initial pfannkuchen

roles/base/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+base_user: sascha

roles/base/tasks/main.yml

@@ -0,0 +1,134 @@
+---
+- name: Hostname setzen
+  hostname:
+    name: "{{ inventory_hostname }}"
+
+- name: /etc/hosts aktualisieren
+  lineinfile:
+    path: /etc/hosts
+    regexp: '^127\.0\.1\.1'
+    line: "127.0.1.1  {{ inventory_hostname }}.local {{ inventory_hostname }}"
+
+- name: SSH Public Key für Benutzer {{ base_user }} hinterlegen
+  ansible.posix.authorized_key:
+    user: "{{ base_user }}"
+    state: present
+    key: "{{ vault_ssh_pubkey }}"
+
+- name: SSH Private Key für Benutzer {{ base_user }} deployen
+  copy:
+    content: "{{ vault_ssh_privkey }}\n"
+    dest: "/home/{{ base_user }}/.ssh/id_ed25519"
+    owner: "{{ base_user }}"
+    group: "{{ base_user }}"
+    mode: "0600"
+
+- name: SSH Public Key Datei für Benutzer {{ base_user }} deployen
+  copy:
+    content: "{{ vault_ssh_pubkey }}\n"
+    dest: "/home/{{ base_user }}/.ssh/id_ed25519.pub"
+    owner: "{{ base_user }}"
+    group: "{{ base_user }}"
+    mode: "0644"
+
+- name: SSH Key auch für root hinterlegen
+  ansible.posix.authorized_key:
+    user: root
+    state: present
+    key: "{{ vault_ssh_pubkey }}"
+
+- name: SSH Private Key für root deployen
+  copy:
+    content: "{{ vault_ssh_privkey }}\n"
+    dest: /root/.ssh/id_ed25519
+    owner: root
+    group: root
+    mode: "0600"
+
+- name: Standard Debian Trixie Repositories setzen
+  copy:
+    dest: /etc/apt/sources.list
+    content: |
+      deb http://ftp.gwdg.de/debian/ trixie main non-free-firmware non-free contrib
+      deb-src http://ftp.gwdg.de/debian/ trixie main non-free-firmware non-free contrib
+
+      deb http://security.debian.org/debian-security trixie-security main non-free-firmware non-free contrib
+      deb-src http://security.debian.org/debian-security trixie-security main non-free-firmware non-free contrib
+
+      deb http://ftp.gwdg.de/debian/ trixie-updates main non-free-firmware non-free contrib
+      deb-src http://ftp.gwdg.de/debian/ trixie-updates main non-free-firmware non-free contrib
+    owner: root
+    group: root
+    mode: '0644'
+  register: repo_status
+
+- name: Apt Cache aktualisieren (falls Repos geändert wurden)
+  apt:
+    update_cache: yes
+  when: repo_status.changed
+
+- name: Installiere benötigte Basis-Pakete
+  apt:
+    name:
+      - curl
+      - gnupg
+      - ca-certificates
+      - sudo
+      - wget
+      - vim
+      - mc
+    state: present
+    update_cache: yes
+
+- name: Locales-Paket sicherstellen
+  apt:
+    name: locales
+    state: present
+
+- name: en_US.UTF-8 Locale generieren
+  locale_gen:
+    name: en_US.UTF-8
+    state: present
+
+- name: Systemweite Sprache auf en_US.UTF-8 setzen
+  debconf:
+    name: locales
+    question: locales/default_environment_locale
+    value: en_US.UTF-8
+    vtype: select
+
+- name: Locale-Datei manuell schreiben (Sicherheitsnetz)
+  copy:
+    dest: /etc/default/locale
+    content: |
+      LANG=en_US.UTF-8
+      LC_ALL=en_US.UTF-8
+
+- name: Gruppe sudo passwortloses sudo erlauben
+  lineinfile:
+    path: /etc/sudoers
+    state: present
+    regexp: '^%sudo'
+    line: '%sudo   ALL=(ALL:ALL) NOPASSWD: ALL'
+    validate: '/usr/sbin/visudo -cf %s'
+
+- name: Benutzer {{ base_user }} zu sudo Gruppe hinzufügen
+  user:
+    name: "{{ base_user }}"
+    groups: sudo
+    append: yes
+
+- name: Unnötige Pakete entfernen
+  apt:
+    autoremove: yes
+
+- name: QEMU Guest Agent installieren
+  apt:
+    name: qemu-guest-agent
+    state: present
+
+- name: QEMU Guest Agent aktivieren
+  service:
+    name: qemu-guest-agent
+    state: started
+    enabled: yes

roles/borg/defaults/main.yml

@@ -0,0 +1,14 @@
+---
+backup_source: /app-config
+borg_ssh_key: /root/.ssh/id_borg
+borg_passphrase: "{{ vault_borg_passphrase }}"
+borg_repo: "ssh://storagebox/home/{{ inventory_hostname }}"
+borg_retention_daily: 7
+borg_retention_weekly: 4
+borg_retention_monthly: 6
+borg_compression: lz4
+borg_remote_path: borg-1.4
+borg_logfile: /var/log/borg-backup.log
+hetzner_storage_host: "{{ vault_hetzner_storage_host }}"
+hetzner_storage_user: "{{ vault_hetzner_storage_user }}"
+hetzner_storage_port: 23

roles/borg/tasks/main.yml

@@ -0,0 +1,94 @@
+---
+- name: Borg installieren
+  apt:
+    name: borgbackup
+    state: present
+    update_cache: yes
+
+- name: SSH Private Key deployen
+  copy:
+    src: id_rsa
+    dest: "{{ borg_ssh_key }}"
+    mode: '0600'
+
+- name: SSH Public Key deployen
+  copy:
+    src: id_rsa.pub
+    dest: "{{ borg_ssh_key }}.pub"
+    mode: '0644'
+
+- name: SSH Config für Storage Box
+  blockinfile:
+    path: /root/.ssh/config
+    create: yes
+    mode: '0600'
+    marker: "# {mark} BORG STORAGEBOX"
+    block: |
+      Host storagebox
+        Hostname {{ hetzner_storage_host }}
+        User {{ hetzner_storage_user }}
+        Port {{ hetzner_storage_port }}
+        IdentityFile {{ borg_ssh_key }}
+        IdentitiesOnly yes
+        StrictHostKeyChecking accept-new
+
+- name: Backup-Verzeichnis auf Storage Box anlegen
+  command: ssh storagebox mkdir -p home/{{ inventory_hostname }}
+  changed_when: false
+
+- name: Borg Repo initialisieren
+  environment:
+    BORG_PASSPHRASE: "{{ borg_passphrase }}"
+  command: borg init --encryption=repokey {{ borg_repo }}
+  register: borg_init
+  failed_when: borg_init.rc != 0 and 'already exists' not in borg_init.stderr
+  changed_when: borg_init.rc == 0
+
+- name: Passphrase-Datei deployen
+  copy:
+    dest: /root/.borg-passphrase
+    content: "{{ borg_passphrase }}"
+    mode: '0400'
+
+- name: Backup-Script deployen
+  template:
+    src: borg-backup.sh.j2
+    dest: /usr/local/bin/borg-backup.sh
+    mode: '0700'
+
+- name: Systemd Timer Unit
+  copy:
+    dest: /etc/systemd/system/borg-backup.timer
+    content: |
+      [Unit]
+      Description=Borg Backup Timer
+
+      [Timer]
+      OnCalendar=*-*-* 03:00:00
+      RandomizedDelaySec=1800
+      Persistent=true
+
+      [Install]
+      WantedBy=timers.target
+
+- name: Systemd Service Unit
+  copy:
+    dest: /etc/systemd/system/borg-backup.service
+    content: |
+      [Unit]
+      Description=Borg Backup
+      After=network-online.target
+      Wants=network-online.target
+
+      [Service]
+      Type=oneshot
+      ExecStart=/usr/local/bin/borg-backup.sh
+      Nice=19
+      IOSchedulingClass=idle
+
+- name: Timer aktivieren und starten
+  systemd:
+    name: borg-backup.timer
+    enabled: true
+    state: started
+    daemon_reload: true

