Merge branch 'master' into quagga

.ansible-lint

@@ -1,7 +1,10 @@
 skip_list:
-  - '301'
+  - no-changed-when
+  - load-failure
+  - document-start
 
 warn_list:
-  - '305'  # Use shell only when shell functionality is required
-  - '503'  # Tasks that run when changed should likely be handlers
   - experimental  # all rules tagged as experimental
+
+exclude_paths:
+- group_vars/all/vault.yml

.drone.yml

@@ -4,16 +4,9 @@ type: docker
 name: check
 
 steps:
-  - name: yamllint
-    image: python:3.9-alpine
+  - name: ansible and yaml linting
+    pull: never
+    image: aurore-ansible-lint-image
     commands:
-      - pip install yamllint==1.25.0
-      - yamllint -c .yamllint.yml .
-
-  - name: ansible-lint
-    image: python:3.9-alpine
-    commands:
-      - apk add --no-cache gcc libc-dev libffi-dev openssl-dev
-      - pip install ansible-lint==4.3.7
-      - ansible-lint *.yml
+      - ansible-lint
 ...

.gitlab-ci.yml

@@ -1,19 +0,0 @@
----
-image: python:3.9-alpine
-
-stages:
-  - lint
-
-yamllint:
-  stage: lint
-  script:
-    - pip install yamllint==1.25.0
-    - yamllint -c .yamllint.yml .
-
-ansible-lint:
-  stage: lint
-  script:
-    - apk add gcc libc-dev libffi-dev openssl-dev
-    - pip install ansible-lint==4.3.7
-    - ansible-lint *.yml
-...

.yamllint.yml

@@ -6,6 +6,5 @@ rules:
     max: 120
     level: warning
   document-start:
-    ignore: |
-      /groups_var/all/vault.yml
+    ignore: group_vars/all/vault.yml
 ...

README.md

@@ -1,3 +1,5 @@
+[![Linter Status](https://drone.auro.re/api/badges/Aurore/ansible/status.svg)](https://drone.auro.re/Aurore/ansible)
+
 # Recettes Ansible d'Aurore
 
 Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore.

deploy_postfix_non_mailhost.yml

@@ -0,0 +1,8 @@
+---
+# Deploy a correclty configured postfix on non mailhost servers
+- hosts: all,!unifi
+  vars:
+    local_network: 10.128.0.0/16
+    relay_host: proxy.adm.auro.re
+  roles:
+    - postfix_non_mailhost

docker-ansible-lint/Dockerfile

@@ -0,0 +1,7 @@
+FROM python:3.9-alpine
+LABEL description="Aurore's docker image for ansible-lint"
+
+RUN apk add --no-cache gcc musl-dev python3-dev libffi-dev openssl-dev cargo
+RUN pip install "yamllint>=1.26.0,<2.0"
+RUN pip install "ansible-lint==5.0.0"
+RUN pip install "ansible>=2.10,<2.11"

docker-ansible-lint/README.md

@@ -0,0 +1,18 @@
+# Ansible-lint image
+
+In order to build this image when a new version comes out, you need to
+1. ssh into the `drone.adm.auro.re` server
+2. git pull this repo to the lastest version
+3. optionally make the changes if it has not been done yet
+4. `sudo docker build -t aurore-ansible-lint-image docker-ansible-lint/`
+5. ???
+6. enjoy
+
+You can verify that the image was correclty built by running
+```
+# list the images present
+sudo docker image ls
+
+# run your image with an interactive shell
+sudo docker run -it --rm aurore-ansible-lint-image /bin/sh
+```

