hosts.yml

all:
  children:
    # work:
    #   hosts:
    #     ltu:
    #       host_is_work_vm: true
    #       host_is_virtual: true
    #       host_is_desktop: true
    #       host_has_backports: true
    #       host_is_laptop: true
    laptops:
      hosts:
        maxwell:
          deprecated: true
          host_is_desktop: true
          host_is_physical: true
          host_is_intel: true
          host_is_laptop: true
          host_has_backports: true
#          XKBMODEL: "inspiron"
        gamow:
          deprecated: true
          host_is_desktop: true
          host_is_physical: true
          host_is_intel: true
          host_is_laptop: true
          host_has_backports: true
#          XKBMODEL: "inspiron"
        fermi:
          host_can_have_spectre_mitigations: true  # speed optimisations (+ addition of security flaw) not needed because AMD does so much better at spectre/meltdown
          host_is_desktop: true
          host_is_physical: true
          host_is_amd: true
          host_is_laptop: true
          host_has_backports: true
          host_has_radeon: true
          host_is_small: true
          XKBMODEL: "inspiron"
        dirac-laptop:
          host_is_desktop: true
          host_is_physical: true
          host_is_intel: true
          host_is_laptop: true
          host_has_backports: true
          host_is_mgmt: true
          packages_to_install: [ 'intel-media-va-driver-non-free' ]
          mount_ceph_clients: true
#          modprobe_options:
#            iwlwifi: "11n_disable=8"  #https://www.reddit.com/r/linux/comments/1ep1ff0/psa_if_you_have_an_intel_wifi_card_with_antennas/?share_id=q-ihWrdZIGXNoW9jmteeq (of no benefit to dirac-laptop's old intel card)
    containers:
      hosts:
        #TODO:
        # - nextcloud
        # - zoneminder
        # - google photos: immich # https://www.reddit.com/r/selfhosted/comments/196nke8/how_i_left_the_cloud/
        # - google timeline location history: Dawarich https://www.reddit.com/r/selfhosted/comments/1f73ctc/dawarich_0120_selfhosted_google_location_history/
        # - Highly Available jump box (iot sort of fills this void now, but would prefer a more cut down machine with just ssh on it)
        # - mon: eg,
        #   - glances (eg, homeassistant should configure `glances` integration)
        #   - perhaps each of these, or they could be CTs each:
        #     - graphite or influxdb for pve->datacentre->metric server->add
        #     - Zabbix as well as influx/Grafana: https://reddit.com/r/Proxmox/s/OayU81fjJe
        #     - prometheus
        webserver:
          # webserver must not be hosted on iot itself - iot has the
          # keys to the kingdom.  webserver can just mount iot's NFS
          # share (some web services will need to ssh about, and when
          # this is needed, we need to lock the keys down to only
          # perform those services, such as AC control from
          # location.fcgi; we try to limit such calls to be initiated
          # from iot itself, through http reverse proxies; webserver
          # can't ssh anywhere itself)
          host_is_container: true
          host_is_ext_web_server: true

          munin_plugin_links:
            - { src: 'ssl_rather.puzzling.org', dest: 'ssl_' }
            - { src: 'ssl_angelahughes.org', dest: 'ssl_' }
        zm:
          debian_codename: buster
          host_is_container: true
          host_is_turnkey: true
          unattended_upgrades: false # ancient, has its own patching mechanism, and third party repos that might break
        zm12:
          not_active: true
          host_is_container: true
          host_has_backports: true
          packages_to_install: [ 'zoneminder', 'zoneminder-doc', 'apache2', 'php8.2-fpm', 'mariadb-server', 'ffmpeg' ] #, mariadb-server-core, zoneminder-doc, ffmpeg, default-mysql-server?
        jellyfin:
          host_is_container: true
          host_has_backports: true
          # unattended_upgrades: false # jellyfin is third party, so without CI/CD, can't automate that!  But unattended upgrades only deal with security patches by default
          custom_files:
            - etc/apt/sources.list.d/jellyfin.sources.j2
            - etc/apt/keyrings/jellyfin.gpg
          packages_to_install: [ 'jellyfin', 'yt-dlp', 'id3v2' ]
        met:
          #FIXME: pi becomes an X11/wayland kiosk https://gist.github.com/huksley/d5c2cda34094e63d6133fb0104e37eb9  https://forums.raspberrypi.com/viewtopic.php?t=358317 https://reelyactive.github.io/diy/pi-kiosk/ https://raspberrypi.stackexchange.com/questions/11866/how-can-i-start-x11-only-for-a-single-application https://baldbeardedbuilder.com/blog/setting-up-raspberry-pi-for-use-in-kiosk-mode-with-chromium/ https://bartsimons.me/raspberry-pi-kiosk-tutorial/ https://blog.r0b.io/post/minimal-rpi-kiosk/
          host_is_container: true
          host_has_backports: true
          host_is_user_web_server: true

