Merge branch 'master' into fetlab

doc/ariane.md

@@ -4,7 +4,7 @@
 | :-: | :-: | :-: | :-: | :-: |
 |**H1**|00 /dev/sda `6TB` <br> `WD-WX21D36PP32E`|04  |08  |12  |
 |**H2**|01 /dev/sdb `6TB` <br> `WD-WX21D36PPLPH`|05  |09  |13  |
-|**H3**|02 /dev/sdc `6TB` <br> `WD-C80TT4VG`    |06  |10  |14  |
+|**H3**|02 /dev/sdc `6TB` <br> `WD-WX21D36PP0K1`|06  |10  |14  |
 |**H4**|03 /dev/sdd `6TB` <br> `WD-WXB1HB4MJCMM`|07  |11  |15  |
 ## Debian setup install steps
 ```

doc/configs/switch.cfg

@@ -1,204 +0,0 @@
-!TL-SG5428
-#
-#
-#
-#
-#
-#
-#
-hostname "SW-FET-INT"
-location "CD0107A"
-contact-info "bofh@fet.at"
-#
-mac address-table aging-time 300
-#
-logging buffer 6
-logging file flash 2
-#
-enable secret 5 $1$F;J4O6I6N:@;M3K=H=G<C/A>B1B:E;A3]),,[
-enable password test
-#
-system-time ntp UTC+01:00 128.130.3.131 128.131.2.3 12
-system-time dst predefined Europe
-#
-#
-user name admin privilege admin secret 5 $1$F;J4O6I6N:@;M3K=H=G<C/A>B1B:E;A3]),,[
-#
-#
-#
-#
-#
-port-channel load-balance src-dst-ip
-#
-#
-#
-#
-no ip ssh version v1
-#
-interface gigabitEthernet 1/0/1
-  description "CD0109 potemkin"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/2
-  description "CD0109 lunik"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/3
-  description "CD0109 wlan"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/4
-  description "baikal"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/5
-  description "ariane enp9s0"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  channel-group 2 mode active
-  
-#
-interface gigabitEthernet 1/0/6
-  description "ariane enp10s0"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  channel-group 2 mode active
-  
-#
-interface gigabitEthernet 1/0/7
-  description "dnepr enp3s0"
-  channel-group 1 mode active
-  
-#
-interface gigabitEthernet 1/0/8
-  description "dnepr enp2s0"
-  channel-group 1 mode active
-  
-#
-interface gigabitEthernet 1/0/9
-  description "CD0111"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/10
-  description "CD0111"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/11
-  description "CD0111"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/12
-  description "CD0111"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/13
-  description "CD0111"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/14
-  description "CD0111"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/15
-  description "CD0111"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/16
-  description "CD0111 sputnik2"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/17
-  description "CD0111 fet-av"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/18
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/19
-  description "atlas enp7s1f1"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/20
-  description "CD0117 R"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/21
-  description "CD0117 L"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/22
-  description "kistl LAN"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/23
-  description "energija VLAN856"
-  spanning-tree common-config port-priority 64
-  spanning-tree bpdufilter
-  
-#
-interface gigabitEthernet 1/0/24
-  description "CD0109 absturz"
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/25
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/26
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/27
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface gigabitEthernet 1/0/28
-  spanning-tree common-config portfast enable
-  spanning-tree bpduguard
-  
-#
-interface vlan 1
-ip address-alloc dhcp
-#
-end

doc/fetlab.md

@@ -0,0 +1,75 @@
+# fetlab
+## Unlock and start after boot
+```shell
+zfs_mount.sh mount
+mkdir /var/run/motioneye && chown motion /var/run/motioneye/ && service motioneye restart && service motioneye status
+```
+
+## Update and reboot
+```shell
+apt update && apt list --upgradable
+apt dist-upgrade && apt autoremove
+service motioneye stop
+zfs_mount.sh reboot
+```
+
+## Debian Installation
+Boot Image Debian Netinstall on USB stick, Advanced Options->Expert Install
+Language: English, Location: other->Europe->Austria
+Locale: en_US.UTF-8, Additional Locale: de_AT.UTF-8, System Locale: en_US.UTF-8
+Keyboard: German
+Detect and mount CD-ROM, Load installer components: no extra