group_vars/all/vault.yml

@@ -1,174 +1,179 @@
 $ANSIBLE_VAULT;1.1;AES256
-34336231623938346631313932323131336439623837626366646338396137633436646365386639
-6332383765386235396331373836366230663563376665380a616436373136633933376435653230
-64333963663436393265666434653164643164616134353665306462326666623530383838343135
-3531343533656332350a343432336636316131386132306238653736633966363235623833343638
-38643061383963396466346536343061653034333037393664356661376565643765306462626231
-39326233363962373839303464333833306532343834306232653731326135653934643836323639
-36343937626536346331613263663865346634666534646266623061303639626636393230616261
-32336366356439353738633234326138656464656630303362623664616634306230623538373965
-32346439306337623737616666353830626630373562366436653131393532313035303836326430
-64613235646366616533313065396663366434363832333535336631323366336437396664303834
-30336466313064636565326564356435306136396363373464326534303366323262303732626661
-38326663313332633530353739346538343434316133343066313530366637376135323564306537
-65626261303231656432333364333965663065346436626631666466643934623064333163626339
-32633565303734303862326365336339346133393431636266303530626564326361653230626536
-32313231373037633134623761663832393666353732613965613436323939343233613433343538
-37326438383130303861316663396333376662386337353964633930353536653437653061356635
-35646232343535313130646237643835376162623639333961323964353830653366626438346237
-36343663346332656537363434396633336161373730663364306239306432343930643230656465
-37633537616232656661313764626232303535383563353861396431643735326162383866626231
-61383165613332666537656137636430323332326335323763303537386662646263353539613964
-37323966306364306436653033393931663239383435613836356164633135306233356364313036
-39356661613434633930633066646437636535313565356366303732613731333062643231313035
-65333461396131663764626665393562623030343561313136363964393664376136303839333664
-65313465623331333538393734373264313562643232666130303930333662616465656432363039
-66616530336666343861336434633063343561323931323931346132376263376565313366306639
-64646465303432333136353661323936633965666364356633653861363139616562653834313861
-63306133613066373462383236613939316130623937643939323134343936356638376335323836
-39383334656236633037633230313138326238303863623231353465346661663162623138353461
-33343738613137366364633730346261366564646161373837613865393233663431636361663962
-38313230363737306265636435353533666262333666383639343364633464396566333433333538
-39643934646537653234336361613664333434623739353831316531313666396638333136343638
-33653034366362363562633462303165626333306664326366353334363964663936616430643662
-30616334326638323133366632663237356238353934323361376237613632396134663536336364
-39363439326335363437373939353564646663616464663763353931323233316135656634343137
-34396130386134386331643534353461663963323435656337653032376565313635623231343135
-34303130316239303065386134663332393938636332363665643832326439653733633231346537
-63383634333034323434376237663932613638363835393837613632663265616363303233653539
-61333765313463616665613136303533343230303735626437343635303934613365326166333966
-66613538393466666630363333643730653239393435616634303430396635383631613439623433
-36646431393865666162373232343335356366366633633264326639643434396234313863333163
-63396534623931633833656565396635333133376165613031663831633564663061656131303564
-61303132666264636139313738643161313134643733633366376538366135663135333333333564
-64366262353837363061653663616265393264373230346330636465336439623063636639356136
-65383638643961326661396336373163643832366561363764626461623662333436373136616437
-30316537653432356133616338353165633462643634323563306366343965326635363863316232
-61633135643861333635383464383937306236626632366235363433313335663431366531356337
-37303465323638383930336138356665343966336137356137656564303733373565366162343330
-38326366653733376138356339313564616165626235356363343430353239616339656239323964
-31643734653263653461333135386261646265323134633334376262323330396634643764323635
-30336262323035613338333166353364333836623865393132613338393237363734616330366463
-64646163303337323531636532383438356237306337656439663565643032633462316366663164
-33613039326337353531303831313136653539353261373930613030383134653261363833653439
-31343662623035393238646263633066653362323434306137633339393330376462356139333362
-35363436356530363134663064653031376561343732346262383333353733363136396262643135
-31326566303535343833326562376464643632363434323839366366626134303830323563633237
-37313964353033316163303738636632346137353437333463303135323631383132623133663130
-32373163393861366137303138363134653534613236636439623731393837306130626638343134
-39313532386338343662333134353761653162663665396664366239633536613132313735373334
-37613161383633653861376433633632333163653439633938386137313632396137616337373465
-65383238396439666537313833663364333731613434333739393161363437306665363834653761
-34303464386633633163353636643964393233383232623765373239376633393139326630653765
-62646439646534376234323661383063656463313437323231333165626163626262626562376338
-62646362346261313738323830613037663035666361386139666432613230346334323063326239
-65303065343061613736343663363630336333623439383032313137616131623933323636306331
-34636130626338303039356137353532346562363531623936316162336663306437386532363236
-36333661316161613237343032623764396435346632363963643438316430666539393566353939
-33333234313839636537366465356364303438313830663261373563346538626432313139303030
-33333066626463663663643833323764643737386162663766356665643064313263376434353038
-37643630643737663566653562353261333734636262626437393239383063613661643166626630
-31313564346239396561326162333534376264616435313762623032636432363832383630343964
-30343663643935633465393465626131633931623930653962303830333065363435383237653566
-65646632376330306437663334313932653230653562356338663366616463303466366263366137
-64633934626339633235386630396561376130373763313137386531356637633863393035306634
-65353432323235363135633832373032623837376333346131303162303464616234313062316563
-64646634633963663032613533636665333335656539323238623362306363313835626632306236
-30663637356463363530316434316639326639633539333335633330333834643035353932313638
-64356565653065666131373538356462306633343161376537323762313666373235353236313963
-65613561633266306632616538616461626532666435663038646138386430376164663766363138
-35316262393065653739323035666531333330326235386133383834383865356635666537333533
-31376138353231313262646334386566376264323066373934666363313431643738383064666437
-36656437313039656666373530346534393735353163646635663839326366643333393665626464
-36616637303631653661373433653865323634363065303433386534363064356564636465366265
-31333064383233636538393032376234663663353162343530376631356533653231303730396465
-33366162376464633633313664303939306330613865663431653037303061633130626635653638
-66626264363333376463386666313663333964333137333231303361616533393236373861656534
-32326335306566623332396638383133353434363565316432353963353062313662326361336537
-34396632656234333263663831326566353434316234613365316132363730643665373761666562
-31393565653663653731633333633730326265376135666162656132623238333765333363653130
-61353632313532616266363139336162336565356365316531336364623930636430353831623233
-61616131313438306633333066613764313161333934316139633738623164623564646365663566
-66356464376133363137313036623930373362306166623838373131313330393837396261656561
-66396233313530643164353264656563383632363139333262626532376562613630643437666266
-66656335656634613138316138643666623430363833663035616138336461303035633731636262
-36393939333765346239666433323032323361343934656463396365333366623337316663396263
-36616431626633663963636135643833666234613830366434636532373031343263316436306162
-39356365376561643665323866656465313434623138326238353662653735613565623264333336
-61393763363862613766653064636130323732663466366133666361636339356464313037353462
-63633936653235656538383433393065393162643034393538666433616131343462346235393164
-39353663373338626665663563663162633430343330373430376336326432346233663365376533
-32656465343538643137326366653232343530363834383831386634366262303333636261353863
-32633437343432653936643766363338636535613532323362656435613363393238626466303861
-38633861333638613466306338613932353964393365356637306261626535323732316362623731
-33313963623439613939333639346461663338373334396165636231666266613065323731373964
-64313133383435333935376531313432663766633133633863356563663535333263636237386136
-61653963633166383135333436646465383536373039383538326366636634313061613730653962
-37623962643866396637336231363038373465393637356463656566666661313130313863383233
-37343636346535363832626365396262303862393535336565393635663637323730373564336634
-37363036323733306535336366373630356531353737303165376530656433626634343365626239
-64346136363030663862313431653761666432393933366665346361626361623039326434633835
-32666538653037613361343536383634643762356234366433663639653461303933306434333864
-37386436393465323139306161333738383265323436376536656264356230303163326134323864
-63396331666431666464656161633466333764653631623131646566303366333030653834333335
-31323365353239366232643863386365633861376235643034303563613363663661616564363663
-63326562613365653539383336383339646164623864323830653434623365393432666466323134
-33626330373361393734656632393232363866613863373135636537613934343065306265623964
-34643765636165393336356630353663343065333431656164363638646233663762346536343362
-65653364343537383336373933313464663464653465383830363631316336303464313731356230
-34336130323766386465373162346535396565346630353734303937396130656132376331326563
-36386339383338346533646331666262396432336434646333653664326635386238333763626637
-31363464306465666339316436323265623437636533643431363161323139653065323534636533
-64386334353439373133313937343234373963353331646233346432646430636530663336316134
-66303337313034396232643531643262343036313762633165353665653938313665386363353865
-66333166303636626565613136653365313763303263313239333033353638616566656134396131
-38356434343931303134303362313363343634613361353538636634336332373132356165326163
-30386130326239366532363962316435663862393836326439623862366166376234343439306465
-36346639623939353232366333643963646336383833386565643435393734653936313638663930
-32323065343737663564333961373034393261613862333431663562353964666561643831316432
-35313832356639333937333266306166656538643065386639346337306134613536356137316331
-38376434666332366531393639303561663934353130333161636530383932653236313530616531
-61656664626663373164343863333039356362343034326131376666623264663732303734366363
-30306430353732616131346637626332656434393163313661356465393263393235396662623962
-62643538623331646265643561623366383937313136383939366164613235666234663137653432
-34316138643139336331356663333632656539653632626136613431393736613630353237356164
-33623632643335663163656236633134343464353837346237316162346634633336663564656531
-39373730346130363963376463326238366235613539613466653139306237343164336462353236
-39323361636333353661633863663162633563343937366461346338363061623730633537626562
-30353938383664333861366431343033313961376436363065373430353736343563313531386663
-37313534303564333237616331396437376436383833373936376664666366373235613533663239
-64653863613531356666646233393533646131333961343730663461346235633961306263343831
-64386332653330323937643266373437633465363933653833343930616134626566363339366362
-36356163333730656233653431326430326566386264343330666131393166323537623137396237
-65386234653231666631366533383762643830333261363532666138386263643662633932626335
-66303363613035643931393933303035323566373634663037313338616132373162366334373962
-33666463613435396331326565353433336361303562326562663035313639333232333430373266
-65383235356132353838636565636436356361653831356430663935613766613237366564316566
-37396130393363386566306162346466326165353863636633306335383265306139396339383866
-34326335323962633032386162623033353036643437313832323166363764653339343638343964
-66626662326234306362656162336538353131366337643761643930306163333661653062663832
-61303963623433313565633235306132366663336662616232613339366363373934613631623431
-34323736383366333032343364373533363761323338346163323836653235653136646162306166
-65333734623663346233343961396566313838653036396430396134393839326535363237363638
-38333232333863396334366561303136333863356666656335633630616531363766343535616533
-35656166303837653365303436623431613931336331356531666665346562613263363666626238
-62626236323863383366643162356462306163653032626130333863656337623136646439316337
-33306432663134383038646133346131333732633932383239643733643138303434646565663266
-34616265383733343963323538656138656331396438616133393063356638633965323363653066
-65353837333363613762333839313631373137363064383830353565333832356162323862393030
-35373038613133643466636537626437393837633865363566343565626633376262373766613738
-39343334336238363131373762646564653839623531323066356430326263376534373664363331
-64373735383933303638303661333964333464306338613363326261623438336530636262373766
-35346339643939666162386232666236326131366366303432393838326239313730323431376231
-39363032616666393431326533643865643937363937356431623763363037373333653266376561
-63323462363063343234373534663063353865363037383932386231313338343239653131633561
-34623439396232633265616438623562666333303932396366663330326565363736633461333463
-66346537323061306662323062393061353565393165363532306439343262343632616465363364
-30376331346430313536313963333136663833323064633631653935326366633862336163316538
-33383434336666303434363236396662366664393637656462363331356631613332353766636663
-62323264336235306532343065323834313730353237616463373766303439663533336366363565
-35646461636263646633343634323735383235376330616334373937646165623639363663353361
-65613034353736633332663333616564356265323731613537393430633137333337643663323137
-31623732663331653935316337306433333633353565343265666333363864346562363961333439
-30656136636661396335623566386362333861616663393738626632633537613564636261383138
-3233
+32313562646230353138303964366135656361616532343933353732313961323339653964353130
+3938346666633565356134343835633964626261363365370a663664663938383731343733386136
+33356531323762313463326339333963336636353933326537333665313334616563626632336663
+6537363033663935660a613366613962626563643035663330343061353836646561623031323236
+65313633383063373064613930623530656365396335663363643330636239643937373163623932
+61373136303737333739316565323934376433316362353935363637373264616238373831666438
+35343135383233653963333237393232353631636566373766366664656666313436323535393736
+62323731343261373331393062633030356235313834373861323138663930613332643432386436
+38383038616536316465343561643639353434396631643033633537393265646532613161343732
+32363265643963386538326639353233363438643833306637336431303533396562613863633537
+30303334643137313136633039393463346562306236353566333563633238313865313534326137
+33623036376439653532313833633135326631643361333463633162303065623633636331666661
+62303636653233666164383463356530633464306564383236373832616263653165373937303030
+31323865656436366265303537306438303434613135396166313635656566373539303463393830
+65383636363064333730623161316162373734626433346564333835393030616437636665316566
+37353937626465383439633534316336313931663561336335653761396230393031393839336264
+37623037663032646631656637386366333131356562376665333964393264643133626532653564
+32353235633434656334663233303664613865343039613330663833396162646430623735653434
+66633466306338373061326636366330643639383632353564353865623637303832306332653131
+37343566393965326635613135613134316264616336303233616162313839626235386137343435
+33633336636434343531633362633834376135303337363637303039323038313937646236366265
+34303434373566313730623664653263653466366133363562333736393836393363326665353434
+30333263323366326436623238353335323936346637646130623265366535653737343665373165
+63336166633831623464343862353065653162613934646539396364353162633063303332313266
+65656163396463363737663931353765376337643065646131303264363961366336343432653537
+65306437623535393132343962333666366665316362366536663431646435633166333731303232
+63313337353334623330623862386661306333366638306433373437623835636631376231373636
+66666539363561313166396438343730656230663532633031353336636565343964366136663466
+38316364663936303231633633613832313163646262313238346666336661613236343966353130
+62656237663865306632333130653933633332623061633062363964643130383430613864663935
+63663765356434626661346165653163626565336437613539653536306432376332616430393737
+34366139336363383761366338623236383135373634613239616665343061396633383231663230
+63653331336366666234626662356461663263626465663036326162343239373734346661626665
+61666231613565356633343030343935393135653261376239303037373634386138393463363239
+30356365663133646634333863616230646235656135336330393836353462323630376537366334
+31306330363232326661616666623131383837353139643838326430653561346565393762323936
+31623136656361383039653763613162356530653933376539336130376237396661663664393733
+36396433303339613965316230613237303331646331383239356638333366653961303138343663
+33393664303637333863313364356666383836633063643539333262633565623534323866316537
+38623630363139643837396330353463303932383231663831363763656537386531383531303165
+37366338343063346230656461393832383736636662656666636434363731623437303862636366
+33613333393139613637623963373262323637653531336265333033333135613330313166633738
+36353935383931363535656539333130653164613431616438613432313532373063353738656162
+36616563383133623336396633343762376537663432356238653766666636323232623065313537
+39636632326166323130646633626431323831373963313837613465356436326430616433303662
+65343834663937306539663330366538643265626665613631323036616463313266303237613938
+30613565306636306561643238326138623366343365303934306561623234313332636462383363
+30623432326336396364636164366463326533613665333830656564626663383331323661663934
+35353135323930656138373830623932396138626335343265623738383532333861306561323430
+66333532333961636463656535636132323535313730333762633139306235373031363831363266
+33646635316137616663653461393566303432386330623936633330373461333762356532663062
+39666437363931313861356331653932303132353364623664656364316430653933653935616230
+38376631316463646663626562366233626334323235633235653364623936643131356130343261
+36396535393335366532313930623363663032386635396262363430303466373737633739626435
+30636136396562336561393936353763383732653166353266376165663233626266353638363131
+65323462633039323334613566373434343363633532656534663635363763396265663137636331
+38613736353635613437663133616431396666316230393066343431336535626335373437393039
+63666135353937313765316134326338376161353862373161653039333631306264343464353035
+65353639313134346239646362663836643734373465353866373238613162303336306438376237
+35363934333536376136666561333636653136316435316530366461306636333063313739626630
+37633333333766613663636466373364663132613266343136376138663461383832356631303132
+30363434336161393962363636313364663839383734373533356663343733333731613535646433
+64396361643736653931336365313338313633383038306131333863306437386362633263646364
+36656566326333333136636566613066623362363263373435356162396431396334386237383231
+30326465646334613235666435613462633230353434653666336364646466613066346366376262
+66633863333461626631383961663930383663666538613162643730323565653732386330613538
+38666164353130386530376332643637333931313661633634303636643639613561643338373331
+63333932306634313933366533623837613934366334396637396361623439383964333665383435
+62316265356537616137643537366666336634393935613034393737313930333364323031653234
+37366561356332666439623462396266623961653039626562393065393336643962373064343563
+36346665666338623931343739386531343833386135356164303532643463346565316163656633
+32616365623065626139383362613466633332666133313263393062373338653834363830333039
+62626230343362393533633061663432363836616539643065643839623065633363393134643534
+63343935376537393739333063333333386239663763383435633234376434366362616433363162
+34363539633661633333306133363433313761303138363864373266333461303139613362663937
+39626332356139396330393361613364643363366164376234316266316164393035386334366362
+36373065626530333237636139336163623766623561656234333239646263626164323134633434
+63326635393665333533383562633438303036616262366435373739386430353964333265393732
+66643838303566626131323834646564613830333937616264383864316666343333396636303836
+38633335656536653334626530303835623531666665326533303535313164323836373365636265
+65393061363933373931396134623264643065633534313566346336343862346537343437363765
+62663264376266326538616330376633353832353234653661613964373231666562326466663934
+38393931643736626332623461613737383463663935656263656233306437653331343838343865
+64343239636166343134336261656162393938396633376663366466653634373566336165323237
+34386137313961653739393231616532346664366138356631353030623236343535363435636462
+32323564306339396437633763613535393230386631616166656539373861386633363464653439
+34323134626334356631623764356232366337646236313031336138333636633834353463363961
+32316664383038633330383765356563353062303133333133336365346561643234386161383461
+39323964303061313461386333613961396533646161663230666466616231386239386666306233
+39343239323739323738373263313662336237346663663432343861343034633463386163303366
+38333537626232663438383230623032623765336164653438653434396362633063333437366338
+34373431323539306531323536363238333037643337626131336631356537626237656630393964
+38393736633433306632323334613232303162313962616334376130353931336337303462363266
+39643137643034396564303531346361336134353461653535336165323032323238663631653935
+38366339366436376166333335663230306663633634336434323532316664666134313365323834
+31363964346561373262393632366637396633323332393162666166326631383164643265353135
+34303664353434373131653530346634386333663732373966613761616261323032336266646163
+32663966656464633565356337653534623962663939333033613933633965666339653764663134
+38363965393730633638653561393432303835303164396462366435353030643966316665333061
+39643634646137626338323537393031356532616637666634333139396630663930636235333735
+66336465666439356636623037653564393161393432346534656132346631396462356463336566
+30303833386638333866396462633330306439613139636331636331333663386438623461343133
+30643164366434353765633738356536643861303232393362343131353730376364623463326361
+37363061623333653466636438666465616133396233616430393265626362663736613031383764
+63353065306166646461623763643062383738376266353765643134376538393233383663346237
+37643639663063383266373536323533343936633134386263616163343637613636303134343037
+34626232303335393532643134646132323463396333386664333731646331343937363661323539
+65663936366464643162633432666537393439313664643638343237653566613235353165663336
+32373037346239356337633036306138343366666463363538373836616530313565613562383433
+64616263626165343938363230613039356137643665653734366533393033316363663036363738
+66323663663366666162623734363465663939383830396533383665393139633530616263663136
+64333132633031623835373831636366643831626235303831313761653734666365386462393534
+66303332656561653162636636313439663633396638353638363465663138353866376636326634
+63613865613466326230323564323439393061653664393261373531306235333663373434636262
+62353132653333313635653633346461323165373862343839316539653038633664353830643234
+36633763653738323732386263643461333761306532303534663763323735636563366266653464
+66636236393033613736656562663661346162316164616663306465623431613133633130383136
+35313434346164653163396137383064656538353766653237646237663639663039663665666236
+62346139633234343735303762653030326333333764356562656435623330663066353333326239
+39646465393362323537343766366432323765363139643361643037373739643636623437386636
+32353233303337623136343062623633306361383737303431613663633163643832343434656335
+39633434393466646366376534333865633361333861653366316238626637363537303335363662
+61353830303733623665643864333134623062356334616331363565333235666261653732633264
+62663238663461343738303764303636366638393830623264613730303635623635626364646464
+35623239356235316136343532616638663930313565383264663936633733386663326161623830
+62626634313963323866653432343561303233343035353433613731353538356438613033346638
+33613466656633626261326465336437613630376335663933303061393731313065636131393762
+65613037653363636235613838613535316635613066393436356537633662313539323163613361
+36356632323634363335366665376663346565393439313031636331633235333664663830636135
+64653266616262336437623731383161383437613461323837653066656233643230663064616432
+65383337323333633465316533623465303735396430326334643634626436303263396534356335
+34373134653232303866386433643864363536643138353965323130616338353731633434326361
+66303133353264343664323435653133383431626263373237613631616235666465616333343937
+37323333653565363665376236396232393132336137346461613831623063326631636335333365
+65376538396265313732323932383061633464393630393563386163393230623238633938396535
+34333330386131353336646361313634353862663762653234373235366565343232306432653731
+61383863306632626463653831383735636233623966353130626634366638626236383864316531
+37353062336539626531356133313132663330663135393930356565323364353761393439373533
+61366465313462313033306631333432646163653832363564313838643362316263353562373262
+33343664666230303065373836306663643135303439356362336634346637353438633364306365
+30623332363436353865633738663464636132306134386465306164363333386338323433643163
+37626235303062393933393363656339636139323464373439363765316266646536316336666163
+34306262326238343937623432643262646263666266623933623565363535326235623637396237
+64623961663037653033383933333062393932613933303962326538333739303731363137623365
+30363030353433646133666166383938356232396331656165343531343232613934663834633464
+36353331373233393861636131393238363031383135613633373665613364373466356663376431
+66303331383837663261313838363266656164633836623661326331356566653938306266376632
+63613238356135373938663030343634393566653963306237303138626461613931356565663835
+64386433613937643730396130663333646334386336613864333533626661626166346232333964
+66316664346231376639393132613936323261383131633737386331343966363961633237666334
+38353363383761333439373437623937393534626435386262383732363833346166656233666332
+62636130323536663432633434646666303664393130626437636132316264613535306463623964
+30633030613665343631373366363737313130666337326230633631646461356362363963306361
+64393639353339303436346438313833333432356666666339613666623132636235383866343838
+36666263343538633537303665616366656363373736306235333264336466313939356131303561
+33363030653966316232313933323665663330303338366333656536623861623537313266383565
+65633866663665393635646531353539623362646663356664333866623432333465333335333333
+31616262356537646261373166343665633238633235373335343134393366663462393465643135
+35326336613835663132343233386564373462353561333066323631313664373865323233653336
+65333731336565633664636562326365343263373263373162653239633964396138616335616230
+63376562383064663330363562306338346465666563306365306639353632396633323830353337
+65666233376239333436633566623535383065646235353832363030303565623531333539613864
+63393339656238323466343564333134636164383062613138656138373936636531636166393062
+32613431636233316533353937326234663336343231313630393037313663383034383238346562
+36383264626366383835623261643562323037303661383832323939363939623038626664393530
+65353061313266633764353331313532383766613735333131373365366336306139343265306634
+66313435313965633362356563313763653634643362616138633832633136333362343731346166
+34613431653134363732353833643962636431623036393935666237663833373934373438666434
+36633538306632383439323465636665303863646532653165666638316137633738363736386633
+33303234306531356136316463353232303737323661333430333137636633306131316434376665
+64323633383735313536373534626331356631316464643530363866633730353239346633396364
+36323437306165363465613365383666353037313333653230316234626439623964343336343762
+66343831343133343330336536613134303836626434663731343636613835623364633236653962
+63356635363239663533336265306261393337313136313937356662616231636461373230376232
+64313738333966633265626166653266313932666134356235373238376530303437646464333364
+31613631386335356561363938323831313061373566323638663864393266656361366463353736
+63386361373737383837336435633562626566656666373737313464323466313364626466633537
+6661656232313066363235616364646663623039386561636332

