From 847c90dfbacfbbbaaf75ba2fc065ac213cd1e02b Mon Sep 17 00:00:00 2001
From: Alexandre Iooss <erdnaxe@crans.org>
Date: Sun, 23 Dec 2018 12:20:19 +0100
Subject: [PATCH] Initial commit

---
 .gitignore                             |  1 +
 README.md                              | 30 ++++++++++++++++
 base.yml                               |  6 ++++
 group_vars/all/vars.yml                | 16 +++++++++
 group_vars/all/vault.yml               | 49 ++++++++++++++++++++++++++
 group_vars/horus/ssh_through_proxy.yml |  3 ++
 hosts                                  | 36 +++++++++++++++++++
 ldap.yml                               |  6 ++++
 8 files changed, 147 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 base.yml
 create mode 100644 group_vars/all/vars.yml
 create mode 100644 group_vars/all/vault.yml
 create mode 100644 group_vars/horus/ssh_through_proxy.yml
 create mode 100644 hosts
 create mode 100644 ldap.yml

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a8b42eb
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.retry
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..1b7ba10
--- /dev/null
+++ b/README.md
@@ -0,0 +1,30 @@
+# Playbook et rôles Ansible d'Aurore
+
+## Exécution d'un playbook
+
+```bash
+ansible-playbook --ask-vault-pass -K -i hosts base.yml
+```
+
+## FAQ
+
+### Automatiquement ajouter fingerprint ECDSA (dangereux !)
+
+Il faut changer la variable d'environnement suivante :
+`ANSIBLE_HOST_KEY_CHECKING=0`.
+
+### Configurer la connexion au bastion
+
+Dans la configuration SSH :
+
+```
+# Keep session alive only for bastion
+Host proxy.auro.re
+    ControlMaster auto
+    ControlPath ~/.ssh/%r@%h:%p
+
+Host *.auro.re 10.128.0.*
+    IdentityFile ~/.ssh/id_rsa_aurore
+    ForwardAgent yes
+```
+
diff --git a/base.yml b/base.yml
new file mode 100644
index 0000000..828f6a8
--- /dev/null
+++ b/base.yml
@@ -0,0 +1,6 @@
+---
+# Put a common configuration on all servers
+- hosts: all
+  roles:
+   - baseconfig
+
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
new file mode 100644
index 0000000..6b21e5f
--- /dev/null
+++ b/group_vars/all/vars.yml
@@ -0,0 +1,16 @@
+---
+# LDAP binding
+ldap_uri: 'ldap://10.128.0.11/'
+ldap_base: 'dc=auro,dc=re'
+ldap_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
+ldap_passwd: "{{ vault_ldap_passwd }}"
+
+# Scripts will tell users to go there to manage their account
+intranet_url: 'https://re2o.auro.re/'
+
+# Users in that group will be able to `sudo`
+sudo_group: 'sudoldap'
+
+# SSH keys for root account to use when LDAP is broken
+ssh_pub_keys: "{{ vault_ssh_pub_keys }}"
+
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
new file mode 100644
index 0000000..090355b
--- /dev/null
+++ b/group_vars/all/vault.yml
@@ -0,0 +1,49 @@
+$ANSIBLE_VAULT;1.1;AES256
+32366661316664386431313536386232363262626438626631386134373733666466643833373938
+3266333865383432333531393864666564346131333764360a303439343865333935313936373337
+64353531623837663231316435653337313764613233343636323863356535626534373632383664
+3965386436666663300a656432316338363333303934313065366264343038373436323432656164
+39646438633632333730646565646230666437353837383538343035323366616635616638613330
+39383433393433663066383866383637373531613231353431663765393463366261306561363036
+35646639336161303631636662613832396539316466373635386361353266393365313636616435
+36623138343733343931623264376432303366336136396661323236346138366565333733333432
+36333062383935393733313639333735346638373166666332353065643662313766326466313935
+63626662353661666130366466316432626533306663356264306564306135323666613538363163
+62663064373032613638636533343939653435336238393966663265343064633733366563336664
+62633238373737616134303130663266656435356165623936303261326330656237623566333039
+38343637303038653133326433393939616363353537373862666138396165386665316530316165
+31323237333963343831613464663631366665663865666362636335386364313533366436383764
