monitoring: extend ifInErrors alert to non-snmp devices

also automatically clear alarm after 2 hours because linux devices have
no way to clear the nic error counters

.gitignore

@@ -1,2 +1,3 @@
 ansible-facts.json/
+switch-configs-stock/
 *.html

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "roles/gekmihesg.openwrt"]
+	path = roles/gekmihesg.openwrt
+	url = https://github.com/gekmihesg/ansible-openwrt.git

README.md

@@ -1,11 +1,18 @@
-# Freifunk Leipzig - Erstaufnahme Einrichtung - Am Deutschen Platz
+# Freifunk Leipzig - Erstaufnahme Einrichtungen
 
-This repo contains the config and documentation for our installation at the "Erstaufnahme Einrichtung - Am Deutschen Platz"
+This repo contains the config and documentation for our installations at
+* `Am Deutschen Platz`
+* `Arno-Nitzsche-Straße`
 
 ---
 
 **this is a work in progress**
 
+* this repo was created for `Am Deutschen Platz` and was then reused for `Arno-Nitzsche-Straße`
+* therefore the ansible stuff is a bit smelly
+* there is a lot of documentation missing for the `Arno-Nitzsche-Straße`
+* ...
+
 ---
 
 ## Quick Links
@@ -27,7 +34,7 @@ This repo contains the config and documentation for our installation at the "Ers
 ### Initial Setup
 
 0. install requirements
-1. clone repo and change directory:    `git clone https://git.sr.ht/~hirnpfirsich/ffl-eae-adp && cd ffl-aea-adp`
+1. clone repo and change directory:    `git clone --recurse-submodules https://git.sr.ht/~hirnpfirsich/ffl-eae-adp && cd ffl-aea-adp`
 2. create python3 virtual enviroment:  `python3 -m venv ansible-environment`
 3. enter python3 virtual environment:  `. ansible-environment/bin/activate`
 4. install ansible and dependencies:   `pip3 install -r ansible-environment.txt`
@@ -46,6 +53,30 @@ Should something in the inventory change or you want to use/change the jumphost
 
 Passwords managed using `pass`. Simply call `pass` after sourcing the environment.
 
+### Monitoring
+
+Initially we've deployed the monitoring on `monitoring01` (that lives on `hyper01` in `Am Deutschen Platz`).
+
+After deploying the second camp we've decided to move the monitoring into the `cloud`.
+The new monitoring stack runs on `eae-adp-jump01`.
+Unfortunately `prometheus` crashes every few hours on `openbsd`.
+So there is a cronjob restarting `prometheus` every 2 hours on `eae-adp-jump01`.
+
+As soon as someone finds the time we will move the monitoring stack onto a normal linux machine.
+
+* old monitoring: `monitoring01   - 10.84.1.51`
+	* is not getting new configs via ansible
+	* rocks an old version of the grafana dashboard
+	* the facility management still has a link to this instance
+* new monitoring: `eae-adp-jump01 - 10.84.254.0`
+
+Both stacks offer the following services:
+* `prometheus`:   `tcp/9090`
+* `alertmanager`: `tcp/9093`
+* `grafana`:      `tcp/3000`
+
+Use `ssh -D 8888 eae-adp-jump01` an configure this socks proxy in your favorite browser to visit the webguis.
+
 ### Descriptions
 
 * `environment`:                             configure environment (path to `pass` store, http(s) socks proxy and python venv for ansible)

ansible-environment.txt

@@ -1,13 +1,14 @@
-ansible==6.0.0
-ansible-core==2.13.1
+ansible==6.1.0
+ansible-core==2.13.2
 certifi==2022.6.15
 cffi==1.15.1
 charset-normalizer==2.1.0
-cryptography==37.0.2
+cryptography==37.0.4
 idna==3.3
 Jinja2==3.1.2
 MarkupSafe==2.1.1
 packaging==21.3
+pkg_resources==0.0.0
 proxmoxer==1.3.1
 pycparser==2.21
 pyparsing==3.0.9
@@ -15,4 +16,4 @@ PySocks==1.7.1
 PyYAML==6.0
 requests==2.28.1
 resolvelib==0.8.1
-urllib3==1.26.9
+urllib3==1.26.10

ansible-inventory

@@ -1,21 +1,187 @@
 [accesspoints]
-ap-c5d1 ip=10.84.1.33 channel_2g=1  channel_5g=36  # Office
-ap-8f42 ip=10.84.1.36 channel_2g=6  channel_5g=40  # Tent 1
-ap-0b99 ip=10.84.1.32 channel_2g=11 channel_5g=44  # Tent 2
-ap-c495 ip=10.84.1.34 channel_2g=1  channel_5g=48  # Tent 3
-ap-2bbf ip=10.84.1.30 channel_2g=11 channel_5g=149 # Tent 4
-ap-1a38 ip=10.84.1.35 channel_2g=6  channel_5g=153 # Tent 5
+ap-c5d1 ip=10.84.1.33 location=office-social2  channel_2g=1  channel_5g=36  txpower_2g=12 txpower_5g=13
+ap-ac7c ip=10.84.1.31 location=office-social1  channel_2g=11 channel_5g=161 txpower_2g=12 txpower_5g=13
+ap-8f42 ip=10.84.1.36 location=tent-1          channel_2g=6  channel_5g=40
+ap-0b99 ip=10.84.1.32 location=tent-2          channel_2g=11 channel_5g=44
+ap-c495 ip=10.84.1.34 location=tent-3          channel_2g=1  channel_5g=48
+ap-2bbf ip=10.84.1.30 location=tent-4          channel_2g=11 channel_5g=149
+ap-1a38 ip=10.84.1.35 location=tent-5          channel_2g=6  channel_5g=153
+ap-8f39 ip=10.84.1.37 location=tent-5          channel_2g=1  channel_5g=157
+ap-1293 ip=10.84.1.38 location=office-facility channel_2g=1  channel_5g=100 txpower_2g=6 txpower_5g=7
+
+ap-b62f ip=10.85.1.31 location=tent-1          channel_2g=1  channel_5g=36  txpower_2g=15 txpower_5g=20
+ap-b656 ip=10.85.1.35 location=tent-1          channel_2g=6  channel_5g=140 txpower_2g=15 txpower_5g=20
+ap-b6ee ip=10.85.1.32 location=office-security channel_2g=1  channel_5g=48  txpower_2g=12 txpower_5g=13
+ap-b5df ip=10.85.1.38 location=office-social   channel_2g=11 channel_5g=153 txpower_2g=12 txpower_5g=13
+ap-b6cb ip=10.85.1.33 location=office-facility channel_2g=6  channel_5g=60  txpower_2g=12 txpower_5g=13
+ap-b641 ip=10.85.1.30 location=tent-2          channel_2g=1  channel_5g=136 txpower_2g=15 txpower_5g=20
+ap-b6d7 ip=10.85.1.34 location=tent-2          channel_2g=6  channel_5g=104 txpower_2g=15 txpower_5g=20
+ap-b644 ip=10.85.1.36 location=tent-2          channel_2g=11 channel_5g=124 txpower_2g=15 txpower_5g=20
+ap-b634 ip=10.85.1.37 location=tent-3          channel_2g=1  channel_5g=116 txpower_2g=15 txpower_5g=20
+ap-b6cc ip=10.85.1.39 location=tent-3          channel_2g=6  channel_5g=40  txpower_2g=15 txpower_5g=20
+ap-b682 ip=10.85.1.40 location=tent-3          channel_2g=11 channel_5g=64  txpower_2g=15 txpower_5g=20
+
+ap-116e ip=10.86.1.31 location=p203            disable_2g=1   channel_5g=48  txpower_2g=17 txpower_5g=20
+ap-11c4 ip=10.86.1.32 location=office-security channel_2g=1   channel_5g=36  txpower_2g=17 txpower_5g=20
+ap-1202 ip=10.86.1.33 location=p201            disable_2g=1   channel_5g=153 txpower_2g=17 txpower_5g=20
+ap-12a8 ip=10.86.1.34 location=p104            channel_2g=11  channel_5g=60  txpower_2g=17 txpower_5g=20
+ap-13ac ip=10.86.1.35 location=p106            disable_2g=1   channel_5g=116 txpower_2g=17 txpower_5g=20
+ap-144c ip=10.86.1.36 location=p108            channel_2g=1   channel_5g=140 txpower_2g=17 txpower_5g=20
+ap-12c2 ip=10.86.1.37 location=p207            disable_2g=1   channel_5g=128 txpower_2g=17 txpower_5g=20
+ap-16bc ip=10.86.1.38 location=p205            channel_2g=6   channel_5g=104 txpower_2g=17 txpower_5g=20
+ap-1374 ip=10.86.1.39 location=kitchen-og      disable_2g=1   channel_5g=153 txpower_2g=17 txpower_5g=20
+
+[accesspoints:vars]
+ansible_remote_tmp=/tmp
+garet_profile=aruba-ap-105_22.03
+garet_release=9974455
+
+[aptype_aruba_ap_303]
+ap-11c4
+ap-116e
+ap-1202
+ap-12a8
+ap-13ac
+ap-144c
+ap-12c2
+ap-16bc
+ap-1374
+
+[aptype_aruba_ap_105]
+ap-c5d1
+ap-ac7c
+ap-8f42
+ap-0b99
+ap-c495
+ap-2bbf
+ap-1a38
+ap-8f39
+ap-1293
+ap-b62f
+ap-b656
+ap-b6ee
+ap-b5df
+ap-b6cb
+ap-b641
+ap-b6d7
+ap-b644
+ap-b634
+ap-b6cc
+ap-b682
 