roles/borg/templates/borg-backup.sh.j2

@@ -0,0 +1,33 @@
+#!/bin/bash
+set -euo pipefail
+
+export BORG_PASSPHRASE=$(cat /root/.borg-passphrase)
+REPO="{{ borg_repo }}"
+LOGFILE="{{ borg_logfile }}"
+
+echo "[$(date)] Starte Backup: {{ inventory_hostname }}" >> "$LOGFILE"
+
+borg create \
+  --verbose \
+  --filter AME \
+  --remote-path={{ borg_remote_path }} \
+  --stats \
+  --show-rc \
+  --compression {{ borg_compression }} \
+  "${REPO}::{{ inventory_hostname }}-$(date +%Y-%m-%d_%H-%M)" \
+  {{ backup_source }} >> "$LOGFILE" 2>&1
+
+BACKUP_RC=$?
+
+borg prune -v --list "${REPO}" \
+  --keep-daily={{ borg_retention_daily }} \
+  --keep-weekly={{ borg_retention_weekly }} \
+  --keep-monthly={{ borg_retention_monthly }} >> "$LOGFILE" 2>&1
+
+PRUNE_RC=$?
+
+borg compact "${REPO}" >> "$LOGFILE" 2>&1
+
+GLOBAL_RC=$(( BACKUP_RC > PRUNE_RC ? BACKUP_RC : PRUNE_RC ))
+echo "[$(date)] Backup beendet mit Code $GLOBAL_RC" >> "$LOGFILE"
+exit $GLOBAL_RC

roles/docker/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+- name: Verzeichnis für Keyrings erstellen
+  file:
+    path: /etc/apt/keyrings
+    state: directory
+    mode: '0755'
+
+- name: Docker GPG Key herunterladen
+  get_url:
+    url: https://download.docker.com/linux/debian/gpg
+    dest: /etc/apt/keyrings/docker.asc
+    mode: '0644'
+
+- name: Docker Repository Datei erstellen
+  copy:
+    dest: /etc/apt/sources.list.d/docker.list
+    content: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian trixie stable"
+    mode: '0644'
+  register: docker_repo
+
+- name: Paketliste aktualisieren
+  apt:
+    update_cache: yes
+  when: docker_repo.changed
+
+- name: Docker Engine installieren
+  apt:
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+      - docker-compose-plugin
+    state: present
+
+- name: Benutzer sascha zu docker Gruppe hinzufügen
+  user:
+    name: sascha
+    groups: docker
+    append: yes

roles/frp_client/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+frp_version: "0.68.0"
+frp_server_addr: "tunnel.sascha-lutz.de"
+frp_server_port: 8443
+frp_token: "{{ vault_frp_token }}"
+frp_tc_device: "ens18"

roles/frp_client/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+
+- name: restart frpc
+  systemd:
+    name: frpc
+    state: restarted

roles/frp_client/tasks/main.yml

@@ -0,0 +1,104 @@
+---
+- name: frpc Binary herunterladen
+  get_url:
+    url: "https://github.com/fatedier/frp/releases/download/v{{ frp_version }}/frp_{{ frp_version }}_linux_amd64.tar.gz"
+    dest: /tmp/frp.tar.gz
+
+- name: frpc entpacken
+  unarchive:
+    src: /tmp/frp.tar.gz
+    dest: /tmp/
+    remote_src: yes
+
+- name: frpc Binary installieren
+  copy:
+    src: "/tmp/frp_{{ frp_version }}_linux_amd64/frpc"
+    dest: /usr/local/bin/frpc
+    mode: "0755"
+    remote_src: yes
+
+- name: frpc Config Verzeichnis
+  file:
+    path: /etc/frp
+    state: directory
+    mode: "0755"
+
+- name: frpc Config deployen
+  copy:
+    dest: /etc/frp/frpc.toml
+    content: |
+      serverAddr = "{{ frp_server_addr }}"
+      serverPort = {{ frp_server_port }}
+      auth.method = "token"
+      auth.token = "{{ frp_token }}"
+      transport.protocol = "quic"
+      transport.poolCount = 5
+      transport.tcpMux = true
+      {% for proxy in frp_proxies %}
+
+      [[proxies]]
+      name = "{{ proxy.name }}"
+      type = "tcp"
+      localIP = "{{ proxy.local_ip | default('127.0.0.1') }}"
+      localPort = {{ proxy.local_port }}
+      remotePort = {{ proxy.remote_port }}
+      transport.useCompression = true
+      transport.bandwidthLimit = "{{ proxy.bandwidth_limit | default('6MB') }}"
+      transport.bandwidthLimitMode = "server"
+      {% endfor %}
+    mode: "0600"
+  notify: restart frpc
+
+- name: frpc systemd Service
+  copy:
+    dest: /etc/systemd/system/frpc.service
+    content: |
+      [Unit]
+      Description=frp Client – Reverse Tunnel
+      After=network-online.target
+      Wants=network-online.target
+
+      [Service]
+      Type=simple
+      Restart=always
+      RestartSec=5
+      ExecStart=/usr/local/bin/frpc -c /etc/frp/frpc.toml
+
+      [Install]
+      WantedBy=multi-user.target
+    mode: "0644"
+  notify:
+    - reload systemd
+    - restart frpc
+
+- name: frpc aktivieren und starten
+  systemd:
+    name: frpc
+    enabled: true
+    state: started
+    daemon_reload: true
+
+- name: iproute2 installieren (fuer tc)
+  apt:
+    name: iproute2
+    state: present
+    update_cache: yes
+
+- name: tc Fair Queueing mit Per-Flow-Limit
+  shell: /sbin/tc qdisc replace dev {{ frp_tc_device | default('ens18') }} root fq maxrate {{ frp_tc_maxrate | default('50mbit') }}
+  changed_when: false
+
+- name: tc Limit persistent via post-up
+  lineinfile:
+    path: /etc/network/interfaces
+    insertafter: "iface {{ frp_tc_device | default('ens18') }}"
+    line: "    post-up /sbin/tc qdisc replace dev {{ frp_tc_device | default('ens18') }} root fq maxrate {{ frp_tc_maxrate | default('50mbit') }}"
+    regexp: "post-up.*tc qdisc"
+
+- name: Temp-Dateien aufräumen
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /tmp/frp.tar.gz
+    - "/tmp/frp_{{ frp_version }}_linux_amd64"

roles/frp_server/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+frp_version: "0.68.0"
+frp_bind_port: 7000
+frp_quic_port: 8443
+frp_token: "{{ vault_frp_token }}"

roles/frp_server/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+
+- name: restart frps
+  systemd:
+    name: frps
+    state: restarted