+Detect network hardware, Configure Network: Hostname: fetlabserv, IP 128.131.95.223/24 domain htu.tuwien.ac.at
+Setup Users and Passwords: shadow, allow root login, no normal user
+Configure the clock: NTP Server: tutimea.tuwien.ac.at,tutimeb.tuwien.ac.at,tutimec.tuwien.ac.at,
+Detect disks, partition disks: manual
+msdos table, 32GB primary for RAID
+RAID: Create MD device RAID1
+part LVM in raid1
+LVM: volume group root on /dev/md0, logical volume sys 24GB, swap 6GB
+root-roo btrfs for /
+root-swap as swap
+Generic Kernel
+Mirror, no nonfree, contrib, allow backported
+install with ssh server and standard sys utilities
+Install Grub on /dev/sda(to removable media path)
+Install Grub on /dev/sdb(to removable media path)
+reboot, log in as root
+edit /etc/ssh/sshd_config set PermitRootlogin to yes
+service sshd reload
+ssh-copy-id root@fetlabserv from client
+edit /etc/ssh/sshd_config set PermitRootlogin to prohibit-password
+## Setup ZFS
+```shell
+for i in a b c d e f g h i; do echo -n "/dev/sd$i: "; hdparm -I /dev/sd$i | awk '/Serial Number/ {print $3}'; done
+lsblk
+sgdisk -n1:0:0 -t1:BF01 /dev/sda
+sgdisk -n1:0:0 -t1:BF01 /dev/sdb
+cryptsetup luksFormat /dev/disk/by-id/ata-ST4000VN008-2DR166_ZDH35RRA-part1
+cryptsetup luksFormat /dev/disk/by-id/ata-ST4000VN008-2DR166_ZDH469JD-part1
+zfs_mount.sh mount
+zpool create -o ashift=12 -o autoexpand=on -o autoreplace=on -O atime=off -O compression=lz4 -O acltype=posixacl -O xattr=sa lab mirror /dev/mapper/ata-ST4000VN008-2DR166_ZDH35RRA-part1 /dev/mapper/ata-ST4000VN008-2DR166_ZDH469JD-part1
+/sbin/zpool scrub lab
+zfs create lab/rec
+mkdir /var/lib/motioneye
+zfs create -o mountpoint=/var/lib/motioneye lab/rec/motion
+```
+## Get video input resolutions
+```shell
+ffmpeg -f video4linux2 -list_formats all -i /dev/video0
+```
+## Formats and File sizes
+96x72 1.9K
+640x480 55K
+Input #0, mov,mp4,m4a,3gp,3g2,mj2, from '3_2017-01-01_02-23-38.mp4':
+  Metadata:
+    major_brand     : isom
+    minor_version   : 512
+    compatible_brands: isomiso2avc1mp41
+    encoder         : Lavf56.25.101
+  Duration: 00:15:01.96, start: 0.000000, bitrate: 203 kb/s
+    Stream #0:0(und): Video: h264 (High) (avc1 / 0x31637661), yuv420p, 640x480, 202 kb/s, 9.99 fps, 25 tbr, 16k tbn, 2k tbc (default)
+    Metadata:
+      handler_name    : VideoHandler
+
+## Mainboad DP965LT

doc/fsdrnas.md

@@ -1,39 +0,0 @@
-# fsdrnas
-Install with UEFI partition
-## Setup Network
-```shell
-vi /etc/dhcpcd.conf
-interface enp4s0
-static ip_address=128.131.95.243/24
-static routers=128.131.95.1
-static domain_name_servers=128.130.4.3 128.131.4.3
-sv restart dhcpcd.conf
-```
-## Enable SSH and prohibit-password
-```shell
-xbps-install -Suy
-vim /etc/ssh/sshd_config
-ln -s /etc/sv/sshd/ /var/service
-vim /etc/ssh/sshd_config
-sv restart sshd
-```
-# Setup Auto Update
-```shell
-xbps-install -y cronie
-ln -s /etc/sv/cronie/ /var/service
-crontab -e
-@reboot vkpurge rm all
-5 16 * * 0 xbps-install -Suy && xbps-install -Suy && xbps-remove -oOy && reboot
-5 17 * * 1 zfs scrub ...
-```
-## Install LXD & ZFS
-xbps-install -y sqlite
-xbps-install -y lxd zfs
-```shell
-```
-## Check disks
-```shell
-xbps-install smartmontools
-smartctl -a /dev/sda
-smartctl -a /dev/sdb
-```

doc/fsdrnas.yml

@@ -0,0 +1,20 @@
+# fsdrnas
+## Enable SSH and prohibit-password
+```shell
+xbps-install -Su
+vim /etc/ssh/sshd_config
+ln -s /etc/sv/sshd/ /var/service/
+```
+# Create RAID
+```shell
+xbps-install mdadm
+mdadm --create --verbose /dev/md0 --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2
+mkfs.btrfs -f /dev/md0
+cat /proc/mdstat
+```
+## Check disks
+```shell
+xbps-install smartmontools
+smartctl -a /dev/sda
+smartctl -a /dev/sdb
+```

doc/wlan.md

@@ -1,10 +1,3 @@
 # wlan
 ## Current config
 See [config file](configs/wlan-OpenWrt-backup.tar.gz)
-
-## Extra Packages
-### SSH to and install
-```shell
-opkg update
-opkg remove wpad-basic && opkg install wpad
-```

group_vars/all

@@ -46,7 +46,6 @@ common_openssh_keys_root:
   - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmv/aixvhRzeQiD3XABD448WHW2sHSX5wj5TkqKmHG3MekovCjacEDwAEdH+3MzXzbQXCD8NOHxlvRsqfzsaIZw6al+i7hd7xeYzRAITeXAod/eQNJY71Czh1xt/rtfjgVrwFKe6kUo+RqUUBxOXjKNtCROxvsa/gxTSJD4xz/TGOTM7EbRfkOGBh3j/xmdBinURTACwKwHCR4SUnpAA7usY/QQGW22Nqczvj9SW1Un0TnYpMm7jAghGo7pvwInTerbbA2OQ07QEp9T/mAbPUks5QGEw1lwMZgEtl0EZrKxDoWjssGPw5ZA6RzwIggjuEN1zzE+pn9jWL+9sd2Tihr pet@fet.at"
   - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyK21mF11p4DAWSL2x7sAs9brbuRYgbdlEm/npOT1ufV6YGnNGjgrIS+a5VxiyKXhor8TUgTHjlmzcLSdEs3puBB2nZifwIEnbEwxvj5LRIljPp9rx9irPG6wnkpMXmRRuyAijf+Lhf1jMtsSgCH9HVG2F6H5hwFwaXcwiInn8tiKaDyuxl1Y9kNDUayTmbWfu2hyyRTDRvpgG4PITuUpXuA5/lHv9+kEXKl71BlyFsJ2LQx+1Lwruy6cQmfttApsrbowlbdtaJOWwnoFGNKupBpFgcGGqNTUajPGx3R1QREm+44NzPH9vGdYTg/+8vDCcTYe3zX0/XecB+Ka4WI2B3c4NPsxtZJNPWzihCVW8xpV4ipHqqFnZuVThJYtoC5C8h3LKbpQeaBwMIv34sN/AS7y3l8k7/70ttcvH4AmoEjc4OgXOE8nkwly2XZx1ndfevBdUU5osf6UTsCa3gdB/d67djz7jU50q/LtiSsL3oontw5khBR98iZAu4m7MXC7VvbyFz0Ju4OLmDBY6mxwBjakihEdfrs8jwnzxsZ3QuVIq96HC/E8gWpspECzGeXwezwTvT1tUefD7rwz9jD18qLMK8SSteDUqhXION/6gXhZ8FENUnBI2Qj6gHcwFc2tbfKMbXDqHAUHrtDdxgyxRc7JTnOI/9gS5idKXzsanhw== bajo@fet.at"
   - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGP2Y1fDTbN/fbWBCVYVpXUDyBRgUYo+OwDJq2gdII6O2YHeW7k6wY5wQEIIJR6sjHUrT7lNIx8/xv3SRlaq5w0KLZrI3fpiK07GMy0AxGIBCN1xhKb6fvlgLTTSl+/X2XhsmuxtUREENnq9M909kUuUb/8BiVV4sGSIURk4khN3oh/E7mL/sICDju1N2j+p/V0pn4kWuXRp8BMG73xIBvOMzjP/B7Y0SdLWI08bgQHi/OYLBDSHj17N4B/ZE4f5OqpZI7RqwC+TxkCJey04IMw+AXitm6q25zffGI9Mt+4lrBi/RMlEOjE7bQU4p9ZyZY2OIDNRPSr3nDBqA6g3a/v0C7cpdIYPf3khyNtV61x/irRBcOjsc44g0umaUgrmity5f/ZLyvD/zd+HSF0ft1m3AAp6z9w7bxAWs7m894HWZPJ0l39SRGVF2uiOJhbZEXG1lmCWss+do0jfy+U4hb6vC7LTKUBp6or5PF9tHDsNe3CxOmiRPt5GQmr/AA/FQRBC1BC+PO8INltKO4Np15DZ2v7Y2+nlcI++F2ef/IgJmAEfl5Y7d8N/wT5IyfBYy5+PuqLqCOOFBc/sOb2OJvsR0syX5SJM5roznrQ071G2BpxPWaPIgfABKJ8T0M/R+mdIGxlttD3z6S2LRNLoeNOKF1vIEYkxIErpRBavuvXQ== andis@fet.at"
-  - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD49PS1E7mfg/hQjp2lwcQLnu75G64LvMZ5OVLKqmnYFFqulQ3nERJfHgoGAzRTP78AwUqWwicKa7cgsRVFGEckpVKc5n/EiBdpF7Y7+ewb4jGfulVqW0CilwWD2QY+cnh+hqU7j93PpDXhPnr06z+zg30ADrrGRqKcjEI57uBXBar95C6jKaslkzLKzH/bx/peG4KjshC9dALJuGTGIczgn1ewcCUfyYc/V8mqlN6t7TN9sWU30vTxyYATsdZxnOBfHPx/TstWV9CQURAaTbUoLpsfl6FCJx2WbTtrI06VyY0oO5PJT0N8WGmejE3NfQKsOr/8MqA2WKZsgvY1h0Op andreas@LAPTOP-VMVFFSM9 andis@fet.at"
   - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGy7lvScEwrJ7/PiykH1b2+K7WQH2WovdUMV/1n7y90kwm2sMERJN9R9mSQIGdF325MPWREAv+cEPIvyRAgER9CuiLF9fWFPas8tKumtu4rPyGim0jR30nn4ARSe5GEn+R8lgdJ9nKiBF0D5kFCeUoxkSu4mF9hqHL4JtmU7IfcD05VLTLNivInKAh6OuN2iF6D9BfWS1TkB7LCYjpKPJ94srh86EM5uV5WjPLnERZkBixk0Bi7mVq8qXWZCrMP4o7wwCCeEnbTKUq9zy629fu28O9t7N5J23g0SdH+3Y+WfYjp4CAtFWULdAHwjNp8ql0IbBzY7Q6Pf0+rOKaM7d3HvnV7Ihv8+hEHVtxC/PiCaIQJKpVpi5qhf8mMHMkPmdJZ9a3zmdUvVQVCrCMqXjn6fx0/4s1aogkujXnN5yZP4KfPkiEc0+FtY7j0P4dOZ/Uc6INkxSXphnjDoAi5M8dbH3Gn7prS+jZpSX/S4q7HDxnEZDvhD9gu0v3eaVmjVaVZEiuPgtKiTvXK/kJzIu7RdgHSqTx2kN9rR61oTVu2fcDr1N94axQTqjuey27ixytOMYVP3ZsCNFi+M4Y8ExYGgpDl34ne8IN6JHtCsIiUSPVteLppjOr4C2IkXBuqnHymfzt0Il2RKLnnbJvgxVgzEyqnAMTKuKjv2DWWK7H4w== berni@fet.at"
   - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC97hn9b7HPGpD2iQTelwxn/xLuvc2ZmOKoczpYequTYYNBf2SGBWTj75rIk7En+6J7cwRd+UDzI1MU09+TPY+e9PenzxCed9cvdhrjkigqBs9Gwz1rTE8Sgl2m9XtIqzg4Pu2ZTyTFB2ZOrF/3BEJ6UBycmnUaxOuoCoxMflEk/Xc14ZXnjAw2M5IZzgZBPYeHtn032noBlglXtgfXQy5dZy2DvbfuEPlc2x/m/zz/QFiWyFHn05FNpvz8grifz+7VIuWvXS0H7uWFFq2Zwjf3yfr8EZo3/bX/fseW5lpkWwYYKjeIXGkwZOnfCFqbbopB+vqhhISwTCQM3ObpY3VlEKyIpKM+0pzfDdQhv3ze4NPLf4wl4fHKvUEdOvpYBkn54s3inft6AzwRw1PRzIiBZbCHM2Lj1/m0s0LB979MvDkkG9wyAWqrRfVRZHO8D/9xfPyDJsNiSpO0R4rpfTV21BRowxBfEjGDsxf+MtzGHSpt6G0MUbg4LOPXmJKecfxK46hFMCDGotQHNf3ZUF2hMpee8dbNhj7Ao0fuf+hYmGrYBdA9SB8XJJLoAjiA0yQpreQD+jTd4pjfofKr5FHZnEBRY0etl6oc4wALfhSDSqd81lBGTEfJx4++6Vm7fI1aQ7UAfqLeT126rXqG9aN20MZ10sEU4isJFgm5741w2w== moses@fet.at"
   - key: 'no-pty,no-agent-forwarding,no-X11-forwarding,command="zfs_mount.sh shutdown || shutdown -h +1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCiI41+XkobMT0K8ZrHdCeomdGAIRMZbdX1VjGe5OWa72rcaDFmBtK7MxD5xPZEdSaDkn+Nrpwv5/j10MccvkAOI/tx6PIxcgDF52FnHLMMVrXRM3cnkm9CrBi4kCN0D2fpbDLhknJhiqftIcPdct/a9foZQwkWOzGUN2Rk0mCw2QzkGyWHNxOMzMjV0gpfAWPv6Jg+JKDl5EHf2xJTeJ/l0TG6O0lsc5YY/7cqjRJJzTVFDo1Gy+qNgff0mbPrhcbWepG5R1tjkdT++f8uuoVkBUamwkjwDpH2y57sdESEPB0C5ES2cglOp2X3MMN7EnUBHYU3mMiYU0wV+b7Q3oKmQuG86a2D+yEp+0+WFaUY/TMCNpslGOtTBrNLshMIX/bnrx/aF9DApl9L/kUIlSxwwBNiPIl4VVU1p5Zzj/YAPvRl0kAKjosOZgl108JeRUbhQSGVrcODyhaIMQv4BAzHnV0kii7jNACHhqBR36eo3N6HX7GkbnU1YadZRcrxrpE9z9mrXuqWxzl4Cmz1yHb1JTwsnQQ2Dy0trIklQjEmLxvG8zpxHLV3EQmtIMK/g2Mk6VTdz9HZnwYLU7Mj/uZk0DWhTZ5Eyj6QAbcw2gLPLEUmdQhkHSoQKxHY0at3OjGFGydyc/3n7B7d578uxVBrp04uhTbW7SDi6mYGCkvCRQ== nut ups shutdown'

