diff --git a/.ansible-lint b/.ansible-lint
index a85e701..d98efd4 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,7 +1,10 @@
skip_list:
- - '301'
+ - no-changed-when
+ - load-failure
+ - document-start
warn_list:
- - '305' # Use shell only when shell functionality is required
- - '503' # Tasks that run when changed should likely be handlers
- experimental # all rules tagged as experimental
+
+exclude_paths:
+- group_vars/all/vault.yml
diff --git a/.drone.yml b/.drone.yml
index 416e400..eb6ce40 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -4,16 +4,9 @@ type: docker
name: check
steps:
- - name: yamllint
- image: python:3.9-alpine
+ - name: ansible and yaml linting
+ pull: never
+ image: aurore-ansible-lint-image
commands:
- - pip install yamllint==1.25.0
- - yamllint -c .yamllint.yml .
-
- - name: ansible-lint
- image: python:3.9-alpine
- commands:
- - apk add --no-cache gcc libc-dev libffi-dev openssl-dev
- - pip install ansible-lint==4.3.7
- - ansible-lint *.yml
+ - ansible-lint
...
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
deleted file mode 100644
index c62f35b..0000000
--- a/.gitlab-ci.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-image: python:3.9-alpine
-
-stages:
- - lint
-
-yamllint:
- stage: lint
- script:
- - pip install yamllint==1.25.0
- - yamllint -c .yamllint.yml .
-
-ansible-lint:
- stage: lint
- script:
- - apk add gcc libc-dev libffi-dev openssl-dev
- - pip install ansible-lint==4.3.7
- - ansible-lint *.yml
-...
diff --git a/.yamllint.yml b/.yamllint.yml
index c8666c8..af15be3 100644
--- a/.yamllint.yml
+++ b/.yamllint.yml
@@ -6,6 +6,5 @@ rules:
max: 120
level: warning
document-start:
- ignore: |
- /groups_var/all/vault.yml
+ ignore: group_vars/all/vault.yml
...
diff --git a/README.md b/README.md
index 00897a4..cb8683f 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,5 @@
+[](https://drone.auro.re/Aurore/ansible)
+
# Recettes Ansible d'Aurore
Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore.
diff --git a/deploy_postfix_non_mailhost.yml b/deploy_postfix_non_mailhost.yml
new file mode 100644
index 0000000..e335928
--- /dev/null
+++ b/deploy_postfix_non_mailhost.yml
@@ -0,0 +1,8 @@
+---
+# Deploy a correclty configured postfix on non mailhost servers
+- hosts: all,!unifi
+ vars:
+ local_network: 10.128.0.0/16
+ relay_host: proxy.adm.auro.re
+ roles:
+ - postfix_non_mailhost
diff --git a/docker-ansible-lint/Dockerfile b/docker-ansible-lint/Dockerfile
new file mode 100644
index 0000000..5d60549
--- /dev/null
+++ b/docker-ansible-lint/Dockerfile
@@ -0,0 +1,7 @@
+FROM python:3.9-alpine
+LABEL description="Aurore's docker image for ansible-lint"
+
+RUN apk add --no-cache gcc musl-dev python3-dev libffi-dev openssl-dev cargo
+RUN pip install "yamllint>=1.26.0,<2.0"
+RUN pip install "ansible-lint==5.0.0"
+RUN pip install "ansible>=2.10,<2.11"
diff --git a/docker-ansible-lint/README.md b/docker-ansible-lint/README.md
new file mode 100644
index 0000000..adabac3
--- /dev/null
+++ b/docker-ansible-lint/README.md
@@ -0,0 +1,18 @@
+# Ansible-lint image
+
+In order to build this image when a new version comes out, you need to
+1. ssh into the `drone.adm.auro.re` server
+2. git pull this repo to the lastest version
+3. optionally make the changes if it has not been done yet
+4. `sudo docker build -t aurore-ansible-lint-image docker-ansible-lint/`
+5. ???
+6. enjoy
+
+You can verify that the image was correclty built by running
+```
+# list the images present
+sudo docker image ls
+
+# run your image with an interactive shell
+sudo docker run -it --rm aurore-ansible-lint-image /bin/sh
+```
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index b813ba3..3666f5b 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,174 +1,179 @@
$ANSIBLE_VAULT;1.1;AES256
-34336231623938346631313932323131336439623837626366646338396137633436646365386639
-6332383765386235396331373836366230663563376665380a616436373136633933376435653230
-64333963663436393265666434653164643164616134353665306462326666623530383838343135
-3531343533656332350a343432336636316131386132306238653736633966363235623833343638
-38643061383963396466346536343061653034333037393664356661376565643765306462626231
-39326233363962373839303464333833306532343834306232653731326135653934643836323639
-36343937626536346331613263663865346634666534646266623061303639626636393230616261
-32336366356439353738633234326138656464656630303362623664616634306230623538373965
-32346439306337623737616666353830626630373562366436653131393532313035303836326430
-64613235646366616533313065396663366434363832333535336631323366336437396664303834
-30336466313064636565326564356435306136396363373464326534303366323262303732626661
-38326663313332633530353739346538343434316133343066313530366637376135323564306537
-65626261303231656432333364333965663065346436626631666466643934623064333163626339
-32633565303734303862326365336339346133393431636266303530626564326361653230626536
-32313231373037633134623761663832393666353732613965613436323939343233613433343538
-37326438383130303861316663396333376662386337353964633930353536653437653061356635
-35646232343535313130646237643835376162623639333961323964353830653366626438346237
-36343663346332656537363434396633336161373730663364306239306432343930643230656465
-37633537616232656661313764626232303535383563353861396431643735326162383866626231
-61383165613332666537656137636430323332326335323763303537386662646263353539613964
-37323966306364306436653033393931663239383435613836356164633135306233356364313036
-39356661613434633930633066646437636535313565356366303732613731333062643231313035
-65333461396131663764626665393562623030343561313136363964393664376136303839333664
-65313465623331333538393734373264313562643232666130303930333662616465656432363039
-66616530336666343861336434633063343561323931323931346132376263376565313366306639
-64646465303432333136353661323936633965666364356633653861363139616562653834313861
-63306133613066373462383236613939316130623937643939323134343936356638376335323836
-39383334656236633037633230313138326238303863623231353465346661663162623138353461
-33343738613137366364633730346261366564646161373837613865393233663431636361663962
-38313230363737306265636435353533666262333666383639343364633464396566333433333538
-39643934646537653234336361613664333434623739353831316531313666396638333136343638
-33653034366362363562633462303165626333306664326366353334363964663936616430643662
-30616334326638323133366632663237356238353934323361376237613632396134663536336364
-39363439326335363437373939353564646663616464663763353931323233316135656634343137
-34396130386134386331643534353461663963323435656337653032376565313635623231343135
-34303130316239303065386134663332393938636332363665643832326439653733633231346537
-63383634333034323434376237663932613638363835393837613632663265616363303233653539
-61333765313463616665613136303533343230303735626437343635303934613365326166333966
-66613538393466666630363333643730653239393435616634303430396635383631613439623433
-36646431393865666162373232343335356366366633633264326639643434396234313863333163
-63396534623931633833656565396635333133376165613031663831633564663061656131303564
-61303132666264636139313738643161313134643733633366376538366135663135333333333564
-64366262353837363061653663616265393264373230346330636465336439623063636639356136
-65383638643961326661396336373163643832366561363764626461623662333436373136616437
-30316537653432356133616338353165633462643634323563306366343965326635363863316232
-61633135643861333635383464383937306236626632366235363433313335663431366531356337
-37303465323638383930336138356665343966336137356137656564303733373565366162343330
-38326366653733376138356339313564616165626235356363343430353239616339656239323964
-31643734653263653461333135386261646265323134633334376262323330396634643764323635
-30336262323035613338333166353364333836623865393132613338393237363734616330366463
-64646163303337323531636532383438356237306337656439663565643032633462316366663164
-33613039326337353531303831313136653539353261373930613030383134653261363833653439
-31343662623035393238646263633066653362323434306137633339393330376462356139333362
-35363436356530363134663064653031376561343732346262383333353733363136396262643135
-31326566303535343833326562376464643632363434323839366366626134303830323563633237
-37313964353033316163303738636632346137353437333463303135323631383132623133663130
-32373163393861366137303138363134653534613236636439623731393837306130626638343134
-39313532386338343662333134353761653162663665396664366239633536613132313735373334
-37613161383633653861376433633632333163653439633938386137313632396137616337373465
-65383238396439666537313833663364333731613434333739393161363437306665363834653761
-34303464386633633163353636643964393233383232623765373239376633393139326630653765
-62646439646534376234323661383063656463313437323231333165626163626262626562376338
-62646362346261313738323830613037663035666361386139666432613230346334323063326239
-65303065343061613736343663363630336333623439383032313137616131623933323636306331
-34636130626338303039356137353532346562363531623936316162336663306437386532363236
-36333661316161613237343032623764396435346632363963643438316430666539393566353939