roles/frp_server/tasks/main.yml

@@ -0,0 +1,74 @@
+---
+- name: frps Binary herunterladen
+  get_url:
+    url: "https://github.com/fatedier/frp/releases/download/v{{ frp_version }}/frp_{{ frp_version }}_linux_amd64.tar.gz"
+    dest: /tmp/frp.tar.gz
+
+- name: frps entpacken
+  unarchive:
+    src: /tmp/frp.tar.gz
+    dest: /tmp/
+    remote_src: yes
+
+- name: frps Binary installieren
+  copy:
+    src: "/tmp/frp_{{ frp_version }}_linux_amd64/frps"
+    dest: /usr/local/bin/frps
+    mode: "0755"
+    remote_src: yes
+
+- name: frps Config Verzeichnis
+  file:
+    path: /etc/frp
+    state: directory
+    mode: "0755"
+
+- name: frps Config deployen
+  copy:
+    dest: /etc/frp/frps.toml
+    content: |
+      bindPort = {{ frp_bind_port }}
+      quicBindPort = {{ frp_quic_port }}
+      auth.method = "token"
+      auth.token = "{{ frp_token }}"
+      transport.tcpMux = true
+      transport.maxPoolCount = 10
+    mode: "0600"
+  notify: restart frps
+
+- name: frps systemd Service
+  copy:
+    dest: /etc/systemd/system/frps.service
+    content: |
+      [Unit]
+      Description=frp Server
+      After=network-online.target
+      Wants=network-online.target
+
+      [Service]
+      Type=simple
+      Restart=always
+      RestartSec=5
+      ExecStart=/usr/local/bin/frps -c /etc/frp/frps.toml
+
+      [Install]
+      WantedBy=multi-user.target
+    mode: "0644"
+  notify:
+    - reload systemd
+    - restart frps
+
+- name: frps aktivieren und starten
+  systemd:
+    name: frps
+    enabled: true
+    state: started
+    daemon_reload: true
+
+- name: Temp-Dateien aufräumen
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /tmp/frp.tar.gz
+    - "/tmp/frp_{{ frp_version }}_linux_amd64"

roles/glances/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+glances_port: 61208

roles/glances/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+
+- name: restart glances
+  systemd:
+    name: glances
+    state: restarted

roles/glances/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+- name: Glances apt-Paket entfernen (fehlende Web-UI)
+  apt:
+    name: glances
+    state: absent
+
+- name: pip installieren
+  apt:
+    name: python3-pip
+    state: present
+    update_cache: yes
+
+- name: Glances mit Web-UI per pip installieren
+  pip:
+    name: "glances[web]"
+    state: present
+    extra_args: --break-system-packages
+
+- name: Glances systemd Service (Web-Modus)
+  copy:
+    dest: /etc/systemd/system/glances.service
+    content: |
+      [Unit]
+      Description=Glances Web Server
+      After=network.target
+
+      [Service]
+      Type=simple
+      Restart=always
+      RestartSec=5
+      ExecStart=/usr/local/bin/glances -w -B 0.0.0.0 -p {{ glances_port }} --disable-plugin cloud
+
+      [Install]
+      WantedBy=multi-user.target
+    mode: "0644"
+  notify:
+    - reload systemd
+    - restart glances
+
+- name: Glances aktivieren und starten
+  systemd:
+    name: glances
+    enabled: true
+    state: started
+    daemon_reload: true

roles/hawser/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart hawser
+  ansible.builtin.systemd:
+    name: hawser
+    state: restarted

roles/hawser/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+- name: Hawser installieren (offizielles Install-Script)
+  ansible.builtin.shell:
+    cmd: curl -fsSL https://raw.githubusercontent.com/Finsys/hawser/main/scripts/install.sh | bash
+    creates: /usr/local/bin/hawser
+
+- name: Hawser Token in Config setzen
+  ansible.builtin.lineinfile:
+    path: /etc/hawser/config
+    regexp: '^TOKEN='
+    line: "TOKEN={{ vault_hawser_token }}"
+  notify: restart hawser
+
+- name: Hawser aktivieren und starten
+  ansible.builtin.systemd:
+    name: hawser
+    enabled: true
+    state: started
+    daemon_reload: true

roles/nvidia/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+cuda_keyring_deb_url: "https://developer.download.nvidia.com/compute/cuda/repos/debian13/x86_64/cuda-keyring_1.1-1_all.deb"
+docker_daemon_config:
+  default-runtime: nvidia
+  runtimes:
+    nvidia:
+      path: nvidia-container-runtime
+      runtimeArgs: []

roles/nvidia/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Docker neustarten
+  ansible.builtin.service:
+    name: docker
+    state: restarted

roles/nvidia/tasks/main.yml

@@ -0,0 +1,77 @@
+---
+- name: Nouveau Treiber blacklisten
+  ansible.builtin.copy:
+    dest: /etc/modprobe.d/blacklist-nouveau.conf
+    content: |
+      blacklist nouveau
+      options nouveau modeset=0
+    mode: "0644"
+  register: nouveau_blacklist
+
+- name: initramfs-tools installieren
+  apt:
+    name: initramfs-tools
+    state: present
+
+- name: initramfs aktualisieren
+  ansible.builtin.command: update-initramfs -u
+  when: nouveau_blacklist.changed
+
+- name: CUDA Keyring herunterladen und installieren
+  ansible.builtin.apt:
+    deb: "{{ cuda_keyring_deb_url }}"
+
+- name: NVIDIA Container Toolkit GPG Key hinzufuegen
+  ansible.builtin.shell: |
+    curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey \
+      | gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg
+  args:
+    creates: /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg
+
+- name: NVIDIA Container Toolkit Repo hinzufuegen
+  ansible.builtin.shell: |
+    curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list \
+      | sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' \
+      | tee /etc/apt/sources.list.d/nvidia-container-toolkit.list
+  args:
+    creates: /etc/apt/sources.list.d/nvidia-container-toolkit.list
+
+- name: apt update
+  ansible.builtin.apt:
+    update_cache: true
+
+- name: Kernel Headers und DKMS installieren
+  ansible.builtin.apt:
+    name:
+      - linux-headers-{{ ansible_kernel }}
+      - dkms
+    state: present
+
+- name: NVIDIA Treiber installieren (CUDA Repo)
+  ansible.builtin.apt:
+    name: cuda-drivers
+    state: present
+  register: nvidia_driver
+
+- name: NVIDIA Container Toolkit installieren
+  ansible.builtin.apt:
+    name:
+      - nvidia-container-toolkit
+    state: present
+
+- name: Docker daemon.json konfigurieren (NVIDIA als default runtime)
+  ansible.builtin.copy:
+    content: "{{ docker_daemon_config | to_nice_json }}"
+    dest: /etc/docker/daemon.json
+    mode: "0644"
+  notify: Docker neustarten
+
+- name: nvidia-ctk runtime fuer Docker konfigurieren
+  ansible.builtin.command: nvidia-ctk runtime configure --runtime=docker
+  changed_when: false
+
+- name: Reboot nach Treiberinstallation
+  ansible.builtin.reboot:
+    msg: "Reboot nach NVIDIA Treiber-Installation"
+    reboot_timeout: 300
+  when: nvidia_driver.changed

roles/pihole_dns/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+pihole_dns_domain: local
+pihole_custom_list: /etc/pihole/custom.list
+pihole_extra_records: []
+#  - ip: 10.4.1.120
+#    name: authentik

roles/pihole_dns/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: Reload Pi-hole DNS
+  ansible.builtin.command: pihole restartdns reload
+  listen: reload pihole dns

