Pains-Perdus/ansible
3
1
Fork 0
Code Issues Pull requests 1 Releases Wiki Activity

Compare commits

base: Pains-Perdus:master
Branches Tags
Pains-Perdus:master
Pains-Perdus:dev
Pains-Perdus:big_cleanup
Pains-Perdus:monitoring
Pains-Perdus:matrix
Pains-Perdus:networking
Pains-Perdus:DNS
..
compare: Pains-Perdus:networking
Branches Tags
Pains-Perdus:dev
Pains-Perdus:big_cleanup
Pains-Perdus:master
Pains-Perdus:monitoring
Pains-Perdus:matrix
Pains-Perdus:networking
Pains-Perdus:DNS

No commits in common. "master" and "networking" have entirely different histories.
master ... networking

117 changed files with 387 additions and 6435 deletions
Show stats Expand all files Collapse all files

18
.gitmodules vendored
View file

@ -1,18 +0,0 @@
[submodule "roles/matrix-bridge-discord"]
path = roles/matrix-bridge-discord
url = ssh://git@gitea.auro.re:2222/Pains-Perdus/matrix-bridge-discord.git
[submodule "roles/matrix-bridge-facebook"]
path = roles/matrix-bridge-facebook
url = ssh://git@gitea.auro.re:2222/Pains-Perdus/matrix-bridge-facebook.git
[submodule "roles/matrix-bridge-signal"]
path = roles/matrix-bridge-signal
url = ssh://git@gitea.auro.re:2222/Pains-Perdus/matrix-bridge-signal.git
[submodule "roles/matrix-bridge-instagram"]
path = roles/matrix-bridge-instagram
url = ssh://git@gitea.auro.re:2222/Pains-Perdus/matrix-bridge-instagram.git
[submodule "roles/postgre"]
path = roles/postgre
url = ssh://git@gitea.auro.re:2222/Pains-Perdus/postgre.git
[submodule "roles/matrix-bridge-telegram"]
path = roles/matrix-bridge-telegram
url = ssh://git@gitea.auro.re:2222/Pains-Perdus/matrix-bridge-telegram.git

40
TODO.md
View file

@ -1,40 +0,0 @@
# My todo list
Stuff that I should do but will probably never do.
## Polish the user role
The role is fine, but could use some default filter, like for the shell value.
Also, the variables are messy.
Also, a more atomique gestion of the users would be great.
## Create a role "generate certificate"
Curently, reverse_proxt_http and similare roles implement certbot themselves, and there is a role
for generating self signed certificate.
It would be better to manage certbot in a role, to allow off-wan machine to use reverse_proxy_http with self signed certificates for instance.
Bonus point if the role chose whether to use certbot or a self-signed certificate (but the dependencie gestion could begin to get tricky :/ )
## Proxmox setup
setup:
- x509 for clickodrom
- bind the clickodrom to a specific interface
- remove the "please pay us" message
- remove the enterprise apt repo
## VM setup
- create a VM from template using cloud init
- add VM to dynamic inventory
- use the cloud init account to connect to the new VM
- setup the VM
- disable cloud init
- remove cloud init account and change the connenction variable for the vm
good luck

0
books/apt_proxy.yml Executable file → Normal file
View file

4
books/base.yml Executable file → Normal file
View file

@ -9,10 +9,6 @@
roles:
- networking
- base_config
- prometheus-node-exporter
- hosts: all, !tests, !no_user,
roles:
- create_users
- ssh_totp

1
books/dns.yml Executable file → Normal file
View file

@ -4,5 +4,6 @@
# Reverse proxy
- hosts: proxy
roles:
- install_nginx
- configure_resolved
- reverse_proxy_stream

0
books/gitea.yml Executable file → Normal file
View file

0
books/keycloak.yml Executable file → Normal file
View file

14
books/matrix.yml
View file

@ -1,14 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts: matrix
roles:
- synapse
- matrix-bridge-discord
- matrix-bridge-facebook
- matrix-bridge-signal
- matrix-bridge-instagram
- matrix-bridge-telegram
- hosts: proxy
roles:
- rp_synapse

12
books/monitoring.yml
View file

@ -1,12 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts: prometheus_servers
roles:
- prometheus
- prometheus-alert-manager
- grafana
- prometheus-blackbox-exporter
- hosts: all, !tests,
roles:
- prometheus-node-exporter

2
books/users.yml Executable file → Normal file
View file

@ -1,7 +1,7 @@
#!/usr/bin/env ansible-playbook
---
- hosts: all, !tests, !no_user
- hosts: all, !tests
roles:
- create_users
- base_totp

0
books/vpn.yml Executable file → Normal file
View file

1
books/web_services.yml Executable file → Normal file
View file

@ -4,5 +4,6 @@
# Reverse proxy
- hosts: proxy
roles:
- install_nginx
- reverse_proxy_http
- share_file_web

57
group_vars/all/ca.yml
View file

@ -1,57 +0,0 @@
---
ca_passphrase: "{{ vault_ca_passphrase }}"
ca_key: "{{ vault_ca_key }}"
ca_cert: |
-----BEGIN CERTIFICATE-----
MIIFhzCCA2+gAwIBAgIUP+ptXLNUBVsZm5oYpynQd5mhB60wDQYJKoZIhvcNAQEL
BQAwUzELMAkGA1UEBhMCRlIxEzARBgNVBAgMClNvbWUtU3RhdGUxFTATBgNVBAoM
DFBhaW5zLVBlcmR1czEYMBYGA1UEAwwPQ0EgUGFpbnMtUGVyZHVzMB4XDTIxMDky
MTE0NDUxNloXDTMxMDkxOTE0NDUxNlowUzELMAkGA1UEBhMCRlIxEzARBgNVBAgM
ClNvbWUtU3RhdGUxFTATBgNVBAoMDFBhaW5zLVBlcmR1czEYMBYGA1UEAwwPQ0Eg
UGFpbnMtUGVyZHVzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4jG+
8N5YN91KghYjYTOBQ+lRYJ45X5S9mfcwwf8OIMGe+NyNkXx2GX4uYpZOitYOApI4
rGnAjhll7tdZevzfdqpUDCYUDT6iR4BzL32k22mIN+iW6zQPaZetOU7VIA9V5TsM
WbDsftqh6fj3N4SwVMpHiuiajMkX8CIELxoXDAJULvwyreWOONlwDMObtVCHBIhM
uf1Jbx2DfRNS/w6lbHPCrZefMCea1FrSaotOANXxNgQfptX3fLZbhH5RiZQLDU8k
ZChAUoW9hE4+uiSOUMd2hl9XgCWHcGEMcKyWG+/lx8UUw3Zl+oOrfb+IWo5IByVZ
8nV5aiTMCuRlcTcMHUuedRaPcWfl5ZaEOVzhYXIYM4Oa8ShqXuWqW0WZ8oIhI2ya
hTE03mIPV1nX3ucE9GsDZpnrj7t+qd8etiZXFGVihKEqVFfhzKRsPh4wgUKH/gwG
AJshPA9NyJ0JpzUaWQ2acUjo3Hg9WPSTaMb46FS7hUdZUcZZiwSq9JjHDNAUKjNY
zudKjTyqJXkqwhNvMfKWFIGYjldvZgQXzuT8XmSHYSKuLfH9Ko28FX0Aujye1TTH
MPljXruyO04Q7NUg/jqtxdsWRpH/qCt12PmRuIiXsNCAeLjSuc75H+AOPbNudJLT
w2AUTkfn3mw/XTwEBfemHAo6GAdtCDKo6GxBqvcCAwEAAaNTMFEwHQYDVR0OBBYE
FIh4sxxlmesmbVKPWKo81BXMFVqVMB8GA1UdIwQYMBaAFIh4sxxlmesmbVKPWKo8
1BXMFVqVMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAKipx6Nu
QwnYmwYPd3kUVBOj9ia0PVeE4LoUSRapzRTF2HilSIo9Sa7qD1HVxbWrghUPLjW/
Ru04k82hxvAm26gc1XeqIBzpgZmxwF0QibCeuj1vDXsndACXVHd6Atvnl0rW4bEI
pVCqerXNu0T4STk2V/xNqndGMRp/vZX67BlyHAHD4el957R9RYlyxW6fADrHDKqk
tC1eTeQtEi5W7v9X3dNGdtFS+exDrYpUTHPDwM81u25oCGUFGsH3RlG7LUEQ5mYW
SsJ3EKpIkMxSZB3/GqttCIHi+yEMtwDDL3dN8UnVaTkRjVNQxraOUwe66QByGqnJ
9YeQNpUfZxWFW/GW2fBAvD/RaLrLZ4ywhUze38ks4jsLnAIduawjQ8GlNg9i2MqD
zvDat41LWSCDjRUOfCp7fc9lMlI5blTafozrAddMV8YUs3bQ6XD0H31pP59jb7nc
5kmwqH6RivbFZZYBquQVujiiI7d+9m+X9OfTZJTCpRPCGYZcLuqH7txyPhixxrZd
a8lWJ+5jHOdncV/ZWSB5JnjKbaMMEPcaTo3puEPt/yl74CR7UOJXr5oM0bVFKjas
90hY5U+jPAcneCk2oc44R4NWuQ7qbsjPRfcxxi27DoLbhlmPp9jQwYQEqmdflcZ0
zCTEq81KO2mAbJgTc/ahhcvAV/huJ5d8c9R1
-----END CERTIFICATE-----
crl_distribution_points:
- full_name: "URI:https://ca.deso-palaiseau.fr/revocations.crl"
reasons:
- key_compromise
- ca_compromise
- affiliation_changed
- superseded
- cessation_of_operation
- certificate_hold
- privilege_withdrawn
- aa_compromise
- full_name: "URI:https://ca-pains-perdus.intra/revocations.crl"
reasons:
- key_compromise
- ca_compromise
- affiliation_changed
- superseded
- cessation_of_operation
- certificate_hold
- privilege_withdrawn
- aa_compromise

65
group_vars/all/matrix.yml
View file

@ -1,65 +0,0 @@
---
matrix_server_name: pains-perdus.fr
matrix_local_server_name: synapse.pp.intra
matrix_enable_registration: False
synapse_postgre_user_pwd: "{{ vault_synapse_postgre_user_pwd }}"
matrix_max_upload_size: 50M
matrix_registration_shared_secret: "{{ vault_matrix_registration_shared_secret }}"
matrix_macaroon_secret: "{{ vault_matrix_macaroon_secret }}"
matrix_form_secret: "{{ vault_matrix_form_secret }}"
matrix_apps_services:
- discord
- facebook
- signal
- instagram
- telegram
# bridge discord
matrix_bridge_discord_postgre_user_pwd: "{{ vault_matrix_bridge_discord_postgre_user_pwd }}"
matrix_bridge_discord_client_ID: "{{ vault_matrix_bridge_discord_client_ID }}"
matrix_bridge_discord_botToken: "{{ vault_matrix_bridge_discord_botToken }}"
# bridge facebook
matrix_bridge_facebook_postgre_user_pwd: "{{ vault_matrix_bridge_facebook_postgre_user_pwd }}"
# Those values are generated by the bridge the first time the bridge is launched.
# we copied the values generated from our test config
matrix_bridge_facebook_integration_manager_shared_secret: "{{ vault_matrix_bridge_facebook_integration_manager_shared_secret }}"
# matrix_bridge_facebook_as_token: "{{ vault_matrix_bridge_facebook_as_token }}"
# matrix_bridge_facebook_hs_token: "{{ vault_matrix_bridge_facebook_hs_token }}"
matrix_bridge_facebook_admins:
- g33kex
- histausse
matrix_bridge_facebook_allowed_external_user:
- '@dorianx:matrix.rezel.net'
# bridge signal
matrix_bridge_signal_postgre_user_pwd: "{{ vault_matrix_bridge_signal_postgre_user_pwd }}"
matrix_bridge_signal_admins:
- g33kex
- histausse
matrix_bridge_signal_allowed_external_user:
- '@dorianx:matrix.rezel.net'
# bridge instagram
matrix_bridge_instagram_postgre_user_pwd: "{{ vault_matrix_bridge_instagram_postgre_user_pwd }}"
matrix_bridge_instagram_admins:
- g33kex
- histausse
matrix_bridge_instagram_allowed_external_user:
- '@dorianx:matrix.rezel.net'
# bridge telegram
matrix_bridge_telegram_postgre_user_pwd: "{{ vault_matrix_bridge_telegram_postgre_user_pwd }}"
matrix_bridge_telegram_admins:
- g33kex
- histausse
matrix_bridge_telegram_allowed_external_user:
- '@dorianx:matrix.rezel.net'
matrix_bridge_telegram_api_id: "{{ vault_matrix_bridge_telegram_api_id }}"
matrix_bridge_telegram_api_hash: "{{ vault_matrix_bridge_telegram_api_hash }}"
matrix_bridge_telegram_bot_token: "{{ vault_matrix_bridge_telegram_bot_token }}"
# Not configured for now
matrix_stats_endpoint: https://127.0.0.1/report-usage-stats/push

50
group_vars/all/networking.yml
View file

@ -18,33 +18,59 @@ intranet:
ipv4: 172.20.1.1
netmaskv4: 32
comment: Hindley
router_hellman:
domaine: 'router-hellman'
azerty:
domaine: azerty
ipv4: 172.20.1.2
netmaskv4: 32
comment: Azerty
hellman:
domaine: hellman
ipv4: 172.20.1.3
netmaskv4: 32
comment: Router on Hellman
matrix:
domaine: matrix
ipv4: 172.20.1.5
comment: Hellman
rossum:
domaine: rossum
ipv4: 172.20.1.4
netmaskv4: 32
comment: Matrix server
comment: Rossum
guest_hellman:
domaine: hllm
ipv4: 172.20.198.0
ipv4: 172.20.103.0
netmaskv4: 24
gateway: 172.20.198.1
gateway: 172.20.103.1
comment: Lan for the vm hosted on hellman
subnets:
hellman:
domaine: router
ipv4: 172.20.198.1
domaine: hellman
ipv4: 172.20.103.1
netmaskv4: 32
comment: Router
comment: Hellman
test:
domaine: test
ipv4: 172.20.199.0
netmaskv4: 24
comment: Test VM
subnets:
vm1:
domaine: vm1
ipv4: 172.20.199.1
netmaskv4: 32
comment: Test vm 1, on knuth
vm2:
domaine: vm2
ipv4: 172.20.199.2
netmaskv4: 32
comment: Test vm 2, on knuth
vm3:
domaine: vm3
ipv4: 172.20.199.3
netmaskv4: 32
comment: Test vm 3, on knuth
vm4:
domaine: vm4
ipv4: 172.20.199.4
netmaskv4: 32
comment: Test vm 4, on knuth
guest:
domaine: guest
ipv4: 172.20.200.0