 [switches]
-sw-access01 ip=10.84.1.11 
-sw-access02 ip=10.84.1.12 
+sw-access01 ip=10.84.1.11 base_mac=bc:cf:4f:e3:bb:8d location=office-social2
+sw-access02 ip=10.84.1.12 base_mac=bc:cf:4f:e3:ac:39 location=tent-5
+sw-access04 ip=10.84.1.14 base_mac=5c:e2:8c:6a:7f:cc location=tent-2
+
+[switches_stock]
+ffl-ans-sw-distribution01 ip=10.85.1.11 base_mac=5c:e2:8c:60:82:fb sw_type=gs1900-10hp   location=office-facility
+ffl-ans-sw-access01       ip=10.85.1.12 base_mac=04:bf:6d:15:c6:b3 sw_type=gs1900-10hp   location=tent-1
+ffl-ans-sw-access02       ip=10.85.1.13 base_mac=04:bf:6d:15:c6:92 sw_type=gs1900-10hp   location=tent-2
+sax-rgs-sw-access01       ip=10.86.1.11                            sw_type=s2800s-8t2f-p location=p104
+sax-rgs-sw-access02       ip=10.86.1.12                            sw_type=s2800s-8t2f-p location=p204
 
 [gateways]
-gw-core01 ip=10.84.1.1
+gw-core01         ip=10.84.1.1
+ffl-ans-gw-core01 ip=10.85.1.1
+sax-rgs-gw-core01 ip=10.86.1.1 garet_profile=sophos-sg-xxx_22.03 garet_release=601bc29
+
+[gateways:vars]
+ansible_remote_tmp=/tmp
+garet_profile=sophos-sg-125r2_22.03
+garet_release=89cbd27
 
 [server]
 hyper01 ip=10.84.1.21 
 
 [vms]
 eae-adp-jump01 ip=162.55.53.85 monitoring_ip=10.84.254.0 ansible_python_interpreter=/usr/local/bin/python3
-monitoring01 ip=10.84.1.51
+
+[container]
+monitoring01      ip=10.84.1.51  cpus=2 disk=50 memory=1024 net='{"net0":"name=eth0,ip=10.84.1.51/24,gw=10.84.1.1,bridge=vmbr0"}'
+mon-e2e-clients01 ip=10.84.7.30  cpus=1 disk=10 memory=256  net='{"net0":"name=eth0,ip=dhcp,bridge=vmbr1"}'
+mon-e2e-wan01     ip=192.168.0.3 cpus=1 disk=10 memory=256  net='{"net0":"name=eth0,ip=dhcp,bridge=vmbr3"}'
+
+[container:vars]
+ostemplate=local:vztmpl/debian-11-standard_11.3-1_amd64.tar.zst
+
+[openwrt:children]
+switches
+
+[site_adp]
+ap-c5d1
+ap-ac7c
+ap-8f42
+ap-0b99
+ap-c495
+ap-2bbf
+ap-1a38
+ap-8f39
+ap-1293
+sw-access01
+sw-access02
+sw-access04
+gw-core01
+hyper01
+monitoring01
+mon-e2e-clients01
+mon-e2e-wan01
+
+[site_adp:vars]
+wifi_ssid="GU Deutscher Platz"
+wifi_encryption=none
+backoffice_wifi_ssid="GU Deutscher Platz Backoffice"
+backoffice_wifi_encryption=psk2
+backoffice_wifi_psk="{{ lookup('passwordstore', 'wifi/GU_Deutscher_Platz_Backoffice') }}"
+site=adp
+
+[site_ans]
+ap-b641
+ap-b62f
+ap-b6ee
+ap-b6cb
+ap-b6d7
+ap-b656
+ap-b644
+ap-b634
+ap-b5df
+ap-b682
+ap-b6cc
+ffl-ans-gw-core01
+ffl-ans-sw-distribution01
+ffl-ans-sw-access01
+ffl-ans-sw-access02
+
+[site_ans:vars]
+wifi_ssid="GU Arno-Nitzsche-Strasse"
+wifi_encryption=none
+wifi_disabled=0
+backoffice_wifi_ssid="GU Arno-Nitzsche-Strasse BO"
+backoffice_wifi_encryption=psk2
+backoffice_wifi_psk="{{ lookup('passwordstore', 'wifi/GU_Arno-Nitzsche-Straße_Backoffice') }}"
+mgmt_gateway=10.85.1.1
+site=ans
+
+[site_rgs]
+sax-rgs-sw-access01
+sax-rgs-sw-access02
+sax-rgs-gw-core01
+ap-11c4
+ap-116e
+ap-1202
+ap-12a8
+ap-13ac
+ap-144c
+ap-12c2
+ap-16bc
+ap-1374
+
+[site_rgs:vars]
+wifi_ssid="{{ lookup('passwordstore', 'wifi/site_rgs_ssid') }}"
+wifi_encryption=none
+wifi_disabled=0
+backoffice_wifi_ssid="{{ lookup('passwordstore', 'wifi/site_rgs_backoffice_ssid') }}"
+backoffice_wifi_encryption=psk2
+backoffice_wifi_psk="{{ lookup('passwordstore', 'wifi/site_rgs_backoffice') }}"
+mgmt_gateway=10.86.1.1
+site=rgs