group_vars/fet_lxc_debian

@@ -19,6 +19,6 @@ common_basic_packages:
   - zsh
   # for ansible/debian
   - lsb-release
-  - python-apt
+  - python3-apt
-  - python-pycurl
+  - python3-pycurl
   - molly-guard

host_vars/ariane

@@ -21,8 +21,8 @@ lxc:
       - lxc.network.1.hwaddr = 00:50:fc:ce:1b:c3
       - lxc.network.1.link = br0
       - lxc.network.1.flags = up
-      - lxc.network.1.ipv4 = 128.130.95.206/27
+      - lxc.network.1.ipv4 = 128.131.95.206/24
-      - lxc.network.1.ipv4.gateway = 128.130.95.193
+      - lxc.network.1.ipv4.gateway = 128.131.95.1
       - lxc.pts = 6
 
   - name: betam
@@ -70,8 +70,8 @@ lxc:
       - lxc.network.1.hwaddr = 00:15:c5:5d:78:0e
       - lxc.network.1.link = br0
       - lxc.network.1.flags = up
-      - lxc.network.1.ipv4 = 128.130.95.205/27
+      - lxc.network.1.ipv4 = 128.131.95.204/24
-      - lxc.network.1.ipv4.gateway = 128.130.95.193
+      - lxc.network.1.ipv4.gateway = 128.131.95.1
 
       - lxc.pts = 6
       - lxc.mount.entry = /zv1/laika /var/lib/lxc/lxc-laika-01/rootfs/home/backup/repos none bind,create=dir 0 0
@@ -94,6 +94,24 @@ lxc:
       - lxc.network.link = br1
       - lxc.network.flags = up
 
+  - name: alekse
+    revision: "01"
+    template: debian
+    config:
+      - lxc.network.type = veth
+      - lxc.network.hwaddr = 2e:6d:b6:07:21:01
+      - lxc.network.link = br1
+      - lxc.network.flags = up
+
+  - name: wostok
+    revision: "01"
+    template: debian
+    config:
+      - lxc.network.type = veth
+      - lxc.network.hwaddr = 2e:6d:b6:07:22:01
+      - lxc.network.link = br1
+      - lxc.network.flags = up
+
   - name: fetsite
     revision: "01"
     template: debian
@@ -114,34 +132,47 @@ lxc:
       - lxc.network.flags = up
       - lxc.mount.entry = /zv1/andis /var/lib/lxc/lxc-fetsite-02/rootfs/srv/ none bind,create=dir 0 0
 
-  - name: fetsite
-    revision: "03"
-    template: debian
-    config:
-      - lxc.network.type = veth
-      - lxc.network.hwaddr = 2e:6d:b6:07:10:03
-      - lxc.network.link = br1
-      - lxc.network.flags = up
-      - lxc.mount.entry = /zv1/andis /var/lib/lxc/lxc-fetsite-03/rootfs/srv/ none bind,create=dir 0 0
-
-  - name: fetsite
-    revision: "04"
-    template: debian
-    config:
-      - lxc.network.type = veth
-      - lxc.network.hwaddr = 2e:6d:b6:07:10:04
-      - lxc.network.link = br1
-      - lxc.network.flags = up
-      - lxc.mount.entry = /zv1/andis /var/lib/lxc/lxc-fetsite-04/rootfs/srv/ none bind,create=dir 0 0
-
-  - name: fetsite
-    revision: "05"
-    template: debian
-    config:
-      - lxc.network.type = veth
-      - lxc.network.hwaddr = 2e:6d:b6:07:10:05
-      - lxc.network.link = br1
-      - lxc.network.flags = up
-      - lxc.mount.entry = /zv1/andis /var/lib/lxc/lxc-fetsite-05/rootfs/srv/ none bind,create=dir 0 0
-
 common_zfs: True
+
+common_snapper: False
+
+borgbackup_install_from_repo: False
+
+borgbackup_encryption_mode: "none"
+
+borgbackup_client_backup_server: fetlabserv.htu.tuwien.ac.at
+borgbackup_server_pool: "/lab/backup"
+
+borgbackup_create_jobs:
+  - name: system
+    options: "--lock-wait 1800"
+    day: 1
+    hour: 1                                                     # default value = 1
+    minute: 0                                                   # default value = 0
+    random_minute: 59                                           # default value : ignore randomization
+    directories:
+      - "/zv1/daten"
+      - "/zv1/fotos"
+      - "/zv1/homes"
+    excludes: []
+
+borgbackup_prune_enabled: yes
+borgbackup_prune_jobs:
+  - name: system
+    prune_options: "--lock-wait 1800 --keep-daily=750 --keep-weekly=52 --keep-monthly=24 --keep-yearly=-1"
+    day: "*"
+    hour: 12                                                     # default value = 1
+    minute: 0                                                    # default value = 0
+    random_hour: 5                                               # default value : ignore randomization
+    random_minute: 59                                            # default value : ignore randomization
+
+borgbackup_check_enabled: yes
+borgbackup_check_jobs:
+  - name: system
+    check_options: "--lock-wait 28800"
