diff --git a/Earthfile b/Earthfile
deleted file mode 100644
index 2c59020e3629b013557ab2756c6157cd226ba26a..0000000000000000000000000000000000000000
--- a/Earthfile
+++ /dev/null
@@ -1,26 +0,0 @@
-VERSION --use-copy-include-patterns 0.5
-
-install-deps:
- FROM debian:stable@sha256:13db79e523a13e3e55b606128a4193d7b9ae788d0c11c95d6a6de0bd30aa3a14
-
-shorewall-deps:
- FROM +install-deps
- RUN apt update
- RUN apt install shorewall shorewall6 ipset -y
- USER root
-
-validate-shorewall:
- FROM +shorewall-deps
- RUN apt update
- RUN apt install shorewall ipset -y
- COPY ./roles/firewall/files/shorewall /tmp/shorewall
- RUN --privileged shorewall check /tmp/shorewall
-
-validate-shorewall6:
- FROM +shorewall-deps
- COPY ./roles/firewall/files/shorewall6 /tmp/shorewall6
- RUN --privileged shorewall6 check /tmp/shorewall6
-
-test:
- BUILD +validate-shorewall
- BUILD +validate-shorewall6
diff --git a/ansible.cfg b/ansible.cfg
index e70461d648115a530d6a1fc54d75a60fd51f22e0..4de30240018243bbea62068d6b2cf825ca5650c4 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,20 +1,10 @@
 [defaults]
 remote_tmp = /tmp/.ansible-${USER}/tmp
 timeout = 30
-#ask_pass = True
-#ask_sudo_pass = False
-#nocows = 1
 retry_files_enabled = False
 interpreter_python=/usr/bin/python3
 remote_user = root
-callback_whitelist = foreman
 vault_password_file = /etc/ansible_vault_pw
 [ssh_connection]
 pipelining = True
-
-[callback_foreman]
-url = 'https://foreman.intern.teckids.org'
-ssl_cert = /etc/puppetlabs/puppet/ssl/certs/foreman.teckids.org.pem
-ssl_key = /etc/puppetlabs/puppet/ssl/private_keys/foreman.teckids.org.pem
-verify_certs = 0
diff --git a/roles/common/files/csync2.cfg b/roles/common/files/csync2.cfg
deleted file mode 100644
index d9252638aa96770958a9fed59fa9b78713f360fc..0000000000000000000000000000000000000000
--- a/roles/common/files/csync2.cfg
+++ /dev/null
@@ -1,79 +0,0 @@
-# Csync2 Example Configuration File
-# ---------------------------------
-#
-# Please read the documentation:
-# http://oss.linbit.com/csync2/paper.pdf
-
-# group mygroup
-# {
-# host host1 host2 (host3);
-# host host4@host4-eth2;
-#
-# key /etc/csync2.key_mygroup;
-#
-# #
-# # WARNING:
-# # You CANNOT use paths containing a symlink
-# # component in include/exclude options!
-# #
-# # Here is a real-life example:
-# # Suppose you have some 64bit Linux systems
-# # and /usr/lib/ocf is what you want to keep
-# # in sync. On 64bit Linux systems, /usr/lib
-# # is usually a symlink to /usr/lib64.
-# # This does not work:
-# # include /usr/lib/ocf;
-# # But this does work:
-# # include /usr/lib64/ocf;
-# #
-#
-# include /etc/apache;
-# include %homedir%/bob;
-# exclude %homedir%/bob/temp;
-# exclude *~ .*;
-#
-# action
-# {
-# pattern /etc/apache/httpd.conf;
-# pattern /etc/apache/sites-available/*;
-# exec "/usr/sbin/apache2ctl graceful";
-# logfile "/var/log/csync2_action.log";
-# do-local;
-# # you can use do-local-only if the execution
-# # should be done locally only
-# # do-local-only;
-# }
-#
-# # The backup-directory needs to be created first!
-# backup-directory /var/backups/csync2;
-# backup-generations 3;
-#
-# auto none;
-# }
-#
-# prefix homedir
-# {
-# on host[12]: /export/users;
-# on *: /home;
-# }
-
-nossl * *;
-lock-timeout 60;
-
-group teckids-skole
-{
- host desktop;
- host skole-portable;
- host skole-tarent;
- host skole-hbrs;
- host skole-rb;
-
- key /etc/csync2.key_teckids-skole;
-
- include /home;
- exclude .git/index;
- exclude /home/*/.cache;
- exclude /home/*/.xsession-errors;
-
- auto younger;
-}
diff --git a/roles/common/files/guacamole-noauth-config.xml b/roles/common/files/guacamole-noauth-config.xml
deleted file mode 100644
index e7abb35ff7a66e7e047244e8f602521c35d6bce8..0000000000000000000000000000000000000000
--- a/roles/common/files/guacamole-noauth-config.xml
+++ /dev/null
@@ -1,11 +0,0 @@
-<configs>
- <config name="rdp" protocol="rdp">
- <param name="hostname" value="localhost" />
- <param name="port" value="3389" />
- <param name="security" value="rdp" />
- </config>
- <config name="ssh" protocol="ssh">
- <param name="hostname" value="localhost" />
- <param name="port" value="22" />
- </config>
-</configs>
diff --git a/roles/common/files/http-teckids-auth b/roles/common/files/http-teckids-auth
deleted file mode 100644
index f8a35b79a5c94a7619ca73055c459610bdd56456..0000000000000000000000000000000000000000
--- a/roles/common/files/http-teckids-auth
+++ /dev/null
@@ -1,12 +0,0 @@
-AuthName "Teckids-Account Login"
-
-# GSSAPI authentication
-AuthType Kerberos
-KrbServiceName http
-KrbSaveCredentials on
-KrbLocalUserMapping On
-
-# Forward to PAM if GSSAPI fails
-KrbAuthoritative off
-AuthBasicProvider PAM
-AuthPAMService apache2
diff --git a/roles/common/files/ldap.conf b/roles/common/files/ldap.conf
deleted file mode 100644
index cd675e7626a408ecc06c8957108c3189b3af3d13..0000000000000000000000000000000000000000
--- a/roles/common/files/ldap.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-# LDAP Defaults
-#
-
-# See ldap.conf(5) for details
-# This file should be world readable but not world writable.
-
-BASE dc=teckids,dc=org
-URI ldaps://db.teckids.org
-
-#SIZELIMIT 12
-#TIMELIMIT 15
-#DEREF never
-
-# TLS certificates (needed for GnuTLS)
-TLS_CACERT /etc/ssl/certs/ca-certificates.crt
-TLS_REQCERT demand
-
-SASL_MECH GSSAPI
diff --git a/roles/common/files/ldapvi.conf b/roles/common/files/ldapvi.conf
deleted file mode 100644
index 2ac98f9508fceaf0af84dd9cf636af0278eb9dd8..0000000000000000000000000000000000000000
--- a/roles/common/files/ldapvi.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-profile default
-unpaged-help: yes
-ldap-conf: yes
-bind: sasl
diff --git a/roles/common/files/ltsp-build-client.conf b/roles/common/files/ltsp-build-client.conf
deleted file mode 100644
index fc40a5ee54e0baf990166ae6451b8754d7ad6b9f..0000000000000000000000000000000000000000
--- a/roles/common/files/ltsp-build-client.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# Sat 02 April 16:02:00 CEST 2019 - Install new packages
-# Changes to this timestamp trigger a rebuild of the LTSP images.
-# Add a comment describing why you want to run a rebuild.
-
-ARCH=amd64
-FAT_CLIENT=True
-#DEBCONF_SEEDS=/etc/ltsp/debconf.seeds
-MOUNT_PACKAGE_DIR=/var/cache/apt/archives
-EATMYDATA=True
-ENABLE_POPCON=True
-SQUASHFS_IMAGE=True
-PURGE_CHROOT=True
-LOCALE=de_DE.UTF-8
-COMPONENTS="main contrib non-free"
diff --git a/roles/common/files/ltsp-debconf.seeds b/roles/common/files/ltsp-debconf.seeds
deleted file mode 100644
index 7f8a8e6d1a3e7127b66fd0765d7479d576b2001f..0000000000000000000000000000000000000000
--- a/roles/common/files/ltsp-debconf.seeds
+++ /dev/null
@@ -1 +0,0 @@
-heimdal/realm heimdal/realm string TECKIDS.ORG
diff --git a/roles/common/files/monit/sssd b/roles/common/files/monit/sssd
deleted file mode 100644
index 4d8295a9b18c1a82be54cd2cea9afd9eab7e910b..0000000000000000000000000000000000000000
--- a/roles/common/files/monit/sssd
+++ /dev/null
@@ -1,5 +0,0 @@
-check process sssd pidfile "/run/sssd.pid"
- start program = "/usr/sbin/service sssd start"
- stop program = "/usr/sbin/service sssd stop"
- if cpu > 20% for 2 cycles then restart
- if 3 restarts within 10 cycles then timeout
diff --git a/roles/common/files/monitrc b/roles/common/files/monitrc
deleted file mode 100644
index cb8ed20f29f603569612e9f292814ac15add401b..0000000000000000000000000000000000000000
--- a/roles/common/files/monitrc
+++ /dev/null
@@ -1,6 +0,0 @@
-set alert root@teckids.org
-
-set httpd port 2812 and
- use address localhost
- allow localhost
-
\ No newline at end of file
diff --git a/roles/common/files/redirect-root.conf b/roles/common/files/redirect-root.conf
deleted file mode 100644
index 901172ec642f0134b1d705a0df73a5281da4a4d9..0000000000000000000000000000000000000000
--- a/roles/common/files/redirect-root.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-<If "%{HTTP_HOST} == 'desktop.teckids.org'">
- RedirectMatch ^/?$ https://desktop.teckids.org/guacamole/#/client/cmRwAGMAbm9hdXRo
-</If>
-<If "%{HTTP_HOST} == 'shell.teckids.org'">
- RedirectMatch ^/?$ https://desktop.teckids.org/guacamole/#/client/c3NoAGMAbm9hdXRo
-</If>
-<If "%{HTTP_HOST} == 'mail.teckids.org'">
- RedirectMatch ^/?$ https://commu-intern.teckids.org/roundcube
-</If>
-<If "%{HTTP_HOST} == 'otrs.teckids.org'">
- RedirectMatch ^/?$ https://commu-intern.teckids.org/otrs
-</If>
-<If "%{HTTP_HOST} == 'wiki.teckids.org'">
- RedirectMatch ^/?$ https://commu-intern.teckids.org/wiki
-</If>
-<If "%{HTTP_HOST} == 'lists.teckids.org'">
- RedirectMatch ^/?$ https://commu-intern.teckids.org/wws
-</If>
-
diff --git a/roles/common/files/sssd.conf b/roles/common/files/sssd.conf
deleted file mode 100644
index 3578f6159eb3bf8e1fd8b59132583af2767bbd1b..0000000000000000000000000000000000000000
--- a/roles/common/files/sssd.conf
+++ /dev/null
@@ -1,41 +0,0 @@
-[sssd]
-config_file_version = 2
-services = nss,pam,ssh,sudo
-domains = TECKIDS.ORG
-
-[nss]
-filter_users = root
-filter_groups = root
-
-[pam]
-
-[ssh]
-
-[sudo]
-
-[domain/TECKIDS.ORG]
-lookup_family_order = ipv6_first
-id_provider = ldap
-ignore_group_members = False
-ldap_uri = ldap://db.teckids.org
-ldap_search_base = dc=teckids,dc=org
-ldap_id_use_start_tls = true
-ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
-ldap_tls_reqcert = demand
-ldap_sasl_mech = gssapi
-ldap_user_search_base = ou=People,dc=teckids,dc=org
-ldap_group_search_base = ou=Groups,dc=teckids,dc=org
-ldap_schema = rfc2307
-ldap_account_expire_policy = shadow
-ldap_pwd_policy = shadow
-ldap_access_order = filter, expire
-ldap_user_ssh_public_key = sshAuthorizedKey
-auth_provider = krb5
-chpass_provider = krb5
-cache_credentials = true
-krb5_server = db.teckids.org
-krb5_realm = TECKIDS.ORG
-krb5_renewable_lifetime = 7d
-krb5_renew_interval = 3600
-sudo_provider = ldap
-ldap_sudo_search_base = ou=SUDOers,dc=teckids,dc=org
diff --git a/roles/common/files/update-kernels.conf b/roles/common/files/update-kernels.conf
deleted file mode 100644
index 4aff4775275abfdfab03f595ac0b657c41b8230e..0000000000000000000000000000000000000000
--- a/roles/common/files/update-kernels.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-PXELINUX_DEFAULT=menu
-TIMEOUT=80
-ONTIMEOUT=ltsp-NBD
-BOOT_METHODS=NBD
-IAPPEND=3
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 5f94aba95bb1f7b6bfd360ca910c6134e3e3c904..85783fc87520da2d7d7a8de4f4484b6fd87e5867 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -11,7 +11,7 @@ ssh-rsa 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 cardno:000612085137
 - name: Add backports
 ansible.builtin.apt_repository:
- repo: deb http://deb.debian.org/debian/ bullseye-backports main
+ repo: deb http://deb.debian.org/debian/ bookworm-backports main
 state: present
 filename: 'backports'
 when: ansible_facts['distribution'] == 'Debian'
@@ -191,6 +191,10 @@
 src: /etc/ansible/roles/common/files/rsyslog-server.conf
 dest: /etc/rsyslog.d/remote.conf
 when: ansible_facts['hostname'] == 'monitoring'
+- name: Configure relay host
+ ansible.builtin.lineinfile:
+ regexp: '^relayhost ='
+ line: 'relayhost = commu-intern.teckids.org'
 - name: Touch statefile
 ansible.builtin.file:
diff --git a/roles/common/templates/icinga-agent.sh.j2 b/roles/common/templates/icinga-agent.sh.j2
deleted file mode 100644
index 3d997b6fa9d6dd50f0535897a419972912213895..0000000000000000000000000000000000000000
--- a/roles/common/templates/icinga-agent.sh.j2
+++ /dev/null
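Review bot: The `Configure relay host` task added in the `@@ -191,6 +191,10 @@` hunk calls `ansible.builtin.lineinfile` with only `regexp` and `line`, but the module also requires `path`, so the play will fail on this task instead of editing anything; the task removed from `roles/teckids_hosted/tasks/main.yml` at the end of this diff had the same omission, so moving it into `common` spreads the failure to every host that role runs on. Adding the target file fixes it, e.g. `path: <PATH_TO_MAIL_CONFIG>` (placeholder: the relayhost line presumably lives in the Postfix main configuration, but the page does not say). Because the task carries no `when` and no `notify`, it will also run on every host the role covers without reloading the mail service; confirm that is intended, or add a guard and a handler the way the neighbouring rsyslog task is restricted to the `monitoring` host. The surrounding task list begins and ends outside the hunk.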
@@ -1,320 +0,0 @@ - - -#!/bin/bash - -# This generates and signs your required certificates. Please do not -# forget to install the Icinga 2 package and your desired monitoring -# plugins first. - -# Config from Director -ICINGA2_NODENAME='{{ inventory_hostname }}' -ICINGA2_CA_TICKET=$(curl -k -s -u teckids-icinga-api:{{ icinga_api_password }} -H 'Accept: application/json' -X GET "https://monitoring.teckids.org/icingaweb2/director/host/ticket?name={{ inventory_hostname }}") -ICINGA2_PARENT_ZONE='master' -ICINGA2_PARENT_ENDPOINTS=('monitoring.teckids.org,') -ICINGA2_CA_NODE='monitoring.teckids.org' -ICINGA2_GLOBAL_ZONES=('director-global') - -# Internal defaults -: "${ICINGA2_OSFAMILY:=}" -: "${ICINGA2_HOSTNAME:="$(hostname -f)"}" -: "${ICINGA2_NODENAME:="${ICINGA2_HOSTNAME}"}" -: "${ICINGA2_CA_NODE:=}" -: "${ICINGA2_CA_PORT:=5665}" -: "${ICINGA2_CA_TICKET:=}" -: "${ICINGA2_PARENT_ZONE:=master}" -: "${ICINGA2_PARENT_ENDPOINTS:=()}" -: "${ICINGA2_GLOBAL_ZONES:=director-global}" -: "${ICINGA2_DRYRUN:=}" -: "${ICINGA2_UPDATE_CONFIG:=}" - -# Helper functions -fail() { - echo "ERROR: $1" >&2 - exit 1 -} - -warn() { - echo "WARNING: $1" >&2 -} - -info() { - echo "INFO: $1" >&2 -} - -check_command() { - command -v "$@" &>/dev/null -} - -install_config() { - if [ -e "$1" ] && [ ! -e "${1}.orig" ]; then - info "Creating a backup at ${1}.orig" - cp "$1" "${1}.orig" - fi - echo "Writing config to ${1}" - echo "$2" > "${1}" -} - -[ "$BASH_VERSION" ] || fail "This is a Bash script" - -errors= -for key in NODENAME CA_NODE CA_PORT CA_TICKET PARENT_ZONE PARENT_ENDPOINTS; do - var="ICINGA2_${key}" - if [ -z "${!var}" ]; then - warn "The variable $var needs to be configured!" - errors+=1 - fi -done -[ -z "$errors" ] || exit 1 - -# Detect osfamily -if [ -n "$ICINGA2_OSFAMILY" ]; then - info "Assuming supplied osfamily $ICINGA2_OSFAMILY" -elif check_command rpm && ! 
check_command dpkg; then - info "This should be a RedHat system" - if [ -e /etc/sysconfig/icinga2 ]; then - # shellcheck disable=SC1091 - . /etc/sysconfig/icinga2 - fi - ICINGA2_OSFAMILY=redhat -elif check_command dpkg; then - info "This should be a Debian system" - if [ -e /etc/default/icinga2 ]; then - # shellcheck disable=SC1091 - . /etc/default/icinga2 - fi - ICINGA2_OSFAMILY=debian -elif check_command apk; then - info "This should be a Alpine system" - if [ -e /etc/icinga2/icinga2.sysconfig ]; then - # shellcheck disable=SC1091 - . /etc/icinga2/icinga2.sysconfig - fi - ICINGA2_OSFAMILY=alpine -else - fail "Could not determine your os type!" -fi - -# internal defaults -: "${ICINGA2_CONFIG_FILE:=/etc/icinga2/icinga2.conf}" -: "${ICINGA2_CONFIGDIR:="$(dirname "$ICINGA2_CONFIG_FILE")"}" -: "${ICINGA2_DATADIR:=/var/lib/icinga2}" -: "${ICINGA2_SSLDIR_OLD:="${ICINGA2_CONFIGDIR}"/pki}" -: "${ICINGA2_SSLDIR_NEW:="${ICINGA2_DATADIR}"/certs}" -: "${ICINGA2_SSLDIR:=}" -: "${ICINGA2_BIN:=icinga2}" - -case "$ICINGA2_OSFAMILY" in -debian) - : "${ICINGA2_USER:=nagios}" - : "${ICINGA2_GROUP:=nagios}" - ;; -redhat) - : "${ICINGA2_USER:=icinga}" - : "${ICINGA2_GROUP:=icinga}" - ;; -alpine) - : "${ICINGA2_USER:=icinga}" - : "${ICINGA2_GROUP:=icinga}" - ;; -*) - fail "Unknown osfamily '$ICINGA2_OSFAMILY'!" - ;; -esac - -icinga_version() { - "$ICINGA2_BIN" --version 2>/dev/null | grep -oPi '\(version: [rv]?\K\d+\.\d+\.\d+[^\)]*' -} - -version() { - echo "$@" | awk -F. '{ printf("%03d%03d%03d\n", $1,$2,$3); }' -} - -# Make sure icinga2 is installed and running -echo -n "check: icinga2 installed - " -if version=$(icinga_version); then - echo "OK: $version" -else - fail "You need to install icinga2!" 
-fi - -if [ -z "${ICINGA2_SSLDIR}" ]; then - if [ -f "${ICINGA2_SSLDIR_OLD}/${ICINGA2_NODENAME}.crt" ]; then - info "Using old SSL directory: ${ICINGA2_SSLDIR_OLD}" - info "Because you already have a certificate in ${ICINGA2_SSLDIR_OLD}/${ICINGA2_NODENAME}.crt" - ICINGA2_SSLDIR="${ICINGA2_SSLDIR_OLD}" - elif [ $(version $version) -gt $(version 2.8) ]; then - info "Using new SSL directory: ${ICINGA2_SSLDIR_NEW}" - ICINGA2_SSLDIR="${ICINGA2_SSLDIR_NEW}" - else - info "Using old SSL directory: ${ICINGA2_SSLDIR_OLD}" - ICINGA2_SSLDIR="${ICINGA2_SSLDIR_OLD}" - fi -fi - -if [ ! -d "$ICINGA2_SSLDIR" ]; then - mkdir "$ICINGA2_SSLDIR" - chown "$ICINGA2_USER.$ICINGA2_GROUP" "$ICINGA2_SSLDIR" -fi - -if [ -f "${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.crt" ]; then - warn "ERROR: a certificate for '${ICINGA2_NODENAME}' already exists" - warn "Please remove ${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.??? in case you want a" - warn "new certificate to be generated and signed by ${ICINGA2_CA_NODE}" - - if [ -z "${ICINGA2_UPDATE_CONFIG}" ] && [ -z "${ICINGA2_DRYRUN}" ]; then - warn "Aborting here, you can can call the script like this to just update config:" - info " ICINGA2_UPDATE_CONFIG=1 $0" - exit 1 - fi -elif [ -z "${ICINGA2_DRYRUN}" ]; then - if ! "$ICINGA2_BIN" pki new-cert --cn "${ICINGA2_NODENAME}" \ - --cert "${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.crt" \ - --csr "${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.csr" \ - --key "${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.key" - then fail "Could not create self signed certificate!" - fi - - if ! "$ICINGA2_BIN" pki save-cert \ - --host "${ICINGA2_CA_NODE}" \ - --port "${ICINGA2_CA_PORT}" \ - --key "${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.key" \ - --trustedcert "${ICINGA2_SSLDIR}/trusted-master.crt" - then fail "Could not retrieve trusted certificate from host ${ICINGA2_CA_NODE}" - fi - - if ! 
"$ICINGA2_BIN" pki request \ - --host "${ICINGA2_CA_NODE}" \ - --port "${ICINGA2_CA_PORT}" \ - --ticket "${ICINGA2_CA_TICKET}" \ - --key "${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.key" \ - --cert "${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.crt" \ - --trustedcert "${ICINGA2_SSLDIR}/trusted-master.crt" \ - --ca "${ICINGA2_SSLDIR}/ca.crt" - then fail "Could not retrieve final certificate from host ${ICINGA2_CA_NODE}" - fi -else - info "Would create certificates under ${ICINGA2_SSLDIR}, but in dry-run!" -fi - -# Prepare Config Files -content_config=$(cat << EOF -/** Icinga 2 Config - proposed by Icinga Director */ - -include "constants.conf" - -$([ "${ICINGA2_HOSTNAME}" != "${ICINGA2_NODENAME}" ] || echo '// ')const NodeName = "${ICINGA2_NODENAME}" - -include "zones.conf" -include "features-enabled/*.conf" - -include <itl> -include <plugins> -include <plugins-contrib> -include <manubulon> -include <windows-plugins> -include <nscp> -EOF -) - -endpoint_list='' -for item in "${ICINGA2_PARENT_ENDPOINTS[@]}"; do - endpoint=$(echo "$item" | cut -d, -f1) - endpoint_list+="\"${endpoint}\", " -done - -content_zones=$(cat << EOF -/** Icinga 2 Config - proposed by Icinga Director */ - -object Endpoint "${ICINGA2_NODENAME}" {} - -object Zone "${ICINGA2_NODENAME}" { - parent = "${ICINGA2_PARENT_ZONE}" - endpoints = [ "${ICINGA2_NODENAME}" ] -} - -object Zone "${ICINGA2_PARENT_ZONE}" { - endpoints = [ ${endpoint_list%, } ] -} -EOF -) - -for item in "${ICINGA2_PARENT_ENDPOINTS[@]}"; do - endpoint=$(echo "$item" | cut -d, -f1) - host=$(echo "$item" | cut -s -d, -f2) - - content_zones+=$(cat << EOF - -object Endpoint "${endpoint}" { -$([ -n "$host" ] && echo " host = \"${host}\"" || echo " //host = \"${endpoint}\"") -} -EOF -) -done - -for zone in "${ICINGA2_GLOBAL_ZONES[@]}"; do - content_zones+=$(cat << EOF - -object Zone "${zone}" { - global = true -} -EOF -) -done - -content_api="/** Icinga 2 Config - proposed by Icinga Director */ - -object ApiListener \"api\" {" - -if [ 
"${ICINGA2_SSLDIR}" = "${ICINGA2_SSLDIR_OLD}" ]; then -content_api+=" - cert_path = SysconfDir + \"/icinga2/pki/${ICINGA2_NODENAME}.crt\" - key_path = SysconfDir + \"/icinga2/pki/${ICINGA2_NODENAME}.key\" - ca_path = SysconfDir + \"/icinga2/pki/ca.crt\" -" -fi -content_api+=" - accept_commands = true - accept_config = true -} -" - -if [ -z "${ICINGA2_DRYRUN}" ]; then - install_config "$ICINGA2_CONFIGDIR"/icinga2.conf "$content_config" - install_config "$ICINGA2_CONFIGDIR"/zones.conf "$content_zones" - install_config "$ICINGA2_CONFIGDIR"/features-available/api.conf "$content_api" - - "$ICINGA2_BIN" feature enable api - - "$ICINGA2_BIN" daemon -C - - echo "Please restart icinga2:" - case "$ICINGA2_OSFAMILY" in - debian) - echo " systemctl restart icinga2" - ;; - redhat) - echo " systemctl restart icinga2" - ;; - alpine) - echo " rc-service icinga2 restart" - ;; - *) - fail "Unknown osfamily '$ICINGA2_OSFAMILY'!" - ;; - esac -else - output_code() { - sed 's/^/ /m' <<<"$1" - } - echo "### $ICINGA2_CONFIGDIR"/icinga2.conf - echo - output_code "$content_config" - echo - echo "### $ICINGA2_CONFIGDIR"/zones.conf - echo - output_code "$content_zones" - echo - echo "### $ICINGA2_CONFIGDIR"/features-available/api.conf - echo - output_code "$content_api" -fi diff --git a/roles/common/vars/common.yaml b/roles/common/vars/common.yaml deleted file mode 100644 index b7e76cf01bd9b108766e7781dd5b7767179e729e..0000000000000000000000000000000000000000 --- a/roles/common/vars/common.yaml +++ /dev/null 
@@ -1,7 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-38303739653035666339616536383832353838626363323638366162346538343532303232336636
-3166303033666266383034356539616637383563653136660a333465636437306139376439626665
-38666431613064306561313638363666373265333734313036326635343837613231346430303033
-3535373731623231620a653733336265376566626236356530326264373366313130336566666638
-36613964306230356134343039653739346334396333656435643335336232333439353366396364
-3862663163646365333733653137356637653665666639353666
diff --git a/roles/gitlab_runner/templates/gitlab-runner-config.j2 b/roles/gitlab_runner/templates/gitlab-runner-config.j2
index 4df5aff21b86e667620926ca2112fd3f429e1d7f..3dbc6b1f41de5dd716c23d1bddd31b470ad7ac43 100644
--- a/roles/gitlab_runner/templates/gitlab-runner-config.j2
+++ b/roles/gitlab_runner/templates/gitlab-runner-config.j2
@@ -16,7 +16,7 @@ check_interval = 0
 [runners.cache.gcs]
 [runners.docker]
 tls_verify = false
- image = "debian:bullseye"
+ image = "debian:bookworm"
 privileged = {{ gitlab_runner_privileged }}
 disable_entrypoint_overwrite = false
 oom_kill_disable = false
diff --git a/roles/teckids_hosted/tasks/main.yml b/roles/teckids_hosted/tasks/main.yml
deleted file mode 100644
index bf5b0c6228fa332391b59de10972a1c7ddfd3830..0000000000000000000000000000000000000000
--- a/roles/teckids_hosted/tasks/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- name: Configure relay host
- ansible.builtin.lineinfile:
- regexp: '^relayhost ='
- line: 'relayhost = commu-intern.teckids.org'