ansible.cfg

@@ -4,3 +4,4 @@ interpreter_python=/usr/bin/python3
 gathering=smart
 fact_caching=jsonfile
 fact_caching_connection=ansible-facts.json
+callbacks_enabled = ansible.posix.profile_tasks

documentation/EAE-ANS.drawio

@@ -0,0 +1 @@
+<mxfile host="app.diagrams.net" modified="2023-03-14T01:11:23.043Z" agent="5.0 (X11)" etag="HeUGzaMI0PEll7OsNIGH" version="21.0.6" type="device"><diagram name="Page-1" id="YwlCLJMcKuBeH3aDT3El">7R3bcqM49mvy6BQS98e2k57tquntbGe2ZvepC4NiM0OMC5N2sl+/EkgYkAC5zUWJ6U6VrSMh4Nx1zpF8o6+eX39LvP32axyg6AZqweuNfncDITRMDX8QyFsOcSwK2CRhkIPACfAY/g9RIBv2EgboUBmYxnGUhvsq0I93O+SnFZiXJPGxOuwpjqp33XsbxAEefS/ioX+GQbqlb8Fei8D/gcLNlt0ZaLTn2WODKeCw9YL4WALp9zf6KonjNP/2/LpCEUEew0t+3eeG3uLBErRLZS5w7N/sf23saPH564/7ryvwLbzbL4BOn+6nF73QV6aPm74xHCTxyy5AZBrtRl8et2GKHveeT3qPmOoYtk2fI9wC+CudDiUpem18UlC8P2YcFD+jNHnDQ9gFNn0oyjOQtY8nCkBGgW0J+wXQo1TfFHOfEIO/UNycgyfoqo8n4EjiyR0OTc47QJMmiSZnMDQBCW5Cu+ATUWC4tYt3GLgMvMM2wxuo4ojAH7w0Rckug0BNx9BDmsR/F0oL42dZRXx+QxRw+q8TryW8idDGYAmKvDT8WZ1ehEt6h4c4xDcuyLbQG7QAm+IQvyQ+oleVFV9tItfomCj1kg1KuYky0havfQm1JYRipnaDLruU2txEg1Pbnql9NrW1vqhdn2hwaps9G7ynMIpWcRQn2bX6kxfYnl+QvNSzNixTM/oxkYZuilVkiR3w7Xh+GNDjAtbgmHUDU4RZDxlAhz1h1oAVzOqWwPlgBqKMWWAMh1ljWMyuPd8JdBFmoW4YZnAhZlt4FFgCnTUkj76H1dP03i4clt8CzUcIivjNtExgo57w6tg1SQYcYkUqckhBBgMLsoZ0ZIkQqyFHc5x+EAst+9asoZbn2ZFR63YgMk7SbbyJd170exzvKfr+Qmn6RmNY3ksaV5GLXsP0P+TyW2jS5n9LXXevdOqs8cYanKeIIZ9D8jZ5P/bxHulDnp7p/gSV9gXxy2ZOVwtWmJeQO1UtAy0xwc/zGvF7e2+lAXvixB1KM9d8QWgZVS4yawGx+niotY3HX/In6NVhLKKBgzDWR+croPfBWBwn6FrNZDrurVv+Z1RnbFid9MYjYEgesT88k9jDMAmw+2CSc7WarltnaTXdNtvGD6PVLIfj2G7eGEjvae0sjRsPKAnxG6OkYHP89qWJSLMQDtI4TZW1ZMWjT+aXNbzmhbx/kdekd7ujh79R6m8pgijv4w5zif+0W42EU1bF542JL1llPa7T1UM/Sz1sNr4H5oAqUASzeSDI5oSmACiC2fV7ZwAguHcdBgVA4ZSCe2u1h8R/+pJ46aGPBcxbo+ghPoRpGJOo4jpO0/i5Klts7Kco3JAxKZHJpXfY50nWp/CVSO7So90+5mgiTzlJUXL/E+WUJXMdtt6ekP/5dUOSxLd+ePBj4N4m2VzLffLFz54jgj8OxzBjj/pK5PMn8l+4EtFMzdZ7WonUdCcUZIraoqK9C5REoGYWqFmglBUosyZPggT1qPIkE6/bYL9k3/jutM7EW7Ph2rk4AW51sWHogmCHACn1rGVvSJGIs/N6Rc/kgfimFREjkWyxHrjVjRrYgYKxri2aOJd8y+YGU33E6QSR+GuwYXRtcjnRrujdkeX8GGJ/Dh0OPzzfJx/ZtbyMF5JclXHqq0qJd4sUNQv9tDIuKq2wIoKeNf6yIV+8/WJtIcTg+DZFF8f6GDtplcJCbJZRT0Ecieus8RwGQbYSEkVlRQndPon1ViVDh/KBg2lkidzA0BoZ2oppZEOiPOhypLTQo7UuYFRUAIk15WydZutUFx5VrZMw9y4wT2bwdBXmqYlaqpgnCed4aPOkG9VV1OTmSabCbdbJs06ui5GyOllUnytaMvjrq9DJTdRSRCezRGAbuZ6eooW3OywOx0UQYuyH6xcijhr4aATsWNmwbSssACegHWAViuMQT2J5XiJerq6ujWy1TLMuMPgAWiNSjbHIRPndm1J2t8j1NpUsiHO5p+xtUy4Xt/jEcEf9gyCZnCNq1KSvIWamcXK+hjEla4CZNVpZY9JyAGZsJs22KBbaMyVKdue107x2qkuRqmsnUxS/F62d4HXEs5qopcjayZQIpw+tklXLf5sSVTYDZVvMhnrmyVAhsZtxtk6zdaoLj7LWSRS+F1knMvAarFMDtRSxTuxm864rUcise7HXYHcv3PhgVe21LnkOx7kbHWo7+UfZt2AOus3v3e60kWa4S8MLYk4A2jgcB6bYAGhJJE8HL3jSqwHmYh97V4B5uJRyN1LaC92bysolnEHhOGDkDiL9LLuqptnSlfWwIYL5nFPPuyghx5yYTzJQ/XiLjDQXRDjTepUWv0piKavNceHHCdL4HZxquI5P8S5ldgT0T6BmP3LcfJXNO5KT7UfsMvwjJiV69BEsWR/hUp/0Ij5wJOzK0MbWqDm2k8e7HFHIdg7yzEGeDjFSNcjjiGLaoiAPSVVfQZCniVqKBHmcUcLtHRwLVdPJEoH3gXIQTkNMcDJUzPsRZ/N0nsJrCEMpYp5EAR+hefpwVY5nUUsV8yRxWPPg5slVbMeHI7EhcdbJs06ui5GqOpmVoAh0chD+PKlekZoObLGaLmCVGT6a8m4gqyLK21Ug3mOxQ05UUd7uHO+ZlfdZUu4qHe9xZeM9vn8VDnUTtVTRyQrEe2xLNZ08XbzHVSze487xntk8nafwlI73uLLxHv060hFN1FLFPCkQ73F0xeI97hzvmXXyeVKudLynqCjtVMoOvA6lrHYcB2gqBHI0WNHKotNrx62SlVg0zMdBz8dBT3gcdJs0K1vPa0gYB/5MmuswFI20U6XUF2g6h/TLK3klTvfgT6aBHeePiH56ZMx9PdR8dJbs5gWiU9XsAo0/UWYign4Uek7yc2wmUw1sd5Vm1nhjgN1VgN5kGuY5a4vpmJzCLFw3qzQcxzosq1hsfTjmRjyg2ROwSifVf2n76BSs4l5qJRp4oXYYe3H4Xc+bP+3ayVAj8Rz/Q2mjqaezzkp7L7bNncS22e4ktm2I3eq/xDwfxdN1LzV3F/72hWjhWaMwT6DAO2wzkoMqKQn8wUsxyncZBGqnOO+fdHkGG5aG3VhvTRi3LdcvtAcLvSpqZn0l2WAPuIlco2OinFu4iXoTX0bcErVX377fcxRXI2SQxKlH41ekXPJXtg53JL1qRc4AUn+sI+hc9wd6FEe+sOjuy+Mf378s//3Hl2//nAmVt6HgtIiRCcWXFH1are4fH2cSUdQLUhUjk4jPVSy/fb+7/z6TKG8bfNB7ZApJ1F3NzkfVZ+jL9xjb9dB514Oj9diHDskeaj9YNlUCJ/OZQ1dz5hCVEWWTlOzAlRK7bsKN57+skaImtaezhhoJM3wGEjeTOE7Lypgw7tc4QGTE/wE=</diagram></mxfile>