+    day: 1
+    hour: 12                                                     # default value = 1
+    minute: 0                                                    # default value = 0
+    random_hour: 5                                               # default value : ignore randomization
+    random_minute: 59                                            # default value : ignore randomization
+    random_day: 27                                               # default value : ignore randomization

host_vars/fetlab

@@ -0,0 +1,19 @@
+---
+inventory_hostname: fetlab.fet.htu.tuwien.ac.at
+inventory_hostname_short: fetlab
+
+common_iptables_v4: "iptables_fetlab_v4.j2"
+common_iptables_v6: "iptables_fetlab_v6.j2"
+
+common_resolvconf_nameservers: ["128.130.4.3", "128.131.4.3"]
+common_openssh_keys_root:
+  - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCzkK6ENya4mKcoG9iuMaodMpifeCgZK56zVF1zxyZhLtUyBx//qsLCXEdBNiGJY57Yp4l0PJKk9B4hpCFKuz6H622l84SOHzXhmFQUXWe/L6x4kRfQJvhBCNMi9brfR0n6AwX59RNRsbUeUjb7RuhCrzpbW0iWYjv/H9rjeyfY5Ne9dUUeBQDcsM1O7XfZJWwA5nxEGjbDB7l4/K43DoqaqzHOEOoETmHGfugO7A5QwhRmblu90pLD4+DOPv/4LGBRNpS8FyRzYrEJm7yUyF7nDzR+0xlLCapU4pKhmIFfSv4afsuBFvLb6Rgln5wUt2KIPh/qnqSP9jZGovYOadC0yb70dec7nnfwXTmqwzdwXtBlo3UzbPwt0iJG9fhYCw83Bkt/GpOsIW2fcxZhJ8CUeBw3Ox71lkeozb49oRMeHzUpYckrFt1FGxUWuHHykCrOXcxso0MRfKjl9RPUc+O5oQDG1KAoTd9doB3jygVr68wYVc/4kTTsXUlMIBMOUiek8XygQ7sV6Et6FpzvLvdf/iL1FMXAluRgUWJvKqe4IBPyWu2KyDF+2ZDMse3WhQYlYgNRqGCwfxOJGWtkvVO0L4YGJrLXKhY4yw2H+pQOHaugfGO8IYPV/vbPi+dB9OV89Zonu2iVjjDFFXI0xE7WSXCV3RQyed26Bq9BBO9DDQ== damadmai@fet.at"
+
+common_zfs: True
+common_snapper: False
+
+borgbackup_install_from_repo: False
+borgbackup_binary: "/usr/bin/borg"
+
+borgbackup_encryption_mode: "none"
+borgbackup_server_pool: "/lab/backup"

host_vars/fetsite3

@@ -1,3 +0,0 @@
-inventory_hostname: fetsite3.fet.htu.tuwien.ac.at
-inventory_hostname_short: fetsite3
-

host_vars/fetsite4

@@ -1,3 +0,0 @@
-inventory_hostname: fetsite4.fet.htu.tuwien.ac.at
-inventory_hostname_short: fetsite4
-

host_vars/fetsite5

@@ -1,3 +0,0 @@
-inventory_hostname: fetsite5.fet.htu.tuwien.ac.at
-inventory_hostname_short: fetsite5
-

hosts/production

@@ -3,6 +3,7 @@ all:
     fet_hosts:
       hosts:
         ariane:
+        fetlab:
     fet_lxc_debian:
       hosts:
         betam:
@@ -11,11 +12,6 @@ all:
         alekse:
         wostok:
         fetsite:
-        fetsite3:
-        fetsite4:
-        fetsite5:
-        fetsite6:
-        fetsite21:
     fet_lxc_void:
       hosts:
         sputnik:

install3

@@ -1,7 +0,0 @@
-#/bin/bash
-if [ ! -d ".env_ansible" ]; then
-python3 -m venv .env_ansible
-fi
-source .env_ansible/bin/activate
-pip3 install --upgrade pip
-pip3 install --upgrade ansible

roles/fetlab/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+fetlab_zfs: True
+fetlab_motion: True

roles/fetlab/files/motion.conf

@@ -0,0 +1,17 @@
+# @enabled on
+# @show_advanced on
+# @normal_password da559fac89e576192f868ff898652ec74cb7b4d6
+# @admin_username admin
+# @admin_password da559fac89e576192f868ff898652ec74cb7b4d6
+# @normal_username user
+
+
+webcontrol_html_output on
+webcontrol_port 7999
+setup_mode off
+webcontrol_parms 2
+webcontrol_localhost on
+
+thread thread-1.conf
+thread thread-2.conf
+thread thread-3.conf

roles/fetlab/files/motioneye.conf

@@ -0,0 +1,97 @@
+
+# path to the configuration directory (must be writable by motionEye)
+conf_path /etc/motioneye
+
+# path to the directory where pid files go (must be writable by motionEye)
+run_path /var/run/motioneye
+
+# path to the directory where log files go (must be writable by motionEye)
+log_path /var/log/motioneye
+
+# default output path for media files (must be writable by motionEye)
+media_path /var/lib/motioneye
+
+# the log level (use quiet, error, warning, info or debug)
+log_level info
+
+# the IP address to listen on
+# (0.0.0.0 for all interfaces, 127.0.0.1 for localhost)
+listen 127.0.0.1
+
+# the TCP port to listen on
+port 8765
+
+# path to the motion binary to use (automatically detected if commented)
+#motion_binary /usr/bin/motion
+
+# whether motion HTTP control interface listens on
+# localhost or on all interfaces
+motion_control_localhost true
+
+# the TCP port that motion HTTP control interface listens on
+motion_control_port 7999
+
+# interval in seconds at which motionEye checks if motion is running
