Merge pull request 'Move playbooks in subfolder' (#73) from move_playbooks into master

Reviewed-on: #73
erdnaxe 2021-11-28 10:16:26 +01:00
commit 3c25e64516
24 changed files with 135 additions and 146 deletions


@ -2,8 +2,9 @@
# Recettes Ansible d'Aurore
Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore.
Pour les utiliser, vérifiez que vous avez au moins Ansible 2.7.
Dépendances requises :
* Ansible 2.9 ou plus récent.
## Ansible 101


@ -2,6 +2,9 @@
[defaults]
# Explicitly redefine some defaults to make subfolder execution work
roles_path = ./roles
# Do not create .retry files
retry_files_enabled = False
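Review bot: `roles_path = ./roles` only helps when this ansible.cfg is actually loaded, and Ansible discovers it from the current working directory (or `ANSIBLE_CONFIG`), not from the playbook's directory; running `cd playbooks && ansible-playbook docker.yml` therefore still falls back to the defaults and will not find `../roles`. The comment above the setting should say so, e.g. `# Run ansible-playbook from the repository root (or set ANSIBLE_CONFIG) so this file is picked up`. The relative path itself is, as far as I recall, resolved against the directory containing the config file, so the value is fine for root-relative invocation. The section continues outside the hunk.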

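--- a/deploy_all.sh
+++ b/deploy_all.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Deploy all playbooks
+ansible-playbook playbooks/*.yml $@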
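Review bot: `$@` on the last line is unquoted, so any argument containing whitespace (`--limit 'a b'`, `-e 'key=some value'`) is re-split before reaching ansible-playbook; write `ansible-playbook playbooks/*.yml "$@"`. The glob is also relative to the caller's working directory, so invoking the script from anywhere but the repository root passes a literal `playbooks/*.yml` and fails, and the repository's ansible.cfg is not discovered either; a first line of `cd "$(dirname "$0")" || exit 1` would make the expected working directory explicit. Note that the glob runs every playbook in alphabetical order, which is worth stating in the header comment since some plays (e.g. base configuration) presumably need to run before others.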


@ -1,9 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Deploy a correclty configured postfix on non mailhost servers
- hosts: all,!unifi
vars:
local_network: 10.128.0.0/16
relay_host: proxy.adm.auro.re
roles:
- postfix_non_mailhost


@ -1,82 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# Set up DHCP servers.
- hosts: dhcp-*.adm.auro.re
vars:
update_motd:
unbound: isc-dhcp-server est déployé.
roles:
- isc_dhcp_server
- update_motd
# Deploy unbound DNS server (recursive).
- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
vars:
update_motd:
unbound: Unbound est déployé.
roles:
- unbound
- update_motd
# Déploiement du service re2o aurore-firewall et keepalived
# radvd: IPv6 SLAAC (/64 subnets, private IPs).
# Must NOT be on routeur-aurore-*, or will with DHCPv6!
- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
vars:
update_motd:
unbound: Le routage (avec radvd) est déployé.
roles:
- router
- radvd
- update_motd
# No radvd here
- hosts: ~routeur-aurore.*\.adm\.auro\.re
vars:
update_motd:
unbound: Le routage (avec DHCPv6) est déployé.
roles:
- router
- ipv6_edge_router
- update_motd
# Radius (backup only for now)
- hosts: radius-*.adm.auro.re
vars:
update_motd:
unbound: FreeRADIUS est déployé.
roles:
- radius
- update_motd
# WIP: Deploy authoritative DNS servers
# - hosts: authoritative_dns
# vars:
# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
# service_name: dns
# service_version: crans
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o_service
# Deploy Unifi Controller
# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
# roles:
# - unifi-controller
# Deploy Re2o switch service
# - hosts: switchs-manager.adm.auro.re
# vars:
# service_repo: https://gitlab.federez.net/re2o/switchs.git
# service_name: switchs
# service_version: master
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o_service


@ -5,14 +5,6 @@
roles:
- baseconfig
- basesecurity
- update_motd
# Plug LDAP on all servers
- hosts: all,!unifi
roles:
- ldap_client
# Install logrotate
- hosts: all,!unifi,!pve
roles:
- logrotate
- update_motd
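Review bot: The `ldap_client` play (`hosts: all,!unifi`) and the `logrotate` play (`hosts: all,!unifi,!pve`) appear to be removed from this file (the hunk shrinks from 14 to 6 lines), and no playbook re-adding them is visible in this page; if they were moved to files outside the shown sections that is fine, otherwise LDAP client and logrotate configuration silently drop out of what `deploy_all.sh` applies. The same question applies to the `matrix-services.adm.auro.re` / `debian_backports` play removed in the matrix hunk and to the `passbolt` play removed from the services playbook. Naming the destination file for each moved play in the commit message would settle it. The enclosing file starts outside the hunk.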


@ -10,7 +10,7 @@
- borgbackup_server
- update_motd
- hosts: all,!unifi,!unifi-*,!wiki.adm.auro.re
- hosts: all,!unifi,!unifi-*
vars:
update_motd:
borgbackup_client: >-
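Review bot: The hosts pattern appears to change from `all,!unifi,!unifi-*,!wiki.adm.auro.re` to `all,!unifi,!unifi-*` (the two lines print old then new, so this is inferred from print order), which re-enrols wiki.adm.auro.re as a borgbackup client; that is a scope change unrelated to moving playbooks into a subfolder. If it is intended, say so in the commit message or in a comment above the play, e.g. `# wiki is backed up again since <DATE>`; if not, keep the exclusion. The play continues outside the hunk.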

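--- a/playbooks/docker.yml
+++ b/playbooks/docker.yml
@@ -0,0 +1,10 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy Docker hosts
+- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,wikijs.adm.auro.re
+vars:
+update_motd:
+docker: Docker est déployé.
+roles:
+- docker
+- update_motd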
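Review bot: The `- hosts:` line drops `stream.adm.auro.re` relative to the play removed from the services playbook (`docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,stream.adm.auro.re,wikijs.adm.auro.re`), so that host stops receiving the `docker` role and its MOTD update in a commit described as a move. If the host is decommissioned, a one-line comment such as `# stream.adm.auro.re removed: <REASON>` would help the next reader; otherwise restore it. A long comma-separated pattern would also be easier to maintain as an inventory group (`- hosts: docker`) than as a list of FQDNs in the playbook.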

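--- a/playbooks/isc-dhcp-server.yml
+++ b/playbooks/isc-dhcp-server.yml
@@ -0,0 +1,9 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: dhcp-*.adm.auro.re
+vars:
+update_motd:
+unbound: isc-dhcp-server est déployé.
+roles:
+- isc_dhcp_server
+- update_motd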
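Review bot: The `update_motd` key for this play is `unbound:` although the message describes isc-dhcp-server; the radius and router playbooks in this commit carry the same `unbound:` key for their own services, while the new docker playbook correctly uses `docker:`. If the key names the MOTD entry, several services overwrite each other's line on co-located hosts; `isc_dhcp_server: isc-dhcp-server est déployé.` would be the consistent choice. This was copied verbatim from the deleted playbook, so it is pre-existing, but the move is a cheap moment to fix it.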

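--- a/playbooks/knot.yml
+++ b/playbooks/knot.yml
@@ -0,0 +1,17 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: all
+roles: []
+# WIP: Deploy authoritative DNS servers
+# - hosts: authoritative_dns
+# vars:
+# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
+# service_name: dns
+# service_version: crans
+# service_config:
+# hostname: re2o-server.adm.auro.re
+# username: service-user
+# password: "{{ vault_serviceuser_passwd }}"
+# roles:
+# - re2o_service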
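Review bot: The placeholder play `- hosts: all` with `roles: []` is not a no-op: with default settings it still connects to every inventory host and gathers facts each time `deploy_all.sh` runs, only to apply nothing, which costs time and produces noise in logs on every host. If the placeholder is there because an empty playbook is rejected, target the controller instead: `- hosts: localhost`, `gather_facts: false`, `roles: []`, with a comment saying it is a stub until the WIP play below is enabled. The same pattern appears in playbooks/switchs-manager.yml, playbooks/unifi.yml and in the ldap playbook hunk.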


@ -1,7 +1,10 @@
#!/usr/bin/env ansible-playbook
---
- hosts: all
roles: []
# Clone LDAP on local geographic location
# DON'T DO THIS AS IT RECREATES THE REPLICA
- hosts: ldap_replica
roles:
- ldap_replica
#- hosts: ldap_replica
# roles:
# - ldap_replica


@ -1,6 +1,6 @@
#!/usr/bin/env ansible-playbook
---
# Install Matrix Synapse on corresponding containers
# Install Matrix Synapse
- hosts: synapse.adm.auro.re
vars:
mxisd_releases: https://github.com/kamax-matrix/mxisd/releases
@ -16,8 +16,3 @@
- matrix_appservice_irc
- matrix_appservice_webhooks
- update_motd
# Install Matrix services
- hosts: matrix-services.adm.auro.re
roles:
- debian_backports


@ -1,19 +1,5 @@
#!/usr/bin/env ansible-playbook
---
# Deploy Docker hosts
- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re,stream.adm.auro.re,wikijs.adm.auro.re
vars:
update_motd:
docker: Docker est déployé.
roles:
- docker
- update_motd
# Deploy Passbolt
- hosts: passbolt.adm.auro.re
roles:
- passbolt
- hosts: reverseproxy
vars:
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'


@ -1,4 +1,13 @@
#!/usr/bin/env ansible-playbook
---
# Deploy Postfix on non mailhost servers
- hosts: all,!unifi
vars:
local_network: 10.128.0.0/16
relay_host: proxy.adm.auro.re
roles:
- postfix_non_mailhost
# Deploy Re2o mail service
- hosts: mail.auro.re
vars:
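Review bot: The `postfix_non_mailhost` play moved to the top of this file targets `all,!unifi`, which presumably also matches `mail.auro.re`, the host the next play configures as the Re2o mail service; the pattern is unchanged from the deleted standalone playbook, but now that both plays share a file the overlap is obvious and cheap to close with `- hosts: all,!unifi,!mail.auro.re`, provided the role is indeed not meant for the mail host (confirm against the role). The relay target `relay_host: proxy.adm.auro.re` and `local_network: 10.128.0.0/16` would also read better as group vars than as play vars duplicated next to the mail play. The second play continues outside the hunk.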
@ -10,4 +19,4 @@
username: service-user
password: "{{ vault_serviceuser_passwd }}"
roles:
- re2o-service
- re2o_service


@ -1,7 +1,7 @@
#!/usr/bin/env ansible-playbook
---
# Install and configure bdd servers at Saclay and at OVH
- hosts: bdd,!re2o-bdd.adm.auro.re,!services-bdd-local.adm.auro.re
# Install and configure database servers at Saclay and at OVH
- hosts: bdd.adm.auro.re,bdd-ovh.adm.auro.re
vars:
update_motd:
postgresql: PostgreSQL est déployé.
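Review bot: The target appears to change from the `bdd` group minus two exclusions to the explicit hosts `bdd.adm.auro.re,bdd-ovh.adm.auro.re` (old and new lines print in order, so this is inferred); any other member of `bdd` silently stops receiving PostgreSQL, which is a scope change rather than a move. If the group still exists, `- hosts: bdd,!re2o-bdd.adm.auro.re,!services-bdd-local.adm.auro.re` keeps the inventory as the single source of truth; otherwise the commit message should mention the narrowing. The play continues outside the hunk.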

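--- a/playbooks/radius.yml
+++ b/playbooks/radius.yml
@@ -0,0 +1,10 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy Radius
+- hosts: radius-*.adm.auro.re
+vars:
+update_motd:
+unbound: FreeRADIUS est déployé.
+roles:
+- radius
+- update_motd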

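--- a/playbooks/router.yml
+++ b/playbooks/router.yml
@@ -0,0 +1,23 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy firewall and keepalived
+# radvd: IPv6 SLAAC (/64 subnets, private IPs).
+# Must NOT be on routeur-aurore-*, or will with DHCPv6!
+- hosts: ~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re
+vars:
+update_motd:
+unbound: Le routage (avec radvd) est déployé.
+roles:
+- router
+- radvd
+- update_motd
+# No radvd here
+- hosts: ~routeur-aurore.*\.adm\.auro\.re
+vars:
+update_motd:
+unbound: Le routage (avec DHCPv6) est déployé.
+roles:
+- router
+- ipv6_edge_router
+- update_motd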
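Review bot: The two plays rely on the regex patterns `~routeur-(pacaterie|edc|fleming|gs|rives).*\.adm\.auro\.re` and `~routeur-aurore.*\.adm\.auro\.re` being disjoint to honour the warning "Must NOT be on routeur-aurore-*", but the first pattern is an explicit site list that has to be edited whenever a site is added, and a new router that matches neither is silently skipped. Two inventory groups (e.g. `routers_radvd` and `routers_dhcpv6`) with `- hosts: routers_radvd` would make the split explicit and let `ansible-inventory --graph` show which router gets which role. The comment "or will with DHCPv6!" is also missing a verb; `# Must NOT run on routeur-aurore-*: it would conflict with DHCPv6 there` reads clearer.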

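--- a/playbooks/switchs-manager.yml
+++ b/playbooks/switchs-manager.yml
@@ -0,0 +1,17 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: all
+roles: []
+# Deploy Re2o switch service
+# - hosts: switchs-manager.adm.auro.re
+# vars:
+# service_repo: https://gitlab.federez.net/re2o/switchs.git
+# service_name: switchs
+# service_version: master
+# service_config:
+# hostname: re2o-server.adm.auro.re
+# username: service-user
+# password: "{{ vault_serviceuser_passwd }}"
+# roles:
+# - re2o_service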

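--- a/playbooks/unbound.yml
+++ b/playbooks/unbound.yml
@@ -0,0 +1,10 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy unbound DNS server (recursive).
+- hosts: dns-*.adm.auro.re,!dns-aurore*.adm.auro.re
+vars:
+update_motd:
+unbound: Unbound est déployé.
+roles:
+- unbound
+- update_motd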

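--- a/playbooks/unifi.yml
+++ b/playbooks/unifi.yml
@@ -0,0 +1,9 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: all
+roles: []
+# Deploy Unifi Controller
+# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
+# roles:
+# - unifi-controller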


@ -1,17 +0,0 @@
#!/usr/bin/env ansible-playbook
---
# This is a special playbook to upgrade sudo everywhere after the
# CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
# Please always use with --limit myserver.adm.auro.re
# And list updates with --check
- hosts: all
tasks:
- name: Upgrade sudo
apt:
name: sudo
state: latest
update_cache: true
cache_valid_time: 3600 # one hour
register: apt_result
retries: 3
until: apt_result is succeeded