group_vars/certbot.yml

@@ -0,0 +1,8 @@
+---
+glob_certbot:
+  - dns_rfc2136_server: '10.128.0.30'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+    mail: tech.aurore@lists.crans.org
+    certname: auro.re
+    domains: "*.auro.re"

group_vars/nginx.yml

@@ -0,0 +1,32 @@
+---
+glob_nginx:
+  contact: tech.aurore@lists.crans.org
+  who: "L'équipe technique d'Aurore"
+  service_name: service
+  ssl:
+    # Add adm.auro.re if necessary
+    - name: auro.re
+      cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+      cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+      trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+  servers:
+    - ssl: false  # Replace by auro.re or adm.auro.re
+      default: true
+      server_name:
+        - "default"
+        - "_"
+      root: "/var/www/html"
+      locations:
+        - filter: "/"
+          params: []
+      additional_params: []
+  upstreams: []
+
+  auth_passwd: []
+  default_server:
+  default_ssl_server:
+  default_ssl_domain: auro.re
+  real_ip_from:
+    - "10.128.0.0/16"
+    - "2a09:6840:128::/64"
+  deploy_robots_file: false

group_vars/reverseproxy.yml

@@ -0,0 +1,11 @@
+loc_nginx:
+  servers: []
+
+glob_reverseproxy:
+  redirect_dnames:
+    - aurores.net
+    - fede-aurore.net
+
+  reverseproxy_sites: []
+
+  redirect_sites: []

host_vars/portail.adm.auro.re.yml

@@ -0,0 +1,105 @@
+---
+loc_nginx:
+  service_name: captive_portal
+  default_server: '$server_addr'
+  default_ssl_server: '$server_addr'
+
+  servers:
+    - server_name:
+        - "10.13.0.247"
+      locations:
+        - filter: "/"
+          params:
+            - "return 302 https://portail-fleming.auro.re/portail/"
+
+    - ssl: auro.re
+      server_name:
+        - portail-fleming.auro.re
+      locations:
+        - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+          params:
+            - "proxy_pass http://10.128.0.20"
+            - "include /etc/nginx/snippets/options-proxypass.conf"
+        - filter: "/"
+          params:
+            - "return 302 https://portail-fleming.auro.re/portail/"
+
+    - ssl: auro.re
+      server_name:
+        - 10.23.0.247
+      locations:
+        - filter: "/"
+          params:
+            - "return 302 https://portail-pacaterie.auro.re/portail/"
+
+    - ssl: auro.re
+      server_name:
+        - portail-pacaterie.auro.re
+      locations:
+        - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+          params:
+            - "proxy_pass http://10.128.0.20"
+            - "include /etc/nginx/snippets/options-proxypass.conf"
+        - filter: "/"
+          params:
+            - "return 302 https://portail-pacaterie.auro.re/portail/"
+
+    - ssl: auro.re
+      server_name:
+        - "10.33.0.247"
+      locations:
+        - filter: "/"
+          params:
+            - "return 302 https://portail-rives.auro.re/portail/"
+
+    - ssl: auro.re
+      server_name:
+        - portail-rives.auro.re
+      locations:
+        - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+          params:
+            - "proxy_pass http://10.128.0.20"
+            - "include /etc/nginx/snippets/options-proxypass.conf"
+        - filter: "/"
+          params:
+            - "return 302 https://portail-rives.auro.re/portail/"
+
+    - ssl: auro.re
+      server_name:
+        - "10.43.0.247"
+      locations:
+        - filter: "/"
+          params:
+            - "return 302 https://portail-edc.auro.re/portail/"
+
+    - ssl: auro.re
+      server_name:
+        - portail-edc.auro.re
+      locations:
+        - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+          params:
+            - "proxy_pass http://10.128.0.20"
+            - "include /etc/nginx/snippets/options-proxypass.conf"
+        - filter: "/"
+          params:
+            - "return 302 https://portail-edc.auro.re/portail/"
+
+    - ssl: auro.re
+      server_name:
+        - "10.53.0.247"
+      locations:
+        - filter: "/"
+          params:
+            - "return 302 https://portail-gs.auro.re/portail/"
+
+    - ssl: auro.re
+      server_name:
+        - portail-gs.auro.re
+      locations:
+        - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+          params:
+            - "proxy_pass http://10.128.0.20"
+            - "include /etc/nginx/snippets/options-proxypass.conf"
+        - filter: "/"
+          params:
+            - "return 302 https://portail-gs.auro.re/portail/"

host_vars/proxy-ovh.adm.auro.re.yml

@@ -1,39 +1,13 @@
 ---
-certbot:
-  domains:
-    - auro.re
-    - chat.auro.re  # cname to riot.auro.re
-    - codimd.auro.re
-    - element.auro.re  # cname to riot.auro.re
-    - ehterpad.auro.re  # cname to pad.auro.re
-    - grafana.auro.re
-    - hedgedoc.auro.re  # cname to codimd.auro.re
-    - pad.auro.re
-    - passbolt.auro.re
-    - paste.auro.re  # cname to privatebin.auro.re
-    - phabricator.auro.re
-    - privatebin.auro.re
-    - riot.auro.re
-    - sharelatex.auro.re
-    - status.auro.re
-    - wiki.auro.re
-    - www.auro.re
-    - zero.auro.re  # cname to privatebin.auro.re
-  mail: tech.aurore@lists.crans.org
-  certname: auro.re
-
-nginx:
-  ssl:
-    cert: /etc/letsencrypt/live/auro.re/fullchain.pem
-    cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
-    trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
-
-  redirect_dnames:
-    - aurores.net
-    - fede-aurore.net
-
-  redirect_tcp: {}
+loc_certbot:
+  - dns_rfc2136_server: '10.128.0.30'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+    mail: tech.aurore@lists.crans.org
+    certname: auro.re
+    domains: "auro.re, *.auro.re"
 
+loc_reverseproxy:
   redirect_sites:
     - from: www.auro.re
       to: auro.re

host_vars/proxy.adm.auro.re.yml

@@ -1,31 +1,31 @@
 ---
-certbot:
-  domains:
-    - bbb.auro.re
-    - drone.auro.re
-    - gitea.auro.re
-    - intranet.auro.re
-    - litl.auro.re
-    - nextcloud.auro.re
-    - re2o.auro.re
-    - vote.auro.re
-    - re2o-server.auro.re
-    - re2o-test.auro.re
-    - wikijs.auro.re
+loc_certbot:
+  - dns_rfc2136_server: '10.128.0.30'
+    dns_rfc2136_name: certbot_adm_challenge.
+    dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
+    mail: tech.aurore@lists.crans.org
+    certname: adm.auro.re
+    domains: "*.adm.auro.re"
+  - dns_rfc2136_server: '10.128.0.30'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+    mail: tech.aurore@lists.crans.org
+    certname: auro.re
+    domains: "*.auro.re"
 
-  mail: tech.aurore@lists.crans.org
-  certname: auro.re
-
-nginx:
+loc_nginx:
+  servers: []
   ssl:
-    cert: /etc/letsencrypt/live/auro.re/fullchain.pem
-    cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
-    trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
-
-  redirect_dnames:
-    - aurores.net
-    - fede-aurore.net
+    - name: adm.auro.re
+      cert: /etc/letsencrypt/live/adm.auro.re/fullchain.pem
+      cert_key: /etc/letsencrypt/live/adm.auro.re/privkey.pem
+      trusted_cert: /etc/letsencrypt/live/adm.auro.re/chain.pem
+    - name: auro.re
+      cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+      cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+      trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
 
+loc_reverseproxy:
   redirect_tcp:
     - name: Gitea
       port: 2222
@@ -33,7 +33,7 @@ nginx:
 
   redirect_sites:
     - from: 45.66.111.61
-      to: auro.re
+      to: intranet.auro.re
 
   reverseproxy_sites:
     - from: re2o.auro.re
@@ -49,6 +49,9 @@ nginx:
 
     - from: gitea.auro.re
       to: "10.128.0.60:3000"
+    - from: git.adm.auro.re
+      to: "10.128.0.60:3000"
+      ssl: adm.auro.re
 
     - from: drone.auro.re
       to: "10.128.0.64:8000"

hosts

@@ -35,6 +35,8 @@ services-web.adm.auro.re
 mail.adm.auro.re
 wikijs.adm.auro.re
 prometheus-aurore.adm.auro.re
+portail.adm.auro.re
+jitsi-aurore.adm.auro.re
 
 [aurore_testing_vm]
 pendragon.adm.auro.re
@@ -61,6 +63,8 @@ vpn-ovh.adm.auro.re
 docker-ovh.adm.auro.re
 switchs-manager.adm.auro.re
 ldap-replica-ovh.adm.auro.re
+prometheus-ovh.adm.auro.re
+prometheus-federate.adm.auro.re
 
 [ovh_testing_vm]
 #re2o-test.adm.auro.re
@@ -265,6 +269,7 @@ ep-1-3.borne.auro.re
 ep-1-2.borne.auro.re
 ep-0-1.borne.auro.re
 eo-2-1.borne.auro.re
+ee-2-1.borne.auro.re
 
 ###############################################################################
 # George Sand
@@ -488,3 +493,18 @@ ldap-replica-ovh.adm.auro.re
 [ldap_replica_rives]
 ldap-replica-rives.adm.auro.re
 