-33333234313839636537366465356364303438313830663261373563346538626432313139303030
-33333066626463663663643833323764643737386162663766356665643064313263376434353038
-37643630643737663566653562353261333734636262626437393239383063613661643166626630
-31313564346239396561326162333534376264616435313762623032636432363832383630343964
-30343663643935633465393465626131633931623930653962303830333065363435383237653566
-65646632376330306437663334313932653230653562356338663366616463303466366263366137
-64633934626339633235386630396561376130373763313137386531356637633863393035306634
-65353432323235363135633832373032623837376333346131303162303464616234313062316563
-64646634633963663032613533636665333335656539323238623362306363313835626632306236
-30663637356463363530316434316639326639633539333335633330333834643035353932313638
-64356565653065666131373538356462306633343161376537323762313666373235353236313963
-65613561633266306632616538616461626532666435663038646138386430376164663766363138
-35316262393065653739323035666531333330326235386133383834383865356635666537333533
-31376138353231313262646334386566376264323066373934666363313431643738383064666437
-36656437313039656666373530346534393735353163646635663839326366643333393665626464
-36616637303631653661373433653865323634363065303433386534363064356564636465366265
-31333064383233636538393032376234663663353162343530376631356533653231303730396465
-33366162376464633633313664303939306330613865663431653037303061633130626635653638
-66626264363333376463386666313663333964333137333231303361616533393236373861656534
-32326335306566623332396638383133353434363565316432353963353062313662326361336537
-34396632656234333263663831326566353434316234613365316132363730643665373761666562
-31393565653663653731633333633730326265376135666162656132623238333765333363653130
-61353632313532616266363139336162336565356365316531336364623930636430353831623233
-61616131313438306633333066613764313161333934316139633738623164623564646365663566
-66356464376133363137313036623930373362306166623838373131313330393837396261656561
-66396233313530643164353264656563383632363139333262626532376562613630643437666266
-66656335656634613138316138643666623430363833663035616138336461303035633731636262
-36393939333765346239666433323032323361343934656463396365333366623337316663396263
-36616431626633663963636135643833666234613830366434636532373031343263316436306162
-39356365376561643665323866656465313434623138326238353662653735613565623264333336
-61393763363862613766653064636130323732663466366133666361636339356464313037353462
-63633936653235656538383433393065393162643034393538666433616131343462346235393164
-39353663373338626665663563663162633430343330373430376336326432346233663365376533
-32656465343538643137326366653232343530363834383831386634366262303333636261353863
-32633437343432653936643766363338636535613532323362656435613363393238626466303861
-38633861333638613466306338613932353964393365356637306261626535323732316362623731
-33313963623439613939333639346461663338373334396165636231666266613065323731373964
-64313133383435333935376531313432663766633133633863356563663535333263636237386136
-61653963633166383135333436646465383536373039383538326366636634313061613730653962
-37623962643866396637336231363038373465393637356463656566666661313130313863383233
-37343636346535363832626365396262303862393535336565393635663637323730373564336634
-37363036323733306535336366373630356531353737303165376530656433626634343365626239
-64346136363030663862313431653761666432393933366665346361626361623039326434633835
-32666538653037613361343536383634643762356234366433663639653461303933306434333864
-37386436393465323139306161333738383265323436376536656264356230303163326134323864
-63396331666431666464656161633466333764653631623131646566303366333030653834333335
-31323365353239366232643863386365633861376235643034303563613363663661616564363663
-63326562613365653539383336383339646164623864323830653434623365393432666466323134
-33626330373361393734656632393232363866613863373135636537613934343065306265623964
-34643765636165393336356630353663343065333431656164363638646233663762346536343362
-65653364343537383336373933313464663464653465383830363631316336303464313731356230
-34336130323766386465373162346535396565346630353734303937396130656132376331326563
-36386339383338346533646331666262396432336434646333653664326635386238333763626637
-31363464306465666339316436323265623437636533643431363161323139653065323534636533
-64386334353439373133313937343234373963353331646233346432646430636530663336316134
-66303337313034396232643531643262343036313762633165353665653938313665386363353865
-66333166303636626565613136653365313763303263313239333033353638616566656134396131
-38356434343931303134303362313363343634613361353538636634336332373132356165326163
-30386130326239366532363962316435663862393836326439623862366166376234343439306465
-36346639623939353232366333643963646336383833386565643435393734653936313638663930
-32323065343737663564333961373034393261613862333431663562353964666561643831316432
-35313832356639333937333266306166656538643065386639346337306134613536356137316331
-38376434666332366531393639303561663934353130333161636530383932653236313530616531
-61656664626663373164343863333039356362343034326131376666623264663732303734366363
-30306430353732616131346637626332656434393163313661356465393263393235396662623962
-62643538623331646265643561623366383937313136383939366164613235666234663137653432
-34316138643139336331356663333632656539653632626136613431393736613630353237356164
-33623632643335663163656236633134343464353837346237316162346634633336663564656531
-39373730346130363963376463326238366235613539613466653139306237343164336462353236
-39323361636333353661633863663162633563343937366461346338363061623730633537626562
-30353938383664333861366431343033313961376436363065373430353736343563313531386663
-37313534303564333237616331396437376436383833373936376664666366373235613533663239
-64653863613531356666646233393533646131333961343730663461346235633961306263343831
-64386332653330323937643266373437633465363933653833343930616134626566363339366362
-36356163333730656233653431326430326566386264343330666131393166323537623137396237
-65386234653231666631366533383762643830333261363532666138386263643662633932626335
-66303363613035643931393933303035323566373634663037313338616132373162366334373962
-33666463613435396331326565353433336361303562326562663035313639333232333430373266
-65383235356132353838636565636436356361653831356430663935613766613237366564316566
-37396130393363386566306162346466326165353863636633306335383265306139396339383866
-34326335323962633032386162623033353036643437313832323166363764653339343638343964
-66626662326234306362656162336538353131366337643761643930306163333661653062663832
-61303963623433313565633235306132366663336662616232613339366363373934613631623431
-34323736383366333032343364373533363761323338346163323836653235653136646162306166
-65333734623663346233343961396566313838653036396430396134393839326535363237363638
-38333232333863396334366561303136333863356666656335633630616531363766343535616533
-35656166303837653365303436623431613931336331356531666665346562613263363666626238
-62626236323863383366643162356462306163653032626130333863656337623136646439316337
-33306432663134383038646133346131333732633932383239643733643138303434646565663266
-34616265383733343963323538656138656331396438616133393063356638633965323363653066
-65353837333363613762333839313631373137363064383830353565333832356162323862393030
-35373038613133643466636537626437393837633865363566343565626633376262373766613738
-39343334336238363131373762646564653839623531323066356430326263376534373664363331
-64373735383933303638303661333964333464306338613363326261623438336530636262373766
-35346339643939666162386232666236326131366366303432393838326239313730323431376231
-39363032616666393431326533643865643937363937356431623763363037373333653266376561
-63323462363063343234373534663063353865363037383932386231313338343239653131633561
-34623439396232633265616438623562666333303932396366663330326565363736633461333463
-66346537323061306662323062393061353565393165363532306439343262343632616465363364
-30376331346430313536313963333136663833323064633631653935326366633862336163316538
-33383434336666303434363236396662366664393637656462363331356631613332353766636663
-62323264336235306532343065323834313730353237616463373766303439663533336366363565
-35646461636263646633343634323735383235376330616334373937646165623639363663353361
-65613034353736633332663333616564356265323731613537393430633137333337643663323137
-31623732663331653935316337306433333633353565343265666333363864346562363961333439
-30656136636661396335623566386362333861616663393738626632633537613564636261383138
-3233
+32313562646230353138303964366135656361616532343933353732313961323339653964353130
+3938346666633565356134343835633964626261363365370a663664663938383731343733386136
+33356531323762313463326339333963336636353933326537333665313334616563626632336663
+6537363033663935660a613366613962626563643035663330343061353836646561623031323236
+65313633383063373064613930623530656365396335663363643330636239643937373163623932
+61373136303737333739316565323934376433316362353935363637373264616238373831666438