roles/pihole_dns/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Deploy Pi-hole custom DNS records
+  ansible.builtin.template:
+    src: custom.list.j2
+    dest: "{{ pihole_custom_list }}"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: reload pihole dns

roles/pihole_dns/templates/custom.list.j2

@@ -0,0 +1,11 @@
+# Von Ansible generiert – nicht manuell bearbeiten
+{% for host in groups['all'] %}
+{% if hostvars[host].ansible_host is defined %}
+{{ hostvars[host].ansible_host }} {{ host }}.{{ pihole_dns_domain }}
+{{ hostvars[host].ansible_host }} {{ host }}
+{% endif %}
+{% endfor %}
+{% for entry in pihole_extra_records %}
+{{ entry.ip }} {{ entry.name }}.{{ pihole_dns_domain }}
+{{ entry.ip }} {{ entry.name }}
+{% endfor %}

roles/pve_gpu_passthrough/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: Update GRUB
+  command: update-grub

roles/pve_gpu_passthrough/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+- name: IOMMU Kernel-Parameter setzen (GRUB)
+  lineinfile:
+    path: /etc/default/grub
+    regexp: '^GRUB_CMDLINE_LINUX_DEFAULT='
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt"'
+  register: grub_updated
+  notify: Update GRUB
+
+- name: VFIO Module in /etc/modules eintragen
+  copy:
+    dest: /etc/modules
+    content: |
+      # /etc/modules - VFIO fuer GPU Passthrough
+      vfio
+      vfio_iommu_type1
+      vfio_pci
+    mode: "0644"
+  register: modules_updated
+
+- name: Alte fehlerhafte modprobe Configs aufraeumen
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/modprobe.d/block-nouveau.conf
+    - /etc/modprobe.d/nvidia-installer-disable-nouveau.conf
+
+- name: NVIDIA und Nouveau auf Host blacklisten
+  copy:
+    dest: /etc/modprobe.d/gpu-passthrough.conf
+    content: |
+      blacklist nouveau
+      blacklist nvidia
+      blacklist nvidiafb
+      blacklist rivafb
+      options nouveau modeset=0
+      softdep nvidia pre: vfio-pci
+      softdep nouveau pre: vfio-pci
+    mode: "0644"
+  register: modprobe_updated
+
+- name: initramfs aktualisieren
+  command: update-initramfs -u -k all
+  when: grub_updated.changed or modules_updated.changed or modprobe_updated.changed

roles/pve_postinstall/tasks/main.yml

@@ -0,0 +1,122 @@
+---
+- name: Legacy .list Dateien finden
+  find:
+    paths: /etc/apt/sources.list.d
+    patterns: "*.list"
+  register: legacy_lists
+
+- name: Legacy .list Dateien umbenennen
+  command: mv "{{ item.path }}" "{{ item.path }}.bak"
+  loop: "{{ legacy_lists.files }}"
+  when: legacy_lists.files | length > 0
+  args:
+    creates: "{{ item.path }}.bak"
+
+- name: Legacy sources.list leeren
+  copy:
+    dest: /etc/apt/sources.list
+    content: ""
+    mode: "0644"
+
+- name: Debian Trixie Quellen (deb822)
+  copy:
+    dest: /etc/apt/sources.list.d/debian.sources
+    content: |
+      Types: deb
+      URIs: http://deb.debian.org/debian/
+      Suites: trixie trixie-updates
+      Components: main contrib non-free non-free-firmware
+      Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+      Types: deb
+      URIs: http://security.debian.org/debian-security/
+      Suites: trixie-security
+      Components: main contrib non-free non-free-firmware
+      Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+    mode: "0644"
+
+- name: Enterprise Repo deaktivieren (auskommentiert)
+  copy:
+    dest: /etc/apt/sources.list.d/pve-enterprise.sources
+    content: |
+      # Types: deb
+      # URIs: https://enterprise.proxmox.com/debian/pve
+      # Suites: trixie
+      # Components: pve-enterprise
+      # Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg
+    mode: "0644"
+
+- name: Ceph Enterprise Repo deaktivieren (auskommentiert)
+  copy:
+    dest: /etc/apt/sources.list.d/ceph.sources
+    content: |
+      # Types: deb
+      # URIs: https://enterprise.proxmox.com/debian/ceph-squid
+      # Suites: trixie
+      # Components: enterprise
+      # Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg
+    mode: "0644"
+
+- name: PVE No-Subscription Repo (deb822)
+  copy:
+    dest: /etc/apt/sources.list.d/proxmox.sources
+    content: |
+      Types: deb
+      URIs: http://download.proxmox.com/debian/pve
+      Suites: trixie
+      Components: pve-no-subscription
+      Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg
+    mode: "0644"
+
+- name: PVE Test Repo (disabled)
+  copy:
+    dest: /etc/apt/sources.list.d/pve-test.sources
+    content: |
+      Types: deb
+      URIs: http://download.proxmox.com/debian/pve
+      Suites: trixie
+      Components: pve-test
+      Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg
+      Enabled: false
+    mode: "0644"
+
+- name: Subscription Nag Patch Script deployen
+  copy:
+    dest: /usr/local/bin/pve-remove-nag.sh
+    mode: "0755"
+    content: |
+      #!/bin/sh
+      WEB_JS=/usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
+      if [ -s "$WEB_JS" ] && ! grep -q NoMoreNagging "$WEB_JS"; then
+        sed -i -e "/data\.status/ s/!//" -e "/data\.status/ s/active/NoMoreNagging/" "$WEB_JS"
+      fi
+
+- name: Nag Patch als DPkg Post-Invoke registrieren
+  copy:
+    dest: /etc/apt/apt.conf.d/no-nag-script
+    content: 'DPkg::Post-Invoke { "/usr/local/bin/pve-remove-nag.sh"; };'
+    mode: "0644"
+
+- name: Nag Patch einmalig ausfuehren
+  command: /usr/local/bin/pve-remove-nag.sh
+  changed_when: false
+
+- name: HA Services deaktivieren
+  systemd:
+    name: "{{ item }}"
+    enabled: false
+    state: stopped
+  loop:
+    - pve-ha-lrm
+    - pve-ha-crm
+    - corosync
+  failed_when: false
+
+- name: Apt Cache aktualisieren
+  apt:
+    update_cache: yes
+
+- name: Dist-Upgrade ausfuehren
+  apt:
+    upgrade: dist
+    autoremove: yes

