diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..9016b7389b007c96d582adaabe3af59923eca062
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+roles/
+~*
+*~
+*.sw[op]
+*.retry
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000000000000000000000000000000000000..c8bc96e467ab4ea095832065f1d396bbb1aa3c5f
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "library/shore"]
+ path = library/shore
+ url = https://www.shore.co.il/git/ansible-modules
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..0538e6f1cb57d4439657afdde89e2c24f9ccf850
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,12 @@
+[defaults]
+inventory = hosts/
+private_key_file = ~/.ssh/shore_ecdsa
+vault_password_file = ~/Documents/Shore/vault.pwd
+roles_path = roles/
+library = library/
+
+[privilege_escalation]
+become = True
+become_method = sudo
+become_user = root
+become_ask_pass = False
diff --git a/common.yml b/common.yml
new file mode 100644
index 0000000000000000000000000000000000000000..139254550755a41296a1430f75b8c0d541509fbe
--- /dev/null
+++ b/common.yml
@@ -0,0 +1,27 @@
+---
+- hosts:
+ - ns1.shore.co.il
+ - 192.168.3.1
+ gather_facts: no
+ roles:
+ - role: openbsd-bootstrap
+ tags: [openbsd, openbsd-bootstrap]
+
+- hosts: all
+ roles:
+ - role: users
+ tags: [users]
+
+ - role: ca-store
+ tags: [ca-store]
+
+ - role: ntp-client
+ tags: [ntp-client]
+
+ - role: ufw
+ when: ansible_os_family == 'Debian'
+ tags: [ufw, Debian]
+
+ - role: unattended-upgrades
+ when: ansible_os_family == 'Debian'
+ tags: [unattended-upgrades, Debian]
diff --git a/files/compilekernel b/files/compilekernel
new file mode 100755
index 0000000000000000000000000000000000000000..5873731da0b19125dc4ba72259ecf5fc51b83af4
--- /dev/null
+++ b/files/compilekernel
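Review bot: `become = True` in [privilege_escalation] switches on sudo-to-root for every play and task in the repository, including the gather_facts: no bootstrap play in common.yml that targets the OpenBSD host; if that host does not yet have the sudo package, every task there fails before the bootstrap role can run (OpenBSD base ships doas rather than sudo since 5.8, so this hinges on what openbsd-bootstrap installs, which is outside this commit). Scoping escalation per play with `become: yes` where root is actually needed keeps the config honest and avoids that chicken-and-egg. The `private_key_file` and `vault_password_file` entries also bake one operator's home-directory layout into a shared file; the same values can be supplied per user through ANSIBLE_PRIVATE_KEY_FILE and ANSIBLE_VAULT_PASSWORD_FILE instead.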
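Review bot: The first play lists `192.168.3.1` next to `ns1.shore.co.il`, but neither inventory file in this commit (hosts/all, hosts/kodi) contains that address, so Ansible will only warn that the pattern matched nothing; per group_vars/all/vars it is the same machine as ns1 (`ns1.trusted: 192.168.3.1`), so the entry looks like a leftover from reaching the box over the LAN. If bootstrapping via the LAN before the PPPoE side is up is the intent, put the address in the inventory (or an `ansible_host` on ns1) rather than in the play. Separately, every role referenced here (openbsd-bootstrap, users, ca-store, ntp-client, ufw, unattended-upgrades) lives under roles/, which .gitignore excludes, and the commit adds no requirements file saying where they come from; a `requirements.yml` with a source and version for each would make the playbook reproducible from a fresh clone.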
@@ -0,0 +1,8 @@
+#!/bin/sh
+cd /usr/src/sys/arch/$(machine)/conf
+KK=$(sysctl -n kern.osversion | cut -d# -f1)
+config $KK
+cd ../compile/$KK
+make
+make install
+make clean
diff --git a/files/dhcpd.conf b/files/dhcpd.conf
new file mode 100644
index 0000000000000000000000000000000000000000..c6132890e0d2580a6de17fec74cb8f4bab9cd73b
--- /dev/null
+++ b/files/dhcpd.conf
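Review bot: Every `cd`, `config` and `make` in this script is unchecked, so if `config $KK` fails or `cd ../compile/$KK` does not exist, `make install` still runs in whatever directory the script happens to be in; adding `set -e` on the line after `#!/bin/sh` stops at the first failure, and `"$KK"` should be quoted where it is used. The `cut -d# -f1` on `sysctl -n kern.osversion` strips the build number from a value of the form CONFIG#number, which is not obvious to a reader — a one-line comment such as `# kern.osversion is CONFIG#build; keep only the config name` would help. Echoing `$KK` before `config` would also leave a record of which kernel configuration was built.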
@@ -0,0 +1,101 @@
+max-lease-time 86400;
+default-lease-time 3600;
+deny unknown-clients;
+authoritative;
+use-host-decl-names on;
+
+#DMZ, rl2 interface
+subnet 192.168.4.0 netmask 255.255.255.0
+{
+ option domain-name-servers 192.168.4.1;
+ option routers 192.168.4.1;
+ option domain-name "dmz";
+}
+
+#LAN, rl0, ral0 interfaces
+subnet 192.168.3.0 netmask 255.255.255.0
+{
+ allow unknown-clients;
+ option domain-name-servers 192.168.3.1;
+ option routers 192.168.3.1;
+ option domain-name "trusted";
+ range 192.168.3.100 192.168.3.199;
+ host nimrod
+ {
+ hardware ethernet 40:f0:2f:41:7a:be;
+ fixed-address nimrod.trusted;
+ }
+ host shoshana
+ {
+ #hardware ethernet 00:22:68:6F:A3:D5; #ethernet
+ hardware ethernet 00:A1:B0:30:0A:36; #wireless
+ fixed-address shoshana.trusted;
+ }
+ host wrt54gl
+ {
+ hardware ethernet 00:18:F8:DB:29:9C;
+ fixed-address wrt54gl.trusted;
+ }
+ host smtp
+ {
+ hardware ethernet 02:B2:5C:93:AE:8C;
+ fixed-address smtp.trusted;
+ }
+ host imap
+ {
+ hardware ethernet 02:57:A4:85:7A:EA;
+ fixed-address imap.trusted;
+ }
+ host ldap
+ {
+ hardware ethernet 02:1D:E0:C2:84:C7;
+ fixed-address ldap.trusted;
+ }
+ host web1
+ {
+ #hardware ethernet 00:19:d1:77:f8:10;
+ hardware ethernet 7a:99:ad:12:b6:c5;
+ fixed-address web1.trusted;
+ }
+ host ronit
+ {
+ hardware ethernet f4:b7:e2:f1:a9:a5;
+ fixed-address ronit.trusted;
+ }
+ host cgit
+ {
+ hardware ethernet 00:16:3e:9e:05:e0;
+ fixed-address cgit.trusted;
+ }
+ host gitweb
+ {
+ hardware ethernet 02:73:79:70:9A:87;
+ fixed-address gitweb.trusted;
+ }
+ host realestate
+ {
+ hardware ethernet 00:16:3e:af:73:1c;
+ fixed-address realestate.trusted;
+ }
+ host xbmc
+ {
+ #hardware ethernet ac:f1:df:12:33:24;
+ hardware ethernet 10:c3:7b:9c:b8:fa;
+ fixed-address xbmc.trusted;
+ }
+ host rtorrent
+ {
+ hardware ethernet 02:E4:A9:57:ED:56;
+ fixed-address rtorrent.trusted;
+ }
+ host wdr4300
+ {
+ hardware ethernet E8:94:F6:87:A8:D2;
+ fixed-address wdr4300.trusted;
+ }
+ host wordpress
+ {
+ hardware ethernet 02:B1:6A:42:E0:95;
+ fixed-address wordpress.trusted;
+ }
+}
diff --git a/files/public_ssh_keys/ronit.ecdsa b/files/public_ssh_keys/ronit.ecdsa
new file mode 100644
index 0000000000000000000000000000000000000000..68028fa3e5998fa93d5c731111f5a6518f33ef28
--- /dev/null
+++ b/files/public_ssh_keys/ronit.ecdsa
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDC3H9TeFDKlqzhooRfjDxyuhibOXYqOk232znuMBu9ci2aWpA8q/LYy5l7gJd02MGf9K1aefSCWGs3ZvNjbpMU= ronit@shore.co.il
diff --git a/files/public_ssh_keys/ronit.rsa b/files/public_ssh_keys/ronit.rsa
new file mode 100644
index 0000000000000000000000000000000000000000..6b9e5824401629ab6b5c23a2d18d1ce1ad6d59c5
--- /dev/null
+++ b/files/public_ssh_keys/ronit.rsa
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3QF9sEl5yWUwYOXuHxwOH+90RqxxKDzoeEtxx2cXC727p7ICFza3IW+E/fcntOmM7oJo+F8Fv5eLgZgVbdTABwOJ8Bg5e2TjKMl/jScRjF98ARd1hBoodGsDaDMDNvc6vwledhn/kwtkBuyW6vaz2w5TnHwPtC/Sp0JkpJTFip5mJtVLEz4WUzcZIPzOTYdalCP6znd1Z6FD2ZGcdGL8Z4rotsAfU7aVy/TyNBS+c/xDEvDlmIV8JL30EExWR6O+iyGqe5753Lxf30qqy3waQNc0n3/g5bZvyVdKCqPnByX4We6PLLgLwF8/Tf+B8ue2sWts6YiHwqVRu9U9TsrnD ronit.binenboim@googlemail.com
diff --git a/files/shore.co.il/google88c23a5c89fa3cb3.html b/files/shore.co.il/google88c23a5c89fa3cb3.html
new file mode 100644
index 0000000000000000000000000000000000000000..ceace0b5e9d1937c18b05816d6ec871e20bb5afa
--- /dev/null
+++ b/files/shore.co.il/google88c23a5c89fa3cb3.html
@@ -0,0 +1 @@
+google-site-verification: google88c23a5c89fa3cb3.html
\ No newline at end of file
diff --git a/files/shore.co.il/robots.txt b/files/shore.co.il/robots.txt
new file mode 100644
index 0000000000000000000000000000000000000000..5a6f1a9d3d065021b4cd1ce42c21892d9b49011b
--- /dev/null
+++ b/files/shore.co.il/robots.txt
@@ -0,0 +1,3 @@
+User-agent: *
+Crawl-delay: 3600
+Host: www.shore.co.il
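Review bot: Every `fixed-address` in the LAN subnet is a `.trusted` hostname rather than an address, so dhcpd can only start once those names resolve at parse time — on ns1 that depends on the `Add hosts entries` task in ns1.yml having populated /etc/hosts from the `hosts` dict in group_vars/all/vars, and the name-to-address mapping now lives in two files that nothing keeps in step. Writing the addresses directly, or rendering dhcpd.conf as a template from that same `hosts` dict, removes the ordering dependency and the drift. The interface names in the comments (`#DMZ, rl2 interface`, `#LAN, rl0, ral0 interfaces`) also no longer match what ns1.yml configures (em2 for the LAN, em4 for the DMZ, bridge0 over em0/em1), so they should be updated or dropped. Worth a comment as well: the global `deny unknown-clients` leaves the DMZ subnet (no range, no host blocks) handing out nothing, while the LAN subnet overrides it with `allow unknown-clients` and a pool that any client on the bridged interfaces can draw from — if that is deliberate, say so next to the override.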
diff --git a/files/updatesrc b/files/updatesrc
new file mode 100755
index 0000000000000000000000000000000000000000..7ef47c45927fc6f8b14a59e7cc9658fcedd184c6
--- /dev/null
+++ b/files/updatesrc
@@ -0,0 +1,9 @@
+#!/bin/sh
+if [ -d /usr/src/CSV ]
+then
+ cd /usr/src
+ cvs -q up -Pd
+else
+ cd /usr
+ cvs -qd anoncvs@anoncvs.ca.openbsd.org:/cvs get -rOPENBSD_$(uname -r | sed 's/\./_/') -P src
+fi
diff --git a/group_vars/all/vars b/group_vars/all/vars
new file mode 100644
index 0000000000000000000000000000000000000000..52d0d5dedef7304c1d71f77dabc76db2caba81a6
--- /dev/null
+++ b/group_vars/all/vars
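Review bot: The test `[ -d /usr/src/CSV ]` looks like a typo for `CVS` (the administrative directory a cvs checkout creates), so the update branch is never taken and every run falls through to a full `cvs … get` into /usr; change it to `if [ -d /usr/src/CVS ]`. The `cd` calls are unchecked too: if `cd /usr/src` fails, `cvs -q up -Pd` runs in the caller's working directory, so `set -e` after the shebang (or `cd /usr/src || exit 1`) is worth adding. A one-line comment explaining that `sed 's/\./_/'` turns the `uname -r` release into the OPENBSD_X_Y branch tag would also help the next reader.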
@@ -0,0 +1,89 @@ +hosts: + ns1.trusted: 192.168.3.1 + web1.trusted: 192.168.3.2 + ronit.trusted: 192.168.3.3 + smtp.trusted: 192.168.3.4 + imap.trusted: 192.168.3.5 + ldap.trusted: 192.168.3.6 + gitweb.trusted: 192.168.3.7 + shoshana.trusted: 192.168.3.8 + wrt54gl.trusted: 192.168.3.9 + nimrod.trusted: 192.168.3.10 + realestate.trusted: 192.168.3.11 + xbmc.trusted: 192.168.3.12 + rtorrent.trusted: 192.168.3.13 + wdr4300.trusted: 192.168.3.14 + cgit.trusted: 192.168.3.15 + wordpress.trusted: 192.168.3.16 + ns1.dmz: 192.168.4.1 + ns1.shore.co.il: 62.219.131.121 + +www_shore_co_il_crt: | + -----BEGIN CERTIFICATE----- + MIIF5zCCBM+gAwIBAgIQJNgWXj7PheGka2E3QIb9fjANBgkqhkiG9w0BAQsFADB4 + MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjEpMCcGA1UECxMg + U3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJjAkBgNVBAMTHVN0YXJ0 + Q29tIENsYXNzIDEgRFYgU2VydmVyIENBMB4XDTE2MDIyODA5MDkwOFoXDTE3MDMw + MTA5MDkwOFowGjEYMBYGA1UEAwwPd3d3LnNob3JlLmNvLmlsMIICIjANBgkqhkiG + 9w0BAQEFAAOCAg8AMIICCgKCAgEA2fzG6N2LWVfEo3XQGdzhqnYnoBnB1M14Iq/m + Em8EYBeDVt0zNttSH+lj5Z1u1AhrnSxEFqQHnJaupukv/cnjqmzPhkAiEk27F+oP + t2K+qm1IV0XqyQUtm0oLvkL/lK1OEeGfeo/D7CO2+i3ocJnul/DirWlnQ7XekDTO + CROYDA55PV/e+gZliqpWgtS2e5j/M9hovcivuKzOG5F7JS35rlQXduPcIqh+j6ms + DyHHkzhgwNErsc2lJK0i0/pAmkZVQIOneS47bV0eC6Dt2HGflVCWsqYboYRVHaqy + PPb0OPEZmp3rQ1gpdqXDbMTgTiIDxj7KO0gLcGq7R9BOWD0UjnM+OKC7KiSlwQhz + KV/MfoWa6lWpbhLrzMIncKWSSpiyOGuju172UbW9s8YBxGcIuwZti7/D0TRkUpOf + aOAUIuq6AEY4sRVpeDfuLInfVqWCY9bmMFWTSXdrkXjmEBhCijchLVBjZLS4ajIA + o7pCQYrVSpHK/9IyCOdTfxg1qdEBeNeQC8s3i57/OWXYq+N7RlUJPdJXtki1rV1C + KjSN9ia++VEEjdbRRHEHc8eGTpy/pbfX17cWO3lSVuuBvbv1aa4dRQvZn7oUUJfi + skL6HWyUfT0ZjZSDL1ZpwCUpYr0o8BfXwxyEuhAuQbA5wEgJMXjhHwKErrgmjGSP + m4lW5hkCAwEAAaOCAckwggHFMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggr + BgEFBQcDAgYIKwYBBQUHAwEwCQYDVR0TBAIwADAdBgNVHQ4EFgQUlOR/53RZUvz2 + ceM9IX4KbFFjZDcwHwYDVR0jBBgwFoAU15FOAcSwv/jIZ5NEnOcz+q2TDK8wbwYI + KwYBBQUHAQEEYzBhMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5zdGFydHNzbC5j + 
b20wOQYIKwYBBQUHMAKGLWh0dHA6Ly9haWEuc3RhcnRzc2wuY29tL2NlcnRzL3Nj + YS5zZXJ2ZXIxLmNydDA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLnN0YXJ0 + c3NsLmNvbS9zY2Etc2VydmVyMS5jcmwwJwYDVR0RBCAwHoIPd3d3LnNob3JlLmNv + LmlsggtzaG9yZS5jby5pbDAjBgNVHRIEHDAahhhodHRwOi8vd3d3LnN0YXJ0c3Ns + LmNvbS8wUAYDVR0gBEkwRzAIBgZngQwBAgEwOwYLKwYBBAGBtTcBAgQwLDAqBggr + BgEFBQcCARYeaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5MA0GCSqGSIb3 + DQEBCwUAA4IBAQDJv1SkEL9Fax4ItOTYJF5rQ7JsD8i8TdZXLsT2F2VGlBNlusPx + hPPWXM1nUy90tRrN5lQGxNtLR/0BGrXNKk1ReL3WU+Nqosk02Zoh4jeQYZQTDzRx + DZTnTS/DzitNoXheO7VSHw6Nok8pa6PdEkN7ekooemZYz0SMJrmoSFMl+Bh5t10W + M0GhcLYQldqqL8hE2220gg+bVKUzT/zl822mbYroZ3JcDKvE0GDqA/eSulCben9S + chj4MV3dXbyvSWh68PE8oGtl1i0gCuwb5pDuGZP0CHcQeJbiOEwwwl7gFUgzNfkv + iXgbEha8+rc5R1o//CrCC9zyr4nk7Rpj8Cst + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIF5TCCA82gAwIBAgIQal3D5TtOT9B7aR6l/OxkazANBgkqhkiG9w0BAQsFADB9 + MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi + U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3Rh + cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTUxMjE2MDEwMDA1WhcN + MzAxMjE2MDEwMDA1WjB4MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20g + THRkLjEpMCcGA1UECxMgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkx + JjAkBgNVBAMTHVN0YXJ0Q29tIENsYXNzIDEgRFYgU2VydmVyIENBMIIBIjANBgkq + hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2uz0qohni7BLYmaWv8lEaObCK0ygM86s + eeN2w9FW4HWvQbQKRYDvy43kFuMmFD4RHkHn1Mk7sijXkJ/F8NH+5Tjbins7tFIC + ZXd+Qe2ODCMcWbOLoYB54sM514tsZk6m3M4lZi3gmT7ISFiNdKpf/C3dZwasWea+ + dbLpwQWZEcM6oCXmW/6L3kwQAhC0GhJm2rBVrYEDvZq1EK3Bv+g5gAW8DVfusUai + oyW0wfQdnKtOLv1M4rtezrKtE8T5tjyeKvFqMX93+LYVlT8Vs+sD12s3ncldqEDL + U89IiBjg6FsbLfM2Ket/3RbfvggfQMPQshipdhrZL8q10jibTlViGQIDAQABo4IB + ZDCCAWAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF + BQcDATASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6 + Ly9jcmwuc3RhcnRzc2wuY29tL3Nmc2NhLmNybDBmBggrBgEFBQcBAQRaMFgwJAYI + KwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbTAwBggrBgEFBQcwAoYk + 
aHR0cDovL2FpYS5zdGFydHNzbC5jb20vY2VydHMvY2EuY3J0MB0GA1UdDgQWBBTX + kU4BxLC/+Mhnk0Sc5zP6rZMMrzAfBgNVHSMEGDAWgBROC+8apEBbpRdphzDKNGhD + 0EGu8jA/BgNVHSAEODA2MDQGBFUdIAAwLDAqBggrBgEFBQcCARYeaHR0cDovL3d3 + dy5zdGFydHNzbC5jb20vcG9saWN5MA0GCSqGSIb3DQEBCwUAA4ICAQCO5z+95Eu6 + gog9K9e7DatQXfeUL8zq1Ycj0HKo3ZvFhRjULAVrMj7JrURtfoZziTDl39gvMDhL + voN5EFEYQWyre5ySsFgGeZQHIC0zhETILSyAE7JCKaEJ//APnkcQfx458GOuJvi+ + p2JpRxa8Sc/HVJ9HqA687QbbJFFZlUP5IqLtCb8yZVBURd4Nm/+01DXBzomoQPwA + K3cYl9br6Q+eKmCKPKN6X4IT1gwtwXuca1f3OpZTbUFPdPz1KvP1qCFt+rNieSmO + BN76Xa9ffzoBByzVdnvk2OHuopmJq/eHF+E3s+GFYT6Oxjrez/lEbBvgEmGyXZOZ + aj6XeDnBxOIYRODfnZG99cy2q5WtDLHKuiMogJGO89PWaI2jK1Aq5sa0j55jp2Je + FXbRieKw5CKreCIiNR9MpaffieLgbTcK1BSKjxUZtd7BqJ3x1lvD2jbe7WKqzusZ + btPhFgrDDsgdw27zQokNYBZZaa1LwYZGZgddiAcLcYkilGobA2wLKk6eYz6VnatD + dI4aQx6FkHWvKU0e7s/cUym6Px3vXrC4z6woAztC98XaorPO0pkL73P4dKSjnKYY + rYsqe7BnBGtANf1XaG5Pm8BUWJ9WZAWin6KsJXTo8Nj0G4CRq7dq17LBnCbi9Qmp + Szc2kuPNbrV8PvbTLIXupfZFFj0d9mpaFg== + -----END CERTIFICATE----- diff --git a/group_vars/all/vault b/group_vars/all/vault new file mode 100644 index 0000000000000000000000000000000000000000..a7ed9cc34eaeee84a3d116f2431dd503ee9541f2 --- /dev/null +++ b/group_vars/all/vault 
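Review bot: `www_shore_co_il_crt` bundles the www.shore.co.il leaf certificate with the StartCom Class 1 DV Server CA intermediate, and the leaf's validity decodes to 2016-02-28 through 2017-03-01, so this value must be re-issued within the year; a comment above the variable stating the issuer and the expiry date would keep that from being a surprise. The same blob is what ns1.yml writes to /usr/local/share/ca-certificates/shore.co.il.crt before running update-ca-certificates, which folds whatever is in that directory into the system trust bundle — the server chain handed to nginx and the set of CAs the host should trust are different things, and only the latter belongs there. Consider keeping this chain in a variable consumed by the nginx role and, if StartCom needs to be trusted on the host, installing its CA certificate separately.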
@@ -0,0 +1,244 @@ +$ANSIBLE_VAULT;1.1;AES256 +30326238336263393830613164353238646634343862353962346535326664343736663031353633 +3336646436623835646335306136633231373030333735320a376437386465373666313365386533 +39366538663166636335336234303062353838303435663239383266626366346138336337313139 +6161393437393430310a626330376531336266656264663566333035363931343836646633313132 +30376666353762363539666436353365653662623630343161313230393966306337613465316430 +31353031313938616262356538343163613637376334333738366566646134306466613761373035 +32346666643533353662346137313836346234323333643862643037303630343539653964646232 +65386561613965386565323332633866666166663033316139303261373962653762303435316631 +61636335613062663436643130626438356537626333653130656635336631383562303731386265 +31663031623635383838376634336233636639656531326334656261626264663032373564633264 +39393163663731643432666364323933653632666538313530373233343663656164376631343361 +32653935376533306561363334363839316530343462613937383839333532626662666466396661 +64613239383537316332363932363661656663623263353862306130343635333331336163613730 +61616365316330626438326232643935633865323134663436336631353262623233666437346466 +34663864373035343962306262616563613830626137303265636139333636313162323637613835 +63376633613131323934383333636637306166633365346332356563363365666531396261333936 +37646438353738383336363566386337623632623034633234643238623262653063623063656465 +33326233356163616238363661373965646665333738356263323665623434643533346435646439 +65346337663637623836383061613130643935396336353130313939316566363666633536633634 +39656438623830363961346237323639373939383639393636376562383463313133313161366336 +62313436363666663365653162653237393736613931393436643563353938613835306231303063 +32376434353364623035316238636133343938326535616637393962326533643763623866633836 +34646132616232636231333665383864343435323635383036323935376438633962643131333064 
+35653537363235383531616639346134356634373432336434636363663238376438626139666636 +30626430323731393436323532636162666364366665363436633434653162623932316139666336 +30343963386136633238643466343665386133623335383436366361303931653839366631316436 +64326365373233343865373136373030373031613339383866343362343233666338333064613534 +38643666363365396232316565616261323538393561386339626566386164666633316163386665 +30623634393635623738373638393931326330323966613136316634393439383866346236356265 +63373964373537653566376663306564303661396239343165613330656533653239393237383235 +61663765653835333633613036383533393630303237663231653964626264613634363665663937 +32313038373934353936636532666263613939663166326435643565343339343138323831386464 +32343031323238613262666432326631313036363232313362643563623664626261333465383163 +34316563626339313334613735346362303862383037303866323164373734326331333537643730 +62393266306435396665313665386434656134343965386139626634636635313630393164663432 +31646462623236353239393931633837343430313235313361626537623262333166616632653538 +35396530336530643133343638323965643163396234653361663935336363616231613235616464 +61643437623032356261643534363961333865313031326233313061326265346332306135386334 +35363636646633393930643033313835363339373139306664306361306666613936626238323831 +63373962663337363261663239383333333031313961643865663662316537343637613161653633 +32636334306338326166656438643935626662633765396638386665646633396231613439366538 +66393364626161643832386433326336633538666139326233376163396233323036633038626166 +65623866363138623564663932663934636234303734636263636231336265386263336234353263 +65323362363432656338636532386136646463666536656335363232643539303266646531366230 +37623738623465643637373166383666303836393037393766643739336263363063653839626136 +66373331323666626464303630323732353537376638386532386430386332323334353832376661 +65333532353462313435313634326439663565343733356136333638316462623964633663646234 
+31626234383634663933383664653762653139386162646464646539646230626665383466386133 +35376664356132626366363235626462613130366432363261313061616338386262373363633537 +38633938393766343036656162326665306636643762326331616533633864643939633335663964 +33303266306130626539373236343333383961303563393265336163343139393635326462303333 +36303062326537613530613233313062393763333933613334376238646534613136623533363334 +32396263663164353561646465313634393231346461633938623338316530303864323738323063 +64306133353662313962313537376561386665653966353637353961323737346562373761633061 +31653235343161396631363738306633653466336438326435623431653863353438613437623861 +38613532663835636538383530313964353439633333383334373930613431383961643630336436 +32373134646235373831373235353435343265336664373663393834316535376666613064626439 +35663565633765646233396562393865656234363832313464626430643865306232343765333030 +31383631666533363231643730636262383333316165626432383333393334626530346533303263 +62363865393862363533303162383537376333653936353237646366616163336561363931363030 +30336130303061626339366130303732333235313263623636363431366331303330333062303662 +39396532396139663062336632656435383266373666333664663138363565323263666363326339 +30353466666366653336653564633761633437313234643931396639633561303731363032343033 +64386265353838313631653130386431353139353138363465346561646664353532653264373564 +30393233366236663430346336666664386630303662333034653864313633343736356564383866 +32373937343036633662376663353062386361663734383261653334663765303036306331316432 +30363236323039356366303339646136373433643133306461653264333165346434666261626531 +64383764346137633830333462623136316134313632376639363961363033366235643066646261 +64373865396562626334663236343733333565643362343963313337643435623636633239343266 +39393139336439316365323133373165636337333461636635663465666536303031303537623866 +36623934306264656434333631373131643662333865656137633638363734386163366134653039 
+35336436343933313635386338313630666534363862396131623061383838363136616331346237 +64326665643932373965353331366330353230336566353866303636616631326363396239353666 +63363135346266616266646465623436306539323535626236656162306133646437636631323561 +38323634313238633339616365323530323938373162613732626563643462636634396237666666 +62333165373461363663343230306136353330396666646239366539623162303965323038356133 +62363838613538363234616231633662383466386130653530313464376330326566393663343364 +36343062333865306336613465303937613036336462363365373535323530353430633864396536 +61633334396131356163386638366564376436393935366366363338396236313730643130353633 +30663731613764356265393236616662653138313161356132666435376633313166616361336465 +35656434636136383964383539346532396136666239363737343664323639343933383266643661 +31313334316565383561613532373262663765633766356335643635306335343132386662396131 +63626531386239653364373335663939316136303438613731623334616436353733386464353135 +32363530353134386332396566623234353637343535653662336434323334366536376565656433 +35616261616663373263666432393239396139343634353830383636376361373564333530383266 +36373931333764653239623633333032383262663864613934376237643135393163366364333132 +34393465333162336566343563383261643836393336663333623735306362633339336637366433 +37346461323530656533303332373763333836633133396439313638663337326333386339316433 +61386239356265633734306266656437633265373661376664326536613761343337336263643930 +64636338363166353331383832363834623465313335656266636164323339346538646639643361 +34613535333038333164333365363238666535653062646537653839343535383539663463373539 +65303532666162663439373065376133313430636436636362303330613138383235663637666434 +64383134613038656137363833396338326263346330656563376365386535643730656564363865 +62376665333065343432343138636232646563613964386161303039633464366364383835326564 +63643337303632393535333961663364376232376261626335663335383837333533663463323461 
+35656164383134646364383933323334653562643163666134306432303237353138383938623836 +35343966343637663965356635666133313438303333386435646261383264346636373132663464 +36666262653861336436646533353836313566623136333564333131383731396161393864613839 +31353032666130393037636138653933396634346235646432393633643739363036386632373737 +65653339303761373136366563373965306663643063393364626631386432656235656561616534 +66633263313633623535633965363137313364393537376330366338623031623538626431613430 +36626631656633363965356564303766316266373732633636336532623964653339386466613963 +63353034633964613730396331383938633031336633393937623964336161306635636533643632 +34656638633030626530323561343661613737613633653964613363643162346638626132643162 +64323861663633656566356366353735333431386162316437323565363230333665613531633737 +63616634643132346238613737333331323230313065663261393631323136303536323635323762 +32343632633437353864393630633030616566386166313937636332386533626265656430323466 +35633535363635353962326434623835323130613539613135363137333633376265613438313136 +31356432356661396239656237386161393038326564636438346361333036313731616335666536 +64373734356565373333323366346539346539313864643162366232626136643439343865386535 +32383666346164313434393233393831346662646433653838663238643435633532353931386634 +64363832313535333935333739326131363539323263386336636261353236366563383930643635 +30613062386434363963343137333533393261336339656236393936303164303131376632383639 +30623666653664346239346537623136326164353535633165303636363030326163353939636233 +36656336346461633761626235656464393135343930396166376663303562643566383830376335 +66393533643734323565323936383865653530363934313832646365336535396434313636373438 +63633461323764666562613566353430643763333432616666376136323039316139393962393038 +32323232616131333961353662633261363133626536353966396634666231663038613030316131 +32636334396661663139663631626439396566333238636631313064623734306261313734633364 
+39386134306232303236653137323534333330386535303562613461653265613330636163383735 +61326465313533316230663730333666366635383264306663656530636431616161383865353233 +32383536346136323066343565656639643261633330626534633536343561303132323838616535 +36363564333934623434613739623138313939666334636238353239396338346233323831643461 +65306236646666326133313364363231313764323937656434646162363161666665353561383263 +32376361353266383361616138333565633564633634303737343137313536303264326665303437 +38303662653931343963646563656134636165316564663134333037616537633831373239653639 +35396530656437326233333235656434653135336265376638313766363064346563356462316133 +35373433356235373066323630396134653532373434616633653130306334373062663337393033 +31616466613335303263663363346264386161316335396234633135383061373433383063376665 +35366330393835636434656336373965376435376565333233666335353065613663393462346533 +66386537336335373036633764323461333131343464363832653464393562656665366665623030 +30623738333637643038373233643135336538653133613736383437626563326238383534636533 +61383936373363336261663034663861363033303136666238393837333935646132313334356437 +39356333646566386362653832353364633536646338626135353331386435663666656666353661 +66316339376665373162326465653463333138353031316434656266653164373561373135306539 +39633831313036356536643463346363663733336265383639666164383765623233323633646636 +34613235363138363935636432313230656263356432656364653266623635346165303831356435 +33386561636433363331373938383763386530663236333634653965323332626261306262376364 +32623764643363633964396235663866613364336163353632643866363039363537623233353563 +38663730666237353434646239636138313761666363613337663131613164636634313531363464 +36653566326533376339633138303033326662623265356134393062383964346136333034646565 +61626133346235643030653830343430633864376137616363333762376366316364303634343464 +38373639393734666339343464333537336431303261393765333034366532373637656135373766 
+62363238666438613733633637663232336662306331636561653435626237323939316162396462 +32393433396130653062383533323164646462393436663636383062353038616335393462383862 +61326564343061366265383663616163353563646665643364643061336630333835613635626239 +36346561313431383736666136363432386264323236643537636365336532383737343862353366 +33323865333834393062336633353836666565373136386639393534646536646230306264646366 +31656333393266613831616139363761316131626463316537663037303031393535336466633932 +64373537373737666463653038613361353164633130316336373830343031376334333036356137 +64643061353039666138663761633734316130616565353263396431343337643865646130336665 +33366365643464626235393133326133643162663431343962373164653963333362326339663434 +61373831306537306335633462663364353932323766626131626561643636326534393933383666 +66303464303039393736363434383064326562313138653337386339366532313366653433323863 +34356261303430383030653931356637656665643865623433326563656265316165383332366563 +32373535656464616264363738353831616536656236653463333830376462366664666162623933 +39326663303836383039653864343533613838653764616563643563306366383936303233633738 +34373030643832383136313634303037613930383433653065373932313131373564623662303464 +36616538333061653131396237633233323734636637336165653639363033326637383564623939 +35376439306130626366613536333165336466663164623766353866323530653935633439663266 +61386534656431393334623761353530326138393163356532393536303561613062626337623937 +33376134393061613933343766306632303262363232323136383137386539336334353630633664 +61393963386139626361313239356663343532636537313331363461656631656133633866356138 +34346238313262633139393864336362653937376232636638303665363339353835653366656565 +37396361303535613133353862633433323835646264653838613830376633666362393566336332 +63373462653430656631356638633431646230623337663436646539353131313464393731393265 +62396363383034323539373537333634306136633166653937313966396265346536326665353130 
+63306234653965383939383032666539373561633561623666373538363634343838386264623139 +30663162396162393665306364613831373030653466646564613232643436633961393464336332 +35303238643034373461353265386162386338376336363836313733616337653463633638366538 +65343939643134656564343365373333616464663765666462343265336131666361393362613436 +61353135626266666335613964336430623230386164336366353331626664353238656439343064 +38633832313633626433643731333635316436356436663961353233656132353639313764643030 +30353635303931643239386261306661356337346661346131306636363935623138633834656230 +30383838633739363137633133666562366131616162333439353466333664333934313765303238 +66633638373736373835666635376139306561306439393864653364653934333263613863396532 +37326631643065373334383564613136353738353935306161656439386330363130396333303062 +38396364633033343565383033373031623063643433323166356366373333303461353738313039 +66373530376636616330396131653265333939343736326130363734336566613239353630343438 +61316465316364656233376432393066353430323164333738326231373530623034376531633861 +38636462666638353237346535653863386533633630323432316534666366363333343166376364 +30363338613238343737363732663737626465306430313831343933613363663563316138623432 +32616661333830396133626364613136386537326665613761363538363539326538623964313838 +64313465306139326436313261396266626231353463626434383963323531383339326434646134 +32353735326132326132376266376233366264353233303531333232626262343665623934363133 +36636135336264373332303332383339396130666135663238663062366333323963336632663333 +34346631613464383733633234643634616330343664643038326438306265373966623830633064 +34343362643935393338363463623138393030363632623462313539353839663162636238633263 +63626165633233336262636663366530373763333961666137646165656338303165343265343963 +61303035373163633661313064613565623765303935356333623161636361393930343634653064 +64383364326434656432383534393430356136663031363531323866303231636133633066636439 
+36646265396336366566346365623531633631383838353439393461663435636262346135313031 +39316165336435356264633065336265336164346261626161613230613764303263613534313661 +61646233666635626539393935333831613732656564383637353966323630303036353064306664 +30333362353666336638343866663237393564613032366431306332383238633035396535386462 +63633165623066643039656237343830376463373031656162663466633064376537383864316331 +36613866616139653361303034643736653865623730353039623036353566613635306665643939 +31363536656336323163303136343862636466333064623931393837333132323536666335646535 +34373835346461343565303032343764373536633162393030663262313738316166373761663634 +30313135366464343964326334363233386538346334343031396664303237653332383239623465 +32383536613538333733313237396561663938613337666262393738333161303661313839373233 +61356434333834633263373763653536326238383837613438373733306630303933353433383534 +36613733313865306664386563656337623033366336313661633637653664353865333938636366 +61346363373438353939373439323366323737613561336364643561653438303834616538326533 +61653865663366653462623432386537643131616264653231303438326361626331623033343933 +61393037653031646431323262366166653365383065633132366366303236323535386532646665 +38653765303765306631366564613463386631356466333562333039366632366530373664326434 +34663832373065613330643239383561323862396266613837323939626330366362333261356332 +33666462363764643430663430396463666337323166353332353263393735356266646535353439 +34356130313464656536376337383039636632636664653463656636616265313931353466373164 +38323263323863303333366331616565353539303961353439323435636463333035393930306234 +63343765636265646666333835396331333261383535623537373564323138633737636431643936 +36366331616436393630353831646536383162636665333439316136336266643462653664313063 +63393963313138366639323261366466653262616634323863323137666163613632386434626538 +62386665646234316261653335353763303038386264376339656431323665356564343139656332 
+33383263393462373532366339333563643938626139616631633162333838303764303565663730 +35376261326664646436383263366161316564376337653334396430653735633566333938373462 +61313462613766313030613663336265326161316362353331653130653766613532313932643231 +66393530646465396332323232663763363134356334613230376566383633636564343031313036 +30363037323535613737636563323864303838613465613862613334636238363366333463306134 +61333362316461356235333736623230373565373234326262393563333538643533663039653663 +37616138343939393463346464356330356162636136663739316431316530333635643337633964 +36663337333563613562373935343039653035393464383433623331333937636131353435636237 +38646230346334363536336464633164343239303461636662343563666238646263366230366561 +66646463313034353436363964373431623730646538363166363939373465366431323634626564 +63303132303964613437376333393061316366633864363334646430333266306333613232646665 +39336134653131336138613463636331643963346533313132313530376434386561326434306132 +31333239663837383730336638633331306135313663346166633465353535666631396337643262 +36616532376330363638366333396664643436386537643666653933626161633663326364626434 +66626139356338623664666238636438323261356566633937306661653038386464383330336539 +32653739376335303763376536666635633030336130383635333434616661336533386162353738 +33316465346232646433633733613230663839623362663235633830303732383339366161623538 +61313565316534343037386664396631336634663638396266313934303839663262623461313639 +61663136663730336263373036383533333763643831316632663330313762323362626661613833 +63656135346230613437643965376237366565633862386437343536333731623734373839396139 +35316133323636666235376630343463633037623761336232336161353666363365393365333130 +61303037353162626237343536326339623863346432653464613636373163383333653431386562 +38343462363866353435303965326161646135623335653430386433316465376638633234333635 +61386463313733303166653265616237333931633665636636613430383265373461346435373036 
+64343361343634613232376163383964336165353534343435613132326237363735663830366234
+33393861326533643632336632663565623566336234373365626330376133386561646664343637
+35633162323733656339656161393339316235623862353734346265643336356533633736333663
+353137323865363061333561393164373239
diff --git a/hosts/all b/hosts/all
new file mode 100644
index 0000000000000000000000000000000000000000..6629779cb53384bec9b924f490168d794ed2ff53
--- /dev/null
+++ b/hosts/all
@@ -0,0 +1,22 @@
+[nameservers]
+ns[1:3].shore.co.il
+
+[lxc]
+web1.trusted
+
+[cgit]
+cgit.trusted
+
+[dovecot]
+imap.trusted
+
+[exim]
+smtp.trusted
+
+[ldap]
+ldap.trusted
+
+[desktops]
+nimrod.trusted
+ronit.trusted
+shoshana.trusted
diff --git a/hosts/kodi b/hosts/kodi
new file mode 100644
index 0000000000000000000000000000000000000000..3855e1dfc1360ee90b01df888570a60d3a41da0e
--- /dev/null
+++ b/hosts/kodi
@@ -0,0 +1,2 @@
+[kodi]
+xbmc.trusted
diff --git a/ns1.yml b/ns1.yml
new file mode 100644
index 0000000000000000000000000000000000000000..49848acd8c85ca8966afd09fc01de16fdefb724d
--- /dev/null
+++ b/ns1.yml
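Review bot: `ns[1:3].shore.co.il` expands to ns1, ns2 and ns3, but nothing else in the commit mentions ns2 or ns3 — no play and no entry in the `hosts` dict of group_vars/all/vars — so the `hosts: all` play in common.yml will try to reach two names that may not exist and report them unreachable; if they are planned rather than real, list only `ns1.shore.co.il` until they exist. With `inventory = hosts/` in ansible.cfg, hosts/kodi is loaded alongside this file, so `all` also covers xbmc.trusted, which is easy to miss when reading this file alone. There is also no group for the OpenBSD hosts, which is why common.yml has to name ns1 explicitly; an `[openbsd]` group here would let that play target a group instead.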
@@ -0,0 +1,214 @@ +--- +- hosts: + - ns1.shore.co.il + pre_tasks: + - name: pkg add + openbsd_pkg: + name: rsync + state: present + + - name: Enable IP forwarding + sysctl: + name: net.inet.ip.forwarding + value: 1 + reload: yes + + - name: Create intefaces configuration + with_dict: + pppoe0: | + inet 62.219.131.121 255.255.255.255 NONE \ + pppoedev em5 authproto pap \ + authname 'ns_nimadar@014' authkey '12345678' up + dest 0.0.0.1 + description "The connection to the internet." + !/sbin/route add default -ifp pppoe0 62.219.131.121 + bridge0: | + add em0 + blocknonip em0 + add em1 + blocknonip em1 + group internal + group trusted + up + em2: | + inet 192.168.3.1 255.255.255.0 + description "Connected to internal LAN." + group internal + group trusted + up + em4: | + inet 192.168.4.1 255.255.255.0 + description "Connected to DMZ." + group internal + group dmz + up + em5: | + description "Connected to DSL modem for PPPoE connection to the ISP." + up + template: + src: hostname.j2 + dest: '/etc/hostname.{{ item.key }}' + owner: root + group: 0 + mode: 0o0640 + notify: + - Run netstart + + - name: Add hosts entries + with_dict: '{{ hosts }}' + lineinfile: + dest: /etc/hosts + line: '{{ item.value }} {{ item.key }}' + regexp: '{{ item.value }} ' + state: present + + - name: Touch /etc/pf.conf.bgp-spamd + file: + path: /etc/pf.conf.bgp-spamd + owner: root + group: 0 + mode: 0o0600 + state: touch + + - name: Configure PF + template: + src: ns1.pf.conf + dest: /etc/pf.conf + owner: root + group: 0 + mode: 0o0600 + notify: + - Reload PF + + - name: Daily PF brute table purge + cron: + name: PF brute table purge + user: root + job: /sbin/pfctl -t brute -T expire 86400 + state: present + special_time: daily + + - name: Copy SSL cert, key + with_items: + - dest: /usr/local/share/ca-certificates/shore.co.il.crt + owner: root + group: 0 + mode: 0o0644 + content: '{{ www_shore_co_il_crt }}' + - dest: /etc/ssl/private/shore.co.il.key + owner: root + group: ssl-cert + mode: 
0o0640 + content: '{{ www_shore_co_il_key }}' + template: + src: ssl.j2 + dest: '{{ item.dest }}' + owner: '{{ item.owner }}' + group: '{{ item.group }}' + mode: '{{ item.mode }}' + + - name: Update CA store + command: update-ca-certificates + roles: + - role: unbound + tags: [unbound, dns] + - role: nginx + tags: [nginx] + - role: nsd + tags: [nsd, dns] + - role: bgp-spamd + tags: [spamd] + spamd_hostname: smtp.shore.co.il + post_tasks: + - name: Configure resolving + template: + src: ns1.resolv.conf + dest: /etc/resolv.conf + owner: root + group: 0 + mode: 0o0644 + + - name: Create web server directories + with_items: + - path: /var/www/htdocs/www.shore.co.il + - path: /var/www/htdocs/www.shore.co.il/uploads + mode: 0o0777 + - path: /var/www/htdocs/www.shore.co.il/blog + owner: nimrod + - path: /var/www/htdocs/www.shore.co.il/resume + owner: nimrod + - path: /var/www/htdocs/www.shore.co.il/ronit + owner: ronit + - path: /var/www/htdocs/www.shore.co.il/repo + owner: nimrod + file: + path: '{{ item.path }}' + state: directory + owner: '{{ item.owner|default("root") }}' + group: '{{ item.group|default(0) }}' + mode: '{{ item.mode|default("0o0755") }}' + + - name: Copy shore.co.il assets + with_fileglob: + - files/shore.co.il/* + copy: + src: '{{ item }}' + dest: /var/www/htdocs/www.shore.co.il + owner: root + group: 0 + mode: 0o0644 + + - name: Copy OpenBSD update scripts + with_items: + - compilekernel + - updatesrc + copy: + src: '{{ item }}' + dest: /usr/local/sbin + owner: root + group: 0 + mode: 0o0755 + + - name: Configure DHCPd + copy: + src: dhcpd.conf + dest: /etc/dhcpd.conf + owner: root + group: 0 + mode: 0o0644 + notify: + - Restart DHCPd + + - name: Disable some services + with_items: + - sndiod + service: + name: '{{ item }}' + state: stopped + enabled: no + + - name: Enable other services + with_items: + - apmd + - ftpproxy + - dhcpd + service: + name: '{{ item }}' + state: started + enabled: yes + handlers: + - name: Run netstart + command: 
/etc/netstart + + - name: Reload PF + command: /sbin/pfctl -f /etc/pf.conf + + - name: Restart ftpproxy + service: + name: ftpproxy + state: restarted + + - name: Restart DHCPd + service: + name: dhcpd + state: restarted diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000000000000000000000000000000000000..fc331d87a85ff117b6c85edc65b7cae8fd008176 --- /dev/null +++ b/requirements.yml @@ -0,0 +1,31 @@ +--- +- src: https://www.shore.co.il/git/ansible-role-openbsd-bootstrap + scm: git + name: openbsd-bootstrap +- src: https://www.shore.co.il/git/ansible-role-unattended-upgrades + scm: git + name: unattended-upgrades +- src: https://www.shore.co.il/git/ansible-role-users + scm: git + name: users +- src: https://www.shore.co.il/git/ansible-role-nginx + scm: git + name: nginx +- src: https://www.shore.co.il/git/ansible-role-nsd + scm: git + name: nsd +- src: https://www.shore.co.il/git/ansible-role-unbound + scm: git + name: unbound +- src: https://www.shore.co.il/git/ansible-role-bgp-spamd + scm: git + name: bgp-spamd +- src: https://www.shore.co.il/git/ansible-role-ca-store + scm: git + name: ca-store +- src: https://www.shore.co.il/git/ansible-role-ntp-client + scm: git + name: ntp-client +- src: https://www.shore.co.il/git/ansible-role-ufw + scm: git + name: ufw diff --git a/site.yml b/site.yml new file mode 100644 index 0000000000000000000000000000000000000000..6734ec49beb6347244909d77ebe16acc7378c0e0 --- /dev/null +++ b/site.yml @@ -0,0 +1,4 @@ +--- +- include: common.yml + tags: [common] +- include: ns1.yml diff --git a/templates/dhcpd.conf b/templates/dhcpd.conf new file mode 100644 index 0000000000000000000000000000000000000000..c783b14b5506ebbe7e58bdcbae4458727deb6727 --- /dev/null +++ b/templates/dhcpd.conf 
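Review bot: The pppoe0 entry of the "Create intefaces configuration" task commits the ISP PPPoE credentials in clear text (`authname 'ns_nimadar@014' authkey '12345678'`) into a playbook that otherwise keeps its secrets vaulted (the TLS key comes from the `www_shore_co_il_key` variable). Move both values into the vaulted group_vars and reference them from the template, e.g. `authname '{{ pppoe_username }}' authkey '{{ pppoe_password }}'` (variable names are a suggestion), and treat the committed password as disclosed since it now lives in git history. Separately, "Create web server directories" creates `/var/www/htdocs/www.shore.co.il/uploads` with `mode: 0o0777` inside the served web root; giving it the uploading user or the web server's group as owner with `0o0755`/`0o0775` achieves the same without a world-writable directory.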
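Review bot: None of the entries in requirements.yml carries a `version:` key, so `ansible-galaxy install -r requirements.yml` checks out whatever each repository's default branch points at on the day it runs, and the firewall, DNS and TLS configuration of ns1 is not reproducible from this commit. Pin each role to a tag or commit id with `version: <tag-or-commit>` under its `name:` line and bump the pins deliberately when a role is updated.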
@@ -0,0 +1,31 @@
+max-lease-time 86400;
+default-lease-time 3600;
+deny unknown-clients;
+authoritative;
+use-host-decl-names on;
+
+#DMZ, rl2 interface
+subnet 192.168.4.0 netmask 255.255.255.0
+{
+ option domain-name-servers 192.168.4.1;
+ option routers 192.168.4.1;
+ option domain-name "dmz";
+}
+
+#LAN, rl0, ral0 interfaces
+subnet 192.168.3.0 netmask 255.255.255.0
+{
+ allow unknown-clients;
+ option domain-name-servers 192.168.3.1;
+ option routers 192.168.3.1;
+ option domain-name "trusted";
+ range 192.168.3.100 192.168.3.199;
+ {% for host in hosts|selectattr('network', 'equalto', 'lan')
+ |selectattr('mac', 'defined') %}
+ host {{ host.split('.')[0] }}
+ {
+ hardware ethernet {{ hosts[host].mac }};
+ fixed-address {{ hosts[host].ip }};
+ }
+ {% endfor %}
+}
diff --git a/templates/hostname.j2 b/templates/hostname.j2
new file mode 100644
index 0000000000000000000000000000000000000000..6b1a02a2ba012ac73a1d9de56ff45636c4857ca1
--- /dev/null
+++ b/templates/hostname.j2
@@ -0,0 +1 @@
+{{ item.value }}
diff --git a/templates/nginx/sites-enabled/shore.co.il b/templates/nginx/sites-enabled/shore.co.il
new file mode 100644
index 0000000000000000000000000000000000000000..389959036bb5c7478db6bf1b64008f893da778a4
--- /dev/null
+++ b/templates/nginx/sites-enabled/shore.co.il
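Review bot: The `{% for host in hosts|selectattr('network', 'equalto', 'lan')|selectattr('mac', 'defined') %}` loop in the LAN subnet treats `hosts` as a list of objects with `network` and `mac` attributes, while the rest of the commit uses `hosts` as a dict of hostname to bare IP string (ns1.yml writes `{{ item.value }} {{ item.key }}` to /etc/hosts and the unbound template substitutes `hosts[host + '.trusted']` straight into an A record); with that shape the filter chain selects nothing, or fails under strict undefined handling, and `hosts[host].mac` / `hosts[host].ip` cannot resolve. As far as I can tell this template is not rendered by the commit at all: the "Configure DHCPd" task uses the `copy` module with `src: dhcpd.conf`, which resolves to the static file under files/, not to this template. Either switch that task to `template:` and give the `hosts` entries a `mac`/`ip`/`network` structure, or drop this file so the static one is the only source of truth.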
@@ -0,0 +1,71 @@
+{% set header %}
+ gzip on;
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+ server_tokens off;
+ location = / { return 301 https://www.shore.co.il/blog/; }
+{% endset %}
+
+{% set ssl_header %}
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/shore.co.il/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/shore.co.il/privkey.pem;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers !kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 5m;
+ resolver 127.0.0.1;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+{% endset %}
+
+{% set shore_co_il %}
+ server_name www.shore.co.il;
+ root /var/www/htdocs/www.shore.co.il/;
+ error_page 404 /blog/;
+ location = /resume/ { index resume.html; }
+ location /repo/ { autoindex on; }
+ location /about { return 301 https://www.shore.co.il/blog/pages/about-me.html; }
+{% endset %}
+
+{% macro proxy(location, destination) %}
+ location {{ location }} {
+ proxy_pass {{ destination }};
+ proxy_http_version 1.1;
+ }
+{% endmacro %}
+
+server {
+ {{ header }}
+ listen 80;
+ listen [::]:80;
+ return 301 https://www.shore.co.il$request_uri;
+}
+
+server {
+ {{ header }}
+ {{ ssl_header }}
+ listen 443;
+ listen [::]:443;
+ server_name shore.co.il;
+ return 301 https://www.shore.co.il$request_uri;
+}
+
+server {
+ {{ header }}
+ listen 80;
+ listen [::]:80;
+ {{ shore_co_il }}
+}
+
+server {
+ {{ header }}
+ {{ ssl_header }}
+ listen 443;
+ listen [::]:443;
+ {{ shore_co_il }}
+ {{ proxy('/cgit/', 'http://cgit.shore.co.il/cgit/') }}
+ {{ proxy('/git/', 'http://cgit.shore.co.il/cgit/') }}
+ {{ proxy('/d16ebf5287f85724083b0e20a9c300f3/', 'http://xbmc.shore.co.il:9091/') }}
+}
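Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the `ssl_header` block still offers TLS 1.0 and 1.1 on every HTTPS listener; `ssl_protocols TLSv1.2;` is the line to change, and `ssl on;` can go in favour of `listen 443 ssl;` at the same time. The third `server` block serves the complete `shore_co_il` content (including the `/repo/` autoindex) on plain port 80 for www.shore.co.il while the HTTPS blocks send HSTS, so a first visit over HTTP is answered in clear rather than redirected; replacing that block's `{{ shore_co_il }}` line with `return 301 https://www.shore.co.il$request_uri;` as the first block does removes the plaintext path. The `/d16ebf5287f85724083b0e20a9c300f3/` location relies on the path being unguessable and adds no access control at the proxy; unless the backend on xbmc.shore.co.il:9091 authenticates on its own, an `auth_basic` or `allow`/`deny` block on that location is worth adding.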
diff --git a/templates/ns1.pf.conf b/templates/ns1.pf.conf
new file mode 100644
index 0000000000000000000000000000000000000000..097d56e798fd0ab02bc570113cc6077a88984b81
--- /dev/null
+++ b/templates/ns1.pf.conf
@@ -0,0 +1,66 @@
+# Policy
+{% set bandwidth = 10 %}
+set skip on lo
+set block-policy return
+set limit table-entries 400000 #bgp-spamd-bypass full list is 200k entries as of March 1, 2014
+anchor "ftp-proxy/*"
+block quick inet6 all
+block in quick from <brute>
+block out quick to <brute>
+block drop in quick on egress from <martians>
+block drop out quick on egress to <martians>
+antispoof quick for internal
+
+# Macros and tables
+#smtp_trusted = "192.168.3.4"
+#imap_trusted = "192.168.3.5"
+#xbmc_trusted = "192.168.3.12"
+wwwproxy = "3129" #port for Squid proxy
+ftpproxy = "8021" #port for ftp proxy
+bittorrent = "51413" #port number for bittorrent
+table <martians> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
+10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
+0.0.0.0/8, 240.0.0.0/4 } #non routable address blocks
+table <brute> persist #table for brute force attempts, etc.
+#table <spamd-white> persist #spamd white list
+#table <bgp-spamd-bypass> persist #spamd whilte list distributed via BGP
+include "/etc/pf.conf.bgp-spamd"
+
+# Queues, priorities
+queue egress on pppoe0 bandwidth {{ bandwidth }}M qlimit 10000
+queue critical parent egress bandwidth {{ (bandwidth/3)|int }}M max {{ (bandwidth*0.7)|int }}M min 1M qlimit 2000
+queue services parent egress bandwidth {{ (bandwidth/2)|int }}M max {{ (bandwidth*0.7)|int }}M qlimit 2000
+queue other parent egress bandwidth {{ (bandwidth/3)|int }}M max {{ (bandwidth*0.6)|int }}M default qlimit 1000
+queue bulk parent egress bandwidth {{ (bandwidth*0.6)|int }}M qlimit 200
+match on egress proto { tcp, udp } to port { ssh, isakmp, l2tp, ipsec-nat-t, domain } set queue critical set prio 6
+match on egress proto { ah, esp, gre, icmp } set queue critical set prio 6
+match on egress proto tcp to port { smtp, www, https, submission, imaps } set queue services set prio 4
+match on egress proto { tcp, udp } from xbmc.trusted port $bittorrent set queue bulk set prio 1
+match on egress proto { tcp, udp } to xbmc.trusted port $bittorrent set queue bulk set prio 1
+
+# Defaults
+pass in quick proto tcp to (all:0) port ssh keep state (source-track rule, max 100, max-src-nodes 10, max-src-conn-rate 15/60, overload <brute> flush global)
+match out on egress inet from (internal:network) nat-to (egress)
+block in all
+pass out all
+pass quick inet proto icmp icmp-type { echoreq, unreach }
+
+# Allowed local services
+pass in quick on internal proto { tcp, udp } to (internal:0) port { bootps, bootpc } set prio ( 4, 6 )
+pass in quick proto { tcp, udp } to port domain set queue services set prio ( 4, 6 )
+pass in quick proto tcp to (egress:0) port { www, https } set prio ( 4, 6 )
+
+# Port redirection
+pass in quick proto tcp to (egress:0) port imaps rdr-to imap.trusted set queue critical set prio ( 4, 6 )
+pass out quick proto tcp to imap.trusted port imaps received-on trusted nat-to trusted set prio ( 4, 6 )
+pass in quick proto tcp from { <bgp-spamd-bypass>, <spamd-white> } to (egress:0) port smtp rdr-to smtp.trusted set queue critical set prio ( 4, 6 )
+pass in quick proto tcp to (egress:0) port smtp divert-to localhost port spamd
+pass in quick proto tcp to (egress:0) port submission rdr-to smtp.trusted set queue critical set prio ( 4, 6 )
+pass out quick proto tcp to smtp.trusted port { submission, smtp } received-on trusted nat-to trusted set prio ( 4, 6 )
+pass in quick proto { tcp, udp } to (egress:0) port $bittorrent rdr-to xbmc.trusted set queue bulk set prio 1
+
+# Allowd NAT and proxying
+#pass in quick on internal inet proto tcp to egress:network port www divert-to localhost port $wwwproxy
+pass in quick on internal inet proto tcp to port ftp divert-to localhost port $ftpproxy
+pass in quick on trusted inet to !(internal:0)
+pass in quick on dmz inet proto tcp to !(internal:network) port { www, https, smtp }
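Review bot: `pass in quick proto { tcp, udp } to port domain set queue services set prio ( 4, 6 )` under "Allowed local services" carries no destination or interface qualifier, so with `net.inet.ip.forwarding` enabled in ns1.yml it also forwards DNS from the trusted and dmz segments to any external resolver, and the later dmz rule that limits outbound traffic to `{ www, https, smtp }` is bypassed for port 53. Restricting it to the addresses nsd and unbound actually serve on — `pass in quick proto { tcp, udp } to { (egress:0), (internal:0) } port domain set queue services set prio ( 4, 6 )` — keeps the authoritative server reachable from outside and forces internal clients through the local resolver. The SSH rule `pass in quick proto tcp to (all:0) port ssh ...` also accepts SSH on the PPPoE interface from any source with only the 15/60 rate limit and the `<brute>` overload as protection, and ns1.yml's daily `pfctl -t brute -T expire 86400` lifts that block after at most a day; if remote administration from the Internet is intended, a table of permitted source addresses on that rule (or limiting it to `on internal`) would narrow the exposure considerably.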
diff --git a/templates/ns1.resolv.conf b/templates/ns1.resolv.conf
new file mode 100644
index 0000000000000000000000000000000000000000..c99076a58f351e25ecb7e3b555616db44a5dc593
--- /dev/null
+++ b/templates/ns1.resolv.conf
@@ -0,0 +1,3 @@
+search shore.co.il
+nameserver 127.0.0.1
+lookup file bind
diff --git a/templates/nsd/conf.d/shore_co_il.conf b/templates/nsd/conf.d/shore_co_il.conf
new file mode 100644
index 0000000000000000000000000000000000000000..39db5a06ef61f19d74b5a8d8c584469c10cb477c
--- /dev/null
+++ b/templates/nsd/conf.d/shore_co_il.conf
@@ -0,0 +1,5 @@
+zone:
+ name: "shore.co.il"
+ zonefile: "shore.co.il"
+ notify: 54.247.117.88 NOKEY #ns2.shore.co.il
+ provide-xfr: 0.0.0.0/0 NOKEY
diff --git a/templates/nsd/zones/shore.co.il b/templates/nsd/zones/shore.co.il
new file mode 100644
index 0000000000000000000000000000000000000000..5ef4575b290431a3681a5131c66cc3f9b42e13df
--- /dev/null
+++ b/templates/nsd/zones/shore.co.il
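Review bot: `provide-xfr: 0.0.0.0/0 NOKEY` lets any host on the Internet pull the entire shore.co.il zone by AXFR without a key, exposing the full record set (service names, the DKIM selector, the nameserver layout) in one query instead of record by record. Only the secondaries need transfers: `provide-xfr: 54.247.117.88 NOKEY` matches the single `notify` target, plus a second line for ns3 (212.47.245.209 in the zone file) if it is meant to be a secondary — as written ns3 is neither notified nor allowed to transfer. A TSIG key in place of `NOKEY` on both `notify` and `provide-xfr` would authenticate the transfer rather than merely scoping it by source address.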
@@ -0,0 +1,39 @@
+$TTL 1h
+$ORIGIN shore.co.il.
+@ IN SOA ns1 hostmaster (
+ 2017051701
+ 1h
+ 5m
+ 4w
+ 3h )
+
+ IN NS ns1
+ IN NS ns2
+ IN MX 10 smtp
+ns1 IN A 62.219.131.121
+ns2 IN A 54.247.117.88
+ns3 IN A 212.47.245.209
+www IN CNAME ns1
+smtp IN A 62.219.131.121
+ldap IN CNAME ns1
+imap IN CNAME smtp
+@ IN A 62.219.131.121
+;_imaps._tcp IN SRV 0 1 993 imap
+;_smtp._tcp IN SRV 0 1 587 smtp
+@ IN TXT "v=spf1 +mx -all"
+ns1 IN TXT "v=spf1 -all"
+ns2 IN TXT "v=spf1 -all"
+ns3 IN TXT "v=spf1 -all"
+smtp IN TXT "v=spf1 -all"
+@ IN SPF "v=spf1 +mx -all"
+ns1 IN SPF "v=spf1 -all"
+ns2 IN SPF "v=spf1 -all"
+ns3 IN SPF "v=spf1 -all"
+smtp IN SPF "v=spf1 -all"
+web1._domainkey IN TXT ("v=DKIM1\; k=rsa\;" "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqjDIbjejGNlpH1HAw8TFKoP"
+"9bZJwHy7QZb8/qJNWTl6hKN95gAHuepGjEdF1z/ss1mltFjvV7veWg7zmOp2XTCSWM7hmtWRmybVzFCxfM5XWvlHL"
+"SkKenQp9i8t+d4tNbWfqcD0Qki4XzakLg3uT125+BoqyM55s88+8DWI3vg43fjdg3eXbL/8xvDUE6GPlS4CpByTbU"
+"iBn7a2I0nogM47QJXBiJ/3cFcajC+Ikr0iYq/SNwJO/znLLIP4CPcVrgF7XK3/2wNCcgGvygZTh0+0xDD/qHjIDt0"
+"PekkyJfioDn4+s34uxo2y2oGZQgG+juWO96tbYX/6Hrlt8YQKEhwIDAQAB\;")
+_adsp._domainkey IN TXT "dkim=all;"
+_dmarc IN TXT "v=DMARC1;fo=1;pct=100;rua=mailto:postmaster@shore.co.il;ruf=mailto:postmaster@shore.co.il;p=quarantine;sp=reject;adkim=s;aspf=s"
diff --git a/templates/ssl.j2 b/templates/ssl.j2
new file mode 100644
index 0000000000000000000000000000000000000000..37774b9c4116b254809db740570198c46bc055c3
--- /dev/null
+++ b/templates/ssl.j2
@@ -0,0 +1 @@
+{{ item.content }}
diff --git a/templates/unbound/conf.d/dmz.conf b/templates/unbound/conf.d/dmz.conf
new file mode 100644
index 0000000000000000000000000000000000000000..baeb6c48e1348f5941cb3c3c55076a9c61c93591
--- /dev/null
+++ b/templates/unbound/conf.d/dmz.conf
@@ -0,0 +1,5 @@
+server:
+ interface: 192.168.4.1 #dmz
+ access-control: 192.168.4.0/8 allow
+ local-zone: "dmz." transparent
+ local-data: "ns1.dmz. A 192.168.4.1"
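Review bot: The zone carries an `ns3 IN A 212.47.245.209` record and SPF data for ns3 but delegates only with `IN NS ns1` and `IN NS ns2`, so either the ns3 records are stale or the delegation is incomplete; whichever is intended, the NS set, the nsd `notify`/`provide-xfr` lines and these records should agree. The five `IN SPF` records duplicate the TXT records in an RR type that RFC 7208 retired, and the `_adsp._domainkey` record is a historic mechanism that receivers no longer evaluate; both can be dropped at the next serial bump to keep the zone to what is actually consulted.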
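Review bot: `access-control: 192.168.4.0/8 allow` uses a /8 prefix, which is all of 192.0.0.0/8 rather than the DMZ's 192.168.4.0/24; the same slip is `192.168.3.0/8` in unbound/conf.d/shore.co.il.conf and unbound/conf.d/trusted.conf. Since access-control in unbound is evaluated globally rather than per listener, and the daemon is only bound to the two internal addresses here, the over-wide prefixes are harmless today but become an open-resolver exposure the moment an egress-facing `interface:` is added; `192.168.4.0/24` and `192.168.3.0/24` state the intent and cost nothing.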
diff --git a/templates/unbound/conf.d/shore.co.il.conf b/templates/unbound/conf.d/shore.co.il.conf
new file mode 100644
index 0000000000000000000000000000000000000000..19666dca8d3e0087f68fea63c24d05a2a2a7b24a
--- /dev/null
+++ b/templates/unbound/conf.d/shore.co.il.conf
@@ -0,0 +1,6 @@
+server:
+ access-control: 192.168.3.0/8 allow
+ access-control: 127.0.0.0/8 allow
+ {% for host in ['cgit', 'xbmc', 'host01', 'wdr4300'] %}
+ local-data: "{{ host }}.shore.co.il. A {{ hosts[host + '.trusted'] }}"
+ {% endfor %}
diff --git a/templates/unbound/conf.d/trusted.conf b/templates/unbound/conf.d/trusted.conf
new file mode 100644
index 0000000000000000000000000000000000000000..388e4d954bb294687d8a053ab4006d39d65c78f6
--- /dev/null
+++ b/templates/unbound/conf.d/trusted.conf
@@ -0,0 +1,19 @@
+server:
+ interface: 192.168.3.1 #trusted
+ local-zone: "trusted." static
+ access-control: 192.168.3.0/8 allow
+ local-data: "ns1.trusted. A 192.168.3.1"
+ local-data: "web1.trusted. A 192.168.3.2"
+ local-data: "ronit.trusted. A 192.168.3.3"
+ local-data: "smtp.trusted. A 192.168.3.4"
+ local-data: "imap.trusted. A 192.168.3.5"
+ local-data: "ldap.trusted. A 192.168.3.6"
+ local-data: "gitweb.trusted. A 192.168.3.7"
+ local-data: "shoshana.trusted. A 192.168.3.8"
+ local-data: "wrt54gl.trusted. A 192.168.3.9"
+ local-data: "nimrod.trusted. A 192.168.3.10"
+ local-data: "realestate.trusted. A 192.168.3.11"
+ local-data: "xbmc.trusted. A 192.168.3.12"
+ local-data: "rtorrent.trusted. A 192.168.3.13"
+ local-data: "wdr4300.trusted. A 192.168.3.14"
+ local-data: "cgit.trusted. A 192.168.3.15"