documentation/OVERVIEW.md

@@ -9,19 +9,35 @@ Diagram:
 IPAM / Device Overview:
 -----------------------
 
-| Name           | Location  | MGMT IPv4    | MAC                 | Device               | Notes |
-| -------------- | --------- | ------------ | ------------------- | -------------------- | ----- |
-| `gw-core01`    | Büro      | `10.84.1.1`  | `78:8a:20:bd:b6:ae` | Ubiquiti EdgeRouterX |       |
-| `sw-access01`  | Büro      | `10.84.1.10` | `bc:cf:4f:e3:bb:8d` | Zyxel GS1800-8HP     |       |
-| `sw-access02`  | Zelt 5    | `10.84.1.11` | `bc:cf:4f:e3:ac:39` | Zyxel GS1800-8HP     |       |
-| `hyper01`      | Büro      | `10.84.1.21` | `00:23:24:54:f0:fe` | Lenovo ThinkCentre ? |       |
-| `monitoring01` | `hyper01` | `10.84.1.51` | `16:b9:13:c3:10:5e` | Proxmox VM           |       |
-| `ap-2bbf`      | Zelt 4    | `10.84.1.30` | `24:de:c6:cc:2b:bf` | Aruba AP-105         |       |
-| `ap-1a38`      | Zelt 5    | `10.84.1.35` | `24:de:c6:c3:ac:7c` | Aruba AP-105         |       |
-| `ap-0b99`      | Zelt 2    | `10.84.1.32` | `6c:f3:7f:c9:0b:99` | Aruba AP-105         |       |
-| `ap-c5d1`      | Büro      | `10.84.1.33` | `ac:a3:1e:cf:c5:d1` | Aruba AP-105         |       |
-| `ap-c495`      | Zelt 3    | `10.84.1.34` | `ac:a3:1e:cf:c4:95` | Aruba AP-105         |       |
-| `ap-8f42`      | Zelt 1    | `10.84.1.36` | `d8:c7:c8:c2:8f:42` | Aruba AP-105         |       |
+| Name                | Location     | MGMT IPv4     | MAC                 | Device               | Notes                                             |
+| ------------------- | ------------ | ------------- | ------------------- | -------------------- | ------------------------------------------------- |
+| `gigacube-2001`     | Büro         | `192.168.0.1` | `c8:ea:f8:b6:e9:50` | ZTE MF289F/Gigacube  | property of Saxonia Catering/rental from Vodafone |
+| `gw-core01`         | Büro         | `10.84.1.1`   | `00:1a:8c:48:b3:98` | Sophos SG125r2       |                                                   |
+| `sw-access01`       | Büro         | `10.84.1.11`  | `bc:cf:4f:e3:bb:8d` | Zyxel GS1800-8HP     |                                                   |
+| `sw-access02`       | Zelt 5       | `10.84.1.12`  | `bc:cf:4f:e3:ac:39` | Zyxel GS1800-8HP     |                                                   |
+| `sw-access03`       | Sozialarbeit | /             | /                   | KTI KGS-510F         | manageable but used as a dumb switch              |
+| `hyper01`           | Büro         | `10.84.1.21`  | `00:23:24:54:f0:fe` | Lenovo ThinkCentre ? |                                                   |
+| `monitoring01`      | `hyper01`    | `10.84.1.51`  | `16:b9:13:c3:10:5e` | Proxmox Container    |                                                   |
+| `mon-e2e-clients01` | `hyper01`    | `10.84.7.30`  | `ca:ac:5a:d0:b6:02` | Proxmox Container    | used for end to end monitoring of the public net  |
+| `ap-2bbf`           | Zelt 4       | `10.84.1.30`  | `24:de:c6:cc:2b:bf` | Aruba AP-105         |                                                   |
+| `ap-1a38`           | Zelt 5       | `10.84.1.35`  | `18:64:72:cf:1a:38` | Aruba AP-105         |                                                   |
+| `ap-ac7c`           | Sozialarbeit | `10.84.1.31`  | `24:de:c6:c3:ac:7c` | Aruba AP-105         |                                                   |
+| `ap-0b99`           | Zelt 2       | `10.84.1.32`  | `6c:f3:7f:c9:0b:99` | Aruba AP-105         |                                                   |
+| `ap-c5d1`           | Büro         | `10.84.1.33`  | `ac:a3:1e:cf:c5:d1` | Aruba AP-105         |                                                   |
+| `ap-c495`           | Zelt 3       | `10.84.1.34`  | `ac:a3:1e:cf:c4:95` | Aruba AP-105         |                                                   |
+| `ap-8f42`           | Zelt 1       | `10.84.1.36`  | `d8:c7:c8:c2:8f:42` | Aruba AP-105         |                                                   |
+| `ap-8f39`           | Zelt 5       | `10.84.1.37`  | `??:??:??:??:??:??` | Aruba AP-105         |                                                   |
+
+
+Upstream Connectivity:
+----------------------
+
+The gigacube itself only get's an RFC1918 address from Vodafone (CGNAT - no IPv6).
+Our gateway (`gw-core01`) itself also nats, because there is no way to configure additional networks on the gigacube.
+
+Currently the generated traffic is directly routed into the internet - without an vpn tunnel.
+
+Therefore v4 streams get masqueraded 3 times.
 