+35343135383233653963333237393232353631636566373766366664656666313436323535393736
+62323731343261373331393062633030356235313834373861323138663930613332643432386436
+38383038616536316465343561643639353434396631643033633537393265646532613161343732
+32363265643963386538326639353233363438643833306637336431303533396562613863633537
+30303334643137313136633039393463346562306236353566333563633238313865313534326137
+33623036376439653532313833633135326631643361333463633162303065623633636331666661
+62303636653233666164383463356530633464306564383236373832616263653165373937303030
+31323865656436366265303537306438303434613135396166313635656566373539303463393830
+65383636363064333730623161316162373734626433346564333835393030616437636665316566
+37353937626465383439633534316336313931663561336335653761396230393031393839336264
+37623037663032646631656637386366333131356562376665333964393264643133626532653564
+32353235633434656334663233303664613865343039613330663833396162646430623735653434
+66633466306338373061326636366330643639383632353564353865623637303832306332653131
+37343566393965326635613135613134316264616336303233616162313839626235386137343435
+33633336636434343531633362633834376135303337363637303039323038313937646236366265
+34303434373566313730623664653263653466366133363562333736393836393363326665353434
+30333263323366326436623238353335323936346637646130623265366535653737343665373165
+63336166633831623464343862353065653162613934646539396364353162633063303332313266
+65656163396463363737663931353765376337643065646131303264363961366336343432653537
+65306437623535393132343962333666366665316362366536663431646435633166333731303232
+63313337353334623330623862386661306333366638306433373437623835636631376231373636
+66666539363561313166396438343730656230663532633031353336636565343964366136663466
+38316364663936303231633633613832313163646262313238346666336661613236343966353130
+62656237663865306632333130653933633332623061633062363964643130383430613864663935
+63663765356434626661346165653163626565336437613539653536306432376332616430393737
+34366139336363383761366338623236383135373634613239616665343061396633383231663230
+63653331336366666234626662356461663263626465663036326162343239373734346661626665
+61666231613565356633343030343935393135653261376239303037373634386138393463363239
+30356365663133646634333863616230646235656135336330393836353462323630376537366334
+31306330363232326661616666623131383837353139643838326430653561346565393762323936
+31623136656361383039653763613162356530653933376539336130376237396661663664393733
+36396433303339613965316230613237303331646331383239356638333366653961303138343663
+33393664303637333863313364356666383836633063643539333262633565623534323866316537
+38623630363139643837396330353463303932383231663831363763656537386531383531303165
+37366338343063346230656461393832383736636662656666636434363731623437303862636366
+33613333393139613637623963373262323637653531336265333033333135613330313166633738
+36353935383931363535656539333130653164613431616438613432313532373063353738656162
+36616563383133623336396633343762376537663432356238653766666636323232623065313537
+39636632326166323130646633626431323831373963313837613465356436326430616433303662
+65343834663937306539663330366538643265626665613631323036616463313266303237613938
+30613565306636306561643238326138623366343365303934306561623234313332636462383363
+30623432326336396364636164366463326533613665333830656564626663383331323661663934
+35353135323930656138373830623932396138626335343265623738383532333861306561323430
+66333532333961636463656535636132323535313730333762633139306235373031363831363266
+33646635316137616663653461393566303432386330623936633330373461333762356532663062
+39666437363931313861356331653932303132353364623664656364316430653933653935616230
+38376631316463646663626562366233626334323235633235653364623936643131356130343261
+36396535393335366532313930623363663032386635396262363430303466373737633739626435
+30636136396562336561393936353763383732653166353266376165663233626266353638363131
+65323462633039323334613566373434343363633532656534663635363763396265663137636331
+38613736353635613437663133616431396666316230393066343431336535626335373437393039
+63666135353937313765316134326338376161353862373161653039333631306264343464353035
+65353639313134346239646362663836643734373465353866373238613162303336306438376237
+35363934333536376136666561333636653136316435316530366461306636333063313739626630
+37633333333766613663636466373364663132613266343136376138663461383832356631303132
+30363434336161393962363636313364663839383734373533356663343733333731613535646433
+64396361643736653931336365313338313633383038306131333863306437386362633263646364
+36656566326333333136636566613066623362363263373435356162396431396334386237383231
+30326465646334613235666435613462633230353434653666336364646466613066346366376262
+66633863333461626631383961663930383663666538613162643730323565653732386330613538
+38666164353130386530376332643637333931313661633634303636643639613561643338373331
+63333932306634313933366533623837613934366334396637396361623439383964333665383435
+62316265356537616137643537366666336634393935613034393737313930333364323031653234
+37366561356332666439623462396266623961653039626562393065393336643962373064343563
+36346665666338623931343739386531343833386135356164303532643463346565316163656633
+32616365623065626139383362613466633332666133313263393062373338653834363830333039
+62626230343362393533633061663432363836616539643065643839623065633363393134643534
+63343935376537393739333063333333386239663763383435633234376434366362616433363162
+34363539633661633333306133363433313761303138363864373266333461303139613362663937
+39626332356139396330393361613364643363366164376234316266316164393035386334366362
+36373065626530333237636139336163623766623561656234333239646263626164323134633434
+63326635393665333533383562633438303036616262366435373739386430353964333265393732
+66643838303566626131323834646564613830333937616264383864316666343333396636303836
+38633335656536653334626530303835623531666665326533303535313164323836373365636265
+65393061363933373931396134623264643065633534313566346336343862346537343437363765
+62663264376266326538616330376633353832353234653661613964373231666562326466663934
+38393931643736626332623461613737383463663935656263656233306437653331343838343865
+64343239636166343134336261656162393938396633376663366466653634373566336165323237
+34386137313961653739393231616532346664366138356631353030623236343535363435636462
+32323564306339396437633763613535393230386631616166656539373861386633363464653439
+34323134626334356631623764356232366337646236313031336138333636633834353463363961
+32316664383038633330383765356563353062303133333133336365346561643234386161383461
+39323964303061313461386333613961396533646161663230666466616231386239386666306233
+39343239323739323738373263313662336237346663663432343861343034633463386163303366
+38333537626232663438383230623032623765336164653438653434396362633063333437366338
+34373431323539306531323536363238333037643337626131336631356537626237656630393964
+38393736633433306632323334613232303162313962616334376130353931336337303462363266
+39643137643034396564303531346361336134353461653535336165323032323238663631653935
+38366339366436376166333335663230306663633634336434323532316664666134313365323834
+31363964346561373262393632366637396633323332393162666166326631383164643265353135
+34303664353434373131653530346634386333663732373966613761616261323032336266646163
+32663966656464633565356337653534623962663939333033613933633965666339653764663134
+38363965393730633638653561393432303835303164396462366435353030643966316665333061
+39643634646137626338323537393031356532616637666634333139396630663930636235333735
+66336465666439356636623037653564393161393432346534656132346631396462356463336566
+30303833386638333866396462633330306439613139636331636331333663386438623461343133
+30643164366434353765633738356536643861303232393362343131353730376364623463326361
+37363061623333653466636438666465616133396233616430393265626362663736613031383764
+63353065306166646461623763643062383738376266353765643134376538393233383663346237
+37643639663063383266373536323533343936633134386263616163343637613636303134343037
+34626232303335393532643134646132323463396333386664333731646331343937363661323539
+65663936366464643162633432666537393439313664643638343237653566613235353165663336
+32373037346239356337633036306138343366666463363538373836616530313565613562383433
+64616263626165343938363230613039356137643665653734366533393033316363663036363738
+66323663663366666162623734363465663939383830396533383665393139633530616263663136
+64333132633031623835373831636366643831626235303831313761653734666365386462393534
+66303332656561653162636636313439663633396638353638363465663138353866376636326634
+63613865613466326230323564323439393061653664393261373531306235333663373434636262
+62353132653333313635653633346461323165373862343839316539653038633664353830643234
+36633763653738323732386263643461333761306532303534663763323735636563366266653464
+66636236393033613736656562663661346162316164616663306465623431613133633130383136
+35313434346164653163396137383064656538353766653237646237663639663039663665666236
