From: Bernhard Tittelbach Date: Tue, 12 May 2026 17:23:20 +0000 (+0200) Subject: role to deploy iot-stuff to iotscripts.mqtt.realraum.at, pretty similar to how it... X-Git-Url: https://git.realraum.at/?a=commitdiff_plain;h=b96cd4bc9a3daf082c6245822d267a4263b1188e;p=noc.git role to deploy iot-stuff to iotscripts.mqtt.realraum.at, pretty similar to how it was on smsgw. (wip) --- diff --git a/ansible/host_playbooks/iotscripts.yml b/ansible/host_playbooks/iotscripts.yml new file mode 100644 index 0000000..5a80628 --- /dev/null +++ b/ansible/host_playbooks/iotscripts.yml @@ -0,0 +1,8 @@ +--- +- name: Deploy stuff to iotscripts.mqmt.realraum.at + hosts: iotscripts + become: true + roles: + - base + - iotscripts + diff --git a/ansible/host_vars/iotscripts/main.yml b/ansible/host_vars/iotscripts/main.yml new file mode 100644 index 0000000..46804bf --- /dev/null +++ b/ansible/host_vars/iotscripts/main.yml @@ -0,0 +1,3 @@ +--- + +realraum_member_count: 82 \ No newline at end of file diff --git a/ansible/host_vars/iotscripts/vault.yaml b/ansible/host_vars/iotscripts/vault.yaml new file mode 100644 index 0000000..7afa9d4 --- /dev/null +++ b/ansible/host_vars/iotscripts/vault.yaml @@ -0,0 +1,33 @@ +$ANSIBLE_VAULT;1.1;AES256 +34633133633836363765333563633034323131306134356236633764386230613261326465363864 +3438356633313232656338376538656336313838393130620a313232336633343439353438646532 +30333330643266313036376565346539316633646135343135363865643138656532653364343666 +3338363831303639620a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diff --git a/ansible/host_vars/vex2/main.yml b/ansible/host_vars/vex2/main.yml index 227d26e..cab1259 100644 --- a/ansible/host_vars/vex2/main.yml +++ b/ansible/host_vars/vex2/main.yml 
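Review bot: The play name `Deploy stuff to iotscripts.mqmt.realraum.at` matches neither the `iotscripts.mqtt.realraum.at` in the commit subject nor the `iotscripts.mgmt.realraum.at` used in the new vex2 key comment, and the play name is what every run log shows. Pick the real hostname, e.g. `- name: Deploy stuff to iotscripts.mgmt.realraum.at` — which of the two is right cannot be told from this diff. The `hosts: iotscripts` target and the `base` before `iotscripts` role order look fine.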
@@ -4,7 +4,7 @@ sshd_allowusers_host: r3status_spaceapi_path: /dev/shm/spaceapi r3status_ics_path: /dev/shm/ics -r3status_spaceapi_update_user_ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcwqg/oohCV3sTFHODBPUViOaGsoKL2Vp5suNAdLFJz4pdhfH7n4eXzI/3Ork6mDrDZ8XNmDq9g6jERweWQmS37THL33N2RmyDFfpwyQog/pzvEB6U0BGE6VN2zmgmrmvVZNdhKh/E74dM/22abAt32I6xSJi8C2CfVshHaFzNAV8N4lmGMGi0QXNMkAZDaYG0iptRuZOoZarCkfRybyh8pFkHt4Hl/tWocMOihI1KsWtbIgRUdTTpGMXmxMd0k2t9am+NxiUlBIRE8aEc4nTqcZTqullddEAGoksuUCLc0yYbFCzpTkZ1lrU5+oQhZyPWgnJ7s2yK7M2luBSAle8T realraum@smsgw.realraum.at +r3status_spaceapi_update_user_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJG4w4B95bogd2HOCZNY+OMx+fdo6iPI2tLUPu3RJOUp realraum@iotscripts.mgmt.realraum.at r3status_www_content: url: 'https://github.com/realraum/infokiosk/archive/c2571da52f5c68d11d8d2e2d00a4580aea7b83e7.tar.gz' diff --git a/ansible/hosts.ini b/ansible/hosts.ini index e15441e..425c0fb 100644 --- a/ansible/hosts.ini +++ b/ansible/hosts.ini @@ -13,6 +13,7 @@ hacksch r3home mqtt ansible_port=22 gnocchi[0:1] +iotscripts ansible_port=22 ## TODO: remove the variable once https://github.com/ansible/ansible/issues/39119 is fixed metrics localconfig_ssh_config_user=root diff --git a/ansible/roles/iotscripts/defaults/main.yml b/ansible/roles/iotscripts/defaults/main.yml new file mode 100644 index 0000000..f96c23e --- /dev/null +++ b/ansible/roles/iotscripts/defaults/main.yml 
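Review bot: The replacement ed25519 value on the `r3status_spaceapi_update_user_ssh_key` line grants the `spaceapi` account on vex2 to a host that, per the new iotscripts role in this same commit, runs Python scripts fetched from a GitHub branch without any checksum, so the matching private key is the thing most worth containing. If the r3status role writes this value verbatim into authorized_keys, consider carrying a restricted entry, e.g. `restrict,command="..." ssh-ed25519 AAAAC3...` so the key can only do the status push on vex2 — whether the consuming template accepts options is not visible here. The old RSA key for smsgw is removed in the same hunk, so smsgw loses push access as soon as this is applied; that appears intended given the commit message, but note it as a cut-over.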
@@ -0,0 +1,45 @@ +--- +realraum_user: realraum +realraum_home: /home/realraum +realraum_bin: /home/realraum/bin +realraum_config_dir: /home/realraum/.config/realraum +realraum_systemd_user_dir: /home/realraum/.local/share/systemd/user + +door_and_sensors_repo: "https://github.com/realraum/door_and_sensors" +door_and_sensors_ref: "master" + +# Architecture of the target host +go_target_goarch: "amd64" +go_target_goos: "linux" + +# Local temporary build directory (on the Ansible controller) +local_build_dir: "/tmp/ansible_iotscripts_build" + +python_scripts: + - name: dostuff_switch_lights.py + url: "https://github.com/realraum/door_and_sensors/raw/refs/heads/master/scripts/dostuff_switch_lights.py" + - name: olga_freezer_sensordata_forwarder.py + url: "https://github.com/realraum/door_and_sensors/raw/refs/heads/master/scripts/olga_freezer_sensordata_forwarder.py" + +go_binaries: + - name: r3-metaevt-maker + subdir: r3-metaevt-maker + - name: r3-spaceapistatus + subdir: r3-spaceapistatus + +systemd_user_services: + - dostuff_switch_lights + - olga_freezer_sensordata_forwarder + - r3-metaevt-maker + - r3-spaceapistatus + - restart_ledpipe + +systemd_user_timers: + - restart_ledpipe + +mqtt_broker_uri: "tcp://mqtt.realraum.at:1883" + +spaceapi_publish_username: spaceapi +spaceapi_publish_host_port: "vex2.realraum.at:22000" + +realraum_member_count: 80 diff --git a/ansible/roles/iotscripts/files/ledpipe_restart.sh b/ansible/roles/iotscripts/files/ledpipe_restart.sh new file mode 100644 index 0000000..47f7a4b --- /dev/null +++ b/ansible/roles/iotscripts/files/ledpipe_restart.sh @@ -0,0 +1,2 @@ +#!/bin/zsh +nc r3lothrpipeleds.iot.realraum.at 23 <<< '_G.node.restart()' diff --git a/ansible/roles/iotscripts/handlers/main.yml b/ansible/roles/iotscripts/handlers/main.yml new file mode 100644 index 0000000..e9afc15 --- /dev/null +++ b/ansible/roles/iotscripts/handlers/main.yml 
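Review bot: `door_and_sensors_ref: "master"` together with the two `python_scripts` URLs under `raw/refs/heads/master/` means every play deploys whatever the branch holds at that moment, unpinned and unverified, onto a host that also stores the SSH key for vex2; an upstream repository or account compromise becomes code running as `realraum` on the next run. Pin the ref to a commit and derive the script URLs from it so both stay in lockstep, e.g. `door_and_sensors_ref: "<commit sha>"` and `url: "{{ door_and_sensors_repo }}/raw/{{ door_and_sensors_ref }}/scripts/dostuff_switch_lights.py"`. GitHub serves `raw/<sha>/path` and `raw/<branch>/path` the same way, so the current `master` default keeps working until a SHA is chosen. `mqtt_broker_uri` is plain `tcp://mqtt.realraum.at:1883`; if the broker offers TLS, an `ssl://...:8883` URI would keep door and sensor traffic off the wire in clear, but that depends on the broker setup not shown here.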
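Review bot: `nc r3lothrpipeleds.iot.realraum.at 23 <<< '_G.node.restart()'` has no timeout, so if the LED controller accepts the connection but never closes it — plausible right after it is told to reboot — `nc` blocks and the oneshot unit that runs this script stays active until something kills it. Add a bounded wait, e.g. `nc -w 5 r3lothrpipeleds.iot.realraum.at 23 <<< '_G.node.restart()'`; the exact flag (`-w` vs `-q`) depends on which netcat the target has installed, which the role does not ensure. The command is an unauthenticated console write to the device, which is acceptable only if that host is reachable solely from the IoT network; a comment such as `# unauthenticated NodeMCU telnet console; must only be reachable from the IoT VLAN` would record that assumption — confirm it holds. The `#!/bin/zsh` shebang also depends on zsh being present, which nothing in this role installs.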
@@ -0,0 +1,9 @@ +--- +- name: Reload systemd user daemon + ansible.builtin.systemd: + daemon_reload: true + scope: user + become: true + become_user: "{{ realraum_user }}" + environment: + XDG_RUNTIME_DIR: "/run/user/{{ ansible_facts['getent_passwd'][realraum_user][1] }}" diff --git a/ansible/roles/iotscripts/tasks/build_go_local.yml b/ansible/roles/iotscripts/tasks/build_go_local.yml new file mode 100644 index 0000000..e9b08ad --- /dev/null +++ b/ansible/roles/iotscripts/tasks/build_go_local.yml @@ -0,0 +1,42 @@ +--- +- name: "Ensure local build directory exists" + ansible.builtin.file: + path: "{{ local_build_dir }}" + state: directory + mode: "0755" + delegate_to: localhost + become: false + run_once: true # shared across all binaries; repo cloned once + +- name: "Clone door_and_sensors repo locally" + ansible.builtin.git: + repo: "{{ door_and_sensors_repo }}" + dest: "{{ local_build_dir }}/door_and_sensors" + version: "{{ door_and_sensors_ref }}" + force: false + delegate_to: localhost + become: false + run_once: true + +- name: "Build {{ go_binary.name }} locally (cross-compile)" + ansible.builtin.command: + cmd: > + go build + -o {{ local_build_dir }}/{{ go_binary.name }} + ./{{ go_binary.subdir }} + chdir: "{{ local_build_dir }}/door_and_sensors" + delegate_to: localhost + become: false + environment: + GOOS: "{{ go_target_goos }}" + GOARCH: "{{ go_target_goarch }}" + CGO_ENABLED: "0" + changed_when: true # always rebuild to pick up upstream changes + +- name: "Copy {{ go_binary.name }} to target host" + ansible.builtin.copy: + src: "{{ local_build_dir }}/{{ go_binary.name }}" + dest: "{{ realraum_bin }}/{{ go_binary.name }}" + owner: "{{ realraum_user }}" + group: "{{ realraum_user }}" + mode: "0755" diff --git a/ansible/roles/iotscripts/tasks/main.yml b/ansible/roles/iotscripts/tasks/main.yml new file mode 100644 index 0000000..4430e91 --- /dev/null +++ b/ansible/roles/iotscripts/tasks/main.yml 
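Review bot: `local_build_dir` resolves to the fixed path `/tmp/ansible_iotscripts_build`, created with `mode: "0755"` and never cleaned, so on a shared controller the clone and the cross-compiled binaries are written into a directory another local account could have prepared beforehand, and whatever ends up there is copied straight to `{{ realraum_bin }}` as `0755`. Prefer a per-user, non-shared location such as `local_build_dir: "{{ lookup('env', 'HOME') }}/.cache/ansible_iotscripts_build"` with `mode: "0700"`, or `ansible.builtin.tempfile` with `state: directory` plus a cleanup task. The `run_once: true  # shared across all binaries; repo cloned once` comment overstates things: this file is included once per `go_binary`, so the clone task still runs on every include — harmless with `force: false`, but the comment should say so. `changed_when: true` makes the play always report changed; adding `-trimpath` to the `go build` line would at least strip controller paths from the shipped binaries.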
@@ -0,0 +1,129 @@ +--- +- name: Ensure realraum group exists + ansible.builtin.group: + name: "{{ realraum_user }}" + state: present + +- name: Create realraum user + ansible.builtin.user: + name: "{{ realraum_user }}" + group: "{{ realraum_user }}" + home: "{{ realraum_home }}" + shell: /bin/zsh + create_home: true + state: present + +- name: Enable loginctl linger for realraum + ansible.builtin.command: + cmd: loginctl enable-linger {{ realraum_user }} + creates: /var/lib/systemd/linger/{{ realraum_user }} + +- name: Create required directories + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: "{{ realraum_user }}" + group: "{{ realraum_user }}" + mode: "0750" + loop: + - "{{ realraum_bin }}" + - "{{ realraum_config_dir }}" + - "{{ realraum_systemd_user_dir }}" + - "{{ realraum_home }}/.ssh" + - "{{ realraum_home }}/.config/systemd/user/default.target.wants" + +- name: Set strict permissions on .ssh + ansible.builtin.file: + path: "{{ realraum_home }}/.ssh" + state: directory + owner: "{{ realraum_user }}" + group: "{{ realraum_user }}" + mode: "0700" + +- name: Deploy smsgw.env + ansible.builtin.template: + src: "smsgw.env.j2" + dest: "{{ realraum_config_dir }}/smsgw.env" + owner: "{{ realraum_user }}" + group: "{{ realraum_user }}" + mode: "0600" + no_log: true + +- name: Deploy SSH private key + ansible.builtin.copy: + content: "{{ vault_iotscripts_realraum_spaceapi_ssh_key_content }}" + dest: "{{ realraum_home }}/.ssh/{{ vault_iotscripts_realraum_spaceapi_ssh_key_name }}" + owner: "{{ realraum_user }}" + group: "{{ realraum_user }}" + mode: "0600" + no_log: true + +- name: Download Python scripts + ansible.builtin.get_url: + url: "{{ item.url }}" + dest: "{{ realraum_bin }}/{{ item.name }}" + owner: "{{ realraum_user }}" + group: "{{ realraum_user }}" + mode: "0755" + loop: "{{ python_scripts }}" + +- name: Deploy ledpipe_restart.sh + ansible.builtin.copy: + src: ledpipe_restart.sh + dest: "{{ realraum_bin }}/ledpipe_restart.sh" + 
owner: "{{ realraum_user }}" + group: "{{ realraum_user }}" + mode: "0755" + +- name: Build Go binaries locally and copy to host + ansible.builtin.include_tasks: build_go_local.yml + loop: "{{ go_binaries }}" + loop_control: + loop_var: go_binary + +- name: Deploy systemd user service units + ansible.builtin.template: + src: "{{ item }}.service.j2" + dest: "{{ realraum_systemd_user_dir }}/{{ item }}.service" + owner: "{{ realraum_user }}" + group: "{{ realraum_user }}" + mode: "0644" + loop: "{{ systemd_user_services }}" + notify: Reload systemd user daemon + +- name: Deploy systemd user timer units + ansible.builtin.template: + src: "{{ item }}.timer.j2" + dest: "{{ realraum_systemd_user_dir }}/{{ item }}.timer" + owner: "{{ realraum_user }}" + group: "{{ realraum_user }}" + mode: "0644" + loop: "{{ systemd_user_timers }}" + notify: Reload systemd user daemon + +- name: Flush handlers before enabling units + ansible.builtin.meta: flush_handlers + +- name: Enable and start systemd user services + ansible.builtin.systemd: + name: "{{ item }}.service" + enabled: true + state: started + scope: user + become: true + become_user: "{{ realraum_user }}" + environment: + XDG_RUNTIME_DIR: "/run/user/{{ ansible_facts['getent_passwd'][realraum_user][1] }}" + loop: "{{ systemd_user_services }}" + +- name: Enable and start systemd user timers + ansible.builtin.systemd: + name: "{{ item }}.timer" + enabled: true + state: started + scope: user + become: true + become_user: "{{ realraum_user }}" + environment: + XDG_RUNTIME_DIR: "/run/user/{{ ansible_facts['getent_passwd'][realraum_user][1] }}" + loop: "{{ systemd_user_timers }}" diff --git a/ansible/roles/iotscripts/templates/dostuff_switch_lights.service.j2 b/ansible/roles/iotscripts/templates/dostuff_switch_lights.service.j2 new file mode 100644 index 0000000..a08a40c --- /dev/null +++ b/ansible/roles/iotscripts/templates/dostuff_switch_lights.service.j2 
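Review bot: The `Enable and start systemd user services` and `... timers` tasks read `ansible_facts['getent_passwd'][realraum_user][1]`, but nothing in this role runs `ansible.builtin.getent` to populate that fact, and the user is created only a few tasks earlier, so unless the `base` role gathers it after the fact the play fails with an undefined key the first time it reaches those tasks; add the task below right after `Create realraum user`. `Download Python scripts` installs two files from a GitHub branch as `0755` with no `checksum:`, and the same `realraum` user that runs them also owns the vex2 private key deployed in `Deploy SSH private key`, so add a `checksum:` field per entry in `python_scripts` and `checksum: "{{ item.checksum }}"` on the task. `Set strict permissions on .ssh` only re-applies `0700` to a directory the previous loop just created as `0750`; dropping `.ssh` from that loop makes the second task the only one that creates it.

```yaml
- name: Gather passwd entry for the realraum user
  ansible.builtin.getent:
    database: passwd
    key: "{{ realraum_user }}"
# … unchanged: Enable loginctl linger, Create required directories, … …
```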
@@ -0,0 +1,14 @@ +[Unit] +Description=Switch Lights depending on members present or not +Wants=network.target + +[Service] +Nice=2 +Type=simple +Restart=always +WorkingDirectory={{ realraum_home }} +ExecStart={{ realraum_bin }}/dostuff_switch_lights.py +SyslogIdentifier=%i + +[Install] +WantedBy=default.target diff --git a/ansible/roles/iotscripts/templates/olga_freezer_sensordata_forwarder.service.j2 b/ansible/roles/iotscripts/templates/olga_freezer_sensordata_forwarder.service.j2 new file mode 100644 index 0000000..9cb9d75 --- /dev/null +++ b/ansible/roles/iotscripts/templates/olga_freezer_sensordata_forwarder.service.j2 @@ -0,0 +1,15 @@ +[Unit] +Description=OlgaFreezer SMS Notifier and SensorData Forwarder +Wants=network.target +#OnFailure=xmppnotifyxro@olga_freezer_sensordata_forwarder.service + +[Service] +Type=simple +Restart=always +WorkingDirectory={{ realraum_home }} +EnvironmentFile={{ realraum_config_dir }}/smsgw.env +ExecStart={{ realraum_bin }}/olga_freezer_sensordata_forwarder.py +SyslogIdentifier=%i + +[Install] +WantedBy=default.target diff --git a/ansible/roles/iotscripts/templates/r3-metaevt-maker.service.j2 b/ansible/roles/iotscripts/templates/r3-metaevt-maker.service.j2 new file mode 100644 index 0000000..f0c1e1c --- /dev/null +++ b/ansible/roles/iotscripts/templates/r3-metaevt-maker.service.j2 @@ -0,0 +1,16 @@ +[Unit] +Description=r3events meta event maker +Wants=network.target +#Wants=mosquitto.service +#After=mosquitto.service +#OnFailure=xmppnotifyxro@r3-metaevt-maker.service + +[Service] +Type=simple +Restart=always +WorkingDirectory={{ realraum_home }} +EnvironmentFile={{ realraum_config_dir }}/smsgw.env +ExecStart={{ realraum_bin }}/r3-metaevt-maker + +[Install] +WantedBy=default.target diff --git a/ansible/roles/iotscripts/templates/r3-spaceapistatus.service.j2 b/ansible/roles/iotscripts/templates/r3-spaceapistatus.service.j2 new file mode 100644 index 0000000..f7b1b08 --- /dev/null 
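Review bot: `SyslogIdentifier=%i` on the dostuff_switch_lights unit (and the same line in olga_freezer_sensordata_forwarder and restart_ledpipe) expands `%i`, the instance name, which is empty for a unit without an `@`, so the setting is a no-op and journal entries keep the default identifier; use `SyslogIdentifier=%N` or drop the line. `Wants=network.target` without a matching `After=` does not order startup at all, and in a `systemd --user` instance the system manager's network targets are presumably not even present, so the dependency is decorative; with `Restart=always` the script simply retries until the broker answers, which is worth a one-line comment in place of the dependency, e.g. `# no network ordering in the user manager; Restart=always covers a late-arriving broker`.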
+++ b/ansible/roles/iotscripts/templates/r3-spaceapistatus.service.j2 @@ -0,0 +1,18 @@ +[Unit] +Description=SpaceApi Publisher +Wants=network.target +# Wants=mosquitto.service +# After=mosquitto.service +After=r3-metaevt-maker.service +# OnFailure=xmppnotifyxro@r3-spaceapistatus.service + +[Service] +Type=simple +Restart=always +RestartSec=60 +WorkingDirectory={{ realraum_home }} +EnvironmentFile={{ realraum_config_dir }}/smsgw.env +ExecStart={{ realraum_bin }}/r3-spaceapistatus + +[Install] +WantedBy=default.target diff --git a/ansible/roles/iotscripts/templates/restart_ledpipe.service.j2 b/ansible/roles/iotscripts/templates/restart_ledpipe.service.j2 new file mode 100644 index 0000000..45a06f3 --- /dev/null +++ b/ansible/roles/iotscripts/templates/restart_ledpipe.service.j2 @@ -0,0 +1,12 @@ +[Unit] +Description=Reset LED LoTHR Pipe +Wants=network.target + +[Service] +Type=oneshot +WorkingDirectory={{ realraum_home }} +ExecStart={{ realraum_bin }}/ledpipe_restart.sh +SyslogIdentifier=%i + +[Install] +WantedBy=default.target diff --git a/ansible/roles/iotscripts/templates/restart_ledpipe.timer.j2 b/ansible/roles/iotscripts/templates/restart_ledpipe.timer.j2 new file mode 100644 index 0000000..491c480 --- /dev/null +++ b/ansible/roles/iotscripts/templates/restart_ledpipe.timer.j2 @@ -0,0 +1,8 @@ +[Unit] +Description=Once Per Day, reset LED Bar + +[Timer] +OnCalendar=08:00 + +[Install] +WantedBy=default.target diff --git a/ansible/roles/iotscripts/templates/smsgw.env.j2 b/ansible/roles/iotscripts/templates/smsgw.env.j2 new file mode 100644 index 0000000..8e3702c --- /dev/null +++ b/ansible/roles/iotscripts/templates/smsgw.env.j2 @@ -0,0 +1,5 @@ +R3_TOTAL_MEMBERCOUNT={{ realraum_member_count }} +R3_MQTT_BROKER={{ mqtt_broker_uri }} +TUER_STATUSPUSH_SSH_ID_FILE=/home/realraum/.ssh/{{ vault_iotscripts_realraum_spaceapi_ssh_key_name }} +TUER_STATUSPUSH_SSH_USER={{ spaceapi_publish_username }} +TUER_STATUSPUSH_SSH_HOST_PORT={{ spaceapi_publish_host_port }}
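Review bot: The restart_ledpipe unit is `Type=oneshot` with no `TimeoutStartSec=`, and for oneshot services the start timeout defaults to infinity rather than the manager-wide default, so a stuck `nc` inside ledpipe_restart.sh keeps the unit active indefinitely and the daily timer then finds it still running and does nothing on the next trigger. Add `TimeoutStartSec=30` under `[Service]`. The `[Install]` section with `WantedBy=default.target` also fires the reset on every start of the user manager (i.e. at each linger start, not only at 08:00); if that is not intended, remove `[Install]` from the service, keep it on the timer, and take `restart_ledpipe` out of `systemd_user_services` so the enable task no longer needs an install section for it.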
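Review bot: `TUER_STATUSPUSH_SSH_ID_FILE=/home/realraum/.ssh/...` hard-codes the home directory while the role defines `realraum_home` and uses it for the key's `dest` in `Deploy SSH private key`, so overriding that variable would write the key to one path and point the service at another; write it as `TUER_STATUSPUSH_SSH_ID_FILE={{ realraum_home }}/.ssh/{{ vault_iotscripts_realraum_spaceapi_ssh_key_name }}`. The file is still named smsgw.env although this host is iotscripts; it is referenced from three unit templates and the tasks, so renaming is a coordinated change, but a leading comment such as `# carried over from smsgw; read via EnvironmentFile= by the r3-* and olga_* user units` would stop the next reader looking for an SMS gateway.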