 Cloud VMs:
 ----------
@@ -34,19 +50,21 @@ Cloud VMs:
 Networks:
 ---------
 
-| Name       | VLAN | v4 Space          | v6 Space | Description                                                           |
-| ---------- | ---- | ----------------- | -------- | --------------------------------------------------------------------- |
-| `mgmt`     |   1  | `10.84.1.0/24`    | /        | default network which is used for administrative and monitoring tasks |
-| `clients`  |   2  | `10.84.2.0/22`    | /        | this is where the wifi clients live                                   |
-| `gigacube` |   /  | `192.168.8.0/24`  | /        | created by the gigacube. wan for our gateway                          |
-| `backbone` |   /  | `10.84.254.0/30`  | /        | tunnel network between `gw-core01` and `eae-adp-jump01`               |
+| Name         | VLAN | v4 Space          | v6 Space | Description                                                           |
+| ------------ | ---- | ----------------- | -------- | --------------------------------------------------------------------- |
+| `mgmt`       |   1  | `10.84.1.0/24`    | /        | default network which is used for administrative and monitoring tasks |
+| `clients`    |   2  | `10.84.4.0/22`    | /        | this is where the wifi clients live                                   |
+| `wan`        |   3  | `192.168.0.0/24`  | /        | created by the gigacube. wan for our gateway                          |
+| `backbone`   |   /  | `10.84.254.0/30`  | /        | tunnel network between `gw-core01` and `eae-adp-jump01`               |
+| `backoffice` |   8  | `10.84.8.0/24`    | /        | backoffice network for the orga                                       |
 
 WiFi Networks:
 --------------
 
-| SSID                 | Encryption | VLAN | Description |
-| -------------------- | ---------- | ---- | ----------- |
-| `GU Deutscher Platz` | /          | 2    |             |
+| SSID                            | Encryption | VLAN | Description |
+| ------------------------------- | ---------- | ---- | ----------- |
+| `GU Deutscher Platz`            | /          | 2    |             |
+| `GU Deutscher Platz Backoffice` | wpa2 psk   | 8    |             |
 
 Remote Access / VPN:
 --------------------

documentation/TODO.md

@@ -2,11 +2,13 @@
 
 ## Software
 
-* [ ] add monitoring vm
+* [x] add monitoring vm
   * replace `prometheus-node-exporter-lua-hostapd_stations` with an exporter that does not collect mac addresses!
-* [ ] put aps on non overlapping wifi channels
-* [ ] document configuration of `gw-core01`
-* [ ] provision config of `gw-core01` via ansible (network, firewall, ...)
+* [x] put aps on non overlapping wifi channels
+* [x] document configuration of `gw-core01`
+* [x] provision config of `gw-core01` via ansible (network, firewall, ...)
+* [ ] bootstrap an additional prometheus instance on `eae-adp-jump01` that alarms on a missing connection to `gw-core01`
+* [ ] move openwrt device to 22.03 - track fw version in ansible ?
 * [ ] add wireguard profiles for admins on `eae-adp-jump01`
 
 ## Hardware
@@ -15,5 +17,16 @@
 
 ## Documentation
 
+* [x] publish `incident 21 - replace gw-core01, reorg cabling`
+* [x] publish `incident 22 - installation of directional LTE antenna`
 * [ ] document backbone between `gw-core01` and `eap-adp-jump01`
-* [ ] move config/installation stuff into other file (keep OS versions in `README.MD`)
+* [x] move config/installation stuff into other file (keep OS versions in `README.MD`)
+
+## Wifi Experience
+
+* [ ] increase airtime by only broadcasting `GU Deutscher Platz Backoffice` in the office containers
+* [ ] improve wifi experience for residents
+	- put at least two aps into every tent
+	- put the aps into more central locations into the tents
+	- measure and decrease tx signal power of aps
+	- maybe replace aps with something more modern (> 2012, > 802.11a/n)

files/alerting_rules.yml

@@ -0,0 +1,90 @@
+groups:
+  - name: Basic
+    rules:
+        # from https://awesome-prometheus-alerts.grep.to/rules.html#rule-prometheus-self-monitoring-1-2
+        - alert: PrometheusTargetMissing
+          expr: up == 0
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: Prometheus target missing (instance {{ $labels.instance }})
+            description: "A Prometheus target has disappeared. An exporter might be crashed.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+
+        - alert: NodeRebooted
+          expr: changes(node_boot_time_seconds[2h]) > 0
+          for: 0m
+          labels:
+            severity: critical
+          annotations:
+            summary: A node rebooted in the last 2 hours (instance {{ $labels.instance }})
+            description: "The uptime of a node changed in the last two hours. VALUE = {{ $value }}\n LABELS = {{ $labels }}"
+
+        - alert: PublicWifiUpstreamLost
+          expr: sum(probe_success{job="e2e_adp_clients_v4"}) == 0
+          for: 0m
+          labels:
+            severity: critical
+          annotations:
+            summary: The public wifi lost its ability to route into the internet
+            description: "check the vpn connection"
+
+  - name: ServerSpecific
+    rules:
+        # https://awesome-prometheus-alerts.grep.to/rules#rule-host-and-hardware-1-7
+        #
+        # Please add ignored mountpoints in node_exporter parameters like
+        # "--collector.filesystem.ignored-mount-points=^/(sys|proc|dev|run)($|/)".
+        # Same rule using "node_filesystem_free_bytes" will fire when disk fills for non-root users.
+        - alert: HostOutOfDiskSpace
+          expr: (node_filesystem_avail_bytes * 100) / node_filesystem_size_bytes < 10 and ON (instance, device, mountpoint) node_filesystem_readonly == 0
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: Host out of disk space (instance {{ $labels.instance }})
+            description: "Disk is almost full (< 10% left)\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+
+        # https://awesome-prometheus-alerts.grep.to/rules#rule-host-and-hardware-1-9
+        - alert: HostOutOfInodes
+          expr: node_filesystem_files_free / node_filesystem_files * 100 < 10 and ON (instance, device, mountpoint) node_filesystem_readonly == 0
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: Host out of inodes (instance {{ $labels.instance }})
+            description: "Disk is almost running out of available inodes (< 10% left)\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+
+  - name: Network
+    rules:
+      - alert: PortChangedState
+        expr: changes(ifLastChange[2h]) != 0
+        labels:
+          severity: warning
+        annotations:
+          summary: "{{ $labels.ifName }} on {{ $labels.instance }} changed it's state {{ $value }}x time(s) in the last 2 hours"
+          description: "This alarm will clear in 2 hours"
+
+      - alert: PortIfInErrors
+        expr: increase(ifInErrors[2h]) > 0 or increase(node_network_receive_errs_total[2h]) > 0
+        labels:
+          severity: critical
+        annotations:
+          summary: "{{ if $labels.ifName }} {{ $labels.ifName }} {{ else }} {{ $labels.device }} {{ end }} on {{ $labels.instance }} has {{ $value }} ifInErrors in the last 2 hours. This alarm will clear automatically in 2 hours"
+          description: "For some reason the port is throwing ifInErrors"
+
+      - alert: PortIfOutErrors
+        expr: increase(ifOutErrors[2h]) > 0 or increase(node_network_transmit_errs_total[2h]) > 0
+        labels:
+          severity: critical
+        annotations:
+          summary: "{{ if $labels.ifName }} {{ $labels.ifName }} {{ else }} {{ $labels.device }} {{ end }} on {{ $labels.instance }} has {{ $value }} ifOutErrors in the last 2 hours"
+          description: "For some reason the port is throwing ifOutErrors. This alarm will clear automatically in 2 hours"
+
+      - alert: SNMPNodeRebooted
+        expr: (sysUpTime / 100) <= (60 * 60 * 2)
+        labels:
+          severity: critical
+        annotations:
+          summary: "{{ $labels.instance }} rebooted at least one time in the last two hours"
+          description: "This alarm will clear in 2 hours"

