Merge branch 'master' into fix_exported_prometheus

.ansible-lint

@@ -2,6 +2,7 @@ skip_list:
   - no-changed-when
   - load-failure
   - document-start
+  - meta-no-info
 
 warn_list:
   - experimental  # all rules tagged as experimental

bdd.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+# Install and configure bdd servers at Saclay and at OVH
+- hosts: bdd
+  roles:
+    - postgresql_server
+...

docker-ansible-lint/Dockerfile

@@ -2,6 +2,6 @@ FROM python:3.9-alpine
 LABEL description="Aurore's docker image for ansible-lint"
 
 RUN apk add --no-cache gcc musl-dev python3-dev libffi-dev openssl-dev cargo
-RUN pip install "yamllint>=1.26.0,<2.0"
+RUN pip install --no-cache-dir "yamllint>=1.26.0,<2.0"
-RUN pip install "ansible-lint==5.0.0"
+RUN pip install --no-cache-dir "ansible-lint==5.0.0"
-RUN pip install "ansible>=2.10,<2.11"
+RUN pip install --no-cache-dir "ansible>=2.10,<2.11"

group_vars/all/vars.yml

@@ -17,9 +17,17 @@ ldap_admin_password: "{{ vault_ldap_admin_password }}"
 ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}"
 
 # Databases
-postgresql_services_url: 'services-bdd.adm.auro.re'
+postgresql_services_url: 'bdd-ovh.adm.auro.re'
 postgresql_synapse_passwd: "{{ vault_postgresql_synapse_passwd }}"
 postgresql_codimd_passwd: "{{ vault_postgresql_codimd_passwd }}"
+postgresql_etherpad_passwd: "{{ vault_postgresql_etherpad_passwd }}"
+postgresql_kanboard_passwd: "{{ vault_postgresql_kanboard_passwd }}"
+postgresql_grafana_passwd: "{{ vault_postgresql_grafana_passwd }}"
+postgresql_cas_passwd: "{{ vault_postgresql_cas_passwd }}"
+postgresql_drone_passwd: "{{ vault_postgresql_drone_passwd }}"
+postgresql_wikijs_passwd: "{{ vault_postgresql_wikijs_passwd }}"
+postgresql_nextcloud_passwd: "{{ vault_postgresql_nextcloud_passwd }}"
+postgresql_gitea_passwd: "{{ vault_postgresql_gitea_passwd }}"
 
 # Scripts will tell users to go there to manage their account
 intranet_url: 'https://re2o.auro.re/'
@@ -89,3 +97,9 @@ apartment_block_dhcp: "{{ apartment_block }}"
 ipv6_base_prefix: "2a09:6840"
 
 is_aurore_host: "{{ 'aurore_vm' in group_names }}"
+
+rsyslog_outputs:
+  - proto: relp
+    address: 10.128.0.241
+    port: 20514
+...

