-rw-r--r-- | deploy-reboot.yml | 15 | ||||
-rw-r--r-- | host_vars/firstroot/public | 2 | ||||
-rw-r--r-- | host_vars/hetzner/public | 2 | ||||
-rw-r--r-- | host_vars/netcup/tinc | 2 | ||||
-rw-r--r-- | roles/linux_ns/README.md (renamed from roles/linux-ns/README.md) | 0 | ||||
-rw-r--r-- | roles/linux_ns/defaults/main.yml (renamed from roles/linux-ns/defaults/main.yml) | 0 | ||||
-rw-r--r-- | roles/linux_ns/files/iptables/ip6tables.save (renamed from roles/linux-ns/files/iptables/ip6tables.save) | 10 | ||||
-rw-r--r-- | roles/linux_ns/files/iptables/iptables.save (renamed from roles/linux-ns/files/iptables/iptables.save) | 0 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/dn42_bird-lg.service (renamed from roles/linux-ns/files/systemd/dn42_bird-lg.service) | 0 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/dn42_bird-lgproxy.service (renamed from roles/linux-ns/files/systemd/dn42_bird-lgproxy.service) | 0 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/dn42_bird.service (renamed from roles/linux-ns/files/systemd/dn42_bird.service) | 0 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/dn42_namespace.service (renamed from roles/linux-ns/files/systemd/dn42_namespace.service) | 0 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/dn42_nginx.service (renamed from roles/linux-ns/files/systemd/dn42_nginx.service) | 0 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/dn42_pdns.service (renamed from roles/linux-ns/files/systemd/dn42_pdns.service) | 0 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/dn42_tinc@.service (renamed from roles/linux-ns/files/systemd/dn42_tinc@.service) | 0 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/dn42_wg@.service (renamed from roles/linux-ns/files/systemd/dn42_wg@.service) | 0 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/my-netns@.service (renamed from roles/linux-ns/files/systemd/my-netns@.service) | 0 | ||||
-rw-r--r-- | roles/linux_ns/files/systemd/readme.txt (renamed from roles/linux-ns/files/systemd/readme.txt) | 0 | ||||
-rw-r--r-- | roles/linux_ns/handlers/main.yml (renamed from roles/linux-ns/handlers/main.yml) | 0 | ||||
-rw-r--r-- | roles/linux_ns/meta/main.yml (renamed from roles/linux-ns/meta/main.yml) | 2 | ||||
-rw-r--r-- | roles/linux_ns/tasks/main.yml (renamed from roles/linux-ns/tasks/main.yml) | 0 | ||||
-rwxr-xr-x | roles/linux_ns/templates/dn42-route-namespace.sh (renamed from roles/linux-ns/templates/dn42-route-namespace.sh) | 0 | ||||
-rw-r--r-- | roles/linux_ns/vars/main.yml (renamed from roles/linux-ns/vars/main.yml) | 0 | ||||
-rw-r--r-- | roles/tinc/defaults/main.yml | 14 | ||||
-rw-r--r-- | roles/tinc/handlers/main.yml | 4 | ||||
-rw-r--r-- | roles/tinc/tasks/main.yml | 4 | ||||
-rw-r--r-- | roles/tinc/tasks/tinc.yml | 2 | ||||
-rwxr-xr-x | roles/tinc/templates/tinc-up.j2 | 6 | ||||
-rw-r--r-- | roles/tinc/templates/tinc.conf.j2 | 8 | ||||
-rwxr-xr-x | scripts/acme/dns-auth.sh | 16 | ||||
-rwxr-xr-x | scripts/acme/dns-clean.sh | 14 | ||||
-rw-r--r-- | tailscale-fuckup.yml | 35 |
32 files changed, 110 insertions, 26 deletions
diff --git a/deploy-reboot.yml b/deploy-reboot.yml index de7bed7..078d6cd 100644 --- a/deploy-reboot.yml +++ b/deploy-reboot.yml @@ -1,7 +1,7 @@ --- - name: Deploy conditional reboot service and timer hosts: all - become: yes + become: true tasks: - name: Copy conditional-reboot.service file @@ -14,8 +14,9 @@ [Service] Type=oneshot ExecStart=/bin/sh -c 'if [ -f /var/run/reboot-required ]; then reboot; fi' + mode: "0640" notify: - - reload systemd + - Reload systemd - name: Copy conditional-reboot.timer file copy: @@ -30,17 +31,17 @@ [Install] WantedBy=timers.target + mode: "0640" notify: - - reload systemd + - Reload systemd - name: Enable and start conditional-reboot.timer systemd: name: conditional-reboot.timer - enabled: yes + enabled: true state: started handlers: - - name: reload systemd + - name: Reload systemd systemd: - daemon_reload: yes - + daemon_reload: true diff --git a/host_vars/firstroot/public b/host_vars/firstroot/public index 3f931d1..26ea780 100644 --- a/host_vars/firstroot/public +++ b/host_vars/firstroot/public @@ -1,4 +1,4 @@ -tinc: +tinc_options: configure: true name: firstroot connections: [hetzner] diff --git a/host_vars/hetzner/public b/host_vars/hetzner/public index 02b9c22..1c2f68f 100644 --- a/host_vars/hetzner/public +++ b/host_vars/hetzner/public @@ -1,4 +1,4 @@ -tinc: +tinc_options: configure: true name: hetzner connections: [netcup] diff --git a/host_vars/netcup/tinc b/host_vars/netcup/tinc index 9d49382..4160b55 100644 --- a/host_vars/netcup/tinc +++ b/host_vars/netcup/tinc @@ -1,4 +1,4 @@ -tinc: +tinc_options: configure: true name: netcup connections: [hetzner] diff --git a/roles/linux-ns/README.md b/roles/linux_ns/README.md index cf5808e..cf5808e 100644 --- a/roles/linux-ns/README.md +++ b/roles/linux_ns/README.md diff --git a/roles/linux-ns/defaults/main.yml b/roles/linux_ns/defaults/main.yml index f7472ec..f7472ec 100644 --- a/roles/linux-ns/defaults/main.yml +++ b/roles/linux_ns/defaults/main.yml 
diff --git a/roles/linux-ns/files/iptables/ip6tables.save b/roles/linux_ns/files/iptables/ip6tables.save index 036e5a5..ca67633 100644 --- a/roles/linux-ns/files/iptables/ip6tables.save +++ b/roles/linux_ns/files/iptables/ip6tables.save @@ -24,7 +24,17 @@ -A INPUT -j REJECT --reject-with icmp6-port-unreachable -A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT +# don't match source alone - will prevent outer system from doing stuff. +-A FORWARD -i eth0 -d fd00::/8 -j ACCEPT +# replies! +-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +# post/prerouting, must allow forward +# formerly for HTTP/S +#-A FORWARD -s fd00::/8 -d fcee::1/128 -j ACCEPT +#-A FORWARD -s fcee::1/128 -d fd00::/8 -j ACCEPT + +#-A FORWARD -j LOG --log-prefix "[dn42] forward" -A FORWARD -j REJECT --reject-with icmp6-port-unreachable COMMIT diff --git a/roles/linux-ns/files/iptables/iptables.save b/roles/linux_ns/files/iptables/iptables.save index 4f72cc5..4f72cc5 100644 --- a/roles/linux-ns/files/iptables/iptables.save +++ b/roles/linux_ns/files/iptables/iptables.save diff --git a/roles/linux-ns/files/systemd/dn42_bird-lg.service b/roles/linux_ns/files/systemd/dn42_bird-lg.service index 85c5358..85c5358 100644 --- a/roles/linux-ns/files/systemd/dn42_bird-lg.service +++ b/roles/linux_ns/files/systemd/dn42_bird-lg.service diff --git a/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service b/roles/linux_ns/files/systemd/dn42_bird-lgproxy.service index 273ab16..273ab16 100644 --- a/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service +++ b/roles/linux_ns/files/systemd/dn42_bird-lgproxy.service diff --git a/roles/linux-ns/files/systemd/dn42_bird.service b/roles/linux_ns/files/systemd/dn42_bird.service index cbf80f0..cbf80f0 100644 --- a/roles/linux-ns/files/systemd/dn42_bird.service +++ b/roles/linux_ns/files/systemd/dn42_bird.service diff --git a/roles/linux-ns/files/systemd/dn42_namespace.service b/roles/linux_ns/files/systemd/dn42_namespace.service index 4034879..4034879 100644 
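Review bot: The new `-A FORWARD -i eth0 -d fd00::/8 -j ACCEPT` forwards any packet arriving on eth0 toward fd00::/8 regardless of source, so it is strictly wider than the `-s fd00::/8 -d fd00::/8` rule above it; if eth0 is the interface facing the host or upstream rather than a point-to-point veth, anything that can put a ULA-destined packet on it is forwarded into the dn42 side. The comment explains why `-s fd00::/8` was dropped, but the stated intent ("let the outer system do stuff") is better expressed by pinning the outer system's address or the egress interface, e.g. `-A FORWARD -i eth0 -s <outer-host-addr>/128 -d fd00::/8 -j ACCEPT` (the commented-out rules suggest fcee::1/128 played that role). Moving the `ESTABLISHED,RELATED` accept above the other FORWARD accepts would also mean only new flows are evaluated by them, and the comment should say which side of the namespace eth0 is, since that decides whether this rule is an exposure.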
--- a/roles/linux-ns/files/systemd/dn42_namespace.service +++ b/roles/linux_ns/files/systemd/dn42_namespace.service diff --git a/roles/linux-ns/files/systemd/dn42_nginx.service b/roles/linux_ns/files/systemd/dn42_nginx.service index 43d8a67..43d8a67 100644 --- a/roles/linux-ns/files/systemd/dn42_nginx.service +++ b/roles/linux_ns/files/systemd/dn42_nginx.service diff --git a/roles/linux-ns/files/systemd/dn42_pdns.service b/roles/linux_ns/files/systemd/dn42_pdns.service index 45cc367..45cc367 100644 --- a/roles/linux-ns/files/systemd/dn42_pdns.service +++ b/roles/linux_ns/files/systemd/dn42_pdns.service diff --git a/roles/linux-ns/files/systemd/dn42_tinc@.service b/roles/linux_ns/files/systemd/dn42_tinc@.service index bf17815..bf17815 100644 --- a/roles/linux-ns/files/systemd/dn42_tinc@.service +++ b/roles/linux_ns/files/systemd/dn42_tinc@.service diff --git a/roles/linux-ns/files/systemd/dn42_wg@.service b/roles/linux_ns/files/systemd/dn42_wg@.service index 0f67fda..0f67fda 100644 --- a/roles/linux-ns/files/systemd/dn42_wg@.service +++ b/roles/linux_ns/files/systemd/dn42_wg@.service diff --git a/roles/linux-ns/files/systemd/my-netns@.service b/roles/linux_ns/files/systemd/my-netns@.service index c9735b7..c9735b7 100644 --- a/roles/linux-ns/files/systemd/my-netns@.service +++ b/roles/linux_ns/files/systemd/my-netns@.service diff --git a/roles/linux-ns/files/systemd/readme.txt b/roles/linux_ns/files/systemd/readme.txt index 99d220e..99d220e 100644 --- a/roles/linux-ns/files/systemd/readme.txt +++ b/roles/linux_ns/files/systemd/readme.txt diff --git a/roles/linux-ns/handlers/main.yml b/roles/linux_ns/handlers/main.yml index 144e1c1..144e1c1 100644 --- a/roles/linux-ns/handlers/main.yml +++ b/roles/linux_ns/handlers/main.yml diff --git a/roles/linux-ns/meta/main.yml b/roles/linux_ns/meta/main.yml index 20a965c..088c53c 100644 --- a/roles/linux-ns/meta/main.yml +++ b/roles/linux_ns/meta/main.yml 
@@ -8,7 +8,7 @@ galaxy_info: license: MIT - min_ansible_version: 2.1 + min_ansible_version: "2.1" galaxy_tags: [] diff --git a/roles/linux-ns/tasks/main.yml b/roles/linux_ns/tasks/main.yml index 6984b1f..6984b1f 100644 --- a/roles/linux-ns/tasks/main.yml +++ b/roles/linux_ns/tasks/main.yml diff --git a/roles/linux-ns/templates/dn42-route-namespace.sh b/roles/linux_ns/templates/dn42-route-namespace.sh index 6822834..6822834 100755 --- a/roles/linux-ns/templates/dn42-route-namespace.sh +++ b/roles/linux_ns/templates/dn42-route-namespace.sh diff --git a/roles/linux-ns/vars/main.yml b/roles/linux_ns/vars/main.yml index 0635f6c..0635f6c 100644 --- a/roles/linux-ns/vars/main.yml +++ b/roles/linux_ns/vars/main.yml diff --git a/roles/tinc/defaults/main.yml b/roles/tinc/defaults/main.yml index 64aa1e7..d493ac2 100644 --- a/roles/tinc/defaults/main.yml +++ b/roles/tinc/defaults/main.yml @@ -1,3 +1,11 @@ -tinc_netname: tn_int -tinc: - configure: false
\ No newline at end of file +tinc_options: + configure: false + netname: tn_int + name: example + connections: [example] + address: + - fe80::/64 + - 10.0.0.1/32 + listen_on: any + extra_up: + - echo configured diff --git a/roles/tinc/handlers/main.yml b/roles/tinc/handlers/main.yml index 56b5829..1fa1217 100644 --- a/roles/tinc/handlers/main.yml +++ b/roles/tinc/handlers/main.yml @@ -5,7 +5,7 @@ - name: Stop Tinc listen: configure tinc service: - name: "tinc@{{ tinc_netname }}" + name: "tinc@{{ tinc_options.netname }}" state: stopped - name: Wait listen: configure tinc @@ -14,5 +14,5 @@ - name: Start Tinc listen: configure tinc service: - name: "tinc@{{ tinc_netname }}" + name: "tinc@{{ tinc_options.netname }}" state: started diff --git a/roles/tinc/tasks/main.yml b/roles/tinc/tasks/main.yml index 4cfc7cd..8a9b44d 100644 --- a/roles/tinc/tasks/main.yml +++ b/roles/tinc/tasks/main.yml @@ -8,5 +8,5 @@ import_tasks: tinc.yml when: - tinc is defined - - tinc.configure is defined - - tinc.configure + - tinc_options.configure is defined + - tinc_options.configure diff --git a/roles/tinc/tasks/tinc.yml b/roles/tinc/tasks/tinc.yml index 7453811..c97c180 100644 --- a/roles/tinc/tasks/tinc.yml +++ b/roles/tinc/tasks/tinc.yml @@ -38,7 +38,7 @@ - exec - name: Ensure tinc is enabled service: - name: "tinc@{{ tinc_netname }}" + name: "tinc@{{ tinc_options.netname }}" daemon_reload: true enabled: true when: ansible_os_family != "OpenWrt" diff --git a/roles/tinc/templates/tinc-up.j2 b/roles/tinc/templates/tinc-up.j2 index 92aa782..ea81512 100755 --- a/roles/tinc/templates/tinc-up.j2 +++ b/roles/tinc/templates/tinc-up.j2 
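Review bot: Folding `tinc_netname` into the `tinc_options` dict changes how hosts override it: with Ansible's default non-recursive `hash_behaviour`, a host that sets `tinc_options:` (as host_vars/firstroot, hetzner and netcup do in this commit) replaces the whole dict, so `netname`, `address`, `listen_on` and `extra_up` defaults no longer apply and `tinc@{{ tinc_options.netname }}` in the handlers renders as `tinc@` unless every host repeats `netname` (the host_vars hunks show only their first four lines, so this may already be the case). Either keep `tinc_netname` as a separate top-level default, or build the effective dict in the role with `combine`, e.g. `tinc_effective: "{{ tinc_defaults | combine(tinc_options) }}"`. The placeholder values `connections: [example]`, `10.0.0.1/32` and `extra_up: - echo configured` are live configuration rather than documentation; a comment above `tinc_options:` stating that they are only reached when `configure` is true, and that `extra_up` lines are executed verbatim as root by tinc-up, would help the next reader.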
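Review bot: The `when:` list still has `- tinc is defined` as its first condition (an unchanged context line in this hunk) while the two conditions below it and the host_vars in this commit were renamed to `tinc_options`; on a host that defines only `tinc_options`, `tinc` is undefined, so `tinc.yml` is never imported and the rename silently disables the role. Unless `tinc` is still defined somewhere outside the diff, the line should read `- tinc_options is defined`. The enclosing task starts before the hunk.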
@@ -1,11 +1,11 @@
 #!/bin/sh
 ip link set $INTERFACE up
 ip -6 addr flush dev $INTERFACE
-{% for addr in tinc.address %}
+{% for addr in tinc_options.address %}
 ip addr add {{ addr }} dev $INTERFACE
 {% endfor %}
-{% if tinc.extra_up is defined %}
-{% for cmd in tinc.extra_up %}
+{% if tinc_options.extra_up is defined %}
+{% for cmd in tinc_options.extra_up %}
 {{ cmd }}
 {% endfor %}
 {% endif %}
diff --git a/roles/tinc/templates/tinc.conf.j2 b/roles/tinc/templates/tinc.conf.j2
index b7011e1..aa639ab 100644
--- a/roles/tinc/templates/tinc.conf.j2
+++ b/roles/tinc/templates/tinc.conf.j2
@@ -1,11 +1,11 @@
-Name = {{ tinc.name }}
-{% if tinc.listen_on is defined %}
-AddressFamily = {{ tinc.listen_on }}
+Name = {{ tinc_options.name }}
+{% if tinc_options.listen_on is defined %}
+AddressFamily = {{ tinc_options.listen_on }}
 {% else %}
 AddressFamily = ipv6
 {% endif %}
 Interface = tn_int
 Mode = switch
-{% for conn in tinc.connections %}
+{% for conn in tinc_options.connections %}
 ConnectTo = {{ conn }}
 {% endfor %}
diff --git a/scripts/acme/dns-auth.sh b/scripts/acme/dns-auth.sh
new file mode 100755
index 0000000..43a5dad
--- /dev/null
+++ b/scripts/acme/dns-auth.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+if [[ -z "${CERTBOT_DOMAIN}" || -z "${CERTBOT_VALIDATION}" ]]; then
+ echo "Environment not set"
+ exit 1
+fi
+
+ZONE=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
+NAMEONLY=$(expr match "$CERTBOT_DOMAIN" '\(.*\.\).*\..*')
+CREATE_DOMAIN="_acme-challenge.${NAMEONLY}"
+
+pdnsutil add-record "${ZONE}" "${CREATE_DOMAIN}" TXT 120 '"'"${CERTBOT_VALIDATION}"'"'
+pdnsutil increase-serial "${ZONE}"
+pdns_control notify "${ZONE}"
+
+sleep 30
diff --git a/scripts/acme/dns-clean.sh b/scripts/acme/dns-clean.sh
new file mode 100755
index 0000000..0eeab27
--- /dev/null
+++ b/scripts/acme/dns-clean.sh
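Review bot: There is no `set -e` or exit-status handling, so when `pdnsutil add-record` fails the script still sleeps 30 s and exits 0, and certbot proceeds to a validation that can only fail with a less useful error; add `set -euo pipefail` after the shebang. The zone/name split with `expr match` also assumes the zone is exactly the last two labels and the name has at least three: for an apex request (`CERTBOT_DOMAIN=example.com`, which as far as I recall is also what certbot passes for `*.example.com`) both `ZONE` and `NAMEONLY` are empty and `CREATE_DOMAIN` becomes `_acme-challenge.`, while for multi-label zones (`dn42.example.net`, `co.uk`) the record lands in the wrong zone. A guard such as `[[ -n "$ZONE" ]] || { echo "cannot derive zone from $CERTBOT_DOMAIN"; exit 1; }` would at least make that loud; a fixed `ZONE` variable or a lookup against `pdnsutil list-all-zones` would make it correct. The fixed `sleep 30` could be replaced by polling the authoritative servers for the TXT record, which both shortens the happy path and catches a failed `pdns_control notify`.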
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+if [[ -z "${CERTBOT_DOMAIN}" || -z "${CERTBOT_VALIDATION}" ]]; then
+ echo "Environment not set"
+ exit 1
+fi
+
+ZONE=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
+NAMEONLY=$(expr match "$CERTBOT_DOMAIN" '\(.*\.\).*\..*')
+CREATE_DOMAIN="_acme-challenge.${NAMEONLY}"
+
+pdnsutil delete-rrset ${ZONE} ${CREATE_DOMAIN} TXT
+pdnsutil increase-serial "${ZONE}"
+pdns_control notify "${ZONE}"
diff --git a/tailscale-fuckup.yml b/tailscale-fuckup.yml
new file mode 100644
index 0000000..8ea9f34
--- /dev/null
+++ b/tailscale-fuckup.yml
@@ -0,0 +1,35 @@
+---
+- name: Prevent Tailscale logging fuckup
+ hosts: all
+ tasks:
+ - name: Check if /var/lib/tailscale/ exists
+ stat:
+ path: /var/lib/tailscale/
+ register: tailscale_dir
+
+ - name: Ensure /etc/systemd/system/tailscaled.service.d/ exists
+ file:
+ path: /etc/systemd/system/tailscaled.service.d/
+ state: directory
+ mode: '0755'
+ when: tailscale_dir.stat.exists
+
+ - name: Create override.conf if directory exists
+ copy:
+ dest: /etc/systemd/system/tailscaled.service.d/override.conf
+ content: |
+ [Service]
+ StandardOutput=null
+ StandardError=null
+ mode: '0644'
+ when: tailscale_dir.stat.exists
+ notify:
+ - Reload systemd
+ - Restart tailscaled
+
+ handlers:
+ - name: Reload systemd
+ command: systemctl daemon-reload
+
+ - name: Restart tailscaled
+ command: systemctl restart tailscaled |
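Review bot: `pdnsutil delete-rrset ${ZONE} ${CREATE_DOMAIN} TXT` is the only pdnsutil call in these two scripts with unquoted expansions; when `ZONE` is empty (the apex/wildcard case the `expr match` split cannot derive) the arguments shift by one and pdnsutil is asked to operate on a zone named `_acme-challenge.`, and any unexpected whitespace would split further. Quote it like the neighbouring lines: `pdnsutil delete-rrset "${ZONE}" "${CREATE_DOMAIN}" TXT`, and add `set -euo pipefail` here as in the auth hook so a failed deletion is reported instead of leaving stale validation tokens in the zone. Deleting the whole rrset also removes every TXT at that name, so when certbot validates several identifiers that share an `_acme-challenge` name the second cleanup call finds nothing; that is harmless after validation but deserves a one-line comment.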
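Review bot: The drop-in sends tailscaled's stdout and stderr to /dev/null, which discards the daemon's entire log stream — including the auth, key and peer events a responder would want after an incident — rather than only the noisy part it is presumably meant to silence; if the problem is volume, journald rate limiting in the same drop-in (`LogRateLimitIntervalSec=30` and `LogRateLimitBurst=1000`, systemd ≥ 240) or a lower tailscaled verbosity keeps the audit trail while bounding it. The play also has no `become: true`, unlike deploy-reboot.yml in the same commit, yet writes under /etc/systemd/system and restarts a unit, so it only works where privilege escalation is configured in the inventory or ansible.cfg. The handlers shell out to `systemctl` where deploy-reboot.yml uses the `systemd` module (`systemd: daemon_reload: true` and `systemd: name: tailscaled state: restarted`), which would keep the two playbooks consistent and check-mode safe.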