9
group_vars/all/revers_proxy.yml
View file

@ -1,9 +0,0 @@
---
reverse_proxy_sites:
- {from: wiki.pains-perdus.fr, to: "https://azerty.fil.sand.auro.re:2443"}
- {from: hindley.pains-perdus.fr, to: "http://127.0.0.1:5000"}
- {from: "{{ grafana_domain_name }}", to: "http://127.0.0.1:3000"}
sharing_sites:
- {from: share.deso-palaiseau.fr, folder: "/home/histausse/www", user: histausse, group: histausse}

11
group_vars/all/vars.yml
View file

@ -2,14 +2,3 @@
# Use python 3
ansible_python_interpreter: /usr/bin/python3
dns_resolve_server: 1.1.1.1
# Default prometheus serveur, to overide in host_vars or something
appointed_prometheus_server: hindley
grafana_admin_password: "{{ vault_grafana_admin_password }}"
grafana_domain_name: monitoring.deso-palaiseau.fr
kassandra_username: cassandre
kassandra_password: "{{ vault_kassandra_password }}"
alert_rooms:
- "#monitoring:pains-perdus.fr"

324
group_vars/all/vault
View file

@ -1,305 +1,21 @@
$ANSIBLE_VAULT;1.1;AES256
66396364626137653230336236313132366334386632383339303335333062323833373534643931
3035323936343830646136386237623565303262616366320a303665383565613936323763383538
32373832626130636665313664356636623339353266656433366563366439363764386136616537
6230376436363463620a663761633130383262353661313461343839656361356238376433396639
36643034376539383136633937613031343862653739396536346130303164346465356530323564
38396130343031343862383237383566333661623466353538343462343565373765316132666430
32393635623834343566303932343734653566326231303531346662303436653437663034333865
65666230623861393161353339336663616131393830333136373366626233363966613064656630
65663362636566323263353838393932343036613337383533393838636338393738303835666538
34373266393237326465613064656231616562626531353937653565346634646162653038356566
37643364336562643439616464636536353335666162623831313035663039386637323639623035
66653538646665306130393934333732346366366439396637313932366463343935303264613033
64633162373062373534643938646633306332303064356662366163366366326561656266636234
36613630346162353061313532386330653939373663616534653263306339633139653935663565
31316237373766653865326632306232346234613237643038613334353737323930636365303562
63333261646638633031313032386239383938386439376333613762346237313463643663336133
36353833333661323632633461333064313263323937613263356264366539313036366637646138
63373761626566613732623365643065626234643032323263623965316464343734386532333165
37626561616334396561333930326461393863346139663738393536626135386463366366396336
36306538373331616562373263653636643938643031386435633234666561353164386463323339
63353761653538663264333762613731336333656139313434613563343061386462643535346533
65366263383735306336386430636338396561346236333837336465323866333933333337626235
39653030326430663332636263333938326536356366643734346362643430336366623164633330
65383838383830306133626461643632656637336264666638383636376565666231373331393834
38663939633137363236303632616638646238313431653262346437313237356263616530656339
34336634386133383434623739326234313339333265636364373963343334363836313934653565
64336132376336323063663765643365336366303732666137376631323231343631656439383666
36383535316232636434653238313738653166633836303461376232333933316332326462656432
39313166396234613162623361343037383131663465383438356438663130306138356266656561
37306232653730653962656336373634643937333633623361343132393964623739623161373233
35373461303833343666623261616534323435663634363639316466613761616533646531616635
37663038396537343361393635343264613635666564343065313930376365393361363934643234
34663830386664613062626465633666616430646566633435303837623536646466616337376162
39376431643738336163653333333638663564356237393630636537306564333531336330333039
61386261316335323866353637626536363939346564373333633561323361396264373034353063
33613835393064393363326263623964353131326566353938623431396566663961633863313465
37373264343331333839356538346436336561656435643434353532626539333538343261616336
66623432653930633334363266316339373830643631316432303633633337666537373039323037
62316333356438346364663734613863316334636365316565336561626563373266386636366164
62346536313965643661356433383538646532633234313137353035633732356366643934663661
63373735323138356565613131373938613338653061383734643633636363353438373533313765
65393665616139343137643565626437373033363737633061386362376332353739313861623339
66333538666563636264303239353535306166656530346363396338373963653536333066383035
39633938353932303164306236626564306235326237646238393461306464386536616463376132
38666237376533353965656131373639353533333532396430616165383037303266653033633432
36666535616633333736653033386263616434343361383066663163363936386435626130303836
66623833323735643435653261323437386338663137653633663261336434636234623232356664
39376338303433303534636632376136656366633165616638623934666362666638653730343564
38303566653464383231633464306139306635386136336634643732623237643961643636333761
66326136633434346262343364633732303831323337663566613833646537346237643761616236
36373966356330333233336330663063663966633337373835656334326330326630353261666437
65316362643165353166656330313839623562633562373161356561663163636437633133323131
30373462336532353063663164303837653332383565663436383436396265373966653036316661
62663534383061656363643439633032383735376237653832616563383865613733356633323633
65326631353265383433346130636364656533333736653834333661623733333966666638326437
37353833663432613133336566663337313833323334393065303633396464613333393663643732
39666235353664323036306531306462653161613937313633623333306663333834303763623362
34613362396331383636626237376433303966626463633364353265356637653533623538653630
35393766306639633431373530363633306635663666373137653932663963363939616134643366
37363436336535663861336463653639653536303634363661666335666633306530633934363466
31386437363765633938633966343535386335323735623739656131623232393238316161353634
38633338643937623663346561383239313933613330626166636334333838333531666233356233
65343439373233353463663462333036376362643066613762303963383065633337326139353638
39373461386664313935393463313231353833663133663930323435353332373562396638343138
33636465626238663534313765363333326561386164346139396432336431376234383238333530
66356535353966633132626161343661643465633730633164666465366332623061386261383164
39313433663237633166343033353063613733383130636237393063623962613938373164653630
66343031613439316434666364366662373838626164653637636232643737376637633863616330
30326233323137323865643262363837353162363634333336353465373264336337383066323939
35336462336462613634363831343266336364646334386239373832653863323832303766643435
34356339653964373532326138303132616530663362303664633861373931373061393566313765
66343937343532386162346431623166366262623163306633393933663266616135663961643436
37653663303337623662393761336632356534663430316264343437653763656635323437646637
38393661306362313064613434396331613366373037613464356565373461393663636138633532
64343561346463316532366361646438323731383963646337623165383663666266316139656166
37336463633834636435343761613837666635653166326163346539626139613562396439306130
33363230626633346138303538373439626161623163626135643665613932666535343532303036
35373431343635393665616366643332643035623133613666396234353338623636663762636336
35346431303536613962323861336539396333346234393763396438383539383036333636353637
39646333383633326238393164333835393237623734383537376230353264346237353866333264
38643231343536356339373531633165393334353365336261656665336230373266633938343134
37646266383438633835323233306363643765653833666363376338356265663831636431646637
39633532353130396635383965643531363564373766323064616165376134613834303666306231
38643366333166633238626335313463623935373233353236393663353561383763636131383862
34623536343664623962326237326532643830636533636361666432333261363530373464356233
64373865653035613363373832653163326165363061623531373337663765653937303036656663
66636463346139663962393431633162303664313031306331323865313739323661303538336238
65313639663663393962396333666438633432323533613064313765353362326532613834373136
65326265646136613030353862326233646331396238343634323534626136376136356561316635
66333662666437613339396563323531396261366138323938303834393865633439313965613463
38343961646664626663346464393061396234356237663339323462623864663864383939353862
34313266373138346235626236303433613062306332343638663538356431663930303863306461
63386262333663393262623364343864376437616237313537343839656632363436613933376438
65346137313732316639353937336162313661386536383339633938613763336532353634373935
64393635366435666639346537386661383362623565623365636136316363336337663738356463
32333466363366336337653739313166396435323434376662356165643662353332306431383839
61613331313164336537313037393166356537656530616336663138316532323164346266353831
65666238306135346235376237376561333063373163633433386461383834633762646431396462
65313637623266646332336332363139376265363037383533613763373734313664343835396335
35323230326463356333653833326561306236336238373539653938653933636239626661376436
35303639643832343364393439386631616632313830363461326665303162383839653762366630
34656330393539636564346461316638396230323566376431636236306632616331323132623962
35666466326136633166323466666361326137306335353565326232373363323965373261636235
32363935323865303630383836303964326138393632333234643261386361393961336161636664
36393163343634633033396561313535663534623936323564373430396238356635356231386365
64313331633231336361613333313532626439393562356430386238396430393861396136633339
34303962343336356331663530613031636361333836646132316131343839623235356561633266
31343733353631653266353631376161613632373063323765663932646633653964366563363531
31313363393136643036366531333138353135666235303335393531353833313231386364393934
63653566616235303835393136646562626562353830653663386564366633343061613034383634
33363238303661313034636562356235393861356563333039313136396232343964613437356232
36346239303732333462613838653232326234353737633236396165616433656531393332663433
62366161373231646235656562323765653662343161383031613461643138303462386236666339
33623037366431353462346534636565393234626434613134343135343466623662386537386535
62306533386532353962626532613839346236303963646265333235336363653037373961663236
34366162353466373265643765356236313732353830303934376538343833343065363562356362
61623364386366396366353037393434626530326231623165376337306261373164343030383533
39353633656332363130326361636233363739333662663362366534396331353330343633313130
61326266343235396461353637333630333133326339303431376234356433623631316132633632
34653365623632613630306134643666373961623137393135393163383666326232633933393630
34666430316266326638613537373337386138383261643564313564666663666664363363323463
38366633346563343964653561316533323965366662663965623661613735366333313133663730
63626432306132356138623762366432613064326138646238643766313737653531653530663337
62393136356331636131303163313236386436663261613935353532666534386265313964656235
62633135643630313032666134393638663136373162646365343163353432333232613733346539
36666664613461343831373733393231303962356461383632303539633862633630636331613236
65376464363235326338366262323535646636316438356161316333663134613865326465626639
34633834376130663235316563333936633036623031326232636436363563633432323930383636
36383538333162623836306339613236623632353063366332636366376231353132663163623737
66373563663166666235313364383761383730346233363466623133386530313265383962333130
61313064316264613466626131616162376563346363323639303630343361613230333434613836
39303065626232393663626562376239356531613931323530323666353734396132613461643133
66356564626666303836326262666466623431373933303435616461653837383765393363623635
63386335313835366139633761613539366539356536663763396530356230353138633833316337
62343434323330393439656236626336323439333063376131643964376631376564306339323066
39666433663438306266393430303538316435336238383934323439323261373936326666623539
39633035313633313563663366666231383865333032333162386365633163366635393766366162
35663334303061303862346337376435616337663130633864383439653764366262323539666433
61306432626635323730373964353338323030656437656364663035336531353537653839623133
66363934333866356635383930383036326638326534333164383034613730383861303439383632
30343434623834366162366564356131356139363432353864646535623537656137383166303262
33313433303561333932333832383465366633336262386163363137353731393135636632323931
37373233663336333332326238323338373639346333663366383966653337623132653537356632
66366462336133613735666631366661643432333037383536303736333432663338623165653834
36383930303664313432363433333130396236343332303561373261353561303331356333393330
38613037383038376335313836363337313633346539626532383132323766613838303237333766
62623235343232663566616233653764323132613634316263373330356635396232656264346333
31333339336630373934353130353464373962656264613938366132646665646531646633646536
37373639393030303161373032373638656566316666393239326338353164626434393235366264
63343864646336376538323235313333363531303563316634373338393137656663323132333533
35343062373534376531383531313835303738376439636630336161303539346363633064383435
38656434666239396539353338396662343035626333633862323739366136393063646431363531
33643566343736616665666361633961336163306632383632616264636165366165396132303237
32643436613034623062616463623038313061356364303235656439323430366430623339386339
66383130323530333963666431306130633565353833336464626331313030616239336138343035
31343833613631666461313631336565376264333336353561386233626234623730323561373134
61616236333962386231343532323464646235633530333062343663373830656130636665623865
36643633323539376165616238646139336365316532643565656266353539366433366330323330
62663735396233386463653437616639313331623736613562343236613564306139336233656263
65646534643762336435323232373062306434393463623662323963333232373631373530353237
35373131356538646462303961663862656533643162383436303361306639643134383436343739
66393238663837353164333662653933353530376433633930663336373634383036393637663934
39336337313264366135386464363061356664303638333866303562316664336636333566623366
32306639303963336233386365373562366466303930303931643266373235343366336163303930
30386337393966633135326164646532376637636265663762326562336565383935613062323462
62353536663936633837316363653366356231323664363439393866393133336261346134333863
64643832306236666636333939326531346163346335356636643566333362643533333034643739
36373736353464653531316262636231343963376633653239633037336133373130643762626461
35346637653434656339323861316233303863393263373638353664326430303731643439613430
65313161336137656536346435356132343835326636616164366266373561323864386366366432
66613039663836626161643336316432343436333130383935306638393564303838373938313930
37393633343562646461653339626135303262626434343132303462353662323066633639346433
64336239663733613234333738633730306337313936343865323030626566323066306266336334
33393332373163353130623132633264656137386163373662613965343162646433653263393566
39356464393962636233306462323730333837656363643164376438363565303138666564656633
33343933313138386539303837306365373639373464306537663439376637303134626262656264
64336663663238376231323030306438616434626466616566303135363333366564346636323562
32343765353931663261633338356161383734303764356465616136643862393266343031353534
37393030656663613764323831353839616466633664623530663962666466383562663464353334
37376435363230366362633939613764383863653438303933633962653937643332633063353937
36613434306634623362643233313164333832663639653066313137336565333138363864306363
31643366393733316236353263316537396336656139643435373365313965383235376166353862
62363438613163626564383966343331316338343835656236303565303631313733353265396537
38316463633931633431653837633134383563366133373362326664323731326363326137326232
30373536386435353236313330373537303239313538303361396330663837383166393536383966
34313466623333623466326365643664383737363363623731316565353366373864636135656333
64633132613138313564336337383338656639666330313939376234343839386438636433373832
37653366633238663266383565346564396135356163326566313665343339346333323765336631
35643762313662636662376331336139373866373437623631363636326135346536363765613936
32306166306135313638643633353131643939366465346233636639663961303563643162366133
32316634383963653038613037366266346634323361313337666262343432386239326337326334
65653461626264353564323161656631373865666433353139363639393338376661353064353966
33663064613665326564333737303733633433333735303461613933353435303461333033623433
62356236323735653338333861656435616661386339303439653531643065643030393536663963
64613730343036353636616462633365326661333038383264616336633839346466393665393465
30316465323466633234376466383538613539313239353937353531316462636463316238356634
38346439363033336363396165376162633536363361386564633362623864316339623233313235
36646161323832346332386261623837663135646237343864333564653533623835333834343333
33333739633130386131316537386636363234333466623730303061336136633330646361366632
37386336623862373561386663353063616635326131663535313337623232376164316631346436
65656536313761653739623130313766366662613630396337373034323562343633333234373031
63383861656461336333303436353739646461623333616236333962356564623566363031353334
38636165646632346633353766393230343736313966333564313730353262636135633164393334
32373063393964656365333164623165326532643633313563643337653062363566393636653934
63383533326337393762343462313732323561316532303137336133616634373339633864306334
64333032356531313763313838353730633939393536383165376130663163643339393439616163
35363162313063663765616332613834306134393731633662306130656464336132303130303165
32303261333162303438366436653963326162626334613030653038343834336232333733643461
62326632373832623863333536613339373539396533393639326463633837306439383439643437
61326261373064313733636566316631343132656663376234323339383464363537643266383238
63353366383664653837326637376537616266346161653038306331353938373230386131333032
36653461633134373034656534623262383335626539623939313936396136376565643332353230
62643633323835376563653337306631376664336464646234666336626532356562613864626464
64323135373835613239613830616134303561363630623435346562633466323462643839303536
62303634386563313565663837393761666532303834623063343431343364363338663838313961
39643431366661333465313066643939356336643264613133653738666438653630353239386465
32363739663566616431623665363763613531346134343933333963623033313762346438343937
31306262353364353434663231656538376262393235346432383936663065316165376364326134
61396563636462396438623262343537636131636339636566393138666565356438333562613461
64313139326365393439366138623366646435333132326638656438396161386139393036656439
32646535663564663462343862366666386633623730336333346335666436623866613564636665
64316230343332306266303831373139353934353633323032646135376632303631616533663534
31656539353538653539306331373233333337653864323433393038636232373439326462336337
65356565633835333939373736383134373963396132306638323664363639663262393232383335
30386231353535643139363536653065326663353665353932376533363634373164333061326634
33343330626136363465313132363563326666323335383239376133633161623033386231616332
66636566353337356433333266336565646133346637386366353239623937626431633039663734
31656466383362666333393165306561323164313164363030393639363435656262643461613033
30303466623230643330313164663535663836363536353238663136373133356663323062336438
33393935353161633536356134363064646235323339663730383464636134636433353062353537
30613135626264366566623339613037383636353334363530653732626165323738643461613337
35383138323336616563333965643630353836383032363034623963373733626232353365643536
32303761613033353563333531396630646261343966393662336661313336626662306538636633
30346430653736346636646264633936353562313537323863363462316561333865353563363630
37326336363234313933363333396336626436343936623535316665366437656637386539303862
34336330316430626563623331656464313663633432396263346564376532306364353566363664
61653131643837633639356533376163643465326166636436646165336635323838386265316264
38393433346262626365303261303533653931366531303565623165376661323834333535376364
30633034346635663262653835326131396165306632663161366138376631366364356162626338
65666465336365313535376637313365653632346432393937326334633861313562323564663638
36623462653539356339623666643234363361656639313133313635306362373738636264646531
32313063393731373666373266326661623562633935656233383339383161316564393130643932
39336163306462336638646138626236396237363939323461633330633762616561343432613937
66636663623063333333376666646334306662303561656231333365626164366336653237396236
63323531333139646336393033633731653437313230376465616663623734623339623238313863
35366639613930303166393739393163313635663063326432323434333363613930653937653136
65663766616465383736333164346533643236326561323335653331623931326130616236306462
63336434326464613335356333666237303261326432396361376534326566346435376461613933
39313537323939373264333064356166386339356131396466376437323638313366336336653766
63613365303032373939326463383463303136396239333236303437326331636637356133353135
63666430386631626139626664376264333833386437316563383830666135663431383162383366
33343463633462333263613965383034666336396564376635313666343434346366376434313830
38613638656439343465363261653737333362316433353964653530366562613137303231633464
33656364363032396566353830656634613434636561633063643261396334613935343133653830
37386634653166636561646163623964313465616163343661646464313036356435636338313237
39323266623861366562323238316666613237353236363235333436303333653561316635373233
61323233346330643431333866623861656632376164616533653765393866623432363130653331
36323937393138616162326438323463363438633437303665313630643432353633316337613537
33623130303738623763383936653333386631333135616637393731346665626634633238326537
36336539306166333062313465653630393134363936616237643866313264306531363163616136
30616166643439643034616562646464316662666539653439626461636537333639383636643630
38353266303831396630653261643536376633633430616365303866366132343062306539346530
65353836313464333833623364326661356164313963383462623138306534613934373366646535
38646630363564343865613035383130666663373333643530643237323030643432633139646239
61623136663139343866636663313731633530363033666536666137303861643339306331313233
30633665306333653734383731396663396433353862326162643463326365363565303634396661
36663832626636333936336131383236323538306131613237393835663235313636373330633164
32383331636561386164373964373664643436663830623361393965656265646137666263666632
33653736363232373838653235343665663465333562653861646436633061393430333133613735
33343238373633383966366365383333373263343139646533356439333763663462343263383631
35663666656562383230333065376439643132313734316166313430386661313234396164356338
39653265306637376239343537626237323332313234373862393862653265386266323161316135
64353139613530323264326639333464333366323437633932363334633635343436353462343130
32623337663533666334323965656435636561333865303461326163653061316137306339626136
64363166623962346366353732633865373037636563373338333061303263636363393632633337
61633833646466626663613063663131323139663263356663356538623536313230623361363332
35343630353637376636663762323564323033393834336261333838326332333966383266333363
66626436323566623866333462333832323536363465373265333830353265306263343731343662
37663036356330353537333434313165313662303038326335653761343432383639663365613334
63376239373638343432616665336437373266376463623330393238396138393734633934626661
34333164643330313531346636636432656230633264396130636338613564306337353337653030
39623466373732336435343738383539663833356233666165616638356436373231656661613138
31353062393463383035323962633330393733346237666366363939333437396163353433336638
65393433613337373935353338613630666539303231633139376235376162373932646338333436
65663363613831363538336233616666393836316237653432343137376262636632646234363230
39373133333931393963363339376166623563633733363137363361653463333066666465613432
39316662613734636462393936613338346361323438396634313234393335323462666632653938
65626464393733666431366161653238373266646266376463633366336332303133633738343165
32616239653230646565316463373139373933323365366430663463653631343837376232613666
63336134316536353962396430326166306339656137333765306233336234393233646136633833
31623861303530313739666636373138353339393434396335646535613932343666643261383639
39386135356463663335616466633137623035376639623635613765303732326232303937366262
34326464336666613566333562316164333339303636613265323538373263363866333932656532
33306163343437343861363861666533393462373561303562386135306133363664313638336163
61666239636535326634393437656536333034313139383961353062326138373463323361613533
61376264616361393262306237336363386237383665383839373637346535663639323065636135
33363436383031373232323936653163383535633436623936653766666231343838656533643532
64623961613837363362393563353438656631666336653861666233636437363632376365363630
66636536343365653761353235353435383132366464306432323434386135356631653538306134
65616630323833373732323535633932633563386233353062333739393562353338663663343734
62616333366630303833313131313633346539316163633665633438323237396533636232396661
63333432636166646433366138356263343535613334623538396335303739356135313566353265
34313936393436356334396139643863383561616130376466643533336363323163386437636138
34663961313534646439
64373461313566643538663463386532303131323131373136353632363237656239373334636234
3136333432376236626131336538616236386530376330380a323835363139333632623161313731
31383163363835626662316332356566643936663338626136376564326139336433313139343239
6136633637613739630a666130383230613461623237363965623038633630623033653734623630
31663864323464326333373364663465393134346635613565636234623834633730326530663135
32313439333732323764373765633663643938306136666231326130346266373161356361333930
36613264383665346630636161343239306436626430626561396266306130353862333131633664
38366236343136663931666333346237363565366563353539396338343565306431353565616135
37336466626261633764623638633536383966663433633764356436353838343961346238613065
64663964373239616330356265343338356434303831396461633061393739326230396139643761
65393462323131346164396136366438323639393230326362303430656335343164306339616439
32356537366433663830643639666333383964373837313763343736626534306365613231633936
63313962633134366131643263306337343433633130626537313434356466613136326639616531
35633466623131613030643036643430613634346564313431363464326235643366313031306538
63666139366234393831313232636239666136323536626565366366353737626537613463326234
64613036616261646165373963306161326339393339353733666533353331316132306437653863
64386566616665386634343234323235386465396537616435333364356632626636353339353037
39386432323062393435313963613165633365666639353864303666303337613538653534316133
66383038633931333034336532333333356234313564393061636332666566383262383461346266
35303261626433663137