files/authorized_keys

@@ -3,3 +3,5 @@ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAykqqvlk2XTSa5xxAtWUA7RpEcI0rPBIAmFmT+zzU2VdU
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTFLWYfL9LhAj1tTfjdy2b9ncT3IqxDSXrVyG0Anci7H37GbkVGxiQw86HPR5CL2TzIX9jhrWnK8T3f/CQmhEiYhjE6p3kRkZN+krTTfm77sarb3wdg1OHtmlCNm6EmkIOuK7ewIzHgNsHW5jeNg4wl/klmXK4XKMIiJsr7s1gTZ6F7jz3av2p0aaHF6ntAyMmSPJTVhCbvUQaM27tSaPjGUOya2sxXajgIVbVBSMsaSwSGfOCty/Bef4WTM14NNMiSpdYs3uW1BMM39bYy2vgONFPeQLjmWr/X940wZZvYCcEaYSyTAbIXdaVyilxyC69ZDEg/rf3jvyemO0pWQn3 chaosox@molly (Linux)
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDaUUOwqS03cgJmvA5ryagZXKxmU03gLfoYZVQ8zJIDeHzgNyfFX8orXCxL6vZYeMuM5KRFsqXQPXFc5ILjoen5qhkTI+qc70nHr2Zvy3+Zq4zVqcE8Vpcgfy4VbzJPrrcxwxmdeGzf8LlfrWPlX5OG8rZx8kpSqUpDadG3ma1guykyq4FN8oEEuzlo6gBjgSuse9qrC94JwRUbd+jHN/RbaKnbXKwslO73zVNkdbq3BVCHLjLNq40NkxQv49vYVyWIozugFoNTul3hI/M0OPxNfkx+kzkG+2cgE8nxLdjkojqAkVKNM+SC70UCuEVofEYbyyzXDWwZ3JwDO9mUpsH2XKPLsdKCwlIc9dwnKu5Pu2Q9rsvpbgmcTNhsV8EXXglsROO3YXspKwg9oAXAFjmeAzYylrMRjFv/q0RL5d8+YnN6xoRZad7/fcj5OHpaxFTDeyTQ50TSc1uIlWJmnFCE0PzWmuTz/BkR0X52fh7Tu2vE90nOn24lrZxokiLVwDo7WBbBtT7MXTnr0wKf3jMPSk7Mp2e4TaLoole4NyNHa7RwHWhwu4o/y29qwW4SvKoSOiKFnpa7HiRCkEvxpuYgVA/KsmGWySRXNndMn4TOFfRJcMHx1B67XgGLTDTtGMrP+eN2mIerAxdv/4uAIwnQUaWnycPex90BN1uyc6/itw== chaosox@wintermute
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILWktkX613ZL6iXrSXXFykgXj3XHTGhHAUMXLypKV5Qw chaosox@molly (WSL)
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCVJAFhvSqCggIxCjxl8ybLUGP/WJJJ67AzipkIVpVsfYUwNGvMUFu13meHBaf34c2sVVSn7dV0qw51Xj3h570KFFuijFwsQbRb7xtyPY6c+Vw7Ehhu9EPcopxGltSk8VmxNdyO5X4DxVrnGN2xZOQq/4aDNnl1aegVtsMEXfy/wUvkMp89gJmn9u2yXhjnbgdYB4VE/Zxtwi1h0JqL6WbGf/wrvwjD6xJBmUe+G/+2tdcyYcEPmyObpNq4RYtu3JhNYD8xXRxEFVy+dNXm2P3/8JspW6N7VHYpLQTvDf3PzxoTlfENap+pgihag1URJzhqhJ4g+OHGAcpk3rKcnJbF rsa-key-20221112
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCzA1vg4hukp41JZYW7I/TG02s4pBEiuUgfUqmQskbjoKpvcHxhZv82S3QqJQnqBANtOL+QTCrVyMEn6pjQ61BVTgaYNldUnedWorHXS93r32Eqz+NWW7zTqPgylEdWzznY3Sx8mimaHNnGjBjcgAgyVekk+vx4LOaTw8pqu85Da5eKAp97XQTxdJtEsxG1etp7LZrvKCL2+1KGz5J/AoyMHMdEWgMRHZPFzOJJ81uxBwvEt+1dIcO72bl+rNK1AgwEnqyrJav5mA0Z1Dj85cCb6QccUZI2J3c9RDSLMIrab359rdMj7mOVgm5GGaHS2VZb2Zjsxux9JBY7yv/wh5katkSXlpsW9LS5SGN4TPsALVEmDPLkaA0LXDsXyvWs12Sdamw5igdpJhWfnmsqvkiD3eNb0uTf/uhO8qyNx8fzn1WhxkDEphSfmH/0rP3mCvkyTWqBS1Dr15Iq4dHyVc1IfhijErbk0RUF3aedmvj7Jbpg/NfZ3dGrHUWEbRhZXngKgS9WJ3KayF7T6CsH/P2iPufYaa9PcOAp01Ezdk/wvdq1O1hRb5H76+5ilKg1HjtJ/kMgX7U39jchNZ94KGIDDiWKKvq3D+Q9Cxe6qndiGmPAyCszQ8dzEs/p11QxhDlIJHLaUF/nMRuVsFaJljIe5SA2r4tYzWQ5O7BL09e6qQ== mowoe@decima

files/blackbox.yml

@@ -0,0 +1,36 @@
+modules:
+  http_2xx:
+    prober: http
+  http_post_2xx:
+    prober: http
+    http:
+      method: POST
+  tcp_connect:
+    prober: tcp
+  pop3s_banner:
+    prober: tcp
+    tcp:
+      query_response:
+      - expect: "^+OK"
+      tls: true
+      tls_config:
+        insecure_skip_verify: false
+  ssh_banner:
+    prober: tcp
+    tcp:
+      query_response:
+      - expect: "^SSH-2.0-"
+  irc_banner:
+    prober: tcp
+    tcp:
+      query_response:
+      - send: "NICK prober"
+      - send: "USER prober prober prober :prober"
+      - expect: "PING :([^ ]+)"
+        send: "PONG ${1}"
+      - expect: "^:[^ ]+ 001"
+  icmp_v4:
+    prober: icmp
+    icmp:
+      preferred_ip_protocol: ip4
+      ip_protocol_fallback: false