+[certbot]
+portail.adm.auro.re
+
+[certbot:children]
+reverseproxy
+
+[nginx]
+portail.adm.auro.re
+
+[nginx:children]
+reverseproxy
+
+[reverseproxy]
+proxy-ovh.adm.auro.re
+proxy.adm.auro.re

monitoring.yml

@@ -1,6 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
-- hosts: prometheus-fleming.adm.auro.re,prometheus-fleming-fo.adm.auro.re
+- hosts: prometheus-fleming.adm.auro.re
   vars:
     prometheus_alertmanager: docker-ovh.adm.auro.re:9093
     snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
@@ -88,10 +88,43 @@
     # Prometheus targets.json
     prometheus_targets:
       - targets: |
-          {{ groups['aurore_pve'] + groups['aurore_vm'] + groups['ovh_pve'] + groups['ovh_vm'] | list | sort }}
+          {{ groups['aurore_pve'] + groups['aurore_vm'] | list | sort }}
   roles:
     - prometheus
 
+- hosts: prometheus-ovh.adm.auro.re
+  vars:
+    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+
+    # Prometheus targets.json
+    prometheus_targets:
+      - targets: |
+          {{ groups['ovh_pve'] + groups['ovh_vm'] | list | sort }}
+    prometheus_docker_targets:
+      - docker-ovh.adm.auro.re:8087
+  roles:
+    - prometheus
+
+
+- hosts: prometheus-federate.adm.auro.re
+  vars:
+    prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+    snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+
+    # Prometheus targets.json
+    prometheus_targets:
+      - prometheus-edc.adm.auro.re
+      - prometheus-gs.adm.auro.re
+      - prometheus-fleming.adm.auro.re
+      - prometheus-pacaterie.adm.auro.re
+      - prometheus-rives.adm.auro.re
+      - prometheus-aurore.adm.auro.re
+      - prometheus-ovh.adm.auro.re
+      - prometheus-federate.adm.auro.re
+  roles:
+    - prometheus_federate
+
 
 # Monitor all hosts
 - hosts: all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,!aurore_testing_vm,!ovh_container

network.yml

@@ -43,7 +43,7 @@
 #       username: service-user
 #       password: "{{ vault_serviceuser_passwd }}"
 #   roles:
-#     - re2o-service
+#     - re2o_service
 
 
 # Deploy Unifi Controller
@@ -62,4 +62,4 @@
 #       username: service-user
 #       password: "{{ vault_serviceuser_passwd }}"
 #   roles:
-#     - re2o-service
+#     - re2o_service

roles/baseconfig/tasks/main.yml

@@ -23,6 +23,7 @@
       - oidentd  # postgresql identification
       - screen  # Vulcain asked for this
       - sudo
+      - tmux  # For shirenn
       - tree  # create a graphical tree of files
       - vim  # better than nano
       - zsh  # to be able to ssh @erdnaxe

roles/certbot/handlers/main.yml

@@ -1,8 +0,0 @@
----
-- name: Reload nginx
-  service:
-    name: nginx
-    state: reloaded
-
-- name: Generate certificates
-  command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"

roles/certbot/tasks/main.yml

@@ -1,13 +1,28 @@
 ---
-- name: Install certbot and nginx plugin
+- name: Install certbot and RFC2136 plugin
   apt:
     update_cache: true
     name:
       - certbot
-      - python3-certbot-nginx
-  register: pkg_result
+      - python3-certbot-dns-rfc2136
+    state: present
+  register: apt_result
   retries: 3
-  until: pkg_result is succeeded
+  until: apt_result is succeeded
+
+- name: Add DNS credentials
+  template:
+    src: letsencrypt/rfc2136.ini.j2
+    dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
+    mode: 0600
+    owner: root
+  loop: "{{ certbot }}"
+
+- name: Add dhparam
+  template:
+    src: "letsencrypt/dhparam.j2"
+    dest: "/etc/letsencrypt/dhparam"
+    mode: 0600
 
 - name: Create /etc/letsencrypt/conf.d
   file:
@@ -18,8 +33,19 @@
 - name: Add Certbot configuration
   template:
     src: "letsencrypt/conf.d/certname.ini.j2"
-    dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+    dest: "/etc/letsencrypt/conf.d/{{ item.certname }}.ini"
     mode: 0644
-  notify:
-    - Generate certificates
-    - Reload nginx
+  loop: "{{ certbot }}"
+
+- name: Run certbot
+  command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
+  loop: "{{ certbot }}"
+
+- name: Clean old files
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "/etc/letsencrypt/options-ssl-nginx.conf"
+    - "/etc/letsencrypt/ssl-dhparams.pem"
+    - "/etc/letsencrypt/rfc2136.ini"

roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2

@@ -1,7 +1,7 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment(decoration='# ') }}
 
-# Pour appliquer cette conf et générer la conf de renewal :
-# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
+# To generate the certificate, please use the following command
+# certbot --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
 
 # Use a 4096 bit RSA key instead of 2048
 rsa-key-size = 4096
@@ -10,14 +10,19 @@ rsa-key-size = 4096
 # server = https://acme-staging.api.letsencrypt.org/directory
 
 # Uncomment and update to register with the specified e-mail address
-email = {{ certbot.mail }}
+email = {{ item.mail }}
 
 # Uncomment to use a text interface instead of ncurses
 text = True
 
-# Use nginx challenge
-authenticator = nginx
+# Yes I want to sell my soul and my guinea pig.
+agree-tos = True
+
+# Use DNS-01 challenge
+authenticator = dns-rfc2136
+dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini
+dns-rfc2136-propagation-seconds = 30
 
 # Wildcard the domain
-cert-name = {{ certbot.certname }}
-domains = {{ ", ".join(certbot.domains) }}
+cert-name = {{ item.certname }}
+domains = {{ item.domains }}

roles/certbot/templates/letsencrypt/rfc2136.ini.j2

@@ -0,0 +1,7 @@
+{{ ansible_managed | comment(decoration='# ') }}
+
+dns_rfc2136_server = {{ item.dns_rfc2136_server }}
+dns_rfc2136_port = 53
+dns_rfc2136_name = {{ item.dns_rfc2136_name }}
+dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
+dns_rfc2136_algorithm = HMAC-SHA512

roles/isc_dhcp_server/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: force run dhcp re2o-service
-  shell: /var/local/re2o-services/dhcp/main.py --force
+  command: /var/local/re2o-services/dhcp/main.py --force
   become_user: re2o-services
 
 - name: restart dhcpd

roles/isc_dhcp_server/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: Install dhcp (re2o-service)
   import_role:
-    name: re2o-service
+    name: re2o_service
   vars:
     service_repo: https://gitlab.federez.net/re2o/dhcp.git
     service_name: dhcp
@@ -18,7 +18,7 @@
     owner: re2o-services
     group: nogroup
     recurse: true
-    mode: 755
+    mode: 0755
 
 - name: Install isc-dhcp-server
   apt:

roles/logrotate/templates/logrotate.d/rsyslog.j2

@@ -26,7 +26,7 @@
 /var/log/debug
 /var/log/messages
 {
-	rotate 1
+	rotate 90
 	daily
 	missingok
 	notifempty

roles/nginx/tasks/main.yml

@@ -0,0 +1,146 @@
+---
+- name: Install NGINX
+  apt:
+    update_cache: true
+    name: nginx
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Copy proxypass snippets
+  template:
+    src: "nginx/snippets/options-proxypass.conf.j2"
+    dest: "/etc/nginx/snippets/options-proxypass.conf"
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Copy SSL snippets
+  template:
+    src: "nginx/snippets/options-ssl.conf.j2"
+    dest: "/etc/nginx/snippets/options-ssl.{{ item.name }}.conf"
+    owner: root
+    group: root
+    mode: 0644
+  loop: "{{ nginx.ssl }}"
+
+- name: Disable default site
+  file:
+    dest: "/etc/nginx/sites-enabled/default"
+    state: absent
+
+- name: Copy reverse proxy sites
+  when: reverseproxy is defined
+  template:
+    src: "nginx/sites-available/{{ item }}.j2"
+    dest: "/etc/nginx/sites-available/{{ item }}"
+    owner: root
+    group: root
+    mode: 0644
+  loop:
+    - reverseproxy
+    - reverseproxy_redirect_dname
+    - redirect
+  notify: Reload nginx
+
+- name: Activate reverse proxy sites
+  when: reverseproxy is defined
+  file:
+    src: "/etc/nginx/sites-available/{{ item }}"
+    dest: "/etc/nginx/sites-enabled/{{ item }}"
+    owner: root
+    group: root
+    state: link
+  loop:
+    - reverseproxy
+    - reverseproxy_redirect_dname
+    - redirect
+  notify: Reload nginx
+  ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Copy forward modules
+  when: reverseproxy.redirect_tcp is defined and reverseproxy.redirect_tcp|length > 0
+  template:
+    src: "nginx/modules-available/60-forward.conf.j2"
+    dest: "/etc/nginx/modules-available/60-forward.conf"
+    mode: 0644
+  notify: Reload nginx
+
+- name: Activate modules
+  when: reverseproxy.redirect_tcp is defined and reverseproxy.redirect_tcp|length > 0
+  file:
+    src: "/etc/nginx/modules-available/60-forward.conf"
+    dest: "/etc/nginx/modules-enabled/60-forward.conf"
+    state: link
+    mode: 0644
+  notify: Reload nginx
+  ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Copy service nginx configuration
+  when: nginx.servers is defined and nginx.servers|length > 0
+  template:
+    src: "nginx/sites-available/service.j2"
+    dest: "/etc/nginx/sites-available/{{ nginx.service_name }}"
+    owner: root
+    group: root
+    mode: 0644
+  notify: Reload nginx
+
+- name: Activate local nginx service site
+  when: nginx.servers is defined and nginx.servers|length > 0
+  file:
+    src: "/etc/nginx/sites-available/{{ nginx.service_name }}"
+    dest: "/etc/nginx/sites-enabled/{{ nginx.service_name }}"
+    owner: root
+    group: root
+    state: link
+  notify: Reload nginx
+  ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Copy 50x error page
+  template:
+    src: www/html/50x.html.j2
+    dest: /var/www/html/50x.html
+    owner: www-data
+    group: www-data
+    mode: 0644
+
+- name: Copy robots.txt file
+  when: nginx.deploy_robots_file
+  template:
+    src: www/html/robots.txt.j2
+    dest: /var/www/html/robots.txt
+    owner: www-data
+    group: www-data
+    mode: 0644
+
+- name: Install passwords
+  when: nginx.auth_passwd|length > 0
+  template:
+    src: nginx/passwd.j2
+    dest: /etc/nginx/passwd
+    mode: 0644
+
+- name: Copy 401 error page
+  when: nginx.auth_passwd|length > 0
+  template:
+    src: www/html/401.html.j2
+    dest: /var/www/html/401.html
+    owner: www-data
+    group: www-data
+    mode: 0644
+
+- name: Indicate role in motd
+  template:
+    src: update-motd.d/05-service.j2
+    dest: /etc/update-motd.d/05-nginx
+    mode: 0755
+
+- name: Clean old files
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "/etc/nginx/snippets/options-ssl.conf"
+    - "/var/www/custom_401.html"
+    - "/var/www/robots.txt"

roles/nginx/templates/letsencrypt/dhparam.j2

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

roles/nginx/templates/nginx/modules-available/60-forward.conf.j2

@@ -1,6 +1,6 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 
-{% for site in nginx.redirect_tcp %}
+{% for site in reverseproxy.redirect_tcp %}
 # Forward port {{ site.port }} to {{ site.name }}
 stream {
     server {
@@ -12,3 +12,4 @@ stream {
 }
 
 {% endfor %}
+

roles/nginx/templates/nginx/passwd.j2

@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+{% for user, hash in nginx.auth_passwd.items() -%}
+{{ user }}:{{ hash }}
+{% endfor -%}

roles/nginx/templates/nginx/sites-available/redirect.j2

@@ -1,6 +1,6 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 
-{% for site in nginx.redirect_sites %}
+{% for site in reverseproxy.redirect_sites %}
 # Redirect http://{{ site.from }} to http://{{ site.to }}
 server {
     listen 80;
@@ -8,6 +8,11 @@ server {
 
     server_name {{ site.from }};
 
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
     location / {
         return 302 http://{{ site.to }}$request_uri;
     }
@@ -21,7 +26,12 @@ server {
     server_name {{ site.from }};
 
     # SSL common conf
-    include "/etc/nginx/snippets/options-ssl.conf";
+    include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
+
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
 
     location / {
         return 302 https://{{ site.to }}$request_uri;
@@ -31,8 +41,8 @@ server {
 {% endfor %}
 
 {# Also redirect for DNAMEs #}
-{% for dname in nginx.redirect_dnames %}
-{% for site in nginx.redirect_sites %}
+{% for dname in reverseproxy.redirect_dnames %}
+{% for site in reverseproxy.redirect_sites %}
 {% set from = site.from | regex_replace('crans.org', dname) %}
 {% if from != site.from %}
 # Redirect http://{{ from }} to http://{{ site.to }}
@@ -42,6 +52,11 @@ server {
 
     server_name {{ from }};
 
