Merge branch 'master' into monitoring_pdu

This commit is contained in:
otthorn 2021-01-29 20:29:28 +01:00
commit a8af3c9c72
12 changed files with 138 additions and 39 deletions


@ -1,2 +1,7 @@
skip_list: skip_list:
- '301' - '301'
warn_list:
- '305' # Use shell only when shell functionality is required
- '503' # Tasks that run when changed should likely be handlers
- experimental # all rules tagged as experimental


@ -10,3 +10,8 @@
- hosts: all,!unifi - hosts: all,!unifi
roles: roles:
- ldap_client - ldap_client
# Install logrotate
- hosts: all,!unifi,!pve
roles:
- logrotate


@ -2,10 +2,15 @@
certbot: certbot:
domains: domains:
- auro.re - auro.re
- chat.auro.re # cname to riot.auro.re
- codimd.auro.re - codimd.auro.re
- element.auro.re # cname to riot.auro.re
- ehterpad.auro.re # cname to pad.auro.re
- grafana.auro.re - grafana.auro.re
- hedgedoc.auro.re # cname to codimd.auro.re
- pad.auro.re - pad.auro.re
- passbolt.auro.re - passbolt.auro.re
- paste.auro.re # cname to privatebin.auro.re
- phabricator.auro.re - phabricator.auro.re
- privatebin.auro.re - privatebin.auro.re
- riot.auro.re - riot.auro.re
@ -13,7 +18,7 @@ certbot:
- status.auro.re - status.auro.re
- wiki.auro.re - wiki.auro.re
- www.auro.re - www.auro.re
- zero.auro.re - zero.auro.re # cname to privatebin.auro.re
mail: tech.aurore@lists.crans.org mail: tech.aurore@lists.crans.org
certname: auro.re certname: auro.re
@ -54,12 +59,12 @@ nginx:
to: "10.128.0.150:8080" to: "10.128.0.150:8080"
- from: chat.auro.re - from: chat.auro.re
to: "10.128.0.150:8080" to: "10.128.0.150:8080"
- from: codimd.auro.re - from: codimd.auro.re
to: "10.128.0.150:8081" to: "10.128.0.150:8081"
- from: hedgedoc.auro.re - from: hedgedoc.auro.re
to: "10.128.0.150:8081" to: "10.128.0.150:8081"
- from: grafana.auro.re - from: grafana.auro.re
to: "10.128.0.150:8082" to: "10.128.0.150:8082"
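Review bot: The new domain `ehterpad.auro.re` looks like a typo for `etherpad.auro.re` (its own comment says it is a CNAME to pad.auro.re, and no `ehterpad` entry appears in the nginx mapping below). If that name has no DNS record, the ACME challenge for that SAN fails and certbot refuses to issue the whole certificate, so every other name in the list stops renewing with it. Suggest `- etherpad.auro.re # cname to pad.auro.re` after confirming the record exists.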

7
hosts

@ -451,6 +451,13 @@ edc_pve
gs_pve gs_pve
rives_pve rives_pve
# every unifi
[unifi:children]
gs_unifi
edc_unifi
fleming_unifi
rives_unifi
pacaterie_unifi
############################################################################### ###############################################################################
# Groups by service # Groups by service

7
logrotate.yml Executable file

@ -0,0 +1,7 @@
#!/usr/bin/env ansible-playbook
---
# Playbook to run ONLY the logrotate role
# Install logrotate
- hosts: all,!unifi,!pve
roles:
- logrotate


@ -4,26 +4,28 @@
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
apt: apt:
name: name:
- sudo
- molly-guard # prevent reboot
- ntp # network time sync
- apt # better than apt-get
- nano # for vulcain
- vim # better than nano
- emacs-nox # for maman
- htop # better than top
- zsh # to be able to ssh @erdnaxe
- fish # to motivate @edpibu
- oidentd # postgresql identification
- aptitude # nice to have for Ansible
- acl # advanced ACL - acl # advanced ACL
- iotop # monitor i/o - apt # better than apt-get
- tree # create a graphical tree of files - aptitude # nice to have for Ansible
- bash-completion # because bash - bash-completion # because bash
- curl # better than wget
- emacs-nox # for maman
- fish # to motivate @edpibu
- git # code versioning - git # code versioning
- htop # better than top
- iotop # monitor i/o
- less # i like cats - less # i like cats
- screen # Vulcain asked for this
- lsb-release - lsb-release
- molly-guard # prevent reboot
- nano # for vulcain
- net-tools
- ntp # network time sync
- oidentd # postgresql identification
- screen # Vulcain asked for this
- sudo
- tree # create a graphical tree of files
- vim # better than nano
- zsh # to be able to ssh @erdnaxe
update_cache: true update_cache: true
register: apt_result register: apt_result
retries: 3 retries: 3
@ -92,13 +94,13 @@
apt: apt:
pkg: smartmontools pkg: smartmontools
state: absent state: absent
autoremove: yes autoremove: true
when: ansible_system_vendor == "QEMU" when: ansible_system_vendor == "QEMU"
- name: Remove useless packages from the cache - name: Remove useless packages from the cache
apt: apt:
autoclean: yes autoclean: true
- name: Remove dependencies that are no longer required - name: Remove dependencies that are no longer required
apt: apt:
autoremove: yes autoremove: true


@ -0,0 +1,8 @@
---
- name: Reload nginx
service:
name: nginx
state: reloaded
- name: Generate certificates
command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
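Review bot: The `Generate certificates` handler runs `certbot certonly` while nginx is still up, whereas the tasks this commit removes in roles/certbot/tasks/main.yml stopped nginx before the run and started it again afterwards. If the rendered `{{ certbot.certname }}.ini` selects the standalone authenticator (the template is not in this diff), certbot cannot bind port 80 and the handler fails; if it uses webroot or a DNS plugin, the old stop/start was unnecessary and the new flow is fine. Either way the assumption should be stated, e.g. `# Assumes the .ini uses a non-standalone authenticator: nginx keeps running during issuance`. Since both handlers are notified by the same task, it is also worth a comment that handlers fire in the order defined here, so generation precedes `Reload nginx`.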


@ -20,20 +20,6 @@
src: "letsencrypt/conf.d/certname.ini.j2" src: "letsencrypt/conf.d/certname.ini.j2"
dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
mode: 0644 mode: 0644
register: certbot_config notify:
- Generate certificates
- name: Stop services to allow certbot to generate a cert. - Reload nginx
service:
name: nginx
state: stopped
when: certbot_config.changed
- name: Generate new certificate if the configuration changed
shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
when: certbot_config.changed
- name: Restart services to allow certbot to generate a cert.
service:
name: nginx
state: started
when: certbot_config.changed


@ -18,6 +18,7 @@
owner: re2o-services owner: re2o-services
group: nogroup group: nogroup
recurse: true recurse: true
mode: 755
- name: Install isc-dhcp-server - name: Install isc-dhcp-server
apt: apt:
@ -101,7 +102,7 @@
when: is_aurore_host when: is_aurore_host
- name: force run dhcp re2o-service - name: force run dhcp re2o-service
shell: /var/local/re2o-services/dhcp/main.py --force command: /var/local/re2o-services/dhcp/main.py --force
- name: Ensure dhcpd is running - name: Ensure dhcpd is running
service: service:
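Review bot: `mode: 755` on the recursive file task is an unquoted integer with no leading zero, so YAML hands Ansible decimal 755, which Ansible applies as octal 1363: sticky bit set, owner and others get `-wx`, group gets `rw-`, on every entry under the tree instead of `rwxr-xr-x`. Write it as `mode: "0755"`, the quoted form the logrotate role in this same commit already uses. With `recurse: true` the same bits land on regular files and directories alike; if only the directories and scripts need the execute bit, `mode: "u=rwX,g=rX,o=rX"` sets it only where it is already present. The task header is outside the hunk.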


@ -0,0 +1,5 @@
---
- name: reload logrotate
service:
name: logrotate
state: reloaded
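Review bot: `state: reloaded` on `logrotate` is likely to fail if the targets run Debian's systemd packaging, where logrotate is a oneshot `logrotate.service` fired by `logrotate.timer`: the unit is normally inactive and has no ExecReload, so systemd rejects the reload and the handler errors out. logrotate re-reads its configuration on every run, so there is nothing to reload after the template changes; the handler could instead validate the rendered file, e.g. `command: logrotate -d /etc/logrotate.d/rsyslog` (debug mode, read-only, also catches syntax errors). The same oneshot behaviour affects `state: started` in roles/logrotate/tasks/main.yml, which would re-run rotation on every play rather than keep a daemon running.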


@ -0,0 +1,29 @@
---
# Install and configure logrotate
# Install the apt package
- name: Install logrotate
apt:
name:
- logrotate
# Copy the configuration and reload the service if it has changed
- name: Configure logrotate
template:
src: logrotate.d/rsyslog.j2
dest: /etc/logrotate.d/rsyslog
owner: root
group: root
mode: "0644"
notify: reload logrotate
# Make sure the service is enabled and started
- name: Enable logrotate service
service:
name: logrotate
enabled: true
state: started
# Enforce new logrotate rules now
- name: Run logrotate now
command: /usr/sbin/logrotate -f /etc/logrotate.d/rsyslog
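Review bot: `Run logrotate now` uses `-f`, which forces a rotation on every play run regardless of whether the config changed or a rotation is due; combined with `rotate 1` in the rsyslog template, running the playbook twice in one day discards the previous day's auth.log and kern.log. Tie it to an actual change instead: register the template task (`register: logrotate_config`) and add `when: logrotate_config is changed` here, or move the command into the handler. Since `command` always reports changed, a `changed_when` or a `-d` dry run would also keep the play idempotent.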


@ -0,0 +1,39 @@
# {{ ansible_managed }}
/var/log/syslog
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
rotate 1
daily
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
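Review bot: The second stanza applies `rotate 1` with `daily` to auth.log, kern.log, daemon.log and the others, which keeps roughly two days of history on the host. Unless these logs are also forwarded to a central collector (nothing in this commit shows that), that is a short window for investigating an incident noticed after the fact, and it is shorter than the retention the first stanza gives plain syslog. Suggest documenting the rationale above the stanza, e.g. `# Short local retention: these logs are shipped to <collector>` with the real destination, or raising the count if they are not shipped.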