67
group_vars/all/vpn_vault
View file

@ -1,36 +1,33 @@
$ANSIBLE_VAULT;1.2;AES256;vpn_vault
63336164323763623961373136616238363832356135343764343966356631333766396265653566
6139626665393664343961363966363339346636376431340a343730653565383265616365386366
32333533666333373663373037653731666361343737356261636532303562663063343633346537
3337643137653839320a346236613362393636363935373162643237343831333535393461633963
37343039383931613031663733666538383735383064356532373232633661386237366433396236
63666134376463313637643061623934653666353364353235323431633930373663636137313462
30666263386237303563393936373566386563386631656162303634306466656663666330313937
32313431343536666437626130646231333237343734303538363639383933633661323565353661
32343065383433623730346664643361306539623937656331333764346336396231656465373561
33343034303263303833373936383936366131663962613961666161303134316134316635626639
36666334393961306662626162393433643961646339323934653335613933383131633635623763
34656538336434303339613032623432613239303239373937643361306535383137643239646134
33336461613034303362353837313362643934666239363036333432373631336162646330333532
36303332306333623765653838373361353435646366323462383237343134643736376230353434
35333738313030636339363538656130643163353238666638383830316665646438366164636138
30643031336164323862633135313630666561656335626464336162386564306261396532396238
36666139386236663736613936633964363166343765626366323566613733353233313862646165
33373264633763386166373739313136343362383864343866323231373536633130633032616334
30383930333130646636666134363661316236323937373861343333333833616633346161323965
31343966396635626465613630333732353335373264646464373764363433393439656635636430
31303930333731656339633032366166386265653632633638323932626161623966613761636236
61303134663931636139336436313637333739626336643838663861626539323336393239643131
37383665326332393663323166643338353135363831306561623639643663326364343639316665
38343337323633353066653666366238633932393836396338336261663331656565653532613438
36323462326431333235376566343134663734373534663834316133333236636166386439633766
31323931363066343334363764356630383764346332353162316461333762613366663130393831
36633430383131326335333130303832666430366134393462616163326239383538616531373166
37383130616339343832313335636364623434636434393430383566376433363565626336303064
63376234613835666338373662373735386561643431633037336231643033393563316363613131
61656232363035333635636464656465613763613032376666623238613362343032613465313331
62353035313862323631653766393463383565336535616630383839376135393037363038343639
39646531666130626638666535623533373766386531343236313962636539373233363462363032
61373938373139376236633062353063643037333062363464383638333635643331616465643533
34646238663731616635313131313438376536633862346165666631326632623534306666396264
636139633664356536626239303631643864
30346337663561363430646532656462396163656462643563336266636539386362376634616662
3333666632613436396464663333396465303132613337300a363166623334386161316639393333
66616565336266383435353039373835356364653230353964633839386433343032623436656431
3731613630616366340a376130363939643331393835633939656361313466346531313333383865
62636635333463346330383961663761656632343735313665626261363431376535636138333332
63323663316332353539346665343532666137326365633732366233653663343963306663663134
66353737616635646264306266366666656539613031373735323034356639643662383132653731
35393039356634623564666237386230393033616363353238383838313032366234383431623930
63663236656263663431633030623930326665343566333939306636373833396433393164386466
33613561343432356337633861373134306238623732393036396365643930356534636538336232
31386334353638633237613565343263366665346565616231633036393731316530366630633731
37376536653930303832656436366161323665653636393539343463306438613563323966376632
64306664363638636333326635393233363238613766353631646464353835626139343932633537
66613836656637376665366561343965366662366562383763653232643930636164393632333339
37656633343264346631663033386530623937343932373436616663613436366132343863336538
64656265313431626665363564343632313364383430643730643930323933373335623539313262
39386165363433616565303064323031633861373666613938376232316161333335613137343365
65306664626432326235643533633533356130316531656636613837393237343131626230636333
37623639636332386465613532376533653462643737636462326461333834383239366637656461
33343232666536636132356432313839376565376538356364363161366537653966356563356363
62303734333262316639613363653537373564306265303534306430363366666566323264313331
66326665393535306338626230646230633035363562396432396363323439336464353366323639
39353463323762356235656464346135373236353033613938636333656433653233393063373762
32653439346535383966303538303635393539336465373463303566383263333730643065383132
66353861643839653535663238393465396164383262326234353561343232396562383836353639
65333437653463653231633331626136316634303031383566343963326236303039633432316261
33626465386562303962306562646338636439383638663861353665363732353163303330633837
37623934356635386137343661653438643365656661656538366130333036643636613161336436
66393365313565376339353165373764656531396662663630613833323964653337386130383635
37613865383330303430383561373565336662333038396539363661636566333864326133323962
63303934386430343962666162323361306431383936353832613534663638623663653136303631
33306566313633656238