          packages_to_install: [ 'tigervnc-standalone-server', 'psmisc', 'x11-apps', 'fvwm', 'libapache2-mod-fcgid', 'apache2-suexec-pristine', 'libjson-perl', 'perl-tk', 'mpv', 'puf', 'socat', 'graphicsmagick', 'curl', 'ksh', 'libdatetime-format-strptime-perl', 'libapache2-mod-php', 'xserver-xorg-core', 'x11vnc', 'websockify', 'ncal', 'gpg' ]
          local_packages_to_install: [ 'softbeep_0.3-18_amd64.deb' ]
          # xserver-xorg-core for gtf for xrandr setting, although we fixed that later by getting tigervnc to set the right framebuffer size at invocation
          apache_modules_to_enable: [ 'suexec', 'expires', 'headers', 'cgid' ]
          apache_root_symlink: /home/tconnors/public_html
          apache_sites:
            - source: etc/apache2/sites-enabled/000-default.conf.met
              dest: /etc/apache2/sites-enabled/000-default.conf
            - source: etc/apache2/mods-available/php8.2.conf.met
              dest: /etc/apache2/mods-available/php8.2.conf
          systemd_services:
            - met.service
            - met-vncserver.service
          custom_files:
            - name: /etc/rc.local
              source: etc/rc.local.met
            - name: /etc/logrotate.d/met
              source: etc/logrotate.d/met
            - name: /etc/logrotate.d/ac
              source: etc/logrotate.d/ac
            - name: /etc/logrotate.d/pidisplay
              source: etc/logrotate.d/pidisplay
        syslog:
          host_is_container: true
          host_has_backports: true
          host_is_syslog: true
          #FIXME: would like one of the multitude of ELK, etc
        smtp:
          # incoming from the public (would rather use pmg for that,
          # but this one was used briefly for angelahughes.org before
          # settling on the forwarding solution we used there;
          # firewall entry for :25 currently disabled in gateway)
          # host_is_incoming_mailserver: true
          # Setting up dmarc:
          # https://www.reddit.com/r/selfhosted/s/Efmws5mi7H
          # https://www.reddit.com/r/selfhosted/s/9OvZfnW17F
          host_is_container: true
          host_is_smtp_relay: true
          host_is_mda: true
          smtp_local_networks: "127.0.0.0/8 192.168.0.0/16"
          smtp_relay_to_gmail: true
#        homeassistant:
#          host_is_container: true # not strictly, but we don't want to go buggering around with the installation more than necessary
    desktops:
      hosts:
        dirac-new:
          not_active: true
          host_is_virtual: true
          host_is_desktop: true
          host_has_backports: true
          host_has_radeon: true
          host_can_have_spectre_mitigations: true
          ssh_host_rsa_key_pub: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwxeKtbN2I7BAFhxebq1UxbgjJi9A7okaww9SxlT2N2yNAdBnMo4YX1UgNLpZoFOYmP0ISr3F2ujGbE0L7tk3OAyNwdxO7llhkb5aHziDlzOJ9gspecr6s7VnHBIYdu+XP3nT9Vd17tdzOzhqx/TRSdoKCgb9M12NpAb6xs8/sn+ypoizUJUAOo4/Yf1EKuAjNPenmUz2n1YXYF/yqIgn1gV6jzSmYZsz6mWYbchKmWBKH27nRl8xRS2y8nCWDp1Z+lHfTQm4E8sa2Xvhk46DG01PWOugqw9R9gMY78EG1aiNldZaV7ReOuxCVQQftnA+TFYjST/E4zLrwJZxOyUk4Q== root@dirac
          ssh_host_ecdsa_key_pub: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJwodSOQQaUIaLLR/tiuyem605fwZYUwyd/ZX2VDYVnabg2v6If7xL3kx7VLq/KM1aJxuAsczyhbfYvNEUjXrVY= root@dirac
          ssh_host_ed25519_key_pub: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFZJOwqSOY735IP2J6S7CuNS4i90RAXX81pUof8EbXo2 root@dirac
          root_id_rsa_pub: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1ox/X4uwWJ9agYQIYZF/3JomqkNFjTzHQ8c+1odLWtpdGyU7JABLdHSMzMTqxnnyMW2oaqxtzhB2iAIgaIgt9LodCDyppJBwIGT81fofs5yQDnDm1BzJaRX09Fnbp20GJAWSdvYeChfcSOYEtauQwuLBiTSrTC7vi6AJN48E/wA4E1M3w57pnTLK3oPUaXdgXdOGwuMDyugl7wSvbZE++ewKlPu1omzsE0CocDE1hvBD95oT8O7z5OrWrmS7/sLLM9qaqQe8zHJVvqksr2IvtGgTZTsw1JHBTOqOQB5OTgwfAOfpWHB+4gkZKlGw9Uf10vGG7W5MtKz//9WT5g80j root@dirac-new
          root_authorized_keys: |
            ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAni+3/e/xdeHtk5g1nk2kAR1GkEEwje2uF7YZFUS0wmrcf1A3a9plNFuf41fEDNiqK/Ug4ijNIv+pFjJBFSHxR+syyC949O0mgxk+IRlORRlkpOh+zaqIPCZrj8+J7qN+yIJA0P6wtUzLgpwqDk3NuVWEt57OJB3ncChqEAfDDA7xWeFD9Fd6Iz+o1+BYmqT1DKJEdefLIrX9qYdSF9CUYCtN7A1pWEo+Ihc44EBxreC3pbz0R6FZPqd6nz3gqF1UKcTvZXjZxWzXVtr/RmG3Jy/j5VLEXl2x5U5XYQ7lcwbRGtemyf3Yt9V+PTjutQq70r4UJ+efU8Ky2M0F8sz7ww== tconnors@dirac
            ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1ox/X4uwWJ9agYQIYZF/3JomqkNFjTzHQ8c+1odLWtpdGyU7JABLdHSMzMTqxnnyMW2oaqxtzhB2iAIgaIgt9LodCDyppJBwIGT81fofs5yQDnDm1BzJaRX09Fnbp20GJAWSdvYeChfcSOYEtauQwuLBiTSrTC7vi6AJN48E/wA4E1M3w57pnTLK3oPUaXdgXdOGwuMDyugl7wSvbZE++ewKlPu1omzsE0CocDE1hvBD95oT8O7z5OrWrmS7/sLLM9qaqQe8zHJVvqksr2IvtGgTZTsw1JHBTOqOQB5OTgwfAOfpWHB+4gkZKlGw9Uf10vGG7W5MtKz//9WT5g80j root@dirac
###
    servers:
      hosts:
        dirac:
          host_is_virtual: true
          host_is_desktop: true
          host_can_have_spectre_mitigations: true # speed optimisations not needed because running on pve2, which is amd
          host_is_mgmt: true
          host_is_syslog: true
          host_is_user_web_server: true
          host_has_backports: true
          host_has_radeon: true
          unattended_upgrades: false # never want things on my main desktop being done when I'm not explicitly ready for them
          mount_ceph_clients: true # need to add this host in proxmox>datacenter>firewall>ipset>cephclients # FIXME: could simply add each ip to /etc/pve/firewall/cluster.fw:[IPSET cephclients]
          grub_boot_flags: "amdgpu.ppfeaturemask=0xfffd7fff"
          packages_to_install: [ 'ricks-amdgpu-utils', 'fancontrol' ]
          # FIXME: metrics monitor should pick up amdgpu values (gpu load, memory load, power/powercap, vram,gtt usage, sclk, gddgfx, fan speed

