diff --git a/hosts b/hosts
index 11b7e06..a17ec3f 100644
--- a/hosts
+++ b/hosts
@@ -123,6 +123,8 @@ ns-1.auro.re
 ldap-1.int.infra.auro.re
 radius-1.isp.infra.auro.re
 #prometheus-fleming-fo.adm.auro.re
+dhcp-1.isp.auro.re
+dhcp-2.isp.auro.re
 radius-fleming.adm.auro.re
 dns-1.int.infra.auro.re
 isp-1.rtr.infra.auro.re
diff --git a/playbooks/dhcpd.yml b/playbooks/dhcpd.yml
new file mode 100755
index 0000000..4bafd1f
--- /dev/null
+++ b/playbooks/dhcpd.yml
@@ -0,0 +1,63 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+ - dhcp-1.isp.auro.re
+ - dhcp-2.isp.auro.re
+ vars:
+ dhcpd__omapi_key:
+ algorithm: hmac-sha512
+ secret: 99XuJO0ofX3VAnWWlyixWbQ5YTagPfgxyh14IbLNBb3/JzEklkWopvQdj/PXVYbfb/sRyFJBhLexPag4dLh7PA==
+ dhcpd__interfaces:
+ - client-0
+ - client-1
+ - client-2
+ - client-3
+ - client-4
+ dhcpd__dns_servers:
+ - 10.128.0.127
+ dhcpd__domain_search:
+ - isp.auro.re
+ - auro.re
+ dhcpd__subnets:
+ - network: 100.64.0.0/27
+ routers:
+ - 100.64.0.1
+ start: 100.64.0.4
+ end: 100.64.0.30
+ domain_name: client-0.isp.auro.re
+ failover: true
+ - network: 100.64.0.32/27
+ routers:
+ - 100.64.0.31
+ start: 100.64.0.33
+ end: 100.64.0.63
+ domain_name: client-1.isp.auro.re
+ failover: true
+ - network: 100.64.0.64/27
+ routers:
+ - 100.64.0.65
+ start: 100.64.0.67
+ end: 100.64.0.95
+ domain_name: client-2.isp.auro.re
+ failover: true
+ - network: 100.64.0.96/27
+ routers:
+ - 100.64.0.97
+ start: 100.64.0.99
+ end: 100.64.0.127
+ domain_name: client-3.isp.auro.re
+ failover: true
+ - network: 100.64.0.128/27
+ routers:
+ - 100.64.0.129
+ start: 100.64.0.131
+ end: 100.64.0.159
+ domain_name: client-4.isp.auro.re
+ failover: true
+ # FIXME: ugly
+ dhcpd__failover_primary: "{{ inventory_hostname_short == 'dhcp-1' }}"
+ dhcpd__failover_address: "{{ '10.128.0.204' if dhcpd__failover_primary else '10.128.0.91' }}"
+ dhcpd__failover_peer_address: "{{ '10.128.0.91' if dhcpd__failover_primary else '10.128.0.204' }}"
+ roles:
+ - dhcpd
+...
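Review bot: The OMAPI HMAC key under `dhcpd__omapi_key.secret` is committed in cleartext, so anyone with read access to this repository or its history can authenticate to OMAPI on both DHCP servers and read or alter lease state. Move the value into an Ansible Vault variable, e.g. `secret: "{{ vault_dhcpd_omapi_secret }}"`, as the removed playbook already did for `vault_serviceuser_passwd`, and generate a new key — this one has to be treated as exposed even after the line is deleted. The `# FIXME: ugly` failover addresses could likewise become host_vars on dhcp-1/dhcp-2 instead of a conditional on `inventory_hostname_short`.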
diff --git a/playbooks/isc-dhcp-server.yml b/playbooks/isc-dhcp-server.yml
deleted file mode 100755
index c46b691..0000000
--- a/playbooks/isc-dhcp-server.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/usr/bin/env ansible-playbook
----
-- hosts: dhcp-*.adm.auro.re
- vars:
- update_motd:
- unbound: isc-dhcp-server est déployé.
- roles:
- - isc_dhcp_server
- - update_motd
diff --git a/roles/dhcpd/defaults/main.yml b/roles/dhcpd/defaults/main.yml
new file mode 100644
index 0000000..fb1d313
--- /dev/null
+++ b/roles/dhcpd/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+dhcpd_interfaces: []
+dhcpd__default_lease_time: 600
+dhcpd__max_lease_time: 7200
+dhcpd__dns_servers: []
+dhcpd__domain_search: []
+dhcpd__subnets: []
+dhcpd__failover_port: 519
+dhcpd__failover_mclt: 3600
+dhcpd__failover_split: 128
+dhcpd__failover_max_response_delay: 60
+dhcpd__failover_max_unacked_updates: 10
+dhcpd__failover_lb_max_seconds: 3
+dhcpd__omapi_port: 7911
+...
diff --git a/roles/dhcpd/handlers/main.yml b/roles/dhcpd/handlers/main.yml
new file mode 100644
index 0000000..1fe5942
--- /dev/null
+++ b/roles/dhcpd/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart isc-dhcp-server
+ systemd:
+ name: isc-dhcp-server.service
+ state: restarted
+...
diff --git a/roles/dhcpd/tasks/main.yml b/roles/dhcpd/tasks/main.yml
new file mode 100644
index 0000000..9e8f12f
--- /dev/null
+++ b/roles/dhcpd/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+- name: Install isc-dhcp-server
+ apt:
+ name: isc-dhcp-server
+
+- name: Configure isc-dhcp-server
+ template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: u=rw,g=r,o=
+ owner: root
+ group: root
+ loop:
+ - src: dhcpd.conf.j2
+ dest: /etc/dhcp/dhcpd.conf
+ - src: default.j2
+ dest: /etc/default/isc-dhcp-server
+ notify:
+ - Restart isc-dhcp-server
+
+#- src: dhcpd6.conf.j2
+# dest: /etc/dhcp/dhcpd6.conf
+
+- name: Enable and start isc-dhcp-server
+ systemd:
+ name: isc-dhcp-server.service
+ state: started
+ enabled: true
+...
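Review bot: `dhcpd_interfaces: []` in roles/dhcpd/defaults/main.yml is spelled with a single underscore while default.j2 and the playbook use `dhcpd__interfaces`, so this default is never picked up and a host that does not set the variable fails the `default.j2` render with an undefined variable. Rename it to `dhcpd__interfaces: []` so it matches the rest of the role. `dhcpd__failover_address` and `dhcpd__failover_peer_address` have no default at all; that is acceptable since the template only reads them when a subnet has `failover: true`, but a one-line comment in defaults saying they are required in that case would save the next user a render error.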
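Review bot: In roles/dhcpd/tasks/main.yml the two lines `#- src: dhcpd6.conf.j2` / `# dest: /etc/dhcp/dhcpd6.conf` float between tasks as a top-level comment; if it is a placeholder for IPv6 support, put it inside the `loop:` list as a commented item with a `# TODO` so its intent is clear, otherwise drop it. Since `/etc/dhcp/dhcpd.conf` now embeds the OMAPI key, consider keeping the removed role's `mode: 0600` for that template rather than `u=rw,g=r,o=`; with `group: root` there is no practical difference today, but the stricter mode makes the intent explicit if the group is ever changed.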
diff --git a/roles/dhcpd/templates/default.j2 b/roles/dhcpd/templates/default.j2
new file mode 100644
index 0000000..755f610
--- /dev/null
+++ b/roles/dhcpd/templates/default.j2
@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+
+INTERFACESv4="{{ dhcpd__interfaces | join(' ') }}"
+INTERFACESv6=""
diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2
new file mode 100644
index 0000000..53b947f
--- /dev/null
+++ b/roles/dhcpd/templates/dhcpd.conf.j2
@@ -0,0 +1,64 @@
+{{ ansible_managed | comment }}
+
+default-lease-time {{ dhcpd__default_lease_time }};
+max-lease-time {{ dhcpd__max_lease_time }};
+
+ddns-update-style none;
+
+authoritative;
+
+{% if dhcpd__omapi_key | default({}) %}
+omapi-port {{ dhcpd__omapi_port }};
+omapi-key omapi_key;
+
+key omapi_key {
+ algorithm {{ dhcpd__omapi_key.algorithm }};
+ secret {{ dhcpd__omapi_key.secret }};
+}
+{% endif %}
+
+{% if dhcpd__subnets | selectattr("failover", "true") | list %}
+failover peer "peer" {
+{% if dhcpd__failover_primary | default(false) %}
+ primary;
+ mclt {{ dhcpd__failover_mclt }};
+ split {{ dhcpd__failover_split }};
+{% else %}
+ secondary;
+{% endif %}
+ address {{ dhcpd__failover_address }};
+ port {{ dhcpd__failover_port }};
+ peer address {{ dhcpd__failover_peer_address }};
+ peer port {{ dhcpd__failover_peer_port
+ | default(dhcpd__failover_port) }};
+ max-response-delay {{ dhcpd__failover_max_response_delay }};
+ max-unacked-updates {{ dhcpd__failover_max_unacked_updates }};
+ load balance max seconds {{ dhcpd__failover_lb_max_seconds }};
+}
+{% endif %}
+
+{% if dhcpd__dns_servers | default([]) %}
+option domain-name-servers {{ dhcpd__dns_servers | join(", ") }};
+{% endif %}
+
+{% if dhcpd__domain_search | default([]) %}
+option domain-search {{ dhcpd__domain_search
+ | map("enquote") | join(", ") }};
+{% endif %}
+
+{% for subnet in dhcpd__subnets %}
+subnet {{ subnet.network
+ | ansible.utils.ipaddr("network") }}
+ netmask {{ subnet.network
+ | ansible.utils.ipaddr("netmask") }} {
+ pool {
+ range {{ subnet.start }} {{ subnet.end }};
+{% if subnet.failover | default(false) %}
+ failover peer "peer";
+{% endif %}
+ }
+{% if subnet.routers | default([]) %}
+ option routers {{ subnet.routers | join(", ") }};
+{% endif %}
+}
+{% endfor %}
diff --git a/roles/isc_dhcp_server/handlers/main.yml b/roles/isc_dhcp_server/handlers/main.yml
deleted file mode 100644
index fd4dd48..0000000
--- a/roles/isc_dhcp_server/handlers/main.yml
+++ /dev/null
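Review bot: Setting `dhcpd__omapi_key` unconditionally turns on `omapi-port {{ dhcpd__omapi_port }}`, and as far as I know ISC dhcpd offers no bind-address for the OMAPI listener, so TCP 7911 ends up reachable on the client-facing `client-0..4` interfaces as well, protected only by the shared HMAC key. Either document in the role that a host firewall rule restricting that port to the admin network is expected, or add a separate `dhcpd__omapi_enabled` switch so a key can be staged without opening the port. A header comment above the `{% if dhcpd__omapi_key ... %}` block stating that the rendered file contains the OMAPI secret would also help whoever next adjusts the template's file mode. The `subnet.domain_name` value set in the playbook is never consumed by this template, so either emit `option domain-name "{{ subnet.domain_name }}";` inside the subnet block or drop the key from the playbook.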
@@ -1,14 +0,0 @@
----
-- name: force run dhcp re2o-service
- command: /var/local/re2o-services/dhcp/main.py --force
- become_user: re2o-services
-
-- name: restart dhcpd
- systemd:
- state: restarted
- name: isc-dhcp-server
-
-- name: restart rsyslog
- systemd:
- name: rsyslog
- state: restarted
diff --git a/roles/isc_dhcp_server/tasks/main.yml b/roles/isc_dhcp_server/tasks/main.yml
deleted file mode 100644
index 9d69d63..0000000
--- a/roles/isc_dhcp_server/tasks/main.yml
+++ /dev/null
@@ -1,111 +0,0 @@
----
-- name: Install dhcp (re2o-service)
- import_role:
- name: re2o_service
- vars:
- service_repo: https://gitlab.federez.net/re2o/dhcp.git
- service_name: dhcp
- service_version: master
- service_config:
- hostname: re2o.auro.re
- username: service-user
- password: "{{ vault_serviceuser_passwd }}"
-
-- name: Ensure appropriate permissions on dhcp re2o service
- file:
- path: /var/local/re2o-services/dhcp/
- state: directory
- owner: re2o-services
- group: nogroup
- recurse: true
- mode: 0755
-
-- name: Install isc-dhcp-server
- apt:
- update_cache: true
- name: isc-dhcp-server
- state: present
- register: apt_result
- retries: 3
- until: apt_result is succeeded
- notify: restart dhcpd
-
-- name: Ensure dhcp log directory exists
- file:
- path: /var/log/dhcp
- owner: root
- group: root
- mode: u=rwx,g=rx,a=rx
- state: directory
-
-- name: Ensure rsyslog knows where to send dhcp logs
- lineinfile:
- path: /etc/rsyslog.conf
- line: "local7.* /var/log/dhcp/dhcpd.log"
- notify: restart rsyslog
-
-- name: Configure dhcp log rotation
- template:
- src: logrotate.d/dhcp.j2
- dest: /etc/logrotate.d/dhcp
- mode: 0644
-
-- name: set up cron to reload dhcp re2o service
- cron:
- # Do not change this name or idempotence *might* be lost.
- name: dhcp-re2o-service
- cron_file: re2o-services
- minute: "*/2"
- hour: "*"
- day: "*"
- weekday: "*"
- month: "*"
- user: root
- job: "/usr/bin/python3 /var/local/re2o-services/dhcp/main.py"
-
-- name: Configure /etc/default/isc-dhcp-server
- template:
- src: default/isc-dhcp-server.j2
- dest: /etc/default/isc-dhcp-server
- mode: 0644
- notify: restart dhcpd
-
-- name: Configure dhcp-failover.conf
- template:
- src: dhcp/dhcp-failover.conf.j2
- dest: /etc/dhcp/dhcp-failover.conf
- mode: 0600
- when: dhcp_failover_enabled
- notify: restart dhcpd
-
-- name: Configure dhcpd.conf
- template:
- src: dhcp/dhcpd.conf.j2
- dest: /etc/dhcp/dhcpd.conf
- mode: 0600
- notify: restart dhcpd
-
-- name: Configure subnets.conf (regular service)
- template:
- src: dhcp/regular-subnets.conf.j2
- dest: /etc/dhcp/subnets.conf
- mode: 0600
- notify: restart dhcpd
- when: not is_aurore_host
-
-- name: Configure subnets.conf (aurore service)
- template:
- src: dhcp/aurore-subnets.conf.j2
- dest: /etc/dhcp/subnets.conf
- mode: 0600
- notify: restart dhcpd
- when: is_aurore_host
-
-- name: force run dhcp re2o-service
- command: /var/local/re2o-services/dhcp/main.py --force
-
-- name: Ensure dhcpd is running
- service:
- name: isc-dhcp-server
- state: started
- enabled: true
diff --git a/roles/isc_dhcp_server/templates/default/isc-dhcp-server.j2 b/roles/isc_dhcp_server/templates/default/isc-dhcp-server.j2
deleted file mode 100644
index 6a7c7f7..0000000
--- a/roles/isc_dhcp_server/templates/default/isc-dhcp-server.j2
+++ /dev/null
@@ -1,24 +0,0 @@
-# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
-
-# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
-#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
-#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
-
-# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
-#DHCPDv4_PID=/var/run/dhcpd.pid
-#DHCPDv6_PID=/var/run/dhcpd6.pid
-
-# Additional options to start dhcpd with.
-# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
-#OPTIONS=""
-
-# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
-# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
-
-{% if is_aurore_host %}
-INTERFACESv4="ens19"
-INTERFACESv6=""
-{% else %}
-INTERFACESv4="ens19 ens20 ens21 ens22 ens23"
-INTERFACESv6=""
-{% endif %}
diff --git a/roles/isc_dhcp_server/templates/dhcp/aurore-subnets.conf.j2 b/roles/isc_dhcp_server/templates/dhcp/aurore-subnets.conf.j2
deleted file mode 100644
index 1a0e09e..0000000
--- a/roles/isc_dhcp_server/templates/dhcp/aurore-subnets.conf.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-subnet 45.66.110.0 netmask 255.255.255.0 {
- interface "ens19";
- option subnet-mask 255.255.255.0;
- option broadcast-address 45.66.110.255;
- option routers 45.66.110.{{ router_ip_suffix }};
- option domain-name-servers 45.66.110.{{ dns_host_suffix_main }}, {{ backup_dns_servers|join(', ') }};
- option domain-name "adh.auro.re";
- option domain-search "adh.auro.re";
- include "/var/local/re2o-services/dhcp/generated/dhcp.adh.auro.re.list";
-
- deny unknown-clients;
-}
diff --git a/roles/isc_dhcp_server/templates/dhcp/dhcp-failover.conf.j2 b/roles/isc_dhcp_server/templates/dhcp/dhcp-failover.conf.j2
deleted file mode 100644
index 6252343..0000000
--- a/roles/isc_dhcp_server/templates/dhcp/dhcp-failover.conf.j2
+++ /dev/null
@@ -1,31 +0,0 @@
-failover peer "dhcp-failover" {
-{% if inventory_hostname == dhcp_failover.primary_host %}
- primary;
-
- # MCLT = Maximum Client Lead Time.
- # Must be specified on the primary, forbidden on the secondary.
- mclt 3600;
-
- # Address or DNS name on which this node listens for connections
- # from its failover peer.
- address {{ dhcp_failover.primary_host }};
- peer address {{ dhcp_failover.secondary_host }};
-
- # Load balancing.
- split 128;
-{% endif %}
-{% if inventory_hostname == dhcp_failover.secondary_host %}
- secondary;
- # Address and peer address are reversed on the secondary node.
- address {{ dhcp_failover.secondary_host }};
- peer address {{ dhcp_failover.primary_host }};
-{% endif %}
-
- # The following options can be shared between primary and
- # secondary failover peers.
- port 647;
- peer port 647;
- max-response-delay 30;
- max-unacked-updates 10;
- load balance max seconds 3;
-}
diff --git a/roles/isc_dhcp_server/templates/dhcp/dhcpd.conf.j2 b/roles/isc_dhcp_server/templates/dhcp/dhcpd.conf.j2
deleted file mode 100644
index 84c86fd..0000000
--- a/roles/isc_dhcp_server/templates/dhcp/dhcpd.conf.j2
+++ /dev/null
@@ -1,25 +0,0 @@
-default-lease-time 86400;
-max-lease-time 86400;
-
-# Option definitions common to all supported networks.
-
-option interface-mtu {{ mtu }};
-option root-path "/";
-
-# The ddns-updates-style parameter controls whether or not the server will
-# attempt to do a DNS update when a lease is confirmed. We default to the
-# behavior of the version 2 packages ('none', since DHCP v2 didn't
-# have support for DDNS.)
-ddns-update-style none;
-
-# If this DHCP server is the official DHCP server for the local
-# network, the authoritative directive should be uncommented.
-authoritative;
-
-log-facility local7;
-
-{% if dhcp_failover_enabled %}
-include "/etc/dhcp/dhcp-failover.conf";
-{% endif %}
-
-include "/etc/dhcp/subnets.conf";
diff --git a/roles/isc_dhcp_server/templates/dhcp/regular-subnets.conf.j2 b/roles/isc_dhcp_server/templates/dhcp/regular-subnets.conf.j2
deleted file mode 100644
index 43f49fa..0000000
--- a/roles/isc_dhcp_server/templates/dhcp/regular-subnets.conf.j2
+++ /dev/null
@@ -1,94 +0,0 @@ -# Bornes WiFi -subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { - interface "ens19"; - option subnet-mask 255.255.0.0; - option broadcast-address 10.{{ subnet_ids.ap }}.255.255; - option routers 10.{{ subnet_ids.ap }}.0.250; - option domain-name "borne.auro.re"; - option domain-search "borne.auro.re"; - - option domain-name-servers 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; - include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list"; - - deny unknown-clients; -} - -# Users filaire -subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { - interface "ens20"; - option subnet-mask 255.255.0.0; - option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255; - option routers 10.{{ subnet_ids.users_wired }}.0.{{ router_ip_suffix }}; - option domain-name "fil.{{ apartment_block_dhcp }}.auro.re"; - option domain-search "auro.re"; - - option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; - - include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block_dhcp }}.auro.re.list"; - - deny unknown-clients; -} - - -# Users WiFi -subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { - interface "ens21"; - option subnet-mask 255.255.0.0; - option broadcast-address 10.{{ subnet_ids.users_wifi }}.255.255; - option routers 10.{{ subnet_ids.users_wifi }}.0.{{ router_ip_suffix }}; - option domain-name "wifi.{{ apartment_block_dhcp }}.auro.re"; - option domain-search "auro.re"; - - option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; - - include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block_dhcp }}.auro.re.list"; - - pool 
{ - range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wifi }}.10.255; - -{% if dhcp_failover is defined %} - failover peer "dhcp-failover"; -{% endif %} - } -} - -# Banni -subnet 10.{{ subnet_ids.users_banni }}.0.0 netmask 255.255.0.0 { - interface "ens22"; - option subnet-mask 255.255.0.0; - option broadcast-address 10.{{ subnet_ids.users_banni }}.255.255; - option routers 10.{{ subnet_ids.users_banni }}.0.{{ router_ip_suffix }}; - option domain-name "banni.{{ apartment_block_dhcp }}.auro.re"; - option domain-search "auro.re"; - - option domain-name-servers 10.{{ subnet_ids.users_banni }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_banni }}.0.{{ dns_host_suffix_backup }}; - - pool { - range 10.{{ subnet_ids.users_banni }}.1.0 10.{{ subnet_ids.users_banni }}.2.255; - -{% if dhcp_failover is defined %} - failover peer "dhcp-failover"; -{% endif %} - } -} - - -# Accueil -subnet 10.{{ subnet_ids.users_accueil }}.0.0 netmask 255.255.0.0 { - interface "ens23"; - option subnet-mask 255.255.0.0; - option broadcast-address 10.{{ subnet_ids.users_accueil }}.255.255; - option routers 10.{{ subnet_ids.users_accueil }}.0.{{ router_ip_suffix }}; - option domain-name "accueil.{{ apartment_block_dhcp }}.auro.re"; - option domain-search "auro.re"; - - option domain-name-servers 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix_backup }}; - - pool { - range 10.{{ subnet_ids.users_accueil }}.1.0 10.{{ subnet_ids.users_accueil }}.2.255; - -{% if dhcp_failover is defined %} - failover peer "dhcp-failover"; -{% endif %} - } -} diff --git a/roles/isc_dhcp_server/templates/logrotate.d/dhcp.j2 b/roles/isc_dhcp_server/templates/logrotate.d/dhcp.j2 deleted file mode 100644 index 9823aed..0000000 --- a/roles/isc_dhcp_server/templates/logrotate.d/dhcp.j2 +++ /dev/null 
@@ -1,11 +0,0 @@
-/var/log/dhcp/dhcpd.log {
- # common options
- daily
- rotate 365
- missingok
- compress
- delaycompress
- notifempty
-
- copytruncate
-}
diff --git a/roles/isc_dhcp_server/vars/main.yml b/roles/isc_dhcp_server/vars/main.yml
deleted file mode 100644
index 77933c1..0000000
--- a/roles/isc_dhcp_server/vars/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-dhcp_failover:
- primary_host: dhcp-{{ apartment_block }}.adm.auro.re
- secondary_host: dhcp-{{ apartment_block }}-backup.adm.auro.re