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
     location / {
         return 302 http://{{ site.to }}$request_uri;
     }
@@ -55,7 +70,12 @@ server {
     server_name {{ from }};
 
     # SSL common conf
-    include "/etc/nginx/snippets/options-ssl.conf";
+    include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
+
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
 
     location / {
         return 302 https://{{ site.to }}$request_uri;

roles/nginx/templates/nginx/sites-available/reverseproxy.j2

@@ -1,4 +1,4 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 
 # Automatic Connection header for WebSocket support
 # See http://nginx.org/en/docs/http/websocket.html
@@ -7,7 +7,7 @@ map $http_upgrade $connection_upgrade {
     ''      close;
 }
 
-{% for site in nginx.reverseproxy_sites %}
+{% for site in reverseproxy.reverseproxy_sites %}
 # Redirect http://{{ site.from }} to https://{{ site.from }}
 server {
     listen 80;
@@ -15,6 +15,11 @@ server {
 
     server_name {{ site.from }};
 
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
     location / {
         return 302 https://$host$request_uri;
     }
@@ -28,7 +33,7 @@ server {
     server_name {{ site.from }};
 
     # SSL common conf
-    include "/etc/nginx/snippets/options-ssl.conf";
+    include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
 
     # Log into separate log files
     access_log      /var/log/nginx/{{ site.from }}.log;
@@ -43,8 +48,9 @@ server {
         root /var/www/html;
     }
 
-    set_real_ip_from 10.231.136.0/24;
-    set_real_ip_from 2a0c:700:0:2::/64;
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
     real_ip_header P-Real-Ip;
 
     location / {

roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2

@@ -1,7 +1,7 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 
-{% for dname in nginx.redirect_dnames %}
-{% for site in nginx.reverseproxy_sites %}
+{% for dname in reverseproxy.redirect_dnames %}
+{% for site in reverseproxy.reverseproxy_sites %}
 {% set from = site.from | regex_replace('auro.re', dname) %}
 {% set to = site.from %}
 {% if from != site.from %}
@@ -12,6 +12,11 @@ server {
 
     server_name {{ from }};
 
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
     location / {
         return 302 http://{{ to }}$request_uri;
     }
@@ -25,7 +30,12 @@ server {
     server_name {{ from }};
 
     # SSL common conf
-    include "/etc/nginx/snippets/options-ssl.conf";
+    include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
+
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
 
     location / {
         return 302 https://{{ to }}$request_uri;

roles/nginx/templates/nginx/sites-available/service.j2

@@ -0,0 +1,132 @@
+{{ ansible_managed | comment }}
+
+# Automatic Connection header for WebSocket support
+# See http://nginx.org/en/docs/http/websocket.html
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+{% for upstream in nginx.upstreams -%}
+upstream {{ upstream.name }} {
+    # Path of the server
+    server {{ upstream.server }};
+}
+{% endfor -%}
+
+{% if nginx.default_ssl_server -%}
+# Redirect all services to the main site
+server {
+    listen 443 default_server ssl;
+    listen [::]:443 default_server ssl;
+    include "/etc/nginx/snippets/options-ssl.{{ nginx.default_ssl_domain }}.conf";
+
+    server_name _;
+    charset utf-8;
+
+    # Hide Nginx version
+    server_tokens off;
+
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
+    location / {
+        return 302 https://{{ nginx.default_ssl_server }}$request_uri;
+    }
+}
+{% endif -%}
+
+{% if nginx.default_server -%}
+# Redirect all services to the main site
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    server_name _;
+    charset utf-8;
+
+    # Hide Nginx version
+    server_tokens off;
+
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
+    location / {
+        return 302 http://{{ nginx.default_server }}$request_uri;
+    }
+}
+{% endif -%}
+
+{% for server in nginx.servers %}
+{% if server.ssl is defined and server.ssl -%}
+# Redirect HTTP to HTTPS
+server {
+    listen 80{% if server.default is defined and server.default %} default_server{% endif %};
+    listen [::]:80{% if server.default is defined and server.default %} default_server{% endif %};
+
+    server_name {{ server.server_name|join(" ") }};
+    charset utf-8;
+
+    # Hide Nginx version
+    server_tokens off;
+
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
+    location / {
+        return 302 https://$host$request_uri;
+    }
+}
+{% endif -%}
+
+server {
+    {% if server.ssl is defined and server.ssl -%}
+    listen 443{% if server.default is defined and server.default %} default_server{% endif %} ssl;
+    listen [::]:443{% if server.default is defined and server.default %} default_server{% endif %} ssl;
+    include "/etc/nginx/snippets/options-ssl.{{ server.ssl }}.conf";
+    {% else -%}
+    listen 80;
+    listen [::]:80;
+    {% endif -%}
+
+    server_name {{ server.server_name|join(" ") }};
+    charset utf-8;
+
+    # Hide Nginx version
+    server_tokens off;
+
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
+    {% if server.root is defined %}root {{ server.root }};{% endif %}
+    {% if server.index is defined %}index {{ server.index|join(" ") }};{% endif %}
+
+    {% if server.access_log is defined %}access_log {{ server.access_log }};{% endif %}
+    {% if server.error_log is defined %}error_log {{ server.error_log }};{% endif %}
+
+{% if server.additional_params is defined %}
+{% for param in server.additional_params %}
+    {{ param }};
+{% endfor %}
+{% endif %}
+
+{% if server.locations is defined %}
+{% for location in server.locations %}
+    location {{ location.filter }} {
+{% for param in location.params %}
+        {{ param }};
+{% endfor %}
+    }
+
+{% endfor %}
+{% endif %}
+}
+{% endfor %}

roles/nginx/templates/nginx/snippets/fastcgi.conf.j2

@@ -0,0 +1,18 @@
+{{ ansible_managed | comment }}
+
+# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+fastcgi_split_path_info (^/[^/]*)(.*)$;
+
+# check that the PHP script exists before passing it
+try_files $fastcgi_script_name =404;
+
+# Bypass the fact that try_files resets $fastcgi_path_info
+# see: http://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;
+fastcgi_param PATH_INFO $path_info;
+
+# Let NGINX handle errors
+fastcgi_intercept_errors on;
+
+include /etc/nginx/fastcgi.conf;
+fastcgi_pass unix:/var/run/fcgiwrap.socket;

roles/nginx/templates/nginx/snippets/options-proxypass.conf.j2

@@ -1,4 +1,4 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 
 proxy_redirect off;
 proxy_set_header Host $host;

roles/nginx/templates/nginx/snippets/options-ssl.conf.j2

@@ -1,7 +1,7 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 
-ssl_certificate {{ nginx.ssl.cert }};
-ssl_certificate_key {{ nginx.ssl.cert_key }};
+ssl_certificate {{ item.cert }};
+ssl_certificate_key {{ item.cert_key }};
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;
 ssl_session_tickets off;
@@ -13,5 +13,5 @@ ssl_prefer_server_ciphers off;
 # Enable OCSP Stapling, point to certificate chain
 ssl_stapling on;
 ssl_stapling_verify on;
-ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+ssl_trusted_certificate {{ item.trusted_cert }};
 

roles/nginx/templates/update-motd.d/05-service.j2

@@ -1,3 +1,3 @@
 #!/usr/bin/tail +14
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 > NGINX a été déployé sur cette machine. Voir /etc/nginx/.

roles/nginx/templates/www/html/401.html.j2

@@ -0,0 +1,18 @@
+{{ ansible_header | comment('xml') }}
+
+<html>
+<head>
+  <title>Accès refusé</title>
+  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
+</head>
+<body>
+  <h1>Accès refusé</h1>
+  <p>
+    Pour éviter le scan des adresses de diffusions par un robot, cette page demande un identifiant et mot de passe.
+  </p>
+  <ul>
+    <li>Identifiant : <em>Stop</em></li>
+    <li>Mot de passe : <em>Spam</em></li>
+  </ul>
+</body>
+</html>

roles/nginx/templates/www/html/50x.html.j2

@@ -57,7 +57,7 @@
     <h1>502</h1>
     <p>Whoops, le service prend trop de temps à répondre…</p>
     <p>Essayez de rafraîchir la page. Si le problème persiste, pensez
-    à contacter <a href="mailto:tech.aurore@lists.crans.org">l'équipe technique d'Aurore</a>.</p>
+    à contacter <a href="mailto:{{ nginx.contact }}">{{ nginx.who }}</a>.</p>
 </body>
 </html>
 

roles/nginx/templates/www/html/robots.txt.j2

@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /

roles/nginx_reverseproxy/tasks/main.yml

@@ -1,73 +0,0 @@
----
-- name: Install NGINX
-  apt:
-    update_cache: true
-    name: nginx
-  register: apt_result
-  retries: 3
-  until: apt_result is succeeded
-
-- name: Copy snippets
-  template:
-    src: "nginx/snippets/{{ item }}.j2"
-    dest: "/etc/nginx/snippets/{{ item }}"
-    mode: 0644
-  loop:
-    - options-ssl.conf
-    - options-proxypass.conf
-
-- name: Copy dhparam
-  template:
-    src: letsencrypt/dhparam.j2
-    dest: /etc/letsencrypt/dhparam
-    mode: 0644
-
-- name: Copy reverse proxy sites
-  template:
-    src: "nginx/sites-available/{{ item }}.j2"
-    dest: "/etc/nginx/sites-available/{{ item }}"
-    mode: 0644
-  loop:
-    - reverseproxy
-    - reverseproxy_redirect_dname
-    - redirect
-  notify: Reload nginx
-
-- name: Activate sites
-  file:
-    src: "/etc/nginx/sites-available/{{ item }}"
-    dest: "/etc/nginx/sites-enabled/{{ item }}"
-    state: link
-    mode: 0644
-  loop:
-    - reverseproxy
-    - reverseproxy_redirect_dname
-    - redirect
-  notify: Reload nginx
-
-- name: Copy forward modules
-  template:
-    src: "nginx/modules-available/60-forward.conf.j2"
-    dest: "/etc/nginx/modules-available/60-forward.conf"
-    mode: 0644
-  notify: Reload nginx
-
-- name: Activate modules
-  file:
-    src: "/etc/nginx/modules-available/60-forward.conf"
-    dest: "/etc/nginx/modules-enabled/60-forward.conf"
-    state: link
-    mode: 0644
-  notify: Reload nginx
-
-- name: Copy 50x error page
-  template:
-    src: www/html/50x.html.j2
-    dest: /var/www/html/50x.html
-    mode: 0644
-
-- name: Indicate role in motd
-  template:
-    src: update-motd.d/05-service.j2
-    dest: /etc/update-motd.d/05-nginx
-    mode: 0755

roles/postfix_non_mailhost/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: restart postfix
+  service:
+    name: postfix
+    state: restarted
+
+- name: reload postfix
+  service:
+    name: postfix
+    state: reloaded

roles/postfix_non_mailhost/tasks/main.yml

@@ -0,0 +1,17 @@
+---
+- name: Install postfix
+  apt:
+    name: postfix
+    update_cache: true
+  register: result
+  retries: 3
+  until: result is succeeded
+
+- name: Configure postfix
+  template:
+    src: main.cf.j2
+    dest: /etc/postfix/main.cf
+    mode: 0644
+    owner: root
+    group: root
+  notify: restart postfix

roles/postfix_non_mailhost/templates/main.cf.j2

@@ -0,0 +1,32 @@
+# {{ ansible_managed }}
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+# Template based on /usr/share/postfix/main.cf.debian
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# Send mail as user@{{ ansible_fqdn }}
+myhostname = {{ ansible_fqdn }}
+myorigin = $myhostname
+mydomain = $myhostname
+
+# Specify the trusted networks
+mynetworks = 127.0.0.0/8 {{ local_network }}
+
+# This host does not relay mail from untrusted networks
+relay_domains =
+
+# This is needed if no direct Internet access is available
+relayhost = {{ relay_host }}

roles/prometheus/tasks/main.yml

@@ -64,6 +64,13 @@
     mode: 0644
   when: prometheus_ups_snmp_targets is defined
 
+- name: Configure Prometheus docker monitoring
+  copy:
+    content: "{{ [{'targets': prometheus_docker_targets }] | to_nice_json }}\n"
+    dest: /etc/prometheus/targets_docker.json
+    mode: 0644
+  when: prometheus_docker_targets is defined
+
 - name: Activate prometheus service
   systemd:
     name: prometheus

roles/prometheus/templates/prometheus/alert.rules.yml.j2

@@ -22,7 +22,7 @@ groups:
     labels:
       severity: warning
     annotations:
-      summary: "Mémoire libre de {{ $labels.instance }} à {{ $value | printf "%.2f" }}%."
+      summary: "Mémoire libre de {{ $labels.instance }} à {{ humanize $value }}%."
 