group_vars/all/vault.yml

@@ -1,181 +1,210 @@
 $ANSIBLE_VAULT;1.1;AES256
-31333135363439623565336435306566656236316266316330623236643862616666326332633937
+64396638346335393963396239326463353436373937386664393164373338376461636666326432
-3130356563393965626334373564623336633061303264660a646662636364313031316438396439
+3839376164613031613166313535346136396465383365660a376666373138363930393761376166
-36653532656533626535376662393061666430666536356430623030376335636530313237623038
+35663763316466336162316335623362633131636264663239316264666234393637333931616139
-6133333636323234320a323433376539333265333837303631316637346561383861656662633536
+3434636563363237300a663032636362343739343363356363643035363431373963316161303666
-32313839336431663466633764363937316439636439373732646163663664363665623065616335
+30343866336465623738613739333030323537376663383265306237346537313839656137353565
-39376463656566376666303635323830613533363638623436396536626634613137353232656434
+61303237643462626564346539343933313334663330323565396438663633316239333064376664
-63646233636666363932616432663536386630613466386437643534643136383362633264383232
+31356233363431313161643131303234616162613164643539643563613339313432333235383863
-38386335376635383465393465343065636330383664386435643762353435623161613235643934
+61376431316661626465383562386235616166353839616235356366386534393334373064616636
-35393038633163343862616633313836626138663237313062356330343562383964383031663834
+32623832643533663536626130333234366366366635393038393437313139383061633030653235
-31313338633063343665323438313162643039653136373163623533626630356534636436396237
+63666366333732626166653831613731363865313461636262346635666363373938316266383738
-65363238613665326437386233613861666638316362343337323462623736383263383231383663
+33306632353536663138663961623964636436373564376431623165623031353737366539313966
-35393832363231363163646430363263326538306136303864393830373163663036383364666563
+36373533653139373866666435343730613530646665343333643764666263626433363262313337
-64356561656537353965396631343261643431323034386263313139303932663932306631373932
+65396332666632323531333364666330366430356437383338303665646233383931306166326435
-65616132666631666266353935363262343733646431333436396438313466366566366231313236
+35653538643332353536626336323034353630353564633264333334613531363839653362663730
-61346539616131316562343939623432303236386662303036643131323632366231626330333333
+36326562383934363034363830313139393361363638623139663538653138393533626238303836
-62353533613264313434643834386462386139306362373039663730323263326239386130376162
+38326561366536353036356163656130633430306635393763663664643936306136346163383237
-33383161666538643535646132306262366535666563366661386132376162336237613164313634
+37653465656335306565333432643863623762366134313137326138613336323664323333313166
-66316530393164376537666135636632373735336636303634323866333930613362643439373331
+66363438636161613362346633346434663364396536613932616461613963383339336262313731
-65353736333264333636336238653064376538623135313730393634623939636365383932326338
+36636432366332356435643266353362333437333131343961336639343234363636353535636464
-30333231376366323033316364326330323065643364613538306661303032303239613335646237
+39353330643136613463343435623939653964346334616131393566623330386131333262666539
-39333335366163383561336233643830626432623336333864343239643534376339303231323563
+35656662323332373330353231393462646564393431646238653438386563633365333162656263
-31343539616266383461613666356665353036343533626332376661303565376162313666333338
+62623536316165316662653832393364316439303865326631636337373365333035336339666666
-37323332303765396362643732343935656664396136396361336533663335353663326233373664
+31323864303136616365643735306332326237666136306435626534363739373332656332336639
-63396265656538623238363532613532623633386531336236363363383765366335396532653161
+38343566643062616434656338646235343234333031343038346630306639633732623733313039
-63613736653863336235356336393839336530333930663539663536353963336331646630333334
+33393965653839396166326565653963303137316666663135373338613265613239643661336537
-30313436313335383365306463316338623033306634316332373732346630646430613630616236
+62306634326266323662623733346164383039653936326162663165316439653332313730313535
-61373430653238373161626436303264363662313565623862356266313930623162626535363765
+66613335653463396662626230653232383664363137323462353037303633633666626433306630
-64653136356364326238313136336335396131393637363432383961616636373839303132353932
+39623933343736616630333539393365396636366331393136343866323766656435613262383938
-30623366626236373861303838396562653131633436303862393166353930336636303765383438
+65383663663237386631333236363061306131643133336432313035396264346631656264356530
-36663863323337393061333735306663636564313966326561666436393562626562653764336162
+30663636653434323531343233633431313838636434666537373439333364666635363731316464
-62383235646539323861663438373365373239323731626236333263383037333065646433363464
+61623666653561623233623131666464396530316439626135653933343531303938313965393438
-66386435363938646538343262636331353064646330623439303166643538306130616236313532
+30346636363136386264643161666231396533323765343434346633303162383762663763616537
-31663238326465646562306265346132346138346363313532363566373436356630323130306363
+38656436353661326165393934613235376565316663643930656338333932633664643562633235
-35346463326136303532386433336137656639616165646562373533653663643031343533346565
+61656232613164643735626439393731626430343437303732393163616432616336323436643737
-65633237333431643038653830383836313538343033386665346431336235636133353637643234
+63626564363464396561356366616466363035663864306561616164373639376431633264633532
-32666361656137323130656331643562353135643861323438396135376532373437616333336631
+37316565313636363536666566313663653637333665343036363261373765306233386535326463
-35393366336438383666656165313634336133653238653464343730333739323539386331336461
+34316461346364323837326462386363313338666563623135376163656330393830663031326536
-32653563353032643730633530303636636439316139653231343738616131626438633561363239
+35373935636538656566646336633435643830346136663262386463366563613665613032336533
-37383533616565373162373832653730646265663864316335393938303465653035306138633437
+36373837616132666630393634656232303362613038353764353362303830323536373639306666
-62306433656365333561643333656564666565633638353730353764336561333536666136313235
+66306230336430666435663061616264343137303564303764356130396434666138373132323066
-35333133396332626637373962376130303838633131656538333634653861613639653165363930
+33623465663535643736383032396236613632643537633064346631383539366330363436666633
-32313436396161306235323861363265626134656566626132353362313830383638643739333765
+34323133626638613936636264346662373739616136663165626339326333623365336161653230
-65346636306366343863386238316530623338613038643933353839366434316339333430336230
+65626131643832306664666364333961633535313164376533343334613666303331333036643431
-63353839356536666165326138376163386534616661323834336163306632343536613034316335
+65626566613937633137343538323563373737623265353436336234316439316434613962313030
-64386433386637666430303338626635386131373134393530643963613966363965623763393133
+36366634383633363437373862323764366263623063653932383534353538363866643437303637
-38333337663630656366393338383230396431616535323864383235636337363336313036323139
+32346533643438323632653830626163666463343366346531383830353833346164313537326332
-32626566353261653734366237363131323431396665333638376637316536656434303434343133
+62623462316161663731653832653064313436633931393565323631306134613962396338353039
-61316564333536643331613437623764396232636461326435343735383563353236313238643638
+39323037366235336239646539643265303061623935636263336435653831373463313131343866
-32366463363530343866333334356166393433376563333563353135633336666434643435373766
+61666265616335356530376633343762343734373539613865333065343066343963383634653436
-33663130383436333961373535626334333931643030303834373330396530643837386364393933
+34363431356264373166663632643232646261323332636263383065356564383663363439373732
-33623835663833376263303237653063313861386333393262326335333365653164343561643135
+31636238346661616563646262353962393266613137363536346534313764376666313737306530
-66393962613933653762396566316338333861656361303939393631323163373133653135396237
+63666263346231353765623130396530623362383165373863383537633464636136313130373566
-34376232383638303861383462366564316537663064373865343037303638363337373435613433
+33396137366538656430653065373230376236626439316232396630326537653936356461623534
-38653137383561646634306334393766343837666333313135616365373633326230303437306566
+65623562306131613633373632356264366439373137356132333062343839383132643834323463
-31373161666463313131383434333530363163376637373637353531383463613364613032393638
+31353034306339663365343234396466396463663634613433663262623038363331363161623831
-31333938626464656465366639353631316337376135393765383562306166633364396536356633
+33366137643963633066323837363563326137383834346430316262353834353238336264373235
-63346434636636393736386234616534393462306335303135386566666635623431306133366665
+63353330656166333132306665623835316439623239333539626364313535616230626430313663
-36333762353130303264613232323362383762653837616432353561643030656439616163396664
+32323335653433303233343336663935653861393961626636623264333030383365623838653862
-66313735366266643364333665343765393264646630653638363563313338316633303639646563
+37663336346537336530656161613539666431366239666461343139343461613033336535306263
-36306538616237343064366139313533386639333734333131636636343064623237626365313163
+66326365663132333165666239306532386338323237653832363763386464333634383731393033
-30323438613564633739613733386430633839303331303238303762643664343132346637386465
+31666431366432303036313765616432353061616462393236383131373938353238613966383232
-31323732313166383562323161316139333532636238613661373639383539366231663436346664
+35376635326534386533653834353966633765303165633036343133393836316637313531636333
-33363439313964613938666338333135396633396635383964613736306436636364616131656533
+32376532383865323731306237633565663032666631616463636237313938663034396363373632
-62326263313935393339373837633132653339366133653136653032666563613839643334396131
+62613030666166343262333865636363346131393664373633313064656463366533336335316435
-38353032316336343765366439326230333535653630313065366632643133393063353438633362
+31653531366436646365636139663236393464636366666334336433396365663634336263323835
-39346132623530336437623530623662333438393361633861356535356535306137666334373232
+64653634326638393133346335343665343265333133363236343566366561653831313561326239
-64313465303961616133666335643338316331373164663966333762643964363538323637643338
+66393663336632333931383766633966333763333632393633353537333834643465373237386435
-66323563653364303538633630316562386230303634323966313935363439666464396262396564
+33366638643861386431313030623465633938313932326264396136353336653163373636633762
-37633636623835373832396462613665316461396662356664383938333963333566643861306363
+35313463313066373236623466356333616238343034616436333437363033343436353265613932
-34663461663633386464643961393137636365343566373262376432613264393536326136613763
+36646538663734346434313861363664316538663766383462633434343666343230306261663231
-66396139663861336432386233333335383165663434356563373031656330386664353635616363
+33643031313432333330363664396438663933636465303731373065386539363762353530323063
-32363963336463623131383536313233646462643137366365366337303430313131393764396537
+34383434393062623037356637323264663961383166373736376136336237613662363038343931
-65376438663733626636653564386631396337343236353631353638626330313763343632303963
+39393766323163333431373466303739363566623464646532666330653132376466346136303735
-38323035333737366562356431383535333639353866613264656336636330323637623033336165
+30303537353863623164373362306334333134616364323366326636323463346461326366303034
-36326136333232643539336230353165623835356665623736313166613262336136326432323163
+33646230333263366137313234646265653339326533666361363632653166326364336639333131
-39626337333464376331616664653366333430363631623138383861393366646437353364623838
+66346234366334316539343734633164656132343130303939613030346263616632616434653362
-34363063653830316339303131306537346137653166316633343764363630646133313062363962
+66316165626236343464373631623034396634313637303737643165303939333130313333393732
-36336530626162393733303432656133663233633765656239353161303431633164653331346664
+34663134373864626466376332373731393039336336383937646535666362386666663765623132
-36666465656264643737383031623834643334346637653162343436376631366534623863626431
+66313363313162323663356230383231376539363732396630623061663361373866316432623066
-38313766396366646634613533623231393632366562323263326461653239663037656539366333
+36643739363361373833616237353664313666613036666161623935343233346266626165393134
-38303562653839313266616266383666346438343963633231326266653562663462633534383063
+32346361323462393830366161646630303836376431316566613631343938316362383663343233
-62663665383237623632376461363834396637626537613834626132643165323735646139386232
+64376265353166303032373664336632616337353339643061623661663066363433616239356561
-32353034313330383835366464663838306133613430316237303831343935653238353565666666
+34633339323161396466663435396565383636653830373865346363333531396637633332653866
-37666364323939303164323463313636613861623963333534323033326662313662336132333565
+38633535333035343630323633363564613030653834333538616461653566636638646137396266
-63643935353432643332323932333735643564313231313563366464666132646333336230653066
+66613235306361653463643532313435383366326430383031306665373764643632653962623535
-37393564643734323634383266616632336430396530633732306566376564656434313762323863
+61363438336136383635386336363533613863346264353530303565353761626466636136306335
-35346439393330616234666638653036363034643064366436363638383664626530653463636536
+31383035326163393563383038383037353037666661363531633836376638393935336639333761
-39356135633836613430346532323732396538363735343232653666323963366433643238346134
+62333030326639623034326331643033326431396337376630333937623063313634353032326530
-39363637353939356464373064373063663730386334366433386134656265613731353231393333
+66393261663331313139643232313661356664653536326665363065646163626236306637666163
-31333830303966636130303463336566386266326338333663656635356139373039666435316137
+33373837343331306632623865316461336466656131303638303035366564336330613234616535
-34353934646136383263353336363134383331656333366463646630646264343533653735303161
+35356361623634646163646436623364353539623131333966383632383566313363613032393363
-65613666353339663565623230656162653135323163656435633132663265386233363930386165
+65313136383834366564643234643039386664376362353435613433373266616261633263386334
-31663861373162303338313265613536393533313738626464336238303830366636303131623863
+34616633653735373361656461363462636666656661326637363262363539613164336464336631
-37656330616336633437383937383235616439376532343166643966623437303137306262653036
+31326535626635333662346433656262633031643134623862653831643333396633363062356361
-61636237656332613232356130333237346239616639616234656534303837343832316330333266
+37343530643633663261323037333830393737366134303035333232343232333835653731623332
-30353235626666646136326666373030303963326533336365366466313637626466376261386132
+62333739346563353737386664663864343561306164333432306231626233646131333264656666
-39303164396236303232346234303265333531353031633937633236626664346130336535646133
+30356138376336373436333732383835303230323039326165633834336634626162326439613961
