box/192.168.178.1
+      - /intel-nuc/192.168.178.21
+      - /lollo/192.168.178.20
+      - /repo-vm/192.168.178.24
+      - /mastodon-backup/192.168.178.25
+      - /foo-nuc/192.168.178.23
+    addresses:
+      - home.ctu.cx,                        195.39.246.33,   2a0f:4ac0:acab::1
+      - home.flauschekatze.space,           195.39.246.33,   2a0f:4ac0:acab::1
+      - legacy.home.ctu.cx,                 195.39.246.33,   2a0f:4ac0:acab::1
+      - legacy.home.flauschekatze.space,    195.39.246.33,   2a0f:4ac0:acab::1
+    dns_servers:
+      - 1.1.1.1
+      - 1.0.0.1
+      - 8.8.8.8
+      - 8.8.4.4
+    dhcp:
+      authoritative: true
+      rapid_commit:  true
+      sequential_ip: true
+      options:
+        - option6:information-refresh-time, 6h
+        - option6:dns-server,               [2a0f:4ac0:acab::1]
+        - private, option:router,           10.0.0.1
+        - private, option:dns-server,       10.0.0.1
+        - public,  option:router,           195.39.246.33
+        - public,  option:dns-server,       195.39.246.33
+      ranges:
+        - private, 10.0.0.100,          10.0.0.200,                           255.255.255.0,                  48h
+        - public,  195.39.246.34,       static,                               255.255.255.240, 195.39.246.47, 48h
+        -          2a0f:4ac0:acab::100, 2a0f:4ac0:acab::01ff, ra-names,slaac, 64,                             48h
+      hosts:
+        # accesspoint
+        - f4:06:8d:df:1f:e3,                                          accesspoint,      10.0.0.2
+        # tradfri gateway
+        - 58:d5:0a:ba:23:29,                                          tradfri,          10.0.0.10
+        # ctucx macbook
+        - id:00:01:00:01:27:51:55:30:80:e6:50:21:e0:6a,               toaster,          [2a0f:4ac0:acab::34]
+        - 80:e6:50:21:e0:6a,                                          toaster,          195.39.246.34
+        # ctucx thinkcentre
+        - id:00:01:00:01:27:60:18:8c:e8:6a:64:f4:49:e7,               stasicontainer,   [2a0f:4ac0:acab::39]
+        - e8:6a:64:f4:49:e7,                                          stasicontainer,   195.39.246.39
+        # ctucx thinkpad t470 (mac: wlan, eth)
+        - id:00:04:37:8e:fd:cc:26:b8:11:b2:a8:5c:b8:77:0b:6e:a2:e6,   coladose,         [2a0f:4ac0:acab::35]
+        - 7c:2a:31:fb:e6:b8, 8c:16:45:da:61:8e,                       coladose,         195.39.246.35
+        # isa macbook
+        - id:00:01:00:01:23:53:5d:7e:6c:40:08:af:2e:9c,               isabelles-mbp,    [2a0f:4ac0:acab::38]
+        - 6c:40:08:af:2e:9c,                                          isabelles-mbp,    195.39.246.38
+        # isa thinkpad x230
+        - id:00:04:e8:51:c5:1d:f6:53:58:4a:9b:c0:28:59:a4:c7:76:32,   isa-x230,         [2a0f:4ac0:acab::36]
+        - 64:80:99:75:c5:5c,                                          isa-x230,         195.39.246.36
+        # isa p2max
+        - id:00:04:97:db:54:73:1e:20:bb:fe:bf:35:dd:14:70:59:c2:d5,   isa-p2max,        [2a0f:4ac0:acab::40]
+        - ac:67:5d:12:2f:5a,                                          isa-p2max,        195.39.246.40
+  syncthing:
+    enable: true
+    user: leah
+    nginx:
+      enable: true
+      domain: "syncthing.lollo.ctu.cx"
+      sslOnly: true
+      ssl:
+        enable: true
+        cert: "/var/lib/acme-redirect/live/syncthing.lollo.ctu.cx/fullchain"
+        privkey: "/var/lib/acme-redirect/live/syncthing.lollo.ctu.cx/privkey"
+
+  frpc:
+    enable: true
+    serverAddress: wanderduene.ctu.cx
+    serverPort: 5050
+    token: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/wanderduene/frps/token returnall=true')}}"
+    dashboard: false
+    tunnels:
+      - name: lollo-ssh
+        type: tcp
+        local_ip: 127.0.0.1
+        local_port: 22
+        remote_port: 2202
+
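Review bot: The `password: "$6$foobar123$…"` entry for user leah commits a SHA-512 crypt hash in clear into configuration/lollo.yml, while every other secret in this file (the WireGuard `PrivateKey`, the hostapd `passphrase`, the frpc `token`) is pulled from pass via `lookup('diskcache', 'community.general.passwordstore', …)`; a crypt hash in a published repo can be cracked offline, and the salt `foobar123` suggests it was generated by hand rather than by a tool. I'd move it to the same lookup, e.g. `password: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/lollo/users/leah.password returnall=true') }}"` (path illustrative), and rotate the password since the hash is already public history. Separately, both `~ \.php$` locations hand every `.php` request to php-fpm without a `try_files $uri =404;` guard; whether that lets a request like `/upload.jpg/x.php` execute an uploaded file depends on php-fpm's `cgi.fix_pathinfo` and on how the role's `fastcgi_params` sets SCRIPT_FILENAME, neither of which this hunk shows, so adding `try_files $uri =404;` as the first line of each location's `extraConfig` is a cheap belt-and-braces fix. The `/node-exporter` location on the default server proxies `127.0.0.1:9100/metrics` to anyone who can reach port 443 unless the nginx role adds auth elsewhere; consider an `allow <prometheus-host>; deny all;` pair in that location's config.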
diff --git a/playbook-router.yml b/playbook-router.yml
@@ -1,342 +0,0 @@
----
-- hosts: lollo
-  remote_user: root
-  gather_facts: false
-  tasks:
-    - name: "[Alpine] Install Python"
-      raw: test -e /usr/bin/python || (test -e /sbin/apk && apk update && apk add python3; true)
-    - name: "[Archlinux] Install Python"
-      raw: test -e /usr/bin/python || (test -e /usr/bin/pacman && pacman -Sy --noconfirm python; true)
-
-
-- hosts: lollo
-  name:  Install lollo
-  roles: 
-    - role: common
-      tags: common
-    - role: kawaidesu.ansible_networkd
-      tags: systemd-networkd
-    - role: acme-redirect
-      tags: acme-redirect
-    - role: nginx
-      tags: nginx
-    - role: hostapd
-      tags: hostapd
-    - role: dnsmasq
-      tags: dnsmasq
-    - role: syncthing
-      tags: syncthing
-    - role: frp
-      tags:
-        - frp
-        - frpc
-        - frps 
-
-  vars:
-    system:
-      hostname: lollo
-      domain: ctu.cx
-      timezone: Europe/Berlin
-      enableOwnRepos: true
-      enableSSH: true
-      enableSudo: true
-      useNTP: true #todo: support archlinux
-      nameservers:
-        - 1.1.1.1
-        - 8.8.8.8
-      users:
-        - name: leah
-          groups: "wheel"
-          password: "$6$foobar123$1qcCmnoveirSdWY9XdgH5hCXv32hj0n/AyJX46sSp1LyGCA8QT/xxifebRxr89uIH6vwhzFGgz4.H2sG0en0f0"
-          sshKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e isa@Isabelles-MacBook-Pro.local"
-
-    network:
-      ipForwarding: true
-      ferm:
-        enable: true
-        configFile: config-files/ferm/lollo.conf
-
-    networkd:
-      networkd_resolv_conf_content:
-        - nameserver 1.1.1.1
-        - nameserver 8.8.8.8
-      networkd_apply_action: "restart"
-      netdev:
-        - name: enp2s0.5
-          priority: 20
-          content:
-            - NetDev:
-              - Name: enp2s0.5
-              - Kind: vlan
-            - VLAN:
-              - Id: 5
-        - name: wg-pbb
-          priority: 30
-          content:
-            - NetDev:
-              - Name: wg-pbb
-              - Kind: wireguard
-            - WireGuard:
-              - PrivateKey: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/lollo/wireguard.privkey returnall=true') }}"
-              - FirewallMark: 51820
-            - WireGuardPeer:
-              - PublicKey: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/desastro/wireguard.pubkey returnall=true') }}"
-              - AllowedIPs:  "0.0.0.0/0, ::/0"
-              - Endpoint: "195.39.247.172:51820"
-              - PersistentKeepalive: 10
-        - name: brlan
-          priority: 40 
-          content:
-            - NetDev:
-              - Name: brlan
-              - Kind: bridge
-      network:
-        - name: enp2s0
-          priority: 20
-          content:
-            - Match:
-              - Name: enp2s0
-            - Network:
-              - DHCP: yes
-              - VLAN: enp2s0.5
-        - name: enp2s0.5
-          priority: 20
-          content:
-            - Match:
-              - Name: enp2s0.5
-            - Network:
-              - Bridge: brlan
-        - name: wg-pbb
-          priority: 30
-          content:
-            - Match:
-              - Name: wg-pbb
-            - Link:
-              - MTUBytes: 1472
-            - Route:
-              - Destination: 0.0.0.0/0
-              - Table: 1234
-            - Route:
-              - Destination: ::/0
-              - Table: 1234
-        - name: brlan
-          priority: 40
-          content:
-            - Match:
-              - Name: brlan
-              - Driver: bridge
-            - Network:
-              - DHCP: no
-              - Address: 195.39.246.33/28
-              - Address: 10.0.0.1/24
-              - Address: 2a0f:4ac0:acab::1/62
-            - RoutingPolicyRule:
-              - From: 195.39.246.32/28
-              - Table: 254
-              - Priority: 1900
-              - SuppressPrefixLength: 0
-            - RoutingPolicyRule:
-              - From: 2a0f:4ac0:acab::/62
-              - Table: 254
-              - Priority: 1900
-              - SuppressPrefixLength: 0
-            - RoutingPolicyRule:
-              - From: 195.39.246.32/28
-              - Table: 1234
-              - Priority: 2000
-            - RoutingPolicyRule:
-              - From: 2a0f:4ac0:acab::/62
-              - Table: 1234
-              - Priority: 2000
-        - name: usb-tetherring
-          priority: 91
-          content:
-            - Match:
-              - Name: enp*s*u*
-            - Network:
-              - DHCP: yes
-
-    services:
-      prometheus_node_exporter:
-        enable: true
-
-      acme_redirect:
-        enable: true
-        email: lets-encrypt@ctu.cx
-        acme_url: https://api.buypass.com/acme/directory
-        certs:
-          lollo.ctu.cx:
-            dns_names: 
-              - lollo.ctu.cx
-            renew_tasks:
-              - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/lollo.ctu.cx
-          syncthing.lollo.ctu.cx:
-            dns_names: 
-              - syncthing.lollo.ctu.cx
-            renew_tasks:
-              - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/syncthing.lollo.ctu.cx
-          home.ctu.cx:
-            dns_names: 
-              - home.ctu.cx
-              - legacy.home.ctu.cx
-            renew_tasks:
-              - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/home.ctu.cx
-          home.flauschekatze.space:
-            dns_names: 
-              - home.flauschekatze.space
-              - legacy.home.flauschekatze.space
-            renew_tasks:
-              - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/home.flauschekatze.space
-
-      nginx:
-        enable: true
-        sslOnly: true
-        vhosts:
-          lollo.ctu.cx:
-            defaultserver: true
-            ssl:
-              enable: true
-              cert: "/var/lib/acme-redirect/live/lollo.ctu.cx/fullchain"
-              privkey: "/var/lib/acme-redirect/live/lollo.ctu.cx/privkey"
-            locations:
-              - path: /node-exporter
-                proxy: http://127.0.0.1:9100/metrics
-          home.ctu.cx legacy.home.ctu.cx:
-            root: /var/lib/websites/home.ctu.cx
-            extraConfig: "
-              index index.html index.php;
-              try_files $uri $uri/ /index.php?$query_string;
-            "
-            ssl:
-              enable: true
-              cert: "/var/lib/acme-redirect/live/home.ctu.cx/fullchain"
-              privkey: "/var/lib/acme-redirect/live/home.ctu.cx/privkey"
-            locations:
-              - path: ~ \.php$
-                extraConfig: "
-                  fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
-                  fastcgi_index index.php;
-                  include fastcgi_params;
-                "
-          home.flauschekatze.space legacy.home.flauschekatze.space:
-            root: /var/lib/websites/home.ctu.cx
-            extraConfig: "
-              index index.html index.php;
-              try_files $uri $uri/ /index.php?$query_string;
-            "
-            ssl:
-              enable: true
-              cert: "/var/lib/acme-redirect/live/home.flauschekatze.space/fullchain"
-              privkey: "/var/lib/acme-redirect/live/home.flauschekatze.space/privkey"
-            locations:
-              - path: ~ \.php$
-                extraConfig: "
-                  fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
-                  fastcgi_index index.php;
-                  include fastcgi_params;
-                "
-
-      hostapd:
-        enable: false
-        interface: wlp3s0
-        bridge: brlan
-        channel: 1
-        ssid: legacy.home.ctu.cx
-        passphrase: "{{ lookup('diskcache', 'community.general.passwordstore', 'WiFi/legacy.home.ctu.cx returnall=true')}}"
-
-      dnsmasq:
-        enable: true
-        local_service: true
-        no_resolv: true
-        domain_needed: true
-        bogus_priv: true
-        expand_hosts: false
-        read_ethers: false
-        enable_ra: true
-        quiet_ra: true
-        domain: home.ctu.cx
-        auth_ttl: 600
-        auth_server: home.ctu.cx, wg-pbb
-        auth_zones:
-          - home.ctu.cx,                        10.0.0.1/24,   195.39.246.32/28,   2a0f:4ac0:acab::1/64
-          - home.flauschekatze.space,           10.0.0.1/24,   195.39.246.32/28,   2a0f:4ac0:acab::1/64
-        local_addresses:
-          - /fritz.box/192.168.178.1
-          - /intel-nuc/192.168.178.21
-          - /lollo/192.168.178.20
-          - /repo-vm/192.168.178.24
-          - /mastodon-backup/192.168.178.25
-          - /foo-nuc/192.168.178.23
-        addresses:
-          - home.ctu.cx,                        195.39.246.33,   2a0f:4ac0:acab::1
-          - home.flauschekatze.space,           195.39.246.33,   2a0f:4ac0:acab::1
-          - legacy.home.ctu.cx,                 195.39.246.33,   2a0f:4ac0:acab::1
-          - legacy.home.flauschekatze.space,    195.39.246.33,   2a0f:4ac0:acab::1
-        dns_servers:
-          - 1.1.1.1
-          - 1.0.0.1
-          - 8.8.8.8
-          - 8.8.4.4
-        dhcp:
-          authoritative: true
-          rapid_commit:  true
-          sequential_ip: true
-          options:
-            - option6:information-refresh-time, 6h
-            - option6:dns-server,               [2a0f:4ac0:acab::1]
-            - private, option:router,           10.0.0.1
-            - private, option:dns-server,       10.0.0.1
-            - public,  option:router,           195.39.246.33
-            - public,  option:dns-server,       195.39.246.33
-          ranges:
-            - private, 10.0.0.100,          10.0.0.200,                           255.255.255.0,                  48h
-            - public,  195.39.246.34,       static,                               255.255.255.240, 195.39.246.47, 48h
-            -          2a0f:4ac0:acab::100, 2a0f:4ac0:acab::01ff, ra-names,slaac, 64,                             48h
-          hosts:
-            # accesspoint
-            - f4:06:8d:df:1f:e3,                                          accesspoint,      10.0.0.2
-            # tradfri gateway
-            - 58:d5:0a:ba:23:29,                                          tradfri,          10.0.0.10
-            # ctucx macbook
-            - id:00:01:00:01:27:51:55:30:80:e6:50:21:e0:6a,               toaster,          [2a0f:4ac0:acab::34]
-            - 80:e6:50:21:e0:6a,                                          toaster,          195.39.246.34
-            # ctucx thinkcentre
-            - id:00:01:00:01:27:60:18:8c:e8:6a:64:f4:49:e7,               stasicontainer,   [2a0f:4ac0:acab::39]
-            - e8:6a:64:f4:49:e7,                                          stasicontainer,   195.39.246.39
-            # ctucx thinkpad t470 (mac: wlan, eth)
-            - id:00:04:37:8e:fd:cc:26:b8:11:b2:a8:5c:b8:77:0b:6e:a2:e6,   coladose,         [2a0f:4ac0:acab::35]
-            - 7c:2a:31:fb:e6:b8, 8c:16:45:da:61:8e,                       coladose,         195.39.246.35
-            # isa macbook
-            - id:00:01:00:01:23:53:5d:7e:6c:40:08:af:2e:9c,               isabelles-mbp,    [2a0f:4ac0:acab::38]
-            - 6c:40:08:af:2e:9c,                                          isabelles-mbp,    195.39.246.38
-            # isa thinkpad x230
-            - id:00:04:e8:51:c5:1d:f6:53:58:4a:9b:c0:28:59:a4:c7:76:32,   isa-x230,         [2a0f:4ac0:acab::36]
-            - 64:80:99:75:c5:5c,                                          isa-x230,         195.39.246.36
-            # isa p2max
-            - id:00:04:97:db:54:73:1e:20:bb:fe:bf:35:dd:14:70:59:c2:d5,   isa-p2max,        [2a0f:4ac0:acab::40]
-            - ac:67:5d:12:2f:5a,                                          isa-p2max,        195.39.246.40
-      syncthing:
-        enable: true
-        user: leah
-        nginx:
-          enable: true
-          domain: "syncthing.lollo.ctu.cx"
-          sslOnly: true
-          ssl:
-            enable: true
-            cert: "/var/lib/acme-redirect/live/syncthing.lollo.ctu.cx/fullchain"
-            privkey: "/var/lib/acme-redirect/live/syncthing.lollo.ctu.cx/privkey"
-
-      frpc:
-        enable: true
-        serverAddress: wanderduene.ctu.cx
-        serverPort: 5050
-        token: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/wanderduene/frps/token returnall=true')}}"
-        dashboard: false
-        tunnels:
-          - name: lollo-ssh
-            type: tcp
-            local_ip: 127.0.0.1
-            local_port: 22
-            remote_port: 2202
-    
diff --git a/playbook-servers.yml b/playbook-servers.yml
@@ -1,91 +0,0 @@
----
-- hosts: all
-  remote_user: root
-  gather_facts: false
-  tasks:
-    - name: "[Alpine] Install Python"
-      raw: test -e /usr/bin/python || (test -e /sbin/apk && apk update && apk add python3; true)
-    - name: "[Archlinux] Install Python"
-      raw: test -e /usr/bin/python || (test -e /usr/bin/pacman && pacman -Sy --noconfirm python; true)
-
-- hosts: wanderduene
-  name:  Install wanderduene
-  vars_files: configuration/wanderduene.yml
-  roles: 
-    - role: common            # supports: alpine, arch
-      tags: common
-    - role: files             # supports: alpine, arch
-      tags: files
-    - role: bind              # supports: alpine, arch(untested)
-      tags: bind
-    - role: acme-redirect     # supports: alpine, arch
-      tags: acme-redirect
-    - role: nginx             # supports: alpine, arch
-      tags: nginx
-    - role: gitolite          # supports: alpine, arch(untested)
-      tags: gitolite
-    - role: cgit              # supports: alpine, arch(untested)
-      tags: cgit
-    - role: oeffisearch       # supports: alpine
-      tags: oeffisearch
-    - role: oeffi-web         # supports: alpine
-      tags: oeffi-web
-    - role: maddy             # supports: alpine
-      tags: maddy
-    - role: radicale          # supports: alpine, arch(untested)
-      tags: radicale
-    - role: pleroma           # supports: alpine
-      tags: pleroma
-    - role: synapse           # supports: alpine, arch(untested)
-      tags: synapse
-    - role: prometheus        # supports: alpine, arch(untested)
-      tags: prometheus
-    - role: grafana           # supports: alpine, arch(untested)
-      tags: grafana
-    - role: fritzboxExporter  # supports: alpine
-      tags: fritzboxExporter
-    - role: frp               # frps supports: alpine, arch(untested)
-      tags: [ frp, frps ]
-    - role: backup            # todo
-      tags: backup
-
-
-- hosts: taurus
-  name: Install taurus
-  vars_files: configuration/taurus.yml
-  roles:
-    - role: common            # supports: alpine, arch
-      tags: common
-    - role: files             # supports: alpine, arch
-      tags: files
-    - role: bind              # supports: alpine, arch(untested)
-      tags: bind
-    - role: nfsserver         # supports: alpine
-      tags: nfs
-    - role: acme-redirect     # supports: alpine, arch
-      tags: acme-redirect
-    - role: nginx             # supports: alpine, arch
-      tags: nginx
-    - role: syncthing         # supports: alpine, arch
-      tags: syncthing
-    - role: rest-server       # supports: alpine, arch(untested)
-      vars:
-        rest_server:
-          nginx:
-            password: "{}"
-      tags: [ backup, rest-server, restic ]
-
-- hosts: joguhrtbecher
-  name: Install joguhrtbecher
-  vars_files: configuration/joguhrtbecher.yml
-  roles:
-    - role: common            # supports: alpine, arch
-      tags: common
-    - role: kawaidesu.ansible_networkd
-      tags: systemd-networkd
-    - role: files             # supports: alpine, arch
-      tags: files
-    - role: nginx             # supports: alpine, arch
-      tags: nginx
-    - role: syncthing         # supports: alpine, arch
-      tags: syncthing
diff --git a/playbook.yml b/playbook.yml
@@ -0,0 +1,115 @@
+---
+- hosts: all
+  remote_user: root
+  gather_facts: false
+  tasks:
+    - name: "[Alpine] Install Python"
+      raw: test -e /usr/bin/python || (test -e /sbin/apk && apk update && apk add python3; true)
+    - name: "[Archlinux] Install Python"
+      raw: test -e /usr/bin/python || (test -e /usr/bin/pacman && pacman -Sy --noconfirm python; true)
+
+- hosts: wanderduene
+  name:  Install wanderduene
+  vars_files: configuration/wanderduene.yml
+  roles: 
+    - role: common            # supports: alpine, arch
+      tags: common
+    - role: files             # supports: alpine, arch
+      tags: files
+    - role: bind              # supports: alpine, arch(untested)
+      tags: bind
+    - role: acme-redirect     # supports: alpine, arch
+      tags: acme-redirect
+    - role: nginx             # supports: alpine, arch
+      tags: nginx
+    - role: gitolite          # supports: alpine, arch(untested)
+      tags: gitolite
+    - role: cgit              # supports: alpine, arch(untested)
+      tags: cgit
+    - role: oeffisearch       # supports: alpine
+      tags: oeffisearch
+    - role: oeffi-web         # supports: alpine
+      tags: oeffi-web
+    - role: maddy             # supports: alpine
+      tags: maddy
+    - role: radicale          # supports: alpine, arch(untested)
+      tags: radicale
+    - role: pleroma           # supports: alpine
+      tags: pleroma
+    - role: synapse           # supports: alpine, arch(untested)
+      tags: synapse
+    - role: prometheus        # supports: alpine, arch(untested)
+      tags: prometheus
+    - role: grafana           # supports: alpine, arch(untested)
+      tags: grafana
+    - role: fritzboxExporter  # supports: alpine
+      tags: fritzboxExporter
+    - role: frp               # frps supports: alpine, arch(untested)
+      tags: [ frp, frps ]
+    - role: backup            # todo
+      tags: backup
+
+
+- hosts: taurus
+  name: Install taurus
+  vars_files: configuration/taurus.yml
+  roles:
+    - role: common            # supports: alpine, arch
+      tags: common
+    - role: files             # supports: alpine, arch
+      tags: files
+    - role: bind              # supports: alpine, arch(untested)
+      tags: bind
+    - role: nfsserver         # supports: alpine
+      tags: nfs
+    - role: acme-redirect     # supports: alpine, arch
+      tags: acme-redirect
+    - role: nginx             # supports: alpine, arch
+      tags: nginx
+    - role: syncthing         # supports: alpine, arch
+      tags: syncthing
+    - role: rest-server       # supports: alpine, arch(untested)
+      vars:
+        rest_server:
+          nginx:
+            password: "{}"
+      tags: [ backup, rest-server, restic ]
+
+- hosts: joguhrtbecher
+  name: Install joguhrtbecher
+  vars_files: configuration/joguhrtbecher.yml
+  roles:
+    - role: common            # supports: alpine, arch
+      tags: common
+    - role: kawaidesu.ansible_networkd
+      tags: systemd-networkd
+    - role: files             # supports: alpine, arch
+      tags: files
+    - role: nginx             # supports: alpine, arch
+      tags: nginx
+    - role: syncthing         # supports: alpine, arch
+      tags: syncthing
+
+- hosts: lollo
+  name:  Install lollo
+  vars_files: configuration/lollo.yml
+  roles: 
+    - role: common
+      tags: common
+    - role: kawaidesu.ansible_networkd
+      tags: systemd-networkd
+    - role: acme-redirect
+      tags: acme-redirect
+    - role: nginx
+      tags: nginx
+    - role: hostapd
+      tags: hostapd
+    - role: dnsmasq
+      tags: dnsmasq
+    - role: syncthing
+      tags: syncthing
+    - role: frp
+      tags:
+        - frp
+        - frpc
+        - frps +
\ No newline at end of file
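Review bot: The last tag entry of the lollo play reads `- frps +`, which YAML parses as the string `frps +` (the hunk also ends without a trailing newline); if that `+` is really in the file and not a rendering artifact, `ansible-playbook --tags frps` will no longer select the frp role on lollo, so it should be plain `- frps`. The bootstrap task `pacman -Sy --noconfirm python` refreshes the package database and installs without a full upgrade, which on Arch is a partial upgrade and can leave python linked against libraries newer than the ones installed; `pacman -Syu --noconfirm python` (or `-S` without the refresh) avoids that. The inherited `password: "{}"` under `rest_server.nginx` for taurus looks like an empty placeholder rather than a credential; if the rest-server role builds an htpasswd entry from it, the restic backup endpoint is effectively unauthenticated, so it is worth confirming against the role and pulling a real value through the passwordstore lookup that configuration/lollo.yml already uses.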