          # FIXME: backport kernel?
          # FIXME: pipewire:
          #        -investigate setting quantum with pw-top then restart with `systemctl --user restart wireplumber pipewire pipewire-pulse`
          #        - /usr/share/doc/pipewire/README.Debian.gz for other recommendations

          modprobe_blacklist: hid_logitech_hidpp
          modprobe_blacklist_comment: "For Logitech MX Master 3, using solaar, we can get a lot of mouse parameters we like, but I can't get rid of scrollwheel hysteresis.  Since hi-res scroll isn't giving us any benefit in any of the applications we use (emacs, firefox), let's blacklist it"
          custom_files:
            - name: /etc/fancontrol
              source: etc/fancontrol.dirac
        work:
          host_is_virtual: true
          host_has_backports: true
          packages_to_install: [ 'systemd-zram-generator', 'xterm', 'libgtk-3-0', 'libwebkit2gtk-4.0-37', 'fvwm', 'xdm', 'x11-utils', 'xinit', 'tcpdump', 'keepassxc', 'webext-keepassxc-browser', 'kpcli', 'nfs-kernel-server'] # libgtk-3-0,libwebkit2gtk-4.0-37 for cisco VPN client; window manager for VPN startup
          # host_is_desktop: true
          host_is_work: true
          custom_files:
            - name: /etc/exports
              source: etc/exports.work
        fs:
          host_is_virtual: true
          host_has_backports: true
          host_is_fileserver: true
          host_is_zfs: true
          host_is_user_web_server: true
          unattended_upgrades: false # never want things on my main fileserver being done when I'm not explicitly ready for them
          packages_to_install: [ 'systemd-zram-generator' ]
          mount_ceph_clients: true   # so we can access photos etc to back them up
          default_zfs_flags:
            ZFS_SHARE: "no"
            ZFS_UNSHARE: "no"
            DO_OVERLAY_MOUNTS: "yes"
        iot:
          host_is_virtual: true
          host_has_backports: true
          host_is_nut_master: true
          host_is_munin_server: true
          host_is_user_web_server: true
          unattended_upgrades: false # never want things on my main IOT orchestration platform (and weewx server, with its fragile config) being done when I'm not explicitly ready for them