6
group_vars/all/web_services.yml
View file

@ -1,8 +1,12 @@
---
reverse_proxy_sites:
- {from: wiki.pains-perdus.fr, to: "https://azerty.fil.sand.auro.re:2443"}
- {from: hindley.pains-perdus.fr, to: "http://127.0.0.1:5000"}
- {from: gitea.deso-palaiseau.fr, to: "https://azerty.fil.sand.auro.re:8443"}
- {from: openid.deso-palaiseau.fr, to: "https://azerty.fil.sand.auro.re:7443"}
sharing_sites:
- {from: share.deso-palaiseau.fr, folder: "/home/histausse/www", user: histausse, group: histausse}
- {from: wiki.deso-palaiseau.fr, folder: "/home/histausse/wiki/public", user: histausse, group: histausse}
- {from: authority.deso-palaiseau.fr, folder: "/var/www/authority", user: root, group: root}
- {from: authority-info-access.deso-palaiseau.fr, folder: "/var/www/authority_info_access", user: root, group: root}

2
host_vars/azerty/ansible.yml Normal file
View file

@ -0,0 +1,2 @@
---
ansible_host: "azerty.fil.sand.auro.re"

14
host_vars/azerty/networking.yml Normal file
View file

@ -0,0 +1,14 @@
---
interfaces:
enp0s25:
ipv4: 10.50.1.221
netmaskv4: 16
type: static
gateway: 10.50.0.254
wg0:
ipv4: "{{ intranet.subnets.physical.subnets.azerty.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false

4
host_vars/matrix_server/vpn.yml → host_vars/azerty/vpn.yml
View file

@ -2,8 +2,8 @@
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_matrix_key }}"
public_key: "oQH8CBofxNSOGevaz1HZlz3ZW+H3ndb/TmqM0pCiRR8="
private_key: "{{ vpn_vault_azerty_key }}"
public_key: "o9rdoSdnp4twbNbZAMl0wY4sFQh647qqRv6V8HJwMQY="
keepalive: true
peers:
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"

2
host_vars/hellman/ansible.yml Normal file
View file

@ -0,0 +1,2 @@
---
ansible_host: "hellman.fil.sand.auro.re"

24
host_vars/hellman/networking.yml Normal file
View file

@ -0,0 +1,24 @@
---
interfaces:
enp7s0:
type: void
vmbr0:
ipv4: 10.50.2.17
netmaskv4: 16
type: static
bridge: true
gateway: 10.50.0.254
interfaces:
- enp7s0
vmbr1:
ipv4: "{{ intranet.subnets.guest_hellman.subnets.hellman.ipv4 }}"
netmaskv4: "{{ intranet.subnets.guest_hellman.netmaskv4 }}"
type: static
bridge: true
wg0:
ipv4: "{{ intranet.subnets.physical.subnets.hellman.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false

13
host_vars/hellman/vpn.yml Normal file
View file

@ -0,0 +1,13 @@
---
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_hellman_key }}"
public_key: "+qV1RHAgSigOkrxUKqpGR83bydmlIHrEiw+A7zjbRk4="
keepalive: true
peers:
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
comment: "hindley"

2
host_vars/hindley/networking.yml
View file

@ -10,5 +10,3 @@ interfaces:
ipv4_forwarding: true
ipv6_forwarding: false
lan_address: "{{ intranet.subnets.physical.subnets.hindley.ipv4 }}"

38
host_vars/hindley/vpn.yml
View file

@ -7,21 +7,45 @@ vpn_interfaces:
keepalive: false
peers:
- endpoint: ""
public_key: "jvjOCj5xVTLwyQ8o7QsYvF2ep1HbD/GKnmjpqJuztB8="
public_key: "{{ hostvars['azerty'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['azerty'].vpn_interfaces.wg0.ip }}/32"
comment: "azerty"
- endpoint: ""
public_key: "{{ hostvars['hellman'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ intranet.subnets.physical.subnets.router_hellman.ipv4 }}/{{ intranet.subnets.physical.subnets.router_hellman.netmaskv4 }}"
- "{{ hostvars['hellman'].vpn_interfaces.wg0.ip }}/32"
- "{{ intranet.subnets.guest_hellman.ipv4 }}/{{ intranet.subnets.guest_hellman.netmaskv4 }}"
comment: "Router hosted on Hellman"
comment: "hellman"
- endpoint: ""
public_key: "{{ vpn_guest_keys.knuth }}"
allowed_ips:
- "{{ intranet.subnets.guest.subnets.knuth.ipv4 }}/{{ intranet.subnets.guest.subnets.knuth.netmaskv4 }}"
comment: "Client laptop: knuth"
- endpoint: ""
public_key: "{{ hostvars['matrix_server'].vpn_interfaces.wg0.public_key }}"
public_key: "{{ hostvars['rossum'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['matrix_server'].vpn_interfaces.wg0.ip }}/32"
comment: "matrix VM, hosted on g33kex's server"
- "{{ hostvars['rossum'].vpn_interfaces.wg0.ip }}/32"
comment: "Raspi at paris, Rossum"
- endpoint: ""
public_key: "{{ hostvars['vm1'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['vm1'].vpn_interfaces.wg0.ip }}/32"
comment: "Test VM 1, hosted by knuth"
- endpoint: ""
public_key: "{{ hostvars['vm2'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['vm2'].vpn_interfaces.wg0.ip }}/32"
comment: "Test VM 2, hosted by knuth"
- endpoint: ""
public_key: "{{ hostvars['vm3'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['vm3'].vpn_interfaces.wg0.ip }}/32"
comment: "Test VM 3, hosted by knuth"
- endpoint: ""
public_key: "{{ hostvars['vm4'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['vm4'].vpn_interfaces.wg0.ip }}/32"
comment: "Test VM 4, hosted by knuth"

4
host_vars/matrix_server/ansible.yml
View file

@ -1,4 +0,0 @@
---
#ansible_host: "172.20.1.5"
ansible_host: "nyx.ovh"
ansible_port: "4502"

14
host_vars/rossum/networking.yml Normal file
View file

@ -0,0 +1,14 @@
---
interfaces:
eth0:
ipv4: 192.168.0.50
netmaskv4: 24
type: static
gateway: 192.168.0.1
wg0:
ipv4: "{{ intranet.subnets.physical.subnets.rossum.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false

13
host_vars/rossum/vpn.yml Normal file
View file

@ -0,0 +1,13 @@
---
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_rossum_key }}"
public_key: "YNEp3V5wsDLxDR29WhzECOCdOxiOuxuAqUUwS3gJWT4="
keepalive: true
peers:
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
comment: "hindley"

2
host_vars/vm1/ansible.yml Normal file
View file

@ -0,0 +1,2 @@
---
ansible_host: "vm1"

24
host_vars/vm1/networking.yml Normal file
View file

@ -0,0 +1,24 @@
---
interfaces:
enp0s3:
type: void
br0:
ipv4: 10.0.2.5
netmaskv4: 24
type: static
bridge: true
gateway: 10.0.2.1
interfaces:
- enp0s3
br1:
type: manual
bridge: true
interfaces:
- enp0s3.42
wg0:
ipv4: "{{ intranet.subnets.test.subnets.vm1.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false

13
host_vars/vm1/vpn.yml Normal file
View file

@ -0,0 +1,13 @@
---
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_vm1_key }}"
public_key: "uccS/p19vinH/S2GpVarDTYah4oRiSIABue8uEqKzRs="
keepalive: true
peers:
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
comment: "hindley"

2
host_vars/vm2/ansible.yml Normal file
View file

@ -0,0 +1,2 @@
---
ansible_host: "vm2"

6
host_vars/matrix_server/networking.yml → host_vars/vm2/networking.yml
View file

@ -1,13 +1,11 @@
---
interfaces:
ens18:
enp0s3:
type: dhcp
wg0:
ipv4: "{{ intranet.subnets.physical.subnets.matrix.ipv4 }}"
ipv4: "{{ intranet.subnets.test.subnets.vm2.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false
lan_address: "{{ intranet.subnets.physical.subnets.matrix.ipv4 }}"

13
host_vars/vm2/vpn.yml Normal file
View file

@ -0,0 +1,13 @@
---
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_vm2_key }}"
public_key: "pxsYnL8N3VVVLlkXA8NOkqWsrSMrgdL1vj/VnZfKdRo="
keepalive: true
peers:
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
comment: "hindley"

2
host_vars/vm3/ansible.yml Normal file
View file

@ -0,0 +1,2 @@
---
ansible_host: "vm3"

14
host_vars/vm3/networking.yml Normal file
View file

@ -0,0 +1,14 @@
---
interfaces:
enp0s3:
ipv4: 10.0.2.7
netmaskv4: 24
type: static
gateway: 10.0.2.1
wg0:
ipv4: "{{ intranet.subnets.test.subnets.vm3.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false

13
host_vars/vm3/vpn.yml Normal file
View file

@ -0,0 +1,13 @@
---
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_vm3_key }}"
public_key: "Cj3HAjXXr9DcmJoOkQkHvLWujZm8h6tBt2d54g0pqEg="
keepalive: true
peers:
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
comment: "hindley"

2
host_vars/vm4/ansible.yml Normal file
View file

@ -0,0 +1,2 @@
---
ansible_host: "vm4"

14
host_vars/vm4/networking.yml Normal file
View file

@ -0,0 +1,14 @@
---
interfaces:
enp0s3:
ipv4: 10.0.2.8
netmaskv4: 24
type: static
gateway: 10.0.2.1
wg0:
ipv4: "{{ intranet.subnets.test.subnets.vm4.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false

13
host_vars/vm4/vpn.yml Normal file
View file

@ -0,0 +1,13 @@
---
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_vm4_key }}"
public_key: "5M84IO6uobYkMPupCI9h9y3iJXVIXAyDY8wkrMPcaRw="
keepalive: true
peers:
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
comment: "hindley"

2
host_vars/vm5/ansible.yml Normal file
View file

@ -0,0 +1,2 @@
---
ansible_host: "vm5"

15
host_vars/vm5/networking.yml Normal file
View file

@ -0,0 +1,15 @@
---
interfaces:
enp0s3:
type: void
br0:
ipv4: 10.0.2.9
netmaskv4: 24
type: static
bridge: true
gateway: 10.0.2.1
interfaces:
- enp0s3
ipv4_forwarding: false
ipv6_forwarding: false

48
hosts
View file

@ -4,25 +4,51 @@ all:
ubuntu:
hosts:
hindley:
vm5:
debian_buster:
hosts:
azerty:
vm1:
vm2:
vm3:
debian_bullseye:
hosts:
matrix_server:
vm4:
proxmox_buster:
hosts:
hellman:
raspbian_buster:
hosts:
rossum:
proxy:
hosts:
hindley:
keycloak_host:
hosts:
azerty:
server_hostname: azerty.fil.sand.auro.re
gitea_host:
hosts:
azerty:
server_hostname: azerty.fil.sand.auro.re
tests:
hosts:
vm1:
vm2:
vm3:
vm4:
vm5:
rossum:
vpn:
hosts:
azerty:
hindley:
matrix_server:
hellman:
rossum:
vm1:
vm2:
vm3:
vm4:
apt_proxies:
hosts:
hindley:
prometheus_servers:
hosts:
hindley:
matrix:
hosts:
matrix_server:
no_user:
hosts:
matrix_server:

24
roles/apt_cacher_ng/tasks/main.yml
View file

@ -1,28 +1,4 @@
---
- name: Use a newer version of apt cacher nc for ubuntu 20.04
block:
- name: Set the default release
lineinfile:
path: /etc/apt/apt.conf.d/01-vendor-ubuntu
regexp: '^APT::Default-Release '
line: "APT::Default-Release \"{{ ansible_facts['lsb']['codename'] }}\";"
- name: Pin node exporter
copy:
dest: /etc/apt/preferences.d/pin-apt-cacher-nc
content: |
Package: apt-cacher-nc
Pin: release n={{ ansible_facts['lsb']['codename'] }}
Pin-Priority: -10
Package: apt-cacher-nc
Pin: release n=groovy
Pin-Priority: 900
- name: Add the repo from groovy
apt_repository:
repo: deb http://fr.archive.ubuntu.com/ubuntu groovy universe
state: present
when: ansible_facts['lsb']['id'] == 'Ubuntu' and ansible_facts['lsb']['codename'] == 'focal'
- name: Install apt-cacher-ng
apt:
name:

1
roles/base_config/tasks/main.yml
View file

@ -16,7 +16,6 @@
- unzip
- tcpdump
- net-tools
- acl
state: latest
update_cache: true
register: apt_result