-36333833386362393935303663353062653836356564346338613938313532313637306230326465
+39613435326330383662373732373537633535633032366131633062386332343264363135383038
-33393464366231643033363230356566383938353434613737346233376530336537306562353034
+63643661653838636565616239353566636137656139323265326534386434306333343631353762
-31313938613732383330383239323564643531363733633666326664353330386137383263623330
+32616466323663653564363832613265323534336664353965363138623762376539346338316135
-61623534646463663231333561333431643563633065663864613562326464386330633839363065
+65303334313362303532653438313837336334333831343331396563626131633937386437333133
-32396266356462613562373533306432663866636165326330396634653332323165313565353635
+36663834303337666461313564366561353265363263316438303235393465646434663961646137
-32343533306564306631626331303634633036613730326636643961663064353138633362356630
+37646332306539393162633339643434396531663534633763616433326363383332373233636437
-33373235656561303738303263663436396162643532303264333137626138353938643261353564
+61643037396361623938386466313736313235323165343964346463346339626632383535323630
-36363465386339326634663563616662633634363337333462653166333233343038633062663334
+33396135303434666233353631616436653262646136623035376232316264343930626435303634
-32356435663738643531333539663936316535333836323934663831623039323264356562663463
+32646133303963343239383931653631653036353535333665373536366464366466646330656466
-63323165663836616364393932333137363037323034323632323165396664353766343138306431
+66623136333437346637343534396430313838636665663933376263623362363134396330356566
-65393165373561373064396530633230383963333562636661653062616437333037316462663335
+37616361326463323164663036386439373539663164393038663636643166383131616164643765
-34613661653663376663613531383764646438396666623661363461653133303939626665366430
+63303339653835353161663637323138376233613265373461316430353331633938336662656464
-37613331666333356566356432313831663737386362363436636239306431373534366164346631
+66613464666634363931303232326461653239396234303863386533333832663530346261353135
-32306361336363376337376333303035333763306138333238303030346434363662653766323635
+63656636306539353139353763663461336630373463353162623566383230366366653665326166
-36653336663635323939623430316330643837376332326136643136653039613366336438383437
+31393333376434313039396234393839643863346363383535653465323261666432633935336135
-66623530363333313339646233373430646163306165353430363663353331613762623031623935
+63363864386135313438373532353266353334616635653433613765393265363465656439356139
-33633062343562646235333130393263373936633731663362346631653731363765646361353436
+30643864343166353263633262663036613766396633343564363633303165373631633965373730
-63663532313130653634316530663361323536373031373031316561656238653333333331376436
+64636561663438646562363765623435313866303534623038383731396638306536323732626231
-31646636393062656166316161343438326564373333356465626463346139633836366634316238
+63343538616631363736336164316531653137646537303436343336653434646133336534356539
-34313166613666356535306534646163363664363066393331666564613230303362613666313938
+64306139643537393361666161623261353763646631386361666637656137633266343238656632
-37383065633064303661663666386566613664616163343034383766376638623364396136373839
+32333866666233636164313131363666376261663930653330393436666464653731333164643836
-37303035383733336662643932393636393037643861613633333265643333333332386366626164
+63386163363463343737386338653636323230653336393765386538393563356435646439626565
-63633436396264383035666334633336633065326339303062366334633865336134623134316238
+38623439623364326634616639303734383330613133393665643963313932316365656563383039
-64396266323139396238616137623166373362323364313936396266366532613261353735336133
+61643739333434366162663438613966343534393438373135643064623465386236353632646562
-64303935323231656237653134396134316130376262323633333863333238363137646131386634
+64346137393231313461393436626335626461343661653430396536373437306336666630313934
-31616133306531643338356235613837356135303938626539323139326633633939613330653434
+38616638336638303530346164663033613332366133656435656131356262343635386136636361
-37333263633739326230666339646463633933343163323365363761353166353066373430646432
+39623161383636373664396535366531396231643162353938663230373762626633663638343937
-31386535633661643862356663353166396236633266333635353864303532363362643561313334
+66326533386564353336366561316361646333393130316530366434383931666661646636373835
-38303364396661316266626335396265363234373532353130353639646331626230303932393136
+64323135356630656134366231646130626162356237613337386232636333383261376535653032
-38613463306561653765666562656136353531313433643162313137633535313263373035616233
+36366338636565616537313337323964613030393035393839626134373135646663636263633964
-62363339313662373833333630376466396265336638373361646434666636396333383063636462
+66623036633266623566646566386234356562396164366166656230663738633665333531653730
-33396236653130363862336630313362643565613962396439326531336339373466383138303861
+61383263656235313463666439666563656432363332616633646139363135316638613464383239
-64306135386337323437386331346436653466653863353836623339663037666235653962373832
+32633732653837326332326363326265336130633065623963636338323662383234623438623333
-36393036353533313437333033366266653964613766663331393363626532343866616538633264
+64653038323566326366336634313637363132343030633966313363646665313835343833376632
-63336461623838376234343265663933613965646666633132346433353463383839383263613530
+39616364616236396265643232336365356235333064323432326561633730386533633064393832
-36396361346534353834633835346362336164343932386363383637326433326439623532623634
+33313838373236386463366162386437356365346631633639613436356635396238646361376434
-38613335343734613335373761663935626539373534383335613966373334353763323135643666
+34626238333366343831393364653064656166396535343133343131316537653263646239323061
-32353530613163303866343832323131363363306638613336366132343633623861626630613866
+65393761326462656265393235663037323638333831623733323430623238626234303031303866
-31393261316637323764656535643837333265616562336634383464393561363932313237613162
+64336130333164306530333062343161653532383031336464363237656264363665373739626630
-32616562336335613864363063336564393536373734373930353436653563643935346636333631
+64353861383364386632613335646562623535353031303831653436633330663337613338666331
-33633766666635393232636464313063646463303564656663613666303234363138613533376138
+37396466633231303032656334313033633865636231613564303733633462366162383835623563
-30613935663362626432303266356435653566363439663763306233663261633465323933326437
+32616439333064663234663037623832633933303664383732646238376465353763646637623137
-32663962663932326263666461613365623264346539343033663566366137313732383839343633
+66623664333364653039326431333439373934383735316231373164376365646231353935623664
-39616363656434623666316639616136333431613136386439373739363862663466383234393962
+64653839613332626638623039366165356630383539333736383738326561313838383131633236
-35373966386235343535663362343464333531623136326565333633386561633132623762306466
+30306537383865326533623337346138376533376137336536343163326534396564656130326361
-32626166333430303161366638346336386534303838653737393731333238346435383134396561
+61623063636138323965643737313262616532346533333137346232396561373735376130356132
-32376435663363373037613332653333656166353530393635636466666438306531633535346630
+37646639383430336637646134353732323262333732323434353265376262353039633963313061
-63623831303435643761313836316435656465366331363930343637663439613738653363366438
+63363663353532633437333335306662313133306565623537666232353665333631653263663463
-35316337626234393932306432363631656364356237316233306638396438326339373866613063
+63656264333064333662343836366131333534386662303933336665353361663938346430653264
-64346338336239636535386130396465323333313337366263623362353838653938663161333539
+66383539643537313436373434363536376137333636363833626361376131633537643334383864
-64303063323838303030303635653038353432313333346632626330313539613266613362333837
+34626264666437323930396562626134653063396533323139616264313063343535623636626238
-63643735613363313163346233353535333434316337643961353635353465363238616432366434
+38366437626534376364623535613432313636366332353830616238666534363561646438343235
-35383736343765643166633033643462396634306163346235306438323264383438653635346433
+62613664313631643137643765626437363962636137343765343562613761396266626461393236
-38326431666336623635633531366562343830646434343964303837393864303836313434626230
+63613134303065623031396231366130373432633738393139393331323764623963346565373839
-35613437383034303761333763303432666630356135653637373936363331643032376437646630
+64356439663964333032366363343461353130326136363731386535313661663135303237386638
-64663561666238386536616630343763333661643762396462616239396536386634353431376266
+39336531333064613731323066376461373732323437386462353432613464663666363832653866
-34316433623037366330346633656365356136626363343461353137646632343533323361636336
+62666461313734643562346335393434653933313661336236383933363738323066636562363230
-62323939323732346232626264373964303134626532323937666537356361393461366133633731
+34666136626566376264623734393837353466616461666132623333656135346534646462633739
-62383037326563386266656464313331383733303837343465393234343730646138636263396636
+36363331383337343561326536303263303739656562653536363234636130633563663161353631
-38353262323064313131623738633835316338666530383335363565306432376132656634313264
+66613338323461623534613935396638343230643330636562353936343333383834303466643939
-33663237316437396432386130646664623065353361346263623637383630323136643262343865
+36346532663237616132633166323630623434353338366534373366326234366566383931343837
-62616230623631333864643831393438373964383037616265316337623335313265323135353935
+34613134646563383662656533666163653265326433643832626435663361336361376362633938
-33396530333935646437613931383137646233346664636363623561393336623062623039306362
+38326235383664653366353162393034323866653339383139306630663835306537663563366231
-62653966623636363562393336646164663631366334346361663039313161663765326634656238
+35306362663930326133363835643262393439346437653935343030653161303361303939323235
-35613239653536663639666137393963613231323134343639343061663935626162316664316539
+34363438313763623934613534613334333464366361323164323337316531303332663433376363
-32313639363335613063303664646163663264333565323934323264656438343831643964393635
+39326239653731653766303135343437333431636362666231393938316634663631353539386463
-62333061323861373433363638336363653265613331653665396563386362326336313430646438
+66623730356336633536336634313264336236633664303864373735663837316563363666363037
-30343936393166323033666131653734366439623937616665656133646639333739323538343764
+39303330623765316334666132326134376636303633393736343030323837383666333832613937
-62373335363038616239626638643933336433663631353263346365616366343061306430333031
+31383033663638373666626336636539636665386465666237323232643466383236313262383235
-39623466373633363565626331303463363964313638356632626663633533373764626664626434
+63303866366162393434633631323539633565363036326264376339666637316133376537633163
-34366336626466356332393335626433636438623866383232663937653465313439316635643334
+66353264353337653733353034643030333932313463393132396632353030656134313064326466
-30663861383261363830303863373961653135393764613435363939356266363836363066333835
+65636330346433643732313033643032393261313736343533636535643439336530663261353961
-30626263376438353765376235663339366336653337333638343666373235646339313139333966
+63326231643131613665306563646331323536396232633366313036623136623636376336383438
-66373262306164643536376539653432633265623437306634636132303934313036623736613337
+31363764323335666464623330333265386236643038353164303863356261653634316536303734
-64353638373262346564653563653966636137383633366264306630326337396132633231343831
+33356630346666393539393931393661656666386635663965346537353365396330613061663939
-31663439643737636661343834663364313734326437373430306430303134613933326633383838
+37386638653737383434393438366661303337636263666665373935316439386363663936646639
-38356630386566313830363464313262653038353064363466323064656433636663633637656631
+65333532636161353538363161363138356364303661396166643435386234336132393733663562
-62663233623766353962666332663064653266393937346162643731633139326362316134353438
+64383030656332343736626161653034333539343562303530336165373961356532663234366237
-38383765343631396132636663363465633533636532393835383730393066306633326364646337
+38666632616439343437333366623362626339363535623162303437306334643731633662343162
-32363238363365366331303665313634653635303032356137663364343161326132613039343162
+32623537383966623866613361383266353936643462613964646139653532633864643931376631
-35386633366464383138646630653365636133313964333435373533313163343235643036343531
+62633433613435356561316536663364656639373733646539316566373334636133383936303166
-63356139353739633565363165356464396332663564646466383637643837623565613837376431
+64366139616164636336303930306138316161306563623366633130386662306163386361353464
-61643538326230623763
+30393231666266383064343234636430356564323534353339396637636632303962633665363661
+63303733333137393261316436373864333734613136373633343564373537653935366333363464
+63346430643030323039343539356364313635653863373465303134353361653664333333356132
+37623062333663323135613133373662626663353838623233386166623739656535613732636564
+63333937613233643035353136386463376661346131616562393236623338636661636661373166
+62663962666237613431396436343434353031303165363130663163616633336134353430326634
+66383463363266346630646339643563633235623065666265643066313134383534666530356561
+62373737313834373239396262663463613835643737383439653837376135303733366436333733
+36363436386233663135646134386462306434303339656632313562623037633664346562323034
+33303833373733383338306333323561656333313430323136326234343032323034646663333436
+30316661636237333266656430376535366135353534633932356135383333646261663935363734
+30666263643265306434333535346330313231386339363865643862366639663832366431663161
+37646632376633323862303764363437613332643131623138393330353633323634303337616431
+66336366646138653737333137396338646138613339336466356537626461346330646434613933
+61633835653235333637623635353565376331623464636137393861633064353739323262653166
+66393533656435306530653034313034356231616563393438333162393630306462313530353535
+31656537626163316535376234393236336631366262666539613337633461396134396563326532
+30386538383136356632653962643538613261356462323637316335323864613133316364663933
+37633661306635323361336639633561663738396133623362316437303733313838313332303264
+36363932633136373762363762303933306637646230303564313965383335386333646161353261
+31663836366639326438626463326631343162616537653266366334343538643634663831343736
+61626666616463303034323730653966383365613637633539646263396238656630333766633134
+37326438366434333066666334323137343635396464366430633931366335353231643630383161
+64353034313338346162653237666266333466313630313363636135393433653761326134353464
+62306233663930383166313033373561366231313865303662316662663236343638383731633132
+62663061613837633833613737666633343063333963626265303236366365303736636361336337
+35666536383738636239626139633031376262306165386362386462346330386334333331376338
+30386235333963333732343930613562316464323632663638323536613232666230303631336436
+37643131353437393661663934306332343037323866656665613436393237333236636661333064
+62303063393239373065346461326464396232356531393932623739643835356637

