aurore
/
ansible
15
2
Fork 0
Code Issues 1 Pull Requests 13 Releases Wiki Activity

Add config for new VMs

Browse Source
pull/106/head
jeltz 1 year ago
parent 7c21275a11
commit 19c623ab0a
Signed by: jeltz
GPG Key ID: 800882B66C0C3326
15 changed files with 361 additions and 280 deletions
Show Stats Download Patch File Download Diff File

1
.gitignore vendored
Unescape Escape View File

@ -1,3 +1,4 @@
*.retry
tmp
ldap-password.txt
__pycache__/

11
all.yml
Unescape Escape View File

@ -0,0 +1,11 @@
#!/usr/bin/env ansible-playbook
---
- import_playbook: playbooks/base.yml
- import_playbook: playbooks/root.yml
- import_playbook: playbooks/ssh.yml
- import_playbook: playbooks/chronyd.yml
- import_playbook: playbooks/kresd.yml
- import_playbook: playbooks/resolvconf.yml
- import_playbook: playbooks/ifupdown2.yml
- import_playbook: playbooks/keepalived.yml
...

3
deploy_all.sh
Unescape Escape View File

@ -1,3 +0,0 @@
#!/usr/bin/env bash
# Deploy all playbooks
ansible-playbook playbooks/*.yml $@

12
playbooks/base.yml
Unescape Escape View File

@ -1,10 +1,8 @@
#!/usr/bin/env ansible-playbook
---
# Put a common configuration on all servers
- hosts: all,!unifi
- hosts:
- pve_network
- vm_network
roles:
- baseconfig
- basesecurity
- ldap_client
- logrotate
- update_motd
- base_utils
...

32
playbooks/bird.yml
Unescape Escape View File

@ -5,17 +5,9 @@
- isp-2.rtr.infra.auro.re
vars:
bird__router_ids:
isp-1.rtr.infra.auro.re: 10.136.0.1
isp-2.rtr.infra.auro.re: 10.136.0.2
isp-1.rtr.infra.auro.re: 10.203.0.5
isp-2.rtr.infra.auro.re: 10.203.0.6
bird__router_id: "{{ bird__router_ids[inventory_hostname] }}"
bird__ospf_broadcast_interfaces:
ens20: null
bird__ospf_stub_interfaces:
- client-0
- client-1
- client-2
- client-3
- client-4
bird__radv_interfaces:
client-0:
prefix:
@ -43,7 +35,7 @@
domain_search:
- client-4.isp.auro.re
bird__radv_dns_servers:
- 2a09:6840:128::127
- 2a09:6840:128::10:3
roles:
- bird
@ -52,19 +44,9 @@
- infra-2.rtr.infra.auro.re
vars:
bird__router_ids:
infra-1.rtr.infra.auro.re: 10.203.1.3
infra-2.rtr.infra.auro.re: 10.203.1.4
infra-1.rtr.infra.auro.re: 10.203.0.3
infra-2.rtr.infra.auro.re: 10.203.0.4
bird__router_id: "{{ bird__router_ids[inventory_hostname] }}"
bird__ospf_broadcast_interfaces:
ens19: null
bird__ospf_stub_interfaces:
- ens20
- ens21
- ens22
- ens23
- ens1
- ens2
- ens1s3
roles:
- bird
@ -73,8 +55,8 @@
- edge-2.rtr.infra.auro.re
vars:
bird__router_ids:
edge-1.rtr.infra.auro.re: 10.203.1.1
edge-2.rtr.infra.auro.re: 10.203.1.2
edge-1.rtr.infra.auro.re: 10.203.0.1
edge-2.rtr.infra.auro.re: 10.203.0.2
bird__asn:
aurore: 43619
crans: 204515

4
playbooks/chronyd.yml
Unescape Escape View File

@ -17,10 +17,10 @@
- chronyd
- hosts:
- all
- pve_network
- vm_network
- "!ntp-1.int.infra.auro.re"
- "!ntp-2.int.infra.auro.re"
- "!unifi"
vars:
chronyd__pools:
- ntp-1.int.infra.auro.re