167
roles/generate-cert/LICENSE
View file

@ -1,167 +0,0 @@
GNU LESSER GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
This version of the GNU Lesser General Public License incorporates
the terms and conditions of version 3 of the GNU General Public
License, supplemented by the additional permissions listed below.
0. Additional Definitions.
As used herein, "this License" refers to version 3 of the GNU Lesser
General Public License, and the "GNU GPL" refers to version 3 of the GNU
General Public License.
"The Library" refers to a covered work governed by this License,
other than an Application or a Combined Work as defined below.
An "Application" is any work that makes use of an interface provided
by the Library, but which is not otherwise based on the Library.
Defining a subclass of a class defined by the Library is deemed a mode
of using an interface provided by the Library.
A "Combined Work" is a work produced by combining or linking an
Application with the Library. The particular version of the Library
with which the Combined Work was made is also called the "Linked
Version".
The "Minimal Corresponding Source" for a Combined Work means the
Corresponding Source for the Combined Work, excluding any source code
for portions of the Combined Work that, considered in isolation, are
based on the Application, and not on the Linked Version.
The "Corresponding Application Code" for a Combined Work means the
object code and/or source code for the Application, including any data
and utility programs needed for reproducing the Combined Work from the
Application, but excluding the System Libraries of the Combined Work.
1. Exception to Section 3 of the GNU GPL.
You may convey a covered work under sections 3 and 4 of this License
without being bound by section 3 of the GNU GPL.
2. Conveying Modified Versions.
If you modify a copy of the Library, and, in your modifications, a
facility refers to a function or data to be supplied by an Application
that uses the facility (other than as an argument passed when the
facility is invoked), then you may convey a copy of the modified
version:
a) under this License, provided that you make a good faith effort to
ensure that, in the event an Application does not supply the
function or data, the facility still operates, and performs
whatever part of its purpose remains meaningful, or
b) under the GNU GPL, with none of the additional permissions of
this License applicable to that copy.
3. Object Code Incorporating Material from Library Header Files.
The object code form of an Application may incorporate material from
a header file that is part of the Library. You may convey such object
code under terms of your choice, provided that, if the incorporated
material is not limited to numerical parameters, data structure
layouts and accessors, or small macros, inline functions and templates
(ten or fewer lines in length), you do both of the following:
a) Give prominent notice with each copy of the object code that the
Library is used in it and that the Library and its use are
covered by this License.
b) Accompany the object code with a copy of the GNU GPL and this license
document.
4. Combined Works.
You may convey a Combined Work under terms of your choice that,
taken together, effectively do not restrict modification of the
portions of the Library contained in the Combined Work and reverse
engineering for debugging such modifications, if you also do each of
the following:
a) Give prominent notice with each copy of the Combined Work that
the Library is used in it and that the Library and its use are
covered by this License.
b) Accompany the Combined Work with a copy of the GNU GPL and this license
document.
c) For a Combined Work that displays copyright notices during
execution, include the copyright notice for the Library among
these notices, as well as a reference directing the user to the
copies of the GNU GPL and this license document.
d) Do one of the following:
0) Convey the Minimal Corresponding Source under the terms of this
License, and the Corresponding Application Code in a form
suitable for, and under terms that permit, the user to
recombine or relink the Application with a modified version of
the Linked Version to produce a modified Combined Work, in the
manner specified by section 6 of the GNU GPL for conveying
Corresponding Source.
1) Use a suitable shared library mechanism for linking with the
Library. A suitable mechanism is one that (a) uses at run time
a copy of the Library already present on the user's computer
system, and (b) will operate properly with a modified version
of the Library that is interface-compatible with the Linked
Version.
e) Provide Installation Information, but only if you would otherwise
be required to provide such information under section 6 of the
GNU GPL, and only to the extent that such information is
necessary to install and execute a modified version of the
Combined Work produced by recombining or relinking the
Application with a modified version of the Linked Version. (If
you use option 4d0, the Installation Information must accompany
the Minimal Corresponding Source and Corresponding Application
Code. If you use option 4d1, you must provide the Installation
Information in the manner specified by section 6 of the GNU GPL
for conveying Corresponding Source.)
5. Combined Libraries.
You may place library facilities that are a work based on the
Library side by side in a single library together with other library
facilities that are not Applications and are not covered by this
License, and convey such a combined library under terms of your
choice, if you do both of the following:
a) Accompany the combined library with a copy of the same work based
on the Library, uncombined with any other library facilities,
conveyed under the terms of this License.
b) Give prominent notice with the combined library that part of it
is a work based on the Library, and explaining where to find the
accompanying uncombined form of the same work.
6. Revised Versions of the GNU Lesser General Public License.
The Free Software Foundation may publish revised and/or new versions
of the GNU Lesser General Public License from time to time. Such new
versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the
Library as you received it specifies that a certain numbered version
of the GNU Lesser General Public License "or any later version"
applies to it, you have the option of following the terms and
conditions either of that published version or of any later version
published by the Free Software Foundation. If the Library as you
received it does not specify a version number of the GNU Lesser
General Public License, you may choose any version of the GNU Lesser
General Public License ever published by the Free Software Foundation.
If the Library as you received it specifies that a proxy can decide
whether future versions of the GNU Lesser General Public License shall
apply, that proxy's public statement of acceptance of any version is
permanent authorization for you to choose that version for the
Library.

9
roles/generate-cert/README.md
View file

@ -1,9 +0,0 @@
# generate-cert
This role is part of the project [Ansible Hacky PKI](https://gitea.auro.re/histausse/ansible_hacky_pki) licenced under the LGPL 3.
You can use it to generate certificate and manage de small pki, but keep it mind that this program is distributed **WITHOUT ANY WARRANTY**.
In particular, the **security** of the pki generated and the process of generated the pki **is not guaranteed**. If you find any vulnerability,
please contact me to see if we can find a patch.
Copyright 2021 Jean-Marie Mineau <histausse@protonmail.com>

8
roles/generate-cert/defaults/main.yml
View file

@ -1,8 +0,0 @@
---
key_usage:
- digitalSignature
- keyEncipherment
validity_duration: "+365d"
time_before_expiration_for_renewal: "+30d" # need a better name
force_renewal: no
store_directory: /etc/hackypky

165
roles/generate-cert/tasks/main.yml
View file

@ -1,165 +0,0 @@
---
- name: Ensure the directories used to store certs exist
file:
path: "{{ item }}"
state: directory
group: root
owner: root
mode: u=rwx,g=rx,o=rx
loop:
- "{{ store_directory }}"
- "{{ store_directory }}/crts"
- "{{ store_directory }}/keys"
- name: Ensure the directory containing the cert exist
file:
path: "{{ directory }}"
state: directory
- name: Test if the key already exist
stat:
path: "{{ store_directory}}/keys/{{ cname }}.key"
register: key_file
- name: Test if the cert already exist
stat:
path: "{{ store_directory}}/crts/{{ cname }}.crt"
register: cert_file
- name: Test if we need to renew the certificate
openssl_certificate_info:
path: "{{ store_directory }}/crts/{{ cname }}.crt"
valid_at:
renewal: "{{ time_before_expiration_for_renewal }}"
register: validity
when: cert_file.stat.exists
- name: Generate the certificate
block:
- name: Generate private key
become: false
openssl_privatekey:
path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
mode: u=rw,g=,o=
size: "{{ key_size | default(omit) }}"
delegate_to: localhost
- name: Generate a Certificate Signing Request
become: false
openssl_csr:
path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
privatekey_path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
common_name: "{{ cname }}"
country_name: "{{ country_name | default(omit) }}"
locality_name: "{{ locality_name | default(omit) }}"
state_or_province_name: "{{ state_or_province_name | default(omit) }}"
organization_name: "{{ organization_name | default(omit) }}"
organizational_unit_name: "{{ organizational_unit_name | default(omit) }}"
email_address: "{{ email_address | default(omit) }}"
basic_constraints:
- CA:FALSE # syntax?
basic_constraints_critical: yes
key_usage: "{{ key_usage }}"
key_usage_critical: yes
subject_alt_name: "{{ subject_alt_name | default(omit) }}"
crl_distribution_points: "{{ crl_distribution_points | default(omit) }}"
delegate_to: localhost
- name: Put the CA in a file
become: false
copy:
content: "{{ ca_cert }}"
dest: "/tmp/ansible_hacky_pki_ca.crt"
delegate_to: localhost
- name: Put the CA key in a file
become: false
copy:
content: "{{ ca_key }}"
dest: "/tmp/ansible_hacky_pki_ca.key"
mode: u=rw,g=,o=
delegate_to: localhost
no_log: yes
- name: Sign the certificate
become: false
openssl_certificate:
path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
csr_path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
ownca_not_after: "{{ validity_duration }}"
ownca_path: /tmp/ansible_hacky_pki_ca.crt
ownca_privatekey_passphrase: "{{ ca_passphrase }}"
ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key
provider: ownca
delegate_to: localhost
- name: Send private key to the server
copy:
src: "/tmp/ansible_hacky_pki_{{ cname }}.key"
dest: "{{ store_directory }}/keys/{{ cname }}.key"
owner: "{{ owner | default('root') }}"
group: "{{ group | default('root') }}"
mode: "{{ key_mode | default('u=rw,g=,o=') }}"
no_log: yes
- name: Send certificate to the server
copy:
src: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
dest: "{{ store_directory }}/crts/{{ cname }}.crt"
owner: "{{ owner | default('root') }}"
group: "{{ group | default('root') }}"
mode: "{{ key_mode | default('u=rw,g=r,o=r') }}"
# Clean up
- name: Remove the local cert key
become: false
file:
path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
state: absent
delegate_to: localhost
- name: Remove the CSR
become: false
file:
path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
state: absent
delegate_to: localhost
- name: Remove the local certificate
become: false
file:
path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
state: absent
delegate_to: localhost
- name: Remove the CA certificate
become: false
file:
path: /tmp/ansible_hacky_pki_ca.crt
state: absent
delegate_to: localhost
- name: Remove the CA key
become: false
file:
path: /tmp/ansible_hacky_pki_ca.key
state: absent
delegate_to: localhost
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Create the link to cert
file:
src: "{{ store_directory }}/crts/{{ cname }}.crt"
dest: "{{ directory }}/{{ cname }}.crt"
owner: "{{ owner | default('root') }}"
group: "{{ group | default('root') }}"
state: link
- name: Create the link to key
file:
src: "{{ store_directory }}/keys/{{ cname }}.key"
dest: "{{ directory }}/{{ cname }}.key"
owner: "{{ owner | default('root') }}"
group: "{{ group | default('root') }}"
state: link

9
roles/generate_self_signed_certificate/tasks/main.yml
View file

@ -1,13 +1,4 @@
---
- name: Install openssl
apt:
name: python3-openssl
state: latest
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Ensure the cert directory exists
file:
path: /var/certificates

5
roles/grafana/handlers/main.yml
View file

@ -1,5 +0,0 @@
---
- name: Restart Grafana
systemd:
name: grafana-server
state: restarted

79
roles/grafana/tasks/main.yml
View file

@ -1,79 +0,0 @@
---
- name: Install apt transport https
apt:
name:
- apt-transport-https
state: latest
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Add Graphana Repo Key
apt_key:
url: https://packages.grafana.com/gpg.key
state: present
- name: Add Grafana Repository
apt_repository:
repo: deb https://packages.grafana.com/oss/deb stable main
state: present
- name: Install Grafana
apt:
name:
- grafana
state: latest
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure Grafana
template:
src: grafana.ini
dest: /etc/grafana/grafana.ini
owner: grafana
group: grafana
mode: u=rw,g=r,o=
no_log: true
notify: Restart Grafana
- name: Copy the CA cert
copy:
content: "{{ ca_cert }}"
dest: /etc/grafana/ca.crt
notify: Restart prometheus
- name: Generate certificate
include_role:
name: generate-cert
vars:
directory: /etc/grafana/
cname: "grafana-{{ lan_address }}"
owner: grafana
group: grafana
key_mode: u=rw,g=,o=
subject_alt_name: "IP:{{ lan_address }}"
# Need an equivalent to notify here
## THIS CERT CANNOT BE MONITORED BECAUSE IT IS A CLIENT CERT :'(
#- name: Ensured the certificate is monitored
# import_tasks: register-cert-to-monitoring.yml
# vars:
# target: "{{ lan_address }}:<PORT>|grafana-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
- name: Add Prometheus data source
template:
src: prometheus_datasource.yaml
dest: /etc/grafana/provisioning/datasources/prometheus_datasource.yaml
owner: grafana
group: grafana
mode: u=rw,g=r,o=
notify: Restart Grafana
- name: Enable Grafana
systemd:
name: grafana-server
enabled: true
state: started

23
roles/grafana/tasks/register-cert-to-monitoring.yml
View file

@ -1,23 +0,0 @@
---
- name: Get the list of targets of the server
slurp:
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
register: server_tls_targets_file
delegate_to: "{{ appointed_prometheus_server }}"
- name: Set target variable from file
set_fact:
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
- name: Register the endpoint to the prometheus server
block:
- name: Add the target
set_fact:
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
- name: Put the new target list
copy:
content: "{{ new_server_tls_targets | to_nice_json }}"
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
delegate_to: "{{ appointed_prometheus_server }}"
when: target not in server_tls_targets.0.targets

1008
roles/grafana/templates/grafana.ini
View file

File diff suppressed because it is too large Load diff

17
roles/grafana/templates/prometheus_datasource.yaml
View file

@ -1,17 +0,0 @@
{{ ansible_managed | comment }}
apiVersion: 1
datasources:
- name: Prometheus
type: prometheus
# Access mode - proxy (server in the UI) or direct (browser in the UI).
access: proxy
url: https://{{ lan_address }}:9090
jsonData:
httpMethod: POST
tlsAuth: true
tlsAuthWithCACert: true
secureJsonData:
tlsCACert: $__file{/etc/grafana/ca.crt}
tlsClientCert: $__file{/etc/grafana/grafana-{{ lan_address }}.crt}
tlsClientKey: $__file{/etc/grafana/grafana-{{ lan_address }}.key}

1
roles/matrix-bridge-discord

@ -1 +0,0 @@
Subproject commit 2358c022895b3ce2f2a08dea41580e4cf84d218f

1
roles/matrix-bridge-facebook

@ -1 +0,0 @@
Subproject commit 89fb99ebb7c35ec3c11ecd5e4fbb194817f9cae6

1
roles/matrix-bridge-instagram

@ -1 +0,0 @@
Subproject commit 70675bec04af6bf456857c30687c5e57fa5e812a

1
roles/matrix-bridge-signal

@ -1 +0,0 @@
Subproject commit b27360700e82dd14fc42de6bdffc3d80bf3fa975

1
roles/matrix-bridge-telegram

@ -1 +0,0 @@
Subproject commit c8e442e4a931acc2220e4406282925c2d4a48954

1
roles/postgre

@ -1 +0,0 @@
Subproject commit e5ce16268f165be36d4f2f893caf47f9bdb6f332

10
roles/prometheus-alert-manager/handlers/main.yml
View file

@ -1,10 +0,0 @@
---
- name: Restart Alertmanager
systemd:
name: prometheus-alertmanager.service
state: restarted
- name: Restart kassandra
systemd:
name: kassandra.service
state: restarted

