diff --git a/.gitignore b/.gitignore
index fa7c034..fc586ce 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 *.retry
-__pycache__
+ldap-password.txt
diff --git a/README.md b/README.md
index ab2d34c..6b7d611 100644
--- a/README.md
+++ b/README.md
@@ -88,8 +88,7 @@ Dans la configuration SSH :
 ```
 # Use a proxy jump server to log on all Aurore inventory
 Host 10.128.0.* *.adm.auro.re
-IdentityFile ~/.ssh/id_rsa
-ProxyJump auro.re
+ProxyJump passerelle.auro.re
 ```
 Il faut sa clé SSH configurée sur le serveur que l'on déploit.
diff --git a/ansible.cfg b/ansible.cfg
index 8d528bd..960e6df 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -33,3 +33,4 @@ become_ask_pass = True
 # TO know what changed
 always = yes
+scp_if_ssh = True
diff --git a/base.yml b/base.yml
index cb83112..191d80d 100644
--- a/base.yml
+++ b/base.yml
@@ -12,6 +12,6 @@
 # Clone LDAP on local geographic location
 # DON'T DO THIS AS IT RECREATES THE REPLICA
-# - hosts: ldap-replica
-# roles:
-# - ldap-replica
+#- hosts: ldap-replica
+# roles:
+# - ldap-replica
diff --git a/copy-keys.sh b/copy-keys.sh
new file mode 100755
index 0000000..e5343fd
--- /dev/null
+++ b/copy-keys.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+
+# Grab valid unique hostnames from the Ansible inventory.
+HOSTS=$(grep -ve '^[#\[]' hosts \
+| grep -ve '^$' \
+| grep -F adm.auro.re \
+| grep -vf ssh-blacklist.txt \
+| sort -u)
+
+for host in $HOSTS; do
+ echo "Handling host $host"
+
+ # sshpass can be used for non-interactive password authentication.
+ # place your password in ldap-password.txt.
+ sshpass -f ldap-password.txt ssh-copy-id "$host"
+done
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index d466fcd..6a0b66b 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
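Review bot: the .gitignore hunk replaces `__pycache__` with `ldap-password.txt` instead of adding a line, so Python bytecode directories created when Ansible or the re2o helper scripts run from this checkout are no longer ignored and can end up committed. Keep both entries: `__pycache__` followed by `ldap-password.txt`.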
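Review bot: in copy-keys.sh, `set -e` only sees the exit status of the last command of the `$( … )` pipeline (`sort -u`), so a missing `hosts` or `ssh-blacklist.txt` makes the inner grep fail silently, HOSTS ends up empty and the script exits 0 having copied nothing; `set -eo pipefail` makes that failure visible. The password file is read from the working directory with no check that it exists or is private; a guard before the loop, `[ -r ldap-password.txt ] || { echo "ldap-password.txt missing" >&2; exit 1; }`, covers the first and the comment should state that the file must be mode 0600. sshpass also refuses to answer the host-key confirmation prompt and exits non-zero, so with `set -e` the first host whose key is not yet in known_hosts stops the whole loop — worth documenting in the comment above the loop rather than discovering it mid-run.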
@@ -6,7 +6,7 @@ ansible_python_interpreter: /usr/bin/python3
 # You can hash LDAP passwords with `slappasswd` tool
 ldap_base: 'dc=auro,dc=re'
 ldap_master_ipv4: '10.128.0.11'
-ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
+ldap_master_uri: "ldap://re2o-ldap.adm.auro.re"
 ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
 ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
 ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
@@ -36,3 +36,18 @@ monitoring_mail: 'monitoring.aurore@lists.crans.org'
 matrix_webhooks_secret: "{{ vault_matrix_webhooks_secret }}"
 matrix_discord_client_id: "559305991494303747"
 matrix_discord_bot_token: "{{ vault_matrix_discord_bot_token }}"
+
+###
+# DNS
+###
+
+# Dernier octet (en décimal) de l'addresse des serveurs DNS récursifs de chaque
+# résidence.
+dns_host_suffix_main: 253
+dns_host_suffix_backup: 153
+
+backup_dns_servers:
+ - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
+
+
+mtu: 1400
diff --git a/group_vars/dhcp/vars.yml b/group_vars/dhcp/vars.yml
new file mode 100644
index 0000000..77933c1
--- /dev/null
+++ b/group_vars/dhcp/vars.yml
@@ -0,0 +1,4 @@
+---
+dhcp_failover:
+ primary_host: dhcp-{{ apartment_block }}.adm.auro.re
+ secondary_host: dhcp-{{ apartment_block }}-backup.adm.auro.re
diff --git a/group_vars/edc/ldap_local_replica.yml b/group_vars/edc/ldap_local_replica.yml
new file mode 100644
index 0000000..bad6801
--- /dev/null
+++ b/group_vars/edc/ldap_local_replica.yml
@@ -0,0 +1,4 @@
+---
+ldap_local_replica_uri:
+ - 'ldap://ldap-replica-edc.adm.auro.re'
+
diff --git a/group_vars/fleming/main.yml b/group_vars/fleming/main.yml
new file mode 100644
index 0000000..f0d1f8f
--- /dev/null
+++ b/group_vars/fleming/main.yml
@@ -0,0 +1,8 @@
+---
+apartment_block: fleming
+
+subnet_ids:
+ ap: 141
+ users_wired: 10
+ users_wifi: 11
+
diff --git a/group_vars/pacaterie/main.yml b/group_vars/pacaterie/main.yml
new file mode 100644
index 0000000..043d26d
--- /dev/null
+++ b/group_vars/pacaterie/main.yml
@@ -0,0 +1,7 @@
+---
+apartment_block: pacaterie
+
+subnet_ids:
+ ap: 142
+ users_wired: 20
+ users_wifi: 21
diff --git a/hosts b/hosts
index 25d42b3..8718a1d 100644
--- a/hosts
+++ b/hosts
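Review bot: `ldap_master_uri` now hard-codes `re2o-ldap.adm.auro.re` while `ldap_master_ipv4: '10.128.0.11'` two lines above is kept, so the two values can silently diverge if either is changed; if the IPv4 is still consumed elsewhere, a comment tying them together (`# must resolve to ldap_master_ipv4`) or deriving one from the other keeps them consistent. The new `mtu: 1400` in the second hunk has no explanation, whereas the 1496 it replaces in dhcpd.conf.j2 was justified by VLAN tagging; a one-line comment on why 1400 was chosen would spare the next maintainer a guess. Since the URI keeps the plain `ldap://` scheme, the comment should also say whether clients are expected to negotiate STARTTLS against this host, because the nslcd bind password below is sent over that connection.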
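Review bot: `dhcp_failover` in group_vars/dhcp/vars.yml is defined for every member of the `dhcp` group, but `apartment_block` is only provided for fleming and pacaterie in this commit and `hosts` lists no `dhcp-edc-backup` or `dhcp-gs-backup` machine, so uncommenting the edc or gs entries in `[dhcp]` would either fail on the undefined variable or render a failover peer that does not exist. Either keep these two keys in the group_vars of the blocks that really have a pair, or add a comment stating the prerequisite, e.g. `# Requires apartment_block and a dhcp-<block>-backup host; only fleming and pacaterie qualify today.`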
@@ -4,146 +4,56 @@
 # > We name servers according to location, then type.
 # > Then we regroup everything in global geographic and type groups.
-[ovh_physical]
-horus.adm.auro.re
+[aurore_pve]
+#merlin.adm.auro.re
+
+[aurore_vm]
+#radius-aurore.adm.auro.re
+
+[ovh_pve]
+#horus.adm.auro.re
 [ovh_container]
-synapse.adm.auro.re
-services-bdd.adm.auro.re
-phabricator.adm.auro.re
-wiki.adm.auro.re
-www.adm.auro.re
-proxy.adm.auro.re
-matrix-services.adm.auro.re
+#synapse.adm.auro.re
+#services-bdd.adm.auro.re
+#phabricator.adm.auro.re
+#wiki.adm.auro.re
+#www.adm.auro.re
+#proxy.adm.auro.re
+#matrix-services.adm.auro.re
 [ovh_vm]
-re2o-server.adm.auro.re
-re2o-ldap.adm.auro.re
-re2o-db.adm.auro.re
-serge.adm.auro.re
-passbolt.adm.auro.re
-vpn-ovh.adm.auro.re
-docker-ovh.adm.auro.re
-switchs-manager.adm.auro.re
+#re2o-server.adm.auro.re
+#re2o-ldap.adm.auro.re
+#re2o-db.adm.auro.re
+#serge.adm.auro.re
+#passbolt.adm.auro.re
+#vpn-ovh.adm.auro.re
+#docker-ovh.adm.auro.re
+#switchs-manager.adm.auro.re
+#radius-aurore.adm.auro.re
-[fleming_physical]
+[ovh_testing_vm]
+#re2o-test.adm.auro.re
+
+[fleming_pve]
 freya.adm.auro.re
 marki.adm.auro.re
 [fleming_vm]
-ldap-replica-fleming1.adm.auro.re
-#ldap-replica-fleming-fo.adm.auro.re
+ldap-replica-fleming.adm.auro.re
+ldap-replica-fleming-backup.adm.auro.re
 dhcp-fleming.adm.auro.re
-#dhcp-fleming-fo.adm.auro.re
+dhcp-fleming-backup.adm.auro.re
 dns-fleming.adm.auro.re
-#dns-fleming-fo.adm.auro.re
+dns-fleming-backup.adm.auro.re
 prometheus-fleming.adm.auro.re
 #prometheus-fleming-fo.adm.auro.re
 radius-fleming.adm.auro.re
-#radius-fleming-fo.adm.auro.re
+radius-fleming-backup.adm.auro.re
 unifi-fleming.adm.auro.re
 routeur-fleming.adm.auro.re
-#routeur-fleming-fo.adm.auro.re
-
-[fleming_unifi]
-fa-0-1.borne.auro.re
-fa-1-1.borne.auro.re
-fa-2-1.borne.auro.re
-#fa-2-2.borne.auro.re
-fa-3-1.borne.auro.re
-fa-4-1.borne.auro.re
-fb-0-1.borne.auro.re
-fb-1-1.borne.auro.re
-#fb-1-2.borne.auro.re
-fb-2-1.borne.auro.re
-#fb-2-2.borne.auro.re
-fb-3-1.borne.auro.re
-#fb-3-2.borne.auro.re
-fb-4-1.borne.auro.re
-#fb-4-2.borne.auro.re
-fc-0-1.borne.auro.re
-fc-1-1.borne.auro.re
-fc-2-1.borne.auro.re
-fc-3-1.borne.auro.re
-fc-4-1.borne.auro.re
-fd-0-1.borne.auro.re
-fd-1-1.borne.auro.re
-fd-2-1.borne.auro.re
-fd-3-1.borne.auro.re
-#fd-4-1.borne.auro.re
-fe-0-1.borne.auro.re
-fe-1-1.borne.auro.re
-fe-1-2.borne.auro.re
-fe-2-1.borne.auro.re
-fe-2-2.borne.auro.re
-fe-3-1.borne.auro.re
-fe-3-2.borne.auro.re
-fe-4-1.borne.auro.re
-fe-4-2.borne.auro.re
-ff-0-1.borne.auro.re
-ff-0-f.borne.auro.re
-ff-1-1.borne.auro.re
-ff-1-2.borne.auro.re
-ff-2-1.borne.auro.re
-ff-2-2.borne.auro.re
-ff-3-1.borne.auro.re
-ff-3-2.borne.auro.re
-ff-4-1.borne.auro.re
-ff-4-2.borne.auro.re
-fg-0-1.borne.auro.re
-fg-1-1.borne.auro.re
-#fg-1-2.borne.auro.re
-fg-2-1.borne.auro.re
-fg-2-2.borne.auro.re
-fg-3-1.borne.auro.re
-fg-3-2.borne.auro.re
-fg-4-1.borne.auro.re
-#fg-4-2.borne.auro.re
-fh-0-1.borne.auro.re
-fh-1-1.borne.auro.re
-fh-1-2.borne.auro.re
-fh-2-1.borne.auro.re
-fh-2-2.borne.auro.re
-fh-3-1.borne.auro.re
-fh-3-2.borne.auro.re
-fh-4-1.borne.auro.re
-fh-4-2.borne.auro.re
-fi-0-1.borne.auro.re
-fi-1-1.borne.auro.re
-fi-1-2.borne.auro.re
-fi-2-1.borne.auro.re
-fi-2-2.borne.auro.re
-fi-3-1.borne.auro.re
-fi-3-2.borne.auro.re
-fi-4-1.borne.auro.re
-fi-4-2.borne.auro.re
-fj-0-1.borne.auro.re
-fj-1-1.borne.auro.re
-fj-1-2.borne.auro.re
-fj-2-1.borne.auro.re
-fj-2-2.borne.auro.re
-fj-3-1.borne.auro.re
-fj-3-2.borne.auro.re
-fj-4-1.borne.auro.re
-fj-4-2.borne.auro.re
-fk-0-1.borne.auro.re
-fk-1-1.borne.auro.re
-fk-1-2.borne.auro.re
-fk-2-1.borne.auro.re
-fk-2-2.borne.auro.re
-fk-3-1.borne.auro.re
-fk-3-2.borne.auro.re
-fk-4-1.borne.auro.re
-fk-4-2.borne.auro.re
-fl-0-1.borne.auro.re
-fl-1-1.borne.auro.re
-fl-1-2.borne.auro.re
-fl-2-1.borne.auro.re
-fl-2-2.borne.auro.re
-fl-3-1.borne.auro.re
-fl-3-2.borne.auro.re
-fl-4-1.borne.auro.re
-fl-4-2.borne.auro.re
+routeur-fleming-backup.adm.auro.re
 [pacaterie_physical]
 mordred.adm.auro.re
@@ -151,130 +61,43 @@ titan.adm.auro.re
 [pacaterie_vm]
 ldap-replica-pacaterie.adm.auro.re
-#ldap-replica-pacaterie-fo.adm.auro.re
+ldap-replica-pacaterie-backup.adm.auro.re
 dhcp-pacaterie.adm.auro.re
-#dhcp-pacaterie-fo.adm.auro.re
+dhcp-pacaterie-backup.adm.auro.re
 dns-pacaterie.adm.auro.re
-#dns-pacaterie-fo.adm.auro.re
+dns-pacaterie-backup.adm.auro.re
 prometheus-pacaterie.adm.auro.re
 #prometheus-pacaterie-fo.adm.auro.re
 radius-pacaterie.adm.auro.re
-#radius-pacaterie-fo.adm.auro.re
+radius-pacaterie-backup.adm.auro.re
 unifi-pacaterie.adm.auro.re
 routeur-pacaterie.adm.auro.re
-#routeur-pacaterie-fo.adm.auro.re
+routeur-pacaterie-backup.adm.auro.re
-[pacaterie_unifi]
-pc-1-1.borne.auro.re
-pn-0-1.borne.auro.re
-pn-0-2.borne.auro.re
-pn-0-3.borne.auro.re
-pn-1-1.borne.auro.re
-pn-1-2.borne.auro.re
-pn-1-3.borne.auro.re
-pn-2-1.borne.auro.re
-pn-2-2.borne.auro.re
-pn-2-3.borne.auro.re
-pn-3-1.borne.auro.re
-pn-3-2.borne.auro.re
-pn-3-3.borne.auro.re
-pn-4-1.borne.auro.re
-pn-4-2.borne.auro.re
-pn-4-3.borne.auro.re
-ps-0-1.borne.auro.re
-ps-0-2.borne.auro.re
-ps-0-3.borne.auro.re
-ps-1-1.borne.auro.re
-ps-1-2.borne.auro.re
-ps-1-3.borne.auro.re
-ps-2-1.borne.auro.re
-ps-2-2.borne.auro.re
-ps-2-3.borne.auro.re
-ps-3-1.borne.auro.re
-ps-3-2.borne.auro.re
-ps-4-1.borne.auro.re
-ps-4-2.borne.auro.re
-ps-4-3.borne.auro.re
-
-[edc_physical]
+[edc_pve]
 chapalux.adm.auro.re
 [edc_vm]
-ldap-replica-edc.adm.auro.re
-ldap-replica-edc-fo.adm.auro.re
-dhcp-edc.adm.auro.re
-dhcp-edc-fo.adm.auro.re
-dns-edc.adm.auro.re
-dns-edc-fo.adm.auro.re
-prometheus-edc.adm.auro.re
-prometheus-edc-fo.adm.auro.re
-radius-edc.adm.auro.re
-radius-edc-fo.adm.auro.re
-unifi-edc.adm.auro.re
 routeur-edc.adm.auro.re
-routeur-edc-fo.adm.auro.re
+dns-edc.adm.auro.re
+dhcp-edc.adm.auro.re
+unifi-edc.adm.auro.re
+radius-edc.adm.auro.re
+routeur-aurore.adm.auro.re
+ldap-replica-edc.adm.auro.re
+#ldap-replica-edc-backup.adm.auro.re
-[edc_unifi]
-ep-0-1.borne.auro.re
+[gs_pve]
+#perceval.adm.auro.re
-[georgesand_physical]
-perceval.adm.auro.re
-
-[georgesand_vm]
-ldap-replica-georgesand.adm.auro.re
-ldap-replica-georgesand-fo.adm.auro.re
-dhcp-georgesand.adm.auro.re
-dhcp-georgesand-fo.adm.auro.re
-dns-georgesand.adm.auro.re
-dns-georgesand-fo.adm.auro.re
-prometheus-georgesand.adm.auro.re
-prometheus-georgesand-fo.adm.auro.re
-radius-georgesand.adm.auro.re
-radius-georgesand-fo.adm.auro.re
-unifi-georgesand.adm.auro.re
-routeur-georgesand.adm.auro.re
-routeur-georgesand-fo.adm.auro.re
-
-[georgesand_unifi]
-ga-0-1.borne.auro.re
-ga-1-1.borne.auro.re
-ga-2-1.borne.auro.re
-ga-3-1.borne.auro.re
-ga-4-1.borne.auro.re
-ga-5-1.borne.auro.re
-ga-5-2.borne.auro.re
-gb-1-1.borne.auro.re
-gb-2-1.borne.auro.re
-gb-3-1.borne.auro.re
-gb-4-1.borne.auro.re
-gb-5-1.borne.auro.re
-gc-1-1.borne.auro.re
-gc-2-1.borne.auro.re
-gc-3-1.borne.auro.re
-gc-4-1.borne.auro.re
-gc-5-1.borne.auro.re
-gd-1-1.borne.auro.re
-gd-2-1.borne.auro.re
-gd-3-1.borne.auro.re
-gd-4-1.borne.auro.re
-gd-5-1.borne.auro.re
-gd-garage-1.borne.auro.re
-ge-0-1.borne.auro.re
-ge-1-1.borne.auro.re
-ge-2-1.borne.auro.re
-ge-3-1.borne.auro.re
-ge-4-1.borne.auro.re
-ge-5-1.borne.auro.re
-gf-0-1.borne.auro.re
-gf-1-1.borne.auro.re
-gf-2-1.borne.auro.re
-gf-3-1.borne.auro.re
-gf-4-1.borne.auro.re
-gf-5-1.borne.auro.re
-
-#####################
-# Geographic groups #
-#####################
+[gs_vm]
+routeur-gs.adm.auro.re
+unifi-gs.adm.auro.re
+radius-gs.adm.auro.re
+dns-gs.adm.auro.re
+dhcp-gs.adm.auro.re
+#ldap-replica-gs.adm.auro.re
+#ldap-replica-gs-backup.adm.auro.re
 # everything at ovh
 [ovh:children]
@@ -296,19 +119,13 @@ pacaterie_unifi
 # everything at edc
 [edc:children]
-edc_physical
+edc_pve
 edc_vm
-edc_unifi
 # everything at georgesand
-[georgesand:children]
-georgesand_physical
-georgesand_vm
-georgesand_unifi
-
-#####################
-# Type groups #
-#####################
+[gs:children]
+gs_pve
+gs_vm
 # every LXC container
 [container:children]
@@ -320,23 +137,59 @@ ovh_vm
 fleming_vm
 pacaterie_vm
 edc_vm
-georgesand_vm
+gs_vm
-# every physical
-[physical:children]
-ovh_physical
-fleming_physical
-pacaterie_physical
-edc_physical
-georgesand_physical
+# every PVE
+[pve:children]
+ovh_pve
+fleming_pve
+pacaterie_pve
+edc_pve
+gs_pve
-# every unifi access point
-[unifi:children]
-fleming_unifi
-pacaterie_unifi
-edc_unifi
-georgesand_unifi
+[dhcp]
+dhcp-fleming.adm.auro.re
+dhcp-fleming-backup.adm.auro.re
+#dhcp-pacaterie.adm.auro.re
+#dhcp-pacaterie-backup.adm.auro.re
+#dhcp-edc.adm.auro.re
+#dhcp-gs.adm.auro.re
-[all:vars]
-# Force remote to use Python 3
-ansible_python_interpreter=/usr/bin/python3
+[recursive_dns:children]
+rdns_main
+rdns_backup
+
+[rdns_main]
+dns-fleming.adm.auro.re
+dns-pacaterie.adm.auro.re
+
+[rdns_backup]
+dns-fleming-backup.adm.auro.re
+dns-pacaterie-backup.adm.auro.re
+
+
+# FIXME:
+#dns-edc.adm.auro.re
+#dns-gs.adm.auro.re
+
+[ldap_replica:children]
+ldap_replica_fleming
+ldap_replica_pacaterie
+ldap_replica_edc
+ldap_replica_gs
+
+[ldap_replica_fleming]
+ldap-replica-fleming.adm.auro.re
+ldap-replica-fleming-backup.adm.auro.re
+
+[ldap_replica_pacaterie]
+ldap-replica-pacaterie.adm.auro.re
+ldap-replica-pacaterie-backup.adm.auro.re
+
+[ldap_replica_edc]
+ldap-replica-edc.adm.auro.re
+ldap-replica-edc-backup.adm.auro.re
+
+[ldap_replica_gs]
+ldap-replica-gs.adm.auro.re
+ldap-replica-gs-backup.adm.auro.re
diff --git a/hosts.save b/hosts.save
new file mode 100644
index 0000000..c806780
--- /dev/null
+++ b/hosts.save
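Review bot: `[pve:children]` now lists `pacaterie_pve`, but the only pacaterie hypervisor group visible in this diff is still `[pacaterie_physical]` (kept as context in the first hunk), and `[pacaterie:children]` still carries `pacaterie_unifi` in the third hunk's header context although that group was deleted; depending on the Ansible version this is either an inventory parse error or a silently empty group, so rename `[pacaterie_physical]` to `[pacaterie_pve]` and drop `pacaterie_unifi` from `[pacaterie:children]`. The new `[ldap_replica_edc]` and `[ldap_replica_gs]` groups also list `ldap-replica-edc-backup`, `ldap-replica-gs` and `ldap-replica-gs-backup` uncommented while the same names are commented out in `[edc_vm]` and `[gs_vm]`, which makes them live targets for any play on `ldap_replica` even though nothing else in the inventory treats them as deployed. Commenting them out in the replica groups too, with a `# not provisioned yet` note, keeps the two views of the inventory consistent.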
@@ -0,0 +1,131 @@
+# Aurore servers inventory
+
+# How to name your server ?
+# > We name servers according to location, then type.
+# > So all containers at OVH are in ovh-container.
+# > Then we regroup everything in global geographic and type groups.
+
+[ovh_pve]
+#horus.adm.auro.re
+
+[ovh_container]
+#synapse.adm.auro.re
+#services-bdd.adm.auro.re
+#phabricator.adm.auro.re
+#wiki.adm.auro.re
+#www.adm.auro.re
+#proxy.adm.auro.re
+#matrix-services.adm.auro.re
+
+[ovh_vm]
+#re2o-server.adm.auro.re
+#re2o-ldap.adm.auro.re
+#re2o-db.adm.auro.re
+#serge.adm.auro.re
+#passbolt.adm.auro.re
+#vpn-ovh.adm.auro.re
+#docker-ovh.adm.auro.re
+#switchs-manager.adm.auro.re
+#radius-aurore.adm.auro.re
+
+[ovh_testing_vm]
+#re2o-test.adm.auro.re
+
+[fleming_pve]
+#freya.adm.auro.re
+
+[fleming_vm]
+#ldap-replica-fleming1.adm.auro.re
+#ldap-replica-fleming2.adm.auro.re
+#dhcp-fleming.adm.auro.re
+#dhcp-fleming-backup.adm.auro.re
+#dns-fleming.adm.auro.re
+#dns-fleming-backup.adm.auro.re
+#radius-fleming.adm.auro.re
+#radius-fleming-backup.adm.auro.re
+#routeur-fleming.adm.auro.re
+#routeur-fleming-backup.adm.auro.re
+#unifi-fleming.adm.auro.re
+#prometheus
+
+[pacaterie_pve]
+#mordred.adm.auro.re
+
+[pacaterie_vm]
+#ldap-replica-pacaterie.adm.auro.re
+#dhcp-pacaterie.adm.auro.re
+#dns-pacaterie.adm.auro.re
+#prometheus-pacaterie.adm.auro.re
+#radius-pacaterie.adm.auro.re
+#unifi-pacaterie.adm.auro.re
+#routeur-pacaterie.adm.auro.re
+
+[edc_pve]
+#chapalux.adm.auro.re
+
+[edc_vm]
+#routeur-edc.adm.auro.re
+#dns-edc.adm.auro.re
+#dhcp-edc.adm.auro.re
+#unifi-edc.adm.auro.re
+#radius-edc.adm.auro.re
+#routeur-aurore.adm.auro.re
+#10.128.0.254
+
+[georgesand_pve]
+#perceval.adm.auro.re
+
+[georgesand_vm]
+#routeur-gs.adm.auro.re
+#unifi-gs.adm.auro.re
+#radius-gs.adm.auro.re
+#dns-gs.adm.auro.re
+#dhcp-gs.adm.auro.re
+
+# everything at ovh
+[ovh:children]
+ovh_pve
+ovh_container
+ovh_vm
+
+# everything at ovh_testing
+[ovh_testing:children]
+ovh_testing_vm
+
+# everything at fleming
+[fleming:children]
+fleming_pve
+fleming_vm
+
+# everything at pacaterie
+[pacaterie:children]
+pacaterie_pve
+pacaterie_vm
+
+# everything at edc
+[edc:children]
+edc_pve
+edc_vm
+
+# everything at georgesand
+[georgesand:children]
+georgesand_pve
+georgesand_vm
+
+# every LXC container
+[container:children]
+ovh_container
+
+# every virtual machine
+[vm:children]
+ovh_vm
+fleming_vm
+pacaterie_vm
+
+# every PVE
+[pve:children]
+ovh_pve
+fleming_pve
+pacaterie_pve
+edc_pve
+georgesand_pve
diff --git a/hosts.save.1 b/hosts.save.1
new file mode 100644
index 0000000..db677b4
--- /dev/null
+++ b/hosts.save.1
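Review bot: `hosts.save` (and `hosts.save.1` in the next file) look like editor backup copies of the inventory rather than intended files: nothing in this diff references them, they duplicate `hosts` almost entirely, and they disagree with it (`[georgesand_pve]` vs `[gs_pve]`, `[ldap-replica]` vs `[ldap_replica]`, hypervisors commented out), so anyone passing one of them with `-i` by mistake targets a different set of machines than the real inventory. Remove them from the commit, or add `hosts.save*` to .gitignore next to the `ldap-password.txt` entry this commit adds.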
@@ -0,0 +1,165 @@
+# Aurore servers inventory
+
+# How to name your server ?
+# > We name servers according to location, then type.
+# > So all containers at OVH are in ovh-container.
+# > Then we regroup everything in global geographic and type groups.
+
+[aurore_pve]
+merlin.adm.auro.re
+
+[aurore_vm]
+radius-aurore.adm.auro.re
+
+[ovh_pve]
+horus.adm.auro.re
+
+[ovh_container]
+synapse.adm.auro.re
+services-bdd.adm.auro.re
+phabricator.adm.auro.re
+wiki.adm.auro.re
+www.adm.auro.re
+proxy.adm.auro.re
+matrix-services.adm.auro.re
+
+[ovh_vm]
+re2o-server.adm.auro.re
+re2o-ldap.adm.auro.re
+re2o-db.adm.auro.re
+serge.adm.auro.re
+passbolt.adm.auro.re
+vpn-ovh.adm.auro.re
+docker-ovh.adm.auro.re
+switchs-manager.adm.auro.re
+radius-aurore.adm.auro.re
+
+[ovh_testing_vm]
+re2o-test.adm.auro.re
+
+[fleming_pve]
+freya.adm.auro.re
+marki.adm.auro.re
+
+[fleming_vm]
+ldap-replica-fleming.adm.auro.re
+ldap-replica-fleming-backup.adm.auro.re
+dhcp-fleming.adm.auro.re
+dhcp-fleming-backup.adm.auro.re
+dns-fleming.adm.auro.re
+dns-fleming-backup.adm.auro.re
+prometheus-fleming.adm.auro.re
+radius-fleming.adm.auro.re
+radius-fleming-backup.adm.auro.re
+unifi-fleming.adm.auro.re
+routeur-fleming.adm.auro.re
+routeur-fleming-backup.adm.auro.re
+
+[pacaterie_pve]
+mordred.adm.auro.re
+titan.adm.auro.re
+
+[pacaterie_vm]
+ldap-replica-pacaterie.adm.auro.re
+ldap-replica-pacaterie-backup.adm.auro.re
+dhcp-pacaterie.adm.auro.re
+dhcp-pacaterie-backup.adm.auro.re
+dns-pacaterie.adm.auro.re
+dns-pacaterie-backup.adm.auro.re
+prometheus-pacaterie.adm.auro.re
+radius-pacaterie.adm.auro.re
+radius-pacaterie-backup.adm.auro.re
+unifi-pacaterie.adm.auro.re
+routeur-pacaterie.adm.auro.re
+routeur-pacaterie-backup.adm.auro.re
+
+[edc_pve]
+chapalux.adm.auro.re
+
+[edc_vm]
+routeur-edc.adm.auro.re
+dns-edc.adm.auro.re
+dhcp-edc.adm.auro.re
+unifi-edc.adm.auro.re
+radius-edc.adm.auro.re
+routeur-aurore.adm.auro.re
+
+[gs_pve]
+perceval.adm.auro.re
+
+[gs_vm]
+routeur-gs.adm.auro.re
+unifi-gs.adm.auro.re
+radius-gs.adm.auro.re
+dns-gs.adm.auro.re
+dhcp-gs.adm.auro.re
+
+# everything at ovh
+[ovh:children]
+ovh_pve
+ovh_container
+ovh_vm
+
+# everything at ovh_testing
+[ovh_testing:children]
+ovh_testing_vm
+
+# everything at fleming
+[fleming:children]
+fleming_pve
+fleming_vm
+
+# everything at pacaterie
+[pacaterie:children]
+pacaterie_pve
+pacaterie_vm
+
+# everything at edc
+[edc:children]
+edc_pve
+edc_vm
+
+# everything at georgesand
+[gs:children]
+gs_pve
+gs_vm
+
+# every LXC container
+[container:children]
+ovh_container
+
+# every virtual machine
+[vm:children]
+ovh_vm
+fleming_vm
+pacaterie_vm
+gs_vm
+
+# every PVE
+[pve:children]
+ovh_pve
+fleming_pve
+pacaterie_pve
+edc_pve
+gs_pve
+
+[dhcp]
+dhcp-fleming.adm.auro.re
+dhcp-fleming-backup.adm.auro.re
+dhcp-pacaterie.adm.auro.re
+dhcp-pacaterie-backup.adm.auro.re
+dhcp-edc.adm.auro.re
+dhcp-gs.adm.auro.re
+
+[dns]
+dns-fleming.adm.auro.re
+dns-fleming-backup.adm.auro.re
+dns-pacaterie.adm.auro.re
+dns-pacaterie-backup.adm.auro.re
+dns-edc.adm.auro.re
+dns-gs.adm.auro.re
+
+[ldap-replica]
+ldap-replica-fleming.adm.auro.re
+ldap-replica-fleming-backup.adm.auro.re
+ldap-replica-pacaterie-backup.adm.auro.re
diff --git a/network.yml b/network.yml
index 1a353f5..9e8980c 100644
--- a/network.yml
+++ b/network.yml
@@ -1,47 +1,54 @@
 ---
-# Deploy DHCP
-- hosts: dhcp-fleming.adm.auro.re,dhcp-pacaterie.adm.auro.re
+# Set up DHCP servers.
+- hosts: dhcp
 vars:
 service_repo: https://gitlab.federez.net/re2o/dhcp.git
 service_name: dhcp
 service_version: master
 service_config:
- hostname: re2o-server.adm.auro.re
+ hostname: re2o.auro.re
 username: service-user
 password: "{{ vault_serviceuser_passwd }}"
- dhcp:
- authoritative: yes
 roles:
 - re2o-service
 - isc-dhcp-server
-# Deploy DNS
-- hosts: serge.adm.auro.re
- vars:
- service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
- service_name: dns
- service_version: crans
- service_config:
- hostname: re2o-server.adm.auro.re
- username: service-user
- password: "{{ vault_serviceuser_passwd }}"
+
+
+# Deploy unbound DNS server (recursive).
+- hosts: recursive_dns
 roles:
- - re2o-service
+ - unbound
+
+
+# WIP: Deploy authoritative DNS servers
+# - hosts: authoritative_dns
+# vars:
+# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
+# service_name: dns
+# service_version: crans
+# service_config:
+# hostname: re2o-server.adm.auro.re
+# username: service-user
+# password: "{{ vault_serviceuser_passwd }}"
+# roles:
+# - re2o-service
+
 # Deploy Unifi Controller
-- hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
- roles:
- - unifi-controller
+#- hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re
+# roles:
+# - unifi-controller
 # Deploy Re2o switch service
-- hosts: switchs-manager.adm.auro.re
- vars:
- service_repo: https://gitlab.federez.net/re2o/switchs.git
- service_name: switchs
- service_version: master
- service_config:
- hostname: re2o-server.adm.auro.re
- username: service-user
- password: "{{ vault_serviceuser_passwd }}"
- roles:
- - re2o-service
+#- hosts: switchs-manager.adm.auro.re
+# vars:
+# service_repo: https://gitlab.federez.net/re2o/switchs.git
+# service_name: switchs
+# service_version: master
+# service_config:
+# hostname: re2o-server.adm.auro.re
+# username: service-user
+# password: "{{ vault_serviceuser_passwd }}"
+# roles:
+# - re2o-service
diff --git a/proxmox.yml b/proxmox.yml
index 8aa56fb..98af1cc 100644
--- a/proxmox.yml
+++ b/proxmox.yml
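Review bot: `hostname: re2o.auro.re` replaces the admin-network name `re2o-server.adm.auro.re` in the DHCP play, so the re2o service-user credentials (`vault_serviceuser_passwd`) will now be presented to the public hostname; whether that endpoint is reached over TLS is not visible here, and the commented-out switch play a few lines down still points at `re2o-server.adm.auro.re`, so the two blocks now disagree. A comment on the line stating why the public name is used and that the service API is served over HTTPS, or reverting to the adm name, makes the intent explicit for the next person who touches it. The Unifi and switch plays are commented out rather than removed; if they are only temporarily disabled, a one-line reason next to each (`# Disabled: …` with the actual reason) stops them reading as dead code, otherwise delete them and let git keep the history.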
@@ -3,6 +3,161 @@
 - hosts: proxy.adm.auro.re # Host with python-proxmoxer and python-requests
 become: false # We do not need root as we use Proxmox API
+ vars:
+ vm_definitions:
+
+ # Réseau Pacaterie
+ - name: ldap-replica-pacaterie
+ virtu: mordred
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: dhcp-pacaterie
+ virtu: mordred
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: dns-pacaterie
+ virtu: mordred
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: prometheus-pacaterie
+ virtu: mordred
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: radius-pacaterie
+ virtu: mordred
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: unifi-pacaterie
+ virtu: mordred
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-9.9.0-amd64-netinst.iso
+
+ # Réseau Fleming
+ - name: ldap-replica-fleming1
+ virtu: freya
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: dhcp-fleming
+ virtu: freya
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: dns-fleming
+ virtu: freya
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: prometheus-fleming
+ virtu: freya
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: radius-fleming
+ virtu: freya
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: unifi-fleming
+ virtu: freya
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-9.9.0-amd64-netinst.iso
+
+ # Réseau EdC
+ - name: ldap-replica-edc1
+ virtu: chapalux
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: dhcp-edc
+ virtu: chapalux
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: dns-edc
+ virtu: chapalux
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: prometheus-edc
+ virtu: chapalux
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: radius-edc
+ virtu: chapalux
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: unifi-edc
+ virtu: chapalux
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-9.9.0-amd64-netinst.iso
+
+ # Réseau George Sand
+ - name: ldap-replica-gs1
+ virtu: perceval
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: dhcp-gs
+ virtu: perceval
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: dns-gs
+ virtu: perceval
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: prometheus-gs
+ virtu: perceval
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: radius-gs
+ virtu: perceval
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-10.0.0-amd64-netinst.iso
+ - name: unifi-gs
+ virtu: perceval
+ cores: 2 # 2 mimimum, 10 maximum
+ memory: 1024 # M
+ disksize: 16 # G
+ installiso: debian-9.9.0-amd64-netinst.iso
+
 vars_prompt:
 - name: "password"
 prompt: "Enter LDAP password for your user"
diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc-dhcp-server/tasks/main.yml
index 0004081..4d6ef54 100644
--- a/roles/isc-dhcp-server/tasks/main.yml
+++ b/roles/isc-dhcp-server/tasks/main.yml
@@ -8,14 +8,58 @@
 retries: 3
 until: apt_result is succeeded
-- name: Configure isc-dhcp-server
+- name: Ensure dhcp log directory exists
+ file:
+ path: /var/log/dhcp
+ owner: root
+ group: root
+ mode: u=rwx,g=rx,a=rx
+ state: directory
+
+- name: Ensure rsyslog knows where to send dhcp logs
+ lineinfile:
+ path: /etc/rsyslog.conf
+ line: "local7.* /var/log/dhcp/dhcpd.log"
+
+- name: Configure dhcp log rotation
+ template:
+ src: logrotate.d/dhcp.j2
+ dest: /etc/logrotate.d/dhcp
+ mode: 0644
+
+- name: set up cron to reload dhcp re2o service
+ cron:
+ # Do not change this name or idempotence *might* be lost.
+ name: dhcp-re2o-service
+ cron_file: re2o-services
+ minute: "*"
+ hour: "*"
+ day: "*"
+ weekday: "*"
+ month: "*"
+ user: root
+ job: "/usr/bin/python3 /var/local/re2o-services/dhcp/main.py"
+
+- name: restart rsyslog
+ systemd:
+ name: rsyslog
+ state: restarted
+
+- name: Configure /etc/default/isc-dhcp-server
+ template:
+ src: default/isc-dhcp-server.j2
+ dest: /etc/default/isc-dhcp-server
+ mode: 0644
+
+- name: Configure dhcp-failover.conf
+ template:
+ src: dhcp/dhcp-failover.conf.j2
+ dest: /etc/dhcp/dhcp-failover.conf
+ mode: 0600
+ when: dhcp_failover is defined
+
+- name: Configure dhcpd.conf
 template:
 src: dhcp/dhcpd.conf.j2
 dest: /etc/dhcp/dhcpd.conf
 mode: 0600
-
-- name: Ensure that isc-dhcp-server is started
- systemd:
- name: isc-dhcp-server
- state: started
- enabled: true
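Review bot: the VM names in `vm_definitions` do not match the inventory this same commit rewrites: `ldap-replica-fleming1`, `ldap-replica-edc1` and `ldap-replica-gs1` have no counterpart in `hosts` (which names them `ldap-replica-fleming` and `ldap-replica-fleming-backup`), and none of the `*-backup` machines that `group_vars/dhcp/vars.yml` and the new `[dhcp]`/`[rdns_backup]` groups depend on are defined here, so the failover peers cannot be provisioned from this list. Every entry also repeats the same four settings, so a change to the default ISO or sizing means 24 edits; a YAML anchor with a merge key keeps one source of truth, as in the constructed excerpt below, and the `cores` comment should read `minimum`, not `mimimum`.
```yaml
    vm_defaults: &vm_defaults
      cores: 2 # 2 minimum, 10 maximum
      memory: 1024 # M
      disksize: 16 # G
      installiso: debian-10.0.0-amd64-netinst.iso
    vm_definitions:
      # Réseau Pacaterie
      - name: ldap-replica-pacaterie
        virtu: mordred
        <<: *vm_defaults
      # … unchanged: remaining definitions follow the same pattern; the unifi-* entries add their own installiso line after the merge key …
```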
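Review bot: `mode: u=rwx,g=rx,a=rx` on the "Ensure dhcp log directory exists" task contradicts itself — the clauses apply left to right and `a=rx` resets all three classes, so `/var/log/dhcp` ends up 0555; `mode: u=rwx,g=rx,o=rx` (or `mode: 0755`) is what was meant. The `restart rsyslog` task is unconditional, so every play run restarts the daemon even when the lineinfile task changed nothing; make it a handler and `notify` it from that task. The removed "Ensure that isc-dhcp-server is started" task is not replaced by anything in the new code, so after this commit nothing enables the service and nothing reloads dhcpd when dhcpd.conf, dhcp-failover.conf or the defaults file are re-templated — a `restart isc-dhcp-server` handler notified by the three template tasks, plus `enabled: true`, restores that. The cron job runs `/var/local/re2o-services/dhcp/main.py` as root every minute although its only visible consumer is the `include` of the generated `.list` files in dhcpd.conf.j2, so a dedicated unprivileged user for the regeneration (presumably with write access to the generated directory only) would limit the impact of a bug in that script; the `templates/cron.d/re2o-services` file added in the next hunk also duplicates what the `cron` module already writes and one of the two should go.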
diff --git a/roles/isc-dhcp-server/templates/cron.d/re2o-services b/roles/isc-dhcp-server/templates/cron.d/re2o-services
new file mode 100644
index 0000000..abc05dd
--- /dev/null
+++ b/roles/isc-dhcp-server/templates/cron.d/re2o-services
@@ -0,0 +1,4 @@
+# Régénération des services re2o
+
+# Régénération du dhcp
+* * * * * root /usr/bin/python3 /var/local/re2o-services/dhcp/main.py
diff --git a/roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 b/roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2
new file mode 100644
index 0000000..83f7cae
--- /dev/null
+++ b/roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2
@@ -0,0 +1,18 @@
+# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
+
+# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
+#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
+#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
+
+# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
+#DHCPDv4_PID=/var/run/dhcpd.pid
+#DHCPDv6_PID=/var/run/dhcpd6.pid
+
+# Additional options to start dhcpd with.
+# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
+#OPTIONS=""
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACESv4="ens19 ens20 ens21"
+INTERFACESv6=""
diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcp-failover.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcp-failover.conf.j2
new file mode 100644
index 0000000..6252343
--- /dev/null
+++ b/roles/isc-dhcp-server/templates/dhcp/dhcp-failover.conf.j2
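Review bot: `INTERFACESv4="ens19 ens20 ens21"` in default/isc-dhcp-server.j2 hard-codes interface names that dhcpd.conf.j2 repeats in its three `interface "ensNN";` statements, so a host whose NICs enumerate differently needs edits in two templates that can drift apart, and this `.j2` file currently contains no Jinja at all. Moving the names into one variable (for example a per-block mapping in group_vars, rendered here as `INTERFACESv4="{{ dhcp_interfaces.values() | join(' ') }}"` — name constructed for illustration) keeps the defaults file and dhcpd.conf in sync from a single definition.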
@@ -0,0 +1,31 @@
+failover peer "dhcp-failover" {
+{% if inventory_hostname == dhcp_failover.primary_host %}
+ primary;
+
+ # MCLT = Maximum Client Lead Time.
+ # Must be specified on the primary, forbidden on the secondary.
+ mclt 3600;
+
+ # Address or DNS name on which this node listens for connections
+ # from its failover peer.
+ address {{ dhcp_failover.primary_host }};
+ peer address {{ dhcp_failover.secondary_host }};
+
+ # Load balancing.
+ split 128;
+{% endif %}
+{% if inventory_hostname == dhcp_failover.secondary_host %}
+ secondary;
+ # Address and peer address are reversed on the secondary node.
+ address {{ dhcp_failover.secondary_host }};
+ peer address {{ dhcp_failover.primary_host }};
+{% endif %}
+
+ # The following options can be shared between primary and
+ # secondary failover peers.
+ port 647;
+ peer port 647;
+ max-response-delay 30;
+ max-unacked-updates 10;
+ load balance max seconds 3;
+}
diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
index 3b0da57..dc642ae 100644
--- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
+++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
@@ -1,15 +1,12 @@
-# dhcpd.conf
 # {{ ansible_managed }}
-# option definitions common to all supported networks...
-#option domain-name "example.org";
-#option domain-name-servers ns1.example.org, ns2.example.org;
+default-lease-time 86400;
+max-lease-time 86400;
-# We have tagged network so use last 4 bytes for tag (1500 max)
-option interface-mtu 1496;
+# Option definitions common to all supported networks.
-default-lease-time 600;
-max-lease-time 7200;
+option interface-mtu {{ mtu }};
+option root-path "/";
 # The ddns-updates-style parameter controls whether or not the server will
 # attempt to do a DNS update when a lease is confirmed. We default to the
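Review bot: when `inventory_hostname` matches neither `dhcp_failover.primary_host` nor `dhcp_failover.secondary_host`, the template emits a `failover peer` block with neither `primary;` nor `secondary;` and no `address`, which dhcpd rejects at startup; since tasks/main.yml only guards on `dhcp_failover is defined`, an `assert` task before the template, `that: inventory_hostname in [dhcp_failover.primary_host, dhcp_failover.secondary_host]`, turns this into an early, readable failure instead of a broken service. The two `{% if %}` blocks would read better as `if`/`elif`, which also makes the unmatched case visible in the template itself. Separately, the failover channel on `port 647` exchanges lease state between the peers with no authentication in the configuration shown, so a comment recording that the port is expected to be reachable only from the peer over the admin network (host firewall or VLAN) documents the trust assumption for whoever maintains the firewall rules.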
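Review bot: `option root-path "/";` is new and global in the first dhcpd.conf.j2 hunk, but root-path only means something to network-booting clients and `/` is not a usable NFS root specification, so every lease now carries an option nobody can act on. If a specific client class needs it, add a comment saying which and scope it to that class; otherwise drop the line. The `mtu` comment that explained the previous 1496 value was removed with it, so `option interface-mtu {{ mtu }};` would benefit from a one-line note pointing at where `mtu` is defined and why it is below 1500.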
@@ -19,15 +16,65 @@ ddns-update-style none;
 # If this DHCP server is the official DHCP server for the local
 # network, the authoritative directive should be uncommented.
-{% if dhcp.authoritative %}
 authoritative;
-{% else %}
-#authoritative;
+
+log-facility local7;
+
+{% if dhcp_failover is defined %}
+include "/etc/dhcp/dhcp-failover.conf";
 {% endif %}
-# Use this to send dhcp log messages to a different log file (you also
-# have to hack syslog.conf to complete the redirection).
-#log-facility local7;
+# Bornes WiFi
+subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 {
+ interface "ens19";
+ option subnet-mask 255.255.0.0;
+ option broadcast-address 10.{{ subnet_ids.ap }}.255.255;
+ option routers 10.{{ subnet_ids.ap }}.0.250;
+ option domain-name "borne.auro.re";
+ option domain-search "borne.auro.re";
+
+ option domain-name-servers 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
+ include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list";
+
+ deny unknown-clients;
+}
+
+# Users filaire
+subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 {
+ interface "ens20";
+ option subnet-mask 255.255.0.0;
+ option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255;
+ option routers 10.{{ subnet_ids.users_wired }}.0.240;
+ option domain-name "fil.{{ apartment_block }}.auro.re";
+ option domain-search "auro.re";
+
+ option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
+
+ include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list";
+
+ deny unknown-clients;
+}
+
+
+# Users WiFi
+subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 {
+ interface "ens21";
+ option subnet-mask 255.255.0.0;
+ option broadcast-address 10.{{ subnet_ids.users_wifi }}.255.255;
+ option 
routers 10.{{ subnet_ids.users_wifi }}.0.240;
+ option domain-name "wifi.{{ apartment_block }}.auro.re";
+ option domain-search "auro.re";
+
+ option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
+
+ include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list";
+
+ pool {
+ range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wifi }}.10.255;
+
+{% if dhcp_failover is defined %}
+ failover peer "dhcp-failover";
+{% endif %}
+ }
+}
-# Aurore topology
-# TODO
diff --git a/roles/isc-dhcp-server/templates/logrotate.d/dhcp.j2 b/roles/isc-dhcp-server/templates/logrotate.d/dhcp.j2
new file mode 100644
index 0000000..9823aed
--- /dev/null
+++ b/roles/isc-dhcp-server/templates/logrotate.d/dhcp.j2
@@ -0,0 +1,11 @@
+/var/log/dhcp/dhcpd.log {
+ # common options
+ daily
+ rotate 365
+ missingok
+ compress
+ delaycompress
+ notifempty
+
+ copytruncate
+}
diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2
index db05bdc..1cb7856 100644
--- a/roles/ldap-client/templates/nslcd.conf.j2
+++ b/roles/ldap-client/templates/nslcd.conf.j2
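Review bot: The AP and wired subnets carry `deny unknown-clients;` but the `# Users WiFi` subnet does not, so any device on ens21 can obtain an address from the `range 10.x.8.0 10.x.10.255` pool; if that is intended (pre-authentication WiFi), say so in a comment above `pool {`, otherwise add the same `deny unknown-clients;` line. `log-facility local7;` routes dhcpd logging to syslog, while the logrotate file in this commit rotates /var/log/dhcp/dhcpd.log; unless an rsyslog rule outside this commit writes local7 to that path, the file is never created and the rotation is a no-op. The three `include` statements reference files produced by the cron job, so on a fresh host dhcpd fails to start until the generator has run once; the role should create those files (or run the generator) before dhcpd is started, and a comment on the first `include` should state that dependency.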
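Review bot: `copytruncate` drops any lines written between the copy and the truncate, which matters for a file fed by a syslog daemon; if rsyslog writes this file, the usual form is `create` plus a `postrotate` that asks rsyslog to reopen (on Debian, `/usr/lib/rsyslog/rsyslog-rotate`). Replace the `# common options` comment with one naming the process that writes /var/log/dhcp/dhcpd.log so the pairing with `log-facility local7` in dhcpd.conf.j2 can be checked.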
@@ -5,9 +5,24 @@ uid nslcd
 gid nslcd
 # The location at which the LDAP server(s) should be reachable.
-{% if ldap_local_replica_uri is defined %}
-{% for uri in ldap_local_replica_uri %}
-uri {{ uri }}
+{% if 'fleming_vm' in group_names or 'fleming_pve' in group_names %}
+{% for uri in groups['ldap_replica_fleming'] %}
+uri ldap://{{ uri }}
+{% endfor %}
+{% endif %}
+{% if 'pacaterie_vm' in group_names or 'pacaterie_pve' in group_names %}
+{% for uri in groups['ldap_replica_pacaterie'] %}
+uri ldap://{{ uri }}
+{% endfor %}
+{% endif %}
+{% if 'edc_vm' in group_names or 'edc_pve' in group_names %}
+{% for uri in groups['ldap_replica_edc'] %}
+uri ldap://{{ uri }}
+{% endfor %}
+{% endif %}
+{% if 'gs_vm' in group_names or 'gs_pve' in group_names %}
+{% for uri in groups['ldap_replica_gs'] %}
+uri ldap://{{ uri }}
 {% endfor %}
 {% endif %}
 uri {{ ldap_master_uri }}
@@ -35,4 +50,3 @@ tls_cacertfile /etc/ssl/certs/ca-certificates.crt
 # The search scope.
 #scope sub
-
diff --git a/roles/re2o-service/tasks/main.yml b/roles/re2o-service/tasks/main.yml
index 473a4d7..74ac8fd 100644
--- a/roles/re2o-service/tasks/main.yml
+++ b/roles/re2o-service/tasks/main.yml
@@ -9,6 +9,7 @@
 repo: "{{ service_repo }}"
 dest: "{{ service_homedir }}/{{ service_name }}"
 version: "{{ service_version }}"
+ force: true
 become: true
 become_user: "{{ service_user }}"
diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml
new file mode 100644
index 0000000..a619b94
--- /dev/null
+++ b/roles/unbound/handlers/main.yml
@@ -0,0 +1,7 @@
+- name: restart unbound
+ systemd:
+ state: restarted
+ name: unbound
+
+- name: read unbound apparmor config
+ command: apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
new file mode 100644
index 0000000..ff45ec1
--- /dev/null
+++ b/roles/unbound/tasks/main.yml
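Review bot: The four `{% if %}`/`{% for %}` blocks differ only in the site name, and the loop variable `uri` actually holds an inventory hostname; one outer loop over the site list removes the copy-paste and makes adding a site a one-word change. `groups['ldap_replica_gs']` raises an undefined-variable error when a site has no such inventory group, which is the right failure mode but deserves a comment. The template no longer reads `ldap_local_replica_uri`, so any group_vars that still define it are dead and should go in the same change. `uri ldap://{{ uri }}` is plain LDAP; the `tls_cacertfile` context in the next hunk suggests STARTTLS is configured elsewhere in the file, but confirm `ssl start_tls` applies to these replica URIs as well as to `ldap_master_uri`.
```jinja
{% for site in ['fleming', 'pacaterie', 'edc', 'gs'] %}
{% if (site ~ '_vm') in group_names or (site ~ '_pve') in group_names %}
{% for host in groups['ldap_replica_' ~ site] %}
uri ldap://{{ host }}
{% endfor %}
{% endif %}
{% endfor %}
uri {{ ldap_master_uri }}
```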
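Review bot: `force: true` makes the git module discard local modifications under `{{ service_homedir }}/{{ service_name }}` on every run, and nothing in the task says so; add a comment above it such as `# force: the checkout must track service_version exactly; local edits on the host are discarded` so the data-loss behaviour reads as deliberate. It does not remove untracked files, so generated output kept inside the checkout survives, which should also be stated if anything relies on it. The enclosing task starts outside the hunk.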
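Review bot: Ansible runs notified handlers in the order they are listed in this file, not in notification order, so `restart unbound` fires before `read unbound apparmor config`; on a first run unbound is restarted while the AppArmor profile still lacks the `/var/log/unbound/unbound.log rw,` rule added in this commit and may fail to open its logfile. Listing the `apparmor_parser` handler first fixes the ordering, and a comment on it should say why the order matters. `apparmor_parser -r` also fails hard on a host without AppArmor, so either guard it with a `when` on the profile path or document that the role requires AppArmor.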
@@ -0,0 +1,62 @@
+---
+
+# This is used to let unbound bind to the right IP addresses.
+- name: set dns_host_suffix (main)
+ set_fact:
+ dns_host_suffix: "{{ dns_host_suffix_main }}"
+ when: "'rdns_main' in group_names"
+
+- name: set dns_host_suffix (backup)
+ set_fact:
+ dns_host_suffix: "{{ dns_host_suffix_backup }}"
+ when: "'rdns_backup' in group_names"
+
+
+- name: install unbound
+ apt:
+ update_cache: true
+ name: unbound
+ state: present
+ register: unbound_install
+
+- name: add unbound-control configuration
+ template:
+ src: unbound-control.conf.j2
+ dest: /etc/unbound/unbound.conf.d/unbound-control.conf
+ mode: 0644
+ notify: restart unbound
+
+- name: setup main unbound config file
+ template:
+ src: unbound.conf.j2
+ dest: /etc/unbound/unbound.conf
+ mode: 0644
+ notify: restart unbound
+
+- name: ensure unbound log directory exists
+ file:
+ path: /var/log/unbound
+ state: directory
+ mode: '0755'
+ owner: unbound
+ group: unbound
+
+- name: ask apparmor to allow unbound to write to log file
+ template:
+ src: unbound-apparmor-config
+ dest: /etc/apparmor.d/local/usr.sbin.unbound
+ mode: '0644'
+ notify: read unbound apparmor config
+
+- name: setup unbound log rotation
+ template:
+ src: unbound-logrotate.j2
+ dest: /etc/logrotate.d/unbound
+ mode: 0644
+
+- name: setup recursive DNS server config
+ template:
+ src: recursive.conf.j2
+ dest: /etc/unbound/unbound.conf.d/recursive.conf
+ mode: 0644
+ notify: restart unbound
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
new file mode 100644
index 0000000..62c93be
--- /dev/null
+++ b/roles/unbound/templates/recursive.conf.j2
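Review bot: `mode: 0644` on the four template tasks is an unquoted YAML 1.1 octal integer while the `file` and apparmor tasks use the quoted `'0755'`/`'0644'` form; the unquoted spelling only works because Ansible accepts an integer mode and is what ansible-lint flags, so use quoted strings throughout. `register: unbound_install` is not read anywhere in the hunk and should be dropped. The two `set_fact` tasks leave `dns_host_suffix` undefined for a host in neither `rdns_main` nor `rdns_backup`, which only surfaces when recursive.conf.j2 is rendered; extend the comment above them to state that contract, or add an `assert` that `dns_host_suffix is defined` before the template tasks.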
@@ -0,0 +1,48 @@
+# {{ ansible_managed }}
+
+server:
+ # Timestamps use UTC ASCII instead of UNIX epoch.
+ log-time-ascii: yes
+
+ # Only log errors.
+ verbosity: 0
+ log-servfail: yes
+
+ logfile: "/var/log/unbound/unbound.log"
+
+ do-ip4: yes
+ # FIXME: IPv6 deployment... someday...
+ do-ip6: no
+
+ # IP addresses on which to listen.
+ interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
+ interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
+ interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
+
+
+ # By default, anything other than localhost is refused.
+ # Whitelist some subnets:
+ access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
+ access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
+ access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
+
+ num-threads: {{ ansible_processor_vcpus }}
+
+ private-address: 10.0.0.0/8
+
+ # The host cache TTL affects blacklisting of supposedly bogus hosts.
+ # The default was 900 (15 minutes).
+ infra-host-ttl: 60
+
+
+ # The following is vital, we were having issues
+ # with DNSSEC that turned out to be due to UDP responses that were too
+ # large.
+
+ # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
+ # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
+ edns-buffer-size: {{ mtu }}
+
+ # Maximum UDP response size (not applied to TCP response).
+ # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
+ max-udp-size: {{ mtu }}
diff --git a/roles/unbound/templates/unbound-apparmor-config b/roles/unbound/templates/unbound-apparmor-config
new file mode 100644
index 0000000..f40ee05
--- /dev/null
+++ b/roles/unbound/templates/unbound-apparmor-config
@@ -0,0 +1 @@
+/var/log/unbound/unbound.log rw,
diff --git a/roles/unbound/templates/unbound-control.conf.j2 b/roles/unbound/templates/unbound-control.conf.j2
new file mode 100644
index 0000000..a3ba77a
--- /dev/null
+++ b/roles/unbound/templates/unbound-control.conf.j2
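Review bot: `private-address: 10.0.0.0/8` makes unbound strip 10.x addresses from answers (rebinding protection) unless the owning zone is listed under `private-domain:`; the dhcpd template in this commit hands clients domain names under auro.re, and if any of those names resolve to 10/8 addresses they will come back empty through this resolver, so add `private-domain: "auro.re"` (or whichever internal zones apply) and confirm which names are expected to resolve here. The resolver is reachable from all three client /16 networks, yet the usual hardening directives are absent; `hide-identity: yes`, `hide-version: yes` and `qname-minimisation: yes` cost nothing in this deployment. `max-udp-size: {{ mtu }}` ties the response-size cap to the link MTU, a different quantity from the EDNS buffer size; the comment above it should say why both are driven by `mtu`.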
@@ -0,0 +1,15 @@
+remote-control:
+ # Enable remote control with unbound-control(8) here.
+ # set up the keys and certificates with unbound-control-setup.
+ control-enable: yes
+
+ # what interfaces are listened to for remote control.
+ # give 0.0.0.0 and ::0 to listen to all interfaces.
+ control-interface: 127.0.0.1
+
+ # port number for remote control operations.
+ control-port: 8953
+
+ # Disable the use of certificates for unbound-control.
+ # It's only listening locally, there's no need for the added complexity.
+ control-use-cert: "no"
diff --git a/roles/unbound/templates/unbound-logrotate.j2 b/roles/unbound/templates/unbound-logrotate.j2
new file mode 100644
index 0000000..d57e83e
--- /dev/null
+++ b/roles/unbound/templates/unbound-logrotate.j2
@@ -0,0 +1,13 @@
+/var/log/unbound/*.log {
+ daily
+ rotate 30
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ create 644
+ postrotate
+ /usr/local/sbin/unbound-control log_reopen
+ endscript
+}
diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2
new file mode 100644
index 0000000..ee9a1cf
--- /dev/null
+++ b/roles/unbound/templates/unbound.conf.j2
@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+#
+# Unbound configuration file for Debian.
+#
+# See the unbound.conf(5) man page.
+#
+# See /usr/share/doc/unbound/examples/unbound.conf for a commented
+# reference config file.
+#
+# The following line includes additional configuration files from the
+# /etc/unbound/unbound.conf.d directory.
+include: "/etc/unbound/unbound.conf.d/*.conf"
diff --git a/ssh-blacklist.txt b/ssh-blacklist.txt
new file mode 100644
index 0000000..248f525
--- /dev/null
+++ b/ssh-blacklist.txt
@@ -0,0 +1,4 @@
+ldap-replica-edc-backup.adm.auro.re
+ldap-replica-fleming-backup.adm.auro.re
+ldap-replica-gs.adm.auro.re
+ldap-replica-gs-backup.adm.auro.re
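Review bot: With `control-use-cert: "no"` and `control-interface: 127.0.0.1`, any local account can connect to TCP 8953 and issue `unbound-control` commands (flush, reload, verbosity, cache dumps); the comment equates "listening locally" with "trusted", which is not the case on a shared host. If the installed unbound accepts a socket path here, `control-interface: /run/unbound.ctl` keeps the no-certificate convenience while limiting callers through filesystem permissions; otherwise keep certificates and let `unbound-control-setup` generate them, and reword the comment accordingly. The logrotate file in this commit calls `/usr/local/sbin/unbound-control`, but nothing in the commit installs a binary at that path and Debian's package ships it under /usr/sbin, so confirm the path or every rotation's postrotate step will fail.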