host_vars/bdd-ovh.adm.auro.re.yml

@@ -0,0 +1,70 @@
+---
+postgresql:
+  version: 13
+
+postgresql_hosts:
+  - database: etherpad
+    user: etherpad
+    net: 10.128.0.150/32
+    method: md5
+  - database: codimd
+    user: codimd
+    net: 10.128.0.150/32
+    method: md5
+  - database: synapse
+    user: synapse
+    net: 10.128.0.56/32
+    method: md5
+  - database: kanboard
+    user: kanboard
+    net: 10.128.0.150/32
+    method: md5
+  - database: grafana
+    user: grafana
+    net: 10.128.0.150/32
+    method: md5
+  - database: cas
+    user: cas
+    net: 10.128.0.150/32
+    method: md5
+
+postgresql_databases:
+  - synapse
+  - codimd
+  - etherpad
+  - kanboard
+  - grafana
+  - cas
+
+postgresql_users:
+  - name: synapse
+    database: synapse
+    password: "{{ postgresql_synapse_passwd }}"
+    privs:
+      - ALL
+  - name: codimd
+    database: codimd
+    password: "{{ postgresql_codimd_passwd }}"
+    privs:
+      - ALL
+  - name: etherpad
+    database: etherpad
+    password: "{{ postgresql_etherpad_passwd }}"
+    privs:
+      - ALL
+  - name: kanboard
+    database: kanboard
+    password: "{{ postgresql_kanboard_passwd }}"
+    privs:
+      - ALL
+  - name: grafana
+    database: grafana
+    password: "{{ postgresql_grafana_passwd }}"
+    privs:
+      - ALL
+  - name: cas
+    database: cas
+    password: "{{ postgresql_cas_passwd }}"
+    privs:
+      - ALL
+...

host_vars/bdd.adm.auro.re.yml

@@ -0,0 +1,50 @@
+---
+postgresql:
+  version: 13
+
+postgresql_hosts:
+  - database: nextcloud
+    user: nextcloud
+    net: 10.128.0.58/32
+    method: md5
+  - database: gitea
+    user: gitea
+    net: 10.128.0.60/32
+    method: md5
+  - database: wikijs
+    user: wikijs
+    net: 10.128.0.66/32
+    method: md5
+  - database: drone
+    user: drone
+    net: 10.128.0.64/32
+    method: md5
+
+postgresql_databases:
+  - nextcloud
+  - gitea
+  - wikijs
+  - drone
+
+postgresql_users:
+  - name: nextcloud
+    database: nextcloud
+    password: "{{ postgresql_nextcloud_passwd }}"
+    privs:
+      - ALL
+  - name: gitea
+    database: gitea
+    password: "{{ postgresql_gitea_passwd }}"
+    privs:
+      - ALL
+  - name: wikijs
+    database: wikijs
+    password: "{{ postgresql_wikijs_passwd }}"
+    privs:
+      - ALL
+  - name: drone
+    database: drone
+    password: "{{ postgresql_drone_passwd }}"
+    privs:
+      - ALL
+...

host_vars/log.adm.auro.re.yml

@@ -0,0 +1,9 @@
+---
+rsyslog_collector_base_dir: /var/log/remote
+rsyslog_inputs:
+  - proto: relp
+    port: 20514
+  - proto: udp
+    port: 514
+rsyslog_outputs: []
+...

