Merge branch 'fix-ci' into 'master'

Fix CI

See merge request aurore/ansible!48
ynerant 2020-11-04 20:54:55 +01:00
commit 61f78f5bd3
86 changed files with 115 additions and 74 deletions

.drone.yml Normal file

@ -0,0 +1,19 @@
---
kind: pipeline
type: docker
name: check
steps:
- name: yamllint
image: python:3.9-alpine
commands:
- pip install yamllint==1.25.0
- yamllint -c .yamllint.yml .
- name: ansible-lint
image: python:3.9-alpine
commands:
- apk add --no-cache gcc libc-dev libffi-dev openssl-dev
- pip install ansible-lint==4.3.7
- ansible-lint *.yml
...
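Review bot: The installs in both steps pin a version but not an artifact — `pip install yamllint==1.25.0` and `pip install ansible-lint==4.3.7` accept whatever the index serves under that version, while `apk add --no-cache gcc libc-dev libffi-dev openssl-dev` and the `python:3.9-alpine` tag are not pinned at all, so the lint toolchain can change underneath the pipeline between runs. For a reproducible check, install the Python tools from a hashed requirements file (`pip install --require-hashes -r <requirements-lint.txt>`, file name to be chosen) and pin the image by digest. A one-line comment above `steps:` stating that this pipeline only lints and never touches inventory or vault material would also help a reader who lands on `.drone.yml` first.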


@ -1,5 +1,5 @@
---
image: python:3.6
image: python:3.9-alpine
stages:
- lint
@ -7,12 +7,13 @@ stages:
yamllint:
stage: lint
script:
- pip install yamllint==1.15.0
- pip install yamllint==1.25.0
- yamllint -c .yamllint.yml .
ansible-lint:
stage: lint
script:
- pip install ansible-lint==4.0.0
- apk add gcc libc-dev libffi-dev openssl-dev
- pip install ansible-lint==4.3.7
- ansible-lint *.yml
...
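Review bot: `apk add gcc libc-dev libffi-dev openssl-dev` in the ansible-lint job differs from the Drone pipeline's `apk add --no-cache …` for the same step, and the two CI definitions now carry identical copies of the yamllint and ansible-lint pins, so the next bump is likely to update one and miss the other. Either add `--no-cache` here for parity, or move the install commands into a single script or pinned requirements file that both `.drone.yml` and this file call.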


@ -3,5 +3,6 @@ extends: default
rules:
line-length:
max: 120
level: warning
...
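Review bot: `level: warning` on `line-length` makes the rule non-blocking: yamllint exits 0 on warnings unless run with `--strict`, and both CI invocations run `yamllint -c .yamllint.yml .` without it, so lines over 120 characters no longer fail the build. If that is intended, a comment such as `# long lines only warn; CI does not run yamllint --strict` above the rule saves the next reader a trip through the CI files; if not, keep the default error level and raise `max` instead.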


@ -9,5 +9,4 @@
# Plug LDAP on all servers
- hosts: all,!unifi
roles:
- ldap-client
- ldap_client


@ -48,7 +48,7 @@ dns_host_suffix_main: 253
dns_host_suffix_backup: 153
backup_dns_servers:
- "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
- "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
# Finally raised!
mtu: 1500


@ -1,3 +1,4 @@
---
$ANSIBLE_VAULT;1.1;AES256
61333538366635353537346231363235653162356330396434383631656465616330363136306563
3861333166386536633437386335613461646466346239360a643139303037613937373631313661
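Review bot: The single added line in this hunk is not marked, but from the counts (-1,3 +1,4) it can only be the `---` placed in front of `$ANSIBLE_VAULT;1.1;AES256`, and Ansible recognises a vault-encrypted file by that header being the very first bytes of the file, so a leading document marker stops the file from being decrypted and the ciphertext is read as plain YAML instead. If the marker was added to satisfy yamllint, exclude encrypted files from linting instead, e.g. an `ignore:` block in `.yamllint.yml` listing the vault paths. Please confirm with `ansible-vault view` on this file that it still decrypts after the change.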


@ -1,4 +1,3 @@
---
ldap_local_replica_uri:
- 'ldap://ldap-replica-edc.adm.auro.re'


@ -4,4 +4,4 @@
# DON'T DO THIS AS IT RECREATES THE REPLICA
- hosts: ldap_replica
roles:
- ldap-replica
- ldap_replica


@ -6,13 +6,13 @@
mxisd_releases: https://github.com/kamax-matrix/mxisd/releases
mxisd_deb: "{{ mxisd_releases }}/download/v1.3.1/mxisd_1.3.1_all.deb"
roles:
- debian-backports
- debian_backports
- nodejs
- matrix-synapse
- matrix-appservice-irc
- matrix-appservice-webhooks
- matrix_synapse
- matrix_appservice_irc
- matrix_appservice_webhooks
# Install Matrix services
- hosts: matrix-services.adm.auro.re
roles:
- debian-backports
- debian_backports


@ -59,4 +59,4 @@
# Monitor all hosts
- hosts: all,!unifi,!ovh
roles:
- prometheus-node
- prometheus_node


@ -3,7 +3,7 @@
# Set up DHCP servers.
- hosts: dhcp-*.adm.auro.re
roles:
- isc-dhcp-server
- isc_dhcp_server
# Deploy unbound DNS server (recursive).
@ -24,7 +24,7 @@
- hosts: ~routeur-aurore.*\.adm\.auro\.re
roles:
- router
- ipv6-edge-router
- ipv6_edge_router
# Radius (backup only for now)
- hosts: radius-*.adm.auro.re
@ -47,19 +47,19 @@
# Deploy Unifi Controller
#- hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
# roles:
# - unifi-controller
# - hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
# roles:
# - unifi-controller
# Deploy Re2o switch service
#- hosts: switchs-manager.adm.auro.re
# vars:
# service_repo: https://gitlab.federez.net/re2o/switchs.git
# service_name: switchs
# service_version: master
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o-service
# - hosts: switchs-manager.adm.auro.re
# vars:
# service_repo: https://gitlab.federez.net/re2o/switchs.git
# service_name: switchs
# service_version: master
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o-service


@ -19,6 +19,7 @@
option: "{{ item.option }}"
value: "{{ item.value }}"
state: present
mode: 0644
loop:
- option: confirm
value: "true"
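Review bot: `mode: 0644` on the added line is an unquoted octal literal; the YAML 1.1 parser Ansible uses reads it as the integer 420, which the file modules treat as 0o644, but a YAML 1.2 parser reads `0644` as decimal 644, so the value is only correct by virtue of the loader's version. Ansible accepts either a leading-zero integer or a quoted string, and the quoted form `mode: "0644"` (or the symbolic `u=rw,g=r,o=r`) is the one that does not depend on the parser. The same unquoted modes are added in the skel, fail2ban, certbot, frr, ldap, nginx, prometheus and re2o hunks below; quoting them all in one pass keeps the roles consistent.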


@ -77,6 +77,7 @@
copy:
src: "skel/dot_{{ item }}"
dest: "/etc/skel/.{{ item }}"
mode: 0644
loop:
- zshrc
- zshrc.local


@ -54,6 +54,7 @@
option: "{{ item.option }}"
value: "{{ item.value }}"
state: present
mode: 0644
notify: Restart fail2ban service
loop:
- section: sshd


@ -26,6 +26,7 @@
file:
path: /etc/letsencrypt/conf.d
state: directory
mode: 0755
- name: Add Certbot configuration
template:


@ -1,5 +1,4 @@
---
- name: install GPG
apt:
name: gnupg
@ -23,16 +22,18 @@
template:
src: daemons.j2
dest: /etc/frr/daemons
mode: 0644
notify: restart frr
- name: setup frr.conf
template:
src: frr.conf.j2
dest: /etc/frr/frr.conf
mode: 0644
notify: restart frr
- name: enable+start frr
service:
name: frr
state: started
enabled: yes
enabled: true
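Review bot: `mode: 0644` on the `/etc/frr/frr.conf` template makes the routing configuration world-readable, and frr.conf is where BGP/OSPF neighbour passwords live when they are used; as far as I recall the FRR Debian packaging keeps that file group-readable only, so this line widens access rather than merely satisfying the linter. Since the task sets no `owner`/`group`, an existing file keeps its ownership but a freshly created one would be root-owned, so prefer `mode: "0640"` together with explicit `owner`/`group` set to the FRR service user (names to be confirmed against the installed package). The `daemons` file on the lines above is fine at 0644.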


@ -1,5 +1,6 @@
---
- name: force run dhcp re2o-service
shell: /var/local/re2o-services/dhcp/main.py --force
command: /var/local/re2o-services/dhcp/main.py --force
become_user: re2o-services
- name: restart dhcpd
@ -11,4 +12,3 @@
systemd:
name: rsyslog
state: restarted


@ -17,7 +17,8 @@
state: directory
owner: re2o-services
group: nogroup
recurse: yes
recurse: true
mode: u=rwX,g=rX,o=rX
- name: Install isc-dhcp-server
apt:
@ -101,7 +102,7 @@
when: is_aurore_host
- name: force run dhcp re2o-service
shell: /var/local/re2o-services/dhcp/main.py --force
command: /var/local/re2o-services/dhcp/main.py --force
- name: Ensure dhcpd is running
service:


@ -40,6 +40,7 @@
file:
path: "{{ item }}"
state: directory
mode: 0755
loop:
- /etc/ldap/slapd.d
- /var/lib/ldap


@ -11,6 +11,7 @@
template:
src: "nginx/snippets/{{ item }}.j2"
dest: "/etc/nginx/snippets/{{ item }}"
mode: 0644
loop:
- options-ssl.conf
- options-proxypass.conf
@ -19,11 +20,13 @@
template:
src: letsencrypt/dhparam.j2
dest: /etc/letsencrypt/dhparam
mode: 0644
- name: Copy reverse proxy sites
template:
src: "nginx/sites-available/{{ item }}.j2"
dest: "/etc/nginx/sites-available/{{ item }}"
mode: 0644
loop:
- reverseproxy
- reverseproxy_redirect_dname
@ -35,6 +38,7 @@
src: "/etc/nginx/sites-available/{{ item }}"
dest: "/etc/nginx/sites-enabled/{{ item }}"
state: link
mode: 0644
loop:
- reverseproxy
- reverseproxy_redirect_dname
@ -45,6 +49,7 @@
template:
src: www/html/50x.html.j2
dest: /var/www/html/50x.html
mode: 0644
- name: Indicate role in motd
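Review bot: `mode: 0644` on the `state: link` task for `/etc/nginx/sites-enabled` has no effect on the symlink itself (Linux ignores permissions on symlinks), and if the `file` module follows links by default for this Ansible version — to be confirmed — it is instead applied to the target in sites-available, which the previous task in this hunk already sets to 0644. If the line was added only to quiet the lint rule, check whether the rule actually fires on `state: link`; dropping the line is cleaner than carrying a mode that either does nothing or duplicates the task above. The remaining modes in this hunk cover files nginx reads as root, so 0644 is appropriate there.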
template:


@ -13,12 +13,14 @@
template:
src: prometheus/prometheus.yml.j2
dest: /etc/prometheus/prometheus.yml
mode: 0644
notify: Restart Prometheus
- name: Configure Prometheus alert rules
template:
src: "prometheus/{{ item }}.j2"
dest: "/etc/prometheus/{{ item }}"
mode: 0644
notify: Restart Prometheus
loop:
- alert.rules.yml
@ -45,12 +47,14 @@
copy:
content: "{{ prometheus_targets | to_nice_json }}"
dest: /etc/prometheus/targets.json
mode: 0644
# We don't need to restart Prometheus when updating nodes
- name: Configure Prometheus Ubiquity Unifi SNMP devices
copy:
content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}"
dest: /etc/prometheus/targets_unifi_snmp.json
mode: 0644
- name: Activate prometheus service
systemd:


@ -1,3 +1,4 @@
---
- name: Add backports repositories
apt_repository:
repo: "{{ item }} http://deb.debian.org/debian buster-backports main contrib non-free"
@ -5,11 +6,11 @@
- "deb"
- "deb-src"
- name: Ensure /var/www exists
file:
name: "/var/www"
state: directory
mode: 0755
- name: Clone re2o repo
git:
@ -22,11 +23,11 @@
template:
src: "{{ item }}.j2"
dest: "/var/www/re2o/re2o/{{ item }}"
mode: 0644
loop:
- settings_local.py
- local_routers.py
# What follows is a hideous abomination.
# Blame freeradius-python3 on backports.
@ -34,27 +35,28 @@
apt:
name: freeradius-python3
default_release: buster-backports
update_cache: yes
ignore_errors: yes
update_cache: true
ignore_errors: true
- name: fix freeradius-python3 postinstall script
template:
src: freeradius-python3.postinst.j2
dest: /var/lib/dpkg/info/freeradius-python3.postinst
mode: 0644
- name: reinstall broken package (this might fail too, for different reasons)
apt:
name: freeradius-python3
default_release: buster-backports
force: yes
ignore_errors: yes
force: true
ignore_errors: true
- name: Setup radius symlinks
file:
src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
dest: "/etc/freeradius/3.0/{{ item.filename }}"
state: link
force: yes
force: true
loop:
- local_prefix: ""
filename: auth.py
@ -69,6 +71,7 @@
template:
src: "{{ item }}.j2"
dest: "/etc/freeradius/3.0/{{ item }}"
mode: 0640
loop:
- sites-enabled/default
- sites-enabled/inner-tunnel
@ -77,6 +80,7 @@
template:
src: "{{ item }}.j2"
dest: "/etc/freeradius/3.0/{{ item }}"
mode: 0640
loop:
- clients.conf
- proxy.conf
@ -99,7 +103,7 @@
when: "'aurore_vm' in group_names"
- name: Install radius requirements (except freeradius-python3)
shell:
command:
cmd: "{{ item }}"
chdir: /var/www/re2o/
loop:
@ -113,6 +117,7 @@
template:
src: "freeradius-logrotate.j2"
dest: "/etc/logrotate.d/freeradius"
mode: 0644
# Database setup
@ -154,7 +159,7 @@
state: absent
become_user: postgres
when: nuke_radius|default(false)
ignore_errors: yes
ignore_errors: true
- name: Nuking - Destroy old local DB if it exists
community.general.postgresql_db:
@ -244,13 +249,13 @@
dbname: re2o
db: re2o
publications:
- re2o_pub
- re2o_pub
become_user: postgres
- name: Restart freeradius, ensure enabled
systemd:
name: freeradius
enabled: yes
enabled: true
state: restarted
daemon_reload: yes
daemon_reload: true
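Review bot: `mode: 0644` on the template that overwrites `/var/lib/dpkg/info/freeradius-python3.postinst` strips the execute bit from a dpkg maintainer script, so the next time dpkg configures the package (the "reinstall broken package" task right after it) the script cannot be executed, and `ignore_errors: true` on that task hides the failure; it should be `mode: "0755"`. The 0640 modes on the freeradius config templates are the right tightening (clients.conf carries shared secrets), but they set no `owner`/`group`, which only works while the package-installed file already exists with the freeradius service group; adding `group:` with that group's name (to be confirmed) next to the mode makes the contract explicit. The `shell:` → `command:` switch with `cmd: "{{ item }}"` is fine as long as the loop items, which continue outside the hunk, are plain argv-style commands; any item using a pipe, redirection or `&&` will stop working under `command`.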


@ -1,5 +1,6 @@
---
- name: restart radvd
systemd:
state: restarted
name: radvd
enabled: yes
enabled: true


@ -1,6 +1,4 @@
---
# Warning: radvd installation seems to fail if the configuration
# file doesn't already exist when the package is installed,
# so the order is important.
@ -19,4 +17,3 @@
name: radvd
state: present
notify: restart radvd


@ -1,8 +1,9 @@
---
- name: restart keepalived
systemd:
state: restarted
name: keepalived
enabled: yes
enabled: true
- name: run aurore-firewall
command: python3 main.py --force


@ -3,25 +3,25 @@
# XXX: YES, this is ugly as fuck.
- name: set IP suffix (main)
set_fact:
router_hard_ip_suffix: 240
router_hard_ip_suffix: 240
when: "'backup' not in ansible_hostname"
- name: set IP suffix (backup)
set_fact:
router_hard_ip_suffix: 140
router_hard_ip_suffix: 140
when: "'backup' in ansible_hostname"
- name: Enable IPv4 packet forwarding
ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: yes
sysctl_set: true
- name: Enable IPv6 packet forwarding
ansible.posix.sysctl:
name: net.ipv6.conf.all.forwarding
value: '1'
sysctl_set: yes
sysctl_set: true
- name: Configure /etc/network/interfaces for routeur-aurore*
template:


@ -1,3 +1,4 @@
---
- name: restart unbound
systemd:
state: restarted


@ -32,26 +32,26 @@
- fede-aurore.net
reverseproxy_sites:
- {from: re2o.auro.re, to: 10.128.0.10}
- {from: intranet.auro.re, to: 10.128.0.10}
- {from: re2o.auro.re, to: 10.128.0.10}
- {from: intranet.auro.re, to: 10.128.0.10}
- {from: phabricator.auro.re, to: 10.128.0.50}
- {from: wiki.auro.re, to: 10.128.0.51}
- {from: www.auro.re, to: 10.128.0.52}
- {from: phabricator.auro.re, to: 10.128.0.50}
- {from: wiki.auro.re, to: 10.128.0.51}
- {from: www.auro.re, to: 10.128.0.52}
- {from: drone.auro.re, to: "10.128.0.64:8000"}
- {from: drone.auro.re, to: "10.128.0.64:8000"}
- {from: re2o-test.auro.re, to: 10.128.0.100}
- {from: re2o-test.auro.re, to: 10.128.0.100}
- {from: riot.auro.re, to: "10.128.0.150:8080"}
- {from: codimd.auro.re, to: "10.128.0.150:8081"}
- {from: grafana.auro.re, to: "10.128.0.150:8082"}
- {from: privatebin.auro.re, to: "10.128.0.150:8083"}
- {from: pad.auro.re, to: "10.128.0.150:8084"}
- {from: cas.auro.re, to: "10.128.0.150:8085"}
- {from: riot.auro.re, to: "10.128.0.150:8080"}
- {from: codimd.auro.re, to: "10.128.0.150:8081"}
- {from: grafana.auro.re, to: "10.128.0.150:8082"}
- {from: privatebin.auro.re, to: "10.128.0.150:8083"}
- {from: pad.auro.re, to: "10.128.0.150:8084"}
- {from: cas.auro.re, to: "10.128.0.150:8085"}
redirect_sites:
- {from: auro.re, to: www.auro.re}
- {from: auro.re, to: www.auro.re}
roles:
- certbot
- nginx-reverseproxy
- nginx_reverseproxy