files/gpg/lodrich.asc.pub

@@ -0,0 +1,13 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEY2/88hYJKwYBBAHaRw8BAQdAV9QF5wXsizMDUD2w2GTUurA04t+z3n7SAq4V
+blntKKu0Fk1heCA8YWRtaW5AbG9kcmljaC5kZT6ImQQTFgoAQRYhBCLp8m6zG1Mb
+22CRck/7U9n7BCTMBQJjb/zyAhsDBQkDwzg+BQsJCAcCAiICBhUKCQgLAgQWAgMB
+Ah4HAheAAAoJEE/7U9n7BCTMkIMBAKHQMDe8Rb1bi2mF+caQyYP5sklMVbOTlSY4
+f1tbqzG3AQDCZoClNCVF7ppCYjPsEpuhayRmS+mI9YR4JuF73owsDbg4BGNv/PIS
+CisGAQQBl1UBBQEBB0CbniuHfjUu/nd6uBDYVkW4MSJo3lpg/Mdt5s64NY4jQwMB
+CAeIfgQYFgoAJhYhBCLp8m6zG1Mb22CRck/7U9n7BCTMBQJjb/zyAhsMBQkDwzg+
+AAoJEE/7U9n7BCTM/CwBAO+rrWsyE4x0Owx4bggh144JIu5J5DGij1KboGsoxFW0
+AP9Xe4aoaYfKNEouckI2G0cmDE/9FtA9v73SkzeXTKQfDw==
+=0vzZ
+-----END PGP PUBLIC KEY BLOCK-----

files/gpg/mowoe.asc.pub

@@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGOvMSsBEACf1T6IuReSSg+qo/qZCPvOKAiZhVc230/iM0sPaxhtCOD7mpNA
+NX59dLNGfGF3jlA4+cL1pI48klLB98VttVQwxGBTN1RtIjN/WXk5OoNXfGMbj63V
+/sn/4vhgWcW1r1sJBE5I5/E5GU7RJfW44IRNbMoGjNoMiAHAX/RS7Sk2JsYM4fd/
+RcSIFTicCUuMoyIVUw7PYUPertOf1l/+vS4VI/J9X7ykk+jdWqu5LmdKbFY+1CSf
+cmqn5/5oG00wByTEGelzW9f3tAr+WGIclD0VKZeIEwnifxrucI3EWPb/p2yatSLS
+1OZj4Ub0N3bHSUwOuBuzwKD9zK4PpDUCD8we9uN8SdvhDNh/zVoQh3RrqaQJBixb
+hpTEPwZt17Mxop3KNruBiGHutnOO3OAr8U1iOeIwLjiG/BnuGMm97tniLAZi/7d5
+4/AgmF2yYdDvl1TfYAMD80ZA97hWR50anjPQGaCgp7lOruffMPK4kEOv1t2+Tn0P
+Msf04xYa+8kn/ck9TUxFcEkhtJ9nhqX8JY+a/HPI3wFY0FOveatWAg2y17FR3yv2
+laOEIztRoFmj8foxWv8bUZKAkmXlkSbbQwJyBNQKYFEpag4VR7bCZNyOo9pgLTza
+r5pVFuejTKnYfWful+fiHlfyYtaIQEzAKDiJFY/N9vMRBsOO3PPZZ/tXFwARAQAB
+tCFtb3dvZS1pbmZyYS1kcGwgPG1vd29lQG1vd29lLmNvbT6JAk4EEwEIADgWIQQx
+eV+4PFvI2a2yPLoBNQ7MK4nlcgUCY68xKwIbAwULCQgHAgYVCgkICwIEFgIDAQIe
+AQIXgAAKCRABNQ7MK4nlchfID/9XzAxH0CFa0v3skLBcAWbFvy2vWvJ9rPALGnO4
+IYznzUy9lt8LT4lK1fqcGMWpe1Ore1e1rdtHLNZuII2VkTJqImsWT4B4JMO2vkfy
+rDlOc0cO+/hS1jchs4165YiCvnhoGO9kCGvFNzvoDY7xFHccPO8STRSiRpC7YMXH
+JNSAONUHe25zlfRORauAa58QAaxRhhb8E7zcnad2jIbYEBqBh2rFgMmVk99L1SBt
+IhrLYX5iRKKwSEiuhjBeTlUbhXPMr2WGE1PFfGKT0HFmDBC1Z8csz4mZSa/wQoH8
+40lx+c3wBS/CE2JKRM3LCJX0Tm9pjhPKg5ykV9WT5QHxy4Tbv7FUbA9Fs9VuT1r7
+cGprH+aXFWKK3DQJ3CsvhOx9zRSOGk1/RqteJ8LeaFxwocjOfQtjFv3uJ/Mc5A8V
+lM8OfB6hLdTX+HP7U9glaT4A7Dmu/q6CGvKN1+kDGf8Ansn2yGrOG1kD9Fd2htEH
+xqZK34PZALOZzG644adnHS6yYBCXjEQdKWfg3wOMWDITVFeirFvJ654r7WgrUJ6F
+jE4CNNu7R8e1Nm6Z4iVP0yjJjnZBZHSTW3nY2hz8fXEpxjBB8GCSDjVS7fkA5gBe
+A9TVT3EWXl+zImRoWqjLGXbFMrM0aAjO+ralQzExATxqXH75l4i2FDX78sXGfsmE
+DLVjerkCDQRjrzErARAA9ikeaDPeCGPeFsxSkxTNMtVdguY3WOo/dG/HOIE+DAgK
+A0ZrDr6IhrnKPu4tsAjpxY7qgaT1crkXKFkc/eRWFUS5+3x2JkbLD0Qzhm+S76HE
+NL+UtiXXNOTGt3yFLZrq6PF8LN00e0ottzcEr52R8UShvKyH3GotQuULdOmOxa7V
+0HAdPAkI6waFgZ6c5Oje4R6aCTK5VuVBgZXuh5TRkF/fcvtP5lI94dKVHAIE+OGX
+Rh1aKuzxwrVlwgbFKKqySnUdc/RO6xD6Cw2KNjs2HYSNw5oM0oEYJo5IQWTpw2zF
+Ut7pOx4Htbtv7DXr1OiPOFjKl/9MgbErmdmw6Ovjw4IT++jVrUWOJy16fiDsulk0
+9Z5Lv6PQLB814mXyCCWK9Juhymv4Ii1d8u7f55Di7vVJoyT2dG23OloYitWSfldA
+Cp3jVtv6YHxjOR3/LzI6Qdg23vOxFYYesDb8REnGpood0ProNdesfd8TJIuPTJGo
+fanWAmk+10mIgm0DuBv9ZAbxFPa/PJBlARCapr3uMmtJ+RwXW8k/MPzoLEsM7VWv
+rSvGAjACVLV+FjV+nHzITOOX7xHoT3xl81cXx4NdyCGsHlpoE8Us07g8qMGJX45+
+4N6YZi/x0/5M0qwdJTQoMIPqystBCGfijLLFP/+vpjm21WRc9gMrQVlORsJbuLkA
+EQEAAYkCNgQYAQgAIBYhBDF5X7g8W8jZrbI8ugE1DswrieVyBQJjrzErAhsMAAoJ
+EAE1DswrieVyQCMP/0d9bXYs9yYq1PkopIOOc8BnfNSTMkl8qjZR7Cx5IBH6wHWx
+Q4RuETNsMJhAgZyjCKP2A/SS8BmFsc2OcnGVjdYDDovrfZW53Cz0kM0KS1NY0t+S
+IdGw64twNoxQxtSvySTC7kofBMJxbjdEAyxnft0qPWDKrWxRiGVepcnIGnxjHOGU
+L6GyJfw/0X5lF8yVIsio8A0cvlhgpL5p7blgrYrmyCPV2HIfUgCDAqDnm8Kfsr6e
+FqARo3P5SrGCKDXBSG9NSjsbKRATdpg9ZwMqoKNMCNzUl1DbzJ+BzY9PWn31FeNL
+BBd7DDp92gH+hgu1O23m/S6GX/ZehnyF8jucwMlY1S5giOOehmvLd1YZKlDTkpV2
+9ucFM77IVyQryiix/vC31s0g/4aeKxFmkilKlEXqY2A7zfjhIy08xl9nr2BKd9aL
+ZTZLydkDuPWeYrk6yTJS8tSQyN5U4ivAdXVhi2/Da2+OEEsL3CgMp4HLiZDljHco
+m0wJkU6O9psJGMuewgStPUhY0TkYOsR5vRu27HAy/c/YPFHYGTj7chSpR8zkBSYc
+LZaotTEQWm+RYOtyDumuLXAuZzhYd9fbY3bpRNC1673+Bm9y0uNRtfxBC1j/K/bs
+nTTsaduddyYg2mV8VlVt/hTTAreMwfDpejWq7W7xhcwP5MCovdGD+d/hCLk6
+=OJvy
+-----END PGP PUBLIC KEY BLOCK-----