   # Alert for out of disk space
   - alert: OutOfDiskSpace
@@ -31,7 +31,7 @@ groups:
     labels:
       severity: warning
     annotations:
-      summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.instance }} à {{ $value | printf "%.2f" }}%."
+      summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.instance }} à {{ humanize $value }}%."
 
   # Alert for out of inode space on disk
   - alert: OutOfInodes
@@ -49,7 +49,7 @@ groups:
     labels:
       severity: warning
     annotations:
-      summary: "CPU sur {{ $labels.instance }} à {{ $value | printf "%.2f" }}%."
+      summary: "CPU sur {{ $labels.instance }} à {{ humanize $value }}%."
 
   # Check systemd unit (> buster)
   - alert: SystemdServiceFailed
@@ -59,11 +59,20 @@ groups:
       severity: warning
     annotations:
       summary: "{{ $labels.name }} a échoué sur {{ $labels.instance }}"
+
+  # Check load of instance
+  - alert: LoadUsage
+    expr: node_load1 > 5
+    for: 2m
+    labels:
+      severity: warning
+    annotations:
+      summary: "La charge de {{ $labels.instance }} est à {{ $value }} !"
   
   # Check UPS
   - alert: UpsOutputSourceChanged
     expr: upsOutputSource != 3
-    for: 5m
+    for: 1m
     labels:
       severity: warning
     annotations:
@@ -71,7 +80,7 @@ groups:
 
   - alert: UpsBatteryStatusWarning
     expr: upsBatteryStatus == 3
-    for: 5m
+    for: 2m
     labels:
       severity: warning
     annotations:
@@ -79,7 +88,7 @@ groups:
 
   - alert: UpsBatteryStatusCritical
     expr: upsBatteryStatus == 4
-    for: 5m
+    for: 10m
     labels:
       severity: warning
     annotations:
@@ -95,7 +104,7 @@ groups:
 
   - alert: UpsWrongInputVoltage
     expr: (upsInputVoltage < 210) or (upsInputVoltage > 250)
-    for: 5m
+    for: 10m
     labels:
       severity: warning
     annotations:
@@ -103,7 +112,7 @@ groups:
 
   - alert: UpsWrongOutputVoltage
     expr: (upsOutputVoltage < 220) or (upsOutputVoltage > 240)
-    for: 5m
+    for: 10m
     labels:
       severity: warning
     annotations:
@@ -111,7 +120,7 @@ groups:
 
   - alert: UpsTimeRemainingWarning
     expr: upsEstimatedMinutesRemaining < 15
-    for: 5m
+    for: 1m
     labels:
       severity: warning
     annotations:
@@ -119,7 +128,7 @@ groups:
 
   - alert: UpsTimeRemainingCritical
     expr: upsEstimatedMinutesRemaining < 5
-    for: 5m
+    for: 1m
     labels:
       severity: critical
     annotations:

roles/prometheus/templates/prometheus/prometheus.yml.j2

@@ -81,3 +81,7 @@ scrape_configs:
       - target_label: __address__
         replacement: 127.0.0.1:9116
 
+  - job_name: docker
+    file_sd_configs:
+      - files:
+        - '/etc/prometheus/targets_docker.json'

roles/prometheus/templates/prometheus/snmp.yml.j2

@@ -162,13 +162,31 @@ ubiquiti_unifi:
     indexes:
     - labelname: unifiVapIndex
       type: gauge
-  - name: unifiVapNumStations
+  - name: unifi_vap_num_stations
     oid: 1.3.6.1.4.1.41112.1.6.1.2.1.8
     type: gauge
     help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.8'
     indexes:
-    - labelname: unifiVapIndex
+    - labelname: unifi_vap_index
       type: gauge
+    lookups:
+    - labels: [unifi_vap_index]
+      labelname: unifi_vap_essid
+      oid: 1.3.6.1.4.1.41112.1.6.1.2.1.6
+      type: DisplayString
+    - labels: [unifi_vap_index]
+      labelname: unifi_vap_radio
+      oid: 1.3.6.1.4.1.41112.1.6.1.2.1.9
+      type: DisplayString
+    - labels: []
+      labelname: unifi_vap_index
+#  - name: unifiVapNumStations
+#    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.8
+#    type: gauge
+#    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.8'
+#    indexes:
+#    - labelname: unifiVapIndex
+#      type: gauge
   - name: unifiVapRadio
     oid: 1.3.6.1.4.1.41112.1.6.1.2.1.9
     type: DisplayString

roles/prometheus_federate/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart Prometheus
+  service:
+    name: prometheus
+    state: restarted

roles/prometheus_federate/tasks/main.yml

@@ -0,0 +1,46 @@
+---
+- name: Install Prometheus
+  apt:
+    update_cache: true
+    name:
+      - prometheus
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure Prometheus
+  template:
+    src: prometheus/prometheus.yml.j2
+    dest: /etc/prometheus/prometheus.yml
+    mode: 0644
+  notify: Restart Prometheus
+
+- name: Configure Prometheus alert rules
+  template:
+    src: "prometheus/{{ item }}.j2"
+    dest: "/etc/prometheus/{{ item }}"
+    mode: 0644
+  notify: Restart Prometheus
+  loop:
+    - alert.rules.yml
+    - django.rules.yml
+
+# We don't need to restart Prometheus when updating nodes
+- name: Configure Prometheus Federate devices
+  copy:
+    content: "{{  [{'targets': prometheus_targets }] | to_nice_json }}"
+    dest: /etc/prometheus/targets.json
+    mode: 0644
+  when: prometheus_targets is defined
+
+- name: Activate prometheus service
+  systemd:
+    name: prometheus
+    enabled: true
+    state: started
+
+- name: Indicate role in motd
+  template:
+    src: update-motd.d/05-service.j2
+    dest: /etc/update-motd.d/05-prometheus
+    mode: 0755

roles/prometheus_federate/templates/prometheus/alert.rules.yml.j2

@@ -0,0 +1,138 @@
+# {{ ansible_managed }}
+{# As this is also Jinja2 it will conflict without a raw block #}
+{# Depending of Prometheus Node exporter version, rules can change depending of version #}
+{% raw %}
+groups:
+- name: alert.rules
+  rules:
+
+  # Alert for any instance that is unreachable for >3 minutes.
+  - alert: InstanceDown
+    expr: up == 0
+    for: 3m
+    labels:
+      severity: critical
+    annotations:
+      summary: "Federate : {{ $labels.exported_instance }} est invisible depuis plus de 3 minutes !"
+
+  # Alert for out of memory
+  - alert: OutOfMemory
+    expr: (node_memory_MemFree_bytes + node_memory_Cached_bytes + node_memory_Buffers_bytes) / node_memory_MemTotal_bytes * 100 < 10
+    for: 5m
+    labels:
+      severity: warning
+    annotations:
+      summary: "Federate : Mémoire libre de {{ $labels.exported_instance }} à {{ humanize $value }}%."
+
+  # Alert for out of disk space
+  - alert: OutOfDiskSpace
+    expr: node_filesystem_free_bytes{fstype="ext4"} / node_filesystem_size_bytes{fstype="ext4"} * 100 < 10
+    for: 5m
+    labels:
+      severity: warning
+    annotations:
+      summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.exported_instance }} à {{ humanize $value }}%."
+
+  # Alert for out of inode space on disk
+  - alert: OutOfInodes
+    expr: node_filesystem_files_free{fstype="ext4"} / node_filesystem_files{fstype="ext4"} * 100 < 10
+    for: 5m
+    labels:
+      severity: warning
+    annotations:
+      summary: "Federate : Presque plus d'inodes disponibles ({{ $value }}% restant) dans {{ $labels.mountpoint }} sur {{ $labels.exported_instance }}."
+
+  # Alert for high CPU usage
+  - alert: CpuUsage
+    expr: (100 - avg by (instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) > 75
+    for: 10m
+    labels:
+      severity: warning
+    annotations:
+      summary: "Federate : CPU sur {{ $labels.exported_instance }} à {{ humanize $value }}%."
+
+  # Check systemd unit (> buster)
+  - alert: SystemdServiceFailed
+    expr: node_systemd_unit_state{state="failed"} == 1
+    for: 10m
+    labels:
+      severity: warning
+    annotations:
+      summary: "Federate : {{ $labels.name }} a échoué sur {{ $labels.exported_instance }}"
+
+  # Check load of instance
+  - alert: LoadUsage
+    expr: node_load1 > 5
+    for: 2m
+    labels:
+      severity: warning
+    annotations:
+      summary: "Federate : la charge de {{ $labels.exported_instance }} est à {{ $value }} !"
+
+  # Check UPS
+  - alert: UpsOutputSourceChanged
+    expr: upsOutputSource != 3
+    for: 1m
+    labels:
+      severity: warning
+    annotations:
+      summary: "Federate : La source d'alimentation de {{ $labels.exported_instance }} a changé !"
+
+  - alert: UpsBatteryStatusWarning
+    expr: upsBatteryStatus == 3
+    for: 2m
+    labels:
+      severity: warning
+    annotations:
+      summary: "Federate : L'état de la batterie de {{ $labels.exported_instance }} est faible !"
+
+  - alert: UpsBatteryStatusCritical
+    expr: upsBatteryStatus == 4
+    for: 10m
+    labels:
+      severity: warning
+    annotations:
+      summary: "L'état de la batterie de {{ $labels.exported_instance }} est affaibli !"
+
+  - alert: UpsHighLoad
+    expr: upsOutputPercentLoad > 70
+    for: 5m
+    labels:
+      severity: critical
+    annotations:
+      summary: "Federate : La charge de {{ $labels.exported_instance }} est de {{ $value }}% !"
+
+  - alert: UpsWrongInputVoltage
+    expr: (upsInputVoltage < 210) or (upsInputVoltage > 250)
+    for: 10m
+    labels:
+      severity: warning
+    annotations:
+      summary: "Federate : La tension d'entrée de {{ $labels.exported_instance }} est de {{ $value }}V."
+
+  - alert: UpsWrongOutputVoltage
+    expr: (upsOutputVoltage < 220) or (upsOutputVoltage > 240)
+    for: 10m
+    labels:
+      severity: warning
+    annotations:
+      summary: "Federate : La tension de sortie de {{ $labels.exported_instance }} est de {{ $value }}V."
+
+  - alert: UpsTimeRemainingWarning
+    expr: upsEstimatedMinutesRemaining < 15
+    for: 1m
+    labels:
+      severity: warning
+    annotations:
+      summary: "Federate : L'autonomie restante sur {{ $labels.exported_instance }} est de {{ $value }} min."
+
+  - alert: UpsTimeRemainingCritical
+    expr: upsEstimatedMinutesRemaining < 5
+    for: 1m
+    labels:
+      severity: critical
+    annotations:
+      summary: "Federate : L'autonomie restante sur {{ $labels.exported_instance }} est de {{ $value }} min."
+
+
+{% endraw %}