2
roles/prometheus-alert-manager/meta/main.yml
View file

@ -1,2 +0,0 @@
dependencies:
- role: install_nginx

73
roles/prometheus-alert-manager/tasks/kassandra.yml
View file

@ -1,73 +0,0 @@
---
- name: Install dependencies
apt:
name:
- python3.9
- python3.9-venv
state: latest
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Create the kassandra user
user:
name: kassandra
home: /opt/kassandra
password_lock: yes
system: yes
- name: Install kassandra
become: yes
become_user: kassandra
pip:
name:
- wheel
- "kassandra @ git+https://gitea.auro.re/histausse/kassandra.git"
virtualenv: /opt/kassandra
virtualenv_command: "python3.9 -m venv"
- name: Configure kassandra
template:
src: kassandra-config.yaml
dest: /opt/kassandra/config.yaml
owner: kassandra
group: nogroup
mode: '0600'
notify: Restart kassandra
no_log: true
- name: Copy the CA cert
copy:
content: "{{ ca_cert }}"
dest: /opt/kassandra/ca.crt
notify: Restart kassandra
- name: Generate certificate
include_role:
name: generate-cert
vars:
directory: /opt/kassandra/
cname: "kassandra-{{ lan_address }}"
owner: kassandra
group: nogroup
key_mode: u=rw,g=,o=
subject_alt_name: "IP:{{ lan_address }}"
# Need an equivalent to notify here
- name: Ensured the certificate is monitored
import_tasks: register-cert-to-monitoring.yml
vars:
target: "{{ lan_address }}:8000|kassandra-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
- name: Copy the daemon configuration
template:
src: kassandra.service
dest: /etc/systemd/system/kassandra.service
notify: Restart kassandra
- name: Enable the daemon
systemd:
name: kassandra
state: started
enabled: yes

75
roles/prometheus-alert-manager/tasks/main.yml
View file

@ -1,75 +0,0 @@
---
- name: Install Prometheus Alert Manager
apt:
name:
- prometheus-alertmanager
state: latest
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Setup the arguments for alertmanager
template:
src: prometheus-alertmanager
dest: /etc/default/prometheus-alertmanager
owner: root
group: root
mode: '0644'
notify: Restart Alertmanager
vars:
args:
- name: web.listen-address
value: "127.0.0.1:9093"
- name: Copy the CA cert
copy:
content: "{{ ca_cert }}"
dest: /etc/prometheus/ca.crt
notify:
- Restart Alertmanager
- Reload nginx
- name: Generate certificate
include_role:
name: generate-cert
vars:
directory: /etc/prometheus/
cname: "alertmanager-{{ lan_address }}"
owner: prometheus
group: prometheus
key_mode: u=rw,g=,o=
subject_alt_name: "IP:{{ lan_address }}"
# Need an equivalent to notify here
- name: Ensured the certificate is monitored
import_tasks: register-cert-to-monitoring.yml
vars:
target: "{{ lan_address }}:9093|alertmanager-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
- name: Setup the alertmanager config
template:
src: alertmanager.yml
dest: /etc/prometheus/alertmanager.yml
owner: prometheus
group: prometheus
mode: '0640'
notify: Restart Alertmanager
# Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
# Think prometheus, think!
- name: Copy the nginx config
template:
src: atrocious_nginx_stub
dest: "/etc/nginx/sites-available/internal-alertmanager"
notify: Reload nginx
- name: Activate the config
file:
src: "/etc/nginx/sites-available/internal-alertmanager"
dest: "/etc/nginx/sites-enabled/internal-alertmanager"
state: link
force: yes
- name: Setup the matrix bot
import_tasks: kassandra.yml

23
roles/prometheus-alert-manager/tasks/register-cert-to-monitoring.yml
View file

@ -1,23 +0,0 @@
---
- name: Get the list of targets of the server
slurp:
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
register: server_tls_targets_file
delegate_to: "{{ appointed_prometheus_server }}"
- name: Set target variable from file
set_fact:
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
- name: Register the endpoint to the prometheus server
block:
- name: Add the target
set_fact:
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
- name: Put the new target list
copy:
content: "{{ new_server_tls_targets | to_nice_json }}"
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
delegate_to: "{{ appointed_prometheus_server }}"
when: target not in server_tls_targets.0.targets

32
roles/prometheus-alert-manager/templates/alertmanager.yml
View file

@ -1,32 +0,0 @@
{{ ansible_managed | comment }}
# See https://prometheus.io/docs/alerting/configuration/ for documentation.
global:
# Config used by default by the receivers
http_config:
tls_config:
ca_file: "/etc/prometheus/ca.crt"
cert_file: "/etc/prometheus/alertmanager-{{ lan_address }}.crt"
key_file: "/etc/prometheus/alertmanager-{{ lan_address }}.key"
# The directory from which notification templates are read.
templates:
- "/etc/prometheus/alertmanager_templates/*.tmpl"
# The root route on which each incoming alert enters.
route:
repeat_interval: 6h
# A default receiver
receiver: kassandra
# Inhibition rules allow to mute a set of alerts given that another alert is
# firing.
# We use this to mute any warning-level notifications if the same alert is
# already critical.
inhibit_rules:
receivers:
- name: kassandra
webhook_configs:
- url: "https://{{ lan_address }}:8000/webhook"

13
roles/prometheus-alert-manager/templates/atrocious_nginx_stub
View file

@ -1,13 +0,0 @@
{{ ansible_managed | comment }}
server {
listen {{ lan_address }}:9093 ssl;
ssl_certificate /etc/prometheus/alertmanager-{{ lan_address }}.crt;
ssl_certificate_key /etc/prometheus/alertmanager-{{ lan_address }}.key;
ssl_client_certificate /etc/prometheus/ca.crt;
ssl_verify_client on;
location / {
proxy_pass http://127.0.0.1:9093;
}
}

16
roles/prometheus-alert-manager/templates/kassandra-config.yaml
View file

@ -1,16 +0,0 @@
---
{{ ansible_managed | comment }}
username: {{ kassandra_username }}
homeserver: https://{{ matrix_server_name}}
password: {{ kassandra_password }}
tls: yes
tls_auth: yes
host: {{ lan_address }}
tls_crt: kassandra-{{ lan_address }}.crt
tls_key: kassandra-{{ lan_address }}.key
ca_crt: ca.crt
alert_rooms:
{% for room in alert_rooms %}
- "{{ room }}"
{% endfor %}
...

12
roles/prometheus-alert-manager/templates/kassandra.service
View file

@ -1,12 +0,0 @@
{{ ansible_managed | comment }}
[Unit]
Description=Kassandra bot for alertmanager
[Service]
WorkingDirectory=/opt/kassandra
ExecStart=/opt/kassandra/bin/kassandra
User=kassandra
[Install]
WantedBy=multi-user.target

75
roles/prometheus-alert-manager/templates/prometheus-alertmanager
View file

@ -1,75 +0,0 @@
{{ ansible_managed | comment }}
# Set the command-line arguments to pass to the server.
{% if not args %}
ARGS=""
{% else %}
ARGS="\
{% for arg in args %}
--{{ arg.name }}={{ arg.value }} \
{% endfor %}
"
{% endif %}
# The alert manager supports the following options:
# --config.file="/etc/prometheus/alertmanager.yml"
# Alertmanager configuration file name.
# --storage.path="/var/lib/prometheus/alertmanager/"
# Base path for data storage.
# --data.retention=120h
# How long to keep data for.
# --alerts.gc-interval=30m
# Interval between alert GC.
# --log.level=info
# Only log messages with the given severity or above.
# --web.external-url=WEB.EXTERNAL-URL
# The URL under which Alertmanager is externally reachable (for example,
# if Alertmanager is served via a reverse proxy). Used for generating
# relative and absolute links back to Alertmanager itself. If the URL has
# a path portion, it will be used to prefix all HTTP endpoints served by
# Alertmanager. If omitted, relevant URL components will be derived
# automatically.
# --web.route-prefix=WEB.ROUTE-PREFIX
# Prefix for the internal routes of web endpoints. Defaults to path of
# --web.external-url.
# --web.listen-address=":9093"
# Address to listen on for the web interface and API.
# --web.ui-path="/usr/share/prometheus/alertmanager/ui/"
# Path to static UI directory.
# --template.default="/usr/share/prometheus/alertmanager/default.tmpl"
# Path to default notification template.
# --cluster.listen-address="0.0.0.0:9094"
# Listen address for cluster.
# --cluster.advertise-address=CLUSTER.ADVERTISE-ADDRESS
# Explicit address to advertise in cluster.
# --cluster.peer=CLUSTER.PEER ...
# Initial peers (may be repeated).
# --cluster.peer-timeout=15s
# Time to wait between peers to send notifications.
# --cluster.gossip-interval=200ms
# Interval between sending gossip messages. By lowering this value (more
# frequent) gossip messages are propagated across the cluster more
# quickly at the expense of increased bandwidth.
# --cluster.pushpull-interval=1m0s
# Interval for gossip state syncs. Setting this interval lower (more
# frequent) will increase convergence speeds across larger clusters at
# the expense of increased bandwidth usage.
# --cluster.tcp-timeout=10s Timeout for establishing a stream connection
# with a remote node for a full state sync, and for stream read and write
# operations.
# --cluster.probe-timeout=500ms
# Timeout to wait for an ack from a probed node before assuming it is
# unhealthy. This should be set to 99-percentile of RTT (round-trip time)
# on your network.
# --cluster.probe-interval=1s
# Interval between random node probes. Setting this lower (more frequent)
# will cause the cluster to detect failed nodes more quickly at the
# expense of increased bandwidth usage.
# --cluster.settle-timeout=1m0s
# Maximum time to wait for cluster connections to settle before
# evaluating notifications.
# --cluster.reconnect-interval=10s
# Interval between attempting to reconnect to lost peers.
# --cluster.reconnect-timeout=6h0m0s
# Length of time to attempt to reconnect to a lost peer.

47
roles/prometheus-blackbox-exporter/files/alerts-blackbox.yml
View file

@ -1,47 +0,0 @@
---
groups:
- name: BlackBoxAllInstances
rules:
- alert: SiteUp
expr: probe_success{job="blackbox http-down"} == 1
annotations:
title: '{{ $labels.instance }} is UP!'
description: '{{ $labels.instance }} is now up!'
labels:
value: "{{ $value }}"
severity: 'critical'
- alert: SiteDown
expr: probe_success{job="blackbox http-up"} == 0
for: 5m
annotations:
title: '{{ $labels.instance }} is Down'
description: >-
{{ $labels.instance }} has been down for more than 5 minutes.
labels:
value: "{{ $value }}"
severity: 'warning'
- alert: CertExpLess30daysProb
expr: (probe_ssl_earliest_cert_expiry{job="blackbox internal tls"}-time()) < 2592000
annotations:
title: '{{ $labels.cname }} will expire soon'
description: >-
The certificate {{ $labels.cname }} on {{ $labels.instance }} will expire in
{{ $value | humanizeDuration }}, it's time to renew it.
labels:
value: "{{ $value }}"
severity: 'warning'
- alert: CertExpLess10daysProb
expr: (probe_ssl_earliest_cert_expiry{job="blackbox internal tls"}-time()) < 864000
annotations:
title: '{{ $labels.cname }} expiracy is imminent!'
description: >-
The certificate {{ $labels.cname }} on {{ $labels.instance }} will expire in
{{ $value | humanizeDuration }}!
labels:
value: "{{ $value }}"
severity: 'critical'
...

10
roles/prometheus-blackbox-exporter/handlers/main.yml
View file

@ -1,10 +0,0 @@
---
- name: Restart blackbox-exporter
systemd:
name: prometheus-blackbox-exporter.service
state: restarted
- name: Restart prometheus
systemd:
name: prometheus
state: restarted

2
roles/prometheus-blackbox-exporter/meta/main.yml
View file

@ -1,2 +0,0 @@
dependencies:
- role: install_nginx

96
roles/prometheus-blackbox-exporter/tasks/main.yml
View file

@ -1,96 +0,0 @@
---
- name: Install Prometheus Components
apt:
name:
- prometheus-blackbox-exporter
state: latest
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Copy the CA cert
copy:
content: "{{ ca_cert }}"
dest: /etc/prometheus/ca.crt
notify:
- Restart blackbox-exporter
- Reload nginx
- name: Generate certificate
include_role:
name: generate-cert
vars:
directory: /etc/prometheus/
cname: "blackbox-{{ lan_address }}"
owner: prometheus
group: prometheus
key_mode: u=rw,g=,o=
subject_alt_name: "IP:{{ lan_address }}"
# Need an equivalent to notify here
- name: Ensured the certificate is monitored
import_tasks: register-cert-to-monitoring.yml
vars:
target: "{{ lan_address }}:9115|blackbox-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
- name: Setup the blackbox config
template:
src: blackbox.yml
dest: /etc/prometheus/blackbox.yml
owner: prometheus
group: prometheus
mode: '0640'
notify: Restart blackbox-exporter
no_log: true
#- name: Copy the web-config folder
# template:
# src: web-config.yaml
# dest: /etc/prometheus/web-config-blackbox.yaml
# group: prometheus
# owner: prometheus
# mode: u=rw,g=r,o=r
# notify: Restart blackbox-exporter
- name: Setup the arguments for prometheus
template:
src: prometheus-blackbox-exporter
dest: /etc/default/prometheus-blackbox-exporter
owner: root
group: root
mode: '0644'
notify: Restart blackbox-exporter
vars:
args:
- name: web.listen-address
value: "127.0.0.1:9115"
# value: "{{ lan_address }}:9115"
- name: config.file
value: /etc/prometheus/blackbox.yml
# - name: web.config.file
# value: /etc/prometheus/web-config.yaml
## Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
# Think prometheus, think!
- name: Copy the nginx config
template:
src: atrocious_nginx_stub
dest: "/etc/nginx/sites-available/internal-blackbox"
notify: Reload nginx
- name: Activate the config
file:
src: "/etc/nginx/sites-available/internal-blackbox"
dest: "/etc/nginx/sites-enabled/internal-blackbox"
state: link
force: yes
- name: Add alert rules for node on the prometheus server
copy:
src: alerts-blackbox.yml
dest: /etc/prometheus/alertsblackbox.yml
owner: prometheus
group: prometheus
mode: u=rw,g=r,o=r
notify: Restart prometheus