+motion_check_interval 10
+
+# whether to restart the motion daemon when an error occurs while communicating with it
+motion_restart_on_errors false
+
+# interval in seconds at which motionEye checks the SMB mounts
+mount_check_interval 300
+
+# interval in seconds at which the janitor is called
+# to remove old pictures and movies
+cleanup_interval 43200
+
+# timeout in seconds to wait for response from a remote motionEye server
+remote_request_timeout 10
+
+# timeout in seconds to wait for mjpg data from the motion daemon
+mjpg_client_timeout 10
+
+# timeout in seconds after which an idle mjpg client is removed
+# (set to 0 to disable)
+mjpg_client_idle_timeout 10
+
+# enable SMB shares (requires motionEye to run as root)
+smb_shares false
+
+# the directory where the SMB mount points will be created
+smb_mount_root /media
+
+# path to the wpa_supplicant.conf file
+# (enable this to configure wifi settings from the UI)
+#wpa_supplicant_conf /etc/wpa_supplicant.conf
+
+# path to the localtime file
+# (enable this to configure the system time zone from the UI)
+#local_time_file /etc/localtime
+
+# enables shutdown and rebooting after changing system settings
+# (such as wifi settings or time zone)
+enable_reboot false
+
+# timeout in seconds to use when talking to the SMTP server
+smtp_timeout 60
+
+# timeout in seconds to wait for media files list
+list_media_timeout 120
+
+# timeout in seconds to wait for media files list, when sending emails
+list_media_timeout_email 10
+
+# timeout in seconds to wait for zip file creation
+zip_timeout 500
+
+# timeout in seconds to wait for timelapse creation
+timelapse_timeout 500
+
+# enable adding and removing cameras from UI
+add_remove_cameras true
+
+# enables HTTP basic authentication scheme (in addition to, not instead of the signature mechanism)
+http_basic_auth false
+
+# overrides the hostname (useful if motionEye runs behind a reverse proxy)
+server_name lab.fet.at

roles/fetlab/files/motioneye.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=motionEye Server
+
+[Service]
+ExecStart=/usr/local/bin/meyectl startserver -c /etc/motioneye/motioneye.conf
+Restart=on-abort
+User=motion
+
+[Install]
+WantedBy=multi-user.target

roles/fetlab/files/thread-1.conf

@@ -0,0 +1,82 @@
+# @webcam_resolution 100
+# @upload_subfolders on
+# @upload_server 
+# @enabled on
+# @network_server 
+# @upload_username 
+# @motion_detection on
+# @upload_port 
+# @upload_location 
+# @preserve_movies 93
+# @network_username 
+# @upload_movie on
+# @id 1
+# @manual_record off
+# @upload_password 
+# @upload_method post
+# @upload_picture on
+# @working_schedule_type outside
+# @network_password 
+# @upload_service ftp
+# @name Camera1
+# @preserve_pictures 365
+# @storage_device custom-path
+# @manual_snapshots on
+# @network_share_name 
+# @upload_enabled off
+# @webcam_server_resize off
+# @working_schedule 
+
+
+ffmpeg_output_movies on
+height 576
+stream_quality 85
+threshold 6220
+quality 85
+noise_level 31
+ffmpeg_output_debug_movies off
+pre_capture 1
+noise_tune on
+smart_mask_speed 0
+stream_maxrate 5
+output_pictures on
+hue 0
+saturation 0
+stream_localhost on
+ffmpeg_variable_bitrate 75
+ffmpeg_video_codec mp4
+text_changes off
+movie_filename %Y-%m-%d/%H-%M-%S
+auto_brightness off
+stream_port 8081
+rotate 180
+brightness 0
+lightswitch 0
+framerate 2
+emulate_motion off
+snapshot_filename %Y-%m-%d/%H-%M-%S
+despeckle_filter 
+snapshot_interval 0
+stream_auth_method 0
+stream_motion off
+target_dir /var/lib/motioneye/Camera1
+text_double on
+post_capture 1
+stream_authentication user:da559fac89e576192f868ff898652ec74cb7b4d6
+output_debug_pictures off
+on_picture_save /usr/local/lib/python2.7/dist-packages/motioneye/scripts/relayevent.sh "/etc/motioneye/motioneye.conf" picture_save %t %f
+on_movie_end /usr/local/lib/python2.7/dist-packages/motioneye/scripts/relayevent.sh "/etc/motioneye/motioneye.conf" movie_end %t %f
+text_left Camera1
+picture_filename %Y-%m-%d/%H-%M-%S
+locate_motion_style redbox
+locate_motion_mode off
+contrast 0
+videodevice /dev/video0
+max_movie_time 0
+on_event_end /usr/local/lib/python2.7/dist-packages/motioneye/scripts/relayevent.sh "/etc/motioneye/motioneye.conf" stop %t
+text_right %Y-%m-%d\n%T
