README.md

 # Warpzone Infrastruktur Konfiguration
 
 Die Infrastruktur der Warpzone wird nach und nach durch das Konfigurationstool Ansible aufgebaut.
-Diese Konfiguration wird von den verschiedenen Teams gemeinschaftlich genutzt und soll als zentrale Dokumentation dienen.
-
+Diese Konfiguration soll als zentrale Dokumentation dienen.
 
 ## Aktueller Status
 
-Aktuell ist nur der neue Websserver in der Konfiguration erfasst.
-Weitere Dienste (wie z.B. der bestehende Webserver und die interne Infrastruktur) sind noch nicht abgebildet.
+Alle Server sind erfasst
 
 ## Vorraussetzungen
 Installiertes ansible
@@ -22,7 +20,7 @@ ansible-galaxy collection install community.docker
 
 Ausführen von Rollen per
 ```
-ansible-playbook  site.yml -l webserver -t hackmd
+ansible-playbook -i hosts.yml site.yml -l webserver -t hackmd
 ```
 
 mit -l wird der hosts eingeschränkt mit -t der tag bzw die Rolle, alle tags stehen in der site.yml

ansible.cfg

 [defaults]
 # some default values for ansible
-inventory = hosts
+inventory = hosts.yml
 interpreter_python = /usr/bin/python3

common/crowdsec/tasks/main.yml

+---
+
+- name: "create folder struct for {{ servicename }}"
+  file:
+    path: "{{ item }}"
+    state: "directory"
+  with_items:
+    - "{{ basedir }}"
+
+- name: "deploy {{ servicename }} config files"
+  template:
+    dest:  "{{ basedir }}/{{ item }}"
+    src: "{{ item }}"
+    mode: 0644
+  with_items:
+    - docker-compose.yml
+  register: config
+
+# Start containers
+- name: "stop {{ servicename }} docker"
+  docker_compose:
+    project_src: "{{ basedir }}"
+    state: absent
+  when: config.changed
+
+- name: "start {{ servicename }} docker"
+  docker_compose:
+    project_src: "{{ basedir }}"
+    state: present
\ No newline at end of file

common/crowdsec/templates/crowdsec/dashboard/Dockerfile

+FROM metabase/metabase:v0.46.6.2
+
+RUN mkdir /data/ && wget https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip && unzip metabase_sqlite.zip -d /data/
\ No newline at end of file

common/crowdsec/templates/docker-compose.yml

+version: '3'
+
+services:
+  app:
+    image: crowdsecurity/crowdsec:v1.5.2
+    healthcheck:
+      test: ["CMD", "cscli", "version"]
+      interval: 20s
+      timeout: 2s
+      retries: 5
+      start_period: 10s
+    ports:
+      - "127.0.0.1:8080:8080"
+    environment:
+      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux crowdsecurity/nginx crowdsecurity/sshd"
+      GID: "${GID-1000}"
+      CUSTOM_HOSTNAME: dSHB
+    volumes:
+      - /etc/localtime:/etc/localtime:ro  
+      - /var/log:/var/log:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/systemd/journal/socket:/var/run/systemd/journal/socket:ro
+      - {{ basedir }}/appdata/crowdsec/data:/var/lib/crowdsec/data
+      - {{ basedir }}/appdata/crowdsec/config:/etc/crowdsec
+      - {{ basedir }}/crowdsec-db:
+  
+  dashboard:
+    build: ./crowdsec/dashboard
+    restart: always
+    environment:
+      MB_DB_FILE: /data/metabase.db
+      MGID: "${GID-1000}"
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=3000
+    volumes:
+      - crowdsec-db:/metabase-data/
\ No newline at end of file

common/docker_traefik/templates/docker-compose.yml

@@ -3,7 +3,7 @@ version: '2.4'
 services:
 
     app:
-        image: traefik:v3.0
+        image: traefik:v3.0.0-beta3
         restart: always
         ports:
             - "80:80"