+62346139633234343735303762653030326333333764356562656435623330663066353333326239
+39646465393362323537343766366432323765363139643361643037373739643636623437386636
+32353233303337623136343062623633306361383737303431613663633163643832343434656335
+39633434393466646366376534333865633361333861653366316238626637363537303335363662
+61353830303733623665643864333134623062356334616331363565333235666261653732633264
+62663238663461343738303764303636366638393830623264613730303635623635626364646464
+35623239356235316136343532616638663930313565383264663936633733386663326161623830
+62626634313963323866653432343561303233343035353433613731353538356438613033346638
+33613466656633626261326465336437613630376335663933303061393731313065636131393762
+65613037653363636235613838613535316635613066393436356537633662313539323163613361
+36356632323634363335366665376663346565393439313031636331633235333664663830636135
+64653266616262336437623731383161383437613461323837653066656233643230663064616432
+65383337323333633465316533623465303735396430326334643634626436303263396534356335
+34373134653232303866386433643864363536643138353965323130616338353731633434326361
+66303133353264343664323435653133383431626263373237613631616235666465616333343937
+37323333653565363665376236396232393132336137346461613831623063326631636335333365
+65376538396265313732323932383061633464393630393563386163393230623238633938396535
+34333330386131353336646361313634353862663762653234373235366565343232306432653731
+61383863306632626463653831383735636233623966353130626634366638626236383864316531
+37353062336539626531356133313132663330663135393930356565323364353761393439373533
+61366465313462313033306631333432646163653832363564313838643362316263353562373262
+33343664666230303065373836306663643135303439356362336634346637353438633364306365
+30623332363436353865633738663464636132306134386465306164363333386338323433643163
+37626235303062393933393363656339636139323464373439363765316266646536316336666163
+34306262326238343937623432643262646263666266623933623565363535326235623637396237
+64623961663037653033383933333062393932613933303962326538333739303731363137623365
+30363030353433646133666166383938356232396331656165343531343232613934663834633464
+36353331373233393861636131393238363031383135613633373665613364373466356663376431
+66303331383837663261313838363266656164633836623661326331356566653938306266376632
+63613238356135373938663030343634393566653963306237303138626461613931356565663835
+64386433613937643730396130663333646334386336613864333533626661626166346232333964
+66316664346231376639393132613936323261383131633737386331343966363961633237666334
+38353363383761333439373437623937393534626435386262383732363833346166656233666332
+62636130323536663432633434646666303664393130626437636132316264613535306463623964
+30633030613665343631373366363737313130666337326230633631646461356362363963306361
+64393639353339303436346438313833333432356666666339613666623132636235383866343838
+36666263343538633537303665616366656363373736306235333264336466313939356131303561
+33363030653966316232313933323665663330303338366333656536623861623537313266383565
+65633866663665393635646531353539623362646663356664333866623432333465333335333333
+31616262356537646261373166343665633238633235373335343134393366663462393465643135
+35326336613835663132343233386564373462353561333066323631313664373865323233653336
+65333731336565633664636562326365343263373263373162653239633964396138616335616230
+63376562383064663330363562306338346465666563306365306639353632396633323830353337
+65666233376239333436633566623535383065646235353832363030303565623531333539613864
+63393339656238323466343564333134636164383062613138656138373936636531636166393062
+32613431636233316533353937326234663336343231313630393037313663383034383238346562
+36383264626366383835623261643562323037303661383832323939363939623038626664393530
+65353061313266633764353331313532383766613735333131373365366336306139343265306634
+66313435313965633362356563313763653634643362616138633832633136333362343731346166
+34613431653134363732353833643962636431623036393935666237663833373934373438666434
+36633538306632383439323465636665303863646532653165666638316137633738363736386633
+33303234306531356136316463353232303737323661333430333137636633306131316434376665
+64323633383735313536373534626331356631316464643530363866633730353239346633396364
+36323437306165363465613365383666353037313333653230316234626439623964343336343762
+66343831343133343330336536613134303836626434663731343636613835623364633236653962
+63356635363239663533336265306261393337313136313937356662616231636461373230376232
+64313738333966633265626166653266313932666134356235373238376530303437646464333364
+31613631386335356561363938323831313061373566323638663864393266656361366463353736
+63386361373737383837336435633562626566656666373737313464323466313364626466633537
+6661656232313066363235616364646663623039386561636332
diff --git a/group_vars/certbot.yml b/group_vars/certbot.yml
new file mode 100644
index 0000000..053e637
--- /dev/null
+++ b/group_vars/certbot.yml
@@ -0,0 +1,8 @@
+---
+glob_certbot:
+ - dns_rfc2136_server: '10.128.0.30'
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ mail: tech.aurore@lists.crans.org
+ certname: auro.re
+ domains: "*.auro.re"
diff --git a/group_vars/nginx.yml b/group_vars/nginx.yml
new file mode 100644
index 0000000..31adf3a
--- /dev/null
+++ b/group_vars/nginx.yml
@@ -0,0 +1,32 @@
+---
+glob_nginx:
+ contact: tech.aurore@lists.crans.org
+ who: "L'équipe technique d'Aurore"
+ service_name: service
+ ssl:
+ # Add adm.auro.re if necessary
+ - name: auro.re
+ cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+ cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+ trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+ servers:
+ - ssl: false # Replace by auro.re or adm.auro.re
+ default: true
+ server_name:
+ - "default"
+ - "_"
+ root: "/var/www/html"
+ locations:
+ - filter: "/"
+ params: []
+ additional_params: []
+ upstreams: []
+
+ auth_passwd: []
+ default_server:
+ default_ssl_server:
+ default_ssl_domain: auro.re
+ real_ip_from:
+ - "10.128.0.0/16"
+ - "2a09:6840:128::/64"
+ deploy_robots_file: false
diff --git a/group_vars/reverseproxy.yml b/group_vars/reverseproxy.yml
new file mode 100644
index 0000000..fdb4685
--- /dev/null
+++ b/group_vars/reverseproxy.yml
@@ -0,0 +1,11 @@
+loc_nginx:
+ servers: []
+
+glob_reverseproxy:
+ redirect_dnames:
+ - aurores.net
+ - fede-aurore.net
+
+ reverseproxy_sites: []
+
+ redirect_sites: []
diff --git a/host_vars/portail.adm.auro.re.yml b/host_vars/portail.adm.auro.re.yml
new file mode 100644
index 0000000..d4845b7
--- /dev/null
+++ b/host_vars/portail.adm.auro.re.yml
@@ -0,0 +1,105 @@
+---
+loc_nginx:
+ service_name: captive_portal
+ default_server: '$server_addr'
+ default_ssl_server: '$server_addr'
+
+ servers:
+ - server_name:
+ - "10.13.0.247"
+ locations:
+ - filter: "/"
+ params:
+ - "return 302 https://portail-fleming.auro.re/portail/"
+
+ - ssl: auro.re
+ server_name:
+ - portail-fleming.auro.re
+ locations:
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ params:
+ - "proxy_pass http://10.128.0.20"
+ - "include /etc/nginx/snippets/options-proxypass.conf"
+ - filter: "/"
+ params:
+ - "return 302 https://portail-fleming.auro.re/portail/"
+
+ - ssl: auro.re
+ server_name:
+ - 10.23.0.247
+ locations:
+ - filter: "/"
+ params:
+ - "return 302 https://portail-pacaterie.auro.re/portail/"
+
+ - ssl: auro.re
+ server_name:
+ - portail-pacaterie.auro.re
+ locations:
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ params:
+ - "proxy_pass http://10.128.0.20"
+ - "include /etc/nginx/snippets/options-proxypass.conf"
+ - filter: "/"
+ params:
+ - "return 302 https://portail-pacaterie.auro.re/portail/"
+
+ - ssl: auro.re
+ server_name:
+ - "10.33.0.247"
+ locations:
+ - filter: "/"
+ params:
+ - "return 302 https://portail-rives.auro.re/portail/"
+
+ - ssl: auro.re
+ server_name:
+ - portail-rives.auro.re
+ locations:
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ params:
+ - "proxy_pass http://10.128.0.20"
+ - "include /etc/nginx/snippets/options-proxypass.conf"
+ - filter: "/"
+ params:
+ - "return 302 https://portail-rives.auro.re/portail/"
+
+ - ssl: auro.re
+ server_name:
+ - "10.43.0.247"
+ locations:
+ - filter: "/"
+ params:
+ - "return 302 https://portail-edc.auro.re/portail/"
+
+ - ssl: auro.re
+ server_name:
+ - portail-edc.auro.re
+ locations:
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ params:
+ - "proxy_pass http://10.128.0.20"
+ - "include /etc/nginx/snippets/options-proxypass.conf"
+ - filter: "/"
+ params:
+ - "return 302 https://portail-edc.auro.re/portail/"
+
+ - ssl: auro.re
+ server_name:
+ - "10.53.0.247"
+ locations:
+ - filter: "/"
+ params:
+ - "return 302 https://portail-gs.auro.re/portail/"
+
+ - ssl: auro.re
+ server_name:
+ - portail-gs.auro.re
+ locations:
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ params:
+ - "proxy_pass http://10.128.0.20"
+ - "include /etc/nginx/snippets/options-proxypass.conf"
+ - filter: "/"
+ params:
+ - "return 302 https://portail-gs.auro.re/portail/"
diff --git a/host_vars/proxy-ovh.adm.auro.re.yml b/host_vars/proxy-ovh.adm.auro.re.yml
index d68a483..13f0a1d 100644
--- a/host_vars/proxy-ovh.adm.auro.re.yml