hosts

@@ -29,14 +29,16 @@ stream.adm.auro.re
 re2o-server.adm.auro.re
 re2o-ldap.adm.auro.re
 re2o-db.adm.auro.re
-services-bdd-local.adm.auro.re
+#services-bdd-local.adm.auro.re
 backup.adm.auro.re
-services-web.adm.auro.re
 mail.adm.auro.re
 wikijs.adm.auro.re
 prometheus-aurore.adm.auro.re
 portail.adm.auro.re
 jitsi-aurore.adm.auro.re
+log.adm.auro.re
+bdd.adm.auro.re
+bdd-ovh.adm.auro.re
 
 [aurore_testing_vm]
 pendragon.adm.auro.re
@@ -49,7 +51,7 @@ horus.adm.auro.re
 
 [ovh_container]
 synapse.adm.auro.re
-services-bdd.adm.auro.re
+#services-bdd.adm.auro.re
 phabricator.adm.auro.re
 wiki.adm.auro.re
 www.adm.auro.re
@@ -508,3 +510,7 @@ reverseproxy
 [reverseproxy]
 proxy-ovh.adm.auro.re
 proxy.adm.auro.re
+
+[bdd]
+bdd.adm.auro.re
+bdd-ovh.adm.auro.re

log.yml

@@ -0,0 +1,5 @@
+---
+- hosts: log.adm.auro.re
+  roles:
+    - rsyslog_collector
+...

monitoring.yml

@@ -4,6 +4,7 @@
   vars:
     prometheus_alertmanager: docker-ovh.adm.auro.re:9093
     snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+    snmp_switch_community: "{{ vault_snmp_switch_community }}"
 
     # Prometheus targets.json
     prometheus_targets:
@@ -18,6 +19,7 @@
   vars:
     prometheus_alertmanager: docker-ovh.adm.auro.re:9093
     snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+    snmp_switch_community: "{{ vault_snmp_switch_community }}"
 
     # Prometheus targets.json
     prometheus_targets:
@@ -27,6 +29,7 @@
       - targets: "{{ groups['pacaterie_unifi'] | list | sort }}"
     prometheus_ups_snmp_targets:
       - ups-pn-1.ups.auro.re
+      - ups-ps-1.ups.auro.re
   roles:
     - prometheus
 
@@ -34,10 +37,12 @@
   vars:
     prometheus_alertmanager: docker-ovh.adm.auro.re:9093
     snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+    snmp_switch_community: "{{ vault_snmp_switch_community }}"
 
     # Prometheus targets.json
     prometheus_ups_snmp_targets:
       - ups-ec-1.ups.auro.re
+      - ups-ec-2.ups.auro.re
 
     prometheus_targets:
       - targets: |
@@ -51,6 +56,7 @@
   vars:
     prometheus_alertmanager: docker-ovh.adm.auro.re:9093
     snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+    snmp_switch_community: "{{ vault_snmp_switch_community }}"
 
     # Prometheus targets.json
     prometheus_targets:
@@ -67,6 +73,7 @@
   vars:
     prometheus_alertmanager: docker-ovh.adm.auro.re:9093
     snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+    snmp_switch_community: "{{ vault_snmp_switch_community }}"
 
     # Prometheus targets.json
     prometheus_ups_snmp_targets:
@@ -113,6 +120,7 @@
   vars:
     prometheus_alertmanager: docker-ovh.adm.auro.re:9093
     snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+    snmp_switch_community: "{{ vault_snmp_switch_community }}"
 
     # Prometheus targets.json
     prometheus_targets:

roles/baseconfig/files/update-motd.d/10-uname

@@ -1,3 +0,0 @@
-#!/bin/sh
-# {{ ansible_managed }}
-uname -snrvm

roles/baseconfig/tasks/main.yml

@@ -9,8 +9,6 @@
       - aptitude  # nice to have for Ansible
       - bash-completion  # because bash
       - curl  # better than wget
-      - emacs-nox  # for maman
-      - fish  # to motivate @edpibu
       - git  # code versioning
       - htop  # better than top
       - iotop  # monitor i/o
@@ -18,29 +16,21 @@
       - lsb-release
       - molly-guard  # prevent reboot
       - nano  # for vulcain
-      - net-tools
       - ntp  # network time sync
-      - oidentd  # postgresql identification
       - screen  # Vulcain asked for this
       - sudo
       - tmux  # For shirenn
       - tree  # create a graphical tree of files
       - vim  # better than nano
       - zsh  # to be able to ssh @erdnaxe
+      - dnsutils  # dig
     update_cache: true
   register: apt_result
   retries: 3
   until: apt_result is succeeded
 
-# Pimp my server
+- include_role:
-- name: Customize motd
+    name: update_motd
-  copy:
-    src: "update-motd.d/{{ item }}"
-    dest: "/etc/update-motd.d/{{ item }}"
-    mode: 0755
-  loop:
-    - 00-logo
-    - 10-uname
 
 - name: Remove Debian warranty motd
   file:

roles/ldap_client/tasks/main.yml

@@ -21,4 +21,4 @@
     user: root
     key: "{{ ssh_pub_keys }}"
     state: present
-#    exclusive: True
+    exclusive: true

roles/nginx/tasks/main.yml

@@ -29,6 +29,24 @@
     dest: "/etc/nginx/sites-enabled/default"
     state: absent
 
+- name: Add 'extended' log format
+  template:
+    src: nginx/conf.d/extended_log.conf.j2
+    dest: /etc/nginx/conf.d/extended_log.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: Reload nginx
+
+- name: Add syslog snippet
+  template:
+    src: nginx/snippets/syslog.conf.j2
+    dest: /etc/nginx/snippets/syslog.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: Reload nginx
+
 - name: Copy reverse proxy sites
   when: reverseproxy is defined
   template:

roles/nginx/templates/nginx/conf.d/extended_log.conf.j2

@@ -0,0 +1,7 @@
+{{ ansible_managed | comment }}
+
+log_format extended
+    '$remote_addr - $http_x_forwarded_for - $connection '
+    '$remote_user [$time_local] '
+    '"$host" "$request" $status $body_bytes_sent '
+    '"$http_referer" "$http_user_agent"';

roles/nginx/templates/nginx/sites-available/redirect.j2

@@ -8,6 +8,8 @@ server {
 
     server_name {{ site.from }};
 
+    include "/etc/nginx/snippets/syslog.conf";
+
 {% for realip in nginx.real_ip_from %}
     set_real_ip_from {{ realip }};
 {% endfor %}
@@ -25,6 +27,8 @@ server {
 
     server_name {{ site.from }};
 
+    include "/etc/nginx/snippets/syslog.conf";
+
     # SSL common conf
     include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
 
@@ -52,6 +56,8 @@ server {
 
     server_name {{ from }};
 
+    include "/etc/nginx/snippets/syslog.conf";
+
 {% for realip in nginx.real_ip_from %}
     set_real_ip_from {{ realip }};
 {% endfor %}
@@ -72,6 +78,8 @@ server {
     # SSL common conf
     include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
 
+    include "/etc/nginx/snippets/syslog.conf";
+
 {% for realip in nginx.real_ip_from %}
     set_real_ip_from {{ realip }};
 {% endfor %}

roles/nginx/templates/nginx/sites-available/reverseproxy.j2

@@ -15,6 +15,8 @@ server {
 
     server_name {{ site.from }};
 
+    include "/etc/nginx/snippets/syslog.conf";
+
 {% for realip in nginx.real_ip_from %}
     set_real_ip_from {{ realip }};
 {% endfor %}
@@ -39,6 +41,8 @@ server {
     access_log      /var/log/nginx/{{ site.from }}.log;
     error_log       /var/log/nginx/{{ site.from }}_error.log;
 
+    include "/etc/nginx/snippets/syslog.conf";
+
     # Keep the TCP connection open a bit for faster browsing
     keepalive_timeout 70;
 

roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2

@@ -12,6 +12,8 @@ server {
 
     server_name {{ from }};
 
+    include "/etc/nginx/snippets/syslog.conf";
+
 {% for realip in nginx.real_ip_from %}
     set_real_ip_from {{ realip }};
 {% endfor %}
@@ -29,6 +31,8 @@ server {
 
     server_name {{ from }};
 
+    include "/etc/nginx/snippets/syslog.conf";
+
     # SSL common conf
     include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
 

roles/nginx/templates/nginx/sites-available/service.j2

@@ -19,6 +19,9 @@ upstream {{ upstream.name }} {
 server {
     listen 443 default_server ssl;
     listen [::]:443 default_server ssl;
+
+    include "/etc/nginx/snippets/syslog.conf";
+
     include "/etc/nginx/snippets/options-ssl.{{ nginx.default_ssl_domain }}.conf";
 
     server_name _;
@@ -50,6 +53,8 @@ server {
     # Hide Nginx version
     server_tokens off;
 
+    include "/etc/nginx/snippets/syslog.conf";
+
 {% for realip in nginx.real_ip_from %}
     set_real_ip_from {{ realip }};
 {% endfor %}
@@ -71,6 +76,8 @@ server {
     server_name {{ server.server_name|join(" ") }};
     charset utf-8;
 
+    include "/etc/nginx/snippets/syslog.conf";
+
     # Hide Nginx version
     server_tokens off;
 
@@ -98,6 +105,8 @@ server {
     server_name {{ server.server_name|join(" ") }};
     charset utf-8;
 
+    include "/etc/nginx/snippets/syslog.conf";
+
     # Hide Nginx version
     server_tokens off;
 

roles/nginx/templates/nginx/snippets/syslog.conf.j2

@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+
+access_log syslog:server=unix:/dev/log,tag=nginx,nohostname,severity=info extended;
+error_log syslog:server=unix:/dev/log,tag=nginx,nohostname,severity=error;

roles/postgresql_server/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+postgresql_hosts: []
+postgresql_databases: []
+postgresql_users: []
+...

roles/postgresql_server/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart postgresql
+  service:
+    name: postgresql
+    state: restarted
+    enabled: true

roles/postgresql_server/tasks/main.yml

@@ -0,0 +1,74 @@
+---
+- name: Install postgresql and psycopg2
+  apt:
+    update_cache: true
+    pkg:
+      - postgresql
+      - python3-psycopg2
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Ensure main postgresql directory exists
+  file:
+    path: /etc/postgresql/{{ postgresql.version }}/main/
+    state: directory
+    owner: postgres
+    group: postgres
+    mode: 0755
+
+- name: Ensure configuration directory exists
+  file:
+    path: /etc/postgresql/{{ postgresql.version }}/main/conf.d
+    state: directory
+    owner: postgres
+    group: postgres
+    mode: 0755
+
+- name: Configuration of postgresql {{ postgresql.version }}
+  template:
+    src: postgresql/{{ item }}.j2
+    dest: /etc/postgresql/{{ postgresql.version }}/main/{{ item }}
+    mode: 0640
+    owner: postgres
+    group: postgres
+  loop:
+    - pg_hba.conf
+    - postgresql.conf
+  notify:
+    - restart postgresql
+
+- name: Create databases
+  become: true
+  become_user: postgres
+  postgresql_db:
+    name: "{{ item }}"
+    encoding: UTF-8
+    lc_collate: en_US.UTF-8
+    lc_ctype: en_US.UTF-8
+    template: template0
+  loop: "{{ postgresql_databases }}"
+
+- name: Create users
+  become: true
+  become_user: postgres
+  postgresql_user:
+    db: "{{ item.database }}"
+    name: "{{ item.name }}"
+    password: "{{ item.password }}"
+  no_log: true
+  loop: "{{ postgresql_users }}"
+
+- name: Grant privileges to users
+  become: true
+  become_user: postgres
+  postgresql_privs:
+    db: postgres
+    type: database
+    role: "{{ item.name }}"
+    privs: "{{ item.privs | join(',') }}"
+    obj: "{{ item.database }}"
+  no_log: true
+  loop: "{{ postgresql_users }}"
+...