+on_event_start /usr/local/lib/python2.7/dist-packages/motioneye/scripts/relayevent.sh "/etc/motioneye/motioneye.conf" start %t
+event_gap 30
+minimum_motion_frames 20
+mask_file 
+width 720

roles/fetlab/files/thread-2.conf

@@ -0,0 +1,82 @@
+# @webcam_resolution 100
+# @upload_subfolders on
+# @upload_server 
+# @enabled on
+# @network_server 
+# @upload_username 
+# @motion_detection on
+# @upload_port 
+# @upload_location 
+# @preserve_movies 93
+# @network_username 
+# @upload_movie on
+# @id 2
+# @manual_record off
+# @upload_password 
+# @upload_method post
+# @upload_picture on
+# @working_schedule_type outside
+# @network_password 
+# @upload_service ftp
+# @name Camera2
+# @preserve_pictures 365
+# @storage_device custom-path
+# @manual_snapshots on
+# @network_share_name 
+# @upload_enabled off
+# @webcam_server_resize off
+# @working_schedule 
+
+
+ffmpeg_output_movies on
+height 576
+stream_quality 85
+threshold 6220
+quality 85
+noise_level 31
+ffmpeg_output_debug_movies off
+pre_capture 1
+noise_tune on
+smart_mask_speed 0
+stream_maxrate 5
+output_pictures on
+hue 0
+saturation 0
+stream_localhost on
+ffmpeg_variable_bitrate 75
+ffmpeg_video_codec mp4
+text_changes off
+movie_filename %Y-%m-%d/%H-%M-%S
+auto_brightness off
+stream_port 8082
+rotate 180
+brightness 0
+lightswitch 0
+framerate 2
+emulate_motion off
+snapshot_filename %Y-%m-%d/%H-%M-%S
+despeckle_filter 
+snapshot_interval 0
+stream_auth_method 0
+stream_motion off
+target_dir /var/lib/motioneye/Camera2
+text_double on
+post_capture 1
+stream_authentication user:da559fac89e576192f868ff898652ec74cb7b4d6
+output_debug_pictures off
+on_picture_save /usr/local/lib/python2.7/dist-packages/motioneye/scripts/relayevent.sh "/etc/motioneye/motioneye.conf" picture_save %t %f
+on_movie_end /usr/local/lib/python2.7/dist-packages/motioneye/scripts/relayevent.sh "/etc/motioneye/motioneye.conf" movie_end %t %f
+text_left Camera2
+picture_filename %Y-%m-%d/%H-%M-%S
+locate_motion_style redbox
+locate_motion_mode off
+contrast 0
+videodevice /dev/video1
+max_movie_time 0
+on_event_end /usr/local/lib/python2.7/dist-packages/motioneye/scripts/relayevent.sh "/etc/motioneye/motioneye.conf" stop %t
+text_right %Y-%m-%d\n%T
+on_event_start /usr/local/lib/python2.7/dist-packages/motioneye/scripts/relayevent.sh "/etc/motioneye/motioneye.conf" start %t
+event_gap 30
+minimum_motion_frames 20
+mask_file 
+width 720

roles/fetlab/files/thread-3.conf

@@ -0,0 +1,82 @@
+# @webcam_resolution 100
+# @upload_subfolders on
+# @upload_server 
+# @enabled on
+# @network_server 
+# @upload_username 
+# @motion_detection on
+# @upload_port 
+# @upload_location 
+# @preserve_movies 93
+# @network_username 
+# @upload_movie on
+# @id 3
+# @manual_record off
+# @upload_password 
+# @upload_method post
+# @upload_picture on
+# @working_schedule_type outside
+# @network_password 
+# @upload_service ftp
+# @name Camera3
+# @preserve_pictures 365
+# @storage_device custom-path
+# @manual_snapshots on
+# @network_share_name 
+# @upload_enabled off
+# @webcam_server_resize off
+# @working_schedule 
+
+
+ffmpeg_output_movies on
+height 576
+stream_quality 85
+threshold 6220
+quality 85
+noise_level 31
+ffmpeg_output_debug_movies off
+pre_capture 1
+noise_tune on
+smart_mask_speed 0
+stream_maxrate 5
+output_pictures on
+hue 0
+saturation 0
+stream_localhost on
+ffmpeg_variable_bitrate 75
+ffmpeg_video_codec mp4
+text_changes off
+movie_filename %Y-%m-%d/%H-%M-%S
+auto_brightness off
+stream_port 8083
+rotate 180
+brightness 0
+lightswitch 0
+framerate 2
+emulate_motion off
+snapshot_filename %Y-%m-%d/%H-%M-%S
+despeckle_filter 
+snapshot_interval 0
+stream_auth_method 0
+stream_motion off
+target_dir /var/lib/motioneye/Camera3
+text_double on
+post_capture 1
+stream_authentication user:da559fac89e576192f868ff898652ec74cb7b4d6
+output_debug_pictures off
+on_picture_save /usr/local/lib/python2.7/dist-packages/motioneye/scripts/relayevent.sh "/etc/motioneye/motioneye.conf" picture_save %t %f
+on_movie_end /usr/local/lib/python2.7/dist-packages/motioneye/scripts/relayevent.sh "/etc/motioneye/motioneye.conf" movie_end %t %f
+text_left Camera3
+picture_filename %Y-%m-%d/%H-%M-%S
+locate_motion_style redbox
+locate_motion_mode off
+contrast 0
+videodevice /dev/video2
+max_movie_time 0