          packages_to_install: [ 'python3-ephem', 'python3-pip', 'qemu-user-static', 'systemd-zram-generator', 'autofs', 'python3-broadlink', 'libdatetime-format-natural-perl' ] #python3-ephem for weewx almanac ephemerides, libdatetime-format-natural-perl for modify-weewx.sdb and python3-pip also needed by weewx, qemu-user-static for chroot into /piroot
          systemd_services:
            - munin-cron.timer
            - munin-cron.service
            - copy-munin-from-hdd.service
          custom_files:
            - etc/logrotate.d/monitor_iot
            - etc/logrotate.d/location
            - etc/logrotate.d/logups
            - name: /etc/genders
              source: management/genders
            - name: /etc/weewx/logrotate.d/weewx
              source: etc/logrotate.d/weewx
              mode: "0644"
            - name: /etc/cron.d/munin
              source: etc/cron.d/munin
            # in all-host tree: - name: /etc/systemd/system/munin.slice
            # in all-host tree:   source: etc/systemd/system/munin.slice
              notify: systemd daemon reload
        pi:
          # We've already moved the entire pi functionality to to an
          # intel VM, met (now that we don't need any GPIO and the UPS
          # talks to other hardware), except the display, which we use
          # via the pi talking VNC to met.
          #
          # If we hadn't ported to intel, we could have also
          # virtualised aarch64:
          # https://www.reddit.com/r/Proxmox/comments/ed2ldo/installing_and_launching_an_arm_vm_from_proxmox/
          # (all apparently important steps except for serial terminal
          # setup in description already performed, except don't have
          # a uefi boot mechanism - so need to actually install
          # aarch64 and then configure the boot flags accordingly)
          #
          # Only remaining task is the display.  A possible display
          # solution complete with touchscreen is to just get a cheap
          # phone, talking VNC again
          host_is_pi: true
          host_is_nfsroot: true
          host_is_not_using_dnsmasq_cache: true # implies installation
                                                # of NetworkManager,
                                                # which we don't want
                                                # on pi because it's
                                                # nfsrooted arch:
                                                # armv7l
          arch: aarch64
          munin_no_fork: true
          packages_to_install: [ 'man-db', 'directvnc', 'python3-rpi.gpio', 'dpkg-dev', 'fakeroot', 'wiringpi', 'nfs-kernel-server' ]
          custom_files:
            - name: /etc/default/raspi-extra-cmdline
              source: etc/default/raspi-extra-cmdline.pi
            - name: /etc/rc.local
              source: etc/rc.local.pi
            - name: /etc/exports
              source: etc/exports.pi
          custom_remove_files:
            - /etc/network/interfaces.d/eth0
          # We currently use directvnc to get a mimic of met's display
          # without Xorg, but if we converted to openwrt to remove
          # need for nfsroot, I wonder if we can talk to the
          # framebuffer there.  framebuffer comes up on pi 4, but
          # maybe not pi 3
        hass-debian:
          not_active: true
          host_is_virtual: true
        fs-new:
          not_active: true
          host_is_virtual: true
          host_is_fileserver: true
          host_is_zfs: true
          ssh_host_rsa_key_pub:
            ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDEgKmem5wjy7Rc8shNABrThLaDFQQmXHPwNlrJlYWDOz+fcYfTcp1haGxpT5KPvKucm57+k0BsAS1p7+u+jhvDDmULcQfD1WPVM8QBz+h9a8Fz+/thDKok/292H2d9RERHQ3KlTNnAutU39R8fqvgd/lyAl2/BLpCWqKGvITQIyD0QpLOQyBWiJlGTf+ubUq4bhTsCj4k3/S93y9rUlL9rYztTX1BhZscWY0IdPHcKWOwOij3gySGvtF7F4kJJL8hH/cTRyEwlJFQDGU/0hMxmPBK03xVKCof8F9kO3sMX6p166t5kFB6CErWMEVy9fF2gONOxK1vAjRPV6jIJACt root@fs
          ssh_host_ecdsa_key_pub: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAXUG8WAzABE7PB20fnzmX1YZjrOtEOlkJOyd1sM3rqShPQ2NWNehgMMzmy/Sov9sTPKBwCvz5h3x9kFiNM4vmM= root@fs
          ssh_host_ed25519_key_pub: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILh+oFev4KL6WtjH3wq3KYs0KH/QQFvJFxo/xgcxzpnZ root@fs
          root_id_rsa_pub: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoJ65rWsr2zuaY/936uOuWD3aTq6Mdztvb6hxzR6sK9yUSY9BlNVPFS7E0wilY/PBihpDPtueAjzRlbR+In+azPDJ9OD9kYIG8d+MavU6JPbD8wjq2vo0MPw3krhIqEWiSED6yMS4M0vvhL0UoUPR1rM2oROlqjGq1Ag/VCHUlYdkgC8ZTVWTaqbiTIzwsVFobQOR9g8MkF7KewDJQhvD1+OOuSMmpO5vm8sR+JMUODCPx+Xc7NCSpKyBa3Pxrxf1KlLCLiknXviY7tFNy1mscAwFDszdNFNatavLFEG1LipOck2ETDTdsWIH0xwHweEhta/QAv0w46QftkrdDp4Zqw== root@fs-new
          root_authorized_keys: |
            ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoJ65rWsr2zuaY/936uOuWD3aTq6Mdztvb6hxzR6sK9yUSY9BlNVPFS7E0wilY/PBihpDPtueAjzRlbR+In+azPDJ9OD9kYIG8d+MavU6JPbD8wjq2vo0MPw3krhIqEWiSED6yMS4M0vvhL0UoUPR1rM2oROlqjGq1Ag/VCHUlYdkgC8ZTVWTaqbiTIzwsVFobQOR9g8MkF7KewDJQhvD1+OOuSMmpO5vm8sR+JMUODCPx+Xc7NCSpKyBa3Pxrxf1KlLCLiknXviY7tFNy1mscAwFDszdNFNatavLFEG1LipOck2ETDTdsWIH0xwHweEhta/QAv0w46QftkrdDp4Zqw== root@dirac
        pve-backup:
          inet_addr_suffix: 9
          network_interfaces:
            - { interface_name: eth0, mac_addr: '44:a8:42:03:69:d0' }
          host_is_physical: true
          host_is_dell_server: true
          dell_omsa_version: 11010/jammy jammy
#          dell_omsa_version: 10300/focal focal
          host_is_intel: true
          host_is_pve_server: true
          host_is_zfs: true
          host_is_in_pve_cluster: true
          host_is_nut_server: true
          unattended_upgrades: false # pve way too fragile and important to auto-patch
        pve1:
          packages_to_install: [ 'digitemp' ]

          inet_addr_suffix: 8
          network_interfaces:
            - { interface_name: enge0, mac_addr: '18:66:da:e7:83:74' }
            - { interface_name: enxg0, mac_addr: '6c:92:bf:64:76:54' }
            - { interface_name: enxg1, mac_addr: '6c:92:bf:64:76:55' }

          host_is_physical: true
          host_is_dell_server: true
          fan_speed_control_is_enabled: false
          dell_omsa_version: 11010/jammy jammy
#          dell_omsa_version: 10300/focal focal
          host_is_intel: true
          host_is_pve_server: true
          host_is_zfs: true
          host_is_in_pve_cluster: true
          host_is_nut_server: true
          unattended_upgrades: false # pve way too fragile and important to auto-patch

          custom_files:
            - name: /etc/systemd/system/103.scope.d/override.conf
              source: etc/systemd/system/103.scope.d/override.conf
              mode: "0644"
              notify: systemd daemon reload
            - name: /etc/digitemp.conf
              source: etc/digitemp.conf.pve1
            - name: /etc/munin/plugins/digitemp_DS9097
              source: monitoring/munin/digitemp_
              mode: "0755"
              local_follow: true
              notify: restart munin-node