roles/postgresql_server/templates/postgresql/pg_hba.conf.j2

@@ -0,0 +1,20 @@
+{{ ansible_managed | comment }}
+
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+
+# DO NOT DISABLE!
+# If you change this first entry you will need to make sure that the
+# database superuser can access the database using some other method.
+# Noninteractive access to all databases is required during automatic
+# maintenance (custom daily cronjobs, replication, and similar tasks).
+#
+# Database administrative login by Unix domain socket
+local   all             postgres                                peer
+
+
+# "local" is for Unix domain socket connections only
+local   all             all                                     peer
+
+{% for host in postgresql_hosts %}  
+host "{{ host.database }}" "{{ host.user }}" {{ host.net }} {{ host.method }}
+{% endfor %}

roles/postgresql_server/templates/postgresql/postgresql.conf.j2

@@ -0,0 +1,695 @@
+{{ ansible_managed | comment }}
+
+# -----------------------------
+# PostgreSQL configuration file
+# -----------------------------
+#
+# This file consists of lines of the form:
+#
+#   name = value
+#
+# (The "=" is optional.)  Whitespace may be used.  Comments are introduced with
+# "#" anywhere on a line.  The complete list of parameter names and allowed
+# values can be found in the PostgreSQL documentation.
+#
+# The commented-out settings shown in this file represent the default values.
+# Re-commenting a setting is NOT sufficient to revert it to the default value;
+# you need to reload the server.
+#
+# This file is read on server startup and when the server receives a SIGHUP
+# signal.  If you edit the file on a running system, you have to SIGHUP the
+# server for the changes to take effect, run "pg_ctl reload", or execute
+# "SELECT pg_reload_conf()".  Some parameters, which are marked below,
+# require a server shutdown and restart to take effect.
+#
+# Any parameter can also be given as a command-line option to the server, e.g.,
+# "postgres -c log_connections=on".  Some parameters can be changed at run time
+# with the "SET" SQL command.
+#
+# Memory units:  kB = kilobytes        Time units:  ms  = milliseconds
+#                MB = megabytes                     s   = seconds
+#                GB = gigabytes                     min = minutes
+#                TB = terabytes                     h   = hours
+#                                                   d   = days
+
+
+#------------------------------------------------------------------------------
+# FILE LOCATIONS
+#------------------------------------------------------------------------------
+
+# The default values of these variables are driven from the -D command-line
+# option or PGDATA environment variable, represented here as ConfigDir.
+# All changes to this section REQUIRES restart
+
+# use data in another directory
+data_directory = '/var/lib/postgresql/{{ postgresql.version }}/main'	
+# host-based authentication file
+hba_file = '/etc/postgresql/{{ postgresql.version }}/main/pg_hba.conf'
+
+# If external_pid_file is not explicitly set, no extra PID file is written.
+external_pid_file = '/run/postgresql/{{ postgresql.version }}-main.pid'
+# write an extra PID file
+
+
+#------------------------------------------------------------------------------
+# CONNECTIONS AND AUTHENTICATION
+#------------------------------------------------------------------------------
+
+# - Connection Settings -
+
+listen_addresses = '0.0.0.0, ::'
+# listen_addresses = * # listen to all
+#listen_addresses = 'localhost'		# what IP address(es) to listen on;
+					# comma-separated list of addresses;
+					# defaults to 'localhost'; use '*' for all
+					# (change requires restart)
+port = 5432				# (change requires restart)
+max_connections = 100			# (change requires restart)
+#superuser_reserved_connections = 3	# (change requires restart)
+unix_socket_directories = '/var/run/postgresql'	# comma-separated list of directories
+					# (change requires restart)
+#unix_socket_group = ''			# (change requires restart)
+#unix_socket_permissions = 0777		# begin with 0 to use octal notation
+					# (change requires restart)
+#bonjour = off				# advertise server via Bonjour
+					# (change requires restart)
+#bonjour_name = ''			# defaults to the computer name
+					# (change requires restart)
+
+# - TCP Keepalives -
+# see "man 7 tcp" for details
+
+#tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_count = 0		# TCP_KEEPCNT;
+					# 0 selects the system default
+
+
+# - Authentication -
+
+#authentication_timeout = 1min		# 1s-600s
+#password_encryption = md5		# md5 or scram-sha-256
+#db_user_namespace = off
+
+# GSSAPI using Kerberos
+#krb_server_keyfile = ''
+#krb_caseins_users = off
+
+# - SSL -
+
+ssl = on
+#ssl_ca_file = ''
+ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+#ssl_crl_file = ''
+ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+#ssl_prefer_server_ciphers = on
+#ssl_ecdh_curve = 'prime256v1'
+#ssl_dh_params_file = ''
+#ssl_passphrase_command = ''
+#ssl_passphrase_command_supports_reload = off
+
+
+#------------------------------------------------------------------------------
+# RESOURCE USAGE (except WAL)
+#------------------------------------------------------------------------------
+
+# - Memory -
+
+shared_buffers = 128MB			# min 128kB
+					# (change requires restart)
+#huge_pages = try			# on, off, or try
+					# (change requires restart)
+#temp_buffers = 8MB			# min 800kB
+#max_prepared_transactions = 0		# zero disables the feature
+					# (change requires restart)
+# Caution: it is not advisable to set max_prepared_transactions nonzero unless
+# you actively intend to use prepared transactions.
+#work_mem = 4MB				# min 64kB
+#maintenance_work_mem = 64MB		# min 1MB
+#autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem
+#max_stack_depth = 2MB			# min 100kB
+dynamic_shared_memory_type = posix	# the default is the first option
+					# supported by the operating system:
+					#   posix
+					#   sysv
+					#   windows
+					#   mmap
+					# (change requires restart)
+
+# - Disk -
+
+#temp_file_limit = -1			# limits per-process temp file space
+					# in kB, or -1 for no limit
+
+# - Kernel Resources -
+
+#max_files_per_process = 1000		# min 25
+					# (change requires restart)
+
+# - Cost-Based Vacuum Delay -
+
+#vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables)
+#vacuum_cost_page_hit = 1		# 0-10000 credits
+#vacuum_cost_page_miss = 10		# 0-10000 credits
+#vacuum_cost_page_dirty = 20		# 0-10000 credits
+#vacuum_cost_limit = 200		# 1-10000 credits
+
+# - Background Writer -
+
+#bgwriter_delay = 200ms			# 10-10000ms between rounds
+#bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables
+#bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round
+#bgwriter_flush_after = 512kB		# measured in pages, 0 disables
+
+# - Asynchronous Behavior -
+
+#effective_io_concurrency = 1		# 1-1000; 0 disables prefetching
+#max_worker_processes = 8		# (change requires restart)
+#max_parallel_maintenance_workers = 2	# taken from max_parallel_workers
+#max_parallel_workers_per_gather = 2	# taken from max_parallel_workers
+#parallel_leader_participation = on
+#max_parallel_workers = 8		# maximum number of max_worker_processes that
+					# can be used in parallel operations
+#old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate
+					# (change requires restart)
+#backend_flush_after = 0		# measured in pages, 0 disables
+
+
+#------------------------------------------------------------------------------
+# WRITE-AHEAD LOG
+#------------------------------------------------------------------------------
+
+# - Settings -
+
+#wal_level = replica			# minimal, replica, or logical
+					# (change requires restart)
+#fsync = on				# flush data to disk for crash safety
+					# (turning this off can cause
+					# unrecoverable data corruption)
+#synchronous_commit = on		# synchronization level;
+					# off, local, remote_write, remote_apply, or on
+#wal_sync_method = fsync		# the default is the first option
+					# supported by the operating system:
+					#   open_datasync
+					#   fdatasync (default on Linux)
+					#   fsync
+					#   fsync_writethrough
+					#   open_sync
+#full_page_writes = on			# recover from partial page writes
+#wal_compression = off			# enable compression of full-page writes
+#wal_log_hints = off			# also do full page writes of non-critical updates
+					# (change requires restart)
+#wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers
+					# (change requires restart)
+#wal_writer_delay = 200ms		# 1-10000 milliseconds
+#wal_writer_flush_after = 1MB		# measured in pages, 0 disables
+
+#commit_delay = 0			# range 0-100000, in microseconds
+#commit_siblings = 5			# range 1-1000
+
+# - Checkpoints -
+
+#checkpoint_timeout = 5min		# range 30s-1d
+max_wal_size = 1GB
+min_wal_size = 80MB
+#checkpoint_completion_target = 0.5	# checkpoint target duration, 0.0 - 1.0
+#checkpoint_flush_after = 256kB		# measured in pages, 0 disables
+#checkpoint_warning = 30s		# 0 disables
+
+# - Archiving -
+
+#archive_mode = off		# enables archiving; off, on, or always
+				# (change requires restart)
+#archive_command = ''		# command to use to archive a logfile segment
+				# placeholders: %p = path of file to archive
+				#               %f = file name only
+				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
+#archive_timeout = 0		# force a logfile segment switch after this
+				# number of seconds; 0 disables
+
+
+#------------------------------------------------------------------------------
+# REPLICATION
+#------------------------------------------------------------------------------
+
+# - Sending Servers -
+
+# Set these on the master and on any standby that will send replication data.
+
+#max_wal_senders = 10		# max number of walsender processes
+				# (change requires restart)
+#wal_keep_segments = 0		# in logfile segments; 0 disables
+#wal_sender_timeout = 60s	# in milliseconds; 0 disables
+
+#max_replication_slots = 10	# max number of replication slots
+				# (change requires restart)
+#track_commit_timestamp = off	# collect timestamp of transaction commit
+				# (change requires restart)
+
+# - Master Server -
+
+# These settings are ignored on a standby server.
+
+#synchronous_standby_names = ''	# standby servers that provide sync rep
+				# method to choose sync standbys, number of sync standbys,
+				# and comma-separated list of application_name
+				# from standby(s); '*' = all
+#vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed
+
+# - Standby Servers -
+
+# These settings are ignored on a master server.
+
+#hot_standby = on			# "off" disallows queries during recovery
+					# (change requires restart)
+#max_standby_archive_delay = 30s	# max delay before canceling queries
+					# when reading WAL from archive;
+					# -1 allows indefinite delay
+#max_standby_streaming_delay = 30s	# max delay before canceling queries
+					# when reading streaming WAL;
+					# -1 allows indefinite delay
+#wal_receiver_status_interval = 10s	# send replies at least this often
+					# 0 disables
+#hot_standby_feedback = off		# send info from standby to prevent
+					# query conflicts
+#wal_receiver_timeout = 60s		# time that receiver waits for
+					# communication from master
+					# in milliseconds; 0 disables
+#wal_retrieve_retry_interval = 5s	# time to wait before retrying to
+					# retrieve WAL after a failed attempt
+# - Subscribers -
+
+# These settings are ignored on a publisher.
+
+#max_logical_replication_workers = 4	# taken from max_worker_processes
+					# (change requires restart)
+#max_sync_workers_per_subscription = 2	# taken from max_logical_replication_workers
+
+
+#------------------------------------------------------------------------------
+# QUERY TUNING
+#------------------------------------------------------------------------------
+
+# - Planner Method Configuration -
+
+#enable_bitmapscan = on
+#enable_hashagg = on
+#enable_hashjoin = on
+#enable_indexscan = on
+#enable_indexonlyscan = on
+#enable_material = on
+#enable_mergejoin = on
+#enable_nestloop = on
+#enable_parallel_append = on
+#enable_seqscan = on
+#enable_sort = on
+#enable_tidscan = on
+#enable_partitionwise_join = off
+#enable_partitionwise_aggregate = off
+#enable_parallel_hash = on
+#enable_partition_pruning = on
+
+# - Planner Cost Constants -
+
+#seq_page_cost = 1.0			# measured on an arbitrary scale
+#random_page_cost = 4.0			# same scale as above
+#cpu_tuple_cost = 0.01			# same scale as above
+#cpu_index_tuple_cost = 0.005		# same scale as above
+#cpu_operator_cost = 0.0025		# same scale as above
+#parallel_tuple_cost = 0.1		# same scale as above
+#parallel_setup_cost = 1000.0	# same scale as above
+
+#jit_above_cost = 100000		# perform JIT compilation if available
+					# and query more expensive than this;
+					# -1 disables
+#jit_inline_above_cost = 500000		# inline small functions if query is
+					# more expensive than this; -1 disables
+#jit_optimize_above_cost = 500000	# use expensive JIT optimizations if
+					# query is more expensive than this;
+					# -1 disables
+
+#min_parallel_table_scan_size = 8MB
+#min_parallel_index_scan_size = 512kB
+#effective_cache_size = 4GB
+
+# - Genetic Query Optimizer -
+
+#geqo = on
+#geqo_threshold = 12
+#geqo_effort = 5			# range 1-10
+#geqo_pool_size = 0			# selects default based on effort
+#geqo_generations = 0			# selects default based on effort
+#geqo_selection_bias = 2.0		# range 1.5-2.0
+#geqo_seed = 0.0			# range 0.0-1.0
+
+# - Other Planner Options -
+
+#default_statistics_target = 100	# range 1-10000
+#constraint_exclusion = partition	# on, off, or partition
+#cursor_tuple_fraction = 0.1		# range 0.0-1.0
+#from_collapse_limit = 8
+#join_collapse_limit = 8		# 1 disables collapsing of explicit
+					# JOIN clauses
+#force_parallel_mode = off
+#jit = on				# allow JIT compilation
+#plan_cache_mode = auto			# auto, force_generic_plan or
+					# force_custom_plan
+
+
+#------------------------------------------------------------------------------
+# REPORTING AND LOGGING
+#------------------------------------------------------------------------------
+
+# - Where to Log -
+
+#log_destination = 'stderr'		# Valid values are combinations of
+					# stderr, csvlog, syslog, and eventlog,
+					# depending on platform.  csvlog
+					# requires logging_collector to be on.
+
+# This is used when logging to stderr:
+#logging_collector = off		# Enable capturing of stderr and csvlog
+					# into log files. Required to be on for
+					# csvlogs.
+					# (change requires restart)
+
+# These are only used if logging_collector is on:
+#log_directory = 'log'			# directory where log files are written,
+					# can be absolute or relative to PGDATA
+#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'	# log file name pattern,
+					# can include strftime() escapes
+#log_file_mode = 0600			# creation mode for log files,
+					# begin with 0 to use octal notation
+#log_truncate_on_rotation = off		# If on, an existing log file with the
+					# same name as the new log file will be
+					# truncated rather than appended to.
+					# But such truncation only occurs on
+					# time-driven rotation, not on restarts
+					# or size-driven rotation.  Default is
+					# off, meaning append to existing files
+					# in all cases.
+#log_rotation_age = 1d			# Automatic rotation of logfiles will
+					# happen after that time.  0 disables.
+#log_rotation_size = 10MB		# Automatic rotation of logfiles will
+					# happen after that much log output.
+					# 0 disables.
+
+# These are relevant when logging to syslog:
+#syslog_facility = 'LOCAL0'
+#syslog_ident = 'postgres'
+#syslog_sequence_numbers = on
+#syslog_split_messages = on
+
+# This is only relevant when logging to eventlog (win32):
+# (change requires restart)
+#event_source = 'PostgreSQL'
+
+# - When to Log -
+
+#log_min_messages = warning		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic
+
+#log_min_error_statement = error	# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic (effectively off)
+
+#log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements
+					# and their durations, > 0 logs only
+					# statements running at least this number
+					# of milliseconds
+
+
+# - What to Log -
+
+#debug_print_parse = off
+#debug_print_rewritten = off
+#debug_print_plan = off
+#debug_pretty_print = on
+#log_checkpoints = off
+#log_connections = off
+#log_disconnections = off
+#log_duration = off
+#log_error_verbosity = default		# terse, default, or verbose messages
+#log_hostname = off
+log_line_prefix = '%m [%p] %q%u@%d '		# special values:
+					#   %a = application name
+					#   %u = user name
+					#   %d = database name
+					#   %r = remote host and port
+					#   %h = remote host
+					#   %p = process ID
+					#   %t = timestamp without milliseconds
+					#   %m = timestamp with milliseconds
+					#   %n = timestamp with milliseconds (as a Unix epoch)
+					#   %i = command tag
+					#   %e = SQL state
+					#   %c = session ID
+					#   %l = session line number
+					#   %s = session start timestamp
+					#   %v = virtual transaction ID
+					#   %x = transaction ID (0 if none)
+					#   %q = stop here in non-session
+					#        processes
+					#   %% = '%'
+					# e.g. '<%u%%%d> '
+#log_lock_waits = off			# log lock waits >= deadlock_timeout
+#log_statement = 'none'			# none, ddl, mod, all
+#log_replication_commands = off
+#log_temp_files = -1			# log temporary files equal or larger
+					# than the specified size in kilobytes;
+					# -1 disables, 0 logs all temp files
+log_timezone = 'Europe/Paris'
+
+#------------------------------------------------------------------------------
+# PROCESS TITLE
+#------------------------------------------------------------------------------
+
+cluster_name = '{{ postgresql.version }}/main'			# added to process titles if nonempty
+					# (change requires restart)
+#update_process_title = on
+
+
+#------------------------------------------------------------------------------
+# STATISTICS
+#------------------------------------------------------------------------------
+
+# - Query and Index Statistics Collector -
+
+#track_activities = on
+#track_counts = on
+#track_io_timing = off
+#track_functions = none			# none, pl, all
+#track_activity_query_size = 1024	# (change requires restart)
+stats_temp_directory = '/var/run/postgresql/{{ postgresql.version }}-main.pg_stat_tmp'
+
+
+# - Monitoring -
+
+#log_parser_stats = off
+#log_planner_stats = off
+#log_executor_stats = off
+#log_statement_stats = off
+
+
+#------------------------------------------------------------------------------
+# AUTOVACUUM
+#------------------------------------------------------------------------------
+
+#autovacuum = on			# Enable autovacuum subprocess?  'on'
+					# requires track_counts to also be on.
+#log_autovacuum_min_duration = -1	# -1 disables, 0 logs all actions and
+					# their durations, > 0 logs only
+					# actions running at least this number
+					# of milliseconds.
+#autovacuum_max_workers = 3		# max number of autovacuum subprocesses
+					# (change requires restart)
+#autovacuum_naptime = 1min		# time between autovacuum runs
+#autovacuum_vacuum_threshold = 50	# min number of row updates before
+					# vacuum
+#autovacuum_analyze_threshold = 50	# min number of row updates before
+					# analyze
+#autovacuum_vacuum_scale_factor = 0.2	# fraction of table size before vacuum
+#autovacuum_analyze_scale_factor = 0.1	# fraction of table size before analyze
+#autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum
+					# (change requires restart)
+#autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age
+					# before forced vacuum
+					# (change requires restart)
+#autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for
+					# autovacuum, in milliseconds;
+					# -1 means use vacuum_cost_delay
+#autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for
+					# autovacuum, -1 means use
+					# vacuum_cost_limit
+
+
+#------------------------------------------------------------------------------
+# CLIENT CONNECTION DEFAULTS
+#------------------------------------------------------------------------------
+
+# - Statement Behavior -
+
+#client_min_messages = notice		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   log
+					#   notice
+					#   warning
+					#   error
+#search_path = '"$user", public'	# schema names
+#row_security = on
+#default_tablespace = ''		# a tablespace name, '' uses the default
+#temp_tablespaces = ''			# a list of tablespace names, '' uses
+					# only default tablespace
+#check_function_bodies = on
+#default_transaction_isolation = 'read committed'
+#default_transaction_read_only = off
+#default_transaction_deferrable = off
+#session_replication_role = 'origin'
+#statement_timeout = 0			# in milliseconds, 0 is disabled
+#lock_timeout = 0			# in milliseconds, 0 is disabled
+#idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled
+#vacuum_freeze_min_age = 50000000
+#vacuum_freeze_table_age = 150000000
+#vacuum_multixact_freeze_min_age = 5000000
+#vacuum_multixact_freeze_table_age = 150000000
+#vacuum_cleanup_index_scale_factor = 0.1	# fraction of total number of tuples
+						# before index cleanup, 0 always performs
+						# index cleanup
+#bytea_output = 'hex'			# hex, escape
+#xmlbinary = 'base64'
+#xmloption = 'content'
+#gin_fuzzy_search_limit = 0
+#gin_pending_list_limit = 4MB
+
+# - Locale and Formatting -
+
+datestyle = 'iso, dmy'
+#intervalstyle = 'postgres'
+timezone = 'Europe/Paris'
+#timezone_abbreviations = 'Default'     # Select the set of available time zone
+					# abbreviations.  Currently, there are
+					#   Default
+					#   Australia (historical usage)
+					#   India
+					# You can create your own file in
+					# share/timezonesets/.
+#extra_float_digits = 1			# min -15, max 3; any value >0 actually
+					# selects precise output mode
+#client_encoding = sql_ascii		# actually, defaults to database
+					# encoding
+
+# These settings are initialized by initdb, but they can be changed.
+lc_messages = 'en_US.UTF-8'
+lc_monetary = 'en_US.UTF-8'
+lc_numeric = 'en_US.UTF-8'
+lc_time = 'en_US.UTF-8'
+
+# default configuration for text search
+default_text_search_config = 'pg_catalog.french'
+
+# - Shared Library Preloading -
+
+#shared_preload_libraries = ''	# (change requires restart)
+#local_preload_libraries = ''
+#session_preload_libraries = ''
+#jit_provider = 'llvmjit'		# JIT library to use
+
+# - Other Defaults -
+
+#dynamic_library_path = '$libdir'
+
+
+#------------------------------------------------------------------------------
+# LOCK MANAGEMENT
+#------------------------------------------------------------------------------
+
+#deadlock_timeout = 1s
+#max_locks_per_transaction = 64		# min 10
+					# (change requires restart)
+#max_pred_locks_per_transaction = 64	# min 10
+					# (change requires restart)
+#max_pred_locks_per_relation = -2	# negative values mean
+					# (max_pred_locks_per_transaction
+					#  / -max_pred_locks_per_relation) - 1
+#max_pred_locks_per_page = 2            # min 0
+
+
+#------------------------------------------------------------------------------
+# VERSION AND PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+# - Previous PostgreSQL Versions -
+
+#array_nulls = on
+#backslash_quote = safe_encoding	# on, off, or safe_encoding
+#default_with_oids = off
+#escape_string_warning = on
+#lo_compat_privileges = off
+#operator_precedence_warning = off
+#quote_all_identifiers = off
+#standard_conforming_strings = on
+#synchronize_seqscans = on
+
+# - Other Platforms and Clients -
+
+#transform_null_equals = off
+
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------
+
+#exit_on_error = off			# terminate session on any error?
+#restart_after_crash = on		# reinitialize after backend crash?
+#data_sync_retry = off			# retry or panic on failure to fsync
+					# data?
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONFIG FILE INCLUDES
+#------------------------------------------------------------------------------
+
+# These options allow settings to be loaded from files other than the
+# default postgresql.conf.  Note that these are directives, not variable
+# assignments, so they can usefully be given more than once.
+
+include_dir = 'conf.d'			# include files ending in '.conf' from
+					# a directory, e.g., 'conf.d'
+#include_if_exists = '...'		# include file only if it exists
+#include = '...'			# include file
+
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+# Add settings for extensions here