23
roles/prometheus-blackbox-exporter/tasks/register-cert-to-monitoring.yml
View file

@ -1,23 +0,0 @@
---
- name: Get the list of targets of the server
slurp:
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
register: server_tls_targets_file
delegate_to: "{{ appointed_prometheus_server }}"
- name: Set target variable from file
set_fact:
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
- name: Register the endpoint to the prometheus server
block:
- name: Add the target
set_fact:
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
- name: Put the new target list
copy:
content: "{{ new_server_tls_targets | to_nice_json }}"
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
delegate_to: "{{ appointed_prometheus_server }}"
when: target not in server_tls_targets.0.targets

13
roles/prometheus-blackbox-exporter/templates/atrocious_nginx_stub
View file

@ -1,13 +0,0 @@
{{ ansible_managed | comment }}
server {
listen {{ lan_address }}:9115 ssl;
ssl_certificate /etc/prometheus/blackbox-{{ lan_address }}.crt;
ssl_certificate_key /etc/prometheus/blackbox-{{ lan_address }}.key;
ssl_client_certificate /etc/prometheus/ca.crt;
ssl_verify_client on;
location / {
proxy_pass http://127.0.0.1:9115;
}
}

23
roles/prometheus-blackbox-exporter/templates/blackbox.yml
View file

@ -1,23 +0,0 @@
{{ ansible_managed | comment }}
modules:
http_2xx:
prober: http
http:
http_post_2xx:
prober: http
http:
method: POST
tcp_connect:
prober: tcp
icmp:
prober: icmp
internal_tls_connect:
prober: tcp
timeout: 10s
tcp:
tls: true
tls_config:
ca_file: '/etc/prometheus/ca.crt'
cert_file: '/etc/prometheus/blackbox-{{ lan_address }}.crt'
key_file: '/etc/prometheus/blackbox-{{ lan_address }}.key'

21
roles/prometheus-blackbox-exporter/templates/prometheus-blackbox-exporter
View file

@ -1,21 +0,0 @@
{{ ansible_managed | comment }}
# Set the command-line arguments to pass to the server.
{% if not args %}
ARGS=""
{% else %}
ARGS="\
{% for arg in args %}
--{{ arg.name }}={{ arg.value }} \
{% endfor %}
"
{% endif %}
# Usage of prometheus-blackbox-exporter:
# --config.file="blackbox.yml"
# Blackbox exporter configuration file.
# --web.listen-address=":9115"
# The address to listen on for HTTP requests.
# --timeout-offset=0.5 Offset to subtract from timeout in seconds.
# --log.level=info Only log messages with the given severity or above.
# One of: [debug, info, warn, error]

6
roles/prometheus-blackbox-exporter/templates/targets.json
View file

@ -1,6 +0,0 @@
[
{
"targets": [
]
}
]

7
roles/prometheus-blackbox-exporter/templates/web-config.yaml
View file

@ -1,7 +0,0 @@
{{ ansible_managed | comment }}
tls_server_config:
cert_file: "/etc/prometheus/blackbox-{{ lan_address }}.crt"
key_file: "/etc/prometheus/blackbox-{{ lan_address }}.key"
client_auth_type: "RequireAndVerifyClientCert"
client_ca_file: "/etc/prometheus/ca.crt"

181
roles/prometheus-node-exporter/files/alerts-node.yml
View file

@ -1,181 +0,0 @@
---
groups:
- name: NodeAllInstances
rules:
- alert: InstanceDown
expr: up{job='node'} == 0
for: 5m
annotations:
title: 'Instance {{ $labels.instance }} down'
description: >-
{{ $labels.instance }} has been down for more than 5 minutes.
labels:
value: "{{ $value }}"
severity: critical
- alert: OutOfDiskSpace
expr: (100 - node_filesystem_avail_bytes{} *100 / node_filesystem_size_bytes{}) > 80
for: 1m
annotations:
title: '`{{ $labels.instance }}:{{ $labels.mountpoint }}` is out of space'
description: >-
Partition `{{ $labels.mountpoint }}` (`{{ $labels.device }}`) of {{ $labels.instance }}
uses {{ $value | printf "%.1f" }}% of its capacity.
labels:
value: "{{ $value }}"
severity: warning
- alert: OutOfMemory
expr: >-
(
node_memory_MemTotal_bytes
- node_memory_MemFree_bytes
- node_memory_Cached_bytes
- node_memory_Buffers_bytes
) / node_memory_MemTotal_bytes * 100 > 80
for: 1m
annotations:
title: '{{ $labels.instance }} is out of memory'
description: >-
{{ $labels.instance }} uses {{ $value | printf "%.1f" }}% of its memory capacity.
labels:
value: "{{ $value }}"
severity: warning
- alert: OutOfInode
expr: >-
(
node_filesystem_files
- node_filesystem_files_free
) / node_filesystem_files * 100 >= 90
for: 5m
annotations:
title: '`{{ $labels.instance }}:{{ $labels.mountpoint }}` is out of Inodes'
description: >-
Partition {{ $labels.mountpoint }} ({{ $labels.device }}) of {{ $labels.instance }}
uses {{ $value | printf "%.1f" }}% of its Inodes.
labels:
value: "{{ $value }}"
severity: warning
- alert: Swapping
expr: >-
(
node_memory_SwapTotal_bytes
- node_memory_SwapFree_bytes
) / node_memory_SwapTotal_bytes * 100 >= 50
for: 5m
annotations:
title: '{{ $labels.instance }} is using a lot of swap'
description: >-
{{ $labels.instance }} uses {{ $value | printf "%.1f" }}% of its memory capacity.
labels:
value: "{{ $value }}"
severity: warning
- alert: PhysicalComponentTooHot
expr: node_hwmon_temp_celsius > 79
for: 5m
annotations:
title: '{{ $labels.instance }} is heating up'
description: >-
The internal temperature of {{ $labels.instance }} is {{ $value }}°C!
labels:
value: "{{ $value }}"
severity: critical
- alert: PhysicalComponentHeatAlarm
expr: node_hwmon_temp_crit_alarm_celsius == 1
for: 0m
annotations:
title: 'The temperature alarm of {{ $labels.instance }} is up'
description: >-
Do something!
labels:
value: "{{ $value }}"
severity: critical
- alert: OOMKill
expr: increase(node_vmstat_oom_kill[1m]) > 0
for: 0m
annotations:
title: 'The kernel is killing processes'
description: >-
The kernel killed {{ $value }} proccesses (OOM killer)
labels:
value: "{{ $value }}"
severity: warning
- alert: CorrectableErrorDetected
expr: increase(node_edac_correctable_errors_total[1m]) > 0
for: 0m
annotations:
title: 'Memory errors have been corrected'
description: >-
{{ $value | printf "%.1f" }} error(s) have been corrected (EDAC)
labels:
value: "{{ $value }}"
severity: warning
- alert: UncorrectableErrorDetected
expr: increase(node_edac_uncorrectable_errors_total[1m]) > 0
for: 0m
annotations:
title: 'Memory errors could not be corrected'
description: >-
{{ $value | printf "%.1f" }} error(s) could not be corrected (EDAC)
labels:
value: "{{ $value }}"
severity: warning
- alert: UnhealthyDisk
expr: >-
(
smartmon_device_smart_healthy
and on (instance, disk)
smartmon_device_info{product!="QEMU HARDDISK"}
) < 1
for: 10m
annotations:
title: '`{{ $labels.instance }}:{{ $labels.disk }}` is unhealthy'
description: >-
Smartools detected that `{{ $labels.disk }}` on {{ $labels.instance }} is unhealthy
and will probably need to be changed.
labels:
value: "{{ $value }}"
severity: critical
- alert: ServiceFailed
expr: node_systemd_unit_state{state="failed"}==1
for: 10m
annotations:
title: '{{ $labels.name }} failed'
description: >-
The systemd service {{ $labels.name }} failed on {{ $labels.instance }}
labels:
value: "{{ $value }}"
severity: warning
- alert: CertExpLess30days
expr: (local_x509_expiry_date{job="blackbox internal tls"}-time()) < 2592000
annotations:
title: '{{ $labels.cname }} will expire soon'
description: >-
The certificate {{ $labels.cname }} on {{ $labels.instance }} at {{ $labels.file }}
will expire in {{ $value | humanizeDuration }}, it's time to renew it.
labels:
value: "{{ $value }}"
severity: 'warning'
- alert: CertExpLess10days
expr: (local_x509_expiry_date{job="blackbox internal tls"}-time()) < 864000
annotations:
title: '{{ $labels.cname }} expiracy is imminent!'
description: >-
The certificate {{ $labels.cname }} on {{ $labels.instance }} at {{ $labels.file }}
will expire in {{ $value | humanizeDuration }}, RENEW IT!!!
labels:
value: "{{ $value }}"
severity: 'critical'
...

25
roles/prometheus-node-exporter/files/local_x509.sh
View file

@ -1,25 +0,0 @@
#!/usr/bin/env bash
sanitize() {
while read -r data; do
set -- $data
printf %q "$1" | sed -e 's/\\ / /g'
done
}
print_metric() {
while read -r data; do
set -- $data
if [ -f "$1" ]; then
exp_date=`openssl x509 -enddate --noout -in "$1" | sed -e 's/notAfter=//g'`
exp_date_unixtime=`date -d "$exp_date" -u +%s`
cname=`openssl x509 -subject --noout -in "$1" | sed -e 's/^.*CN = //' | sed -e 's/,.*$//' | sanitize`
filename=`realpath "$1" | sanitize`
echo "local_x509_expiry_date{cname=\"$cname\",file=\"$filename\"} $exp_date_unixtime"
fi
done
}
echo '# HELP local_x509_expiry_date The cert expiry date in unixtime'
echo '# TYPE local_x509_expiry_date gauge'
printf '%s\n' "$@" | print_metric

5
roles/prometheus-node-exporter/files/prometheus-node-exporter-local_x509
View file

@ -1,5 +0,0 @@
# The list of certs to monitor
ARGS="
/etc/letsencrypt/live/**/cert.pem
/etc/hackypky/crts/*.crt
"

8
roles/prometheus-node-exporter/files/prometheus-node-exporter-local_x509.service
View file

@ -1,8 +0,0 @@
[Unit]
Description=Collect local x509 certificate metrics for prometheus-node-exporter
[Service]
Type=oneshot
EnvironmentFile=/etc/default/prometheus-node-exporter-local_x509
Environment=TMPDIR=/var/lib/prometheus/node-exporter
ExecStart=/bin/bash -c "/usr/share/prometheus-node-exporter-collectors/local_x509.sh $ARGS | sponge /var/lib/prometheus/node-exporter/local_x509.prom"

9
roles/prometheus-node-exporter/files/prometheus-node-exporter-local_x509.timer
View file

@ -1,9 +0,0 @@
[Unit]
Description=Run local x509 metrics collection every 15 minutes
[Timer]
OnBootSec=0
OnUnitActiveSec=15min
[Install]
WantedBy=timers.target

10
roles/prometheus-node-exporter/handlers/main.yml
View file

@ -1,10 +0,0 @@
---
- name: Restart prometheus-node-exporter
systemd:
name: prometheus-node-exporter
state: restarted
- name: Restart appointed_prometheus_server
systemd:
name: prometheus
state: restarted
delegate_to: "{{ appointed_prometheus_server }}"

69
roles/prometheus-node-exporter/tasks/local_x509_collector.yml
View file

@ -1,69 +0,0 @@
---
- name: Install moreutils # we need the sponge command
apt:
name:
- moreutils
state: latest
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Ensure /usr/share/prometheus-node-exporter exist
file:
path: /usr/share/prometheus-node-exporter/
state: directory
group: root
owner: root
mode: u=rwx,g=rx,o=rx
# Optionnal, but used with the hacky_pki role
- name: Ensure /etc/hackypky/crts/ exist
file:
path: "{{ item }}"
state: directory
group: root
owner: root
mode: u=rwx,g=rx,o=rx
loop:
- /etc/hackypky
- /etc/hackypky/crts
- name: Add the script
copy:
src: local_x509.sh
dest: /usr/share/prometheus-node-exporter-collectors/local_x509.sh
group: root
owner: root
mode: u=rwx,g=,o=
- name: Add the env file
copy:
src: prometheus-node-exporter-local_x509
dest: /etc/default/prometheus-node-exporter-local_x509
group: root
owner: root
force: no
mode: u=rwx,g=r,o=r
- name: Add the timer
copy:
src: prometheus-node-exporter-local_x509.timer
dest: /lib/systemd/system/prometheus-node-exporter-local_x509.timer
group: root
owner: root
mode: u=rw,g=r,o=r
- name: Add the service
copy:
src: prometheus-node-exporter-local_x509.service
dest: /lib/systemd/system/prometheus-node-exporter-local_x509.service
group: root
owner: root
mode: u=rw,g=r,o=r
- name: Enable the timer
systemd:
name: prometheus-node-exporter-local_x509.timer
enabled: true
state: started