493
playbooks/ifupdown2.yml
Unescape Escape View File

@ -1,313 +1,410 @@
#!/usr/bin/env ansible-playbook
---
- hosts:
- ntp-1.int.infra.auro.re
- dns-1.int.infra.auro.re
- dhcp-1.isp.auro.re
- dhcp-2.isp.auro.re
- isp-1.rtr.infra.auro.re
- isp-2.rtr.infra.auro.re
- edge-1.rtr.infra.auro.re
- edge-2.rtr.infra.auro.re
- infra-1.rtr.infra.auro.re
- infra-2.rtr.infra.auro.re
- vm_network
vars:
ifupdown2__gateways:
adm:
- 2a09:6840:128::254
- 10.128.0.254
# TODO: netbox
ifupdown2__hosts:
ntp-1.int.infra.auro.re:
edge-1.rtr.infra.auro.re:
ens18:
addresses:
- 2a09:6840:128::10:2/56
- 10.128.10.2/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
ipv6_addrgen: false
forward: true
ens20:
ipv6_addrgen: false
forward: true
ens21:
ipv6_addrgen: false
forward: true
ens22:
addresses:
- 2a09:6840:203:0:1::1/56
- 10.203.0.1/16
forward: true
edge-2.rtr.infra.auro.re:
ens18:
gateways:
- 2a09:6840:128::254
- 10.128.0.254
addresses:
- 2a09:6840:128::203/56
- 10.128.0.203/16
- 2a09:6840:128:10:102/56
- 10.128.10.102/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
ipv6_addrgen: false
forward: true
ens20:
ipv6_addrgen: false
forward: true
ens21:
ipv6_addrgen: false
forward: true
ens22:
addresses:
- 2a09:6840:203:0:2::1/56
- 10.203.0.2/16
forward: true
dns-1.int.infra.auro.re:
ens18:
gateways:
- 2a09:6840:128::254
- 10.128.0.254
addresses:
- 2a09:6840:128::127/56
- 10.128.0.127/16
dhcp-1.isp.auro.re:
- 2a09:6840:128::10:3/56
- 10.128.10.3/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
addresses:
- 2a09:6840:206:0:2::1/56
- 10.206.0.2/16
dns-2.int.infra.auro.re:
ens18:
addresses:
- 2a09:6840:128::10:103/56
- 10.128.10.103/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
addresses:
- 2a09:6840:206:0:3::1/56
- 10.206.0.3/16
ssh-1.mgmt.infra.auro.re:
ens18:
addresses:
- 2a09:6840:128::10:1/56
- 10.128.10.1/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
- 45.66.108.2/16
ssh-2.mgmt.infra.auro.re:
ens18:
addresses:
- 2a09:6840:128::10:101/56
- 10.128.10.101/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
- 45.66.108.3/16
infra-1.rtr.infra.auro.re:
ens18:
addresses:
- 2a09:6840:128::10:4/56
- 10.128.10.4/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
addresses:
- 2a09:6840:203:1:3::1/56
- 10.203.1.3/16
forward: true
ens20:
ipv6_addrgen: false
forward: true
ens21:
ipv6_addrgen: false
forward: true
ens22:
ipv6_addrgen: false
forward: true
ens23:
ipv6_addrgen: false
forward: true
ens1:
ipv6_addrgen: false
forward: true
ens2:
ipv6_addrgen: false
forward: true
enp1s3:
ipv6_addrgen: false
forward: true
infra-2.rtr.infra.auro.re:
ens18:
addresses:
- 2a09:6840:128::10:104/56
- 10.128.10.104/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
addresses:
- 2a09:6840:203:4::1/64
- 10.203.1.4/16
forward: true
ens20:
ipv6_addrgen: false
forward: true
ens21:
ipv6_addrgen: false
forward: true
ens22:
ipv6_addrgen: false
forward: true
ens23:
ipv6_addrgen: false
forward: true
ens1:
ipv6_addrgen: false
forward: true
ens2:
ipv6_addrgen: false
forward: true
enp1s3:
ipv6_addrgen: false
forward: true
isp-1.rtr.infra.auro.re:
ens18:
gateways:
- 2a09:6840:128::254
- 10.128.0.254
addresses:
- 2a09:6840:128::204/56
- 10.128.0.204/16
ens19: null
- 2a09:6840:128::10:5/56
- 10.128.10.5/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
addresses:
- 2a09:6840:203:0:5::1/56
- 10.203.0.5/16
forward: true
ens20:
ipv6_addrgen: false
clients:
bridge_vlan_aware: true
bridge_ports:
- ens19
- ens20
bridge_vids:
- 1000-1004
bridge_disable_pvid: true