common/wireguard/tasks/main.yml

@@ -53,6 +53,11 @@
   ansible.builtin.systemd:
     daemon_reload: true
 
+- name: "Stop systemd service for wg0"
+  ansible.builtin.systemd:
+    name: "wg-quick@wg0"
+    state: stopped
+
 - name: "Start systemd service for wg0"
   ansible.builtin.systemd:
     name: "wg-quick@wg0"

common/wireguard/templates/webserver.conf

@@ -5,4 +5,4 @@ ListenPort = 51821
 
 [Peer]
 PublicKey = 9FLaGBXWjInPv4PFRuAJPPrPWruzocVrXg9lsmwGdX4=
-AllowedIPs = 10.43.1.2, 192.168.0.0/24, 10.0.0.0/23
+AllowedIPs = 10.43.1.2, 192.168.0.0/24, 10.0.0.0/22

host_vars/ogg

@@ -57,9 +57,6 @@ alert:
     - { name: "esphome-dev_app_1" }    
     - { name: "fridgeserver_app_1" }    
     - { name: "grafana_app_1" }    
-    - { name: "graylog_graylog_1" }    
-    - { name: "graylog_mongodb_1" }    
-    - { name: "graylog_opensearch_1" }    
     - { name: "heimdall_app_1" }    
     - { name: "homeassistant_app_1" }    
     - { name: "homeassistant_influxdb_1" }    

host_vars/webserver

@@ -103,6 +103,7 @@ alert:
     - { name: "mail_mailman-nginx_1" }
     - { name: "matrix_ma1sd_1" }
     - { name: "matrix_db_1" }
+    - { name: "matrix_purgemediacache_1" }
     - { name: "matrix_synapse_1" }
     - { name: "matterbridge_cw_1" }
     - { name: "matterbridge_wz_1" }
@@ -120,7 +121,7 @@ alert:
     - { name: "workadventure_redis_1" }
   disks: 
     - { mountpoint: "/", warn: "5 GB", crit: "1 GB" }
-    - { mountpoint: "/srv", warn: "1 GB", crit: "500 MB" }
+    - { mountpoint: "/srv", warn: "5 GB", crit: "1 GB" }
   
 
 # Definition von Borgbackup Repositories 

hosts

-
-# Nameskonvention für Server: Pratchett Name/Charaktere
-# Namensliste: https://wiki.lspace.org/List_of_Pratchett_characters
-# Nächste freie Namen: vimes, cake, colon, detritus, dibbler, dorfl, gaspode, quirm, cherry, nobby, ramkin, ron, shoe, slant, angua, vetinary, bursar, coin, dean, worblehat, luggage. mustrum, rincewind, wrangler, stibbons, whitlow  
-
-[test]
-
-[prod]
-
-# Interner Proxmox-Server
-# Für Verbindungen über den Webserver als Jumphost folgende Parameter ergänzen: 
-# ansible_ssh_common_args='-o ForwardAgent=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ProxyCommand="ssh -W %h:%p -q 159.69.57.51"'
-weatherwax   ansible_ssh_host=192.168.0.200
-
-# Server für interne Dienste
-# Container auf dem internen Proxmox Server 
-# Wichtige Optionen: Nesting = Yes, keyctl = enabled
-ogg          ansible_ssh_host=192.168.0.201
-
-# Server für VPN Verbindung zum Webserver 
-# Container auf dem internen Proxmox Server 
-# Wichtige Optionen: Nesting = Yes, keyctl = enabled
-carrot       ansible_ssh_host=192.168.0.202
-
-# Externe Server Warpzone
-# Öffentlicher Root Server Warpzone bei Hetzner 
-tiffany     ansible_ssh_host=159.69.57.15
-
-# Öffentlicher Webserver Warpzone 
-# VM auf Tiffany
-webserver   ansible_ssh_host=159.69.57.51 
-
-# Vorstands-VM
-# VM auf Tiffany
-# Auch erreichbar unter verwaltung.warpzone.ms
-verwaltung ansible_ssh_host=195.201.179.60
-
-# Physischer Server für Veranstaltungen / Camps 
-# warpzone.remote Proxmox-Server
-hex         ansible_ssh_host=10.111.10.100
-
-# Virtueller Server für Infrastruktur-Dienste auf Veranstaltungen / Camps
-# Container auf dem warpzone.remote Proxmox-Server 
-# Wichtige Optionen: Nesting = Yes, keyctl = enabled
-hix         ansible_ssh_host=10.111.10.101

