No commits in common. "master" and "networking" have entirely different histories.
117 changed files with 387 additions and 6435 deletions
18
.gitmodules
vendored
18
.gitmodules
vendored
|
@ -1,18 +0,0 @@
|
||||||
[submodule "roles/matrix-bridge-discord"]
|
|
||||||
path = roles/matrix-bridge-discord
|
|
||||||
url = ssh://git@gitea.auro.re:2222/Pains-Perdus/matrix-bridge-discord.git
|
|
||||||
[submodule "roles/matrix-bridge-facebook"]
|
|
||||||
path = roles/matrix-bridge-facebook
|
|
||||||
url = ssh://git@gitea.auro.re:2222/Pains-Perdus/matrix-bridge-facebook.git
|
|
||||||
[submodule "roles/matrix-bridge-signal"]
|
|
||||||
path = roles/matrix-bridge-signal
|
|
||||||
url = ssh://git@gitea.auro.re:2222/Pains-Perdus/matrix-bridge-signal.git
|
|
||||||
[submodule "roles/matrix-bridge-instagram"]
|
|
||||||
path = roles/matrix-bridge-instagram
|
|
||||||
url = ssh://git@gitea.auro.re:2222/Pains-Perdus/matrix-bridge-instagram.git
|
|
||||||
[submodule "roles/postgre"]
|
|
||||||
path = roles/postgre
|
|
||||||
url = ssh://git@gitea.auro.re:2222/Pains-Perdus/postgre.git
|
|
||||||
[submodule "roles/matrix-bridge-telegram"]
|
|
||||||
path = roles/matrix-bridge-telegram
|
|
||||||
url = ssh://git@gitea.auro.re:2222/Pains-Perdus/matrix-bridge-telegram.git
|
|
40
TODO.md
40
TODO.md
|
@ -1,40 +0,0 @@
|
||||||
# My todo list
|
|
||||||
|
|
||||||
Stuff that I should do but will probably never do.
|
|
||||||
|
|
||||||
## Polish the user role
|
|
||||||
|
|
||||||
The role is fine, but could use some default filter, like for the shell value.
|
|
||||||
|
|
||||||
Also, the variables are messy.
|
|
||||||
|
|
||||||
Also, a more atomique gestion of the users would be great.
|
|
||||||
|
|
||||||
## Create a role "generate certificate"
|
|
||||||
|
|
||||||
Curently, reverse_proxt_http and similare roles implement certbot themselves, and there is a role
|
|
||||||
for generating self signed certificate.
|
|
||||||
|
|
||||||
It would be better to manage certbot in a role, to allow off-wan machine to use reverse_proxy_http with self signed certificates for instance.
|
|
||||||
|
|
||||||
Bonus point if the role chose whether to use certbot or a self-signed certificate (but the dependencie gestion could begin to get tricky :/ )
|
|
||||||
|
|
||||||
## Proxmox setup
|
|
||||||
|
|
||||||
setup:
|
|
||||||
|
|
||||||
- x509 for clickodrom
|
|
||||||
- bind the clickodrom to a specific interface
|
|
||||||
- remove the "please pay us" message
|
|
||||||
- remove the enterprise apt repo
|
|
||||||
|
|
||||||
## VM setup
|
|
||||||
|
|
||||||
- create a VM from template using cloud init
|
|
||||||
- add VM to dynamic inventory
|
|
||||||
- use the cloud init account to connect to the new VM
|
|
||||||
- setup the VM
|
|
||||||
- disable cloud init
|
|
||||||
- remove cloud init account and change the connenction variable for the vm
|
|
||||||
|
|
||||||
good luck
|
|
0
books/apt_proxy.yml
Executable file → Normal file
0
books/apt_proxy.yml
Executable file → Normal file
4
books/base.yml
Executable file → Normal file
4
books/base.yml
Executable file → Normal file
|
@ -9,10 +9,6 @@
|
||||||
roles:
|
roles:
|
||||||
- networking
|
- networking
|
||||||
- base_config
|
- base_config
|
||||||
- prometheus-node-exporter
|
|
||||||
|
|
||||||
- hosts: all, !tests, !no_user,
|
|
||||||
roles:
|
|
||||||
- create_users
|
- create_users
|
||||||
- ssh_totp
|
- ssh_totp
|
||||||
|
|
||||||
|
|
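Review bot: On the new side, `- create_users` and `- ssh_totp` become part of the role list of the first play (whose `- hosts:` line is above this hunk) once the separate `- hosts: all, !tests, !no_user,` play is dropped, so user creation and TOTP enforcement now run on every host that first play targets, including any host the old pattern excluded via `!no_user`. The same exclusion disappears in books/users.yml (`- hosts: all, !tests`), so nothing in this compare still keeps `no_user` hosts out of create_users. If the group has been retired, the inventory should confirm that; otherwise keep the dedicated play or restore `!no_user` in both playbooks. The rendering strips indentation, so also confirm `- create_users` sits at the same indent as `- networking` rather than forming a dangling list under `- base_config`.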
1
books/dns.yml
Executable file → Normal file
1
books/dns.yml
Executable file → Normal file
|
@ -4,5 +4,6 @@
|
||||||
# Reverse proxy
|
# Reverse proxy
|
||||||
- hosts: proxy
|
- hosts: proxy
|
||||||
roles:
|
roles:
|
||||||
|
- install_nginx
|
||||||
- configure_resolved
|
- configure_resolved
|
||||||
- reverse_proxy_stream
|
- reverse_proxy_stream
|
||||||
|
|
0
books/gitea.yml
Executable file → Normal file
0
books/gitea.yml
Executable file → Normal file
0
books/keycloak.yml
Executable file → Normal file
0
books/keycloak.yml
Executable file → Normal file
|
@ -1,14 +0,0 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
---
|
|
||||||
- hosts: matrix
|
|
||||||
roles:
|
|
||||||
- synapse
|
|
||||||
- matrix-bridge-discord
|
|
||||||
- matrix-bridge-facebook
|
|
||||||
- matrix-bridge-signal
|
|
||||||
- matrix-bridge-instagram
|
|
||||||
- matrix-bridge-telegram
|
|
||||||
|
|
||||||
- hosts: proxy
|
|
||||||
roles:
|
|
||||||
- rp_synapse
|
|
|
@ -1,12 +0,0 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
---
|
|
||||||
- hosts: prometheus_servers
|
|
||||||
roles:
|
|
||||||
- prometheus
|
|
||||||
- prometheus-alert-manager
|
|
||||||
- grafana
|
|
||||||
- prometheus-blackbox-exporter
|
|
||||||
|
|
||||||
- hosts: all, !tests,
|
|
||||||
roles:
|
|
||||||
- prometheus-node-exporter
|
|
2
books/users.yml
Executable file → Normal file
2
books/users.yml
Executable file → Normal file
|
@ -1,7 +1,7 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
#!/usr/bin/env ansible-playbook
|
||||||
---
|
---
|
||||||
|
|
||||||
- hosts: all, !tests, !no_user
|
- hosts: all, !tests
|
||||||
roles:
|
roles:
|
||||||
- create_users
|
- create_users
|
||||||
- base_totp
|
- base_totp
|
||||||
|
|
0
books/vpn.yml
Executable file → Normal file
0
books/vpn.yml
Executable file → Normal file
1
books/web_services.yml
Executable file → Normal file
1
books/web_services.yml
Executable file → Normal file
|
@ -4,5 +4,6 @@
|
||||||
# Reverse proxy
|
# Reverse proxy
|
||||||
- hosts: proxy
|
- hosts: proxy
|
||||||
roles:
|
roles:
|
||||||
|
- install_nginx
|
||||||
- reverse_proxy_http
|
- reverse_proxy_http
|
||||||
- share_file_web
|
- share_file_web
|
||||||
|
|
|
@ -1,57 +0,0 @@
|
||||||
---
|
|
||||||
ca_passphrase: "{{ vault_ca_passphrase }}"
|
|
||||||
ca_key: "{{ vault_ca_key }}"
|
|
||||||
ca_cert: |
|
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIFhzCCA2+gAwIBAgIUP+ptXLNUBVsZm5oYpynQd5mhB60wDQYJKoZIhvcNAQEL
|
|
||||||
BQAwUzELMAkGA1UEBhMCRlIxEzARBgNVBAgMClNvbWUtU3RhdGUxFTATBgNVBAoM
|
|
||||||
DFBhaW5zLVBlcmR1czEYMBYGA1UEAwwPQ0EgUGFpbnMtUGVyZHVzMB4XDTIxMDky
|
|
||||||
MTE0NDUxNloXDTMxMDkxOTE0NDUxNlowUzELMAkGA1UEBhMCRlIxEzARBgNVBAgM
|
|
||||||
ClNvbWUtU3RhdGUxFTATBgNVBAoMDFBhaW5zLVBlcmR1czEYMBYGA1UEAwwPQ0Eg
|
|
||||||
UGFpbnMtUGVyZHVzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4jG+
|
|
||||||
8N5YN91KghYjYTOBQ+lRYJ45X5S9mfcwwf8OIMGe+NyNkXx2GX4uYpZOitYOApI4
|
|
||||||
rGnAjhll7tdZevzfdqpUDCYUDT6iR4BzL32k22mIN+iW6zQPaZetOU7VIA9V5TsM
|
|
||||||
WbDsftqh6fj3N4SwVMpHiuiajMkX8CIELxoXDAJULvwyreWOONlwDMObtVCHBIhM
|
|
||||||
uf1Jbx2DfRNS/w6lbHPCrZefMCea1FrSaotOANXxNgQfptX3fLZbhH5RiZQLDU8k
|
|
||||||
ZChAUoW9hE4+uiSOUMd2hl9XgCWHcGEMcKyWG+/lx8UUw3Zl+oOrfb+IWo5IByVZ
|
|
||||||
8nV5aiTMCuRlcTcMHUuedRaPcWfl5ZaEOVzhYXIYM4Oa8ShqXuWqW0WZ8oIhI2ya
|
|
||||||
hTE03mIPV1nX3ucE9GsDZpnrj7t+qd8etiZXFGVihKEqVFfhzKRsPh4wgUKH/gwG
|
|
||||||
AJshPA9NyJ0JpzUaWQ2acUjo3Hg9WPSTaMb46FS7hUdZUcZZiwSq9JjHDNAUKjNY
|
|
||||||
zudKjTyqJXkqwhNvMfKWFIGYjldvZgQXzuT8XmSHYSKuLfH9Ko28FX0Aujye1TTH
|
|
||||||
MPljXruyO04Q7NUg/jqtxdsWRpH/qCt12PmRuIiXsNCAeLjSuc75H+AOPbNudJLT
|
|
||||||
w2AUTkfn3mw/XTwEBfemHAo6GAdtCDKo6GxBqvcCAwEAAaNTMFEwHQYDVR0OBBYE
|
|
||||||
FIh4sxxlmesmbVKPWKo81BXMFVqVMB8GA1UdIwQYMBaAFIh4sxxlmesmbVKPWKo8
|
|
||||||
1BXMFVqVMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAKipx6Nu
|
|
||||||
QwnYmwYPd3kUVBOj9ia0PVeE4LoUSRapzRTF2HilSIo9Sa7qD1HVxbWrghUPLjW/
|
|
||||||
Ru04k82hxvAm26gc1XeqIBzpgZmxwF0QibCeuj1vDXsndACXVHd6Atvnl0rW4bEI
|
|
||||||
pVCqerXNu0T4STk2V/xNqndGMRp/vZX67BlyHAHD4el957R9RYlyxW6fADrHDKqk
|
|
||||||
tC1eTeQtEi5W7v9X3dNGdtFS+exDrYpUTHPDwM81u25oCGUFGsH3RlG7LUEQ5mYW
|
|
||||||
SsJ3EKpIkMxSZB3/GqttCIHi+yEMtwDDL3dN8UnVaTkRjVNQxraOUwe66QByGqnJ
|
|
||||||
9YeQNpUfZxWFW/GW2fBAvD/RaLrLZ4ywhUze38ks4jsLnAIduawjQ8GlNg9i2MqD
|
|
||||||
zvDat41LWSCDjRUOfCp7fc9lMlI5blTafozrAddMV8YUs3bQ6XD0H31pP59jb7nc
|
|
||||||
5kmwqH6RivbFZZYBquQVujiiI7d+9m+X9OfTZJTCpRPCGYZcLuqH7txyPhixxrZd
|
|
||||||
a8lWJ+5jHOdncV/ZWSB5JnjKbaMMEPcaTo3puEPt/yl74CR7UOJXr5oM0bVFKjas
|
|
||||||
90hY5U+jPAcneCk2oc44R4NWuQ7qbsjPRfcxxi27DoLbhlmPp9jQwYQEqmdflcZ0
|
|
||||||
zCTEq81KO2mAbJgTc/ahhcvAV/huJ5d8c9R1
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
crl_distribution_points:
|
|
||||||
- full_name: "URI:https://ca.deso-palaiseau.fr/revocations.crl"
|
|
||||||
reasons:
|
|
||||||
- key_compromise
|
|
||||||
- ca_compromise
|
|
||||||
- affiliation_changed
|
|
||||||
- superseded
|
|
||||||
- cessation_of_operation
|
|
||||||
- certificate_hold
|
|
||||||
- privilege_withdrawn
|
|
||||||
- aa_compromise
|
|
||||||
- full_name: "URI:https://ca-pains-perdus.intra/revocations.crl"
|
|
||||||
reasons:
|
|
||||||
- key_compromise
|
|
||||||
- ca_compromise
|
|
||||||
- affiliation_changed
|
|
||||||
- superseded
|
|
||||||
- cessation_of_operation
|
|
||||||
- certificate_hold
|
|
||||||
- privilege_withdrawn
|
|
||||||
- aa_compromise
|
|
|
@ -1,65 +0,0 @@
|
||||||
---
|
|
||||||
matrix_server_name: pains-perdus.fr
|
|
||||||
matrix_local_server_name: synapse.pp.intra
|
|
||||||
matrix_enable_registration: False
|
|
||||||
synapse_postgre_user_pwd: "{{ vault_synapse_postgre_user_pwd }}"
|
|
||||||
matrix_max_upload_size: 50M
|
|
||||||
matrix_registration_shared_secret: "{{ vault_matrix_registration_shared_secret }}"
|
|
||||||
matrix_macaroon_secret: "{{ vault_matrix_macaroon_secret }}"
|
|
||||||
matrix_form_secret: "{{ vault_matrix_form_secret }}"
|
|
||||||
|
|
||||||
matrix_apps_services:
|
|
||||||
- discord
|
|
||||||
- facebook
|
|
||||||
- signal
|
|
||||||
- instagram
|
|
||||||
- telegram
|
|
||||||
|
|
||||||
# bridge discord
|
|
||||||
matrix_bridge_discord_postgre_user_pwd: "{{ vault_matrix_bridge_discord_postgre_user_pwd }}"
|
|
||||||
matrix_bridge_discord_client_ID: "{{ vault_matrix_bridge_discord_client_ID }}"
|
|
||||||
matrix_bridge_discord_botToken: "{{ vault_matrix_bridge_discord_botToken }}"
|
|
||||||
|
|
||||||
# bridge facebook
|
|
||||||
matrix_bridge_facebook_postgre_user_pwd: "{{ vault_matrix_bridge_facebook_postgre_user_pwd }}"
|
|
||||||
# Those values are generated by the bridge the first time the bridge is launched.
|
|
||||||
# we copied the values generated from our test config
|
|
||||||
matrix_bridge_facebook_integration_manager_shared_secret: "{{ vault_matrix_bridge_facebook_integration_manager_shared_secret }}"
|
|
||||||
# matrix_bridge_facebook_as_token: "{{ vault_matrix_bridge_facebook_as_token }}"
|
|
||||||
# matrix_bridge_facebook_hs_token: "{{ vault_matrix_bridge_facebook_hs_token }}"
|
|
||||||
matrix_bridge_facebook_admins:
|
|
||||||
- g33kex
|
|
||||||
- histausse
|
|
||||||
matrix_bridge_facebook_allowed_external_user:
|
|
||||||
- '@dorianx:matrix.rezel.net'
|
|
||||||
|
|
||||||
# bridge signal
|
|
||||||
matrix_bridge_signal_postgre_user_pwd: "{{ vault_matrix_bridge_signal_postgre_user_pwd }}"
|
|
||||||
matrix_bridge_signal_admins:
|
|
||||||
- g33kex
|
|
||||||
- histausse
|
|
||||||
matrix_bridge_signal_allowed_external_user:
|
|
||||||
- '@dorianx:matrix.rezel.net'
|
|
||||||
|
|
||||||
# bridge instagram
|
|
||||||
matrix_bridge_instagram_postgre_user_pwd: "{{ vault_matrix_bridge_instagram_postgre_user_pwd }}"
|
|
||||||
matrix_bridge_instagram_admins:
|
|
||||||
- g33kex
|
|
||||||
- histausse
|
|
||||||
matrix_bridge_instagram_allowed_external_user:
|
|
||||||
- '@dorianx:matrix.rezel.net'
|
|
||||||
|
|
||||||
# bridge telegram
|
|
||||||
matrix_bridge_telegram_postgre_user_pwd: "{{ vault_matrix_bridge_telegram_postgre_user_pwd }}"
|
|
||||||
matrix_bridge_telegram_admins:
|
|
||||||
- g33kex
|
|
||||||
- histausse
|
|
||||||
matrix_bridge_telegram_allowed_external_user:
|
|
||||||
- '@dorianx:matrix.rezel.net'
|
|
||||||
matrix_bridge_telegram_api_id: "{{ vault_matrix_bridge_telegram_api_id }}"
|
|
||||||
matrix_bridge_telegram_api_hash: "{{ vault_matrix_bridge_telegram_api_hash }}"
|
|
||||||
matrix_bridge_telegram_bot_token: "{{ vault_matrix_bridge_telegram_bot_token }}"
|
|
||||||
|
|
||||||
# Not configured for now
|
|
||||||
matrix_stats_endpoint: https://127.0.0.1/report-usage-stats/push
|
|
||||||
|
|
|
@ -18,33 +18,59 @@ intranet:
|
||||||
ipv4: 172.20.1.1
|
ipv4: 172.20.1.1
|
||||||
netmaskv4: 32
|
netmaskv4: 32
|
||||||
comment: Hindley
|
comment: Hindley
|
||||||
router_hellman:
|
azerty:
|
||||||
domaine: 'router-hellman'
|
domaine: azerty
|
||||||
|
ipv4: 172.20.1.2
|
||||||
|
netmaskv4: 32
|
||||||
|
comment: Azerty
|
||||||
|
hellman:
|
||||||
|
domaine: hellman
|
||||||
ipv4: 172.20.1.3
|
ipv4: 172.20.1.3
|
||||||
netmaskv4: 32
|
netmaskv4: 32
|
||||||
comment: Router on Hellman
|
comment: Hellman
|
||||||
matrix:
|
rossum:
|
||||||
domaine: matrix
|
domaine: rossum
|
||||||
ipv4: 172.20.1.5
|
ipv4: 172.20.1.4
|
||||||
netmaskv4: 32
|
netmaskv4: 32
|
||||||
comment: Matrix server
|
comment: Rossum
|
||||||
guest_hellman:
|
guest_hellman:
|
||||||
domaine: hllm
|
domaine: hllm
|
||||||
ipv4: 172.20.198.0
|
ipv4: 172.20.103.0
|
||||||
netmaskv4: 24
|
netmaskv4: 24
|
||||||
gateway: 172.20.198.1
|
gateway: 172.20.103.1
|
||||||
comment: Lan for the vm hosted on hellman
|
comment: Lan for the vm hosted on hellman
|
||||||
subnets:
|
subnets:
|
||||||
hellman:
|
hellman:
|
||||||
domaine: router
|
domaine: hellman
|
||||||
ipv4: 172.20.198.1
|
ipv4: 172.20.103.1
|
||||||
netmaskv4: 32
|
netmaskv4: 32
|
||||||
comment: Router
|
comment: Hellman
|
||||||
test:
|
test:
|
||||||
domaine: test
|
domaine: test
|
||||||
ipv4: 172.20.199.0
|
ipv4: 172.20.199.0
|
||||||
netmaskv4: 24
|
netmaskv4: 24
|
||||||
comment: Test VM
|
comment: Test VM
|
||||||
|
subnets:
|
||||||
|
vm1:
|
||||||
|
domaine: vm1
|
||||||
|
ipv4: 172.20.199.1
|
||||||
|
netmaskv4: 32
|
||||||
|
comment: Test vm 1, on knuth
|
||||||
|
vm2:
|
||||||
|
domaine: vm2
|
||||||
|
ipv4: 172.20.199.2
|
||||||
|
netmaskv4: 32
|
||||||
|
comment: Test vm 2, on knuth
|
||||||
|
vm3:
|
||||||
|
domaine: vm3
|
||||||
|
ipv4: 172.20.199.3
|
||||||
|
netmaskv4: 32
|
||||||
|
comment: Test vm 3, on knuth
|
||||||
|
vm4:
|
||||||
|
domaine: vm4
|
||||||
|
ipv4: 172.20.199.4
|
||||||
|
netmaskv4: 32
|
||||||
|
comment: Test vm 4, on knuth
|
||||||
guest:
|
guest:
|
||||||
domaine: guest
|
domaine: guest
|
||||||
ipv4: 172.20.200.0
|
ipv4: 172.20.200.0
|
||||||
|
|
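Review bot: The new `test` network gains nested `subnets:` (vm1–vm4 at 172.20.199.1–.4) but, unlike `guest_hellman`, carries no `gateway:` key, so if the networking role derives routes from `gateway` the test VMs get none; presumably 172.20.199.1 is meant to be vm1 rather than a router, which is worth stating in the comment. The renumbering of `guest_hellman` from 172.20.198.0/24 to 172.20.103.0/24 updates the subnet and its `hellman` entry consistently, but the comments shrink from `Router on Hellman`/`Router` to bare hostnames; keeping the role in the text, e.g. `comment: Hellman (router for guest_hellman)`, preserves what the old comments said. The enclosing `intranet:` mapping starts above this hunk.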
|
@ -1,9 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
reverse_proxy_sites:
|
|
||||||
- {from: wiki.pains-perdus.fr, to: "https://azerty.fil.sand.auro.re:2443"}
|
|
||||||
- {from: hindley.pains-perdus.fr, to: "http://127.0.0.1:5000"}
|
|
||||||
- {from: "{{ grafana_domain_name }}", to: "http://127.0.0.1:3000"}
|
|
||||||
|
|
||||||
sharing_sites:
|
|
||||||
- {from: share.deso-palaiseau.fr, folder: "/home/histausse/www", user: histausse, group: histausse}
|
|
|
@ -2,14 +2,3 @@
|
||||||
# Use python 3
|
# Use python 3
|
||||||
ansible_python_interpreter: /usr/bin/python3
|
ansible_python_interpreter: /usr/bin/python3
|
||||||
dns_resolve_server: 1.1.1.1
|
dns_resolve_server: 1.1.1.1
|
||||||
|
|
||||||
# Default prometheus serveur, to overide in host_vars or something
|
|
||||||
appointed_prometheus_server: hindley
|
|
||||||
|
|
||||||
grafana_admin_password: "{{ vault_grafana_admin_password }}"
|
|
||||||
grafana_domain_name: monitoring.deso-palaiseau.fr
|
|
||||||
|
|
||||||
kassandra_username: cassandre
|
|
||||||
kassandra_password: "{{ vault_kassandra_password }}"
|
|
||||||
alert_rooms:
|
|
||||||
- "#monitoring:pains-perdus.fr"
|
|
||||||
|
|
|
@ -1,305 +1,21 @@
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
66396364626137653230336236313132366334386632383339303335333062323833373534643931
|
64373461313566643538663463386532303131323131373136353632363237656239373334636234
|
||||||
3035323936343830646136386237623565303262616366320a303665383565613936323763383538
|
3136333432376236626131336538616236386530376330380a323835363139333632623161313731
|
||||||
32373832626130636665313664356636623339353266656433366563366439363764386136616537
|
31383163363835626662316332356566643936663338626136376564326139336433313139343239
|
||||||
6230376436363463620a663761633130383262353661313461343839656361356238376433396639
|
6136633637613739630a666130383230613461623237363965623038633630623033653734623630
|
||||||
36643034376539383136633937613031343862653739396536346130303164346465356530323564
|
31663864323464326333373364663465393134346635613565636234623834633730326530663135
|
||||||
38396130343031343862383237383566333661623466353538343462343565373765316132666430
|
32313439333732323764373765633663643938306136666231326130346266373161356361333930
|
||||||
32393635623834343566303932343734653566326231303531346662303436653437663034333865
|
36613264383665346630636161343239306436626430626561396266306130353862333131633664
|
||||||
65666230623861393161353339336663616131393830333136373366626233363966613064656630
|
38366236343136663931666333346237363565366563353539396338343565306431353565616135
|
||||||
65663362636566323263353838393932343036613337383533393838636338393738303835666538
|
37336466626261633764623638633536383966663433633764356436353838343961346238613065
|
||||||
34373266393237326465613064656231616562626531353937653565346634646162653038356566
|
64663964373239616330356265343338356434303831396461633061393739326230396139643761
|
||||||
37643364336562643439616464636536353335666162623831313035663039386637323639623035
|
65393462323131346164396136366438323639393230326362303430656335343164306339616439
|
||||||
66653538646665306130393934333732346366366439396637313932366463343935303264613033
|
32356537366433663830643639666333383964373837313763343736626534306365613231633936
|
||||||
64633162373062373534643938646633306332303064356662366163366366326561656266636234
|
63313962633134366131643263306337343433633130626537313434356466613136326639616531
|
||||||
36613630346162353061313532386330653939373663616534653263306339633139653935663565
|
35633466623131613030643036643430613634346564313431363464326235643366313031306538
|
||||||
31316237373766653865326632306232346234613237643038613334353737323930636365303562
|
63666139366234393831313232636239666136323536626565366366353737626537613463326234
|
||||||
63333261646638633031313032386239383938386439376333613762346237313463643663336133
|
64613036616261646165373963306161326339393339353733666533353331316132306437653863
|
||||||
36353833333661323632633461333064313263323937613263356264366539313036366637646138
|
64386566616665386634343234323235386465396537616435333364356632626636353339353037
|
||||||
63373761626566613732623365643065626234643032323263623965316464343734386532333165
|
39386432323062393435313963613165633365666639353864303666303337613538653534316133
|
||||||
37626561616334396561333930326461393863346139663738393536626135386463366366396336
|
66383038633931333034336532333333356234313564393061636332666566383262383461346266
|
||||||
36306538373331616562373263653636643938643031386435633234666561353164386463323339
|
35303261626433663137
|
||||||
63353761653538663264333762613731336333656139313434613563343061386462643535346533
|
|
||||||
65366263383735306336386430636338396561346236333837336465323866333933333337626235
|
|
||||||
39653030326430663332636263333938326536356366643734346362643430336366623164633330
|
|
||||||
65383838383830306133626461643632656637336264666638383636376565666231373331393834
|
|
||||||
38663939633137363236303632616638646238313431653262346437313237356263616530656339
|
|
||||||
34336634386133383434623739326234313339333265636364373963343334363836313934653565
|
|
||||||
64336132376336323063663765643365336366303732666137376631323231343631656439383666
|
|
||||||
36383535316232636434653238313738653166633836303461376232333933316332326462656432
|
|
||||||
39313166396234613162623361343037383131663465383438356438663130306138356266656561
|
|
||||||
37306232653730653962656336373634643937333633623361343132393964623739623161373233
|
|
||||||
35373461303833343666623261616534323435663634363639316466613761616533646531616635
|
|
||||||
37663038396537343361393635343264613635666564343065313930376365393361363934643234
|
|
||||||
34663830386664613062626465633666616430646566633435303837623536646466616337376162
|
|
||||||
39376431643738336163653333333638663564356237393630636537306564333531336330333039
|
|
||||||
61386261316335323866353637626536363939346564373333633561323361396264373034353063
|
|
||||||
33613835393064393363326263623964353131326566353938623431396566663961633863313465
|
|
||||||
37373264343331333839356538346436336561656435643434353532626539333538343261616336
|
|
||||||
66623432653930633334363266316339373830643631316432303633633337666537373039323037
|
|
||||||
62316333356438346364663734613863316334636365316565336561626563373266386636366164
|
|
||||||
62346536313965643661356433383538646532633234313137353035633732356366643934663661
|
|
||||||
63373735323138356565613131373938613338653061383734643633636363353438373533313765
|
|
||||||
65393665616139343137643565626437373033363737633061386362376332353739313861623339
|
|
||||||
66333538666563636264303239353535306166656530346363396338373963653536333066383035
|
|
||||||
39633938353932303164306236626564306235326237646238393461306464386536616463376132
|
|
||||||
38666237376533353965656131373639353533333532396430616165383037303266653033633432
|
|
||||||
36666535616633333736653033386263616434343361383066663163363936386435626130303836
|
|
||||||
66623833323735643435653261323437386338663137653633663261336434636234623232356664
|
|
||||||
39376338303433303534636632376136656366633165616638623934666362666638653730343564
|
|
||||||
38303566653464383231633464306139306635386136336634643732623237643961643636333761
|
|
||||||
66326136633434346262343364633732303831323337663566613833646537346237643761616236
|
|
||||||
36373966356330333233336330663063663966633337373835656334326330326630353261666437
|
|
||||||
65316362643165353166656330313839623562633562373161356561663163636437633133323131
|
|
||||||
30373462336532353063663164303837653332383565663436383436396265373966653036316661
|
|
||||||
62663534383061656363643439633032383735376237653832616563383865613733356633323633
|
|
||||||
65326631353265383433346130636364656533333736653834333661623733333966666638326437
|
|
||||||
37353833663432613133336566663337313833323334393065303633396464613333393663643732
|
|
||||||
39666235353664323036306531306462653161613937313633623333306663333834303763623362
|
|
||||||
34613362396331383636626237376433303966626463633364353265356637653533623538653630
|
|
||||||
35393766306639633431373530363633306635663666373137653932663963363939616134643366
|
|
||||||
37363436336535663861336463653639653536303634363661666335666633306530633934363466
|
|
||||||
31386437363765633938633966343535386335323735623739656131623232393238316161353634
|
|
||||||
38633338643937623663346561383239313933613330626166636334333838333531666233356233
|
|
||||||
65343439373233353463663462333036376362643066613762303963383065633337326139353638
|
|
||||||
39373461386664313935393463313231353833663133663930323435353332373562396638343138
|
|
||||||
33636465626238663534313765363333326561386164346139396432336431376234383238333530
|
|
||||||
66356535353966633132626161343661643465633730633164666465366332623061386261383164
|
|
||||||
39313433663237633166343033353063613733383130636237393063623962613938373164653630
|
|
||||||
66343031613439316434666364366662373838626164653637636232643737376637633863616330
|
|
||||||
30326233323137323865643262363837353162363634333336353465373264336337383066323939
|
|
||||||
35336462336462613634363831343266336364646334386239373832653863323832303766643435
|
|
||||||
34356339653964373532326138303132616530663362303664633861373931373061393566313765
|
|
||||||
66343937343532386162346431623166366262623163306633393933663266616135663961643436
|
|
||||||
37653663303337623662393761336632356534663430316264343437653763656635323437646637
|
|
||||||
38393661306362313064613434396331613366373037613464356565373461393663636138633532
|
|
||||||
64343561346463316532366361646438323731383963646337623165383663666266316139656166
|
|
||||||
37336463633834636435343761613837666635653166326163346539626139613562396439306130
|
|
||||||
33363230626633346138303538373439626161623163626135643665613932666535343532303036
|
|
||||||
35373431343635393665616366643332643035623133613666396234353338623636663762636336
|
|
||||||
35346431303536613962323861336539396333346234393763396438383539383036333636353637
|
|
||||||
39646333383633326238393164333835393237623734383537376230353264346237353866333264
|
|
||||||
38643231343536356339373531633165393334353365336261656665336230373266633938343134
|
|
||||||
37646266383438633835323233306363643765653833666363376338356265663831636431646637
|
|
||||||
39633532353130396635383965643531363564373766323064616165376134613834303666306231
|
|
||||||
38643366333166633238626335313463623935373233353236393663353561383763636131383862
|
|
||||||
34623536343664623962326237326532643830636533636361666432333261363530373464356233
|
|
||||||
64373865653035613363373832653163326165363061623531373337663765653937303036656663
|
|
||||||
66636463346139663962393431633162303664313031306331323865313739323661303538336238
|
|
||||||
65313639663663393962396333666438633432323533613064313765353362326532613834373136
|
|
||||||
65326265646136613030353862326233646331396238343634323534626136376136356561316635
|
|
||||||
66333662666437613339396563323531396261366138323938303834393865633439313965613463
|
|
||||||
38343961646664626663346464393061396234356237663339323462623864663864383939353862
|
|
||||||
34313266373138346235626236303433613062306332343638663538356431663930303863306461
|
|
||||||
63386262333663393262623364343864376437616237313537343839656632363436613933376438
|
|
||||||
65346137313732316639353937336162313661386536383339633938613763336532353634373935
|
|
||||||
64393635366435666639346537386661383362623565623365636136316363336337663738356463
|
|
||||||
32333466363366336337653739313166396435323434376662356165643662353332306431383839
|
|
||||||
61613331313164336537313037393166356537656530616336663138316532323164346266353831
|
|
||||||
65666238306135346235376237376561333063373163633433386461383834633762646431396462
|
|
||||||
65313637623266646332336332363139376265363037383533613763373734313664343835396335
|
|
||||||
35323230326463356333653833326561306236336238373539653938653933636239626661376436
|
|
||||||
35303639643832343364393439386631616632313830363461326665303162383839653762366630
|
|
||||||
34656330393539636564346461316638396230323566376431636236306632616331323132623962
|
|
||||||
35666466326136633166323466666361326137306335353565326232373363323965373261636235
|
|
||||||
32363935323865303630383836303964326138393632333234643261386361393961336161636664
|
|
||||||
36393163343634633033396561313535663534623936323564373430396238356635356231386365
|
|
||||||
64313331633231336361613333313532626439393562356430386238396430393861396136633339
|
|
||||||
34303962343336356331663530613031636361333836646132316131343839623235356561633266
|
|
||||||
31343733353631653266353631376161613632373063323765663932646633653964366563363531
|
|
||||||
31313363393136643036366531333138353135666235303335393531353833313231386364393934
|
|
||||||
63653566616235303835393136646562626562353830653663386564366633343061613034383634
|
|
||||||
33363238303661313034636562356235393861356563333039313136396232343964613437356232
|
|
||||||
36346239303732333462613838653232326234353737633236396165616433656531393332663433
|
|
||||||
62366161373231646235656562323765653662343161383031613461643138303462386236666339
|
|
||||||
33623037366431353462346534636565393234626434613134343135343466623662386537386535
|
|
||||||
62306533386532353962626532613839346236303963646265333235336363653037373961663236
|
|
||||||
34366162353466373265643765356236313732353830303934376538343833343065363562356362
|
|
||||||
61623364386366396366353037393434626530326231623165376337306261373164343030383533
|
|
||||||
39353633656332363130326361636233363739333662663362366534396331353330343633313130
|
|
||||||
61326266343235396461353637333630333133326339303431376234356433623631316132633632
|
|
||||||
34653365623632613630306134643666373961623137393135393163383666326232633933393630
|
|
||||||
34666430316266326638613537373337386138383261643564313564666663666664363363323463
|
|
||||||
38366633346563343964653561316533323965366662663965623661613735366333313133663730
|
|
||||||
63626432306132356138623762366432613064326138646238643766313737653531653530663337
|
|
||||||
62393136356331636131303163313236386436663261613935353532666534386265313964656235
|
|
||||||
62633135643630313032666134393638663136373162646365343163353432333232613733346539
|
|
||||||
36666664613461343831373733393231303962356461383632303539633862633630636331613236
|
|
||||||
65376464363235326338366262323535646636316438356161316333663134613865326465626639
|
|
||||||
34633834376130663235316563333936633036623031326232636436363563633432323930383636
|
|
||||||
36383538333162623836306339613236623632353063366332636366376231353132663163623737
|
|
||||||
66373563663166666235313364383761383730346233363466623133386530313265383962333130
|
|
||||||
61313064316264613466626131616162376563346363323639303630343361613230333434613836
|
|
||||||
39303065626232393663626562376239356531613931323530323666353734396132613461643133
|
|
||||||
66356564626666303836326262666466623431373933303435616461653837383765393363623635
|
|
||||||
63386335313835366139633761613539366539356536663763396530356230353138633833316337
|
|
||||||
62343434323330393439656236626336323439333063376131643964376631376564306339323066
|
|
||||||
39666433663438306266393430303538316435336238383934323439323261373936326666623539
|
|
||||||
39633035313633313563663366666231383865333032333162386365633163366635393766366162
|
|
||||||
35663334303061303862346337376435616337663130633864383439653764366262323539666433
|
|
||||||
61306432626635323730373964353338323030656437656364663035336531353537653839623133
|
|
||||||
66363934333866356635383930383036326638326534333164383034613730383861303439383632
|
|
||||||
30343434623834366162366564356131356139363432353864646535623537656137383166303262
|
|
||||||
33313433303561333932333832383465366633336262386163363137353731393135636632323931
|
|
||||||
37373233663336333332326238323338373639346333663366383966653337623132653537356632
|
|
||||||
66366462336133613735666631366661643432333037383536303736333432663338623165653834
|
|
||||||
36383930303664313432363433333130396236343332303561373261353561303331356333393330
|
|
||||||
38613037383038376335313836363337313633346539626532383132323766613838303237333766
|
|
||||||
62623235343232663566616233653764323132613634316263373330356635396232656264346333
|
|
||||||
31333339336630373934353130353464373962656264613938366132646665646531646633646536
|
|
||||||
37373639393030303161373032373638656566316666393239326338353164626434393235366264
|
|
||||||
63343864646336376538323235313333363531303563316634373338393137656663323132333533
|
|
||||||
35343062373534376531383531313835303738376439636630336161303539346363633064383435
|
|
||||||
38656434666239396539353338396662343035626333633862323739366136393063646431363531
|
|
||||||
33643566343736616665666361633961336163306632383632616264636165366165396132303237
|
|
||||||
32643436613034623062616463623038313061356364303235656439323430366430623339386339
|
|
||||||
66383130323530333963666431306130633565353833336464626331313030616239336138343035
|
|
||||||
31343833613631666461313631336565376264333336353561386233626234623730323561373134
|
|
||||||
61616236333962386231343532323464646235633530333062343663373830656130636665623865
|
|
||||||
36643633323539376165616238646139336365316532643565656266353539366433366330323330
|
|
||||||
62663735396233386463653437616639313331623736613562343236613564306139336233656263
|
|
||||||
65646534643762336435323232373062306434393463623662323963333232373631373530353237
|
|
||||||
35373131356538646462303961663862656533643162383436303361306639643134383436343739
|
|
||||||
66393238663837353164333662653933353530376433633930663336373634383036393637663934
|
|
||||||
39336337313264366135386464363061356664303638333866303562316664336636333566623366
|
|
||||||
32306639303963336233386365373562366466303930303931643266373235343366336163303930
|
|
||||||
30386337393966633135326164646532376637636265663762326562336565383935613062323462
|
|
||||||
62353536663936633837316363653366356231323664363439393866393133336261346134333863
|
|
||||||
64643832306236666636333939326531346163346335356636643566333362643533333034643739
|
|
||||||
36373736353464653531316262636231343963376633653239633037336133373130643762626461
|
|
||||||
35346637653434656339323861316233303863393263373638353664326430303731643439613430
|
|
||||||
65313161336137656536346435356132343835326636616164366266373561323864386366366432
|
|
||||||
66613039663836626161643336316432343436333130383935306638393564303838373938313930
|
|
||||||
37393633343562646461653339626135303262626434343132303462353662323066633639346433
|
|
||||||
64336239663733613234333738633730306337313936343865323030626566323066306266336334
|
|
||||||
33393332373163353130623132633264656137386163373662613965343162646433653263393566
|
|
||||||
39356464393962636233306462323730333837656363643164376438363565303138666564656633
|
|
||||||
33343933313138386539303837306365373639373464306537663439376637303134626262656264
|
|
||||||
64336663663238376231323030306438616434626466616566303135363333366564346636323562
|
|
||||||
32343765353931663261633338356161383734303764356465616136643862393266343031353534
|
|
||||||
37393030656663613764323831353839616466633664623530663962666466383562663464353334
|
|
||||||
37376435363230366362633939613764383863653438303933633962653937643332633063353937
|
|
||||||
36613434306634623362643233313164333832663639653066313137336565333138363864306363
|
|
||||||
31643366393733316236353263316537396336656139643435373365313965383235376166353862
|
|
||||||
62363438613163626564383966343331316338343835656236303565303631313733353265396537
|
|
||||||
38316463633931633431653837633134383563366133373362326664323731326363326137326232
|
|
||||||
30373536386435353236313330373537303239313538303361396330663837383166393536383966
|
|
||||||
34313466623333623466326365643664383737363363623731316565353366373864636135656333
|
|
||||||
64633132613138313564336337383338656639666330313939376234343839386438636433373832
|
|
||||||
37653366633238663266383565346564396135356163326566313665343339346333323765336631
|
|
||||||
35643762313662636662376331336139373866373437623631363636326135346536363765613936
|
|
||||||
32306166306135313638643633353131643939366465346233636639663961303563643162366133
|
|
||||||
32316634383963653038613037366266346634323361313337666262343432386239326337326334
|
|
||||||
65653461626264353564323161656631373865666433353139363639393338376661353064353966
|
|
||||||
33663064613665326564333737303733633433333735303461613933353435303461333033623433
|
|
||||||
62356236323735653338333861656435616661386339303439653531643065643030393536663963
|
|
||||||
64613730343036353636616462633365326661333038383264616336633839346466393665393465
|
|
||||||
30316465323466633234376466383538613539313239353937353531316462636463316238356634
|
|
||||||
38346439363033336363396165376162633536363361386564633362623864316339623233313235
|
|
||||||
36646161323832346332386261623837663135646237343864333564653533623835333834343333
|
|
||||||
33333739633130386131316537386636363234333466623730303061336136633330646361366632
|
|
||||||
37386336623862373561386663353063616635326131663535313337623232376164316631346436
|
|
||||||
65656536313761653739623130313766366662613630396337373034323562343633333234373031
|
|
||||||
63383861656461336333303436353739646461623333616236333962356564623566363031353334
|
|
||||||
38636165646632346633353766393230343736313966333564313730353262636135633164393334
|
|
||||||
32373063393964656365333164623165326532643633313563643337653062363566393636653934
|
|
||||||
63383533326337393762343462313732323561316532303137336133616634373339633864306334
|
|
||||||
64333032356531313763313838353730633939393536383165376130663163643339393439616163
|
|
||||||
35363162313063663765616332613834306134393731633662306130656464336132303130303165
|
|
||||||
32303261333162303438366436653963326162626334613030653038343834336232333733643461
|
|
||||||
62326632373832623863333536613339373539396533393639326463633837306439383439643437
|
|
||||||
61326261373064313733636566316631343132656663376234323339383464363537643266383238
|
|
||||||
63353366383664653837326637376537616266346161653038306331353938373230386131333032
|
|
||||||
36653461633134373034656534623262383335626539623939313936396136376565643332353230
|
|
||||||
62643633323835376563653337306631376664336464646234666336626532356562613864626464
|
|
||||||
64323135373835613239613830616134303561363630623435346562633466323462643839303536
|
|
||||||
62303634386563313565663837393761666532303834623063343431343364363338663838313961
|
|
||||||
39643431366661333465313066643939356336643264613133653738666438653630353239386465
|
|
||||||
32363739663566616431623665363763613531346134343933333963623033313762346438343937
|
|
||||||
31306262353364353434663231656538376262393235346432383936663065316165376364326134
|
|
||||||
61396563636462396438623262343537636131636339636566393138666565356438333562613461
|
|
||||||
64313139326365393439366138623366646435333132326638656438396161386139393036656439
|
|
||||||
32646535663564663462343862366666386633623730336333346335666436623866613564636665
|
|
||||||
64316230343332306266303831373139353934353633323032646135376632303631616533663534
|
|
||||||
31656539353538653539306331373233333337653864323433393038636232373439326462336337
|
|
||||||
65356565633835333939373736383134373963396132306638323664363639663262393232383335
|
|
||||||
30386231353535643139363536653065326663353665353932376533363634373164333061326634
|
|
||||||
33343330626136363465313132363563326666323335383239376133633161623033386231616332
|
|
||||||
66636566353337356433333266336565646133346637386366353239623937626431633039663734
|
|
||||||
31656466383362666333393165306561323164313164363030393639363435656262643461613033
|
|
||||||
30303466623230643330313164663535663836363536353238663136373133356663323062336438
|
|
||||||
33393935353161633536356134363064646235323339663730383464636134636433353062353537
|
|
||||||
30613135626264366566623339613037383636353334363530653732626165323738643461613337
|
|
||||||
35383138323336616563333965643630353836383032363034623963373733626232353365643536
|
|
||||||
32303761613033353563333531396630646261343966393662336661313336626662306538636633
|
|
||||||
30346430653736346636646264633936353562313537323863363462316561333865353563363630
|
|
||||||
37326336363234313933363333396336626436343936623535316665366437656637386539303862
|
|
||||||
34336330316430626563623331656464313663633432396263346564376532306364353566363664
|
|
||||||
61653131643837633639356533376163643465326166636436646165336635323838386265316264
|
|
||||||
38393433346262626365303261303533653931366531303565623165376661323834333535376364
|
|
||||||
30633034346635663262653835326131396165306632663161366138376631366364356162626338
|
|
||||||
65666465336365313535376637313365653632346432393937326334633861313562323564663638
|
|
||||||
36623462653539356339623666643234363361656639313133313635306362373738636264646531
|
|
||||||
32313063393731373666373266326661623562633935656233383339383161316564393130643932
|
|
||||||
39336163306462336638646138626236396237363939323461633330633762616561343432613937
|
|
||||||
66636663623063333333376666646334306662303561656231333365626164366336653237396236
|
|
||||||
63323531333139646336393033633731653437313230376465616663623734623339623238313863
|
|
||||||
35366639613930303166393739393163313635663063326432323434333363613930653937653136
|
|
||||||
65663766616465383736333164346533643236326561323335653331623931326130616236306462
|
|
||||||
63336434326464613335356333666237303261326432396361376534326566346435376461613933
|
|
||||||
39313537323939373264333064356166386339356131396466376437323638313366336336653766
|
|
||||||
63613365303032373939326463383463303136396239333236303437326331636637356133353135
|
|
||||||
63666430386631626139626664376264333833386437316563383830666135663431383162383366
|
|
||||||
33343463633462333263613965383034666336396564376635313666343434346366376434313830
|
|
||||||
38613638656439343465363261653737333362316433353964653530366562613137303231633464
|
|
||||||
33656364363032396566353830656634613434636561633063643261396334613935343133653830
|
|
||||||
37386634653166636561646163623964313465616163343661646464313036356435636338313237
|
|
||||||
39323266623861366562323238316666613237353236363235333436303333653561316635373233
|
|
||||||
61323233346330643431333866623861656632376164616533653765393866623432363130653331
|
|
||||||
36323937393138616162326438323463363438633437303665313630643432353633316337613537
|
|
||||||
33623130303738623763383936653333386631333135616637393731346665626634633238326537
|
|
||||||
36336539306166333062313465653630393134363936616237643866313264306531363163616136
|
|
||||||
30616166643439643034616562646464316662666539653439626461636537333639383636643630
|
|
||||||
38353266303831396630653261643536376633633430616365303866366132343062306539346530
|
|
||||||
65353836313464333833623364326661356164313963383462623138306534613934373366646535
|
|
||||||
38646630363564343865613035383130666663373333643530643237323030643432633139646239
|
|
||||||
61623136663139343866636663313731633530363033666536666137303861643339306331313233
|
|
||||||
30633665306333653734383731396663396433353862326162643463326365363565303634396661
|
|
||||||
36663832626636333936336131383236323538306131613237393835663235313636373330633164
|
|
||||||
32383331636561386164373964373664643436663830623361393965656265646137666263666632
|
|
||||||
33653736363232373838653235343665663465333562653861646436633061393430333133613735
|
|
||||||
33343238373633383966366365383333373263343139646533356439333763663462343263383631
|
|
||||||
35663666656562383230333065376439643132313734316166313430386661313234396164356338
|
|
||||||
39653265306637376239343537626237323332313234373862393862653265386266323161316135
|
|
||||||
64353139613530323264326639333464333366323437633932363334633635343436353462343130
|
|
||||||
32623337663533666334323965656435636561333865303461326163653061316137306339626136
|
|
||||||
64363166623962346366353732633865373037636563373338333061303263636363393632633337
|
|
||||||
61633833646466626663613063663131323139663263356663356538623536313230623361363332
|
|
||||||
35343630353637376636663762323564323033393834336261333838326332333966383266333363
|
|
||||||
66626436323566623866333462333832323536363465373265333830353265306263343731343662
|
|
||||||
37663036356330353537333434313165313662303038326335653761343432383639663365613334
|
|
||||||
63376239373638343432616665336437373266376463623330393238396138393734633934626661
|
|
||||||
34333164643330313531346636636432656230633264396130636338613564306337353337653030
|
|
||||||
39623466373732336435343738383539663833356233666165616638356436373231656661613138
|
|
||||||
31353062393463383035323962633330393733346237666366363939333437396163353433336638
|
|
||||||
65393433613337373935353338613630666539303231633139376235376162373932646338333436
|
|
||||||
65663363613831363538336233616666393836316237653432343137376262636632646234363230
|
|
||||||
39373133333931393963363339376166623563633733363137363361653463333066666465613432
|
|
||||||
39316662613734636462393936613338346361323438396634313234393335323462666632653938
|
|
||||||
65626464393733666431366161653238373266646266376463633366336332303133633738343165
|
|
||||||
32616239653230646565316463373139373933323365366430663463653631343837376232613666
|
|
||||||
63336134316536353962396430326166306339656137333765306233336234393233646136633833
|
|
||||||
31623861303530313739666636373138353339393434396335646535613932343666643261383639
|
|
||||||
39386135356463663335616466633137623035376639623635613765303732326232303937366262
|
|
||||||
34326464336666613566333562316164333339303636613265323538373263363866333932656532
|
|
||||||
33306163343437343861363861666533393462373561303562386135306133363664313638336163
|
|
||||||
61666239636535326634393437656536333034313139383961353062326138373463323361613533
|
|
||||||
61376264616361393262306237336363386237383665383839373637346535663639323065636135
|
|
||||||
33363436383031373232323936653163383535633436623936653766666231343838656533643532
|
|
||||||
64623961613837363362393563353438656631666336653861666233636437363632376365363630
|
|
||||||
66636536343365653761353235353435383132366464306432323434386135356631653538306134
|
|
||||||
65616630323833373732323535633932633563386233353062333739393562353338663663343734
|
|
||||||
62616333366630303833313131313633346539316163633665633438323237396533636232396661
|
|
||||||
63333432636166646433366138356263343535613334623538396335303739356135313566353265
|
|
||||||
34313936393436356334396139643863383561616130376466643533336363323163386437636138
|
|
||||||
34663961313534646439
|
|
||||||
|
|
|
@ -1,36 +1,33 @@
|
||||||
$ANSIBLE_VAULT;1.2;AES256;vpn_vault
|
$ANSIBLE_VAULT;1.2;AES256;vpn_vault
|
||||||
63336164323763623961373136616238363832356135343764343966356631333766396265653566
|
30346337663561363430646532656462396163656462643563336266636539386362376634616662
|
||||||
6139626665393664343961363966363339346636376431340a343730653565383265616365386366
|
3333666632613436396464663333396465303132613337300a363166623334386161316639393333
|
||||||
32333533666333373663373037653731666361343737356261636532303562663063343633346537
|
66616565336266383435353039373835356364653230353964633839386433343032623436656431
|
||||||
3337643137653839320a346236613362393636363935373162643237343831333535393461633963
|
3731613630616366340a376130363939643331393835633939656361313466346531313333383865
|
||||||
37343039383931613031663733666538383735383064356532373232633661386237366433396236
|
62636635333463346330383961663761656632343735313665626261363431376535636138333332
|
||||||
63666134376463313637643061623934653666353364353235323431633930373663636137313462
|
63323663316332353539346665343532666137326365633732366233653663343963306663663134
|
||||||
30666263386237303563393936373566386563386631656162303634306466656663666330313937
|
66353737616635646264306266366666656539613031373735323034356639643662383132653731
|
||||||
32313431343536666437626130646231333237343734303538363639383933633661323565353661
|
35393039356634623564666237386230393033616363353238383838313032366234383431623930
|
||||||
32343065383433623730346664643361306539623937656331333764346336396231656465373561
|
63663236656263663431633030623930326665343566333939306636373833396433393164386466
|
||||||
33343034303263303833373936383936366131663962613961666161303134316134316635626639
|
33613561343432356337633861373134306238623732393036396365643930356534636538336232
|
||||||
36666334393961306662626162393433643961646339323934653335613933383131633635623763
|
31386334353638633237613565343263366665346565616231633036393731316530366630633731
|
||||||
34656538336434303339613032623432613239303239373937643361306535383137643239646134
|
37376536653930303832656436366161323665653636393539343463306438613563323966376632
|
||||||
33336461613034303362353837313362643934666239363036333432373631336162646330333532
|
64306664363638636333326635393233363238613766353631646464353835626139343932633537
|
||||||
36303332306333623765653838373361353435646366323462383237343134643736376230353434
|
66613836656637376665366561343965366662366562383763653232643930636164393632333339
|
||||||
35333738313030636339363538656130643163353238666638383830316665646438366164636138
|
37656633343264346631663033386530623937343932373436616663613436366132343863336538
|
||||||
30643031336164323862633135313630666561656335626464336162386564306261396532396238
|
64656265313431626665363564343632313364383430643730643930323933373335623539313262
|
||||||
36666139386236663736613936633964363166343765626366323566613733353233313862646165
|
39386165363433616565303064323031633861373666613938376232316161333335613137343365
|
||||||
33373264633763386166373739313136343362383864343866323231373536633130633032616334
|
65306664626432326235643533633533356130316531656636613837393237343131626230636333
|
||||||
30383930333130646636666134363661316236323937373861343333333833616633346161323965
|
37623639636332386465613532376533653462643737636462326461333834383239366637656461
|
||||||
31343966396635626465613630333732353335373264646464373764363433393439656635636430
|
33343232666536636132356432313839376565376538356364363161366537653966356563356363
|
||||||
31303930333731656339633032366166386265653632633638323932626161623966613761636236
|
62303734333262316639613363653537373564306265303534306430363366666566323264313331
|
||||||
61303134663931636139336436313637333739626336643838663861626539323336393239643131
|
66326665393535306338626230646230633035363562396432396363323439336464353366323639
|
||||||
37383665326332393663323166643338353135363831306561623639643663326364343639316665
|
39353463323762356235656464346135373236353033613938636333656433653233393063373762
|
||||||
38343337323633353066653666366238633932393836396338336261663331656565653532613438
|
32653439346535383966303538303635393539336465373463303566383263333730643065383132
|
||||||
36323462326431333235376566343134663734373534663834316133333236636166386439633766
|
66353861643839653535663238393465396164383262326234353561343232396562383836353639
|
||||||
31323931363066343334363764356630383764346332353162316461333762613366663130393831
|
65333437653463653231633331626136316634303031383566343963326236303039633432316261
|
||||||
36633430383131326335333130303832666430366134393462616163326239383538616531373166
|
33626465386562303962306562646338636439383638663861353665363732353163303330633837
|
||||||
37383130616339343832313335636364623434636434393430383566376433363565626336303064
|
37623934356635386137343661653438643365656661656538366130333036643636613161336436
|
||||||
63376234613835666338373662373735386561643431633037336231643033393563316363613131
|
66393365313565376339353165373764656531396662663630613833323964653337386130383635
|
||||||
61656232363035333635636464656465613763613032376666623238613362343032613465313331
|
37613865383330303430383561373565336662333038396539363661636566333864326133323962
|
||||||
62353035313862323631653766393463383565336535616630383839376135393037363038343639
|
63303934386430343962666162323361306431383936353832613534663638623663653136303631
|
||||||
39646531666130626638666535623533373766386531343236313962636539373233363462363032
|
33306566313633656238
|
||||||
61373938373139376236633062353063643037333062363464383638333635643331616465643533
|
|
||||||
34646238663731616635313131313438376536633862346165666631326632623534306666396264
|
|
||||||
636139633664356536626239303631643864
|
|
||||||
|
|
|
@ -1,8 +1,12 @@
---
---
reverse_proxy_sites:
reverse_proxy_sites:
- {from: wiki.pains-perdus.fr, to: "https://azerty.fil.sand.auro.re:2443"}
- {from: hindley.pains-perdus.fr, to: "http://127.0.0.1:5000"}
- {from: hindley.pains-perdus.fr, to: "http://127.0.0.1:5000"}
- {from: gitea.deso-palaiseau.fr, to: "https://azerty.fil.sand.auro.re:8443"}
- {from: openid.deso-palaiseau.fr, to: "https://azerty.fil.sand.auro.re:7443"}
sharing_sites:
sharing_sites:
- {from: share.deso-palaiseau.fr, folder: "/home/histausse/www", user: histausse, group: histausse}
- {from: share.deso-palaiseau.fr, folder: "/home/histausse/www", user: histausse, group: histausse}
- {from: wiki.deso-palaiseau.fr, folder: "/home/histausse/wiki/public", user: histausse, group: histausse}
- {from: authority.deso-palaiseau.fr, folder: "/var/www/authority", user: root, group: root}
- {from: authority-info-access.deso-palaiseau.fr, folder: "/var/www/authority_info_access", user: root, group: root}
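Review bot: The new `wiki`, `gitea` and `openid` entries proxy to `https://azerty.fil.sand.auro.re:2443`, `:8443` and `:7443` by public hostname, although this same branch gives azerty a WireGuard address (`intranet.subnets.physical.subnets.azerty.ipv4`); whether the upstream TLS certificate is verified against that name is decided by the reverse_proxy role, which is not in the hunk, so it deserves a check. The two `authority*` shares are the only ones owned by `root`, unlike the `histausse` shares, and a one-line comment explaining why would stop a later cleanup from "normalising" them. Each entry is a one-line flow mapping running past 120 columns; block style (`- from: gitea.deso-palaiseau.fr` on one line, `to: "https://azerty.fil.sand.auro.re:8443"` indented below it) diffs more cleanly. The file header for this hunk is not visible here.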
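--- a/host_vars/azerty/ansible.yml
+++ b/host_vars/azerty/ansible.yml
@@ -0,0 +1,2 @@
+---
+ansible_host: "azerty.fil.sand.auro.re"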
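--- a/host_vars/azerty/networking.yml
+++ b/host_vars/azerty/networking.yml
@@ -0,0 +1,14 @@
+---
+interfaces:
+  enp0s25:
+    ipv4: 10.50.1.221
+    netmaskv4: 16
+    type: static
+    gateway: 10.50.0.254
+  wg0:
+    ipv4: "{{ intranet.subnets.physical.subnets.azerty.ipv4 }}"
+    netmaskv4: "{{ intranet.netmaskv4 }}"
+    type: wireguard
+
+ipv4_forwarding: false
+ipv6_forwarding: false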
@ -2,8 +2,8 @@
vpn_interfaces:
vpn_interfaces:
wg0:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_matrix_key }}"
private_key: "{{ vpn_vault_azerty_key }}"
public_key: "oQH8CBofxNSOGevaz1HZlz3ZW+H3ndb/TmqM0pCiRR8="
public_key: "o9rdoSdnp4twbNbZAMl0wY4sFQh647qqRv6V8HJwMQY="
keepalive: true
keepalive: true
peers:
peers:
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
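Review bot: The wg0 public key changes together with the vault variable (`vpn_vault_matrix_key` → `vpn_vault_azerty_key`), so this is a key rotation rather than a rename: any peer still holding the old literal key `oQH8CBofxNSOGevaz1HZlz3ZW+H3ndb/TmqM0pCiRR8=` keeps accepting it until that peer is re-rendered, which for hindley is handled by its switch to `hostvars['azerty'].vpn_interfaces.wg0.public_key` but only once hindley is actually redeployed. Whether `vpn_vault_azerty_key` is present in the re-encrypted `vpn_vault` cannot be checked from the ciphertext hunk. The `peers:` list continues past the end of this hunk and the file header is not visible here.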
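--- a/host_vars/hellman/ansible.yml
+++ b/host_vars/hellman/ansible.yml
@@ -0,0 +1,2 @@
+---
+ansible_host: "hellman.fil.sand.auro.re"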
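--- a/host_vars/hellman/networking.yml
+++ b/host_vars/hellman/networking.yml
@@ -0,0 +1,24 @@
+---
+interfaces:
+  enp7s0:
+    type: void
+  vmbr0:
+    ipv4: 10.50.2.17
+    netmaskv4: 16
+    type: static
+    bridge: true
+    gateway: 10.50.0.254
+    interfaces:
+      - enp7s0
+  vmbr1:
+    ipv4: "{{ intranet.subnets.guest_hellman.subnets.hellman.ipv4 }}"
+    netmaskv4: "{{ intranet.subnets.guest_hellman.netmaskv4 }}"
+    type: static
+    bridge: true
+  wg0:
+    ipv4: "{{ intranet.subnets.physical.subnets.hellman.ipv4 }}"
+    netmaskv4: "{{ intranet.netmaskv4 }}"
+    type: wireguard
+
+ipv4_forwarding: false
+ipv6_forwarding: false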
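Review bot: `ipv4_forwarding: false` on hellman conflicts with the route hindley now installs for it: hindley's peer entry for hellman (hunk `@ -7,21 +7,45 @@ vpn_interfaces:` below) lists `{{ intranet.subnets.guest_hellman.ipv4 }}/{{ intranet.subnets.guest_hellman.netmaskv4 }}` in `allowed_ips`, so traffic for the guest subnet arrives on hellman's `wg0` and must be forwarded to `vmbr1`, which this file disables. Previously that subnet was routed to a separate `router_hellman` peer, so the forwarding presumably lived there. Unless another role flips the sysctl, this should read `ipv4_forwarding: true` (with a comment that it routes between wg0 and vmbr1), or the guest subnet should come out of hindley's allowed_ips for hellman. The `interfaces:` key is also reused for the member list of `vmbr0`, which shadows the top-level name and reads confusingly.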
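--- a/host_vars/hellman/vpn.yml
+++ b/host_vars/hellman/vpn.yml
@@ -0,0 +1,13 @@
+---
+vpn_interfaces:
+  wg0:
+    ip: "{{ interfaces.wg0.ipv4 }}"
+    private_key: "{{ vpn_vault_hellman_key }}"
+    public_key: "+qV1RHAgSigOkrxUKqpGR83bydmlIHrEiw+A7zjbRk4="
+    keepalive: true
+    peers:
+      - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
+        public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
+        allowed_ips:
+          - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
+        comment: "hindley"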
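Review bot: `endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"` carries no port; a WireGuard endpoint is host:port, so unless the vpn role appends hindley's listen port itself this needs `:<listen_port>` after the address (the same applies to `host_vars/rossum/vpn.yml` and `vm1`…`vm4`). The spoke's `allowed_ips` of `{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}` uses the intranet-wide mask, i.e. the whole intranet is routed through hindley rather than just hindley itself; that matches hindley's hub config but deserves a one-line comment such as `# route the whole intranet via hindley (hub)`. The private key correctly comes from the vault (`vpn_vault_hellman_key`); its presence in the re-encrypted vault cannot be confirmed from this page.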
@ -10,5 +10,3 @@ interfaces:
ipv4_forwarding: true
ipv4_forwarding: true
ipv6_forwarding: false
ipv6_forwarding: false
lan_address: "{{ intranet.subnets.physical.subnets.hindley.ipv4 }}"
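Review bot: `lan_address` is dropped from hindley's networking vars here and from vm2's in the `@ -1,13 +1,11 @@` hunk further down, but nothing in this change shows that the templates or roles which consumed it were updated; any remaining `{{ lan_address }}` reference would now fail with an undefined variable at render time. A grep across the roles for `lan_address` before merging is cheap insurance. The file header for this hunk is not visible here.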
@ -7,21 +7,45 @@ vpn_interfaces:
keepalive: false
keepalive: false
peers:
peers:
- endpoint: ""
- endpoint: ""
public_key: "jvjOCj5xVTLwyQ8o7QsYvF2ep1HbD/GKnmjpqJuztB8="
public_key: "{{ hostvars['azerty'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
allowed_ips:
- "{{ intranet.subnets.physical.subnets.router_hellman.ipv4 }}/{{ intranet.subnets.physical.subnets.router_hellman.netmaskv4 }}"
- "{{ hostvars['azerty'].vpn_interfaces.wg0.ip }}/32"
comment: "azerty"
- endpoint: ""
public_key: "{{ hostvars['hellman'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['hellman'].vpn_interfaces.wg0.ip }}/32"
- "{{ intranet.subnets.guest_hellman.ipv4 }}/{{ intranet.subnets.guest_hellman.netmaskv4 }}"
- "{{ intranet.subnets.guest_hellman.ipv4 }}/{{ intranet.subnets.guest_hellman.netmaskv4 }}"
comment: "Router hosted on Hellman"
comment: "hellman"
- endpoint: ""
- endpoint: ""
public_key: "{{ vpn_guest_keys.knuth }}"
public_key: "{{ vpn_guest_keys.knuth }}"
allowed_ips:
allowed_ips:
- "{{ intranet.subnets.guest.subnets.knuth.ipv4 }}/{{ intranet.subnets.guest.subnets.knuth.netmaskv4 }}"
- "{{ intranet.subnets.guest.subnets.knuth.ipv4 }}/{{ intranet.subnets.guest.subnets.knuth.netmaskv4 }}"
comment: "Client laptop: knuth"
comment: "Client laptop: knuth"
- endpoint: ""
- endpoint: ""
public_key: "{{ hostvars['matrix_server'].vpn_interfaces.wg0.public_key }}"
public_key: "{{ hostvars['rossum'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
allowed_ips:
- "{{ hostvars['matrix_server'].vpn_interfaces.wg0.ip }}/32"
- "{{ hostvars['rossum'].vpn_interfaces.wg0.ip }}/32"
comment: "matrix VM, hosted on g33kex's server"
comment: "Raspi at paris, Rossum"
- endpoint: ""
public_key: "{{ hostvars['vm1'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['vm1'].vpn_interfaces.wg0.ip }}/32"
comment: "Test VM 1, hosted by knuth"
- endpoint: ""
public_key: "{{ hostvars['vm2'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['vm2'].vpn_interfaces.wg0.ip }}/32"
comment: "Test VM 2, hosted by knuth"
- endpoint: ""
public_key: "{{ hostvars['vm3'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['vm3'].vpn_interfaces.wg0.ip }}/32"
comment: "Test VM 3, hosted by knuth"
- endpoint: ""
public_key: "{{ hostvars['vm4'].vpn_interfaces.wg0.public_key }}"
allowed_ips:
- "{{ hostvars['vm4'].vpn_interfaces.wg0.ip }}/32"
comment: "Test VM 4, hosted by knuth"
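Review bot: Every new spoke entry resolves through `hostvars['vmN'].vpn_interfaces.wg0...`, so hindley's config can only be rendered while vm1–vm4 are in the inventory; the visible part of the `hosts` hunk adds vm1, vm2, vm3 and vm5, but vm4 does not appear there, and if it is genuinely missing `hostvars['vm4']` is undefined at render time. The stanzas that use hostvars (azerty, hellman, rossum, vm1–vm4) are otherwise identical — `endpoint: ""`, public key from hostvars, a `/32` in `allowed_ips`, a comment — so a list of spoke host names expanded in the template would remove the copy-and-paste surface where one wrong host name in a lookup goes unnoticed. The `vpn_interfaces.wg0` mapping starts before this hunk and its file header is not visible here.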
@ -1,4 +0,0 @@
---
#ansible_host: "172.20.1.5"
ansible_host: "nyx.ovh"
ansible_port: "4502"
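--- a/host_vars/rossum/networking.yml
+++ b/host_vars/rossum/networking.yml
@@ -0,0 +1,14 @@
+---
+interfaces:
+  eth0:
+    ipv4: 192.168.0.50
+    netmaskv4: 24
+    type: static
+    gateway: 192.168.0.1
+  wg0:
+    ipv4: "{{ intranet.subnets.physical.subnets.rossum.ipv4 }}"
+    netmaskv4: "{{ intranet.netmaskv4 }}"
+    type: wireguard
+
+ipv4_forwarding: false
+ipv6_forwarding: false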
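--- a/host_vars/rossum/vpn.yml
+++ b/host_vars/rossum/vpn.yml
@@ -0,0 +1,13 @@
+---
+vpn_interfaces:
+  wg0:
+    ip: "{{ interfaces.wg0.ipv4 }}"
+    private_key: "{{ vpn_vault_rossum_key }}"
+    public_key: "YNEp3V5wsDLxDR29WhzECOCdOxiOuxuAqUUwS3gJWT4="
+    keepalive: true
+    peers:
+      - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
+        public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
+        allowed_ips:
+          - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
+        comment: "hindley"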
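--- a/host_vars/vm1/ansible.yml
+++ b/host_vars/vm1/ansible.yml
@@ -0,0 +1,2 @@
+---
+ansible_host: "vm1"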
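--- a/host_vars/vm1/networking.yml
+++ b/host_vars/vm1/networking.yml
@@ -0,0 +1,24 @@
+---
+interfaces:
+  enp0s3:
+    type: void
+  br0:
+    ipv4: 10.0.2.5
+    netmaskv4: 24
+    type: static
+    bridge: true
+    gateway: 10.0.2.1
+    interfaces:
+      - enp0s3
+  br1:
+    type: manual
+    bridge: true
+    interfaces:
+      - enp0s3.42
+  wg0:
+    ipv4: "{{ intranet.subnets.test.subnets.vm1.ipv4 }}"
+    netmaskv4: "{{ intranet.netmaskv4 }}"
+    type: wireguard
+
+ipv4_forwarding: false
+ipv6_forwarding: false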
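Review bot: `br1` bridges `enp0s3.42`, a VLAN sub-interface, but no `enp0s3.42` entry exists under `interfaces:` and `enp0s3` itself is `type: void`; whether the networking role creates the 802.1Q device from the dotted name is not visible here, so either declare the VLAN interface explicitly or, once confirmed, add a comment such as `# enp0s3.42 is created by the role from the dotted member name`. `br1` being `type: manual` with no address is fine for a guest-only bridge, but stating that in a comment would keep it from being read as an omission.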
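--- a/host_vars/vm1/vpn.yml
+++ b/host_vars/vm1/vpn.yml
@@ -0,0 +1,13 @@
+---
+vpn_interfaces:
+  wg0:
+    ip: "{{ interfaces.wg0.ipv4 }}"
+    private_key: "{{ vpn_vault_vm1_key }}"
+    public_key: "uccS/p19vinH/S2GpVarDTYah4oRiSIABue8uEqKzRs="
+    keepalive: true
+    peers:
+      - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
+        public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
+        allowed_ips:
+          - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
+        comment: "hindley"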
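--- a/host_vars/vm2/ansible.yml
+++ b/host_vars/vm2/ansible.yml
@@ -0,0 +1,2 @@
+---
+ansible_host: "vm2"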
@ -1,13 +1,11 @@
---
---
interfaces:
interfaces:
ens18:
enp0s3:
type: dhcp
type: dhcp
wg0:
wg0:
ipv4: "{{ intranet.subnets.physical.subnets.matrix.ipv4 }}"
ipv4: "{{ intranet.subnets.test.subnets.vm2.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
type: wireguard
ipv4_forwarding: false
ipv4_forwarding: false
ipv6_forwarding: false
ipv6_forwarding: false
lan_address: "{{ intranet.subnets.physical.subnets.matrix.ipv4 }}"
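--- a/host_vars/vm2/vpn.yml
+++ b/host_vars/vm2/vpn.yml
@@ -0,0 +1,13 @@
+---
+vpn_interfaces:
+  wg0:
+    ip: "{{ interfaces.wg0.ipv4 }}"
+    private_key: "{{ vpn_vault_vm2_key }}"
+    public_key: "pxsYnL8N3VVVLlkXA8NOkqWsrSMrgdL1vj/VnZfKdRo="
+    keepalive: true
+    peers:
+      - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
+        public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
+        allowed_ips:
+          - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
+        comment: "hindley"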
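--- a/host_vars/vm3/ansible.yml
+++ b/host_vars/vm3/ansible.yml
@@ -0,0 +1,2 @@
+---
+ansible_host: "vm3"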
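--- a/host_vars/vm3/networking.yml
+++ b/host_vars/vm3/networking.yml
@@ -0,0 +1,14 @@
+---
+interfaces:
+  enp0s3:
+    ipv4: 10.0.2.7
+    netmaskv4: 24
+    type: static
+    gateway: 10.0.2.1
+  wg0:
+    ipv4: "{{ intranet.subnets.test.subnets.vm3.ipv4 }}"
+    netmaskv4: "{{ intranet.netmaskv4 }}"
+    type: wireguard
+
+ipv4_forwarding: false
+ipv6_forwarding: false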
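--- a/host_vars/vm3/vpn.yml
+++ b/host_vars/vm3/vpn.yml
@@ -0,0 +1,13 @@
+---
+vpn_interfaces:
+  wg0:
+    ip: "{{ interfaces.wg0.ipv4 }}"
+    private_key: "{{ vpn_vault_vm3_key }}"
+    public_key: "Cj3HAjXXr9DcmJoOkQkHvLWujZm8h6tBt2d54g0pqEg="
+    keepalive: true
+    peers:
+      - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
+        public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
+        allowed_ips:
+          - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
+        comment: "hindley"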
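--- a/host_vars/vm4/ansible.yml
+++ b/host_vars/vm4/ansible.yml
@@ -0,0 +1,2 @@
+---
+ansible_host: "vm4"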
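--- a/host_vars/vm4/networking.yml
+++ b/host_vars/vm4/networking.yml
@@ -0,0 +1,14 @@
+---
+interfaces:
+  enp0s3:
+    ipv4: 10.0.2.8
+    netmaskv4: 24
+    type: static
+    gateway: 10.0.2.1
+  wg0:
+    ipv4: "{{ intranet.subnets.test.subnets.vm4.ipv4 }}"
+    netmaskv4: "{{ intranet.netmaskv4 }}"
+    type: wireguard
+
+ipv4_forwarding: false
+ipv6_forwarding: false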
13
host_vars/vm4/vpn.yml
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
vpn_interfaces:
|
||||||
|
wg0:
|
||||||
|
ip: "{{ interfaces.wg0.ipv4 }}"
|
||||||
|
private_key: "{{ vpn_vault_vm4_key }}"
|
||||||
|
public_key: "5M84IO6uobYkMPupCI9h9y3iJXVIXAyDY8wkrMPcaRw="
|
||||||
|
keepalive: true
|
||||||
|
peers:
|
||||||
|
- endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
|
||||||
|
public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
|
||||||
|
allowed_ips:
|
||||||
|
- "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
|
||||||
|
comment: "hindley"
|
2
host_vars/vm5/ansible.yml
|
@ -0,0 +1,2 @@
|
||||||
|
---
|
||||||
|
ansible_host: "vm5"
|
15
host_vars/vm5/networking.yml
|
@ -0,0 +1,15 @@
|
||||||
|
---
|
||||||
|
interfaces:
|
||||||
|
enp0s3:
|
||||||
|
type: void
|
||||||
|
br0:
|
||||||
|
ipv4: 10.0.2.9
|
||||||
|
netmaskv4: 24
|
||||||
|
type: static
|
||||||
|
bridge: true
|
||||||
|
gateway: 10.0.2.1
|
||||||
|
interfaces:
|
||||||
|
- enp0s3
|
||||||
|
|
||||||
|
ipv4_forwarding: false
|
||||||
|
ipv6_forwarding: false
|
48
hosts
|
@ -4,25 +4,51 @@ all:
|
||||||
ubuntu:
|
ubuntu:
|
||||||
hosts:
|
hosts:
|
||||||
hindley:
|
hindley:
|
||||||
|
vm5:
|
||||||
|
debian_buster:
|
||||||
|
hosts:
|
||||||
|
azerty:
|
||||||
|
vm1:
|
||||||
|
vm2:
|
||||||
|
vm3:
|
||||||
debian_bullseye:
|
debian_bullseye:
|
||||||
hosts:
|
hosts:
|
||||||
matrix_server:
|
vm4:
|
||||||
|
proxmox_buster:
|
||||||
|
hosts:
|
||||||
|
hellman:
|
||||||
|
raspbian_buster:
|
||||||
|
hosts:
|
||||||
|
rossum:
|
||||||
proxy:
|
proxy:
|
||||||
hosts:
|
hosts:
|
||||||
hindley:
|
hindley:
|
||||||
|
keycloak_host:
|
||||||
|
hosts:
|
||||||
|
azerty:
|
||||||
|
server_hostname: azerty.fil.sand.auro.re
|
||||||
|
gitea_host:
|
||||||
|
hosts:
|
||||||
|
azerty:
|
||||||
|
server_hostname: azerty.fil.sand.auro.re
|
||||||
|
tests:
|
||||||
|
hosts:
|
||||||
|
vm1:
|
||||||
|
vm2:
|
||||||
|
vm3:
|
||||||
|
vm4:
|
||||||
|
vm5:
|
||||||
|
rossum:
|
||||||
vpn:
|
vpn:
|
||||||
hosts:
|
hosts:
|
||||||
|
azerty:
|
||||||
hindley:
|
hindley:
|
||||||
matrix_server:
|
hellman:
|
||||||
|
rossum:
|
||||||
|
vm1:
|
||||||
|
vm2:
|
||||||
|
vm3:
|
||||||
|
vm4:
|
||||||
apt_proxies:
|
apt_proxies:
|
||||||
hosts:
|
hosts:
|
||||||
hindley:
|
hindley:
|
||||||
prometheus_servers:
|
|
||||||
hosts:
|
|
||||||
hindley:
|
|
||||||
matrix:
|
|
||||||
hosts:
|
|
||||||
matrix_server:
|
|
||||||
no_user:
|
|
||||||
hosts:
|
|
||||||
matrix_server:
|
|
||||||
|
|
|
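Review bot: `server_hostname: azerty.fil.sand.auro.re` is declared twice for the same host, once under `keycloak_host` and once under `gitea_host`; Ansible merges both into azerty's vars so this works today, but the value is a property of the host rather than of either group and belongs in host_vars/azerty, where the two copies cannot drift apart on a later edit. The new `tests` group lists `rossum` alongside vm1–vm5 while `raspbian_buster` also claims it; if rossum is a physical Pi rather than a throwaway VM, plays targeting `tests` will reach it, so confirm that membership is intended.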
@ -1,28 +1,4 @@
|
||||||
---
|
---
|
||||||
- name: Use a newer version of apt cacher nc for ubuntu 20.04
|
|
||||||
block:
|
|
||||||
- name: Set the default release
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/apt/apt.conf.d/01-vendor-ubuntu
|
|
||||||
regexp: '^APT::Default-Release '
|
|
||||||
line: "APT::Default-Release \"{{ ansible_facts['lsb']['codename'] }}\";"
|
|
||||||
- name: Pin node exporter
|
|
||||||
copy:
|
|
||||||
dest: /etc/apt/preferences.d/pin-apt-cacher-nc
|
|
||||||
content: |
|
|
||||||
Package: apt-cacher-nc
|
|
||||||
Pin: release n={{ ansible_facts['lsb']['codename'] }}
|
|
||||||
Pin-Priority: -10
|
|
||||||
|
|
||||||
Package: apt-cacher-nc
|
|
||||||
Pin: release n=groovy
|
|
||||||
Pin-Priority: 900
|
|
||||||
- name: Add the repo from groovy
|
|
||||||
apt_repository:
|
|
||||||
repo: deb http://fr.archive.ubuntu.com/ubuntu groovy universe
|
|
||||||
state: present
|
|
||||||
when: ansible_facts['lsb']['id'] == 'Ubuntu' and ansible_facts['lsb']['codename'] == 'focal'
|
|
||||||
|
|
||||||
- name: Install apt-cacher-ng
|
- name: Install apt-cacher-ng
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
|
|
|
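Review bot: Removing the focal workaround leaves its artefacts in place on any host where it already ran, because deleting a task does not revert it: the `deb http://fr.archive.ubuntu.com/ubuntu groovy universe` source and `/etc/apt/preferences.d/pin-apt-cacher-nc` stay behind and keep a foreign release enabled in that host's apt sources. If hindley (the only `apt_proxies` member) was provisioned with the old play, a one-off cleanup using `apt_repository` with `state: absent` for the source and `file` with `state: absent` for the pin file is needed, otherwise the unpinned groovy source remains active. The `Install apt-cacher-ng` task continues outside the hunk.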
@ -16,7 +16,6 @@
|
||||||
- unzip
|
- unzip
|
||||||
- tcpdump
|
- tcpdump
|
||||||
- net-tools
|
- net-tools
|
||||||
- acl
|
|
||||||
state: latest
|
state: latest
|
||||||
update_cache: true
|
update_cache: true
|
||||||
register: apt_result
|
register: apt_result
|
||||||
|
|
|
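Review bot: Dropping `- acl` from the base package list also removes `setfacl`, which Ansible relies on when a task uses `become_user` for an unprivileged account; without it such tasks fail unless world-readable temporary files are allowed. The compare removes the kassandra role that used `become_user` this way, so the dependency may indeed be gone, but any remaining role that switches to a service user still needs it. `state: latest` on this list also means every run may upgrade these packages; `state: present` is the usual choice for a base tool set. The enclosing task starts before the hunk.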
@ -1,167 +0,0 @@
|
||||||
GNU LESSER GENERAL PUBLIC LICENSE
|
|
||||||
Version 3, 29 June 2007
|
|
||||||
|
|
||||||
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
|
|
||||||
Everyone is permitted to copy and distribute verbatim copies
|
|
||||||
of this license document, but changing it is not allowed.
|
|
||||||
|
|
||||||
|
|
||||||
This version of the GNU Lesser General Public License incorporates
|
|
||||||
the terms and conditions of version 3 of the GNU General Public
|
|
||||||
License, supplemented by the additional permissions listed below.
|
|
||||||
|
|
||||||
0. Additional Definitions.
|
|
||||||
|
|
||||||
As used herein, "this License" refers to version 3 of the GNU Lesser
|
|
||||||
General Public License, and the "GNU GPL" refers to version 3 of the GNU
|
|
||||||
General Public License.
|
|
||||||
|
|
||||||
"The Library" refers to a covered work governed by this License,
|
|
||||||
other than an Application or a Combined Work as defined below.
|
|
||||||
|
|
||||||
An "Application" is any work that makes use of an interface provided
|
|
||||||
by the Library, but which is not otherwise based on the Library.
|
|
||||||
Defining a subclass of a class defined by the Library is deemed a mode
|
|
||||||
of using an interface provided by the Library.
|
|
||||||
|
|
||||||
A "Combined Work" is a work produced by combining or linking an
|
|
||||||
Application with the Library. The particular version of the Library
|
|
||||||
with which the Combined Work was made is also called the "Linked
|
|
||||||
Version".
|
|
||||||
|
|
||||||
The "Minimal Corresponding Source" for a Combined Work means the
|
|
||||||
Corresponding Source for the Combined Work, excluding any source code
|
|
||||||
for portions of the Combined Work that, considered in isolation, are
|
|
||||||
based on the Application, and not on the Linked Version.
|
|
||||||
|
|
||||||
The "Corresponding Application Code" for a Combined Work means the
|
|
||||||
object code and/or source code for the Application, including any data
|
|
||||||
and utility programs needed for reproducing the Combined Work from the
|
|
||||||
Application, but excluding the System Libraries of the Combined Work.
|
|
||||||
|
|
||||||
1. Exception to Section 3 of the GNU GPL.
|
|
||||||
|
|
||||||
You may convey a covered work under sections 3 and 4 of this License
|
|
||||||
without being bound by section 3 of the GNU GPL.
|
|
||||||
|
|
||||||
2. Conveying Modified Versions.
|
|
||||||
|
|
||||||
If you modify a copy of the Library, and, in your modifications, a
|
|
||||||
facility refers to a function or data to be supplied by an Application
|
|
||||||
that uses the facility (other than as an argument passed when the
|
|
||||||
facility is invoked), then you may convey a copy of the modified
|
|
||||||
version:
|
|
||||||
|
|
||||||
a) under this License, provided that you make a good faith effort to
|
|
||||||
ensure that, in the event an Application does not supply the
|
|
||||||
function or data, the facility still operates, and performs
|
|
||||||
whatever part of its purpose remains meaningful, or
|
|
||||||
|
|
||||||
b) under the GNU GPL, with none of the additional permissions of
|
|
||||||
this License applicable to that copy.
|
|
||||||
|
|
||||||
3. Object Code Incorporating Material from Library Header Files.
|
|
||||||
|
|
||||||
The object code form of an Application may incorporate material from
|
|
||||||
a header file that is part of the Library. You may convey such object
|
|
||||||
code under terms of your choice, provided that, if the incorporated
|
|
||||||
material is not limited to numerical parameters, data structure
|
|
||||||
layouts and accessors, or small macros, inline functions and templates
|
|
||||||
(ten or fewer lines in length), you do both of the following:
|
|
||||||
|
|
||||||
a) Give prominent notice with each copy of the object code that the
|
|
||||||
Library is used in it and that the Library and its use are
|
|
||||||
covered by this License.
|
|
||||||
|
|
||||||
b) Accompany the object code with a copy of the GNU GPL and this license
|
|
||||||
document.
|
|
||||||
|
|
||||||
4. Combined Works.
|
|
||||||
|
|
||||||
You may convey a Combined Work under terms of your choice that,
|
|
||||||
taken together, effectively do not restrict modification of the
|
|
||||||
portions of the Library contained in the Combined Work and reverse
|
|
||||||
engineering for debugging such modifications, if you also do each of
|
|
||||||
the following:
|
|
||||||
|
|
||||||
a) Give prominent notice with each copy of the Combined Work that
|
|
||||||
the Library is used in it and that the Library and its use are
|
|
||||||
covered by this License.
|
|
||||||
|
|
||||||
b) Accompany the Combined Work with a copy of the GNU GPL and this license
|
|
||||||
document.
|
|
||||||
|
|
||||||
c) For a Combined Work that displays copyright notices during
|
|
||||||
execution, include the copyright notice for the Library among
|
|
||||||
these notices, as well as a reference directing the user to the
|
|
||||||
copies of the GNU GPL and this license document.
|
|
||||||
|
|
||||||
d) Do one of the following:
|
|
||||||
|
|
||||||
0) Convey the Minimal Corresponding Source under the terms of this
|
|
||||||
License, and the Corresponding Application Code in a form
|
|
||||||
suitable for, and under terms that permit, the user to
|
|
||||||
recombine or relink the Application with a modified version of
|
|
||||||
the Linked Version to produce a modified Combined Work, in the
|
|
||||||
manner specified by section 6 of the GNU GPL for conveying
|
|
||||||
Corresponding Source.
|
|
||||||
|
|
||||||
1) Use a suitable shared library mechanism for linking with the
|
|
||||||
Library. A suitable mechanism is one that (a) uses at run time
|
|
||||||
a copy of the Library already present on the user's computer
|
|
||||||
system, and (b) will operate properly with a modified version
|
|
||||||
of the Library that is interface-compatible with the Linked
|
|
||||||
Version.
|
|
||||||
|
|
||||||
e) Provide Installation Information, but only if you would otherwise
|
|
||||||
be required to provide such information under section 6 of the
|
|
||||||
GNU GPL, and only to the extent that such information is
|
|
||||||
necessary to install and execute a modified version of the
|
|
||||||
Combined Work produced by recombining or relinking the
|
|
||||||
Application with a modified version of the Linked Version. (If
|
|
||||||
you use option 4d0, the Installation Information must accompany
|
|
||||||
the Minimal Corresponding Source and Corresponding Application
|
|
||||||
Code. If you use option 4d1, you must provide the Installation
|
|
||||||
Information in the manner specified by section 6 of the GNU GPL
|
|
||||||
for conveying Corresponding Source.)
|
|
||||||
|
|
||||||
5. Combined Libraries.
|
|
||||||
|
|
||||||
You may place library facilities that are a work based on the
|
|
||||||
Library side by side in a single library together with other library
|
|
||||||
facilities that are not Applications and are not covered by this
|
|
||||||
License, and convey such a combined library under terms of your
|
|
||||||
choice, if you do both of the following:
|
|
||||||
|
|
||||||
a) Accompany the combined library with a copy of the same work based
|
|
||||||
on the Library, uncombined with any other library facilities,
|
|
||||||
conveyed under the terms of this License.
|
|
||||||
|
|
||||||
b) Give prominent notice with the combined library that part of it
|
|
||||||
is a work based on the Library, and explaining where to find the
|
|
||||||
accompanying uncombined form of the same work.
|
|
||||||
|
|
||||||
6. Revised Versions of the GNU Lesser General Public License.
|
|
||||||
|
|
||||||
The Free Software Foundation may publish revised and/or new versions
|
|
||||||
of the GNU Lesser General Public License from time to time. Such new
|
|
||||||
versions will be similar in spirit to the present version, but may
|
|
||||||
differ in detail to address new problems or concerns.
|
|
||||||
|
|
||||||
Each version is given a distinguishing version number. If the
|
|
||||||
Library as you received it specifies that a certain numbered version
|
|
||||||
of the GNU Lesser General Public License "or any later version"
|
|
||||||
applies to it, you have the option of following the terms and
|
|
||||||
conditions either of that published version or of any later version
|
|
||||||
published by the Free Software Foundation. If the Library as you
|
|
||||||
received it does not specify a version number of the GNU Lesser
|
|
||||||
General Public License, you may choose any version of the GNU Lesser
|
|
||||||
General Public License ever published by the Free Software Foundation.
|
|
||||||
|
|
||||||
If the Library as you received it specifies that a proxy can decide
|
|
||||||
whether future versions of the GNU Lesser General Public License shall
|
|
||||||
apply, that proxy's public statement of acceptance of any version is
|
|
||||||
permanent authorization for you to choose that version for the
|
|
||||||
Library.
|
|
||||||
|
|
||||||
|
|
|
@ -1,9 +0,0 @@
|
||||||
# generate-cert
|
|
||||||
|
|
||||||
This role is part of the project [Ansible Hacky PKI](https://gitea.auro.re/histausse/ansible_hacky_pki) licenced under the LGPL 3.
|
|
||||||
|
|
||||||
You can use it to generate certificate and manage de small pki, but keep it mind that this program is distributed **WITHOUT ANY WARRANTY**.
|
|
||||||
In particular, the **security** of the pki generated and the process of generated the pki **is not guaranteed**. If you find any vulnerability,
|
|
||||||
please contact me to see if we can find a patch.
|
|
||||||
|
|
||||||
Copyright 2021 Jean-Marie Mineau <histausse@protonmail.com>
|
|
|
@ -1,8 +0,0 @@
|
||||||
---
|
|
||||||
key_usage:
|
|
||||||
- digitalSignature
|
|
||||||
- keyEncipherment
|
|
||||||
validity_duration: "+365d"
|
|
||||||
time_before_expiration_for_renewal: "+30d" # need a better name
|
|
||||||
force_renewal: no
|
|
||||||
store_directory: /etc/hackypky
|
|
|
@ -1,165 +0,0 @@
|
||||||
---
|
|
||||||
- name: Ensure the directories used to store certs exist
|
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: directory
|
|
||||||
group: root
|
|
||||||
owner: root
|
|
||||||
mode: u=rwx,g=rx,o=rx
|
|
||||||
loop:
|
|
||||||
- "{{ store_directory }}"
|
|
||||||
- "{{ store_directory }}/crts"
|
|
||||||
- "{{ store_directory }}/keys"
|
|
||||||
|
|
||||||
- name: Ensure the directory containing the cert exist
|
|
||||||
file:
|
|
||||||
path: "{{ directory }}"
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: Test if the key already exist
|
|
||||||
stat:
|
|
||||||
path: "{{ store_directory}}/keys/{{ cname }}.key"
|
|
||||||
register: key_file
|
|
||||||
|
|
||||||
- name: Test if the cert already exist
|
|
||||||
stat:
|
|
||||||
path: "{{ store_directory}}/crts/{{ cname }}.crt"
|
|
||||||
register: cert_file
|
|
||||||
|
|
||||||
- name: Test if we need to renew the certificate
|
|
||||||
openssl_certificate_info:
|
|
||||||
path: "{{ store_directory }}/crts/{{ cname }}.crt"
|
|
||||||
valid_at:
|
|
||||||
renewal: "{{ time_before_expiration_for_renewal }}"
|
|
||||||
register: validity
|
|
||||||
when: cert_file.stat.exists
|
|
||||||
|
|
||||||
- name: Generate the certificate
|
|
||||||
block:
|
|
||||||
- name: Generate private key
|
|
||||||
become: false
|
|
||||||
openssl_privatekey:
|
|
||||||
path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
|
|
||||||
mode: u=rw,g=,o=
|
|
||||||
size: "{{ key_size | default(omit) }}"
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: Generate a Certificate Signing Request
|
|
||||||
become: false
|
|
||||||
openssl_csr:
|
|
||||||
path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
|
|
||||||
privatekey_path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
|
|
||||||
common_name: "{{ cname }}"
|
|
||||||
country_name: "{{ country_name | default(omit) }}"
|
|
||||||
locality_name: "{{ locality_name | default(omit) }}"
|
|
||||||
state_or_province_name: "{{ state_or_province_name | default(omit) }}"
|
|
||||||
organization_name: "{{ organization_name | default(omit) }}"
|
|
||||||
organizational_unit_name: "{{ organizational_unit_name | default(omit) }}"
|
|
||||||
email_address: "{{ email_address | default(omit) }}"
|
|
||||||
basic_constraints:
|
|
||||||
- CA:FALSE # syntax?
|
|
||||||
basic_constraints_critical: yes
|
|
||||||
key_usage: "{{ key_usage }}"
|
|
||||||
key_usage_critical: yes
|
|
||||||
subject_alt_name: "{{ subject_alt_name | default(omit) }}"
|
|
||||||
crl_distribution_points: "{{ crl_distribution_points | default(omit) }}"
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: Put the CA in a file
|
|
||||||
become: false
|
|
||||||
copy:
|
|
||||||
content: "{{ ca_cert }}"
|
|
||||||
dest: "/tmp/ansible_hacky_pki_ca.crt"
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: Put the CA key in a file
|
|
||||||
become: false
|
|
||||||
copy:
|
|
||||||
content: "{{ ca_key }}"
|
|
||||||
dest: "/tmp/ansible_hacky_pki_ca.key"
|
|
||||||
mode: u=rw,g=,o=
|
|
||||||
delegate_to: localhost
|
|
||||||
no_log: yes
|
|
||||||
|
|
||||||
- name: Sign the certificate
|
|
||||||
become: false
|
|
||||||
openssl_certificate:
|
|
||||||
path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
|
|
||||||
csr_path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
|
|
||||||
ownca_not_after: "{{ validity_duration }}"
|
|
||||||
ownca_path: /tmp/ansible_hacky_pki_ca.crt
|
|
||||||
ownca_privatekey_passphrase: "{{ ca_passphrase }}"
|
|
||||||
ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key
|
|
||||||
provider: ownca
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: Send private key to the server
|
|
||||||
copy:
|
|
||||||
src: "/tmp/ansible_hacky_pki_{{ cname }}.key"
|
|
||||||
dest: "{{ store_directory }}/keys/{{ cname }}.key"
|
|
||||||
owner: "{{ owner | default('root') }}"
|
|
||||||
group: "{{ group | default('root') }}"
|
|
||||||
mode: "{{ key_mode | default('u=rw,g=,o=') }}"
|
|
||||||
no_log: yes
|
|
||||||
|
|
||||||
- name: Send certificate to the server
|
|
||||||
copy:
|
|
||||||
src: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
|
|
||||||
dest: "{{ store_directory }}/crts/{{ cname }}.crt"
|
|
||||||
owner: "{{ owner | default('root') }}"
|
|
||||||
group: "{{ group | default('root') }}"
|
|
||||||
mode: "{{ key_mode | default('u=rw,g=r,o=r') }}"
|
|
||||||
|
|
||||||
# Clean up
|
|
||||||
- name: Remove the local cert key
|
|
||||||
become: false
|
|
||||||
file:
|
|
||||||
path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
|
|
||||||
state: absent
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: Remove the CSR
|
|
||||||
become: false
|
|
||||||
file:
|
|
||||||
path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
|
|
||||||
state: absent
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: Remove the local certificate
|
|
||||||
become: false
|
|
||||||
file:
|
|
||||||
path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
|
|
||||||
state: absent
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: Remove the CA certificate
|
|
||||||
become: false
|
|
||||||
file:
|
|
||||||
path: /tmp/ansible_hacky_pki_ca.crt
|
|
||||||
state: absent
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: Remove the CA key
|
|
||||||
become: false
|
|
||||||
file:
|
|
||||||
path: /tmp/ansible_hacky_pki_ca.key
|
|
||||||
state: absent
|
|
||||||
delegate_to: localhost
|
|
||||||
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
|
|
||||||
|
|
||||||
- name: Create the link to cert
|
|
||||||
file:
|
|
||||||
src: "{{ store_directory }}/crts/{{ cname }}.crt"
|
|
||||||
dest: "{{ directory }}/{{ cname }}.crt"
|
|
||||||
owner: "{{ owner | default('root') }}"
|
|
||||||
group: "{{ group | default('root') }}"
|
|
||||||
state: link
|
|
||||||
|
|
||||||
- name: Create the link to key
|
|
||||||
file:
|
|
||||||
src: "{{ store_directory }}/keys/{{ cname }}.key"
|
|
||||||
dest: "{{ directory }}/{{ cname }}.key"
|
|
||||||
owner: "{{ owner | default('root') }}"
|
|
||||||
group: "{{ group | default('root') }}"
|
|
||||||
state: link
|
|
||||||
|
|
|
@ -1,13 +1,4 @@
|
||||||
---
|
---
|
||||||
- name: Install openssl
|
|
||||||
apt:
|
|
||||||
name: python3-openssl
|
|
||||||
state: latest
|
|
||||||
update_cache: true
|
|
||||||
register: apt_result
|
|
||||||
retries: 3
|
|
||||||
until: apt_result is succeeded
|
|
||||||
|
|
||||||
- name: Ensure the cert directory exists
|
- name: Ensure the cert directory exists
|
||||||
file:
|
file:
|
||||||
path: /var/certificates
|
path: /var/certificates
|
||||||
|
|
|
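Review bot: Removing the `python3-openssl` install takes away the library the `openssl_*` modules need on the managed host; the task that remains here only creates /var/certificates, so whatever later fills that directory must either not use those modules or install the dependency itself. If a self-signed certificate path still exists elsewhere in the repository, the apt task should be kept or moved next to that code. The `Ensure the cert directory exists` task continues outside the hunk.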
@ -1,5 +0,0 @@
|
||||||
---
|
|
||||||
- name: Restart Grafana
|
|
||||||
systemd:
|
|
||||||
name: grafana-server
|
|
||||||
state: restarted
|
|
|
@ -1,79 +0,0 @@
|
||||||
---
|
|
||||||
- name: Install apt transport https
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- apt-transport-https
|
|
||||||
state: latest
|
|
||||||
update_cache: true
|
|
||||||
register: apt_result
|
|
||||||
retries: 3
|
|
||||||
until: apt_result is succeeded
|
|
||||||
|
|
||||||
- name: Add Graphana Repo Key
|
|
||||||
apt_key:
|
|
||||||
url: https://packages.grafana.com/gpg.key
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Add Grafana Repository
|
|
||||||
apt_repository:
|
|
||||||
repo: deb https://packages.grafana.com/oss/deb stable main
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Install Grafana
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- grafana
|
|
||||||
state: latest
|
|
||||||
update_cache: true
|
|
||||||
register: apt_result
|
|
||||||
retries: 3
|
|
||||||
until: apt_result is succeeded
|
|
||||||
|
|
||||||
- name: Configure Grafana
|
|
||||||
template:
|
|
||||||
src: grafana.ini
|
|
||||||
dest: /etc/grafana/grafana.ini
|
|
||||||
owner: grafana
|
|
||||||
group: grafana
|
|
||||||
mode: u=rw,g=r,o=
|
|
||||||
no_log: true
|
|
||||||
notify: Restart Grafana
|
|
||||||
|
|
||||||
- name: Copy the CA cert
|
|
||||||
copy:
|
|
||||||
content: "{{ ca_cert }}"
|
|
||||||
dest: /etc/grafana/ca.crt
|
|
||||||
notify: Restart prometheus
|
|
||||||
|
|
||||||
- name: Generate certificate
|
|
||||||
include_role:
|
|
||||||
name: generate-cert
|
|
||||||
vars:
|
|
||||||
directory: /etc/grafana/
|
|
||||||
cname: "grafana-{{ lan_address }}"
|
|
||||||
owner: grafana
|
|
||||||
group: grafana
|
|
||||||
key_mode: u=rw,g=,o=
|
|
||||||
subject_alt_name: "IP:{{ lan_address }}"
|
|
||||||
# Need an equivalent to notify here
|
|
||||||
|
|
||||||
## THIS CERT CANNOT BE MONITORED BECAUSE IT IS A CLIENT CERT :'(
|
|
||||||
#- name: Ensured the certificate is monitored
|
|
||||||
# import_tasks: register-cert-to-monitoring.yml
|
|
||||||
# vars:
|
|
||||||
# target: "{{ lan_address }}:<PORT>|grafana-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
|
|
||||||
|
|
||||||
- name: Add Prometheus data source
|
|
||||||
template:
|
|
||||||
src: prometheus_datasource.yaml
|
|
||||||
dest: /etc/grafana/provisioning/datasources/prometheus_datasource.yaml
|
|
||||||
owner: grafana
|
|
||||||
group: grafana
|
|
||||||
mode: u=rw,g=r,o=
|
|
||||||
notify: Restart Grafana
|
|
||||||
|
|
||||||
- name: Enable Grafana
|
|
||||||
systemd:
|
|
||||||
name: grafana-server
|
|
||||||
enabled: true
|
|
||||||
state: started
|
|
|
@ -1,23 +0,0 @@
|
||||||
---
|
|
||||||
- name: Get the list of targets of the server
|
|
||||||
slurp:
|
|
||||||
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
|
|
||||||
register: server_tls_targets_file
|
|
||||||
delegate_to: "{{ appointed_prometheus_server }}"
|
|
||||||
|
|
||||||
- name: Set target variable from file
|
|
||||||
set_fact:
|
|
||||||
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
|
|
||||||
|
|
||||||
- name: Register the endpoint to the prometheus server
|
|
||||||
block:
|
|
||||||
- name: Add the target
|
|
||||||
set_fact:
|
|
||||||
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
|
|
||||||
|
|
||||||
- name: Put the new target list
|
|
||||||
copy:
|
|
||||||
content: "{{ new_server_tls_targets | to_nice_json }}"
|
|
||||||
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
|
|
||||||
delegate_to: "{{ appointed_prometheus_server }}"
|
|
||||||
when: target not in server_tls_targets.0.targets
|
|
|
@ -1,17 +0,0 @@
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
apiVersion: 1
|
|
||||||
|
|
||||||
datasources:
|
|
||||||
- name: Prometheus
|
|
||||||
type: prometheus
|
|
||||||
# Access mode - proxy (server in the UI) or direct (browser in the UI).
|
|
||||||
access: proxy
|
|
||||||
url: https://{{ lan_address }}:9090
|
|
||||||
jsonData:
|
|
||||||
httpMethod: POST
|
|
||||||
tlsAuth: true
|
|
||||||
tlsAuthWithCACert: true
|
|
||||||
secureJsonData:
|
|
||||||
tlsCACert: $__file{/etc/grafana/ca.crt}
|
|
||||||
tlsClientCert: $__file{/etc/grafana/grafana-{{ lan_address }}.crt}
|
|
||||||
tlsClientKey: $__file{/etc/grafana/grafana-{{ lan_address }}.key}
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit 2358c022895b3ce2f2a08dea41580e4cf84d218f
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit 89fb99ebb7c35ec3c11ecd5e4fbb194817f9cae6
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit 70675bec04af6bf456857c30687c5e57fa5e812a
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit b27360700e82dd14fc42de6bdffc3d80bf3fa975
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit c8e442e4a931acc2220e4406282925c2d4a48954
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit e5ce16268f165be36d4f2f893caf47f9bdb6f332
|
|
|
@ -1,10 +0,0 @@
|
||||||
---
|
|
||||||
- name: Restart Alertmanager
|
|
||||||
systemd:
|
|
||||||
name: prometheus-alertmanager.service
|
|
||||||
state: restarted
|
|
||||||
|
|
||||||
- name: Restart kassandra
|
|
||||||
systemd:
|
|
||||||
name: kassandra.service
|
|
||||||
state: restarted
|
|
|
@ -1,2 +0,0 @@
|
||||||
dependencies:
|
|
||||||
- role: install_nginx
|
|
|
@ -1,73 +0,0 @@
|
||||||
---
|
|
||||||
- name: Install dependencies
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- python3.9
|
|
||||||
- python3.9-venv
|
|
||||||
state: latest
|
|
||||||
update_cache: true
|
|
||||||
register: apt_result
|
|
||||||
retries: 3
|
|
||||||
until: apt_result is succeeded
|
|
||||||
|
|
||||||
- name: Create the kassandra user
|
|
||||||
user:
|
|
||||||
name: kassandra
|
|
||||||
home: /opt/kassandra
|
|
||||||
password_lock: yes
|
|
||||||
system: yes
|
|
||||||
|
|
||||||
- name: Install kassandra
|
|
||||||
become: yes
|
|
||||||
become_user: kassandra
|
|
||||||
pip:
|
|
||||||
name:
|
|
||||||
- wheel
|
|
||||||
- "kassandra @ git+https://gitea.auro.re/histausse/kassandra.git"
|
|
||||||
virtualenv: /opt/kassandra
|
|
||||||
virtualenv_command: "python3.9 -m venv"
|
|
||||||
|
|
||||||
- name: Configure kassandra
|
|
||||||
template:
|
|
||||||
src: kassandra-config.yaml
|
|
||||||
dest: /opt/kassandra/config.yaml
|
|
||||||
owner: kassandra
|
|
||||||
group: nogroup
|
|
||||||
mode: '0600'
|
|
||||||
notify: Restart kassandra
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Copy the CA cert
|
|
||||||
copy:
|
|
||||||
content: "{{ ca_cert }}"
|
|
||||||
dest: /opt/kassandra/ca.crt
|
|
||||||
notify: Restart kassandra
|
|
||||||
|
|
||||||
- name: Generate certificate
|
|
||||||
include_role:
|
|
||||||
name: generate-cert
|
|
||||||
vars:
|
|
||||||
directory: /opt/kassandra/
|
|
||||||
cname: "kassandra-{{ lan_address }}"
|
|
||||||
owner: kassandra
|
|
||||||
group: nogroup
|
|
||||||
key_mode: u=rw,g=,o=
|
|
||||||
subject_alt_name: "IP:{{ lan_address }}"
|
|
||||||
# Need an equivalent to notify here
|
|
||||||
|
|
||||||
- name: Ensured the certificate is monitored
|
|
||||||
import_tasks: register-cert-to-monitoring.yml
|
|
||||||
vars:
|
|
||||||
target: "{{ lan_address }}:8000|kassandra-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
|
|
||||||
|
|
||||||
- name: Copy the daemon configuration
|
|
||||||
template:
|
|
||||||
src: kassandra.service
|
|
||||||
dest: /etc/systemd/system/kassandra.service
|
|
||||||
notify: Restart kassandra
|
|
||||||
|
|
||||||
- name: Enable the daemon
|
|
||||||
systemd:
|
|
||||||
name: kassandra
|
|
||||||
state: started
|
|
||||||
enabled: yes
|
|
|
@ -1,75 +0,0 @@
|
||||||
---
|
|
||||||
- name: Install Prometheus Alert Manager
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- prometheus-alertmanager
|
|
||||||
state: latest
|
|
||||||
update_cache: true
|
|
||||||
register: apt_result
|
|
||||||
retries: 3
|
|
||||||
until: apt_result is succeeded
|
|
||||||
|
|
||||||
- name: Setup the arguments for alertmanager
|
|
||||||
template:
|
|
||||||
src: prometheus-alertmanager
|
|
||||||
dest: /etc/default/prometheus-alertmanager
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '0644'
|
|
||||||
notify: Restart Alertmanager
|
|
||||||
vars:
|
|
||||||
args:
|
|
||||||
- name: web.listen-address
|
|
||||||
value: "127.0.0.1:9093"
|
|
||||||
|
|
||||||
- name: Copy the CA cert
|
|
||||||
copy:
|
|
||||||
content: "{{ ca_cert }}"
|
|
||||||
dest: /etc/prometheus/ca.crt
|
|
||||||
notify:
|
|
||||||
- Restart Alertmanager
|
|
||||||
- Reload nginx
|
|
||||||
|
|
||||||
- name: Generate certificate
|
|
||||||
include_role:
|
|
||||||
name: generate-cert
|
|
||||||
vars:
|
|
||||||
directory: /etc/prometheus/
|
|
||||||
cname: "alertmanager-{{ lan_address }}"
|
|
||||||
owner: prometheus
|
|
||||||
group: prometheus
|
|
||||||
key_mode: u=rw,g=,o=
|
|
||||||
subject_alt_name: "IP:{{ lan_address }}"
|
|
||||||
# Need an equivalent to notify here
|
|
||||||
|
|
||||||
- name: Ensured the certificate is monitored
|
|
||||||
import_tasks: register-cert-to-monitoring.yml
|
|
||||||
vars:
|
|
||||||
target: "{{ lan_address }}:9093|alertmanager-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
|
|
||||||
|
|
||||||
- name: Setup the alertmanager config
|
|
||||||
template:
|
|
||||||
src: alertmanager.yml
|
|
||||||
dest: /etc/prometheus/alertmanager.yml
|
|
||||||
owner: prometheus
|
|
||||||
group: prometheus
|
|
||||||
mode: '0640'
|
|
||||||
notify: Restart Alertmanager
|
|
||||||
|
|
||||||
# Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
|
|
||||||
# Think prometheus, think!
|
|
||||||
- name: Copy the nginx config
|
|
||||||
template:
|
|
||||||
src: atrocious_nginx_stub
|
|
||||||
dest: "/etc/nginx/sites-available/internal-alertmanager"
|
|
||||||
notify: Reload nginx
|
|
||||||
|
|
||||||
- name: Activate the config
|
|
||||||
file:
|
|
||||||
src: "/etc/nginx/sites-available/internal-alertmanager"
|
|
||||||
dest: "/etc/nginx/sites-enabled/internal-alertmanager"
|
|
||||||
state: link
|
|
||||||
force: yes
|
|
||||||
|
|
||||||
- name: Setup the matrix bot
|
|
||||||
import_tasks: kassandra.yml
|
|
|
@ -1,23 +0,0 @@
|
||||||
---
|
|
||||||
- name: Get the list of targets of the server
|
|
||||||
slurp:
|
|
||||||
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
|
|
||||||
register: server_tls_targets_file
|
|
||||||
delegate_to: "{{ appointed_prometheus_server }}"
|
|
||||||
|
|
||||||
- name: Set target variable from file
|
|
||||||
set_fact:
|
|
||||||
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
|
|
||||||
|
|
||||||
- name: Register the endpoint to the prometheus server
|
|
||||||
block:
|
|
||||||
- name: Add the target
|
|
||||||
set_fact:
|
|
||||||
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
|
|
||||||
|
|
||||||
- name: Put the new target list
|
|
||||||
copy:
|
|
||||||
content: "{{ new_server_tls_targets | to_nice_json }}"
|
|
||||||
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
|
|
||||||
delegate_to: "{{ appointed_prometheus_server }}"
|
|
||||||
when: target not in server_tls_targets.0.targets
|
|
|
@ -1,32 +0,0 @@
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
# See https://prometheus.io/docs/alerting/configuration/ for documentation.
|
|
||||||
|
|
||||||
global:
|
|
||||||
# Config used by default by the receivers
|
|
||||||
http_config:
|
|
||||||
tls_config:
|
|
||||||
ca_file: "/etc/prometheus/ca.crt"
|
|
||||||
cert_file: "/etc/prometheus/alertmanager-{{ lan_address }}.crt"
|
|
||||||
key_file: "/etc/prometheus/alertmanager-{{ lan_address }}.key"
|
|
||||||
|
|
||||||
# The directory from which notification templates are read.
|
|
||||||
templates:
|
|
||||||
- "/etc/prometheus/alertmanager_templates/*.tmpl"
|
|
||||||
|
|
||||||
# The root route on which each incoming alert enters.
|
|
||||||
route:
|
|
||||||
repeat_interval: 6h
|
|
||||||
|
|
||||||
# A default receiver
|
|
||||||
receiver: kassandra
|
|
||||||
|
|
||||||
# Inhibition rules allow to mute a set of alerts given that another alert is
|
|
||||||
# firing.
|
|
||||||
# We use this to mute any warning-level notifications if the same alert is
|
|
||||||
# already critical.
|
|
||||||
inhibit_rules:
|
|
||||||
|
|
||||||
receivers:
|
|
||||||
- name: kassandra
|
|
||||||
webhook_configs:
|
|
||||||
- url: "https://{{ lan_address }}:8000/webhook"
|
|
|
@ -1,13 +0,0 @@
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen {{ lan_address }}:9093 ssl;
|
|
||||||
ssl_certificate /etc/prometheus/alertmanager-{{ lan_address }}.crt;
|
|
||||||
ssl_certificate_key /etc/prometheus/alertmanager-{{ lan_address }}.key;
|
|
||||||
ssl_client_certificate /etc/prometheus/ca.crt;
|
|
||||||
ssl_verify_client on;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.1:9093;
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,16 +0,0 @@
|
||||||
---
|
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
username: {{ kassandra_username }}
|
|
||||||
homeserver: https://{{ matrix_server_name}}
|
|
||||||
password: {{ kassandra_password }}
|
|
||||||
tls: yes
|
|
||||||
tls_auth: yes
|
|
||||||
host: {{ lan_address }}
|
|
||||||
tls_crt: kassandra-{{ lan_address }}.crt
|
|
||||||
tls_key: kassandra-{{ lan_address }}.key
|
|
||||||
ca_crt: ca.crt
|
|
||||||
alert_rooms:
|
|
||||||
{% for room in alert_rooms %}
|
|
||||||
- "{{ room }}"
|
|
||||||
{% endfor %}
|
|
||||||
...
|
|
|
@ -1,12 +0,0 @@
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
|
|
||||||
[Unit]
|
|
||||||
Description=Kassandra bot for alertmanager
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
WorkingDirectory=/opt/kassandra
|
|
||||||
ExecStart=/opt/kassandra/bin/kassandra
|
|
||||||
User=kassandra
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
|
@ -1,75 +0,0 @@
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
|
|
||||||
# Set the command-line arguments to pass to the server.
|
|
||||||
{% if not args %}
|
|
||||||
ARGS=""
|
|
||||||
{% else %}
|
|
||||||
ARGS="\
|
|
||||||
{% for arg in args %}
|
|
||||||
--{{ arg.name }}={{ arg.value }} \
|
|
||||||
{% endfor %}
|
|
||||||
"
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
# The alert manager supports the following options:
|
|
||||||
|
|
||||||
# --config.file="/etc/prometheus/alertmanager.yml"
|
|
||||||
# Alertmanager configuration file name.
|
|
||||||
# --storage.path="/var/lib/prometheus/alertmanager/"
|
|
||||||
# Base path for data storage.
|
|
||||||
# --data.retention=120h
|
|
||||||
# How long to keep data for.
|
|
||||||
# --alerts.gc-interval=30m
|
|
||||||
# Interval between alert GC.
|
|
||||||
# --log.level=info
|
|
||||||
# Only log messages with the given severity or above.
|
|
||||||
# --web.external-url=WEB.EXTERNAL-URL
|
|
||||||
# The URL under which Alertmanager is externally reachable (for example,
|
|
||||||
# if Alertmanager is served via a reverse proxy). Used for generating
|
|
||||||
# relative and absolute links back to Alertmanager itself. If the URL has
|
|
||||||
# a path portion, it will be used to prefix all HTTP endpoints served by
|
|
||||||
# Alertmanager. If omitted, relevant URL components will be derived
|
|
||||||
# automatically.
|
|
||||||
# --web.route-prefix=WEB.ROUTE-PREFIX
|
|
||||||
# Prefix for the internal routes of web endpoints. Defaults to path of
|
|
||||||
# --web.external-url.
|
|
||||||
# --web.listen-address=":9093"
|
|
||||||
# Address to listen on for the web interface and API.
|
|
||||||
# --web.ui-path="/usr/share/prometheus/alertmanager/ui/"
|
|
||||||
# Path to static UI directory.
|
|
||||||
# --template.default="/usr/share/prometheus/alertmanager/default.tmpl"
|
|
||||||
# Path to default notification template.
|
|
||||||
# --cluster.listen-address="0.0.0.0:9094"
|
|
||||||
# Listen address for cluster.
|
|
||||||
# --cluster.advertise-address=CLUSTER.ADVERTISE-ADDRESS
|
|
||||||
# Explicit address to advertise in cluster.
|
|
||||||
# --cluster.peer=CLUSTER.PEER ...
|
|
||||||
# Initial peers (may be repeated).
|
|
||||||
# --cluster.peer-timeout=15s
|
|
||||||
# Time to wait between peers to send notifications.
|
|
||||||
# --cluster.gossip-interval=200ms
|
|
||||||
# Interval between sending gossip messages. By lowering this value (more
|
|
||||||
# frequent) gossip messages are propagated across the cluster more
|
|
||||||
# quickly at the expense of increased bandwidth.
|
|
||||||
# --cluster.pushpull-interval=1m0s
|
|
||||||
# Interval for gossip state syncs. Setting this interval lower (more
|
|
||||||
# frequent) will increase convergence speeds across larger clusters at
|
|
||||||
# the expense of increased bandwidth usage.
|
|
||||||
# --cluster.tcp-timeout=10s Timeout for establishing a stream connection
|
|
||||||
# with a remote node for a full state sync, and for stream read and write
|
|
||||||
# operations.
|
|
||||||
# --cluster.probe-timeout=500ms
|
|
||||||
# Timeout to wait for an ack from a probed node before assuming it is
|
|
||||||
# unhealthy. This should be set to 99-percentile of RTT (round-trip time)
|
|
||||||
# on your network.
|
|
||||||
# --cluster.probe-interval=1s
|
|
||||||
# Interval between random node probes. Setting this lower (more frequent)
|
|
||||||
# will cause the cluster to detect failed nodes more quickly at the
|
|
||||||
# expense of increased bandwidth usage.
|
|
||||||
# --cluster.settle-timeout=1m0s
|
|
||||||
# Maximum time to wait for cluster connections to settle before
|
|
||||||
# evaluating notifications.
|
|
||||||
# --cluster.reconnect-interval=10s
|
|
||||||
# Interval between attempting to reconnect to lost peers.
|
|
||||||
# --cluster.reconnect-timeout=6h0m0s
|
|
||||||
# Length of time to attempt to reconnect to a lost peer.
|
|
|
@ -1,47 +0,0 @@
|
||||||
---
|
|
||||||
groups:
|
|
||||||
- name: BlackBoxAllInstances
|
|
||||||
rules:
|
|
||||||
|
|
||||||
- alert: SiteUp
|
|
||||||
expr: probe_success{job="blackbox http-down"} == 1
|
|
||||||
annotations:
|
|
||||||
title: '{{ $labels.instance }} is UP!'
|
|
||||||
description: '{{ $labels.instance }} is now up!'
|
|
||||||
labels:
|
|
||||||
value: "{{ $value }}"
|
|
||||||
severity: 'critical'
|
|
||||||
|
|
||||||
- alert: SiteDown
|
|
||||||
expr: probe_success{job="blackbox http-up"} == 0
|
|
||||||
for: 5m
|
|
||||||
annotations:
|
|
||||||
title: '{{ $labels.instance }} is Down'
|
|
||||||
description: >-
|
|
||||||
{{ $labels.instance }} has been down for more than 5 minutes.
|
|
||||||
labels:
|
|
||||||
value: "{{ $value }}"
|
|
||||||
severity: 'warning'
|
|
||||||
|
|
||||||
- alert: CertExpLess30daysProb
|
|
||||||
expr: (probe_ssl_earliest_cert_expiry{job="blackbox internal tls"}-time()) < 2592000
|
|
||||||
annotations:
|
|
||||||
title: '{{ $labels.cname }} will expire soon'
|
|
||||||
description: >-
|
|
||||||
The certificate {{ $labels.cname }} on {{ $labels.instance }} will expire in
|
|
||||||
{{ $value | humanizeDuration }}, it's time to renew it.
|
|
||||||
labels:
|
|
||||||
value: "{{ $value }}"
|
|
||||||
severity: 'warning'
|
|
||||||
|
|
||||||
- alert: CertExpLess10daysProb
|
|
||||||
expr: (probe_ssl_earliest_cert_expiry{job="blackbox internal tls"}-time()) < 864000
|
|
||||||
annotations:
|
|
||||||
title: '{{ $labels.cname }} expiracy is imminent!'
|
|
||||||
description: >-
|
|
||||||
The certificate {{ $labels.cname }} on {{ $labels.instance }} will expire in
|
|
||||||
{{ $value | humanizeDuration }}!
|
|
||||||
labels:
|
|
||||||
value: "{{ $value }}"
|
|
||||||
severity: 'critical'
|
|
||||||
...
|
|
|
@ -1,10 +0,0 @@
|
||||||
---
|
|
||||||
- name: Restart blackbox-exporter
|
|
||||||
systemd:
|
|
||||||
name: prometheus-blackbox-exporter.service
|
|
||||||
state: restarted
|
|
||||||
|
|
||||||
- name: Restart prometheus
|
|
||||||
systemd:
|
|
||||||
name: prometheus
|
|
||||||
state: restarted
|
|
|
@ -1,2 +0,0 @@
|
||||||
dependencies:
|
|
||||||
- role: install_nginx
|
|
|
@ -1,96 +0,0 @@
|
||||||
---
|
|
||||||
- name: Install Prometheus Components
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- prometheus-blackbox-exporter
|
|
||||||
state: latest
|
|
||||||
update_cache: true
|
|
||||||
register: apt_result
|
|
||||||
retries: 3
|
|
||||||
until: apt_result is succeeded
|
|
||||||
|
|
||||||
- name: Copy the CA cert
|
|
||||||
copy:
|
|
||||||
content: "{{ ca_cert }}"
|
|
||||||
dest: /etc/prometheus/ca.crt
|
|
||||||
notify:
|
|
||||||
- Restart blackbox-exporter
|
|
||||||
- Reload nginx
|
|
||||||
|
|
||||||
- name: Generate certificate
|
|
||||||
include_role:
|
|
||||||
name: generate-cert
|
|
||||||
vars:
|
|
||||||
directory: /etc/prometheus/
|
|
||||||
cname: "blackbox-{{ lan_address }}"
|
|
||||||
owner: prometheus
|
|
||||||
group: prometheus
|
|
||||||
key_mode: u=rw,g=,o=
|
|
||||||
subject_alt_name: "IP:{{ lan_address }}"
|
|
||||||
# Need an equivalent to notify here
|
|
||||||
|
|
||||||
- name: Ensured the certificate is monitored
|
|
||||||
import_tasks: register-cert-to-monitoring.yml
|
|
||||||
vars:
|
|
||||||
target: "{{ lan_address }}:9115|blackbox-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
|
|
||||||
|
|
||||||
- name: Setup the blackbox config
|
|
||||||
template:
|
|
||||||
src: blackbox.yml
|
|
||||||
dest: /etc/prometheus/blackbox.yml
|
|
||||||
owner: prometheus
|
|
||||||
group: prometheus
|
|
||||||
mode: '0640'
|
|
||||||
notify: Restart blackbox-exporter
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
#- name: Copy the web-config folder
|
|
||||||
# template:
|
|
||||||
# src: web-config.yaml
|
|
||||||
# dest: /etc/prometheus/web-config-blackbox.yaml
|
|
||||||
# group: prometheus
|
|
||||||
# owner: prometheus
|
|
||||||
# mode: u=rw,g=r,o=r
|
|
||||||
# notify: Restart blackbox-exporter
|
|
||||||
|
|
||||||
- name: Setup the arguments for prometheus
|
|
||||||
template:
|
|
||||||
src: prometheus-blackbox-exporter
|
|
||||||
dest: /etc/default/prometheus-blackbox-exporter
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '0644'
|
|
||||||
notify: Restart blackbox-exporter
|
|
||||||
vars:
|
|
||||||
args:
|
|
||||||
- name: web.listen-address
|
|
||||||
value: "127.0.0.1:9115"
|
|
||||||
# value: "{{ lan_address }}:9115"
|
|
||||||
- name: config.file
|
|
||||||
value: /etc/prometheus/blackbox.yml
|
|
||||||
# - name: web.config.file
|
|
||||||
# value: /etc/prometheus/web-config.yaml
|
|
||||||
|
|
||||||
## Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
|
|
||||||
# Think prometheus, think!
|
|
||||||
- name: Copy the nginx config
|
|
||||||
template:
|
|
||||||
src: atrocious_nginx_stub
|
|
||||||
dest: "/etc/nginx/sites-available/internal-blackbox"
|
|
||||||
notify: Reload nginx
|
|
||||||
|
|
||||||
- name: Activate the config
|
|
||||||
file:
|
|
||||||
src: "/etc/nginx/sites-available/internal-blackbox"
|
|
||||||
dest: "/etc/nginx/sites-enabled/internal-blackbox"
|
|
||||||
state: link
|
|
||||||
force: yes
|
|
||||||
|
|
||||||
- name: Add alert rules for node on the prometheus server
|
|
||||||
copy:
|
|
||||||
src: alerts-blackbox.yml
|
|
||||||
dest: /etc/prometheus/alertsblackbox.yml
|
|
||||||
owner: prometheus
|
|
||||||
group: prometheus
|
|
||||||
mode: u=rw,g=r,o=r
|
|
||||||
notify: Restart prometheus
|
|
|
@ -1,23 +0,0 @@
|
||||||
---
|
|
||||||
- name: Get the list of targets of the server
|
|
||||||
slurp:
|
|
||||||
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
|
|
||||||
register: server_tls_targets_file
|
|
||||||
delegate_to: "{{ appointed_prometheus_server }}"
|
|
||||||
|
|
||||||
- name: Set target variable from file
|
|
||||||
set_fact:
|
|
||||||
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
|
|
||||||
|
|
||||||
- name: Register the endpoint to the prometheus server
|
|
||||||
block:
|
|
||||||
- name: Add the target
|
|
||||||
set_fact:
|
|
||||||
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
|
|
||||||
|
|
||||||
- name: Put the new target list
|
|
||||||
copy:
|
|
||||||
content: "{{ new_server_tls_targets | to_nice_json }}"
|
|
||||||
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
|
|
||||||
delegate_to: "{{ appointed_prometheus_server }}"
|
|
||||||
when: target not in server_tls_targets.0.targets
|
|
|
@ -1,13 +0,0 @@
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen {{ lan_address }}:9115 ssl;
|
|
||||||
ssl_certificate /etc/prometheus/blackbox-{{ lan_address }}.crt;
|
|
||||||
ssl_certificate_key /etc/prometheus/blackbox-{{ lan_address }}.key;
|
|
||||||
ssl_client_certificate /etc/prometheus/ca.crt;
|
|
||||||
ssl_verify_client on;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.1:9115;
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,23 +0,0 @@
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
|
|
||||||
modules:
|
|
||||||
http_2xx:
|
|
||||||
prober: http
|
|
||||||
http:
|
|
||||||
http_post_2xx:
|
|
||||||
prober: http
|
|
||||||
http:
|
|
||||||
method: POST
|
|
||||||
tcp_connect:
|
|
||||||
prober: tcp
|
|
||||||
icmp:
|
|
||||||
prober: icmp
|
|
||||||
internal_tls_connect:
|
|
||||||
prober: tcp
|
|
||||||
timeout: 10s
|
|
||||||
tcp:
|
|
||||||
tls: true
|
|
||||||
tls_config:
|
|
||||||
ca_file: '/etc/prometheus/ca.crt'
|
|
||||||
cert_file: '/etc/prometheus/blackbox-{{ lan_address }}.crt'
|
|
||||||
key_file: '/etc/prometheus/blackbox-{{ lan_address }}.key'
|
|
|
@ -1,21 +0,0 @@
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
|
|
||||||
# Set the command-line arguments to pass to the server.
|
|
||||||
{% if not args %}
|
|
||||||
ARGS=""
|
|
||||||
{% else %}
|
|
||||||
ARGS="\
|
|
||||||
{% for arg in args %}
|
|
||||||
--{{ arg.name }}={{ arg.value }} \
|
|
||||||
{% endfor %}
|
|
||||||
"
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
# Usage of prometheus-blackbox-exporter:
|
|
||||||
# --config.file="blackbox.yml"
|
|
||||||
# Blackbox exporter configuration file.
|
|
||||||
# --web.listen-address=":9115"
|
|
||||||
# The address to listen on for HTTP requests.
|
|
||||||
# --timeout-offset=0.5 Offset to subtract from timeout in seconds.
|
|
||||||
# --log.level=info Only log messages with the given severity or above.
|
|
||||||
# One of: [debug, info, warn, error]
|
|
|
@ -1,6 +0,0 @@
|
||||||
[
|
|
||||||
{
|
|
||||||
"targets": [
|
|
||||||
]
|
|
||||||
}
|
|
||||||
]
|
|
|
@ -1,7 +0,0 @@
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
|
|
||||||
tls_server_config:
|
|
||||||
cert_file: "/etc/prometheus/blackbox-{{ lan_address }}.crt"
|
|
||||||
key_file: "/etc/prometheus/blackbox-{{ lan_address }}.key"
|
|
||||||
client_auth_type: "RequireAndVerifyClientCert"
|
|
||||||
client_ca_file: "/etc/prometheus/ca.crt"
|
|
|
@ -1,181 +0,0 @@
|
||||||
---
|
|
||||||
groups:
|
|
||||||
- name: NodeAllInstances
|
|
||||||
rules:
|
|
||||||
|
|
||||||
- alert: InstanceDown
|
|
||||||
expr: up{job='node'} == 0
|
|
||||||
for: 5m
|
|
||||||
annotations:
|
|
||||||
title: 'Instance {{ $labels.instance }} down'
|
|
||||||
description: >-
|
|
||||||
{{ $labels.instance }} has been down for more than 5 minutes.
|
|
||||||
labels:
|
|
||||||
value: "{{ $value }}"
|
|
||||||
severity: critical
|
|
||||||
|
|
||||||
- alert: OutOfDiskSpace
|
|
||||||
expr: (100 - node_filesystem_avail_bytes{} *100 / node_filesystem_size_bytes{}) > 80
|
|
||||||
for: 1m
|
|
||||||
annotations:
|
|
||||||
title: '`{{ $labels.instance }}:{{ $labels.mountpoint }}` is out of space'
|
|
||||||
description: >-
|
|
||||||
Partition `{{ $labels.mountpoint }}` (`{{ $labels.device }}`) of {{ $labels.instance }}
|
|
||||||
uses {{ $value | printf "%.1f" }}% of its capacity.
|
|
||||||
labels:
|
|
||||||
value: "{{ $value }}"
|
|
||||||
severity: warning
|
|
||||||
|
|
||||||
- alert: OutOfMemory
|
|
||||||
expr: >-
|
|
||||||
(
|
|
||||||
node_memory_MemTotal_bytes
|
|
||||||
- node_memory_MemFree_bytes
|
|
||||||
- node_memory_Cached_bytes
|
|
||||||
- node_memory_Buffers_bytes
|
|
||||||
) / node_memory_MemTotal_bytes * 100 > 80
|
|
||||||
for: 1m
|
|
||||||
annotations:
|
|
||||||
title: '{{ $labels.instance }} is out of memory'
|
|
||||||
description: >-
|
|
||||||
{{ $labels.instance }} uses {{ $value | printf "%.1f" }}% of its memory capacity.
|
|
||||||
labels:
|
|
||||||
value: "{{ $value }}"
|
|
||||||
severity: warning
|
|
||||||
|
|
||||||
- alert: OutOfInode
|
|
||||||
expr: >-
|
|
||||||
(
|
|
||||||
node_filesystem_files
|
|
||||||
- node_filesystem_files_free
|
|
||||||
) / node_filesystem_files * 100 >= 90
|
|
||||||
for: 5m
|
|
||||||
annotations:
|
|
||||||
title: '`{{ $labels.instance }}:{{ $labels.mountpoint }}` is out of Inodes'
|
|
||||||
description: >-
|
|
||||||
Partition {{ $labels.mountpoint }} ({{ $labels.device }}) of {{ $labels.instance }}
|
|
||||||
uses {{ $value | printf "%.1f" }}% of its Inodes.
|
|
||||||
labels:
|
|
||||||
value: "{{ $value }}"
|
|
||||||
severity: warning
|
|
||||||
|
|
||||||
- alert: Swapping
|
|
||||||
expr: >-
|
|
||||||
(
|
|
||||||
node_memory_SwapTotal_bytes
|
|
||||||
- node_memory_SwapFree_bytes
|
|
||||||
) / node_memory_SwapTotal_bytes * 100 >= 50
|
|
||||||
for: 5m
|
|
||||||
annotations:
|
|
||||||
title: '{{ $labels.instance }} is using a lot of swap'
|
|
||||||
description: >-
|
|
||||||
{{ $labels.instance }} uses {{ $value | printf "%.1f" }}% of its memory capacity.
|
|
||||||
labels:
|
|
||||||
value: "{{ $value }}"
|
|
||||||
severity: warning
|
|
||||||
|
|
||||||
- alert: PhysicalComponentTooHot
|
|
||||||
expr: node_hwmon_temp_celsius > 79
|
|
||||||
for: 5m
|
|
||||||
annotations:
|
|
||||||
title: '{{ $labels.instance }} is heating up'
|
|
||||||
description: >-
|
|
||||||
The internal temperature of {{ $labels.instance }} is {{ $value }}°C!
|
|
||||||
labels:
|
|
||||||
value: "{{ $value }}"
|
|
||||||
severity: critical
|
|
||||||
|
|
||||||
- alert: PhysicalComponentHeatAlarm
|
|
||||||
expr: node_hwmon_temp_crit_alarm_celsius == 1
|
|
||||||
for: 0m
|
|
||||||
annotations:
|
|
||||||
title: 'The temperature alarm of {{ $labels.instance }} is up'
|
|
||||||
description: >-
|
|
||||||
Do something!
|
|
||||||
labels:
|
|
||||||
value: "{{ $value }}"
|
|
||||||
severity: critical
|
|
||||||
|
|
||||||
- alert: OOMKill
|
|
||||||
expr: increase(node_vmstat_oom_kill[1m]) > 0
|
|
||||||
for: 0m
|
|
||||||
annotations:
|
|
||||||
title: 'The kernel is killing processes'
|
|
||||||
description: >-
|
|
||||||
The kernel killed {{ $value }} proccesses (OOM killer)
|
|
||||||
labels:
|
|
||||||
value: "{{ $value }}"
|
|
||||||
severity: warning
|
|
||||||
|
|
||||||
- alert: CorrectableErrorDetected
|
|
||||||
expr: increase(node_edac_correctable_errors_total[1m]) > 0
|
|
||||||
for: 0m
|
|
||||||
annotations:
|
|
||||||
title: 'Memory errors have been corrected'
|
|
||||||
description: >-
|
|
||||||
{{ $value | printf "%.1f" }} error(s) have been corrected (EDAC)
|
|
||||||
labels:
|
|
||||||
value: "{{ $value }}"
|
|
||||||
severity: warning
|
|
||||||
|
|
||||||
- alert: UncorrectableErrorDetected
|
|
||||||
expr: increase(node_edac_uncorrectable_errors_total[1m]) > 0
|
|
||||||
for: 0m
|
|
||||||
annotations:
|
|
||||||
title: 'Memory errors could not be corrected'
|
|
||||||
description: >-
|
|
||||||
{{ $value | printf "%.1f" }} error(s) could not be corrected (EDAC)
|
|
||||||
labels:
|
|
||||||
value: "{{ $value }}"
|
|
||||||
severity: warning
|
|
||||||
|
|
||||||
- alert: UnhealthyDisk
|
|
||||||
expr: >-
|
|
||||||
(
|
|
||||||
smartmon_device_smart_healthy
|
|
||||||
and on (instance, disk)
|
|
||||||
smartmon_device_info{product!="QEMU HARDDISK"}
|
|
||||||
) < 1
|
|
||||||
for: 10m
|
|
||||||
annotations:
|
|
||||||
title: '`{{ $labels.instance }}:{{ $labels.disk }}` is unhealthy'
|
|
||||||
description: >-
|
|
||||||
Smartools detected that `{{ $labels.disk }}` on {{ $labels.instance }} is unhealthy
|
|
||||||
and will probably need to be changed.
|
|
||||||
labels:
|
|
||||||
value: "{{ $value }}"
|
|
||||||
severity: critical
|
|
||||||
|
|
||||||
- alert: ServiceFailed
|
|
||||||
expr: node_systemd_unit_state{state="failed"}==1
|
|
||||||
for: 10m
|
|
||||||
annotations:
|
|
||||||
title: '{{ $labels.name }} failed'
|
|
||||||
description: >-
|
|
||||||
The systemd service {{ $labels.name }} failed on {{ $labels.instance }}
|
|
||||||
labels:
|
|
||||||
value: "{{ $value }}"
|
|
||||||
severity: warning
|
|
||||||
|
|
||||||
- alert: CertExpLess30days
|
|
||||||
expr: (local_x509_expiry_date{job="blackbox internal tls"}-time()) < 2592000
|
|
||||||
annotations:
|
|
||||||
title: '{{ $labels.cname }} will expire soon'
|
|
||||||
description: >-
|
|
||||||
The certificate {{ $labels.cname }} on {{ $labels.instance }} at {{ $labels.file }}
|
|
||||||
will expire in {{ $value | humanizeDuration }}, it's time to renew it.
|
|
||||||
labels:
|
|
||||||
value: "{{ $value }}"
|
|
||||||
severity: 'warning'
|
|
||||||
|
|
||||||
- alert: CertExpLess10days
|
|
||||||
expr: (local_x509_expiry_date{job="blackbox internal tls"}-time()) < 864000
|
|
||||||
annotations:
|
|
||||||
title: '{{ $labels.cname }} expiracy is imminent!'
|
|
||||||
description: >-
|
|
||||||
The certificate {{ $labels.cname }} on {{ $labels.instance }} at {{ $labels.file }}
|
|
||||||
will expire in {{ $value | humanizeDuration }}, RENEW IT!!!
|
|
||||||
labels:
|
|
||||||
value: "{{ $value }}"
|
|
||||||
severity: 'critical'
|
|
||||||
...
|
|
|
@ -1,25 +0,0 @@
|
||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
sanitize() {
|
|
||||||
while read -r data; do
|
|
||||||
set -- $data
|
|
||||||
printf %q "$1" | sed -e 's/\\ / /g'
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
print_metric() {
|
|
||||||
while read -r data; do
|
|
||||||
set -- $data
|
|
||||||
if [ -f "$1" ]; then
|
|
||||||
exp_date=`openssl x509 -enddate --noout -in "$1" | sed -e 's/notAfter=//g'`
|
|
||||||
exp_date_unixtime=`date -d "$exp_date" -u +%s`
|
|
||||||
cname=`openssl x509 -subject --noout -in "$1" | sed -e 's/^.*CN = //' | sed -e 's/,.*$//' | sanitize`
|
|
||||||
filename=`realpath "$1" | sanitize`
|
|
||||||
echo "local_x509_expiry_date{cname=\"$cname\",file=\"$filename\"} $exp_date_unixtime"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
echo '# HELP local_x509_expiry_date The cert expiry date in unixtime'
|
|
||||||
echo '# TYPE local_x509_expiry_date gauge'
|
|
||||||
printf '%s\n' "$@" | print_metric
|
|
|
@ -1,5 +0,0 @@
|
||||||
# The list of certs to monitor
|
|
||||||
ARGS="
|
|
||||||
/etc/letsencrypt/live/**/cert.pem
|
|
||||||
/etc/hackypky/crts/*.crt
|
|
||||||
"
|
|
|
@ -1,8 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=Collect local x509 certificate metrics for prometheus-node-exporter
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=oneshot
|
|
||||||
EnvironmentFile=/etc/default/prometheus-node-exporter-local_x509
|
|
||||||
Environment=TMPDIR=/var/lib/prometheus/node-exporter
|
|
||||||
ExecStart=/bin/bash -c "/usr/share/prometheus-node-exporter-collectors/local_x509.sh $ARGS | sponge /var/lib/prometheus/node-exporter/local_x509.prom"
|
|
|
@ -1,9 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=Run local x509 metrics collection every 15 minutes
|
|
||||||
|
|
||||||
[Timer]
|
|
||||||
OnBootSec=0
|
|
||||||
OnUnitActiveSec=15min
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=timers.target
|
|
|
@ -1,10 +0,0 @@
|
||||||
---
|
|
||||||
- name: Restart prometheus-node-exporter
|
|
||||||
systemd:
|
|
||||||
name: prometheus-node-exporter
|
|
||||||
state: restarted
|
|
||||||
- name: Restart appointed_prometheus_server
|
|
||||||
systemd:
|
|
||||||
name: prometheus
|
|
||||||
state: restarted
|
|
||||||
delegate_to: "{{ appointed_prometheus_server }}"
|
|
|
@ -1,69 +0,0 @@
|
||||||
---
|
|
||||||
- name: Install moreutils # we need the sponge command
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- moreutils
|
|
||||||
state: latest
|
|
||||||
update_cache: true
|
|
||||||
register: apt_result
|
|
||||||
retries: 3
|
|
||||||
until: apt_result is succeeded
|
|
||||||
|
|
||||||
- name: Ensure /usr/share/prometheus-node-exporter exist
|
|
||||||
file:
|
|
||||||
path: /usr/share/prometheus-node-exporter/
|
|
||||||
state: directory
|
|
||||||
group: root
|
|
||||||
owner: root
|
|
||||||
mode: u=rwx,g=rx,o=rx
|
|
||||||
|
|
||||||
# Optionnal, but used with the hacky_pki role
|
|
||||||
- name: Ensure /etc/hackypky/crts/ exist
|
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: directory
|
|
||||||
group: root
|
|
||||||
owner: root
|
|
||||||
mode: u=rwx,g=rx,o=rx
|
|
||||||
loop:
|
|
||||||
- /etc/hackypky
|
|
||||||
- /etc/hackypky/crts
|
|
||||||
|
|
||||||
- name: Add the script
|
|
||||||
copy:
|
|
||||||
src: local_x509.sh
|
|
||||||
dest: /usr/share/prometheus-node-exporter-collectors/local_x509.sh
|
|
||||||
group: root
|
|
||||||
owner: root
|
|
||||||
mode: u=rwx,g=,o=
|
|
||||||
|
|
||||||
- name: Add the env file
|
|
||||||
copy:
|
|
||||||
src: prometheus-node-exporter-local_x509
|
|
||||||
dest: /etc/default/prometheus-node-exporter-local_x509
|
|
||||||
group: root
|
|
||||||
owner: root
|
|
||||||
force: no
|
|
||||||
mode: u=rwx,g=r,o=r
|
|
||||||
|
|
||||||
- name: Add the timer
|
|
||||||
copy:
|
|
||||||
src: prometheus-node-exporter-local_x509.timer
|
|
||||||
dest: /lib/systemd/system/prometheus-node-exporter-local_x509.timer
|
|
||||||
group: root
|
|
||||||
owner: root
|
|
||||||
mode: u=rw,g=r,o=r
|
|
||||||
|
|
||||||
- name: Add the service
|
|
||||||
copy:
|
|
||||||
src: prometheus-node-exporter-local_x509.service
|
|
||||||
dest: /lib/systemd/system/prometheus-node-exporter-local_x509.service
|
|
||||||
group: root
|
|
||||||
owner: root
|
|
||||||
mode: u=rw,g=r,o=r
|
|
||||||
|
|
||||||
- name: Enable the timer
|
|
||||||
systemd:
|
|
||||||
name: prometheus-node-exporter-local_x509.timer
|
|
||||||
enabled: true
|
|
||||||
state: started
|
|
|
@ -1,130 +0,0 @@
|
||||||
---
|
|
||||||
- name: Use a newer version of Node exporter for ubuntu 20.04
|
|
||||||
block:
|
|
||||||
- name: Set the default release
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/apt/apt.conf.d/01-vendor-ubuntu
|
|
||||||
regexp: '^APT::Default-Release '
|
|
||||||
line: "APT::Default-Release \"{{ ansible_facts['lsb']['codename'] }}\";"
|
|
||||||
- name: Pin node exporter
|
|
||||||
copy:
|
|
||||||
dest: /etc/apt/preferences.d/pin-prometheus-node-exporter
|
|
||||||
content: |
|
|
||||||
Package: prometheus-node-exporter
|
|
||||||
Pin: release n={{ ansible_facts['lsb']['codename'] }}
|
|
||||||
Pin-Priority: -10
|
|
||||||
|
|
||||||
Package: prometheus-node-exporter
|
|
||||||
Pin: release n=groovy
|
|
||||||
Pin-Priority: 900
|
|
||||||
- name: Add the repo from groovy
|
|
||||||
apt_repository:
|
|
||||||
repo: deb http://fr.archive.ubuntu.com/ubuntu groovy universe
|
|
||||||
state: present
|
|
||||||
when: ansible_facts['lsb']['id'] == 'Ubuntu' and ansible_facts['lsb']['codename'] == 'focal'
|
|
||||||
|
|
||||||
- name: Install Prometheus Node exporter
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- prometheus-node-exporter
|
|
||||||
- prometheus-node-exporter-collectors
|
|
||||||
state: latest
|
|
||||||
update_cache: true
|
|
||||||
install_recommends: false # Do not install smartmontools
|
|
||||||
register: apt_result
|
|
||||||
retries: 3
|
|
||||||
until: apt_result is succeeded
|
|
||||||
|
|
||||||
|
|
||||||
- name: Install the local_x509 exporter
|
|
||||||
import_tasks: local_x509_collector.yml
|
|
||||||
|
|
||||||
- name: Ensure /etc/node_exporter exist
|
|
||||||
file:
|
|
||||||
path: /etc/node_exporter
|
|
||||||
state: directory
|
|
||||||
group: prometheus
|
|
||||||
owner: prometheus
|
|
||||||
mode: u=rwx,g=rx,o=rx
|
|
||||||
|
|
||||||
- name: Copy the config folder
|
|
||||||
template:
|
|
||||||
src: config.yaml
|
|
||||||
dest: /etc/node_exporter/config.yaml
|
|
||||||
group: prometheus
|
|
||||||
owner: prometheus
|
|
||||||
mode: u=rw,g=r,o=r
|
|
||||||
notify: Restart prometheus-node-exporter
|
|
||||||
|
|
||||||
- name: Copy the CA cert
|
|
||||||
copy:
|
|
||||||
content: "{{ ca_cert }}"
|
|
||||||
dest: /etc/node_exporter/ca.crt
|
|
||||||
notify: Restart prometheus-node-exporter
|
|
||||||
|
|
||||||
- name: Generate certificate
|
|
||||||
include_role:
|
|
||||||
name: generate-cert
|
|
||||||
vars:
|
|
||||||
directory: /etc/node_exporter/
|
|
||||||
cname: "node-exp-{{ lan_address }}"
|
|
||||||
owner: prometheus
|
|
||||||
group: prometheus
|
|
||||||
key_mode: u=rw,g=,o=
|
|
||||||
subject_alt_name: "IP:{{ lan_address }}"
|
|
||||||
# Need an equivalent to notify here
|
|
||||||
|
|
||||||
- name: Ensured the certificate is monitored
|
|
||||||
import_tasks: register-cert-to-monitoring.yml
|
|
||||||
vars:
|
|
||||||
target: "{{ lan_address }}:9100|node-exp-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
|
|
||||||
|
|
||||||
- name: Setup the arguments for node-exporter
|
|
||||||
template:
|
|
||||||
src: prometheus-node-exporter
|
|
||||||
dest: /etc/default/prometheus-node-exporter
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: u=rw,g=r,o=r
|
|
||||||
notify: Restart prometheus-node-exporter
|
|
||||||
vars:
|
|
||||||
args:
|
|
||||||
- name: web.listen-address
|
|
||||||
value: "{{ lan_address }}:9100"
|
|
||||||
- name: web.config
|
|
||||||
value: /etc/node_exporter/config.yaml
|
|
||||||
|
|
||||||
- name: Add the node to the server targets
|
|
||||||
block:
|
|
||||||
- name: Get the list of targets of the server
|
|
||||||
slurp:
|
|
||||||
src: /etc/prometheus/targets/node-targets.json
|
|
||||||
register: server_node_target_file
|
|
||||||
delegate_to: "{{ appointed_prometheus_server }}"
|
|
||||||
|
|
||||||
- name: Set target variable
|
|
||||||
set_fact:
|
|
||||||
server_node_target: "{{ server_node_target_file['content'] | b64decode | from_json }}"
|
|
||||||
|
|
||||||
- name: Register the node to the prometheus server
|
|
||||||
block:
|
|
||||||
- name: Add the node to the targets
|
|
||||||
set_fact:
|
|
||||||
new_server_node_target: "[{{ server_node_target[0] | combine({'targets': [lan_address + '|' + ansible_facts['nodename']]}, list_merge='append_rp') }}]"
|
|
||||||
|
|
||||||
- name: Put the new target list
|
|
||||||
copy:
|
|
||||||
content: "{{ new_server_node_target | to_nice_json }}"
|
|
||||||
dest: /etc/prometheus/node-targets.json
|
|
||||||
delegate_to: "{{ appointed_prometheus_server }}"
|
|
||||||
when: (lan_address + '|' + ansible_facts['nodename']) not in server_node_target.0.targets
|
|
||||||
|
|
||||||
- name: Add alert rules for node on the prometheus server
|
|
||||||
copy:
|
|
||||||
src: alerts-node.yml
|
|
||||||
dest: /etc/prometheus/alerts/node.yml
|
|
||||||
owner: prometheus
|
|
||||||
group: prometheus
|
|
||||||
mode: u=rw,g=r,o=r
|
|
||||||
delegate_to: "{{ appointed_prometheus_server }}"
|
|
||||||
notify: Restart appointed_prometheus_server
|
|
|
@ -1,23 +0,0 @@
|
||||||
---
|
|
||||||
- name: Get the list of targets of the server
|
|
||||||
slurp:
|
|
||||||
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
|
|
||||||
register: server_tls_targets_file
|
|
||||||
delegate_to: "{{ appointed_prometheus_server }}"
|
|
||||||
|
|
||||||
- name: Set target variable from file
|
|
||||||
set_fact:
|
|
||||||
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
|
|
||||||
|
|
||||||
- name: Register the endpoint to the prometheus server
|
|
||||||
block:
|
|
||||||
- name: Add the target
|
|
||||||
set_fact:
|
|
||||||
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
|
|
||||||
|
|
||||||
- name: Put the new target list
|
|
||||||
copy:
|
|
||||||
content: "{{ new_server_tls_targets | to_nice_json }}"
|
|
||||||
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
|
|
||||||
delegate_to: "{{ appointed_prometheus_server }}"
|
|
||||||
when: target not in server_tls_targets.0.targets
|
|
|
@ -1,7 +0,0 @@
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
|
|
||||||
tls_server_config:
|
|
||||||
cert_file: "/etc/node_exporter/node-exp-{{ lan_address }}.crt"
|
|
||||||
key_file: "/etc/node_exporter/node-exp-{{ lan_address }}.key"
|
|
||||||
client_auth_type: "RequireAndVerifyClientCert"
|
|
||||||
client_ca_file: "/etc/node_exporter/ca.crt"
|
|
|
@ -1,138 +0,0 @@
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
|
|
||||||
# Set the command-line arguments to pass to the server.
|
|
||||||
# Due to shell scaping, to pass backslashes for regexes, you need to double
|
|
||||||
# them (\\d for \d). If running under systemd, you need to double them again
|
|
||||||
# (\\\\d to mean \d), and escape newlines too.
|
|
||||||
{% if not args %}
|
|
||||||
ARGS=""
|
|
||||||
{% else %}
|
|
||||||
ARGS="\
|
|
||||||
{% for arg in args %}
|
|
||||||
--{{ arg.name }}={{ arg.value }} \
|
|
||||||
{% endfor %}
|
|
||||||
"
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
# Prometheus-node-exporter supports the following options:
|
|
||||||
#
|
|
||||||
# --collector.diskstats.ignored-devices="^(ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\\d+n\\d+p)\\d+$"
|
|
||||||
# Regexp of devices to ignore for diskstats.
|
|
||||||
# --collector.filesystem.ignored-mount-points="^/(dev|proc|run|sys|mnt|media|var/lib/docker)($|/)"
|
|
||||||
# Regexp of mount points to ignore for filesystem
|
|
||||||
# collector.
|
|
||||||
# --collector.filesystem.ignored-fs-types="^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$"
|
|
||||||
# Regexp of filesystem types to ignore for
|
|
||||||
# filesystem collector.
|
|
||||||
# --collector.netdev.ignored-devices="^lo$"
|
|
||||||
# Regexp of net devices to ignore for netdev
|
|
||||||
# collector.
|
|
||||||
# --collector.netstat.fields="^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*)|Tcp_(ActiveOpens|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts))$"
|
|
||||||
# Regexp of fields to return for netstat
|
|
||||||
# collector.
|
|
||||||
# --collector.ntp.server="127.0.0.1"
|
|
||||||
# NTP server to use for ntp collector
|
|
||||||
# --collector.ntp.protocol-version=4
|
|
||||||
# NTP protocol version
|
|
||||||
# --collector.ntp.server-is-local
|
|
||||||
# Certify that collector.ntp.server address is the
|
|
||||||
# same local host as this collector.
|
|
||||||
# --collector.ntp.ip-ttl=1 IP TTL to use while sending NTP query
|
|
||||||
# --collector.ntp.max-distance=3.46608s
|
|
||||||
# Max accumulated distance to the root
|
|
||||||
# --collector.ntp.local-offset-tolerance=1ms
|
|
||||||
# Offset between local clock and local ntpd time
|
|
||||||
# to tolerate
|
|
||||||
# --path.procfs="/proc" procfs mountpoint.
|
|
||||||
# --path.sysfs="/sys" sysfs mountpoint.
|
|
||||||
# --collector.qdisc.fixtures=""
|
|
||||||
# test fixtures to use for qdisc collector
|
|
||||||
# end-to-end testing
|
|
||||||
# --collector.runit.servicedir="/etc/service"
|
|
||||||
# Path to runit service directory.
|
|
||||||
# --collector.supervisord.url="http://localhost:9001/RPC2"
|
|
||||||
# XML RPC endpoint.
|
|
||||||
# --collector.systemd.unit-whitelist=".+"
|
|
||||||
# Regexp of systemd units to whitelist. Units must
|
|
||||||
# both match whitelist and not match blacklist to
|
|
||||||
# be included.
|
|
||||||
# --collector.systemd.unit-blacklist=".+(\\.device|\\.scope|\\.slice|\\.target)"
|
|
||||||
# Regexp of systemd units to blacklist. Units must
|
|
||||||
# both match whitelist and not match blacklist to
|
|
||||||
# be included.
|
|
||||||
# --collector.systemd.private
|
|
||||||
# Establish a private, direct connection to
|
|
||||||
# systemd without dbus.
|
|
||||||
# --collector.textfile.directory="/var/lib/prometheus/node-exporter"
|
|
||||||
# Directory to read text files with metrics from.
|
|
||||||
# --collector.vmstat.fields="^(oom_kill|pgpg|pswp|pg.*fault).*"
|
|
||||||
# Regexp of fields to return for vmstat collector.
|
|
||||||
# --collector.wifi.fixtures=""
|
|
||||||
# test fixtures to use for wifi collector metrics
|
|
||||||
# --collector.arp Enable the arp collector (default: enabled).
|
|
||||||
# --collector.bcache Enable the bcache collector (default: enabled).
|
|
||||||
# --collector.bonding Enable the bonding collector (default: enabled).
|
|
||||||
# --collector.buddyinfo Enable the buddyinfo collector (default:
|
|
||||||
# disabled).
|
|
||||||
# --collector.conntrack Enable the conntrack collector (default:
|
|
||||||
# enabled).
|
|
||||||
# --collector.cpu Enable the cpu collector (default: enabled).
|
|
||||||
# --collector.diskstats Enable the diskstats collector (default:
|
|
||||||
# enabled).
|
|
||||||
# --collector.drbd Enable the drbd collector (default: disabled).
|
|
||||||
# --collector.edac Enable the edac collector (default: enabled).
|
|
||||||
# --collector.entropy Enable the entropy collector (default: enabled).
|
|
||||||
# --collector.filefd Enable the filefd collector (default: enabled).
|
|
||||||
# --collector.filesystem Enable the filesystem collector (default:
|
|
||||||
# enabled).
|
|
||||||
# --collector.hwmon Enable the hwmon collector (default: enabled).
|
|
||||||
# --collector.infiniband Enable the infiniband collector (default:
|
|
||||||
# enabled).
|
|
||||||
# --collector.interrupts Enable the interrupts collector (default:
|
|
||||||
# disabled).
|
|
||||||
# --collector.ipvs Enable the ipvs collector (default: enabled).
|
|
||||||
# --collector.ksmd Enable the ksmd collector (default: disabled).
|
|
||||||
# --collector.loadavg Enable the loadavg collector (default: enabled).
|
|
||||||
# --collector.logind Enable the logind collector (default: disabled).
|
|
||||||
# --collector.mdadm Enable the mdadm collector (default: enabled).
|
|
||||||
# --collector.meminfo Enable the meminfo collector (default: enabled).
|
|
||||||
# --collector.meminfo_numa Enable the meminfo_numa collector (default:
|
|
||||||
# disabled).
|
|
||||||
# --collector.mountstats Enable the mountstats collector (default:
|
|
||||||
# disabled).
|
|
||||||
# --collector.netdev Enable the netdev collector (default: enabled).
|
|
||||||
# --collector.netstat Enable the netstat collector (default: enabled).
|
|
||||||
# --collector.nfs Enable the nfs collector (default: enabled).
|
|
||||||
# --collector.nfsd Enable the nfsd collector (default: enabled).
|
|
||||||
# --collector.ntp Enable the ntp collector (default: disabled).
|
|
||||||
# --collector.qdisc Enable the qdisc collector (default: disabled).
|
|
||||||
# --collector.runit Enable the runit collector (default: disabled).
|
|
||||||
# --collector.sockstat Enable the sockstat collector (default:
|
|
||||||
# enabled).
|
|
||||||
# --collector.stat Enable the stat collector (default: enabled).
|
|
||||||
# --collector.supervisord Enable the supervisord collector (default:
|
|
||||||
# disabled).
|
|
||||||
# --collector.systemd Enable the systemd collector (default: enabled).
|
|
||||||
# --collector.tcpstat Enable the tcpstat collector (default:
|
|
||||||
# disabled).
|
|
||||||
# --collector.textfile Enable the textfile collector (default:
|
|
||||||
# enabled).
|
|
||||||
# --collector.time Enable the time collector (default: enabled).
|
|
||||||
# --collector.uname Enable the uname collector (default: enabled).
|
|
||||||
# --collector.vmstat Enable the vmstat collector (default: enabled).
|
|
||||||
# --collector.wifi Enable the wifi collector (default: enabled).
|
|
||||||
# --collector.xfs Enable the xfs collector (default: enabled).
|
|
||||||
# --collector.zfs Enable the zfs collector (default: enabled).
|
|
||||||
# --collector.timex Enable the timex collector (default: enabled).
|
|
||||||
# --web.listen-address=":9100"
|
|
||||||
# Address on which to expose metrics and web
|
|
||||||
# interface.
|
|
||||||
# --web.telemetry-path="/metrics"
|
|
||||||
# Path under which to expose metrics.
|
|
||||||
# --log.level="info" Only log messages with the given severity or
|
|
||||||
# above. Valid levels: [debug, info, warn, error,
|
|
||||||
# fatal]
|
|
||||||
# --log.format="logger:stderr"
|
|
||||||
# Set the log target and format. Example:
|
|
||||||
# "logger:syslog?appname=bob&local=7" or
|
|
||||||
# "logger:stdout?json=true"
|
|
|
@ -1,5 +0,0 @@
|
||||||
---
|
|
||||||
- name: Restart prometheus
|
|
||||||
systemd:
|
|
||||||
name: prometheus
|
|
||||||
state: restarted
|
|
|
@ -1,2 +0,0 @@
|
||||||
dependencies:
|
|
||||||
- role: install_nginx
|
|
|
@ -1,117 +0,0 @@
|
||||||
---
|
|
||||||
- name: Install Prometheus Components
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- prometheus
|
|
||||||
- prometheus-pushgateway
|
|
||||||
state: latest
|
|
||||||
update_cache: true
|
|
||||||
register: apt_result
|
|
||||||
retries: 3
|
|
||||||
until: apt_result is succeeded
|
|
||||||
|
|
||||||
- name: Ensure the alert folder exist
|
|
||||||
file:
|
|
||||||
path: /etc/prometheus/alerts
|
|
||||||
state: directory
|
|
||||||
group: prometheus
|
|
||||||
owner: prometheus
|
|
||||||
mode: u=rwx,g=rx,o=rx
|
|
||||||
|
|
||||||
- name: Ensure the target folder exist
|
|
||||||
file:
|
|
||||||
path: /etc/prometheus/targets
|
|
||||||
state: directory
|
|
||||||
group: prometheus
|
|
||||||
owner: prometheus
|
|
||||||
mode: u=rwx,g=rx,o=rx
|
|
||||||
|
|
||||||
- name: Copy the CA cert
|
|
||||||
copy:
|
|
||||||
content: "{{ ca_cert }}"
|
|
||||||
dest: /etc/prometheus/ca.crt
|
|
||||||
notify:
|
|
||||||
- Restart prometheus
|
|
||||||
- Reload nginx
|
|
||||||
|
|
||||||
- name: Generate certificate
|
|
||||||
include_role:
|
|
||||||
name: generate-cert
|
|
||||||
vars:
|
|
||||||
directory: /etc/prometheus/
|
|
||||||
cname: "prometheus-{{ lan_address }}"
|
|
||||||
owner: prometheus
|
|
||||||
group: prometheus
|
|
||||||
key_mode: u=rw,g=,o=
|
|
||||||
subject_alt_name: "IP:{{ lan_address }}"
|
|
||||||
# Need an equivalent to notify here
|
|
||||||
|
|
||||||
- name: Ensured the certificate is monitored
|
|
||||||
import_tasks: register-cert-to-monitoring.yml
|
|
||||||
vars:
|
|
||||||
target: "{{ lan_address }}:9090|prometheus-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
|
|
||||||
|
|
||||||
- name: Setup the prometheus config
|
|
||||||
template:
|
|
||||||
src: prometheus.yml
|
|
||||||
dest: /etc/prometheus/prometheus.yml
|
|
||||||
owner: prometheus
|
|
||||||
group: prometheus
|
|
||||||
mode: '0640'
|
|
||||||
notify: Restart prometheus
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Add node targets file
|
|
||||||
template:
|
|
||||||
src: node-targets.json
|
|
||||||
dest: "/etc/prometheus/targets/{{ item }}-targets.json"
|
|
||||||
owner: prometheus
|
|
||||||
group: prometheus
|
|
||||||
mode: '0640'
|
|
||||||
force: no
|
|
||||||
notify: Restart prometheus
|
|
||||||
loop:
|
|
||||||
- blackbox-http-down
|
|
||||||
- blackbox-http-up
|
|
||||||
- blackbox-tls-internal
|
|
||||||
- node
|
|
||||||
|
|
||||||
- name: Copy the web-config folder
|
|
||||||
template:
|
|
||||||
src: web-config.yaml
|
|
||||||
dest: /etc/prometheus/web-config.yaml
|
|
||||||
group: prometheus
|
|
||||||
owner: prometheus
|
|
||||||
mode: u=rw,g=r,o=r
|
|
||||||
notify: Restart prometheus
|
|
||||||
|
|
||||||
- name: Setup the arguments for prometheus
|
|
||||||
template:
|
|
||||||
src: prometheus
|
|
||||||
dest: /etc/default/prometheus
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '0644'
|
|
||||||
notify: Restart prometheus
|
|
||||||
vars:
|
|
||||||
args:
|
|
||||||
- name: web.listen-address
|
|
||||||
value: "127.0.0.1:9090"
|
|
||||||
# value: "{{ lan_address }}:9090"
|
|
||||||
# - name: web.config.file # Not available before 2.24, and it sucks
|
|
||||||
# value: /etc/prometheus/web-config.yaml
|
|
||||||
|
|
||||||
# Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
|
|
||||||
# Think prometheus, think!
|
|
||||||
- name: Copy the nginx config
|
|
||||||
template:
|
|
||||||
src: atrocious_nginx_stub
|
|
||||||
dest: "/etc/nginx/sites-available/internal-prometheus"
|
|
||||||
notify: Reload nginx
|
|
||||||
|
|
||||||
- name: Activate the config
|
|
||||||
file:
|
|
||||||
src: "/etc/nginx/sites-available/internal-prometheus"
|
|
||||||
dest: "/etc/nginx/sites-enabled/internal-prometheus"
|
|
||||||
state: link
|
|
||||||
force: yes
|
|
|
@ -1,23 +0,0 @@
|
||||||
---
|
|
||||||
- name: Get the list of targets of the server
|
|
||||||
slurp:
|
|
||||||
src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
|
|
||||||
register: server_tls_targets_file
|
|
||||||
delegate_to: "{{ appointed_prometheus_server }}"
|
|
||||||
|
|
||||||
- name: Set target variable from file
|
|
||||||
set_fact:
|
|
||||||
server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
|
|
||||||
|
|
||||||
- name: Register the endpoint to the prometheus server
|
|
||||||
block:
|
|
||||||
- name: Add the target
|
|
||||||
set_fact:
|
|
||||||
new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
|
|
||||||
|
|
||||||
- name: Put the new target list
|
|
||||||
copy:
|
|
||||||
content: "{{ new_server_tls_targets | to_nice_json }}"
|
|
||||||
dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
|
|
||||||
delegate_to: "{{ appointed_prometheus_server }}"
|
|
||||||
when: target not in server_tls_targets.0.targets
|
|
|
@ -1,13 +0,0 @@
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen {{ lan_address }}:9090 ssl;
|
|
||||||
ssl_certificate /etc/prometheus/prometheus-{{ lan_address }}.crt;
|
|
||||||
ssl_certificate_key /etc/prometheus/prometheus-{{ lan_address }}.key;
|
|
||||||
ssl_client_certificate /etc/prometheus/ca.crt;
|
|
||||||
ssl_verify_client on;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.1:9090;
|
|
||||||
}
|
|
||||||
}
|
|