ipv6_addrgen: false
forward: true
client-0:
addresses:
- 100.64.0.2/27
vlan_id: 1000
vlan_raw_device: clients
ipv6_addrgen: false
forward: true
client-1:
addresses:
- 100.64.0.34/27
vlan_id: 1001
vlan_raw_device: clients
ipv6_addrgen: false
forward: true
client-2:
addresses:
- 100.64.0.66/27
vlan_id: 1002
vlan_raw_device: clients
ipv6_addrgen: false
forward: true
client-3:
addresses:
- 100.64.0.98/27
vlan_id: 1003
vlan_raw_device: clients
ipv6_addrgen: false
forward: true
client-4:
addresses:
- 100.64.0.130/27
vlan_id: 1004
vlan_raw_device: clients
dhcp-2.isp.auro.re:
ipv6_addrgen: false
forward: true
isp-2.rtr.infra.auro.re:
ens18:
gateways:
- 2a09:6840:128::254
- 10.128.0.254
addresses:
- 2a09:6840:128::91/56
- 10.128.0.91/16
ens19: null
- 2a09:6840:128::10:105/56
- 10.128.10.105/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
addresses:
- 2a09:6840:203:0:5::1/56
- 10.203.0.5/16
forward: true
ens20:
ipv6_addrgen: false
clients:
bridge_vlan_aware: true
bridge_ports:
- ens19
- ens20
bridge_vids:
- 1000-1004
forward: true
client-0:
addresses:
- 100.64.0.3/27
vlan_id: 1000
vlan_raw_device: clients
ipv6_addrgen: false
forward: true
client-1:
addresses:
- 100.64.0.35/27
vlan_id: 1001
vlan_raw_device: clients
ipv6_addrgen: false
forward: true
client-2:
addresses:
- 100.64.0.67/27
vlan_id: 1002
vlan_raw_device: clients
ipv6_addrgen: false
forward: true
client-3:
addresses:
- 100.64.0.99/27
vlan_id: 1003
vlan_raw_device: clients
ipv6_addrgen: false
forward: true
client-4:
addresses:
- 100.64.0.131/27
vlan_id: 1004
vlan_raw_device: clients
isp-1.rtr.infra.auro.re:
ipv6_addrgen: false
forward: true
dhcp-1.isp.infra.auro.re:
ens18:
gateways:
- 2a09:6840:128::254
- 10.128.0.254
addresses:
- 2a09:6840:128::255/56
- 10.128.0.255/16
ens19: null
ens20:
forward: true
- 2a09:6840:128::10:6/56
- 10.128.10.6/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
addresses:
- 2a09:6840:136:0:1::1/56
- 10.136.0.1/16
- 2a09:6840:210:1:1::1/56
- 10.210.1.1/16
ens20: null
clients:
bridge_vlan_aware: true
bridge_ports:
- ens19
- ens20
bridge_vids:
- 1000-1004
bridge_disable_pvid: true
forward: true
ipv6_addrgen: false
client-0:
forward: true
addresses:
- 100.64.0.2/27
vlan_id: 1000
vlan_raw_device: clients
ipv6_addrgen: false
client-1:
forward: true
addresses:
- 100.64.0.34/27
vlan_id: 1001
vlan_raw_device: clients
ipv6_addrgen: false
client-2:
forward: true
addresses:
- 100.64.0.66/27
vlan_id: 1002
vlan_raw_device: clients
ipv6_addrgen: false
client-3:
forward: true
addresses:
- 100.64.0.98/27
vlan_id: 1003
vlan_raw_device: clients
ipv6_addrgen: false
client-4:
forward: true
addresses:
- 100.64.0.130/27
vlan_id: 1004
vlan_raw_device: clients
ipv6_addrgen: false
isp-2.rtr.infra.auro.re:
dhcp-2.isp.infra.auro.re:
ens18:
gateways:
- 2a09:6840:128::254
- 10.128.0.254
addresses:
- 2a09:6840:128::158/56
- 10.128.0.158/16
ens19: null
ens20:
forward: true
- 2a09:6840:128::10:106/56
- 10.128.10.106/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
addresses:
- 2a09:6840:136:0:2::1/56
- 10.136.0.2/16
- 2a09:6840:210:1:2::1/56
- 10.210.1.2/16
ens20: null
clients:
bridge_vlan_aware: true
bridge_ports:
- ens19
- ens20
bridge_vids:
- 1000-1004
client-0:
forward: true
addresses:
- 100.64.0.3/27
vlan_id: 1000
vlan_raw_device: clients
ipv6_addrgen: false
client-1:
forward: true
addresses:
- 100.64.0.35/27
vlan_id: 1001
vlan_raw_device: clients
ipv6_addrgen: false
client-2:
forward: true
addresses:
- 100.64.0.67/27
vlan_id: 1002
vlan_raw_device: clients
ipv6_addrgen: false