+++ b/host_vars/proxy-ovh.adm.auro.re.yml
@@ -1,39 +1,13 @@
---
-certbot:
- domains:
- - auro.re
- - chat.auro.re # cname to riot.auro.re
- - codimd.auro.re
- - element.auro.re # cname to riot.auro.re
- - ehterpad.auro.re # cname to pad.auro.re
- - grafana.auro.re
- - hedgedoc.auro.re # cname to codimd.auro.re
- - pad.auro.re
- - passbolt.auro.re
- - paste.auro.re # cname to privatebin.auro.re
- - phabricator.auro.re
- - privatebin.auro.re
- - riot.auro.re
- - sharelatex.auro.re
- - status.auro.re
- - wiki.auro.re
- - www.auro.re
- - zero.auro.re # cname to privatebin.auro.re
- mail: tech.aurore@lists.crans.org
- certname: auro.re
-
-nginx:
- ssl:
- cert: /etc/letsencrypt/live/auro.re/fullchain.pem
- cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
- trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
-
- redirect_dnames:
- - aurores.net
- - fede-aurore.net
-
- redirect_tcp: {}
+loc_certbot:
+ - dns_rfc2136_server: '10.128.0.30'
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ mail: tech.aurore@lists.crans.org
+ certname: auro.re
+ domains: "auro.re, *.auro.re"
+loc_reverseproxy:
redirect_sites:
- from: www.auro.re
to: auro.re
diff --git a/host_vars/proxy.adm.auro.re.yml b/host_vars/proxy.adm.auro.re.yml
index b8fb2c3..6eb74f2 100644
--- a/host_vars/proxy.adm.auro.re.yml
+++ b/host_vars/proxy.adm.auro.re.yml
@@ -1,31 +1,31 @@
---
-certbot:
- domains:
- - bbb.auro.re
- - drone.auro.re
- - gitea.auro.re
- - intranet.auro.re
- - litl.auro.re
- - nextcloud.auro.re
- - re2o.auro.re
- - vote.auro.re
- - re2o-server.auro.re
- - re2o-test.auro.re
- - wikijs.auro.re
+loc_certbot:
+ - dns_rfc2136_server: '10.128.0.30'
+ dns_rfc2136_name: certbot_adm_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
+ mail: tech.aurore@lists.crans.org
+ certname: adm.auro.re
+ domains: "*.adm.auro.re"
+ - dns_rfc2136_server: '10.128.0.30'
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ mail: tech.aurore@lists.crans.org
+ certname: auro.re
+ domains: "*.auro.re"
- mail: tech.aurore@lists.crans.org
- certname: auro.re
-
-nginx:
+loc_nginx:
+ servers: []
ssl:
- cert: /etc/letsencrypt/live/auro.re/fullchain.pem
- cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
- trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
-
- redirect_dnames:
- - aurores.net
- - fede-aurore.net
+ - name: adm.auro.re
+ cert: /etc/letsencrypt/live/adm.auro.re/fullchain.pem
+ cert_key: /etc/letsencrypt/live/adm.auro.re/privkey.pem
+ trusted_cert: /etc/letsencrypt/live/adm.auro.re/chain.pem
+ - name: auro.re
+ cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+ cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+ trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+loc_reverseproxy:
redirect_tcp:
- name: Gitea
port: 2222
@@ -33,7 +33,7 @@ nginx:
redirect_sites:
- from: 45.66.111.61
- to: auro.re
+ to: intranet.auro.re
reverseproxy_sites:
- from: re2o.auro.re
@@ -49,6 +49,9 @@ nginx:
- from: gitea.auro.re
to: "10.128.0.60:3000"
+ - from: git.adm.auro.re
+ to: "10.128.0.60:3000"
+ ssl: adm.auro.re
- from: drone.auro.re
to: "10.128.0.64:8000"
diff --git a/hosts b/hosts
index eec54a0..7cf9128 100644
--- a/hosts
+++ b/hosts
@@ -35,6 +35,8 @@ services-web.adm.auro.re
mail.adm.auro.re
wikijs.adm.auro.re
prometheus-aurore.adm.auro.re
+portail.adm.auro.re
+jitsi-aurore.adm.auro.re
[aurore_testing_vm]
pendragon.adm.auro.re
@@ -61,6 +63,8 @@ vpn-ovh.adm.auro.re
docker-ovh.adm.auro.re
switchs-manager.adm.auro.re
ldap-replica-ovh.adm.auro.re
+prometheus-ovh.adm.auro.re
+prometheus-federate.adm.auro.re
[ovh_testing_vm]
#re2o-test.adm.auro.re
@@ -265,6 +269,7 @@ ep-1-3.borne.auro.re
ep-1-2.borne.auro.re
ep-0-1.borne.auro.re
eo-2-1.borne.auro.re
+ee-2-1.borne.auro.re
###############################################################################
# George Sand
@@ -488,3 +493,18 @@ ldap-replica-ovh.adm.auro.re
[ldap_replica_rives]
ldap-replica-rives.adm.auro.re
+[certbot]
+portail.adm.auro.re
+
+[certbot:children]
+reverseproxy
+
+[nginx]
+portail.adm.auro.re
+
+[nginx:children]
+reverseproxy
+
+[reverseproxy]
+proxy-ovh.adm.auro.re
+proxy.adm.auro.re
diff --git a/monitoring.yml b/monitoring.yml
index c31fe86..53bdae7 100755
--- a/monitoring.yml
+++ b/monitoring.yml
@@ -1,6 +1,6 @@
#!/usr/bin/env ansible-playbook
---
-- hosts: prometheus-fleming.adm.auro.re,prometheus-fleming-fo.adm.auro.re
+- hosts: prometheus-fleming.adm.auro.re
vars:
prometheus_alertmanager: docker-ovh.adm.auro.re:9093
snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
@@ -88,10 +88,43 @@
# Prometheus targets.json
prometheus_targets:
- targets: |
- {{ groups['aurore_pve'] + groups['aurore_vm'] + groups['ovh_pve'] + groups['ovh_vm'] | list | sort }}
+ {{ groups['aurore_pve'] + groups['aurore_vm'] | list | sort }}
roles:
- prometheus
+- hosts: prometheus-ovh.adm.auro.re
+ vars:
+ prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+ snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+
+ # Prometheus targets.json
+ prometheus_targets:
+ - targets: |
+ {{ groups['ovh_pve'] + groups['ovh_vm'] | list | sort }}
+ prometheus_docker_targets:
+ - docker-ovh.adm.auro.re:8087
+ roles:
+ - prometheus
+
+
+- hosts: prometheus-federate.adm.auro.re
+ vars:
+ prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+ snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+
+ # Prometheus targets.json
+ prometheus_targets:
+ - prometheus-edc.adm.auro.re
+ - prometheus-gs.adm.auro.re
+ - prometheus-fleming.adm.auro.re
+ - prometheus-pacaterie.adm.auro.re
+ - prometheus-rives.adm.auro.re
+ - prometheus-aurore.adm.auro.re
+ - prometheus-ovh.adm.auro.re
+ - prometheus-federate.adm.auro.re
+ roles:
+ - prometheus_federate
+
# Monitor all hosts
- hosts: all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,!aurore_testing_vm,!ovh_container
diff --git a/network.yml b/network.yml
index e64d8ff..50fde19 100755
--- a/network.yml
+++ b/network.yml
@@ -43,7 +43,7 @@
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
-# - re2o-service
+# - re2o_service
# Deploy Unifi Controller
@@ -62,4 +62,4 @@
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
-# - re2o-service
+# - re2o_service
diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml
index c1d3eda..0c13978 100644
--- a/roles/baseconfig/tasks/main.yml
+++ b/roles/baseconfig/tasks/main.yml
@@ -23,6 +23,7 @@
- oidentd # postgresql identification
- screen # Vulcain asked for this
- sudo
+ - tmux # For shirenn
- tree # create a graphical tree of files
- vim # better than nano
- zsh # to be able to ssh @erdnaxe
diff --git a/roles/certbot/handlers/main.yml b/roles/certbot/handlers/main.yml
deleted file mode 100644
index 82d2202..0000000
--- a/roles/certbot/handlers/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: Reload nginx
- service:
- name: nginx
- state: reloaded
-
-- name: Generate certificates
- command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index cbce286..8404b4d 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -1,13 +1,28 @@
---
-- name: Install certbot and nginx plugin
+- name: Install certbot and RFC2136 plugin
apt:
update_cache: true
name:
- certbot
- - python3-certbot-nginx
- register: pkg_result
+ - python3-certbot-dns-rfc2136
+ state: present
+ register: apt_result
retries: 3
- until: pkg_result is succeeded
+ until: apt_result is succeeded
+
+- name: Add DNS credentials
+ template:
+ src: letsencrypt/rfc2136.ini.j2
+ dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
+ mode: 0600
+ owner: root
+ loop: "{{ certbot }}"
+
+- name: Add dhparam
+ template:
+ src: "letsencrypt/dhparam.j2"
+ dest: "/etc/letsencrypt/dhparam"
+ mode: 0600
- name: Create /etc/letsencrypt/conf.d
file:
@@ -18,8 +33,19 @@
- name: Add Certbot configuration
template:
src: "letsencrypt/conf.d/certname.ini.j2"
- dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+ dest: "/etc/letsencrypt/conf.d/{{ item.certname }}.ini"
mode: 0644
- notify:
- - Generate certificates
- - Reload nginx
+ loop: "{{ certbot }}"
+
+- name: Run certbot
+ command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
+ loop: "{{ certbot }}"
+
+- name: Clean old files
+ file:
+ path: "{{ item }}"
+ state: absent
+ loop:
+ - "/etc/letsencrypt/options-ssl-nginx.conf"
+ - "/etc/letsencrypt/ssl-dhparams.pem"
+ - "/etc/letsencrypt/rfc2136.ini"
diff --git a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
index c23d930..b695166 100644
--- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
+++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
@@ -1,7 +1,7 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment(decoration='# ') }}
-# Pour appliquer cette conf et générer la conf de renewal :
-# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
+# To generate the certificate, please use the following command
+# certbot --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
@@ -10,14 +10,19 @@ rsa-key-size = 4096
# server = https://acme-staging.api.letsencrypt.org/directory
# Uncomment and update to register with the specified e-mail address
-email = {{ certbot.mail }}
+email = {{ item.mail }}
# Uncomment to use a text interface instead of ncurses
text = True
-# Use nginx challenge
-authenticator = nginx
+# Yes I want to sell my soul and my guinea pig.