roles/prometheus_federate/templates/prometheus/django.rules.yml.j2

@@ -0,0 +1,106 @@
+# {{ ansible_managed }}
+{# As this is also Jinja2 it will conflict without a raw block #}
+{% raw %}
+groups:
+- name: django.rules
+  rules:
+  - record: job:django_http_requests_before_middlewares_total:sum_rate30s
+    expr: sum(rate(django_http_requests_before_middlewares_total[30s])) BY (job)
+  - record: job:django_http_requests_unknown_latency_total:sum_rate30s
+    expr: sum(rate(django_http_requests_unknown_latency_total[30s])) BY (job)
+  - record: job:django_http_ajax_requests_total:sum_rate30s
+    expr: sum(rate(django_http_ajax_requests_total[30s])) BY (job)
+  - record: job:django_http_responses_before_middlewares_total:sum_rate30s
+    expr: sum(rate(django_http_responses_before_middlewares_total[30s])) BY (job)
+  - record: job:django_http_requests_unknown_latency_including_middlewares_total:sum_rate30s
+    expr: sum(rate(django_http_requests_unknown_latency_including_middlewares_total[30s]))
+      BY (job)
+  - record: job:django_http_requests_body_total_bytes:sum_rate30s
+    expr: sum(rate(django_http_requests_body_total_bytes[30s])) BY (job)
+  - record: job:django_http_responses_streaming_total:sum_rate30s
+    expr: sum(rate(django_http_responses_streaming_total[30s])) BY (job)
+  - record: job:django_http_responses_body_total_bytes:sum_rate30s
+    expr: sum(rate(django_http_responses_body_total_bytes[30s])) BY (job)
+  - record: job:django_http_requests_total:sum_rate30s
+    expr: sum(rate(django_http_requests_total_by_method[30s])) BY (job)
+  - record: job:django_http_requests_total_by_method:sum_rate30s
+    expr: sum(rate(django_http_requests_total_by_method[30s])) BY (job, method)
+  - record: job:django_http_requests_total_by_transport:sum_rate30s
+    expr: sum(rate(django_http_requests_total_by_transport[30s])) BY (job, transport)
+  - record: job:django_http_requests_total_by_view:sum_rate30s
+    expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) BY (job,
+      view)
+  - record: job:django_http_requests_total_by_view_transport_method:sum_rate30s
+    expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) BY (job,
+      view, transport, method)
+  - record: job:django_http_responses_total_by_templatename:sum_rate30s
+    expr: sum(rate(django_http_responses_total_by_templatename[30s])) BY (job, templatename)
+  - record: job:django_http_responses_total_by_status:sum_rate30s
+    expr: sum(rate(django_http_responses_total_by_status[30s])) BY (job, status)
+  - record: job:django_http_responses_total_by_charset:sum_rate30s
+    expr: sum(rate(django_http_responses_total_by_charset[30s])) BY (job, charset)
+  - record: job:django_http_exceptions_total_by_type:sum_rate30s
+    expr: sum(rate(django_http_exceptions_total_by_type[30s])) BY (job, type)
+  - record: job:django_http_exceptions_total_by_view:sum_rate30s
+    expr: sum(rate(django_http_exceptions_total_by_view[30s])) BY (job, view)
+  - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
+    expr: histogram_quantile(0.5, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s]))
+      BY (job, le))
+    labels:
+      quantile: "50"
+  - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
+    expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s]))
+      BY (job, le))
+    labels:
+      quantile: "95"
+  - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
+    expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s]))
+      BY (job, le))
+    labels:
+      quantile: "99"
+  - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
+    expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s]))
+      BY (job, le))
+    labels:
+      quantile: "99.9"
+  - record: job:django_http_requests_latency_seconds:quantile_rate30s
+    expr: histogram_quantile(0.5, sum(rate(django_http_requests_latency_seconds_bucket[30s]))
+      BY (job, le))
+    labels:
+      quantile: "50"
+  - record: job:django_http_requests_latency_seconds:quantile_rate30s
+    expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_seconds_bucket[30s]))
+      BY (job, le))
+    labels:
+      quantile: "95"
+  - record: job:django_http_requests_latency_seconds:quantile_rate30s
+    expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_seconds_bucket[30s]))
+      BY (job, le))
+    labels:
+      quantile: "99"
+  - record: job:django_http_requests_latency_seconds:quantile_rate30s
+    expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_seconds_bucket[30s]))
+      BY (job, le))
+    labels:
+      quantile: "99.9"
+  - record: job:django_model_inserts_total:sum_rate1m
+    expr: sum(rate(django_model_inserts_total[1m])) BY (job, model)
+  - record: job:django_model_updates_total:sum_rate1m
+    expr: sum(rate(django_model_updates_total[1m])) BY (job, model)
+  - record: job:django_model_deletes_total:sum_rate1m
+    expr: sum(rate(django_model_deletes_total[1m])) BY (job, model)
+  - record: job:django_db_new_connections_total:sum_rate30s
+    expr: sum(rate(django_db_new_connections_total[30s])) BY (alias, vendor)
+  - record: job:django_db_new_connection_errors_total:sum_rate30s
+    expr: sum(rate(django_db_new_connection_errors_total[30s])) BY (alias, vendor)
+  - record: job:django_db_execute_total:sum_rate30s
+    expr: sum(rate(django_db_execute_total[30s])) BY (alias, vendor)
+  - record: job:django_db_execute_many_total:sum_rate30s
+    expr: sum(rate(django_db_execute_many_total[30s])) BY (alias, vendor)
+  - record: job:django_db_errors_total:sum_rate30s
+    expr: sum(rate(django_db_errors_total[30s])) BY (alias, vendor, type)
+  - record: job:django_migrations_applied_total:max
+    expr: max(django_migrations_applied_total) BY (job, connection)
+  - record: job:django_migrations_unapplied_total:max
+    expr: max(django_migrations_unapplied_total) BY (job, connection)
+{% endraw %}

roles/prometheus_federate/templates/prometheus/prometheus.yml.j2

@@ -0,0 +1,56 @@
+# {{ ansible_managed }}
+
+global:
+  # scrape_interval is set to the global default (60s)
+  # evaluation_interval is set to the global default (60s)
+  # scrape_timeout is set to the global default (10s).
+
+  # Attach these labels to any time series or alerts when communicating with
+  # external systems (federation, remote storage, Alertmanager).
+  external_labels:
+      monitor: 'example'
+
+# Alertmanager configuration
+# Use prometheus alertmanager installed on the same machine
+alerting:
+  alertmanagers:
+  - static_configs:
+    - targets: ['{{ prometheus_alertmanager }}']
+
+# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
+rule_files:
+  - "alert.rules.yml"  # Monitoring alerts, this is the file you may be searching!
+  - "django.rules.yml"  # Custom rules specific for Django project monitoring
+
+# A scrape configuration containing exactly one endpoint to scrape:
+# Here it's Prometheus itself.
+scrape_configs:
+  # The .json in file_sd_configs is dynamically reloaded
+
+
+  - job_name: federate
+    scrape_interval: 15s
+    metrics_path: '/federate'
+    file_sd_configs:
+      - files:
+        - '/etc/prometheus/targets.json'
+    relabel_configs:
+      # Do not put :9100 in instance name, rather here
+      - source_labels: [__address__]
+        target_label: __param_target
+      - source_labels: [__param_target]
+        target_label: instance
+      - source_labels: [__param_target]
+        target_label: __address__
+        replacement: '$1:9090'
+    params:
+      'match[]':
+        - '{job="servers"}'
+        - '{job="prometheus"}'
+        - '{job="unifi_snmp"}'
+        - '{job="django"}'
+        - '{job="ups_snmp"}'
+        - '{job="django"}'
+        - '{job="docker"}'
+        - '{job="switch"}'
+

roles/prometheus_federate/templates/prometheus/snmp.yml.j2

@@ -0,0 +1,387 @@
+# {{ ansible_managed }}
+# TODOlist :
+# - Faire fonctionner le monitoring des switchs défini ici
+#   * Configurer tous les switchs avec un compte SNMPv3
+#   * Mettre l'inventaire des switchs dans Ansible
+# - Optimiser les règles pour les bornes Unifi,
+#   on pourrait indexer avec les SSID
+
+eatonups:
+  walk:
+  - 1.3.6.1.2.1.33.1.2
+  - 1.3.6.1.2.1.33.1.3
+  - 1.3.6.1.2.1.33.1.4
+  - 1.3.6.1.4.1.534.1.6
+  get:
+  - 1.3.6.1.2.1.1.3.0
+  metrics:
+  - name: sysUpTime
+    oid: 1.3.6.1.2.1.1.3
+    type: gauge
+    help: The time (in hundredths of a second) since the network management portion
+      of the system was last re-initialized. - 1.3.6.1.2.1.1.3
+  - name: upsBatteryStatus
+    oid: 1.3.6.1.2.1.33.1.2.1
+    type: gauge
+    help: The indication of the capacity remaining in the UPS system's batteries -
+      1.3.6.1.2.1.33.1.2.1
+  - name: upsEstimatedMinutesRemaining
+    oid: 1.3.6.1.2.1.33.1.2.3
+    type: gauge
+    help: An estimate of the time to battery charge depletion under the present load
+      conditions if the utility power is off and remains off, or if it were to be
+      lost and remain off. - 1.3.6.1.2.1.33.1.2.3
+  - name: upsInputVoltage
+    oid: 1.3.6.1.2.1.33.1.3.3.1.3
+    type: gauge
+    help: The magnitude of the present input voltage. - 1.3.6.1.2.1.33.1.3.3.1.3
+    indexes:
+    - labelname: upsInputLineIndex
+      type: gauge
+  - name: upsOutputSource
+    oid: 1.3.6.1.2.1.33.1.4.1
+    type: gauge
+    help: The present source of output power - 1.3.6.1.2.1.33.1.4.1
+  - name: upsOutputVoltage
+    oid: 1.3.6.1.2.1.33.1.4.4.1.2
+    type: gauge
+    help: The present output voltage. - 1.3.6.1.2.1.33.1.4.4.1.2
+    indexes:
+    - labelname: upsOutputLineIndex
+      type: gauge
+  - name: upsOutputPower
+    oid: 1.3.6.1.2.1.33.1.4.4.1.4
+    type: gauge
+    help: The present output true power. - 1.3.6.1.2.1.33.1.4.4.1.4
+    indexes:
+    - labelname: upsOutputLineIndex
+      type: gauge
+  - name: upsOutputPercentLoad
+    oid: 1.3.6.1.2.1.33.1.4.4.1.5
+    type: gauge
+    help: The percentage of the UPS power capacity presently being used on this output
+      line, i.e., the greater of the percent load of true power capacity and the percent
+      load of VA. - 1.3.6.1.2.1.33.1.4.4.1.5
+    indexes:
+    - labelname: upsOutputLineIndex
+      type: gauge
+  - name: xupsEnvRemoteTemp
+    oid: 1.3.6.1.4.1.534.1.6.5
+    type: gauge
+    help: The reading of an EMP's temperature sensor. - 1.3.6.1.4.1.534.1.6.5
+  - name: xupsEnvRemoteHumidity
+    oid: 1.3.6.1.4.1.534.1.6.6
+    type: gauge
+    help: The reading of an EMP's humidity sensor. - 1.3.6.1.4.1.534.1.6.6
+  version: 1
+  auth:
+    community: public
+
+
+procurve_switch:
+  walk:
+  - 1.3.6.1.2.1.31.1.1.1.10
+  - 1.3.6.1.2.1.31.1.1.1.6
+  get:
+  - 1.3.6.1.2.1.1.3.0
+  - 1.3.6.1.2.1.1.5.0
+  - 1.3.6.1.2.1.1.6.0
+  metrics:
+  - name: sysUpTime
+    oid: 1.3.6.1.2.1.1.3
+    type: gauge
+    help: The time (in hundredths of a second) since the network management portion
+      of the system was last re-initialized. - 1.3.6.1.2.1.1.3
+  - name: sysName
+    oid: 1.3.6.1.2.1.1.5
+    type: DisplayString
+    help: An administratively-assigned name for this managed node - 1.3.6.1.2.1.1.5
+  - name: sysLocation
+    oid: 1.3.6.1.2.1.1.6
+    type: DisplayString
+    help: The physical location of this node (e.g., 'telephone closet, 3rd floor')
+      - 1.3.6.1.2.1.1.6
+  - name: ifHCOutOctets
+    oid: 1.3.6.1.2.1.31.1.1.1.10
+    type: counter
+    help: The total number of octets transmitted out of the interface, including framing
+      characters - 1.3.6.1.2.1.31.1.1.1.10
+    indexes:
+    - labelname: ifIndex
+      type: gauge
+  - name: ifHCInOctets
+    oid: 1.3.6.1.2.1.31.1.1.1.6
+    type: counter
+    help: The total number of octets received on the interface, including framing
+      characters - 1.3.6.1.2.1.31.1.1.1.6
+    indexes:
+    - labelname: ifIndex
+      type: gauge
+  version: 3
+  auth:
+    username: prometheus
+
+ubiquiti_unifi:
+  walk:
+  - 1.3.6.1.4.1.41112.1.6
+  get:
+  - 1.3.6.1.2.1.1.5.0
+  - 1.3.6.1.2.1.1.6.0
+  metrics:
+# Pour faire une WifiMap un jour, on peut entrer la location dans la conf des bornes
+#  - name: sysLocation
+#    oid: 1.3.6.1.2.1.1.6
+#    type: DisplayString
+#    help: The physical location of this node (e.g., 'telephone closet, 3rd floor')
+#      - 1.3.6.1.2.1.1.6
+  - name: unifiVapIndex
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.1
+    type: gauge
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.1'
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifiVapChannel
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.4
+    type: gauge
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.4'
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifiVapEssId
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.6
+    type: DisplayString
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.6'
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifiVapName
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.7
+    type: DisplayString
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.7'
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifi_vap_num_stations
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.8
+    type: gauge
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.8'
+    indexes:
+    - labelname: unifi_vap_index
+      type: gauge
+    lookups:
+    - labels: [unifi_vap_index]
+      labelname: unifi_vap_essid
+      oid: 1.3.6.1.4.1.41112.1.6.1.2.1.6
+      type: DisplayString
+    - labels: [unifi_vap_index]
+      labelname: unifi_vap_radio
+      oid: 1.3.6.1.4.1.41112.1.6.1.2.1.9
+      type: DisplayString
+    - labels: []
+      labelname: unifi_vap_index
+#  - name: unifiVapNumStations
+#    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.8
+#    type: gauge
+#    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.8'
+#    indexes:
+#    - labelname: unifiVapIndex
+#      type: gauge
+  - name: unifiVapRadio
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.9
+    type: DisplayString
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.9'
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifiVapRxBytes
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.10
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.10'
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifiVapRxCrypts
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.11
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.11'
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifiVapRxDropped
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.12
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.12'
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifiVapRxErrors
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.13
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.13'
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifiVapRxFrags
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.14
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.14'
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifiVapRxPackets
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.15
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.15'
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifiVapTxBytes
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.16
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.16'
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifiVapTxDropped
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.17
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.17'
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifiVapTxErrors
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.18
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.18'
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifiVapTxPackets
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.19
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.19'
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifiVapTxRetries
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.20
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.20'
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifiVapTxPower
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.21
+    type: gauge
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.21'
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifiVapUp
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.22
+    type: gauge
+    help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.22'
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifiVapUsage
+    oid: 1.3.6.1.4.1.41112.1.6.1.2.1.23
+    type: DisplayString
+    help: guest or regular user - 1.3.6.1.4.1.41112.1.6.1.2.1.23
+    indexes:
+    - labelname: unifiVapIndex
+      type: gauge
+  - name: unifiIfIndex
+    oid: 1.3.6.1.4.1.41112.1.6.2.1.1.1
+    type: gauge
+    help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.1'
+    indexes:
+    - labelname: unifiIfIndex
+      type: gauge
+  - name: unifiIfName
+    oid: 1.3.6.1.4.1.41112.1.6.2.1.1.5
+    type: DisplayString
+    help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.5'
+    indexes:
+    - labelname: unifiIfIndex
+      type: gauge
+  - name: unifiIfRxBytes
+    oid: 1.3.6.1.4.1.41112.1.6.2.1.1.6
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.6'
+    indexes:
+    - labelname: unifiIfIndex
+      type: gauge
+  - name: unifiIfRxDropped
+    oid: 1.3.6.1.4.1.41112.1.6.2.1.1.7
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.7'
+    indexes:
+    - labelname: unifiIfIndex
+      type: gauge
+  - name: unifiIfRxError
+    oid: 1.3.6.1.4.1.41112.1.6.2.1.1.8
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.8'
+    indexes:
+    - labelname: unifiIfIndex
+      type: gauge
+  - name: unifiIfRxMulticast
+    oid: 1.3.6.1.4.1.41112.1.6.2.1.1.9
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.9'
+    indexes:
+    - labelname: unifiIfIndex
+      type: gauge
+  - name: unifiIfRxPackets
+    oid: 1.3.6.1.4.1.41112.1.6.2.1.1.10
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.10'
+    indexes:
+    - labelname: unifiIfIndex
+      type: gauge
+  - name: unifiIfTxBytes
+    oid: 1.3.6.1.4.1.41112.1.6.2.1.1.12
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.12'
+    indexes:
+    - labelname: unifiIfIndex
+      type: gauge
+  - name: unifiIfTxDropped
+    oid: 1.3.6.1.4.1.41112.1.6.2.1.1.13
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.13'
+    indexes:
+    - labelname: unifiIfIndex
+      type: gauge
+  - name: unifiIfTxError
+    oid: 1.3.6.1.4.1.41112.1.6.2.1.1.14
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.14'
+    indexes:
+    - labelname: unifiIfIndex
+      type: gauge
+  - name: unifiIfTxPackets
+    oid: 1.3.6.1.4.1.41112.1.6.2.1.1.15
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.2.1.1.15'
+    indexes:
+    - labelname: unifiIfIndex
+      type: gauge
+  - name: unifiApSystemModel
+    oid: 1.3.6.1.4.1.41112.1.6.3.3
+    type: DisplayString
+    help: ' - 1.3.6.1.4.1.41112.1.6.3.3'
+  - name: unifiApSystemUptime
+    oid: 1.3.6.1.4.1.41112.1.6.3.5
+    type: counter
+    help: ' - 1.3.6.1.4.1.41112.1.6.3.5'
+  version: 3
+  auth:
+    security_level: authPriv
+    username: snmp_prometheus
+    password: {{ snmp_unifi_password }}
+    auth_protocol: SHA
+    priv_protocol: AES
+    priv_password: {{ snmp_unifi_password }}