130
roles/prometheus-node-exporter/tasks/main.yml
View file

@ -1,130 +0,0 @@
---
- name: Use a newer version of Node exporter for ubuntu 20.04
block:
- name: Set the default release
lineinfile:
path: /etc/apt/apt.conf.d/01-vendor-ubuntu
regexp: '^APT::Default-Release '
line: "APT::Default-Release \"{{ ansible_facts['lsb']['codename'] }}\";"
- name: Pin node exporter
copy:
dest: /etc/apt/preferences.d/pin-prometheus-node-exporter
content: |
Package: prometheus-node-exporter
Pin: release n={{ ansible_facts['lsb']['codename'] }}
Pin-Priority: -10
Package: prometheus-node-exporter
Pin: release n=groovy
Pin-Priority: 900
- name: Add the repo from groovy
apt_repository:
repo: deb http://fr.archive.ubuntu.com/ubuntu groovy universe
state: present
when: ansible_facts['lsb']['id'] == 'Ubuntu' and ansible_facts['lsb']['codename'] == 'focal'
- name: Install Prometheus Node exporter
apt:
name:
- prometheus-node-exporter
- prometheus-node-exporter-collectors
state: latest
update_cache: true
install_recommends: false # Do not install smartmontools
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Install the local_x509 exporter
import_tasks: local_x509_collector.yml
- name: Ensure /etc/node_exporter exist
file:
path: /etc/node_exporter
state: directory
group: prometheus
owner: prometheus
mode: u=rwx,g=rx,o=rx
- name: Copy the config folder
template:
src: config.yaml
dest: /etc/node_exporter/config.yaml
group: prometheus
owner: prometheus
mode: u=rw,g=r,o=r
notify: Restart prometheus-node-exporter
- name: Copy the CA cert
copy:
content: "{{ ca_cert }}"
dest: /etc/node_exporter/ca.crt
notify: Restart prometheus-node-exporter
- name: Generate certificate
include_role:
name: generate-cert
vars:
directory: /etc/node_exporter/
cname: "node-exp-{{ lan_address }}"
owner: prometheus
group: prometheus
key_mode: u=rw,g=,o=
subject_alt_name: "IP:{{ lan_address }}"
# Need an equivalent to notify here
- name: Ensured the certificate is monitored
import_tasks: register-cert-to-monitoring.yml
vars:
target: "{{ lan_address }}:9100|node-exp-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
- name: Setup the arguments for node-exporter
template:
src: prometheus-node-exporter
dest: /etc/default/prometheus-node-exporter
owner: root
group: root
mode: u=rw,g=r,o=r
notify: Restart prometheus-node-exporter
vars:
args:
- name: web.listen-address
value: "{{ lan_address }}:9100"
- name: web.config
value: /etc/node_exporter/config.yaml
- name: Add the node to the server targets
block:
- name: Get the list of targets of the server
slurp:
src: /etc/prometheus/targets/node-targets.json
register: server_node_target_file
delegate_to: "{{ appointed_prometheus_server }}"
- name: Set target variable
set_fact:
server_node_target: "{{ server_node_target_file['content'] | b64decode | from_json }}"
- name: Register the node to the prometheus server
block:
- name: Add the node to the targets
set_fact:
new_server_node_target: "[{{ server_node_target[0] | combine({'targets': [lan_address + '|' + ansible_facts['nodename']]}, list_merge='append_rp') }}]"
- name: Put the new target list
copy:
content: "{{ new_server_node_target | to_nice_json }}"
dest: /etc/prometheus/node-targets.json
delegate_to: "{{ appointed_prometheus_server }}"
when: (lan_address + '|' + ansible_facts['nodename']) not in server_node_target.0.targets
- name: Add alert rules for node on the prometheus server
copy:
src: alerts-node.yml
dest: /etc/prometheus/alerts/node.yml
owner: prometheus
group: prometheus
mode: u=rw,g=r,o=r
delegate_to: "{{ appointed_prometheus_server }}"
notify: Restart appointed_prometheus_server

23
roles/prometheus-node-exporter/tasks/register-cert-to-monitoring.yml
View file

@ -1,23 +0,0 @@
---
- name: Get the list of targets of the server
slurp:
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
register: server_tls_targets_file
delegate_to: "{{ appointed_prometheus_server }}"
- name: Set target variable from file
set_fact:
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
- name: Register the endpoint to the prometheus server
block:
- name: Add the target
set_fact:
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
- name: Put the new target list
copy:
content: "{{ new_server_tls_targets | to_nice_json }}"
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
delegate_to: "{{ appointed_prometheus_server }}"
when: target not in server_tls_targets.0.targets

7
roles/prometheus-node-exporter/templates/config.yaml
View file

@ -1,7 +0,0 @@
{{ ansible_managed | comment }}
tls_server_config:
cert_file: "/etc/node_exporter/node-exp-{{ lan_address }}.crt"
key_file: "/etc/node_exporter/node-exp-{{ lan_address }}.key"
client_auth_type: "RequireAndVerifyClientCert"
client_ca_file: "/etc/node_exporter/ca.crt"

138
roles/prometheus-node-exporter/templates/prometheus-node-exporter
View file

@ -1,138 +0,0 @@
{{ ansible_managed | comment }}
# Set the command-line arguments to pass to the server.
# Due to shell scaping, to pass backslashes for regexes, you need to double
# them (\\d for \d). If running under systemd, you need to double them again
# (\\\\d to mean \d), and escape newlines too.
{% if not args %}
ARGS=""
{% else %}
ARGS="\
{% for arg in args %}
--{{ arg.name }}={{ arg.value }} \
{% endfor %}
"
{% endif %}
# Prometheus-node-exporter supports the following options:
#
# --collector.diskstats.ignored-devices="^(ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\\d+n\\d+p)\\d+$"
# Regexp of devices to ignore for diskstats.
# --collector.filesystem.ignored-mount-points="^/(dev|proc|run|sys|mnt|media|var/lib/docker)($|/)"
# Regexp of mount points to ignore for filesystem
# collector.
# --collector.filesystem.ignored-fs-types="^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$"
# Regexp of filesystem types to ignore for
# filesystem collector.
# --collector.netdev.ignored-devices="^lo$"
# Regexp of net devices to ignore for netdev
# collector.
# --collector.netstat.fields="^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*)|Tcp_(ActiveOpens|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts))$"
# Regexp of fields to return for netstat
# collector.
# --collector.ntp.server="127.0.0.1"
# NTP server to use for ntp collector
# --collector.ntp.protocol-version=4
# NTP protocol version
# --collector.ntp.server-is-local
# Certify that collector.ntp.server address is the
# same local host as this collector.
# --collector.ntp.ip-ttl=1 IP TTL to use while sending NTP query
# --collector.ntp.max-distance=3.46608s
# Max accumulated distance to the root
# --collector.ntp.local-offset-tolerance=1ms
# Offset between local clock and local ntpd time
# to tolerate
# --path.procfs="/proc" procfs mountpoint.
# --path.sysfs="/sys" sysfs mountpoint.
# --collector.qdisc.fixtures=""
# test fixtures to use for qdisc collector
# end-to-end testing
# --collector.runit.servicedir="/etc/service"
# Path to runit service directory.
# --collector.supervisord.url="http://localhost:9001/RPC2"
# XML RPC endpoint.
# --collector.systemd.unit-whitelist=".+"
# Regexp of systemd units to whitelist. Units must
# both match whitelist and not match blacklist to
# be included.
# --collector.systemd.unit-blacklist=".+(\\.device|\\.scope|\\.slice|\\.target)"
# Regexp of systemd units to blacklist. Units must
# both match whitelist and not match blacklist to
# be included.
# --collector.systemd.private
# Establish a private, direct connection to
# systemd without dbus.
# --collector.textfile.directory="/var/lib/prometheus/node-exporter"
# Directory to read text files with metrics from.
# --collector.vmstat.fields="^(oom_kill|pgpg|pswp|pg.*fault).*"
# Regexp of fields to return for vmstat collector.
# --collector.wifi.fixtures=""
# test fixtures to use for wifi collector metrics
# --collector.arp Enable the arp collector (default: enabled).
# --collector.bcache Enable the bcache collector (default: enabled).
# --collector.bonding Enable the bonding collector (default: enabled).
# --collector.buddyinfo Enable the buddyinfo collector (default:
# disabled).
# --collector.conntrack Enable the conntrack collector (default:
# enabled).
# --collector.cpu Enable the cpu collector (default: enabled).
# --collector.diskstats Enable the diskstats collector (default:
# enabled).
# --collector.drbd Enable the drbd collector (default: disabled).
# --collector.edac Enable the edac collector (default: enabled).
# --collector.entropy Enable the entropy collector (default: enabled).
# --collector.filefd Enable the filefd collector (default: enabled).
# --collector.filesystem Enable the filesystem collector (default:
# enabled).
# --collector.hwmon Enable the hwmon collector (default: enabled).
# --collector.infiniband Enable the infiniband collector (default:
# enabled).
# --collector.interrupts Enable the interrupts collector (default:
# disabled).
# --collector.ipvs Enable the ipvs collector (default: enabled).
# --collector.ksmd Enable the ksmd collector (default: disabled).
# --collector.loadavg Enable the loadavg collector (default: enabled).
# --collector.logind Enable the logind collector (default: disabled).
# --collector.mdadm Enable the mdadm collector (default: enabled).
# --collector.meminfo Enable the meminfo collector (default: enabled).
# --collector.meminfo_numa Enable the meminfo_numa collector (default:
# disabled).
# --collector.mountstats Enable the mountstats collector (default:
# disabled).
# --collector.netdev Enable the netdev collector (default: enabled).
# --collector.netstat Enable the netstat collector (default: enabled).
# --collector.nfs Enable the nfs collector (default: enabled).
# --collector.nfsd Enable the nfsd collector (default: enabled).
# --collector.ntp Enable the ntp collector (default: disabled).
# --collector.qdisc Enable the qdisc collector (default: disabled).
# --collector.runit Enable the runit collector (default: disabled).
# --collector.sockstat Enable the sockstat collector (default:
# enabled).
# --collector.stat Enable the stat collector (default: enabled).
# --collector.supervisord Enable the supervisord collector (default:
# disabled).
# --collector.systemd Enable the systemd collector (default: enabled).
# --collector.tcpstat Enable the tcpstat collector (default:
# disabled).
# --collector.textfile Enable the textfile collector (default:
# enabled).
# --collector.time Enable the time collector (default: enabled).
# --collector.uname Enable the uname collector (default: enabled).
# --collector.vmstat Enable the vmstat collector (default: enabled).
# --collector.wifi Enable the wifi collector (default: enabled).
# --collector.xfs Enable the xfs collector (default: enabled).
# --collector.zfs Enable the zfs collector (default: enabled).
# --collector.timex Enable the timex collector (default: enabled).
# --web.listen-address=":9100"
# Address on which to expose metrics and web
# interface.
# --web.telemetry-path="/metrics"
# Path under which to expose metrics.
# --log.level="info" Only log messages with the given severity or
# above. Valid levels: [debug, info, warn, error,
# fatal]
# --log.format="logger:stderr"
# Set the log target and format. Example:
# "logger:syslog?appname=bob&local=7" or
# "logger:stdout?json=true"

5
roles/prometheus/handlers/main.yml
View file

@ -1,5 +0,0 @@
---
- name: Restart prometheus
systemd:
name: prometheus
state: restarted

2
roles/prometheus/meta/main.yml
View file

@ -1,2 +0,0 @@
dependencies:
- role: install_nginx

117
roles/prometheus/tasks/main.yml
View file

@ -1,117 +0,0 @@
---
- name: Install Prometheus Components
apt:
name:
- prometheus
- prometheus-pushgateway
state: latest
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Ensure the alert folder exist
file:
path: /etc/prometheus/alerts
state: directory
group: prometheus
owner: prometheus
mode: u=rwx,g=rx,o=rx
- name: Ensure the target folder exist
file:
path: /etc/prometheus/targets
state: directory
group: prometheus
owner: prometheus
mode: u=rwx,g=rx,o=rx
- name: Copy the CA cert
copy:
content: "{{ ca_cert }}"
dest: /etc/prometheus/ca.crt
notify:
- Restart prometheus
- Reload nginx
- name: Generate certificate
include_role:
name: generate-cert
vars:
directory: /etc/prometheus/
cname: "prometheus-{{ lan_address }}"
owner: prometheus
group: prometheus
key_mode: u=rw,g=,o=
subject_alt_name: "IP:{{ lan_address }}"
# Need an equivalent to notify here
- name: Ensured the certificate is monitored
import_tasks: register-cert-to-monitoring.yml
vars:
target: "{{ lan_address }}:9090|prometheus-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
- name: Setup the prometheus config
template:
src: prometheus.yml
dest: /etc/prometheus/prometheus.yml
owner: prometheus
group: prometheus
mode: '0640'
notify: Restart prometheus
no_log: true
- name: Add node targets file
template:
src: node-targets.json
dest: "/etc/prometheus/targets/{{ item }}-targets.json"
owner: prometheus
group: prometheus
mode: '0640'
force: no
notify: Restart prometheus
loop:
- blackbox-http-down
- blackbox-http-up
- blackbox-tls-internal
- node
- name: Copy the web-config folder
template:
src: web-config.yaml
dest: /etc/prometheus/web-config.yaml
group: prometheus
owner: prometheus
mode: u=rw,g=r,o=r
notify: Restart prometheus
- name: Setup the arguments for prometheus
template:
src: prometheus
dest: /etc/default/prometheus
owner: root
group: root
mode: '0644'
notify: Restart prometheus
vars:
args:
- name: web.listen-address
value: "127.0.0.1:9090"
# value: "{{ lan_address }}:9090"
# - name: web.config.file # Not available before 2.24, and it sucks
# value: /etc/prometheus/web-config.yaml
# Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
# Think prometheus, think!
- name: Copy the nginx config
template:
src: atrocious_nginx_stub
dest: "/etc/nginx/sites-available/internal-prometheus"
notify: Reload nginx
- name: Activate the config
file:
src: "/etc/nginx/sites-available/internal-prometheus"
dest: "/etc/nginx/sites-enabled/internal-prometheus"
state: link
force: yes

23
roles/prometheus/tasks/register-cert-to-monitoring.yml
View file

@ -1,23 +0,0 @@
---
- name: Get the list of targets of the server
slurp:
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
register: server_tls_targets_file
delegate_to: "{{ appointed_prometheus_server }}"
- name: Set target variable from file
set_fact:
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
- name: Register the endpoint to the prometheus server
block:
- name: Add the target
set_fact:
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
- name: Put the new target list
copy:
content: "{{ new_server_tls_targets | to_nice_json }}"
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
delegate_to: "{{ appointed_prometheus_server }}"
when: target not in server_tls_targets.0.targets

13
roles/prometheus/templates/atrocious_nginx_stub
View file

@ -1,13 +0,0 @@
{{ ansible_managed | comment }}
server {
listen {{ lan_address }}:9090 ssl;
ssl_certificate /etc/prometheus/prometheus-{{ lan_address }}.crt;
ssl_certificate_key /etc/prometheus/prometheus-{{ lan_address }}.key;
ssl_client_certificate /etc/prometheus/ca.crt;
ssl_verify_client on;
location / {
proxy_pass http://127.0.0.1:9090;
}
}

Some files were not shown because too many files have changed in this diff Show more