diff --git a/nodes/fkusei-locutus.py b/nodes/fkusei-locutus.py
deleted file mode 100644
index b7f9215..0000000
--- a/nodes/fkusei-locutus.py
+++ /dev/null
@@ -1,184 +0,0 @@
-nodes['fkusei-locutus'] = {
- 'hostname': '172.19.138.96',
- 'bundles': {
- 'arch-with-gui',
- 'bird',
- 'lldp',
- 'lm-sensors',
- 'nfs-client',
- 'systemd-boot',
- 'telegraf-battery-usage',
- 'wireguard',
- 'voc-tracker-worker',
- 'zfs',
- },
- 'groups': {
- 'arch',
- },
- 'metadata': {
- 'arch-with-gui': {
- 'autologin_as': 'fkunsmann',
- },
- 'bird': {
- 'bgp_neighbors': {
- 'smedia': {
- 'local_as': 4200128002,
- 'local_ip': '10.200.128.2',
- 'neighbor_as': 64900,
- 'neighbor_ip': '10.200.128.1',
- },
- },
- },
- 'firewall': {
- 'port_rules': {
- # obs websocket thingie - just allow all RFC1918 ips here
- #'4444': {
- # '10.0.0.0/8',
- # '172.16.0.0/12',
- # '192.168.0.0/16',
- #},
- # For the occasional file-share using `python -m http.server`
- '8000': {'*'},
- },
- },
- 'interfaces': {
- 'enp0s31f6': {
- 'dhcp': True,
- 'ips': {
- '172.19.138.96', # for static dhcp lease
- },
- 'mac': 'e8:6a:64:ef:cc:5c',
- },
- # there is also wlp2s0, but that's managed by netctl
- },
- 'location': 'home', # not actually true, but needed for static dhcp lease
- 'nfs-client': {
- 'mounts': {
- 'nas-storage': {
- 'mountpoint': '/mnt/nas',
- 'serverpath': '172.19.138.20:/storage/nas',
- 'mount_options': {
- 'retry=0',
- 'ro',
- },
- },
- },
- },
- 'openssh': {
- 'restrict-to': {
- 'rfc1918',
- 'ipv6',
- },
- },
- 'pacman': {
- 'linux-lts': True,
- 'packages': {
- # video drivers
- 'xf86-video-intel': {},
-
- # all that other random stuff one needs
- 'apachedirectorystudio': {},
- 'direnv': {},
- 'freerdp': {},
- 'sdl_ttf': {}, # for compiling testcard
- 'thermald': {},
- },
- },
- 'systemd-boot': {
- 'default': 'arch-lts',
- 'entries': {
- 'arch-lts': {
- 'title': 'Arch Linux (LTS kernel)',
- 'linux': '/vmlinuz-linux-lts',
- 'initrd': [
- '/intel-ucode.img',
- '/initramfs-linux-lts.img',
- ],
- 'options': {
- 'zfs=zroot/system/root',
- 'rw',
- },
- },
- 'arch-lts-fallback': {
- 'title': 'Arch Linux (LTS kernel, no ucode, fallback initramfs)',
- 'linux': '/vmlinuz-linux-lts',
- 'initrd': [
- '/initramfs-linux-lts-fallback.img',
- ],
- 'options': {
- 'zfs=zroot/system/root',
- 'rw',
- },
- },
- },
- },
- 'timezone': 'Europe/Berlin',
- 'users': {
- 'fkunsmann': {
- 'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='),
- 'shell': '/usr/bin/fish',
- 'sudo_commands': {
- 'ALL',
- },
- },
- 'sophie': {
- 'delete': True,
- },
- },
- 'voc-tracker-worker': {
- 'url': 'https://tracker.c3voc.de/rpc',
- 'token': vault.decrypt('encrypt$gAAAAABiYqaFl4CqOc8DTQIn49Qq0KgAJSzA19GKPNMbyHIjYg0JkvY0sK43ps8CbJWMRR6hJHVK-nP4vrWLwyoWWqt8N8aASMur4odC2s8pEHQKM0TXg4cRwobQz_lyJgrYa2VYdhcD'),
- 'secret': vault.decrypt('encrypt$gAAAAABiYqaYbY-3IbnRk-S25pqxrOGN7ovgPo3kBYz8ZqKDedPRzskKZefpLHxBbCOZKjg1XNT4cKbIs5cPCLdj7HdY4beAhnXl4EHZZdxU1zVC7sJCmz9XOS_Ac0UOgOlUFMiet14U'),
- },
- 'wireguard': {
- 'privatekey': vault.decrypt('smedia$NotViaThisRepository'),
- 'peers': {
- 'smedia': {
- 'endpoint': '185.122.180.82:51820',
- 'my_ip': '10.200.128.2/20',
- 'my_port': 51820,
- 'psk': vault.decrypt('smedia$NotViaThisRepository'),
- 'pubkey': vault.decrypt('smedia$NotViaThisRepository'),
- 'their_ip': '10.200.128.1',
- },
- },
- },
- 'zfs': {
- 'datasets': {
- # this is not a complete list, but we can't create that
- # structure using bundlewrap anyway, so there's no point
- # in adding it here.