files/ospfd.conf

@@ -28,4 +28,10 @@ area 0.0.0.0 {
 	interface wg0 {
 		type p2p
 	}
+	interface wg2 {
+		type p2p
+	}
+	interface wg3 {
+		type p2p
+	}
 }

files/pf.wg2.conf

@@ -0,0 +1,11 @@
+# allow incoming udp packets for wg2
+pass in proto udp from any to self port 51822
+
+# allow ospf on wg2
+pass on wg2 proto ospf
+
+# allow prometheus on wg2
+pass on wg2 proto tcp from any to self port 9100
+
+# allow outgoing snmp on wg2
+pass out on wg2 proto udp from self to any port snmp

files/pf.wg3.conf

@@ -0,0 +1,11 @@
+# allow incoming udp packets for wg3
+pass in proto udp from any to self port 51823
+
+# allow ospf on wg3
+pass on wg3 proto ospf
+
+# allow prometheus on wg3
+pass on wg3 proto tcp from any to self port 9100
+
+# allow outgoing snmp on wg3
+pass out on wg3 proto udp from self to any port snmp

files/wifi.lua

@@ -0,0 +1,58 @@
+local ubus = require "ubus"
+local iwinfo = require "iwinfo"
+
+local function scrape()
+  local metric_wifi_network_quality = metric("wifi_network_quality","gauge")
+  local metric_wifi_network_bitrate = metric("wifi_network_bitrate","gauge")
+  local metric_wifi_network_noise = metric("wifi_network_noise_dbm","gauge")
+  local metric_wifi_network_signal = metric("wifi_network_signal_dbm","gauge")
+  local metric_wifi_clients = metric("wifi_network_clients", "gauge")
+  local metric_wifi_airtime_total       = metric("wifi_network_airtime_total", "gauge")
+  local metric_wifi_airtime_busy        = metric("wifi_network_airtime_busy", "gauge")
+  local metric_wifi_airtime_utilization = metric("wifi_network_airtime_utilization", "gauge")
+
+  local u = ubus.connect()
+  local status = u:call("network.wireless", "status", {})
+
+  for dev, dev_table in pairs(status) do
+    for _, intf in ipairs(dev_table['interfaces']) do
+      local ifname = intf['ifname']
+      if ifname ~= nil then
+        local iw = iwinfo[iwinfo.type(ifname)]
+        local labels = {
+          channel = iw.channel(ifname),
+          ssid = iw.ssid(ifname),
+          bssid = string.lower(iw.bssid(ifname)),
+          mode = iw.mode(ifname),
+          ifname = ifname,
+          country = iw.country(ifname),
+          frequency = iw.frequency(ifname),
+          device = dev,
+        }
+
+        local qc = iw.quality(ifname) or 0
+        local qm = iw.quality_max(ifname) or 0
+        local quality = 0
+        if qc > 0 and qm > 0 then
+          quality = math.floor((100 / qm) * qc)
+        end
+
+        local wifi_clients = 0
+        for _ in pairs(iw.assoclist(ifname)) do wifi_clients = wifi_clients +1 end
+
+        local hostapd_status = u:call("hostapd." .. ifname, "get_status", {})
+
+        metric_wifi_network_quality(labels, quality)
+        metric_wifi_network_noise(labels, iw.noise(ifname) or 0)
+        metric_wifi_network_bitrate(labels, iw.bitrate(ifname) or 0)
+        metric_wifi_network_signal(labels, iw.signal(ifname) or -255)
+        metric_wifi_clients(labels, wifi_clients)
+        metric_wifi_airtime_total(labels, hostapd_status.airtime.time)
+        metric_wifi_airtime_busy(labels, hostapd_status.airtime.time_busy)
+        metric_wifi_airtime_utilization(labels, hostapd_status.airtime.utilization)
+      end
+    end
+  end
+end
+
+return { scrape = scrape }

firmware/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

group_vars/aptype_aruba_ap_105.yml

@@ -0,0 +1,12 @@
+---
+radios:
+  radio0:
+    type:   "mac80211"
+    path:   "pci0000:00/0000:00:11.0"
+    band:   "2g"
+    htmode: "HT20"
+  radio1:
+    type:   "mac80211"
+    path:   "pci0000:00/0000:00:12.0"
+    band:   "5g"
+    htmode: "HT20"

group_vars/aptype_aruba_ap_303.yml

@@ -0,0 +1,12 @@
+---
+radios:
+  radio0:
+    type:   "mac80211"
+    path:   "platform/soc/a000000.wifi"
+    band:   "2g"
+    htmode: "HT20"
+  radio1:
+    type:   "mac80211"
+    path:   "platform/soc/a800000.wifi"
+    band:   "5g"
+    htmode: "VHT20"

password-store/.gpg-id

@@ -1,2 +1,4 @@
 EB0D409FD8884BBECC04532AF937CB4882C16136
 C2AA3A4266D111B27C3774EB2438B8ADFDF45447
+22E9F26EB31B531BDB6091724FFB53D9FB0424CC
+31795FB83C5BC8D9ADB23CBA01350ECC2B89E572