roles/prometheus/tasks/main.yml

@@ -84,8 +84,11 @@
     enabled: true
     state: started
 
-- name: Indicate role in motd
+- include_role:
-  template:
+    name: update_motd
-    src: update-motd.d/05-service.j2
+  vars:
-    dest: /etc/update-motd.d/05-prometheus
+    motd_messages:
-    mode: 0755
+      - key: 05-prometheus
+        message: >-
+          Prometheus est déployé sur cette machine (voir /etc/prometheus)
+...

roles/prometheus/templates/prometheus/alert.rules.yml.j2

@@ -119,7 +119,7 @@ groups:
       summary: "La tension de sortie de {{ $labels.instance }} est de {{ $value }}V."  
 
   - alert: UpsTimeRemainingWarning
-    expr: upsEstimatedMinutesRemaining < 15
+    expr: upsEstimatedMinutesRemaining < 8
     for: 1m
     labels:
       severity: warning

roles/prometheus/templates/prometheus/snmp.yml.j2

@@ -14,6 +14,7 @@ eatonups:
   - 1.3.6.1.2.1.33.1.3
   - 1.3.6.1.2.1.33.1.4
   - 1.3.6.1.4.1.534.1.6
+  - 1.3.6.1.4.1.318.1.1.10.2.3.2.1.4
   get:
   - 1.3.6.1.2.1.1.3.0
   metrics:
@@ -68,9 +69,10 @@ eatonups:
     - labelname: upsOutputLineIndex
       type: gauge
   - name: xupsEnvRemoteTemp
-    oid: 1.3.6.1.4.1.534.1.6.5
+#    oid: 1.3.6.1.4.1.534.1.6.5
+    oid: 1.3.6.1.4.1.318.1.1.10.2.3.2.1.4
     type: gauge
-    help: The reading of an EMP's temperature sensor. - 1.3.6.1.4.1.534.1.6.5
+    help: The reading of an EMP's temperature sensor. - 1.3.6.1.4.1.318.1.1.10.2.3.2.1.4
   - name: xupsEnvRemoteHumidity
     oid: 1.3.6.1.4.1.534.1.6.6
     type: gauge

roles/prometheus/templates/update-motd.d/05-service.j2

@@ -1,4 +0,0 @@
-#!/bin/sh
-# {{ ansible_managed }}
-echo "> prometheus a été déployé sur cette machine."
-echo "  Voir /etc/prometheus/"

roles/prometheus_federate/tasks/main.yml

@@ -38,9 +38,12 @@
     enabled: true
     state: started
 
-- name: Indicate role in motd
+- include_role:
-  template:
+    name: update_motd
-    src: update-motd.d/05-service.j2
+  vars:
-    dest: /etc/update-motd.d/05-prometheus
+    motd_messages:
-    mode: 0755
+      - key: 05-prometheus-federate
+        message: >-
+          Prometheus (en configuration fédération) est déployé sur cette
+          machine (voir /etc/prometheus)
 ...

roles/prometheus_federate/templates/update-motd.d/05-service.j2

@@ -1,4 +0,0 @@
-#!/bin/sh
-# {{ ansible_managed }}
-echo "> prometheus a été déployé sur cette machine."
-echo "  Voir /etc/prometheus/"

roles/router/templates/firewall_config.py

@@ -36,6 +36,11 @@ interfaces_type = {
     'admin' : ['ens18']
 }
 
+log_ignore_v4 = [
+    '224.0.0.0/24',
+    '224.0.1.0/24',
+    '239.0.0.0/8',
+]
 
 ### Specify nat settings: name, interfaces with range, and global range for nat
 ### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST

roles/router/templates/firewall_config_aurore.py

@@ -33,6 +33,12 @@ interfaces_type = {
     'admin' : ['ens19', 'ens20', 'ens23']
 }
 
+log_ignore_v4 = [
+    '224.0.0.0/24',
+    '224.0.1.0/24',
+    '239.0.0.0/8',
+]
+
 ### Specify nat settings: name, interfaces with range, and global range for nat
 ### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST
 ### contain /16 range

roles/router/templates/interfaces-aurore

@@ -11,7 +11,6 @@ iface lo inet loopback
 auto ens18
 iface ens18 inet static
         address 10.129.0.{{ router_hard_ip_suffix }}/16
-        gateway 10.129.0.1
 
 iface ens18 inet6 static
         address 2a09:6840:129::0:{{ router_hard_ip_suffix }}/64

roles/router/templates/keepalived-aurore.conf

@@ -39,7 +39,7 @@ vrrp_instance VI_ROUT_aurore_IPv4 {
         10.129.0.254/16 brd 10.129.255.255 dev ens18 scope global
 
         # Adm
-        10.128.0.254/16 brd 10.129.255.255 dev ens19 scope global
+        10.128.0.254/16 brd 10.128.255.255 dev ens19 scope global
 
         # Switches
         10.130.0.254/16 brd 10.130.255.255 dev ens20 scope global

roles/rsyslog_collector/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+rsyslog_inputs: []
+rsyslog_collector_base_dir: /var/log/remote
+rsyslog_collector_rotate_path: /usr/local/sbin/rotate_remote_logs
+rsyslog_collector_keep_days: 0
+rsyslog_collector_compress_days: 1
+...

roles/rsyslog_collector/files/rotate

@@ -0,0 +1,60 @@
+#!/usr/bin/env python3
+import argparse
+import datetime
+import logging
+import pathlib
+import subprocess
+
+
+def compress_file(filename):
+    subprocess.run(["xz", "-z", str(filename)])
+
+
+def find_files(base_dir, extension, days):
+    delta = datetime.timedelta(days=days)
+    now = datetime.datetime.now()
+    for path in base_dir.rglob(f"*{extension}"):
+        stem = path.name.removesuffix(extension)
+        date = datetime.datetime.fromisoformat(stem)
+        if date < now - delta:
+            yield path
+
+
+def compress_logs(base_dir, days):
+    for path in find_files(base_dir, ".log", days):
+        logging.info("Compressing log file %s", str(path))
+        compress_file(path)
+
+
+def remove_logs(base_dir, days):
+    for path in find_files(base_dir, ".log.xz", days):
+        logging.info("Removing log file %s", str(path))
+        path.unlink()
+
+
+def main():
+
+    parser = argparse.ArgumentParser()
+    parser.add_argument("--compress-days", type=int, default=0)
+    parser.add_argument("--keep-days", type=int, default=0)
+    parser.add_argument(
+        "--base-dir", type=pathlib.Path, default="/var/log/remote"
+    )
+
+    args = parser.parse_args()
+
+    logging.basicConfig(format="%(levelname)s %(message)s", level=logging.INFO)
+
+    logging.info("Rotate script started")
+
+    if args.compress_days > 0:
+        compress_logs(args.base_dir, args.compress_days)
+
+    if args.keep_days > 0:
+        remove_logs(args.base_dir, args.keep_days)
+
+    logging.info("Rotate script done")
+
+
+if __name__ == "__main__":
+    main()

roles/rsyslog_collector/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Run systemd daemon-reload
+  systemd:
+    daemon_reload: true
+...

roles/rsyslog_collector/meta/main.yml

@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: rsyslog_common
+...

roles/rsyslog_collector/tasks/main.yml

@@ -0,0 +1,57 @@
+---
+- name: Install rsyslog-relp if needed
+  become: true
+  apt:
+    name: rsyslog-relp
+    state: present
+  when: "rsyslog_inputs | selectattr('proto', 'eq', 'relp') | list"
+
+- name: Ensure log storage directory exists
+  become: true
+  file:
+    path: "{{ rsyslog_collector_base_dir }}"
+    state: directory
+    owner: root
+    group: adm
+    mode: u=rwx,g=rwx,o=
+
+- name: Deploy rsyslog input configuration file
+  become: true
+  template:
+    src: 20-collector.conf.j2
+    dest: /etc/rsyslog.d/20-collector.conf
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  notify: Restart rsyslog
+
+- name: Install rotate script
+  become: true
+  copy:
+    src: rotate
+    dest: "{{ rsyslog_collector_rotate_path }}"
+    owner: root
+    group: root
+    mode: u=rwx,g=rx,o=
+
+- name: Install timer and service for rotate script
+  become: true
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/systemd/system/{{ item }}"
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=
+  loop:
+    - rotate-remote-logs.timer
+    - rotate-remote-logs.service
+  notify:
+    - Run systemd daemon-reload
+
+- name: Enable timer for log rotation
+  become: true
+  systemd:
+    name: rotate-remote-logs.timer
+    enabled: true
+    state: started
+...