roles/sysctl/tasks/main.yml

@@ -0,0 +1,41 @@
+---
+- name: BBR Kernel Modul laden
+  ansible.builtin.modprobe:
+    name: tcp_bbr
+    state: present
+
+- name: BBR Modul beim Boot laden
+  ansible.builtin.copy:
+    content: "tcp_bbr\n"
+    dest: /etc/modules-load.d/bbr.conf
+    mode: "0644"
+
+- name: Sysctl Parameter setzen
+  ansible.posix.sysctl:
+    name: "{{ item.key }}"
+    value: "{{ item.value }}"
+    sysctl_file: /etc/sysctl.d/99-net-tuning.conf
+    reload: true
+    state: present
+  loop:
+    - { key: net.core.rmem_default,              value: "262144" }
+    - { key: net.core.wmem_default,              value: "262144" }
+    - { key: net.core.rmem_max,                  value: "67108864" }
+    - { key: net.core.wmem_max,                  value: "67108864" }
+    - { key: net.ipv4.tcp_rmem,                  value: "4096 87380 67108864" }
+    - { key: net.ipv4.tcp_wmem,                  value: "4096 65536 67108864" }
+    - { key: net.ipv4.tcp_window_scaling,        value: "1" }
+    - { key: net.ipv4.tcp_congestion_control,    value: "bbr" }
+    - { key: net.ipv4.tcp_slow_start_after_idle, value: "0" }
+    - { key: net.ipv4.tcp_fastopen,              value: "3" }
+    - { key: net.core.netdev_max_backlog,        value: "16384" }
+    - { key: net.core.somaxconn,                 value: "4096" }
+    - { key: net.ipv4.tcp_notsent_lowat,         value: "16384" }
+    - { key: net.ipv4.tcp_fin_timeout,           value: "15" }
+    - { key: net.ipv4.tcp_tw_reuse,              value: "1" }
+    - { key: vm.swappiness,                      value: "1" }
+    - { key: vm.dirty_ratio,                     value: "15" }
+    - { key: vm.dirty_background_ratio,          value: "5" }
+    - { key: net.ipv4.tcp_mtu_probing,           value: "1" }
+    - { key: net.ipv4.ip_forward,                value: "1" }
+    - { key: net.ipv6.conf.all.forwarding,       value: "1" }

roles/sysctl_proxmox/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: sysctl reload
+  ansible.builtin.command: sysctl --system
+
+- name: resolvconf update
+  ansible.builtin.command: resolvconf -u

roles/sysctl_proxmox/tasks/main.yml

@@ -0,0 +1,55 @@
+---
+- name: resolvconf installieren
+  ansible.builtin.apt:
+    name: resolvconf
+    state: present
+
+- name: DNS in resolvconf head setzen
+  ansible.builtin.copy:
+    dest: /etc/resolvconf/resolv.conf.d/head
+    content: |
+      # Managed by Ansible
+      nameserver 1.1.1.1
+      nameserver 1.0.0.1
+    mode: "0644"
+  notify: resolvconf update
+
+- name: /etc/hosts deployen
+  ansible.builtin.template:
+    src: hosts.j2
+    dest: /etc/hosts
+    mode: "0644"
+
+- name: sysctl.conf inkludiert sysctl.d
+  ansible.builtin.lineinfile:
+    path: /etc/sysctl.conf
+    create: true
+    mode: "0644"
+    line: "# Managed by Ansible – Drop-ins in /etc/sysctl.d/ werden automatisch geladen"
+    insertbefore: BOF
+  notify: sysctl reload
+
+- name: Sysctl Parameter setzen
+  ansible.posix.sysctl:
+    name: "{{ item.key }}"
+    value: "{{ item.value }}"
+    sysctl_file: /etc/sysctl.d/99-proxmox-tuning.conf
+    reload: true
+    state: present
+  loop:
+    - { key: vm.overcommit_memory,               value: "1" }
+    - { key: vm.swappiness,                      value: "1" }
+    - { key: fs.file-max,                        value: "9999999" }
+    - { key: fs.inotify.max_user_watches,        value: "524288" }
+    - { key: fs.inotify.max_user_instances,       value: "512" }
+    - { key: net.ipv4.ip_forward,                value: "1" }
+    - { key: net.ipv6.conf.all.forwarding,       value: "1" }
+    - { key: net.bridge.bridge-nf-call-iptables, value: "0" }
+    - { key: net.bridge.bridge-nf-call-ip6tables, value: "0" }
+    - { key: vm.dirty_expire_centisecs,          value: "3000" }
+    - { key: vm.dirty_writeback_centisecs,       value: "500" }
+    - { key: net.ipv4.tcp_mtu_probing,           value: "1" }
+    - { key: net.core.rmem_max,                  value: "67108864" }
+    - { key: net.core.wmem_max,                  value: "67108864" }
+    - { key: net.ipv4.tcp_rmem,                  value: "4096 87380 67108864" }
+    - { key: net.ipv4.tcp_wmem,                  value: "4096 65536 67108864" }

roles/sysctl_proxmox/templates/hosts.j2

@@ -0,0 +1,9 @@
+# Managed by Ansible
+127.0.0.1 localhost
+127.0.1.1 {{ inventory_hostname }}
+::1 localhost ip6-localhost ip6-loopback
+
+# Proxmox Hosts
+{% for host in groups['proxmox'] %}
+{{ hostvars[host]['ansible_host'] }} {{ host }}
+{% endfor %}

roles/telegraf/defaults/main.yml

@@ -0,0 +1,11 @@
+---
+telegraf_influx_url: "https://influx.sascha-lutz.de"
+telegraf_influx_org: "influx.sascha-lutz.de"
+telegraf_influx_token: "{{ vault_telegraf_influx_token }}"
+telegraf_influx_bucket: "telegraf"
+telegraf_interval: "10s"
+telegraf_synology_snmp: false
+telegraf_synology_host: ""
+telegraf_snmp_sec_name: "{{ vault_snmp_sec_name | default('') }}"
+telegraf_snmp_auth_password: "{{ vault_snmp_auth_password | default('') }}"
+telegraf_snmp_priv_password: "{{ vault_snmp_priv_password | default('') }}"

roles/telegraf/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Telegraf neustarten
+  systemd:
+    name: telegraf
+    state: restarted

roles/telegraf/tasks/main.yml

@@ -0,0 +1,51 @@
+---
+- name: InfluxData GPG Key hinzufuegen
+  get_url:
+    url: https://repos.influxdata.com/influxdata-archive_compat.key
+    dest: /etc/apt/keyrings/influxdata-archive-keyring.gpg
+    mode: "0644"
+
+- name: InfluxData Repo hinzufuegen
+  copy:
+    dest: /etc/apt/sources.list.d/influxdata.list
+    content: "deb [signed-by=/etc/apt/keyrings/influxdata-archive-keyring.gpg] https://repos.influxdata.com/debian stable main"
+    mode: "0644"
+  register: influx_repo
+
+- name: Apt Cache aktualisieren
+  apt:
+    update_cache: yes
+  when: influx_repo.changed
+
+- name: Telegraf installieren
+  apt:
+    name: telegraf
+    state: present
+
+- name: lm-sensors installieren (fuer inputs.sensors)
+  apt:
+    name: lm-sensors
+    state: present
+
+- name: SNMP Pakete installieren (fuer Synology Monitoring)
+  apt:
+    name:
+      - snmp
+      - snmp-mibs-downloader
+    state: present
+  when: telegraf_synology_snmp
+
+- name: Telegraf Config deployen
+  template:
+    src: telegraf.conf.j2
+    dest: /etc/telegraf/telegraf.conf
+    mode: "0640"
+    owner: root
+    group: telegraf
+  notify: Telegraf neustarten
+
+- name: Telegraf aktivieren und starten
+  systemd:
+    name: telegraf
+    enabled: true
+    state: started