+agree-tos = True
+
+# Use DNS-01 challenge
+authenticator = dns-rfc2136
+dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini
+dns-rfc2136-propagation-seconds = 30
# Wildcard the domain
-cert-name = {{ certbot.certname }}
-domains = {{ ", ".join(certbot.domains) }}
+cert-name = {{ item.certname }}
+domains = {{ item.domains }}
diff --git a/roles/nginx_reverseproxy/templates/letsencrypt/dhparam.j2 b/roles/certbot/templates/letsencrypt/dhparam.j2
similarity index 100%
rename from roles/nginx_reverseproxy/templates/letsencrypt/dhparam.j2
rename to roles/certbot/templates/letsencrypt/dhparam.j2
diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
new file mode 100644
index 0000000..e864958
--- /dev/null
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@@ -0,0 +1,7 @@
+{{ ansible_managed | comment(decoration='# ') }}
+
+dns_rfc2136_server = {{ item.dns_rfc2136_server }}
+dns_rfc2136_port = 53
+dns_rfc2136_name = {{ item.dns_rfc2136_name }}
+dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
+dns_rfc2136_algorithm = HMAC-SHA512
diff --git a/roles/debian-backports/tasks/main.yml b/roles/debian_backports/tasks/main.yml
similarity index 100%
rename from roles/debian-backports/tasks/main.yml
rename to roles/debian_backports/tasks/main.yml
diff --git a/roles/debian-backports/templates/backports.list.j2 b/roles/debian_backports/templates/backports.list.j2
similarity index 100%
rename from roles/debian-backports/templates/backports.list.j2
rename to roles/debian_backports/templates/backports.list.j2
diff --git a/roles/isc_dhcp_server/handlers/main.yml b/roles/isc_dhcp_server/handlers/main.yml
index 05b48c6..fd4dd48 100644
--- a/roles/isc_dhcp_server/handlers/main.yml
+++ b/roles/isc_dhcp_server/handlers/main.yml
@@ -1,6 +1,6 @@
---
- name: force run dhcp re2o-service
- shell: /var/local/re2o-services/dhcp/main.py --force
+ command: /var/local/re2o-services/dhcp/main.py --force
become_user: re2o-services
- name: restart dhcpd
diff --git a/roles/isc_dhcp_server/tasks/main.yml b/roles/isc_dhcp_server/tasks/main.yml
index 57d2d25..9d69d63 100644
--- a/roles/isc_dhcp_server/tasks/main.yml
+++ b/roles/isc_dhcp_server/tasks/main.yml
@@ -1,7 +1,7 @@
---
- name: Install dhcp (re2o-service)
import_role:
- name: re2o-service
+ name: re2o_service
vars:
service_repo: https://gitlab.federez.net/re2o/dhcp.git
service_name: dhcp
@@ -18,7 +18,7 @@
owner: re2o-services
group: nogroup
recurse: true
- mode: 755
+ mode: 0755
- name: Install isc-dhcp-server
apt:
diff --git a/roles/logrotate/templates/logrotate.d/rsyslog.j2 b/roles/logrotate/templates/logrotate.d/rsyslog.j2
index beab470..f47e725 100644
--- a/roles/logrotate/templates/logrotate.d/rsyslog.j2
+++ b/roles/logrotate/templates/logrotate.d/rsyslog.j2
@@ -26,7 +26,7 @@
/var/log/debug
/var/log/messages
{
- rotate 1
+ rotate 90
daily
missingok
notifempty
diff --git a/roles/nginx_reverseproxy/handlers/main.yml b/roles/nginx/handlers/main.yml
similarity index 100%
rename from roles/nginx_reverseproxy/handlers/main.yml
rename to roles/nginx/handlers/main.yml
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..210c7f0
--- /dev/null
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,146 @@
+---
+- name: Install NGINX
+ apt:
+ update_cache: true
+ name: nginx
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Copy proxypass snippets
+ template:
+ src: "nginx/snippets/options-proxypass.conf.j2"
+ dest: "/etc/nginx/snippets/options-proxypass.conf"
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Copy SSL snippets
+ template:
+ src: "nginx/snippets/options-ssl.conf.j2"
+ dest: "/etc/nginx/snippets/options-ssl.{{ item.name }}.conf"
+ owner: root
+ group: root
+ mode: 0644
+ loop: "{{ nginx.ssl }}"
+
+- name: Disable default site
+ file:
+ dest: "/etc/nginx/sites-enabled/default"
+ state: absent
+
+- name: Copy reverse proxy sites
+ when: reverseproxy is defined
+ template:
+ src: "nginx/sites-available/{{ item }}.j2"
+ dest: "/etc/nginx/sites-available/{{ item }}"
+ owner: root
+ group: root
+ mode: 0644
+ loop:
+ - reverseproxy
+ - reverseproxy_redirect_dname
+ - redirect
+ notify: Reload nginx
+
+- name: Activate reverse proxy sites
+ when: reverseproxy is defined
+ file:
+ src: "/etc/nginx/sites-available/{{ item }}"
+ dest: "/etc/nginx/sites-enabled/{{ item }}"
+ owner: root
+ group: root
+ state: link
+ loop:
+ - reverseproxy
+ - reverseproxy_redirect_dname
+ - redirect
+ notify: Reload nginx
+ ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Copy forward modules
+ when: reverseproxy.redirect_tcp is defined and reverseproxy.redirect_tcp|length > 0
+ template:
+ src: "nginx/modules-available/60-forward.conf.j2"
+ dest: "/etc/nginx/modules-available/60-forward.conf"
+ mode: 0644
+ notify: Reload nginx
+
+- name: Activate modules
+ when: reverseproxy.redirect_tcp is defined and reverseproxy.redirect_tcp|length > 0
+ file:
+ src: "/etc/nginx/modules-available/60-forward.conf"
+ dest: "/etc/nginx/modules-enabled/60-forward.conf"
+ state: link
+ mode: 0644
+ notify: Reload nginx
+ ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Copy service nginx configuration
+ when: nginx.servers is defined and nginx.servers|length > 0
+ template:
+ src: "nginx/sites-available/service.j2"
+ dest: "/etc/nginx/sites-available/{{ nginx.service_name }}"
+ owner: root
+ group: root
+ mode: 0644
+ notify: Reload nginx
+
+- name: Activate local nginx service site
+ when: nginx.servers is defined and nginx.servers|length > 0
+ file:
+ src: "/etc/nginx/sites-available/{{ nginx.service_name }}"
+ dest: "/etc/nginx/sites-enabled/{{ nginx.service_name }}"
+ owner: root
+ group: root
+ state: link
+ notify: Reload nginx
+ ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Copy 50x error page
+ template:
+ src: www/html/50x.html.j2
+ dest: /var/www/html/50x.html
+ owner: www-data
+ group: www-data
+ mode: 0644
+
+- name: Copy robots.txt file
+ when: nginx.deploy_robots_file
+ template:
+ src: www/html/robots.txt.j2
+ dest: /var/www/html/robots.txt
+ owner: www-data
+ group: www-data
+ mode: 0644
+
+- name: Install passwords
+ when: nginx.auth_passwd|length > 0
+ template:
+ src: nginx/passwd.j2
+ dest: /etc/nginx/passwd
+ mode: 0644
+
+- name: Copy 401 error page
+ when: nginx.auth_passwd|length > 0
+ template:
+ src: www/html/401.html.j2
+ dest: /var/www/html/401.html
+ owner: www-data
+ group: www-data
+ mode: 0644
+
+- name: Indicate role in motd
+ template:
+ src: update-motd.d/05-service.j2
+ dest: /etc/update-motd.d/05-nginx
+ mode: 0755
+
+- name: Clean old files
+ file:
+ path: "{{ item }}"
+ state: absent
+ loop:
+ - "/etc/nginx/snippets/options-ssl.conf"
+ - "/var/www/custom_401.html"
+ - "/var/www/robots.txt"
diff --git a/roles/nginx/templates/letsencrypt/dhparam.j2 b/roles/nginx/templates/letsencrypt/dhparam.j2
new file mode 100644
index 0000000..9b182b7
--- /dev/null
+++ b/roles/nginx/templates/letsencrypt/dhparam.j2
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