          # hosts the RX 550 for original dirac, but we plan to use it for passing through to containers
          #modprobe_blacklist: "radeon,amdgpu,snd_hda_intel,xhci_hcd,xhci_pci"
#          vfio_ids: "ids=8086:8d31,8086:8d2d,8086:8d26" # obtain with:
          # just want to pass through XHCI
          #vfio_ids: "ids=8086:8d31" # obtain with:
#          vfio_ids: "ids=1002:699f,1002:aae0,1022:43ee" # obtain with lspci -nvvv | grep -e VGA\ controller -e XHCI -e 1002
#          host_has_backports: true
          ssh_host_rsa_key_pub: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDaKgXeqwkkw+tlnbUSA34MwHUtnghtsyHkQyOfdgJL5K8ezKEijkECNPdMheBDKHTB5L2KNxekh2mN3OS3l3i8yvteDEhXlOiQDip1kdlUPXydo9lAunIIwxUZX40AKjEY8iOwwHGSevGuBfHDjdiUh9DCtWobW2BbH7dhC9fX6u3x5RG28TCkdmjLUqahAVxmhw3wv/B9TBYq1Rn9ydFUGgwvMVM+1eAqxthn5ISSHuhK0aLUfrgsjz6tjDGGLFtrTOgDbKG2JeDIYG/jyD57OP9Ht3x1WAJmoSN4LJ2upXHUQubA2tmuZbgfgEZXtkTWaYLqulcP829tpR/9VfnWjqR0/KllPPdDQv3j+2w5ra7DeeqY+UVyC6GCTHykQZu7TGpl/N8h/yEEFm2ALTrqDcRWfN5clt/+aGUYwu/Vsb/esWRAJCmP7GlYz3Z87X/REHsV6xn+1k/X08x6KuHdJqcJB8gsn8aJIZ7qKRSyoMUVJMvuNS3CnZOyzUaJnSU= root@pve
          ssh_host_ecdsa_key_pub: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLGQtLolSQw13PGsfTlDdvJfoREUmqNK7rHyvfv3z9CciLFXK6T907Go+B13kvSuvJG2XfKivp4o+yOC3NFmrJc= root@pve
          ssh_host_ed25519_key_pub: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHnUkqwxjgCpOpHaTCebqo79dKlPM5U7yiYKP7e+RdKM root@pve
        pve2:
#          packages_to_install: [ 'firmware-realtek' ] # consider r8168-dkms if unstable: https://forum.proxmox.com/threads/system-hanging-after-upgrade-nic-driver.129366/page-2 also power management: https://forum.proxmox.com/threads/networking-issues-pve8.129742/
          no_softdog_reboot: true   # don't want pve2 rebooting when it becomes separated from the cluster, because it's my workstation, and the workstation runs off dedicated ceph disks
          inet_addr_suffix: 6
          network_interfaces:
            - { interface_name: enge0, mac_addr: '04:42:1a:2d:76:29' }
            - { interface_name: enxg0, mac_addr: '6c:92:bf:76:49:a9' }
            - { interface_name: enxg1, mac_addr: '6c:92:bf:76:49:aa' }

          host_is_physical: true
          host_is_amd: true
          host_is_pve_server: true
          host_is_zfs: true
          host_is_in_pve_cluster: true
          host_can_have_spectre_mitigations: true  # speed optimisations (+ addition of security flaw) not needed because AMD does so much better at spectre/meltdown
          unattended_upgrades: false # pve way too fragile and important to auto-patch

          custom_files:
            - name: /etc/sensors.d/asus-tuf-gaming-b550-plus-wifi.conf
              source: etc/sensors.d/asus-tuf-gaming-b550-plus-wifi.conf.pve2
              notify: run sensors -s

          modprobe_blacklist: "radeon,amdgpu,snd_hda_intel,xhci_hcd,xhci_pci"
          modprobe_blacklist_comment: "separate out all IOMMU groups, blacklist all the desktop functions we want to passthrough to VM, and override the blacklist from the rescue variable, GRUB_CMDLINE_LINUX"
          modprobe:
            # detected with sensors-detect
            - nct6775

          # hosts the RX 570 for dirac:
          vfio_ids: "ids=1022:149c,1002:67df,1002:aaf0,1022:43ee,1022:1487,8086:2723" # obtain with:

          # for d in /sys/kernel/iommu_groups/*/devices/*; do
#n=${d#*/iommu_groups/*}; n=${n%%/*}
#    printf 'IOMMU Group %s ' "$n"
#    lspci -nns "${d##*/}"
#done | grep --color -i -e USB -e VGA\ co -e XHCI -e Audio -e 'IOMMU Group 13' -e 'IOMMU Group 2[3489]' -e 1022:149c -e 1002:67df -e 1002:aaf0 -e 1022:43ee -e 1022:1487
#          host_has_backports: true

          ssh_host_rsa_key_pub: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDaKgXeqwkkw+tlnbUSA34MwHUtnghtsyHkQyOfdgJL5K8ezKEijkECNPdMheBDKHTB5L2KNxekh2mN3OS3l3i8yvteDEhXlOiQDip1kdlUPXydo9lAunIIwxUZX40AKjEY8iOwwHGSevGuBfHDjdiUh9DCtWobW2BbH7dhC9fX6u3x5RG28TCkdmjLUqahAVxmhw3wv/B9TBYq1Rn9ydFUGgwvMVM+1eAqxthn5ISSHuhK0aLUfrgsjz6tjDGGLFtrTOgDbKG2JeDIYG/jyD57OP9Ht3x1WAJmoSN4LJ2upXHUQubA2tmuZbgfgEZXtkTWaYLqulcP829tpR/9VfnWjqR0/KllPPdDQv3j+2w5ra7DeeqY+UVyC6GCTHykQZu7TGpl/N8h/yEEFm2ALTrqDcRWfN5clt/+aGUYwu/Vsb/esWRAJCmP7GlYz3Z87X/REHsV6xn+1k/X08x6KuHdJqcJB8gsn8aJIZ7qKRSyoMUVJMvuNS3CnZOyzUaJnSU= root@pve
          ssh_host_ecdsa_key_pub: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLGQtLolSQw13PGsfTlDdvJfoREUmqNK7rHyvfv3z9CciLFXK6T907Go+B13kvSuvJG2XfKivp4o+yOC3NFmrJc= root@pve
          ssh_host_ed25519_key_pub: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHnUkqwxjgCpOpHaTCebqo79dKlPM5U7yiYKP7e+RdKM root@pve
        pve3:
#          packages_to_install: [ 'firmware-realtek' ] # consider r8168-dkms if unstable: https://forum.proxmox.com/threads/system-hanging-after-upgrade-nic-driver.129366/page-2 also power management: https://forum.proxmox.com/threads/networking-issues-pve8.129742/
          packages_to_install: [ 'usbrelay', 'usbrelayd', 'digitemp', 'fancontrol' ]