roles/telegraf/templates/telegraf.conf.j2

@@ -0,0 +1,469 @@
+[global_tags]
+
+[agent]
+  interval = "{{ telegraf_interval }}"
+  round_interval = true
+  metric_batch_size = 1000
+  metric_buffer_limit = 10000
+  collection_jitter = "0s"
+  flush_interval = "10s"
+  flush_jitter = "0s"
+  precision = "0s"
+  hostname = ""
+  omit_hostname = false
+
+[[outputs.influxdb_v2]]
+  urls = ["{{ telegraf_influx_url }}"]
+  organization = "{{ telegraf_influx_org }}"
+  token = "{{ telegraf_influx_token }}"
+  bucket = "{{ telegraf_influx_bucket }}"
+
+[[inputs.cpu]]
+  percpu = true
+  totalcpu = true
+  fielddrop = ["time_*"]
+
+[[inputs.disk]]
+  ignore_fs = ["tmpfs", "devtmpfs", "devfs", "iso9660", "overlay", "aufs", "squashfs"]
+
+[[inputs.diskio]]
+
+[[inputs.kernel]]
+
+[[inputs.mem]]
+
+[[inputs.processes]]
+
+[[inputs.swap]]
+
+[[inputs.system]]
+
+[[inputs.nstat]]
+
+[[inputs.sensors]]
+
+{% if telegraf_synology_snmp %}
+# ============================================
+# Synology NAS SNMP Monitoring
+# ============================================
+[[inputs.snmp]]
+  agents = ["{{ telegraf_synology_host }}"]
+  interval = "30s"
+  timeout = "30s"
+  retries = 3
+  max_repetitions = 10
+  version = 3
+  sec_name = "{{ telegraf_snmp_sec_name }}"
+  auth_protocol = "MD5"
+  auth_password = "{{ telegraf_snmp_auth_password }}"
+  sec_level = "authPriv"
+  priv_protocol = "DES"
+  priv_password = "{{ telegraf_snmp_priv_password }}"
+  name = "snmp.Synology"
+
+  # --- SNMPv2 System Info ---
+  [[inputs.snmp.field]]
+    name = "sysName"
+    oid = "SNMPv2-MIB::sysName.0"
+    is_tag = true
+  [[inputs.snmp.field]]
+    name = "sysDescr"
+    oid = "SNMPv2-MIB::sysDescr.0"
+  [[inputs.snmp.field]]
+    name = "sysContact"
+    oid = "SNMPv2-MIB::sysContact.0"
+  [[inputs.snmp.field]]
+    name = "sysLocation"
+    oid = "SNMPv2-MIB::sysLocation.0"
+  [[inputs.snmp.field]]
+    name = "sysUpTime"
+    oid = "SNMPv2-MIB::sysUpTime.0"
+
+  # --- UCD-SNMP-MIB: System Stats ---
+  [[inputs.snmp.field]]
+    name = "systemStats.ssSwapIn"
+    oid = "UCD-SNMP-MIB::ssSwapIn.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssSwapOut"
+    oid = "UCD-SNMP-MIB::ssSwapOut.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssIOSent"
+    oid = "UCD-SNMP-MIB::ssIOSent.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssIOReceive"
+    oid = "UCD-SNMP-MIB::ssIOReceive.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssSysInterrupts"
+    oid = "UCD-SNMP-MIB::ssSysInterrupts.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssSysContext"
+    oid = "UCD-SNMP-MIB::ssSysContext.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssCpuUser"
+    oid = "UCD-SNMP-MIB::ssCpuUser.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssCpuSystem"
+    oid = "UCD-SNMP-MIB::ssCpuSystem.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssCpuIdle"
+    oid = "UCD-SNMP-MIB::ssCpuIdle.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssCpuRawUser"
+    oid = "UCD-SNMP-MIB::ssCpuRawUser.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssCpuRawNice"
+    oid = "UCD-SNMP-MIB::ssCpuRawNice.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssCpuRawSystem"
+    oid = "UCD-SNMP-MIB::ssCpuRawSystem.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssCpuRawIdle"
+    oid = "UCD-SNMP-MIB::ssCpuRawIdle.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssCpuRawWait"
+    oid = "UCD-SNMP-MIB::ssCpuRawWait.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssCpuRawKernel"
+    oid = "UCD-SNMP-MIB::ssCpuRawKernel.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssCpuRawInterrupt"
+    oid = "UCD-SNMP-MIB::ssCpuRawInterrupt.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssIORawSent"
+    oid = "UCD-SNMP-MIB::ssIORawSent.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssIORawReceived"
+    oid = "UCD-SNMP-MIB::ssIORawReceived.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssRawInterrupts"
+    oid = "UCD-SNMP-MIB::ssRawInterrupts.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssRawContexts"
+    oid = "UCD-SNMP-MIB::ssRawContexts.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssCpuRawSoftIRQ"
+    oid = "UCD-SNMP-MIB::ssCpuRawSoftIRQ.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssRawSwapIn"
+    oid = "UCD-SNMP-MIB::ssRawSwapIn.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssRawSwapOut"
+    oid = "UCD-SNMP-MIB::ssRawSwapOut.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssCpuRawSteal"
+    oid = "UCD-SNMP-MIB::ssCpuRawSteal.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssCpuRawGuest"
+    oid = "UCD-SNMP-MIB::ssCpuRawGuest.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssCpuRawGuestNice"
+    oid = "UCD-SNMP-MIB::ssCpuRawGuestNice.0"
+  [[inputs.snmp.field]]
+    name = "systemStats.ssCpuNumCpus"
+    oid = "UCD-SNMP-MIB::ssCpuNumCpus.0"
+
+  # --- UCD-SNMP-MIB: Memory ---
+  [[inputs.snmp.field]]
+    name = "memory.memTotalSwap"
+    oid = "UCD-SNMP-MIB::memTotalSwapX.0"
+  [[inputs.snmp.field]]
+    name = "memory.memAvailSwap"
+    oid = "UCD-SNMP-MIB::memAvailSwapX.0"
+  [[inputs.snmp.field]]
+    name = "memory.memTotalReal"
+    oid = "UCD-SNMP-MIB::memTotalRealX.0"
+  [[inputs.snmp.field]]
+    name = "memory.memAvailReal"
+    oid = "UCD-SNMP-MIB::memAvailRealX.0"
+  [[inputs.snmp.field]]
+    name = "memory.memTotalFree"
+    oid = "UCD-SNMP-MIB::memTotalFreeX.0"
+  [[inputs.snmp.field]]
+    name = "memory.memMinimumSwap"
+    oid = "UCD-SNMP-MIB::memMinimumSwapX.0"
+  [[inputs.snmp.field]]
+    name = "memory.memShared"
+    oid = "UCD-SNMP-MIB::memSharedX.0"
+  [[inputs.snmp.field]]
+    name = "memory.memBuffer"
+    oid = "UCD-SNMP-MIB::memBufferX.0"
+  [[inputs.snmp.field]]
+    name = "memory.memCached"
+    oid = "UCD-SNMP-MIB::memCachedX.0"
+
+  # --- HOST-RESOURCES-MIB: System ---
+  [[inputs.snmp.field]]
+    name = "hrSystem.hrSystemUptime"
+    oid = "HOST-RESOURCES-MIB::hrSystemUptime.0"
+  [[inputs.snmp.field]]
+    name = "hrSystem.hrSystemNumUsers"
+    oid = "HOST-RESOURCES-MIB::hrSystemNumUsers.0"
+  [[inputs.snmp.field]]
+    name = "hrSystem.hrSystemProcesses"
+    oid = "HOST-RESOURCES-MIB::hrSystemProcesses.0"
+
+  # --- SYNOLOGY-SYSTEM-MIB ---
+  [[inputs.snmp.field]]
+    name = "synoSystem.systemStatus"
+    oid = "SYNOLOGY-SYSTEM-MIB::systemStatus.0"
+  [[inputs.snmp.field]]
+    name = "synoSystem.temperature"
+    oid = "SYNOLOGY-SYSTEM-MIB::temperature.0"
+  [[inputs.snmp.field]]
+    name = "synoSystem.powerStatus"
+    oid = "SYNOLOGY-SYSTEM-MIB::powerStatus.0"
+  [[inputs.snmp.field]]
+    name = "synoSystem.systemFanStatus"
+    oid = "SYNOLOGY-SYSTEM-MIB::systemFanStatus.0"
+  [[inputs.snmp.field]]
+    name = "synoSystem.cpuFanStatus"
+    oid = "SYNOLOGY-SYSTEM-MIB::cpuFanStatus.0"
+  [[inputs.snmp.field]]
+    name = "synoSystem.modelName"
+    oid = "SYNOLOGY-SYSTEM-MIB::modelName.0"
+  [[inputs.snmp.field]]
+    name = "synoSystem.serialNumber"
+    oid = "SYNOLOGY-SYSTEM-MIB::serialNumber.0"
+  [[inputs.snmp.field]]
+    name = "synoSystem.version"
+    oid = "SYNOLOGY-SYSTEM-MIB::version.0"
+  [[inputs.snmp.field]]
+    name = "synoSystem.upgradeAvailable"
+    oid = "SYNOLOGY-SYSTEM-MIB::upgradeAvailable.0"
+
+  # --- Tables: Load ---
+  [[inputs.snmp.table]]
+    oid = "UCD-SNMP-MIB::laTable"
+    name = "snmp.Synology.load"
+    [[inputs.snmp.table.field]]
+      oid = "UCD-SNMP-MIB::laNames"
+      is_tag = true
+
+  # --- Tables: Network ---
+  [[inputs.snmp.table]]
+    oid = "IF-MIB::ifTable"
+    name = "snmp.Synology.network"
+    [[inputs.snmp.table.field]]
+      oid = "IF-MIB::ifDescr"
+      is_tag = true
+  [[inputs.snmp.table]]
+    oid = "IF-MIB::ifXTable"
+    name = "snmp.Synology.network"