hosts.yml

@@ -12,11 +12,13 @@ prod:
         # ansible_ssh_common_args='-o ForwardAgent=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ProxyCommand="ssh -W %h:%p -q 159.69.57.51"'
         weatherwax:
           ansible_ssh_host: 192.168.0.200
+          ansible_user: root
 
         # Externe Server Warpzone
         # Öffentlicher Root Server Warpzone bei Hetzner
         tiffany:
           ansible_ssh_host: 159.69.57.15
+          ansible_user: root
 
     vms:
       children:
@@ -27,12 +29,14 @@ prod:
             # Wichtige Optionen: Nesting = Yes, keyctl = enabled
             ogg:
               ansible_ssh_host: 192.168.0.201
+              ansible_user: root
 
             # Server für VPN Verbindung zum Webserver
             # Container auf dem internen Proxmox Server
             # Wichtige Optionen: Nesting = Yes, keyctl = enabled
             carrot:
               ansible_ssh_host: 192.168.0.202
+              ansible_user: root
 
         tiffany-vms:
           hosts:
@@ -40,12 +44,14 @@ prod:
             # VM auf Tiffany
             webserver:
               ansible_ssh_host: 159.69.57.51
+              ansible_user: root
 
             # Vorstands-VM
             # VM auf Tiffany
             # Auch erreichbar unter verwaltung.warpzone.ms
             verwaltung:
               ansible_ssh_host: 195.201.179.60
+              ansible_user: root
 
 event:
   children:
@@ -55,6 +61,7 @@ event:
         # warpzone.remote Proxmox-Server
         hex:
           ansible_ssh_host: 10.111.10.100
+          ansible_user: root
 
     vms:
       hosts:
@@ -63,3 +70,4 @@ event:
         # Wichtige Optionen: Nesting = Yes, keyctl = enabled
         hix:
           ansible_ssh_host: 10.111.10.101
+          ansible_user: root
\ No newline at end of file

intern/docker_grafana/templates/docker-compose.yml

@@ -4,7 +4,7 @@ services:
 
   app:
 
-    image: grafana/grafana:9.4.3
+    image: grafana/grafana:9.5.6
     restart: always
     volumes:
       - "{{ basedir }}/grafana.ini:/etc/grafana/grafana.ini"

intern/docker_graylog/tasks/main.yml

----
-
-- name: "create folder struct for {{ servicename }}"
-  file: 
-    path: "{{ basedir }}" 
-    state: "directory"
-
-- name: "create folder struct for {{ servicename }}"
-  file: 
-    path: "{{ basedir }}/{{ item }}" 
-    state: "directory"
-    owner: 508
-    group: 508
-  with_items:
-    - "data"
-    - "logs"
-
-- name: "create config files for {{ servicename }}"
-  template: 
-    src: "{{ item }}"
-    dest: "{{ basedir }}/{{ item }}"
-  with_items:
-    - docker-compose.yml 
-
-- name: "start {{ servicename }} docker"
-  docker_compose:
-    project_src: "{{ basedir }}"
-    state: present
-

intern/docker_graylog/templates/docker-compose.yml

-version: "3"
-
-services:
-  mongodb:
-    image: "mongo:6.0.4"
-    restart: "always"
-
-  opensearch:
-    image: "opensearchproject/opensearch:2.6.0"
-    environment:
-      - "TZ=Europe/Berlin"
-      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
-      - "bootstrap.memory_lock=true"
-      - "discovery.type=single-node"
-      - "action.auto_create_index=false"
-      - "plugins.security.ssl.http.enabled=false"
-      - "plugins.security.disabled=true"
-    restart: "always"
-
-  graylog:
-    hostname: "server"
-    image: "graylog/graylog:5.0.5"
-    entrypoint: "/usr/bin/tini -- wait-for-it opensearch:9200 --  /docker-entrypoint.sh"
-    environment:
-      TZ: "Europe/Berlin"
-      GRAYLOG_NODE_ID_FILE: "/usr/share/graylog/data/config/node-id"
-      GRAYLOG_PASSWORD_SECRET: "warpzonewarpzone"
-      GRAYLOG_ROOT_PASSWORD_SHA2: "26230bc6e5e044e6e3cef7c76a2800fdf2d3952ef03e85c83491b99eef149c40"
-      GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
-      GRAYLOG_HTTP_EXTERNAL_URI: "http://graylog.warpzone.lan/"
-      GRAYLOG_ELASTICSEARCH_HOSTS: "http://opensearch:9200"
-      GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
-    ports:
-      - "514:5140/udp"   # Syslog
-      - "514:5140/tcp"   # Syslog
-    restart: "always"
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
-      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
-      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=9000
-    networks:
-      - web
-      - default
-
-networks:
-  web:
-    external: true

intern/docker_homeassistant/templates/config/configuration.yaml

@@ -79,6 +79,12 @@ rest_command:
   set_zone_status_closed: 
     url: "https://api.warpzone.ms/setstatus?newstatus=CLOSED&update_key={{ warpai_status_update_key }}"
     method: GET 
+  set_lounge_matrix_off:
+    url: "http://led-matrix.warpzone.lan/play/off.png"
+    method: GET
+  set_lounge_matrix_on:
+    url: "http://led-matrix.warpzone.lan/skip"
+    method: GET
 
 # https://www.home-assistant.io/integrations/telegram/
 telegram_bot:
@@ -705,6 +711,8 @@ automation ansible:
             - kuche
             - lounge
             - serverrack
+      - service: rest_command.set_lounge_matrix_off
+        data: {}
     mode: queued
     max: 30
   
@@ -732,7 +740,7 @@ automation ansible:
     max: 30
 
   # WLED default Lounge
-  - alias: "ANSIBLE_WLED_lougne_default"
+  - alias: "ANSIBLE_WLED_lounge_default"
     description: WLED Default effect in der Lounge
     trigger:
       - type: turned_on
@@ -769,6 +777,8 @@ automation ansible:
             - select.lampan_preset
             - select.clock_preset
             - select.fernseher01_preset
+      - service: rest_command.set_lounge_matrix_on
+        data: {}
     mode: single
 
   # WLED default hackcenter
@@ -815,7 +825,7 @@ automation ansible:
 
 
   # WLED meteor lounge
-  - alias: "ANSIBLE_WLED_Lounge_Meteor"
+  - alias: "ANSIBLE_WLED_lounge_Meteor"
     description: WLED Meteor effect in der Lounge
     trigger:
       - type: turned_on

intern/docker_homeassistant/templates/docker-compose.yml

@@ -26,7 +26,7 @@ services:
   
   influxdb:
 
-    image: influxdb:2.6.1
+    image: influxdb:2.7.1
     restart: always
     ports:
       - "{{ int_ip4 }}:{{ influxdb_port }}:8086"

intern/docker_nodered/templates/docker-compose.yml

@@ -9,7 +9,7 @@ version: "3"
 services:
 
   app:
-    image: nodered/node-red:2.2.3
+    image: nodered/node-red:3.0.2
     restart: always
     volumes:
       - "{{ basedir }}/data:/data"

remote/docker_homeassistant/templates/docker-compose.yml

@@ -24,7 +24,7 @@ services:
   
   influxdb:
 
-    image: influxdb:2.6.0
+    image: influxdb:2.7.1
     restart: always
     ports:
       - "{{ int_ip4 }}:{{ influxdb_port }}:8086"

remote/docker_prometheus/templates/docker-compose.yml

@@ -5,7 +5,7 @@ services:
 
   app:
 
-    image: prom/prometheus:v2.42.0
+    image: prom/prometheus:v2.45.0
     restart: always
     ports:
       - 9090:9090