From a03c775dbdbfd160bfcc7c2a4e5616a6034cf92a Mon Sep 17 00:00:00 2001 From: fpoutre Date: Sun, 1 Sep 2019 13:27:58 +0200 Subject: [PATCH 01/48] =?UTF-8?q?ajout=20des=20vm=20de=20DS=20et=20d'EdC,?= =?UTF-8?q?=20ajout=20de=20qqes=20h=C3=B4tes?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- hosts | 9 +++++-- proxmox.yml | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 83 insertions(+), 2 deletions(-) diff --git a/hosts b/hosts index 3c93b45..8aa1bbb 100644 --- a/hosts +++ b/hosts @@ -42,6 +42,7 @@ dns-fleming.adm.auro.re prometheus-fleming.adm.auro.re radius-fleming.adm.auro.re unifi-fleming.adm.auro.re +10.128.1.240 [pacaterie_pve] mordred.adm.auro.re @@ -55,10 +56,13 @@ radius-pacaterie.adm.auro.re unifi-pacaterie.adm.auro.re [edc_pve] -leodagan.adm.auro.re +10.128.4.1 + +[edc_vm] +10.128.4.240 [georgesand_pve] -merlin.adm.auro.re +10.128.5.2 # everything at ovh [ovh:children] @@ -83,6 +87,7 @@ pacaterie_vm # everything at edc [edc:children] edc_pve +edc_vm # everything at georgesand [georgesand:children] diff --git a/proxmox.yml b/proxmox.yml index 15914d4..f0ed543 100644 --- a/proxmox.yml +++ b/proxmox.yml 
@@ -82,6 +82,82 @@ disksize: 16 # G installiso: debian-9.9.0-amd64-netinst.iso + # Réseau EdC + - name: ldap-replica-edc1 + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dhcp-edc + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dns-edc + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: prometheus-edc + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: radius-edc + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: unifi-edc + virtu: chapalux + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-9.9.0-amd64-netinst.iso + + # Réseau George Sand + - name: ldap-replica-gs1 + virtu: perceval + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dhcp-gs + virtu: perceval + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: dns-gs + virtu: perceval + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: prometheus-gs + virtu: perceval + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: radius-fleming + virtu: freya + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: debian-10.0.0-amd64-netinst.iso + - name: unifi-gs + virtu: freya + cores: 2 # 2 mimimum, 10 maximum + memory: 1024 # M + disksize: 16 # G + installiso: 
debian-9.9.0-amd64-netinst.iso + vars_prompt: - name: "password" prompt: "Enter LDAP password for your user" From 203815c429b732cb2d9ed82d82de048f37524d10 Mon Sep 17 00:00:00 2001 From: fpoutre Date: Sun, 1 Sep 2019 21:53:51 +0200 Subject: [PATCH 02/48] modified hosts and network playbook --- hosts | 82 ++++++++++++++++++++++++++++++----------------------- network.yml | 2 +- proxmox.yml | 6 ++-- 3 files changed, 50 insertions(+), 40 deletions(-) diff --git a/hosts b/hosts index 8aa1bbb..0ed4896 100644 --- a/hosts +++ b/hosts 
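Review bot: The comment `# 2 mimimum, 10 maximum` is pasted with its typo into all twelve new entries, and the two `unifi-*` VMs are alone in pinning `debian-9.9.0-amd64-netinst.iso` while every sibling entry uses 10.0.0, with nothing saying why. If the older image is deliberate (a UniFi controller dependency, presumably), record it once on those lines, e.g. `installiso: debian-9.9.0-amd64-netinst.iso  # UniFi controller: stretch image on purpose — TODO confirm`, and fix the typo to `# 2 minimum, 10 maximum` so the next copy-paste carries the right text. The VM list these entries extend begins above the hunk.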
@@ -6,63 +6,72 @@ # > Then we regroup everything in global geographic and type groups. [ovh_pve] -horus.adm.auro.re +#horus.adm.auro.re [ovh_container] -synapse.adm.auro.re -services-bdd.adm.auro.re -phabricator.adm.auro.re -wiki.adm.auro.re -www.adm.auro.re -proxy.adm.auro.re -matrix-services.adm.auro.re +#synapse.adm.auro.re +#services-bdd.adm.auro.re +#phabricator.adm.auro.re +#wiki.adm.auro.re +#www.adm.auro.re +#proxy.adm.auro.re +#matrix-services.adm.auro.re [ovh_vm] -re2o-server.adm.auro.re -re2o-ldap.adm.auro.re -re2o-db.adm.auro.re -serge.adm.auro.re -passbolt.adm.auro.re -vpn-ovh.adm.auro.re -docker-ovh.adm.auro.re -switchs-manager.adm.auro.re +#re2o-server.adm.auro.re +#re2o-ldap.adm.auro.re +#re2o-db.adm.auro.re +#serge.adm.auro.re +#passbolt.adm.auro.re +#vpn-ovh.adm.auro.re +#docker-ovh.adm.auro.re +#switchs-manager.adm.auro.re [ovh_testing_vm] -re2o-test.adm.auro.re +#re2o-test.adm.auro.re [fleming_pve] -freya.adm.auro.re -#odin.adm.auro.re +#freya.adm.auro.re [fleming_vm] -ldap-replica-fleming1.adm.auro.re +#ldap-replica-fleming1.adm.auro.re #ldap-replica-fleming2.adm.auro.re -dhcp-fleming.adm.auro.re -dns-fleming.adm.auro.re -prometheus-fleming.adm.auro.re -radius-fleming.adm.auro.re -unifi-fleming.adm.auro.re -10.128.1.240 +#dhcp-fleming.adm.auro.re +#dns-fleming.adm.auro.re +#prometheus-fleming.adm.auro.re +#radius-fleming.adm.auro.re +#unifi-fleming.adm.auro.re +#routeur-fleming.adm.auro.re [pacaterie_pve] -mordred.adm.auro.re +#mordred.adm.auro.re [pacaterie_vm] -ldap-replica-pacaterie.adm.auro.re -dhcp-pacaterie.adm.auro.re -dns-pacaterie.adm.auro.re -prometheus-pacaterie.adm.auro.re -radius-pacaterie.adm.auro.re -unifi-pacaterie.adm.auro.re +#ldap-replica-pacaterie.adm.auro.re +#dhcp-pacaterie.adm.auro.re +#dns-pacaterie.adm.auro.re +#prometheus-pacaterie.adm.auro.re +#radius-pacaterie.adm.auro.re +#unifi-pacaterie.adm.auro.re +#routeur-pacaterie.adm.auro.re [edc_pve] -10.128.4.1 +#chapalux.adm.auro.re [edc_vm] -10.128.4.240 
+#routeur-edc.adm.auro.re +#dns-edc.adm.auro.re +#dhcp-edc.adm.auro.re [georgesand_pve] -10.128.5.2 +#perceval.adm.auro.re + +[georgesand_vm] +#routeur-gs.adm.auro.re +#unifi-gs.adm.auro.re +#radius-gs.adm.auro.re +dns-gs.adm.auro.re +dhcp-gs.adm.auro.re # everything at ovh [ovh:children] @@ -92,6 +101,7 @@ edc_vm # everything at georgesand [georgesand:children] georgesand_pve +georgesand_vm # every LXC container [container:children] diff --git a/network.yml b/network.yml index cdff053..9137778 100644 --- a/network.yml +++ b/network.yml @@ -1,6 +1,6 @@ --- # Deploy DHCP -- hosts: dhcp-fleming.adm.auro.re,dhcp-pacaterie.adm.auro.re +- hosts: dhcp-fleming.adm.auro.re,dhcp-pacaterie.adm.auro.re,dhcp-gs.adm.auro.re vars: service_repo: https://gitlab.federez.net/re2o/dhcp.git service_name: dhcp diff --git a/proxmox.yml b/proxmox.yml index f0ed543..fb51466 100644 --- a/proxmox.yml +++ b/proxmox.yml @@ -145,14 +145,14 @@ memory: 1024 # M disksize: 16 # G installiso: debian-10.0.0-amd64-netinst.iso - - name: radius-fleming - virtu: freya + - name: radius-gs + virtu: perceval cores: 2 # 2 mimimum, 10 maximum memory: 1024 # M disksize: 16 # G installiso: debian-10.0.0-amd64-netinst.iso - name: unifi-gs - virtu: freya + virtu: perceval cores: 2 # 2 mimimum, 10 maximum memory: 1024 # M disksize: 16 # G From d9f2d06c44981da39122efb2aaef6b1e6057f106 Mon Sep 17 00:00:00 2001 From: fpoutre Date: Sat, 15 Feb 2020 21:33:57 +0100 Subject: [PATCH 03/48] added aurore's hosts --- ansible.cfg | 1 + hosts | 51 ++++++++++++++++---- hosts.save | 131 ++++++++++++++++++++++++++++++++++++++++++++++++++++ network.yml | 32 ++++++------- 4 files changed, 191 insertions(+), 24 deletions(-) create mode 100644 hosts.save diff --git a/ansible.cfg b/ansible.cfg index 8d528bd..960e6df 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -33,3 +33,4 @@ become_ask_pass = True # TO know what changed always = yes +scp_if_ssh = True diff --git a/hosts b/hosts index 0ed4896..eb4e03a 100644 --- a/hosts +++ b/hosts 
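Review bot: Commenting out every production host in `hosts` so that a play only reaches `dns-gs`/`dhcp-gs` turns the inventory into the run's target selector, and later patches in this series flip the same lines back and forth; a half-commented inventory is easy to deploy against by mistake. Keep every managed host listed and restrict a run with `ansible-playbook --limit dns-gs.adm.auro.re,dhcp-gs.adm.auro.re network.yml` (or `--limit georgesand_vm`) instead. If some hosts genuinely do not exist yet, a `# not built yet` comment next to them says more than a bare `#`.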
@@ -5,6 +5,12 @@ # > So all containers at OVH are in ovh-container. # > Then we regroup everything in global geographic and type groups. +[aurore_pve] +merlin.adm.auro.re + +[aurore_vm] +#radius-aurore.adm.auro.re + [ovh_pve] #horus.adm.auro.re @@ -26,6 +32,7 @@ #vpn-ovh.adm.auro.re #docker-ovh.adm.auro.re #switchs-manager.adm.auro.re +#radius-aurore.adm.auro.re [ovh_testing_vm] #re2o-test.adm.auro.re @@ -37,11 +44,15 @@ #ldap-replica-fleming1.adm.auro.re #ldap-replica-fleming2.adm.auro.re #dhcp-fleming.adm.auro.re +#dhcp-fleming-backup.adm.auro.re #dns-fleming.adm.auro.re +#dns-fleming-backup.adm.auro.re #prometheus-fleming.adm.auro.re #radius-fleming.adm.auro.re +#radius-fleming-backup.adm.auro.re #unifi-fleming.adm.auro.re #routeur-fleming.adm.auro.re +#routeur-fleming-backup.adm.auro.re [pacaterie_pve] #mordred.adm.auro.re @@ -49,11 +60,15 @@ [pacaterie_vm] #ldap-replica-pacaterie.adm.auro.re #dhcp-pacaterie.adm.auro.re +#dhcp-pacaterie-backup.adm.auro.re #dns-pacaterie.adm.auro.re +#dns-pacaterie-backup.adm.auro.re #prometheus-pacaterie.adm.auro.re #radius-pacaterie.adm.auro.re +#radius-pacaterie-backup.adm.auro.re #unifi-pacaterie.adm.auro.re #routeur-pacaterie.adm.auro.re +#routeur-pacaterie-backup.adm.auro.re [edc_pve] #chapalux.adm.auro.re @@ -62,16 +77,19 @@ #routeur-edc.adm.auro.re #dns-edc.adm.auro.re #dhcp-edc.adm.auro.re +#unifi-edc.adm.auro.re +#radius-edc.adm.auro.re +#routeur-aurore.adm.auro.re -[georgesand_pve] +[gs_pve] #perceval.adm.auro.re -[georgesand_vm] +[gs_vm] #routeur-gs.adm.auro.re #unifi-gs.adm.auro.re #radius-gs.adm.auro.re -dns-gs.adm.auro.re -dhcp-gs.adm.auro.re +#dns-gs.adm.auro.re +#dhcp-gs.adm.auro.re # everything at ovh [ovh:children] @@ -99,9 +117,9 @@ edc_pve edc_vm # everything at georgesand -[georgesand:children] -georgesand_pve -georgesand_vm +[gs:children] +gs_pve +gs_vm # every LXC container [container:children] @@ -112,6 +130,7 @@ ovh_container ovh_vm fleming_vm pacaterie_vm +gs_vm # every PVE [pve:children] 
@@ -119,4 +138,20 @@ ovh_pve fleming_pve pacaterie_pve edc_pve -georgesand_pve +gs_pve + +[dhcp] +#dhcp-fleming.adm.auro.re +#dhcp-fleming-backup.adm.auro.re +#dhcp-pacaterie.adm.auro.re +#dhcp-pacaterie-backup.adm.auro.re +#dhcp-edc.adm.auro.re +#dhcp-gs.adm.auro.re + +[dns] +#dns-fleming.adm.auro.re +#dns-fleming-backup.adm.auro.re +#dns-pacaterie.adm.auro.re +#dns-pacaterie-backup.adm.auro.re +#dns-edc.adm.auro.re +#dns-gs.adm.auro.re diff --git a/hosts.save b/hosts.save new file mode 100644 index 0000000..c806780 --- /dev/null +++ b/hosts.save 
@@ -0,0 +1,131 @@ +# Aurore servers inventory + +# How to name your server ? +# > We name servers according to location, then type. +# > So all containers at OVH are in ovh-container. +# > Then we regroup everything in global geographic and type groups. + +[ovh_pve] +#horus.adm.auro.re + +[ovh_container] +#synapse.adm.auro.re +#services-bdd.adm.auro.re +#phabricator.adm.auro.re +#wiki.adm.auro.re +#www.adm.auro.re +#proxy.adm.auro.re +#matrix-services.adm.auro.re + +[ovh_vm] +#re2o-server.adm.auro.re +#re2o-ldap.adm.auro.re +#re2o-db.adm.auro.re +#serge.adm.auro.re +#passbolt.adm.auro.re +#vpn-ovh.adm.auro.re +#docker-ovh.adm.auro.re +#switchs-manager.adm.auro.re +#radius-aurore.adm.auro.re + +[ovh_testing_vm] +#re2o-test.adm.auro.re + +[fleming_pve] +#freya.adm.auro.re + +[fleming_vm] +#ldap-replica-fleming1.adm.auro.re +#ldap-replica-fleming2.adm.auro.re +#dhcp-fleming.adm.auro.re +#dhcp-fleming-backup.adm.auro.re +#dns-fleming.adm.auro.re +#dns-fleming-backup.adm.auro.re +#radius-fleming.adm.auro.re +#radius-fleming-backup.adm.auro.re +#routeur-fleming.adm.auro.re +#routeur-fleming-backup.adm.auro.re +#unifi-fleming.adm.auro.re +#prometheus + +[pacaterie_pve] +#mordred.adm.auro.re + +[pacaterie_vm] +#ldap-replica-pacaterie.adm.auro.re +#dhcp-pacaterie.adm.auro.re +#dns-pacaterie.adm.auro.re +#prometheus-pacaterie.adm.auro.re +#radius-pacaterie.adm.auro.re +#unifi-pacaterie.adm.auro.re +#routeur-pacaterie.adm.auro.re + +[edc_pve] +#chapalux.adm.auro.re + +[edc_vm] +#routeur-edc.adm.auro.re +#dns-edc.adm.auro.re +#dhcp-edc.adm.auro.re +#unifi-edc.adm.auro.re +#radius-edc.adm.auro.re +#routeur-aurore.adm.auro.re +#10.128.0.254 + +[georgesand_pve] +#perceval.adm.auro.re + +[georgesand_vm] +#routeur-gs.adm.auro.re +#unifi-gs.adm.auro.re +#radius-gs.adm.auro.re +#dns-gs.adm.auro.re +#dhcp-gs.adm.auro.re + +# everything at ovh +[ovh:children] +ovh_pve +ovh_container +ovh_vm + +# everything at ovh_testing +[ovh_testing:children] +ovh_testing_vm + +# everything at 
fleming +[fleming:children] +fleming_pve +fleming_vm + +# everything at pacaterie +[pacaterie:children] +pacaterie_pve +pacaterie_vm + +# everything at edc +[edc:children] +edc_pve +edc_vm + +# everything at georgesand +[georgesand:children] +georgesand_pve +georgesand_vm + +# every LXC container +[container:children] +ovh_container + +# every virtual machine +[vm:children] +ovh_vm +fleming_vm +pacaterie_vm + +# every PVE +[pve:children] +ovh_pve +fleming_pve +pacaterie_pve +edc_pve +georgesand_pve diff --git a/network.yml b/network.yml index 9137778..0b5e51b 100644 --- a/network.yml +++ b/network.yml @@ -1,6 +1,6 @@ --- # Deploy DHCP -- hosts: dhcp-fleming.adm.auro.re,dhcp-pacaterie.adm.auro.re,dhcp-gs.adm.auro.re +- hosts: dhcp vars: service_repo: https://gitlab.federez.net/re2o/dhcp.git service_name: dhcp @@ -16,7 +16,7 @@ - isc-dhcp-server # Deploy DNS -- hosts: serge.adm.auro.re +- hosts: dns vars: service_repo: https://gitlab.crans.org/nounous/re2o-dns.git service_name: dns @@ -29,19 +29,19 @@ - re2o-service # Deploy Unifi Controller -- hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re - roles: - - unifi-controller +#- hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re +# roles: +# - unifi-controller # Deploy Re2o switch service -- hosts: switchs-manager.adm.auro.re - vars: - service_repo: https://gitlab.federez.net/re2o/switchs.git - service_name: switchs - service_version: master - service_config: - hostname: re2o-server.adm.auro.re - username: service-user - password: "{{ vault_serviceuser_passwd }}" - roles: - - re2o-service +#- hosts: switchs-manager.adm.auro.re +# vars: +# service_repo: https://gitlab.federez.net/re2o/switchs.git +# service_name: switchs +# service_version: master +# service_config: +# hostname: re2o-server.adm.auro.re +# username: service-user +# password: "{{ vault_serviceuser_passwd }}" +# roles: +# - re2o-service From 08fcf49e626c4d0b03573fe1c8b101a7af053cc5 Mon Sep 17 00:00:00 2001 
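Review bot: `hosts.save` is an editor/backup copy of the inventory, not something the playbooks read, and committing it means two inventories that will drift; it already differs from `hosts` in this same patch (`[fleming_vm]` here lacks `prometheus-fleming` and carries a stray `#prometheus`, and `[edc_vm]` carries a bare `#10.128.0.254`). Drop the file and add `hosts.save*` to `.gitignore` so the next `hosts.save.1` does not land either.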
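Review bot: `- hosts: dhcp` and `- hosts: dns` now target inventory groups whose members are all commented out in the `hosts` file of this same patch (`[dhcp]` and `[dns]` at the end of the hosts hunk), so both plays match no host and Ansible skips them with a warning rather than failing. If the groups are meant to stay empty until the VMs exist, say so in the play, e.g. `# [dhcp]/[dns] are populated in hosts once the VMs are built`; otherwise un-comment the members. The `unifi-controller` and `switchs` plays are commented out rather than deleted, which keeps a dead `vault_serviceuser_passwd` reference in the file; git history already preserves them, so removing them outright is cleaner.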
From: fpoutre Date: Thu, 20 Feb 2020 16:23:10 +0100 Subject: [PATCH 04/48] modified mainly hosts to match new servers and vms --- hosts | 141 ++++++++++++++++++++++++++++++---------------------------- 1 file changed, 72 insertions(+), 69 deletions(-) diff --git a/hosts b/hosts index eb4e03a..c88b606 100644 --- a/hosts +++ b/hosts 
@@ -9,87 +9,90 @@ merlin.adm.auro.re [aurore_vm] -#radius-aurore.adm.auro.re +radius-aurore.adm.auro.re [ovh_pve] -#horus.adm.auro.re +horus.adm.auro.re [ovh_container] -#synapse.adm.auro.re -#services-bdd.adm.auro.re -#phabricator.adm.auro.re -#wiki.adm.auro.re -#www.adm.auro.re -#proxy.adm.auro.re -#matrix-services.adm.auro.re +synapse.adm.auro.re +services-bdd.adm.auro.re +phabricator.adm.auro.re +wiki.adm.auro.re +www.adm.auro.re +proxy.adm.auro.re +matrix-services.adm.auro.re [ovh_vm] -#re2o-server.adm.auro.re -#re2o-ldap.adm.auro.re -#re2o-db.adm.auro.re -#serge.adm.auro.re -#passbolt.adm.auro.re -#vpn-ovh.adm.auro.re -#docker-ovh.adm.auro.re -#switchs-manager.adm.auro.re -#radius-aurore.adm.auro.re +re2o-server.adm.auro.re +re2o-ldap.adm.auro.re +re2o-db.adm.auro.re +serge.adm.auro.re +passbolt.adm.auro.re +vpn-ovh.adm.auro.re +docker-ovh.adm.auro.re +switchs-manager.adm.auro.re +radius-aurore.adm.auro.re [ovh_testing_vm] -#re2o-test.adm.auro.re +re2o-test.adm.auro.re [fleming_pve] -#freya.adm.auro.re +freya.adm.auro.re +marki.adm.auro.re [fleming_vm] -#ldap-replica-fleming1.adm.auro.re -#ldap-replica-fleming2.adm.auro.re -#dhcp-fleming.adm.auro.re -#dhcp-fleming-backup.adm.auro.re -#dns-fleming.adm.auro.re -#dns-fleming-backup.adm.auro.re -#prometheus-fleming.adm.auro.re -#radius-fleming.adm.auro.re -#radius-fleming-backup.adm.auro.re -#unifi-fleming.adm.auro.re -#routeur-fleming.adm.auro.re -#routeur-fleming-backup.adm.auro.re +ldap-replica-fleming1.adm.auro.re +ldap-replica-fleming2.adm.auro.re +dhcp-fleming.adm.auro.re +dhcp-fleming-backup.adm.auro.re +dns-fleming.adm.auro.re +dns-fleming-backup.adm.auro.re +prometheus-fleming.adm.auro.re +radius-fleming.adm.auro.re +radius-fleming-backup.adm.auro.re +unifi-fleming.adm.auro.re +routeur-fleming.adm.auro.re +routeur-fleming-backup.adm.auro.re [pacaterie_pve] -#mordred.adm.auro.re +mordred.adm.auro.re +titan.adm.auro.re [pacaterie_vm] -#ldap-replica-pacaterie.adm.auro.re -#dhcp-pacaterie.adm.auro.re 
-#dhcp-pacaterie-backup.adm.auro.re -#dns-pacaterie.adm.auro.re -#dns-pacaterie-backup.adm.auro.re -#prometheus-pacaterie.adm.auro.re -#radius-pacaterie.adm.auro.re -#radius-pacaterie-backup.adm.auro.re -#unifi-pacaterie.adm.auro.re -#routeur-pacaterie.adm.auro.re -#routeur-pacaterie-backup.adm.auro.re +ldap-replica-pacaterie.adm.auro.re +ldap-replica-pacaterie-backup.adm.auro.re +dhcp-pacaterie.adm.auro.re +dhcp-pacaterie-backup.adm.auro.re +dns-pacaterie.adm.auro.re +dns-pacaterie-backup.adm.auro.re +prometheus-pacaterie.adm.auro.re +radius-pacaterie.adm.auro.re +radius-pacaterie-backup.adm.auro.re +unifi-pacaterie.adm.auro.re +routeur-pacaterie.adm.auro.re +routeur-pacaterie-backup.adm.auro.re [edc_pve] -#chapalux.adm.auro.re +chapalux.adm.auro.re [edc_vm] -#routeur-edc.adm.auro.re -#dns-edc.adm.auro.re -#dhcp-edc.adm.auro.re -#unifi-edc.adm.auro.re -#radius-edc.adm.auro.re -#routeur-aurore.adm.auro.re +routeur-edc.adm.auro.re +dns-edc.adm.auro.re +dhcp-edc.adm.auro.re +unifi-edc.adm.auro.re +radius-edc.adm.auro.re +routeur-aurore.adm.auro.re [gs_pve] -#perceval.adm.auro.re +perceval.adm.auro.re [gs_vm] -#routeur-gs.adm.auro.re -#unifi-gs.adm.auro.re -#radius-gs.adm.auro.re -#dns-gs.adm.auro.re -#dhcp-gs.adm.auro.re +routeur-gs.adm.auro.re +unifi-gs.adm.auro.re +radius-gs.adm.auro.re +dns-gs.adm.auro.re +dhcp-gs.adm.auro.re # everything at ovh [ovh:children] 
@@ -141,17 +144,17 @@ edc_pve gs_pve [dhcp] -#dhcp-fleming.adm.auro.re -#dhcp-fleming-backup.adm.auro.re -#dhcp-pacaterie.adm.auro.re -#dhcp-pacaterie-backup.adm.auro.re -#dhcp-edc.adm.auro.re -#dhcp-gs.adm.auro.re +dhcp-fleming.adm.auro.re +dhcp-fleming-backup.adm.auro.re +dhcp-pacaterie.adm.auro.re +dhcp-pacaterie-backup.adm.auro.re +dhcp-edc.adm.auro.re +dhcp-gs.adm.auro.re [dns] -#dns-fleming.adm.auro.re -#dns-fleming-backup.adm.auro.re -#dns-pacaterie.adm.auro.re -#dns-pacaterie-backup.adm.auro.re -#dns-edc.adm.auro.re -#dns-gs.adm.auro.re +dns-fleming.adm.auro.re +dns-fleming-backup.adm.auro.re +dns-pacaterie.adm.auro.re +dns-pacaterie-backup.adm.auro.re +dns-edc.adm.auro.re +dns-gs.adm.auro.re From 73a22ba77ff9d2682a845ac99a84431770f75f04 Mon Sep 17 00:00:00 2001 From: fpoutre Date: Thu, 20 Feb 2020 16:51:56 +0100 Subject: [PATCH 05/48] added group ldap-replica to hosts --- hosts | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hosts b/hosts index c88b606..948c917 100644 --- a/hosts +++ b/hosts @@ -158,3 +158,9 @@ dns-pacaterie.adm.auro.re dns-pacaterie-backup.adm.auro.re dns-edc.adm.auro.re dns-gs.adm.auro.re + +[ldap-replica] +ldap-replica-fleming.adm.auro.re +ldap-replica-fleming-backup.adm.auro.re +ldap-replica-pacaterie.adm.auro.re +ldap-replica-pacaterie-backup.adm.auro.re From 3a399bd04cfd13d11c09e019d9edc8032701056f Mon Sep 17 00:00:00 2001 From: fpoutre Date: Thu, 20 Feb 2020 18:42:34 +0100 Subject: [PATCH 06/48] added ldap-replica support for ldap-clients of pacaterie and fleming --- base.yml | 6 +- copy_keys_to_aurore.sh | 4 + hosts | 98 ++++++------- hosts.save.1 | 165 ++++++++++++++++++++++ roles/ldap-client/templates/nslcd.conf.j2 | 9 +- 5 files changed, 229 insertions(+), 53 deletions(-) create mode 100755 copy_keys_to_aurore.sh create mode 100644 hosts.save.1 diff --git a/base.yml b/base.yml index dc3c2dc..bafc56b 100644 --- a/base.yml +++ b/base.yml 
@@ -12,6 +12,6 @@
 # Clone LDAP on local geographic location
 # DON'T DO THIS AS IT RECREATES THE REPLICA
-# - hosts: ldap-replica
-# roles:
-# - ldap-replica
+#- hosts: ldap-replica
+# roles:
+# - ldap-replica
diff --git a/copy_keys_to_aurore.sh b/copy_keys_to_aurore.sh
new file mode 100755
index 0000000..12cf2c6
--- /dev/null
+++ b/copy_keys_to_aurore.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+for ip in `cat hosts|grep .adm.auro.re`; do
+ sshpass -v -p "6+Fwa9h2L>L6]C*y" ssh-copy-id -o StrictHostKeyChecking=no fpoutre@$ip
+done
diff --git a/hosts b/hosts
index 948c917..bdffb4d 100644
--- a/hosts
+++ b/hosts
@@ -6,44 +6,44 @@
 # > Then we regroup everything in global geographic and type groups.
 [aurore_pve]
-merlin.adm.auro.re
+#merlin.adm.auro.re
 [aurore_vm]
-radius-aurore.adm.auro.re
+#radius-aurore.adm.auro.re
 [ovh_pve]
-horus.adm.auro.re
+#horus.adm.auro.re
 [ovh_container]
-synapse.adm.auro.re
-services-bdd.adm.auro.re
-phabricator.adm.auro.re
-wiki.adm.auro.re
-www.adm.auro.re
-proxy.adm.auro.re
-matrix-services.adm.auro.re
+#synapse.adm.auro.re
+#services-bdd.adm.auro.re
+#phabricator.adm.auro.re
+#wiki.adm.auro.re
+#www.adm.auro.re
+#proxy.adm.auro.re
+#matrix-services.adm.auro.re
 [ovh_vm]
-re2o-server.adm.auro.re
-re2o-ldap.adm.auro.re
-re2o-db.adm.auro.re
-serge.adm.auro.re
-passbolt.adm.auro.re
-vpn-ovh.adm.auro.re
-docker-ovh.adm.auro.re
-switchs-manager.adm.auro.re
-radius-aurore.adm.auro.re
+#re2o-server.adm.auro.re
+#re2o-ldap.adm.auro.re
+#re2o-db.adm.auro.re
+#serge.adm.auro.re
+#passbolt.adm.auro.re
+#vpn-ovh.adm.auro.re
+#docker-ovh.adm.auro.re
+#switchs-manager.adm.auro.re
+#radius-aurore.adm.auro.re
 [ovh_testing_vm]
-re2o-test.adm.auro.re
+#re2o-test.adm.auro.re
 [fleming_pve]
 freya.adm.auro.re
 marki.adm.auro.re
 [fleming_vm]
-ldap-replica-fleming1.adm.auro.re
-ldap-replica-fleming2.adm.auro.re
+ldap-replica-fleming.adm.auro.re
+ldap-replica-fleming-backup.adm.auro.re
 dhcp-fleming.adm.auro.re
 dhcp-fleming-backup.adm.auro.re
 dns-fleming.adm.auro.re
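Review bot: `copy_keys_to_aurore.sh` commits a plaintext account password on the `sshpass -v -p "6+Fwa9h2L>L6]C*y"` line; patch 07 deletes the file again, but the secret stays in every clone's history and in this patch e-mail, so it must be rotated now and the commit purged (git filter-repo or BFG) before the branch is shared further. The loop is also fragile: `cat hosts|grep .adm.auro.re` matches the commented-out hosts too (most of `hosts` is `#`-prefixed in this very patch), `$ip` is unquoted, and `StrictHostKeyChecking=no` accepts any host key at exactly the step where a key you do not yet trust would be installed. Read the password from the environment (`sshpass -e`) so it never lands in the repo or in `ps` output, skip commented lines, and use `accept-new` so a changed key still fails:
```shell
#!/usr/bin/env bash
set -euo pipefail
# The password comes from the environment (sshpass -e reads SSHPASS); never store it here.
: "${SSHPASS:?export SSHPASS with the account password before running}"
# Only live (non-commented) admin hosts from the inventory.
while IFS= read -r host; do
  sshpass -e ssh-copy-id -o StrictHostKeyChecking=accept-new "fpoutre@${host}"
done < <(grep -E '^[^#]*\.adm\.auro\.re' hosts)
```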
@@ -74,25 +74,25 @@ routeur-pacaterie.adm.auro.re routeur-pacaterie-backup.adm.auro.re [edc_pve] -chapalux.adm.auro.re +#chapalux.adm.auro.re [edc_vm] -routeur-edc.adm.auro.re -dns-edc.adm.auro.re -dhcp-edc.adm.auro.re -unifi-edc.adm.auro.re -radius-edc.adm.auro.re -routeur-aurore.adm.auro.re +#routeur-edc.adm.auro.re +#dns-edc.adm.auro.re +#dhcp-edc.adm.auro.re +#unifi-edc.adm.auro.re +#radius-edc.adm.auro.re +#routeur-aurore.adm.auro.re [gs_pve] -perceval.adm.auro.re +#perceval.adm.auro.re [gs_vm] -routeur-gs.adm.auro.re -unifi-gs.adm.auro.re -radius-gs.adm.auro.re -dns-gs.adm.auro.re -dhcp-gs.adm.auro.re +#routeur-gs.adm.auro.re +#unifi-gs.adm.auro.re +#radius-gs.adm.auro.re +#dns-gs.adm.auro.re +#dhcp-gs.adm.auro.re # everything at ovh [ovh:children] @@ -144,23 +144,25 @@ edc_pve gs_pve [dhcp] -dhcp-fleming.adm.auro.re -dhcp-fleming-backup.adm.auro.re -dhcp-pacaterie.adm.auro.re -dhcp-pacaterie-backup.adm.auro.re -dhcp-edc.adm.auro.re -dhcp-gs.adm.auro.re +#dhcp-fleming.adm.auro.re +#dhcp-fleming-backup.adm.auro.re +#dhcp-pacaterie.adm.auro.re +#dhcp-pacaterie-backup.adm.auro.re +#dhcp-edc.adm.auro.re +#dhcp-gs.adm.auro.re [dns] -dns-fleming.adm.auro.re -dns-fleming-backup.adm.auro.re -dns-pacaterie.adm.auro.re -dns-pacaterie-backup.adm.auro.re -dns-edc.adm.auro.re -dns-gs.adm.auro.re +#dns-fleming.adm.auro.re +#dns-fleming-backup.adm.auro.re +#dns-pacaterie.adm.auro.re +#dns-pacaterie-backup.adm.auro.re +#dns-edc.adm.auro.re +#dns-gs.adm.auro.re -[ldap-replica] +[ldap_replica_fleming] ldap-replica-fleming.adm.auro.re ldap-replica-fleming-backup.adm.auro.re + +[ldap_replica_pacaterie] ldap-replica-pacaterie.adm.auro.re ldap-replica-pacaterie-backup.adm.auro.re diff --git a/hosts.save.1 b/hosts.save.1 new file mode 100644 index 0000000..db677b4 --- /dev/null +++ b/hosts.save.1 
@@ -0,0 +1,165 @@ +# Aurore servers inventory + +# How to name your server ? +# > We name servers according to location, then type. +# > So all containers at OVH are in ovh-container. +# > Then we regroup everything in global geographic and type groups. + +[aurore_pve] +merlin.adm.auro.re + +[aurore_vm] +radius-aurore.adm.auro.re + +[ovh_pve] +horus.adm.auro.re + +[ovh_container] +synapse.adm.auro.re +services-bdd.adm.auro.re +phabricator.adm.auro.re +wiki.adm.auro.re +www.adm.auro.re +proxy.adm.auro.re +matrix-services.adm.auro.re + +[ovh_vm] +re2o-server.adm.auro.re +re2o-ldap.adm.auro.re +re2o-db.adm.auro.re +serge.adm.auro.re +passbolt.adm.auro.re +vpn-ovh.adm.auro.re +docker-ovh.adm.auro.re +switchs-manager.adm.auro.re +radius-aurore.adm.auro.re + +[ovh_testing_vm] +re2o-test.adm.auro.re + +[fleming_pve] +freya.adm.auro.re +marki.adm.auro.re + +[fleming_vm] +ldap-replica-fleming.adm.auro.re +ldap-replica-fleming-backup.adm.auro.re +dhcp-fleming.adm.auro.re +dhcp-fleming-backup.adm.auro.re +dns-fleming.adm.auro.re +dns-fleming-backup.adm.auro.re +prometheus-fleming.adm.auro.re +radius-fleming.adm.auro.re +radius-fleming-backup.adm.auro.re +unifi-fleming.adm.auro.re +routeur-fleming.adm.auro.re +routeur-fleming-backup.adm.auro.re + +[pacaterie_pve] +mordred.adm.auro.re +titan.adm.auro.re + +[pacaterie_vm] +ldap-replica-pacaterie.adm.auro.re +ldap-replica-pacaterie-backup.adm.auro.re +dhcp-pacaterie.adm.auro.re +dhcp-pacaterie-backup.adm.auro.re +dns-pacaterie.adm.auro.re +dns-pacaterie-backup.adm.auro.re +prometheus-pacaterie.adm.auro.re +radius-pacaterie.adm.auro.re +radius-pacaterie-backup.adm.auro.re +unifi-pacaterie.adm.auro.re +routeur-pacaterie.adm.auro.re +routeur-pacaterie-backup.adm.auro.re + +[edc_pve] +chapalux.adm.auro.re + +[edc_vm] +routeur-edc.adm.auro.re +dns-edc.adm.auro.re +dhcp-edc.adm.auro.re +unifi-edc.adm.auro.re +radius-edc.adm.auro.re +routeur-aurore.adm.auro.re + +[gs_pve] +perceval.adm.auro.re + +[gs_vm] +routeur-gs.adm.auro.re 
+unifi-gs.adm.auro.re +radius-gs.adm.auro.re +dns-gs.adm.auro.re +dhcp-gs.adm.auro.re + +# everything at ovh +[ovh:children] +ovh_pve +ovh_container +ovh_vm + +# everything at ovh_testing +[ovh_testing:children] +ovh_testing_vm + +# everything at fleming +[fleming:children] +fleming_pve +fleming_vm + +# everything at pacaterie +[pacaterie:children] +pacaterie_pve +pacaterie_vm + +# everything at edc +[edc:children] +edc_pve +edc_vm + +# everything at georgesand +[gs:children] +gs_pve +gs_vm + +# every LXC container +[container:children] +ovh_container + +# every virtual machine +[vm:children] +ovh_vm +fleming_vm +pacaterie_vm +gs_vm + +# every PVE +[pve:children] +ovh_pve +fleming_pve +pacaterie_pve +edc_pve +gs_pve + +[dhcp] +dhcp-fleming.adm.auro.re +dhcp-fleming-backup.adm.auro.re +dhcp-pacaterie.adm.auro.re +dhcp-pacaterie-backup.adm.auro.re +dhcp-edc.adm.auro.re +dhcp-gs.adm.auro.re + +[dns] +dns-fleming.adm.auro.re +dns-fleming-backup.adm.auro.re +dns-pacaterie.adm.auro.re +dns-pacaterie-backup.adm.auro.re +dns-edc.adm.auro.re +dns-gs.adm.auro.re + +[ldap-replica] +ldap-replica-fleming.adm.auro.re +ldap-replica-fleming-backup.adm.auro.re +ldap-replica-pacaterie-backup.adm.auro.re diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2 index db05bdc..ab8d556 100644 --- a/roles/ldap-client/templates/nslcd.conf.j2 +++ b/roles/ldap-client/templates/nslcd.conf.j2 
@@ -5,11 +5,16 @@
 uid nslcd
 gid nslcd
 # The location at which the LDAP server(s) should be reachable.
-{% if ldap_local_replica_uri is defined %}
-{% for uri in ldap_local_replica_uri %}
+{% if 'fleming_vm' in group_names or 'fleming_pve' in group_names %}
+{% for uri in groups['ldap_replica_fleming'] %}
 uri {{ uri }}
 {% endfor %}
 {% endif %}
+{% if 'pacaterie_vm' in group_names or 'pacaterie_pve' in group_names %}
+{% for uri in groups['ldap_replica_pacaterie'] %}
+uri ldap://{{ uri }}
+{% endfor %}
+{% endif %}
 uri {{ ldap_master_uri }}
 # The search base that will be used for all queries.
From c0692c9ea804f55223ffb7c587d692c3226153ba Mon Sep 17 00:00:00 2001
From: fpoutre
Date: Thu, 20 Feb 2020 18:42:57 +0100
Subject: [PATCH 07/48] added ldap-replica support for ldap-clients of pacaterie and fleming
---
 copy_keys_to_aurore.sh | 4 ----
 1 file changed, 4 deletions(-)
 delete mode 100755 copy_keys_to_aurore.sh
diff --git a/copy_keys_to_aurore.sh b/copy_keys_to_aurore.sh
deleted file mode 100755
index 12cf2c6..0000000
--- a/copy_keys_to_aurore.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-for ip in `cat hosts|grep .adm.auro.re`; do
- sshpass -v -p "6+Fwa9h2L>L6]C*y" ssh-copy-id -o StrictHostKeyChecking=no fpoutre@$ip
-done
From b7b32dc4960879fe5730a3c49a04708816dab448 Mon Sep 17 00:00:00 2001
From: fpoutre
Date: Thu, 20 Feb 2020 19:08:09 +0100
Subject: [PATCH 08/48] modified the master_ldap_uri to use a ndd
---
 group_vars/all/vars.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index d466fcd..d55fd60 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
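Review bot: Every replica URI this hunk emits is plain `ldap://`, and nslcd binds with `ldap_nslcd_bind_dn`/`ldap_nslcd_passwd` from group_vars, so unless an `ssl start_tls` line exists further down the template (the `tls_cacertfile` setting visible in patch 09 suggests TLS is intended, but `ssl` itself is not in view) those credentials and every NSS lookup cross the admin network in cleartext; please confirm `ssl start_tls` is set, or emit `ldaps://` here. nslcd walks the `uri` list in order and only moves on after a connection failure, so each replica listed via `groups[...]` that is not actually deployed adds a connect timeout to lookups on every client in that site; a comment such as `{# replica groups must only list replicas that are up — see hosts #}` above the loops would make that dependency explicit. The `uri` section continues past the hunk with `uri {{ ldap_master_uri }}` as the last entry.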
@@ -6,7 +6,7 @@ ansible_python_interpreter: /usr/bin/python3
 # You can hash LDAP passwords with `slappasswd` tool
 ldap_base: 'dc=auro,dc=re'
 ldap_master_ipv4: '10.128.0.11'
-ldap_master_uri: "ldap://{{ ldap_master_ipv4 }}"
+ldap_master_uri: "ldap://re2o-ldap.adm.auro.re"
 ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
 ldap_nslcd_bind_dn: "cn=nslcd,ou=service-users,{{ ldap_base }}"
 ldap_nslcd_passwd: "{{ vault_ldap_nslcd_passwd }}"
From 23f1b7a4a1b8714e6094801165ec00b34747048b Mon Sep 17 00:00:00 2001
From: fpoutre
Date: Sun, 22 Mar 2020 18:42:00 +0100
Subject: [PATCH 09/48] added support for edc and gs in ldap replica backup configuration
---
 hosts | 14 ++++++++++++++
 roles/ldap-client/templates/nslcd.conf.j2 | 11 ++++++++++-
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/hosts b/hosts
index bdffb4d..25fcbb3 100644
--- a/hosts
+++ b/hosts
@@ -159,6 +159,12 @@ gs_pve
 #dns-edc.adm.auro.re
 #dns-gs.adm.auro.re
+[ldap_replica]
+ldap_replica_fleming
+ldap_replica_pacaterie
+ldap_replica_edc
+ldap_replica_gs
+
 [ldap_replica_fleming]
 ldap-replica-fleming.adm.auro.re
 ldap-replica-fleming-backup.adm.auro.re
@@ -166,3 +172,11 @@ ldap-replica-fleming-backup.adm.auro.re
 [ldap_replica_pacaterie]
 ldap-replica-pacaterie.adm.auro.re
 ldap-replica-pacaterie-backup.adm.auro.re
+
+[ldap_replica_edc]
+ldap-replica-edc.adm.auro.re
+ldap-replica-edc-backup.adm.auro.re
+
+[ldap_replica_gs]
+ldap-replica-gs.adm.auro.re
+ldap-replica-gs-backup.adm.auro.re
diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2
index ab8d556..bd256dc 100644
--- a/roles/ldap-client/templates/nslcd.conf.j2
+++ b/roles/ldap-client/templates/nslcd.conf.j2
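Review bot: `ldap_master_uri` now points at `re2o-ldap.adm.auro.re` while `ldap_master_ipv4: '10.128.0.11'` stays defined two lines above, so the two can silently disagree; either derive one from the other or drop the IP if nothing else reads it (not visible here). Moving the master to a hostname also makes NSS/PAM on every client depend on resolving `adm.auro.re`, and the `dns-*` VMs are themselves LDAP clients in this inventory, so a resolver problem on a DNS host can now take LDAP logins on that host down with it; a comment recording that trade-off, or keeping `ldap://{{ ldap_master_ipv4 }}` as a last-resort `uri` in the nslcd template, would be worth it. The scheme is still plain `ldap://`, so the bind password in `ldap_nslcd_passwd` relies on `ssl start_tls` being set in nslcd.conf.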
@@ -15,6 +15,16 @@ uri {{ uri }}
 uri ldap://{{ uri }}
 {% endfor %}
 {% endif %}
+{% if 'edc_vm' in group_names or 'edc_pve' in group_names %}
+{% for uri in groups['ldap_replica_edc'] %}
+uri {{ uri }}
+{% endfor %}
+{% endif %}
+{% if 'gs_vm' in group_names or 'gs_pve' in group_names %}
+{% for uri in groups['ldap_replica_gs'] %}
+uri {{ uri }}
+{% endfor %}
+{% endif %}
 uri {{ ldap_master_uri }}
 # The search base that will be used for all queries.
@@ -40,4 +50,3 @@ tls_cacertfile /etc/ssl/certs/ca-certificates.crt
 # The search scope.
 #scope sub
-
From 0e61fcff908bdde04d1c19b1190eb104938dc1a9 Mon Sep 17 00:00:00 2001
From: fpoutre
Date: Sun, 22 Mar 2020 18:43:57 +0100
Subject: [PATCH 10/48] added support for ldap-replicas in the base.yml for edc and gs
---
 hosts | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/hosts b/hosts
index 25fcbb3..7caec9b 100644
--- a/hosts
+++ b/hosts
@@ -83,6 +83,8 @@ routeur-pacaterie-backup.adm.auro.re
 #unifi-edc.adm.auro.re
 #radius-edc.adm.auro.re
 #routeur-aurore.adm.auro.re
+ldap-replica-edc.adm.auro.re
+ldap-replica-edc-backup.adm.auro.re
 [gs_pve]
 #perceval.adm.auro.re
@@ -93,6 +95,8 @@ routeur-pacaterie-backup.adm.auro.re
 #radius-gs.adm.auro.re
 #dns-gs.adm.auro.re
 #dhcp-gs.adm.auro.re
+ldap-replica-gs.adm.auro.re
+ldap-replica-gs-backup.adm.auro.re
 # everything at ovh
 [ovh:children]
From 40e915a7e0af83b9e4aca78651de835d7b95d92e Mon Sep 17 00:00:00 2001
From: fpoutre
Date: Sun, 22 Mar 2020 19:06:38 +0100
Subject: [PATCH 11/48] happy little mistakes
---
 hosts | 33 ++++++++++++-----------
 roles/ldap-client/templates/nslcd.conf.j2 | 6 ++---
 2 files changed, 20 insertions(+), 19 deletions(-)
diff --git a/hosts b/hosts
index 7caec9b..2e83677 100644
--- a/hosts
+++ b/hosts
@@ -74,29 +74,29 @@ routeur-pacaterie.adm.auro.re routeur-pacaterie-backup.adm.auro.re [edc_pve] -#chapalux.adm.auro.re +chapalux.adm.auro.re [edc_vm] -#routeur-edc.adm.auro.re -#dns-edc.adm.auro.re -#dhcp-edc.adm.auro.re -#unifi-edc.adm.auro.re -#radius-edc.adm.auro.re -#routeur-aurore.adm.auro.re +routeur-edc.adm.auro.re +dns-edc.adm.auro.re +dhcp-edc.adm.auro.re +unifi-edc.adm.auro.re +radius-edc.adm.auro.re +routeur-aurore.adm.auro.re ldap-replica-edc.adm.auro.re -ldap-replica-edc-backup.adm.auro.re +#ldap-replica-edc-backup.adm.auro.re [gs_pve] #perceval.adm.auro.re [gs_vm] -#routeur-gs.adm.auro.re -#unifi-gs.adm.auro.re -#radius-gs.adm.auro.re -#dns-gs.adm.auro.re -#dhcp-gs.adm.auro.re -ldap-replica-gs.adm.auro.re -ldap-replica-gs-backup.adm.auro.re +routeur-gs.adm.auro.re +unifi-gs.adm.auro.re +radius-gs.adm.auro.re +dns-gs.adm.auro.re +dhcp-gs.adm.auro.re +#ldap-replica-gs.adm.auro.re +#ldap-replica-gs-backup.adm.auro.re # everything at ovh [ovh:children] @@ -137,6 +137,7 @@ ovh_container ovh_vm fleming_vm pacaterie_vm +edc_vm gs_vm # every PVE @@ -163,7 +164,7 @@ gs_pve #dns-edc.adm.auro.re #dns-gs.adm.auro.re -[ldap_replica] +[ldap_replica:children] ldap_replica_fleming ldap_replica_pacaterie ldap_replica_edc diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2 index bd256dc..1cb7856 100644 --- a/roles/ldap-client/templates/nslcd.conf.j2 +++ b/roles/ldap-client/templates/nslcd.conf.j2 @@ -7,7 +7,7 @@ gid nslcd # The location at which the LDAP server(s) should be reachable. {% if 'fleming_vm' in group_names or 'fleming_pve' in group_names %} {% for uri in groups['ldap_replica_fleming'] %} -uri {{ uri }} +uri ldap://{{ uri }} {% endfor %} {% endif %} {% if 'pacaterie_vm' in group_names or 'pacaterie_pve' in group_names %} 
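Review bot: `ldap-replica-edc-backup.adm.auro.re` is commented out of `edc_vm` here and both gs replicas are commented out of `gs_vm`, but the `[ldap_replica_edc]` and `[ldap_replica_gs]` groups added two commits earlier still list all four hosts, and nslcd.conf.j2 builds its `uri` list from exactly those groups. Every edc/gs host will therefore be configured to try replicas this inventory does not manage (and which presumably do not exist yet), and I would expect nslcd to sit on connect timeouts for them before falling through to the next URI. Keep the replica groups in step with what is deployed — comment the same hosts out under `[ldap_replica_edc]` / `[ldap_replica_gs]` — or add a one-line comment in each group stating that the missing VMs are expected soon. The `[ldap_replica:children]` fix in the third hunk is correct and worth a comment, since a plain `[ldap_replica]` silently treated the group names as hostnames.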
@@ -17,12 +17,12 @@ uri ldap://{{ uri }} {% endif %} {% if 'edc_vm' in group_names or 'edc_pve' in group_names %} {% for uri in groups['ldap_replica_edc'] %} -uri {{ uri }} +uri ldap://{{ uri }} {% endfor %} {% endif %} {% if 'gs_vm' in group_names or 'gs_pve' in group_names %} {% for uri in groups['ldap_replica_gs'] %} -uri {{ uri }} +uri ldap://{{ uri }} {% endfor %} {% endif %} uri {{ ldap_master_uri }} From e6b2f80b49812c9396585f1c46f0100dbd1f036a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sun, 5 Apr 2020 17:39:27 +0200 Subject: [PATCH 12/48] templatisation de la config dhcpd MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit non encore testé --- group_vars/fleming/dhcp.yml | 11 +++ group_vars/pacaterie/dhcp.yml | 7 ++ .../templates/dhcp/dhcpd.conf.j2 | 77 ++++++++++++++++--- 3 files changed, 85 insertions(+), 10 deletions(-) create mode 100644 group_vars/fleming/dhcp.yml create mode 100644 group_vars/pacaterie/dhcp.yml diff --git a/group_vars/fleming/dhcp.yml b/group_vars/fleming/dhcp.yml new file mode 100644 index 0000000..97456e9 --- /dev/null +++ b/group_vars/fleming/dhcp.yml @@ -0,0 +1,11 @@ +--- +apartment_block: fleming + +subnet_ids: + ap: 141 + users_wired: 10 + users_wifi: 11 + +failover: + own-address: 10.128.2.254 + peer-address: 10.128.2.154 diff --git a/group_vars/pacaterie/dhcp.yml b/group_vars/pacaterie/dhcp.yml new file mode 100644 index 0000000..043d26d --- /dev/null +++ b/group_vars/pacaterie/dhcp.yml @@ -0,0 +1,7 @@ +--- +apartment_block: pacaterie + +subnet_ids: + ap: 142 + users_wired: 20 + users_wifi: 21 diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 3b0da57..93527bd 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 
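Review bot: In group_vars/fleming/dhcp.yml the failover keys are spelled `own-address` / `peer-address`, while the dhcpd template added in this same commit dereferences `failover.own_address` and `failover.peer_address`; Ansible will raise an undefined-attribute error when rendering fleming, so the keys need underscores (`own_address: 10.128.2.254` / `peer_address: 10.128.2.154`). The file only describes one half of a failover pair — nothing here gives the secondary its mirrored view — so either the backup host's variables belong alongside, or a comment should say the backup is not deployed yet. A short header comment on both files naming what `subnet_ids` are (the second octet of the 10.x.0.0/16 per VLAN, as far as I can tell from the template) would also help, since the numbers are otherwise opaque.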
@@ -1,15 +1,16 @@ # dhcpd.conf -# {{ ansible_managed }} +{{ ansible_managed }} -# option definitions common to all supported networks... -#option domain-name "example.org"; -#option domain-name-servers ns1.example.org, ns2.example.org; +default-lease-time 86400; +max-lease-time 86400; -# We have tagged network so use last 4 bytes for tag (1500 max) -option interface-mtu 1496; +# Option definitions common to all supported networks. -default-lease-time 600; -max-lease-time 7200; +# The MTU theoretically could go as high as 1496 (4-byte VLAN tag). +option interface-mtu 1400; +# XXX: hardcoded DNS for now +option domain-name-servers 80.67.169.12, 1.1.1.1; +option root-path "/"; # The ddns-updates-style parameter controls whether or not the server will # attempt to do a DNS update when a lease is confirmed. We default to the 
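Review bot: `{{ ansible_managed }}` is now emitted without the leading `#`, so the rendered dhcpd.conf starts with a bare `Ansible managed …` line that dhcpd will reject as a statement; keep `# {{ ansible_managed }}`. The global `option domain-name-servers 80.67.169.12, 1.1.1.1;` hands every client's DNS traffic, in clear, to two external resolvers — the `XXX` already admits this is temporary, and a `dhcp_dns_servers` list in group_vars would let each site point at its own resolver without touching the template. `option root-path "/"` only affects netbooting clients; if nothing PXE-boots on these VLANs it looks like leftover and deserves either a comment or removal.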
@@ -29,5 +30,61 @@ authoritative; # have to hack syslog.conf to complete the redirection). #log-facility local7; -# Aurore topology -# TODO + +# Bornes WiFi +subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { + interface "ens19"; + option subnet-mask 255.255.0.0; + option broadcast-address 10.{{ subnet_ids.ap }}.255.255; + option routers 10.{{ subnet_ids.ap }}.0.250; + option domain-name-servers 80.67.169.12, 1.1.1.1; + option domain-name "borne.auro.re"; + option domain-search "borne.auro.re"; + include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list"; + + deny unknown-clients; +} + +# Users filaire +subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { + interface "ens20"; + option subnet-mask 255.255.0.0; + option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255; + option routers 10.{{ subnet_ids.users_wired }}.0.240; + option domain-name "fil.{{ apartment_block }}.auro.re"; + option domain-search "auro.re"; + include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list"; + + deny unknown-clients; +} + + +# Users WiFi +subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { + interface "ens21"; + option subnet-mask 255.255.0.0; + option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255; + option routers 10.{{ subnet_ids.users_wired }}.0.240; + option domain-name "wifi.{{ apartment_block }}.auro.re"; + option domain-search "auro.re"; + include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list"; + + pool { + range 10.{{ subnet_ids.users_wired }}.8.0 10.{{ subnet_ids.users_wired }}.10.255; + + {% if failover is defined %} + failover peer "dhcp-failover" { + primary; + split 128; + mclt 3600; + address {{ failover.own_address }}; + port 647; + peer address {{ failover.peer_address }}; + peer port 647; + max-response-delay 30; + max-unacked-updates 10; + load balance max seconds 3; + } + {% endif %} + } +} 
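Review bot: The "Users WiFi" block is templated from `subnet_ids.users_wired` in every address it renders (subnet, broadcast, routers, both ends of the range), so it declares the same 10.x.0.0/16 as the wired block above it and dhcpd will most likely reject the duplicate subnet; it should use `subnet_ids.users_wifi` throughout. Unlike the AP and wired subnets, the WiFi pool carries no `deny unknown-clients;`, so any MAC absent from the generated re2o list gets a lease from 10.x.8.0–10.x.10.255 — if that is the intended registration/captive range, a comment saying so (`# open pool: unregistered clients land here for the captive portal`) is needed, otherwise add the deny. The failover block also dereferences `failover.own_address` / `failover.peer_address` while group_vars/fleming/dhcp.yml in this commit defines `own-address` / `peer-address`, so rendering fails on fleming until the keys agree.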
From 709e4614c2f104b1c549d91dc9b1ac1f8232036a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sun, 5 Apr 2020 19:04:03 +0200 Subject: [PATCH 13/48] =?UTF-8?q?suppression=20d'une=20d=C3=A9claration=20?= =?UTF-8?q?DNS=20redondante?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 93527bd..2236e6d 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 @@ -37,7 +37,6 @@ subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { option subnet-mask 255.255.0.0; option broadcast-address 10.{{ subnet_ids.ap }}.255.255; option routers 10.{{ subnet_ids.ap }}.0.250; - option domain-name-servers 80.67.169.12, 1.1.1.1; option domain-name "borne.auro.re"; option domain-search "borne.auro.re"; include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list"; From 6b369d5b28914dede16f398e612404f16bb660ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sun, 5 Apr 2020 19:51:03 +0200 Subject: [PATCH 14/48] fix ProxyJump in README --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index a1abc50..e64776c 100644 --- a/README.md +++ b/README.md @@ -89,8 +89,7 @@ Dans la configuration SSH : # Use a key to log on all Crans servers # and use a proxy server Host 10.128.0.* *.adm.auro.re - IdentityFile ~/.ssh/id_rsa - ProxyJump auro.re + ProxyJump passerelle.auro.re ``` Il faut savoir que depuis Ansible 2.5, des connexions persistantes sont créées From 2a0a2e2ac657e89faeb2cbb987f40c9302672981 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sun, 5 Apr 2020 19:48:56 +0200 Subject: [PATCH 15/48] dhcp: fix silly mix-ups --- base.yml | 6 ++++++ group_vars/fleming/dhcp.yml | 3 --- group_vars/pacaterie/dhcp.yml | 4 ++++ hosts | 4 ++-- .../isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 | 16 ++++++---------- 5 files changed, 18 insertions(+), 15 deletions(-) diff --git a/base.yml b/base.yml index bafc56b..a668ae5 100644 --- a/base.yml +++ b/base.yml @@ -10,6 +10,12 @@ roles: - ldap-client + +# Set up DHCP servers. +- hosts: dhcp + roles: + - isc-dhcp-server + # Clone LDAP on local geographic location # DON'T DO THIS AS IT RECREATES THE REPLICA #- hosts: ldap-replica diff --git a/group_vars/fleming/dhcp.yml b/group_vars/fleming/dhcp.yml index 97456e9..f0d1f8f 100644 --- a/group_vars/fleming/dhcp.yml +++ b/group_vars/fleming/dhcp.yml @@ -6,6 +6,3 @@ subnet_ids: users_wired: 10 users_wifi: 11 -failover: - own-address: 10.128.2.254 - peer-address: 10.128.2.154 diff --git a/group_vars/pacaterie/dhcp.yml b/group_vars/pacaterie/dhcp.yml index 043d26d..3fdf3c8 100644 --- a/group_vars/pacaterie/dhcp.yml +++ b/group_vars/pacaterie/dhcp.yml @@ -5,3 +5,7 @@ subnet_ids: ap: 142 users_wired: 20 users_wifi: 21 + +failover: + own_address: 10.128.2.254 + peer_address: 10.128.2.154 diff --git a/hosts b/hosts index 2e83677..d8defaf 100644 --- a/hosts +++ b/hosts @@ -149,9 +149,9 @@ edc_pve gs_pve [dhcp] -#dhcp-fleming.adm.auro.re +dhcp-fleming.adm.auro.re #dhcp-fleming-backup.adm.auro.re -#dhcp-pacaterie.adm.auro.re +dhcp-pacaterie.adm.auro.re #dhcp-pacaterie-backup.adm.auro.re #dhcp-edc.adm.auro.re #dhcp-gs.adm.auro.re diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 2236e6d..5ab2be5 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 
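Review bot: `failover:` is now defined for pacaterie, but the `[dhcp]` hunk in the same commit leaves `dhcp-pacaterie-backup.adm.auro.re` commented out, so dhcp-pacaterie will be rendered as a failover primary whose peer is not deployed by this playbook. As far as I remember ISC dhcpd, a server with no saved failover state starts in `recover` and will not allocate from a failover pool until it has synchronised with its peer, which would leave the pacaterie WiFi pool handing out nothing; please verify on a test host before this reaches production. The values `10.128.2.254` / `10.128.2.154` are exactly the ones just removed from the fleming file — a comment confirming these really are pacaterie's adm addresses would reassure the next reader.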
@@ -20,11 +20,7 @@ ddns-update-style none; # If this DHCP server is the official DHCP server for the local # network, the authoritative directive should be uncommented. -{% if dhcp.authoritative %} authoritative; -{% else %} -#authoritative; -{% endif %} # Use this to send dhcp log messages to a different log file (you also # have to hack syslog.conf to complete the redirection). @@ -59,19 +55,19 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { # Users WiFi -subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { +subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { interface "ens21"; option subnet-mask 255.255.0.0; - option broadcast-address 10.{{ subnet_ids.users_wired }}.255.255; - option routers 10.{{ subnet_ids.users_wired }}.0.240; + option broadcast-address 10.{{ subnet_ids.users_wifi }}.255.255; + option routers 10.{{ subnet_ids.users_wifi }}.0.240; option domain-name "wifi.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list"; pool { - range 10.{{ subnet_ids.users_wired }}.8.0 10.{{ subnet_ids.users_wired }}.10.255; + range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wired }}.10.255; - {% if failover is defined %} +{% if failover is defined %} failover peer "dhcp-failover" { primary; split 128; @@ -84,6 +80,6 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { max-unacked-updates 10; load balance max seconds 3; } - {% endif %} +{% endif %} } } From 34b448faece84a67043d8bb9a21aee9f5dc2f4ed Mon Sep 17 00:00:00 2001 
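Review bot: The pool range still mixes the two ids: `range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wired }}.10.255;` — with fleming's wired=10 / wifi=11 that is 10.11.8.0 down to 10.10.10.255, a descending range dhcpd will reject (and at a site where wired > wifi it would silently span the wrong /16); the upper bound should be `10.{{ subnet_ids.users_wifi }}.10.255`. Dropping the `dhcp.authoritative` switch means every rendered server is unconditionally `authoritative;` and will NAK leases it does not know about on the segment, which is what you want for the one-server-per-VLAN layout this inventory implies, but a one-line comment stating that assumption would be useful now that the variable that used to control it is gone.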
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 14:41:34 +0200 Subject: [PATCH 16/48] dhcp: implement failover peer configuration --- group_vars/dhcp/vars.yml | 4 ++ group_vars/pacaterie/dhcp.yml | 4 -- hosts | 4 +- .../templates/dhcp/dhcpd.conf.j2 | 40 ++++++++++++++----- 4 files changed, 37 insertions(+), 15 deletions(-) create mode 100644 group_vars/dhcp/vars.yml diff --git a/group_vars/dhcp/vars.yml b/group_vars/dhcp/vars.yml new file mode 100644 index 0000000..77933c1 --- /dev/null +++ b/group_vars/dhcp/vars.yml @@ -0,0 +1,4 @@ +--- +dhcp_failover: + primary_host: dhcp-{{ apartment_block }}.adm.auro.re + secondary_host: dhcp-{{ apartment_block }}-backup.adm.auro.re diff --git a/group_vars/pacaterie/dhcp.yml b/group_vars/pacaterie/dhcp.yml index 3fdf3c8..043d26d 100644 --- a/group_vars/pacaterie/dhcp.yml +++ b/group_vars/pacaterie/dhcp.yml @@ -5,7 +5,3 @@ subnet_ids: ap: 142 users_wired: 20 users_wifi: 21 - -failover: - own_address: 10.128.2.254 - peer_address: 10.128.2.154 diff --git a/hosts b/hosts index d8defaf..83a6c53 100644 --- a/hosts +++ b/hosts @@ -150,9 +150,9 @@ gs_pve [dhcp] dhcp-fleming.adm.auro.re -#dhcp-fleming-backup.adm.auro.re +dhcp-fleming-backup.adm.auro.re dhcp-pacaterie.adm.auro.re -#dhcp-pacaterie-backup.adm.auro.re +dhcp-pacaterie-backup.adm.auro.re #dhcp-edc.adm.auro.re #dhcp-gs.adm.auro.re diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 5ab2be5..da9f4d1 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 @@ -1,5 +1,5 @@ # dhcpd.conf -{{ ansible_managed }} +# {{ ansible_managed }} default-lease-time 86400; max-lease-time 86400; @@ -24,6 +24,7 @@ authoritative; # Use this to send dhcp log messages to a different log file (you also # have to hack syslog.conf to complete the redirection). +# XXX: This was enabled in one building and disabled in another. #log-facility local7; 
@@ -65,21 +66,42 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list"; pool { - range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wired }}.10.255; + range 10.{{ subnet_ids.users_wifi }}.8.0 10.{{ subnet_ids.users_wifi }}.10.255; -{% if failover is defined %} - failover peer "dhcp-failover" { +{% if dhcp_failover is defined %} + failover peer "dhcp-failover"; +{% endif %} + } +} + +{% if dhcp_failover is defined %} +failover peer "dhcp-failover" { +{% if inventory_hostname == dhcp_failover.primary_host %} primary; - split 128; + + # MCLT = Maximum Client Lead Time. + # Must be specified on the primary, forbidden on the secondary. mclt 3600; - address {{ failover.own_address }}; + + # Address or DNS name on which this node listens for connections + # from its failover peer. + address {{ dhcp_failover.primary_host }}; + peer address {{ dhcp_failover.secondary_host }}; +{% endif %} +{% if inventory_hostname == dhcp_failover.secondary_host %} + secondary; + # Address and peer address are reversed on the secondary node. + address {{ dhcp_failover.secondary_host }}; + peer address {{ dhcp_failover.primary_host }}; +{% endif %} + + # The following options can be shared between primary and + # secondary failover peers. port 647; - peer address {{ failover.peer_address }}; peer port 647; + split 128; max-response-delay 30; max-unacked-updates 10; load balance max seconds 3; } {% endif %} - } -} From fc21a5fa3db470a30dccddfb83fa37e1a5e2367e Mon Sep 17 00:00:00 2001 From: F/Poutre Date: Mon, 6 Apr 2020 16:30:52 +0200 Subject: [PATCH 17/48] Update base.yml --- base.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/base.yml b/base.yml index a668ae5..bafc56b 100644 --- a/base.yml +++ b/base.yml 
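Review bot: The pool's `failover peer "dhcp-failover";` reference is rendered before the `failover peer "dhcp-failover" { … }` declaration, which now sits at the very end of the file; dhcpd parses top-down and, as far as I know, refuses a pool that names an undeclared peer, so the declaration has to move above the subnets. `split 128;` is placed in the shared tail, but it is only valid on the primary (the secondary takes its split from the peer), so it belongs inside the `{% if inventory_hostname == dhcp_failover.primary_host %}` branch. Both are moves rather than rewrites; the WiFi subnet's closing braces are within the hunk, so nothing else needs to change.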
@@ -10,12 +10,6 @@ roles: - ldap-client - -# Set up DHCP servers. -- hosts: dhcp - roles: - - isc-dhcp-server - # Clone LDAP on local geographic location # DON'T DO THIS AS IT RECREATES THE REPLICA #- hosts: ldap-replica From 7ed34f79bd1547d0fe6062bc5547c65b6f1b5d73 Mon Sep 17 00:00:00 2001 From: F/Poutre Date: Mon, 6 Apr 2020 16:31:32 +0200 Subject: [PATCH 18/48] Update network.yml --- network.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/network.yml b/network.yml index 0b5e51b..bcd31cc 100644 --- a/network.yml +++ b/network.yml @@ -1,4 +1,5 @@ --- +''' # Deploy DHCP - hosts: dhcp vars: @@ -14,6 +15,12 @@ roles: - re2o-service - isc-dhcp-server +''' + +# Set up DHCP servers. +- hosts: dhcp + roles: + - isc-dhcp-server # Deploy DNS - hosts: dns From 01439c2388609c67b0c91914339d2181148dd50d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 16:37:10 +0200 Subject: [PATCH 19/48] fix network.yml syntax --- network.yml | 32 +++++++++++++++----------------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/network.yml b/network.yml index bcd31cc..66dd260 100644 --- a/network.yml +++ b/network.yml @@ -1,21 +1,19 @@ --- -''' -# Deploy DHCP -- hosts: dhcp - vars: - service_repo: https://gitlab.federez.net/re2o/dhcp.git - service_name: dhcp - service_version: master - service_config: - hostname: re2o-server.adm.auro.re - username: service-user - password: "{{ vault_serviceuser_passwd }}" - dhcp: - authoritative: true - roles: - - re2o-service - - isc-dhcp-server -''' +## Deploy DHCP +#- hosts: dhcp +# vars: +# service_repo: https://gitlab.federez.net/re2o/dhcp.git +# service_name: dhcp +# service_version: master +# service_config: +# hostname: re2o-server.adm.auro.re +# username: service-user +# password: "{{ vault_serviceuser_passwd }}" +# dhcp: +# authoritative: true +# roles: +# - re2o-service +# - isc-dhcp-server # Set up DHCP servers. - hosts: dhcp 
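Review bot: The restored DHCP play at the bottom of network.yml runs only `isc-dhcp-server`, yet dhcpd.conf.j2 `include`s `/var/local/re2o-services/dhcp/generated/dhcp.*.list`, which only the now commented-out `re2o-service` role (with its vaulted `service_config`) produces; on a fresh host dhcpd will fail to parse its config on the missing include. Either keep `re2o-service` in the play's roles or have the template guard each include behind a file check. The previous commit's `'''` markers were not YAML comment syntax and the `#` form used here is right, but a one-line comment such as `# Old combined play, kept for reference — superseded by the play below` would stop someone from "restoring" it.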
From 89a0dc57abe8588a606705c85770f78ff13fd8f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 16:49:14 +0200 Subject: [PATCH 20/48] run corresponding re2o-service on DHCP servers --- network.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/network.yml b/network.yml index 66dd260..ffb109b 100644 --- a/network.yml +++ b/network.yml @@ -17,7 +17,16 @@ # Set up DHCP servers. - hosts: dhcp + vars: + service_repo: https://gitlab.federez.net/re2o/dhcp.git + service_name: dhcp + service_version: master + service_config: + hostname: re2o-server.adm.auro.re + username: service-user + password: "{{ vault_serviceuser_passwd }}" roles: + - re2o-service - isc-dhcp-server # Deploy DNS From e760f9ad91165098d53d68ab0ee2306853d1f7eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 16:53:59 +0200 Subject: [PATCH 21/48] re2o-service: fix hostname --- network.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network.yml b/network.yml index ffb109b..082df3d 100644 --- a/network.yml +++ b/network.yml @@ -22,7 +22,7 @@ service_name: dhcp service_version: master service_config: - hostname: re2o-server.adm.auro.re + hostname: re2o.adm.auro.re username: service-user password: "{{ vault_serviceuser_passwd }}" roles: From d323b78c168a655c3f126098be8fad79dbc1cb2a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 16:54:20 +0200 Subject: [PATCH 22/48] fix bogus dhcpd config - move failover peer declaration to beginning of file - set split only on primary - fix re2o-service hostname - add /etc/default/isc-dhcp-server --- network.yml | 2 +- roles/isc-dhcp-server/tasks/main.yml | 11 ++- .../templates/default/isc-dhcp-server.j2 | 18 +++++ .../templates/dhcp/dhcpd.conf.j2 | 67 ++++++++++--------- 4 files changed, 65 insertions(+), 33 deletions(-) create mode 100644 roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 
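Review bot: `service_version: master` together with `service_repo: https://gitlab.federez.net/re2o/dhcp.git` means every run of this play checks out whatever is currently on a third-party branch and deploys it onto the DHCP servers, with no review step and no way to roll back; pin `service_version` to a tag or commit hash and bump it deliberately. `service_config.password` comes from the vault, which is right, but the re2o-service role presumably writes that config to disk somewhere (not visible here) — confirm that file is `0600` and owned by the service user. `hostname: re2o-server.adm.auro.re` is corrected twice in the next two commits; a comment naming the API endpoint the re2o client expects (`# re2o REST API, public name, must be reachable over HTTPS`) would avoid that churn.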
diff --git a/network.yml b/network.yml index 082df3d..f402921 100644 --- a/network.yml +++ b/network.yml @@ -22,7 +22,7 @@ service_name: dhcp service_version: master service_config: - hostname: re2o.adm.auro.re + hostname: re2o.auro.re username: service-user password: "{{ vault_serviceuser_passwd }}" roles: diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc-dhcp-server/tasks/main.yml index 0004081..c227e24 100644 --- a/roles/isc-dhcp-server/tasks/main.yml +++ b/roles/isc-dhcp-server/tasks/main.yml @@ -8,14 +8,21 @@ retries: 3 until: apt_result is succeeded + +- name: Configure /etc/default/isc-dhcp-server + template: + src: default/isc-dhcp-server.j2 + dest: /etc/default/isc-dhcp-server + mode: 0644 + - name: Configure isc-dhcp-server template: src: dhcp/dhcpd.conf.j2 dest: /etc/dhcp/dhcpd.conf mode: 0600 -- name: Ensure that isc-dhcp-server is started +- name: Ensure that isc-dhcp-server is started / reloaded systemd: name: isc-dhcp-server - state: started + state: restarted enabled: true diff --git a/roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 b/roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 new file mode 100644 index 0000000..83f7cae --- /dev/null +++ b/roles/isc-dhcp-server/templates/default/isc-dhcp-server.j2 @@ -0,0 +1,18 @@ +# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server) + +# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf). +#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf +#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf + +# Path to dhcpd's PID file (default: /var/run/dhcpd.pid). +#DHCPDv4_PID=/var/run/dhcpd.pid +#DHCPDv6_PID=/var/run/dhcpd6.pid + +# Additional options to start dhcpd with. +# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead +#OPTIONS="" + +# On what interfaces should the DHCP server (dhcpd) serve DHCP requests? +# Separate multiple interfaces with spaces, e.g. "eth0 eth1". +INTERFACESv4="ens19 ens20 ens21" +INTERFACESv6="" 
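Review bot: `state: restarted` on the service task restarts dhcpd on every playbook run, even when neither template changed, which is a short outage per run; the usual shape is to keep `state: started` / `enabled: true` here and have the two template tasks `notify: restart isc-dhcp-server` with a handler. While there, `validate: /usr/sbin/dhcpd -t -cf %s` on the dhcpd.conf template task makes Ansible refuse to write a config dhcpd cannot parse, which would have caught the descending-range and peer-ordering mistakes earlier in this series (note the validated file must be able to find its `include`s, so the generated lists need to exist first). The network.yml hunk moves the re2o client from the adm name to the public `re2o.auro.re`; that is fine as long as the client speaks HTTPS, but a comment saying why the adm name does not work would help.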
diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index da9f4d1..1f2196e 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 @@ -28,6 +28,43 @@ authoritative; #log-facility local7; +# TODO: move this failover peer declaration to a separate file and include it. +{% if dhcp_failover is defined %} +failover peer "dhcp-failover" { +{% if inventory_hostname == dhcp_failover.primary_host %} + primary; + + # MCLT = Maximum Client Lead Time. + # Must be specified on the primary, forbidden on the secondary. + mclt 3600; + + # Address or DNS name on which this node listens for connections + # from its failover peer. + address {{ dhcp_failover.primary_host }}; + peer address {{ dhcp_failover.secondary_host }}; + + # Load balancing. + split 128; +{% endif %} +{% if inventory_hostname == dhcp_failover.secondary_host %} + secondary; + # Address and peer address are reversed on the secondary node. + address {{ dhcp_failover.secondary_host }}; + peer address {{ dhcp_failover.primary_host }}; +{% endif %} + + # The following options can be shared between primary and + # secondary failover peers. + port 647; + peer port 647; + max-response-delay 30; + max-unacked-updates 10; + load balance max seconds 3; + } +{% endif %} + + + # Bornes WiFi subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { interface "ens19"; 
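Review bot: `address {{ dhcp_failover.primary_host }}` / `peer address …` bind the failover listener to DNS names, so dhcpd can only start once adm DNS resolves them; since the DHCP servers are part of what brings a site up, consider templating the adm IPs instead (a per-site variable or `hostvars` lookup) and keeping the hostnames in a comment. The failover channel on 647/tcp is, as far as I know, unauthenticated in ISC dhcpd, so it relies entirely on the adm network being trusted — a host-firewall rule restricting 647 to the peer address is the cheap mitigation and worth a comment next to `port 647;`. The declaration is now fully within this hunk, but the pools that reference the peer sit further down the file, outside it.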
@@ -74,34 +111,4 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { } } -{% if dhcp_failover is defined %} -failover peer "dhcp-failover" { -{% if inventory_hostname == dhcp_failover.primary_host %} - primary; - # MCLT = Maximum Client Lead Time. - # Must be specified on the primary, forbidden on the secondary. - mclt 3600; - - # Address or DNS name on which this node listens for connections - # from its failover peer. - address {{ dhcp_failover.primary_host }}; - peer address {{ dhcp_failover.secondary_host }}; -{% endif %} -{% if inventory_hostname == dhcp_failover.secondary_host %} - secondary; - # Address and peer address are reversed on the secondary node. - address {{ dhcp_failover.secondary_host }}; - peer address {{ dhcp_failover.primary_host }}; -{% endif %} - - # The following options can be shared between primary and - # secondary failover peers. - port 647; - peer port 647; - split 128; - max-response-delay 30; - max-unacked-updates 10; - load balance max seconds 3; - } -{% endif %} From 51fdb899404ce7585e3f53bb53f0d48231165abe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 17:28:04 +0200 Subject: [PATCH 23/48] extract dhcp-failover.conf into separate file --- roles/isc-dhcp-server/tasks/main.yml | 10 +++++- .../templates/dhcp/dhcp-failover.conf.j2 | 31 +++++++++++++++++ .../templates/dhcp/dhcpd.conf.j2 | 34 +------------------ 3 files changed, 41 insertions(+), 34 deletions(-) create mode 100644 roles/isc-dhcp-server/templates/dhcp/dhcp-failover.conf.j2 diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc-dhcp-server/tasks/main.yml index c227e24..171d782 100644 --- a/roles/isc-dhcp-server/tasks/main.yml +++ b/roles/isc-dhcp-server/tasks/main.yml 
@@ -15,7 +15,15 @@ dest: /etc/default/isc-dhcp-server mode: 0644 -- name: Configure isc-dhcp-server + +- name: Configure dhcp-failover.conf + template: + src: dhcp/dhcp-failover.conf.j2 + dest: /etc/dhcp/dhcp-failover.conf + mode: 0600 + when: dhcp_failover is defined + +- name: Configure dhcpd.conf template: src: dhcp/dhcpd.conf.j2 dest: /etc/dhcp/dhcpd.conf diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcp-failover.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcp-failover.conf.j2 new file mode 100644 index 0000000..6252343 --- /dev/null +++ b/roles/isc-dhcp-server/templates/dhcp/dhcp-failover.conf.j2 @@ -0,0 +1,31 @@ +failover peer "dhcp-failover" { +{% if inventory_hostname == dhcp_failover.primary_host %} + primary; + + # MCLT = Maximum Client Lead Time. + # Must be specified on the primary, forbidden on the secondary. + mclt 3600; + + # Address or DNS name on which this node listens for connections + # from its failover peer. + address {{ dhcp_failover.primary_host }}; + peer address {{ dhcp_failover.secondary_host }}; + + # Load balancing. + split 128; +{% endif %} +{% if inventory_hostname == dhcp_failover.secondary_host %} + secondary; + # Address and peer address are reversed on the secondary node. + address {{ dhcp_failover.secondary_host }}; + peer address {{ dhcp_failover.primary_host }}; +{% endif %} + + # The following options can be shared between primary and + # secondary failover peers. + port 647; + peer port 647; + max-response-delay 30; + max-unacked-updates 10; + load balance max seconds 3; +} diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 1f2196e..01b0a8d 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 
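Review bot: `when: dhcp_failover is defined` never evaluates to false for this role's hosts, because group_vars/dhcp/vars.yml (earlier in this series) sets `dhcp_failover` for the whole `dhcp` group; today that only matters for the fleming pair, but the moment `dhcp-edc` or `dhcp-gs` is uncommented in `[dhcp]` it will be rendered as a failover primary pointing at a `dhcp-<site>-backup` that does not exist, and its pool will stay idle waiting to synchronise. A condition that reflects the inventory, `when: dhcp_failover.secondary_host in groups['dhcp']` (mirrored in the `{% if %}` around the include in dhcpd.conf.j2), or defining `dhcp_failover` only in the site group_vars that really have a pair, avoids the trap. A host that is neither `primary_host` nor `secondary_host` would currently get a peer block with neither role keyword, so a `{% else %}` that fails the template loudly would be a useful guard too.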
@@ -30,40 +30,8 @@ authoritative; # TODO: move this failover peer declaration to a separate file and include it. {% if dhcp_failover is defined %} -failover peer "dhcp-failover" { -{% if inventory_hostname == dhcp_failover.primary_host %} - primary; - - # MCLT = Maximum Client Lead Time. - # Must be specified on the primary, forbidden on the secondary. - mclt 3600; - - # Address or DNS name on which this node listens for connections - # from its failover peer. - address {{ dhcp_failover.primary_host }}; - peer address {{ dhcp_failover.secondary_host }}; - - # Load balancing. - split 128; +include "/etc/dhcp/dhcp-failover.conf"; {% endif %} -{% if inventory_hostname == dhcp_failover.secondary_host %} - secondary; - # Address and peer address are reversed on the secondary node. - address {{ dhcp_failover.secondary_host }}; - peer address {{ dhcp_failover.primary_host }}; -{% endif %} - - # The following options can be shared between primary and - # secondary failover peers. - port 647; - peer port 647; - max-response-delay 30; - max-unacked-updates 10; - load balance max seconds 3; - } -{% endif %} - - # Bornes WiFi subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { From 7347829494ee0e4d1d80dd09db3321fbb9928ee6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 17:42:54 +0200 Subject: [PATCH 24/48] tackle logs --- roles/isc-dhcp-server/tasks/main.yml | 14 +++++++++++++- roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 | 5 +---- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc-dhcp-server/tasks/main.yml index 171d782..269843e 100644 --- a/roles/isc-dhcp-server/tasks/main.yml +++ b/roles/isc-dhcp-server/tasks/main.yml 
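Review bot: The comment `# TODO: move this failover peer declaration to a separate file and include it.` survives the very change it asks for, so the next reader will look for work that is already done. Replace it with a statement of the current layout, e.g. `# Failover peer is templated into /etc/dhcp/dhcp-failover.conf by this role (only when dhcp_failover is defined); it must stay above the pools that reference it.` — the ordering constraint is the one thing a future edit is likely to break.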
@@ -8,6 +8,19 @@ retries: 3 until: apt_result is succeeded +- name: Ensure dhcp log directory exists + file: + path: /var/log/dhcp + owner: root + group: root + mode: u=rwx,g=rx,a=rx + state: directory + +- name: Ensute rsyslog knows where to send dhcp logs + lineinfile: + path: /etc/rsyslog.conf + regexp: '^local7[.][*]' + line: "local7.* /var/log/dhcp/dhcpd.log" - name: Configure /etc/default/isc-dhcp-server template: @@ -15,7 +28,6 @@ dest: /etc/default/isc-dhcp-server mode: 0644 - - name: Configure dhcp-failover.conf template: src: dhcp/dhcp-failover.conf.j2 diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 01b0a8d..9b166c2 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 @@ -22,10 +22,7 @@ ddns-update-style none; # network, the authoritative directive should be uncommented. authoritative; -# Use this to send dhcp log messages to a different log file (you also -# have to hack syslog.conf to complete the redirection). -# XXX: This was enabled in one building and disabled in another. -#log-facility local7; +log-facility local7; # TODO: move this failover peer declaration to a separate file and include it. From 6cce62850dbbf336413c02ce7bf2830fa556ea5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 17:58:02 +0200 Subject: [PATCH 25/48] dhcp: configure log rotation --- roles/isc-dhcp-server/tasks/main.yml | 16 +++++++++++++--- .../templates/logrotate.d/dhcp.j2 | 11 +++++++++++ 2 files changed, 24 insertions(+), 3 deletions(-) create mode 100644 roles/isc-dhcp-server/templates/logrotate.d/dhcp.j2 diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc-dhcp-server/tasks/main.yml index 269843e..2916941 100644 --- a/roles/isc-dhcp-server/tasks/main.yml +++ b/roles/isc-dhcp-server/tasks/main.yml 
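Review bot: `mode: u=rwx,g=rx,a=rx` on the `/var/log/dhcp` task does not yield 0755 — symbolic clauses apply left to right and `a=rx` resets user, group and other to `r-x`, so the directory ends up 0555 (root still writes into it only thanks to DAC override); write `mode: '0755'` or `u=rwx,go=rx`. The `lineinfile` changes where `local7.*` goes, but nothing in this commit reloads rsyslog, so `/var/log/dhcp/dhcpd.log` stays empty until some unrelated restart; add `notify: restart rsyslog` backed by a handler. Minor: the task name reads `Ensute`.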
@@ -16,11 +16,21 @@ mode: u=rwx,g=rx,a=rx state: directory -- name: Ensute rsyslog knows where to send dhcp logs +- name: Ensure rsyslog knows where to send dhcp logs lineinfile: path: /etc/rsyslog.conf - regexp: '^local7[.][*]' - line: "local7.* /var/log/dhcp/dhcpd.log" + line: "local7.* /var/log/dhcp/dhcpd.log" + +- name: Configure dhcp log rotation + template: + src: logrotate.d/dhcp.j2 + dest: /etc/logrotate.d/dhcp + mode: 0644 + +- name: restart rsyslog + systemd: + name: rsyslog + state: restarted - name: Configure /etc/default/isc-dhcp-server template: diff --git a/roles/isc-dhcp-server/templates/logrotate.d/dhcp.j2 b/roles/isc-dhcp-server/templates/logrotate.d/dhcp.j2 new file mode 100644 index 0000000..9823aed --- /dev/null +++ b/roles/isc-dhcp-server/templates/logrotate.d/dhcp.j2 @@ -0,0 +1,11 @@ +/var/log/dhcp/dhcpd.log { + # common options + daily + rotate 365 + missingok + compress + delaycompress + notifempty + + copytruncate +} From 8579b99b2ee239b122b58eab9c715a6a55b79ab9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 19:03:10 +0200 Subject: [PATCH 26/48] dhcp: cron.d entry + let main.py restart the server --- roles/isc-dhcp-server/tasks/main.yml | 19 +++++++++++++------ .../templates/cron.d/re2o-services | 4 ++++ 2 files changed, 17 insertions(+), 6 deletions(-) create mode 100644 roles/isc-dhcp-server/templates/cron.d/re2o-services diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc-dhcp-server/tasks/main.yml index 2916941..4d6ef54 100644 --- a/roles/isc-dhcp-server/tasks/main.yml +++ b/roles/isc-dhcp-server/tasks/main.yml 
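Review bot: `restart rsyslog` is a plain task, so rsyslog is restarted on every playbook run whether or not the rsyslog.conf line changed; make it a handler notified by the `lineinfile` task. Dropping `regexp: '^local7[.][*]'` also turns that task from "replace the local7 rule" into "ensure this exact line exists", so a later change of the path would append a second `local7.*` rule rather than update the first — keep the regexp. In the logrotate file, `copytruncate` can drop lines written between the copy and the truncate; rsyslog reopens its files on HUP, so a `postrotate` that reloads it (Debian ships `/usr/lib/rsyslog/rsyslog-rotate` for exactly this — check it exists on the target release) is the safer choice.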
@@ -27,6 +27,19 @@ dest: /etc/logrotate.d/dhcp mode: 0644 +- name: set up cron to reload dhcp re2o service + cron: + # Do not change this name or idempotence *might* be lost. + name: dhcp-re2o-service + cron_file: re2o-services + minute: "*" + hour: "*" + day: "*" + weekday: "*" + month: "*" + user: root + job: "/usr/bin/python3 /var/local/re2o-services/dhcp/main.py" + - name: restart rsyslog systemd: name: rsyslog @@ -50,9 +63,3 @@ src: dhcp/dhcpd.conf.j2 dest: /etc/dhcp/dhcpd.conf mode: 0600 - -- name: Ensure that isc-dhcp-server is started / reloaded - systemd: - name: isc-dhcp-server - state: restarted - enabled: true diff --git a/roles/isc-dhcp-server/templates/cron.d/re2o-services b/roles/isc-dhcp-server/templates/cron.d/re2o-services new file mode 100644 index 0000000..abc05dd --- /dev/null +++ b/roles/isc-dhcp-server/templates/cron.d/re2o-services @@ -0,0 +1,4 @@ +# Régénération des services re2o + +# Régénération du dhcp +* * * * * root /usr/bin/python3 /var/local/re2o-services/dhcp/main.py From 8fee0857c139e7ced6e51e5179464d860759a69f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 19:03:38 +0200 Subject: [PATCH 27/48] re2o-service: force clone git repository --- roles/re2o-service/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/re2o-service/tasks/main.yml b/roles/re2o-service/tasks/main.yml index 473a4d7..74ac8fd 100644 --- a/roles/re2o-service/tasks/main.yml +++ b/roles/re2o-service/tasks/main.yml @@ -9,6 +9,7 @@ repo: "{{ service_repo }}" dest: "{{ service_homedir }}/{{ service_name }}" version: "{{ service_version }}" + force: true become: true become_user: "{{ service_user }}" From 9b043d95d379d62305590a3cd00be46b85647a67 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 6 Apr 2020 19:06:53 +0200 Subject: [PATCH 28/48] dhcp: don't touch pacaterie yet --- hosts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
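Review bot: The new cron entry runs `/var/local/re2o-services/dhcp/main.py` as root every minute with no overlap protection, so a slow run stacks concurrent instances; prefixing the job with `flock -n <lockfile>` is a one-word guard, and `user: root` deserves a comment since the re2o-service role otherwise runs the checkout as `service_user`. The `templates/cron.d/re2o-services` file added in the same commit is never deployed by any visible task and duplicates what the `cron` module writes to `/etc/cron.d/re2o-services`; one of the two should go. The following hunk removes the only visible task with `enabled: true` for isc-dhcp-server, so after this commit nothing in the role ensures the service is enabled at boot.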
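Review bot: `force: true` on the `git` task discards any local modification in `{{ service_homedir }}/{{ service_name }}` on every run, which is fine for a deploy-only checkout but should be stated in the task name so nobody is surprised; the task's `name:` and `git:` lines sit above this hunk. If `service_version` tracks a branch rather than a tag or commit, each run will also silently fast-forward the service to whatever the remote currently has.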
diff --git a/hosts b/hosts index 83a6c53..c5561a3 100644 --- a/hosts +++ b/hosts @@ -151,8 +151,8 @@ gs_pve [dhcp] dhcp-fleming.adm.auro.re dhcp-fleming-backup.adm.auro.re -dhcp-pacaterie.adm.auro.re -dhcp-pacaterie-backup.adm.auro.re +#dhcp-pacaterie.adm.auro.re +#dhcp-pacaterie-backup.adm.auro.re #dhcp-edc.adm.auro.re #dhcp-gs.adm.auro.re From b3712ed3354cef44c015b38c16aa6d2d7897ce77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 13 Apr 2020 16:35:09 +0200 Subject: [PATCH 29/48] unbound: initial deployment --- group_vars/edc/ldap_local_replica.yml | 4 + group_vars/fleming/{dhcp.yml => main.yml} | 0 group_vars/pacaterie/{dhcp.yml => main.yml} | 0 hosts | 6 +- network.yml | 47 +++++------ roles/unbound/tasks/main.yml | 25 ++++++ roles/unbound/templates/recursive.conf.j2 | 89 +++++++++++++++++++++ roles/unbound/templates/unbound.conf.j2 | 10 +++ 8 files changed, 152 insertions(+), 29 deletions(-) create mode 100644 group_vars/edc/ldap_local_replica.yml rename group_vars/fleming/{dhcp.yml => main.yml} (100%) rename group_vars/pacaterie/{dhcp.yml => main.yml} (100%) create mode 100644 roles/unbound/tasks/main.yml create mode 100644 roles/unbound/templates/recursive.conf.j2 create mode 100644 roles/unbound/templates/unbound.conf.j2 diff --git a/group_vars/edc/ldap_local_replica.yml b/group_vars/edc/ldap_local_replica.yml new file mode 100644 index 0000000..bad6801 --- /dev/null +++ b/group_vars/edc/ldap_local_replica.yml @@ -0,0 +1,4 @@ +--- +ldap_local_replica_uri: + - 'ldap://ldap-replica-edc.adm.auro.re' + diff --git a/group_vars/fleming/dhcp.yml b/group_vars/fleming/main.yml similarity index 100% rename from group_vars/fleming/dhcp.yml rename to group_vars/fleming/main.yml diff --git a/group_vars/pacaterie/dhcp.yml b/group_vars/pacaterie/main.yml similarity index 100% rename from group_vars/pacaterie/dhcp.yml rename to group_vars/pacaterie/main.yml diff --git a/hosts b/hosts index c5561a3..8bdbb48 100644 --- a/hosts +++ b/hosts 
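Review bot: `ldap_local_replica_uri` points at `ldap://ldap-replica-edc.adm.auro.re`, i.e. plain LDAP; unless the consumers of this variable enable StartTLS, binds and directory data cross the adm network in clear. If the replica is only reachable over a trusted management network that may be acceptable, but a comment next to the URI saying so would help; otherwise `ldaps://` or a StartTLS setting on the client side is the fix. The new file also ends with an extra blank line after the list.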
@@ -149,15 +149,15 @@ edc_pve gs_pve [dhcp] -dhcp-fleming.adm.auro.re +#dhcp-fleming.adm.auro.re dhcp-fleming-backup.adm.auro.re #dhcp-pacaterie.adm.auro.re #dhcp-pacaterie-backup.adm.auro.re #dhcp-edc.adm.auro.re #dhcp-gs.adm.auro.re -[dns] -#dns-fleming.adm.auro.re +[recursive_dns] +dns-fleming.adm.auro.re #dns-fleming-backup.adm.auro.re #dns-pacaterie.adm.auro.re #dns-pacaterie-backup.adm.auro.re diff --git a/network.yml b/network.yml index f402921..70c5641 100644 --- a/network.yml +++ b/network.yml @@ -1,20 +1,4 @@ --- -## Deploy DHCP -#- hosts: dhcp -# vars: -# service_repo: https://gitlab.federez.net/re2o/dhcp.git -# service_name: dhcp -# service_version: master -# service_config: -# hostname: re2o-server.adm.auro.re -# username: service-user -# password: "{{ vault_serviceuser_passwd }}" -# dhcp: -# authoritative: true -# roles: -# - re2o-service -# - isc-dhcp-server - # Set up DHCP servers. - hosts: dhcp vars: @@ -29,18 +13,29 @@ - re2o-service - isc-dhcp-server -# Deploy DNS -- hosts: dns + + +# Deploy unbound DNS server (recursive). +- hosts: recursive_dns vars: - service_repo: https://gitlab.crans.org/nounous/re2o-dns.git - service_name: dns - service_version: crans - service_config: - hostname: re2o-server.adm.auro.re - username: service-user - password: "{{ vault_serviceuser_passwd }}" + - dns_host_suffix: 253 roles: - - re2o-service + - unbound + + +# WIP: Deploy authoritative DNS servers +# - hosts: authoritative_dns +# vars: +# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git +# service_name: dns +# service_version: crans +# service_config: +# hostname: re2o-server.adm.auro.re +# username: service-user +# password: "{{ vault_serviceuser_passwd }}" +# roles: +# - re2o-service + # Deploy Unifi Controller #- hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml new file mode 100644 index 0000000..6358173 --- /dev/null +++ b/roles/unbound/tasks/main.yml 
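Review bot: In the new `recursive_dns` play, `vars:` is written as a list (`- dns_host_suffix: 253`) rather than a mapping; list-form play vars has been deprecated in Ansible, so write `vars:` followed by `dns_host_suffix: 253` as a key. Since the same octet is what the unbound template uses to build its listen addresses, the value would also fit better in group_vars next to the subnet ids than as a play-level variable.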
@@ -0,0 +1,25 @@
+---
+
+- name: install unbound
+ apt:
+ update_cache: true
+ name: unbound
+ state: present
+
+- name: setup main unbound config file
+ template:
+ src: unbound.conf.j2
+ dest: /etc/unbound/unbound.conf
+ mode: 0644
+
+- name: setup recursive DNS server config
+ template:
+ src: recursive.conf.j2
+ dest: /etc/unbound/unbound.conf.d/recursive.conf
+ mode: 0644
+
+
+- name: restart unbound after editing config
+ systemd:
+ state: restarted
+ name: unbound
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
new file mode 100644
index 0000000..1660ccb
--- /dev/null
+++ b/roles/unbound/templates/recursive.conf.j2
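Review bot: The role templates two config files and then restarts unbound unconditionally, so a template mistake takes the residence's resolver down with no check in between, and the cache is dropped on every play whether or not anything changed. Run `unbound-checkconf` between the template tasks and the restart, e.g. `- name: validate unbound configuration` / `command: unbound-checkconf` / `changed_when: false`, and make the restart a handler notified by the template tasks. `update_cache: true` on the `apt` task with no `cache_valid_time` also refreshes the package index on every run.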
@@ -0,0 +1,89 @@ +server: + verbosity: 1 + use-syslog: yes + logfile: "/var/log/unbound.log" + log-time-ascii: yes + + # IP addresses on which to listen. + interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }} + interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }} + interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }} + + + # By default, anything other than localhost is refused. + # Whitelist some subnets: + access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow + access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow + access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow + + do-ip4: yes + # FIXME: IPv6 deployment... someday... + do-ip6: no + + do-udp: yes + do-tcp: yes + + num-threads: {{ ansible_processor_vcpus }} + + # power of 2 close to num-threads + # TODO: compute this dynamically w/ Ansible + msg-cache-slabs: 16 + rrset-cache-slabs: 16 + infra-cache-slabs: 16 + key-cache-slabs: 16 + + # Read the root hints from this file + # FIXME: missing file. + # root-hints: "/var/lib/unbound/root.hints" + + harden-referral-path: yes + use-caps-for-id: yes + hide-identity: yes + hide-version: yes + harden-glue: yes + harden-dnssec-stripped: yes + + # the time to live (TTL) value lower bound, in seconds. Default 0. + # If more than an hour could easily give trouble due to stale data. + # WARNING : against protocol rule but efficient against stupidly too low TTLs + + cache-min-ttl: 3600 + + # the time to live (TTL) value cap for RRsets and messages in the + # cache. Items are not cached for longer. In seconds. + cache-max-ttl: 86400 + + prefetch: yes + + # If nonzero, unwanted replies are not only reported in statistics, but also + # a running total is kept per thread. If it reaches the threshold, a warning + # is printed and a defensive action is taken, the cache is cleared to flush + # potential poison out of it. A suggested value is 10000000, the default is + # 0 (turned off). We think 10K is a good value. 
+ unwanted-reply-threshold: 10000 + + # Should additional section of secure message also be kept clean of unsecure + # data. Useful to shield the users of this validator from potential bogus + # data in the additional section. All unsigned data in the additional section + # is removed from secure messages. + val-clean-additional: yes + + # Log validation failures + val-log-level: 2 + + + private-address: 10.0.0.0/8 + + # Optimise + # https://unbound.net/documentation/howto_optimise.html + + # Faster UDP with multithreading (only on Linux). + so-reuseport: yes + + # Taille du cache + rrset-cache-size: 100m + msg-cache-size: 50m + + # gestion DNSSEC + harden-below-nxdomain: yes + harden-dnssec-stripped: yes diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2 new file mode 100644 index 0000000..b2d7672 --- /dev/null +++ b/roles/unbound/templates/unbound.conf.j2 @@ -0,0 +1,10 @@ +# Unbound configuration file for Debian. +# +# See the unbound.conf(5) man page. +# +# See /usr/share/doc/unbound/examples/unbound.conf for a commented +# reference config file. +# +# The following line includes additional configuration files from the +# /etc/unbound/unbound.conf.d directory. +include: "/etc/unbound/unbound.conf.d/*.conf" From f05e92dc5ef67a7679201b0a0bf887c0ffb5d4f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 13 Apr 2020 18:24:45 +0200 Subject: [PATCH 30/48] unbound: remove unchecked configuration keys --- roles/unbound/templates/recursive.conf.j2 | 78 ++--------------------- 1 file changed, 6 insertions(+), 72 deletions(-) diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index 1660ccb..f650b6c 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 
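Review bot: `private-address: 10.0.0.0/8` without a matching `private-domain:` makes unbound strip any 10/8 address from upstream answers as a rebinding defence, so if the authoritative servers for auro.re publish 10.x records for internal hosts these resolvers will hand back empty answers for them; add `private-domain: "auro.re"` (and any other zone that legitimately carries RFC 1918 data) beside it. `use-syslog: yes` overrides `logfile:` per unbound.conf(5), so the `/var/log/unbound.log` line is dead, and `harden-dnssec-stripped: yes` appears twice in the file. `cache-min-ttl: 3600` forces every record to be held for at least an hour regardless of its TTL, which the comment itself flags as against the protocol and which will delay failover for services relying on short TTLs.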
@@ -1,9 +1,11 @@
 server:
- verbosity: 1
- use-syslog: yes
- logfile: "/var/log/unbound.log"
+ # Timestamps use UTC ASCII instead of UNIX epoch.
 log-time-ascii: yes
-
+
+ do-ip4: yes
+ # FIXME: IPv6 deployment... someday...
+ do-ip6: no
+
 # IP addresses on which to listen.
 interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
 interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
@@ -16,74 +18,6 @@ server: access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow - do-ip4: yes - # FIXME: IPv6 deployment... someday... - do-ip6: no - - do-udp: yes - do-tcp: yes - num-threads: {{ ansible_processor_vcpus }} - - # power of 2 close to num-threads - # TODO: compute this dynamically w/ Ansible - msg-cache-slabs: 16 - rrset-cache-slabs: 16 - infra-cache-slabs: 16 - key-cache-slabs: 16 - - # Read the root hints from this file - # FIXME: missing file. - # root-hints: "/var/lib/unbound/root.hints" - - harden-referral-path: yes - use-caps-for-id: yes - hide-identity: yes - hide-version: yes - harden-glue: yes - harden-dnssec-stripped: yes - - # the time to live (TTL) value lower bound, in seconds. Default 0. - # If more than an hour could easily give trouble due to stale data. - # WARNING : against protocol rule but efficient against stupidly too low TTLs - - cache-min-ttl: 3600 - - # the time to live (TTL) value cap for RRsets and messages in the - # cache. Items are not cached for longer. In seconds. - cache-max-ttl: 86400 - - prefetch: yes - - # If nonzero, unwanted replies are not only reported in statistics, but also - # a running total is kept per thread. If it reaches the threshold, a warning - # is printed and a defensive action is taken, the cache is cleared to flush - # potential poison out of it. A suggested value is 10000000, the default is - # 0 (turned off). We think 10K is a good value. - unwanted-reply-threshold: 10000 - - # Should additional section of secure message also be kept clean of unsecure - # data. Useful to shield the users of this validator from potential bogus - # data in the additional section. All unsigned data in the additional section - # is removed from secure messages. 
- val-clean-additional: yes - - # Log validation failures - val-log-level: 2 - private-address: 10.0.0.0/8 - - # Optimise - # https://unbound.net/documentation/howto_optimise.html - - # Faster UDP with multithreading (only on Linux). - so-reuseport: yes - - # Taille du cache - rrset-cache-size: 100m - msg-cache-size: 50m - - # gestion DNSSEC - harden-below-nxdomain: yes - harden-dnssec-stripped: yes From 7275ebda47f48df7af5d3f553e6c2034bc281dcb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 15:39:32 +0200 Subject: [PATCH 31/48] dhcp: ask clients to use our DNS servers --- group_vars/all/vars.yml | 14 ++++++++++++++ network.yml | 2 -- roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 | 14 ++++++++------ 3 files changed, 22 insertions(+), 8 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index d55fd60..0cb89fc 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -36,3 +36,17 @@ monitoring_mail: 'monitoring.aurore@lists.crans.org' matrix_webhooks_secret: "{{ vault_matrix_webhooks_secret }}" matrix_discord_client_id: "559305991494303747" matrix_discord_bot_token: "{{ vault_matrix_discord_bot_token }}" + +### +# DNS +### + +# Dernier octet (en décimal) de l'addresse des serveurs DNS récursifs de chaque +# résidence. +dns_host_suffix: 253 + +upstream_dns_servers: + - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) + - "1.1.1.1" # Cloudflare + + diff --git a/network.yml b/network.yml index 70c5641..9e8980c 100644 --- a/network.yml +++ b/network.yml @@ -17,8 +17,6 @@ # Deploy unbound DNS server (recursive). - hosts: recursive_dns - vars: - - dns_host_suffix: 253 roles: - unbound diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 9b166c2..47da1d9 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 
@@ -1,4 +1,3 @@ -# dhcpd.conf # {{ ansible_managed }} default-lease-time 86400; @@ -8,8 +7,6 @@ max-lease-time 86400; # The MTU theoretically could go as high as 1496 (4-byte VLAN tag). option interface-mtu 1400; -# XXX: hardcoded DNS for now -option domain-name-servers 80.67.169.12, 1.1.1.1; option root-path "/"; # The ddns-updates-style parameter controls whether or not the server will @@ -24,8 +21,6 @@ authoritative; log-facility local7; - -# TODO: move this failover peer declaration to a separate file and include it. {% if dhcp_failover is defined %} include "/etc/dhcp/dhcp-failover.conf"; {% endif %} @@ -38,6 +33,8 @@ subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { option routers 10.{{ subnet_ids.ap }}.0.250; option domain-name "borne.auro.re"; option domain-search "borne.auro.re"; + + option domain-name-servers 10.{{ subnet_ids.ap }}.0.253, {{ upstream_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list"; deny unknown-clients; @@ -51,6 +48,9 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { option routers 10.{{ subnet_ids.users_wired }}.0.240; option domain-name "fil.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; + + option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.253, {{ upstream_dns_servers|join(', ') }}; + include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list"; deny unknown-clients; @@ -65,6 +65,9 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { option routers 10.{{ subnet_ids.users_wifi }}.0.240; option domain-name "wifi.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; + + option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.253, {{ upstream_dns_servers|join(', ') }}; + include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list"; pool { @@ -76,4 +79,3 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { } } - 
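Review bot: The three new `option domain-name-servers` lines (hunks `@@ -38`, `@@ -51` and `@@ -65`) hard-code the `.253` host octet even though this commit introduces `dns_host_suffix: 253` in group_vars for exactly that purpose; use `10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}` (and the wired/wifi equivalents) so the resolver address lives in one place. Listing public resolvers after the local one also means clients that do not strictly honour server order will send part of their queries past the local resolver; a comment stating that this is an accepted fallback would document the choice.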
From 1777d0e154f09e754710c583cdf7437d3c8f8430 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 15:42:31 +0200 Subject: [PATCH 32/48] unbound: log to /var/log/unbound.log, errors only --- roles/unbound/templates/recursive.conf.j2 | 7 +++++++ roles/unbound/templates/unbound.conf.j2 | 2 ++ 2 files changed, 9 insertions(+) diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index f650b6c..f5f7f69 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 @@ -1,7 +1,14 @@ +# {{ ansible_managed }} + server: # Timestamps use UTC ASCII instead of UNIX epoch. log-time-ascii: yes + logfile: /var/log/unbound.log + + # Only log errors. + verbosity: 0 + do-ip4: yes # FIXME: IPv6 deployment... someday... do-ip6: no diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2 index b2d7672..ee9a1cf 100644 --- a/roles/unbound/templates/unbound.conf.j2 +++ b/roles/unbound/templates/unbound.conf.j2 @@ -1,3 +1,5 @@ +# {{ ansible_managed }} +# # Unbound configuration file for Debian. # # See the unbound.conf(5) man page. From bfc7d542df8d82ed922371cfc80c3bd9d051f2d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 15:43:39 +0200 Subject: [PATCH 33/48] hosts: add all DNS VMs from fleming and pacaterie --- hosts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts b/hosts index 8bdbb48..e731c4c 100644 --- a/hosts +++ b/hosts @@ -158,9 +158,9 @@ dhcp-fleming-backup.adm.auro.re [recursive_dns] dns-fleming.adm.auro.re -#dns-fleming-backup.adm.auro.re -#dns-pacaterie.adm.auro.re -#dns-pacaterie-backup.adm.auro.re +dns-fleming-backup.adm.auro.re +dns-pacaterie.adm.auro.re +dns-pacaterie-backup.adm.auro.re #dns-edc.adm.auro.re #dns-gs.adm.auro.re From 22166bc69bef0f0ba9eb5c8623ba6e178053a4dd Mon Sep 17 00:00:00 2001 
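Review bot: The new `logfile: /var/log/unbound.log` has no effect as written: unbound defaults to `use-syslog: yes`, and unbound.conf(5) states that the logfile setting is overridden when syslog is in use, so errors keep going to syslog rather than to the file the commit title promises. Add `use-syslog: no` next to it, and note that the file must be writable by the `unbound` user (and sit inside the chroot if one is configured) or unbound will fail to open it at startup.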
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 16:23:57 +0200 Subject: [PATCH 34/48] unbound: log to journalctl --- group_vars/all/vars.yml | 2 +- hosts | 2 +- roles/unbound/tasks/main.yml | 1 - roles/unbound/templates/recursive.conf.j2 | 6 ++++-- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 0cb89fc..153e4f5 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -49,4 +49,4 @@ upstream_dns_servers: - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) - "1.1.1.1" # Cloudflare - +unbound_log_file: "/var/log/unbound.log" diff --git a/hosts b/hosts index e731c4c..0fc686d 100644 --- a/hosts +++ b/hosts @@ -150,7 +150,7 @@ gs_pve [dhcp] #dhcp-fleming.adm.auro.re -dhcp-fleming-backup.adm.auro.re +#dhcp-fleming-backup.adm.auro.re #dhcp-pacaterie.adm.auro.re #dhcp-pacaterie-backup.adm.auro.re #dhcp-edc.adm.auro.re diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 6358173..4dfaa59 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -18,7 +18,6 @@ dest: /etc/unbound/unbound.conf.d/recursive.conf mode: 0644 - - name: restart unbound after editing config systemd: state: restarted diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index f5f7f69..ebfd445 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 @@ -4,11 +4,13 @@ server: # Timestamps use UTC ASCII instead of UNIX epoch. log-time-ascii: yes - logfile: /var/log/unbound.log - # Only log errors. verbosity: 0 + # "" sends logs to stderr, journalctl will pick things up. + logfile: "" + + do-ip4: yes # FIXME: IPv6 deployment... someday... do-ip6: no From b57fa6e356b529568151f6b1a70dbd2928e4eb67 Mon Sep 17 00:00:00 2001 
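Review bot: `unbound_log_file` is added to `group_vars/all/vars.yml` but nothing in this commit references it; the template sets `logfile: ""` literally. Either template the value (`logfile: "{{ unbound_log_file }}"`) or drop the variable, so the vars file does not suggest a log file is being written when it is not.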
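Review bot: The comment `# "" sends logs to stderr, journalctl will pick things up.` describes the wrong mechanism: `use-syslog` is still at its default of `yes`, so `logfile` is ignored and messages reach the journal through syslog, not stderr. The outcome on a systemd host is the same, but a comment matching what actually happens saves the next reader a detour, e.g. `# use-syslog defaults to yes, so messages go to syslog/journald and logfile is ignored.`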
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 16:51:37 +0200 Subject: [PATCH 35/48] dhcp: use backup DNS servers too --- roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 47da1d9..4c352ea 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 @@ -34,7 +34,7 @@ subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { option domain-name "borne.auro.re"; option domain-search "borne.auro.re"; - option domain-name-servers 10.{{ subnet_ids.ap }}.0.253, {{ upstream_dns_servers|join(', ') }}; + option domain-name-servers 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_backup }}, {{ upstream_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list"; deny unknown-clients; @@ -49,7 +49,7 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { option domain-name "fil.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; - option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.253, {{ upstream_dns_servers|join(', ') }}; + option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ upstream_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list"; 
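Review bot: The template now references `dns_host_suffix_main` and `dns_host_suffix_backup` (also in the `@@ -66` hunk on the next line), but at this commit `group_vars/all/vars.yml` still defines only `dns_host_suffix`; the two names are introduced by the following commit, so deploying this revision on its own fails with an undefined-variable error. Squash the variable rename into this commit or order the two commits the other way round.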
@@ -66,7 +66,7 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { option domain-name "wifi.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; - option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.253, {{ upstream_dns_servers|join(', ') }}; + option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ upstream_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list"; From a0651d770378f02dcfd1776b522a96f5de7958ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 16:52:13 +0200 Subject: [PATCH 36/48] unbound: bind to the right addresses on backup hosts --- group_vars/all/vars.yml | 4 ++-- hosts | 13 +++++++++++-- roles/unbound/tasks/main.yml | 10 ++++++++++ 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 153e4f5..5c438a9 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -43,10 +43,10 @@ matrix_discord_bot_token: "{{ vault_matrix_discord_bot_token }}" # Dernier octet (en décimal) de l'addresse des serveurs DNS récursifs de chaque # résidence. -dns_host_suffix: 253 +dns_host_suffix_main: 253 +dns_host_suffix_backup: 153 upstream_dns_servers: - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) - "1.1.1.1" # Cloudflare -unbound_log_file: "/var/log/unbound.log" diff --git a/hosts b/hosts index 0fc686d..9ec7bef 100644 --- a/hosts +++ b/hosts @@ -156,11 +156,20 @@ gs_pve #dhcp-edc.adm.auro.re #dhcp-gs.adm.auro.re -[recursive_dns] +[recursive_dns:children] +rdns_main +rdns_backup + +[rdns_main] dns-fleming.adm.auro.re -dns-fleming-backup.adm.auro.re dns-pacaterie.adm.auro.re + +[rdns_backup] +dns-fleming-backup.adm.auro.re dns-pacaterie-backup.adm.auro.re + + +# FIXME: #dns-edc.adm.auro.re #dns-gs.adm.auro.re 
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 4dfaa59..18f99ce 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -1,5 +1,15 @@ --- +# This is used to let unbound bind to the right IP addresses. +- set_fact: + dns_host_suffix: "{{ dns_host_suffix_main }}" + when: "'rdns_main' in group_names" + +- set_fact: + dns_host_suffix: "{{ dns_host_suffix_backup }}" + when: "'rdns_backup' in group_names" + + - name: install unbound apt: update_cache: true From 12022389c4523e875fb571790d420a8e9103bcf2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 16:57:18 +0200 Subject: [PATCH 37/48] hosts: enable dhcp deployment on fleming --- hosts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts b/hosts index 9ec7bef..f1ac5fd 100644 --- a/hosts +++ b/hosts @@ -149,8 +149,8 @@ edc_pve gs_pve [dhcp] -#dhcp-fleming.adm.auro.re -#dhcp-fleming-backup.adm.auro.re +dhcp-fleming.adm.auro.re +dhcp-fleming-backup.adm.auro.re #dhcp-pacaterie.adm.auro.re #dhcp-pacaterie-backup.adm.auro.re #dhcp-edc.adm.auro.re From 662452065fd0168c7afad42a49f991970507707d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 17:06:38 +0200 Subject: [PATCH 38/48] dhcp: remove Cloudflare from backup DNS and rename variable, since these are not technically upstream DNS servers (unbound will ask the root servers, not these) --- group_vars/all/vars.yml | 3 +-- roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 | 6 +++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 5c438a9..be601da 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml 
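Review bot: The two `set_fact` tasks leave `dns_host_suffix` undefined for a `recursive_dns` host that is in neither `rdns_main` nor `rdns_backup`, and silently take the backup value for one that is in both; the failure then surfaces only as a Jinja error inside `recursive.conf.j2`. A guard right after them makes the contract explicit: `- name: ensure dns_host_suffix is set` / `assert:` / `that: dns_host_suffix is defined`.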
@@ -46,7 +46,6 @@ matrix_discord_bot_token: "{{ vault_matrix_discord_bot_token }}" dns_host_suffix_main: 253 dns_host_suffix_backup: 153 -upstream_dns_servers: +backup_dns_servers: - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) - - "1.1.1.1" # Cloudflare diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 4c352ea..f0a35fe 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 @@ -34,7 +34,7 @@ subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { option domain-name "borne.auro.re"; option domain-search "borne.auro.re"; - option domain-name-servers 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_backup }}, {{ upstream_dns_servers|join(', ') }}; + option domain-name-servers 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list"; deny unknown-clients; @@ -49,7 +49,7 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { option domain-name "fil.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; - option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ upstream_dns_servers|join(', ') }}; + option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list"; 
@@ -66,7 +66,7 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { option domain-name "wifi.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; - option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ upstream_dns_servers|join(', ') }}; + option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list"; From ded5f38aecfa6732c37f31c0bf8b9b40076afce5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 17:36:25 +0200 Subject: [PATCH 39/48] unbound: name set_fact tasks --- roles/unbound/tasks/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 18f99ce..44a4358 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -1,11 +1,13 @@ --- # This is used to let unbound bind to the right IP addresses. -- set_fact: +- name: set dns_host_suffix (main) + set_fact: dns_host_suffix: "{{ dns_host_suffix_main }}" when: "'rdns_main' in group_names" -- set_fact: +- name: set dns_host_suffix (backup) + set_fact: dns_host_suffix: "{{ dns_host_suffix_backup }}" when: "'rdns_backup' in group_names" From bac131791b80f6caf6da5293f361e975d9ee2087 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Tue, 28 Apr 2020 20:13:56 +0200 Subject: [PATCH 40/48] unbound: bump verbosity up to 3 Some users are having issues resolving *.auro.re domains from our network, and the bug does not show itself reliably. Increased verbosity should help us pinpoint its source. --- roles/unbound/templates/recursive.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index ebfd445..2b4a442 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 @@ -5,7 +5,7 @@ server: log-time-ascii: yes # Only log errors. - verbosity: 0 + verbosity: 3 # "" sends logs to stderr, journalctl will pick things up. logfile: "" From b4482b6d3b6fb3ece1453599e7a811e95ada6e11 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Tue, 28 Apr 2020 20:21:47 +0200 Subject: [PATCH 41/48] unbound: configure unbound-control --- roles/unbound/tasks/main.yml | 23 +++++++++++++++++++ .../unbound/templates/unbound-control.conf.j2 | 23 +++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 roles/unbound/templates/unbound-control.conf.j2 diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 44a4358..6b116cd 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -17,6 +17,29 @@ update_cache: true name: unbound state: present + register: unbound_install + +- name: check if unbound-control certificate exists + stat: + path: /etc/unbound/unbound_control.pem + register: ubc_control_pem + + +- name: check if unbound server certificate exists + stat: + path: /etc/unbound/unbound_server.pem + register: ubc_server_pem + +- name: run unbound-control-setup if a certificate is missing + command: unbound-control-setup + become: yes + when: ubc_control_pem.stat.exists == False or ubc_server_pem.stat.exists == False + +- name: add unbound-control configuration + template: + src: unbound-control.conf.j2 + dest: /etc/unbound/unbound.conf.d/unbound-control.conf + mode: 0644 - name: setup main unbound config file template: diff --git a/roles/unbound/templates/unbound-control.conf.j2 b/roles/unbound/templates/unbound-control.conf.j2 new file mode 100644 index 0000000..edaa6c2 --- /dev/null +++ b/roles/unbound/templates/unbound-control.conf.j2 
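Review bot: `verbosity: 3` contradicts the `# Only log errors.` comment left directly above it; replace it with something like `# Temporarily raised to 3 while debugging *.auro.re resolution failures; revert to 0 afterwards.` At level 3 unbound logs per-query detail, so the journal on these resolvers will record users' lookups in bulk; bounding that with a journald retention limit and reverting once the issue is understood keeps the exposure short.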
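Review bot: `register: unbound_install` on the `apt` task is never read, and the two `when` conditions compare booleans with `== False`; `when: not ubc_control_pem.stat.exists or not ubc_server_pem.stat.exists` is the idiomatic form. `become: yes` on the `command` task is redundant if the play already escalates, and the double blank line between the two `stat` tasks breaks the file's one-blank-line rhythm.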
@@ -0,0 +1,23 @@
+remote-control:
+ # Enable remote control with unbound-control(8) here.
+ # set up the keys and certificates with unbound-control-setup.
+ control-enable: yes
+
+ # what interfaces are listened to for remote control.
+ # give 0.0.0.0 and ::0 to listen to all interfaces.
+ control-interface: 127.0.0.1
+
+ # port number for remote control operations.
+ control-port: 8953
+
+ # unbound server key file.
+ server-key-file: "/etc/unbound/unbound_server.key"
+
+ # unbound server certificate file.
+ server-cert-file: "/etc/unbound/unbound_server.pem"
+
+ # unbound-control key file.
+ control-key-file: "/etc/unbound/unbound_control.key"
+
+ # unbound-control certificate file.
+ control-cert-file: "/etc/unbound/unbound_control.pem"
From 3695a3d771ad19b4350041ae836d6e4cae606933 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Tue, 28 Apr 2020 23:14:43 +0200
Subject: [PATCH 42/48] unbound: attempt to fix spurious blacklisting
---
 roles/unbound/templates/recursive.conf.j2 | 24 +++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
index 2b4a442..a65bd43 100644
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
@@ -30,3 +30,27 @@ server:
 num-threads: {{ ansible_processor_vcpus }}
 private-address: 10.0.0.0/8
+
+ # XXX
+ # We've been having issues with bogus DNSSEC responses, and unintended
+ # blacklisting of nameservers because of that.
+ # The following is intended as a stopgap solution.
+ #
+ # unbound had issues with auro.re's DS records, apparently;
+ # it kept receiving an error, which subsequently caused a blacklisting
+ # of relevant servers and an inability to resolve auro.re and its
+ # subdomains.
+ #
+ # auro.re does not have DNSSEC anyway, so we can treat it as insecure.
+ domain-insecure: "auro.re"
+
+
+ # The host cache TTL affects blacklisting of supposedly bogus hosts.
+ # The default was 900 (15 minutes).
+ infra-host-ttl: 60
+
+ harden-dnssec-stripped: no
+ disable-dnssec-lame-check: yes
+
+
+
From b94c62d7107003ffd55b0b60257a66f29d2ae92e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sat, 2 May 2020 16:37:21 +0200
Subject: [PATCH 43/48] unbound-control: no certificates for local use
---
 roles/unbound/tasks/main.yml | 16 ----------------
 roles/unbound/templates/unbound-control.conf.j2 | 14 +++-----------
 2 files changed, 3 insertions(+), 27 deletions(-)
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
index 6b116cd..7374281 100644
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
@@ -19,22 +19,6 @@
 state: present
 register: unbound_install
-- name: check if unbound-control certificate exists
- stat:
- path: /etc/unbound/unbound_control.pem
- register: ubc_control_pem
-
-
-- name: check if unbound server certificate exists
- stat:
- path: /etc/unbound/unbound_server.pem
- register: ubc_server_pem
-
-- name: run unbound-control-setup if a certificate is missing
- command: unbound-control-setup
- become: yes
- when: ubc_control_pem.stat.exists == False or ubc_server_pem.stat.exists == False
-
 - name: add unbound-control configuration
 template:
 src: unbound-control.conf.j2
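Review bot: `harden-dnssec-stripped: no` and `disable-dnssec-lame-check: yes` at the end of the hunk relax DNSSEC validation for every zone this resolver serves, not just the one described in the comment block, and `domain-insecure: "auro.re"` alone already addresses the stated symptom for that zone. If the two global knobs are kept as part of the stopgap they belong under the `# XXX` block with the removal condition spelled out, e.g. `# Part of the same stopgap: remove together with domain-insecure once the root cause is found.` As written, a reader of the file cannot tell which of the new lines are the workaround and which are intended to stay.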
diff --git a/roles/unbound/templates/unbound-control.conf.j2 b/roles/unbound/templates/unbound-control.conf.j2
index edaa6c2..a3ba77a 100644
--- a/roles/unbound/templates/unbound-control.conf.j2
+++ b/roles/unbound/templates/unbound-control.conf.j2
@@ -10,14 +10,6 @@ remote-control:
 # port number for remote control operations.
 control-port: 8953
- # unbound server key file.
- server-key-file: "/etc/unbound/unbound_server.key"
-
- # unbound server certificate file.
- server-cert-file: "/etc/unbound/unbound_server.pem"
-
- # unbound-control key file.
- control-key-file: "/etc/unbound/unbound_control.key"
-
- # unbound-control certificate file.
- control-cert-file: "/etc/unbound/unbound_control.pem"
+ # Disable the use of certificates for unbound-control.
+ # It's only listening locally, there's no need for the added complexity.
+ control-use-cert: "no"
From 1dca5d2259a1f5e19e79b12868fea7c77f635364 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sat, 2 May 2020 16:43:44 +0200
Subject: [PATCH 44/48] unbound: use handlers
Only restart unbound if the configuration was actually updated.
---
 roles/unbound/handlers/main.yml | 4 ++++
 roles/unbound/tasks/main.yml | 8 +++-----
 2 files changed, 7 insertions(+), 5 deletions(-)
 create mode 100644 roles/unbound/handlers/main.yml
diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml
new file mode 100644
index 0000000..c2efa8f
--- /dev/null
+++ b/roles/unbound/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart unbound
+ systemd:
+ state: restarted
+ name: unbound
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
index 7374281..cabae99 100644
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
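Review bot: With `control-use-cert: "no"` the control channel on `127.0.0.1:8953` (context lines above) is authenticated by nothing more than the ability to open a local TCP connection, so any local account or compromised service on the resolver can issue `unbound-control` commands such as flushing the cache, changing local data or turning verbosity up. If the aim is to avoid key management, a Unix socket is the safer trade-off: `control-interface: /run/unbound.ctl` lets filesystem ownership and mode gate access, and per unbound.conf(5) TLS is not used on local sockets regardless of this option, provided the installed unbound accepts a path here. The comment should then state that the socket permissions are the access control. Minor: the rest of the file writes booleans unquoted (`control-enable: yes`), so `control-use-cert: no` would be the consistent spelling.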
@@ -24,20 +24,18 @@
 src: unbound-control.conf.j2
 dest: /etc/unbound/unbound.conf.d/unbound-control.conf
 mode: 0644
+ notify: restart unbound
 - name: setup main unbound config file
 template:
 src: unbound.conf.j2
 dest: /etc/unbound/unbound.conf
 mode: 0644
+ notify: restart unbound
 - name: setup recursive DNS server config
 template:
 src: recursive.conf.j2
 dest: /etc/unbound/unbound.conf.d/recursive.conf
 mode: 0644
-
-- name: restart unbound after editing config
- systemd:
- state: restarted
- name: unbound
+ notify: restart unbound
From c54e8f5d675a23e26a454dc9e95abf439350cfbb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sat, 2 May 2020 16:49:33 +0200
Subject: [PATCH 45/48] unbound: smarter logging
- stop using journald, write to /var/log/unbound/
- set up frequent log rotation for the huge log files we are producing
---
 roles/unbound/handlers/main.yml | 3 +++
 roles/unbound/tasks/main.yml | 21 +++++++++++++++++++
 roles/unbound/templates/recursive.conf.j2 | 3 +--
 .../unbound/templates/unbound-apparmor-config | 1 +
 roles/unbound/templates/unbound-logrotate.j2 | 13 ++++++++++++
 5 files changed, 39 insertions(+), 2 deletions(-)
 create mode 100644 roles/unbound/templates/unbound-apparmor-config
 create mode 100644 roles/unbound/templates/unbound-logrotate.j2
diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml
index c2efa8f..a619b94 100644
--- a/roles/unbound/handlers/main.yml
+++ b/roles/unbound/handlers/main.yml
@@ -2,3 +2,6 @@
 systemd:
 state: restarted
 name: unbound
+
+- name: read unbound apparmor config
+ command: apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
index cabae99..ff45ec1 100644
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
@@ -33,6 +33,27 @@
 mode: 0644
 notify: restart unbound
+- name: ensure unbound log directory exists
+ file:
+ path: /var/log/unbound
+ state: directory
+ mode: '0755'
+ owner: unbound
+ group: unbound
+
+- name: ask apparmor to allow unbound to write to log file
+ template:
+ src: unbound-apparmor-config
+ dest: /etc/apparmor.d/local/usr.sbin.unbound
+ mode: '0644'
+ notify: read unbound apparmor config
+
+- name: setup unbound log rotation
+ template:
+ src: unbound-logrotate.j2
+ dest: /etc/logrotate.d/unbound
+ mode: 0644
+
 - name: setup recursive DNS server config
 template:
 src: recursive.conf.j2
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
index a65bd43..b24613f 100644
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
@@ -8,8 +8,7 @@ server:
 verbosity: 3
 # "" sends logs to stderr, journalctl will pick things up.
- logfile: ""
-
+ logfile: "/var/log/unbound/unbound.log"
 do-ip4: yes
 # FIXME: IPv6 deployment... someday...
diff --git a/roles/unbound/templates/unbound-apparmor-config b/roles/unbound/templates/unbound-apparmor-config
new file mode 100644
index 0000000..f40ee05
--- /dev/null
+++ b/roles/unbound/templates/unbound-apparmor-config
@@ -0,0 +1 @@
+/var/log/unbound/unbound.log rw,
diff --git a/roles/unbound/templates/unbound-logrotate.j2 b/roles/unbound/templates/unbound-logrotate.j2
new file mode 100644
index 0000000..d57e83e
--- /dev/null
+++ b/roles/unbound/templates/unbound-logrotate.j2
@@ -0,0 +1,13 @@
+/var/log/unbound/*.log {
+ daily
+ rotate 30
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ create 644
+ postrotate
+ /usr/local/sbin/unbound-control log_reopen
+ endscript
+}
From aae7e0120a00e7523ee28aef49c0fede76effa7c Mon Sep 17 00:00:00 2001
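Review bot: `mode: 0644` on the `setup unbound log rotation` task is unquoted while the two tasks added just above it use the quoted form (`'0755'`, `'0644'`); pick one style within the hunk, preferably the quoted `mode: '0644'`, which is the form the Ansible documentation favours because it cannot be misread as a decimal integer. The apparmor task drops a file into `/etc/apparmor.d/local/usr.sbin.unbound` and notifies `apparmor_parser -r` on the main profile, which presumably assumes the Debian unbound package ships that profile and the `local/` include; a one-line comment stating that assumption would save the next maintainer a surprise on a host without apparmor.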
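Review bot: The new `logfile: "/var/log/unbound/unbound.log"` line only takes effect if `use-syslog` is off; per unbound.conf(5) the logfile setting is overridden while `use-syslog` is `yes`, which is its default, and the main `unbound.conf.j2` that would set it is not part of this patch, so please confirm `use-syslog: no` is present or add it next to `logfile` in this template. The context comment `# "" sends logs to stderr, journalctl will pick things up.` above the changed line is now stale and should be replaced with something like `# Log to a file under /var/log/unbound; rotated by logrotate.`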
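Review bot: The `postrotate` script calls `/usr/local/sbin/unbound-control`, but the role installs unbound from the Debian package (`name: unbound` in the tasks file), which places the binary under `/usr/sbin`; unless a locally built copy exists on these hosts, rotation renames the log and then fails to reopen it, so the daemon keeps writing to the rotated file until the next restart. Use `/usr/sbin/unbound-control log_reopen` or an unqualified `unbound-control log_reopen` and let PATH resolve it. `create 644` gives no owner or group, so the new file inherits ownership from the rotated log; since the directory task sets `owner: unbound`, `create 644 unbound unbound` makes that explicit rather than incidental. `log_reopen` also depends on the remote-control channel configured earlier in the role being reachable from the cron job that runs logrotate.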
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sat, 2 May 2020 18:06:58 +0200
Subject: [PATCH 46/48] unbound: drop verbosity but log SERVFAILs
TODO: less frequent log rotation because of decreased log volume
---
 roles/unbound/templates/recursive.conf.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
index b24613f..0ba6f5b 100644
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
@@ -5,9 +5,9 @@ server:
 log-time-ascii: yes
 # Only log errors.
- verbosity: 3
+ verbosity: 0
+ log-servfail: yes
- # "" sends logs to stderr, journalctl will pick things up.
 logfile: "/var/log/unbound/unbound.log"
 do-ip4: yes
From a77b2c4f0f3d095a536ea2304da4078f7c5c63d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sat, 2 May 2020 18:44:17 +0200
Subject: [PATCH 47/48] unbound: fix MTU settings
That was the root cause of all our DNSSEC issues. Now that this was fixed, we're not having these anymore, so the relaxed checks can be restored back to their original state.
---
 group_vars/all/vars.yml | 2 ++
 .../templates/dhcp/dhcpd.conf.j2 | 3 +--
 roles/unbound/templates/recursive.conf.j2 | 25 +++++++------------
 3 files changed, 12 insertions(+), 18 deletions(-)
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index be601da..6a0b66b 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -49,3 +49,5 @@ dns_host_suffix_backup: 153
 backup_dns_servers:
 - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
+
+mtu: 1400
diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
index f0a35fe..dc642ae 100644
--- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
+++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
@@ -5,8 +5,7 @@ max-lease-time 86400;
 # Option definitions common to all supported networks.
-# The MTU theoretically could go as high as 1496 (4-byte VLAN tag).
-option interface-mtu 1400;
+option interface-mtu {{ mtu }};
 option root-path "/";
 # The ddns-updates-style parameter controls whether or not the server will
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
index 0ba6f5b..62c93be 100644
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
@@ -30,26 +30,19 @@ server:
 private-address: 10.0.0.0/8
- # XXX
- # We've been having issues with bogus DNSSEC responses, and unintended
- # blacklisting of nameservers because of that.
- # The following is intended as a stopgap solution.
- #
- # unbound had issues with auro.re's DS records, apparently;
- # it kept receiving an error, which subsequently caused a blacklisting
- # of relevant servers and an inability to resolve auro.re and its
- # subdomains.
- #
- # auro.re does not have DNSSEC anyway, so we can treat it as insecure.
- domain-insecure: "auro.re"
-
-
 # The host cache TTL affects blacklisting of supposedly bogus hosts.
 # The default was 900 (15 minutes).
 infra-host-ttl: 60
- harden-dnssec-stripped: no
- disable-dnssec-lame-check: yes
+ # The following is vital, we were having issues
+ # with DNSSEC that turned out to be due to UDP responses that were too
+ # large.
+ # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
+ # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
+ edns-buffer-size: {{ mtu }}
+ # Maximum UDP response size (not applied to TCP response).
+ # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
+ max-udp-size: {{ mtu }}
From 29991141f51b3c316c13599190ec34aafc7caf09 Mon Sep 17 00:00:00 2001
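Review bot: `edns-buffer-size: {{ mtu }}` and `max-udp-size: {{ mtu }}` set the DNS payload limit equal to the link MTU, but that payload travels inside IP and UDP headers (28 bytes for IPv4, 48 for IPv6), so a response of `mtu` bytes still yields a datagram larger than the MTU and is fragmented — the condition this commit sets out to remove. Subtract the header overhead, e.g. `edns-buffer-size: {{ mtu - 48 }}` and `max-udp-size: {{ mtu - 48 }}`, or use the widely recommended fixed value 1232, and reword the comment accordingly since the `1472` it mentions is the Ethernet-MTU figure from the upstream example, not this deployment's. The commit message says the relaxed checks are restored, yet `infra-host-ttl: 60` from the stopgap remains in the context lines together with its `# The default was 900` comment; if keeping it is deliberate, the comment should say why.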
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sun, 3 May 2020 11:17:10 +0200
Subject: [PATCH 48/48] misc: add script to copy SSH keys
This one has the advantage of actually working :) I had to blacklist some hosts because they would either outright refuse connections or would refuse my LDAP credentials.
---
 .gitignore | 1 +
 copy-keys.sh | 17 +++++++++++++++++
 ssh-blacklist.txt | 4 ++++
 3 files changed, 22 insertions(+)
 create mode 100755 copy-keys.sh
 create mode 100644 ssh-blacklist.txt
diff --git a/.gitignore b/.gitignore
index a8b42eb..fc586ce 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 *.retry
+ldap-password.txt
diff --git a/copy-keys.sh b/copy-keys.sh
new file mode 100755
index 0000000..e5343fd
--- /dev/null
+++ b/copy-keys.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+
+# Grab valid unique hostnames from the Ansible inventory.
+HOSTS=$(grep -ve '^[#\[]' hosts \
+| grep -ve '^$' \
+| grep -F adm.auro.re \
+| grep -vf ssh-blacklist.txt \
+| sort -u)
+
+for host in $HOSTS; do
+ echo "Handling host $host"
+
+ # sshpass can be used for non-interactive password authentication.
+ # place your password in ldap-password.txt.
+ sshpass -f ldap-password.txt ssh-copy-id "$host"
+done
diff --git a/ssh-blacklist.txt b/ssh-blacklist.txt
new file mode 100644
index 0000000..248f525
--- /dev/null
+++ b/ssh-blacklist.txt
@@ -0,0 +1,4 @@
+ldap-replica-edc-backup.adm.auro.re
+ldap-replica-fleming-backup.adm.auro.re
+ldap-replica-gs.adm.auro.re
+ldap-replica-gs-backup.adm.auro.re
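Review bot: `grep -vf ssh-blacklist.txt` treats each blacklist entry as a basic regular expression matched anywhere in the line, so the dots match any character, a hostname that merely contains a listed name is excluded too, and a stray blank line in the blacklist matches — and removes — every host; `grep -vxFf ssh-blacklist.txt` matches fixed strings against whole lines. `set -e` does not cover a failing stage inside the `HOSTS=$(...)` pipeline, so a missing `hosts` or `ssh-blacklist.txt` leaves `HOSTS` empty and the script exits 0 having copied nothing; add `set -o pipefail` and fail if `HOSTS` is empty. Since `ldap-password.txt` holds a credential passed to `sshpass -f`, the script should refuse to proceed unless the file is private, e.g. `[[ $(stat -c %a ldap-password.txt) == 600 ]] || { echo 'ldap-password.txt must be mode 0600' >&2; exit 1; }`. The unquoted `for host in $HOSTS` works because inventory names contain no whitespace, but `mapfile -t hosts < <(...)` with `"${hosts[@]}"` is the ShellCheck-clean form.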