          inet_addr_suffix: 7
          network_interfaces:
            - { interface_name: enge0, mac_addr: '98:90:96:cb:dc:89' }
            - { interface_name: enxg0, mac_addr: '6c:92:bf:64:79:0a' }
            - { interface_name: enxg1, mac_addr: '6c:92:bf:64:79:0b' }
# FIXME: we may also need to disable LRO when configuring bridging, per https://dl.dell.com/manuals/all-products/esuprt_data_center_infra_int/esuprt_data_center_infra_network_adapters/intel-pro-adapters_user's-guide_en-us.pdf
# but LRO seems to be default off on these 10gbe cards
          #       post-up /usr/bin/logger -p debug -t ifup "Disabling segmentation and LRO offload for $IFACE" && /sbin/ethtool -K $IFACE lro off tso off gso off && /usr/bin/logger -p debug -t ifup "Disabled offload for $IFACE"
          enge0_interface_addendum: "\tpost-up /usr/bin/logger -p debug -t ifup \"Disabling segmentation offload for $IFACE\" && /sbin/ethtool -K $IFACE tso off gso off && /usr/bin/logger -p debug -t ifup \"Disabled offload for $IFACE\""
#          eth0_interface_addendum: "\toffload-tso off\n\toffload-gso off" # pve3 unit hang https://forum.proxmox.com/threads/e1000-driver-hang.58284/post-463259 into /etc/network/interfaces if no more unit hangs (might need more: https://forum.proxmox.com/threads/e1000-driver-hang.58284/post-512789 and ifupdown2 is cleaner: https://forum.proxmox.com/threads/e1000-driver-hang.58284/post-567651 )

          host_is_physical: true
          host_is_intel: true
          host_is_pve_server: true
          host_is_zfs: true
          host_is_in_pve_cluster: true
          host_can_have_spectre_mitigations: true  # want security on this box (especially since internet gateway on it), and don't care so much about speed
          host_is_nut_server: true
          unattended_upgrades: false # pve way too fragile and important to auto-patch

          systemd_services:
            - powertop-custom.service
          custom_files:
            - name: /usr/local/bin/powertop-custom.sh
              source: usr/local/bin/powertop-custom.sh
              mode: "0755"
            - name: /etc/fancontrol
              source: etc/fancontrol.pve3
            - name: /etc/usbrelayd.conf
              source: etc/usbrelayd.conf.pve3
            - name: /etc/digitemp.conf
              source: etc/digitemp.conf.pve3
            - name: /etc/munin/plugins/digitemp_DS9097
              source: monitoring/munin/digitemp_
              mode: "0755"
              local_follow: true
              notify: restart munin-node
            - name: /etc/sensors.d/dell-optiplex-9020.conf.conf
              source: etc/sensors.d/dell-optiplex-9020.conf.pve3
              notify: run sensors -s

          modprobe_options:
            dell_smm_hwmon: "force=1"  #aka i8k module in kernel6 - allows a bunch of fan and temperature metrics in Dell Optiplex 9020SFF
          modprobe:
            - dell_smm_hwmon

#          modprobe_blacklist:
#          vfio_ids: "ids=1022:149c,1002:67df,1002:aaf0,1022:43ee,1022:1487" # obtain with:
          # for d in /sys/kernel/iommu_groups/*/devices/*; do
#n=${d#*/iommu_groups/*}; n=${n%%/*}
#    printf 'IOMMU Group %s ' "$n"
#    lspci -nns "${d##*/}"
#done | grep --color -i -e USB -e VGA\ co -e XHCI -e Audio -e 'IOMMU Group 13' -e 'IOMMU Group 2[3489]' -e 1022:149c -e 1002:67df -e 1002:aaf0 -e 1022:43ee -e 1022:1487
#          host_has_backports: true

          ssh_host_rsa_key_pub: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDaKgXeqwkkw+tlnbUSA34MwHUtnghtsyHkQyOfdgJL5K8ezKEijkECNPdMheBDKHTB5L2KNxekh2mN3OS3l3i8yvteDEhXlOiQDip1kdlUPXydo9lAunIIwxUZX40AKjEY8iOwwHGSevGuBfHDjdiUh9DCtWobW2BbH7dhC9fX6u3x5RG28TCkdmjLUqahAVxmhw3wv/B9TBYq1Rn9ydFUGgwvMVM+1eAqxthn5ISSHuhK0aLUfrgsjz6tjDGGLFtrTOgDbKG2JeDIYG/jyD57OP9Ht3x1WAJmoSN4LJ2upXHUQubA2tmuZbgfgEZXtkTWaYLqulcP829tpR/9VfnWjqR0/KllPPdDQv3j+2w5ra7DeeqY+UVyC6GCTHykQZu7TGpl/N8h/yEEFm2ALTrqDcRWfN5clt/+aGUYwu/Vsb/esWRAJCmP7GlYz3Z87X/REHsV6xn+1k/X08x6KuHdJqcJB8gsn8aJIZ7qKRSyoMUVJMvuNS3CnZOyzUaJnSU= root@pve
          ssh_host_ecdsa_key_pub: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLGQtLolSQw13PGsfTlDdvJfoREUmqNK7rHyvfv3z9CciLFXK6T907Go+B13kvSuvJG2XfKivp4o+yOC3NFmrJc= root@pve
          ssh_host_ed25519_key_pub: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHnUkqwxjgCpOpHaTCebqo79dKlPM5U7yiYKP7e+RdKM root@pve
          # FIXME: it'd be nice to get these host keys as being the sole contents of /etc/pve/priv/known_hosts (and making sure that symlink still exists for /etc/ssh/ssh_known_hosts )
    openwrt:
      hosts:
        gateway:
          type: router
          openwrt_heavy_installation: true
          openwrt_router_packages: true
          inet_addr_suffix: 254

          packages_to_install: 'qemu-ga,pciutils'
        b1300:
          deprecated: true
          type: router
          openwrt_heavy_installation: true
          openwrt_router_packages: true
          inet_addr_suffix: 246

          packages_to_install: 'lm-sensors'