- 'zroot': {
- 'compression': 'lz4',
- 'relatime': 'on',
- 'xattr': 'sa',
- 'primarycache': 'metadata'
- # encryption is enabled, too.
- },
- 'zroot/system/journal': {
- 'mountpoint': '/var/log/journal',
- 'acltype': 'posix',
- },
- 'zroot/system/root': {
- 'canmount': 'noauto',
- 'mountpoint': '/',
- },
- 'zroot/user/fkunsmann': {
- 'mountpoint': '/home/fkunsmann',
- },
- },
- 'snapshots': {
- 'retain_per_dataset': {
- 'zroot/user/fkunsmann': {
- # juuuuuuuust to be sure
- 'hourly': 100,
- },
- },
- 'snapshot_never': {
- 'zroot/system/journal',
- },
- },
- },
- },
- 'os': 'arch',
-}
diff --git a/nodes/ovh/icinga2.py b/nodes/ovh/icinga2.py
deleted file mode 100644
index 0f2a592..0000000
--- a/nodes/ovh/icinga2.py
+++ /dev/null
@@ -1,171 +0,0 @@
-nodes['ovh.icinga2'] = {
- 'dummy': True, # gekündigt
- 'bundles': {
- 'bird',
- 'icinga2',
- 'php',
- 'postgresql',
- 'simple-icinga-dashboard',
- 'unbound',
- 'wireguard',
- 'zfs',
- },
- 'groups': {
- 'debian-bullseye',
- 'webserver',
- },
- 'metadata': {
- 'interfaces': {
- 'eth0': {
- 'ips': {
- '51.195.44.8',
- '2001:41d0:701:1100::2618/128'
- },
- 'gateway4': '51.195.44.1',
- 'gateway6': '2001:41d0:701:1100::1'
- },
- 'dummy-snat': {
- 'ips': {
- '172.19.136.3',
- },
- },
- },
- 'icinga_options': {
- 'exclude_from_monitoring': True,
- },
- 'bird': {
- 'static_routes': {
- '172.19.136.3/32',
- },
- },
- 'icinga2': {
- 'web_domain': 'icinga.kunsmann.eu',
- 'api_users': {
- 'dashboard': {
- 'password': vault.password_for('ovh.icinga2 icinga2 api_user dashboard'),
- 'permissions': {
- 'objects/query/Service',
- 'objects/query/Host',
- },
- },
- # Used with
- 'icinga2beamer': {
- 'password': vault.decrypt('encrypt$gAAAAABf3wM9YS5ZpRdhp3xyIFX21_MK0omzqHqykWbWdkZWp2xyJ6awaUSXODnZQ5j-rws6n0yrpaeMdXoj1irb2FrgxMDTdfCh88hIsqcKGOObzwGaRg6Ze0tuiMrzIfOO3tRnc9Kd'),
- 'permissions': {
- 'objects/query/Host',
- 'objects/query/Service'
- },
- },
- },
- 'restrict-to': {
- '172.19.138.0/24',
- },
- 'sipgate': {
- 'user': bwpass.attr('sipgate.de/hi@kunsmann.eu', 'icinga_tokenid'),
- 'pass': bwpass.attr('sipgate.de/hi@kunsmann.eu', 'icinga_token'),
- },
- 'ntfy': {
- 'url': 'https://ntfy.franzi.business/icinga2',
- 'user': vault.decrypt('encrypt$gAAAAABkMtfW_tyGDUh7TkVX6AN8wSkKixWcQiOrPUWHtDZqnzjqrAkfD40fD8M_PiPDvW5pAa6xHNcUSU34jHolxnC44rDiLw=='),
- 'pass': vault.decrypt('encrypt$gAAAAABkMtfD8lenogwJc8uKeGZUQ8QVWHMpAqY_GLW3VhF3Jt0TOC4JiJn49qfaC9Ij5rw6GGsowNIsNBe1Ac83HXOLveANEU2o-O4fp5TxNF0xFWebCCtcaTkj_L2DjUbSUe8QVDn3'),
- },
- },
- 'icinga2_api': {
- 'custom': {
- # redundant monitoring of services/hosts
- 'services': {
- 'flauschekatze.space CERTIFICATE': {
- 'check_command': 'check_https_cert_at_url',
- 'vars.domain': 'flauschekatze.space',
- },
- 'matrix.flauschekatze.space CERTIFICATE': {
- 'check_command': 'check_https_cert_at_url',
- 'vars.domain': 'matrix.flauschekatze.space',
- },
- },
- },
- },
- 'nginx': {
- 'vhosts': {
- 'icingaweb': {
- 'domain': 'icinga.kunsmann.eu',
- 'webroot': '/usr/share/icingaweb2/public',
- 'extras': True,
- },