roles/prometheus_federate/templates/update-motd.d/05-service.j2

@@ -0,0 +1,4 @@
+#!/bin/sh
+# {{ ansible_managed }}
+echo "> prometheus a été déployé sur cette machine."
+echo "  Voir /etc/prometheus/"

roles/radius/tasks/main.yml

@@ -106,12 +106,11 @@
 
 - name: Install radius requirements (except freeradius-python3)
   shell:
-    cmd: "{{ item }}"
+    cmd: "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
     chdir: /var/www/re2o/
-  loop:
-    - "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
-    - "pip3 install -r pip_requirements.txt"
 
+- name: Install PyPi requirements for radius
+  command: "pip3 install -r /var/www/re2o/pip_requirements.txt"
 
 # End of hideousness (hopefully).
 

roles/router/tasks/main.yml

@@ -30,11 +30,19 @@
     mode: 0644
   when: "'routeur-aurore' in ansible_hostname"
 
+- name: Install ipset
+  apt:
+    name: ipset
+    update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
 - name: Install aurore-firewall (re2o-service)
   import_role:
-    name: re2o-service
+    name: re2o_service
   vars:
-    service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git
+    service_repo: https://gitea.auro.re/Aurore/aurore-firewall.git
     service_name: aurore-firewall
     service_version: aurore
     service_config:

roles/router/templates/firewall_config.py

@@ -31,7 +31,7 @@ role = ['routeur']
 ### Specify each interface role
 
 interfaces_type = {
-    'routable' : ['ens20', 'ens21'],
+    'routable' : ['ens20', 'ens21', 'ens23'],
     'sortie' : ['ens19'],
     'admin' : ['ens18']
 }
@@ -57,9 +57,53 @@ nat = [
         },
         'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',
         'extra_nat' : {
-            '10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{
+            'ens19': {
+                '10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{
                 apartment_block_id }}',
-            '10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}'
+                '10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}',
+            },
         }
+    },
+    {
+        'name': 'Accueil',
+        'ip_sources': '10.{{ subnet_ids.users_accueil }}.0.0/16',
+        'extra_nat': {
+            'ens19': {
+                '10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{ apartment_block_id }}',
+                '10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}',
+            },
+            'ens23' : {
+                '10.{{ subnet_ids.users_accueil }}.1.0/24': '10.{{ subnet_ids.users_accueil }}.0.240',
+                '10.{{ subnet_ids.users_accueil }}.2.0/24': '10.{{ subnet_ids.users_accueil }}.0.240',
+            },
+        },
+        'extra_nat_group': {
+            'ens19': 'accueil_ens23_allowed',
+        },
+    },
+]
+
+# ATTENTION: on doit avoir retry ≥ grace
+# ATTENTION: il faut que ip_redirect gère tous les ports
+# autorisés dans le profile re2o, sinon on laisse sortir
+# du trafic
+accueils = [
+    {
+        'iface': 'ens23',
+        'grace_period': 1800,
+        'retry_period': 86400,
+        'ip_sources': [
+            '10.{{ subnet_ids.users_accueil }}.1.0/24',
+            '10.{{ subnet_ids.users_accueil }}.2.0/24',
+        ],
+        'ip_redirect': {
+            "tcp": {
+                "10.{{ subnet_ids.users_accueil }}.0.247": ["80", "443"],
+            }
+        },
+        'triggers': [
+            ('4', 'tcp', '46.255.53.35', 443),  # ComNPay
+            ('4', 'tcp', '46.255.53.35', 80),
+        ]
     }
 ]

roles/router/templates/firewall_config_aurore.py

@@ -41,9 +41,11 @@ nat = [
     {
         'name' : 'AdminVlans',
         'extra_nat' : {
-            '10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}',
-            '10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
-            '10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}'
+            'ens18': {
+                '10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}',
+                '10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
+                '10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
+            },
         }
     }
 ]

roles/router/templates/keepalived.conf

@@ -50,6 +50,9 @@ vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 {
 
         # Wifi
         10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
+
+	# Accueil
+        10.{{ subnet_ids.users_accueil }}.0.254/16 brd 10.{{ subnet_ids.users_accueil }}.255.255 dev ens23 scope global
    }
 
 

roles/unbound/templates/recursive.conf.j2

@@ -23,12 +23,14 @@ server:
     interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
     interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
     interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
+    interface: 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix }}
 
 
     # IPv6
     interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }}
     interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }}
     interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }}
+    interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_accueil }}::0:{{ dns_host_suffix }}
 
  
     # By default, anything other than localhost is refused.
@@ -36,12 +38,11 @@ server:
     access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
     access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
     access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
+    access-control: 10.{{ subnet_ids.users_accueil }}.0.0/16 allow
     access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :)
 
     num-threads: {{ ansible_processor_vcpus }}
 
-    private-address: 10.0.0.0/8
-
     # The host cache TTL affects blacklisting of supposedly bogus hosts.
     # The default was 900 (15 minutes).
     infra-host-ttl: 60

services_web.yml

@@ -10,8 +10,19 @@
   roles:
     - passbolt
 
-# Deploy reverse proxy
-- hosts: proxy*.adm.auro.re
+- hosts: reverseproxy
+  vars:
+    certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
+    nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
+    reverseproxy: '{{ glob_reverseproxy | default({}) | combine(loc_reverseproxy | default({})) }}'
   roles:
     - certbot
-    - nginx_reverseproxy
+    - nginx
+
+- hosts: nginx,!reverseproxy
+  vars:
+    certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
+    nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
+  roles:
+    - certbot
+    - nginx

utils/README.md

@@ -0,0 +1,4 @@
+# Utils
+
+A repository of Ansible Playbooks that are useful, as little script or various
+utilities, but not used in production.

utils/re2o_mail_server.yml

@@ -0,0 +1,13 @@
+---
+# Deploy Re2o mail service
+- hosts: mail.auro.re
+  vars:
+    service_repo: https://gitea.auro.re/aurore/re2o-mail-server.git
+    service_name: mail-server
+    service_version: aurore
+    service_config:
+      hostname: re2o-test.adm.auro.re  # use test instance for now, should be changed for prod!
+      username: service-user
+      password: "{{ vault_serviceuser_passwd }}"
+  roles:
+    - re2o-service

utils/reboot_needed_check.yml

@@ -0,0 +1,31 @@
+#!/usr/bin/env ansible-playbook
+---
+# Check if a reboot is required by the installation of some packages (ie kernel)
+- hosts: localhost
+  tasks:
+    - name: Make sure local file exist but is empty  # weird hack, I know
+      copy:
+        dest: /tmp/ansible_dump_reboot_needed.txt
+        content: ""
+        force: true
+        mode: 0644
+
+- hosts: all,!unifi,!escalope.adm.auro.re,!loki.adm.auro.re,!viviane.adm.auro.re,!vpn-ovh.adm.auro.re
+  tasks:
+    # Register the output of the file /var/run/reboot-required.pkgs
+    - name: Register if boot is required
+      shell: if [ -e /var/run/reboot-required.pkgs ]; then cat /var/run/reboot-required.pkgs; fi
+      register: result
+
+    - name: DEBUG
+      debug:
+        msg: "{{ ansible_facts['nodename'] }} : {{ result.stdout }}"
+      when: result.stdout is defined
+
+    # Add info line by line
+    - name: Dump all info into the local file
+      delegate_to: localhost
+      lineinfile:
+        path: /tmp/ansible_dump_reboot_needed.txt
+        line: "{{ ansible_facts['nodename'] }} : {{ result.stdout }}"
+      when: result.stdout is defined

utils/version_check.yml

@@ -0,0 +1,21 @@
+#!/usr/bin/env ansible-playbook
+---
+# Check for the distribution
+- hosts: localhost
+  tasks:
+    - name: Make sure local file exist but is empty  # weird hack, I know
+      copy:
+        dest: /tmp/ansible_dump_reboot_needed.txt
+        content: ""
+        force: true
+        mode: 0644
+
+- hosts: all,!unifi
+  tasks:
+    # Add info line by line
+    - name: Dump all info into the local file
+      delegate_to: localhost
+      lineinfile:
+        path: /tmp/ansible_dump_dist_version.txt
+        line: "[{{ ansible_facts['nodename'] }}] {{ ansible_fqdn }} : {{
+                ansible_distribution }} {{ ansible_distribution_version }}"