          # channel choices:
          # - https://en.wikipedia.org/wiki/List_of_WLAN_channels
          # - https://wisp.net.au/info/5ghz-channel-spectral-width-in-australia-6.html?srsltid=AfmBOoqqHXCHDZfcHQrWLzRiVZv_mjq5ewdJ5ObGfU11z3KNB8icrz21
          # - https://www.ekahau.com/blog/channel-planning-best-practices-for-better-wi-fi/
          # - https://community.netgear.com/t5/Nighthawk-Wi-Fi-5-AC-Routers/Why-you-should-NEVER-select-channel-165-in-5-GHz/td-p/1848856
        archerc72:
          # back yard
          type: ap
          openwrt_heavy_installation: true
          inet_addr_suffix: 243
          switch_interface: eth1

          packages_to_install: 'lm-sensors'

          # mode_5ghz: AC
          hwmode_5ghz: '11a'
          channel_5ghz: '161'
          htmode_5ghz: 'VHT80'
#          power_5ghz: omit
          distance_5ghz: '60'
          density_5ghz: '3'

          hwmode_24ghz: '11g'
          channel_24ghz: '1'
          htmode_24ghz: 'HT20'
          density_24ghz: '3'
          distance_24ghz: '60'
#          power_24ghz: '20'

          ssid1_24ghz: Asio2.4
          ssid1_5ghz: Asio5
          ssid2_24ghz: AsioYard2.4
          ssid2_5ghz: AsioYard5

        archerc7:
          # patio
          type: ap
          openwrt_heavy_installation: true
          inet_addr_suffix: 250

          packages_to_install: 'lm-sensors'

          # mode_5ghz: AC
          hwmode_5ghz: '11a'
          channel_5ghz: '149'
          htmode_5ghz: 'VHT80'
#          power_5ghz: omit
          distance_5ghz: '60'
          density_5ghz: '3'

          hwmode_24ghz: '11g'
          channel_24ghz: '6'
          htmode_24ghz: 'HT20'
          density_24ghz: '3'
          distance_24ghz: '60'
#          power_24ghz: '20'

          ssid1_24ghz: Asio2.4
          ssid1_5ghz: Asio5
          ssid2_24ghz: AsioPatio2.4
          ssid2_5ghz: AsioPatio5

        ap1:   # pve3's USB wifi6 card
          type: ap
          openwrt_heavy_installation: true
          inet_addr_suffix: 245

          packages_to_install: 'qemu-ga,pciutils,kmod-mt7921-firmware,kmod-mt7921u'

          # mode_5ghz: AC
#           hwmode_5ghz: '11a'
#           channel_5ghz: '157'
#           htmode_5ghz: 'VHT80'
# #          power_5ghz: omit
#           distance_5ghz: '60'
#           density_5ghz: '3'

#uci set wireless.radio0.band='6g'

          hwmode_24ghz: '11g'
          channel_24ghz: '11'   # FIXME: don't know why 'wifi up' has to be called on boot and after each wifi restart after a reconfiguration (possibly because usb hotplug is done behind its back by the pve host), but need to do so!  This is done through rc.local
#          htmode_24ghz: 'HE80'
          htmode_24ghz: 'HT20'  # channel 6 is too overlapping to have HT40
          density_24ghz: '3'
          distance_24ghz: '60'
#          power_24ghz: '20'

          ssid1_24ghz: Asio2.4
          ssid1_5ghz: Asio5
          ssid2_24ghz: AsioVirtual2.4
          ssid2_5ghz: AsioVirtual5

        ap2:   # pve2's ax200 wifi6 card
          type: ap
          openwrt_heavy_installation: true
          inet_addr_suffix: 244

          packages_to_install: 'qemu-ga,pciutils,iwlwifi-firmware-ax200,kmod-iwlwifi'

          # mode_5ghz: AC
#           hwmode_5ghz: '11a'
#           channel_5ghz: '157'
#           htmode_5ghz: 'VHT80'
# #          power_5ghz: omit
#           distance_5ghz: '60'
#           density_5ghz: '3'

#uci set wireless.radio0.band='6g'

          hwmode_24ghz: '11g'
          channel_24ghz: '6'
          htmode_24ghz: 'HT20'
#          htmode_24ghz: 'HE80'
          density_24ghz: '3'
          distance_24ghz: '60'
#          power_24ghz: '20'

          ssid1_24ghz: Asio2.4
          ssid1_5ghz: Asio5
          ssid2_24ghz: AsioVirtual2.4
          ssid2_5ghz: AsioVirtual5

        archerd7:
          type: ap
          openwrt_heavy_installation: true
          inet_addr_suffix: 251

          packages_to_install: 'lm-sensors'

          channel_5ghz: '36'
          htmode_5ghz: 'VHT80'
#          power_5ghz: omit
          distance_5ghz: '80'
          density_5ghz: '3'

          channel_24ghz: '11'
          htmode_24ghz: 'HT20'
          density_24ghz: '3'
          distance_24ghz: '80'
#          power_24ghz: omit

          ssid1_24ghz: Asio2.4
          ssid1_5ghz: Asio5
          ssid2_24ghz: AsioStudy2.4
          ssid2_5ghz: AsioStudy5