client-3:
forward: true
addresses:
- 100.64.0.99/27
vlan_id: 1003
vlan_raw_device: clients
ipv6_addrgen: false
client-4:
forward: true
addresses:
- 100.64.0.131/27
vlan_id: 1004
vlan_raw_device: clients
ipv6_addrgen: false
edge-1.rtr.infra.auro.re:
radius-1.isp.infra.auro.re:
ens18:
gateways:
- 2a09:6840:128::254
- 10.128.0.254
addresses:
- 2a09:6840:128::186/56
- 10.128.0.186/16
ens19: null # crans
ens20: null # vr
ens21: null # zayo
ens22: # backbone
addresses:
- 2a09:6840:203:1:1::1/64
- 10.203.1.1/16
edge-2.rtr.infra.auro.re:
addresses:
- 2a09:6840:128::10:7/56
- 10.128.10.7/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
addresses:
- 2a09:6840:210:1:1::1/56
- 10.210.1.1/16
radius-2.isp.infra.auro.re:
ens18:
gateways:
- 2a09:6840:128::254
- 10.128.0.254
addresses:
- 2a09:6840:128::228/56
- 10.128.0.228/16
ens19: null # crans
ens20: null # vr
ens21: null # zayo
ens22: # backbone
addresses:
- 2a09:6840:203:1:2::1/64
- 10.203.1.2/16
infra-1.rtr.infra.auro.re:
addresses:
- 2a09:6840:128::10:107/56
- 10.128.10.107/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
addresses:
- 2a09:6840:210:1:2::1/56
ldap-1.int.infra.auro.re:
ens18:
gateways:
- 2a09:6840:128::254
- 10.128.0.254
addresses:
- 2a09:6840:128::2:76/56
- 10.128.2.76/16
- 2a09:6840:128::10:8/56
- 10.128.10.8/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
addresses:
- 2a09:6840:1:3::1/64
- 10.203.1.3/16
ens20:
ipv6_addrgen: false
ens21:
ipv6_addrgen: false
ens22:
ipv6_addrgen: false
ens23:
ipv6_addrgen: false
ens1:
ipv6_addrgen: false
ens2:
ipv6_addrgen: false
enp1s3:
ipv6_addrgen: false
infra-2.rtr.infra.auro.re:
- 2a09:6840:206:1:3::1/56
- 10.206.1.3/16
ldap-2.int.infra.auro.re:
ens18:
gateways:
- 2a09:6840:128::254
- 10.128.0.254
addresses:
- 2a09:6840:128::2:27/56
- 10.128.2.27/16
- 2a09:6840:128::10:108/56
- 10.128.10.108/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
addresses:
- 2a09:6840:1:4::1/64
- 10.203.1.4/16
ens20:
ipv6_addrgen: false
ens21:
ipv6_addrgen: false
ens22:
ipv6_addrgen: false
ens23:
ipv6_addrgen: false
ens1:
ipv6_addrgen: false
ens2:
ipv6_addrgen: false
enp1s3:
ipv6_addrgen: false
- 2a09:6840:206:1:4::1/56
- 10.206.1.4/16
ntp-1.int.infra.auro.re:
ens18:
addresses:
- 2a09:6840:128::10:9/56
- 10.128.10.9/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
addresses:
- 2a09:6840:206:1:5::1/56
- 10.206.1.5/16
ntp-2.int.infra.auro.re:
ens18:
addresses:
- 2a09:6840:128::10:109/56
- 10.128.10.109/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
addresses:
- 2a09:6840:206:1:6::1/56
- 10.206.1.6/16
prometheus-1.monit.infra.auro.re:
ens18:
addresses:
- 2a09:6840:128::10:10/56
- 10.128.10.10/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
addresses:
- 2a09:6840:204:1:1::1/56
- 10.204.1.1/16
prometheus-2.monit.infra.auro.re:
ens18:
addresses:
- 2a09:6840:128::10:110/56
- 10.128.10.110/16
gateways: "{{ ifupdown2__gateways.adm }}"
ens19:
addresses:
- 2a09:6840:204:1:2::1/56
- 10.204.1.2/16
ifupdown2__interfaces: "{{ ifupdown2__hosts[inventory_hostname] }}"
roles:
- ifupdown2
- hosts:
- ntp-1.int.infra.auro.re
- dns-1.int.infra.auro.re
- dhcp-1.isp.auro.re
- dhcp-2.isp.auro.re
- isp-1.rtr.infra.auro.re
- isp-2.rtr.infra.auro.re
- edge-1.rtr.infra.auro.re
- edge-2.rtr.infra.auro.re
- infra-1.rtr.infra.auro.re
- infra-2.rtr.infra.auro.re
vars:
resolvconf__nameservers:
- 2a09:6840:128::127
- 10.128.0.127
resolvconf__domain: auro.re
resolvconf__search:
- "{{ inventory_hostname | remove_domain_suffix }}"
- auro.re
roles:
- resolvconf
...