diff --git a/roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2 b/roles/nginx/templates/nginx/modules-available/60-forward.conf.j2
similarity index 72%
rename from roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2
rename to roles/nginx/templates/nginx/modules-available/60-forward.conf.j2
index 9a86a5d..f05b00d 100644
--- a/roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2
+++ b/roles/nginx/templates/nginx/modules-available/60-forward.conf.j2
@@ -1,6 +1,6 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
-{% for site in nginx.redirect_tcp %}
+{% for site in reverseproxy.redirect_tcp %}
# Forward port {{ site.port }} to {{ site.name }}
stream {
server {
@@ -12,3 +12,4 @@ stream {
}
{% endfor %}
+
diff --git a/roles/nginx/templates/nginx/passwd.j2 b/roles/nginx/templates/nginx/passwd.j2
new file mode 100644
index 0000000..ed45d93
--- /dev/null
+++ b/roles/nginx/templates/nginx/passwd.j2
@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+{% for user, hash in nginx.auth_passwd.items() -%}
+{{ user }}:{{ hash }}
+{% endfor -%}
diff --git a/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2 b/roles/nginx/templates/nginx/sites-available/redirect.j2
similarity index 56%
rename from roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2
rename to roles/nginx/templates/nginx/sites-available/redirect.j2
index 28e9b7d..2543400 100644
--- a/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2
+++ b/roles/nginx/templates/nginx/sites-available/redirect.j2
@@ -1,6 +1,6 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
-{% for site in nginx.redirect_sites %}
+{% for site in reverseproxy.redirect_sites %}
# Redirect http://{{ site.from }} to http://{{ site.to }}
server {
listen 80;
@@ -8,6 +8,11 @@ server {
server_name {{ site.from }};
+{% for realip in nginx.real_ip_from %}
+ set_real_ip_from {{ realip }};
+{% endfor %}
+ real_ip_header P-Real-Ip;
+
location / {
return 302 http://{{ site.to }}$request_uri;
}
@@ -21,7 +26,12 @@ server {
server_name {{ site.from }};
# SSL common conf
- include "/etc/nginx/snippets/options-ssl.conf";
+ include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
+
+{% for realip in nginx.real_ip_from %}
+ set_real_ip_from {{ realip }};
+{% endfor %}
+ real_ip_header P-Real-Ip;
location / {
return 302 https://{{ site.to }}$request_uri;
@@ -31,8 +41,8 @@ server {
{% endfor %}
{# Also redirect for DNAMEs #}
-{% for dname in nginx.redirect_dnames %}
-{% for site in nginx.redirect_sites %}
+{% for dname in reverseproxy.redirect_dnames %}
+{% for site in reverseproxy.redirect_sites %}
{% set from = site.from | regex_replace('crans.org', dname) %}
{% if from != site.from %}
# Redirect http://{{ from }} to http://{{ site.to }}
@@ -42,6 +52,11 @@ server {
server_name {{ from }};
+{% for realip in nginx.real_ip_from %}
+ set_real_ip_from {{ realip }};
+{% endfor %}
+ real_ip_header P-Real-Ip;
+
location / {
return 302 http://{{ site.to }}$request_uri;
}
@@ -55,7 +70,12 @@ server {
server_name {{ from }};
# SSL common conf
- include "/etc/nginx/snippets/options-ssl.conf";
+ include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
+
+{% for realip in nginx.real_ip_from %}
+ set_real_ip_from {{ realip }};
+{% endfor %}
+ real_ip_header P-Real-Ip;
location / {
return 302 https://{{ site.to }}$request_uri;
diff --git a/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx/templates/nginx/sites-available/reverseproxy.j2
similarity index 74%
rename from roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2
rename to roles/nginx/templates/nginx/sites-available/reverseproxy.j2
index d29d13c..ae2d7a6 100644
--- a/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2
+++ b/roles/nginx/templates/nginx/sites-available/reverseproxy.j2
@@ -1,4 +1,4 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
# Automatic Connection header for WebSocket support
# See http://nginx.org/en/docs/http/websocket.html
@@ -7,7 +7,7 @@ map $http_upgrade $connection_upgrade {
'' close;
}
-{% for site in nginx.reverseproxy_sites %}
+{% for site in reverseproxy.reverseproxy_sites %}
# Redirect http://{{ site.from }} to https://{{ site.from }}
server {
listen 80;
@@ -15,6 +15,11 @@ server {
server_name {{ site.from }};
+{% for realip in nginx.real_ip_from %}
+ set_real_ip_from {{ realip }};
+{% endfor %}
+ real_ip_header P-Real-Ip;
+
location / {
return 302 https://$host$request_uri;
}
@@ -28,7 +33,7 @@ server {
server_name {{ site.from }};
# SSL common conf
- include "/etc/nginx/snippets/options-ssl.conf";
+ include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
# Log into separate log files
access_log /var/log/nginx/{{ site.from }}.log;
@@ -43,8 +48,9 @@ server {
root /var/www/html;
}
- set_real_ip_from 10.231.136.0/24;
- set_real_ip_from 2a0c:700:0:2::/64;
+{% for realip in nginx.real_ip_from %}
+ set_real_ip_from {{ realip }};
+{% endfor %}
real_ip_header P-Real-Ip;
location / {
diff --git a/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 b/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
similarity index 55%
rename from roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
rename to roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
index bac615d..819fd7a 100644
--- a/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
+++ b/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
@@ -1,7 +1,7 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
-{% for dname in nginx.redirect_dnames %}
-{% for site in nginx.reverseproxy_sites %}
+{% for dname in reverseproxy.redirect_dnames %}
+{% for site in reverseproxy.reverseproxy_sites %}
{% set from = site.from | regex_replace('auro.re', dname) %}
{% set to = site.from %}
{% if from != site.from %}
@@ -12,6 +12,11 @@ server {
server_name {{ from }};
+{% for realip in nginx.real_ip_from %}
+ set_real_ip_from {{ realip }};
+{% endfor %}
+ real_ip_header P-Real-Ip;
+
location / {
return 302 http://{{ to }}$request_uri;
}
@@ -25,7 +30,12 @@ server {
server_name {{ from }};
# SSL common conf
- include "/etc/nginx/snippets/options-ssl.conf";
+ include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
+
+{% for realip in nginx.real_ip_from %}
+ set_real_ip_from {{ realip }};
+{% endfor %}
+ real_ip_header P-Real-Ip;
location / {
return 302 https://{{ to }}$request_uri;
diff --git a/roles/nginx/templates/nginx/sites-available/service.j2 b/roles/nginx/templates/nginx/sites-available/service.j2
new file mode 100644
index 0000000..39f25eb
--- /dev/null
+++ b/roles/nginx/templates/nginx/sites-available/service.j2
@@ -0,0 +1,132 @@
+{{ ansible_managed | comment }}
+
+# Automatic Connection header for WebSocket support
+# See http://nginx.org/en/docs/http/websocket.html
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+{% for upstream in nginx.upstreams -%}
+upstream {{ upstream.name }} {
+ # Path of the server
+ server {{ upstream.server }};
+}
+{% endfor -%}
+
+{% if nginx.default_ssl_server -%}
+# Redirect all services to the main site
