commit c136c0777477606dff490b60109750b42ad05cb9
parent c3bbd5fd1a5a23ad981b582326e3604dab8a9f88
Author: Leah (ctucx) <leah@ctu.cx>
Date: Sat, 20 Feb 2021 22:49:18 +0100
update host configurations
3 files changed, 122 insertions(+), 21 deletions(-)
M
|
72
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------
diff --git a/configuration/joguhrtbecher.yml b/configuration/joguhrtbecher.yml @@ -15,6 +15,11 @@ system: password: "$6$foobar123$1qcCmnoveirSdWY9XdgH5hCXv32hj0n/AyJX46sSp1LyGCA8QT/xxifebRxr89uIH6vwhzFGgz4.H2sG0en0f0" sshKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829" +network: + nftables: + enable: true + configFile: config-files/nftables/joguhrtbecher.nft + networkd: networkd_resolv_conf_content: - nameserver 1.1.1.1 @@ -29,14 +34,14 @@ networkd: - Kind: wireguard - WireGuard: - PrivateKey: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/joguhrtbecher/wireguard.privkey returnall=true') }}" - - FirewallMark: 51820 + - FirewallMark: 0x8888 - WireGuardPeer: - PublicKey: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/desastro/wireguard.pubkey returnall=true') }}" - AllowedIPs: "0.0.0.0/0, ::/0" - Endpoint: "195.39.247.172:51820" - PersistentKeepalive: 10 network: - - name: enp2s0 + - name: enp0s25 priority: 20 content: - Match: @@ -51,26 +56,76 @@ networkd: - Network: - Address: 195.39.247.49/32 - Address: 2a0f:4ac0:acab:1234::49/128 - - Route: - - Destination: 0.0.0.0/0 - - Route: - - Destination: ::/0 + - DNS: 8.8.8.8 + - DNSDefaultRoute: true + - Domains: ~. - Link: - MTUBytes: 1472 + - RoutingPolicyRule: + - FirewallMark: 0x8888 + - InvertRule: true + - Table: 1000 + - Priority: 10 + - Route: + - Destination: 0.0.0.0/0 + - Table: 1234 + - Route: + - Destination: ::/0 + - Table: 1234 + - RoutingPolicyRule: + - From: 195.39.247.49/32 + - Table: 1234 + - Priority: 2000 + - RoutingPolicyRule: + - 
From: 2a0f:4ac0:acab:1234::49/128 + - Table: 1234 + - Priority: 2000 services: prometheus_node_exporter: enable: true + syncthing: enable: true user: leah + nginx: + enable: true + domain: "syncthing.lollo.ctu.cx" + sslOnly: true + ssl: + enable: true + cert: "/var/lib/acme-redirect/live/syncthing.joguhrtbecher.ctu.cx/fullchain" + privkey: "/var/lib/acme-redirect/live/syncthing.joguhrtbecher.ctu.cx/privkey" + + + acme_redirect: + enable: true + email: lets-encrypt@ctu.cx + acme_url: https://api.buypass.com/acme/directory + certs: + joguhrtbecher.ctu.cx: + dns_names: + - joguhrtbecher.ctu.cx + renew_tasks: + - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/joguhrtbecher.ctu.cx + syncthing.joguhrtbecher.ctu.cx: + dns_names: + - syncthing.joguhrtbecher.ctu.cx + renew_tasks: + - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/syncthing.joguhrtbecher.ctu.cx + nginx: enable: true + sslOnly: true vhosts: joguhrtbecher.ctu.cx: - defaultServer: true + defaultserver: true + ssl: + enable: true + cert: "/var/lib/acme-redirect/live/joguhrtbecher.ctu.cx/fullchain" + privkey: "/var/lib/acme-redirect/live/joguhrtbecher.ctu.cx/privkey" locations: - path: /node-exporter - proxy: http://127.0.0.1:9100- \ No newline at end of file + proxy: http://127.0.0.1:9100/metrics
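Review bot: The syncthing nginx block sets `domain: "syncthing.lollo.ctu.cx"` while its `cert`/`privkey` paths and the new acme_redirect entry are issued for `syncthing.joguhrtbecher.ctu.cx`, so a client reaching the configured name would be handed a certificate for a different host; on this machine the line presumably should read `domain: "syncthing.joguhrtbecher.ctu.cx"`. In the same hunk the vhost key changes from `defaultServer` to `defaultserver` although the neighbouring keys stay camelCase (`sslOnly`, `configFile`); if the nginx role reads `defaultServer`, the flag is silently dropped, so confirm which spelling the template expects. The `/node-exporter` location now proxies straight to `http://127.0.0.1:9100/metrics` and no access restriction is visible in the hunk; if only the Prometheus server is meant to scrape it, an `allow <scraper address>; deny all;` pair or `auth_basic` on that location would keep host metrics from being readable by anyone who can reach the vhost.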
diff --git a/configuration/lollo.yml b/configuration/lollo.yml @@ -121,20 +121,31 @@ networkd: - Network: - DHCP: yes -timers: - powermeter-archiver: - timer_command: php /usr/local/bin/powermeter-archiver.php - timer_user: leah - timer_OnCalendar: "minutely" - timer_AccuracySec: 5s - files: + /etc/nginx/passwd/influx: + state: "file" + content: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/{{system.hostname}}/passwd/home.ctu.cx/influx returnall=true')}}" + mode: "0600" + owner: "nginx" + group: "nginx" /etc/udev/rules.d/99-modbus-serial.rules: state: "file" content: 'SUBSYSTEM=="tty", ATTRS{idVendor}=="10c4", ATTRS{serial}=="1337", SYMLINK+="modbus0"' mode: "0755" owner: "root" group: "root" + /etc/udev/rules.d/99-tempsensors-serial.rules: + state: "file" + content: 'SUBSYSTEM=="tty", ATTRS{idVendor}=="1a86", ATTRS{idProduct}=="7523", SYMLINK+="tempsensors0"' + mode: "0755" + owner: "root" + group: "root" + /etc/udev/rules.d/99-zigbee-serial.rules: + state: "file" + content: 'SUBSYSTEM=="tty", ATTRS{idVendor}=="1d6b", ATTRS{idProduct}=="0002", SYMLINK+="zigbee0"' + mode: "0755" + owner: "root" + group: "root" /usr/local/bin/powermeter-archiver.php: state: "file" src: "scripts/powermeter-archiver.php" @@ -177,6 +188,11 @@ services: - dnsmasq.home.ctu.cx renew_tasks: - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/dnsmasq.home.ctu.cx + influx.home.ctu.cx: + dns_names: + - influx.home.ctu.cx + renew_tasks: + - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/influx.home.ctu.cx nginx: enable: true 
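Review bot: The new `99-zigbee-serial.rules` matches `ATTRS{idVendor}=="1d6b", ATTRS{idProduct}=="0002"`, which is the ID pair the kernel reports for a USB 2.0 root hub rather than for an adapter; since `ATTRS` is also evaluated against parent devices, the rule can apply to any tty attached below such a hub, and `zigbee0` may end up pointing at the modbus or temperature adapter. Match the dongle's own vendor/product ID (plus a serial, as the modbus rule does) as shown by `udevadm info` for the device. Separately, the `/etc/nginx/passwd/influx` lookup nests `{{system.hostname}}` inside the string argument of an outer `{{ lookup(...) }}`; nested delimiters are not reliably expanded, so building the path by concatenation, `'Server/' ~ system.hostname ~ '/passwd/home.ctu.cx/influx returnall=true'`, avoids looking up the wrong secret path. The udev rules files do not need the execute bit either; `mode: "0644"` is enough.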
@@ -208,13 +224,41 @@ services: fastcgi_index index.php; include fastcgi_params; " + influx.home.ctu.cx: + root: /var/lib/websites/home.home.ctu.cx + ssl: + enable: true + cert: "/var/lib/acme-redirect/live/influx.home.ctu.cx/fullchain" + privkey: "/var/lib/acme-redirect/live/influx.home.ctu.cx/privkey" + locations: + - path: / + extraConfig: " + auth_basic 'Needs Autherization'; + auth_basic_user_file /etc/nginx/passwd/influx; + + proxy_pass http://127.0.0.1:8086/; + proxy_redirect default; + proxy_http_version 1.1; + proxy_set_header Connection ''; + proxy_set_header Authorization ''; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_max_temp_file_size 0; + proxy_connect_timeout 240; + proxy_send_timeout 240; + proxy_read_timeout 240; + expires -1; + add_header Cache-Control private; + " hostapd: - enable: false + enable: true interface: wlp3s0 bridge: brlan channel: 1 - ssid: legacy.home.ctu.cx + ssid: hostapd.home.ctu.cx passphrase: "{{ lookup('diskcache', 'community.general.passwordstore', 'WiFi/legacy.home.ctu.cx returnall=true')}}" dnsmasq: @@ -244,6 +288,7 @@ services: - home.ctu.cx, 195.39.246.33, 2a0f:4ac0:acab::1 - legacy.home.ctu.cx, 195.39.246.33, 2a0f:4ac0:acab::1 - dnsmasq.home.ctu.cx, 195.39.246.33, 2a0f:4ac0:acab::1 + - influx.home.ctu.cx, 195.39.246.33, 2a0f:4ac0:acab::1 # - home.flauschekatze.space, 195.39.246.33, 2a0f:4ac0:acab::1 # - legacy.home.flauschekatze.space, 195.39.246.33, 2a0f:4ac0:acab::1 dns_servers: @@ -317,7 +362,10 @@ services: influxdb: enable: true databases: - - powermeter + - powermeters + - sensors + - test_powermeters + - test_sensors mbusd: enable: true
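Review bot: The new `influx.home.ctu.cx` vhost guards InfluxDB with `auth_basic` only, and no `sslOnly: true` is visible for lollo's nginx in these hunks (the joguhrtbecher change in this commit adds it), so unless the role defaults to HTTPS-only the credentials could also be accepted over plain HTTP; adding `sslOnly: true` closes that. Because `proxy_set_header Authorization ''` removes the header before the request reaches `127.0.0.1:8086`, InfluxDB sees every caller as unauthenticated, which makes the single htpasswd file the only control over all four databases; either say so in a comment above the location or enable InfluxDB's own authentication. `root: /var/lib/websites/home.home.ctu.cx` looks like a copy-paste leftover on a vhost that only proxies. Further down, hostapd is switched on under the new SSID `hostapd.home.ctu.cx` but still reads its passphrase from `WiFi/legacy.home.ctu.cx`; if this is meant to be a distinct network, a separate password-store entry avoids sharing the legacy key.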
diff --git a/configuration/wanderduene.yml b/configuration/wanderduene.yml @@ -154,7 +154,6 @@ services: - stasicontainer.frp.ctu.cx - coladose.frp.ctu.cx - toaster.frp.ctu.cx - - joghurtbecher.frp.ctu.cx - isa.frp.ctu.cx - isa-mac.frp.ctu.cx renew_tasks: @@ -439,6 +438,7 @@ services: 'taurus.ctu.cx', 'desastro.ctu.cx', 'lollo.ctu.cx', + 'joguhrtbecher.ctu.cx', 'repo.f2k1.de', 'toaster.frp.ctu.cx', 'stasicontainer-mac.frp.ctu.cx' @@ -530,7 +530,6 @@ services: - toaster - isa - isa-mac - - joghurtbecher files: /var/lib/websites/ctu.cx: