group_vars/prod

@@ -136,4 +136,5 @@ oauth_global:
 
 oidc_global:
   provider_url: https://uffd.warpzone.ms
-  logout_url: https://uffd.warpzone.ms/logout
\ No newline at end of file
+  logout_url: https://uffd.warpzone.ms/logout
+  ldap_base_dn: "dc=warpzone,dc=ms"

group_vars/test

@@ -47,10 +47,11 @@ oauth_global:
 oidc_global:
   provider_url: https://uffd.test-warpzone.de
   logout_url: https://uffd.test-warpzone.de/logout
+  ldap_base_dn: "dc=test-warpzone,dc=de"
 
 # Matrix Settings 
 matrix:
-  domain: matrix.warpzone.ms
-  public_url: https://matrix.warpzone.ms
-  identity_server: https://matrix.warpzone.ms
-  notifications_room_id: "!QxrpmOPYwofaPFqKMY:matrix.warpzone.ms"
\ No newline at end of file
+  domain: matrix.test-warpzone.de
+  public_url: https://matrix.test-warpzone.de
+  identity_server: https://matrix.test-warpzone.de
+  notifications_room_id: "!QxrpmOPYwofaPFqKMY:matrix.test-warpzone.de"

host_vars/ogg

@@ -31,8 +31,15 @@ webserver_ssl: false
 
 # Liste der gehosteten Domänen
 webserver_domains:
-  - "esphome.warpzone"
-  - "unifi.warpzone"
+  - "warpsrvint.warpzone"
+  - "esphome.warpzone.lan"
+  - "fridgeserver.warpzone.lan"
+  - "grafana.warpzone.lan"
+  - "services.warpzone.lan"
+  - "ha.warpzone.lan"
+  - "omada.warpzone.lan"
+  - "tasmoadmin.warpzone.lan"
+  - "zigbee2mqtt.warpzone.lan"
 
 administratorenteam:
   - "void"
@@ -66,6 +73,7 @@ alert:
     - { name: "mqtt-tgfloat-1" } 
     - { name: "nodered-app-1" }
     - { name: "omada-app-1" }
+    - { name: "pihole-app-1" }
     - { name: "tasmoadmin-app-1" }
     - { name: "traefik-app-1" }
     - { name: "watchtower-app-1" }

host_vars/pihole

+
+# Host spezifische Variablen
+
+motd_lines:
+  - "pihole - Interner pihole DNS @ warpzone"
+  - "Haupt-IP @ eth0: {{ansible_eth0.ipv4.address}}"
+
+debian_sources:
+  - "deb http://ftp2.de.debian.org/debian/ bookworm main contrib non-free non-free-firmware"
+  - "deb http://ftp.debian.org/debian bookworm-updates main contrib non-free non-free-firmware"
+  - "deb http://security.debian.org/ bookworm-security main contrib non-free non-free-firmware"
+  - "deb https://download.docker.com/linux/debian bookworm stable"
+
+debian_keys_id:
+
+debian_keys_url:
+  - "https://download.docker.com/linux/debian/gpg"
+
+
+# Primäre IP Adressen des Hosts
+#ext_ip4: <keine>
+#ext_ip6: <keine>
+int_ip4: 10.0.0.2
+
+
+# Art des Hosts: physical, vm, lxc
+host_type: "lxc"
+
+# SSL deaktivieren
+webserver_ssl: false
+
+# Liste der gehosteten Domänen
+webserver_domains:
+  - "pihole.warpzone.lan"
+
+administratorenteam:
+  - "void"
+  - "sandhome"
+  - "3d"
+  - "jabertwo"
+
+# Monitoring aktivieren
+alert:
+  load:
+    warn: 15
+    crit: 30
+  containers:
+    - { name: "dockerstats-app-1" }
+    - { name: "pihole-app-1" }
+  disks:
+    - { mountpoint: "/", warn: "1 GB", crit: "512 MB" }
\ No newline at end of file

host_vars/test-warpzone-de

@@ -58,6 +58,7 @@ administratorenteam:
   - "void"
   - "sandhome"
   - "jabertwo"
+  - "supervirus"
 
 # Docker konfigurationen 
 docker:

hosts.yml

@@ -37,6 +37,10 @@ prod:
     carrot:
       ansible_ssh_host: 192.168.0.202
       ansible_user: root
+    
+    pihole:
+      ansible_ssh_host: 10.0.0.2
+      ansible_user: root
 
     # Öffentlicher Webserver Warpzone
     # VM auf Tiffany

intern/docker_homeassistant/templates/config/configuration.yaml

@@ -821,6 +821,23 @@ automation ansible:
           area_id: schnackcenter
     mode: single
 
+  - alias: ANSIBLE_ZONE_NoAutoOn_aus
+    description: ""
+    triggers: []
+    conditions: []
+    actions:
+      - action: light.turn_off
+        metadata: {}
+        data: {}
+        target:
+          area_id: NoAutoOn
+      - action: switch.turn_off
+        metadata: {}
+        data: {}
+        target:
+          area_id: NoAutoOn
+    mode: single
+
   - alias: ANSIBLE_ZONE_backcenter_an
     description: ""
     triggers: []

intern/docker_omada/templates/docker-compose.yml

@@ -5,15 +5,18 @@ services:
     image: mbentley/omada-controller:latest
     restart: always
     ports:
-      - {{ omada_port_http }}:8088
-      - {{ omada_port_https }}:8043
-      - {{ omada_portal_https }}:8843 
+      - "{{ omada_port_http }}:{{ omada_port_http }}"
+      - "{{ omada_port_https }}:{{ omada_port_https }}"
+      - "{{ omada_portal_https }}:{{ omada_portal_https }}"
       - 27001:27001/udp 
+      - 27002:27002 
       - 29810:29810/udp 
       - 29811:29811 
       - 29812:29812 
       - 29813:29813 
       - 29814:29814 
+      - 29815:29815 
+      - 29816:29816 
     sysctls:
       - net.ipv4.ip_unprivileged_port_start=0
     volumes:
@@ -34,6 +37,8 @@ services:
       PORT_DISCOVERY: 29810
       PORT_MANAGER_V1: 29811
       PORT_MANAGER_V2: 29814
+      PORT_TRANSFER_V2: 29815
+      PORT_RTTY: 29816
       PORT_UPGRADE_V1: 29813
       SHOW_SERVER_LOGS: "true"
       SHOW_MONGODB_LOGS: "false"

intern/docker_pihole/templates/docker-compose.yml

+services:
+  app:
+    image: pihole/pihole:latest
+    restart: always
+    ports:
+      - "53:53/tcp"
+      - "53:53/udp"
+    volumes:
+      - "{{ basedir }}/etc:/etc/pihole"
+      - "{{ basedir }}/dnsmasq:/etc/dnsmasq.d"
+      - "/dev/null:/var/log/pihole.log"
+      - "/dev/null:/var/log/pihole-FTL.log"
+    hostname: pihole
+    environment:
+      TZ: 'Europe/Berlin'
+      TAIL_FTL_LOG: 0
+      FTLCONF_LOCAL_IPV4: '{{ int_ip4 }}'
+      WEBPASSWORD: '{{ admin_password }}'
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.services.{{ servicename }}.loadBalancer.server.port=80
+    networks:
+      - default
+      - web
+
+networks:
+  web:
+    external: true
\ No newline at end of file

keyfiles/supervirus.pub

+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM6+Ex8TM4gP+Nph5Cy5zK6z2mceI9i7vsh0ec4oTfDC htk@ridcully
\ No newline at end of file

pihole/docker_pihole/tasks/main.yml

+       
+- include_tasks: ../functions/get_secret.yml
+  with_items:
+    - { path: "{{ basedir }}/secrets/admin_password",  type: create, length: 24 }
+
+- name: "create folder struct for {{ servicename }}"
+  file:
+    path: "{{ item }}"
+    state: "directory"
+  with_items:
+    - "{{ basedir }}"
+    - "{{ basedir }}/secrets"
+    - "{{ basedir }}/etc"
+
+- name: "create config files for {{ servicename }}"
+  template:
+    src: "{{ item }}"
+    dest: "{{ basedir }}/{{ item }}"
+  with_items:
+    - docker-compose.yml
+    - etc/pihole.toml
+  register: config
+
+- name: "stop {{ servicename}} docker"
+  community.docker.docker_compose_v2:
+    project_src: "{{ basedir }}"
+    state: absent
+  when: config.changed
+
+- name: "start {{ servicename}} docker"
+  community.docker.docker_compose_v2:
+    project_src: "{{ basedir }}"
+    state: present
\ No newline at end of file

pihole/docker_pihole/templates/docker-compose.yml

+services:
+  app:
+    image: pihole/pihole:2025.02.6
+    restart: always
+    network_mode: host
+    volumes:
+      - '{{ basedir }}/etc:/etc/pihole'
+    hostname: pihole
+    environment:
+      TZ: 'Europe/Berlin'
+      WEBPASSWORD: '{{ admin_password }}'
+    cap_add:
+      - NET_ADMIN
+      - SYS_NICE
+      - SYS_TIME
+      - NET_BIND_SERVICE
+      - NET_RAW

site.yml

@@ -76,6 +76,12 @@
         basedir: "/srv/{{ servicename }}",
         domain: "md.test-warpzone.de"
       }
+    - { 
+        role: testserver/docker_matrix, tags: [ test_matrix, docker_services ],
+        servicename: "matrix",
+        basedir: "/srv/{{ servicename }}",
+        domain: "matrix.test-warpzone.de"
+      }
     - { 
         role: testserver/docker_nextcloud, tags: [ test_nextcloud, docker_services ],
         servicename: "nextcloud",
@@ -244,6 +250,24 @@
         domain: "zigbee2mqtt.warpzone.lan"
       }
 
+- hosts: pihole
+  remote_user: root
+  roles:
+    - { role: common/cronapt, tags: cronapt }
+    - { role: common/docker, tags: docker }
+    - { role: common/prometheus-node, tags: prometheus-node }
+    - { 
+        role: common/docker_dockerstats, tags: [ dockerstats, docker_services ], 
+        servicename: dockerstats, 
+        basedir: /srv/dockerstats, 
+        metrics_port: 9487 
+      }
+    - { 
+        role: pihole/docker_pihole, tags: pihole,
+        servicename: pihole,
+        basedir: /srv/pihole,
+        domain: "pihole.warpzone.lan"
+      }
 
 - hosts: webserver
   remote_user: root

testserver/docker_dokuwiki/tasks/main.yml

@@ -12,6 +12,10 @@
     - "{{ basedir }}"
     - "{{ basedir }}/data"
     - "{{ basedir }}/pdftemplate"
+    - "{{ basedir }}/data/lib"
+    - "{{ basedir }}/data/lib/plugins"
+    - "{{ basedir }}/data/lib/plugins/oauth"
+    - "{{ basedir }}/data/lib/plugins/oauthgeneric"
 
 - name: Docker Compose Konfig-Datei erstellen
   template:
@@ -20,9 +24,36 @@
   with_items:
     - docker-compose.yml
     - Dockerfile
-    - authuffd_vars.php
   register: config
 
+- name: oauth plugin clonen
+  ansible.builtin.git:
+    repo: https://github.com/cosmocode/dokuwiki-plugin-oauth.git
+    dest: "{{ basedir }}/data/lib/plugins/oauth"
+    force: true
+
+- name: config für oauth kopieren
+  ansible.builtin.template:
+    src: oauth_vars.php
+    dest: "{{ basedir }}/data/lib/plugins/oauth/conf/default.php"
+
+- name: oauthgeneric plugin clonen
+  ansible.builtin.git:
+    repo: https://github.com/cosmocode/dokuwiki-plugin-oauthgeneric.git
+    dest: "{{ basedir }}/data/lib/plugins/oauthgeneric"
+    force: true
+
+- name: config für oauthgeneric kopieren
+  ansible.builtin.template:
+    src: oauthgeneric_vars.php
+    dest: "{{ basedir }}/data/lib/plugins/oauthgeneric/conf/default.php"
+
+- name: oauth provider aktivieren
+  ansible.builtin.lineinfile:
+    path: "{{ basedir }}/data/conf/local.php"
+    regexp: "^$conf['authtype'] = "
+    line: "$conf['authtype'] = 'oauth';"
+
 - name: "stop {{ servicename}} docker"
   community.docker.docker_compose_v2:
     project_src: "{{ basedir }}"

testserver/docker_dokuwiki/templates/Dockerfile

@@ -25,16 +25,6 @@ RUN apt-get update && apt-get install -y wget unzip git \
     && tar -xvzf dokuwiki-stable.tgz -C /var/www/html --strip-components=1 \
     && rm dokuwiki-stable.tgz
 
-# Plugin-Verzeichnis erstellen und das Authentifizierungs-Plugin hinzufügen
-RUN mkdir -p /var/www/html/lib/plugins/authuffd \
-    && git clone https://git.cccv.de/uffd/dokuwiki-plugin-authuffd.git /var/www/html/lib/plugins/authuffd
-
-# Konfigurationsdatei für das Plugin anpassen
-COPY authuffd_vars.php /var/www/html/lib/plugins/authuffd/conf/default.php
-
-# DokuWiki Konfiguration anpassen
-RUN echo "\$conf['authtype'] = 'authuffd';" >> /var/www/html/conf/local.php
-
 # Setzen der richtigen Berechtigungen
 RUN chown -R www-data:www-data /var/www/html
 

testserver/docker_dokuwiki/templates/authuffd_vars.php

-<?php
-
-$conf['name'] = 'uffd';
-$conf['baseurl'] = '{{ oidc_global.provider_url }}';
-$conf['oauth2_client_id'] = '{{ servicename }}';
-$conf['oauth2_client_secret'] = '{{ oauth_secret }}';
-$conf['oauth2_redirect_uri'] = '{{ domain }}/dokuwiki/doku.php?id=authredirect';
-#$conf['api_username'] = '';
-#$conf['api_password'] = '';

testserver/docker_dokuwiki/templates/oauth_vars.php

+<?php
+
+/**
+ * Default settings for the oauth plugin
+ *
+ * @author Andreas Gohr <andi@splitbrain.org>
+ */
+
+$conf['info'] = '';
+$conf['custom-redirectURI']  = '';
+$conf['mailRestriction']     = '';
+$conf['singleService']       = '';
+$conf['register-on-auth']    = 1;
+$conf['overwrite-groups']    = 0;
\ No newline at end of file

testserver/docker_dokuwiki/templates/oauthgeneric_vars.php

+<?php
+/**
+ * Default settings for the oauthgeneric plugin
+ */
+
+$conf['key'] = 'dokuwiki';
+$conf['secret'] = '{{ oauth_secret }}';
+
+$conf['authurl'] = '{{ oauth_global.authorize_url }}';
+$conf['tokenurl'] = '{{ oauth_global.token_url }}';
+$conf['userurl'] = '{{ oauth_global.userinfo_url }}';
+$conf['authmethod'] = '1';
+$conf['scopes'] = 'email, openid, profile, groups';
+$conf['needs-state'] = 0;
+
+$conf['json-user'] = 'prefered_username';
+$conf['json-name'] = 'name';
+$conf['json-mail'] = 'email';
+$conf['json-grps'] = 'groups';
+
+$conf['label'] = 'uffd';
+$conf['color'] = '#ff3d00';
\ No newline at end of file

testserver/docker_matrix/tasks/main.yml

@@ -3,7 +3,12 @@
 - include_tasks: ../functions/get_secret.yml
   with_items:
    - { path: /srv/shared/noreply_email_pass, length: -1 }
-   - { path: /srv/ldap/secret/ldap_readonly_pass, length: -1 }
+   - { path: /srv/matrix/uffd_api_secret, length: 32 }
+   - { path: /srv/matrix/ldap_bind_pw, length: 32 }
+   - { path: /srv/matrix/matrix_macaroon_secret_key, length: 32 }
+   - { path: /srv/matrix/matrix_registration_shared_secret, length: 32 }
+   - { path: /srv/matrix/matrix_form_secret, length: 32 }
+   - { path: /srv/matrix/matrix_oidc_secret, length: 32 }
    - { path: /srv/matrix/postgres_user_pass,  length: 24 }
    - { path: /srv/matrix/admin_access_token,  length: -1 } # Get in Element fo an Admin User: Settings > Help > Advanced 
 
@@ -16,8 +21,6 @@
     group: www-data
   with_items:
     - "/srv/matrix/"
-    - "/srv/matrix/ma1sd-config/"
-    - "/srv/matrix/ma1sd-data/"
     - "/srv/matrix/synapse-data/"
 
 
@@ -29,6 +32,7 @@
     group: "999"
   with_items:
     - "/srv/matrix/db/"
+    - "/srv/matrix/uffd-ldapd/"
 
 
 - name: Konfig-Dateien erstellen
@@ -37,10 +41,9 @@
     dest: "/srv/matrix/{{ item }}"
   with_items:
     - docker-compose.yml
-    - rest_auth_provider.py
-    - ma1sd-config/ma1sd.yaml
     - synapse-data/homeserver.log.config
     - synapse-data/homeserver.yaml
+    - uffd-ldapd/Dockerfile
   register: configs