+server {
+ listen 443 default_server ssl;
+ listen [::]:443 default_server ssl;
+ include "/etc/nginx/snippets/options-ssl.{{ nginx.default_ssl_domain }}.conf";
+
+ server_name _;
+ charset utf-8;
+
+ # Hide Nginx version
+ server_tokens off;
+
+{% for realip in nginx.real_ip_from %}
+ set_real_ip_from {{ realip }};
+{% endfor %}
+ real_ip_header P-Real-Ip;
+
+ location / {
+ return 302 https://{{ nginx.default_ssl_server }}$request_uri;
+ }
+}
+{% endif -%}
+
+{% if nginx.default_server -%}
+# Redirect all services to the main site
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ server_name _;
+ charset utf-8;
+
+ # Hide Nginx version
+ server_tokens off;
+
+{% for realip in nginx.real_ip_from %}
+ set_real_ip_from {{ realip }};
+{% endfor %}
+ real_ip_header P-Real-Ip;
+
+ location / {
+ return 302 http://{{ nginx.default_server }}$request_uri;
+ }
+}
+{% endif -%}
+
+{% for server in nginx.servers %}
+{% if server.ssl is defined and server.ssl -%}
+# Redirect HTTP to HTTPS
+server {
+ listen 80{% if server.default is defined and server.default %} default_server{% endif %};
+ listen [::]:80{% if server.default is defined and server.default %} default_server{% endif %};
+
+ server_name {{ server.server_name|join(" ") }};
+ charset utf-8;
+
+ # Hide Nginx version
+ server_tokens off;
+
+{% for realip in nginx.real_ip_from %}
+ set_real_ip_from {{ realip }};
+{% endfor %}
+ real_ip_header P-Real-Ip;
+
+ location / {
+ return 302 https://$host$request_uri;
+ }
+}
+{% endif -%}
+
+server {
+ {% if server.ssl is defined and server.ssl -%}
+ listen 443{% if server.default is defined and server.default %} default_server{% endif %} ssl;
+ listen [::]:443{% if server.default is defined and server.default %} default_server{% endif %} ssl;
+ include "/etc/nginx/snippets/options-ssl.{{ server.ssl }}.conf";
+ {% else -%}
+ listen 80;
+ listen [::]:80;
+ {% endif -%}
+
+ server_name {{ server.server_name|join(" ") }};
+ charset utf-8;
+
+ # Hide Nginx version
+ server_tokens off;
+
+{% for realip in nginx.real_ip_from %}
+ set_real_ip_from {{ realip }};
+{% endfor %}
+ real_ip_header P-Real-Ip;
+
+ {% if server.root is defined %}root {{ server.root }};{% endif %}
+ {% if server.index is defined %}index {{ server.index|join(" ") }};{% endif %}
+
+ {% if server.access_log is defined %}access_log {{ server.access_log }};{% endif %}
+ {% if server.error_log is defined %}error_log {{ server.error_log }};{% endif %}
+
+{% if server.additional_params is defined %}
+{% for param in server.additional_params %}
+ {{ param }};
+{% endfor %}
+{% endif %}
+
+{% if server.locations is defined %}
+{% for location in server.locations %}
+ location {{ location.filter }} {
+{% for param in location.params %}
+ {{ param }};
+{% endfor %}
+ }
+
+{% endfor %}
+{% endif %}
+}
+{% endfor %}
diff --git a/roles/nginx/templates/nginx/snippets/fastcgi.conf.j2 b/roles/nginx/templates/nginx/snippets/fastcgi.conf.j2
new file mode 100644
index 0000000..a173dea
--- /dev/null
+++ b/roles/nginx/templates/nginx/snippets/fastcgi.conf.j2
@@ -0,0 +1,18 @@
+{{ ansible_managed | comment }}
+
+# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+fastcgi_split_path_info (^/[^/]*)(.*)$;
+
+# check that the PHP script exists before passing it
+try_files $fastcgi_script_name =404;
+
+# Bypass the fact that try_files resets $fastcgi_path_info
+# see: http://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;
+fastcgi_param PATH_INFO $path_info;
+
+# Let NGINX handle errors
+fastcgi_intercept_errors on;
+
+include /etc/nginx/fastcgi.conf;
+fastcgi_pass unix:/var/run/fcgiwrap.socket;
diff --git a/roles/nginx_reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 b/roles/nginx/templates/nginx/snippets/options-proxypass.conf.j2
similarity index 93%
rename from roles/nginx_reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2
rename to roles/nginx/templates/nginx/snippets/options-proxypass.conf.j2
index 9515d81..7f8d4b8 100644
--- a/roles/nginx_reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2
+++ b/roles/nginx/templates/nginx/snippets/options-proxypass.conf.j2
@@ -1,4 +1,4 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
proxy_redirect off;
proxy_set_header Host $host;
diff --git a/roles/nginx_reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 b/roles/nginx/templates/nginx/snippets/options-ssl.conf.j2
similarity index 76%
rename from roles/nginx_reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
rename to roles/nginx/templates/nginx/snippets/options-ssl.conf.j2
index fee51c6..d665eaf 100644
--- a/roles/nginx_reverseproxy/templates/nginx/snippets/options-ssl.conf.j2
+++ b/roles/nginx/templates/nginx/snippets/options-ssl.conf.j2
@@ -1,7 +1,7 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
-ssl_certificate {{ nginx.ssl.cert }};
-ssl_certificate_key {{ nginx.ssl.cert_key }};
+ssl_certificate {{ item.cert }};
+ssl_certificate_key {{ item.cert_key }};
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
@@ -13,5 +13,5 @@ ssl_prefer_server_ciphers off;
# Enable OCSP Stapling, point to certificate chain
ssl_stapling on;
ssl_stapling_verify on;
-ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+ssl_trusted_certificate {{ item.trusted_cert }};
diff --git a/roles/nginx_reverseproxy/templates/update-motd.d/05-service.j2 b/roles/nginx/templates/update-motd.d/05-service.j2
similarity index 78%
rename from roles/nginx_reverseproxy/templates/update-motd.d/05-service.j2
rename to roles/nginx/templates/update-motd.d/05-service.j2
index fdff0b8..c52c655 100755
--- a/roles/nginx_reverseproxy/templates/update-motd.d/05-service.j2
+++ b/roles/nginx/templates/update-motd.d/05-service.j2
@@ -1,3 +1,3 @@
#!/usr/bin/tail +14
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
�[0m> �[38;5;82mNGINX�[0m a été déployé sur cette machine. Voir �[38;5;6m/etc/nginx/�[0m.
diff --git a/roles/nginx/templates/www/html/401.html.j2 b/roles/nginx/templates/www/html/401.html.j2
new file mode 100644
index 0000000..93fc38a
--- /dev/null
+++ b/roles/nginx/templates/www/html/401.html.j2
@@ -0,0 +1,18 @@
+{{ ansible_header | comment('xml') }}
+
+
+
+ Accès refusé
+
+
+
+ Accès refusé
+
+ Pour éviter le scan des adresses de diffusions par un robot, cette page demande un identifiant et mot de passe.
+
+
+ - Identifiant : Stop
+ - Mot de passe : Spam
+
+
+
diff --git a/roles/nginx_reverseproxy/templates/www/html/50x.html.j2 b/roles/nginx/templates/www/html/50x.html.j2
similarity index 92%
rename from roles/nginx_reverseproxy/templates/www/html/50x.html.j2
rename to roles/nginx/templates/www/html/50x.html.j2
index e5c8733..078e2de 100644
--- a/roles/nginx_reverseproxy/templates/www/html/50x.html.j2
+++ b/roles/nginx/templates/www/html/50x.html.j2
@@ -57,7 +57,7 @@
502
Whoops, le service prend trop de temps à répondre…
Essayez de rafraîchir la page. Si le problème persiste, pensez
- à contacter l'équipe technique d'Aurore.
+ à contacter {{ nginx.who }}.