+    [[inputs.snmp.table.field]]
+      oid = "IF-MIB::ifName"
+      is_tag = true
+
+  # --- Tables: Volume ---
+  [[inputs.snmp.table]]
+    oid = "HOST-RESOURCES-MIB::hrStorageTable"
+    name = "snmp.Synology.volume"
+    [[inputs.snmp.table.field]]
+      oid = "HOST-RESOURCES-MIB::hrStorageDescr"
+      is_tag = true
+
+  # --- Tables: Disk ---
+  [[inputs.snmp.table]]
+    oid = "SYNOLOGY-DISK-MIB::diskTable"
+    name = "snmp.Synology.disk"
+    [[inputs.snmp.table.field]]
+      oid = "SYNOLOGY-DISK-MIB::diskID"
+      is_tag = true
+
+  # --- Tables: RAID ---
+  [[inputs.snmp.table]]
+    oid = "SYNOLOGY-RAID-MIB::raidTable"
+    name = "snmp.Synology.raid"
+    [[inputs.snmp.table.field]]
+      oid = "SYNOLOGY-RAID-MIB::raidName"
+      is_tag = true
+
+  # --- Tables: SSD Cache ---
+  [[inputs.snmp.table]]
+    oid = "SYNOLOGY-FLASHCACHE-MIB::flashCacheTable"
+    name = "snmp.Synology.cache"
+    [[inputs.snmp.table.field]]
+      oid = "SYNOLOGY-FLASHCACHE-MIB::flashCacheSpaceDev"
+      is_tag = true
+
+  # --- Tables: S.M.A.R.T. ---
+  [[inputs.snmp.table]]
+    oid = "SYNOLOGY-SMART-MIB::diskSMARTTable"
+    name = "snmp.Synology.smart"
+    [[inputs.snmp.table.field]]
+      oid = "SYNOLOGY-SMART-MIB::diskSMARTInfoDevName"
+      is_tag = true
+    [[inputs.snmp.table.field]]
+      oid = "SYNOLOGY-SMART-MIB::diskSMARTAttrName"
+      is_tag = true
+
+  # --- Tables: Space IO ---
+  [[inputs.snmp.table]]
+    oid = "SYNOLOGY-SPACEIO-MIB::spaceIOTable"
+    name = "snmp.Synology.spaceIO"
+    [[inputs.snmp.table.field]]
+      oid = "SYNOLOGY-SPACEIO-MIB::spaceIODevice"
+      is_tag = true
+
+  # --- Tables: Storage IO ---
+  [[inputs.snmp.table]]
+    oid = "SYNOLOGY-STORAGEIO-MIB::storageIOTable"
+    name = "snmp.Synology.storageIO"
+    [[inputs.snmp.table.field]]
+      oid = "SYNOLOGY-STORAGEIO-MIB::storageIODevice"
+      is_tag = true
+
+  # --- Tables: eBox ---
+  [[inputs.snmp.table]]
+    name = "snmp.Synology.ebox"
+    oid = "SYNOLOGY-EBOX-MIB::eboxTable"
+    [[inputs.snmp.table.field]]
+      name = "snmp.Synology.ebox.eboxIndex"
+      oid = "SYNOLOGY-EBOX-MIB::eboxIndex"
+    [[inputs.snmp.table.field]]
+      name = "snmp.Synology.ebox.eboxModel"
+      oid = "SYNOLOGY-EBOX-MIB::eboxModel"
+    [[inputs.snmp.table.field]]
+      name = "snmp.Synology.ebox.eboxPower"
+      oid = "SYNOLOGY-EBOX-MIB::eboxPower"
+    [[inputs.snmp.table.field]]
+      name = "snmp.Synology.ebox.eboxRedundantPower"
+      oid = "SYNOLOGY-EBOX-MIB::eboxRedundantPower"
+
+  # --- Tables: Flash Cache ---
+  [[inputs.snmp.table]]
+    name = "snmp.Synology.flashcache"
+    oid = "SYNOLOGY-FLASHCACHE-MIB::flashCacheTable"
+    [[inputs.snmp.table.field]]
+      name = "flashCacheIndex"
+      oid = "SYNOLOGY-FLASHCACHE-MIB::flashCacheIndex"
+    [[inputs.snmp.table.field]]
+      name = "flashCacheSSDDev"
+      oid = "SYNOLOGY-FLASHCACHE-MIB::flashCacheSSDDev"
+    [[inputs.snmp.table.field]]
+      name = "flashCacheSpaceDev"
+      oid = "SYNOLOGY-FLASHCACHE-MIB::flashCacheSpaceDev"
+    [[inputs.snmp.table.field]]
+      name = "flashCacheReadHits"
+      oid = "SYNOLOGY-FLASHCACHE-MIB::flashCacheReadHits"
+    [[inputs.snmp.table.field]]
+      name = "flashCacheWriteHits"
+      oid = "SYNOLOGY-FLASHCACHE-MIB::flashCacheWriteHits"
+    [[inputs.snmp.table.field]]
+      name = "flashCacheTotalRead"
+      oid = "SYNOLOGY-FLASHCACHE-MIB::flashCacheTotalRead"
+    [[inputs.snmp.table.field]]
+      name = "flashCacheTotalWrite"
+      oid = "SYNOLOGY-FLASHCACHE-MIB::flashCacheTotalWrite"
+    [[inputs.snmp.table.field]]
+      name = "flashCacheReadHitRate"
+      oid = "SYNOLOGY-FLASHCACHE-MIB::flashCacheReadHitRate"
+    [[inputs.snmp.table.field]]
+      name = "flashCacheWriteHitRate"
+      oid = "SYNOLOGY-FLASHCACHE-MIB::flashCacheWriteHitRate"
+    [[inputs.snmp.table.field]]
+      name = "flashCacheSsdUuid"
+      oid = "SYNOLOGY-FLASHCACHE-MIB::flashCacheSsdUuid"
+
+  # --- Tables: GPU ---
+  [[inputs.snmp.table]]
+    name = "snmp.Synology.gpu"
+    [[inputs.snmp.table.field]]
+      name = "gpuUtilization"
+      oid = "SYNOLOGY-GPUINFO-MIB::gpuUtilization"
+    [[inputs.snmp.table.field]]
+      name = "gpuMemoryUtilization"
+      oid = "SYNOLOGY-GPUINFO-MIB::gpuMemoryUtilization"
+    [[inputs.snmp.table.field]]
+      name = "gpuMemoryFree"
+      oid = "SYNOLOGY-GPUINFO-MIB::gpuMemoryFree"
+    [[inputs.snmp.table.field]]
+      name = "gpuMemoryUsed"
+      oid = "SYNOLOGY-GPUINFO-MIB::gpuMemoryUsed"
+    [[inputs.snmp.table.field]]
+      name = "gpuMemoryTotal"
+      oid = "SYNOLOGY-GPUINFO-MIB::gpuMemoryTotal"
+
+  # --- Tables: iSCSI LUN ---
+  [[inputs.snmp.table]]
+    name = "snmp.Synology.iscsilun"
+    oid = "SYNOLOGY-ISCSILUN-MIB::iSCSILUNTable"
+    [[inputs.snmp.table.field]]
+      name = "iSCSILUNInfoIndex"
+      oid = "SYNOLOGY-ISCSILUN-MIB::iSCSILUNInfoIndex"
+    [[inputs.snmp.table.field]]
+      name = "iSCSILUNUUID"
+      oid = "SYNOLOGY-ISCSILUN-MIB::iSCSILUNUUID"
+    [[inputs.snmp.table.field]]
+      name = "iSCSILUNName"
+      oid = "SYNOLOGY-ISCSILUN-MIB::iSCSILUNName"
+    [[inputs.snmp.table.field]]
+      name = "iSCSILUNThroughputReadHigh"
+      oid = "SYNOLOGY-ISCSILUN-MIB::iSCSILUNThroughputReadHigh"
+    [[inputs.snmp.table.field]]
+      name = "iSCSILUNThroughputReadLow"
+      oid = "SYNOLOGY-ISCSILUN-MIB::iSCSILUNThroughputReadLow"
+    [[inputs.snmp.table.field]]
+      name = "iSCSILUNThroughputWriteHigh"
+      oid = "SYNOLOGY-ISCSILUN-MIB::iSCSILUNThroughputWriteHigh"
+    [[inputs.snmp.table.field]]
+      name = "iSCSILUNThroughputWriteLow"
+      oid = "SYNOLOGY-ISCSILUN-MIB::iSCSILUNThroughputWriteLow"
+    [[inputs.snmp.table.field]]
+      name = "iSCSILUNIopsRead"
+      oid = "SYNOLOGY-ISCSILUN-MIB::iSCSILUNIopsRead"
+    [[inputs.snmp.table.field]]
+      name = "iSCSILUNIopsWrite"
+      oid = "SYNOLOGY-ISCSILUN-MIB::iSCSILUNIopsWrite"
+
+  # --- Tables: iSCSI Target ---
+  [[inputs.snmp.table]]
+    name = "snmp.Synology.iscsitarget"
+    oid = "SYNOLOGY-ISCSITarget-MIB::iSCSITargetTable"
+    [[inputs.snmp.table.field]]
+      name = "iSCSITargetName"
+      oid = "SYNOLOGY-ISCSITarget-MIB::iSCSITargetName"
+    [[inputs.snmp.table.field]]
+      name = "iSCSITargetIQN"
+      oid = "SYNOLOGY-ISCSITarget-MIB::iSCSITargetIQN"
+    [[inputs.snmp.table.field]]
+      name = "iSCSITargetConnectionStatus"
+      oid = "SYNOLOGY-ISCSITarget-MIB::iSCSITargetConnectionStatus"
+
+  # --- Tables: Services ---
+  [[inputs.snmp.table]]
+    name = "snmp.Synology.services"
+    oid = "SYNOLOGY-SERVICES-MIB::serviceTable"
+    [[inputs.snmp.table.field]]
+      name = "serviceName"
+      oid = "SYNOLOGY-SERVICES-MIB::serviceName"
+      is_tag = true
+    [[inputs.snmp.table.field]]
+      name = "serviceUsers"
+      oid = "SYNOLOGY-SERVICES-MIB::serviceUsers"
+
+  # --- HA ---
+  [[inputs.snmp.field]]
+    name = "ha.activeNodeName"
+    oid = "SYNOLOGY-SHA-MIB::activeNodeName"
+  [[inputs.snmp.field]]
+    name = "ha.passiveNodeName"
+    oid = "SYNOLOGY-SHA-MIB::passiveNodeName"
+  [[inputs.snmp.field]]
+    name = "ha.clusterAutoFailover"
+    oid = "SYNOLOGY-SHA-MIB::clusterAutoFailover"
+  [[inputs.snmp.field]]
+    name = "ha.clusterName"
+    oid = "SYNOLOGY-SHA-MIB::clusterName"
+  [[inputs.snmp.field]]
+    name = "ha.clusterStatus"
+    oid = "SYNOLOGY-SHA-MIB::clusterStatus"
+  [[inputs.snmp.field]]
+    name = "ha.heartbeatStatus"
+    oid = "SYNOLOGY-SHA-MIB::heartbeatStatus"
+  [[inputs.snmp.field]]
+    name = "ha.heartbeatTxRate"
+    oid = "SYNOLOGY-SHA-MIB::heartbeatTxRate"
+  [[inputs.snmp.field]]
+    name = "ha.heartbeatLatency"
+    oid = "SYNOLOGY-SHA-MIB::heartbeatLatency"
+{% endif %}