16
playbooks/keepalived.yml
Unescape Escape View File

@ -5,7 +5,7 @@
- isp-2.rtr.infra.auro.re
vars:
keepalived__virtual_router_id: 80
keepalived__interface: ens20
keepalived__interface: ens19
keepalived__virtual_addresses:
client-0:
- 100.64.0.1/27
@ -61,31 +61,31 @@
keepalived__virtual_addresses:
ens20:
- 10.204.0.1/16
- 2a09:6840:204::1/64
- 2a09:6840:204::1/56
- fe80::1/10
ens21:
- 10.205.0.1/16
- 2a09:6840:205::1/64
- 2a09:6840:205::1/56
- fe80::1/10
ens22:
- 10.206.0.1/16
- 2a09:6840:206::1/64
- 2a09:6840:206::1/56
- fe80::1/10
ens23:
- 10.207.0.1/16
- 2a09:6840:207::1/64
- 2a09:6840:207::1/56
- fe80::1/10
ens1:
- 10.208.0.1/16
- 2a09:6840:208::1/64
- 2a09:6840:208::1/56
- fe80::1/10
ens2:
- 10.209.0.1/16
- 2a09:6840:209::1/64
- 2a09:6840:209::1/56
- fe80::1/10
enp1s3:
- 10.210.0.1/16
- 2a09:6840:210::1/64
- 2a09:6840:210::1/56
- fe80::1/10
roles:
- keepalived

4
playbooks/knotd.yml
Unescape Escape View File

@ -361,8 +361,8 @@
- 10.128.10.1
- 2a09:6840:128::10:1
ssh-2.mgmt:
- 10.128.10.2
- 2a09:6840:128::10:2
- 10.128.10.101
- 2a09:6840:128::10:101
infra-1.rtr:
- 10.128.10.4
- 2a09:6840:128::10:4

10
playbooks/radius.yml
Unescape Escape View File

@ -1,10 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Deploy Radius
- hosts: radius-*.adm.auro.re
vars:
update_motd:
unbound: FreeRADIUS est déployé.
roles:
- radius
- update_motd

16
playbooks/resolvconf.yml
Unescape Escape View File

@ -0,0 +1,16 @@
#!/usr/bin/env ansible-playbook
---
- hosts:
- vm_network
- pve_network
vars:
resolvconf__nameservers:
- 2a09:6840:128::10:3
- 10.128.10.3
resolvconf__domain: auro.re.
resolvconf__search:
- "{{ inventory_hostname | remove_domain_suffix }}"
- auro.re.
roles:
- resolvconf
...

4
playbooks/root.yml
Unescape Escape View File

@ -1,6 +1,8 @@
#!/usr/bin/env ansible-playbook
---
- hosts: all,!unifi
- hosts:
- vm_network
- pve_network
vars:
root_shell: /bin/bash
root_password: "{{ vault_root_password }}"

23
playbooks/router.yml
Unescape Escape View File

@ -1,23 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Deploy firewall and keepalived
# radvd: IPv6 SLAAC (/64 subnets, private IPs).
# Must NOT be on routeur-aurore-*, or will with DHCPv6!
- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
vars:
update_motd:
unbound: Le routage (avec radvd) est déployé.
roles:
- router
- radvd
- update_motd
# No radvd here
- hosts: ~routeur-aurore.*\.adm\.auro\.re
vars:
update_motd:
unbound: Le routage (avec DHCPv6) est déployé.
roles:
- router
- ipv6_edge_router
- update_motd

4
playbooks/ssh.yml
Unescape Escape View File

@ -1,6 +1,8 @@
#!/usr/bin/env ansible-playbook
---
- hosts: all,!unifi
- hosts:
- pve_network
- vm_network
vars:
openssh_users_ca_public_key:
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAAB\

8
roles/base_utils/tasks/main.yml
Unescape Escape View File

@ -0,0 +1,8 @@
---
- name: Install base utils
apt:
name:
- htop
- vim
- dnsutils
...
Write Preview
Loading…
Cancel
Save