roles/rsyslog_collector/templates/20-collector.conf.j2

@@ -0,0 +1,54 @@
+{{ ansible_managed | comment }}
+
+module(load="mmrm1stspace")
+
+{%
+    set input_modules = {
+        "relp": "imrelp",
+        "udp": "imudp",
+    }
+%}
+
+{%
+    for module in rsyslog_inputs
+        | map(attribute="proto")
+        | map("extract", input_modules)
+        | list
+        | unique
+%}
+module(load="{{ module }}")
+{% endfor %}
+
+template(name="incomingFilename" type="list") {
+    constant(value="{{ rsyslog_collector_base_dir }}/")
+    property(name="fromhost-ip")
+    constant(value="/")
+    property(name="timegenerated" dateFormat="year")
+    constant(value="-")
+    property(name="timegenerated" dateFormat="month")
+    constant(value="-")
+    property(name="timegenerated" dateFormat="day")
+    constant(value=".log")
+}
+
+ruleset(name="handleIncomingLogs") {
+    action(type="mmrm1stspace")
+    action(
+        type="omfile"
+        dynaFile="incomingFilename"
+        template="RSYSLOG_FileFormat"
+    )
+    call sendLogsToRemote
+}
+
+# TODO: add protocol-specific options (eg. TLS)
+{% for input in rsyslog_inputs %}
+input(
+    type="{{ input_modules[input.proto] }}"
+{% if "address" in input %}
+    address="{{ input.address }}"
+{% endif %}
+    port="{{ input.port }}"
+    ruleset="handleIncomingLogs"
+)
+{% endfor %}

roles/rsyslog_collector/templates/rotate-remote-logs.service.j2

@@ -0,0 +1,12 @@
+{{ ansible_managed | comment }}
+
+[Unit]
+Description=Rotate remote logs
+
+[Service]
+User=root
+Type=simple
+ExecStart={{ rsyslog_collector_rotate_path }} \
+    --base-dir {{ rsyslog_collector_base_dir }} \
+    --compress-days {{ rsyslog_collector_compress_days }} \
+    --keep-days {{ rsyslog_collector_keep_days }}

roles/rsyslog_collector/templates/rotate-remote-logs.timer.j2

@@ -0,0 +1,10 @@
+{{ ansible_managed | comment }}
+
+[Unit]
+Description=Rotate remote logs daily
+
+[Timer]
+OnCalendar=daily
+
+[Install]
+WantedBy=timers.target

roles/rsyslog_common/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+rsyslog_outputs: []
+...

roles/rsyslog_common/handlers/main.yml

@@ -0,0 +1,13 @@
+---
+- name: Restart rsyslog
+  become: true
+  systemd:
+    name: rsyslog.service
+    state: restarted
+
+- name: Restart systemd-journald
+  become: true
+  systemd:
+    name: systemd-journald.service
+    state: restarted
+...

roles/rsyslog_common/tasks/main.yml

@@ -0,0 +1,60 @@
+---
+- name: Install rsyslog
+  become: true
+  apt:
+    name: rsyslog
+    state: present
+
+- name: Install rsyslog modules if needed
+  become: true
+  apt:
+    name: "{{ item.pkg }}"
+    state: present
+  when: "rsyslog_outputs | selectattr('proto', 'eq', item.proto) | list"
+  loop:
+    - proto: relp
+      pkg: rsyslog-relp
+    - proto: redis
+      pkg: rsyslog-hiredis
+
+- name: Deploy main rsyslog configuration
+  become: true
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  loop:
+    - src: rsyslog.conf.j2
+      dest: /etc/rsyslog.conf
+    - src: 10-common.conf.j2
+      dest: /etc/rsyslog.d/10-common.conf
+  notify: Restart rsyslog
+
+- name: Create journald.conf.d directory
+  become: true
+  file:
+    path: /etc/systemd/journald.conf.d
+    state: directory
+    owner: root
+    group: root
+    mode: u=rwx,g=rx,o=rx
+
+- name: Deploy journald configuration
+  become: true
+  template:
+    src: forward-syslog.conf.j2
+    dest: /etc/systemd/journald.conf.d/forward-syslog.conf
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  notify: Restart systemd-journald
+
+- name: Enable rsyslog service
+  become: true
+  systemd:
+    name: rsyslog.service
+    state: started
+    enabled: true
+...

roles/rsyslog_common/templates/10-common.conf.j2

@@ -0,0 +1,105 @@
+{{ ansible_managed | comment }}
+
+{%
+    set output_modules = {
+        "relp": "omrelp",
+        "udp": "omfwd",
+        "redis": "omhiredis",
+    }
+%}
+
+global(
+    workDirectory="/var/spool/rsyslog"
+    preserveFQDN="on"
+)
+
+# Collect logs via /dev/log
+module(load="imuxsock")
+
+# Collect kernel logs
+module(load="imklog")
+
+# Parse CEE logs
+module(load="mmjsonparse")
+
+# Load export modules
+{%
+    for module in rsyslog_outputs
+        | map(attribute="proto")
+        | map("extract", output_modules)
+        | list
+        | unique
+%}
+module(load="{{ module }}")
+{% endfor %}
+
+# FIXME: Attention, il faut voir si rsyslog arrive bien à créer
+# les fichiers de plusieurs jours (le 1er est peut-être crée avant
+# de dropper les privilèges, mais les suivants je pense pas).
+module(
+    load="builtin:omfile"
+    # Format avec dates précises
+    template="RSYSLOG_FileFormat"
+    fileOwner="root"
+    fileGroup="adm"
+    fileCreateMode="0640"
+    dirCreateMode="0755"
+)
+
+template(name="templateJson" type="list" option.jsonf="on") {
+    property(outname="hostname_reported" name="hostname" format="jsonf")
+    property(outname="src" name="fromhost-ip" format="jsonf")
+    property(outname="facility" name="syslogfacility-text" format="jsonf")
+    property(outname="program" name="programname" format="jsonf")
+    property(outname="pid" name="procid" format="jsonf")
+    property(outname="time_reported" name="timereported" format="jsonf"
+        dateformat="rfc3339")
+    property(outname="time_generated" name="timegenerated" format="jsonf"
+        dateformat="rfc3339")
+    property(outname="message" name="msg" format="jsonf")
+}
+
+ruleset(name="sendLogsToDisk") {
+    auth,authpriv.* action(type="omfile" file="/var/log/auth.log")
+    mail.* action(type="omfile" file="/var/log/mail.log" sync="off")
+    kern.* action(type="omfile" file="/var/log/kern.log")
+    *.*;auth,authpriv,mail,kern.none action(type="omfile"
+        file="/var/log/syslog.log" sync="off")
+}
+
+# Send logs to remote collector(s)
+ruleset(name="sendLogsToRemote") {
+{% for output in rsyslog_outputs %}
+    action(
+        type="{{ output_modules[output.proto] }}"
+
+{% if output_modules[output.proto] == "omfwd" %}
+        protocol="{{ output.proto }}"
+        target="{{ output.address }}"
+        port="{{ output.port }}"
+{% elif output_modules[output.proto] == "omhiredis" %}
+        server="{{ output.address }}"
+        serverport="{{ output.port }}"
+        mode="publish"
+        key="{{ output.key }}"
+        template="templateJson"
+{% if output.password is defined %}
+        serverpassword="{{ output.password }}"
+{% endif %}
+{% elif output_modules[output.proto] == "omrelp" %}
+        target="{{ output.address }}"
+        port="{{ output.port }}"
+{% endif %}
+
+{% if loop.index > 1 and output.fallback %}
+        action.execOnlyWhenPreviousIsSuspended="on"
+{% endif %}
+    )
+{% endfor %}
+}
+
+# Send local logs to files (useful for debugging or if the collector is down)
+call sendLogsToDisk
+
+# Send local logs to the remote collector
+call sendLogsToRemote

roles/rsyslog_common/templates/forward-syslog.conf.j2

@@ -0,0 +1,5 @@
+{{ ansible_managed | comment }}
+
+[Journal]
+ForwardToSyslog=yes
+MaxLevelSyslog=debug

roles/rsyslog_common/templates/rsyslog.conf.j2

@@ -0,0 +1,3 @@
+{{ ansible_managed | comment }}
+
+include(file="/etc/rsyslog.d/*.conf")

roles/update_motd/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Remove cached motd
+  become: true
+  file:
+    path: "{{ item }}" 
+    state: absent
+  loop:
+    - /var/run/motd.dynamic
+    - /var/run/motd.dynamic.new
+...

roles/update_motd/tasks/main.yml

@@ -0,0 +1,53 @@
+---
+- name: Ensure update-motd.d exists
+  become: true
+  file:
+    path: /etc/update-motd.d
+    state: directory
+    mode: u=rwx,g=rx,o=rx
+    owner: root
+    group: root
+
+- name: Customize motd
+  become: true
+  template:
+    src: "{{ item }}"
+    dest: "/etc/update-motd.d/{{ item }}"
+    mode: u=rwx,g=rx,o=rx
+    owner: root
+    group: root
+  loop:
+    - 00-logo
+    - 10-messages
+    - 20-uname
+  notify: Remove cached motd
+
+- name: Remove Debian warranty motd
+  become: true
+  file:
+    path: /etc/motd
+    state: absent
+  notify: Remove cached motd
+
+- name: Ensure motd-messages exists
+  become: true
+  file:
+    path: /etc/motd-messages
+    state: directory
+    mode: u=rwx,g=rx,o=rx
+    owner: root
+    group: root
+  notify: Remove cached motd
+
+- name: Install additional motd messages
+  become: true
+  copy:
+    content: "✨ {{ item.message }}\n"
+    dest: "/etc/motd-messages/{{ item.key }}"
+    mode: u=rwx,g=rx,o=rx
+    owner: root
+    group: root
+  loop: "{{ motd_messages }}"
+  notify: Remove cached motd
+  when: motd_messages is defined
+...

roles/update_motd/templates/00-logo

@@ -1,23 +1,23 @@
 #!/bin/sh
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 
 # Pretty uptime
 upSeconds="$(/usr/bin/cut -d. -f1 /proc/uptime)"
-mins=$((${upSeconds}/60%60))
+mins="$((upSeconds / 60 % 60))"
-hours=$((${upSeconds}/3600%24))
+hours="$((upSeconds / 3600 % 24))"
-days=$((${upSeconds}/86400))
+days="$((upSeconds / 86400))"
-UPTIME=`printf "%d jours, %02dh%02dm" "$days" "$hours" "$mins"`
+UPTIME="$(printf "%d jours, %02dh%02dm" "$days" "$hours" "$mins")"
 
 # RAM
-RAM=`free -m | awk 'NR==2{printf "%s/%sMB (%.2f%%)\n", $3,$2,$3*100/$2 }'`
+RAM="$(free -m | awk 'NR==2{printf "%s/%sMB (%.2f%%)\n", $3,$2,$3*100/$2}')"
-DISK=`df -h | awk '$NF=="/"{printf "%d/%dGB (%s)\n", $3,$2,$5}'`
+DISK="$(df -h | awk '$NF=="/"{printf "%d/%dGB (%s)\n", $3,$2,$5}')"
 
 # Text font
-bold=$(tput bold)
+bold="$(tput bold)"
-normal=$(tput sgr0)
+normal="$(tput sgr0)"
 
 # Logo
-cat << EOF
+cat <<EOF
 
                                             ${bold}Uptime${normal} : ${UPTIME}
                                             ${bold}Mémoire${normal} : ${RAM}

roles/update_motd/templates/10-messages

@@ -0,0 +1,4 @@
+#!/bin/sh
+set -euf
+
+find /etc/motd-messages -type f -exec cat -- {} +

roles/update_motd/templates/20-uname

@@ -0,0 +1,4 @@
+#!/bin/sh
+{{ ansible_managed | comment }}
+
+uname -snrvm

sudo_upgrade.yml

@@ -0,0 +1,17 @@
+#!/usr/bin/env ansible-playbook
+---
+# This is a special playbook to upgrade sudo everywhere after the
+# CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
+# Please always use with --limit myserver.adm.auro.re
+# And list updates with --check
+- hosts: all
+  tasks:
+    - name: Upgrade sudo
+      apt:
+        name: sudo
+        state: latest
+        update_cache: true
+        cache_valid_time: 3600  # one hour
+      register: apt_result
+      retries: 3
+      until: apt_result is succeeded