roles/wireguard/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+wireguard_endpoint: "tunnel.sascha-lutz.de:51820"
+wireguard_vps_pubkey: "{{ vault_wireguard_vps_pubkey }}"
+wireguard_mtu: 1420
+wireguard_persistent_keepalive: 25

roles/wireguard/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart wireguard
+  systemd:
+    name: wg-quick@wg0
+    state: restarted

roles/wireguard/tasks/main.yml

@@ -0,0 +1,32 @@
+---
+- name: WireGuard und resolvconf installieren
+  apt:
+    name:
+      - wireguard
+      - resolvconf
+    state: present
+    update_cache: yes
+
+- name: WireGuard Config deployen
+  copy:
+    dest: /etc/wireguard/wg0.conf
+    content: |
+      [Interface]
+      PrivateKey = {{ wireguard_private_key }}
+      Address = {{ wireguard_address }}
+      DNS = 8.8.8.8
+      MTU = {{ wireguard_mtu }}
+
+      [Peer]
+      PublicKey = {{ wireguard_vps_pubkey }}
+      Endpoint = {{ wireguard_endpoint }}
+      AllowedIPs = {{ wireguard_allowed_ips }}
+      PersistentKeepalive = {{ wireguard_persistent_keepalive }}
+    mode: "0600"
+  notify: restart wireguard
+
+- name: WireGuard aktivieren und starten
+  systemd:
+    name: wg-quick@wg0
+    enabled: true
+    state: started