#         wavlink:
#           type: ap
#           # allowed since we offloaded big files to NFS:
#           openwrt_heavy_installation: true
#           inet_addr_suffix: 253

#           hwmode_5ghz: '11a'
#           channel_5ghz: '104'
#           htmode_5ghz: 'VHT80'
# #          power_5ghz: omit
#           distance_5ghz: '100'
#           density_5ghz: '3'

#           hwmode_24ghz: '11g'
#           channel_24ghz: '6'
#           htmode_24ghz: 'HE20'
#           density_24ghz: '3'
#           distance_24ghz: '100'
# #          power_24ghz: omit

#           ssid1_24ghz: Asio2.4
#           ssid1_5ghz: Asio5
#           ssid2_24ghz: AsioYard2.4
#           ssid2_5ghz: AsioYard5

#        re450:
#          type: ap
        # maxwell:
        #   type: ap
        #   openwrt_heavy_installation: true
        #   inet_addr_suffix: 22
        asusrtax53u:
          #front of house
          type: ap
          openwrt_heavy_installation: true
          inet_addr_suffix: 252
          openwrt_dsa_switch_config: true
#          nut_install: true

          packages_to_install: 'lm-sensors'

          hwmode_5ghz: '11a'
          channel_5ghz: '161'
          htmode_5ghz: 'HE80'
#          power_5ghz: omit
          distance_5ghz: '60'
          density_5ghz: '3'

          hwmode_24ghz: '11g'
          channel_24ghz: '1'
          htmode_24ghz: 'HE40'
          density_24ghz: '3'
          distance_24ghz: '60'
          power_24ghz: '20'

          ssid1_24ghz: Asio2.4
          ssid1_5ghz: Asio5
          ssid2_24ghz: AsioLounge2.4
          ssid2_5ghz: AsioLounge5

    tasmota:
      hosts:
        # FIXME: would be a lot better off generating dynamic
        # inventory from /etc/genders
        ac-power:
          ssid2: AsioLounge2.4
        loungeroomlights-power:
          ssid2: AsioStudy2.4
        bedroomlights-power:
          ssid2: AsioStudy2.4
        garagelights-power:
          ssid2: AsioYard2.4
        heatedseat-power:
          ssid2: AsioLounge2.4
        studio-power:
          ssid2: AsioYard2.4
          FriendlyName1: "Outside Lights"
          FriendlyName2: "Inside Lights"
          FriendlyName3: "Stereo Preamp (linked to bluetooth)"
          FriendlyName4: "Stereo Bluetooth"
          Rule1: "ON Power3#state=1 DO Power4 1 ENDON ON Power3#state=0 DO Power4 0 ENDON"
        studio-power2:
          ssid2: AsioYard2.4
        patiolights-power:
          ssid2: AsioLounge2.4
          Rule1: "ON button1#state=3 DO publish cmnd/studio_power/power1 toggle ENDON"
        laundrylights-power:
          ssid2: AsioStudy2.4
        christmaslights-power:
          ssid2: AsioLounge2.4
        beerfridges-power:
          ssid2: AsioStudy2.4
        aquapump-power:
          ssid2: AsioStudy2.4
        aquaheater-power:
          ssid2: AsioStudy2.4
        brewfridge-power:
          ssid2: AsioStudy2.4
        washingmachine-power:
          ssid2: AsioStudy2.4
        measure-power:
          ssid2: AsioYard2.4
        pvebackup-power:
          ssid2: AsioYard2.4
        angela-power:
          ssid2: AsioLounge2.4
        chromecast-lounge-power:
          ssid2: AsioStudy2.4
        panasonic-power:
          ssid2: AsioStudy2.4
        electricblanket-power:
          ssid2: AsioLounge2.4
        study-power:
          ssid2: AsioStudy2.4
        ad-hoc-power:
          ssid2: AsioStudy2.4
        airmon1:
          ssid2: AsioStudy2.4
        fanstudy1:
          ssid2: AsioStudy2.4
          FriendlyName1: Foot Fan
          FriendlyName2: Desk Fan
          SetOption99: "ON"
          # -vvv tells us for setoption68, that the saved value is "1" rather than "ON"
          SetOption68: 1
          SetOption91: "ON"
          LedTable: "OFF"
        fridge1:
          ssid2: AsioStudy2.4
          FriendlyName1: Power supply
          FriendlyName2: Temperature Setpoint
          FriendlyName3: Cooling Demand1
          FriendlyName4: Cooling Demand2
          FriendlyName5: Internal Fan
          FriendlyName6: Heatsink Fan
          FriendlyName7: PID Prop
          FriendlyName8: PID Ti
#          FriendlyName9: PID Td   # max 8 friendlynames
#          Channel2: 27 # 8.1degrees
          Channel2: 33 # 9.9degrees
          PWM6: 307    # 1.5degrees
          PWM7: 1023   # 1800sec
          PWM8: 1023   # 450sec
          SetOption68: 1
#          AdcParam1: "2,32000,10000,3350,0"
          AdcGpio32: "32000,10000,3350,0"
          LedTable: "OFF"
          SaveData: 3600  # setoption0 is another option
          TempRes: 2
          # PidDSmooth: 60
        batterymon1:
          ssid2: AsioYard2.4
          disable_default_reset_on_power_reset7: 1    # device is at the end of a long power chain, so don't let it reset itself like it has several times already
          AdcGpio17: "0,1023,0,24730"
        loungefrontlight-power:
          ssid2: AsioStudy2.4
          disable_default_reset_on_power_reset7: 1    # device is easy to knock out of the power board, so don't let it reset itself like it has several times already
        fishtank-temperature:
          ssid2: AsioStudy2.4