diff --git a/books/base.yml b/books/base.yml
index 2896714..23c0daf 100644
--- a/books/base.yml
+++ b/books/base.yml
@@ -9,6 +9,7 @@
roles:
- networking
- base_config
+ - prometheus-node-exporter
- hosts: all, !tests, !no_user,
roles:
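Review bot: Nothing in this change sets where node-exporter listens, yet the same commit defines a per-host `lan_address` that, judging by host_vars/rossum, is the WireGuard (wg0) intranet address; if the role binds the exporter to `0.0.0.0`, port 9100 is reachable on the physical interface of every host this play targets, so the role should take `lan_address` as its listen address (worth confirming in the role, which is not in this diff). The role is also added a second time by the new `books/monitoring.yml` under `hosts: all, !tests,`, and the hosts pattern of this play sits above the hunk, so the two target sets can silently differ; applying it from one playbook only, or at least a comment here such as `# also applied by books/monitoring.yml -- keep the host filters in sync`, would record that.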
diff --git a/books/monitoring.yml b/books/monitoring.yml
new file mode 100644
index 0000000..1265a5b
--- /dev/null
+++ b/books/monitoring.yml
@@ -0,0 +1,12 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: prometheus_servers
+ roles:
+ - prometheus
+ - prometheus-alert-manager
+ - grafana
+ - prometheus-blackbox-exporter
+
+- hosts: all, !tests,
+ roles:
+ - prometheus-node-exporter
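Review bot: The `#!/usr/bin/env ansible-playbook` shebang is inert because the file is created with mode 100644 (see the `new file mode` line of this file's header); either `chmod +x books/monitoring.yml` or drop the shebang so the header does not promise something the file cannot do. The second play re-applies `prometheus-node-exporter` to `all, !tests,` although this same change adds that role to the base play in `books/base.yml`, whose hosts pattern is not visible here; keeping the role in one playbook avoids the two filters drifting apart. A one-line header comment would also help, e.g. `# Monitoring stack on prometheus_servers; node-exporter on every non-test host`.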
diff --git a/group_vars/all/ca.yml b/group_vars/all/ca.yml
new file mode 100644
index 0000000..6c4c46a
--- /dev/null
+++ b/group_vars/all/ca.yml
@@ -0,0 +1,57 @@
+---
+ca_passphrase: "{{ vault_ca_passphrase }}"
+ca_key: "{{ vault_ca_key }}"
+ca_cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIFhzCCA2+gAwIBAgIUP+ptXLNUBVsZm5oYpynQd5mhB60wDQYJKoZIhvcNAQEL
+ BQAwUzELMAkGA1UEBhMCRlIxEzARBgNVBAgMClNvbWUtU3RhdGUxFTATBgNVBAoM
+ DFBhaW5zLVBlcmR1czEYMBYGA1UEAwwPQ0EgUGFpbnMtUGVyZHVzMB4XDTIxMDky
+ MTE0NDUxNloXDTMxMDkxOTE0NDUxNlowUzELMAkGA1UEBhMCRlIxEzARBgNVBAgM
+ ClNvbWUtU3RhdGUxFTATBgNVBAoMDFBhaW5zLVBlcmR1czEYMBYGA1UEAwwPQ0Eg
+ UGFpbnMtUGVyZHVzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4jG+
+ 8N5YN91KghYjYTOBQ+lRYJ45X5S9mfcwwf8OIMGe+NyNkXx2GX4uYpZOitYOApI4
+ rGnAjhll7tdZevzfdqpUDCYUDT6iR4BzL32k22mIN+iW6zQPaZetOU7VIA9V5TsM
+ WbDsftqh6fj3N4SwVMpHiuiajMkX8CIELxoXDAJULvwyreWOONlwDMObtVCHBIhM
+ uf1Jbx2DfRNS/w6lbHPCrZefMCea1FrSaotOANXxNgQfptX3fLZbhH5RiZQLDU8k
+ ZChAUoW9hE4+uiSOUMd2hl9XgCWHcGEMcKyWG+/lx8UUw3Zl+oOrfb+IWo5IByVZ
+ 8nV5aiTMCuRlcTcMHUuedRaPcWfl5ZaEOVzhYXIYM4Oa8ShqXuWqW0WZ8oIhI2ya
+ hTE03mIPV1nX3ucE9GsDZpnrj7t+qd8etiZXFGVihKEqVFfhzKRsPh4wgUKH/gwG
+ AJshPA9NyJ0JpzUaWQ2acUjo3Hg9WPSTaMb46FS7hUdZUcZZiwSq9JjHDNAUKjNY
+ zudKjTyqJXkqwhNvMfKWFIGYjldvZgQXzuT8XmSHYSKuLfH9Ko28FX0Aujye1TTH
+ MPljXruyO04Q7NUg/jqtxdsWRpH/qCt12PmRuIiXsNCAeLjSuc75H+AOPbNudJLT
+ w2AUTkfn3mw/XTwEBfemHAo6GAdtCDKo6GxBqvcCAwEAAaNTMFEwHQYDVR0OBBYE
+ FIh4sxxlmesmbVKPWKo81BXMFVqVMB8GA1UdIwQYMBaAFIh4sxxlmesmbVKPWKo8
+ 1BXMFVqVMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAKipx6Nu
+ QwnYmwYPd3kUVBOj9ia0PVeE4LoUSRapzRTF2HilSIo9Sa7qD1HVxbWrghUPLjW/
+ Ru04k82hxvAm26gc1XeqIBzpgZmxwF0QibCeuj1vDXsndACXVHd6Atvnl0rW4bEI
+ pVCqerXNu0T4STk2V/xNqndGMRp/vZX67BlyHAHD4el957R9RYlyxW6fADrHDKqk
+ tC1eTeQtEi5W7v9X3dNGdtFS+exDrYpUTHPDwM81u25oCGUFGsH3RlG7LUEQ5mYW
+ SsJ3EKpIkMxSZB3/GqttCIHi+yEMtwDDL3dN8UnVaTkRjVNQxraOUwe66QByGqnJ
+ 9YeQNpUfZxWFW/GW2fBAvD/RaLrLZ4ywhUze38ks4jsLnAIduawjQ8GlNg9i2MqD
+ zvDat41LWSCDjRUOfCp7fc9lMlI5blTafozrAddMV8YUs3bQ6XD0H31pP59jb7nc
+ 5kmwqH6RivbFZZYBquQVujiiI7d+9m+X9OfTZJTCpRPCGYZcLuqH7txyPhixxrZd
+ a8lWJ+5jHOdncV/ZWSB5JnjKbaMMEPcaTo3puEPt/yl74CR7UOJXr5oM0bVFKjas
+ 90hY5U+jPAcneCk2oc44R4NWuQ7qbsjPRfcxxi27DoLbhlmPp9jQwYQEqmdflcZ0
+ zCTEq81KO2mAbJgTc/ahhcvAV/huJ5d8c9R1
+ -----END CERTIFICATE-----
+crl_distribution_points:
+ - full_name: "URI:https://ca.deso-palaiseau.fr/revocations.crl"
+ reasons:
+ - key_compromise
+ - ca_compromise
+ - affiliation_changed
+ - superseded
+ - cessation_of_operation
+ - certificate_hold
+ - privilege_withdrawn
+ - aa_compromise
+ - full_name: "URI:https://ca-pains-perdus.intra/revocations.crl"
+ reasons:
+ - key_compromise
+ - ca_compromise
+ - affiliation_changed
+ - superseded
+ - cessation_of_operation
+ - certificate_hold
+ - privilege_withdrawn
+ - aa_compromise
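Review bot: `ca_key` and `ca_passphrase` live in `group_vars/all`, so the CA private key (through its vault lookup) is in the variable namespace of every host in every play, not only the host that signs certificates; moving those two entries to a group_vars file for the signing host(s) and marking the tasks that consume them `no_log: true` limits exposure via `hostvars`, `debug`, or a stray template. Both `crl_distribution_points` entries enumerate all eight ReasonFlags values, which is the same coverage as omitting `reasons` altogether (RFC 5280 §4.2.1.13: a distribution point without `reasons` carries revocations for all reasons), so keeping only `full_name` is simpler, encodes smaller, and removes the duplicated list. The `https://` CRL URLs deserve a second look: if the certificate presented by `ca-pains-perdus.intra` is itself issued by this CA, a relying party has to fetch the CRL to validate the server it fetches the CRL from, which is why revocation endpoints are conventionally plain http (the CRL is signed, so transport integrity is not needed). Separately, committing the CA private key even vault-encrypted means a later leak of the vault password compromises the CA retroactively with no way to purge it from history; an offline key, or at least a dedicated `--vault-id` for the CA material, is the usual mitigation.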
diff --git a/group_vars/all/revers_proxy.yml b/group_vars/all/revers_proxy.yml
new file mode 100644
index 0000000..34aea68
--- /dev/null
+++ b/group_vars/all/revers_proxy.yml
@@ -0,0 +1,9 @@
+---
+
+reverse_proxy_sites:
+ - {from: wiki.pains-perdus.fr, to: "https://azerty.fil.sand.auro.re:2443"}
+ - {from: hindley.pains-perdus.fr, to: "http://127.0.0.1:5000"}
+ - {from: "{{ grafana_domain_name }}", to: "http://127.0.0.1:3000"}
+
+sharing_sites:
+ - {from: share.deso-palaiseau.fr, folder: "/home/histausse/www", user: histausse, group: histausse}
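Review bot: The `wiki.pains-perdus.fr` entry proxies to an `https://` upstream on a foreign domain (`azerty.fil.sand.auro.re:2443`), and nothing in this data says whether the proxy verifies that upstream's certificate or which SNI/Host header it sends; if the role passes `to` straight into the upstream directive, make sure certificate verification and a trusted CA are configured (nginx: `proxy_ssl_verify on` plus `proxy_ssl_trusted_certificate`, or the equivalent for whatever serves this), otherwise that TLS hop is unauthenticated. `sharing_sites` serves directly out of `/home/histausse/www`, which is only safe if the role disables directory indexing and symlink following and the web server user can traverse the home directory without it being made world-readable; a comment such as `# served read-only, no autoindex, no symlinks outside the folder` would state that contract. The file name `revers_proxy.yml` is misspelled while the variable inside is `reverse_proxy_sites`; renaming to `reverse_proxy.yml` now is cheaper than later.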
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index f1e582e..90d7b95 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -2,3 +2,14 @@
# Use python 3
ansible_python_interpreter: /usr/bin/python3
dns_resolve_server: 1.1.1.1
+
+# Default prometheus serveur, to overide in host_vars or something
+appointed_prometheus_server: hindley
+
+grafana_admin_password: "{{ vault_grafana_admin_password }}"
+grafana_domain_name: monitoring.deso-palaiseau.fr
+
+kassandra_username: cassandre
+kassandra_password: "{{ vault_kassandra_password }}"
+alert_rooms:
+ - "#monitoring:pains-perdus.fr"
diff --git a/group_vars/all/vault b/group_vars/all/vault
index ecd6b1c..67d3aba 100644
--- a/group_vars/all/vault
+++ b/group_vars/all/vault
@@ -1,81 +1,272 @@
$ANSIBLE_VAULT;1.1;AES256
-38386365383032383336346430353334613639636464383235646565306161323463363466383934
-3636386138346634386634373266643937356339373734370a366435343137643330393939353664
-39386432396430306339326435323862373135323263663139373032646136333064373365313161
-6130343436313762620a633064326538393135626536343062383862366536646239656133366133
-38616531393837313365643734303062353030333763303132646231376363386239336631643231
-38303230643135653238333132633739363333656534643765623836333936363062613132316339
-31646365623030343433623264633665353432623839393638643039653561623361366630393631
-38333636316432323165316261323337306238633237653733376539323136663231376462623035
-30336463353738373061346431333435626362383134306661343562633437656462333430653663
-30396231336336353535373337343434366536333865623065653238333637383332613338613361
-61653566303962626534636530313238363662316163336532353738313962623835343032643930
-37333864366539363131333538643963353531663132353964306263316437323866666664633435
-39636663383831393534623639343839343931363834383839363837623636643838623536396563
-35396663326661386532303238353461636435366564366534393162663834363539363335393336
-62636465666665643165653130326437393162616433386637613430623466666364333334663132
-35356364646263653131363863303532633562306661636530313766636262386361623630326633
-62653866383864366666663963643138363264363965346538306135386633626439313961623735
-62363864373266333038333430613535633636343631316439353837376331666336326432663135
-33356630353862386166306536643538643163346532663439303764396565323661373136366133
-32373765376331323431386464396137666431613365363866323438663062386365326131616264
-39616632613565323238323133343061303433653539653833653264383165333364323239643466
-32613731393065323066396563363530393264323930653839396438356164356333333137656236
-31346133343336666337633637613064666533613631313335616637653735363462663864636330
-63646163383337323933323664303961346461613065356332383531333336326632316634656231
-64346565363636363066646533303238633465653830613264663963326630366564336330343236
-32623438306238396166666539363539646137643363666332366563663231326632363230666465
-36656662313335656462386463366432656230616232663637303235646664343066363563666261
-32393536666265663038353439623536633363386335326138383565643337353031356432396339
-31323464353338326237646263366262346265643363343761313436396332646237346339346333
-66323636336537303839653962306531643762366230303963636535633537613062366236613131
-39376162363134376135656463626366343537626438656362343838323435316266656637636161
-38623134386532383862303234666338306234646538623464613362623331396339613931653262
-62633364363230353666343562343661316431333664646161616632643736646664396532303633
-62336233316435626230386565383264313062646637313234626135626566343932343563653130
-38313137306331636436633536396539373032393135393336303731633030393139616136366536
-31633936613663303837306632643730613062663262616239343263636463386230313336363237
-31626531303639666464376335366135623063343266663265393635316338306633363561376234
-63653039313532376230626533353136666262663761376432633763636131653162386131366366
-36396534303230353133306331626539623832323462393237633233393865363864656531646632
-36613137366262393163386465656233373365636437616133393862663632636131393563613763
-62376133356430303838386634363963653865336138303831636164626538633066316637643732
-30363561393862623037616232653135663765336134383037346439373335393466646530616166
-33646462313463346535346236363830643130313632366162633866373362653162623035306366
-39623734306636356135393965646534313961306632623531303830343564393361343464653961
-31623562396435616466653232623163393161336434623631313233353736303834333935626138
-35613764633564313961316236623265353037636635656331363937356363323630646537393335
-36396632383865336639393033653738323739396236383535333332396361306131303864616130
-33613762643438393261353335383565316231623963386536653334666634623136343833613137
-37396261623035353038636337323536346334613837343935386132656338633335643265616138
-36663937376231333233646466633162346630653532336536373262313337373261656130643632
-66613534363130313230323665613163356366386664653436363132356664306231356135383266
-66376336323062323863616434323465356439343434646531373365313039303639343735323836
-35613234343563356162326466366638343439333464656434643332663432393730643130623032
-65663237333338323939616565333738306634383038643630376164306530623733623933333064
-62623131323736643832616334383338383634393664653338663436626434306631643966613031
-33616362313039666130613538306561343135626235343765396335396339373630373135313832
-38383062366262663832343563613334623336343639316435386664353636643162636634653535
-39623039643336393733626634363466353437353533373764313565653766663630386234626661
-61393161383565386131636563323038373236663861363339333361646464613836623139366435
-35363463623431343634653565363066623464653961313661343963363464386361306137393763
-64616135633935393566356561363038613134363964356136643734366232366166643564653264
-36613066366266646434323862643735643333613163666334363337643263626639623433663733
-39383562363531656433633033313961303837643765626530383665316433353634396463333662
-38353936633034636461303863356564653939393239316538663838643336346331363230616630
-62353237353733326132646138373737306135653634383032363433663063613430373935653131
-38646664393133363365303130623532373438313831643230396431363333386463643031653262
-64396261303235326530636565353764316236643466623666623165383536333565633064333262
-37316237643863626561613036303061346265613730626137316136623338626564666464333862
-35393831656533616365316334633538626166616263306636313231313234306532636633646665
-33336138333632396530333363613866376535316430656134613339626262666133666264376439
-64303964633165333161613663343438393539643839366331303563613436613730383837356165
-32363231653233346438313262393462313135636566343063626436326166373866356434656561
-65386562666331316232336463373336623733393161666430616165306238616531306266626363
-66636234333231666637616163353361306331393562393938353733303139393930633965373638
-36336266343231366662643134613662643037373638316362653030383866373636386339346466
-64396639353266316264653264343036616634343964646237363036313937323833633863316231
-35363964393863346132373830383032646536356261616265353439316637396563336536373363
-37313936393662353665653134613535393865333362636262656439326331336366303139653034
-35626566333965616162663465613335316462326130396330383236396133383039636335343565
-65386630653033376163
+66653939356531646231633866643664343439626466393835366664643239356166353639656466
+3731653736323063643664616534393834666637623438610a653265313233663738326166366234
+64393862363239636533343139663166643331363133343230633032656633663033313032353630
+3666666439346332350a323239376135383262376661366632363963303433666362316535323664
+31336635356137646565396131396461653630363362356638346266316231383036323632653366
+33323430663863346664653562326330376639623131323936386639303065313738356665613535
+64633663393963666363336265383661366264643931313939666561646134303130353034376530
+63383064373633326263383332303632316135353862333365326439636131366165663636626337
+63383566653331346536626138653733613666356162336163643566623737653337396436313134
+36343535363331366463306335386465643464336339663933323733396437663332303231363237
+39313663656136336466393737323965336430306437336530306361343631396132653230353137
+64316538373532333332643638613736393661336565346364313961613736383063316433623634
+62373137326336663236323463313462313739666162386333653235373763356335393039356638
+64646131313930313438613264303535633137663662613163653165393835303032366462326564
+33386134636231353762363563313137626134393563383838313834396235346364303731653136
+34363964386165323561633138306137613632616437643632656334653138373330346434386262
+65383662366135613939393266633062663665303935663634313735663361333862356565393265
+33373036623232663830623962363139626436616339393863326130333163353038373530643566
+33393733623635333931363932376663613364393832646231616133366264646230633033643062
+37336335383732613837303035376563653638306437393336383565623264316166653437386432
+61336433316531346636356262313534653037336139633839613163356365643466636662616462
+35323135636337353930636463613437326538303736643262663262633330396663303064313933
+32346437643938303265353363353735373862383761326333306138386266363566386336366436
+32386436323564323964346332313363373534626162613033363564646264376662323366353939
+64303663383031613634333333353563333761363134393637633031306561373339663031366466
+63396634396535366461396262663739383861656461383435323936636166623862663130356630
+33646365343564633662663438613338356131383638363930626338393739326336396361356232
+34366363646432316431656439656136633838663066626436383238323165393836386636373039
+64653930666334326237363261666364663531623535373265623638396334636439346465313238
+64356335313731353939313364363534393762616634326262653366303234633338626661663165
+36346430326431656639346161363861396438626661663930396334646339663333366535303438
+65346136396334376530366438613737386535353431396531316265393036623430383735623237
+64663634666564656633643462653962386332623539623933653966323066376536386463336361
+32353732663366643438343862613863373564383638336332353039643833653563396136626131
+63306635386163313131623738363533313131613537363735333337323334353462383039336433
+66636137356462383538303336363439313938666165366434333030396561613833613539383737
+33613332633763343865363034653730336364653461666331353837653637663139306366313663
+61633133633563353132643066366633626435303363616661353138343363363139386232386464
+33636432306366313234373861633762646661333836386462383761643865383231656664646265
+38653266613365366435643934623139336666343265363632386166336433626634656238366663
+32663664336162386336326566396336653831373364383033643331623834643838336635656438
+64393936366238616666333565353530643563656338323763336436636461353963343130666634
+65386430313463623539616537333134323134373836663036663830353435393365653136363566
+66356431663466666562653338623839363438396530653031373538663039353638623838633831
+64636534343263356166373561373864643736653530323530323833356539316232363564616135
+32643138313537356565306433326137623535373963353361393439383030646262393538626636
+37373336313132396465343561363635643633363638356365363935653931316263323261356531
+36636239323362663935356464663737386462306162373336333264333963653537353563383361
+34663030386331643361353033613564363236303364646430313866323836383238366535376230
+38616165626535343939323162303735656630666262336536626334313834333730626433643835
+39353963323364386430366339393162303031643865333839326533333961393036636365353637
+31353863633065306230353665623335353331366333323039646435613537336436373962626137
+39393461373938613432303565323763653130313334313637306534666235643337383333333837
+39353834373666646561626535386239303030633062633565356332653664343337636263363631
+32636264353165343637633436373564313065643236396631366334633365386234636261383066
+35373433353539626661336430663037303839353134613230633363373664363962316630386265
+35663535353466613265616637646130316531643461393965643232366432313561303238393432
+32353266336533633064363039343431333331646132363833303433363632613632646461666366
+31613764313237636236303432613864336532323537333062363066633463393666366331653936
+31653133313862356632383066353361636334303138666361333939646536333137343734343731
+31636130623666386236393462646236393933383235313036383932336665616430333330316634
+62623631373631383434333363376331643664336536636430393962626165646662636637313633
+37316166343834373865353730343733613736643038366233623661636237633136356338356564
+31363139666630656530616334386362393638343331396436633862393031343331613438373236
+66336338623264306237333334623063626431326366643835373832383165663864613530386639
+37303064643034376135303066396164623237623239663962636563353130626332316333396331
+36646238386634623761643135353132326438303566316232653630353332363262643964666561
+32363534653261396136643765613237633761353337376338666238663039656666386137633538
+39373662336231613364393238663566303662643333633532613866643036356163313033313933
+62346532393032323432316361633162373664393363306239366433333766396438633730353533
+39306338303238356638336636306565366339336630643934323665363261303930313435633735
+65363732623666306631613465633034393536326237346639356566643736303937333239626531
+62313061383266316361326339623436373262633238366234353461306432396133383330616432
+30666235646238663631326636396364313565393966373533323464356337326138363233346430
+61393438383737393839653039633762613137353932323730613537653939613861346636653738
+39336331333237613838656531363766343235383938353165653662653439643861323436393833
+65303565356330633764663633613231336166323134653937636133343031343938366639656161
+38666136633564646131333038326237393861326564623338333438313063303661303132323938
+37303162316236666162396363626133306365666533306639383139336330616130313635353034
+65623934323930383763383466323338373561643538343564303331653961653230643863323937
+35306636376530356631303362396439643963363937633266313935343262396565383163353630
+32396132316239366231303532306436623330643732393737343636646234656662646366376265
+36343034396562633634633663623133396636643634663932393739306435653034333164656336
+62373633333938356261663261356161663937366239356464383335613431396339333761323062
+32616333656533653939336338393431366439346433396232373934353235653730616230633762
+35656533326163316132373038306239663966366465393231646331646333383932336461306438
+65636434333433366637663139656630363464663564303166393931363032323633336661326164
+36633132363161616466333134343730636166653962623632366535663366653139343230363363
+66373432343961393437663466363063333561353637316438653961383966623134336537376130
+61353031386435336236346564643064613433666137633437376362626661653733343734346438
+35646332643462643631323835376231656464626536393562616466636363386339336564613539
+33316637313862356131633636626238633961363065323964353634633462663132653864373365
+61306163396532656636346532326131633134346139323566326361323664376633636339643539
+64323939336264346638653365663162356365653536333738383064326463313662356266373239
+39613439313866333735366639306166336261643938313133633633303432396662373862653736
+62313438633063343938313965616337363961303730386432333862383265653061333832306565
+66373663643435613639623735373066616236353739333538616535616435643964653936356431
+30363364323434376365393639643731663866396163636665626537343433663863363130303866
+38356565613334613931343431663862346263643330646263613166636561303038376238656430
+66316330326662616634396561366563316632663166383564343935633532633034333138653665
+37613964616162373262383338613434663166613862653963636135616265613634323438613463
+61393730396164643730393636646630386561303534363731623433363631666561313065373163
+63663164383335613565666262383162363732616534363637323566353064343162383231303064
+35373765376533383339353339636432633562333730386463633534353639656634636438303163
+36653061303036653535643933663131616166666631393836383531643165363265626562623533
+65363739663461356565313136663763333630643035383132323335333931333661376166326531
+34316166623630386365386632373433383735313563643463333662366335616237303633653763
+39633465353166313930353731376639336634633463346334643330646430313039613461333766
+65633965613962376637353131373966383034333536616361326364633532353138326535663866
+31336664333936393834346138653531313862323938373736383162386633383061373561306338
+39626634653338356330373338376332623638336537373932653539353734636336616232306132
+33323338653265666262383039393935616366623661653530623662373637356339653565323962
+63626461396264356564363238663331653662613337343236333763363461623865636564373037
+62376633616131313439343866336363653135363035386534386665323433653366653630646138
+30666330363835303664336162343432653235386631616433613262646336626331336532393438
+63313737353531316261353437663163383964663561313235393338306362376137383330656162
+32373363643466336231633136323264383934666634363933393137323032366564313137356262
+62333533363638616639633863663931376364373061323732343934643337383239303631626537
+37393032656231303366396233396162626236663230383966306361633233633430623135376132
+66393765363931386662326236393865353161633036666465653236393366363534343764316565
+66646166656437373231623133303662393461323830363261373566646163626334306265356436
+64353930303966303364396166663535336265383536373139396137396130333138393561616632
+36393732326136396534366630353731653331636333663965323433643931653033383039363638
+66373161326430363831343238656632626564306338636361363530663463363232373139366537
+37393162666464353662383564383665343334363463626231316535353738373333313738316138
+66383537663363633161346630323330653933356565616639353536386136666265383432646233
+65303163393635616539323762633962633165323661663561313061616239373834633937623064
+37373864303336323437303563656163303137656230336562336431623665323731326565626238
+64656232663363663065636239313030656132396333623332333637303537653534356662353838
+34303364636537623735656537613735393334616661373532363935363534356466663134613138
+38373437646135356165333336636639313134636136313637333364396335636335313361353265
+32396236643133396663383165653131316339616330373034393331373831626339313466363132
+34386266363637363562663764393133653732623039663034393539363061633237363737613336
+61323538633263666431346532346564353235643037383535373366613831373066636138626366
+36356563663339646534353962376436613566666165346135333264373334626530616332333961
+34386536666338306632306362343435346666303737613238373863366331646438386538373861
+63626361623932326334626630663336323439643666623332613262346535663462643834353231
+38303766366461323532356139306264326264343536386535303331376262376431666538626464
+61666235643939643334646463623337316565346263613862616263333335613736303366613430
+38303461366438363534633036373264303633613964363561346336653136353132666663376363
+38633235316666356464636538636337323432643037613762303735333836643861363464366337
+33366138396262623530663138353963306164306163303663623438353130646566656332373938
+61336337316334303135646461373463643365623235343834636164396366636639633933366561
+31386533336261326439386661326462353831393733643065316266376230383839333733396233
+63393935306331376336393937616336326263643631353764386164363639626334663032613133
+33633436376534373138316466353838663835336634306538313334643036333537653864323162
+39663565376331346532656130306632393638663139626334323261643733376636623961323533
+32653066326235346130333732396231346136336134383863383864613830313031646664386234
+30656333303234663630633237633161393966623562633964393161336335616362323535656136
+38666162306162366461303663346562306638353334383630306231346234396566343162323135
+35376136346138626130323765626464613537623530616235353537373932626535316566363332
+38336533333162643666376232646330613166633535383961666264373530313563386535353434
+38333062376634323933336239656138393961633863633537396364333039333262616166613832
+30373632333062663730343731663162376238313930376631643163353063663838326434633435
+65323465343839616166386435636233306136306563666535633164633430386332323266323038
+63653061396662336362646331353062326261376161363662346639373965356266333239613137
+35393665636238663262646130356664343033633363303536663538306139336139383864636236
+38313834393733316636313862383930343839653662623335393637396363333434646262383465
+38313231353862373935316236383135396639643761623035313834353730396330613237316465
+66646131326462383662303563646366333630343934376339323936363966393939623031343833
+63366333623332623666643932343739363735326361636536656164303365363163633934633730
+31306264656535396665386133353366653064363036656135663135373931636566646638356662
+39393433363633613437346637383837663864643734643332393833363830616536623933623239
+35366530636235643333336261633661636330633535393030313134633834633261363635376234
+63643139306632613330346264656434326238383061633837653064663334323762613636353339
+38363861356131376230613032353738356134316261613030353932303635383564333664386338
+63363033613232386431633531356532653035343466616664626363643734306233393566356663
+31643039336332636461366266343865383666356166333566386531626134373038663362306533
+34306534623166393561633266333366653261653365326337613436633137373234366234326564
+30316231636339366434396131623064353961336666626563613234303034376537646130323637
+33386532393339646437366337626463393066653831646337346463356437386333656464393233
+64333036663330373662646534653239303831323536346138393939383861303331336630353738
+33383838663939393038386438636135396361316438363234313864343731616363336533393738
+65343166343335623665653936396362363861636231643432313962333034383337656634666633
+61333161643464323562343539633130373065666363393337636664376662313834656232616164
+37613062346439326665633236323661646331336333313034306133353732336163656339373335
+65303662633039316439343363306637303530323235663261386162363930623233616639333264
+62303965636463303166323461376531393031343464663562353537613034613033346336393638
+63373165663931346566626437393166626539393866646535393330323335333737353633633764
+36643132336430303264633032316634663531666165613037313264303962663337653233346561
+63646162343930356464623431333031613464323333323162323265633637313538363963633338
+64393566643131666333333263626435613465303862663166303034313430616165656666646432
+63363634366434666461613337353765663466396330613230663737613030323531663432363465
+61623661666664366664303434373362303431623234393862633639336332316333303664323937
+31653462326432633966353138626333306136623735633932323666656632383034633662333635
+36303437343361343437643963663536646636626232633063636332353037396264366361336631
+39353638643930326166393666663262336232663661383862363731393733336665326637653434
+38343362386430363666666239623333623339623862613630663762353835303837663061303432
+39366138383263653338393131393532663965666164353963373461373263616565373166303530
+64306333343764363264363934393739316133313536353065326632316365396132326235626232
+37353562363139386633656437623165623530636138313139643764613230633133386666366437
+62333634356362343633643235643537383837343731303036396566396238623939643466373630
+64633161636638393732656534346139343230313132613737313565393665613265353562313037
+62313362363362623934663564626265363463396366336633313839643134653962656332653639
+36353238353264326139386438363438363066396537633963343839616462373838393232333932
+63353566663363373636336665393763323237383337343137623063653265393264396361383166
+34666332616164633639626537393234316530626461653161393036386161396666386538316366
+39393762626663373430646666653233376134343838313034313136303837333233353761353530
+31623364333033643035363735396562623965636437613661663736376665393037363966633430
+31376334333139613466613238303938663337313239643066353532383132336539353861396538
+33333664393764666635326461383737653661643731323935353531653735613263383435366533
+61333436386335383634376366666233633833643738646436373664306338643366643035613138
+66643661336633666333366438303136316332616638336261353162383266623933316631396232
+35306437643133346538323364616638636464613536323334646637333061343332376433346634
+31356333633832636437316466343034633266613263336132383336326532363137303861656138
+35356635343232313631613638366164303164623530663862653138633065306163343132626430
+31633739653666646564323365663961396562333336366130636530393463383461623934343164
+36316264363065343563636331373635343638373864646465306566646234643732306530353636
+38316437393264643533623338656663343633646265613531623933666432663334646136356265
+32326530343938653761333734323563643532363330326531313335323764653239626137613164
+61306437663537303561393039623330626530393363653165366236343737653137616539646332
+32656363383631393438336434323032343632393736376132656439663962323232336630623466
+64373939323832373934373531363838333565396236383661633134303338373030313436303130
+37663438336262346164633632653739613766343938303138653330656431396336376461633339
+66396565646661346461643035646432643432343435333861366531316265306530653034386265
+39303239366633613431333863663034633864373439646236633434333738383662643063373835
+31626134323462353965653131656336316265376364636533333631373966306631613566663133
+30616162636138303139306436653834366233616631303037393538633735323133346562383736
+66306265346266393566613137326132366132366463353330306539653732393963366165353139
+66643663643339666137343930633637396263346264643561383162666461346431346532353733
+38303863303537646130363066303439623664316666373039613639653133666635356165303831
+66653238643265386161393062393763383263656161666162633833336166333538386566323732
+63303962313365363939323630386532373938313630633532613331306164356338633137346262
+37376665373131316338383265363335646463663534623334303839383965376362643061376133
+36323830323938636636356561616238636134616263323633626662396239373531646363336566
+65383938656530396361663631613532316262396562323034663763653230646336633263336538
+34333866306564313562303930616330653638313031656138343565653161323931356561633264
+33313066643461343636623235376636646537663263313234356133376532663439386364326264
+30356238613761363638376431623431366131373230373239643066343035356462326533613533
+64623438363138636435333963376366656232313435373131313235636265323062333562323436
+66313532616131623836373134363033646238313861616334313033326330616631633439613332
+32393134643464363337653138336332353531316261316562393532346365666261346534653037
+33363363393563636638343265393135663838393263623364366561623934316439306663396665
+34323838366463653032303337323434643461323732623464373564613365663037383834353266
+66376537623464653433393638623337353233363932656637363661323862663930633931626138
+32613436303533353261666131636231353835666138663235386430323161623565333934383364
+65393730636438306132663464313331663966346330346437383231646439366631323865376530
+37343534616239373739353930313331303537303131653433393338396136313161306432303937
+31333535623562656662613762626365306632626461333835346431343766393135653536356536
+34653137303162656164373738373264613536663831363662373964306231343239656533353832
+32643232333339316539323132663239613731393939316466653464373835303632313436323163
+61383338333739363730633162373530626563393938323131323538326430323431623931393030
+63353264626465323061663531656131633834353233643962666333383530376233636166636666
+30393534613466623031346236643333316336333633646630643164653834353536333461353537
+62613038323730363638616437393536636333323237626633343165386230393064666638396332
+62653736353238653235356462656266616635613861623762336139656139363966386237393538
+62616661613537633232636134373763376465386361313266663133643364356231636232386261
+38653935663231323833626635663730623438306134636363633062373738396334393435373632
+39343862646464633934643735363332353064396464663761393836353137313536383930653765
+64643766616139306335313965376434643637613836373663663131663065663961376661363239
+39373563313737396131323465333462346138316131303663336638303838346565633136343964
+63633161326361303232613163316434343565623863363662623765376365663337653239376263
+61336566336239643033666566316232623966643662386233396438343366303838363661653364
+64323065396531363363393433316538386366623839626639373266393432313730646261333830
+38383964633036333139383131326361353461346337353436333730656161326361306330373636
+31303438356633363332633839616237383334396137623263363030373361623032663363656330
+31653464353737336333356635326366316533663839366636393263343963356530663135366435
+66656365396565306635656663666434646632353035653138616161383434316232386333623162
+30363964666239373361656437363263646239366362316331313234623562363434613137326536
+30356436356436333263656338303566356133383034353161383663356236353361623539653466
+63663033393733366630356432613238633936306537333136366430303033336532306239336133
+35343432633663396165663466626263316434646265363363316436636433656165333839356433
+33313838313833333565653233623732316161316566343135323065313166376466613264616163
+61383062346235643033363866643838626537363534383162353435343835643563316535663533
+33623630383835353339656430633135393364346432663662663934393534366534326137666236
+62356136346333653538626433333139353566313831643063626165343437333265633537313261
+39613933653362353731353261373230313432303536316664636663396238643665633937623837
+38373761663538653232646365333331396565343831343534383230323032373166663033333837
+36353163353732313735663065663531646366326332663831623039366566386237333134616638
+32323639326431303335396265333539643935613062326438343834376365313565666262623465
+363230303264613965363966303463356363
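Review bot: The vault blob is rewritten wholesale (81 to 272 lines), so a reviewer cannot tell which of the four `vault_*` lookups introduced in this change (`vault_ca_key`, `vault_ca_passphrase`, `vault_grafana_admin_password`, `vault_kassandra_password`) were added, nor whether any existing secret was modified or removed. Storing each secret with `ansible-vault encrypt_string --name vault_ca_key` inside a plain YAML file, or keeping one vault file per secret, makes additions diffable and lets the CA key carry its own `--vault-id` so it is not decrypted on every ordinary run.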
diff --git a/host_vars/azerty/networking.yml b/host_vars/azerty/networking.yml
index 04d24d7..52a91b9 100644
--- a/host_vars/azerty/networking.yml
+++ b/host_vars/azerty/networking.yml
@@ -12,3 +12,5 @@ interfaces:
ipv4_forwarding: false
ipv6_forwarding: false
+
+lan_address: "{{ intranet.subnets.physical.subnets.azerty.ipv4 }}"
diff --git a/host_vars/hellman/networking.yml b/host_vars/hellman/networking.yml
index 17eeafe..c4a499e 100644
--- a/host_vars/hellman/networking.yml
+++ b/host_vars/hellman/networking.yml
@@ -22,3 +22,5 @@ interfaces:
ipv4_forwarding: true
ipv6_forwarding: false
+
+lan_address: "{{ intranet.subnets.physical.subnets.hellman.ipv4 }}"
diff --git a/host_vars/hindley/networking.yml b/host_vars/hindley/networking.yml
index 6826896..efdd3e5 100644
--- a/host_vars/hindley/networking.yml
+++ b/host_vars/hindley/networking.yml
@@ -10,3 +10,5 @@ interfaces:
ipv4_forwarding: true
ipv6_forwarding: false
+
+lan_address: "{{ intranet.subnets.physical.subnets.hindley.ipv4 }}"
diff --git a/host_vars/matrix_server/networking.yml b/host_vars/matrix_server/networking.yml
index 3da7101..de2694d 100644
--- a/host_vars/matrix_server/networking.yml
+++ b/host_vars/matrix_server/networking.yml
@@ -9,3 +9,5 @@ interfaces:
ipv4_forwarding: false
ipv6_forwarding: false
+
+lan_address: "{{ intranet.subnets.physical.subnets.matrix.ipv4 }}"
diff --git a/host_vars/rossum/networking.yml b/host_vars/rossum/networking.yml
index 6bcc4ed..a34b62e 100644
--- a/host_vars/rossum/networking.yml
+++ b/host_vars/rossum/networking.yml
@@ -1,10 +1,7 @@
---
interfaces:
eth0:
- ipv4: 192.168.0.50
- netmaskv4: 24
- type: static
- gateway: 192.168.0.1
+ type: dhcp
wg0:
ipv4: "{{ intranet.subnets.physical.subnets.rossum.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
@@ -12,3 +9,5 @@ interfaces:
ipv4_forwarding: false
ipv6_forwarding: false
+
+lan_address: "{{ intranet.subnets.physical.subnets.rossum.ipv4 }}"
diff --git a/host_vars/vm1/ansible.yml b/host_vars/vm1/ansible.yml
deleted file mode 100644
index 7827357..0000000
--- a/host_vars/vm1/ansible.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-ansible_host: "vm1"
diff --git a/host_vars/vm1/networking.yml b/host_vars/vm1/networking.yml
deleted file mode 100644
index 3ac5ae7..0000000
--- a/host_vars/vm1/networking.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-interfaces:
- enp0s3:
- type: void
- br0:
- ipv4: 10.0.2.5
- netmaskv4: 24
- type: static
- bridge: true
- gateway: 10.0.2.1
- interfaces:
- - enp0s3
- br1:
- type: manual
- bridge: true
- interfaces:
- - enp0s3.42
- wg0:
- ipv4: "{{ intranet.subnets.test.subnets.vm1.ipv4 }}"
- netmaskv4: "{{ intranet.netmaskv4 }}"
- type: wireguard
-
-ipv4_forwarding: false
-ipv6_forwarding: false
diff --git a/host_vars/vm1/vpn.yml b/host_vars/vm1/vpn.yml
deleted file mode 100644
index 349ec5a..0000000
--- a/host_vars/vm1/vpn.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-vpn_interfaces:
- wg0:
- ip: "{{ interfaces.wg0.ipv4 }}"
- private_key: "{{ vpn_vault_vm1_key }}"
- public_key: "uccS/p19vinH/S2GpVarDTYah4oRiSIABue8uEqKzRs="
- keepalive: true
- peers:
- - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
- public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
- allowed_ips:
- - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
- comment: "hindley"
diff --git a/host_vars/vm2/ansible.yml b/host_vars/vm2/ansible.yml
deleted file mode 100644
index da11026..0000000
--- a/host_vars/vm2/ansible.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-ansible_host: "vm2"
diff --git a/host_vars/vm2/networking.yml b/host_vars/vm2/networking.yml
deleted file mode 100644
index f05677f..0000000
--- a/host_vars/vm2/networking.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-interfaces:
- enp0s3:
- type: dhcp
- wg0:
- ipv4: "{{ intranet.subnets.test.subnets.vm2.ipv4 }}"
- netmaskv4: "{{ intranet.netmaskv4 }}"
- type: wireguard
-
-ipv4_forwarding: false
-ipv6_forwarding: false
diff --git a/host_vars/vm2/vpn.yml b/host_vars/vm2/vpn.yml
deleted file mode 100644
index cce5491..0000000
--- a/host_vars/vm2/vpn.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-vpn_interfaces:
- wg0:
- ip: "{{ interfaces.wg0.ipv4 }}"
- private_key: "{{ vpn_vault_vm2_key }}"
- public_key: "pxsYnL8N3VVVLlkXA8NOkqWsrSMrgdL1vj/VnZfKdRo="
- keepalive: true
- peers:
- - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
- public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
- allowed_ips:
- - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
- comment: "hindley"
diff --git a/host_vars/vm3/ansible.yml b/host_vars/vm3/ansible.yml
deleted file mode 100644
index bd11ecb..0000000
--- a/host_vars/vm3/ansible.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-ansible_host: "vm3"
diff --git a/host_vars/vm3/networking.yml b/host_vars/vm3/networking.yml
deleted file mode 100644
index 71acd30..0000000
--- a/host_vars/vm3/networking.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-interfaces:
- enp0s3:
- ipv4: 10.0.2.7
- netmaskv4: 24
- type: static
- gateway: 10.0.2.1
- wg0:
- ipv4: "{{ intranet.subnets.test.subnets.vm3.ipv4 }}"
- netmaskv4: "{{ intranet.netmaskv4 }}"
- type: wireguard
-
-ipv4_forwarding: false
-ipv6_forwarding: false
diff --git a/host_vars/vm3/vpn.yml b/host_vars/vm3/vpn.yml
deleted file mode 100644
index f6cf0a9..0000000
--- a/host_vars/vm3/vpn.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-vpn_interfaces:
- wg0:
- ip: "{{ interfaces.wg0.ipv4 }}"
- private_key: "{{ vpn_vault_vm3_key }}"
- public_key: "Cj3HAjXXr9DcmJoOkQkHvLWujZm8h6tBt2d54g0pqEg="
- keepalive: true
- peers:
- - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
- public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
- allowed_ips:
- - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
- comment: "hindley"
diff --git a/host_vars/vm4/ansible.yml b/host_vars/vm4/ansible.yml
deleted file mode 100644
index 131eced..0000000
--- a/host_vars/vm4/ansible.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-ansible_host: "vm4"
diff --git a/host_vars/vm4/networking.yml b/host_vars/vm4/networking.yml
deleted file mode 100644
index 1e9e9b4..0000000
--- a/host_vars/vm4/networking.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-interfaces:
- enp0s3:
- ipv4: 10.0.2.8
- netmaskv4: 24
- type: static
- gateway: 10.0.2.1
- wg0:
- ipv4: "{{ intranet.subnets.test.subnets.vm4.ipv4 }}"
- netmaskv4: "{{ intranet.netmaskv4 }}"
- type: wireguard
-
-ipv4_forwarding: false
-ipv6_forwarding: false
diff --git a/host_vars/vm4/vpn.yml b/host_vars/vm4/vpn.yml
deleted file mode 100644
index ccd2acb..0000000
--- a/host_vars/vm4/vpn.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-vpn_interfaces:
- wg0:
- ip: "{{ interfaces.wg0.ipv4 }}"
- private_key: "{{ vpn_vault_vm4_key }}"
- public_key: "5M84IO6uobYkMPupCI9h9y3iJXVIXAyDY8wkrMPcaRw="
- keepalive: true
- peers:
- - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
- public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
- allowed_ips:
- - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
- comment: "hindley"
diff --git a/host_vars/vm5/ansible.yml b/host_vars/vm5/ansible.yml
deleted file mode 100644
index 30c6274..0000000
--- a/host_vars/vm5/ansible.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-ansible_host: "vm5"
diff --git a/host_vars/vm5/networking.yml b/host_vars/vm5/networking.yml
deleted file mode 100644
index 5753321..0000000
--- a/host_vars/vm5/networking.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-interfaces:
- enp0s3:
- type: void
- br0:
- ipv4: 10.0.2.9
- netmaskv4: 24
- type: static
- bridge: true
- gateway: 10.0.2.1
- interfaces:
- - enp0s3
-
-ipv4_forwarding: false
-ipv6_forwarding: false
diff --git a/hosts b/hosts
index d96d57e..9b60703 100644
--- a/hosts
+++ b/hosts
@@ -4,17 +4,12 @@ all:
ubuntu:
hosts:
hindley:
- vm5:
debian_buster:
hosts:
azerty:
- vm1:
- vm2:
- vm3:
debian_bullseye:
hosts:
matrix_server:
- vm4:
proxmox_buster:
hosts:
hellman:
@@ -34,26 +29,22 @@ all:
server_hostname: azerty.fil.sand.auro.re
tests:
hosts:
- vm1:
- vm2:
- vm3:
- vm4:
- vm5:
rossum:
+ azerty:
+ hellman:
vpn:
hosts:
azerty:
hindley:
hellman:
rossum:
- vm1:
- vm2:
- vm3:
- vm4:
matrix_server:
apt_proxies:
hosts:
hindley:
+ prometheus_servers:
+ hosts:
+ hindley:
matrix:
hosts:
matrix_server:
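Review bot: Adding `azerty` and `hellman` to the `tests` group while they remain members of the production groups (`vpn`, `debian_buster`, `proxmox_buster`) changes the meaning of every `!tests` exclusion: any play that targets `all, !tests` will now silently skip those two hosts, whereas before the change `tests` only held the throwaway VMs that this commit deletes. If the group is now meant to select hosts whose TLS endpoints get probed, a separately named group would keep the exclusion semantics intact. The new single-member `prometheus_servers` group is fine as far as this hunk goes, but note that the grafana tasks in this diff reference an `appointed_prometheus_server` variable that nothing here defines.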
diff --git a/roles/base_config/tasks/main.yml b/roles/base_config/tasks/main.yml
index 7e0525b..6338f03 100644
--- a/roles/base_config/tasks/main.yml
+++ b/roles/base_config/tasks/main.yml
@@ -16,6 +16,7 @@
- unzip
- tcpdump
- net-tools
+ - acl
state: latest
update_cache: true
register: apt_result
diff --git a/roles/generate-cert/LICENSE b/roles/generate-cert/LICENSE
new file mode 100644
index 0000000..f234cd5
--- /dev/null
+++ b/roles/generate-cert/LICENSE
@@ -0,0 +1,167 @@
+ GNU LESSER GENERAL PUBLIC LICENSE
+ Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc.
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+
+ This version of the GNU Lesser General Public License incorporates
+the terms and conditions of version 3 of the GNU General Public
+License, supplemented by the additional permissions listed below.
+
+ 0. Additional Definitions.
+
+ As used herein, "this License" refers to version 3 of the GNU Lesser
+General Public License, and the "GNU GPL" refers to version 3 of the GNU
+General Public License.
+
+ "The Library" refers to a covered work governed by this License,
+other than an Application or a Combined Work as defined below.
+
+ An "Application" is any work that makes use of an interface provided
+by the Library, but which is not otherwise based on the Library.
+Defining a subclass of a class defined by the Library is deemed a mode
+of using an interface provided by the Library.
+
+ A "Combined Work" is a work produced by combining or linking an
+Application with the Library. The particular version of the Library
+with which the Combined Work was made is also called the "Linked
+Version".
+
+ The "Minimal Corresponding Source" for a Combined Work means the
+Corresponding Source for the Combined Work, excluding any source code
+for portions of the Combined Work that, considered in isolation, are
+based on the Application, and not on the Linked Version.
+
+ The "Corresponding Application Code" for a Combined Work means the
+object code and/or source code for the Application, including any data
+and utility programs needed for reproducing the Combined Work from the
+Application, but excluding the System Libraries of the Combined Work.
+
+ 1. Exception to Section 3 of the GNU GPL.
+
+ You may convey a covered work under sections 3 and 4 of this License
+without being bound by section 3 of the GNU GPL.
+
+ 2. Conveying Modified Versions.
+
+ If you modify a copy of the Library, and, in your modifications, a
+facility refers to a function or data to be supplied by an Application
+that uses the facility (other than as an argument passed when the
+facility is invoked), then you may convey a copy of the modified
+version:
+
+ a) under this License, provided that you make a good faith effort to
+ ensure that, in the event an Application does not supply the
+ function or data, the facility still operates, and performs
+ whatever part of its purpose remains meaningful, or
+
+ b) under the GNU GPL, with none of the additional permissions of
+ this License applicable to that copy.
+
+ 3. Object Code Incorporating Material from Library Header Files.
+
+ The object code form of an Application may incorporate material from
+a header file that is part of the Library. You may convey such object
+code under terms of your choice, provided that, if the incorporated
+material is not limited to numerical parameters, data structure
+layouts and accessors, or small macros, inline functions and templates
+(ten or fewer lines in length), you do both of the following:
+
+ a) Give prominent notice with each copy of the object code that the
+ Library is used in it and that the Library and its use are
+ covered by this License.
+
+ b) Accompany the object code with a copy of the GNU GPL and this license
+ document.
+
+ 4. Combined Works.
+
+ You may convey a Combined Work under terms of your choice that,
+taken together, effectively do not restrict modification of the
+portions of the Library contained in the Combined Work and reverse
+engineering for debugging such modifications, if you also do each of
+the following:
+
+ a) Give prominent notice with each copy of the Combined Work that
+ the Library is used in it and that the Library and its use are
+ covered by this License.
+
+ b) Accompany the Combined Work with a copy of the GNU GPL and this license
+ document.
+
+ c) For a Combined Work that displays copyright notices during
+ execution, include the copyright notice for the Library among
+ these notices, as well as a reference directing the user to the
+ copies of the GNU GPL and this license document.
+
+ d) Do one of the following:
+
+ 0) Convey the Minimal Corresponding Source under the terms of this
+ License, and the Corresponding Application Code in a form
+ suitable for, and under terms that permit, the user to
+ recombine or relink the Application with a modified version of
+ the Linked Version to produce a modified Combined Work, in the
+ manner specified by section 6 of the GNU GPL for conveying
+ Corresponding Source.
+
+ 1) Use a suitable shared library mechanism for linking with the
+ Library. A suitable mechanism is one that (a) uses at run time
+ a copy of the Library already present on the user's computer
+ system, and (b) will operate properly with a modified version
+ of the Library that is interface-compatible with the Linked
+ Version.
+
+ e) Provide Installation Information, but only if you would otherwise
+ be required to provide such information under section 6 of the
+ GNU GPL, and only to the extent that such information is
+ necessary to install and execute a modified version of the
+ Combined Work produced by recombining or relinking the
+ Application with a modified version of the Linked Version. (If
+ you use option 4d0, the Installation Information must accompany
+ the Minimal Corresponding Source and Corresponding Application
+ Code. If you use option 4d1, you must provide the Installation
+ Information in the manner specified by section 6 of the GNU GPL
+ for conveying Corresponding Source.)
+
+ 5. Combined Libraries.
+
+ You may place library facilities that are a work based on the
+Library side by side in a single library together with other library
+facilities that are not Applications and are not covered by this
+License, and convey such a combined library under terms of your
+choice, if you do both of the following:
+
+ a) Accompany the combined library with a copy of the same work based
+ on the Library, uncombined with any other library facilities,
+ conveyed under the terms of this License.
+
+ b) Give prominent notice with the combined library that part of it
+ is a work based on the Library, and explaining where to find the
+ accompanying uncombined form of the same work.
+
+ 6. Revised Versions of the GNU Lesser General Public License.
+
+ The Free Software Foundation may publish revised and/or new versions
+of the GNU Lesser General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+Library as you received it specifies that a certain numbered version
+of the GNU Lesser General Public License "or any later version"
+applies to it, you have the option of following the terms and
+conditions either of that published version or of any later version
+published by the Free Software Foundation. If the Library as you
+received it does not specify a version number of the GNU Lesser
+General Public License, you may choose any version of the GNU Lesser
+General Public License ever published by the Free Software Foundation.
+
+ If the Library as you received it specifies that a proxy can decide
+whether future versions of the GNU Lesser General Public License shall
+apply, that proxy's public statement of acceptance of any version is
+permanent authorization for you to choose that version for the
+Library.
+
+
diff --git a/roles/generate-cert/README.md b/roles/generate-cert/README.md
new file mode 100644
index 0000000..ce5aeca
--- /dev/null
+++ b/roles/generate-cert/README.md
@@ -0,0 +1,9 @@
+# generate-cert
+
+This role is part of the project [Ansible Hacky PKI](https://gitea.auro.re/histausse/ansible_hacky_pki) licenced under the LGPL 3.
+
+You can use it to generate certificate and manage de small pki, but keep it mind that this program is distributed **WITHOUT ANY WARRANTY**.
+In particular, the **security** of the pki generated and the process of generated the pki **is not guaranteed**. If you find any vulnerability,
+please contact me to see if we can find a patch.
+
+Copyright 2021 Jean-Marie Mineau
diff --git a/roles/generate-cert/defaults/main.yml b/roles/generate-cert/defaults/main.yml
new file mode 100644
index 0000000..b104186
--- /dev/null
+++ b/roles/generate-cert/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+key_usage:
+ - digitalSignature
+ - keyEncipherment
+validity_duration: "+365d"
+time_before_expiration_for_renewal: "+30d" # need a better name
+force_renewal: no
+store_directory: /etc/hackypky
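Review bot: `force_renewal: no` is a YAML 1.1 truthy that yamllint flags and that a YAML 1.2 parser reads as the string `no`; write `force_renewal: false`. The `# need a better name` comment on `time_before_expiration_for_renewal` can be replaced with one that explains the contract instead, since renaming a role default would break callers: `# relative time (e.g. "+30d"); the cert is renewed when it would no longer be valid at now + this`.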
diff --git a/roles/generate-cert/tasks/main.yml b/roles/generate-cert/tasks/main.yml
new file mode 100644
index 0000000..afd91c7
--- /dev/null
+++ b/roles/generate-cert/tasks/main.yml
@@ -0,0 +1,165 @@
+---
+- name: Ensure the directories used to store certs exist
+ file:
+ path: "{{ item }}"
+ state: directory
+ group: root
+ owner: root
+ mode: u=rwx,g=rx,o=rx
+ loop:
+ - "{{ store_directory }}"
+ - "{{ store_directory }}/crts"
+ - "{{ store_directory }}/keys"
+
+- name: Ensure the directory containing the cert exist
+ file:
+ path: "{{ directory }}"
+ state: directory
+
+- name: Test if the key already exist
+ stat:
+ path: "{{ store_directory}}/keys/{{ cname }}.key"
+ register: key_file
+
+- name: Test if the cert already exist
+ stat:
+ path: "{{ store_directory}}/crts/{{ cname }}.crt"
+ register: cert_file
+
+- name: Test if we need to renew the certificate
+ openssl_certificate_info:
+ path: "{{ store_directory }}/crts/{{ cname }}.crt"
+ valid_at:
+ renewal: "{{ time_before_expiration_for_renewal }}"
+ register: validity
+ when: cert_file.stat.exists
+
+- name: Generate the certificate
+ block:
+ - name: Generate private key
+ become: false
+ openssl_privatekey:
+ path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
+ mode: u=rw,g=,o=
+ size: "{{ key_size | default(omit) }}"
+ delegate_to: localhost
+
+ - name: Generate a Certificate Signing Request
+ become: false
+ openssl_csr:
+ path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
+ privatekey_path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
+ common_name: "{{ cname }}"
+ country_name: "{{ country_name | default(omit) }}"
+ locality_name: "{{ locality_name | default(omit) }}"
+ state_or_province_name: "{{ state_or_province_name | default(omit) }}"
+ organization_name: "{{ organization_name | default(omit) }}"
+ organizational_unit_name: "{{ organizational_unit_name | default(omit) }}"
+ email_address: "{{ email_address | default(omit) }}"
+ basic_constraints:
+ - CA:FALSE # syntax?
+ basic_constraints_critical: yes
+ key_usage: "{{ key_usage }}"
+ key_usage_critical: yes
+ subject_alt_name: "{{ subject_alt_name | default(omit) }}"
+ crl_distribution_points: "{{ crl_distribution_points | default(omit) }}"
+ delegate_to: localhost
+
+ - name: Put the CA in a file
+ become: false
+ copy:
+ content: "{{ ca_cert }}"
+ dest: "/tmp/ansible_hacky_pki_ca.crt"
+ delegate_to: localhost
+
+ - name: Put the CA key in a file
+ become: false
+ copy:
+ content: "{{ ca_key }}"
+ dest: "/tmp/ansible_hacky_pki_ca.key"
+ mode: u=rw,g=,o=
+ delegate_to: localhost
+ no_log: yes
+
+ - name: Sign the certificate
+ become: false
+ openssl_certificate:
+ path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
+ csr_path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
+ ownca_not_after: "{{ validity_duration }}"
+ ownca_path: /tmp/ansible_hacky_pki_ca.crt
+ ownca_privatekey_passphrase: "{{ ca_passphrase }}"
+ ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key
+ provider: ownca
+ delegate_to: localhost
+
+ - name: Send private key to the server
+ copy:
+ src: "/tmp/ansible_hacky_pki_{{ cname }}.key"
+ dest: "{{ store_directory }}/keys/{{ cname }}.key"
+ owner: "{{ owner | default('root') }}"
+ group: "{{ group | default('root') }}"
+ mode: "{{ key_mode | default('u=rw,g=,o=') }}"
+ no_log: yes
+
+ - name: Send certificate to the server
+ copy:
+ src: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
+ dest: "{{ store_directory }}/crts/{{ cname }}.crt"
+ owner: "{{ owner | default('root') }}"
+ group: "{{ group | default('root') }}"
+ mode: "{{ key_mode | default('u=rw,g=r,o=r') }}"
+
+ # Clean up
+ - name: Remove the local cert key
+ become: false
+ file:
+ path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
+ state: absent
+ delegate_to: localhost
+
+ - name: Remove the CSR
+ become: false
+ file:
+ path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
+ state: absent
+ delegate_to: localhost
+
+ - name: Remove the local certificate
+ become: false
+ file:
+ path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
+ state: absent
+ delegate_to: localhost
+
+ - name: Remove the CA certificate
+ become: false
+ file:
+ path: /tmp/ansible_hacky_pki_ca.crt
+ state: absent
+ delegate_to: localhost
+
+ - name: Remove the CA key
+ become: false
+ file:
+ path: /tmp/ansible_hacky_pki_ca.key
+ state: absent
+ delegate_to: localhost
+ when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
+
+- name: Create the link to cert
+ file:
+ src: "{{ store_directory }}/crts/{{ cname }}.crt"
+ dest: "{{ directory }}/{{ cname }}.crt"
+ owner: "{{ owner | default('root') }}"
+ group: "{{ group | default('root') }}"
+ state: link
+
+- name: Create the link to key
+ file:
+ src: "{{ store_directory }}/keys/{{ cname }}.key"
+ dest: "{{ directory }}/{{ cname }}.key"
+ owner: "{{ owner | default('root') }}"
+ group: "{{ group | default('root') }}"
+ state: link
+
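Review bot: The five cleanup tasks starting at `Remove the local cert key` are ordinary members of the `block:`, so if `Sign the certificate` or either `copy` to the server fails the block aborts before them and the CA key, the freshly generated unencrypted private key and the CSR stay behind in the controller's `/tmp` under predictable names; move those five tasks into an `always:` section of the same block so they run on failure as well. `Send certificate to the server` reuses `key_mode` for the certificate's permissions, `mode: "{{ key_mode | default('u=rw,g=r,o=r') }}"`, so a caller that tightens `key_mode` (as the grafana role in this diff does) also makes the public certificate unreadable to the service group; a separate `cert_mode` variable, `mode: "{{ cert_mode | default('u=rw,g=r,o=r') }}"`, is presumably what was intended. The `# syntax?` next to `CA:FALSE` can be resolved: a list of strings such as `CA:FALSE` is the form the openssl_csr module documents for `basic_constraints`, so the comment can be dropped. The `yes`/`no` truthies (`basic_constraints_critical`, `key_usage_critical`, `no_log`) should be `true` for consistency with the `false` already used on `become`.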
diff --git a/roles/grafana/handlers/main.yml b/roles/grafana/handlers/main.yml
new file mode 100644
index 0000000..cfedf9f
--- /dev/null
+++ b/roles/grafana/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart Grafana
+ systemd:
+ name: grafana-server
+ state: restarted
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
new file mode 100644
index 0000000..98c4d41
--- /dev/null
+++ b/roles/grafana/tasks/main.yml
@@ -0,0 +1,79 @@
+---
+- name: Install apt transport https
+ apt:
+ name:
+ - apt-transport-https
+ state: latest
+ update_cache: true
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Add Graphana Repo Key
+ apt_key:
+ url: https://packages.grafana.com/gpg.key
+ state: present
+
+- name: Add Grafana Repository
+ apt_repository:
+ repo: deb https://packages.grafana.com/oss/deb stable main
+ state: present
+
+- name: Install Grafana
+ apt:
+ name:
+ - grafana
+ state: latest
+ update_cache: true
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Configure Grafana
+ template:
+ src: grafana.ini
+ dest: /etc/grafana/grafana.ini
+ owner: grafana
+ group: grafana
+ mode: u=rw,g=r,o=
+ no_log: true
+ notify: Restart Grafana
+
+- name: Copy the CA cert
+ copy:
+ content: "{{ ca_cert }}"
+ dest: /etc/grafana/ca.crt
+ notify: Restart prometheus
+
+- name: Generate certificate
+ include_role:
+ name: generate-cert
+ vars:
+ directory: /etc/grafana/
+ cname: "grafana-{{ lan_address }}"
+ owner: grafana
+ group: grafana
+ key_mode: u=rw,g=,o=
+ subject_alt_name: "IP:{{ lan_address }}"
+# Need an equivalent to notify here
+
+## THIS CERT CANNOT BE MONITORED BECAUSE IT IS A CLIENT CERT :'(
+#- name: Ensured the certificate is monitored
+# import_tasks: register-cert-to-monitoring.yml
+# vars:
+# target: "{{ lan_address }}:|grafana-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
+
+- name: Add Prometheus data source
+ template:
+ src: prometheus_datasource.yaml
+ dest: /etc/grafana/provisioning/datasources/prometheus_datasource.yaml
+ owner: grafana
+ group: grafana
+ mode: u=rw,g=r,o=
+ notify: Restart Grafana
+
+- name: Enable Grafana
+ systemd:
+ name: grafana-server
+ enabled: true
+ state: started
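Review bot: `Copy the CA cert` notifies `Restart prometheus`, but this role's handlers file in the same diff only defines `Restart Grafana`; unless a prometheus role in the same play happens to provide that handler the play fails with an unknown-handler error, and even when it exists, restarting Prometheus is not the right reaction to a changed Grafana CA file — `notify: Restart Grafana` is presumably what was meant. `Add Graphana Repo Key` imports the vendor key into the system-wide trusted keyring without any fingerprint check, so a substituted key served at that URL would be trusted; passing the expected key id through `apt_key`'s `id` parameter (`id: <GRAFANA_KEY_ID>`, placeholder) makes the task fail closed on a mismatch. The task name also misspells Grafana as `Graphana`.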
diff --git a/roles/grafana/tasks/register-cert-to-monitoring.yml b/roles/grafana/tasks/register-cert-to-monitoring.yml
new file mode 100644
index 0000000..82d550a
--- /dev/null
+++ b/roles/grafana/tasks/register-cert-to-monitoring.yml
@@ -0,0 +1,23 @@
+---
+- name: Get the list of targets of the server
+ slurp:
+ src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
+ register: server_tls_targets_file
+ delegate_to: "{{ appointed_prometheus_server }}"
+
+- name: Set target variable from file
+ set_fact:
+ server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
+
+- name: Register the endpoint to the prometheus server
+ block:
+ - name: Add the target
+ set_fact:
+ new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
+
+ - name: Put the new target list
+ copy:
+ content: "{{ new_server_tls_targets | to_nice_json }}"
+ dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
+ delegate_to: "{{ appointed_prometheus_server }}"
+ when: target not in server_tls_targets.0.targets
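Review bot: The read-modify-write of `/etc/prometheus/targets/blackbox-tls-internal-targets.json` (`slurp` on the delegated host, then `copy` back) runs once per host in the play with no serialization, so two hosts registering concurrently can both read the same list and the second write drops the first host's target; adding `throttle: 1` to the block (Ansible 2.9+) or running the calling play with `serial` limits the file to one writer at a time. `server_tls_targets.0.targets` in the `when:` and `server_tls_targets[0]` in `Add the target` both assume the file already holds at least one entry, so an empty `[]` makes the task error out rather than append; guard with `server_tls_targets | length > 0` or seed the file with one group. The `copy` back sets no `owner`/`group`/`mode`, so the rewritten targets file takes whatever the delegated connection user gives it rather than what the prometheus service expects.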
diff --git a/roles/grafana/templates/grafana.ini b/roles/grafana/templates/grafana.ini
new file mode 100644
index 0000000..8acbf7e
--- /dev/null
+++ b/roles/grafana/templates/grafana.ini
@@ -0,0 +1,1008 @@
+{{ ansible_managed | comment }}
+
+##################### Grafana Configuration Example #####################
+#
+# Everything has defaults so you only need to uncomment things you want to
+# change
+
+# possible values : production, development
+;app_mode = production
+
+# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
+;instance_name = ${HOSTNAME}
+
+#################################### Paths ####################################
+[paths]
+# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
+;data = /var/lib/grafana
+
+# Temporary files in `data` directory older than given duration will be removed
+;temp_data_lifetime = 24h
+
+# Directory where grafana can store logs
+;logs = /var/log/grafana
+
+# Directory where grafana will automatically scan and look for plugins
+;plugins = /var/lib/grafana/plugins
+
+# folder that contains provisioning config files that grafana will apply on startup and while running.
+;provisioning = conf/provisioning
+
+#################################### Server ####################################
+[server]
+# Protocol (http, https, h2, socket)
+;protocol = http
+
+# The ip address to bind to, empty will bind to all interfaces
+http_addr = 127.0.0.1
+
+# The http port to use
+;http_port = 3000
+
+# The public facing domain name used to access grafana from a browser
+domain = {{ grafana_domain_name }}
+
+# Redirect to correct domain if host header does not match domain
+# Prevents DNS rebinding attacks
+;enforce_domain = false
+
+# The full public facing url you use in browser, used for redirects and emails
+# If you use reverse proxy and sub path specify full url (with sub path)
+root_url = %(protocol)s://%(domain)s/
+
+# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
+;serve_from_sub_path = false
+
+# Log web requests
+router_logging = true
+
+# the path relative working path
+;static_root_path = public
+
+# enable gzip
+enable_gzip = true
+
+# https certs & key file
+;cert_file =
+;cert_key =
+
+# Unix socket path
+;socket =
+
+# CDN Url
+;cdn_url =
+
+# Sets the maximum time using a duration format (5s/5m/5ms) before timing out read of an incoming request and closing idle connections.
+# `0` means there is no timeout for reading the request.
+;read_timeout = 0
+
+#################################### Database ####################################
+[database]
+# You can configure the database connection by specifying type, host, name, user and password
+# as separate properties or as on string using the url properties.
+
+# Either "mysql", "postgres" or "sqlite3", it's your choice
+;type = sqlite3
+;host = 127.0.0.1:3306
+;name = grafana
+;user = root
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+;password =
+
+# Use either URL or the previous fields to configure the database
+# Example: mysql://user:secret@host:port/database
+;url =
+
+# For "postgres" only, either "disable", "require" or "verify-full"
+;ssl_mode = disable
+
+# Database drivers may support different transaction isolation levels.
+# Currently, only "mysql" driver supports isolation levels.
+# If the value is empty - driver's default isolation level is applied.
+# For "mysql" use "READ-UNCOMMITTED", "READ-COMMITTED", "REPEATABLE-READ" or "SERIALIZABLE".
+;isolation_level =
+
+;ca_cert_path =
+;client_key_path =
+;client_cert_path =
+;server_cert_name =
+
+# For "sqlite3" only, path relative to data_path setting
+;path = grafana.db
+
+# Max idle conn setting default is 2
+;max_idle_conn = 2
+
+# Max conn setting default is 0 (mean not set)
+;max_open_conn =
+
+# Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours)
+;conn_max_lifetime = 14400
+
+# Set to true to log the sql calls and execution times.
+;log_queries =
+
+# For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
+;cache_mode = private
+
+################################### Data sources #########################
+[datasources]
+# Upper limit of data sources that Grafana will return. This limit is a temporary configuration and it will be deprecated when pagination will be introduced on the list data sources API.
+;datasource_limit = 5000
+
+#################################### Cache server #############################
+[remote_cache]
+# Either "redis", "memcached" or "database" default is "database"
+;type = database
+
+# cache connectionstring options
+# database: will use Grafana primary database.
+# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=0,ssl=false`. Only addr is required. ssl may be 'true', 'false', or 'insecure'.
+# memcache: 127.0.0.1:11211
+;connstr =
+
+#################################### Data proxy ###########################
+[dataproxy]
+
+# This enables data proxy logging, default is false
+;logging = false
+
+# How long the data proxy waits to read the headers of the response before timing out, default is 30 seconds.
+# This setting also applies to core backend HTTP data sources where query requests use an HTTP client with timeout set.
+;timeout = 30
+
+# How long the data proxy waits to establish a TCP connection before timing out, default is 10 seconds.
+;dialTimeout = 10
+
+# How many seconds the data proxy waits before sending a keepalive probe request.
+;keep_alive_seconds = 30
+
+# How many seconds the data proxy waits for a successful TLS Handshake before timing out.
+;tls_handshake_timeout_seconds = 10
+
+# How many seconds the data proxy will wait for a server's first response headers after
+# fully writing the request headers if the request has an "Expect: 100-continue"
+# header. A value of 0 will result in the body being sent immediately, without
+# waiting for the server to approve.
+;expect_continue_timeout_seconds = 1
+
+# Optionally limits the total number of connections per host, including connections in the dialing,
+# active, and idle states. On limit violation, dials will block.
+# A value of zero (0) means no limit.
+;max_conns_per_host = 0
+
+# The maximum number of idle connections that Grafana will keep alive.
+;max_idle_connections = 100
+
+# How many seconds the data proxy keeps an idle connection open before timing out.
+;idle_conn_timeout_seconds = 90
+
+# If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request, default is false.
+;send_user_header = false
+
+#################################### Analytics ####################################
+[analytics]
+# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
+# No ip addresses are being tracked, only simple counters to track
+# running instances, dashboard and error counts. It is very helpful to us.
+# Change this option to false to disable reporting.
+;reporting_enabled = true
+
+# The name of the distributor of the Grafana instance. Ex hosted-grafana, grafana-labs
+;reporting_distributor = grafana-labs
+
+# Set to false to disable all checks to https://grafana.net
+# for new versions (grafana itself and plugins), check is used
+# in some UI views to notify that grafana or plugin update exists
+# This option does not cause any auto updates, nor send any information
+# only a GET request to http://grafana.com to get latest versions
+;check_for_updates = true
+
+# Google Analytics universal tracking code, only enabled if you specify an id here
+;google_analytics_ua_id =
+
+# Google Tag Manager ID, only enabled if you specify an id here
+;google_tag_manager_id =
+
+#################################### Security ####################################
+[security]
+# disable creation of admin user on first start of grafana
+;disable_initial_admin_creation = false
+
+# default admin user, created on startup
+;admin_user = admin
+
+# default admin password, can be changed before first start of grafana, or in profile settings
+admin_password = {{ grafana_admin_password }}
+
+# used for signing
+;secret_key = SW2YcwTIb9zpOOhoPsMm
+
+# disable gravatar profile images
+;disable_gravatar = false
+
+# data source proxy whitelist (ip_or_domain:port separated by spaces)
+;data_source_proxy_whitelist =
+
+# disable protection against brute force login attempts
+;disable_brute_force_login_protection = false
+
+# set to true if you host Grafana behind HTTPS. default is false.
+;cookie_secure = false
+
+# set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict", "none" and "disabled"
+;cookie_samesite = lax
+
+# set to true if you want to allow browsers to render Grafana in a ,