- 'icinga_statusmonitor': {
- 'domain': 'statusmonitor.icinga.kunsmann.eu',
- 'locations': {
- '/': {
- 'target': 'http://127.0.0.1:5000/',
- }
- },
- },
- 'statuspage': {
- 'domain': 'status.franzi.business',
- 'ssl': '_.franzi.business',
- 'webroot': '/opt/simple-icinga-dashboard/out',
- },
- },
- },
- 'php': {
- 'version': '8.0',
- 'packages': {
- 'curl',
- 'gd',
- 'intl',
- 'imagick',
- 'ldap',
- 'mysql',
- 'opcache',
- 'pgsql',
- 'readline',
- 'xml',
- },
- },
- 'postgresql': {
- 'version': '11',
- },
- 'simple-icinga-dashboard': {
- 'icinga2_api': {
- 'baseurl': 'https://127.0.0.1:5665',
- 'username': 'dashboard',
- 'password': vault.password_for('ovh.icinga2 icinga2 api_user dashboard'),
- },
- 'filters': {
- 'services': '"statuspage" in service.groups',
- },
- 'output': {
- 'page_title': 'franzi.business Service Status',
- },
- 'prettify': {
- 'CONTENT': '',
- 'NGINX': 'WEBSERVER',
- 'PROCESS': 'SERVICE',
- },
- },
- 'wireguard': {
- 'peers': {
- 'ovh.wireguard': {
- 'snat_to': '172.19.136.3',
- },
- },
- },
- 'zfs': {
- 'pools': {
- 'tank': {
- 'when_creating': {
- 'config': [{
- 'devices': {
- '/dev/sdb'
- },
- }],
- },
- },
- },
- },
- 'vm': {
- 'cpu': 1,
- 'ram': 2,
- },
- },
-}
diff --git a/nodes/ovh/wireguard.py b/nodes/ovh/wireguard.py
deleted file mode 100644
index c3405e9..0000000
--- a/nodes/ovh/wireguard.py
+++ /dev/null
@@ -1,62 +0,0 @@
-nodes['ovh.wireguard'] = {
- 'bundles': {
- 'bird',
- 'wireguard',
- },
- 'groups': {
- 'debian-buster',
- },
- 'metadata': {
- 'interfaces': {
- 'eth0': {
- 'ips': {
- '51.195.47.180',
- '2001:41d0:701:1100::20da/128'
- },
- 'gateway4': '51.195.44.1',
- 'gateway6': '2001:41d0:701:1100::1'
- },
- },
- 'bird': {
- 'static_routes': {
- '172.19.136.64/26',
- },
- },
- 'icinga_options': {
- 'exclude_from_monitoring': True,
- },
- 'backups': {
- 'exclude_from_backups': True,
- },
- 'vm': {
- 'cpu': 1,
- 'ram': 2,
- },
- 'wireguard': {
- 'peers': {
- 'ovh.icinga2': {},
- 'home.router': {},
- 'htz-cloud.wireguard': {},
- 'kunsi-oneplus3': {
- 'their_ip': '172.19.136.65',
- 'my_ip': '172.19.136.64',
- 'my_port': 51819,
- 'psk': vault.decrypt('encrypt$gAAAAABgKYeeuPfokbk7lSbbJX-52kap5Cs3tdCHpezkKcExV-yLTHPjszIcAh1T9wW1BtGElRdZea7VTikV3qEu3bupiSqEW4l2lmD5cn2ERYRfuVCoYSkOlmEGokHUX7Nja4G_A2_x'),
- 'pubkey': vault.decrypt('encrypt$gAAAAABgKYdTqLG3DcB13QqQadUxyzIjvSxwgZQNjorQi-ADSLsNdDbhikSAGQnSmGelLB74V175awIIir768WEnpLJUKX6nt_i2BxOP3JazvKZSQECkiK8G-IRn8wWWgKarfmtqRwh6'),
- 'exclude_from_monitoring': True,
- },
- 'sophie-ejgwthink': {
- 'their_ip': '172.19.136.67',
- 'my_ip': '172.19.136.66',
- 'my_port': 51818,
- 'psk': vault.decrypt('encrypt$gAAAAABhWWg7WWnVAl3R46oXfPHnmsuXIFELWoMb4wGeDDInKUAwjtI6Y9nYkMpvdxiPRbHnwG4sPxgUAu3l83E4BLTNwb-9_ZYPjz6bQQGYA7oYvCdsezWYYx22hmu8wJhq_j4sMyLK'),
- 'pubkey': vault.decrypt('encrypt$gAAAAABhWWg7fSm9snyXS_VLCpEv28_o2fvu6MRzrqngbKQ41DSAQE5fg4ADSbQpi0uwP_6VE_aGo56z1qmLV9wHpOUYCqgYk57w2KcuHR92r_Cw6iNs_h85k38nFGkmuvHzUecqpCNa'),
- 'exclude_from_monitoring': True,
- },
- },
- 'restrict-to': {
- '*',
- },
- },
- },
-}