+on_event_end /usr/local/lib/python2.7/dist-packages/motioneye/scripts/relayevent.sh "/etc/motioneye/motioneye.conf" stop %t
+text_right %Y-%m-%d\n%T
+on_event_start /usr/local/lib/python2.7/dist-packages/motioneye/scripts/relayevent.sh "/etc/motioneye/motioneye.conf" start %t
+event_gap 30
+minimum_motion_frames 20
+mask_file 
+width 720

roles/fetlab/files/zfs_mount_settings.sh

@@ -0,0 +1,11 @@
+#list our zpools to be mounted, one per line, no delimiter
+pools=(
+	"lab"
+)
+#list all devs and their aliases to be used with luksOpen
+declare -A devs=(
+	["/dev/disk/by-id/ata-ST4000VN008-2DR166_ZDH35RRA-part1"]="ata-ST4000VN008-2DR166_ZDH35RRA-part1"
+	["/dev/disk/by-id/ata-ST4000VN008-2DR166_ZDH469JD-part1"]="ata-ST4000VN008-2DR166_ZDH469JD-part1"
+)
+#set your log file name
+LOG=/var/log/zfs_mount

roles/fetlab/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+- name: restart motion
+  service: name=motion state=restarted
+
+- name: restart motioneye systemd
+  systemd: daemon_reload=yes
+  listen: restart motioneye
+
+- name: restart motioneye service
+  service: name=motioneye state=restarted
+  listen: restart motioneye

roles/fetlab/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+- import_tasks: zfs.yml
+  when: fetlab_zfs
+  tags: ['fetlab_zfs', 'zfs']
+
+- import_tasks: motion.yml
+  when: fetlab_motion
+  tags: ['fetlab_motion', 'motion']

roles/fetlab/tasks/motion.yml

@@ -0,0 +1,60 @@
+---
+- name: motion - install motion
+  package: name=motion
+
+#- name: motion - /etc/default/motion
+#  replace:
+#    path: /etc/default/motion
+#    regexp: "^start_motion_daemon=.*"
+#    replace: "start_motion_daemon=yes"
+#  notify: restart motion
+
+- name: motion - install motioneye packages
+  package: "name={{ item }}"
+  with_items:
+  - python-pip
+  - python-dev
+  - python-setuptools
+  - curl
+  - libssl-dev
+  - libcurl4-openssl-dev
+  - libjpeg-dev
+  - libz-dev
+  - ffmpeg
+  - v4l-utils
+
+- name: motion - install motioneye
+  pip: name=motioneye state=latest executable=pip
+  notify: restart motioneye
+
+- name: motion - setup storage
+  file: "path={{ item }} owner=motion group=adm mode=755 state=directory"
+  with_items:
+  - /var/lib/motioneye/
+  - /var/log/motioneye/
+  - /var/run/motioneye/
+  - /etc/motioneye/
+
+- name: motion - configure motioneye
+  copy: "src={{ item }} dest=/etc/motioneye/{{ item }} owner=motion group=adm mode=0644"
+  with_items:
+  - motion.conf
+  - motioneye.conf
+  - thread-1.conf
+  - thread-2.conf
+  - thread-3.conf
+  notify: restart motioneye
+
+- name: motion - remove logo
+  lineinfile:
+    dest: /usr/local/lib/python2.7/dist-packages/motioneye/templates/main.html
+    regexp: "{{ item }}"
+    state: absent
+  with_items:
+  - '<span class="logo">motionEye</span>'
+  - '<div class="copyright-note">copyright &copy; Calin Crisan</div>'
+
+- name: motion - copy service file
+  copy: src=motioneye.service dest=/etc/systemd/system/motioneye.service
+  notify: restart motioneye
+

roles/fetlab/tasks/zfs.yml

@@ -0,0 +1,20 @@
+---
+- name : zfs - zfs_mount_settings.sh
+  copy: src=zfs_mount_settings.sh dest=/etc/ owner=root group=root mode=0755
+
+- name: zfs - set quota
+  zfs:
+    name: "{{ item.name }}"
+    state: present
+    extra_zfs_properties:
+      quota: "{{ item.quota }}"
+  with_items:
+  - { name: lab/rec, quota: "2T" }
+
+- name: zfs - pool scrub cronjob for lab
+  cron:
+    name: zfs scrub lab
+    minute: 5
+    hour: 2
+    weekday: 1
+    job: "/sbin/zpool scrub lab"

site.yml

@@ -24,6 +24,7 @@
 - hosts: ariane
   roles:
   - ariane
+  - borg_client
 #  - rvm1-ansible
 
 - hosts: sputnik
@@ -52,6 +53,11 @@
   roles:
   - borg_client
 
+- hosts: fetlab
+  roles:
+  - fetlab
+  - borg_server
+
 - hosts: buran
   roles:
   - borg_client

ssh.cfg

@@ -43,18 +43,6 @@ Host progress
     User root
     Proxyjump sputnik
 
-Host fetsite3
-    User root
-    Proxyjump sputnik
-
-Host fetsite4
-    User root
-    Proxyjump sputnik
-
-Host fetsite5
-    User root
-    Proxyjump sputnik
-
 Host energija
     Hostname energija.htu.tuwien.ac.at
     ProxyJump sputnik

templates/iptables_fetlab_v4.j2

@@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+COMMIT

templates/iptables_fetlab_v6.j2

@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -p tcp --syn -j DROP
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+COMMIT