+36373431363465613130646535303162666564663163323534383032373731353034653435656134
+32633964643066316164643137356334336339333334363564636664343739356533343066656136
+38346135313935373533366666346564643234323464626361393861633536333730613837633634
+30663464353864386238663731336438323663656662376632316330366432366236396265376337
+30353331366266316430323131393433373762646665633738623532373562303365613763326164
+32346161613437393462616662616539623234393732633235363135663462613630343661356632
+35333532373466383762623765376231386662336435363930316338376132356637303834643932
+63636566666138373461323163303566313631393837356634353163626639346630663130646266
+38653838383034653065386432623833323564646361333333386436613064376335616661356466
+32313534376464373839356130373661633538303530643331653162623864353032626436303837
+65303430396365343138666133646432633037346435356531376161333966303032663235653339
+63373138383036656662303332656437363735336131613030663962623566356630346534646666
+30383063383634613832376363366332643035616431316232353865363037336262623261363633
+32336463656664336237393934396430336661383632336330386534626636623533663239626232
+62653161363536383734653136376135323536353430346166386134656537643537383538353865
+36336137613165393438613165303665376532346462313465313531386430336232663733323133
+36396532313061383261313561363532396161656631383239663139653834333366316362343335
+61643830363136383532613738613038323830316638333436363139373530613761386430343365
+33363732613933376238323035353932336433333536353663663231636539326535663536323533
+66393134303364383764613661313337353134656264313661373262643931656566626164366336
+35613736323761333035613163643835653338323266623465353330396539636164353864363564
+33346233323766356532393734363037346330386666653733633665326339383133633462323539
+66396537346261643664366335653431353138373033306236316534366631353262343465353963
+38653231386336646534393237343632366137373036356666613866336232636439386663633563
+61633438336461653366343039396161376638333532303565323736333134303333393239356438
+30656631303766636432343838343436316136613966346165353962656138653862653662306539
+66366133376437356638306330336163656463656631386637323032623565353539623663613065
+34303163316161353037356333393565386462383462366430323136353137666332373034396361
+38616666613435346461333361383863653138643030366137613533646236613865626437386464
+63383434343236366433316534323236616664646235336338353832383365386637336234653332
+34646436356139373463363431303361633137303831656632303133313738393339353835343365
+34616234623463643139633639616336633630363664396338643633303133633739353161623339
+33306665306566363533363431383133363162613334316566336264333663393035313161396466
+62383035616136383939
diff --git a/group_vars/horus/ssh_through_proxy.yml b/group_vars/horus/ssh_through_proxy.yml
new file mode 100644
index 0000000..cbc38e5
--- /dev/null
+++ b/group_vars/horus/ssh_through_proxy.yml
@@ -0,0 +1,3 @@
+---
+
+ansible_ssh_extra_args: -o ProxyCommand='ssh -W %h:%p -q proxy.auro.re'
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..32510a8
--- /dev/null
+++ b/hosts
@@ -0,0 +1,36 @@
+# Aurore servers inventory
+
+[horus-pve]
+#virtu.fede-aurore.net
+
+[horus-proxy]
+proxy-web       ansible_host=10.128.0.254
+
+[horus-services-bdd]
+services-bdd    ansible_host=10.128.0.31
+
+[horus-wiki]
+wiki            ansible_host=10.128.0.51
+
+[horus-phabricator]
+phabricator     ansible_host=10.128.0.50
+
+# everything in horus (ovh)
+[horus:children]
+horus-pve
+horus-proxy
+horus-services-bdd
+horus-wiki
+horus-phabricator
+
+# every LXC container
+[container:children]
+horus-proxy
+horus-services-bdd
+horus-wiki
+horus-phabricator
+
+# every PVE
+[pve:children]
+horus-pve
+
diff --git a/ldap.yml b/ldap.yml
new file mode 100644
index 0000000..c9dda6a
--- /dev/null
+++ b/ldap.yml
@@ -0,0 +1,6 @@
+---
+# Plug only containers on LDAP
+- hosts: container
+  roles:
+   - ldap-client
+