Merge branch 'fix-ci' into 'master'

Fix CI

See merge request aurore/ansible!48
This commit is contained in:
ynerant 2020-11-04 20:54:55 +01:00
commit 61f78f5bd3
86 changed files with 115 additions and 74 deletions

19
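--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,19 @@
+---
+kind: pipeline
+type: docker
+name: check
+steps:
+- name: yamllint
+image: python:3.9-alpine
+commands:
+- pip install yamllint==1.25.0
+- yamllint -c .yamllint.yml .
+- name: ansible-lint
+image: python:3.9-alpine
+commands:
+- apk add --no-cache gcc libc-dev libffi-dev openssl-dev
+- pip install ansible-lint==4.3.7
+- ansible-lint *.yml
+...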
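Review bot: Both steps install their linter from PyPI by version only (`pip install yamllint==1.25.0`, `pip install ansible-lint==4.3.7`) inside the floating `python:3.9-alpine` tag, so what this pipeline actually executes can change without any commit to the repository. Pinning the image by digest (`image: python:3.9-alpine@sha256:…`) and installing from a hash-pinned requirements file (`pip install --require-hashes -r ci/requirements.txt`) makes the lint job reproducible and closes the simplest dependency-substitution path. Since the pipeline runs whatever `.drone.yml` a pushed branch carries, also consider a `trigger:` block limiting the events that start it unless the Drone repository is already marked protected.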


@ -1,5 +1,5 @@
--- ---
image: python:3.6 image: python:3.9-alpine
stages: stages:
- lint - lint
@ -7,12 +7,13 @@ stages:
yamllint: yamllint:
stage: lint stage: lint
script: script:
- pip install yamllint==1.15.0 - pip install yamllint==1.25.0
- yamllint -c .yamllint.yml . - yamllint -c .yamllint.yml .
ansible-lint: ansible-lint:
stage: lint stage: lint
script: script:
- pip install ansible-lint==4.0.0 - apk add gcc libc-dev libffi-dev openssl-dev
- pip install ansible-lint==4.3.7
- ansible-lint *.yml - ansible-lint *.yml
... ...
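Review bot: The new `apk add gcc libc-dev libffi-dev openssl-dev` line drops the `--no-cache` flag that the equivalent step in `.drone.yml` uses, so the two CI definitions diverge for no reason; `- apk add --no-cache gcc libc-dev libffi-dev openssl-dev` keeps them identical and avoids leaving the package index in the job container. The version-only `pip install` pins have the same supply-chain weakness as in `.drone.yml`; a single hash-pinned requirements file shared by both pipelines would let them install exactly the same wheels.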


@ -3,5 +3,6 @@ extends: default
rules: rules:
line-length: line-length:
max: 120
level: warning level: warning
... ...


@ -9,5 +9,4 @@
# Plug LDAP on all servers # Plug LDAP on all servers
- hosts: all,!unifi - hosts: all,!unifi
roles: roles:
- ldap-client - ldap_client


@ -48,7 +48,7 @@ dns_host_suffix_main: 253
dns_host_suffix_backup: 153 dns_host_suffix_backup: 153
backup_dns_servers: backup_dns_servers:
- "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
# Finally raised! # Finally raised!
mtu: 1500 mtu: 1500


@ -1,3 +1,4 @@
---
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
61333538366635353537346231363235653162356330396434383631656465616330363136306563 61333538366635353537346231363235653162356330396434383631656465616330363136306563
3861333166386536633437386335613461646466346239360a643139303037613937373631313661 3861333166386536633437386335613461646466346239360a643139303037613937373631313661
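Review bot: Prepending `---` to this vault-encrypted file breaks it: Ansible recognises vault content by checking that the file starts with the `$ANSIBLE_VAULT;1.1;AES256` header, so after this change the loader will treat the file as plain YAML instead of decrypting it, and `ansible-vault view`/`edit` will report that it is not vault data. The header must stay on line 1; satisfy yamllint's `document-start` rule by excluding the vault files instead, e.g. an `ignore:` entry in `.yamllint.yml` matching their paths. Worth running `ansible-vault view` on this file before merging and checking whether other encrypted files in this 86-file change received the same `---`.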


@ -1,4 +1,3 @@
--- ---
ldap_local_replica_uri: ldap_local_replica_uri:
- 'ldap://ldap-replica-edc.adm.auro.re' - 'ldap://ldap-replica-edc.adm.auro.re'


@ -4,4 +4,4 @@
# DON'T DO THIS AS IT RECREATES THE REPLICA # DON'T DO THIS AS IT RECREATES THE REPLICA
- hosts: ldap_replica - hosts: ldap_replica
roles: roles:
- ldap-replica - ldap_replica


@ -6,13 +6,13 @@
mxisd_releases: https://github.com/kamax-matrix/mxisd/releases mxisd_releases: https://github.com/kamax-matrix/mxisd/releases
mxisd_deb: "{{ mxisd_releases }}/download/v1.3.1/mxisd_1.3.1_all.deb" mxisd_deb: "{{ mxisd_releases }}/download/v1.3.1/mxisd_1.3.1_all.deb"
roles: roles:
- debian-backports - debian_backports
- nodejs - nodejs
- matrix-synapse - matrix_synapse
- matrix-appservice-irc - matrix_appservice_irc
- matrix-appservice-webhooks - matrix_appservice_webhooks
# Install Matrix services # Install Matrix services
- hosts: matrix-services.adm.auro.re - hosts: matrix-services.adm.auro.re
roles: roles:
- debian-backports - debian_backports


@ -59,4 +59,4 @@
# Monitor all hosts # Monitor all hosts
- hosts: all,!unifi,!ovh - hosts: all,!unifi,!ovh
roles: roles:
- prometheus-node - prometheus_node


@ -3,7 +3,7 @@
# Set up DHCP servers. # Set up DHCP servers.
- hosts: dhcp-*.adm.auro.re - hosts: dhcp-*.adm.auro.re
roles: roles:
- isc-dhcp-server - isc_dhcp_server
# Deploy unbound DNS server (recursive). # Deploy unbound DNS server (recursive).
@ -24,7 +24,7 @@
- hosts: ~routeur-aurore.*\.adm\.auro\.re - hosts: ~routeur-aurore.*\.adm\.auro\.re
roles: roles:
- router - router
- ipv6-edge-router - ipv6_edge_router
# Radius (backup only for now) # Radius (backup only for now)
- hosts: radius-*.adm.auro.re - hosts: radius-*.adm.auro.re
@ -47,19 +47,19 @@
# Deploy Unifi Controller # Deploy Unifi Controller
#- hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re # - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
# roles: # roles:
# - unifi-controller # - unifi-controller
# Deploy Re2o switch service # Deploy Re2o switch service
#- hosts: switchs-manager.adm.auro.re # - hosts: switchs-manager.adm.auro.re
# vars: # vars:
# service_repo: https://gitlab.federez.net/re2o/switchs.git # service_repo: https://gitlab.federez.net/re2o/switchs.git
# service_name: switchs # service_name: switchs
# service_version: master # service_version: master
# service_config: # service_config:
# hostname: re2o-server.adm.auro.re # hostname: re2o-server.adm.auro.re
# username: service-user # username: service-user
# password: "{{ vault_serviceuser_passwd }}" # password: "{{ vault_serviceuser_passwd }}"
# roles: # roles:
# - re2o-service # - re2o-service


@ -19,6 +19,7 @@
option: "{{ item.option }}" option: "{{ item.option }}"
value: "{{ item.value }}" value: "{{ item.value }}"
state: present state: present
mode: 0644
loop: loop:
- option: confirm - option: confirm
value: "true" value: "true"


@ -77,6 +77,7 @@
copy: copy:
src: "skel/dot_{{ item }}" src: "skel/dot_{{ item }}"
dest: "/etc/skel/.{{ item }}" dest: "/etc/skel/.{{ item }}"
mode: 0644
loop: loop:
- zshrc - zshrc
- zshrc.local - zshrc.local


@ -54,6 +54,7 @@
option: "{{ item.option }}" option: "{{ item.option }}"
value: "{{ item.value }}" value: "{{ item.value }}"
state: present state: present
mode: 0644
notify: Restart fail2ban service notify: Restart fail2ban service
loop: loop:
- section: sshd - section: sshd


@ -26,6 +26,7 @@
file: file:
path: /etc/letsencrypt/conf.d path: /etc/letsencrypt/conf.d
state: directory state: directory
mode: 0755
- name: Add Certbot configuration - name: Add Certbot configuration
template: template:


@ -1,5 +1,4 @@
--- ---
- name: install GPG - name: install GPG
apt: apt:
name: gnupg name: gnupg
@ -18,21 +17,23 @@
- name: Install frr - name: Install frr
apt: apt:
name: frr name: frr
- name: setup frr daemons - name: setup frr daemons
template: template:
src: daemons.j2 src: daemons.j2
dest: /etc/frr/daemons dest: /etc/frr/daemons
mode: 0644
notify: restart frr notify: restart frr
- name: setup frr.conf - name: setup frr.conf
template: template:
src: frr.conf.j2 src: frr.conf.j2
dest: /etc/frr/frr.conf dest: /etc/frr/frr.conf
mode: 0644
notify: restart frr notify: restart frr
- name: enable+start frr - name: enable+start frr
service: service:
name: frr name: frr
state: started state: started
enabled: yes enabled: true
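Review bot: `mode: 0644` on `/etc/frr/frr.conf` makes the routing configuration world-readable, and frr.conf is where BGP/OSPF neighbor passwords and other protocol authentication keys live if this deployment uses any; as far as I recall the Debian frr package ships it as 0640 owned by `frr:frr`. Prefer `mode: "0640"`, `owner: frr`, `group: frr` on the frr.conf task (the `daemons` file can stay 0644 but should also be owned by frr) so the daemon can still read it on a fresh host where the destination does not yet exist. Whether frr.conf.j2 actually embeds secrets is not visible in this hunk — check the template before deciding.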


@ -1,5 +1,6 @@
---
- name: force run dhcp re2o-service - name: force run dhcp re2o-service
shell: /var/local/re2o-services/dhcp/main.py --force command: /var/local/re2o-services/dhcp/main.py --force
become_user: re2o-services become_user: re2o-services
- name: restart dhcpd - name: restart dhcpd
@ -11,4 +12,3 @@
systemd: systemd:
name: rsyslog name: rsyslog
state: restarted state: restarted


@ -17,7 +17,8 @@
state: directory state: directory
owner: re2o-services owner: re2o-services
group: nogroup group: nogroup
recurse: yes recurse: true
mode: u=rwX,g=rX,o=rX
- name: Install isc-dhcp-server - name: Install isc-dhcp-server
apt: apt:
@ -101,7 +102,7 @@
when: is_aurore_host when: is_aurore_host
- name: force run dhcp re2o-service - name: force run dhcp re2o-service
shell: /var/local/re2o-services/dhcp/main.py --force command: /var/local/re2o-services/dhcp/main.py --force
- name: Ensure dhcpd is running - name: Ensure dhcpd is running
service: service:
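Review bot: The new recursive `mode: u=rwX,g=rX,o=rX` on the `re2o-services`-owned tree grants read access to every local account; this repository's re2o-service plays configure such services with a `vault_serviceuser_passwd` for the re2o API, so if the dhcp service's configuration lives under that directory its credentials become world-readable. Dropping `other` — `mode: u=rwX,g=rX,o=` — keeps the owner and group access the service needs, and if dhcpd itself must read generated files, give it group access rather than opening the tree. The `shell:` → `command:` change is fine since the invocation carries no shell syntax. Whether the service config is actually under this path is not visible in the hunk — please confirm before tightening.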


@ -40,6 +40,7 @@
file: file:
path: "{{ item }}" path: "{{ item }}"
state: directory state: directory
mode: 0755
loop: loop:
- /etc/ldap/slapd.d - /etc/ldap/slapd.d
- /var/lib/ldap - /var/lib/ldap
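Review bot: `mode: 0755` on `/etc/ldap/slapd.d` and `/var/lib/ldap` is wider than a replica needs: `slapd.d` holds the `cn=config` LDIFs, including the `olcSyncrepl` consumer entry whose `credentials=` bind password is stored in clear text, and `/var/lib/ldap` holds the database files. Debian ships both as `openldap:openldap` with group-only access as far as I recall, and because the task sets no `owner`/`group`, a directory it creates on a fresh host is root-owned, so a tighter mode must come with ownership: `mode: "0750"`, `owner: openldap`, `group: openldap` for both loop entries. The files inside are protected by their own modes, but an open directory is one careless `chmod` away from exposing the replication credentials.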


@ -11,6 +11,7 @@
template: template:
src: "nginx/snippets/{{ item }}.j2" src: "nginx/snippets/{{ item }}.j2"
dest: "/etc/nginx/snippets/{{ item }}" dest: "/etc/nginx/snippets/{{ item }}"
mode: 0644
loop: loop:
- options-ssl.conf - options-ssl.conf
- options-proxypass.conf - options-proxypass.conf
@ -19,11 +20,13 @@
template: template:
src: letsencrypt/dhparam.j2 src: letsencrypt/dhparam.j2
dest: /etc/letsencrypt/dhparam dest: /etc/letsencrypt/dhparam
mode: 0644
- name: Copy reverse proxy sites - name: Copy reverse proxy sites
template: template:
src: "nginx/sites-available/{{ item }}.j2" src: "nginx/sites-available/{{ item }}.j2"
dest: "/etc/nginx/sites-available/{{ item }}" dest: "/etc/nginx/sites-available/{{ item }}"
mode: 0644
loop: loop:
- reverseproxy - reverseproxy
- reverseproxy_redirect_dname - reverseproxy_redirect_dname
@ -35,6 +38,7 @@
src: "/etc/nginx/sites-available/{{ item }}" src: "/etc/nginx/sites-available/{{ item }}"
dest: "/etc/nginx/sites-enabled/{{ item }}" dest: "/etc/nginx/sites-enabled/{{ item }}"
state: link state: link
mode: 0644
loop: loop:
- reverseproxy - reverseproxy
- reverseproxy_redirect_dname - reverseproxy_redirect_dname
@ -45,6 +49,7 @@
template: template:
src: www/html/50x.html.j2 src: www/html/50x.html.j2
dest: /var/www/html/50x.html dest: /var/www/html/50x.html
mode: 0644
- name: Indicate role in motd - name: Indicate role in motd
template: template:
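Review bot: `mode: 0644` on the `state: link` task for `/etc/nginx/sites-enabled/…` does nothing useful: symlink permission bits are ignored on Linux, and with the file module's default `follow` behaviour Ansible applies the mode to the link's target instead — which the preceding `sites-available` template task already sets. Drop the `mode` line from that task; if a lint rule prompted it, a rule exemption is better than a no-op mode. The `0644` on the snippets, dhparam and 50x page is appropriate, as none of them carry secrets.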


@ -13,12 +13,14 @@
template: template:
src: prometheus/prometheus.yml.j2 src: prometheus/prometheus.yml.j2
dest: /etc/prometheus/prometheus.yml dest: /etc/prometheus/prometheus.yml
mode: 0644
notify: Restart Prometheus notify: Restart Prometheus
- name: Configure Prometheus alert rules - name: Configure Prometheus alert rules
template: template:
src: "prometheus/{{ item }}.j2" src: "prometheus/{{ item }}.j2"
dest: "/etc/prometheus/{{ item }}" dest: "/etc/prometheus/{{ item }}"
mode: 0644
notify: Restart Prometheus notify: Restart Prometheus
loop: loop:
- alert.rules.yml - alert.rules.yml
@ -45,12 +47,14 @@
copy: copy:
content: "{{ prometheus_targets | to_nice_json }}" content: "{{ prometheus_targets | to_nice_json }}"
dest: /etc/prometheus/targets.json dest: /etc/prometheus/targets.json
mode: 0644
# We don't need to restart Prometheus when updating nodes # We don't need to restart Prometheus when updating nodes
- name: Configure Prometheus Ubiquity Unifi SNMP devices - name: Configure Prometheus Ubiquity Unifi SNMP devices
copy: copy:
content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}" content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}"
dest: /etc/prometheus/targets_unifi_snmp.json dest: /etc/prometheus/targets_unifi_snmp.json
mode: 0644
- name: Activate prometheus service - name: Activate prometheus service
systemd: systemd:
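Review bot: `mode: 0644` on `/etc/prometheus/prometheus.yml` makes the scrape configuration world-readable; if prometheus.yml.j2 sets `basic_auth` or `bearer_token` for any target, those credentials become readable by every local account on the monitoring host. Prefer `mode: "0640"`, `owner: root`, `group: prometheus` for prometheus.yml, while the alert rules and the generated targets JSON carry no secrets and can stay 0644. Whether the template embeds scrape credentials is not visible here — check it before relaxing the permission.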


@ -1,3 +1,4 @@
---
- name: Add backports repositories - name: Add backports repositories
apt_repository: apt_repository:
repo: "{{ item }} http://deb.debian.org/debian buster-backports main contrib non-free" repo: "{{ item }} http://deb.debian.org/debian buster-backports main contrib non-free"
@ -5,11 +6,11 @@
- "deb" - "deb"
- "deb-src" - "deb-src"
- name: Ensure /var/www exists - name: Ensure /var/www exists
file: file:
name: "/var/www" name: "/var/www"
state: directory state: directory
mode: 0755
- name: Clone re2o repo - name: Clone re2o repo
git: git:
@ -22,11 +23,11 @@
template: template:
src: "{{ item }}.j2" src: "{{ item }}.j2"
dest: "/var/www/re2o/re2o/{{ item }}" dest: "/var/www/re2o/re2o/{{ item }}"
mode: 0644
loop: loop:
- settings_local.py - settings_local.py
- local_routers.py - local_routers.py
# What follows is a hideous abomination. # What follows is a hideous abomination.
# Blame freeradius-python3 on backports. # Blame freeradius-python3 on backports.
@ -34,27 +35,28 @@
apt: apt:
name: freeradius-python3 name: freeradius-python3
default_release: buster-backports default_release: buster-backports
update_cache: yes update_cache: true
ignore_errors: yes ignore_errors: true
- name: fix freeradius-python3 postinstall script - name: fix freeradius-python3 postinstall script
template: template:
src: freeradius-python3.postinst.j2 src: freeradius-python3.postinst.j2
dest: /var/lib/dpkg/info/freeradius-python3.postinst dest: /var/lib/dpkg/info/freeradius-python3.postinst
mode: 0644
- name: reinstall broken package (this might fail too, for different reasons) - name: reinstall broken package (this might fail too, for different reasons)
apt: apt:
name: freeradius-python3 name: freeradius-python3
default_release: buster-backports default_release: buster-backports
force: yes force: true
ignore_errors: yes ignore_errors: true
- name: Setup radius symlinks - name: Setup radius symlinks
file: file:
src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}" src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
dest: "/etc/freeradius/3.0/{{ item.filename }}" dest: "/etc/freeradius/3.0/{{ item.filename }}"
state: link state: link
force: yes force: true
loop: loop:
- local_prefix: "" - local_prefix: ""
filename: auth.py filename: auth.py
@ -69,6 +71,7 @@
template: template:
src: "{{ item }}.j2" src: "{{ item }}.j2"
dest: "/etc/freeradius/3.0/{{ item }}" dest: "/etc/freeradius/3.0/{{ item }}"
mode: 0640
loop: loop:
- sites-enabled/default - sites-enabled/default
- sites-enabled/inner-tunnel - sites-enabled/inner-tunnel
@ -77,6 +80,7 @@
template: template:
src: "{{ item }}.j2" src: "{{ item }}.j2"
dest: "/etc/freeradius/3.0/{{ item }}" dest: "/etc/freeradius/3.0/{{ item }}"
mode: 0640
loop: loop:
- clients.conf - clients.conf
- proxy.conf - proxy.conf
@ -99,7 +103,7 @@
when: "'aurore_vm' in group_names" when: "'aurore_vm' in group_names"
- name: Install radius requirements (except freeradius-python3) - name: Install radius requirements (except freeradius-python3)
shell: command:
cmd: "{{ item }}" cmd: "{{ item }}"
chdir: /var/www/re2o/ chdir: /var/www/re2o/
loop: loop:
@ -113,6 +117,7 @@
template: template:
src: "freeradius-logrotate.j2" src: "freeradius-logrotate.j2"
dest: "/etc/logrotate.d/freeradius" dest: "/etc/logrotate.d/freeradius"
mode: 0644
# Database setup # Database setup
@ -154,7 +159,7 @@
state: absent state: absent
become_user: postgres become_user: postgres
when: nuke_radius|default(false) when: nuke_radius|default(false)
ignore_errors: yes ignore_errors: true
- name: Nuking - Destroy old local DB if it exists - name: Nuking - Destroy old local DB if it exists
community.general.postgresql_db: community.general.postgresql_db:
@ -244,13 +249,13 @@
dbname: re2o dbname: re2o
db: re2o db: re2o
publications: publications:
- re2o_pub - re2o_pub
become_user: postgres become_user: postgres
- name: Restart freeradius, ensure enabled - name: Restart freeradius, ensure enabled
systemd: systemd:
name: freeradius name: freeradius
enabled: yes enabled: true
state: restarted state: restarted
daemon_reload: yes daemon_reload: true
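Review bot: `mode: 0644` on `/var/lib/dpkg/info/freeradius-python3.postinst` strips the execute bit from a dpkg maintainer script, so the following `reinstall broken package` step will fail when dpkg tries to run it — and `ignore_errors: true` on that step hides the failure. Before this commit the template call kept the mode dpkg had installed (Ansible preserves an existing destination's mode when none is given, as far as I recall); it should be `mode: "0755"`. Separately, the new `0640` on the freeradius templates is right for `clients.conf`, which holds the RADIUS shared secrets, but is only readable by the daemon if the files are owned by it — add `owner: freerad` and `group: freerad` so a destination created fresh is not root-only. The enclosing task list continues outside the hunk.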


@ -1,5 +1,6 @@
---
- name: restart radvd - name: restart radvd
systemd: systemd:
state: restarted state: restarted
name: radvd name: radvd
enabled: yes enabled: true


@ -1,6 +1,4 @@
--- ---
# Warning: radvd installation seems to fail if the configuration # Warning: radvd installation seems to fail if the configuration
# file doesn't already exist when the package is installed, # file doesn't already exist when the package is installed,
# so the order is important. # so the order is important.
@ -19,4 +17,3 @@
name: radvd name: radvd
state: present state: present
notify: restart radvd notify: restart radvd


@ -1,8 +1,9 @@
---
- name: restart keepalived - name: restart keepalived
systemd: systemd:
state: restarted state: restarted
name: keepalived name: keepalived
enabled: yes enabled: true
- name: run aurore-firewall - name: run aurore-firewall
command: python3 main.py --force command: python3 main.py --force


@ -3,25 +3,25 @@
# XXX: YES, this is ugly as fuck. # XXX: YES, this is ugly as fuck.
- name: set IP suffix (main) - name: set IP suffix (main)
set_fact: set_fact:
router_hard_ip_suffix: 240 router_hard_ip_suffix: 240
when: "'backup' not in ansible_hostname" when: "'backup' not in ansible_hostname"
- name: set IP suffix (backup) - name: set IP suffix (backup)
set_fact: set_fact:
router_hard_ip_suffix: 140 router_hard_ip_suffix: 140
when: "'backup' in ansible_hostname" when: "'backup' in ansible_hostname"
- name: Enable IPv4 packet forwarding - name: Enable IPv4 packet forwarding
ansible.posix.sysctl: ansible.posix.sysctl:
name: net.ipv4.ip_forward name: net.ipv4.ip_forward
value: '1' value: '1'
sysctl_set: yes sysctl_set: true
- name: Enable IPv6 packet forwarding - name: Enable IPv6 packet forwarding
ansible.posix.sysctl: ansible.posix.sysctl:
name: net.ipv6.conf.all.forwarding name: net.ipv6.conf.all.forwarding
value: '1' value: '1'
sysctl_set: yes sysctl_set: true
- name: Configure /etc/network/interfaces for routeur-aurore* - name: Configure /etc/network/interfaces for routeur-aurore*
template: template:


@ -1,3 +1,4 @@
---
- name: restart unbound - name: restart unbound
systemd: systemd:
state: restarted state: restarted


@ -32,26 +32,26 @@
- fede-aurore.net - fede-aurore.net
reverseproxy_sites: reverseproxy_sites:
- {from: re2o.auro.re, to: 10.128.0.10} - {from: re2o.auro.re, to: 10.128.0.10}
- {from: intranet.auro.re, to: 10.128.0.10} - {from: intranet.auro.re, to: 10.128.0.10}
- {from: phabricator.auro.re, to: 10.128.0.50} - {from: phabricator.auro.re, to: 10.128.0.50}
- {from: wiki.auro.re, to: 10.128.0.51} - {from: wiki.auro.re, to: 10.128.0.51}
- {from: www.auro.re, to: 10.128.0.52} - {from: www.auro.re, to: 10.128.0.52}
- {from: drone.auro.re, to: "10.128.0.64:8000"} - {from: drone.auro.re, to: "10.128.0.64:8000"}
- {from: re2o-test.auro.re, to: 10.128.0.100} - {from: re2o-test.auro.re, to: 10.128.0.100}
- {from: riot.auro.re, to: "10.128.0.150:8080"} - {from: riot.auro.re, to: "10.128.0.150:8080"}
- {from: codimd.auro.re, to: "10.128.0.150:8081"} - {from: codimd.auro.re, to: "10.128.0.150:8081"}
- {from: grafana.auro.re, to: "10.128.0.150:8082"} - {from: grafana.auro.re, to: "10.128.0.150:8082"}
- {from: privatebin.auro.re, to: "10.128.0.150:8083"} - {from: privatebin.auro.re, to: "10.128.0.150:8083"}
- {from: pad.auro.re, to: "10.128.0.150:8084"} - {from: pad.auro.re, to: "10.128.0.150:8084"}
- {from: cas.auro.re, to: "10.128.0.150:8085"} - {from: cas.auro.re, to: "10.128.0.150:8085"}
redirect_sites: redirect_sites:
- {from: auro.re, to: www.auro.re} - {from: auro.re, to: www.auro.re}
roles: roles:
- certbot - certbot
- nginx-reverseproxy - nginx_reverseproxy